2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
50 #include <net/ip.h> /* for sysctl_local_port_range[] */
51 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h> /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h> /* for Unix socket types */
63 #include <net/af_unix.h> /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
76 #define XATTR_SELINUX_SUFFIX "selinux"
77 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
79 extern unsigned int policydb_loaded_version;
80 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
82 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
83 int selinux_enforcing = 0;
85 static int __init enforcing_setup(char *str)
87 selinux_enforcing = simple_strtol(str,NULL,0);
90 __setup("enforcing=", enforcing_setup);
93 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
94 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
96 static int __init selinux_enabled_setup(char *str)
98 selinux_enabled = simple_strtol(str, NULL, 0);
101 __setup("selinux=", selinux_enabled_setup);
104 /* Original (dummy) security module. */
105 static struct security_operations *original_ops = NULL;
107 /* Minimal support for a secondary security module,
108 just to allow the use of the dummy or capability modules.
109 The owlsm module can alternatively be used as a secondary
110 module as long as CONFIG_OWLSM_FD is not enabled. */
111 static struct security_operations *secondary_ops = NULL;
113 /* Lists of inode and superblock security structures initialized
114 before the policy was loaded. */
115 static LIST_HEAD(superblock_security_head);
116 static DEFINE_SPINLOCK(sb_security_lock);
118 /* Allocate and free functions for each kind of security blob. */
120 static int task_alloc_security(struct task_struct *task)
122 struct task_security_struct *tsec;
124 tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
128 memset(tsec, 0, sizeof(struct task_security_struct));
129 tsec->magic = SELINUX_MAGIC;
131 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132 task->security = tsec;
137 static void task_free_security(struct task_struct *task)
139 struct task_security_struct *tsec = task->security;
141 if (!tsec || tsec->magic != SELINUX_MAGIC)
144 task->security = NULL;
148 static int inode_alloc_security(struct inode *inode)
150 struct task_security_struct *tsec = current->security;
151 struct inode_security_struct *isec;
153 isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
157 memset(isec, 0, sizeof(struct inode_security_struct));
158 init_MUTEX(&isec->sem);
159 INIT_LIST_HEAD(&isec->list);
160 isec->magic = SELINUX_MAGIC;
162 isec->sid = SECINITSID_UNLABELED;
163 isec->sclass = SECCLASS_FILE;
164 if (tsec && tsec->magic == SELINUX_MAGIC)
165 isec->task_sid = tsec->sid;
167 isec->task_sid = SECINITSID_UNLABELED;
168 inode->i_security = isec;
173 static void inode_free_security(struct inode *inode)
175 struct inode_security_struct *isec = inode->i_security;
176 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
178 if (!isec || isec->magic != SELINUX_MAGIC)
181 spin_lock(&sbsec->isec_lock);
182 if (!list_empty(&isec->list))
183 list_del_init(&isec->list);
184 spin_unlock(&sbsec->isec_lock);
186 inode->i_security = NULL;
190 static int file_alloc_security(struct file *file)
192 struct task_security_struct *tsec = current->security;
193 struct file_security_struct *fsec;
195 fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
199 memset(fsec, 0, sizeof(struct file_security_struct));
200 fsec->magic = SELINUX_MAGIC;
202 if (tsec && tsec->magic == SELINUX_MAGIC) {
203 fsec->sid = tsec->sid;
204 fsec->fown_sid = tsec->sid;
206 fsec->sid = SECINITSID_UNLABELED;
207 fsec->fown_sid = SECINITSID_UNLABELED;
209 file->f_security = fsec;
214 static void file_free_security(struct file *file)
216 struct file_security_struct *fsec = file->f_security;
218 if (!fsec || fsec->magic != SELINUX_MAGIC)
221 file->f_security = NULL;
225 static int superblock_alloc_security(struct super_block *sb)
227 struct superblock_security_struct *sbsec;
229 sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
233 memset(sbsec, 0, sizeof(struct superblock_security_struct));
234 init_MUTEX(&sbsec->sem);
235 INIT_LIST_HEAD(&sbsec->list);
236 INIT_LIST_HEAD(&sbsec->isec_head);
237 spin_lock_init(&sbsec->isec_lock);
238 sbsec->magic = SELINUX_MAGIC;
240 sbsec->sid = SECINITSID_UNLABELED;
241 sbsec->def_sid = SECINITSID_FILE;
242 sb->s_security = sbsec;
247 static void superblock_free_security(struct super_block *sb)
249 struct superblock_security_struct *sbsec = sb->s_security;
251 if (!sbsec || sbsec->magic != SELINUX_MAGIC)
254 spin_lock(&sb_security_lock);
255 if (!list_empty(&sbsec->list))
256 list_del_init(&sbsec->list);
257 spin_unlock(&sb_security_lock);
259 sb->s_security = NULL;
263 #ifdef CONFIG_SECURITY_NETWORK
264 static int sk_alloc_security(struct sock *sk, int family, int priority)
266 struct sk_security_struct *ssec;
268 if (family != PF_UNIX)
271 ssec = kmalloc(sizeof(*ssec), priority);
275 memset(ssec, 0, sizeof(*ssec));
276 ssec->magic = SELINUX_MAGIC;
278 ssec->peer_sid = SECINITSID_UNLABELED;
279 sk->sk_security = ssec;
284 static void sk_free_security(struct sock *sk)
286 struct sk_security_struct *ssec = sk->sk_security;
288 if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
291 sk->sk_security = NULL;
294 #endif /* CONFIG_SECURITY_NETWORK */
296 /* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298 extern int ss_initialized;
300 /* The file system's label must be initialized prior to use. */
302 static char *labeling_behaviors[6] = {
304 "uses transition SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313 static inline int inode_doinit(struct inode *inode)
315 return inode_doinit_with_dentry(inode, NULL);
324 static match_table_t tokens = {
325 {Opt_context, "context=%s"},
326 {Opt_fscontext, "fscontext=%s"},
327 {Opt_defcontext, "defcontext=%s"},
330 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
332 static int try_context_mount(struct super_block *sb, void *data)
334 char *context = NULL, *defcontext = NULL;
337 int alloc = 0, rc = 0, seen = 0;
338 struct task_security_struct *tsec = current->security;
339 struct superblock_security_struct *sbsec = sb->s_security;
344 name = sb->s_type->name;
346 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
348 /* NFS we understand. */
349 if (!strcmp(name, "nfs")) {
350 struct nfs_mount_data *d = data;
352 if (d->version < NFS_MOUNT_VERSION)
356 context = d->context;
363 /* Standard string-based options. */
364 char *p, *options = data;
366 while ((p = strsep(&options, ",")) != NULL) {
368 substring_t args[MAX_OPT_ARGS];
373 token = match_token(p, tokens, args);
379 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
382 context = match_strdup(&args[0]);
393 if (seen & (Opt_context|Opt_fscontext)) {
395 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
398 context = match_strdup(&args[0]);
405 seen |= Opt_fscontext;
409 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
411 printk(KERN_WARNING "SELinux: "
412 "defcontext option is invalid "
413 "for this filesystem type\n");
416 if (seen & (Opt_context|Opt_defcontext)) {
418 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
421 defcontext = match_strdup(&args[0]);
428 seen |= Opt_defcontext;
433 printk(KERN_WARNING "SELinux: unknown mount "
445 rc = security_context_to_sid(context, strlen(context), &sid);
447 printk(KERN_WARNING "SELinux: security_context_to_sid"
448 "(%s) failed for (dev %s, type %s) errno=%d\n",
449 context, sb->s_id, name, rc);
453 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
454 FILESYSTEM__RELABELFROM, NULL);
458 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
459 FILESYSTEM__RELABELTO, NULL);
465 if (seen & Opt_context)
466 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
470 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
472 printk(KERN_WARNING "SELinux: security_context_to_sid"
473 "(%s) failed for (dev %s, type %s) errno=%d\n",
474 defcontext, sb->s_id, name, rc);
478 if (sid == sbsec->def_sid)
481 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
482 FILESYSTEM__RELABELFROM, NULL);
486 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
487 FILESYSTEM__ASSOCIATE, NULL);
491 sbsec->def_sid = sid;
503 static int superblock_doinit(struct super_block *sb, void *data)
505 struct superblock_security_struct *sbsec = sb->s_security;
506 struct dentry *root = sb->s_root;
507 struct inode *inode = root->d_inode;
511 if (sbsec->initialized)
514 if (!ss_initialized) {
515 /* Defer initialization until selinux_complete_init,
516 after the initial policy is loaded and the security
517 server is ready to handle calls. */
518 spin_lock(&sb_security_lock);
519 if (list_empty(&sbsec->list))
520 list_add(&sbsec->list, &superblock_security_head);
521 spin_unlock(&sb_security_lock);
525 /* Determine the labeling behavior to use for this filesystem type. */
526 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
528 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
529 __FUNCTION__, sb->s_type->name, rc);
533 rc = try_context_mount(sb, data);
537 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
538 /* Make sure that the xattr handler exists and that no
539 error other than -ENODATA is returned by getxattr on
540 the root directory. -ENODATA is ok, as this may be
541 the first boot of the SELinux kernel before we have
542 assigned xattr values to the filesystem. */
543 if (!inode->i_op->getxattr) {
544 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
545 "xattr support\n", sb->s_id, sb->s_type->name);
549 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
550 if (rc < 0 && rc != -ENODATA) {
551 if (rc == -EOPNOTSUPP)
552 printk(KERN_WARNING "SELinux: (dev %s, type "
553 "%s) has no security xattr handler\n",
554 sb->s_id, sb->s_type->name);
556 printk(KERN_WARNING "SELinux: (dev %s, type "
557 "%s) getxattr errno %d\n", sb->s_id,
558 sb->s_type->name, -rc);
563 if (strcmp(sb->s_type->name, "proc") == 0)
566 sbsec->initialized = 1;
568 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
569 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
570 sb->s_id, sb->s_type->name);
573 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
574 sb->s_id, sb->s_type->name,
575 labeling_behaviors[sbsec->behavior-1]);
578 /* Initialize the root inode. */
579 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
581 /* Initialize any other inodes associated with the superblock, e.g.
582 inodes created prior to initial policy load or inodes created
583 during get_sb by a pseudo filesystem that directly
585 spin_lock(&sbsec->isec_lock);
587 if (!list_empty(&sbsec->isec_head)) {
588 struct inode_security_struct *isec =
589 list_entry(sbsec->isec_head.next,
590 struct inode_security_struct, list);
591 struct inode *inode = isec->inode;
592 spin_unlock(&sbsec->isec_lock);
593 inode = igrab(inode);
595 if (!IS_PRIVATE (inode))
599 spin_lock(&sbsec->isec_lock);
600 list_del_init(&isec->list);
603 spin_unlock(&sbsec->isec_lock);
609 static inline u16 inode_mode_to_security_class(umode_t mode)
611 switch (mode & S_IFMT) {
613 return SECCLASS_SOCK_FILE;
615 return SECCLASS_LNK_FILE;
617 return SECCLASS_FILE;
619 return SECCLASS_BLK_FILE;
623 return SECCLASS_CHR_FILE;
625 return SECCLASS_FIFO_FILE;
629 return SECCLASS_FILE;
632 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
639 return SECCLASS_UNIX_STREAM_SOCKET;
641 return SECCLASS_UNIX_DGRAM_SOCKET;
648 return SECCLASS_TCP_SOCKET;
650 return SECCLASS_UDP_SOCKET;
652 return SECCLASS_RAWIP_SOCKET;
658 return SECCLASS_NETLINK_ROUTE_SOCKET;
659 case NETLINK_FIREWALL:
660 return SECCLASS_NETLINK_FIREWALL_SOCKET;
661 case NETLINK_TCPDIAG:
662 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
664 return SECCLASS_NETLINK_NFLOG_SOCKET;
666 return SECCLASS_NETLINK_XFRM_SOCKET;
667 case NETLINK_SELINUX:
668 return SECCLASS_NETLINK_SELINUX_SOCKET;
670 return SECCLASS_NETLINK_AUDIT_SOCKET;
672 return SECCLASS_NETLINK_IP6FW_SOCKET;
673 case NETLINK_DNRTMSG:
674 return SECCLASS_NETLINK_DNRT_SOCKET;
676 return SECCLASS_NETLINK_SOCKET;
679 return SECCLASS_PACKET_SOCKET;
681 return SECCLASS_KEY_SOCKET;
684 return SECCLASS_SOCKET;
687 #ifdef CONFIG_PROC_FS
688 static int selinux_proc_get_sid(struct proc_dir_entry *de,
693 char *buffer, *path, *end;
695 buffer = (char*)__get_free_page(GFP_KERNEL);
705 while (de && de != de->parent) {
706 buflen -= de->namelen + 1;
710 memcpy(end, de->name, de->namelen);
715 rc = security_genfs_sid("proc", path, tclass, sid);
716 free_page((unsigned long)buffer);
720 static int selinux_proc_get_sid(struct proc_dir_entry *de,
728 /* The inode's security attributes must be initialized before first use. */
729 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
731 struct superblock_security_struct *sbsec = NULL;
732 struct inode_security_struct *isec = inode->i_security;
734 struct dentry *dentry;
735 #define INITCONTEXTLEN 255
736 char *context = NULL;
741 if (isec->initialized)
746 if (isec->initialized)
749 sbsec = inode->i_sb->s_security;
750 if (!sbsec->initialized) {
751 /* Defer initialization until selinux_complete_init,
752 after the initial policy is loaded and the security
753 server is ready to handle calls. */
754 spin_lock(&sbsec->isec_lock);
755 if (list_empty(&isec->list))
756 list_add(&isec->list, &sbsec->isec_head);
757 spin_unlock(&sbsec->isec_lock);
761 switch (sbsec->behavior) {
762 case SECURITY_FS_USE_XATTR:
763 if (!inode->i_op->getxattr) {
764 isec->sid = sbsec->def_sid;
768 /* Need a dentry, since the xattr API requires one.
769 Life would be simpler if we could just pass the inode. */
771 /* Called from d_instantiate or d_splice_alias. */
772 dentry = dget(opt_dentry);
774 /* Called from selinux_complete_init, try to find a dentry. */
775 dentry = d_find_alias(inode);
778 printk(KERN_WARNING "%s: no dentry for dev=%s "
779 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
784 len = INITCONTEXTLEN;
785 context = kmalloc(len, GFP_KERNEL);
791 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
794 /* Need a larger buffer. Query for the right size. */
795 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
803 context = kmalloc(len, GFP_KERNEL);
809 rc = inode->i_op->getxattr(dentry,
815 if (rc != -ENODATA) {
816 printk(KERN_WARNING "%s: getxattr returned "
817 "%d for dev=%s ino=%ld\n", __FUNCTION__,
818 -rc, inode->i_sb->s_id, inode->i_ino);
822 /* Map ENODATA to the default file SID */
823 sid = sbsec->def_sid;
826 rc = security_context_to_sid(context, rc, &sid);
828 printk(KERN_WARNING "%s: context_to_sid(%s) "
829 "returned %d for dev=%s ino=%ld\n",
830 __FUNCTION__, context, -rc,
831 inode->i_sb->s_id, inode->i_ino);
833 /* Leave with the unlabeled SID */
841 case SECURITY_FS_USE_TASK:
842 isec->sid = isec->task_sid;
844 case SECURITY_FS_USE_TRANS:
845 /* Default to the fs SID. */
846 isec->sid = sbsec->sid;
848 /* Try to obtain a transition SID. */
849 isec->sclass = inode_mode_to_security_class(inode->i_mode);
850 rc = security_transition_sid(isec->task_sid,
859 /* Default to the fs SID. */
860 isec->sid = sbsec->sid;
863 struct proc_inode *proci = PROC_I(inode);
865 isec->sclass = inode_mode_to_security_class(inode->i_mode);
866 rc = selinux_proc_get_sid(proci->pde,
877 isec->initialized = 1;
880 if (isec->sclass == SECCLASS_FILE)
881 isec->sclass = inode_mode_to_security_class(inode->i_mode);
888 /* Convert a Linux signal to an access vector. */
889 static inline u32 signal_to_av(int sig)
895 /* Commonly granted from child to parent. */
896 perm = PROCESS__SIGCHLD;
899 /* Cannot be caught or ignored */
900 perm = PROCESS__SIGKILL;
903 /* Cannot be caught or ignored */
904 perm = PROCESS__SIGSTOP;
907 /* All other signals. */
908 perm = PROCESS__SIGNAL;
915 /* Check permission betweeen a pair of tasks, e.g. signal checks,
916 fork check, ptrace check, etc. */
917 static int task_has_perm(struct task_struct *tsk1,
918 struct task_struct *tsk2,
921 struct task_security_struct *tsec1, *tsec2;
923 tsec1 = tsk1->security;
924 tsec2 = tsk2->security;
925 return avc_has_perm(tsec1->sid, tsec2->sid,
926 SECCLASS_PROCESS, perms, NULL);
929 /* Check whether a task is allowed to use a capability. */
930 static int task_has_capability(struct task_struct *tsk,
933 struct task_security_struct *tsec;
934 struct avc_audit_data ad;
936 tsec = tsk->security;
938 AVC_AUDIT_DATA_INIT(&ad,CAP);
942 return avc_has_perm(tsec->sid, tsec->sid,
943 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
946 /* Check whether a task is allowed to use a system operation. */
947 static int task_has_system(struct task_struct *tsk,
950 struct task_security_struct *tsec;
952 tsec = tsk->security;
954 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
955 SECCLASS_SYSTEM, perms, NULL);
958 /* Check whether a task has a particular permission to an inode.
959 The 'adp' parameter is optional and allows other audit
960 data to be passed (e.g. the dentry). */
961 static int inode_has_perm(struct task_struct *tsk,
964 struct avc_audit_data *adp)
966 struct task_security_struct *tsec;
967 struct inode_security_struct *isec;
968 struct avc_audit_data ad;
970 tsec = tsk->security;
971 isec = inode->i_security;
975 AVC_AUDIT_DATA_INIT(&ad, FS);
976 ad.u.fs.inode = inode;
979 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
982 /* Same as inode_has_perm, but pass explicit audit data containing
983 the dentry to help the auditing code to more easily generate the
984 pathname if needed. */
985 static inline int dentry_has_perm(struct task_struct *tsk,
986 struct vfsmount *mnt,
987 struct dentry *dentry,
990 struct inode *inode = dentry->d_inode;
991 struct avc_audit_data ad;
992 AVC_AUDIT_DATA_INIT(&ad,FS);
994 ad.u.fs.dentry = dentry;
995 return inode_has_perm(tsk, inode, av, &ad);
998 /* Check whether a task can use an open file descriptor to
999 access an inode in a given way. Check access to the
1000 descriptor itself, and then use dentry_has_perm to
1001 check a particular permission to the file.
1002 Access to the descriptor is implicitly granted if it
1003 has the same SID as the process. If av is zero, then
1004 access to the file is not checked, e.g. for cases
1005 where only the descriptor is affected like seek. */
1006 static inline int file_has_perm(struct task_struct *tsk,
1010 struct task_security_struct *tsec = tsk->security;
1011 struct file_security_struct *fsec = file->f_security;
1012 struct vfsmount *mnt = file->f_vfsmnt;
1013 struct dentry *dentry = file->f_dentry;
1014 struct inode *inode = dentry->d_inode;
1015 struct avc_audit_data ad;
1018 AVC_AUDIT_DATA_INIT(&ad, FS);
1020 ad.u.fs.dentry = dentry;
1022 if (tsec->sid != fsec->sid) {
1023 rc = avc_has_perm(tsec->sid, fsec->sid,
1031 /* av is zero if only checking access to the descriptor. */
1033 return inode_has_perm(tsk, inode, av, &ad);
1038 /* Check whether a task can create a file. */
1039 static int may_create(struct inode *dir,
1040 struct dentry *dentry,
1043 struct task_security_struct *tsec;
1044 struct inode_security_struct *dsec;
1045 struct superblock_security_struct *sbsec;
1047 struct avc_audit_data ad;
1050 tsec = current->security;
1051 dsec = dir->i_security;
1052 sbsec = dir->i_sb->s_security;
1054 AVC_AUDIT_DATA_INIT(&ad, FS);
1055 ad.u.fs.dentry = dentry;
1057 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1058 DIR__ADD_NAME | DIR__SEARCH,
1063 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1064 newsid = tsec->create_sid;
1066 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1072 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1076 return avc_has_perm(newsid, sbsec->sid,
1077 SECCLASS_FILESYSTEM,
1078 FILESYSTEM__ASSOCIATE, &ad);
1082 #define MAY_UNLINK 1
1085 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1086 static int may_link(struct inode *dir,
1087 struct dentry *dentry,
1091 struct task_security_struct *tsec;
1092 struct inode_security_struct *dsec, *isec;
1093 struct avc_audit_data ad;
1097 tsec = current->security;
1098 dsec = dir->i_security;
1099 isec = dentry->d_inode->i_security;
1101 AVC_AUDIT_DATA_INIT(&ad, FS);
1102 ad.u.fs.dentry = dentry;
1105 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1106 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1121 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1125 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1129 static inline int may_rename(struct inode *old_dir,
1130 struct dentry *old_dentry,
1131 struct inode *new_dir,
1132 struct dentry *new_dentry)
1134 struct task_security_struct *tsec;
1135 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1136 struct avc_audit_data ad;
1138 int old_is_dir, new_is_dir;
1141 tsec = current->security;
1142 old_dsec = old_dir->i_security;
1143 old_isec = old_dentry->d_inode->i_security;
1144 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1145 new_dsec = new_dir->i_security;
1147 AVC_AUDIT_DATA_INIT(&ad, FS);
1149 ad.u.fs.dentry = old_dentry;
1150 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1151 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1154 rc = avc_has_perm(tsec->sid, old_isec->sid,
1155 old_isec->sclass, FILE__RENAME, &ad);
1158 if (old_is_dir && new_dir != old_dir) {
1159 rc = avc_has_perm(tsec->sid, old_isec->sid,
1160 old_isec->sclass, DIR__REPARENT, &ad);
1165 ad.u.fs.dentry = new_dentry;
1166 av = DIR__ADD_NAME | DIR__SEARCH;
1167 if (new_dentry->d_inode)
1168 av |= DIR__REMOVE_NAME;
1169 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1172 if (new_dentry->d_inode) {
1173 new_isec = new_dentry->d_inode->i_security;
1174 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1175 rc = avc_has_perm(tsec->sid, new_isec->sid,
1177 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1185 /* Check whether a task can perform a filesystem operation. */
1186 static int superblock_has_perm(struct task_struct *tsk,
1187 struct super_block *sb,
1189 struct avc_audit_data *ad)
1191 struct task_security_struct *tsec;
1192 struct superblock_security_struct *sbsec;
1194 tsec = tsk->security;
1195 sbsec = sb->s_security;
1196 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1200 /* Convert a Linux mode and permission mask to an access vector. */
1201 static inline u32 file_mask_to_av(int mode, int mask)
1205 if ((mode & S_IFMT) != S_IFDIR) {
1206 if (mask & MAY_EXEC)
1207 av |= FILE__EXECUTE;
1208 if (mask & MAY_READ)
1211 if (mask & MAY_APPEND)
1213 else if (mask & MAY_WRITE)
1217 if (mask & MAY_EXEC)
1219 if (mask & MAY_WRITE)
1221 if (mask & MAY_READ)
1228 /* Convert a Linux file to an access vector. */
1229 static inline u32 file_to_av(struct file *file)
1233 if (file->f_mode & FMODE_READ)
1235 if (file->f_mode & FMODE_WRITE) {
1236 if (file->f_flags & O_APPEND)
1245 /* Set an inode's SID to a specified value. */
1246 static int inode_security_set_sid(struct inode *inode, u32 sid)
1248 struct inode_security_struct *isec = inode->i_security;
1249 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1251 if (!sbsec->initialized) {
1252 /* Defer initialization to selinux_complete_init. */
1257 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1259 isec->initialized = 1;
1264 /* Set the security attributes on a newly created file. */
1265 static int post_create(struct inode *dir,
1266 struct dentry *dentry)
1269 struct task_security_struct *tsec;
1270 struct inode *inode;
1271 struct inode_security_struct *dsec;
1272 struct superblock_security_struct *sbsec;
1278 tsec = current->security;
1279 dsec = dir->i_security;
1280 sbsec = dir->i_sb->s_security;
1282 inode = dentry->d_inode;
1284 /* Some file system types (e.g. NFS) may not instantiate
1285 a dentry for all create operations (e.g. symlink),
1286 so we have to check to see if the inode is non-NULL. */
1287 printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
1288 "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1292 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1293 newsid = tsec->create_sid;
1295 rc = security_transition_sid(tsec->sid, dsec->sid,
1296 inode_mode_to_security_class(inode->i_mode),
1299 printk(KERN_WARNING "post_create: "
1300 "security_transition_sid failed, rc=%d (dev=%s "
1302 -rc, inode->i_sb->s_id, inode->i_ino);
1307 rc = inode_security_set_sid(inode, newsid);
1309 printk(KERN_WARNING "post_create: inode_security_set_sid "
1310 "failed, rc=%d (dev=%s ino=%ld)\n",
1311 -rc, inode->i_sb->s_id, inode->i_ino);
1315 if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1316 inode->i_op->setxattr) {
1317 /* Use extended attributes. */
1318 rc = security_sid_to_context(newsid, &context, &len);
1320 printk(KERN_WARNING "post_create: sid_to_context "
1321 "failed, rc=%d (dev=%s ino=%ld)\n",
1322 -rc, inode->i_sb->s_id, inode->i_ino);
1325 down(&inode->i_sem);
1326 rc = inode->i_op->setxattr(dentry,
1332 printk(KERN_WARNING "post_create: setxattr failed, "
1333 "rc=%d (dev=%s ino=%ld)\n",
1334 -rc, inode->i_sb->s_id, inode->i_ino);
1343 /* Hook functions begin here. */
1345 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1347 struct task_security_struct *psec = parent->security;
1348 struct task_security_struct *csec = child->security;
1351 rc = secondary_ops->ptrace(parent,child);
1355 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1356 /* Save the SID of the tracing process for later use in apply_creds. */
1358 csec->ptrace_sid = psec->sid;
1362 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1363 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1367 error = task_has_perm(current, target, PROCESS__GETCAP);
1371 return secondary_ops->capget(target, effective, inheritable, permitted);
1374 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1375 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1379 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1383 return task_has_perm(current, target, PROCESS__SETCAP);
1386 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1387 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1389 secondary_ops->capset_set(target, effective, inheritable, permitted);
1392 static int selinux_capable(struct task_struct *tsk, int cap)
1396 rc = secondary_ops->capable(tsk, cap);
1400 return task_has_capability(tsk,cap);
1403 static int selinux_sysctl(ctl_table *table, int op)
1407 struct task_security_struct *tsec;
1411 rc = secondary_ops->sysctl(table, op);
1415 tsec = current->security;
1417 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1418 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1420 /* Default to the well-defined sysctl SID. */
1421 tsid = SECINITSID_SYSCTL;
1424 /* The op values are "defined" in sysctl.c, thereby creating
1425 * a bad coupling between this module and sysctl.c */
1427 error = avc_has_perm(tsec->sid, tsid,
1428 SECCLASS_DIR, DIR__SEARCH, NULL);
1436 error = avc_has_perm(tsec->sid, tsid,
1437 SECCLASS_FILE, av, NULL);
1443 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1456 rc = superblock_has_perm(current,
1458 FILESYSTEM__QUOTAMOD, NULL);
1463 rc = superblock_has_perm(current,
1465 FILESYSTEM__QUOTAGET, NULL);
1468 rc = 0; /* let the kernel handle invalid cmds */
1474 static int selinux_quota_on(struct dentry *dentry)
1476 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1479 static int selinux_syslog(int type)
1483 rc = secondary_ops->syslog(type);
1488 case 3: /* Read last kernel messages */
1489 case 10: /* Return size of the log buffer */
1490 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1492 case 6: /* Disable logging to console */
1493 case 7: /* Enable logging to console */
1494 case 8: /* Set level of messages printed to console */
1495 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1497 case 0: /* Close log */
1498 case 1: /* Open log */
1499 case 2: /* Read from log */
1500 case 4: /* Read/clear last kernel messages */
1501 case 5: /* Clear ring buffer */
1503 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1510 * Check that a process has enough memory to allocate a new virtual
1511 * mapping. 0 means there is enough memory for the allocation to
1512 * succeed and -ENOMEM implies there is not.
1514 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1515 * if the capability is granted, but __vm_enough_memory requires 1 if
1516 * the capability is granted.
1518 * Do not audit the selinux permission check, as this is applied to all
1519 * processes that allocate mappings.
1521 static int selinux_vm_enough_memory(long pages)
1523 int rc, cap_sys_admin = 0;
1524 struct task_security_struct *tsec = current->security;
1526 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1528 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1529 SECCLASS_CAPABILITY,
1530 CAP_TO_MASK(CAP_SYS_ADMIN),
1536 return __vm_enough_memory(pages, cap_sys_admin);
1539 /* binprm security operations */
1541 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1543 struct bprm_security_struct *bsec;
1545 bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1549 memset(bsec, 0, sizeof *bsec);
1550 bsec->magic = SELINUX_MAGIC;
1552 bsec->sid = SECINITSID_UNLABELED;
1555 bprm->security = bsec;
1559 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1561 struct task_security_struct *tsec;
1562 struct inode *inode = bprm->file->f_dentry->d_inode;
1563 struct inode_security_struct *isec;
1564 struct bprm_security_struct *bsec;
1566 struct avc_audit_data ad;
1569 rc = secondary_ops->bprm_set_security(bprm);
1573 bsec = bprm->security;
1578 tsec = current->security;
1579 isec = inode->i_security;
1581 /* Default to the current task SID. */
1582 bsec->sid = tsec->sid;
1584 /* Reset create SID on execve. */
1585 tsec->create_sid = 0;
1587 if (tsec->exec_sid) {
1588 newsid = tsec->exec_sid;
1589 /* Reset exec SID on execve. */
1592 /* Check for a default transition on this program. */
1593 rc = security_transition_sid(tsec->sid, isec->sid,
1594 SECCLASS_PROCESS, &newsid);
1599 AVC_AUDIT_DATA_INIT(&ad, FS);
1600 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1601 ad.u.fs.dentry = bprm->file->f_dentry;
1603 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1606 if (tsec->sid == newsid) {
1607 rc = avc_has_perm(tsec->sid, isec->sid,
1608 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1612 /* Check permissions for the transition. */
1613 rc = avc_has_perm(tsec->sid, newsid,
1614 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1618 rc = avc_has_perm(newsid, isec->sid,
1619 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1623 /* Clear any possibly unsafe personality bits on exec: */
1624 current->personality &= ~PER_CLEAR_ON_SETID;
1626 /* Set the security field to the new SID. */
1634 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1636 return secondary_ops->bprm_check_security(bprm);
1640 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1642 struct task_security_struct *tsec = current->security;
1645 if (tsec->osid != tsec->sid) {
1646 /* Enable secure mode for SIDs transitions unless
1647 the noatsecure permission is granted between
1648 the two SIDs, i.e. ahp returns 0. */
1649 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1651 PROCESS__NOATSECURE, NULL);
1654 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1657 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1659 struct bprm_security_struct *bsec = bprm->security;
1660 bprm->security = NULL;
1664 extern struct vfsmount *selinuxfs_mount;
1665 extern struct dentry *selinux_null;
1667 /* Derived from fs/exec.c:flush_old_files. */
1668 static inline void flush_unauthorized_files(struct files_struct * files)
1670 struct avc_audit_data ad;
1671 struct file *file, *devnull = NULL;
1672 struct tty_struct *tty = current->signal->tty;
1677 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1679 /* Revalidate access to controlling tty.
1680 Use inode_has_perm on the tty inode directly rather
1681 than using file_has_perm, as this particular open
1682 file may belong to another process and we are only
1683 interested in the inode-based check here. */
1684 struct inode *inode = file->f_dentry->d_inode;
1685 if (inode_has_perm(current, inode,
1686 FILE__READ | FILE__WRITE, NULL)) {
1687 /* Reset controlling tty. */
1688 current->signal->tty = NULL;
1689 current->signal->tty_old_pgrp = 0;
1695 /* Revalidate access to inherited open files. */
1697 AVC_AUDIT_DATA_INIT(&ad,FS);
1699 spin_lock(&files->file_lock);
1701 unsigned long set, i;
1706 if (i >= files->max_fds || i >= files->max_fdset)
1708 set = files->open_fds->fds_bits[j];
1711 spin_unlock(&files->file_lock);
1712 for ( ; set ; i++,set >>= 1) {
1717 if (file_has_perm(current,
1719 file_to_av(file))) {
1721 fd = get_unused_fd();
1729 atomic_inc(&devnull->f_count);
1731 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1738 fd_install(fd, devnull);
1743 spin_lock(&files->file_lock);
1746 spin_unlock(&files->file_lock);
1749 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1751 struct task_security_struct *tsec;
1752 struct bprm_security_struct *bsec;
1756 secondary_ops->bprm_apply_creds(bprm, unsafe);
1758 tsec = current->security;
1760 bsec = bprm->security;
1763 tsec->osid = tsec->sid;
1765 if (tsec->sid != sid) {
1766 /* Check for shared state. If not ok, leave SID
1767 unchanged and kill. */
1768 if (unsafe & LSM_UNSAFE_SHARE) {
1769 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1770 PROCESS__SHARE, NULL);
1777 /* Check for ptracing, and update the task SID if ok.
1778 Otherwise, leave SID unchanged and kill. */
1779 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1780 rc = avc_has_perm(tsec->ptrace_sid, sid,
1781 SECCLASS_PROCESS, PROCESS__PTRACE,
1793 * called after apply_creds without the task lock held
1795 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1797 struct task_security_struct *tsec;
1798 struct rlimit *rlim, *initrlim;
1799 struct itimerval itimer;
1800 struct bprm_security_struct *bsec;
1803 tsec = current->security;
1804 bsec = bprm->security;
1807 force_sig_specific(SIGKILL, current);
1810 if (tsec->osid == tsec->sid)
1813 /* Close files for which the new task SID is not authorized. */
1814 flush_unauthorized_files(current->files);
1816 /* Check whether the new SID can inherit signal state
1817 from the old SID. If not, clear itimers to avoid
1818 subsequent signal generation and flush and unblock
1819 signals. This must occur _after_ the task SID has
1820 been updated so that any kill done after the flush
1821 will be checked against the new SID. */
1822 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1823 PROCESS__SIGINH, NULL);
1825 memset(&itimer, 0, sizeof itimer);
1826 for (i = 0; i < 3; i++)
1827 do_setitimer(i, &itimer, NULL);
1828 flush_signals(current);
1829 spin_lock_irq(¤t->sighand->siglock);
1830 flush_signal_handlers(current, 1);
1831 sigemptyset(¤t->blocked);
1832 recalc_sigpending();
1833 spin_unlock_irq(¤t->sighand->siglock);
1836 /* Check whether the new SID can inherit resource limits
1837 from the old SID. If not, reset all soft limits to
1838 the lower of the current task's hard limit and the init
1839 task's soft limit. Note that the setting of hard limits
1840 (even to lower them) can be controlled by the setrlimit
1841 check. The inclusion of the init task's soft limit into
1842 the computation is to avoid resetting soft limits higher
1843 than the default soft limit for cases where the default
1844 is lower than the hard limit, e.g. RLIMIT_CORE or
1846 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1847 PROCESS__RLIMITINH, NULL);
1849 for (i = 0; i < RLIM_NLIMITS; i++) {
1850 rlim = current->signal->rlim + i;
1851 initrlim = init_task.signal->rlim+i;
1852 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1854 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1856 * This will cause RLIMIT_CPU calculations
1859 current->it_prof_expires = jiffies_to_cputime(1);
1863 /* Wake up the parent if it is waiting so that it can
1864 recheck wait permission to the new task SID. */
1865 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
1868 /* superblock security operations */
1870 static int selinux_sb_alloc_security(struct super_block *sb)
1872 return superblock_alloc_security(sb);
1875 static void selinux_sb_free_security(struct super_block *sb)
1877 superblock_free_security(sb);
1880 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1885 return !memcmp(prefix, option, plen);
1888 static inline int selinux_option(char *option, int len)
1890 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1891 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1892 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1895 static inline void take_option(char **to, char *from, int *first, int len)
1903 memcpy(*to, from, len);
1907 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1909 int fnosec, fsec, rc = 0;
1910 char *in_save, *in_curr, *in_end;
1911 char *sec_curr, *nosec_save, *nosec;
1916 /* Binary mount data: just copy */
1917 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1918 copy_page(sec_curr, in_curr);
1922 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1930 in_save = in_end = orig;
1933 if (*in_end == ',' || *in_end == '\0') {
1934 int len = in_end - in_curr;
1936 if (selinux_option(in_curr, len))
1937 take_option(&sec_curr, in_curr, &fsec, len);
1939 take_option(&nosec, in_curr, &fnosec, len);
1941 in_curr = in_end + 1;
1943 } while (*in_end++);
1945 copy_page(in_save, nosec_save);
1950 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1952 struct avc_audit_data ad;
1955 rc = superblock_doinit(sb, data);
1959 AVC_AUDIT_DATA_INIT(&ad,FS);
1960 ad.u.fs.dentry = sb->s_root;
1961 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1964 static int selinux_sb_statfs(struct super_block *sb)
1966 struct avc_audit_data ad;
1968 AVC_AUDIT_DATA_INIT(&ad,FS);
1969 ad.u.fs.dentry = sb->s_root;
1970 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1973 static int selinux_mount(char * dev_name,
1974 struct nameidata *nd,
1976 unsigned long flags,
1981 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1985 if (flags & MS_REMOUNT)
1986 return superblock_has_perm(current, nd->mnt->mnt_sb,
1987 FILESYSTEM__REMOUNT, NULL);
1989 return dentry_has_perm(current, nd->mnt, nd->dentry,
1993 static int selinux_umount(struct vfsmount *mnt, int flags)
1997 rc = secondary_ops->sb_umount(mnt, flags);
2001 return superblock_has_perm(current,mnt->mnt_sb,
2002 FILESYSTEM__UNMOUNT,NULL);
2005 /* inode security operations */
2007 static int selinux_inode_alloc_security(struct inode *inode)
2009 return inode_alloc_security(inode);
2012 static void selinux_inode_free_security(struct inode *inode)
2014 inode_free_security(inode);
2017 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2019 return may_create(dir, dentry, SECCLASS_FILE);
2022 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2024 post_create(dir, dentry);
2027 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2031 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2034 return may_link(dir, old_dentry, MAY_LINK);
2037 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2042 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2046 rc = secondary_ops->inode_unlink(dir, dentry);
2049 return may_link(dir, dentry, MAY_UNLINK);
2052 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2054 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2057 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2059 post_create(dir, dentry);
2062 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2064 return may_create(dir, dentry, SECCLASS_DIR);
2067 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2069 post_create(dir, dentry);
2072 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2074 return may_link(dir, dentry, MAY_RMDIR);
2077 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2081 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2085 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2088 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2090 post_create(dir, dentry);
2093 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2094 struct inode *new_inode, struct dentry *new_dentry)
2096 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2099 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2100 struct inode *new_inode, struct dentry *new_dentry)
2105 static int selinux_inode_readlink(struct dentry *dentry)
2107 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2110 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2114 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2117 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2120 static int selinux_inode_permission(struct inode *inode, int mask,
2121 struct nameidata *nd)
2125 rc = secondary_ops->inode_permission(inode, mask, nd);
2130 /* No permission to check. Existence test. */
2134 return inode_has_perm(current, inode,
2135 file_mask_to_av(inode->i_mode, mask), NULL);
2138 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2142 rc = secondary_ops->inode_setattr(dentry, iattr);
2146 if (iattr->ia_valid & ATTR_FORCE)
2149 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2150 ATTR_ATIME_SET | ATTR_MTIME_SET))
2151 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2153 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2156 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2158 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2161 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2163 struct task_security_struct *tsec = current->security;
2164 struct inode *inode = dentry->d_inode;
2165 struct inode_security_struct *isec = inode->i_security;
2166 struct superblock_security_struct *sbsec;
2167 struct avc_audit_data ad;
2171 if (strcmp(name, XATTR_NAME_SELINUX)) {
2172 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2173 sizeof XATTR_SECURITY_PREFIX - 1) &&
2174 !capable(CAP_SYS_ADMIN)) {
2175 /* A different attribute in the security namespace.
2176 Restrict to administrator. */
2180 /* Not an attribute we recognize, so just check the
2181 ordinary setattr permission. */
2182 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2185 sbsec = inode->i_sb->s_security;
2186 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2189 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2192 AVC_AUDIT_DATA_INIT(&ad,FS);
2193 ad.u.fs.dentry = dentry;
2195 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2196 FILE__RELABELFROM, &ad);
2200 rc = security_context_to_sid(value, size, &newsid);
2204 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2205 FILE__RELABELTO, &ad);
2209 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2214 return avc_has_perm(newsid,
2216 SECCLASS_FILESYSTEM,
2217 FILESYSTEM__ASSOCIATE,
2221 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2222 void *value, size_t size, int flags)
2224 struct inode *inode = dentry->d_inode;
2225 struct inode_security_struct *isec = inode->i_security;
2229 if (strcmp(name, XATTR_NAME_SELINUX)) {
2230 /* Not an attribute we recognize, so nothing to do. */
2234 rc = security_context_to_sid(value, size, &newsid);
2236 printk(KERN_WARNING "%s: unable to obtain SID for context "
2237 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2245 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2247 struct inode *inode = dentry->d_inode;
2248 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2250 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2253 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2256 static int selinux_inode_listxattr (struct dentry *dentry)
2258 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2261 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2263 if (strcmp(name, XATTR_NAME_SELINUX)) {
2264 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2265 sizeof XATTR_SECURITY_PREFIX - 1) &&
2266 !capable(CAP_SYS_ADMIN)) {
2267 /* A different attribute in the security namespace.
2268 Restrict to administrator. */
2272 /* Not an attribute we recognize, so just check the
2273 ordinary setattr permission. Might want a separate
2274 permission for removexattr. */
2275 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2278 /* No one is allowed to remove a SELinux security label.
2279 You can change the label, but all data must be labeled. */
2283 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2285 struct inode_security_struct *isec = inode->i_security;
2290 /* Permission check handled by selinux_inode_getxattr hook.*/
2292 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2295 rc = security_sid_to_context(isec->sid, &context, &len);
2299 if (!buffer || !size) {
2307 memcpy(buffer, context, len);
2312 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2313 const void *value, size_t size, int flags)
2315 struct inode_security_struct *isec = inode->i_security;
2319 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2322 if (!value || !size)
2325 rc = security_context_to_sid((void*)value, size, &newsid);
2333 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2335 const int len = sizeof(XATTR_NAME_SELINUX);
2336 if (buffer && len <= buffer_size)
2337 memcpy(buffer, XATTR_NAME_SELINUX, len);
2341 /* file security operations */
2343 static int selinux_file_permission(struct file *file, int mask)
2345 struct inode *inode = file->f_dentry->d_inode;
2348 /* No permission to check. Existence test. */
2352 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2353 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2356 return file_has_perm(current, file,
2357 file_mask_to_av(inode->i_mode, mask));
2360 static int selinux_file_alloc_security(struct file *file)
2362 return file_alloc_security(file);
2365 static void selinux_file_free_security(struct file *file)
2367 file_free_security(file);
2370 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2382 case EXT2_IOC_GETFLAGS:
2384 case EXT2_IOC_GETVERSION:
2385 error = file_has_perm(current, file, FILE__GETATTR);
2388 case EXT2_IOC_SETFLAGS:
2390 case EXT2_IOC_SETVERSION:
2391 error = file_has_perm(current, file, FILE__SETATTR);
2394 /* sys_ioctl() checks */
2398 error = file_has_perm(current, file, 0);
2403 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2406 /* default case assumes that the command will go
2407 * to the file's ioctl() function.
2410 error = file_has_perm(current, file, FILE__IOCTL);
2416 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2418 #ifndef CONFIG_PPC32
2419 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2421 * We are making executable an anonymous mapping or a
2422 * private file mapping that will also be writable.
2423 * This has an additional check.
2425 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2432 /* read access is always possible with a mapping */
2433 u32 av = FILE__READ;
2435 /* write access only matters if the mapping is shared */
2436 if (shared && (prot & PROT_WRITE))
2439 if (prot & PROT_EXEC)
2440 av |= FILE__EXECUTE;
2442 return file_has_perm(current, file, av);
2447 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2448 unsigned long prot, unsigned long flags)
2452 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2456 if (selinux_checkreqprot)
2459 return file_map_prot_check(file, prot,
2460 (flags & MAP_TYPE) == MAP_SHARED);
2463 static int selinux_file_mprotect(struct vm_area_struct *vma,
2464 unsigned long reqprot,
2469 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2473 if (selinux_checkreqprot)
2476 #ifndef CONFIG_PPC32
2477 if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2479 * We are making executable a file mapping that has
2480 * had some COW done. Since pages might have been written,
2481 * check ability to execute the possibly modified content.
2482 * This typically should only occur for text relocations.
2484 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2490 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2493 static int selinux_file_lock(struct file *file, unsigned int cmd)
2495 return file_has_perm(current, file, FILE__LOCK);
2498 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2505 if (!file->f_dentry || !file->f_dentry->d_inode) {
2510 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2511 err = file_has_perm(current, file,FILE__WRITE);
2520 /* Just check FD__USE permission */
2521 err = file_has_perm(current, file, 0);
2526 #if BITS_PER_LONG == 32
2531 if (!file->f_dentry || !file->f_dentry->d_inode) {
2535 err = file_has_perm(current, file, FILE__LOCK);
2542 static int selinux_file_set_fowner(struct file *file)
2544 struct task_security_struct *tsec;
2545 struct file_security_struct *fsec;
2547 tsec = current->security;
2548 fsec = file->f_security;
2549 fsec->fown_sid = tsec->sid;
2554 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2555 struct fown_struct *fown, int signum)
2559 struct task_security_struct *tsec;
2560 struct file_security_struct *fsec;
2562 /* struct fown_struct is never outside the context of a struct file */
2563 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2565 tsec = tsk->security;
2566 fsec = file->f_security;
2569 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2571 perm = signal_to_av(signum);
2573 return avc_has_perm(fsec->fown_sid, tsec->sid,
2574 SECCLASS_PROCESS, perm, NULL);
2577 static int selinux_file_receive(struct file *file)
2579 return file_has_perm(current, file, file_to_av(file));
2582 /* task security operations */
2584 static int selinux_task_create(unsigned long clone_flags)
2588 rc = secondary_ops->task_create(clone_flags);
2592 return task_has_perm(current, current, PROCESS__FORK);
2595 static int selinux_task_alloc_security(struct task_struct *tsk)
2597 struct task_security_struct *tsec1, *tsec2;
2600 tsec1 = current->security;
2602 rc = task_alloc_security(tsk);
2605 tsec2 = tsk->security;
2607 tsec2->osid = tsec1->osid;
2608 tsec2->sid = tsec1->sid;
2610 /* Retain the exec and create SIDs across fork */
2611 tsec2->exec_sid = tsec1->exec_sid;
2612 tsec2->create_sid = tsec1->create_sid;
2614 /* Retain ptracer SID across fork, if any.
2615 This will be reset by the ptrace hook upon any
2616 subsequent ptrace_attach operations. */
2617 tsec2->ptrace_sid = tsec1->ptrace_sid;
2622 static void selinux_task_free_security(struct task_struct *tsk)
2624 task_free_security(tsk);
2627 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2629 /* Since setuid only affects the current process, and
2630 since the SELinux controls are not based on the Linux
2631 identity attributes, SELinux does not need to control
2632 this operation. However, SELinux does control the use
2633 of the CAP_SETUID and CAP_SETGID capabilities using the
2638 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2640 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2643 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2645 /* See the comment for setuid above. */
2649 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2651 return task_has_perm(current, p, PROCESS__SETPGID);
2654 static int selinux_task_getpgid(struct task_struct *p)
2656 return task_has_perm(current, p, PROCESS__GETPGID);
2659 static int selinux_task_getsid(struct task_struct *p)
2661 return task_has_perm(current, p, PROCESS__GETSESSION);
2664 static int selinux_task_setgroups(struct group_info *group_info)
2666 /* See the comment for setuid above. */
2670 static int selinux_task_setnice(struct task_struct *p, int nice)
2674 rc = secondary_ops->task_setnice(p, nice);
2678 return task_has_perm(current,p, PROCESS__SETSCHED);
2681 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2683 struct rlimit *old_rlim = current->signal->rlim + resource;
2686 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2690 /* Control the ability to change the hard limit (whether
2691 lowering or raising it), so that the hard limit can
2692 later be used as a safe reset point for the soft limit
2693 upon context transitions. See selinux_bprm_apply_creds. */
2694 if (old_rlim->rlim_max != new_rlim->rlim_max)
2695 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2700 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2702 return task_has_perm(current, p, PROCESS__SETSCHED);
2705 static int selinux_task_getscheduler(struct task_struct *p)
2707 return task_has_perm(current, p, PROCESS__GETSCHED);
2710 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2715 rc = secondary_ops->task_kill(p, info, sig);
2719 if (info && ((unsigned long)info == 1 ||
2720 (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2724 perm = PROCESS__SIGNULL; /* null signal; existence test */
2726 perm = signal_to_av(sig);
2728 return task_has_perm(current, p, perm);
2731 static int selinux_task_prctl(int option,
2737 /* The current prctl operations do not appear to require
2738 any SELinux controls since they merely observe or modify
2739 the state of the current process. */
2743 static int selinux_task_wait(struct task_struct *p)
2747 perm = signal_to_av(p->exit_signal);
2749 return task_has_perm(p, current, perm);
2752 static void selinux_task_reparent_to_init(struct task_struct *p)
2754 struct task_security_struct *tsec;
2756 secondary_ops->task_reparent_to_init(p);
2759 tsec->osid = tsec->sid;
2760 tsec->sid = SECINITSID_KERNEL;
2764 static void selinux_task_to_inode(struct task_struct *p,
2765 struct inode *inode)
2767 struct task_security_struct *tsec = p->security;
2768 struct inode_security_struct *isec = inode->i_security;
2770 isec->sid = tsec->sid;
2771 isec->initialized = 1;
2775 #ifdef CONFIG_SECURITY_NETWORK
2777 /* Returns error only if unable to parse addresses */
2778 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2780 int offset, ihlen, ret = -EINVAL;
2781 struct iphdr _iph, *ih;
2783 offset = skb->nh.raw - skb->data;
2784 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2788 ihlen = ih->ihl * 4;
2789 if (ihlen < sizeof(_iph))
2792 ad->u.net.v4info.saddr = ih->saddr;
2793 ad->u.net.v4info.daddr = ih->daddr;
2796 switch (ih->protocol) {
2798 struct tcphdr _tcph, *th;
2800 if (ntohs(ih->frag_off) & IP_OFFSET)
2804 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2808 ad->u.net.sport = th->source;
2809 ad->u.net.dport = th->dest;
2814 struct udphdr _udph, *uh;
2816 if (ntohs(ih->frag_off) & IP_OFFSET)
2820 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2824 ad->u.net.sport = uh->source;
2825 ad->u.net.dport = uh->dest;
2836 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2838 /* Returns error only if unable to parse addresses */
2839 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2842 int ret = -EINVAL, offset;
2843 struct ipv6hdr _ipv6h, *ip6;
2845 offset = skb->nh.raw - skb->data;
2846 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2850 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2851 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2854 nexthdr = ip6->nexthdr;
2855 offset += sizeof(_ipv6h);
2856 offset = ipv6_skip_exthdr(skb, offset, &nexthdr,
2857 skb->tail - skb->head - offset);
2863 struct tcphdr _tcph, *th;
2865 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2869 ad->u.net.sport = th->source;
2870 ad->u.net.dport = th->dest;
2875 struct udphdr _udph, *uh;
2877 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2881 ad->u.net.sport = uh->source;
2882 ad->u.net.dport = uh->dest;
2886 /* includes fragments */
2896 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2897 char **addrp, int *len, int src)
2901 switch (ad->u.net.family) {
2903 ret = selinux_parse_skb_ipv4(skb, ad);
2907 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2908 &ad->u.net.v4info.daddr);
2911 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2913 ret = selinux_parse_skb_ipv6(skb, ad);
2917 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2918 &ad->u.net.v6info.daddr);
2928 /* socket security operations */
2929 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2932 struct inode_security_struct *isec;
2933 struct task_security_struct *tsec;
2934 struct avc_audit_data ad;
2937 tsec = task->security;
2938 isec = SOCK_INODE(sock)->i_security;
2940 if (isec->sid == SECINITSID_KERNEL)
2943 AVC_AUDIT_DATA_INIT(&ad,NET);
2944 ad.u.net.sk = sock->sk;
2945 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2951 static int selinux_socket_create(int family, int type,
2952 int protocol, int kern)
2955 struct task_security_struct *tsec;
2960 tsec = current->security;
2961 err = avc_has_perm(tsec->sid, tsec->sid,
2962 socket_type_to_security_class(family, type,
2963 protocol), SOCKET__CREATE, NULL);
2969 static void selinux_socket_post_create(struct socket *sock, int family,
2970 int type, int protocol, int kern)
2972 struct inode_security_struct *isec;
2973 struct task_security_struct *tsec;
2975 isec = SOCK_INODE(sock)->i_security;
2977 tsec = current->security;
2978 isec->sclass = socket_type_to_security_class(family, type, protocol);
2979 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2980 isec->initialized = 1;
2985 /* Range of port numbers used to automatically bind.
2986 Need to determine whether we should perform a name_bind
2987 permission check between the socket and the port number. */
2988 #define ip_local_port_range_0 sysctl_local_port_range[0]
2989 #define ip_local_port_range_1 sysctl_local_port_range[1]
2991 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2996 err = socket_has_perm(current, sock, SOCKET__BIND);
3001 * If PF_INET or PF_INET6, check name_bind permission for the port.
3003 family = sock->sk->sk_family;
3004 if (family == PF_INET || family == PF_INET6) {
3006 struct inode_security_struct *isec;
3007 struct task_security_struct *tsec;
3008 struct avc_audit_data ad;
3009 struct sockaddr_in *addr4 = NULL;
3010 struct sockaddr_in6 *addr6 = NULL;
3011 unsigned short snum;
3012 struct sock *sk = sock->sk;
3013 u32 sid, node_perm, addrlen;
3015 tsec = current->security;
3016 isec = SOCK_INODE(sock)->i_security;
3018 if (family == PF_INET) {
3019 addr4 = (struct sockaddr_in *)address;
3020 snum = ntohs(addr4->sin_port);
3021 addrlen = sizeof(addr4->sin_addr.s_addr);
3022 addrp = (char *)&addr4->sin_addr.s_addr;
3024 addr6 = (struct sockaddr_in6 *)address;
3025 snum = ntohs(addr6->sin6_port);
3026 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3027 addrp = (char *)&addr6->sin6_addr.s6_addr;
3030 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3031 snum > ip_local_port_range_1)) {
3032 err = security_port_sid(sk->sk_family, sk->sk_type,
3033 sk->sk_protocol, snum, &sid);
3036 AVC_AUDIT_DATA_INIT(&ad,NET);
3037 ad.u.net.sport = htons(snum);
3038 ad.u.net.family = family;
3039 err = avc_has_perm(isec->sid, sid,
3041 SOCKET__NAME_BIND, &ad);
3046 switch(sk->sk_protocol) {
3048 node_perm = TCP_SOCKET__NODE_BIND;
3052 node_perm = UDP_SOCKET__NODE_BIND;
3056 node_perm = RAWIP_SOCKET__NODE_BIND;
3060 err = security_node_sid(family, addrp, addrlen, &sid);
3064 AVC_AUDIT_DATA_INIT(&ad,NET);
3065 ad.u.net.sport = htons(snum);
3066 ad.u.net.family = family;
3068 if (family == PF_INET)
3069 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3071 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3073 err = avc_has_perm(isec->sid, sid,
3074 isec->sclass, node_perm, &ad);
3082 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3084 struct inode_security_struct *isec;
3087 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3092 * If a TCP socket, check name_connect permission for the port.
3094 isec = SOCK_INODE(sock)->i_security;
3095 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3096 struct sock *sk = sock->sk;
3097 struct avc_audit_data ad;
3098 struct sockaddr_in *addr4 = NULL;
3099 struct sockaddr_in6 *addr6 = NULL;
3100 unsigned short snum;
3103 if (sk->sk_family == PF_INET) {
3104 addr4 = (struct sockaddr_in *)address;
3105 if (addrlen != sizeof(struct sockaddr_in))
3107 snum = ntohs(addr4->sin_port);
3109 addr6 = (struct sockaddr_in6 *)address;
3110 if (addrlen != sizeof(struct sockaddr_in6))
3112 snum = ntohs(addr6->sin6_port);
3115 err = security_port_sid(sk->sk_family, sk->sk_type,
3116 sk->sk_protocol, snum, &sid);
3120 AVC_AUDIT_DATA_INIT(&ad,NET);
3121 ad.u.net.dport = htons(snum);
3122 ad.u.net.family = sk->sk_family;
3123 err = avc_has_perm(isec->sid, sid, isec->sclass,
3124 TCP_SOCKET__NAME_CONNECT, &ad);
3133 static int selinux_socket_listen(struct socket *sock, int backlog)
3135 return socket_has_perm(current, sock, SOCKET__LISTEN);
3138 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3141 struct inode_security_struct *isec;
3142 struct inode_security_struct *newisec;
3144 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3148 newisec = SOCK_INODE(newsock)->i_security;
3150 isec = SOCK_INODE(sock)->i_security;
3151 newisec->sclass = isec->sclass;
3152 newisec->sid = isec->sid;
3153 newisec->initialized = 1;
3158 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3161 return socket_has_perm(current, sock, SOCKET__WRITE);
3164 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3165 int size, int flags)
3167 return socket_has_perm(current, sock, SOCKET__READ);
3170 static int selinux_socket_getsockname(struct socket *sock)
3172 return socket_has_perm(current, sock, SOCKET__GETATTR);
3175 static int selinux_socket_getpeername(struct socket *sock)
3177 return socket_has_perm(current, sock, SOCKET__GETATTR);
3180 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3182 return socket_has_perm(current, sock, SOCKET__SETOPT);
3185 static int selinux_socket_getsockopt(struct socket *sock, int level,
3188 return socket_has_perm(current, sock, SOCKET__GETOPT);
3191 static int selinux_socket_shutdown(struct socket *sock, int how)
3193 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3196 static int selinux_socket_unix_stream_connect(struct socket *sock,
3197 struct socket *other,
3200 struct sk_security_struct *ssec;
3201 struct inode_security_struct *isec;
3202 struct inode_security_struct *other_isec;
3203 struct avc_audit_data ad;
3206 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3210 isec = SOCK_INODE(sock)->i_security;
3211 other_isec = SOCK_INODE(other)->i_security;
3213 AVC_AUDIT_DATA_INIT(&ad,NET);
3214 ad.u.net.sk = other->sk;
3216 err = avc_has_perm(isec->sid, other_isec->sid,
3218 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3222 /* connecting socket */
3223 ssec = sock->sk->sk_security;
3224 ssec->peer_sid = other_isec->sid;
3226 /* server child socket */
3227 ssec = newsk->sk_security;
3228 ssec->peer_sid = isec->sid;
3233 static int selinux_socket_unix_may_send(struct socket *sock,
3234 struct socket *other)
3236 struct inode_security_struct *isec;
3237 struct inode_security_struct *other_isec;
3238 struct avc_audit_data ad;
3241 isec = SOCK_INODE(sock)->i_security;
3242 other_isec = SOCK_INODE(other)->i_security;
3244 AVC_AUDIT_DATA_INIT(&ad,NET);
3245 ad.u.net.sk = other->sk;
3247 err = avc_has_perm(isec->sid, other_isec->sid,
3248 isec->sclass, SOCKET__SENDTO, &ad);
3255 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3260 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3263 struct socket *sock;
3264 struct net_device *dev;
3265 struct avc_audit_data ad;
3267 family = sk->sk_family;
3268 if (family != PF_INET && family != PF_INET6)
3271 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3272 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3275 read_lock_bh(&sk->sk_callback_lock);
3276 sock = sk->sk_socket;
3278 struct inode *inode;
3279 inode = SOCK_INODE(sock);
3281 struct inode_security_struct *isec;
3282 isec = inode->i_security;
3283 sock_sid = isec->sid;
3284 sock_class = isec->sclass;
3287 read_unlock_bh(&sk->sk_callback_lock);
3295 err = sel_netif_sids(dev, &if_sid, NULL);
3299 switch (sock_class) {
3300 case SECCLASS_UDP_SOCKET:
3301 netif_perm = NETIF__UDP_RECV;
3302 node_perm = NODE__UDP_RECV;
3303 recv_perm = UDP_SOCKET__RECV_MSG;
3306 case SECCLASS_TCP_SOCKET:
3307 netif_perm = NETIF__TCP_RECV;
3308 node_perm = NODE__TCP_RECV;
3309 recv_perm = TCP_SOCKET__RECV_MSG;
3313 netif_perm = NETIF__RAWIP_RECV;
3314 node_perm = NODE__RAWIP_RECV;
3318 AVC_AUDIT_DATA_INIT(&ad, NET);
3319 ad.u.net.netif = dev->name;
3320 ad.u.net.family = family;
3322 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3326 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3330 /* Fixme: this lookup is inefficient */
3331 err = security_node_sid(family, addrp, len, &node_sid);
3335 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3342 /* Fixme: make this more efficient */
3343 err = security_port_sid(sk->sk_family, sk->sk_type,
3344 sk->sk_protocol, ntohs(ad.u.net.sport),
3349 err = avc_has_perm(sock_sid, port_sid,
3350 sock_class, recv_perm, &ad);
3356 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3357 int __user *optlen, unsigned len)
3362 struct sk_security_struct *ssec;
3363 struct inode_security_struct *isec;
3365 isec = SOCK_INODE(sock)->i_security;
3366 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3371 ssec = sock->sk->sk_security;
3373 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3377 if (scontext_len > len) {
3382 if (copy_to_user(optval, scontext, scontext_len))
3386 if (put_user(scontext_len, optlen))
3394 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3396 return sk_alloc_security(sk, family, priority);
3399 static void selinux_sk_free_security(struct sock *sk)
3401 sk_free_security(sk);
3404 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3408 struct nlmsghdr *nlh;
3409 struct socket *sock = sk->sk_socket;
3410 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3412 if (skb->len < NLMSG_SPACE(0)) {
3416 nlh = (struct nlmsghdr *)skb->data;
3418 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3420 if (err == -EINVAL) {
3421 audit_log(current->audit_context,
3422 "SELinux: unrecognized netlink message"
3423 " type=%hu for sclass=%hu\n",
3424 nlh->nlmsg_type, isec->sclass);
3425 if (!selinux_enforcing)
3435 err = socket_has_perm(current, sock, perm);
3440 #ifdef CONFIG_NETFILTER
3442 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3443 struct sk_buff **pskb,
3444 const struct net_device *in,
3445 const struct net_device *out,
3446 int (*okfn)(struct sk_buff *),
3450 int len, err = NF_ACCEPT;
3451 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3453 struct socket *sock;
3454 struct inode *inode;
3455 struct sk_buff *skb = *pskb;
3456 struct inode_security_struct *isec;
3457 struct avc_audit_data ad;
3458 struct net_device *dev = (struct net_device *)out;
3464 sock = sk->sk_socket;
3468 inode = SOCK_INODE(sock);
3472 err = sel_netif_sids(dev, &if_sid, NULL);
3476 isec = inode->i_security;
3478 switch (isec->sclass) {
3479 case SECCLASS_UDP_SOCKET:
3480 netif_perm = NETIF__UDP_SEND;
3481 node_perm = NODE__UDP_SEND;
3482 send_perm = UDP_SOCKET__SEND_MSG;
3485 case SECCLASS_TCP_SOCKET:
3486 netif_perm = NETIF__TCP_SEND;
3487 node_perm = NODE__TCP_SEND;
3488 send_perm = TCP_SOCKET__SEND_MSG;
3492 netif_perm = NETIF__RAWIP_SEND;
3493 node_perm = NODE__RAWIP_SEND;
3498 AVC_AUDIT_DATA_INIT(&ad, NET);
3499 ad.u.net.netif = dev->name;
3500 ad.u.net.family = family;
3502 err = selinux_parse_skb(skb, &ad, &addrp,
3503 &len, 0) ? NF_DROP : NF_ACCEPT;
3504 if (err != NF_ACCEPT)
3507 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3508 netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3509 if (err != NF_ACCEPT)
3512 /* Fixme: this lookup is inefficient */
3513 err = security_node_sid(family, addrp, len,
3514 &node_sid) ? NF_DROP : NF_ACCEPT;
3515 if (err != NF_ACCEPT)
3518 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3519 node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3520 if (err != NF_ACCEPT)
3526 /* Fixme: make this more efficient */
3527 err = security_port_sid(sk->sk_family,
3530 ntohs(ad.u.net.dport),
3531 &port_sid) ? NF_DROP : NF_ACCEPT;
3532 if (err != NF_ACCEPT)
3535 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3536 send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3543 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3544 struct sk_buff **pskb,
3545 const struct net_device *in,
3546 const struct net_device *out,
3547 int (*okfn)(struct sk_buff *))
3549 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3552 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3554 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3555 struct sk_buff **pskb,
3556 const struct net_device *in,
3557 const struct net_device *out,
3558 int (*okfn)(struct sk_buff *))
3560 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3565 #endif /* CONFIG_NETFILTER */
3569 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3574 #endif /* CONFIG_SECURITY_NETWORK */
3576 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3578 struct task_security_struct *tsec;
3579 struct av_decision avd;
3582 err = secondary_ops->netlink_send(sk, skb);
3586 tsec = current->security;
3589 avc_has_perm_noaudit(tsec->sid, tsec->sid,
3590 SECCLASS_CAPABILITY, ~0, &avd);
3591 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3593 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3594 err = selinux_nlmsg_perm(sk, skb);
3599 static int selinux_netlink_recv(struct sk_buff *skb)
3601 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3606 static int ipc_alloc_security(struct task_struct *task,
3607 struct kern_ipc_perm *perm,
3610 struct task_security_struct *tsec = task->security;
3611 struct ipc_security_struct *isec;
3613 isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3617 memset(isec, 0, sizeof(struct ipc_security_struct));
3618 isec->magic = SELINUX_MAGIC;
3619 isec->sclass = sclass;
3620 isec->ipc_perm = perm;
3622 isec->sid = tsec->sid;
3624 isec->sid = SECINITSID_UNLABELED;
3626 perm->security = isec;
3631 static void ipc_free_security(struct kern_ipc_perm *perm)
3633 struct ipc_security_struct *isec = perm->security;
3634 if (!isec || isec->magic != SELINUX_MAGIC)
3637 perm->security = NULL;
3641 static int msg_msg_alloc_security(struct msg_msg *msg)
3643 struct msg_security_struct *msec;
3645 msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3649 memset(msec, 0, sizeof(struct msg_security_struct));
3650 msec->magic = SELINUX_MAGIC;
3652 msec->sid = SECINITSID_UNLABELED;
3653 msg->security = msec;
3658 static void msg_msg_free_security(struct msg_msg *msg)
3660 struct msg_security_struct *msec = msg->security;
3661 if (!msec || msec->magic != SELINUX_MAGIC)
3664 msg->security = NULL;
3668 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3669 u16 sclass, u32 perms)
3671 struct task_security_struct *tsec;
3672 struct ipc_security_struct *isec;
3673 struct avc_audit_data ad;
3675 tsec = current->security;
3676 isec = ipc_perms->security;
3678 AVC_AUDIT_DATA_INIT(&ad, IPC);
3679 ad.u.ipc_id = ipc_perms->key;
3681 return avc_has_perm(tsec->sid, isec->sid, sclass, perms, &ad);
3684 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3686 return msg_msg_alloc_security(msg);
3689 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3691 msg_msg_free_security(msg);
3694 /* message queue security operations */
3695 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3697 struct task_security_struct *tsec;
3698 struct ipc_security_struct *isec;
3699 struct avc_audit_data ad;
3702 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3706 tsec = current->security;
3707 isec = msq->q_perm.security;
3709 AVC_AUDIT_DATA_INIT(&ad, IPC);
3710 ad.u.ipc_id = msq->q_perm.key;
3712 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3715 ipc_free_security(&msq->q_perm);
3721 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3723 ipc_free_security(&msq->q_perm);
3726 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3728 struct task_security_struct *tsec;
3729 struct ipc_security_struct *isec;
3730 struct avc_audit_data ad;
3732 tsec = current->security;
3733 isec = msq->q_perm.security;
3735 AVC_AUDIT_DATA_INIT(&ad, IPC);
3736 ad.u.ipc_id = msq->q_perm.key;
3738 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3739 MSGQ__ASSOCIATE, &ad);
3742 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3750 /* No specific object, just general system-wide information. */
3751 return task_has_system(current, SYSTEM__IPC_INFO);
3754 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3757 perms = MSGQ__SETATTR;
3760 perms = MSGQ__DESTROY;
3766 err = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms);
3770 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3772 struct task_security_struct *tsec;
3773 struct ipc_security_struct *isec;
3774 struct msg_security_struct *msec;
3775 struct avc_audit_data ad;
3778 tsec = current->security;
3779 isec = msq->q_perm.security;
3780 msec = msg->security;
3783 * First time through, need to assign label to the message
3785 if (msec->sid == SECINITSID_UNLABELED) {
3787 * Compute new sid based on current process and
3788 * message queue this message will be stored in
3790 rc = security_transition_sid(tsec->sid,
3798 AVC_AUDIT_DATA_INIT(&ad, IPC);
3799 ad.u.ipc_id = msq->q_perm.key;
3801 /* Can this process write to the queue? */
3802 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3805 /* Can this process send the message */
3806 rc = avc_has_perm(tsec->sid, msec->sid,
3807 SECCLASS_MSG, MSG__SEND, &ad);
3809 /* Can the message be put in the queue? */
3810 rc = avc_has_perm(msec->sid, isec->sid,
3811 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3816 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3817 struct task_struct *target,
3818 long type, int mode)
3820 struct task_security_struct *tsec;
3821 struct ipc_security_struct *isec;
3822 struct msg_security_struct *msec;
3823 struct avc_audit_data ad;
3826 tsec = target->security;
3827 isec = msq->q_perm.security;
3828 msec = msg->security;
3830 AVC_AUDIT_DATA_INIT(&ad, IPC);
3831 ad.u.ipc_id = msq->q_perm.key;
3833 rc = avc_has_perm(tsec->sid, isec->sid,
3834 SECCLASS_MSGQ, MSGQ__READ, &ad);
3836 rc = avc_has_perm(tsec->sid, msec->sid,
3837 SECCLASS_MSG, MSG__RECEIVE, &ad);
3841 /* Shared Memory security operations */
3842 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3844 struct task_security_struct *tsec;
3845 struct ipc_security_struct *isec;
3846 struct avc_audit_data ad;
3849 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3853 tsec = current->security;
3854 isec = shp->shm_perm.security;
3856 AVC_AUDIT_DATA_INIT(&ad, IPC);
3857 ad.u.ipc_id = shp->shm_perm.key;
3859 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3862 ipc_free_security(&shp->shm_perm);
3868 static void selinux_shm_free_security(struct shmid_kernel *shp)
3870 ipc_free_security(&shp->shm_perm);
3873 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3875 struct task_security_struct *tsec;
3876 struct ipc_security_struct *isec;
3877 struct avc_audit_data ad;
3879 tsec = current->security;
3880 isec = shp->shm_perm.security;
3882 AVC_AUDIT_DATA_INIT(&ad, IPC);
3883 ad.u.ipc_id = shp->shm_perm.key;
3885 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3886 SHM__ASSOCIATE, &ad);
3889 /* Note, at this point, shp is locked down */
3890 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3898 /* No specific object, just general system-wide information. */
3899 return task_has_system(current, SYSTEM__IPC_INFO);
3902 perms = SHM__GETATTR | SHM__ASSOCIATE;
3905 perms = SHM__SETATTR;
3912 perms = SHM__DESTROY;
3918 err = ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3922 static int selinux_shm_shmat(struct shmid_kernel *shp,
3923 char __user *shmaddr, int shmflg)
3928 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3932 if (shmflg & SHM_RDONLY)
3935 perms = SHM__READ | SHM__WRITE;
3937 return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3940 /* Semaphore security operations */
3941 static int selinux_sem_alloc_security(struct sem_array *sma)
3943 struct task_security_struct *tsec;
3944 struct ipc_security_struct *isec;
3945 struct avc_audit_data ad;
3948 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3952 tsec = current->security;
3953 isec = sma->sem_perm.security;
3955 AVC_AUDIT_DATA_INIT(&ad, IPC);
3956 ad.u.ipc_id = sma->sem_perm.key;
3958 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3961 ipc_free_security(&sma->sem_perm);
3967 static void selinux_sem_free_security(struct sem_array *sma)
3969 ipc_free_security(&sma->sem_perm);
3972 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3974 struct task_security_struct *tsec;
3975 struct ipc_security_struct *isec;
3976 struct avc_audit_data ad;
3978 tsec = current->security;
3979 isec = sma->sem_perm.security;
3981 AVC_AUDIT_DATA_INIT(&ad, IPC);
3982 ad.u.ipc_id = sma->sem_perm.key;
3984 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3985 SEM__ASSOCIATE, &ad);
3988 /* Note, at this point, sma is locked down */
3989 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3997 /* No specific object, just general system-wide information. */
3998 return task_has_system(current, SYSTEM__IPC_INFO);
4002 perms = SEM__GETATTR;
4013 perms = SEM__DESTROY;
4016 perms = SEM__SETATTR;
4020 perms = SEM__GETATTR | SEM__ASSOCIATE;
4026 err = ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
4030 static int selinux_sem_semop(struct sem_array *sma,
4031 struct sembuf *sops, unsigned nsops, int alter)
4036 perms = SEM__READ | SEM__WRITE;
4040 return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
4043 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4045 struct ipc_security_struct *isec = ipcp->security;
4046 u16 sclass = SECCLASS_IPC;
4049 if (isec && isec->magic == SELINUX_MAGIC)
4050 sclass = isec->sclass;
4054 av |= IPC__UNIX_READ;
4056 av |= IPC__UNIX_WRITE;
4061 return ipc_has_perm(ipcp, sclass, av);
4064 /* module stacking operations */
4065 static int selinux_register_security (const char *name, struct security_operations *ops)
4067 if (secondary_ops != original_ops) {
4068 printk(KERN_INFO "%s: There is already a secondary security "
4069 "module registered.\n", __FUNCTION__);
4073 secondary_ops = ops;
4075 printk(KERN_INFO "%s: Registering secondary module %s\n",
4082 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4084 if (ops != secondary_ops) {
4085 printk (KERN_INFO "%s: trying to unregister a security module "
4086 "that is not registered.\n", __FUNCTION__);
4090 secondary_ops = original_ops;
4095 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4098 inode_doinit_with_dentry(inode, dentry);
4101 static int selinux_getprocattr(struct task_struct *p,
4102 char *name, void *value, size_t size)
4104 struct task_security_struct *tsec;
4110 error = task_has_perm(current, p, PROCESS__GETATTR);
4120 if (!strcmp(name, "current"))
4122 else if (!strcmp(name, "prev"))
4124 else if (!strcmp(name, "exec"))
4125 sid = tsec->exec_sid;
4126 else if (!strcmp(name, "fscreate"))
4127 sid = tsec->create_sid;
4134 error = security_sid_to_context(sid, &context, &len);
4141 memcpy(value, context, len);
4146 static int selinux_setprocattr(struct task_struct *p,
4147 char *name, void *value, size_t size)
4149 struct task_security_struct *tsec;
4155 /* SELinux only allows a process to change its own
4156 security attributes. */
4161 * Basic control over ability to set these attributes at all.
4162 * current == p, but we'll pass them separately in case the
4163 * above restriction is ever removed.
4165 if (!strcmp(name, "exec"))
4166 error = task_has_perm(current, p, PROCESS__SETEXEC);
4167 else if (!strcmp(name, "fscreate"))
4168 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4169 else if (!strcmp(name, "current"))
4170 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4176 /* Obtain a SID for the context, if one was specified. */
4177 if (size && str[1] && str[1] != '\n') {
4178 if (str[size-1] == '\n') {
4182 error = security_context_to_sid(value, size, &sid);
4187 /* Permission checking based on the specified context is
4188 performed during the actual operation (execve,
4189 open/mkdir/...), when we know the full context of the
4190 operation. See selinux_bprm_set_security for the execve
4191 checks and may_create for the file creation checks. The
4192 operation will then fail if the context is not permitted. */
4194 if (!strcmp(name, "exec"))
4195 tsec->exec_sid = sid;
4196 else if (!strcmp(name, "fscreate"))
4197 tsec->create_sid = sid;
4198 else if (!strcmp(name, "current")) {
4199 struct av_decision avd;
4204 /* Only allow single threaded processes to change context */
4205 if (atomic_read(&p->mm->mm_users) != 1) {
4206 struct task_struct *g, *t;
4207 struct mm_struct *mm = p->mm;
4208 read_lock(&tasklist_lock);
4209 do_each_thread(g, t)
4210 if (t->mm == mm && t != p) {
4211 read_unlock(&tasklist_lock);
4214 while_each_thread(g, t);
4215 read_unlock(&tasklist_lock);
4218 /* Check permissions for the transition. */
4219 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4220 PROCESS__DYNTRANSITION, NULL);
4224 /* Check for ptracing, and update the task SID if ok.
4225 Otherwise, leave SID unchanged and fail. */
4227 if (p->ptrace & PT_PTRACED) {
4228 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4230 PROCESS__PTRACE, &avd);
4234 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4235 PROCESS__PTRACE, &avd, error, NULL);
4249 static struct security_operations selinux_ops = {
4250 .ptrace = selinux_ptrace,
4251 .capget = selinux_capget,
4252 .capset_check = selinux_capset_check,
4253 .capset_set = selinux_capset_set,
4254 .sysctl = selinux_sysctl,
4255 .capable = selinux_capable,
4256 .quotactl = selinux_quotactl,
4257 .quota_on = selinux_quota_on,
4258 .syslog = selinux_syslog,
4259 .vm_enough_memory = selinux_vm_enough_memory,
4261 .netlink_send = selinux_netlink_send,
4262 .netlink_recv = selinux_netlink_recv,
4264 .bprm_alloc_security = selinux_bprm_alloc_security,
4265 .bprm_free_security = selinux_bprm_free_security,
4266 .bprm_apply_creds = selinux_bprm_apply_creds,
4267 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4268 .bprm_set_security = selinux_bprm_set_security,
4269 .bprm_check_security = selinux_bprm_check_security,
4270 .bprm_secureexec = selinux_bprm_secureexec,
4272 .sb_alloc_security = selinux_sb_alloc_security,
4273 .sb_free_security = selinux_sb_free_security,
4274 .sb_copy_data = selinux_sb_copy_data,
4275 .sb_kern_mount = selinux_sb_kern_mount,
4276 .sb_statfs = selinux_sb_statfs,
4277 .sb_mount = selinux_mount,
4278 .sb_umount = selinux_umount,
4280 .inode_alloc_security = selinux_inode_alloc_security,
4281 .inode_free_security = selinux_inode_free_security,
4282 .inode_create = selinux_inode_create,
4283 .inode_post_create = selinux_inode_post_create,
4284 .inode_link = selinux_inode_link,
4285 .inode_post_link = selinux_inode_post_link,
4286 .inode_unlink = selinux_inode_unlink,
4287 .inode_symlink = selinux_inode_symlink,
4288 .inode_post_symlink = selinux_inode_post_symlink,
4289 .inode_mkdir = selinux_inode_mkdir,
4290 .inode_post_mkdir = selinux_inode_post_mkdir,
4291 .inode_rmdir = selinux_inode_rmdir,
4292 .inode_mknod = selinux_inode_mknod,
4293 .inode_post_mknod = selinux_inode_post_mknod,
4294 .inode_rename = selinux_inode_rename,
4295 .inode_post_rename = selinux_inode_post_rename,
4296 .inode_readlink = selinux_inode_readlink,
4297 .inode_follow_link = selinux_inode_follow_link,
4298 .inode_permission = selinux_inode_permission,
4299 .inode_setattr = selinux_inode_setattr,
4300 .inode_getattr = selinux_inode_getattr,
4301 .inode_setxattr = selinux_inode_setxattr,
4302 .inode_post_setxattr = selinux_inode_post_setxattr,
4303 .inode_getxattr = selinux_inode_getxattr,
4304 .inode_listxattr = selinux_inode_listxattr,
4305 .inode_removexattr = selinux_inode_removexattr,
4306 .inode_getsecurity = selinux_inode_getsecurity,
4307 .inode_setsecurity = selinux_inode_setsecurity,
4308 .inode_listsecurity = selinux_inode_listsecurity,
4310 .file_permission = selinux_file_permission,
4311 .file_alloc_security = selinux_file_alloc_security,
4312 .file_free_security = selinux_file_free_security,
4313 .file_ioctl = selinux_file_ioctl,
4314 .file_mmap = selinux_file_mmap,
4315 .file_mprotect = selinux_file_mprotect,
4316 .file_lock = selinux_file_lock,
4317 .file_fcntl = selinux_file_fcntl,
4318 .file_set_fowner = selinux_file_set_fowner,
4319 .file_send_sigiotask = selinux_file_send_sigiotask,
4320 .file_receive = selinux_file_receive,
4322 .task_create = selinux_task_create,
4323 .task_alloc_security = selinux_task_alloc_security,
4324 .task_free_security = selinux_task_free_security,
4325 .task_setuid = selinux_task_setuid,
4326 .task_post_setuid = selinux_task_post_setuid,
4327 .task_setgid = selinux_task_setgid,
4328 .task_setpgid = selinux_task_setpgid,
4329 .task_getpgid = selinux_task_getpgid,
4330 .task_getsid = selinux_task_getsid,
4331 .task_setgroups = selinux_task_setgroups,
4332 .task_setnice = selinux_task_setnice,
4333 .task_setrlimit = selinux_task_setrlimit,
4334 .task_setscheduler = selinux_task_setscheduler,
4335 .task_getscheduler = selinux_task_getscheduler,
4336 .task_kill = selinux_task_kill,
4337 .task_wait = selinux_task_wait,
4338 .task_prctl = selinux_task_prctl,
4339 .task_reparent_to_init = selinux_task_reparent_to_init,
4340 .task_to_inode = selinux_task_to_inode,
4342 .ipc_permission = selinux_ipc_permission,
4344 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4345 .msg_msg_free_security = selinux_msg_msg_free_security,
4347 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4348 .msg_queue_free_security = selinux_msg_queue_free_security,
4349 .msg_queue_associate = selinux_msg_queue_associate,
4350 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4351 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4352 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4354 .shm_alloc_security = selinux_shm_alloc_security,
4355 .shm_free_security = selinux_shm_free_security,
4356 .shm_associate = selinux_shm_associate,
4357 .shm_shmctl = selinux_shm_shmctl,
4358 .shm_shmat = selinux_shm_shmat,
4360 .sem_alloc_security = selinux_sem_alloc_security,
4361 .sem_free_security = selinux_sem_free_security,
4362 .sem_associate = selinux_sem_associate,
4363 .sem_semctl = selinux_sem_semctl,
4364 .sem_semop = selinux_sem_semop,
4366 .register_security = selinux_register_security,
4367 .unregister_security = selinux_unregister_security,
4369 .d_instantiate = selinux_d_instantiate,
4371 .getprocattr = selinux_getprocattr,
4372 .setprocattr = selinux_setprocattr,
4374 #ifdef CONFIG_SECURITY_NETWORK
4375 .unix_stream_connect = selinux_socket_unix_stream_connect,
4376 .unix_may_send = selinux_socket_unix_may_send,
4378 .socket_create = selinux_socket_create,
4379 .socket_post_create = selinux_socket_post_create,
4380 .socket_bind = selinux_socket_bind,
4381 .socket_connect = selinux_socket_connect,
4382 .socket_listen = selinux_socket_listen,
4383 .socket_accept = selinux_socket_accept,
4384 .socket_sendmsg = selinux_socket_sendmsg,
4385 .socket_recvmsg = selinux_socket_recvmsg,
4386 .socket_getsockname = selinux_socket_getsockname,
4387 .socket_getpeername = selinux_socket_getpeername,
4388 .socket_getsockopt = selinux_socket_getsockopt,
4389 .socket_setsockopt = selinux_socket_setsockopt,
4390 .socket_shutdown = selinux_socket_shutdown,
4391 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4392 .socket_getpeersec = selinux_socket_getpeersec,
4393 .sk_alloc_security = selinux_sk_alloc_security,
4394 .sk_free_security = selinux_sk_free_security,
4398 static __init int selinux_init(void)
4400 struct task_security_struct *tsec;
4402 if (!selinux_enabled) {
4403 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4407 printk(KERN_INFO "SELinux: Initializing.\n");
4409 /* Set the security state for the initial task. */
4410 if (task_alloc_security(current))
4411 panic("SELinux: Failed to initialize initial task.\n");
4412 tsec = current->security;
4413 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4417 original_ops = secondary_ops = security_ops;
4419 panic ("SELinux: No initial security operations\n");
4420 if (register_security (&selinux_ops))
4421 panic("SELinux: Unable to register with kernel.\n");
4423 if (selinux_enforcing) {
4424 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4426 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4431 void selinux_complete_init(void)
4433 printk(KERN_INFO "SELinux: Completing initialization.\n");
4435 /* Set up any superblocks initialized prior to the policy load. */
4436 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4437 spin_lock(&sb_security_lock);
4439 if (!list_empty(&superblock_security_head)) {
4440 struct superblock_security_struct *sbsec =
4441 list_entry(superblock_security_head.next,
4442 struct superblock_security_struct,
4444 struct super_block *sb = sbsec->sb;
4445 spin_lock(&sb_lock);
4447 spin_unlock(&sb_lock);
4448 spin_unlock(&sb_security_lock);
4449 down_read(&sb->s_umount);
4451 superblock_doinit(sb, NULL);
4453 spin_lock(&sb_security_lock);
4454 list_del_init(&sbsec->list);
4457 spin_unlock(&sb_security_lock);
4460 /* SELinux requires early initialization in order to label
4461 all processes and objects when they are created. */
4462 security_initcall(selinux_init);
4464 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4466 static struct nf_hook_ops selinux_ipv4_op = {
4467 .hook = selinux_ipv4_postroute_last,
4468 .owner = THIS_MODULE,
4470 .hooknum = NF_IP_POST_ROUTING,
4471 .priority = NF_IP_PRI_SELINUX_LAST,
4474 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4476 static struct nf_hook_ops selinux_ipv6_op = {
4477 .hook = selinux_ipv6_postroute_last,
4478 .owner = THIS_MODULE,
4480 .hooknum = NF_IP6_POST_ROUTING,
4481 .priority = NF_IP6_PRI_SELINUX_LAST,
4486 static int __init selinux_nf_ip_init(void)
4490 if (!selinux_enabled)
4493 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4495 err = nf_register_hook(&selinux_ipv4_op);
4497 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4499 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4501 err = nf_register_hook(&selinux_ipv6_op);
4503 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4510 __initcall(selinux_nf_ip_init);
4512 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4513 static void selinux_nf_ip_exit(void)
4515 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4517 nf_unregister_hook(&selinux_ipv4_op);
4518 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4519 nf_unregister_hook(&selinux_ipv6_op);
4524 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4526 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4527 #define selinux_nf_ip_exit()
4530 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4532 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4533 int selinux_disable(void)
4535 extern void exit_sel_fs(void);
4536 static int selinux_disabled = 0;
4538 if (ss_initialized) {
4539 /* Not permitted after initial policy load. */
4543 if (selinux_disabled) {
4544 /* Only do this once. */
4548 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4550 selinux_disabled = 1;
4552 /* Reset security_ops to the secondary module, dummy or capability. */
4553 security_ops = secondary_ops;
4555 /* Unregister netfilter hooks. */
4556 selinux_nf_ip_exit();
4558 /* Unregister selinuxfs. */
projects / cascardo / linux.git / blob