2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
103 static int __init enforcing_setup(char *str)
105 unsigned long enforcing;
106 if (!kstrtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
110 __setup("enforcing=", enforcing_setup);
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116 static int __init selinux_enabled_setup(char *str)
118 unsigned long enabled;
119 if (!kstrtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
123 __setup("selinux=", selinux_enabled_setup);
125 int selinux_enabled = 1;
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
142 static int selinux_secmark_enabled(void)
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
157 static int selinux_peerlbl_enabled(void)
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162 static int selinux_netcache_avc_callback(u32 event)
164 if (event == AVC_CALLBACK_RESET) {
174 * initialise the security for the init task
176 static void cred_init_security(void)
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
183 panic("SELinux: Failed to initialize initial task.\n");
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
190 * get the security ID of a set of credentials
192 static inline u32 cred_sid(const struct cred *cred)
194 const struct task_security_struct *tsec;
196 tsec = cred->security;
201 * get the objective security ID of a task
203 static inline u32 task_sid(const struct task_struct *task)
208 sid = cred_sid(__task_cred(task));
214 * get the subjective security ID of the current task
216 static inline u32 current_sid(void)
218 const struct task_security_struct *tsec = current_security();
223 /* Allocate and free functions for each kind of security blob. */
225 static int inode_alloc_security(struct inode *inode)
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
234 mutex_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 inode->i_security = isec;
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
254 static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
258 struct inode_security_struct *isec = inode->i_security;
260 might_sleep_if(may_sleep);
262 if (isec->initialized == LABEL_INVALID) {
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
271 inode_doinit_with_dentry(inode, opt_dentry);
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
278 return inode->i_security;
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
285 error = __inode_security_revalidate(inode, NULL, !rcu);
287 return ERR_PTR(error);
288 return inode->i_security;
292 * Get the security label of an inode.
294 static struct inode_security_struct *inode_security(struct inode *inode)
296 __inode_security_revalidate(inode, NULL, true);
297 return inode->i_security;
301 * Get the security label of a dentry's backing inode.
303 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
305 struct inode *inode = d_backing_inode(dentry);
307 __inode_security_revalidate(inode, dentry, true);
308 return inode->i_security;
311 static void inode_free_rcu(struct rcu_head *head)
313 struct inode_security_struct *isec;
315 isec = container_of(head, struct inode_security_struct, rcu);
316 kmem_cache_free(sel_inode_cache, isec);
319 static void inode_free_security(struct inode *inode)
321 struct inode_security_struct *isec = inode->i_security;
322 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
325 * As not all inode security structures are in a list, we check for
326 * empty list outside of the lock to make sure that we won't waste
327 * time taking a lock doing nothing.
329 * The list_del_init() function can be safely called more than once.
330 * It should not be possible for this function to be called with
331 * concurrent list_add(), but for better safety against future changes
332 * in the code, we use list_empty_careful() here.
334 if (!list_empty_careful(&isec->list)) {
335 spin_lock(&sbsec->isec_lock);
336 list_del_init(&isec->list);
337 spin_unlock(&sbsec->isec_lock);
341 * The inode may still be referenced in a path walk and
342 * a call to selinux_inode_permission() can be made
343 * after inode_free_security() is called. Ideally, the VFS
344 * wouldn't do this, but fixing that is a much harder
345 * job. For now, simply free the i_security via RCU, and
346 * leave the current inode->i_security pointer intact.
347 * The inode will be freed after the RCU grace period too.
349 call_rcu(&isec->rcu, inode_free_rcu);
352 static int file_alloc_security(struct file *file)
354 struct file_security_struct *fsec;
355 u32 sid = current_sid();
357 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
362 fsec->fown_sid = sid;
363 file->f_security = fsec;
368 static void file_free_security(struct file *file)
370 struct file_security_struct *fsec = file->f_security;
371 file->f_security = NULL;
372 kmem_cache_free(file_security_cache, fsec);
375 static int superblock_alloc_security(struct super_block *sb)
377 struct superblock_security_struct *sbsec;
379 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
383 mutex_init(&sbsec->lock);
384 INIT_LIST_HEAD(&sbsec->isec_head);
385 spin_lock_init(&sbsec->isec_lock);
387 sbsec->sid = SECINITSID_UNLABELED;
388 sbsec->def_sid = SECINITSID_FILE;
389 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
390 sb->s_security = sbsec;
395 static void superblock_free_security(struct super_block *sb)
397 struct superblock_security_struct *sbsec = sb->s_security;
398 sb->s_security = NULL;
402 /* The file system's label must be initialized prior to use. */
404 static const char *labeling_behaviors[7] = {
406 "uses transition SIDs",
408 "uses genfs_contexts",
409 "not configured for labeling",
410 "uses mountpoint labeling",
411 "uses native labeling",
414 static inline int inode_doinit(struct inode *inode)
416 return inode_doinit_with_dentry(inode, NULL);
425 Opt_labelsupport = 5,
429 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
431 static const match_table_t tokens = {
432 {Opt_context, CONTEXT_STR "%s"},
433 {Opt_fscontext, FSCONTEXT_STR "%s"},
434 {Opt_defcontext, DEFCONTEXT_STR "%s"},
435 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
436 {Opt_labelsupport, LABELSUPP_STR},
440 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
442 static int may_context_mount_sb_relabel(u32 sid,
443 struct superblock_security_struct *sbsec,
444 const struct cred *cred)
446 const struct task_security_struct *tsec = cred->security;
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL);
454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELTO, NULL);
459 static int may_context_mount_inode_relabel(u32 sid,
460 struct superblock_security_struct *sbsec,
461 const struct cred *cred)
463 const struct task_security_struct *tsec = cred->security;
465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 FILESYSTEM__RELABELFROM, NULL);
470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 FILESYSTEM__ASSOCIATE, NULL);
475 static int selinux_is_sblabel_mnt(struct super_block *sb)
477 struct superblock_security_struct *sbsec = sb->s_security;
479 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
480 sbsec->behavior == SECURITY_FS_USE_TRANS ||
481 sbsec->behavior == SECURITY_FS_USE_TASK ||
482 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
483 /* Special handling. Genfs but also in-core setxattr handler */
484 !strcmp(sb->s_type->name, "sysfs") ||
485 !strcmp(sb->s_type->name, "pstore") ||
486 !strcmp(sb->s_type->name, "debugfs") ||
487 !strcmp(sb->s_type->name, "rootfs");
490 static int sb_finish_set_opts(struct super_block *sb)
492 struct superblock_security_struct *sbsec = sb->s_security;
493 struct dentry *root = sb->s_root;
494 struct inode *root_inode = d_backing_inode(root);
497 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
498 /* Make sure that the xattr handler exists and that no
499 error other than -ENODATA is returned by getxattr on
500 the root directory. -ENODATA is ok, as this may be
501 the first boot of the SELinux kernel before we have
502 assigned xattr values to the filesystem. */
503 if (!root_inode->i_op->getxattr) {
504 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
505 "xattr support\n", sb->s_id, sb->s_type->name);
509 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
510 if (rc < 0 && rc != -ENODATA) {
511 if (rc == -EOPNOTSUPP)
512 printk(KERN_WARNING "SELinux: (dev %s, type "
513 "%s) has no security xattr handler\n",
514 sb->s_id, sb->s_type->name);
516 printk(KERN_WARNING "SELinux: (dev %s, type "
517 "%s) getxattr errno %d\n", sb->s_id,
518 sb->s_type->name, -rc);
523 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
524 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
525 sb->s_id, sb->s_type->name);
527 sbsec->flags |= SE_SBINITIALIZED;
528 if (selinux_is_sblabel_mnt(sb))
529 sbsec->flags |= SBLABEL_MNT;
531 /* Initialize the root inode. */
532 rc = inode_doinit_with_dentry(root_inode, root);
534 /* Initialize any other inodes associated with the superblock, e.g.
535 inodes created prior to initial policy load or inodes created
536 during get_sb by a pseudo filesystem that directly
538 spin_lock(&sbsec->isec_lock);
540 if (!list_empty(&sbsec->isec_head)) {
541 struct inode_security_struct *isec =
542 list_entry(sbsec->isec_head.next,
543 struct inode_security_struct, list);
544 struct inode *inode = isec->inode;
545 list_del_init(&isec->list);
546 spin_unlock(&sbsec->isec_lock);
547 inode = igrab(inode);
549 if (!IS_PRIVATE(inode))
553 spin_lock(&sbsec->isec_lock);
556 spin_unlock(&sbsec->isec_lock);
562 * This function should allow an FS to ask what it's mount security
563 * options were so it can use those later for submounts, displaying
564 * mount options, or whatever.
566 static int selinux_get_mnt_opts(const struct super_block *sb,
567 struct security_mnt_opts *opts)
570 struct superblock_security_struct *sbsec = sb->s_security;
571 char *context = NULL;
575 security_init_mnt_opts(opts);
577 if (!(sbsec->flags & SE_SBINITIALIZED))
583 /* make sure we always check enough bits to cover the mask */
584 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
586 tmp = sbsec->flags & SE_MNTMASK;
587 /* count the number of mount options for this sb */
588 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
590 opts->num_mnt_opts++;
593 /* Check if the Label support flag is set */
594 if (sbsec->flags & SBLABEL_MNT)
595 opts->num_mnt_opts++;
597 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
598 if (!opts->mnt_opts) {
603 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
604 if (!opts->mnt_opts_flags) {
610 if (sbsec->flags & FSCONTEXT_MNT) {
611 rc = security_sid_to_context(sbsec->sid, &context, &len);
614 opts->mnt_opts[i] = context;
615 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
617 if (sbsec->flags & CONTEXT_MNT) {
618 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
621 opts->mnt_opts[i] = context;
622 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
624 if (sbsec->flags & DEFCONTEXT_MNT) {
625 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
628 opts->mnt_opts[i] = context;
629 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
631 if (sbsec->flags & ROOTCONTEXT_MNT) {
632 struct dentry *root = sbsec->sb->s_root;
633 struct inode_security_struct *isec = backing_inode_security(root);
635 rc = security_sid_to_context(isec->sid, &context, &len);
638 opts->mnt_opts[i] = context;
639 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
641 if (sbsec->flags & SBLABEL_MNT) {
642 opts->mnt_opts[i] = NULL;
643 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
646 BUG_ON(i != opts->num_mnt_opts);
651 security_free_mnt_opts(opts);
655 static int bad_option(struct superblock_security_struct *sbsec, char flag,
656 u32 old_sid, u32 new_sid)
658 char mnt_flags = sbsec->flags & SE_MNTMASK;
660 /* check if the old mount command had the same options */
661 if (sbsec->flags & SE_SBINITIALIZED)
662 if (!(sbsec->flags & flag) ||
663 (old_sid != new_sid))
666 /* check if we were passed the same options twice,
667 * aka someone passed context=a,context=b
669 if (!(sbsec->flags & SE_SBINITIALIZED))
670 if (mnt_flags & flag)
676 * Allow filesystems with binary mount data to explicitly set mount point
677 * labeling information.
679 static int selinux_set_mnt_opts(struct super_block *sb,
680 struct security_mnt_opts *opts,
681 unsigned long kern_flags,
682 unsigned long *set_kern_flags)
684 const struct cred *cred = current_cred();
686 struct superblock_security_struct *sbsec = sb->s_security;
687 const char *name = sb->s_type->name;
688 struct dentry *root = sbsec->sb->s_root;
689 struct inode_security_struct *root_isec = backing_inode_security(root);
690 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
691 u32 defcontext_sid = 0;
692 char **mount_options = opts->mnt_opts;
693 int *flags = opts->mnt_opts_flags;
694 int num_opts = opts->num_mnt_opts;
696 mutex_lock(&sbsec->lock);
698 if (!ss_initialized) {
700 /* Defer initialization until selinux_complete_init,
701 after the initial policy is loaded and the security
702 server is ready to handle calls. */
706 printk(KERN_WARNING "SELinux: Unable to set superblock options "
707 "before the security server is initialized\n");
710 if (kern_flags && !set_kern_flags) {
711 /* Specifying internal flags without providing a place to
712 * place the results is not allowed */
718 * Binary mount data FS will come through this function twice. Once
719 * from an explicit call and once from the generic calls from the vfs.
720 * Since the generic VFS calls will not contain any security mount data
721 * we need to skip the double mount verification.
723 * This does open a hole in which we will not notice if the first
724 * mount using this sb set explict options and a second mount using
725 * this sb does not set any security options. (The first options
726 * will be used for both mounts)
728 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
733 * parse the mount options, check if they are valid sids.
734 * also check if someone is trying to mount the same sb more
735 * than once with different security options.
737 for (i = 0; i < num_opts; i++) {
740 if (flags[i] == SBLABEL_MNT)
742 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
744 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
745 "(%s) failed for (dev %s, type %s) errno=%d\n",
746 mount_options[i], sb->s_id, name, rc);
753 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
755 goto out_double_mount;
757 sbsec->flags |= FSCONTEXT_MNT;
762 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
764 goto out_double_mount;
766 sbsec->flags |= CONTEXT_MNT;
768 case ROOTCONTEXT_MNT:
769 rootcontext_sid = sid;
771 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
773 goto out_double_mount;
775 sbsec->flags |= ROOTCONTEXT_MNT;
779 defcontext_sid = sid;
781 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
783 goto out_double_mount;
785 sbsec->flags |= DEFCONTEXT_MNT;
794 if (sbsec->flags & SE_SBINITIALIZED) {
795 /* previously mounted with options, but not on this attempt? */
796 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
797 goto out_double_mount;
802 if (strcmp(sb->s_type->name, "proc") == 0)
803 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
805 if (!strcmp(sb->s_type->name, "debugfs") ||
806 !strcmp(sb->s_type->name, "sysfs") ||
807 !strcmp(sb->s_type->name, "pstore"))
808 sbsec->flags |= SE_SBGENFS;
810 if (!sbsec->behavior) {
812 * Determine the labeling behavior to use for this
815 rc = security_fs_use(sb);
818 "%s: security_fs_use(%s) returned %d\n",
819 __func__, sb->s_type->name, rc);
823 /* sets the context of the superblock for the fs being mounted. */
825 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
829 sbsec->sid = fscontext_sid;
833 * Switch to using mount point labeling behavior.
834 * sets the label used on all file below the mountpoint, and will set
835 * the superblock context if not already set.
837 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
838 sbsec->behavior = SECURITY_FS_USE_NATIVE;
839 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
843 if (!fscontext_sid) {
844 rc = may_context_mount_sb_relabel(context_sid, sbsec,
848 sbsec->sid = context_sid;
850 rc = may_context_mount_inode_relabel(context_sid, sbsec,
855 if (!rootcontext_sid)
856 rootcontext_sid = context_sid;
858 sbsec->mntpoint_sid = context_sid;
859 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
862 if (rootcontext_sid) {
863 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
868 root_isec->sid = rootcontext_sid;
869 root_isec->initialized = LABEL_INITIALIZED;
872 if (defcontext_sid) {
873 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
874 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
876 printk(KERN_WARNING "SELinux: defcontext option is "
877 "invalid for this filesystem type\n");
881 if (defcontext_sid != sbsec->def_sid) {
882 rc = may_context_mount_inode_relabel(defcontext_sid,
888 sbsec->def_sid = defcontext_sid;
891 rc = sb_finish_set_opts(sb);
893 mutex_unlock(&sbsec->lock);
897 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
898 "security settings for (dev %s, type %s)\n", sb->s_id, name);
902 static int selinux_cmp_sb_context(const struct super_block *oldsb,
903 const struct super_block *newsb)
905 struct superblock_security_struct *old = oldsb->s_security;
906 struct superblock_security_struct *new = newsb->s_security;
907 char oldflags = old->flags & SE_MNTMASK;
908 char newflags = new->flags & SE_MNTMASK;
910 if (oldflags != newflags)
912 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
914 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
916 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
918 if (oldflags & ROOTCONTEXT_MNT) {
919 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
920 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
921 if (oldroot->sid != newroot->sid)
926 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
927 "different security settings for (dev %s, "
928 "type %s)\n", newsb->s_id, newsb->s_type->name);
932 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
933 struct super_block *newsb)
935 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
936 struct superblock_security_struct *newsbsec = newsb->s_security;
938 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
939 int set_context = (oldsbsec->flags & CONTEXT_MNT);
940 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
943 * if the parent was able to be mounted it clearly had no special lsm
944 * mount options. thus we can safely deal with this superblock later
949 /* how can we clone if the old one wasn't set up?? */
950 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
952 /* if fs is reusing a sb, make sure that the contexts match */
953 if (newsbsec->flags & SE_SBINITIALIZED)
954 return selinux_cmp_sb_context(oldsb, newsb);
956 mutex_lock(&newsbsec->lock);
958 newsbsec->flags = oldsbsec->flags;
960 newsbsec->sid = oldsbsec->sid;
961 newsbsec->def_sid = oldsbsec->def_sid;
962 newsbsec->behavior = oldsbsec->behavior;
965 u32 sid = oldsbsec->mntpoint_sid;
969 if (!set_rootcontext) {
970 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
973 newsbsec->mntpoint_sid = sid;
975 if (set_rootcontext) {
976 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
977 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
979 newisec->sid = oldisec->sid;
982 sb_finish_set_opts(newsb);
983 mutex_unlock(&newsbsec->lock);
987 static int selinux_parse_opts_str(char *options,
988 struct security_mnt_opts *opts)
991 char *context = NULL, *defcontext = NULL;
992 char *fscontext = NULL, *rootcontext = NULL;
993 int rc, num_mnt_opts = 0;
995 opts->num_mnt_opts = 0;
997 /* Standard string-based options. */
998 while ((p = strsep(&options, "|")) != NULL) {
1000 substring_t args[MAX_OPT_ARGS];
1005 token = match_token(p, tokens, args);
1009 if (context || defcontext) {
1011 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1014 context = match_strdup(&args[0]);
1024 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1027 fscontext = match_strdup(&args[0]);
1034 case Opt_rootcontext:
1037 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1040 rootcontext = match_strdup(&args[0]);
1047 case Opt_defcontext:
1048 if (context || defcontext) {
1050 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1053 defcontext = match_strdup(&args[0]);
1059 case Opt_labelsupport:
1063 printk(KERN_WARNING "SELinux: unknown mount option\n");
1070 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1071 if (!opts->mnt_opts)
1074 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1075 if (!opts->mnt_opts_flags) {
1076 kfree(opts->mnt_opts);
1081 opts->mnt_opts[num_mnt_opts] = fscontext;
1082 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1085 opts->mnt_opts[num_mnt_opts] = context;
1086 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1089 opts->mnt_opts[num_mnt_opts] = rootcontext;
1090 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1093 opts->mnt_opts[num_mnt_opts] = defcontext;
1094 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1097 opts->num_mnt_opts = num_mnt_opts;
1108 * string mount options parsing and call set the sbsec
1110 static int superblock_doinit(struct super_block *sb, void *data)
1113 char *options = data;
1114 struct security_mnt_opts opts;
1116 security_init_mnt_opts(&opts);
1121 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1123 rc = selinux_parse_opts_str(options, &opts);
1128 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1131 security_free_mnt_opts(&opts);
1135 static void selinux_write_opts(struct seq_file *m,
1136 struct security_mnt_opts *opts)
1141 for (i = 0; i < opts->num_mnt_opts; i++) {
1144 if (opts->mnt_opts[i])
1145 has_comma = strchr(opts->mnt_opts[i], ',');
1149 switch (opts->mnt_opts_flags[i]) {
1151 prefix = CONTEXT_STR;
1154 prefix = FSCONTEXT_STR;
1156 case ROOTCONTEXT_MNT:
1157 prefix = ROOTCONTEXT_STR;
1159 case DEFCONTEXT_MNT:
1160 prefix = DEFCONTEXT_STR;
1164 seq_puts(m, LABELSUPP_STR);
1170 /* we need a comma before each option */
1172 seq_puts(m, prefix);
1175 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1181 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1183 struct security_mnt_opts opts;
1186 rc = selinux_get_mnt_opts(sb, &opts);
1188 /* before policy load we may get EINVAL, don't show anything */
1194 selinux_write_opts(m, &opts);
1196 security_free_mnt_opts(&opts);
1201 static inline u16 inode_mode_to_security_class(umode_t mode)
1203 switch (mode & S_IFMT) {
1205 return SECCLASS_SOCK_FILE;
1207 return SECCLASS_LNK_FILE;
1209 return SECCLASS_FILE;
1211 return SECCLASS_BLK_FILE;
1213 return SECCLASS_DIR;
1215 return SECCLASS_CHR_FILE;
1217 return SECCLASS_FIFO_FILE;
1221 return SECCLASS_FILE;
1224 static inline int default_protocol_stream(int protocol)
1226 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1229 static inline int default_protocol_dgram(int protocol)
1231 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1234 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1240 case SOCK_SEQPACKET:
1241 return SECCLASS_UNIX_STREAM_SOCKET;
1243 return SECCLASS_UNIX_DGRAM_SOCKET;
1250 if (default_protocol_stream(protocol))
1251 return SECCLASS_TCP_SOCKET;
1253 return SECCLASS_RAWIP_SOCKET;
1255 if (default_protocol_dgram(protocol))
1256 return SECCLASS_UDP_SOCKET;
1258 return SECCLASS_RAWIP_SOCKET;
1260 return SECCLASS_DCCP_SOCKET;
1262 return SECCLASS_RAWIP_SOCKET;
1268 return SECCLASS_NETLINK_ROUTE_SOCKET;
1269 case NETLINK_SOCK_DIAG:
1270 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1272 return SECCLASS_NETLINK_NFLOG_SOCKET;
1274 return SECCLASS_NETLINK_XFRM_SOCKET;
1275 case NETLINK_SELINUX:
1276 return SECCLASS_NETLINK_SELINUX_SOCKET;
1278 return SECCLASS_NETLINK_ISCSI_SOCKET;
1280 return SECCLASS_NETLINK_AUDIT_SOCKET;
1281 case NETLINK_FIB_LOOKUP:
1282 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1283 case NETLINK_CONNECTOR:
1284 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1285 case NETLINK_NETFILTER:
1286 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1287 case NETLINK_DNRTMSG:
1288 return SECCLASS_NETLINK_DNRT_SOCKET;
1289 case NETLINK_KOBJECT_UEVENT:
1290 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1291 case NETLINK_GENERIC:
1292 return SECCLASS_NETLINK_GENERIC_SOCKET;
1293 case NETLINK_SCSITRANSPORT:
1294 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1296 return SECCLASS_NETLINK_RDMA_SOCKET;
1297 case NETLINK_CRYPTO:
1298 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1300 return SECCLASS_NETLINK_SOCKET;
1303 return SECCLASS_PACKET_SOCKET;
1305 return SECCLASS_KEY_SOCKET;
1307 return SECCLASS_APPLETALK_SOCKET;
1310 return SECCLASS_SOCKET;
1313 static int selinux_genfs_get_sid(struct dentry *dentry,
1319 struct super_block *sb = dentry->d_inode->i_sb;
1320 char *buffer, *path;
1322 buffer = (char *)__get_free_page(GFP_KERNEL);
1326 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1330 if (flags & SE_SBPROC) {
1331 /* each process gets a /proc/PID/ entry. Strip off the
1332 * PID part to get a valid selinux labeling.
1333 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1334 while (path[1] >= '0' && path[1] <= '9') {
1339 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1341 free_page((unsigned long)buffer);
1345 /* The inode's security attributes must be initialized before first use. */
1346 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1348 struct superblock_security_struct *sbsec = NULL;
1349 struct inode_security_struct *isec = inode->i_security;
1351 struct dentry *dentry;
1352 #define INITCONTEXTLEN 255
1353 char *context = NULL;
1357 if (isec->initialized == LABEL_INITIALIZED)
1360 mutex_lock(&isec->lock);
1361 if (isec->initialized == LABEL_INITIALIZED)
1364 sbsec = inode->i_sb->s_security;
1365 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1366 /* Defer initialization until selinux_complete_init,
1367 after the initial policy is loaded and the security
1368 server is ready to handle calls. */
1369 spin_lock(&sbsec->isec_lock);
1370 if (list_empty(&isec->list))
1371 list_add(&isec->list, &sbsec->isec_head);
1372 spin_unlock(&sbsec->isec_lock);
1376 switch (sbsec->behavior) {
1377 case SECURITY_FS_USE_NATIVE:
1379 case SECURITY_FS_USE_XATTR:
1380 if (!inode->i_op->getxattr) {
1381 isec->sid = sbsec->def_sid;
1385 /* Need a dentry, since the xattr API requires one.
1386 Life would be simpler if we could just pass the inode. */
1388 /* Called from d_instantiate or d_splice_alias. */
1389 dentry = dget(opt_dentry);
1391 /* Called from selinux_complete_init, try to find a dentry. */
1392 dentry = d_find_alias(inode);
1396 * this is can be hit on boot when a file is accessed
1397 * before the policy is loaded. When we load policy we
1398 * may find inodes that have no dentry on the
1399 * sbsec->isec_head list. No reason to complain as these
1400 * will get fixed up the next time we go through
1401 * inode_doinit with a dentry, before these inodes could
1402 * be used again by userspace.
1407 len = INITCONTEXTLEN;
1408 context = kmalloc(len+1, GFP_NOFS);
1414 context[len] = '\0';
1415 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1417 if (rc == -ERANGE) {
1420 /* Need a larger buffer. Query for the right size. */
1421 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1428 context = kmalloc(len+1, GFP_NOFS);
1434 context[len] = '\0';
1435 rc = inode->i_op->getxattr(dentry,
1441 if (rc != -ENODATA) {
1442 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1443 "%d for dev=%s ino=%ld\n", __func__,
1444 -rc, inode->i_sb->s_id, inode->i_ino);
1448 /* Map ENODATA to the default file SID */
1449 sid = sbsec->def_sid;
1452 rc = security_context_to_sid_default(context, rc, &sid,
1456 char *dev = inode->i_sb->s_id;
1457 unsigned long ino = inode->i_ino;
1459 if (rc == -EINVAL) {
1460 if (printk_ratelimit())
1461 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1462 "context=%s. This indicates you may need to relabel the inode or the "
1463 "filesystem in question.\n", ino, dev, context);
1465 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1466 "returned %d for dev=%s ino=%ld\n",
1467 __func__, context, -rc, dev, ino);
1470 /* Leave with the unlabeled SID */
1478 case SECURITY_FS_USE_TASK:
1479 isec->sid = isec->task_sid;
1481 case SECURITY_FS_USE_TRANS:
1482 /* Default to the fs SID. */
1483 isec->sid = sbsec->sid;
1485 /* Try to obtain a transition SID. */
1486 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1487 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1488 isec->sclass, NULL, &sid);
1493 case SECURITY_FS_USE_MNTPOINT:
1494 isec->sid = sbsec->mntpoint_sid;
1497 /* Default to the fs superblock SID. */
1498 isec->sid = sbsec->sid;
1500 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1501 /* We must have a dentry to determine the label on
1504 /* Called from d_instantiate or
1505 * d_splice_alias. */
1506 dentry = dget(opt_dentry);
1508 /* Called from selinux_complete_init, try to
1510 dentry = d_find_alias(inode);
1512 * This can be hit on boot when a file is accessed
1513 * before the policy is loaded. When we load policy we
1514 * may find inodes that have no dentry on the
1515 * sbsec->isec_head list. No reason to complain as
1516 * these will get fixed up the next time we go through
1517 * inode_doinit() with a dentry, before these inodes
1518 * could be used again by userspace.
1522 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1523 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1524 sbsec->flags, &sid);
1533 isec->initialized = LABEL_INITIALIZED;
1536 mutex_unlock(&isec->lock);
1538 if (isec->sclass == SECCLASS_FILE)
1539 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1543 /* Convert a Linux signal to an access vector. */
1544 static inline u32 signal_to_av(int sig)
1550 /* Commonly granted from child to parent. */
1551 perm = PROCESS__SIGCHLD;
1554 /* Cannot be caught or ignored */
1555 perm = PROCESS__SIGKILL;
1558 /* Cannot be caught or ignored */
1559 perm = PROCESS__SIGSTOP;
1562 /* All other signals. */
1563 perm = PROCESS__SIGNAL;
1571 * Check permission between a pair of credentials
1572 * fork check, ptrace check, etc.
1574 static int cred_has_perm(const struct cred *actor,
1575 const struct cred *target,
1578 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1580 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1584 * Check permission between a pair of tasks, e.g. signal checks,
1585 * fork check, ptrace check, etc.
1586 * tsk1 is the actor and tsk2 is the target
1587 * - this uses the default subjective creds of tsk1
1589 static int task_has_perm(const struct task_struct *tsk1,
1590 const struct task_struct *tsk2,
1593 const struct task_security_struct *__tsec1, *__tsec2;
1597 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1598 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1600 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1604 * Check permission between current and another task, e.g. signal checks,
1605 * fork check, ptrace check, etc.
1606 * current is the actor and tsk2 is the target
1607 * - this uses current's subjective creds
1609 static int current_has_perm(const struct task_struct *tsk,
1614 sid = current_sid();
1615 tsid = task_sid(tsk);
1616 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1619 #if CAP_LAST_CAP > 63
1620 #error Fix SELinux to handle capabilities > 63.
1623 /* Check whether a task is allowed to use a capability. */
1624 static int cred_has_capability(const struct cred *cred,
1627 struct common_audit_data ad;
1628 struct av_decision avd;
1630 u32 sid = cred_sid(cred);
1631 u32 av = CAP_TO_MASK(cap);
1634 ad.type = LSM_AUDIT_DATA_CAP;
1637 switch (CAP_TO_INDEX(cap)) {
1639 sclass = SECCLASS_CAPABILITY;
1642 sclass = SECCLASS_CAPABILITY2;
1646 "SELinux: out of range capability %d\n", cap);
1651 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1652 if (audit == SECURITY_CAP_AUDIT) {
1653 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1660 /* Check whether a task is allowed to use a system operation. */
1661 static int task_has_system(struct task_struct *tsk,
1664 u32 sid = task_sid(tsk);
1666 return avc_has_perm(sid, SECINITSID_KERNEL,
1667 SECCLASS_SYSTEM, perms, NULL);
1670 /* Check whether a task has a particular permission to an inode.
1671 The 'adp' parameter is optional and allows other audit
1672 data to be passed (e.g. the dentry). */
1673 static int inode_has_perm(const struct cred *cred,
1674 struct inode *inode,
1676 struct common_audit_data *adp)
1678 struct inode_security_struct *isec;
1681 validate_creds(cred);
1683 if (unlikely(IS_PRIVATE(inode)))
1686 sid = cred_sid(cred);
1687 isec = inode->i_security;
1689 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1692 /* Same as inode_has_perm, but pass explicit audit data containing
1693 the dentry to help the auditing code to more easily generate the
1694 pathname if needed. */
1695 static inline int dentry_has_perm(const struct cred *cred,
1696 struct dentry *dentry,
1699 struct inode *inode = d_backing_inode(dentry);
1700 struct common_audit_data ad;
1702 ad.type = LSM_AUDIT_DATA_DENTRY;
1703 ad.u.dentry = dentry;
1704 __inode_security_revalidate(inode, dentry, true);
1705 return inode_has_perm(cred, inode, av, &ad);
1708 /* Same as inode_has_perm, but pass explicit audit data containing
1709 the path to help the auditing code to more easily generate the
1710 pathname if needed. */
1711 static inline int path_has_perm(const struct cred *cred,
1712 const struct path *path,
1715 struct inode *inode = d_backing_inode(path->dentry);
1716 struct common_audit_data ad;
1718 ad.type = LSM_AUDIT_DATA_PATH;
1720 __inode_security_revalidate(inode, path->dentry, true);
1721 return inode_has_perm(cred, inode, av, &ad);
1724 /* Same as path_has_perm, but uses the inode from the file struct. */
1725 static inline int file_path_has_perm(const struct cred *cred,
1729 struct common_audit_data ad;
1731 ad.type = LSM_AUDIT_DATA_PATH;
1732 ad.u.path = file->f_path;
1733 return inode_has_perm(cred, file_inode(file), av, &ad);
1736 /* Check whether a task can use an open file descriptor to
1737 access an inode in a given way. Check access to the
1738 descriptor itself, and then use dentry_has_perm to
1739 check a particular permission to the file.
1740 Access to the descriptor is implicitly granted if it
1741 has the same SID as the process. If av is zero, then
1742 access to the file is not checked, e.g. for cases
1743 where only the descriptor is affected like seek. */
1744 static int file_has_perm(const struct cred *cred,
1748 struct file_security_struct *fsec = file->f_security;
1749 struct inode *inode = file_inode(file);
1750 struct common_audit_data ad;
1751 u32 sid = cred_sid(cred);
1754 ad.type = LSM_AUDIT_DATA_PATH;
1755 ad.u.path = file->f_path;
1757 if (sid != fsec->sid) {
1758 rc = avc_has_perm(sid, fsec->sid,
1766 /* av is zero if only checking access to the descriptor. */
1769 rc = inode_has_perm(cred, inode, av, &ad);
1776 * Determine the label for an inode that might be unioned.
1778 static int selinux_determine_inode_label(struct inode *dir,
1779 const struct qstr *name,
1783 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1784 const struct inode_security_struct *dsec = inode_security(dir);
1785 const struct task_security_struct *tsec = current_security();
1787 if ((sbsec->flags & SE_SBINITIALIZED) &&
1788 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1789 *_new_isid = sbsec->mntpoint_sid;
1790 } else if ((sbsec->flags & SBLABEL_MNT) &&
1792 *_new_isid = tsec->create_sid;
1794 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1801 /* Check whether a task can create a file. */
1802 static int may_create(struct inode *dir,
1803 struct dentry *dentry,
1806 const struct task_security_struct *tsec = current_security();
1807 struct inode_security_struct *dsec;
1808 struct superblock_security_struct *sbsec;
1810 struct common_audit_data ad;
1813 dsec = inode_security(dir);
1814 sbsec = dir->i_sb->s_security;
1818 ad.type = LSM_AUDIT_DATA_DENTRY;
1819 ad.u.dentry = dentry;
1821 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1822 DIR__ADD_NAME | DIR__SEARCH,
1827 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1832 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1836 return avc_has_perm(newsid, sbsec->sid,
1837 SECCLASS_FILESYSTEM,
1838 FILESYSTEM__ASSOCIATE, &ad);
1841 /* Check whether a task can create a key. */
1842 static int may_create_key(u32 ksid,
1843 struct task_struct *ctx)
1845 u32 sid = task_sid(ctx);
1847 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1851 #define MAY_UNLINK 1
1854 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1855 static int may_link(struct inode *dir,
1856 struct dentry *dentry,
1860 struct inode_security_struct *dsec, *isec;
1861 struct common_audit_data ad;
1862 u32 sid = current_sid();
1866 dsec = inode_security(dir);
1867 isec = backing_inode_security(dentry);
1869 ad.type = LSM_AUDIT_DATA_DENTRY;
1870 ad.u.dentry = dentry;
1873 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1874 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1889 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1894 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1898 static inline int may_rename(struct inode *old_dir,
1899 struct dentry *old_dentry,
1900 struct inode *new_dir,
1901 struct dentry *new_dentry)
1903 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1904 struct common_audit_data ad;
1905 u32 sid = current_sid();
1907 int old_is_dir, new_is_dir;
1910 old_dsec = inode_security(old_dir);
1911 old_isec = backing_inode_security(old_dentry);
1912 old_is_dir = d_is_dir(old_dentry);
1913 new_dsec = inode_security(new_dir);
1915 ad.type = LSM_AUDIT_DATA_DENTRY;
1917 ad.u.dentry = old_dentry;
1918 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1919 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1922 rc = avc_has_perm(sid, old_isec->sid,
1923 old_isec->sclass, FILE__RENAME, &ad);
1926 if (old_is_dir && new_dir != old_dir) {
1927 rc = avc_has_perm(sid, old_isec->sid,
1928 old_isec->sclass, DIR__REPARENT, &ad);
1933 ad.u.dentry = new_dentry;
1934 av = DIR__ADD_NAME | DIR__SEARCH;
1935 if (d_is_positive(new_dentry))
1936 av |= DIR__REMOVE_NAME;
1937 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1940 if (d_is_positive(new_dentry)) {
1941 new_isec = backing_inode_security(new_dentry);
1942 new_is_dir = d_is_dir(new_dentry);
1943 rc = avc_has_perm(sid, new_isec->sid,
1945 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1953 /* Check whether a task can perform a filesystem operation. */
1954 static int superblock_has_perm(const struct cred *cred,
1955 struct super_block *sb,
1957 struct common_audit_data *ad)
1959 struct superblock_security_struct *sbsec;
1960 u32 sid = cred_sid(cred);
1962 sbsec = sb->s_security;
1963 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1966 /* Convert a Linux mode and permission mask to an access vector. */
1967 static inline u32 file_mask_to_av(int mode, int mask)
1971 if (!S_ISDIR(mode)) {
1972 if (mask & MAY_EXEC)
1973 av |= FILE__EXECUTE;
1974 if (mask & MAY_READ)
1977 if (mask & MAY_APPEND)
1979 else if (mask & MAY_WRITE)
1983 if (mask & MAY_EXEC)
1985 if (mask & MAY_WRITE)
1987 if (mask & MAY_READ)
1994 /* Convert a Linux file to an access vector. */
1995 static inline u32 file_to_av(struct file *file)
1999 if (file->f_mode & FMODE_READ)
2001 if (file->f_mode & FMODE_WRITE) {
2002 if (file->f_flags & O_APPEND)
2009 * Special file opened with flags 3 for ioctl-only use.
2018 * Convert a file to an access vector and include the correct open
2021 static inline u32 open_file_to_av(struct file *file)
2023 u32 av = file_to_av(file);
2025 if (selinux_policycap_openperm)
2031 /* Hook functions begin here. */
2033 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2035 u32 mysid = current_sid();
2036 u32 mgrsid = task_sid(mgr);
2038 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2039 BINDER__SET_CONTEXT_MGR, NULL);
2042 static int selinux_binder_transaction(struct task_struct *from,
2043 struct task_struct *to)
2045 u32 mysid = current_sid();
2046 u32 fromsid = task_sid(from);
2047 u32 tosid = task_sid(to);
2050 if (mysid != fromsid) {
2051 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2052 BINDER__IMPERSONATE, NULL);
2057 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2061 static int selinux_binder_transfer_binder(struct task_struct *from,
2062 struct task_struct *to)
2064 u32 fromsid = task_sid(from);
2065 u32 tosid = task_sid(to);
2067 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2071 static int selinux_binder_transfer_file(struct task_struct *from,
2072 struct task_struct *to,
2075 u32 sid = task_sid(to);
2076 struct file_security_struct *fsec = file->f_security;
2077 struct dentry *dentry = file->f_path.dentry;
2078 struct inode_security_struct *isec = backing_inode_security(dentry);
2079 struct common_audit_data ad;
2082 ad.type = LSM_AUDIT_DATA_PATH;
2083 ad.u.path = file->f_path;
2085 if (sid != fsec->sid) {
2086 rc = avc_has_perm(sid, fsec->sid,
2094 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2097 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2101 static int selinux_ptrace_access_check(struct task_struct *child,
2104 if (mode & PTRACE_MODE_READ) {
2105 u32 sid = current_sid();
2106 u32 csid = task_sid(child);
2107 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2110 return current_has_perm(child, PROCESS__PTRACE);
2113 static int selinux_ptrace_traceme(struct task_struct *parent)
2115 return task_has_perm(parent, current, PROCESS__PTRACE);
2118 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2119 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2121 return current_has_perm(target, PROCESS__GETCAP);
2124 static int selinux_capset(struct cred *new, const struct cred *old,
2125 const kernel_cap_t *effective,
2126 const kernel_cap_t *inheritable,
2127 const kernel_cap_t *permitted)
2129 return cred_has_perm(old, new, PROCESS__SETCAP);
2133 * (This comment used to live with the selinux_task_setuid hook,
2134 * which was removed).
2136 * Since setuid only affects the current process, and since the SELinux
2137 * controls are not based on the Linux identity attributes, SELinux does not
2138 * need to control this operation. However, SELinux does control the use of
2139 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2142 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2145 return cred_has_capability(cred, cap, audit);
2148 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2150 const struct cred *cred = current_cred();
2162 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2167 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2170 rc = 0; /* let the kernel handle invalid cmds */
2176 static int selinux_quota_on(struct dentry *dentry)
2178 const struct cred *cred = current_cred();
2180 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2183 static int selinux_syslog(int type)
2188 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2189 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2190 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2192 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2193 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2194 /* Set level of messages printed to console */
2195 case SYSLOG_ACTION_CONSOLE_LEVEL:
2196 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2198 case SYSLOG_ACTION_CLOSE: /* Close log */
2199 case SYSLOG_ACTION_OPEN: /* Open log */
2200 case SYSLOG_ACTION_READ: /* Read from log */
2201 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2202 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2204 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2211 * Check that a process has enough memory to allocate a new virtual
2212 * mapping. 0 means there is enough memory for the allocation to
2213 * succeed and -ENOMEM implies there is not.
2215 * Do not audit the selinux permission check, as this is applied to all
2216 * processes that allocate mappings.
2218 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2220 int rc, cap_sys_admin = 0;
2222 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2223 SECURITY_CAP_NOAUDIT);
2227 return cap_sys_admin;
2230 /* binprm security operations */
2232 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2233 const struct task_security_struct *old_tsec,
2234 const struct task_security_struct *new_tsec)
2236 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2237 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2240 if (!nnp && !nosuid)
2241 return 0; /* neither NNP nor nosuid */
2243 if (new_tsec->sid == old_tsec->sid)
2244 return 0; /* No change in credentials */
2247 * The only transitions we permit under NNP or nosuid
2248 * are transitions to bounded SIDs, i.e. SIDs that are
2249 * guaranteed to only be allowed a subset of the permissions
2250 * of the current SID.
2252 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2255 * On failure, preserve the errno values for NNP vs nosuid.
2256 * NNP: Operation not permitted for caller.
2257 * nosuid: Permission denied to file.
2267 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2269 const struct task_security_struct *old_tsec;
2270 struct task_security_struct *new_tsec;
2271 struct inode_security_struct *isec;
2272 struct common_audit_data ad;
2273 struct inode *inode = file_inode(bprm->file);
2276 /* SELinux context only depends on initial program or script and not
2277 * the script interpreter */
2278 if (bprm->cred_prepared)
2281 old_tsec = current_security();
2282 new_tsec = bprm->cred->security;
2283 isec = inode_security(inode);
2285 /* Default to the current task SID. */
2286 new_tsec->sid = old_tsec->sid;
2287 new_tsec->osid = old_tsec->sid;
2289 /* Reset fs, key, and sock SIDs on execve. */
2290 new_tsec->create_sid = 0;
2291 new_tsec->keycreate_sid = 0;
2292 new_tsec->sockcreate_sid = 0;
2294 if (old_tsec->exec_sid) {
2295 new_tsec->sid = old_tsec->exec_sid;
2296 /* Reset exec SID on execve. */
2297 new_tsec->exec_sid = 0;
2299 /* Fail on NNP or nosuid if not an allowed transition. */
2300 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2304 /* Check for a default transition on this program. */
2305 rc = security_transition_sid(old_tsec->sid, isec->sid,
2306 SECCLASS_PROCESS, NULL,
2312 * Fallback to old SID on NNP or nosuid if not an allowed
2315 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2317 new_tsec->sid = old_tsec->sid;
2320 ad.type = LSM_AUDIT_DATA_PATH;
2321 ad.u.path = bprm->file->f_path;
2323 if (new_tsec->sid == old_tsec->sid) {
2324 rc = avc_has_perm(old_tsec->sid, isec->sid,
2325 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2329 /* Check permissions for the transition. */
2330 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2331 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2335 rc = avc_has_perm(new_tsec->sid, isec->sid,
2336 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2340 /* Check for shared state */
2341 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2342 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2343 SECCLASS_PROCESS, PROCESS__SHARE,
2349 /* Make sure that anyone attempting to ptrace over a task that
2350 * changes its SID has the appropriate permit */
2352 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2353 struct task_struct *tracer;
2354 struct task_security_struct *sec;
2358 tracer = ptrace_parent(current);
2359 if (likely(tracer != NULL)) {
2360 sec = __task_cred(tracer)->security;
2366 rc = avc_has_perm(ptsid, new_tsec->sid,
2368 PROCESS__PTRACE, NULL);
2374 /* Clear any possibly unsafe personality bits on exec: */
2375 bprm->per_clear |= PER_CLEAR_ON_SETID;
2381 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2383 const struct task_security_struct *tsec = current_security();
2391 /* Enable secure mode for SIDs transitions unless
2392 the noatsecure permission is granted between
2393 the two SIDs, i.e. ahp returns 0. */
2394 atsecure = avc_has_perm(osid, sid,
2396 PROCESS__NOATSECURE, NULL);
2402 static int match_file(const void *p, struct file *file, unsigned fd)
2404 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2407 /* Derived from fs/exec.c:flush_old_files. */
2408 static inline void flush_unauthorized_files(const struct cred *cred,
2409 struct files_struct *files)
2411 struct file *file, *devnull = NULL;
2412 struct tty_struct *tty;
2416 tty = get_current_tty();
2418 spin_lock(&tty_files_lock);
2419 if (!list_empty(&tty->tty_files)) {
2420 struct tty_file_private *file_priv;
2422 /* Revalidate access to controlling tty.
2423 Use file_path_has_perm on the tty path directly
2424 rather than using file_has_perm, as this particular
2425 open file may belong to another process and we are
2426 only interested in the inode-based check here. */
2427 file_priv = list_first_entry(&tty->tty_files,
2428 struct tty_file_private, list);
2429 file = file_priv->file;
2430 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2433 spin_unlock(&tty_files_lock);
2436 /* Reset controlling tty. */
2440 /* Revalidate access to inherited open files. */
2441 n = iterate_fd(files, 0, match_file, cred);
2442 if (!n) /* none found? */
2445 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2446 if (IS_ERR(devnull))
2448 /* replace all the matching ones with this */
2450 replace_fd(n - 1, devnull, 0);
2451 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2457 * Prepare a process for imminent new credential changes due to exec
2459 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2461 struct task_security_struct *new_tsec;
2462 struct rlimit *rlim, *initrlim;
2465 new_tsec = bprm->cred->security;
2466 if (new_tsec->sid == new_tsec->osid)
2469 /* Close files for which the new task SID is not authorized. */
2470 flush_unauthorized_files(bprm->cred, current->files);
2472 /* Always clear parent death signal on SID transitions. */
2473 current->pdeath_signal = 0;
2475 /* Check whether the new SID can inherit resource limits from the old
2476 * SID. If not, reset all soft limits to the lower of the current
2477 * task's hard limit and the init task's soft limit.
2479 * Note that the setting of hard limits (even to lower them) can be
2480 * controlled by the setrlimit check. The inclusion of the init task's
2481 * soft limit into the computation is to avoid resetting soft limits
2482 * higher than the default soft limit for cases where the default is
2483 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2485 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2486 PROCESS__RLIMITINH, NULL);
2488 /* protect against do_prlimit() */
2490 for (i = 0; i < RLIM_NLIMITS; i++) {
2491 rlim = current->signal->rlim + i;
2492 initrlim = init_task.signal->rlim + i;
2493 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2495 task_unlock(current);
2496 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2501 * Clean up the process immediately after the installation of new credentials
2504 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2506 const struct task_security_struct *tsec = current_security();
2507 struct itimerval itimer;
2517 /* Check whether the new SID can inherit signal state from the old SID.
2518 * If not, clear itimers to avoid subsequent signal generation and
2519 * flush and unblock signals.
2521 * This must occur _after_ the task SID has been updated so that any
2522 * kill done after the flush will be checked against the new SID.
2524 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2526 memset(&itimer, 0, sizeof itimer);
2527 for (i = 0; i < 3; i++)
2528 do_setitimer(i, &itimer, NULL);
2529 spin_lock_irq(¤t->sighand->siglock);
2530 if (!fatal_signal_pending(current)) {
2531 flush_sigqueue(¤t->pending);
2532 flush_sigqueue(¤t->signal->shared_pending);
2533 flush_signal_handlers(current, 1);
2534 sigemptyset(¤t->blocked);
2535 recalc_sigpending();
2537 spin_unlock_irq(¤t->sighand->siglock);
2540 /* Wake up the parent if it is waiting so that it can recheck
2541 * wait permission to the new task SID. */
2542 read_lock(&tasklist_lock);
2543 __wake_up_parent(current, current->real_parent);
2544 read_unlock(&tasklist_lock);
2547 /* superblock security operations */
2549 static int selinux_sb_alloc_security(struct super_block *sb)
2551 return superblock_alloc_security(sb);
2554 static void selinux_sb_free_security(struct super_block *sb)
2556 superblock_free_security(sb);
2559 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2564 return !memcmp(prefix, option, plen);
2567 static inline int selinux_option(char *option, int len)
2569 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2570 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2571 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2572 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2573 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2576 static inline void take_option(char **to, char *from, int *first, int len)
2583 memcpy(*to, from, len);
2587 static inline void take_selinux_option(char **to, char *from, int *first,
2590 int current_size = 0;
2598 while (current_size < len) {
2608 static int selinux_sb_copy_data(char *orig, char *copy)
2610 int fnosec, fsec, rc = 0;
2611 char *in_save, *in_curr, *in_end;
2612 char *sec_curr, *nosec_save, *nosec;
2618 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2626 in_save = in_end = orig;
2630 open_quote = !open_quote;
2631 if ((*in_end == ',' && open_quote == 0) ||
2633 int len = in_end - in_curr;
2635 if (selinux_option(in_curr, len))
2636 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2638 take_option(&nosec, in_curr, &fnosec, len);
2640 in_curr = in_end + 1;
2642 } while (*in_end++);
2644 strcpy(in_save, nosec_save);
2645 free_page((unsigned long)nosec_save);
2650 static int selinux_sb_remount(struct super_block *sb, void *data)
2653 struct security_mnt_opts opts;
2654 char *secdata, **mount_options;
2655 struct superblock_security_struct *sbsec = sb->s_security;
2657 if (!(sbsec->flags & SE_SBINITIALIZED))
2663 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2666 security_init_mnt_opts(&opts);
2667 secdata = alloc_secdata();
2670 rc = selinux_sb_copy_data(data, secdata);
2672 goto out_free_secdata;
2674 rc = selinux_parse_opts_str(secdata, &opts);
2676 goto out_free_secdata;
2678 mount_options = opts.mnt_opts;
2679 flags = opts.mnt_opts_flags;
2681 for (i = 0; i < opts.num_mnt_opts; i++) {
2684 if (flags[i] == SBLABEL_MNT)
2686 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2688 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2689 "(%s) failed for (dev %s, type %s) errno=%d\n",
2690 mount_options[i], sb->s_id, sb->s_type->name, rc);
2696 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2697 goto out_bad_option;
2700 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2701 goto out_bad_option;
2703 case ROOTCONTEXT_MNT: {
2704 struct inode_security_struct *root_isec;
2705 root_isec = backing_inode_security(sb->s_root);
2707 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2708 goto out_bad_option;
2711 case DEFCONTEXT_MNT:
2712 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2713 goto out_bad_option;
2722 security_free_mnt_opts(&opts);
2724 free_secdata(secdata);
2727 printk(KERN_WARNING "SELinux: unable to change security options "
2728 "during remount (dev %s, type=%s)\n", sb->s_id,
2733 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2735 const struct cred *cred = current_cred();
2736 struct common_audit_data ad;
2739 rc = superblock_doinit(sb, data);
2743 /* Allow all mounts performed by the kernel */
2744 if (flags & MS_KERNMOUNT)
2747 ad.type = LSM_AUDIT_DATA_DENTRY;
2748 ad.u.dentry = sb->s_root;
2749 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2752 static int selinux_sb_statfs(struct dentry *dentry)
2754 const struct cred *cred = current_cred();
2755 struct common_audit_data ad;
2757 ad.type = LSM_AUDIT_DATA_DENTRY;
2758 ad.u.dentry = dentry->d_sb->s_root;
2759 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2762 static int selinux_mount(const char *dev_name,
2765 unsigned long flags,
2768 const struct cred *cred = current_cred();
2770 if (flags & MS_REMOUNT)
2771 return superblock_has_perm(cred, path->dentry->d_sb,
2772 FILESYSTEM__REMOUNT, NULL);
2774 return path_has_perm(cred, path, FILE__MOUNTON);
2777 static int selinux_umount(struct vfsmount *mnt, int flags)
2779 const struct cred *cred = current_cred();
2781 return superblock_has_perm(cred, mnt->mnt_sb,
2782 FILESYSTEM__UNMOUNT, NULL);
2785 /* inode security operations */
2787 static int selinux_inode_alloc_security(struct inode *inode)
2789 return inode_alloc_security(inode);
2792 static void selinux_inode_free_security(struct inode *inode)
2794 inode_free_security(inode);
2797 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2798 struct qstr *name, void **ctx,
2804 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2805 inode_mode_to_security_class(mode),
2810 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2813 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2814 const struct qstr *qstr,
2816 void **value, size_t *len)
2818 const struct task_security_struct *tsec = current_security();
2819 struct superblock_security_struct *sbsec;
2820 u32 sid, newsid, clen;
2824 sbsec = dir->i_sb->s_security;
2827 newsid = tsec->create_sid;
2829 rc = selinux_determine_inode_label(
2831 inode_mode_to_security_class(inode->i_mode),
2836 /* Possibly defer initialization to selinux_complete_init. */
2837 if (sbsec->flags & SE_SBINITIALIZED) {
2838 struct inode_security_struct *isec = inode->i_security;
2839 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2841 isec->initialized = LABEL_INITIALIZED;
2844 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2848 *name = XATTR_SELINUX_SUFFIX;
2851 rc = security_sid_to_context_force(newsid, &context, &clen);
2861 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2863 return may_create(dir, dentry, SECCLASS_FILE);
2866 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2868 return may_link(dir, old_dentry, MAY_LINK);
2871 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2873 return may_link(dir, dentry, MAY_UNLINK);
2876 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2878 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2881 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2883 return may_create(dir, dentry, SECCLASS_DIR);
2886 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2888 return may_link(dir, dentry, MAY_RMDIR);
2891 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2893 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2896 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2897 struct inode *new_inode, struct dentry *new_dentry)
2899 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2902 static int selinux_inode_readlink(struct dentry *dentry)
2904 const struct cred *cred = current_cred();
2906 return dentry_has_perm(cred, dentry, FILE__READ);
2909 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2912 const struct cred *cred = current_cred();
2913 struct common_audit_data ad;
2914 struct inode_security_struct *isec;
2917 validate_creds(cred);
2919 ad.type = LSM_AUDIT_DATA_DENTRY;
2920 ad.u.dentry = dentry;
2921 sid = cred_sid(cred);
2922 isec = inode_security_rcu(inode, rcu);
2924 return PTR_ERR(isec);
2926 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2927 rcu ? MAY_NOT_BLOCK : 0);
2930 static noinline int audit_inode_permission(struct inode *inode,
2931 u32 perms, u32 audited, u32 denied,
2935 struct common_audit_data ad;
2936 struct inode_security_struct *isec = inode->i_security;
2939 ad.type = LSM_AUDIT_DATA_INODE;
2942 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2943 audited, denied, result, &ad, flags);
2949 static int selinux_inode_permission(struct inode *inode, int mask)
2951 const struct cred *cred = current_cred();
2954 unsigned flags = mask & MAY_NOT_BLOCK;
2955 struct inode_security_struct *isec;
2957 struct av_decision avd;
2959 u32 audited, denied;
2961 from_access = mask & MAY_ACCESS;
2962 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2964 /* No permission to check. Existence test. */
2968 validate_creds(cred);
2970 if (unlikely(IS_PRIVATE(inode)))
2973 perms = file_mask_to_av(inode->i_mode, mask);
2975 sid = cred_sid(cred);
2976 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2978 return PTR_ERR(isec);
2980 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2981 audited = avc_audit_required(perms, &avd, rc,
2982 from_access ? FILE__AUDIT_ACCESS : 0,
2984 if (likely(!audited))
2987 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2993 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2995 const struct cred *cred = current_cred();
2996 unsigned int ia_valid = iattr->ia_valid;
2997 __u32 av = FILE__WRITE;
2999 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3000 if (ia_valid & ATTR_FORCE) {
3001 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3007 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3008 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3009 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3011 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3012 && !(ia_valid & ATTR_FILE))
3015 return dentry_has_perm(cred, dentry, av);
3018 static int selinux_inode_getattr(const struct path *path)
3020 return path_has_perm(current_cred(), path, FILE__GETATTR);
3023 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3025 const struct cred *cred = current_cred();
3027 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3028 sizeof XATTR_SECURITY_PREFIX - 1)) {
3029 if (!strcmp(name, XATTR_NAME_CAPS)) {
3030 if (!capable(CAP_SETFCAP))
3032 } else if (!capable(CAP_SYS_ADMIN)) {
3033 /* A different attribute in the security namespace.
3034 Restrict to administrator. */
3039 /* Not an attribute we recognize, so just check the
3040 ordinary setattr permission. */
3041 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3044 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3045 const void *value, size_t size, int flags)
3047 struct inode *inode = d_backing_inode(dentry);
3048 struct inode_security_struct *isec = backing_inode_security(dentry);
3049 struct superblock_security_struct *sbsec;
3050 struct common_audit_data ad;
3051 u32 newsid, sid = current_sid();
3054 if (strcmp(name, XATTR_NAME_SELINUX))
3055 return selinux_inode_setotherxattr(dentry, name);
3057 sbsec = inode->i_sb->s_security;
3058 if (!(sbsec->flags & SBLABEL_MNT))
3061 if (!inode_owner_or_capable(inode))
3064 ad.type = LSM_AUDIT_DATA_DENTRY;
3065 ad.u.dentry = dentry;
3067 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3068 FILE__RELABELFROM, &ad);
3072 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3073 if (rc == -EINVAL) {
3074 if (!capable(CAP_MAC_ADMIN)) {
3075 struct audit_buffer *ab;
3079 /* We strip a nul only if it is at the end, otherwise the
3080 * context contains a nul and we should audit that */
3083 if (str[size - 1] == '\0')
3084 audit_size = size - 1;
3091 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3092 audit_log_format(ab, "op=setxattr invalid_context=");
3093 audit_log_n_untrustedstring(ab, value, audit_size);
3098 rc = security_context_to_sid_force(value, size, &newsid);
3103 rc = avc_has_perm(sid, newsid, isec->sclass,
3104 FILE__RELABELTO, &ad);
3108 rc = security_validate_transition(isec->sid, newsid, sid,
3113 return avc_has_perm(newsid,
3115 SECCLASS_FILESYSTEM,
3116 FILESYSTEM__ASSOCIATE,
3120 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3121 const void *value, size_t size,
3124 struct inode *inode = d_backing_inode(dentry);
3125 struct inode_security_struct *isec = backing_inode_security(dentry);
3129 if (strcmp(name, XATTR_NAME_SELINUX)) {
3130 /* Not an attribute we recognize, so nothing to do. */
3134 rc = security_context_to_sid_force(value, size, &newsid);
3136 printk(KERN_ERR "SELinux: unable to map context to SID"
3137 "for (%s, %lu), rc=%d\n",
3138 inode->i_sb->s_id, inode->i_ino, -rc);
3142 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3144 isec->initialized = LABEL_INITIALIZED;
3149 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3151 const struct cred *cred = current_cred();
3153 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3156 static int selinux_inode_listxattr(struct dentry *dentry)
3158 const struct cred *cred = current_cred();
3160 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3163 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3165 if (strcmp(name, XATTR_NAME_SELINUX))
3166 return selinux_inode_setotherxattr(dentry, name);
3168 /* No one is allowed to remove a SELinux security label.
3169 You can change the label, but all data must be labeled. */
3174 * Copy the inode security context value to the user.
3176 * Permission check is handled by selinux_inode_getxattr hook.
3178 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3182 char *context = NULL;
3183 struct inode_security_struct *isec = inode_security(inode);
3185 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3189 * If the caller has CAP_MAC_ADMIN, then get the raw context
3190 * value even if it is not defined by current policy; otherwise,
3191 * use the in-core value under current policy.
3192 * Use the non-auditing forms of the permission checks since
3193 * getxattr may be called by unprivileged processes commonly
3194 * and lack of permission just means that we fall back to the
3195 * in-core context value, not a denial.
3197 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3198 SECURITY_CAP_NOAUDIT);
3200 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3201 SECURITY_CAP_NOAUDIT);
3203 error = security_sid_to_context_force(isec->sid, &context,
3206 error = security_sid_to_context(isec->sid, &context, &size);
3219 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3220 const void *value, size_t size, int flags)
3222 struct inode_security_struct *isec = inode_security(inode);
3226 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3229 if (!value || !size)
3232 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3236 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3238 isec->initialized = LABEL_INITIALIZED;
3242 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3244 const int len = sizeof(XATTR_NAME_SELINUX);
3245 if (buffer && len <= buffer_size)
3246 memcpy(buffer, XATTR_NAME_SELINUX, len);
3250 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3252 struct inode_security_struct *isec = inode_security(inode);
3256 /* file security operations */
3258 static int selinux_revalidate_file_permission(struct file *file, int mask)
3260 const struct cred *cred = current_cred();
3261 struct inode *inode = file_inode(file);
3263 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3264 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3267 return file_has_perm(cred, file,
3268 file_mask_to_av(inode->i_mode, mask));
3271 static int selinux_file_permission(struct file *file, int mask)
3273 struct inode *inode = file_inode(file);
3274 struct file_security_struct *fsec = file->f_security;
3275 struct inode_security_struct *isec;
3276 u32 sid = current_sid();
3279 /* No permission to check. Existence test. */
3282 isec = inode_security(inode);
3283 if (sid == fsec->sid && fsec->isid == isec->sid &&
3284 fsec->pseqno == avc_policy_seqno())
3285 /* No change since file_open check. */
3288 return selinux_revalidate_file_permission(file, mask);
3291 static int selinux_file_alloc_security(struct file *file)
3293 return file_alloc_security(file);
3296 static void selinux_file_free_security(struct file *file)
3298 file_free_security(file);
3302 * Check whether a task has the ioctl permission and cmd
3303 * operation to an inode.
3305 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3306 u32 requested, u16 cmd)
3308 struct common_audit_data ad;
3309 struct file_security_struct *fsec = file->f_security;
3310 struct inode *inode = file_inode(file);
3311 struct inode_security_struct *isec = inode_security(inode);
3312 struct lsm_ioctlop_audit ioctl;
3313 u32 ssid = cred_sid(cred);
3315 u8 driver = cmd >> 8;
3316 u8 xperm = cmd & 0xff;
3318 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3321 ad.u.op->path = file->f_path;
3323 if (ssid != fsec->sid) {
3324 rc = avc_has_perm(ssid, fsec->sid,
3332 if (unlikely(IS_PRIVATE(inode)))
3335 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3336 requested, driver, xperm, &ad);
3341 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3344 const struct cred *cred = current_cred();
3354 case FS_IOC_GETFLAGS:
3356 case FS_IOC_GETVERSION:
3357 error = file_has_perm(cred, file, FILE__GETATTR);
3360 case FS_IOC_SETFLAGS:
3362 case FS_IOC_SETVERSION:
3363 error = file_has_perm(cred, file, FILE__SETATTR);
3366 /* sys_ioctl() checks */
3370 error = file_has_perm(cred, file, 0);
3375 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3376 SECURITY_CAP_AUDIT);
3379 /* default case assumes that the command will go
3380 * to the file's ioctl() function.
3383 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3388 static int default_noexec;
3390 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3392 const struct cred *cred = current_cred();
3395 if (default_noexec &&
3396 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3397 (!shared && (prot & PROT_WRITE)))) {
3399 * We are making executable an anonymous mapping or a
3400 * private file mapping that will also be writable.
3401 * This has an additional check.
3403 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3409 /* read access is always possible with a mapping */
3410 u32 av = FILE__READ;
3412 /* write access only matters if the mapping is shared */
3413 if (shared && (prot & PROT_WRITE))
3416 if (prot & PROT_EXEC)
3417 av |= FILE__EXECUTE;
3419 return file_has_perm(cred, file, av);
3426 static int selinux_mmap_addr(unsigned long addr)
3430 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3431 u32 sid = current_sid();
3432 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3433 MEMPROTECT__MMAP_ZERO, NULL);
3439 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3440 unsigned long prot, unsigned long flags)
3442 if (selinux_checkreqprot)
3445 return file_map_prot_check(file, prot,
3446 (flags & MAP_TYPE) == MAP_SHARED);
3449 static int selinux_file_mprotect(struct vm_area_struct *vma,
3450 unsigned long reqprot,
3453 const struct cred *cred = current_cred();
3455 if (selinux_checkreqprot)
3458 if (default_noexec &&
3459 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3461 if (vma->vm_start >= vma->vm_mm->start_brk &&
3462 vma->vm_end <= vma->vm_mm->brk) {
3463 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3464 } else if (!vma->vm_file &&
3465 vma->vm_start <= vma->vm_mm->start_stack &&
3466 vma->vm_end >= vma->vm_mm->start_stack) {
3467 rc = current_has_perm(current, PROCESS__EXECSTACK);
3468 } else if (vma->vm_file && vma->anon_vma) {
3470 * We are making executable a file mapping that has
3471 * had some COW done. Since pages might have been
3472 * written, check ability to execute the possibly
3473 * modified content. This typically should only
3474 * occur for text relocations.
3476 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3482 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3485 static int selinux_file_lock(struct file *file, unsigned int cmd)
3487 const struct cred *cred = current_cred();
3489 return file_has_perm(cred, file, FILE__LOCK);
3492 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3495 const struct cred *cred = current_cred();
3500 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3501 err = file_has_perm(cred, file, FILE__WRITE);
3510 case F_GETOWNER_UIDS:
3511 /* Just check FD__USE permission */
3512 err = file_has_perm(cred, file, 0);
3520 #if BITS_PER_LONG == 32
3525 err = file_has_perm(cred, file, FILE__LOCK);
3532 static void selinux_file_set_fowner(struct file *file)
3534 struct file_security_struct *fsec;
3536 fsec = file->f_security;
3537 fsec->fown_sid = current_sid();
3540 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3541 struct fown_struct *fown, int signum)
3544 u32 sid = task_sid(tsk);
3546 struct file_security_struct *fsec;
3548 /* struct fown_struct is never outside the context of a struct file */
3549 file = container_of(fown, struct file, f_owner);
3551 fsec = file->f_security;
3554 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3556 perm = signal_to_av(signum);
3558 return avc_has_perm(fsec->fown_sid, sid,
3559 SECCLASS_PROCESS, perm, NULL);
3562 static int selinux_file_receive(struct file *file)
3564 const struct cred *cred = current_cred();
3566 return file_has_perm(cred, file, file_to_av(file));
3569 static int selinux_file_open(struct file *file, const struct cred *cred)
3571 struct file_security_struct *fsec;
3572 struct inode_security_struct *isec;
3574 fsec = file->f_security;
3575 isec = inode_security(file_inode(file));
3577 * Save inode label and policy sequence number
3578 * at open-time so that selinux_file_permission
3579 * can determine whether revalidation is necessary.
3580 * Task label is already saved in the file security
3581 * struct as its SID.
3583 fsec->isid = isec->sid;
3584 fsec->pseqno = avc_policy_seqno();
3586 * Since the inode label or policy seqno may have changed
3587 * between the selinux_inode_permission check and the saving
3588 * of state above, recheck that access is still permitted.
3589 * Otherwise, access might never be revalidated against the
3590 * new inode label or new policy.
3591 * This check is not redundant - do not remove.
3593 return file_path_has_perm(cred, file, open_file_to_av(file));
3596 /* task security operations */
3598 static int selinux_task_create(unsigned long clone_flags)
3600 return current_has_perm(current, PROCESS__FORK);
3604 * allocate the SELinux part of blank credentials
3606 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3608 struct task_security_struct *tsec;
3610 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3614 cred->security = tsec;
3619 * detach and free the LSM part of a set of credentials
3621 static void selinux_cred_free(struct cred *cred)
3623 struct task_security_struct *tsec = cred->security;
3626 * cred->security == NULL if security_cred_alloc_blank() or
3627 * security_prepare_creds() returned an error.
3629 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3630 cred->security = (void *) 0x7UL;
3635 * prepare a new set of credentials for modification
3637 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3640 const struct task_security_struct *old_tsec;
3641 struct task_security_struct *tsec;
3643 old_tsec = old->security;
3645 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3649 new->security = tsec;
3654 * transfer the SELinux data to a blank set of creds
3656 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3658 const struct task_security_struct *old_tsec = old->security;
3659 struct task_security_struct *tsec = new->security;
3665 * set the security data for a kernel service
3666 * - all the creation contexts are set to unlabelled
3668 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3670 struct task_security_struct *tsec = new->security;
3671 u32 sid = current_sid();
3674 ret = avc_has_perm(sid, secid,
3675 SECCLASS_KERNEL_SERVICE,
3676 KERNEL_SERVICE__USE_AS_OVERRIDE,
3680 tsec->create_sid = 0;
3681 tsec->keycreate_sid = 0;
3682 tsec->sockcreate_sid = 0;
3688 * set the file creation context in a security record to the same as the
3689 * objective context of the specified inode
3691 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3693 struct inode_security_struct *isec = inode_security(inode);
3694 struct task_security_struct *tsec = new->security;
3695 u32 sid = current_sid();
3698 ret = avc_has_perm(sid, isec->sid,
3699 SECCLASS_KERNEL_SERVICE,
3700 KERNEL_SERVICE__CREATE_FILES_AS,
3704 tsec->create_sid = isec->sid;
3708 static int selinux_kernel_module_request(char *kmod_name)
3711 struct common_audit_data ad;
3713 sid = task_sid(current);
3715 ad.type = LSM_AUDIT_DATA_KMOD;
3716 ad.u.kmod_name = kmod_name;
3718 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3719 SYSTEM__MODULE_REQUEST, &ad);
3722 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3724 return current_has_perm(p, PROCESS__SETPGID);
3727 static int selinux_task_getpgid(struct task_struct *p)
3729 return current_has_perm(p, PROCESS__GETPGID);
3732 static int selinux_task_getsid(struct task_struct *p)
3734 return current_has_perm(p, PROCESS__GETSESSION);
3737 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3739 *secid = task_sid(p);
3742 static int selinux_task_setnice(struct task_struct *p, int nice)
3744 return current_has_perm(p, PROCESS__SETSCHED);
3747 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3749 return current_has_perm(p, PROCESS__SETSCHED);
3752 static int selinux_task_getioprio(struct task_struct *p)
3754 return current_has_perm(p, PROCESS__GETSCHED);
3757 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3758 struct rlimit *new_rlim)
3760 struct rlimit *old_rlim = p->signal->rlim + resource;
3762 /* Control the ability to change the hard limit (whether
3763 lowering or raising it), so that the hard limit can
3764 later be used as a safe reset point for the soft limit
3765 upon context transitions. See selinux_bprm_committing_creds. */
3766 if (old_rlim->rlim_max != new_rlim->rlim_max)
3767 return current_has_perm(p, PROCESS__SETRLIMIT);
3772 static int selinux_task_setscheduler(struct task_struct *p)
3774 return current_has_perm(p, PROCESS__SETSCHED);
3777 static int selinux_task_getscheduler(struct task_struct *p)
3779 return current_has_perm(p, PROCESS__GETSCHED);
3782 static int selinux_task_movememory(struct task_struct *p)
3784 return current_has_perm(p, PROCESS__SETSCHED);
3787 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3794 perm = PROCESS__SIGNULL; /* null signal; existence test */
3796 perm = signal_to_av(sig);
3798 rc = avc_has_perm(secid, task_sid(p),
3799 SECCLASS_PROCESS, perm, NULL);
3801 rc = current_has_perm(p, perm);
3805 static int selinux_task_wait(struct task_struct *p)
3807 return task_has_perm(p, current, PROCESS__SIGCHLD);
3810 static void selinux_task_to_inode(struct task_struct *p,
3811 struct inode *inode)
3813 struct inode_security_struct *isec = inode->i_security;
3814 u32 sid = task_sid(p);
3817 isec->initialized = LABEL_INITIALIZED;
3820 /* Returns error only if unable to parse addresses */
3821 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3822 struct common_audit_data *ad, u8 *proto)
3824 int offset, ihlen, ret = -EINVAL;
3825 struct iphdr _iph, *ih;
3827 offset = skb_network_offset(skb);
3828 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3832 ihlen = ih->ihl * 4;
3833 if (ihlen < sizeof(_iph))
3836 ad->u.net->v4info.saddr = ih->saddr;
3837 ad->u.net->v4info.daddr = ih->daddr;
3841 *proto = ih->protocol;
3843 switch (ih->protocol) {
3845 struct tcphdr _tcph, *th;
3847 if (ntohs(ih->frag_off) & IP_OFFSET)
3851 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3855 ad->u.net->sport = th->source;
3856 ad->u.net->dport = th->dest;
3861 struct udphdr _udph, *uh;
3863 if (ntohs(ih->frag_off) & IP_OFFSET)
3867 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3871 ad->u.net->sport = uh->source;
3872 ad->u.net->dport = uh->dest;
3876 case IPPROTO_DCCP: {
3877 struct dccp_hdr _dccph, *dh;
3879 if (ntohs(ih->frag_off) & IP_OFFSET)
3883 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3887 ad->u.net->sport = dh->dccph_sport;
3888 ad->u.net->dport = dh->dccph_dport;
3899 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3901 /* Returns error only if unable to parse addresses */
3902 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3903 struct common_audit_data *ad, u8 *proto)
3906 int ret = -EINVAL, offset;
3907 struct ipv6hdr _ipv6h, *ip6;
3910 offset = skb_network_offset(skb);
3911 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3915 ad->u.net->v6info.saddr = ip6->saddr;
3916 ad->u.net->v6info.daddr = ip6->daddr;
3919 nexthdr = ip6->nexthdr;
3920 offset += sizeof(_ipv6h);
3921 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3930 struct tcphdr _tcph, *th;
3932 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3936 ad->u.net->sport = th->source;
3937 ad->u.net->dport = th->dest;
3942 struct udphdr _udph, *uh;
3944 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3948 ad->u.net->sport = uh->source;
3949 ad->u.net->dport = uh->dest;
3953 case IPPROTO_DCCP: {
3954 struct dccp_hdr _dccph, *dh;
3956 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3960 ad->u.net->sport = dh->dccph_sport;
3961 ad->u.net->dport = dh->dccph_dport;
3965 /* includes fragments */
3975 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3976 char **_addrp, int src, u8 *proto)
3981 switch (ad->u.net->family) {
3983 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3986 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3987 &ad->u.net->v4info.daddr);
3990 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3992 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3995 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3996 &ad->u.net->v6info.daddr);
4006 "SELinux: failure in selinux_parse_skb(),"
4007 " unable to parse packet\n");
4017 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4019 * @family: protocol family
4020 * @sid: the packet's peer label SID
4023 * Check the various different forms of network peer labeling and determine
4024 * the peer label/SID for the packet; most of the magic actually occurs in
4025 * the security server function security_net_peersid_cmp(). The function
4026 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4027 * or -EACCES if @sid is invalid due to inconsistencies with the different
4031 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4038 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4041 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4045 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4046 if (unlikely(err)) {
4048 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4049 " unable to determine packet's peer label\n");
4057 * selinux_conn_sid - Determine the child socket label for a connection
4058 * @sk_sid: the parent socket's SID
4059 * @skb_sid: the packet's SID
4060 * @conn_sid: the resulting connection SID
4062 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4063 * combined with the MLS information from @skb_sid in order to create
4064 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4065 * of @sk_sid. Returns zero on success, negative values on failure.
4068 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4072 if (skb_sid != SECSID_NULL)
4073 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4080 /* socket security operations */
4082 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4083 u16 secclass, u32 *socksid)
4085 if (tsec->sockcreate_sid > SECSID_NULL) {
4086 *socksid = tsec->sockcreate_sid;
4090 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4094 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4096 struct sk_security_struct *sksec = sk->sk_security;
4097 struct common_audit_data ad;
4098 struct lsm_network_audit net = {0,};
4099 u32 tsid = task_sid(task);
4101 if (sksec->sid == SECINITSID_KERNEL)
4104 ad.type = LSM_AUDIT_DATA_NET;
4108 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4111 static int selinux_socket_create(int family, int type,
4112 int protocol, int kern)
4114 const struct task_security_struct *tsec = current_security();
4122 secclass = socket_type_to_security_class(family, type, protocol);
4123 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4127 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4130 static int selinux_socket_post_create(struct socket *sock, int family,
4131 int type, int protocol, int kern)
4133 const struct task_security_struct *tsec = current_security();
4134 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4135 struct sk_security_struct *sksec;
4138 isec->sclass = socket_type_to_security_class(family, type, protocol);
4141 isec->sid = SECINITSID_KERNEL;
4143 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4148 isec->initialized = LABEL_INITIALIZED;
4151 sksec = sock->sk->sk_security;
4152 sksec->sid = isec->sid;
4153 sksec->sclass = isec->sclass;
4154 err = selinux_netlbl_socket_post_create(sock->sk, family);
4160 /* Range of port numbers used to automatically bind.
4161 Need to determine whether we should perform a name_bind
4162 permission check between the socket and the port number. */
4164 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4166 struct sock *sk = sock->sk;
4170 err = sock_has_perm(current, sk, SOCKET__BIND);
4175 * If PF_INET or PF_INET6, check name_bind permission for the port.
4176 * Multiple address binding for SCTP is not supported yet: we just
4177 * check the first address now.
4179 family = sk->sk_family;
4180 if (family == PF_INET || family == PF_INET6) {
4182 struct sk_security_struct *sksec = sk->sk_security;
4183 struct common_audit_data ad;
4184 struct lsm_network_audit net = {0,};
4185 struct sockaddr_in *addr4 = NULL;
4186 struct sockaddr_in6 *addr6 = NULL;
4187 unsigned short snum;
4190 if (family == PF_INET) {
4191 addr4 = (struct sockaddr_in *)address;
4192 snum = ntohs(addr4->sin_port);
4193 addrp = (char *)&addr4->sin_addr.s_addr;
4195 addr6 = (struct sockaddr_in6 *)address;
4196 snum = ntohs(addr6->sin6_port);
4197 addrp = (char *)&addr6->sin6_addr.s6_addr;
4203 inet_get_local_port_range(sock_net(sk), &low, &high);
4205 if (snum < max(PROT_SOCK, low) || snum > high) {
4206 err = sel_netport_sid(sk->sk_protocol,
4210 ad.type = LSM_AUDIT_DATA_NET;
4212 ad.u.net->sport = htons(snum);
4213 ad.u.net->family = family;
4214 err = avc_has_perm(sksec->sid, sid,
4216 SOCKET__NAME_BIND, &ad);
4222 switch (sksec->sclass) {
4223 case SECCLASS_TCP_SOCKET:
4224 node_perm = TCP_SOCKET__NODE_BIND;
4227 case SECCLASS_UDP_SOCKET:
4228 node_perm = UDP_SOCKET__NODE_BIND;
4231 case SECCLASS_DCCP_SOCKET:
4232 node_perm = DCCP_SOCKET__NODE_BIND;
4236 node_perm = RAWIP_SOCKET__NODE_BIND;
4240 err = sel_netnode_sid(addrp, family, &sid);
4244 ad.type = LSM_AUDIT_DATA_NET;
4246 ad.u.net->sport = htons(snum);
4247 ad.u.net->family = family;
4249 if (family == PF_INET)
4250 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4252 ad.u.net->v6info.saddr = addr6->sin6_addr;
4254 err = avc_has_perm(sksec->sid, sid,
4255 sksec->sclass, node_perm, &ad);
4263 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4265 struct sock *sk = sock->sk;
4266 struct sk_security_struct *sksec = sk->sk_security;
4269 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4274 * If a TCP or DCCP socket, check name_connect permission for the port.
4276 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4277 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4278 struct common_audit_data ad;
4279 struct lsm_network_audit net = {0,};
4280 struct sockaddr_in *addr4 = NULL;
4281 struct sockaddr_in6 *addr6 = NULL;
4282 unsigned short snum;
4285 if (sk->sk_family == PF_INET) {
4286 addr4 = (struct sockaddr_in *)address;
4287 if (addrlen < sizeof(struct sockaddr_in))
4289 snum = ntohs(addr4->sin_port);
4291 addr6 = (struct sockaddr_in6 *)address;
4292 if (addrlen < SIN6_LEN_RFC2133)
4294 snum = ntohs(addr6->sin6_port);
4297 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4301 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4302 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4304 ad.type = LSM_AUDIT_DATA_NET;
4306 ad.u.net->dport = htons(snum);
4307 ad.u.net->family = sk->sk_family;
4308 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4313 err = selinux_netlbl_socket_connect(sk, address);
4319 static int selinux_socket_listen(struct socket *sock, int backlog)
4321 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4324 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4327 struct inode_security_struct *isec;
4328 struct inode_security_struct *newisec;
4330 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4334 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4336 isec = inode_security_novalidate(SOCK_INODE(sock));
4337 newisec->sclass = isec->sclass;
4338 newisec->sid = isec->sid;
4339 newisec->initialized = LABEL_INITIALIZED;
4344 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4347 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4350 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4351 int size, int flags)
4353 return sock_has_perm(current, sock->sk, SOCKET__READ);
4356 static int selinux_socket_getsockname(struct socket *sock)
4358 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4361 static int selinux_socket_getpeername(struct socket *sock)
4363 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4366 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4370 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4374 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4377 static int selinux_socket_getsockopt(struct socket *sock, int level,
4380 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4383 static int selinux_socket_shutdown(struct socket *sock, int how)
4385 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4388 static int selinux_socket_unix_stream_connect(struct sock *sock,
4392 struct sk_security_struct *sksec_sock = sock->sk_security;
4393 struct sk_security_struct *sksec_other = other->sk_security;
4394 struct sk_security_struct *sksec_new = newsk->sk_security;
4395 struct common_audit_data ad;
4396 struct lsm_network_audit net = {0,};
4399 ad.type = LSM_AUDIT_DATA_NET;
4401 ad.u.net->sk = other;
4403 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4404 sksec_other->sclass,
4405 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4409 /* server child socket */
4410 sksec_new->peer_sid = sksec_sock->sid;
4411 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4416 /* connecting socket */
4417 sksec_sock->peer_sid = sksec_new->sid;
4422 static int selinux_socket_unix_may_send(struct socket *sock,
4423 struct socket *other)
4425 struct sk_security_struct *ssec = sock->sk->sk_security;
4426 struct sk_security_struct *osec = other->sk->sk_security;
4427 struct common_audit_data ad;
4428 struct lsm_network_audit net = {0,};
4430 ad.type = LSM_AUDIT_DATA_NET;
4432 ad.u.net->sk = other->sk;
4434 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4438 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4439 char *addrp, u16 family, u32 peer_sid,
4440 struct common_audit_data *ad)
4446 err = sel_netif_sid(ns, ifindex, &if_sid);
4449 err = avc_has_perm(peer_sid, if_sid,
4450 SECCLASS_NETIF, NETIF__INGRESS, ad);
4454 err = sel_netnode_sid(addrp, family, &node_sid);
4457 return avc_has_perm(peer_sid, node_sid,
4458 SECCLASS_NODE, NODE__RECVFROM, ad);
4461 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4465 struct sk_security_struct *sksec = sk->sk_security;
4466 u32 sk_sid = sksec->sid;
4467 struct common_audit_data ad;
4468 struct lsm_network_audit net = {0,};
4471 ad.type = LSM_AUDIT_DATA_NET;
4473 ad.u.net->netif = skb->skb_iif;
4474 ad.u.net->family = family;
4475 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4479 if (selinux_secmark_enabled()) {
4480 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4486 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4489 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4494 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4497 struct sk_security_struct *sksec = sk->sk_security;
4498 u16 family = sk->sk_family;
4499 u32 sk_sid = sksec->sid;
4500 struct common_audit_data ad;
4501 struct lsm_network_audit net = {0,};
4506 if (family != PF_INET && family != PF_INET6)
4509 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4510 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4513 /* If any sort of compatibility mode is enabled then handoff processing
4514 * to the selinux_sock_rcv_skb_compat() function to deal with the
4515 * special handling. We do this in an attempt to keep this function
4516 * as fast and as clean as possible. */
4517 if (!selinux_policycap_netpeer)
4518 return selinux_sock_rcv_skb_compat(sk, skb, family);
4520 secmark_active = selinux_secmark_enabled();
4521 peerlbl_active = selinux_peerlbl_enabled();
4522 if (!secmark_active && !peerlbl_active)
4525 ad.type = LSM_AUDIT_DATA_NET;
4527 ad.u.net->netif = skb->skb_iif;
4528 ad.u.net->family = family;
4529 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4533 if (peerlbl_active) {
4536 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4539 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4540 addrp, family, peer_sid, &ad);
4542 selinux_netlbl_err(skb, err, 0);
4545 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4548 selinux_netlbl_err(skb, err, 0);
4553 if (secmark_active) {
4554 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4563 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4564 int __user *optlen, unsigned len)
4569 struct sk_security_struct *sksec = sock->sk->sk_security;
4570 u32 peer_sid = SECSID_NULL;
4572 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4573 sksec->sclass == SECCLASS_TCP_SOCKET)
4574 peer_sid = sksec->peer_sid;
4575 if (peer_sid == SECSID_NULL)
4576 return -ENOPROTOOPT;
4578 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4582 if (scontext_len > len) {
4587 if (copy_to_user(optval, scontext, scontext_len))
4591 if (put_user(scontext_len, optlen))
4597 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4599 u32 peer_secid = SECSID_NULL;
4602 if (skb && skb->protocol == htons(ETH_P_IP))
4604 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4607 family = sock->sk->sk_family;
4611 if (sock && family == PF_UNIX)
4612 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4614 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4617 *secid = peer_secid;
4618 if (peer_secid == SECSID_NULL)
4623 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4625 struct sk_security_struct *sksec;
4627 sksec = kzalloc(sizeof(*sksec), priority);
4631 sksec->peer_sid = SECINITSID_UNLABELED;
4632 sksec->sid = SECINITSID_UNLABELED;
4633 sksec->sclass = SECCLASS_SOCKET;
4634 selinux_netlbl_sk_security_reset(sksec);
4635 sk->sk_security = sksec;
4640 static void selinux_sk_free_security(struct sock *sk)
4642 struct sk_security_struct *sksec = sk->sk_security;
4644 sk->sk_security = NULL;
4645 selinux_netlbl_sk_security_free(sksec);
4649 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4651 struct sk_security_struct *sksec = sk->sk_security;
4652 struct sk_security_struct *newsksec = newsk->sk_security;
4654 newsksec->sid = sksec->sid;
4655 newsksec->peer_sid = sksec->peer_sid;
4656 newsksec->sclass = sksec->sclass;
4658 selinux_netlbl_sk_security_reset(newsksec);
4661 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4664 *secid = SECINITSID_ANY_SOCKET;
4666 struct sk_security_struct *sksec = sk->sk_security;
4668 *secid = sksec->sid;
4672 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4674 struct inode_security_struct *isec =
4675 inode_security_novalidate(SOCK_INODE(parent));
4676 struct sk_security_struct *sksec = sk->sk_security;
4678 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4679 sk->sk_family == PF_UNIX)
4680 isec->sid = sksec->sid;
4681 sksec->sclass = isec->sclass;
4684 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4685 struct request_sock *req)
4687 struct sk_security_struct *sksec = sk->sk_security;
4689 u16 family = req->rsk_ops->family;
4693 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4696 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4699 req->secid = connsid;
4700 req->peer_secid = peersid;
4702 return selinux_netlbl_inet_conn_request(req, family);
4705 static void selinux_inet_csk_clone(struct sock *newsk,
4706 const struct request_sock *req)
4708 struct sk_security_struct *newsksec = newsk->sk_security;
4710 newsksec->sid = req->secid;
4711 newsksec->peer_sid = req->peer_secid;
4712 /* NOTE: Ideally, we should also get the isec->sid for the
4713 new socket in sync, but we don't have the isec available yet.
4714 So we will wait until sock_graft to do it, by which
4715 time it will have been created and available. */
4717 /* We don't need to take any sort of lock here as we are the only
4718 * thread with access to newsksec */
4719 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4722 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4724 u16 family = sk->sk_family;
4725 struct sk_security_struct *sksec = sk->sk_security;
4727 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4728 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4731 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4734 static int selinux_secmark_relabel_packet(u32 sid)
4736 const struct task_security_struct *__tsec;
4739 __tsec = current_security();
4742 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4745 static void selinux_secmark_refcount_inc(void)
4747 atomic_inc(&selinux_secmark_refcount);
4750 static void selinux_secmark_refcount_dec(void)
4752 atomic_dec(&selinux_secmark_refcount);
4755 static void selinux_req_classify_flow(const struct request_sock *req,
4758 fl->flowi_secid = req->secid;
4761 static int selinux_tun_dev_alloc_security(void **security)
4763 struct tun_security_struct *tunsec;
4765 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4768 tunsec->sid = current_sid();
4774 static void selinux_tun_dev_free_security(void *security)
4779 static int selinux_tun_dev_create(void)
4781 u32 sid = current_sid();
4783 /* we aren't taking into account the "sockcreate" SID since the socket
4784 * that is being created here is not a socket in the traditional sense,
4785 * instead it is a private sock, accessible only to the kernel, and
4786 * representing a wide range of network traffic spanning multiple
4787 * connections unlike traditional sockets - check the TUN driver to
4788 * get a better understanding of why this socket is special */
4790 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4794 static int selinux_tun_dev_attach_queue(void *security)
4796 struct tun_security_struct *tunsec = security;
4798 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4799 TUN_SOCKET__ATTACH_QUEUE, NULL);
4802 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4804 struct tun_security_struct *tunsec = security;
4805 struct sk_security_struct *sksec = sk->sk_security;
4807 /* we don't currently perform any NetLabel based labeling here and it
4808 * isn't clear that we would want to do so anyway; while we could apply
4809 * labeling without the support of the TUN user the resulting labeled
4810 * traffic from the other end of the connection would almost certainly
4811 * cause confusion to the TUN user that had no idea network labeling
4812 * protocols were being used */
4814 sksec->sid = tunsec->sid;
4815 sksec->sclass = SECCLASS_TUN_SOCKET;
4820 static int selinux_tun_dev_open(void *security)
4822 struct tun_security_struct *tunsec = security;
4823 u32 sid = current_sid();
4826 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4827 TUN_SOCKET__RELABELFROM, NULL);
4830 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4831 TUN_SOCKET__RELABELTO, NULL);
4839 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4843 struct nlmsghdr *nlh;
4844 struct sk_security_struct *sksec = sk->sk_security;
4846 if (skb->len < NLMSG_HDRLEN) {
4850 nlh = nlmsg_hdr(skb);
4852 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4854 if (err == -EINVAL) {
4855 pr_warn_ratelimited("SELinux: unrecognized netlink"
4856 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
4857 " pig=%d comm=%s\n",
4858 sk->sk_protocol, nlh->nlmsg_type,
4859 secclass_map[sksec->sclass - 1].name,
4860 task_pid_nr(current), current->comm);
4861 if (!selinux_enforcing || security_get_allow_unknown())
4871 err = sock_has_perm(current, sk, perm);
4876 #ifdef CONFIG_NETFILTER
4878 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4879 const struct net_device *indev,
4885 struct common_audit_data ad;
4886 struct lsm_network_audit net = {0,};
4891 if (!selinux_policycap_netpeer)
4894 secmark_active = selinux_secmark_enabled();
4895 netlbl_active = netlbl_enabled();
4896 peerlbl_active = selinux_peerlbl_enabled();
4897 if (!secmark_active && !peerlbl_active)
4900 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4903 ad.type = LSM_AUDIT_DATA_NET;
4905 ad.u.net->netif = indev->ifindex;
4906 ad.u.net->family = family;
4907 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4910 if (peerlbl_active) {
4911 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4912 addrp, family, peer_sid, &ad);
4914 selinux_netlbl_err(skb, err, 1);
4920 if (avc_has_perm(peer_sid, skb->secmark,
4921 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4925 /* we do this in the FORWARD path and not the POST_ROUTING
4926 * path because we want to make sure we apply the necessary
4927 * labeling before IPsec is applied so we can leverage AH
4929 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4935 static unsigned int selinux_ipv4_forward(void *priv,
4936 struct sk_buff *skb,
4937 const struct nf_hook_state *state)
4939 return selinux_ip_forward(skb, state->in, PF_INET);
4942 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4943 static unsigned int selinux_ipv6_forward(void *priv,
4944 struct sk_buff *skb,
4945 const struct nf_hook_state *state)
4947 return selinux_ip_forward(skb, state->in, PF_INET6);
4951 static unsigned int selinux_ip_output(struct sk_buff *skb,
4957 if (!netlbl_enabled())
4960 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4961 * because we want to make sure we apply the necessary labeling
4962 * before IPsec is applied so we can leverage AH protection */
4965 struct sk_security_struct *sksec;
4967 if (sk_listener(sk))
4968 /* if the socket is the listening state then this
4969 * packet is a SYN-ACK packet which means it needs to
4970 * be labeled based on the connection/request_sock and
4971 * not the parent socket. unfortunately, we can't
4972 * lookup the request_sock yet as it isn't queued on
4973 * the parent socket until after the SYN-ACK is sent.
4974 * the "solution" is to simply pass the packet as-is
4975 * as any IP option based labeling should be copied
4976 * from the initial connection request (in the IP
4977 * layer). it is far from ideal, but until we get a
4978 * security label in the packet itself this is the
4979 * best we can do. */
4982 /* standard practice, label using the parent socket */
4983 sksec = sk->sk_security;
4986 sid = SECINITSID_KERNEL;
4987 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4993 static unsigned int selinux_ipv4_output(void *priv,
4994 struct sk_buff *skb,
4995 const struct nf_hook_state *state)
4997 return selinux_ip_output(skb, PF_INET);
5000 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5004 struct sock *sk = skb_to_full_sk(skb);
5005 struct sk_security_struct *sksec;
5006 struct common_audit_data ad;
5007 struct lsm_network_audit net = {0,};
5013 sksec = sk->sk_security;
5015 ad.type = LSM_AUDIT_DATA_NET;
5017 ad.u.net->netif = ifindex;
5018 ad.u.net->family = family;
5019 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5022 if (selinux_secmark_enabled())
5023 if (avc_has_perm(sksec->sid, skb->secmark,
5024 SECCLASS_PACKET, PACKET__SEND, &ad))
5025 return NF_DROP_ERR(-ECONNREFUSED);
5027 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5028 return NF_DROP_ERR(-ECONNREFUSED);
5033 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5034 const struct net_device *outdev,
5039 int ifindex = outdev->ifindex;
5041 struct common_audit_data ad;
5042 struct lsm_network_audit net = {0,};
5047 /* If any sort of compatibility mode is enabled then handoff processing
5048 * to the selinux_ip_postroute_compat() function to deal with the
5049 * special handling. We do this in an attempt to keep this function
5050 * as fast and as clean as possible. */
5051 if (!selinux_policycap_netpeer)
5052 return selinux_ip_postroute_compat(skb, ifindex, family);
5054 secmark_active = selinux_secmark_enabled();
5055 peerlbl_active = selinux_peerlbl_enabled();
5056 if (!secmark_active && !peerlbl_active)
5059 sk = skb_to_full_sk(skb);
5062 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5063 * packet transformation so allow the packet to pass without any checks
5064 * since we'll have another chance to perform access control checks
5065 * when the packet is on it's final way out.
5066 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5067 * is NULL, in this case go ahead and apply access control.
5068 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5069 * TCP listening state we cannot wait until the XFRM processing
5070 * is done as we will miss out on the SA label if we do;
5071 * unfortunately, this means more work, but it is only once per
5073 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5074 !(sk && sk_listener(sk)))
5079 /* Without an associated socket the packet is either coming
5080 * from the kernel or it is being forwarded; check the packet
5081 * to determine which and if the packet is being forwarded
5082 * query the packet directly to determine the security label. */
5084 secmark_perm = PACKET__FORWARD_OUT;
5085 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5088 secmark_perm = PACKET__SEND;
5089 peer_sid = SECINITSID_KERNEL;
5091 } else if (sk_listener(sk)) {
5092 /* Locally generated packet but the associated socket is in the
5093 * listening state which means this is a SYN-ACK packet. In
5094 * this particular case the correct security label is assigned
5095 * to the connection/request_sock but unfortunately we can't
5096 * query the request_sock as it isn't queued on the parent
5097 * socket until after the SYN-ACK packet is sent; the only
5098 * viable choice is to regenerate the label like we do in
5099 * selinux_inet_conn_request(). See also selinux_ip_output()
5100 * for similar problems. */
5102 struct sk_security_struct *sksec;
5104 sksec = sk->sk_security;
5105 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5107 /* At this point, if the returned skb peerlbl is SECSID_NULL
5108 * and the packet has been through at least one XFRM
5109 * transformation then we must be dealing with the "final"
5110 * form of labeled IPsec packet; since we've already applied
5111 * all of our access controls on this packet we can safely
5112 * pass the packet. */
5113 if (skb_sid == SECSID_NULL) {
5116 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5120 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5124 return NF_DROP_ERR(-ECONNREFUSED);
5127 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5129 secmark_perm = PACKET__SEND;
5131 /* Locally generated packet, fetch the security label from the
5132 * associated socket. */
5133 struct sk_security_struct *sksec = sk->sk_security;
5134 peer_sid = sksec->sid;
5135 secmark_perm = PACKET__SEND;
5138 ad.type = LSM_AUDIT_DATA_NET;
5140 ad.u.net->netif = ifindex;
5141 ad.u.net->family = family;
5142 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5146 if (avc_has_perm(peer_sid, skb->secmark,
5147 SECCLASS_PACKET, secmark_perm, &ad))
5148 return NF_DROP_ERR(-ECONNREFUSED);
5150 if (peerlbl_active) {
5154 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5156 if (avc_has_perm(peer_sid, if_sid,
5157 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5158 return NF_DROP_ERR(-ECONNREFUSED);
5160 if (sel_netnode_sid(addrp, family, &node_sid))
5162 if (avc_has_perm(peer_sid, node_sid,
5163 SECCLASS_NODE, NODE__SENDTO, &ad))
5164 return NF_DROP_ERR(-ECONNREFUSED);
5170 static unsigned int selinux_ipv4_postroute(void *priv,
5171 struct sk_buff *skb,
5172 const struct nf_hook_state *state)
5174 return selinux_ip_postroute(skb, state->out, PF_INET);
5177 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5178 static unsigned int selinux_ipv6_postroute(void *priv,
5179 struct sk_buff *skb,
5180 const struct nf_hook_state *state)
5182 return selinux_ip_postroute(skb, state->out, PF_INET6);
5186 #endif /* CONFIG_NETFILTER */
5188 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5190 return selinux_nlmsg_perm(sk, skb);
5193 static int ipc_alloc_security(struct task_struct *task,
5194 struct kern_ipc_perm *perm,
5197 struct ipc_security_struct *isec;
5200 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5204 sid = task_sid(task);
5205 isec->sclass = sclass;
5207 perm->security = isec;
5212 static void ipc_free_security(struct kern_ipc_perm *perm)
5214 struct ipc_security_struct *isec = perm->security;
5215 perm->security = NULL;
5219 static int msg_msg_alloc_security(struct msg_msg *msg)
5221 struct msg_security_struct *msec;
5223 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5227 msec->sid = SECINITSID_UNLABELED;
5228 msg->security = msec;
5233 static void msg_msg_free_security(struct msg_msg *msg)
5235 struct msg_security_struct *msec = msg->security;
5237 msg->security = NULL;
5241 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5244 struct ipc_security_struct *isec;
5245 struct common_audit_data ad;
5246 u32 sid = current_sid();
5248 isec = ipc_perms->security;
5250 ad.type = LSM_AUDIT_DATA_IPC;
5251 ad.u.ipc_id = ipc_perms->key;
5253 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5256 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5258 return msg_msg_alloc_security(msg);
5261 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5263 msg_msg_free_security(msg);
5266 /* message queue security operations */
5267 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5269 struct ipc_security_struct *isec;
5270 struct common_audit_data ad;
5271 u32 sid = current_sid();
5274 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5278 isec = msq->q_perm.security;
5280 ad.type = LSM_AUDIT_DATA_IPC;
5281 ad.u.ipc_id = msq->q_perm.key;
5283 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5286 ipc_free_security(&msq->q_perm);
5292 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5294 ipc_free_security(&msq->q_perm);
5297 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5299 struct ipc_security_struct *isec;
5300 struct common_audit_data ad;
5301 u32 sid = current_sid();
5303 isec = msq->q_perm.security;
5305 ad.type = LSM_AUDIT_DATA_IPC;
5306 ad.u.ipc_id = msq->q_perm.key;
5308 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5309 MSGQ__ASSOCIATE, &ad);
5312 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5320 /* No specific object, just general system-wide information. */
5321 return task_has_system(current, SYSTEM__IPC_INFO);
5324 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5327 perms = MSGQ__SETATTR;
5330 perms = MSGQ__DESTROY;
5336 err = ipc_has_perm(&msq->q_perm, perms);
5340 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5342 struct ipc_security_struct *isec;
5343 struct msg_security_struct *msec;
5344 struct common_audit_data ad;
5345 u32 sid = current_sid();
5348 isec = msq->q_perm.security;
5349 msec = msg->security;
5352 * First time through, need to assign label to the message
5354 if (msec->sid == SECINITSID_UNLABELED) {
5356 * Compute new sid based on current process and
5357 * message queue this message will be stored in
5359 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5365 ad.type = LSM_AUDIT_DATA_IPC;
5366 ad.u.ipc_id = msq->q_perm.key;
5368 /* Can this process write to the queue? */
5369 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5372 /* Can this process send the message */
5373 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5376 /* Can the message be put in the queue? */
5377 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5378 MSGQ__ENQUEUE, &ad);
5383 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5384 struct task_struct *target,
5385 long type, int mode)
5387 struct ipc_security_struct *isec;
5388 struct msg_security_struct *msec;
5389 struct common_audit_data ad;
5390 u32 sid = task_sid(target);
5393 isec = msq->q_perm.security;
5394 msec = msg->security;
5396 ad.type = LSM_AUDIT_DATA_IPC;
5397 ad.u.ipc_id = msq->q_perm.key;
5399 rc = avc_has_perm(sid, isec->sid,
5400 SECCLASS_MSGQ, MSGQ__READ, &ad);
5402 rc = avc_has_perm(sid, msec->sid,
5403 SECCLASS_MSG, MSG__RECEIVE, &ad);
5407 /* Shared Memory security operations */
5408 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5410 struct ipc_security_struct *isec;
5411 struct common_audit_data ad;
5412 u32 sid = current_sid();
5415 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5419 isec = shp->shm_perm.security;
5421 ad.type = LSM_AUDIT_DATA_IPC;
5422 ad.u.ipc_id = shp->shm_perm.key;
5424 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5427 ipc_free_security(&shp->shm_perm);
5433 static void selinux_shm_free_security(struct shmid_kernel *shp)
5435 ipc_free_security(&shp->shm_perm);
5438 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5440 struct ipc_security_struct *isec;
5441 struct common_audit_data ad;
5442 u32 sid = current_sid();
5444 isec = shp->shm_perm.security;
5446 ad.type = LSM_AUDIT_DATA_IPC;
5447 ad.u.ipc_id = shp->shm_perm.key;
5449 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5450 SHM__ASSOCIATE, &ad);
5453 /* Note, at this point, shp is locked down */
5454 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5462 /* No specific object, just general system-wide information. */
5463 return task_has_system(current, SYSTEM__IPC_INFO);
5466 perms = SHM__GETATTR | SHM__ASSOCIATE;
5469 perms = SHM__SETATTR;
5476 perms = SHM__DESTROY;
5482 err = ipc_has_perm(&shp->shm_perm, perms);
5486 static int selinux_shm_shmat(struct shmid_kernel *shp,
5487 char __user *shmaddr, int shmflg)
5491 if (shmflg & SHM_RDONLY)
5494 perms = SHM__READ | SHM__WRITE;
5496 return ipc_has_perm(&shp->shm_perm, perms);
5499 /* Semaphore security operations */
5500 static int selinux_sem_alloc_security(struct sem_array *sma)
5502 struct ipc_security_struct *isec;
5503 struct common_audit_data ad;
5504 u32 sid = current_sid();
5507 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5511 isec = sma->sem_perm.security;
5513 ad.type = LSM_AUDIT_DATA_IPC;
5514 ad.u.ipc_id = sma->sem_perm.key;
5516 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5519 ipc_free_security(&sma->sem_perm);
5525 static void selinux_sem_free_security(struct sem_array *sma)
5527 ipc_free_security(&sma->sem_perm);
5530 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5532 struct ipc_security_struct *isec;
5533 struct common_audit_data ad;
5534 u32 sid = current_sid();
5536 isec = sma->sem_perm.security;
5538 ad.type = LSM_AUDIT_DATA_IPC;
5539 ad.u.ipc_id = sma->sem_perm.key;
5541 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5542 SEM__ASSOCIATE, &ad);
5545 /* Note, at this point, sma is locked down */
5546 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5554 /* No specific object, just general system-wide information. */
5555 return task_has_system(current, SYSTEM__IPC_INFO);
5559 perms = SEM__GETATTR;
5570 perms = SEM__DESTROY;
5573 perms = SEM__SETATTR;
5577 perms = SEM__GETATTR | SEM__ASSOCIATE;
5583 err = ipc_has_perm(&sma->sem_perm, perms);
5587 static int selinux_sem_semop(struct sem_array *sma,
5588 struct sembuf *sops, unsigned nsops, int alter)
5593 perms = SEM__READ | SEM__WRITE;
5597 return ipc_has_perm(&sma->sem_perm, perms);
5600 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5606 av |= IPC__UNIX_READ;
5608 av |= IPC__UNIX_WRITE;
5613 return ipc_has_perm(ipcp, av);
5616 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5618 struct ipc_security_struct *isec = ipcp->security;
5622 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5625 inode_doinit_with_dentry(inode, dentry);
5628 static int selinux_getprocattr(struct task_struct *p,
5629 char *name, char **value)
5631 const struct task_security_struct *__tsec;
5637 error = current_has_perm(p, PROCESS__GETATTR);
5643 __tsec = __task_cred(p)->security;
5645 if (!strcmp(name, "current"))
5647 else if (!strcmp(name, "prev"))
5649 else if (!strcmp(name, "exec"))
5650 sid = __tsec->exec_sid;
5651 else if (!strcmp(name, "fscreate"))
5652 sid = __tsec->create_sid;
5653 else if (!strcmp(name, "keycreate"))
5654 sid = __tsec->keycreate_sid;
5655 else if (!strcmp(name, "sockcreate"))
5656 sid = __tsec->sockcreate_sid;
5664 error = security_sid_to_context(sid, value, &len);
5674 static int selinux_setprocattr(struct task_struct *p,
5675 char *name, void *value, size_t size)
5677 struct task_security_struct *tsec;
5678 struct task_struct *tracer;
5685 /* SELinux only allows a process to change its own
5686 security attributes. */
5691 * Basic control over ability to set these attributes at all.
5692 * current == p, but we'll pass them separately in case the
5693 * above restriction is ever removed.
5695 if (!strcmp(name, "exec"))
5696 error = current_has_perm(p, PROCESS__SETEXEC);
5697 else if (!strcmp(name, "fscreate"))
5698 error = current_has_perm(p, PROCESS__SETFSCREATE);
5699 else if (!strcmp(name, "keycreate"))
5700 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5701 else if (!strcmp(name, "sockcreate"))
5702 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5703 else if (!strcmp(name, "current"))
5704 error = current_has_perm(p, PROCESS__SETCURRENT);
5710 /* Obtain a SID for the context, if one was specified. */
5711 if (size && str[1] && str[1] != '\n') {
5712 if (str[size-1] == '\n') {
5716 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5717 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5718 if (!capable(CAP_MAC_ADMIN)) {
5719 struct audit_buffer *ab;
5722 /* We strip a nul only if it is at the end, otherwise the
5723 * context contains a nul and we should audit that */
5724 if (str[size - 1] == '\0')
5725 audit_size = size - 1;
5728 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5729 audit_log_format(ab, "op=fscreate invalid_context=");
5730 audit_log_n_untrustedstring(ab, value, audit_size);
5735 error = security_context_to_sid_force(value, size,
5742 new = prepare_creds();
5746 /* Permission checking based on the specified context is
5747 performed during the actual operation (execve,
5748 open/mkdir/...), when we know the full context of the
5749 operation. See selinux_bprm_set_creds for the execve
5750 checks and may_create for the file creation checks. The
5751 operation will then fail if the context is not permitted. */
5752 tsec = new->security;
5753 if (!strcmp(name, "exec")) {
5754 tsec->exec_sid = sid;
5755 } else if (!strcmp(name, "fscreate")) {
5756 tsec->create_sid = sid;
5757 } else if (!strcmp(name, "keycreate")) {
5758 error = may_create_key(sid, p);
5761 tsec->keycreate_sid = sid;
5762 } else if (!strcmp(name, "sockcreate")) {
5763 tsec->sockcreate_sid = sid;
5764 } else if (!strcmp(name, "current")) {
5769 /* Only allow single threaded processes to change context */
5771 if (!current_is_single_threaded()) {
5772 error = security_bounded_transition(tsec->sid, sid);
5777 /* Check permissions for the transition. */
5778 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5779 PROCESS__DYNTRANSITION, NULL);
5783 /* Check for ptracing, and update the task SID if ok.
5784 Otherwise, leave SID unchanged and fail. */
5787 tracer = ptrace_parent(p);
5789 ptsid = task_sid(tracer);
5793 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5794 PROCESS__PTRACE, NULL);
5813 static int selinux_ismaclabel(const char *name)
5815 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5818 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5820 return security_sid_to_context(secid, secdata, seclen);
5823 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5825 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5828 static void selinux_release_secctx(char *secdata, u32 seclen)
5833 static void selinux_inode_invalidate_secctx(struct inode *inode)
5835 struct inode_security_struct *isec = inode->i_security;
5837 mutex_lock(&isec->lock);
5838 isec->initialized = LABEL_INVALID;
5839 mutex_unlock(&isec->lock);
5843 * called with inode->i_mutex locked
5845 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5847 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5851 * called with inode->i_mutex locked
5853 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5855 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5858 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5861 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5870 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5871 unsigned long flags)
5873 const struct task_security_struct *tsec;
5874 struct key_security_struct *ksec;
5876 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5880 tsec = cred->security;
5881 if (tsec->keycreate_sid)
5882 ksec->sid = tsec->keycreate_sid;
5884 ksec->sid = tsec->sid;
5890 static void selinux_key_free(struct key *k)
5892 struct key_security_struct *ksec = k->security;
5898 static int selinux_key_permission(key_ref_t key_ref,
5899 const struct cred *cred,
5903 struct key_security_struct *ksec;
5906 /* if no specific permissions are requested, we skip the
5907 permission check. No serious, additional covert channels
5908 appear to be created. */
5912 sid = cred_sid(cred);
5914 key = key_ref_to_ptr(key_ref);
5915 ksec = key->security;
5917 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5920 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5922 struct key_security_struct *ksec = key->security;
5923 char *context = NULL;
5927 rc = security_sid_to_context(ksec->sid, &context, &len);
5936 static struct security_hook_list selinux_hooks[] = {
5937 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
5938 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
5939 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
5940 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
5942 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
5943 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
5944 LSM_HOOK_INIT(capget, selinux_capget),
5945 LSM_HOOK_INIT(capset, selinux_capset),
5946 LSM_HOOK_INIT(capable, selinux_capable),
5947 LSM_HOOK_INIT(quotactl, selinux_quotactl),
5948 LSM_HOOK_INIT(quota_on, selinux_quota_on),
5949 LSM_HOOK_INIT(syslog, selinux_syslog),
5950 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
5952 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
5954 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
5955 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
5956 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
5957 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
5959 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
5960 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
5961 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
5962 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
5963 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
5964 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
5965 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
5966 LSM_HOOK_INIT(sb_mount, selinux_mount),
5967 LSM_HOOK_INIT(sb_umount, selinux_umount),
5968 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
5969 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
5970 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
5972 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
5974 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
5975 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
5976 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
5977 LSM_HOOK_INIT(inode_create, selinux_inode_create),
5978 LSM_HOOK_INIT(inode_link, selinux_inode_link),
5979 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
5980 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
5981 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
5982 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
5983 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
5984 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
5985 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
5986 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
5987 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
5988 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
5989 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
5990 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
5991 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
5992 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
5993 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
5994 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
5995 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
5996 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
5997 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
5998 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6000 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6001 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6002 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6003 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6004 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6005 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6006 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6007 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6008 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6009 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6010 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6011 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6013 LSM_HOOK_INIT(file_open, selinux_file_open),
6015 LSM_HOOK_INIT(task_create, selinux_task_create),
6016 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6017 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6018 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6019 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6020 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6021 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6022 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6023 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6024 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6025 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6026 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6027 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6028 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6029 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6030 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6031 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6032 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6033 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6034 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6035 LSM_HOOK_INIT(task_wait, selinux_task_wait),
6036 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6038 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6039 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6041 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6042 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6044 LSM_HOOK_INIT(msg_queue_alloc_security,
6045 selinux_msg_queue_alloc_security),
6046 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6047 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6048 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6049 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6050 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6052 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6053 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6054 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6055 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6056 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6058 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6059 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6060 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6061 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6062 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6064 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6066 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6067 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6069 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6070 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6071 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6072 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6073 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6074 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6075 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6076 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6078 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6079 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6081 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6082 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6083 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6084 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6085 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6086 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6087 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6088 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6089 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6090 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6091 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6092 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6093 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6094 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6095 LSM_HOOK_INIT(socket_getpeersec_stream,
6096 selinux_socket_getpeersec_stream),
6097 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6098 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6099 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6100 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6101 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6102 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6103 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6104 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6105 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6106 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6107 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6108 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6109 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6110 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6111 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6112 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6113 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6114 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6115 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6117 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6118 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6119 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6120 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6121 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6122 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6123 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6124 selinux_xfrm_state_alloc_acquire),
6125 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6126 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6127 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6128 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6129 selinux_xfrm_state_pol_flow_match),
6130 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6134 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6135 LSM_HOOK_INIT(key_free, selinux_key_free),
6136 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6137 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6141 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6142 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6143 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6144 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6148 static __init int selinux_init(void)
6150 if (!security_module_enable("selinux")) {
6151 selinux_enabled = 0;
6155 if (!selinux_enabled) {
6156 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6160 printk(KERN_INFO "SELinux: Initializing.\n");
6162 /* Set the security state for the initial task. */
6163 cred_init_security();
6165 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6167 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6168 sizeof(struct inode_security_struct),
6169 0, SLAB_PANIC, NULL);
6170 file_security_cache = kmem_cache_create("selinux_file_security",
6171 sizeof(struct file_security_struct),
6172 0, SLAB_PANIC, NULL);
6175 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6177 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6178 panic("SELinux: Unable to register AVC netcache callback\n");
6180 if (selinux_enforcing)
6181 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6183 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6188 static void delayed_superblock_init(struct super_block *sb, void *unused)
6190 superblock_doinit(sb, NULL);
6193 void selinux_complete_init(void)
6195 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6197 /* Set up any superblocks initialized prior to the policy load. */
6198 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6199 iterate_supers(delayed_superblock_init, NULL);
6202 /* SELinux requires early initialization in order to label
6203 all processes and objects when they are created. */
6204 security_initcall(selinux_init);
6206 #if defined(CONFIG_NETFILTER)
6208 static struct nf_hook_ops selinux_nf_ops[] = {
6210 .hook = selinux_ipv4_postroute,
6212 .hooknum = NF_INET_POST_ROUTING,
6213 .priority = NF_IP_PRI_SELINUX_LAST,
6216 .hook = selinux_ipv4_forward,
6218 .hooknum = NF_INET_FORWARD,
6219 .priority = NF_IP_PRI_SELINUX_FIRST,
6222 .hook = selinux_ipv4_output,
6224 .hooknum = NF_INET_LOCAL_OUT,
6225 .priority = NF_IP_PRI_SELINUX_FIRST,
6227 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6229 .hook = selinux_ipv6_postroute,
6231 .hooknum = NF_INET_POST_ROUTING,
6232 .priority = NF_IP6_PRI_SELINUX_LAST,
6235 .hook = selinux_ipv6_forward,
6237 .hooknum = NF_INET_FORWARD,
6238 .priority = NF_IP6_PRI_SELINUX_FIRST,
6243 static int __init selinux_nf_ip_init(void)
6247 if (!selinux_enabled)
6250 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6252 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6254 panic("SELinux: nf_register_hooks: error %d\n", err);
6259 __initcall(selinux_nf_ip_init);
6261 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6262 static void selinux_nf_ip_exit(void)
6264 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6266 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6270 #else /* CONFIG_NETFILTER */
6272 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6273 #define selinux_nf_ip_exit()
6276 #endif /* CONFIG_NETFILTER */
6278 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6279 static int selinux_disabled;
6281 int selinux_disable(void)
6283 if (ss_initialized) {
6284 /* Not permitted after initial policy load. */
6288 if (selinux_disabled) {
6289 /* Only do this once. */
6293 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6295 selinux_disabled = 1;
6296 selinux_enabled = 0;
6298 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6300 /* Try to destroy the avc node cache */
6303 /* Unregister netfilter hooks. */
6304 selinux_nf_ip_exit();
6306 /* Unregister selinuxfs. */
projects / cascardo / linux.git / blob