2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89 #define NUM_SEL_MNT_OPTS 4
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
102 static int __init enforcing_setup(char *str)
104 selinux_enforcing = simple_strtol(str,NULL,0);
107 __setup("enforcing=", enforcing_setup);
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
113 static int __init selinux_enabled_setup(char *str)
115 selinux_enabled = simple_strtol(str, NULL, 0);
118 __setup("selinux=", selinux_enabled_setup);
120 int selinux_enabled = 1;
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
137 static struct kmem_cache *sel_inode_cache;
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
149 static int selinux_secmark_enabled(void)
151 return (atomic_read(&selinux_secmark_refcount) > 0);
154 /* Allocate and free functions for each kind of security blob. */
156 static int task_alloc_security(struct task_struct *task)
158 struct task_security_struct *tsec;
160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
171 static void task_free_security(struct task_struct *task)
173 struct task_security_struct *tsec = task->security;
174 task->security = NULL;
178 static int inode_alloc_security(struct inode *inode)
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
187 mutex_init(&isec->lock);
188 INIT_LIST_HEAD(&isec->list);
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
192 isec->task_sid = tsec->sid;
193 inode->i_security = isec;
198 static void inode_free_security(struct inode *inode)
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
208 inode->i_security = NULL;
209 kmem_cache_free(sel_inode_cache, isec);
212 static int file_alloc_security(struct file *file)
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
224 file->f_security = fsec;
229 static void file_free_security(struct file *file)
231 struct file_security_struct *fsec = file->f_security;
232 file->f_security = NULL;
236 static int superblock_alloc_security(struct super_block *sb)
238 struct superblock_security_struct *sbsec;
240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
244 mutex_init(&sbsec->lock);
245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252 sb->s_security = sbsec;
257 static void superblock_free_security(struct super_block *sb)
259 struct superblock_security_struct *sbsec = sb->s_security;
261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
266 sb->s_security = NULL;
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
272 struct sk_security_struct *ssec;
274 ssec = kzalloc(sizeof(*ssec), priority);
279 ssec->peer_sid = SECINITSID_UNLABELED;
280 ssec->sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
283 selinux_netlbl_sk_security_init(ssec, family);
288 static void sk_free_security(struct sock *sk)
290 struct sk_security_struct *ssec = sk->sk_security;
292 sk->sk_security = NULL;
296 /* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298 extern int ss_initialized;
300 /* The file system's label must be initialized prior to use. */
302 static char *labeling_behaviors[6] = {
304 "uses transition SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313 static inline int inode_doinit(struct inode *inode)
315 return inode_doinit_with_dentry(inode, NULL);
326 static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
330 {Opt_rootcontext, "rootcontext=%s"},
334 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
336 static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
352 static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
367 static int sb_finish_set_opts(struct super_block *sb)
369 struct superblock_security_struct *sbsec = sb->s_security;
370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
400 sbsec->initialized = 1;
402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
417 spin_lock(&sbsec->isec_lock);
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
427 if (!IS_PRIVATE(inode))
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
435 spin_unlock(&sbsec->isec_lock);
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446 char ***mount_options, int **mnt_opts_flags,
450 struct superblock_security_struct *sbsec = sb->s_security;
451 char *context = NULL;
456 *mount_options = NULL;
457 *mnt_opts_flags = NULL;
459 if (!sbsec->initialized)
466 * if we ever use sbsec flags for anything other than tracking mount
467 * settings this is going to need a mask
470 /* count the number of mount options for this sb */
471 for (i = 0; i < 8; i++) {
477 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
478 if (!*mount_options) {
483 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
484 if (!*mnt_opts_flags) {
490 if (sbsec->flags & FSCONTEXT_MNT) {
491 rc = security_sid_to_context(sbsec->sid, &context, &len);
494 (*mount_options)[i] = context;
495 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
497 if (sbsec->flags & CONTEXT_MNT) {
498 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
501 (*mount_options)[i] = context;
502 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
504 if (sbsec->flags & DEFCONTEXT_MNT) {
505 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
508 (*mount_options)[i] = context;
509 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
511 if (sbsec->flags & ROOTCONTEXT_MNT) {
512 struct inode *root = sbsec->sb->s_root->d_inode;
513 struct inode_security_struct *isec = root->i_security;
515 rc = security_sid_to_context(isec->sid, &context, &len);
518 (*mount_options)[i] = context;
519 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
522 BUG_ON(i != *num_opts);
527 /* don't leak context string if security_sid_to_context had an error */
528 if (*mount_options && i)
530 kfree((*mount_options)[i-1]);
531 kfree(*mount_options);
532 *mount_options = NULL;
533 kfree(*mnt_opts_flags);
534 *mnt_opts_flags = NULL;
539 static int bad_option(struct superblock_security_struct *sbsec, char flag,
540 u32 old_sid, u32 new_sid)
542 /* check if the old mount command had the same options */
543 if (sbsec->initialized)
544 if (!(sbsec->flags & flag) ||
545 (old_sid != new_sid))
548 /* check if we were passed the same options twice,
549 * aka someone passed context=a,context=b
551 if (!sbsec->initialized)
552 if (sbsec->flags & flag)
557 * Allow filesystems with binary mount data to explicitly set mount point
558 * labeling information.
560 static int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
561 int *flags, int num_opts)
564 struct task_security_struct *tsec = current->security;
565 struct superblock_security_struct *sbsec = sb->s_security;
566 const char *name = sb->s_type->name;
567 struct inode *inode = sbsec->sb->s_root->d_inode;
568 struct inode_security_struct *root_isec = inode->i_security;
569 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
570 u32 defcontext_sid = 0;
572 mutex_lock(&sbsec->lock);
574 if (!ss_initialized) {
576 /* Defer initialization until selinux_complete_init,
577 after the initial policy is loaded and the security
578 server is ready to handle calls. */
579 spin_lock(&sb_security_lock);
580 if (list_empty(&sbsec->list))
581 list_add(&sbsec->list, &superblock_security_head);
582 spin_unlock(&sb_security_lock);
586 printk(KERN_WARNING "Unable to set superblock options before "
587 "the security server is initialized\n");
592 * parse the mount options, check if they are valid sids.
593 * also check if someone is trying to mount the same sb more
594 * than once with different security options.
596 for (i = 0; i < num_opts; i++) {
598 rc = security_context_to_sid(mount_options[i],
599 strlen(mount_options[i]), &sid);
601 printk(KERN_WARNING "SELinux: security_context_to_sid"
602 "(%s) failed for (dev %s, type %s) errno=%d\n",
603 mount_options[i], sb->s_id, name, rc);
610 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
612 goto out_double_mount;
614 sbsec->flags |= FSCONTEXT_MNT;
619 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
621 goto out_double_mount;
623 sbsec->flags |= CONTEXT_MNT;
625 case ROOTCONTEXT_MNT:
626 rootcontext_sid = sid;
628 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
630 goto out_double_mount;
632 sbsec->flags |= ROOTCONTEXT_MNT;
636 defcontext_sid = sid;
638 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
640 goto out_double_mount;
642 sbsec->flags |= DEFCONTEXT_MNT;
651 if (sbsec->initialized) {
652 /* previously mounted with options, but not on this attempt? */
653 if (sbsec->flags && !num_opts)
654 goto out_double_mount;
659 if (strcmp(sb->s_type->name, "proc") == 0)
662 /* Determine the labeling behavior to use for this filesystem type. */
663 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
665 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
666 __FUNCTION__, sb->s_type->name, rc);
670 /* sets the context of the superblock for the fs being mounted. */
673 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
677 sbsec->sid = fscontext_sid;
681 * Switch to using mount point labeling behavior.
682 * sets the label used on all file below the mountpoint, and will set
683 * the superblock context if not already set.
686 if (!fscontext_sid) {
687 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
690 sbsec->sid = context_sid;
692 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
696 if (!rootcontext_sid)
697 rootcontext_sid = context_sid;
699 sbsec->mntpoint_sid = context_sid;
700 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
703 if (rootcontext_sid) {
704 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
708 root_isec->sid = rootcontext_sid;
709 root_isec->initialized = 1;
712 if (defcontext_sid) {
713 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
715 printk(KERN_WARNING "SELinux: defcontext option is "
716 "invalid for this filesystem type\n");
720 if (defcontext_sid != sbsec->def_sid) {
721 rc = may_context_mount_inode_relabel(defcontext_sid,
727 sbsec->def_sid = defcontext_sid;
730 rc = sb_finish_set_opts(sb);
732 mutex_unlock(&sbsec->lock);
736 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
737 "security settings for (dev %s, type %s)\n", sb->s_id, name);
741 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
742 struct super_block *newsb)
744 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
745 struct superblock_security_struct *newsbsec = newsb->s_security;
747 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
748 int set_context = (oldsbsec->flags & CONTEXT_MNT);
749 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
751 /* we can't error, we can't save the info, this shouldn't get called
752 * this early in the boot process. */
753 BUG_ON(!ss_initialized);
755 /* this might go away sometime down the line if there is a new user
756 * of clone, but for now, nfs better not get here... */
757 BUG_ON(newsbsec->initialized);
759 /* how can we clone if the old one wasn't set up?? */
760 BUG_ON(!oldsbsec->initialized);
762 mutex_lock(&newsbsec->lock);
764 newsbsec->flags = oldsbsec->flags;
766 newsbsec->sid = oldsbsec->sid;
767 newsbsec->def_sid = oldsbsec->def_sid;
768 newsbsec->behavior = oldsbsec->behavior;
771 u32 sid = oldsbsec->mntpoint_sid;
775 if (!set_rootcontext) {
776 struct inode *newinode = newsb->s_root->d_inode;
777 struct inode_security_struct *newisec = newinode->i_security;
780 newsbsec->mntpoint_sid = sid;
782 if (set_rootcontext) {
783 const struct inode *oldinode = oldsb->s_root->d_inode;
784 const struct inode_security_struct *oldisec = oldinode->i_security;
785 struct inode *newinode = newsb->s_root->d_inode;
786 struct inode_security_struct *newisec = newinode->i_security;
788 newisec->sid = oldisec->sid;
791 sb_finish_set_opts(newsb);
792 mutex_unlock(&newsbsec->lock);
796 * string mount options parsing and call set the sbsec
798 static int superblock_doinit(struct super_block *sb, void *data)
800 char *context = NULL, *defcontext = NULL;
801 char *fscontext = NULL, *rootcontext = NULL;
803 char *p, *options = data;
804 /* selinux only know about a fixed number of mount options */
805 char *mnt_opts[NUM_SEL_MNT_OPTS];
806 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
811 /* with the nfs patch this will become a goto out; */
812 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
813 const char *name = sb->s_type->name;
814 /* NFS we understand. */
815 if (!strcmp(name, "nfs")) {
816 struct nfs_mount_data *d = data;
818 if (d->version != NFS_MOUNT_VERSION)
822 context = kstrdup(d->context, GFP_KERNEL);
833 /* Standard string-based options. */
834 while ((p = strsep(&options, "|")) != NULL) {
836 substring_t args[MAX_OPT_ARGS];
841 token = match_token(p, tokens, args);
845 if (context || defcontext) {
847 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
850 context = match_strdup(&args[0]);
860 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
863 fscontext = match_strdup(&args[0]);
870 case Opt_rootcontext:
873 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
876 rootcontext = match_strdup(&args[0]);
884 if (context || defcontext) {
886 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
889 defcontext = match_strdup(&args[0]);
898 printk(KERN_WARNING "SELinux: unknown mount option\n");
906 mnt_opts[num_mnt_opts] = fscontext;
907 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
910 mnt_opts[num_mnt_opts] = context;
911 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
914 mnt_opts[num_mnt_opts] = rootcontext;
915 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
918 mnt_opts[num_mnt_opts] = defcontext;
919 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
923 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
932 static inline u16 inode_mode_to_security_class(umode_t mode)
934 switch (mode & S_IFMT) {
936 return SECCLASS_SOCK_FILE;
938 return SECCLASS_LNK_FILE;
940 return SECCLASS_FILE;
942 return SECCLASS_BLK_FILE;
946 return SECCLASS_CHR_FILE;
948 return SECCLASS_FIFO_FILE;
952 return SECCLASS_FILE;
955 static inline int default_protocol_stream(int protocol)
957 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
960 static inline int default_protocol_dgram(int protocol)
962 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
965 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
972 return SECCLASS_UNIX_STREAM_SOCKET;
974 return SECCLASS_UNIX_DGRAM_SOCKET;
981 if (default_protocol_stream(protocol))
982 return SECCLASS_TCP_SOCKET;
984 return SECCLASS_RAWIP_SOCKET;
986 if (default_protocol_dgram(protocol))
987 return SECCLASS_UDP_SOCKET;
989 return SECCLASS_RAWIP_SOCKET;
991 return SECCLASS_DCCP_SOCKET;
993 return SECCLASS_RAWIP_SOCKET;
999 return SECCLASS_NETLINK_ROUTE_SOCKET;
1000 case NETLINK_FIREWALL:
1001 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1002 case NETLINK_INET_DIAG:
1003 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1005 return SECCLASS_NETLINK_NFLOG_SOCKET;
1007 return SECCLASS_NETLINK_XFRM_SOCKET;
1008 case NETLINK_SELINUX:
1009 return SECCLASS_NETLINK_SELINUX_SOCKET;
1011 return SECCLASS_NETLINK_AUDIT_SOCKET;
1012 case NETLINK_IP6_FW:
1013 return SECCLASS_NETLINK_IP6FW_SOCKET;
1014 case NETLINK_DNRTMSG:
1015 return SECCLASS_NETLINK_DNRT_SOCKET;
1016 case NETLINK_KOBJECT_UEVENT:
1017 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1019 return SECCLASS_NETLINK_SOCKET;
1022 return SECCLASS_PACKET_SOCKET;
1024 return SECCLASS_KEY_SOCKET;
1026 return SECCLASS_APPLETALK_SOCKET;
1029 return SECCLASS_SOCKET;
1032 #ifdef CONFIG_PROC_FS
1033 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1038 char *buffer, *path, *end;
1040 buffer = (char*)__get_free_page(GFP_KERNEL);
1045 end = buffer+buflen;
1050 while (de && de != de->parent) {
1051 buflen -= de->namelen + 1;
1055 memcpy(end, de->name, de->namelen);
1060 rc = security_genfs_sid("proc", path, tclass, sid);
1061 free_page((unsigned long)buffer);
1065 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1073 /* The inode's security attributes must be initialized before first use. */
1074 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1076 struct superblock_security_struct *sbsec = NULL;
1077 struct inode_security_struct *isec = inode->i_security;
1079 struct dentry *dentry;
1080 #define INITCONTEXTLEN 255
1081 char *context = NULL;
1085 if (isec->initialized)
1088 mutex_lock(&isec->lock);
1089 if (isec->initialized)
1092 sbsec = inode->i_sb->s_security;
1093 if (!sbsec->initialized) {
1094 /* Defer initialization until selinux_complete_init,
1095 after the initial policy is loaded and the security
1096 server is ready to handle calls. */
1097 spin_lock(&sbsec->isec_lock);
1098 if (list_empty(&isec->list))
1099 list_add(&isec->list, &sbsec->isec_head);
1100 spin_unlock(&sbsec->isec_lock);
1104 switch (sbsec->behavior) {
1105 case SECURITY_FS_USE_XATTR:
1106 if (!inode->i_op->getxattr) {
1107 isec->sid = sbsec->def_sid;
1111 /* Need a dentry, since the xattr API requires one.
1112 Life would be simpler if we could just pass the inode. */
1114 /* Called from d_instantiate or d_splice_alias. */
1115 dentry = dget(opt_dentry);
1117 /* Called from selinux_complete_init, try to find a dentry. */
1118 dentry = d_find_alias(inode);
1121 printk(KERN_WARNING "%s: no dentry for dev=%s "
1122 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1127 len = INITCONTEXTLEN;
1128 context = kmalloc(len, GFP_KERNEL);
1134 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1136 if (rc == -ERANGE) {
1137 /* Need a larger buffer. Query for the right size. */
1138 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1146 context = kmalloc(len, GFP_KERNEL);
1152 rc = inode->i_op->getxattr(dentry,
1158 if (rc != -ENODATA) {
1159 printk(KERN_WARNING "%s: getxattr returned "
1160 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1161 -rc, inode->i_sb->s_id, inode->i_ino);
1165 /* Map ENODATA to the default file SID */
1166 sid = sbsec->def_sid;
1169 rc = security_context_to_sid_default(context, rc, &sid,
1172 printk(KERN_WARNING "%s: context_to_sid(%s) "
1173 "returned %d for dev=%s ino=%ld\n",
1174 __FUNCTION__, context, -rc,
1175 inode->i_sb->s_id, inode->i_ino);
1177 /* Leave with the unlabeled SID */
1185 case SECURITY_FS_USE_TASK:
1186 isec->sid = isec->task_sid;
1188 case SECURITY_FS_USE_TRANS:
1189 /* Default to the fs SID. */
1190 isec->sid = sbsec->sid;
1192 /* Try to obtain a transition SID. */
1193 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1194 rc = security_transition_sid(isec->task_sid,
1202 case SECURITY_FS_USE_MNTPOINT:
1203 isec->sid = sbsec->mntpoint_sid;
1206 /* Default to the fs superblock SID. */
1207 isec->sid = sbsec->sid;
1210 struct proc_inode *proci = PROC_I(inode);
1212 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1213 rc = selinux_proc_get_sid(proci->pde,
1224 isec->initialized = 1;
1227 mutex_unlock(&isec->lock);
1229 if (isec->sclass == SECCLASS_FILE)
1230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1234 /* Convert a Linux signal to an access vector. */
1235 static inline u32 signal_to_av(int sig)
1241 /* Commonly granted from child to parent. */
1242 perm = PROCESS__SIGCHLD;
1245 /* Cannot be caught or ignored */
1246 perm = PROCESS__SIGKILL;
1249 /* Cannot be caught or ignored */
1250 perm = PROCESS__SIGSTOP;
1253 /* All other signals. */
1254 perm = PROCESS__SIGNAL;
1261 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1262 fork check, ptrace check, etc. */
1263 static int task_has_perm(struct task_struct *tsk1,
1264 struct task_struct *tsk2,
1267 struct task_security_struct *tsec1, *tsec2;
1269 tsec1 = tsk1->security;
1270 tsec2 = tsk2->security;
1271 return avc_has_perm(tsec1->sid, tsec2->sid,
1272 SECCLASS_PROCESS, perms, NULL);
1275 #if CAP_LAST_CAP > 63
1276 #error Fix SELinux to handle capabilities > 63.
1279 /* Check whether a task is allowed to use a capability. */
1280 static int task_has_capability(struct task_struct *tsk,
1283 struct task_security_struct *tsec;
1284 struct avc_audit_data ad;
1286 u32 av = CAP_TO_MASK(cap);
1288 tsec = tsk->security;
1290 AVC_AUDIT_DATA_INIT(&ad,CAP);
1294 switch (CAP_TO_INDEX(cap)) {
1296 sclass = SECCLASS_CAPABILITY;
1299 sclass = SECCLASS_CAPABILITY2;
1303 "SELinux: out of range capability %d\n", cap);
1306 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1309 /* Check whether a task is allowed to use a system operation. */
1310 static int task_has_system(struct task_struct *tsk,
1313 struct task_security_struct *tsec;
1315 tsec = tsk->security;
1317 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1318 SECCLASS_SYSTEM, perms, NULL);
1321 /* Check whether a task has a particular permission to an inode.
1322 The 'adp' parameter is optional and allows other audit
1323 data to be passed (e.g. the dentry). */
1324 static int inode_has_perm(struct task_struct *tsk,
1325 struct inode *inode,
1327 struct avc_audit_data *adp)
1329 struct task_security_struct *tsec;
1330 struct inode_security_struct *isec;
1331 struct avc_audit_data ad;
1333 if (unlikely (IS_PRIVATE (inode)))
1336 tsec = tsk->security;
1337 isec = inode->i_security;
1341 AVC_AUDIT_DATA_INIT(&ad, FS);
1342 ad.u.fs.inode = inode;
1345 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1348 /* Same as inode_has_perm, but pass explicit audit data containing
1349 the dentry to help the auditing code to more easily generate the
1350 pathname if needed. */
1351 static inline int dentry_has_perm(struct task_struct *tsk,
1352 struct vfsmount *mnt,
1353 struct dentry *dentry,
1356 struct inode *inode = dentry->d_inode;
1357 struct avc_audit_data ad;
1358 AVC_AUDIT_DATA_INIT(&ad,FS);
1359 ad.u.fs.path.mnt = mnt;
1360 ad.u.fs.path.dentry = dentry;
1361 return inode_has_perm(tsk, inode, av, &ad);
1364 /* Check whether a task can use an open file descriptor to
1365 access an inode in a given way. Check access to the
1366 descriptor itself, and then use dentry_has_perm to
1367 check a particular permission to the file.
1368 Access to the descriptor is implicitly granted if it
1369 has the same SID as the process. If av is zero, then
1370 access to the file is not checked, e.g. for cases
1371 where only the descriptor is affected like seek. */
1372 static int file_has_perm(struct task_struct *tsk,
1376 struct task_security_struct *tsec = tsk->security;
1377 struct file_security_struct *fsec = file->f_security;
1378 struct inode *inode = file->f_path.dentry->d_inode;
1379 struct avc_audit_data ad;
1382 AVC_AUDIT_DATA_INIT(&ad, FS);
1383 ad.u.fs.path = file->f_path;
1385 if (tsec->sid != fsec->sid) {
1386 rc = avc_has_perm(tsec->sid, fsec->sid,
1394 /* av is zero if only checking access to the descriptor. */
1396 return inode_has_perm(tsk, inode, av, &ad);
1401 /* Check whether a task can create a file. */
1402 static int may_create(struct inode *dir,
1403 struct dentry *dentry,
1406 struct task_security_struct *tsec;
1407 struct inode_security_struct *dsec;
1408 struct superblock_security_struct *sbsec;
1410 struct avc_audit_data ad;
1413 tsec = current->security;
1414 dsec = dir->i_security;
1415 sbsec = dir->i_sb->s_security;
1417 AVC_AUDIT_DATA_INIT(&ad, FS);
1418 ad.u.fs.path.dentry = dentry;
1420 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1421 DIR__ADD_NAME | DIR__SEARCH,
1426 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1427 newsid = tsec->create_sid;
1429 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1435 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1439 return avc_has_perm(newsid, sbsec->sid,
1440 SECCLASS_FILESYSTEM,
1441 FILESYSTEM__ASSOCIATE, &ad);
1444 /* Check whether a task can create a key. */
1445 static int may_create_key(u32 ksid,
1446 struct task_struct *ctx)
1448 struct task_security_struct *tsec;
1450 tsec = ctx->security;
1452 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1456 #define MAY_UNLINK 1
1459 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1460 static int may_link(struct inode *dir,
1461 struct dentry *dentry,
1465 struct task_security_struct *tsec;
1466 struct inode_security_struct *dsec, *isec;
1467 struct avc_audit_data ad;
1471 tsec = current->security;
1472 dsec = dir->i_security;
1473 isec = dentry->d_inode->i_security;
1475 AVC_AUDIT_DATA_INIT(&ad, FS);
1476 ad.u.fs.path.dentry = dentry;
1479 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1480 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1495 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1499 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1503 static inline int may_rename(struct inode *old_dir,
1504 struct dentry *old_dentry,
1505 struct inode *new_dir,
1506 struct dentry *new_dentry)
1508 struct task_security_struct *tsec;
1509 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1510 struct avc_audit_data ad;
1512 int old_is_dir, new_is_dir;
1515 tsec = current->security;
1516 old_dsec = old_dir->i_security;
1517 old_isec = old_dentry->d_inode->i_security;
1518 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1519 new_dsec = new_dir->i_security;
1521 AVC_AUDIT_DATA_INIT(&ad, FS);
1523 ad.u.fs.path.dentry = old_dentry;
1524 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1525 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1528 rc = avc_has_perm(tsec->sid, old_isec->sid,
1529 old_isec->sclass, FILE__RENAME, &ad);
1532 if (old_is_dir && new_dir != old_dir) {
1533 rc = avc_has_perm(tsec->sid, old_isec->sid,
1534 old_isec->sclass, DIR__REPARENT, &ad);
1539 ad.u.fs.path.dentry = new_dentry;
1540 av = DIR__ADD_NAME | DIR__SEARCH;
1541 if (new_dentry->d_inode)
1542 av |= DIR__REMOVE_NAME;
1543 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1546 if (new_dentry->d_inode) {
1547 new_isec = new_dentry->d_inode->i_security;
1548 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1549 rc = avc_has_perm(tsec->sid, new_isec->sid,
1551 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1559 /* Check whether a task can perform a filesystem operation. */
1560 static int superblock_has_perm(struct task_struct *tsk,
1561 struct super_block *sb,
1563 struct avc_audit_data *ad)
1565 struct task_security_struct *tsec;
1566 struct superblock_security_struct *sbsec;
1568 tsec = tsk->security;
1569 sbsec = sb->s_security;
1570 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1574 /* Convert a Linux mode and permission mask to an access vector. */
1575 static inline u32 file_mask_to_av(int mode, int mask)
1579 if ((mode & S_IFMT) != S_IFDIR) {
1580 if (mask & MAY_EXEC)
1581 av |= FILE__EXECUTE;
1582 if (mask & MAY_READ)
1585 if (mask & MAY_APPEND)
1587 else if (mask & MAY_WRITE)
1591 if (mask & MAY_EXEC)
1593 if (mask & MAY_WRITE)
1595 if (mask & MAY_READ)
1602 /* Convert a Linux file to an access vector. */
1603 static inline u32 file_to_av(struct file *file)
1607 if (file->f_mode & FMODE_READ)
1609 if (file->f_mode & FMODE_WRITE) {
1610 if (file->f_flags & O_APPEND)
1619 /* Hook functions begin here. */
1621 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1623 struct task_security_struct *psec = parent->security;
1624 struct task_security_struct *csec = child->security;
1627 rc = secondary_ops->ptrace(parent,child);
1631 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1632 /* Save the SID of the tracing process for later use in apply_creds. */
1633 if (!(child->ptrace & PT_PTRACED) && !rc)
1634 csec->ptrace_sid = psec->sid;
1638 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1639 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1643 error = task_has_perm(current, target, PROCESS__GETCAP);
1647 return secondary_ops->capget(target, effective, inheritable, permitted);
1650 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1651 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1655 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1659 return task_has_perm(current, target, PROCESS__SETCAP);
1662 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1663 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1665 secondary_ops->capset_set(target, effective, inheritable, permitted);
1668 static int selinux_capable(struct task_struct *tsk, int cap)
1672 rc = secondary_ops->capable(tsk, cap);
1676 return task_has_capability(tsk,cap);
1679 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1682 char *buffer, *path, *end;
1685 buffer = (char*)__get_free_page(GFP_KERNEL);
1690 end = buffer+buflen;
1696 const char *name = table->procname;
1697 size_t namelen = strlen(name);
1698 buflen -= namelen + 1;
1702 memcpy(end, name, namelen);
1705 table = table->parent;
1711 memcpy(end, "/sys", 4);
1713 rc = security_genfs_sid("proc", path, tclass, sid);
1715 free_page((unsigned long)buffer);
1720 static int selinux_sysctl(ctl_table *table, int op)
1724 struct task_security_struct *tsec;
1728 rc = secondary_ops->sysctl(table, op);
1732 tsec = current->security;
1734 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1735 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1737 /* Default to the well-defined sysctl SID. */
1738 tsid = SECINITSID_SYSCTL;
1741 /* The op values are "defined" in sysctl.c, thereby creating
1742 * a bad coupling between this module and sysctl.c */
1744 error = avc_has_perm(tsec->sid, tsid,
1745 SECCLASS_DIR, DIR__SEARCH, NULL);
1753 error = avc_has_perm(tsec->sid, tsid,
1754 SECCLASS_FILE, av, NULL);
1760 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1773 rc = superblock_has_perm(current,
1775 FILESYSTEM__QUOTAMOD, NULL);
1780 rc = superblock_has_perm(current,
1782 FILESYSTEM__QUOTAGET, NULL);
1785 rc = 0; /* let the kernel handle invalid cmds */
1791 static int selinux_quota_on(struct dentry *dentry)
1793 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1796 static int selinux_syslog(int type)
1800 rc = secondary_ops->syslog(type);
1805 case 3: /* Read last kernel messages */
1806 case 10: /* Return size of the log buffer */
1807 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1809 case 6: /* Disable logging to console */
1810 case 7: /* Enable logging to console */
1811 case 8: /* Set level of messages printed to console */
1812 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1814 case 0: /* Close log */
1815 case 1: /* Open log */
1816 case 2: /* Read from log */
1817 case 4: /* Read/clear last kernel messages */
1818 case 5: /* Clear ring buffer */
1820 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1827 * Check that a process has enough memory to allocate a new virtual
1828 * mapping. 0 means there is enough memory for the allocation to
1829 * succeed and -ENOMEM implies there is not.
1831 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1832 * if the capability is granted, but __vm_enough_memory requires 1 if
1833 * the capability is granted.
1835 * Do not audit the selinux permission check, as this is applied to all
1836 * processes that allocate mappings.
1838 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1840 int rc, cap_sys_admin = 0;
1841 struct task_security_struct *tsec = current->security;
1843 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1845 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1846 SECCLASS_CAPABILITY,
1847 CAP_TO_MASK(CAP_SYS_ADMIN),
1854 return __vm_enough_memory(mm, pages, cap_sys_admin);
1857 /* binprm security operations */
1859 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1861 struct bprm_security_struct *bsec;
1863 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1868 bsec->sid = SECINITSID_UNLABELED;
1871 bprm->security = bsec;
1875 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1877 struct task_security_struct *tsec;
1878 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1879 struct inode_security_struct *isec;
1880 struct bprm_security_struct *bsec;
1882 struct avc_audit_data ad;
1885 rc = secondary_ops->bprm_set_security(bprm);
1889 bsec = bprm->security;
1894 tsec = current->security;
1895 isec = inode->i_security;
1897 /* Default to the current task SID. */
1898 bsec->sid = tsec->sid;
1900 /* Reset fs, key, and sock SIDs on execve. */
1901 tsec->create_sid = 0;
1902 tsec->keycreate_sid = 0;
1903 tsec->sockcreate_sid = 0;
1905 if (tsec->exec_sid) {
1906 newsid = tsec->exec_sid;
1907 /* Reset exec SID on execve. */
1910 /* Check for a default transition on this program. */
1911 rc = security_transition_sid(tsec->sid, isec->sid,
1912 SECCLASS_PROCESS, &newsid);
1917 AVC_AUDIT_DATA_INIT(&ad, FS);
1918 ad.u.fs.path = bprm->file->f_path;
1920 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1923 if (tsec->sid == newsid) {
1924 rc = avc_has_perm(tsec->sid, isec->sid,
1925 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1929 /* Check permissions for the transition. */
1930 rc = avc_has_perm(tsec->sid, newsid,
1931 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1935 rc = avc_has_perm(newsid, isec->sid,
1936 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1940 /* Clear any possibly unsafe personality bits on exec: */
1941 current->personality &= ~PER_CLEAR_ON_SETID;
1943 /* Set the security field to the new SID. */
1951 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1953 return secondary_ops->bprm_check_security(bprm);
1957 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1959 struct task_security_struct *tsec = current->security;
1962 if (tsec->osid != tsec->sid) {
1963 /* Enable secure mode for SIDs transitions unless
1964 the noatsecure permission is granted between
1965 the two SIDs, i.e. ahp returns 0. */
1966 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1968 PROCESS__NOATSECURE, NULL);
1971 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1974 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1976 kfree(bprm->security);
1977 bprm->security = NULL;
1980 extern struct vfsmount *selinuxfs_mount;
1981 extern struct dentry *selinux_null;
1983 /* Derived from fs/exec.c:flush_old_files. */
1984 static inline void flush_unauthorized_files(struct files_struct * files)
1986 struct avc_audit_data ad;
1987 struct file *file, *devnull = NULL;
1988 struct tty_struct *tty;
1989 struct fdtable *fdt;
1993 mutex_lock(&tty_mutex);
1994 tty = get_current_tty();
1997 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1999 /* Revalidate access to controlling tty.
2000 Use inode_has_perm on the tty inode directly rather
2001 than using file_has_perm, as this particular open
2002 file may belong to another process and we are only
2003 interested in the inode-based check here. */
2004 struct inode *inode = file->f_path.dentry->d_inode;
2005 if (inode_has_perm(current, inode,
2006 FILE__READ | FILE__WRITE, NULL)) {
2012 mutex_unlock(&tty_mutex);
2013 /* Reset controlling tty. */
2017 /* Revalidate access to inherited open files. */
2019 AVC_AUDIT_DATA_INIT(&ad,FS);
2021 spin_lock(&files->file_lock);
2023 unsigned long set, i;
2028 fdt = files_fdtable(files);
2029 if (i >= fdt->max_fds)
2031 set = fdt->open_fds->fds_bits[j];
2034 spin_unlock(&files->file_lock);
2035 for ( ; set ; i++,set >>= 1) {
2040 if (file_has_perm(current,
2042 file_to_av(file))) {
2044 fd = get_unused_fd();
2054 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2055 if (IS_ERR(devnull)) {
2062 fd_install(fd, devnull);
2067 spin_lock(&files->file_lock);
2070 spin_unlock(&files->file_lock);
2073 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2075 struct task_security_struct *tsec;
2076 struct bprm_security_struct *bsec;
2080 secondary_ops->bprm_apply_creds(bprm, unsafe);
2082 tsec = current->security;
2084 bsec = bprm->security;
2087 tsec->osid = tsec->sid;
2089 if (tsec->sid != sid) {
2090 /* Check for shared state. If not ok, leave SID
2091 unchanged and kill. */
2092 if (unsafe & LSM_UNSAFE_SHARE) {
2093 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2094 PROCESS__SHARE, NULL);
2101 /* Check for ptracing, and update the task SID if ok.
2102 Otherwise, leave SID unchanged and kill. */
2103 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2104 rc = avc_has_perm(tsec->ptrace_sid, sid,
2105 SECCLASS_PROCESS, PROCESS__PTRACE,
2117 * called after apply_creds without the task lock held
2119 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2121 struct task_security_struct *tsec;
2122 struct rlimit *rlim, *initrlim;
2123 struct itimerval itimer;
2124 struct bprm_security_struct *bsec;
2127 tsec = current->security;
2128 bsec = bprm->security;
2131 force_sig_specific(SIGKILL, current);
2134 if (tsec->osid == tsec->sid)
2137 /* Close files for which the new task SID is not authorized. */
2138 flush_unauthorized_files(current->files);
2140 /* Check whether the new SID can inherit signal state
2141 from the old SID. If not, clear itimers to avoid
2142 subsequent signal generation and flush and unblock
2143 signals. This must occur _after_ the task SID has
2144 been updated so that any kill done after the flush
2145 will be checked against the new SID. */
2146 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2147 PROCESS__SIGINH, NULL);
2149 memset(&itimer, 0, sizeof itimer);
2150 for (i = 0; i < 3; i++)
2151 do_setitimer(i, &itimer, NULL);
2152 flush_signals(current);
2153 spin_lock_irq(¤t->sighand->siglock);
2154 flush_signal_handlers(current, 1);
2155 sigemptyset(¤t->blocked);
2156 recalc_sigpending();
2157 spin_unlock_irq(¤t->sighand->siglock);
2160 /* Always clear parent death signal on SID transitions. */
2161 current->pdeath_signal = 0;
2163 /* Check whether the new SID can inherit resource limits
2164 from the old SID. If not, reset all soft limits to
2165 the lower of the current task's hard limit and the init
2166 task's soft limit. Note that the setting of hard limits
2167 (even to lower them) can be controlled by the setrlimit
2168 check. The inclusion of the init task's soft limit into
2169 the computation is to avoid resetting soft limits higher
2170 than the default soft limit for cases where the default
2171 is lower than the hard limit, e.g. RLIMIT_CORE or
2173 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2174 PROCESS__RLIMITINH, NULL);
2176 for (i = 0; i < RLIM_NLIMITS; i++) {
2177 rlim = current->signal->rlim + i;
2178 initrlim = init_task.signal->rlim+i;
2179 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2181 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2183 * This will cause RLIMIT_CPU calculations
2186 current->it_prof_expires = jiffies_to_cputime(1);
2190 /* Wake up the parent if it is waiting so that it can
2191 recheck wait permission to the new task SID. */
2192 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2195 /* superblock security operations */
2197 static int selinux_sb_alloc_security(struct super_block *sb)
2199 return superblock_alloc_security(sb);
2202 static void selinux_sb_free_security(struct super_block *sb)
2204 superblock_free_security(sb);
2207 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2212 return !memcmp(prefix, option, plen);
2215 static inline int selinux_option(char *option, int len)
2217 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2218 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2219 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2220 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2223 static inline void take_option(char **to, char *from, int *first, int len)
2230 memcpy(*to, from, len);
2234 static inline void take_selinux_option(char **to, char *from, int *first,
2237 int current_size = 0;
2246 while (current_size < len) {
2256 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2258 int fnosec, fsec, rc = 0;
2259 char *in_save, *in_curr, *in_end;
2260 char *sec_curr, *nosec_save, *nosec;
2266 /* Binary mount data: just copy */
2267 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2268 copy_page(sec_curr, in_curr);
2272 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2280 in_save = in_end = orig;
2284 open_quote = !open_quote;
2285 if ((*in_end == ',' && open_quote == 0) ||
2287 int len = in_end - in_curr;
2289 if (selinux_option(in_curr, len))
2290 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2292 take_option(&nosec, in_curr, &fnosec, len);
2294 in_curr = in_end + 1;
2296 } while (*in_end++);
2298 strcpy(in_save, nosec_save);
2299 free_page((unsigned long)nosec_save);
2304 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2306 struct avc_audit_data ad;
2309 rc = superblock_doinit(sb, data);
2313 AVC_AUDIT_DATA_INIT(&ad,FS);
2314 ad.u.fs.path.dentry = sb->s_root;
2315 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2318 static int selinux_sb_statfs(struct dentry *dentry)
2320 struct avc_audit_data ad;
2322 AVC_AUDIT_DATA_INIT(&ad,FS);
2323 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2324 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2327 static int selinux_mount(char * dev_name,
2328 struct nameidata *nd,
2330 unsigned long flags,
2335 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2339 if (flags & MS_REMOUNT)
2340 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2341 FILESYSTEM__REMOUNT, NULL);
2343 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2347 static int selinux_umount(struct vfsmount *mnt, int flags)
2351 rc = secondary_ops->sb_umount(mnt, flags);
2355 return superblock_has_perm(current,mnt->mnt_sb,
2356 FILESYSTEM__UNMOUNT,NULL);
2359 /* inode security operations */
2361 static int selinux_inode_alloc_security(struct inode *inode)
2363 return inode_alloc_security(inode);
2366 static void selinux_inode_free_security(struct inode *inode)
2368 inode_free_security(inode);
2371 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2372 char **name, void **value,
2375 struct task_security_struct *tsec;
2376 struct inode_security_struct *dsec;
2377 struct superblock_security_struct *sbsec;
2380 char *namep = NULL, *context;
2382 tsec = current->security;
2383 dsec = dir->i_security;
2384 sbsec = dir->i_sb->s_security;
2386 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2387 newsid = tsec->create_sid;
2389 rc = security_transition_sid(tsec->sid, dsec->sid,
2390 inode_mode_to_security_class(inode->i_mode),
2393 printk(KERN_WARNING "%s: "
2394 "security_transition_sid failed, rc=%d (dev=%s "
2397 -rc, inode->i_sb->s_id, inode->i_ino);
2402 /* Possibly defer initialization to selinux_complete_init. */
2403 if (sbsec->initialized) {
2404 struct inode_security_struct *isec = inode->i_security;
2405 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2407 isec->initialized = 1;
2410 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2414 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2421 rc = security_sid_to_context(newsid, &context, &clen);
2433 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2435 return may_create(dir, dentry, SECCLASS_FILE);
2438 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2442 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2445 return may_link(dir, old_dentry, MAY_LINK);
2448 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2452 rc = secondary_ops->inode_unlink(dir, dentry);
2455 return may_link(dir, dentry, MAY_UNLINK);
2458 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2460 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2463 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2465 return may_create(dir, dentry, SECCLASS_DIR);
2468 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2470 return may_link(dir, dentry, MAY_RMDIR);
2473 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2477 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2481 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2484 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2485 struct inode *new_inode, struct dentry *new_dentry)
2487 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2490 static int selinux_inode_readlink(struct dentry *dentry)
2492 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2495 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2499 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2502 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2505 static int selinux_inode_permission(struct inode *inode, int mask,
2506 struct nameidata *nd)
2510 rc = secondary_ops->inode_permission(inode, mask, nd);
2515 /* No permission to check. Existence test. */
2519 return inode_has_perm(current, inode,
2520 file_mask_to_av(inode->i_mode, mask), NULL);
2523 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2527 rc = secondary_ops->inode_setattr(dentry, iattr);
2531 if (iattr->ia_valid & ATTR_FORCE)
2534 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2535 ATTR_ATIME_SET | ATTR_MTIME_SET))
2536 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2538 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2541 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2543 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2546 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2548 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2549 sizeof XATTR_SECURITY_PREFIX - 1)) {
2550 if (!strcmp(name, XATTR_NAME_CAPS)) {
2551 if (!capable(CAP_SETFCAP))
2553 } else if (!capable(CAP_SYS_ADMIN)) {
2554 /* A different attribute in the security namespace.
2555 Restrict to administrator. */
2560 /* Not an attribute we recognize, so just check the
2561 ordinary setattr permission. */
2562 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2565 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2567 struct task_security_struct *tsec = current->security;
2568 struct inode *inode = dentry->d_inode;
2569 struct inode_security_struct *isec = inode->i_security;
2570 struct superblock_security_struct *sbsec;
2571 struct avc_audit_data ad;
2575 if (strcmp(name, XATTR_NAME_SELINUX))
2576 return selinux_inode_setotherxattr(dentry, name);
2578 sbsec = inode->i_sb->s_security;
2579 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2582 if (!is_owner_or_cap(inode))
2585 AVC_AUDIT_DATA_INIT(&ad,FS);
2586 ad.u.fs.path.dentry = dentry;
2588 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2589 FILE__RELABELFROM, &ad);
2593 rc = security_context_to_sid(value, size, &newsid);
2597 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2598 FILE__RELABELTO, &ad);
2602 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2607 return avc_has_perm(newsid,
2609 SECCLASS_FILESYSTEM,
2610 FILESYSTEM__ASSOCIATE,
2614 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2615 void *value, size_t size, int flags)
2617 struct inode *inode = dentry->d_inode;
2618 struct inode_security_struct *isec = inode->i_security;
2622 if (strcmp(name, XATTR_NAME_SELINUX)) {
2623 /* Not an attribute we recognize, so nothing to do. */
2627 rc = security_context_to_sid(value, size, &newsid);
2629 printk(KERN_WARNING "%s: unable to obtain SID for context "
2630 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2638 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2640 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2643 static int selinux_inode_listxattr (struct dentry *dentry)
2645 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2648 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2650 if (strcmp(name, XATTR_NAME_SELINUX))
2651 return selinux_inode_setotherxattr(dentry, name);
2653 /* No one is allowed to remove a SELinux security label.
2654 You can change the label, but all data must be labeled. */
2659 * Copy the in-core inode security context value to the user. If the
2660 * getxattr() prior to this succeeded, check to see if we need to
2661 * canonicalize the value to be finally returned to the user.
2663 * Permission check is handled by selinux_inode_getxattr hook.
2665 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2669 char *context = NULL;
2670 struct inode_security_struct *isec = inode->i_security;
2672 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2675 error = security_sid_to_context(isec->sid, &context, &size);
2688 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2689 const void *value, size_t size, int flags)
2691 struct inode_security_struct *isec = inode->i_security;
2695 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2698 if (!value || !size)
2701 rc = security_context_to_sid((void*)value, size, &newsid);
2709 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2711 const int len = sizeof(XATTR_NAME_SELINUX);
2712 if (buffer && len <= buffer_size)
2713 memcpy(buffer, XATTR_NAME_SELINUX, len);
2717 static int selinux_inode_need_killpriv(struct dentry *dentry)
2719 return secondary_ops->inode_need_killpriv(dentry);
2722 static int selinux_inode_killpriv(struct dentry *dentry)
2724 return secondary_ops->inode_killpriv(dentry);
2727 /* file security operations */
2729 static int selinux_revalidate_file_permission(struct file *file, int mask)
2732 struct inode *inode = file->f_path.dentry->d_inode;
2735 /* No permission to check. Existence test. */
2739 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2740 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2743 rc = file_has_perm(current, file,
2744 file_mask_to_av(inode->i_mode, mask));
2748 return selinux_netlbl_inode_permission(inode, mask);
2751 static int selinux_file_permission(struct file *file, int mask)
2753 struct inode *inode = file->f_path.dentry->d_inode;
2754 struct task_security_struct *tsec = current->security;
2755 struct file_security_struct *fsec = file->f_security;
2756 struct inode_security_struct *isec = inode->i_security;
2759 /* No permission to check. Existence test. */
2763 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2764 && fsec->pseqno == avc_policy_seqno())
2765 return selinux_netlbl_inode_permission(inode, mask);
2767 return selinux_revalidate_file_permission(file, mask);
2770 static int selinux_file_alloc_security(struct file *file)
2772 return file_alloc_security(file);
2775 static void selinux_file_free_security(struct file *file)
2777 file_free_security(file);
2780 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2792 case EXT2_IOC_GETFLAGS:
2794 case EXT2_IOC_GETVERSION:
2795 error = file_has_perm(current, file, FILE__GETATTR);
2798 case EXT2_IOC_SETFLAGS:
2800 case EXT2_IOC_SETVERSION:
2801 error = file_has_perm(current, file, FILE__SETATTR);
2804 /* sys_ioctl() checks */
2808 error = file_has_perm(current, file, 0);
2813 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2816 /* default case assumes that the command will go
2817 * to the file's ioctl() function.
2820 error = file_has_perm(current, file, FILE__IOCTL);
2826 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2828 #ifndef CONFIG_PPC32
2829 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2831 * We are making executable an anonymous mapping or a
2832 * private file mapping that will also be writable.
2833 * This has an additional check.
2835 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2842 /* read access is always possible with a mapping */
2843 u32 av = FILE__READ;
2845 /* write access only matters if the mapping is shared */
2846 if (shared && (prot & PROT_WRITE))
2849 if (prot & PROT_EXEC)
2850 av |= FILE__EXECUTE;
2852 return file_has_perm(current, file, av);
2857 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2858 unsigned long prot, unsigned long flags,
2859 unsigned long addr, unsigned long addr_only)
2862 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2864 if (addr < mmap_min_addr)
2865 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2866 MEMPROTECT__MMAP_ZERO, NULL);
2867 if (rc || addr_only)
2870 if (selinux_checkreqprot)
2873 return file_map_prot_check(file, prot,
2874 (flags & MAP_TYPE) == MAP_SHARED);
2877 static int selinux_file_mprotect(struct vm_area_struct *vma,
2878 unsigned long reqprot,
2883 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2887 if (selinux_checkreqprot)
2890 #ifndef CONFIG_PPC32
2891 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2893 if (vma->vm_start >= vma->vm_mm->start_brk &&
2894 vma->vm_end <= vma->vm_mm->brk) {
2895 rc = task_has_perm(current, current,
2897 } else if (!vma->vm_file &&
2898 vma->vm_start <= vma->vm_mm->start_stack &&
2899 vma->vm_end >= vma->vm_mm->start_stack) {
2900 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2901 } else if (vma->vm_file && vma->anon_vma) {
2903 * We are making executable a file mapping that has
2904 * had some COW done. Since pages might have been
2905 * written, check ability to execute the possibly
2906 * modified content. This typically should only
2907 * occur for text relocations.
2909 rc = file_has_perm(current, vma->vm_file,
2917 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2920 static int selinux_file_lock(struct file *file, unsigned int cmd)
2922 return file_has_perm(current, file, FILE__LOCK);
2925 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2932 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2937 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2938 err = file_has_perm(current, file,FILE__WRITE);
2947 /* Just check FD__USE permission */
2948 err = file_has_perm(current, file, 0);
2953 #if BITS_PER_LONG == 32
2958 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2962 err = file_has_perm(current, file, FILE__LOCK);
2969 static int selinux_file_set_fowner(struct file *file)
2971 struct task_security_struct *tsec;
2972 struct file_security_struct *fsec;
2974 tsec = current->security;
2975 fsec = file->f_security;
2976 fsec->fown_sid = tsec->sid;
2981 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2982 struct fown_struct *fown, int signum)
2986 struct task_security_struct *tsec;
2987 struct file_security_struct *fsec;
2989 /* struct fown_struct is never outside the context of a struct file */
2990 file = container_of(fown, struct file, f_owner);
2992 tsec = tsk->security;
2993 fsec = file->f_security;
2996 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2998 perm = signal_to_av(signum);
3000 return avc_has_perm(fsec->fown_sid, tsec->sid,
3001 SECCLASS_PROCESS, perm, NULL);
3004 static int selinux_file_receive(struct file *file)
3006 return file_has_perm(current, file, file_to_av(file));
3009 static int selinux_dentry_open(struct file *file)
3011 struct file_security_struct *fsec;
3012 struct inode *inode;
3013 struct inode_security_struct *isec;
3014 inode = file->f_path.dentry->d_inode;
3015 fsec = file->f_security;
3016 isec = inode->i_security;
3018 * Save inode label and policy sequence number
3019 * at open-time so that selinux_file_permission
3020 * can determine whether revalidation is necessary.
3021 * Task label is already saved in the file security
3022 * struct as its SID.
3024 fsec->isid = isec->sid;
3025 fsec->pseqno = avc_policy_seqno();
3027 * Since the inode label or policy seqno may have changed
3028 * between the selinux_inode_permission check and the saving
3029 * of state above, recheck that access is still permitted.
3030 * Otherwise, access might never be revalidated against the
3031 * new inode label or new policy.
3032 * This check is not redundant - do not remove.
3034 return inode_has_perm(current, inode, file_to_av(file), NULL);
3037 /* task security operations */
3039 static int selinux_task_create(unsigned long clone_flags)
3043 rc = secondary_ops->task_create(clone_flags);
3047 return task_has_perm(current, current, PROCESS__FORK);
3050 static int selinux_task_alloc_security(struct task_struct *tsk)
3052 struct task_security_struct *tsec1, *tsec2;
3055 tsec1 = current->security;
3057 rc = task_alloc_security(tsk);
3060 tsec2 = tsk->security;
3062 tsec2->osid = tsec1->osid;
3063 tsec2->sid = tsec1->sid;
3065 /* Retain the exec, fs, key, and sock SIDs across fork */
3066 tsec2->exec_sid = tsec1->exec_sid;
3067 tsec2->create_sid = tsec1->create_sid;
3068 tsec2->keycreate_sid = tsec1->keycreate_sid;
3069 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3071 /* Retain ptracer SID across fork, if any.
3072 This will be reset by the ptrace hook upon any
3073 subsequent ptrace_attach operations. */
3074 tsec2->ptrace_sid = tsec1->ptrace_sid;
3079 static void selinux_task_free_security(struct task_struct *tsk)
3081 task_free_security(tsk);
3084 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3086 /* Since setuid only affects the current process, and
3087 since the SELinux controls are not based on the Linux
3088 identity attributes, SELinux does not need to control
3089 this operation. However, SELinux does control the use
3090 of the CAP_SETUID and CAP_SETGID capabilities using the
3095 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3097 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3100 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3102 /* See the comment for setuid above. */
3106 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3108 return task_has_perm(current, p, PROCESS__SETPGID);
3111 static int selinux_task_getpgid(struct task_struct *p)
3113 return task_has_perm(current, p, PROCESS__GETPGID);
3116 static int selinux_task_getsid(struct task_struct *p)
3118 return task_has_perm(current, p, PROCESS__GETSESSION);
3121 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3123 selinux_get_task_sid(p, secid);
3126 static int selinux_task_setgroups(struct group_info *group_info)
3128 /* See the comment for setuid above. */
3132 static int selinux_task_setnice(struct task_struct *p, int nice)
3136 rc = secondary_ops->task_setnice(p, nice);
3140 return task_has_perm(current,p, PROCESS__SETSCHED);
3143 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3147 rc = secondary_ops->task_setioprio(p, ioprio);
3151 return task_has_perm(current, p, PROCESS__SETSCHED);
3154 static int selinux_task_getioprio(struct task_struct *p)
3156 return task_has_perm(current, p, PROCESS__GETSCHED);
3159 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3161 struct rlimit *old_rlim = current->signal->rlim + resource;
3164 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3168 /* Control the ability to change the hard limit (whether
3169 lowering or raising it), so that the hard limit can
3170 later be used as a safe reset point for the soft limit
3171 upon context transitions. See selinux_bprm_apply_creds. */
3172 if (old_rlim->rlim_max != new_rlim->rlim_max)
3173 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3178 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3182 rc = secondary_ops->task_setscheduler(p, policy, lp);
3186 return task_has_perm(current, p, PROCESS__SETSCHED);
3189 static int selinux_task_getscheduler(struct task_struct *p)
3191 return task_has_perm(current, p, PROCESS__GETSCHED);
3194 static int selinux_task_movememory(struct task_struct *p)
3196 return task_has_perm(current, p, PROCESS__SETSCHED);
3199 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3204 struct task_security_struct *tsec;
3206 rc = secondary_ops->task_kill(p, info, sig, secid);
3210 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3214 perm = PROCESS__SIGNULL; /* null signal; existence test */
3216 perm = signal_to_av(sig);
3219 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3221 rc = task_has_perm(current, p, perm);
3225 static int selinux_task_prctl(int option,
3231 /* The current prctl operations do not appear to require
3232 any SELinux controls since they merely observe or modify
3233 the state of the current process. */
3237 static int selinux_task_wait(struct task_struct *p)
3239 return task_has_perm(p, current, PROCESS__SIGCHLD);
3242 static void selinux_task_reparent_to_init(struct task_struct *p)
3244 struct task_security_struct *tsec;
3246 secondary_ops->task_reparent_to_init(p);
3249 tsec->osid = tsec->sid;
3250 tsec->sid = SECINITSID_KERNEL;
3254 static void selinux_task_to_inode(struct task_struct *p,
3255 struct inode *inode)
3257 struct task_security_struct *tsec = p->security;
3258 struct inode_security_struct *isec = inode->i_security;
3260 isec->sid = tsec->sid;
3261 isec->initialized = 1;
3265 /* Returns error only if unable to parse addresses */
3266 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3267 struct avc_audit_data *ad, u8 *proto)
3269 int offset, ihlen, ret = -EINVAL;
3270 struct iphdr _iph, *ih;
3272 offset = skb_network_offset(skb);
3273 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3277 ihlen = ih->ihl * 4;
3278 if (ihlen < sizeof(_iph))
3281 ad->u.net.v4info.saddr = ih->saddr;
3282 ad->u.net.v4info.daddr = ih->daddr;
3286 *proto = ih->protocol;
3288 switch (ih->protocol) {
3290 struct tcphdr _tcph, *th;
3292 if (ntohs(ih->frag_off) & IP_OFFSET)
3296 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3300 ad->u.net.sport = th->source;
3301 ad->u.net.dport = th->dest;
3306 struct udphdr _udph, *uh;
3308 if (ntohs(ih->frag_off) & IP_OFFSET)
3312 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3316 ad->u.net.sport = uh->source;
3317 ad->u.net.dport = uh->dest;
3321 case IPPROTO_DCCP: {
3322 struct dccp_hdr _dccph, *dh;
3324 if (ntohs(ih->frag_off) & IP_OFFSET)
3328 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3332 ad->u.net.sport = dh->dccph_sport;
3333 ad->u.net.dport = dh->dccph_dport;
3344 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3346 /* Returns error only if unable to parse addresses */
3347 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3348 struct avc_audit_data *ad, u8 *proto)
3351 int ret = -EINVAL, offset;
3352 struct ipv6hdr _ipv6h, *ip6;
3354 offset = skb_network_offset(skb);
3355 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3359 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3360 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3363 nexthdr = ip6->nexthdr;
3364 offset += sizeof(_ipv6h);
3365 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3374 struct tcphdr _tcph, *th;
3376 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3380 ad->u.net.sport = th->source;
3381 ad->u.net.dport = th->dest;
3386 struct udphdr _udph, *uh;
3388 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3392 ad->u.net.sport = uh->source;
3393 ad->u.net.dport = uh->dest;
3397 case IPPROTO_DCCP: {
3398 struct dccp_hdr _dccph, *dh;
3400 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3404 ad->u.net.sport = dh->dccph_sport;
3405 ad->u.net.dport = dh->dccph_dport;
3409 /* includes fragments */
3419 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3420 char **addrp, int src, u8 *proto)
3424 switch (ad->u.net.family) {
3426 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3429 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3430 &ad->u.net.v4info.daddr);
3433 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3435 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3438 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3439 &ad->u.net.v6info.daddr);
3448 "SELinux: failure in selinux_parse_skb(),"
3449 " unable to parse packet\n");
3455 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3457 * @family: protocol family
3458 * @sid: the packet's peer label SID
3461 * Check the various different forms of network peer labeling and determine
3462 * the peer label/SID for the packet; most of the magic actually occurs in
3463 * the security server function security_net_peersid_cmp(). The function
3464 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3465 * or -EACCES if @sid is invalid due to inconsistencies with the different
3469 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3476 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3477 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3479 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3480 if (unlikely(err)) {
3482 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3483 " unable to determine packet's peer label\n");
3490 /* socket security operations */
3491 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3494 struct inode_security_struct *isec;
3495 struct task_security_struct *tsec;
3496 struct avc_audit_data ad;
3499 tsec = task->security;
3500 isec = SOCK_INODE(sock)->i_security;
3502 if (isec->sid == SECINITSID_KERNEL)
3505 AVC_AUDIT_DATA_INIT(&ad,NET);
3506 ad.u.net.sk = sock->sk;
3507 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3513 static int selinux_socket_create(int family, int type,
3514 int protocol, int kern)
3517 struct task_security_struct *tsec;
3523 tsec = current->security;
3524 newsid = tsec->sockcreate_sid ? : tsec->sid;
3525 err = avc_has_perm(tsec->sid, newsid,
3526 socket_type_to_security_class(family, type,
3527 protocol), SOCKET__CREATE, NULL);
3533 static int selinux_socket_post_create(struct socket *sock, int family,
3534 int type, int protocol, int kern)
3537 struct inode_security_struct *isec;
3538 struct task_security_struct *tsec;
3539 struct sk_security_struct *sksec;
3542 isec = SOCK_INODE(sock)->i_security;
3544 tsec = current->security;
3545 newsid = tsec->sockcreate_sid ? : tsec->sid;
3546 isec->sclass = socket_type_to_security_class(family, type, protocol);
3547 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3548 isec->initialized = 1;
3551 sksec = sock->sk->sk_security;
3552 sksec->sid = isec->sid;
3553 sksec->sclass = isec->sclass;
3554 err = selinux_netlbl_socket_post_create(sock);
3560 /* Range of port numbers used to automatically bind.
3561 Need to determine whether we should perform a name_bind
3562 permission check between the socket and the port number. */
3564 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3569 err = socket_has_perm(current, sock, SOCKET__BIND);
3574 * If PF_INET or PF_INET6, check name_bind permission for the port.
3575 * Multiple address binding for SCTP is not supported yet: we just
3576 * check the first address now.
3578 family = sock->sk->sk_family;
3579 if (family == PF_INET || family == PF_INET6) {
3581 struct inode_security_struct *isec;
3582 struct task_security_struct *tsec;
3583 struct avc_audit_data ad;
3584 struct sockaddr_in *addr4 = NULL;
3585 struct sockaddr_in6 *addr6 = NULL;
3586 unsigned short snum;
3587 struct sock *sk = sock->sk;
3588 u32 sid, node_perm, addrlen;
3590 tsec = current->security;
3591 isec = SOCK_INODE(sock)->i_security;
3593 if (family == PF_INET) {
3594 addr4 = (struct sockaddr_in *)address;
3595 snum = ntohs(addr4->sin_port);
3596 addrlen = sizeof(addr4->sin_addr.s_addr);
3597 addrp = (char *)&addr4->sin_addr.s_addr;
3599 addr6 = (struct sockaddr_in6 *)address;
3600 snum = ntohs(addr6->sin6_port);
3601 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3602 addrp = (char *)&addr6->sin6_addr.s6_addr;
3608 inet_get_local_port_range(&low, &high);
3610 if (snum < max(PROT_SOCK, low) || snum > high) {
3611 err = security_port_sid(sk->sk_family,
3613 sk->sk_protocol, snum,
3617 AVC_AUDIT_DATA_INIT(&ad,NET);
3618 ad.u.net.sport = htons(snum);
3619 ad.u.net.family = family;
3620 err = avc_has_perm(isec->sid, sid,
3622 SOCKET__NAME_BIND, &ad);
3628 switch(isec->sclass) {
3629 case SECCLASS_TCP_SOCKET:
3630 node_perm = TCP_SOCKET__NODE_BIND;
3633 case SECCLASS_UDP_SOCKET:
3634 node_perm = UDP_SOCKET__NODE_BIND;
3637 case SECCLASS_DCCP_SOCKET:
3638 node_perm = DCCP_SOCKET__NODE_BIND;
3642 node_perm = RAWIP_SOCKET__NODE_BIND;
3646 err = sel_netnode_sid(addrp, family, &sid);
3650 AVC_AUDIT_DATA_INIT(&ad,NET);
3651 ad.u.net.sport = htons(snum);
3652 ad.u.net.family = family;
3654 if (family == PF_INET)
3655 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3657 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3659 err = avc_has_perm(isec->sid, sid,
3660 isec->sclass, node_perm, &ad);
3668 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3670 struct inode_security_struct *isec;
3673 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3678 * If a TCP or DCCP socket, check name_connect permission for the port.
3680 isec = SOCK_INODE(sock)->i_security;
3681 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3682 isec->sclass == SECCLASS_DCCP_SOCKET) {
3683 struct sock *sk = sock->sk;
3684 struct avc_audit_data ad;
3685 struct sockaddr_in *addr4 = NULL;
3686 struct sockaddr_in6 *addr6 = NULL;
3687 unsigned short snum;
3690 if (sk->sk_family == PF_INET) {
3691 addr4 = (struct sockaddr_in *)address;
3692 if (addrlen < sizeof(struct sockaddr_in))
3694 snum = ntohs(addr4->sin_port);
3696 addr6 = (struct sockaddr_in6 *)address;
3697 if (addrlen < SIN6_LEN_RFC2133)
3699 snum = ntohs(addr6->sin6_port);
3702 err = security_port_sid(sk->sk_family, sk->sk_type,
3703 sk->sk_protocol, snum, &sid);
3707 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3708 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3710 AVC_AUDIT_DATA_INIT(&ad,NET);
3711 ad.u.net.dport = htons(snum);
3712 ad.u.net.family = sk->sk_family;
3713 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3722 static int selinux_socket_listen(struct socket *sock, int backlog)
3724 return socket_has_perm(current, sock, SOCKET__LISTEN);
3727 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3730 struct inode_security_struct *isec;
3731 struct inode_security_struct *newisec;
3733 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3737 newisec = SOCK_INODE(newsock)->i_security;
3739 isec = SOCK_INODE(sock)->i_security;
3740 newisec->sclass = isec->sclass;
3741 newisec->sid = isec->sid;
3742 newisec->initialized = 1;
3747 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3752 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3756 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3759 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3760 int size, int flags)
3762 return socket_has_perm(current, sock, SOCKET__READ);
3765 static int selinux_socket_getsockname(struct socket *sock)
3767 return socket_has_perm(current, sock, SOCKET__GETATTR);
3770 static int selinux_socket_getpeername(struct socket *sock)
3772 return socket_has_perm(current, sock, SOCKET__GETATTR);
3775 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3779 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3783 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3786 static int selinux_socket_getsockopt(struct socket *sock, int level,
3789 return socket_has_perm(current, sock, SOCKET__GETOPT);
3792 static int selinux_socket_shutdown(struct socket *sock, int how)
3794 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3797 static int selinux_socket_unix_stream_connect(struct socket *sock,
3798 struct socket *other,
3801 struct sk_security_struct *ssec;
3802 struct inode_security_struct *isec;
3803 struct inode_security_struct *other_isec;
3804 struct avc_audit_data ad;
3807 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3811 isec = SOCK_INODE(sock)->i_security;
3812 other_isec = SOCK_INODE(other)->i_security;
3814 AVC_AUDIT_DATA_INIT(&ad,NET);
3815 ad.u.net.sk = other->sk;
3817 err = avc_has_perm(isec->sid, other_isec->sid,
3819 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3823 /* connecting socket */
3824 ssec = sock->sk->sk_security;
3825 ssec->peer_sid = other_isec->sid;
3827 /* server child socket */
3828 ssec = newsk->sk_security;
3829 ssec->peer_sid = isec->sid;
3830 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3835 static int selinux_socket_unix_may_send(struct socket *sock,
3836 struct socket *other)
3838 struct inode_security_struct *isec;
3839 struct inode_security_struct *other_isec;
3840 struct avc_audit_data ad;
3843 isec = SOCK_INODE(sock)->i_security;
3844 other_isec = SOCK_INODE(other)->i_security;
3846 AVC_AUDIT_DATA_INIT(&ad,NET);
3847 ad.u.net.sk = other->sk;
3849 err = avc_has_perm(isec->sid, other_isec->sid,
3850 isec->sclass, SOCKET__SENDTO, &ad);
3857 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3859 struct avc_audit_data *ad)
3865 err = sel_netif_sid(ifindex, &if_sid);
3868 err = avc_has_perm(peer_sid, if_sid,
3869 SECCLASS_NETIF, NETIF__INGRESS, ad);
3873 err = sel_netnode_sid(addrp, family, &node_sid);
3876 return avc_has_perm(peer_sid, node_sid,
3877 SECCLASS_NODE, NODE__RECVFROM, ad);
3880 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3881 struct sk_buff *skb,
3882 struct avc_audit_data *ad,
3887 struct sk_security_struct *sksec = sk->sk_security;
3889 u32 netif_perm, node_perm, recv_perm;
3890 u32 port_sid, node_sid, if_sid, sk_sid;
3892 sk_sid = sksec->sid;
3893 sk_class = sksec->sclass;
3896 case SECCLASS_UDP_SOCKET:
3897 netif_perm = NETIF__UDP_RECV;
3898 node_perm = NODE__UDP_RECV;
3899 recv_perm = UDP_SOCKET__RECV_MSG;
3901 case SECCLASS_TCP_SOCKET:
3902 netif_perm = NETIF__TCP_RECV;
3903 node_perm = NODE__TCP_RECV;
3904 recv_perm = TCP_SOCKET__RECV_MSG;
3906 case SECCLASS_DCCP_SOCKET:
3907 netif_perm = NETIF__DCCP_RECV;
3908 node_perm = NODE__DCCP_RECV;
3909 recv_perm = DCCP_SOCKET__RECV_MSG;
3912 netif_perm = NETIF__RAWIP_RECV;
3913 node_perm = NODE__RAWIP_RECV;
3918 err = sel_netif_sid(skb->iif, &if_sid);
3921 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3925 err = sel_netnode_sid(addrp, family, &node_sid);
3928 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3934 err = security_port_sid(sk->sk_family, sk->sk_type,
3935 sk->sk_protocol, ntohs(ad->u.net.sport),
3937 if (unlikely(err)) {
3939 "SELinux: failure in"
3940 " selinux_sock_rcv_skb_iptables_compat(),"
3941 " network port label not found\n");
3944 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3947 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3948 struct avc_audit_data *ad,
3949 u16 family, char *addrp)
3952 struct sk_security_struct *sksec = sk->sk_security;
3954 u32 sk_sid = sksec->sid;
3956 if (selinux_compat_net)
3957 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3960 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3965 if (selinux_policycap_netpeer) {
3966 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3969 err = avc_has_perm(sk_sid, peer_sid,
3970 SECCLASS_PEER, PEER__RECV, ad);
3972 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3975 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3981 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3984 struct sk_security_struct *sksec = sk->sk_security;
3985 u16 family = sk->sk_family;
3986 u32 sk_sid = sksec->sid;
3987 struct avc_audit_data ad;
3990 if (family != PF_INET && family != PF_INET6)
3993 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3994 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3997 AVC_AUDIT_DATA_INIT(&ad, NET);
3998 ad.u.net.netif = skb->iif;
3999 ad.u.net.family = family;
4000 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4004 /* If any sort of compatibility mode is enabled then handoff processing
4005 * to the selinux_sock_rcv_skb_compat() function to deal with the
4006 * special handling. We do this in an attempt to keep this function
4007 * as fast and as clean as possible. */
4008 if (selinux_compat_net || !selinux_policycap_netpeer)
4009 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4012 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4015 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4018 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4022 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4026 if (selinux_secmark_enabled()) {
4027 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4036 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4037 int __user *optlen, unsigned len)
4042 struct sk_security_struct *ssec;
4043 struct inode_security_struct *isec;
4044 u32 peer_sid = SECSID_NULL;
4046 isec = SOCK_INODE(sock)->i_security;
4048 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4049 isec->sclass == SECCLASS_TCP_SOCKET) {
4050 ssec = sock->sk->sk_security;
4051 peer_sid = ssec->peer_sid;
4053 if (peer_sid == SECSID_NULL) {
4058 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4063 if (scontext_len > len) {
4068 if (copy_to_user(optval, scontext, scontext_len))
4072 if (put_user(scontext_len, optlen))
4080 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4082 u32 peer_secid = SECSID_NULL;
4086 family = sock->sk->sk_family;
4087 else if (skb && skb->sk)
4088 family = skb->sk->sk_family;
4092 if (sock && family == PF_UNIX)
4093 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4095 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4098 *secid = peer_secid;
4099 if (peer_secid == SECSID_NULL)
4104 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4106 return sk_alloc_security(sk, family, priority);
4109 static void selinux_sk_free_security(struct sock *sk)
4111 sk_free_security(sk);
4114 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4116 struct sk_security_struct *ssec = sk->sk_security;
4117 struct sk_security_struct *newssec = newsk->sk_security;
4119 newssec->sid = ssec->sid;
4120 newssec->peer_sid = ssec->peer_sid;
4121 newssec->sclass = ssec->sclass;
4123 selinux_netlbl_sk_security_clone(ssec, newssec);
4126 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4129 *secid = SECINITSID_ANY_SOCKET;
4131 struct sk_security_struct *sksec = sk->sk_security;
4133 *secid = sksec->sid;
4137 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4139 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4140 struct sk_security_struct *sksec = sk->sk_security;
4142 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4143 sk->sk_family == PF_UNIX)
4144 isec->sid = sksec->sid;
4145 sksec->sclass = isec->sclass;
4147 selinux_netlbl_sock_graft(sk, parent);
4150 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4151 struct request_sock *req)
4153 struct sk_security_struct *sksec = sk->sk_security;
4158 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4161 if (peersid == SECSID_NULL) {
4162 req->secid = sksec->sid;
4163 req->peer_secid = SECSID_NULL;
4167 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4171 req->secid = newsid;
4172 req->peer_secid = peersid;
4176 static void selinux_inet_csk_clone(struct sock *newsk,
4177 const struct request_sock *req)
4179 struct sk_security_struct *newsksec = newsk->sk_security;
4181 newsksec->sid = req->secid;
4182 newsksec->peer_sid = req->peer_secid;
4183 /* NOTE: Ideally, we should also get the isec->sid for the
4184 new socket in sync, but we don't have the isec available yet.
4185 So we will wait until sock_graft to do it, by which
4186 time it will have been created and available. */
4188 /* We don't need to take any sort of lock here as we are the only
4189 * thread with access to newsksec */
4190 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4193 static void selinux_inet_conn_established(struct sock *sk,
4194 struct sk_buff *skb)
4196 struct sk_security_struct *sksec = sk->sk_security;
4198 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4201 static void selinux_req_classify_flow(const struct request_sock *req,
4204 fl->secid = req->secid;
4207 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4211 struct nlmsghdr *nlh;
4212 struct socket *sock = sk->sk_socket;
4213 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4215 if (skb->len < NLMSG_SPACE(0)) {
4219 nlh = nlmsg_hdr(skb);
4221 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4223 if (err == -EINVAL) {
4224 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4225 "SELinux: unrecognized netlink message"
4226 " type=%hu for sclass=%hu\n",
4227 nlh->nlmsg_type, isec->sclass);
4228 if (!selinux_enforcing)
4238 err = socket_has_perm(current, sock, perm);
4243 #ifdef CONFIG_NETFILTER
4245 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4250 struct avc_audit_data ad;
4254 if (!selinux_policycap_netpeer)
4257 secmark_active = selinux_secmark_enabled();
4258 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4259 if (!secmark_active && !peerlbl_active)
4262 AVC_AUDIT_DATA_INIT(&ad, NET);
4263 ad.u.net.netif = ifindex;
4264 ad.u.net.family = family;
4265 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4268 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4272 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4273 peer_sid, &ad) != 0)
4277 if (avc_has_perm(peer_sid, skb->secmark,
4278 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4284 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4285 struct sk_buff *skb,
4286 const struct net_device *in,
4287 const struct net_device *out,
4288 int (*okfn)(struct sk_buff *))
4290 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4293 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4294 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4295 struct sk_buff *skb,
4296 const struct net_device *in,
4297 const struct net_device *out,
4298 int (*okfn)(struct sk_buff *))
4300 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4304 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4306 struct avc_audit_data *ad,
4307 u16 family, char *addrp)
4310 struct sk_security_struct *sksec = sk->sk_security;
4312 u32 netif_perm, node_perm, send_perm;
4313 u32 port_sid, node_sid, if_sid, sk_sid;
4315 sk_sid = sksec->sid;
4316 sk_class = sksec->sclass;
4319 case SECCLASS_UDP_SOCKET:
4320 netif_perm = NETIF__UDP_SEND;
4321 node_perm = NODE__UDP_SEND;
4322 send_perm = UDP_SOCKET__SEND_MSG;
4324 case SECCLASS_TCP_SOCKET:
4325 netif_perm = NETIF__TCP_SEND;
4326 node_perm = NODE__TCP_SEND;
4327 send_perm = TCP_SOCKET__SEND_MSG;
4329 case SECCLASS_DCCP_SOCKET:
4330 netif_perm = NETIF__DCCP_SEND;
4331 node_perm = NODE__DCCP_SEND;
4332 send_perm = DCCP_SOCKET__SEND_MSG;
4335 netif_perm = NETIF__RAWIP_SEND;
4336 node_perm = NODE__RAWIP_SEND;
4341 err = sel_netif_sid(ifindex, &if_sid);
4344 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4347 err = sel_netnode_sid(addrp, family, &node_sid);
4350 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4357 err = security_port_sid(sk->sk_family, sk->sk_type,
4358 sk->sk_protocol, ntohs(ad->u.net.dport),
4360 if (unlikely(err)) {
4362 "SELinux: failure in"
4363 " selinux_ip_postroute_iptables_compat(),"
4364 " network port label not found\n");
4367 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4370 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4372 struct avc_audit_data *ad,
4377 struct sock *sk = skb->sk;
4378 struct sk_security_struct *sksec;
4382 sksec = sk->sk_security;
4384 if (selinux_compat_net) {
4385 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4389 if (avc_has_perm(sksec->sid, skb->secmark,
4390 SECCLASS_PACKET, PACKET__SEND, ad))
4394 if (selinux_policycap_netpeer)
4395 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4401 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4407 struct avc_audit_data ad;
4413 AVC_AUDIT_DATA_INIT(&ad, NET);
4414 ad.u.net.netif = ifindex;
4415 ad.u.net.family = family;
4416 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4419 /* If any sort of compatibility mode is enabled then handoff processing
4420 * to the selinux_ip_postroute_compat() function to deal with the
4421 * special handling. We do this in an attempt to keep this function
4422 * as fast and as clean as possible. */
4423 if (selinux_compat_net || !selinux_policycap_netpeer)
4424 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4425 family, addrp, proto);
4427 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4428 * packet transformation so allow the packet to pass without any checks
4429 * since we'll have another chance to perform access control checks
4430 * when the packet is on it's final way out.
4431 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4432 * is NULL, in this case go ahead and apply access control. */
4433 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4436 secmark_active = selinux_secmark_enabled();
4437 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4438 if (!secmark_active && !peerlbl_active)
4441 /* if the packet is locally generated (skb->sk != NULL) then use the
4442 * socket's label as the peer label, otherwise the packet is being
4443 * forwarded through this system and we need to fetch the peer label
4444 * directly from the packet */
4447 struct sk_security_struct *sksec = sk->sk_security;
4448 peer_sid = sksec->sid;
4449 secmark_perm = PACKET__SEND;
4451 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4453 secmark_perm = PACKET__FORWARD_OUT;
4457 if (avc_has_perm(peer_sid, skb->secmark,
4458 SECCLASS_PACKET, secmark_perm, &ad))
4461 if (peerlbl_active) {
4465 if (sel_netif_sid(ifindex, &if_sid))
4467 if (avc_has_perm(peer_sid, if_sid,
4468 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4471 if (sel_netnode_sid(addrp, family, &node_sid))
4473 if (avc_has_perm(peer_sid, node_sid,
4474 SECCLASS_NODE, NODE__SENDTO, &ad))
4481 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4482 struct sk_buff *skb,
4483 const struct net_device *in,
4484 const struct net_device *out,
4485 int (*okfn)(struct sk_buff *))
4487 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4490 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4491 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4492 struct sk_buff *skb,
4493 const struct net_device *in,
4494 const struct net_device *out,
4495 int (*okfn)(struct sk_buff *))
4497 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4501 #endif /* CONFIG_NETFILTER */
4503 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4507 err = secondary_ops->netlink_send(sk, skb);
4511 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4512 err = selinux_nlmsg_perm(sk, skb);
4517 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4520 struct avc_audit_data ad;
4522 err = secondary_ops->netlink_recv(skb, capability);
4526 AVC_AUDIT_DATA_INIT(&ad, CAP);
4527 ad.u.cap = capability;
4529 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4530 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4533 static int ipc_alloc_security(struct task_struct *task,
4534 struct kern_ipc_perm *perm,
4537 struct task_security_struct *tsec = task->security;
4538 struct ipc_security_struct *isec;
4540 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4544 isec->sclass = sclass;
4545 isec->ipc_perm = perm;
4546 isec->sid = tsec->sid;
4547 perm->security = isec;
4552 static void ipc_free_security(struct kern_ipc_perm *perm)
4554 struct ipc_security_struct *isec = perm->security;
4555 perm->security = NULL;
4559 static int msg_msg_alloc_security(struct msg_msg *msg)
4561 struct msg_security_struct *msec;
4563 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4568 msec->sid = SECINITSID_UNLABELED;
4569 msg->security = msec;
4574 static void msg_msg_free_security(struct msg_msg *msg)
4576 struct msg_security_struct *msec = msg->security;
4578 msg->security = NULL;
4582 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4585 struct task_security_struct *tsec;
4586 struct ipc_security_struct *isec;
4587 struct avc_audit_data ad;
4589 tsec = current->security;
4590 isec = ipc_perms->security;
4592 AVC_AUDIT_DATA_INIT(&ad, IPC);
4593 ad.u.ipc_id = ipc_perms->key;
4595 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4598 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4600 return msg_msg_alloc_security(msg);
4603 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4605 msg_msg_free_security(msg);
4608 /* message queue security operations */
4609 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4611 struct task_security_struct *tsec;
4612 struct ipc_security_struct *isec;
4613 struct avc_audit_data ad;
4616 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4620 tsec = current->security;
4621 isec = msq->q_perm.security;
4623 AVC_AUDIT_DATA_INIT(&ad, IPC);
4624 ad.u.ipc_id = msq->q_perm.key;
4626 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4629 ipc_free_security(&msq->q_perm);
4635 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4637 ipc_free_security(&msq->q_perm);
4640 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4642 struct task_security_struct *tsec;
4643 struct ipc_security_struct *isec;
4644 struct avc_audit_data ad;
4646 tsec = current->security;
4647 isec = msq->q_perm.security;
4649 AVC_AUDIT_DATA_INIT(&ad, IPC);
4650 ad.u.ipc_id = msq->q_perm.key;
4652 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4653 MSGQ__ASSOCIATE, &ad);
4656 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4664 /* No specific object, just general system-wide information. */
4665 return task_has_system(current, SYSTEM__IPC_INFO);
4668 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4671 perms = MSGQ__SETATTR;
4674 perms = MSGQ__DESTROY;
4680 err = ipc_has_perm(&msq->q_perm, perms);
4684 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4686 struct task_security_struct *tsec;
4687 struct ipc_security_struct *isec;
4688 struct msg_security_struct *msec;
4689 struct avc_audit_data ad;
4692 tsec = current->security;
4693 isec = msq->q_perm.security;
4694 msec = msg->security;
4697 * First time through, need to assign label to the message
4699 if (msec->sid == SECINITSID_UNLABELED) {
4701 * Compute new sid based on current process and
4702 * message queue this message will be stored in
4704 rc = security_transition_sid(tsec->sid,
4712 AVC_AUDIT_DATA_INIT(&ad, IPC);
4713 ad.u.ipc_id = msq->q_perm.key;
4715 /* Can this process write to the queue? */
4716 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4719 /* Can this process send the message */
4720 rc = avc_has_perm(tsec->sid, msec->sid,
4721 SECCLASS_MSG, MSG__SEND, &ad);
4723 /* Can the message be put in the queue? */
4724 rc = avc_has_perm(msec->sid, isec->sid,
4725 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4730 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4731 struct task_struct *target,
4732 long type, int mode)
4734 struct task_security_struct *tsec;
4735 struct ipc_security_struct *isec;
4736 struct msg_security_struct *msec;
4737 struct avc_audit_data ad;
4740 tsec = target->security;
4741 isec = msq->q_perm.security;
4742 msec = msg->security;
4744 AVC_AUDIT_DATA_INIT(&ad, IPC);
4745 ad.u.ipc_id = msq->q_perm.key;
4747 rc = avc_has_perm(tsec->sid, isec->sid,
4748 SECCLASS_MSGQ, MSGQ__READ, &ad);
4750 rc = avc_has_perm(tsec->sid, msec->sid,
4751 SECCLASS_MSG, MSG__RECEIVE, &ad);
4755 /* Shared Memory security operations */
4756 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4758 struct task_security_struct *tsec;
4759 struct ipc_security_struct *isec;
4760 struct avc_audit_data ad;
4763 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4767 tsec = current->security;
4768 isec = shp->shm_perm.security;
4770 AVC_AUDIT_DATA_INIT(&ad, IPC);
4771 ad.u.ipc_id = shp->shm_perm.key;
4773 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4776 ipc_free_security(&shp->shm_perm);
4782 static void selinux_shm_free_security(struct shmid_kernel *shp)
4784 ipc_free_security(&shp->shm_perm);
4787 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4789 struct task_security_struct *tsec;
4790 struct ipc_security_struct *isec;
4791 struct avc_audit_data ad;
4793 tsec = current->security;
4794 isec = shp->shm_perm.security;
4796 AVC_AUDIT_DATA_INIT(&ad, IPC);
4797 ad.u.ipc_id = shp->shm_perm.key;
4799 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4800 SHM__ASSOCIATE, &ad);
4803 /* Note, at this point, shp is locked down */
4804 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4812 /* No specific object, just general system-wide information. */
4813 return task_has_system(current, SYSTEM__IPC_INFO);
4816 perms = SHM__GETATTR | SHM__ASSOCIATE;
4819 perms = SHM__SETATTR;
4826 perms = SHM__DESTROY;
4832 err = ipc_has_perm(&shp->shm_perm, perms);
4836 static int selinux_shm_shmat(struct shmid_kernel *shp,
4837 char __user *shmaddr, int shmflg)
4842 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4846 if (shmflg & SHM_RDONLY)
4849 perms = SHM__READ | SHM__WRITE;
4851 return ipc_has_perm(&shp->shm_perm, perms);
4854 /* Semaphore security operations */
4855 static int selinux_sem_alloc_security(struct sem_array *sma)
4857 struct task_security_struct *tsec;
4858 struct ipc_security_struct *isec;
4859 struct avc_audit_data ad;
4862 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4866 tsec = current->security;
4867 isec = sma->sem_perm.security;
4869 AVC_AUDIT_DATA_INIT(&ad, IPC);
4870 ad.u.ipc_id = sma->sem_perm.key;
4872 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4875 ipc_free_security(&sma->sem_perm);
4881 static void selinux_sem_free_security(struct sem_array *sma)
4883 ipc_free_security(&sma->sem_perm);
4886 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4888 struct task_security_struct *tsec;
4889 struct ipc_security_struct *isec;
4890 struct avc_audit_data ad;
4892 tsec = current->security;
4893 isec = sma->sem_perm.security;
4895 AVC_AUDIT_DATA_INIT(&ad, IPC);
4896 ad.u.ipc_id = sma->sem_perm.key;
4898 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4899 SEM__ASSOCIATE, &ad);
4902 /* Note, at this point, sma is locked down */
4903 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4911 /* No specific object, just general system-wide information. */
4912 return task_has_system(current, SYSTEM__IPC_INFO);
4916 perms = SEM__GETATTR;
4927 perms = SEM__DESTROY;
4930 perms = SEM__SETATTR;
4934 perms = SEM__GETATTR | SEM__ASSOCIATE;
4940 err = ipc_has_perm(&sma->sem_perm, perms);
4944 static int selinux_sem_semop(struct sem_array *sma,
4945 struct sembuf *sops, unsigned nsops, int alter)
4950 perms = SEM__READ | SEM__WRITE;
4954 return ipc_has_perm(&sma->sem_perm, perms);
4957 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4963 av |= IPC__UNIX_READ;
4965 av |= IPC__UNIX_WRITE;
4970 return ipc_has_perm(ipcp, av);
4973 /* module stacking operations */
4974 static int selinux_register_security (const char *name, struct security_operations *ops)
4976 if (secondary_ops != original_ops) {
4977 printk(KERN_ERR "%s: There is already a secondary security "
4978 "module registered.\n", __FUNCTION__);
4982 secondary_ops = ops;
4984 printk(KERN_INFO "%s: Registering secondary module %s\n",
4991 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4994 inode_doinit_with_dentry(inode, dentry);
4997 static int selinux_getprocattr(struct task_struct *p,
4998 char *name, char **value)
5000 struct task_security_struct *tsec;
5006 error = task_has_perm(current, p, PROCESS__GETATTR);
5013 if (!strcmp(name, "current"))
5015 else if (!strcmp(name, "prev"))
5017 else if (!strcmp(name, "exec"))
5018 sid = tsec->exec_sid;
5019 else if (!strcmp(name, "fscreate"))
5020 sid = tsec->create_sid;
5021 else if (!strcmp(name, "keycreate"))
5022 sid = tsec->keycreate_sid;
5023 else if (!strcmp(name, "sockcreate"))
5024 sid = tsec->sockcreate_sid;
5031 error = security_sid_to_context(sid, value, &len);
5037 static int selinux_setprocattr(struct task_struct *p,
5038 char *name, void *value, size_t size)
5040 struct task_security_struct *tsec;
5046 /* SELinux only allows a process to change its own
5047 security attributes. */
5052 * Basic control over ability to set these attributes at all.
5053 * current == p, but we'll pass them separately in case the
5054 * above restriction is ever removed.
5056 if (!strcmp(name, "exec"))
5057 error = task_has_perm(current, p, PROCESS__SETEXEC);
5058 else if (!strcmp(name, "fscreate"))
5059 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5060 else if (!strcmp(name, "keycreate"))
5061 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5062 else if (!strcmp(name, "sockcreate"))
5063 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5064 else if (!strcmp(name, "current"))
5065 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5071 /* Obtain a SID for the context, if one was specified. */
5072 if (size && str[1] && str[1] != '\n') {
5073 if (str[size-1] == '\n') {
5077 error = security_context_to_sid(value, size, &sid);
5082 /* Permission checking based on the specified context is
5083 performed during the actual operation (execve,
5084 open/mkdir/...), when we know the full context of the
5085 operation. See selinux_bprm_set_security for the execve
5086 checks and may_create for the file creation checks. The
5087 operation will then fail if the context is not permitted. */
5089 if (!strcmp(name, "exec"))
5090 tsec->exec_sid = sid;
5091 else if (!strcmp(name, "fscreate"))
5092 tsec->create_sid = sid;
5093 else if (!strcmp(name, "keycreate")) {
5094 error = may_create_key(sid, p);
5097 tsec->keycreate_sid = sid;
5098 } else if (!strcmp(name, "sockcreate"))
5099 tsec->sockcreate_sid = sid;
5100 else if (!strcmp(name, "current")) {
5101 struct av_decision avd;
5106 /* Only allow single threaded processes to change context */
5107 if (atomic_read(&p->mm->mm_users) != 1) {
5108 struct task_struct *g, *t;
5109 struct mm_struct *mm = p->mm;
5110 read_lock(&tasklist_lock);
5111 do_each_thread(g, t)
5112 if (t->mm == mm && t != p) {
5113 read_unlock(&tasklist_lock);
5116 while_each_thread(g, t);
5117 read_unlock(&tasklist_lock);
5120 /* Check permissions for the transition. */
5121 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5122 PROCESS__DYNTRANSITION, NULL);
5126 /* Check for ptracing, and update the task SID if ok.
5127 Otherwise, leave SID unchanged and fail. */
5129 if (p->ptrace & PT_PTRACED) {
5130 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5132 PROCESS__PTRACE, 0, &avd);
5136 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5137 PROCESS__PTRACE, &avd, error, NULL);
5151 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5153 return security_sid_to_context(secid, secdata, seclen);
5156 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5158 return security_context_to_sid(secdata, seclen, secid);
5161 static void selinux_release_secctx(char *secdata, u32 seclen)
5168 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5169 unsigned long flags)
5171 struct task_security_struct *tsec = tsk->security;
5172 struct key_security_struct *ksec;
5174 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5179 if (tsec->keycreate_sid)
5180 ksec->sid = tsec->keycreate_sid;
5182 ksec->sid = tsec->sid;
5188 static void selinux_key_free(struct key *k)
5190 struct key_security_struct *ksec = k->security;
5196 static int selinux_key_permission(key_ref_t key_ref,
5197 struct task_struct *ctx,
5201 struct task_security_struct *tsec;
5202 struct key_security_struct *ksec;
5204 key = key_ref_to_ptr(key_ref);
5206 tsec = ctx->security;
5207 ksec = key->security;
5209 /* if no specific permissions are requested, we skip the
5210 permission check. No serious, additional covert channels
5211 appear to be created. */
5215 return avc_has_perm(tsec->sid, ksec->sid,
5216 SECCLASS_KEY, perm, NULL);
5221 static struct security_operations selinux_ops = {
5222 .ptrace = selinux_ptrace,
5223 .capget = selinux_capget,
5224 .capset_check = selinux_capset_check,
5225 .capset_set = selinux_capset_set,
5226 .sysctl = selinux_sysctl,
5227 .capable = selinux_capable,
5228 .quotactl = selinux_quotactl,
5229 .quota_on = selinux_quota_on,
5230 .syslog = selinux_syslog,
5231 .vm_enough_memory = selinux_vm_enough_memory,
5233 .netlink_send = selinux_netlink_send,
5234 .netlink_recv = selinux_netlink_recv,
5236 .bprm_alloc_security = selinux_bprm_alloc_security,
5237 .bprm_free_security = selinux_bprm_free_security,
5238 .bprm_apply_creds = selinux_bprm_apply_creds,
5239 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5240 .bprm_set_security = selinux_bprm_set_security,
5241 .bprm_check_security = selinux_bprm_check_security,
5242 .bprm_secureexec = selinux_bprm_secureexec,
5244 .sb_alloc_security = selinux_sb_alloc_security,
5245 .sb_free_security = selinux_sb_free_security,
5246 .sb_copy_data = selinux_sb_copy_data,
5247 .sb_kern_mount = selinux_sb_kern_mount,
5248 .sb_statfs = selinux_sb_statfs,
5249 .sb_mount = selinux_mount,
5250 .sb_umount = selinux_umount,
5251 .sb_get_mnt_opts = selinux_get_mnt_opts,
5252 .sb_set_mnt_opts = selinux_set_mnt_opts,
5253 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5255 .inode_alloc_security = selinux_inode_alloc_security,
5256 .inode_free_security = selinux_inode_free_security,
5257 .inode_init_security = selinux_inode_init_security,
5258 .inode_create = selinux_inode_create,
5259 .inode_link = selinux_inode_link,
5260 .inode_unlink = selinux_inode_unlink,
5261 .inode_symlink = selinux_inode_symlink,
5262 .inode_mkdir = selinux_inode_mkdir,
5263 .inode_rmdir = selinux_inode_rmdir,
5264 .inode_mknod = selinux_inode_mknod,
5265 .inode_rename = selinux_inode_rename,
5266 .inode_readlink = selinux_inode_readlink,
5267 .inode_follow_link = selinux_inode_follow_link,
5268 .inode_permission = selinux_inode_permission,
5269 .inode_setattr = selinux_inode_setattr,
5270 .inode_getattr = selinux_inode_getattr,
5271 .inode_setxattr = selinux_inode_setxattr,
5272 .inode_post_setxattr = selinux_inode_post_setxattr,
5273 .inode_getxattr = selinux_inode_getxattr,
5274 .inode_listxattr = selinux_inode_listxattr,
5275 .inode_removexattr = selinux_inode_removexattr,
5276 .inode_getsecurity = selinux_inode_getsecurity,
5277 .inode_setsecurity = selinux_inode_setsecurity,
5278 .inode_listsecurity = selinux_inode_listsecurity,
5279 .inode_need_killpriv = selinux_inode_need_killpriv,
5280 .inode_killpriv = selinux_inode_killpriv,
5282 .file_permission = selinux_file_permission,
5283 .file_alloc_security = selinux_file_alloc_security,
5284 .file_free_security = selinux_file_free_security,
5285 .file_ioctl = selinux_file_ioctl,
5286 .file_mmap = selinux_file_mmap,
5287 .file_mprotect = selinux_file_mprotect,
5288 .file_lock = selinux_file_lock,
5289 .file_fcntl = selinux_file_fcntl,
5290 .file_set_fowner = selinux_file_set_fowner,
5291 .file_send_sigiotask = selinux_file_send_sigiotask,
5292 .file_receive = selinux_file_receive,
5294 .dentry_open = selinux_dentry_open,
5296 .task_create = selinux_task_create,
5297 .task_alloc_security = selinux_task_alloc_security,
5298 .task_free_security = selinux_task_free_security,
5299 .task_setuid = selinux_task_setuid,
5300 .task_post_setuid = selinux_task_post_setuid,
5301 .task_setgid = selinux_task_setgid,
5302 .task_setpgid = selinux_task_setpgid,
5303 .task_getpgid = selinux_task_getpgid,
5304 .task_getsid = selinux_task_getsid,
5305 .task_getsecid = selinux_task_getsecid,
5306 .task_setgroups = selinux_task_setgroups,
5307 .task_setnice = selinux_task_setnice,
5308 .task_setioprio = selinux_task_setioprio,
5309 .task_getioprio = selinux_task_getioprio,
5310 .task_setrlimit = selinux_task_setrlimit,
5311 .task_setscheduler = selinux_task_setscheduler,
5312 .task_getscheduler = selinux_task_getscheduler,
5313 .task_movememory = selinux_task_movememory,
5314 .task_kill = selinux_task_kill,
5315 .task_wait = selinux_task_wait,
5316 .task_prctl = selinux_task_prctl,
5317 .task_reparent_to_init = selinux_task_reparent_to_init,
5318 .task_to_inode = selinux_task_to_inode,
5320 .ipc_permission = selinux_ipc_permission,
5322 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5323 .msg_msg_free_security = selinux_msg_msg_free_security,
5325 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5326 .msg_queue_free_security = selinux_msg_queue_free_security,
5327 .msg_queue_associate = selinux_msg_queue_associate,
5328 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5329 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5330 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5332 .shm_alloc_security = selinux_shm_alloc_security,
5333 .shm_free_security = selinux_shm_free_security,
5334 .shm_associate = selinux_shm_associate,
5335 .shm_shmctl = selinux_shm_shmctl,
5336 .shm_shmat = selinux_shm_shmat,
5338 .sem_alloc_security = selinux_sem_alloc_security,
5339 .sem_free_security = selinux_sem_free_security,
5340 .sem_associate = selinux_sem_associate,
5341 .sem_semctl = selinux_sem_semctl,
5342 .sem_semop = selinux_sem_semop,
5344 .register_security = selinux_register_security,
5346 .d_instantiate = selinux_d_instantiate,
5348 .getprocattr = selinux_getprocattr,
5349 .setprocattr = selinux_setprocattr,
5351 .secid_to_secctx = selinux_secid_to_secctx,
5352 .secctx_to_secid = selinux_secctx_to_secid,
5353 .release_secctx = selinux_release_secctx,
5355 .unix_stream_connect = selinux_socket_unix_stream_connect,
5356 .unix_may_send = selinux_socket_unix_may_send,
5358 .socket_create = selinux_socket_create,
5359 .socket_post_create = selinux_socket_post_create,
5360 .socket_bind = selinux_socket_bind,
5361 .socket_connect = selinux_socket_connect,
5362 .socket_listen = selinux_socket_listen,
5363 .socket_accept = selinux_socket_accept,
5364 .socket_sendmsg = selinux_socket_sendmsg,
5365 .socket_recvmsg = selinux_socket_recvmsg,
5366 .socket_getsockname = selinux_socket_getsockname,
5367 .socket_getpeername = selinux_socket_getpeername,
5368 .socket_getsockopt = selinux_socket_getsockopt,
5369 .socket_setsockopt = selinux_socket_setsockopt,
5370 .socket_shutdown = selinux_socket_shutdown,
5371 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5372 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5373 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5374 .sk_alloc_security = selinux_sk_alloc_security,
5375 .sk_free_security = selinux_sk_free_security,
5376 .sk_clone_security = selinux_sk_clone_security,
5377 .sk_getsecid = selinux_sk_getsecid,
5378 .sock_graft = selinux_sock_graft,
5379 .inet_conn_request = selinux_inet_conn_request,
5380 .inet_csk_clone = selinux_inet_csk_clone,
5381 .inet_conn_established = selinux_inet_conn_established,
5382 .req_classify_flow = selinux_req_classify_flow,
5384 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5385 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5386 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5387 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5388 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5389 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5390 .xfrm_state_free_security = selinux_xfrm_state_free,
5391 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5392 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5393 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5394 .xfrm_decode_session = selinux_xfrm_decode_session,
5398 .key_alloc = selinux_key_alloc,
5399 .key_free = selinux_key_free,
5400 .key_permission = selinux_key_permission,
5404 static __init int selinux_init(void)
5406 struct task_security_struct *tsec;
5408 if (!selinux_enabled) {
5409 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5413 printk(KERN_INFO "SELinux: Initializing.\n");
5415 /* Set the security state for the initial task. */
5416 if (task_alloc_security(current))
5417 panic("SELinux: Failed to initialize initial task.\n");
5418 tsec = current->security;
5419 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5421 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5422 sizeof(struct inode_security_struct),
5423 0, SLAB_PANIC, NULL);
5426 original_ops = secondary_ops = security_ops;
5428 panic ("SELinux: No initial security operations\n");
5429 if (register_security (&selinux_ops))
5430 panic("SELinux: Unable to register with kernel.\n");
5432 if (selinux_enforcing) {
5433 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5435 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5439 /* Add security information to initial keyrings */
5440 selinux_key_alloc(&root_user_keyring, current,
5441 KEY_ALLOC_NOT_IN_QUOTA);
5442 selinux_key_alloc(&root_session_keyring, current,
5443 KEY_ALLOC_NOT_IN_QUOTA);
5449 void selinux_complete_init(void)
5451 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5453 /* Set up any superblocks initialized prior to the policy load. */
5454 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5455 spin_lock(&sb_lock);
5456 spin_lock(&sb_security_lock);
5458 if (!list_empty(&superblock_security_head)) {
5459 struct superblock_security_struct *sbsec =
5460 list_entry(superblock_security_head.next,
5461 struct superblock_security_struct,
5463 struct super_block *sb = sbsec->sb;
5465 spin_unlock(&sb_security_lock);
5466 spin_unlock(&sb_lock);
5467 down_read(&sb->s_umount);
5469 superblock_doinit(sb, NULL);
5471 spin_lock(&sb_lock);
5472 spin_lock(&sb_security_lock);
5473 list_del_init(&sbsec->list);
5476 spin_unlock(&sb_security_lock);
5477 spin_unlock(&sb_lock);
5480 /* SELinux requires early initialization in order to label
5481 all processes and objects when they are created. */
5482 security_initcall(selinux_init);
5484 #if defined(CONFIG_NETFILTER)
5486 static struct nf_hook_ops selinux_ipv4_ops[] = {
5488 .hook = selinux_ipv4_postroute,
5489 .owner = THIS_MODULE,
5491 .hooknum = NF_INET_POST_ROUTING,
5492 .priority = NF_IP_PRI_SELINUX_LAST,
5495 .hook = selinux_ipv4_forward,
5496 .owner = THIS_MODULE,
5498 .hooknum = NF_INET_FORWARD,
5499 .priority = NF_IP_PRI_SELINUX_FIRST,
5503 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5505 static struct nf_hook_ops selinux_ipv6_ops[] = {
5507 .hook = selinux_ipv6_postroute,
5508 .owner = THIS_MODULE,
5510 .hooknum = NF_INET_POST_ROUTING,
5511 .priority = NF_IP6_PRI_SELINUX_LAST,
5514 .hook = selinux_ipv6_forward,
5515 .owner = THIS_MODULE,
5517 .hooknum = NF_INET_FORWARD,
5518 .priority = NF_IP6_PRI_SELINUX_FIRST,
5524 static int __init selinux_nf_ip_init(void)
5529 if (!selinux_enabled)
5532 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5534 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5535 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5537 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5541 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5542 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5543 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5545 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5554 __initcall(selinux_nf_ip_init);
5556 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5557 static void selinux_nf_ip_exit(void)
5561 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5563 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5564 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5565 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5566 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5567 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5572 #else /* CONFIG_NETFILTER */
5574 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5575 #define selinux_nf_ip_exit()
5578 #endif /* CONFIG_NETFILTER */
5580 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5581 int selinux_disable(void)
5583 extern void exit_sel_fs(void);
5584 static int selinux_disabled = 0;
5586 if (ss_initialized) {
5587 /* Not permitted after initial policy load. */
5591 if (selinux_disabled) {
5592 /* Only do this once. */
5596 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5598 selinux_disabled = 1;
5599 selinux_enabled = 0;
5601 /* Reset security_ops to the secondary module, dummy or capability. */
5602 security_ops = secondary_ops;
5604 /* Unregister netfilter hooks. */
5605 selinux_nf_ip_exit();
5607 /* Unregister selinuxfs. */