2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
16 * Paul Moore, <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <asm/uaccess.h>
55 #include <asm/ioctls.h>
56 #include <linux/bitops.h>
57 #include <linux/interrupt.h>
58 #include <linux/netdevice.h> /* for network interface checks */
59 #include <linux/netlink.h>
60 #include <linux/tcp.h>
61 #include <linux/udp.h>
62 #include <linux/dccp.h>
63 #include <linux/quota.h>
64 #include <linux/un.h> /* for Unix socket types */
65 #include <net/af_unix.h> /* for Unix socket types */
66 #include <linux/parser.h>
67 #include <linux/nfs_mount.h>
69 #include <linux/hugetlb.h>
70 #include <linux/personality.h>
71 #include <linux/sysctl.h>
72 #include <linux/audit.h>
73 #include <linux/string.h>
74 #include <linux/selinux.h>
75 #include <linux/mutex.h>
84 #define XATTR_SELINUX_SUFFIX "selinux"
85 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
87 #define NUM_SEL_MNT_OPTS 4
89 extern unsigned int policydb_loaded_version;
90 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
91 extern int selinux_compat_net;
92 extern struct security_operations *security_ops;
94 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
95 int selinux_enforcing = 0;
97 static int __init enforcing_setup(char *str)
99 selinux_enforcing = simple_strtol(str,NULL,0);
102 __setup("enforcing=", enforcing_setup);
105 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
106 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
108 static int __init selinux_enabled_setup(char *str)
110 selinux_enabled = simple_strtol(str, NULL, 0);
113 __setup("selinux=", selinux_enabled_setup);
115 int selinux_enabled = 1;
118 /* Original (dummy) security module. */
119 static struct security_operations *original_ops = NULL;
121 /* Minimal support for a secondary security module,
122 just to allow the use of the dummy or capability modules.
123 The owlsm module can alternatively be used as a secondary
124 module as long as CONFIG_OWLSM_FD is not enabled. */
125 static struct security_operations *secondary_ops = NULL;
127 /* Lists of inode and superblock security structures initialized
128 before the policy was loaded. */
129 static LIST_HEAD(superblock_security_head);
130 static DEFINE_SPINLOCK(sb_security_lock);
132 static struct kmem_cache *sel_inode_cache;
134 /* Return security context for a given sid or just the context
135 length if the buffer is null or length is 0 */
136 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
142 rc = security_sid_to_context(sid, &context, &len);
146 if (!buffer || !size)
147 goto getsecurity_exit;
151 goto getsecurity_exit;
153 memcpy(buffer, context, len);
160 /* Allocate and free functions for each kind of security blob. */
162 static int task_alloc_security(struct task_struct *task)
164 struct task_security_struct *tsec;
166 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
171 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
172 task->security = tsec;
177 static void task_free_security(struct task_struct *task)
179 struct task_security_struct *tsec = task->security;
180 task->security = NULL;
184 static int inode_alloc_security(struct inode *inode)
186 struct task_security_struct *tsec = current->security;
187 struct inode_security_struct *isec;
189 isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
193 mutex_init(&isec->lock);
194 INIT_LIST_HEAD(&isec->list);
196 isec->sid = SECINITSID_UNLABELED;
197 isec->sclass = SECCLASS_FILE;
198 isec->task_sid = tsec->sid;
199 inode->i_security = isec;
204 static void inode_free_security(struct inode *inode)
206 struct inode_security_struct *isec = inode->i_security;
207 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
209 spin_lock(&sbsec->isec_lock);
210 if (!list_empty(&isec->list))
211 list_del_init(&isec->list);
212 spin_unlock(&sbsec->isec_lock);
214 inode->i_security = NULL;
215 kmem_cache_free(sel_inode_cache, isec);
218 static int file_alloc_security(struct file *file)
220 struct task_security_struct *tsec = current->security;
221 struct file_security_struct *fsec;
223 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
228 fsec->sid = tsec->sid;
229 fsec->fown_sid = tsec->sid;
230 file->f_security = fsec;
235 static void file_free_security(struct file *file)
237 struct file_security_struct *fsec = file->f_security;
238 file->f_security = NULL;
242 static int superblock_alloc_security(struct super_block *sb)
244 struct superblock_security_struct *sbsec;
246 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
250 mutex_init(&sbsec->lock);
251 INIT_LIST_HEAD(&sbsec->list);
252 INIT_LIST_HEAD(&sbsec->isec_head);
253 spin_lock_init(&sbsec->isec_lock);
255 sbsec->sid = SECINITSID_UNLABELED;
256 sbsec->def_sid = SECINITSID_FILE;
257 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
258 sb->s_security = sbsec;
263 static void superblock_free_security(struct super_block *sb)
265 struct superblock_security_struct *sbsec = sb->s_security;
267 spin_lock(&sb_security_lock);
268 if (!list_empty(&sbsec->list))
269 list_del_init(&sbsec->list);
270 spin_unlock(&sb_security_lock);
272 sb->s_security = NULL;
276 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
278 struct sk_security_struct *ssec;
280 ssec = kzalloc(sizeof(*ssec), priority);
285 ssec->peer_sid = SECINITSID_UNLABELED;
286 ssec->sid = SECINITSID_UNLABELED;
287 sk->sk_security = ssec;
289 selinux_netlbl_sk_security_init(ssec, family);
294 static void sk_free_security(struct sock *sk)
296 struct sk_security_struct *ssec = sk->sk_security;
298 sk->sk_security = NULL;
302 /* The security server must be initialized before
303 any labeling or access decisions can be provided. */
304 extern int ss_initialized;
306 /* The file system's label must be initialized prior to use. */
308 static char *labeling_behaviors[6] = {
310 "uses transition SIDs",
312 "uses genfs_contexts",
313 "not configured for labeling",
314 "uses mountpoint labeling",
317 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
319 static inline int inode_doinit(struct inode *inode)
321 return inode_doinit_with_dentry(inode, NULL);
332 static match_table_t tokens = {
333 {Opt_context, "context=%s"},
334 {Opt_fscontext, "fscontext=%s"},
335 {Opt_defcontext, "defcontext=%s"},
336 {Opt_rootcontext, "rootcontext=%s"},
340 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
342 static int may_context_mount_sb_relabel(u32 sid,
343 struct superblock_security_struct *sbsec,
344 struct task_security_struct *tsec)
348 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
349 FILESYSTEM__RELABELFROM, NULL);
353 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
354 FILESYSTEM__RELABELTO, NULL);
358 static int may_context_mount_inode_relabel(u32 sid,
359 struct superblock_security_struct *sbsec,
360 struct task_security_struct *tsec)
363 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
364 FILESYSTEM__RELABELFROM, NULL);
368 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
369 FILESYSTEM__ASSOCIATE, NULL);
373 static int sb_finish_set_opts(struct super_block *sb)
375 struct superblock_security_struct *sbsec = sb->s_security;
376 struct dentry *root = sb->s_root;
377 struct inode *root_inode = root->d_inode;
380 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
381 /* Make sure that the xattr handler exists and that no
382 error other than -ENODATA is returned by getxattr on
383 the root directory. -ENODATA is ok, as this may be
384 the first boot of the SELinux kernel before we have
385 assigned xattr values to the filesystem. */
386 if (!root_inode->i_op->getxattr) {
387 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
388 "xattr support\n", sb->s_id, sb->s_type->name);
392 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
393 if (rc < 0 && rc != -ENODATA) {
394 if (rc == -EOPNOTSUPP)
395 printk(KERN_WARNING "SELinux: (dev %s, type "
396 "%s) has no security xattr handler\n",
397 sb->s_id, sb->s_type->name);
399 printk(KERN_WARNING "SELinux: (dev %s, type "
400 "%s) getxattr errno %d\n", sb->s_id,
401 sb->s_type->name, -rc);
406 sbsec->initialized = 1;
408 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
409 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
410 sb->s_id, sb->s_type->name);
412 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
413 sb->s_id, sb->s_type->name,
414 labeling_behaviors[sbsec->behavior-1]);
416 /* Initialize the root inode. */
417 rc = inode_doinit_with_dentry(root_inode, root);
419 /* Initialize any other inodes associated with the superblock, e.g.
420 inodes created prior to initial policy load or inodes created
421 during get_sb by a pseudo filesystem that directly
423 spin_lock(&sbsec->isec_lock);
425 if (!list_empty(&sbsec->isec_head)) {
426 struct inode_security_struct *isec =
427 list_entry(sbsec->isec_head.next,
428 struct inode_security_struct, list);
429 struct inode *inode = isec->inode;
430 spin_unlock(&sbsec->isec_lock);
431 inode = igrab(inode);
433 if (!IS_PRIVATE(inode))
437 spin_lock(&sbsec->isec_lock);
438 list_del_init(&isec->list);
441 spin_unlock(&sbsec->isec_lock);
447 * This function should allow an FS to ask what it's mount security
448 * options were so it can use those later for submounts, displaying
449 * mount options, or whatever.
451 static int selinux_get_mnt_opts(const struct super_block *sb,
452 char ***mount_options, int **mnt_opts_flags,
456 struct superblock_security_struct *sbsec = sb->s_security;
457 char *context = NULL;
462 *mount_options = NULL;
463 *mnt_opts_flags = NULL;
465 if (!sbsec->initialized)
472 * if we ever use sbsec flags for anything other than tracking mount
473 * settings this is going to need a mask
476 /* count the number of mount options for this sb */
477 for (i = 0; i < 8; i++) {
483 *mount_options = kcalloc(*num_opts, sizeof(char *), GFP_ATOMIC);
484 if (!*mount_options) {
489 *mnt_opts_flags = kcalloc(*num_opts, sizeof(int), GFP_ATOMIC);
490 if (!*mnt_opts_flags) {
496 if (sbsec->flags & FSCONTEXT_MNT) {
497 rc = security_sid_to_context(sbsec->sid, &context, &len);
500 (*mount_options)[i] = context;
501 (*mnt_opts_flags)[i++] = FSCONTEXT_MNT;
503 if (sbsec->flags & CONTEXT_MNT) {
504 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
507 (*mount_options)[i] = context;
508 (*mnt_opts_flags)[i++] = CONTEXT_MNT;
510 if (sbsec->flags & DEFCONTEXT_MNT) {
511 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
514 (*mount_options)[i] = context;
515 (*mnt_opts_flags)[i++] = DEFCONTEXT_MNT;
517 if (sbsec->flags & ROOTCONTEXT_MNT) {
518 struct inode *root = sbsec->sb->s_root->d_inode;
519 struct inode_security_struct *isec = root->i_security;
521 rc = security_sid_to_context(isec->sid, &context, &len);
524 (*mount_options)[i] = context;
525 (*mnt_opts_flags)[i++] = ROOTCONTEXT_MNT;
528 BUG_ON(i != *num_opts);
533 /* don't leak context string if security_sid_to_context had an error */
534 if (*mount_options && i)
536 kfree((*mount_options)[i-1]);
537 kfree(*mount_options);
538 *mount_options = NULL;
539 kfree(*mnt_opts_flags);
540 *mnt_opts_flags = NULL;
545 static int bad_option(struct superblock_security_struct *sbsec, char flag,
546 u32 old_sid, u32 new_sid)
548 /* check if the old mount command had the same options */
549 if (sbsec->initialized)
550 if (!(sbsec->flags & flag) ||
551 (old_sid != new_sid))
554 /* check if we were passed the same options twice,
555 * aka someone passed context=a,context=b
557 if (!sbsec->initialized)
558 if (sbsec->flags & flag)
563 * Allow filesystems with binary mount data to explicitly set mount point
564 * labeling information.
566 int selinux_set_mnt_opts(struct super_block *sb, char **mount_options,
567 int *flags, int num_opts)
570 struct task_security_struct *tsec = current->security;
571 struct superblock_security_struct *sbsec = sb->s_security;
572 const char *name = sb->s_type->name;
573 struct inode *inode = sbsec->sb->s_root->d_inode;
574 struct inode_security_struct *root_isec = inode->i_security;
575 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
576 u32 defcontext_sid = 0;
578 mutex_lock(&sbsec->lock);
580 if (!ss_initialized) {
582 /* Defer initialization until selinux_complete_init,
583 after the initial policy is loaded and the security
584 server is ready to handle calls. */
585 spin_lock(&sb_security_lock);
586 if (list_empty(&sbsec->list))
587 list_add(&sbsec->list, &superblock_security_head);
588 spin_unlock(&sb_security_lock);
592 printk(KERN_WARNING "Unable to set superblock options before "
593 "the security server is initialized\n");
598 * parse the mount options, check if they are valid sids.
599 * also check if someone is trying to mount the same sb more
600 * than once with different security options.
602 for (i = 0; i < num_opts; i++) {
604 rc = security_context_to_sid(mount_options[i],
605 strlen(mount_options[i]), &sid);
607 printk(KERN_WARNING "SELinux: security_context_to_sid"
608 "(%s) failed for (dev %s, type %s) errno=%d\n",
609 mount_options[i], sb->s_id, name, rc);
616 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
618 goto out_double_mount;
620 sbsec->flags |= FSCONTEXT_MNT;
625 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
627 goto out_double_mount;
629 sbsec->flags |= CONTEXT_MNT;
631 case ROOTCONTEXT_MNT:
632 rootcontext_sid = sid;
634 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
636 goto out_double_mount;
638 sbsec->flags |= ROOTCONTEXT_MNT;
642 defcontext_sid = sid;
644 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
646 goto out_double_mount;
648 sbsec->flags |= DEFCONTEXT_MNT;
657 if (sbsec->initialized) {
658 /* previously mounted with options, but not on this attempt? */
659 if (sbsec->flags && !num_opts)
660 goto out_double_mount;
665 if (strcmp(sb->s_type->name, "proc") == 0)
668 /* Determine the labeling behavior to use for this filesystem type. */
669 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
671 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
672 __FUNCTION__, sb->s_type->name, rc);
676 /* sets the context of the superblock for the fs being mounted. */
679 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
683 sbsec->sid = fscontext_sid;
687 * Switch to using mount point labeling behavior.
688 * sets the label used on all file below the mountpoint, and will set
689 * the superblock context if not already set.
692 if (!fscontext_sid) {
693 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
696 sbsec->sid = context_sid;
698 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
702 if (!rootcontext_sid)
703 rootcontext_sid = context_sid;
705 sbsec->mntpoint_sid = context_sid;
706 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
709 if (rootcontext_sid) {
710 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
714 root_isec->sid = rootcontext_sid;
715 root_isec->initialized = 1;
718 if (defcontext_sid) {
719 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
721 printk(KERN_WARNING "SELinux: defcontext option is "
722 "invalid for this filesystem type\n");
726 if (defcontext_sid != sbsec->def_sid) {
727 rc = may_context_mount_inode_relabel(defcontext_sid,
733 sbsec->def_sid = defcontext_sid;
736 rc = sb_finish_set_opts(sb);
738 mutex_unlock(&sbsec->lock);
742 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
743 "security settings for (dev %s, type %s)\n", sb->s_id, name);
747 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
748 struct super_block *newsb)
750 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
751 struct superblock_security_struct *newsbsec = newsb->s_security;
753 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
754 int set_context = (oldsbsec->flags & CONTEXT_MNT);
755 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
757 /* we can't error, we can't save the info, this shouldn't get called
758 * this early in the boot process. */
759 BUG_ON(!ss_initialized);
761 /* this might go away sometime down the line if there is a new user
762 * of clone, but for now, nfs better not get here... */
763 BUG_ON(newsbsec->initialized);
765 /* how can we clone if the old one wasn't set up?? */
766 BUG_ON(!oldsbsec->initialized);
768 mutex_lock(&newsbsec->lock);
770 newsbsec->flags = oldsbsec->flags;
772 newsbsec->sid = oldsbsec->sid;
773 newsbsec->def_sid = oldsbsec->def_sid;
774 newsbsec->behavior = oldsbsec->behavior;
777 u32 sid = oldsbsec->mntpoint_sid;
781 if (!set_rootcontext) {
782 struct inode *newinode = newsb->s_root->d_inode;
783 struct inode_security_struct *newisec = newinode->i_security;
786 newsbsec->mntpoint_sid = sid;
788 if (set_rootcontext) {
789 const struct inode *oldinode = oldsb->s_root->d_inode;
790 const struct inode_security_struct *oldisec = oldinode->i_security;
791 struct inode *newinode = newsb->s_root->d_inode;
792 struct inode_security_struct *newisec = newinode->i_security;
794 newisec->sid = oldisec->sid;
797 sb_finish_set_opts(newsb);
798 mutex_unlock(&newsbsec->lock);
802 * string mount options parsing and call set the sbsec
804 static int superblock_doinit(struct super_block *sb, void *data)
806 char *context = NULL, *defcontext = NULL;
807 char *fscontext = NULL, *rootcontext = NULL;
809 char *p, *options = data;
810 /* selinux only know about a fixed number of mount options */
811 char *mnt_opts[NUM_SEL_MNT_OPTS];
812 int mnt_opts_flags[NUM_SEL_MNT_OPTS], num_mnt_opts = 0;
817 /* with the nfs patch this will become a goto out; */
818 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
819 const char *name = sb->s_type->name;
820 /* NFS we understand. */
821 if (!strcmp(name, "nfs")) {
822 struct nfs_mount_data *d = data;
824 if (d->version != NFS_MOUNT_VERSION)
828 context = kstrdup(d->context, GFP_KERNEL);
839 /* Standard string-based options. */
840 while ((p = strsep(&options, "|")) != NULL) {
842 substring_t args[MAX_OPT_ARGS];
847 token = match_token(p, tokens, args);
851 if (context || defcontext) {
853 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
856 context = match_strdup(&args[0]);
866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
869 fscontext = match_strdup(&args[0]);
876 case Opt_rootcontext:
879 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
882 rootcontext = match_strdup(&args[0]);
890 if (context || defcontext) {
892 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
895 defcontext = match_strdup(&args[0]);
904 printk(KERN_WARNING "SELinux: unknown mount option\n");
912 mnt_opts[num_mnt_opts] = fscontext;
913 mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
916 mnt_opts[num_mnt_opts] = context;
917 mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
920 mnt_opts[num_mnt_opts] = rootcontext;
921 mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
924 mnt_opts[num_mnt_opts] = defcontext;
925 mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
929 rc = selinux_set_mnt_opts(sb, mnt_opts, mnt_opts_flags, num_mnt_opts);
938 static inline u16 inode_mode_to_security_class(umode_t mode)
940 switch (mode & S_IFMT) {
942 return SECCLASS_SOCK_FILE;
944 return SECCLASS_LNK_FILE;
946 return SECCLASS_FILE;
948 return SECCLASS_BLK_FILE;
952 return SECCLASS_CHR_FILE;
954 return SECCLASS_FIFO_FILE;
958 return SECCLASS_FILE;
961 static inline int default_protocol_stream(int protocol)
963 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
966 static inline int default_protocol_dgram(int protocol)
968 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
971 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
978 return SECCLASS_UNIX_STREAM_SOCKET;
980 return SECCLASS_UNIX_DGRAM_SOCKET;
987 if (default_protocol_stream(protocol))
988 return SECCLASS_TCP_SOCKET;
990 return SECCLASS_RAWIP_SOCKET;
992 if (default_protocol_dgram(protocol))
993 return SECCLASS_UDP_SOCKET;
995 return SECCLASS_RAWIP_SOCKET;
997 return SECCLASS_DCCP_SOCKET;
999 return SECCLASS_RAWIP_SOCKET;
1005 return SECCLASS_NETLINK_ROUTE_SOCKET;
1006 case NETLINK_FIREWALL:
1007 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1008 case NETLINK_INET_DIAG:
1009 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1011 return SECCLASS_NETLINK_NFLOG_SOCKET;
1013 return SECCLASS_NETLINK_XFRM_SOCKET;
1014 case NETLINK_SELINUX:
1015 return SECCLASS_NETLINK_SELINUX_SOCKET;
1017 return SECCLASS_NETLINK_AUDIT_SOCKET;
1018 case NETLINK_IP6_FW:
1019 return SECCLASS_NETLINK_IP6FW_SOCKET;
1020 case NETLINK_DNRTMSG:
1021 return SECCLASS_NETLINK_DNRT_SOCKET;
1022 case NETLINK_KOBJECT_UEVENT:
1023 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1025 return SECCLASS_NETLINK_SOCKET;
1028 return SECCLASS_PACKET_SOCKET;
1030 return SECCLASS_KEY_SOCKET;
1032 return SECCLASS_APPLETALK_SOCKET;
1035 return SECCLASS_SOCKET;
1038 #ifdef CONFIG_PROC_FS
1039 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1044 char *buffer, *path, *end;
1046 buffer = (char*)__get_free_page(GFP_KERNEL);
1051 end = buffer+buflen;
1056 while (de && de != de->parent) {
1057 buflen -= de->namelen + 1;
1061 memcpy(end, de->name, de->namelen);
1066 rc = security_genfs_sid("proc", path, tclass, sid);
1067 free_page((unsigned long)buffer);
1071 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1079 /* The inode's security attributes must be initialized before first use. */
1080 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1082 struct superblock_security_struct *sbsec = NULL;
1083 struct inode_security_struct *isec = inode->i_security;
1085 struct dentry *dentry;
1086 #define INITCONTEXTLEN 255
1087 char *context = NULL;
1091 if (isec->initialized)
1094 mutex_lock(&isec->lock);
1095 if (isec->initialized)
1098 sbsec = inode->i_sb->s_security;
1099 if (!sbsec->initialized) {
1100 /* Defer initialization until selinux_complete_init,
1101 after the initial policy is loaded and the security
1102 server is ready to handle calls. */
1103 spin_lock(&sbsec->isec_lock);
1104 if (list_empty(&isec->list))
1105 list_add(&isec->list, &sbsec->isec_head);
1106 spin_unlock(&sbsec->isec_lock);
1110 switch (sbsec->behavior) {
1111 case SECURITY_FS_USE_XATTR:
1112 if (!inode->i_op->getxattr) {
1113 isec->sid = sbsec->def_sid;
1117 /* Need a dentry, since the xattr API requires one.
1118 Life would be simpler if we could just pass the inode. */
1120 /* Called from d_instantiate or d_splice_alias. */
1121 dentry = dget(opt_dentry);
1123 /* Called from selinux_complete_init, try to find a dentry. */
1124 dentry = d_find_alias(inode);
1127 printk(KERN_WARNING "%s: no dentry for dev=%s "
1128 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1133 len = INITCONTEXTLEN;
1134 context = kmalloc(len, GFP_KERNEL);
1140 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1142 if (rc == -ERANGE) {
1143 /* Need a larger buffer. Query for the right size. */
1144 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1152 context = kmalloc(len, GFP_KERNEL);
1158 rc = inode->i_op->getxattr(dentry,
1164 if (rc != -ENODATA) {
1165 printk(KERN_WARNING "%s: getxattr returned "
1166 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1167 -rc, inode->i_sb->s_id, inode->i_ino);
1171 /* Map ENODATA to the default file SID */
1172 sid = sbsec->def_sid;
1175 rc = security_context_to_sid_default(context, rc, &sid,
1178 printk(KERN_WARNING "%s: context_to_sid(%s) "
1179 "returned %d for dev=%s ino=%ld\n",
1180 __FUNCTION__, context, -rc,
1181 inode->i_sb->s_id, inode->i_ino);
1183 /* Leave with the unlabeled SID */
1191 case SECURITY_FS_USE_TASK:
1192 isec->sid = isec->task_sid;
1194 case SECURITY_FS_USE_TRANS:
1195 /* Default to the fs SID. */
1196 isec->sid = sbsec->sid;
1198 /* Try to obtain a transition SID. */
1199 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1200 rc = security_transition_sid(isec->task_sid,
1208 case SECURITY_FS_USE_MNTPOINT:
1209 isec->sid = sbsec->mntpoint_sid;
1212 /* Default to the fs superblock SID. */
1213 isec->sid = sbsec->sid;
1216 struct proc_inode *proci = PROC_I(inode);
1218 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1219 rc = selinux_proc_get_sid(proci->pde,
1230 isec->initialized = 1;
1233 mutex_unlock(&isec->lock);
1235 if (isec->sclass == SECCLASS_FILE)
1236 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1240 /* Convert a Linux signal to an access vector. */
1241 static inline u32 signal_to_av(int sig)
1247 /* Commonly granted from child to parent. */
1248 perm = PROCESS__SIGCHLD;
1251 /* Cannot be caught or ignored */
1252 perm = PROCESS__SIGKILL;
1255 /* Cannot be caught or ignored */
1256 perm = PROCESS__SIGSTOP;
1259 /* All other signals. */
1260 perm = PROCESS__SIGNAL;
1267 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1268 fork check, ptrace check, etc. */
1269 static int task_has_perm(struct task_struct *tsk1,
1270 struct task_struct *tsk2,
1273 struct task_security_struct *tsec1, *tsec2;
1275 tsec1 = tsk1->security;
1276 tsec2 = tsk2->security;
1277 return avc_has_perm(tsec1->sid, tsec2->sid,
1278 SECCLASS_PROCESS, perms, NULL);
1281 /* Check whether a task is allowed to use a capability. */
1282 static int task_has_capability(struct task_struct *tsk,
1285 struct task_security_struct *tsec;
1286 struct avc_audit_data ad;
1288 tsec = tsk->security;
1290 AVC_AUDIT_DATA_INIT(&ad,CAP);
1294 return avc_has_perm(tsec->sid, tsec->sid,
1295 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1298 /* Check whether a task is allowed to use a system operation. */
1299 static int task_has_system(struct task_struct *tsk,
1302 struct task_security_struct *tsec;
1304 tsec = tsk->security;
1306 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1307 SECCLASS_SYSTEM, perms, NULL);
1310 /* Check whether a task has a particular permission to an inode.
1311 The 'adp' parameter is optional and allows other audit
1312 data to be passed (e.g. the dentry). */
1313 static int inode_has_perm(struct task_struct *tsk,
1314 struct inode *inode,
1316 struct avc_audit_data *adp)
1318 struct task_security_struct *tsec;
1319 struct inode_security_struct *isec;
1320 struct avc_audit_data ad;
1322 if (unlikely (IS_PRIVATE (inode)))
1325 tsec = tsk->security;
1326 isec = inode->i_security;
1330 AVC_AUDIT_DATA_INIT(&ad, FS);
1331 ad.u.fs.inode = inode;
1334 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1337 /* Same as inode_has_perm, but pass explicit audit data containing
1338 the dentry to help the auditing code to more easily generate the
1339 pathname if needed. */
1340 static inline int dentry_has_perm(struct task_struct *tsk,
1341 struct vfsmount *mnt,
1342 struct dentry *dentry,
1345 struct inode *inode = dentry->d_inode;
1346 struct avc_audit_data ad;
1347 AVC_AUDIT_DATA_INIT(&ad,FS);
1349 ad.u.fs.dentry = dentry;
1350 return inode_has_perm(tsk, inode, av, &ad);
1353 /* Check whether a task can use an open file descriptor to
1354 access an inode in a given way. Check access to the
1355 descriptor itself, and then use dentry_has_perm to
1356 check a particular permission to the file.
1357 Access to the descriptor is implicitly granted if it
1358 has the same SID as the process. If av is zero, then
1359 access to the file is not checked, e.g. for cases
1360 where only the descriptor is affected like seek. */
1361 static int file_has_perm(struct task_struct *tsk,
1365 struct task_security_struct *tsec = tsk->security;
1366 struct file_security_struct *fsec = file->f_security;
1367 struct vfsmount *mnt = file->f_path.mnt;
1368 struct dentry *dentry = file->f_path.dentry;
1369 struct inode *inode = dentry->d_inode;
1370 struct avc_audit_data ad;
1373 AVC_AUDIT_DATA_INIT(&ad, FS);
1375 ad.u.fs.dentry = dentry;
1377 if (tsec->sid != fsec->sid) {
1378 rc = avc_has_perm(tsec->sid, fsec->sid,
1386 /* av is zero if only checking access to the descriptor. */
1388 return inode_has_perm(tsk, inode, av, &ad);
1393 /* Check whether a task can create a file. */
1394 static int may_create(struct inode *dir,
1395 struct dentry *dentry,
1398 struct task_security_struct *tsec;
1399 struct inode_security_struct *dsec;
1400 struct superblock_security_struct *sbsec;
1402 struct avc_audit_data ad;
1405 tsec = current->security;
1406 dsec = dir->i_security;
1407 sbsec = dir->i_sb->s_security;
1409 AVC_AUDIT_DATA_INIT(&ad, FS);
1410 ad.u.fs.dentry = dentry;
1412 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1413 DIR__ADD_NAME | DIR__SEARCH,
1418 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1419 newsid = tsec->create_sid;
1421 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1427 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1431 return avc_has_perm(newsid, sbsec->sid,
1432 SECCLASS_FILESYSTEM,
1433 FILESYSTEM__ASSOCIATE, &ad);
1436 /* Check whether a task can create a key. */
1437 static int may_create_key(u32 ksid,
1438 struct task_struct *ctx)
1440 struct task_security_struct *tsec;
1442 tsec = ctx->security;
1444 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1448 #define MAY_UNLINK 1
1451 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1452 static int may_link(struct inode *dir,
1453 struct dentry *dentry,
1457 struct task_security_struct *tsec;
1458 struct inode_security_struct *dsec, *isec;
1459 struct avc_audit_data ad;
1463 tsec = current->security;
1464 dsec = dir->i_security;
1465 isec = dentry->d_inode->i_security;
1467 AVC_AUDIT_DATA_INIT(&ad, FS);
1468 ad.u.fs.dentry = dentry;
1471 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1472 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1487 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1491 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1495 static inline int may_rename(struct inode *old_dir,
1496 struct dentry *old_dentry,
1497 struct inode *new_dir,
1498 struct dentry *new_dentry)
1500 struct task_security_struct *tsec;
1501 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1502 struct avc_audit_data ad;
1504 int old_is_dir, new_is_dir;
1507 tsec = current->security;
1508 old_dsec = old_dir->i_security;
1509 old_isec = old_dentry->d_inode->i_security;
1510 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1511 new_dsec = new_dir->i_security;
1513 AVC_AUDIT_DATA_INIT(&ad, FS);
1515 ad.u.fs.dentry = old_dentry;
1516 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1517 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1520 rc = avc_has_perm(tsec->sid, old_isec->sid,
1521 old_isec->sclass, FILE__RENAME, &ad);
1524 if (old_is_dir && new_dir != old_dir) {
1525 rc = avc_has_perm(tsec->sid, old_isec->sid,
1526 old_isec->sclass, DIR__REPARENT, &ad);
1531 ad.u.fs.dentry = new_dentry;
1532 av = DIR__ADD_NAME | DIR__SEARCH;
1533 if (new_dentry->d_inode)
1534 av |= DIR__REMOVE_NAME;
1535 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1538 if (new_dentry->d_inode) {
1539 new_isec = new_dentry->d_inode->i_security;
1540 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1541 rc = avc_has_perm(tsec->sid, new_isec->sid,
1543 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1551 /* Check whether a task can perform a filesystem operation. */
1552 static int superblock_has_perm(struct task_struct *tsk,
1553 struct super_block *sb,
1555 struct avc_audit_data *ad)
1557 struct task_security_struct *tsec;
1558 struct superblock_security_struct *sbsec;
1560 tsec = tsk->security;
1561 sbsec = sb->s_security;
1562 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1566 /* Convert a Linux mode and permission mask to an access vector. */
1567 static inline u32 file_mask_to_av(int mode, int mask)
1571 if ((mode & S_IFMT) != S_IFDIR) {
1572 if (mask & MAY_EXEC)
1573 av |= FILE__EXECUTE;
1574 if (mask & MAY_READ)
1577 if (mask & MAY_APPEND)
1579 else if (mask & MAY_WRITE)
1583 if (mask & MAY_EXEC)
1585 if (mask & MAY_WRITE)
1587 if (mask & MAY_READ)
1594 /* Convert a Linux file to an access vector. */
1595 static inline u32 file_to_av(struct file *file)
1599 if (file->f_mode & FMODE_READ)
1601 if (file->f_mode & FMODE_WRITE) {
1602 if (file->f_flags & O_APPEND)
1611 /* Hook functions begin here. */
1613 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1615 struct task_security_struct *psec = parent->security;
1616 struct task_security_struct *csec = child->security;
1619 rc = secondary_ops->ptrace(parent,child);
1623 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1624 /* Save the SID of the tracing process for later use in apply_creds. */
1625 if (!(child->ptrace & PT_PTRACED) && !rc)
1626 csec->ptrace_sid = psec->sid;
1630 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1631 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1635 error = task_has_perm(current, target, PROCESS__GETCAP);
1639 return secondary_ops->capget(target, effective, inheritable, permitted);
1642 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1643 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1647 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1651 return task_has_perm(current, target, PROCESS__SETCAP);
1654 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1655 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1657 secondary_ops->capset_set(target, effective, inheritable, permitted);
1660 static int selinux_capable(struct task_struct *tsk, int cap)
1664 rc = secondary_ops->capable(tsk, cap);
1668 return task_has_capability(tsk,cap);
1671 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1674 char *buffer, *path, *end;
1677 buffer = (char*)__get_free_page(GFP_KERNEL);
1682 end = buffer+buflen;
1688 const char *name = table->procname;
1689 size_t namelen = strlen(name);
1690 buflen -= namelen + 1;
1694 memcpy(end, name, namelen);
1697 table = table->parent;
1703 memcpy(end, "/sys", 4);
1705 rc = security_genfs_sid("proc", path, tclass, sid);
1707 free_page((unsigned long)buffer);
1712 static int selinux_sysctl(ctl_table *table, int op)
1716 struct task_security_struct *tsec;
1720 rc = secondary_ops->sysctl(table, op);
1724 tsec = current->security;
1726 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1727 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1729 /* Default to the well-defined sysctl SID. */
1730 tsid = SECINITSID_SYSCTL;
1733 /* The op values are "defined" in sysctl.c, thereby creating
1734 * a bad coupling between this module and sysctl.c */
1736 error = avc_has_perm(tsec->sid, tsid,
1737 SECCLASS_DIR, DIR__SEARCH, NULL);
1745 error = avc_has_perm(tsec->sid, tsid,
1746 SECCLASS_FILE, av, NULL);
1752 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1765 rc = superblock_has_perm(current,
1767 FILESYSTEM__QUOTAMOD, NULL);
1772 rc = superblock_has_perm(current,
1774 FILESYSTEM__QUOTAGET, NULL);
1777 rc = 0; /* let the kernel handle invalid cmds */
1783 static int selinux_quota_on(struct dentry *dentry)
1785 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1788 static int selinux_syslog(int type)
1792 rc = secondary_ops->syslog(type);
1797 case 3: /* Read last kernel messages */
1798 case 10: /* Return size of the log buffer */
1799 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1801 case 6: /* Disable logging to console */
1802 case 7: /* Enable logging to console */
1803 case 8: /* Set level of messages printed to console */
1804 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1806 case 0: /* Close log */
1807 case 1: /* Open log */
1808 case 2: /* Read from log */
1809 case 4: /* Read/clear last kernel messages */
1810 case 5: /* Clear ring buffer */
1812 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1819 * Check that a process has enough memory to allocate a new virtual
1820 * mapping. 0 means there is enough memory for the allocation to
1821 * succeed and -ENOMEM implies there is not.
1823 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1824 * if the capability is granted, but __vm_enough_memory requires 1 if
1825 * the capability is granted.
1827 * Do not audit the selinux permission check, as this is applied to all
1828 * processes that allocate mappings.
1830 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1832 int rc, cap_sys_admin = 0;
1833 struct task_security_struct *tsec = current->security;
1835 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1837 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1838 SECCLASS_CAPABILITY,
1839 CAP_TO_MASK(CAP_SYS_ADMIN),
1846 return __vm_enough_memory(mm, pages, cap_sys_admin);
1849 /* binprm security operations */
1851 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1853 struct bprm_security_struct *bsec;
1855 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1860 bsec->sid = SECINITSID_UNLABELED;
1863 bprm->security = bsec;
1867 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1869 struct task_security_struct *tsec;
1870 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1871 struct inode_security_struct *isec;
1872 struct bprm_security_struct *bsec;
1874 struct avc_audit_data ad;
1877 rc = secondary_ops->bprm_set_security(bprm);
1881 bsec = bprm->security;
1886 tsec = current->security;
1887 isec = inode->i_security;
1889 /* Default to the current task SID. */
1890 bsec->sid = tsec->sid;
1892 /* Reset fs, key, and sock SIDs on execve. */
1893 tsec->create_sid = 0;
1894 tsec->keycreate_sid = 0;
1895 tsec->sockcreate_sid = 0;
1897 if (tsec->exec_sid) {
1898 newsid = tsec->exec_sid;
1899 /* Reset exec SID on execve. */
1902 /* Check for a default transition on this program. */
1903 rc = security_transition_sid(tsec->sid, isec->sid,
1904 SECCLASS_PROCESS, &newsid);
1909 AVC_AUDIT_DATA_INIT(&ad, FS);
1910 ad.u.fs.mnt = bprm->file->f_path.mnt;
1911 ad.u.fs.dentry = bprm->file->f_path.dentry;
1913 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1916 if (tsec->sid == newsid) {
1917 rc = avc_has_perm(tsec->sid, isec->sid,
1918 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1922 /* Check permissions for the transition. */
1923 rc = avc_has_perm(tsec->sid, newsid,
1924 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1928 rc = avc_has_perm(newsid, isec->sid,
1929 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1933 /* Clear any possibly unsafe personality bits on exec: */
1934 current->personality &= ~PER_CLEAR_ON_SETID;
1936 /* Set the security field to the new SID. */
1944 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1946 return secondary_ops->bprm_check_security(bprm);
1950 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1952 struct task_security_struct *tsec = current->security;
1955 if (tsec->osid != tsec->sid) {
1956 /* Enable secure mode for SIDs transitions unless
1957 the noatsecure permission is granted between
1958 the two SIDs, i.e. ahp returns 0. */
1959 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1961 PROCESS__NOATSECURE, NULL);
1964 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1967 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1969 kfree(bprm->security);
1970 bprm->security = NULL;
1973 extern struct vfsmount *selinuxfs_mount;
1974 extern struct dentry *selinux_null;
1976 /* Derived from fs/exec.c:flush_old_files. */
1977 static inline void flush_unauthorized_files(struct files_struct * files)
1979 struct avc_audit_data ad;
1980 struct file *file, *devnull = NULL;
1981 struct tty_struct *tty;
1982 struct fdtable *fdt;
1986 mutex_lock(&tty_mutex);
1987 tty = get_current_tty();
1990 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1992 /* Revalidate access to controlling tty.
1993 Use inode_has_perm on the tty inode directly rather
1994 than using file_has_perm, as this particular open
1995 file may belong to another process and we are only
1996 interested in the inode-based check here. */
1997 struct inode *inode = file->f_path.dentry->d_inode;
1998 if (inode_has_perm(current, inode,
1999 FILE__READ | FILE__WRITE, NULL)) {
2005 mutex_unlock(&tty_mutex);
2006 /* Reset controlling tty. */
2010 /* Revalidate access to inherited open files. */
2012 AVC_AUDIT_DATA_INIT(&ad,FS);
2014 spin_lock(&files->file_lock);
2016 unsigned long set, i;
2021 fdt = files_fdtable(files);
2022 if (i >= fdt->max_fds)
2024 set = fdt->open_fds->fds_bits[j];
2027 spin_unlock(&files->file_lock);
2028 for ( ; set ; i++,set >>= 1) {
2033 if (file_has_perm(current,
2035 file_to_av(file))) {
2037 fd = get_unused_fd();
2047 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2048 if (IS_ERR(devnull)) {
2055 fd_install(fd, devnull);
2060 spin_lock(&files->file_lock);
2063 spin_unlock(&files->file_lock);
2066 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2068 struct task_security_struct *tsec;
2069 struct bprm_security_struct *bsec;
2073 secondary_ops->bprm_apply_creds(bprm, unsafe);
2075 tsec = current->security;
2077 bsec = bprm->security;
2080 tsec->osid = tsec->sid;
2082 if (tsec->sid != sid) {
2083 /* Check for shared state. If not ok, leave SID
2084 unchanged and kill. */
2085 if (unsafe & LSM_UNSAFE_SHARE) {
2086 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2087 PROCESS__SHARE, NULL);
2094 /* Check for ptracing, and update the task SID if ok.
2095 Otherwise, leave SID unchanged and kill. */
2096 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2097 rc = avc_has_perm(tsec->ptrace_sid, sid,
2098 SECCLASS_PROCESS, PROCESS__PTRACE,
2110 * called after apply_creds without the task lock held
2112 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2114 struct task_security_struct *tsec;
2115 struct rlimit *rlim, *initrlim;
2116 struct itimerval itimer;
2117 struct bprm_security_struct *bsec;
2120 tsec = current->security;
2121 bsec = bprm->security;
2124 force_sig_specific(SIGKILL, current);
2127 if (tsec->osid == tsec->sid)
2130 /* Close files for which the new task SID is not authorized. */
2131 flush_unauthorized_files(current->files);
2133 /* Check whether the new SID can inherit signal state
2134 from the old SID. If not, clear itimers to avoid
2135 subsequent signal generation and flush and unblock
2136 signals. This must occur _after_ the task SID has
2137 been updated so that any kill done after the flush
2138 will be checked against the new SID. */
2139 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2140 PROCESS__SIGINH, NULL);
2142 memset(&itimer, 0, sizeof itimer);
2143 for (i = 0; i < 3; i++)
2144 do_setitimer(i, &itimer, NULL);
2145 flush_signals(current);
2146 spin_lock_irq(¤t->sighand->siglock);
2147 flush_signal_handlers(current, 1);
2148 sigemptyset(¤t->blocked);
2149 recalc_sigpending();
2150 spin_unlock_irq(¤t->sighand->siglock);
2153 /* Always clear parent death signal on SID transitions. */
2154 current->pdeath_signal = 0;
2156 /* Check whether the new SID can inherit resource limits
2157 from the old SID. If not, reset all soft limits to
2158 the lower of the current task's hard limit and the init
2159 task's soft limit. Note that the setting of hard limits
2160 (even to lower them) can be controlled by the setrlimit
2161 check. The inclusion of the init task's soft limit into
2162 the computation is to avoid resetting soft limits higher
2163 than the default soft limit for cases where the default
2164 is lower than the hard limit, e.g. RLIMIT_CORE or
2166 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2167 PROCESS__RLIMITINH, NULL);
2169 for (i = 0; i < RLIM_NLIMITS; i++) {
2170 rlim = current->signal->rlim + i;
2171 initrlim = init_task.signal->rlim+i;
2172 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2174 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2176 * This will cause RLIMIT_CPU calculations
2179 current->it_prof_expires = jiffies_to_cputime(1);
2183 /* Wake up the parent if it is waiting so that it can
2184 recheck wait permission to the new task SID. */
2185 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2188 /* superblock security operations */
2190 static int selinux_sb_alloc_security(struct super_block *sb)
2192 return superblock_alloc_security(sb);
2195 static void selinux_sb_free_security(struct super_block *sb)
2197 superblock_free_security(sb);
2200 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2205 return !memcmp(prefix, option, plen);
2208 static inline int selinux_option(char *option, int len)
2210 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2211 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2212 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2213 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2216 static inline void take_option(char **to, char *from, int *first, int len)
2223 memcpy(*to, from, len);
2227 static inline void take_selinux_option(char **to, char *from, int *first,
2230 int current_size = 0;
2239 while (current_size < len) {
2249 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
2251 int fnosec, fsec, rc = 0;
2252 char *in_save, *in_curr, *in_end;
2253 char *sec_curr, *nosec_save, *nosec;
2259 /* Binary mount data: just copy */
2260 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2261 copy_page(sec_curr, in_curr);
2265 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2273 in_save = in_end = orig;
2277 open_quote = !open_quote;
2278 if ((*in_end == ',' && open_quote == 0) ||
2280 int len = in_end - in_curr;
2282 if (selinux_option(in_curr, len))
2283 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2285 take_option(&nosec, in_curr, &fnosec, len);
2287 in_curr = in_end + 1;
2289 } while (*in_end++);
2291 strcpy(in_save, nosec_save);
2292 free_page((unsigned long)nosec_save);
2297 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2299 struct avc_audit_data ad;
2302 rc = superblock_doinit(sb, data);
2306 AVC_AUDIT_DATA_INIT(&ad,FS);
2307 ad.u.fs.dentry = sb->s_root;
2308 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2311 static int selinux_sb_statfs(struct dentry *dentry)
2313 struct avc_audit_data ad;
2315 AVC_AUDIT_DATA_INIT(&ad,FS);
2316 ad.u.fs.dentry = dentry->d_sb->s_root;
2317 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2320 static int selinux_mount(char * dev_name,
2321 struct nameidata *nd,
2323 unsigned long flags,
2328 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2332 if (flags & MS_REMOUNT)
2333 return superblock_has_perm(current, nd->mnt->mnt_sb,
2334 FILESYSTEM__REMOUNT, NULL);
2336 return dentry_has_perm(current, nd->mnt, nd->dentry,
2340 static int selinux_umount(struct vfsmount *mnt, int flags)
2344 rc = secondary_ops->sb_umount(mnt, flags);
2348 return superblock_has_perm(current,mnt->mnt_sb,
2349 FILESYSTEM__UNMOUNT,NULL);
2352 /* inode security operations */
2354 static int selinux_inode_alloc_security(struct inode *inode)
2356 return inode_alloc_security(inode);
2359 static void selinux_inode_free_security(struct inode *inode)
2361 inode_free_security(inode);
2364 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2365 char **name, void **value,
2368 struct task_security_struct *tsec;
2369 struct inode_security_struct *dsec;
2370 struct superblock_security_struct *sbsec;
2373 char *namep = NULL, *context;
2375 tsec = current->security;
2376 dsec = dir->i_security;
2377 sbsec = dir->i_sb->s_security;
2379 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2380 newsid = tsec->create_sid;
2382 rc = security_transition_sid(tsec->sid, dsec->sid,
2383 inode_mode_to_security_class(inode->i_mode),
2386 printk(KERN_WARNING "%s: "
2387 "security_transition_sid failed, rc=%d (dev=%s "
2390 -rc, inode->i_sb->s_id, inode->i_ino);
2395 /* Possibly defer initialization to selinux_complete_init. */
2396 if (sbsec->initialized) {
2397 struct inode_security_struct *isec = inode->i_security;
2398 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2400 isec->initialized = 1;
2403 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2407 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2414 rc = security_sid_to_context(newsid, &context, &clen);
2426 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2428 return may_create(dir, dentry, SECCLASS_FILE);
2431 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2435 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2438 return may_link(dir, old_dentry, MAY_LINK);
2441 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2445 rc = secondary_ops->inode_unlink(dir, dentry);
2448 return may_link(dir, dentry, MAY_UNLINK);
2451 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2453 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2456 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2458 return may_create(dir, dentry, SECCLASS_DIR);
2461 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2463 return may_link(dir, dentry, MAY_RMDIR);
2466 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2470 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2474 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2477 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2478 struct inode *new_inode, struct dentry *new_dentry)
2480 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2483 static int selinux_inode_readlink(struct dentry *dentry)
2485 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2488 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2492 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2495 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2498 static int selinux_inode_permission(struct inode *inode, int mask,
2499 struct nameidata *nd)
2503 rc = secondary_ops->inode_permission(inode, mask, nd);
2508 /* No permission to check. Existence test. */
2512 return inode_has_perm(current, inode,
2513 file_mask_to_av(inode->i_mode, mask), NULL);
2516 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2520 rc = secondary_ops->inode_setattr(dentry, iattr);
2524 if (iattr->ia_valid & ATTR_FORCE)
2527 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2528 ATTR_ATIME_SET | ATTR_MTIME_SET))
2529 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2531 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2534 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2536 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2539 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2541 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2542 sizeof XATTR_SECURITY_PREFIX - 1)) {
2543 if (!strcmp(name, XATTR_NAME_CAPS)) {
2544 if (!capable(CAP_SETFCAP))
2546 } else if (!capable(CAP_SYS_ADMIN)) {
2547 /* A different attribute in the security namespace.
2548 Restrict to administrator. */
2553 /* Not an attribute we recognize, so just check the
2554 ordinary setattr permission. */
2555 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2558 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2560 struct task_security_struct *tsec = current->security;
2561 struct inode *inode = dentry->d_inode;
2562 struct inode_security_struct *isec = inode->i_security;
2563 struct superblock_security_struct *sbsec;
2564 struct avc_audit_data ad;
2568 if (strcmp(name, XATTR_NAME_SELINUX))
2569 return selinux_inode_setotherxattr(dentry, name);
2571 sbsec = inode->i_sb->s_security;
2572 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2575 if (!is_owner_or_cap(inode))
2578 AVC_AUDIT_DATA_INIT(&ad,FS);
2579 ad.u.fs.dentry = dentry;
2581 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2582 FILE__RELABELFROM, &ad);
2586 rc = security_context_to_sid(value, size, &newsid);
2590 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2591 FILE__RELABELTO, &ad);
2595 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2600 return avc_has_perm(newsid,
2602 SECCLASS_FILESYSTEM,
2603 FILESYSTEM__ASSOCIATE,
2607 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2608 void *value, size_t size, int flags)
2610 struct inode *inode = dentry->d_inode;
2611 struct inode_security_struct *isec = inode->i_security;
2615 if (strcmp(name, XATTR_NAME_SELINUX)) {
2616 /* Not an attribute we recognize, so nothing to do. */
2620 rc = security_context_to_sid(value, size, &newsid);
2622 printk(KERN_WARNING "%s: unable to obtain SID for context "
2623 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2631 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2633 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2636 static int selinux_inode_listxattr (struct dentry *dentry)
2638 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2641 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2643 if (strcmp(name, XATTR_NAME_SELINUX))
2644 return selinux_inode_setotherxattr(dentry, name);
2646 /* No one is allowed to remove a SELinux security label.
2647 You can change the label, but all data must be labeled. */
2652 * Copy the in-core inode security context value to the user. If the
2653 * getxattr() prior to this succeeded, check to see if we need to
2654 * canonicalize the value to be finally returned to the user.
2656 * Permission check is handled by selinux_inode_getxattr hook.
2658 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2660 struct inode_security_struct *isec = inode->i_security;
2662 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2665 return selinux_getsecurity(isec->sid, buffer, size);
2668 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2669 const void *value, size_t size, int flags)
2671 struct inode_security_struct *isec = inode->i_security;
2675 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2678 if (!value || !size)
2681 rc = security_context_to_sid((void*)value, size, &newsid);
2689 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2691 const int len = sizeof(XATTR_NAME_SELINUX);
2692 if (buffer && len <= buffer_size)
2693 memcpy(buffer, XATTR_NAME_SELINUX, len);
2697 static int selinux_inode_need_killpriv(struct dentry *dentry)
2699 return secondary_ops->inode_need_killpriv(dentry);
2702 static int selinux_inode_killpriv(struct dentry *dentry)
2704 return secondary_ops->inode_killpriv(dentry);
2707 /* file security operations */
2709 static int selinux_revalidate_file_permission(struct file *file, int mask)
2712 struct inode *inode = file->f_path.dentry->d_inode;
2715 /* No permission to check. Existence test. */
2719 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2720 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2723 rc = file_has_perm(current, file,
2724 file_mask_to_av(inode->i_mode, mask));
2728 return selinux_netlbl_inode_permission(inode, mask);
2731 static int selinux_file_permission(struct file *file, int mask)
2733 struct inode *inode = file->f_path.dentry->d_inode;
2734 struct task_security_struct *tsec = current->security;
2735 struct file_security_struct *fsec = file->f_security;
2736 struct inode_security_struct *isec = inode->i_security;
2739 /* No permission to check. Existence test. */
2743 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2744 && fsec->pseqno == avc_policy_seqno())
2745 return selinux_netlbl_inode_permission(inode, mask);
2747 return selinux_revalidate_file_permission(file, mask);
2750 static int selinux_file_alloc_security(struct file *file)
2752 return file_alloc_security(file);
2755 static void selinux_file_free_security(struct file *file)
2757 file_free_security(file);
2760 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2772 case EXT2_IOC_GETFLAGS:
2774 case EXT2_IOC_GETVERSION:
2775 error = file_has_perm(current, file, FILE__GETATTR);
2778 case EXT2_IOC_SETFLAGS:
2780 case EXT2_IOC_SETVERSION:
2781 error = file_has_perm(current, file, FILE__SETATTR);
2784 /* sys_ioctl() checks */
2788 error = file_has_perm(current, file, 0);
2793 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2796 /* default case assumes that the command will go
2797 * to the file's ioctl() function.
2800 error = file_has_perm(current, file, FILE__IOCTL);
2806 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2808 #ifndef CONFIG_PPC32
2809 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2811 * We are making executable an anonymous mapping or a
2812 * private file mapping that will also be writable.
2813 * This has an additional check.
2815 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2822 /* read access is always possible with a mapping */
2823 u32 av = FILE__READ;
2825 /* write access only matters if the mapping is shared */
2826 if (shared && (prot & PROT_WRITE))
2829 if (prot & PROT_EXEC)
2830 av |= FILE__EXECUTE;
2832 return file_has_perm(current, file, av);
2837 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2838 unsigned long prot, unsigned long flags,
2839 unsigned long addr, unsigned long addr_only)
2842 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2844 if (addr < mmap_min_addr)
2845 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2846 MEMPROTECT__MMAP_ZERO, NULL);
2847 if (rc || addr_only)
2850 if (selinux_checkreqprot)
2853 return file_map_prot_check(file, prot,
2854 (flags & MAP_TYPE) == MAP_SHARED);
2857 static int selinux_file_mprotect(struct vm_area_struct *vma,
2858 unsigned long reqprot,
2863 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2867 if (selinux_checkreqprot)
2870 #ifndef CONFIG_PPC32
2871 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2873 if (vma->vm_start >= vma->vm_mm->start_brk &&
2874 vma->vm_end <= vma->vm_mm->brk) {
2875 rc = task_has_perm(current, current,
2877 } else if (!vma->vm_file &&
2878 vma->vm_start <= vma->vm_mm->start_stack &&
2879 vma->vm_end >= vma->vm_mm->start_stack) {
2880 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2881 } else if (vma->vm_file && vma->anon_vma) {
2883 * We are making executable a file mapping that has
2884 * had some COW done. Since pages might have been
2885 * written, check ability to execute the possibly
2886 * modified content. This typically should only
2887 * occur for text relocations.
2889 rc = file_has_perm(current, vma->vm_file,
2897 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2900 static int selinux_file_lock(struct file *file, unsigned int cmd)
2902 return file_has_perm(current, file, FILE__LOCK);
2905 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2912 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2917 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2918 err = file_has_perm(current, file,FILE__WRITE);
2927 /* Just check FD__USE permission */
2928 err = file_has_perm(current, file, 0);
2933 #if BITS_PER_LONG == 32
2938 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2942 err = file_has_perm(current, file, FILE__LOCK);
2949 static int selinux_file_set_fowner(struct file *file)
2951 struct task_security_struct *tsec;
2952 struct file_security_struct *fsec;
2954 tsec = current->security;
2955 fsec = file->f_security;
2956 fsec->fown_sid = tsec->sid;
2961 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2962 struct fown_struct *fown, int signum)
2966 struct task_security_struct *tsec;
2967 struct file_security_struct *fsec;
2969 /* struct fown_struct is never outside the context of a struct file */
2970 file = container_of(fown, struct file, f_owner);
2972 tsec = tsk->security;
2973 fsec = file->f_security;
2976 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2978 perm = signal_to_av(signum);
2980 return avc_has_perm(fsec->fown_sid, tsec->sid,
2981 SECCLASS_PROCESS, perm, NULL);
2984 static int selinux_file_receive(struct file *file)
2986 return file_has_perm(current, file, file_to_av(file));
2989 static int selinux_dentry_open(struct file *file)
2991 struct file_security_struct *fsec;
2992 struct inode *inode;
2993 struct inode_security_struct *isec;
2994 inode = file->f_path.dentry->d_inode;
2995 fsec = file->f_security;
2996 isec = inode->i_security;
2998 * Save inode label and policy sequence number
2999 * at open-time so that selinux_file_permission
3000 * can determine whether revalidation is necessary.
3001 * Task label is already saved in the file security
3002 * struct as its SID.
3004 fsec->isid = isec->sid;
3005 fsec->pseqno = avc_policy_seqno();
3007 * Since the inode label or policy seqno may have changed
3008 * between the selinux_inode_permission check and the saving
3009 * of state above, recheck that access is still permitted.
3010 * Otherwise, access might never be revalidated against the
3011 * new inode label or new policy.
3012 * This check is not redundant - do not remove.
3014 return inode_has_perm(current, inode, file_to_av(file), NULL);
3017 /* task security operations */
3019 static int selinux_task_create(unsigned long clone_flags)
3023 rc = secondary_ops->task_create(clone_flags);
3027 return task_has_perm(current, current, PROCESS__FORK);
3030 static int selinux_task_alloc_security(struct task_struct *tsk)
3032 struct task_security_struct *tsec1, *tsec2;
3035 tsec1 = current->security;
3037 rc = task_alloc_security(tsk);
3040 tsec2 = tsk->security;
3042 tsec2->osid = tsec1->osid;
3043 tsec2->sid = tsec1->sid;
3045 /* Retain the exec, fs, key, and sock SIDs across fork */
3046 tsec2->exec_sid = tsec1->exec_sid;
3047 tsec2->create_sid = tsec1->create_sid;
3048 tsec2->keycreate_sid = tsec1->keycreate_sid;
3049 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3051 /* Retain ptracer SID across fork, if any.
3052 This will be reset by the ptrace hook upon any
3053 subsequent ptrace_attach operations. */
3054 tsec2->ptrace_sid = tsec1->ptrace_sid;
3059 static void selinux_task_free_security(struct task_struct *tsk)
3061 task_free_security(tsk);
3064 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3066 /* Since setuid only affects the current process, and
3067 since the SELinux controls are not based on the Linux
3068 identity attributes, SELinux does not need to control
3069 this operation. However, SELinux does control the use
3070 of the CAP_SETUID and CAP_SETGID capabilities using the
3075 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3077 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3080 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3082 /* See the comment for setuid above. */
3086 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3088 return task_has_perm(current, p, PROCESS__SETPGID);
3091 static int selinux_task_getpgid(struct task_struct *p)
3093 return task_has_perm(current, p, PROCESS__GETPGID);
3096 static int selinux_task_getsid(struct task_struct *p)
3098 return task_has_perm(current, p, PROCESS__GETSESSION);
3101 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3103 selinux_get_task_sid(p, secid);
3106 static int selinux_task_setgroups(struct group_info *group_info)
3108 /* See the comment for setuid above. */
3112 static int selinux_task_setnice(struct task_struct *p, int nice)
3116 rc = secondary_ops->task_setnice(p, nice);
3120 return task_has_perm(current,p, PROCESS__SETSCHED);
3123 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3127 rc = secondary_ops->task_setioprio(p, ioprio);
3131 return task_has_perm(current, p, PROCESS__SETSCHED);
3134 static int selinux_task_getioprio(struct task_struct *p)
3136 return task_has_perm(current, p, PROCESS__GETSCHED);
3139 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3141 struct rlimit *old_rlim = current->signal->rlim + resource;
3144 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3148 /* Control the ability to change the hard limit (whether
3149 lowering or raising it), so that the hard limit can
3150 later be used as a safe reset point for the soft limit
3151 upon context transitions. See selinux_bprm_apply_creds. */
3152 if (old_rlim->rlim_max != new_rlim->rlim_max)
3153 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3158 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3162 rc = secondary_ops->task_setscheduler(p, policy, lp);
3166 return task_has_perm(current, p, PROCESS__SETSCHED);
3169 static int selinux_task_getscheduler(struct task_struct *p)
3171 return task_has_perm(current, p, PROCESS__GETSCHED);
3174 static int selinux_task_movememory(struct task_struct *p)
3176 return task_has_perm(current, p, PROCESS__SETSCHED);
3179 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3184 struct task_security_struct *tsec;
3186 rc = secondary_ops->task_kill(p, info, sig, secid);
3190 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3194 perm = PROCESS__SIGNULL; /* null signal; existence test */
3196 perm = signal_to_av(sig);
3199 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3201 rc = task_has_perm(current, p, perm);
3205 static int selinux_task_prctl(int option,
3211 /* The current prctl operations do not appear to require
3212 any SELinux controls since they merely observe or modify
3213 the state of the current process. */
3217 static int selinux_task_wait(struct task_struct *p)
3219 return task_has_perm(p, current, PROCESS__SIGCHLD);
3222 static void selinux_task_reparent_to_init(struct task_struct *p)
3224 struct task_security_struct *tsec;
3226 secondary_ops->task_reparent_to_init(p);
3229 tsec->osid = tsec->sid;
3230 tsec->sid = SECINITSID_KERNEL;
3234 static void selinux_task_to_inode(struct task_struct *p,
3235 struct inode *inode)
3237 struct task_security_struct *tsec = p->security;
3238 struct inode_security_struct *isec = inode->i_security;
3240 isec->sid = tsec->sid;
3241 isec->initialized = 1;
3245 /* Returns error only if unable to parse addresses */
3246 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3247 struct avc_audit_data *ad, u8 *proto)
3249 int offset, ihlen, ret = -EINVAL;
3250 struct iphdr _iph, *ih;
3252 offset = skb_network_offset(skb);
3253 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3257 ihlen = ih->ihl * 4;
3258 if (ihlen < sizeof(_iph))
3261 ad->u.net.v4info.saddr = ih->saddr;
3262 ad->u.net.v4info.daddr = ih->daddr;
3266 *proto = ih->protocol;
3268 switch (ih->protocol) {
3270 struct tcphdr _tcph, *th;
3272 if (ntohs(ih->frag_off) & IP_OFFSET)
3276 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3280 ad->u.net.sport = th->source;
3281 ad->u.net.dport = th->dest;
3286 struct udphdr _udph, *uh;
3288 if (ntohs(ih->frag_off) & IP_OFFSET)
3292 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3296 ad->u.net.sport = uh->source;
3297 ad->u.net.dport = uh->dest;
3301 case IPPROTO_DCCP: {
3302 struct dccp_hdr _dccph, *dh;
3304 if (ntohs(ih->frag_off) & IP_OFFSET)
3308 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3312 ad->u.net.sport = dh->dccph_sport;
3313 ad->u.net.dport = dh->dccph_dport;
3324 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3326 /* Returns error only if unable to parse addresses */
3327 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3328 struct avc_audit_data *ad, u8 *proto)
3331 int ret = -EINVAL, offset;
3332 struct ipv6hdr _ipv6h, *ip6;
3334 offset = skb_network_offset(skb);
3335 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3339 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3340 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3343 nexthdr = ip6->nexthdr;
3344 offset += sizeof(_ipv6h);
3345 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3354 struct tcphdr _tcph, *th;
3356 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3360 ad->u.net.sport = th->source;
3361 ad->u.net.dport = th->dest;
3366 struct udphdr _udph, *uh;
3368 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3372 ad->u.net.sport = uh->source;
3373 ad->u.net.dport = uh->dest;
3377 case IPPROTO_DCCP: {
3378 struct dccp_hdr _dccph, *dh;
3380 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3384 ad->u.net.sport = dh->dccph_sport;
3385 ad->u.net.dport = dh->dccph_dport;
3389 /* includes fragments */
3399 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3400 char **addrp, int src, u8 *proto)
3404 switch (ad->u.net.family) {
3406 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3409 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3410 &ad->u.net.v4info.daddr);
3413 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3415 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3418 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3419 &ad->u.net.v6info.daddr);
3430 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3432 * @family: protocol family
3433 * @sid: the packet's peer label SID
3436 * Check the various different forms of network peer labeling and determine
3437 * the peer label/SID for the packet; most of the magic actually occurs in
3438 * the security server function security_net_peersid_cmp(). The function
3439 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3440 * or -EACCES if @sid is invalid due to inconsistencies with the different
3444 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3450 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3451 selinux_netlbl_skbuff_getsid(skb,
3457 if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
3465 /* socket security operations */
3466 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3469 struct inode_security_struct *isec;
3470 struct task_security_struct *tsec;
3471 struct avc_audit_data ad;
3474 tsec = task->security;
3475 isec = SOCK_INODE(sock)->i_security;
3477 if (isec->sid == SECINITSID_KERNEL)
3480 AVC_AUDIT_DATA_INIT(&ad,NET);
3481 ad.u.net.sk = sock->sk;
3482 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3488 static int selinux_socket_create(int family, int type,
3489 int protocol, int kern)
3492 struct task_security_struct *tsec;
3498 tsec = current->security;
3499 newsid = tsec->sockcreate_sid ? : tsec->sid;
3500 err = avc_has_perm(tsec->sid, newsid,
3501 socket_type_to_security_class(family, type,
3502 protocol), SOCKET__CREATE, NULL);
3508 static int selinux_socket_post_create(struct socket *sock, int family,
3509 int type, int protocol, int kern)
3512 struct inode_security_struct *isec;
3513 struct task_security_struct *tsec;
3514 struct sk_security_struct *sksec;
3517 isec = SOCK_INODE(sock)->i_security;
3519 tsec = current->security;
3520 newsid = tsec->sockcreate_sid ? : tsec->sid;
3521 isec->sclass = socket_type_to_security_class(family, type, protocol);
3522 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3523 isec->initialized = 1;
3526 sksec = sock->sk->sk_security;
3527 sksec->sid = isec->sid;
3528 sksec->sclass = isec->sclass;
3529 err = selinux_netlbl_socket_post_create(sock);
3535 /* Range of port numbers used to automatically bind.
3536 Need to determine whether we should perform a name_bind
3537 permission check between the socket and the port number. */
3539 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3544 err = socket_has_perm(current, sock, SOCKET__BIND);
3549 * If PF_INET or PF_INET6, check name_bind permission for the port.
3550 * Multiple address binding for SCTP is not supported yet: we just
3551 * check the first address now.
3553 family = sock->sk->sk_family;
3554 if (family == PF_INET || family == PF_INET6) {
3556 struct inode_security_struct *isec;
3557 struct task_security_struct *tsec;
3558 struct avc_audit_data ad;
3559 struct sockaddr_in *addr4 = NULL;
3560 struct sockaddr_in6 *addr6 = NULL;
3561 unsigned short snum;
3562 struct sock *sk = sock->sk;
3563 u32 sid, node_perm, addrlen;
3565 tsec = current->security;
3566 isec = SOCK_INODE(sock)->i_security;
3568 if (family == PF_INET) {
3569 addr4 = (struct sockaddr_in *)address;
3570 snum = ntohs(addr4->sin_port);
3571 addrlen = sizeof(addr4->sin_addr.s_addr);
3572 addrp = (char *)&addr4->sin_addr.s_addr;
3574 addr6 = (struct sockaddr_in6 *)address;
3575 snum = ntohs(addr6->sin6_port);
3576 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3577 addrp = (char *)&addr6->sin6_addr.s6_addr;
3583 inet_get_local_port_range(&low, &high);
3585 if (snum < max(PROT_SOCK, low) || snum > high) {
3586 err = security_port_sid(sk->sk_family,
3588 sk->sk_protocol, snum,
3592 AVC_AUDIT_DATA_INIT(&ad,NET);
3593 ad.u.net.sport = htons(snum);
3594 ad.u.net.family = family;
3595 err = avc_has_perm(isec->sid, sid,
3597 SOCKET__NAME_BIND, &ad);
3603 switch(isec->sclass) {
3604 case SECCLASS_TCP_SOCKET:
3605 node_perm = TCP_SOCKET__NODE_BIND;
3608 case SECCLASS_UDP_SOCKET:
3609 node_perm = UDP_SOCKET__NODE_BIND;
3612 case SECCLASS_DCCP_SOCKET:
3613 node_perm = DCCP_SOCKET__NODE_BIND;
3617 node_perm = RAWIP_SOCKET__NODE_BIND;
3621 err = sel_netnode_sid(addrp, family, &sid);
3625 AVC_AUDIT_DATA_INIT(&ad,NET);
3626 ad.u.net.sport = htons(snum);
3627 ad.u.net.family = family;
3629 if (family == PF_INET)
3630 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3632 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3634 err = avc_has_perm(isec->sid, sid,
3635 isec->sclass, node_perm, &ad);
3643 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3645 struct inode_security_struct *isec;
3648 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3653 * If a TCP or DCCP socket, check name_connect permission for the port.
3655 isec = SOCK_INODE(sock)->i_security;
3656 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3657 isec->sclass == SECCLASS_DCCP_SOCKET) {
3658 struct sock *sk = sock->sk;
3659 struct avc_audit_data ad;
3660 struct sockaddr_in *addr4 = NULL;
3661 struct sockaddr_in6 *addr6 = NULL;
3662 unsigned short snum;
3665 if (sk->sk_family == PF_INET) {
3666 addr4 = (struct sockaddr_in *)address;
3667 if (addrlen < sizeof(struct sockaddr_in))
3669 snum = ntohs(addr4->sin_port);
3671 addr6 = (struct sockaddr_in6 *)address;
3672 if (addrlen < SIN6_LEN_RFC2133)
3674 snum = ntohs(addr6->sin6_port);
3677 err = security_port_sid(sk->sk_family, sk->sk_type,
3678 sk->sk_protocol, snum, &sid);
3682 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3683 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3685 AVC_AUDIT_DATA_INIT(&ad,NET);
3686 ad.u.net.dport = htons(snum);
3687 ad.u.net.family = sk->sk_family;
3688 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3697 static int selinux_socket_listen(struct socket *sock, int backlog)
3699 return socket_has_perm(current, sock, SOCKET__LISTEN);
3702 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3705 struct inode_security_struct *isec;
3706 struct inode_security_struct *newisec;
3708 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3712 newisec = SOCK_INODE(newsock)->i_security;
3714 isec = SOCK_INODE(sock)->i_security;
3715 newisec->sclass = isec->sclass;
3716 newisec->sid = isec->sid;
3717 newisec->initialized = 1;
3722 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3727 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3731 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3734 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3735 int size, int flags)
3737 return socket_has_perm(current, sock, SOCKET__READ);
3740 static int selinux_socket_getsockname(struct socket *sock)
3742 return socket_has_perm(current, sock, SOCKET__GETATTR);
3745 static int selinux_socket_getpeername(struct socket *sock)
3747 return socket_has_perm(current, sock, SOCKET__GETATTR);
3750 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3754 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3758 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3761 static int selinux_socket_getsockopt(struct socket *sock, int level,
3764 return socket_has_perm(current, sock, SOCKET__GETOPT);
3767 static int selinux_socket_shutdown(struct socket *sock, int how)
3769 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3772 static int selinux_socket_unix_stream_connect(struct socket *sock,
3773 struct socket *other,
3776 struct sk_security_struct *ssec;
3777 struct inode_security_struct *isec;
3778 struct inode_security_struct *other_isec;
3779 struct avc_audit_data ad;
3782 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3786 isec = SOCK_INODE(sock)->i_security;
3787 other_isec = SOCK_INODE(other)->i_security;
3789 AVC_AUDIT_DATA_INIT(&ad,NET);
3790 ad.u.net.sk = other->sk;
3792 err = avc_has_perm(isec->sid, other_isec->sid,
3794 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3798 /* connecting socket */
3799 ssec = sock->sk->sk_security;
3800 ssec->peer_sid = other_isec->sid;
3802 /* server child socket */
3803 ssec = newsk->sk_security;
3804 ssec->peer_sid = isec->sid;
3805 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3810 static int selinux_socket_unix_may_send(struct socket *sock,
3811 struct socket *other)
3813 struct inode_security_struct *isec;
3814 struct inode_security_struct *other_isec;
3815 struct avc_audit_data ad;
3818 isec = SOCK_INODE(sock)->i_security;
3819 other_isec = SOCK_INODE(other)->i_security;
3821 AVC_AUDIT_DATA_INIT(&ad,NET);
3822 ad.u.net.sk = other->sk;
3824 err = avc_has_perm(isec->sid, other_isec->sid,
3825 isec->sclass, SOCKET__SENDTO, &ad);
3832 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3833 struct sk_buff *skb,
3834 struct avc_audit_data *ad,
3839 struct sk_security_struct *sksec = sk->sk_security;
3841 u32 netif_perm, node_perm, recv_perm;
3842 u32 port_sid, node_sid, if_sid, sk_sid;
3844 sk_sid = sksec->sid;
3845 sk_class = sksec->sclass;
3848 case SECCLASS_UDP_SOCKET:
3849 netif_perm = NETIF__UDP_RECV;
3850 node_perm = NODE__UDP_RECV;
3851 recv_perm = UDP_SOCKET__RECV_MSG;
3853 case SECCLASS_TCP_SOCKET:
3854 netif_perm = NETIF__TCP_RECV;
3855 node_perm = NODE__TCP_RECV;
3856 recv_perm = TCP_SOCKET__RECV_MSG;
3858 case SECCLASS_DCCP_SOCKET:
3859 netif_perm = NETIF__DCCP_RECV;
3860 node_perm = NODE__DCCP_RECV;
3861 recv_perm = DCCP_SOCKET__RECV_MSG;
3864 netif_perm = NETIF__RAWIP_RECV;
3865 node_perm = NODE__RAWIP_RECV;
3870 err = sel_netif_sid(skb->iif, &if_sid);
3873 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3877 err = sel_netnode_sid(addrp, family, &node_sid);
3880 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3886 err = security_port_sid(sk->sk_family, sk->sk_type,
3887 sk->sk_protocol, ntohs(ad->u.net.sport),
3891 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3894 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3895 struct avc_audit_data *ad,
3896 u16 family, char *addrp)
3899 struct sk_security_struct *sksec = sk->sk_security;
3901 u32 sk_sid = sksec->sid;
3903 if (selinux_compat_net)
3904 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3907 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3912 if (selinux_policycap_netpeer) {
3913 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3916 err = avc_has_perm(sk_sid, peer_sid,
3917 SECCLASS_PEER, PEER__RECV, ad);
3919 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3922 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3928 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3931 struct sk_security_struct *sksec = sk->sk_security;
3932 u16 family = sk->sk_family;
3933 u32 sk_sid = sksec->sid;
3935 struct avc_audit_data ad;
3938 if (family != PF_INET && family != PF_INET6)
3941 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3942 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3945 AVC_AUDIT_DATA_INIT(&ad, NET);
3946 ad.u.net.netif = skb->iif;
3947 ad.u.net.family = family;
3948 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
3952 /* If any sort of compatibility mode is enabled then handoff processing
3953 * to the selinux_sock_rcv_skb_compat() function to deal with the
3954 * special handling. We do this in an attempt to keep this function
3955 * as fast and as clean as possible. */
3956 if (selinux_compat_net || !selinux_policycap_netpeer)
3957 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
3960 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3965 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3968 return avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, PEER__RECV, &ad);
3971 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3972 int __user *optlen, unsigned len)
3977 struct sk_security_struct *ssec;
3978 struct inode_security_struct *isec;
3979 u32 peer_sid = SECSID_NULL;
3981 isec = SOCK_INODE(sock)->i_security;
3983 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
3984 isec->sclass == SECCLASS_TCP_SOCKET) {
3985 ssec = sock->sk->sk_security;
3986 peer_sid = ssec->peer_sid;
3988 if (peer_sid == SECSID_NULL) {
3993 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3998 if (scontext_len > len) {
4003 if (copy_to_user(optval, scontext, scontext_len))
4007 if (put_user(scontext_len, optlen))
4015 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4017 u32 peer_secid = SECSID_NULL;
4021 family = sock->sk->sk_family;
4022 else if (skb && skb->sk)
4023 family = skb->sk->sk_family;
4027 if (sock && family == PF_UNIX)
4028 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4030 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4033 *secid = peer_secid;
4034 if (peer_secid == SECSID_NULL)
4039 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4041 return sk_alloc_security(sk, family, priority);
4044 static void selinux_sk_free_security(struct sock *sk)
4046 sk_free_security(sk);
4049 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4051 struct sk_security_struct *ssec = sk->sk_security;
4052 struct sk_security_struct *newssec = newsk->sk_security;
4054 newssec->sid = ssec->sid;
4055 newssec->peer_sid = ssec->peer_sid;
4056 newssec->sclass = ssec->sclass;
4058 selinux_netlbl_sk_security_clone(ssec, newssec);
4061 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4064 *secid = SECINITSID_ANY_SOCKET;
4066 struct sk_security_struct *sksec = sk->sk_security;
4068 *secid = sksec->sid;
4072 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4074 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4075 struct sk_security_struct *sksec = sk->sk_security;
4077 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4078 sk->sk_family == PF_UNIX)
4079 isec->sid = sksec->sid;
4080 sksec->sclass = isec->sclass;
4082 selinux_netlbl_sock_graft(sk, parent);
4085 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4086 struct request_sock *req)
4088 struct sk_security_struct *sksec = sk->sk_security;
4093 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4096 if (peersid == SECSID_NULL) {
4097 req->secid = sksec->sid;
4098 req->peer_secid = SECSID_NULL;
4102 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4106 req->secid = newsid;
4107 req->peer_secid = peersid;
4111 static void selinux_inet_csk_clone(struct sock *newsk,
4112 const struct request_sock *req)
4114 struct sk_security_struct *newsksec = newsk->sk_security;
4116 newsksec->sid = req->secid;
4117 newsksec->peer_sid = req->peer_secid;
4118 /* NOTE: Ideally, we should also get the isec->sid for the
4119 new socket in sync, but we don't have the isec available yet.
4120 So we will wait until sock_graft to do it, by which
4121 time it will have been created and available. */
4123 /* We don't need to take any sort of lock here as we are the only
4124 * thread with access to newsksec */
4125 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4128 static void selinux_inet_conn_established(struct sock *sk,
4129 struct sk_buff *skb)
4131 struct sk_security_struct *sksec = sk->sk_security;
4133 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4136 static void selinux_req_classify_flow(const struct request_sock *req,
4139 fl->secid = req->secid;
4142 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4146 struct nlmsghdr *nlh;
4147 struct socket *sock = sk->sk_socket;
4148 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4150 if (skb->len < NLMSG_SPACE(0)) {
4154 nlh = nlmsg_hdr(skb);
4156 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4158 if (err == -EINVAL) {
4159 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4160 "SELinux: unrecognized netlink message"
4161 " type=%hu for sclass=%hu\n",
4162 nlh->nlmsg_type, isec->sclass);
4163 if (!selinux_enforcing)
4173 err = socket_has_perm(current, sock, perm);
4178 #ifdef CONFIG_NETFILTER
4180 static int selinux_ip_postroute_last_compat(struct sock *sk,
4181 struct net_device *dev,
4182 struct avc_audit_data *ad,
4187 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
4188 struct socket *sock;
4189 struct inode *inode;
4190 struct inode_security_struct *isec;
4192 sock = sk->sk_socket;
4196 inode = SOCK_INODE(sock);
4200 isec = inode->i_security;
4202 err = sel_netif_sid(dev->ifindex, &if_sid);
4206 switch (isec->sclass) {
4207 case SECCLASS_UDP_SOCKET:
4208 netif_perm = NETIF__UDP_SEND;
4209 node_perm = NODE__UDP_SEND;
4210 send_perm = UDP_SOCKET__SEND_MSG;
4213 case SECCLASS_TCP_SOCKET:
4214 netif_perm = NETIF__TCP_SEND;
4215 node_perm = NODE__TCP_SEND;
4216 send_perm = TCP_SOCKET__SEND_MSG;
4219 case SECCLASS_DCCP_SOCKET:
4220 netif_perm = NETIF__DCCP_SEND;
4221 node_perm = NODE__DCCP_SEND;
4222 send_perm = DCCP_SOCKET__SEND_MSG;
4226 netif_perm = NETIF__RAWIP_SEND;
4227 node_perm = NODE__RAWIP_SEND;
4231 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4235 err = sel_netnode_sid(addrp, family, &node_sid);
4239 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
4246 err = security_port_sid(sk->sk_family,
4249 ntohs(ad->u.net.dport),
4254 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
4261 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
4262 struct sk_buff *skb,
4263 const struct net_device *in,
4264 const struct net_device *out,
4265 int (*okfn)(struct sk_buff *),
4271 struct avc_audit_data ad;
4272 struct net_device *dev = (struct net_device *)out;
4273 struct sk_security_struct *sksec;
4280 sksec = sk->sk_security;
4282 AVC_AUDIT_DATA_INIT(&ad, NET);
4283 ad.u.net.netif = dev->ifindex;
4284 ad.u.net.family = family;
4286 err = selinux_parse_skb(skb, &ad, &addrp, 0, &proto);
4290 if (selinux_compat_net)
4291 err = selinux_ip_postroute_last_compat(sk, dev, &ad,
4294 err = avc_has_perm(sksec->sid, skb->secmark, SECCLASS_PACKET,
4300 err = selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto);
4302 return err ? NF_DROP : NF_ACCEPT;
4305 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
4306 struct sk_buff *skb,
4307 const struct net_device *in,
4308 const struct net_device *out,
4309 int (*okfn)(struct sk_buff *))
4311 return selinux_ip_postroute_last(hooknum, skb, in, out, okfn, PF_INET);
4314 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4316 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
4317 struct sk_buff *skb,
4318 const struct net_device *in,
4319 const struct net_device *out,
4320 int (*okfn)(struct sk_buff *))
4322 return selinux_ip_postroute_last(hooknum, skb, in, out, okfn, PF_INET6);
4327 #endif /* CONFIG_NETFILTER */
4329 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4333 err = secondary_ops->netlink_send(sk, skb);
4337 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4338 err = selinux_nlmsg_perm(sk, skb);
4343 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4346 struct avc_audit_data ad;
4348 err = secondary_ops->netlink_recv(skb, capability);
4352 AVC_AUDIT_DATA_INIT(&ad, CAP);
4353 ad.u.cap = capability;
4355 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4356 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4359 static int ipc_alloc_security(struct task_struct *task,
4360 struct kern_ipc_perm *perm,
4363 struct task_security_struct *tsec = task->security;
4364 struct ipc_security_struct *isec;
4366 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4370 isec->sclass = sclass;
4371 isec->ipc_perm = perm;
4372 isec->sid = tsec->sid;
4373 perm->security = isec;
4378 static void ipc_free_security(struct kern_ipc_perm *perm)
4380 struct ipc_security_struct *isec = perm->security;
4381 perm->security = NULL;
4385 static int msg_msg_alloc_security(struct msg_msg *msg)
4387 struct msg_security_struct *msec;
4389 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4394 msec->sid = SECINITSID_UNLABELED;
4395 msg->security = msec;
4400 static void msg_msg_free_security(struct msg_msg *msg)
4402 struct msg_security_struct *msec = msg->security;
4404 msg->security = NULL;
4408 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4411 struct task_security_struct *tsec;
4412 struct ipc_security_struct *isec;
4413 struct avc_audit_data ad;
4415 tsec = current->security;
4416 isec = ipc_perms->security;
4418 AVC_AUDIT_DATA_INIT(&ad, IPC);
4419 ad.u.ipc_id = ipc_perms->key;
4421 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4424 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4426 return msg_msg_alloc_security(msg);
4429 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4431 msg_msg_free_security(msg);
4434 /* message queue security operations */
4435 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4437 struct task_security_struct *tsec;
4438 struct ipc_security_struct *isec;
4439 struct avc_audit_data ad;
4442 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4446 tsec = current->security;
4447 isec = msq->q_perm.security;
4449 AVC_AUDIT_DATA_INIT(&ad, IPC);
4450 ad.u.ipc_id = msq->q_perm.key;
4452 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4455 ipc_free_security(&msq->q_perm);
4461 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4463 ipc_free_security(&msq->q_perm);
4466 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4468 struct task_security_struct *tsec;
4469 struct ipc_security_struct *isec;
4470 struct avc_audit_data ad;
4472 tsec = current->security;
4473 isec = msq->q_perm.security;
4475 AVC_AUDIT_DATA_INIT(&ad, IPC);
4476 ad.u.ipc_id = msq->q_perm.key;
4478 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4479 MSGQ__ASSOCIATE, &ad);
4482 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4490 /* No specific object, just general system-wide information. */
4491 return task_has_system(current, SYSTEM__IPC_INFO);
4494 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4497 perms = MSGQ__SETATTR;
4500 perms = MSGQ__DESTROY;
4506 err = ipc_has_perm(&msq->q_perm, perms);
4510 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4512 struct task_security_struct *tsec;
4513 struct ipc_security_struct *isec;
4514 struct msg_security_struct *msec;
4515 struct avc_audit_data ad;
4518 tsec = current->security;
4519 isec = msq->q_perm.security;
4520 msec = msg->security;
4523 * First time through, need to assign label to the message
4525 if (msec->sid == SECINITSID_UNLABELED) {
4527 * Compute new sid based on current process and
4528 * message queue this message will be stored in
4530 rc = security_transition_sid(tsec->sid,
4538 AVC_AUDIT_DATA_INIT(&ad, IPC);
4539 ad.u.ipc_id = msq->q_perm.key;
4541 /* Can this process write to the queue? */
4542 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4545 /* Can this process send the message */
4546 rc = avc_has_perm(tsec->sid, msec->sid,
4547 SECCLASS_MSG, MSG__SEND, &ad);
4549 /* Can the message be put in the queue? */
4550 rc = avc_has_perm(msec->sid, isec->sid,
4551 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4556 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4557 struct task_struct *target,
4558 long type, int mode)
4560 struct task_security_struct *tsec;
4561 struct ipc_security_struct *isec;
4562 struct msg_security_struct *msec;
4563 struct avc_audit_data ad;
4566 tsec = target->security;
4567 isec = msq->q_perm.security;
4568 msec = msg->security;
4570 AVC_AUDIT_DATA_INIT(&ad, IPC);
4571 ad.u.ipc_id = msq->q_perm.key;
4573 rc = avc_has_perm(tsec->sid, isec->sid,
4574 SECCLASS_MSGQ, MSGQ__READ, &ad);
4576 rc = avc_has_perm(tsec->sid, msec->sid,
4577 SECCLASS_MSG, MSG__RECEIVE, &ad);
4581 /* Shared Memory security operations */
4582 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4584 struct task_security_struct *tsec;
4585 struct ipc_security_struct *isec;
4586 struct avc_audit_data ad;
4589 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4593 tsec = current->security;
4594 isec = shp->shm_perm.security;
4596 AVC_AUDIT_DATA_INIT(&ad, IPC);
4597 ad.u.ipc_id = shp->shm_perm.key;
4599 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4602 ipc_free_security(&shp->shm_perm);
4608 static void selinux_shm_free_security(struct shmid_kernel *shp)
4610 ipc_free_security(&shp->shm_perm);
4613 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4615 struct task_security_struct *tsec;
4616 struct ipc_security_struct *isec;
4617 struct avc_audit_data ad;
4619 tsec = current->security;
4620 isec = shp->shm_perm.security;
4622 AVC_AUDIT_DATA_INIT(&ad, IPC);
4623 ad.u.ipc_id = shp->shm_perm.key;
4625 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4626 SHM__ASSOCIATE, &ad);
4629 /* Note, at this point, shp is locked down */
4630 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4638 /* No specific object, just general system-wide information. */
4639 return task_has_system(current, SYSTEM__IPC_INFO);
4642 perms = SHM__GETATTR | SHM__ASSOCIATE;
4645 perms = SHM__SETATTR;
4652 perms = SHM__DESTROY;
4658 err = ipc_has_perm(&shp->shm_perm, perms);
4662 static int selinux_shm_shmat(struct shmid_kernel *shp,
4663 char __user *shmaddr, int shmflg)
4668 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4672 if (shmflg & SHM_RDONLY)
4675 perms = SHM__READ | SHM__WRITE;
4677 return ipc_has_perm(&shp->shm_perm, perms);
4680 /* Semaphore security operations */
4681 static int selinux_sem_alloc_security(struct sem_array *sma)
4683 struct task_security_struct *tsec;
4684 struct ipc_security_struct *isec;
4685 struct avc_audit_data ad;
4688 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4692 tsec = current->security;
4693 isec = sma->sem_perm.security;
4695 AVC_AUDIT_DATA_INIT(&ad, IPC);
4696 ad.u.ipc_id = sma->sem_perm.key;
4698 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4701 ipc_free_security(&sma->sem_perm);
4707 static void selinux_sem_free_security(struct sem_array *sma)
4709 ipc_free_security(&sma->sem_perm);
4712 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4714 struct task_security_struct *tsec;
4715 struct ipc_security_struct *isec;
4716 struct avc_audit_data ad;
4718 tsec = current->security;
4719 isec = sma->sem_perm.security;
4721 AVC_AUDIT_DATA_INIT(&ad, IPC);
4722 ad.u.ipc_id = sma->sem_perm.key;
4724 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4725 SEM__ASSOCIATE, &ad);
4728 /* Note, at this point, sma is locked down */
4729 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4737 /* No specific object, just general system-wide information. */
4738 return task_has_system(current, SYSTEM__IPC_INFO);
4742 perms = SEM__GETATTR;
4753 perms = SEM__DESTROY;
4756 perms = SEM__SETATTR;
4760 perms = SEM__GETATTR | SEM__ASSOCIATE;
4766 err = ipc_has_perm(&sma->sem_perm, perms);
4770 static int selinux_sem_semop(struct sem_array *sma,
4771 struct sembuf *sops, unsigned nsops, int alter)
4776 perms = SEM__READ | SEM__WRITE;
4780 return ipc_has_perm(&sma->sem_perm, perms);
4783 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4789 av |= IPC__UNIX_READ;
4791 av |= IPC__UNIX_WRITE;
4796 return ipc_has_perm(ipcp, av);
4799 /* module stacking operations */
4800 static int selinux_register_security (const char *name, struct security_operations *ops)
4802 if (secondary_ops != original_ops) {
4803 printk(KERN_ERR "%s: There is already a secondary security "
4804 "module registered.\n", __FUNCTION__);
4808 secondary_ops = ops;
4810 printk(KERN_INFO "%s: Registering secondary module %s\n",
4817 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4820 inode_doinit_with_dentry(inode, dentry);
4823 static int selinux_getprocattr(struct task_struct *p,
4824 char *name, char **value)
4826 struct task_security_struct *tsec;
4832 error = task_has_perm(current, p, PROCESS__GETATTR);
4839 if (!strcmp(name, "current"))
4841 else if (!strcmp(name, "prev"))
4843 else if (!strcmp(name, "exec"))
4844 sid = tsec->exec_sid;
4845 else if (!strcmp(name, "fscreate"))
4846 sid = tsec->create_sid;
4847 else if (!strcmp(name, "keycreate"))
4848 sid = tsec->keycreate_sid;
4849 else if (!strcmp(name, "sockcreate"))
4850 sid = tsec->sockcreate_sid;
4857 error = security_sid_to_context(sid, value, &len);
4863 static int selinux_setprocattr(struct task_struct *p,
4864 char *name, void *value, size_t size)
4866 struct task_security_struct *tsec;
4872 /* SELinux only allows a process to change its own
4873 security attributes. */
4878 * Basic control over ability to set these attributes at all.
4879 * current == p, but we'll pass them separately in case the
4880 * above restriction is ever removed.
4882 if (!strcmp(name, "exec"))
4883 error = task_has_perm(current, p, PROCESS__SETEXEC);
4884 else if (!strcmp(name, "fscreate"))
4885 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4886 else if (!strcmp(name, "keycreate"))
4887 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4888 else if (!strcmp(name, "sockcreate"))
4889 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4890 else if (!strcmp(name, "current"))
4891 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4897 /* Obtain a SID for the context, if one was specified. */
4898 if (size && str[1] && str[1] != '\n') {
4899 if (str[size-1] == '\n') {
4903 error = security_context_to_sid(value, size, &sid);
4908 /* Permission checking based on the specified context is
4909 performed during the actual operation (execve,
4910 open/mkdir/...), when we know the full context of the
4911 operation. See selinux_bprm_set_security for the execve
4912 checks and may_create for the file creation checks. The
4913 operation will then fail if the context is not permitted. */
4915 if (!strcmp(name, "exec"))
4916 tsec->exec_sid = sid;
4917 else if (!strcmp(name, "fscreate"))
4918 tsec->create_sid = sid;
4919 else if (!strcmp(name, "keycreate")) {
4920 error = may_create_key(sid, p);
4923 tsec->keycreate_sid = sid;
4924 } else if (!strcmp(name, "sockcreate"))
4925 tsec->sockcreate_sid = sid;
4926 else if (!strcmp(name, "current")) {
4927 struct av_decision avd;
4932 /* Only allow single threaded processes to change context */
4933 if (atomic_read(&p->mm->mm_users) != 1) {
4934 struct task_struct *g, *t;
4935 struct mm_struct *mm = p->mm;
4936 read_lock(&tasklist_lock);
4937 do_each_thread(g, t)
4938 if (t->mm == mm && t != p) {
4939 read_unlock(&tasklist_lock);
4942 while_each_thread(g, t);
4943 read_unlock(&tasklist_lock);
4946 /* Check permissions for the transition. */
4947 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4948 PROCESS__DYNTRANSITION, NULL);
4952 /* Check for ptracing, and update the task SID if ok.
4953 Otherwise, leave SID unchanged and fail. */
4955 if (p->ptrace & PT_PTRACED) {
4956 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4958 PROCESS__PTRACE, 0, &avd);
4962 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4963 PROCESS__PTRACE, &avd, error, NULL);
4977 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4979 return security_sid_to_context(secid, secdata, seclen);
4982 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
4984 return security_context_to_sid(secdata, seclen, secid);
4987 static void selinux_release_secctx(char *secdata, u32 seclen)
4994 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4995 unsigned long flags)
4997 struct task_security_struct *tsec = tsk->security;
4998 struct key_security_struct *ksec;
5000 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5005 if (tsec->keycreate_sid)
5006 ksec->sid = tsec->keycreate_sid;
5008 ksec->sid = tsec->sid;
5014 static void selinux_key_free(struct key *k)
5016 struct key_security_struct *ksec = k->security;
5022 static int selinux_key_permission(key_ref_t key_ref,
5023 struct task_struct *ctx,
5027 struct task_security_struct *tsec;
5028 struct key_security_struct *ksec;
5030 key = key_ref_to_ptr(key_ref);
5032 tsec = ctx->security;
5033 ksec = key->security;
5035 /* if no specific permissions are requested, we skip the
5036 permission check. No serious, additional covert channels
5037 appear to be created. */
5041 return avc_has_perm(tsec->sid, ksec->sid,
5042 SECCLASS_KEY, perm, NULL);
5047 static struct security_operations selinux_ops = {
5048 .ptrace = selinux_ptrace,
5049 .capget = selinux_capget,
5050 .capset_check = selinux_capset_check,
5051 .capset_set = selinux_capset_set,
5052 .sysctl = selinux_sysctl,
5053 .capable = selinux_capable,
5054 .quotactl = selinux_quotactl,
5055 .quota_on = selinux_quota_on,
5056 .syslog = selinux_syslog,
5057 .vm_enough_memory = selinux_vm_enough_memory,
5059 .netlink_send = selinux_netlink_send,
5060 .netlink_recv = selinux_netlink_recv,
5062 .bprm_alloc_security = selinux_bprm_alloc_security,
5063 .bprm_free_security = selinux_bprm_free_security,
5064 .bprm_apply_creds = selinux_bprm_apply_creds,
5065 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5066 .bprm_set_security = selinux_bprm_set_security,
5067 .bprm_check_security = selinux_bprm_check_security,
5068 .bprm_secureexec = selinux_bprm_secureexec,
5070 .sb_alloc_security = selinux_sb_alloc_security,
5071 .sb_free_security = selinux_sb_free_security,
5072 .sb_copy_data = selinux_sb_copy_data,
5073 .sb_kern_mount = selinux_sb_kern_mount,
5074 .sb_statfs = selinux_sb_statfs,
5075 .sb_mount = selinux_mount,
5076 .sb_umount = selinux_umount,
5077 .sb_get_mnt_opts = selinux_get_mnt_opts,
5078 .sb_set_mnt_opts = selinux_set_mnt_opts,
5079 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5081 .inode_alloc_security = selinux_inode_alloc_security,
5082 .inode_free_security = selinux_inode_free_security,
5083 .inode_init_security = selinux_inode_init_security,
5084 .inode_create = selinux_inode_create,
5085 .inode_link = selinux_inode_link,
5086 .inode_unlink = selinux_inode_unlink,
5087 .inode_symlink = selinux_inode_symlink,
5088 .inode_mkdir = selinux_inode_mkdir,
5089 .inode_rmdir = selinux_inode_rmdir,
5090 .inode_mknod = selinux_inode_mknod,
5091 .inode_rename = selinux_inode_rename,
5092 .inode_readlink = selinux_inode_readlink,
5093 .inode_follow_link = selinux_inode_follow_link,
5094 .inode_permission = selinux_inode_permission,
5095 .inode_setattr = selinux_inode_setattr,
5096 .inode_getattr = selinux_inode_getattr,
5097 .inode_setxattr = selinux_inode_setxattr,
5098 .inode_post_setxattr = selinux_inode_post_setxattr,
5099 .inode_getxattr = selinux_inode_getxattr,
5100 .inode_listxattr = selinux_inode_listxattr,
5101 .inode_removexattr = selinux_inode_removexattr,
5102 .inode_getsecurity = selinux_inode_getsecurity,
5103 .inode_setsecurity = selinux_inode_setsecurity,
5104 .inode_listsecurity = selinux_inode_listsecurity,
5105 .inode_need_killpriv = selinux_inode_need_killpriv,
5106 .inode_killpriv = selinux_inode_killpriv,
5108 .file_permission = selinux_file_permission,
5109 .file_alloc_security = selinux_file_alloc_security,
5110 .file_free_security = selinux_file_free_security,
5111 .file_ioctl = selinux_file_ioctl,
5112 .file_mmap = selinux_file_mmap,
5113 .file_mprotect = selinux_file_mprotect,
5114 .file_lock = selinux_file_lock,
5115 .file_fcntl = selinux_file_fcntl,
5116 .file_set_fowner = selinux_file_set_fowner,
5117 .file_send_sigiotask = selinux_file_send_sigiotask,
5118 .file_receive = selinux_file_receive,
5120 .dentry_open = selinux_dentry_open,
5122 .task_create = selinux_task_create,
5123 .task_alloc_security = selinux_task_alloc_security,
5124 .task_free_security = selinux_task_free_security,
5125 .task_setuid = selinux_task_setuid,
5126 .task_post_setuid = selinux_task_post_setuid,
5127 .task_setgid = selinux_task_setgid,
5128 .task_setpgid = selinux_task_setpgid,
5129 .task_getpgid = selinux_task_getpgid,
5130 .task_getsid = selinux_task_getsid,
5131 .task_getsecid = selinux_task_getsecid,
5132 .task_setgroups = selinux_task_setgroups,
5133 .task_setnice = selinux_task_setnice,
5134 .task_setioprio = selinux_task_setioprio,
5135 .task_getioprio = selinux_task_getioprio,
5136 .task_setrlimit = selinux_task_setrlimit,
5137 .task_setscheduler = selinux_task_setscheduler,
5138 .task_getscheduler = selinux_task_getscheduler,
5139 .task_movememory = selinux_task_movememory,
5140 .task_kill = selinux_task_kill,
5141 .task_wait = selinux_task_wait,
5142 .task_prctl = selinux_task_prctl,
5143 .task_reparent_to_init = selinux_task_reparent_to_init,
5144 .task_to_inode = selinux_task_to_inode,
5146 .ipc_permission = selinux_ipc_permission,
5148 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5149 .msg_msg_free_security = selinux_msg_msg_free_security,
5151 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5152 .msg_queue_free_security = selinux_msg_queue_free_security,
5153 .msg_queue_associate = selinux_msg_queue_associate,
5154 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5155 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5156 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5158 .shm_alloc_security = selinux_shm_alloc_security,
5159 .shm_free_security = selinux_shm_free_security,
5160 .shm_associate = selinux_shm_associate,
5161 .shm_shmctl = selinux_shm_shmctl,
5162 .shm_shmat = selinux_shm_shmat,
5164 .sem_alloc_security = selinux_sem_alloc_security,
5165 .sem_free_security = selinux_sem_free_security,
5166 .sem_associate = selinux_sem_associate,
5167 .sem_semctl = selinux_sem_semctl,
5168 .sem_semop = selinux_sem_semop,
5170 .register_security = selinux_register_security,
5172 .d_instantiate = selinux_d_instantiate,
5174 .getprocattr = selinux_getprocattr,
5175 .setprocattr = selinux_setprocattr,
5177 .secid_to_secctx = selinux_secid_to_secctx,
5178 .secctx_to_secid = selinux_secctx_to_secid,
5179 .release_secctx = selinux_release_secctx,
5181 .unix_stream_connect = selinux_socket_unix_stream_connect,
5182 .unix_may_send = selinux_socket_unix_may_send,
5184 .socket_create = selinux_socket_create,
5185 .socket_post_create = selinux_socket_post_create,
5186 .socket_bind = selinux_socket_bind,
5187 .socket_connect = selinux_socket_connect,
5188 .socket_listen = selinux_socket_listen,
5189 .socket_accept = selinux_socket_accept,
5190 .socket_sendmsg = selinux_socket_sendmsg,
5191 .socket_recvmsg = selinux_socket_recvmsg,
5192 .socket_getsockname = selinux_socket_getsockname,
5193 .socket_getpeername = selinux_socket_getpeername,
5194 .socket_getsockopt = selinux_socket_getsockopt,
5195 .socket_setsockopt = selinux_socket_setsockopt,
5196 .socket_shutdown = selinux_socket_shutdown,
5197 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5198 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5199 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5200 .sk_alloc_security = selinux_sk_alloc_security,
5201 .sk_free_security = selinux_sk_free_security,
5202 .sk_clone_security = selinux_sk_clone_security,
5203 .sk_getsecid = selinux_sk_getsecid,
5204 .sock_graft = selinux_sock_graft,
5205 .inet_conn_request = selinux_inet_conn_request,
5206 .inet_csk_clone = selinux_inet_csk_clone,
5207 .inet_conn_established = selinux_inet_conn_established,
5208 .req_classify_flow = selinux_req_classify_flow,
5210 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5211 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5212 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5213 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5214 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5215 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5216 .xfrm_state_free_security = selinux_xfrm_state_free,
5217 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5218 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5219 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5220 .xfrm_decode_session = selinux_xfrm_decode_session,
5224 .key_alloc = selinux_key_alloc,
5225 .key_free = selinux_key_free,
5226 .key_permission = selinux_key_permission,
5230 static __init int selinux_init(void)
5232 struct task_security_struct *tsec;
5234 if (!selinux_enabled) {
5235 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5239 printk(KERN_INFO "SELinux: Initializing.\n");
5241 /* Set the security state for the initial task. */
5242 if (task_alloc_security(current))
5243 panic("SELinux: Failed to initialize initial task.\n");
5244 tsec = current->security;
5245 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5247 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5248 sizeof(struct inode_security_struct),
5249 0, SLAB_PANIC, NULL);
5252 original_ops = secondary_ops = security_ops;
5254 panic ("SELinux: No initial security operations\n");
5255 if (register_security (&selinux_ops))
5256 panic("SELinux: Unable to register with kernel.\n");
5258 if (selinux_enforcing) {
5259 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5261 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5265 /* Add security information to initial keyrings */
5266 selinux_key_alloc(&root_user_keyring, current,
5267 KEY_ALLOC_NOT_IN_QUOTA);
5268 selinux_key_alloc(&root_session_keyring, current,
5269 KEY_ALLOC_NOT_IN_QUOTA);
5275 void selinux_complete_init(void)
5277 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5279 /* Set up any superblocks initialized prior to the policy load. */
5280 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5281 spin_lock(&sb_lock);
5282 spin_lock(&sb_security_lock);
5284 if (!list_empty(&superblock_security_head)) {
5285 struct superblock_security_struct *sbsec =
5286 list_entry(superblock_security_head.next,
5287 struct superblock_security_struct,
5289 struct super_block *sb = sbsec->sb;
5291 spin_unlock(&sb_security_lock);
5292 spin_unlock(&sb_lock);
5293 down_read(&sb->s_umount);
5295 superblock_doinit(sb, NULL);
5297 spin_lock(&sb_lock);
5298 spin_lock(&sb_security_lock);
5299 list_del_init(&sbsec->list);
5302 spin_unlock(&sb_security_lock);
5303 spin_unlock(&sb_lock);
5306 /* SELinux requires early initialization in order to label
5307 all processes and objects when they are created. */
5308 security_initcall(selinux_init);
5310 #if defined(CONFIG_NETFILTER)
5312 static struct nf_hook_ops selinux_ipv4_op = {
5313 .hook = selinux_ipv4_postroute_last,
5314 .owner = THIS_MODULE,
5316 .hooknum = NF_INET_POST_ROUTING,
5317 .priority = NF_IP_PRI_SELINUX_LAST,
5320 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5322 static struct nf_hook_ops selinux_ipv6_op = {
5323 .hook = selinux_ipv6_postroute_last,
5324 .owner = THIS_MODULE,
5326 .hooknum = NF_INET_POST_ROUTING,
5327 .priority = NF_IP6_PRI_SELINUX_LAST,
5332 static int __init selinux_nf_ip_init(void)
5336 if (!selinux_enabled)
5339 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5341 err = nf_register_hook(&selinux_ipv4_op);
5343 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
5345 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5347 err = nf_register_hook(&selinux_ipv6_op);
5349 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
5357 __initcall(selinux_nf_ip_init);
5359 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5360 static void selinux_nf_ip_exit(void)
5362 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5364 nf_unregister_hook(&selinux_ipv4_op);
5365 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5366 nf_unregister_hook(&selinux_ipv6_op);
5371 #else /* CONFIG_NETFILTER */
5373 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5374 #define selinux_nf_ip_exit()
5377 #endif /* CONFIG_NETFILTER */
5379 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5380 int selinux_disable(void)
5382 extern void exit_sel_fs(void);
5383 static int selinux_disabled = 0;
5385 if (ss_initialized) {
5386 /* Not permitted after initial policy load. */
5390 if (selinux_disabled) {
5391 /* Only do this once. */
5395 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5397 selinux_disabled = 1;
5398 selinux_enabled = 0;
5400 /* Reset security_ops to the secondary module, dummy or capability. */
5401 security_ops = secondary_ops;
5403 /* Unregister netfilter hooks. */
5404 selinux_nf_ip_exit();
5406 /* Unregister selinuxfs. */