2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
87 #define XATTR_SELINUX_SUFFIX "selinux"
88 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
90 #define NUM_SEL_MNT_OPTS 4
92 extern unsigned int policydb_loaded_version;
93 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
94 extern int selinux_compat_net;
95 extern struct security_operations *security_ops;
97 /* SECMARK reference count */
98 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing = 0;
103 static int __init enforcing_setup(char *str)
105 selinux_enforcing = simple_strtol(str,NULL,0);
108 __setup("enforcing=", enforcing_setup);
111 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
112 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
114 static int __init selinux_enabled_setup(char *str)
116 selinux_enabled = simple_strtol(str, NULL, 0);
119 __setup("selinux=", selinux_enabled_setup);
121 int selinux_enabled = 1;
124 /* Original (dummy) security module. */
125 static struct security_operations *original_ops = NULL;
127 /* Minimal support for a secondary security module,
128 just to allow the use of the dummy or capability modules.
129 The owlsm module can alternatively be used as a secondary
130 module as long as CONFIG_OWLSM_FD is not enabled. */
131 static struct security_operations *secondary_ops = NULL;
133 /* Lists of inode and superblock security structures initialized
134 before the policy was loaded. */
135 static LIST_HEAD(superblock_security_head);
136 static DEFINE_SPINLOCK(sb_security_lock);
138 static struct kmem_cache *sel_inode_cache;
141 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
144 * This function checks the SECMARK reference counter to see if any SECMARK
145 * targets are currently configured, if the reference counter is greater than
146 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
147 * enabled, false (0) if SECMARK is disabled.
150 static int selinux_secmark_enabled(void)
152 return (atomic_read(&selinux_secmark_refcount) > 0);
155 /* Allocate and free functions for each kind of security blob. */
157 static int task_alloc_security(struct task_struct *task)
159 struct task_security_struct *tsec;
161 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
165 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
166 task->security = tsec;
171 static void task_free_security(struct task_struct *task)
173 struct task_security_struct *tsec = task->security;
174 task->security = NULL;
178 static int inode_alloc_security(struct inode *inode)
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
187 mutex_init(&isec->lock);
188 INIT_LIST_HEAD(&isec->list);
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
192 isec->task_sid = tsec->sid;
193 inode->i_security = isec;
198 static void inode_free_security(struct inode *inode)
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
208 inode->i_security = NULL;
209 kmem_cache_free(sel_inode_cache, isec);
212 static int file_alloc_security(struct file *file)
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
221 fsec->sid = tsec->sid;
222 fsec->fown_sid = tsec->sid;
223 file->f_security = fsec;
228 static void file_free_security(struct file *file)
230 struct file_security_struct *fsec = file->f_security;
231 file->f_security = NULL;
235 static int superblock_alloc_security(struct super_block *sb)
237 struct superblock_security_struct *sbsec;
239 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
243 mutex_init(&sbsec->lock);
244 INIT_LIST_HEAD(&sbsec->list);
245 INIT_LIST_HEAD(&sbsec->isec_head);
246 spin_lock_init(&sbsec->isec_lock);
248 sbsec->sid = SECINITSID_UNLABELED;
249 sbsec->def_sid = SECINITSID_FILE;
250 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
251 sb->s_security = sbsec;
256 static void superblock_free_security(struct super_block *sb)
258 struct superblock_security_struct *sbsec = sb->s_security;
260 spin_lock(&sb_security_lock);
261 if (!list_empty(&sbsec->list))
262 list_del_init(&sbsec->list);
263 spin_unlock(&sb_security_lock);
265 sb->s_security = NULL;
269 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
271 struct sk_security_struct *ssec;
273 ssec = kzalloc(sizeof(*ssec), priority);
277 ssec->peer_sid = SECINITSID_UNLABELED;
278 ssec->sid = SECINITSID_UNLABELED;
279 sk->sk_security = ssec;
281 selinux_netlbl_sk_security_reset(ssec, family);
286 static void sk_free_security(struct sock *sk)
288 struct sk_security_struct *ssec = sk->sk_security;
290 sk->sk_security = NULL;
294 /* The security server must be initialized before
295 any labeling or access decisions can be provided. */
296 extern int ss_initialized;
298 /* The file system's label must be initialized prior to use. */
300 static char *labeling_behaviors[6] = {
302 "uses transition SIDs",
304 "uses genfs_contexts",
305 "not configured for labeling",
306 "uses mountpoint labeling",
309 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
311 static inline int inode_doinit(struct inode *inode)
313 return inode_doinit_with_dentry(inode, NULL);
324 static match_table_t tokens = {
325 {Opt_context, CONTEXT_STR "%s"},
326 {Opt_fscontext, FSCONTEXT_STR "%s"},
327 {Opt_defcontext, DEFCONTEXT_STR "%s"},
328 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
332 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
334 static int may_context_mount_sb_relabel(u32 sid,
335 struct superblock_security_struct *sbsec,
336 struct task_security_struct *tsec)
340 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
341 FILESYSTEM__RELABELFROM, NULL);
345 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
346 FILESYSTEM__RELABELTO, NULL);
350 static int may_context_mount_inode_relabel(u32 sid,
351 struct superblock_security_struct *sbsec,
352 struct task_security_struct *tsec)
355 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
356 FILESYSTEM__RELABELFROM, NULL);
360 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
361 FILESYSTEM__ASSOCIATE, NULL);
365 static int sb_finish_set_opts(struct super_block *sb)
367 struct superblock_security_struct *sbsec = sb->s_security;
368 struct dentry *root = sb->s_root;
369 struct inode *root_inode = root->d_inode;
372 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
373 /* Make sure that the xattr handler exists and that no
374 error other than -ENODATA is returned by getxattr on
375 the root directory. -ENODATA is ok, as this may be
376 the first boot of the SELinux kernel before we have
377 assigned xattr values to the filesystem. */
378 if (!root_inode->i_op->getxattr) {
379 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
380 "xattr support\n", sb->s_id, sb->s_type->name);
384 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
385 if (rc < 0 && rc != -ENODATA) {
386 if (rc == -EOPNOTSUPP)
387 printk(KERN_WARNING "SELinux: (dev %s, type "
388 "%s) has no security xattr handler\n",
389 sb->s_id, sb->s_type->name);
391 printk(KERN_WARNING "SELinux: (dev %s, type "
392 "%s) getxattr errno %d\n", sb->s_id,
393 sb->s_type->name, -rc);
398 sbsec->initialized = 1;
400 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
401 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
402 sb->s_id, sb->s_type->name);
404 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
405 sb->s_id, sb->s_type->name,
406 labeling_behaviors[sbsec->behavior-1]);
408 /* Initialize the root inode. */
409 rc = inode_doinit_with_dentry(root_inode, root);
411 /* Initialize any other inodes associated with the superblock, e.g.
412 inodes created prior to initial policy load or inodes created
413 during get_sb by a pseudo filesystem that directly
415 spin_lock(&sbsec->isec_lock);
417 if (!list_empty(&sbsec->isec_head)) {
418 struct inode_security_struct *isec =
419 list_entry(sbsec->isec_head.next,
420 struct inode_security_struct, list);
421 struct inode *inode = isec->inode;
422 spin_unlock(&sbsec->isec_lock);
423 inode = igrab(inode);
425 if (!IS_PRIVATE(inode))
429 spin_lock(&sbsec->isec_lock);
430 list_del_init(&isec->list);
433 spin_unlock(&sbsec->isec_lock);
439 * This function should allow an FS to ask what it's mount security
440 * options were so it can use those later for submounts, displaying
441 * mount options, or whatever.
443 static int selinux_get_mnt_opts(const struct super_block *sb,
444 struct security_mnt_opts *opts)
447 struct superblock_security_struct *sbsec = sb->s_security;
448 char *context = NULL;
452 security_init_mnt_opts(opts);
454 if (!sbsec->initialized)
461 * if we ever use sbsec flags for anything other than tracking mount
462 * settings this is going to need a mask
465 /* count the number of mount options for this sb */
466 for (i = 0; i < 8; i++) {
468 opts->num_mnt_opts++;
472 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
473 if (!opts->mnt_opts) {
478 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
479 if (!opts->mnt_opts_flags) {
485 if (sbsec->flags & FSCONTEXT_MNT) {
486 rc = security_sid_to_context(sbsec->sid, &context, &len);
489 opts->mnt_opts[i] = context;
490 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
492 if (sbsec->flags & CONTEXT_MNT) {
493 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496 opts->mnt_opts[i] = context;
497 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
499 if (sbsec->flags & DEFCONTEXT_MNT) {
500 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503 opts->mnt_opts[i] = context;
504 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
506 if (sbsec->flags & ROOTCONTEXT_MNT) {
507 struct inode *root = sbsec->sb->s_root->d_inode;
508 struct inode_security_struct *isec = root->i_security;
510 rc = security_sid_to_context(isec->sid, &context, &len);
513 opts->mnt_opts[i] = context;
514 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
517 BUG_ON(i != opts->num_mnt_opts);
522 security_free_mnt_opts(opts);
526 static int bad_option(struct superblock_security_struct *sbsec, char flag,
527 u32 old_sid, u32 new_sid)
529 /* check if the old mount command had the same options */
530 if (sbsec->initialized)
531 if (!(sbsec->flags & flag) ||
532 (old_sid != new_sid))
535 /* check if we were passed the same options twice,
536 * aka someone passed context=a,context=b
538 if (!sbsec->initialized)
539 if (sbsec->flags & flag)
545 * Allow filesystems with binary mount data to explicitly set mount point
546 * labeling information.
548 static int selinux_set_mnt_opts(struct super_block *sb,
549 struct security_mnt_opts *opts)
552 struct task_security_struct *tsec = current->security;
553 struct superblock_security_struct *sbsec = sb->s_security;
554 const char *name = sb->s_type->name;
555 struct inode *inode = sbsec->sb->s_root->d_inode;
556 struct inode_security_struct *root_isec = inode->i_security;
557 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
558 u32 defcontext_sid = 0;
559 char **mount_options = opts->mnt_opts;
560 int *flags = opts->mnt_opts_flags;
561 int num_opts = opts->num_mnt_opts;
563 mutex_lock(&sbsec->lock);
565 if (!ss_initialized) {
567 /* Defer initialization until selinux_complete_init,
568 after the initial policy is loaded and the security
569 server is ready to handle calls. */
570 spin_lock(&sb_security_lock);
571 if (list_empty(&sbsec->list))
572 list_add(&sbsec->list, &superblock_security_head);
573 spin_unlock(&sb_security_lock);
577 printk(KERN_WARNING "Unable to set superblock options before "
578 "the security server is initialized\n");
583 * Binary mount data FS will come through this function twice. Once
584 * from an explicit call and once from the generic calls from the vfs.
585 * Since the generic VFS calls will not contain any security mount data
586 * we need to skip the double mount verification.
588 * This does open a hole in which we will not notice if the first
589 * mount using this sb set explict options and a second mount using
590 * this sb does not set any security options. (The first options
591 * will be used for both mounts)
593 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
598 * parse the mount options, check if they are valid sids.
599 * also check if someone is trying to mount the same sb more
600 * than once with different security options.
602 for (i = 0; i < num_opts; i++) {
604 rc = security_context_to_sid(mount_options[i],
605 strlen(mount_options[i]), &sid);
607 printk(KERN_WARNING "SELinux: security_context_to_sid"
608 "(%s) failed for (dev %s, type %s) errno=%d\n",
609 mount_options[i], sb->s_id, name, rc);
616 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
618 goto out_double_mount;
620 sbsec->flags |= FSCONTEXT_MNT;
625 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
627 goto out_double_mount;
629 sbsec->flags |= CONTEXT_MNT;
631 case ROOTCONTEXT_MNT:
632 rootcontext_sid = sid;
634 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
636 goto out_double_mount;
638 sbsec->flags |= ROOTCONTEXT_MNT;
642 defcontext_sid = sid;
644 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
646 goto out_double_mount;
648 sbsec->flags |= DEFCONTEXT_MNT;
657 if (sbsec->initialized) {
658 /* previously mounted with options, but not on this attempt? */
659 if (sbsec->flags && !num_opts)
660 goto out_double_mount;
665 if (strcmp(sb->s_type->name, "proc") == 0)
668 /* Determine the labeling behavior to use for this filesystem type. */
669 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
671 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
672 __func__, sb->s_type->name, rc);
676 /* sets the context of the superblock for the fs being mounted. */
679 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
683 sbsec->sid = fscontext_sid;
687 * Switch to using mount point labeling behavior.
688 * sets the label used on all file below the mountpoint, and will set
689 * the superblock context if not already set.
692 if (!fscontext_sid) {
693 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
696 sbsec->sid = context_sid;
698 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
702 if (!rootcontext_sid)
703 rootcontext_sid = context_sid;
705 sbsec->mntpoint_sid = context_sid;
706 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
709 if (rootcontext_sid) {
710 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
714 root_isec->sid = rootcontext_sid;
715 root_isec->initialized = 1;
718 if (defcontext_sid) {
719 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
721 printk(KERN_WARNING "SELinux: defcontext option is "
722 "invalid for this filesystem type\n");
726 if (defcontext_sid != sbsec->def_sid) {
727 rc = may_context_mount_inode_relabel(defcontext_sid,
733 sbsec->def_sid = defcontext_sid;
736 rc = sb_finish_set_opts(sb);
738 mutex_unlock(&sbsec->lock);
742 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
743 "security settings for (dev %s, type %s)\n", sb->s_id, name);
747 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
748 struct super_block *newsb)
750 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
751 struct superblock_security_struct *newsbsec = newsb->s_security;
753 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
754 int set_context = (oldsbsec->flags & CONTEXT_MNT);
755 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
757 /* we can't error, we can't save the info, this shouldn't get called
758 * this early in the boot process. */
759 BUG_ON(!ss_initialized);
761 /* how can we clone if the old one wasn't set up?? */
762 BUG_ON(!oldsbsec->initialized);
764 /* if fs is reusing a sb, just let its options stand... */
765 if (newsbsec->initialized)
768 mutex_lock(&newsbsec->lock);
770 newsbsec->flags = oldsbsec->flags;
772 newsbsec->sid = oldsbsec->sid;
773 newsbsec->def_sid = oldsbsec->def_sid;
774 newsbsec->behavior = oldsbsec->behavior;
777 u32 sid = oldsbsec->mntpoint_sid;
781 if (!set_rootcontext) {
782 struct inode *newinode = newsb->s_root->d_inode;
783 struct inode_security_struct *newisec = newinode->i_security;
786 newsbsec->mntpoint_sid = sid;
788 if (set_rootcontext) {
789 const struct inode *oldinode = oldsb->s_root->d_inode;
790 const struct inode_security_struct *oldisec = oldinode->i_security;
791 struct inode *newinode = newsb->s_root->d_inode;
792 struct inode_security_struct *newisec = newinode->i_security;
794 newisec->sid = oldisec->sid;
797 sb_finish_set_opts(newsb);
798 mutex_unlock(&newsbsec->lock);
801 static int selinux_parse_opts_str(char *options,
802 struct security_mnt_opts *opts)
805 char *context = NULL, *defcontext = NULL;
806 char *fscontext = NULL, *rootcontext = NULL;
807 int rc, num_mnt_opts = 0;
809 opts->num_mnt_opts = 0;
811 /* Standard string-based options. */
812 while ((p = strsep(&options, "|")) != NULL) {
814 substring_t args[MAX_OPT_ARGS];
819 token = match_token(p, tokens, args);
823 if (context || defcontext) {
825 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
828 context = match_strdup(&args[0]);
838 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841 fscontext = match_strdup(&args[0]);
848 case Opt_rootcontext:
851 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854 rootcontext = match_strdup(&args[0]);
862 if (context || defcontext) {
864 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867 defcontext = match_strdup(&args[0]);
876 printk(KERN_WARNING "SELinux: unknown mount option\n");
883 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
887 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
888 if (!opts->mnt_opts_flags) {
889 kfree(opts->mnt_opts);
894 opts->mnt_opts[num_mnt_opts] = fscontext;
895 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
898 opts->mnt_opts[num_mnt_opts] = context;
899 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
902 opts->mnt_opts[num_mnt_opts] = rootcontext;
903 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
906 opts->mnt_opts[num_mnt_opts] = defcontext;
907 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
910 opts->num_mnt_opts = num_mnt_opts;
921 * string mount options parsing and call set the sbsec
923 static int superblock_doinit(struct super_block *sb, void *data)
926 char *options = data;
927 struct security_mnt_opts opts;
929 security_init_mnt_opts(&opts);
934 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
936 rc = selinux_parse_opts_str(options, &opts);
941 rc = selinux_set_mnt_opts(sb, &opts);
944 security_free_mnt_opts(&opts);
948 static inline u16 inode_mode_to_security_class(umode_t mode)
950 switch (mode & S_IFMT) {
952 return SECCLASS_SOCK_FILE;
954 return SECCLASS_LNK_FILE;
956 return SECCLASS_FILE;
958 return SECCLASS_BLK_FILE;
962 return SECCLASS_CHR_FILE;
964 return SECCLASS_FIFO_FILE;
968 return SECCLASS_FILE;
971 static inline int default_protocol_stream(int protocol)
973 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
976 static inline int default_protocol_dgram(int protocol)
978 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
981 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
988 return SECCLASS_UNIX_STREAM_SOCKET;
990 return SECCLASS_UNIX_DGRAM_SOCKET;
997 if (default_protocol_stream(protocol))
998 return SECCLASS_TCP_SOCKET;
1000 return SECCLASS_RAWIP_SOCKET;
1002 if (default_protocol_dgram(protocol))
1003 return SECCLASS_UDP_SOCKET;
1005 return SECCLASS_RAWIP_SOCKET;
1007 return SECCLASS_DCCP_SOCKET;
1009 return SECCLASS_RAWIP_SOCKET;
1015 return SECCLASS_NETLINK_ROUTE_SOCKET;
1016 case NETLINK_FIREWALL:
1017 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1018 case NETLINK_INET_DIAG:
1019 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1021 return SECCLASS_NETLINK_NFLOG_SOCKET;
1023 return SECCLASS_NETLINK_XFRM_SOCKET;
1024 case NETLINK_SELINUX:
1025 return SECCLASS_NETLINK_SELINUX_SOCKET;
1027 return SECCLASS_NETLINK_AUDIT_SOCKET;
1028 case NETLINK_IP6_FW:
1029 return SECCLASS_NETLINK_IP6FW_SOCKET;
1030 case NETLINK_DNRTMSG:
1031 return SECCLASS_NETLINK_DNRT_SOCKET;
1032 case NETLINK_KOBJECT_UEVENT:
1033 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1035 return SECCLASS_NETLINK_SOCKET;
1038 return SECCLASS_PACKET_SOCKET;
1040 return SECCLASS_KEY_SOCKET;
1042 return SECCLASS_APPLETALK_SOCKET;
1045 return SECCLASS_SOCKET;
1048 #ifdef CONFIG_PROC_FS
1049 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1054 char *buffer, *path, *end;
1056 buffer = (char*)__get_free_page(GFP_KERNEL);
1061 end = buffer+buflen;
1066 while (de && de != de->parent) {
1067 buflen -= de->namelen + 1;
1071 memcpy(end, de->name, de->namelen);
1076 rc = security_genfs_sid("proc", path, tclass, sid);
1077 free_page((unsigned long)buffer);
1081 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1089 /* The inode's security attributes must be initialized before first use. */
1090 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1092 struct superblock_security_struct *sbsec = NULL;
1093 struct inode_security_struct *isec = inode->i_security;
1095 struct dentry *dentry;
1096 #define INITCONTEXTLEN 255
1097 char *context = NULL;
1101 if (isec->initialized)
1104 mutex_lock(&isec->lock);
1105 if (isec->initialized)
1108 sbsec = inode->i_sb->s_security;
1109 if (!sbsec->initialized) {
1110 /* Defer initialization until selinux_complete_init,
1111 after the initial policy is loaded and the security
1112 server is ready to handle calls. */
1113 spin_lock(&sbsec->isec_lock);
1114 if (list_empty(&isec->list))
1115 list_add(&isec->list, &sbsec->isec_head);
1116 spin_unlock(&sbsec->isec_lock);
1120 switch (sbsec->behavior) {
1121 case SECURITY_FS_USE_XATTR:
1122 if (!inode->i_op->getxattr) {
1123 isec->sid = sbsec->def_sid;
1127 /* Need a dentry, since the xattr API requires one.
1128 Life would be simpler if we could just pass the inode. */
1130 /* Called from d_instantiate or d_splice_alias. */
1131 dentry = dget(opt_dentry);
1133 /* Called from selinux_complete_init, try to find a dentry. */
1134 dentry = d_find_alias(inode);
1137 printk(KERN_WARNING "%s: no dentry for dev=%s "
1138 "ino=%ld\n", __func__, inode->i_sb->s_id,
1143 len = INITCONTEXTLEN;
1144 context = kmalloc(len, GFP_NOFS);
1150 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1152 if (rc == -ERANGE) {
1153 /* Need a larger buffer. Query for the right size. */
1154 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1162 context = kmalloc(len, GFP_NOFS);
1168 rc = inode->i_op->getxattr(dentry,
1174 if (rc != -ENODATA) {
1175 printk(KERN_WARNING "%s: getxattr returned "
1176 "%d for dev=%s ino=%ld\n", __func__,
1177 -rc, inode->i_sb->s_id, inode->i_ino);
1181 /* Map ENODATA to the default file SID */
1182 sid = sbsec->def_sid;
1185 rc = security_context_to_sid_default(context, rc, &sid,
1189 printk(KERN_WARNING "%s: context_to_sid(%s) "
1190 "returned %d for dev=%s ino=%ld\n",
1191 __func__, context, -rc,
1192 inode->i_sb->s_id, inode->i_ino);
1194 /* Leave with the unlabeled SID */
1202 case SECURITY_FS_USE_TASK:
1203 isec->sid = isec->task_sid;
1205 case SECURITY_FS_USE_TRANS:
1206 /* Default to the fs SID. */
1207 isec->sid = sbsec->sid;
1209 /* Try to obtain a transition SID. */
1210 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1211 rc = security_transition_sid(isec->task_sid,
1219 case SECURITY_FS_USE_MNTPOINT:
1220 isec->sid = sbsec->mntpoint_sid;
1223 /* Default to the fs superblock SID. */
1224 isec->sid = sbsec->sid;
1227 struct proc_inode *proci = PROC_I(inode);
1229 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1230 rc = selinux_proc_get_sid(proci->pde,
1241 isec->initialized = 1;
1244 mutex_unlock(&isec->lock);
1246 if (isec->sclass == SECCLASS_FILE)
1247 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1251 /* Convert a Linux signal to an access vector. */
1252 static inline u32 signal_to_av(int sig)
1258 /* Commonly granted from child to parent. */
1259 perm = PROCESS__SIGCHLD;
1262 /* Cannot be caught or ignored */
1263 perm = PROCESS__SIGKILL;
1266 /* Cannot be caught or ignored */
1267 perm = PROCESS__SIGSTOP;
1270 /* All other signals. */
1271 perm = PROCESS__SIGNAL;
1278 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1279 fork check, ptrace check, etc. */
1280 static int task_has_perm(struct task_struct *tsk1,
1281 struct task_struct *tsk2,
1284 struct task_security_struct *tsec1, *tsec2;
1286 tsec1 = tsk1->security;
1287 tsec2 = tsk2->security;
1288 return avc_has_perm(tsec1->sid, tsec2->sid,
1289 SECCLASS_PROCESS, perms, NULL);
1292 #if CAP_LAST_CAP > 63
1293 #error Fix SELinux to handle capabilities > 63.
1296 /* Check whether a task is allowed to use a capability. */
1297 static int task_has_capability(struct task_struct *tsk,
1300 struct task_security_struct *tsec;
1301 struct avc_audit_data ad;
1303 u32 av = CAP_TO_MASK(cap);
1305 tsec = tsk->security;
1307 AVC_AUDIT_DATA_INIT(&ad,CAP);
1311 switch (CAP_TO_INDEX(cap)) {
1313 sclass = SECCLASS_CAPABILITY;
1316 sclass = SECCLASS_CAPABILITY2;
1320 "SELinux: out of range capability %d\n", cap);
1323 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1326 /* Check whether a task is allowed to use a system operation. */
1327 static int task_has_system(struct task_struct *tsk,
1330 struct task_security_struct *tsec;
1332 tsec = tsk->security;
1334 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1335 SECCLASS_SYSTEM, perms, NULL);
1338 /* Check whether a task has a particular permission to an inode.
1339 The 'adp' parameter is optional and allows other audit
1340 data to be passed (e.g. the dentry). */
1341 static int inode_has_perm(struct task_struct *tsk,
1342 struct inode *inode,
1344 struct avc_audit_data *adp)
1346 struct task_security_struct *tsec;
1347 struct inode_security_struct *isec;
1348 struct avc_audit_data ad;
1350 if (unlikely (IS_PRIVATE (inode)))
1353 tsec = tsk->security;
1354 isec = inode->i_security;
1358 AVC_AUDIT_DATA_INIT(&ad, FS);
1359 ad.u.fs.inode = inode;
1362 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1365 /* Same as inode_has_perm, but pass explicit audit data containing
1366 the dentry to help the auditing code to more easily generate the
1367 pathname if needed. */
1368 static inline int dentry_has_perm(struct task_struct *tsk,
1369 struct vfsmount *mnt,
1370 struct dentry *dentry,
1373 struct inode *inode = dentry->d_inode;
1374 struct avc_audit_data ad;
1375 AVC_AUDIT_DATA_INIT(&ad,FS);
1376 ad.u.fs.path.mnt = mnt;
1377 ad.u.fs.path.dentry = dentry;
1378 return inode_has_perm(tsk, inode, av, &ad);
1381 /* Check whether a task can use an open file descriptor to
1382 access an inode in a given way. Check access to the
1383 descriptor itself, and then use dentry_has_perm to
1384 check a particular permission to the file.
1385 Access to the descriptor is implicitly granted if it
1386 has the same SID as the process. If av is zero, then
1387 access to the file is not checked, e.g. for cases
1388 where only the descriptor is affected like seek. */
1389 static int file_has_perm(struct task_struct *tsk,
1393 struct task_security_struct *tsec = tsk->security;
1394 struct file_security_struct *fsec = file->f_security;
1395 struct inode *inode = file->f_path.dentry->d_inode;
1396 struct avc_audit_data ad;
1399 AVC_AUDIT_DATA_INIT(&ad, FS);
1400 ad.u.fs.path = file->f_path;
1402 if (tsec->sid != fsec->sid) {
1403 rc = avc_has_perm(tsec->sid, fsec->sid,
1411 /* av is zero if only checking access to the descriptor. */
1413 return inode_has_perm(tsk, inode, av, &ad);
1418 /* Check whether a task can create a file. */
1419 static int may_create(struct inode *dir,
1420 struct dentry *dentry,
1423 struct task_security_struct *tsec;
1424 struct inode_security_struct *dsec;
1425 struct superblock_security_struct *sbsec;
1427 struct avc_audit_data ad;
1430 tsec = current->security;
1431 dsec = dir->i_security;
1432 sbsec = dir->i_sb->s_security;
1434 AVC_AUDIT_DATA_INIT(&ad, FS);
1435 ad.u.fs.path.dentry = dentry;
1437 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1438 DIR__ADD_NAME | DIR__SEARCH,
1443 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1444 newsid = tsec->create_sid;
1446 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1452 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1456 return avc_has_perm(newsid, sbsec->sid,
1457 SECCLASS_FILESYSTEM,
1458 FILESYSTEM__ASSOCIATE, &ad);
1461 /* Check whether a task can create a key. */
1462 static int may_create_key(u32 ksid,
1463 struct task_struct *ctx)
1465 struct task_security_struct *tsec;
1467 tsec = ctx->security;
1469 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1473 #define MAY_UNLINK 1
1476 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1477 static int may_link(struct inode *dir,
1478 struct dentry *dentry,
1482 struct task_security_struct *tsec;
1483 struct inode_security_struct *dsec, *isec;
1484 struct avc_audit_data ad;
1488 tsec = current->security;
1489 dsec = dir->i_security;
1490 isec = dentry->d_inode->i_security;
1492 AVC_AUDIT_DATA_INIT(&ad, FS);
1493 ad.u.fs.path.dentry = dentry;
1496 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1497 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1512 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1516 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1520 static inline int may_rename(struct inode *old_dir,
1521 struct dentry *old_dentry,
1522 struct inode *new_dir,
1523 struct dentry *new_dentry)
1525 struct task_security_struct *tsec;
1526 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1527 struct avc_audit_data ad;
1529 int old_is_dir, new_is_dir;
1532 tsec = current->security;
1533 old_dsec = old_dir->i_security;
1534 old_isec = old_dentry->d_inode->i_security;
1535 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1536 new_dsec = new_dir->i_security;
1538 AVC_AUDIT_DATA_INIT(&ad, FS);
1540 ad.u.fs.path.dentry = old_dentry;
1541 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1542 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1545 rc = avc_has_perm(tsec->sid, old_isec->sid,
1546 old_isec->sclass, FILE__RENAME, &ad);
1549 if (old_is_dir && new_dir != old_dir) {
1550 rc = avc_has_perm(tsec->sid, old_isec->sid,
1551 old_isec->sclass, DIR__REPARENT, &ad);
1556 ad.u.fs.path.dentry = new_dentry;
1557 av = DIR__ADD_NAME | DIR__SEARCH;
1558 if (new_dentry->d_inode)
1559 av |= DIR__REMOVE_NAME;
1560 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1563 if (new_dentry->d_inode) {
1564 new_isec = new_dentry->d_inode->i_security;
1565 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1566 rc = avc_has_perm(tsec->sid, new_isec->sid,
1568 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1576 /* Check whether a task can perform a filesystem operation. */
1577 static int superblock_has_perm(struct task_struct *tsk,
1578 struct super_block *sb,
1580 struct avc_audit_data *ad)
1582 struct task_security_struct *tsec;
1583 struct superblock_security_struct *sbsec;
1585 tsec = tsk->security;
1586 sbsec = sb->s_security;
1587 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1591 /* Convert a Linux mode and permission mask to an access vector. */
1592 static inline u32 file_mask_to_av(int mode, int mask)
1596 if ((mode & S_IFMT) != S_IFDIR) {
1597 if (mask & MAY_EXEC)
1598 av |= FILE__EXECUTE;
1599 if (mask & MAY_READ)
1602 if (mask & MAY_APPEND)
1604 else if (mask & MAY_WRITE)
1608 if (mask & MAY_EXEC)
1610 if (mask & MAY_WRITE)
1612 if (mask & MAY_READ)
1620 * Convert a file mask to an access vector and include the correct open
1623 static inline u32 open_file_mask_to_av(int mode, int mask)
1625 u32 av = file_mask_to_av(mode, mask);
1627 if (selinux_policycap_openperm) {
1629 * lnk files and socks do not really have an 'open'
1633 else if (S_ISCHR(mode))
1634 av |= CHR_FILE__OPEN;
1635 else if (S_ISBLK(mode))
1636 av |= BLK_FILE__OPEN;
1637 else if (S_ISFIFO(mode))
1638 av |= FIFO_FILE__OPEN;
1639 else if (S_ISDIR(mode))
1642 printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
1643 "with unknown mode:%x\n", mode);
1648 /* Convert a Linux file to an access vector. */
1649 static inline u32 file_to_av(struct file *file)
1653 if (file->f_mode & FMODE_READ)
1655 if (file->f_mode & FMODE_WRITE) {
1656 if (file->f_flags & O_APPEND)
1663 * Special file opened with flags 3 for ioctl-only use.
1671 /* Hook functions begin here. */
1673 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1677 rc = secondary_ops->ptrace(parent,child);
1681 return task_has_perm(parent, child, PROCESS__PTRACE);
1684 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1685 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1689 error = task_has_perm(current, target, PROCESS__GETCAP);
1693 return secondary_ops->capget(target, effective, inheritable, permitted);
1696 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1697 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1701 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1705 return task_has_perm(current, target, PROCESS__SETCAP);
1708 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1709 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1711 secondary_ops->capset_set(target, effective, inheritable, permitted);
1714 static int selinux_capable(struct task_struct *tsk, int cap)
1718 rc = secondary_ops->capable(tsk, cap);
1722 return task_has_capability(tsk,cap);
1725 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1728 char *buffer, *path, *end;
1731 buffer = (char*)__get_free_page(GFP_KERNEL);
1736 end = buffer+buflen;
1742 const char *name = table->procname;
1743 size_t namelen = strlen(name);
1744 buflen -= namelen + 1;
1748 memcpy(end, name, namelen);
1751 table = table->parent;
1757 memcpy(end, "/sys", 4);
1759 rc = security_genfs_sid("proc", path, tclass, sid);
1761 free_page((unsigned long)buffer);
1766 static int selinux_sysctl(ctl_table *table, int op)
1770 struct task_security_struct *tsec;
1774 rc = secondary_ops->sysctl(table, op);
1778 tsec = current->security;
1780 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1781 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1783 /* Default to the well-defined sysctl SID. */
1784 tsid = SECINITSID_SYSCTL;
1787 /* The op values are "defined" in sysctl.c, thereby creating
1788 * a bad coupling between this module and sysctl.c */
1790 error = avc_has_perm(tsec->sid, tsid,
1791 SECCLASS_DIR, DIR__SEARCH, NULL);
1799 error = avc_has_perm(tsec->sid, tsid,
1800 SECCLASS_FILE, av, NULL);
1806 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1819 rc = superblock_has_perm(current,
1821 FILESYSTEM__QUOTAMOD, NULL);
1826 rc = superblock_has_perm(current,
1828 FILESYSTEM__QUOTAGET, NULL);
1831 rc = 0; /* let the kernel handle invalid cmds */
1837 static int selinux_quota_on(struct dentry *dentry)
1839 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1842 static int selinux_syslog(int type)
1846 rc = secondary_ops->syslog(type);
1851 case 3: /* Read last kernel messages */
1852 case 10: /* Return size of the log buffer */
1853 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1855 case 6: /* Disable logging to console */
1856 case 7: /* Enable logging to console */
1857 case 8: /* Set level of messages printed to console */
1858 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1860 case 0: /* Close log */
1861 case 1: /* Open log */
1862 case 2: /* Read from log */
1863 case 4: /* Read/clear last kernel messages */
1864 case 5: /* Clear ring buffer */
1866 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1873 * Check that a process has enough memory to allocate a new virtual
1874 * mapping. 0 means there is enough memory for the allocation to
1875 * succeed and -ENOMEM implies there is not.
1877 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1878 * if the capability is granted, but __vm_enough_memory requires 1 if
1879 * the capability is granted.
1881 * Do not audit the selinux permission check, as this is applied to all
1882 * processes that allocate mappings.
1884 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1886 int rc, cap_sys_admin = 0;
1887 struct task_security_struct *tsec = current->security;
1889 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1891 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1892 SECCLASS_CAPABILITY,
1893 CAP_TO_MASK(CAP_SYS_ADMIN),
1900 return __vm_enough_memory(mm, pages, cap_sys_admin);
1904 * task_tracer_task - return the task that is tracing the given task
1905 * @task: task to consider
1907 * Returns NULL if noone is tracing @task, or the &struct task_struct
1908 * pointer to its tracer.
1910 * Must be called under rcu_read_lock().
1912 static struct task_struct *task_tracer_task(struct task_struct *task)
1914 if (task->ptrace & PT_PTRACED)
1915 return rcu_dereference(task->parent);
1919 /* binprm security operations */
1921 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1923 struct bprm_security_struct *bsec;
1925 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1929 bsec->sid = SECINITSID_UNLABELED;
1932 bprm->security = bsec;
1936 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1938 struct task_security_struct *tsec;
1939 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1940 struct inode_security_struct *isec;
1941 struct bprm_security_struct *bsec;
1943 struct avc_audit_data ad;
1946 rc = secondary_ops->bprm_set_security(bprm);
1950 bsec = bprm->security;
1955 tsec = current->security;
1956 isec = inode->i_security;
1958 /* Default to the current task SID. */
1959 bsec->sid = tsec->sid;
1961 /* Reset fs, key, and sock SIDs on execve. */
1962 tsec->create_sid = 0;
1963 tsec->keycreate_sid = 0;
1964 tsec->sockcreate_sid = 0;
1966 if (tsec->exec_sid) {
1967 newsid = tsec->exec_sid;
1968 /* Reset exec SID on execve. */
1971 /* Check for a default transition on this program. */
1972 rc = security_transition_sid(tsec->sid, isec->sid,
1973 SECCLASS_PROCESS, &newsid);
1978 AVC_AUDIT_DATA_INIT(&ad, FS);
1979 ad.u.fs.path = bprm->file->f_path;
1981 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1984 if (tsec->sid == newsid) {
1985 rc = avc_has_perm(tsec->sid, isec->sid,
1986 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1990 /* Check permissions for the transition. */
1991 rc = avc_has_perm(tsec->sid, newsid,
1992 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1996 rc = avc_has_perm(newsid, isec->sid,
1997 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2001 /* Clear any possibly unsafe personality bits on exec: */
2002 current->personality &= ~PER_CLEAR_ON_SETID;
2004 /* Set the security field to the new SID. */
2012 static int selinux_bprm_check_security (struct linux_binprm *bprm)
2014 return secondary_ops->bprm_check_security(bprm);
2018 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
2020 struct task_security_struct *tsec = current->security;
2023 if (tsec->osid != tsec->sid) {
2024 /* Enable secure mode for SIDs transitions unless
2025 the noatsecure permission is granted between
2026 the two SIDs, i.e. ahp returns 0. */
2027 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2029 PROCESS__NOATSECURE, NULL);
2032 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2035 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2037 kfree(bprm->security);
2038 bprm->security = NULL;
2041 extern struct vfsmount *selinuxfs_mount;
2042 extern struct dentry *selinux_null;
2044 /* Derived from fs/exec.c:flush_old_files. */
2045 static inline void flush_unauthorized_files(struct files_struct * files)
2047 struct avc_audit_data ad;
2048 struct file *file, *devnull = NULL;
2049 struct tty_struct *tty;
2050 struct fdtable *fdt;
2054 mutex_lock(&tty_mutex);
2055 tty = get_current_tty();
2058 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2060 /* Revalidate access to controlling tty.
2061 Use inode_has_perm on the tty inode directly rather
2062 than using file_has_perm, as this particular open
2063 file may belong to another process and we are only
2064 interested in the inode-based check here. */
2065 struct inode *inode = file->f_path.dentry->d_inode;
2066 if (inode_has_perm(current, inode,
2067 FILE__READ | FILE__WRITE, NULL)) {
2073 mutex_unlock(&tty_mutex);
2074 /* Reset controlling tty. */
2078 /* Revalidate access to inherited open files. */
2080 AVC_AUDIT_DATA_INIT(&ad,FS);
2082 spin_lock(&files->file_lock);
2084 unsigned long set, i;
2089 fdt = files_fdtable(files);
2090 if (i >= fdt->max_fds)
2092 set = fdt->open_fds->fds_bits[j];
2095 spin_unlock(&files->file_lock);
2096 for ( ; set ; i++,set >>= 1) {
2101 if (file_has_perm(current,
2103 file_to_av(file))) {
2105 fd = get_unused_fd();
2115 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2116 if (IS_ERR(devnull)) {
2123 fd_install(fd, devnull);
2128 spin_lock(&files->file_lock);
2131 spin_unlock(&files->file_lock);
2134 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2136 struct task_security_struct *tsec;
2137 struct bprm_security_struct *bsec;
2141 secondary_ops->bprm_apply_creds(bprm, unsafe);
2143 tsec = current->security;
2145 bsec = bprm->security;
2148 tsec->osid = tsec->sid;
2150 if (tsec->sid != sid) {
2151 /* Check for shared state. If not ok, leave SID
2152 unchanged and kill. */
2153 if (unsafe & LSM_UNSAFE_SHARE) {
2154 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2155 PROCESS__SHARE, NULL);
2162 /* Check for ptracing, and update the task SID if ok.
2163 Otherwise, leave SID unchanged and kill. */
2164 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2165 struct task_struct *tracer;
2166 struct task_security_struct *sec;
2170 tracer = task_tracer_task(current);
2171 if (likely(tracer != NULL)) {
2172 sec = tracer->security;
2178 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2179 PROCESS__PTRACE, NULL);
2191 * called after apply_creds without the task lock held
2193 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2195 struct task_security_struct *tsec;
2196 struct rlimit *rlim, *initrlim;
2197 struct itimerval itimer;
2198 struct bprm_security_struct *bsec;
2201 tsec = current->security;
2202 bsec = bprm->security;
2205 force_sig_specific(SIGKILL, current);
2208 if (tsec->osid == tsec->sid)
2211 /* Close files for which the new task SID is not authorized. */
2212 flush_unauthorized_files(current->files);
2214 /* Check whether the new SID can inherit signal state
2215 from the old SID. If not, clear itimers to avoid
2216 subsequent signal generation and flush and unblock
2217 signals. This must occur _after_ the task SID has
2218 been updated so that any kill done after the flush
2219 will be checked against the new SID. */
2220 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2221 PROCESS__SIGINH, NULL);
2223 memset(&itimer, 0, sizeof itimer);
2224 for (i = 0; i < 3; i++)
2225 do_setitimer(i, &itimer, NULL);
2226 flush_signals(current);
2227 spin_lock_irq(¤t->sighand->siglock);
2228 flush_signal_handlers(current, 1);
2229 sigemptyset(¤t->blocked);
2230 recalc_sigpending();
2231 spin_unlock_irq(¤t->sighand->siglock);
2234 /* Always clear parent death signal on SID transitions. */
2235 current->pdeath_signal = 0;
2237 /* Check whether the new SID can inherit resource limits
2238 from the old SID. If not, reset all soft limits to
2239 the lower of the current task's hard limit and the init
2240 task's soft limit. Note that the setting of hard limits
2241 (even to lower them) can be controlled by the setrlimit
2242 check. The inclusion of the init task's soft limit into
2243 the computation is to avoid resetting soft limits higher
2244 than the default soft limit for cases where the default
2245 is lower than the hard limit, e.g. RLIMIT_CORE or
2247 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2248 PROCESS__RLIMITINH, NULL);
2250 for (i = 0; i < RLIM_NLIMITS; i++) {
2251 rlim = current->signal->rlim + i;
2252 initrlim = init_task.signal->rlim+i;
2253 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2255 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2257 * This will cause RLIMIT_CPU calculations
2260 current->it_prof_expires = jiffies_to_cputime(1);
2264 /* Wake up the parent if it is waiting so that it can
2265 recheck wait permission to the new task SID. */
2266 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2269 /* superblock security operations */
2271 static int selinux_sb_alloc_security(struct super_block *sb)
2273 return superblock_alloc_security(sb);
2276 static void selinux_sb_free_security(struct super_block *sb)
2278 superblock_free_security(sb);
2281 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2286 return !memcmp(prefix, option, plen);
2289 static inline int selinux_option(char *option, int len)
2291 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2292 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2293 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2294 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2297 static inline void take_option(char **to, char *from, int *first, int len)
2304 memcpy(*to, from, len);
2308 static inline void take_selinux_option(char **to, char *from, int *first,
2311 int current_size = 0;
2320 while (current_size < len) {
2330 static int selinux_sb_copy_data(char *orig, char *copy)
2332 int fnosec, fsec, rc = 0;
2333 char *in_save, *in_curr, *in_end;
2334 char *sec_curr, *nosec_save, *nosec;
2340 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2348 in_save = in_end = orig;
2352 open_quote = !open_quote;
2353 if ((*in_end == ',' && open_quote == 0) ||
2355 int len = in_end - in_curr;
2357 if (selinux_option(in_curr, len))
2358 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2360 take_option(&nosec, in_curr, &fnosec, len);
2362 in_curr = in_end + 1;
2364 } while (*in_end++);
2366 strcpy(in_save, nosec_save);
2367 free_page((unsigned long)nosec_save);
2372 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2374 struct avc_audit_data ad;
2377 rc = superblock_doinit(sb, data);
2381 AVC_AUDIT_DATA_INIT(&ad,FS);
2382 ad.u.fs.path.dentry = sb->s_root;
2383 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2386 static int selinux_sb_statfs(struct dentry *dentry)
2388 struct avc_audit_data ad;
2390 AVC_AUDIT_DATA_INIT(&ad,FS);
2391 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2392 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2395 static int selinux_mount(char * dev_name,
2396 struct nameidata *nd,
2398 unsigned long flags,
2403 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2407 if (flags & MS_REMOUNT)
2408 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2409 FILESYSTEM__REMOUNT, NULL);
2411 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2415 static int selinux_umount(struct vfsmount *mnt, int flags)
2419 rc = secondary_ops->sb_umount(mnt, flags);
2423 return superblock_has_perm(current,mnt->mnt_sb,
2424 FILESYSTEM__UNMOUNT,NULL);
2427 /* inode security operations */
2429 static int selinux_inode_alloc_security(struct inode *inode)
2431 return inode_alloc_security(inode);
2434 static void selinux_inode_free_security(struct inode *inode)
2436 inode_free_security(inode);
2439 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2440 char **name, void **value,
2443 struct task_security_struct *tsec;
2444 struct inode_security_struct *dsec;
2445 struct superblock_security_struct *sbsec;
2448 char *namep = NULL, *context;
2450 tsec = current->security;
2451 dsec = dir->i_security;
2452 sbsec = dir->i_sb->s_security;
2454 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2455 newsid = tsec->create_sid;
2457 rc = security_transition_sid(tsec->sid, dsec->sid,
2458 inode_mode_to_security_class(inode->i_mode),
2461 printk(KERN_WARNING "%s: "
2462 "security_transition_sid failed, rc=%d (dev=%s "
2465 -rc, inode->i_sb->s_id, inode->i_ino);
2470 /* Possibly defer initialization to selinux_complete_init. */
2471 if (sbsec->initialized) {
2472 struct inode_security_struct *isec = inode->i_security;
2473 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2475 isec->initialized = 1;
2478 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2482 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2489 rc = security_sid_to_context(newsid, &context, &clen);
2501 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2503 return may_create(dir, dentry, SECCLASS_FILE);
2506 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2510 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2513 return may_link(dir, old_dentry, MAY_LINK);
2516 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2520 rc = secondary_ops->inode_unlink(dir, dentry);
2523 return may_link(dir, dentry, MAY_UNLINK);
2526 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2528 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2531 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2533 return may_create(dir, dentry, SECCLASS_DIR);
2536 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2538 return may_link(dir, dentry, MAY_RMDIR);
2541 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2545 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2549 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2552 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2553 struct inode *new_inode, struct dentry *new_dentry)
2555 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2558 static int selinux_inode_readlink(struct dentry *dentry)
2560 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2563 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2567 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2570 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2573 static int selinux_inode_permission(struct inode *inode, int mask,
2574 struct nameidata *nd)
2578 rc = secondary_ops->inode_permission(inode, mask, nd);
2583 /* No permission to check. Existence test. */
2587 return inode_has_perm(current, inode,
2588 open_file_mask_to_av(inode->i_mode, mask), NULL);
2591 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2595 rc = secondary_ops->inode_setattr(dentry, iattr);
2599 if (iattr->ia_valid & ATTR_FORCE)
2602 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2603 ATTR_ATIME_SET | ATTR_MTIME_SET))
2604 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2606 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2609 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2611 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2614 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2616 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2617 sizeof XATTR_SECURITY_PREFIX - 1)) {
2618 if (!strcmp(name, XATTR_NAME_CAPS)) {
2619 if (!capable(CAP_SETFCAP))
2621 } else if (!capable(CAP_SYS_ADMIN)) {
2622 /* A different attribute in the security namespace.
2623 Restrict to administrator. */
2628 /* Not an attribute we recognize, so just check the
2629 ordinary setattr permission. */
2630 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2633 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2635 struct task_security_struct *tsec = current->security;
2636 struct inode *inode = dentry->d_inode;
2637 struct inode_security_struct *isec = inode->i_security;
2638 struct superblock_security_struct *sbsec;
2639 struct avc_audit_data ad;
2643 if (strcmp(name, XATTR_NAME_SELINUX))
2644 return selinux_inode_setotherxattr(dentry, name);
2646 sbsec = inode->i_sb->s_security;
2647 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2650 if (!is_owner_or_cap(inode))
2653 AVC_AUDIT_DATA_INIT(&ad,FS);
2654 ad.u.fs.path.dentry = dentry;
2656 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2657 FILE__RELABELFROM, &ad);
2661 rc = security_context_to_sid(value, size, &newsid);
2665 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2666 FILE__RELABELTO, &ad);
2670 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2675 return avc_has_perm(newsid,
2677 SECCLASS_FILESYSTEM,
2678 FILESYSTEM__ASSOCIATE,
2682 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2683 void *value, size_t size, int flags)
2685 struct inode *inode = dentry->d_inode;
2686 struct inode_security_struct *isec = inode->i_security;
2690 if (strcmp(name, XATTR_NAME_SELINUX)) {
2691 /* Not an attribute we recognize, so nothing to do. */
2695 rc = security_context_to_sid(value, size, &newsid);
2697 printk(KERN_WARNING "%s: unable to obtain SID for context "
2698 "%s, rc=%d\n", __func__, (char *)value, -rc);
2706 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2708 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2711 static int selinux_inode_listxattr (struct dentry *dentry)
2713 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2716 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2718 if (strcmp(name, XATTR_NAME_SELINUX))
2719 return selinux_inode_setotherxattr(dentry, name);
2721 /* No one is allowed to remove a SELinux security label.
2722 You can change the label, but all data must be labeled. */
2727 * Copy the in-core inode security context value to the user. If the
2728 * getxattr() prior to this succeeded, check to see if we need to
2729 * canonicalize the value to be finally returned to the user.
2731 * Permission check is handled by selinux_inode_getxattr hook.
2733 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2737 char *context = NULL;
2738 struct inode_security_struct *isec = inode->i_security;
2740 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2743 error = security_sid_to_context(isec->sid, &context, &size);
2756 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2757 const void *value, size_t size, int flags)
2759 struct inode_security_struct *isec = inode->i_security;
2763 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2766 if (!value || !size)
2769 rc = security_context_to_sid((void*)value, size, &newsid);
2777 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2779 const int len = sizeof(XATTR_NAME_SELINUX);
2780 if (buffer && len <= buffer_size)
2781 memcpy(buffer, XATTR_NAME_SELINUX, len);
2785 static int selinux_inode_need_killpriv(struct dentry *dentry)
2787 return secondary_ops->inode_need_killpriv(dentry);
2790 static int selinux_inode_killpriv(struct dentry *dentry)
2792 return secondary_ops->inode_killpriv(dentry);
2795 /* file security operations */
2797 static int selinux_revalidate_file_permission(struct file *file, int mask)
2800 struct inode *inode = file->f_path.dentry->d_inode;
2803 /* No permission to check. Existence test. */
2807 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2808 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2811 rc = file_has_perm(current, file,
2812 file_mask_to_av(inode->i_mode, mask));
2816 return selinux_netlbl_inode_permission(inode, mask);
2819 static int selinux_file_permission(struct file *file, int mask)
2821 struct inode *inode = file->f_path.dentry->d_inode;
2822 struct task_security_struct *tsec = current->security;
2823 struct file_security_struct *fsec = file->f_security;
2824 struct inode_security_struct *isec = inode->i_security;
2827 /* No permission to check. Existence test. */
2831 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2832 && fsec->pseqno == avc_policy_seqno())
2833 return selinux_netlbl_inode_permission(inode, mask);
2835 return selinux_revalidate_file_permission(file, mask);
2838 static int selinux_file_alloc_security(struct file *file)
2840 return file_alloc_security(file);
2843 static void selinux_file_free_security(struct file *file)
2845 file_free_security(file);
2848 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2860 case EXT2_IOC_GETFLAGS:
2862 case EXT2_IOC_GETVERSION:
2863 error = file_has_perm(current, file, FILE__GETATTR);
2866 case EXT2_IOC_SETFLAGS:
2868 case EXT2_IOC_SETVERSION:
2869 error = file_has_perm(current, file, FILE__SETATTR);
2872 /* sys_ioctl() checks */
2876 error = file_has_perm(current, file, 0);
2881 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2884 /* default case assumes that the command will go
2885 * to the file's ioctl() function.
2888 error = file_has_perm(current, file, FILE__IOCTL);
2894 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2896 #ifndef CONFIG_PPC32
2897 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2899 * We are making executable an anonymous mapping or a
2900 * private file mapping that will also be writable.
2901 * This has an additional check.
2903 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2910 /* read access is always possible with a mapping */
2911 u32 av = FILE__READ;
2913 /* write access only matters if the mapping is shared */
2914 if (shared && (prot & PROT_WRITE))
2917 if (prot & PROT_EXEC)
2918 av |= FILE__EXECUTE;
2920 return file_has_perm(current, file, av);
2925 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2926 unsigned long prot, unsigned long flags,
2927 unsigned long addr, unsigned long addr_only)
2930 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2932 if (addr < mmap_min_addr)
2933 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2934 MEMPROTECT__MMAP_ZERO, NULL);
2935 if (rc || addr_only)
2938 if (selinux_checkreqprot)
2941 return file_map_prot_check(file, prot,
2942 (flags & MAP_TYPE) == MAP_SHARED);
2945 static int selinux_file_mprotect(struct vm_area_struct *vma,
2946 unsigned long reqprot,
2951 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2955 if (selinux_checkreqprot)
2958 #ifndef CONFIG_PPC32
2959 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2961 if (vma->vm_start >= vma->vm_mm->start_brk &&
2962 vma->vm_end <= vma->vm_mm->brk) {
2963 rc = task_has_perm(current, current,
2965 } else if (!vma->vm_file &&
2966 vma->vm_start <= vma->vm_mm->start_stack &&
2967 vma->vm_end >= vma->vm_mm->start_stack) {
2968 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2969 } else if (vma->vm_file && vma->anon_vma) {
2971 * We are making executable a file mapping that has
2972 * had some COW done. Since pages might have been
2973 * written, check ability to execute the possibly
2974 * modified content. This typically should only
2975 * occur for text relocations.
2977 rc = file_has_perm(current, vma->vm_file,
2985 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2988 static int selinux_file_lock(struct file *file, unsigned int cmd)
2990 return file_has_perm(current, file, FILE__LOCK);
2993 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3000 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3005 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3006 err = file_has_perm(current, file,FILE__WRITE);
3015 /* Just check FD__USE permission */
3016 err = file_has_perm(current, file, 0);
3021 #if BITS_PER_LONG == 32
3026 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3030 err = file_has_perm(current, file, FILE__LOCK);
3037 static int selinux_file_set_fowner(struct file *file)
3039 struct task_security_struct *tsec;
3040 struct file_security_struct *fsec;
3042 tsec = current->security;
3043 fsec = file->f_security;
3044 fsec->fown_sid = tsec->sid;
3049 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3050 struct fown_struct *fown, int signum)
3054 struct task_security_struct *tsec;
3055 struct file_security_struct *fsec;
3057 /* struct fown_struct is never outside the context of a struct file */
3058 file = container_of(fown, struct file, f_owner);
3060 tsec = tsk->security;
3061 fsec = file->f_security;
3064 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3066 perm = signal_to_av(signum);
3068 return avc_has_perm(fsec->fown_sid, tsec->sid,
3069 SECCLASS_PROCESS, perm, NULL);
3072 static int selinux_file_receive(struct file *file)
3074 return file_has_perm(current, file, file_to_av(file));
3077 static int selinux_dentry_open(struct file *file)
3079 struct file_security_struct *fsec;
3080 struct inode *inode;
3081 struct inode_security_struct *isec;
3082 inode = file->f_path.dentry->d_inode;
3083 fsec = file->f_security;
3084 isec = inode->i_security;
3086 * Save inode label and policy sequence number
3087 * at open-time so that selinux_file_permission
3088 * can determine whether revalidation is necessary.
3089 * Task label is already saved in the file security
3090 * struct as its SID.
3092 fsec->isid = isec->sid;
3093 fsec->pseqno = avc_policy_seqno();
3095 * Since the inode label or policy seqno may have changed
3096 * between the selinux_inode_permission check and the saving
3097 * of state above, recheck that access is still permitted.
3098 * Otherwise, access might never be revalidated against the
3099 * new inode label or new policy.
3100 * This check is not redundant - do not remove.
3102 return inode_has_perm(current, inode, file_to_av(file), NULL);
3105 /* task security operations */
3107 static int selinux_task_create(unsigned long clone_flags)
3111 rc = secondary_ops->task_create(clone_flags);
3115 return task_has_perm(current, current, PROCESS__FORK);
3118 static int selinux_task_alloc_security(struct task_struct *tsk)
3120 struct task_security_struct *tsec1, *tsec2;
3123 tsec1 = current->security;
3125 rc = task_alloc_security(tsk);
3128 tsec2 = tsk->security;
3130 tsec2->osid = tsec1->osid;
3131 tsec2->sid = tsec1->sid;
3133 /* Retain the exec, fs, key, and sock SIDs across fork */
3134 tsec2->exec_sid = tsec1->exec_sid;
3135 tsec2->create_sid = tsec1->create_sid;
3136 tsec2->keycreate_sid = tsec1->keycreate_sid;
3137 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3142 static void selinux_task_free_security(struct task_struct *tsk)
3144 task_free_security(tsk);
3147 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3149 /* Since setuid only affects the current process, and
3150 since the SELinux controls are not based on the Linux
3151 identity attributes, SELinux does not need to control
3152 this operation. However, SELinux does control the use
3153 of the CAP_SETUID and CAP_SETGID capabilities using the
3158 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3160 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3163 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3165 /* See the comment for setuid above. */
3169 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3171 return task_has_perm(current, p, PROCESS__SETPGID);
3174 static int selinux_task_getpgid(struct task_struct *p)
3176 return task_has_perm(current, p, PROCESS__GETPGID);
3179 static int selinux_task_getsid(struct task_struct *p)
3181 return task_has_perm(current, p, PROCESS__GETSESSION);
3184 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3186 selinux_get_task_sid(p, secid);
3189 static int selinux_task_setgroups(struct group_info *group_info)
3191 /* See the comment for setuid above. */
3195 static int selinux_task_setnice(struct task_struct *p, int nice)
3199 rc = secondary_ops->task_setnice(p, nice);
3203 return task_has_perm(current,p, PROCESS__SETSCHED);
3206 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3210 rc = secondary_ops->task_setioprio(p, ioprio);
3214 return task_has_perm(current, p, PROCESS__SETSCHED);
3217 static int selinux_task_getioprio(struct task_struct *p)
3219 return task_has_perm(current, p, PROCESS__GETSCHED);
3222 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3224 struct rlimit *old_rlim = current->signal->rlim + resource;
3227 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3231 /* Control the ability to change the hard limit (whether
3232 lowering or raising it), so that the hard limit can
3233 later be used as a safe reset point for the soft limit
3234 upon context transitions. See selinux_bprm_apply_creds. */
3235 if (old_rlim->rlim_max != new_rlim->rlim_max)
3236 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3241 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3245 rc = secondary_ops->task_setscheduler(p, policy, lp);
3249 return task_has_perm(current, p, PROCESS__SETSCHED);
3252 static int selinux_task_getscheduler(struct task_struct *p)
3254 return task_has_perm(current, p, PROCESS__GETSCHED);
3257 static int selinux_task_movememory(struct task_struct *p)
3259 return task_has_perm(current, p, PROCESS__SETSCHED);
3262 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3267 struct task_security_struct *tsec;
3269 rc = secondary_ops->task_kill(p, info, sig, secid);
3273 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3277 perm = PROCESS__SIGNULL; /* null signal; existence test */
3279 perm = signal_to_av(sig);
3282 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3284 rc = task_has_perm(current, p, perm);
3288 static int selinux_task_prctl(int option,
3294 /* The current prctl operations do not appear to require
3295 any SELinux controls since they merely observe or modify
3296 the state of the current process. */
3300 static int selinux_task_wait(struct task_struct *p)
3302 return task_has_perm(p, current, PROCESS__SIGCHLD);
3305 static void selinux_task_reparent_to_init(struct task_struct *p)
3307 struct task_security_struct *tsec;
3309 secondary_ops->task_reparent_to_init(p);
3312 tsec->osid = tsec->sid;
3313 tsec->sid = SECINITSID_KERNEL;
3317 static void selinux_task_to_inode(struct task_struct *p,
3318 struct inode *inode)
3320 struct task_security_struct *tsec = p->security;
3321 struct inode_security_struct *isec = inode->i_security;
3323 isec->sid = tsec->sid;
3324 isec->initialized = 1;
3328 /* Returns error only if unable to parse addresses */
3329 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3330 struct avc_audit_data *ad, u8 *proto)
3332 int offset, ihlen, ret = -EINVAL;
3333 struct iphdr _iph, *ih;
3335 offset = skb_network_offset(skb);
3336 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3340 ihlen = ih->ihl * 4;
3341 if (ihlen < sizeof(_iph))
3344 ad->u.net.v4info.saddr = ih->saddr;
3345 ad->u.net.v4info.daddr = ih->daddr;
3349 *proto = ih->protocol;
3351 switch (ih->protocol) {
3353 struct tcphdr _tcph, *th;
3355 if (ntohs(ih->frag_off) & IP_OFFSET)
3359 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3363 ad->u.net.sport = th->source;
3364 ad->u.net.dport = th->dest;
3369 struct udphdr _udph, *uh;
3371 if (ntohs(ih->frag_off) & IP_OFFSET)
3375 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3379 ad->u.net.sport = uh->source;
3380 ad->u.net.dport = uh->dest;
3384 case IPPROTO_DCCP: {
3385 struct dccp_hdr _dccph, *dh;
3387 if (ntohs(ih->frag_off) & IP_OFFSET)
3391 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3395 ad->u.net.sport = dh->dccph_sport;
3396 ad->u.net.dport = dh->dccph_dport;
3407 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3409 /* Returns error only if unable to parse addresses */
3410 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3411 struct avc_audit_data *ad, u8 *proto)
3414 int ret = -EINVAL, offset;
3415 struct ipv6hdr _ipv6h, *ip6;
3417 offset = skb_network_offset(skb);
3418 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3422 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3423 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3426 nexthdr = ip6->nexthdr;
3427 offset += sizeof(_ipv6h);
3428 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3437 struct tcphdr _tcph, *th;
3439 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3443 ad->u.net.sport = th->source;
3444 ad->u.net.dport = th->dest;
3449 struct udphdr _udph, *uh;
3451 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3455 ad->u.net.sport = uh->source;
3456 ad->u.net.dport = uh->dest;
3460 case IPPROTO_DCCP: {
3461 struct dccp_hdr _dccph, *dh;
3463 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3467 ad->u.net.sport = dh->dccph_sport;
3468 ad->u.net.dport = dh->dccph_dport;
3472 /* includes fragments */
3482 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3483 char **addrp, int src, u8 *proto)
3487 switch (ad->u.net.family) {
3489 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3492 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3493 &ad->u.net.v4info.daddr);
3496 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3498 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3501 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3502 &ad->u.net.v6info.daddr);
3511 "SELinux: failure in selinux_parse_skb(),"
3512 " unable to parse packet\n");
3518 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3520 * @family: protocol family
3521 * @sid: the packet's peer label SID
3524 * Check the various different forms of network peer labeling and determine
3525 * the peer label/SID for the packet; most of the magic actually occurs in
3526 * the security server function security_net_peersid_cmp(). The function
3527 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3528 * or -EACCES if @sid is invalid due to inconsistencies with the different
3532 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3539 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3540 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3542 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3543 if (unlikely(err)) {
3545 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3546 " unable to determine packet's peer label\n");
3553 /* socket security operations */
3554 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3557 struct inode_security_struct *isec;
3558 struct task_security_struct *tsec;
3559 struct avc_audit_data ad;
3562 tsec = task->security;
3563 isec = SOCK_INODE(sock)->i_security;
3565 if (isec->sid == SECINITSID_KERNEL)
3568 AVC_AUDIT_DATA_INIT(&ad,NET);
3569 ad.u.net.sk = sock->sk;
3570 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3576 static int selinux_socket_create(int family, int type,
3577 int protocol, int kern)
3580 struct task_security_struct *tsec;
3586 tsec = current->security;
3587 newsid = tsec->sockcreate_sid ? : tsec->sid;
3588 err = avc_has_perm(tsec->sid, newsid,
3589 socket_type_to_security_class(family, type,
3590 protocol), SOCKET__CREATE, NULL);
3596 static int selinux_socket_post_create(struct socket *sock, int family,
3597 int type, int protocol, int kern)
3600 struct inode_security_struct *isec;
3601 struct task_security_struct *tsec;
3602 struct sk_security_struct *sksec;
3605 isec = SOCK_INODE(sock)->i_security;
3607 tsec = current->security;
3608 newsid = tsec->sockcreate_sid ? : tsec->sid;
3609 isec->sclass = socket_type_to_security_class(family, type, protocol);
3610 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3611 isec->initialized = 1;
3614 sksec = sock->sk->sk_security;
3615 sksec->sid = isec->sid;
3616 sksec->sclass = isec->sclass;
3617 err = selinux_netlbl_socket_post_create(sock);
3623 /* Range of port numbers used to automatically bind.
3624 Need to determine whether we should perform a name_bind
3625 permission check between the socket and the port number. */
3627 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3632 err = socket_has_perm(current, sock, SOCKET__BIND);
3637 * If PF_INET or PF_INET6, check name_bind permission for the port.
3638 * Multiple address binding for SCTP is not supported yet: we just
3639 * check the first address now.
3641 family = sock->sk->sk_family;
3642 if (family == PF_INET || family == PF_INET6) {
3644 struct inode_security_struct *isec;
3645 struct task_security_struct *tsec;
3646 struct avc_audit_data ad;
3647 struct sockaddr_in *addr4 = NULL;
3648 struct sockaddr_in6 *addr6 = NULL;
3649 unsigned short snum;
3650 struct sock *sk = sock->sk;
3651 u32 sid, node_perm, addrlen;
3653 tsec = current->security;
3654 isec = SOCK_INODE(sock)->i_security;
3656 if (family == PF_INET) {
3657 addr4 = (struct sockaddr_in *)address;
3658 snum = ntohs(addr4->sin_port);
3659 addrlen = sizeof(addr4->sin_addr.s_addr);
3660 addrp = (char *)&addr4->sin_addr.s_addr;
3662 addr6 = (struct sockaddr_in6 *)address;
3663 snum = ntohs(addr6->sin6_port);
3664 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3665 addrp = (char *)&addr6->sin6_addr.s6_addr;
3671 inet_get_local_port_range(&low, &high);
3673 if (snum < max(PROT_SOCK, low) || snum > high) {
3674 err = sel_netport_sid(sk->sk_protocol,
3678 AVC_AUDIT_DATA_INIT(&ad,NET);
3679 ad.u.net.sport = htons(snum);
3680 ad.u.net.family = family;
3681 err = avc_has_perm(isec->sid, sid,
3683 SOCKET__NAME_BIND, &ad);
3689 switch(isec->sclass) {
3690 case SECCLASS_TCP_SOCKET:
3691 node_perm = TCP_SOCKET__NODE_BIND;
3694 case SECCLASS_UDP_SOCKET:
3695 node_perm = UDP_SOCKET__NODE_BIND;
3698 case SECCLASS_DCCP_SOCKET:
3699 node_perm = DCCP_SOCKET__NODE_BIND;
3703 node_perm = RAWIP_SOCKET__NODE_BIND;
3707 err = sel_netnode_sid(addrp, family, &sid);
3711 AVC_AUDIT_DATA_INIT(&ad,NET);
3712 ad.u.net.sport = htons(snum);
3713 ad.u.net.family = family;
3715 if (family == PF_INET)
3716 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3718 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3720 err = avc_has_perm(isec->sid, sid,
3721 isec->sclass, node_perm, &ad);
3729 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3731 struct inode_security_struct *isec;
3734 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3739 * If a TCP or DCCP socket, check name_connect permission for the port.
3741 isec = SOCK_INODE(sock)->i_security;
3742 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3743 isec->sclass == SECCLASS_DCCP_SOCKET) {
3744 struct sock *sk = sock->sk;
3745 struct avc_audit_data ad;
3746 struct sockaddr_in *addr4 = NULL;
3747 struct sockaddr_in6 *addr6 = NULL;
3748 unsigned short snum;
3751 if (sk->sk_family == PF_INET) {
3752 addr4 = (struct sockaddr_in *)address;
3753 if (addrlen < sizeof(struct sockaddr_in))
3755 snum = ntohs(addr4->sin_port);
3757 addr6 = (struct sockaddr_in6 *)address;
3758 if (addrlen < SIN6_LEN_RFC2133)
3760 snum = ntohs(addr6->sin6_port);
3763 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3767 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3768 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3770 AVC_AUDIT_DATA_INIT(&ad,NET);
3771 ad.u.net.dport = htons(snum);
3772 ad.u.net.family = sk->sk_family;
3773 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3782 static int selinux_socket_listen(struct socket *sock, int backlog)
3784 return socket_has_perm(current, sock, SOCKET__LISTEN);
3787 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3790 struct inode_security_struct *isec;
3791 struct inode_security_struct *newisec;
3793 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3797 newisec = SOCK_INODE(newsock)->i_security;
3799 isec = SOCK_INODE(sock)->i_security;
3800 newisec->sclass = isec->sclass;
3801 newisec->sid = isec->sid;
3802 newisec->initialized = 1;
3807 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3812 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3816 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3819 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3820 int size, int flags)
3822 return socket_has_perm(current, sock, SOCKET__READ);
3825 static int selinux_socket_getsockname(struct socket *sock)
3827 return socket_has_perm(current, sock, SOCKET__GETATTR);
3830 static int selinux_socket_getpeername(struct socket *sock)
3832 return socket_has_perm(current, sock, SOCKET__GETATTR);
3835 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3839 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3843 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3846 static int selinux_socket_getsockopt(struct socket *sock, int level,
3849 return socket_has_perm(current, sock, SOCKET__GETOPT);
3852 static int selinux_socket_shutdown(struct socket *sock, int how)
3854 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3857 static int selinux_socket_unix_stream_connect(struct socket *sock,
3858 struct socket *other,
3861 struct sk_security_struct *ssec;
3862 struct inode_security_struct *isec;
3863 struct inode_security_struct *other_isec;
3864 struct avc_audit_data ad;
3867 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3871 isec = SOCK_INODE(sock)->i_security;
3872 other_isec = SOCK_INODE(other)->i_security;
3874 AVC_AUDIT_DATA_INIT(&ad,NET);
3875 ad.u.net.sk = other->sk;
3877 err = avc_has_perm(isec->sid, other_isec->sid,
3879 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3883 /* connecting socket */
3884 ssec = sock->sk->sk_security;
3885 ssec->peer_sid = other_isec->sid;
3887 /* server child socket */
3888 ssec = newsk->sk_security;
3889 ssec->peer_sid = isec->sid;
3890 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3895 static int selinux_socket_unix_may_send(struct socket *sock,
3896 struct socket *other)
3898 struct inode_security_struct *isec;
3899 struct inode_security_struct *other_isec;
3900 struct avc_audit_data ad;
3903 isec = SOCK_INODE(sock)->i_security;
3904 other_isec = SOCK_INODE(other)->i_security;
3906 AVC_AUDIT_DATA_INIT(&ad,NET);
3907 ad.u.net.sk = other->sk;
3909 err = avc_has_perm(isec->sid, other_isec->sid,
3910 isec->sclass, SOCKET__SENDTO, &ad);
3917 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3919 struct avc_audit_data *ad)
3925 err = sel_netif_sid(ifindex, &if_sid);
3928 err = avc_has_perm(peer_sid, if_sid,
3929 SECCLASS_NETIF, NETIF__INGRESS, ad);
3933 err = sel_netnode_sid(addrp, family, &node_sid);
3936 return avc_has_perm(peer_sid, node_sid,
3937 SECCLASS_NODE, NODE__RECVFROM, ad);
3940 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3941 struct sk_buff *skb,
3942 struct avc_audit_data *ad,
3947 struct sk_security_struct *sksec = sk->sk_security;
3949 u32 netif_perm, node_perm, recv_perm;
3950 u32 port_sid, node_sid, if_sid, sk_sid;
3952 sk_sid = sksec->sid;
3953 sk_class = sksec->sclass;
3956 case SECCLASS_UDP_SOCKET:
3957 netif_perm = NETIF__UDP_RECV;
3958 node_perm = NODE__UDP_RECV;
3959 recv_perm = UDP_SOCKET__RECV_MSG;
3961 case SECCLASS_TCP_SOCKET:
3962 netif_perm = NETIF__TCP_RECV;
3963 node_perm = NODE__TCP_RECV;
3964 recv_perm = TCP_SOCKET__RECV_MSG;
3966 case SECCLASS_DCCP_SOCKET:
3967 netif_perm = NETIF__DCCP_RECV;
3968 node_perm = NODE__DCCP_RECV;
3969 recv_perm = DCCP_SOCKET__RECV_MSG;
3972 netif_perm = NETIF__RAWIP_RECV;
3973 node_perm = NODE__RAWIP_RECV;
3978 err = sel_netif_sid(skb->iif, &if_sid);
3981 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3985 err = sel_netnode_sid(addrp, family, &node_sid);
3988 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3994 err = sel_netport_sid(sk->sk_protocol,
3995 ntohs(ad->u.net.sport), &port_sid);
3996 if (unlikely(err)) {
3998 "SELinux: failure in"
3999 " selinux_sock_rcv_skb_iptables_compat(),"
4000 " network port label not found\n");
4003 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4006 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4007 struct avc_audit_data *ad,
4008 u16 family, char *addrp)
4011 struct sk_security_struct *sksec = sk->sk_security;
4013 u32 sk_sid = sksec->sid;
4015 if (selinux_compat_net)
4016 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4019 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4024 if (selinux_policycap_netpeer) {
4025 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4028 err = avc_has_perm(sk_sid, peer_sid,
4029 SECCLASS_PEER, PEER__RECV, ad);
4031 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4034 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4040 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4043 struct sk_security_struct *sksec = sk->sk_security;
4044 u16 family = sk->sk_family;
4045 u32 sk_sid = sksec->sid;
4046 struct avc_audit_data ad;
4049 if (family != PF_INET && family != PF_INET6)
4052 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4053 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4056 AVC_AUDIT_DATA_INIT(&ad, NET);
4057 ad.u.net.netif = skb->iif;
4058 ad.u.net.family = family;
4059 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4063 /* If any sort of compatibility mode is enabled then handoff processing
4064 * to the selinux_sock_rcv_skb_compat() function to deal with the
4065 * special handling. We do this in an attempt to keep this function
4066 * as fast and as clean as possible. */
4067 if (selinux_compat_net || !selinux_policycap_netpeer)
4068 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4071 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4074 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4077 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4081 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4085 if (selinux_secmark_enabled()) {
4086 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4095 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4096 int __user *optlen, unsigned len)
4101 struct sk_security_struct *ssec;
4102 struct inode_security_struct *isec;
4103 u32 peer_sid = SECSID_NULL;
4105 isec = SOCK_INODE(sock)->i_security;
4107 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4108 isec->sclass == SECCLASS_TCP_SOCKET) {
4109 ssec = sock->sk->sk_security;
4110 peer_sid = ssec->peer_sid;
4112 if (peer_sid == SECSID_NULL) {
4117 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4122 if (scontext_len > len) {
4127 if (copy_to_user(optval, scontext, scontext_len))
4131 if (put_user(scontext_len, optlen))
4139 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4141 u32 peer_secid = SECSID_NULL;
4145 family = sock->sk->sk_family;
4146 else if (skb && skb->sk)
4147 family = skb->sk->sk_family;
4151 if (sock && family == PF_UNIX)
4152 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4154 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4157 *secid = peer_secid;
4158 if (peer_secid == SECSID_NULL)
4163 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4165 return sk_alloc_security(sk, family, priority);
4168 static void selinux_sk_free_security(struct sock *sk)
4170 sk_free_security(sk);
4173 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4175 struct sk_security_struct *ssec = sk->sk_security;
4176 struct sk_security_struct *newssec = newsk->sk_security;
4178 newssec->sid = ssec->sid;
4179 newssec->peer_sid = ssec->peer_sid;
4180 newssec->sclass = ssec->sclass;
4182 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4185 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4188 *secid = SECINITSID_ANY_SOCKET;
4190 struct sk_security_struct *sksec = sk->sk_security;
4192 *secid = sksec->sid;
4196 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4198 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4199 struct sk_security_struct *sksec = sk->sk_security;
4201 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4202 sk->sk_family == PF_UNIX)
4203 isec->sid = sksec->sid;
4204 sksec->sclass = isec->sclass;
4206 selinux_netlbl_sock_graft(sk, parent);
4209 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4210 struct request_sock *req)
4212 struct sk_security_struct *sksec = sk->sk_security;
4217 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4220 if (peersid == SECSID_NULL) {
4221 req->secid = sksec->sid;
4222 req->peer_secid = SECSID_NULL;
4226 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4230 req->secid = newsid;
4231 req->peer_secid = peersid;
4235 static void selinux_inet_csk_clone(struct sock *newsk,
4236 const struct request_sock *req)
4238 struct sk_security_struct *newsksec = newsk->sk_security;
4240 newsksec->sid = req->secid;
4241 newsksec->peer_sid = req->peer_secid;
4242 /* NOTE: Ideally, we should also get the isec->sid for the
4243 new socket in sync, but we don't have the isec available yet.
4244 So we will wait until sock_graft to do it, by which
4245 time it will have been created and available. */
4247 /* We don't need to take any sort of lock here as we are the only
4248 * thread with access to newsksec */
4249 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4252 static void selinux_inet_conn_established(struct sock *sk,
4253 struct sk_buff *skb)
4255 struct sk_security_struct *sksec = sk->sk_security;
4257 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4260 static void selinux_req_classify_flow(const struct request_sock *req,
4263 fl->secid = req->secid;
4266 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4270 struct nlmsghdr *nlh;
4271 struct socket *sock = sk->sk_socket;
4272 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4274 if (skb->len < NLMSG_SPACE(0)) {
4278 nlh = nlmsg_hdr(skb);
4280 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4282 if (err == -EINVAL) {
4283 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4284 "SELinux: unrecognized netlink message"
4285 " type=%hu for sclass=%hu\n",
4286 nlh->nlmsg_type, isec->sclass);
4287 if (!selinux_enforcing)
4297 err = socket_has_perm(current, sock, perm);
4302 #ifdef CONFIG_NETFILTER
4304 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4309 struct avc_audit_data ad;
4313 if (!selinux_policycap_netpeer)
4316 secmark_active = selinux_secmark_enabled();
4317 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4318 if (!secmark_active && !peerlbl_active)
4321 AVC_AUDIT_DATA_INIT(&ad, NET);
4322 ad.u.net.netif = ifindex;
4323 ad.u.net.family = family;
4324 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4327 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4331 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4332 peer_sid, &ad) != 0)
4336 if (avc_has_perm(peer_sid, skb->secmark,
4337 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4343 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4344 struct sk_buff *skb,
4345 const struct net_device *in,
4346 const struct net_device *out,
4347 int (*okfn)(struct sk_buff *))
4349 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4352 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4353 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4354 struct sk_buff *skb,
4355 const struct net_device *in,
4356 const struct net_device *out,
4357 int (*okfn)(struct sk_buff *))
4359 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4363 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4365 struct avc_audit_data *ad,
4366 u16 family, char *addrp)
4369 struct sk_security_struct *sksec = sk->sk_security;
4371 u32 netif_perm, node_perm, send_perm;
4372 u32 port_sid, node_sid, if_sid, sk_sid;
4374 sk_sid = sksec->sid;
4375 sk_class = sksec->sclass;
4378 case SECCLASS_UDP_SOCKET:
4379 netif_perm = NETIF__UDP_SEND;
4380 node_perm = NODE__UDP_SEND;
4381 send_perm = UDP_SOCKET__SEND_MSG;
4383 case SECCLASS_TCP_SOCKET:
4384 netif_perm = NETIF__TCP_SEND;
4385 node_perm = NODE__TCP_SEND;
4386 send_perm = TCP_SOCKET__SEND_MSG;
4388 case SECCLASS_DCCP_SOCKET:
4389 netif_perm = NETIF__DCCP_SEND;
4390 node_perm = NODE__DCCP_SEND;
4391 send_perm = DCCP_SOCKET__SEND_MSG;
4394 netif_perm = NETIF__RAWIP_SEND;
4395 node_perm = NODE__RAWIP_SEND;
4400 err = sel_netif_sid(ifindex, &if_sid);
4403 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4406 err = sel_netnode_sid(addrp, family, &node_sid);
4409 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4416 err = sel_netport_sid(sk->sk_protocol,
4417 ntohs(ad->u.net.dport), &port_sid);
4418 if (unlikely(err)) {
4420 "SELinux: failure in"
4421 " selinux_ip_postroute_iptables_compat(),"
4422 " network port label not found\n");
4425 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4428 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4430 struct avc_audit_data *ad,
4435 struct sock *sk = skb->sk;
4436 struct sk_security_struct *sksec;
4440 sksec = sk->sk_security;
4442 if (selinux_compat_net) {
4443 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4447 if (avc_has_perm(sksec->sid, skb->secmark,
4448 SECCLASS_PACKET, PACKET__SEND, ad))
4452 if (selinux_policycap_netpeer)
4453 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4459 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4465 struct avc_audit_data ad;
4471 AVC_AUDIT_DATA_INIT(&ad, NET);
4472 ad.u.net.netif = ifindex;
4473 ad.u.net.family = family;
4474 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4477 /* If any sort of compatibility mode is enabled then handoff processing
4478 * to the selinux_ip_postroute_compat() function to deal with the
4479 * special handling. We do this in an attempt to keep this function
4480 * as fast and as clean as possible. */
4481 if (selinux_compat_net || !selinux_policycap_netpeer)
4482 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4483 family, addrp, proto);
4485 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4486 * packet transformation so allow the packet to pass without any checks
4487 * since we'll have another chance to perform access control checks
4488 * when the packet is on it's final way out.
4489 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4490 * is NULL, in this case go ahead and apply access control. */
4491 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4494 secmark_active = selinux_secmark_enabled();
4495 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4496 if (!secmark_active && !peerlbl_active)
4499 /* if the packet is locally generated (skb->sk != NULL) then use the
4500 * socket's label as the peer label, otherwise the packet is being
4501 * forwarded through this system and we need to fetch the peer label
4502 * directly from the packet */
4505 struct sk_security_struct *sksec = sk->sk_security;
4506 peer_sid = sksec->sid;
4507 secmark_perm = PACKET__SEND;
4509 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4511 secmark_perm = PACKET__FORWARD_OUT;
4515 if (avc_has_perm(peer_sid, skb->secmark,
4516 SECCLASS_PACKET, secmark_perm, &ad))
4519 if (peerlbl_active) {
4523 if (sel_netif_sid(ifindex, &if_sid))
4525 if (avc_has_perm(peer_sid, if_sid,
4526 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4529 if (sel_netnode_sid(addrp, family, &node_sid))
4531 if (avc_has_perm(peer_sid, node_sid,
4532 SECCLASS_NODE, NODE__SENDTO, &ad))
4539 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4540 struct sk_buff *skb,
4541 const struct net_device *in,
4542 const struct net_device *out,
4543 int (*okfn)(struct sk_buff *))
4545 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4548 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4549 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4550 struct sk_buff *skb,
4551 const struct net_device *in,
4552 const struct net_device *out,
4553 int (*okfn)(struct sk_buff *))
4555 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4559 #endif /* CONFIG_NETFILTER */
4561 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4565 err = secondary_ops->netlink_send(sk, skb);
4569 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4570 err = selinux_nlmsg_perm(sk, skb);
4575 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4578 struct avc_audit_data ad;
4580 err = secondary_ops->netlink_recv(skb, capability);
4584 AVC_AUDIT_DATA_INIT(&ad, CAP);
4585 ad.u.cap = capability;
4587 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4588 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4591 static int ipc_alloc_security(struct task_struct *task,
4592 struct kern_ipc_perm *perm,
4595 struct task_security_struct *tsec = task->security;
4596 struct ipc_security_struct *isec;
4598 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4602 isec->sclass = sclass;
4603 isec->sid = tsec->sid;
4604 perm->security = isec;
4609 static void ipc_free_security(struct kern_ipc_perm *perm)
4611 struct ipc_security_struct *isec = perm->security;
4612 perm->security = NULL;
4616 static int msg_msg_alloc_security(struct msg_msg *msg)
4618 struct msg_security_struct *msec;
4620 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4624 msec->sid = SECINITSID_UNLABELED;
4625 msg->security = msec;
4630 static void msg_msg_free_security(struct msg_msg *msg)
4632 struct msg_security_struct *msec = msg->security;
4634 msg->security = NULL;
4638 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4641 struct task_security_struct *tsec;
4642 struct ipc_security_struct *isec;
4643 struct avc_audit_data ad;
4645 tsec = current->security;
4646 isec = ipc_perms->security;
4648 AVC_AUDIT_DATA_INIT(&ad, IPC);
4649 ad.u.ipc_id = ipc_perms->key;
4651 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4654 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4656 return msg_msg_alloc_security(msg);
4659 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4661 msg_msg_free_security(msg);
4664 /* message queue security operations */
4665 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4667 struct task_security_struct *tsec;
4668 struct ipc_security_struct *isec;
4669 struct avc_audit_data ad;
4672 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4676 tsec = current->security;
4677 isec = msq->q_perm.security;
4679 AVC_AUDIT_DATA_INIT(&ad, IPC);
4680 ad.u.ipc_id = msq->q_perm.key;
4682 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4685 ipc_free_security(&msq->q_perm);
4691 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4693 ipc_free_security(&msq->q_perm);
4696 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4698 struct task_security_struct *tsec;
4699 struct ipc_security_struct *isec;
4700 struct avc_audit_data ad;
4702 tsec = current->security;
4703 isec = msq->q_perm.security;
4705 AVC_AUDIT_DATA_INIT(&ad, IPC);
4706 ad.u.ipc_id = msq->q_perm.key;
4708 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4709 MSGQ__ASSOCIATE, &ad);
4712 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4720 /* No specific object, just general system-wide information. */
4721 return task_has_system(current, SYSTEM__IPC_INFO);
4724 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4727 perms = MSGQ__SETATTR;
4730 perms = MSGQ__DESTROY;
4736 err = ipc_has_perm(&msq->q_perm, perms);
4740 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4742 struct task_security_struct *tsec;
4743 struct ipc_security_struct *isec;
4744 struct msg_security_struct *msec;
4745 struct avc_audit_data ad;
4748 tsec = current->security;
4749 isec = msq->q_perm.security;
4750 msec = msg->security;
4753 * First time through, need to assign label to the message
4755 if (msec->sid == SECINITSID_UNLABELED) {
4757 * Compute new sid based on current process and
4758 * message queue this message will be stored in
4760 rc = security_transition_sid(tsec->sid,
4768 AVC_AUDIT_DATA_INIT(&ad, IPC);
4769 ad.u.ipc_id = msq->q_perm.key;
4771 /* Can this process write to the queue? */
4772 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4775 /* Can this process send the message */
4776 rc = avc_has_perm(tsec->sid, msec->sid,
4777 SECCLASS_MSG, MSG__SEND, &ad);
4779 /* Can the message be put in the queue? */
4780 rc = avc_has_perm(msec->sid, isec->sid,
4781 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4786 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4787 struct task_struct *target,
4788 long type, int mode)
4790 struct task_security_struct *tsec;
4791 struct ipc_security_struct *isec;
4792 struct msg_security_struct *msec;
4793 struct avc_audit_data ad;
4796 tsec = target->security;
4797 isec = msq->q_perm.security;
4798 msec = msg->security;
4800 AVC_AUDIT_DATA_INIT(&ad, IPC);
4801 ad.u.ipc_id = msq->q_perm.key;
4803 rc = avc_has_perm(tsec->sid, isec->sid,
4804 SECCLASS_MSGQ, MSGQ__READ, &ad);
4806 rc = avc_has_perm(tsec->sid, msec->sid,
4807 SECCLASS_MSG, MSG__RECEIVE, &ad);
4811 /* Shared Memory security operations */
4812 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4814 struct task_security_struct *tsec;
4815 struct ipc_security_struct *isec;
4816 struct avc_audit_data ad;
4819 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4823 tsec = current->security;
4824 isec = shp->shm_perm.security;
4826 AVC_AUDIT_DATA_INIT(&ad, IPC);
4827 ad.u.ipc_id = shp->shm_perm.key;
4829 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4832 ipc_free_security(&shp->shm_perm);
4838 static void selinux_shm_free_security(struct shmid_kernel *shp)
4840 ipc_free_security(&shp->shm_perm);
4843 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4845 struct task_security_struct *tsec;
4846 struct ipc_security_struct *isec;
4847 struct avc_audit_data ad;
4849 tsec = current->security;
4850 isec = shp->shm_perm.security;
4852 AVC_AUDIT_DATA_INIT(&ad, IPC);
4853 ad.u.ipc_id = shp->shm_perm.key;
4855 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4856 SHM__ASSOCIATE, &ad);
4859 /* Note, at this point, shp is locked down */
4860 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4868 /* No specific object, just general system-wide information. */
4869 return task_has_system(current, SYSTEM__IPC_INFO);
4872 perms = SHM__GETATTR | SHM__ASSOCIATE;
4875 perms = SHM__SETATTR;
4882 perms = SHM__DESTROY;
4888 err = ipc_has_perm(&shp->shm_perm, perms);
4892 static int selinux_shm_shmat(struct shmid_kernel *shp,
4893 char __user *shmaddr, int shmflg)
4898 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4902 if (shmflg & SHM_RDONLY)
4905 perms = SHM__READ | SHM__WRITE;
4907 return ipc_has_perm(&shp->shm_perm, perms);
4910 /* Semaphore security operations */
4911 static int selinux_sem_alloc_security(struct sem_array *sma)
4913 struct task_security_struct *tsec;
4914 struct ipc_security_struct *isec;
4915 struct avc_audit_data ad;
4918 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4922 tsec = current->security;
4923 isec = sma->sem_perm.security;
4925 AVC_AUDIT_DATA_INIT(&ad, IPC);
4926 ad.u.ipc_id = sma->sem_perm.key;
4928 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4931 ipc_free_security(&sma->sem_perm);
4937 static void selinux_sem_free_security(struct sem_array *sma)
4939 ipc_free_security(&sma->sem_perm);
4942 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4944 struct task_security_struct *tsec;
4945 struct ipc_security_struct *isec;
4946 struct avc_audit_data ad;
4948 tsec = current->security;
4949 isec = sma->sem_perm.security;
4951 AVC_AUDIT_DATA_INIT(&ad, IPC);
4952 ad.u.ipc_id = sma->sem_perm.key;
4954 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4955 SEM__ASSOCIATE, &ad);
4958 /* Note, at this point, sma is locked down */
4959 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4967 /* No specific object, just general system-wide information. */
4968 return task_has_system(current, SYSTEM__IPC_INFO);
4972 perms = SEM__GETATTR;
4983 perms = SEM__DESTROY;
4986 perms = SEM__SETATTR;
4990 perms = SEM__GETATTR | SEM__ASSOCIATE;
4996 err = ipc_has_perm(&sma->sem_perm, perms);
5000 static int selinux_sem_semop(struct sem_array *sma,
5001 struct sembuf *sops, unsigned nsops, int alter)
5006 perms = SEM__READ | SEM__WRITE;
5010 return ipc_has_perm(&sma->sem_perm, perms);
5013 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5019 av |= IPC__UNIX_READ;
5021 av |= IPC__UNIX_WRITE;
5026 return ipc_has_perm(ipcp, av);
5029 /* module stacking operations */
5030 static int selinux_register_security (const char *name, struct security_operations *ops)
5032 if (secondary_ops != original_ops) {
5033 printk(KERN_ERR "%s: There is already a secondary security "
5034 "module registered.\n", __func__);
5038 secondary_ops = ops;
5040 printk(KERN_INFO "%s: Registering secondary module %s\n",
5047 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5050 inode_doinit_with_dentry(inode, dentry);
5053 static int selinux_getprocattr(struct task_struct *p,
5054 char *name, char **value)
5056 struct task_security_struct *tsec;
5062 error = task_has_perm(current, p, PROCESS__GETATTR);
5069 if (!strcmp(name, "current"))
5071 else if (!strcmp(name, "prev"))
5073 else if (!strcmp(name, "exec"))
5074 sid = tsec->exec_sid;
5075 else if (!strcmp(name, "fscreate"))
5076 sid = tsec->create_sid;
5077 else if (!strcmp(name, "keycreate"))
5078 sid = tsec->keycreate_sid;
5079 else if (!strcmp(name, "sockcreate"))
5080 sid = tsec->sockcreate_sid;
5087 error = security_sid_to_context(sid, value, &len);
5093 static int selinux_setprocattr(struct task_struct *p,
5094 char *name, void *value, size_t size)
5096 struct task_security_struct *tsec;
5097 struct task_struct *tracer;
5103 /* SELinux only allows a process to change its own
5104 security attributes. */
5109 * Basic control over ability to set these attributes at all.
5110 * current == p, but we'll pass them separately in case the
5111 * above restriction is ever removed.
5113 if (!strcmp(name, "exec"))
5114 error = task_has_perm(current, p, PROCESS__SETEXEC);
5115 else if (!strcmp(name, "fscreate"))
5116 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5117 else if (!strcmp(name, "keycreate"))
5118 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5119 else if (!strcmp(name, "sockcreate"))
5120 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5121 else if (!strcmp(name, "current"))
5122 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5128 /* Obtain a SID for the context, if one was specified. */
5129 if (size && str[1] && str[1] != '\n') {
5130 if (str[size-1] == '\n') {
5134 error = security_context_to_sid(value, size, &sid);
5139 /* Permission checking based on the specified context is
5140 performed during the actual operation (execve,
5141 open/mkdir/...), when we know the full context of the
5142 operation. See selinux_bprm_set_security for the execve
5143 checks and may_create for the file creation checks. The
5144 operation will then fail if the context is not permitted. */
5146 if (!strcmp(name, "exec"))
5147 tsec->exec_sid = sid;
5148 else if (!strcmp(name, "fscreate"))
5149 tsec->create_sid = sid;
5150 else if (!strcmp(name, "keycreate")) {
5151 error = may_create_key(sid, p);
5154 tsec->keycreate_sid = sid;
5155 } else if (!strcmp(name, "sockcreate"))
5156 tsec->sockcreate_sid = sid;
5157 else if (!strcmp(name, "current")) {
5158 struct av_decision avd;
5163 /* Only allow single threaded processes to change context */
5164 if (atomic_read(&p->mm->mm_users) != 1) {
5165 struct task_struct *g, *t;
5166 struct mm_struct *mm = p->mm;
5167 read_lock(&tasklist_lock);
5168 do_each_thread(g, t)
5169 if (t->mm == mm && t != p) {
5170 read_unlock(&tasklist_lock);
5173 while_each_thread(g, t);
5174 read_unlock(&tasklist_lock);
5177 /* Check permissions for the transition. */
5178 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5179 PROCESS__DYNTRANSITION, NULL);
5183 /* Check for ptracing, and update the task SID if ok.
5184 Otherwise, leave SID unchanged and fail. */
5187 tracer = task_tracer_task(p);
5188 if (tracer != NULL) {
5189 struct task_security_struct *ptsec = tracer->security;
5190 u32 ptsid = ptsec->sid;
5192 error = avc_has_perm_noaudit(ptsid, sid,
5194 PROCESS__PTRACE, 0, &avd);
5198 avc_audit(ptsid, sid, SECCLASS_PROCESS,
5199 PROCESS__PTRACE, &avd, error, NULL);
5214 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5216 return security_sid_to_context(secid, secdata, seclen);
5219 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5221 return security_context_to_sid(secdata, seclen, secid);
5224 static void selinux_release_secctx(char *secdata, u32 seclen)
5231 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5232 unsigned long flags)
5234 struct task_security_struct *tsec = tsk->security;
5235 struct key_security_struct *ksec;
5237 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5241 if (tsec->keycreate_sid)
5242 ksec->sid = tsec->keycreate_sid;
5244 ksec->sid = tsec->sid;
5250 static void selinux_key_free(struct key *k)
5252 struct key_security_struct *ksec = k->security;
5258 static int selinux_key_permission(key_ref_t key_ref,
5259 struct task_struct *ctx,
5263 struct task_security_struct *tsec;
5264 struct key_security_struct *ksec;
5266 key = key_ref_to_ptr(key_ref);
5268 tsec = ctx->security;
5269 ksec = key->security;
5271 /* if no specific permissions are requested, we skip the
5272 permission check. No serious, additional covert channels
5273 appear to be created. */
5277 return avc_has_perm(tsec->sid, ksec->sid,
5278 SECCLASS_KEY, perm, NULL);
5283 static struct security_operations selinux_ops = {
5284 .ptrace = selinux_ptrace,
5285 .capget = selinux_capget,
5286 .capset_check = selinux_capset_check,
5287 .capset_set = selinux_capset_set,
5288 .sysctl = selinux_sysctl,
5289 .capable = selinux_capable,
5290 .quotactl = selinux_quotactl,
5291 .quota_on = selinux_quota_on,
5292 .syslog = selinux_syslog,
5293 .vm_enough_memory = selinux_vm_enough_memory,
5295 .netlink_send = selinux_netlink_send,
5296 .netlink_recv = selinux_netlink_recv,
5298 .bprm_alloc_security = selinux_bprm_alloc_security,
5299 .bprm_free_security = selinux_bprm_free_security,
5300 .bprm_apply_creds = selinux_bprm_apply_creds,
5301 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5302 .bprm_set_security = selinux_bprm_set_security,
5303 .bprm_check_security = selinux_bprm_check_security,
5304 .bprm_secureexec = selinux_bprm_secureexec,
5306 .sb_alloc_security = selinux_sb_alloc_security,
5307 .sb_free_security = selinux_sb_free_security,
5308 .sb_copy_data = selinux_sb_copy_data,
5309 .sb_kern_mount = selinux_sb_kern_mount,
5310 .sb_statfs = selinux_sb_statfs,
5311 .sb_mount = selinux_mount,
5312 .sb_umount = selinux_umount,
5313 .sb_get_mnt_opts = selinux_get_mnt_opts,
5314 .sb_set_mnt_opts = selinux_set_mnt_opts,
5315 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5316 .sb_parse_opts_str = selinux_parse_opts_str,
5319 .inode_alloc_security = selinux_inode_alloc_security,
5320 .inode_free_security = selinux_inode_free_security,
5321 .inode_init_security = selinux_inode_init_security,
5322 .inode_create = selinux_inode_create,
5323 .inode_link = selinux_inode_link,
5324 .inode_unlink = selinux_inode_unlink,
5325 .inode_symlink = selinux_inode_symlink,
5326 .inode_mkdir = selinux_inode_mkdir,
5327 .inode_rmdir = selinux_inode_rmdir,
5328 .inode_mknod = selinux_inode_mknod,
5329 .inode_rename = selinux_inode_rename,
5330 .inode_readlink = selinux_inode_readlink,
5331 .inode_follow_link = selinux_inode_follow_link,
5332 .inode_permission = selinux_inode_permission,
5333 .inode_setattr = selinux_inode_setattr,
5334 .inode_getattr = selinux_inode_getattr,
5335 .inode_setxattr = selinux_inode_setxattr,
5336 .inode_post_setxattr = selinux_inode_post_setxattr,
5337 .inode_getxattr = selinux_inode_getxattr,
5338 .inode_listxattr = selinux_inode_listxattr,
5339 .inode_removexattr = selinux_inode_removexattr,
5340 .inode_getsecurity = selinux_inode_getsecurity,
5341 .inode_setsecurity = selinux_inode_setsecurity,
5342 .inode_listsecurity = selinux_inode_listsecurity,
5343 .inode_need_killpriv = selinux_inode_need_killpriv,
5344 .inode_killpriv = selinux_inode_killpriv,
5346 .file_permission = selinux_file_permission,
5347 .file_alloc_security = selinux_file_alloc_security,
5348 .file_free_security = selinux_file_free_security,
5349 .file_ioctl = selinux_file_ioctl,
5350 .file_mmap = selinux_file_mmap,
5351 .file_mprotect = selinux_file_mprotect,
5352 .file_lock = selinux_file_lock,
5353 .file_fcntl = selinux_file_fcntl,
5354 .file_set_fowner = selinux_file_set_fowner,
5355 .file_send_sigiotask = selinux_file_send_sigiotask,
5356 .file_receive = selinux_file_receive,
5358 .dentry_open = selinux_dentry_open,
5360 .task_create = selinux_task_create,
5361 .task_alloc_security = selinux_task_alloc_security,
5362 .task_free_security = selinux_task_free_security,
5363 .task_setuid = selinux_task_setuid,
5364 .task_post_setuid = selinux_task_post_setuid,
5365 .task_setgid = selinux_task_setgid,
5366 .task_setpgid = selinux_task_setpgid,
5367 .task_getpgid = selinux_task_getpgid,
5368 .task_getsid = selinux_task_getsid,
5369 .task_getsecid = selinux_task_getsecid,
5370 .task_setgroups = selinux_task_setgroups,
5371 .task_setnice = selinux_task_setnice,
5372 .task_setioprio = selinux_task_setioprio,
5373 .task_getioprio = selinux_task_getioprio,
5374 .task_setrlimit = selinux_task_setrlimit,
5375 .task_setscheduler = selinux_task_setscheduler,
5376 .task_getscheduler = selinux_task_getscheduler,
5377 .task_movememory = selinux_task_movememory,
5378 .task_kill = selinux_task_kill,
5379 .task_wait = selinux_task_wait,
5380 .task_prctl = selinux_task_prctl,
5381 .task_reparent_to_init = selinux_task_reparent_to_init,
5382 .task_to_inode = selinux_task_to_inode,
5384 .ipc_permission = selinux_ipc_permission,
5386 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5387 .msg_msg_free_security = selinux_msg_msg_free_security,
5389 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5390 .msg_queue_free_security = selinux_msg_queue_free_security,
5391 .msg_queue_associate = selinux_msg_queue_associate,
5392 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5393 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5394 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5396 .shm_alloc_security = selinux_shm_alloc_security,
5397 .shm_free_security = selinux_shm_free_security,
5398 .shm_associate = selinux_shm_associate,
5399 .shm_shmctl = selinux_shm_shmctl,
5400 .shm_shmat = selinux_shm_shmat,
5402 .sem_alloc_security = selinux_sem_alloc_security,
5403 .sem_free_security = selinux_sem_free_security,
5404 .sem_associate = selinux_sem_associate,
5405 .sem_semctl = selinux_sem_semctl,
5406 .sem_semop = selinux_sem_semop,
5408 .register_security = selinux_register_security,
5410 .d_instantiate = selinux_d_instantiate,
5412 .getprocattr = selinux_getprocattr,
5413 .setprocattr = selinux_setprocattr,
5415 .secid_to_secctx = selinux_secid_to_secctx,
5416 .secctx_to_secid = selinux_secctx_to_secid,
5417 .release_secctx = selinux_release_secctx,
5419 .unix_stream_connect = selinux_socket_unix_stream_connect,
5420 .unix_may_send = selinux_socket_unix_may_send,
5422 .socket_create = selinux_socket_create,
5423 .socket_post_create = selinux_socket_post_create,
5424 .socket_bind = selinux_socket_bind,
5425 .socket_connect = selinux_socket_connect,
5426 .socket_listen = selinux_socket_listen,
5427 .socket_accept = selinux_socket_accept,
5428 .socket_sendmsg = selinux_socket_sendmsg,
5429 .socket_recvmsg = selinux_socket_recvmsg,
5430 .socket_getsockname = selinux_socket_getsockname,
5431 .socket_getpeername = selinux_socket_getpeername,
5432 .socket_getsockopt = selinux_socket_getsockopt,
5433 .socket_setsockopt = selinux_socket_setsockopt,
5434 .socket_shutdown = selinux_socket_shutdown,
5435 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5436 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5437 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5438 .sk_alloc_security = selinux_sk_alloc_security,
5439 .sk_free_security = selinux_sk_free_security,
5440 .sk_clone_security = selinux_sk_clone_security,
5441 .sk_getsecid = selinux_sk_getsecid,
5442 .sock_graft = selinux_sock_graft,
5443 .inet_conn_request = selinux_inet_conn_request,
5444 .inet_csk_clone = selinux_inet_csk_clone,
5445 .inet_conn_established = selinux_inet_conn_established,
5446 .req_classify_flow = selinux_req_classify_flow,
5448 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5449 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5450 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5451 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5452 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5453 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5454 .xfrm_state_free_security = selinux_xfrm_state_free,
5455 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5456 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5457 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5458 .xfrm_decode_session = selinux_xfrm_decode_session,
5462 .key_alloc = selinux_key_alloc,
5463 .key_free = selinux_key_free,
5464 .key_permission = selinux_key_permission,
5468 static __init int selinux_init(void)
5470 struct task_security_struct *tsec;
5472 if (!selinux_enabled) {
5473 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5477 printk(KERN_INFO "SELinux: Initializing.\n");
5479 /* Set the security state for the initial task. */
5480 if (task_alloc_security(current))
5481 panic("SELinux: Failed to initialize initial task.\n");
5482 tsec = current->security;
5483 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5485 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5486 sizeof(struct inode_security_struct),
5487 0, SLAB_PANIC, NULL);
5490 original_ops = secondary_ops = security_ops;
5492 panic ("SELinux: No initial security operations\n");
5493 if (register_security (&selinux_ops))
5494 panic("SELinux: Unable to register with kernel.\n");
5496 if (selinux_enforcing) {
5497 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5499 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5503 /* Add security information to initial keyrings */
5504 selinux_key_alloc(&root_user_keyring, current,
5505 KEY_ALLOC_NOT_IN_QUOTA);
5506 selinux_key_alloc(&root_session_keyring, current,
5507 KEY_ALLOC_NOT_IN_QUOTA);
5513 void selinux_complete_init(void)
5515 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5517 /* Set up any superblocks initialized prior to the policy load. */
5518 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5519 spin_lock(&sb_lock);
5520 spin_lock(&sb_security_lock);
5522 if (!list_empty(&superblock_security_head)) {
5523 struct superblock_security_struct *sbsec =
5524 list_entry(superblock_security_head.next,
5525 struct superblock_security_struct,
5527 struct super_block *sb = sbsec->sb;
5529 spin_unlock(&sb_security_lock);
5530 spin_unlock(&sb_lock);
5531 down_read(&sb->s_umount);
5533 superblock_doinit(sb, NULL);
5535 spin_lock(&sb_lock);
5536 spin_lock(&sb_security_lock);
5537 list_del_init(&sbsec->list);
5540 spin_unlock(&sb_security_lock);
5541 spin_unlock(&sb_lock);
5544 /* SELinux requires early initialization in order to label
5545 all processes and objects when they are created. */
5546 security_initcall(selinux_init);
5548 #if defined(CONFIG_NETFILTER)
5550 static struct nf_hook_ops selinux_ipv4_ops[] = {
5552 .hook = selinux_ipv4_postroute,
5553 .owner = THIS_MODULE,
5555 .hooknum = NF_INET_POST_ROUTING,
5556 .priority = NF_IP_PRI_SELINUX_LAST,
5559 .hook = selinux_ipv4_forward,
5560 .owner = THIS_MODULE,
5562 .hooknum = NF_INET_FORWARD,
5563 .priority = NF_IP_PRI_SELINUX_FIRST,
5567 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5569 static struct nf_hook_ops selinux_ipv6_ops[] = {
5571 .hook = selinux_ipv6_postroute,
5572 .owner = THIS_MODULE,
5574 .hooknum = NF_INET_POST_ROUTING,
5575 .priority = NF_IP6_PRI_SELINUX_LAST,
5578 .hook = selinux_ipv6_forward,
5579 .owner = THIS_MODULE,
5581 .hooknum = NF_INET_FORWARD,
5582 .priority = NF_IP6_PRI_SELINUX_FIRST,
5588 static int __init selinux_nf_ip_init(void)
5593 if (!selinux_enabled)
5596 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5598 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5599 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5601 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5605 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5606 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5607 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5609 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5618 __initcall(selinux_nf_ip_init);
5620 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5621 static void selinux_nf_ip_exit(void)
5625 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5627 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5628 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5629 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5630 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5631 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5636 #else /* CONFIG_NETFILTER */
5638 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5639 #define selinux_nf_ip_exit()
5642 #endif /* CONFIG_NETFILTER */
5644 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5645 int selinux_disable(void)
5647 extern void exit_sel_fs(void);
5648 static int selinux_disabled = 0;
5650 if (ss_initialized) {
5651 /* Not permitted after initial policy load. */
5655 if (selinux_disabled) {
5656 /* Only do this once. */
5660 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5662 selinux_disabled = 1;
5663 selinux_enabled = 0;
5665 /* Reset security_ops to the secondary module, dummy or capability. */
5666 security_ops = secondary_ops;
5668 /* Unregister netfilter hooks. */
5669 selinux_nf_ip_exit();
5671 /* Unregister selinuxfs. */
projects / linux-2.6 / blob