2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
21 #include <linux/module.h>
22 #include <linux/init.h>
23 #include <linux/kernel.h>
24 #include <linux/ptrace.h>
25 #include <linux/errno.h>
26 #include <linux/sched.h>
27 #include <linux/security.h>
28 #include <linux/xattr.h>
29 #include <linux/capability.h>
30 #include <linux/unistd.h>
32 #include <linux/mman.h>
33 #include <linux/slab.h>
34 #include <linux/pagemap.h>
35 #include <linux/swap.h>
36 #include <linux/smp_lock.h>
37 #include <linux/spinlock.h>
38 #include <linux/syscalls.h>
39 #include <linux/file.h>
40 #include <linux/namei.h>
41 #include <linux/mount.h>
42 #include <linux/ext2_fs.h>
43 #include <linux/proc_fs.h>
45 #include <linux/netfilter_ipv4.h>
46 #include <linux/netfilter_ipv6.h>
47 #include <linux/tty.h>
49 #include <net/ip.h> /* for sysctl_local_port_range[] */
50 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
51 #include <asm/uaccess.h>
52 #include <asm/semaphore.h>
53 #include <asm/ioctls.h>
54 #include <linux/bitops.h>
55 #include <linux/interrupt.h>
56 #include <linux/netdevice.h> /* for network interface checks */
57 #include <linux/netlink.h>
58 #include <linux/tcp.h>
59 #include <linux/udp.h>
60 #include <linux/quota.h>
61 #include <linux/un.h> /* for Unix socket types */
62 #include <net/af_unix.h> /* for Unix socket types */
63 #include <linux/parser.h>
64 #include <linux/nfs_mount.h>
66 #include <linux/hugetlb.h>
67 #include <linux/personality.h>
68 #include <linux/sysctl.h>
69 #include <linux/audit.h>
70 #include <linux/string.h>
71 #include <linux/selinux.h>
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83 extern int selinux_compat_net;
85 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
86 int selinux_enforcing = 0;
88 static int __init enforcing_setup(char *str)
90 selinux_enforcing = simple_strtol(str,NULL,0);
93 __setup("enforcing=", enforcing_setup);
96 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
97 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
99 static int __init selinux_enabled_setup(char *str)
101 selinux_enabled = simple_strtol(str, NULL, 0);
104 __setup("selinux=", selinux_enabled_setup);
106 int selinux_enabled = 1;
109 /* Original (dummy) security module. */
110 static struct security_operations *original_ops = NULL;
112 /* Minimal support for a secondary security module,
113 just to allow the use of the dummy or capability modules.
114 The owlsm module can alternatively be used as a secondary
115 module as long as CONFIG_OWLSM_FD is not enabled. */
116 static struct security_operations *secondary_ops = NULL;
118 /* Lists of inode and superblock security structures initialized
119 before the policy was loaded. */
120 static LIST_HEAD(superblock_security_head);
121 static DEFINE_SPINLOCK(sb_security_lock);
123 static kmem_cache_t *sel_inode_cache;
125 /* Return security context for a given sid or just the context
126 length if the buffer is null or length is 0 */
127 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
133 rc = security_sid_to_context(sid, &context, &len);
137 if (!buffer || !size)
138 goto getsecurity_exit;
142 goto getsecurity_exit;
144 memcpy(buffer, context, len);
151 /* Allocate and free functions for each kind of security blob. */
153 static int task_alloc_security(struct task_struct *task)
155 struct task_security_struct *tsec;
157 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
162 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
163 task->security = tsec;
168 static void task_free_security(struct task_struct *task)
170 struct task_security_struct *tsec = task->security;
171 task->security = NULL;
175 static int inode_alloc_security(struct inode *inode)
177 struct task_security_struct *tsec = current->security;
178 struct inode_security_struct *isec;
180 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
184 memset(isec, 0, sizeof(*isec));
185 init_MUTEX(&isec->sem);
186 INIT_LIST_HEAD(&isec->list);
188 isec->sid = SECINITSID_UNLABELED;
189 isec->sclass = SECCLASS_FILE;
190 isec->task_sid = tsec->sid;
191 inode->i_security = isec;
196 static void inode_free_security(struct inode *inode)
198 struct inode_security_struct *isec = inode->i_security;
199 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
201 spin_lock(&sbsec->isec_lock);
202 if (!list_empty(&isec->list))
203 list_del_init(&isec->list);
204 spin_unlock(&sbsec->isec_lock);
206 inode->i_security = NULL;
207 kmem_cache_free(sel_inode_cache, isec);
210 static int file_alloc_security(struct file *file)
212 struct task_security_struct *tsec = current->security;
213 struct file_security_struct *fsec;
215 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
220 fsec->sid = tsec->sid;
221 fsec->fown_sid = tsec->sid;
222 file->f_security = fsec;
227 static void file_free_security(struct file *file)
229 struct file_security_struct *fsec = file->f_security;
230 file->f_security = NULL;
234 static int superblock_alloc_security(struct super_block *sb)
236 struct superblock_security_struct *sbsec;
238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
242 init_MUTEX(&sbsec->sem);
243 INIT_LIST_HEAD(&sbsec->list);
244 INIT_LIST_HEAD(&sbsec->isec_head);
245 spin_lock_init(&sbsec->isec_lock);
247 sbsec->sid = SECINITSID_UNLABELED;
248 sbsec->def_sid = SECINITSID_FILE;
249 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
250 sb->s_security = sbsec;
255 static void superblock_free_security(struct super_block *sb)
257 struct superblock_security_struct *sbsec = sb->s_security;
259 spin_lock(&sb_security_lock);
260 if (!list_empty(&sbsec->list))
261 list_del_init(&sbsec->list);
262 spin_unlock(&sb_security_lock);
264 sb->s_security = NULL;
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
270 struct sk_security_struct *ssec;
272 if (family != PF_UNIX)
275 ssec = kzalloc(sizeof(*ssec), priority);
280 ssec->peer_sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
286 static void sk_free_security(struct sock *sk)
288 struct sk_security_struct *ssec = sk->sk_security;
290 if (sk->sk_family != PF_UNIX)
293 sk->sk_security = NULL;
297 /* The security server must be initialized before
298 any labeling or access decisions can be provided. */
299 extern int ss_initialized;
301 /* The file system's label must be initialized prior to use. */
303 static char *labeling_behaviors[6] = {
305 "uses transition SIDs",
307 "uses genfs_contexts",
308 "not configured for labeling",
309 "uses mountpoint labeling",
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314 static inline int inode_doinit(struct inode *inode)
316 return inode_doinit_with_dentry(inode, NULL);
326 static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
330 {Opt_rootcontext, "rootcontext=%s"},
333 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335 static int may_context_mount_sb_relabel(u32 sid,
336 struct superblock_security_struct *sbsec,
337 struct task_security_struct *tsec)
341 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
342 FILESYSTEM__RELABELFROM, NULL);
346 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELTO, NULL);
351 static int may_context_mount_inode_relabel(u32 sid,
352 struct superblock_security_struct *sbsec,
353 struct task_security_struct *tsec)
356 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
357 FILESYSTEM__RELABELFROM, NULL);
361 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
362 FILESYSTEM__ASSOCIATE, NULL);
366 static int try_context_mount(struct super_block *sb, void *data)
368 char *context = NULL, *defcontext = NULL;
369 char *fscontext = NULL, *rootcontext = NULL;
372 int alloc = 0, rc = 0, seen = 0;
373 struct task_security_struct *tsec = current->security;
374 struct superblock_security_struct *sbsec = sb->s_security;
379 name = sb->s_type->name;
381 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
383 /* NFS we understand. */
384 if (!strcmp(name, "nfs")) {
385 struct nfs_mount_data *d = data;
387 if (d->version < NFS_MOUNT_VERSION)
391 context = d->context;
398 /* Standard string-based options. */
399 char *p, *options = data;
401 while ((p = strsep(&options, ",")) != NULL) {
403 substring_t args[MAX_OPT_ARGS];
408 token = match_token(p, tokens, args);
412 if (seen & (Opt_context|Opt_defcontext)) {
414 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
417 context = match_strdup(&args[0]);
428 if (seen & Opt_fscontext) {
430 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
433 fscontext = match_strdup(&args[0]);
440 seen |= Opt_fscontext;
443 case Opt_rootcontext:
444 if (seen & Opt_rootcontext) {
446 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
449 rootcontext = match_strdup(&args[0]);
456 seen |= Opt_rootcontext;
460 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
462 printk(KERN_WARNING "SELinux: "
463 "defcontext option is invalid "
464 "for this filesystem type\n");
467 if (seen & (Opt_context|Opt_defcontext)) {
469 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
472 defcontext = match_strdup(&args[0]);
479 seen |= Opt_defcontext;
484 printk(KERN_WARNING "SELinux: unknown mount "
495 /* sets the context of the superblock for the fs being mounted. */
497 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
499 printk(KERN_WARNING "SELinux: security_context_to_sid"
500 "(%s) failed for (dev %s, type %s) errno=%d\n",
501 fscontext, sb->s_id, name, rc);
505 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
513 * Switch to using mount point labeling behavior.
514 * sets the label used on all file below the mountpoint, and will set
515 * the superblock context if not already set.
518 rc = security_context_to_sid(context, strlen(context), &sid);
520 printk(KERN_WARNING "SELinux: security_context_to_sid"
521 "(%s) failed for (dev %s, type %s) errno=%d\n",
522 context, sb->s_id, name, rc);
527 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
532 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
536 sbsec->mntpoint_sid = sid;
538 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
542 struct inode *inode = sb->s_root->d_inode;
543 struct inode_security_struct *isec = inode->i_security;
544 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
546 printk(KERN_WARNING "SELinux: security_context_to_sid"
547 "(%s) failed for (dev %s, type %s) errno=%d\n",
548 rootcontext, sb->s_id, name, rc);
552 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
557 isec->initialized = 1;
561 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
563 printk(KERN_WARNING "SELinux: security_context_to_sid"
564 "(%s) failed for (dev %s, type %s) errno=%d\n",
565 defcontext, sb->s_id, name, rc);
569 if (sid == sbsec->def_sid)
572 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
576 sbsec->def_sid = sid;
590 static int superblock_doinit(struct super_block *sb, void *data)
592 struct superblock_security_struct *sbsec = sb->s_security;
593 struct dentry *root = sb->s_root;
594 struct inode *inode = root->d_inode;
598 if (sbsec->initialized)
601 if (!ss_initialized) {
602 /* Defer initialization until selinux_complete_init,
603 after the initial policy is loaded and the security
604 server is ready to handle calls. */
605 spin_lock(&sb_security_lock);
606 if (list_empty(&sbsec->list))
607 list_add(&sbsec->list, &superblock_security_head);
608 spin_unlock(&sb_security_lock);
612 /* Determine the labeling behavior to use for this filesystem type. */
613 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
615 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
616 __FUNCTION__, sb->s_type->name, rc);
620 rc = try_context_mount(sb, data);
624 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
625 /* Make sure that the xattr handler exists and that no
626 error other than -ENODATA is returned by getxattr on
627 the root directory. -ENODATA is ok, as this may be
628 the first boot of the SELinux kernel before we have
629 assigned xattr values to the filesystem. */
630 if (!inode->i_op->getxattr) {
631 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
632 "xattr support\n", sb->s_id, sb->s_type->name);
636 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
637 if (rc < 0 && rc != -ENODATA) {
638 if (rc == -EOPNOTSUPP)
639 printk(KERN_WARNING "SELinux: (dev %s, type "
640 "%s) has no security xattr handler\n",
641 sb->s_id, sb->s_type->name);
643 printk(KERN_WARNING "SELinux: (dev %s, type "
644 "%s) getxattr errno %d\n", sb->s_id,
645 sb->s_type->name, -rc);
650 if (strcmp(sb->s_type->name, "proc") == 0)
653 sbsec->initialized = 1;
655 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
656 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
657 sb->s_id, sb->s_type->name);
660 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
661 sb->s_id, sb->s_type->name,
662 labeling_behaviors[sbsec->behavior-1]);
665 /* Initialize the root inode. */
666 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
668 /* Initialize any other inodes associated with the superblock, e.g.
669 inodes created prior to initial policy load or inodes created
670 during get_sb by a pseudo filesystem that directly
672 spin_lock(&sbsec->isec_lock);
674 if (!list_empty(&sbsec->isec_head)) {
675 struct inode_security_struct *isec =
676 list_entry(sbsec->isec_head.next,
677 struct inode_security_struct, list);
678 struct inode *inode = isec->inode;
679 spin_unlock(&sbsec->isec_lock);
680 inode = igrab(inode);
682 if (!IS_PRIVATE (inode))
686 spin_lock(&sbsec->isec_lock);
687 list_del_init(&isec->list);
690 spin_unlock(&sbsec->isec_lock);
696 static inline u16 inode_mode_to_security_class(umode_t mode)
698 switch (mode & S_IFMT) {
700 return SECCLASS_SOCK_FILE;
702 return SECCLASS_LNK_FILE;
704 return SECCLASS_FILE;
706 return SECCLASS_BLK_FILE;
710 return SECCLASS_CHR_FILE;
712 return SECCLASS_FIFO_FILE;
716 return SECCLASS_FILE;
719 static inline int default_protocol_stream(int protocol)
721 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
724 static inline int default_protocol_dgram(int protocol)
726 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
729 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
736 return SECCLASS_UNIX_STREAM_SOCKET;
738 return SECCLASS_UNIX_DGRAM_SOCKET;
745 if (default_protocol_stream(protocol))
746 return SECCLASS_TCP_SOCKET;
748 return SECCLASS_RAWIP_SOCKET;
750 if (default_protocol_dgram(protocol))
751 return SECCLASS_UDP_SOCKET;
753 return SECCLASS_RAWIP_SOCKET;
755 return SECCLASS_RAWIP_SOCKET;
761 return SECCLASS_NETLINK_ROUTE_SOCKET;
762 case NETLINK_FIREWALL:
763 return SECCLASS_NETLINK_FIREWALL_SOCKET;
764 case NETLINK_INET_DIAG:
765 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
767 return SECCLASS_NETLINK_NFLOG_SOCKET;
769 return SECCLASS_NETLINK_XFRM_SOCKET;
770 case NETLINK_SELINUX:
771 return SECCLASS_NETLINK_SELINUX_SOCKET;
773 return SECCLASS_NETLINK_AUDIT_SOCKET;
775 return SECCLASS_NETLINK_IP6FW_SOCKET;
776 case NETLINK_DNRTMSG:
777 return SECCLASS_NETLINK_DNRT_SOCKET;
778 case NETLINK_KOBJECT_UEVENT:
779 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
781 return SECCLASS_NETLINK_SOCKET;
784 return SECCLASS_PACKET_SOCKET;
786 return SECCLASS_KEY_SOCKET;
788 return SECCLASS_APPLETALK_SOCKET;
791 return SECCLASS_SOCKET;
794 #ifdef CONFIG_PROC_FS
795 static int selinux_proc_get_sid(struct proc_dir_entry *de,
800 char *buffer, *path, *end;
802 buffer = (char*)__get_free_page(GFP_KERNEL);
812 while (de && de != de->parent) {
813 buflen -= de->namelen + 1;
817 memcpy(end, de->name, de->namelen);
822 rc = security_genfs_sid("proc", path, tclass, sid);
823 free_page((unsigned long)buffer);
827 static int selinux_proc_get_sid(struct proc_dir_entry *de,
835 /* The inode's security attributes must be initialized before first use. */
836 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
838 struct superblock_security_struct *sbsec = NULL;
839 struct inode_security_struct *isec = inode->i_security;
841 struct dentry *dentry;
842 #define INITCONTEXTLEN 255
843 char *context = NULL;
848 if (isec->initialized)
853 if (isec->initialized)
856 sbsec = inode->i_sb->s_security;
857 if (!sbsec->initialized) {
858 /* Defer initialization until selinux_complete_init,
859 after the initial policy is loaded and the security
860 server is ready to handle calls. */
861 spin_lock(&sbsec->isec_lock);
862 if (list_empty(&isec->list))
863 list_add(&isec->list, &sbsec->isec_head);
864 spin_unlock(&sbsec->isec_lock);
868 switch (sbsec->behavior) {
869 case SECURITY_FS_USE_XATTR:
870 if (!inode->i_op->getxattr) {
871 isec->sid = sbsec->def_sid;
875 /* Need a dentry, since the xattr API requires one.
876 Life would be simpler if we could just pass the inode. */
878 /* Called from d_instantiate or d_splice_alias. */
879 dentry = dget(opt_dentry);
881 /* Called from selinux_complete_init, try to find a dentry. */
882 dentry = d_find_alias(inode);
885 printk(KERN_WARNING "%s: no dentry for dev=%s "
886 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
891 len = INITCONTEXTLEN;
892 context = kmalloc(len, GFP_KERNEL);
898 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
901 /* Need a larger buffer. Query for the right size. */
902 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
910 context = kmalloc(len, GFP_KERNEL);
916 rc = inode->i_op->getxattr(dentry,
922 if (rc != -ENODATA) {
923 printk(KERN_WARNING "%s: getxattr returned "
924 "%d for dev=%s ino=%ld\n", __FUNCTION__,
925 -rc, inode->i_sb->s_id, inode->i_ino);
929 /* Map ENODATA to the default file SID */
930 sid = sbsec->def_sid;
933 rc = security_context_to_sid_default(context, rc, &sid,
936 printk(KERN_WARNING "%s: context_to_sid(%s) "
937 "returned %d for dev=%s ino=%ld\n",
938 __FUNCTION__, context, -rc,
939 inode->i_sb->s_id, inode->i_ino);
941 /* Leave with the unlabeled SID */
949 case SECURITY_FS_USE_TASK:
950 isec->sid = isec->task_sid;
952 case SECURITY_FS_USE_TRANS:
953 /* Default to the fs SID. */
954 isec->sid = sbsec->sid;
956 /* Try to obtain a transition SID. */
957 isec->sclass = inode_mode_to_security_class(inode->i_mode);
958 rc = security_transition_sid(isec->task_sid,
966 case SECURITY_FS_USE_MNTPOINT:
967 isec->sid = sbsec->mntpoint_sid;
970 /* Default to the fs superblock SID. */
971 isec->sid = sbsec->sid;
974 struct proc_inode *proci = PROC_I(inode);
976 isec->sclass = inode_mode_to_security_class(inode->i_mode);
977 rc = selinux_proc_get_sid(proci->pde,
988 isec->initialized = 1;
991 if (isec->sclass == SECCLASS_FILE)
992 isec->sclass = inode_mode_to_security_class(inode->i_mode);
999 /* Convert a Linux signal to an access vector. */
1000 static inline u32 signal_to_av(int sig)
1006 /* Commonly granted from child to parent. */
1007 perm = PROCESS__SIGCHLD;
1010 /* Cannot be caught or ignored */
1011 perm = PROCESS__SIGKILL;
1014 /* Cannot be caught or ignored */
1015 perm = PROCESS__SIGSTOP;
1018 /* All other signals. */
1019 perm = PROCESS__SIGNAL;
1026 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1027 fork check, ptrace check, etc. */
1028 static int task_has_perm(struct task_struct *tsk1,
1029 struct task_struct *tsk2,
1032 struct task_security_struct *tsec1, *tsec2;
1034 tsec1 = tsk1->security;
1035 tsec2 = tsk2->security;
1036 return avc_has_perm(tsec1->sid, tsec2->sid,
1037 SECCLASS_PROCESS, perms, NULL);
1040 /* Check whether a task is allowed to use a capability. */
1041 static int task_has_capability(struct task_struct *tsk,
1044 struct task_security_struct *tsec;
1045 struct avc_audit_data ad;
1047 tsec = tsk->security;
1049 AVC_AUDIT_DATA_INIT(&ad,CAP);
1053 return avc_has_perm(tsec->sid, tsec->sid,
1054 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1057 /* Check whether a task is allowed to use a system operation. */
1058 static int task_has_system(struct task_struct *tsk,
1061 struct task_security_struct *tsec;
1063 tsec = tsk->security;
1065 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1066 SECCLASS_SYSTEM, perms, NULL);
1069 /* Check whether a task has a particular permission to an inode.
1070 The 'adp' parameter is optional and allows other audit
1071 data to be passed (e.g. the dentry). */
1072 static int inode_has_perm(struct task_struct *tsk,
1073 struct inode *inode,
1075 struct avc_audit_data *adp)
1077 struct task_security_struct *tsec;
1078 struct inode_security_struct *isec;
1079 struct avc_audit_data ad;
1081 tsec = tsk->security;
1082 isec = inode->i_security;
1086 AVC_AUDIT_DATA_INIT(&ad, FS);
1087 ad.u.fs.inode = inode;
1090 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1093 /* Same as inode_has_perm, but pass explicit audit data containing
1094 the dentry to help the auditing code to more easily generate the
1095 pathname if needed. */
1096 static inline int dentry_has_perm(struct task_struct *tsk,
1097 struct vfsmount *mnt,
1098 struct dentry *dentry,
1101 struct inode *inode = dentry->d_inode;
1102 struct avc_audit_data ad;
1103 AVC_AUDIT_DATA_INIT(&ad,FS);
1105 ad.u.fs.dentry = dentry;
1106 return inode_has_perm(tsk, inode, av, &ad);
1109 /* Check whether a task can use an open file descriptor to
1110 access an inode in a given way. Check access to the
1111 descriptor itself, and then use dentry_has_perm to
1112 check a particular permission to the file.
1113 Access to the descriptor is implicitly granted if it
1114 has the same SID as the process. If av is zero, then
1115 access to the file is not checked, e.g. for cases
1116 where only the descriptor is affected like seek. */
1117 static int file_has_perm(struct task_struct *tsk,
1121 struct task_security_struct *tsec = tsk->security;
1122 struct file_security_struct *fsec = file->f_security;
1123 struct vfsmount *mnt = file->f_vfsmnt;
1124 struct dentry *dentry = file->f_dentry;
1125 struct inode *inode = dentry->d_inode;
1126 struct avc_audit_data ad;
1129 AVC_AUDIT_DATA_INIT(&ad, FS);
1131 ad.u.fs.dentry = dentry;
1133 if (tsec->sid != fsec->sid) {
1134 rc = avc_has_perm(tsec->sid, fsec->sid,
1142 /* av is zero if only checking access to the descriptor. */
1144 return inode_has_perm(tsk, inode, av, &ad);
1149 /* Check whether a task can create a file. */
1150 static int may_create(struct inode *dir,
1151 struct dentry *dentry,
1154 struct task_security_struct *tsec;
1155 struct inode_security_struct *dsec;
1156 struct superblock_security_struct *sbsec;
1158 struct avc_audit_data ad;
1161 tsec = current->security;
1162 dsec = dir->i_security;
1163 sbsec = dir->i_sb->s_security;
1165 AVC_AUDIT_DATA_INIT(&ad, FS);
1166 ad.u.fs.dentry = dentry;
1168 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1169 DIR__ADD_NAME | DIR__SEARCH,
1174 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1175 newsid = tsec->create_sid;
1177 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1183 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1187 return avc_has_perm(newsid, sbsec->sid,
1188 SECCLASS_FILESYSTEM,
1189 FILESYSTEM__ASSOCIATE, &ad);
1192 /* Check whether a task can create a key. */
1193 static int may_create_key(u32 ksid,
1194 struct task_struct *ctx)
1196 struct task_security_struct *tsec;
1198 tsec = ctx->security;
1200 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1204 #define MAY_UNLINK 1
1207 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1208 static int may_link(struct inode *dir,
1209 struct dentry *dentry,
1213 struct task_security_struct *tsec;
1214 struct inode_security_struct *dsec, *isec;
1215 struct avc_audit_data ad;
1219 tsec = current->security;
1220 dsec = dir->i_security;
1221 isec = dentry->d_inode->i_security;
1223 AVC_AUDIT_DATA_INIT(&ad, FS);
1224 ad.u.fs.dentry = dentry;
1227 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1228 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1243 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1247 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1251 static inline int may_rename(struct inode *old_dir,
1252 struct dentry *old_dentry,
1253 struct inode *new_dir,
1254 struct dentry *new_dentry)
1256 struct task_security_struct *tsec;
1257 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1258 struct avc_audit_data ad;
1260 int old_is_dir, new_is_dir;
1263 tsec = current->security;
1264 old_dsec = old_dir->i_security;
1265 old_isec = old_dentry->d_inode->i_security;
1266 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1267 new_dsec = new_dir->i_security;
1269 AVC_AUDIT_DATA_INIT(&ad, FS);
1271 ad.u.fs.dentry = old_dentry;
1272 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1273 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1276 rc = avc_has_perm(tsec->sid, old_isec->sid,
1277 old_isec->sclass, FILE__RENAME, &ad);
1280 if (old_is_dir && new_dir != old_dir) {
1281 rc = avc_has_perm(tsec->sid, old_isec->sid,
1282 old_isec->sclass, DIR__REPARENT, &ad);
1287 ad.u.fs.dentry = new_dentry;
1288 av = DIR__ADD_NAME | DIR__SEARCH;
1289 if (new_dentry->d_inode)
1290 av |= DIR__REMOVE_NAME;
1291 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1294 if (new_dentry->d_inode) {
1295 new_isec = new_dentry->d_inode->i_security;
1296 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1297 rc = avc_has_perm(tsec->sid, new_isec->sid,
1299 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1307 /* Check whether a task can perform a filesystem operation. */
1308 static int superblock_has_perm(struct task_struct *tsk,
1309 struct super_block *sb,
1311 struct avc_audit_data *ad)
1313 struct task_security_struct *tsec;
1314 struct superblock_security_struct *sbsec;
1316 tsec = tsk->security;
1317 sbsec = sb->s_security;
1318 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1322 /* Convert a Linux mode and permission mask to an access vector. */
1323 static inline u32 file_mask_to_av(int mode, int mask)
1327 if ((mode & S_IFMT) != S_IFDIR) {
1328 if (mask & MAY_EXEC)
1329 av |= FILE__EXECUTE;
1330 if (mask & MAY_READ)
1333 if (mask & MAY_APPEND)
1335 else if (mask & MAY_WRITE)
1339 if (mask & MAY_EXEC)
1341 if (mask & MAY_WRITE)
1343 if (mask & MAY_READ)
1350 /* Convert a Linux file to an access vector. */
1351 static inline u32 file_to_av(struct file *file)
1355 if (file->f_mode & FMODE_READ)
1357 if (file->f_mode & FMODE_WRITE) {
1358 if (file->f_flags & O_APPEND)
1367 /* Set an inode's SID to a specified value. */
1368 static int inode_security_set_sid(struct inode *inode, u32 sid)
1370 struct inode_security_struct *isec = inode->i_security;
1371 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1373 if (!sbsec->initialized) {
1374 /* Defer initialization to selinux_complete_init. */
1379 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1381 isec->initialized = 1;
1386 /* Hook functions begin here. */
1388 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1390 struct task_security_struct *psec = parent->security;
1391 struct task_security_struct *csec = child->security;
1394 rc = secondary_ops->ptrace(parent,child);
1398 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1399 /* Save the SID of the tracing process for later use in apply_creds. */
1400 if (!(child->ptrace & PT_PTRACED) && !rc)
1401 csec->ptrace_sid = psec->sid;
1405 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1406 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1410 error = task_has_perm(current, target, PROCESS__GETCAP);
1414 return secondary_ops->capget(target, effective, inheritable, permitted);
1417 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1418 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1422 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1426 return task_has_perm(current, target, PROCESS__SETCAP);
1429 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1430 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1432 secondary_ops->capset_set(target, effective, inheritable, permitted);
1435 static int selinux_capable(struct task_struct *tsk, int cap)
1439 rc = secondary_ops->capable(tsk, cap);
1443 return task_has_capability(tsk,cap);
1446 static int selinux_sysctl(ctl_table *table, int op)
1450 struct task_security_struct *tsec;
1454 rc = secondary_ops->sysctl(table, op);
1458 tsec = current->security;
1460 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1461 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1463 /* Default to the well-defined sysctl SID. */
1464 tsid = SECINITSID_SYSCTL;
1467 /* The op values are "defined" in sysctl.c, thereby creating
1468 * a bad coupling between this module and sysctl.c */
1470 error = avc_has_perm(tsec->sid, tsid,
1471 SECCLASS_DIR, DIR__SEARCH, NULL);
1479 error = avc_has_perm(tsec->sid, tsid,
1480 SECCLASS_FILE, av, NULL);
1486 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1499 rc = superblock_has_perm(current,
1501 FILESYSTEM__QUOTAMOD, NULL);
1506 rc = superblock_has_perm(current,
1508 FILESYSTEM__QUOTAGET, NULL);
1511 rc = 0; /* let the kernel handle invalid cmds */
1517 static int selinux_quota_on(struct dentry *dentry)
1519 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1522 static int selinux_syslog(int type)
1526 rc = secondary_ops->syslog(type);
1531 case 3: /* Read last kernel messages */
1532 case 10: /* Return size of the log buffer */
1533 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1535 case 6: /* Disable logging to console */
1536 case 7: /* Enable logging to console */
1537 case 8: /* Set level of messages printed to console */
1538 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1540 case 0: /* Close log */
1541 case 1: /* Open log */
1542 case 2: /* Read from log */
1543 case 4: /* Read/clear last kernel messages */
1544 case 5: /* Clear ring buffer */
1546 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1553 * Check that a process has enough memory to allocate a new virtual
1554 * mapping. 0 means there is enough memory for the allocation to
1555 * succeed and -ENOMEM implies there is not.
1557 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1558 * if the capability is granted, but __vm_enough_memory requires 1 if
1559 * the capability is granted.
1561 * Do not audit the selinux permission check, as this is applied to all
1562 * processes that allocate mappings.
1564 static int selinux_vm_enough_memory(long pages)
1566 int rc, cap_sys_admin = 0;
1567 struct task_security_struct *tsec = current->security;
1569 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1571 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1572 SECCLASS_CAPABILITY,
1573 CAP_TO_MASK(CAP_SYS_ADMIN),
1579 return __vm_enough_memory(pages, cap_sys_admin);
1582 /* binprm security operations */
1584 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1586 struct bprm_security_struct *bsec;
1588 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1593 bsec->sid = SECINITSID_UNLABELED;
1596 bprm->security = bsec;
1600 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1602 struct task_security_struct *tsec;
1603 struct inode *inode = bprm->file->f_dentry->d_inode;
1604 struct inode_security_struct *isec;
1605 struct bprm_security_struct *bsec;
1607 struct avc_audit_data ad;
1610 rc = secondary_ops->bprm_set_security(bprm);
1614 bsec = bprm->security;
1619 tsec = current->security;
1620 isec = inode->i_security;
1622 /* Default to the current task SID. */
1623 bsec->sid = tsec->sid;
1625 /* Reset fs, key, and sock SIDs on execve. */
1626 tsec->create_sid = 0;
1627 tsec->keycreate_sid = 0;
1628 tsec->sockcreate_sid = 0;
1630 if (tsec->exec_sid) {
1631 newsid = tsec->exec_sid;
1632 /* Reset exec SID on execve. */
1635 /* Check for a default transition on this program. */
1636 rc = security_transition_sid(tsec->sid, isec->sid,
1637 SECCLASS_PROCESS, &newsid);
1642 AVC_AUDIT_DATA_INIT(&ad, FS);
1643 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1644 ad.u.fs.dentry = bprm->file->f_dentry;
1646 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1649 if (tsec->sid == newsid) {
1650 rc = avc_has_perm(tsec->sid, isec->sid,
1651 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1655 /* Check permissions for the transition. */
1656 rc = avc_has_perm(tsec->sid, newsid,
1657 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1661 rc = avc_has_perm(newsid, isec->sid,
1662 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1666 /* Clear any possibly unsafe personality bits on exec: */
1667 current->personality &= ~PER_CLEAR_ON_SETID;
1669 /* Set the security field to the new SID. */
1677 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1679 return secondary_ops->bprm_check_security(bprm);
1683 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1685 struct task_security_struct *tsec = current->security;
1688 if (tsec->osid != tsec->sid) {
1689 /* Enable secure mode for SIDs transitions unless
1690 the noatsecure permission is granted between
1691 the two SIDs, i.e. ahp returns 0. */
1692 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1694 PROCESS__NOATSECURE, NULL);
1697 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1700 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1702 kfree(bprm->security);
1703 bprm->security = NULL;
1706 extern struct vfsmount *selinuxfs_mount;
1707 extern struct dentry *selinux_null;
1709 /* Derived from fs/exec.c:flush_old_files. */
1710 static inline void flush_unauthorized_files(struct files_struct * files)
1712 struct avc_audit_data ad;
1713 struct file *file, *devnull = NULL;
1714 struct tty_struct *tty;
1715 struct fdtable *fdt;
1719 mutex_lock(&tty_mutex);
1720 tty = get_current_tty();
1723 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1725 /* Revalidate access to controlling tty.
1726 Use inode_has_perm on the tty inode directly rather
1727 than using file_has_perm, as this particular open
1728 file may belong to another process and we are only
1729 interested in the inode-based check here. */
1730 struct inode *inode = file->f_dentry->d_inode;
1731 if (inode_has_perm(current, inode,
1732 FILE__READ | FILE__WRITE, NULL)) {
1738 /* Reset controlling tty. */
1740 proc_set_tty(current, NULL);
1742 mutex_unlock(&tty_mutex);
1744 /* Revalidate access to inherited open files. */
1746 AVC_AUDIT_DATA_INIT(&ad,FS);
1748 spin_lock(&files->file_lock);
1750 unsigned long set, i;
1755 fdt = files_fdtable(files);
1756 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1758 set = fdt->open_fds->fds_bits[j];
1761 spin_unlock(&files->file_lock);
1762 for ( ; set ; i++,set >>= 1) {
1767 if (file_has_perm(current,
1769 file_to_av(file))) {
1771 fd = get_unused_fd();
1781 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1788 fd_install(fd, devnull);
1793 spin_lock(&files->file_lock);
1796 spin_unlock(&files->file_lock);
1799 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1801 struct task_security_struct *tsec;
1802 struct bprm_security_struct *bsec;
1806 secondary_ops->bprm_apply_creds(bprm, unsafe);
1808 tsec = current->security;
1810 bsec = bprm->security;
1813 tsec->osid = tsec->sid;
1815 if (tsec->sid != sid) {
1816 /* Check for shared state. If not ok, leave SID
1817 unchanged and kill. */
1818 if (unsafe & LSM_UNSAFE_SHARE) {
1819 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1820 PROCESS__SHARE, NULL);
1827 /* Check for ptracing, and update the task SID if ok.
1828 Otherwise, leave SID unchanged and kill. */
1829 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1830 rc = avc_has_perm(tsec->ptrace_sid, sid,
1831 SECCLASS_PROCESS, PROCESS__PTRACE,
1843 * called after apply_creds without the task lock held
1845 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1847 struct task_security_struct *tsec;
1848 struct rlimit *rlim, *initrlim;
1849 struct itimerval itimer;
1850 struct bprm_security_struct *bsec;
1853 tsec = current->security;
1854 bsec = bprm->security;
1857 force_sig_specific(SIGKILL, current);
1860 if (tsec->osid == tsec->sid)
1863 /* Close files for which the new task SID is not authorized. */
1864 flush_unauthorized_files(current->files);
1866 /* Check whether the new SID can inherit signal state
1867 from the old SID. If not, clear itimers to avoid
1868 subsequent signal generation and flush and unblock
1869 signals. This must occur _after_ the task SID has
1870 been updated so that any kill done after the flush
1871 will be checked against the new SID. */
1872 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1873 PROCESS__SIGINH, NULL);
1875 memset(&itimer, 0, sizeof itimer);
1876 for (i = 0; i < 3; i++)
1877 do_setitimer(i, &itimer, NULL);
1878 flush_signals(current);
1879 spin_lock_irq(¤t->sighand->siglock);
1880 flush_signal_handlers(current, 1);
1881 sigemptyset(¤t->blocked);
1882 recalc_sigpending();
1883 spin_unlock_irq(¤t->sighand->siglock);
1886 /* Check whether the new SID can inherit resource limits
1887 from the old SID. If not, reset all soft limits to
1888 the lower of the current task's hard limit and the init
1889 task's soft limit. Note that the setting of hard limits
1890 (even to lower them) can be controlled by the setrlimit
1891 check. The inclusion of the init task's soft limit into
1892 the computation is to avoid resetting soft limits higher
1893 than the default soft limit for cases where the default
1894 is lower than the hard limit, e.g. RLIMIT_CORE or
1896 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1897 PROCESS__RLIMITINH, NULL);
1899 for (i = 0; i < RLIM_NLIMITS; i++) {
1900 rlim = current->signal->rlim + i;
1901 initrlim = init_task.signal->rlim+i;
1902 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1904 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1906 * This will cause RLIMIT_CPU calculations
1909 current->it_prof_expires = jiffies_to_cputime(1);
1913 /* Wake up the parent if it is waiting so that it can
1914 recheck wait permission to the new task SID. */
1915 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
1918 /* superblock security operations */
1920 static int selinux_sb_alloc_security(struct super_block *sb)
1922 return superblock_alloc_security(sb);
1925 static void selinux_sb_free_security(struct super_block *sb)
1927 superblock_free_security(sb);
1930 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1935 return !memcmp(prefix, option, plen);
1938 static inline int selinux_option(char *option, int len)
1940 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1941 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1942 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1943 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1946 static inline void take_option(char **to, char *from, int *first, int len)
1954 memcpy(*to, from, len);
1958 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1960 int fnosec, fsec, rc = 0;
1961 char *in_save, *in_curr, *in_end;
1962 char *sec_curr, *nosec_save, *nosec;
1967 /* Binary mount data: just copy */
1968 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1969 copy_page(sec_curr, in_curr);
1973 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1981 in_save = in_end = orig;
1984 if (*in_end == ',' || *in_end == '\0') {
1985 int len = in_end - in_curr;
1987 if (selinux_option(in_curr, len))
1988 take_option(&sec_curr, in_curr, &fsec, len);
1990 take_option(&nosec, in_curr, &fnosec, len);
1992 in_curr = in_end + 1;
1994 } while (*in_end++);
1996 strcpy(in_save, nosec_save);
1997 free_page((unsigned long)nosec_save);
2002 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2004 struct avc_audit_data ad;
2007 rc = superblock_doinit(sb, data);
2011 AVC_AUDIT_DATA_INIT(&ad,FS);
2012 ad.u.fs.dentry = sb->s_root;
2013 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2016 static int selinux_sb_statfs(struct dentry *dentry)
2018 struct avc_audit_data ad;
2020 AVC_AUDIT_DATA_INIT(&ad,FS);
2021 ad.u.fs.dentry = dentry->d_sb->s_root;
2022 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2025 static int selinux_mount(char * dev_name,
2026 struct nameidata *nd,
2028 unsigned long flags,
2033 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2037 if (flags & MS_REMOUNT)
2038 return superblock_has_perm(current, nd->mnt->mnt_sb,
2039 FILESYSTEM__REMOUNT, NULL);
2041 return dentry_has_perm(current, nd->mnt, nd->dentry,
2045 static int selinux_umount(struct vfsmount *mnt, int flags)
2049 rc = secondary_ops->sb_umount(mnt, flags);
2053 return superblock_has_perm(current,mnt->mnt_sb,
2054 FILESYSTEM__UNMOUNT,NULL);
2057 /* inode security operations */
2059 static int selinux_inode_alloc_security(struct inode *inode)
2061 return inode_alloc_security(inode);
2064 static void selinux_inode_free_security(struct inode *inode)
2066 inode_free_security(inode);
2069 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2070 char **name, void **value,
2073 struct task_security_struct *tsec;
2074 struct inode_security_struct *dsec;
2075 struct superblock_security_struct *sbsec;
2078 char *namep = NULL, *context;
2080 tsec = current->security;
2081 dsec = dir->i_security;
2082 sbsec = dir->i_sb->s_security;
2084 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2085 newsid = tsec->create_sid;
2087 rc = security_transition_sid(tsec->sid, dsec->sid,
2088 inode_mode_to_security_class(inode->i_mode),
2091 printk(KERN_WARNING "%s: "
2092 "security_transition_sid failed, rc=%d (dev=%s "
2095 -rc, inode->i_sb->s_id, inode->i_ino);
2100 inode_security_set_sid(inode, newsid);
2102 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2106 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2113 rc = security_sid_to_context(newsid, &context, &clen);
2125 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2127 return may_create(dir, dentry, SECCLASS_FILE);
2130 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2134 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2137 return may_link(dir, old_dentry, MAY_LINK);
2140 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2144 rc = secondary_ops->inode_unlink(dir, dentry);
2147 return may_link(dir, dentry, MAY_UNLINK);
2150 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2152 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2155 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2157 return may_create(dir, dentry, SECCLASS_DIR);
2160 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2162 return may_link(dir, dentry, MAY_RMDIR);
2165 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2169 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2173 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2176 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2177 struct inode *new_inode, struct dentry *new_dentry)
2179 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2182 static int selinux_inode_readlink(struct dentry *dentry)
2184 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2187 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2191 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2194 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2197 static int selinux_inode_permission(struct inode *inode, int mask,
2198 struct nameidata *nd)
2202 rc = secondary_ops->inode_permission(inode, mask, nd);
2207 /* No permission to check. Existence test. */
2211 return inode_has_perm(current, inode,
2212 file_mask_to_av(inode->i_mode, mask), NULL);
2215 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2219 rc = secondary_ops->inode_setattr(dentry, iattr);
2223 if (iattr->ia_valid & ATTR_FORCE)
2226 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2227 ATTR_ATIME_SET | ATTR_MTIME_SET))
2228 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2230 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2233 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2235 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2238 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2240 struct task_security_struct *tsec = current->security;
2241 struct inode *inode = dentry->d_inode;
2242 struct inode_security_struct *isec = inode->i_security;
2243 struct superblock_security_struct *sbsec;
2244 struct avc_audit_data ad;
2248 if (strcmp(name, XATTR_NAME_SELINUX)) {
2249 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2250 sizeof XATTR_SECURITY_PREFIX - 1) &&
2251 !capable(CAP_SYS_ADMIN)) {
2252 /* A different attribute in the security namespace.
2253 Restrict to administrator. */
2257 /* Not an attribute we recognize, so just check the
2258 ordinary setattr permission. */
2259 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2262 sbsec = inode->i_sb->s_security;
2263 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2266 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2269 AVC_AUDIT_DATA_INIT(&ad,FS);
2270 ad.u.fs.dentry = dentry;
2272 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2273 FILE__RELABELFROM, &ad);
2277 rc = security_context_to_sid(value, size, &newsid);
2281 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2282 FILE__RELABELTO, &ad);
2286 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2291 return avc_has_perm(newsid,
2293 SECCLASS_FILESYSTEM,
2294 FILESYSTEM__ASSOCIATE,
2298 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2299 void *value, size_t size, int flags)
2301 struct inode *inode = dentry->d_inode;
2302 struct inode_security_struct *isec = inode->i_security;
2306 if (strcmp(name, XATTR_NAME_SELINUX)) {
2307 /* Not an attribute we recognize, so nothing to do. */
2311 rc = security_context_to_sid(value, size, &newsid);
2313 printk(KERN_WARNING "%s: unable to obtain SID for context "
2314 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2322 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2324 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2327 static int selinux_inode_listxattr (struct dentry *dentry)
2329 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2332 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2334 if (strcmp(name, XATTR_NAME_SELINUX)) {
2335 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2336 sizeof XATTR_SECURITY_PREFIX - 1) &&
2337 !capable(CAP_SYS_ADMIN)) {
2338 /* A different attribute in the security namespace.
2339 Restrict to administrator. */
2343 /* Not an attribute we recognize, so just check the
2344 ordinary setattr permission. Might want a separate
2345 permission for removexattr. */
2346 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2349 /* No one is allowed to remove a SELinux security label.
2350 You can change the label, but all data must be labeled. */
2354 static const char *selinux_inode_xattr_getsuffix(void)
2356 return XATTR_SELINUX_SUFFIX;
2360 * Copy the in-core inode security context value to the user. If the
2361 * getxattr() prior to this succeeded, check to see if we need to
2362 * canonicalize the value to be finally returned to the user.
2364 * Permission check is handled by selinux_inode_getxattr hook.
2366 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2368 struct inode_security_struct *isec = inode->i_security;
2370 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2373 return selinux_getsecurity(isec->sid, buffer, size);
2376 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2377 const void *value, size_t size, int flags)
2379 struct inode_security_struct *isec = inode->i_security;
2383 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2386 if (!value || !size)
2389 rc = security_context_to_sid((void*)value, size, &newsid);
2397 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2399 const int len = sizeof(XATTR_NAME_SELINUX);
2400 if (buffer && len <= buffer_size)
2401 memcpy(buffer, XATTR_NAME_SELINUX, len);
2405 /* file security operations */
2407 static int selinux_file_permission(struct file *file, int mask)
2409 struct inode *inode = file->f_dentry->d_inode;
2412 /* No permission to check. Existence test. */
2416 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2417 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2420 return file_has_perm(current, file,
2421 file_mask_to_av(inode->i_mode, mask));
2424 static int selinux_file_alloc_security(struct file *file)
2426 return file_alloc_security(file);
2429 static void selinux_file_free_security(struct file *file)
2431 file_free_security(file);
2434 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2446 case EXT2_IOC_GETFLAGS:
2448 case EXT2_IOC_GETVERSION:
2449 error = file_has_perm(current, file, FILE__GETATTR);
2452 case EXT2_IOC_SETFLAGS:
2454 case EXT2_IOC_SETVERSION:
2455 error = file_has_perm(current, file, FILE__SETATTR);
2458 /* sys_ioctl() checks */
2462 error = file_has_perm(current, file, 0);
2467 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2470 /* default case assumes that the command will go
2471 * to the file's ioctl() function.
2474 error = file_has_perm(current, file, FILE__IOCTL);
2480 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2482 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2484 * We are making executable an anonymous mapping or a
2485 * private file mapping that will also be writable.
2486 * This has an additional check.
2488 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2494 /* read access is always possible with a mapping */
2495 u32 av = FILE__READ;
2497 /* write access only matters if the mapping is shared */
2498 if (shared && (prot & PROT_WRITE))
2501 if (prot & PROT_EXEC)
2502 av |= FILE__EXECUTE;
2504 return file_has_perm(current, file, av);
2509 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2510 unsigned long prot, unsigned long flags)
2514 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2518 if (selinux_checkreqprot)
2521 return file_map_prot_check(file, prot,
2522 (flags & MAP_TYPE) == MAP_SHARED);
2525 static int selinux_file_mprotect(struct vm_area_struct *vma,
2526 unsigned long reqprot,
2531 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2535 if (selinux_checkreqprot)
2538 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2540 if (vma->vm_start >= vma->vm_mm->start_brk &&
2541 vma->vm_end <= vma->vm_mm->brk) {
2542 rc = task_has_perm(current, current,
2544 } else if (!vma->vm_file &&
2545 vma->vm_start <= vma->vm_mm->start_stack &&
2546 vma->vm_end >= vma->vm_mm->start_stack) {
2547 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2548 } else if (vma->vm_file && vma->anon_vma) {
2550 * We are making executable a file mapping that has
2551 * had some COW done. Since pages might have been
2552 * written, check ability to execute the possibly
2553 * modified content. This typically should only
2554 * occur for text relocations.
2556 rc = file_has_perm(current, vma->vm_file,
2563 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2566 static int selinux_file_lock(struct file *file, unsigned int cmd)
2568 return file_has_perm(current, file, FILE__LOCK);
2571 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2578 if (!file->f_dentry || !file->f_dentry->d_inode) {
2583 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2584 err = file_has_perm(current, file,FILE__WRITE);
2593 /* Just check FD__USE permission */
2594 err = file_has_perm(current, file, 0);
2599 #if BITS_PER_LONG == 32
2604 if (!file->f_dentry || !file->f_dentry->d_inode) {
2608 err = file_has_perm(current, file, FILE__LOCK);
2615 static int selinux_file_set_fowner(struct file *file)
2617 struct task_security_struct *tsec;
2618 struct file_security_struct *fsec;
2620 tsec = current->security;
2621 fsec = file->f_security;
2622 fsec->fown_sid = tsec->sid;
2627 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2628 struct fown_struct *fown, int signum)
2632 struct task_security_struct *tsec;
2633 struct file_security_struct *fsec;
2635 /* struct fown_struct is never outside the context of a struct file */
2636 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2638 tsec = tsk->security;
2639 fsec = file->f_security;
2642 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2644 perm = signal_to_av(signum);
2646 return avc_has_perm(fsec->fown_sid, tsec->sid,
2647 SECCLASS_PROCESS, perm, NULL);
2650 static int selinux_file_receive(struct file *file)
2652 return file_has_perm(current, file, file_to_av(file));
2655 /* task security operations */
2657 static int selinux_task_create(unsigned long clone_flags)
2661 rc = secondary_ops->task_create(clone_flags);
2665 return task_has_perm(current, current, PROCESS__FORK);
2668 static int selinux_task_alloc_security(struct task_struct *tsk)
2670 struct task_security_struct *tsec1, *tsec2;
2673 tsec1 = current->security;
2675 rc = task_alloc_security(tsk);
2678 tsec2 = tsk->security;
2680 tsec2->osid = tsec1->osid;
2681 tsec2->sid = tsec1->sid;
2683 /* Retain the exec, fs, key, and sock SIDs across fork */
2684 tsec2->exec_sid = tsec1->exec_sid;
2685 tsec2->create_sid = tsec1->create_sid;
2686 tsec2->keycreate_sid = tsec1->keycreate_sid;
2687 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2689 /* Retain ptracer SID across fork, if any.
2690 This will be reset by the ptrace hook upon any
2691 subsequent ptrace_attach operations. */
2692 tsec2->ptrace_sid = tsec1->ptrace_sid;
2697 static void selinux_task_free_security(struct task_struct *tsk)
2699 task_free_security(tsk);
2702 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2704 /* Since setuid only affects the current process, and
2705 since the SELinux controls are not based on the Linux
2706 identity attributes, SELinux does not need to control
2707 this operation. However, SELinux does control the use
2708 of the CAP_SETUID and CAP_SETGID capabilities using the
2713 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2715 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2718 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2720 /* See the comment for setuid above. */
2724 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2726 return task_has_perm(current, p, PROCESS__SETPGID);
2729 static int selinux_task_getpgid(struct task_struct *p)
2731 return task_has_perm(current, p, PROCESS__GETPGID);
2734 static int selinux_task_getsid(struct task_struct *p)
2736 return task_has_perm(current, p, PROCESS__GETSESSION);
2739 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2741 selinux_get_task_sid(p, secid);
2744 static int selinux_task_setgroups(struct group_info *group_info)
2746 /* See the comment for setuid above. */
2750 static int selinux_task_setnice(struct task_struct *p, int nice)
2754 rc = secondary_ops->task_setnice(p, nice);
2758 return task_has_perm(current,p, PROCESS__SETSCHED);
2761 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2763 return task_has_perm(current, p, PROCESS__SETSCHED);
2766 static int selinux_task_getioprio(struct task_struct *p)
2768 return task_has_perm(current, p, PROCESS__GETSCHED);
2771 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2773 struct rlimit *old_rlim = current->signal->rlim + resource;
2776 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2780 /* Control the ability to change the hard limit (whether
2781 lowering or raising it), so that the hard limit can
2782 later be used as a safe reset point for the soft limit
2783 upon context transitions. See selinux_bprm_apply_creds. */
2784 if (old_rlim->rlim_max != new_rlim->rlim_max)
2785 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2790 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2792 return task_has_perm(current, p, PROCESS__SETSCHED);
2795 static int selinux_task_getscheduler(struct task_struct *p)
2797 return task_has_perm(current, p, PROCESS__GETSCHED);
2800 static int selinux_task_movememory(struct task_struct *p)
2802 return task_has_perm(current, p, PROCESS__SETSCHED);
2805 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2810 struct task_security_struct *tsec;
2812 rc = secondary_ops->task_kill(p, info, sig, secid);
2816 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2820 perm = PROCESS__SIGNULL; /* null signal; existence test */
2822 perm = signal_to_av(sig);
2825 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2827 rc = task_has_perm(current, p, perm);
2831 static int selinux_task_prctl(int option,
2837 /* The current prctl operations do not appear to require
2838 any SELinux controls since they merely observe or modify
2839 the state of the current process. */
2843 static int selinux_task_wait(struct task_struct *p)
2847 perm = signal_to_av(p->exit_signal);
2849 return task_has_perm(p, current, perm);
2852 static void selinux_task_reparent_to_init(struct task_struct *p)
2854 struct task_security_struct *tsec;
2856 secondary_ops->task_reparent_to_init(p);
2859 tsec->osid = tsec->sid;
2860 tsec->sid = SECINITSID_KERNEL;
2864 static void selinux_task_to_inode(struct task_struct *p,
2865 struct inode *inode)
2867 struct task_security_struct *tsec = p->security;
2868 struct inode_security_struct *isec = inode->i_security;
2870 isec->sid = tsec->sid;
2871 isec->initialized = 1;
2875 /* Returns error only if unable to parse addresses */
2876 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2878 int offset, ihlen, ret = -EINVAL;
2879 struct iphdr _iph, *ih;
2881 offset = skb->nh.raw - skb->data;
2882 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2886 ihlen = ih->ihl * 4;
2887 if (ihlen < sizeof(_iph))
2890 ad->u.net.v4info.saddr = ih->saddr;
2891 ad->u.net.v4info.daddr = ih->daddr;
2894 switch (ih->protocol) {
2896 struct tcphdr _tcph, *th;
2898 if (ntohs(ih->frag_off) & IP_OFFSET)
2902 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2906 ad->u.net.sport = th->source;
2907 ad->u.net.dport = th->dest;
2912 struct udphdr _udph, *uh;
2914 if (ntohs(ih->frag_off) & IP_OFFSET)
2918 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2922 ad->u.net.sport = uh->source;
2923 ad->u.net.dport = uh->dest;
2934 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2936 /* Returns error only if unable to parse addresses */
2937 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2940 int ret = -EINVAL, offset;
2941 struct ipv6hdr _ipv6h, *ip6;
2943 offset = skb->nh.raw - skb->data;
2944 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2948 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2949 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2952 nexthdr = ip6->nexthdr;
2953 offset += sizeof(_ipv6h);
2954 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2960 struct tcphdr _tcph, *th;
2962 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2966 ad->u.net.sport = th->source;
2967 ad->u.net.dport = th->dest;
2972 struct udphdr _udph, *uh;
2974 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2978 ad->u.net.sport = uh->source;
2979 ad->u.net.dport = uh->dest;
2983 /* includes fragments */
2993 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2994 char **addrp, int *len, int src)
2998 switch (ad->u.net.family) {
3000 ret = selinux_parse_skb_ipv4(skb, ad);
3004 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3005 &ad->u.net.v4info.daddr);
3008 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3010 ret = selinux_parse_skb_ipv6(skb, ad);
3014 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3015 &ad->u.net.v6info.daddr);
3025 /* socket security operations */
3026 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3029 struct inode_security_struct *isec;
3030 struct task_security_struct *tsec;
3031 struct avc_audit_data ad;
3034 tsec = task->security;
3035 isec = SOCK_INODE(sock)->i_security;
3037 if (isec->sid == SECINITSID_KERNEL)
3040 AVC_AUDIT_DATA_INIT(&ad,NET);
3041 ad.u.net.sk = sock->sk;
3042 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3048 static int selinux_socket_create(int family, int type,
3049 int protocol, int kern)
3052 struct task_security_struct *tsec;
3058 tsec = current->security;
3059 newsid = tsec->sockcreate_sid ? : tsec->sid;
3060 err = avc_has_perm(tsec->sid, newsid,
3061 socket_type_to_security_class(family, type,
3062 protocol), SOCKET__CREATE, NULL);
3068 static void selinux_socket_post_create(struct socket *sock, int family,
3069 int type, int protocol, int kern)
3071 struct inode_security_struct *isec;
3072 struct task_security_struct *tsec;
3075 isec = SOCK_INODE(sock)->i_security;
3077 tsec = current->security;
3078 newsid = tsec->sockcreate_sid ? : tsec->sid;
3079 isec->sclass = socket_type_to_security_class(family, type, protocol);
3080 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3081 isec->initialized = 1;
3086 /* Range of port numbers used to automatically bind.
3087 Need to determine whether we should perform a name_bind
3088 permission check between the socket and the port number. */
3089 #define ip_local_port_range_0 sysctl_local_port_range[0]
3090 #define ip_local_port_range_1 sysctl_local_port_range[1]
3092 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3097 err = socket_has_perm(current, sock, SOCKET__BIND);
3102 * If PF_INET or PF_INET6, check name_bind permission for the port.
3103 * Multiple address binding for SCTP is not supported yet: we just
3104 * check the first address now.
3106 family = sock->sk->sk_family;
3107 if (family == PF_INET || family == PF_INET6) {
3109 struct inode_security_struct *isec;
3110 struct task_security_struct *tsec;
3111 struct avc_audit_data ad;
3112 struct sockaddr_in *addr4 = NULL;
3113 struct sockaddr_in6 *addr6 = NULL;
3114 unsigned short snum;
3115 struct sock *sk = sock->sk;
3116 u32 sid, node_perm, addrlen;
3118 tsec = current->security;
3119 isec = SOCK_INODE(sock)->i_security;
3121 if (family == PF_INET) {
3122 addr4 = (struct sockaddr_in *)address;
3123 snum = ntohs(addr4->sin_port);
3124 addrlen = sizeof(addr4->sin_addr.s_addr);
3125 addrp = (char *)&addr4->sin_addr.s_addr;
3127 addr6 = (struct sockaddr_in6 *)address;
3128 snum = ntohs(addr6->sin6_port);
3129 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3130 addrp = (char *)&addr6->sin6_addr.s6_addr;
3133 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3134 snum > ip_local_port_range_1)) {
3135 err = security_port_sid(sk->sk_family, sk->sk_type,
3136 sk->sk_protocol, snum, &sid);
3139 AVC_AUDIT_DATA_INIT(&ad,NET);
3140 ad.u.net.sport = htons(snum);
3141 ad.u.net.family = family;
3142 err = avc_has_perm(isec->sid, sid,
3144 SOCKET__NAME_BIND, &ad);
3149 switch(isec->sclass) {
3150 case SECCLASS_TCP_SOCKET:
3151 node_perm = TCP_SOCKET__NODE_BIND;
3154 case SECCLASS_UDP_SOCKET:
3155 node_perm = UDP_SOCKET__NODE_BIND;
3159 node_perm = RAWIP_SOCKET__NODE_BIND;
3163 err = security_node_sid(family, addrp, addrlen, &sid);
3167 AVC_AUDIT_DATA_INIT(&ad,NET);
3168 ad.u.net.sport = htons(snum);
3169 ad.u.net.family = family;
3171 if (family == PF_INET)
3172 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3174 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3176 err = avc_has_perm(isec->sid, sid,
3177 isec->sclass, node_perm, &ad);
3185 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3187 struct inode_security_struct *isec;
3190 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3195 * If a TCP socket, check name_connect permission for the port.
3197 isec = SOCK_INODE(sock)->i_security;
3198 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3199 struct sock *sk = sock->sk;
3200 struct avc_audit_data ad;
3201 struct sockaddr_in *addr4 = NULL;
3202 struct sockaddr_in6 *addr6 = NULL;
3203 unsigned short snum;
3206 if (sk->sk_family == PF_INET) {
3207 addr4 = (struct sockaddr_in *)address;
3208 if (addrlen < sizeof(struct sockaddr_in))
3210 snum = ntohs(addr4->sin_port);
3212 addr6 = (struct sockaddr_in6 *)address;
3213 if (addrlen < SIN6_LEN_RFC2133)
3215 snum = ntohs(addr6->sin6_port);
3218 err = security_port_sid(sk->sk_family, sk->sk_type,
3219 sk->sk_protocol, snum, &sid);
3223 AVC_AUDIT_DATA_INIT(&ad,NET);
3224 ad.u.net.dport = htons(snum);
3225 ad.u.net.family = sk->sk_family;
3226 err = avc_has_perm(isec->sid, sid, isec->sclass,
3227 TCP_SOCKET__NAME_CONNECT, &ad);
3236 static int selinux_socket_listen(struct socket *sock, int backlog)
3238 return socket_has_perm(current, sock, SOCKET__LISTEN);
3241 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3244 struct inode_security_struct *isec;
3245 struct inode_security_struct *newisec;
3247 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3251 newisec = SOCK_INODE(newsock)->i_security;
3253 isec = SOCK_INODE(sock)->i_security;
3254 newisec->sclass = isec->sclass;
3255 newisec->sid = isec->sid;
3256 newisec->initialized = 1;
3261 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3264 return socket_has_perm(current, sock, SOCKET__WRITE);
3267 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3268 int size, int flags)
3270 return socket_has_perm(current, sock, SOCKET__READ);
3273 static int selinux_socket_getsockname(struct socket *sock)
3275 return socket_has_perm(current, sock, SOCKET__GETATTR);
3278 static int selinux_socket_getpeername(struct socket *sock)
3280 return socket_has_perm(current, sock, SOCKET__GETATTR);
3283 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3285 return socket_has_perm(current, sock, SOCKET__SETOPT);
3288 static int selinux_socket_getsockopt(struct socket *sock, int level,
3291 return socket_has_perm(current, sock, SOCKET__GETOPT);
3294 static int selinux_socket_shutdown(struct socket *sock, int how)
3296 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3299 static int selinux_socket_unix_stream_connect(struct socket *sock,
3300 struct socket *other,
3303 struct sk_security_struct *ssec;
3304 struct inode_security_struct *isec;
3305 struct inode_security_struct *other_isec;
3306 struct avc_audit_data ad;
3309 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3313 isec = SOCK_INODE(sock)->i_security;
3314 other_isec = SOCK_INODE(other)->i_security;
3316 AVC_AUDIT_DATA_INIT(&ad,NET);
3317 ad.u.net.sk = other->sk;
3319 err = avc_has_perm(isec->sid, other_isec->sid,
3321 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3325 /* connecting socket */
3326 ssec = sock->sk->sk_security;
3327 ssec->peer_sid = other_isec->sid;
3329 /* server child socket */
3330 ssec = newsk->sk_security;
3331 ssec->peer_sid = isec->sid;
3336 static int selinux_socket_unix_may_send(struct socket *sock,
3337 struct socket *other)
3339 struct inode_security_struct *isec;
3340 struct inode_security_struct *other_isec;
3341 struct avc_audit_data ad;
3344 isec = SOCK_INODE(sock)->i_security;
3345 other_isec = SOCK_INODE(other)->i_security;
3347 AVC_AUDIT_DATA_INIT(&ad,NET);
3348 ad.u.net.sk = other->sk;
3350 err = avc_has_perm(isec->sid, other_isec->sid,
3351 isec->sclass, SOCKET__SENDTO, &ad);
3358 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3359 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class,
3360 u16 family, char *addrp, int len)
3363 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3368 err = sel_netif_sids(skb->dev, &if_sid, NULL);
3372 switch (sock_class) {
3373 case SECCLASS_UDP_SOCKET:
3374 netif_perm = NETIF__UDP_RECV;
3375 node_perm = NODE__UDP_RECV;
3376 recv_perm = UDP_SOCKET__RECV_MSG;
3379 case SECCLASS_TCP_SOCKET:
3380 netif_perm = NETIF__TCP_RECV;
3381 node_perm = NODE__TCP_RECV;
3382 recv_perm = TCP_SOCKET__RECV_MSG;
3386 netif_perm = NETIF__RAWIP_RECV;
3387 node_perm = NODE__RAWIP_RECV;
3391 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3395 err = security_node_sid(family, addrp, len, &node_sid);
3399 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3406 err = security_port_sid(sk->sk_family, sk->sk_type,
3407 sk->sk_protocol, ntohs(ad->u.net.sport),
3412 err = avc_has_perm(sock_sid, port_sid,
3413 sock_class, recv_perm, ad);
3420 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3427 struct socket *sock;
3428 struct avc_audit_data ad;
3430 family = sk->sk_family;
3431 if (family != PF_INET && family != PF_INET6)
3434 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3435 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3438 read_lock_bh(&sk->sk_callback_lock);
3439 sock = sk->sk_socket;
3441 struct inode *inode;
3442 inode = SOCK_INODE(sock);
3444 struct inode_security_struct *isec;
3445 isec = inode->i_security;
3446 sock_sid = isec->sid;
3447 sock_class = isec->sclass;
3450 read_unlock_bh(&sk->sk_callback_lock);
3454 AVC_AUDIT_DATA_INIT(&ad, NET);
3455 ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3456 ad.u.net.family = family;
3458 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3462 if (selinux_compat_net)
3463 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
3467 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
3472 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3477 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3478 int __user *optlen, unsigned len)
3483 struct sk_security_struct *ssec;
3484 struct inode_security_struct *isec;
3487 isec = SOCK_INODE(sock)->i_security;
3489 /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3490 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3491 ssec = sock->sk->sk_security;
3492 peer_sid = ssec->peer_sid;
3494 else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3495 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3497 if (peer_sid == SECSID_NULL) {
3507 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3512 if (scontext_len > len) {
3517 if (copy_to_user(optval, scontext, scontext_len))
3521 if (put_user(scontext_len, optlen))
3529 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
3531 u32 peer_secid = SECSID_NULL;
3534 if (sock && (sock->sk->sk_family == PF_UNIX))
3535 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3537 peer_secid = selinux_socket_getpeer_dgram(skb);
3539 if (peer_secid == SECSID_NULL)
3541 *secid = peer_secid;
3546 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3548 return sk_alloc_security(sk, family, priority);
3551 static void selinux_sk_free_security(struct sock *sk)
3553 sk_free_security(sk);
3556 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3558 struct inode_security_struct *isec;
3559 u32 sock_sid = SECINITSID_ANY_SOCKET;
3562 return selinux_no_sk_sid(fl);
3564 read_lock_bh(&sk->sk_callback_lock);
3565 isec = get_sock_isec(sk);
3568 sock_sid = isec->sid;
3570 read_unlock_bh(&sk->sk_callback_lock);
3574 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3578 struct nlmsghdr *nlh;
3579 struct socket *sock = sk->sk_socket;
3580 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3582 if (skb->len < NLMSG_SPACE(0)) {
3586 nlh = (struct nlmsghdr *)skb->data;
3588 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3590 if (err == -EINVAL) {
3591 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3592 "SELinux: unrecognized netlink message"
3593 " type=%hu for sclass=%hu\n",
3594 nlh->nlmsg_type, isec->sclass);
3595 if (!selinux_enforcing)
3605 err = socket_has_perm(current, sock, perm);
3610 #ifdef CONFIG_NETFILTER
3612 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3613 struct inode_security_struct *isec,
3614 struct avc_audit_data *ad,
3615 u16 family, char *addrp, int len)
3618 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3620 err = sel_netif_sids(dev, &if_sid, NULL);
3624 switch (isec->sclass) {
3625 case SECCLASS_UDP_SOCKET:
3626 netif_perm = NETIF__UDP_SEND;
3627 node_perm = NODE__UDP_SEND;
3628 send_perm = UDP_SOCKET__SEND_MSG;
3631 case SECCLASS_TCP_SOCKET:
3632 netif_perm = NETIF__TCP_SEND;
3633 node_perm = NODE__TCP_SEND;
3634 send_perm = TCP_SOCKET__SEND_MSG;
3638 netif_perm = NETIF__RAWIP_SEND;
3639 node_perm = NODE__RAWIP_SEND;
3643 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3647 err = security_node_sid(family, addrp, len, &node_sid);
3651 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3658 err = security_port_sid(sk->sk_family,
3661 ntohs(ad->u.net.dport),
3666 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3673 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3674 struct sk_buff **pskb,
3675 const struct net_device *in,
3676 const struct net_device *out,
3677 int (*okfn)(struct sk_buff *),
3683 struct socket *sock;
3684 struct inode *inode;
3685 struct sk_buff *skb = *pskb;
3686 struct inode_security_struct *isec;
3687 struct avc_audit_data ad;
3688 struct net_device *dev = (struct net_device *)out;
3694 sock = sk->sk_socket;
3698 inode = SOCK_INODE(sock);
3702 isec = inode->i_security;
3704 AVC_AUDIT_DATA_INIT(&ad, NET);
3705 ad.u.net.netif = dev->name;
3706 ad.u.net.family = family;
3708 err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3712 if (selinux_compat_net)
3713 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
3714 family, addrp, len);
3716 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET,
3722 err = selinux_xfrm_postroute_last(isec->sid, skb);
3724 return err ? NF_DROP : NF_ACCEPT;
3727 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3728 struct sk_buff **pskb,
3729 const struct net_device *in,
3730 const struct net_device *out,
3731 int (*okfn)(struct sk_buff *))
3733 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3736 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3738 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3739 struct sk_buff **pskb,
3740 const struct net_device *in,
3741 const struct net_device *out,
3742 int (*okfn)(struct sk_buff *))
3744 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3749 #endif /* CONFIG_NETFILTER */
3751 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3755 err = secondary_ops->netlink_send(sk, skb);
3759 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3760 err = selinux_nlmsg_perm(sk, skb);
3765 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3768 struct avc_audit_data ad;
3770 err = secondary_ops->netlink_recv(skb, capability);
3774 AVC_AUDIT_DATA_INIT(&ad, CAP);
3775 ad.u.cap = capability;
3777 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3778 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3781 static int ipc_alloc_security(struct task_struct *task,
3782 struct kern_ipc_perm *perm,
3785 struct task_security_struct *tsec = task->security;
3786 struct ipc_security_struct *isec;
3788 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3792 isec->sclass = sclass;
3793 isec->ipc_perm = perm;
3794 isec->sid = tsec->sid;
3795 perm->security = isec;
3800 static void ipc_free_security(struct kern_ipc_perm *perm)
3802 struct ipc_security_struct *isec = perm->security;
3803 perm->security = NULL;
3807 static int msg_msg_alloc_security(struct msg_msg *msg)
3809 struct msg_security_struct *msec;
3811 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3816 msec->sid = SECINITSID_UNLABELED;
3817 msg->security = msec;
3822 static void msg_msg_free_security(struct msg_msg *msg)
3824 struct msg_security_struct *msec = msg->security;
3826 msg->security = NULL;
3830 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3833 struct task_security_struct *tsec;
3834 struct ipc_security_struct *isec;
3835 struct avc_audit_data ad;
3837 tsec = current->security;
3838 isec = ipc_perms->security;
3840 AVC_AUDIT_DATA_INIT(&ad, IPC);
3841 ad.u.ipc_id = ipc_perms->key;
3843 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3846 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3848 return msg_msg_alloc_security(msg);
3851 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3853 msg_msg_free_security(msg);
3856 /* message queue security operations */
3857 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3859 struct task_security_struct *tsec;
3860 struct ipc_security_struct *isec;
3861 struct avc_audit_data ad;
3864 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3868 tsec = current->security;
3869 isec = msq->q_perm.security;
3871 AVC_AUDIT_DATA_INIT(&ad, IPC);
3872 ad.u.ipc_id = msq->q_perm.key;
3874 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3877 ipc_free_security(&msq->q_perm);
3883 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3885 ipc_free_security(&msq->q_perm);
3888 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3890 struct task_security_struct *tsec;
3891 struct ipc_security_struct *isec;
3892 struct avc_audit_data ad;
3894 tsec = current->security;
3895 isec = msq->q_perm.security;
3897 AVC_AUDIT_DATA_INIT(&ad, IPC);
3898 ad.u.ipc_id = msq->q_perm.key;
3900 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3901 MSGQ__ASSOCIATE, &ad);
3904 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3912 /* No specific object, just general system-wide information. */
3913 return task_has_system(current, SYSTEM__IPC_INFO);
3916 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3919 perms = MSGQ__SETATTR;
3922 perms = MSGQ__DESTROY;
3928 err = ipc_has_perm(&msq->q_perm, perms);
3932 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3934 struct task_security_struct *tsec;
3935 struct ipc_security_struct *isec;
3936 struct msg_security_struct *msec;
3937 struct avc_audit_data ad;
3940 tsec = current->security;
3941 isec = msq->q_perm.security;
3942 msec = msg->security;
3945 * First time through, need to assign label to the message
3947 if (msec->sid == SECINITSID_UNLABELED) {
3949 * Compute new sid based on current process and
3950 * message queue this message will be stored in
3952 rc = security_transition_sid(tsec->sid,
3960 AVC_AUDIT_DATA_INIT(&ad, IPC);
3961 ad.u.ipc_id = msq->q_perm.key;
3963 /* Can this process write to the queue? */
3964 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3967 /* Can this process send the message */
3968 rc = avc_has_perm(tsec->sid, msec->sid,
3969 SECCLASS_MSG, MSG__SEND, &ad);
3971 /* Can the message be put in the queue? */
3972 rc = avc_has_perm(msec->sid, isec->sid,
3973 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3978 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3979 struct task_struct *target,
3980 long type, int mode)
3982 struct task_security_struct *tsec;
3983 struct ipc_security_struct *isec;
3984 struct msg_security_struct *msec;
3985 struct avc_audit_data ad;
3988 tsec = target->security;
3989 isec = msq->q_perm.security;
3990 msec = msg->security;
3992 AVC_AUDIT_DATA_INIT(&ad, IPC);
3993 ad.u.ipc_id = msq->q_perm.key;
3995 rc = avc_has_perm(tsec->sid, isec->sid,
3996 SECCLASS_MSGQ, MSGQ__READ, &ad);
3998 rc = avc_has_perm(tsec->sid, msec->sid,
3999 SECCLASS_MSG, MSG__RECEIVE, &ad);
4003 /* Shared Memory security operations */
4004 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4006 struct task_security_struct *tsec;
4007 struct ipc_security_struct *isec;
4008 struct avc_audit_data ad;
4011 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4015 tsec = current->security;
4016 isec = shp->shm_perm.security;
4018 AVC_AUDIT_DATA_INIT(&ad, IPC);
4019 ad.u.ipc_id = shp->shm_perm.key;
4021 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4024 ipc_free_security(&shp->shm_perm);
4030 static void selinux_shm_free_security(struct shmid_kernel *shp)
4032 ipc_free_security(&shp->shm_perm);
4035 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4037 struct task_security_struct *tsec;
4038 struct ipc_security_struct *isec;
4039 struct avc_audit_data ad;
4041 tsec = current->security;
4042 isec = shp->shm_perm.security;
4044 AVC_AUDIT_DATA_INIT(&ad, IPC);
4045 ad.u.ipc_id = shp->shm_perm.key;
4047 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4048 SHM__ASSOCIATE, &ad);
4051 /* Note, at this point, shp is locked down */
4052 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4060 /* No specific object, just general system-wide information. */
4061 return task_has_system(current, SYSTEM__IPC_INFO);
4064 perms = SHM__GETATTR | SHM__ASSOCIATE;
4067 perms = SHM__SETATTR;
4074 perms = SHM__DESTROY;
4080 err = ipc_has_perm(&shp->shm_perm, perms);
4084 static int selinux_shm_shmat(struct shmid_kernel *shp,
4085 char __user *shmaddr, int shmflg)
4090 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4094 if (shmflg & SHM_RDONLY)
4097 perms = SHM__READ | SHM__WRITE;
4099 return ipc_has_perm(&shp->shm_perm, perms);
4102 /* Semaphore security operations */
4103 static int selinux_sem_alloc_security(struct sem_array *sma)
4105 struct task_security_struct *tsec;
4106 struct ipc_security_struct *isec;
4107 struct avc_audit_data ad;
4110 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4114 tsec = current->security;
4115 isec = sma->sem_perm.security;
4117 AVC_AUDIT_DATA_INIT(&ad, IPC);
4118 ad.u.ipc_id = sma->sem_perm.key;
4120 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4123 ipc_free_security(&sma->sem_perm);
4129 static void selinux_sem_free_security(struct sem_array *sma)
4131 ipc_free_security(&sma->sem_perm);
4134 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4136 struct task_security_struct *tsec;
4137 struct ipc_security_struct *isec;
4138 struct avc_audit_data ad;
4140 tsec = current->security;
4141 isec = sma->sem_perm.security;
4143 AVC_AUDIT_DATA_INIT(&ad, IPC);
4144 ad.u.ipc_id = sma->sem_perm.key;
4146 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4147 SEM__ASSOCIATE, &ad);
4150 /* Note, at this point, sma is locked down */
4151 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4159 /* No specific object, just general system-wide information. */
4160 return task_has_system(current, SYSTEM__IPC_INFO);
4164 perms = SEM__GETATTR;
4175 perms = SEM__DESTROY;
4178 perms = SEM__SETATTR;
4182 perms = SEM__GETATTR | SEM__ASSOCIATE;
4188 err = ipc_has_perm(&sma->sem_perm, perms);
4192 static int selinux_sem_semop(struct sem_array *sma,
4193 struct sembuf *sops, unsigned nsops, int alter)
4198 perms = SEM__READ | SEM__WRITE;
4202 return ipc_has_perm(&sma->sem_perm, perms);
4205 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4211 av |= IPC__UNIX_READ;
4213 av |= IPC__UNIX_WRITE;
4218 return ipc_has_perm(ipcp, av);
4221 /* module stacking operations */
4222 static int selinux_register_security (const char *name, struct security_operations *ops)
4224 if (secondary_ops != original_ops) {
4225 printk(KERN_INFO "%s: There is already a secondary security "
4226 "module registered.\n", __FUNCTION__);
4230 secondary_ops = ops;
4232 printk(KERN_INFO "%s: Registering secondary module %s\n",
4239 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4241 if (ops != secondary_ops) {
4242 printk (KERN_INFO "%s: trying to unregister a security module "
4243 "that is not registered.\n", __FUNCTION__);
4247 secondary_ops = original_ops;
4252 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4255 inode_doinit_with_dentry(inode, dentry);
4258 static int selinux_getprocattr(struct task_struct *p,
4259 char *name, void *value, size_t size)
4261 struct task_security_struct *tsec;
4266 error = task_has_perm(current, p, PROCESS__GETATTR);
4273 if (!strcmp(name, "current"))
4275 else if (!strcmp(name, "prev"))
4277 else if (!strcmp(name, "exec"))
4278 sid = tsec->exec_sid;
4279 else if (!strcmp(name, "fscreate"))
4280 sid = tsec->create_sid;
4281 else if (!strcmp(name, "keycreate"))
4282 sid = tsec->keycreate_sid;
4283 else if (!strcmp(name, "sockcreate"))
4284 sid = tsec->sockcreate_sid;
4291 return selinux_getsecurity(sid, value, size);
4294 static int selinux_setprocattr(struct task_struct *p,
4295 char *name, void *value, size_t size)
4297 struct task_security_struct *tsec;
4303 /* SELinux only allows a process to change its own
4304 security attributes. */
4309 * Basic control over ability to set these attributes at all.
4310 * current == p, but we'll pass them separately in case the
4311 * above restriction is ever removed.
4313 if (!strcmp(name, "exec"))
4314 error = task_has_perm(current, p, PROCESS__SETEXEC);
4315 else if (!strcmp(name, "fscreate"))
4316 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4317 else if (!strcmp(name, "keycreate"))
4318 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4319 else if (!strcmp(name, "sockcreate"))
4320 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4321 else if (!strcmp(name, "current"))
4322 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4328 /* Obtain a SID for the context, if one was specified. */
4329 if (size && str[1] && str[1] != '\n') {
4330 if (str[size-1] == '\n') {
4334 error = security_context_to_sid(value, size, &sid);
4339 /* Permission checking based on the specified context is
4340 performed during the actual operation (execve,
4341 open/mkdir/...), when we know the full context of the
4342 operation. See selinux_bprm_set_security for the execve
4343 checks and may_create for the file creation checks. The
4344 operation will then fail if the context is not permitted. */
4346 if (!strcmp(name, "exec"))
4347 tsec->exec_sid = sid;
4348 else if (!strcmp(name, "fscreate"))
4349 tsec->create_sid = sid;
4350 else if (!strcmp(name, "keycreate")) {
4351 error = may_create_key(sid, p);
4354 tsec->keycreate_sid = sid;
4355 } else if (!strcmp(name, "sockcreate"))
4356 tsec->sockcreate_sid = sid;
4357 else if (!strcmp(name, "current")) {
4358 struct av_decision avd;
4363 /* Only allow single threaded processes to change context */
4364 if (atomic_read(&p->mm->mm_users) != 1) {
4365 struct task_struct *g, *t;
4366 struct mm_struct *mm = p->mm;
4367 read_lock(&tasklist_lock);
4368 do_each_thread(g, t)
4369 if (t->mm == mm && t != p) {
4370 read_unlock(&tasklist_lock);
4373 while_each_thread(g, t);
4374 read_unlock(&tasklist_lock);
4377 /* Check permissions for the transition. */
4378 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4379 PROCESS__DYNTRANSITION, NULL);
4383 /* Check for ptracing, and update the task SID if ok.
4384 Otherwise, leave SID unchanged and fail. */
4386 if (p->ptrace & PT_PTRACED) {
4387 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4389 PROCESS__PTRACE, &avd);
4393 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4394 PROCESS__PTRACE, &avd, error, NULL);
4408 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4410 return security_sid_to_context(secid, secdata, seclen);
4413 static void selinux_release_secctx(char *secdata, u32 seclen)
4421 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4422 unsigned long flags)
4424 struct task_security_struct *tsec = tsk->security;
4425 struct key_security_struct *ksec;
4427 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4432 if (tsec->keycreate_sid)
4433 ksec->sid = tsec->keycreate_sid;
4435 ksec->sid = tsec->sid;
4441 static void selinux_key_free(struct key *k)
4443 struct key_security_struct *ksec = k->security;
4449 static int selinux_key_permission(key_ref_t key_ref,
4450 struct task_struct *ctx,
4454 struct task_security_struct *tsec;
4455 struct key_security_struct *ksec;
4457 key = key_ref_to_ptr(key_ref);
4459 tsec = ctx->security;
4460 ksec = key->security;
4462 /* if no specific permissions are requested, we skip the
4463 permission check. No serious, additional covert channels
4464 appear to be created. */
4468 return avc_has_perm(tsec->sid, ksec->sid,
4469 SECCLASS_KEY, perm, NULL);
4474 static struct security_operations selinux_ops = {
4475 .ptrace = selinux_ptrace,
4476 .capget = selinux_capget,
4477 .capset_check = selinux_capset_check,
4478 .capset_set = selinux_capset_set,
4479 .sysctl = selinux_sysctl,
4480 .capable = selinux_capable,
4481 .quotactl = selinux_quotactl,
4482 .quota_on = selinux_quota_on,
4483 .syslog = selinux_syslog,
4484 .vm_enough_memory = selinux_vm_enough_memory,
4486 .netlink_send = selinux_netlink_send,
4487 .netlink_recv = selinux_netlink_recv,
4489 .bprm_alloc_security = selinux_bprm_alloc_security,
4490 .bprm_free_security = selinux_bprm_free_security,
4491 .bprm_apply_creds = selinux_bprm_apply_creds,
4492 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4493 .bprm_set_security = selinux_bprm_set_security,
4494 .bprm_check_security = selinux_bprm_check_security,
4495 .bprm_secureexec = selinux_bprm_secureexec,
4497 .sb_alloc_security = selinux_sb_alloc_security,
4498 .sb_free_security = selinux_sb_free_security,
4499 .sb_copy_data = selinux_sb_copy_data,
4500 .sb_kern_mount = selinux_sb_kern_mount,
4501 .sb_statfs = selinux_sb_statfs,
4502 .sb_mount = selinux_mount,
4503 .sb_umount = selinux_umount,
4505 .inode_alloc_security = selinux_inode_alloc_security,
4506 .inode_free_security = selinux_inode_free_security,
4507 .inode_init_security = selinux_inode_init_security,
4508 .inode_create = selinux_inode_create,
4509 .inode_link = selinux_inode_link,
4510 .inode_unlink = selinux_inode_unlink,
4511 .inode_symlink = selinux_inode_symlink,
4512 .inode_mkdir = selinux_inode_mkdir,
4513 .inode_rmdir = selinux_inode_rmdir,
4514 .inode_mknod = selinux_inode_mknod,
4515 .inode_rename = selinux_inode_rename,
4516 .inode_readlink = selinux_inode_readlink,
4517 .inode_follow_link = selinux_inode_follow_link,
4518 .inode_permission = selinux_inode_permission,
4519 .inode_setattr = selinux_inode_setattr,
4520 .inode_getattr = selinux_inode_getattr,
4521 .inode_setxattr = selinux_inode_setxattr,
4522 .inode_post_setxattr = selinux_inode_post_setxattr,
4523 .inode_getxattr = selinux_inode_getxattr,
4524 .inode_listxattr = selinux_inode_listxattr,
4525 .inode_removexattr = selinux_inode_removexattr,
4526 .inode_xattr_getsuffix = selinux_inode_xattr_getsuffix,
4527 .inode_getsecurity = selinux_inode_getsecurity,
4528 .inode_setsecurity = selinux_inode_setsecurity,
4529 .inode_listsecurity = selinux_inode_listsecurity,
4531 .file_permission = selinux_file_permission,
4532 .file_alloc_security = selinux_file_alloc_security,
4533 .file_free_security = selinux_file_free_security,
4534 .file_ioctl = selinux_file_ioctl,
4535 .file_mmap = selinux_file_mmap,
4536 .file_mprotect = selinux_file_mprotect,
4537 .file_lock = selinux_file_lock,
4538 .file_fcntl = selinux_file_fcntl,
4539 .file_set_fowner = selinux_file_set_fowner,
4540 .file_send_sigiotask = selinux_file_send_sigiotask,
4541 .file_receive = selinux_file_receive,
4543 .task_create = selinux_task_create,
4544 .task_alloc_security = selinux_task_alloc_security,
4545 .task_free_security = selinux_task_free_security,
4546 .task_setuid = selinux_task_setuid,
4547 .task_post_setuid = selinux_task_post_setuid,
4548 .task_setgid = selinux_task_setgid,
4549 .task_setpgid = selinux_task_setpgid,
4550 .task_getpgid = selinux_task_getpgid,
4551 .task_getsid = selinux_task_getsid,
4552 .task_getsecid = selinux_task_getsecid,
4553 .task_setgroups = selinux_task_setgroups,
4554 .task_setnice = selinux_task_setnice,
4555 .task_setioprio = selinux_task_setioprio,
4556 .task_getioprio = selinux_task_getioprio,
4557 .task_setrlimit = selinux_task_setrlimit,
4558 .task_setscheduler = selinux_task_setscheduler,
4559 .task_getscheduler = selinux_task_getscheduler,
4560 .task_movememory = selinux_task_movememory,
4561 .task_kill = selinux_task_kill,
4562 .task_wait = selinux_task_wait,
4563 .task_prctl = selinux_task_prctl,
4564 .task_reparent_to_init = selinux_task_reparent_to_init,
4565 .task_to_inode = selinux_task_to_inode,
4567 .ipc_permission = selinux_ipc_permission,
4569 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4570 .msg_msg_free_security = selinux_msg_msg_free_security,
4572 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4573 .msg_queue_free_security = selinux_msg_queue_free_security,
4574 .msg_queue_associate = selinux_msg_queue_associate,
4575 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4576 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4577 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4579 .shm_alloc_security = selinux_shm_alloc_security,
4580 .shm_free_security = selinux_shm_free_security,
4581 .shm_associate = selinux_shm_associate,
4582 .shm_shmctl = selinux_shm_shmctl,
4583 .shm_shmat = selinux_shm_shmat,
4585 .sem_alloc_security = selinux_sem_alloc_security,
4586 .sem_free_security = selinux_sem_free_security,
4587 .sem_associate = selinux_sem_associate,
4588 .sem_semctl = selinux_sem_semctl,
4589 .sem_semop = selinux_sem_semop,
4591 .register_security = selinux_register_security,
4592 .unregister_security = selinux_unregister_security,
4594 .d_instantiate = selinux_d_instantiate,
4596 .getprocattr = selinux_getprocattr,
4597 .setprocattr = selinux_setprocattr,
4599 .secid_to_secctx = selinux_secid_to_secctx,
4600 .release_secctx = selinux_release_secctx,
4602 .unix_stream_connect = selinux_socket_unix_stream_connect,
4603 .unix_may_send = selinux_socket_unix_may_send,
4605 .socket_create = selinux_socket_create,
4606 .socket_post_create = selinux_socket_post_create,
4607 .socket_bind = selinux_socket_bind,
4608 .socket_connect = selinux_socket_connect,
4609 .socket_listen = selinux_socket_listen,
4610 .socket_accept = selinux_socket_accept,
4611 .socket_sendmsg = selinux_socket_sendmsg,
4612 .socket_recvmsg = selinux_socket_recvmsg,
4613 .socket_getsockname = selinux_socket_getsockname,
4614 .socket_getpeername = selinux_socket_getpeername,
4615 .socket_getsockopt = selinux_socket_getsockopt,
4616 .socket_setsockopt = selinux_socket_setsockopt,
4617 .socket_shutdown = selinux_socket_shutdown,
4618 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4619 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
4620 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
4621 .sk_alloc_security = selinux_sk_alloc_security,
4622 .sk_free_security = selinux_sk_free_security,
4623 .sk_getsid = selinux_sk_getsid_security,
4625 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4626 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
4627 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
4628 .xfrm_policy_free_security = selinux_xfrm_policy_free,
4629 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
4630 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
4631 .xfrm_state_free_security = selinux_xfrm_state_free,
4632 .xfrm_state_delete_security = selinux_xfrm_state_delete,
4633 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
4637 .key_alloc = selinux_key_alloc,
4638 .key_free = selinux_key_free,
4639 .key_permission = selinux_key_permission,
4643 static __init int selinux_init(void)
4645 struct task_security_struct *tsec;
4647 if (!selinux_enabled) {
4648 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4652 printk(KERN_INFO "SELinux: Initializing.\n");
4654 /* Set the security state for the initial task. */
4655 if (task_alloc_security(current))
4656 panic("SELinux: Failed to initialize initial task.\n");
4657 tsec = current->security;
4658 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4660 sel_inode_cache = kmem_cache_create("selinux_inode_security",
4661 sizeof(struct inode_security_struct),
4662 0, SLAB_PANIC, NULL, NULL);
4665 original_ops = secondary_ops = security_ops;
4667 panic ("SELinux: No initial security operations\n");
4668 if (register_security (&selinux_ops))
4669 panic("SELinux: Unable to register with kernel.\n");
4671 if (selinux_enforcing) {
4672 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4674 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4678 /* Add security information to initial keyrings */
4679 selinux_key_alloc(&root_user_keyring, current,
4680 KEY_ALLOC_NOT_IN_QUOTA);
4681 selinux_key_alloc(&root_session_keyring, current,
4682 KEY_ALLOC_NOT_IN_QUOTA);
4688 void selinux_complete_init(void)
4690 printk(KERN_INFO "SELinux: Completing initialization.\n");
4692 /* Set up any superblocks initialized prior to the policy load. */
4693 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4694 spin_lock(&sb_lock);
4695 spin_lock(&sb_security_lock);
4697 if (!list_empty(&superblock_security_head)) {
4698 struct superblock_security_struct *sbsec =
4699 list_entry(superblock_security_head.next,
4700 struct superblock_security_struct,
4702 struct super_block *sb = sbsec->sb;
4704 spin_unlock(&sb_security_lock);
4705 spin_unlock(&sb_lock);
4706 down_read(&sb->s_umount);
4708 superblock_doinit(sb, NULL);
4710 spin_lock(&sb_lock);
4711 spin_lock(&sb_security_lock);
4712 list_del_init(&sbsec->list);
4715 spin_unlock(&sb_security_lock);
4716 spin_unlock(&sb_lock);
4719 /* SELinux requires early initialization in order to label
4720 all processes and objects when they are created. */
4721 security_initcall(selinux_init);
4723 #if defined(CONFIG_NETFILTER)
4725 static struct nf_hook_ops selinux_ipv4_op = {
4726 .hook = selinux_ipv4_postroute_last,
4727 .owner = THIS_MODULE,
4729 .hooknum = NF_IP_POST_ROUTING,
4730 .priority = NF_IP_PRI_SELINUX_LAST,
4733 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4735 static struct nf_hook_ops selinux_ipv6_op = {
4736 .hook = selinux_ipv6_postroute_last,
4737 .owner = THIS_MODULE,
4739 .hooknum = NF_IP6_POST_ROUTING,
4740 .priority = NF_IP6_PRI_SELINUX_LAST,
4745 static int __init selinux_nf_ip_init(void)
4749 if (!selinux_enabled)
4752 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4754 err = nf_register_hook(&selinux_ipv4_op);
4756 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4758 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4760 err = nf_register_hook(&selinux_ipv6_op);
4762 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4770 __initcall(selinux_nf_ip_init);
4772 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4773 static void selinux_nf_ip_exit(void)
4775 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4777 nf_unregister_hook(&selinux_ipv4_op);
4778 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4779 nf_unregister_hook(&selinux_ipv6_op);
4784 #else /* CONFIG_NETFILTER */
4786 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4787 #define selinux_nf_ip_exit()
4790 #endif /* CONFIG_NETFILTER */
4792 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4793 int selinux_disable(void)
4795 extern void exit_sel_fs(void);
4796 static int selinux_disabled = 0;
4798 if (ss_initialized) {
4799 /* Not permitted after initial policy load. */
4803 if (selinux_disabled) {
4804 /* Only do this once. */
4808 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4810 selinux_disabled = 1;
4811 selinux_enabled = 0;
4813 /* Reset security_ops to the secondary module, dummy or capability. */
4814 security_ops = secondary_ops;
4816 /* Unregister netfilter hooks. */
4817 selinux_nf_ip_exit();
4819 /* Unregister selinuxfs. */