2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
21 #include <linux/module.h>
22 #include <linux/init.h>
23 #include <linux/kernel.h>
24 #include <linux/tracehook.h>
25 #include <linux/errno.h>
26 #include <linux/sched.h>
27 #include <linux/security.h>
28 #include <linux/xattr.h>
29 #include <linux/capability.h>
30 #include <linux/unistd.h>
32 #include <linux/mman.h>
33 #include <linux/slab.h>
34 #include <linux/pagemap.h>
35 #include <linux/swap.h>
36 #include <linux/smp_lock.h>
37 #include <linux/spinlock.h>
38 #include <linux/syscalls.h>
39 #include <linux/file.h>
40 #include <linux/namei.h>
41 #include <linux/mount.h>
42 #include <linux/ext2_fs.h>
43 #include <linux/proc_fs.h>
45 #include <linux/netfilter_ipv4.h>
46 #include <linux/netfilter_ipv6.h>
47 #include <linux/tty.h>
49 #include <net/ip.h> /* for sysctl_local_port_range[] */
50 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
51 #include <asm/uaccess.h>
52 #include <asm/semaphore.h>
53 #include <asm/ioctls.h>
54 #include <linux/bitops.h>
55 #include <linux/interrupt.h>
56 #include <linux/netdevice.h> /* for network interface checks */
57 #include <linux/netlink.h>
58 #include <linux/tcp.h>
59 #include <linux/udp.h>
60 #include <linux/quota.h>
61 #include <linux/un.h> /* for Unix socket types */
62 #include <net/af_unix.h> /* for Unix socket types */
63 #include <linux/parser.h>
64 #include <linux/nfs_mount.h>
66 #include <linux/hugetlb.h>
67 #include <linux/personality.h>
68 #include <linux/sysctl.h>
69 #include <linux/audit.h>
70 #include <linux/string.h>
71 #include <linux/selinux.h>
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83 extern int selinux_compat_net;
85 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
86 int selinux_enforcing = 0;
88 static int __init enforcing_setup(char *str)
90 selinux_enforcing = simple_strtol(str,NULL,0);
93 __setup("enforcing=", enforcing_setup);
96 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
97 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
99 static int __init selinux_enabled_setup(char *str)
101 selinux_enabled = simple_strtol(str, NULL, 0);
104 __setup("selinux=", selinux_enabled_setup);
106 int selinux_enabled = 1;
109 /* Original (dummy) security module. */
110 static struct security_operations *original_ops = NULL;
112 /* Minimal support for a secondary security module,
113 just to allow the use of the dummy or capability modules.
114 The owlsm module can alternatively be used as a secondary
115 module as long as CONFIG_OWLSM_FD is not enabled. */
116 static struct security_operations *secondary_ops = NULL;
118 /* Lists of inode and superblock security structures initialized
119 before the policy was loaded. */
120 static LIST_HEAD(superblock_security_head);
121 static DEFINE_SPINLOCK(sb_security_lock);
123 static kmem_cache_t *sel_inode_cache;
125 /* Return security context for a given sid or just the context
126 length if the buffer is null or length is 0 */
127 static int selinux_getsecurity(u32 sid, void *buffer, size_t size)
133 rc = security_sid_to_context(sid, &context, &len);
137 if (!buffer || !size)
138 goto getsecurity_exit;
142 goto getsecurity_exit;
144 memcpy(buffer, context, len);
151 /* Allocate and free functions for each kind of security blob. */
153 static int task_alloc_security(struct task_struct *task)
155 struct task_security_struct *tsec;
157 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
162 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
163 task->security = tsec;
168 static void task_free_security(struct task_struct *task)
170 struct task_security_struct *tsec = task->security;
171 task->security = NULL;
175 static int inode_alloc_security(struct inode *inode)
177 struct task_security_struct *tsec = current->security;
178 struct inode_security_struct *isec;
180 isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
184 memset(isec, 0, sizeof(*isec));
185 init_MUTEX(&isec->sem);
186 INIT_LIST_HEAD(&isec->list);
188 isec->sid = SECINITSID_UNLABELED;
189 isec->sclass = SECCLASS_FILE;
190 isec->task_sid = tsec->sid;
191 inode->i_security = isec;
196 static void inode_free_security(struct inode *inode)
198 struct inode_security_struct *isec = inode->i_security;
199 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
201 spin_lock(&sbsec->isec_lock);
202 if (!list_empty(&isec->list))
203 list_del_init(&isec->list);
204 spin_unlock(&sbsec->isec_lock);
206 inode->i_security = NULL;
207 kmem_cache_free(sel_inode_cache, isec);
210 static int file_alloc_security(struct file *file)
212 struct task_security_struct *tsec = current->security;
213 struct file_security_struct *fsec;
215 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
220 fsec->sid = tsec->sid;
221 fsec->fown_sid = tsec->sid;
222 file->f_security = fsec;
227 static void file_free_security(struct file *file)
229 struct file_security_struct *fsec = file->f_security;
230 file->f_security = NULL;
234 static int superblock_alloc_security(struct super_block *sb)
236 struct superblock_security_struct *sbsec;
238 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
242 init_MUTEX(&sbsec->sem);
243 INIT_LIST_HEAD(&sbsec->list);
244 INIT_LIST_HEAD(&sbsec->isec_head);
245 spin_lock_init(&sbsec->isec_lock);
247 sbsec->sid = SECINITSID_UNLABELED;
248 sbsec->def_sid = SECINITSID_FILE;
249 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
250 sb->s_security = sbsec;
255 static void superblock_free_security(struct super_block *sb)
257 struct superblock_security_struct *sbsec = sb->s_security;
259 spin_lock(&sb_security_lock);
260 if (!list_empty(&sbsec->list))
261 list_del_init(&sbsec->list);
262 spin_unlock(&sb_security_lock);
264 sb->s_security = NULL;
268 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
270 struct sk_security_struct *ssec;
272 if (family != PF_UNIX)
275 ssec = kzalloc(sizeof(*ssec), priority);
280 ssec->peer_sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
286 static void sk_free_security(struct sock *sk)
288 struct sk_security_struct *ssec = sk->sk_security;
290 if (sk->sk_family != PF_UNIX)
293 sk->sk_security = NULL;
297 /* The security server must be initialized before
298 any labeling or access decisions can be provided. */
299 extern int ss_initialized;
301 /* The file system's label must be initialized prior to use. */
303 static char *labeling_behaviors[6] = {
305 "uses transition SIDs",
307 "uses genfs_contexts",
308 "not configured for labeling",
309 "uses mountpoint labeling",
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314 static inline int inode_doinit(struct inode *inode)
316 return inode_doinit_with_dentry(inode, NULL);
326 static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
330 {Opt_rootcontext, "rootcontext=%s"},
333 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
335 static int may_context_mount_sb_relabel(u32 sid,
336 struct superblock_security_struct *sbsec,
337 struct task_security_struct *tsec)
341 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
342 FILESYSTEM__RELABELFROM, NULL);
346 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
347 FILESYSTEM__RELABELTO, NULL);
351 static int may_context_mount_inode_relabel(u32 sid,
352 struct superblock_security_struct *sbsec,
353 struct task_security_struct *tsec)
356 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
357 FILESYSTEM__RELABELFROM, NULL);
361 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
362 FILESYSTEM__ASSOCIATE, NULL);
366 static int try_context_mount(struct super_block *sb, void *data)
368 char *context = NULL, *defcontext = NULL;
369 char *fscontext = NULL, *rootcontext = NULL;
372 int alloc = 0, rc = 0, seen = 0;
373 struct task_security_struct *tsec = current->security;
374 struct superblock_security_struct *sbsec = sb->s_security;
379 name = sb->s_type->name;
381 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
383 /* NFS we understand. */
384 if (!strcmp(name, "nfs")) {
385 struct nfs_mount_data *d = data;
387 if (d->version < NFS_MOUNT_VERSION)
391 context = d->context;
398 /* Standard string-based options. */
399 char *p, *options = data;
401 while ((p = strsep(&options, ",")) != NULL) {
403 substring_t args[MAX_OPT_ARGS];
408 token = match_token(p, tokens, args);
412 if (seen & (Opt_context|Opt_defcontext)) {
414 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
417 context = match_strdup(&args[0]);
428 if (seen & Opt_fscontext) {
430 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
433 fscontext = match_strdup(&args[0]);
440 seen |= Opt_fscontext;
443 case Opt_rootcontext:
444 if (seen & Opt_rootcontext) {
446 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
449 rootcontext = match_strdup(&args[0]);
456 seen |= Opt_rootcontext;
460 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
462 printk(KERN_WARNING "SELinux: "
463 "defcontext option is invalid "
464 "for this filesystem type\n");
467 if (seen & (Opt_context|Opt_defcontext)) {
469 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
472 defcontext = match_strdup(&args[0]);
479 seen |= Opt_defcontext;
484 printk(KERN_WARNING "SELinux: unknown mount "
495 /* sets the context of the superblock for the fs being mounted. */
497 rc = security_context_to_sid(fscontext, strlen(fscontext), &sid);
499 printk(KERN_WARNING "SELinux: security_context_to_sid"
500 "(%s) failed for (dev %s, type %s) errno=%d\n",
501 fscontext, sb->s_id, name, rc);
505 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
513 * Switch to using mount point labeling behavior.
514 * sets the label used on all file below the mountpoint, and will set
515 * the superblock context if not already set.
518 rc = security_context_to_sid(context, strlen(context), &sid);
520 printk(KERN_WARNING "SELinux: security_context_to_sid"
521 "(%s) failed for (dev %s, type %s) errno=%d\n",
522 context, sb->s_id, name, rc);
527 rc = may_context_mount_sb_relabel(sid, sbsec, tsec);
532 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
536 sbsec->mntpoint_sid = sid;
538 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
542 struct inode *inode = sb->s_root->d_inode;
543 struct inode_security_struct *isec = inode->i_security;
544 rc = security_context_to_sid(rootcontext, strlen(rootcontext), &sid);
546 printk(KERN_WARNING "SELinux: security_context_to_sid"
547 "(%s) failed for (dev %s, type %s) errno=%d\n",
548 rootcontext, sb->s_id, name, rc);
552 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
557 isec->initialized = 1;
561 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
563 printk(KERN_WARNING "SELinux: security_context_to_sid"
564 "(%s) failed for (dev %s, type %s) errno=%d\n",
565 defcontext, sb->s_id, name, rc);
569 if (sid == sbsec->def_sid)
572 rc = may_context_mount_inode_relabel(sid, sbsec, tsec);
576 sbsec->def_sid = sid;
590 static int superblock_doinit(struct super_block *sb, void *data)
592 struct superblock_security_struct *sbsec = sb->s_security;
593 struct dentry *root = sb->s_root;
594 struct inode *inode = root->d_inode;
598 if (sbsec->initialized)
601 if (!ss_initialized) {
602 /* Defer initialization until selinux_complete_init,
603 after the initial policy is loaded and the security
604 server is ready to handle calls. */
605 spin_lock(&sb_security_lock);
606 if (list_empty(&sbsec->list))
607 list_add(&sbsec->list, &superblock_security_head);
608 spin_unlock(&sb_security_lock);
612 /* Determine the labeling behavior to use for this filesystem type. */
613 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
615 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
616 __FUNCTION__, sb->s_type->name, rc);
620 rc = try_context_mount(sb, data);
624 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
625 /* Make sure that the xattr handler exists and that no
626 error other than -ENODATA is returned by getxattr on
627 the root directory. -ENODATA is ok, as this may be
628 the first boot of the SELinux kernel before we have
629 assigned xattr values to the filesystem. */
630 if (!inode->i_op->getxattr) {
631 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
632 "xattr support\n", sb->s_id, sb->s_type->name);
636 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
637 if (rc < 0 && rc != -ENODATA) {
638 if (rc == -EOPNOTSUPP)
639 printk(KERN_WARNING "SELinux: (dev %s, type "
640 "%s) has no security xattr handler\n",
641 sb->s_id, sb->s_type->name);
643 printk(KERN_WARNING "SELinux: (dev %s, type "
644 "%s) getxattr errno %d\n", sb->s_id,
645 sb->s_type->name, -rc);
650 if (strcmp(sb->s_type->name, "proc") == 0)
653 sbsec->initialized = 1;
655 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
656 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
657 sb->s_id, sb->s_type->name);
660 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
661 sb->s_id, sb->s_type->name,
662 labeling_behaviors[sbsec->behavior-1]);
665 /* Initialize the root inode. */
666 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
668 /* Initialize any other inodes associated with the superblock, e.g.
669 inodes created prior to initial policy load or inodes created
670 during get_sb by a pseudo filesystem that directly
672 spin_lock(&sbsec->isec_lock);
674 if (!list_empty(&sbsec->isec_head)) {
675 struct inode_security_struct *isec =
676 list_entry(sbsec->isec_head.next,
677 struct inode_security_struct, list);
678 struct inode *inode = isec->inode;
679 spin_unlock(&sbsec->isec_lock);
680 inode = igrab(inode);
682 if (!IS_PRIVATE (inode))
686 spin_lock(&sbsec->isec_lock);
687 list_del_init(&isec->list);
690 spin_unlock(&sbsec->isec_lock);
696 static inline u16 inode_mode_to_security_class(umode_t mode)
698 switch (mode & S_IFMT) {
700 return SECCLASS_SOCK_FILE;
702 return SECCLASS_LNK_FILE;
704 return SECCLASS_FILE;
706 return SECCLASS_BLK_FILE;
710 return SECCLASS_CHR_FILE;
712 return SECCLASS_FIFO_FILE;
716 return SECCLASS_FILE;
719 static inline int default_protocol_stream(int protocol)
721 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
724 static inline int default_protocol_dgram(int protocol)
726 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
729 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
736 return SECCLASS_UNIX_STREAM_SOCKET;
738 return SECCLASS_UNIX_DGRAM_SOCKET;
745 if (default_protocol_stream(protocol))
746 return SECCLASS_TCP_SOCKET;
748 return SECCLASS_RAWIP_SOCKET;
750 if (default_protocol_dgram(protocol))
751 return SECCLASS_UDP_SOCKET;
753 return SECCLASS_RAWIP_SOCKET;
755 return SECCLASS_RAWIP_SOCKET;
761 return SECCLASS_NETLINK_ROUTE_SOCKET;
762 case NETLINK_FIREWALL:
763 return SECCLASS_NETLINK_FIREWALL_SOCKET;
764 case NETLINK_INET_DIAG:
765 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
767 return SECCLASS_NETLINK_NFLOG_SOCKET;
769 return SECCLASS_NETLINK_XFRM_SOCKET;
770 case NETLINK_SELINUX:
771 return SECCLASS_NETLINK_SELINUX_SOCKET;
773 return SECCLASS_NETLINK_AUDIT_SOCKET;
775 return SECCLASS_NETLINK_IP6FW_SOCKET;
776 case NETLINK_DNRTMSG:
777 return SECCLASS_NETLINK_DNRT_SOCKET;
778 case NETLINK_KOBJECT_UEVENT:
779 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
781 return SECCLASS_NETLINK_SOCKET;
784 return SECCLASS_PACKET_SOCKET;
786 return SECCLASS_KEY_SOCKET;
788 return SECCLASS_APPLETALK_SOCKET;
791 return SECCLASS_SOCKET;
794 #ifdef CONFIG_PROC_FS
795 static int selinux_proc_get_sid(struct proc_dir_entry *de,
800 char *buffer, *path, *end;
802 buffer = (char*)__get_free_page(GFP_KERNEL);
812 while (de && de != de->parent) {
813 buflen -= de->namelen + 1;
817 memcpy(end, de->name, de->namelen);
822 rc = security_genfs_sid("proc", path, tclass, sid);
823 free_page((unsigned long)buffer);
827 static int selinux_proc_get_sid(struct proc_dir_entry *de,
835 /* The inode's security attributes must be initialized before first use. */
836 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
838 struct superblock_security_struct *sbsec = NULL;
839 struct inode_security_struct *isec = inode->i_security;
841 struct dentry *dentry;
842 #define INITCONTEXTLEN 255
843 char *context = NULL;
848 if (isec->initialized)
853 if (isec->initialized)
856 sbsec = inode->i_sb->s_security;
857 if (!sbsec->initialized) {
858 /* Defer initialization until selinux_complete_init,
859 after the initial policy is loaded and the security
860 server is ready to handle calls. */
861 spin_lock(&sbsec->isec_lock);
862 if (list_empty(&isec->list))
863 list_add(&isec->list, &sbsec->isec_head);
864 spin_unlock(&sbsec->isec_lock);
868 switch (sbsec->behavior) {
869 case SECURITY_FS_USE_XATTR:
870 if (!inode->i_op->getxattr) {
871 isec->sid = sbsec->def_sid;
875 /* Need a dentry, since the xattr API requires one.
876 Life would be simpler if we could just pass the inode. */
878 /* Called from d_instantiate or d_splice_alias. */
879 dentry = dget(opt_dentry);
881 /* Called from selinux_complete_init, try to find a dentry. */
882 dentry = d_find_alias(inode);
885 printk(KERN_WARNING "%s: no dentry for dev=%s "
886 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
891 len = INITCONTEXTLEN;
892 context = kmalloc(len, GFP_KERNEL);
898 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
901 /* Need a larger buffer. Query for the right size. */
902 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
910 context = kmalloc(len, GFP_KERNEL);
916 rc = inode->i_op->getxattr(dentry,
922 if (rc != -ENODATA) {
923 printk(KERN_WARNING "%s: getxattr returned "
924 "%d for dev=%s ino=%ld\n", __FUNCTION__,
925 -rc, inode->i_sb->s_id, inode->i_ino);
929 /* Map ENODATA to the default file SID */
930 sid = sbsec->def_sid;
933 rc = security_context_to_sid_default(context, rc, &sid,
936 printk(KERN_WARNING "%s: context_to_sid(%s) "
937 "returned %d for dev=%s ino=%ld\n",
938 __FUNCTION__, context, -rc,
939 inode->i_sb->s_id, inode->i_ino);
941 /* Leave with the unlabeled SID */
949 case SECURITY_FS_USE_TASK:
950 isec->sid = isec->task_sid;
952 case SECURITY_FS_USE_TRANS:
953 /* Default to the fs SID. */
954 isec->sid = sbsec->sid;
956 /* Try to obtain a transition SID. */
957 isec->sclass = inode_mode_to_security_class(inode->i_mode);
958 rc = security_transition_sid(isec->task_sid,
966 case SECURITY_FS_USE_MNTPOINT:
967 isec->sid = sbsec->mntpoint_sid;
970 /* Default to the fs superblock SID. */
971 isec->sid = sbsec->sid;
974 struct proc_inode *proci = PROC_I(inode);
976 isec->sclass = inode_mode_to_security_class(inode->i_mode);
977 rc = selinux_proc_get_sid(proci->pde,
988 isec->initialized = 1;
991 if (isec->sclass == SECCLASS_FILE)
992 isec->sclass = inode_mode_to_security_class(inode->i_mode);
999 /* Convert a Linux signal to an access vector. */
1000 static inline u32 signal_to_av(int sig)
1006 /* Commonly granted from child to parent. */
1007 perm = PROCESS__SIGCHLD;
1010 /* Cannot be caught or ignored */
1011 perm = PROCESS__SIGKILL;
1014 /* Cannot be caught or ignored */
1015 perm = PROCESS__SIGSTOP;
1018 /* All other signals. */
1019 perm = PROCESS__SIGNAL;
1026 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1027 fork check, ptrace check, etc. */
1028 static int task_has_perm(struct task_struct *tsk1,
1029 struct task_struct *tsk2,
1032 struct task_security_struct *tsec1, *tsec2;
1034 tsec1 = tsk1->security;
1035 tsec2 = tsk2->security;
1036 return avc_has_perm(tsec1->sid, tsec2->sid,
1037 SECCLASS_PROCESS, perms, NULL);
1040 /* Check whether a task is allowed to use a capability. */
1041 static int task_has_capability(struct task_struct *tsk,
1044 struct task_security_struct *tsec;
1045 struct avc_audit_data ad;
1047 tsec = tsk->security;
1049 AVC_AUDIT_DATA_INIT(&ad,CAP);
1053 return avc_has_perm(tsec->sid, tsec->sid,
1054 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
1057 /* Check whether a task is allowed to use a system operation. */
1058 static int task_has_system(struct task_struct *tsk,
1061 struct task_security_struct *tsec;
1063 tsec = tsk->security;
1065 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1066 SECCLASS_SYSTEM, perms, NULL);
1069 /* Check whether a task has a particular permission to an inode.
1070 The 'adp' parameter is optional and allows other audit
1071 data to be passed (e.g. the dentry). */
1072 static int inode_has_perm(struct task_struct *tsk,
1073 struct inode *inode,
1075 struct avc_audit_data *adp)
1077 struct task_security_struct *tsec;
1078 struct inode_security_struct *isec;
1079 struct avc_audit_data ad;
1081 tsec = tsk->security;
1082 isec = inode->i_security;
1086 AVC_AUDIT_DATA_INIT(&ad, FS);
1087 ad.u.fs.inode = inode;
1090 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1093 /* Same as inode_has_perm, but pass explicit audit data containing
1094 the dentry to help the auditing code to more easily generate the
1095 pathname if needed. */
1096 static inline int dentry_has_perm(struct task_struct *tsk,
1097 struct vfsmount *mnt,
1098 struct dentry *dentry,
1101 struct inode *inode = dentry->d_inode;
1102 struct avc_audit_data ad;
1103 AVC_AUDIT_DATA_INIT(&ad,FS);
1105 ad.u.fs.dentry = dentry;
1106 return inode_has_perm(tsk, inode, av, &ad);
1109 /* Check whether a task can use an open file descriptor to
1110 access an inode in a given way. Check access to the
1111 descriptor itself, and then use dentry_has_perm to
1112 check a particular permission to the file.
1113 Access to the descriptor is implicitly granted if it
1114 has the same SID as the process. If av is zero, then
1115 access to the file is not checked, e.g. for cases
1116 where only the descriptor is affected like seek. */
1117 static int file_has_perm(struct task_struct *tsk,
1121 struct task_security_struct *tsec = tsk->security;
1122 struct file_security_struct *fsec = file->f_security;
1123 struct vfsmount *mnt = file->f_vfsmnt;
1124 struct dentry *dentry = file->f_dentry;
1125 struct inode *inode = dentry->d_inode;
1126 struct avc_audit_data ad;
1129 AVC_AUDIT_DATA_INIT(&ad, FS);
1131 ad.u.fs.dentry = dentry;
1133 if (tsec->sid != fsec->sid) {
1134 rc = avc_has_perm(tsec->sid, fsec->sid,
1142 /* av is zero if only checking access to the descriptor. */
1144 return inode_has_perm(tsk, inode, av, &ad);
1149 /* Check whether a task can create a file. */
1150 static int may_create(struct inode *dir,
1151 struct dentry *dentry,
1154 struct task_security_struct *tsec;
1155 struct inode_security_struct *dsec;
1156 struct superblock_security_struct *sbsec;
1158 struct avc_audit_data ad;
1161 tsec = current->security;
1162 dsec = dir->i_security;
1163 sbsec = dir->i_sb->s_security;
1165 AVC_AUDIT_DATA_INIT(&ad, FS);
1166 ad.u.fs.dentry = dentry;
1168 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1169 DIR__ADD_NAME | DIR__SEARCH,
1174 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1175 newsid = tsec->create_sid;
1177 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1183 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1187 return avc_has_perm(newsid, sbsec->sid,
1188 SECCLASS_FILESYSTEM,
1189 FILESYSTEM__ASSOCIATE, &ad);
1192 /* Check whether a task can create a key. */
1193 static int may_create_key(u32 ksid,
1194 struct task_struct *ctx)
1196 struct task_security_struct *tsec;
1198 tsec = ctx->security;
1200 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1204 #define MAY_UNLINK 1
1207 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1208 static int may_link(struct inode *dir,
1209 struct dentry *dentry,
1213 struct task_security_struct *tsec;
1214 struct inode_security_struct *dsec, *isec;
1215 struct avc_audit_data ad;
1219 tsec = current->security;
1220 dsec = dir->i_security;
1221 isec = dentry->d_inode->i_security;
1223 AVC_AUDIT_DATA_INIT(&ad, FS);
1224 ad.u.fs.dentry = dentry;
1227 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1228 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1243 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1247 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1251 static inline int may_rename(struct inode *old_dir,
1252 struct dentry *old_dentry,
1253 struct inode *new_dir,
1254 struct dentry *new_dentry)
1256 struct task_security_struct *tsec;
1257 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1258 struct avc_audit_data ad;
1260 int old_is_dir, new_is_dir;
1263 tsec = current->security;
1264 old_dsec = old_dir->i_security;
1265 old_isec = old_dentry->d_inode->i_security;
1266 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1267 new_dsec = new_dir->i_security;
1269 AVC_AUDIT_DATA_INIT(&ad, FS);
1271 ad.u.fs.dentry = old_dentry;
1272 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1273 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1276 rc = avc_has_perm(tsec->sid, old_isec->sid,
1277 old_isec->sclass, FILE__RENAME, &ad);
1280 if (old_is_dir && new_dir != old_dir) {
1281 rc = avc_has_perm(tsec->sid, old_isec->sid,
1282 old_isec->sclass, DIR__REPARENT, &ad);
1287 ad.u.fs.dentry = new_dentry;
1288 av = DIR__ADD_NAME | DIR__SEARCH;
1289 if (new_dentry->d_inode)
1290 av |= DIR__REMOVE_NAME;
1291 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1294 if (new_dentry->d_inode) {
1295 new_isec = new_dentry->d_inode->i_security;
1296 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1297 rc = avc_has_perm(tsec->sid, new_isec->sid,
1299 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1307 /* Check whether a task can perform a filesystem operation. */
1308 static int superblock_has_perm(struct task_struct *tsk,
1309 struct super_block *sb,
1311 struct avc_audit_data *ad)
1313 struct task_security_struct *tsec;
1314 struct superblock_security_struct *sbsec;
1316 tsec = tsk->security;
1317 sbsec = sb->s_security;
1318 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1322 /* Convert a Linux mode and permission mask to an access vector. */
1323 static inline u32 file_mask_to_av(int mode, int mask)
1327 if ((mode & S_IFMT) != S_IFDIR) {
1328 if (mask & MAY_EXEC)
1329 av |= FILE__EXECUTE;
1330 if (mask & MAY_READ)
1333 if (mask & MAY_APPEND)
1335 else if (mask & MAY_WRITE)
1339 if (mask & MAY_EXEC)
1341 if (mask & MAY_WRITE)
1343 if (mask & MAY_READ)
1350 /* Convert a Linux file to an access vector. */
1351 static inline u32 file_to_av(struct file *file)
1355 if (file->f_mode & FMODE_READ)
1357 if (file->f_mode & FMODE_WRITE) {
1358 if (file->f_flags & O_APPEND)
1367 /* Set an inode's SID to a specified value. */
1368 static int inode_security_set_sid(struct inode *inode, u32 sid)
1370 struct inode_security_struct *isec = inode->i_security;
1371 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1373 if (!sbsec->initialized) {
1374 /* Defer initialization to selinux_complete_init. */
1379 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1381 isec->initialized = 1;
1386 /* Hook functions begin here. */
1388 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1392 rc = secondary_ops->ptrace(parent,child);
1396 return task_has_perm(parent, child, PROCESS__PTRACE);
1399 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1400 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1404 error = task_has_perm(current, target, PROCESS__GETCAP);
1408 return secondary_ops->capget(target, effective, inheritable, permitted);
1411 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1412 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1416 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1420 return task_has_perm(current, target, PROCESS__SETCAP);
1423 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1424 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1426 secondary_ops->capset_set(target, effective, inheritable, permitted);
1429 static int selinux_capable(struct task_struct *tsk, int cap)
1433 rc = secondary_ops->capable(tsk, cap);
1437 return task_has_capability(tsk,cap);
1440 static int selinux_sysctl(ctl_table *table, int op)
1444 struct task_security_struct *tsec;
1448 rc = secondary_ops->sysctl(table, op);
1452 tsec = current->security;
1454 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1455 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1457 /* Default to the well-defined sysctl SID. */
1458 tsid = SECINITSID_SYSCTL;
1461 /* The op values are "defined" in sysctl.c, thereby creating
1462 * a bad coupling between this module and sysctl.c */
1464 error = avc_has_perm(tsec->sid, tsid,
1465 SECCLASS_DIR, DIR__SEARCH, NULL);
1473 error = avc_has_perm(tsec->sid, tsid,
1474 SECCLASS_FILE, av, NULL);
1480 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1493 rc = superblock_has_perm(current,
1495 FILESYSTEM__QUOTAMOD, NULL);
1500 rc = superblock_has_perm(current,
1502 FILESYSTEM__QUOTAGET, NULL);
1505 rc = 0; /* let the kernel handle invalid cmds */
1511 static int selinux_quota_on(struct dentry *dentry)
1513 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1516 static int selinux_syslog(int type)
1520 rc = secondary_ops->syslog(type);
1525 case 3: /* Read last kernel messages */
1526 case 10: /* Return size of the log buffer */
1527 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1529 case 6: /* Disable logging to console */
1530 case 7: /* Enable logging to console */
1531 case 8: /* Set level of messages printed to console */
1532 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1534 case 0: /* Close log */
1535 case 1: /* Open log */
1536 case 2: /* Read from log */
1537 case 4: /* Read/clear last kernel messages */
1538 case 5: /* Clear ring buffer */
1540 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1547 * Check that a process has enough memory to allocate a new virtual
1548 * mapping. 0 means there is enough memory for the allocation to
1549 * succeed and -ENOMEM implies there is not.
1551 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1552 * if the capability is granted, but __vm_enough_memory requires 1 if
1553 * the capability is granted.
1555 * Do not audit the selinux permission check, as this is applied to all
1556 * processes that allocate mappings.
1558 static int selinux_vm_enough_memory(long pages)
1560 int rc, cap_sys_admin = 0;
1561 struct task_security_struct *tsec = current->security;
1563 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1565 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1566 SECCLASS_CAPABILITY,
1567 CAP_TO_MASK(CAP_SYS_ADMIN),
1573 return __vm_enough_memory(pages, cap_sys_admin);
1576 /* binprm security operations */
1578 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1580 struct bprm_security_struct *bsec;
1582 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1587 bsec->sid = SECINITSID_UNLABELED;
1590 bprm->security = bsec;
1594 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1596 struct task_security_struct *tsec;
1597 struct inode *inode = bprm->file->f_dentry->d_inode;
1598 struct inode_security_struct *isec;
1599 struct bprm_security_struct *bsec;
1601 struct avc_audit_data ad;
1604 rc = secondary_ops->bprm_set_security(bprm);
1608 bsec = bprm->security;
1613 tsec = current->security;
1614 isec = inode->i_security;
1616 /* Default to the current task SID. */
1617 bsec->sid = tsec->sid;
1619 /* Reset fs, key, and sock SIDs on execve. */
1620 tsec->create_sid = 0;
1621 tsec->keycreate_sid = 0;
1622 tsec->sockcreate_sid = 0;
1624 if (tsec->exec_sid) {
1625 newsid = tsec->exec_sid;
1626 /* Reset exec SID on execve. */
1629 /* Check for a default transition on this program. */
1630 rc = security_transition_sid(tsec->sid, isec->sid,
1631 SECCLASS_PROCESS, &newsid);
1636 AVC_AUDIT_DATA_INIT(&ad, FS);
1637 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1638 ad.u.fs.dentry = bprm->file->f_dentry;
1640 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1643 if (tsec->sid == newsid) {
1644 rc = avc_has_perm(tsec->sid, isec->sid,
1645 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1649 /* Check permissions for the transition. */
1650 rc = avc_has_perm(tsec->sid, newsid,
1651 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1655 rc = avc_has_perm(newsid, isec->sid,
1656 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1660 /* Clear any possibly unsafe personality bits on exec: */
1661 current->personality &= ~PER_CLEAR_ON_SETID;
1663 /* Set the security field to the new SID. */
1671 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1673 return secondary_ops->bprm_check_security(bprm);
1677 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1679 struct task_security_struct *tsec = current->security;
1682 if (tsec->osid != tsec->sid) {
1683 /* Enable secure mode for SIDs transitions unless
1684 the noatsecure permission is granted between
1685 the two SIDs, i.e. ahp returns 0. */
1686 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1688 PROCESS__NOATSECURE, NULL);
1691 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1694 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1696 kfree(bprm->security);
1697 bprm->security = NULL;
1700 extern struct vfsmount *selinuxfs_mount;
1701 extern struct dentry *selinux_null;
1703 /* Derived from fs/exec.c:flush_old_files. */
1704 static inline void flush_unauthorized_files(struct files_struct * files)
1706 struct avc_audit_data ad;
1707 struct file *file, *devnull = NULL;
1708 struct tty_struct *tty = current->signal->tty;
1709 struct fdtable *fdt;
1714 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1716 /* Revalidate access to controlling tty.
1717 Use inode_has_perm on the tty inode directly rather
1718 than using file_has_perm, as this particular open
1719 file may belong to another process and we are only
1720 interested in the inode-based check here. */
1721 struct inode *inode = file->f_dentry->d_inode;
1722 if (inode_has_perm(current, inode,
1723 FILE__READ | FILE__WRITE, NULL)) {
1724 /* Reset controlling tty. */
1725 current->signal->tty = NULL;
1726 current->signal->tty_old_pgrp = 0;
1732 /* Revalidate access to inherited open files. */
1734 AVC_AUDIT_DATA_INIT(&ad,FS);
1736 spin_lock(&files->file_lock);
1738 unsigned long set, i;
1743 fdt = files_fdtable(files);
1744 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1746 set = fdt->open_fds->fds_bits[j];
1749 spin_unlock(&files->file_lock);
1750 for ( ; set ; i++,set >>= 1) {
1755 if (file_has_perm(current,
1757 file_to_av(file))) {
1759 fd = get_unused_fd();
1769 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1776 fd_install(fd, devnull);
1781 spin_lock(&files->file_lock);
1784 spin_unlock(&files->file_lock);
1787 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1789 struct task_security_struct *tsec;
1790 struct bprm_security_struct *bsec;
1794 secondary_ops->bprm_apply_creds(bprm, unsafe);
1796 tsec = current->security;
1798 bsec = bprm->security;
1801 tsec->osid = tsec->sid;
1803 if (tsec->sid != sid) {
1804 /* Check for shared state. If not ok, leave SID
1805 unchanged and kill. */
1806 if (unsafe & LSM_UNSAFE_SHARE) {
1807 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1808 PROCESS__SHARE, NULL);
1815 /* Check for ptracing, and update the task SID if ok.
1816 Otherwise, leave SID unchanged and kill. */
1817 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1818 struct task_struct *t;
1821 t = tracehook_tracer_task(current);
1822 if (unlikely(t == NULL))
1825 struct task_security_struct *sec = t->security;
1826 u32 ptsid = sec->sid;
1829 rc = avc_has_perm(ptsid, sid,
1831 PROCESS__PTRACE, NULL);
1843 * called after apply_creds without the task lock held
1845 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1847 struct task_security_struct *tsec;
1848 struct rlimit *rlim, *initrlim;
1849 struct itimerval itimer;
1850 struct bprm_security_struct *bsec;
1853 tsec = current->security;
1854 bsec = bprm->security;
1857 force_sig_specific(SIGKILL, current);
1860 if (tsec->osid == tsec->sid)
1863 /* Close files for which the new task SID is not authorized. */
1864 flush_unauthorized_files(current->files);
1866 /* Check whether the new SID can inherit signal state
1867 from the old SID. If not, clear itimers to avoid
1868 subsequent signal generation and flush and unblock
1869 signals. This must occur _after_ the task SID has
1870 been updated so that any kill done after the flush
1871 will be checked against the new SID. */
1872 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1873 PROCESS__SIGINH, NULL);
1875 memset(&itimer, 0, sizeof itimer);
1876 for (i = 0; i < 3; i++)
1877 do_setitimer(i, &itimer, NULL);
1878 flush_signals(current);
1879 spin_lock_irq(¤t->sighand->siglock);
1880 flush_signal_handlers(current, 1);
1881 sigemptyset(¤t->blocked);
1882 recalc_sigpending();
1883 spin_unlock_irq(¤t->sighand->siglock);
1886 /* Check whether the new SID can inherit resource limits
1887 from the old SID. If not, reset all soft limits to
1888 the lower of the current task's hard limit and the init
1889 task's soft limit. Note that the setting of hard limits
1890 (even to lower them) can be controlled by the setrlimit
1891 check. The inclusion of the init task's soft limit into
1892 the computation is to avoid resetting soft limits higher
1893 than the default soft limit for cases where the default
1894 is lower than the hard limit, e.g. RLIMIT_CORE or
1896 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1897 PROCESS__RLIMITINH, NULL);
1899 for (i = 0; i < RLIM_NLIMITS; i++) {
1900 rlim = current->signal->rlim + i;
1901 initrlim = init_task.signal->rlim+i;
1902 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1904 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1906 * This will cause RLIMIT_CPU calculations
1909 current->it_prof_expires = jiffies_to_cputime(1);
1913 /* Wake up the parent if it is waiting so that it can
1914 recheck wait permission to the new task SID. */
1915 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
1918 /* superblock security operations */
1920 static int selinux_sb_alloc_security(struct super_block *sb)
1922 return superblock_alloc_security(sb);
1925 static void selinux_sb_free_security(struct super_block *sb)
1927 superblock_free_security(sb);
1930 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1935 return !memcmp(prefix, option, plen);
1938 static inline int selinux_option(char *option, int len)
1940 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1941 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1942 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
1943 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
1946 static inline void take_option(char **to, char *from, int *first, int len)
1954 memcpy(*to, from, len);
1958 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1960 int fnosec, fsec, rc = 0;
1961 char *in_save, *in_curr, *in_end;
1962 char *sec_curr, *nosec_save, *nosec;
1967 /* Binary mount data: just copy */
1968 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1969 copy_page(sec_curr, in_curr);
1973 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1981 in_save = in_end = orig;
1984 if (*in_end == ',' || *in_end == '\0') {
1985 int len = in_end - in_curr;
1987 if (selinux_option(in_curr, len))
1988 take_option(&sec_curr, in_curr, &fsec, len);
1990 take_option(&nosec, in_curr, &fnosec, len);
1992 in_curr = in_end + 1;
1994 } while (*in_end++);
1996 strcpy(in_save, nosec_save);
1997 free_page((unsigned long)nosec_save);
2002 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2004 struct avc_audit_data ad;
2007 rc = superblock_doinit(sb, data);
2011 AVC_AUDIT_DATA_INIT(&ad,FS);
2012 ad.u.fs.dentry = sb->s_root;
2013 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2016 static int selinux_sb_statfs(struct dentry *dentry)
2018 struct avc_audit_data ad;
2020 AVC_AUDIT_DATA_INIT(&ad,FS);
2021 ad.u.fs.dentry = dentry->d_sb->s_root;
2022 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2025 static int selinux_mount(char * dev_name,
2026 struct nameidata *nd,
2028 unsigned long flags,
2033 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2037 if (flags & MS_REMOUNT)
2038 return superblock_has_perm(current, nd->mnt->mnt_sb,
2039 FILESYSTEM__REMOUNT, NULL);
2041 return dentry_has_perm(current, nd->mnt, nd->dentry,
2045 static int selinux_umount(struct vfsmount *mnt, int flags)
2049 rc = secondary_ops->sb_umount(mnt, flags);
2053 return superblock_has_perm(current,mnt->mnt_sb,
2054 FILESYSTEM__UNMOUNT,NULL);
2057 /* inode security operations */
2059 static int selinux_inode_alloc_security(struct inode *inode)
2061 return inode_alloc_security(inode);
2064 static void selinux_inode_free_security(struct inode *inode)
2066 inode_free_security(inode);
2069 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2070 char **name, void **value,
2073 struct task_security_struct *tsec;
2074 struct inode_security_struct *dsec;
2075 struct superblock_security_struct *sbsec;
2078 char *namep = NULL, *context;
2080 tsec = current->security;
2081 dsec = dir->i_security;
2082 sbsec = dir->i_sb->s_security;
2084 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2085 newsid = tsec->create_sid;
2087 rc = security_transition_sid(tsec->sid, dsec->sid,
2088 inode_mode_to_security_class(inode->i_mode),
2091 printk(KERN_WARNING "%s: "
2092 "security_transition_sid failed, rc=%d (dev=%s "
2095 -rc, inode->i_sb->s_id, inode->i_ino);
2100 inode_security_set_sid(inode, newsid);
2102 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2106 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2113 rc = security_sid_to_context(newsid, &context, &clen);
2125 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2127 return may_create(dir, dentry, SECCLASS_FILE);
2130 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2134 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2137 return may_link(dir, old_dentry, MAY_LINK);
2140 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2144 rc = secondary_ops->inode_unlink(dir, dentry);
2147 return may_link(dir, dentry, MAY_UNLINK);
2150 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2152 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2155 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2157 return may_create(dir, dentry, SECCLASS_DIR);
2160 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2162 return may_link(dir, dentry, MAY_RMDIR);
2165 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2169 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2173 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2176 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2177 struct inode *new_inode, struct dentry *new_dentry)
2179 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2182 static int selinux_inode_readlink(struct dentry *dentry)
2184 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2187 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2191 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2194 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2197 static int selinux_inode_permission(struct inode *inode, int mask,
2198 struct nameidata *nd)
2202 rc = secondary_ops->inode_permission(inode, mask, nd);
2207 /* No permission to check. Existence test. */
2211 return inode_has_perm(current, inode,
2212 file_mask_to_av(inode->i_mode, mask), NULL);
2215 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2219 rc = secondary_ops->inode_setattr(dentry, iattr);
2223 if (iattr->ia_valid & ATTR_FORCE)
2226 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2227 ATTR_ATIME_SET | ATTR_MTIME_SET))
2228 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2230 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2233 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2235 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2238 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2240 struct task_security_struct *tsec = current->security;
2241 struct inode *inode = dentry->d_inode;
2242 struct inode_security_struct *isec = inode->i_security;
2243 struct superblock_security_struct *sbsec;
2244 struct avc_audit_data ad;
2248 if (strcmp(name, XATTR_NAME_SELINUX)) {
2249 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2250 sizeof XATTR_SECURITY_PREFIX - 1) &&
2251 !capable(CAP_SYS_ADMIN)) {
2252 /* A different attribute in the security namespace.
2253 Restrict to administrator. */
2257 /* Not an attribute we recognize, so just check the
2258 ordinary setattr permission. */
2259 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2262 sbsec = inode->i_sb->s_security;
2263 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2266 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2269 AVC_AUDIT_DATA_INIT(&ad,FS);
2270 ad.u.fs.dentry = dentry;
2272 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2273 FILE__RELABELFROM, &ad);
2277 rc = security_context_to_sid(value, size, &newsid);
2281 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2282 FILE__RELABELTO, &ad);
2286 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2291 return avc_has_perm(newsid,
2293 SECCLASS_FILESYSTEM,
2294 FILESYSTEM__ASSOCIATE,
2298 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2299 void *value, size_t size, int flags)
2301 struct inode *inode = dentry->d_inode;
2302 struct inode_security_struct *isec = inode->i_security;
2306 if (strcmp(name, XATTR_NAME_SELINUX)) {
2307 /* Not an attribute we recognize, so nothing to do. */
2311 rc = security_context_to_sid(value, size, &newsid);
2313 printk(KERN_WARNING "%s: unable to obtain SID for context "
2314 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2322 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2324 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2327 static int selinux_inode_listxattr (struct dentry *dentry)
2329 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2332 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2334 if (strcmp(name, XATTR_NAME_SELINUX)) {
2335 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2336 sizeof XATTR_SECURITY_PREFIX - 1) &&
2337 !capable(CAP_SYS_ADMIN)) {
2338 /* A different attribute in the security namespace.
2339 Restrict to administrator. */
2343 /* Not an attribute we recognize, so just check the
2344 ordinary setattr permission. Might want a separate
2345 permission for removexattr. */
2346 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2349 /* No one is allowed to remove a SELinux security label.
2350 You can change the label, but all data must be labeled. */
2354 static const char *selinux_inode_xattr_getsuffix(void)
2356 return XATTR_SELINUX_SUFFIX;
2360 * Copy the in-core inode security context value to the user. If the
2361 * getxattr() prior to this succeeded, check to see if we need to
2362 * canonicalize the value to be finally returned to the user.
2364 * Permission check is handled by selinux_inode_getxattr hook.
2366 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
2368 struct inode_security_struct *isec = inode->i_security;
2370 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2373 return selinux_getsecurity(isec->sid, buffer, size);
2376 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2377 const void *value, size_t size, int flags)
2379 struct inode_security_struct *isec = inode->i_security;
2383 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2386 if (!value || !size)
2389 rc = security_context_to_sid((void*)value, size, &newsid);
2397 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2399 const int len = sizeof(XATTR_NAME_SELINUX);
2400 if (buffer && len <= buffer_size)
2401 memcpy(buffer, XATTR_NAME_SELINUX, len);
2405 /* file security operations */
2407 static int selinux_file_permission(struct file *file, int mask)
2409 struct inode *inode = file->f_dentry->d_inode;
2412 /* No permission to check. Existence test. */
2416 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2417 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2420 return file_has_perm(current, file,
2421 file_mask_to_av(inode->i_mode, mask));
2424 static int selinux_file_alloc_security(struct file *file)
2426 return file_alloc_security(file);
2429 static void selinux_file_free_security(struct file *file)
2431 file_free_security(file);
2434 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2446 case EXT2_IOC_GETFLAGS:
2448 case EXT2_IOC_GETVERSION:
2449 error = file_has_perm(current, file, FILE__GETATTR);
2452 case EXT2_IOC_SETFLAGS:
2454 case EXT2_IOC_SETVERSION:
2455 error = file_has_perm(current, file, FILE__SETATTR);
2458 /* sys_ioctl() checks */
2462 error = file_has_perm(current, file, 0);
2467 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2470 /* default case assumes that the command will go
2471 * to the file's ioctl() function.
2474 error = file_has_perm(current, file, FILE__IOCTL);
2480 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2482 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2484 * We are making executable an anonymous mapping or a
2485 * private file mapping that will also be writable.
2486 * This has an additional check.
2488 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2494 /* read access is always possible with a mapping */
2495 u32 av = FILE__READ;
2497 /* write access only matters if the mapping is shared */
2498 if (shared && (prot & PROT_WRITE))
2501 if (prot & PROT_EXEC)
2502 av |= FILE__EXECUTE;
2504 return file_has_perm(current, file, av);
2509 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2510 unsigned long prot, unsigned long flags)
2514 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2518 if (selinux_checkreqprot)
2521 return file_map_prot_check(file, prot,
2522 (flags & MAP_TYPE) == MAP_SHARED);
2525 static int selinux_file_mprotect(struct vm_area_struct *vma,
2526 unsigned long reqprot,
2531 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2535 if (selinux_checkreqprot)
2538 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2540 if (vma->vm_start >= vma->vm_mm->start_brk &&
2541 vma->vm_end <= vma->vm_mm->brk) {
2542 rc = task_has_perm(current, current,
2544 } else if (!vma->vm_file &&
2545 vma->vm_start <= vma->vm_mm->start_stack &&
2546 vma->vm_end >= vma->vm_mm->start_stack) {
2547 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2548 } else if (vma->vm_file && vma->anon_vma) {
2550 * We are making executable a file mapping that has
2551 * had some COW done. Since pages might have been
2552 * written, check ability to execute the possibly
2553 * modified content. This typically should only
2554 * occur for text relocations.
2556 rc = file_has_perm(current, vma->vm_file,
2563 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2566 static int selinux_file_lock(struct file *file, unsigned int cmd)
2568 return file_has_perm(current, file, FILE__LOCK);
2571 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2578 if (!file->f_dentry || !file->f_dentry->d_inode) {
2583 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2584 err = file_has_perm(current, file,FILE__WRITE);
2593 /* Just check FD__USE permission */
2594 err = file_has_perm(current, file, 0);
2599 #if BITS_PER_LONG == 32
2604 if (!file->f_dentry || !file->f_dentry->d_inode) {
2608 err = file_has_perm(current, file, FILE__LOCK);
2615 static int selinux_file_set_fowner(struct file *file)
2617 struct task_security_struct *tsec;
2618 struct file_security_struct *fsec;
2620 tsec = current->security;
2621 fsec = file->f_security;
2622 fsec->fown_sid = tsec->sid;
2627 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2628 struct fown_struct *fown, int signum)
2632 struct task_security_struct *tsec;
2633 struct file_security_struct *fsec;
2635 /* struct fown_struct is never outside the context of a struct file */
2636 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2638 tsec = tsk->security;
2639 fsec = file->f_security;
2642 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2644 perm = signal_to_av(signum);
2646 return avc_has_perm(fsec->fown_sid, tsec->sid,
2647 SECCLASS_PROCESS, perm, NULL);
2650 static int selinux_file_receive(struct file *file)
2652 return file_has_perm(current, file, file_to_av(file));
2655 /* task security operations */
2657 static int selinux_task_create(unsigned long clone_flags)
2661 rc = secondary_ops->task_create(clone_flags);
2665 return task_has_perm(current, current, PROCESS__FORK);
2668 static int selinux_task_alloc_security(struct task_struct *tsk)
2670 struct task_security_struct *tsec1, *tsec2;
2673 tsec1 = current->security;
2675 rc = task_alloc_security(tsk);
2678 tsec2 = tsk->security;
2680 tsec2->osid = tsec1->osid;
2681 tsec2->sid = tsec1->sid;
2683 /* Retain the exec, fs, key, and sock SIDs across fork */
2684 tsec2->exec_sid = tsec1->exec_sid;
2685 tsec2->create_sid = tsec1->create_sid;
2686 tsec2->keycreate_sid = tsec1->keycreate_sid;
2687 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2692 static void selinux_task_free_security(struct task_struct *tsk)
2694 task_free_security(tsk);
2697 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2699 /* Since setuid only affects the current process, and
2700 since the SELinux controls are not based on the Linux
2701 identity attributes, SELinux does not need to control
2702 this operation. However, SELinux does control the use
2703 of the CAP_SETUID and CAP_SETGID capabilities using the
2708 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2710 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2713 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2715 /* See the comment for setuid above. */
2719 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2721 return task_has_perm(current, p, PROCESS__SETPGID);
2724 static int selinux_task_getpgid(struct task_struct *p)
2726 return task_has_perm(current, p, PROCESS__GETPGID);
2729 static int selinux_task_getsid(struct task_struct *p)
2731 return task_has_perm(current, p, PROCESS__GETSESSION);
2734 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
2736 selinux_get_task_sid(p, secid);
2739 static int selinux_task_setgroups(struct group_info *group_info)
2741 /* See the comment for setuid above. */
2745 static int selinux_task_setnice(struct task_struct *p, int nice)
2749 rc = secondary_ops->task_setnice(p, nice);
2753 return task_has_perm(current,p, PROCESS__SETSCHED);
2756 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
2758 return task_has_perm(current, p, PROCESS__SETSCHED);
2761 static int selinux_task_getioprio(struct task_struct *p)
2763 return task_has_perm(current, p, PROCESS__GETSCHED);
2766 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2768 struct rlimit *old_rlim = current->signal->rlim + resource;
2771 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2775 /* Control the ability to change the hard limit (whether
2776 lowering or raising it), so that the hard limit can
2777 later be used as a safe reset point for the soft limit
2778 upon context transitions. See selinux_bprm_apply_creds. */
2779 if (old_rlim->rlim_max != new_rlim->rlim_max)
2780 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2785 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2787 return task_has_perm(current, p, PROCESS__SETSCHED);
2790 static int selinux_task_getscheduler(struct task_struct *p)
2792 return task_has_perm(current, p, PROCESS__GETSCHED);
2795 static int selinux_task_movememory(struct task_struct *p)
2797 return task_has_perm(current, p, PROCESS__SETSCHED);
2800 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
2805 struct task_security_struct *tsec;
2807 rc = secondary_ops->task_kill(p, info, sig, secid);
2811 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2815 perm = PROCESS__SIGNULL; /* null signal; existence test */
2817 perm = signal_to_av(sig);
2820 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
2822 rc = task_has_perm(current, p, perm);
2826 static int selinux_task_prctl(int option,
2832 /* The current prctl operations do not appear to require
2833 any SELinux controls since they merely observe or modify
2834 the state of the current process. */
2838 static int selinux_task_wait(struct task_struct *p)
2842 perm = signal_to_av(p->exit_signal);
2844 return task_has_perm(p, current, perm);
2847 static void selinux_task_reparent_to_init(struct task_struct *p)
2849 struct task_security_struct *tsec;
2851 secondary_ops->task_reparent_to_init(p);
2854 tsec->osid = tsec->sid;
2855 tsec->sid = SECINITSID_KERNEL;
2859 static void selinux_task_to_inode(struct task_struct *p,
2860 struct inode *inode)
2862 struct task_security_struct *tsec = p->security;
2863 struct inode_security_struct *isec = inode->i_security;
2865 isec->sid = tsec->sid;
2866 isec->initialized = 1;
2870 /* Returns error only if unable to parse addresses */
2871 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2873 int offset, ihlen, ret = -EINVAL;
2874 struct iphdr _iph, *ih;
2876 offset = skb->nh.raw - skb->data;
2877 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2881 ihlen = ih->ihl * 4;
2882 if (ihlen < sizeof(_iph))
2885 ad->u.net.v4info.saddr = ih->saddr;
2886 ad->u.net.v4info.daddr = ih->daddr;
2889 switch (ih->protocol) {
2891 struct tcphdr _tcph, *th;
2893 if (ntohs(ih->frag_off) & IP_OFFSET)
2897 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2901 ad->u.net.sport = th->source;
2902 ad->u.net.dport = th->dest;
2907 struct udphdr _udph, *uh;
2909 if (ntohs(ih->frag_off) & IP_OFFSET)
2913 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2917 ad->u.net.sport = uh->source;
2918 ad->u.net.dport = uh->dest;
2929 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2931 /* Returns error only if unable to parse addresses */
2932 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2935 int ret = -EINVAL, offset;
2936 struct ipv6hdr _ipv6h, *ip6;
2938 offset = skb->nh.raw - skb->data;
2939 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2943 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2944 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2947 nexthdr = ip6->nexthdr;
2948 offset += sizeof(_ipv6h);
2949 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2955 struct tcphdr _tcph, *th;
2957 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2961 ad->u.net.sport = th->source;
2962 ad->u.net.dport = th->dest;
2967 struct udphdr _udph, *uh;
2969 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2973 ad->u.net.sport = uh->source;
2974 ad->u.net.dport = uh->dest;
2978 /* includes fragments */
2988 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2989 char **addrp, int *len, int src)
2993 switch (ad->u.net.family) {
2995 ret = selinux_parse_skb_ipv4(skb, ad);
2999 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3000 &ad->u.net.v4info.daddr);
3003 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3005 ret = selinux_parse_skb_ipv6(skb, ad);
3009 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3010 &ad->u.net.v6info.daddr);
3020 /* socket security operations */
3021 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3024 struct inode_security_struct *isec;
3025 struct task_security_struct *tsec;
3026 struct avc_audit_data ad;
3029 tsec = task->security;
3030 isec = SOCK_INODE(sock)->i_security;
3032 if (isec->sid == SECINITSID_KERNEL)
3035 AVC_AUDIT_DATA_INIT(&ad,NET);
3036 ad.u.net.sk = sock->sk;
3037 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3043 static int selinux_socket_create(int family, int type,
3044 int protocol, int kern)
3047 struct task_security_struct *tsec;
3053 tsec = current->security;
3054 newsid = tsec->sockcreate_sid ? : tsec->sid;
3055 err = avc_has_perm(tsec->sid, newsid,
3056 socket_type_to_security_class(family, type,
3057 protocol), SOCKET__CREATE, NULL);
3063 static void selinux_socket_post_create(struct socket *sock, int family,
3064 int type, int protocol, int kern)
3066 struct inode_security_struct *isec;
3067 struct task_security_struct *tsec;
3070 isec = SOCK_INODE(sock)->i_security;
3072 tsec = current->security;
3073 newsid = tsec->sockcreate_sid ? : tsec->sid;
3074 isec->sclass = socket_type_to_security_class(family, type, protocol);
3075 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3076 isec->initialized = 1;
3081 /* Range of port numbers used to automatically bind.
3082 Need to determine whether we should perform a name_bind
3083 permission check between the socket and the port number. */
3084 #define ip_local_port_range_0 sysctl_local_port_range[0]
3085 #define ip_local_port_range_1 sysctl_local_port_range[1]
3087 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3092 err = socket_has_perm(current, sock, SOCKET__BIND);
3097 * If PF_INET or PF_INET6, check name_bind permission for the port.
3098 * Multiple address binding for SCTP is not supported yet: we just
3099 * check the first address now.
3101 family = sock->sk->sk_family;
3102 if (family == PF_INET || family == PF_INET6) {
3104 struct inode_security_struct *isec;
3105 struct task_security_struct *tsec;
3106 struct avc_audit_data ad;
3107 struct sockaddr_in *addr4 = NULL;
3108 struct sockaddr_in6 *addr6 = NULL;
3109 unsigned short snum;
3110 struct sock *sk = sock->sk;
3111 u32 sid, node_perm, addrlen;
3113 tsec = current->security;
3114 isec = SOCK_INODE(sock)->i_security;
3116 if (family == PF_INET) {
3117 addr4 = (struct sockaddr_in *)address;
3118 snum = ntohs(addr4->sin_port);
3119 addrlen = sizeof(addr4->sin_addr.s_addr);
3120 addrp = (char *)&addr4->sin_addr.s_addr;
3122 addr6 = (struct sockaddr_in6 *)address;
3123 snum = ntohs(addr6->sin6_port);
3124 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3125 addrp = (char *)&addr6->sin6_addr.s6_addr;
3128 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3129 snum > ip_local_port_range_1)) {
3130 err = security_port_sid(sk->sk_family, sk->sk_type,
3131 sk->sk_protocol, snum, &sid);
3134 AVC_AUDIT_DATA_INIT(&ad,NET);
3135 ad.u.net.sport = htons(snum);
3136 ad.u.net.family = family;
3137 err = avc_has_perm(isec->sid, sid,
3139 SOCKET__NAME_BIND, &ad);
3144 switch(isec->sclass) {
3145 case SECCLASS_TCP_SOCKET:
3146 node_perm = TCP_SOCKET__NODE_BIND;
3149 case SECCLASS_UDP_SOCKET:
3150 node_perm = UDP_SOCKET__NODE_BIND;
3154 node_perm = RAWIP_SOCKET__NODE_BIND;
3158 err = security_node_sid(family, addrp, addrlen, &sid);
3162 AVC_AUDIT_DATA_INIT(&ad,NET);
3163 ad.u.net.sport = htons(snum);
3164 ad.u.net.family = family;
3166 if (family == PF_INET)
3167 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3169 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3171 err = avc_has_perm(isec->sid, sid,
3172 isec->sclass, node_perm, &ad);
3180 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3182 struct inode_security_struct *isec;
3185 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3190 * If a TCP socket, check name_connect permission for the port.
3192 isec = SOCK_INODE(sock)->i_security;
3193 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3194 struct sock *sk = sock->sk;
3195 struct avc_audit_data ad;
3196 struct sockaddr_in *addr4 = NULL;
3197 struct sockaddr_in6 *addr6 = NULL;
3198 unsigned short snum;
3201 if (sk->sk_family == PF_INET) {
3202 addr4 = (struct sockaddr_in *)address;
3203 if (addrlen < sizeof(struct sockaddr_in))
3205 snum = ntohs(addr4->sin_port);
3207 addr6 = (struct sockaddr_in6 *)address;
3208 if (addrlen < SIN6_LEN_RFC2133)
3210 snum = ntohs(addr6->sin6_port);
3213 err = security_port_sid(sk->sk_family, sk->sk_type,
3214 sk->sk_protocol, snum, &sid);
3218 AVC_AUDIT_DATA_INIT(&ad,NET);
3219 ad.u.net.dport = htons(snum);
3220 ad.u.net.family = sk->sk_family;
3221 err = avc_has_perm(isec->sid, sid, isec->sclass,
3222 TCP_SOCKET__NAME_CONNECT, &ad);
3231 static int selinux_socket_listen(struct socket *sock, int backlog)
3233 return socket_has_perm(current, sock, SOCKET__LISTEN);
3236 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3239 struct inode_security_struct *isec;
3240 struct inode_security_struct *newisec;
3242 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3246 newisec = SOCK_INODE(newsock)->i_security;
3248 isec = SOCK_INODE(sock)->i_security;
3249 newisec->sclass = isec->sclass;
3250 newisec->sid = isec->sid;
3251 newisec->initialized = 1;
3256 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3259 return socket_has_perm(current, sock, SOCKET__WRITE);
3262 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3263 int size, int flags)
3265 return socket_has_perm(current, sock, SOCKET__READ);
3268 static int selinux_socket_getsockname(struct socket *sock)
3270 return socket_has_perm(current, sock, SOCKET__GETATTR);
3273 static int selinux_socket_getpeername(struct socket *sock)
3275 return socket_has_perm(current, sock, SOCKET__GETATTR);
3278 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3280 return socket_has_perm(current, sock, SOCKET__SETOPT);
3283 static int selinux_socket_getsockopt(struct socket *sock, int level,
3286 return socket_has_perm(current, sock, SOCKET__GETOPT);
3289 static int selinux_socket_shutdown(struct socket *sock, int how)
3291 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3294 static int selinux_socket_unix_stream_connect(struct socket *sock,
3295 struct socket *other,
3298 struct sk_security_struct *ssec;
3299 struct inode_security_struct *isec;
3300 struct inode_security_struct *other_isec;
3301 struct avc_audit_data ad;
3304 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3308 isec = SOCK_INODE(sock)->i_security;
3309 other_isec = SOCK_INODE(other)->i_security;
3311 AVC_AUDIT_DATA_INIT(&ad,NET);
3312 ad.u.net.sk = other->sk;
3314 err = avc_has_perm(isec->sid, other_isec->sid,
3316 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3320 /* connecting socket */
3321 ssec = sock->sk->sk_security;
3322 ssec->peer_sid = other_isec->sid;
3324 /* server child socket */
3325 ssec = newsk->sk_security;
3326 ssec->peer_sid = isec->sid;
3331 static int selinux_socket_unix_may_send(struct socket *sock,
3332 struct socket *other)
3334 struct inode_security_struct *isec;
3335 struct inode_security_struct *other_isec;
3336 struct avc_audit_data ad;
3339 isec = SOCK_INODE(sock)->i_security;
3340 other_isec = SOCK_INODE(other)->i_security;
3342 AVC_AUDIT_DATA_INIT(&ad,NET);
3343 ad.u.net.sk = other->sk;
3345 err = avc_has_perm(isec->sid, other_isec->sid,
3346 isec->sclass, SOCKET__SENDTO, &ad);
3353 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3354 struct avc_audit_data *ad, u32 sock_sid, u16 sock_class,
3355 u16 family, char *addrp, int len)
3358 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3363 err = sel_netif_sids(skb->dev, &if_sid, NULL);
3367 switch (sock_class) {
3368 case SECCLASS_UDP_SOCKET:
3369 netif_perm = NETIF__UDP_RECV;
3370 node_perm = NODE__UDP_RECV;
3371 recv_perm = UDP_SOCKET__RECV_MSG;
3374 case SECCLASS_TCP_SOCKET:
3375 netif_perm = NETIF__TCP_RECV;
3376 node_perm = NODE__TCP_RECV;
3377 recv_perm = TCP_SOCKET__RECV_MSG;
3381 netif_perm = NETIF__RAWIP_RECV;
3382 node_perm = NODE__RAWIP_RECV;
3386 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3390 err = security_node_sid(family, addrp, len, &node_sid);
3394 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3401 err = security_port_sid(sk->sk_family, sk->sk_type,
3402 sk->sk_protocol, ntohs(ad->u.net.sport),
3407 err = avc_has_perm(sock_sid, port_sid,
3408 sock_class, recv_perm, ad);
3415 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3422 struct socket *sock;
3423 struct avc_audit_data ad;
3425 family = sk->sk_family;
3426 if (family != PF_INET && family != PF_INET6)
3429 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3430 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3433 read_lock_bh(&sk->sk_callback_lock);
3434 sock = sk->sk_socket;
3436 struct inode *inode;
3437 inode = SOCK_INODE(sock);
3439 struct inode_security_struct *isec;
3440 isec = inode->i_security;
3441 sock_sid = isec->sid;
3442 sock_class = isec->sclass;
3445 read_unlock_bh(&sk->sk_callback_lock);
3449 AVC_AUDIT_DATA_INIT(&ad, NET);
3450 ad.u.net.netif = skb->dev ? skb->dev->name : "[unknown]";
3451 ad.u.net.family = family;
3453 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3457 if (selinux_compat_net)
3458 err = selinux_sock_rcv_skb_compat(sk, skb, &ad, sock_sid,
3462 err = avc_has_perm(sock_sid, skb->secmark, SECCLASS_PACKET,
3467 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3472 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3473 int __user *optlen, unsigned len)
3478 struct sk_security_struct *ssec;
3479 struct inode_security_struct *isec;
3482 isec = SOCK_INODE(sock)->i_security;
3484 /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3485 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3486 ssec = sock->sk->sk_security;
3487 peer_sid = ssec->peer_sid;
3489 else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3490 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3492 if (peer_sid == SECSID_NULL) {
3502 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3507 if (scontext_len > len) {
3512 if (copy_to_user(optval, scontext, scontext_len))
3516 if (put_user(scontext_len, optlen))
3524 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
3526 u32 peer_secid = SECSID_NULL;
3529 if (sock && (sock->sk->sk_family == PF_UNIX))
3530 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
3532 peer_secid = selinux_socket_getpeer_dgram(skb);
3534 if (peer_secid == SECSID_NULL)
3536 *secid = peer_secid;
3541 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3543 return sk_alloc_security(sk, family, priority);
3546 static void selinux_sk_free_security(struct sock *sk)
3548 sk_free_security(sk);
3551 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3553 struct inode_security_struct *isec;
3554 u32 sock_sid = SECINITSID_ANY_SOCKET;
3557 return selinux_no_sk_sid(fl);
3559 read_lock_bh(&sk->sk_callback_lock);
3560 isec = get_sock_isec(sk);
3563 sock_sid = isec->sid;
3565 read_unlock_bh(&sk->sk_callback_lock);
3569 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3573 struct nlmsghdr *nlh;
3574 struct socket *sock = sk->sk_socket;
3575 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3577 if (skb->len < NLMSG_SPACE(0)) {
3581 nlh = (struct nlmsghdr *)skb->data;
3583 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3585 if (err == -EINVAL) {
3586 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3587 "SELinux: unrecognized netlink message"
3588 " type=%hu for sclass=%hu\n",
3589 nlh->nlmsg_type, isec->sclass);
3590 if (!selinux_enforcing)
3600 err = socket_has_perm(current, sock, perm);
3605 #ifdef CONFIG_NETFILTER
3607 static int selinux_ip_postroute_last_compat(struct sock *sk, struct net_device *dev,
3608 struct inode_security_struct *isec,
3609 struct avc_audit_data *ad,
3610 u16 family, char *addrp, int len)
3613 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3615 err = sel_netif_sids(dev, &if_sid, NULL);
3619 switch (isec->sclass) {
3620 case SECCLASS_UDP_SOCKET:
3621 netif_perm = NETIF__UDP_SEND;
3622 node_perm = NODE__UDP_SEND;
3623 send_perm = UDP_SOCKET__SEND_MSG;
3626 case SECCLASS_TCP_SOCKET:
3627 netif_perm = NETIF__TCP_SEND;
3628 node_perm = NODE__TCP_SEND;
3629 send_perm = TCP_SOCKET__SEND_MSG;
3633 netif_perm = NETIF__RAWIP_SEND;
3634 node_perm = NODE__RAWIP_SEND;
3638 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3642 err = security_node_sid(family, addrp, len, &node_sid);
3646 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, ad);
3653 err = security_port_sid(sk->sk_family,
3656 ntohs(ad->u.net.dport),
3661 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3668 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3669 struct sk_buff **pskb,
3670 const struct net_device *in,
3671 const struct net_device *out,
3672 int (*okfn)(struct sk_buff *),
3678 struct socket *sock;
3679 struct inode *inode;
3680 struct sk_buff *skb = *pskb;
3681 struct inode_security_struct *isec;
3682 struct avc_audit_data ad;
3683 struct net_device *dev = (struct net_device *)out;
3689 sock = sk->sk_socket;
3693 inode = SOCK_INODE(sock);
3697 isec = inode->i_security;
3699 AVC_AUDIT_DATA_INIT(&ad, NET);
3700 ad.u.net.netif = dev->name;
3701 ad.u.net.family = family;
3703 err = selinux_parse_skb(skb, &ad, &addrp, &len, 0);
3707 if (selinux_compat_net)
3708 err = selinux_ip_postroute_last_compat(sk, dev, isec, &ad,
3709 family, addrp, len);
3711 err = avc_has_perm(isec->sid, skb->secmark, SECCLASS_PACKET,
3717 err = selinux_xfrm_postroute_last(isec->sid, skb);
3719 return err ? NF_DROP : NF_ACCEPT;
3722 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3723 struct sk_buff **pskb,
3724 const struct net_device *in,
3725 const struct net_device *out,
3726 int (*okfn)(struct sk_buff *))
3728 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3731 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3733 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3734 struct sk_buff **pskb,
3735 const struct net_device *in,
3736 const struct net_device *out,
3737 int (*okfn)(struct sk_buff *))
3739 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3744 #endif /* CONFIG_NETFILTER */
3746 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3750 err = secondary_ops->netlink_send(sk, skb);
3754 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3755 err = selinux_nlmsg_perm(sk, skb);
3760 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
3763 struct avc_audit_data ad;
3765 err = secondary_ops->netlink_recv(skb, capability);
3769 AVC_AUDIT_DATA_INIT(&ad, CAP);
3770 ad.u.cap = capability;
3772 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
3773 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
3776 static int ipc_alloc_security(struct task_struct *task,
3777 struct kern_ipc_perm *perm,
3780 struct task_security_struct *tsec = task->security;
3781 struct ipc_security_struct *isec;
3783 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3787 isec->sclass = sclass;
3788 isec->ipc_perm = perm;
3789 isec->sid = tsec->sid;
3790 perm->security = isec;
3795 static void ipc_free_security(struct kern_ipc_perm *perm)
3797 struct ipc_security_struct *isec = perm->security;
3798 perm->security = NULL;
3802 static int msg_msg_alloc_security(struct msg_msg *msg)
3804 struct msg_security_struct *msec;
3806 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3811 msec->sid = SECINITSID_UNLABELED;
3812 msg->security = msec;
3817 static void msg_msg_free_security(struct msg_msg *msg)
3819 struct msg_security_struct *msec = msg->security;
3821 msg->security = NULL;
3825 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3828 struct task_security_struct *tsec;
3829 struct ipc_security_struct *isec;
3830 struct avc_audit_data ad;
3832 tsec = current->security;
3833 isec = ipc_perms->security;
3835 AVC_AUDIT_DATA_INIT(&ad, IPC);
3836 ad.u.ipc_id = ipc_perms->key;
3838 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3841 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3843 return msg_msg_alloc_security(msg);
3846 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3848 msg_msg_free_security(msg);
3851 /* message queue security operations */
3852 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3854 struct task_security_struct *tsec;
3855 struct ipc_security_struct *isec;
3856 struct avc_audit_data ad;
3859 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3863 tsec = current->security;
3864 isec = msq->q_perm.security;
3866 AVC_AUDIT_DATA_INIT(&ad, IPC);
3867 ad.u.ipc_id = msq->q_perm.key;
3869 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3872 ipc_free_security(&msq->q_perm);
3878 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3880 ipc_free_security(&msq->q_perm);
3883 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3885 struct task_security_struct *tsec;
3886 struct ipc_security_struct *isec;
3887 struct avc_audit_data ad;
3889 tsec = current->security;
3890 isec = msq->q_perm.security;
3892 AVC_AUDIT_DATA_INIT(&ad, IPC);
3893 ad.u.ipc_id = msq->q_perm.key;
3895 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3896 MSGQ__ASSOCIATE, &ad);
3899 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3907 /* No specific object, just general system-wide information. */
3908 return task_has_system(current, SYSTEM__IPC_INFO);
3911 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3914 perms = MSGQ__SETATTR;
3917 perms = MSGQ__DESTROY;
3923 err = ipc_has_perm(&msq->q_perm, perms);
3927 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3929 struct task_security_struct *tsec;
3930 struct ipc_security_struct *isec;
3931 struct msg_security_struct *msec;
3932 struct avc_audit_data ad;
3935 tsec = current->security;
3936 isec = msq->q_perm.security;
3937 msec = msg->security;
3940 * First time through, need to assign label to the message
3942 if (msec->sid == SECINITSID_UNLABELED) {
3944 * Compute new sid based on current process and
3945 * message queue this message will be stored in
3947 rc = security_transition_sid(tsec->sid,
3955 AVC_AUDIT_DATA_INIT(&ad, IPC);
3956 ad.u.ipc_id = msq->q_perm.key;
3958 /* Can this process write to the queue? */
3959 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3962 /* Can this process send the message */
3963 rc = avc_has_perm(tsec->sid, msec->sid,
3964 SECCLASS_MSG, MSG__SEND, &ad);
3966 /* Can the message be put in the queue? */
3967 rc = avc_has_perm(msec->sid, isec->sid,
3968 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3973 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3974 struct task_struct *target,
3975 long type, int mode)
3977 struct task_security_struct *tsec;
3978 struct ipc_security_struct *isec;
3979 struct msg_security_struct *msec;
3980 struct avc_audit_data ad;
3983 tsec = target->security;
3984 isec = msq->q_perm.security;
3985 msec = msg->security;
3987 AVC_AUDIT_DATA_INIT(&ad, IPC);
3988 ad.u.ipc_id = msq->q_perm.key;
3990 rc = avc_has_perm(tsec->sid, isec->sid,
3991 SECCLASS_MSGQ, MSGQ__READ, &ad);
3993 rc = avc_has_perm(tsec->sid, msec->sid,
3994 SECCLASS_MSG, MSG__RECEIVE, &ad);
3998 /* Shared Memory security operations */
3999 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4001 struct task_security_struct *tsec;
4002 struct ipc_security_struct *isec;
4003 struct avc_audit_data ad;
4006 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4010 tsec = current->security;
4011 isec = shp->shm_perm.security;
4013 AVC_AUDIT_DATA_INIT(&ad, IPC);
4014 ad.u.ipc_id = shp->shm_perm.key;
4016 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4019 ipc_free_security(&shp->shm_perm);
4025 static void selinux_shm_free_security(struct shmid_kernel *shp)
4027 ipc_free_security(&shp->shm_perm);
4030 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4032 struct task_security_struct *tsec;
4033 struct ipc_security_struct *isec;
4034 struct avc_audit_data ad;
4036 tsec = current->security;
4037 isec = shp->shm_perm.security;
4039 AVC_AUDIT_DATA_INIT(&ad, IPC);
4040 ad.u.ipc_id = shp->shm_perm.key;
4042 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4043 SHM__ASSOCIATE, &ad);
4046 /* Note, at this point, shp is locked down */
4047 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4055 /* No specific object, just general system-wide information. */
4056 return task_has_system(current, SYSTEM__IPC_INFO);
4059 perms = SHM__GETATTR | SHM__ASSOCIATE;
4062 perms = SHM__SETATTR;
4069 perms = SHM__DESTROY;
4075 err = ipc_has_perm(&shp->shm_perm, perms);
4079 static int selinux_shm_shmat(struct shmid_kernel *shp,
4080 char __user *shmaddr, int shmflg)
4085 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4089 if (shmflg & SHM_RDONLY)
4092 perms = SHM__READ | SHM__WRITE;
4094 return ipc_has_perm(&shp->shm_perm, perms);
4097 /* Semaphore security operations */
4098 static int selinux_sem_alloc_security(struct sem_array *sma)
4100 struct task_security_struct *tsec;
4101 struct ipc_security_struct *isec;
4102 struct avc_audit_data ad;
4105 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4109 tsec = current->security;
4110 isec = sma->sem_perm.security;
4112 AVC_AUDIT_DATA_INIT(&ad, IPC);
4113 ad.u.ipc_id = sma->sem_perm.key;
4115 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4118 ipc_free_security(&sma->sem_perm);
4124 static void selinux_sem_free_security(struct sem_array *sma)
4126 ipc_free_security(&sma->sem_perm);
4129 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4131 struct task_security_struct *tsec;
4132 struct ipc_security_struct *isec;
4133 struct avc_audit_data ad;
4135 tsec = current->security;
4136 isec = sma->sem_perm.security;
4138 AVC_AUDIT_DATA_INIT(&ad, IPC);
4139 ad.u.ipc_id = sma->sem_perm.key;
4141 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4142 SEM__ASSOCIATE, &ad);
4145 /* Note, at this point, sma is locked down */
4146 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4154 /* No specific object, just general system-wide information. */
4155 return task_has_system(current, SYSTEM__IPC_INFO);
4159 perms = SEM__GETATTR;
4170 perms = SEM__DESTROY;
4173 perms = SEM__SETATTR;
4177 perms = SEM__GETATTR | SEM__ASSOCIATE;
4183 err = ipc_has_perm(&sma->sem_perm, perms);
4187 static int selinux_sem_semop(struct sem_array *sma,
4188 struct sembuf *sops, unsigned nsops, int alter)
4193 perms = SEM__READ | SEM__WRITE;
4197 return ipc_has_perm(&sma->sem_perm, perms);
4200 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4206 av |= IPC__UNIX_READ;
4208 av |= IPC__UNIX_WRITE;
4213 return ipc_has_perm(ipcp, av);
4216 /* module stacking operations */
4217 static int selinux_register_security (const char *name, struct security_operations *ops)
4219 if (secondary_ops != original_ops) {
4220 printk(KERN_INFO "%s: There is already a secondary security "
4221 "module registered.\n", __FUNCTION__);
4225 secondary_ops = ops;
4227 printk(KERN_INFO "%s: Registering secondary module %s\n",
4234 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4236 if (ops != secondary_ops) {
4237 printk (KERN_INFO "%s: trying to unregister a security module "
4238 "that is not registered.\n", __FUNCTION__);
4242 secondary_ops = original_ops;
4247 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4250 inode_doinit_with_dentry(inode, dentry);
4253 static int selinux_getprocattr(struct task_struct *p,
4254 char *name, void *value, size_t size)
4256 struct task_security_struct *tsec;
4261 error = task_has_perm(current, p, PROCESS__GETATTR);
4268 if (!strcmp(name, "current"))
4270 else if (!strcmp(name, "prev"))
4272 else if (!strcmp(name, "exec"))
4273 sid = tsec->exec_sid;
4274 else if (!strcmp(name, "fscreate"))
4275 sid = tsec->create_sid;
4276 else if (!strcmp(name, "keycreate"))
4277 sid = tsec->keycreate_sid;
4278 else if (!strcmp(name, "sockcreate"))
4279 sid = tsec->sockcreate_sid;
4286 return selinux_getsecurity(sid, value, size);
4289 static int selinux_setprocattr(struct task_struct *p,
4290 char *name, void *value, size_t size)
4292 struct task_security_struct *tsec;
4293 struct task_struct *tracer;
4299 /* SELinux only allows a process to change its own
4300 security attributes. */
4305 * Basic control over ability to set these attributes at all.
4306 * current == p, but we'll pass them separately in case the
4307 * above restriction is ever removed.
4309 if (!strcmp(name, "exec"))
4310 error = task_has_perm(current, p, PROCESS__SETEXEC);
4311 else if (!strcmp(name, "fscreate"))
4312 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4313 else if (!strcmp(name, "keycreate"))
4314 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
4315 else if (!strcmp(name, "sockcreate"))
4316 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
4317 else if (!strcmp(name, "current"))
4318 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4324 /* Obtain a SID for the context, if one was specified. */
4325 if (size && str[1] && str[1] != '\n') {
4326 if (str[size-1] == '\n') {
4330 error = security_context_to_sid(value, size, &sid);
4335 /* Permission checking based on the specified context is
4336 performed during the actual operation (execve,
4337 open/mkdir/...), when we know the full context of the
4338 operation. See selinux_bprm_set_security for the execve
4339 checks and may_create for the file creation checks. The
4340 operation will then fail if the context is not permitted. */
4342 if (!strcmp(name, "exec"))
4343 tsec->exec_sid = sid;
4344 else if (!strcmp(name, "fscreate"))
4345 tsec->create_sid = sid;
4346 else if (!strcmp(name, "keycreate")) {
4347 error = may_create_key(sid, p);
4350 tsec->keycreate_sid = sid;
4351 } else if (!strcmp(name, "sockcreate"))
4352 tsec->sockcreate_sid = sid;
4353 else if (!strcmp(name, "current")) {
4354 struct av_decision avd;
4359 /* Only allow single threaded processes to change context */
4360 if (atomic_read(&p->mm->mm_users) != 1) {
4361 struct task_struct *g, *t;
4362 struct mm_struct *mm = p->mm;
4363 read_lock(&tasklist_lock);
4364 do_each_thread(g, t)
4365 if (t->mm == mm && t != p) {
4366 read_unlock(&tasklist_lock);
4369 while_each_thread(g, t);
4370 read_unlock(&tasklist_lock);
4373 /* Check permissions for the transition. */
4374 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4375 PROCESS__DYNTRANSITION, NULL);
4379 /* Check for ptracing, and update the task SID if ok.
4380 Otherwise, leave SID unchanged and fail. */
4383 tracer = tracehook_tracer_task(p);
4384 if (tracer != NULL) {
4385 struct task_security_struct *ptsec = tracer->security;
4386 u32 ptsid = ptsec->sid;
4388 error = avc_has_perm_noaudit(ptsid, sid,
4390 PROCESS__PTRACE, &avd);
4394 avc_audit(ptsid, sid, SECCLASS_PROCESS,
4395 PROCESS__PTRACE, &avd, error, NULL);
4410 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4412 return security_sid_to_context(secid, secdata, seclen);
4415 static void selinux_release_secctx(char *secdata, u32 seclen)
4423 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
4424 unsigned long flags)
4426 struct task_security_struct *tsec = tsk->security;
4427 struct key_security_struct *ksec;
4429 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
4434 if (tsec->keycreate_sid)
4435 ksec->sid = tsec->keycreate_sid;
4437 ksec->sid = tsec->sid;
4443 static void selinux_key_free(struct key *k)
4445 struct key_security_struct *ksec = k->security;
4451 static int selinux_key_permission(key_ref_t key_ref,
4452 struct task_struct *ctx,
4456 struct task_security_struct *tsec;
4457 struct key_security_struct *ksec;
4459 key = key_ref_to_ptr(key_ref);
4461 tsec = ctx->security;
4462 ksec = key->security;
4464 /* if no specific permissions are requested, we skip the
4465 permission check. No serious, additional covert channels
4466 appear to be created. */
4470 return avc_has_perm(tsec->sid, ksec->sid,
4471 SECCLASS_KEY, perm, NULL);
4476 static struct security_operations selinux_ops = {
4477 .ptrace = selinux_ptrace,
4478 .capget = selinux_capget,
4479 .capset_check = selinux_capset_check,
4480 .capset_set = selinux_capset_set,
4481 .sysctl = selinux_sysctl,
4482 .capable = selinux_capable,
4483 .quotactl = selinux_quotactl,
4484 .quota_on = selinux_quota_on,
4485 .syslog = selinux_syslog,
4486 .vm_enough_memory = selinux_vm_enough_memory,
4488 .netlink_send = selinux_netlink_send,
4489 .netlink_recv = selinux_netlink_recv,
4491 .bprm_alloc_security = selinux_bprm_alloc_security,
4492 .bprm_free_security = selinux_bprm_free_security,
4493 .bprm_apply_creds = selinux_bprm_apply_creds,
4494 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4495 .bprm_set_security = selinux_bprm_set_security,
4496 .bprm_check_security = selinux_bprm_check_security,
4497 .bprm_secureexec = selinux_bprm_secureexec,
4499 .sb_alloc_security = selinux_sb_alloc_security,
4500 .sb_free_security = selinux_sb_free_security,
4501 .sb_copy_data = selinux_sb_copy_data,
4502 .sb_kern_mount = selinux_sb_kern_mount,
4503 .sb_statfs = selinux_sb_statfs,
4504 .sb_mount = selinux_mount,
4505 .sb_umount = selinux_umount,
4507 .inode_alloc_security = selinux_inode_alloc_security,
4508 .inode_free_security = selinux_inode_free_security,
4509 .inode_init_security = selinux_inode_init_security,
4510 .inode_create = selinux_inode_create,
4511 .inode_link = selinux_inode_link,
4512 .inode_unlink = selinux_inode_unlink,
4513 .inode_symlink = selinux_inode_symlink,
4514 .inode_mkdir = selinux_inode_mkdir,
4515 .inode_rmdir = selinux_inode_rmdir,
4516 .inode_mknod = selinux_inode_mknod,
4517 .inode_rename = selinux_inode_rename,
4518 .inode_readlink = selinux_inode_readlink,
4519 .inode_follow_link = selinux_inode_follow_link,
4520 .inode_permission = selinux_inode_permission,
4521 .inode_setattr = selinux_inode_setattr,
4522 .inode_getattr = selinux_inode_getattr,
4523 .inode_setxattr = selinux_inode_setxattr,
4524 .inode_post_setxattr = selinux_inode_post_setxattr,
4525 .inode_getxattr = selinux_inode_getxattr,
4526 .inode_listxattr = selinux_inode_listxattr,
4527 .inode_removexattr = selinux_inode_removexattr,
4528 .inode_xattr_getsuffix = selinux_inode_xattr_getsuffix,
4529 .inode_getsecurity = selinux_inode_getsecurity,
4530 .inode_setsecurity = selinux_inode_setsecurity,
4531 .inode_listsecurity = selinux_inode_listsecurity,
4533 .file_permission = selinux_file_permission,
4534 .file_alloc_security = selinux_file_alloc_security,
4535 .file_free_security = selinux_file_free_security,
4536 .file_ioctl = selinux_file_ioctl,
4537 .file_mmap = selinux_file_mmap,
4538 .file_mprotect = selinux_file_mprotect,
4539 .file_lock = selinux_file_lock,
4540 .file_fcntl = selinux_file_fcntl,
4541 .file_set_fowner = selinux_file_set_fowner,
4542 .file_send_sigiotask = selinux_file_send_sigiotask,
4543 .file_receive = selinux_file_receive,
4545 .task_create = selinux_task_create,
4546 .task_alloc_security = selinux_task_alloc_security,
4547 .task_free_security = selinux_task_free_security,
4548 .task_setuid = selinux_task_setuid,
4549 .task_post_setuid = selinux_task_post_setuid,
4550 .task_setgid = selinux_task_setgid,
4551 .task_setpgid = selinux_task_setpgid,
4552 .task_getpgid = selinux_task_getpgid,
4553 .task_getsid = selinux_task_getsid,
4554 .task_getsecid = selinux_task_getsecid,
4555 .task_setgroups = selinux_task_setgroups,
4556 .task_setnice = selinux_task_setnice,
4557 .task_setioprio = selinux_task_setioprio,
4558 .task_getioprio = selinux_task_getioprio,
4559 .task_setrlimit = selinux_task_setrlimit,
4560 .task_setscheduler = selinux_task_setscheduler,
4561 .task_getscheduler = selinux_task_getscheduler,
4562 .task_movememory = selinux_task_movememory,
4563 .task_kill = selinux_task_kill,
4564 .task_wait = selinux_task_wait,
4565 .task_prctl = selinux_task_prctl,
4566 .task_reparent_to_init = selinux_task_reparent_to_init,
4567 .task_to_inode = selinux_task_to_inode,
4569 .ipc_permission = selinux_ipc_permission,
4571 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4572 .msg_msg_free_security = selinux_msg_msg_free_security,
4574 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4575 .msg_queue_free_security = selinux_msg_queue_free_security,
4576 .msg_queue_associate = selinux_msg_queue_associate,
4577 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4578 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4579 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4581 .shm_alloc_security = selinux_shm_alloc_security,
4582 .shm_free_security = selinux_shm_free_security,
4583 .shm_associate = selinux_shm_associate,
4584 .shm_shmctl = selinux_shm_shmctl,
4585 .shm_shmat = selinux_shm_shmat,
4587 .sem_alloc_security = selinux_sem_alloc_security,
4588 .sem_free_security = selinux_sem_free_security,
4589 .sem_associate = selinux_sem_associate,
4590 .sem_semctl = selinux_sem_semctl,
4591 .sem_semop = selinux_sem_semop,
4593 .register_security = selinux_register_security,
4594 .unregister_security = selinux_unregister_security,
4596 .d_instantiate = selinux_d_instantiate,
4598 .getprocattr = selinux_getprocattr,
4599 .setprocattr = selinux_setprocattr,
4601 .secid_to_secctx = selinux_secid_to_secctx,
4602 .release_secctx = selinux_release_secctx,
4604 .unix_stream_connect = selinux_socket_unix_stream_connect,
4605 .unix_may_send = selinux_socket_unix_may_send,
4607 .socket_create = selinux_socket_create,
4608 .socket_post_create = selinux_socket_post_create,
4609 .socket_bind = selinux_socket_bind,
4610 .socket_connect = selinux_socket_connect,
4611 .socket_listen = selinux_socket_listen,
4612 .socket_accept = selinux_socket_accept,
4613 .socket_sendmsg = selinux_socket_sendmsg,
4614 .socket_recvmsg = selinux_socket_recvmsg,
4615 .socket_getsockname = selinux_socket_getsockname,
4616 .socket_getpeername = selinux_socket_getpeername,
4617 .socket_getsockopt = selinux_socket_getsockopt,
4618 .socket_setsockopt = selinux_socket_setsockopt,
4619 .socket_shutdown = selinux_socket_shutdown,
4620 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4621 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
4622 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
4623 .sk_alloc_security = selinux_sk_alloc_security,
4624 .sk_free_security = selinux_sk_free_security,
4625 .sk_getsid = selinux_sk_getsid_security,
4627 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4628 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
4629 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
4630 .xfrm_policy_free_security = selinux_xfrm_policy_free,
4631 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
4632 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
4633 .xfrm_state_free_security = selinux_xfrm_state_free,
4634 .xfrm_state_delete_security = selinux_xfrm_state_delete,
4635 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
4639 .key_alloc = selinux_key_alloc,
4640 .key_free = selinux_key_free,
4641 .key_permission = selinux_key_permission,
4645 static __init int selinux_init(void)
4647 struct task_security_struct *tsec;
4649 if (!selinux_enabled) {
4650 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4654 printk(KERN_INFO "SELinux: Initializing.\n");
4656 /* Set the security state for the initial task. */
4657 if (task_alloc_security(current))
4658 panic("SELinux: Failed to initialize initial task.\n");
4659 tsec = current->security;
4660 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4662 sel_inode_cache = kmem_cache_create("selinux_inode_security",
4663 sizeof(struct inode_security_struct),
4664 0, SLAB_PANIC, NULL, NULL);
4667 original_ops = secondary_ops = security_ops;
4669 panic ("SELinux: No initial security operations\n");
4670 if (register_security (&selinux_ops))
4671 panic("SELinux: Unable to register with kernel.\n");
4673 if (selinux_enforcing) {
4674 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4676 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4680 /* Add security information to initial keyrings */
4681 selinux_key_alloc(&root_user_keyring, current,
4682 KEY_ALLOC_NOT_IN_QUOTA);
4683 selinux_key_alloc(&root_session_keyring, current,
4684 KEY_ALLOC_NOT_IN_QUOTA);
4690 void selinux_complete_init(void)
4692 printk(KERN_INFO "SELinux: Completing initialization.\n");
4694 /* Set up any superblocks initialized prior to the policy load. */
4695 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4696 spin_lock(&sb_lock);
4697 spin_lock(&sb_security_lock);
4699 if (!list_empty(&superblock_security_head)) {
4700 struct superblock_security_struct *sbsec =
4701 list_entry(superblock_security_head.next,
4702 struct superblock_security_struct,
4704 struct super_block *sb = sbsec->sb;
4706 spin_unlock(&sb_security_lock);
4707 spin_unlock(&sb_lock);
4708 down_read(&sb->s_umount);
4710 superblock_doinit(sb, NULL);
4712 spin_lock(&sb_lock);
4713 spin_lock(&sb_security_lock);
4714 list_del_init(&sbsec->list);
4717 spin_unlock(&sb_security_lock);
4718 spin_unlock(&sb_lock);
4721 /* SELinux requires early initialization in order to label
4722 all processes and objects when they are created. */
4723 security_initcall(selinux_init);
4725 #if defined(CONFIG_NETFILTER)
4727 static struct nf_hook_ops selinux_ipv4_op = {
4728 .hook = selinux_ipv4_postroute_last,
4729 .owner = THIS_MODULE,
4731 .hooknum = NF_IP_POST_ROUTING,
4732 .priority = NF_IP_PRI_SELINUX_LAST,
4735 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4737 static struct nf_hook_ops selinux_ipv6_op = {
4738 .hook = selinux_ipv6_postroute_last,
4739 .owner = THIS_MODULE,
4741 .hooknum = NF_IP6_POST_ROUTING,
4742 .priority = NF_IP6_PRI_SELINUX_LAST,
4747 static int __init selinux_nf_ip_init(void)
4751 if (!selinux_enabled)
4754 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4756 err = nf_register_hook(&selinux_ipv4_op);
4758 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4760 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4762 err = nf_register_hook(&selinux_ipv6_op);
4764 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4772 __initcall(selinux_nf_ip_init);
4774 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4775 static void selinux_nf_ip_exit(void)
4777 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4779 nf_unregister_hook(&selinux_ipv4_op);
4780 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4781 nf_unregister_hook(&selinux_ipv6_op);
4786 #else /* CONFIG_NETFILTER */
4788 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4789 #define selinux_nf_ip_exit()
4792 #endif /* CONFIG_NETFILTER */
4794 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4795 int selinux_disable(void)
4797 extern void exit_sel_fs(void);
4798 static int selinux_disabled = 0;
4800 if (ss_initialized) {
4801 /* Not permitted after initial policy load. */
4805 if (selinux_disabled) {
4806 /* Only do this once. */
4810 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4812 selinux_disabled = 1;
4813 selinux_enabled = 0;
4815 /* Reset security_ops to the secondary module, dummy or capability. */
4816 security_ops = secondary_ops;
4818 /* Unregister netfilter hooks. */
4819 selinux_nf_ip_exit();
4821 /* Unregister selinuxfs. */