2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License version 2,
16 * as published by the Free Software Foundation.
19 #include <linux/config.h>
20 #include <linux/module.h>
21 #include <linux/init.h>
22 #include <linux/kernel.h>
23 #include <linux/ptrace.h>
24 #include <linux/errno.h>
25 #include <linux/sched.h>
26 #include <linux/security.h>
27 #include <linux/xattr.h>
28 #include <linux/capability.h>
29 #include <linux/unistd.h>
31 #include <linux/mman.h>
32 #include <linux/slab.h>
33 #include <linux/pagemap.h>
34 #include <linux/swap.h>
35 #include <linux/smp_lock.h>
36 #include <linux/spinlock.h>
37 #include <linux/syscalls.h>
38 #include <linux/file.h>
39 #include <linux/namei.h>
40 #include <linux/mount.h>
41 #include <linux/ext2_fs.h>
42 #include <linux/proc_fs.h>
44 #include <linux/netfilter_ipv4.h>
45 #include <linux/netfilter_ipv6.h>
47 #include <net/ip.h> /* for sysctl_local_port_range[] */
48 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
49 #include <asm/uaccess.h>
50 #include <asm/semaphore.h>
51 #include <asm/ioctls.h>
52 #include <linux/bitops.h>
53 #include <linux/interrupt.h>
54 #include <linux/netdevice.h> /* for network interface checks */
55 #include <linux/netlink.h>
56 #include <linux/tcp.h>
57 #include <linux/udp.h>
58 #include <linux/quota.h>
59 #include <linux/un.h> /* for Unix socket types */
60 #include <net/af_unix.h> /* for Unix socket types */
61 #include <linux/parser.h>
62 #include <linux/nfs_mount.h>
64 #include <linux/hugetlb.h>
70 #define XATTR_SELINUX_SUFFIX "selinux"
71 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
73 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
74 int selinux_enforcing = 0;
76 static int __init enforcing_setup(char *str)
78 selinux_enforcing = simple_strtol(str,NULL,0);
81 __setup("enforcing=", enforcing_setup);
84 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
85 int selinux_enabled = 1;
87 static int __init selinux_enabled_setup(char *str)
89 selinux_enabled = simple_strtol(str, NULL, 0);
92 __setup("selinux=", selinux_enabled_setup);
95 /* Original (dummy) security module. */
96 static struct security_operations *original_ops = NULL;
98 /* Minimal support for a secondary security module,
99 just to allow the use of the dummy or capability modules.
100 The owlsm module can alternatively be used as a secondary
101 module as long as CONFIG_OWLSM_FD is not enabled. */
102 static struct security_operations *secondary_ops = NULL;
104 /* Lists of inode and superblock security structures initialized
105 before the policy was loaded. */
106 static LIST_HEAD(superblock_security_head);
107 static spinlock_t sb_security_lock = SPIN_LOCK_UNLOCKED;
109 /* Allocate and free functions for each kind of security blob. */
111 static int task_alloc_security(struct task_struct *task)
113 struct task_security_struct *tsec;
115 tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
119 memset(tsec, 0, sizeof(struct task_security_struct));
120 tsec->magic = SELINUX_MAGIC;
122 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
123 task->security = tsec;
128 static void task_free_security(struct task_struct *task)
130 struct task_security_struct *tsec = task->security;
132 if (!tsec || tsec->magic != SELINUX_MAGIC)
135 task->security = NULL;
139 static int inode_alloc_security(struct inode *inode)
141 struct task_security_struct *tsec = current->security;
142 struct inode_security_struct *isec;
144 isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
148 memset(isec, 0, sizeof(struct inode_security_struct));
149 init_MUTEX(&isec->sem);
150 INIT_LIST_HEAD(&isec->list);
151 isec->magic = SELINUX_MAGIC;
153 isec->sid = SECINITSID_UNLABELED;
154 isec->sclass = SECCLASS_FILE;
155 if (tsec && tsec->magic == SELINUX_MAGIC)
156 isec->task_sid = tsec->sid;
158 isec->task_sid = SECINITSID_UNLABELED;
159 inode->i_security = isec;
164 static void inode_free_security(struct inode *inode)
166 struct inode_security_struct *isec = inode->i_security;
167 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
169 if (!isec || isec->magic != SELINUX_MAGIC)
172 spin_lock(&sbsec->isec_lock);
173 if (!list_empty(&isec->list))
174 list_del_init(&isec->list);
175 spin_unlock(&sbsec->isec_lock);
177 inode->i_security = NULL;
181 static int file_alloc_security(struct file *file)
183 struct task_security_struct *tsec = current->security;
184 struct file_security_struct *fsec;
186 fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
190 memset(fsec, 0, sizeof(struct file_security_struct));
191 fsec->magic = SELINUX_MAGIC;
193 if (tsec && tsec->magic == SELINUX_MAGIC) {
194 fsec->sid = tsec->sid;
195 fsec->fown_sid = tsec->sid;
197 fsec->sid = SECINITSID_UNLABELED;
198 fsec->fown_sid = SECINITSID_UNLABELED;
200 file->f_security = fsec;
205 static void file_free_security(struct file *file)
207 struct file_security_struct *fsec = file->f_security;
209 if (!fsec || fsec->magic != SELINUX_MAGIC)
212 file->f_security = NULL;
216 static int superblock_alloc_security(struct super_block *sb)
218 struct superblock_security_struct *sbsec;
220 sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
224 memset(sbsec, 0, sizeof(struct superblock_security_struct));
225 init_MUTEX(&sbsec->sem);
226 INIT_LIST_HEAD(&sbsec->list);
227 INIT_LIST_HEAD(&sbsec->isec_head);
228 spin_lock_init(&sbsec->isec_lock);
229 sbsec->magic = SELINUX_MAGIC;
231 sbsec->sid = SECINITSID_UNLABELED;
232 sbsec->def_sid = SECINITSID_FILE;
233 sb->s_security = sbsec;
238 static void superblock_free_security(struct super_block *sb)
240 struct superblock_security_struct *sbsec = sb->s_security;
242 if (!sbsec || sbsec->magic != SELINUX_MAGIC)
245 spin_lock(&sb_security_lock);
246 if (!list_empty(&sbsec->list))
247 list_del_init(&sbsec->list);
248 spin_unlock(&sb_security_lock);
250 sb->s_security = NULL;
254 #ifdef CONFIG_SECURITY_NETWORK
255 static int sk_alloc_security(struct sock *sk, int family, int priority)
257 struct sk_security_struct *ssec;
259 if (family != PF_UNIX)
262 ssec = kmalloc(sizeof(*ssec), priority);
266 memset(ssec, 0, sizeof(*ssec));
267 ssec->magic = SELINUX_MAGIC;
269 ssec->peer_sid = SECINITSID_UNLABELED;
270 sk->sk_security = ssec;
275 static void sk_free_security(struct sock *sk)
277 struct sk_security_struct *ssec = sk->sk_security;
279 if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
282 sk->sk_security = NULL;
285 #endif /* CONFIG_SECURITY_NETWORK */
287 /* The security server must be initialized before
288 any labeling or access decisions can be provided. */
289 extern int ss_initialized;
291 /* The file system's label must be initialized prior to use. */
293 static char *labeling_behaviors[6] = {
295 "uses transition SIDs",
297 "uses genfs_contexts",
298 "not configured for labeling",
299 "uses mountpoint labeling",
302 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
304 static inline int inode_doinit(struct inode *inode)
306 return inode_doinit_with_dentry(inode, NULL);
315 static match_table_t tokens = {
316 {Opt_context, "context=%s"},
317 {Opt_fscontext, "fscontext=%s"},
318 {Opt_defcontext, "defcontext=%s"},
321 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
323 static int try_context_mount(struct super_block *sb, void *data)
325 char *context = NULL, *defcontext = NULL;
328 int alloc = 0, rc = 0, seen = 0;
329 struct task_security_struct *tsec = current->security;
330 struct superblock_security_struct *sbsec = sb->s_security;
335 name = sb->s_type->name;
337 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
339 /* NFS we understand. */
340 if (!strcmp(name, "nfs")) {
341 struct nfs_mount_data *d = data;
343 if (d->version < NFS_MOUNT_VERSION)
347 context = d->context;
354 /* Standard string-based options. */
355 char *p, *options = data;
357 while ((p = strsep(&options, ",")) != NULL) {
359 substring_t args[MAX_OPT_ARGS];
364 token = match_token(p, tokens, args);
370 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
373 context = match_strdup(&args[0]);
384 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
386 printk(KERN_WARNING "SELinux: "
387 "fscontext option is invalid for"
388 " this filesystem type\n");
391 if (seen & (Opt_context|Opt_fscontext)) {
393 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
396 context = match_strdup(&args[0]);
403 seen |= Opt_fscontext;
407 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
409 printk(KERN_WARNING "SELinux: "
410 "defcontext option is invalid "
411 "for this filesystem type\n");
414 if (seen & (Opt_context|Opt_defcontext)) {
416 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
419 defcontext = match_strdup(&args[0]);
426 seen |= Opt_defcontext;
431 printk(KERN_WARNING "SELinux: unknown mount "
443 rc = security_context_to_sid(context, strlen(context), &sid);
445 printk(KERN_WARNING "SELinux: security_context_to_sid"
446 "(%s) failed for (dev %s, type %s) errno=%d\n",
447 context, sb->s_id, name, rc);
451 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
452 FILESYSTEM__RELABELFROM, NULL, NULL);
456 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
457 FILESYSTEM__RELABELTO, NULL, NULL);
463 if (seen & Opt_context)
464 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
468 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
470 printk(KERN_WARNING "SELinux: security_context_to_sid"
471 "(%s) failed for (dev %s, type %s) errno=%d\n",
472 defcontext, sb->s_id, name, rc);
476 if (sid == sbsec->def_sid)
479 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
480 FILESYSTEM__RELABELFROM, NULL, NULL);
484 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
485 FILESYSTEM__ASSOCIATE, NULL, NULL);
489 sbsec->def_sid = sid;
501 static int superblock_doinit(struct super_block *sb, void *data)
503 struct superblock_security_struct *sbsec = sb->s_security;
504 struct dentry *root = sb->s_root;
505 struct inode *inode = root->d_inode;
509 if (sbsec->initialized)
512 if (!ss_initialized) {
513 /* Defer initialization until selinux_complete_init,
514 after the initial policy is loaded and the security
515 server is ready to handle calls. */
516 spin_lock(&sb_security_lock);
517 if (list_empty(&sbsec->list))
518 list_add(&sbsec->list, &superblock_security_head);
519 spin_unlock(&sb_security_lock);
523 /* Determine the labeling behavior to use for this filesystem type. */
524 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
526 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
527 __FUNCTION__, sb->s_type->name, rc);
531 rc = try_context_mount(sb, data);
535 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
536 /* Make sure that the xattr handler exists and that no
537 error other than -ENODATA is returned by getxattr on
538 the root directory. -ENODATA is ok, as this may be
539 the first boot of the SELinux kernel before we have
540 assigned xattr values to the filesystem. */
541 if (!inode->i_op->getxattr) {
542 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
543 "xattr support\n", sb->s_id, sb->s_type->name);
547 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
548 if (rc < 0 && rc != -ENODATA) {
549 if (rc == -EOPNOTSUPP)
550 printk(KERN_WARNING "SELinux: (dev %s, type "
551 "%s) has no security xattr handler\n",
552 sb->s_id, sb->s_type->name);
554 printk(KERN_WARNING "SELinux: (dev %s, type "
555 "%s) getxattr errno %d\n", sb->s_id,
556 sb->s_type->name, -rc);
561 if (strcmp(sb->s_type->name, "proc") == 0)
564 sbsec->initialized = 1;
566 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
567 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
568 sb->s_id, sb->s_type->name);
571 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
572 sb->s_id, sb->s_type->name,
573 labeling_behaviors[sbsec->behavior-1]);
576 /* Initialize the root inode. */
577 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
579 /* Initialize any other inodes associated with the superblock, e.g.
580 inodes created prior to initial policy load or inodes created
581 during get_sb by a pseudo filesystem that directly
583 spin_lock(&sbsec->isec_lock);
585 if (!list_empty(&sbsec->isec_head)) {
586 struct inode_security_struct *isec =
587 list_entry(sbsec->isec_head.next,
588 struct inode_security_struct, list);
589 struct inode *inode = isec->inode;
590 spin_unlock(&sbsec->isec_lock);
591 inode = igrab(inode);
596 spin_lock(&sbsec->isec_lock);
597 list_del_init(&isec->list);
600 spin_unlock(&sbsec->isec_lock);
606 static inline u16 inode_mode_to_security_class(umode_t mode)
608 switch (mode & S_IFMT) {
610 return SECCLASS_SOCK_FILE;
612 return SECCLASS_LNK_FILE;
614 return SECCLASS_FILE;
616 return SECCLASS_BLK_FILE;
620 return SECCLASS_CHR_FILE;
622 return SECCLASS_FIFO_FILE;
626 return SECCLASS_FILE;
629 static inline u16 socket_type_to_security_class(int family, int type)
635 return SECCLASS_UNIX_STREAM_SOCKET;
637 return SECCLASS_UNIX_DGRAM_SOCKET;
643 return SECCLASS_TCP_SOCKET;
645 return SECCLASS_UDP_SOCKET;
647 return SECCLASS_RAWIP_SOCKET;
650 return SECCLASS_NETLINK_SOCKET;
652 return SECCLASS_PACKET_SOCKET;
654 return SECCLASS_KEY_SOCKET;
657 return SECCLASS_SOCKET;
660 #ifdef CONFIG_PROC_FS
661 static int selinux_proc_get_sid(struct proc_dir_entry *de,
666 char *buffer, *path, *end;
668 buffer = (char*)__get_free_page(GFP_KERNEL);
678 while (de && de != de->parent) {
679 buflen -= de->namelen + 1;
683 memcpy(end, de->name, de->namelen);
688 rc = security_genfs_sid("proc", path, tclass, sid);
689 free_page((unsigned long)buffer);
693 static int selinux_proc_get_sid(struct proc_dir_entry *de,
701 /* The inode's security attributes must be initialized before first use. */
702 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
704 struct superblock_security_struct *sbsec = NULL;
705 struct inode_security_struct *isec = inode->i_security;
707 struct dentry *dentry;
708 #define INITCONTEXTLEN 255
709 char *context = NULL;
714 if (isec->initialized)
719 if (isec->initialized)
722 sbsec = inode->i_sb->s_security;
723 if (!sbsec->initialized) {
724 /* Defer initialization until selinux_complete_init,
725 after the initial policy is loaded and the security
726 server is ready to handle calls. */
727 spin_lock(&sbsec->isec_lock);
728 if (list_empty(&isec->list))
729 list_add(&isec->list, &sbsec->isec_head);
730 spin_unlock(&sbsec->isec_lock);
734 switch (sbsec->behavior) {
735 case SECURITY_FS_USE_XATTR:
736 if (!inode->i_op->getxattr) {
737 isec->sid = sbsec->def_sid;
741 /* Need a dentry, since the xattr API requires one.
742 Life would be simpler if we could just pass the inode. */
744 /* Called from d_instantiate or d_splice_alias. */
745 dentry = dget(opt_dentry);
747 /* Called from selinux_complete_init, try to find a dentry. */
748 dentry = d_find_alias(inode);
751 printk(KERN_WARNING "%s: no dentry for dev=%s "
752 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
757 len = INITCONTEXTLEN;
758 context = kmalloc(len, GFP_KERNEL);
764 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
767 /* Need a larger buffer. Query for the right size. */
768 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
776 context = kmalloc(len, GFP_KERNEL);
782 rc = inode->i_op->getxattr(dentry,
788 if (rc != -ENODATA) {
789 printk(KERN_WARNING "%s: getxattr returned "
790 "%d for dev=%s ino=%ld\n", __FUNCTION__,
791 -rc, inode->i_sb->s_id, inode->i_ino);
795 /* Map ENODATA to the default file SID */
796 sid = sbsec->def_sid;
799 rc = security_context_to_sid(context, rc, &sid);
801 printk(KERN_WARNING "%s: context_to_sid(%s) "
802 "returned %d for dev=%s ino=%ld\n",
803 __FUNCTION__, context, -rc,
804 inode->i_sb->s_id, inode->i_ino);
812 case SECURITY_FS_USE_TASK:
813 isec->sid = isec->task_sid;
815 case SECURITY_FS_USE_TRANS:
816 /* Default to the fs SID. */
817 isec->sid = sbsec->sid;
819 /* Try to obtain a transition SID. */
820 isec->sclass = inode_mode_to_security_class(inode->i_mode);
821 rc = security_transition_sid(isec->task_sid,
830 /* Default to the fs SID. */
831 isec->sid = sbsec->sid;
834 struct proc_inode *proci = PROC_I(inode);
836 isec->sclass = inode_mode_to_security_class(inode->i_mode);
837 rc = selinux_proc_get_sid(proci->pde,
848 isec->initialized = 1;
852 struct socket *sock = SOCKET_I(inode);
854 isec->sclass = socket_type_to_security_class(sock->sk->sk_family,
857 isec->sclass = SECCLASS_SOCKET;
860 isec->sclass = inode_mode_to_security_class(inode->i_mode);
868 /* Convert a Linux signal to an access vector. */
869 static inline u32 signal_to_av(int sig)
875 /* Commonly granted from child to parent. */
876 perm = PROCESS__SIGCHLD;
879 /* Cannot be caught or ignored */
880 perm = PROCESS__SIGKILL;
883 /* Cannot be caught or ignored */
884 perm = PROCESS__SIGSTOP;
887 /* All other signals. */
888 perm = PROCESS__SIGNAL;
895 /* Check permission betweeen a pair of tasks, e.g. signal checks,
896 fork check, ptrace check, etc. */
897 int task_has_perm(struct task_struct *tsk1,
898 struct task_struct *tsk2,
901 struct task_security_struct *tsec1, *tsec2;
903 tsec1 = tsk1->security;
904 tsec2 = tsk2->security;
905 return avc_has_perm(tsec1->sid, tsec2->sid,
906 SECCLASS_PROCESS, perms, &tsec2->avcr, NULL);
909 /* Check whether a task is allowed to use a capability. */
910 int task_has_capability(struct task_struct *tsk,
913 struct task_security_struct *tsec;
914 struct avc_audit_data ad;
916 tsec = tsk->security;
918 AVC_AUDIT_DATA_INIT(&ad,CAP);
922 return avc_has_perm(tsec->sid, tsec->sid,
923 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), NULL, &ad);
926 /* Check whether a task is allowed to use a system operation. */
927 int task_has_system(struct task_struct *tsk,
930 struct task_security_struct *tsec;
932 tsec = tsk->security;
934 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
935 SECCLASS_SYSTEM, perms, NULL, NULL);
938 /* Check whether a task has a particular permission to an inode.
939 The 'aeref' parameter is optional and allows other AVC
940 entry references to be passed (e.g. the one in the struct file).
941 The 'adp' parameter is optional and allows other audit
942 data to be passed (e.g. the dentry). */
943 int inode_has_perm(struct task_struct *tsk,
946 struct avc_entry_ref *aeref,
947 struct avc_audit_data *adp)
949 struct task_security_struct *tsec;
950 struct inode_security_struct *isec;
951 struct avc_audit_data ad;
953 tsec = tsk->security;
954 isec = inode->i_security;
958 AVC_AUDIT_DATA_INIT(&ad, FS);
959 ad.u.fs.inode = inode;
962 return avc_has_perm(tsec->sid, isec->sid, isec->sclass,
963 perms, aeref ? aeref : &isec->avcr, adp);
966 /* Same as inode_has_perm, but pass explicit audit data containing
967 the dentry to help the auditing code to more easily generate the
968 pathname if needed. */
969 static inline int dentry_has_perm(struct task_struct *tsk,
970 struct vfsmount *mnt,
971 struct dentry *dentry,
974 struct inode *inode = dentry->d_inode;
975 struct avc_audit_data ad;
976 AVC_AUDIT_DATA_INIT(&ad,FS);
978 ad.u.fs.dentry = dentry;
979 return inode_has_perm(tsk, inode, av, NULL, &ad);
982 /* Check whether a task can use an open file descriptor to
983 access an inode in a given way. Check access to the
984 descriptor itself, and then use dentry_has_perm to
985 check a particular permission to the file.
986 Access to the descriptor is implicitly granted if it
987 has the same SID as the process. If av is zero, then
988 access to the file is not checked, e.g. for cases
989 where only the descriptor is affected like seek. */
990 static inline int file_has_perm(struct task_struct *tsk,
994 struct task_security_struct *tsec = tsk->security;
995 struct file_security_struct *fsec = file->f_security;
996 struct vfsmount *mnt = file->f_vfsmnt;
997 struct dentry *dentry = file->f_dentry;
998 struct inode *inode = dentry->d_inode;
999 struct avc_audit_data ad;
1002 AVC_AUDIT_DATA_INIT(&ad, FS);
1004 ad.u.fs.dentry = dentry;
1006 if (tsec->sid != fsec->sid) {
1007 rc = avc_has_perm(tsec->sid, fsec->sid,
1015 /* av is zero if only checking access to the descriptor. */
1017 return inode_has_perm(tsk, inode, av, &fsec->inode_avcr, &ad);
1022 /* Check whether a task can create a file. */
1023 static int may_create(struct inode *dir,
1024 struct dentry *dentry,
1027 struct task_security_struct *tsec;
1028 struct inode_security_struct *dsec;
1029 struct superblock_security_struct *sbsec;
1031 struct avc_audit_data ad;
1034 tsec = current->security;
1035 dsec = dir->i_security;
1036 sbsec = dir->i_sb->s_security;
1038 AVC_AUDIT_DATA_INIT(&ad, FS);
1039 ad.u.fs.dentry = dentry;
1041 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1042 DIR__ADD_NAME | DIR__SEARCH,
1047 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1048 newsid = tsec->create_sid;
1050 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1056 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, NULL, &ad);
1060 return avc_has_perm(newsid, sbsec->sid,
1061 SECCLASS_FILESYSTEM,
1062 FILESYSTEM__ASSOCIATE, NULL, &ad);
1066 #define MAY_UNLINK 1
1069 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1070 static int may_link(struct inode *dir,
1071 struct dentry *dentry,
1075 struct task_security_struct *tsec;
1076 struct inode_security_struct *dsec, *isec;
1077 struct avc_audit_data ad;
1081 tsec = current->security;
1082 dsec = dir->i_security;
1083 isec = dentry->d_inode->i_security;
1085 AVC_AUDIT_DATA_INIT(&ad, FS);
1086 ad.u.fs.dentry = dentry;
1089 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1090 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1091 av, &dsec->avcr, &ad);
1106 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1110 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
1111 av, &isec->avcr, &ad);
1115 static inline int may_rename(struct inode *old_dir,
1116 struct dentry *old_dentry,
1117 struct inode *new_dir,
1118 struct dentry *new_dentry)
1120 struct task_security_struct *tsec;
1121 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1122 struct avc_audit_data ad;
1124 int old_is_dir, new_is_dir;
1127 tsec = current->security;
1128 old_dsec = old_dir->i_security;
1129 old_isec = old_dentry->d_inode->i_security;
1130 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1131 new_dsec = new_dir->i_security;
1133 AVC_AUDIT_DATA_INIT(&ad, FS);
1135 ad.u.fs.dentry = old_dentry;
1136 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1137 DIR__REMOVE_NAME | DIR__SEARCH,
1138 &old_dsec->avcr, &ad);
1141 rc = avc_has_perm(tsec->sid, old_isec->sid,
1144 &old_isec->avcr, &ad);
1147 if (old_is_dir && new_dir != old_dir) {
1148 rc = avc_has_perm(tsec->sid, old_isec->sid,
1151 &old_isec->avcr, &ad);
1156 ad.u.fs.dentry = new_dentry;
1157 av = DIR__ADD_NAME | DIR__SEARCH;
1158 if (new_dentry->d_inode)
1159 av |= DIR__REMOVE_NAME;
1160 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR,
1161 av,&new_dsec->avcr, &ad);
1164 if (new_dentry->d_inode) {
1165 new_isec = new_dentry->d_inode->i_security;
1166 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1167 rc = avc_has_perm(tsec->sid, new_isec->sid,
1169 (new_is_dir ? DIR__RMDIR : FILE__UNLINK),
1170 &new_isec->avcr, &ad);
1178 /* Check whether a task can perform a filesystem operation. */
1179 int superblock_has_perm(struct task_struct *tsk,
1180 struct super_block *sb,
1182 struct avc_audit_data *ad)
1184 struct task_security_struct *tsec;
1185 struct superblock_security_struct *sbsec;
1187 tsec = tsk->security;
1188 sbsec = sb->s_security;
1189 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1193 /* Convert a Linux mode and permission mask to an access vector. */
1194 static inline u32 file_mask_to_av(int mode, int mask)
1198 if ((mode & S_IFMT) != S_IFDIR) {
1199 if (mask & MAY_EXEC)
1200 av |= FILE__EXECUTE;
1201 if (mask & MAY_READ)
1204 if (mask & MAY_APPEND)
1206 else if (mask & MAY_WRITE)
1210 if (mask & MAY_EXEC)
1212 if (mask & MAY_WRITE)
1214 if (mask & MAY_READ)
1221 /* Convert a Linux file to an access vector. */
1222 static inline u32 file_to_av(struct file *file)
1226 if (file->f_mode & FMODE_READ)
1228 if (file->f_mode & FMODE_WRITE) {
1229 if (file->f_flags & O_APPEND)
1238 /* Set an inode's SID to a specified value. */
1239 int inode_security_set_sid(struct inode *inode, u32 sid)
1241 struct inode_security_struct *isec = inode->i_security;
1244 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1246 isec->initialized = 1;
1251 /* Set the security attributes on a newly created file. */
1252 static int post_create(struct inode *dir,
1253 struct dentry *dentry)
1256 struct task_security_struct *tsec;
1257 struct inode *inode;
1258 struct inode_security_struct *dsec;
1259 struct superblock_security_struct *sbsec;
1265 tsec = current->security;
1266 dsec = dir->i_security;
1267 sbsec = dir->i_sb->s_security;
1269 inode = dentry->d_inode;
1271 /* Some file system types (e.g. NFS) may not instantiate
1272 a dentry for all create operations (e.g. symlink),
1273 so we have to check to see if the inode is non-NULL. */
1274 printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
1275 "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1279 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1280 newsid = tsec->create_sid;
1282 rc = security_transition_sid(tsec->sid, dsec->sid,
1283 inode_mode_to_security_class(inode->i_mode),
1286 printk(KERN_WARNING "post_create: "
1287 "security_transition_sid failed, rc=%d (dev=%s "
1289 -rc, inode->i_sb->s_id, inode->i_ino);
1294 rc = inode_security_set_sid(inode, newsid);
1296 printk(KERN_WARNING "post_create: inode_security_set_sid "
1297 "failed, rc=%d (dev=%s ino=%ld)\n",
1298 -rc, inode->i_sb->s_id, inode->i_ino);
1302 if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1303 inode->i_op->setxattr) {
1304 /* Use extended attributes. */
1305 rc = security_sid_to_context(newsid, &context, &len);
1307 printk(KERN_WARNING "post_create: sid_to_context "
1308 "failed, rc=%d (dev=%s ino=%ld)\n",
1309 -rc, inode->i_sb->s_id, inode->i_ino);
1312 down(&inode->i_sem);
1313 rc = inode->i_op->setxattr(dentry,
1319 printk(KERN_WARNING "post_create: setxattr failed, "
1320 "rc=%d (dev=%s ino=%ld)\n",
1321 -rc, inode->i_sb->s_id, inode->i_ino);
1330 /* Hook functions begin here. */
1332 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1334 struct task_security_struct *psec = parent->security;
1335 struct task_security_struct *csec = child->security;
1338 rc = secondary_ops->ptrace(parent,child);
1342 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1343 /* Save the SID of the tracing process for later use in apply_creds. */
1345 csec->ptrace_sid = psec->sid;
1349 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1350 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1354 error = task_has_perm(current, target, PROCESS__GETCAP);
1358 return secondary_ops->capget(target, effective, inheritable, permitted);
1361 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1362 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1366 error = task_has_perm(current, target, PROCESS__SETCAP);
1370 return secondary_ops->capset_check(target, effective, inheritable, permitted);
1373 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1374 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1378 error = task_has_perm(current, target, PROCESS__SETCAP);
1382 return secondary_ops->capset_set(target, effective, inheritable, permitted);
1385 static int selinux_capable(struct task_struct *tsk, int cap)
1389 rc = secondary_ops->capable(tsk, cap);
1393 return task_has_capability(tsk,cap);
1396 static int selinux_sysctl(ctl_table *table, int op)
1400 struct task_security_struct *tsec;
1404 tsec = current->security;
1406 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1407 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1409 /* Default to the well-defined sysctl SID. */
1410 tsid = SECINITSID_SYSCTL;
1413 /* The op values are "defined" in sysctl.c, thereby creating
1414 * a bad coupling between this module and sysctl.c */
1416 error = avc_has_perm(tsec->sid, tsid,
1417 SECCLASS_DIR, DIR__SEARCH, NULL, NULL);
1425 error = avc_has_perm(tsec->sid, tsid,
1426 SECCLASS_FILE, av, NULL, NULL);
1432 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1445 rc = superblock_has_perm(current,
1447 FILESYSTEM__QUOTAMOD, NULL);
1452 rc = superblock_has_perm(current,
1454 FILESYSTEM__QUOTAGET, NULL);
1457 rc = 0; /* let the kernel handle invalid cmds */
1463 static int selinux_quota_on(struct file *f)
1465 return file_has_perm(current, f, FILE__QUOTAON);
1468 static int selinux_syslog(int type)
1472 rc = secondary_ops->syslog(type);
1477 case 3: /* Read last kernel messages */
1478 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1480 case 6: /* Disable logging to console */
1481 case 7: /* Enable logging to console */
1482 case 8: /* Set level of messages printed to console */
1483 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1485 case 0: /* Close log */
1486 case 1: /* Open log */
1487 case 2: /* Read from log */
1488 case 4: /* Read/clear last kernel messages */
1489 case 5: /* Clear ring buffer */
1491 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1498 * Check that a process has enough memory to allocate a new virtual
1499 * mapping. 0 means there is enough memory for the allocation to
1500 * succeed and -ENOMEM implies there is not.
1502 * We currently support three overcommit policies, which are set via the
1503 * vm.overcommit_memory sysctl. See Documentation/vm/overcommit-accounting
1505 * Strict overcommit modes added 2002 Feb 26 by Alan Cox.
1506 * Additional code 2002 Jul 20 by Robert Love.
1508 static int selinux_vm_enough_memory(long pages)
1510 unsigned long free, allowed;
1512 struct task_security_struct *tsec = current->security;
1514 vm_acct_memory(pages);
1517 * Sometimes we want to use more memory than we have
1519 if (sysctl_overcommit_memory == 1)
1522 if (sysctl_overcommit_memory == 0) {
1523 free = get_page_cache_size();
1524 free += nr_free_pages();
1525 free += nr_swap_pages;
1528 * Any slabs which are created with the
1529 * SLAB_RECLAIM_ACCOUNT flag claim to have contents
1530 * which are reclaimable, under pressure. The dentry
1531 * cache and most inode caches should fall into this
1533 free += atomic_read(&slab_reclaim_pages);
1536 * Leave the last 3% for privileged processes.
1537 * Don't audit the check, as it is applied to all processes
1538 * that allocate mappings.
1540 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1542 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1543 SECCLASS_CAPABILITY,
1544 CAP_TO_MASK(CAP_SYS_ADMIN),
1552 vm_unacct_memory(pages);
1556 allowed = (totalram_pages - hugetlb_total_pages())
1557 * sysctl_overcommit_ratio / 100;
1558 allowed += total_swap_pages;
1560 if (atomic_read(&vm_committed_space) < allowed)
1563 vm_unacct_memory(pages);
1568 static int selinux_netlink_send(struct sk_buff *skb)
1570 if (capable(CAP_NET_ADMIN))
1571 cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
1573 NETLINK_CB(skb).eff_cap = 0;
1577 static int selinux_netlink_recv(struct sk_buff *skb)
1579 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
1584 /* binprm security operations */
1586 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1588 struct bprm_security_struct *bsec;
1590 bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1594 memset(bsec, 0, sizeof *bsec);
1595 bsec->magic = SELINUX_MAGIC;
1597 bsec->sid = SECINITSID_UNLABELED;
1600 bprm->security = bsec;
1604 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1606 struct task_security_struct *tsec;
1607 struct inode *inode = bprm->file->f_dentry->d_inode;
1608 struct inode_security_struct *isec;
1609 struct bprm_security_struct *bsec;
1611 struct avc_audit_data ad;
1614 rc = secondary_ops->bprm_set_security(bprm);
1618 bsec = bprm->security;
1623 tsec = current->security;
1624 isec = inode->i_security;
1626 /* Default to the current task SID. */
1627 bsec->sid = tsec->sid;
1629 /* Reset create SID on execve. */
1630 tsec->create_sid = 0;
1632 if (tsec->exec_sid) {
1633 newsid = tsec->exec_sid;
1634 /* Reset exec SID on execve. */
1637 /* Check for a default transition on this program. */
1638 rc = security_transition_sid(tsec->sid, isec->sid,
1639 SECCLASS_PROCESS, &newsid);
1644 AVC_AUDIT_DATA_INIT(&ad, FS);
1645 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1646 ad.u.fs.dentry = bprm->file->f_dentry;
1648 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1651 if (tsec->sid == newsid) {
1652 rc = avc_has_perm(tsec->sid, isec->sid,
1653 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS,
1658 /* Check permissions for the transition. */
1659 rc = avc_has_perm(tsec->sid, newsid,
1660 SECCLASS_PROCESS, PROCESS__TRANSITION,
1666 rc = avc_has_perm(newsid, isec->sid,
1667 SECCLASS_FILE, FILE__ENTRYPOINT,
1672 /* Set the security field to the new SID. */
1680 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1686 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1688 struct task_security_struct *tsec = current->security;
1691 if (tsec->osid != tsec->sid) {
1692 /* Enable secure mode for SIDs transitions unless
1693 the noatsecure permission is granted between
1694 the two SIDs, i.e. ahp returns 0. */
1695 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1697 PROCESS__NOATSECURE, NULL, NULL);
1700 /* Note that we must include the legacy uid/gid test below
1701 to retain it, as the new userland will simply use the
1702 value passed by AT_SECURE to decide whether to enable
1704 return ( atsecure || current->euid != current->uid ||
1705 current->egid != current->gid);
1708 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1710 struct bprm_security_struct *bsec = bprm->security;
1711 bprm->security = NULL;
1715 /* Derived from fs/exec.c:flush_old_files. */
1716 static inline void flush_unauthorized_files(struct files_struct * files)
1718 struct avc_audit_data ad;
1722 AVC_AUDIT_DATA_INIT(&ad,FS);
1724 spin_lock(&files->file_lock);
1726 unsigned long set, i;
1730 if (i >= files->max_fds || i >= files->max_fdset)
1732 set = files->open_fds->fds_bits[j];
1735 spin_unlock(&files->file_lock);
1736 for ( ; set ; i++,set >>= 1) {
1741 if (file_has_perm(current,
1748 spin_lock(&files->file_lock);
1751 spin_unlock(&files->file_lock);
1754 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1756 struct task_security_struct *tsec;
1757 struct bprm_security_struct *bsec;
1759 struct av_decision avd;
1760 struct itimerval itimer;
1761 struct rlimit *rlim, *initrlim;
1764 secondary_ops->bprm_apply_creds(bprm, unsafe);
1766 tsec = current->security;
1768 bsec = bprm->security;
1771 tsec->osid = tsec->sid;
1772 if (tsec->sid != sid) {
1773 /* Check for shared state. If not ok, leave SID
1774 unchanged and kill. */
1775 if (unsafe & LSM_UNSAFE_SHARE) {
1776 rc = avc_has_perm_noaudit(tsec->sid, sid,
1777 SECCLASS_PROCESS, PROCESS__SHARE,
1780 task_unlock(current);
1781 avc_audit(tsec->sid, sid, SECCLASS_PROCESS,
1782 PROCESS__SHARE, &avd, rc, NULL);
1783 force_sig_specific(SIGKILL, current);
1788 /* Check for ptracing, and update the task SID if ok.
1789 Otherwise, leave SID unchanged and kill. */
1790 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1791 rc = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
1792 SECCLASS_PROCESS, PROCESS__PTRACE,
1796 task_unlock(current);
1797 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
1798 PROCESS__PTRACE, &avd, rc, NULL);
1800 force_sig_specific(SIGKILL, current);
1805 task_unlock(current);
1808 /* Close files for which the new task SID is not authorized. */
1809 flush_unauthorized_files(current->files);
1811 /* Check whether the new SID can inherit signal state
1812 from the old SID. If not, clear itimers to avoid
1813 subsequent signal generation and flush and unblock
1814 signals. This must occur _after_ the task SID has
1815 been updated so that any kill done after the flush
1816 will be checked against the new SID. */
1817 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1818 PROCESS__SIGINH, NULL, NULL);
1820 memset(&itimer, 0, sizeof itimer);
1821 for (i = 0; i < 3; i++)
1822 do_setitimer(i, &itimer, NULL);
1823 flush_signals(current);
1824 spin_lock_irq(¤t->sighand->siglock);
1825 flush_signal_handlers(current, 1);
1826 sigemptyset(¤t->blocked);
1827 recalc_sigpending();
1828 spin_unlock_irq(¤t->sighand->siglock);
1831 /* Check whether the new SID can inherit resource limits
1832 from the old SID. If not, reset all soft limits to
1833 the lower of the current task's hard limit and the init
1834 task's soft limit. Note that the setting of hard limits
1835 (even to lower them) can be controlled by the setrlimit
1836 check. The inclusion of the init task's soft limit into
1837 the computation is to avoid resetting soft limits higher
1838 than the default soft limit for cases where the default
1839 is lower than the hard limit, e.g. RLIMIT_CORE or
1841 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1842 PROCESS__RLIMITINH, NULL, NULL);
1844 for (i = 0; i < RLIM_NLIMITS; i++) {
1845 rlim = current->rlim + i;
1846 initrlim = init_task.rlim+i;
1847 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1851 /* Wake up the parent if it is waiting so that it can
1852 recheck wait permission to the new task SID. */
1853 wake_up_interruptible(¤t->parent->wait_chldexit);
1861 /* superblock security operations */
1863 static int selinux_sb_alloc_security(struct super_block *sb)
1865 return superblock_alloc_security(sb);
1868 static void selinux_sb_free_security(struct super_block *sb)
1870 superblock_free_security(sb);
1873 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1878 return !memcmp(prefix, option, plen);
1881 static inline int selinux_option(char *option, int len)
1883 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1884 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1885 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1888 static inline void take_option(char **to, char *from, int *first, int len)
1896 memcpy(*to, from, len);
1900 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1902 int fnosec, fsec, rc = 0;
1903 char *in_save, *in_curr, *in_end;
1904 char *sec_curr, *nosec_save, *nosec;
1909 /* Binary mount data: just copy */
1910 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1911 copy_page(sec_curr, in_curr);
1915 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1923 in_save = in_end = orig;
1926 if (*in_end == ',' || *in_end == '\0') {
1927 int len = in_end - in_curr;
1929 if (selinux_option(in_curr, len))
1930 take_option(&sec_curr, in_curr, &fsec, len);
1932 take_option(&nosec, in_curr, &fnosec, len);
1934 in_curr = in_end + 1;
1936 } while (*in_end++);
1938 copy_page(in_save, nosec_save);
1943 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1945 struct avc_audit_data ad;
1948 rc = superblock_doinit(sb, data);
1952 AVC_AUDIT_DATA_INIT(&ad,FS);
1953 ad.u.fs.dentry = sb->s_root;
1954 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1957 static int selinux_sb_statfs(struct super_block *sb)
1959 struct avc_audit_data ad;
1961 AVC_AUDIT_DATA_INIT(&ad,FS);
1962 ad.u.fs.dentry = sb->s_root;
1963 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1966 static int selinux_mount(char * dev_name,
1967 struct nameidata *nd,
1969 unsigned long flags,
1972 if (flags & MS_REMOUNT)
1973 return superblock_has_perm(current, nd->mnt->mnt_sb,
1974 FILESYSTEM__REMOUNT, NULL);
1976 return dentry_has_perm(current, nd->mnt, nd->dentry,
1980 static int selinux_umount(struct vfsmount *mnt, int flags)
1982 return superblock_has_perm(current,mnt->mnt_sb,
1983 FILESYSTEM__UNMOUNT,NULL);
1986 /* inode security operations */
1988 static int selinux_inode_alloc_security(struct inode *inode)
1990 return inode_alloc_security(inode);
1993 static void selinux_inode_free_security(struct inode *inode)
1995 inode_free_security(inode);
1998 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2000 return may_create(dir, dentry, SECCLASS_FILE);
2003 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2005 post_create(dir, dentry);
2008 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2012 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2015 return may_link(dir, old_dentry, MAY_LINK);
2018 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2023 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2025 return may_link(dir, dentry, MAY_UNLINK);
2028 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2030 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2033 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2035 post_create(dir, dentry);
2038 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2040 return may_create(dir, dentry, SECCLASS_DIR);
2043 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2045 post_create(dir, dentry);
2048 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2050 return may_link(dir, dentry, MAY_RMDIR);
2053 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2055 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2058 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2060 post_create(dir, dentry);
2063 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2064 struct inode *new_inode, struct dentry *new_dentry)
2066 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2069 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2070 struct inode *new_inode, struct dentry *new_dentry)
2075 static int selinux_inode_readlink(struct dentry *dentry)
2077 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2080 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2084 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2087 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2090 static int selinux_inode_permission(struct inode *inode, int mask,
2091 struct nameidata *nd)
2094 /* No permission to check. Existence test. */
2098 return inode_has_perm(current, inode,
2099 file_mask_to_av(inode->i_mode, mask), NULL, NULL);
2102 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2104 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2105 ATTR_ATIME_SET | ATTR_MTIME_SET))
2106 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2108 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2111 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2113 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2116 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2118 struct task_security_struct *tsec = current->security;
2119 struct inode *inode = dentry->d_inode;
2120 struct inode_security_struct *isec = inode->i_security;
2121 struct superblock_security_struct *sbsec;
2122 struct avc_audit_data ad;
2126 if (strcmp(name, XATTR_NAME_SELINUX)) {
2127 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2128 sizeof XATTR_SECURITY_PREFIX - 1) &&
2129 !capable(CAP_SYS_ADMIN)) {
2130 /* A different attribute in the security namespace.
2131 Restrict to administrator. */
2135 /* Not an attribute we recognize, so just check the
2136 ordinary setattr permission. */
2137 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2140 sbsec = inode->i_sb->s_security;
2141 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2144 AVC_AUDIT_DATA_INIT(&ad,FS);
2145 ad.u.fs.dentry = dentry;
2147 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2153 rc = security_context_to_sid(value, size, &newsid);
2157 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2158 FILE__RELABELTO, NULL, &ad);
2162 return avc_has_perm(newsid,
2164 SECCLASS_FILESYSTEM,
2165 FILESYSTEM__ASSOCIATE,
2170 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2171 void *value, size_t size, int flags)
2173 struct inode *inode = dentry->d_inode;
2174 struct inode_security_struct *isec = inode->i_security;
2178 if (strcmp(name, XATTR_NAME_SELINUX)) {
2179 /* Not an attribute we recognize, so nothing to do. */
2183 rc = security_context_to_sid(value, size, &newsid);
2185 printk(KERN_WARNING "%s: unable to obtain SID for context "
2186 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2194 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2196 struct inode *inode = dentry->d_inode;
2197 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2199 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2202 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2205 static int selinux_inode_listxattr (struct dentry *dentry)
2207 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2210 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2212 if (strcmp(name, XATTR_NAME_SELINUX)) {
2213 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2214 sizeof XATTR_SECURITY_PREFIX - 1) &&
2215 !capable(CAP_SYS_ADMIN)) {
2216 /* A different attribute in the security namespace.
2217 Restrict to administrator. */
2221 /* Not an attribute we recognize, so just check the
2222 ordinary setattr permission. Might want a separate
2223 permission for removexattr. */
2224 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2227 /* No one is allowed to remove a SELinux security label.
2228 You can change the label, but all data must be labeled. */
2232 static int selinux_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
2234 struct inode *inode = dentry->d_inode;
2235 struct inode_security_struct *isec = inode->i_security;
2240 /* Permission check handled by selinux_inode_getxattr hook.*/
2242 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2245 rc = security_sid_to_context(isec->sid, &context, &len);
2249 if (!buffer || !size) {
2257 memcpy(buffer, context, len);
2262 static int selinux_inode_setsecurity(struct dentry *dentry, const char *name,
2263 const void *value, size_t size, int flags)
2265 struct inode *inode = dentry->d_inode;
2266 struct inode_security_struct *isec = inode->i_security;
2270 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2273 if (!value || !size)
2276 rc = security_context_to_sid((void*)value, size, &newsid);
2284 static int selinux_inode_listsecurity(struct dentry *dentry, char *buffer)
2286 const int len = sizeof(XATTR_NAME_SELINUX);
2288 memcpy(buffer, XATTR_NAME_SELINUX, len);
2292 /* file security operations */
2294 static int selinux_file_permission(struct file *file, int mask)
2296 struct inode *inode = file->f_dentry->d_inode;
2299 /* No permission to check. Existence test. */
2303 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2304 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2307 return file_has_perm(current, file,
2308 file_mask_to_av(inode->i_mode, mask));
2311 static int selinux_file_alloc_security(struct file *file)
2313 return file_alloc_security(file);
2316 static void selinux_file_free_security(struct file *file)
2318 file_free_security(file);
2321 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2333 case EXT2_IOC_GETFLAGS:
2335 case EXT2_IOC_GETVERSION:
2336 error = file_has_perm(current, file, FILE__GETATTR);
2339 case EXT2_IOC_SETFLAGS:
2341 case EXT2_IOC_SETVERSION:
2342 error = file_has_perm(current, file, FILE__SETATTR);
2345 /* sys_ioctl() checks */
2349 error = file_has_perm(current, file, 0);
2354 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2357 /* default case assumes that the command will go
2358 * to the file's ioctl() function.
2361 error = file_has_perm(current, file, FILE__IOCTL);
2367 static int selinux_file_mmap(struct file *file, unsigned long prot, unsigned long flags)
2372 /* read access is always possible with a mapping */
2375 /* write access only matters if the mapping is shared */
2376 if ((flags & MAP_TYPE) == MAP_SHARED && (prot & PROT_WRITE))
2379 if (prot & PROT_EXEC)
2380 av |= FILE__EXECUTE;
2382 return file_has_perm(current, file, av);
2387 static int selinux_file_mprotect(struct vm_area_struct *vma,
2390 return selinux_file_mmap(vma->vm_file, prot, vma->vm_flags);
2393 static int selinux_file_lock(struct file *file, unsigned int cmd)
2395 return file_has_perm(current, file, FILE__LOCK);
2398 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2405 if (!file->f_dentry || !file->f_dentry->d_inode) {
2410 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2411 err = file_has_perm(current, file,FILE__WRITE);
2420 /* Just check FD__USE permission */
2421 err = file_has_perm(current, file, 0);
2426 #if BITS_PER_LONG == 32
2431 if (!file->f_dentry || !file->f_dentry->d_inode) {
2435 err = file_has_perm(current, file, FILE__LOCK);
2442 static int selinux_file_set_fowner(struct file *file)
2444 struct task_security_struct *tsec;
2445 struct file_security_struct *fsec;
2447 tsec = current->security;
2448 fsec = file->f_security;
2449 fsec->fown_sid = tsec->sid;
2454 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2455 struct fown_struct *fown,
2460 struct task_security_struct *tsec;
2461 struct file_security_struct *fsec;
2463 /* struct fown_struct is never outside the context of a struct file */
2464 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2466 tsec = tsk->security;
2467 fsec = file->f_security;
2470 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2472 perm = signal_to_av(fown->signum);
2474 return avc_has_perm(fsec->fown_sid, tsec->sid,
2475 SECCLASS_PROCESS, perm, NULL, NULL);
2478 static int selinux_file_receive(struct file *file)
2480 return file_has_perm(current, file, file_to_av(file));
2483 /* task security operations */
2485 static int selinux_task_create(unsigned long clone_flags)
2487 return task_has_perm(current, current, PROCESS__FORK);
2490 static int selinux_task_alloc_security(struct task_struct *tsk)
2492 struct task_security_struct *tsec1, *tsec2;
2495 tsec1 = current->security;
2497 rc = task_alloc_security(tsk);
2500 tsec2 = tsk->security;
2502 tsec2->osid = tsec1->osid;
2503 tsec2->sid = tsec1->sid;
2505 /* Retain the exec and create SIDs across fork */
2506 tsec2->exec_sid = tsec1->exec_sid;
2507 tsec2->create_sid = tsec1->create_sid;
2512 static void selinux_task_free_security(struct task_struct *tsk)
2514 task_free_security(tsk);
2517 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2519 /* Since setuid only affects the current process, and
2520 since the SELinux controls are not based on the Linux
2521 identity attributes, SELinux does not need to control
2522 this operation. However, SELinux does control the use
2523 of the CAP_SETUID and CAP_SETGID capabilities using the
2528 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2530 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2533 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2535 /* See the comment for setuid above. */
2539 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2541 return task_has_perm(current, p, PROCESS__SETPGID);
2544 static int selinux_task_getpgid(struct task_struct *p)
2546 return task_has_perm(current, p, PROCESS__GETPGID);
2549 static int selinux_task_getsid(struct task_struct *p)
2551 return task_has_perm(current, p, PROCESS__GETSESSION);
2554 static int selinux_task_setgroups(struct group_info *group_info)
2556 /* See the comment for setuid above. */
2560 static int selinux_task_setnice(struct task_struct *p, int nice)
2562 return task_has_perm(current,p, PROCESS__SETSCHED);
2565 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2567 struct rlimit *old_rlim = current->rlim + resource;
2569 /* Control the ability to change the hard limit (whether
2570 lowering or raising it), so that the hard limit can
2571 later be used as a safe reset point for the soft limit
2572 upon context transitions. See selinux_bprm_apply_creds. */
2573 if (old_rlim->rlim_max != new_rlim->rlim_max)
2574 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2579 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2581 struct task_security_struct *tsec1, *tsec2;
2583 tsec1 = current->security;
2584 tsec2 = p->security;
2586 /* No auditing from the setscheduler hook, since the runqueue lock
2587 is held and the system will deadlock if we try to log an audit
2589 return avc_has_perm_noaudit(tsec1->sid, tsec2->sid,
2590 SECCLASS_PROCESS, PROCESS__SETSCHED,
2591 &tsec2->avcr, NULL);
2594 static int selinux_task_getscheduler(struct task_struct *p)
2596 return task_has_perm(current, p, PROCESS__GETSCHED);
2599 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2603 if (info && ((unsigned long)info == 1 ||
2604 (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2608 perm = PROCESS__SIGNULL; /* null signal; existence test */
2610 perm = signal_to_av(sig);
2612 return task_has_perm(current, p, perm);
2615 static int selinux_task_prctl(int option,
2621 /* The current prctl operations do not appear to require
2622 any SELinux controls since they merely observe or modify
2623 the state of the current process. */
2627 static int selinux_task_wait(struct task_struct *p)
2631 perm = signal_to_av(p->exit_signal);
2633 return task_has_perm(p, current, perm);
2636 static void selinux_task_reparent_to_init(struct task_struct *p)
2638 struct task_security_struct *tsec;
2640 secondary_ops->task_reparent_to_init(p);
2643 tsec->osid = tsec->sid;
2644 tsec->sid = SECINITSID_KERNEL;
2648 static void selinux_task_to_inode(struct task_struct *p,
2649 struct inode *inode)
2651 struct task_security_struct *tsec = p->security;
2652 struct inode_security_struct *isec = inode->i_security;
2654 isec->sid = tsec->sid;
2655 isec->initialized = 1;
2659 #ifdef CONFIG_SECURITY_NETWORK
2661 /* Returns error only if unable to parse addresses */
2662 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2664 int offset, ihlen, ret;
2667 offset = skb->nh.raw - skb->data;
2668 ret = skb_copy_bits(skb, offset, &iph, sizeof(iph));
2672 ihlen = iph.ihl * 4;
2673 if (ihlen < sizeof(iph))
2676 ad->u.net.v4info.saddr = iph.saddr;
2677 ad->u.net.v4info.daddr = iph.daddr;
2679 switch (iph.protocol) {
2683 if (ntohs(iph.frag_off) & IP_OFFSET)
2687 if (skb_copy_bits(skb, offset, &tcph, sizeof(tcph)) < 0)
2690 ad->u.net.sport = tcph.source;
2691 ad->u.net.dport = tcph.dest;
2698 if (ntohs(iph.frag_off) & IP_OFFSET)
2702 if (skb_copy_bits(skb, offset, &udph, sizeof(udph)) < 0)
2705 ad->u.net.sport = udph.source;
2706 ad->u.net.dport = udph.dest;
2717 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2719 /* Returns error only if unable to parse addresses */
2720 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2724 struct ipv6hdr ipv6h;
2726 offset = skb->nh.raw - skb->data;
2727 ret = skb_copy_bits(skb, offset, &ipv6h, sizeof(ipv6h));
2731 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ipv6h.saddr);
2732 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ipv6h.daddr);
2734 nexthdr = ipv6h.nexthdr;
2735 offset += sizeof(ipv6h);
2736 offset = ipv6_skip_exthdr(skb, offset, &nexthdr,
2737 skb->tail - skb->head - offset);
2745 if (skb_copy_bits(skb, offset, &tcph, sizeof(tcph)) < 0)
2748 ad->u.net.sport = tcph.source;
2749 ad->u.net.dport = tcph.dest;
2756 if (skb_copy_bits(skb, offset, &udph, sizeof(udph)) < 0)
2759 ad->u.net.sport = udph.source;
2760 ad->u.net.dport = udph.dest;
2764 /* includes fragments */
2774 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2775 char **addrp, int *len, int src)
2779 switch (ad->u.net.family) {
2781 ret = selinux_parse_skb_ipv4(skb, ad);
2785 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2786 &ad->u.net.v4info.daddr);
2789 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2791 ret = selinux_parse_skb_ipv6(skb, ad);
2795 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2796 &ad->u.net.v6info.daddr);
2806 /* socket security operations */
2807 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2810 struct inode_security_struct *isec;
2811 struct task_security_struct *tsec;
2812 struct avc_audit_data ad;
2815 tsec = task->security;
2816 isec = SOCK_INODE(sock)->i_security;
2818 if (isec->sid == SECINITSID_KERNEL)
2821 AVC_AUDIT_DATA_INIT(&ad,NET);
2822 ad.u.net.sk = sock->sk;
2823 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2824 perms, &isec->avcr, &ad);
2830 static int selinux_socket_create(int family, int type,
2831 int protocol, int kern)
2834 struct task_security_struct *tsec;
2839 tsec = current->security;
2840 err = avc_has_perm(tsec->sid, tsec->sid,
2841 socket_type_to_security_class(family, type),
2842 SOCKET__CREATE, NULL, NULL);
2848 static void selinux_socket_post_create(struct socket *sock, int family,
2849 int type, int protocol, int kern)
2852 struct inode_security_struct *isec;
2853 struct task_security_struct *tsec;
2855 err = inode_doinit(SOCK_INODE(sock));
2858 isec = SOCK_INODE(sock)->i_security;
2860 tsec = current->security;
2861 isec->sclass = socket_type_to_security_class(family, type);
2862 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2867 /* Range of port numbers used to automatically bind.
2868 Need to determine whether we should perform a name_bind
2869 permission check between the socket and the port number. */
2870 #define ip_local_port_range_0 sysctl_local_port_range[0]
2871 #define ip_local_port_range_1 sysctl_local_port_range[1]
2873 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2878 err = socket_has_perm(current, sock, SOCKET__BIND);
2883 * If PF_INET or PF_INET6, check name_bind permission for the port.
2885 family = sock->sk->sk_family;
2886 if (family == PF_INET || family == PF_INET6) {
2888 struct inode_security_struct *isec;
2889 struct task_security_struct *tsec;
2890 struct avc_audit_data ad;
2891 struct sockaddr_in *addr4 = NULL;
2892 struct sockaddr_in6 *addr6 = NULL;
2893 unsigned short snum;
2894 struct sock *sk = sock->sk;
2895 u32 sid, node_perm, addrlen;
2897 tsec = current->security;
2898 isec = SOCK_INODE(sock)->i_security;
2900 if (family == PF_INET) {
2901 addr4 = (struct sockaddr_in *)address;
2902 snum = ntohs(addr4->sin_port);
2903 addrlen = sizeof(addr4->sin_addr.s_addr);
2904 addrp = (char *)&addr4->sin_addr.s_addr;
2906 addr6 = (struct sockaddr_in6 *)address;
2907 snum = ntohs(addr6->sin6_port);
2908 addrlen = sizeof(addr6->sin6_addr.s6_addr);
2909 addrp = (char *)&addr6->sin6_addr.s6_addr;
2912 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2913 snum > ip_local_port_range_1)) {
2914 err = security_port_sid(sk->sk_family, sk->sk_type,
2915 sk->sk_protocol, snum, &sid);
2918 AVC_AUDIT_DATA_INIT(&ad,NET);
2919 ad.u.net.sport = htons(snum);
2920 err = avc_has_perm(isec->sid, sid,
2922 SOCKET__NAME_BIND, NULL, &ad);
2927 switch(sk->sk_protocol) {
2929 node_perm = TCP_SOCKET__NODE_BIND;
2933 node_perm = UDP_SOCKET__NODE_BIND;
2937 node_perm = RAWIP_SOCKET__NODE_BIND;
2941 err = security_node_sid(family, addrp, addrlen, &sid);
2945 AVC_AUDIT_DATA_INIT(&ad,NET);
2946 ad.u.net.sport = htons(snum);
2947 ad.u.net.family = family;
2949 if (family == PF_INET)
2950 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
2952 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
2954 err = avc_has_perm(isec->sid, sid,
2955 isec->sclass, node_perm, NULL, &ad);
2963 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
2965 return socket_has_perm(current, sock, SOCKET__CONNECT);
2968 static int selinux_socket_listen(struct socket *sock, int backlog)
2970 return socket_has_perm(current, sock, SOCKET__LISTEN);
2973 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
2976 struct inode_security_struct *isec;
2977 struct inode_security_struct *newisec;
2979 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
2983 err = inode_doinit(SOCK_INODE(newsock));
2986 newisec = SOCK_INODE(newsock)->i_security;
2988 isec = SOCK_INODE(sock)->i_security;
2989 newisec->sclass = isec->sclass;
2990 newisec->sid = isec->sid;
2995 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
2998 return socket_has_perm(current, sock, SOCKET__WRITE);
3001 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3002 int size, int flags)
3004 return socket_has_perm(current, sock, SOCKET__READ);
3007 static int selinux_socket_getsockname(struct socket *sock)
3009 return socket_has_perm(current, sock, SOCKET__GETATTR);
3012 static int selinux_socket_getpeername(struct socket *sock)
3014 return socket_has_perm(current, sock, SOCKET__GETATTR);
3017 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3019 return socket_has_perm(current, sock, SOCKET__SETOPT);
3022 static int selinux_socket_getsockopt(struct socket *sock, int level,
3025 return socket_has_perm(current, sock, SOCKET__GETOPT);
3028 static int selinux_socket_shutdown(struct socket *sock, int how)
3030 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3033 static int selinux_socket_unix_stream_connect(struct socket *sock,
3034 struct socket *other,
3037 struct sk_security_struct *ssec;
3038 struct inode_security_struct *isec;
3039 struct inode_security_struct *other_isec;
3040 struct avc_audit_data ad;
3043 isec = SOCK_INODE(sock)->i_security;
3044 other_isec = SOCK_INODE(other)->i_security;
3046 AVC_AUDIT_DATA_INIT(&ad,NET);
3047 ad.u.net.sk = other->sk;
3049 err = avc_has_perm(isec->sid, other_isec->sid,
3051 UNIX_STREAM_SOCKET__CONNECTTO,
3052 &other_isec->avcr, &ad);
3056 /* connecting socket */
3057 ssec = sock->sk->sk_security;
3058 ssec->peer_sid = other_isec->sid;
3060 /* server child socket */
3061 ssec = newsk->sk_security;
3062 ssec->peer_sid = isec->sid;
3067 static int selinux_socket_unix_may_send(struct socket *sock,
3068 struct socket *other)
3070 struct inode_security_struct *isec;
3071 struct inode_security_struct *other_isec;
3072 struct avc_audit_data ad;
3075 isec = SOCK_INODE(sock)->i_security;
3076 other_isec = SOCK_INODE(other)->i_security;
3078 AVC_AUDIT_DATA_INIT(&ad,NET);
3079 ad.u.net.sk = other->sk;
3081 err = avc_has_perm(isec->sid, other_isec->sid,
3084 &other_isec->avcr, &ad);
3091 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3096 u32 netif_perm, node_perm, node_sid, recv_perm = 0;
3097 struct socket *sock;
3098 struct inode *inode;
3099 struct net_device *dev;
3100 struct sel_netif *netif;
3101 struct netif_security_struct *nsec;
3102 struct inode_security_struct *isec;
3103 struct avc_audit_data ad;
3105 family = sk->sk_family;
3106 if (family != PF_INET && family != PF_INET6)
3109 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3110 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3113 sock = sk->sk_socket;
3115 /* TCP control messages don't always have a socket. */
3119 inode = SOCK_INODE(sock);
3127 netif = sel_netif_lookup(dev);
3128 if (IS_ERR(netif)) {
3129 err = PTR_ERR(netif);
3133 nsec = &netif->nsec;
3134 isec = inode->i_security;
3136 switch (isec->sclass) {
3137 case SECCLASS_UDP_SOCKET:
3138 netif_perm = NETIF__UDP_RECV;
3139 node_perm = NODE__UDP_RECV;
3140 recv_perm = UDP_SOCKET__RECV_MSG;
3143 case SECCLASS_TCP_SOCKET:
3144 netif_perm = NETIF__TCP_RECV;
3145 node_perm = NODE__TCP_RECV;
3146 recv_perm = TCP_SOCKET__RECV_MSG;
3150 netif_perm = NETIF__RAWIP_RECV;
3151 node_perm = NODE__RAWIP_RECV;
3155 AVC_AUDIT_DATA_INIT(&ad, NET);
3156 ad.u.net.netif = dev->name;
3157 ad.u.net.family = family;
3159 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3161 sel_netif_put(netif);
3165 err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
3166 netif_perm, &nsec->avcr, &ad);
3167 sel_netif_put(netif);
3171 /* Fixme: this lookup is inefficient */
3172 err = security_node_sid(family, addrp, len, &node_sid);
3176 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, NULL, &ad);
3183 /* Fixme: make this more efficient */
3184 err = security_port_sid(sk->sk_family, sk->sk_type,
3185 sk->sk_protocol, ntohs(ad.u.net.sport),
3190 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3191 recv_perm, NULL, &ad);
3197 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3198 int __user *optlen, unsigned len)
3203 struct sk_security_struct *ssec;
3204 struct inode_security_struct *isec;
3206 isec = SOCK_INODE(sock)->i_security;
3207 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3212 ssec = sock->sk->sk_security;
3214 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3218 if (scontext_len > len) {
3223 if (copy_to_user(optval, scontext, scontext_len))
3227 if (put_user(scontext_len, optlen))
3235 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3237 return sk_alloc_security(sk, family, priority);
3240 static void selinux_sk_free_security(struct sock *sk)
3242 sk_free_security(sk);
3245 #ifdef CONFIG_NETFILTER
3247 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3248 struct sk_buff **pskb,
3249 const struct net_device *in,
3250 const struct net_device *out,
3251 int (*okfn)(struct sk_buff *),
3255 int len, err = NF_ACCEPT;
3256 u32 netif_perm, node_perm, node_sid, send_perm = 0;
3258 struct socket *sock;
3259 struct inode *inode;
3260 struct sel_netif *netif;
3261 struct sk_buff *skb = *pskb;
3262 struct netif_security_struct *nsec;
3263 struct inode_security_struct *isec;
3264 struct avc_audit_data ad;
3265 struct net_device *dev = (struct net_device *)out;
3271 sock = sk->sk_socket;
3275 inode = SOCK_INODE(sock);
3279 netif = sel_netif_lookup(dev);
3280 if (IS_ERR(netif)) {
3285 nsec = &netif->nsec;
3286 isec = inode->i_security;
3288 switch (isec->sclass) {
3289 case SECCLASS_UDP_SOCKET:
3290 netif_perm = NETIF__UDP_SEND;
3291 node_perm = NODE__UDP_SEND;
3292 send_perm = UDP_SOCKET__SEND_MSG;
3295 case SECCLASS_TCP_SOCKET:
3296 netif_perm = NETIF__TCP_SEND;
3297 node_perm = NODE__TCP_SEND;
3298 send_perm = TCP_SOCKET__SEND_MSG;
3302 netif_perm = NETIF__RAWIP_SEND;
3303 node_perm = NODE__RAWIP_SEND;
3308 AVC_AUDIT_DATA_INIT(&ad, NET);
3309 ad.u.net.netif = dev->name;
3310 ad.u.net.family = family;
3312 err = selinux_parse_skb(skb, &ad, &addrp,
3313 &len, 0) ? NF_DROP : NF_ACCEPT;
3314 if (err != NF_ACCEPT) {
3315 sel_netif_put(netif);
3319 err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
3320 netif_perm, &nsec->avcr, &ad) ? NF_DROP : NF_ACCEPT;
3321 sel_netif_put(netif);
3322 if (err != NF_ACCEPT)
3325 /* Fixme: this lookup is inefficient */
3326 err = security_node_sid(family, addrp, len,
3327 &node_sid) ? NF_DROP : NF_ACCEPT;
3328 if (err != NF_ACCEPT)
3331 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3332 node_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
3333 if (err != NF_ACCEPT)
3339 /* Fixme: make this more efficient */
3340 err = security_port_sid(sk->sk_family,
3343 ntohs(ad.u.net.dport),
3344 &port_sid) ? NF_DROP : NF_ACCEPT;
3345 if (err != NF_ACCEPT)
3348 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3349 send_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
3356 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3357 struct sk_buff **pskb,
3358 const struct net_device *in,
3359 const struct net_device *out,
3360 int (*okfn)(struct sk_buff *))
3362 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3365 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3367 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3368 struct sk_buff **pskb,
3369 const struct net_device *in,
3370 const struct net_device *out,
3371 int (*okfn)(struct sk_buff *))
3373 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3378 #endif /* CONFIG_NETFILTER */
3380 #endif /* CONFIG_SECURITY_NETWORK */
3382 static int ipc_alloc_security(struct task_struct *task,
3383 struct kern_ipc_perm *perm,
3386 struct task_security_struct *tsec = task->security;
3387 struct ipc_security_struct *isec;
3389 isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3393 memset(isec, 0, sizeof(struct ipc_security_struct));
3394 isec->magic = SELINUX_MAGIC;
3395 isec->sclass = sclass;
3396 isec->ipc_perm = perm;
3398 isec->sid = tsec->sid;
3400 isec->sid = SECINITSID_UNLABELED;
3402 perm->security = isec;
3407 static void ipc_free_security(struct kern_ipc_perm *perm)
3409 struct ipc_security_struct *isec = perm->security;
3410 if (!isec || isec->magic != SELINUX_MAGIC)
3413 perm->security = NULL;
3417 static int msg_msg_alloc_security(struct msg_msg *msg)
3419 struct msg_security_struct *msec;
3421 msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3425 memset(msec, 0, sizeof(struct msg_security_struct));
3426 msec->magic = SELINUX_MAGIC;
3428 msec->sid = SECINITSID_UNLABELED;
3429 msg->security = msec;
3434 static void msg_msg_free_security(struct msg_msg *msg)
3436 struct msg_security_struct *msec = msg->security;
3437 if (!msec || msec->magic != SELINUX_MAGIC)
3440 msg->security = NULL;
3444 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3445 u16 sclass, u32 perms)
3447 struct task_security_struct *tsec;
3448 struct ipc_security_struct *isec;
3449 struct avc_audit_data ad;
3451 tsec = current->security;
3452 isec = ipc_perms->security;
3454 AVC_AUDIT_DATA_INIT(&ad, IPC);
3455 ad.u.ipc_id = ipc_perms->key;
3457 return avc_has_perm(tsec->sid, isec->sid, sclass,
3458 perms, &isec->avcr, &ad);
3461 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3463 return msg_msg_alloc_security(msg);
3466 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3468 return msg_msg_free_security(msg);
3471 /* message queue security operations */
3472 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3474 struct task_security_struct *tsec;
3475 struct ipc_security_struct *isec;
3476 struct avc_audit_data ad;
3479 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3483 tsec = current->security;
3484 isec = msq->q_perm.security;
3486 AVC_AUDIT_DATA_INIT(&ad, IPC);
3487 ad.u.ipc_id = msq->q_perm.key;
3489 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3490 MSGQ__CREATE, &isec->avcr, &ad);
3492 ipc_free_security(&msq->q_perm);
3498 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3500 ipc_free_security(&msq->q_perm);
3503 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3505 struct task_security_struct *tsec;
3506 struct ipc_security_struct *isec;
3507 struct avc_audit_data ad;
3509 tsec = current->security;
3510 isec = msq->q_perm.security;
3512 AVC_AUDIT_DATA_INIT(&ad, IPC);
3513 ad.u.ipc_id = msq->q_perm.key;
3515 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3516 MSGQ__ASSOCIATE, &isec->avcr, &ad);
3519 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3527 /* No specific object, just general system-wide information. */
3528 return task_has_system(current, SYSTEM__IPC_INFO);
3531 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3534 perms = MSGQ__SETATTR;
3537 perms = MSGQ__DESTROY;
3543 err = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms);
3547 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3549 struct task_security_struct *tsec;
3550 struct ipc_security_struct *isec;
3551 struct msg_security_struct *msec;
3552 struct avc_audit_data ad;
3555 tsec = current->security;
3556 isec = msq->q_perm.security;
3557 msec = msg->security;
3560 * First time through, need to assign label to the message
3562 if (msec->sid == SECINITSID_UNLABELED) {
3564 * Compute new sid based on current process and
3565 * message queue this message will be stored in
3567 rc = security_transition_sid(tsec->sid,
3575 AVC_AUDIT_DATA_INIT(&ad, IPC);
3576 ad.u.ipc_id = msq->q_perm.key;
3578 /* Can this process write to the queue? */
3579 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3580 MSGQ__WRITE, &isec->avcr, &ad);
3582 /* Can this process send the message */
3583 rc = avc_has_perm(tsec->sid, msec->sid,
3584 SECCLASS_MSG, MSG__SEND,
3587 /* Can the message be put in the queue? */
3588 rc = avc_has_perm(msec->sid, isec->sid,
3589 SECCLASS_MSGQ, MSGQ__ENQUEUE,
3595 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3596 struct task_struct *target,
3597 long type, int mode)
3599 struct task_security_struct *tsec;
3600 struct ipc_security_struct *isec;
3601 struct msg_security_struct *msec;
3602 struct avc_audit_data ad;
3605 tsec = target->security;
3606 isec = msq->q_perm.security;
3607 msec = msg->security;
3609 AVC_AUDIT_DATA_INIT(&ad, IPC);
3610 ad.u.ipc_id = msq->q_perm.key;
3612 rc = avc_has_perm(tsec->sid, isec->sid,
3613 SECCLASS_MSGQ, MSGQ__READ,
3616 rc = avc_has_perm(tsec->sid, msec->sid,
3617 SECCLASS_MSG, MSG__RECEIVE,
3622 /* Shared Memory security operations */
3623 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3625 struct task_security_struct *tsec;
3626 struct ipc_security_struct *isec;
3627 struct avc_audit_data ad;
3630 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3634 tsec = current->security;
3635 isec = shp->shm_perm.security;
3637 AVC_AUDIT_DATA_INIT(&ad, IPC);
3638 ad.u.ipc_id = shp->shm_perm.key;
3640 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3641 SHM__CREATE, &isec->avcr, &ad);
3643 ipc_free_security(&shp->shm_perm);
3649 static void selinux_shm_free_security(struct shmid_kernel *shp)
3651 ipc_free_security(&shp->shm_perm);
3654 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3656 struct task_security_struct *tsec;
3657 struct ipc_security_struct *isec;
3658 struct avc_audit_data ad;
3660 tsec = current->security;
3661 isec = shp->shm_perm.security;
3663 AVC_AUDIT_DATA_INIT(&ad, IPC);
3664 ad.u.ipc_id = shp->shm_perm.key;
3666 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3667 SHM__ASSOCIATE, &isec->avcr, &ad);
3670 /* Note, at this point, shp is locked down */
3671 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3679 /* No specific object, just general system-wide information. */
3680 return task_has_system(current, SYSTEM__IPC_INFO);
3683 perms = SHM__GETATTR | SHM__ASSOCIATE;
3686 perms = SHM__SETATTR;
3693 perms = SHM__DESTROY;
3699 err = ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3703 static int selinux_shm_shmat(struct shmid_kernel *shp,
3704 char *shmaddr, int shmflg)
3708 if (shmflg & SHM_RDONLY)
3711 perms = SHM__READ | SHM__WRITE;
3713 return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3716 /* Semaphore security operations */
3717 static int selinux_sem_alloc_security(struct sem_array *sma)
3719 struct task_security_struct *tsec;
3720 struct ipc_security_struct *isec;
3721 struct avc_audit_data ad;
3724 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3728 tsec = current->security;
3729 isec = sma->sem_perm.security;
3731 AVC_AUDIT_DATA_INIT(&ad, IPC);
3732 ad.u.ipc_id = sma->sem_perm.key;
3734 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3735 SEM__CREATE, &isec->avcr, &ad);
3737 ipc_free_security(&sma->sem_perm);
3743 static void selinux_sem_free_security(struct sem_array *sma)
3745 ipc_free_security(&sma->sem_perm);
3748 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3750 struct task_security_struct *tsec;
3751 struct ipc_security_struct *isec;
3752 struct avc_audit_data ad;
3754 tsec = current->security;
3755 isec = sma->sem_perm.security;
3757 AVC_AUDIT_DATA_INIT(&ad, IPC);
3758 ad.u.ipc_id = sma->sem_perm.key;
3760 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3761 SEM__ASSOCIATE, &isec->avcr, &ad);
3764 /* Note, at this point, sma is locked down */
3765 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3773 /* No specific object, just general system-wide information. */
3774 return task_has_system(current, SYSTEM__IPC_INFO);
3778 perms = SEM__GETATTR;
3789 perms = SEM__DESTROY;
3792 perms = SEM__SETATTR;
3796 perms = SEM__GETATTR | SEM__ASSOCIATE;
3802 err = ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
3806 static int selinux_sem_semop(struct sem_array *sma,
3807 struct sembuf *sops, unsigned nsops, int alter)
3812 perms = SEM__READ | SEM__WRITE;
3816 return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
3819 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
3821 struct ipc_security_struct *isec = ipcp->security;
3822 u16 sclass = SECCLASS_IPC;
3825 if (isec && isec->magic == SELINUX_MAGIC)
3826 sclass = isec->sclass;
3830 av |= IPC__UNIX_READ;
3832 av |= IPC__UNIX_WRITE;
3837 return ipc_has_perm(ipcp, sclass, av);
3840 /* module stacking operations */
3841 int selinux_register_security (const char *name, struct security_operations *ops)
3843 if (secondary_ops != original_ops) {
3844 printk(KERN_INFO "%s: There is already a secondary security "
3845 "module registered.\n", __FUNCTION__);
3849 secondary_ops = ops;
3851 printk(KERN_INFO "%s: Registering secondary module %s\n",
3858 int selinux_unregister_security (const char *name, struct security_operations *ops)
3860 if (ops != secondary_ops) {
3861 printk (KERN_INFO "%s: trying to unregister a security module "
3862 "that is not registered.\n", __FUNCTION__);
3866 secondary_ops = original_ops;
3871 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
3874 inode_doinit_with_dentry(inode, dentry);
3877 static int selinux_getprocattr(struct task_struct *p,
3878 char *name, void *value, size_t size)
3880 struct task_security_struct *tsec;
3886 error = task_has_perm(current, p, PROCESS__GETATTR);
3896 if (!strcmp(name, "current"))
3898 else if (!strcmp(name, "prev"))
3900 else if (!strcmp(name, "exec"))
3901 sid = tsec->exec_sid;
3902 else if (!strcmp(name, "fscreate"))
3903 sid = tsec->create_sid;
3910 error = security_sid_to_context(sid, &context, &len);
3917 memcpy(value, context, len);
3922 static int selinux_setprocattr(struct task_struct *p,
3923 char *name, void *value, size_t size)
3925 struct task_security_struct *tsec;
3929 if (current != p || !strcmp(name, "current")) {
3930 /* SELinux only allows a process to change its own
3931 security attributes, and it only allows the process
3932 current SID to change via exec. */
3937 * Basic control over ability to set these attributes at all.
3938 * current == p, but we'll pass them separately in case the
3939 * above restriction is ever removed.
3941 if (!strcmp(name, "exec"))
3942 error = task_has_perm(current, p, PROCESS__SETEXEC);
3943 else if (!strcmp(name, "fscreate"))
3944 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
3950 /* Obtain a SID for the context, if one was specified. */
3953 error = security_context_to_sid(value, size, &sid);
3958 /* Permission checking based on the specified context is
3959 performed during the actual operation (execve,
3960 open/mkdir/...), when we know the full context of the
3961 operation. See selinux_bprm_set_security for the execve
3962 checks and may_create for the file creation checks. The
3963 operation will then fail if the context is not permitted. */
3965 if (!strcmp(name, "exec"))
3966 tsec->exec_sid = sid;
3967 else if (!strcmp(name, "fscreate"))
3968 tsec->create_sid = sid;
3975 struct security_operations selinux_ops = {
3976 .ptrace = selinux_ptrace,
3977 .capget = selinux_capget,
3978 .capset_check = selinux_capset_check,
3979 .capset_set = selinux_capset_set,
3980 .sysctl = selinux_sysctl,
3981 .capable = selinux_capable,
3982 .quotactl = selinux_quotactl,
3983 .quota_on = selinux_quota_on,
3984 .syslog = selinux_syslog,
3985 .vm_enough_memory = selinux_vm_enough_memory,
3987 .netlink_send = selinux_netlink_send,
3988 .netlink_recv = selinux_netlink_recv,
3990 .bprm_alloc_security = selinux_bprm_alloc_security,
3991 .bprm_free_security = selinux_bprm_free_security,
3992 .bprm_apply_creds = selinux_bprm_apply_creds,
3993 .bprm_set_security = selinux_bprm_set_security,
3994 .bprm_check_security = selinux_bprm_check_security,
3995 .bprm_secureexec = selinux_bprm_secureexec,
3997 .sb_alloc_security = selinux_sb_alloc_security,
3998 .sb_free_security = selinux_sb_free_security,
3999 .sb_copy_data = selinux_sb_copy_data,
4000 .sb_kern_mount = selinux_sb_kern_mount,
4001 .sb_statfs = selinux_sb_statfs,
4002 .sb_mount = selinux_mount,
4003 .sb_umount = selinux_umount,
4005 .inode_alloc_security = selinux_inode_alloc_security,
4006 .inode_free_security = selinux_inode_free_security,
4007 .inode_create = selinux_inode_create,
4008 .inode_post_create = selinux_inode_post_create,
4009 .inode_link = selinux_inode_link,
4010 .inode_post_link = selinux_inode_post_link,
4011 .inode_unlink = selinux_inode_unlink,
4012 .inode_symlink = selinux_inode_symlink,
4013 .inode_post_symlink = selinux_inode_post_symlink,
4014 .inode_mkdir = selinux_inode_mkdir,
4015 .inode_post_mkdir = selinux_inode_post_mkdir,
4016 .inode_rmdir = selinux_inode_rmdir,
4017 .inode_mknod = selinux_inode_mknod,
4018 .inode_post_mknod = selinux_inode_post_mknod,
4019 .inode_rename = selinux_inode_rename,
4020 .inode_post_rename = selinux_inode_post_rename,
4021 .inode_readlink = selinux_inode_readlink,
4022 .inode_follow_link = selinux_inode_follow_link,
4023 .inode_permission = selinux_inode_permission,
4024 .inode_setattr = selinux_inode_setattr,
4025 .inode_getattr = selinux_inode_getattr,
4026 .inode_setxattr = selinux_inode_setxattr,
4027 .inode_post_setxattr = selinux_inode_post_setxattr,
4028 .inode_getxattr = selinux_inode_getxattr,
4029 .inode_listxattr = selinux_inode_listxattr,
4030 .inode_removexattr = selinux_inode_removexattr,
4031 .inode_getsecurity = selinux_inode_getsecurity,
4032 .inode_setsecurity = selinux_inode_setsecurity,
4033 .inode_listsecurity = selinux_inode_listsecurity,
4035 .file_permission = selinux_file_permission,
4036 .file_alloc_security = selinux_file_alloc_security,
4037 .file_free_security = selinux_file_free_security,
4038 .file_ioctl = selinux_file_ioctl,
4039 .file_mmap = selinux_file_mmap,
4040 .file_mprotect = selinux_file_mprotect,
4041 .file_lock = selinux_file_lock,
4042 .file_fcntl = selinux_file_fcntl,
4043 .file_set_fowner = selinux_file_set_fowner,
4044 .file_send_sigiotask = selinux_file_send_sigiotask,
4045 .file_receive = selinux_file_receive,
4047 .task_create = selinux_task_create,
4048 .task_alloc_security = selinux_task_alloc_security,
4049 .task_free_security = selinux_task_free_security,
4050 .task_setuid = selinux_task_setuid,
4051 .task_post_setuid = selinux_task_post_setuid,
4052 .task_setgid = selinux_task_setgid,
4053 .task_setpgid = selinux_task_setpgid,
4054 .task_getpgid = selinux_task_getpgid,
4055 .task_getsid = selinux_task_getsid,
4056 .task_setgroups = selinux_task_setgroups,
4057 .task_setnice = selinux_task_setnice,
4058 .task_setrlimit = selinux_task_setrlimit,
4059 .task_setscheduler = selinux_task_setscheduler,
4060 .task_getscheduler = selinux_task_getscheduler,
4061 .task_kill = selinux_task_kill,
4062 .task_wait = selinux_task_wait,
4063 .task_prctl = selinux_task_prctl,
4064 .task_reparent_to_init = selinux_task_reparent_to_init,
4065 .task_to_inode = selinux_task_to_inode,
4067 .ipc_permission = selinux_ipc_permission,
4069 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4070 .msg_msg_free_security = selinux_msg_msg_free_security,
4072 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4073 .msg_queue_free_security = selinux_msg_queue_free_security,
4074 .msg_queue_associate = selinux_msg_queue_associate,
4075 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4076 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4077 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4079 .shm_alloc_security = selinux_shm_alloc_security,
4080 .shm_free_security = selinux_shm_free_security,
4081 .shm_associate = selinux_shm_associate,
4082 .shm_shmctl = selinux_shm_shmctl,
4083 .shm_shmat = selinux_shm_shmat,
4085 .sem_alloc_security = selinux_sem_alloc_security,
4086 .sem_free_security = selinux_sem_free_security,
4087 .sem_associate = selinux_sem_associate,
4088 .sem_semctl = selinux_sem_semctl,
4089 .sem_semop = selinux_sem_semop,
4091 .register_security = selinux_register_security,
4092 .unregister_security = selinux_unregister_security,
4094 .d_instantiate = selinux_d_instantiate,
4096 .getprocattr = selinux_getprocattr,
4097 .setprocattr = selinux_setprocattr,
4099 #ifdef CONFIG_SECURITY_NETWORK
4100 .unix_stream_connect = selinux_socket_unix_stream_connect,
4101 .unix_may_send = selinux_socket_unix_may_send,
4103 .socket_create = selinux_socket_create,
4104 .socket_post_create = selinux_socket_post_create,
4105 .socket_bind = selinux_socket_bind,
4106 .socket_connect = selinux_socket_connect,
4107 .socket_listen = selinux_socket_listen,
4108 .socket_accept = selinux_socket_accept,
4109 .socket_sendmsg = selinux_socket_sendmsg,
4110 .socket_recvmsg = selinux_socket_recvmsg,
4111 .socket_getsockname = selinux_socket_getsockname,
4112 .socket_getpeername = selinux_socket_getpeername,
4113 .socket_getsockopt = selinux_socket_getsockopt,
4114 .socket_setsockopt = selinux_socket_setsockopt,
4115 .socket_shutdown = selinux_socket_shutdown,
4116 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4117 .socket_getpeersec = selinux_socket_getpeersec,
4118 .sk_alloc_security = selinux_sk_alloc_security,
4119 .sk_free_security = selinux_sk_free_security,
4123 __init int selinux_init(void)
4125 struct task_security_struct *tsec;
4127 if (!selinux_enabled) {
4128 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4132 printk(KERN_INFO "SELinux: Initializing.\n");
4134 /* Set the security state for the initial task. */
4135 if (task_alloc_security(current))
4136 panic("SELinux: Failed to initialize initial task.\n");
4137 tsec = current->security;
4138 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4142 original_ops = secondary_ops = security_ops;
4144 panic ("SELinux: No initial security operations\n");
4145 if (register_security (&selinux_ops))
4146 panic("SELinux: Unable to register with kernel.\n");
4148 if (selinux_enforcing) {
4149 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4151 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4156 void selinux_complete_init(void)
4158 printk(KERN_INFO "SELinux: Completing initialization.\n");
4160 /* Set up any superblocks initialized prior to the policy load. */
4161 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4162 spin_lock(&sb_security_lock);
4164 if (!list_empty(&superblock_security_head)) {
4165 struct superblock_security_struct *sbsec =
4166 list_entry(superblock_security_head.next,
4167 struct superblock_security_struct,
4169 struct super_block *sb = sbsec->sb;
4170 spin_lock(&sb_lock);
4172 spin_unlock(&sb_lock);
4173 spin_unlock(&sb_security_lock);
4174 down_read(&sb->s_umount);
4176 superblock_doinit(sb, NULL);
4178 spin_lock(&sb_security_lock);
4179 list_del_init(&sbsec->list);
4182 spin_unlock(&sb_security_lock);
4185 /* SELinux requires early initialization in order to label
4186 all processes and objects when they are created. */
4187 security_initcall(selinux_init);
4189 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4191 static struct nf_hook_ops selinux_ipv4_op = {
4192 .hook = selinux_ipv4_postroute_last,
4193 .owner = THIS_MODULE,
4195 .hooknum = NF_IP_POST_ROUTING,
4196 .priority = NF_IP_PRI_SELINUX_LAST,
4199 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4201 static struct nf_hook_ops selinux_ipv6_op = {
4202 .hook = selinux_ipv6_postroute_last,
4203 .owner = THIS_MODULE,
4205 .hooknum = NF_IP6_POST_ROUTING,
4206 .priority = NF_IP6_PRI_SELINUX_LAST,
4211 static int __init selinux_nf_ip_init(void)
4215 if (!selinux_enabled)
4218 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4220 err = nf_register_hook(&selinux_ipv4_op);
4222 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4224 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4226 err = nf_register_hook(&selinux_ipv6_op);
4228 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4235 __initcall(selinux_nf_ip_init);
4237 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4238 static void selinux_nf_ip_exit(void)
4240 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4242 nf_unregister_hook(&selinux_ipv4_op);
4243 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4244 nf_unregister_hook(&selinux_ipv6_op);
4249 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4251 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4252 #define selinux_nf_ip_exit()
4255 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4257 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4258 int selinux_disable(void)
4260 extern void exit_sel_fs(void);
4261 static int selinux_disabled = 0;
4263 if (ss_initialized) {
4264 /* Not permitted after initial policy load. */
4268 if (selinux_disabled) {
4269 /* Only do this once. */
4273 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4275 selinux_disabled = 1;
4277 /* Reset security_ops to the secondary module, dummy or capability. */
4278 security_ops = secondary_ops;
4280 /* Unregister netfilter hooks. */
4281 selinux_nf_ip_exit();
4283 /* Unregister selinuxfs. */