2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License version 2,
16 * as published by the Free Software Foundation.
19 #include <linux/config.h>
20 #include <linux/module.h>
21 #include <linux/init.h>
22 #include <linux/kernel.h>
23 #include <linux/ptrace.h>
24 #include <linux/errno.h>
25 #include <linux/sched.h>
26 #include <linux/security.h>
27 #include <linux/xattr.h>
28 #include <linux/capability.h>
29 #include <linux/unistd.h>
31 #include <linux/mman.h>
32 #include <linux/slab.h>
33 #include <linux/pagemap.h>
34 #include <linux/swap.h>
35 #include <linux/smp_lock.h>
36 #include <linux/spinlock.h>
37 #include <linux/syscalls.h>
38 #include <linux/file.h>
39 #include <linux/namei.h>
40 #include <linux/mount.h>
41 #include <linux/ext2_fs.h>
42 #include <linux/proc_fs.h>
44 #include <linux/netfilter_ipv4.h>
45 #include <linux/netfilter_ipv6.h>
46 #include <linux/tty.h>
48 #include <net/ip.h> /* for sysctl_local_port_range[] */
49 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
50 #include <asm/uaccess.h>
51 #include <asm/semaphore.h>
52 #include <asm/ioctls.h>
53 #include <linux/bitops.h>
54 #include <linux/interrupt.h>
55 #include <linux/netdevice.h> /* for network interface checks */
56 #include <linux/netlink.h>
57 #include <linux/tcp.h>
58 #include <linux/udp.h>
59 #include <linux/quota.h>
60 #include <linux/un.h> /* for Unix socket types */
61 #include <net/af_unix.h> /* for Unix socket types */
62 #include <linux/parser.h>
63 #include <linux/nfs_mount.h>
65 #include <linux/hugetlb.h>
66 #include <linux/personality.h>
72 #define XATTR_SELINUX_SUFFIX "selinux"
73 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
75 extern int policydb_loaded_version;
76 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
78 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
79 int selinux_enforcing = 0;
81 static int __init enforcing_setup(char *str)
83 selinux_enforcing = simple_strtol(str,NULL,0);
86 __setup("enforcing=", enforcing_setup);
89 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
90 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
92 static int __init selinux_enabled_setup(char *str)
94 selinux_enabled = simple_strtol(str, NULL, 0);
97 __setup("selinux=", selinux_enabled_setup);
100 /* Original (dummy) security module. */
101 static struct security_operations *original_ops = NULL;
103 /* Minimal support for a secondary security module,
104 just to allow the use of the dummy or capability modules.
105 The owlsm module can alternatively be used as a secondary
106 module as long as CONFIG_OWLSM_FD is not enabled. */
107 static struct security_operations *secondary_ops = NULL;
109 /* Lists of inode and superblock security structures initialized
110 before the policy was loaded. */
111 static LIST_HEAD(superblock_security_head);
112 static spinlock_t sb_security_lock = SPIN_LOCK_UNLOCKED;
114 /* Allocate and free functions for each kind of security blob. */
116 static int task_alloc_security(struct task_struct *task)
118 struct task_security_struct *tsec;
120 tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
124 memset(tsec, 0, sizeof(struct task_security_struct));
125 tsec->magic = SELINUX_MAGIC;
127 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
128 task->security = tsec;
133 static void task_free_security(struct task_struct *task)
135 struct task_security_struct *tsec = task->security;
137 if (!tsec || tsec->magic != SELINUX_MAGIC)
140 task->security = NULL;
144 static int inode_alloc_security(struct inode *inode)
146 struct task_security_struct *tsec = current->security;
147 struct inode_security_struct *isec;
149 isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
153 memset(isec, 0, sizeof(struct inode_security_struct));
154 init_MUTEX(&isec->sem);
155 INIT_LIST_HEAD(&isec->list);
156 isec->magic = SELINUX_MAGIC;
158 isec->sid = SECINITSID_UNLABELED;
159 isec->sclass = SECCLASS_FILE;
160 if (tsec && tsec->magic == SELINUX_MAGIC)
161 isec->task_sid = tsec->sid;
163 isec->task_sid = SECINITSID_UNLABELED;
164 inode->i_security = isec;
169 static void inode_free_security(struct inode *inode)
171 struct inode_security_struct *isec = inode->i_security;
172 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
174 if (!isec || isec->magic != SELINUX_MAGIC)
177 spin_lock(&sbsec->isec_lock);
178 if (!list_empty(&isec->list))
179 list_del_init(&isec->list);
180 spin_unlock(&sbsec->isec_lock);
182 inode->i_security = NULL;
186 static int file_alloc_security(struct file *file)
188 struct task_security_struct *tsec = current->security;
189 struct file_security_struct *fsec;
191 fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
195 memset(fsec, 0, sizeof(struct file_security_struct));
196 fsec->magic = SELINUX_MAGIC;
198 if (tsec && tsec->magic == SELINUX_MAGIC) {
199 fsec->sid = tsec->sid;
200 fsec->fown_sid = tsec->sid;
202 fsec->sid = SECINITSID_UNLABELED;
203 fsec->fown_sid = SECINITSID_UNLABELED;
205 file->f_security = fsec;
210 static void file_free_security(struct file *file)
212 struct file_security_struct *fsec = file->f_security;
214 if (!fsec || fsec->magic != SELINUX_MAGIC)
217 file->f_security = NULL;
221 static int superblock_alloc_security(struct super_block *sb)
223 struct superblock_security_struct *sbsec;
225 sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
229 memset(sbsec, 0, sizeof(struct superblock_security_struct));
230 init_MUTEX(&sbsec->sem);
231 INIT_LIST_HEAD(&sbsec->list);
232 INIT_LIST_HEAD(&sbsec->isec_head);
233 spin_lock_init(&sbsec->isec_lock);
234 sbsec->magic = SELINUX_MAGIC;
236 sbsec->sid = SECINITSID_UNLABELED;
237 sbsec->def_sid = SECINITSID_FILE;
238 sb->s_security = sbsec;
243 static void superblock_free_security(struct super_block *sb)
245 struct superblock_security_struct *sbsec = sb->s_security;
247 if (!sbsec || sbsec->magic != SELINUX_MAGIC)
250 spin_lock(&sb_security_lock);
251 if (!list_empty(&sbsec->list))
252 list_del_init(&sbsec->list);
253 spin_unlock(&sb_security_lock);
255 sb->s_security = NULL;
259 #ifdef CONFIG_SECURITY_NETWORK
260 static int sk_alloc_security(struct sock *sk, int family, int priority)
262 struct sk_security_struct *ssec;
264 if (family != PF_UNIX)
267 ssec = kmalloc(sizeof(*ssec), priority);
271 memset(ssec, 0, sizeof(*ssec));
272 ssec->magic = SELINUX_MAGIC;
274 ssec->peer_sid = SECINITSID_UNLABELED;
275 sk->sk_security = ssec;
280 static void sk_free_security(struct sock *sk)
282 struct sk_security_struct *ssec = sk->sk_security;
284 if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
287 sk->sk_security = NULL;
290 #endif /* CONFIG_SECURITY_NETWORK */
292 /* The security server must be initialized before
293 any labeling or access decisions can be provided. */
294 extern int ss_initialized;
296 /* The file system's label must be initialized prior to use. */
298 static char *labeling_behaviors[6] = {
300 "uses transition SIDs",
302 "uses genfs_contexts",
303 "not configured for labeling",
304 "uses mountpoint labeling",
307 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
309 static inline int inode_doinit(struct inode *inode)
311 return inode_doinit_with_dentry(inode, NULL);
320 static match_table_t tokens = {
321 {Opt_context, "context=%s"},
322 {Opt_fscontext, "fscontext=%s"},
323 {Opt_defcontext, "defcontext=%s"},
326 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
328 static int try_context_mount(struct super_block *sb, void *data)
330 char *context = NULL, *defcontext = NULL;
333 int alloc = 0, rc = 0, seen = 0;
334 struct task_security_struct *tsec = current->security;
335 struct superblock_security_struct *sbsec = sb->s_security;
340 name = sb->s_type->name;
342 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
344 /* NFS we understand. */
345 if (!strcmp(name, "nfs")) {
346 struct nfs_mount_data *d = data;
348 if (d->version < NFS_MOUNT_VERSION)
352 context = d->context;
359 /* Standard string-based options. */
360 char *p, *options = data;
362 while ((p = strsep(&options, ",")) != NULL) {
364 substring_t args[MAX_OPT_ARGS];
369 token = match_token(p, tokens, args);
375 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
378 context = match_strdup(&args[0]);
389 if (seen & (Opt_context|Opt_fscontext)) {
391 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
394 context = match_strdup(&args[0]);
401 seen |= Opt_fscontext;
405 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
407 printk(KERN_WARNING "SELinux: "
408 "defcontext option is invalid "
409 "for this filesystem type\n");
412 if (seen & (Opt_context|Opt_defcontext)) {
414 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
417 defcontext = match_strdup(&args[0]);
424 seen |= Opt_defcontext;
429 printk(KERN_WARNING "SELinux: unknown mount "
441 rc = security_context_to_sid(context, strlen(context), &sid);
443 printk(KERN_WARNING "SELinux: security_context_to_sid"
444 "(%s) failed for (dev %s, type %s) errno=%d\n",
445 context, sb->s_id, name, rc);
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL);
454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELTO, NULL);
461 if (seen & Opt_context)
462 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
466 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
468 printk(KERN_WARNING "SELinux: security_context_to_sid"
469 "(%s) failed for (dev %s, type %s) errno=%d\n",
470 defcontext, sb->s_id, name, rc);
474 if (sid == sbsec->def_sid)
477 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__RELABELFROM, NULL);
482 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
483 FILESYSTEM__ASSOCIATE, NULL);
487 sbsec->def_sid = sid;
499 static int superblock_doinit(struct super_block *sb, void *data)
501 struct superblock_security_struct *sbsec = sb->s_security;
502 struct dentry *root = sb->s_root;
503 struct inode *inode = root->d_inode;
507 if (sbsec->initialized)
510 if (!ss_initialized) {
511 /* Defer initialization until selinux_complete_init,
512 after the initial policy is loaded and the security
513 server is ready to handle calls. */
514 spin_lock(&sb_security_lock);
515 if (list_empty(&sbsec->list))
516 list_add(&sbsec->list, &superblock_security_head);
517 spin_unlock(&sb_security_lock);
521 /* Determine the labeling behavior to use for this filesystem type. */
522 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
524 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
525 __FUNCTION__, sb->s_type->name, rc);
529 rc = try_context_mount(sb, data);
533 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
534 /* Make sure that the xattr handler exists and that no
535 error other than -ENODATA is returned by getxattr on
536 the root directory. -ENODATA is ok, as this may be
537 the first boot of the SELinux kernel before we have
538 assigned xattr values to the filesystem. */
539 if (!inode->i_op->getxattr) {
540 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
541 "xattr support\n", sb->s_id, sb->s_type->name);
545 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
546 if (rc < 0 && rc != -ENODATA) {
547 if (rc == -EOPNOTSUPP)
548 printk(KERN_WARNING "SELinux: (dev %s, type "
549 "%s) has no security xattr handler\n",
550 sb->s_id, sb->s_type->name);
552 printk(KERN_WARNING "SELinux: (dev %s, type "
553 "%s) getxattr errno %d\n", sb->s_id,
554 sb->s_type->name, -rc);
559 if (strcmp(sb->s_type->name, "proc") == 0)
562 sbsec->initialized = 1;
564 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
565 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
566 sb->s_id, sb->s_type->name);
569 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
570 sb->s_id, sb->s_type->name,
571 labeling_behaviors[sbsec->behavior-1]);
574 /* Initialize the root inode. */
575 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
577 /* Initialize any other inodes associated with the superblock, e.g.
578 inodes created prior to initial policy load or inodes created
579 during get_sb by a pseudo filesystem that directly
581 spin_lock(&sbsec->isec_lock);
583 if (!list_empty(&sbsec->isec_head)) {
584 struct inode_security_struct *isec =
585 list_entry(sbsec->isec_head.next,
586 struct inode_security_struct, list);
587 struct inode *inode = isec->inode;
588 spin_unlock(&sbsec->isec_lock);
589 inode = igrab(inode);
594 spin_lock(&sbsec->isec_lock);
595 list_del_init(&isec->list);
598 spin_unlock(&sbsec->isec_lock);
604 static inline u16 inode_mode_to_security_class(umode_t mode)
606 switch (mode & S_IFMT) {
608 return SECCLASS_SOCK_FILE;
610 return SECCLASS_LNK_FILE;
612 return SECCLASS_FILE;
614 return SECCLASS_BLK_FILE;
618 return SECCLASS_CHR_FILE;
620 return SECCLASS_FIFO_FILE;
624 return SECCLASS_FILE;
627 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
634 return SECCLASS_UNIX_STREAM_SOCKET;
636 return SECCLASS_UNIX_DGRAM_SOCKET;
643 return SECCLASS_TCP_SOCKET;
645 return SECCLASS_UDP_SOCKET;
647 return SECCLASS_RAWIP_SOCKET;
653 return SECCLASS_NETLINK_ROUTE_SOCKET;
654 case NETLINK_FIREWALL:
655 return SECCLASS_NETLINK_FIREWALL_SOCKET;
656 case NETLINK_TCPDIAG:
657 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
659 return SECCLASS_NETLINK_NFLOG_SOCKET;
661 return SECCLASS_NETLINK_XFRM_SOCKET;
662 case NETLINK_SELINUX:
663 return SECCLASS_NETLINK_SELINUX_SOCKET;
665 return SECCLASS_NETLINK_AUDIT_SOCKET;
667 return SECCLASS_NETLINK_IP6FW_SOCKET;
668 case NETLINK_DNRTMSG:
669 return SECCLASS_NETLINK_DNRT_SOCKET;
671 return SECCLASS_NETLINK_SOCKET;
674 return SECCLASS_PACKET_SOCKET;
676 return SECCLASS_KEY_SOCKET;
679 return SECCLASS_SOCKET;
682 #ifdef CONFIG_PROC_FS
683 static int selinux_proc_get_sid(struct proc_dir_entry *de,
688 char *buffer, *path, *end;
690 buffer = (char*)__get_free_page(GFP_KERNEL);
700 while (de && de != de->parent) {
701 buflen -= de->namelen + 1;
705 memcpy(end, de->name, de->namelen);
710 rc = security_genfs_sid("proc", path, tclass, sid);
711 free_page((unsigned long)buffer);
715 static int selinux_proc_get_sid(struct proc_dir_entry *de,
723 /* The inode's security attributes must be initialized before first use. */
724 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
726 struct superblock_security_struct *sbsec = NULL;
727 struct inode_security_struct *isec = inode->i_security;
729 struct dentry *dentry;
730 #define INITCONTEXTLEN 255
731 char *context = NULL;
736 if (isec->initialized)
741 if (isec->initialized)
744 sbsec = inode->i_sb->s_security;
745 if (!sbsec->initialized) {
746 /* Defer initialization until selinux_complete_init,
747 after the initial policy is loaded and the security
748 server is ready to handle calls. */
749 spin_lock(&sbsec->isec_lock);
750 if (list_empty(&isec->list))
751 list_add(&isec->list, &sbsec->isec_head);
752 spin_unlock(&sbsec->isec_lock);
756 switch (sbsec->behavior) {
757 case SECURITY_FS_USE_XATTR:
758 if (!inode->i_op->getxattr) {
759 isec->sid = sbsec->def_sid;
763 /* Need a dentry, since the xattr API requires one.
764 Life would be simpler if we could just pass the inode. */
766 /* Called from d_instantiate or d_splice_alias. */
767 dentry = dget(opt_dentry);
769 /* Called from selinux_complete_init, try to find a dentry. */
770 dentry = d_find_alias(inode);
773 printk(KERN_WARNING "%s: no dentry for dev=%s "
774 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
779 len = INITCONTEXTLEN;
780 context = kmalloc(len, GFP_KERNEL);
786 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
789 /* Need a larger buffer. Query for the right size. */
790 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
798 context = kmalloc(len, GFP_KERNEL);
804 rc = inode->i_op->getxattr(dentry,
810 if (rc != -ENODATA) {
811 printk(KERN_WARNING "%s: getxattr returned "
812 "%d for dev=%s ino=%ld\n", __FUNCTION__,
813 -rc, inode->i_sb->s_id, inode->i_ino);
817 /* Map ENODATA to the default file SID */
818 sid = sbsec->def_sid;
821 rc = security_context_to_sid(context, rc, &sid);
823 printk(KERN_WARNING "%s: context_to_sid(%s) "
824 "returned %d for dev=%s ino=%ld\n",
825 __FUNCTION__, context, -rc,
826 inode->i_sb->s_id, inode->i_ino);
834 case SECURITY_FS_USE_TASK:
835 isec->sid = isec->task_sid;
837 case SECURITY_FS_USE_TRANS:
838 /* Default to the fs SID. */
839 isec->sid = sbsec->sid;
841 /* Try to obtain a transition SID. */
842 isec->sclass = inode_mode_to_security_class(inode->i_mode);
843 rc = security_transition_sid(isec->task_sid,
852 /* Default to the fs SID. */
853 isec->sid = sbsec->sid;
856 struct proc_inode *proci = PROC_I(inode);
858 isec->sclass = inode_mode_to_security_class(inode->i_mode);
859 rc = selinux_proc_get_sid(proci->pde,
870 isec->initialized = 1;
874 struct socket *sock = SOCKET_I(inode);
876 isec->sclass = socket_type_to_security_class(sock->sk->sk_family,
878 sock->sk->sk_protocol);
880 isec->sclass = SECCLASS_SOCKET;
883 isec->sclass = inode_mode_to_security_class(inode->i_mode);
891 /* Convert a Linux signal to an access vector. */
892 static inline u32 signal_to_av(int sig)
898 /* Commonly granted from child to parent. */
899 perm = PROCESS__SIGCHLD;
902 /* Cannot be caught or ignored */
903 perm = PROCESS__SIGKILL;
906 /* Cannot be caught or ignored */
907 perm = PROCESS__SIGSTOP;
910 /* All other signals. */
911 perm = PROCESS__SIGNAL;
918 /* Check permission betweeen a pair of tasks, e.g. signal checks,
919 fork check, ptrace check, etc. */
920 int task_has_perm(struct task_struct *tsk1,
921 struct task_struct *tsk2,
924 struct task_security_struct *tsec1, *tsec2;
926 tsec1 = tsk1->security;
927 tsec2 = tsk2->security;
928 return avc_has_perm(tsec1->sid, tsec2->sid,
929 SECCLASS_PROCESS, perms, NULL);
932 /* Check whether a task is allowed to use a capability. */
933 int task_has_capability(struct task_struct *tsk,
936 struct task_security_struct *tsec;
937 struct avc_audit_data ad;
939 tsec = tsk->security;
941 AVC_AUDIT_DATA_INIT(&ad,CAP);
945 return avc_has_perm(tsec->sid, tsec->sid,
946 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
949 /* Check whether a task is allowed to use a system operation. */
950 int task_has_system(struct task_struct *tsk,
953 struct task_security_struct *tsec;
955 tsec = tsk->security;
957 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
958 SECCLASS_SYSTEM, perms, NULL);
961 /* Check whether a task has a particular permission to an inode.
962 The 'adp' parameter is optional and allows other audit
963 data to be passed (e.g. the dentry). */
964 int inode_has_perm(struct task_struct *tsk,
967 struct avc_audit_data *adp)
969 struct task_security_struct *tsec;
970 struct inode_security_struct *isec;
971 struct avc_audit_data ad;
973 tsec = tsk->security;
974 isec = inode->i_security;
978 AVC_AUDIT_DATA_INIT(&ad, FS);
979 ad.u.fs.inode = inode;
982 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
985 /* Same as inode_has_perm, but pass explicit audit data containing
986 the dentry to help the auditing code to more easily generate the
987 pathname if needed. */
988 static inline int dentry_has_perm(struct task_struct *tsk,
989 struct vfsmount *mnt,
990 struct dentry *dentry,
993 struct inode *inode = dentry->d_inode;
994 struct avc_audit_data ad;
995 AVC_AUDIT_DATA_INIT(&ad,FS);
997 ad.u.fs.dentry = dentry;
998 return inode_has_perm(tsk, inode, av, &ad);
1001 /* Check whether a task can use an open file descriptor to
1002 access an inode in a given way. Check access to the
1003 descriptor itself, and then use dentry_has_perm to
1004 check a particular permission to the file.
1005 Access to the descriptor is implicitly granted if it
1006 has the same SID as the process. If av is zero, then
1007 access to the file is not checked, e.g. for cases
1008 where only the descriptor is affected like seek. */
1009 static inline int file_has_perm(struct task_struct *tsk,
1013 struct task_security_struct *tsec = tsk->security;
1014 struct file_security_struct *fsec = file->f_security;
1015 struct vfsmount *mnt = file->f_vfsmnt;
1016 struct dentry *dentry = file->f_dentry;
1017 struct inode *inode = dentry->d_inode;
1018 struct avc_audit_data ad;
1021 AVC_AUDIT_DATA_INIT(&ad, FS);
1023 ad.u.fs.dentry = dentry;
1025 if (tsec->sid != fsec->sid) {
1026 rc = avc_has_perm(tsec->sid, fsec->sid,
1034 /* av is zero if only checking access to the descriptor. */
1036 return inode_has_perm(tsk, inode, av, &ad);
1041 /* Check whether a task can create a file. */
1042 static int may_create(struct inode *dir,
1043 struct dentry *dentry,
1046 struct task_security_struct *tsec;
1047 struct inode_security_struct *dsec;
1048 struct superblock_security_struct *sbsec;
1050 struct avc_audit_data ad;
1053 tsec = current->security;
1054 dsec = dir->i_security;
1055 sbsec = dir->i_sb->s_security;
1057 AVC_AUDIT_DATA_INIT(&ad, FS);
1058 ad.u.fs.dentry = dentry;
1060 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1061 DIR__ADD_NAME | DIR__SEARCH,
1066 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1067 newsid = tsec->create_sid;
1069 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1075 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1079 return avc_has_perm(newsid, sbsec->sid,
1080 SECCLASS_FILESYSTEM,
1081 FILESYSTEM__ASSOCIATE, &ad);
1085 #define MAY_UNLINK 1
1088 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1089 static int may_link(struct inode *dir,
1090 struct dentry *dentry,
1094 struct task_security_struct *tsec;
1095 struct inode_security_struct *dsec, *isec;
1096 struct avc_audit_data ad;
1100 tsec = current->security;
1101 dsec = dir->i_security;
1102 isec = dentry->d_inode->i_security;
1104 AVC_AUDIT_DATA_INIT(&ad, FS);
1105 ad.u.fs.dentry = dentry;
1108 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1109 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1124 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1128 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1132 static inline int may_rename(struct inode *old_dir,
1133 struct dentry *old_dentry,
1134 struct inode *new_dir,
1135 struct dentry *new_dentry)
1137 struct task_security_struct *tsec;
1138 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1139 struct avc_audit_data ad;
1141 int old_is_dir, new_is_dir;
1144 tsec = current->security;
1145 old_dsec = old_dir->i_security;
1146 old_isec = old_dentry->d_inode->i_security;
1147 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1148 new_dsec = new_dir->i_security;
1150 AVC_AUDIT_DATA_INIT(&ad, FS);
1152 ad.u.fs.dentry = old_dentry;
1153 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1154 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1157 rc = avc_has_perm(tsec->sid, old_isec->sid,
1158 old_isec->sclass, FILE__RENAME, &ad);
1161 if (old_is_dir && new_dir != old_dir) {
1162 rc = avc_has_perm(tsec->sid, old_isec->sid,
1163 old_isec->sclass, DIR__REPARENT, &ad);
1168 ad.u.fs.dentry = new_dentry;
1169 av = DIR__ADD_NAME | DIR__SEARCH;
1170 if (new_dentry->d_inode)
1171 av |= DIR__REMOVE_NAME;
1172 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1175 if (new_dentry->d_inode) {
1176 new_isec = new_dentry->d_inode->i_security;
1177 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1178 rc = avc_has_perm(tsec->sid, new_isec->sid,
1180 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1188 /* Check whether a task can perform a filesystem operation. */
1189 int superblock_has_perm(struct task_struct *tsk,
1190 struct super_block *sb,
1192 struct avc_audit_data *ad)
1194 struct task_security_struct *tsec;
1195 struct superblock_security_struct *sbsec;
1197 tsec = tsk->security;
1198 sbsec = sb->s_security;
1199 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1203 /* Convert a Linux mode and permission mask to an access vector. */
1204 static inline u32 file_mask_to_av(int mode, int mask)
1208 if ((mode & S_IFMT) != S_IFDIR) {
1209 if (mask & MAY_EXEC)
1210 av |= FILE__EXECUTE;
1211 if (mask & MAY_READ)
1214 if (mask & MAY_APPEND)
1216 else if (mask & MAY_WRITE)
1220 if (mask & MAY_EXEC)
1222 if (mask & MAY_WRITE)
1224 if (mask & MAY_READ)
1231 /* Convert a Linux file to an access vector. */
1232 static inline u32 file_to_av(struct file *file)
1236 if (file->f_mode & FMODE_READ)
1238 if (file->f_mode & FMODE_WRITE) {
1239 if (file->f_flags & O_APPEND)
1248 /* Set an inode's SID to a specified value. */
1249 int inode_security_set_sid(struct inode *inode, u32 sid)
1251 struct inode_security_struct *isec = inode->i_security;
1252 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1254 if (!sbsec->initialized) {
1255 /* Defer initialization to selinux_complete_init. */
1260 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1262 isec->initialized = 1;
1267 /* Set the security attributes on a newly created file. */
1268 static int post_create(struct inode *dir,
1269 struct dentry *dentry)
1272 struct task_security_struct *tsec;
1273 struct inode *inode;
1274 struct inode_security_struct *dsec;
1275 struct superblock_security_struct *sbsec;
1281 tsec = current->security;
1282 dsec = dir->i_security;
1283 sbsec = dir->i_sb->s_security;
1285 inode = dentry->d_inode;
1287 /* Some file system types (e.g. NFS) may not instantiate
1288 a dentry for all create operations (e.g. symlink),
1289 so we have to check to see if the inode is non-NULL. */
1290 printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
1291 "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1295 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1296 newsid = tsec->create_sid;
1298 rc = security_transition_sid(tsec->sid, dsec->sid,
1299 inode_mode_to_security_class(inode->i_mode),
1302 printk(KERN_WARNING "post_create: "
1303 "security_transition_sid failed, rc=%d (dev=%s "
1305 -rc, inode->i_sb->s_id, inode->i_ino);
1310 rc = inode_security_set_sid(inode, newsid);
1312 printk(KERN_WARNING "post_create: inode_security_set_sid "
1313 "failed, rc=%d (dev=%s ino=%ld)\n",
1314 -rc, inode->i_sb->s_id, inode->i_ino);
1318 if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1319 inode->i_op->setxattr) {
1320 /* Use extended attributes. */
1321 rc = security_sid_to_context(newsid, &context, &len);
1323 printk(KERN_WARNING "post_create: sid_to_context "
1324 "failed, rc=%d (dev=%s ino=%ld)\n",
1325 -rc, inode->i_sb->s_id, inode->i_ino);
1328 down(&inode->i_sem);
1329 rc = inode->i_op->setxattr(dentry,
1335 printk(KERN_WARNING "post_create: setxattr failed, "
1336 "rc=%d (dev=%s ino=%ld)\n",
1337 -rc, inode->i_sb->s_id, inode->i_ino);
1346 /* Hook functions begin here. */
1348 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1350 struct task_security_struct *psec = parent->security;
1351 struct task_security_struct *csec = child->security;
1354 rc = secondary_ops->ptrace(parent,child);
1358 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1359 /* Save the SID of the tracing process for later use in apply_creds. */
1361 csec->ptrace_sid = psec->sid;
1365 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1366 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1370 error = task_has_perm(current, target, PROCESS__GETCAP);
1374 return secondary_ops->capget(target, effective, inheritable, permitted);
1377 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1378 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1382 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1386 return task_has_perm(current, target, PROCESS__SETCAP);
1389 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1390 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1394 error = task_has_perm(current, target, PROCESS__SETCAP);
1398 secondary_ops->capset_set(target, effective, inheritable, permitted);
1401 static int selinux_capable(struct task_struct *tsk, int cap)
1405 rc = secondary_ops->capable(tsk, cap);
1409 return task_has_capability(tsk,cap);
1412 static int selinux_sysctl(ctl_table *table, int op)
1416 struct task_security_struct *tsec;
1420 rc = secondary_ops->sysctl(table, op);
1424 tsec = current->security;
1426 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1427 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1429 /* Default to the well-defined sysctl SID. */
1430 tsid = SECINITSID_SYSCTL;
1433 /* The op values are "defined" in sysctl.c, thereby creating
1434 * a bad coupling between this module and sysctl.c */
1436 error = avc_has_perm(tsec->sid, tsid,
1437 SECCLASS_DIR, DIR__SEARCH, NULL);
1445 error = avc_has_perm(tsec->sid, tsid,
1446 SECCLASS_FILE, av, NULL);
1452 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1465 rc = superblock_has_perm(current,
1467 FILESYSTEM__QUOTAMOD, NULL);
1472 rc = superblock_has_perm(current,
1474 FILESYSTEM__QUOTAGET, NULL);
1477 rc = 0; /* let the kernel handle invalid cmds */
1483 static int selinux_quota_on(struct file *f)
1485 return file_has_perm(current, f, FILE__QUOTAON);
1488 static int selinux_syslog(int type)
1492 rc = secondary_ops->syslog(type);
1497 case 3: /* Read last kernel messages */
1498 case 10: /* Return size of the log buffer */
1499 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1501 case 6: /* Disable logging to console */
1502 case 7: /* Enable logging to console */
1503 case 8: /* Set level of messages printed to console */
1504 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1506 case 0: /* Close log */
1507 case 1: /* Open log */
1508 case 2: /* Read from log */
1509 case 4: /* Read/clear last kernel messages */
1510 case 5: /* Clear ring buffer */
1512 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1519 * Check that a process has enough memory to allocate a new virtual
1520 * mapping. 0 means there is enough memory for the allocation to
1521 * succeed and -ENOMEM implies there is not.
1523 * We currently support three overcommit policies, which are set via the
1524 * vm.overcommit_memory sysctl. See Documentation/vm/overcommit-accounting
1526 * Strict overcommit modes added 2002 Feb 26 by Alan Cox.
1527 * Additional code 2002 Jul 20 by Robert Love.
1529 static int selinux_vm_enough_memory(long pages)
1531 unsigned long free, allowed;
1533 struct task_security_struct *tsec = current->security;
1535 vm_acct_memory(pages);
1538 * Sometimes we want to use more memory than we have
1540 if (sysctl_overcommit_memory == OVERCOMMIT_ALWAYS)
1543 if (sysctl_overcommit_memory == OVERCOMMIT_GUESS) {
1544 free = get_page_cache_size();
1545 free += nr_free_pages();
1546 free += nr_swap_pages;
1549 * Any slabs which are created with the
1550 * SLAB_RECLAIM_ACCOUNT flag claim to have contents
1551 * which are reclaimable, under pressure. The dentry
1552 * cache and most inode caches should fall into this
1554 free += atomic_read(&slab_reclaim_pages);
1557 * Leave the last 3% for privileged processes.
1558 * Don't audit the check, as it is applied to all processes
1559 * that allocate mappings.
1561 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1563 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1564 SECCLASS_CAPABILITY,
1565 CAP_TO_MASK(CAP_SYS_ADMIN), NULL);
1572 vm_unacct_memory(pages);
1576 allowed = (totalram_pages - hugetlb_total_pages())
1577 * sysctl_overcommit_ratio / 100;
1578 allowed += total_swap_pages;
1580 if (atomic_read(&vm_committed_space) < allowed)
1583 vm_unacct_memory(pages);
1588 /* binprm security operations */
1590 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1592 struct bprm_security_struct *bsec;
1594 bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1598 memset(bsec, 0, sizeof *bsec);
1599 bsec->magic = SELINUX_MAGIC;
1601 bsec->sid = SECINITSID_UNLABELED;
1604 bprm->security = bsec;
1608 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1610 struct task_security_struct *tsec;
1611 struct inode *inode = bprm->file->f_dentry->d_inode;
1612 struct inode_security_struct *isec;
1613 struct bprm_security_struct *bsec;
1615 struct avc_audit_data ad;
1618 rc = secondary_ops->bprm_set_security(bprm);
1622 bsec = bprm->security;
1627 tsec = current->security;
1628 isec = inode->i_security;
1630 /* Default to the current task SID. */
1631 bsec->sid = tsec->sid;
1633 /* Reset create SID on execve. */
1634 tsec->create_sid = 0;
1636 if (tsec->exec_sid) {
1637 newsid = tsec->exec_sid;
1638 /* Reset exec SID on execve. */
1641 /* Check for a default transition on this program. */
1642 rc = security_transition_sid(tsec->sid, isec->sid,
1643 SECCLASS_PROCESS, &newsid);
1648 AVC_AUDIT_DATA_INIT(&ad, FS);
1649 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1650 ad.u.fs.dentry = bprm->file->f_dentry;
1652 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1655 if (tsec->sid == newsid) {
1656 rc = avc_has_perm(tsec->sid, isec->sid,
1657 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1661 /* Check permissions for the transition. */
1662 rc = avc_has_perm(tsec->sid, newsid,
1663 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1667 rc = avc_has_perm(newsid, isec->sid,
1668 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1672 /* Clear any possibly unsafe personality bits on exec: */
1673 current->personality &= ~PER_CLEAR_ON_SETID;
1675 /* Set the security field to the new SID. */
1683 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1685 return secondary_ops->bprm_check_security(bprm);
1689 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1691 struct task_security_struct *tsec = current->security;
1694 if (tsec->osid != tsec->sid) {
1695 /* Enable secure mode for SIDs transitions unless
1696 the noatsecure permission is granted between
1697 the two SIDs, i.e. ahp returns 0. */
1698 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1700 PROCESS__NOATSECURE, NULL);
1703 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1706 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1708 struct bprm_security_struct *bsec = bprm->security;
1709 bprm->security = NULL;
1713 extern struct vfsmount *selinuxfs_mount;
1714 extern struct dentry *selinux_null;
1716 /* Derived from fs/exec.c:flush_old_files. */
1717 static inline void flush_unauthorized_files(struct files_struct * files)
1719 struct avc_audit_data ad;
1720 struct file *file, *devnull = NULL;
1721 struct tty_struct *tty = current->signal->tty;
1726 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1728 /* Revalidate access to controlling tty.
1729 Use inode_has_perm on the tty inode directly rather
1730 than using file_has_perm, as this particular open
1731 file may belong to another process and we are only
1732 interested in the inode-based check here. */
1733 struct inode *inode = file->f_dentry->d_inode;
1734 if (inode_has_perm(current, inode,
1735 FILE__READ | FILE__WRITE, NULL)) {
1736 /* Reset controlling tty. */
1737 current->signal->tty = NULL;
1738 current->signal->tty_old_pgrp = 0;
1744 /* Revalidate access to inherited open files. */
1746 AVC_AUDIT_DATA_INIT(&ad,FS);
1748 spin_lock(&files->file_lock);
1750 unsigned long set, i;
1755 if (i >= files->max_fds || i >= files->max_fdset)
1757 set = files->open_fds->fds_bits[j];
1760 spin_unlock(&files->file_lock);
1761 for ( ; set ; i++,set >>= 1) {
1766 if (file_has_perm(current,
1768 file_to_av(file))) {
1770 fd = get_unused_fd();
1778 atomic_inc(&devnull->f_count);
1780 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1787 fd_install(fd, devnull);
1792 spin_lock(&files->file_lock);
1795 spin_unlock(&files->file_lock);
1798 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1800 struct task_security_struct *tsec;
1801 struct bprm_security_struct *bsec;
1803 struct av_decision avd;
1804 struct itimerval itimer;
1805 struct rlimit *rlim, *initrlim;
1808 secondary_ops->bprm_apply_creds(bprm, unsafe);
1810 tsec = current->security;
1812 bsec = bprm->security;
1815 tsec->osid = tsec->sid;
1816 if (tsec->sid != sid) {
1817 /* Check for shared state. If not ok, leave SID
1818 unchanged and kill. */
1819 if (unsafe & LSM_UNSAFE_SHARE) {
1820 rc = avc_has_perm_noaudit(tsec->sid, sid,
1821 SECCLASS_PROCESS, PROCESS__SHARE, &avd);
1823 task_unlock(current);
1824 avc_audit(tsec->sid, sid, SECCLASS_PROCESS,
1825 PROCESS__SHARE, &avd, rc, NULL);
1826 force_sig_specific(SIGKILL, current);
1831 /* Check for ptracing, and update the task SID if ok.
1832 Otherwise, leave SID unchanged and kill. */
1833 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1834 rc = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
1835 SECCLASS_PROCESS, PROCESS__PTRACE, &avd);
1838 task_unlock(current);
1839 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
1840 PROCESS__PTRACE, &avd, rc, NULL);
1842 force_sig_specific(SIGKILL, current);
1847 task_unlock(current);
1850 /* Close files for which the new task SID is not authorized. */
1851 flush_unauthorized_files(current->files);
1853 /* Check whether the new SID can inherit signal state
1854 from the old SID. If not, clear itimers to avoid
1855 subsequent signal generation and flush and unblock
1856 signals. This must occur _after_ the task SID has
1857 been updated so that any kill done after the flush
1858 will be checked against the new SID. */
1859 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1860 PROCESS__SIGINH, NULL);
1862 memset(&itimer, 0, sizeof itimer);
1863 for (i = 0; i < 3; i++)
1864 do_setitimer(i, &itimer, NULL);
1865 flush_signals(current);
1866 spin_lock_irq(¤t->sighand->siglock);
1867 flush_signal_handlers(current, 1);
1868 sigemptyset(¤t->blocked);
1869 recalc_sigpending();
1870 spin_unlock_irq(¤t->sighand->siglock);
1873 /* Check whether the new SID can inherit resource limits
1874 from the old SID. If not, reset all soft limits to
1875 the lower of the current task's hard limit and the init
1876 task's soft limit. Note that the setting of hard limits
1877 (even to lower them) can be controlled by the setrlimit
1878 check. The inclusion of the init task's soft limit into
1879 the computation is to avoid resetting soft limits higher
1880 than the default soft limit for cases where the default
1881 is lower than the hard limit, e.g. RLIMIT_CORE or
1883 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1884 PROCESS__RLIMITINH, NULL);
1886 for (i = 0; i < RLIM_NLIMITS; i++) {
1887 rlim = current->rlim + i;
1888 initrlim = init_task.rlim+i;
1889 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1893 /* Wake up the parent if it is waiting so that it can
1894 recheck wait permission to the new task SID. */
1895 wake_up_interruptible(¤t->parent->wait_chldexit);
1903 /* superblock security operations */
1905 static int selinux_sb_alloc_security(struct super_block *sb)
1907 return superblock_alloc_security(sb);
1910 static void selinux_sb_free_security(struct super_block *sb)
1912 superblock_free_security(sb);
1915 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1920 return !memcmp(prefix, option, plen);
1923 static inline int selinux_option(char *option, int len)
1925 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1926 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1927 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1930 static inline void take_option(char **to, char *from, int *first, int len)
1938 memcpy(*to, from, len);
1942 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1944 int fnosec, fsec, rc = 0;
1945 char *in_save, *in_curr, *in_end;
1946 char *sec_curr, *nosec_save, *nosec;
1951 /* Binary mount data: just copy */
1952 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1953 copy_page(sec_curr, in_curr);
1957 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1965 in_save = in_end = orig;
1968 if (*in_end == ',' || *in_end == '\0') {
1969 int len = in_end - in_curr;
1971 if (selinux_option(in_curr, len))
1972 take_option(&sec_curr, in_curr, &fsec, len);
1974 take_option(&nosec, in_curr, &fnosec, len);
1976 in_curr = in_end + 1;
1978 } while (*in_end++);
1980 copy_page(in_save, nosec_save);
1985 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1987 struct avc_audit_data ad;
1990 rc = superblock_doinit(sb, data);
1994 AVC_AUDIT_DATA_INIT(&ad,FS);
1995 ad.u.fs.dentry = sb->s_root;
1996 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1999 static int selinux_sb_statfs(struct super_block *sb)
2001 struct avc_audit_data ad;
2003 AVC_AUDIT_DATA_INIT(&ad,FS);
2004 ad.u.fs.dentry = sb->s_root;
2005 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
2008 static int selinux_mount(char * dev_name,
2009 struct nameidata *nd,
2011 unsigned long flags,
2016 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2020 if (flags & MS_REMOUNT)
2021 return superblock_has_perm(current, nd->mnt->mnt_sb,
2022 FILESYSTEM__REMOUNT, NULL);
2024 return dentry_has_perm(current, nd->mnt, nd->dentry,
2028 static int selinux_umount(struct vfsmount *mnt, int flags)
2032 rc = secondary_ops->sb_umount(mnt, flags);
2036 return superblock_has_perm(current,mnt->mnt_sb,
2037 FILESYSTEM__UNMOUNT,NULL);
2040 /* inode security operations */
2042 static int selinux_inode_alloc_security(struct inode *inode)
2044 return inode_alloc_security(inode);
2047 static void selinux_inode_free_security(struct inode *inode)
2049 inode_free_security(inode);
2052 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2054 return may_create(dir, dentry, SECCLASS_FILE);
2057 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2059 post_create(dir, dentry);
2062 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2066 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2069 return may_link(dir, old_dentry, MAY_LINK);
2072 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2077 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2081 rc = secondary_ops->inode_unlink(dir, dentry);
2084 return may_link(dir, dentry, MAY_UNLINK);
2087 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2089 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2092 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2094 post_create(dir, dentry);
2097 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2099 return may_create(dir, dentry, SECCLASS_DIR);
2102 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2104 post_create(dir, dentry);
2107 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2109 return may_link(dir, dentry, MAY_RMDIR);
2112 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2116 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2120 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2123 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2125 post_create(dir, dentry);
2128 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2129 struct inode *new_inode, struct dentry *new_dentry)
2131 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2134 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2135 struct inode *new_inode, struct dentry *new_dentry)
2140 static int selinux_inode_readlink(struct dentry *dentry)
2142 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2145 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2149 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2152 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2155 static int selinux_inode_permission(struct inode *inode, int mask,
2156 struct nameidata *nd)
2160 rc = secondary_ops->inode_permission(inode, mask, nd);
2165 /* No permission to check. Existence test. */
2169 return inode_has_perm(current, inode,
2170 file_mask_to_av(inode->i_mode, mask), NULL);
2173 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2177 rc = secondary_ops->inode_setattr(dentry, iattr);
2181 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2182 ATTR_ATIME_SET | ATTR_MTIME_SET))
2183 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2185 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2188 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2190 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2193 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2195 struct task_security_struct *tsec = current->security;
2196 struct inode *inode = dentry->d_inode;
2197 struct inode_security_struct *isec = inode->i_security;
2198 struct superblock_security_struct *sbsec;
2199 struct avc_audit_data ad;
2203 if (strcmp(name, XATTR_NAME_SELINUX)) {
2204 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2205 sizeof XATTR_SECURITY_PREFIX - 1) &&
2206 !capable(CAP_SYS_ADMIN)) {
2207 /* A different attribute in the security namespace.
2208 Restrict to administrator. */
2212 /* Not an attribute we recognize, so just check the
2213 ordinary setattr permission. */
2214 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2217 sbsec = inode->i_sb->s_security;
2218 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2221 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2224 AVC_AUDIT_DATA_INIT(&ad,FS);
2225 ad.u.fs.dentry = dentry;
2227 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2228 FILE__RELABELFROM, &ad);
2232 rc = security_context_to_sid(value, size, &newsid);
2236 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2237 FILE__RELABELTO, &ad);
2241 return avc_has_perm(newsid,
2243 SECCLASS_FILESYSTEM,
2244 FILESYSTEM__ASSOCIATE,
2248 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2249 void *value, size_t size, int flags)
2251 struct inode *inode = dentry->d_inode;
2252 struct inode_security_struct *isec = inode->i_security;
2256 if (strcmp(name, XATTR_NAME_SELINUX)) {
2257 /* Not an attribute we recognize, so nothing to do. */
2261 rc = security_context_to_sid(value, size, &newsid);
2263 printk(KERN_WARNING "%s: unable to obtain SID for context "
2264 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2272 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2274 struct inode *inode = dentry->d_inode;
2275 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2277 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2280 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2283 static int selinux_inode_listxattr (struct dentry *dentry)
2285 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2288 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2290 if (strcmp(name, XATTR_NAME_SELINUX)) {
2291 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2292 sizeof XATTR_SECURITY_PREFIX - 1) &&
2293 !capable(CAP_SYS_ADMIN)) {
2294 /* A different attribute in the security namespace.
2295 Restrict to administrator. */
2299 /* Not an attribute we recognize, so just check the
2300 ordinary setattr permission. Might want a separate
2301 permission for removexattr. */
2302 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2305 /* No one is allowed to remove a SELinux security label.
2306 You can change the label, but all data must be labeled. */
2310 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2312 struct inode_security_struct *isec = inode->i_security;
2317 /* Permission check handled by selinux_inode_getxattr hook.*/
2319 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2322 rc = security_sid_to_context(isec->sid, &context, &len);
2326 if (!buffer || !size) {
2334 memcpy(buffer, context, len);
2339 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2340 const void *value, size_t size, int flags)
2342 struct inode_security_struct *isec = inode->i_security;
2346 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2349 if (!value || !size)
2352 rc = security_context_to_sid((void*)value, size, &newsid);
2360 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2362 const int len = sizeof(XATTR_NAME_SELINUX);
2363 if (buffer && len <= buffer_size)
2364 memcpy(buffer, XATTR_NAME_SELINUX, len);
2368 /* file security operations */
2370 static int selinux_file_permission(struct file *file, int mask)
2372 struct inode *inode = file->f_dentry->d_inode;
2375 /* No permission to check. Existence test. */
2379 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2380 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2383 return file_has_perm(current, file,
2384 file_mask_to_av(inode->i_mode, mask));
2387 static int selinux_file_alloc_security(struct file *file)
2389 return file_alloc_security(file);
2392 static void selinux_file_free_security(struct file *file)
2394 file_free_security(file);
2397 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2409 case EXT2_IOC_GETFLAGS:
2411 case EXT2_IOC_GETVERSION:
2412 error = file_has_perm(current, file, FILE__GETATTR);
2415 case EXT2_IOC_SETFLAGS:
2417 case EXT2_IOC_SETVERSION:
2418 error = file_has_perm(current, file, FILE__SETATTR);
2421 /* sys_ioctl() checks */
2425 error = file_has_perm(current, file, 0);
2430 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2433 /* default case assumes that the command will go
2434 * to the file's ioctl() function.
2437 error = file_has_perm(current, file, FILE__IOCTL);
2443 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2446 /* read access is always possible with a mapping */
2447 u32 av = FILE__READ;
2449 /* write access only matters if the mapping is shared */
2450 if (shared && (prot & PROT_WRITE))
2453 if (prot & PROT_EXEC)
2454 av |= FILE__EXECUTE;
2456 return file_has_perm(current, file, av);
2461 static int selinux_file_mmap(struct file *file, unsigned long prot, unsigned long flags)
2465 rc = secondary_ops->file_mmap(file, prot, flags);
2469 return file_map_prot_check(file, prot,
2470 (flags & MAP_TYPE) == MAP_SHARED);
2473 static int selinux_file_mprotect(struct vm_area_struct *vma,
2478 rc = secondary_ops->file_mprotect(vma, prot);
2482 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2485 static int selinux_file_lock(struct file *file, unsigned int cmd)
2487 return file_has_perm(current, file, FILE__LOCK);
2490 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2497 if (!file->f_dentry || !file->f_dentry->d_inode) {
2502 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2503 err = file_has_perm(current, file,FILE__WRITE);
2512 /* Just check FD__USE permission */
2513 err = file_has_perm(current, file, 0);
2518 #if BITS_PER_LONG == 32
2523 if (!file->f_dentry || !file->f_dentry->d_inode) {
2527 err = file_has_perm(current, file, FILE__LOCK);
2534 static int selinux_file_set_fowner(struct file *file)
2536 struct task_security_struct *tsec;
2537 struct file_security_struct *fsec;
2539 tsec = current->security;
2540 fsec = file->f_security;
2541 fsec->fown_sid = tsec->sid;
2546 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2547 struct fown_struct *fown,
2552 struct task_security_struct *tsec;
2553 struct file_security_struct *fsec;
2555 /* struct fown_struct is never outside the context of a struct file */
2556 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2558 tsec = tsk->security;
2559 fsec = file->f_security;
2562 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2564 perm = signal_to_av(signum);
2566 return avc_has_perm(fsec->fown_sid, tsec->sid,
2567 SECCLASS_PROCESS, perm, NULL);
2570 static int selinux_file_receive(struct file *file)
2572 return file_has_perm(current, file, file_to_av(file));
2575 /* task security operations */
2577 static int selinux_task_create(unsigned long clone_flags)
2581 rc = secondary_ops->task_create(clone_flags);
2585 return task_has_perm(current, current, PROCESS__FORK);
2588 static int selinux_task_alloc_security(struct task_struct *tsk)
2590 struct task_security_struct *tsec1, *tsec2;
2593 tsec1 = current->security;
2595 rc = task_alloc_security(tsk);
2598 tsec2 = tsk->security;
2600 tsec2->osid = tsec1->osid;
2601 tsec2->sid = tsec1->sid;
2603 /* Retain the exec and create SIDs across fork */
2604 tsec2->exec_sid = tsec1->exec_sid;
2605 tsec2->create_sid = tsec1->create_sid;
2607 /* Retain ptracer SID across fork, if any.
2608 This will be reset by the ptrace hook upon any
2609 subsequent ptrace_attach operations. */
2610 tsec2->ptrace_sid = tsec1->ptrace_sid;
2615 static void selinux_task_free_security(struct task_struct *tsk)
2617 task_free_security(tsk);
2620 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2622 /* Since setuid only affects the current process, and
2623 since the SELinux controls are not based on the Linux
2624 identity attributes, SELinux does not need to control
2625 this operation. However, SELinux does control the use
2626 of the CAP_SETUID and CAP_SETGID capabilities using the
2631 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2633 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2636 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2638 /* See the comment for setuid above. */
2642 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2644 return task_has_perm(current, p, PROCESS__SETPGID);
2647 static int selinux_task_getpgid(struct task_struct *p)
2649 return task_has_perm(current, p, PROCESS__GETPGID);
2652 static int selinux_task_getsid(struct task_struct *p)
2654 return task_has_perm(current, p, PROCESS__GETSESSION);
2657 static int selinux_task_setgroups(struct group_info *group_info)
2659 /* See the comment for setuid above. */
2663 static int selinux_task_setnice(struct task_struct *p, int nice)
2667 rc = secondary_ops->task_setnice(p, nice);
2671 return task_has_perm(current,p, PROCESS__SETSCHED);
2674 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2676 struct rlimit *old_rlim = current->rlim + resource;
2679 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2683 /* Control the ability to change the hard limit (whether
2684 lowering or raising it), so that the hard limit can
2685 later be used as a safe reset point for the soft limit
2686 upon context transitions. See selinux_bprm_apply_creds. */
2687 if (old_rlim->rlim_max != new_rlim->rlim_max)
2688 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2693 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2695 struct task_security_struct *tsec1, *tsec2;
2697 tsec1 = current->security;
2698 tsec2 = p->security;
2700 /* No auditing from the setscheduler hook, since the runqueue lock
2701 is held and the system will deadlock if we try to log an audit
2703 return avc_has_perm_noaudit(tsec1->sid, tsec2->sid,
2704 SECCLASS_PROCESS, PROCESS__SETSCHED, NULL);
2707 static int selinux_task_getscheduler(struct task_struct *p)
2709 return task_has_perm(current, p, PROCESS__GETSCHED);
2712 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2717 rc = secondary_ops->task_kill(p, info, sig);
2721 if (info && ((unsigned long)info == 1 ||
2722 (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2726 perm = PROCESS__SIGNULL; /* null signal; existence test */
2728 perm = signal_to_av(sig);
2730 return task_has_perm(current, p, perm);
2733 static int selinux_task_prctl(int option,
2739 /* The current prctl operations do not appear to require
2740 any SELinux controls since they merely observe or modify
2741 the state of the current process. */
2745 static int selinux_task_wait(struct task_struct *p)
2749 perm = signal_to_av(p->exit_signal);
2751 return task_has_perm(p, current, perm);
2754 static void selinux_task_reparent_to_init(struct task_struct *p)
2756 struct task_security_struct *tsec;
2758 secondary_ops->task_reparent_to_init(p);
2761 tsec->osid = tsec->sid;
2762 tsec->sid = SECINITSID_KERNEL;
2766 static void selinux_task_to_inode(struct task_struct *p,
2767 struct inode *inode)
2769 struct task_security_struct *tsec = p->security;
2770 struct inode_security_struct *isec = inode->i_security;
2772 isec->sid = tsec->sid;
2773 isec->initialized = 1;
2777 #ifdef CONFIG_SECURITY_NETWORK
2779 /* Returns error only if unable to parse addresses */
2780 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2782 int offset, ihlen, ret = -EINVAL;
2783 struct iphdr _iph, *ih;
2785 offset = skb->nh.raw - skb->data;
2786 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2790 ihlen = ih->ihl * 4;
2791 if (ihlen < sizeof(_iph))
2794 ad->u.net.v4info.saddr = ih->saddr;
2795 ad->u.net.v4info.daddr = ih->daddr;
2798 switch (ih->protocol) {
2800 struct tcphdr _tcph, *th;
2802 if (ntohs(ih->frag_off) & IP_OFFSET)
2806 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2810 ad->u.net.sport = th->source;
2811 ad->u.net.dport = th->dest;
2816 struct udphdr _udph, *uh;
2818 if (ntohs(ih->frag_off) & IP_OFFSET)
2822 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2826 ad->u.net.sport = uh->source;
2827 ad->u.net.dport = uh->dest;
2838 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2840 /* Returns error only if unable to parse addresses */
2841 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2844 int ret = -EINVAL, offset;
2845 struct ipv6hdr _ipv6h, *ip6;
2847 offset = skb->nh.raw - skb->data;
2848 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2852 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2853 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2856 nexthdr = ip6->nexthdr;
2857 offset += sizeof(_ipv6h);
2858 offset = ipv6_skip_exthdr(skb, offset, &nexthdr,
2859 skb->tail - skb->head - offset);
2865 struct tcphdr _tcph, *th;
2867 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2871 ad->u.net.sport = th->source;
2872 ad->u.net.dport = th->dest;
2877 struct udphdr _udph, *uh;
2879 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2883 ad->u.net.sport = uh->source;
2884 ad->u.net.dport = uh->dest;
2888 /* includes fragments */
2898 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2899 char **addrp, int *len, int src)
2903 switch (ad->u.net.family) {
2905 ret = selinux_parse_skb_ipv4(skb, ad);
2909 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2910 &ad->u.net.v4info.daddr);
2913 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2915 ret = selinux_parse_skb_ipv6(skb, ad);
2919 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2920 &ad->u.net.v6info.daddr);
2930 /* socket security operations */
2931 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2934 struct inode_security_struct *isec;
2935 struct task_security_struct *tsec;
2936 struct avc_audit_data ad;
2939 tsec = task->security;
2940 isec = SOCK_INODE(sock)->i_security;
2942 if (isec->sid == SECINITSID_KERNEL)
2945 AVC_AUDIT_DATA_INIT(&ad,NET);
2946 ad.u.net.sk = sock->sk;
2947 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2953 static int selinux_socket_create(int family, int type,
2954 int protocol, int kern)
2957 struct task_security_struct *tsec;
2962 tsec = current->security;
2963 err = avc_has_perm(tsec->sid, tsec->sid,
2964 socket_type_to_security_class(family, type,
2965 protocol), SOCKET__CREATE, NULL);
2971 static void selinux_socket_post_create(struct socket *sock, int family,
2972 int type, int protocol, int kern)
2975 struct inode_security_struct *isec;
2976 struct task_security_struct *tsec;
2978 err = inode_doinit(SOCK_INODE(sock));
2981 isec = SOCK_INODE(sock)->i_security;
2983 tsec = current->security;
2984 isec->sclass = socket_type_to_security_class(family, type, protocol);
2985 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2990 /* Range of port numbers used to automatically bind.
2991 Need to determine whether we should perform a name_bind
2992 permission check between the socket and the port number. */
2993 #define ip_local_port_range_0 sysctl_local_port_range[0]
2994 #define ip_local_port_range_1 sysctl_local_port_range[1]
2996 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3001 err = socket_has_perm(current, sock, SOCKET__BIND);
3006 * If PF_INET or PF_INET6, check name_bind permission for the port.
3008 family = sock->sk->sk_family;
3009 if (family == PF_INET || family == PF_INET6) {
3011 struct inode_security_struct *isec;
3012 struct task_security_struct *tsec;
3013 struct avc_audit_data ad;
3014 struct sockaddr_in *addr4 = NULL;
3015 struct sockaddr_in6 *addr6 = NULL;
3016 unsigned short snum;
3017 struct sock *sk = sock->sk;
3018 u32 sid, node_perm, addrlen;
3020 tsec = current->security;
3021 isec = SOCK_INODE(sock)->i_security;
3023 if (family == PF_INET) {
3024 addr4 = (struct sockaddr_in *)address;
3025 snum = ntohs(addr4->sin_port);
3026 addrlen = sizeof(addr4->sin_addr.s_addr);
3027 addrp = (char *)&addr4->sin_addr.s_addr;
3029 addr6 = (struct sockaddr_in6 *)address;
3030 snum = ntohs(addr6->sin6_port);
3031 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3032 addrp = (char *)&addr6->sin6_addr.s6_addr;
3035 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3036 snum > ip_local_port_range_1)) {
3037 err = security_port_sid(sk->sk_family, sk->sk_type,
3038 sk->sk_protocol, snum, &sid);
3041 AVC_AUDIT_DATA_INIT(&ad,NET);
3042 ad.u.net.sport = htons(snum);
3043 ad.u.net.family = family;
3044 err = avc_has_perm(isec->sid, sid,
3046 SOCKET__NAME_BIND, &ad);
3051 switch(sk->sk_protocol) {
3053 node_perm = TCP_SOCKET__NODE_BIND;
3057 node_perm = UDP_SOCKET__NODE_BIND;
3061 node_perm = RAWIP_SOCKET__NODE_BIND;
3065 err = security_node_sid(family, addrp, addrlen, &sid);
3069 AVC_AUDIT_DATA_INIT(&ad,NET);
3070 ad.u.net.sport = htons(snum);
3071 ad.u.net.family = family;
3073 if (family == PF_INET)
3074 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3076 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3078 err = avc_has_perm(isec->sid, sid,
3079 isec->sclass, node_perm, &ad);
3087 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3089 return socket_has_perm(current, sock, SOCKET__CONNECT);
3092 static int selinux_socket_listen(struct socket *sock, int backlog)
3094 return socket_has_perm(current, sock, SOCKET__LISTEN);
3097 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3100 struct inode_security_struct *isec;
3101 struct inode_security_struct *newisec;
3103 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3107 err = inode_doinit(SOCK_INODE(newsock));
3110 newisec = SOCK_INODE(newsock)->i_security;
3112 isec = SOCK_INODE(sock)->i_security;
3113 newisec->sclass = isec->sclass;
3114 newisec->sid = isec->sid;
3119 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3122 return socket_has_perm(current, sock, SOCKET__WRITE);
3125 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3126 int size, int flags)
3128 return socket_has_perm(current, sock, SOCKET__READ);
3131 static int selinux_socket_getsockname(struct socket *sock)
3133 return socket_has_perm(current, sock, SOCKET__GETATTR);
3136 static int selinux_socket_getpeername(struct socket *sock)
3138 return socket_has_perm(current, sock, SOCKET__GETATTR);
3141 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3143 return socket_has_perm(current, sock, SOCKET__SETOPT);
3146 static int selinux_socket_getsockopt(struct socket *sock, int level,
3149 return socket_has_perm(current, sock, SOCKET__GETOPT);
3152 static int selinux_socket_shutdown(struct socket *sock, int how)
3154 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3157 static int selinux_socket_unix_stream_connect(struct socket *sock,
3158 struct socket *other,
3161 struct sk_security_struct *ssec;
3162 struct inode_security_struct *isec;
3163 struct inode_security_struct *other_isec;
3164 struct avc_audit_data ad;
3167 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3171 isec = SOCK_INODE(sock)->i_security;
3172 other_isec = SOCK_INODE(other)->i_security;
3174 AVC_AUDIT_DATA_INIT(&ad,NET);
3175 ad.u.net.sk = other->sk;
3177 err = avc_has_perm(isec->sid, other_isec->sid,
3179 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3183 /* connecting socket */
3184 ssec = sock->sk->sk_security;
3185 ssec->peer_sid = other_isec->sid;
3187 /* server child socket */
3188 ssec = newsk->sk_security;
3189 ssec->peer_sid = isec->sid;
3194 static int selinux_socket_unix_may_send(struct socket *sock,
3195 struct socket *other)
3197 struct inode_security_struct *isec;
3198 struct inode_security_struct *other_isec;
3199 struct avc_audit_data ad;
3202 isec = SOCK_INODE(sock)->i_security;
3203 other_isec = SOCK_INODE(other)->i_security;
3205 AVC_AUDIT_DATA_INIT(&ad,NET);
3206 ad.u.net.sk = other->sk;
3208 err = avc_has_perm(isec->sid, other_isec->sid,
3209 isec->sclass, SOCKET__SENDTO, &ad);
3216 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3221 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3224 struct socket *sock;
3225 struct net_device *dev;
3226 struct avc_audit_data ad;
3228 family = sk->sk_family;
3229 if (family != PF_INET && family != PF_INET6)
3232 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3233 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3236 read_lock_bh(&sk->sk_callback_lock);
3237 sock = sk->sk_socket;
3239 struct inode *inode;
3240 inode = SOCK_INODE(sock);
3242 struct inode_security_struct *isec;
3243 isec = inode->i_security;
3244 sock_sid = isec->sid;
3245 sock_class = isec->sclass;
3248 read_unlock_bh(&sk->sk_callback_lock);
3256 err = sel_netif_sids(dev, &if_sid, NULL);
3260 switch (sock_class) {
3261 case SECCLASS_UDP_SOCKET:
3262 netif_perm = NETIF__UDP_RECV;
3263 node_perm = NODE__UDP_RECV;
3264 recv_perm = UDP_SOCKET__RECV_MSG;
3267 case SECCLASS_TCP_SOCKET:
3268 netif_perm = NETIF__TCP_RECV;
3269 node_perm = NODE__TCP_RECV;
3270 recv_perm = TCP_SOCKET__RECV_MSG;
3274 netif_perm = NETIF__RAWIP_RECV;
3275 node_perm = NODE__RAWIP_RECV;
3279 AVC_AUDIT_DATA_INIT(&ad, NET);
3280 ad.u.net.netif = dev->name;
3281 ad.u.net.family = family;
3283 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3287 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3291 /* Fixme: this lookup is inefficient */
3292 err = security_node_sid(family, addrp, len, &node_sid);
3296 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3303 /* Fixme: make this more efficient */
3304 err = security_port_sid(sk->sk_family, sk->sk_type,
3305 sk->sk_protocol, ntohs(ad.u.net.sport),
3310 err = avc_has_perm(sock_sid, port_sid,
3311 sock_class, recv_perm, &ad);
3317 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3318 int __user *optlen, unsigned len)
3323 struct sk_security_struct *ssec;
3324 struct inode_security_struct *isec;
3326 isec = SOCK_INODE(sock)->i_security;
3327 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3332 ssec = sock->sk->sk_security;
3334 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3338 if (scontext_len > len) {
3343 if (copy_to_user(optval, scontext, scontext_len))
3347 if (put_user(scontext_len, optlen))
3355 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3357 return sk_alloc_security(sk, family, priority);
3360 static void selinux_sk_free_security(struct sock *sk)
3362 sk_free_security(sk);
3365 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3369 struct nlmsghdr *nlh;
3370 struct socket *sock = sk->sk_socket;
3371 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3373 if (skb->len < NLMSG_SPACE(0)) {
3377 nlh = (struct nlmsghdr *)skb->data;
3379 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3387 err = socket_has_perm(current, sock, perm);
3392 #ifdef CONFIG_NETFILTER
3394 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3395 struct sk_buff **pskb,
3396 const struct net_device *in,
3397 const struct net_device *out,
3398 int (*okfn)(struct sk_buff *),
3402 int len, err = NF_ACCEPT;
3403 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3405 struct socket *sock;
3406 struct inode *inode;
3407 struct sk_buff *skb = *pskb;
3408 struct inode_security_struct *isec;
3409 struct avc_audit_data ad;
3410 struct net_device *dev = (struct net_device *)out;
3416 sock = sk->sk_socket;
3420 inode = SOCK_INODE(sock);
3424 err = sel_netif_sids(dev, &if_sid, NULL);
3428 isec = inode->i_security;
3430 switch (isec->sclass) {
3431 case SECCLASS_UDP_SOCKET:
3432 netif_perm = NETIF__UDP_SEND;
3433 node_perm = NODE__UDP_SEND;
3434 send_perm = UDP_SOCKET__SEND_MSG;
3437 case SECCLASS_TCP_SOCKET:
3438 netif_perm = NETIF__TCP_SEND;
3439 node_perm = NODE__TCP_SEND;
3440 send_perm = TCP_SOCKET__SEND_MSG;
3444 netif_perm = NETIF__RAWIP_SEND;
3445 node_perm = NODE__RAWIP_SEND;
3450 AVC_AUDIT_DATA_INIT(&ad, NET);
3451 ad.u.net.netif = dev->name;
3452 ad.u.net.family = family;
3454 err = selinux_parse_skb(skb, &ad, &addrp,
3455 &len, 0) ? NF_DROP : NF_ACCEPT;
3456 if (err != NF_ACCEPT)
3459 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3460 netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3461 if (err != NF_ACCEPT)
3464 /* Fixme: this lookup is inefficient */
3465 err = security_node_sid(family, addrp, len,
3466 &node_sid) ? NF_DROP : NF_ACCEPT;
3467 if (err != NF_ACCEPT)
3470 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3471 node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3472 if (err != NF_ACCEPT)
3478 /* Fixme: make this more efficient */
3479 err = security_port_sid(sk->sk_family,
3482 ntohs(ad.u.net.dport),
3483 &port_sid) ? NF_DROP : NF_ACCEPT;
3484 if (err != NF_ACCEPT)
3487 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3488 send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3495 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3496 struct sk_buff **pskb,
3497 const struct net_device *in,
3498 const struct net_device *out,
3499 int (*okfn)(struct sk_buff *))
3501 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3504 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3506 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3507 struct sk_buff **pskb,
3508 const struct net_device *in,
3509 const struct net_device *out,
3510 int (*okfn)(struct sk_buff *))
3512 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3517 #endif /* CONFIG_NETFILTER */
3521 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3526 #endif /* CONFIG_SECURITY_NETWORK */
3528 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3532 if (capable(CAP_NET_ADMIN))
3533 cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
3535 NETLINK_CB(skb).eff_cap = 0;
3537 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3538 err = selinux_nlmsg_perm(sk, skb);
3543 static int selinux_netlink_recv(struct sk_buff *skb)
3545 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3550 static int ipc_alloc_security(struct task_struct *task,
3551 struct kern_ipc_perm *perm,
3554 struct task_security_struct *tsec = task->security;
3555 struct ipc_security_struct *isec;
3557 isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3561 memset(isec, 0, sizeof(struct ipc_security_struct));
3562 isec->magic = SELINUX_MAGIC;
3563 isec->sclass = sclass;
3564 isec->ipc_perm = perm;
3566 isec->sid = tsec->sid;
3568 isec->sid = SECINITSID_UNLABELED;
3570 perm->security = isec;
3575 static void ipc_free_security(struct kern_ipc_perm *perm)
3577 struct ipc_security_struct *isec = perm->security;
3578 if (!isec || isec->magic != SELINUX_MAGIC)
3581 perm->security = NULL;
3585 static int msg_msg_alloc_security(struct msg_msg *msg)
3587 struct msg_security_struct *msec;
3589 msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3593 memset(msec, 0, sizeof(struct msg_security_struct));
3594 msec->magic = SELINUX_MAGIC;
3596 msec->sid = SECINITSID_UNLABELED;
3597 msg->security = msec;
3602 static void msg_msg_free_security(struct msg_msg *msg)
3604 struct msg_security_struct *msec = msg->security;
3605 if (!msec || msec->magic != SELINUX_MAGIC)
3608 msg->security = NULL;
3612 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3613 u16 sclass, u32 perms)
3615 struct task_security_struct *tsec;
3616 struct ipc_security_struct *isec;
3617 struct avc_audit_data ad;
3619 tsec = current->security;
3620 isec = ipc_perms->security;
3622 AVC_AUDIT_DATA_INIT(&ad, IPC);
3623 ad.u.ipc_id = ipc_perms->key;
3625 return avc_has_perm(tsec->sid, isec->sid, sclass, perms, &ad);
3628 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3630 return msg_msg_alloc_security(msg);
3633 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3635 msg_msg_free_security(msg);
3638 /* message queue security operations */
3639 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3641 struct task_security_struct *tsec;
3642 struct ipc_security_struct *isec;
3643 struct avc_audit_data ad;
3646 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3650 tsec = current->security;
3651 isec = msq->q_perm.security;
3653 AVC_AUDIT_DATA_INIT(&ad, IPC);
3654 ad.u.ipc_id = msq->q_perm.key;
3656 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3659 ipc_free_security(&msq->q_perm);
3665 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3667 ipc_free_security(&msq->q_perm);
3670 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3672 struct task_security_struct *tsec;
3673 struct ipc_security_struct *isec;
3674 struct avc_audit_data ad;
3676 tsec = current->security;
3677 isec = msq->q_perm.security;
3679 AVC_AUDIT_DATA_INIT(&ad, IPC);
3680 ad.u.ipc_id = msq->q_perm.key;
3682 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3683 MSGQ__ASSOCIATE, &ad);
3686 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3694 /* No specific object, just general system-wide information. */
3695 return task_has_system(current, SYSTEM__IPC_INFO);
3698 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3701 perms = MSGQ__SETATTR;
3704 perms = MSGQ__DESTROY;
3710 err = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms);
3714 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3716 struct task_security_struct *tsec;
3717 struct ipc_security_struct *isec;
3718 struct msg_security_struct *msec;
3719 struct avc_audit_data ad;
3722 tsec = current->security;
3723 isec = msq->q_perm.security;
3724 msec = msg->security;
3727 * First time through, need to assign label to the message
3729 if (msec->sid == SECINITSID_UNLABELED) {
3731 * Compute new sid based on current process and
3732 * message queue this message will be stored in
3734 rc = security_transition_sid(tsec->sid,
3742 AVC_AUDIT_DATA_INIT(&ad, IPC);
3743 ad.u.ipc_id = msq->q_perm.key;
3745 /* Can this process write to the queue? */
3746 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3749 /* Can this process send the message */
3750 rc = avc_has_perm(tsec->sid, msec->sid,
3751 SECCLASS_MSG, MSG__SEND, &ad);
3753 /* Can the message be put in the queue? */
3754 rc = avc_has_perm(msec->sid, isec->sid,
3755 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3760 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3761 struct task_struct *target,
3762 long type, int mode)
3764 struct task_security_struct *tsec;
3765 struct ipc_security_struct *isec;
3766 struct msg_security_struct *msec;
3767 struct avc_audit_data ad;
3770 tsec = target->security;
3771 isec = msq->q_perm.security;
3772 msec = msg->security;
3774 AVC_AUDIT_DATA_INIT(&ad, IPC);
3775 ad.u.ipc_id = msq->q_perm.key;
3777 rc = avc_has_perm(tsec->sid, isec->sid,
3778 SECCLASS_MSGQ, MSGQ__READ, &ad);
3780 rc = avc_has_perm(tsec->sid, msec->sid,
3781 SECCLASS_MSG, MSG__RECEIVE, &ad);
3785 /* Shared Memory security operations */
3786 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3788 struct task_security_struct *tsec;
3789 struct ipc_security_struct *isec;
3790 struct avc_audit_data ad;
3793 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3797 tsec = current->security;
3798 isec = shp->shm_perm.security;
3800 AVC_AUDIT_DATA_INIT(&ad, IPC);
3801 ad.u.ipc_id = shp->shm_perm.key;
3803 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3806 ipc_free_security(&shp->shm_perm);
3812 static void selinux_shm_free_security(struct shmid_kernel *shp)
3814 ipc_free_security(&shp->shm_perm);
3817 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3819 struct task_security_struct *tsec;
3820 struct ipc_security_struct *isec;
3821 struct avc_audit_data ad;
3823 tsec = current->security;
3824 isec = shp->shm_perm.security;
3826 AVC_AUDIT_DATA_INIT(&ad, IPC);
3827 ad.u.ipc_id = shp->shm_perm.key;
3829 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3830 SHM__ASSOCIATE, &ad);
3833 /* Note, at this point, shp is locked down */
3834 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3842 /* No specific object, just general system-wide information. */
3843 return task_has_system(current, SYSTEM__IPC_INFO);
3846 perms = SHM__GETATTR | SHM__ASSOCIATE;
3849 perms = SHM__SETATTR;
3856 perms = SHM__DESTROY;
3862 err = ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3866 static int selinux_shm_shmat(struct shmid_kernel *shp,
3867 char __user *shmaddr, int shmflg)
3872 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3876 if (shmflg & SHM_RDONLY)
3879 perms = SHM__READ | SHM__WRITE;
3881 return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3884 /* Semaphore security operations */
3885 static int selinux_sem_alloc_security(struct sem_array *sma)
3887 struct task_security_struct *tsec;
3888 struct ipc_security_struct *isec;
3889 struct avc_audit_data ad;
3892 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3896 tsec = current->security;
3897 isec = sma->sem_perm.security;
3899 AVC_AUDIT_DATA_INIT(&ad, IPC);
3900 ad.u.ipc_id = sma->sem_perm.key;
3902 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3905 ipc_free_security(&sma->sem_perm);
3911 static void selinux_sem_free_security(struct sem_array *sma)
3913 ipc_free_security(&sma->sem_perm);
3916 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3918 struct task_security_struct *tsec;
3919 struct ipc_security_struct *isec;
3920 struct avc_audit_data ad;
3922 tsec = current->security;
3923 isec = sma->sem_perm.security;
3925 AVC_AUDIT_DATA_INIT(&ad, IPC);
3926 ad.u.ipc_id = sma->sem_perm.key;
3928 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3929 SEM__ASSOCIATE, &ad);
3932 /* Note, at this point, sma is locked down */
3933 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3941 /* No specific object, just general system-wide information. */
3942 return task_has_system(current, SYSTEM__IPC_INFO);
3946 perms = SEM__GETATTR;
3957 perms = SEM__DESTROY;
3960 perms = SEM__SETATTR;
3964 perms = SEM__GETATTR | SEM__ASSOCIATE;
3970 err = ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
3974 static int selinux_sem_semop(struct sem_array *sma,
3975 struct sembuf *sops, unsigned nsops, int alter)
3980 perms = SEM__READ | SEM__WRITE;
3984 return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
3987 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
3989 struct ipc_security_struct *isec = ipcp->security;
3990 u16 sclass = SECCLASS_IPC;
3993 if (isec && isec->magic == SELINUX_MAGIC)
3994 sclass = isec->sclass;
3998 av |= IPC__UNIX_READ;
4000 av |= IPC__UNIX_WRITE;
4005 return ipc_has_perm(ipcp, sclass, av);
4008 /* module stacking operations */
4009 int selinux_register_security (const char *name, struct security_operations *ops)
4011 if (secondary_ops != original_ops) {
4012 printk(KERN_INFO "%s: There is already a secondary security "
4013 "module registered.\n", __FUNCTION__);
4017 secondary_ops = ops;
4019 printk(KERN_INFO "%s: Registering secondary module %s\n",
4026 int selinux_unregister_security (const char *name, struct security_operations *ops)
4028 if (ops != secondary_ops) {
4029 printk (KERN_INFO "%s: trying to unregister a security module "
4030 "that is not registered.\n", __FUNCTION__);
4034 secondary_ops = original_ops;
4039 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4042 inode_doinit_with_dentry(inode, dentry);
4045 static int selinux_getprocattr(struct task_struct *p,
4046 char *name, void *value, size_t size)
4048 struct task_security_struct *tsec;
4054 error = task_has_perm(current, p, PROCESS__GETATTR);
4064 if (!strcmp(name, "current"))
4066 else if (!strcmp(name, "prev"))
4068 else if (!strcmp(name, "exec"))
4069 sid = tsec->exec_sid;
4070 else if (!strcmp(name, "fscreate"))
4071 sid = tsec->create_sid;
4078 error = security_sid_to_context(sid, &context, &len);
4085 memcpy(value, context, len);
4090 static int selinux_setprocattr(struct task_struct *p,
4091 char *name, void *value, size_t size)
4093 struct task_security_struct *tsec;
4097 if (current != p || !strcmp(name, "current")) {
4098 /* SELinux only allows a process to change its own
4099 security attributes, and it only allows the process
4100 current SID to change via exec. */
4105 * Basic control over ability to set these attributes at all.
4106 * current == p, but we'll pass them separately in case the
4107 * above restriction is ever removed.
4109 if (!strcmp(name, "exec"))
4110 error = task_has_perm(current, p, PROCESS__SETEXEC);
4111 else if (!strcmp(name, "fscreate"))
4112 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4118 /* Obtain a SID for the context, if one was specified. */
4121 error = security_context_to_sid(value, size, &sid);
4126 /* Permission checking based on the specified context is
4127 performed during the actual operation (execve,
4128 open/mkdir/...), when we know the full context of the
4129 operation. See selinux_bprm_set_security for the execve
4130 checks and may_create for the file creation checks. The
4131 operation will then fail if the context is not permitted. */
4133 if (!strcmp(name, "exec"))
4134 tsec->exec_sid = sid;
4135 else if (!strcmp(name, "fscreate"))
4136 tsec->create_sid = sid;
4143 struct security_operations selinux_ops = {
4144 .ptrace = selinux_ptrace,
4145 .capget = selinux_capget,
4146 .capset_check = selinux_capset_check,
4147 .capset_set = selinux_capset_set,
4148 .sysctl = selinux_sysctl,
4149 .capable = selinux_capable,
4150 .quotactl = selinux_quotactl,
4151 .quota_on = selinux_quota_on,
4152 .syslog = selinux_syslog,
4153 .vm_enough_memory = selinux_vm_enough_memory,
4155 .netlink_send = selinux_netlink_send,
4156 .netlink_recv = selinux_netlink_recv,
4158 .bprm_alloc_security = selinux_bprm_alloc_security,
4159 .bprm_free_security = selinux_bprm_free_security,
4160 .bprm_apply_creds = selinux_bprm_apply_creds,
4161 .bprm_set_security = selinux_bprm_set_security,
4162 .bprm_check_security = selinux_bprm_check_security,
4163 .bprm_secureexec = selinux_bprm_secureexec,
4165 .sb_alloc_security = selinux_sb_alloc_security,
4166 .sb_free_security = selinux_sb_free_security,
4167 .sb_copy_data = selinux_sb_copy_data,
4168 .sb_kern_mount = selinux_sb_kern_mount,
4169 .sb_statfs = selinux_sb_statfs,
4170 .sb_mount = selinux_mount,
4171 .sb_umount = selinux_umount,
4173 .inode_alloc_security = selinux_inode_alloc_security,
4174 .inode_free_security = selinux_inode_free_security,
4175 .inode_create = selinux_inode_create,
4176 .inode_post_create = selinux_inode_post_create,
4177 .inode_link = selinux_inode_link,
4178 .inode_post_link = selinux_inode_post_link,
4179 .inode_unlink = selinux_inode_unlink,
4180 .inode_symlink = selinux_inode_symlink,
4181 .inode_post_symlink = selinux_inode_post_symlink,
4182 .inode_mkdir = selinux_inode_mkdir,
4183 .inode_post_mkdir = selinux_inode_post_mkdir,
4184 .inode_rmdir = selinux_inode_rmdir,
4185 .inode_mknod = selinux_inode_mknod,
4186 .inode_post_mknod = selinux_inode_post_mknod,
4187 .inode_rename = selinux_inode_rename,
4188 .inode_post_rename = selinux_inode_post_rename,
4189 .inode_readlink = selinux_inode_readlink,
4190 .inode_follow_link = selinux_inode_follow_link,
4191 .inode_permission = selinux_inode_permission,
4192 .inode_setattr = selinux_inode_setattr,
4193 .inode_getattr = selinux_inode_getattr,
4194 .inode_setxattr = selinux_inode_setxattr,
4195 .inode_post_setxattr = selinux_inode_post_setxattr,
4196 .inode_getxattr = selinux_inode_getxattr,
4197 .inode_listxattr = selinux_inode_listxattr,
4198 .inode_removexattr = selinux_inode_removexattr,
4199 .inode_getsecurity = selinux_inode_getsecurity,
4200 .inode_setsecurity = selinux_inode_setsecurity,
4201 .inode_listsecurity = selinux_inode_listsecurity,
4203 .file_permission = selinux_file_permission,
4204 .file_alloc_security = selinux_file_alloc_security,
4205 .file_free_security = selinux_file_free_security,
4206 .file_ioctl = selinux_file_ioctl,
4207 .file_mmap = selinux_file_mmap,
4208 .file_mprotect = selinux_file_mprotect,
4209 .file_lock = selinux_file_lock,
4210 .file_fcntl = selinux_file_fcntl,
4211 .file_set_fowner = selinux_file_set_fowner,
4212 .file_send_sigiotask = selinux_file_send_sigiotask,
4213 .file_receive = selinux_file_receive,
4215 .task_create = selinux_task_create,
4216 .task_alloc_security = selinux_task_alloc_security,
4217 .task_free_security = selinux_task_free_security,
4218 .task_setuid = selinux_task_setuid,
4219 .task_post_setuid = selinux_task_post_setuid,
4220 .task_setgid = selinux_task_setgid,
4221 .task_setpgid = selinux_task_setpgid,
4222 .task_getpgid = selinux_task_getpgid,
4223 .task_getsid = selinux_task_getsid,
4224 .task_setgroups = selinux_task_setgroups,
4225 .task_setnice = selinux_task_setnice,
4226 .task_setrlimit = selinux_task_setrlimit,
4227 .task_setscheduler = selinux_task_setscheduler,
4228 .task_getscheduler = selinux_task_getscheduler,
4229 .task_kill = selinux_task_kill,
4230 .task_wait = selinux_task_wait,
4231 .task_prctl = selinux_task_prctl,
4232 .task_reparent_to_init = selinux_task_reparent_to_init,
4233 .task_to_inode = selinux_task_to_inode,
4235 .ipc_permission = selinux_ipc_permission,
4237 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4238 .msg_msg_free_security = selinux_msg_msg_free_security,
4240 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4241 .msg_queue_free_security = selinux_msg_queue_free_security,
4242 .msg_queue_associate = selinux_msg_queue_associate,
4243 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4244 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4245 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4247 .shm_alloc_security = selinux_shm_alloc_security,
4248 .shm_free_security = selinux_shm_free_security,
4249 .shm_associate = selinux_shm_associate,
4250 .shm_shmctl = selinux_shm_shmctl,
4251 .shm_shmat = selinux_shm_shmat,
4253 .sem_alloc_security = selinux_sem_alloc_security,
4254 .sem_free_security = selinux_sem_free_security,
4255 .sem_associate = selinux_sem_associate,
4256 .sem_semctl = selinux_sem_semctl,
4257 .sem_semop = selinux_sem_semop,
4259 .register_security = selinux_register_security,
4260 .unregister_security = selinux_unregister_security,
4262 .d_instantiate = selinux_d_instantiate,
4264 .getprocattr = selinux_getprocattr,
4265 .setprocattr = selinux_setprocattr,
4267 #ifdef CONFIG_SECURITY_NETWORK
4268 .unix_stream_connect = selinux_socket_unix_stream_connect,
4269 .unix_may_send = selinux_socket_unix_may_send,
4271 .socket_create = selinux_socket_create,
4272 .socket_post_create = selinux_socket_post_create,
4273 .socket_bind = selinux_socket_bind,
4274 .socket_connect = selinux_socket_connect,
4275 .socket_listen = selinux_socket_listen,
4276 .socket_accept = selinux_socket_accept,
4277 .socket_sendmsg = selinux_socket_sendmsg,
4278 .socket_recvmsg = selinux_socket_recvmsg,
4279 .socket_getsockname = selinux_socket_getsockname,
4280 .socket_getpeername = selinux_socket_getpeername,
4281 .socket_getsockopt = selinux_socket_getsockopt,
4282 .socket_setsockopt = selinux_socket_setsockopt,
4283 .socket_shutdown = selinux_socket_shutdown,
4284 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4285 .socket_getpeersec = selinux_socket_getpeersec,
4286 .sk_alloc_security = selinux_sk_alloc_security,
4287 .sk_free_security = selinux_sk_free_security,
4291 __init int selinux_init(void)
4293 struct task_security_struct *tsec;
4295 if (!selinux_enabled) {
4296 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4300 printk(KERN_INFO "SELinux: Initializing.\n");
4302 /* Set the security state for the initial task. */
4303 if (task_alloc_security(current))
4304 panic("SELinux: Failed to initialize initial task.\n");
4305 tsec = current->security;
4306 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4310 original_ops = secondary_ops = security_ops;
4312 panic ("SELinux: No initial security operations\n");
4313 if (register_security (&selinux_ops))
4314 panic("SELinux: Unable to register with kernel.\n");
4316 if (selinux_enforcing) {
4317 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4319 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4324 void selinux_complete_init(void)
4326 printk(KERN_INFO "SELinux: Completing initialization.\n");
4328 /* Set up any superblocks initialized prior to the policy load. */
4329 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4330 spin_lock(&sb_security_lock);
4332 if (!list_empty(&superblock_security_head)) {
4333 struct superblock_security_struct *sbsec =
4334 list_entry(superblock_security_head.next,
4335 struct superblock_security_struct,
4337 struct super_block *sb = sbsec->sb;
4338 spin_lock(&sb_lock);
4340 spin_unlock(&sb_lock);
4341 spin_unlock(&sb_security_lock);
4342 down_read(&sb->s_umount);
4344 superblock_doinit(sb, NULL);
4346 spin_lock(&sb_security_lock);
4347 list_del_init(&sbsec->list);
4350 spin_unlock(&sb_security_lock);
4353 /* SELinux requires early initialization in order to label
4354 all processes and objects when they are created. */
4355 security_initcall(selinux_init);
4357 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4359 static struct nf_hook_ops selinux_ipv4_op = {
4360 .hook = selinux_ipv4_postroute_last,
4361 .owner = THIS_MODULE,
4363 .hooknum = NF_IP_POST_ROUTING,
4364 .priority = NF_IP_PRI_SELINUX_LAST,
4367 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4369 static struct nf_hook_ops selinux_ipv6_op = {
4370 .hook = selinux_ipv6_postroute_last,
4371 .owner = THIS_MODULE,
4373 .hooknum = NF_IP6_POST_ROUTING,
4374 .priority = NF_IP6_PRI_SELINUX_LAST,
4379 static int __init selinux_nf_ip_init(void)
4383 if (!selinux_enabled)
4386 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4388 err = nf_register_hook(&selinux_ipv4_op);
4390 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4392 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4394 err = nf_register_hook(&selinux_ipv6_op);
4396 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4403 __initcall(selinux_nf_ip_init);
4405 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4406 static void selinux_nf_ip_exit(void)
4408 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4410 nf_unregister_hook(&selinux_ipv4_op);
4411 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4412 nf_unregister_hook(&selinux_ipv6_op);
4417 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4419 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4420 #define selinux_nf_ip_exit()
4423 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4425 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4426 int selinux_disable(void)
4428 extern void exit_sel_fs(void);
4429 static int selinux_disabled = 0;
4431 if (ss_initialized) {
4432 /* Not permitted after initial policy load. */
4436 if (selinux_disabled) {
4437 /* Only do this once. */
4441 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4443 selinux_disabled = 1;
4445 /* Reset security_ops to the secondary module, dummy or capability. */
4446 security_ops = secondary_ops;
4448 /* Unregister netfilter hooks. */
4449 selinux_nf_ip_exit();
4451 /* Unregister selinuxfs. */