2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License version 2,
16 * as published by the Free Software Foundation.
19 #include <linux/config.h>
20 #include <linux/module.h>
21 #include <linux/init.h>
22 #include <linux/kernel.h>
23 #include <linux/ptrace.h>
24 #include <linux/errno.h>
25 #include <linux/sched.h>
26 #include <linux/security.h>
27 #include <linux/xattr.h>
28 #include <linux/capability.h>
29 #include <linux/unistd.h>
31 #include <linux/mman.h>
32 #include <linux/slab.h>
33 #include <linux/pagemap.h>
34 #include <linux/swap.h>
35 #include <linux/smp_lock.h>
36 #include <linux/spinlock.h>
37 #include <linux/syscalls.h>
38 #include <linux/file.h>
39 #include <linux/namei.h>
40 #include <linux/mount.h>
41 #include <linux/ext2_fs.h>
42 #include <linux/proc_fs.h>
44 #include <linux/netfilter_ipv4.h>
45 #include <linux/netfilter_ipv6.h>
47 #include <net/ip.h> /* for sysctl_local_port_range[] */
48 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
49 #include <asm/uaccess.h>
50 #include <asm/semaphore.h>
51 #include <asm/ioctls.h>
52 #include <linux/bitops.h>
53 #include <linux/interrupt.h>
54 #include <linux/netdevice.h> /* for network interface checks */
55 #include <linux/netlink.h>
56 #include <linux/tcp.h>
57 #include <linux/udp.h>
58 #include <linux/quota.h>
59 #include <linux/un.h> /* for Unix socket types */
60 #include <net/af_unix.h> /* for Unix socket types */
61 #include <linux/parser.h>
62 #include <linux/nfs_mount.h>
64 #include <linux/hugetlb.h>
65 #include <linux/major.h>
66 #include <linux/personality.h>
72 #define XATTR_SELINUX_SUFFIX "selinux"
73 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
75 extern int policydb_loaded_version;
76 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
78 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
79 int selinux_enforcing = 0;
81 static int __init enforcing_setup(char *str)
83 selinux_enforcing = simple_strtol(str,NULL,0);
86 __setup("enforcing=", enforcing_setup);
89 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
90 int selinux_enabled = 1;
92 static int __init selinux_enabled_setup(char *str)
94 selinux_enabled = simple_strtol(str, NULL, 0);
97 __setup("selinux=", selinux_enabled_setup);
100 /* Original (dummy) security module. */
101 static struct security_operations *original_ops = NULL;
103 /* Minimal support for a secondary security module,
104 just to allow the use of the dummy or capability modules.
105 The owlsm module can alternatively be used as a secondary
106 module as long as CONFIG_OWLSM_FD is not enabled. */
107 static struct security_operations *secondary_ops = NULL;
109 /* Lists of inode and superblock security structures initialized
110 before the policy was loaded. */
111 static LIST_HEAD(superblock_security_head);
112 static spinlock_t sb_security_lock = SPIN_LOCK_UNLOCKED;
114 /* Allocate and free functions for each kind of security blob. */
116 static int task_alloc_security(struct task_struct *task)
118 struct task_security_struct *tsec;
120 tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
124 memset(tsec, 0, sizeof(struct task_security_struct));
125 tsec->magic = SELINUX_MAGIC;
127 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
128 task->security = tsec;
133 static void task_free_security(struct task_struct *task)
135 struct task_security_struct *tsec = task->security;
137 if (!tsec || tsec->magic != SELINUX_MAGIC)
140 task->security = NULL;
144 static int inode_alloc_security(struct inode *inode)
146 struct task_security_struct *tsec = current->security;
147 struct inode_security_struct *isec;
149 isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
153 memset(isec, 0, sizeof(struct inode_security_struct));
154 init_MUTEX(&isec->sem);
155 INIT_LIST_HEAD(&isec->list);
156 isec->magic = SELINUX_MAGIC;
158 isec->sid = SECINITSID_UNLABELED;
159 isec->sclass = SECCLASS_FILE;
160 if (tsec && tsec->magic == SELINUX_MAGIC)
161 isec->task_sid = tsec->sid;
163 isec->task_sid = SECINITSID_UNLABELED;
164 inode->i_security = isec;
169 static void inode_free_security(struct inode *inode)
171 struct inode_security_struct *isec = inode->i_security;
172 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
174 if (!isec || isec->magic != SELINUX_MAGIC)
177 spin_lock(&sbsec->isec_lock);
178 if (!list_empty(&isec->list))
179 list_del_init(&isec->list);
180 spin_unlock(&sbsec->isec_lock);
182 inode->i_security = NULL;
186 static int file_alloc_security(struct file *file)
188 struct task_security_struct *tsec = current->security;
189 struct file_security_struct *fsec;
191 fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
195 memset(fsec, 0, sizeof(struct file_security_struct));
196 fsec->magic = SELINUX_MAGIC;
198 if (tsec && tsec->magic == SELINUX_MAGIC) {
199 fsec->sid = tsec->sid;
200 fsec->fown_sid = tsec->sid;
202 fsec->sid = SECINITSID_UNLABELED;
203 fsec->fown_sid = SECINITSID_UNLABELED;
205 file->f_security = fsec;
210 static void file_free_security(struct file *file)
212 struct file_security_struct *fsec = file->f_security;
214 if (!fsec || fsec->magic != SELINUX_MAGIC)
217 file->f_security = NULL;
221 static int superblock_alloc_security(struct super_block *sb)
223 struct superblock_security_struct *sbsec;
225 sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
229 memset(sbsec, 0, sizeof(struct superblock_security_struct));
230 init_MUTEX(&sbsec->sem);
231 INIT_LIST_HEAD(&sbsec->list);
232 INIT_LIST_HEAD(&sbsec->isec_head);
233 spin_lock_init(&sbsec->isec_lock);
234 sbsec->magic = SELINUX_MAGIC;
236 sbsec->sid = SECINITSID_UNLABELED;
237 sbsec->def_sid = SECINITSID_FILE;
238 sb->s_security = sbsec;
243 static void superblock_free_security(struct super_block *sb)
245 struct superblock_security_struct *sbsec = sb->s_security;
247 if (!sbsec || sbsec->magic != SELINUX_MAGIC)
250 spin_lock(&sb_security_lock);
251 if (!list_empty(&sbsec->list))
252 list_del_init(&sbsec->list);
253 spin_unlock(&sb_security_lock);
255 sb->s_security = NULL;
259 #ifdef CONFIG_SECURITY_NETWORK
260 static int sk_alloc_security(struct sock *sk, int family, int priority)
262 struct sk_security_struct *ssec;
264 if (family != PF_UNIX)
267 ssec = kmalloc(sizeof(*ssec), priority);
271 memset(ssec, 0, sizeof(*ssec));
272 ssec->magic = SELINUX_MAGIC;
274 ssec->peer_sid = SECINITSID_UNLABELED;
275 sk->sk_security = ssec;
280 static void sk_free_security(struct sock *sk)
282 struct sk_security_struct *ssec = sk->sk_security;
284 if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
287 sk->sk_security = NULL;
290 #endif /* CONFIG_SECURITY_NETWORK */
292 /* The security server must be initialized before
293 any labeling or access decisions can be provided. */
294 extern int ss_initialized;
296 /* The file system's label must be initialized prior to use. */
298 static char *labeling_behaviors[6] = {
300 "uses transition SIDs",
302 "uses genfs_contexts",
303 "not configured for labeling",
304 "uses mountpoint labeling",
307 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
309 static inline int inode_doinit(struct inode *inode)
311 return inode_doinit_with_dentry(inode, NULL);
320 static match_table_t tokens = {
321 {Opt_context, "context=%s"},
322 {Opt_fscontext, "fscontext=%s"},
323 {Opt_defcontext, "defcontext=%s"},
326 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
328 static int try_context_mount(struct super_block *sb, void *data)
330 char *context = NULL, *defcontext = NULL;
333 int alloc = 0, rc = 0, seen = 0;
334 struct task_security_struct *tsec = current->security;
335 struct superblock_security_struct *sbsec = sb->s_security;
340 name = sb->s_type->name;
342 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
344 /* NFS we understand. */
345 if (!strcmp(name, "nfs")) {
346 struct nfs_mount_data *d = data;
348 if (d->version < NFS_MOUNT_VERSION)
352 context = d->context;
359 /* Standard string-based options. */
360 char *p, *options = data;
362 while ((p = strsep(&options, ",")) != NULL) {
364 substring_t args[MAX_OPT_ARGS];
369 token = match_token(p, tokens, args);
375 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
378 context = match_strdup(&args[0]);
389 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
391 printk(KERN_WARNING "SELinux: "
392 "fscontext option is invalid for"
393 " this filesystem type\n");
396 if (seen & (Opt_context|Opt_fscontext)) {
398 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
401 context = match_strdup(&args[0]);
408 seen |= Opt_fscontext;
412 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
414 printk(KERN_WARNING "SELinux: "
415 "defcontext option is invalid "
416 "for this filesystem type\n");
419 if (seen & (Opt_context|Opt_defcontext)) {
421 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
424 defcontext = match_strdup(&args[0]);
431 seen |= Opt_defcontext;
436 printk(KERN_WARNING "SELinux: unknown mount "
448 rc = security_context_to_sid(context, strlen(context), &sid);
450 printk(KERN_WARNING "SELinux: security_context_to_sid"
451 "(%s) failed for (dev %s, type %s) errno=%d\n",
452 context, sb->s_id, name, rc);
456 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457 FILESYSTEM__RELABELFROM, NULL, NULL);
461 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462 FILESYSTEM__RELABELTO, NULL, NULL);
468 if (seen & Opt_context)
469 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
473 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
475 printk(KERN_WARNING "SELinux: security_context_to_sid"
476 "(%s) failed for (dev %s, type %s) errno=%d\n",
477 defcontext, sb->s_id, name, rc);
481 if (sid == sbsec->def_sid)
484 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
485 FILESYSTEM__RELABELFROM, NULL, NULL);
489 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__ASSOCIATE, NULL, NULL);
494 sbsec->def_sid = sid;
506 static int superblock_doinit(struct super_block *sb, void *data)
508 struct superblock_security_struct *sbsec = sb->s_security;
509 struct dentry *root = sb->s_root;
510 struct inode *inode = root->d_inode;
514 if (sbsec->initialized)
517 if (!ss_initialized) {
518 /* Defer initialization until selinux_complete_init,
519 after the initial policy is loaded and the security
520 server is ready to handle calls. */
521 spin_lock(&sb_security_lock);
522 if (list_empty(&sbsec->list))
523 list_add(&sbsec->list, &superblock_security_head);
524 spin_unlock(&sb_security_lock);
528 /* Determine the labeling behavior to use for this filesystem type. */
529 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
531 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
532 __FUNCTION__, sb->s_type->name, rc);
536 rc = try_context_mount(sb, data);
540 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
541 /* Make sure that the xattr handler exists and that no
542 error other than -ENODATA is returned by getxattr on
543 the root directory. -ENODATA is ok, as this may be
544 the first boot of the SELinux kernel before we have
545 assigned xattr values to the filesystem. */
546 if (!inode->i_op->getxattr) {
547 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
548 "xattr support\n", sb->s_id, sb->s_type->name);
552 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
553 if (rc < 0 && rc != -ENODATA) {
554 if (rc == -EOPNOTSUPP)
555 printk(KERN_WARNING "SELinux: (dev %s, type "
556 "%s) has no security xattr handler\n",
557 sb->s_id, sb->s_type->name);
559 printk(KERN_WARNING "SELinux: (dev %s, type "
560 "%s) getxattr errno %d\n", sb->s_id,
561 sb->s_type->name, -rc);
566 if (strcmp(sb->s_type->name, "proc") == 0)
569 sbsec->initialized = 1;
571 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
572 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
573 sb->s_id, sb->s_type->name);
576 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
577 sb->s_id, sb->s_type->name,
578 labeling_behaviors[sbsec->behavior-1]);
581 /* Initialize the root inode. */
582 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
584 /* Initialize any other inodes associated with the superblock, e.g.
585 inodes created prior to initial policy load or inodes created
586 during get_sb by a pseudo filesystem that directly
588 spin_lock(&sbsec->isec_lock);
590 if (!list_empty(&sbsec->isec_head)) {
591 struct inode_security_struct *isec =
592 list_entry(sbsec->isec_head.next,
593 struct inode_security_struct, list);
594 struct inode *inode = isec->inode;
595 spin_unlock(&sbsec->isec_lock);
596 inode = igrab(inode);
601 spin_lock(&sbsec->isec_lock);
602 list_del_init(&isec->list);
605 spin_unlock(&sbsec->isec_lock);
611 static inline u16 inode_mode_to_security_class(umode_t mode)
613 switch (mode & S_IFMT) {
615 return SECCLASS_SOCK_FILE;
617 return SECCLASS_LNK_FILE;
619 return SECCLASS_FILE;
621 return SECCLASS_BLK_FILE;
625 return SECCLASS_CHR_FILE;
627 return SECCLASS_FIFO_FILE;
631 return SECCLASS_FILE;
634 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
640 return SECCLASS_UNIX_STREAM_SOCKET;
642 return SECCLASS_UNIX_DGRAM_SOCKET;
648 return SECCLASS_TCP_SOCKET;
650 return SECCLASS_UDP_SOCKET;
652 return SECCLASS_RAWIP_SOCKET;
657 return SECCLASS_NETLINK_ROUTE_SOCKET;
658 case NETLINK_FIREWALL:
659 return SECCLASS_NETLINK_FIREWALL_SOCKET;
660 case NETLINK_TCPDIAG:
661 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
663 return SECCLASS_NETLINK_NFLOG_SOCKET;
665 return SECCLASS_NETLINK_XFRM_SOCKET;
666 case NETLINK_SELINUX:
667 return SECCLASS_NETLINK_SELINUX_SOCKET;
669 return SECCLASS_NETLINK_AUDIT_SOCKET;
671 return SECCLASS_NETLINK_IP6FW_SOCKET;
672 case NETLINK_DNRTMSG:
673 return SECCLASS_NETLINK_DNRT_SOCKET;
675 return SECCLASS_NETLINK_SOCKET;
678 return SECCLASS_PACKET_SOCKET;
680 return SECCLASS_KEY_SOCKET;
683 return SECCLASS_SOCKET;
686 #ifdef CONFIG_PROC_FS
687 static int selinux_proc_get_sid(struct proc_dir_entry *de,
692 char *buffer, *path, *end;
694 buffer = (char*)__get_free_page(GFP_KERNEL);
704 while (de && de != de->parent) {
705 buflen -= de->namelen + 1;
709 memcpy(end, de->name, de->namelen);
714 rc = security_genfs_sid("proc", path, tclass, sid);
715 free_page((unsigned long)buffer);
719 static int selinux_proc_get_sid(struct proc_dir_entry *de,
727 /* The inode's security attributes must be initialized before first use. */
728 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
730 struct superblock_security_struct *sbsec = NULL;
731 struct inode_security_struct *isec = inode->i_security;
733 struct dentry *dentry;
734 #define INITCONTEXTLEN 255
735 char *context = NULL;
740 if (isec->initialized)
745 if (isec->initialized)
748 sbsec = inode->i_sb->s_security;
749 if (!sbsec->initialized) {
750 /* Defer initialization until selinux_complete_init,
751 after the initial policy is loaded and the security
752 server is ready to handle calls. */
753 spin_lock(&sbsec->isec_lock);
754 if (list_empty(&isec->list))
755 list_add(&isec->list, &sbsec->isec_head);
756 spin_unlock(&sbsec->isec_lock);
760 switch (sbsec->behavior) {
761 case SECURITY_FS_USE_XATTR:
762 if (!inode->i_op->getxattr) {
763 isec->sid = sbsec->def_sid;
767 /* Need a dentry, since the xattr API requires one.
768 Life would be simpler if we could just pass the inode. */
770 /* Called from d_instantiate or d_splice_alias. */
771 dentry = dget(opt_dentry);
773 /* Called from selinux_complete_init, try to find a dentry. */
774 dentry = d_find_alias(inode);
777 printk(KERN_WARNING "%s: no dentry for dev=%s "
778 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
783 len = INITCONTEXTLEN;
784 context = kmalloc(len, GFP_KERNEL);
790 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
793 /* Need a larger buffer. Query for the right size. */
794 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
802 context = kmalloc(len, GFP_KERNEL);
808 rc = inode->i_op->getxattr(dentry,
814 if (rc != -ENODATA) {
815 printk(KERN_WARNING "%s: getxattr returned "
816 "%d for dev=%s ino=%ld\n", __FUNCTION__,
817 -rc, inode->i_sb->s_id, inode->i_ino);
821 /* Map ENODATA to the default file SID */
822 sid = sbsec->def_sid;
825 rc = security_context_to_sid(context, rc, &sid);
827 printk(KERN_WARNING "%s: context_to_sid(%s) "
828 "returned %d for dev=%s ino=%ld\n",
829 __FUNCTION__, context, -rc,
830 inode->i_sb->s_id, inode->i_ino);
838 case SECURITY_FS_USE_TASK:
839 isec->sid = isec->task_sid;
841 case SECURITY_FS_USE_TRANS:
842 /* Default to the fs SID. */
843 isec->sid = sbsec->sid;
845 /* Try to obtain a transition SID. */
846 isec->sclass = inode_mode_to_security_class(inode->i_mode);
847 rc = security_transition_sid(isec->task_sid,
856 /* Default to the fs SID. */
857 isec->sid = sbsec->sid;
860 struct proc_inode *proci = PROC_I(inode);
862 isec->sclass = inode_mode_to_security_class(inode->i_mode);
863 rc = selinux_proc_get_sid(proci->pde,
874 isec->initialized = 1;
878 struct socket *sock = SOCKET_I(inode);
880 isec->sclass = socket_type_to_security_class(sock->sk->sk_family,
882 sock->sk->sk_protocol);
884 isec->sclass = SECCLASS_SOCKET;
887 isec->sclass = inode_mode_to_security_class(inode->i_mode);
895 /* Convert a Linux signal to an access vector. */
896 static inline u32 signal_to_av(int sig)
902 /* Commonly granted from child to parent. */
903 perm = PROCESS__SIGCHLD;
906 /* Cannot be caught or ignored */
907 perm = PROCESS__SIGKILL;
910 /* Cannot be caught or ignored */
911 perm = PROCESS__SIGSTOP;
914 /* All other signals. */
915 perm = PROCESS__SIGNAL;
922 /* Check permission betweeen a pair of tasks, e.g. signal checks,
923 fork check, ptrace check, etc. */
924 int task_has_perm(struct task_struct *tsk1,
925 struct task_struct *tsk2,
928 struct task_security_struct *tsec1, *tsec2;
930 tsec1 = tsk1->security;
931 tsec2 = tsk2->security;
932 return avc_has_perm(tsec1->sid, tsec2->sid,
933 SECCLASS_PROCESS, perms, &tsec2->avcr, NULL);
936 /* Check whether a task is allowed to use a capability. */
937 int task_has_capability(struct task_struct *tsk,
940 struct task_security_struct *tsec;
941 struct avc_audit_data ad;
943 tsec = tsk->security;
945 AVC_AUDIT_DATA_INIT(&ad,CAP);
949 return avc_has_perm(tsec->sid, tsec->sid,
950 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), NULL, &ad);
953 /* Check whether a task is allowed to use a system operation. */
954 int task_has_system(struct task_struct *tsk,
957 struct task_security_struct *tsec;
959 tsec = tsk->security;
961 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
962 SECCLASS_SYSTEM, perms, NULL, NULL);
965 /* Check whether a task has a particular permission to an inode.
966 The 'aeref' parameter is optional and allows other AVC
967 entry references to be passed (e.g. the one in the struct file).
968 The 'adp' parameter is optional and allows other audit
969 data to be passed (e.g. the dentry). */
970 int inode_has_perm(struct task_struct *tsk,
973 struct avc_entry_ref *aeref,
974 struct avc_audit_data *adp)
976 struct task_security_struct *tsec;
977 struct inode_security_struct *isec;
978 struct avc_audit_data ad;
980 tsec = tsk->security;
981 isec = inode->i_security;
985 AVC_AUDIT_DATA_INIT(&ad, FS);
986 ad.u.fs.inode = inode;
989 return avc_has_perm(tsec->sid, isec->sid, isec->sclass,
990 perms, aeref ? aeref : &isec->avcr, adp);
993 /* Same as inode_has_perm, but pass explicit audit data containing
994 the dentry to help the auditing code to more easily generate the
995 pathname if needed. */
996 static inline int dentry_has_perm(struct task_struct *tsk,
997 struct vfsmount *mnt,
998 struct dentry *dentry,
1001 struct inode *inode = dentry->d_inode;
1002 struct avc_audit_data ad;
1003 AVC_AUDIT_DATA_INIT(&ad,FS);
1005 ad.u.fs.dentry = dentry;
1006 return inode_has_perm(tsk, inode, av, NULL, &ad);
1009 /* Check whether a task can use an open file descriptor to
1010 access an inode in a given way. Check access to the
1011 descriptor itself, and then use dentry_has_perm to
1012 check a particular permission to the file.
1013 Access to the descriptor is implicitly granted if it
1014 has the same SID as the process. If av is zero, then
1015 access to the file is not checked, e.g. for cases
1016 where only the descriptor is affected like seek. */
1017 static inline int file_has_perm(struct task_struct *tsk,
1021 struct task_security_struct *tsec = tsk->security;
1022 struct file_security_struct *fsec = file->f_security;
1023 struct vfsmount *mnt = file->f_vfsmnt;
1024 struct dentry *dentry = file->f_dentry;
1025 struct inode *inode = dentry->d_inode;
1026 struct avc_audit_data ad;
1029 AVC_AUDIT_DATA_INIT(&ad, FS);
1031 ad.u.fs.dentry = dentry;
1033 if (tsec->sid != fsec->sid) {
1034 rc = avc_has_perm(tsec->sid, fsec->sid,
1042 /* av is zero if only checking access to the descriptor. */
1044 return inode_has_perm(tsk, inode, av, &fsec->inode_avcr, &ad);
1049 /* Check whether a task can create a file. */
1050 static int may_create(struct inode *dir,
1051 struct dentry *dentry,
1054 struct task_security_struct *tsec;
1055 struct inode_security_struct *dsec;
1056 struct superblock_security_struct *sbsec;
1058 struct avc_audit_data ad;
1061 tsec = current->security;
1062 dsec = dir->i_security;
1063 sbsec = dir->i_sb->s_security;
1065 AVC_AUDIT_DATA_INIT(&ad, FS);
1066 ad.u.fs.dentry = dentry;
1068 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1069 DIR__ADD_NAME | DIR__SEARCH,
1074 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1075 newsid = tsec->create_sid;
1077 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1083 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, NULL, &ad);
1087 return avc_has_perm(newsid, sbsec->sid,
1088 SECCLASS_FILESYSTEM,
1089 FILESYSTEM__ASSOCIATE, NULL, &ad);
1093 #define MAY_UNLINK 1
1096 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1097 static int may_link(struct inode *dir,
1098 struct dentry *dentry,
1102 struct task_security_struct *tsec;
1103 struct inode_security_struct *dsec, *isec;
1104 struct avc_audit_data ad;
1108 tsec = current->security;
1109 dsec = dir->i_security;
1110 isec = dentry->d_inode->i_security;
1112 AVC_AUDIT_DATA_INIT(&ad, FS);
1113 ad.u.fs.dentry = dentry;
1116 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1117 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1118 av, &dsec->avcr, &ad);
1133 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1137 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
1138 av, &isec->avcr, &ad);
1142 static inline int may_rename(struct inode *old_dir,
1143 struct dentry *old_dentry,
1144 struct inode *new_dir,
1145 struct dentry *new_dentry)
1147 struct task_security_struct *tsec;
1148 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1149 struct avc_audit_data ad;
1151 int old_is_dir, new_is_dir;
1154 tsec = current->security;
1155 old_dsec = old_dir->i_security;
1156 old_isec = old_dentry->d_inode->i_security;
1157 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1158 new_dsec = new_dir->i_security;
1160 AVC_AUDIT_DATA_INIT(&ad, FS);
1162 ad.u.fs.dentry = old_dentry;
1163 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1164 DIR__REMOVE_NAME | DIR__SEARCH,
1165 &old_dsec->avcr, &ad);
1168 rc = avc_has_perm(tsec->sid, old_isec->sid,
1171 &old_isec->avcr, &ad);
1174 if (old_is_dir && new_dir != old_dir) {
1175 rc = avc_has_perm(tsec->sid, old_isec->sid,
1178 &old_isec->avcr, &ad);
1183 ad.u.fs.dentry = new_dentry;
1184 av = DIR__ADD_NAME | DIR__SEARCH;
1185 if (new_dentry->d_inode)
1186 av |= DIR__REMOVE_NAME;
1187 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR,
1188 av,&new_dsec->avcr, &ad);
1191 if (new_dentry->d_inode) {
1192 new_isec = new_dentry->d_inode->i_security;
1193 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1194 rc = avc_has_perm(tsec->sid, new_isec->sid,
1196 (new_is_dir ? DIR__RMDIR : FILE__UNLINK),
1197 &new_isec->avcr, &ad);
1205 /* Check whether a task can perform a filesystem operation. */
1206 int superblock_has_perm(struct task_struct *tsk,
1207 struct super_block *sb,
1209 struct avc_audit_data *ad)
1211 struct task_security_struct *tsec;
1212 struct superblock_security_struct *sbsec;
1214 tsec = tsk->security;
1215 sbsec = sb->s_security;
1216 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1220 /* Convert a Linux mode and permission mask to an access vector. */
1221 static inline u32 file_mask_to_av(int mode, int mask)
1225 if ((mode & S_IFMT) != S_IFDIR) {
1226 if (mask & MAY_EXEC)
1227 av |= FILE__EXECUTE;
1228 if (mask & MAY_READ)
1231 if (mask & MAY_APPEND)
1233 else if (mask & MAY_WRITE)
1237 if (mask & MAY_EXEC)
1239 if (mask & MAY_WRITE)
1241 if (mask & MAY_READ)
1248 /* Convert a Linux file to an access vector. */
1249 static inline u32 file_to_av(struct file *file)
1253 if (file->f_mode & FMODE_READ)
1255 if (file->f_mode & FMODE_WRITE) {
1256 if (file->f_flags & O_APPEND)
1265 /* Set an inode's SID to a specified value. */
1266 int inode_security_set_sid(struct inode *inode, u32 sid)
1268 struct inode_security_struct *isec = inode->i_security;
1271 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1273 isec->initialized = 1;
1278 /* Set the security attributes on a newly created file. */
1279 static int post_create(struct inode *dir,
1280 struct dentry *dentry)
1283 struct task_security_struct *tsec;
1284 struct inode *inode;
1285 struct inode_security_struct *dsec;
1286 struct superblock_security_struct *sbsec;
1292 tsec = current->security;
1293 dsec = dir->i_security;
1294 sbsec = dir->i_sb->s_security;
1296 inode = dentry->d_inode;
1298 /* Some file system types (e.g. NFS) may not instantiate
1299 a dentry for all create operations (e.g. symlink),
1300 so we have to check to see if the inode is non-NULL. */
1301 printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
1302 "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1306 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1307 newsid = tsec->create_sid;
1309 rc = security_transition_sid(tsec->sid, dsec->sid,
1310 inode_mode_to_security_class(inode->i_mode),
1313 printk(KERN_WARNING "post_create: "
1314 "security_transition_sid failed, rc=%d (dev=%s "
1316 -rc, inode->i_sb->s_id, inode->i_ino);
1321 rc = inode_security_set_sid(inode, newsid);
1323 printk(KERN_WARNING "post_create: inode_security_set_sid "
1324 "failed, rc=%d (dev=%s ino=%ld)\n",
1325 -rc, inode->i_sb->s_id, inode->i_ino);
1329 if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1330 inode->i_op->setxattr) {
1331 /* Use extended attributes. */
1332 rc = security_sid_to_context(newsid, &context, &len);
1334 printk(KERN_WARNING "post_create: sid_to_context "
1335 "failed, rc=%d (dev=%s ino=%ld)\n",
1336 -rc, inode->i_sb->s_id, inode->i_ino);
1339 down(&inode->i_sem);
1340 rc = inode->i_op->setxattr(dentry,
1346 printk(KERN_WARNING "post_create: setxattr failed, "
1347 "rc=%d (dev=%s ino=%ld)\n",
1348 -rc, inode->i_sb->s_id, inode->i_ino);
1357 /* Hook functions begin here. */
1359 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1361 struct task_security_struct *psec = parent->security;
1362 struct task_security_struct *csec = child->security;
1365 rc = secondary_ops->ptrace(parent,child);
1369 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1370 /* Save the SID of the tracing process for later use in apply_creds. */
1372 csec->ptrace_sid = psec->sid;
1376 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1377 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1381 error = task_has_perm(current, target, PROCESS__GETCAP);
1385 return secondary_ops->capget(target, effective, inheritable, permitted);
1388 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1389 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1393 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1397 return task_has_perm(current, target, PROCESS__SETCAP);
1400 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1401 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1405 error = task_has_perm(current, target, PROCESS__SETCAP);
1409 secondary_ops->capset_set(target, effective, inheritable, permitted);
1412 static int selinux_capable(struct task_struct *tsk, int cap)
1416 rc = secondary_ops->capable(tsk, cap);
1420 return task_has_capability(tsk,cap);
1423 static int selinux_sysctl(ctl_table *table, int op)
1427 struct task_security_struct *tsec;
1431 rc = secondary_ops->sysctl(table, op);
1435 tsec = current->security;
1437 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1438 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1440 /* Default to the well-defined sysctl SID. */
1441 tsid = SECINITSID_SYSCTL;
1444 /* The op values are "defined" in sysctl.c, thereby creating
1445 * a bad coupling between this module and sysctl.c */
1447 error = avc_has_perm(tsec->sid, tsid,
1448 SECCLASS_DIR, DIR__SEARCH, NULL, NULL);
1456 error = avc_has_perm(tsec->sid, tsid,
1457 SECCLASS_FILE, av, NULL, NULL);
1463 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1476 rc = superblock_has_perm(current,
1478 FILESYSTEM__QUOTAMOD, NULL);
1483 rc = superblock_has_perm(current,
1485 FILESYSTEM__QUOTAGET, NULL);
1488 rc = 0; /* let the kernel handle invalid cmds */
1494 static int selinux_quota_on(struct file *f)
1496 return file_has_perm(current, f, FILE__QUOTAON);
1499 static int selinux_syslog(int type)
1503 rc = secondary_ops->syslog(type);
1508 case 3: /* Read last kernel messages */
1509 case 10: /* Return size of the log buffer */
1510 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1512 case 6: /* Disable logging to console */
1513 case 7: /* Enable logging to console */
1514 case 8: /* Set level of messages printed to console */
1515 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1517 case 0: /* Close log */
1518 case 1: /* Open log */
1519 case 2: /* Read from log */
1520 case 4: /* Read/clear last kernel messages */
1521 case 5: /* Clear ring buffer */
1523 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1530 * Check that a process has enough memory to allocate a new virtual
1531 * mapping. 0 means there is enough memory for the allocation to
1532 * succeed and -ENOMEM implies there is not.
1534 * We currently support three overcommit policies, which are set via the
1535 * vm.overcommit_memory sysctl. See Documentation/vm/overcommit-accounting
1537 * Strict overcommit modes added 2002 Feb 26 by Alan Cox.
1538 * Additional code 2002 Jul 20 by Robert Love.
1540 static int selinux_vm_enough_memory(long pages)
1542 unsigned long free, allowed;
1544 struct task_security_struct *tsec = current->security;
1546 vm_acct_memory(pages);
1549 * Sometimes we want to use more memory than we have
1551 if (sysctl_overcommit_memory == 1)
1554 if (sysctl_overcommit_memory == 0) {
1555 free = get_page_cache_size();
1556 free += nr_free_pages();
1557 free += nr_swap_pages;
1560 * Any slabs which are created with the
1561 * SLAB_RECLAIM_ACCOUNT flag claim to have contents
1562 * which are reclaimable, under pressure. The dentry
1563 * cache and most inode caches should fall into this
1565 free += atomic_read(&slab_reclaim_pages);
1568 * Leave the last 3% for privileged processes.
1569 * Don't audit the check, as it is applied to all processes
1570 * that allocate mappings.
1572 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1574 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1575 SECCLASS_CAPABILITY,
1576 CAP_TO_MASK(CAP_SYS_ADMIN),
1584 vm_unacct_memory(pages);
1588 allowed = (totalram_pages - hugetlb_total_pages())
1589 * sysctl_overcommit_ratio / 100;
1590 allowed += total_swap_pages;
1592 if (atomic_read(&vm_committed_space) < allowed)
1595 vm_unacct_memory(pages);
1600 /* binprm security operations */
1602 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1604 struct bprm_security_struct *bsec;
1606 bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1610 memset(bsec, 0, sizeof *bsec);
1611 bsec->magic = SELINUX_MAGIC;
1613 bsec->sid = SECINITSID_UNLABELED;
1616 bprm->security = bsec;
1620 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1622 struct task_security_struct *tsec;
1623 struct inode *inode = bprm->file->f_dentry->d_inode;
1624 struct inode_security_struct *isec;
1625 struct bprm_security_struct *bsec;
1627 struct avc_audit_data ad;
1630 rc = secondary_ops->bprm_set_security(bprm);
1634 bsec = bprm->security;
1639 tsec = current->security;
1640 isec = inode->i_security;
1642 /* Default to the current task SID. */
1643 bsec->sid = tsec->sid;
1645 /* Reset create SID on execve. */
1646 tsec->create_sid = 0;
1648 if (tsec->exec_sid) {
1649 newsid = tsec->exec_sid;
1650 /* Reset exec SID on execve. */
1653 /* Check for a default transition on this program. */
1654 rc = security_transition_sid(tsec->sid, isec->sid,
1655 SECCLASS_PROCESS, &newsid);
1660 AVC_AUDIT_DATA_INIT(&ad, FS);
1661 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1662 ad.u.fs.dentry = bprm->file->f_dentry;
1664 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1667 if (tsec->sid == newsid) {
1668 rc = avc_has_perm(tsec->sid, isec->sid,
1669 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS,
1674 /* Check permissions for the transition. */
1675 rc = avc_has_perm(tsec->sid, newsid,
1676 SECCLASS_PROCESS, PROCESS__TRANSITION,
1682 rc = avc_has_perm(newsid, isec->sid,
1683 SECCLASS_FILE, FILE__ENTRYPOINT,
1688 /* Clear any possibly unsafe personality bits on exec: */
1689 current->personality &= ~PER_CLEAR_ON_SETID;
1691 /* Set the security field to the new SID. */
1699 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1701 return secondary_ops->bprm_check_security(bprm);
1705 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1707 struct task_security_struct *tsec = current->security;
1710 if (tsec->osid != tsec->sid) {
1711 /* Enable secure mode for SIDs transitions unless
1712 the noatsecure permission is granted between
1713 the two SIDs, i.e. ahp returns 0. */
1714 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1716 PROCESS__NOATSECURE, NULL, NULL);
1719 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1722 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1724 struct bprm_security_struct *bsec = bprm->security;
1725 bprm->security = NULL;
1729 /* Create an open file that refers to the null device.
1730 Derived from the OpenWall LSM. */
1731 struct file *open_devnull(void)
1733 struct inode *inode;
1734 struct dentry *dentry;
1735 struct file *file = NULL;
1736 struct inode_security_struct *isec;
1739 inode = new_inode(current->fs->rootmnt->mnt_sb);
1743 dentry = dget(d_alloc_root(inode));
1747 file = get_empty_filp();
1751 dev = MKDEV(MEM_MAJOR, 3); /* null device */
1753 inode->i_uid = current->fsuid;
1754 inode->i_gid = current->fsgid;
1755 inode->i_blksize = PAGE_SIZE;
1756 inode->i_blocks = 0;
1757 inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME;
1758 inode->i_state = I_DIRTY; /* so that mark_inode_dirty won't touch us */
1760 isec = inode->i_security;
1761 isec->sid = SECINITSID_DEVNULL;
1762 isec->sclass = SECCLASS_CHR_FILE;
1763 isec->initialized = 1;
1765 file->f_flags = O_RDWR;
1766 file->f_mode = FMODE_READ | FMODE_WRITE;
1767 file->f_dentry = dentry;
1768 file->f_vfsmnt = mntget(current->fs->rootmnt);
1771 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, dev);
1772 if (inode->i_fop->open(inode, file))
1778 mntput(file->f_vfsmnt);
1788 /* Derived from fs/exec.c:flush_old_files. */
1789 static inline void flush_unauthorized_files(struct files_struct * files)
1791 struct avc_audit_data ad;
1792 struct file *file, *devnull = NULL;
1795 AVC_AUDIT_DATA_INIT(&ad,FS);
1797 spin_lock(&files->file_lock);
1799 unsigned long set, i;
1804 if (i >= files->max_fds || i >= files->max_fdset)
1806 set = files->open_fds->fds_bits[j];
1809 spin_unlock(&files->file_lock);
1810 for ( ; set ; i++,set >>= 1) {
1815 if (file_has_perm(current,
1817 file_to_av(file))) {
1819 fd = get_unused_fd();
1827 atomic_inc(&devnull->f_count);
1829 devnull = open_devnull();
1836 fd_install(fd, devnull);
1841 spin_lock(&files->file_lock);
1844 spin_unlock(&files->file_lock);
1847 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1849 struct task_security_struct *tsec;
1850 struct bprm_security_struct *bsec;
1852 struct av_decision avd;
1853 struct itimerval itimer;
1854 struct rlimit *rlim, *initrlim;
1857 secondary_ops->bprm_apply_creds(bprm, unsafe);
1859 tsec = current->security;
1861 bsec = bprm->security;
1864 tsec->osid = tsec->sid;
1865 if (tsec->sid != sid) {
1866 /* Check for shared state. If not ok, leave SID
1867 unchanged and kill. */
1868 if (unsafe & LSM_UNSAFE_SHARE) {
1869 rc = avc_has_perm_noaudit(tsec->sid, sid,
1870 SECCLASS_PROCESS, PROCESS__SHARE,
1873 task_unlock(current);
1874 avc_audit(tsec->sid, sid, SECCLASS_PROCESS,
1875 PROCESS__SHARE, &avd, rc, NULL);
1876 force_sig_specific(SIGKILL, current);
1881 /* Check for ptracing, and update the task SID if ok.
1882 Otherwise, leave SID unchanged and kill. */
1883 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1884 rc = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
1885 SECCLASS_PROCESS, PROCESS__PTRACE,
1889 task_unlock(current);
1890 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
1891 PROCESS__PTRACE, &avd, rc, NULL);
1893 force_sig_specific(SIGKILL, current);
1898 task_unlock(current);
1901 /* Close files for which the new task SID is not authorized. */
1902 flush_unauthorized_files(current->files);
1904 /* Check whether the new SID can inherit signal state
1905 from the old SID. If not, clear itimers to avoid
1906 subsequent signal generation and flush and unblock
1907 signals. This must occur _after_ the task SID has
1908 been updated so that any kill done after the flush
1909 will be checked against the new SID. */
1910 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1911 PROCESS__SIGINH, NULL, NULL);
1913 memset(&itimer, 0, sizeof itimer);
1914 for (i = 0; i < 3; i++)
1915 do_setitimer(i, &itimer, NULL);
1916 flush_signals(current);
1917 spin_lock_irq(¤t->sighand->siglock);
1918 flush_signal_handlers(current, 1);
1919 sigemptyset(¤t->blocked);
1920 recalc_sigpending();
1921 spin_unlock_irq(¤t->sighand->siglock);
1924 /* Check whether the new SID can inherit resource limits
1925 from the old SID. If not, reset all soft limits to
1926 the lower of the current task's hard limit and the init
1927 task's soft limit. Note that the setting of hard limits
1928 (even to lower them) can be controlled by the setrlimit
1929 check. The inclusion of the init task's soft limit into
1930 the computation is to avoid resetting soft limits higher
1931 than the default soft limit for cases where the default
1932 is lower than the hard limit, e.g. RLIMIT_CORE or
1934 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1935 PROCESS__RLIMITINH, NULL, NULL);
1937 for (i = 0; i < RLIM_NLIMITS; i++) {
1938 rlim = current->rlim + i;
1939 initrlim = init_task.rlim+i;
1940 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1944 /* Wake up the parent if it is waiting so that it can
1945 recheck wait permission to the new task SID. */
1946 wake_up_interruptible(¤t->parent->wait_chldexit);
1954 /* superblock security operations */
1956 static int selinux_sb_alloc_security(struct super_block *sb)
1958 return superblock_alloc_security(sb);
1961 static void selinux_sb_free_security(struct super_block *sb)
1963 superblock_free_security(sb);
1966 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1971 return !memcmp(prefix, option, plen);
1974 static inline int selinux_option(char *option, int len)
1976 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1977 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1978 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1981 static inline void take_option(char **to, char *from, int *first, int len)
1989 memcpy(*to, from, len);
1993 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1995 int fnosec, fsec, rc = 0;
1996 char *in_save, *in_curr, *in_end;
1997 char *sec_curr, *nosec_save, *nosec;
2002 /* Binary mount data: just copy */
2003 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2004 copy_page(sec_curr, in_curr);
2008 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2016 in_save = in_end = orig;
2019 if (*in_end == ',' || *in_end == '\0') {
2020 int len = in_end - in_curr;
2022 if (selinux_option(in_curr, len))
2023 take_option(&sec_curr, in_curr, &fsec, len);
2025 take_option(&nosec, in_curr, &fnosec, len);
2027 in_curr = in_end + 1;
2029 } while (*in_end++);
2031 copy_page(in_save, nosec_save);
2036 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2038 struct avc_audit_data ad;
2041 rc = superblock_doinit(sb, data);
2045 AVC_AUDIT_DATA_INIT(&ad,FS);
2046 ad.u.fs.dentry = sb->s_root;
2047 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2050 static int selinux_sb_statfs(struct super_block *sb)
2052 struct avc_audit_data ad;
2054 AVC_AUDIT_DATA_INIT(&ad,FS);
2055 ad.u.fs.dentry = sb->s_root;
2056 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
2059 static int selinux_mount(char * dev_name,
2060 struct nameidata *nd,
2062 unsigned long flags,
2067 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2071 if (flags & MS_REMOUNT)
2072 return superblock_has_perm(current, nd->mnt->mnt_sb,
2073 FILESYSTEM__REMOUNT, NULL);
2075 return dentry_has_perm(current, nd->mnt, nd->dentry,
2079 static int selinux_umount(struct vfsmount *mnt, int flags)
2083 rc = secondary_ops->sb_umount(mnt, flags);
2087 return superblock_has_perm(current,mnt->mnt_sb,
2088 FILESYSTEM__UNMOUNT,NULL);
2091 /* inode security operations */
2093 static int selinux_inode_alloc_security(struct inode *inode)
2095 return inode_alloc_security(inode);
2098 static void selinux_inode_free_security(struct inode *inode)
2100 inode_free_security(inode);
2103 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2105 return may_create(dir, dentry, SECCLASS_FILE);
2108 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2110 post_create(dir, dentry);
2113 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2117 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2120 return may_link(dir, old_dentry, MAY_LINK);
2123 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2128 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2132 rc = secondary_ops->inode_unlink(dir, dentry);
2135 return may_link(dir, dentry, MAY_UNLINK);
2138 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2140 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2143 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2145 post_create(dir, dentry);
2148 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2150 return may_create(dir, dentry, SECCLASS_DIR);
2153 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2155 post_create(dir, dentry);
2158 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2160 return may_link(dir, dentry, MAY_RMDIR);
2163 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2167 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2171 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2174 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2176 post_create(dir, dentry);
2179 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2180 struct inode *new_inode, struct dentry *new_dentry)
2182 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2185 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2186 struct inode *new_inode, struct dentry *new_dentry)
2191 static int selinux_inode_readlink(struct dentry *dentry)
2193 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2196 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2200 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2203 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2206 static int selinux_inode_permission(struct inode *inode, int mask,
2207 struct nameidata *nd)
2211 rc = secondary_ops->inode_permission(inode, mask, nd);
2216 /* No permission to check. Existence test. */
2220 return inode_has_perm(current, inode,
2221 file_mask_to_av(inode->i_mode, mask), NULL, NULL);
2224 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2228 rc = secondary_ops->inode_setattr(dentry, iattr);
2232 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2233 ATTR_ATIME_SET | ATTR_MTIME_SET))
2234 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2236 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2239 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2241 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2244 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2246 struct task_security_struct *tsec = current->security;
2247 struct inode *inode = dentry->d_inode;
2248 struct inode_security_struct *isec = inode->i_security;
2249 struct superblock_security_struct *sbsec;
2250 struct avc_audit_data ad;
2254 if (strcmp(name, XATTR_NAME_SELINUX)) {
2255 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2256 sizeof XATTR_SECURITY_PREFIX - 1) &&
2257 !capable(CAP_SYS_ADMIN)) {
2258 /* A different attribute in the security namespace.
2259 Restrict to administrator. */
2263 /* Not an attribute we recognize, so just check the
2264 ordinary setattr permission. */
2265 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2268 sbsec = inode->i_sb->s_security;
2269 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2272 AVC_AUDIT_DATA_INIT(&ad,FS);
2273 ad.u.fs.dentry = dentry;
2275 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2281 rc = security_context_to_sid(value, size, &newsid);
2285 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2286 FILE__RELABELTO, NULL, &ad);
2290 return avc_has_perm(newsid,
2292 SECCLASS_FILESYSTEM,
2293 FILESYSTEM__ASSOCIATE,
2298 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2299 void *value, size_t size, int flags)
2301 struct inode *inode = dentry->d_inode;
2302 struct inode_security_struct *isec = inode->i_security;
2306 if (strcmp(name, XATTR_NAME_SELINUX)) {
2307 /* Not an attribute we recognize, so nothing to do. */
2311 rc = security_context_to_sid(value, size, &newsid);
2313 printk(KERN_WARNING "%s: unable to obtain SID for context "
2314 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2322 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2324 struct inode *inode = dentry->d_inode;
2325 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2327 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2330 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2333 static int selinux_inode_listxattr (struct dentry *dentry)
2335 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2338 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2340 if (strcmp(name, XATTR_NAME_SELINUX)) {
2341 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2342 sizeof XATTR_SECURITY_PREFIX - 1) &&
2343 !capable(CAP_SYS_ADMIN)) {
2344 /* A different attribute in the security namespace.
2345 Restrict to administrator. */
2349 /* Not an attribute we recognize, so just check the
2350 ordinary setattr permission. Might want a separate
2351 permission for removexattr. */
2352 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2355 /* No one is allowed to remove a SELinux security label.
2356 You can change the label, but all data must be labeled. */
2360 static int selinux_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
2362 struct inode *inode = dentry->d_inode;
2363 struct inode_security_struct *isec = inode->i_security;
2368 /* Permission check handled by selinux_inode_getxattr hook.*/
2370 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2373 rc = security_sid_to_context(isec->sid, &context, &len);
2377 if (!buffer || !size) {
2385 memcpy(buffer, context, len);
2390 static int selinux_inode_setsecurity(struct dentry *dentry, const char *name,
2391 const void *value, size_t size, int flags)
2393 struct inode *inode = dentry->d_inode;
2394 struct inode_security_struct *isec = inode->i_security;
2398 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2401 if (!value || !size)
2404 rc = security_context_to_sid((void*)value, size, &newsid);
2412 static int selinux_inode_listsecurity(struct dentry *dentry, char *buffer)
2414 const int len = sizeof(XATTR_NAME_SELINUX);
2416 memcpy(buffer, XATTR_NAME_SELINUX, len);
2420 /* file security operations */
2422 static int selinux_file_permission(struct file *file, int mask)
2424 struct inode *inode = file->f_dentry->d_inode;
2427 /* No permission to check. Existence test. */
2431 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2432 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2435 return file_has_perm(current, file,
2436 file_mask_to_av(inode->i_mode, mask));
2439 static int selinux_file_alloc_security(struct file *file)
2441 return file_alloc_security(file);
2444 static void selinux_file_free_security(struct file *file)
2446 file_free_security(file);
2449 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2461 case EXT2_IOC_GETFLAGS:
2463 case EXT2_IOC_GETVERSION:
2464 error = file_has_perm(current, file, FILE__GETATTR);
2467 case EXT2_IOC_SETFLAGS:
2469 case EXT2_IOC_SETVERSION:
2470 error = file_has_perm(current, file, FILE__SETATTR);
2473 /* sys_ioctl() checks */
2477 error = file_has_perm(current, file, 0);
2482 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2485 /* default case assumes that the command will go
2486 * to the file's ioctl() function.
2489 error = file_has_perm(current, file, FILE__IOCTL);
2495 static int selinux_file_mmap(struct file *file, unsigned long prot, unsigned long flags)
2500 rc = secondary_ops->file_mmap(file, prot, flags);
2505 /* read access is always possible with a mapping */
2508 /* write access only matters if the mapping is shared */
2509 if ((flags & MAP_TYPE) == MAP_SHARED && (prot & PROT_WRITE))
2512 if (prot & PROT_EXEC)
2513 av |= FILE__EXECUTE;
2515 return file_has_perm(current, file, av);
2520 static int selinux_file_mprotect(struct vm_area_struct *vma,
2525 rc = secondary_ops->file_mprotect(vma, prot);
2529 return selinux_file_mmap(vma->vm_file, prot, vma->vm_flags);
2532 static int selinux_file_lock(struct file *file, unsigned int cmd)
2534 return file_has_perm(current, file, FILE__LOCK);
2537 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2544 if (!file->f_dentry || !file->f_dentry->d_inode) {
2549 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2550 err = file_has_perm(current, file,FILE__WRITE);
2559 /* Just check FD__USE permission */
2560 err = file_has_perm(current, file, 0);
2565 #if BITS_PER_LONG == 32
2570 if (!file->f_dentry || !file->f_dentry->d_inode) {
2574 err = file_has_perm(current, file, FILE__LOCK);
2581 static int selinux_file_set_fowner(struct file *file)
2583 struct task_security_struct *tsec;
2584 struct file_security_struct *fsec;
2586 tsec = current->security;
2587 fsec = file->f_security;
2588 fsec->fown_sid = tsec->sid;
2593 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2594 struct fown_struct *fown,
2599 struct task_security_struct *tsec;
2600 struct file_security_struct *fsec;
2602 /* struct fown_struct is never outside the context of a struct file */
2603 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2605 tsec = tsk->security;
2606 fsec = file->f_security;
2609 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2611 perm = signal_to_av(fown->signum);
2613 return avc_has_perm(fsec->fown_sid, tsec->sid,
2614 SECCLASS_PROCESS, perm, NULL, NULL);
2617 static int selinux_file_receive(struct file *file)
2619 return file_has_perm(current, file, file_to_av(file));
2622 /* task security operations */
2624 static int selinux_task_create(unsigned long clone_flags)
2628 rc = secondary_ops->task_create(clone_flags);
2632 return task_has_perm(current, current, PROCESS__FORK);
2635 static int selinux_task_alloc_security(struct task_struct *tsk)
2637 struct task_security_struct *tsec1, *tsec2;
2640 tsec1 = current->security;
2642 rc = task_alloc_security(tsk);
2645 tsec2 = tsk->security;
2647 tsec2->osid = tsec1->osid;
2648 tsec2->sid = tsec1->sid;
2650 /* Retain the exec and create SIDs across fork */
2651 tsec2->exec_sid = tsec1->exec_sid;
2652 tsec2->create_sid = tsec1->create_sid;
2657 static void selinux_task_free_security(struct task_struct *tsk)
2659 task_free_security(tsk);
2662 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2664 /* Since setuid only affects the current process, and
2665 since the SELinux controls are not based on the Linux
2666 identity attributes, SELinux does not need to control
2667 this operation. However, SELinux does control the use
2668 of the CAP_SETUID and CAP_SETGID capabilities using the
2673 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2675 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2678 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2680 /* See the comment for setuid above. */
2684 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2686 return task_has_perm(current, p, PROCESS__SETPGID);
2689 static int selinux_task_getpgid(struct task_struct *p)
2691 return task_has_perm(current, p, PROCESS__GETPGID);
2694 static int selinux_task_getsid(struct task_struct *p)
2696 return task_has_perm(current, p, PROCESS__GETSESSION);
2699 static int selinux_task_setgroups(struct group_info *group_info)
2701 /* See the comment for setuid above. */
2705 static int selinux_task_setnice(struct task_struct *p, int nice)
2709 rc = secondary_ops->task_setnice(p, nice);
2713 return task_has_perm(current,p, PROCESS__SETSCHED);
2716 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2718 struct rlimit *old_rlim = current->rlim + resource;
2721 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2725 /* Control the ability to change the hard limit (whether
2726 lowering or raising it), so that the hard limit can
2727 later be used as a safe reset point for the soft limit
2728 upon context transitions. See selinux_bprm_apply_creds. */
2729 if (old_rlim->rlim_max != new_rlim->rlim_max)
2730 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2735 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2737 struct task_security_struct *tsec1, *tsec2;
2739 tsec1 = current->security;
2740 tsec2 = p->security;
2742 /* No auditing from the setscheduler hook, since the runqueue lock
2743 is held and the system will deadlock if we try to log an audit
2745 return avc_has_perm_noaudit(tsec1->sid, tsec2->sid,
2746 SECCLASS_PROCESS, PROCESS__SETSCHED,
2747 &tsec2->avcr, NULL);
2750 static int selinux_task_getscheduler(struct task_struct *p)
2752 return task_has_perm(current, p, PROCESS__GETSCHED);
2755 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2760 rc = secondary_ops->task_kill(p, info, sig);
2764 if (info && ((unsigned long)info == 1 ||
2765 (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2769 perm = PROCESS__SIGNULL; /* null signal; existence test */
2771 perm = signal_to_av(sig);
2773 return task_has_perm(current, p, perm);
2776 static int selinux_task_prctl(int option,
2782 /* The current prctl operations do not appear to require
2783 any SELinux controls since they merely observe or modify
2784 the state of the current process. */
2788 static int selinux_task_wait(struct task_struct *p)
2792 perm = signal_to_av(p->exit_signal);
2794 return task_has_perm(p, current, perm);
2797 static void selinux_task_reparent_to_init(struct task_struct *p)
2799 struct task_security_struct *tsec;
2801 secondary_ops->task_reparent_to_init(p);
2804 tsec->osid = tsec->sid;
2805 tsec->sid = SECINITSID_KERNEL;
2809 static void selinux_task_to_inode(struct task_struct *p,
2810 struct inode *inode)
2812 struct task_security_struct *tsec = p->security;
2813 struct inode_security_struct *isec = inode->i_security;
2815 isec->sid = tsec->sid;
2816 isec->initialized = 1;
2820 #ifdef CONFIG_SECURITY_NETWORK
2822 /* Returns error only if unable to parse addresses */
2823 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2825 int offset, ihlen, ret;
2828 offset = skb->nh.raw - skb->data;
2829 ret = skb_copy_bits(skb, offset, &iph, sizeof(iph));
2833 ihlen = iph.ihl * 4;
2834 if (ihlen < sizeof(iph))
2837 ad->u.net.v4info.saddr = iph.saddr;
2838 ad->u.net.v4info.daddr = iph.daddr;
2840 switch (iph.protocol) {
2844 if (ntohs(iph.frag_off) & IP_OFFSET)
2848 if (skb_copy_bits(skb, offset, &tcph, sizeof(tcph)) < 0)
2851 ad->u.net.sport = tcph.source;
2852 ad->u.net.dport = tcph.dest;
2859 if (ntohs(iph.frag_off) & IP_OFFSET)
2863 if (skb_copy_bits(skb, offset, &udph, sizeof(udph)) < 0)
2866 ad->u.net.sport = udph.source;
2867 ad->u.net.dport = udph.dest;
2878 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2880 /* Returns error only if unable to parse addresses */
2881 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2885 struct ipv6hdr ipv6h;
2887 offset = skb->nh.raw - skb->data;
2888 ret = skb_copy_bits(skb, offset, &ipv6h, sizeof(ipv6h));
2892 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ipv6h.saddr);
2893 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ipv6h.daddr);
2895 nexthdr = ipv6h.nexthdr;
2896 offset += sizeof(ipv6h);
2897 offset = ipv6_skip_exthdr(skb, offset, &nexthdr,
2898 skb->tail - skb->head - offset);
2906 if (skb_copy_bits(skb, offset, &tcph, sizeof(tcph)) < 0)
2909 ad->u.net.sport = tcph.source;
2910 ad->u.net.dport = tcph.dest;
2917 if (skb_copy_bits(skb, offset, &udph, sizeof(udph)) < 0)
2920 ad->u.net.sport = udph.source;
2921 ad->u.net.dport = udph.dest;
2925 /* includes fragments */
2935 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2936 char **addrp, int *len, int src)
2940 switch (ad->u.net.family) {
2942 ret = selinux_parse_skb_ipv4(skb, ad);
2946 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2947 &ad->u.net.v4info.daddr);
2950 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2952 ret = selinux_parse_skb_ipv6(skb, ad);
2956 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2957 &ad->u.net.v6info.daddr);
2967 /* socket security operations */
2968 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2971 struct inode_security_struct *isec;
2972 struct task_security_struct *tsec;
2973 struct avc_audit_data ad;
2976 tsec = task->security;
2977 isec = SOCK_INODE(sock)->i_security;
2979 if (isec->sid == SECINITSID_KERNEL)
2982 AVC_AUDIT_DATA_INIT(&ad,NET);
2983 ad.u.net.sk = sock->sk;
2984 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2985 perms, &isec->avcr, &ad);
2991 static int selinux_socket_create(int family, int type,
2992 int protocol, int kern)
2995 struct task_security_struct *tsec;
3000 tsec = current->security;
3001 err = avc_has_perm(tsec->sid, tsec->sid,
3002 socket_type_to_security_class(family, type,
3003 protocol), SOCKET__CREATE, NULL, NULL);
3009 static void selinux_socket_post_create(struct socket *sock, int family,
3010 int type, int protocol, int kern)
3013 struct inode_security_struct *isec;
3014 struct task_security_struct *tsec;
3016 err = inode_doinit(SOCK_INODE(sock));
3019 isec = SOCK_INODE(sock)->i_security;
3021 tsec = current->security;
3022 isec->sclass = socket_type_to_security_class(family, type, protocol);
3023 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
3028 /* Range of port numbers used to automatically bind.
3029 Need to determine whether we should perform a name_bind
3030 permission check between the socket and the port number. */
3031 #define ip_local_port_range_0 sysctl_local_port_range[0]
3032 #define ip_local_port_range_1 sysctl_local_port_range[1]
3034 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3039 err = socket_has_perm(current, sock, SOCKET__BIND);
3044 * If PF_INET or PF_INET6, check name_bind permission for the port.
3046 family = sock->sk->sk_family;
3047 if (family == PF_INET || family == PF_INET6) {
3049 struct inode_security_struct *isec;
3050 struct task_security_struct *tsec;
3051 struct avc_audit_data ad;
3052 struct sockaddr_in *addr4 = NULL;
3053 struct sockaddr_in6 *addr6 = NULL;
3054 unsigned short snum;
3055 struct sock *sk = sock->sk;
3056 u32 sid, node_perm, addrlen;
3058 tsec = current->security;
3059 isec = SOCK_INODE(sock)->i_security;
3061 if (family == PF_INET) {
3062 addr4 = (struct sockaddr_in *)address;
3063 snum = ntohs(addr4->sin_port);
3064 addrlen = sizeof(addr4->sin_addr.s_addr);
3065 addrp = (char *)&addr4->sin_addr.s_addr;
3067 addr6 = (struct sockaddr_in6 *)address;
3068 snum = ntohs(addr6->sin6_port);
3069 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3070 addrp = (char *)&addr6->sin6_addr.s6_addr;
3073 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3074 snum > ip_local_port_range_1)) {
3075 err = security_port_sid(sk->sk_family, sk->sk_type,
3076 sk->sk_protocol, snum, &sid);
3079 AVC_AUDIT_DATA_INIT(&ad,NET);
3080 ad.u.net.sport = htons(snum);
3081 err = avc_has_perm(isec->sid, sid,
3083 SOCKET__NAME_BIND, NULL, &ad);
3088 switch(sk->sk_protocol) {
3090 node_perm = TCP_SOCKET__NODE_BIND;
3094 node_perm = UDP_SOCKET__NODE_BIND;
3098 node_perm = RAWIP_SOCKET__NODE_BIND;
3102 err = security_node_sid(family, addrp, addrlen, &sid);
3106 AVC_AUDIT_DATA_INIT(&ad,NET);
3107 ad.u.net.sport = htons(snum);
3108 ad.u.net.family = family;
3110 if (family == PF_INET)
3111 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3113 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3115 err = avc_has_perm(isec->sid, sid,
3116 isec->sclass, node_perm, NULL, &ad);
3124 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3126 return socket_has_perm(current, sock, SOCKET__CONNECT);
3129 static int selinux_socket_listen(struct socket *sock, int backlog)
3131 return socket_has_perm(current, sock, SOCKET__LISTEN);
3134 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3137 struct inode_security_struct *isec;
3138 struct inode_security_struct *newisec;
3140 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3144 err = inode_doinit(SOCK_INODE(newsock));
3147 newisec = SOCK_INODE(newsock)->i_security;
3149 isec = SOCK_INODE(sock)->i_security;
3150 newisec->sclass = isec->sclass;
3151 newisec->sid = isec->sid;
3156 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3159 return socket_has_perm(current, sock, SOCKET__WRITE);
3162 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3163 int size, int flags)
3165 return socket_has_perm(current, sock, SOCKET__READ);
3168 static int selinux_socket_getsockname(struct socket *sock)
3170 return socket_has_perm(current, sock, SOCKET__GETATTR);
3173 static int selinux_socket_getpeername(struct socket *sock)
3175 return socket_has_perm(current, sock, SOCKET__GETATTR);
3178 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3180 return socket_has_perm(current, sock, SOCKET__SETOPT);
3183 static int selinux_socket_getsockopt(struct socket *sock, int level,
3186 return socket_has_perm(current, sock, SOCKET__GETOPT);
3189 static int selinux_socket_shutdown(struct socket *sock, int how)
3191 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3194 static int selinux_socket_unix_stream_connect(struct socket *sock,
3195 struct socket *other,
3198 struct sk_security_struct *ssec;
3199 struct inode_security_struct *isec;
3200 struct inode_security_struct *other_isec;
3201 struct avc_audit_data ad;
3204 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3208 isec = SOCK_INODE(sock)->i_security;
3209 other_isec = SOCK_INODE(other)->i_security;
3211 AVC_AUDIT_DATA_INIT(&ad,NET);
3212 ad.u.net.sk = other->sk;
3214 err = avc_has_perm(isec->sid, other_isec->sid,
3216 UNIX_STREAM_SOCKET__CONNECTTO,
3217 &other_isec->avcr, &ad);
3221 /* connecting socket */
3222 ssec = sock->sk->sk_security;
3223 ssec->peer_sid = other_isec->sid;
3225 /* server child socket */
3226 ssec = newsk->sk_security;
3227 ssec->peer_sid = isec->sid;
3232 static int selinux_socket_unix_may_send(struct socket *sock,
3233 struct socket *other)
3235 struct inode_security_struct *isec;
3236 struct inode_security_struct *other_isec;
3237 struct avc_audit_data ad;
3240 isec = SOCK_INODE(sock)->i_security;
3241 other_isec = SOCK_INODE(other)->i_security;
3243 AVC_AUDIT_DATA_INIT(&ad,NET);
3244 ad.u.net.sk = other->sk;
3246 err = avc_has_perm(isec->sid, other_isec->sid,
3249 &other_isec->avcr, &ad);
3256 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3261 u32 netif_perm, node_perm, node_sid, recv_perm = 0;
3264 struct socket *sock;
3265 struct net_device *dev;
3266 struct sel_netif *netif;
3267 struct netif_security_struct *nsec;
3268 struct avc_audit_data ad;
3270 family = sk->sk_family;
3271 if (family != PF_INET && family != PF_INET6)
3274 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3275 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3278 read_lock_bh(&sk->sk_callback_lock);
3279 sock = sk->sk_socket;
3281 struct inode *inode;
3282 inode = SOCK_INODE(sock);
3284 struct inode_security_struct *isec;
3285 isec = inode->i_security;
3286 sock_sid = isec->sid;
3287 sock_class = isec->sclass;
3290 read_unlock_bh(&sk->sk_callback_lock);
3298 netif = sel_netif_lookup(dev);
3299 if (IS_ERR(netif)) {
3300 err = PTR_ERR(netif);
3304 nsec = &netif->nsec;
3306 switch (sock_class) {
3307 case SECCLASS_UDP_SOCKET:
3308 netif_perm = NETIF__UDP_RECV;
3309 node_perm = NODE__UDP_RECV;
3310 recv_perm = UDP_SOCKET__RECV_MSG;
3313 case SECCLASS_TCP_SOCKET:
3314 netif_perm = NETIF__TCP_RECV;
3315 node_perm = NODE__TCP_RECV;
3316 recv_perm = TCP_SOCKET__RECV_MSG;
3320 netif_perm = NETIF__RAWIP_RECV;
3321 node_perm = NODE__RAWIP_RECV;
3325 AVC_AUDIT_DATA_INIT(&ad, NET);
3326 ad.u.net.netif = dev->name;
3327 ad.u.net.family = family;
3329 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3331 sel_netif_put(netif);
3335 err = avc_has_perm(sock_sid, nsec->if_sid, SECCLASS_NETIF,
3336 netif_perm, &nsec->avcr, &ad);
3337 sel_netif_put(netif);
3341 /* Fixme: this lookup is inefficient */
3342 err = security_node_sid(family, addrp, len, &node_sid);
3346 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, NULL, &ad);
3353 /* Fixme: make this more efficient */
3354 err = security_port_sid(sk->sk_family, sk->sk_type,
3355 sk->sk_protocol, ntohs(ad.u.net.sport),
3360 err = avc_has_perm(sock_sid, port_sid, sock_class,
3361 recv_perm, NULL, &ad);
3367 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3368 int __user *optlen, unsigned len)
3373 struct sk_security_struct *ssec;
3374 struct inode_security_struct *isec;
3376 isec = SOCK_INODE(sock)->i_security;
3377 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3382 ssec = sock->sk->sk_security;
3384 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3388 if (scontext_len > len) {
3393 if (copy_to_user(optval, scontext, scontext_len))
3397 if (put_user(scontext_len, optlen))
3405 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3407 return sk_alloc_security(sk, family, priority);
3410 static void selinux_sk_free_security(struct sock *sk)
3412 sk_free_security(sk);
3415 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3419 struct nlmsghdr *nlh;
3420 struct socket *sock = sk->sk_socket;
3421 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3423 if (skb->len < NLMSG_SPACE(0)) {
3427 nlh = (struct nlmsghdr *)skb->data;
3429 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3437 err = socket_has_perm(current, sock, perm);
3442 #ifdef CONFIG_NETFILTER
3444 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3445 struct sk_buff **pskb,
3446 const struct net_device *in,
3447 const struct net_device *out,
3448 int (*okfn)(struct sk_buff *),
3452 int len, err = NF_ACCEPT;
3453 u32 netif_perm, node_perm, node_sid, send_perm = 0;
3455 struct socket *sock;
3456 struct inode *inode;
3457 struct sel_netif *netif;
3458 struct sk_buff *skb = *pskb;
3459 struct netif_security_struct *nsec;
3460 struct inode_security_struct *isec;
3461 struct avc_audit_data ad;
3462 struct net_device *dev = (struct net_device *)out;
3468 sock = sk->sk_socket;
3472 inode = SOCK_INODE(sock);
3476 netif = sel_netif_lookup(dev);
3477 if (IS_ERR(netif)) {
3482 nsec = &netif->nsec;
3483 isec = inode->i_security;
3485 switch (isec->sclass) {
3486 case SECCLASS_UDP_SOCKET:
3487 netif_perm = NETIF__UDP_SEND;
3488 node_perm = NODE__UDP_SEND;
3489 send_perm = UDP_SOCKET__SEND_MSG;
3492 case SECCLASS_TCP_SOCKET:
3493 netif_perm = NETIF__TCP_SEND;
3494 node_perm = NODE__TCP_SEND;
3495 send_perm = TCP_SOCKET__SEND_MSG;
3499 netif_perm = NETIF__RAWIP_SEND;
3500 node_perm = NODE__RAWIP_SEND;
3505 AVC_AUDIT_DATA_INIT(&ad, NET);
3506 ad.u.net.netif = dev->name;
3507 ad.u.net.family = family;
3509 err = selinux_parse_skb(skb, &ad, &addrp,
3510 &len, 0) ? NF_DROP : NF_ACCEPT;
3511 if (err != NF_ACCEPT) {
3512 sel_netif_put(netif);
3516 err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
3517 netif_perm, &nsec->avcr, &ad) ? NF_DROP : NF_ACCEPT;
3518 sel_netif_put(netif);
3519 if (err != NF_ACCEPT)
3522 /* Fixme: this lookup is inefficient */
3523 err = security_node_sid(family, addrp, len,
3524 &node_sid) ? NF_DROP : NF_ACCEPT;
3525 if (err != NF_ACCEPT)
3528 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3529 node_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
3530 if (err != NF_ACCEPT)
3536 /* Fixme: make this more efficient */
3537 err = security_port_sid(sk->sk_family,
3540 ntohs(ad.u.net.dport),
3541 &port_sid) ? NF_DROP : NF_ACCEPT;
3542 if (err != NF_ACCEPT)
3545 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3546 send_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
3553 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3554 struct sk_buff **pskb,
3555 const struct net_device *in,
3556 const struct net_device *out,
3557 int (*okfn)(struct sk_buff *))
3559 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3562 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3564 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3565 struct sk_buff **pskb,
3566 const struct net_device *in,
3567 const struct net_device *out,
3568 int (*okfn)(struct sk_buff *))
3570 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3575 #endif /* CONFIG_NETFILTER */
3579 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3584 #endif /* CONFIG_SECURITY_NETWORK */
3586 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3590 if (capable(CAP_NET_ADMIN))
3591 cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
3593 NETLINK_CB(skb).eff_cap = 0;
3595 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3596 err = selinux_nlmsg_perm(sk, skb);
3601 static int selinux_netlink_recv(struct sk_buff *skb)
3603 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3608 static int ipc_alloc_security(struct task_struct *task,
3609 struct kern_ipc_perm *perm,
3612 struct task_security_struct *tsec = task->security;
3613 struct ipc_security_struct *isec;
3615 isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3619 memset(isec, 0, sizeof(struct ipc_security_struct));
3620 isec->magic = SELINUX_MAGIC;
3621 isec->sclass = sclass;
3622 isec->ipc_perm = perm;
3624 isec->sid = tsec->sid;
3626 isec->sid = SECINITSID_UNLABELED;
3628 perm->security = isec;
3633 static void ipc_free_security(struct kern_ipc_perm *perm)
3635 struct ipc_security_struct *isec = perm->security;
3636 if (!isec || isec->magic != SELINUX_MAGIC)
3639 perm->security = NULL;
3643 static int msg_msg_alloc_security(struct msg_msg *msg)
3645 struct msg_security_struct *msec;
3647 msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3651 memset(msec, 0, sizeof(struct msg_security_struct));
3652 msec->magic = SELINUX_MAGIC;
3654 msec->sid = SECINITSID_UNLABELED;
3655 msg->security = msec;
3660 static void msg_msg_free_security(struct msg_msg *msg)
3662 struct msg_security_struct *msec = msg->security;
3663 if (!msec || msec->magic != SELINUX_MAGIC)
3666 msg->security = NULL;
3670 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3671 u16 sclass, u32 perms)
3673 struct task_security_struct *tsec;
3674 struct ipc_security_struct *isec;
3675 struct avc_audit_data ad;
3677 tsec = current->security;
3678 isec = ipc_perms->security;
3680 AVC_AUDIT_DATA_INIT(&ad, IPC);
3681 ad.u.ipc_id = ipc_perms->key;
3683 return avc_has_perm(tsec->sid, isec->sid, sclass,
3684 perms, &isec->avcr, &ad);
3687 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3689 return msg_msg_alloc_security(msg);
3692 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3694 msg_msg_free_security(msg);
3697 /* message queue security operations */
3698 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3700 struct task_security_struct *tsec;
3701 struct ipc_security_struct *isec;
3702 struct avc_audit_data ad;
3705 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3709 tsec = current->security;
3710 isec = msq->q_perm.security;
3712 AVC_AUDIT_DATA_INIT(&ad, IPC);
3713 ad.u.ipc_id = msq->q_perm.key;
3715 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3716 MSGQ__CREATE, &isec->avcr, &ad);
3718 ipc_free_security(&msq->q_perm);
3724 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3726 ipc_free_security(&msq->q_perm);
3729 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3731 struct task_security_struct *tsec;
3732 struct ipc_security_struct *isec;
3733 struct avc_audit_data ad;
3735 tsec = current->security;
3736 isec = msq->q_perm.security;
3738 AVC_AUDIT_DATA_INIT(&ad, IPC);
3739 ad.u.ipc_id = msq->q_perm.key;
3741 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3742 MSGQ__ASSOCIATE, &isec->avcr, &ad);
3745 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3753 /* No specific object, just general system-wide information. */
3754 return task_has_system(current, SYSTEM__IPC_INFO);
3757 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3760 perms = MSGQ__SETATTR;
3763 perms = MSGQ__DESTROY;
3769 err = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms);
3773 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3775 struct task_security_struct *tsec;
3776 struct ipc_security_struct *isec;
3777 struct msg_security_struct *msec;
3778 struct avc_audit_data ad;
3781 tsec = current->security;
3782 isec = msq->q_perm.security;
3783 msec = msg->security;
3786 * First time through, need to assign label to the message
3788 if (msec->sid == SECINITSID_UNLABELED) {
3790 * Compute new sid based on current process and
3791 * message queue this message will be stored in
3793 rc = security_transition_sid(tsec->sid,
3801 AVC_AUDIT_DATA_INIT(&ad, IPC);
3802 ad.u.ipc_id = msq->q_perm.key;
3804 /* Can this process write to the queue? */
3805 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3806 MSGQ__WRITE, &isec->avcr, &ad);
3808 /* Can this process send the message */
3809 rc = avc_has_perm(tsec->sid, msec->sid,
3810 SECCLASS_MSG, MSG__SEND,
3813 /* Can the message be put in the queue? */
3814 rc = avc_has_perm(msec->sid, isec->sid,
3815 SECCLASS_MSGQ, MSGQ__ENQUEUE,
3821 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3822 struct task_struct *target,
3823 long type, int mode)
3825 struct task_security_struct *tsec;
3826 struct ipc_security_struct *isec;
3827 struct msg_security_struct *msec;
3828 struct avc_audit_data ad;
3831 tsec = target->security;
3832 isec = msq->q_perm.security;
3833 msec = msg->security;
3835 AVC_AUDIT_DATA_INIT(&ad, IPC);
3836 ad.u.ipc_id = msq->q_perm.key;
3838 rc = avc_has_perm(tsec->sid, isec->sid,
3839 SECCLASS_MSGQ, MSGQ__READ,
3842 rc = avc_has_perm(tsec->sid, msec->sid,
3843 SECCLASS_MSG, MSG__RECEIVE,
3848 /* Shared Memory security operations */
3849 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3851 struct task_security_struct *tsec;
3852 struct ipc_security_struct *isec;
3853 struct avc_audit_data ad;
3856 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3860 tsec = current->security;
3861 isec = shp->shm_perm.security;
3863 AVC_AUDIT_DATA_INIT(&ad, IPC);
3864 ad.u.ipc_id = shp->shm_perm.key;
3866 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3867 SHM__CREATE, &isec->avcr, &ad);
3869 ipc_free_security(&shp->shm_perm);
3875 static void selinux_shm_free_security(struct shmid_kernel *shp)
3877 ipc_free_security(&shp->shm_perm);
3880 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3882 struct task_security_struct *tsec;
3883 struct ipc_security_struct *isec;
3884 struct avc_audit_data ad;
3886 tsec = current->security;
3887 isec = shp->shm_perm.security;
3889 AVC_AUDIT_DATA_INIT(&ad, IPC);
3890 ad.u.ipc_id = shp->shm_perm.key;
3892 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3893 SHM__ASSOCIATE, &isec->avcr, &ad);
3896 /* Note, at this point, shp is locked down */
3897 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3905 /* No specific object, just general system-wide information. */
3906 return task_has_system(current, SYSTEM__IPC_INFO);
3909 perms = SHM__GETATTR | SHM__ASSOCIATE;
3912 perms = SHM__SETATTR;
3919 perms = SHM__DESTROY;
3925 err = ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3929 static int selinux_shm_shmat(struct shmid_kernel *shp,
3930 char __user *shmaddr, int shmflg)
3935 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3939 if (shmflg & SHM_RDONLY)
3942 perms = SHM__READ | SHM__WRITE;
3944 return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3947 /* Semaphore security operations */
3948 static int selinux_sem_alloc_security(struct sem_array *sma)
3950 struct task_security_struct *tsec;
3951 struct ipc_security_struct *isec;
3952 struct avc_audit_data ad;
3955 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3959 tsec = current->security;
3960 isec = sma->sem_perm.security;
3962 AVC_AUDIT_DATA_INIT(&ad, IPC);
3963 ad.u.ipc_id = sma->sem_perm.key;
3965 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3966 SEM__CREATE, &isec->avcr, &ad);
3968 ipc_free_security(&sma->sem_perm);
3974 static void selinux_sem_free_security(struct sem_array *sma)
3976 ipc_free_security(&sma->sem_perm);
3979 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3981 struct task_security_struct *tsec;
3982 struct ipc_security_struct *isec;
3983 struct avc_audit_data ad;
3985 tsec = current->security;
3986 isec = sma->sem_perm.security;
3988 AVC_AUDIT_DATA_INIT(&ad, IPC);
3989 ad.u.ipc_id = sma->sem_perm.key;
3991 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3992 SEM__ASSOCIATE, &isec->avcr, &ad);
3995 /* Note, at this point, sma is locked down */
3996 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4004 /* No specific object, just general system-wide information. */
4005 return task_has_system(current, SYSTEM__IPC_INFO);
4009 perms = SEM__GETATTR;
4020 perms = SEM__DESTROY;
4023 perms = SEM__SETATTR;
4027 perms = SEM__GETATTR | SEM__ASSOCIATE;
4033 err = ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
4037 static int selinux_sem_semop(struct sem_array *sma,
4038 struct sembuf *sops, unsigned nsops, int alter)
4043 perms = SEM__READ | SEM__WRITE;
4047 return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
4050 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4052 struct ipc_security_struct *isec = ipcp->security;
4053 u16 sclass = SECCLASS_IPC;
4056 if (isec && isec->magic == SELINUX_MAGIC)
4057 sclass = isec->sclass;
4061 av |= IPC__UNIX_READ;
4063 av |= IPC__UNIX_WRITE;
4068 return ipc_has_perm(ipcp, sclass, av);
4071 /* module stacking operations */
4072 int selinux_register_security (const char *name, struct security_operations *ops)
4074 if (secondary_ops != original_ops) {
4075 printk(KERN_INFO "%s: There is already a secondary security "
4076 "module registered.\n", __FUNCTION__);
4080 secondary_ops = ops;
4082 printk(KERN_INFO "%s: Registering secondary module %s\n",
4089 int selinux_unregister_security (const char *name, struct security_operations *ops)
4091 if (ops != secondary_ops) {
4092 printk (KERN_INFO "%s: trying to unregister a security module "
4093 "that is not registered.\n", __FUNCTION__);
4097 secondary_ops = original_ops;
4102 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4105 inode_doinit_with_dentry(inode, dentry);
4108 static int selinux_getprocattr(struct task_struct *p,
4109 char *name, void *value, size_t size)
4111 struct task_security_struct *tsec;
4117 error = task_has_perm(current, p, PROCESS__GETATTR);
4127 if (!strcmp(name, "current"))
4129 else if (!strcmp(name, "prev"))
4131 else if (!strcmp(name, "exec"))
4132 sid = tsec->exec_sid;
4133 else if (!strcmp(name, "fscreate"))
4134 sid = tsec->create_sid;
4141 error = security_sid_to_context(sid, &context, &len);
4148 memcpy(value, context, len);
4153 static int selinux_setprocattr(struct task_struct *p,
4154 char *name, void *value, size_t size)
4156 struct task_security_struct *tsec;
4160 if (current != p || !strcmp(name, "current")) {
4161 /* SELinux only allows a process to change its own
4162 security attributes, and it only allows the process
4163 current SID to change via exec. */
4168 * Basic control over ability to set these attributes at all.
4169 * current == p, but we'll pass them separately in case the
4170 * above restriction is ever removed.
4172 if (!strcmp(name, "exec"))
4173 error = task_has_perm(current, p, PROCESS__SETEXEC);
4174 else if (!strcmp(name, "fscreate"))
4175 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4181 /* Obtain a SID for the context, if one was specified. */
4184 error = security_context_to_sid(value, size, &sid);
4189 /* Permission checking based on the specified context is
4190 performed during the actual operation (execve,
4191 open/mkdir/...), when we know the full context of the
4192 operation. See selinux_bprm_set_security for the execve
4193 checks and may_create for the file creation checks. The
4194 operation will then fail if the context is not permitted. */
4196 if (!strcmp(name, "exec"))
4197 tsec->exec_sid = sid;
4198 else if (!strcmp(name, "fscreate"))
4199 tsec->create_sid = sid;
4206 struct security_operations selinux_ops = {
4207 .ptrace = selinux_ptrace,
4208 .capget = selinux_capget,
4209 .capset_check = selinux_capset_check,
4210 .capset_set = selinux_capset_set,
4211 .sysctl = selinux_sysctl,
4212 .capable = selinux_capable,
4213 .quotactl = selinux_quotactl,
4214 .quota_on = selinux_quota_on,
4215 .syslog = selinux_syslog,
4216 .vm_enough_memory = selinux_vm_enough_memory,
4218 .netlink_send = selinux_netlink_send,
4219 .netlink_recv = selinux_netlink_recv,
4221 .bprm_alloc_security = selinux_bprm_alloc_security,
4222 .bprm_free_security = selinux_bprm_free_security,
4223 .bprm_apply_creds = selinux_bprm_apply_creds,
4224 .bprm_set_security = selinux_bprm_set_security,
4225 .bprm_check_security = selinux_bprm_check_security,
4226 .bprm_secureexec = selinux_bprm_secureexec,
4228 .sb_alloc_security = selinux_sb_alloc_security,
4229 .sb_free_security = selinux_sb_free_security,
4230 .sb_copy_data = selinux_sb_copy_data,
4231 .sb_kern_mount = selinux_sb_kern_mount,
4232 .sb_statfs = selinux_sb_statfs,
4233 .sb_mount = selinux_mount,
4234 .sb_umount = selinux_umount,
4236 .inode_alloc_security = selinux_inode_alloc_security,
4237 .inode_free_security = selinux_inode_free_security,
4238 .inode_create = selinux_inode_create,
4239 .inode_post_create = selinux_inode_post_create,
4240 .inode_link = selinux_inode_link,
4241 .inode_post_link = selinux_inode_post_link,
4242 .inode_unlink = selinux_inode_unlink,
4243 .inode_symlink = selinux_inode_symlink,
4244 .inode_post_symlink = selinux_inode_post_symlink,
4245 .inode_mkdir = selinux_inode_mkdir,
4246 .inode_post_mkdir = selinux_inode_post_mkdir,
4247 .inode_rmdir = selinux_inode_rmdir,
4248 .inode_mknod = selinux_inode_mknod,
4249 .inode_post_mknod = selinux_inode_post_mknod,
4250 .inode_rename = selinux_inode_rename,
4251 .inode_post_rename = selinux_inode_post_rename,
4252 .inode_readlink = selinux_inode_readlink,
4253 .inode_follow_link = selinux_inode_follow_link,
4254 .inode_permission = selinux_inode_permission,
4255 .inode_setattr = selinux_inode_setattr,
4256 .inode_getattr = selinux_inode_getattr,
4257 .inode_setxattr = selinux_inode_setxattr,
4258 .inode_post_setxattr = selinux_inode_post_setxattr,
4259 .inode_getxattr = selinux_inode_getxattr,
4260 .inode_listxattr = selinux_inode_listxattr,
4261 .inode_removexattr = selinux_inode_removexattr,
4262 .inode_getsecurity = selinux_inode_getsecurity,
4263 .inode_setsecurity = selinux_inode_setsecurity,
4264 .inode_listsecurity = selinux_inode_listsecurity,
4266 .file_permission = selinux_file_permission,
4267 .file_alloc_security = selinux_file_alloc_security,
4268 .file_free_security = selinux_file_free_security,
4269 .file_ioctl = selinux_file_ioctl,
4270 .file_mmap = selinux_file_mmap,
4271 .file_mprotect = selinux_file_mprotect,
4272 .file_lock = selinux_file_lock,
4273 .file_fcntl = selinux_file_fcntl,
4274 .file_set_fowner = selinux_file_set_fowner,
4275 .file_send_sigiotask = selinux_file_send_sigiotask,
4276 .file_receive = selinux_file_receive,
4278 .task_create = selinux_task_create,
4279 .task_alloc_security = selinux_task_alloc_security,
4280 .task_free_security = selinux_task_free_security,
4281 .task_setuid = selinux_task_setuid,
4282 .task_post_setuid = selinux_task_post_setuid,
4283 .task_setgid = selinux_task_setgid,
4284 .task_setpgid = selinux_task_setpgid,
4285 .task_getpgid = selinux_task_getpgid,
4286 .task_getsid = selinux_task_getsid,
4287 .task_setgroups = selinux_task_setgroups,
4288 .task_setnice = selinux_task_setnice,
4289 .task_setrlimit = selinux_task_setrlimit,
4290 .task_setscheduler = selinux_task_setscheduler,
4291 .task_getscheduler = selinux_task_getscheduler,
4292 .task_kill = selinux_task_kill,
4293 .task_wait = selinux_task_wait,
4294 .task_prctl = selinux_task_prctl,
4295 .task_reparent_to_init = selinux_task_reparent_to_init,
4296 .task_to_inode = selinux_task_to_inode,
4298 .ipc_permission = selinux_ipc_permission,
4300 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4301 .msg_msg_free_security = selinux_msg_msg_free_security,
4303 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4304 .msg_queue_free_security = selinux_msg_queue_free_security,
4305 .msg_queue_associate = selinux_msg_queue_associate,
4306 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4307 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4308 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4310 .shm_alloc_security = selinux_shm_alloc_security,
4311 .shm_free_security = selinux_shm_free_security,
4312 .shm_associate = selinux_shm_associate,
4313 .shm_shmctl = selinux_shm_shmctl,
4314 .shm_shmat = selinux_shm_shmat,
4316 .sem_alloc_security = selinux_sem_alloc_security,
4317 .sem_free_security = selinux_sem_free_security,
4318 .sem_associate = selinux_sem_associate,
4319 .sem_semctl = selinux_sem_semctl,
4320 .sem_semop = selinux_sem_semop,
4322 .register_security = selinux_register_security,
4323 .unregister_security = selinux_unregister_security,
4325 .d_instantiate = selinux_d_instantiate,
4327 .getprocattr = selinux_getprocattr,
4328 .setprocattr = selinux_setprocattr,
4330 #ifdef CONFIG_SECURITY_NETWORK
4331 .unix_stream_connect = selinux_socket_unix_stream_connect,
4332 .unix_may_send = selinux_socket_unix_may_send,
4334 .socket_create = selinux_socket_create,
4335 .socket_post_create = selinux_socket_post_create,
4336 .socket_bind = selinux_socket_bind,
4337 .socket_connect = selinux_socket_connect,
4338 .socket_listen = selinux_socket_listen,
4339 .socket_accept = selinux_socket_accept,
4340 .socket_sendmsg = selinux_socket_sendmsg,
4341 .socket_recvmsg = selinux_socket_recvmsg,
4342 .socket_getsockname = selinux_socket_getsockname,
4343 .socket_getpeername = selinux_socket_getpeername,
4344 .socket_getsockopt = selinux_socket_getsockopt,
4345 .socket_setsockopt = selinux_socket_setsockopt,
4346 .socket_shutdown = selinux_socket_shutdown,
4347 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4348 .socket_getpeersec = selinux_socket_getpeersec,
4349 .sk_alloc_security = selinux_sk_alloc_security,
4350 .sk_free_security = selinux_sk_free_security,
4354 __init int selinux_init(void)
4356 struct task_security_struct *tsec;
4358 if (!selinux_enabled) {
4359 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4363 printk(KERN_INFO "SELinux: Initializing.\n");
4365 /* Set the security state for the initial task. */
4366 if (task_alloc_security(current))
4367 panic("SELinux: Failed to initialize initial task.\n");
4368 tsec = current->security;
4369 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4373 original_ops = secondary_ops = security_ops;
4375 panic ("SELinux: No initial security operations\n");
4376 if (register_security (&selinux_ops))
4377 panic("SELinux: Unable to register with kernel.\n");
4379 if (selinux_enforcing) {
4380 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4382 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4387 void selinux_complete_init(void)
4389 printk(KERN_INFO "SELinux: Completing initialization.\n");
4391 /* Set up any superblocks initialized prior to the policy load. */
4392 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4393 spin_lock(&sb_security_lock);
4395 if (!list_empty(&superblock_security_head)) {
4396 struct superblock_security_struct *sbsec =
4397 list_entry(superblock_security_head.next,
4398 struct superblock_security_struct,
4400 struct super_block *sb = sbsec->sb;
4401 spin_lock(&sb_lock);
4403 spin_unlock(&sb_lock);
4404 spin_unlock(&sb_security_lock);
4405 down_read(&sb->s_umount);
4407 superblock_doinit(sb, NULL);
4409 spin_lock(&sb_security_lock);
4410 list_del_init(&sbsec->list);
4413 spin_unlock(&sb_security_lock);
4416 /* SELinux requires early initialization in order to label
4417 all processes and objects when they are created. */
4418 security_initcall(selinux_init);
4420 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4422 static struct nf_hook_ops selinux_ipv4_op = {
4423 .hook = selinux_ipv4_postroute_last,
4424 .owner = THIS_MODULE,
4426 .hooknum = NF_IP_POST_ROUTING,
4427 .priority = NF_IP_PRI_SELINUX_LAST,
4430 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4432 static struct nf_hook_ops selinux_ipv6_op = {
4433 .hook = selinux_ipv6_postroute_last,
4434 .owner = THIS_MODULE,
4436 .hooknum = NF_IP6_POST_ROUTING,
4437 .priority = NF_IP6_PRI_SELINUX_LAST,
4442 static int __init selinux_nf_ip_init(void)
4446 if (!selinux_enabled)
4449 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4451 err = nf_register_hook(&selinux_ipv4_op);
4453 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4455 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4457 err = nf_register_hook(&selinux_ipv6_op);
4459 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4466 __initcall(selinux_nf_ip_init);
4468 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4469 static void selinux_nf_ip_exit(void)
4471 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4473 nf_unregister_hook(&selinux_ipv4_op);
4474 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4475 nf_unregister_hook(&selinux_ipv6_op);
4480 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4482 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4483 #define selinux_nf_ip_exit()
4486 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4488 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4489 int selinux_disable(void)
4491 extern void exit_sel_fs(void);
4492 static int selinux_disabled = 0;
4494 if (ss_initialized) {
4495 /* Not permitted after initial policy load. */
4499 if (selinux_disabled) {
4500 /* Only do this once. */
4504 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4506 selinux_disabled = 1;
4508 /* Reset security_ops to the secondary module, dummy or capability. */
4509 security_ops = secondary_ops;
4511 /* Unregister netfilter hooks. */
4512 selinux_nf_ip_exit();
4514 /* Unregister selinuxfs. */