2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License version 2,
16 * as published by the Free Software Foundation.
19 #include <linux/config.h>
20 #include <linux/module.h>
21 #include <linux/init.h>
22 #include <linux/kernel.h>
23 #include <linux/ptrace.h>
24 #include <linux/errno.h>
25 #include <linux/sched.h>
26 #include <linux/security.h>
27 #include <linux/xattr.h>
28 #include <linux/capability.h>
29 #include <linux/unistd.h>
31 #include <linux/mman.h>
32 #include <linux/slab.h>
33 #include <linux/pagemap.h>
34 #include <linux/swap.h>
35 #include <linux/smp_lock.h>
36 #include <linux/spinlock.h>
37 #include <linux/syscalls.h>
38 #include <linux/file.h>
39 #include <linux/namei.h>
40 #include <linux/mount.h>
41 #include <linux/ext2_fs.h>
42 #include <linux/proc_fs.h>
44 #include <linux/netfilter_ipv4.h>
45 #include <linux/netfilter_ipv6.h>
47 #include <net/ip.h> /* for sysctl_local_port_range[] */
48 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
49 #include <asm/uaccess.h>
50 #include <asm/semaphore.h>
51 #include <asm/ioctls.h>
52 #include <linux/bitops.h>
53 #include <linux/interrupt.h>
54 #include <linux/netdevice.h> /* for network interface checks */
55 #include <linux/netlink.h>
56 #include <linux/tcp.h>
57 #include <linux/udp.h>
58 #include <linux/quota.h>
59 #include <linux/un.h> /* for Unix socket types */
60 #include <net/af_unix.h> /* for Unix socket types */
61 #include <linux/parser.h>
62 #include <linux/nfs_mount.h>
64 #include <linux/hugetlb.h>
65 #include <linux/major.h>
71 #define XATTR_SELINUX_SUFFIX "selinux"
72 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
74 extern int policydb_loaded_version;
75 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
77 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
78 int selinux_enforcing = 0;
80 static int __init enforcing_setup(char *str)
82 selinux_enforcing = simple_strtol(str,NULL,0);
85 __setup("enforcing=", enforcing_setup);
88 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
89 int selinux_enabled = 1;
91 static int __init selinux_enabled_setup(char *str)
93 selinux_enabled = simple_strtol(str, NULL, 0);
96 __setup("selinux=", selinux_enabled_setup);
99 /* Original (dummy) security module. */
100 static struct security_operations *original_ops = NULL;
102 /* Minimal support for a secondary security module,
103 just to allow the use of the dummy or capability modules.
104 The owlsm module can alternatively be used as a secondary
105 module as long as CONFIG_OWLSM_FD is not enabled. */
106 static struct security_operations *secondary_ops = NULL;
108 /* Lists of inode and superblock security structures initialized
109 before the policy was loaded. */
110 static LIST_HEAD(superblock_security_head);
111 static spinlock_t sb_security_lock = SPIN_LOCK_UNLOCKED;
113 /* Allocate and free functions for each kind of security blob. */
115 static int task_alloc_security(struct task_struct *task)
117 struct task_security_struct *tsec;
119 tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
123 memset(tsec, 0, sizeof(struct task_security_struct));
124 tsec->magic = SELINUX_MAGIC;
126 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
127 task->security = tsec;
132 static void task_free_security(struct task_struct *task)
134 struct task_security_struct *tsec = task->security;
136 if (!tsec || tsec->magic != SELINUX_MAGIC)
139 task->security = NULL;
143 static int inode_alloc_security(struct inode *inode)
145 struct task_security_struct *tsec = current->security;
146 struct inode_security_struct *isec;
148 isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
152 memset(isec, 0, sizeof(struct inode_security_struct));
153 init_MUTEX(&isec->sem);
154 INIT_LIST_HEAD(&isec->list);
155 isec->magic = SELINUX_MAGIC;
157 isec->sid = SECINITSID_UNLABELED;
158 isec->sclass = SECCLASS_FILE;
159 if (tsec && tsec->magic == SELINUX_MAGIC)
160 isec->task_sid = tsec->sid;
162 isec->task_sid = SECINITSID_UNLABELED;
163 inode->i_security = isec;
168 static void inode_free_security(struct inode *inode)
170 struct inode_security_struct *isec = inode->i_security;
171 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
173 if (!isec || isec->magic != SELINUX_MAGIC)
176 spin_lock(&sbsec->isec_lock);
177 if (!list_empty(&isec->list))
178 list_del_init(&isec->list);
179 spin_unlock(&sbsec->isec_lock);
181 inode->i_security = NULL;
185 static int file_alloc_security(struct file *file)
187 struct task_security_struct *tsec = current->security;
188 struct file_security_struct *fsec;
190 fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
194 memset(fsec, 0, sizeof(struct file_security_struct));
195 fsec->magic = SELINUX_MAGIC;
197 if (tsec && tsec->magic == SELINUX_MAGIC) {
198 fsec->sid = tsec->sid;
199 fsec->fown_sid = tsec->sid;
201 fsec->sid = SECINITSID_UNLABELED;
202 fsec->fown_sid = SECINITSID_UNLABELED;
204 file->f_security = fsec;
209 static void file_free_security(struct file *file)
211 struct file_security_struct *fsec = file->f_security;
213 if (!fsec || fsec->magic != SELINUX_MAGIC)
216 file->f_security = NULL;
220 static int superblock_alloc_security(struct super_block *sb)
222 struct superblock_security_struct *sbsec;
224 sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
228 memset(sbsec, 0, sizeof(struct superblock_security_struct));
229 init_MUTEX(&sbsec->sem);
230 INIT_LIST_HEAD(&sbsec->list);
231 INIT_LIST_HEAD(&sbsec->isec_head);
232 spin_lock_init(&sbsec->isec_lock);
233 sbsec->magic = SELINUX_MAGIC;
235 sbsec->sid = SECINITSID_UNLABELED;
236 sbsec->def_sid = SECINITSID_FILE;
237 sb->s_security = sbsec;
242 static void superblock_free_security(struct super_block *sb)
244 struct superblock_security_struct *sbsec = sb->s_security;
246 if (!sbsec || sbsec->magic != SELINUX_MAGIC)
249 spin_lock(&sb_security_lock);
250 if (!list_empty(&sbsec->list))
251 list_del_init(&sbsec->list);
252 spin_unlock(&sb_security_lock);
254 sb->s_security = NULL;
258 #ifdef CONFIG_SECURITY_NETWORK
259 static int sk_alloc_security(struct sock *sk, int family, int priority)
261 struct sk_security_struct *ssec;
263 if (family != PF_UNIX)
266 ssec = kmalloc(sizeof(*ssec), priority);
270 memset(ssec, 0, sizeof(*ssec));
271 ssec->magic = SELINUX_MAGIC;
273 ssec->peer_sid = SECINITSID_UNLABELED;
274 sk->sk_security = ssec;
279 static void sk_free_security(struct sock *sk)
281 struct sk_security_struct *ssec = sk->sk_security;
283 if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
286 sk->sk_security = NULL;
289 #endif /* CONFIG_SECURITY_NETWORK */
291 /* The security server must be initialized before
292 any labeling or access decisions can be provided. */
293 extern int ss_initialized;
295 /* The file system's label must be initialized prior to use. */
297 static char *labeling_behaviors[6] = {
299 "uses transition SIDs",
301 "uses genfs_contexts",
302 "not configured for labeling",
303 "uses mountpoint labeling",
306 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
308 static inline int inode_doinit(struct inode *inode)
310 return inode_doinit_with_dentry(inode, NULL);
319 static match_table_t tokens = {
320 {Opt_context, "context=%s"},
321 {Opt_fscontext, "fscontext=%s"},
322 {Opt_defcontext, "defcontext=%s"},
325 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
327 static int try_context_mount(struct super_block *sb, void *data)
329 char *context = NULL, *defcontext = NULL;
332 int alloc = 0, rc = 0, seen = 0;
333 struct task_security_struct *tsec = current->security;
334 struct superblock_security_struct *sbsec = sb->s_security;
339 name = sb->s_type->name;
341 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
343 /* NFS we understand. */
344 if (!strcmp(name, "nfs")) {
345 struct nfs_mount_data *d = data;
347 if (d->version < NFS_MOUNT_VERSION)
351 context = d->context;
358 /* Standard string-based options. */
359 char *p, *options = data;
361 while ((p = strsep(&options, ",")) != NULL) {
363 substring_t args[MAX_OPT_ARGS];
368 token = match_token(p, tokens, args);
374 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
377 context = match_strdup(&args[0]);
388 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
390 printk(KERN_WARNING "SELinux: "
391 "fscontext option is invalid for"
392 " this filesystem type\n");
395 if (seen & (Opt_context|Opt_fscontext)) {
397 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
400 context = match_strdup(&args[0]);
407 seen |= Opt_fscontext;
411 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
413 printk(KERN_WARNING "SELinux: "
414 "defcontext option is invalid "
415 "for this filesystem type\n");
418 if (seen & (Opt_context|Opt_defcontext)) {
420 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
423 defcontext = match_strdup(&args[0]);
430 seen |= Opt_defcontext;
435 printk(KERN_WARNING "SELinux: unknown mount "
447 rc = security_context_to_sid(context, strlen(context), &sid);
449 printk(KERN_WARNING "SELinux: security_context_to_sid"
450 "(%s) failed for (dev %s, type %s) errno=%d\n",
451 context, sb->s_id, name, rc);
455 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
456 FILESYSTEM__RELABELFROM, NULL, NULL);
460 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
461 FILESYSTEM__RELABELTO, NULL, NULL);
467 if (seen & Opt_context)
468 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
472 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
474 printk(KERN_WARNING "SELinux: security_context_to_sid"
475 "(%s) failed for (dev %s, type %s) errno=%d\n",
476 defcontext, sb->s_id, name, rc);
480 if (sid == sbsec->def_sid)
483 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
484 FILESYSTEM__RELABELFROM, NULL, NULL);
488 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
489 FILESYSTEM__ASSOCIATE, NULL, NULL);
493 sbsec->def_sid = sid;
505 static int superblock_doinit(struct super_block *sb, void *data)
507 struct superblock_security_struct *sbsec = sb->s_security;
508 struct dentry *root = sb->s_root;
509 struct inode *inode = root->d_inode;
513 if (sbsec->initialized)
516 if (!ss_initialized) {
517 /* Defer initialization until selinux_complete_init,
518 after the initial policy is loaded and the security
519 server is ready to handle calls. */
520 spin_lock(&sb_security_lock);
521 if (list_empty(&sbsec->list))
522 list_add(&sbsec->list, &superblock_security_head);
523 spin_unlock(&sb_security_lock);
527 /* Determine the labeling behavior to use for this filesystem type. */
528 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
530 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
531 __FUNCTION__, sb->s_type->name, rc);
535 rc = try_context_mount(sb, data);
539 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
540 /* Make sure that the xattr handler exists and that no
541 error other than -ENODATA is returned by getxattr on
542 the root directory. -ENODATA is ok, as this may be
543 the first boot of the SELinux kernel before we have
544 assigned xattr values to the filesystem. */
545 if (!inode->i_op->getxattr) {
546 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
547 "xattr support\n", sb->s_id, sb->s_type->name);
551 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
552 if (rc < 0 && rc != -ENODATA) {
553 if (rc == -EOPNOTSUPP)
554 printk(KERN_WARNING "SELinux: (dev %s, type "
555 "%s) has no security xattr handler\n",
556 sb->s_id, sb->s_type->name);
558 printk(KERN_WARNING "SELinux: (dev %s, type "
559 "%s) getxattr errno %d\n", sb->s_id,
560 sb->s_type->name, -rc);
565 if (strcmp(sb->s_type->name, "proc") == 0)
568 sbsec->initialized = 1;
570 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
571 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
572 sb->s_id, sb->s_type->name);
575 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
576 sb->s_id, sb->s_type->name,
577 labeling_behaviors[sbsec->behavior-1]);
580 /* Initialize the root inode. */
581 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
583 /* Initialize any other inodes associated with the superblock, e.g.
584 inodes created prior to initial policy load or inodes created
585 during get_sb by a pseudo filesystem that directly
587 spin_lock(&sbsec->isec_lock);
589 if (!list_empty(&sbsec->isec_head)) {
590 struct inode_security_struct *isec =
591 list_entry(sbsec->isec_head.next,
592 struct inode_security_struct, list);
593 struct inode *inode = isec->inode;
594 spin_unlock(&sbsec->isec_lock);
595 inode = igrab(inode);
600 spin_lock(&sbsec->isec_lock);
601 list_del_init(&isec->list);
604 spin_unlock(&sbsec->isec_lock);
610 static inline u16 inode_mode_to_security_class(umode_t mode)
612 switch (mode & S_IFMT) {
614 return SECCLASS_SOCK_FILE;
616 return SECCLASS_LNK_FILE;
618 return SECCLASS_FILE;
620 return SECCLASS_BLK_FILE;
624 return SECCLASS_CHR_FILE;
626 return SECCLASS_FIFO_FILE;
630 return SECCLASS_FILE;
633 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
639 return SECCLASS_UNIX_STREAM_SOCKET;
641 return SECCLASS_UNIX_DGRAM_SOCKET;
647 return SECCLASS_TCP_SOCKET;
649 return SECCLASS_UDP_SOCKET;
651 return SECCLASS_RAWIP_SOCKET;
656 return SECCLASS_NETLINK_ROUTE_SOCKET;
657 case NETLINK_FIREWALL:
658 return SECCLASS_NETLINK_FIREWALL_SOCKET;
659 case NETLINK_TCPDIAG:
660 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
662 return SECCLASS_NETLINK_NFLOG_SOCKET;
664 return SECCLASS_NETLINK_XFRM_SOCKET;
665 case NETLINK_SELINUX:
666 return SECCLASS_NETLINK_SELINUX_SOCKET;
668 return SECCLASS_NETLINK_AUDIT_SOCKET;
670 return SECCLASS_NETLINK_IP6FW_SOCKET;
671 case NETLINK_DNRTMSG:
672 return SECCLASS_NETLINK_DNRT_SOCKET;
674 return SECCLASS_NETLINK_SOCKET;
677 return SECCLASS_PACKET_SOCKET;
679 return SECCLASS_KEY_SOCKET;
682 return SECCLASS_SOCKET;
685 #ifdef CONFIG_PROC_FS
686 static int selinux_proc_get_sid(struct proc_dir_entry *de,
691 char *buffer, *path, *end;
693 buffer = (char*)__get_free_page(GFP_KERNEL);
703 while (de && de != de->parent) {
704 buflen -= de->namelen + 1;
708 memcpy(end, de->name, de->namelen);
713 rc = security_genfs_sid("proc", path, tclass, sid);
714 free_page((unsigned long)buffer);
718 static int selinux_proc_get_sid(struct proc_dir_entry *de,
726 /* The inode's security attributes must be initialized before first use. */
727 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
729 struct superblock_security_struct *sbsec = NULL;
730 struct inode_security_struct *isec = inode->i_security;
732 struct dentry *dentry;
733 #define INITCONTEXTLEN 255
734 char *context = NULL;
739 if (isec->initialized)
744 if (isec->initialized)
747 sbsec = inode->i_sb->s_security;
748 if (!sbsec->initialized) {
749 /* Defer initialization until selinux_complete_init,
750 after the initial policy is loaded and the security
751 server is ready to handle calls. */
752 spin_lock(&sbsec->isec_lock);
753 if (list_empty(&isec->list))
754 list_add(&isec->list, &sbsec->isec_head);
755 spin_unlock(&sbsec->isec_lock);
759 switch (sbsec->behavior) {
760 case SECURITY_FS_USE_XATTR:
761 if (!inode->i_op->getxattr) {
762 isec->sid = sbsec->def_sid;
766 /* Need a dentry, since the xattr API requires one.
767 Life would be simpler if we could just pass the inode. */
769 /* Called from d_instantiate or d_splice_alias. */
770 dentry = dget(opt_dentry);
772 /* Called from selinux_complete_init, try to find a dentry. */
773 dentry = d_find_alias(inode);
776 printk(KERN_WARNING "%s: no dentry for dev=%s "
777 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
782 len = INITCONTEXTLEN;
783 context = kmalloc(len, GFP_KERNEL);
789 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
792 /* Need a larger buffer. Query for the right size. */
793 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
801 context = kmalloc(len, GFP_KERNEL);
807 rc = inode->i_op->getxattr(dentry,
813 if (rc != -ENODATA) {
814 printk(KERN_WARNING "%s: getxattr returned "
815 "%d for dev=%s ino=%ld\n", __FUNCTION__,
816 -rc, inode->i_sb->s_id, inode->i_ino);
820 /* Map ENODATA to the default file SID */
821 sid = sbsec->def_sid;
824 rc = security_context_to_sid(context, rc, &sid);
826 printk(KERN_WARNING "%s: context_to_sid(%s) "
827 "returned %d for dev=%s ino=%ld\n",
828 __FUNCTION__, context, -rc,
829 inode->i_sb->s_id, inode->i_ino);
837 case SECURITY_FS_USE_TASK:
838 isec->sid = isec->task_sid;
840 case SECURITY_FS_USE_TRANS:
841 /* Default to the fs SID. */
842 isec->sid = sbsec->sid;
844 /* Try to obtain a transition SID. */
845 isec->sclass = inode_mode_to_security_class(inode->i_mode);
846 rc = security_transition_sid(isec->task_sid,
855 /* Default to the fs SID. */
856 isec->sid = sbsec->sid;
859 struct proc_inode *proci = PROC_I(inode);
861 isec->sclass = inode_mode_to_security_class(inode->i_mode);
862 rc = selinux_proc_get_sid(proci->pde,
873 isec->initialized = 1;
877 struct socket *sock = SOCKET_I(inode);
879 isec->sclass = socket_type_to_security_class(sock->sk->sk_family,
881 sock->sk->sk_protocol);
883 isec->sclass = SECCLASS_SOCKET;
886 isec->sclass = inode_mode_to_security_class(inode->i_mode);
894 /* Convert a Linux signal to an access vector. */
895 static inline u32 signal_to_av(int sig)
901 /* Commonly granted from child to parent. */
902 perm = PROCESS__SIGCHLD;
905 /* Cannot be caught or ignored */
906 perm = PROCESS__SIGKILL;
909 /* Cannot be caught or ignored */
910 perm = PROCESS__SIGSTOP;
913 /* All other signals. */
914 perm = PROCESS__SIGNAL;
921 /* Check permission betweeen a pair of tasks, e.g. signal checks,
922 fork check, ptrace check, etc. */
923 int task_has_perm(struct task_struct *tsk1,
924 struct task_struct *tsk2,
927 struct task_security_struct *tsec1, *tsec2;
929 tsec1 = tsk1->security;
930 tsec2 = tsk2->security;
931 return avc_has_perm(tsec1->sid, tsec2->sid,
932 SECCLASS_PROCESS, perms, &tsec2->avcr, NULL);
935 /* Check whether a task is allowed to use a capability. */
936 int task_has_capability(struct task_struct *tsk,
939 struct task_security_struct *tsec;
940 struct avc_audit_data ad;
942 tsec = tsk->security;
944 AVC_AUDIT_DATA_INIT(&ad,CAP);
948 return avc_has_perm(tsec->sid, tsec->sid,
949 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), NULL, &ad);
952 /* Check whether a task is allowed to use a system operation. */
953 int task_has_system(struct task_struct *tsk,
956 struct task_security_struct *tsec;
958 tsec = tsk->security;
960 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
961 SECCLASS_SYSTEM, perms, NULL, NULL);
964 /* Check whether a task has a particular permission to an inode.
965 The 'aeref' parameter is optional and allows other AVC
966 entry references to be passed (e.g. the one in the struct file).
967 The 'adp' parameter is optional and allows other audit
968 data to be passed (e.g. the dentry). */
969 int inode_has_perm(struct task_struct *tsk,
972 struct avc_entry_ref *aeref,
973 struct avc_audit_data *adp)
975 struct task_security_struct *tsec;
976 struct inode_security_struct *isec;
977 struct avc_audit_data ad;
979 tsec = tsk->security;
980 isec = inode->i_security;
984 AVC_AUDIT_DATA_INIT(&ad, FS);
985 ad.u.fs.inode = inode;
988 return avc_has_perm(tsec->sid, isec->sid, isec->sclass,
989 perms, aeref ? aeref : &isec->avcr, adp);
992 /* Same as inode_has_perm, but pass explicit audit data containing
993 the dentry to help the auditing code to more easily generate the
994 pathname if needed. */
995 static inline int dentry_has_perm(struct task_struct *tsk,
996 struct vfsmount *mnt,
997 struct dentry *dentry,
1000 struct inode *inode = dentry->d_inode;
1001 struct avc_audit_data ad;
1002 AVC_AUDIT_DATA_INIT(&ad,FS);
1004 ad.u.fs.dentry = dentry;
1005 return inode_has_perm(tsk, inode, av, NULL, &ad);
1008 /* Check whether a task can use an open file descriptor to
1009 access an inode in a given way. Check access to the
1010 descriptor itself, and then use dentry_has_perm to
1011 check a particular permission to the file.
1012 Access to the descriptor is implicitly granted if it
1013 has the same SID as the process. If av is zero, then
1014 access to the file is not checked, e.g. for cases
1015 where only the descriptor is affected like seek. */
1016 static inline int file_has_perm(struct task_struct *tsk,
1020 struct task_security_struct *tsec = tsk->security;
1021 struct file_security_struct *fsec = file->f_security;
1022 struct vfsmount *mnt = file->f_vfsmnt;
1023 struct dentry *dentry = file->f_dentry;
1024 struct inode *inode = dentry->d_inode;
1025 struct avc_audit_data ad;
1028 AVC_AUDIT_DATA_INIT(&ad, FS);
1030 ad.u.fs.dentry = dentry;
1032 if (tsec->sid != fsec->sid) {
1033 rc = avc_has_perm(tsec->sid, fsec->sid,
1041 /* av is zero if only checking access to the descriptor. */
1043 return inode_has_perm(tsk, inode, av, &fsec->inode_avcr, &ad);
1048 /* Check whether a task can create a file. */
1049 static int may_create(struct inode *dir,
1050 struct dentry *dentry,
1053 struct task_security_struct *tsec;
1054 struct inode_security_struct *dsec;
1055 struct superblock_security_struct *sbsec;
1057 struct avc_audit_data ad;
1060 tsec = current->security;
1061 dsec = dir->i_security;
1062 sbsec = dir->i_sb->s_security;
1064 AVC_AUDIT_DATA_INIT(&ad, FS);
1065 ad.u.fs.dentry = dentry;
1067 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1068 DIR__ADD_NAME | DIR__SEARCH,
1073 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1074 newsid = tsec->create_sid;
1076 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1082 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, NULL, &ad);
1086 return avc_has_perm(newsid, sbsec->sid,
1087 SECCLASS_FILESYSTEM,
1088 FILESYSTEM__ASSOCIATE, NULL, &ad);
1092 #define MAY_UNLINK 1
1095 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1096 static int may_link(struct inode *dir,
1097 struct dentry *dentry,
1101 struct task_security_struct *tsec;
1102 struct inode_security_struct *dsec, *isec;
1103 struct avc_audit_data ad;
1107 tsec = current->security;
1108 dsec = dir->i_security;
1109 isec = dentry->d_inode->i_security;
1111 AVC_AUDIT_DATA_INIT(&ad, FS);
1112 ad.u.fs.dentry = dentry;
1115 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1116 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1117 av, &dsec->avcr, &ad);
1132 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1136 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
1137 av, &isec->avcr, &ad);
1141 static inline int may_rename(struct inode *old_dir,
1142 struct dentry *old_dentry,
1143 struct inode *new_dir,
1144 struct dentry *new_dentry)
1146 struct task_security_struct *tsec;
1147 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1148 struct avc_audit_data ad;
1150 int old_is_dir, new_is_dir;
1153 tsec = current->security;
1154 old_dsec = old_dir->i_security;
1155 old_isec = old_dentry->d_inode->i_security;
1156 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1157 new_dsec = new_dir->i_security;
1159 AVC_AUDIT_DATA_INIT(&ad, FS);
1161 ad.u.fs.dentry = old_dentry;
1162 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1163 DIR__REMOVE_NAME | DIR__SEARCH,
1164 &old_dsec->avcr, &ad);
1167 rc = avc_has_perm(tsec->sid, old_isec->sid,
1170 &old_isec->avcr, &ad);
1173 if (old_is_dir && new_dir != old_dir) {
1174 rc = avc_has_perm(tsec->sid, old_isec->sid,
1177 &old_isec->avcr, &ad);
1182 ad.u.fs.dentry = new_dentry;
1183 av = DIR__ADD_NAME | DIR__SEARCH;
1184 if (new_dentry->d_inode)
1185 av |= DIR__REMOVE_NAME;
1186 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR,
1187 av,&new_dsec->avcr, &ad);
1190 if (new_dentry->d_inode) {
1191 new_isec = new_dentry->d_inode->i_security;
1192 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1193 rc = avc_has_perm(tsec->sid, new_isec->sid,
1195 (new_is_dir ? DIR__RMDIR : FILE__UNLINK),
1196 &new_isec->avcr, &ad);
1204 /* Check whether a task can perform a filesystem operation. */
1205 int superblock_has_perm(struct task_struct *tsk,
1206 struct super_block *sb,
1208 struct avc_audit_data *ad)
1210 struct task_security_struct *tsec;
1211 struct superblock_security_struct *sbsec;
1213 tsec = tsk->security;
1214 sbsec = sb->s_security;
1215 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1219 /* Convert a Linux mode and permission mask to an access vector. */
1220 static inline u32 file_mask_to_av(int mode, int mask)
1224 if ((mode & S_IFMT) != S_IFDIR) {
1225 if (mask & MAY_EXEC)
1226 av |= FILE__EXECUTE;
1227 if (mask & MAY_READ)
1230 if (mask & MAY_APPEND)
1232 else if (mask & MAY_WRITE)
1236 if (mask & MAY_EXEC)
1238 if (mask & MAY_WRITE)
1240 if (mask & MAY_READ)
1247 /* Convert a Linux file to an access vector. */
1248 static inline u32 file_to_av(struct file *file)
1252 if (file->f_mode & FMODE_READ)
1254 if (file->f_mode & FMODE_WRITE) {
1255 if (file->f_flags & O_APPEND)
1264 /* Set an inode's SID to a specified value. */
1265 int inode_security_set_sid(struct inode *inode, u32 sid)
1267 struct inode_security_struct *isec = inode->i_security;
1270 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1272 isec->initialized = 1;
1277 /* Set the security attributes on a newly created file. */
1278 static int post_create(struct inode *dir,
1279 struct dentry *dentry)
1282 struct task_security_struct *tsec;
1283 struct inode *inode;
1284 struct inode_security_struct *dsec;
1285 struct superblock_security_struct *sbsec;
1291 tsec = current->security;
1292 dsec = dir->i_security;
1293 sbsec = dir->i_sb->s_security;
1295 inode = dentry->d_inode;
1297 /* Some file system types (e.g. NFS) may not instantiate
1298 a dentry for all create operations (e.g. symlink),
1299 so we have to check to see if the inode is non-NULL. */
1300 printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
1301 "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1305 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1306 newsid = tsec->create_sid;
1308 rc = security_transition_sid(tsec->sid, dsec->sid,
1309 inode_mode_to_security_class(inode->i_mode),
1312 printk(KERN_WARNING "post_create: "
1313 "security_transition_sid failed, rc=%d (dev=%s "
1315 -rc, inode->i_sb->s_id, inode->i_ino);
1320 rc = inode_security_set_sid(inode, newsid);
1322 printk(KERN_WARNING "post_create: inode_security_set_sid "
1323 "failed, rc=%d (dev=%s ino=%ld)\n",
1324 -rc, inode->i_sb->s_id, inode->i_ino);
1328 if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1329 inode->i_op->setxattr) {
1330 /* Use extended attributes. */
1331 rc = security_sid_to_context(newsid, &context, &len);
1333 printk(KERN_WARNING "post_create: sid_to_context "
1334 "failed, rc=%d (dev=%s ino=%ld)\n",
1335 -rc, inode->i_sb->s_id, inode->i_ino);
1338 down(&inode->i_sem);
1339 rc = inode->i_op->setxattr(dentry,
1345 printk(KERN_WARNING "post_create: setxattr failed, "
1346 "rc=%d (dev=%s ino=%ld)\n",
1347 -rc, inode->i_sb->s_id, inode->i_ino);
1356 /* Hook functions begin here. */
1358 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1360 struct task_security_struct *psec = parent->security;
1361 struct task_security_struct *csec = child->security;
1364 rc = secondary_ops->ptrace(parent,child);
1368 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1369 /* Save the SID of the tracing process for later use in apply_creds. */
1371 csec->ptrace_sid = psec->sid;
1375 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1376 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1380 error = task_has_perm(current, target, PROCESS__GETCAP);
1384 return secondary_ops->capget(target, effective, inheritable, permitted);
1387 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1388 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1392 error = task_has_perm(current, target, PROCESS__SETCAP);
1396 return secondary_ops->capset_check(target, effective, inheritable, permitted);
1399 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1400 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1404 error = task_has_perm(current, target, PROCESS__SETCAP);
1408 secondary_ops->capset_set(target, effective, inheritable, permitted);
1411 static int selinux_capable(struct task_struct *tsk, int cap)
1415 rc = secondary_ops->capable(tsk, cap);
1419 return task_has_capability(tsk,cap);
1422 static int selinux_sysctl(ctl_table *table, int op)
1426 struct task_security_struct *tsec;
1430 tsec = current->security;
1432 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1433 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1435 /* Default to the well-defined sysctl SID. */
1436 tsid = SECINITSID_SYSCTL;
1439 /* The op values are "defined" in sysctl.c, thereby creating
1440 * a bad coupling between this module and sysctl.c */
1442 error = avc_has_perm(tsec->sid, tsid,
1443 SECCLASS_DIR, DIR__SEARCH, NULL, NULL);
1451 error = avc_has_perm(tsec->sid, tsid,
1452 SECCLASS_FILE, av, NULL, NULL);
1458 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1471 rc = superblock_has_perm(current,
1473 FILESYSTEM__QUOTAMOD, NULL);
1478 rc = superblock_has_perm(current,
1480 FILESYSTEM__QUOTAGET, NULL);
1483 rc = 0; /* let the kernel handle invalid cmds */
1489 static int selinux_quota_on(struct file *f)
1491 return file_has_perm(current, f, FILE__QUOTAON);
1494 static int selinux_syslog(int type)
1498 rc = secondary_ops->syslog(type);
1503 case 3: /* Read last kernel messages */
1504 case 10: /* Return size of the log buffer */
1505 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1507 case 6: /* Disable logging to console */
1508 case 7: /* Enable logging to console */
1509 case 8: /* Set level of messages printed to console */
1510 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1512 case 0: /* Close log */
1513 case 1: /* Open log */
1514 case 2: /* Read from log */
1515 case 4: /* Read/clear last kernel messages */
1516 case 5: /* Clear ring buffer */
1518 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1525 * Check that a process has enough memory to allocate a new virtual
1526 * mapping. 0 means there is enough memory for the allocation to
1527 * succeed and -ENOMEM implies there is not.
1529 * We currently support three overcommit policies, which are set via the
1530 * vm.overcommit_memory sysctl. See Documentation/vm/overcommit-accounting
1532 * Strict overcommit modes added 2002 Feb 26 by Alan Cox.
1533 * Additional code 2002 Jul 20 by Robert Love.
1535 static int selinux_vm_enough_memory(long pages)
1537 unsigned long free, allowed;
1539 struct task_security_struct *tsec = current->security;
1541 vm_acct_memory(pages);
1544 * Sometimes we want to use more memory than we have
1546 if (sysctl_overcommit_memory == 1)
1549 if (sysctl_overcommit_memory == 0) {
1550 free = get_page_cache_size();
1551 free += nr_free_pages();
1552 free += nr_swap_pages;
1555 * Any slabs which are created with the
1556 * SLAB_RECLAIM_ACCOUNT flag claim to have contents
1557 * which are reclaimable, under pressure. The dentry
1558 * cache and most inode caches should fall into this
1560 free += atomic_read(&slab_reclaim_pages);
1563 * Leave the last 3% for privileged processes.
1564 * Don't audit the check, as it is applied to all processes
1565 * that allocate mappings.
1567 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1569 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1570 SECCLASS_CAPABILITY,
1571 CAP_TO_MASK(CAP_SYS_ADMIN),
1579 vm_unacct_memory(pages);
1583 allowed = (totalram_pages - hugetlb_total_pages())
1584 * sysctl_overcommit_ratio / 100;
1585 allowed += total_swap_pages;
1587 if (atomic_read(&vm_committed_space) < allowed)
1590 vm_unacct_memory(pages);
1595 /* binprm security operations */
1597 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1599 struct bprm_security_struct *bsec;
1601 bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1605 memset(bsec, 0, sizeof *bsec);
1606 bsec->magic = SELINUX_MAGIC;
1608 bsec->sid = SECINITSID_UNLABELED;
1611 bprm->security = bsec;
1615 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1617 struct task_security_struct *tsec;
1618 struct inode *inode = bprm->file->f_dentry->d_inode;
1619 struct inode_security_struct *isec;
1620 struct bprm_security_struct *bsec;
1622 struct avc_audit_data ad;
1625 rc = secondary_ops->bprm_set_security(bprm);
1629 bsec = bprm->security;
1634 tsec = current->security;
1635 isec = inode->i_security;
1637 /* Default to the current task SID. */
1638 bsec->sid = tsec->sid;
1640 /* Reset create SID on execve. */
1641 tsec->create_sid = 0;
1643 if (tsec->exec_sid) {
1644 newsid = tsec->exec_sid;
1645 /* Reset exec SID on execve. */
1648 /* Check for a default transition on this program. */
1649 rc = security_transition_sid(tsec->sid, isec->sid,
1650 SECCLASS_PROCESS, &newsid);
1655 AVC_AUDIT_DATA_INIT(&ad, FS);
1656 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1657 ad.u.fs.dentry = bprm->file->f_dentry;
1659 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1662 if (tsec->sid == newsid) {
1663 rc = avc_has_perm(tsec->sid, isec->sid,
1664 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS,
1669 /* Check permissions for the transition. */
1670 rc = avc_has_perm(tsec->sid, newsid,
1671 SECCLASS_PROCESS, PROCESS__TRANSITION,
1677 rc = avc_has_perm(newsid, isec->sid,
1678 SECCLASS_FILE, FILE__ENTRYPOINT,
1683 /* Set the security field to the new SID. */
1691 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1697 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1699 struct task_security_struct *tsec = current->security;
1702 if (tsec->osid != tsec->sid) {
1703 /* Enable secure mode for SIDs transitions unless
1704 the noatsecure permission is granted between
1705 the two SIDs, i.e. ahp returns 0. */
1706 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1708 PROCESS__NOATSECURE, NULL, NULL);
1711 /* Note that we must include the legacy uid/gid test below
1712 to retain it, as the new userland will simply use the
1713 value passed by AT_SECURE to decide whether to enable
1715 return ( atsecure || current->euid != current->uid ||
1716 current->egid != current->gid);
1719 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1721 struct bprm_security_struct *bsec = bprm->security;
1722 bprm->security = NULL;
1726 /* Create an open file that refers to the null device.
1727 Derived from the OpenWall LSM. */
1728 struct file *open_devnull(void)
1730 struct inode *inode;
1731 struct dentry *dentry;
1732 struct file *file = NULL;
1733 struct inode_security_struct *isec;
1736 inode = new_inode(current->fs->rootmnt->mnt_sb);
1740 dentry = dget(d_alloc_root(inode));
1744 file = get_empty_filp();
1748 dev = MKDEV(MEM_MAJOR, 3); /* null device */
1750 inode->i_uid = current->fsuid;
1751 inode->i_gid = current->fsgid;
1752 inode->i_blksize = PAGE_SIZE;
1753 inode->i_blocks = 0;
1754 inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME;
1755 inode->i_state = I_DIRTY; /* so that mark_inode_dirty won't touch us */
1757 isec = inode->i_security;
1758 isec->sid = SECINITSID_DEVNULL;
1759 isec->sclass = SECCLASS_CHR_FILE;
1760 isec->initialized = 1;
1762 file->f_flags = O_RDWR;
1763 file->f_mode = FMODE_READ | FMODE_WRITE;
1764 file->f_dentry = dentry;
1765 file->f_vfsmnt = mntget(current->fs->rootmnt);
1768 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, dev);
1769 if (inode->i_fop->open(inode, file))
1775 mntput(file->f_vfsmnt);
1785 /* Derived from fs/exec.c:flush_old_files. */
1786 static inline void flush_unauthorized_files(struct files_struct * files)
1788 struct avc_audit_data ad;
1789 struct file *file, *devnull = NULL;
1792 AVC_AUDIT_DATA_INIT(&ad,FS);
1794 spin_lock(&files->file_lock);
1796 unsigned long set, i, fd;
1800 if (i >= files->max_fds || i >= files->max_fdset)
1802 set = files->open_fds->fds_bits[j];
1805 spin_unlock(&files->file_lock);
1806 for ( ; set ; i++,set >>= 1) {
1811 if (file_has_perm(current,
1813 file_to_av(file))) {
1815 fd = get_unused_fd();
1823 atomic_inc(&devnull->f_count);
1825 devnull = open_devnull();
1832 fd_install(fd, devnull);
1837 spin_lock(&files->file_lock);
1840 spin_unlock(&files->file_lock);
1843 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1845 struct task_security_struct *tsec;
1846 struct bprm_security_struct *bsec;
1848 struct av_decision avd;
1849 struct itimerval itimer;
1850 struct rlimit *rlim, *initrlim;
1853 secondary_ops->bprm_apply_creds(bprm, unsafe);
1855 tsec = current->security;
1857 bsec = bprm->security;
1860 tsec->osid = tsec->sid;
1861 if (tsec->sid != sid) {
1862 /* Check for shared state. If not ok, leave SID
1863 unchanged and kill. */
1864 if (unsafe & LSM_UNSAFE_SHARE) {
1865 rc = avc_has_perm_noaudit(tsec->sid, sid,
1866 SECCLASS_PROCESS, PROCESS__SHARE,
1869 task_unlock(current);
1870 avc_audit(tsec->sid, sid, SECCLASS_PROCESS,
1871 PROCESS__SHARE, &avd, rc, NULL);
1872 force_sig_specific(SIGKILL, current);
1877 /* Check for ptracing, and update the task SID if ok.
1878 Otherwise, leave SID unchanged and kill. */
1879 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1880 rc = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
1881 SECCLASS_PROCESS, PROCESS__PTRACE,
1885 task_unlock(current);
1886 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
1887 PROCESS__PTRACE, &avd, rc, NULL);
1889 force_sig_specific(SIGKILL, current);
1894 task_unlock(current);
1897 /* Close files for which the new task SID is not authorized. */
1898 flush_unauthorized_files(current->files);
1900 /* Check whether the new SID can inherit signal state
1901 from the old SID. If not, clear itimers to avoid
1902 subsequent signal generation and flush and unblock
1903 signals. This must occur _after_ the task SID has
1904 been updated so that any kill done after the flush
1905 will be checked against the new SID. */
1906 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1907 PROCESS__SIGINH, NULL, NULL);
1909 memset(&itimer, 0, sizeof itimer);
1910 for (i = 0; i < 3; i++)
1911 do_setitimer(i, &itimer, NULL);
1912 flush_signals(current);
1913 spin_lock_irq(¤t->sighand->siglock);
1914 flush_signal_handlers(current, 1);
1915 sigemptyset(¤t->blocked);
1916 recalc_sigpending();
1917 spin_unlock_irq(¤t->sighand->siglock);
1920 /* Check whether the new SID can inherit resource limits
1921 from the old SID. If not, reset all soft limits to
1922 the lower of the current task's hard limit and the init
1923 task's soft limit. Note that the setting of hard limits
1924 (even to lower them) can be controlled by the setrlimit
1925 check. The inclusion of the init task's soft limit into
1926 the computation is to avoid resetting soft limits higher
1927 than the default soft limit for cases where the default
1928 is lower than the hard limit, e.g. RLIMIT_CORE or
1930 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1931 PROCESS__RLIMITINH, NULL, NULL);
1933 for (i = 0; i < RLIM_NLIMITS; i++) {
1934 rlim = current->rlim + i;
1935 initrlim = init_task.rlim+i;
1936 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1940 /* Wake up the parent if it is waiting so that it can
1941 recheck wait permission to the new task SID. */
1942 wake_up_interruptible(¤t->parent->wait_chldexit);
1950 /* superblock security operations */
1952 static int selinux_sb_alloc_security(struct super_block *sb)
1954 return superblock_alloc_security(sb);
1957 static void selinux_sb_free_security(struct super_block *sb)
1959 superblock_free_security(sb);
1962 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1967 return !memcmp(prefix, option, plen);
1970 static inline int selinux_option(char *option, int len)
1972 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1973 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1974 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1977 static inline void take_option(char **to, char *from, int *first, int len)
1985 memcpy(*to, from, len);
1989 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1991 int fnosec, fsec, rc = 0;
1992 char *in_save, *in_curr, *in_end;
1993 char *sec_curr, *nosec_save, *nosec;
1998 /* Binary mount data: just copy */
1999 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2000 copy_page(sec_curr, in_curr);
2004 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2012 in_save = in_end = orig;
2015 if (*in_end == ',' || *in_end == '\0') {
2016 int len = in_end - in_curr;
2018 if (selinux_option(in_curr, len))
2019 take_option(&sec_curr, in_curr, &fsec, len);
2021 take_option(&nosec, in_curr, &fnosec, len);
2023 in_curr = in_end + 1;
2025 } while (*in_end++);
2027 copy_page(in_save, nosec_save);
2032 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2034 struct avc_audit_data ad;
2037 rc = superblock_doinit(sb, data);
2041 AVC_AUDIT_DATA_INIT(&ad,FS);
2042 ad.u.fs.dentry = sb->s_root;
2043 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2046 static int selinux_sb_statfs(struct super_block *sb)
2048 struct avc_audit_data ad;
2050 AVC_AUDIT_DATA_INIT(&ad,FS);
2051 ad.u.fs.dentry = sb->s_root;
2052 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
2055 static int selinux_mount(char * dev_name,
2056 struct nameidata *nd,
2058 unsigned long flags,
2061 if (flags & MS_REMOUNT)
2062 return superblock_has_perm(current, nd->mnt->mnt_sb,
2063 FILESYSTEM__REMOUNT, NULL);
2065 return dentry_has_perm(current, nd->mnt, nd->dentry,
2069 static int selinux_umount(struct vfsmount *mnt, int flags)
2071 return superblock_has_perm(current,mnt->mnt_sb,
2072 FILESYSTEM__UNMOUNT,NULL);
2075 /* inode security operations */
2077 static int selinux_inode_alloc_security(struct inode *inode)
2079 return inode_alloc_security(inode);
2082 static void selinux_inode_free_security(struct inode *inode)
2084 inode_free_security(inode);
2087 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2089 return may_create(dir, dentry, SECCLASS_FILE);
2092 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2094 post_create(dir, dentry);
2097 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2101 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2104 return may_link(dir, old_dentry, MAY_LINK);
2107 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2112 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2114 return may_link(dir, dentry, MAY_UNLINK);
2117 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2119 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2122 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2124 post_create(dir, dentry);
2127 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2129 return may_create(dir, dentry, SECCLASS_DIR);
2132 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2134 post_create(dir, dentry);
2137 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2139 return may_link(dir, dentry, MAY_RMDIR);
2142 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2144 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2147 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2149 post_create(dir, dentry);
2152 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2153 struct inode *new_inode, struct dentry *new_dentry)
2155 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2158 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2159 struct inode *new_inode, struct dentry *new_dentry)
2164 static int selinux_inode_readlink(struct dentry *dentry)
2166 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2169 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2173 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2176 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2179 static int selinux_inode_permission(struct inode *inode, int mask,
2180 struct nameidata *nd)
2183 /* No permission to check. Existence test. */
2187 return inode_has_perm(current, inode,
2188 file_mask_to_av(inode->i_mode, mask), NULL, NULL);
2191 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2193 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2194 ATTR_ATIME_SET | ATTR_MTIME_SET))
2195 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2197 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2200 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2202 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2205 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2207 struct task_security_struct *tsec = current->security;
2208 struct inode *inode = dentry->d_inode;
2209 struct inode_security_struct *isec = inode->i_security;
2210 struct superblock_security_struct *sbsec;
2211 struct avc_audit_data ad;
2215 if (strcmp(name, XATTR_NAME_SELINUX)) {
2216 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2217 sizeof XATTR_SECURITY_PREFIX - 1) &&
2218 !capable(CAP_SYS_ADMIN)) {
2219 /* A different attribute in the security namespace.
2220 Restrict to administrator. */
2224 /* Not an attribute we recognize, so just check the
2225 ordinary setattr permission. */
2226 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2229 sbsec = inode->i_sb->s_security;
2230 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2233 AVC_AUDIT_DATA_INIT(&ad,FS);
2234 ad.u.fs.dentry = dentry;
2236 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2242 rc = security_context_to_sid(value, size, &newsid);
2246 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2247 FILE__RELABELTO, NULL, &ad);
2251 return avc_has_perm(newsid,
2253 SECCLASS_FILESYSTEM,
2254 FILESYSTEM__ASSOCIATE,
2259 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2260 void *value, size_t size, int flags)
2262 struct inode *inode = dentry->d_inode;
2263 struct inode_security_struct *isec = inode->i_security;
2267 if (strcmp(name, XATTR_NAME_SELINUX)) {
2268 /* Not an attribute we recognize, so nothing to do. */
2272 rc = security_context_to_sid(value, size, &newsid);
2274 printk(KERN_WARNING "%s: unable to obtain SID for context "
2275 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2283 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2285 struct inode *inode = dentry->d_inode;
2286 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2288 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2291 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2294 static int selinux_inode_listxattr (struct dentry *dentry)
2296 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2299 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2301 if (strcmp(name, XATTR_NAME_SELINUX)) {
2302 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2303 sizeof XATTR_SECURITY_PREFIX - 1) &&
2304 !capable(CAP_SYS_ADMIN)) {
2305 /* A different attribute in the security namespace.
2306 Restrict to administrator. */
2310 /* Not an attribute we recognize, so just check the
2311 ordinary setattr permission. Might want a separate
2312 permission for removexattr. */
2313 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2316 /* No one is allowed to remove a SELinux security label.
2317 You can change the label, but all data must be labeled. */
2321 static int selinux_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
2323 struct inode *inode = dentry->d_inode;
2324 struct inode_security_struct *isec = inode->i_security;
2329 /* Permission check handled by selinux_inode_getxattr hook.*/
2331 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2334 rc = security_sid_to_context(isec->sid, &context, &len);
2338 if (!buffer || !size) {
2346 memcpy(buffer, context, len);
2351 static int selinux_inode_setsecurity(struct dentry *dentry, const char *name,
2352 const void *value, size_t size, int flags)
2354 struct inode *inode = dentry->d_inode;
2355 struct inode_security_struct *isec = inode->i_security;
2359 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2362 if (!value || !size)
2365 rc = security_context_to_sid((void*)value, size, &newsid);
2373 static int selinux_inode_listsecurity(struct dentry *dentry, char *buffer)
2375 const int len = sizeof(XATTR_NAME_SELINUX);
2377 memcpy(buffer, XATTR_NAME_SELINUX, len);
2381 /* file security operations */
2383 static int selinux_file_permission(struct file *file, int mask)
2385 struct inode *inode = file->f_dentry->d_inode;
2388 /* No permission to check. Existence test. */
2392 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2393 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2396 return file_has_perm(current, file,
2397 file_mask_to_av(inode->i_mode, mask));
2400 static int selinux_file_alloc_security(struct file *file)
2402 return file_alloc_security(file);
2405 static void selinux_file_free_security(struct file *file)
2407 file_free_security(file);
2410 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2422 case EXT2_IOC_GETFLAGS:
2424 case EXT2_IOC_GETVERSION:
2425 error = file_has_perm(current, file, FILE__GETATTR);
2428 case EXT2_IOC_SETFLAGS:
2430 case EXT2_IOC_SETVERSION:
2431 error = file_has_perm(current, file, FILE__SETATTR);
2434 /* sys_ioctl() checks */
2438 error = file_has_perm(current, file, 0);
2443 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2446 /* default case assumes that the command will go
2447 * to the file's ioctl() function.
2450 error = file_has_perm(current, file, FILE__IOCTL);
2456 static int selinux_file_mmap(struct file *file, unsigned long prot, unsigned long flags)
2461 /* read access is always possible with a mapping */
2464 /* write access only matters if the mapping is shared */
2465 if ((flags & MAP_TYPE) == MAP_SHARED && (prot & PROT_WRITE))
2468 if (prot & PROT_EXEC)
2469 av |= FILE__EXECUTE;
2471 return file_has_perm(current, file, av);
2476 static int selinux_file_mprotect(struct vm_area_struct *vma,
2479 return selinux_file_mmap(vma->vm_file, prot, vma->vm_flags);
2482 static int selinux_file_lock(struct file *file, unsigned int cmd)
2484 return file_has_perm(current, file, FILE__LOCK);
2487 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2494 if (!file->f_dentry || !file->f_dentry->d_inode) {
2499 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2500 err = file_has_perm(current, file,FILE__WRITE);
2509 /* Just check FD__USE permission */
2510 err = file_has_perm(current, file, 0);
2515 #if BITS_PER_LONG == 32
2520 if (!file->f_dentry || !file->f_dentry->d_inode) {
2524 err = file_has_perm(current, file, FILE__LOCK);
2531 static int selinux_file_set_fowner(struct file *file)
2533 struct task_security_struct *tsec;
2534 struct file_security_struct *fsec;
2536 tsec = current->security;
2537 fsec = file->f_security;
2538 fsec->fown_sid = tsec->sid;
2543 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2544 struct fown_struct *fown,
2549 struct task_security_struct *tsec;
2550 struct file_security_struct *fsec;
2552 /* struct fown_struct is never outside the context of a struct file */
2553 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2555 tsec = tsk->security;
2556 fsec = file->f_security;
2559 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2561 perm = signal_to_av(fown->signum);
2563 return avc_has_perm(fsec->fown_sid, tsec->sid,
2564 SECCLASS_PROCESS, perm, NULL, NULL);
2567 static int selinux_file_receive(struct file *file)
2569 return file_has_perm(current, file, file_to_av(file));
2572 /* task security operations */
2574 static int selinux_task_create(unsigned long clone_flags)
2576 return task_has_perm(current, current, PROCESS__FORK);
2579 static int selinux_task_alloc_security(struct task_struct *tsk)
2581 struct task_security_struct *tsec1, *tsec2;
2584 tsec1 = current->security;
2586 rc = task_alloc_security(tsk);
2589 tsec2 = tsk->security;
2591 tsec2->osid = tsec1->osid;
2592 tsec2->sid = tsec1->sid;
2594 /* Retain the exec and create SIDs across fork */
2595 tsec2->exec_sid = tsec1->exec_sid;
2596 tsec2->create_sid = tsec1->create_sid;
2601 static void selinux_task_free_security(struct task_struct *tsk)
2603 task_free_security(tsk);
2606 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2608 /* Since setuid only affects the current process, and
2609 since the SELinux controls are not based on the Linux
2610 identity attributes, SELinux does not need to control
2611 this operation. However, SELinux does control the use
2612 of the CAP_SETUID and CAP_SETGID capabilities using the
2617 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2619 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2622 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2624 /* See the comment for setuid above. */
2628 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2630 return task_has_perm(current, p, PROCESS__SETPGID);
2633 static int selinux_task_getpgid(struct task_struct *p)
2635 return task_has_perm(current, p, PROCESS__GETPGID);
2638 static int selinux_task_getsid(struct task_struct *p)
2640 return task_has_perm(current, p, PROCESS__GETSESSION);
2643 static int selinux_task_setgroups(struct group_info *group_info)
2645 /* See the comment for setuid above. */
2649 static int selinux_task_setnice(struct task_struct *p, int nice)
2651 return task_has_perm(current,p, PROCESS__SETSCHED);
2654 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2656 struct rlimit *old_rlim = current->rlim + resource;
2658 /* Control the ability to change the hard limit (whether
2659 lowering or raising it), so that the hard limit can
2660 later be used as a safe reset point for the soft limit
2661 upon context transitions. See selinux_bprm_apply_creds. */
2662 if (old_rlim->rlim_max != new_rlim->rlim_max)
2663 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2668 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2670 struct task_security_struct *tsec1, *tsec2;
2672 tsec1 = current->security;
2673 tsec2 = p->security;
2675 /* No auditing from the setscheduler hook, since the runqueue lock
2676 is held and the system will deadlock if we try to log an audit
2678 return avc_has_perm_noaudit(tsec1->sid, tsec2->sid,
2679 SECCLASS_PROCESS, PROCESS__SETSCHED,
2680 &tsec2->avcr, NULL);
2683 static int selinux_task_getscheduler(struct task_struct *p)
2685 return task_has_perm(current, p, PROCESS__GETSCHED);
2688 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2692 if (info && ((unsigned long)info == 1 ||
2693 (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2697 perm = PROCESS__SIGNULL; /* null signal; existence test */
2699 perm = signal_to_av(sig);
2701 return task_has_perm(current, p, perm);
2704 static int selinux_task_prctl(int option,
2710 /* The current prctl operations do not appear to require
2711 any SELinux controls since they merely observe or modify
2712 the state of the current process. */
2716 static int selinux_task_wait(struct task_struct *p)
2720 perm = signal_to_av(p->exit_signal);
2722 return task_has_perm(p, current, perm);
2725 static void selinux_task_reparent_to_init(struct task_struct *p)
2727 struct task_security_struct *tsec;
2729 secondary_ops->task_reparent_to_init(p);
2732 tsec->osid = tsec->sid;
2733 tsec->sid = SECINITSID_KERNEL;
2737 static void selinux_task_to_inode(struct task_struct *p,
2738 struct inode *inode)
2740 struct task_security_struct *tsec = p->security;
2741 struct inode_security_struct *isec = inode->i_security;
2743 isec->sid = tsec->sid;
2744 isec->initialized = 1;
2748 #ifdef CONFIG_SECURITY_NETWORK
2750 /* Returns error only if unable to parse addresses */
2751 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2753 int offset, ihlen, ret;
2756 offset = skb->nh.raw - skb->data;
2757 ret = skb_copy_bits(skb, offset, &iph, sizeof(iph));
2761 ihlen = iph.ihl * 4;
2762 if (ihlen < sizeof(iph))
2765 ad->u.net.v4info.saddr = iph.saddr;
2766 ad->u.net.v4info.daddr = iph.daddr;
2768 switch (iph.protocol) {
2772 if (ntohs(iph.frag_off) & IP_OFFSET)
2776 if (skb_copy_bits(skb, offset, &tcph, sizeof(tcph)) < 0)
2779 ad->u.net.sport = tcph.source;
2780 ad->u.net.dport = tcph.dest;
2787 if (ntohs(iph.frag_off) & IP_OFFSET)
2791 if (skb_copy_bits(skb, offset, &udph, sizeof(udph)) < 0)
2794 ad->u.net.sport = udph.source;
2795 ad->u.net.dport = udph.dest;
2806 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2808 /* Returns error only if unable to parse addresses */
2809 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2813 struct ipv6hdr ipv6h;
2815 offset = skb->nh.raw - skb->data;
2816 ret = skb_copy_bits(skb, offset, &ipv6h, sizeof(ipv6h));
2820 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ipv6h.saddr);
2821 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ipv6h.daddr);
2823 nexthdr = ipv6h.nexthdr;
2824 offset += sizeof(ipv6h);
2825 offset = ipv6_skip_exthdr(skb, offset, &nexthdr,
2826 skb->tail - skb->head - offset);
2834 if (skb_copy_bits(skb, offset, &tcph, sizeof(tcph)) < 0)
2837 ad->u.net.sport = tcph.source;
2838 ad->u.net.dport = tcph.dest;
2845 if (skb_copy_bits(skb, offset, &udph, sizeof(udph)) < 0)
2848 ad->u.net.sport = udph.source;
2849 ad->u.net.dport = udph.dest;
2853 /* includes fragments */
2863 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2864 char **addrp, int *len, int src)
2868 switch (ad->u.net.family) {
2870 ret = selinux_parse_skb_ipv4(skb, ad);
2874 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2875 &ad->u.net.v4info.daddr);
2878 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2880 ret = selinux_parse_skb_ipv6(skb, ad);
2884 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2885 &ad->u.net.v6info.daddr);
2895 /* socket security operations */
2896 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2899 struct inode_security_struct *isec;
2900 struct task_security_struct *tsec;
2901 struct avc_audit_data ad;
2904 tsec = task->security;
2905 isec = SOCK_INODE(sock)->i_security;
2907 if (isec->sid == SECINITSID_KERNEL)
2910 AVC_AUDIT_DATA_INIT(&ad,NET);
2911 ad.u.net.sk = sock->sk;
2912 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2913 perms, &isec->avcr, &ad);
2919 static int selinux_socket_create(int family, int type,
2920 int protocol, int kern)
2923 struct task_security_struct *tsec;
2928 tsec = current->security;
2929 err = avc_has_perm(tsec->sid, tsec->sid,
2930 socket_type_to_security_class(family, type,
2931 protocol), SOCKET__CREATE, NULL, NULL);
2937 static void selinux_socket_post_create(struct socket *sock, int family,
2938 int type, int protocol, int kern)
2941 struct inode_security_struct *isec;
2942 struct task_security_struct *tsec;
2944 err = inode_doinit(SOCK_INODE(sock));
2947 isec = SOCK_INODE(sock)->i_security;
2949 tsec = current->security;
2950 isec->sclass = socket_type_to_security_class(family, type, protocol);
2951 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2956 /* Range of port numbers used to automatically bind.
2957 Need to determine whether we should perform a name_bind
2958 permission check between the socket and the port number. */
2959 #define ip_local_port_range_0 sysctl_local_port_range[0]
2960 #define ip_local_port_range_1 sysctl_local_port_range[1]
2962 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2967 err = socket_has_perm(current, sock, SOCKET__BIND);
2972 * If PF_INET or PF_INET6, check name_bind permission for the port.
2974 family = sock->sk->sk_family;
2975 if (family == PF_INET || family == PF_INET6) {
2977 struct inode_security_struct *isec;
2978 struct task_security_struct *tsec;
2979 struct avc_audit_data ad;
2980 struct sockaddr_in *addr4 = NULL;
2981 struct sockaddr_in6 *addr6 = NULL;
2982 unsigned short snum;
2983 struct sock *sk = sock->sk;
2984 u32 sid, node_perm, addrlen;
2986 tsec = current->security;
2987 isec = SOCK_INODE(sock)->i_security;
2989 if (family == PF_INET) {
2990 addr4 = (struct sockaddr_in *)address;
2991 snum = ntohs(addr4->sin_port);
2992 addrlen = sizeof(addr4->sin_addr.s_addr);
2993 addrp = (char *)&addr4->sin_addr.s_addr;
2995 addr6 = (struct sockaddr_in6 *)address;
2996 snum = ntohs(addr6->sin6_port);
2997 addrlen = sizeof(addr6->sin6_addr.s6_addr);
2998 addrp = (char *)&addr6->sin6_addr.s6_addr;
3001 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3002 snum > ip_local_port_range_1)) {
3003 err = security_port_sid(sk->sk_family, sk->sk_type,
3004 sk->sk_protocol, snum, &sid);
3007 AVC_AUDIT_DATA_INIT(&ad,NET);
3008 ad.u.net.sport = htons(snum);
3009 err = avc_has_perm(isec->sid, sid,
3011 SOCKET__NAME_BIND, NULL, &ad);
3016 switch(sk->sk_protocol) {
3018 node_perm = TCP_SOCKET__NODE_BIND;
3022 node_perm = UDP_SOCKET__NODE_BIND;
3026 node_perm = RAWIP_SOCKET__NODE_BIND;
3030 err = security_node_sid(family, addrp, addrlen, &sid);
3034 AVC_AUDIT_DATA_INIT(&ad,NET);
3035 ad.u.net.sport = htons(snum);
3036 ad.u.net.family = family;
3038 if (family == PF_INET)
3039 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3041 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3043 err = avc_has_perm(isec->sid, sid,
3044 isec->sclass, node_perm, NULL, &ad);
3052 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3054 return socket_has_perm(current, sock, SOCKET__CONNECT);
3057 static int selinux_socket_listen(struct socket *sock, int backlog)
3059 return socket_has_perm(current, sock, SOCKET__LISTEN);
3062 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3065 struct inode_security_struct *isec;
3066 struct inode_security_struct *newisec;
3068 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3072 err = inode_doinit(SOCK_INODE(newsock));
3075 newisec = SOCK_INODE(newsock)->i_security;
3077 isec = SOCK_INODE(sock)->i_security;
3078 newisec->sclass = isec->sclass;
3079 newisec->sid = isec->sid;
3084 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3087 return socket_has_perm(current, sock, SOCKET__WRITE);
3090 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3091 int size, int flags)
3093 return socket_has_perm(current, sock, SOCKET__READ);
3096 static int selinux_socket_getsockname(struct socket *sock)
3098 return socket_has_perm(current, sock, SOCKET__GETATTR);
3101 static int selinux_socket_getpeername(struct socket *sock)
3103 return socket_has_perm(current, sock, SOCKET__GETATTR);
3106 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3108 return socket_has_perm(current, sock, SOCKET__SETOPT);
3111 static int selinux_socket_getsockopt(struct socket *sock, int level,
3114 return socket_has_perm(current, sock, SOCKET__GETOPT);
3117 static int selinux_socket_shutdown(struct socket *sock, int how)
3119 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3122 static int selinux_socket_unix_stream_connect(struct socket *sock,
3123 struct socket *other,
3126 struct sk_security_struct *ssec;
3127 struct inode_security_struct *isec;
3128 struct inode_security_struct *other_isec;
3129 struct avc_audit_data ad;
3132 isec = SOCK_INODE(sock)->i_security;
3133 other_isec = SOCK_INODE(other)->i_security;
3135 AVC_AUDIT_DATA_INIT(&ad,NET);
3136 ad.u.net.sk = other->sk;
3138 err = avc_has_perm(isec->sid, other_isec->sid,
3140 UNIX_STREAM_SOCKET__CONNECTTO,
3141 &other_isec->avcr, &ad);
3145 /* connecting socket */
3146 ssec = sock->sk->sk_security;
3147 ssec->peer_sid = other_isec->sid;
3149 /* server child socket */
3150 ssec = newsk->sk_security;
3151 ssec->peer_sid = isec->sid;
3156 static int selinux_socket_unix_may_send(struct socket *sock,
3157 struct socket *other)
3159 struct inode_security_struct *isec;
3160 struct inode_security_struct *other_isec;
3161 struct avc_audit_data ad;
3164 isec = SOCK_INODE(sock)->i_security;
3165 other_isec = SOCK_INODE(other)->i_security;
3167 AVC_AUDIT_DATA_INIT(&ad,NET);
3168 ad.u.net.sk = other->sk;
3170 err = avc_has_perm(isec->sid, other_isec->sid,
3173 &other_isec->avcr, &ad);
3180 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3185 u32 netif_perm, node_perm, node_sid, recv_perm = 0;
3188 struct socket *sock;
3189 struct net_device *dev;
3190 struct sel_netif *netif;
3191 struct netif_security_struct *nsec;
3192 struct avc_audit_data ad;
3194 family = sk->sk_family;
3195 if (family != PF_INET && family != PF_INET6)
3198 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3199 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3202 read_lock_bh(&sk->sk_callback_lock);
3203 sock = sk->sk_socket;
3205 struct inode *inode;
3206 inode = SOCK_INODE(sock);
3208 struct inode_security_struct *isec;
3209 isec = inode->i_security;
3210 sock_sid = isec->sid;
3211 sock_class = isec->sclass;
3214 read_unlock_bh(&sk->sk_callback_lock);
3222 netif = sel_netif_lookup(dev);
3223 if (IS_ERR(netif)) {
3224 err = PTR_ERR(netif);
3228 nsec = &netif->nsec;
3230 switch (sock_class) {
3231 case SECCLASS_UDP_SOCKET:
3232 netif_perm = NETIF__UDP_RECV;
3233 node_perm = NODE__UDP_RECV;
3234 recv_perm = UDP_SOCKET__RECV_MSG;
3237 case SECCLASS_TCP_SOCKET:
3238 netif_perm = NETIF__TCP_RECV;
3239 node_perm = NODE__TCP_RECV;
3240 recv_perm = TCP_SOCKET__RECV_MSG;
3244 netif_perm = NETIF__RAWIP_RECV;
3245 node_perm = NODE__RAWIP_RECV;
3249 AVC_AUDIT_DATA_INIT(&ad, NET);
3250 ad.u.net.netif = dev->name;
3251 ad.u.net.family = family;
3253 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3255 sel_netif_put(netif);
3259 err = avc_has_perm(sock_sid, nsec->if_sid, SECCLASS_NETIF,
3260 netif_perm, &nsec->avcr, &ad);
3261 sel_netif_put(netif);
3265 /* Fixme: this lookup is inefficient */
3266 err = security_node_sid(family, addrp, len, &node_sid);
3270 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, NULL, &ad);
3277 /* Fixme: make this more efficient */
3278 err = security_port_sid(sk->sk_family, sk->sk_type,
3279 sk->sk_protocol, ntohs(ad.u.net.sport),
3284 err = avc_has_perm(sock_sid, port_sid, sock_class,
3285 recv_perm, NULL, &ad);
3291 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3292 int __user *optlen, unsigned len)
3297 struct sk_security_struct *ssec;
3298 struct inode_security_struct *isec;
3300 isec = SOCK_INODE(sock)->i_security;
3301 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3306 ssec = sock->sk->sk_security;
3308 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3312 if (scontext_len > len) {
3317 if (copy_to_user(optval, scontext, scontext_len))
3321 if (put_user(scontext_len, optlen))
3329 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3331 return sk_alloc_security(sk, family, priority);
3334 static void selinux_sk_free_security(struct sock *sk)
3336 sk_free_security(sk);
3339 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3343 struct nlmsghdr *nlh;
3344 struct socket *sock = sk->sk_socket;
3345 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3347 if (skb->len < NLMSG_SPACE(0)) {
3351 nlh = (struct nlmsghdr *)skb->data;
3353 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3361 err = socket_has_perm(current, sock, perm);
3366 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3370 if (capable(CAP_NET_ADMIN))
3371 cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
3373 NETLINK_CB(skb).eff_cap = 0;
3375 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3376 err = selinux_nlmsg_perm(sk, skb);
3381 static int selinux_netlink_recv(struct sk_buff *skb)
3383 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3388 #ifdef CONFIG_NETFILTER
3390 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3391 struct sk_buff **pskb,
3392 const struct net_device *in,
3393 const struct net_device *out,
3394 int (*okfn)(struct sk_buff *),
3398 int len, err = NF_ACCEPT;
3399 u32 netif_perm, node_perm, node_sid, send_perm = 0;
3401 struct socket *sock;
3402 struct inode *inode;
3403 struct sel_netif *netif;
3404 struct sk_buff *skb = *pskb;
3405 struct netif_security_struct *nsec;
3406 struct inode_security_struct *isec;
3407 struct avc_audit_data ad;
3408 struct net_device *dev = (struct net_device *)out;
3414 sock = sk->sk_socket;
3418 inode = SOCK_INODE(sock);
3422 netif = sel_netif_lookup(dev);
3423 if (IS_ERR(netif)) {
3428 nsec = &netif->nsec;
3429 isec = inode->i_security;
3431 switch (isec->sclass) {
3432 case SECCLASS_UDP_SOCKET:
3433 netif_perm = NETIF__UDP_SEND;
3434 node_perm = NODE__UDP_SEND;
3435 send_perm = UDP_SOCKET__SEND_MSG;
3438 case SECCLASS_TCP_SOCKET:
3439 netif_perm = NETIF__TCP_SEND;
3440 node_perm = NODE__TCP_SEND;
3441 send_perm = TCP_SOCKET__SEND_MSG;
3445 netif_perm = NETIF__RAWIP_SEND;
3446 node_perm = NODE__RAWIP_SEND;
3451 AVC_AUDIT_DATA_INIT(&ad, NET);
3452 ad.u.net.netif = dev->name;
3453 ad.u.net.family = family;
3455 err = selinux_parse_skb(skb, &ad, &addrp,
3456 &len, 0) ? NF_DROP : NF_ACCEPT;
3457 if (err != NF_ACCEPT) {
3458 sel_netif_put(netif);
3462 err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
3463 netif_perm, &nsec->avcr, &ad) ? NF_DROP : NF_ACCEPT;
3464 sel_netif_put(netif);
3465 if (err != NF_ACCEPT)
3468 /* Fixme: this lookup is inefficient */
3469 err = security_node_sid(family, addrp, len,
3470 &node_sid) ? NF_DROP : NF_ACCEPT;
3471 if (err != NF_ACCEPT)
3474 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3475 node_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
3476 if (err != NF_ACCEPT)
3482 /* Fixme: make this more efficient */
3483 err = security_port_sid(sk->sk_family,
3486 ntohs(ad.u.net.dport),
3487 &port_sid) ? NF_DROP : NF_ACCEPT;
3488 if (err != NF_ACCEPT)
3491 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3492 send_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
3499 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3500 struct sk_buff **pskb,
3501 const struct net_device *in,
3502 const struct net_device *out,
3503 int (*okfn)(struct sk_buff *))
3505 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3508 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3510 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3511 struct sk_buff **pskb,
3512 const struct net_device *in,
3513 const struct net_device *out,
3514 int (*okfn)(struct sk_buff *))
3516 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3521 #endif /* CONFIG_NETFILTER */
3523 #endif /* CONFIG_SECURITY_NETWORK */
3525 static int ipc_alloc_security(struct task_struct *task,
3526 struct kern_ipc_perm *perm,
3529 struct task_security_struct *tsec = task->security;
3530 struct ipc_security_struct *isec;
3532 isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3536 memset(isec, 0, sizeof(struct ipc_security_struct));
3537 isec->magic = SELINUX_MAGIC;
3538 isec->sclass = sclass;
3539 isec->ipc_perm = perm;
3541 isec->sid = tsec->sid;
3543 isec->sid = SECINITSID_UNLABELED;
3545 perm->security = isec;
3550 static void ipc_free_security(struct kern_ipc_perm *perm)
3552 struct ipc_security_struct *isec = perm->security;
3553 if (!isec || isec->magic != SELINUX_MAGIC)
3556 perm->security = NULL;
3560 static int msg_msg_alloc_security(struct msg_msg *msg)
3562 struct msg_security_struct *msec;
3564 msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3568 memset(msec, 0, sizeof(struct msg_security_struct));
3569 msec->magic = SELINUX_MAGIC;
3571 msec->sid = SECINITSID_UNLABELED;
3572 msg->security = msec;
3577 static void msg_msg_free_security(struct msg_msg *msg)
3579 struct msg_security_struct *msec = msg->security;
3580 if (!msec || msec->magic != SELINUX_MAGIC)
3583 msg->security = NULL;
3587 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3588 u16 sclass, u32 perms)
3590 struct task_security_struct *tsec;
3591 struct ipc_security_struct *isec;
3592 struct avc_audit_data ad;
3594 tsec = current->security;
3595 isec = ipc_perms->security;
3597 AVC_AUDIT_DATA_INIT(&ad, IPC);
3598 ad.u.ipc_id = ipc_perms->key;
3600 return avc_has_perm(tsec->sid, isec->sid, sclass,
3601 perms, &isec->avcr, &ad);
3604 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3606 return msg_msg_alloc_security(msg);
3609 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3611 msg_msg_free_security(msg);
3614 /* message queue security operations */
3615 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3617 struct task_security_struct *tsec;
3618 struct ipc_security_struct *isec;
3619 struct avc_audit_data ad;
3622 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3626 tsec = current->security;
3627 isec = msq->q_perm.security;
3629 AVC_AUDIT_DATA_INIT(&ad, IPC);
3630 ad.u.ipc_id = msq->q_perm.key;
3632 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3633 MSGQ__CREATE, &isec->avcr, &ad);
3635 ipc_free_security(&msq->q_perm);
3641 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3643 ipc_free_security(&msq->q_perm);
3646 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3648 struct task_security_struct *tsec;
3649 struct ipc_security_struct *isec;
3650 struct avc_audit_data ad;
3652 tsec = current->security;
3653 isec = msq->q_perm.security;
3655 AVC_AUDIT_DATA_INIT(&ad, IPC);
3656 ad.u.ipc_id = msq->q_perm.key;
3658 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3659 MSGQ__ASSOCIATE, &isec->avcr, &ad);
3662 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3670 /* No specific object, just general system-wide information. */
3671 return task_has_system(current, SYSTEM__IPC_INFO);
3674 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3677 perms = MSGQ__SETATTR;
3680 perms = MSGQ__DESTROY;
3686 err = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms);
3690 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3692 struct task_security_struct *tsec;
3693 struct ipc_security_struct *isec;
3694 struct msg_security_struct *msec;
3695 struct avc_audit_data ad;
3698 tsec = current->security;
3699 isec = msq->q_perm.security;
3700 msec = msg->security;
3703 * First time through, need to assign label to the message
3705 if (msec->sid == SECINITSID_UNLABELED) {
3707 * Compute new sid based on current process and
3708 * message queue this message will be stored in
3710 rc = security_transition_sid(tsec->sid,
3718 AVC_AUDIT_DATA_INIT(&ad, IPC);
3719 ad.u.ipc_id = msq->q_perm.key;
3721 /* Can this process write to the queue? */
3722 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3723 MSGQ__WRITE, &isec->avcr, &ad);
3725 /* Can this process send the message */
3726 rc = avc_has_perm(tsec->sid, msec->sid,
3727 SECCLASS_MSG, MSG__SEND,
3730 /* Can the message be put in the queue? */
3731 rc = avc_has_perm(msec->sid, isec->sid,
3732 SECCLASS_MSGQ, MSGQ__ENQUEUE,
3738 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3739 struct task_struct *target,
3740 long type, int mode)
3742 struct task_security_struct *tsec;
3743 struct ipc_security_struct *isec;
3744 struct msg_security_struct *msec;
3745 struct avc_audit_data ad;
3748 tsec = target->security;
3749 isec = msq->q_perm.security;
3750 msec = msg->security;
3752 AVC_AUDIT_DATA_INIT(&ad, IPC);
3753 ad.u.ipc_id = msq->q_perm.key;
3755 rc = avc_has_perm(tsec->sid, isec->sid,
3756 SECCLASS_MSGQ, MSGQ__READ,
3759 rc = avc_has_perm(tsec->sid, msec->sid,
3760 SECCLASS_MSG, MSG__RECEIVE,
3765 /* Shared Memory security operations */
3766 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3768 struct task_security_struct *tsec;
3769 struct ipc_security_struct *isec;
3770 struct avc_audit_data ad;
3773 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3777 tsec = current->security;
3778 isec = shp->shm_perm.security;
3780 AVC_AUDIT_DATA_INIT(&ad, IPC);
3781 ad.u.ipc_id = shp->shm_perm.key;
3783 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3784 SHM__CREATE, &isec->avcr, &ad);
3786 ipc_free_security(&shp->shm_perm);
3792 static void selinux_shm_free_security(struct shmid_kernel *shp)
3794 ipc_free_security(&shp->shm_perm);
3797 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3799 struct task_security_struct *tsec;
3800 struct ipc_security_struct *isec;
3801 struct avc_audit_data ad;
3803 tsec = current->security;
3804 isec = shp->shm_perm.security;
3806 AVC_AUDIT_DATA_INIT(&ad, IPC);
3807 ad.u.ipc_id = shp->shm_perm.key;
3809 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3810 SHM__ASSOCIATE, &isec->avcr, &ad);
3813 /* Note, at this point, shp is locked down */
3814 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3822 /* No specific object, just general system-wide information. */
3823 return task_has_system(current, SYSTEM__IPC_INFO);
3826 perms = SHM__GETATTR | SHM__ASSOCIATE;
3829 perms = SHM__SETATTR;
3836 perms = SHM__DESTROY;
3842 err = ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3846 static int selinux_shm_shmat(struct shmid_kernel *shp,
3847 char __user *shmaddr, int shmflg)
3851 if (shmflg & SHM_RDONLY)
3854 perms = SHM__READ | SHM__WRITE;
3856 return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3859 /* Semaphore security operations */
3860 static int selinux_sem_alloc_security(struct sem_array *sma)
3862 struct task_security_struct *tsec;
3863 struct ipc_security_struct *isec;
3864 struct avc_audit_data ad;
3867 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3871 tsec = current->security;
3872 isec = sma->sem_perm.security;
3874 AVC_AUDIT_DATA_INIT(&ad, IPC);
3875 ad.u.ipc_id = sma->sem_perm.key;
3877 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3878 SEM__CREATE, &isec->avcr, &ad);
3880 ipc_free_security(&sma->sem_perm);
3886 static void selinux_sem_free_security(struct sem_array *sma)
3888 ipc_free_security(&sma->sem_perm);
3891 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3893 struct task_security_struct *tsec;
3894 struct ipc_security_struct *isec;
3895 struct avc_audit_data ad;
3897 tsec = current->security;
3898 isec = sma->sem_perm.security;
3900 AVC_AUDIT_DATA_INIT(&ad, IPC);
3901 ad.u.ipc_id = sma->sem_perm.key;
3903 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3904 SEM__ASSOCIATE, &isec->avcr, &ad);
3907 /* Note, at this point, sma is locked down */
3908 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3916 /* No specific object, just general system-wide information. */
3917 return task_has_system(current, SYSTEM__IPC_INFO);
3921 perms = SEM__GETATTR;
3932 perms = SEM__DESTROY;
3935 perms = SEM__SETATTR;
3939 perms = SEM__GETATTR | SEM__ASSOCIATE;
3945 err = ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
3949 static int selinux_sem_semop(struct sem_array *sma,
3950 struct sembuf *sops, unsigned nsops, int alter)
3955 perms = SEM__READ | SEM__WRITE;
3959 return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
3962 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
3964 struct ipc_security_struct *isec = ipcp->security;
3965 u16 sclass = SECCLASS_IPC;
3968 if (isec && isec->magic == SELINUX_MAGIC)
3969 sclass = isec->sclass;
3973 av |= IPC__UNIX_READ;
3975 av |= IPC__UNIX_WRITE;
3980 return ipc_has_perm(ipcp, sclass, av);
3983 /* module stacking operations */
3984 int selinux_register_security (const char *name, struct security_operations *ops)
3986 if (secondary_ops != original_ops) {
3987 printk(KERN_INFO "%s: There is already a secondary security "
3988 "module registered.\n", __FUNCTION__);
3992 secondary_ops = ops;
3994 printk(KERN_INFO "%s: Registering secondary module %s\n",
4001 int selinux_unregister_security (const char *name, struct security_operations *ops)
4003 if (ops != secondary_ops) {
4004 printk (KERN_INFO "%s: trying to unregister a security module "
4005 "that is not registered.\n", __FUNCTION__);
4009 secondary_ops = original_ops;
4014 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4017 inode_doinit_with_dentry(inode, dentry);
4020 static int selinux_getprocattr(struct task_struct *p,
4021 char *name, void *value, size_t size)
4023 struct task_security_struct *tsec;
4029 error = task_has_perm(current, p, PROCESS__GETATTR);
4039 if (!strcmp(name, "current"))
4041 else if (!strcmp(name, "prev"))
4043 else if (!strcmp(name, "exec"))
4044 sid = tsec->exec_sid;
4045 else if (!strcmp(name, "fscreate"))
4046 sid = tsec->create_sid;
4053 error = security_sid_to_context(sid, &context, &len);
4060 memcpy(value, context, len);
4065 static int selinux_setprocattr(struct task_struct *p,
4066 char *name, void *value, size_t size)
4068 struct task_security_struct *tsec;
4072 if (current != p || !strcmp(name, "current")) {
4073 /* SELinux only allows a process to change its own
4074 security attributes, and it only allows the process
4075 current SID to change via exec. */
4080 * Basic control over ability to set these attributes at all.
4081 * current == p, but we'll pass them separately in case the
4082 * above restriction is ever removed.
4084 if (!strcmp(name, "exec"))
4085 error = task_has_perm(current, p, PROCESS__SETEXEC);
4086 else if (!strcmp(name, "fscreate"))
4087 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4093 /* Obtain a SID for the context, if one was specified. */
4096 error = security_context_to_sid(value, size, &sid);
4101 /* Permission checking based on the specified context is
4102 performed during the actual operation (execve,
4103 open/mkdir/...), when we know the full context of the
4104 operation. See selinux_bprm_set_security for the execve
4105 checks and may_create for the file creation checks. The
4106 operation will then fail if the context is not permitted. */
4108 if (!strcmp(name, "exec"))
4109 tsec->exec_sid = sid;
4110 else if (!strcmp(name, "fscreate"))
4111 tsec->create_sid = sid;
4118 struct security_operations selinux_ops = {
4119 .ptrace = selinux_ptrace,
4120 .capget = selinux_capget,
4121 .capset_check = selinux_capset_check,
4122 .capset_set = selinux_capset_set,
4123 .sysctl = selinux_sysctl,
4124 .capable = selinux_capable,
4125 .quotactl = selinux_quotactl,
4126 .quota_on = selinux_quota_on,
4127 .syslog = selinux_syslog,
4128 .vm_enough_memory = selinux_vm_enough_memory,
4130 .netlink_send = selinux_netlink_send,
4131 .netlink_recv = selinux_netlink_recv,
4133 .bprm_alloc_security = selinux_bprm_alloc_security,
4134 .bprm_free_security = selinux_bprm_free_security,
4135 .bprm_apply_creds = selinux_bprm_apply_creds,
4136 .bprm_set_security = selinux_bprm_set_security,
4137 .bprm_check_security = selinux_bprm_check_security,
4138 .bprm_secureexec = selinux_bprm_secureexec,
4140 .sb_alloc_security = selinux_sb_alloc_security,
4141 .sb_free_security = selinux_sb_free_security,
4142 .sb_copy_data = selinux_sb_copy_data,
4143 .sb_kern_mount = selinux_sb_kern_mount,
4144 .sb_statfs = selinux_sb_statfs,
4145 .sb_mount = selinux_mount,
4146 .sb_umount = selinux_umount,
4148 .inode_alloc_security = selinux_inode_alloc_security,
4149 .inode_free_security = selinux_inode_free_security,
4150 .inode_create = selinux_inode_create,
4151 .inode_post_create = selinux_inode_post_create,
4152 .inode_link = selinux_inode_link,
4153 .inode_post_link = selinux_inode_post_link,
4154 .inode_unlink = selinux_inode_unlink,
4155 .inode_symlink = selinux_inode_symlink,
4156 .inode_post_symlink = selinux_inode_post_symlink,
4157 .inode_mkdir = selinux_inode_mkdir,
4158 .inode_post_mkdir = selinux_inode_post_mkdir,
4159 .inode_rmdir = selinux_inode_rmdir,
4160 .inode_mknod = selinux_inode_mknod,
4161 .inode_post_mknod = selinux_inode_post_mknod,
4162 .inode_rename = selinux_inode_rename,
4163 .inode_post_rename = selinux_inode_post_rename,
4164 .inode_readlink = selinux_inode_readlink,
4165 .inode_follow_link = selinux_inode_follow_link,
4166 .inode_permission = selinux_inode_permission,
4167 .inode_setattr = selinux_inode_setattr,
4168 .inode_getattr = selinux_inode_getattr,
4169 .inode_setxattr = selinux_inode_setxattr,
4170 .inode_post_setxattr = selinux_inode_post_setxattr,
4171 .inode_getxattr = selinux_inode_getxattr,
4172 .inode_listxattr = selinux_inode_listxattr,
4173 .inode_removexattr = selinux_inode_removexattr,
4174 .inode_getsecurity = selinux_inode_getsecurity,
4175 .inode_setsecurity = selinux_inode_setsecurity,
4176 .inode_listsecurity = selinux_inode_listsecurity,
4178 .file_permission = selinux_file_permission,
4179 .file_alloc_security = selinux_file_alloc_security,
4180 .file_free_security = selinux_file_free_security,
4181 .file_ioctl = selinux_file_ioctl,
4182 .file_mmap = selinux_file_mmap,
4183 .file_mprotect = selinux_file_mprotect,
4184 .file_lock = selinux_file_lock,
4185 .file_fcntl = selinux_file_fcntl,
4186 .file_set_fowner = selinux_file_set_fowner,
4187 .file_send_sigiotask = selinux_file_send_sigiotask,
4188 .file_receive = selinux_file_receive,
4190 .task_create = selinux_task_create,
4191 .task_alloc_security = selinux_task_alloc_security,
4192 .task_free_security = selinux_task_free_security,
4193 .task_setuid = selinux_task_setuid,
4194 .task_post_setuid = selinux_task_post_setuid,
4195 .task_setgid = selinux_task_setgid,
4196 .task_setpgid = selinux_task_setpgid,
4197 .task_getpgid = selinux_task_getpgid,
4198 .task_getsid = selinux_task_getsid,
4199 .task_setgroups = selinux_task_setgroups,
4200 .task_setnice = selinux_task_setnice,
4201 .task_setrlimit = selinux_task_setrlimit,
4202 .task_setscheduler = selinux_task_setscheduler,
4203 .task_getscheduler = selinux_task_getscheduler,
4204 .task_kill = selinux_task_kill,
4205 .task_wait = selinux_task_wait,
4206 .task_prctl = selinux_task_prctl,
4207 .task_reparent_to_init = selinux_task_reparent_to_init,
4208 .task_to_inode = selinux_task_to_inode,
4210 .ipc_permission = selinux_ipc_permission,
4212 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4213 .msg_msg_free_security = selinux_msg_msg_free_security,
4215 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4216 .msg_queue_free_security = selinux_msg_queue_free_security,
4217 .msg_queue_associate = selinux_msg_queue_associate,
4218 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4219 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4220 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4222 .shm_alloc_security = selinux_shm_alloc_security,
4223 .shm_free_security = selinux_shm_free_security,
4224 .shm_associate = selinux_shm_associate,
4225 .shm_shmctl = selinux_shm_shmctl,
4226 .shm_shmat = selinux_shm_shmat,
4228 .sem_alloc_security = selinux_sem_alloc_security,
4229 .sem_free_security = selinux_sem_free_security,
4230 .sem_associate = selinux_sem_associate,
4231 .sem_semctl = selinux_sem_semctl,
4232 .sem_semop = selinux_sem_semop,
4234 .register_security = selinux_register_security,
4235 .unregister_security = selinux_unregister_security,
4237 .d_instantiate = selinux_d_instantiate,
4239 .getprocattr = selinux_getprocattr,
4240 .setprocattr = selinux_setprocattr,
4242 #ifdef CONFIG_SECURITY_NETWORK
4243 .unix_stream_connect = selinux_socket_unix_stream_connect,
4244 .unix_may_send = selinux_socket_unix_may_send,
4246 .socket_create = selinux_socket_create,
4247 .socket_post_create = selinux_socket_post_create,
4248 .socket_bind = selinux_socket_bind,
4249 .socket_connect = selinux_socket_connect,
4250 .socket_listen = selinux_socket_listen,
4251 .socket_accept = selinux_socket_accept,
4252 .socket_sendmsg = selinux_socket_sendmsg,
4253 .socket_recvmsg = selinux_socket_recvmsg,
4254 .socket_getsockname = selinux_socket_getsockname,
4255 .socket_getpeername = selinux_socket_getpeername,
4256 .socket_getsockopt = selinux_socket_getsockopt,
4257 .socket_setsockopt = selinux_socket_setsockopt,
4258 .socket_shutdown = selinux_socket_shutdown,
4259 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4260 .socket_getpeersec = selinux_socket_getpeersec,
4261 .sk_alloc_security = selinux_sk_alloc_security,
4262 .sk_free_security = selinux_sk_free_security,
4266 __init int selinux_init(void)
4268 struct task_security_struct *tsec;
4270 if (!selinux_enabled) {
4271 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4275 printk(KERN_INFO "SELinux: Initializing.\n");
4277 /* Set the security state for the initial task. */
4278 if (task_alloc_security(current))
4279 panic("SELinux: Failed to initialize initial task.\n");
4280 tsec = current->security;
4281 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4285 original_ops = secondary_ops = security_ops;
4287 panic ("SELinux: No initial security operations\n");
4288 if (register_security (&selinux_ops))
4289 panic("SELinux: Unable to register with kernel.\n");
4291 if (selinux_enforcing) {
4292 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4294 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4299 void selinux_complete_init(void)
4301 printk(KERN_INFO "SELinux: Completing initialization.\n");
4303 /* Set up any superblocks initialized prior to the policy load. */
4304 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4305 spin_lock(&sb_security_lock);
4307 if (!list_empty(&superblock_security_head)) {
4308 struct superblock_security_struct *sbsec =
4309 list_entry(superblock_security_head.next,
4310 struct superblock_security_struct,
4312 struct super_block *sb = sbsec->sb;
4313 spin_lock(&sb_lock);
4315 spin_unlock(&sb_lock);
4316 spin_unlock(&sb_security_lock);
4317 down_read(&sb->s_umount);
4319 superblock_doinit(sb, NULL);
4321 spin_lock(&sb_security_lock);
4322 list_del_init(&sbsec->list);
4325 spin_unlock(&sb_security_lock);
4328 /* SELinux requires early initialization in order to label
4329 all processes and objects when they are created. */
4330 security_initcall(selinux_init);
4332 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4334 static struct nf_hook_ops selinux_ipv4_op = {
4335 .hook = selinux_ipv4_postroute_last,
4336 .owner = THIS_MODULE,
4338 .hooknum = NF_IP_POST_ROUTING,
4339 .priority = NF_IP_PRI_SELINUX_LAST,
4342 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4344 static struct nf_hook_ops selinux_ipv6_op = {
4345 .hook = selinux_ipv6_postroute_last,
4346 .owner = THIS_MODULE,
4348 .hooknum = NF_IP6_POST_ROUTING,
4349 .priority = NF_IP6_PRI_SELINUX_LAST,
4354 static int __init selinux_nf_ip_init(void)
4358 if (!selinux_enabled)
4361 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4363 err = nf_register_hook(&selinux_ipv4_op);
4365 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4367 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4369 err = nf_register_hook(&selinux_ipv6_op);
4371 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4378 __initcall(selinux_nf_ip_init);
4380 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4381 static void selinux_nf_ip_exit(void)
4383 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4385 nf_unregister_hook(&selinux_ipv4_op);
4386 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4387 nf_unregister_hook(&selinux_ipv6_op);
4392 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4394 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4395 #define selinux_nf_ip_exit()
4398 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4400 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4401 int selinux_disable(void)
4403 extern void exit_sel_fs(void);
4404 static int selinux_disabled = 0;
4406 if (ss_initialized) {
4407 /* Not permitted after initial policy load. */
4411 if (selinux_disabled) {
4412 /* Only do this once. */
4416 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4418 selinux_disabled = 1;
4420 /* Reset security_ops to the secondary module, dummy or capability. */
4421 security_ops = secondary_ops;
4423 /* Unregister netfilter hooks. */
4424 selinux_nf_ip_exit();
4426 /* Unregister selinuxfs. */