2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License version 2,
16 * as published by the Free Software Foundation.
19 #include <linux/config.h>
20 #include <linux/module.h>
21 #include <linux/init.h>
22 #include <linux/kernel.h>
23 #include <linux/ptrace.h>
24 #include <linux/errno.h>
25 #include <linux/sched.h>
26 #include <linux/security.h>
27 #include <linux/xattr.h>
28 #include <linux/capability.h>
29 #include <linux/unistd.h>
31 #include <linux/mman.h>
32 #include <linux/slab.h>
33 #include <linux/pagemap.h>
34 #include <linux/swap.h>
35 #include <linux/smp_lock.h>
36 #include <linux/spinlock.h>
37 #include <linux/syscalls.h>
38 #include <linux/file.h>
39 #include <linux/namei.h>
40 #include <linux/mount.h>
41 #include <linux/ext2_fs.h>
42 #include <linux/proc_fs.h>
44 #include <linux/netfilter_ipv4.h>
45 #include <linux/netfilter_ipv6.h>
47 #include <net/ip.h> /* for sysctl_local_port_range[] */
48 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
49 #include <asm/uaccess.h>
50 #include <asm/semaphore.h>
51 #include <asm/ioctls.h>
52 #include <linux/bitops.h>
53 #include <linux/interrupt.h>
54 #include <linux/netdevice.h> /* for network interface checks */
55 #include <linux/netlink.h>
56 #include <linux/tcp.h>
57 #include <linux/udp.h>
58 #include <linux/quota.h>
59 #include <linux/un.h> /* for Unix socket types */
60 #include <net/af_unix.h> /* for Unix socket types */
61 #include <linux/parser.h>
62 #include <linux/nfs_mount.h>
64 #include <linux/hugetlb.h>
65 #include <linux/major.h>
71 #define XATTR_SELINUX_SUFFIX "selinux"
72 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
74 extern int policydb_loaded_version;
75 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
77 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
78 int selinux_enforcing = 0;
80 static int __init enforcing_setup(char *str)
82 selinux_enforcing = simple_strtol(str,NULL,0);
85 __setup("enforcing=", enforcing_setup);
88 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
89 int selinux_enabled = 1;
91 static int __init selinux_enabled_setup(char *str)
93 selinux_enabled = simple_strtol(str, NULL, 0);
96 __setup("selinux=", selinux_enabled_setup);
99 /* Original (dummy) security module. */
100 static struct security_operations *original_ops = NULL;
102 /* Minimal support for a secondary security module,
103 just to allow the use of the dummy or capability modules.
104 The owlsm module can alternatively be used as a secondary
105 module as long as CONFIG_OWLSM_FD is not enabled. */
106 static struct security_operations *secondary_ops = NULL;
108 /* Lists of inode and superblock security structures initialized
109 before the policy was loaded. */
110 static LIST_HEAD(superblock_security_head);
111 static spinlock_t sb_security_lock = SPIN_LOCK_UNLOCKED;
113 /* Allocate and free functions for each kind of security blob. */
115 static int task_alloc_security(struct task_struct *task)
117 struct task_security_struct *tsec;
119 tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
123 memset(tsec, 0, sizeof(struct task_security_struct));
124 tsec->magic = SELINUX_MAGIC;
126 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
127 task->security = tsec;
132 static void task_free_security(struct task_struct *task)
134 struct task_security_struct *tsec = task->security;
136 if (!tsec || tsec->magic != SELINUX_MAGIC)
139 task->security = NULL;
143 static int inode_alloc_security(struct inode *inode)
145 struct task_security_struct *tsec = current->security;
146 struct inode_security_struct *isec;
148 isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
152 memset(isec, 0, sizeof(struct inode_security_struct));
153 init_MUTEX(&isec->sem);
154 INIT_LIST_HEAD(&isec->list);
155 isec->magic = SELINUX_MAGIC;
157 isec->sid = SECINITSID_UNLABELED;
158 isec->sclass = SECCLASS_FILE;
159 if (tsec && tsec->magic == SELINUX_MAGIC)
160 isec->task_sid = tsec->sid;
162 isec->task_sid = SECINITSID_UNLABELED;
163 inode->i_security = isec;
168 static void inode_free_security(struct inode *inode)
170 struct inode_security_struct *isec = inode->i_security;
171 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
173 if (!isec || isec->magic != SELINUX_MAGIC)
176 spin_lock(&sbsec->isec_lock);
177 if (!list_empty(&isec->list))
178 list_del_init(&isec->list);
179 spin_unlock(&sbsec->isec_lock);
181 inode->i_security = NULL;
185 static int file_alloc_security(struct file *file)
187 struct task_security_struct *tsec = current->security;
188 struct file_security_struct *fsec;
190 fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
194 memset(fsec, 0, sizeof(struct file_security_struct));
195 fsec->magic = SELINUX_MAGIC;
197 if (tsec && tsec->magic == SELINUX_MAGIC) {
198 fsec->sid = tsec->sid;
199 fsec->fown_sid = tsec->sid;
201 fsec->sid = SECINITSID_UNLABELED;
202 fsec->fown_sid = SECINITSID_UNLABELED;
204 file->f_security = fsec;
209 static void file_free_security(struct file *file)
211 struct file_security_struct *fsec = file->f_security;
213 if (!fsec || fsec->magic != SELINUX_MAGIC)
216 file->f_security = NULL;
220 static int superblock_alloc_security(struct super_block *sb)
222 struct superblock_security_struct *sbsec;
224 sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
228 memset(sbsec, 0, sizeof(struct superblock_security_struct));
229 init_MUTEX(&sbsec->sem);
230 INIT_LIST_HEAD(&sbsec->list);
231 INIT_LIST_HEAD(&sbsec->isec_head);
232 spin_lock_init(&sbsec->isec_lock);
233 sbsec->magic = SELINUX_MAGIC;
235 sbsec->sid = SECINITSID_UNLABELED;
236 sbsec->def_sid = SECINITSID_FILE;
237 sb->s_security = sbsec;
242 static void superblock_free_security(struct super_block *sb)
244 struct superblock_security_struct *sbsec = sb->s_security;
246 if (!sbsec || sbsec->magic != SELINUX_MAGIC)
249 spin_lock(&sb_security_lock);
250 if (!list_empty(&sbsec->list))
251 list_del_init(&sbsec->list);
252 spin_unlock(&sb_security_lock);
254 sb->s_security = NULL;
258 #ifdef CONFIG_SECURITY_NETWORK
259 static int sk_alloc_security(struct sock *sk, int family, int priority)
261 struct sk_security_struct *ssec;
263 if (family != PF_UNIX)
266 ssec = kmalloc(sizeof(*ssec), priority);
270 memset(ssec, 0, sizeof(*ssec));
271 ssec->magic = SELINUX_MAGIC;
273 ssec->peer_sid = SECINITSID_UNLABELED;
274 sk->sk_security = ssec;
279 static void sk_free_security(struct sock *sk)
281 struct sk_security_struct *ssec = sk->sk_security;
283 if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
286 sk->sk_security = NULL;
289 #endif /* CONFIG_SECURITY_NETWORK */
291 /* The security server must be initialized before
292 any labeling or access decisions can be provided. */
293 extern int ss_initialized;
295 /* The file system's label must be initialized prior to use. */
297 static char *labeling_behaviors[6] = {
299 "uses transition SIDs",
301 "uses genfs_contexts",
302 "not configured for labeling",
303 "uses mountpoint labeling",
306 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
308 static inline int inode_doinit(struct inode *inode)
310 return inode_doinit_with_dentry(inode, NULL);
319 static match_table_t tokens = {
320 {Opt_context, "context=%s"},
321 {Opt_fscontext, "fscontext=%s"},
322 {Opt_defcontext, "defcontext=%s"},
325 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
327 static int try_context_mount(struct super_block *sb, void *data)
329 char *context = NULL, *defcontext = NULL;
332 int alloc = 0, rc = 0, seen = 0;
333 struct task_security_struct *tsec = current->security;
334 struct superblock_security_struct *sbsec = sb->s_security;
339 name = sb->s_type->name;
341 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
343 /* NFS we understand. */
344 if (!strcmp(name, "nfs")) {
345 struct nfs_mount_data *d = data;
347 if (d->version < NFS_MOUNT_VERSION)
351 context = d->context;
358 /* Standard string-based options. */
359 char *p, *options = data;
361 while ((p = strsep(&options, ",")) != NULL) {
363 substring_t args[MAX_OPT_ARGS];
368 token = match_token(p, tokens, args);
374 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
377 context = match_strdup(&args[0]);
388 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
390 printk(KERN_WARNING "SELinux: "
391 "fscontext option is invalid for"
392 " this filesystem type\n");
395 if (seen & (Opt_context|Opt_fscontext)) {
397 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
400 context = match_strdup(&args[0]);
407 seen |= Opt_fscontext;
411 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
413 printk(KERN_WARNING "SELinux: "
414 "defcontext option is invalid "
415 "for this filesystem type\n");
418 if (seen & (Opt_context|Opt_defcontext)) {
420 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
423 defcontext = match_strdup(&args[0]);
430 seen |= Opt_defcontext;
435 printk(KERN_WARNING "SELinux: unknown mount "
447 rc = security_context_to_sid(context, strlen(context), &sid);
449 printk(KERN_WARNING "SELinux: security_context_to_sid"
450 "(%s) failed for (dev %s, type %s) errno=%d\n",
451 context, sb->s_id, name, rc);
455 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
456 FILESYSTEM__RELABELFROM, NULL, NULL);
460 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
461 FILESYSTEM__RELABELTO, NULL, NULL);
467 if (seen & Opt_context)
468 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
472 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
474 printk(KERN_WARNING "SELinux: security_context_to_sid"
475 "(%s) failed for (dev %s, type %s) errno=%d\n",
476 defcontext, sb->s_id, name, rc);
480 if (sid == sbsec->def_sid)
483 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
484 FILESYSTEM__RELABELFROM, NULL, NULL);
488 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
489 FILESYSTEM__ASSOCIATE, NULL, NULL);
493 sbsec->def_sid = sid;
505 static int superblock_doinit(struct super_block *sb, void *data)
507 struct superblock_security_struct *sbsec = sb->s_security;
508 struct dentry *root = sb->s_root;
509 struct inode *inode = root->d_inode;
513 if (sbsec->initialized)
516 if (!ss_initialized) {
517 /* Defer initialization until selinux_complete_init,
518 after the initial policy is loaded and the security
519 server is ready to handle calls. */
520 spin_lock(&sb_security_lock);
521 if (list_empty(&sbsec->list))
522 list_add(&sbsec->list, &superblock_security_head);
523 spin_unlock(&sb_security_lock);
527 /* Determine the labeling behavior to use for this filesystem type. */
528 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
530 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
531 __FUNCTION__, sb->s_type->name, rc);
535 rc = try_context_mount(sb, data);
539 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
540 /* Make sure that the xattr handler exists and that no
541 error other than -ENODATA is returned by getxattr on
542 the root directory. -ENODATA is ok, as this may be
543 the first boot of the SELinux kernel before we have
544 assigned xattr values to the filesystem. */
545 if (!inode->i_op->getxattr) {
546 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
547 "xattr support\n", sb->s_id, sb->s_type->name);
551 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
552 if (rc < 0 && rc != -ENODATA) {
553 if (rc == -EOPNOTSUPP)
554 printk(KERN_WARNING "SELinux: (dev %s, type "
555 "%s) has no security xattr handler\n",
556 sb->s_id, sb->s_type->name);
558 printk(KERN_WARNING "SELinux: (dev %s, type "
559 "%s) getxattr errno %d\n", sb->s_id,
560 sb->s_type->name, -rc);
565 if (strcmp(sb->s_type->name, "proc") == 0)
568 sbsec->initialized = 1;
570 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
571 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
572 sb->s_id, sb->s_type->name);
575 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
576 sb->s_id, sb->s_type->name,
577 labeling_behaviors[sbsec->behavior-1]);
580 /* Initialize the root inode. */
581 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
583 /* Initialize any other inodes associated with the superblock, e.g.
584 inodes created prior to initial policy load or inodes created
585 during get_sb by a pseudo filesystem that directly
587 spin_lock(&sbsec->isec_lock);
589 if (!list_empty(&sbsec->isec_head)) {
590 struct inode_security_struct *isec =
591 list_entry(sbsec->isec_head.next,
592 struct inode_security_struct, list);
593 struct inode *inode = isec->inode;
594 spin_unlock(&sbsec->isec_lock);
595 inode = igrab(inode);
600 spin_lock(&sbsec->isec_lock);
601 list_del_init(&isec->list);
604 spin_unlock(&sbsec->isec_lock);
610 static inline u16 inode_mode_to_security_class(umode_t mode)
612 switch (mode & S_IFMT) {
614 return SECCLASS_SOCK_FILE;
616 return SECCLASS_LNK_FILE;
618 return SECCLASS_FILE;
620 return SECCLASS_BLK_FILE;
624 return SECCLASS_CHR_FILE;
626 return SECCLASS_FIFO_FILE;
630 return SECCLASS_FILE;
633 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
639 return SECCLASS_UNIX_STREAM_SOCKET;
641 return SECCLASS_UNIX_DGRAM_SOCKET;
647 return SECCLASS_TCP_SOCKET;
649 return SECCLASS_UDP_SOCKET;
651 return SECCLASS_RAWIP_SOCKET;
656 return SECCLASS_NETLINK_ROUTE_SOCKET;
657 case NETLINK_FIREWALL:
658 return SECCLASS_NETLINK_FIREWALL_SOCKET;
659 case NETLINK_TCPDIAG:
660 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
662 return SECCLASS_NETLINK_NFLOG_SOCKET;
664 return SECCLASS_NETLINK_XFRM_SOCKET;
665 case NETLINK_SELINUX:
666 return SECCLASS_NETLINK_SELINUX_SOCKET;
668 return SECCLASS_NETLINK_AUDIT_SOCKET;
670 return SECCLASS_NETLINK_IP6FW_SOCKET;
671 case NETLINK_DNRTMSG:
672 return SECCLASS_NETLINK_DNRT_SOCKET;
674 return SECCLASS_NETLINK_SOCKET;
677 return SECCLASS_PACKET_SOCKET;
679 return SECCLASS_KEY_SOCKET;
682 return SECCLASS_SOCKET;
685 #ifdef CONFIG_PROC_FS
686 static int selinux_proc_get_sid(struct proc_dir_entry *de,
691 char *buffer, *path, *end;
693 buffer = (char*)__get_free_page(GFP_KERNEL);
703 while (de && de != de->parent) {
704 buflen -= de->namelen + 1;
708 memcpy(end, de->name, de->namelen);
713 rc = security_genfs_sid("proc", path, tclass, sid);
714 free_page((unsigned long)buffer);
718 static int selinux_proc_get_sid(struct proc_dir_entry *de,
726 /* The inode's security attributes must be initialized before first use. */
727 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
729 struct superblock_security_struct *sbsec = NULL;
730 struct inode_security_struct *isec = inode->i_security;
732 struct dentry *dentry;
733 #define INITCONTEXTLEN 255
734 char *context = NULL;
739 if (isec->initialized)
744 if (isec->initialized)
747 sbsec = inode->i_sb->s_security;
748 if (!sbsec->initialized) {
749 /* Defer initialization until selinux_complete_init,
750 after the initial policy is loaded and the security
751 server is ready to handle calls. */
752 spin_lock(&sbsec->isec_lock);
753 if (list_empty(&isec->list))
754 list_add(&isec->list, &sbsec->isec_head);
755 spin_unlock(&sbsec->isec_lock);
759 switch (sbsec->behavior) {
760 case SECURITY_FS_USE_XATTR:
761 if (!inode->i_op->getxattr) {
762 isec->sid = sbsec->def_sid;
766 /* Need a dentry, since the xattr API requires one.
767 Life would be simpler if we could just pass the inode. */
769 /* Called from d_instantiate or d_splice_alias. */
770 dentry = dget(opt_dentry);
772 /* Called from selinux_complete_init, try to find a dentry. */
773 dentry = d_find_alias(inode);
776 printk(KERN_WARNING "%s: no dentry for dev=%s "
777 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
782 len = INITCONTEXTLEN;
783 context = kmalloc(len, GFP_KERNEL);
789 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
792 /* Need a larger buffer. Query for the right size. */
793 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
801 context = kmalloc(len, GFP_KERNEL);
807 rc = inode->i_op->getxattr(dentry,
813 if (rc != -ENODATA) {
814 printk(KERN_WARNING "%s: getxattr returned "
815 "%d for dev=%s ino=%ld\n", __FUNCTION__,
816 -rc, inode->i_sb->s_id, inode->i_ino);
820 /* Map ENODATA to the default file SID */
821 sid = sbsec->def_sid;
824 rc = security_context_to_sid(context, rc, &sid);
826 printk(KERN_WARNING "%s: context_to_sid(%s) "
827 "returned %d for dev=%s ino=%ld\n",
828 __FUNCTION__, context, -rc,
829 inode->i_sb->s_id, inode->i_ino);
837 case SECURITY_FS_USE_TASK:
838 isec->sid = isec->task_sid;
840 case SECURITY_FS_USE_TRANS:
841 /* Default to the fs SID. */
842 isec->sid = sbsec->sid;
844 /* Try to obtain a transition SID. */
845 isec->sclass = inode_mode_to_security_class(inode->i_mode);
846 rc = security_transition_sid(isec->task_sid,
855 /* Default to the fs SID. */
856 isec->sid = sbsec->sid;
859 struct proc_inode *proci = PROC_I(inode);
861 isec->sclass = inode_mode_to_security_class(inode->i_mode);
862 rc = selinux_proc_get_sid(proci->pde,
873 isec->initialized = 1;
877 struct socket *sock = SOCKET_I(inode);
879 isec->sclass = socket_type_to_security_class(sock->sk->sk_family,
881 sock->sk->sk_protocol);
883 isec->sclass = SECCLASS_SOCKET;
886 isec->sclass = inode_mode_to_security_class(inode->i_mode);
894 /* Convert a Linux signal to an access vector. */
895 static inline u32 signal_to_av(int sig)
901 /* Commonly granted from child to parent. */
902 perm = PROCESS__SIGCHLD;
905 /* Cannot be caught or ignored */
906 perm = PROCESS__SIGKILL;
909 /* Cannot be caught or ignored */
910 perm = PROCESS__SIGSTOP;
913 /* All other signals. */
914 perm = PROCESS__SIGNAL;
921 /* Check permission betweeen a pair of tasks, e.g. signal checks,
922 fork check, ptrace check, etc. */
923 int task_has_perm(struct task_struct *tsk1,
924 struct task_struct *tsk2,
927 struct task_security_struct *tsec1, *tsec2;
929 tsec1 = tsk1->security;
930 tsec2 = tsk2->security;
931 return avc_has_perm(tsec1->sid, tsec2->sid,
932 SECCLASS_PROCESS, perms, &tsec2->avcr, NULL);
935 /* Check whether a task is allowed to use a capability. */
936 int task_has_capability(struct task_struct *tsk,
939 struct task_security_struct *tsec;
940 struct avc_audit_data ad;
942 tsec = tsk->security;
944 AVC_AUDIT_DATA_INIT(&ad,CAP);
948 return avc_has_perm(tsec->sid, tsec->sid,
949 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), NULL, &ad);
952 /* Check whether a task is allowed to use a system operation. */
953 int task_has_system(struct task_struct *tsk,
956 struct task_security_struct *tsec;
958 tsec = tsk->security;
960 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
961 SECCLASS_SYSTEM, perms, NULL, NULL);
964 /* Check whether a task has a particular permission to an inode.
965 The 'aeref' parameter is optional and allows other AVC
966 entry references to be passed (e.g. the one in the struct file).
967 The 'adp' parameter is optional and allows other audit
968 data to be passed (e.g. the dentry). */
969 int inode_has_perm(struct task_struct *tsk,
972 struct avc_entry_ref *aeref,
973 struct avc_audit_data *adp)
975 struct task_security_struct *tsec;
976 struct inode_security_struct *isec;
977 struct avc_audit_data ad;
979 tsec = tsk->security;
980 isec = inode->i_security;
984 AVC_AUDIT_DATA_INIT(&ad, FS);
985 ad.u.fs.inode = inode;
988 return avc_has_perm(tsec->sid, isec->sid, isec->sclass,
989 perms, aeref ? aeref : &isec->avcr, adp);
992 /* Same as inode_has_perm, but pass explicit audit data containing
993 the dentry to help the auditing code to more easily generate the
994 pathname if needed. */
995 static inline int dentry_has_perm(struct task_struct *tsk,
996 struct vfsmount *mnt,
997 struct dentry *dentry,
1000 struct inode *inode = dentry->d_inode;
1001 struct avc_audit_data ad;
1002 AVC_AUDIT_DATA_INIT(&ad,FS);
1004 ad.u.fs.dentry = dentry;
1005 return inode_has_perm(tsk, inode, av, NULL, &ad);
1008 /* Check whether a task can use an open file descriptor to
1009 access an inode in a given way. Check access to the
1010 descriptor itself, and then use dentry_has_perm to
1011 check a particular permission to the file.
1012 Access to the descriptor is implicitly granted if it
1013 has the same SID as the process. If av is zero, then
1014 access to the file is not checked, e.g. for cases
1015 where only the descriptor is affected like seek. */
1016 static inline int file_has_perm(struct task_struct *tsk,
1020 struct task_security_struct *tsec = tsk->security;
1021 struct file_security_struct *fsec = file->f_security;
1022 struct vfsmount *mnt = file->f_vfsmnt;
1023 struct dentry *dentry = file->f_dentry;
1024 struct inode *inode = dentry->d_inode;
1025 struct avc_audit_data ad;
1028 AVC_AUDIT_DATA_INIT(&ad, FS);
1030 ad.u.fs.dentry = dentry;
1032 if (tsec->sid != fsec->sid) {
1033 rc = avc_has_perm(tsec->sid, fsec->sid,
1041 /* av is zero if only checking access to the descriptor. */
1043 return inode_has_perm(tsk, inode, av, &fsec->inode_avcr, &ad);
1048 /* Check whether a task can create a file. */
1049 static int may_create(struct inode *dir,
1050 struct dentry *dentry,
1053 struct task_security_struct *tsec;
1054 struct inode_security_struct *dsec;
1055 struct superblock_security_struct *sbsec;
1057 struct avc_audit_data ad;
1060 tsec = current->security;
1061 dsec = dir->i_security;
1062 sbsec = dir->i_sb->s_security;
1064 AVC_AUDIT_DATA_INIT(&ad, FS);
1065 ad.u.fs.dentry = dentry;
1067 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1068 DIR__ADD_NAME | DIR__SEARCH,
1073 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1074 newsid = tsec->create_sid;
1076 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1082 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, NULL, &ad);
1086 return avc_has_perm(newsid, sbsec->sid,
1087 SECCLASS_FILESYSTEM,
1088 FILESYSTEM__ASSOCIATE, NULL, &ad);
1092 #define MAY_UNLINK 1
1095 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1096 static int may_link(struct inode *dir,
1097 struct dentry *dentry,
1101 struct task_security_struct *tsec;
1102 struct inode_security_struct *dsec, *isec;
1103 struct avc_audit_data ad;
1107 tsec = current->security;
1108 dsec = dir->i_security;
1109 isec = dentry->d_inode->i_security;
1111 AVC_AUDIT_DATA_INIT(&ad, FS);
1112 ad.u.fs.dentry = dentry;
1115 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1116 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1117 av, &dsec->avcr, &ad);
1132 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1136 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
1137 av, &isec->avcr, &ad);
1141 static inline int may_rename(struct inode *old_dir,
1142 struct dentry *old_dentry,
1143 struct inode *new_dir,
1144 struct dentry *new_dentry)
1146 struct task_security_struct *tsec;
1147 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1148 struct avc_audit_data ad;
1150 int old_is_dir, new_is_dir;
1153 tsec = current->security;
1154 old_dsec = old_dir->i_security;
1155 old_isec = old_dentry->d_inode->i_security;
1156 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1157 new_dsec = new_dir->i_security;
1159 AVC_AUDIT_DATA_INIT(&ad, FS);
1161 ad.u.fs.dentry = old_dentry;
1162 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1163 DIR__REMOVE_NAME | DIR__SEARCH,
1164 &old_dsec->avcr, &ad);
1167 rc = avc_has_perm(tsec->sid, old_isec->sid,
1170 &old_isec->avcr, &ad);
1173 if (old_is_dir && new_dir != old_dir) {
1174 rc = avc_has_perm(tsec->sid, old_isec->sid,
1177 &old_isec->avcr, &ad);
1182 ad.u.fs.dentry = new_dentry;
1183 av = DIR__ADD_NAME | DIR__SEARCH;
1184 if (new_dentry->d_inode)
1185 av |= DIR__REMOVE_NAME;
1186 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR,
1187 av,&new_dsec->avcr, &ad);
1190 if (new_dentry->d_inode) {
1191 new_isec = new_dentry->d_inode->i_security;
1192 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1193 rc = avc_has_perm(tsec->sid, new_isec->sid,
1195 (new_is_dir ? DIR__RMDIR : FILE__UNLINK),
1196 &new_isec->avcr, &ad);
1204 /* Check whether a task can perform a filesystem operation. */
1205 int superblock_has_perm(struct task_struct *tsk,
1206 struct super_block *sb,
1208 struct avc_audit_data *ad)
1210 struct task_security_struct *tsec;
1211 struct superblock_security_struct *sbsec;
1213 tsec = tsk->security;
1214 sbsec = sb->s_security;
1215 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1219 /* Convert a Linux mode and permission mask to an access vector. */
1220 static inline u32 file_mask_to_av(int mode, int mask)
1224 if ((mode & S_IFMT) != S_IFDIR) {
1225 if (mask & MAY_EXEC)
1226 av |= FILE__EXECUTE;
1227 if (mask & MAY_READ)
1230 if (mask & MAY_APPEND)
1232 else if (mask & MAY_WRITE)
1236 if (mask & MAY_EXEC)
1238 if (mask & MAY_WRITE)
1240 if (mask & MAY_READ)
1247 /* Convert a Linux file to an access vector. */
1248 static inline u32 file_to_av(struct file *file)
1252 if (file->f_mode & FMODE_READ)
1254 if (file->f_mode & FMODE_WRITE) {
1255 if (file->f_flags & O_APPEND)
1264 /* Set an inode's SID to a specified value. */
1265 int inode_security_set_sid(struct inode *inode, u32 sid)
1267 struct inode_security_struct *isec = inode->i_security;
1270 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1272 isec->initialized = 1;
1277 /* Set the security attributes on a newly created file. */
1278 static int post_create(struct inode *dir,
1279 struct dentry *dentry)
1282 struct task_security_struct *tsec;
1283 struct inode *inode;
1284 struct inode_security_struct *dsec;
1285 struct superblock_security_struct *sbsec;
1291 tsec = current->security;
1292 dsec = dir->i_security;
1293 sbsec = dir->i_sb->s_security;
1295 inode = dentry->d_inode;
1297 /* Some file system types (e.g. NFS) may not instantiate
1298 a dentry for all create operations (e.g. symlink),
1299 so we have to check to see if the inode is non-NULL. */
1300 printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
1301 "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1305 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1306 newsid = tsec->create_sid;
1308 rc = security_transition_sid(tsec->sid, dsec->sid,
1309 inode_mode_to_security_class(inode->i_mode),
1312 printk(KERN_WARNING "post_create: "
1313 "security_transition_sid failed, rc=%d (dev=%s "
1315 -rc, inode->i_sb->s_id, inode->i_ino);
1320 rc = inode_security_set_sid(inode, newsid);
1322 printk(KERN_WARNING "post_create: inode_security_set_sid "
1323 "failed, rc=%d (dev=%s ino=%ld)\n",
1324 -rc, inode->i_sb->s_id, inode->i_ino);
1328 if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1329 inode->i_op->setxattr) {
1330 /* Use extended attributes. */
1331 rc = security_sid_to_context(newsid, &context, &len);
1333 printk(KERN_WARNING "post_create: sid_to_context "
1334 "failed, rc=%d (dev=%s ino=%ld)\n",
1335 -rc, inode->i_sb->s_id, inode->i_ino);
1338 down(&inode->i_sem);
1339 rc = inode->i_op->setxattr(dentry,
1345 printk(KERN_WARNING "post_create: setxattr failed, "
1346 "rc=%d (dev=%s ino=%ld)\n",
1347 -rc, inode->i_sb->s_id, inode->i_ino);
1356 /* Hook functions begin here. */
1358 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1360 struct task_security_struct *psec = parent->security;
1361 struct task_security_struct *csec = child->security;
1364 rc = secondary_ops->ptrace(parent,child);
1368 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1369 /* Save the SID of the tracing process for later use in apply_creds. */
1371 csec->ptrace_sid = psec->sid;
1375 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1376 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1380 error = task_has_perm(current, target, PROCESS__GETCAP);
1384 return secondary_ops->capget(target, effective, inheritable, permitted);
1387 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1388 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1392 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1396 return task_has_perm(current, target, PROCESS__SETCAP);
1399 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1400 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1404 error = task_has_perm(current, target, PROCESS__SETCAP);
1408 secondary_ops->capset_set(target, effective, inheritable, permitted);
1411 static int selinux_capable(struct task_struct *tsk, int cap)
1415 rc = secondary_ops->capable(tsk, cap);
1419 return task_has_capability(tsk,cap);
1422 static int selinux_sysctl(ctl_table *table, int op)
1426 struct task_security_struct *tsec;
1430 rc = secondary_ops->sysctl(table, op);
1434 tsec = current->security;
1436 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1437 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1439 /* Default to the well-defined sysctl SID. */
1440 tsid = SECINITSID_SYSCTL;
1443 /* The op values are "defined" in sysctl.c, thereby creating
1444 * a bad coupling between this module and sysctl.c */
1446 error = avc_has_perm(tsec->sid, tsid,
1447 SECCLASS_DIR, DIR__SEARCH, NULL, NULL);
1455 error = avc_has_perm(tsec->sid, tsid,
1456 SECCLASS_FILE, av, NULL, NULL);
1462 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1475 rc = superblock_has_perm(current,
1477 FILESYSTEM__QUOTAMOD, NULL);
1482 rc = superblock_has_perm(current,
1484 FILESYSTEM__QUOTAGET, NULL);
1487 rc = 0; /* let the kernel handle invalid cmds */
1493 static int selinux_quota_on(struct file *f)
1495 return file_has_perm(current, f, FILE__QUOTAON);
1498 static int selinux_syslog(int type)
1502 rc = secondary_ops->syslog(type);
1507 case 3: /* Read last kernel messages */
1508 case 10: /* Return size of the log buffer */
1509 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1511 case 6: /* Disable logging to console */
1512 case 7: /* Enable logging to console */
1513 case 8: /* Set level of messages printed to console */
1514 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1516 case 0: /* Close log */
1517 case 1: /* Open log */
1518 case 2: /* Read from log */
1519 case 4: /* Read/clear last kernel messages */
1520 case 5: /* Clear ring buffer */
1522 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1529 * Check that a process has enough memory to allocate a new virtual
1530 * mapping. 0 means there is enough memory for the allocation to
1531 * succeed and -ENOMEM implies there is not.
1533 * We currently support three overcommit policies, which are set via the
1534 * vm.overcommit_memory sysctl. See Documentation/vm/overcommit-accounting
1536 * Strict overcommit modes added 2002 Feb 26 by Alan Cox.
1537 * Additional code 2002 Jul 20 by Robert Love.
1539 static int selinux_vm_enough_memory(long pages)
1541 unsigned long free, allowed;
1543 struct task_security_struct *tsec = current->security;
1545 vm_acct_memory(pages);
1548 * Sometimes we want to use more memory than we have
1550 if (sysctl_overcommit_memory == 1)
1553 if (sysctl_overcommit_memory == 0) {
1554 free = get_page_cache_size();
1555 free += nr_free_pages();
1556 free += nr_swap_pages;
1559 * Any slabs which are created with the
1560 * SLAB_RECLAIM_ACCOUNT flag claim to have contents
1561 * which are reclaimable, under pressure. The dentry
1562 * cache and most inode caches should fall into this
1564 free += atomic_read(&slab_reclaim_pages);
1567 * Leave the last 3% for privileged processes.
1568 * Don't audit the check, as it is applied to all processes
1569 * that allocate mappings.
1571 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1573 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1574 SECCLASS_CAPABILITY,
1575 CAP_TO_MASK(CAP_SYS_ADMIN),
1583 vm_unacct_memory(pages);
1587 allowed = (totalram_pages - hugetlb_total_pages())
1588 * sysctl_overcommit_ratio / 100;
1589 allowed += total_swap_pages;
1591 if (atomic_read(&vm_committed_space) < allowed)
1594 vm_unacct_memory(pages);
1599 /* binprm security operations */
1601 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1603 struct bprm_security_struct *bsec;
1605 bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1609 memset(bsec, 0, sizeof *bsec);
1610 bsec->magic = SELINUX_MAGIC;
1612 bsec->sid = SECINITSID_UNLABELED;
1615 bprm->security = bsec;
1619 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1621 struct task_security_struct *tsec;
1622 struct inode *inode = bprm->file->f_dentry->d_inode;
1623 struct inode_security_struct *isec;
1624 struct bprm_security_struct *bsec;
1626 struct avc_audit_data ad;
1629 rc = secondary_ops->bprm_set_security(bprm);
1633 bsec = bprm->security;
1638 tsec = current->security;
1639 isec = inode->i_security;
1641 /* Default to the current task SID. */
1642 bsec->sid = tsec->sid;
1644 /* Reset create SID on execve. */
1645 tsec->create_sid = 0;
1647 if (tsec->exec_sid) {
1648 newsid = tsec->exec_sid;
1649 /* Reset exec SID on execve. */
1652 /* Check for a default transition on this program. */
1653 rc = security_transition_sid(tsec->sid, isec->sid,
1654 SECCLASS_PROCESS, &newsid);
1659 AVC_AUDIT_DATA_INIT(&ad, FS);
1660 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1661 ad.u.fs.dentry = bprm->file->f_dentry;
1663 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1666 if (tsec->sid == newsid) {
1667 rc = avc_has_perm(tsec->sid, isec->sid,
1668 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS,
1673 /* Check permissions for the transition. */
1674 rc = avc_has_perm(tsec->sid, newsid,
1675 SECCLASS_PROCESS, PROCESS__TRANSITION,
1681 rc = avc_has_perm(newsid, isec->sid,
1682 SECCLASS_FILE, FILE__ENTRYPOINT,
1687 /* Set the security field to the new SID. */
1695 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1697 return secondary_ops->bprm_check_security(bprm);
1701 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1703 struct task_security_struct *tsec = current->security;
1706 if (tsec->osid != tsec->sid) {
1707 /* Enable secure mode for SIDs transitions unless
1708 the noatsecure permission is granted between
1709 the two SIDs, i.e. ahp returns 0. */
1710 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1712 PROCESS__NOATSECURE, NULL, NULL);
1715 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1718 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1720 struct bprm_security_struct *bsec = bprm->security;
1721 bprm->security = NULL;
1725 /* Create an open file that refers to the null device.
1726 Derived from the OpenWall LSM. */
1727 struct file *open_devnull(void)
1729 struct inode *inode;
1730 struct dentry *dentry;
1731 struct file *file = NULL;
1732 struct inode_security_struct *isec;
1735 inode = new_inode(current->fs->rootmnt->mnt_sb);
1739 dentry = dget(d_alloc_root(inode));
1743 file = get_empty_filp();
1747 dev = MKDEV(MEM_MAJOR, 3); /* null device */
1749 inode->i_uid = current->fsuid;
1750 inode->i_gid = current->fsgid;
1751 inode->i_blksize = PAGE_SIZE;
1752 inode->i_blocks = 0;
1753 inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME;
1754 inode->i_state = I_DIRTY; /* so that mark_inode_dirty won't touch us */
1756 isec = inode->i_security;
1757 isec->sid = SECINITSID_DEVNULL;
1758 isec->sclass = SECCLASS_CHR_FILE;
1759 isec->initialized = 1;
1761 file->f_flags = O_RDWR;
1762 file->f_mode = FMODE_READ | FMODE_WRITE;
1763 file->f_dentry = dentry;
1764 file->f_vfsmnt = mntget(current->fs->rootmnt);
1767 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, dev);
1768 if (inode->i_fop->open(inode, file))
1774 mntput(file->f_vfsmnt);
1784 /* Derived from fs/exec.c:flush_old_files. */
1785 static inline void flush_unauthorized_files(struct files_struct * files)
1787 struct avc_audit_data ad;
1788 struct file *file, *devnull = NULL;
1791 AVC_AUDIT_DATA_INIT(&ad,FS);
1793 spin_lock(&files->file_lock);
1795 unsigned long set, i;
1800 if (i >= files->max_fds || i >= files->max_fdset)
1802 set = files->open_fds->fds_bits[j];
1805 spin_unlock(&files->file_lock);
1806 for ( ; set ; i++,set >>= 1) {
1811 if (file_has_perm(current,
1813 file_to_av(file))) {
1815 fd = get_unused_fd();
1823 atomic_inc(&devnull->f_count);
1825 devnull = open_devnull();
1832 fd_install(fd, devnull);
1837 spin_lock(&files->file_lock);
1840 spin_unlock(&files->file_lock);
1843 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1845 struct task_security_struct *tsec;
1846 struct bprm_security_struct *bsec;
1848 struct av_decision avd;
1849 struct itimerval itimer;
1850 struct rlimit *rlim, *initrlim;
1853 secondary_ops->bprm_apply_creds(bprm, unsafe);
1855 tsec = current->security;
1857 bsec = bprm->security;
1860 tsec->osid = tsec->sid;
1861 if (tsec->sid != sid) {
1862 /* Check for shared state. If not ok, leave SID
1863 unchanged and kill. */
1864 if (unsafe & LSM_UNSAFE_SHARE) {
1865 rc = avc_has_perm_noaudit(tsec->sid, sid,
1866 SECCLASS_PROCESS, PROCESS__SHARE,
1869 task_unlock(current);
1870 avc_audit(tsec->sid, sid, SECCLASS_PROCESS,
1871 PROCESS__SHARE, &avd, rc, NULL);
1872 force_sig_specific(SIGKILL, current);
1877 /* Check for ptracing, and update the task SID if ok.
1878 Otherwise, leave SID unchanged and kill. */
1879 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1880 rc = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
1881 SECCLASS_PROCESS, PROCESS__PTRACE,
1885 task_unlock(current);
1886 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
1887 PROCESS__PTRACE, &avd, rc, NULL);
1889 force_sig_specific(SIGKILL, current);
1894 task_unlock(current);
1897 /* Close files for which the new task SID is not authorized. */
1898 flush_unauthorized_files(current->files);
1900 /* Check whether the new SID can inherit signal state
1901 from the old SID. If not, clear itimers to avoid
1902 subsequent signal generation and flush and unblock
1903 signals. This must occur _after_ the task SID has
1904 been updated so that any kill done after the flush
1905 will be checked against the new SID. */
1906 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1907 PROCESS__SIGINH, NULL, NULL);
1909 memset(&itimer, 0, sizeof itimer);
1910 for (i = 0; i < 3; i++)
1911 do_setitimer(i, &itimer, NULL);
1912 flush_signals(current);
1913 spin_lock_irq(¤t->sighand->siglock);
1914 flush_signal_handlers(current, 1);
1915 sigemptyset(¤t->blocked);
1916 recalc_sigpending();
1917 spin_unlock_irq(¤t->sighand->siglock);
1920 /* Check whether the new SID can inherit resource limits
1921 from the old SID. If not, reset all soft limits to
1922 the lower of the current task's hard limit and the init
1923 task's soft limit. Note that the setting of hard limits
1924 (even to lower them) can be controlled by the setrlimit
1925 check. The inclusion of the init task's soft limit into
1926 the computation is to avoid resetting soft limits higher
1927 than the default soft limit for cases where the default
1928 is lower than the hard limit, e.g. RLIMIT_CORE or
1930 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1931 PROCESS__RLIMITINH, NULL, NULL);
1933 for (i = 0; i < RLIM_NLIMITS; i++) {
1934 rlim = current->rlim + i;
1935 initrlim = init_task.rlim+i;
1936 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1940 /* Wake up the parent if it is waiting so that it can
1941 recheck wait permission to the new task SID. */
1942 wake_up_interruptible(¤t->parent->wait_chldexit);
1950 /* superblock security operations */
1952 static int selinux_sb_alloc_security(struct super_block *sb)
1954 return superblock_alloc_security(sb);
1957 static void selinux_sb_free_security(struct super_block *sb)
1959 superblock_free_security(sb);
1962 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1967 return !memcmp(prefix, option, plen);
1970 static inline int selinux_option(char *option, int len)
1972 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1973 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1974 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1977 static inline void take_option(char **to, char *from, int *first, int len)
1985 memcpy(*to, from, len);
1989 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1991 int fnosec, fsec, rc = 0;
1992 char *in_save, *in_curr, *in_end;
1993 char *sec_curr, *nosec_save, *nosec;
1998 /* Binary mount data: just copy */
1999 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2000 copy_page(sec_curr, in_curr);
2004 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2012 in_save = in_end = orig;
2015 if (*in_end == ',' || *in_end == '\0') {
2016 int len = in_end - in_curr;
2018 if (selinux_option(in_curr, len))
2019 take_option(&sec_curr, in_curr, &fsec, len);
2021 take_option(&nosec, in_curr, &fnosec, len);
2023 in_curr = in_end + 1;
2025 } while (*in_end++);
2027 copy_page(in_save, nosec_save);
2032 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2034 struct avc_audit_data ad;
2037 rc = superblock_doinit(sb, data);
2041 AVC_AUDIT_DATA_INIT(&ad,FS);
2042 ad.u.fs.dentry = sb->s_root;
2043 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2046 static int selinux_sb_statfs(struct super_block *sb)
2048 struct avc_audit_data ad;
2050 AVC_AUDIT_DATA_INIT(&ad,FS);
2051 ad.u.fs.dentry = sb->s_root;
2052 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
2055 static int selinux_mount(char * dev_name,
2056 struct nameidata *nd,
2058 unsigned long flags,
2063 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2067 if (flags & MS_REMOUNT)
2068 return superblock_has_perm(current, nd->mnt->mnt_sb,
2069 FILESYSTEM__REMOUNT, NULL);
2071 return dentry_has_perm(current, nd->mnt, nd->dentry,
2075 static int selinux_umount(struct vfsmount *mnt, int flags)
2079 rc = secondary_ops->sb_umount(mnt, flags);
2083 return superblock_has_perm(current,mnt->mnt_sb,
2084 FILESYSTEM__UNMOUNT,NULL);
2087 /* inode security operations */
2089 static int selinux_inode_alloc_security(struct inode *inode)
2091 return inode_alloc_security(inode);
2094 static void selinux_inode_free_security(struct inode *inode)
2096 inode_free_security(inode);
2099 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2101 return may_create(dir, dentry, SECCLASS_FILE);
2104 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2106 post_create(dir, dentry);
2109 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2113 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2116 return may_link(dir, old_dentry, MAY_LINK);
2119 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2124 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2128 rc = secondary_ops->inode_unlink(dir, dentry);
2131 return may_link(dir, dentry, MAY_UNLINK);
2134 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2136 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2139 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2141 post_create(dir, dentry);
2144 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2146 return may_create(dir, dentry, SECCLASS_DIR);
2149 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2151 post_create(dir, dentry);
2154 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2156 return may_link(dir, dentry, MAY_RMDIR);
2159 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2163 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2167 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2170 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2172 post_create(dir, dentry);
2175 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2176 struct inode *new_inode, struct dentry *new_dentry)
2178 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2181 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2182 struct inode *new_inode, struct dentry *new_dentry)
2187 static int selinux_inode_readlink(struct dentry *dentry)
2189 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2192 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2196 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2199 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2202 static int selinux_inode_permission(struct inode *inode, int mask,
2203 struct nameidata *nd)
2207 rc = secondary_ops->inode_permission(inode, mask, nd);
2212 /* No permission to check. Existence test. */
2216 return inode_has_perm(current, inode,
2217 file_mask_to_av(inode->i_mode, mask), NULL, NULL);
2220 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2224 rc = secondary_ops->inode_setattr(dentry, iattr);
2228 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2229 ATTR_ATIME_SET | ATTR_MTIME_SET))
2230 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2232 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2235 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2237 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2240 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2242 struct task_security_struct *tsec = current->security;
2243 struct inode *inode = dentry->d_inode;
2244 struct inode_security_struct *isec = inode->i_security;
2245 struct superblock_security_struct *sbsec;
2246 struct avc_audit_data ad;
2250 if (strcmp(name, XATTR_NAME_SELINUX)) {
2251 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2252 sizeof XATTR_SECURITY_PREFIX - 1) &&
2253 !capable(CAP_SYS_ADMIN)) {
2254 /* A different attribute in the security namespace.
2255 Restrict to administrator. */
2259 /* Not an attribute we recognize, so just check the
2260 ordinary setattr permission. */
2261 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2264 sbsec = inode->i_sb->s_security;
2265 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2268 AVC_AUDIT_DATA_INIT(&ad,FS);
2269 ad.u.fs.dentry = dentry;
2271 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2277 rc = security_context_to_sid(value, size, &newsid);
2281 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2282 FILE__RELABELTO, NULL, &ad);
2286 return avc_has_perm(newsid,
2288 SECCLASS_FILESYSTEM,
2289 FILESYSTEM__ASSOCIATE,
2294 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2295 void *value, size_t size, int flags)
2297 struct inode *inode = dentry->d_inode;
2298 struct inode_security_struct *isec = inode->i_security;
2302 if (strcmp(name, XATTR_NAME_SELINUX)) {
2303 /* Not an attribute we recognize, so nothing to do. */
2307 rc = security_context_to_sid(value, size, &newsid);
2309 printk(KERN_WARNING "%s: unable to obtain SID for context "
2310 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2318 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2320 struct inode *inode = dentry->d_inode;
2321 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2323 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2326 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2329 static int selinux_inode_listxattr (struct dentry *dentry)
2331 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2334 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2336 if (strcmp(name, XATTR_NAME_SELINUX)) {
2337 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2338 sizeof XATTR_SECURITY_PREFIX - 1) &&
2339 !capable(CAP_SYS_ADMIN)) {
2340 /* A different attribute in the security namespace.
2341 Restrict to administrator. */
2345 /* Not an attribute we recognize, so just check the
2346 ordinary setattr permission. Might want a separate
2347 permission for removexattr. */
2348 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2351 /* No one is allowed to remove a SELinux security label.
2352 You can change the label, but all data must be labeled. */
2356 static int selinux_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
2358 struct inode *inode = dentry->d_inode;
2359 struct inode_security_struct *isec = inode->i_security;
2364 /* Permission check handled by selinux_inode_getxattr hook.*/
2366 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2369 rc = security_sid_to_context(isec->sid, &context, &len);
2373 if (!buffer || !size) {
2381 memcpy(buffer, context, len);
2386 static int selinux_inode_setsecurity(struct dentry *dentry, const char *name,
2387 const void *value, size_t size, int flags)
2389 struct inode *inode = dentry->d_inode;
2390 struct inode_security_struct *isec = inode->i_security;
2394 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2397 if (!value || !size)
2400 rc = security_context_to_sid((void*)value, size, &newsid);
2408 static int selinux_inode_listsecurity(struct dentry *dentry, char *buffer)
2410 const int len = sizeof(XATTR_NAME_SELINUX);
2412 memcpy(buffer, XATTR_NAME_SELINUX, len);
2416 /* file security operations */
2418 static int selinux_file_permission(struct file *file, int mask)
2420 struct inode *inode = file->f_dentry->d_inode;
2423 /* No permission to check. Existence test. */
2427 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2428 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2431 return file_has_perm(current, file,
2432 file_mask_to_av(inode->i_mode, mask));
2435 static int selinux_file_alloc_security(struct file *file)
2437 return file_alloc_security(file);
2440 static void selinux_file_free_security(struct file *file)
2442 file_free_security(file);
2445 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2457 case EXT2_IOC_GETFLAGS:
2459 case EXT2_IOC_GETVERSION:
2460 error = file_has_perm(current, file, FILE__GETATTR);
2463 case EXT2_IOC_SETFLAGS:
2465 case EXT2_IOC_SETVERSION:
2466 error = file_has_perm(current, file, FILE__SETATTR);
2469 /* sys_ioctl() checks */
2473 error = file_has_perm(current, file, 0);
2478 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2481 /* default case assumes that the command will go
2482 * to the file's ioctl() function.
2485 error = file_has_perm(current, file, FILE__IOCTL);
2491 static int selinux_file_mmap(struct file *file, unsigned long prot, unsigned long flags)
2496 rc = secondary_ops->file_mmap(file, prot, flags);
2501 /* read access is always possible with a mapping */
2504 /* write access only matters if the mapping is shared */
2505 if ((flags & MAP_TYPE) == MAP_SHARED && (prot & PROT_WRITE))
2508 if (prot & PROT_EXEC)
2509 av |= FILE__EXECUTE;
2511 return file_has_perm(current, file, av);
2516 static int selinux_file_mprotect(struct vm_area_struct *vma,
2521 rc = secondary_ops->file_mprotect(vma, prot);
2525 return selinux_file_mmap(vma->vm_file, prot, vma->vm_flags);
2528 static int selinux_file_lock(struct file *file, unsigned int cmd)
2530 return file_has_perm(current, file, FILE__LOCK);
2533 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2540 if (!file->f_dentry || !file->f_dentry->d_inode) {
2545 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2546 err = file_has_perm(current, file,FILE__WRITE);
2555 /* Just check FD__USE permission */
2556 err = file_has_perm(current, file, 0);
2561 #if BITS_PER_LONG == 32
2566 if (!file->f_dentry || !file->f_dentry->d_inode) {
2570 err = file_has_perm(current, file, FILE__LOCK);
2577 static int selinux_file_set_fowner(struct file *file)
2579 struct task_security_struct *tsec;
2580 struct file_security_struct *fsec;
2582 tsec = current->security;
2583 fsec = file->f_security;
2584 fsec->fown_sid = tsec->sid;
2589 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2590 struct fown_struct *fown,
2595 struct task_security_struct *tsec;
2596 struct file_security_struct *fsec;
2598 /* struct fown_struct is never outside the context of a struct file */
2599 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2601 tsec = tsk->security;
2602 fsec = file->f_security;
2605 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2607 perm = signal_to_av(fown->signum);
2609 return avc_has_perm(fsec->fown_sid, tsec->sid,
2610 SECCLASS_PROCESS, perm, NULL, NULL);
2613 static int selinux_file_receive(struct file *file)
2615 return file_has_perm(current, file, file_to_av(file));
2618 /* task security operations */
2620 static int selinux_task_create(unsigned long clone_flags)
2624 rc = secondary_ops->task_create(clone_flags);
2628 return task_has_perm(current, current, PROCESS__FORK);
2631 static int selinux_task_alloc_security(struct task_struct *tsk)
2633 struct task_security_struct *tsec1, *tsec2;
2636 tsec1 = current->security;
2638 rc = task_alloc_security(tsk);
2641 tsec2 = tsk->security;
2643 tsec2->osid = tsec1->osid;
2644 tsec2->sid = tsec1->sid;
2646 /* Retain the exec and create SIDs across fork */
2647 tsec2->exec_sid = tsec1->exec_sid;
2648 tsec2->create_sid = tsec1->create_sid;
2653 static void selinux_task_free_security(struct task_struct *tsk)
2655 task_free_security(tsk);
2658 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2660 /* Since setuid only affects the current process, and
2661 since the SELinux controls are not based on the Linux
2662 identity attributes, SELinux does not need to control
2663 this operation. However, SELinux does control the use
2664 of the CAP_SETUID and CAP_SETGID capabilities using the
2669 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2671 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2674 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2676 /* See the comment for setuid above. */
2680 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2682 return task_has_perm(current, p, PROCESS__SETPGID);
2685 static int selinux_task_getpgid(struct task_struct *p)
2687 return task_has_perm(current, p, PROCESS__GETPGID);
2690 static int selinux_task_getsid(struct task_struct *p)
2692 return task_has_perm(current, p, PROCESS__GETSESSION);
2695 static int selinux_task_setgroups(struct group_info *group_info)
2697 /* See the comment for setuid above. */
2701 static int selinux_task_setnice(struct task_struct *p, int nice)
2705 rc = secondary_ops->task_setnice(p, nice);
2709 return task_has_perm(current,p, PROCESS__SETSCHED);
2712 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2714 struct rlimit *old_rlim = current->rlim + resource;
2717 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2721 /* Control the ability to change the hard limit (whether
2722 lowering or raising it), so that the hard limit can
2723 later be used as a safe reset point for the soft limit
2724 upon context transitions. See selinux_bprm_apply_creds. */
2725 if (old_rlim->rlim_max != new_rlim->rlim_max)
2726 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2731 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2733 struct task_security_struct *tsec1, *tsec2;
2735 tsec1 = current->security;
2736 tsec2 = p->security;
2738 /* No auditing from the setscheduler hook, since the runqueue lock
2739 is held and the system will deadlock if we try to log an audit
2741 return avc_has_perm_noaudit(tsec1->sid, tsec2->sid,
2742 SECCLASS_PROCESS, PROCESS__SETSCHED,
2743 &tsec2->avcr, NULL);
2746 static int selinux_task_getscheduler(struct task_struct *p)
2748 return task_has_perm(current, p, PROCESS__GETSCHED);
2751 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2756 rc = secondary_ops->task_kill(p, info, sig);
2760 if (info && ((unsigned long)info == 1 ||
2761 (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2765 perm = PROCESS__SIGNULL; /* null signal; existence test */
2767 perm = signal_to_av(sig);
2769 return task_has_perm(current, p, perm);
2772 static int selinux_task_prctl(int option,
2778 /* The current prctl operations do not appear to require
2779 any SELinux controls since they merely observe or modify
2780 the state of the current process. */
2784 static int selinux_task_wait(struct task_struct *p)
2788 perm = signal_to_av(p->exit_signal);
2790 return task_has_perm(p, current, perm);
2793 static void selinux_task_reparent_to_init(struct task_struct *p)
2795 struct task_security_struct *tsec;
2797 secondary_ops->task_reparent_to_init(p);
2800 tsec->osid = tsec->sid;
2801 tsec->sid = SECINITSID_KERNEL;
2805 static void selinux_task_to_inode(struct task_struct *p,
2806 struct inode *inode)
2808 struct task_security_struct *tsec = p->security;
2809 struct inode_security_struct *isec = inode->i_security;
2811 isec->sid = tsec->sid;
2812 isec->initialized = 1;
2816 #ifdef CONFIG_SECURITY_NETWORK
2818 /* Returns error only if unable to parse addresses */
2819 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2821 int offset, ihlen, ret;
2824 offset = skb->nh.raw - skb->data;
2825 ret = skb_copy_bits(skb, offset, &iph, sizeof(iph));
2829 ihlen = iph.ihl * 4;
2830 if (ihlen < sizeof(iph))
2833 ad->u.net.v4info.saddr = iph.saddr;
2834 ad->u.net.v4info.daddr = iph.daddr;
2836 switch (iph.protocol) {
2840 if (ntohs(iph.frag_off) & IP_OFFSET)
2844 if (skb_copy_bits(skb, offset, &tcph, sizeof(tcph)) < 0)
2847 ad->u.net.sport = tcph.source;
2848 ad->u.net.dport = tcph.dest;
2855 if (ntohs(iph.frag_off) & IP_OFFSET)
2859 if (skb_copy_bits(skb, offset, &udph, sizeof(udph)) < 0)
2862 ad->u.net.sport = udph.source;
2863 ad->u.net.dport = udph.dest;
2874 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2876 /* Returns error only if unable to parse addresses */
2877 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2881 struct ipv6hdr ipv6h;
2883 offset = skb->nh.raw - skb->data;
2884 ret = skb_copy_bits(skb, offset, &ipv6h, sizeof(ipv6h));
2888 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ipv6h.saddr);
2889 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ipv6h.daddr);
2891 nexthdr = ipv6h.nexthdr;
2892 offset += sizeof(ipv6h);
2893 offset = ipv6_skip_exthdr(skb, offset, &nexthdr,
2894 skb->tail - skb->head - offset);
2902 if (skb_copy_bits(skb, offset, &tcph, sizeof(tcph)) < 0)
2905 ad->u.net.sport = tcph.source;
2906 ad->u.net.dport = tcph.dest;
2913 if (skb_copy_bits(skb, offset, &udph, sizeof(udph)) < 0)
2916 ad->u.net.sport = udph.source;
2917 ad->u.net.dport = udph.dest;
2921 /* includes fragments */
2931 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2932 char **addrp, int *len, int src)
2936 switch (ad->u.net.family) {
2938 ret = selinux_parse_skb_ipv4(skb, ad);
2942 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2943 &ad->u.net.v4info.daddr);
2946 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2948 ret = selinux_parse_skb_ipv6(skb, ad);
2952 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2953 &ad->u.net.v6info.daddr);
2963 /* socket security operations */
2964 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2967 struct inode_security_struct *isec;
2968 struct task_security_struct *tsec;
2969 struct avc_audit_data ad;
2972 tsec = task->security;
2973 isec = SOCK_INODE(sock)->i_security;
2975 if (isec->sid == SECINITSID_KERNEL)
2978 AVC_AUDIT_DATA_INIT(&ad,NET);
2979 ad.u.net.sk = sock->sk;
2980 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2981 perms, &isec->avcr, &ad);
2987 static int selinux_socket_create(int family, int type,
2988 int protocol, int kern)
2991 struct task_security_struct *tsec;
2996 tsec = current->security;
2997 err = avc_has_perm(tsec->sid, tsec->sid,
2998 socket_type_to_security_class(family, type,
2999 protocol), SOCKET__CREATE, NULL, NULL);
3005 static void selinux_socket_post_create(struct socket *sock, int family,
3006 int type, int protocol, int kern)
3009 struct inode_security_struct *isec;
3010 struct task_security_struct *tsec;
3012 err = inode_doinit(SOCK_INODE(sock));
3015 isec = SOCK_INODE(sock)->i_security;
3017 tsec = current->security;
3018 isec->sclass = socket_type_to_security_class(family, type, protocol);
3019 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
3024 /* Range of port numbers used to automatically bind.
3025 Need to determine whether we should perform a name_bind
3026 permission check between the socket and the port number. */
3027 #define ip_local_port_range_0 sysctl_local_port_range[0]
3028 #define ip_local_port_range_1 sysctl_local_port_range[1]
3030 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3035 err = socket_has_perm(current, sock, SOCKET__BIND);
3040 * If PF_INET or PF_INET6, check name_bind permission for the port.
3042 family = sock->sk->sk_family;
3043 if (family == PF_INET || family == PF_INET6) {
3045 struct inode_security_struct *isec;
3046 struct task_security_struct *tsec;
3047 struct avc_audit_data ad;
3048 struct sockaddr_in *addr4 = NULL;
3049 struct sockaddr_in6 *addr6 = NULL;
3050 unsigned short snum;
3051 struct sock *sk = sock->sk;
3052 u32 sid, node_perm, addrlen;
3054 tsec = current->security;
3055 isec = SOCK_INODE(sock)->i_security;
3057 if (family == PF_INET) {
3058 addr4 = (struct sockaddr_in *)address;
3059 snum = ntohs(addr4->sin_port);
3060 addrlen = sizeof(addr4->sin_addr.s_addr);
3061 addrp = (char *)&addr4->sin_addr.s_addr;
3063 addr6 = (struct sockaddr_in6 *)address;
3064 snum = ntohs(addr6->sin6_port);
3065 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3066 addrp = (char *)&addr6->sin6_addr.s6_addr;
3069 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3070 snum > ip_local_port_range_1)) {
3071 err = security_port_sid(sk->sk_family, sk->sk_type,
3072 sk->sk_protocol, snum, &sid);
3075 AVC_AUDIT_DATA_INIT(&ad,NET);
3076 ad.u.net.sport = htons(snum);
3077 err = avc_has_perm(isec->sid, sid,
3079 SOCKET__NAME_BIND, NULL, &ad);
3084 switch(sk->sk_protocol) {
3086 node_perm = TCP_SOCKET__NODE_BIND;
3090 node_perm = UDP_SOCKET__NODE_BIND;
3094 node_perm = RAWIP_SOCKET__NODE_BIND;
3098 err = security_node_sid(family, addrp, addrlen, &sid);
3102 AVC_AUDIT_DATA_INIT(&ad,NET);
3103 ad.u.net.sport = htons(snum);
3104 ad.u.net.family = family;
3106 if (family == PF_INET)
3107 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3109 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3111 err = avc_has_perm(isec->sid, sid,
3112 isec->sclass, node_perm, NULL, &ad);
3120 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3122 return socket_has_perm(current, sock, SOCKET__CONNECT);
3125 static int selinux_socket_listen(struct socket *sock, int backlog)
3127 return socket_has_perm(current, sock, SOCKET__LISTEN);
3130 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3133 struct inode_security_struct *isec;
3134 struct inode_security_struct *newisec;
3136 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3140 err = inode_doinit(SOCK_INODE(newsock));
3143 newisec = SOCK_INODE(newsock)->i_security;
3145 isec = SOCK_INODE(sock)->i_security;
3146 newisec->sclass = isec->sclass;
3147 newisec->sid = isec->sid;
3152 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3155 return socket_has_perm(current, sock, SOCKET__WRITE);
3158 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3159 int size, int flags)
3161 return socket_has_perm(current, sock, SOCKET__READ);
3164 static int selinux_socket_getsockname(struct socket *sock)
3166 return socket_has_perm(current, sock, SOCKET__GETATTR);
3169 static int selinux_socket_getpeername(struct socket *sock)
3171 return socket_has_perm(current, sock, SOCKET__GETATTR);
3174 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3176 return socket_has_perm(current, sock, SOCKET__SETOPT);
3179 static int selinux_socket_getsockopt(struct socket *sock, int level,
3182 return socket_has_perm(current, sock, SOCKET__GETOPT);
3185 static int selinux_socket_shutdown(struct socket *sock, int how)
3187 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3190 static int selinux_socket_unix_stream_connect(struct socket *sock,
3191 struct socket *other,
3194 struct sk_security_struct *ssec;
3195 struct inode_security_struct *isec;
3196 struct inode_security_struct *other_isec;
3197 struct avc_audit_data ad;
3200 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3204 isec = SOCK_INODE(sock)->i_security;
3205 other_isec = SOCK_INODE(other)->i_security;
3207 AVC_AUDIT_DATA_INIT(&ad,NET);
3208 ad.u.net.sk = other->sk;
3210 err = avc_has_perm(isec->sid, other_isec->sid,
3212 UNIX_STREAM_SOCKET__CONNECTTO,
3213 &other_isec->avcr, &ad);
3217 /* connecting socket */
3218 ssec = sock->sk->sk_security;
3219 ssec->peer_sid = other_isec->sid;
3221 /* server child socket */
3222 ssec = newsk->sk_security;
3223 ssec->peer_sid = isec->sid;
3228 static int selinux_socket_unix_may_send(struct socket *sock,
3229 struct socket *other)
3231 struct inode_security_struct *isec;
3232 struct inode_security_struct *other_isec;
3233 struct avc_audit_data ad;
3236 isec = SOCK_INODE(sock)->i_security;
3237 other_isec = SOCK_INODE(other)->i_security;
3239 AVC_AUDIT_DATA_INIT(&ad,NET);
3240 ad.u.net.sk = other->sk;
3242 err = avc_has_perm(isec->sid, other_isec->sid,
3245 &other_isec->avcr, &ad);
3252 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3257 u32 netif_perm, node_perm, node_sid, recv_perm = 0;
3260 struct socket *sock;
3261 struct net_device *dev;
3262 struct sel_netif *netif;
3263 struct netif_security_struct *nsec;
3264 struct avc_audit_data ad;
3266 family = sk->sk_family;
3267 if (family != PF_INET && family != PF_INET6)
3270 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3271 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3274 read_lock_bh(&sk->sk_callback_lock);
3275 sock = sk->sk_socket;
3277 struct inode *inode;
3278 inode = SOCK_INODE(sock);
3280 struct inode_security_struct *isec;
3281 isec = inode->i_security;
3282 sock_sid = isec->sid;
3283 sock_class = isec->sclass;
3286 read_unlock_bh(&sk->sk_callback_lock);
3294 netif = sel_netif_lookup(dev);
3295 if (IS_ERR(netif)) {
3296 err = PTR_ERR(netif);
3300 nsec = &netif->nsec;
3302 switch (sock_class) {
3303 case SECCLASS_UDP_SOCKET:
3304 netif_perm = NETIF__UDP_RECV;
3305 node_perm = NODE__UDP_RECV;
3306 recv_perm = UDP_SOCKET__RECV_MSG;
3309 case SECCLASS_TCP_SOCKET:
3310 netif_perm = NETIF__TCP_RECV;
3311 node_perm = NODE__TCP_RECV;
3312 recv_perm = TCP_SOCKET__RECV_MSG;
3316 netif_perm = NETIF__RAWIP_RECV;
3317 node_perm = NODE__RAWIP_RECV;
3321 AVC_AUDIT_DATA_INIT(&ad, NET);
3322 ad.u.net.netif = dev->name;
3323 ad.u.net.family = family;
3325 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3327 sel_netif_put(netif);
3331 err = avc_has_perm(sock_sid, nsec->if_sid, SECCLASS_NETIF,
3332 netif_perm, &nsec->avcr, &ad);
3333 sel_netif_put(netif);
3337 /* Fixme: this lookup is inefficient */
3338 err = security_node_sid(family, addrp, len, &node_sid);
3342 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, NULL, &ad);
3349 /* Fixme: make this more efficient */
3350 err = security_port_sid(sk->sk_family, sk->sk_type,
3351 sk->sk_protocol, ntohs(ad.u.net.sport),
3356 err = avc_has_perm(sock_sid, port_sid, sock_class,
3357 recv_perm, NULL, &ad);
3363 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3364 int __user *optlen, unsigned len)
3369 struct sk_security_struct *ssec;
3370 struct inode_security_struct *isec;
3372 isec = SOCK_INODE(sock)->i_security;
3373 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3378 ssec = sock->sk->sk_security;
3380 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3384 if (scontext_len > len) {
3389 if (copy_to_user(optval, scontext, scontext_len))
3393 if (put_user(scontext_len, optlen))
3401 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3403 return sk_alloc_security(sk, family, priority);
3406 static void selinux_sk_free_security(struct sock *sk)
3408 sk_free_security(sk);
3411 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3415 struct nlmsghdr *nlh;
3416 struct socket *sock = sk->sk_socket;
3417 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3419 if (skb->len < NLMSG_SPACE(0)) {
3423 nlh = (struct nlmsghdr *)skb->data;
3425 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3433 err = socket_has_perm(current, sock, perm);
3438 #ifdef CONFIG_NETFILTER
3440 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3441 struct sk_buff **pskb,
3442 const struct net_device *in,
3443 const struct net_device *out,
3444 int (*okfn)(struct sk_buff *),
3448 int len, err = NF_ACCEPT;
3449 u32 netif_perm, node_perm, node_sid, send_perm = 0;
3451 struct socket *sock;
3452 struct inode *inode;
3453 struct sel_netif *netif;
3454 struct sk_buff *skb = *pskb;
3455 struct netif_security_struct *nsec;
3456 struct inode_security_struct *isec;
3457 struct avc_audit_data ad;
3458 struct net_device *dev = (struct net_device *)out;
3464 sock = sk->sk_socket;
3468 inode = SOCK_INODE(sock);
3472 netif = sel_netif_lookup(dev);
3473 if (IS_ERR(netif)) {
3478 nsec = &netif->nsec;
3479 isec = inode->i_security;
3481 switch (isec->sclass) {
3482 case SECCLASS_UDP_SOCKET:
3483 netif_perm = NETIF__UDP_SEND;
3484 node_perm = NODE__UDP_SEND;
3485 send_perm = UDP_SOCKET__SEND_MSG;
3488 case SECCLASS_TCP_SOCKET:
3489 netif_perm = NETIF__TCP_SEND;
3490 node_perm = NODE__TCP_SEND;
3491 send_perm = TCP_SOCKET__SEND_MSG;
3495 netif_perm = NETIF__RAWIP_SEND;
3496 node_perm = NODE__RAWIP_SEND;
3501 AVC_AUDIT_DATA_INIT(&ad, NET);
3502 ad.u.net.netif = dev->name;
3503 ad.u.net.family = family;
3505 err = selinux_parse_skb(skb, &ad, &addrp,
3506 &len, 0) ? NF_DROP : NF_ACCEPT;
3507 if (err != NF_ACCEPT) {
3508 sel_netif_put(netif);
3512 err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
3513 netif_perm, &nsec->avcr, &ad) ? NF_DROP : NF_ACCEPT;
3514 sel_netif_put(netif);
3515 if (err != NF_ACCEPT)
3518 /* Fixme: this lookup is inefficient */
3519 err = security_node_sid(family, addrp, len,
3520 &node_sid) ? NF_DROP : NF_ACCEPT;
3521 if (err != NF_ACCEPT)
3524 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3525 node_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
3526 if (err != NF_ACCEPT)
3532 /* Fixme: make this more efficient */
3533 err = security_port_sid(sk->sk_family,
3536 ntohs(ad.u.net.dport),
3537 &port_sid) ? NF_DROP : NF_ACCEPT;
3538 if (err != NF_ACCEPT)
3541 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3542 send_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
3549 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3550 struct sk_buff **pskb,
3551 const struct net_device *in,
3552 const struct net_device *out,
3553 int (*okfn)(struct sk_buff *))
3555 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3558 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3560 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3561 struct sk_buff **pskb,
3562 const struct net_device *in,
3563 const struct net_device *out,
3564 int (*okfn)(struct sk_buff *))
3566 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3571 #endif /* CONFIG_NETFILTER */
3575 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3580 #endif /* CONFIG_SECURITY_NETWORK */
3582 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3586 if (capable(CAP_NET_ADMIN))
3587 cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
3589 NETLINK_CB(skb).eff_cap = 0;
3591 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3592 err = selinux_nlmsg_perm(sk, skb);
3597 static int selinux_netlink_recv(struct sk_buff *skb)
3599 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3604 static int ipc_alloc_security(struct task_struct *task,
3605 struct kern_ipc_perm *perm,
3608 struct task_security_struct *tsec = task->security;
3609 struct ipc_security_struct *isec;
3611 isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3615 memset(isec, 0, sizeof(struct ipc_security_struct));
3616 isec->magic = SELINUX_MAGIC;
3617 isec->sclass = sclass;
3618 isec->ipc_perm = perm;
3620 isec->sid = tsec->sid;
3622 isec->sid = SECINITSID_UNLABELED;
3624 perm->security = isec;
3629 static void ipc_free_security(struct kern_ipc_perm *perm)
3631 struct ipc_security_struct *isec = perm->security;
3632 if (!isec || isec->magic != SELINUX_MAGIC)
3635 perm->security = NULL;
3639 static int msg_msg_alloc_security(struct msg_msg *msg)
3641 struct msg_security_struct *msec;
3643 msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3647 memset(msec, 0, sizeof(struct msg_security_struct));
3648 msec->magic = SELINUX_MAGIC;
3650 msec->sid = SECINITSID_UNLABELED;
3651 msg->security = msec;
3656 static void msg_msg_free_security(struct msg_msg *msg)
3658 struct msg_security_struct *msec = msg->security;
3659 if (!msec || msec->magic != SELINUX_MAGIC)
3662 msg->security = NULL;
3666 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3667 u16 sclass, u32 perms)
3669 struct task_security_struct *tsec;
3670 struct ipc_security_struct *isec;
3671 struct avc_audit_data ad;
3673 tsec = current->security;
3674 isec = ipc_perms->security;
3676 AVC_AUDIT_DATA_INIT(&ad, IPC);
3677 ad.u.ipc_id = ipc_perms->key;
3679 return avc_has_perm(tsec->sid, isec->sid, sclass,
3680 perms, &isec->avcr, &ad);
3683 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3685 return msg_msg_alloc_security(msg);
3688 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3690 msg_msg_free_security(msg);
3693 /* message queue security operations */
3694 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3696 struct task_security_struct *tsec;
3697 struct ipc_security_struct *isec;
3698 struct avc_audit_data ad;
3701 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3705 tsec = current->security;
3706 isec = msq->q_perm.security;
3708 AVC_AUDIT_DATA_INIT(&ad, IPC);
3709 ad.u.ipc_id = msq->q_perm.key;
3711 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3712 MSGQ__CREATE, &isec->avcr, &ad);
3714 ipc_free_security(&msq->q_perm);
3720 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3722 ipc_free_security(&msq->q_perm);
3725 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3727 struct task_security_struct *tsec;
3728 struct ipc_security_struct *isec;
3729 struct avc_audit_data ad;
3731 tsec = current->security;
3732 isec = msq->q_perm.security;
3734 AVC_AUDIT_DATA_INIT(&ad, IPC);
3735 ad.u.ipc_id = msq->q_perm.key;
3737 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3738 MSGQ__ASSOCIATE, &isec->avcr, &ad);
3741 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3749 /* No specific object, just general system-wide information. */
3750 return task_has_system(current, SYSTEM__IPC_INFO);
3753 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3756 perms = MSGQ__SETATTR;
3759 perms = MSGQ__DESTROY;
3765 err = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms);
3769 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3771 struct task_security_struct *tsec;
3772 struct ipc_security_struct *isec;
3773 struct msg_security_struct *msec;
3774 struct avc_audit_data ad;
3777 tsec = current->security;
3778 isec = msq->q_perm.security;
3779 msec = msg->security;
3782 * First time through, need to assign label to the message
3784 if (msec->sid == SECINITSID_UNLABELED) {
3786 * Compute new sid based on current process and
3787 * message queue this message will be stored in
3789 rc = security_transition_sid(tsec->sid,
3797 AVC_AUDIT_DATA_INIT(&ad, IPC);
3798 ad.u.ipc_id = msq->q_perm.key;
3800 /* Can this process write to the queue? */
3801 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3802 MSGQ__WRITE, &isec->avcr, &ad);
3804 /* Can this process send the message */
3805 rc = avc_has_perm(tsec->sid, msec->sid,
3806 SECCLASS_MSG, MSG__SEND,
3809 /* Can the message be put in the queue? */
3810 rc = avc_has_perm(msec->sid, isec->sid,
3811 SECCLASS_MSGQ, MSGQ__ENQUEUE,
3817 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3818 struct task_struct *target,
3819 long type, int mode)
3821 struct task_security_struct *tsec;
3822 struct ipc_security_struct *isec;
3823 struct msg_security_struct *msec;
3824 struct avc_audit_data ad;
3827 tsec = target->security;
3828 isec = msq->q_perm.security;
3829 msec = msg->security;
3831 AVC_AUDIT_DATA_INIT(&ad, IPC);
3832 ad.u.ipc_id = msq->q_perm.key;
3834 rc = avc_has_perm(tsec->sid, isec->sid,
3835 SECCLASS_MSGQ, MSGQ__READ,
3838 rc = avc_has_perm(tsec->sid, msec->sid,
3839 SECCLASS_MSG, MSG__RECEIVE,
3844 /* Shared Memory security operations */
3845 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3847 struct task_security_struct *tsec;
3848 struct ipc_security_struct *isec;
3849 struct avc_audit_data ad;
3852 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3856 tsec = current->security;
3857 isec = shp->shm_perm.security;
3859 AVC_AUDIT_DATA_INIT(&ad, IPC);
3860 ad.u.ipc_id = shp->shm_perm.key;
3862 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3863 SHM__CREATE, &isec->avcr, &ad);
3865 ipc_free_security(&shp->shm_perm);
3871 static void selinux_shm_free_security(struct shmid_kernel *shp)
3873 ipc_free_security(&shp->shm_perm);
3876 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3878 struct task_security_struct *tsec;
3879 struct ipc_security_struct *isec;
3880 struct avc_audit_data ad;
3882 tsec = current->security;
3883 isec = shp->shm_perm.security;
3885 AVC_AUDIT_DATA_INIT(&ad, IPC);
3886 ad.u.ipc_id = shp->shm_perm.key;
3888 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3889 SHM__ASSOCIATE, &isec->avcr, &ad);
3892 /* Note, at this point, shp is locked down */
3893 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3901 /* No specific object, just general system-wide information. */
3902 return task_has_system(current, SYSTEM__IPC_INFO);
3905 perms = SHM__GETATTR | SHM__ASSOCIATE;
3908 perms = SHM__SETATTR;
3915 perms = SHM__DESTROY;
3921 err = ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3925 static int selinux_shm_shmat(struct shmid_kernel *shp,
3926 char __user *shmaddr, int shmflg)
3931 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3935 if (shmflg & SHM_RDONLY)
3938 perms = SHM__READ | SHM__WRITE;
3940 return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3943 /* Semaphore security operations */
3944 static int selinux_sem_alloc_security(struct sem_array *sma)
3946 struct task_security_struct *tsec;
3947 struct ipc_security_struct *isec;
3948 struct avc_audit_data ad;
3951 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3955 tsec = current->security;
3956 isec = sma->sem_perm.security;
3958 AVC_AUDIT_DATA_INIT(&ad, IPC);
3959 ad.u.ipc_id = sma->sem_perm.key;
3961 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3962 SEM__CREATE, &isec->avcr, &ad);
3964 ipc_free_security(&sma->sem_perm);
3970 static void selinux_sem_free_security(struct sem_array *sma)
3972 ipc_free_security(&sma->sem_perm);
3975 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3977 struct task_security_struct *tsec;
3978 struct ipc_security_struct *isec;
3979 struct avc_audit_data ad;
3981 tsec = current->security;
3982 isec = sma->sem_perm.security;
3984 AVC_AUDIT_DATA_INIT(&ad, IPC);
3985 ad.u.ipc_id = sma->sem_perm.key;
3987 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3988 SEM__ASSOCIATE, &isec->avcr, &ad);
3991 /* Note, at this point, sma is locked down */
3992 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4000 /* No specific object, just general system-wide information. */
4001 return task_has_system(current, SYSTEM__IPC_INFO);
4005 perms = SEM__GETATTR;
4016 perms = SEM__DESTROY;
4019 perms = SEM__SETATTR;
4023 perms = SEM__GETATTR | SEM__ASSOCIATE;
4029 err = ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
4033 static int selinux_sem_semop(struct sem_array *sma,
4034 struct sembuf *sops, unsigned nsops, int alter)
4039 perms = SEM__READ | SEM__WRITE;
4043 return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
4046 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4048 struct ipc_security_struct *isec = ipcp->security;
4049 u16 sclass = SECCLASS_IPC;
4052 if (isec && isec->magic == SELINUX_MAGIC)
4053 sclass = isec->sclass;
4057 av |= IPC__UNIX_READ;
4059 av |= IPC__UNIX_WRITE;
4064 return ipc_has_perm(ipcp, sclass, av);
4067 /* module stacking operations */
4068 int selinux_register_security (const char *name, struct security_operations *ops)
4070 if (secondary_ops != original_ops) {
4071 printk(KERN_INFO "%s: There is already a secondary security "
4072 "module registered.\n", __FUNCTION__);
4076 secondary_ops = ops;
4078 printk(KERN_INFO "%s: Registering secondary module %s\n",
4085 int selinux_unregister_security (const char *name, struct security_operations *ops)
4087 if (ops != secondary_ops) {
4088 printk (KERN_INFO "%s: trying to unregister a security module "
4089 "that is not registered.\n", __FUNCTION__);
4093 secondary_ops = original_ops;
4098 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4101 inode_doinit_with_dentry(inode, dentry);
4104 static int selinux_getprocattr(struct task_struct *p,
4105 char *name, void *value, size_t size)
4107 struct task_security_struct *tsec;
4113 error = task_has_perm(current, p, PROCESS__GETATTR);
4123 if (!strcmp(name, "current"))
4125 else if (!strcmp(name, "prev"))
4127 else if (!strcmp(name, "exec"))
4128 sid = tsec->exec_sid;
4129 else if (!strcmp(name, "fscreate"))
4130 sid = tsec->create_sid;
4137 error = security_sid_to_context(sid, &context, &len);
4144 memcpy(value, context, len);
4149 static int selinux_setprocattr(struct task_struct *p,
4150 char *name, void *value, size_t size)
4152 struct task_security_struct *tsec;
4156 if (current != p || !strcmp(name, "current")) {
4157 /* SELinux only allows a process to change its own
4158 security attributes, and it only allows the process
4159 current SID to change via exec. */
4164 * Basic control over ability to set these attributes at all.
4165 * current == p, but we'll pass them separately in case the
4166 * above restriction is ever removed.
4168 if (!strcmp(name, "exec"))
4169 error = task_has_perm(current, p, PROCESS__SETEXEC);
4170 else if (!strcmp(name, "fscreate"))
4171 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4177 /* Obtain a SID for the context, if one was specified. */
4180 error = security_context_to_sid(value, size, &sid);
4185 /* Permission checking based on the specified context is
4186 performed during the actual operation (execve,
4187 open/mkdir/...), when we know the full context of the
4188 operation. See selinux_bprm_set_security for the execve
4189 checks and may_create for the file creation checks. The
4190 operation will then fail if the context is not permitted. */
4192 if (!strcmp(name, "exec"))
4193 tsec->exec_sid = sid;
4194 else if (!strcmp(name, "fscreate"))
4195 tsec->create_sid = sid;
4202 struct security_operations selinux_ops = {
4203 .ptrace = selinux_ptrace,
4204 .capget = selinux_capget,
4205 .capset_check = selinux_capset_check,
4206 .capset_set = selinux_capset_set,
4207 .sysctl = selinux_sysctl,
4208 .capable = selinux_capable,
4209 .quotactl = selinux_quotactl,
4210 .quota_on = selinux_quota_on,
4211 .syslog = selinux_syslog,
4212 .vm_enough_memory = selinux_vm_enough_memory,
4214 .netlink_send = selinux_netlink_send,
4215 .netlink_recv = selinux_netlink_recv,
4217 .bprm_alloc_security = selinux_bprm_alloc_security,
4218 .bprm_free_security = selinux_bprm_free_security,
4219 .bprm_apply_creds = selinux_bprm_apply_creds,
4220 .bprm_set_security = selinux_bprm_set_security,
4221 .bprm_check_security = selinux_bprm_check_security,
4222 .bprm_secureexec = selinux_bprm_secureexec,
4224 .sb_alloc_security = selinux_sb_alloc_security,
4225 .sb_free_security = selinux_sb_free_security,
4226 .sb_copy_data = selinux_sb_copy_data,
4227 .sb_kern_mount = selinux_sb_kern_mount,
4228 .sb_statfs = selinux_sb_statfs,
4229 .sb_mount = selinux_mount,
4230 .sb_umount = selinux_umount,
4232 .inode_alloc_security = selinux_inode_alloc_security,
4233 .inode_free_security = selinux_inode_free_security,
4234 .inode_create = selinux_inode_create,
4235 .inode_post_create = selinux_inode_post_create,
4236 .inode_link = selinux_inode_link,
4237 .inode_post_link = selinux_inode_post_link,
4238 .inode_unlink = selinux_inode_unlink,
4239 .inode_symlink = selinux_inode_symlink,
4240 .inode_post_symlink = selinux_inode_post_symlink,
4241 .inode_mkdir = selinux_inode_mkdir,
4242 .inode_post_mkdir = selinux_inode_post_mkdir,
4243 .inode_rmdir = selinux_inode_rmdir,
4244 .inode_mknod = selinux_inode_mknod,
4245 .inode_post_mknod = selinux_inode_post_mknod,
4246 .inode_rename = selinux_inode_rename,
4247 .inode_post_rename = selinux_inode_post_rename,
4248 .inode_readlink = selinux_inode_readlink,
4249 .inode_follow_link = selinux_inode_follow_link,
4250 .inode_permission = selinux_inode_permission,
4251 .inode_setattr = selinux_inode_setattr,
4252 .inode_getattr = selinux_inode_getattr,
4253 .inode_setxattr = selinux_inode_setxattr,
4254 .inode_post_setxattr = selinux_inode_post_setxattr,
4255 .inode_getxattr = selinux_inode_getxattr,
4256 .inode_listxattr = selinux_inode_listxattr,
4257 .inode_removexattr = selinux_inode_removexattr,
4258 .inode_getsecurity = selinux_inode_getsecurity,
4259 .inode_setsecurity = selinux_inode_setsecurity,
4260 .inode_listsecurity = selinux_inode_listsecurity,
4262 .file_permission = selinux_file_permission,
4263 .file_alloc_security = selinux_file_alloc_security,
4264 .file_free_security = selinux_file_free_security,
4265 .file_ioctl = selinux_file_ioctl,
4266 .file_mmap = selinux_file_mmap,
4267 .file_mprotect = selinux_file_mprotect,
4268 .file_lock = selinux_file_lock,
4269 .file_fcntl = selinux_file_fcntl,
4270 .file_set_fowner = selinux_file_set_fowner,
4271 .file_send_sigiotask = selinux_file_send_sigiotask,
4272 .file_receive = selinux_file_receive,
4274 .task_create = selinux_task_create,
4275 .task_alloc_security = selinux_task_alloc_security,
4276 .task_free_security = selinux_task_free_security,
4277 .task_setuid = selinux_task_setuid,
4278 .task_post_setuid = selinux_task_post_setuid,
4279 .task_setgid = selinux_task_setgid,
4280 .task_setpgid = selinux_task_setpgid,
4281 .task_getpgid = selinux_task_getpgid,
4282 .task_getsid = selinux_task_getsid,
4283 .task_setgroups = selinux_task_setgroups,
4284 .task_setnice = selinux_task_setnice,
4285 .task_setrlimit = selinux_task_setrlimit,
4286 .task_setscheduler = selinux_task_setscheduler,
4287 .task_getscheduler = selinux_task_getscheduler,
4288 .task_kill = selinux_task_kill,
4289 .task_wait = selinux_task_wait,
4290 .task_prctl = selinux_task_prctl,
4291 .task_reparent_to_init = selinux_task_reparent_to_init,
4292 .task_to_inode = selinux_task_to_inode,
4294 .ipc_permission = selinux_ipc_permission,
4296 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4297 .msg_msg_free_security = selinux_msg_msg_free_security,
4299 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4300 .msg_queue_free_security = selinux_msg_queue_free_security,
4301 .msg_queue_associate = selinux_msg_queue_associate,
4302 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4303 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4304 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4306 .shm_alloc_security = selinux_shm_alloc_security,
4307 .shm_free_security = selinux_shm_free_security,
4308 .shm_associate = selinux_shm_associate,
4309 .shm_shmctl = selinux_shm_shmctl,
4310 .shm_shmat = selinux_shm_shmat,
4312 .sem_alloc_security = selinux_sem_alloc_security,
4313 .sem_free_security = selinux_sem_free_security,
4314 .sem_associate = selinux_sem_associate,
4315 .sem_semctl = selinux_sem_semctl,
4316 .sem_semop = selinux_sem_semop,
4318 .register_security = selinux_register_security,
4319 .unregister_security = selinux_unregister_security,
4321 .d_instantiate = selinux_d_instantiate,
4323 .getprocattr = selinux_getprocattr,
4324 .setprocattr = selinux_setprocattr,
4326 #ifdef CONFIG_SECURITY_NETWORK
4327 .unix_stream_connect = selinux_socket_unix_stream_connect,
4328 .unix_may_send = selinux_socket_unix_may_send,
4330 .socket_create = selinux_socket_create,
4331 .socket_post_create = selinux_socket_post_create,
4332 .socket_bind = selinux_socket_bind,
4333 .socket_connect = selinux_socket_connect,
4334 .socket_listen = selinux_socket_listen,
4335 .socket_accept = selinux_socket_accept,
4336 .socket_sendmsg = selinux_socket_sendmsg,
4337 .socket_recvmsg = selinux_socket_recvmsg,
4338 .socket_getsockname = selinux_socket_getsockname,
4339 .socket_getpeername = selinux_socket_getpeername,
4340 .socket_getsockopt = selinux_socket_getsockopt,
4341 .socket_setsockopt = selinux_socket_setsockopt,
4342 .socket_shutdown = selinux_socket_shutdown,
4343 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4344 .socket_getpeersec = selinux_socket_getpeersec,
4345 .sk_alloc_security = selinux_sk_alloc_security,
4346 .sk_free_security = selinux_sk_free_security,
4350 __init int selinux_init(void)
4352 struct task_security_struct *tsec;
4354 if (!selinux_enabled) {
4355 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4359 printk(KERN_INFO "SELinux: Initializing.\n");
4361 /* Set the security state for the initial task. */
4362 if (task_alloc_security(current))
4363 panic("SELinux: Failed to initialize initial task.\n");
4364 tsec = current->security;
4365 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4369 original_ops = secondary_ops = security_ops;
4371 panic ("SELinux: No initial security operations\n");
4372 if (register_security (&selinux_ops))
4373 panic("SELinux: Unable to register with kernel.\n");
4375 if (selinux_enforcing) {
4376 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4378 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4383 void selinux_complete_init(void)
4385 printk(KERN_INFO "SELinux: Completing initialization.\n");
4387 /* Set up any superblocks initialized prior to the policy load. */
4388 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4389 spin_lock(&sb_security_lock);
4391 if (!list_empty(&superblock_security_head)) {
4392 struct superblock_security_struct *sbsec =
4393 list_entry(superblock_security_head.next,
4394 struct superblock_security_struct,
4396 struct super_block *sb = sbsec->sb;
4397 spin_lock(&sb_lock);
4399 spin_unlock(&sb_lock);
4400 spin_unlock(&sb_security_lock);
4401 down_read(&sb->s_umount);
4403 superblock_doinit(sb, NULL);
4405 spin_lock(&sb_security_lock);
4406 list_del_init(&sbsec->list);
4409 spin_unlock(&sb_security_lock);
4412 /* SELinux requires early initialization in order to label
4413 all processes and objects when they are created. */
4414 security_initcall(selinux_init);
4416 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4418 static struct nf_hook_ops selinux_ipv4_op = {
4419 .hook = selinux_ipv4_postroute_last,
4420 .owner = THIS_MODULE,
4422 .hooknum = NF_IP_POST_ROUTING,
4423 .priority = NF_IP_PRI_SELINUX_LAST,
4426 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4428 static struct nf_hook_ops selinux_ipv6_op = {
4429 .hook = selinux_ipv6_postroute_last,
4430 .owner = THIS_MODULE,
4432 .hooknum = NF_IP6_POST_ROUTING,
4433 .priority = NF_IP6_PRI_SELINUX_LAST,
4438 static int __init selinux_nf_ip_init(void)
4442 if (!selinux_enabled)
4445 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4447 err = nf_register_hook(&selinux_ipv4_op);
4449 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4451 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4453 err = nf_register_hook(&selinux_ipv6_op);
4455 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4462 __initcall(selinux_nf_ip_init);
4464 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4465 static void selinux_nf_ip_exit(void)
4467 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4469 nf_unregister_hook(&selinux_ipv4_op);
4470 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4471 nf_unregister_hook(&selinux_ipv6_op);
4476 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4478 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4479 #define selinux_nf_ip_exit()
4482 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4484 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4485 int selinux_disable(void)
4487 extern void exit_sel_fs(void);
4488 static int selinux_disabled = 0;
4490 if (ss_initialized) {
4491 /* Not permitted after initial policy load. */
4495 if (selinux_disabled) {
4496 /* Only do this once. */
4500 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4502 selinux_disabled = 1;
4504 /* Reset security_ops to the secondary module, dummy or capability. */
4505 security_ops = secondary_ops;
4507 /* Unregister netfilter hooks. */
4508 selinux_nf_ip_exit();
4510 /* Unregister selinuxfs. */