2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License version 2,
16 * as published by the Free Software Foundation.
19 #include <linux/config.h>
20 #include <linux/module.h>
21 #include <linux/init.h>
22 #include <linux/kernel.h>
23 #include <linux/ptrace.h>
24 #include <linux/errno.h>
25 #include <linux/sched.h>
26 #include <linux/security.h>
27 #include <linux/xattr.h>
28 #include <linux/capability.h>
29 #include <linux/unistd.h>
31 #include <linux/mman.h>
32 #include <linux/slab.h>
33 #include <linux/pagemap.h>
34 #include <linux/swap.h>
35 #include <linux/smp_lock.h>
36 #include <linux/spinlock.h>
37 #include <linux/syscalls.h>
38 #include <linux/file.h>
39 #include <linux/namei.h>
40 #include <linux/mount.h>
41 #include <linux/ext2_fs.h>
42 #include <linux/proc_fs.h>
44 #include <linux/netfilter_ipv4.h>
45 #include <linux/netfilter_ipv6.h>
47 #include <net/ip.h> /* for sysctl_local_port_range[] */
48 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
49 #include <asm/uaccess.h>
50 #include <asm/semaphore.h>
51 #include <asm/ioctls.h>
52 #include <linux/bitops.h>
53 #include <linux/interrupt.h>
54 #include <linux/netdevice.h> /* for network interface checks */
55 #include <linux/netlink.h>
56 #include <linux/tcp.h>
57 #include <linux/udp.h>
58 #include <linux/quota.h>
59 #include <linux/un.h> /* for Unix socket types */
60 #include <net/af_unix.h> /* for Unix socket types */
61 #include <linux/parser.h>
62 #include <linux/nfs_mount.h>
64 #include <linux/hugetlb.h>
65 #include <linux/major.h>
71 #define XATTR_SELINUX_SUFFIX "selinux"
72 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
74 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
75 int selinux_enforcing = 0;
77 static int __init enforcing_setup(char *str)
79 selinux_enforcing = simple_strtol(str,NULL,0);
82 __setup("enforcing=", enforcing_setup);
85 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
86 int selinux_enabled = 1;
88 static int __init selinux_enabled_setup(char *str)
90 selinux_enabled = simple_strtol(str, NULL, 0);
93 __setup("selinux=", selinux_enabled_setup);
96 /* Original (dummy) security module. */
97 static struct security_operations *original_ops = NULL;
99 /* Minimal support for a secondary security module,
100 just to allow the use of the dummy or capability modules.
101 The owlsm module can alternatively be used as a secondary
102 module as long as CONFIG_OWLSM_FD is not enabled. */
103 static struct security_operations *secondary_ops = NULL;
105 /* Lists of inode and superblock security structures initialized
106 before the policy was loaded. */
107 static LIST_HEAD(superblock_security_head);
108 static spinlock_t sb_security_lock = SPIN_LOCK_UNLOCKED;
110 /* Allocate and free functions for each kind of security blob. */
112 static int task_alloc_security(struct task_struct *task)
114 struct task_security_struct *tsec;
116 tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
120 memset(tsec, 0, sizeof(struct task_security_struct));
121 tsec->magic = SELINUX_MAGIC;
123 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
124 task->security = tsec;
129 static void task_free_security(struct task_struct *task)
131 struct task_security_struct *tsec = task->security;
133 if (!tsec || tsec->magic != SELINUX_MAGIC)
136 task->security = NULL;
140 static int inode_alloc_security(struct inode *inode)
142 struct task_security_struct *tsec = current->security;
143 struct inode_security_struct *isec;
145 isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
149 memset(isec, 0, sizeof(struct inode_security_struct));
150 init_MUTEX(&isec->sem);
151 INIT_LIST_HEAD(&isec->list);
152 isec->magic = SELINUX_MAGIC;
154 isec->sid = SECINITSID_UNLABELED;
155 isec->sclass = SECCLASS_FILE;
156 if (tsec && tsec->magic == SELINUX_MAGIC)
157 isec->task_sid = tsec->sid;
159 isec->task_sid = SECINITSID_UNLABELED;
160 inode->i_security = isec;
165 static void inode_free_security(struct inode *inode)
167 struct inode_security_struct *isec = inode->i_security;
168 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
170 if (!isec || isec->magic != SELINUX_MAGIC)
173 spin_lock(&sbsec->isec_lock);
174 if (!list_empty(&isec->list))
175 list_del_init(&isec->list);
176 spin_unlock(&sbsec->isec_lock);
178 inode->i_security = NULL;
182 static int file_alloc_security(struct file *file)
184 struct task_security_struct *tsec = current->security;
185 struct file_security_struct *fsec;
187 fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
191 memset(fsec, 0, sizeof(struct file_security_struct));
192 fsec->magic = SELINUX_MAGIC;
194 if (tsec && tsec->magic == SELINUX_MAGIC) {
195 fsec->sid = tsec->sid;
196 fsec->fown_sid = tsec->sid;
198 fsec->sid = SECINITSID_UNLABELED;
199 fsec->fown_sid = SECINITSID_UNLABELED;
201 file->f_security = fsec;
206 static void file_free_security(struct file *file)
208 struct file_security_struct *fsec = file->f_security;
210 if (!fsec || fsec->magic != SELINUX_MAGIC)
213 file->f_security = NULL;
217 static int superblock_alloc_security(struct super_block *sb)
219 struct superblock_security_struct *sbsec;
221 sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
225 memset(sbsec, 0, sizeof(struct superblock_security_struct));
226 init_MUTEX(&sbsec->sem);
227 INIT_LIST_HEAD(&sbsec->list);
228 INIT_LIST_HEAD(&sbsec->isec_head);
229 spin_lock_init(&sbsec->isec_lock);
230 sbsec->magic = SELINUX_MAGIC;
232 sbsec->sid = SECINITSID_UNLABELED;
233 sbsec->def_sid = SECINITSID_FILE;
234 sb->s_security = sbsec;
239 static void superblock_free_security(struct super_block *sb)
241 struct superblock_security_struct *sbsec = sb->s_security;
243 if (!sbsec || sbsec->magic != SELINUX_MAGIC)
246 spin_lock(&sb_security_lock);
247 if (!list_empty(&sbsec->list))
248 list_del_init(&sbsec->list);
249 spin_unlock(&sb_security_lock);
251 sb->s_security = NULL;
255 #ifdef CONFIG_SECURITY_NETWORK
256 static int sk_alloc_security(struct sock *sk, int family, int priority)
258 struct sk_security_struct *ssec;
260 if (family != PF_UNIX)
263 ssec = kmalloc(sizeof(*ssec), priority);
267 memset(ssec, 0, sizeof(*ssec));
268 ssec->magic = SELINUX_MAGIC;
270 ssec->peer_sid = SECINITSID_UNLABELED;
271 sk->sk_security = ssec;
276 static void sk_free_security(struct sock *sk)
278 struct sk_security_struct *ssec = sk->sk_security;
280 if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
283 sk->sk_security = NULL;
286 #endif /* CONFIG_SECURITY_NETWORK */
288 /* The security server must be initialized before
289 any labeling or access decisions can be provided. */
290 extern int ss_initialized;
292 /* The file system's label must be initialized prior to use. */
294 static char *labeling_behaviors[6] = {
296 "uses transition SIDs",
298 "uses genfs_contexts",
299 "not configured for labeling",
300 "uses mountpoint labeling",
303 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
305 static inline int inode_doinit(struct inode *inode)
307 return inode_doinit_with_dentry(inode, NULL);
316 static match_table_t tokens = {
317 {Opt_context, "context=%s"},
318 {Opt_fscontext, "fscontext=%s"},
319 {Opt_defcontext, "defcontext=%s"},
322 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
324 static int try_context_mount(struct super_block *sb, void *data)
326 char *context = NULL, *defcontext = NULL;
329 int alloc = 0, rc = 0, seen = 0;
330 struct task_security_struct *tsec = current->security;
331 struct superblock_security_struct *sbsec = sb->s_security;
336 name = sb->s_type->name;
338 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
340 /* NFS we understand. */
341 if (!strcmp(name, "nfs")) {
342 struct nfs_mount_data *d = data;
344 if (d->version < NFS_MOUNT_VERSION)
348 context = d->context;
355 /* Standard string-based options. */
356 char *p, *options = data;
358 while ((p = strsep(&options, ",")) != NULL) {
360 substring_t args[MAX_OPT_ARGS];
365 token = match_token(p, tokens, args);
371 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
374 context = match_strdup(&args[0]);
385 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
387 printk(KERN_WARNING "SELinux: "
388 "fscontext option is invalid for"
389 " this filesystem type\n");
392 if (seen & (Opt_context|Opt_fscontext)) {
394 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
397 context = match_strdup(&args[0]);
404 seen |= Opt_fscontext;
408 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
410 printk(KERN_WARNING "SELinux: "
411 "defcontext option is invalid "
412 "for this filesystem type\n");
415 if (seen & (Opt_context|Opt_defcontext)) {
417 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
420 defcontext = match_strdup(&args[0]);
427 seen |= Opt_defcontext;
432 printk(KERN_WARNING "SELinux: unknown mount "
444 rc = security_context_to_sid(context, strlen(context), &sid);
446 printk(KERN_WARNING "SELinux: security_context_to_sid"
447 "(%s) failed for (dev %s, type %s) errno=%d\n",
448 context, sb->s_id, name, rc);
452 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
453 FILESYSTEM__RELABELFROM, NULL, NULL);
457 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
458 FILESYSTEM__RELABELTO, NULL, NULL);
464 if (seen & Opt_context)
465 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
469 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
471 printk(KERN_WARNING "SELinux: security_context_to_sid"
472 "(%s) failed for (dev %s, type %s) errno=%d\n",
473 defcontext, sb->s_id, name, rc);
477 if (sid == sbsec->def_sid)
480 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
481 FILESYSTEM__RELABELFROM, NULL, NULL);
485 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
486 FILESYSTEM__ASSOCIATE, NULL, NULL);
490 sbsec->def_sid = sid;
502 static int superblock_doinit(struct super_block *sb, void *data)
504 struct superblock_security_struct *sbsec = sb->s_security;
505 struct dentry *root = sb->s_root;
506 struct inode *inode = root->d_inode;
510 if (sbsec->initialized)
513 if (!ss_initialized) {
514 /* Defer initialization until selinux_complete_init,
515 after the initial policy is loaded and the security
516 server is ready to handle calls. */
517 spin_lock(&sb_security_lock);
518 if (list_empty(&sbsec->list))
519 list_add(&sbsec->list, &superblock_security_head);
520 spin_unlock(&sb_security_lock);
524 /* Determine the labeling behavior to use for this filesystem type. */
525 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
527 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
528 __FUNCTION__, sb->s_type->name, rc);
532 rc = try_context_mount(sb, data);
536 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
537 /* Make sure that the xattr handler exists and that no
538 error other than -ENODATA is returned by getxattr on
539 the root directory. -ENODATA is ok, as this may be
540 the first boot of the SELinux kernel before we have
541 assigned xattr values to the filesystem. */
542 if (!inode->i_op->getxattr) {
543 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
544 "xattr support\n", sb->s_id, sb->s_type->name);
548 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
549 if (rc < 0 && rc != -ENODATA) {
550 if (rc == -EOPNOTSUPP)
551 printk(KERN_WARNING "SELinux: (dev %s, type "
552 "%s) has no security xattr handler\n",
553 sb->s_id, sb->s_type->name);
555 printk(KERN_WARNING "SELinux: (dev %s, type "
556 "%s) getxattr errno %d\n", sb->s_id,
557 sb->s_type->name, -rc);
562 if (strcmp(sb->s_type->name, "proc") == 0)
565 sbsec->initialized = 1;
567 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
568 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
569 sb->s_id, sb->s_type->name);
572 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
573 sb->s_id, sb->s_type->name,
574 labeling_behaviors[sbsec->behavior-1]);
577 /* Initialize the root inode. */
578 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
580 /* Initialize any other inodes associated with the superblock, e.g.
581 inodes created prior to initial policy load or inodes created
582 during get_sb by a pseudo filesystem that directly
584 spin_lock(&sbsec->isec_lock);
586 if (!list_empty(&sbsec->isec_head)) {
587 struct inode_security_struct *isec =
588 list_entry(sbsec->isec_head.next,
589 struct inode_security_struct, list);
590 struct inode *inode = isec->inode;
591 spin_unlock(&sbsec->isec_lock);
592 inode = igrab(inode);
597 spin_lock(&sbsec->isec_lock);
598 list_del_init(&isec->list);
601 spin_unlock(&sbsec->isec_lock);
607 static inline u16 inode_mode_to_security_class(umode_t mode)
609 switch (mode & S_IFMT) {
611 return SECCLASS_SOCK_FILE;
613 return SECCLASS_LNK_FILE;
615 return SECCLASS_FILE;
617 return SECCLASS_BLK_FILE;
621 return SECCLASS_CHR_FILE;
623 return SECCLASS_FIFO_FILE;
627 return SECCLASS_FILE;
630 static inline u16 socket_type_to_security_class(int family, int type)
636 return SECCLASS_UNIX_STREAM_SOCKET;
638 return SECCLASS_UNIX_DGRAM_SOCKET;
644 return SECCLASS_TCP_SOCKET;
646 return SECCLASS_UDP_SOCKET;
648 return SECCLASS_RAWIP_SOCKET;
651 return SECCLASS_NETLINK_SOCKET;
653 return SECCLASS_PACKET_SOCKET;
655 return SECCLASS_KEY_SOCKET;
658 return SECCLASS_SOCKET;
661 #ifdef CONFIG_PROC_FS
662 static int selinux_proc_get_sid(struct proc_dir_entry *de,
667 char *buffer, *path, *end;
669 buffer = (char*)__get_free_page(GFP_KERNEL);
679 while (de && de != de->parent) {
680 buflen -= de->namelen + 1;
684 memcpy(end, de->name, de->namelen);
689 rc = security_genfs_sid("proc", path, tclass, sid);
690 free_page((unsigned long)buffer);
694 static int selinux_proc_get_sid(struct proc_dir_entry *de,
702 /* The inode's security attributes must be initialized before first use. */
703 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
705 struct superblock_security_struct *sbsec = NULL;
706 struct inode_security_struct *isec = inode->i_security;
708 struct dentry *dentry;
709 #define INITCONTEXTLEN 255
710 char *context = NULL;
715 if (isec->initialized)
720 if (isec->initialized)
723 sbsec = inode->i_sb->s_security;
724 if (!sbsec->initialized) {
725 /* Defer initialization until selinux_complete_init,
726 after the initial policy is loaded and the security
727 server is ready to handle calls. */
728 spin_lock(&sbsec->isec_lock);
729 if (list_empty(&isec->list))
730 list_add(&isec->list, &sbsec->isec_head);
731 spin_unlock(&sbsec->isec_lock);
735 switch (sbsec->behavior) {
736 case SECURITY_FS_USE_XATTR:
737 if (!inode->i_op->getxattr) {
738 isec->sid = sbsec->def_sid;
742 /* Need a dentry, since the xattr API requires one.
743 Life would be simpler if we could just pass the inode. */
745 /* Called from d_instantiate or d_splice_alias. */
746 dentry = dget(opt_dentry);
748 /* Called from selinux_complete_init, try to find a dentry. */
749 dentry = d_find_alias(inode);
752 printk(KERN_WARNING "%s: no dentry for dev=%s "
753 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
758 len = INITCONTEXTLEN;
759 context = kmalloc(len, GFP_KERNEL);
765 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
768 /* Need a larger buffer. Query for the right size. */
769 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
777 context = kmalloc(len, GFP_KERNEL);
783 rc = inode->i_op->getxattr(dentry,
789 if (rc != -ENODATA) {
790 printk(KERN_WARNING "%s: getxattr returned "
791 "%d for dev=%s ino=%ld\n", __FUNCTION__,
792 -rc, inode->i_sb->s_id, inode->i_ino);
796 /* Map ENODATA to the default file SID */
797 sid = sbsec->def_sid;
800 rc = security_context_to_sid(context, rc, &sid);
802 printk(KERN_WARNING "%s: context_to_sid(%s) "
803 "returned %d for dev=%s ino=%ld\n",
804 __FUNCTION__, context, -rc,
805 inode->i_sb->s_id, inode->i_ino);
813 case SECURITY_FS_USE_TASK:
814 isec->sid = isec->task_sid;
816 case SECURITY_FS_USE_TRANS:
817 /* Default to the fs SID. */
818 isec->sid = sbsec->sid;
820 /* Try to obtain a transition SID. */
821 isec->sclass = inode_mode_to_security_class(inode->i_mode);
822 rc = security_transition_sid(isec->task_sid,
831 /* Default to the fs SID. */
832 isec->sid = sbsec->sid;
835 struct proc_inode *proci = PROC_I(inode);
837 isec->sclass = inode_mode_to_security_class(inode->i_mode);
838 rc = selinux_proc_get_sid(proci->pde,
849 isec->initialized = 1;
853 struct socket *sock = SOCKET_I(inode);
855 isec->sclass = socket_type_to_security_class(sock->sk->sk_family,
858 isec->sclass = SECCLASS_SOCKET;
861 isec->sclass = inode_mode_to_security_class(inode->i_mode);
869 /* Convert a Linux signal to an access vector. */
870 static inline u32 signal_to_av(int sig)
876 /* Commonly granted from child to parent. */
877 perm = PROCESS__SIGCHLD;
880 /* Cannot be caught or ignored */
881 perm = PROCESS__SIGKILL;
884 /* Cannot be caught or ignored */
885 perm = PROCESS__SIGSTOP;
888 /* All other signals. */
889 perm = PROCESS__SIGNAL;
896 /* Check permission betweeen a pair of tasks, e.g. signal checks,
897 fork check, ptrace check, etc. */
898 int task_has_perm(struct task_struct *tsk1,
899 struct task_struct *tsk2,
902 struct task_security_struct *tsec1, *tsec2;
904 tsec1 = tsk1->security;
905 tsec2 = tsk2->security;
906 return avc_has_perm(tsec1->sid, tsec2->sid,
907 SECCLASS_PROCESS, perms, &tsec2->avcr, NULL);
910 /* Check whether a task is allowed to use a capability. */
911 int task_has_capability(struct task_struct *tsk,
914 struct task_security_struct *tsec;
915 struct avc_audit_data ad;
917 tsec = tsk->security;
919 AVC_AUDIT_DATA_INIT(&ad,CAP);
923 return avc_has_perm(tsec->sid, tsec->sid,
924 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), NULL, &ad);
927 /* Check whether a task is allowed to use a system operation. */
928 int task_has_system(struct task_struct *tsk,
931 struct task_security_struct *tsec;
933 tsec = tsk->security;
935 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
936 SECCLASS_SYSTEM, perms, NULL, NULL);
939 /* Check whether a task has a particular permission to an inode.
940 The 'aeref' parameter is optional and allows other AVC
941 entry references to be passed (e.g. the one in the struct file).
942 The 'adp' parameter is optional and allows other audit
943 data to be passed (e.g. the dentry). */
944 int inode_has_perm(struct task_struct *tsk,
947 struct avc_entry_ref *aeref,
948 struct avc_audit_data *adp)
950 struct task_security_struct *tsec;
951 struct inode_security_struct *isec;
952 struct avc_audit_data ad;
954 tsec = tsk->security;
955 isec = inode->i_security;
959 AVC_AUDIT_DATA_INIT(&ad, FS);
960 ad.u.fs.inode = inode;
963 return avc_has_perm(tsec->sid, isec->sid, isec->sclass,
964 perms, aeref ? aeref : &isec->avcr, adp);
967 /* Same as inode_has_perm, but pass explicit audit data containing
968 the dentry to help the auditing code to more easily generate the
969 pathname if needed. */
970 static inline int dentry_has_perm(struct task_struct *tsk,
971 struct vfsmount *mnt,
972 struct dentry *dentry,
975 struct inode *inode = dentry->d_inode;
976 struct avc_audit_data ad;
977 AVC_AUDIT_DATA_INIT(&ad,FS);
979 ad.u.fs.dentry = dentry;
980 return inode_has_perm(tsk, inode, av, NULL, &ad);
983 /* Check whether a task can use an open file descriptor to
984 access an inode in a given way. Check access to the
985 descriptor itself, and then use dentry_has_perm to
986 check a particular permission to the file.
987 Access to the descriptor is implicitly granted if it
988 has the same SID as the process. If av is zero, then
989 access to the file is not checked, e.g. for cases
990 where only the descriptor is affected like seek. */
991 static inline int file_has_perm(struct task_struct *tsk,
995 struct task_security_struct *tsec = tsk->security;
996 struct file_security_struct *fsec = file->f_security;
997 struct vfsmount *mnt = file->f_vfsmnt;
998 struct dentry *dentry = file->f_dentry;
999 struct inode *inode = dentry->d_inode;
1000 struct avc_audit_data ad;
1003 AVC_AUDIT_DATA_INIT(&ad, FS);
1005 ad.u.fs.dentry = dentry;
1007 if (tsec->sid != fsec->sid) {
1008 rc = avc_has_perm(tsec->sid, fsec->sid,
1016 /* av is zero if only checking access to the descriptor. */
1018 return inode_has_perm(tsk, inode, av, &fsec->inode_avcr, &ad);
1023 /* Check whether a task can create a file. */
1024 static int may_create(struct inode *dir,
1025 struct dentry *dentry,
1028 struct task_security_struct *tsec;
1029 struct inode_security_struct *dsec;
1030 struct superblock_security_struct *sbsec;
1032 struct avc_audit_data ad;
1035 tsec = current->security;
1036 dsec = dir->i_security;
1037 sbsec = dir->i_sb->s_security;
1039 AVC_AUDIT_DATA_INIT(&ad, FS);
1040 ad.u.fs.dentry = dentry;
1042 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1043 DIR__ADD_NAME | DIR__SEARCH,
1048 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1049 newsid = tsec->create_sid;
1051 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1057 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, NULL, &ad);
1061 return avc_has_perm(newsid, sbsec->sid,
1062 SECCLASS_FILESYSTEM,
1063 FILESYSTEM__ASSOCIATE, NULL, &ad);
1067 #define MAY_UNLINK 1
1070 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1071 static int may_link(struct inode *dir,
1072 struct dentry *dentry,
1076 struct task_security_struct *tsec;
1077 struct inode_security_struct *dsec, *isec;
1078 struct avc_audit_data ad;
1082 tsec = current->security;
1083 dsec = dir->i_security;
1084 isec = dentry->d_inode->i_security;
1086 AVC_AUDIT_DATA_INIT(&ad, FS);
1087 ad.u.fs.dentry = dentry;
1090 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1091 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1092 av, &dsec->avcr, &ad);
1107 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1111 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
1112 av, &isec->avcr, &ad);
1116 static inline int may_rename(struct inode *old_dir,
1117 struct dentry *old_dentry,
1118 struct inode *new_dir,
1119 struct dentry *new_dentry)
1121 struct task_security_struct *tsec;
1122 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1123 struct avc_audit_data ad;
1125 int old_is_dir, new_is_dir;
1128 tsec = current->security;
1129 old_dsec = old_dir->i_security;
1130 old_isec = old_dentry->d_inode->i_security;
1131 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1132 new_dsec = new_dir->i_security;
1134 AVC_AUDIT_DATA_INIT(&ad, FS);
1136 ad.u.fs.dentry = old_dentry;
1137 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1138 DIR__REMOVE_NAME | DIR__SEARCH,
1139 &old_dsec->avcr, &ad);
1142 rc = avc_has_perm(tsec->sid, old_isec->sid,
1145 &old_isec->avcr, &ad);
1148 if (old_is_dir && new_dir != old_dir) {
1149 rc = avc_has_perm(tsec->sid, old_isec->sid,
1152 &old_isec->avcr, &ad);
1157 ad.u.fs.dentry = new_dentry;
1158 av = DIR__ADD_NAME | DIR__SEARCH;
1159 if (new_dentry->d_inode)
1160 av |= DIR__REMOVE_NAME;
1161 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR,
1162 av,&new_dsec->avcr, &ad);
1165 if (new_dentry->d_inode) {
1166 new_isec = new_dentry->d_inode->i_security;
1167 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1168 rc = avc_has_perm(tsec->sid, new_isec->sid,
1170 (new_is_dir ? DIR__RMDIR : FILE__UNLINK),
1171 &new_isec->avcr, &ad);
1179 /* Check whether a task can perform a filesystem operation. */
1180 int superblock_has_perm(struct task_struct *tsk,
1181 struct super_block *sb,
1183 struct avc_audit_data *ad)
1185 struct task_security_struct *tsec;
1186 struct superblock_security_struct *sbsec;
1188 tsec = tsk->security;
1189 sbsec = sb->s_security;
1190 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1194 /* Convert a Linux mode and permission mask to an access vector. */
1195 static inline u32 file_mask_to_av(int mode, int mask)
1199 if ((mode & S_IFMT) != S_IFDIR) {
1200 if (mask & MAY_EXEC)
1201 av |= FILE__EXECUTE;
1202 if (mask & MAY_READ)
1205 if (mask & MAY_APPEND)
1207 else if (mask & MAY_WRITE)
1211 if (mask & MAY_EXEC)
1213 if (mask & MAY_WRITE)
1215 if (mask & MAY_READ)
1222 /* Convert a Linux file to an access vector. */
1223 static inline u32 file_to_av(struct file *file)
1227 if (file->f_mode & FMODE_READ)
1229 if (file->f_mode & FMODE_WRITE) {
1230 if (file->f_flags & O_APPEND)
1239 /* Set an inode's SID to a specified value. */
1240 int inode_security_set_sid(struct inode *inode, u32 sid)
1242 struct inode_security_struct *isec = inode->i_security;
1245 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1247 isec->initialized = 1;
1252 /* Set the security attributes on a newly created file. */
1253 static int post_create(struct inode *dir,
1254 struct dentry *dentry)
1257 struct task_security_struct *tsec;
1258 struct inode *inode;
1259 struct inode_security_struct *dsec;
1260 struct superblock_security_struct *sbsec;
1266 tsec = current->security;
1267 dsec = dir->i_security;
1268 sbsec = dir->i_sb->s_security;
1270 inode = dentry->d_inode;
1272 /* Some file system types (e.g. NFS) may not instantiate
1273 a dentry for all create operations (e.g. symlink),
1274 so we have to check to see if the inode is non-NULL. */
1275 printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
1276 "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1280 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1281 newsid = tsec->create_sid;
1283 rc = security_transition_sid(tsec->sid, dsec->sid,
1284 inode_mode_to_security_class(inode->i_mode),
1287 printk(KERN_WARNING "post_create: "
1288 "security_transition_sid failed, rc=%d (dev=%s "
1290 -rc, inode->i_sb->s_id, inode->i_ino);
1295 rc = inode_security_set_sid(inode, newsid);
1297 printk(KERN_WARNING "post_create: inode_security_set_sid "
1298 "failed, rc=%d (dev=%s ino=%ld)\n",
1299 -rc, inode->i_sb->s_id, inode->i_ino);
1303 if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1304 inode->i_op->setxattr) {
1305 /* Use extended attributes. */
1306 rc = security_sid_to_context(newsid, &context, &len);
1308 printk(KERN_WARNING "post_create: sid_to_context "
1309 "failed, rc=%d (dev=%s ino=%ld)\n",
1310 -rc, inode->i_sb->s_id, inode->i_ino);
1313 down(&inode->i_sem);
1314 rc = inode->i_op->setxattr(dentry,
1320 printk(KERN_WARNING "post_create: setxattr failed, "
1321 "rc=%d (dev=%s ino=%ld)\n",
1322 -rc, inode->i_sb->s_id, inode->i_ino);
1331 /* Hook functions begin here. */
1333 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1335 struct task_security_struct *psec = parent->security;
1336 struct task_security_struct *csec = child->security;
1339 rc = secondary_ops->ptrace(parent,child);
1343 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1344 /* Save the SID of the tracing process for later use in apply_creds. */
1346 csec->ptrace_sid = psec->sid;
1350 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1351 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1355 error = task_has_perm(current, target, PROCESS__GETCAP);
1359 return secondary_ops->capget(target, effective, inheritable, permitted);
1362 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1363 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1367 error = task_has_perm(current, target, PROCESS__SETCAP);
1371 return secondary_ops->capset_check(target, effective, inheritable, permitted);
1374 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1375 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1379 error = task_has_perm(current, target, PROCESS__SETCAP);
1383 secondary_ops->capset_set(target, effective, inheritable, permitted);
1386 static int selinux_capable(struct task_struct *tsk, int cap)
1390 rc = secondary_ops->capable(tsk, cap);
1394 return task_has_capability(tsk,cap);
1397 static int selinux_sysctl(ctl_table *table, int op)
1401 struct task_security_struct *tsec;
1405 tsec = current->security;
1407 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1408 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1410 /* Default to the well-defined sysctl SID. */
1411 tsid = SECINITSID_SYSCTL;
1414 /* The op values are "defined" in sysctl.c, thereby creating
1415 * a bad coupling between this module and sysctl.c */
1417 error = avc_has_perm(tsec->sid, tsid,
1418 SECCLASS_DIR, DIR__SEARCH, NULL, NULL);
1426 error = avc_has_perm(tsec->sid, tsid,
1427 SECCLASS_FILE, av, NULL, NULL);
1433 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1446 rc = superblock_has_perm(current,
1448 FILESYSTEM__QUOTAMOD, NULL);
1453 rc = superblock_has_perm(current,
1455 FILESYSTEM__QUOTAGET, NULL);
1458 rc = 0; /* let the kernel handle invalid cmds */
1464 static int selinux_quota_on(struct file *f)
1466 return file_has_perm(current, f, FILE__QUOTAON);
1469 static int selinux_syslog(int type)
1473 rc = secondary_ops->syslog(type);
1478 case 3: /* Read last kernel messages */
1479 case 10: /* Return size of the log buffer */
1480 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1482 case 6: /* Disable logging to console */
1483 case 7: /* Enable logging to console */
1484 case 8: /* Set level of messages printed to console */
1485 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1487 case 0: /* Close log */
1488 case 1: /* Open log */
1489 case 2: /* Read from log */
1490 case 4: /* Read/clear last kernel messages */
1491 case 5: /* Clear ring buffer */
1493 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1500 * Check that a process has enough memory to allocate a new virtual
1501 * mapping. 0 means there is enough memory for the allocation to
1502 * succeed and -ENOMEM implies there is not.
1504 * We currently support three overcommit policies, which are set via the
1505 * vm.overcommit_memory sysctl. See Documentation/vm/overcommit-accounting
1507 * Strict overcommit modes added 2002 Feb 26 by Alan Cox.
1508 * Additional code 2002 Jul 20 by Robert Love.
1510 static int selinux_vm_enough_memory(long pages)
1512 unsigned long free, allowed;
1514 struct task_security_struct *tsec = current->security;
1516 vm_acct_memory(pages);
1519 * Sometimes we want to use more memory than we have
1521 if (sysctl_overcommit_memory == 1)
1524 if (sysctl_overcommit_memory == 0) {
1525 free = get_page_cache_size();
1526 free += nr_free_pages();
1527 free += nr_swap_pages;
1530 * Any slabs which are created with the
1531 * SLAB_RECLAIM_ACCOUNT flag claim to have contents
1532 * which are reclaimable, under pressure. The dentry
1533 * cache and most inode caches should fall into this
1535 free += atomic_read(&slab_reclaim_pages);
1538 * Leave the last 3% for privileged processes.
1539 * Don't audit the check, as it is applied to all processes
1540 * that allocate mappings.
1542 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1544 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1545 SECCLASS_CAPABILITY,
1546 CAP_TO_MASK(CAP_SYS_ADMIN),
1554 vm_unacct_memory(pages);
1558 allowed = (totalram_pages - hugetlb_total_pages())
1559 * sysctl_overcommit_ratio / 100;
1560 allowed += total_swap_pages;
1562 if (atomic_read(&vm_committed_space) < allowed)
1565 vm_unacct_memory(pages);
1570 static int selinux_netlink_send(struct sk_buff *skb)
1572 if (capable(CAP_NET_ADMIN))
1573 cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
1575 NETLINK_CB(skb).eff_cap = 0;
1579 static int selinux_netlink_recv(struct sk_buff *skb)
1581 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
1586 /* binprm security operations */
1588 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1590 struct bprm_security_struct *bsec;
1592 bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1596 memset(bsec, 0, sizeof *bsec);
1597 bsec->magic = SELINUX_MAGIC;
1599 bsec->sid = SECINITSID_UNLABELED;
1602 bprm->security = bsec;
1606 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1608 struct task_security_struct *tsec;
1609 struct inode *inode = bprm->file->f_dentry->d_inode;
1610 struct inode_security_struct *isec;
1611 struct bprm_security_struct *bsec;
1613 struct avc_audit_data ad;
1616 rc = secondary_ops->bprm_set_security(bprm);
1620 bsec = bprm->security;
1625 tsec = current->security;
1626 isec = inode->i_security;
1628 /* Default to the current task SID. */
1629 bsec->sid = tsec->sid;
1631 /* Reset create SID on execve. */
1632 tsec->create_sid = 0;
1634 if (tsec->exec_sid) {
1635 newsid = tsec->exec_sid;
1636 /* Reset exec SID on execve. */
1639 /* Check for a default transition on this program. */
1640 rc = security_transition_sid(tsec->sid, isec->sid,
1641 SECCLASS_PROCESS, &newsid);
1646 AVC_AUDIT_DATA_INIT(&ad, FS);
1647 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1648 ad.u.fs.dentry = bprm->file->f_dentry;
1650 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1653 if (tsec->sid == newsid) {
1654 rc = avc_has_perm(tsec->sid, isec->sid,
1655 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS,
1660 /* Check permissions for the transition. */
1661 rc = avc_has_perm(tsec->sid, newsid,
1662 SECCLASS_PROCESS, PROCESS__TRANSITION,
1668 rc = avc_has_perm(newsid, isec->sid,
1669 SECCLASS_FILE, FILE__ENTRYPOINT,
1674 /* Set the security field to the new SID. */
1682 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1688 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1690 struct task_security_struct *tsec = current->security;
1693 if (tsec->osid != tsec->sid) {
1694 /* Enable secure mode for SIDs transitions unless
1695 the noatsecure permission is granted between
1696 the two SIDs, i.e. ahp returns 0. */
1697 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1699 PROCESS__NOATSECURE, NULL, NULL);
1702 /* Note that we must include the legacy uid/gid test below
1703 to retain it, as the new userland will simply use the
1704 value passed by AT_SECURE to decide whether to enable
1706 return ( atsecure || current->euid != current->uid ||
1707 current->egid != current->gid);
1710 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1712 struct bprm_security_struct *bsec = bprm->security;
1713 bprm->security = NULL;
1717 /* Create an open file that refers to the null device.
1718 Derived from the OpenWall LSM. */
1719 struct file *open_devnull(void)
1721 struct inode *inode;
1722 struct dentry *dentry;
1723 struct file *file = NULL;
1724 struct inode_security_struct *isec;
1727 inode = new_inode(current->fs->rootmnt->mnt_sb);
1731 dentry = dget(d_alloc_root(inode));
1735 file = get_empty_filp();
1739 dev = MKDEV(MEM_MAJOR, 3); /* null device */
1741 inode->i_uid = current->fsuid;
1742 inode->i_gid = current->fsgid;
1743 inode->i_blksize = PAGE_SIZE;
1744 inode->i_blocks = 0;
1745 inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME;
1746 inode->i_state = I_DIRTY; /* so that mark_inode_dirty won't touch us */
1748 isec = inode->i_security;
1749 isec->sid = SECINITSID_DEVNULL;
1750 isec->sclass = SECCLASS_CHR_FILE;
1751 isec->initialized = 1;
1753 file->f_flags = O_RDWR;
1754 file->f_mode = FMODE_READ | FMODE_WRITE;
1755 file->f_dentry = dentry;
1756 file->f_vfsmnt = mntget(current->fs->rootmnt);
1759 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, dev);
1760 if (inode->i_fop->open(inode, file))
1766 mntput(file->f_vfsmnt);
1776 /* Derived from fs/exec.c:flush_old_files. */
1777 static inline void flush_unauthorized_files(struct files_struct * files)
1779 struct avc_audit_data ad;
1780 struct file *file, *devnull = NULL;
1783 AVC_AUDIT_DATA_INIT(&ad,FS);
1785 spin_lock(&files->file_lock);
1787 unsigned long set, i, fd;
1791 if (i >= files->max_fds || i >= files->max_fdset)
1793 set = files->open_fds->fds_bits[j];
1796 spin_unlock(&files->file_lock);
1797 for ( ; set ; i++,set >>= 1) {
1802 if (file_has_perm(current,
1804 file_to_av(file))) {
1806 fd = get_unused_fd();
1814 atomic_inc(&devnull->f_count);
1816 devnull = open_devnull();
1823 fd_install(fd, devnull);
1828 spin_lock(&files->file_lock);
1831 spin_unlock(&files->file_lock);
1834 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1836 struct task_security_struct *tsec;
1837 struct bprm_security_struct *bsec;
1839 struct av_decision avd;
1840 struct itimerval itimer;
1841 struct rlimit *rlim, *initrlim;
1844 secondary_ops->bprm_apply_creds(bprm, unsafe);
1846 tsec = current->security;
1848 bsec = bprm->security;
1851 tsec->osid = tsec->sid;
1852 if (tsec->sid != sid) {
1853 /* Check for shared state. If not ok, leave SID
1854 unchanged and kill. */
1855 if (unsafe & LSM_UNSAFE_SHARE) {
1856 rc = avc_has_perm_noaudit(tsec->sid, sid,
1857 SECCLASS_PROCESS, PROCESS__SHARE,
1860 task_unlock(current);
1861 avc_audit(tsec->sid, sid, SECCLASS_PROCESS,
1862 PROCESS__SHARE, &avd, rc, NULL);
1863 force_sig_specific(SIGKILL, current);
1868 /* Check for ptracing, and update the task SID if ok.
1869 Otherwise, leave SID unchanged and kill. */
1870 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1871 rc = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
1872 SECCLASS_PROCESS, PROCESS__PTRACE,
1876 task_unlock(current);
1877 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
1878 PROCESS__PTRACE, &avd, rc, NULL);
1880 force_sig_specific(SIGKILL, current);
1885 task_unlock(current);
1888 /* Close files for which the new task SID is not authorized. */
1889 flush_unauthorized_files(current->files);
1891 /* Check whether the new SID can inherit signal state
1892 from the old SID. If not, clear itimers to avoid
1893 subsequent signal generation and flush and unblock
1894 signals. This must occur _after_ the task SID has
1895 been updated so that any kill done after the flush
1896 will be checked against the new SID. */
1897 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1898 PROCESS__SIGINH, NULL, NULL);
1900 memset(&itimer, 0, sizeof itimer);
1901 for (i = 0; i < 3; i++)
1902 do_setitimer(i, &itimer, NULL);
1903 flush_signals(current);
1904 spin_lock_irq(¤t->sighand->siglock);
1905 flush_signal_handlers(current, 1);
1906 sigemptyset(¤t->blocked);
1907 recalc_sigpending();
1908 spin_unlock_irq(¤t->sighand->siglock);
1911 /* Check whether the new SID can inherit resource limits
1912 from the old SID. If not, reset all soft limits to
1913 the lower of the current task's hard limit and the init
1914 task's soft limit. Note that the setting of hard limits
1915 (even to lower them) can be controlled by the setrlimit
1916 check. The inclusion of the init task's soft limit into
1917 the computation is to avoid resetting soft limits higher
1918 than the default soft limit for cases where the default
1919 is lower than the hard limit, e.g. RLIMIT_CORE or
1921 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1922 PROCESS__RLIMITINH, NULL, NULL);
1924 for (i = 0; i < RLIM_NLIMITS; i++) {
1925 rlim = current->rlim + i;
1926 initrlim = init_task.rlim+i;
1927 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1931 /* Wake up the parent if it is waiting so that it can
1932 recheck wait permission to the new task SID. */
1933 wake_up_interruptible(¤t->parent->wait_chldexit);
1941 /* superblock security operations */
1943 static int selinux_sb_alloc_security(struct super_block *sb)
1945 return superblock_alloc_security(sb);
1948 static void selinux_sb_free_security(struct super_block *sb)
1950 superblock_free_security(sb);
1953 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1958 return !memcmp(prefix, option, plen);
1961 static inline int selinux_option(char *option, int len)
1963 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1964 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1965 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1968 static inline void take_option(char **to, char *from, int *first, int len)
1976 memcpy(*to, from, len);
1980 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1982 int fnosec, fsec, rc = 0;
1983 char *in_save, *in_curr, *in_end;
1984 char *sec_curr, *nosec_save, *nosec;
1989 /* Binary mount data: just copy */
1990 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1991 copy_page(sec_curr, in_curr);
1995 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2003 in_save = in_end = orig;
2006 if (*in_end == ',' || *in_end == '\0') {
2007 int len = in_end - in_curr;
2009 if (selinux_option(in_curr, len))
2010 take_option(&sec_curr, in_curr, &fsec, len);
2012 take_option(&nosec, in_curr, &fnosec, len);
2014 in_curr = in_end + 1;
2016 } while (*in_end++);
2018 copy_page(in_save, nosec_save);
2023 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2025 struct avc_audit_data ad;
2028 rc = superblock_doinit(sb, data);
2032 AVC_AUDIT_DATA_INIT(&ad,FS);
2033 ad.u.fs.dentry = sb->s_root;
2034 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2037 static int selinux_sb_statfs(struct super_block *sb)
2039 struct avc_audit_data ad;
2041 AVC_AUDIT_DATA_INIT(&ad,FS);
2042 ad.u.fs.dentry = sb->s_root;
2043 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
2046 static int selinux_mount(char * dev_name,
2047 struct nameidata *nd,
2049 unsigned long flags,
2052 if (flags & MS_REMOUNT)
2053 return superblock_has_perm(current, nd->mnt->mnt_sb,
2054 FILESYSTEM__REMOUNT, NULL);
2056 return dentry_has_perm(current, nd->mnt, nd->dentry,
2060 static int selinux_umount(struct vfsmount *mnt, int flags)
2062 return superblock_has_perm(current,mnt->mnt_sb,
2063 FILESYSTEM__UNMOUNT,NULL);
2066 /* inode security operations */
2068 static int selinux_inode_alloc_security(struct inode *inode)
2070 return inode_alloc_security(inode);
2073 static void selinux_inode_free_security(struct inode *inode)
2075 inode_free_security(inode);
2078 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2080 return may_create(dir, dentry, SECCLASS_FILE);
2083 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2085 post_create(dir, dentry);
2088 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2092 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2095 return may_link(dir, old_dentry, MAY_LINK);
2098 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2103 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2105 return may_link(dir, dentry, MAY_UNLINK);
2108 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2110 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2113 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2115 post_create(dir, dentry);
2118 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2120 return may_create(dir, dentry, SECCLASS_DIR);
2123 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2125 post_create(dir, dentry);
2128 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2130 return may_link(dir, dentry, MAY_RMDIR);
2133 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2135 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2138 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2140 post_create(dir, dentry);
2143 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2144 struct inode *new_inode, struct dentry *new_dentry)
2146 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2149 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2150 struct inode *new_inode, struct dentry *new_dentry)
2155 static int selinux_inode_readlink(struct dentry *dentry)
2157 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2160 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2164 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2167 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2170 static int selinux_inode_permission(struct inode *inode, int mask,
2171 struct nameidata *nd)
2174 /* No permission to check. Existence test. */
2178 return inode_has_perm(current, inode,
2179 file_mask_to_av(inode->i_mode, mask), NULL, NULL);
2182 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2184 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2185 ATTR_ATIME_SET | ATTR_MTIME_SET))
2186 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2188 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2191 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2193 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2196 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2198 struct task_security_struct *tsec = current->security;
2199 struct inode *inode = dentry->d_inode;
2200 struct inode_security_struct *isec = inode->i_security;
2201 struct superblock_security_struct *sbsec;
2202 struct avc_audit_data ad;
2206 if (strcmp(name, XATTR_NAME_SELINUX)) {
2207 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2208 sizeof XATTR_SECURITY_PREFIX - 1) &&
2209 !capable(CAP_SYS_ADMIN)) {
2210 /* A different attribute in the security namespace.
2211 Restrict to administrator. */
2215 /* Not an attribute we recognize, so just check the
2216 ordinary setattr permission. */
2217 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2220 sbsec = inode->i_sb->s_security;
2221 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2224 AVC_AUDIT_DATA_INIT(&ad,FS);
2225 ad.u.fs.dentry = dentry;
2227 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2233 rc = security_context_to_sid(value, size, &newsid);
2237 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2238 FILE__RELABELTO, NULL, &ad);
2242 return avc_has_perm(newsid,
2244 SECCLASS_FILESYSTEM,
2245 FILESYSTEM__ASSOCIATE,
2250 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2251 void *value, size_t size, int flags)
2253 struct inode *inode = dentry->d_inode;
2254 struct inode_security_struct *isec = inode->i_security;
2258 if (strcmp(name, XATTR_NAME_SELINUX)) {
2259 /* Not an attribute we recognize, so nothing to do. */
2263 rc = security_context_to_sid(value, size, &newsid);
2265 printk(KERN_WARNING "%s: unable to obtain SID for context "
2266 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2274 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2276 struct inode *inode = dentry->d_inode;
2277 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2279 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2282 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2285 static int selinux_inode_listxattr (struct dentry *dentry)
2287 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2290 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2292 if (strcmp(name, XATTR_NAME_SELINUX)) {
2293 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2294 sizeof XATTR_SECURITY_PREFIX - 1) &&
2295 !capable(CAP_SYS_ADMIN)) {
2296 /* A different attribute in the security namespace.
2297 Restrict to administrator. */
2301 /* Not an attribute we recognize, so just check the
2302 ordinary setattr permission. Might want a separate
2303 permission for removexattr. */
2304 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2307 /* No one is allowed to remove a SELinux security label.
2308 You can change the label, but all data must be labeled. */
2312 static int selinux_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
2314 struct inode *inode = dentry->d_inode;
2315 struct inode_security_struct *isec = inode->i_security;
2320 /* Permission check handled by selinux_inode_getxattr hook.*/
2322 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2325 rc = security_sid_to_context(isec->sid, &context, &len);
2329 if (!buffer || !size) {
2337 memcpy(buffer, context, len);
2342 static int selinux_inode_setsecurity(struct dentry *dentry, const char *name,
2343 const void *value, size_t size, int flags)
2345 struct inode *inode = dentry->d_inode;
2346 struct inode_security_struct *isec = inode->i_security;
2350 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2353 if (!value || !size)
2356 rc = security_context_to_sid((void*)value, size, &newsid);
2364 static int selinux_inode_listsecurity(struct dentry *dentry, char *buffer)
2366 const int len = sizeof(XATTR_NAME_SELINUX);
2368 memcpy(buffer, XATTR_NAME_SELINUX, len);
2372 /* file security operations */
2374 static int selinux_file_permission(struct file *file, int mask)
2376 struct inode *inode = file->f_dentry->d_inode;
2379 /* No permission to check. Existence test. */
2383 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2384 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2387 return file_has_perm(current, file,
2388 file_mask_to_av(inode->i_mode, mask));
2391 static int selinux_file_alloc_security(struct file *file)
2393 return file_alloc_security(file);
2396 static void selinux_file_free_security(struct file *file)
2398 file_free_security(file);
2401 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2413 case EXT2_IOC_GETFLAGS:
2415 case EXT2_IOC_GETVERSION:
2416 error = file_has_perm(current, file, FILE__GETATTR);
2419 case EXT2_IOC_SETFLAGS:
2421 case EXT2_IOC_SETVERSION:
2422 error = file_has_perm(current, file, FILE__SETATTR);
2425 /* sys_ioctl() checks */
2429 error = file_has_perm(current, file, 0);
2434 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2437 /* default case assumes that the command will go
2438 * to the file's ioctl() function.
2441 error = file_has_perm(current, file, FILE__IOCTL);
2447 static int selinux_file_mmap(struct file *file, unsigned long prot, unsigned long flags)
2452 /* read access is always possible with a mapping */
2455 /* write access only matters if the mapping is shared */
2456 if ((flags & MAP_TYPE) == MAP_SHARED && (prot & PROT_WRITE))
2459 if (prot & PROT_EXEC)
2460 av |= FILE__EXECUTE;
2462 return file_has_perm(current, file, av);
2467 static int selinux_file_mprotect(struct vm_area_struct *vma,
2470 return selinux_file_mmap(vma->vm_file, prot, vma->vm_flags);
2473 static int selinux_file_lock(struct file *file, unsigned int cmd)
2475 return file_has_perm(current, file, FILE__LOCK);
2478 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2485 if (!file->f_dentry || !file->f_dentry->d_inode) {
2490 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2491 err = file_has_perm(current, file,FILE__WRITE);
2500 /* Just check FD__USE permission */
2501 err = file_has_perm(current, file, 0);
2506 #if BITS_PER_LONG == 32
2511 if (!file->f_dentry || !file->f_dentry->d_inode) {
2515 err = file_has_perm(current, file, FILE__LOCK);
2522 static int selinux_file_set_fowner(struct file *file)
2524 struct task_security_struct *tsec;
2525 struct file_security_struct *fsec;
2527 tsec = current->security;
2528 fsec = file->f_security;
2529 fsec->fown_sid = tsec->sid;
2534 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2535 struct fown_struct *fown,
2540 struct task_security_struct *tsec;
2541 struct file_security_struct *fsec;
2543 /* struct fown_struct is never outside the context of a struct file */
2544 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2546 tsec = tsk->security;
2547 fsec = file->f_security;
2550 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2552 perm = signal_to_av(fown->signum);
2554 return avc_has_perm(fsec->fown_sid, tsec->sid,
2555 SECCLASS_PROCESS, perm, NULL, NULL);
2558 static int selinux_file_receive(struct file *file)
2560 return file_has_perm(current, file, file_to_av(file));
2563 /* task security operations */
2565 static int selinux_task_create(unsigned long clone_flags)
2567 return task_has_perm(current, current, PROCESS__FORK);
2570 static int selinux_task_alloc_security(struct task_struct *tsk)
2572 struct task_security_struct *tsec1, *tsec2;
2575 tsec1 = current->security;
2577 rc = task_alloc_security(tsk);
2580 tsec2 = tsk->security;
2582 tsec2->osid = tsec1->osid;
2583 tsec2->sid = tsec1->sid;
2585 /* Retain the exec and create SIDs across fork */
2586 tsec2->exec_sid = tsec1->exec_sid;
2587 tsec2->create_sid = tsec1->create_sid;
2592 static void selinux_task_free_security(struct task_struct *tsk)
2594 task_free_security(tsk);
2597 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2599 /* Since setuid only affects the current process, and
2600 since the SELinux controls are not based on the Linux
2601 identity attributes, SELinux does not need to control
2602 this operation. However, SELinux does control the use
2603 of the CAP_SETUID and CAP_SETGID capabilities using the
2608 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2610 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2613 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2615 /* See the comment for setuid above. */
2619 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2621 return task_has_perm(current, p, PROCESS__SETPGID);
2624 static int selinux_task_getpgid(struct task_struct *p)
2626 return task_has_perm(current, p, PROCESS__GETPGID);
2629 static int selinux_task_getsid(struct task_struct *p)
2631 return task_has_perm(current, p, PROCESS__GETSESSION);
2634 static int selinux_task_setgroups(struct group_info *group_info)
2636 /* See the comment for setuid above. */
2640 static int selinux_task_setnice(struct task_struct *p, int nice)
2642 return task_has_perm(current,p, PROCESS__SETSCHED);
2645 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2647 struct rlimit *old_rlim = current->rlim + resource;
2649 /* Control the ability to change the hard limit (whether
2650 lowering or raising it), so that the hard limit can
2651 later be used as a safe reset point for the soft limit
2652 upon context transitions. See selinux_bprm_apply_creds. */
2653 if (old_rlim->rlim_max != new_rlim->rlim_max)
2654 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2659 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2661 struct task_security_struct *tsec1, *tsec2;
2663 tsec1 = current->security;
2664 tsec2 = p->security;
2666 /* No auditing from the setscheduler hook, since the runqueue lock
2667 is held and the system will deadlock if we try to log an audit
2669 return avc_has_perm_noaudit(tsec1->sid, tsec2->sid,
2670 SECCLASS_PROCESS, PROCESS__SETSCHED,
2671 &tsec2->avcr, NULL);
2674 static int selinux_task_getscheduler(struct task_struct *p)
2676 return task_has_perm(current, p, PROCESS__GETSCHED);
2679 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2683 if (info && ((unsigned long)info == 1 ||
2684 (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2688 perm = PROCESS__SIGNULL; /* null signal; existence test */
2690 perm = signal_to_av(sig);
2692 return task_has_perm(current, p, perm);
2695 static int selinux_task_prctl(int option,
2701 /* The current prctl operations do not appear to require
2702 any SELinux controls since they merely observe or modify
2703 the state of the current process. */
2707 static int selinux_task_wait(struct task_struct *p)
2711 perm = signal_to_av(p->exit_signal);
2713 return task_has_perm(p, current, perm);
2716 static void selinux_task_reparent_to_init(struct task_struct *p)
2718 struct task_security_struct *tsec;
2720 secondary_ops->task_reparent_to_init(p);
2723 tsec->osid = tsec->sid;
2724 tsec->sid = SECINITSID_KERNEL;
2728 static void selinux_task_to_inode(struct task_struct *p,
2729 struct inode *inode)
2731 struct task_security_struct *tsec = p->security;
2732 struct inode_security_struct *isec = inode->i_security;
2734 isec->sid = tsec->sid;
2735 isec->initialized = 1;
2739 #ifdef CONFIG_SECURITY_NETWORK
2741 /* Returns error only if unable to parse addresses */
2742 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2744 int offset, ihlen, ret;
2747 offset = skb->nh.raw - skb->data;
2748 ret = skb_copy_bits(skb, offset, &iph, sizeof(iph));
2752 ihlen = iph.ihl * 4;
2753 if (ihlen < sizeof(iph))
2756 ad->u.net.v4info.saddr = iph.saddr;
2757 ad->u.net.v4info.daddr = iph.daddr;
2759 switch (iph.protocol) {
2763 if (ntohs(iph.frag_off) & IP_OFFSET)
2767 if (skb_copy_bits(skb, offset, &tcph, sizeof(tcph)) < 0)
2770 ad->u.net.sport = tcph.source;
2771 ad->u.net.dport = tcph.dest;
2778 if (ntohs(iph.frag_off) & IP_OFFSET)
2782 if (skb_copy_bits(skb, offset, &udph, sizeof(udph)) < 0)
2785 ad->u.net.sport = udph.source;
2786 ad->u.net.dport = udph.dest;
2797 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2799 /* Returns error only if unable to parse addresses */
2800 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2804 struct ipv6hdr ipv6h;
2806 offset = skb->nh.raw - skb->data;
2807 ret = skb_copy_bits(skb, offset, &ipv6h, sizeof(ipv6h));
2811 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ipv6h.saddr);
2812 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ipv6h.daddr);
2814 nexthdr = ipv6h.nexthdr;
2815 offset += sizeof(ipv6h);
2816 offset = ipv6_skip_exthdr(skb, offset, &nexthdr,
2817 skb->tail - skb->head - offset);
2825 if (skb_copy_bits(skb, offset, &tcph, sizeof(tcph)) < 0)
2828 ad->u.net.sport = tcph.source;
2829 ad->u.net.dport = tcph.dest;
2836 if (skb_copy_bits(skb, offset, &udph, sizeof(udph)) < 0)
2839 ad->u.net.sport = udph.source;
2840 ad->u.net.dport = udph.dest;
2844 /* includes fragments */
2854 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2855 char **addrp, int *len, int src)
2859 switch (ad->u.net.family) {
2861 ret = selinux_parse_skb_ipv4(skb, ad);
2865 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2866 &ad->u.net.v4info.daddr);
2869 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2871 ret = selinux_parse_skb_ipv6(skb, ad);
2875 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2876 &ad->u.net.v6info.daddr);
2886 /* socket security operations */
2887 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2890 struct inode_security_struct *isec;
2891 struct task_security_struct *tsec;
2892 struct avc_audit_data ad;
2895 tsec = task->security;
2896 isec = SOCK_INODE(sock)->i_security;
2898 if (isec->sid == SECINITSID_KERNEL)
2901 AVC_AUDIT_DATA_INIT(&ad,NET);
2902 ad.u.net.sk = sock->sk;
2903 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2904 perms, &isec->avcr, &ad);
2910 static int selinux_socket_create(int family, int type,
2911 int protocol, int kern)
2914 struct task_security_struct *tsec;
2919 tsec = current->security;
2920 err = avc_has_perm(tsec->sid, tsec->sid,
2921 socket_type_to_security_class(family, type),
2922 SOCKET__CREATE, NULL, NULL);
2928 static void selinux_socket_post_create(struct socket *sock, int family,
2929 int type, int protocol, int kern)
2932 struct inode_security_struct *isec;
2933 struct task_security_struct *tsec;
2935 err = inode_doinit(SOCK_INODE(sock));
2938 isec = SOCK_INODE(sock)->i_security;
2940 tsec = current->security;
2941 isec->sclass = socket_type_to_security_class(family, type);
2942 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2947 /* Range of port numbers used to automatically bind.
2948 Need to determine whether we should perform a name_bind
2949 permission check between the socket and the port number. */
2950 #define ip_local_port_range_0 sysctl_local_port_range[0]
2951 #define ip_local_port_range_1 sysctl_local_port_range[1]
2953 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2958 err = socket_has_perm(current, sock, SOCKET__BIND);
2963 * If PF_INET or PF_INET6, check name_bind permission for the port.
2965 family = sock->sk->sk_family;
2966 if (family == PF_INET || family == PF_INET6) {
2968 struct inode_security_struct *isec;
2969 struct task_security_struct *tsec;
2970 struct avc_audit_data ad;
2971 struct sockaddr_in *addr4 = NULL;
2972 struct sockaddr_in6 *addr6 = NULL;
2973 unsigned short snum;
2974 struct sock *sk = sock->sk;
2975 u32 sid, node_perm, addrlen;
2977 tsec = current->security;
2978 isec = SOCK_INODE(sock)->i_security;
2980 if (family == PF_INET) {
2981 addr4 = (struct sockaddr_in *)address;
2982 snum = ntohs(addr4->sin_port);
2983 addrlen = sizeof(addr4->sin_addr.s_addr);
2984 addrp = (char *)&addr4->sin_addr.s_addr;
2986 addr6 = (struct sockaddr_in6 *)address;
2987 snum = ntohs(addr6->sin6_port);
2988 addrlen = sizeof(addr6->sin6_addr.s6_addr);
2989 addrp = (char *)&addr6->sin6_addr.s6_addr;
2992 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2993 snum > ip_local_port_range_1)) {
2994 err = security_port_sid(sk->sk_family, sk->sk_type,
2995 sk->sk_protocol, snum, &sid);
2998 AVC_AUDIT_DATA_INIT(&ad,NET);
2999 ad.u.net.sport = htons(snum);
3000 err = avc_has_perm(isec->sid, sid,
3002 SOCKET__NAME_BIND, NULL, &ad);
3007 switch(sk->sk_protocol) {
3009 node_perm = TCP_SOCKET__NODE_BIND;
3013 node_perm = UDP_SOCKET__NODE_BIND;
3017 node_perm = RAWIP_SOCKET__NODE_BIND;
3021 err = security_node_sid(family, addrp, addrlen, &sid);
3025 AVC_AUDIT_DATA_INIT(&ad,NET);
3026 ad.u.net.sport = htons(snum);
3027 ad.u.net.family = family;
3029 if (family == PF_INET)
3030 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3032 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3034 err = avc_has_perm(isec->sid, sid,
3035 isec->sclass, node_perm, NULL, &ad);
3043 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3045 return socket_has_perm(current, sock, SOCKET__CONNECT);
3048 static int selinux_socket_listen(struct socket *sock, int backlog)
3050 return socket_has_perm(current, sock, SOCKET__LISTEN);
3053 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3056 struct inode_security_struct *isec;
3057 struct inode_security_struct *newisec;
3059 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3063 err = inode_doinit(SOCK_INODE(newsock));
3066 newisec = SOCK_INODE(newsock)->i_security;
3068 isec = SOCK_INODE(sock)->i_security;
3069 newisec->sclass = isec->sclass;
3070 newisec->sid = isec->sid;
3075 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3078 return socket_has_perm(current, sock, SOCKET__WRITE);
3081 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3082 int size, int flags)
3084 return socket_has_perm(current, sock, SOCKET__READ);
3087 static int selinux_socket_getsockname(struct socket *sock)
3089 return socket_has_perm(current, sock, SOCKET__GETATTR);
3092 static int selinux_socket_getpeername(struct socket *sock)
3094 return socket_has_perm(current, sock, SOCKET__GETATTR);
3097 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3099 return socket_has_perm(current, sock, SOCKET__SETOPT);
3102 static int selinux_socket_getsockopt(struct socket *sock, int level,
3105 return socket_has_perm(current, sock, SOCKET__GETOPT);
3108 static int selinux_socket_shutdown(struct socket *sock, int how)
3110 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3113 static int selinux_socket_unix_stream_connect(struct socket *sock,
3114 struct socket *other,
3117 struct sk_security_struct *ssec;
3118 struct inode_security_struct *isec;
3119 struct inode_security_struct *other_isec;
3120 struct avc_audit_data ad;
3123 isec = SOCK_INODE(sock)->i_security;
3124 other_isec = SOCK_INODE(other)->i_security;
3126 AVC_AUDIT_DATA_INIT(&ad,NET);
3127 ad.u.net.sk = other->sk;
3129 err = avc_has_perm(isec->sid, other_isec->sid,
3131 UNIX_STREAM_SOCKET__CONNECTTO,
3132 &other_isec->avcr, &ad);
3136 /* connecting socket */
3137 ssec = sock->sk->sk_security;
3138 ssec->peer_sid = other_isec->sid;
3140 /* server child socket */
3141 ssec = newsk->sk_security;
3142 ssec->peer_sid = isec->sid;
3147 static int selinux_socket_unix_may_send(struct socket *sock,
3148 struct socket *other)
3150 struct inode_security_struct *isec;
3151 struct inode_security_struct *other_isec;
3152 struct avc_audit_data ad;
3155 isec = SOCK_INODE(sock)->i_security;
3156 other_isec = SOCK_INODE(other)->i_security;
3158 AVC_AUDIT_DATA_INIT(&ad,NET);
3159 ad.u.net.sk = other->sk;
3161 err = avc_has_perm(isec->sid, other_isec->sid,
3164 &other_isec->avcr, &ad);
3171 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3176 u32 netif_perm, node_perm, node_sid, recv_perm = 0;
3177 struct socket *sock;
3178 struct inode *inode;
3179 struct net_device *dev;
3180 struct sel_netif *netif;
3181 struct netif_security_struct *nsec;
3182 struct inode_security_struct *isec;
3183 struct avc_audit_data ad;
3185 family = sk->sk_family;
3186 if (family != PF_INET && family != PF_INET6)
3189 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3190 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3193 sock = sk->sk_socket;
3195 /* TCP control messages don't always have a socket. */
3199 inode = SOCK_INODE(sock);
3207 netif = sel_netif_lookup(dev);
3208 if (IS_ERR(netif)) {
3209 err = PTR_ERR(netif);
3213 nsec = &netif->nsec;
3214 isec = inode->i_security;
3216 switch (isec->sclass) {
3217 case SECCLASS_UDP_SOCKET:
3218 netif_perm = NETIF__UDP_RECV;
3219 node_perm = NODE__UDP_RECV;
3220 recv_perm = UDP_SOCKET__RECV_MSG;
3223 case SECCLASS_TCP_SOCKET:
3224 netif_perm = NETIF__TCP_RECV;
3225 node_perm = NODE__TCP_RECV;
3226 recv_perm = TCP_SOCKET__RECV_MSG;
3230 netif_perm = NETIF__RAWIP_RECV;
3231 node_perm = NODE__RAWIP_RECV;
3235 AVC_AUDIT_DATA_INIT(&ad, NET);
3236 ad.u.net.netif = dev->name;
3237 ad.u.net.family = family;
3239 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3241 sel_netif_put(netif);
3245 err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
3246 netif_perm, &nsec->avcr, &ad);
3247 sel_netif_put(netif);
3251 /* Fixme: this lookup is inefficient */
3252 err = security_node_sid(family, addrp, len, &node_sid);
3256 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE, node_perm, NULL, &ad);
3263 /* Fixme: make this more efficient */
3264 err = security_port_sid(sk->sk_family, sk->sk_type,
3265 sk->sk_protocol, ntohs(ad.u.net.sport),
3270 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3271 recv_perm, NULL, &ad);
3277 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3278 int __user *optlen, unsigned len)
3283 struct sk_security_struct *ssec;
3284 struct inode_security_struct *isec;
3286 isec = SOCK_INODE(sock)->i_security;
3287 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3292 ssec = sock->sk->sk_security;
3294 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3298 if (scontext_len > len) {
3303 if (copy_to_user(optval, scontext, scontext_len))
3307 if (put_user(scontext_len, optlen))
3315 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3317 return sk_alloc_security(sk, family, priority);
3320 static void selinux_sk_free_security(struct sock *sk)
3322 sk_free_security(sk);
3325 #ifdef CONFIG_NETFILTER
3327 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3328 struct sk_buff **pskb,
3329 const struct net_device *in,
3330 const struct net_device *out,
3331 int (*okfn)(struct sk_buff *),
3335 int len, err = NF_ACCEPT;
3336 u32 netif_perm, node_perm, node_sid, send_perm = 0;
3338 struct socket *sock;
3339 struct inode *inode;
3340 struct sel_netif *netif;
3341 struct sk_buff *skb = *pskb;
3342 struct netif_security_struct *nsec;
3343 struct inode_security_struct *isec;
3344 struct avc_audit_data ad;
3345 struct net_device *dev = (struct net_device *)out;
3351 sock = sk->sk_socket;
3355 inode = SOCK_INODE(sock);
3359 netif = sel_netif_lookup(dev);
3360 if (IS_ERR(netif)) {
3365 nsec = &netif->nsec;
3366 isec = inode->i_security;
3368 switch (isec->sclass) {
3369 case SECCLASS_UDP_SOCKET:
3370 netif_perm = NETIF__UDP_SEND;
3371 node_perm = NODE__UDP_SEND;
3372 send_perm = UDP_SOCKET__SEND_MSG;
3375 case SECCLASS_TCP_SOCKET:
3376 netif_perm = NETIF__TCP_SEND;
3377 node_perm = NODE__TCP_SEND;
3378 send_perm = TCP_SOCKET__SEND_MSG;
3382 netif_perm = NETIF__RAWIP_SEND;
3383 node_perm = NODE__RAWIP_SEND;
3388 AVC_AUDIT_DATA_INIT(&ad, NET);
3389 ad.u.net.netif = dev->name;
3390 ad.u.net.family = family;
3392 err = selinux_parse_skb(skb, &ad, &addrp,
3393 &len, 0) ? NF_DROP : NF_ACCEPT;
3394 if (err != NF_ACCEPT) {
3395 sel_netif_put(netif);
3399 err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
3400 netif_perm, &nsec->avcr, &ad) ? NF_DROP : NF_ACCEPT;
3401 sel_netif_put(netif);
3402 if (err != NF_ACCEPT)
3405 /* Fixme: this lookup is inefficient */
3406 err = security_node_sid(family, addrp, len,
3407 &node_sid) ? NF_DROP : NF_ACCEPT;
3408 if (err != NF_ACCEPT)
3411 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3412 node_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
3413 if (err != NF_ACCEPT)
3419 /* Fixme: make this more efficient */
3420 err = security_port_sid(sk->sk_family,
3423 ntohs(ad.u.net.dport),
3424 &port_sid) ? NF_DROP : NF_ACCEPT;
3425 if (err != NF_ACCEPT)
3428 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3429 send_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
3436 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3437 struct sk_buff **pskb,
3438 const struct net_device *in,
3439 const struct net_device *out,
3440 int (*okfn)(struct sk_buff *))
3442 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3445 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3447 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3448 struct sk_buff **pskb,
3449 const struct net_device *in,
3450 const struct net_device *out,
3451 int (*okfn)(struct sk_buff *))
3453 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3458 #endif /* CONFIG_NETFILTER */
3460 #endif /* CONFIG_SECURITY_NETWORK */
3462 static int ipc_alloc_security(struct task_struct *task,
3463 struct kern_ipc_perm *perm,
3466 struct task_security_struct *tsec = task->security;
3467 struct ipc_security_struct *isec;
3469 isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3473 memset(isec, 0, sizeof(struct ipc_security_struct));
3474 isec->magic = SELINUX_MAGIC;
3475 isec->sclass = sclass;
3476 isec->ipc_perm = perm;
3478 isec->sid = tsec->sid;
3480 isec->sid = SECINITSID_UNLABELED;
3482 perm->security = isec;
3487 static void ipc_free_security(struct kern_ipc_perm *perm)
3489 struct ipc_security_struct *isec = perm->security;
3490 if (!isec || isec->magic != SELINUX_MAGIC)
3493 perm->security = NULL;
3497 static int msg_msg_alloc_security(struct msg_msg *msg)
3499 struct msg_security_struct *msec;
3501 msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3505 memset(msec, 0, sizeof(struct msg_security_struct));
3506 msec->magic = SELINUX_MAGIC;
3508 msec->sid = SECINITSID_UNLABELED;
3509 msg->security = msec;
3514 static void msg_msg_free_security(struct msg_msg *msg)
3516 struct msg_security_struct *msec = msg->security;
3517 if (!msec || msec->magic != SELINUX_MAGIC)
3520 msg->security = NULL;
3524 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3525 u16 sclass, u32 perms)
3527 struct task_security_struct *tsec;
3528 struct ipc_security_struct *isec;
3529 struct avc_audit_data ad;
3531 tsec = current->security;
3532 isec = ipc_perms->security;
3534 AVC_AUDIT_DATA_INIT(&ad, IPC);
3535 ad.u.ipc_id = ipc_perms->key;
3537 return avc_has_perm(tsec->sid, isec->sid, sclass,
3538 perms, &isec->avcr, &ad);
3541 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3543 return msg_msg_alloc_security(msg);
3546 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3548 msg_msg_free_security(msg);
3551 /* message queue security operations */
3552 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3554 struct task_security_struct *tsec;
3555 struct ipc_security_struct *isec;
3556 struct avc_audit_data ad;
3559 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3563 tsec = current->security;
3564 isec = msq->q_perm.security;
3566 AVC_AUDIT_DATA_INIT(&ad, IPC);
3567 ad.u.ipc_id = msq->q_perm.key;
3569 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3570 MSGQ__CREATE, &isec->avcr, &ad);
3572 ipc_free_security(&msq->q_perm);
3578 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3580 ipc_free_security(&msq->q_perm);
3583 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3585 struct task_security_struct *tsec;
3586 struct ipc_security_struct *isec;
3587 struct avc_audit_data ad;
3589 tsec = current->security;
3590 isec = msq->q_perm.security;
3592 AVC_AUDIT_DATA_INIT(&ad, IPC);
3593 ad.u.ipc_id = msq->q_perm.key;
3595 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3596 MSGQ__ASSOCIATE, &isec->avcr, &ad);
3599 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3607 /* No specific object, just general system-wide information. */
3608 return task_has_system(current, SYSTEM__IPC_INFO);
3611 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3614 perms = MSGQ__SETATTR;
3617 perms = MSGQ__DESTROY;
3623 err = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms);
3627 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3629 struct task_security_struct *tsec;
3630 struct ipc_security_struct *isec;
3631 struct msg_security_struct *msec;
3632 struct avc_audit_data ad;
3635 tsec = current->security;
3636 isec = msq->q_perm.security;
3637 msec = msg->security;
3640 * First time through, need to assign label to the message
3642 if (msec->sid == SECINITSID_UNLABELED) {
3644 * Compute new sid based on current process and
3645 * message queue this message will be stored in
3647 rc = security_transition_sid(tsec->sid,
3655 AVC_AUDIT_DATA_INIT(&ad, IPC);
3656 ad.u.ipc_id = msq->q_perm.key;
3658 /* Can this process write to the queue? */
3659 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3660 MSGQ__WRITE, &isec->avcr, &ad);
3662 /* Can this process send the message */
3663 rc = avc_has_perm(tsec->sid, msec->sid,
3664 SECCLASS_MSG, MSG__SEND,
3667 /* Can the message be put in the queue? */
3668 rc = avc_has_perm(msec->sid, isec->sid,
3669 SECCLASS_MSGQ, MSGQ__ENQUEUE,
3675 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3676 struct task_struct *target,
3677 long type, int mode)
3679 struct task_security_struct *tsec;
3680 struct ipc_security_struct *isec;
3681 struct msg_security_struct *msec;
3682 struct avc_audit_data ad;
3685 tsec = target->security;
3686 isec = msq->q_perm.security;
3687 msec = msg->security;
3689 AVC_AUDIT_DATA_INIT(&ad, IPC);
3690 ad.u.ipc_id = msq->q_perm.key;
3692 rc = avc_has_perm(tsec->sid, isec->sid,
3693 SECCLASS_MSGQ, MSGQ__READ,
3696 rc = avc_has_perm(tsec->sid, msec->sid,
3697 SECCLASS_MSG, MSG__RECEIVE,
3702 /* Shared Memory security operations */
3703 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3705 struct task_security_struct *tsec;
3706 struct ipc_security_struct *isec;
3707 struct avc_audit_data ad;
3710 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3714 tsec = current->security;
3715 isec = shp->shm_perm.security;
3717 AVC_AUDIT_DATA_INIT(&ad, IPC);
3718 ad.u.ipc_id = shp->shm_perm.key;
3720 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3721 SHM__CREATE, &isec->avcr, &ad);
3723 ipc_free_security(&shp->shm_perm);
3729 static void selinux_shm_free_security(struct shmid_kernel *shp)
3731 ipc_free_security(&shp->shm_perm);
3734 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3736 struct task_security_struct *tsec;
3737 struct ipc_security_struct *isec;
3738 struct avc_audit_data ad;
3740 tsec = current->security;
3741 isec = shp->shm_perm.security;
3743 AVC_AUDIT_DATA_INIT(&ad, IPC);
3744 ad.u.ipc_id = shp->shm_perm.key;
3746 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3747 SHM__ASSOCIATE, &isec->avcr, &ad);
3750 /* Note, at this point, shp is locked down */
3751 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3759 /* No specific object, just general system-wide information. */
3760 return task_has_system(current, SYSTEM__IPC_INFO);
3763 perms = SHM__GETATTR | SHM__ASSOCIATE;
3766 perms = SHM__SETATTR;
3773 perms = SHM__DESTROY;
3779 err = ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3783 static int selinux_shm_shmat(struct shmid_kernel *shp,
3784 char __user *shmaddr, int shmflg)
3788 if (shmflg & SHM_RDONLY)
3791 perms = SHM__READ | SHM__WRITE;
3793 return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3796 /* Semaphore security operations */
3797 static int selinux_sem_alloc_security(struct sem_array *sma)
3799 struct task_security_struct *tsec;
3800 struct ipc_security_struct *isec;
3801 struct avc_audit_data ad;
3804 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3808 tsec = current->security;
3809 isec = sma->sem_perm.security;
3811 AVC_AUDIT_DATA_INIT(&ad, IPC);
3812 ad.u.ipc_id = sma->sem_perm.key;
3814 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3815 SEM__CREATE, &isec->avcr, &ad);
3817 ipc_free_security(&sma->sem_perm);
3823 static void selinux_sem_free_security(struct sem_array *sma)
3825 ipc_free_security(&sma->sem_perm);
3828 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3830 struct task_security_struct *tsec;
3831 struct ipc_security_struct *isec;
3832 struct avc_audit_data ad;
3834 tsec = current->security;
3835 isec = sma->sem_perm.security;
3837 AVC_AUDIT_DATA_INIT(&ad, IPC);
3838 ad.u.ipc_id = sma->sem_perm.key;
3840 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3841 SEM__ASSOCIATE, &isec->avcr, &ad);
3844 /* Note, at this point, sma is locked down */
3845 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3853 /* No specific object, just general system-wide information. */
3854 return task_has_system(current, SYSTEM__IPC_INFO);
3858 perms = SEM__GETATTR;
3869 perms = SEM__DESTROY;
3872 perms = SEM__SETATTR;
3876 perms = SEM__GETATTR | SEM__ASSOCIATE;
3882 err = ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
3886 static int selinux_sem_semop(struct sem_array *sma,
3887 struct sembuf *sops, unsigned nsops, int alter)
3892 perms = SEM__READ | SEM__WRITE;
3896 return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
3899 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
3901 struct ipc_security_struct *isec = ipcp->security;
3902 u16 sclass = SECCLASS_IPC;
3905 if (isec && isec->magic == SELINUX_MAGIC)
3906 sclass = isec->sclass;
3910 av |= IPC__UNIX_READ;
3912 av |= IPC__UNIX_WRITE;
3917 return ipc_has_perm(ipcp, sclass, av);
3920 /* module stacking operations */
3921 int selinux_register_security (const char *name, struct security_operations *ops)
3923 if (secondary_ops != original_ops) {
3924 printk(KERN_INFO "%s: There is already a secondary security "
3925 "module registered.\n", __FUNCTION__);
3929 secondary_ops = ops;
3931 printk(KERN_INFO "%s: Registering secondary module %s\n",
3938 int selinux_unregister_security (const char *name, struct security_operations *ops)
3940 if (ops != secondary_ops) {
3941 printk (KERN_INFO "%s: trying to unregister a security module "
3942 "that is not registered.\n", __FUNCTION__);
3946 secondary_ops = original_ops;
3951 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
3954 inode_doinit_with_dentry(inode, dentry);
3957 static int selinux_getprocattr(struct task_struct *p,
3958 char *name, void *value, size_t size)
3960 struct task_security_struct *tsec;
3966 error = task_has_perm(current, p, PROCESS__GETATTR);
3976 if (!strcmp(name, "current"))
3978 else if (!strcmp(name, "prev"))
3980 else if (!strcmp(name, "exec"))
3981 sid = tsec->exec_sid;
3982 else if (!strcmp(name, "fscreate"))
3983 sid = tsec->create_sid;
3990 error = security_sid_to_context(sid, &context, &len);
3997 memcpy(value, context, len);
4002 static int selinux_setprocattr(struct task_struct *p,
4003 char *name, void *value, size_t size)
4005 struct task_security_struct *tsec;
4009 if (current != p || !strcmp(name, "current")) {
4010 /* SELinux only allows a process to change its own
4011 security attributes, and it only allows the process
4012 current SID to change via exec. */
4017 * Basic control over ability to set these attributes at all.
4018 * current == p, but we'll pass them separately in case the
4019 * above restriction is ever removed.
4021 if (!strcmp(name, "exec"))
4022 error = task_has_perm(current, p, PROCESS__SETEXEC);
4023 else if (!strcmp(name, "fscreate"))
4024 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4030 /* Obtain a SID for the context, if one was specified. */
4033 error = security_context_to_sid(value, size, &sid);
4038 /* Permission checking based on the specified context is
4039 performed during the actual operation (execve,
4040 open/mkdir/...), when we know the full context of the
4041 operation. See selinux_bprm_set_security for the execve
4042 checks and may_create for the file creation checks. The
4043 operation will then fail if the context is not permitted. */
4045 if (!strcmp(name, "exec"))
4046 tsec->exec_sid = sid;
4047 else if (!strcmp(name, "fscreate"))
4048 tsec->create_sid = sid;
4055 struct security_operations selinux_ops = {
4056 .ptrace = selinux_ptrace,
4057 .capget = selinux_capget,
4058 .capset_check = selinux_capset_check,
4059 .capset_set = selinux_capset_set,
4060 .sysctl = selinux_sysctl,
4061 .capable = selinux_capable,
4062 .quotactl = selinux_quotactl,
4063 .quota_on = selinux_quota_on,
4064 .syslog = selinux_syslog,
4065 .vm_enough_memory = selinux_vm_enough_memory,
4067 .netlink_send = selinux_netlink_send,
4068 .netlink_recv = selinux_netlink_recv,
4070 .bprm_alloc_security = selinux_bprm_alloc_security,
4071 .bprm_free_security = selinux_bprm_free_security,
4072 .bprm_apply_creds = selinux_bprm_apply_creds,
4073 .bprm_set_security = selinux_bprm_set_security,
4074 .bprm_check_security = selinux_bprm_check_security,
4075 .bprm_secureexec = selinux_bprm_secureexec,
4077 .sb_alloc_security = selinux_sb_alloc_security,
4078 .sb_free_security = selinux_sb_free_security,
4079 .sb_copy_data = selinux_sb_copy_data,
4080 .sb_kern_mount = selinux_sb_kern_mount,
4081 .sb_statfs = selinux_sb_statfs,
4082 .sb_mount = selinux_mount,
4083 .sb_umount = selinux_umount,
4085 .inode_alloc_security = selinux_inode_alloc_security,
4086 .inode_free_security = selinux_inode_free_security,
4087 .inode_create = selinux_inode_create,
4088 .inode_post_create = selinux_inode_post_create,
4089 .inode_link = selinux_inode_link,
4090 .inode_post_link = selinux_inode_post_link,
4091 .inode_unlink = selinux_inode_unlink,
4092 .inode_symlink = selinux_inode_symlink,
4093 .inode_post_symlink = selinux_inode_post_symlink,
4094 .inode_mkdir = selinux_inode_mkdir,
4095 .inode_post_mkdir = selinux_inode_post_mkdir,
4096 .inode_rmdir = selinux_inode_rmdir,
4097 .inode_mknod = selinux_inode_mknod,
4098 .inode_post_mknod = selinux_inode_post_mknod,
4099 .inode_rename = selinux_inode_rename,
4100 .inode_post_rename = selinux_inode_post_rename,
4101 .inode_readlink = selinux_inode_readlink,
4102 .inode_follow_link = selinux_inode_follow_link,
4103 .inode_permission = selinux_inode_permission,
4104 .inode_setattr = selinux_inode_setattr,
4105 .inode_getattr = selinux_inode_getattr,
4106 .inode_setxattr = selinux_inode_setxattr,
4107 .inode_post_setxattr = selinux_inode_post_setxattr,
4108 .inode_getxattr = selinux_inode_getxattr,
4109 .inode_listxattr = selinux_inode_listxattr,
4110 .inode_removexattr = selinux_inode_removexattr,
4111 .inode_getsecurity = selinux_inode_getsecurity,
4112 .inode_setsecurity = selinux_inode_setsecurity,
4113 .inode_listsecurity = selinux_inode_listsecurity,
4115 .file_permission = selinux_file_permission,
4116 .file_alloc_security = selinux_file_alloc_security,
4117 .file_free_security = selinux_file_free_security,
4118 .file_ioctl = selinux_file_ioctl,
4119 .file_mmap = selinux_file_mmap,
4120 .file_mprotect = selinux_file_mprotect,
4121 .file_lock = selinux_file_lock,
4122 .file_fcntl = selinux_file_fcntl,
4123 .file_set_fowner = selinux_file_set_fowner,
4124 .file_send_sigiotask = selinux_file_send_sigiotask,
4125 .file_receive = selinux_file_receive,
4127 .task_create = selinux_task_create,
4128 .task_alloc_security = selinux_task_alloc_security,
4129 .task_free_security = selinux_task_free_security,
4130 .task_setuid = selinux_task_setuid,
4131 .task_post_setuid = selinux_task_post_setuid,
4132 .task_setgid = selinux_task_setgid,
4133 .task_setpgid = selinux_task_setpgid,
4134 .task_getpgid = selinux_task_getpgid,
4135 .task_getsid = selinux_task_getsid,
4136 .task_setgroups = selinux_task_setgroups,
4137 .task_setnice = selinux_task_setnice,
4138 .task_setrlimit = selinux_task_setrlimit,
4139 .task_setscheduler = selinux_task_setscheduler,
4140 .task_getscheduler = selinux_task_getscheduler,
4141 .task_kill = selinux_task_kill,
4142 .task_wait = selinux_task_wait,
4143 .task_prctl = selinux_task_prctl,
4144 .task_reparent_to_init = selinux_task_reparent_to_init,
4145 .task_to_inode = selinux_task_to_inode,
4147 .ipc_permission = selinux_ipc_permission,
4149 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4150 .msg_msg_free_security = selinux_msg_msg_free_security,
4152 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4153 .msg_queue_free_security = selinux_msg_queue_free_security,
4154 .msg_queue_associate = selinux_msg_queue_associate,
4155 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4156 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4157 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4159 .shm_alloc_security = selinux_shm_alloc_security,
4160 .shm_free_security = selinux_shm_free_security,
4161 .shm_associate = selinux_shm_associate,
4162 .shm_shmctl = selinux_shm_shmctl,
4163 .shm_shmat = selinux_shm_shmat,
4165 .sem_alloc_security = selinux_sem_alloc_security,
4166 .sem_free_security = selinux_sem_free_security,
4167 .sem_associate = selinux_sem_associate,
4168 .sem_semctl = selinux_sem_semctl,
4169 .sem_semop = selinux_sem_semop,
4171 .register_security = selinux_register_security,
4172 .unregister_security = selinux_unregister_security,
4174 .d_instantiate = selinux_d_instantiate,
4176 .getprocattr = selinux_getprocattr,
4177 .setprocattr = selinux_setprocattr,
4179 #ifdef CONFIG_SECURITY_NETWORK
4180 .unix_stream_connect = selinux_socket_unix_stream_connect,
4181 .unix_may_send = selinux_socket_unix_may_send,
4183 .socket_create = selinux_socket_create,
4184 .socket_post_create = selinux_socket_post_create,
4185 .socket_bind = selinux_socket_bind,
4186 .socket_connect = selinux_socket_connect,
4187 .socket_listen = selinux_socket_listen,
4188 .socket_accept = selinux_socket_accept,
4189 .socket_sendmsg = selinux_socket_sendmsg,
4190 .socket_recvmsg = selinux_socket_recvmsg,
4191 .socket_getsockname = selinux_socket_getsockname,
4192 .socket_getpeername = selinux_socket_getpeername,
4193 .socket_getsockopt = selinux_socket_getsockopt,
4194 .socket_setsockopt = selinux_socket_setsockopt,
4195 .socket_shutdown = selinux_socket_shutdown,
4196 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4197 .socket_getpeersec = selinux_socket_getpeersec,
4198 .sk_alloc_security = selinux_sk_alloc_security,
4199 .sk_free_security = selinux_sk_free_security,
4203 __init int selinux_init(void)
4205 struct task_security_struct *tsec;
4207 if (!selinux_enabled) {
4208 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4212 printk(KERN_INFO "SELinux: Initializing.\n");
4214 /* Set the security state for the initial task. */
4215 if (task_alloc_security(current))
4216 panic("SELinux: Failed to initialize initial task.\n");
4217 tsec = current->security;
4218 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4222 original_ops = secondary_ops = security_ops;
4224 panic ("SELinux: No initial security operations\n");
4225 if (register_security (&selinux_ops))
4226 panic("SELinux: Unable to register with kernel.\n");
4228 if (selinux_enforcing) {
4229 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4231 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4236 void selinux_complete_init(void)
4238 printk(KERN_INFO "SELinux: Completing initialization.\n");
4240 /* Set up any superblocks initialized prior to the policy load. */
4241 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4242 spin_lock(&sb_security_lock);
4244 if (!list_empty(&superblock_security_head)) {
4245 struct superblock_security_struct *sbsec =
4246 list_entry(superblock_security_head.next,
4247 struct superblock_security_struct,
4249 struct super_block *sb = sbsec->sb;
4250 spin_lock(&sb_lock);
4252 spin_unlock(&sb_lock);
4253 spin_unlock(&sb_security_lock);
4254 down_read(&sb->s_umount);
4256 superblock_doinit(sb, NULL);
4258 spin_lock(&sb_security_lock);
4259 list_del_init(&sbsec->list);
4262 spin_unlock(&sb_security_lock);
4265 /* SELinux requires early initialization in order to label
4266 all processes and objects when they are created. */
4267 security_initcall(selinux_init);
4269 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4271 static struct nf_hook_ops selinux_ipv4_op = {
4272 .hook = selinux_ipv4_postroute_last,
4273 .owner = THIS_MODULE,
4275 .hooknum = NF_IP_POST_ROUTING,
4276 .priority = NF_IP_PRI_SELINUX_LAST,
4279 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4281 static struct nf_hook_ops selinux_ipv6_op = {
4282 .hook = selinux_ipv6_postroute_last,
4283 .owner = THIS_MODULE,
4285 .hooknum = NF_IP6_POST_ROUTING,
4286 .priority = NF_IP6_PRI_SELINUX_LAST,
4291 static int __init selinux_nf_ip_init(void)
4295 if (!selinux_enabled)
4298 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4300 err = nf_register_hook(&selinux_ipv4_op);
4302 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4304 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4306 err = nf_register_hook(&selinux_ipv6_op);
4308 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4315 __initcall(selinux_nf_ip_init);
4317 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4318 static void selinux_nf_ip_exit(void)
4320 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4322 nf_unregister_hook(&selinux_ipv4_op);
4323 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4324 nf_unregister_hook(&selinux_ipv6_op);
4329 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4331 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4332 #define selinux_nf_ip_exit()
4335 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4337 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4338 int selinux_disable(void)
4340 extern void exit_sel_fs(void);
4341 static int selinux_disabled = 0;
4343 if (ss_initialized) {
4344 /* Not permitted after initial policy load. */
4348 if (selinux_disabled) {
4349 /* Only do this once. */
4353 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4355 selinux_disabled = 1;
4357 /* Reset security_ops to the secondary module, dummy or capability. */
4358 security_ops = secondary_ops;
4360 /* Unregister netfilter hooks. */
4361 selinux_nf_ip_exit();
4363 /* Unregister selinuxfs. */
git://git.onelab.eu / linux-2.6.git / blob