2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
103 static int __init enforcing_setup(char *str)
105 unsigned long enforcing;
106 if (!kstrtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
110 __setup("enforcing=", enforcing_setup);
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116 static int __init selinux_enabled_setup(char *str)
118 unsigned long enabled;
119 if (!kstrtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
123 __setup("selinux=", selinux_enabled_setup);
125 int selinux_enabled = 1;
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
142 static int selinux_secmark_enabled(void)
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
157 static int selinux_peerlbl_enabled(void)
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162 static int selinux_netcache_avc_callback(u32 event)
164 if (event == AVC_CALLBACK_RESET) {
174 * initialise the security for the init task
176 static void cred_init_security(void)
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
183 panic("SELinux: Failed to initialize initial task.\n");
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
190 * get the security ID of a set of credentials
192 static inline u32 cred_sid(const struct cred *cred)
194 const struct task_security_struct *tsec;
196 tsec = cred->security;
201 * get the objective security ID of a task
203 static inline u32 task_sid(const struct task_struct *task)
208 sid = cred_sid(__task_cred(task));
214 * get the subjective security ID of the current task
216 static inline u32 current_sid(void)
218 const struct task_security_struct *tsec = current_security();
223 /* Allocate and free functions for each kind of security blob. */
225 static int inode_alloc_security(struct inode *inode)
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
234 mutex_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 inode->i_security = isec;
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
254 static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
258 struct inode_security_struct *isec = inode->i_security;
260 might_sleep_if(may_sleep);
262 if (isec->initialized == LABEL_INVALID) {
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
271 inode_doinit_with_dentry(inode, opt_dentry);
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
278 return inode->i_security;
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
285 error = __inode_security_revalidate(inode, NULL, !rcu);
287 return ERR_PTR(error);
288 return inode->i_security;
292 * Get the security label of an inode.
294 static struct inode_security_struct *inode_security(struct inode *inode)
296 __inode_security_revalidate(inode, NULL, true);
297 return inode->i_security;
301 * Get the security label of a dentry's backing inode.
303 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
305 struct inode *inode = d_backing_inode(dentry);
307 __inode_security_revalidate(inode, dentry, true);
308 return inode->i_security;
311 static void inode_free_rcu(struct rcu_head *head)
313 struct inode_security_struct *isec;
315 isec = container_of(head, struct inode_security_struct, rcu);
316 kmem_cache_free(sel_inode_cache, isec);
319 static void inode_free_security(struct inode *inode)
321 struct inode_security_struct *isec = inode->i_security;
322 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
325 * As not all inode security structures are in a list, we check for
326 * empty list outside of the lock to make sure that we won't waste
327 * time taking a lock doing nothing.
329 * The list_del_init() function can be safely called more than once.
330 * It should not be possible for this function to be called with
331 * concurrent list_add(), but for better safety against future changes
332 * in the code, we use list_empty_careful() here.
334 if (!list_empty_careful(&isec->list)) {
335 spin_lock(&sbsec->isec_lock);
336 list_del_init(&isec->list);
337 spin_unlock(&sbsec->isec_lock);
341 * The inode may still be referenced in a path walk and
342 * a call to selinux_inode_permission() can be made
343 * after inode_free_security() is called. Ideally, the VFS
344 * wouldn't do this, but fixing that is a much harder
345 * job. For now, simply free the i_security via RCU, and
346 * leave the current inode->i_security pointer intact.
347 * The inode will be freed after the RCU grace period too.
349 call_rcu(&isec->rcu, inode_free_rcu);
352 static int file_alloc_security(struct file *file)
354 struct file_security_struct *fsec;
355 u32 sid = current_sid();
357 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
362 fsec->fown_sid = sid;
363 file->f_security = fsec;
368 static void file_free_security(struct file *file)
370 struct file_security_struct *fsec = file->f_security;
371 file->f_security = NULL;
372 kmem_cache_free(file_security_cache, fsec);
375 static int superblock_alloc_security(struct super_block *sb)
377 struct superblock_security_struct *sbsec;
379 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
383 mutex_init(&sbsec->lock);
384 INIT_LIST_HEAD(&sbsec->isec_head);
385 spin_lock_init(&sbsec->isec_lock);
387 sbsec->sid = SECINITSID_UNLABELED;
388 sbsec->def_sid = SECINITSID_FILE;
389 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
390 sb->s_security = sbsec;
395 static void superblock_free_security(struct super_block *sb)
397 struct superblock_security_struct *sbsec = sb->s_security;
398 sb->s_security = NULL;
402 /* The file system's label must be initialized prior to use. */
404 static const char *labeling_behaviors[7] = {
406 "uses transition SIDs",
408 "uses genfs_contexts",
409 "not configured for labeling",
410 "uses mountpoint labeling",
411 "uses native labeling",
414 static inline int inode_doinit(struct inode *inode)
416 return inode_doinit_with_dentry(inode, NULL);
425 Opt_labelsupport = 5,
429 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
431 static const match_table_t tokens = {
432 {Opt_context, CONTEXT_STR "%s"},
433 {Opt_fscontext, FSCONTEXT_STR "%s"},
434 {Opt_defcontext, DEFCONTEXT_STR "%s"},
435 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
436 {Opt_labelsupport, LABELSUPP_STR},
440 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
442 static int may_context_mount_sb_relabel(u32 sid,
443 struct superblock_security_struct *sbsec,
444 const struct cred *cred)
446 const struct task_security_struct *tsec = cred->security;
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL);
454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELTO, NULL);
459 static int may_context_mount_inode_relabel(u32 sid,
460 struct superblock_security_struct *sbsec,
461 const struct cred *cred)
463 const struct task_security_struct *tsec = cred->security;
465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 FILESYSTEM__RELABELFROM, NULL);
470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 FILESYSTEM__ASSOCIATE, NULL);
475 static int selinux_is_sblabel_mnt(struct super_block *sb)
477 struct superblock_security_struct *sbsec = sb->s_security;
479 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
480 sbsec->behavior == SECURITY_FS_USE_TRANS ||
481 sbsec->behavior == SECURITY_FS_USE_TASK ||
482 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
483 /* Special handling. Genfs but also in-core setxattr handler */
484 !strcmp(sb->s_type->name, "sysfs") ||
485 !strcmp(sb->s_type->name, "pstore") ||
486 !strcmp(sb->s_type->name, "debugfs") ||
487 !strcmp(sb->s_type->name, "rootfs");
490 static int sb_finish_set_opts(struct super_block *sb)
492 struct superblock_security_struct *sbsec = sb->s_security;
493 struct dentry *root = sb->s_root;
494 struct inode *root_inode = d_backing_inode(root);
497 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
498 /* Make sure that the xattr handler exists and that no
499 error other than -ENODATA is returned by getxattr on
500 the root directory. -ENODATA is ok, as this may be
501 the first boot of the SELinux kernel before we have
502 assigned xattr values to the filesystem. */
503 if (!root_inode->i_op->getxattr) {
504 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
505 "xattr support\n", sb->s_id, sb->s_type->name);
509 rc = root_inode->i_op->getxattr(root, root_inode,
510 XATTR_NAME_SELINUX, NULL, 0);
511 if (rc < 0 && rc != -ENODATA) {
512 if (rc == -EOPNOTSUPP)
513 printk(KERN_WARNING "SELinux: (dev %s, type "
514 "%s) has no security xattr handler\n",
515 sb->s_id, sb->s_type->name);
517 printk(KERN_WARNING "SELinux: (dev %s, type "
518 "%s) getxattr errno %d\n", sb->s_id,
519 sb->s_type->name, -rc);
524 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
525 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
526 sb->s_id, sb->s_type->name);
528 sbsec->flags |= SE_SBINITIALIZED;
529 if (selinux_is_sblabel_mnt(sb))
530 sbsec->flags |= SBLABEL_MNT;
532 /* Initialize the root inode. */
533 rc = inode_doinit_with_dentry(root_inode, root);
535 /* Initialize any other inodes associated with the superblock, e.g.
536 inodes created prior to initial policy load or inodes created
537 during get_sb by a pseudo filesystem that directly
539 spin_lock(&sbsec->isec_lock);
541 if (!list_empty(&sbsec->isec_head)) {
542 struct inode_security_struct *isec =
543 list_entry(sbsec->isec_head.next,
544 struct inode_security_struct, list);
545 struct inode *inode = isec->inode;
546 list_del_init(&isec->list);
547 spin_unlock(&sbsec->isec_lock);
548 inode = igrab(inode);
550 if (!IS_PRIVATE(inode))
554 spin_lock(&sbsec->isec_lock);
557 spin_unlock(&sbsec->isec_lock);
563 * This function should allow an FS to ask what it's mount security
564 * options were so it can use those later for submounts, displaying
565 * mount options, or whatever.
567 static int selinux_get_mnt_opts(const struct super_block *sb,
568 struct security_mnt_opts *opts)
571 struct superblock_security_struct *sbsec = sb->s_security;
572 char *context = NULL;
576 security_init_mnt_opts(opts);
578 if (!(sbsec->flags & SE_SBINITIALIZED))
584 /* make sure we always check enough bits to cover the mask */
585 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
587 tmp = sbsec->flags & SE_MNTMASK;
588 /* count the number of mount options for this sb */
589 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
591 opts->num_mnt_opts++;
594 /* Check if the Label support flag is set */
595 if (sbsec->flags & SBLABEL_MNT)
596 opts->num_mnt_opts++;
598 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
599 if (!opts->mnt_opts) {
604 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
605 if (!opts->mnt_opts_flags) {
611 if (sbsec->flags & FSCONTEXT_MNT) {
612 rc = security_sid_to_context(sbsec->sid, &context, &len);
615 opts->mnt_opts[i] = context;
616 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
618 if (sbsec->flags & CONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
625 if (sbsec->flags & DEFCONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
632 if (sbsec->flags & ROOTCONTEXT_MNT) {
633 struct dentry *root = sbsec->sb->s_root;
634 struct inode_security_struct *isec = backing_inode_security(root);
636 rc = security_sid_to_context(isec->sid, &context, &len);
639 opts->mnt_opts[i] = context;
640 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
642 if (sbsec->flags & SBLABEL_MNT) {
643 opts->mnt_opts[i] = NULL;
644 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
647 BUG_ON(i != opts->num_mnt_opts);
652 security_free_mnt_opts(opts);
656 static int bad_option(struct superblock_security_struct *sbsec, char flag,
657 u32 old_sid, u32 new_sid)
659 char mnt_flags = sbsec->flags & SE_MNTMASK;
661 /* check if the old mount command had the same options */
662 if (sbsec->flags & SE_SBINITIALIZED)
663 if (!(sbsec->flags & flag) ||
664 (old_sid != new_sid))
667 /* check if we were passed the same options twice,
668 * aka someone passed context=a,context=b
670 if (!(sbsec->flags & SE_SBINITIALIZED))
671 if (mnt_flags & flag)
677 * Allow filesystems with binary mount data to explicitly set mount point
678 * labeling information.
680 static int selinux_set_mnt_opts(struct super_block *sb,
681 struct security_mnt_opts *opts,
682 unsigned long kern_flags,
683 unsigned long *set_kern_flags)
685 const struct cred *cred = current_cred();
687 struct superblock_security_struct *sbsec = sb->s_security;
688 const char *name = sb->s_type->name;
689 struct dentry *root = sbsec->sb->s_root;
690 struct inode_security_struct *root_isec = backing_inode_security(root);
691 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
692 u32 defcontext_sid = 0;
693 char **mount_options = opts->mnt_opts;
694 int *flags = opts->mnt_opts_flags;
695 int num_opts = opts->num_mnt_opts;
697 mutex_lock(&sbsec->lock);
699 if (!ss_initialized) {
701 /* Defer initialization until selinux_complete_init,
702 after the initial policy is loaded and the security
703 server is ready to handle calls. */
707 printk(KERN_WARNING "SELinux: Unable to set superblock options "
708 "before the security server is initialized\n");
711 if (kern_flags && !set_kern_flags) {
712 /* Specifying internal flags without providing a place to
713 * place the results is not allowed */
719 * Binary mount data FS will come through this function twice. Once
720 * from an explicit call and once from the generic calls from the vfs.
721 * Since the generic VFS calls will not contain any security mount data
722 * we need to skip the double mount verification.
724 * This does open a hole in which we will not notice if the first
725 * mount using this sb set explict options and a second mount using
726 * this sb does not set any security options. (The first options
727 * will be used for both mounts)
729 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
734 * parse the mount options, check if they are valid sids.
735 * also check if someone is trying to mount the same sb more
736 * than once with different security options.
738 for (i = 0; i < num_opts; i++) {
741 if (flags[i] == SBLABEL_MNT)
743 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
745 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
746 "(%s) failed for (dev %s, type %s) errno=%d\n",
747 mount_options[i], sb->s_id, name, rc);
754 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
756 goto out_double_mount;
758 sbsec->flags |= FSCONTEXT_MNT;
763 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
765 goto out_double_mount;
767 sbsec->flags |= CONTEXT_MNT;
769 case ROOTCONTEXT_MNT:
770 rootcontext_sid = sid;
772 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
774 goto out_double_mount;
776 sbsec->flags |= ROOTCONTEXT_MNT;
780 defcontext_sid = sid;
782 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
784 goto out_double_mount;
786 sbsec->flags |= DEFCONTEXT_MNT;
795 if (sbsec->flags & SE_SBINITIALIZED) {
796 /* previously mounted with options, but not on this attempt? */
797 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
798 goto out_double_mount;
803 if (strcmp(sb->s_type->name, "proc") == 0)
804 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
806 if (!strcmp(sb->s_type->name, "debugfs") ||
807 !strcmp(sb->s_type->name, "sysfs") ||
808 !strcmp(sb->s_type->name, "pstore"))
809 sbsec->flags |= SE_SBGENFS;
811 if (!sbsec->behavior) {
813 * Determine the labeling behavior to use for this
816 rc = security_fs_use(sb);
819 "%s: security_fs_use(%s) returned %d\n",
820 __func__, sb->s_type->name, rc);
824 /* sets the context of the superblock for the fs being mounted. */
826 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
830 sbsec->sid = fscontext_sid;
834 * Switch to using mount point labeling behavior.
835 * sets the label used on all file below the mountpoint, and will set
836 * the superblock context if not already set.
838 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
839 sbsec->behavior = SECURITY_FS_USE_NATIVE;
840 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
844 if (!fscontext_sid) {
845 rc = may_context_mount_sb_relabel(context_sid, sbsec,
849 sbsec->sid = context_sid;
851 rc = may_context_mount_inode_relabel(context_sid, sbsec,
856 if (!rootcontext_sid)
857 rootcontext_sid = context_sid;
859 sbsec->mntpoint_sid = context_sid;
860 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
863 if (rootcontext_sid) {
864 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
869 root_isec->sid = rootcontext_sid;
870 root_isec->initialized = LABEL_INITIALIZED;
873 if (defcontext_sid) {
874 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
875 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
877 printk(KERN_WARNING "SELinux: defcontext option is "
878 "invalid for this filesystem type\n");
882 if (defcontext_sid != sbsec->def_sid) {
883 rc = may_context_mount_inode_relabel(defcontext_sid,
889 sbsec->def_sid = defcontext_sid;
892 rc = sb_finish_set_opts(sb);
894 mutex_unlock(&sbsec->lock);
898 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
899 "security settings for (dev %s, type %s)\n", sb->s_id, name);
903 static int selinux_cmp_sb_context(const struct super_block *oldsb,
904 const struct super_block *newsb)
906 struct superblock_security_struct *old = oldsb->s_security;
907 struct superblock_security_struct *new = newsb->s_security;
908 char oldflags = old->flags & SE_MNTMASK;
909 char newflags = new->flags & SE_MNTMASK;
911 if (oldflags != newflags)
913 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
915 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
917 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
919 if (oldflags & ROOTCONTEXT_MNT) {
920 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
921 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
922 if (oldroot->sid != newroot->sid)
927 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
928 "different security settings for (dev %s, "
929 "type %s)\n", newsb->s_id, newsb->s_type->name);
933 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
934 struct super_block *newsb)
936 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
937 struct superblock_security_struct *newsbsec = newsb->s_security;
939 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
940 int set_context = (oldsbsec->flags & CONTEXT_MNT);
941 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
944 * if the parent was able to be mounted it clearly had no special lsm
945 * mount options. thus we can safely deal with this superblock later
950 /* how can we clone if the old one wasn't set up?? */
951 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
953 /* if fs is reusing a sb, make sure that the contexts match */
954 if (newsbsec->flags & SE_SBINITIALIZED)
955 return selinux_cmp_sb_context(oldsb, newsb);
957 mutex_lock(&newsbsec->lock);
959 newsbsec->flags = oldsbsec->flags;
961 newsbsec->sid = oldsbsec->sid;
962 newsbsec->def_sid = oldsbsec->def_sid;
963 newsbsec->behavior = oldsbsec->behavior;
966 u32 sid = oldsbsec->mntpoint_sid;
970 if (!set_rootcontext) {
971 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
974 newsbsec->mntpoint_sid = sid;
976 if (set_rootcontext) {
977 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
978 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
980 newisec->sid = oldisec->sid;
983 sb_finish_set_opts(newsb);
984 mutex_unlock(&newsbsec->lock);
988 static int selinux_parse_opts_str(char *options,
989 struct security_mnt_opts *opts)
992 char *context = NULL, *defcontext = NULL;
993 char *fscontext = NULL, *rootcontext = NULL;
994 int rc, num_mnt_opts = 0;
996 opts->num_mnt_opts = 0;
998 /* Standard string-based options. */
999 while ((p = strsep(&options, "|")) != NULL) {
1001 substring_t args[MAX_OPT_ARGS];
1006 token = match_token(p, tokens, args);
1010 if (context || defcontext) {
1012 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1015 context = match_strdup(&args[0]);
1025 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1028 fscontext = match_strdup(&args[0]);
1035 case Opt_rootcontext:
1038 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1041 rootcontext = match_strdup(&args[0]);
1048 case Opt_defcontext:
1049 if (context || defcontext) {
1051 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1054 defcontext = match_strdup(&args[0]);
1060 case Opt_labelsupport:
1064 printk(KERN_WARNING "SELinux: unknown mount option\n");
1071 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1072 if (!opts->mnt_opts)
1075 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1076 if (!opts->mnt_opts_flags) {
1077 kfree(opts->mnt_opts);
1082 opts->mnt_opts[num_mnt_opts] = fscontext;
1083 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1086 opts->mnt_opts[num_mnt_opts] = context;
1087 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1090 opts->mnt_opts[num_mnt_opts] = rootcontext;
1091 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1094 opts->mnt_opts[num_mnt_opts] = defcontext;
1095 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1098 opts->num_mnt_opts = num_mnt_opts;
1109 * string mount options parsing and call set the sbsec
1111 static int superblock_doinit(struct super_block *sb, void *data)
1114 char *options = data;
1115 struct security_mnt_opts opts;
1117 security_init_mnt_opts(&opts);
1122 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1124 rc = selinux_parse_opts_str(options, &opts);
1129 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1132 security_free_mnt_opts(&opts);
1136 static void selinux_write_opts(struct seq_file *m,
1137 struct security_mnt_opts *opts)
1142 for (i = 0; i < opts->num_mnt_opts; i++) {
1145 if (opts->mnt_opts[i])
1146 has_comma = strchr(opts->mnt_opts[i], ',');
1150 switch (opts->mnt_opts_flags[i]) {
1152 prefix = CONTEXT_STR;
1155 prefix = FSCONTEXT_STR;
1157 case ROOTCONTEXT_MNT:
1158 prefix = ROOTCONTEXT_STR;
1160 case DEFCONTEXT_MNT:
1161 prefix = DEFCONTEXT_STR;
1165 seq_puts(m, LABELSUPP_STR);
1171 /* we need a comma before each option */
1173 seq_puts(m, prefix);
1176 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1182 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1184 struct security_mnt_opts opts;
1187 rc = selinux_get_mnt_opts(sb, &opts);
1189 /* before policy load we may get EINVAL, don't show anything */
1195 selinux_write_opts(m, &opts);
1197 security_free_mnt_opts(&opts);
1202 static inline u16 inode_mode_to_security_class(umode_t mode)
1204 switch (mode & S_IFMT) {
1206 return SECCLASS_SOCK_FILE;
1208 return SECCLASS_LNK_FILE;
1210 return SECCLASS_FILE;
1212 return SECCLASS_BLK_FILE;
1214 return SECCLASS_DIR;
1216 return SECCLASS_CHR_FILE;
1218 return SECCLASS_FIFO_FILE;
1222 return SECCLASS_FILE;
1225 static inline int default_protocol_stream(int protocol)
1227 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1230 static inline int default_protocol_dgram(int protocol)
1232 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1235 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1241 case SOCK_SEQPACKET:
1242 return SECCLASS_UNIX_STREAM_SOCKET;
1244 return SECCLASS_UNIX_DGRAM_SOCKET;
1251 if (default_protocol_stream(protocol))
1252 return SECCLASS_TCP_SOCKET;
1254 return SECCLASS_RAWIP_SOCKET;
1256 if (default_protocol_dgram(protocol))
1257 return SECCLASS_UDP_SOCKET;
1259 return SECCLASS_RAWIP_SOCKET;
1261 return SECCLASS_DCCP_SOCKET;
1263 return SECCLASS_RAWIP_SOCKET;
1269 return SECCLASS_NETLINK_ROUTE_SOCKET;
1270 case NETLINK_SOCK_DIAG:
1271 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1273 return SECCLASS_NETLINK_NFLOG_SOCKET;
1275 return SECCLASS_NETLINK_XFRM_SOCKET;
1276 case NETLINK_SELINUX:
1277 return SECCLASS_NETLINK_SELINUX_SOCKET;
1279 return SECCLASS_NETLINK_ISCSI_SOCKET;
1281 return SECCLASS_NETLINK_AUDIT_SOCKET;
1282 case NETLINK_FIB_LOOKUP:
1283 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1284 case NETLINK_CONNECTOR:
1285 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1286 case NETLINK_NETFILTER:
1287 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1288 case NETLINK_DNRTMSG:
1289 return SECCLASS_NETLINK_DNRT_SOCKET;
1290 case NETLINK_KOBJECT_UEVENT:
1291 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1292 case NETLINK_GENERIC:
1293 return SECCLASS_NETLINK_GENERIC_SOCKET;
1294 case NETLINK_SCSITRANSPORT:
1295 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1297 return SECCLASS_NETLINK_RDMA_SOCKET;
1298 case NETLINK_CRYPTO:
1299 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1301 return SECCLASS_NETLINK_SOCKET;
1304 return SECCLASS_PACKET_SOCKET;
1306 return SECCLASS_KEY_SOCKET;
1308 return SECCLASS_APPLETALK_SOCKET;
1311 return SECCLASS_SOCKET;
1314 static int selinux_genfs_get_sid(struct dentry *dentry,
1320 struct super_block *sb = dentry->d_sb;
1321 char *buffer, *path;
1323 buffer = (char *)__get_free_page(GFP_KERNEL);
1327 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1331 if (flags & SE_SBPROC) {
1332 /* each process gets a /proc/PID/ entry. Strip off the
1333 * PID part to get a valid selinux labeling.
1334 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1335 while (path[1] >= '0' && path[1] <= '9') {
1340 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1342 free_page((unsigned long)buffer);
1346 /* The inode's security attributes must be initialized before first use. */
1347 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1349 struct superblock_security_struct *sbsec = NULL;
1350 struct inode_security_struct *isec = inode->i_security;
1352 struct dentry *dentry;
1353 #define INITCONTEXTLEN 255
1354 char *context = NULL;
1358 if (isec->initialized == LABEL_INITIALIZED)
1361 mutex_lock(&isec->lock);
1362 if (isec->initialized == LABEL_INITIALIZED)
1365 sbsec = inode->i_sb->s_security;
1366 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1367 /* Defer initialization until selinux_complete_init,
1368 after the initial policy is loaded and the security
1369 server is ready to handle calls. */
1370 spin_lock(&sbsec->isec_lock);
1371 if (list_empty(&isec->list))
1372 list_add(&isec->list, &sbsec->isec_head);
1373 spin_unlock(&sbsec->isec_lock);
1377 switch (sbsec->behavior) {
1378 case SECURITY_FS_USE_NATIVE:
1380 case SECURITY_FS_USE_XATTR:
1381 if (!inode->i_op->getxattr) {
1382 isec->sid = sbsec->def_sid;
1386 /* Need a dentry, since the xattr API requires one.
1387 Life would be simpler if we could just pass the inode. */
1389 /* Called from d_instantiate or d_splice_alias. */
1390 dentry = dget(opt_dentry);
1392 /* Called from selinux_complete_init, try to find a dentry. */
1393 dentry = d_find_alias(inode);
1397 * this is can be hit on boot when a file is accessed
1398 * before the policy is loaded. When we load policy we
1399 * may find inodes that have no dentry on the
1400 * sbsec->isec_head list. No reason to complain as these
1401 * will get fixed up the next time we go through
1402 * inode_doinit with a dentry, before these inodes could
1403 * be used again by userspace.
1408 len = INITCONTEXTLEN;
1409 context = kmalloc(len+1, GFP_NOFS);
1415 context[len] = '\0';
1416 rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1418 if (rc == -ERANGE) {
1421 /* Need a larger buffer. Query for the right size. */
1422 rc = inode->i_op->getxattr(dentry, inode, XATTR_NAME_SELINUX,
1429 context = kmalloc(len+1, GFP_NOFS);
1435 context[len] = '\0';
1436 rc = inode->i_op->getxattr(dentry, inode,
1442 if (rc != -ENODATA) {
1443 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1444 "%d for dev=%s ino=%ld\n", __func__,
1445 -rc, inode->i_sb->s_id, inode->i_ino);
1449 /* Map ENODATA to the default file SID */
1450 sid = sbsec->def_sid;
1453 rc = security_context_to_sid_default(context, rc, &sid,
1457 char *dev = inode->i_sb->s_id;
1458 unsigned long ino = inode->i_ino;
1460 if (rc == -EINVAL) {
1461 if (printk_ratelimit())
1462 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1463 "context=%s. This indicates you may need to relabel the inode or the "
1464 "filesystem in question.\n", ino, dev, context);
1466 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1467 "returned %d for dev=%s ino=%ld\n",
1468 __func__, context, -rc, dev, ino);
1471 /* Leave with the unlabeled SID */
1479 case SECURITY_FS_USE_TASK:
1480 isec->sid = isec->task_sid;
1482 case SECURITY_FS_USE_TRANS:
1483 /* Default to the fs SID. */
1484 isec->sid = sbsec->sid;
1486 /* Try to obtain a transition SID. */
1487 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1488 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1489 isec->sclass, NULL, &sid);
1494 case SECURITY_FS_USE_MNTPOINT:
1495 isec->sid = sbsec->mntpoint_sid;
1498 /* Default to the fs superblock SID. */
1499 isec->sid = sbsec->sid;
1501 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1502 /* We must have a dentry to determine the label on
1505 /* Called from d_instantiate or
1506 * d_splice_alias. */
1507 dentry = dget(opt_dentry);
1509 /* Called from selinux_complete_init, try to
1511 dentry = d_find_alias(inode);
1513 * This can be hit on boot when a file is accessed
1514 * before the policy is loaded. When we load policy we
1515 * may find inodes that have no dentry on the
1516 * sbsec->isec_head list. No reason to complain as
1517 * these will get fixed up the next time we go through
1518 * inode_doinit() with a dentry, before these inodes
1519 * could be used again by userspace.
1523 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1524 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1525 sbsec->flags, &sid);
1534 isec->initialized = LABEL_INITIALIZED;
1537 mutex_unlock(&isec->lock);
1539 if (isec->sclass == SECCLASS_FILE)
1540 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1544 /* Convert a Linux signal to an access vector. */
1545 static inline u32 signal_to_av(int sig)
1551 /* Commonly granted from child to parent. */
1552 perm = PROCESS__SIGCHLD;
1555 /* Cannot be caught or ignored */
1556 perm = PROCESS__SIGKILL;
1559 /* Cannot be caught or ignored */
1560 perm = PROCESS__SIGSTOP;
1563 /* All other signals. */
1564 perm = PROCESS__SIGNAL;
1572 * Check permission between a pair of credentials
1573 * fork check, ptrace check, etc.
1575 static int cred_has_perm(const struct cred *actor,
1576 const struct cred *target,
1579 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1581 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1585 * Check permission between a pair of tasks, e.g. signal checks,
1586 * fork check, ptrace check, etc.
1587 * tsk1 is the actor and tsk2 is the target
1588 * - this uses the default subjective creds of tsk1
1590 static int task_has_perm(const struct task_struct *tsk1,
1591 const struct task_struct *tsk2,
1594 const struct task_security_struct *__tsec1, *__tsec2;
1598 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1599 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1601 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1605 * Check permission between current and another task, e.g. signal checks,
1606 * fork check, ptrace check, etc.
1607 * current is the actor and tsk2 is the target
1608 * - this uses current's subjective creds
1610 static int current_has_perm(const struct task_struct *tsk,
1615 sid = current_sid();
1616 tsid = task_sid(tsk);
1617 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1620 #if CAP_LAST_CAP > 63
1621 #error Fix SELinux to handle capabilities > 63.
1624 /* Check whether a task is allowed to use a capability. */
1625 static int cred_has_capability(const struct cred *cred,
1628 struct common_audit_data ad;
1629 struct av_decision avd;
1631 u32 sid = cred_sid(cred);
1632 u32 av = CAP_TO_MASK(cap);
1635 ad.type = LSM_AUDIT_DATA_CAP;
1638 switch (CAP_TO_INDEX(cap)) {
1640 sclass = SECCLASS_CAPABILITY;
1643 sclass = SECCLASS_CAPABILITY2;
1647 "SELinux: out of range capability %d\n", cap);
1652 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1653 if (audit == SECURITY_CAP_AUDIT) {
1654 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1661 /* Check whether a task is allowed to use a system operation. */
1662 static int task_has_system(struct task_struct *tsk,
1665 u32 sid = task_sid(tsk);
1667 return avc_has_perm(sid, SECINITSID_KERNEL,
1668 SECCLASS_SYSTEM, perms, NULL);
1671 /* Check whether a task has a particular permission to an inode.
1672 The 'adp' parameter is optional and allows other audit
1673 data to be passed (e.g. the dentry). */
1674 static int inode_has_perm(const struct cred *cred,
1675 struct inode *inode,
1677 struct common_audit_data *adp)
1679 struct inode_security_struct *isec;
1682 validate_creds(cred);
1684 if (unlikely(IS_PRIVATE(inode)))
1687 sid = cred_sid(cred);
1688 isec = inode->i_security;
1690 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1693 /* Same as inode_has_perm, but pass explicit audit data containing
1694 the dentry to help the auditing code to more easily generate the
1695 pathname if needed. */
1696 static inline int dentry_has_perm(const struct cred *cred,
1697 struct dentry *dentry,
1700 struct inode *inode = d_backing_inode(dentry);
1701 struct common_audit_data ad;
1703 ad.type = LSM_AUDIT_DATA_DENTRY;
1704 ad.u.dentry = dentry;
1705 __inode_security_revalidate(inode, dentry, true);
1706 return inode_has_perm(cred, inode, av, &ad);
1709 /* Same as inode_has_perm, but pass explicit audit data containing
1710 the path to help the auditing code to more easily generate the
1711 pathname if needed. */
1712 static inline int path_has_perm(const struct cred *cred,
1713 const struct path *path,
1716 struct inode *inode = d_backing_inode(path->dentry);
1717 struct common_audit_data ad;
1719 ad.type = LSM_AUDIT_DATA_PATH;
1721 __inode_security_revalidate(inode, path->dentry, true);
1722 return inode_has_perm(cred, inode, av, &ad);
1725 /* Same as path_has_perm, but uses the inode from the file struct. */
1726 static inline int file_path_has_perm(const struct cred *cred,
1730 struct common_audit_data ad;
1732 ad.type = LSM_AUDIT_DATA_PATH;
1733 ad.u.path = file->f_path;
1734 return inode_has_perm(cred, file_inode(file), av, &ad);
1737 /* Check whether a task can use an open file descriptor to
1738 access an inode in a given way. Check access to the
1739 descriptor itself, and then use dentry_has_perm to
1740 check a particular permission to the file.
1741 Access to the descriptor is implicitly granted if it
1742 has the same SID as the process. If av is zero, then
1743 access to the file is not checked, e.g. for cases
1744 where only the descriptor is affected like seek. */
1745 static int file_has_perm(const struct cred *cred,
1749 struct file_security_struct *fsec = file->f_security;
1750 struct inode *inode = file_inode(file);
1751 struct common_audit_data ad;
1752 u32 sid = cred_sid(cred);
1755 ad.type = LSM_AUDIT_DATA_PATH;
1756 ad.u.path = file->f_path;
1758 if (sid != fsec->sid) {
1759 rc = avc_has_perm(sid, fsec->sid,
1767 /* av is zero if only checking access to the descriptor. */
1770 rc = inode_has_perm(cred, inode, av, &ad);
1777 * Determine the label for an inode that might be unioned.
1779 static int selinux_determine_inode_label(struct inode *dir,
1780 const struct qstr *name,
1784 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1785 const struct inode_security_struct *dsec = inode_security(dir);
1786 const struct task_security_struct *tsec = current_security();
1788 if ((sbsec->flags & SE_SBINITIALIZED) &&
1789 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1790 *_new_isid = sbsec->mntpoint_sid;
1791 } else if ((sbsec->flags & SBLABEL_MNT) &&
1793 *_new_isid = tsec->create_sid;
1795 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1802 /* Check whether a task can create a file. */
1803 static int may_create(struct inode *dir,
1804 struct dentry *dentry,
1807 const struct task_security_struct *tsec = current_security();
1808 struct inode_security_struct *dsec;
1809 struct superblock_security_struct *sbsec;
1811 struct common_audit_data ad;
1814 dsec = inode_security(dir);
1815 sbsec = dir->i_sb->s_security;
1819 ad.type = LSM_AUDIT_DATA_DENTRY;
1820 ad.u.dentry = dentry;
1822 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1823 DIR__ADD_NAME | DIR__SEARCH,
1828 rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
1833 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1837 return avc_has_perm(newsid, sbsec->sid,
1838 SECCLASS_FILESYSTEM,
1839 FILESYSTEM__ASSOCIATE, &ad);
1842 /* Check whether a task can create a key. */
1843 static int may_create_key(u32 ksid,
1844 struct task_struct *ctx)
1846 u32 sid = task_sid(ctx);
1848 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1852 #define MAY_UNLINK 1
1855 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1856 static int may_link(struct inode *dir,
1857 struct dentry *dentry,
1861 struct inode_security_struct *dsec, *isec;
1862 struct common_audit_data ad;
1863 u32 sid = current_sid();
1867 dsec = inode_security(dir);
1868 isec = backing_inode_security(dentry);
1870 ad.type = LSM_AUDIT_DATA_DENTRY;
1871 ad.u.dentry = dentry;
1874 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1875 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1890 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1895 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1899 static inline int may_rename(struct inode *old_dir,
1900 struct dentry *old_dentry,
1901 struct inode *new_dir,
1902 struct dentry *new_dentry)
1904 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1905 struct common_audit_data ad;
1906 u32 sid = current_sid();
1908 int old_is_dir, new_is_dir;
1911 old_dsec = inode_security(old_dir);
1912 old_isec = backing_inode_security(old_dentry);
1913 old_is_dir = d_is_dir(old_dentry);
1914 new_dsec = inode_security(new_dir);
1916 ad.type = LSM_AUDIT_DATA_DENTRY;
1918 ad.u.dentry = old_dentry;
1919 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1920 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1923 rc = avc_has_perm(sid, old_isec->sid,
1924 old_isec->sclass, FILE__RENAME, &ad);
1927 if (old_is_dir && new_dir != old_dir) {
1928 rc = avc_has_perm(sid, old_isec->sid,
1929 old_isec->sclass, DIR__REPARENT, &ad);
1934 ad.u.dentry = new_dentry;
1935 av = DIR__ADD_NAME | DIR__SEARCH;
1936 if (d_is_positive(new_dentry))
1937 av |= DIR__REMOVE_NAME;
1938 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1941 if (d_is_positive(new_dentry)) {
1942 new_isec = backing_inode_security(new_dentry);
1943 new_is_dir = d_is_dir(new_dentry);
1944 rc = avc_has_perm(sid, new_isec->sid,
1946 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1954 /* Check whether a task can perform a filesystem operation. */
1955 static int superblock_has_perm(const struct cred *cred,
1956 struct super_block *sb,
1958 struct common_audit_data *ad)
1960 struct superblock_security_struct *sbsec;
1961 u32 sid = cred_sid(cred);
1963 sbsec = sb->s_security;
1964 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1967 /* Convert a Linux mode and permission mask to an access vector. */
1968 static inline u32 file_mask_to_av(int mode, int mask)
1972 if (!S_ISDIR(mode)) {
1973 if (mask & MAY_EXEC)
1974 av |= FILE__EXECUTE;
1975 if (mask & MAY_READ)
1978 if (mask & MAY_APPEND)
1980 else if (mask & MAY_WRITE)
1984 if (mask & MAY_EXEC)
1986 if (mask & MAY_WRITE)
1988 if (mask & MAY_READ)
1995 /* Convert a Linux file to an access vector. */
1996 static inline u32 file_to_av(struct file *file)
2000 if (file->f_mode & FMODE_READ)
2002 if (file->f_mode & FMODE_WRITE) {
2003 if (file->f_flags & O_APPEND)
2010 * Special file opened with flags 3 for ioctl-only use.
2019 * Convert a file to an access vector and include the correct open
2022 static inline u32 open_file_to_av(struct file *file)
2024 u32 av = file_to_av(file);
2026 if (selinux_policycap_openperm)
2032 /* Hook functions begin here. */
2034 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2036 u32 mysid = current_sid();
2037 u32 mgrsid = task_sid(mgr);
2039 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2040 BINDER__SET_CONTEXT_MGR, NULL);
2043 static int selinux_binder_transaction(struct task_struct *from,
2044 struct task_struct *to)
2046 u32 mysid = current_sid();
2047 u32 fromsid = task_sid(from);
2048 u32 tosid = task_sid(to);
2051 if (mysid != fromsid) {
2052 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2053 BINDER__IMPERSONATE, NULL);
2058 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2062 static int selinux_binder_transfer_binder(struct task_struct *from,
2063 struct task_struct *to)
2065 u32 fromsid = task_sid(from);
2066 u32 tosid = task_sid(to);
2068 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2072 static int selinux_binder_transfer_file(struct task_struct *from,
2073 struct task_struct *to,
2076 u32 sid = task_sid(to);
2077 struct file_security_struct *fsec = file->f_security;
2078 struct dentry *dentry = file->f_path.dentry;
2079 struct inode_security_struct *isec = backing_inode_security(dentry);
2080 struct common_audit_data ad;
2083 ad.type = LSM_AUDIT_DATA_PATH;
2084 ad.u.path = file->f_path;
2086 if (sid != fsec->sid) {
2087 rc = avc_has_perm(sid, fsec->sid,
2095 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2098 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2102 static int selinux_ptrace_access_check(struct task_struct *child,
2105 if (mode & PTRACE_MODE_READ) {
2106 u32 sid = current_sid();
2107 u32 csid = task_sid(child);
2108 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2111 return current_has_perm(child, PROCESS__PTRACE);
2114 static int selinux_ptrace_traceme(struct task_struct *parent)
2116 return task_has_perm(parent, current, PROCESS__PTRACE);
2119 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2120 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2122 return current_has_perm(target, PROCESS__GETCAP);
2125 static int selinux_capset(struct cred *new, const struct cred *old,
2126 const kernel_cap_t *effective,
2127 const kernel_cap_t *inheritable,
2128 const kernel_cap_t *permitted)
2130 return cred_has_perm(old, new, PROCESS__SETCAP);
2134 * (This comment used to live with the selinux_task_setuid hook,
2135 * which was removed).
2137 * Since setuid only affects the current process, and since the SELinux
2138 * controls are not based on the Linux identity attributes, SELinux does not
2139 * need to control this operation. However, SELinux does control the use of
2140 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2143 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2146 return cred_has_capability(cred, cap, audit);
2149 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2151 const struct cred *cred = current_cred();
2163 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2168 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2171 rc = 0; /* let the kernel handle invalid cmds */
2177 static int selinux_quota_on(struct dentry *dentry)
2179 const struct cred *cred = current_cred();
2181 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2184 static int selinux_syslog(int type)
2189 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2190 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2191 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2193 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2194 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2195 /* Set level of messages printed to console */
2196 case SYSLOG_ACTION_CONSOLE_LEVEL:
2197 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2199 case SYSLOG_ACTION_CLOSE: /* Close log */
2200 case SYSLOG_ACTION_OPEN: /* Open log */
2201 case SYSLOG_ACTION_READ: /* Read from log */
2202 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2203 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2205 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2212 * Check that a process has enough memory to allocate a new virtual
2213 * mapping. 0 means there is enough memory for the allocation to
2214 * succeed and -ENOMEM implies there is not.
2216 * Do not audit the selinux permission check, as this is applied to all
2217 * processes that allocate mappings.
2219 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2221 int rc, cap_sys_admin = 0;
2223 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2224 SECURITY_CAP_NOAUDIT);
2228 return cap_sys_admin;
2231 /* binprm security operations */
2233 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2234 const struct task_security_struct *old_tsec,
2235 const struct task_security_struct *new_tsec)
2237 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2238 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2241 if (!nnp && !nosuid)
2242 return 0; /* neither NNP nor nosuid */
2244 if (new_tsec->sid == old_tsec->sid)
2245 return 0; /* No change in credentials */
2248 * The only transitions we permit under NNP or nosuid
2249 * are transitions to bounded SIDs, i.e. SIDs that are
2250 * guaranteed to only be allowed a subset of the permissions
2251 * of the current SID.
2253 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2256 * On failure, preserve the errno values for NNP vs nosuid.
2257 * NNP: Operation not permitted for caller.
2258 * nosuid: Permission denied to file.
2268 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2270 const struct task_security_struct *old_tsec;
2271 struct task_security_struct *new_tsec;
2272 struct inode_security_struct *isec;
2273 struct common_audit_data ad;
2274 struct inode *inode = file_inode(bprm->file);
2277 /* SELinux context only depends on initial program or script and not
2278 * the script interpreter */
2279 if (bprm->cred_prepared)
2282 old_tsec = current_security();
2283 new_tsec = bprm->cred->security;
2284 isec = inode_security(inode);
2286 /* Default to the current task SID. */
2287 new_tsec->sid = old_tsec->sid;
2288 new_tsec->osid = old_tsec->sid;
2290 /* Reset fs, key, and sock SIDs on execve. */
2291 new_tsec->create_sid = 0;
2292 new_tsec->keycreate_sid = 0;
2293 new_tsec->sockcreate_sid = 0;
2295 if (old_tsec->exec_sid) {
2296 new_tsec->sid = old_tsec->exec_sid;
2297 /* Reset exec SID on execve. */
2298 new_tsec->exec_sid = 0;
2300 /* Fail on NNP or nosuid if not an allowed transition. */
2301 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2305 /* Check for a default transition on this program. */
2306 rc = security_transition_sid(old_tsec->sid, isec->sid,
2307 SECCLASS_PROCESS, NULL,
2313 * Fallback to old SID on NNP or nosuid if not an allowed
2316 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2318 new_tsec->sid = old_tsec->sid;
2321 ad.type = LSM_AUDIT_DATA_PATH;
2322 ad.u.path = bprm->file->f_path;
2324 if (new_tsec->sid == old_tsec->sid) {
2325 rc = avc_has_perm(old_tsec->sid, isec->sid,
2326 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2330 /* Check permissions for the transition. */
2331 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2332 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2336 rc = avc_has_perm(new_tsec->sid, isec->sid,
2337 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2341 /* Check for shared state */
2342 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2343 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2344 SECCLASS_PROCESS, PROCESS__SHARE,
2350 /* Make sure that anyone attempting to ptrace over a task that
2351 * changes its SID has the appropriate permit */
2353 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2354 struct task_struct *tracer;
2355 struct task_security_struct *sec;
2359 tracer = ptrace_parent(current);
2360 if (likely(tracer != NULL)) {
2361 sec = __task_cred(tracer)->security;
2367 rc = avc_has_perm(ptsid, new_tsec->sid,
2369 PROCESS__PTRACE, NULL);
2375 /* Clear any possibly unsafe personality bits on exec: */
2376 bprm->per_clear |= PER_CLEAR_ON_SETID;
2382 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2384 const struct task_security_struct *tsec = current_security();
2392 /* Enable secure mode for SIDs transitions unless
2393 the noatsecure permission is granted between
2394 the two SIDs, i.e. ahp returns 0. */
2395 atsecure = avc_has_perm(osid, sid,
2397 PROCESS__NOATSECURE, NULL);
2403 static int match_file(const void *p, struct file *file, unsigned fd)
2405 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2408 /* Derived from fs/exec.c:flush_old_files. */
2409 static inline void flush_unauthorized_files(const struct cred *cred,
2410 struct files_struct *files)
2412 struct file *file, *devnull = NULL;
2413 struct tty_struct *tty;
2417 tty = get_current_tty();
2419 spin_lock(&tty->files_lock);
2420 if (!list_empty(&tty->tty_files)) {
2421 struct tty_file_private *file_priv;
2423 /* Revalidate access to controlling tty.
2424 Use file_path_has_perm on the tty path directly
2425 rather than using file_has_perm, as this particular
2426 open file may belong to another process and we are
2427 only interested in the inode-based check here. */
2428 file_priv = list_first_entry(&tty->tty_files,
2429 struct tty_file_private, list);
2430 file = file_priv->file;
2431 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2434 spin_unlock(&tty->files_lock);
2437 /* Reset controlling tty. */
2441 /* Revalidate access to inherited open files. */
2442 n = iterate_fd(files, 0, match_file, cred);
2443 if (!n) /* none found? */
2446 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2447 if (IS_ERR(devnull))
2449 /* replace all the matching ones with this */
2451 replace_fd(n - 1, devnull, 0);
2452 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2458 * Prepare a process for imminent new credential changes due to exec
2460 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2462 struct task_security_struct *new_tsec;
2463 struct rlimit *rlim, *initrlim;
2466 new_tsec = bprm->cred->security;
2467 if (new_tsec->sid == new_tsec->osid)
2470 /* Close files for which the new task SID is not authorized. */
2471 flush_unauthorized_files(bprm->cred, current->files);
2473 /* Always clear parent death signal on SID transitions. */
2474 current->pdeath_signal = 0;
2476 /* Check whether the new SID can inherit resource limits from the old
2477 * SID. If not, reset all soft limits to the lower of the current
2478 * task's hard limit and the init task's soft limit.
2480 * Note that the setting of hard limits (even to lower them) can be
2481 * controlled by the setrlimit check. The inclusion of the init task's
2482 * soft limit into the computation is to avoid resetting soft limits
2483 * higher than the default soft limit for cases where the default is
2484 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2486 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2487 PROCESS__RLIMITINH, NULL);
2489 /* protect against do_prlimit() */
2491 for (i = 0; i < RLIM_NLIMITS; i++) {
2492 rlim = current->signal->rlim + i;
2493 initrlim = init_task.signal->rlim + i;
2494 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2496 task_unlock(current);
2497 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2502 * Clean up the process immediately after the installation of new credentials
2505 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2507 const struct task_security_struct *tsec = current_security();
2508 struct itimerval itimer;
2518 /* Check whether the new SID can inherit signal state from the old SID.
2519 * If not, clear itimers to avoid subsequent signal generation and
2520 * flush and unblock signals.
2522 * This must occur _after_ the task SID has been updated so that any
2523 * kill done after the flush will be checked against the new SID.
2525 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2527 memset(&itimer, 0, sizeof itimer);
2528 for (i = 0; i < 3; i++)
2529 do_setitimer(i, &itimer, NULL);
2530 spin_lock_irq(¤t->sighand->siglock);
2531 if (!fatal_signal_pending(current)) {
2532 flush_sigqueue(¤t->pending);
2533 flush_sigqueue(¤t->signal->shared_pending);
2534 flush_signal_handlers(current, 1);
2535 sigemptyset(¤t->blocked);
2536 recalc_sigpending();
2538 spin_unlock_irq(¤t->sighand->siglock);
2541 /* Wake up the parent if it is waiting so that it can recheck
2542 * wait permission to the new task SID. */
2543 read_lock(&tasklist_lock);
2544 __wake_up_parent(current, current->real_parent);
2545 read_unlock(&tasklist_lock);
2548 /* superblock security operations */
2550 static int selinux_sb_alloc_security(struct super_block *sb)
2552 return superblock_alloc_security(sb);
2555 static void selinux_sb_free_security(struct super_block *sb)
2557 superblock_free_security(sb);
2560 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2565 return !memcmp(prefix, option, plen);
2568 static inline int selinux_option(char *option, int len)
2570 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2571 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2572 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2573 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2574 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2577 static inline void take_option(char **to, char *from, int *first, int len)
2584 memcpy(*to, from, len);
2588 static inline void take_selinux_option(char **to, char *from, int *first,
2591 int current_size = 0;
2599 while (current_size < len) {
2609 static int selinux_sb_copy_data(char *orig, char *copy)
2611 int fnosec, fsec, rc = 0;
2612 char *in_save, *in_curr, *in_end;
2613 char *sec_curr, *nosec_save, *nosec;
2619 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2627 in_save = in_end = orig;
2631 open_quote = !open_quote;
2632 if ((*in_end == ',' && open_quote == 0) ||
2634 int len = in_end - in_curr;
2636 if (selinux_option(in_curr, len))
2637 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2639 take_option(&nosec, in_curr, &fnosec, len);
2641 in_curr = in_end + 1;
2643 } while (*in_end++);
2645 strcpy(in_save, nosec_save);
2646 free_page((unsigned long)nosec_save);
2651 static int selinux_sb_remount(struct super_block *sb, void *data)
2654 struct security_mnt_opts opts;
2655 char *secdata, **mount_options;
2656 struct superblock_security_struct *sbsec = sb->s_security;
2658 if (!(sbsec->flags & SE_SBINITIALIZED))
2664 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2667 security_init_mnt_opts(&opts);
2668 secdata = alloc_secdata();
2671 rc = selinux_sb_copy_data(data, secdata);
2673 goto out_free_secdata;
2675 rc = selinux_parse_opts_str(secdata, &opts);
2677 goto out_free_secdata;
2679 mount_options = opts.mnt_opts;
2680 flags = opts.mnt_opts_flags;
2682 for (i = 0; i < opts.num_mnt_opts; i++) {
2685 if (flags[i] == SBLABEL_MNT)
2687 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2689 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2690 "(%s) failed for (dev %s, type %s) errno=%d\n",
2691 mount_options[i], sb->s_id, sb->s_type->name, rc);
2697 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2698 goto out_bad_option;
2701 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2702 goto out_bad_option;
2704 case ROOTCONTEXT_MNT: {
2705 struct inode_security_struct *root_isec;
2706 root_isec = backing_inode_security(sb->s_root);
2708 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2709 goto out_bad_option;
2712 case DEFCONTEXT_MNT:
2713 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2714 goto out_bad_option;
2723 security_free_mnt_opts(&opts);
2725 free_secdata(secdata);
2728 printk(KERN_WARNING "SELinux: unable to change security options "
2729 "during remount (dev %s, type=%s)\n", sb->s_id,
2734 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2736 const struct cred *cred = current_cred();
2737 struct common_audit_data ad;
2740 rc = superblock_doinit(sb, data);
2744 /* Allow all mounts performed by the kernel */
2745 if (flags & MS_KERNMOUNT)
2748 ad.type = LSM_AUDIT_DATA_DENTRY;
2749 ad.u.dentry = sb->s_root;
2750 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2753 static int selinux_sb_statfs(struct dentry *dentry)
2755 const struct cred *cred = current_cred();
2756 struct common_audit_data ad;
2758 ad.type = LSM_AUDIT_DATA_DENTRY;
2759 ad.u.dentry = dentry->d_sb->s_root;
2760 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2763 static int selinux_mount(const char *dev_name,
2764 const struct path *path,
2766 unsigned long flags,
2769 const struct cred *cred = current_cred();
2771 if (flags & MS_REMOUNT)
2772 return superblock_has_perm(cred, path->dentry->d_sb,
2773 FILESYSTEM__REMOUNT, NULL);
2775 return path_has_perm(cred, path, FILE__MOUNTON);
2778 static int selinux_umount(struct vfsmount *mnt, int flags)
2780 const struct cred *cred = current_cred();
2782 return superblock_has_perm(cred, mnt->mnt_sb,
2783 FILESYSTEM__UNMOUNT, NULL);
2786 /* inode security operations */
2788 static int selinux_inode_alloc_security(struct inode *inode)
2790 return inode_alloc_security(inode);
2793 static void selinux_inode_free_security(struct inode *inode)
2795 inode_free_security(inode);
2798 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2799 struct qstr *name, void **ctx,
2805 rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
2806 inode_mode_to_security_class(mode),
2811 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2814 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2815 const struct qstr *qstr,
2817 void **value, size_t *len)
2819 const struct task_security_struct *tsec = current_security();
2820 struct superblock_security_struct *sbsec;
2821 u32 sid, newsid, clen;
2825 sbsec = dir->i_sb->s_security;
2828 newsid = tsec->create_sid;
2830 rc = selinux_determine_inode_label(
2832 inode_mode_to_security_class(inode->i_mode),
2837 /* Possibly defer initialization to selinux_complete_init. */
2838 if (sbsec->flags & SE_SBINITIALIZED) {
2839 struct inode_security_struct *isec = inode->i_security;
2840 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2842 isec->initialized = LABEL_INITIALIZED;
2845 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2849 *name = XATTR_SELINUX_SUFFIX;
2852 rc = security_sid_to_context_force(newsid, &context, &clen);
2862 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2864 return may_create(dir, dentry, SECCLASS_FILE);
2867 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2869 return may_link(dir, old_dentry, MAY_LINK);
2872 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2874 return may_link(dir, dentry, MAY_UNLINK);
2877 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2879 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2882 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2884 return may_create(dir, dentry, SECCLASS_DIR);
2887 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2889 return may_link(dir, dentry, MAY_RMDIR);
2892 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2894 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2897 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2898 struct inode *new_inode, struct dentry *new_dentry)
2900 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2903 static int selinux_inode_readlink(struct dentry *dentry)
2905 const struct cred *cred = current_cred();
2907 return dentry_has_perm(cred, dentry, FILE__READ);
2910 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2913 const struct cred *cred = current_cred();
2914 struct common_audit_data ad;
2915 struct inode_security_struct *isec;
2918 validate_creds(cred);
2920 ad.type = LSM_AUDIT_DATA_DENTRY;
2921 ad.u.dentry = dentry;
2922 sid = cred_sid(cred);
2923 isec = inode_security_rcu(inode, rcu);
2925 return PTR_ERR(isec);
2927 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2928 rcu ? MAY_NOT_BLOCK : 0);
2931 static noinline int audit_inode_permission(struct inode *inode,
2932 u32 perms, u32 audited, u32 denied,
2936 struct common_audit_data ad;
2937 struct inode_security_struct *isec = inode->i_security;
2940 ad.type = LSM_AUDIT_DATA_INODE;
2943 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2944 audited, denied, result, &ad, flags);
2950 static int selinux_inode_permission(struct inode *inode, int mask)
2952 const struct cred *cred = current_cred();
2955 unsigned flags = mask & MAY_NOT_BLOCK;
2956 struct inode_security_struct *isec;
2958 struct av_decision avd;
2960 u32 audited, denied;
2962 from_access = mask & MAY_ACCESS;
2963 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2965 /* No permission to check. Existence test. */
2969 validate_creds(cred);
2971 if (unlikely(IS_PRIVATE(inode)))
2974 perms = file_mask_to_av(inode->i_mode, mask);
2976 sid = cred_sid(cred);
2977 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
2979 return PTR_ERR(isec);
2981 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2982 audited = avc_audit_required(perms, &avd, rc,
2983 from_access ? FILE__AUDIT_ACCESS : 0,
2985 if (likely(!audited))
2988 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2994 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2996 const struct cred *cred = current_cred();
2997 unsigned int ia_valid = iattr->ia_valid;
2998 __u32 av = FILE__WRITE;
3000 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3001 if (ia_valid & ATTR_FORCE) {
3002 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3008 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3009 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3010 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3012 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3013 && !(ia_valid & ATTR_FILE))
3016 return dentry_has_perm(cred, dentry, av);
3019 static int selinux_inode_getattr(const struct path *path)
3021 return path_has_perm(current_cred(), path, FILE__GETATTR);
3024 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3026 const struct cred *cred = current_cred();
3028 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3029 sizeof XATTR_SECURITY_PREFIX - 1)) {
3030 if (!strcmp(name, XATTR_NAME_CAPS)) {
3031 if (!capable(CAP_SETFCAP))
3033 } else if (!capable(CAP_SYS_ADMIN)) {
3034 /* A different attribute in the security namespace.
3035 Restrict to administrator. */
3040 /* Not an attribute we recognize, so just check the
3041 ordinary setattr permission. */
3042 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3045 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3046 const void *value, size_t size, int flags)
3048 struct inode *inode = d_backing_inode(dentry);
3049 struct inode_security_struct *isec = backing_inode_security(dentry);
3050 struct superblock_security_struct *sbsec;
3051 struct common_audit_data ad;
3052 u32 newsid, sid = current_sid();
3055 if (strcmp(name, XATTR_NAME_SELINUX))
3056 return selinux_inode_setotherxattr(dentry, name);
3058 sbsec = inode->i_sb->s_security;
3059 if (!(sbsec->flags & SBLABEL_MNT))
3062 if (!inode_owner_or_capable(inode))
3065 ad.type = LSM_AUDIT_DATA_DENTRY;
3066 ad.u.dentry = dentry;
3068 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3069 FILE__RELABELFROM, &ad);
3073 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3074 if (rc == -EINVAL) {
3075 if (!capable(CAP_MAC_ADMIN)) {
3076 struct audit_buffer *ab;
3080 /* We strip a nul only if it is at the end, otherwise the
3081 * context contains a nul and we should audit that */
3084 if (str[size - 1] == '\0')
3085 audit_size = size - 1;
3092 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3093 audit_log_format(ab, "op=setxattr invalid_context=");
3094 audit_log_n_untrustedstring(ab, value, audit_size);
3099 rc = security_context_to_sid_force(value, size, &newsid);
3104 rc = avc_has_perm(sid, newsid, isec->sclass,
3105 FILE__RELABELTO, &ad);
3109 rc = security_validate_transition(isec->sid, newsid, sid,
3114 return avc_has_perm(newsid,
3116 SECCLASS_FILESYSTEM,
3117 FILESYSTEM__ASSOCIATE,
3121 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3122 const void *value, size_t size,
3125 struct inode *inode = d_backing_inode(dentry);
3126 struct inode_security_struct *isec = backing_inode_security(dentry);
3130 if (strcmp(name, XATTR_NAME_SELINUX)) {
3131 /* Not an attribute we recognize, so nothing to do. */
3135 rc = security_context_to_sid_force(value, size, &newsid);
3137 printk(KERN_ERR "SELinux: unable to map context to SID"
3138 "for (%s, %lu), rc=%d\n",
3139 inode->i_sb->s_id, inode->i_ino, -rc);
3143 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3145 isec->initialized = LABEL_INITIALIZED;
3150 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3152 const struct cred *cred = current_cred();
3154 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3157 static int selinux_inode_listxattr(struct dentry *dentry)
3159 const struct cred *cred = current_cred();
3161 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3164 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3166 if (strcmp(name, XATTR_NAME_SELINUX))
3167 return selinux_inode_setotherxattr(dentry, name);
3169 /* No one is allowed to remove a SELinux security label.
3170 You can change the label, but all data must be labeled. */
3175 * Copy the inode security context value to the user.
3177 * Permission check is handled by selinux_inode_getxattr hook.
3179 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3183 char *context = NULL;
3184 struct inode_security_struct *isec = inode_security(inode);
3186 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3190 * If the caller has CAP_MAC_ADMIN, then get the raw context
3191 * value even if it is not defined by current policy; otherwise,
3192 * use the in-core value under current policy.
3193 * Use the non-auditing forms of the permission checks since
3194 * getxattr may be called by unprivileged processes commonly
3195 * and lack of permission just means that we fall back to the
3196 * in-core context value, not a denial.
3198 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3199 SECURITY_CAP_NOAUDIT);
3201 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3202 SECURITY_CAP_NOAUDIT);
3204 error = security_sid_to_context_force(isec->sid, &context,
3207 error = security_sid_to_context(isec->sid, &context, &size);
3220 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3221 const void *value, size_t size, int flags)
3223 struct inode_security_struct *isec = inode_security(inode);
3227 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3230 if (!value || !size)
3233 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3237 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3239 isec->initialized = LABEL_INITIALIZED;
3243 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3245 const int len = sizeof(XATTR_NAME_SELINUX);
3246 if (buffer && len <= buffer_size)
3247 memcpy(buffer, XATTR_NAME_SELINUX, len);
3251 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3253 struct inode_security_struct *isec = inode_security_novalidate(inode);
3257 /* file security operations */
3259 static int selinux_revalidate_file_permission(struct file *file, int mask)
3261 const struct cred *cred = current_cred();
3262 struct inode *inode = file_inode(file);
3264 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3265 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3268 return file_has_perm(cred, file,
3269 file_mask_to_av(inode->i_mode, mask));
3272 static int selinux_file_permission(struct file *file, int mask)
3274 struct inode *inode = file_inode(file);
3275 struct file_security_struct *fsec = file->f_security;
3276 struct inode_security_struct *isec;
3277 u32 sid = current_sid();
3280 /* No permission to check. Existence test. */
3283 isec = inode_security(inode);
3284 if (sid == fsec->sid && fsec->isid == isec->sid &&
3285 fsec->pseqno == avc_policy_seqno())
3286 /* No change since file_open check. */
3289 return selinux_revalidate_file_permission(file, mask);
3292 static int selinux_file_alloc_security(struct file *file)
3294 return file_alloc_security(file);
3297 static void selinux_file_free_security(struct file *file)
3299 file_free_security(file);
3303 * Check whether a task has the ioctl permission and cmd
3304 * operation to an inode.
3306 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3307 u32 requested, u16 cmd)
3309 struct common_audit_data ad;
3310 struct file_security_struct *fsec = file->f_security;
3311 struct inode *inode = file_inode(file);
3312 struct inode_security_struct *isec = inode_security(inode);
3313 struct lsm_ioctlop_audit ioctl;
3314 u32 ssid = cred_sid(cred);
3316 u8 driver = cmd >> 8;
3317 u8 xperm = cmd & 0xff;
3319 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3322 ad.u.op->path = file->f_path;
3324 if (ssid != fsec->sid) {
3325 rc = avc_has_perm(ssid, fsec->sid,
3333 if (unlikely(IS_PRIVATE(inode)))
3336 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3337 requested, driver, xperm, &ad);
3342 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3345 const struct cred *cred = current_cred();
3355 case FS_IOC_GETFLAGS:
3357 case FS_IOC_GETVERSION:
3358 error = file_has_perm(cred, file, FILE__GETATTR);
3361 case FS_IOC_SETFLAGS:
3363 case FS_IOC_SETVERSION:
3364 error = file_has_perm(cred, file, FILE__SETATTR);
3367 /* sys_ioctl() checks */
3371 error = file_has_perm(cred, file, 0);
3376 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3377 SECURITY_CAP_AUDIT);
3380 /* default case assumes that the command will go
3381 * to the file's ioctl() function.
3384 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3389 static int default_noexec;
3391 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3393 const struct cred *cred = current_cred();
3396 if (default_noexec &&
3397 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3398 (!shared && (prot & PROT_WRITE)))) {
3400 * We are making executable an anonymous mapping or a
3401 * private file mapping that will also be writable.
3402 * This has an additional check.
3404 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3410 /* read access is always possible with a mapping */
3411 u32 av = FILE__READ;
3413 /* write access only matters if the mapping is shared */
3414 if (shared && (prot & PROT_WRITE))
3417 if (prot & PROT_EXEC)
3418 av |= FILE__EXECUTE;
3420 return file_has_perm(cred, file, av);
3427 static int selinux_mmap_addr(unsigned long addr)
3431 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3432 u32 sid = current_sid();
3433 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3434 MEMPROTECT__MMAP_ZERO, NULL);
3440 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3441 unsigned long prot, unsigned long flags)
3443 if (selinux_checkreqprot)
3446 return file_map_prot_check(file, prot,
3447 (flags & MAP_TYPE) == MAP_SHARED);
3450 static int selinux_file_mprotect(struct vm_area_struct *vma,
3451 unsigned long reqprot,
3454 const struct cred *cred = current_cred();
3456 if (selinux_checkreqprot)
3459 if (default_noexec &&
3460 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3462 if (vma->vm_start >= vma->vm_mm->start_brk &&
3463 vma->vm_end <= vma->vm_mm->brk) {
3464 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3465 } else if (!vma->vm_file &&
3466 vma->vm_start <= vma->vm_mm->start_stack &&
3467 vma->vm_end >= vma->vm_mm->start_stack) {
3468 rc = current_has_perm(current, PROCESS__EXECSTACK);
3469 } else if (vma->vm_file && vma->anon_vma) {
3471 * We are making executable a file mapping that has
3472 * had some COW done. Since pages might have been
3473 * written, check ability to execute the possibly
3474 * modified content. This typically should only
3475 * occur for text relocations.
3477 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3483 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3486 static int selinux_file_lock(struct file *file, unsigned int cmd)
3488 const struct cred *cred = current_cred();
3490 return file_has_perm(cred, file, FILE__LOCK);
3493 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3496 const struct cred *cred = current_cred();
3501 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3502 err = file_has_perm(cred, file, FILE__WRITE);
3511 case F_GETOWNER_UIDS:
3512 /* Just check FD__USE permission */
3513 err = file_has_perm(cred, file, 0);
3521 #if BITS_PER_LONG == 32
3526 err = file_has_perm(cred, file, FILE__LOCK);
3533 static void selinux_file_set_fowner(struct file *file)
3535 struct file_security_struct *fsec;
3537 fsec = file->f_security;
3538 fsec->fown_sid = current_sid();
3541 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3542 struct fown_struct *fown, int signum)
3545 u32 sid = task_sid(tsk);
3547 struct file_security_struct *fsec;
3549 /* struct fown_struct is never outside the context of a struct file */
3550 file = container_of(fown, struct file, f_owner);
3552 fsec = file->f_security;
3555 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3557 perm = signal_to_av(signum);
3559 return avc_has_perm(fsec->fown_sid, sid,
3560 SECCLASS_PROCESS, perm, NULL);
3563 static int selinux_file_receive(struct file *file)
3565 const struct cred *cred = current_cred();
3567 return file_has_perm(cred, file, file_to_av(file));
3570 static int selinux_file_open(struct file *file, const struct cred *cred)
3572 struct file_security_struct *fsec;
3573 struct inode_security_struct *isec;
3575 fsec = file->f_security;
3576 isec = inode_security(file_inode(file));
3578 * Save inode label and policy sequence number
3579 * at open-time so that selinux_file_permission
3580 * can determine whether revalidation is necessary.
3581 * Task label is already saved in the file security
3582 * struct as its SID.
3584 fsec->isid = isec->sid;
3585 fsec->pseqno = avc_policy_seqno();
3587 * Since the inode label or policy seqno may have changed
3588 * between the selinux_inode_permission check and the saving
3589 * of state above, recheck that access is still permitted.
3590 * Otherwise, access might never be revalidated against the
3591 * new inode label or new policy.
3592 * This check is not redundant - do not remove.
3594 return file_path_has_perm(cred, file, open_file_to_av(file));
3597 /* task security operations */
3599 static int selinux_task_create(unsigned long clone_flags)
3601 return current_has_perm(current, PROCESS__FORK);
3605 * allocate the SELinux part of blank credentials
3607 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3609 struct task_security_struct *tsec;
3611 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3615 cred->security = tsec;
3620 * detach and free the LSM part of a set of credentials
3622 static void selinux_cred_free(struct cred *cred)
3624 struct task_security_struct *tsec = cred->security;
3627 * cred->security == NULL if security_cred_alloc_blank() or
3628 * security_prepare_creds() returned an error.
3630 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3631 cred->security = (void *) 0x7UL;
3636 * prepare a new set of credentials for modification
3638 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3641 const struct task_security_struct *old_tsec;
3642 struct task_security_struct *tsec;
3644 old_tsec = old->security;
3646 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3650 new->security = tsec;
3655 * transfer the SELinux data to a blank set of creds
3657 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3659 const struct task_security_struct *old_tsec = old->security;
3660 struct task_security_struct *tsec = new->security;
3666 * set the security data for a kernel service
3667 * - all the creation contexts are set to unlabelled
3669 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3671 struct task_security_struct *tsec = new->security;
3672 u32 sid = current_sid();
3675 ret = avc_has_perm(sid, secid,
3676 SECCLASS_KERNEL_SERVICE,
3677 KERNEL_SERVICE__USE_AS_OVERRIDE,
3681 tsec->create_sid = 0;
3682 tsec->keycreate_sid = 0;
3683 tsec->sockcreate_sid = 0;
3689 * set the file creation context in a security record to the same as the
3690 * objective context of the specified inode
3692 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3694 struct inode_security_struct *isec = inode_security(inode);
3695 struct task_security_struct *tsec = new->security;
3696 u32 sid = current_sid();
3699 ret = avc_has_perm(sid, isec->sid,
3700 SECCLASS_KERNEL_SERVICE,
3701 KERNEL_SERVICE__CREATE_FILES_AS,
3705 tsec->create_sid = isec->sid;
3709 static int selinux_kernel_module_request(char *kmod_name)
3712 struct common_audit_data ad;
3714 sid = task_sid(current);
3716 ad.type = LSM_AUDIT_DATA_KMOD;
3717 ad.u.kmod_name = kmod_name;
3719 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3720 SYSTEM__MODULE_REQUEST, &ad);
3723 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3725 return current_has_perm(p, PROCESS__SETPGID);
3728 static int selinux_task_getpgid(struct task_struct *p)
3730 return current_has_perm(p, PROCESS__GETPGID);
3733 static int selinux_task_getsid(struct task_struct *p)
3735 return current_has_perm(p, PROCESS__GETSESSION);
3738 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3740 *secid = task_sid(p);
3743 static int selinux_task_setnice(struct task_struct *p, int nice)
3745 return current_has_perm(p, PROCESS__SETSCHED);
3748 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3750 return current_has_perm(p, PROCESS__SETSCHED);
3753 static int selinux_task_getioprio(struct task_struct *p)
3755 return current_has_perm(p, PROCESS__GETSCHED);
3758 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3759 struct rlimit *new_rlim)
3761 struct rlimit *old_rlim = p->signal->rlim + resource;
3763 /* Control the ability to change the hard limit (whether
3764 lowering or raising it), so that the hard limit can
3765 later be used as a safe reset point for the soft limit
3766 upon context transitions. See selinux_bprm_committing_creds. */
3767 if (old_rlim->rlim_max != new_rlim->rlim_max)
3768 return current_has_perm(p, PROCESS__SETRLIMIT);
3773 static int selinux_task_setscheduler(struct task_struct *p)
3775 return current_has_perm(p, PROCESS__SETSCHED);
3778 static int selinux_task_getscheduler(struct task_struct *p)
3780 return current_has_perm(p, PROCESS__GETSCHED);
3783 static int selinux_task_movememory(struct task_struct *p)
3785 return current_has_perm(p, PROCESS__SETSCHED);
3788 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3795 perm = PROCESS__SIGNULL; /* null signal; existence test */
3797 perm = signal_to_av(sig);
3799 rc = avc_has_perm(secid, task_sid(p),
3800 SECCLASS_PROCESS, perm, NULL);
3802 rc = current_has_perm(p, perm);
3806 static int selinux_task_wait(struct task_struct *p)
3808 return task_has_perm(p, current, PROCESS__SIGCHLD);
3811 static void selinux_task_to_inode(struct task_struct *p,
3812 struct inode *inode)
3814 struct inode_security_struct *isec = inode->i_security;
3815 u32 sid = task_sid(p);
3818 isec->initialized = LABEL_INITIALIZED;
3821 /* Returns error only if unable to parse addresses */
3822 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3823 struct common_audit_data *ad, u8 *proto)
3825 int offset, ihlen, ret = -EINVAL;
3826 struct iphdr _iph, *ih;
3828 offset = skb_network_offset(skb);
3829 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3833 ihlen = ih->ihl * 4;
3834 if (ihlen < sizeof(_iph))
3837 ad->u.net->v4info.saddr = ih->saddr;
3838 ad->u.net->v4info.daddr = ih->daddr;
3842 *proto = ih->protocol;
3844 switch (ih->protocol) {
3846 struct tcphdr _tcph, *th;
3848 if (ntohs(ih->frag_off) & IP_OFFSET)
3852 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3856 ad->u.net->sport = th->source;
3857 ad->u.net->dport = th->dest;
3862 struct udphdr _udph, *uh;
3864 if (ntohs(ih->frag_off) & IP_OFFSET)
3868 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3872 ad->u.net->sport = uh->source;
3873 ad->u.net->dport = uh->dest;
3877 case IPPROTO_DCCP: {
3878 struct dccp_hdr _dccph, *dh;
3880 if (ntohs(ih->frag_off) & IP_OFFSET)
3884 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3888 ad->u.net->sport = dh->dccph_sport;
3889 ad->u.net->dport = dh->dccph_dport;
3900 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3902 /* Returns error only if unable to parse addresses */
3903 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3904 struct common_audit_data *ad, u8 *proto)
3907 int ret = -EINVAL, offset;
3908 struct ipv6hdr _ipv6h, *ip6;
3911 offset = skb_network_offset(skb);
3912 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3916 ad->u.net->v6info.saddr = ip6->saddr;
3917 ad->u.net->v6info.daddr = ip6->daddr;
3920 nexthdr = ip6->nexthdr;
3921 offset += sizeof(_ipv6h);
3922 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3931 struct tcphdr _tcph, *th;
3933 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3937 ad->u.net->sport = th->source;
3938 ad->u.net->dport = th->dest;
3943 struct udphdr _udph, *uh;
3945 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3949 ad->u.net->sport = uh->source;
3950 ad->u.net->dport = uh->dest;
3954 case IPPROTO_DCCP: {
3955 struct dccp_hdr _dccph, *dh;
3957 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3961 ad->u.net->sport = dh->dccph_sport;
3962 ad->u.net->dport = dh->dccph_dport;
3966 /* includes fragments */
3976 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3977 char **_addrp, int src, u8 *proto)
3982 switch (ad->u.net->family) {
3984 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3987 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3988 &ad->u.net->v4info.daddr);
3991 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3993 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3996 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3997 &ad->u.net->v6info.daddr);
4007 "SELinux: failure in selinux_parse_skb(),"
4008 " unable to parse packet\n");
4018 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4020 * @family: protocol family
4021 * @sid: the packet's peer label SID
4024 * Check the various different forms of network peer labeling and determine
4025 * the peer label/SID for the packet; most of the magic actually occurs in
4026 * the security server function security_net_peersid_cmp(). The function
4027 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4028 * or -EACCES if @sid is invalid due to inconsistencies with the different
4032 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4039 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4042 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4046 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4047 if (unlikely(err)) {
4049 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4050 " unable to determine packet's peer label\n");
4058 * selinux_conn_sid - Determine the child socket label for a connection
4059 * @sk_sid: the parent socket's SID
4060 * @skb_sid: the packet's SID
4061 * @conn_sid: the resulting connection SID
4063 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4064 * combined with the MLS information from @skb_sid in order to create
4065 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4066 * of @sk_sid. Returns zero on success, negative values on failure.
4069 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4073 if (skb_sid != SECSID_NULL)
4074 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4081 /* socket security operations */
4083 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4084 u16 secclass, u32 *socksid)
4086 if (tsec->sockcreate_sid > SECSID_NULL) {
4087 *socksid = tsec->sockcreate_sid;
4091 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4095 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4097 struct sk_security_struct *sksec = sk->sk_security;
4098 struct common_audit_data ad;
4099 struct lsm_network_audit net = {0,};
4100 u32 tsid = task_sid(task);
4102 if (sksec->sid == SECINITSID_KERNEL)
4105 ad.type = LSM_AUDIT_DATA_NET;
4109 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4112 static int selinux_socket_create(int family, int type,
4113 int protocol, int kern)
4115 const struct task_security_struct *tsec = current_security();
4123 secclass = socket_type_to_security_class(family, type, protocol);
4124 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4128 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4131 static int selinux_socket_post_create(struct socket *sock, int family,
4132 int type, int protocol, int kern)
4134 const struct task_security_struct *tsec = current_security();
4135 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4136 struct sk_security_struct *sksec;
4139 isec->sclass = socket_type_to_security_class(family, type, protocol);
4142 isec->sid = SECINITSID_KERNEL;
4144 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4149 isec->initialized = LABEL_INITIALIZED;
4152 sksec = sock->sk->sk_security;
4153 sksec->sid = isec->sid;
4154 sksec->sclass = isec->sclass;
4155 err = selinux_netlbl_socket_post_create(sock->sk, family);
4161 /* Range of port numbers used to automatically bind.
4162 Need to determine whether we should perform a name_bind
4163 permission check between the socket and the port number. */
4165 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4167 struct sock *sk = sock->sk;
4171 err = sock_has_perm(current, sk, SOCKET__BIND);
4176 * If PF_INET or PF_INET6, check name_bind permission for the port.
4177 * Multiple address binding for SCTP is not supported yet: we just
4178 * check the first address now.
4180 family = sk->sk_family;
4181 if (family == PF_INET || family == PF_INET6) {
4183 struct sk_security_struct *sksec = sk->sk_security;
4184 struct common_audit_data ad;
4185 struct lsm_network_audit net = {0,};
4186 struct sockaddr_in *addr4 = NULL;
4187 struct sockaddr_in6 *addr6 = NULL;
4188 unsigned short snum;
4191 if (family == PF_INET) {
4192 addr4 = (struct sockaddr_in *)address;
4193 snum = ntohs(addr4->sin_port);
4194 addrp = (char *)&addr4->sin_addr.s_addr;
4196 addr6 = (struct sockaddr_in6 *)address;
4197 snum = ntohs(addr6->sin6_port);
4198 addrp = (char *)&addr6->sin6_addr.s6_addr;
4204 inet_get_local_port_range(sock_net(sk), &low, &high);
4206 if (snum < max(PROT_SOCK, low) || snum > high) {
4207 err = sel_netport_sid(sk->sk_protocol,
4211 ad.type = LSM_AUDIT_DATA_NET;
4213 ad.u.net->sport = htons(snum);
4214 ad.u.net->family = family;
4215 err = avc_has_perm(sksec->sid, sid,
4217 SOCKET__NAME_BIND, &ad);
4223 switch (sksec->sclass) {
4224 case SECCLASS_TCP_SOCKET:
4225 node_perm = TCP_SOCKET__NODE_BIND;
4228 case SECCLASS_UDP_SOCKET:
4229 node_perm = UDP_SOCKET__NODE_BIND;
4232 case SECCLASS_DCCP_SOCKET:
4233 node_perm = DCCP_SOCKET__NODE_BIND;
4237 node_perm = RAWIP_SOCKET__NODE_BIND;
4241 err = sel_netnode_sid(addrp, family, &sid);
4245 ad.type = LSM_AUDIT_DATA_NET;
4247 ad.u.net->sport = htons(snum);
4248 ad.u.net->family = family;
4250 if (family == PF_INET)
4251 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4253 ad.u.net->v6info.saddr = addr6->sin6_addr;
4255 err = avc_has_perm(sksec->sid, sid,
4256 sksec->sclass, node_perm, &ad);
4264 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4266 struct sock *sk = sock->sk;
4267 struct sk_security_struct *sksec = sk->sk_security;
4270 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4275 * If a TCP or DCCP socket, check name_connect permission for the port.
4277 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4278 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4279 struct common_audit_data ad;
4280 struct lsm_network_audit net = {0,};
4281 struct sockaddr_in *addr4 = NULL;
4282 struct sockaddr_in6 *addr6 = NULL;
4283 unsigned short snum;
4286 if (sk->sk_family == PF_INET) {
4287 addr4 = (struct sockaddr_in *)address;
4288 if (addrlen < sizeof(struct sockaddr_in))
4290 snum = ntohs(addr4->sin_port);
4292 addr6 = (struct sockaddr_in6 *)address;
4293 if (addrlen < SIN6_LEN_RFC2133)
4295 snum = ntohs(addr6->sin6_port);
4298 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4302 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4303 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4305 ad.type = LSM_AUDIT_DATA_NET;
4307 ad.u.net->dport = htons(snum);
4308 ad.u.net->family = sk->sk_family;
4309 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4314 err = selinux_netlbl_socket_connect(sk, address);
4320 static int selinux_socket_listen(struct socket *sock, int backlog)
4322 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4325 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4328 struct inode_security_struct *isec;
4329 struct inode_security_struct *newisec;
4331 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4335 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4337 isec = inode_security_novalidate(SOCK_INODE(sock));
4338 newisec->sclass = isec->sclass;
4339 newisec->sid = isec->sid;
4340 newisec->initialized = LABEL_INITIALIZED;
4345 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4348 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4351 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4352 int size, int flags)
4354 return sock_has_perm(current, sock->sk, SOCKET__READ);
4357 static int selinux_socket_getsockname(struct socket *sock)
4359 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4362 static int selinux_socket_getpeername(struct socket *sock)
4364 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4367 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4371 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4375 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4378 static int selinux_socket_getsockopt(struct socket *sock, int level,
4381 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4384 static int selinux_socket_shutdown(struct socket *sock, int how)
4386 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4389 static int selinux_socket_unix_stream_connect(struct sock *sock,
4393 struct sk_security_struct *sksec_sock = sock->sk_security;
4394 struct sk_security_struct *sksec_other = other->sk_security;
4395 struct sk_security_struct *sksec_new = newsk->sk_security;
4396 struct common_audit_data ad;
4397 struct lsm_network_audit net = {0,};
4400 ad.type = LSM_AUDIT_DATA_NET;
4402 ad.u.net->sk = other;
4404 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4405 sksec_other->sclass,
4406 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4410 /* server child socket */
4411 sksec_new->peer_sid = sksec_sock->sid;
4412 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4417 /* connecting socket */
4418 sksec_sock->peer_sid = sksec_new->sid;
4423 static int selinux_socket_unix_may_send(struct socket *sock,
4424 struct socket *other)
4426 struct sk_security_struct *ssec = sock->sk->sk_security;
4427 struct sk_security_struct *osec = other->sk->sk_security;
4428 struct common_audit_data ad;
4429 struct lsm_network_audit net = {0,};
4431 ad.type = LSM_AUDIT_DATA_NET;
4433 ad.u.net->sk = other->sk;
4435 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4439 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4440 char *addrp, u16 family, u32 peer_sid,
4441 struct common_audit_data *ad)
4447 err = sel_netif_sid(ns, ifindex, &if_sid);
4450 err = avc_has_perm(peer_sid, if_sid,
4451 SECCLASS_NETIF, NETIF__INGRESS, ad);
4455 err = sel_netnode_sid(addrp, family, &node_sid);
4458 return avc_has_perm(peer_sid, node_sid,
4459 SECCLASS_NODE, NODE__RECVFROM, ad);
4462 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4466 struct sk_security_struct *sksec = sk->sk_security;
4467 u32 sk_sid = sksec->sid;
4468 struct common_audit_data ad;
4469 struct lsm_network_audit net = {0,};
4472 ad.type = LSM_AUDIT_DATA_NET;
4474 ad.u.net->netif = skb->skb_iif;
4475 ad.u.net->family = family;
4476 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4480 if (selinux_secmark_enabled()) {
4481 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4487 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4490 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4495 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4498 struct sk_security_struct *sksec = sk->sk_security;
4499 u16 family = sk->sk_family;
4500 u32 sk_sid = sksec->sid;
4501 struct common_audit_data ad;
4502 struct lsm_network_audit net = {0,};
4507 if (family != PF_INET && family != PF_INET6)
4510 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4511 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4514 /* If any sort of compatibility mode is enabled then handoff processing
4515 * to the selinux_sock_rcv_skb_compat() function to deal with the
4516 * special handling. We do this in an attempt to keep this function
4517 * as fast and as clean as possible. */
4518 if (!selinux_policycap_netpeer)
4519 return selinux_sock_rcv_skb_compat(sk, skb, family);
4521 secmark_active = selinux_secmark_enabled();
4522 peerlbl_active = selinux_peerlbl_enabled();
4523 if (!secmark_active && !peerlbl_active)
4526 ad.type = LSM_AUDIT_DATA_NET;
4528 ad.u.net->netif = skb->skb_iif;
4529 ad.u.net->family = family;
4530 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4534 if (peerlbl_active) {
4537 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4540 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4541 addrp, family, peer_sid, &ad);
4543 selinux_netlbl_err(skb, err, 0);
4546 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4549 selinux_netlbl_err(skb, err, 0);
4554 if (secmark_active) {
4555 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4564 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4565 int __user *optlen, unsigned len)
4570 struct sk_security_struct *sksec = sock->sk->sk_security;
4571 u32 peer_sid = SECSID_NULL;
4573 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4574 sksec->sclass == SECCLASS_TCP_SOCKET)
4575 peer_sid = sksec->peer_sid;
4576 if (peer_sid == SECSID_NULL)
4577 return -ENOPROTOOPT;
4579 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4583 if (scontext_len > len) {
4588 if (copy_to_user(optval, scontext, scontext_len))
4592 if (put_user(scontext_len, optlen))
4598 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4600 u32 peer_secid = SECSID_NULL;
4603 if (skb && skb->protocol == htons(ETH_P_IP))
4605 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4608 family = sock->sk->sk_family;
4612 if (sock && family == PF_UNIX)
4613 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4615 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4618 *secid = peer_secid;
4619 if (peer_secid == SECSID_NULL)
4624 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4626 struct sk_security_struct *sksec;
4628 sksec = kzalloc(sizeof(*sksec), priority);
4632 sksec->peer_sid = SECINITSID_UNLABELED;
4633 sksec->sid = SECINITSID_UNLABELED;
4634 sksec->sclass = SECCLASS_SOCKET;
4635 selinux_netlbl_sk_security_reset(sksec);
4636 sk->sk_security = sksec;
4641 static void selinux_sk_free_security(struct sock *sk)
4643 struct sk_security_struct *sksec = sk->sk_security;
4645 sk->sk_security = NULL;
4646 selinux_netlbl_sk_security_free(sksec);
4650 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4652 struct sk_security_struct *sksec = sk->sk_security;
4653 struct sk_security_struct *newsksec = newsk->sk_security;
4655 newsksec->sid = sksec->sid;
4656 newsksec->peer_sid = sksec->peer_sid;
4657 newsksec->sclass = sksec->sclass;
4659 selinux_netlbl_sk_security_reset(newsksec);
4662 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4665 *secid = SECINITSID_ANY_SOCKET;
4667 struct sk_security_struct *sksec = sk->sk_security;
4669 *secid = sksec->sid;
4673 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4675 struct inode_security_struct *isec =
4676 inode_security_novalidate(SOCK_INODE(parent));
4677 struct sk_security_struct *sksec = sk->sk_security;
4679 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4680 sk->sk_family == PF_UNIX)
4681 isec->sid = sksec->sid;
4682 sksec->sclass = isec->sclass;
4685 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4686 struct request_sock *req)
4688 struct sk_security_struct *sksec = sk->sk_security;
4690 u16 family = req->rsk_ops->family;
4694 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4697 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4700 req->secid = connsid;
4701 req->peer_secid = peersid;
4703 return selinux_netlbl_inet_conn_request(req, family);
4706 static void selinux_inet_csk_clone(struct sock *newsk,
4707 const struct request_sock *req)
4709 struct sk_security_struct *newsksec = newsk->sk_security;
4711 newsksec->sid = req->secid;
4712 newsksec->peer_sid = req->peer_secid;
4713 /* NOTE: Ideally, we should also get the isec->sid for the
4714 new socket in sync, but we don't have the isec available yet.
4715 So we will wait until sock_graft to do it, by which
4716 time it will have been created and available. */
4718 /* We don't need to take any sort of lock here as we are the only
4719 * thread with access to newsksec */
4720 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4723 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4725 u16 family = sk->sk_family;
4726 struct sk_security_struct *sksec = sk->sk_security;
4728 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4729 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4732 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4735 static int selinux_secmark_relabel_packet(u32 sid)
4737 const struct task_security_struct *__tsec;
4740 __tsec = current_security();
4743 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4746 static void selinux_secmark_refcount_inc(void)
4748 atomic_inc(&selinux_secmark_refcount);
4751 static void selinux_secmark_refcount_dec(void)
4753 atomic_dec(&selinux_secmark_refcount);
4756 static void selinux_req_classify_flow(const struct request_sock *req,
4759 fl->flowi_secid = req->secid;
4762 static int selinux_tun_dev_alloc_security(void **security)
4764 struct tun_security_struct *tunsec;
4766 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4769 tunsec->sid = current_sid();
4775 static void selinux_tun_dev_free_security(void *security)
4780 static int selinux_tun_dev_create(void)
4782 u32 sid = current_sid();
4784 /* we aren't taking into account the "sockcreate" SID since the socket
4785 * that is being created here is not a socket in the traditional sense,
4786 * instead it is a private sock, accessible only to the kernel, and
4787 * representing a wide range of network traffic spanning multiple
4788 * connections unlike traditional sockets - check the TUN driver to
4789 * get a better understanding of why this socket is special */
4791 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4795 static int selinux_tun_dev_attach_queue(void *security)
4797 struct tun_security_struct *tunsec = security;
4799 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4800 TUN_SOCKET__ATTACH_QUEUE, NULL);
4803 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4805 struct tun_security_struct *tunsec = security;
4806 struct sk_security_struct *sksec = sk->sk_security;
4808 /* we don't currently perform any NetLabel based labeling here and it
4809 * isn't clear that we would want to do so anyway; while we could apply
4810 * labeling without the support of the TUN user the resulting labeled
4811 * traffic from the other end of the connection would almost certainly
4812 * cause confusion to the TUN user that had no idea network labeling
4813 * protocols were being used */
4815 sksec->sid = tunsec->sid;
4816 sksec->sclass = SECCLASS_TUN_SOCKET;
4821 static int selinux_tun_dev_open(void *security)
4823 struct tun_security_struct *tunsec = security;
4824 u32 sid = current_sid();
4827 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4828 TUN_SOCKET__RELABELFROM, NULL);
4831 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4832 TUN_SOCKET__RELABELTO, NULL);
4840 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4844 struct nlmsghdr *nlh;
4845 struct sk_security_struct *sksec = sk->sk_security;
4847 if (skb->len < NLMSG_HDRLEN) {
4851 nlh = nlmsg_hdr(skb);
4853 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4855 if (err == -EINVAL) {
4856 pr_warn_ratelimited("SELinux: unrecognized netlink"
4857 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
4858 " pig=%d comm=%s\n",
4859 sk->sk_protocol, nlh->nlmsg_type,
4860 secclass_map[sksec->sclass - 1].name,
4861 task_pid_nr(current), current->comm);
4862 if (!selinux_enforcing || security_get_allow_unknown())
4872 err = sock_has_perm(current, sk, perm);
4877 #ifdef CONFIG_NETFILTER
4879 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4880 const struct net_device *indev,
4886 struct common_audit_data ad;
4887 struct lsm_network_audit net = {0,};
4892 if (!selinux_policycap_netpeer)
4895 secmark_active = selinux_secmark_enabled();
4896 netlbl_active = netlbl_enabled();
4897 peerlbl_active = selinux_peerlbl_enabled();
4898 if (!secmark_active && !peerlbl_active)
4901 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4904 ad.type = LSM_AUDIT_DATA_NET;
4906 ad.u.net->netif = indev->ifindex;
4907 ad.u.net->family = family;
4908 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4911 if (peerlbl_active) {
4912 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4913 addrp, family, peer_sid, &ad);
4915 selinux_netlbl_err(skb, err, 1);
4921 if (avc_has_perm(peer_sid, skb->secmark,
4922 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4926 /* we do this in the FORWARD path and not the POST_ROUTING
4927 * path because we want to make sure we apply the necessary
4928 * labeling before IPsec is applied so we can leverage AH
4930 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4936 static unsigned int selinux_ipv4_forward(void *priv,
4937 struct sk_buff *skb,
4938 const struct nf_hook_state *state)
4940 return selinux_ip_forward(skb, state->in, PF_INET);
4943 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4944 static unsigned int selinux_ipv6_forward(void *priv,
4945 struct sk_buff *skb,
4946 const struct nf_hook_state *state)
4948 return selinux_ip_forward(skb, state->in, PF_INET6);
4952 static unsigned int selinux_ip_output(struct sk_buff *skb,
4958 if (!netlbl_enabled())
4961 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4962 * because we want to make sure we apply the necessary labeling
4963 * before IPsec is applied so we can leverage AH protection */
4966 struct sk_security_struct *sksec;
4968 if (sk_listener(sk))
4969 /* if the socket is the listening state then this
4970 * packet is a SYN-ACK packet which means it needs to
4971 * be labeled based on the connection/request_sock and
4972 * not the parent socket. unfortunately, we can't
4973 * lookup the request_sock yet as it isn't queued on
4974 * the parent socket until after the SYN-ACK is sent.
4975 * the "solution" is to simply pass the packet as-is
4976 * as any IP option based labeling should be copied
4977 * from the initial connection request (in the IP
4978 * layer). it is far from ideal, but until we get a
4979 * security label in the packet itself this is the
4980 * best we can do. */
4983 /* standard practice, label using the parent socket */
4984 sksec = sk->sk_security;
4987 sid = SECINITSID_KERNEL;
4988 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4994 static unsigned int selinux_ipv4_output(void *priv,
4995 struct sk_buff *skb,
4996 const struct nf_hook_state *state)
4998 return selinux_ip_output(skb, PF_INET);
5001 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5005 struct sock *sk = skb_to_full_sk(skb);
5006 struct sk_security_struct *sksec;
5007 struct common_audit_data ad;
5008 struct lsm_network_audit net = {0,};
5014 sksec = sk->sk_security;
5016 ad.type = LSM_AUDIT_DATA_NET;
5018 ad.u.net->netif = ifindex;
5019 ad.u.net->family = family;
5020 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5023 if (selinux_secmark_enabled())
5024 if (avc_has_perm(sksec->sid, skb->secmark,
5025 SECCLASS_PACKET, PACKET__SEND, &ad))
5026 return NF_DROP_ERR(-ECONNREFUSED);
5028 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5029 return NF_DROP_ERR(-ECONNREFUSED);
5034 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5035 const struct net_device *outdev,
5040 int ifindex = outdev->ifindex;
5042 struct common_audit_data ad;
5043 struct lsm_network_audit net = {0,};
5048 /* If any sort of compatibility mode is enabled then handoff processing
5049 * to the selinux_ip_postroute_compat() function to deal with the
5050 * special handling. We do this in an attempt to keep this function
5051 * as fast and as clean as possible. */
5052 if (!selinux_policycap_netpeer)
5053 return selinux_ip_postroute_compat(skb, ifindex, family);
5055 secmark_active = selinux_secmark_enabled();
5056 peerlbl_active = selinux_peerlbl_enabled();
5057 if (!secmark_active && !peerlbl_active)
5060 sk = skb_to_full_sk(skb);
5063 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5064 * packet transformation so allow the packet to pass without any checks
5065 * since we'll have another chance to perform access control checks
5066 * when the packet is on it's final way out.
5067 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5068 * is NULL, in this case go ahead and apply access control.
5069 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5070 * TCP listening state we cannot wait until the XFRM processing
5071 * is done as we will miss out on the SA label if we do;
5072 * unfortunately, this means more work, but it is only once per
5074 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5075 !(sk && sk_listener(sk)))
5080 /* Without an associated socket the packet is either coming
5081 * from the kernel or it is being forwarded; check the packet
5082 * to determine which and if the packet is being forwarded
5083 * query the packet directly to determine the security label. */
5085 secmark_perm = PACKET__FORWARD_OUT;
5086 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5089 secmark_perm = PACKET__SEND;
5090 peer_sid = SECINITSID_KERNEL;
5092 } else if (sk_listener(sk)) {
5093 /* Locally generated packet but the associated socket is in the
5094 * listening state which means this is a SYN-ACK packet. In
5095 * this particular case the correct security label is assigned
5096 * to the connection/request_sock but unfortunately we can't
5097 * query the request_sock as it isn't queued on the parent
5098 * socket until after the SYN-ACK packet is sent; the only
5099 * viable choice is to regenerate the label like we do in
5100 * selinux_inet_conn_request(). See also selinux_ip_output()
5101 * for similar problems. */
5103 struct sk_security_struct *sksec;
5105 sksec = sk->sk_security;
5106 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5108 /* At this point, if the returned skb peerlbl is SECSID_NULL
5109 * and the packet has been through at least one XFRM
5110 * transformation then we must be dealing with the "final"
5111 * form of labeled IPsec packet; since we've already applied
5112 * all of our access controls on this packet we can safely
5113 * pass the packet. */
5114 if (skb_sid == SECSID_NULL) {
5117 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5121 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5125 return NF_DROP_ERR(-ECONNREFUSED);
5128 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5130 secmark_perm = PACKET__SEND;
5132 /* Locally generated packet, fetch the security label from the
5133 * associated socket. */
5134 struct sk_security_struct *sksec = sk->sk_security;
5135 peer_sid = sksec->sid;
5136 secmark_perm = PACKET__SEND;
5139 ad.type = LSM_AUDIT_DATA_NET;
5141 ad.u.net->netif = ifindex;
5142 ad.u.net->family = family;
5143 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5147 if (avc_has_perm(peer_sid, skb->secmark,
5148 SECCLASS_PACKET, secmark_perm, &ad))
5149 return NF_DROP_ERR(-ECONNREFUSED);
5151 if (peerlbl_active) {
5155 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5157 if (avc_has_perm(peer_sid, if_sid,
5158 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5159 return NF_DROP_ERR(-ECONNREFUSED);
5161 if (sel_netnode_sid(addrp, family, &node_sid))
5163 if (avc_has_perm(peer_sid, node_sid,
5164 SECCLASS_NODE, NODE__SENDTO, &ad))
5165 return NF_DROP_ERR(-ECONNREFUSED);
5171 static unsigned int selinux_ipv4_postroute(void *priv,
5172 struct sk_buff *skb,
5173 const struct nf_hook_state *state)
5175 return selinux_ip_postroute(skb, state->out, PF_INET);
5178 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5179 static unsigned int selinux_ipv6_postroute(void *priv,
5180 struct sk_buff *skb,
5181 const struct nf_hook_state *state)
5183 return selinux_ip_postroute(skb, state->out, PF_INET6);
5187 #endif /* CONFIG_NETFILTER */
5189 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5191 return selinux_nlmsg_perm(sk, skb);
5194 static int ipc_alloc_security(struct task_struct *task,
5195 struct kern_ipc_perm *perm,
5198 struct ipc_security_struct *isec;
5201 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5205 sid = task_sid(task);
5206 isec->sclass = sclass;
5208 perm->security = isec;
5213 static void ipc_free_security(struct kern_ipc_perm *perm)
5215 struct ipc_security_struct *isec = perm->security;
5216 perm->security = NULL;
5220 static int msg_msg_alloc_security(struct msg_msg *msg)
5222 struct msg_security_struct *msec;
5224 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5228 msec->sid = SECINITSID_UNLABELED;
5229 msg->security = msec;
5234 static void msg_msg_free_security(struct msg_msg *msg)
5236 struct msg_security_struct *msec = msg->security;
5238 msg->security = NULL;
5242 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5245 struct ipc_security_struct *isec;
5246 struct common_audit_data ad;
5247 u32 sid = current_sid();
5249 isec = ipc_perms->security;
5251 ad.type = LSM_AUDIT_DATA_IPC;
5252 ad.u.ipc_id = ipc_perms->key;
5254 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5257 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5259 return msg_msg_alloc_security(msg);
5262 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5264 msg_msg_free_security(msg);
5267 /* message queue security operations */
5268 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5270 struct ipc_security_struct *isec;
5271 struct common_audit_data ad;
5272 u32 sid = current_sid();
5275 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5279 isec = msq->q_perm.security;
5281 ad.type = LSM_AUDIT_DATA_IPC;
5282 ad.u.ipc_id = msq->q_perm.key;
5284 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5287 ipc_free_security(&msq->q_perm);
5293 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5295 ipc_free_security(&msq->q_perm);
5298 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5300 struct ipc_security_struct *isec;
5301 struct common_audit_data ad;
5302 u32 sid = current_sid();
5304 isec = msq->q_perm.security;
5306 ad.type = LSM_AUDIT_DATA_IPC;
5307 ad.u.ipc_id = msq->q_perm.key;
5309 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5310 MSGQ__ASSOCIATE, &ad);
5313 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5321 /* No specific object, just general system-wide information. */
5322 return task_has_system(current, SYSTEM__IPC_INFO);
5325 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5328 perms = MSGQ__SETATTR;
5331 perms = MSGQ__DESTROY;
5337 err = ipc_has_perm(&msq->q_perm, perms);
5341 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5343 struct ipc_security_struct *isec;
5344 struct msg_security_struct *msec;
5345 struct common_audit_data ad;
5346 u32 sid = current_sid();
5349 isec = msq->q_perm.security;
5350 msec = msg->security;
5353 * First time through, need to assign label to the message
5355 if (msec->sid == SECINITSID_UNLABELED) {
5357 * Compute new sid based on current process and
5358 * message queue this message will be stored in
5360 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5366 ad.type = LSM_AUDIT_DATA_IPC;
5367 ad.u.ipc_id = msq->q_perm.key;
5369 /* Can this process write to the queue? */
5370 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5373 /* Can this process send the message */
5374 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5377 /* Can the message be put in the queue? */
5378 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5379 MSGQ__ENQUEUE, &ad);
5384 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5385 struct task_struct *target,
5386 long type, int mode)
5388 struct ipc_security_struct *isec;
5389 struct msg_security_struct *msec;
5390 struct common_audit_data ad;
5391 u32 sid = task_sid(target);
5394 isec = msq->q_perm.security;
5395 msec = msg->security;
5397 ad.type = LSM_AUDIT_DATA_IPC;
5398 ad.u.ipc_id = msq->q_perm.key;
5400 rc = avc_has_perm(sid, isec->sid,
5401 SECCLASS_MSGQ, MSGQ__READ, &ad);
5403 rc = avc_has_perm(sid, msec->sid,
5404 SECCLASS_MSG, MSG__RECEIVE, &ad);
5408 /* Shared Memory security operations */
5409 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5411 struct ipc_security_struct *isec;
5412 struct common_audit_data ad;
5413 u32 sid = current_sid();
5416 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5420 isec = shp->shm_perm.security;
5422 ad.type = LSM_AUDIT_DATA_IPC;
5423 ad.u.ipc_id = shp->shm_perm.key;
5425 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5428 ipc_free_security(&shp->shm_perm);
5434 static void selinux_shm_free_security(struct shmid_kernel *shp)
5436 ipc_free_security(&shp->shm_perm);
5439 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5441 struct ipc_security_struct *isec;
5442 struct common_audit_data ad;
5443 u32 sid = current_sid();
5445 isec = shp->shm_perm.security;
5447 ad.type = LSM_AUDIT_DATA_IPC;
5448 ad.u.ipc_id = shp->shm_perm.key;
5450 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5451 SHM__ASSOCIATE, &ad);
5454 /* Note, at this point, shp is locked down */
5455 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5463 /* No specific object, just general system-wide information. */
5464 return task_has_system(current, SYSTEM__IPC_INFO);
5467 perms = SHM__GETATTR | SHM__ASSOCIATE;
5470 perms = SHM__SETATTR;
5477 perms = SHM__DESTROY;
5483 err = ipc_has_perm(&shp->shm_perm, perms);
5487 static int selinux_shm_shmat(struct shmid_kernel *shp,
5488 char __user *shmaddr, int shmflg)
5492 if (shmflg & SHM_RDONLY)
5495 perms = SHM__READ | SHM__WRITE;
5497 return ipc_has_perm(&shp->shm_perm, perms);
5500 /* Semaphore security operations */
5501 static int selinux_sem_alloc_security(struct sem_array *sma)
5503 struct ipc_security_struct *isec;
5504 struct common_audit_data ad;
5505 u32 sid = current_sid();
5508 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5512 isec = sma->sem_perm.security;
5514 ad.type = LSM_AUDIT_DATA_IPC;
5515 ad.u.ipc_id = sma->sem_perm.key;
5517 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5520 ipc_free_security(&sma->sem_perm);
5526 static void selinux_sem_free_security(struct sem_array *sma)
5528 ipc_free_security(&sma->sem_perm);
5531 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5533 struct ipc_security_struct *isec;
5534 struct common_audit_data ad;
5535 u32 sid = current_sid();
5537 isec = sma->sem_perm.security;
5539 ad.type = LSM_AUDIT_DATA_IPC;
5540 ad.u.ipc_id = sma->sem_perm.key;
5542 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5543 SEM__ASSOCIATE, &ad);
5546 /* Note, at this point, sma is locked down */
5547 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5555 /* No specific object, just general system-wide information. */
5556 return task_has_system(current, SYSTEM__IPC_INFO);
5560 perms = SEM__GETATTR;
5571 perms = SEM__DESTROY;
5574 perms = SEM__SETATTR;
5578 perms = SEM__GETATTR | SEM__ASSOCIATE;
5584 err = ipc_has_perm(&sma->sem_perm, perms);
5588 static int selinux_sem_semop(struct sem_array *sma,
5589 struct sembuf *sops, unsigned nsops, int alter)
5594 perms = SEM__READ | SEM__WRITE;
5598 return ipc_has_perm(&sma->sem_perm, perms);
5601 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5607 av |= IPC__UNIX_READ;
5609 av |= IPC__UNIX_WRITE;
5614 return ipc_has_perm(ipcp, av);
5617 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5619 struct ipc_security_struct *isec = ipcp->security;
5623 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5626 inode_doinit_with_dentry(inode, dentry);
5629 static int selinux_getprocattr(struct task_struct *p,
5630 char *name, char **value)
5632 const struct task_security_struct *__tsec;
5638 error = current_has_perm(p, PROCESS__GETATTR);
5644 __tsec = __task_cred(p)->security;
5646 if (!strcmp(name, "current"))
5648 else if (!strcmp(name, "prev"))
5650 else if (!strcmp(name, "exec"))
5651 sid = __tsec->exec_sid;
5652 else if (!strcmp(name, "fscreate"))
5653 sid = __tsec->create_sid;
5654 else if (!strcmp(name, "keycreate"))
5655 sid = __tsec->keycreate_sid;
5656 else if (!strcmp(name, "sockcreate"))
5657 sid = __tsec->sockcreate_sid;
5665 error = security_sid_to_context(sid, value, &len);
5675 static int selinux_setprocattr(struct task_struct *p,
5676 char *name, void *value, size_t size)
5678 struct task_security_struct *tsec;
5679 struct task_struct *tracer;
5686 /* SELinux only allows a process to change its own
5687 security attributes. */
5692 * Basic control over ability to set these attributes at all.
5693 * current == p, but we'll pass them separately in case the
5694 * above restriction is ever removed.
5696 if (!strcmp(name, "exec"))
5697 error = current_has_perm(p, PROCESS__SETEXEC);
5698 else if (!strcmp(name, "fscreate"))
5699 error = current_has_perm(p, PROCESS__SETFSCREATE);
5700 else if (!strcmp(name, "keycreate"))
5701 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5702 else if (!strcmp(name, "sockcreate"))
5703 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5704 else if (!strcmp(name, "current"))
5705 error = current_has_perm(p, PROCESS__SETCURRENT);
5711 /* Obtain a SID for the context, if one was specified. */
5712 if (size && str[1] && str[1] != '\n') {
5713 if (str[size-1] == '\n') {
5717 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5718 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5719 if (!capable(CAP_MAC_ADMIN)) {
5720 struct audit_buffer *ab;
5723 /* We strip a nul only if it is at the end, otherwise the
5724 * context contains a nul and we should audit that */
5725 if (str[size - 1] == '\0')
5726 audit_size = size - 1;
5729 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5730 audit_log_format(ab, "op=fscreate invalid_context=");
5731 audit_log_n_untrustedstring(ab, value, audit_size);
5736 error = security_context_to_sid_force(value, size,
5743 new = prepare_creds();
5747 /* Permission checking based on the specified context is
5748 performed during the actual operation (execve,
5749 open/mkdir/...), when we know the full context of the
5750 operation. See selinux_bprm_set_creds for the execve
5751 checks and may_create for the file creation checks. The
5752 operation will then fail if the context is not permitted. */
5753 tsec = new->security;
5754 if (!strcmp(name, "exec")) {
5755 tsec->exec_sid = sid;
5756 } else if (!strcmp(name, "fscreate")) {
5757 tsec->create_sid = sid;
5758 } else if (!strcmp(name, "keycreate")) {
5759 error = may_create_key(sid, p);
5762 tsec->keycreate_sid = sid;
5763 } else if (!strcmp(name, "sockcreate")) {
5764 tsec->sockcreate_sid = sid;
5765 } else if (!strcmp(name, "current")) {
5770 /* Only allow single threaded processes to change context */
5772 if (!current_is_single_threaded()) {
5773 error = security_bounded_transition(tsec->sid, sid);
5778 /* Check permissions for the transition. */
5779 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5780 PROCESS__DYNTRANSITION, NULL);
5784 /* Check for ptracing, and update the task SID if ok.
5785 Otherwise, leave SID unchanged and fail. */
5788 tracer = ptrace_parent(p);
5790 ptsid = task_sid(tracer);
5794 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5795 PROCESS__PTRACE, NULL);
5814 static int selinux_ismaclabel(const char *name)
5816 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5819 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5821 return security_sid_to_context(secid, secdata, seclen);
5824 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5826 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5829 static void selinux_release_secctx(char *secdata, u32 seclen)
5834 static void selinux_inode_invalidate_secctx(struct inode *inode)
5836 struct inode_security_struct *isec = inode->i_security;
5838 mutex_lock(&isec->lock);
5839 isec->initialized = LABEL_INVALID;
5840 mutex_unlock(&isec->lock);
5844 * called with inode->i_mutex locked
5846 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5848 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5852 * called with inode->i_mutex locked
5854 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5856 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5859 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5862 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5871 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5872 unsigned long flags)
5874 const struct task_security_struct *tsec;
5875 struct key_security_struct *ksec;
5877 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5881 tsec = cred->security;
5882 if (tsec->keycreate_sid)
5883 ksec->sid = tsec->keycreate_sid;
5885 ksec->sid = tsec->sid;
5891 static void selinux_key_free(struct key *k)
5893 struct key_security_struct *ksec = k->security;
5899 static int selinux_key_permission(key_ref_t key_ref,
5900 const struct cred *cred,
5904 struct key_security_struct *ksec;
5907 /* if no specific permissions are requested, we skip the
5908 permission check. No serious, additional covert channels
5909 appear to be created. */
5913 sid = cred_sid(cred);
5915 key = key_ref_to_ptr(key_ref);
5916 ksec = key->security;
5918 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5921 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5923 struct key_security_struct *ksec = key->security;
5924 char *context = NULL;
5928 rc = security_sid_to_context(ksec->sid, &context, &len);
5937 static struct security_hook_list selinux_hooks[] = {
5938 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
5939 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
5940 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
5941 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
5943 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
5944 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
5945 LSM_HOOK_INIT(capget, selinux_capget),
5946 LSM_HOOK_INIT(capset, selinux_capset),
5947 LSM_HOOK_INIT(capable, selinux_capable),
5948 LSM_HOOK_INIT(quotactl, selinux_quotactl),
5949 LSM_HOOK_INIT(quota_on, selinux_quota_on),
5950 LSM_HOOK_INIT(syslog, selinux_syslog),
5951 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
5953 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
5955 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
5956 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
5957 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
5958 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
5960 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
5961 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
5962 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
5963 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
5964 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
5965 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
5966 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
5967 LSM_HOOK_INIT(sb_mount, selinux_mount),
5968 LSM_HOOK_INIT(sb_umount, selinux_umount),
5969 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
5970 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
5971 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
5973 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
5975 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
5976 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
5977 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
5978 LSM_HOOK_INIT(inode_create, selinux_inode_create),
5979 LSM_HOOK_INIT(inode_link, selinux_inode_link),
5980 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
5981 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
5982 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
5983 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
5984 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
5985 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
5986 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
5987 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
5988 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
5989 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
5990 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
5991 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
5992 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
5993 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
5994 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
5995 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
5996 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
5997 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
5998 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
5999 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6001 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6002 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6003 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6004 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6005 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6006 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6007 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6008 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6009 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6010 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6011 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6012 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6014 LSM_HOOK_INIT(file_open, selinux_file_open),
6016 LSM_HOOK_INIT(task_create, selinux_task_create),
6017 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6018 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6019 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6020 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6021 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6022 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6023 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6024 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6025 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6026 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6027 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6028 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6029 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6030 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6031 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6032 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6033 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6034 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6035 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6036 LSM_HOOK_INIT(task_wait, selinux_task_wait),
6037 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6039 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6040 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6042 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6043 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6045 LSM_HOOK_INIT(msg_queue_alloc_security,
6046 selinux_msg_queue_alloc_security),
6047 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6048 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6049 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6050 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6051 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6053 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6054 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6055 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6056 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6057 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6059 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6060 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6061 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6062 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6063 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6065 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6067 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6068 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6070 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6071 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6072 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6073 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6074 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6075 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6076 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6077 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6079 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6080 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6082 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6083 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6084 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6085 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6086 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6087 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6088 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6089 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6090 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6091 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6092 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6093 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6094 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6095 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6096 LSM_HOOK_INIT(socket_getpeersec_stream,
6097 selinux_socket_getpeersec_stream),
6098 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6099 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6100 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6101 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6102 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6103 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6104 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6105 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6106 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6107 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6108 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6109 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6110 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6111 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6112 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6113 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6114 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6115 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6116 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6118 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6119 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6120 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6121 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6122 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6123 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6124 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6125 selinux_xfrm_state_alloc_acquire),
6126 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6127 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6128 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6129 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6130 selinux_xfrm_state_pol_flow_match),
6131 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6135 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6136 LSM_HOOK_INIT(key_free, selinux_key_free),
6137 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6138 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6142 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6143 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6144 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6145 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6149 static __init int selinux_init(void)
6151 if (!security_module_enable("selinux")) {
6152 selinux_enabled = 0;
6156 if (!selinux_enabled) {
6157 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6161 printk(KERN_INFO "SELinux: Initializing.\n");
6163 /* Set the security state for the initial task. */
6164 cred_init_security();
6166 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6168 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6169 sizeof(struct inode_security_struct),
6170 0, SLAB_PANIC, NULL);
6171 file_security_cache = kmem_cache_create("selinux_file_security",
6172 sizeof(struct file_security_struct),
6173 0, SLAB_PANIC, NULL);
6176 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6178 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6179 panic("SELinux: Unable to register AVC netcache callback\n");
6181 if (selinux_enforcing)
6182 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6184 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6189 static void delayed_superblock_init(struct super_block *sb, void *unused)
6191 superblock_doinit(sb, NULL);
6194 void selinux_complete_init(void)
6196 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6198 /* Set up any superblocks initialized prior to the policy load. */
6199 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6200 iterate_supers(delayed_superblock_init, NULL);
6203 /* SELinux requires early initialization in order to label
6204 all processes and objects when they are created. */
6205 security_initcall(selinux_init);
6207 #if defined(CONFIG_NETFILTER)
6209 static struct nf_hook_ops selinux_nf_ops[] = {
6211 .hook = selinux_ipv4_postroute,
6213 .hooknum = NF_INET_POST_ROUTING,
6214 .priority = NF_IP_PRI_SELINUX_LAST,
6217 .hook = selinux_ipv4_forward,
6219 .hooknum = NF_INET_FORWARD,
6220 .priority = NF_IP_PRI_SELINUX_FIRST,
6223 .hook = selinux_ipv4_output,
6225 .hooknum = NF_INET_LOCAL_OUT,
6226 .priority = NF_IP_PRI_SELINUX_FIRST,
6228 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6230 .hook = selinux_ipv6_postroute,
6232 .hooknum = NF_INET_POST_ROUTING,
6233 .priority = NF_IP6_PRI_SELINUX_LAST,
6236 .hook = selinux_ipv6_forward,
6238 .hooknum = NF_INET_FORWARD,
6239 .priority = NF_IP6_PRI_SELINUX_FIRST,
6244 static int __init selinux_nf_ip_init(void)
6248 if (!selinux_enabled)
6251 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6253 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6255 panic("SELinux: nf_register_hooks: error %d\n", err);
6260 __initcall(selinux_nf_ip_init);
6262 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6263 static void selinux_nf_ip_exit(void)
6265 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6267 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6271 #else /* CONFIG_NETFILTER */
6273 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6274 #define selinux_nf_ip_exit()
6277 #endif /* CONFIG_NETFILTER */
6279 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6280 static int selinux_disabled;
6282 int selinux_disable(void)
6284 if (ss_initialized) {
6285 /* Not permitted after initial policy load. */
6289 if (selinux_disabled) {
6290 /* Only do this once. */
6294 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6296 selinux_disabled = 1;
6297 selinux_enabled = 0;
6299 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6301 /* Try to destroy the avc node cache */
6304 /* Unregister netfilter hooks. */
6305 selinux_nf_ip_exit();
6307 /* Unregister selinuxfs. */