2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/ptrace.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
88 #define XATTR_SELINUX_SUFFIX "selinux"
89 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91 #define NUM_SEL_MNT_OPTS 4
93 extern unsigned int policydb_loaded_version;
94 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
95 extern int selinux_compat_net;
96 extern struct security_operations *security_ops;
98 /* SECMARK reference count */
99 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
104 static int __init enforcing_setup(char *str)
106 unsigned long enforcing;
107 if (!strict_strtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
111 __setup("enforcing=", enforcing_setup);
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117 static int __init selinux_enabled_setup(char *str)
119 unsigned long enabled;
120 if (!strict_strtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
124 __setup("selinux=", selinux_enabled_setup);
126 int selinux_enabled = 1;
129 /* Original (dummy) security module. */
130 static struct security_operations *original_ops;
132 /* Minimal support for a secondary security module,
133 just to allow the use of the dummy or capability modules.
134 The owlsm module can alternatively be used as a secondary
135 module as long as CONFIG_OWLSM_FD is not enabled. */
136 static struct security_operations *secondary_ops;
138 /* Lists of inode and superblock security structures initialized
139 before the policy was loaded. */
140 static LIST_HEAD(superblock_security_head);
141 static DEFINE_SPINLOCK(sb_security_lock);
143 static struct kmem_cache *sel_inode_cache;
146 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
149 * This function checks the SECMARK reference counter to see if any SECMARK
150 * targets are currently configured, if the reference counter is greater than
151 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
152 * enabled, false (0) if SECMARK is disabled.
155 static int selinux_secmark_enabled(void)
157 return (atomic_read(&selinux_secmark_refcount) > 0);
160 /* Allocate and free functions for each kind of security blob. */
162 static int task_alloc_security(struct task_struct *task)
164 struct task_security_struct *tsec;
166 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
170 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
171 task->security = tsec;
176 static void task_free_security(struct task_struct *task)
178 struct task_security_struct *tsec = task->security;
179 task->security = NULL;
183 static int inode_alloc_security(struct inode *inode)
185 struct task_security_struct *tsec = current->security;
186 struct inode_security_struct *isec;
188 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
192 mutex_init(&isec->lock);
193 INIT_LIST_HEAD(&isec->list);
195 isec->sid = SECINITSID_UNLABELED;
196 isec->sclass = SECCLASS_FILE;
197 isec->task_sid = tsec->sid;
198 inode->i_security = isec;
203 static void inode_free_security(struct inode *inode)
205 struct inode_security_struct *isec = inode->i_security;
206 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
208 spin_lock(&sbsec->isec_lock);
209 if (!list_empty(&isec->list))
210 list_del_init(&isec->list);
211 spin_unlock(&sbsec->isec_lock);
213 inode->i_security = NULL;
214 kmem_cache_free(sel_inode_cache, isec);
217 static int file_alloc_security(struct file *file)
219 struct task_security_struct *tsec = current->security;
220 struct file_security_struct *fsec;
222 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
226 fsec->sid = tsec->sid;
227 fsec->fown_sid = tsec->sid;
228 file->f_security = fsec;
233 static void file_free_security(struct file *file)
235 struct file_security_struct *fsec = file->f_security;
236 file->f_security = NULL;
240 static int superblock_alloc_security(struct super_block *sb)
242 struct superblock_security_struct *sbsec;
244 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
248 mutex_init(&sbsec->lock);
249 INIT_LIST_HEAD(&sbsec->list);
250 INIT_LIST_HEAD(&sbsec->isec_head);
251 spin_lock_init(&sbsec->isec_lock);
253 sbsec->sid = SECINITSID_UNLABELED;
254 sbsec->def_sid = SECINITSID_FILE;
255 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
256 sb->s_security = sbsec;
261 static void superblock_free_security(struct super_block *sb)
263 struct superblock_security_struct *sbsec = sb->s_security;
265 spin_lock(&sb_security_lock);
266 if (!list_empty(&sbsec->list))
267 list_del_init(&sbsec->list);
268 spin_unlock(&sb_security_lock);
270 sb->s_security = NULL;
274 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
276 struct sk_security_struct *ssec;
278 ssec = kzalloc(sizeof(*ssec), priority);
282 ssec->peer_sid = SECINITSID_UNLABELED;
283 ssec->sid = SECINITSID_UNLABELED;
284 sk->sk_security = ssec;
286 selinux_netlbl_sk_security_reset(ssec, family);
291 static void sk_free_security(struct sock *sk)
293 struct sk_security_struct *ssec = sk->sk_security;
295 sk->sk_security = NULL;
299 /* The security server must be initialized before
300 any labeling or access decisions can be provided. */
301 extern int ss_initialized;
303 /* The file system's label must be initialized prior to use. */
305 static char *labeling_behaviors[6] = {
307 "uses transition SIDs",
309 "uses genfs_contexts",
310 "not configured for labeling",
311 "uses mountpoint labeling",
314 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
316 static inline int inode_doinit(struct inode *inode)
318 return inode_doinit_with_dentry(inode, NULL);
329 static match_table_t tokens = {
330 {Opt_context, CONTEXT_STR "%s"},
331 {Opt_fscontext, FSCONTEXT_STR "%s"},
332 {Opt_defcontext, DEFCONTEXT_STR "%s"},
333 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
337 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
339 static int may_context_mount_sb_relabel(u32 sid,
340 struct superblock_security_struct *sbsec,
341 struct task_security_struct *tsec)
345 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
346 FILESYSTEM__RELABELFROM, NULL);
350 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
351 FILESYSTEM__RELABELTO, NULL);
355 static int may_context_mount_inode_relabel(u32 sid,
356 struct superblock_security_struct *sbsec,
357 struct task_security_struct *tsec)
360 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
361 FILESYSTEM__RELABELFROM, NULL);
365 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
366 FILESYSTEM__ASSOCIATE, NULL);
370 static int sb_finish_set_opts(struct super_block *sb)
372 struct superblock_security_struct *sbsec = sb->s_security;
373 struct dentry *root = sb->s_root;
374 struct inode *root_inode = root->d_inode;
377 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
378 /* Make sure that the xattr handler exists and that no
379 error other than -ENODATA is returned by getxattr on
380 the root directory. -ENODATA is ok, as this may be
381 the first boot of the SELinux kernel before we have
382 assigned xattr values to the filesystem. */
383 if (!root_inode->i_op->getxattr) {
384 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
385 "xattr support\n", sb->s_id, sb->s_type->name);
389 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
390 if (rc < 0 && rc != -ENODATA) {
391 if (rc == -EOPNOTSUPP)
392 printk(KERN_WARNING "SELinux: (dev %s, type "
393 "%s) has no security xattr handler\n",
394 sb->s_id, sb->s_type->name);
396 printk(KERN_WARNING "SELinux: (dev %s, type "
397 "%s) getxattr errno %d\n", sb->s_id,
398 sb->s_type->name, -rc);
403 sbsec->initialized = 1;
405 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
406 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
407 sb->s_id, sb->s_type->name);
409 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
410 sb->s_id, sb->s_type->name,
411 labeling_behaviors[sbsec->behavior-1]);
413 /* Initialize the root inode. */
414 rc = inode_doinit_with_dentry(root_inode, root);
416 /* Initialize any other inodes associated with the superblock, e.g.
417 inodes created prior to initial policy load or inodes created
418 during get_sb by a pseudo filesystem that directly
420 spin_lock(&sbsec->isec_lock);
422 if (!list_empty(&sbsec->isec_head)) {
423 struct inode_security_struct *isec =
424 list_entry(sbsec->isec_head.next,
425 struct inode_security_struct, list);
426 struct inode *inode = isec->inode;
427 spin_unlock(&sbsec->isec_lock);
428 inode = igrab(inode);
430 if (!IS_PRIVATE(inode))
434 spin_lock(&sbsec->isec_lock);
435 list_del_init(&isec->list);
438 spin_unlock(&sbsec->isec_lock);
444 * This function should allow an FS to ask what it's mount security
445 * options were so it can use those later for submounts, displaying
446 * mount options, or whatever.
448 static int selinux_get_mnt_opts(const struct super_block *sb,
449 struct security_mnt_opts *opts)
452 struct superblock_security_struct *sbsec = sb->s_security;
453 char *context = NULL;
457 security_init_mnt_opts(opts);
459 if (!sbsec->initialized)
466 * if we ever use sbsec flags for anything other than tracking mount
467 * settings this is going to need a mask
470 /* count the number of mount options for this sb */
471 for (i = 0; i < 8; i++) {
473 opts->num_mnt_opts++;
477 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
478 if (!opts->mnt_opts) {
483 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
484 if (!opts->mnt_opts_flags) {
490 if (sbsec->flags & FSCONTEXT_MNT) {
491 rc = security_sid_to_context(sbsec->sid, &context, &len);
494 opts->mnt_opts[i] = context;
495 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
497 if (sbsec->flags & CONTEXT_MNT) {
498 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
501 opts->mnt_opts[i] = context;
502 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
504 if (sbsec->flags & DEFCONTEXT_MNT) {
505 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
508 opts->mnt_opts[i] = context;
509 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
511 if (sbsec->flags & ROOTCONTEXT_MNT) {
512 struct inode *root = sbsec->sb->s_root->d_inode;
513 struct inode_security_struct *isec = root->i_security;
515 rc = security_sid_to_context(isec->sid, &context, &len);
518 opts->mnt_opts[i] = context;
519 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
522 BUG_ON(i != opts->num_mnt_opts);
527 security_free_mnt_opts(opts);
531 static int bad_option(struct superblock_security_struct *sbsec, char flag,
532 u32 old_sid, u32 new_sid)
534 /* check if the old mount command had the same options */
535 if (sbsec->initialized)
536 if (!(sbsec->flags & flag) ||
537 (old_sid != new_sid))
540 /* check if we were passed the same options twice,
541 * aka someone passed context=a,context=b
543 if (!sbsec->initialized)
544 if (sbsec->flags & flag)
550 * Allow filesystems with binary mount data to explicitly set mount point
551 * labeling information.
553 static int selinux_set_mnt_opts(struct super_block *sb,
554 struct security_mnt_opts *opts)
557 struct task_security_struct *tsec = current->security;
558 struct superblock_security_struct *sbsec = sb->s_security;
559 const char *name = sb->s_type->name;
560 struct dentry *root = sb->s_root;
561 struct inode *root_inode = root->d_inode;
562 struct inode_security_struct *root_isec = root_inode->i_security;
563 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
564 u32 defcontext_sid = 0;
565 char **mount_options = opts->mnt_opts;
566 int *flags = opts->mnt_opts_flags;
567 int num_opts = opts->num_mnt_opts;
568 bool can_xattr = false;
570 mutex_lock(&sbsec->lock);
572 if (!ss_initialized) {
574 /* Defer initialization until selinux_complete_init,
575 after the initial policy is loaded and the security
576 server is ready to handle calls. */
577 spin_lock(&sb_security_lock);
578 if (list_empty(&sbsec->list))
579 list_add(&sbsec->list, &superblock_security_head);
580 spin_unlock(&sb_security_lock);
584 printk(KERN_WARNING "SELinux: Unable to set superblock options "
585 "before the security server is initialized\n");
590 * Binary mount data FS will come through this function twice. Once
591 * from an explicit call and once from the generic calls from the vfs.
592 * Since the generic VFS calls will not contain any security mount data
593 * we need to skip the double mount verification.
595 * This does open a hole in which we will not notice if the first
596 * mount using this sb set explict options and a second mount using
597 * this sb does not set any security options. (The first options
598 * will be used for both mounts)
600 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
605 * parse the mount options, check if they are valid sids.
606 * also check if someone is trying to mount the same sb more
607 * than once with different security options.
609 for (i = 0; i < num_opts; i++) {
611 rc = security_context_to_sid(mount_options[i],
612 strlen(mount_options[i]), &sid);
614 printk(KERN_WARNING "SELinux: security_context_to_sid"
615 "(%s) failed for (dev %s, type %s) errno=%d\n",
616 mount_options[i], sb->s_id, name, rc);
623 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
625 goto out_double_mount;
627 sbsec->flags |= FSCONTEXT_MNT;
632 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
634 goto out_double_mount;
636 sbsec->flags |= CONTEXT_MNT;
638 case ROOTCONTEXT_MNT:
639 rootcontext_sid = sid;
641 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
643 goto out_double_mount;
645 sbsec->flags |= ROOTCONTEXT_MNT;
649 defcontext_sid = sid;
651 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
653 goto out_double_mount;
655 sbsec->flags |= DEFCONTEXT_MNT;
664 if (sbsec->initialized) {
665 /* previously mounted with options, but not on this attempt? */
666 if (sbsec->flags && !num_opts)
667 goto out_double_mount;
672 if (strcmp(name, "proc") == 0)
676 * test if the fs supports xattrs, fs_use might make use of this if the
677 * fs has no definition in policy.
679 if (root_inode->i_op->getxattr) {
680 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
681 if (rc >= 0 || rc == -ENODATA)
685 /* Determine the labeling behavior to use for this filesystem type. */
686 rc = security_fs_use(name, &sbsec->behavior, &sbsec->sid, can_xattr);
688 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
693 /* sets the context of the superblock for the fs being mounted. */
696 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
700 sbsec->sid = fscontext_sid;
704 * Switch to using mount point labeling behavior.
705 * sets the label used on all file below the mountpoint, and will set
706 * the superblock context if not already set.
709 if (!fscontext_sid) {
710 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
713 sbsec->sid = context_sid;
715 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
719 if (!rootcontext_sid)
720 rootcontext_sid = context_sid;
722 sbsec->mntpoint_sid = context_sid;
723 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
726 if (rootcontext_sid) {
727 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
731 root_isec->sid = rootcontext_sid;
732 root_isec->initialized = 1;
735 if (defcontext_sid) {
736 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
738 printk(KERN_WARNING "SELinux: defcontext option is "
739 "invalid for this filesystem type\n");
743 if (defcontext_sid != sbsec->def_sid) {
744 rc = may_context_mount_inode_relabel(defcontext_sid,
750 sbsec->def_sid = defcontext_sid;
753 rc = sb_finish_set_opts(sb);
755 mutex_unlock(&sbsec->lock);
759 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
760 "security settings for (dev %s, type %s)\n", sb->s_id, name);
764 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
765 struct super_block *newsb)
767 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
768 struct superblock_security_struct *newsbsec = newsb->s_security;
770 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
771 int set_context = (oldsbsec->flags & CONTEXT_MNT);
772 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
775 * if the parent was able to be mounted it clearly had no special lsm
776 * mount options. thus we can safely put this sb on the list and deal
779 if (!ss_initialized) {
780 spin_lock(&sb_security_lock);
781 if (list_empty(&newsbsec->list))
782 list_add(&newsbsec->list, &superblock_security_head);
783 spin_unlock(&sb_security_lock);
787 /* how can we clone if the old one wasn't set up?? */
788 BUG_ON(!oldsbsec->initialized);
790 /* if fs is reusing a sb, just let its options stand... */
791 if (newsbsec->initialized)
794 mutex_lock(&newsbsec->lock);
796 newsbsec->flags = oldsbsec->flags;
798 newsbsec->sid = oldsbsec->sid;
799 newsbsec->def_sid = oldsbsec->def_sid;
800 newsbsec->behavior = oldsbsec->behavior;
803 u32 sid = oldsbsec->mntpoint_sid;
807 if (!set_rootcontext) {
808 struct inode *newinode = newsb->s_root->d_inode;
809 struct inode_security_struct *newisec = newinode->i_security;
812 newsbsec->mntpoint_sid = sid;
814 if (set_rootcontext) {
815 const struct inode *oldinode = oldsb->s_root->d_inode;
816 const struct inode_security_struct *oldisec = oldinode->i_security;
817 struct inode *newinode = newsb->s_root->d_inode;
818 struct inode_security_struct *newisec = newinode->i_security;
820 newisec->sid = oldisec->sid;
823 sb_finish_set_opts(newsb);
824 mutex_unlock(&newsbsec->lock);
827 static int selinux_parse_opts_str(char *options,
828 struct security_mnt_opts *opts)
831 char *context = NULL, *defcontext = NULL;
832 char *fscontext = NULL, *rootcontext = NULL;
833 int rc, num_mnt_opts = 0;
835 opts->num_mnt_opts = 0;
837 /* Standard string-based options. */
838 while ((p = strsep(&options, "|")) != NULL) {
840 substring_t args[MAX_OPT_ARGS];
845 token = match_token(p, tokens, args);
849 if (context || defcontext) {
851 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854 context = match_strdup(&args[0]);
864 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867 fscontext = match_strdup(&args[0]);
874 case Opt_rootcontext:
877 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
880 rootcontext = match_strdup(&args[0]);
888 if (context || defcontext) {
890 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
893 defcontext = match_strdup(&args[0]);
902 printk(KERN_WARNING "SELinux: unknown mount option\n");
909 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
913 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
914 if (!opts->mnt_opts_flags) {
915 kfree(opts->mnt_opts);
920 opts->mnt_opts[num_mnt_opts] = fscontext;
921 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
924 opts->mnt_opts[num_mnt_opts] = context;
925 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
928 opts->mnt_opts[num_mnt_opts] = rootcontext;
929 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
932 opts->mnt_opts[num_mnt_opts] = defcontext;
933 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
936 opts->num_mnt_opts = num_mnt_opts;
947 * string mount options parsing and call set the sbsec
949 static int superblock_doinit(struct super_block *sb, void *data)
952 char *options = data;
953 struct security_mnt_opts opts;
955 security_init_mnt_opts(&opts);
960 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
962 rc = selinux_parse_opts_str(options, &opts);
967 rc = selinux_set_mnt_opts(sb, &opts);
970 security_free_mnt_opts(&opts);
974 void selinux_write_opts(struct seq_file *m, struct security_mnt_opts *opts)
979 for (i = 0; i < opts->num_mnt_opts; i++) {
980 char *has_comma = strchr(opts->mnt_opts[i], ',');
982 switch (opts->mnt_opts_flags[i]) {
984 prefix = CONTEXT_STR;
987 prefix = FSCONTEXT_STR;
989 case ROOTCONTEXT_MNT:
990 prefix = ROOTCONTEXT_STR;
993 prefix = DEFCONTEXT_STR;
998 /* we need a comma before each option */
1000 seq_puts(m, prefix);
1003 seq_puts(m, opts->mnt_opts[i]);
1009 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1011 struct security_mnt_opts opts;
1014 rc = selinux_get_mnt_opts(sb, &opts);
1018 selinux_write_opts(m, &opts);
1020 security_free_mnt_opts(&opts);
1025 static inline u16 inode_mode_to_security_class(umode_t mode)
1027 switch (mode & S_IFMT) {
1029 return SECCLASS_SOCK_FILE;
1031 return SECCLASS_LNK_FILE;
1033 return SECCLASS_FILE;
1035 return SECCLASS_BLK_FILE;
1037 return SECCLASS_DIR;
1039 return SECCLASS_CHR_FILE;
1041 return SECCLASS_FIFO_FILE;
1045 return SECCLASS_FILE;
1048 static inline int default_protocol_stream(int protocol)
1050 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1053 static inline int default_protocol_dgram(int protocol)
1055 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1058 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1064 case SOCK_SEQPACKET:
1065 return SECCLASS_UNIX_STREAM_SOCKET;
1067 return SECCLASS_UNIX_DGRAM_SOCKET;
1074 if (default_protocol_stream(protocol))
1075 return SECCLASS_TCP_SOCKET;
1077 return SECCLASS_RAWIP_SOCKET;
1079 if (default_protocol_dgram(protocol))
1080 return SECCLASS_UDP_SOCKET;
1082 return SECCLASS_RAWIP_SOCKET;
1084 return SECCLASS_DCCP_SOCKET;
1086 return SECCLASS_RAWIP_SOCKET;
1092 return SECCLASS_NETLINK_ROUTE_SOCKET;
1093 case NETLINK_FIREWALL:
1094 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1095 case NETLINK_INET_DIAG:
1096 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1098 return SECCLASS_NETLINK_NFLOG_SOCKET;
1100 return SECCLASS_NETLINK_XFRM_SOCKET;
1101 case NETLINK_SELINUX:
1102 return SECCLASS_NETLINK_SELINUX_SOCKET;
1104 return SECCLASS_NETLINK_AUDIT_SOCKET;
1105 case NETLINK_IP6_FW:
1106 return SECCLASS_NETLINK_IP6FW_SOCKET;
1107 case NETLINK_DNRTMSG:
1108 return SECCLASS_NETLINK_DNRT_SOCKET;
1109 case NETLINK_KOBJECT_UEVENT:
1110 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1112 return SECCLASS_NETLINK_SOCKET;
1115 return SECCLASS_PACKET_SOCKET;
1117 return SECCLASS_KEY_SOCKET;
1119 return SECCLASS_APPLETALK_SOCKET;
1122 return SECCLASS_SOCKET;
1125 #ifdef CONFIG_PROC_FS
1126 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1131 char *buffer, *path, *end;
1133 buffer = (char *)__get_free_page(GFP_KERNEL);
1138 end = buffer+buflen;
1143 while (de && de != de->parent) {
1144 buflen -= de->namelen + 1;
1148 memcpy(end, de->name, de->namelen);
1153 rc = security_genfs_sid("proc", path, tclass, sid);
1154 free_page((unsigned long)buffer);
1158 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1166 /* The inode's security attributes must be initialized before first use. */
1167 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1169 struct superblock_security_struct *sbsec = NULL;
1170 struct inode_security_struct *isec = inode->i_security;
1172 struct dentry *dentry;
1173 #define INITCONTEXTLEN 255
1174 char *context = NULL;
1178 if (isec->initialized)
1181 mutex_lock(&isec->lock);
1182 if (isec->initialized)
1185 sbsec = inode->i_sb->s_security;
1186 if (!sbsec->initialized) {
1187 /* Defer initialization until selinux_complete_init,
1188 after the initial policy is loaded and the security
1189 server is ready to handle calls. */
1190 spin_lock(&sbsec->isec_lock);
1191 if (list_empty(&isec->list))
1192 list_add(&isec->list, &sbsec->isec_head);
1193 spin_unlock(&sbsec->isec_lock);
1197 switch (sbsec->behavior) {
1198 case SECURITY_FS_USE_XATTR:
1199 if (!inode->i_op->getxattr) {
1200 isec->sid = sbsec->def_sid;
1204 /* Need a dentry, since the xattr API requires one.
1205 Life would be simpler if we could just pass the inode. */
1207 /* Called from d_instantiate or d_splice_alias. */
1208 dentry = dget(opt_dentry);
1210 /* Called from selinux_complete_init, try to find a dentry. */
1211 dentry = d_find_alias(inode);
1214 printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s "
1215 "ino=%ld\n", __func__, inode->i_sb->s_id,
1220 len = INITCONTEXTLEN;
1221 context = kmalloc(len, GFP_NOFS);
1227 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1229 if (rc == -ERANGE) {
1230 /* Need a larger buffer. Query for the right size. */
1231 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1239 context = kmalloc(len, GFP_NOFS);
1245 rc = inode->i_op->getxattr(dentry,
1251 if (rc != -ENODATA) {
1252 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1253 "%d for dev=%s ino=%ld\n", __func__,
1254 -rc, inode->i_sb->s_id, inode->i_ino);
1258 /* Map ENODATA to the default file SID */
1259 sid = sbsec->def_sid;
1262 rc = security_context_to_sid_default(context, rc, &sid,
1266 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1267 "returned %d for dev=%s ino=%ld\n",
1268 __func__, context, -rc,
1269 inode->i_sb->s_id, inode->i_ino);
1271 /* Leave with the unlabeled SID */
1279 case SECURITY_FS_USE_TASK:
1280 isec->sid = isec->task_sid;
1282 case SECURITY_FS_USE_TRANS:
1283 /* Default to the fs SID. */
1284 isec->sid = sbsec->sid;
1286 /* Try to obtain a transition SID. */
1287 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1288 rc = security_transition_sid(isec->task_sid,
1296 case SECURITY_FS_USE_MNTPOINT:
1297 isec->sid = sbsec->mntpoint_sid;
1300 /* Default to the fs superblock SID. */
1301 isec->sid = sbsec->sid;
1304 struct proc_inode *proci = PROC_I(inode);
1306 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1307 rc = selinux_proc_get_sid(proci->pde,
1318 isec->initialized = 1;
1321 mutex_unlock(&isec->lock);
1323 if (isec->sclass == SECCLASS_FILE)
1324 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1328 /* Convert a Linux signal to an access vector. */
1329 static inline u32 signal_to_av(int sig)
1335 /* Commonly granted from child to parent. */
1336 perm = PROCESS__SIGCHLD;
1339 /* Cannot be caught or ignored */
1340 perm = PROCESS__SIGKILL;
1343 /* Cannot be caught or ignored */
1344 perm = PROCESS__SIGSTOP;
1347 /* All other signals. */
1348 perm = PROCESS__SIGNAL;
1355 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1356 fork check, ptrace check, etc. */
1357 static int task_has_perm(struct task_struct *tsk1,
1358 struct task_struct *tsk2,
1361 struct task_security_struct *tsec1, *tsec2;
1363 tsec1 = tsk1->security;
1364 tsec2 = tsk2->security;
1365 return avc_has_perm(tsec1->sid, tsec2->sid,
1366 SECCLASS_PROCESS, perms, NULL);
1369 #if CAP_LAST_CAP > 63
1370 #error Fix SELinux to handle capabilities > 63.
1373 /* Check whether a task is allowed to use a capability. */
1374 static int task_has_capability(struct task_struct *tsk,
1377 struct task_security_struct *tsec;
1378 struct avc_audit_data ad;
1380 u32 av = CAP_TO_MASK(cap);
1382 tsec = tsk->security;
1384 AVC_AUDIT_DATA_INIT(&ad, CAP);
1388 switch (CAP_TO_INDEX(cap)) {
1390 sclass = SECCLASS_CAPABILITY;
1393 sclass = SECCLASS_CAPABILITY2;
1397 "SELinux: out of range capability %d\n", cap);
1400 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1403 /* Check whether a task is allowed to use a system operation. */
1404 static int task_has_system(struct task_struct *tsk,
1407 struct task_security_struct *tsec;
1409 tsec = tsk->security;
1411 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1412 SECCLASS_SYSTEM, perms, NULL);
1415 /* Check whether a task has a particular permission to an inode.
1416 The 'adp' parameter is optional and allows other audit
1417 data to be passed (e.g. the dentry). */
1418 static int inode_has_perm(struct task_struct *tsk,
1419 struct inode *inode,
1421 struct avc_audit_data *adp)
1423 struct task_security_struct *tsec;
1424 struct inode_security_struct *isec;
1425 struct avc_audit_data ad;
1427 if (unlikely(IS_PRIVATE(inode)))
1430 tsec = tsk->security;
1431 isec = inode->i_security;
1435 AVC_AUDIT_DATA_INIT(&ad, FS);
1436 ad.u.fs.inode = inode;
1439 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1442 /* Same as inode_has_perm, but pass explicit audit data containing
1443 the dentry to help the auditing code to more easily generate the
1444 pathname if needed. */
1445 static inline int dentry_has_perm(struct task_struct *tsk,
1446 struct vfsmount *mnt,
1447 struct dentry *dentry,
1450 struct inode *inode = dentry->d_inode;
1451 struct avc_audit_data ad;
1452 AVC_AUDIT_DATA_INIT(&ad, FS);
1453 ad.u.fs.path.mnt = mnt;
1454 ad.u.fs.path.dentry = dentry;
1455 return inode_has_perm(tsk, inode, av, &ad);
1458 /* Check whether a task can use an open file descriptor to
1459 access an inode in a given way. Check access to the
1460 descriptor itself, and then use dentry_has_perm to
1461 check a particular permission to the file.
1462 Access to the descriptor is implicitly granted if it
1463 has the same SID as the process. If av is zero, then
1464 access to the file is not checked, e.g. for cases
1465 where only the descriptor is affected like seek. */
1466 static int file_has_perm(struct task_struct *tsk,
1470 struct task_security_struct *tsec = tsk->security;
1471 struct file_security_struct *fsec = file->f_security;
1472 struct inode *inode = file->f_path.dentry->d_inode;
1473 struct avc_audit_data ad;
1476 AVC_AUDIT_DATA_INIT(&ad, FS);
1477 ad.u.fs.path = file->f_path;
1479 if (tsec->sid != fsec->sid) {
1480 rc = avc_has_perm(tsec->sid, fsec->sid,
1488 /* av is zero if only checking access to the descriptor. */
1490 return inode_has_perm(tsk, inode, av, &ad);
1495 /* Check whether a task can create a file. */
1496 static int may_create(struct inode *dir,
1497 struct dentry *dentry,
1500 struct task_security_struct *tsec;
1501 struct inode_security_struct *dsec;
1502 struct superblock_security_struct *sbsec;
1504 struct avc_audit_data ad;
1507 tsec = current->security;
1508 dsec = dir->i_security;
1509 sbsec = dir->i_sb->s_security;
1511 AVC_AUDIT_DATA_INIT(&ad, FS);
1512 ad.u.fs.path.dentry = dentry;
1514 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1515 DIR__ADD_NAME | DIR__SEARCH,
1520 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1521 newsid = tsec->create_sid;
1523 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1529 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1533 return avc_has_perm(newsid, sbsec->sid,
1534 SECCLASS_FILESYSTEM,
1535 FILESYSTEM__ASSOCIATE, &ad);
1538 /* Check whether a task can create a key. */
1539 static int may_create_key(u32 ksid,
1540 struct task_struct *ctx)
1542 struct task_security_struct *tsec;
1544 tsec = ctx->security;
1546 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1550 #define MAY_UNLINK 1
1553 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1554 static int may_link(struct inode *dir,
1555 struct dentry *dentry,
1559 struct task_security_struct *tsec;
1560 struct inode_security_struct *dsec, *isec;
1561 struct avc_audit_data ad;
1565 tsec = current->security;
1566 dsec = dir->i_security;
1567 isec = dentry->d_inode->i_security;
1569 AVC_AUDIT_DATA_INIT(&ad, FS);
1570 ad.u.fs.path.dentry = dentry;
1573 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1574 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1589 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1594 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1598 static inline int may_rename(struct inode *old_dir,
1599 struct dentry *old_dentry,
1600 struct inode *new_dir,
1601 struct dentry *new_dentry)
1603 struct task_security_struct *tsec;
1604 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1605 struct avc_audit_data ad;
1607 int old_is_dir, new_is_dir;
1610 tsec = current->security;
1611 old_dsec = old_dir->i_security;
1612 old_isec = old_dentry->d_inode->i_security;
1613 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1614 new_dsec = new_dir->i_security;
1616 AVC_AUDIT_DATA_INIT(&ad, FS);
1618 ad.u.fs.path.dentry = old_dentry;
1619 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1620 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1623 rc = avc_has_perm(tsec->sid, old_isec->sid,
1624 old_isec->sclass, FILE__RENAME, &ad);
1627 if (old_is_dir && new_dir != old_dir) {
1628 rc = avc_has_perm(tsec->sid, old_isec->sid,
1629 old_isec->sclass, DIR__REPARENT, &ad);
1634 ad.u.fs.path.dentry = new_dentry;
1635 av = DIR__ADD_NAME | DIR__SEARCH;
1636 if (new_dentry->d_inode)
1637 av |= DIR__REMOVE_NAME;
1638 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1641 if (new_dentry->d_inode) {
1642 new_isec = new_dentry->d_inode->i_security;
1643 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1644 rc = avc_has_perm(tsec->sid, new_isec->sid,
1646 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1654 /* Check whether a task can perform a filesystem operation. */
1655 static int superblock_has_perm(struct task_struct *tsk,
1656 struct super_block *sb,
1658 struct avc_audit_data *ad)
1660 struct task_security_struct *tsec;
1661 struct superblock_security_struct *sbsec;
1663 tsec = tsk->security;
1664 sbsec = sb->s_security;
1665 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1669 /* Convert a Linux mode and permission mask to an access vector. */
1670 static inline u32 file_mask_to_av(int mode, int mask)
1674 if ((mode & S_IFMT) != S_IFDIR) {
1675 if (mask & MAY_EXEC)
1676 av |= FILE__EXECUTE;
1677 if (mask & MAY_READ)
1680 if (mask & MAY_APPEND)
1682 else if (mask & MAY_WRITE)
1686 if (mask & MAY_EXEC)
1688 if (mask & MAY_WRITE)
1690 if (mask & MAY_READ)
1698 * Convert a file mask to an access vector and include the correct open
1701 static inline u32 open_file_mask_to_av(int mode, int mask)
1703 u32 av = file_mask_to_av(mode, mask);
1705 if (selinux_policycap_openperm) {
1707 * lnk files and socks do not really have an 'open'
1711 else if (S_ISCHR(mode))
1712 av |= CHR_FILE__OPEN;
1713 else if (S_ISBLK(mode))
1714 av |= BLK_FILE__OPEN;
1715 else if (S_ISFIFO(mode))
1716 av |= FIFO_FILE__OPEN;
1717 else if (S_ISDIR(mode))
1720 printk(KERN_ERR "SELinux: WARNING: inside %s with "
1721 "unknown mode:%x\n", __func__, mode);
1726 /* Convert a Linux file to an access vector. */
1727 static inline u32 file_to_av(struct file *file)
1731 if (file->f_mode & FMODE_READ)
1733 if (file->f_mode & FMODE_WRITE) {
1734 if (file->f_flags & O_APPEND)
1741 * Special file opened with flags 3 for ioctl-only use.
1749 /* Hook functions begin here. */
1751 static int selinux_ptrace(struct task_struct *parent,
1752 struct task_struct *child,
1757 rc = secondary_ops->ptrace(parent, child, mode);
1761 if (mode == PTRACE_MODE_READ) {
1762 struct task_security_struct *tsec = parent->security;
1763 struct task_security_struct *csec = child->security;
1764 return avc_has_perm(tsec->sid, csec->sid,
1765 SECCLASS_FILE, FILE__READ, NULL);
1768 return task_has_perm(parent, child, PROCESS__PTRACE);
1771 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1772 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1776 error = task_has_perm(current, target, PROCESS__GETCAP);
1780 return secondary_ops->capget(target, effective, inheritable, permitted);
1783 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1784 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1788 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1792 return task_has_perm(current, target, PROCESS__SETCAP);
1795 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1796 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1798 secondary_ops->capset_set(target, effective, inheritable, permitted);
1801 static int selinux_capable(struct task_struct *tsk, int cap)
1805 rc = secondary_ops->capable(tsk, cap);
1809 return task_has_capability(tsk, cap);
1812 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1815 char *buffer, *path, *end;
1818 buffer = (char *)__get_free_page(GFP_KERNEL);
1823 end = buffer+buflen;
1829 const char *name = table->procname;
1830 size_t namelen = strlen(name);
1831 buflen -= namelen + 1;
1835 memcpy(end, name, namelen);
1838 table = table->parent;
1844 memcpy(end, "/sys", 4);
1846 rc = security_genfs_sid("proc", path, tclass, sid);
1848 free_page((unsigned long)buffer);
1853 static int selinux_sysctl(ctl_table *table, int op)
1857 struct task_security_struct *tsec;
1861 rc = secondary_ops->sysctl(table, op);
1865 tsec = current->security;
1867 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1868 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1870 /* Default to the well-defined sysctl SID. */
1871 tsid = SECINITSID_SYSCTL;
1874 /* The op values are "defined" in sysctl.c, thereby creating
1875 * a bad coupling between this module and sysctl.c */
1877 error = avc_has_perm(tsec->sid, tsid,
1878 SECCLASS_DIR, DIR__SEARCH, NULL);
1886 error = avc_has_perm(tsec->sid, tsid,
1887 SECCLASS_FILE, av, NULL);
1893 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1906 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
1912 rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
1916 rc = 0; /* let the kernel handle invalid cmds */
1922 static int selinux_quota_on(struct dentry *dentry)
1924 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1927 static int selinux_syslog(int type)
1931 rc = secondary_ops->syslog(type);
1936 case 3: /* Read last kernel messages */
1937 case 10: /* Return size of the log buffer */
1938 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1940 case 6: /* Disable logging to console */
1941 case 7: /* Enable logging to console */
1942 case 8: /* Set level of messages printed to console */
1943 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1945 case 0: /* Close log */
1946 case 1: /* Open log */
1947 case 2: /* Read from log */
1948 case 4: /* Read/clear last kernel messages */
1949 case 5: /* Clear ring buffer */
1951 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1958 * Check that a process has enough memory to allocate a new virtual
1959 * mapping. 0 means there is enough memory for the allocation to
1960 * succeed and -ENOMEM implies there is not.
1962 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1963 * if the capability is granted, but __vm_enough_memory requires 1 if
1964 * the capability is granted.
1966 * Do not audit the selinux permission check, as this is applied to all
1967 * processes that allocate mappings.
1969 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1971 int rc, cap_sys_admin = 0;
1972 struct task_security_struct *tsec = current->security;
1974 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1976 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1977 SECCLASS_CAPABILITY,
1978 CAP_TO_MASK(CAP_SYS_ADMIN),
1985 return __vm_enough_memory(mm, pages, cap_sys_admin);
1989 * task_tracer_task - return the task that is tracing the given task
1990 * @task: task to consider
1992 * Returns NULL if noone is tracing @task, or the &struct task_struct
1993 * pointer to its tracer.
1995 * Must be called under rcu_read_lock().
1997 static struct task_struct *task_tracer_task(struct task_struct *task)
1999 if (task->ptrace & PT_PTRACED)
2000 return rcu_dereference(task->parent);
2004 /* binprm security operations */
2006 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
2008 struct bprm_security_struct *bsec;
2010 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
2014 bsec->sid = SECINITSID_UNLABELED;
2017 bprm->security = bsec;
2021 static int selinux_bprm_set_security(struct linux_binprm *bprm)
2023 struct task_security_struct *tsec;
2024 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2025 struct inode_security_struct *isec;
2026 struct bprm_security_struct *bsec;
2028 struct avc_audit_data ad;
2031 rc = secondary_ops->bprm_set_security(bprm);
2035 bsec = bprm->security;
2040 tsec = current->security;
2041 isec = inode->i_security;
2043 /* Default to the current task SID. */
2044 bsec->sid = tsec->sid;
2046 /* Reset fs, key, and sock SIDs on execve. */
2047 tsec->create_sid = 0;
2048 tsec->keycreate_sid = 0;
2049 tsec->sockcreate_sid = 0;
2051 if (tsec->exec_sid) {
2052 newsid = tsec->exec_sid;
2053 /* Reset exec SID on execve. */
2056 /* Check for a default transition on this program. */
2057 rc = security_transition_sid(tsec->sid, isec->sid,
2058 SECCLASS_PROCESS, &newsid);
2063 AVC_AUDIT_DATA_INIT(&ad, FS);
2064 ad.u.fs.path = bprm->file->f_path;
2066 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2069 if (tsec->sid == newsid) {
2070 rc = avc_has_perm(tsec->sid, isec->sid,
2071 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2075 /* Check permissions for the transition. */
2076 rc = avc_has_perm(tsec->sid, newsid,
2077 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2081 rc = avc_has_perm(newsid, isec->sid,
2082 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2086 /* Clear any possibly unsafe personality bits on exec: */
2087 current->personality &= ~PER_CLEAR_ON_SETID;
2089 /* Set the security field to the new SID. */
2097 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2099 return secondary_ops->bprm_check_security(bprm);
2103 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2105 struct task_security_struct *tsec = current->security;
2108 if (tsec->osid != tsec->sid) {
2109 /* Enable secure mode for SIDs transitions unless
2110 the noatsecure permission is granted between
2111 the two SIDs, i.e. ahp returns 0. */
2112 atsecure = avc_has_perm(tsec->osid, tsec->sid,
2114 PROCESS__NOATSECURE, NULL);
2117 return (atsecure || secondary_ops->bprm_secureexec(bprm));
2120 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2122 kfree(bprm->security);
2123 bprm->security = NULL;
2126 extern struct vfsmount *selinuxfs_mount;
2127 extern struct dentry *selinux_null;
2129 /* Derived from fs/exec.c:flush_old_files. */
2130 static inline void flush_unauthorized_files(struct files_struct *files)
2132 struct avc_audit_data ad;
2133 struct file *file, *devnull = NULL;
2134 struct tty_struct *tty;
2135 struct fdtable *fdt;
2139 mutex_lock(&tty_mutex);
2140 tty = get_current_tty();
2143 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2145 /* Revalidate access to controlling tty.
2146 Use inode_has_perm on the tty inode directly rather
2147 than using file_has_perm, as this particular open
2148 file may belong to another process and we are only
2149 interested in the inode-based check here. */
2150 struct inode *inode = file->f_path.dentry->d_inode;
2151 if (inode_has_perm(current, inode,
2152 FILE__READ | FILE__WRITE, NULL)) {
2158 mutex_unlock(&tty_mutex);
2159 /* Reset controlling tty. */
2163 /* Revalidate access to inherited open files. */
2165 AVC_AUDIT_DATA_INIT(&ad, FS);
2167 spin_lock(&files->file_lock);
2169 unsigned long set, i;
2174 fdt = files_fdtable(files);
2175 if (i >= fdt->max_fds)
2177 set = fdt->open_fds->fds_bits[j];
2180 spin_unlock(&files->file_lock);
2181 for ( ; set ; i++, set >>= 1) {
2186 if (file_has_perm(current,
2188 file_to_av(file))) {
2190 fd = get_unused_fd();
2200 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2201 if (IS_ERR(devnull)) {
2208 fd_install(fd, devnull);
2213 spin_lock(&files->file_lock);
2216 spin_unlock(&files->file_lock);
2219 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2221 struct task_security_struct *tsec;
2222 struct bprm_security_struct *bsec;
2226 secondary_ops->bprm_apply_creds(bprm, unsafe);
2228 tsec = current->security;
2230 bsec = bprm->security;
2233 tsec->osid = tsec->sid;
2235 if (tsec->sid != sid) {
2236 /* Check for shared state. If not ok, leave SID
2237 unchanged and kill. */
2238 if (unsafe & LSM_UNSAFE_SHARE) {
2239 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2240 PROCESS__SHARE, NULL);
2247 /* Check for ptracing, and update the task SID if ok.
2248 Otherwise, leave SID unchanged and kill. */
2249 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2250 struct task_struct *tracer;
2251 struct task_security_struct *sec;
2255 tracer = task_tracer_task(current);
2256 if (likely(tracer != NULL)) {
2257 sec = tracer->security;
2263 rc = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
2264 PROCESS__PTRACE, NULL);
2276 * called after apply_creds without the task lock held
2278 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2280 struct task_security_struct *tsec;
2281 struct rlimit *rlim, *initrlim;
2282 struct itimerval itimer;
2283 struct bprm_security_struct *bsec;
2286 tsec = current->security;
2287 bsec = bprm->security;
2290 force_sig_specific(SIGKILL, current);
2293 if (tsec->osid == tsec->sid)
2296 /* Close files for which the new task SID is not authorized. */
2297 flush_unauthorized_files(current->files);
2299 /* Check whether the new SID can inherit signal state
2300 from the old SID. If not, clear itimers to avoid
2301 subsequent signal generation and flush and unblock
2302 signals. This must occur _after_ the task SID has
2303 been updated so that any kill done after the flush
2304 will be checked against the new SID. */
2305 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2306 PROCESS__SIGINH, NULL);
2308 memset(&itimer, 0, sizeof itimer);
2309 for (i = 0; i < 3; i++)
2310 do_setitimer(i, &itimer, NULL);
2311 flush_signals(current);
2312 spin_lock_irq(¤t->sighand->siglock);
2313 flush_signal_handlers(current, 1);
2314 sigemptyset(¤t->blocked);
2315 recalc_sigpending();
2316 spin_unlock_irq(¤t->sighand->siglock);
2319 /* Always clear parent death signal on SID transitions. */
2320 current->pdeath_signal = 0;
2322 /* Check whether the new SID can inherit resource limits
2323 from the old SID. If not, reset all soft limits to
2324 the lower of the current task's hard limit and the init
2325 task's soft limit. Note that the setting of hard limits
2326 (even to lower them) can be controlled by the setrlimit
2327 check. The inclusion of the init task's soft limit into
2328 the computation is to avoid resetting soft limits higher
2329 than the default soft limit for cases where the default
2330 is lower than the hard limit, e.g. RLIMIT_CORE or
2332 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2333 PROCESS__RLIMITINH, NULL);
2335 for (i = 0; i < RLIM_NLIMITS; i++) {
2336 rlim = current->signal->rlim + i;
2337 initrlim = init_task.signal->rlim+i;
2338 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2340 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2342 * This will cause RLIMIT_CPU calculations
2345 current->it_prof_expires = jiffies_to_cputime(1);
2349 /* Wake up the parent if it is waiting so that it can
2350 recheck wait permission to the new task SID. */
2351 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
2354 /* superblock security operations */
2356 static int selinux_sb_alloc_security(struct super_block *sb)
2358 return superblock_alloc_security(sb);
2361 static void selinux_sb_free_security(struct super_block *sb)
2363 superblock_free_security(sb);
2366 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2371 return !memcmp(prefix, option, plen);
2374 static inline int selinux_option(char *option, int len)
2376 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2377 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2378 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2379 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2382 static inline void take_option(char **to, char *from, int *first, int len)
2389 memcpy(*to, from, len);
2393 static inline void take_selinux_option(char **to, char *from, int *first,
2396 int current_size = 0;
2404 while (current_size < len) {
2414 static int selinux_sb_copy_data(char *orig, char *copy)
2416 int fnosec, fsec, rc = 0;
2417 char *in_save, *in_curr, *in_end;
2418 char *sec_curr, *nosec_save, *nosec;
2424 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2432 in_save = in_end = orig;
2436 open_quote = !open_quote;
2437 if ((*in_end == ',' && open_quote == 0) ||
2439 int len = in_end - in_curr;
2441 if (selinux_option(in_curr, len))
2442 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2444 take_option(&nosec, in_curr, &fnosec, len);
2446 in_curr = in_end + 1;
2448 } while (*in_end++);
2450 strcpy(in_save, nosec_save);
2451 free_page((unsigned long)nosec_save);
2456 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2458 struct avc_audit_data ad;
2461 rc = superblock_doinit(sb, data);
2465 AVC_AUDIT_DATA_INIT(&ad, FS);
2466 ad.u.fs.path.dentry = sb->s_root;
2467 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2470 static int selinux_sb_statfs(struct dentry *dentry)
2472 struct avc_audit_data ad;
2474 AVC_AUDIT_DATA_INIT(&ad, FS);
2475 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2476 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2479 static int selinux_mount(char *dev_name,
2482 unsigned long flags,
2487 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2491 if (flags & MS_REMOUNT)
2492 return superblock_has_perm(current, path->mnt->mnt_sb,
2493 FILESYSTEM__REMOUNT, NULL);
2495 return dentry_has_perm(current, path->mnt, path->dentry,
2499 static int selinux_umount(struct vfsmount *mnt, int flags)
2503 rc = secondary_ops->sb_umount(mnt, flags);
2507 return superblock_has_perm(current, mnt->mnt_sb,
2508 FILESYSTEM__UNMOUNT, NULL);
2511 /* inode security operations */
2513 static int selinux_inode_alloc_security(struct inode *inode)
2515 return inode_alloc_security(inode);
2518 static void selinux_inode_free_security(struct inode *inode)
2520 inode_free_security(inode);
2523 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2524 char **name, void **value,
2527 struct task_security_struct *tsec;
2528 struct inode_security_struct *dsec;
2529 struct superblock_security_struct *sbsec;
2532 char *namep = NULL, *context;
2534 tsec = current->security;
2535 dsec = dir->i_security;
2536 sbsec = dir->i_sb->s_security;
2538 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2539 newsid = tsec->create_sid;
2541 rc = security_transition_sid(tsec->sid, dsec->sid,
2542 inode_mode_to_security_class(inode->i_mode),
2545 printk(KERN_WARNING "%s: "
2546 "security_transition_sid failed, rc=%d (dev=%s "
2549 -rc, inode->i_sb->s_id, inode->i_ino);
2554 /* Possibly defer initialization to selinux_complete_init. */
2555 if (sbsec->initialized) {
2556 struct inode_security_struct *isec = inode->i_security;
2557 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2559 isec->initialized = 1;
2562 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2566 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2573 rc = security_sid_to_context_force(newsid, &context, &clen);
2585 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2587 return may_create(dir, dentry, SECCLASS_FILE);
2590 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2594 rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2597 return may_link(dir, old_dentry, MAY_LINK);
2600 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2604 rc = secondary_ops->inode_unlink(dir, dentry);
2607 return may_link(dir, dentry, MAY_UNLINK);
2610 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2612 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2615 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2617 return may_create(dir, dentry, SECCLASS_DIR);
2620 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2622 return may_link(dir, dentry, MAY_RMDIR);
2625 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2629 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2633 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2636 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2637 struct inode *new_inode, struct dentry *new_dentry)
2639 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2642 static int selinux_inode_readlink(struct dentry *dentry)
2644 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2647 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2651 rc = secondary_ops->inode_follow_link(dentry, nameidata);
2654 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2657 static int selinux_inode_permission(struct inode *inode, int mask,
2658 struct nameidata *nd)
2662 rc = secondary_ops->inode_permission(inode, mask, nd);
2667 /* No permission to check. Existence test. */
2671 return inode_has_perm(current, inode,
2672 open_file_mask_to_av(inode->i_mode, mask), NULL);
2675 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2679 rc = secondary_ops->inode_setattr(dentry, iattr);
2683 if (iattr->ia_valid & ATTR_FORCE)
2686 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2687 ATTR_ATIME_SET | ATTR_MTIME_SET))
2688 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2690 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2693 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2695 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2698 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2700 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2701 sizeof XATTR_SECURITY_PREFIX - 1)) {
2702 if (!strcmp(name, XATTR_NAME_CAPS)) {
2703 if (!capable(CAP_SETFCAP))
2705 } else if (!capable(CAP_SYS_ADMIN)) {
2706 /* A different attribute in the security namespace.
2707 Restrict to administrator. */
2712 /* Not an attribute we recognize, so just check the
2713 ordinary setattr permission. */
2714 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2717 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2718 const void *value, size_t size, int flags)
2720 struct task_security_struct *tsec = current->security;
2721 struct inode *inode = dentry->d_inode;
2722 struct inode_security_struct *isec = inode->i_security;
2723 struct superblock_security_struct *sbsec;
2724 struct avc_audit_data ad;
2728 if (strcmp(name, XATTR_NAME_SELINUX))
2729 return selinux_inode_setotherxattr(dentry, name);
2731 sbsec = inode->i_sb->s_security;
2732 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2735 if (!is_owner_or_cap(inode))
2738 AVC_AUDIT_DATA_INIT(&ad, FS);
2739 ad.u.fs.path.dentry = dentry;
2741 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2742 FILE__RELABELFROM, &ad);
2746 rc = security_context_to_sid(value, size, &newsid);
2747 if (rc == -EINVAL) {
2748 if (!capable(CAP_MAC_ADMIN))
2750 rc = security_context_to_sid_force(value, size, &newsid);
2755 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2756 FILE__RELABELTO, &ad);
2760 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2765 return avc_has_perm(newsid,
2767 SECCLASS_FILESYSTEM,
2768 FILESYSTEM__ASSOCIATE,
2772 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2773 const void *value, size_t size,
2776 struct inode *inode = dentry->d_inode;
2777 struct inode_security_struct *isec = inode->i_security;
2781 if (strcmp(name, XATTR_NAME_SELINUX)) {
2782 /* Not an attribute we recognize, so nothing to do. */
2786 rc = security_context_to_sid_force(value, size, &newsid);
2788 printk(KERN_ERR "SELinux: unable to map context to SID"
2789 "for (%s, %lu), rc=%d\n",
2790 inode->i_sb->s_id, inode->i_ino, -rc);
2798 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2800 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2803 static int selinux_inode_listxattr(struct dentry *dentry)
2805 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2808 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2810 if (strcmp(name, XATTR_NAME_SELINUX))
2811 return selinux_inode_setotherxattr(dentry, name);
2813 /* No one is allowed to remove a SELinux security label.
2814 You can change the label, but all data must be labeled. */
2819 * Copy the inode security context value to the user.
2821 * Permission check is handled by selinux_inode_getxattr hook.
2823 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2827 char *context = NULL;
2828 struct task_security_struct *tsec = current->security;
2829 struct inode_security_struct *isec = inode->i_security;
2831 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2835 * If the caller has CAP_MAC_ADMIN, then get the raw context
2836 * value even if it is not defined by current policy; otherwise,
2837 * use the in-core value under current policy.
2838 * Use the non-auditing forms of the permission checks since
2839 * getxattr may be called by unprivileged processes commonly
2840 * and lack of permission just means that we fall back to the
2841 * in-core context value, not a denial.
2843 error = secondary_ops->capable(current, CAP_MAC_ADMIN);
2845 error = avc_has_perm_noaudit(tsec->sid, tsec->sid,
2846 SECCLASS_CAPABILITY2,
2847 CAPABILITY2__MAC_ADMIN,
2851 error = security_sid_to_context_force(isec->sid, &context,
2854 error = security_sid_to_context(isec->sid, &context, &size);
2867 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2868 const void *value, size_t size, int flags)
2870 struct inode_security_struct *isec = inode->i_security;
2874 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2877 if (!value || !size)
2880 rc = security_context_to_sid((void *)value, size, &newsid);
2888 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2890 const int len = sizeof(XATTR_NAME_SELINUX);
2891 if (buffer && len <= buffer_size)
2892 memcpy(buffer, XATTR_NAME_SELINUX, len);
2896 static int selinux_inode_need_killpriv(struct dentry *dentry)
2898 return secondary_ops->inode_need_killpriv(dentry);
2901 static int selinux_inode_killpriv(struct dentry *dentry)
2903 return secondary_ops->inode_killpriv(dentry);
2906 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2908 struct inode_security_struct *isec = inode->i_security;
2912 /* file security operations */
2914 static int selinux_revalidate_file_permission(struct file *file, int mask)
2917 struct inode *inode = file->f_path.dentry->d_inode;
2920 /* No permission to check. Existence test. */
2924 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2925 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2928 rc = file_has_perm(current, file,
2929 file_mask_to_av(inode->i_mode, mask));
2933 return selinux_netlbl_inode_permission(inode, mask);
2936 static int selinux_file_permission(struct file *file, int mask)
2938 struct inode *inode = file->f_path.dentry->d_inode;
2939 struct task_security_struct *tsec = current->security;
2940 struct file_security_struct *fsec = file->f_security;
2941 struct inode_security_struct *isec = inode->i_security;
2944 /* No permission to check. Existence test. */
2948 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2949 && fsec->pseqno == avc_policy_seqno())
2950 return selinux_netlbl_inode_permission(inode, mask);
2952 return selinux_revalidate_file_permission(file, mask);
2955 static int selinux_file_alloc_security(struct file *file)
2957 return file_alloc_security(file);
2960 static void selinux_file_free_security(struct file *file)
2962 file_free_security(file);
2965 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2970 if (_IOC_DIR(cmd) & _IOC_WRITE)
2972 if (_IOC_DIR(cmd) & _IOC_READ)
2977 return file_has_perm(current, file, av);
2980 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2982 #ifndef CONFIG_PPC32
2983 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2985 * We are making executable an anonymous mapping or a
2986 * private file mapping that will also be writable.
2987 * This has an additional check.
2989 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2996 /* read access is always possible with a mapping */
2997 u32 av = FILE__READ;
2999 /* write access only matters if the mapping is shared */
3000 if (shared && (prot & PROT_WRITE))
3003 if (prot & PROT_EXEC)
3004 av |= FILE__EXECUTE;
3006 return file_has_perm(current, file, av);
3011 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3012 unsigned long prot, unsigned long flags,
3013 unsigned long addr, unsigned long addr_only)
3016 u32 sid = ((struct task_security_struct *)(current->security))->sid;
3018 if (addr < mmap_min_addr)
3019 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3020 MEMPROTECT__MMAP_ZERO, NULL);
3021 if (rc || addr_only)
3024 if (selinux_checkreqprot)
3027 return file_map_prot_check(file, prot,
3028 (flags & MAP_TYPE) == MAP_SHARED);
3031 static int selinux_file_mprotect(struct vm_area_struct *vma,
3032 unsigned long reqprot,
3037 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3041 if (selinux_checkreqprot)
3044 #ifndef CONFIG_PPC32
3045 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3047 if (vma->vm_start >= vma->vm_mm->start_brk &&
3048 vma->vm_end <= vma->vm_mm->brk) {
3049 rc = task_has_perm(current, current,
3051 } else if (!vma->vm_file &&
3052 vma->vm_start <= vma->vm_mm->start_stack &&
3053 vma->vm_end >= vma->vm_mm->start_stack) {
3054 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
3055 } else if (vma->vm_file && vma->anon_vma) {
3057 * We are making executable a file mapping that has
3058 * had some COW done. Since pages might have been
3059 * written, check ability to execute the possibly
3060 * modified content. This typically should only
3061 * occur for text relocations.
3063 rc = file_has_perm(current, vma->vm_file,
3071 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3074 static int selinux_file_lock(struct file *file, unsigned int cmd)
3076 return file_has_perm(current, file, FILE__LOCK);
3079 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3086 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3091 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3092 err = file_has_perm(current, file, FILE__WRITE);
3101 /* Just check FD__USE permission */
3102 err = file_has_perm(current, file, 0);
3107 #if BITS_PER_LONG == 32
3112 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3116 err = file_has_perm(current, file, FILE__LOCK);
3123 static int selinux_file_set_fowner(struct file *file)
3125 struct task_security_struct *tsec;
3126 struct file_security_struct *fsec;
3128 tsec = current->security;
3129 fsec = file->f_security;
3130 fsec->fown_sid = tsec->sid;
3135 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3136 struct fown_struct *fown, int signum)
3140 struct task_security_struct *tsec;
3141 struct file_security_struct *fsec;
3143 /* struct fown_struct is never outside the context of a struct file */
3144 file = container_of(fown, struct file, f_owner);
3146 tsec = tsk->security;
3147 fsec = file->f_security;
3150 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3152 perm = signal_to_av(signum);
3154 return avc_has_perm(fsec->fown_sid, tsec->sid,
3155 SECCLASS_PROCESS, perm, NULL);
3158 static int selinux_file_receive(struct file *file)
3160 return file_has_perm(current, file, file_to_av(file));
3163 static int selinux_dentry_open(struct file *file)
3165 struct file_security_struct *fsec;
3166 struct inode *inode;
3167 struct inode_security_struct *isec;
3168 inode = file->f_path.dentry->d_inode;
3169 fsec = file->f_security;
3170 isec = inode->i_security;
3172 * Save inode label and policy sequence number
3173 * at open-time so that selinux_file_permission
3174 * can determine whether revalidation is necessary.
3175 * Task label is already saved in the file security
3176 * struct as its SID.
3178 fsec->isid = isec->sid;
3179 fsec->pseqno = avc_policy_seqno();
3181 * Since the inode label or policy seqno may have changed
3182 * between the selinux_inode_permission check and the saving
3183 * of state above, recheck that access is still permitted.
3184 * Otherwise, access might never be revalidated against the
3185 * new inode label or new policy.
3186 * This check is not redundant - do not remove.
3188 return inode_has_perm(current, inode, file_to_av(file), NULL);
3191 /* task security operations */
3193 static int selinux_task_create(unsigned long clone_flags)
3197 rc = secondary_ops->task_create(clone_flags);
3201 return task_has_perm(current, current, PROCESS__FORK);
3204 static int selinux_task_alloc_security(struct task_struct *tsk)
3206 struct task_security_struct *tsec1, *tsec2;
3209 tsec1 = current->security;
3211 rc = task_alloc_security(tsk);
3214 tsec2 = tsk->security;
3216 tsec2->osid = tsec1->osid;
3217 tsec2->sid = tsec1->sid;
3219 /* Retain the exec, fs, key, and sock SIDs across fork */
3220 tsec2->exec_sid = tsec1->exec_sid;
3221 tsec2->create_sid = tsec1->create_sid;
3222 tsec2->keycreate_sid = tsec1->keycreate_sid;
3223 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3228 static void selinux_task_free_security(struct task_struct *tsk)
3230 task_free_security(tsk);
3233 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3235 /* Since setuid only affects the current process, and
3236 since the SELinux controls are not based on the Linux
3237 identity attributes, SELinux does not need to control
3238 this operation. However, SELinux does control the use
3239 of the CAP_SETUID and CAP_SETGID capabilities using the
3244 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3246 return secondary_ops->task_post_setuid(id0, id1, id2, flags);
3249 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3251 /* See the comment for setuid above. */
3255 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3257 return task_has_perm(current, p, PROCESS__SETPGID);
3260 static int selinux_task_getpgid(struct task_struct *p)
3262 return task_has_perm(current, p, PROCESS__GETPGID);
3265 static int selinux_task_getsid(struct task_struct *p)
3267 return task_has_perm(current, p, PROCESS__GETSESSION);
3270 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3272 struct task_security_struct *tsec = p->security;
3276 static int selinux_task_setgroups(struct group_info *group_info)
3278 /* See the comment for setuid above. */
3282 static int selinux_task_setnice(struct task_struct *p, int nice)
3286 rc = secondary_ops->task_setnice(p, nice);
3290 return task_has_perm(current, p, PROCESS__SETSCHED);
3293 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3297 rc = secondary_ops->task_setioprio(p, ioprio);
3301 return task_has_perm(current, p, PROCESS__SETSCHED);
3304 static int selinux_task_getioprio(struct task_struct *p)
3306 return task_has_perm(current, p, PROCESS__GETSCHED);
3309 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3311 struct rlimit *old_rlim = current->signal->rlim + resource;
3314 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3318 /* Control the ability to change the hard limit (whether
3319 lowering or raising it), so that the hard limit can
3320 later be used as a safe reset point for the soft limit
3321 upon context transitions. See selinux_bprm_apply_creds. */
3322 if (old_rlim->rlim_max != new_rlim->rlim_max)
3323 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3328 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3332 rc = secondary_ops->task_setscheduler(p, policy, lp);
3336 return task_has_perm(current, p, PROCESS__SETSCHED);
3339 static int selinux_task_getscheduler(struct task_struct *p)
3341 return task_has_perm(current, p, PROCESS__GETSCHED);
3344 static int selinux_task_movememory(struct task_struct *p)
3346 return task_has_perm(current, p, PROCESS__SETSCHED);
3349 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3354 struct task_security_struct *tsec;
3356 rc = secondary_ops->task_kill(p, info, sig, secid);
3361 perm = PROCESS__SIGNULL; /* null signal; existence test */
3363 perm = signal_to_av(sig);
3366 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3368 rc = task_has_perm(current, p, perm);
3372 static int selinux_task_prctl(int option,
3379 /* The current prctl operations do not appear to require
3380 any SELinux controls since they merely observe or modify
3381 the state of the current process. */
3382 return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p);
3385 static int selinux_task_wait(struct task_struct *p)
3387 return task_has_perm(p, current, PROCESS__SIGCHLD);
3390 static void selinux_task_reparent_to_init(struct task_struct *p)
3392 struct task_security_struct *tsec;
3394 secondary_ops->task_reparent_to_init(p);
3397 tsec->osid = tsec->sid;
3398 tsec->sid = SECINITSID_KERNEL;
3402 static void selinux_task_to_inode(struct task_struct *p,
3403 struct inode *inode)
3405 struct task_security_struct *tsec = p->security;
3406 struct inode_security_struct *isec = inode->i_security;
3408 isec->sid = tsec->sid;
3409 isec->initialized = 1;
3413 /* Returns error only if unable to parse addresses */
3414 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3415 struct avc_audit_data *ad, u8 *proto)
3417 int offset, ihlen, ret = -EINVAL;
3418 struct iphdr _iph, *ih;
3420 offset = skb_network_offset(skb);
3421 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3425 ihlen = ih->ihl * 4;
3426 if (ihlen < sizeof(_iph))
3429 ad->u.net.v4info.saddr = ih->saddr;
3430 ad->u.net.v4info.daddr = ih->daddr;
3434 *proto = ih->protocol;
3436 switch (ih->protocol) {
3438 struct tcphdr _tcph, *th;
3440 if (ntohs(ih->frag_off) & IP_OFFSET)
3444 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3448 ad->u.net.sport = th->source;
3449 ad->u.net.dport = th->dest;
3454 struct udphdr _udph, *uh;
3456 if (ntohs(ih->frag_off) & IP_OFFSET)
3460 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3464 ad->u.net.sport = uh->source;
3465 ad->u.net.dport = uh->dest;
3469 case IPPROTO_DCCP: {
3470 struct dccp_hdr _dccph, *dh;
3472 if (ntohs(ih->frag_off) & IP_OFFSET)
3476 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3480 ad->u.net.sport = dh->dccph_sport;
3481 ad->u.net.dport = dh->dccph_dport;
3492 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3494 /* Returns error only if unable to parse addresses */
3495 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3496 struct avc_audit_data *ad, u8 *proto)
3499 int ret = -EINVAL, offset;
3500 struct ipv6hdr _ipv6h, *ip6;
3502 offset = skb_network_offset(skb);
3503 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3507 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3508 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3511 nexthdr = ip6->nexthdr;
3512 offset += sizeof(_ipv6h);
3513 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3522 struct tcphdr _tcph, *th;
3524 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3528 ad->u.net.sport = th->source;
3529 ad->u.net.dport = th->dest;
3534 struct udphdr _udph, *uh;
3536 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3540 ad->u.net.sport = uh->source;
3541 ad->u.net.dport = uh->dest;
3545 case IPPROTO_DCCP: {
3546 struct dccp_hdr _dccph, *dh;
3548 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3552 ad->u.net.sport = dh->dccph_sport;
3553 ad->u.net.dport = dh->dccph_dport;
3557 /* includes fragments */
3567 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3568 char **addrp, int src, u8 *proto)
3572 switch (ad->u.net.family) {
3574 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3577 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3578 &ad->u.net.v4info.daddr);
3581 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3583 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3586 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3587 &ad->u.net.v6info.daddr);
3596 "SELinux: failure in selinux_parse_skb(),"
3597 " unable to parse packet\n");
3603 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3605 * @family: protocol family
3606 * @sid: the packet's peer label SID
3609 * Check the various different forms of network peer labeling and determine
3610 * the peer label/SID for the packet; most of the magic actually occurs in
3611 * the security server function security_net_peersid_cmp(). The function
3612 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3613 * or -EACCES if @sid is invalid due to inconsistencies with the different
3617 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3624 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3625 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3627 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3628 if (unlikely(err)) {
3630 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3631 " unable to determine packet's peer label\n");
3638 /* socket security operations */
3639 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3642 struct inode_security_struct *isec;
3643 struct task_security_struct *tsec;
3644 struct avc_audit_data ad;
3647 tsec = task->security;
3648 isec = SOCK_INODE(sock)->i_security;
3650 if (isec->sid == SECINITSID_KERNEL)
3653 AVC_AUDIT_DATA_INIT(&ad, NET);
3654 ad.u.net.sk = sock->sk;
3655 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3661 static int selinux_socket_create(int family, int type,
3662 int protocol, int kern)
3665 struct task_security_struct *tsec;
3671 tsec = current->security;
3672 newsid = tsec->sockcreate_sid ? : tsec->sid;
3673 err = avc_has_perm(tsec->sid, newsid,
3674 socket_type_to_security_class(family, type,
3675 protocol), SOCKET__CREATE, NULL);
3681 static int selinux_socket_post_create(struct socket *sock, int family,
3682 int type, int protocol, int kern)
3685 struct inode_security_struct *isec;
3686 struct task_security_struct *tsec;
3687 struct sk_security_struct *sksec;
3690 isec = SOCK_INODE(sock)->i_security;
3692 tsec = current->security;
3693 newsid = tsec->sockcreate_sid ? : tsec->sid;
3694 isec->sclass = socket_type_to_security_class(family, type, protocol);
3695 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3696 isec->initialized = 1;
3699 sksec = sock->sk->sk_security;
3700 sksec->sid = isec->sid;
3701 sksec->sclass = isec->sclass;
3702 err = selinux_netlbl_socket_post_create(sock);
3708 /* Range of port numbers used to automatically bind.
3709 Need to determine whether we should perform a name_bind
3710 permission check between the socket and the port number. */
3712 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3717 err = socket_has_perm(current, sock, SOCKET__BIND);
3722 * If PF_INET or PF_INET6, check name_bind permission for the port.
3723 * Multiple address binding for SCTP is not supported yet: we just
3724 * check the first address now.
3726 family = sock->sk->sk_family;
3727 if (family == PF_INET || family == PF_INET6) {
3729 struct inode_security_struct *isec;
3730 struct task_security_struct *tsec;
3731 struct avc_audit_data ad;
3732 struct sockaddr_in *addr4 = NULL;
3733 struct sockaddr_in6 *addr6 = NULL;
3734 unsigned short snum;
3735 struct sock *sk = sock->sk;
3738 tsec = current->security;
3739 isec = SOCK_INODE(sock)->i_security;
3741 if (family == PF_INET) {
3742 addr4 = (struct sockaddr_in *)address;
3743 snum = ntohs(addr4->sin_port);
3744 addrp = (char *)&addr4->sin_addr.s_addr;
3746 addr6 = (struct sockaddr_in6 *)address;
3747 snum = ntohs(addr6->sin6_port);
3748 addrp = (char *)&addr6->sin6_addr.s6_addr;
3754 inet_get_local_port_range(&low, &high);
3756 if (snum < max(PROT_SOCK, low) || snum > high) {
3757 err = sel_netport_sid(sk->sk_protocol,
3761 AVC_AUDIT_DATA_INIT(&ad, NET);
3762 ad.u.net.sport = htons(snum);
3763 ad.u.net.family = family;
3764 err = avc_has_perm(isec->sid, sid,
3766 SOCKET__NAME_BIND, &ad);
3772 switch (isec->sclass) {
3773 case SECCLASS_TCP_SOCKET:
3774 node_perm = TCP_SOCKET__NODE_BIND;
3777 case SECCLASS_UDP_SOCKET:
3778 node_perm = UDP_SOCKET__NODE_BIND;
3781 case SECCLASS_DCCP_SOCKET:
3782 node_perm = DCCP_SOCKET__NODE_BIND;
3786 node_perm = RAWIP_SOCKET__NODE_BIND;
3790 err = sel_netnode_sid(addrp, family, &sid);
3794 AVC_AUDIT_DATA_INIT(&ad, NET);
3795 ad.u.net.sport = htons(snum);
3796 ad.u.net.family = family;
3798 if (family == PF_INET)
3799 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3801 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3803 err = avc_has_perm(isec->sid, sid,
3804 isec->sclass, node_perm, &ad);
3812 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3814 struct inode_security_struct *isec;
3817 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3822 * If a TCP or DCCP socket, check name_connect permission for the port.
3824 isec = SOCK_INODE(sock)->i_security;
3825 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3826 isec->sclass == SECCLASS_DCCP_SOCKET) {
3827 struct sock *sk = sock->sk;
3828 struct avc_audit_data ad;
3829 struct sockaddr_in *addr4 = NULL;
3830 struct sockaddr_in6 *addr6 = NULL;
3831 unsigned short snum;
3834 if (sk->sk_family == PF_INET) {
3835 addr4 = (struct sockaddr_in *)address;
3836 if (addrlen < sizeof(struct sockaddr_in))
3838 snum = ntohs(addr4->sin_port);
3840 addr6 = (struct sockaddr_in6 *)address;
3841 if (addrlen < SIN6_LEN_RFC2133)
3843 snum = ntohs(addr6->sin6_port);
3846 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3850 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3851 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3853 AVC_AUDIT_DATA_INIT(&ad, NET);
3854 ad.u.net.dport = htons(snum);
3855 ad.u.net.family = sk->sk_family;
3856 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3865 static int selinux_socket_listen(struct socket *sock, int backlog)
3867 return socket_has_perm(current, sock, SOCKET__LISTEN);
3870 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3873 struct inode_security_struct *isec;
3874 struct inode_security_struct *newisec;
3876 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3880 newisec = SOCK_INODE(newsock)->i_security;
3882 isec = SOCK_INODE(sock)->i_security;
3883 newisec->sclass = isec->sclass;
3884 newisec->sid = isec->sid;
3885 newisec->initialized = 1;
3890 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3895 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3899 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3902 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3903 int size, int flags)
3905 return socket_has_perm(current, sock, SOCKET__READ);
3908 static int selinux_socket_getsockname(struct socket *sock)
3910 return socket_has_perm(current, sock, SOCKET__GETATTR);
3913 static int selinux_socket_getpeername(struct socket *sock)
3915 return socket_has_perm(current, sock, SOCKET__GETATTR);
3918 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
3922 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3926 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3929 static int selinux_socket_getsockopt(struct socket *sock, int level,
3932 return socket_has_perm(current, sock, SOCKET__GETOPT);
3935 static int selinux_socket_shutdown(struct socket *sock, int how)
3937 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3940 static int selinux_socket_unix_stream_connect(struct socket *sock,
3941 struct socket *other,
3944 struct sk_security_struct *ssec;
3945 struct inode_security_struct *isec;
3946 struct inode_security_struct *other_isec;
3947 struct avc_audit_data ad;
3950 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3954 isec = SOCK_INODE(sock)->i_security;
3955 other_isec = SOCK_INODE(other)->i_security;
3957 AVC_AUDIT_DATA_INIT(&ad, NET);
3958 ad.u.net.sk = other->sk;
3960 err = avc_has_perm(isec->sid, other_isec->sid,
3962 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3966 /* connecting socket */
3967 ssec = sock->sk->sk_security;
3968 ssec->peer_sid = other_isec->sid;
3970 /* server child socket */
3971 ssec = newsk->sk_security;
3972 ssec->peer_sid = isec->sid;
3973 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3978 static int selinux_socket_unix_may_send(struct socket *sock,
3979 struct socket *other)
3981 struct inode_security_struct *isec;
3982 struct inode_security_struct *other_isec;
3983 struct avc_audit_data ad;
3986 isec = SOCK_INODE(sock)->i_security;
3987 other_isec = SOCK_INODE(other)->i_security;
3989 AVC_AUDIT_DATA_INIT(&ad, NET);
3990 ad.u.net.sk = other->sk;
3992 err = avc_has_perm(isec->sid, other_isec->sid,
3993 isec->sclass, SOCKET__SENDTO, &ad);
4000 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4002 struct avc_audit_data *ad)
4008 err = sel_netif_sid(ifindex, &if_sid);
4011 err = avc_has_perm(peer_sid, if_sid,
4012 SECCLASS_NETIF, NETIF__INGRESS, ad);
4016 err = sel_netnode_sid(addrp, family, &node_sid);
4019 return avc_has_perm(peer_sid, node_sid,
4020 SECCLASS_NODE, NODE__RECVFROM, ad);
4023 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4024 struct sk_buff *skb,
4025 struct avc_audit_data *ad,
4030 struct sk_security_struct *sksec = sk->sk_security;
4032 u32 netif_perm, node_perm, recv_perm;
4033 u32 port_sid, node_sid, if_sid, sk_sid;
4035 sk_sid = sksec->sid;
4036 sk_class = sksec->sclass;
4039 case SECCLASS_UDP_SOCKET:
4040 netif_perm = NETIF__UDP_RECV;
4041 node_perm = NODE__UDP_RECV;
4042 recv_perm = UDP_SOCKET__RECV_MSG;
4044 case SECCLASS_TCP_SOCKET:
4045 netif_perm = NETIF__TCP_RECV;
4046 node_perm = NODE__TCP_RECV;
4047 recv_perm = TCP_SOCKET__RECV_MSG;
4049 case SECCLASS_DCCP_SOCKET:
4050 netif_perm = NETIF__DCCP_RECV;
4051 node_perm = NODE__DCCP_RECV;
4052 recv_perm = DCCP_SOCKET__RECV_MSG;
4055 netif_perm = NETIF__RAWIP_RECV;
4056 node_perm = NODE__RAWIP_RECV;
4061 err = sel_netif_sid(skb->iif, &if_sid);
4064 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4068 err = sel_netnode_sid(addrp, family, &node_sid);
4071 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4077 err = sel_netport_sid(sk->sk_protocol,
4078 ntohs(ad->u.net.sport), &port_sid);
4079 if (unlikely(err)) {
4081 "SELinux: failure in"
4082 " selinux_sock_rcv_skb_iptables_compat(),"
4083 " network port label not found\n");
4086 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4089 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4090 struct avc_audit_data *ad,
4091 u16 family, char *addrp)
4094 struct sk_security_struct *sksec = sk->sk_security;
4096 u32 sk_sid = sksec->sid;
4098 if (selinux_compat_net)
4099 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
4102 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4107 if (selinux_policycap_netpeer) {
4108 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4111 err = avc_has_perm(sk_sid, peer_sid,
4112 SECCLASS_PEER, PEER__RECV, ad);
4114 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
4117 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
4123 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4126 struct sk_security_struct *sksec = sk->sk_security;
4127 u16 family = sk->sk_family;
4128 u32 sk_sid = sksec->sid;
4129 struct avc_audit_data ad;
4132 if (family != PF_INET && family != PF_INET6)
4135 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4136 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4139 AVC_AUDIT_DATA_INIT(&ad, NET);
4140 ad.u.net.netif = skb->iif;
4141 ad.u.net.family = family;
4142 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4146 /* If any sort of compatibility mode is enabled then handoff processing
4147 * to the selinux_sock_rcv_skb_compat() function to deal with the
4148 * special handling. We do this in an attempt to keep this function
4149 * as fast and as clean as possible. */
4150 if (selinux_compat_net || !selinux_policycap_netpeer)
4151 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4154 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4157 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4160 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4164 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4168 if (selinux_secmark_enabled()) {
4169 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4178 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4179 int __user *optlen, unsigned len)
4184 struct sk_security_struct *ssec;
4185 struct inode_security_struct *isec;
4186 u32 peer_sid = SECSID_NULL;
4188 isec = SOCK_INODE(sock)->i_security;
4190 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4191 isec->sclass == SECCLASS_TCP_SOCKET) {
4192 ssec = sock->sk->sk_security;
4193 peer_sid = ssec->peer_sid;
4195 if (peer_sid == SECSID_NULL) {
4200 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4205 if (scontext_len > len) {
4210 if (copy_to_user(optval, scontext, scontext_len))
4214 if (put_user(scontext_len, optlen))
4222 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4224 u32 peer_secid = SECSID_NULL;
4228 family = sock->sk->sk_family;
4229 else if (skb && skb->sk)
4230 family = skb->sk->sk_family;
4234 if (sock && family == PF_UNIX)
4235 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4237 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4240 *secid = peer_secid;
4241 if (peer_secid == SECSID_NULL)
4246 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4248 return sk_alloc_security(sk, family, priority);
4251 static void selinux_sk_free_security(struct sock *sk)
4253 sk_free_security(sk);
4256 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4258 struct sk_security_struct *ssec = sk->sk_security;
4259 struct sk_security_struct *newssec = newsk->sk_security;
4261 newssec->sid = ssec->sid;
4262 newssec->peer_sid = ssec->peer_sid;
4263 newssec->sclass = ssec->sclass;
4265 selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4268 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4271 *secid = SECINITSID_ANY_SOCKET;
4273 struct sk_security_struct *sksec = sk->sk_security;
4275 *secid = sksec->sid;
4279 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4281 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4282 struct sk_security_struct *sksec = sk->sk_security;
4284 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4285 sk->sk_family == PF_UNIX)
4286 isec->sid = sksec->sid;
4287 sksec->sclass = isec->sclass;
4289 selinux_netlbl_sock_graft(sk, parent);
4292 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4293 struct request_sock *req)
4295 struct sk_security_struct *sksec = sk->sk_security;
4300 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4303 if (peersid == SECSID_NULL) {
4304 req->secid = sksec->sid;
4305 req->peer_secid = SECSID_NULL;
4309 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4313 req->secid = newsid;
4314 req->peer_secid = peersid;
4318 static void selinux_inet_csk_clone(struct sock *newsk,
4319 const struct request_sock *req)
4321 struct sk_security_struct *newsksec = newsk->sk_security;
4323 newsksec->sid = req->secid;
4324 newsksec->peer_sid = req->peer_secid;
4325 /* NOTE: Ideally, we should also get the isec->sid for the
4326 new socket in sync, but we don't have the isec available yet.
4327 So we will wait until sock_graft to do it, by which
4328 time it will have been created and available. */
4330 /* We don't need to take any sort of lock here as we are the only
4331 * thread with access to newsksec */
4332 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4335 static void selinux_inet_conn_established(struct sock *sk,
4336 struct sk_buff *skb)
4338 struct sk_security_struct *sksec = sk->sk_security;
4340 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4343 static void selinux_req_classify_flow(const struct request_sock *req,
4346 fl->secid = req->secid;
4349 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4353 struct nlmsghdr *nlh;
4354 struct socket *sock = sk->sk_socket;
4355 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4357 if (skb->len < NLMSG_SPACE(0)) {
4361 nlh = nlmsg_hdr(skb);
4363 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4365 if (err == -EINVAL) {
4366 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4367 "SELinux: unrecognized netlink message"
4368 " type=%hu for sclass=%hu\n",
4369 nlh->nlmsg_type, isec->sclass);
4370 if (!selinux_enforcing)
4380 err = socket_has_perm(current, sock, perm);
4385 #ifdef CONFIG_NETFILTER
4387 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4392 struct avc_audit_data ad;
4396 if (!selinux_policycap_netpeer)
4399 secmark_active = selinux_secmark_enabled();
4400 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4401 if (!secmark_active && !peerlbl_active)
4404 AVC_AUDIT_DATA_INIT(&ad, NET);
4405 ad.u.net.netif = ifindex;
4406 ad.u.net.family = family;
4407 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4410 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4414 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4415 peer_sid, &ad) != 0)
4419 if (avc_has_perm(peer_sid, skb->secmark,
4420 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4426 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4427 struct sk_buff *skb,
4428 const struct net_device *in,
4429 const struct net_device *out,
4430 int (*okfn)(struct sk_buff *))
4432 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4435 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4436 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4437 struct sk_buff *skb,
4438 const struct net_device *in,
4439 const struct net_device *out,
4440 int (*okfn)(struct sk_buff *))
4442 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4446 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4448 struct avc_audit_data *ad,
4449 u16 family, char *addrp)
4452 struct sk_security_struct *sksec = sk->sk_security;
4454 u32 netif_perm, node_perm, send_perm;
4455 u32 port_sid, node_sid, if_sid, sk_sid;
4457 sk_sid = sksec->sid;
4458 sk_class = sksec->sclass;
4461 case SECCLASS_UDP_SOCKET:
4462 netif_perm = NETIF__UDP_SEND;
4463 node_perm = NODE__UDP_SEND;
4464 send_perm = UDP_SOCKET__SEND_MSG;
4466 case SECCLASS_TCP_SOCKET:
4467 netif_perm = NETIF__TCP_SEND;
4468 node_perm = NODE__TCP_SEND;
4469 send_perm = TCP_SOCKET__SEND_MSG;
4471 case SECCLASS_DCCP_SOCKET:
4472 netif_perm = NETIF__DCCP_SEND;
4473 node_perm = NODE__DCCP_SEND;
4474 send_perm = DCCP_SOCKET__SEND_MSG;
4477 netif_perm = NETIF__RAWIP_SEND;
4478 node_perm = NODE__RAWIP_SEND;
4483 err = sel_netif_sid(ifindex, &if_sid);
4486 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4489 err = sel_netnode_sid(addrp, family, &node_sid);
4492 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4499 err = sel_netport_sid(sk->sk_protocol,
4500 ntohs(ad->u.net.dport), &port_sid);
4501 if (unlikely(err)) {
4503 "SELinux: failure in"
4504 " selinux_ip_postroute_iptables_compat(),"
4505 " network port label not found\n");
4508 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4511 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4513 struct avc_audit_data *ad,
4518 struct sock *sk = skb->sk;
4519 struct sk_security_struct *sksec;
4523 sksec = sk->sk_security;
4525 if (selinux_compat_net) {
4526 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4530 if (avc_has_perm(sksec->sid, skb->secmark,
4531 SECCLASS_PACKET, PACKET__SEND, ad))
4535 if (selinux_policycap_netpeer)
4536 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4542 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4548 struct avc_audit_data ad;
4554 AVC_AUDIT_DATA_INIT(&ad, NET);
4555 ad.u.net.netif = ifindex;
4556 ad.u.net.family = family;
4557 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4560 /* If any sort of compatibility mode is enabled then handoff processing
4561 * to the selinux_ip_postroute_compat() function to deal with the
4562 * special handling. We do this in an attempt to keep this function
4563 * as fast and as clean as possible. */
4564 if (selinux_compat_net || !selinux_policycap_netpeer)
4565 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4566 family, addrp, proto);
4568 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4569 * packet transformation so allow the packet to pass without any checks
4570 * since we'll have another chance to perform access control checks
4571 * when the packet is on it's final way out.
4572 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4573 * is NULL, in this case go ahead and apply access control. */
4574 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4577 secmark_active = selinux_secmark_enabled();
4578 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4579 if (!secmark_active && !peerlbl_active)
4582 /* if the packet is locally generated (skb->sk != NULL) then use the
4583 * socket's label as the peer label, otherwise the packet is being
4584 * forwarded through this system and we need to fetch the peer label
4585 * directly from the packet */
4588 struct sk_security_struct *sksec = sk->sk_security;
4589 peer_sid = sksec->sid;
4590 secmark_perm = PACKET__SEND;
4592 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4594 secmark_perm = PACKET__FORWARD_OUT;
4598 if (avc_has_perm(peer_sid, skb->secmark,
4599 SECCLASS_PACKET, secmark_perm, &ad))
4602 if (peerlbl_active) {
4606 if (sel_netif_sid(ifindex, &if_sid))
4608 if (avc_has_perm(peer_sid, if_sid,
4609 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4612 if (sel_netnode_sid(addrp, family, &node_sid))
4614 if (avc_has_perm(peer_sid, node_sid,
4615 SECCLASS_NODE, NODE__SENDTO, &ad))
4622 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4623 struct sk_buff *skb,
4624 const struct net_device *in,
4625 const struct net_device *out,
4626 int (*okfn)(struct sk_buff *))
4628 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4631 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4632 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4633 struct sk_buff *skb,
4634 const struct net_device *in,
4635 const struct net_device *out,
4636 int (*okfn)(struct sk_buff *))
4638 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4642 #endif /* CONFIG_NETFILTER */
4644 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4648 err = secondary_ops->netlink_send(sk, skb);
4652 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4653 err = selinux_nlmsg_perm(sk, skb);
4658 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4661 struct avc_audit_data ad;
4663 err = secondary_ops->netlink_recv(skb, capability);
4667 AVC_AUDIT_DATA_INIT(&ad, CAP);
4668 ad.u.cap = capability;
4670 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4671 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4674 static int ipc_alloc_security(struct task_struct *task,
4675 struct kern_ipc_perm *perm,
4678 struct task_security_struct *tsec = task->security;
4679 struct ipc_security_struct *isec;
4681 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4685 isec->sclass = sclass;
4686 isec->sid = tsec->sid;
4687 perm->security = isec;
4692 static void ipc_free_security(struct kern_ipc_perm *perm)
4694 struct ipc_security_struct *isec = perm->security;
4695 perm->security = NULL;
4699 static int msg_msg_alloc_security(struct msg_msg *msg)
4701 struct msg_security_struct *msec;
4703 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4707 msec->sid = SECINITSID_UNLABELED;
4708 msg->security = msec;
4713 static void msg_msg_free_security(struct msg_msg *msg)
4715 struct msg_security_struct *msec = msg->security;
4717 msg->security = NULL;
4721 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4724 struct task_security_struct *tsec;
4725 struct ipc_security_struct *isec;
4726 struct avc_audit_data ad;
4728 tsec = current->security;
4729 isec = ipc_perms->security;
4731 AVC_AUDIT_DATA_INIT(&ad, IPC);
4732 ad.u.ipc_id = ipc_perms->key;
4734 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4737 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4739 return msg_msg_alloc_security(msg);
4742 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4744 msg_msg_free_security(msg);
4747 /* message queue security operations */
4748 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4750 struct task_security_struct *tsec;
4751 struct ipc_security_struct *isec;
4752 struct avc_audit_data ad;
4755 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4759 tsec = current->security;
4760 isec = msq->q_perm.security;
4762 AVC_AUDIT_DATA_INIT(&ad, IPC);
4763 ad.u.ipc_id = msq->q_perm.key;
4765 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4768 ipc_free_security(&msq->q_perm);
4774 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4776 ipc_free_security(&msq->q_perm);
4779 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4781 struct task_security_struct *tsec;
4782 struct ipc_security_struct *isec;
4783 struct avc_audit_data ad;
4785 tsec = current->security;
4786 isec = msq->q_perm.security;
4788 AVC_AUDIT_DATA_INIT(&ad, IPC);
4789 ad.u.ipc_id = msq->q_perm.key;
4791 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4792 MSGQ__ASSOCIATE, &ad);
4795 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4803 /* No specific object, just general system-wide information. */
4804 return task_has_system(current, SYSTEM__IPC_INFO);
4807 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4810 perms = MSGQ__SETATTR;
4813 perms = MSGQ__DESTROY;
4819 err = ipc_has_perm(&msq->q_perm, perms);
4823 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4825 struct task_security_struct *tsec;
4826 struct ipc_security_struct *isec;
4827 struct msg_security_struct *msec;
4828 struct avc_audit_data ad;
4831 tsec = current->security;
4832 isec = msq->q_perm.security;
4833 msec = msg->security;
4836 * First time through, need to assign label to the message
4838 if (msec->sid == SECINITSID_UNLABELED) {
4840 * Compute new sid based on current process and
4841 * message queue this message will be stored in
4843 rc = security_transition_sid(tsec->sid,
4851 AVC_AUDIT_DATA_INIT(&ad, IPC);
4852 ad.u.ipc_id = msq->q_perm.key;
4854 /* Can this process write to the queue? */
4855 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4858 /* Can this process send the message */
4859 rc = avc_has_perm(tsec->sid, msec->sid,
4860 SECCLASS_MSG, MSG__SEND, &ad);
4862 /* Can the message be put in the queue? */
4863 rc = avc_has_perm(msec->sid, isec->sid,
4864 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4869 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4870 struct task_struct *target,
4871 long type, int mode)
4873 struct task_security_struct *tsec;
4874 struct ipc_security_struct *isec;
4875 struct msg_security_struct *msec;
4876 struct avc_audit_data ad;
4879 tsec = target->security;
4880 isec = msq->q_perm.security;
4881 msec = msg->security;
4883 AVC_AUDIT_DATA_INIT(&ad, IPC);
4884 ad.u.ipc_id = msq->q_perm.key;
4886 rc = avc_has_perm(tsec->sid, isec->sid,
4887 SECCLASS_MSGQ, MSGQ__READ, &ad);
4889 rc = avc_has_perm(tsec->sid, msec->sid,
4890 SECCLASS_MSG, MSG__RECEIVE, &ad);
4894 /* Shared Memory security operations */
4895 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4897 struct task_security_struct *tsec;
4898 struct ipc_security_struct *isec;
4899 struct avc_audit_data ad;
4902 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4906 tsec = current->security;
4907 isec = shp->shm_perm.security;
4909 AVC_AUDIT_DATA_INIT(&ad, IPC);
4910 ad.u.ipc_id = shp->shm_perm.key;
4912 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4915 ipc_free_security(&shp->shm_perm);
4921 static void selinux_shm_free_security(struct shmid_kernel *shp)
4923 ipc_free_security(&shp->shm_perm);
4926 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4928 struct task_security_struct *tsec;
4929 struct ipc_security_struct *isec;
4930 struct avc_audit_data ad;
4932 tsec = current->security;
4933 isec = shp->shm_perm.security;
4935 AVC_AUDIT_DATA_INIT(&ad, IPC);
4936 ad.u.ipc_id = shp->shm_perm.key;
4938 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4939 SHM__ASSOCIATE, &ad);
4942 /* Note, at this point, shp is locked down */
4943 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4951 /* No specific object, just general system-wide information. */
4952 return task_has_system(current, SYSTEM__IPC_INFO);
4955 perms = SHM__GETATTR | SHM__ASSOCIATE;
4958 perms = SHM__SETATTR;
4965 perms = SHM__DESTROY;
4971 err = ipc_has_perm(&shp->shm_perm, perms);
4975 static int selinux_shm_shmat(struct shmid_kernel *shp,
4976 char __user *shmaddr, int shmflg)
4981 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4985 if (shmflg & SHM_RDONLY)
4988 perms = SHM__READ | SHM__WRITE;
4990 return ipc_has_perm(&shp->shm_perm, perms);
4993 /* Semaphore security operations */
4994 static int selinux_sem_alloc_security(struct sem_array *sma)
4996 struct task_security_struct *tsec;
4997 struct ipc_security_struct *isec;
4998 struct avc_audit_data ad;
5001 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5005 tsec = current->security;
5006 isec = sma->sem_perm.security;
5008 AVC_AUDIT_DATA_INIT(&ad, IPC);
5009 ad.u.ipc_id = sma->sem_perm.key;
5011 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5014 ipc_free_security(&sma->sem_perm);
5020 static void selinux_sem_free_security(struct sem_array *sma)
5022 ipc_free_security(&sma->sem_perm);
5025 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5027 struct task_security_struct *tsec;
5028 struct ipc_security_struct *isec;
5029 struct avc_audit_data ad;
5031 tsec = current->security;
5032 isec = sma->sem_perm.security;
5034 AVC_AUDIT_DATA_INIT(&ad, IPC);
5035 ad.u.ipc_id = sma->sem_perm.key;
5037 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
5038 SEM__ASSOCIATE, &ad);
5041 /* Note, at this point, sma is locked down */
5042 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5050 /* No specific object, just general system-wide information. */
5051 return task_has_system(current, SYSTEM__IPC_INFO);
5055 perms = SEM__GETATTR;
5066 perms = SEM__DESTROY;
5069 perms = SEM__SETATTR;
5073 perms = SEM__GETATTR | SEM__ASSOCIATE;
5079 err = ipc_has_perm(&sma->sem_perm, perms);
5083 static int selinux_sem_semop(struct sem_array *sma,
5084 struct sembuf *sops, unsigned nsops, int alter)
5089 perms = SEM__READ | SEM__WRITE;
5093 return ipc_has_perm(&sma->sem_perm, perms);
5096 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5102 av |= IPC__UNIX_READ;
5104 av |= IPC__UNIX_WRITE;
5109 return ipc_has_perm(ipcp, av);
5112 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5114 struct ipc_security_struct *isec = ipcp->security;
5118 /* module stacking operations */
5119 static int selinux_register_security(const char *name, struct security_operations *ops)
5121 if (secondary_ops != original_ops) {
5122 printk(KERN_ERR "%s: There is already a secondary security "
5123 "module registered.\n", __func__);
5127 secondary_ops = ops;
5129 printk(KERN_INFO "%s: Registering secondary module %s\n",
5136 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5139 inode_doinit_with_dentry(inode, dentry);
5142 static int selinux_getprocattr(struct task_struct *p,
5143 char *name, char **value)
5145 struct task_security_struct *tsec;
5151 error = task_has_perm(current, p, PROCESS__GETATTR);
5158 if (!strcmp(name, "current"))
5160 else if (!strcmp(name, "prev"))
5162 else if (!strcmp(name, "exec"))
5163 sid = tsec->exec_sid;
5164 else if (!strcmp(name, "fscreate"))
5165 sid = tsec->create_sid;
5166 else if (!strcmp(name, "keycreate"))
5167 sid = tsec->keycreate_sid;
5168 else if (!strcmp(name, "sockcreate"))
5169 sid = tsec->sockcreate_sid;
5176 error = security_sid_to_context(sid, value, &len);
5182 static int selinux_setprocattr(struct task_struct *p,
5183 char *name, void *value, size_t size)
5185 struct task_security_struct *tsec;
5186 struct task_struct *tracer;
5192 /* SELinux only allows a process to change its own
5193 security attributes. */
5198 * Basic control over ability to set these attributes at all.
5199 * current == p, but we'll pass them separately in case the
5200 * above restriction is ever removed.
5202 if (!strcmp(name, "exec"))
5203 error = task_has_perm(current, p, PROCESS__SETEXEC);
5204 else if (!strcmp(name, "fscreate"))
5205 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5206 else if (!strcmp(name, "keycreate"))
5207 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5208 else if (!strcmp(name, "sockcreate"))
5209 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5210 else if (!strcmp(name, "current"))
5211 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5217 /* Obtain a SID for the context, if one was specified. */
5218 if (size && str[1] && str[1] != '\n') {
5219 if (str[size-1] == '\n') {
5223 error = security_context_to_sid(value, size, &sid);
5224 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5225 if (!capable(CAP_MAC_ADMIN))
5227 error = security_context_to_sid_force(value, size,
5234 /* Permission checking based on the specified context is
5235 performed during the actual operation (execve,
5236 open/mkdir/...), when we know the full context of the
5237 operation. See selinux_bprm_set_security for the execve
5238 checks and may_create for the file creation checks. The
5239 operation will then fail if the context is not permitted. */
5241 if (!strcmp(name, "exec"))
5242 tsec->exec_sid = sid;
5243 else if (!strcmp(name, "fscreate"))
5244 tsec->create_sid = sid;
5245 else if (!strcmp(name, "keycreate")) {
5246 error = may_create_key(sid, p);
5249 tsec->keycreate_sid = sid;
5250 } else if (!strcmp(name, "sockcreate"))
5251 tsec->sockcreate_sid = sid;
5252 else if (!strcmp(name, "current")) {
5253 struct av_decision avd;
5258 /* Only allow single threaded processes to change context */
5259 if (atomic_read(&p->mm->mm_users) != 1) {
5260 struct task_struct *g, *t;
5261 struct mm_struct *mm = p->mm;
5262 read_lock(&tasklist_lock);
5263 do_each_thread(g, t) {
5264 if (t->mm == mm && t != p) {
5265 read_unlock(&tasklist_lock);
5268 } while_each_thread(g, t);
5269 read_unlock(&tasklist_lock);
5272 /* Check permissions for the transition. */
5273 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5274 PROCESS__DYNTRANSITION, NULL);
5278 /* Check for ptracing, and update the task SID if ok.
5279 Otherwise, leave SID unchanged and fail. */
5282 tracer = task_tracer_task(p);
5283 if (tracer != NULL) {
5284 struct task_security_struct *ptsec = tracer->security;
5285 u32 ptsid = ptsec->sid;
5287 error = avc_has_perm_noaudit(ptsid, sid,
5289 PROCESS__PTRACE, 0, &avd);
5293 avc_audit(ptsid, sid, SECCLASS_PROCESS,
5294 PROCESS__PTRACE, &avd, error, NULL);
5308 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5310 return security_sid_to_context(secid, secdata, seclen);
5313 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5315 return security_context_to_sid(secdata, seclen, secid);
5318 static void selinux_release_secctx(char *secdata, u32 seclen)
5325 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5326 unsigned long flags)
5328 struct task_security_struct *tsec = tsk->security;
5329 struct key_security_struct *ksec;
5331 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5335 if (tsec->keycreate_sid)
5336 ksec->sid = tsec->keycreate_sid;
5338 ksec->sid = tsec->sid;
5344 static void selinux_key_free(struct key *k)
5346 struct key_security_struct *ksec = k->security;
5352 static int selinux_key_permission(key_ref_t key_ref,
5353 struct task_struct *ctx,
5357 struct task_security_struct *tsec;
5358 struct key_security_struct *ksec;
5360 key = key_ref_to_ptr(key_ref);
5362 tsec = ctx->security;
5363 ksec = key->security;
5365 /* if no specific permissions are requested, we skip the
5366 permission check. No serious, additional covert channels
5367 appear to be created. */
5371 return avc_has_perm(tsec->sid, ksec->sid,
5372 SECCLASS_KEY, perm, NULL);
5375 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5377 struct key_security_struct *ksec = key->security;
5378 char *context = NULL;
5382 rc = security_sid_to_context(ksec->sid, &context, &len);
5391 static struct security_operations selinux_ops = {
5394 .ptrace = selinux_ptrace,
5395 .capget = selinux_capget,
5396 .capset_check = selinux_capset_check,
5397 .capset_set = selinux_capset_set,
5398 .sysctl = selinux_sysctl,
5399 .capable = selinux_capable,
5400 .quotactl = selinux_quotactl,
5401 .quota_on = selinux_quota_on,
5402 .syslog = selinux_syslog,
5403 .vm_enough_memory = selinux_vm_enough_memory,
5405 .netlink_send = selinux_netlink_send,
5406 .netlink_recv = selinux_netlink_recv,
5408 .bprm_alloc_security = selinux_bprm_alloc_security,
5409 .bprm_free_security = selinux_bprm_free_security,
5410 .bprm_apply_creds = selinux_bprm_apply_creds,
5411 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5412 .bprm_set_security = selinux_bprm_set_security,
5413 .bprm_check_security = selinux_bprm_check_security,
5414 .bprm_secureexec = selinux_bprm_secureexec,
5416 .sb_alloc_security = selinux_sb_alloc_security,
5417 .sb_free_security = selinux_sb_free_security,
5418 .sb_copy_data = selinux_sb_copy_data,
5419 .sb_kern_mount = selinux_sb_kern_mount,
5420 .sb_show_options = selinux_sb_show_options,
5421 .sb_statfs = selinux_sb_statfs,
5422 .sb_mount = selinux_mount,
5423 .sb_umount = selinux_umount,
5424 .sb_set_mnt_opts = selinux_set_mnt_opts,
5425 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5426 .sb_parse_opts_str = selinux_parse_opts_str,
5429 .inode_alloc_security = selinux_inode_alloc_security,
5430 .inode_free_security = selinux_inode_free_security,
5431 .inode_init_security = selinux_inode_init_security,
5432 .inode_create = selinux_inode_create,
5433 .inode_link = selinux_inode_link,
5434 .inode_unlink = selinux_inode_unlink,
5435 .inode_symlink = selinux_inode_symlink,
5436 .inode_mkdir = selinux_inode_mkdir,
5437 .inode_rmdir = selinux_inode_rmdir,
5438 .inode_mknod = selinux_inode_mknod,
5439 .inode_rename = selinux_inode_rename,
5440 .inode_readlink = selinux_inode_readlink,
5441 .inode_follow_link = selinux_inode_follow_link,
5442 .inode_permission = selinux_inode_permission,
5443 .inode_setattr = selinux_inode_setattr,
5444 .inode_getattr = selinux_inode_getattr,
5445 .inode_setxattr = selinux_inode_setxattr,
5446 .inode_post_setxattr = selinux_inode_post_setxattr,
5447 .inode_getxattr = selinux_inode_getxattr,
5448 .inode_listxattr = selinux_inode_listxattr,
5449 .inode_removexattr = selinux_inode_removexattr,
5450 .inode_getsecurity = selinux_inode_getsecurity,
5451 .inode_setsecurity = selinux_inode_setsecurity,
5452 .inode_listsecurity = selinux_inode_listsecurity,
5453 .inode_need_killpriv = selinux_inode_need_killpriv,
5454 .inode_killpriv = selinux_inode_killpriv,
5455 .inode_getsecid = selinux_inode_getsecid,
5457 .file_permission = selinux_file_permission,
5458 .file_alloc_security = selinux_file_alloc_security,
5459 .file_free_security = selinux_file_free_security,
5460 .file_ioctl = selinux_file_ioctl,
5461 .file_mmap = selinux_file_mmap,
5462 .file_mprotect = selinux_file_mprotect,
5463 .file_lock = selinux_file_lock,
5464 .file_fcntl = selinux_file_fcntl,
5465 .file_set_fowner = selinux_file_set_fowner,
5466 .file_send_sigiotask = selinux_file_send_sigiotask,
5467 .file_receive = selinux_file_receive,
5469 .dentry_open = selinux_dentry_open,
5471 .task_create = selinux_task_create,
5472 .task_alloc_security = selinux_task_alloc_security,
5473 .task_free_security = selinux_task_free_security,
5474 .task_setuid = selinux_task_setuid,
5475 .task_post_setuid = selinux_task_post_setuid,
5476 .task_setgid = selinux_task_setgid,
5477 .task_setpgid = selinux_task_setpgid,
5478 .task_getpgid = selinux_task_getpgid,
5479 .task_getsid = selinux_task_getsid,
5480 .task_getsecid = selinux_task_getsecid,
5481 .task_setgroups = selinux_task_setgroups,
5482 .task_setnice = selinux_task_setnice,
5483 .task_setioprio = selinux_task_setioprio,
5484 .task_getioprio = selinux_task_getioprio,
5485 .task_setrlimit = selinux_task_setrlimit,
5486 .task_setscheduler = selinux_task_setscheduler,
5487 .task_getscheduler = selinux_task_getscheduler,
5488 .task_movememory = selinux_task_movememory,
5489 .task_kill = selinux_task_kill,
5490 .task_wait = selinux_task_wait,
5491 .task_prctl = selinux_task_prctl,
5492 .task_reparent_to_init = selinux_task_reparent_to_init,
5493 .task_to_inode = selinux_task_to_inode,
5495 .ipc_permission = selinux_ipc_permission,
5496 .ipc_getsecid = selinux_ipc_getsecid,
5498 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5499 .msg_msg_free_security = selinux_msg_msg_free_security,
5501 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5502 .msg_queue_free_security = selinux_msg_queue_free_security,
5503 .msg_queue_associate = selinux_msg_queue_associate,
5504 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5505 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5506 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5508 .shm_alloc_security = selinux_shm_alloc_security,
5509 .shm_free_security = selinux_shm_free_security,
5510 .shm_associate = selinux_shm_associate,
5511 .shm_shmctl = selinux_shm_shmctl,
5512 .shm_shmat = selinux_shm_shmat,
5514 .sem_alloc_security = selinux_sem_alloc_security,
5515 .sem_free_security = selinux_sem_free_security,
5516 .sem_associate = selinux_sem_associate,
5517 .sem_semctl = selinux_sem_semctl,
5518 .sem_semop = selinux_sem_semop,
5520 .register_security = selinux_register_security,
5522 .d_instantiate = selinux_d_instantiate,
5524 .getprocattr = selinux_getprocattr,
5525 .setprocattr = selinux_setprocattr,
5527 .secid_to_secctx = selinux_secid_to_secctx,
5528 .secctx_to_secid = selinux_secctx_to_secid,
5529 .release_secctx = selinux_release_secctx,
5531 .unix_stream_connect = selinux_socket_unix_stream_connect,
5532 .unix_may_send = selinux_socket_unix_may_send,
5534 .socket_create = selinux_socket_create,
5535 .socket_post_create = selinux_socket_post_create,
5536 .socket_bind = selinux_socket_bind,
5537 .socket_connect = selinux_socket_connect,
5538 .socket_listen = selinux_socket_listen,
5539 .socket_accept = selinux_socket_accept,
5540 .socket_sendmsg = selinux_socket_sendmsg,
5541 .socket_recvmsg = selinux_socket_recvmsg,
5542 .socket_getsockname = selinux_socket_getsockname,
5543 .socket_getpeername = selinux_socket_getpeername,
5544 .socket_getsockopt = selinux_socket_getsockopt,
5545 .socket_setsockopt = selinux_socket_setsockopt,
5546 .socket_shutdown = selinux_socket_shutdown,
5547 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5548 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5549 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5550 .sk_alloc_security = selinux_sk_alloc_security,
5551 .sk_free_security = selinux_sk_free_security,
5552 .sk_clone_security = selinux_sk_clone_security,
5553 .sk_getsecid = selinux_sk_getsecid,
5554 .sock_graft = selinux_sock_graft,
5555 .inet_conn_request = selinux_inet_conn_request,
5556 .inet_csk_clone = selinux_inet_csk_clone,
5557 .inet_conn_established = selinux_inet_conn_established,
5558 .req_classify_flow = selinux_req_classify_flow,
5560 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5561 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5562 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5563 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5564 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5565 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5566 .xfrm_state_free_security = selinux_xfrm_state_free,
5567 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5568 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5569 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5570 .xfrm_decode_session = selinux_xfrm_decode_session,
5574 .key_alloc = selinux_key_alloc,
5575 .key_free = selinux_key_free,
5576 .key_permission = selinux_key_permission,
5577 .key_getsecurity = selinux_key_getsecurity,
5581 .audit_rule_init = selinux_audit_rule_init,
5582 .audit_rule_known = selinux_audit_rule_known,
5583 .audit_rule_match = selinux_audit_rule_match,
5584 .audit_rule_free = selinux_audit_rule_free,
5588 static __init int selinux_init(void)
5590 struct task_security_struct *tsec;
5592 if (!security_module_enable(&selinux_ops)) {
5593 selinux_enabled = 0;
5597 if (!selinux_enabled) {
5598 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5602 printk(KERN_INFO "SELinux: Initializing.\n");
5604 /* Set the security state for the initial task. */
5605 if (task_alloc_security(current))
5606 panic("SELinux: Failed to initialize initial task.\n");
5607 tsec = current->security;
5608 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5610 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5611 sizeof(struct inode_security_struct),
5612 0, SLAB_PANIC, NULL);
5615 original_ops = secondary_ops = security_ops;
5617 panic("SELinux: No initial security operations\n");
5618 if (register_security(&selinux_ops))
5619 panic("SELinux: Unable to register with kernel.\n");
5621 if (selinux_enforcing)
5622 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5624 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5629 void selinux_complete_init(void)
5631 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5633 /* Set up any superblocks initialized prior to the policy load. */
5634 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5635 spin_lock(&sb_lock);
5636 spin_lock(&sb_security_lock);
5638 if (!list_empty(&superblock_security_head)) {
5639 struct superblock_security_struct *sbsec =
5640 list_entry(superblock_security_head.next,
5641 struct superblock_security_struct,
5643 struct super_block *sb = sbsec->sb;
5645 spin_unlock(&sb_security_lock);
5646 spin_unlock(&sb_lock);
5647 down_read(&sb->s_umount);
5649 superblock_doinit(sb, NULL);
5651 spin_lock(&sb_lock);
5652 spin_lock(&sb_security_lock);
5653 list_del_init(&sbsec->list);
5656 spin_unlock(&sb_security_lock);
5657 spin_unlock(&sb_lock);
5660 /* SELinux requires early initialization in order to label
5661 all processes and objects when they are created. */
5662 security_initcall(selinux_init);
5664 #if defined(CONFIG_NETFILTER)
5666 static struct nf_hook_ops selinux_ipv4_ops[] = {
5668 .hook = selinux_ipv4_postroute,
5669 .owner = THIS_MODULE,
5671 .hooknum = NF_INET_POST_ROUTING,
5672 .priority = NF_IP_PRI_SELINUX_LAST,
5675 .hook = selinux_ipv4_forward,
5676 .owner = THIS_MODULE,
5678 .hooknum = NF_INET_FORWARD,
5679 .priority = NF_IP_PRI_SELINUX_FIRST,
5683 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5685 static struct nf_hook_ops selinux_ipv6_ops[] = {
5687 .hook = selinux_ipv6_postroute,
5688 .owner = THIS_MODULE,
5690 .hooknum = NF_INET_POST_ROUTING,
5691 .priority = NF_IP6_PRI_SELINUX_LAST,
5694 .hook = selinux_ipv6_forward,
5695 .owner = THIS_MODULE,
5697 .hooknum = NF_INET_FORWARD,
5698 .priority = NF_IP6_PRI_SELINUX_FIRST,
5704 static int __init selinux_nf_ip_init(void)
5709 if (!selinux_enabled)
5712 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5714 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5715 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5717 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5721 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5722 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5723 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5725 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5734 __initcall(selinux_nf_ip_init);
5736 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5737 static void selinux_nf_ip_exit(void)
5741 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5743 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5744 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5745 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5746 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5747 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5752 #else /* CONFIG_NETFILTER */
5754 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5755 #define selinux_nf_ip_exit()
5758 #endif /* CONFIG_NETFILTER */
5760 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5761 static int selinux_disabled;
5763 int selinux_disable(void)
5765 extern void exit_sel_fs(void);
5767 if (ss_initialized) {
5768 /* Not permitted after initial policy load. */
5772 if (selinux_disabled) {
5773 /* Only do this once. */
5777 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5779 selinux_disabled = 1;
5780 selinux_enabled = 0;
5782 /* Reset security_ops to the secondary module, dummy or capability. */
5783 security_ops = secondary_ops;
5785 /* Unregister netfilter hooks. */
5786 selinux_nf_ip_exit();
5788 /* Unregister selinuxfs. */