2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/security.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h> /* for Unix socket types */
71 #include <net/af_unix.h> /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
98 /* SECMARK reference count */
99 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
104 static int __init enforcing_setup(char *str)
106 unsigned long enforcing;
107 if (!kstrtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
111 __setup("enforcing=", enforcing_setup);
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117 static int __init selinux_enabled_setup(char *str)
119 unsigned long enabled;
120 if (!kstrtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
124 __setup("selinux=", selinux_enabled_setup);
126 int selinux_enabled = 1;
129 static struct kmem_cache *sel_inode_cache;
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
142 static int selinux_secmark_enabled(void)
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
157 static int selinux_peerlbl_enabled(void)
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162 static int selinux_netcache_avc_callback(u32 event)
164 if (event == AVC_CALLBACK_RESET) {
174 * initialise the security for the init task
176 static void cred_init_security(void)
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
183 panic("SELinux: Failed to initialize initial task.\n");
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
190 * get the security ID of a set of credentials
192 static inline u32 cred_sid(const struct cred *cred)
194 const struct task_security_struct *tsec;
196 tsec = cred->security;
201 * get the objective security ID of a task
203 static inline u32 task_sid(const struct task_struct *task)
208 sid = cred_sid(__task_cred(task));
214 * get the subjective security ID of the current task
216 static inline u32 current_sid(void)
218 const struct task_security_struct *tsec = current_security();
223 /* Allocate and free functions for each kind of security blob. */
225 static int inode_alloc_security(struct inode *inode)
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
234 mutex_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 inode->i_security = isec;
245 static void inode_free_rcu(struct rcu_head *head)
247 struct inode_security_struct *isec;
249 isec = container_of(head, struct inode_security_struct, rcu);
250 kmem_cache_free(sel_inode_cache, isec);
253 static void inode_free_security(struct inode *inode)
255 struct inode_security_struct *isec = inode->i_security;
256 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
258 spin_lock(&sbsec->isec_lock);
259 if (!list_empty(&isec->list))
260 list_del_init(&isec->list);
261 spin_unlock(&sbsec->isec_lock);
264 * The inode may still be referenced in a path walk and
265 * a call to selinux_inode_permission() can be made
266 * after inode_free_security() is called. Ideally, the VFS
267 * wouldn't do this, but fixing that is a much harder
268 * job. For now, simply free the i_security via RCU, and
269 * leave the current inode->i_security pointer intact.
270 * The inode will be freed after the RCU grace period too.
272 call_rcu(&isec->rcu, inode_free_rcu);
275 static int file_alloc_security(struct file *file)
277 struct file_security_struct *fsec;
278 u32 sid = current_sid();
280 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
285 fsec->fown_sid = sid;
286 file->f_security = fsec;
291 static void file_free_security(struct file *file)
293 struct file_security_struct *fsec = file->f_security;
294 file->f_security = NULL;
298 static int superblock_alloc_security(struct super_block *sb)
300 struct superblock_security_struct *sbsec;
302 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
306 mutex_init(&sbsec->lock);
307 INIT_LIST_HEAD(&sbsec->isec_head);
308 spin_lock_init(&sbsec->isec_lock);
310 sbsec->sid = SECINITSID_UNLABELED;
311 sbsec->def_sid = SECINITSID_FILE;
312 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
313 sb->s_security = sbsec;
318 static void superblock_free_security(struct super_block *sb)
320 struct superblock_security_struct *sbsec = sb->s_security;
321 sb->s_security = NULL;
325 /* The file system's label must be initialized prior to use. */
327 static const char *labeling_behaviors[7] = {
329 "uses transition SIDs",
331 "uses genfs_contexts",
332 "not configured for labeling",
333 "uses mountpoint labeling",
334 "uses native labeling",
337 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
339 static inline int inode_doinit(struct inode *inode)
341 return inode_doinit_with_dentry(inode, NULL);
350 Opt_labelsupport = 5,
354 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
356 static const match_table_t tokens = {
357 {Opt_context, CONTEXT_STR "%s"},
358 {Opt_fscontext, FSCONTEXT_STR "%s"},
359 {Opt_defcontext, DEFCONTEXT_STR "%s"},
360 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
361 {Opt_labelsupport, LABELSUPP_STR},
365 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
367 static int may_context_mount_sb_relabel(u32 sid,
368 struct superblock_security_struct *sbsec,
369 const struct cred *cred)
371 const struct task_security_struct *tsec = cred->security;
374 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
375 FILESYSTEM__RELABELFROM, NULL);
379 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
380 FILESYSTEM__RELABELTO, NULL);
384 static int may_context_mount_inode_relabel(u32 sid,
385 struct superblock_security_struct *sbsec,
386 const struct cred *cred)
388 const struct task_security_struct *tsec = cred->security;
390 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
391 FILESYSTEM__RELABELFROM, NULL);
395 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
396 FILESYSTEM__ASSOCIATE, NULL);
400 static int selinux_is_sblabel_mnt(struct super_block *sb)
402 struct superblock_security_struct *sbsec = sb->s_security;
404 if (sbsec->behavior == SECURITY_FS_USE_XATTR ||
405 sbsec->behavior == SECURITY_FS_USE_TRANS ||
406 sbsec->behavior == SECURITY_FS_USE_TASK)
409 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
410 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
414 * Special handling for rootfs. Is genfs but supports
415 * setting SELinux context on in-core inodes.
417 if (strncmp(sb->s_type->name, "rootfs", sizeof("rootfs")) == 0)
423 static int sb_finish_set_opts(struct super_block *sb)
425 struct superblock_security_struct *sbsec = sb->s_security;
426 struct dentry *root = sb->s_root;
427 struct inode *root_inode = root->d_inode;
430 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
431 /* Make sure that the xattr handler exists and that no
432 error other than -ENODATA is returned by getxattr on
433 the root directory. -ENODATA is ok, as this may be
434 the first boot of the SELinux kernel before we have
435 assigned xattr values to the filesystem. */
436 if (!root_inode->i_op->getxattr) {
437 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
438 "xattr support\n", sb->s_id, sb->s_type->name);
442 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
443 if (rc < 0 && rc != -ENODATA) {
444 if (rc == -EOPNOTSUPP)
445 printk(KERN_WARNING "SELinux: (dev %s, type "
446 "%s) has no security xattr handler\n",
447 sb->s_id, sb->s_type->name);
449 printk(KERN_WARNING "SELinux: (dev %s, type "
450 "%s) getxattr errno %d\n", sb->s_id,
451 sb->s_type->name, -rc);
456 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
457 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
458 sb->s_id, sb->s_type->name);
460 sbsec->flags |= SE_SBINITIALIZED;
461 if (selinux_is_sblabel_mnt(sb))
462 sbsec->flags |= SBLABEL_MNT;
464 /* Initialize the root inode. */
465 rc = inode_doinit_with_dentry(root_inode, root);
467 /* Initialize any other inodes associated with the superblock, e.g.
468 inodes created prior to initial policy load or inodes created
469 during get_sb by a pseudo filesystem that directly
471 spin_lock(&sbsec->isec_lock);
473 if (!list_empty(&sbsec->isec_head)) {
474 struct inode_security_struct *isec =
475 list_entry(sbsec->isec_head.next,
476 struct inode_security_struct, list);
477 struct inode *inode = isec->inode;
478 list_del_init(&isec->list);
479 spin_unlock(&sbsec->isec_lock);
480 inode = igrab(inode);
482 if (!IS_PRIVATE(inode))
486 spin_lock(&sbsec->isec_lock);
489 spin_unlock(&sbsec->isec_lock);
495 * This function should allow an FS to ask what it's mount security
496 * options were so it can use those later for submounts, displaying
497 * mount options, or whatever.
499 static int selinux_get_mnt_opts(const struct super_block *sb,
500 struct security_mnt_opts *opts)
503 struct superblock_security_struct *sbsec = sb->s_security;
504 char *context = NULL;
508 security_init_mnt_opts(opts);
510 if (!(sbsec->flags & SE_SBINITIALIZED))
516 /* make sure we always check enough bits to cover the mask */
517 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
519 tmp = sbsec->flags & SE_MNTMASK;
520 /* count the number of mount options for this sb */
521 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
523 opts->num_mnt_opts++;
526 /* Check if the Label support flag is set */
527 if (sbsec->flags & SBLABEL_MNT)
528 opts->num_mnt_opts++;
530 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
531 if (!opts->mnt_opts) {
536 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
537 if (!opts->mnt_opts_flags) {
543 if (sbsec->flags & FSCONTEXT_MNT) {
544 rc = security_sid_to_context(sbsec->sid, &context, &len);
547 opts->mnt_opts[i] = context;
548 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
550 if (sbsec->flags & CONTEXT_MNT) {
551 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
554 opts->mnt_opts[i] = context;
555 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
557 if (sbsec->flags & DEFCONTEXT_MNT) {
558 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
561 opts->mnt_opts[i] = context;
562 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
564 if (sbsec->flags & ROOTCONTEXT_MNT) {
565 struct inode *root = sbsec->sb->s_root->d_inode;
566 struct inode_security_struct *isec = root->i_security;
568 rc = security_sid_to_context(isec->sid, &context, &len);
571 opts->mnt_opts[i] = context;
572 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
574 if (sbsec->flags & SBLABEL_MNT) {
575 opts->mnt_opts[i] = NULL;
576 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
579 BUG_ON(i != opts->num_mnt_opts);
584 security_free_mnt_opts(opts);
588 static int bad_option(struct superblock_security_struct *sbsec, char flag,
589 u32 old_sid, u32 new_sid)
591 char mnt_flags = sbsec->flags & SE_MNTMASK;
593 /* check if the old mount command had the same options */
594 if (sbsec->flags & SE_SBINITIALIZED)
595 if (!(sbsec->flags & flag) ||
596 (old_sid != new_sid))
599 /* check if we were passed the same options twice,
600 * aka someone passed context=a,context=b
602 if (!(sbsec->flags & SE_SBINITIALIZED))
603 if (mnt_flags & flag)
609 * Allow filesystems with binary mount data to explicitly set mount point
610 * labeling information.
612 static int selinux_set_mnt_opts(struct super_block *sb,
613 struct security_mnt_opts *opts,
614 unsigned long kern_flags,
615 unsigned long *set_kern_flags)
617 const struct cred *cred = current_cred();
619 struct superblock_security_struct *sbsec = sb->s_security;
620 const char *name = sb->s_type->name;
621 struct inode *inode = sbsec->sb->s_root->d_inode;
622 struct inode_security_struct *root_isec = inode->i_security;
623 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
624 u32 defcontext_sid = 0;
625 char **mount_options = opts->mnt_opts;
626 int *flags = opts->mnt_opts_flags;
627 int num_opts = opts->num_mnt_opts;
629 mutex_lock(&sbsec->lock);
631 if (!ss_initialized) {
633 /* Defer initialization until selinux_complete_init,
634 after the initial policy is loaded and the security
635 server is ready to handle calls. */
639 printk(KERN_WARNING "SELinux: Unable to set superblock options "
640 "before the security server is initialized\n");
643 if (kern_flags && !set_kern_flags) {
644 /* Specifying internal flags without providing a place to
645 * place the results is not allowed */
651 * Binary mount data FS will come through this function twice. Once
652 * from an explicit call and once from the generic calls from the vfs.
653 * Since the generic VFS calls will not contain any security mount data
654 * we need to skip the double mount verification.
656 * This does open a hole in which we will not notice if the first
657 * mount using this sb set explict options and a second mount using
658 * this sb does not set any security options. (The first options
659 * will be used for both mounts)
661 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
666 * parse the mount options, check if they are valid sids.
667 * also check if someone is trying to mount the same sb more
668 * than once with different security options.
670 for (i = 0; i < num_opts; i++) {
673 if (flags[i] == SBLABEL_MNT)
675 rc = security_context_to_sid(mount_options[i],
676 strlen(mount_options[i]), &sid, GFP_KERNEL);
678 printk(KERN_WARNING "SELinux: security_context_to_sid"
679 "(%s) failed for (dev %s, type %s) errno=%d\n",
680 mount_options[i], sb->s_id, name, rc);
687 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
689 goto out_double_mount;
691 sbsec->flags |= FSCONTEXT_MNT;
696 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
698 goto out_double_mount;
700 sbsec->flags |= CONTEXT_MNT;
702 case ROOTCONTEXT_MNT:
703 rootcontext_sid = sid;
705 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
707 goto out_double_mount;
709 sbsec->flags |= ROOTCONTEXT_MNT;
713 defcontext_sid = sid;
715 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
717 goto out_double_mount;
719 sbsec->flags |= DEFCONTEXT_MNT;
728 if (sbsec->flags & SE_SBINITIALIZED) {
729 /* previously mounted with options, but not on this attempt? */
730 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
731 goto out_double_mount;
736 if (strcmp(sb->s_type->name, "proc") == 0)
737 sbsec->flags |= SE_SBPROC;
739 if (!sbsec->behavior) {
741 * Determine the labeling behavior to use for this
744 rc = security_fs_use(sb);
747 "%s: security_fs_use(%s) returned %d\n",
748 __func__, sb->s_type->name, rc);
752 /* sets the context of the superblock for the fs being mounted. */
754 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
758 sbsec->sid = fscontext_sid;
762 * Switch to using mount point labeling behavior.
763 * sets the label used on all file below the mountpoint, and will set
764 * the superblock context if not already set.
766 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
767 sbsec->behavior = SECURITY_FS_USE_NATIVE;
768 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
772 if (!fscontext_sid) {
773 rc = may_context_mount_sb_relabel(context_sid, sbsec,
777 sbsec->sid = context_sid;
779 rc = may_context_mount_inode_relabel(context_sid, sbsec,
784 if (!rootcontext_sid)
785 rootcontext_sid = context_sid;
787 sbsec->mntpoint_sid = context_sid;
788 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
791 if (rootcontext_sid) {
792 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
797 root_isec->sid = rootcontext_sid;
798 root_isec->initialized = 1;
801 if (defcontext_sid) {
802 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
803 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
805 printk(KERN_WARNING "SELinux: defcontext option is "
806 "invalid for this filesystem type\n");
810 if (defcontext_sid != sbsec->def_sid) {
811 rc = may_context_mount_inode_relabel(defcontext_sid,
817 sbsec->def_sid = defcontext_sid;
820 rc = sb_finish_set_opts(sb);
822 mutex_unlock(&sbsec->lock);
826 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
827 "security settings for (dev %s, type %s)\n", sb->s_id, name);
831 static int selinux_cmp_sb_context(const struct super_block *oldsb,
832 const struct super_block *newsb)
834 struct superblock_security_struct *old = oldsb->s_security;
835 struct superblock_security_struct *new = newsb->s_security;
836 char oldflags = old->flags & SE_MNTMASK;
837 char newflags = new->flags & SE_MNTMASK;
839 if (oldflags != newflags)
841 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
843 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
845 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
847 if (oldflags & ROOTCONTEXT_MNT) {
848 struct inode_security_struct *oldroot = oldsb->s_root->d_inode->i_security;
849 struct inode_security_struct *newroot = newsb->s_root->d_inode->i_security;
850 if (oldroot->sid != newroot->sid)
855 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
856 "different security settings for (dev %s, "
857 "type %s)\n", newsb->s_id, newsb->s_type->name);
861 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
862 struct super_block *newsb)
864 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
865 struct superblock_security_struct *newsbsec = newsb->s_security;
867 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
868 int set_context = (oldsbsec->flags & CONTEXT_MNT);
869 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
872 * if the parent was able to be mounted it clearly had no special lsm
873 * mount options. thus we can safely deal with this superblock later
878 /* how can we clone if the old one wasn't set up?? */
879 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
881 /* if fs is reusing a sb, make sure that the contexts match */
882 if (newsbsec->flags & SE_SBINITIALIZED)
883 return selinux_cmp_sb_context(oldsb, newsb);
885 mutex_lock(&newsbsec->lock);
887 newsbsec->flags = oldsbsec->flags;
889 newsbsec->sid = oldsbsec->sid;
890 newsbsec->def_sid = oldsbsec->def_sid;
891 newsbsec->behavior = oldsbsec->behavior;
894 u32 sid = oldsbsec->mntpoint_sid;
898 if (!set_rootcontext) {
899 struct inode *newinode = newsb->s_root->d_inode;
900 struct inode_security_struct *newisec = newinode->i_security;
903 newsbsec->mntpoint_sid = sid;
905 if (set_rootcontext) {
906 const struct inode *oldinode = oldsb->s_root->d_inode;
907 const struct inode_security_struct *oldisec = oldinode->i_security;
908 struct inode *newinode = newsb->s_root->d_inode;
909 struct inode_security_struct *newisec = newinode->i_security;
911 newisec->sid = oldisec->sid;
914 sb_finish_set_opts(newsb);
915 mutex_unlock(&newsbsec->lock);
919 static int selinux_parse_opts_str(char *options,
920 struct security_mnt_opts *opts)
923 char *context = NULL, *defcontext = NULL;
924 char *fscontext = NULL, *rootcontext = NULL;
925 int rc, num_mnt_opts = 0;
927 opts->num_mnt_opts = 0;
929 /* Standard string-based options. */
930 while ((p = strsep(&options, "|")) != NULL) {
932 substring_t args[MAX_OPT_ARGS];
937 token = match_token(p, tokens, args);
941 if (context || defcontext) {
943 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
946 context = match_strdup(&args[0]);
956 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
959 fscontext = match_strdup(&args[0]);
966 case Opt_rootcontext:
969 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
972 rootcontext = match_strdup(&args[0]);
980 if (context || defcontext) {
982 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
985 defcontext = match_strdup(&args[0]);
991 case Opt_labelsupport:
995 printk(KERN_WARNING "SELinux: unknown mount option\n");
1002 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1003 if (!opts->mnt_opts)
1006 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1007 if (!opts->mnt_opts_flags) {
1008 kfree(opts->mnt_opts);
1013 opts->mnt_opts[num_mnt_opts] = fscontext;
1014 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1017 opts->mnt_opts[num_mnt_opts] = context;
1018 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1021 opts->mnt_opts[num_mnt_opts] = rootcontext;
1022 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1025 opts->mnt_opts[num_mnt_opts] = defcontext;
1026 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1029 opts->num_mnt_opts = num_mnt_opts;
1040 * string mount options parsing and call set the sbsec
1042 static int superblock_doinit(struct super_block *sb, void *data)
1045 char *options = data;
1046 struct security_mnt_opts opts;
1048 security_init_mnt_opts(&opts);
1053 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1055 rc = selinux_parse_opts_str(options, &opts);
1060 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1063 security_free_mnt_opts(&opts);
1067 static void selinux_write_opts(struct seq_file *m,
1068 struct security_mnt_opts *opts)
1073 for (i = 0; i < opts->num_mnt_opts; i++) {
1076 if (opts->mnt_opts[i])
1077 has_comma = strchr(opts->mnt_opts[i], ',');
1081 switch (opts->mnt_opts_flags[i]) {
1083 prefix = CONTEXT_STR;
1086 prefix = FSCONTEXT_STR;
1088 case ROOTCONTEXT_MNT:
1089 prefix = ROOTCONTEXT_STR;
1091 case DEFCONTEXT_MNT:
1092 prefix = DEFCONTEXT_STR;
1096 seq_puts(m, LABELSUPP_STR);
1102 /* we need a comma before each option */
1104 seq_puts(m, prefix);
1107 seq_puts(m, opts->mnt_opts[i]);
1113 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1115 struct security_mnt_opts opts;
1118 rc = selinux_get_mnt_opts(sb, &opts);
1120 /* before policy load we may get EINVAL, don't show anything */
1126 selinux_write_opts(m, &opts);
1128 security_free_mnt_opts(&opts);
1133 static inline u16 inode_mode_to_security_class(umode_t mode)
1135 switch (mode & S_IFMT) {
1137 return SECCLASS_SOCK_FILE;
1139 return SECCLASS_LNK_FILE;
1141 return SECCLASS_FILE;
1143 return SECCLASS_BLK_FILE;
1145 return SECCLASS_DIR;
1147 return SECCLASS_CHR_FILE;
1149 return SECCLASS_FIFO_FILE;
1153 return SECCLASS_FILE;
1156 static inline int default_protocol_stream(int protocol)
1158 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1161 static inline int default_protocol_dgram(int protocol)
1163 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1166 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1172 case SOCK_SEQPACKET:
1173 return SECCLASS_UNIX_STREAM_SOCKET;
1175 return SECCLASS_UNIX_DGRAM_SOCKET;
1182 if (default_protocol_stream(protocol))
1183 return SECCLASS_TCP_SOCKET;
1185 return SECCLASS_RAWIP_SOCKET;
1187 if (default_protocol_dgram(protocol))
1188 return SECCLASS_UDP_SOCKET;
1190 return SECCLASS_RAWIP_SOCKET;
1192 return SECCLASS_DCCP_SOCKET;
1194 return SECCLASS_RAWIP_SOCKET;
1200 return SECCLASS_NETLINK_ROUTE_SOCKET;
1201 case NETLINK_FIREWALL:
1202 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1203 case NETLINK_SOCK_DIAG:
1204 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1206 return SECCLASS_NETLINK_NFLOG_SOCKET;
1208 return SECCLASS_NETLINK_XFRM_SOCKET;
1209 case NETLINK_SELINUX:
1210 return SECCLASS_NETLINK_SELINUX_SOCKET;
1212 return SECCLASS_NETLINK_AUDIT_SOCKET;
1213 case NETLINK_IP6_FW:
1214 return SECCLASS_NETLINK_IP6FW_SOCKET;
1215 case NETLINK_DNRTMSG:
1216 return SECCLASS_NETLINK_DNRT_SOCKET;
1217 case NETLINK_KOBJECT_UEVENT:
1218 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1220 return SECCLASS_NETLINK_SOCKET;
1223 return SECCLASS_PACKET_SOCKET;
1225 return SECCLASS_KEY_SOCKET;
1227 return SECCLASS_APPLETALK_SOCKET;
1230 return SECCLASS_SOCKET;
1233 #ifdef CONFIG_PROC_FS
1234 static int selinux_proc_get_sid(struct dentry *dentry,
1239 char *buffer, *path;
1241 buffer = (char *)__get_free_page(GFP_KERNEL);
1245 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1249 /* each process gets a /proc/PID/ entry. Strip off the
1250 * PID part to get a valid selinux labeling.
1251 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1252 while (path[1] >= '0' && path[1] <= '9') {
1256 rc = security_genfs_sid("proc", path, tclass, sid);
1258 free_page((unsigned long)buffer);
1262 static int selinux_proc_get_sid(struct dentry *dentry,
1270 /* The inode's security attributes must be initialized before first use. */
1271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1273 struct superblock_security_struct *sbsec = NULL;
1274 struct inode_security_struct *isec = inode->i_security;
1276 struct dentry *dentry;
1277 #define INITCONTEXTLEN 255
1278 char *context = NULL;
1282 if (isec->initialized)
1285 mutex_lock(&isec->lock);
1286 if (isec->initialized)
1289 sbsec = inode->i_sb->s_security;
1290 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1291 /* Defer initialization until selinux_complete_init,
1292 after the initial policy is loaded and the security
1293 server is ready to handle calls. */
1294 spin_lock(&sbsec->isec_lock);
1295 if (list_empty(&isec->list))
1296 list_add(&isec->list, &sbsec->isec_head);
1297 spin_unlock(&sbsec->isec_lock);
1301 switch (sbsec->behavior) {
1302 case SECURITY_FS_USE_NATIVE:
1304 case SECURITY_FS_USE_XATTR:
1305 if (!inode->i_op->getxattr) {
1306 isec->sid = sbsec->def_sid;
1310 /* Need a dentry, since the xattr API requires one.
1311 Life would be simpler if we could just pass the inode. */
1313 /* Called from d_instantiate or d_splice_alias. */
1314 dentry = dget(opt_dentry);
1316 /* Called from selinux_complete_init, try to find a dentry. */
1317 dentry = d_find_alias(inode);
1321 * this is can be hit on boot when a file is accessed
1322 * before the policy is loaded. When we load policy we
1323 * may find inodes that have no dentry on the
1324 * sbsec->isec_head list. No reason to complain as these
1325 * will get fixed up the next time we go through
1326 * inode_doinit with a dentry, before these inodes could
1327 * be used again by userspace.
1332 len = INITCONTEXTLEN;
1333 context = kmalloc(len+1, GFP_NOFS);
1339 context[len] = '\0';
1340 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1342 if (rc == -ERANGE) {
1345 /* Need a larger buffer. Query for the right size. */
1346 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1353 context = kmalloc(len+1, GFP_NOFS);
1359 context[len] = '\0';
1360 rc = inode->i_op->getxattr(dentry,
1366 if (rc != -ENODATA) {
1367 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1368 "%d for dev=%s ino=%ld\n", __func__,
1369 -rc, inode->i_sb->s_id, inode->i_ino);
1373 /* Map ENODATA to the default file SID */
1374 sid = sbsec->def_sid;
1377 rc = security_context_to_sid_default(context, rc, &sid,
1381 char *dev = inode->i_sb->s_id;
1382 unsigned long ino = inode->i_ino;
1384 if (rc == -EINVAL) {
1385 if (printk_ratelimit())
1386 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1387 "context=%s. This indicates you may need to relabel the inode or the "
1388 "filesystem in question.\n", ino, dev, context);
1390 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1391 "returned %d for dev=%s ino=%ld\n",
1392 __func__, context, -rc, dev, ino);
1395 /* Leave with the unlabeled SID */
1403 case SECURITY_FS_USE_TASK:
1404 isec->sid = isec->task_sid;
1406 case SECURITY_FS_USE_TRANS:
1407 /* Default to the fs SID. */
1408 isec->sid = sbsec->sid;
1410 /* Try to obtain a transition SID. */
1411 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1412 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1413 isec->sclass, NULL, &sid);
1418 case SECURITY_FS_USE_MNTPOINT:
1419 isec->sid = sbsec->mntpoint_sid;
1422 /* Default to the fs superblock SID. */
1423 isec->sid = sbsec->sid;
1425 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
1426 /* We must have a dentry to determine the label on
1429 /* Called from d_instantiate or
1430 * d_splice_alias. */
1431 dentry = dget(opt_dentry);
1433 /* Called from selinux_complete_init, try to
1435 dentry = d_find_alias(inode);
1437 * This can be hit on boot when a file is accessed
1438 * before the policy is loaded. When we load policy we
1439 * may find inodes that have no dentry on the
1440 * sbsec->isec_head list. No reason to complain as
1441 * these will get fixed up the next time we go through
1442 * inode_doinit() with a dentry, before these inodes
1443 * could be used again by userspace.
1447 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1448 rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
1457 isec->initialized = 1;
1460 mutex_unlock(&isec->lock);
1462 if (isec->sclass == SECCLASS_FILE)
1463 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1467 /* Convert a Linux signal to an access vector. */
1468 static inline u32 signal_to_av(int sig)
1474 /* Commonly granted from child to parent. */
1475 perm = PROCESS__SIGCHLD;
1478 /* Cannot be caught or ignored */
1479 perm = PROCESS__SIGKILL;
1482 /* Cannot be caught or ignored */
1483 perm = PROCESS__SIGSTOP;
1486 /* All other signals. */
1487 perm = PROCESS__SIGNAL;
1495 * Check permission between a pair of credentials
1496 * fork check, ptrace check, etc.
1498 static int cred_has_perm(const struct cred *actor,
1499 const struct cred *target,
1502 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1504 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1508 * Check permission between a pair of tasks, e.g. signal checks,
1509 * fork check, ptrace check, etc.
1510 * tsk1 is the actor and tsk2 is the target
1511 * - this uses the default subjective creds of tsk1
1513 static int task_has_perm(const struct task_struct *tsk1,
1514 const struct task_struct *tsk2,
1517 const struct task_security_struct *__tsec1, *__tsec2;
1521 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1522 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1524 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1528 * Check permission between current and another task, e.g. signal checks,
1529 * fork check, ptrace check, etc.
1530 * current is the actor and tsk2 is the target
1531 * - this uses current's subjective creds
1533 static int current_has_perm(const struct task_struct *tsk,
1538 sid = current_sid();
1539 tsid = task_sid(tsk);
1540 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1543 #if CAP_LAST_CAP > 63
1544 #error Fix SELinux to handle capabilities > 63.
1547 /* Check whether a task is allowed to use a capability. */
1548 static int cred_has_capability(const struct cred *cred,
1551 struct common_audit_data ad;
1552 struct av_decision avd;
1554 u32 sid = cred_sid(cred);
1555 u32 av = CAP_TO_MASK(cap);
1558 ad.type = LSM_AUDIT_DATA_CAP;
1561 switch (CAP_TO_INDEX(cap)) {
1563 sclass = SECCLASS_CAPABILITY;
1566 sclass = SECCLASS_CAPABILITY2;
1570 "SELinux: out of range capability %d\n", cap);
1575 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1576 if (audit == SECURITY_CAP_AUDIT) {
1577 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1584 /* Check whether a task is allowed to use a system operation. */
1585 static int task_has_system(struct task_struct *tsk,
1588 u32 sid = task_sid(tsk);
1590 return avc_has_perm(sid, SECINITSID_KERNEL,
1591 SECCLASS_SYSTEM, perms, NULL);
1594 /* Check whether a task has a particular permission to an inode.
1595 The 'adp' parameter is optional and allows other audit
1596 data to be passed (e.g. the dentry). */
1597 static int inode_has_perm(const struct cred *cred,
1598 struct inode *inode,
1600 struct common_audit_data *adp)
1602 struct inode_security_struct *isec;
1605 validate_creds(cred);
1607 if (unlikely(IS_PRIVATE(inode)))
1610 sid = cred_sid(cred);
1611 isec = inode->i_security;
1613 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1616 /* Same as inode_has_perm, but pass explicit audit data containing
1617 the dentry to help the auditing code to more easily generate the
1618 pathname if needed. */
1619 static inline int dentry_has_perm(const struct cred *cred,
1620 struct dentry *dentry,
1623 struct inode *inode = dentry->d_inode;
1624 struct common_audit_data ad;
1626 ad.type = LSM_AUDIT_DATA_DENTRY;
1627 ad.u.dentry = dentry;
1628 return inode_has_perm(cred, inode, av, &ad);
1631 /* Same as inode_has_perm, but pass explicit audit data containing
1632 the path to help the auditing code to more easily generate the
1633 pathname if needed. */
1634 static inline int path_has_perm(const struct cred *cred,
1638 struct inode *inode = path->dentry->d_inode;
1639 struct common_audit_data ad;
1641 ad.type = LSM_AUDIT_DATA_PATH;
1643 return inode_has_perm(cred, inode, av, &ad);
1646 /* Same as path_has_perm, but uses the inode from the file struct. */
1647 static inline int file_path_has_perm(const struct cred *cred,
1651 struct common_audit_data ad;
1653 ad.type = LSM_AUDIT_DATA_PATH;
1654 ad.u.path = file->f_path;
1655 return inode_has_perm(cred, file_inode(file), av, &ad);
1658 /* Check whether a task can use an open file descriptor to
1659 access an inode in a given way. Check access to the
1660 descriptor itself, and then use dentry_has_perm to
1661 check a particular permission to the file.
1662 Access to the descriptor is implicitly granted if it
1663 has the same SID as the process. If av is zero, then
1664 access to the file is not checked, e.g. for cases
1665 where only the descriptor is affected like seek. */
1666 static int file_has_perm(const struct cred *cred,
1670 struct file_security_struct *fsec = file->f_security;
1671 struct inode *inode = file_inode(file);
1672 struct common_audit_data ad;
1673 u32 sid = cred_sid(cred);
1676 ad.type = LSM_AUDIT_DATA_PATH;
1677 ad.u.path = file->f_path;
1679 if (sid != fsec->sid) {
1680 rc = avc_has_perm(sid, fsec->sid,
1688 /* av is zero if only checking access to the descriptor. */
1691 rc = inode_has_perm(cred, inode, av, &ad);
1697 /* Check whether a task can create a file. */
1698 static int may_create(struct inode *dir,
1699 struct dentry *dentry,
1702 const struct task_security_struct *tsec = current_security();
1703 struct inode_security_struct *dsec;
1704 struct superblock_security_struct *sbsec;
1706 struct common_audit_data ad;
1709 dsec = dir->i_security;
1710 sbsec = dir->i_sb->s_security;
1713 newsid = tsec->create_sid;
1715 ad.type = LSM_AUDIT_DATA_DENTRY;
1716 ad.u.dentry = dentry;
1718 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1719 DIR__ADD_NAME | DIR__SEARCH,
1724 if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
1725 rc = security_transition_sid(sid, dsec->sid, tclass,
1726 &dentry->d_name, &newsid);
1731 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1735 return avc_has_perm(newsid, sbsec->sid,
1736 SECCLASS_FILESYSTEM,
1737 FILESYSTEM__ASSOCIATE, &ad);
1740 /* Check whether a task can create a key. */
1741 static int may_create_key(u32 ksid,
1742 struct task_struct *ctx)
1744 u32 sid = task_sid(ctx);
1746 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1750 #define MAY_UNLINK 1
1753 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1754 static int may_link(struct inode *dir,
1755 struct dentry *dentry,
1759 struct inode_security_struct *dsec, *isec;
1760 struct common_audit_data ad;
1761 u32 sid = current_sid();
1765 dsec = dir->i_security;
1766 isec = dentry->d_inode->i_security;
1768 ad.type = LSM_AUDIT_DATA_DENTRY;
1769 ad.u.dentry = dentry;
1772 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1773 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1788 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1793 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1797 static inline int may_rename(struct inode *old_dir,
1798 struct dentry *old_dentry,
1799 struct inode *new_dir,
1800 struct dentry *new_dentry)
1802 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1803 struct common_audit_data ad;
1804 u32 sid = current_sid();
1806 int old_is_dir, new_is_dir;
1809 old_dsec = old_dir->i_security;
1810 old_isec = old_dentry->d_inode->i_security;
1811 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1812 new_dsec = new_dir->i_security;
1814 ad.type = LSM_AUDIT_DATA_DENTRY;
1816 ad.u.dentry = old_dentry;
1817 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1818 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1821 rc = avc_has_perm(sid, old_isec->sid,
1822 old_isec->sclass, FILE__RENAME, &ad);
1825 if (old_is_dir && new_dir != old_dir) {
1826 rc = avc_has_perm(sid, old_isec->sid,
1827 old_isec->sclass, DIR__REPARENT, &ad);
1832 ad.u.dentry = new_dentry;
1833 av = DIR__ADD_NAME | DIR__SEARCH;
1834 if (new_dentry->d_inode)
1835 av |= DIR__REMOVE_NAME;
1836 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1839 if (new_dentry->d_inode) {
1840 new_isec = new_dentry->d_inode->i_security;
1841 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1842 rc = avc_has_perm(sid, new_isec->sid,
1844 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1852 /* Check whether a task can perform a filesystem operation. */
1853 static int superblock_has_perm(const struct cred *cred,
1854 struct super_block *sb,
1856 struct common_audit_data *ad)
1858 struct superblock_security_struct *sbsec;
1859 u32 sid = cred_sid(cred);
1861 sbsec = sb->s_security;
1862 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1865 /* Convert a Linux mode and permission mask to an access vector. */
1866 static inline u32 file_mask_to_av(int mode, int mask)
1870 if (!S_ISDIR(mode)) {
1871 if (mask & MAY_EXEC)
1872 av |= FILE__EXECUTE;
1873 if (mask & MAY_READ)
1876 if (mask & MAY_APPEND)
1878 else if (mask & MAY_WRITE)
1882 if (mask & MAY_EXEC)
1884 if (mask & MAY_WRITE)
1886 if (mask & MAY_READ)
1893 /* Convert a Linux file to an access vector. */
1894 static inline u32 file_to_av(struct file *file)
1898 if (file->f_mode & FMODE_READ)
1900 if (file->f_mode & FMODE_WRITE) {
1901 if (file->f_flags & O_APPEND)
1908 * Special file opened with flags 3 for ioctl-only use.
1917 * Convert a file to an access vector and include the correct open
1920 static inline u32 open_file_to_av(struct file *file)
1922 u32 av = file_to_av(file);
1924 if (selinux_policycap_openperm)
1930 /* Hook functions begin here. */
1932 static int selinux_ptrace_access_check(struct task_struct *child,
1937 rc = cap_ptrace_access_check(child, mode);
1941 if (mode & PTRACE_MODE_READ) {
1942 u32 sid = current_sid();
1943 u32 csid = task_sid(child);
1944 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1947 return current_has_perm(child, PROCESS__PTRACE);
1950 static int selinux_ptrace_traceme(struct task_struct *parent)
1954 rc = cap_ptrace_traceme(parent);
1958 return task_has_perm(parent, current, PROCESS__PTRACE);
1961 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1962 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1966 error = current_has_perm(target, PROCESS__GETCAP);
1970 return cap_capget(target, effective, inheritable, permitted);
1973 static int selinux_capset(struct cred *new, const struct cred *old,
1974 const kernel_cap_t *effective,
1975 const kernel_cap_t *inheritable,
1976 const kernel_cap_t *permitted)
1980 error = cap_capset(new, old,
1981 effective, inheritable, permitted);
1985 return cred_has_perm(old, new, PROCESS__SETCAP);
1989 * (This comment used to live with the selinux_task_setuid hook,
1990 * which was removed).
1992 * Since setuid only affects the current process, and since the SELinux
1993 * controls are not based on the Linux identity attributes, SELinux does not
1994 * need to control this operation. However, SELinux does control the use of
1995 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1998 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2003 rc = cap_capable(cred, ns, cap, audit);
2007 return cred_has_capability(cred, cap, audit);
2010 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2012 const struct cred *cred = current_cred();
2024 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2029 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2032 rc = 0; /* let the kernel handle invalid cmds */
2038 static int selinux_quota_on(struct dentry *dentry)
2040 const struct cred *cred = current_cred();
2042 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2045 static int selinux_syslog(int type)
2050 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2051 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2052 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2054 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2055 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2056 /* Set level of messages printed to console */
2057 case SYSLOG_ACTION_CONSOLE_LEVEL:
2058 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2060 case SYSLOG_ACTION_CLOSE: /* Close log */
2061 case SYSLOG_ACTION_OPEN: /* Open log */
2062 case SYSLOG_ACTION_READ: /* Read from log */
2063 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2064 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2066 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2073 * Check that a process has enough memory to allocate a new virtual
2074 * mapping. 0 means there is enough memory for the allocation to
2075 * succeed and -ENOMEM implies there is not.
2077 * Do not audit the selinux permission check, as this is applied to all
2078 * processes that allocate mappings.
2080 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2082 int rc, cap_sys_admin = 0;
2084 rc = selinux_capable(current_cred(), &init_user_ns, CAP_SYS_ADMIN,
2085 SECURITY_CAP_NOAUDIT);
2089 return __vm_enough_memory(mm, pages, cap_sys_admin);
2092 /* binprm security operations */
2094 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2095 const struct task_security_struct *old_tsec,
2096 const struct task_security_struct *new_tsec)
2098 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2099 int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID);
2102 if (!nnp && !nosuid)
2103 return 0; /* neither NNP nor nosuid */
2105 if (new_tsec->sid == old_tsec->sid)
2106 return 0; /* No change in credentials */
2109 * The only transitions we permit under NNP or nosuid
2110 * are transitions to bounded SIDs, i.e. SIDs that are
2111 * guaranteed to only be allowed a subset of the permissions
2112 * of the current SID.
2114 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2117 * On failure, preserve the errno values for NNP vs nosuid.
2118 * NNP: Operation not permitted for caller.
2119 * nosuid: Permission denied to file.
2129 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2131 const struct task_security_struct *old_tsec;
2132 struct task_security_struct *new_tsec;
2133 struct inode_security_struct *isec;
2134 struct common_audit_data ad;
2135 struct inode *inode = file_inode(bprm->file);
2138 rc = cap_bprm_set_creds(bprm);
2142 /* SELinux context only depends on initial program or script and not
2143 * the script interpreter */
2144 if (bprm->cred_prepared)
2147 old_tsec = current_security();
2148 new_tsec = bprm->cred->security;
2149 isec = inode->i_security;
2151 /* Default to the current task SID. */
2152 new_tsec->sid = old_tsec->sid;
2153 new_tsec->osid = old_tsec->sid;
2155 /* Reset fs, key, and sock SIDs on execve. */
2156 new_tsec->create_sid = 0;
2157 new_tsec->keycreate_sid = 0;
2158 new_tsec->sockcreate_sid = 0;
2160 if (old_tsec->exec_sid) {
2161 new_tsec->sid = old_tsec->exec_sid;
2162 /* Reset exec SID on execve. */
2163 new_tsec->exec_sid = 0;
2165 /* Fail on NNP or nosuid if not an allowed transition. */
2166 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2170 /* Check for a default transition on this program. */
2171 rc = security_transition_sid(old_tsec->sid, isec->sid,
2172 SECCLASS_PROCESS, NULL,
2178 * Fallback to old SID on NNP or nosuid if not an allowed
2181 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2183 new_tsec->sid = old_tsec->sid;
2186 ad.type = LSM_AUDIT_DATA_PATH;
2187 ad.u.path = bprm->file->f_path;
2189 if (new_tsec->sid == old_tsec->sid) {
2190 rc = avc_has_perm(old_tsec->sid, isec->sid,
2191 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2195 /* Check permissions for the transition. */
2196 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2197 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2201 rc = avc_has_perm(new_tsec->sid, isec->sid,
2202 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2206 /* Check for shared state */
2207 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2208 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2209 SECCLASS_PROCESS, PROCESS__SHARE,
2215 /* Make sure that anyone attempting to ptrace over a task that
2216 * changes its SID has the appropriate permit */
2218 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2219 struct task_struct *tracer;
2220 struct task_security_struct *sec;
2224 tracer = ptrace_parent(current);
2225 if (likely(tracer != NULL)) {
2226 sec = __task_cred(tracer)->security;
2232 rc = avc_has_perm(ptsid, new_tsec->sid,
2234 PROCESS__PTRACE, NULL);
2240 /* Clear any possibly unsafe personality bits on exec: */
2241 bprm->per_clear |= PER_CLEAR_ON_SETID;
2247 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2249 const struct task_security_struct *tsec = current_security();
2257 /* Enable secure mode for SIDs transitions unless
2258 the noatsecure permission is granted between
2259 the two SIDs, i.e. ahp returns 0. */
2260 atsecure = avc_has_perm(osid, sid,
2262 PROCESS__NOATSECURE, NULL);
2265 return (atsecure || cap_bprm_secureexec(bprm));
2268 static int match_file(const void *p, struct file *file, unsigned fd)
2270 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2273 /* Derived from fs/exec.c:flush_old_files. */
2274 static inline void flush_unauthorized_files(const struct cred *cred,
2275 struct files_struct *files)
2277 struct file *file, *devnull = NULL;
2278 struct tty_struct *tty;
2282 tty = get_current_tty();
2284 spin_lock(&tty_files_lock);
2285 if (!list_empty(&tty->tty_files)) {
2286 struct tty_file_private *file_priv;
2288 /* Revalidate access to controlling tty.
2289 Use file_path_has_perm on the tty path directly
2290 rather than using file_has_perm, as this particular
2291 open file may belong to another process and we are
2292 only interested in the inode-based check here. */
2293 file_priv = list_first_entry(&tty->tty_files,
2294 struct tty_file_private, list);
2295 file = file_priv->file;
2296 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2299 spin_unlock(&tty_files_lock);
2302 /* Reset controlling tty. */
2306 /* Revalidate access to inherited open files. */
2307 n = iterate_fd(files, 0, match_file, cred);
2308 if (!n) /* none found? */
2311 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2312 if (IS_ERR(devnull))
2314 /* replace all the matching ones with this */
2316 replace_fd(n - 1, devnull, 0);
2317 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2323 * Prepare a process for imminent new credential changes due to exec
2325 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2327 struct task_security_struct *new_tsec;
2328 struct rlimit *rlim, *initrlim;
2331 new_tsec = bprm->cred->security;
2332 if (new_tsec->sid == new_tsec->osid)
2335 /* Close files for which the new task SID is not authorized. */
2336 flush_unauthorized_files(bprm->cred, current->files);
2338 /* Always clear parent death signal on SID transitions. */
2339 current->pdeath_signal = 0;
2341 /* Check whether the new SID can inherit resource limits from the old
2342 * SID. If not, reset all soft limits to the lower of the current
2343 * task's hard limit and the init task's soft limit.
2345 * Note that the setting of hard limits (even to lower them) can be
2346 * controlled by the setrlimit check. The inclusion of the init task's
2347 * soft limit into the computation is to avoid resetting soft limits
2348 * higher than the default soft limit for cases where the default is
2349 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2351 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2352 PROCESS__RLIMITINH, NULL);
2354 /* protect against do_prlimit() */
2356 for (i = 0; i < RLIM_NLIMITS; i++) {
2357 rlim = current->signal->rlim + i;
2358 initrlim = init_task.signal->rlim + i;
2359 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2361 task_unlock(current);
2362 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2367 * Clean up the process immediately after the installation of new credentials
2370 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2372 const struct task_security_struct *tsec = current_security();
2373 struct itimerval itimer;
2383 /* Check whether the new SID can inherit signal state from the old SID.
2384 * If not, clear itimers to avoid subsequent signal generation and
2385 * flush and unblock signals.
2387 * This must occur _after_ the task SID has been updated so that any
2388 * kill done after the flush will be checked against the new SID.
2390 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2392 memset(&itimer, 0, sizeof itimer);
2393 for (i = 0; i < 3; i++)
2394 do_setitimer(i, &itimer, NULL);
2395 spin_lock_irq(¤t->sighand->siglock);
2396 if (!(current->signal->flags & SIGNAL_GROUP_EXIT)) {
2397 __flush_signals(current);
2398 flush_signal_handlers(current, 1);
2399 sigemptyset(¤t->blocked);
2401 spin_unlock_irq(¤t->sighand->siglock);
2404 /* Wake up the parent if it is waiting so that it can recheck
2405 * wait permission to the new task SID. */
2406 read_lock(&tasklist_lock);
2407 __wake_up_parent(current, current->real_parent);
2408 read_unlock(&tasklist_lock);
2411 /* superblock security operations */
2413 static int selinux_sb_alloc_security(struct super_block *sb)
2415 return superblock_alloc_security(sb);
2418 static void selinux_sb_free_security(struct super_block *sb)
2420 superblock_free_security(sb);
2423 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2428 return !memcmp(prefix, option, plen);
2431 static inline int selinux_option(char *option, int len)
2433 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2434 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2435 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2436 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2437 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2440 static inline void take_option(char **to, char *from, int *first, int len)
2447 memcpy(*to, from, len);
2451 static inline void take_selinux_option(char **to, char *from, int *first,
2454 int current_size = 0;
2462 while (current_size < len) {
2472 static int selinux_sb_copy_data(char *orig, char *copy)
2474 int fnosec, fsec, rc = 0;
2475 char *in_save, *in_curr, *in_end;
2476 char *sec_curr, *nosec_save, *nosec;
2482 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2490 in_save = in_end = orig;
2494 open_quote = !open_quote;
2495 if ((*in_end == ',' && open_quote == 0) ||
2497 int len = in_end - in_curr;
2499 if (selinux_option(in_curr, len))
2500 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2502 take_option(&nosec, in_curr, &fnosec, len);
2504 in_curr = in_end + 1;
2506 } while (*in_end++);
2508 strcpy(in_save, nosec_save);
2509 free_page((unsigned long)nosec_save);
2514 static int selinux_sb_remount(struct super_block *sb, void *data)
2517 struct security_mnt_opts opts;
2518 char *secdata, **mount_options;
2519 struct superblock_security_struct *sbsec = sb->s_security;
2521 if (!(sbsec->flags & SE_SBINITIALIZED))
2527 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2530 security_init_mnt_opts(&opts);
2531 secdata = alloc_secdata();
2534 rc = selinux_sb_copy_data(data, secdata);
2536 goto out_free_secdata;
2538 rc = selinux_parse_opts_str(secdata, &opts);
2540 goto out_free_secdata;
2542 mount_options = opts.mnt_opts;
2543 flags = opts.mnt_opts_flags;
2545 for (i = 0; i < opts.num_mnt_opts; i++) {
2549 if (flags[i] == SBLABEL_MNT)
2551 len = strlen(mount_options[i]);
2552 rc = security_context_to_sid(mount_options[i], len, &sid,
2555 printk(KERN_WARNING "SELinux: security_context_to_sid"
2556 "(%s) failed for (dev %s, type %s) errno=%d\n",
2557 mount_options[i], sb->s_id, sb->s_type->name, rc);
2563 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2564 goto out_bad_option;
2567 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2568 goto out_bad_option;
2570 case ROOTCONTEXT_MNT: {
2571 struct inode_security_struct *root_isec;
2572 root_isec = sb->s_root->d_inode->i_security;
2574 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2575 goto out_bad_option;
2578 case DEFCONTEXT_MNT:
2579 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2580 goto out_bad_option;
2589 security_free_mnt_opts(&opts);
2591 free_secdata(secdata);
2594 printk(KERN_WARNING "SELinux: unable to change security options "
2595 "during remount (dev %s, type=%s)\n", sb->s_id,
2600 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2602 const struct cred *cred = current_cred();
2603 struct common_audit_data ad;
2606 rc = superblock_doinit(sb, data);
2610 /* Allow all mounts performed by the kernel */
2611 if (flags & MS_KERNMOUNT)
2614 ad.type = LSM_AUDIT_DATA_DENTRY;
2615 ad.u.dentry = sb->s_root;
2616 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2619 static int selinux_sb_statfs(struct dentry *dentry)
2621 const struct cred *cred = current_cred();
2622 struct common_audit_data ad;
2624 ad.type = LSM_AUDIT_DATA_DENTRY;
2625 ad.u.dentry = dentry->d_sb->s_root;
2626 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2629 static int selinux_mount(const char *dev_name,
2632 unsigned long flags,
2635 const struct cred *cred = current_cred();
2637 if (flags & MS_REMOUNT)
2638 return superblock_has_perm(cred, path->dentry->d_sb,
2639 FILESYSTEM__REMOUNT, NULL);
2641 return path_has_perm(cred, path, FILE__MOUNTON);
2644 static int selinux_umount(struct vfsmount *mnt, int flags)
2646 const struct cred *cred = current_cred();
2648 return superblock_has_perm(cred, mnt->mnt_sb,
2649 FILESYSTEM__UNMOUNT, NULL);
2652 /* inode security operations */
2654 static int selinux_inode_alloc_security(struct inode *inode)
2656 return inode_alloc_security(inode);
2659 static void selinux_inode_free_security(struct inode *inode)
2661 inode_free_security(inode);
2664 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2665 struct qstr *name, void **ctx,
2668 const struct cred *cred = current_cred();
2669 struct task_security_struct *tsec;
2670 struct inode_security_struct *dsec;
2671 struct superblock_security_struct *sbsec;
2672 struct inode *dir = dentry->d_parent->d_inode;
2676 tsec = cred->security;
2677 dsec = dir->i_security;
2678 sbsec = dir->i_sb->s_security;
2680 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2681 newsid = tsec->create_sid;
2683 rc = security_transition_sid(tsec->sid, dsec->sid,
2684 inode_mode_to_security_class(mode),
2689 "%s: security_transition_sid failed, rc=%d\n",
2695 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2698 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2699 const struct qstr *qstr,
2701 void **value, size_t *len)
2703 const struct task_security_struct *tsec = current_security();
2704 struct inode_security_struct *dsec;
2705 struct superblock_security_struct *sbsec;
2706 u32 sid, newsid, clen;
2710 dsec = dir->i_security;
2711 sbsec = dir->i_sb->s_security;
2714 newsid = tsec->create_sid;
2716 if ((sbsec->flags & SE_SBINITIALIZED) &&
2717 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT))
2718 newsid = sbsec->mntpoint_sid;
2719 else if (!newsid || !(sbsec->flags & SBLABEL_MNT)) {
2720 rc = security_transition_sid(sid, dsec->sid,
2721 inode_mode_to_security_class(inode->i_mode),
2724 printk(KERN_WARNING "%s: "
2725 "security_transition_sid failed, rc=%d (dev=%s "
2728 -rc, inode->i_sb->s_id, inode->i_ino);
2733 /* Possibly defer initialization to selinux_complete_init. */
2734 if (sbsec->flags & SE_SBINITIALIZED) {
2735 struct inode_security_struct *isec = inode->i_security;
2736 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2738 isec->initialized = 1;
2741 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2745 *name = XATTR_SELINUX_SUFFIX;
2748 rc = security_sid_to_context_force(newsid, &context, &clen);
2758 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2760 return may_create(dir, dentry, SECCLASS_FILE);
2763 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2765 return may_link(dir, old_dentry, MAY_LINK);
2768 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2770 return may_link(dir, dentry, MAY_UNLINK);
2773 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2775 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2778 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2780 return may_create(dir, dentry, SECCLASS_DIR);
2783 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2785 return may_link(dir, dentry, MAY_RMDIR);
2788 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2790 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2793 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2794 struct inode *new_inode, struct dentry *new_dentry)
2796 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2799 static int selinux_inode_readlink(struct dentry *dentry)
2801 const struct cred *cred = current_cred();
2803 return dentry_has_perm(cred, dentry, FILE__READ);
2806 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2808 const struct cred *cred = current_cred();
2810 return dentry_has_perm(cred, dentry, FILE__READ);
2813 static noinline int audit_inode_permission(struct inode *inode,
2814 u32 perms, u32 audited, u32 denied,
2818 struct common_audit_data ad;
2819 struct inode_security_struct *isec = inode->i_security;
2822 ad.type = LSM_AUDIT_DATA_INODE;
2825 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2826 audited, denied, result, &ad, flags);
2832 static int selinux_inode_permission(struct inode *inode, int mask)
2834 const struct cred *cred = current_cred();
2837 unsigned flags = mask & MAY_NOT_BLOCK;
2838 struct inode_security_struct *isec;
2840 struct av_decision avd;
2842 u32 audited, denied;
2844 from_access = mask & MAY_ACCESS;
2845 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
2847 /* No permission to check. Existence test. */
2851 validate_creds(cred);
2853 if (unlikely(IS_PRIVATE(inode)))
2856 perms = file_mask_to_av(inode->i_mode, mask);
2858 sid = cred_sid(cred);
2859 isec = inode->i_security;
2861 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2862 audited = avc_audit_required(perms, &avd, rc,
2863 from_access ? FILE__AUDIT_ACCESS : 0,
2865 if (likely(!audited))
2868 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2874 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2876 const struct cred *cred = current_cred();
2877 unsigned int ia_valid = iattr->ia_valid;
2878 __u32 av = FILE__WRITE;
2880 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2881 if (ia_valid & ATTR_FORCE) {
2882 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2888 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2889 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2890 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2892 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE))
2895 return dentry_has_perm(cred, dentry, av);
2898 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2900 const struct cred *cred = current_cred();
2903 path.dentry = dentry;
2906 return path_has_perm(cred, &path, FILE__GETATTR);
2909 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2911 const struct cred *cred = current_cred();
2913 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2914 sizeof XATTR_SECURITY_PREFIX - 1)) {
2915 if (!strcmp(name, XATTR_NAME_CAPS)) {
2916 if (!capable(CAP_SETFCAP))
2918 } else if (!capable(CAP_SYS_ADMIN)) {
2919 /* A different attribute in the security namespace.
2920 Restrict to administrator. */
2925 /* Not an attribute we recognize, so just check the
2926 ordinary setattr permission. */
2927 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2930 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2931 const void *value, size_t size, int flags)
2933 struct inode *inode = dentry->d_inode;
2934 struct inode_security_struct *isec = inode->i_security;
2935 struct superblock_security_struct *sbsec;
2936 struct common_audit_data ad;
2937 u32 newsid, sid = current_sid();
2940 if (strcmp(name, XATTR_NAME_SELINUX))
2941 return selinux_inode_setotherxattr(dentry, name);
2943 sbsec = inode->i_sb->s_security;
2944 if (!(sbsec->flags & SBLABEL_MNT))
2947 if (!inode_owner_or_capable(inode))
2950 ad.type = LSM_AUDIT_DATA_DENTRY;
2951 ad.u.dentry = dentry;
2953 rc = avc_has_perm(sid, isec->sid, isec->sclass,
2954 FILE__RELABELFROM, &ad);
2958 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
2959 if (rc == -EINVAL) {
2960 if (!capable(CAP_MAC_ADMIN)) {
2961 struct audit_buffer *ab;
2965 /* We strip a nul only if it is at the end, otherwise the
2966 * context contains a nul and we should audit that */
2969 if (str[size - 1] == '\0')
2970 audit_size = size - 1;
2977 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2978 audit_log_format(ab, "op=setxattr invalid_context=");
2979 audit_log_n_untrustedstring(ab, value, audit_size);
2984 rc = security_context_to_sid_force(value, size, &newsid);
2989 rc = avc_has_perm(sid, newsid, isec->sclass,
2990 FILE__RELABELTO, &ad);
2994 rc = security_validate_transition(isec->sid, newsid, sid,
2999 return avc_has_perm(newsid,
3001 SECCLASS_FILESYSTEM,
3002 FILESYSTEM__ASSOCIATE,
3006 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3007 const void *value, size_t size,
3010 struct inode *inode = dentry->d_inode;
3011 struct inode_security_struct *isec = inode->i_security;
3015 if (strcmp(name, XATTR_NAME_SELINUX)) {
3016 /* Not an attribute we recognize, so nothing to do. */
3020 rc = security_context_to_sid_force(value, size, &newsid);
3022 printk(KERN_ERR "SELinux: unable to map context to SID"
3023 "for (%s, %lu), rc=%d\n",
3024 inode->i_sb->s_id, inode->i_ino, -rc);
3028 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3030 isec->initialized = 1;
3035 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3037 const struct cred *cred = current_cred();
3039 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3042 static int selinux_inode_listxattr(struct dentry *dentry)
3044 const struct cred *cred = current_cred();
3046 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3049 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3051 if (strcmp(name, XATTR_NAME_SELINUX))
3052 return selinux_inode_setotherxattr(dentry, name);
3054 /* No one is allowed to remove a SELinux security label.
3055 You can change the label, but all data must be labeled. */
3060 * Copy the inode security context value to the user.
3062 * Permission check is handled by selinux_inode_getxattr hook.
3064 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
3068 char *context = NULL;
3069 struct inode_security_struct *isec = inode->i_security;
3071 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3075 * If the caller has CAP_MAC_ADMIN, then get the raw context
3076 * value even if it is not defined by current policy; otherwise,
3077 * use the in-core value under current policy.
3078 * Use the non-auditing forms of the permission checks since
3079 * getxattr may be called by unprivileged processes commonly
3080 * and lack of permission just means that we fall back to the
3081 * in-core context value, not a denial.
3083 error = selinux_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3084 SECURITY_CAP_NOAUDIT);
3086 error = security_sid_to_context_force(isec->sid, &context,
3089 error = security_sid_to_context(isec->sid, &context, &size);
3102 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3103 const void *value, size_t size, int flags)
3105 struct inode_security_struct *isec = inode->i_security;
3109 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3112 if (!value || !size)
3115 rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
3119 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3121 isec->initialized = 1;
3125 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3127 const int len = sizeof(XATTR_NAME_SELINUX);
3128 if (buffer && len <= buffer_size)
3129 memcpy(buffer, XATTR_NAME_SELINUX, len);
3133 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
3135 struct inode_security_struct *isec = inode->i_security;
3139 /* file security operations */
3141 static int selinux_revalidate_file_permission(struct file *file, int mask)
3143 const struct cred *cred = current_cred();
3144 struct inode *inode = file_inode(file);
3146 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3147 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3150 return file_has_perm(cred, file,
3151 file_mask_to_av(inode->i_mode, mask));
3154 static int selinux_file_permission(struct file *file, int mask)
3156 struct inode *inode = file_inode(file);
3157 struct file_security_struct *fsec = file->f_security;
3158 struct inode_security_struct *isec = inode->i_security;
3159 u32 sid = current_sid();
3162 /* No permission to check. Existence test. */
3165 if (sid == fsec->sid && fsec->isid == isec->sid &&
3166 fsec->pseqno == avc_policy_seqno())
3167 /* No change since file_open check. */
3170 return selinux_revalidate_file_permission(file, mask);
3173 static int selinux_file_alloc_security(struct file *file)
3175 return file_alloc_security(file);
3178 static void selinux_file_free_security(struct file *file)
3180 file_free_security(file);
3183 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3186 const struct cred *cred = current_cred();
3196 case FS_IOC_GETFLAGS:
3198 case FS_IOC_GETVERSION:
3199 error = file_has_perm(cred, file, FILE__GETATTR);
3202 case FS_IOC_SETFLAGS:
3204 case FS_IOC_SETVERSION:
3205 error = file_has_perm(cred, file, FILE__SETATTR);
3208 /* sys_ioctl() checks */
3212 error = file_has_perm(cred, file, 0);
3217 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3218 SECURITY_CAP_AUDIT);
3221 /* default case assumes that the command will go
3222 * to the file's ioctl() function.
3225 error = file_has_perm(cred, file, FILE__IOCTL);
3230 static int default_noexec;
3232 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3234 const struct cred *cred = current_cred();
3237 if (default_noexec &&
3238 (prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3240 * We are making executable an anonymous mapping or a
3241 * private file mapping that will also be writable.
3242 * This has an additional check.
3244 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3250 /* read access is always possible with a mapping */
3251 u32 av = FILE__READ;
3253 /* write access only matters if the mapping is shared */
3254 if (shared && (prot & PROT_WRITE))
3257 if (prot & PROT_EXEC)
3258 av |= FILE__EXECUTE;
3260 return file_has_perm(cred, file, av);
3267 static int selinux_mmap_addr(unsigned long addr)
3271 /* do DAC check on address space usage */
3272 rc = cap_mmap_addr(addr);
3276 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3277 u32 sid = current_sid();
3278 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3279 MEMPROTECT__MMAP_ZERO, NULL);
3285 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3286 unsigned long prot, unsigned long flags)
3288 if (selinux_checkreqprot)
3291 return file_map_prot_check(file, prot,
3292 (flags & MAP_TYPE) == MAP_SHARED);
3295 static int selinux_file_mprotect(struct vm_area_struct *vma,
3296 unsigned long reqprot,
3299 const struct cred *cred = current_cred();
3301 if (selinux_checkreqprot)
3304 if (default_noexec &&
3305 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3307 if (vma->vm_start >= vma->vm_mm->start_brk &&
3308 vma->vm_end <= vma->vm_mm->brk) {
3309 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3310 } else if (!vma->vm_file &&
3311 vma->vm_start <= vma->vm_mm->start_stack &&
3312 vma->vm_end >= vma->vm_mm->start_stack) {
3313 rc = current_has_perm(current, PROCESS__EXECSTACK);
3314 } else if (vma->vm_file && vma->anon_vma) {
3316 * We are making executable a file mapping that has
3317 * had some COW done. Since pages might have been
3318 * written, check ability to execute the possibly
3319 * modified content. This typically should only
3320 * occur for text relocations.
3322 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3328 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3331 static int selinux_file_lock(struct file *file, unsigned int cmd)
3333 const struct cred *cred = current_cred();
3335 return file_has_perm(cred, file, FILE__LOCK);
3338 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3341 const struct cred *cred = current_cred();
3346 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3347 err = file_has_perm(cred, file, FILE__WRITE);
3356 case F_GETOWNER_UIDS:
3357 /* Just check FD__USE permission */
3358 err = file_has_perm(cred, file, 0);
3366 #if BITS_PER_LONG == 32
3371 err = file_has_perm(cred, file, FILE__LOCK);
3378 static void selinux_file_set_fowner(struct file *file)
3380 struct file_security_struct *fsec;
3382 fsec = file->f_security;
3383 fsec->fown_sid = current_sid();
3386 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3387 struct fown_struct *fown, int signum)
3390 u32 sid = task_sid(tsk);
3392 struct file_security_struct *fsec;
3394 /* struct fown_struct is never outside the context of a struct file */
3395 file = container_of(fown, struct file, f_owner);
3397 fsec = file->f_security;
3400 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3402 perm = signal_to_av(signum);
3404 return avc_has_perm(fsec->fown_sid, sid,
3405 SECCLASS_PROCESS, perm, NULL);
3408 static int selinux_file_receive(struct file *file)
3410 const struct cred *cred = current_cred();
3412 return file_has_perm(cred, file, file_to_av(file));
3415 static int selinux_file_open(struct file *file, const struct cred *cred)
3417 struct file_security_struct *fsec;
3418 struct inode_security_struct *isec;
3420 fsec = file->f_security;
3421 isec = file_inode(file)->i_security;
3423 * Save inode label and policy sequence number
3424 * at open-time so that selinux_file_permission
3425 * can determine whether revalidation is necessary.
3426 * Task label is already saved in the file security
3427 * struct as its SID.
3429 fsec->isid = isec->sid;
3430 fsec->pseqno = avc_policy_seqno();
3432 * Since the inode label or policy seqno may have changed
3433 * between the selinux_inode_permission check and the saving
3434 * of state above, recheck that access is still permitted.
3435 * Otherwise, access might never be revalidated against the
3436 * new inode label or new policy.
3437 * This check is not redundant - do not remove.
3439 return file_path_has_perm(cred, file, open_file_to_av(file));
3442 /* task security operations */
3444 static int selinux_task_create(unsigned long clone_flags)
3446 return current_has_perm(current, PROCESS__FORK);
3450 * allocate the SELinux part of blank credentials
3452 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3454 struct task_security_struct *tsec;
3456 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3460 cred->security = tsec;
3465 * detach and free the LSM part of a set of credentials
3467 static void selinux_cred_free(struct cred *cred)
3469 struct task_security_struct *tsec = cred->security;
3472 * cred->security == NULL if security_cred_alloc_blank() or
3473 * security_prepare_creds() returned an error.
3475 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3476 cred->security = (void *) 0x7UL;
3481 * prepare a new set of credentials for modification
3483 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3486 const struct task_security_struct *old_tsec;
3487 struct task_security_struct *tsec;
3489 old_tsec = old->security;
3491 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3495 new->security = tsec;
3500 * transfer the SELinux data to a blank set of creds
3502 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3504 const struct task_security_struct *old_tsec = old->security;
3505 struct task_security_struct *tsec = new->security;
3511 * set the security data for a kernel service
3512 * - all the creation contexts are set to unlabelled
3514 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3516 struct task_security_struct *tsec = new->security;
3517 u32 sid = current_sid();
3520 ret = avc_has_perm(sid, secid,
3521 SECCLASS_KERNEL_SERVICE,
3522 KERNEL_SERVICE__USE_AS_OVERRIDE,
3526 tsec->create_sid = 0;
3527 tsec->keycreate_sid = 0;
3528 tsec->sockcreate_sid = 0;
3534 * set the file creation context in a security record to the same as the
3535 * objective context of the specified inode
3537 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3539 struct inode_security_struct *isec = inode->i_security;
3540 struct task_security_struct *tsec = new->security;
3541 u32 sid = current_sid();
3544 ret = avc_has_perm(sid, isec->sid,
3545 SECCLASS_KERNEL_SERVICE,
3546 KERNEL_SERVICE__CREATE_FILES_AS,
3550 tsec->create_sid = isec->sid;
3554 static int selinux_kernel_module_request(char *kmod_name)
3557 struct common_audit_data ad;
3559 sid = task_sid(current);
3561 ad.type = LSM_AUDIT_DATA_KMOD;
3562 ad.u.kmod_name = kmod_name;
3564 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3565 SYSTEM__MODULE_REQUEST, &ad);
3568 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3570 return current_has_perm(p, PROCESS__SETPGID);
3573 static int selinux_task_getpgid(struct task_struct *p)
3575 return current_has_perm(p, PROCESS__GETPGID);
3578 static int selinux_task_getsid(struct task_struct *p)
3580 return current_has_perm(p, PROCESS__GETSESSION);
3583 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3585 *secid = task_sid(p);
3588 static int selinux_task_setnice(struct task_struct *p, int nice)
3592 rc = cap_task_setnice(p, nice);
3596 return current_has_perm(p, PROCESS__SETSCHED);
3599 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3603 rc = cap_task_setioprio(p, ioprio);
3607 return current_has_perm(p, PROCESS__SETSCHED);
3610 static int selinux_task_getioprio(struct task_struct *p)
3612 return current_has_perm(p, PROCESS__GETSCHED);
3615 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3616 struct rlimit *new_rlim)
3618 struct rlimit *old_rlim = p->signal->rlim + resource;
3620 /* Control the ability to change the hard limit (whether
3621 lowering or raising it), so that the hard limit can
3622 later be used as a safe reset point for the soft limit
3623 upon context transitions. See selinux_bprm_committing_creds. */
3624 if (old_rlim->rlim_max != new_rlim->rlim_max)
3625 return current_has_perm(p, PROCESS__SETRLIMIT);
3630 static int selinux_task_setscheduler(struct task_struct *p)
3634 rc = cap_task_setscheduler(p);
3638 return current_has_perm(p, PROCESS__SETSCHED);
3641 static int selinux_task_getscheduler(struct task_struct *p)
3643 return current_has_perm(p, PROCESS__GETSCHED);
3646 static int selinux_task_movememory(struct task_struct *p)
3648 return current_has_perm(p, PROCESS__SETSCHED);
3651 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3658 perm = PROCESS__SIGNULL; /* null signal; existence test */
3660 perm = signal_to_av(sig);
3662 rc = avc_has_perm(secid, task_sid(p),
3663 SECCLASS_PROCESS, perm, NULL);
3665 rc = current_has_perm(p, perm);
3669 static int selinux_task_wait(struct task_struct *p)
3671 return task_has_perm(p, current, PROCESS__SIGCHLD);
3674 static void selinux_task_to_inode(struct task_struct *p,
3675 struct inode *inode)
3677 struct inode_security_struct *isec = inode->i_security;
3678 u32 sid = task_sid(p);
3681 isec->initialized = 1;
3684 /* Returns error only if unable to parse addresses */
3685 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3686 struct common_audit_data *ad, u8 *proto)
3688 int offset, ihlen, ret = -EINVAL;
3689 struct iphdr _iph, *ih;
3691 offset = skb_network_offset(skb);
3692 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3696 ihlen = ih->ihl * 4;
3697 if (ihlen < sizeof(_iph))
3700 ad->u.net->v4info.saddr = ih->saddr;
3701 ad->u.net->v4info.daddr = ih->daddr;
3705 *proto = ih->protocol;
3707 switch (ih->protocol) {
3709 struct tcphdr _tcph, *th;
3711 if (ntohs(ih->frag_off) & IP_OFFSET)
3715 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3719 ad->u.net->sport = th->source;
3720 ad->u.net->dport = th->dest;
3725 struct udphdr _udph, *uh;
3727 if (ntohs(ih->frag_off) & IP_OFFSET)
3731 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3735 ad->u.net->sport = uh->source;
3736 ad->u.net->dport = uh->dest;
3740 case IPPROTO_DCCP: {
3741 struct dccp_hdr _dccph, *dh;
3743 if (ntohs(ih->frag_off) & IP_OFFSET)
3747 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3751 ad->u.net->sport = dh->dccph_sport;
3752 ad->u.net->dport = dh->dccph_dport;
3763 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3765 /* Returns error only if unable to parse addresses */
3766 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3767 struct common_audit_data *ad, u8 *proto)
3770 int ret = -EINVAL, offset;
3771 struct ipv6hdr _ipv6h, *ip6;
3774 offset = skb_network_offset(skb);
3775 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3779 ad->u.net->v6info.saddr = ip6->saddr;
3780 ad->u.net->v6info.daddr = ip6->daddr;
3783 nexthdr = ip6->nexthdr;
3784 offset += sizeof(_ipv6h);
3785 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3794 struct tcphdr _tcph, *th;
3796 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3800 ad->u.net->sport = th->source;
3801 ad->u.net->dport = th->dest;
3806 struct udphdr _udph, *uh;
3808 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3812 ad->u.net->sport = uh->source;
3813 ad->u.net->dport = uh->dest;
3817 case IPPROTO_DCCP: {
3818 struct dccp_hdr _dccph, *dh;
3820 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3824 ad->u.net->sport = dh->dccph_sport;
3825 ad->u.net->dport = dh->dccph_dport;
3829 /* includes fragments */
3839 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3840 char **_addrp, int src, u8 *proto)
3845 switch (ad->u.net->family) {
3847 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3850 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
3851 &ad->u.net->v4info.daddr);
3854 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3856 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3859 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
3860 &ad->u.net->v6info.daddr);
3870 "SELinux: failure in selinux_parse_skb(),"
3871 " unable to parse packet\n");
3881 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3883 * @family: protocol family
3884 * @sid: the packet's peer label SID
3887 * Check the various different forms of network peer labeling and determine
3888 * the peer label/SID for the packet; most of the magic actually occurs in
3889 * the security server function security_net_peersid_cmp(). The function
3890 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3891 * or -EACCES if @sid is invalid due to inconsistencies with the different
3895 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3902 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
3905 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3909 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3910 if (unlikely(err)) {
3912 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3913 " unable to determine packet's peer label\n");
3921 * selinux_conn_sid - Determine the child socket label for a connection
3922 * @sk_sid: the parent socket's SID
3923 * @skb_sid: the packet's SID
3924 * @conn_sid: the resulting connection SID
3926 * If @skb_sid is valid then the user:role:type information from @sk_sid is
3927 * combined with the MLS information from @skb_sid in order to create
3928 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
3929 * of @sk_sid. Returns zero on success, negative values on failure.
3932 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
3936 if (skb_sid != SECSID_NULL)
3937 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
3944 /* socket security operations */
3946 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
3947 u16 secclass, u32 *socksid)
3949 if (tsec->sockcreate_sid > SECSID_NULL) {
3950 *socksid = tsec->sockcreate_sid;
3954 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
3958 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3960 struct sk_security_struct *sksec = sk->sk_security;
3961 struct common_audit_data ad;
3962 struct lsm_network_audit net = {0,};
3963 u32 tsid = task_sid(task);
3965 if (sksec->sid == SECINITSID_KERNEL)
3968 ad.type = LSM_AUDIT_DATA_NET;
3972 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
3975 static int selinux_socket_create(int family, int type,
3976 int protocol, int kern)
3978 const struct task_security_struct *tsec = current_security();
3986 secclass = socket_type_to_security_class(family, type, protocol);
3987 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3991 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
3994 static int selinux_socket_post_create(struct socket *sock, int family,
3995 int type, int protocol, int kern)
3997 const struct task_security_struct *tsec = current_security();
3998 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3999 struct sk_security_struct *sksec;
4002 isec->sclass = socket_type_to_security_class(family, type, protocol);
4005 isec->sid = SECINITSID_KERNEL;
4007 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4012 isec->initialized = 1;
4015 sksec = sock->sk->sk_security;
4016 sksec->sid = isec->sid;
4017 sksec->sclass = isec->sclass;
4018 err = selinux_netlbl_socket_post_create(sock->sk, family);
4024 /* Range of port numbers used to automatically bind.
4025 Need to determine whether we should perform a name_bind
4026 permission check between the socket and the port number. */
4028 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4030 struct sock *sk = sock->sk;
4034 err = sock_has_perm(current, sk, SOCKET__BIND);
4039 * If PF_INET or PF_INET6, check name_bind permission for the port.
4040 * Multiple address binding for SCTP is not supported yet: we just
4041 * check the first address now.
4043 family = sk->sk_family;
4044 if (family == PF_INET || family == PF_INET6) {
4046 struct sk_security_struct *sksec = sk->sk_security;
4047 struct common_audit_data ad;
4048 struct lsm_network_audit net = {0,};
4049 struct sockaddr_in *addr4 = NULL;
4050 struct sockaddr_in6 *addr6 = NULL;
4051 unsigned short snum;
4054 if (family == PF_INET) {
4055 addr4 = (struct sockaddr_in *)address;
4056 snum = ntohs(addr4->sin_port);
4057 addrp = (char *)&addr4->sin_addr.s_addr;
4059 addr6 = (struct sockaddr_in6 *)address;
4060 snum = ntohs(addr6->sin6_port);
4061 addrp = (char *)&addr6->sin6_addr.s6_addr;
4067 inet_get_local_port_range(sock_net(sk), &low, &high);
4069 if (snum < max(PROT_SOCK, low) || snum > high) {
4070 err = sel_netport_sid(sk->sk_protocol,
4074 ad.type = LSM_AUDIT_DATA_NET;
4076 ad.u.net->sport = htons(snum);
4077 ad.u.net->family = family;
4078 err = avc_has_perm(sksec->sid, sid,
4080 SOCKET__NAME_BIND, &ad);
4086 switch (sksec->sclass) {
4087 case SECCLASS_TCP_SOCKET:
4088 node_perm = TCP_SOCKET__NODE_BIND;
4091 case SECCLASS_UDP_SOCKET:
4092 node_perm = UDP_SOCKET__NODE_BIND;
4095 case SECCLASS_DCCP_SOCKET:
4096 node_perm = DCCP_SOCKET__NODE_BIND;
4100 node_perm = RAWIP_SOCKET__NODE_BIND;
4104 err = sel_netnode_sid(addrp, family, &sid);
4108 ad.type = LSM_AUDIT_DATA_NET;
4110 ad.u.net->sport = htons(snum);
4111 ad.u.net->family = family;
4113 if (family == PF_INET)
4114 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4116 ad.u.net->v6info.saddr = addr6->sin6_addr;
4118 err = avc_has_perm(sksec->sid, sid,
4119 sksec->sclass, node_perm, &ad);
4127 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4129 struct sock *sk = sock->sk;
4130 struct sk_security_struct *sksec = sk->sk_security;
4133 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4138 * If a TCP or DCCP socket, check name_connect permission for the port.
4140 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4141 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4142 struct common_audit_data ad;
4143 struct lsm_network_audit net = {0,};
4144 struct sockaddr_in *addr4 = NULL;
4145 struct sockaddr_in6 *addr6 = NULL;
4146 unsigned short snum;
4149 if (sk->sk_family == PF_INET) {
4150 addr4 = (struct sockaddr_in *)address;
4151 if (addrlen < sizeof(struct sockaddr_in))
4153 snum = ntohs(addr4->sin_port);
4155 addr6 = (struct sockaddr_in6 *)address;
4156 if (addrlen < SIN6_LEN_RFC2133)
4158 snum = ntohs(addr6->sin6_port);
4161 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4165 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4166 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4168 ad.type = LSM_AUDIT_DATA_NET;
4170 ad.u.net->dport = htons(snum);
4171 ad.u.net->family = sk->sk_family;
4172 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4177 err = selinux_netlbl_socket_connect(sk, address);
4183 static int selinux_socket_listen(struct socket *sock, int backlog)
4185 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4188 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4191 struct inode_security_struct *isec;
4192 struct inode_security_struct *newisec;
4194 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4198 newisec = SOCK_INODE(newsock)->i_security;
4200 isec = SOCK_INODE(sock)->i_security;
4201 newisec->sclass = isec->sclass;
4202 newisec->sid = isec->sid;
4203 newisec->initialized = 1;
4208 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4211 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4214 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4215 int size, int flags)
4217 return sock_has_perm(current, sock->sk, SOCKET__READ);
4220 static int selinux_socket_getsockname(struct socket *sock)
4222 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4225 static int selinux_socket_getpeername(struct socket *sock)
4227 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4230 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4234 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4238 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4241 static int selinux_socket_getsockopt(struct socket *sock, int level,
4244 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4247 static int selinux_socket_shutdown(struct socket *sock, int how)
4249 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4252 static int selinux_socket_unix_stream_connect(struct sock *sock,
4256 struct sk_security_struct *sksec_sock = sock->sk_security;
4257 struct sk_security_struct *sksec_other = other->sk_security;
4258 struct sk_security_struct *sksec_new = newsk->sk_security;
4259 struct common_audit_data ad;
4260 struct lsm_network_audit net = {0,};
4263 ad.type = LSM_AUDIT_DATA_NET;
4265 ad.u.net->sk = other;
4267 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4268 sksec_other->sclass,
4269 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4273 /* server child socket */
4274 sksec_new->peer_sid = sksec_sock->sid;
4275 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4280 /* connecting socket */
4281 sksec_sock->peer_sid = sksec_new->sid;
4286 static int selinux_socket_unix_may_send(struct socket *sock,
4287 struct socket *other)
4289 struct sk_security_struct *ssec = sock->sk->sk_security;
4290 struct sk_security_struct *osec = other->sk->sk_security;
4291 struct common_audit_data ad;
4292 struct lsm_network_audit net = {0,};
4294 ad.type = LSM_AUDIT_DATA_NET;
4296 ad.u.net->sk = other->sk;
4298 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4302 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4303 char *addrp, u16 family, u32 peer_sid,
4304 struct common_audit_data *ad)
4310 err = sel_netif_sid(ns, ifindex, &if_sid);
4313 err = avc_has_perm(peer_sid, if_sid,
4314 SECCLASS_NETIF, NETIF__INGRESS, ad);
4318 err = sel_netnode_sid(addrp, family, &node_sid);
4321 return avc_has_perm(peer_sid, node_sid,
4322 SECCLASS_NODE, NODE__RECVFROM, ad);
4325 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4329 struct sk_security_struct *sksec = sk->sk_security;
4330 u32 sk_sid = sksec->sid;
4331 struct common_audit_data ad;
4332 struct lsm_network_audit net = {0,};
4335 ad.type = LSM_AUDIT_DATA_NET;
4337 ad.u.net->netif = skb->skb_iif;
4338 ad.u.net->family = family;
4339 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4343 if (selinux_secmark_enabled()) {
4344 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4350 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4353 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4358 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4361 struct sk_security_struct *sksec = sk->sk_security;
4362 u16 family = sk->sk_family;
4363 u32 sk_sid = sksec->sid;
4364 struct common_audit_data ad;
4365 struct lsm_network_audit net = {0,};
4370 if (family != PF_INET && family != PF_INET6)
4373 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4374 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4377 /* If any sort of compatibility mode is enabled then handoff processing
4378 * to the selinux_sock_rcv_skb_compat() function to deal with the
4379 * special handling. We do this in an attempt to keep this function
4380 * as fast and as clean as possible. */
4381 if (!selinux_policycap_netpeer)
4382 return selinux_sock_rcv_skb_compat(sk, skb, family);
4384 secmark_active = selinux_secmark_enabled();
4385 peerlbl_active = selinux_peerlbl_enabled();
4386 if (!secmark_active && !peerlbl_active)
4389 ad.type = LSM_AUDIT_DATA_NET;
4391 ad.u.net->netif = skb->skb_iif;
4392 ad.u.net->family = family;
4393 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4397 if (peerlbl_active) {
4400 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4403 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4404 addrp, family, peer_sid, &ad);
4406 selinux_netlbl_err(skb, err, 0);
4409 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4412 selinux_netlbl_err(skb, err, 0);
4417 if (secmark_active) {
4418 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4427 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4428 int __user *optlen, unsigned len)
4433 struct sk_security_struct *sksec = sock->sk->sk_security;
4434 u32 peer_sid = SECSID_NULL;
4436 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4437 sksec->sclass == SECCLASS_TCP_SOCKET)
4438 peer_sid = sksec->peer_sid;
4439 if (peer_sid == SECSID_NULL)
4440 return -ENOPROTOOPT;
4442 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4446 if (scontext_len > len) {
4451 if (copy_to_user(optval, scontext, scontext_len))
4455 if (put_user(scontext_len, optlen))
4461 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4463 u32 peer_secid = SECSID_NULL;
4466 if (skb && skb->protocol == htons(ETH_P_IP))
4468 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4471 family = sock->sk->sk_family;
4475 if (sock && family == PF_UNIX)
4476 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4478 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4481 *secid = peer_secid;
4482 if (peer_secid == SECSID_NULL)
4487 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4489 struct sk_security_struct *sksec;
4491 sksec = kzalloc(sizeof(*sksec), priority);
4495 sksec->peer_sid = SECINITSID_UNLABELED;
4496 sksec->sid = SECINITSID_UNLABELED;
4497 selinux_netlbl_sk_security_reset(sksec);
4498 sk->sk_security = sksec;
4503 static void selinux_sk_free_security(struct sock *sk)
4505 struct sk_security_struct *sksec = sk->sk_security;
4507 sk->sk_security = NULL;
4508 selinux_netlbl_sk_security_free(sksec);
4512 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4514 struct sk_security_struct *sksec = sk->sk_security;
4515 struct sk_security_struct *newsksec = newsk->sk_security;
4517 newsksec->sid = sksec->sid;
4518 newsksec->peer_sid = sksec->peer_sid;
4519 newsksec->sclass = sksec->sclass;
4521 selinux_netlbl_sk_security_reset(newsksec);
4524 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4527 *secid = SECINITSID_ANY_SOCKET;
4529 struct sk_security_struct *sksec = sk->sk_security;
4531 *secid = sksec->sid;
4535 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4537 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4538 struct sk_security_struct *sksec = sk->sk_security;
4540 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4541 sk->sk_family == PF_UNIX)
4542 isec->sid = sksec->sid;
4543 sksec->sclass = isec->sclass;
4546 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4547 struct request_sock *req)
4549 struct sk_security_struct *sksec = sk->sk_security;
4551 u16 family = req->rsk_ops->family;
4555 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4558 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4561 req->secid = connsid;
4562 req->peer_secid = peersid;
4564 return selinux_netlbl_inet_conn_request(req, family);
4567 static void selinux_inet_csk_clone(struct sock *newsk,
4568 const struct request_sock *req)
4570 struct sk_security_struct *newsksec = newsk->sk_security;
4572 newsksec->sid = req->secid;
4573 newsksec->peer_sid = req->peer_secid;
4574 /* NOTE: Ideally, we should also get the isec->sid for the
4575 new socket in sync, but we don't have the isec available yet.
4576 So we will wait until sock_graft to do it, by which
4577 time it will have been created and available. */
4579 /* We don't need to take any sort of lock here as we are the only
4580 * thread with access to newsksec */
4581 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4584 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4586 u16 family = sk->sk_family;
4587 struct sk_security_struct *sksec = sk->sk_security;
4589 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4590 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4593 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4596 static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
4598 skb_set_owner_w(skb, sk);
4601 static int selinux_secmark_relabel_packet(u32 sid)
4603 const struct task_security_struct *__tsec;
4606 __tsec = current_security();
4609 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4612 static void selinux_secmark_refcount_inc(void)
4614 atomic_inc(&selinux_secmark_refcount);
4617 static void selinux_secmark_refcount_dec(void)
4619 atomic_dec(&selinux_secmark_refcount);
4622 static void selinux_req_classify_flow(const struct request_sock *req,
4625 fl->flowi_secid = req->secid;
4628 static int selinux_tun_dev_alloc_security(void **security)
4630 struct tun_security_struct *tunsec;
4632 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4635 tunsec->sid = current_sid();
4641 static void selinux_tun_dev_free_security(void *security)
4646 static int selinux_tun_dev_create(void)
4648 u32 sid = current_sid();
4650 /* we aren't taking into account the "sockcreate" SID since the socket
4651 * that is being created here is not a socket in the traditional sense,
4652 * instead it is a private sock, accessible only to the kernel, and
4653 * representing a wide range of network traffic spanning multiple
4654 * connections unlike traditional sockets - check the TUN driver to
4655 * get a better understanding of why this socket is special */
4657 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4661 static int selinux_tun_dev_attach_queue(void *security)
4663 struct tun_security_struct *tunsec = security;
4665 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4666 TUN_SOCKET__ATTACH_QUEUE, NULL);
4669 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4671 struct tun_security_struct *tunsec = security;
4672 struct sk_security_struct *sksec = sk->sk_security;
4674 /* we don't currently perform any NetLabel based labeling here and it
4675 * isn't clear that we would want to do so anyway; while we could apply
4676 * labeling without the support of the TUN user the resulting labeled
4677 * traffic from the other end of the connection would almost certainly
4678 * cause confusion to the TUN user that had no idea network labeling
4679 * protocols were being used */
4681 sksec->sid = tunsec->sid;
4682 sksec->sclass = SECCLASS_TUN_SOCKET;
4687 static int selinux_tun_dev_open(void *security)
4689 struct tun_security_struct *tunsec = security;
4690 u32 sid = current_sid();
4693 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4694 TUN_SOCKET__RELABELFROM, NULL);
4697 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4698 TUN_SOCKET__RELABELTO, NULL);
4706 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4710 struct nlmsghdr *nlh;
4711 struct sk_security_struct *sksec = sk->sk_security;
4713 if (skb->len < NLMSG_HDRLEN) {
4717 nlh = nlmsg_hdr(skb);
4719 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4721 if (err == -EINVAL) {
4723 "SELinux: unrecognized netlink message:"
4724 " protocol=%hu nlmsg_type=%hu sclass=%hu\n",
4725 sk->sk_protocol, nlh->nlmsg_type, sksec->sclass);
4726 if (!selinux_enforcing || security_get_allow_unknown())
4736 err = sock_has_perm(current, sk, perm);
4741 #ifdef CONFIG_NETFILTER
4743 static unsigned int selinux_ip_forward(struct sk_buff *skb,
4744 const struct net_device *indev,
4750 struct common_audit_data ad;
4751 struct lsm_network_audit net = {0,};
4756 if (!selinux_policycap_netpeer)
4759 secmark_active = selinux_secmark_enabled();
4760 netlbl_active = netlbl_enabled();
4761 peerlbl_active = selinux_peerlbl_enabled();
4762 if (!secmark_active && !peerlbl_active)
4765 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4768 ad.type = LSM_AUDIT_DATA_NET;
4770 ad.u.net->netif = indev->ifindex;
4771 ad.u.net->family = family;
4772 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4775 if (peerlbl_active) {
4776 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
4777 addrp, family, peer_sid, &ad);
4779 selinux_netlbl_err(skb, err, 1);
4785 if (avc_has_perm(peer_sid, skb->secmark,
4786 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4790 /* we do this in the FORWARD path and not the POST_ROUTING
4791 * path because we want to make sure we apply the necessary
4792 * labeling before IPsec is applied so we can leverage AH
4794 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4800 static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
4801 struct sk_buff *skb,
4802 const struct net_device *in,
4803 const struct net_device *out,
4804 int (*okfn)(struct sk_buff *))
4806 return selinux_ip_forward(skb, in, PF_INET);
4809 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4810 static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
4811 struct sk_buff *skb,
4812 const struct net_device *in,
4813 const struct net_device *out,
4814 int (*okfn)(struct sk_buff *))
4816 return selinux_ip_forward(skb, in, PF_INET6);
4820 static unsigned int selinux_ip_output(struct sk_buff *skb,
4826 if (!netlbl_enabled())
4829 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4830 * because we want to make sure we apply the necessary labeling
4831 * before IPsec is applied so we can leverage AH protection */
4834 struct sk_security_struct *sksec;
4836 if (sk->sk_state == TCP_LISTEN)
4837 /* if the socket is the listening state then this
4838 * packet is a SYN-ACK packet which means it needs to
4839 * be labeled based on the connection/request_sock and
4840 * not the parent socket. unfortunately, we can't
4841 * lookup the request_sock yet as it isn't queued on
4842 * the parent socket until after the SYN-ACK is sent.
4843 * the "solution" is to simply pass the packet as-is
4844 * as any IP option based labeling should be copied
4845 * from the initial connection request (in the IP
4846 * layer). it is far from ideal, but until we get a
4847 * security label in the packet itself this is the
4848 * best we can do. */
4851 /* standard practice, label using the parent socket */
4852 sksec = sk->sk_security;
4855 sid = SECINITSID_KERNEL;
4856 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4862 static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
4863 struct sk_buff *skb,
4864 const struct net_device *in,
4865 const struct net_device *out,
4866 int (*okfn)(struct sk_buff *))
4868 return selinux_ip_output(skb, PF_INET);
4871 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4875 struct sock *sk = skb->sk;
4876 struct sk_security_struct *sksec;
4877 struct common_audit_data ad;
4878 struct lsm_network_audit net = {0,};
4884 sksec = sk->sk_security;
4886 ad.type = LSM_AUDIT_DATA_NET;
4888 ad.u.net->netif = ifindex;
4889 ad.u.net->family = family;
4890 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4893 if (selinux_secmark_enabled())
4894 if (avc_has_perm(sksec->sid, skb->secmark,
4895 SECCLASS_PACKET, PACKET__SEND, &ad))
4896 return NF_DROP_ERR(-ECONNREFUSED);
4898 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4899 return NF_DROP_ERR(-ECONNREFUSED);
4904 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
4905 const struct net_device *outdev,
4910 int ifindex = outdev->ifindex;
4912 struct common_audit_data ad;
4913 struct lsm_network_audit net = {0,};
4918 /* If any sort of compatibility mode is enabled then handoff processing
4919 * to the selinux_ip_postroute_compat() function to deal with the
4920 * special handling. We do this in an attempt to keep this function
4921 * as fast and as clean as possible. */
4922 if (!selinux_policycap_netpeer)
4923 return selinux_ip_postroute_compat(skb, ifindex, family);
4925 secmark_active = selinux_secmark_enabled();
4926 peerlbl_active = selinux_peerlbl_enabled();
4927 if (!secmark_active && !peerlbl_active)
4933 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4934 * packet transformation so allow the packet to pass without any checks
4935 * since we'll have another chance to perform access control checks
4936 * when the packet is on it's final way out.
4937 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4938 * is NULL, in this case go ahead and apply access control.
4939 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
4940 * TCP listening state we cannot wait until the XFRM processing
4941 * is done as we will miss out on the SA label if we do;
4942 * unfortunately, this means more work, but it is only once per
4944 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
4945 !(sk != NULL && sk->sk_state == TCP_LISTEN))
4950 /* Without an associated socket the packet is either coming
4951 * from the kernel or it is being forwarded; check the packet
4952 * to determine which and if the packet is being forwarded
4953 * query the packet directly to determine the security label. */
4955 secmark_perm = PACKET__FORWARD_OUT;
4956 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4959 secmark_perm = PACKET__SEND;
4960 peer_sid = SECINITSID_KERNEL;
4962 } else if (sk->sk_state == TCP_LISTEN) {
4963 /* Locally generated packet but the associated socket is in the
4964 * listening state which means this is a SYN-ACK packet. In
4965 * this particular case the correct security label is assigned
4966 * to the connection/request_sock but unfortunately we can't
4967 * query the request_sock as it isn't queued on the parent
4968 * socket until after the SYN-ACK packet is sent; the only
4969 * viable choice is to regenerate the label like we do in
4970 * selinux_inet_conn_request(). See also selinux_ip_output()
4971 * for similar problems. */
4973 struct sk_security_struct *sksec = sk->sk_security;
4974 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
4976 /* At this point, if the returned skb peerlbl is SECSID_NULL
4977 * and the packet has been through at least one XFRM
4978 * transformation then we must be dealing with the "final"
4979 * form of labeled IPsec packet; since we've already applied
4980 * all of our access controls on this packet we can safely
4981 * pass the packet. */
4982 if (skb_sid == SECSID_NULL) {
4985 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
4989 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
4993 return NF_DROP_ERR(-ECONNREFUSED);
4996 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
4998 secmark_perm = PACKET__SEND;
5000 /* Locally generated packet, fetch the security label from the
5001 * associated socket. */
5002 struct sk_security_struct *sksec = sk->sk_security;
5003 peer_sid = sksec->sid;
5004 secmark_perm = PACKET__SEND;
5007 ad.type = LSM_AUDIT_DATA_NET;
5009 ad.u.net->netif = ifindex;
5010 ad.u.net->family = family;
5011 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5015 if (avc_has_perm(peer_sid, skb->secmark,
5016 SECCLASS_PACKET, secmark_perm, &ad))
5017 return NF_DROP_ERR(-ECONNREFUSED);
5019 if (peerlbl_active) {
5023 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5025 if (avc_has_perm(peer_sid, if_sid,
5026 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5027 return NF_DROP_ERR(-ECONNREFUSED);
5029 if (sel_netnode_sid(addrp, family, &node_sid))
5031 if (avc_has_perm(peer_sid, node_sid,
5032 SECCLASS_NODE, NODE__SENDTO, &ad))
5033 return NF_DROP_ERR(-ECONNREFUSED);
5039 static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
5040 struct sk_buff *skb,
5041 const struct net_device *in,
5042 const struct net_device *out,
5043 int (*okfn)(struct sk_buff *))
5045 return selinux_ip_postroute(skb, out, PF_INET);
5048 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5049 static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
5050 struct sk_buff *skb,
5051 const struct net_device *in,
5052 const struct net_device *out,
5053 int (*okfn)(struct sk_buff *))
5055 return selinux_ip_postroute(skb, out, PF_INET6);
5059 #endif /* CONFIG_NETFILTER */
5061 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5065 err = cap_netlink_send(sk, skb);
5069 return selinux_nlmsg_perm(sk, skb);
5072 static int ipc_alloc_security(struct task_struct *task,
5073 struct kern_ipc_perm *perm,
5076 struct ipc_security_struct *isec;
5079 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5083 sid = task_sid(task);
5084 isec->sclass = sclass;
5086 perm->security = isec;
5091 static void ipc_free_security(struct kern_ipc_perm *perm)
5093 struct ipc_security_struct *isec = perm->security;
5094 perm->security = NULL;
5098 static int msg_msg_alloc_security(struct msg_msg *msg)
5100 struct msg_security_struct *msec;
5102 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5106 msec->sid = SECINITSID_UNLABELED;
5107 msg->security = msec;
5112 static void msg_msg_free_security(struct msg_msg *msg)
5114 struct msg_security_struct *msec = msg->security;
5116 msg->security = NULL;
5120 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5123 struct ipc_security_struct *isec;
5124 struct common_audit_data ad;
5125 u32 sid = current_sid();
5127 isec = ipc_perms->security;
5129 ad.type = LSM_AUDIT_DATA_IPC;
5130 ad.u.ipc_id = ipc_perms->key;
5132 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5135 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5137 return msg_msg_alloc_security(msg);
5140 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5142 msg_msg_free_security(msg);
5145 /* message queue security operations */
5146 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5148 struct ipc_security_struct *isec;
5149 struct common_audit_data ad;
5150 u32 sid = current_sid();
5153 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5157 isec = msq->q_perm.security;
5159 ad.type = LSM_AUDIT_DATA_IPC;
5160 ad.u.ipc_id = msq->q_perm.key;
5162 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5165 ipc_free_security(&msq->q_perm);
5171 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5173 ipc_free_security(&msq->q_perm);
5176 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5178 struct ipc_security_struct *isec;
5179 struct common_audit_data ad;
5180 u32 sid = current_sid();
5182 isec = msq->q_perm.security;
5184 ad.type = LSM_AUDIT_DATA_IPC;
5185 ad.u.ipc_id = msq->q_perm.key;
5187 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5188 MSGQ__ASSOCIATE, &ad);
5191 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5199 /* No specific object, just general system-wide information. */
5200 return task_has_system(current, SYSTEM__IPC_INFO);
5203 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5206 perms = MSGQ__SETATTR;
5209 perms = MSGQ__DESTROY;
5215 err = ipc_has_perm(&msq->q_perm, perms);
5219 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5221 struct ipc_security_struct *isec;
5222 struct msg_security_struct *msec;
5223 struct common_audit_data ad;
5224 u32 sid = current_sid();
5227 isec = msq->q_perm.security;
5228 msec = msg->security;
5231 * First time through, need to assign label to the message
5233 if (msec->sid == SECINITSID_UNLABELED) {
5235 * Compute new sid based on current process and
5236 * message queue this message will be stored in
5238 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5244 ad.type = LSM_AUDIT_DATA_IPC;
5245 ad.u.ipc_id = msq->q_perm.key;
5247 /* Can this process write to the queue? */
5248 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5251 /* Can this process send the message */
5252 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5255 /* Can the message be put in the queue? */
5256 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5257 MSGQ__ENQUEUE, &ad);
5262 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5263 struct task_struct *target,
5264 long type, int mode)
5266 struct ipc_security_struct *isec;
5267 struct msg_security_struct *msec;
5268 struct common_audit_data ad;
5269 u32 sid = task_sid(target);
5272 isec = msq->q_perm.security;
5273 msec = msg->security;
5275 ad.type = LSM_AUDIT_DATA_IPC;
5276 ad.u.ipc_id = msq->q_perm.key;
5278 rc = avc_has_perm(sid, isec->sid,
5279 SECCLASS_MSGQ, MSGQ__READ, &ad);
5281 rc = avc_has_perm(sid, msec->sid,
5282 SECCLASS_MSG, MSG__RECEIVE, &ad);
5286 /* Shared Memory security operations */
5287 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5289 struct ipc_security_struct *isec;
5290 struct common_audit_data ad;
5291 u32 sid = current_sid();
5294 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5298 isec = shp->shm_perm.security;
5300 ad.type = LSM_AUDIT_DATA_IPC;
5301 ad.u.ipc_id = shp->shm_perm.key;
5303 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5306 ipc_free_security(&shp->shm_perm);
5312 static void selinux_shm_free_security(struct shmid_kernel *shp)
5314 ipc_free_security(&shp->shm_perm);
5317 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5319 struct ipc_security_struct *isec;
5320 struct common_audit_data ad;
5321 u32 sid = current_sid();
5323 isec = shp->shm_perm.security;
5325 ad.type = LSM_AUDIT_DATA_IPC;
5326 ad.u.ipc_id = shp->shm_perm.key;
5328 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5329 SHM__ASSOCIATE, &ad);
5332 /* Note, at this point, shp is locked down */
5333 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5341 /* No specific object, just general system-wide information. */
5342 return task_has_system(current, SYSTEM__IPC_INFO);
5345 perms = SHM__GETATTR | SHM__ASSOCIATE;
5348 perms = SHM__SETATTR;
5355 perms = SHM__DESTROY;
5361 err = ipc_has_perm(&shp->shm_perm, perms);
5365 static int selinux_shm_shmat(struct shmid_kernel *shp,
5366 char __user *shmaddr, int shmflg)
5370 if (shmflg & SHM_RDONLY)
5373 perms = SHM__READ | SHM__WRITE;
5375 return ipc_has_perm(&shp->shm_perm, perms);
5378 /* Semaphore security operations */
5379 static int selinux_sem_alloc_security(struct sem_array *sma)
5381 struct ipc_security_struct *isec;
5382 struct common_audit_data ad;
5383 u32 sid = current_sid();
5386 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5390 isec = sma->sem_perm.security;
5392 ad.type = LSM_AUDIT_DATA_IPC;
5393 ad.u.ipc_id = sma->sem_perm.key;
5395 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5398 ipc_free_security(&sma->sem_perm);
5404 static void selinux_sem_free_security(struct sem_array *sma)
5406 ipc_free_security(&sma->sem_perm);
5409 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5411 struct ipc_security_struct *isec;
5412 struct common_audit_data ad;
5413 u32 sid = current_sid();
5415 isec = sma->sem_perm.security;
5417 ad.type = LSM_AUDIT_DATA_IPC;
5418 ad.u.ipc_id = sma->sem_perm.key;
5420 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5421 SEM__ASSOCIATE, &ad);
5424 /* Note, at this point, sma is locked down */
5425 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5433 /* No specific object, just general system-wide information. */
5434 return task_has_system(current, SYSTEM__IPC_INFO);
5438 perms = SEM__GETATTR;
5449 perms = SEM__DESTROY;
5452 perms = SEM__SETATTR;
5456 perms = SEM__GETATTR | SEM__ASSOCIATE;
5462 err = ipc_has_perm(&sma->sem_perm, perms);
5466 static int selinux_sem_semop(struct sem_array *sma,
5467 struct sembuf *sops, unsigned nsops, int alter)
5472 perms = SEM__READ | SEM__WRITE;
5476 return ipc_has_perm(&sma->sem_perm, perms);
5479 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5485 av |= IPC__UNIX_READ;
5487 av |= IPC__UNIX_WRITE;
5492 return ipc_has_perm(ipcp, av);
5495 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5497 struct ipc_security_struct *isec = ipcp->security;
5501 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5504 inode_doinit_with_dentry(inode, dentry);
5507 static int selinux_getprocattr(struct task_struct *p,
5508 char *name, char **value)
5510 const struct task_security_struct *__tsec;
5516 error = current_has_perm(p, PROCESS__GETATTR);
5522 __tsec = __task_cred(p)->security;
5524 if (!strcmp(name, "current"))
5526 else if (!strcmp(name, "prev"))
5528 else if (!strcmp(name, "exec"))
5529 sid = __tsec->exec_sid;
5530 else if (!strcmp(name, "fscreate"))
5531 sid = __tsec->create_sid;
5532 else if (!strcmp(name, "keycreate"))
5533 sid = __tsec->keycreate_sid;
5534 else if (!strcmp(name, "sockcreate"))
5535 sid = __tsec->sockcreate_sid;
5543 error = security_sid_to_context(sid, value, &len);
5553 static int selinux_setprocattr(struct task_struct *p,
5554 char *name, void *value, size_t size)
5556 struct task_security_struct *tsec;
5557 struct task_struct *tracer;
5564 /* SELinux only allows a process to change its own
5565 security attributes. */
5570 * Basic control over ability to set these attributes at all.
5571 * current == p, but we'll pass them separately in case the
5572 * above restriction is ever removed.
5574 if (!strcmp(name, "exec"))
5575 error = current_has_perm(p, PROCESS__SETEXEC);
5576 else if (!strcmp(name, "fscreate"))
5577 error = current_has_perm(p, PROCESS__SETFSCREATE);
5578 else if (!strcmp(name, "keycreate"))
5579 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5580 else if (!strcmp(name, "sockcreate"))
5581 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5582 else if (!strcmp(name, "current"))
5583 error = current_has_perm(p, PROCESS__SETCURRENT);
5589 /* Obtain a SID for the context, if one was specified. */
5590 if (size && str[1] && str[1] != '\n') {
5591 if (str[size-1] == '\n') {
5595 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5596 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5597 if (!capable(CAP_MAC_ADMIN)) {
5598 struct audit_buffer *ab;
5601 /* We strip a nul only if it is at the end, otherwise the
5602 * context contains a nul and we should audit that */
5603 if (str[size - 1] == '\0')
5604 audit_size = size - 1;
5607 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5608 audit_log_format(ab, "op=fscreate invalid_context=");
5609 audit_log_n_untrustedstring(ab, value, audit_size);
5614 error = security_context_to_sid_force(value, size,
5621 new = prepare_creds();
5625 /* Permission checking based on the specified context is
5626 performed during the actual operation (execve,
5627 open/mkdir/...), when we know the full context of the
5628 operation. See selinux_bprm_set_creds for the execve
5629 checks and may_create for the file creation checks. The
5630 operation will then fail if the context is not permitted. */
5631 tsec = new->security;
5632 if (!strcmp(name, "exec")) {
5633 tsec->exec_sid = sid;
5634 } else if (!strcmp(name, "fscreate")) {
5635 tsec->create_sid = sid;
5636 } else if (!strcmp(name, "keycreate")) {
5637 error = may_create_key(sid, p);
5640 tsec->keycreate_sid = sid;
5641 } else if (!strcmp(name, "sockcreate")) {
5642 tsec->sockcreate_sid = sid;
5643 } else if (!strcmp(name, "current")) {
5648 /* Only allow single threaded processes to change context */
5650 if (!current_is_single_threaded()) {
5651 error = security_bounded_transition(tsec->sid, sid);
5656 /* Check permissions for the transition. */
5657 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5658 PROCESS__DYNTRANSITION, NULL);
5662 /* Check for ptracing, and update the task SID if ok.
5663 Otherwise, leave SID unchanged and fail. */
5666 tracer = ptrace_parent(p);
5668 ptsid = task_sid(tracer);
5672 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5673 PROCESS__PTRACE, NULL);
5692 static int selinux_ismaclabel(const char *name)
5694 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5697 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5699 return security_sid_to_context(secid, secdata, seclen);
5702 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5704 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5707 static void selinux_release_secctx(char *secdata, u32 seclen)
5713 * called with inode->i_mutex locked
5715 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5717 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5721 * called with inode->i_mutex locked
5723 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5725 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5728 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5731 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5740 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5741 unsigned long flags)
5743 const struct task_security_struct *tsec;
5744 struct key_security_struct *ksec;
5746 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5750 tsec = cred->security;
5751 if (tsec->keycreate_sid)
5752 ksec->sid = tsec->keycreate_sid;
5754 ksec->sid = tsec->sid;
5760 static void selinux_key_free(struct key *k)
5762 struct key_security_struct *ksec = k->security;
5768 static int selinux_key_permission(key_ref_t key_ref,
5769 const struct cred *cred,
5773 struct key_security_struct *ksec;
5776 /* if no specific permissions are requested, we skip the
5777 permission check. No serious, additional covert channels
5778 appear to be created. */
5782 sid = cred_sid(cred);
5784 key = key_ref_to_ptr(key_ref);
5785 ksec = key->security;
5787 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5790 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5792 struct key_security_struct *ksec = key->security;
5793 char *context = NULL;
5797 rc = security_sid_to_context(ksec->sid, &context, &len);
5806 static struct security_operations selinux_ops = {
5809 .ptrace_access_check = selinux_ptrace_access_check,
5810 .ptrace_traceme = selinux_ptrace_traceme,
5811 .capget = selinux_capget,
5812 .capset = selinux_capset,
5813 .capable = selinux_capable,
5814 .quotactl = selinux_quotactl,
5815 .quota_on = selinux_quota_on,
5816 .syslog = selinux_syslog,
5817 .vm_enough_memory = selinux_vm_enough_memory,
5819 .netlink_send = selinux_netlink_send,
5821 .bprm_set_creds = selinux_bprm_set_creds,
5822 .bprm_committing_creds = selinux_bprm_committing_creds,
5823 .bprm_committed_creds = selinux_bprm_committed_creds,
5824 .bprm_secureexec = selinux_bprm_secureexec,
5826 .sb_alloc_security = selinux_sb_alloc_security,
5827 .sb_free_security = selinux_sb_free_security,
5828 .sb_copy_data = selinux_sb_copy_data,
5829 .sb_remount = selinux_sb_remount,
5830 .sb_kern_mount = selinux_sb_kern_mount,
5831 .sb_show_options = selinux_sb_show_options,
5832 .sb_statfs = selinux_sb_statfs,
5833 .sb_mount = selinux_mount,
5834 .sb_umount = selinux_umount,
5835 .sb_set_mnt_opts = selinux_set_mnt_opts,
5836 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5837 .sb_parse_opts_str = selinux_parse_opts_str,
5839 .dentry_init_security = selinux_dentry_init_security,
5841 .inode_alloc_security = selinux_inode_alloc_security,
5842 .inode_free_security = selinux_inode_free_security,
5843 .inode_init_security = selinux_inode_init_security,
5844 .inode_create = selinux_inode_create,
5845 .inode_link = selinux_inode_link,
5846 .inode_unlink = selinux_inode_unlink,
5847 .inode_symlink = selinux_inode_symlink,
5848 .inode_mkdir = selinux_inode_mkdir,
5849 .inode_rmdir = selinux_inode_rmdir,
5850 .inode_mknod = selinux_inode_mknod,
5851 .inode_rename = selinux_inode_rename,
5852 .inode_readlink = selinux_inode_readlink,
5853 .inode_follow_link = selinux_inode_follow_link,
5854 .inode_permission = selinux_inode_permission,
5855 .inode_setattr = selinux_inode_setattr,
5856 .inode_getattr = selinux_inode_getattr,
5857 .inode_setxattr = selinux_inode_setxattr,
5858 .inode_post_setxattr = selinux_inode_post_setxattr,
5859 .inode_getxattr = selinux_inode_getxattr,
5860 .inode_listxattr = selinux_inode_listxattr,
5861 .inode_removexattr = selinux_inode_removexattr,
5862 .inode_getsecurity = selinux_inode_getsecurity,
5863 .inode_setsecurity = selinux_inode_setsecurity,
5864 .inode_listsecurity = selinux_inode_listsecurity,
5865 .inode_getsecid = selinux_inode_getsecid,
5867 .file_permission = selinux_file_permission,
5868 .file_alloc_security = selinux_file_alloc_security,
5869 .file_free_security = selinux_file_free_security,
5870 .file_ioctl = selinux_file_ioctl,
5871 .mmap_file = selinux_mmap_file,
5872 .mmap_addr = selinux_mmap_addr,
5873 .file_mprotect = selinux_file_mprotect,
5874 .file_lock = selinux_file_lock,
5875 .file_fcntl = selinux_file_fcntl,
5876 .file_set_fowner = selinux_file_set_fowner,
5877 .file_send_sigiotask = selinux_file_send_sigiotask,
5878 .file_receive = selinux_file_receive,
5880 .file_open = selinux_file_open,
5882 .task_create = selinux_task_create,
5883 .cred_alloc_blank = selinux_cred_alloc_blank,
5884 .cred_free = selinux_cred_free,
5885 .cred_prepare = selinux_cred_prepare,
5886 .cred_transfer = selinux_cred_transfer,
5887 .kernel_act_as = selinux_kernel_act_as,
5888 .kernel_create_files_as = selinux_kernel_create_files_as,
5889 .kernel_module_request = selinux_kernel_module_request,
5890 .task_setpgid = selinux_task_setpgid,
5891 .task_getpgid = selinux_task_getpgid,
5892 .task_getsid = selinux_task_getsid,
5893 .task_getsecid = selinux_task_getsecid,
5894 .task_setnice = selinux_task_setnice,
5895 .task_setioprio = selinux_task_setioprio,
5896 .task_getioprio = selinux_task_getioprio,
5897 .task_setrlimit = selinux_task_setrlimit,
5898 .task_setscheduler = selinux_task_setscheduler,
5899 .task_getscheduler = selinux_task_getscheduler,
5900 .task_movememory = selinux_task_movememory,
5901 .task_kill = selinux_task_kill,
5902 .task_wait = selinux_task_wait,
5903 .task_to_inode = selinux_task_to_inode,
5905 .ipc_permission = selinux_ipc_permission,
5906 .ipc_getsecid = selinux_ipc_getsecid,
5908 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5909 .msg_msg_free_security = selinux_msg_msg_free_security,
5911 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5912 .msg_queue_free_security = selinux_msg_queue_free_security,
5913 .msg_queue_associate = selinux_msg_queue_associate,
5914 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5915 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5916 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5918 .shm_alloc_security = selinux_shm_alloc_security,
5919 .shm_free_security = selinux_shm_free_security,
5920 .shm_associate = selinux_shm_associate,
5921 .shm_shmctl = selinux_shm_shmctl,
5922 .shm_shmat = selinux_shm_shmat,
5924 .sem_alloc_security = selinux_sem_alloc_security,
5925 .sem_free_security = selinux_sem_free_security,
5926 .sem_associate = selinux_sem_associate,
5927 .sem_semctl = selinux_sem_semctl,
5928 .sem_semop = selinux_sem_semop,
5930 .d_instantiate = selinux_d_instantiate,
5932 .getprocattr = selinux_getprocattr,
5933 .setprocattr = selinux_setprocattr,
5935 .ismaclabel = selinux_ismaclabel,
5936 .secid_to_secctx = selinux_secid_to_secctx,
5937 .secctx_to_secid = selinux_secctx_to_secid,
5938 .release_secctx = selinux_release_secctx,
5939 .inode_notifysecctx = selinux_inode_notifysecctx,
5940 .inode_setsecctx = selinux_inode_setsecctx,
5941 .inode_getsecctx = selinux_inode_getsecctx,
5943 .unix_stream_connect = selinux_socket_unix_stream_connect,
5944 .unix_may_send = selinux_socket_unix_may_send,
5946 .socket_create = selinux_socket_create,
5947 .socket_post_create = selinux_socket_post_create,
5948 .socket_bind = selinux_socket_bind,
5949 .socket_connect = selinux_socket_connect,
5950 .socket_listen = selinux_socket_listen,
5951 .socket_accept = selinux_socket_accept,
5952 .socket_sendmsg = selinux_socket_sendmsg,
5953 .socket_recvmsg = selinux_socket_recvmsg,
5954 .socket_getsockname = selinux_socket_getsockname,
5955 .socket_getpeername = selinux_socket_getpeername,
5956 .socket_getsockopt = selinux_socket_getsockopt,
5957 .socket_setsockopt = selinux_socket_setsockopt,
5958 .socket_shutdown = selinux_socket_shutdown,
5959 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5960 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5961 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5962 .sk_alloc_security = selinux_sk_alloc_security,
5963 .sk_free_security = selinux_sk_free_security,
5964 .sk_clone_security = selinux_sk_clone_security,
5965 .sk_getsecid = selinux_sk_getsecid,
5966 .sock_graft = selinux_sock_graft,
5967 .inet_conn_request = selinux_inet_conn_request,
5968 .inet_csk_clone = selinux_inet_csk_clone,
5969 .inet_conn_established = selinux_inet_conn_established,
5970 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5971 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5972 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5973 .req_classify_flow = selinux_req_classify_flow,
5974 .tun_dev_alloc_security = selinux_tun_dev_alloc_security,
5975 .tun_dev_free_security = selinux_tun_dev_free_security,
5976 .tun_dev_create = selinux_tun_dev_create,
5977 .tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5978 .tun_dev_attach = selinux_tun_dev_attach,
5979 .tun_dev_open = selinux_tun_dev_open,
5980 .skb_owned_by = selinux_skb_owned_by,
5982 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5983 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5984 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5985 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5986 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5987 .xfrm_state_alloc = selinux_xfrm_state_alloc,
5988 .xfrm_state_alloc_acquire = selinux_xfrm_state_alloc_acquire,
5989 .xfrm_state_free_security = selinux_xfrm_state_free,
5990 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5991 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5992 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5993 .xfrm_decode_session = selinux_xfrm_decode_session,
5997 .key_alloc = selinux_key_alloc,
5998 .key_free = selinux_key_free,
5999 .key_permission = selinux_key_permission,
6000 .key_getsecurity = selinux_key_getsecurity,
6004 .audit_rule_init = selinux_audit_rule_init,
6005 .audit_rule_known = selinux_audit_rule_known,
6006 .audit_rule_match = selinux_audit_rule_match,
6007 .audit_rule_free = selinux_audit_rule_free,
6011 static __init int selinux_init(void)
6013 if (!security_module_enable(&selinux_ops)) {
6014 selinux_enabled = 0;
6018 if (!selinux_enabled) {
6019 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6023 printk(KERN_INFO "SELinux: Initializing.\n");
6025 /* Set the security state for the initial task. */
6026 cred_init_security();
6028 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6030 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6031 sizeof(struct inode_security_struct),
6032 0, SLAB_PANIC, NULL);
6035 if (register_security(&selinux_ops))
6036 panic("SELinux: Unable to register with kernel.\n");
6038 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6039 panic("SELinux: Unable to register AVC netcache callback\n");
6041 if (selinux_enforcing)
6042 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6044 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6049 static void delayed_superblock_init(struct super_block *sb, void *unused)
6051 superblock_doinit(sb, NULL);
6054 void selinux_complete_init(void)
6056 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6058 /* Set up any superblocks initialized prior to the policy load. */
6059 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6060 iterate_supers(delayed_superblock_init, NULL);
6063 /* SELinux requires early initialization in order to label
6064 all processes and objects when they are created. */
6065 security_initcall(selinux_init);
6067 #if defined(CONFIG_NETFILTER)
6069 static struct nf_hook_ops selinux_nf_ops[] = {
6071 .hook = selinux_ipv4_postroute,
6072 .owner = THIS_MODULE,
6074 .hooknum = NF_INET_POST_ROUTING,
6075 .priority = NF_IP_PRI_SELINUX_LAST,
6078 .hook = selinux_ipv4_forward,
6079 .owner = THIS_MODULE,
6081 .hooknum = NF_INET_FORWARD,
6082 .priority = NF_IP_PRI_SELINUX_FIRST,
6085 .hook = selinux_ipv4_output,
6086 .owner = THIS_MODULE,
6088 .hooknum = NF_INET_LOCAL_OUT,
6089 .priority = NF_IP_PRI_SELINUX_FIRST,
6091 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
6093 .hook = selinux_ipv6_postroute,
6094 .owner = THIS_MODULE,
6096 .hooknum = NF_INET_POST_ROUTING,
6097 .priority = NF_IP6_PRI_SELINUX_LAST,
6100 .hook = selinux_ipv6_forward,
6101 .owner = THIS_MODULE,
6103 .hooknum = NF_INET_FORWARD,
6104 .priority = NF_IP6_PRI_SELINUX_FIRST,
6109 static int __init selinux_nf_ip_init(void)
6113 if (!selinux_enabled)
6116 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6118 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6120 panic("SELinux: nf_register_hooks: error %d\n", err);
6125 __initcall(selinux_nf_ip_init);
6127 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6128 static void selinux_nf_ip_exit(void)
6130 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6132 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6136 #else /* CONFIG_NETFILTER */
6138 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6139 #define selinux_nf_ip_exit()
6142 #endif /* CONFIG_NETFILTER */
6144 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6145 static int selinux_disabled;
6147 int selinux_disable(void)
6149 if (ss_initialized) {
6150 /* Not permitted after initial policy load. */
6154 if (selinux_disabled) {
6155 /* Only do this once. */
6159 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6161 selinux_disabled = 1;
6162 selinux_enabled = 0;
6164 reset_security_ops();
6166 /* Try to destroy the avc node cache */
6169 /* Unregister netfilter hooks. */
6170 selinux_nf_ip_exit();
6172 /* Unregister selinuxfs. */
projects / linux-beck.git / blob