2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
103 static int __init enforcing_setup(char *str)
105 unsigned long enforcing;
106 if (!kstrtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
110 __setup("enforcing=", enforcing_setup);
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116 static int __init selinux_enabled_setup(char *str)
118 unsigned long enabled;
119 if (!kstrtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
123 __setup("selinux=", selinux_enabled_setup);
125 int selinux_enabled = 1;
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
142 static int selinux_secmark_enabled(void)
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
157 static int selinux_peerlbl_enabled(void)
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162 static int selinux_netcache_avc_callback(u32 event)
164 if (event == AVC_CALLBACK_RESET) {
174 * initialise the security for the init task
176 static void cred_init_security(void)
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
183 panic("SELinux: Failed to initialize initial task.\n");
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
190 * get the security ID of a set of credentials
192 static inline u32 cred_sid(const struct cred *cred)
194 const struct task_security_struct *tsec;
196 tsec = cred->security;
201 * get the objective security ID of a task
203 static inline u32 task_sid(const struct task_struct *task)
208 sid = cred_sid(__task_cred(task));
214 * get the subjective security ID of the current task
216 static inline u32 current_sid(void)
218 const struct task_security_struct *tsec = current_security();
223 /* Allocate and free functions for each kind of security blob. */
225 static int inode_alloc_security(struct inode *inode)
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
234 spin_lock_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 isec->initialized = LABEL_INVALID;
241 inode->i_security = isec;
246 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
249 * Try reloading inode security labels that have been marked as invalid. The
250 * @may_sleep parameter indicates when sleeping and thus reloading labels is
251 * allowed; when set to false, returns -ECHILD when the label is
252 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
253 * when no dentry is available, set it to NULL instead.
255 static int __inode_security_revalidate(struct inode *inode,
256 struct dentry *opt_dentry,
259 struct inode_security_struct *isec = inode->i_security;
261 might_sleep_if(may_sleep);
263 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
268 * Try reloading the inode security label. This will fail if
269 * @opt_dentry is NULL and no dentry for this inode can be
270 * found; in that case, continue using the old label.
272 inode_doinit_with_dentry(inode, opt_dentry);
277 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
279 return inode->i_security;
282 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
286 error = __inode_security_revalidate(inode, NULL, !rcu);
288 return ERR_PTR(error);
289 return inode->i_security;
293 * Get the security label of an inode.
295 static struct inode_security_struct *inode_security(struct inode *inode)
297 __inode_security_revalidate(inode, NULL, true);
298 return inode->i_security;
301 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
303 struct inode *inode = d_backing_inode(dentry);
305 return inode->i_security;
309 * Get the security label of a dentry's backing inode.
311 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
313 struct inode *inode = d_backing_inode(dentry);
315 __inode_security_revalidate(inode, dentry, true);
316 return inode->i_security;
319 static void inode_free_rcu(struct rcu_head *head)
321 struct inode_security_struct *isec;
323 isec = container_of(head, struct inode_security_struct, rcu);
324 kmem_cache_free(sel_inode_cache, isec);
327 static void inode_free_security(struct inode *inode)
329 struct inode_security_struct *isec = inode->i_security;
330 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
333 * As not all inode security structures are in a list, we check for
334 * empty list outside of the lock to make sure that we won't waste
335 * time taking a lock doing nothing.
337 * The list_del_init() function can be safely called more than once.
338 * It should not be possible for this function to be called with
339 * concurrent list_add(), but for better safety against future changes
340 * in the code, we use list_empty_careful() here.
342 if (!list_empty_careful(&isec->list)) {
343 spin_lock(&sbsec->isec_lock);
344 list_del_init(&isec->list);
345 spin_unlock(&sbsec->isec_lock);
349 * The inode may still be referenced in a path walk and
350 * a call to selinux_inode_permission() can be made
351 * after inode_free_security() is called. Ideally, the VFS
352 * wouldn't do this, but fixing that is a much harder
353 * job. For now, simply free the i_security via RCU, and
354 * leave the current inode->i_security pointer intact.
355 * The inode will be freed after the RCU grace period too.
357 call_rcu(&isec->rcu, inode_free_rcu);
360 static int file_alloc_security(struct file *file)
362 struct file_security_struct *fsec;
363 u32 sid = current_sid();
365 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
370 fsec->fown_sid = sid;
371 file->f_security = fsec;
376 static void file_free_security(struct file *file)
378 struct file_security_struct *fsec = file->f_security;
379 file->f_security = NULL;
380 kmem_cache_free(file_security_cache, fsec);
383 static int superblock_alloc_security(struct super_block *sb)
385 struct superblock_security_struct *sbsec;
387 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
391 mutex_init(&sbsec->lock);
392 INIT_LIST_HEAD(&sbsec->isec_head);
393 spin_lock_init(&sbsec->isec_lock);
395 sbsec->sid = SECINITSID_UNLABELED;
396 sbsec->def_sid = SECINITSID_FILE;
397 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
398 sb->s_security = sbsec;
403 static void superblock_free_security(struct super_block *sb)
405 struct superblock_security_struct *sbsec = sb->s_security;
406 sb->s_security = NULL;
410 /* The file system's label must be initialized prior to use. */
412 static const char *labeling_behaviors[7] = {
414 "uses transition SIDs",
416 "uses genfs_contexts",
417 "not configured for labeling",
418 "uses mountpoint labeling",
419 "uses native labeling",
422 static inline int inode_doinit(struct inode *inode)
424 return inode_doinit_with_dentry(inode, NULL);
433 Opt_labelsupport = 5,
437 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
439 static const match_table_t tokens = {
440 {Opt_context, CONTEXT_STR "%s"},
441 {Opt_fscontext, FSCONTEXT_STR "%s"},
442 {Opt_defcontext, DEFCONTEXT_STR "%s"},
443 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
444 {Opt_labelsupport, LABELSUPP_STR},
448 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
450 static int may_context_mount_sb_relabel(u32 sid,
451 struct superblock_security_struct *sbsec,
452 const struct cred *cred)
454 const struct task_security_struct *tsec = cred->security;
457 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
458 FILESYSTEM__RELABELFROM, NULL);
462 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
463 FILESYSTEM__RELABELTO, NULL);
467 static int may_context_mount_inode_relabel(u32 sid,
468 struct superblock_security_struct *sbsec,
469 const struct cred *cred)
471 const struct task_security_struct *tsec = cred->security;
473 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
474 FILESYSTEM__RELABELFROM, NULL);
478 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
479 FILESYSTEM__ASSOCIATE, NULL);
483 static int selinux_is_sblabel_mnt(struct super_block *sb)
485 struct superblock_security_struct *sbsec = sb->s_security;
487 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
488 sbsec->behavior == SECURITY_FS_USE_TRANS ||
489 sbsec->behavior == SECURITY_FS_USE_TASK ||
490 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
491 /* Special handling. Genfs but also in-core setxattr handler */
492 !strcmp(sb->s_type->name, "sysfs") ||
493 !strcmp(sb->s_type->name, "pstore") ||
494 !strcmp(sb->s_type->name, "debugfs") ||
495 !strcmp(sb->s_type->name, "tracefs") ||
496 !strcmp(sb->s_type->name, "rootfs");
499 static int sb_finish_set_opts(struct super_block *sb)
501 struct superblock_security_struct *sbsec = sb->s_security;
502 struct dentry *root = sb->s_root;
503 struct inode *root_inode = d_backing_inode(root);
506 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
507 /* Make sure that the xattr handler exists and that no
508 error other than -ENODATA is returned by getxattr on
509 the root directory. -ENODATA is ok, as this may be
510 the first boot of the SELinux kernel before we have
511 assigned xattr values to the filesystem. */
512 if (!(root_inode->i_opflags & IOP_XATTR)) {
513 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
514 "xattr support\n", sb->s_id, sb->s_type->name);
519 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
520 if (rc < 0 && rc != -ENODATA) {
521 if (rc == -EOPNOTSUPP)
522 printk(KERN_WARNING "SELinux: (dev %s, type "
523 "%s) has no security xattr handler\n",
524 sb->s_id, sb->s_type->name);
526 printk(KERN_WARNING "SELinux: (dev %s, type "
527 "%s) getxattr errno %d\n", sb->s_id,
528 sb->s_type->name, -rc);
533 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
534 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
535 sb->s_id, sb->s_type->name);
537 sbsec->flags |= SE_SBINITIALIZED;
538 if (selinux_is_sblabel_mnt(sb))
539 sbsec->flags |= SBLABEL_MNT;
541 /* Initialize the root inode. */
542 rc = inode_doinit_with_dentry(root_inode, root);
544 /* Initialize any other inodes associated with the superblock, e.g.
545 inodes created prior to initial policy load or inodes created
546 during get_sb by a pseudo filesystem that directly
548 spin_lock(&sbsec->isec_lock);
550 if (!list_empty(&sbsec->isec_head)) {
551 struct inode_security_struct *isec =
552 list_entry(sbsec->isec_head.next,
553 struct inode_security_struct, list);
554 struct inode *inode = isec->inode;
555 list_del_init(&isec->list);
556 spin_unlock(&sbsec->isec_lock);
557 inode = igrab(inode);
559 if (!IS_PRIVATE(inode))
563 spin_lock(&sbsec->isec_lock);
566 spin_unlock(&sbsec->isec_lock);
572 * This function should allow an FS to ask what it's mount security
573 * options were so it can use those later for submounts, displaying
574 * mount options, or whatever.
576 static int selinux_get_mnt_opts(const struct super_block *sb,
577 struct security_mnt_opts *opts)
580 struct superblock_security_struct *sbsec = sb->s_security;
581 char *context = NULL;
585 security_init_mnt_opts(opts);
587 if (!(sbsec->flags & SE_SBINITIALIZED))
593 /* make sure we always check enough bits to cover the mask */
594 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
596 tmp = sbsec->flags & SE_MNTMASK;
597 /* count the number of mount options for this sb */
598 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
600 opts->num_mnt_opts++;
603 /* Check if the Label support flag is set */
604 if (sbsec->flags & SBLABEL_MNT)
605 opts->num_mnt_opts++;
607 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
608 if (!opts->mnt_opts) {
613 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
614 if (!opts->mnt_opts_flags) {
620 if (sbsec->flags & FSCONTEXT_MNT) {
621 rc = security_sid_to_context(sbsec->sid, &context, &len);
624 opts->mnt_opts[i] = context;
625 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
627 if (sbsec->flags & CONTEXT_MNT) {
628 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
631 opts->mnt_opts[i] = context;
632 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
634 if (sbsec->flags & DEFCONTEXT_MNT) {
635 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
638 opts->mnt_opts[i] = context;
639 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
641 if (sbsec->flags & ROOTCONTEXT_MNT) {
642 struct dentry *root = sbsec->sb->s_root;
643 struct inode_security_struct *isec = backing_inode_security(root);
645 rc = security_sid_to_context(isec->sid, &context, &len);
648 opts->mnt_opts[i] = context;
649 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
651 if (sbsec->flags & SBLABEL_MNT) {
652 opts->mnt_opts[i] = NULL;
653 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
656 BUG_ON(i != opts->num_mnt_opts);
661 security_free_mnt_opts(opts);
665 static int bad_option(struct superblock_security_struct *sbsec, char flag,
666 u32 old_sid, u32 new_sid)
668 char mnt_flags = sbsec->flags & SE_MNTMASK;
670 /* check if the old mount command had the same options */
671 if (sbsec->flags & SE_SBINITIALIZED)
672 if (!(sbsec->flags & flag) ||
673 (old_sid != new_sid))
676 /* check if we were passed the same options twice,
677 * aka someone passed context=a,context=b
679 if (!(sbsec->flags & SE_SBINITIALIZED))
680 if (mnt_flags & flag)
686 * Allow filesystems with binary mount data to explicitly set mount point
687 * labeling information.
689 static int selinux_set_mnt_opts(struct super_block *sb,
690 struct security_mnt_opts *opts,
691 unsigned long kern_flags,
692 unsigned long *set_kern_flags)
694 const struct cred *cred = current_cred();
696 struct superblock_security_struct *sbsec = sb->s_security;
697 const char *name = sb->s_type->name;
698 struct dentry *root = sbsec->sb->s_root;
699 struct inode_security_struct *root_isec;
700 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
701 u32 defcontext_sid = 0;
702 char **mount_options = opts->mnt_opts;
703 int *flags = opts->mnt_opts_flags;
704 int num_opts = opts->num_mnt_opts;
706 mutex_lock(&sbsec->lock);
708 if (!ss_initialized) {
710 /* Defer initialization until selinux_complete_init,
711 after the initial policy is loaded and the security
712 server is ready to handle calls. */
716 printk(KERN_WARNING "SELinux: Unable to set superblock options "
717 "before the security server is initialized\n");
720 if (kern_flags && !set_kern_flags) {
721 /* Specifying internal flags without providing a place to
722 * place the results is not allowed */
728 * Binary mount data FS will come through this function twice. Once
729 * from an explicit call and once from the generic calls from the vfs.
730 * Since the generic VFS calls will not contain any security mount data
731 * we need to skip the double mount verification.
733 * This does open a hole in which we will not notice if the first
734 * mount using this sb set explict options and a second mount using
735 * this sb does not set any security options. (The first options
736 * will be used for both mounts)
738 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
742 root_isec = backing_inode_security_novalidate(root);
745 * parse the mount options, check if they are valid sids.
746 * also check if someone is trying to mount the same sb more
747 * than once with different security options.
749 for (i = 0; i < num_opts; i++) {
752 if (flags[i] == SBLABEL_MNT)
754 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
756 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
757 "(%s) failed for (dev %s, type %s) errno=%d\n",
758 mount_options[i], sb->s_id, name, rc);
765 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
767 goto out_double_mount;
769 sbsec->flags |= FSCONTEXT_MNT;
774 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
776 goto out_double_mount;
778 sbsec->flags |= CONTEXT_MNT;
780 case ROOTCONTEXT_MNT:
781 rootcontext_sid = sid;
783 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
785 goto out_double_mount;
787 sbsec->flags |= ROOTCONTEXT_MNT;
791 defcontext_sid = sid;
793 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
795 goto out_double_mount;
797 sbsec->flags |= DEFCONTEXT_MNT;
806 if (sbsec->flags & SE_SBINITIALIZED) {
807 /* previously mounted with options, but not on this attempt? */
808 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
809 goto out_double_mount;
814 if (strcmp(sb->s_type->name, "proc") == 0)
815 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
817 if (!strcmp(sb->s_type->name, "debugfs") ||
818 !strcmp(sb->s_type->name, "sysfs") ||
819 !strcmp(sb->s_type->name, "pstore"))
820 sbsec->flags |= SE_SBGENFS;
822 if (!sbsec->behavior) {
824 * Determine the labeling behavior to use for this
827 rc = security_fs_use(sb);
830 "%s: security_fs_use(%s) returned %d\n",
831 __func__, sb->s_type->name, rc);
837 * If this is a user namespace mount, no contexts are allowed
838 * on the command line and security labels must be ignored.
840 if (sb->s_user_ns != &init_user_ns) {
841 if (context_sid || fscontext_sid || rootcontext_sid ||
846 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
847 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
848 rc = security_transition_sid(current_sid(), current_sid(),
850 &sbsec->mntpoint_sid);
857 /* sets the context of the superblock for the fs being mounted. */
859 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
863 sbsec->sid = fscontext_sid;
867 * Switch to using mount point labeling behavior.
868 * sets the label used on all file below the mountpoint, and will set
869 * the superblock context if not already set.
871 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
872 sbsec->behavior = SECURITY_FS_USE_NATIVE;
873 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
877 if (!fscontext_sid) {
878 rc = may_context_mount_sb_relabel(context_sid, sbsec,
882 sbsec->sid = context_sid;
884 rc = may_context_mount_inode_relabel(context_sid, sbsec,
889 if (!rootcontext_sid)
890 rootcontext_sid = context_sid;
892 sbsec->mntpoint_sid = context_sid;
893 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
896 if (rootcontext_sid) {
897 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
902 root_isec->sid = rootcontext_sid;
903 root_isec->initialized = LABEL_INITIALIZED;
906 if (defcontext_sid) {
907 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
908 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
910 printk(KERN_WARNING "SELinux: defcontext option is "
911 "invalid for this filesystem type\n");
915 if (defcontext_sid != sbsec->def_sid) {
916 rc = may_context_mount_inode_relabel(defcontext_sid,
922 sbsec->def_sid = defcontext_sid;
926 rc = sb_finish_set_opts(sb);
928 mutex_unlock(&sbsec->lock);
932 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
933 "security settings for (dev %s, type %s)\n", sb->s_id, name);
937 static int selinux_cmp_sb_context(const struct super_block *oldsb,
938 const struct super_block *newsb)
940 struct superblock_security_struct *old = oldsb->s_security;
941 struct superblock_security_struct *new = newsb->s_security;
942 char oldflags = old->flags & SE_MNTMASK;
943 char newflags = new->flags & SE_MNTMASK;
945 if (oldflags != newflags)
947 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
949 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
951 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
953 if (oldflags & ROOTCONTEXT_MNT) {
954 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
955 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
956 if (oldroot->sid != newroot->sid)
961 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
962 "different security settings for (dev %s, "
963 "type %s)\n", newsb->s_id, newsb->s_type->name);
967 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
968 struct super_block *newsb)
970 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
971 struct superblock_security_struct *newsbsec = newsb->s_security;
973 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
974 int set_context = (oldsbsec->flags & CONTEXT_MNT);
975 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
978 * if the parent was able to be mounted it clearly had no special lsm
979 * mount options. thus we can safely deal with this superblock later
984 /* how can we clone if the old one wasn't set up?? */
985 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
987 /* if fs is reusing a sb, make sure that the contexts match */
988 if (newsbsec->flags & SE_SBINITIALIZED)
989 return selinux_cmp_sb_context(oldsb, newsb);
991 mutex_lock(&newsbsec->lock);
993 newsbsec->flags = oldsbsec->flags;
995 newsbsec->sid = oldsbsec->sid;
996 newsbsec->def_sid = oldsbsec->def_sid;
997 newsbsec->behavior = oldsbsec->behavior;
1000 u32 sid = oldsbsec->mntpoint_sid;
1003 newsbsec->sid = sid;
1004 if (!set_rootcontext) {
1005 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1008 newsbsec->mntpoint_sid = sid;
1010 if (set_rootcontext) {
1011 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1012 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1014 newisec->sid = oldisec->sid;
1017 sb_finish_set_opts(newsb);
1018 mutex_unlock(&newsbsec->lock);
1022 static int selinux_parse_opts_str(char *options,
1023 struct security_mnt_opts *opts)
1026 char *context = NULL, *defcontext = NULL;
1027 char *fscontext = NULL, *rootcontext = NULL;
1028 int rc, num_mnt_opts = 0;
1030 opts->num_mnt_opts = 0;
1032 /* Standard string-based options. */
1033 while ((p = strsep(&options, "|")) != NULL) {
1035 substring_t args[MAX_OPT_ARGS];
1040 token = match_token(p, tokens, args);
1044 if (context || defcontext) {
1046 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1049 context = match_strdup(&args[0]);
1059 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1062 fscontext = match_strdup(&args[0]);
1069 case Opt_rootcontext:
1072 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1075 rootcontext = match_strdup(&args[0]);
1082 case Opt_defcontext:
1083 if (context || defcontext) {
1085 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1088 defcontext = match_strdup(&args[0]);
1094 case Opt_labelsupport:
1098 printk(KERN_WARNING "SELinux: unknown mount option\n");
1105 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1106 if (!opts->mnt_opts)
1109 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1111 if (!opts->mnt_opts_flags) {
1112 kfree(opts->mnt_opts);
1117 opts->mnt_opts[num_mnt_opts] = fscontext;
1118 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1121 opts->mnt_opts[num_mnt_opts] = context;
1122 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1125 opts->mnt_opts[num_mnt_opts] = rootcontext;
1126 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1129 opts->mnt_opts[num_mnt_opts] = defcontext;
1130 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1133 opts->num_mnt_opts = num_mnt_opts;
1144 * string mount options parsing and call set the sbsec
1146 static int superblock_doinit(struct super_block *sb, void *data)
1149 char *options = data;
1150 struct security_mnt_opts opts;
1152 security_init_mnt_opts(&opts);
1157 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1159 rc = selinux_parse_opts_str(options, &opts);
1164 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1167 security_free_mnt_opts(&opts);
1171 static void selinux_write_opts(struct seq_file *m,
1172 struct security_mnt_opts *opts)
1177 for (i = 0; i < opts->num_mnt_opts; i++) {
1180 if (opts->mnt_opts[i])
1181 has_comma = strchr(opts->mnt_opts[i], ',');
1185 switch (opts->mnt_opts_flags[i]) {
1187 prefix = CONTEXT_STR;
1190 prefix = FSCONTEXT_STR;
1192 case ROOTCONTEXT_MNT:
1193 prefix = ROOTCONTEXT_STR;
1195 case DEFCONTEXT_MNT:
1196 prefix = DEFCONTEXT_STR;
1200 seq_puts(m, LABELSUPP_STR);
1206 /* we need a comma before each option */
1208 seq_puts(m, prefix);
1211 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1217 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1219 struct security_mnt_opts opts;
1222 rc = selinux_get_mnt_opts(sb, &opts);
1224 /* before policy load we may get EINVAL, don't show anything */
1230 selinux_write_opts(m, &opts);
1232 security_free_mnt_opts(&opts);
1237 static inline u16 inode_mode_to_security_class(umode_t mode)
1239 switch (mode & S_IFMT) {
1241 return SECCLASS_SOCK_FILE;
1243 return SECCLASS_LNK_FILE;
1245 return SECCLASS_FILE;
1247 return SECCLASS_BLK_FILE;
1249 return SECCLASS_DIR;
1251 return SECCLASS_CHR_FILE;
1253 return SECCLASS_FIFO_FILE;
1257 return SECCLASS_FILE;
1260 static inline int default_protocol_stream(int protocol)
1262 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1265 static inline int default_protocol_dgram(int protocol)
1267 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1270 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1272 int extsockclass = selinux_policycap_extsockclass;
1278 case SOCK_SEQPACKET:
1279 return SECCLASS_UNIX_STREAM_SOCKET;
1281 return SECCLASS_UNIX_DGRAM_SOCKET;
1288 case SOCK_SEQPACKET:
1289 if (default_protocol_stream(protocol))
1290 return SECCLASS_TCP_SOCKET;
1291 else if (extsockclass && protocol == IPPROTO_SCTP)
1292 return SECCLASS_SCTP_SOCKET;
1294 return SECCLASS_RAWIP_SOCKET;
1296 if (default_protocol_dgram(protocol))
1297 return SECCLASS_UDP_SOCKET;
1298 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1299 protocol == IPPROTO_ICMPV6))
1300 return SECCLASS_ICMP_SOCKET;
1302 return SECCLASS_RAWIP_SOCKET;
1304 return SECCLASS_DCCP_SOCKET;
1306 return SECCLASS_RAWIP_SOCKET;
1312 return SECCLASS_NETLINK_ROUTE_SOCKET;
1313 case NETLINK_SOCK_DIAG:
1314 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1316 return SECCLASS_NETLINK_NFLOG_SOCKET;
1318 return SECCLASS_NETLINK_XFRM_SOCKET;
1319 case NETLINK_SELINUX:
1320 return SECCLASS_NETLINK_SELINUX_SOCKET;
1322 return SECCLASS_NETLINK_ISCSI_SOCKET;
1324 return SECCLASS_NETLINK_AUDIT_SOCKET;
1325 case NETLINK_FIB_LOOKUP:
1326 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1327 case NETLINK_CONNECTOR:
1328 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1329 case NETLINK_NETFILTER:
1330 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1331 case NETLINK_DNRTMSG:
1332 return SECCLASS_NETLINK_DNRT_SOCKET;
1333 case NETLINK_KOBJECT_UEVENT:
1334 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1335 case NETLINK_GENERIC:
1336 return SECCLASS_NETLINK_GENERIC_SOCKET;
1337 case NETLINK_SCSITRANSPORT:
1338 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1340 return SECCLASS_NETLINK_RDMA_SOCKET;
1341 case NETLINK_CRYPTO:
1342 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1344 return SECCLASS_NETLINK_SOCKET;
1347 return SECCLASS_PACKET_SOCKET;
1349 return SECCLASS_KEY_SOCKET;
1351 return SECCLASS_APPLETALK_SOCKET;
1357 return SECCLASS_AX25_SOCKET;
1359 return SECCLASS_IPX_SOCKET;
1361 return SECCLASS_NETROM_SOCKET;
1363 return SECCLASS_BRIDGE_SOCKET;
1365 return SECCLASS_ATMPVC_SOCKET;
1367 return SECCLASS_X25_SOCKET;
1369 return SECCLASS_ROSE_SOCKET;
1371 return SECCLASS_DECNET_SOCKET;
1373 return SECCLASS_ATMSVC_SOCKET;
1375 return SECCLASS_RDS_SOCKET;
1377 return SECCLASS_IRDA_SOCKET;
1379 return SECCLASS_PPPOX_SOCKET;
1381 return SECCLASS_LLC_SOCKET;
1383 return SECCLASS_IB_SOCKET;
1385 return SECCLASS_MPLS_SOCKET;
1387 return SECCLASS_CAN_SOCKET;
1389 return SECCLASS_TIPC_SOCKET;
1391 return SECCLASS_BLUETOOTH_SOCKET;
1393 return SECCLASS_IUCV_SOCKET;
1395 return SECCLASS_RXRPC_SOCKET;
1397 return SECCLASS_ISDN_SOCKET;
1399 return SECCLASS_PHONET_SOCKET;
1401 return SECCLASS_IEEE802154_SOCKET;
1403 return SECCLASS_CAIF_SOCKET;
1405 return SECCLASS_ALG_SOCKET;
1407 return SECCLASS_NFC_SOCKET;
1409 return SECCLASS_VSOCK_SOCKET;
1411 return SECCLASS_KCM_SOCKET;
1413 return SECCLASS_QIPCRTR_SOCKET;
1415 #error New address family defined, please update this function.
1420 return SECCLASS_SOCKET;
1423 static int selinux_genfs_get_sid(struct dentry *dentry,
1429 struct super_block *sb = dentry->d_sb;
1430 char *buffer, *path;
1432 buffer = (char *)__get_free_page(GFP_KERNEL);
1436 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1440 if (flags & SE_SBPROC) {
1441 /* each process gets a /proc/PID/ entry. Strip off the
1442 * PID part to get a valid selinux labeling.
1443 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1444 while (path[1] >= '0' && path[1] <= '9') {
1449 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1451 free_page((unsigned long)buffer);
1455 /* The inode's security attributes must be initialized before first use. */
1456 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1458 struct superblock_security_struct *sbsec = NULL;
1459 struct inode_security_struct *isec = inode->i_security;
1460 u32 task_sid, sid = 0;
1462 struct dentry *dentry;
1463 #define INITCONTEXTLEN 255
1464 char *context = NULL;
1468 if (isec->initialized == LABEL_INITIALIZED)
1471 spin_lock(&isec->lock);
1472 if (isec->initialized == LABEL_INITIALIZED)
1475 if (isec->sclass == SECCLASS_FILE)
1476 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1478 sbsec = inode->i_sb->s_security;
1479 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1480 /* Defer initialization until selinux_complete_init,
1481 after the initial policy is loaded and the security
1482 server is ready to handle calls. */
1483 spin_lock(&sbsec->isec_lock);
1484 if (list_empty(&isec->list))
1485 list_add(&isec->list, &sbsec->isec_head);
1486 spin_unlock(&sbsec->isec_lock);
1490 sclass = isec->sclass;
1491 task_sid = isec->task_sid;
1493 isec->initialized = LABEL_PENDING;
1494 spin_unlock(&isec->lock);
1496 switch (sbsec->behavior) {
1497 case SECURITY_FS_USE_NATIVE:
1499 case SECURITY_FS_USE_XATTR:
1500 if (!(inode->i_opflags & IOP_XATTR)) {
1501 sid = sbsec->def_sid;
1504 /* Need a dentry, since the xattr API requires one.
1505 Life would be simpler if we could just pass the inode. */
1507 /* Called from d_instantiate or d_splice_alias. */
1508 dentry = dget(opt_dentry);
1510 /* Called from selinux_complete_init, try to find a dentry. */
1511 dentry = d_find_alias(inode);
1515 * this is can be hit on boot when a file is accessed
1516 * before the policy is loaded. When we load policy we
1517 * may find inodes that have no dentry on the
1518 * sbsec->isec_head list. No reason to complain as these
1519 * will get fixed up the next time we go through
1520 * inode_doinit with a dentry, before these inodes could
1521 * be used again by userspace.
1526 len = INITCONTEXTLEN;
1527 context = kmalloc(len+1, GFP_NOFS);
1533 context[len] = '\0';
1534 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1535 if (rc == -ERANGE) {
1538 /* Need a larger buffer. Query for the right size. */
1539 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1545 context = kmalloc(len+1, GFP_NOFS);
1551 context[len] = '\0';
1552 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1556 if (rc != -ENODATA) {
1557 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1558 "%d for dev=%s ino=%ld\n", __func__,
1559 -rc, inode->i_sb->s_id, inode->i_ino);
1563 /* Map ENODATA to the default file SID */
1564 sid = sbsec->def_sid;
1567 rc = security_context_to_sid_default(context, rc, &sid,
1571 char *dev = inode->i_sb->s_id;
1572 unsigned long ino = inode->i_ino;
1574 if (rc == -EINVAL) {
1575 if (printk_ratelimit())
1576 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1577 "context=%s. This indicates you may need to relabel the inode or the "
1578 "filesystem in question.\n", ino, dev, context);
1580 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1581 "returned %d for dev=%s ino=%ld\n",
1582 __func__, context, -rc, dev, ino);
1585 /* Leave with the unlabeled SID */
1592 case SECURITY_FS_USE_TASK:
1595 case SECURITY_FS_USE_TRANS:
1596 /* Default to the fs SID. */
1599 /* Try to obtain a transition SID. */
1600 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1604 case SECURITY_FS_USE_MNTPOINT:
1605 sid = sbsec->mntpoint_sid;
1608 /* Default to the fs superblock SID. */
1611 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1612 /* We must have a dentry to determine the label on
1615 /* Called from d_instantiate or
1616 * d_splice_alias. */
1617 dentry = dget(opt_dentry);
1619 /* Called from selinux_complete_init, try to
1621 dentry = d_find_alias(inode);
1623 * This can be hit on boot when a file is accessed
1624 * before the policy is loaded. When we load policy we
1625 * may find inodes that have no dentry on the
1626 * sbsec->isec_head list. No reason to complain as
1627 * these will get fixed up the next time we go through
1628 * inode_doinit() with a dentry, before these inodes
1629 * could be used again by userspace.
1633 rc = selinux_genfs_get_sid(dentry, sclass,
1634 sbsec->flags, &sid);
1643 spin_lock(&isec->lock);
1644 if (isec->initialized == LABEL_PENDING) {
1646 isec->initialized = LABEL_INVALID;
1650 isec->initialized = LABEL_INITIALIZED;
1655 spin_unlock(&isec->lock);
1659 /* Convert a Linux signal to an access vector. */
1660 static inline u32 signal_to_av(int sig)
1666 /* Commonly granted from child to parent. */
1667 perm = PROCESS__SIGCHLD;
1670 /* Cannot be caught or ignored */
1671 perm = PROCESS__SIGKILL;
1674 /* Cannot be caught or ignored */
1675 perm = PROCESS__SIGSTOP;
1678 /* All other signals. */
1679 perm = PROCESS__SIGNAL;
1687 * Check permission between a pair of credentials
1688 * fork check, ptrace check, etc.
1690 static int cred_has_perm(const struct cred *actor,
1691 const struct cred *target,
1694 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1696 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1700 * Check permission between a pair of tasks, e.g. signal checks,
1701 * fork check, ptrace check, etc.
1702 * tsk1 is the actor and tsk2 is the target
1703 * - this uses the default subjective creds of tsk1
1705 static int task_has_perm(const struct task_struct *tsk1,
1706 const struct task_struct *tsk2,
1709 const struct task_security_struct *__tsec1, *__tsec2;
1713 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1714 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1716 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1720 * Check permission between current and another task, e.g. signal checks,
1721 * fork check, ptrace check, etc.
1722 * current is the actor and tsk2 is the target
1723 * - this uses current's subjective creds
1725 static int current_has_perm(const struct task_struct *tsk,
1730 sid = current_sid();
1731 tsid = task_sid(tsk);
1732 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1735 #if CAP_LAST_CAP > 63
1736 #error Fix SELinux to handle capabilities > 63.
1739 /* Check whether a task is allowed to use a capability. */
1740 static int cred_has_capability(const struct cred *cred,
1741 int cap, int audit, bool initns)
1743 struct common_audit_data ad;
1744 struct av_decision avd;
1746 u32 sid = cred_sid(cred);
1747 u32 av = CAP_TO_MASK(cap);
1750 ad.type = LSM_AUDIT_DATA_CAP;
1753 switch (CAP_TO_INDEX(cap)) {
1755 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1758 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1762 "SELinux: out of range capability %d\n", cap);
1767 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1768 if (audit == SECURITY_CAP_AUDIT) {
1769 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1776 /* Check whether a task is allowed to use a system operation. */
1777 static int task_has_system(struct task_struct *tsk,
1780 u32 sid = task_sid(tsk);
1782 return avc_has_perm(sid, SECINITSID_KERNEL,
1783 SECCLASS_SYSTEM, perms, NULL);
1786 /* Check whether a task has a particular permission to an inode.
1787 The 'adp' parameter is optional and allows other audit
1788 data to be passed (e.g. the dentry). */
1789 static int inode_has_perm(const struct cred *cred,
1790 struct inode *inode,
1792 struct common_audit_data *adp)
1794 struct inode_security_struct *isec;
1797 validate_creds(cred);
1799 if (unlikely(IS_PRIVATE(inode)))
1802 sid = cred_sid(cred);
1803 isec = inode->i_security;
1805 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1808 /* Same as inode_has_perm, but pass explicit audit data containing
1809 the dentry to help the auditing code to more easily generate the
1810 pathname if needed. */
1811 static inline int dentry_has_perm(const struct cred *cred,
1812 struct dentry *dentry,
1815 struct inode *inode = d_backing_inode(dentry);
1816 struct common_audit_data ad;
1818 ad.type = LSM_AUDIT_DATA_DENTRY;
1819 ad.u.dentry = dentry;
1820 __inode_security_revalidate(inode, dentry, true);
1821 return inode_has_perm(cred, inode, av, &ad);
1824 /* Same as inode_has_perm, but pass explicit audit data containing
1825 the path to help the auditing code to more easily generate the
1826 pathname if needed. */
1827 static inline int path_has_perm(const struct cred *cred,
1828 const struct path *path,
1831 struct inode *inode = d_backing_inode(path->dentry);
1832 struct common_audit_data ad;
1834 ad.type = LSM_AUDIT_DATA_PATH;
1836 __inode_security_revalidate(inode, path->dentry, true);
1837 return inode_has_perm(cred, inode, av, &ad);
1840 /* Same as path_has_perm, but uses the inode from the file struct. */
1841 static inline int file_path_has_perm(const struct cred *cred,
1845 struct common_audit_data ad;
1847 ad.type = LSM_AUDIT_DATA_FILE;
1849 return inode_has_perm(cred, file_inode(file), av, &ad);
1852 /* Check whether a task can use an open file descriptor to
1853 access an inode in a given way. Check access to the
1854 descriptor itself, and then use dentry_has_perm to
1855 check a particular permission to the file.
1856 Access to the descriptor is implicitly granted if it
1857 has the same SID as the process. If av is zero, then
1858 access to the file is not checked, e.g. for cases
1859 where only the descriptor is affected like seek. */
1860 static int file_has_perm(const struct cred *cred,
1864 struct file_security_struct *fsec = file->f_security;
1865 struct inode *inode = file_inode(file);
1866 struct common_audit_data ad;
1867 u32 sid = cred_sid(cred);
1870 ad.type = LSM_AUDIT_DATA_FILE;
1873 if (sid != fsec->sid) {
1874 rc = avc_has_perm(sid, fsec->sid,
1882 /* av is zero if only checking access to the descriptor. */
1885 rc = inode_has_perm(cred, inode, av, &ad);
1892 * Determine the label for an inode that might be unioned.
1895 selinux_determine_inode_label(const struct task_security_struct *tsec,
1897 const struct qstr *name, u16 tclass,
1900 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1902 if ((sbsec->flags & SE_SBINITIALIZED) &&
1903 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1904 *_new_isid = sbsec->mntpoint_sid;
1905 } else if ((sbsec->flags & SBLABEL_MNT) &&
1907 *_new_isid = tsec->create_sid;
1909 const struct inode_security_struct *dsec = inode_security(dir);
1910 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1917 /* Check whether a task can create a file. */
1918 static int may_create(struct inode *dir,
1919 struct dentry *dentry,
1922 const struct task_security_struct *tsec = current_security();
1923 struct inode_security_struct *dsec;
1924 struct superblock_security_struct *sbsec;
1926 struct common_audit_data ad;
1929 dsec = inode_security(dir);
1930 sbsec = dir->i_sb->s_security;
1934 ad.type = LSM_AUDIT_DATA_DENTRY;
1935 ad.u.dentry = dentry;
1937 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1938 DIR__ADD_NAME | DIR__SEARCH,
1943 rc = selinux_determine_inode_label(current_security(), dir,
1944 &dentry->d_name, tclass, &newsid);
1948 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1952 return avc_has_perm(newsid, sbsec->sid,
1953 SECCLASS_FILESYSTEM,
1954 FILESYSTEM__ASSOCIATE, &ad);
1957 /* Check whether a task can create a key. */
1958 static int may_create_key(u32 ksid,
1959 struct task_struct *ctx)
1961 u32 sid = task_sid(ctx);
1963 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1967 #define MAY_UNLINK 1
1970 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1971 static int may_link(struct inode *dir,
1972 struct dentry *dentry,
1976 struct inode_security_struct *dsec, *isec;
1977 struct common_audit_data ad;
1978 u32 sid = current_sid();
1982 dsec = inode_security(dir);
1983 isec = backing_inode_security(dentry);
1985 ad.type = LSM_AUDIT_DATA_DENTRY;
1986 ad.u.dentry = dentry;
1989 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1990 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
2005 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
2010 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
2014 static inline int may_rename(struct inode *old_dir,
2015 struct dentry *old_dentry,
2016 struct inode *new_dir,
2017 struct dentry *new_dentry)
2019 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2020 struct common_audit_data ad;
2021 u32 sid = current_sid();
2023 int old_is_dir, new_is_dir;
2026 old_dsec = inode_security(old_dir);
2027 old_isec = backing_inode_security(old_dentry);
2028 old_is_dir = d_is_dir(old_dentry);
2029 new_dsec = inode_security(new_dir);
2031 ad.type = LSM_AUDIT_DATA_DENTRY;
2033 ad.u.dentry = old_dentry;
2034 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
2035 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2038 rc = avc_has_perm(sid, old_isec->sid,
2039 old_isec->sclass, FILE__RENAME, &ad);
2042 if (old_is_dir && new_dir != old_dir) {
2043 rc = avc_has_perm(sid, old_isec->sid,
2044 old_isec->sclass, DIR__REPARENT, &ad);
2049 ad.u.dentry = new_dentry;
2050 av = DIR__ADD_NAME | DIR__SEARCH;
2051 if (d_is_positive(new_dentry))
2052 av |= DIR__REMOVE_NAME;
2053 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2056 if (d_is_positive(new_dentry)) {
2057 new_isec = backing_inode_security(new_dentry);
2058 new_is_dir = d_is_dir(new_dentry);
2059 rc = avc_has_perm(sid, new_isec->sid,
2061 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2069 /* Check whether a task can perform a filesystem operation. */
2070 static int superblock_has_perm(const struct cred *cred,
2071 struct super_block *sb,
2073 struct common_audit_data *ad)
2075 struct superblock_security_struct *sbsec;
2076 u32 sid = cred_sid(cred);
2078 sbsec = sb->s_security;
2079 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2082 /* Convert a Linux mode and permission mask to an access vector. */
2083 static inline u32 file_mask_to_av(int mode, int mask)
2087 if (!S_ISDIR(mode)) {
2088 if (mask & MAY_EXEC)
2089 av |= FILE__EXECUTE;
2090 if (mask & MAY_READ)
2093 if (mask & MAY_APPEND)
2095 else if (mask & MAY_WRITE)
2099 if (mask & MAY_EXEC)
2101 if (mask & MAY_WRITE)
2103 if (mask & MAY_READ)
2110 /* Convert a Linux file to an access vector. */
2111 static inline u32 file_to_av(struct file *file)
2115 if (file->f_mode & FMODE_READ)
2117 if (file->f_mode & FMODE_WRITE) {
2118 if (file->f_flags & O_APPEND)
2125 * Special file opened with flags 3 for ioctl-only use.
2134 * Convert a file to an access vector and include the correct open
2137 static inline u32 open_file_to_av(struct file *file)
2139 u32 av = file_to_av(file);
2141 if (selinux_policycap_openperm)
2147 /* Hook functions begin here. */
2149 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2151 u32 mysid = current_sid();
2152 u32 mgrsid = task_sid(mgr);
2154 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2155 BINDER__SET_CONTEXT_MGR, NULL);
2158 static int selinux_binder_transaction(struct task_struct *from,
2159 struct task_struct *to)
2161 u32 mysid = current_sid();
2162 u32 fromsid = task_sid(from);
2163 u32 tosid = task_sid(to);
2166 if (mysid != fromsid) {
2167 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2168 BINDER__IMPERSONATE, NULL);
2173 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2177 static int selinux_binder_transfer_binder(struct task_struct *from,
2178 struct task_struct *to)
2180 u32 fromsid = task_sid(from);
2181 u32 tosid = task_sid(to);
2183 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2187 static int selinux_binder_transfer_file(struct task_struct *from,
2188 struct task_struct *to,
2191 u32 sid = task_sid(to);
2192 struct file_security_struct *fsec = file->f_security;
2193 struct dentry *dentry = file->f_path.dentry;
2194 struct inode_security_struct *isec;
2195 struct common_audit_data ad;
2198 ad.type = LSM_AUDIT_DATA_PATH;
2199 ad.u.path = file->f_path;
2201 if (sid != fsec->sid) {
2202 rc = avc_has_perm(sid, fsec->sid,
2210 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2213 isec = backing_inode_security(dentry);
2214 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2218 static int selinux_ptrace_access_check(struct task_struct *child,
2221 if (mode & PTRACE_MODE_READ) {
2222 u32 sid = current_sid();
2223 u32 csid = task_sid(child);
2224 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2227 return current_has_perm(child, PROCESS__PTRACE);
2230 static int selinux_ptrace_traceme(struct task_struct *parent)
2232 return task_has_perm(parent, current, PROCESS__PTRACE);
2235 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2236 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2238 return current_has_perm(target, PROCESS__GETCAP);
2241 static int selinux_capset(struct cred *new, const struct cred *old,
2242 const kernel_cap_t *effective,
2243 const kernel_cap_t *inheritable,
2244 const kernel_cap_t *permitted)
2246 return cred_has_perm(old, new, PROCESS__SETCAP);
2250 * (This comment used to live with the selinux_task_setuid hook,
2251 * which was removed).
2253 * Since setuid only affects the current process, and since the SELinux
2254 * controls are not based on the Linux identity attributes, SELinux does not
2255 * need to control this operation. However, SELinux does control the use of
2256 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2259 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2262 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2265 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2267 const struct cred *cred = current_cred();
2279 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2284 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2287 rc = 0; /* let the kernel handle invalid cmds */
2293 static int selinux_quota_on(struct dentry *dentry)
2295 const struct cred *cred = current_cred();
2297 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2300 static int selinux_syslog(int type)
2305 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2306 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2307 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2309 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2310 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2311 /* Set level of messages printed to console */
2312 case SYSLOG_ACTION_CONSOLE_LEVEL:
2313 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2315 case SYSLOG_ACTION_CLOSE: /* Close log */
2316 case SYSLOG_ACTION_OPEN: /* Open log */
2317 case SYSLOG_ACTION_READ: /* Read from log */
2318 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2319 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2321 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2328 * Check that a process has enough memory to allocate a new virtual
2329 * mapping. 0 means there is enough memory for the allocation to
2330 * succeed and -ENOMEM implies there is not.
2332 * Do not audit the selinux permission check, as this is applied to all
2333 * processes that allocate mappings.
2335 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2337 int rc, cap_sys_admin = 0;
2339 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2340 SECURITY_CAP_NOAUDIT, true);
2344 return cap_sys_admin;
2347 /* binprm security operations */
2349 static u32 ptrace_parent_sid(struct task_struct *task)
2352 struct task_struct *tracer;
2355 tracer = ptrace_parent(task);
2357 sid = task_sid(tracer);
2363 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2364 const struct task_security_struct *old_tsec,
2365 const struct task_security_struct *new_tsec)
2367 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2368 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2371 if (!nnp && !nosuid)
2372 return 0; /* neither NNP nor nosuid */
2374 if (new_tsec->sid == old_tsec->sid)
2375 return 0; /* No change in credentials */
2378 * The only transitions we permit under NNP or nosuid
2379 * are transitions to bounded SIDs, i.e. SIDs that are
2380 * guaranteed to only be allowed a subset of the permissions
2381 * of the current SID.
2383 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2386 * On failure, preserve the errno values for NNP vs nosuid.
2387 * NNP: Operation not permitted for caller.
2388 * nosuid: Permission denied to file.
2398 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2400 const struct task_security_struct *old_tsec;
2401 struct task_security_struct *new_tsec;
2402 struct inode_security_struct *isec;
2403 struct common_audit_data ad;
2404 struct inode *inode = file_inode(bprm->file);
2407 /* SELinux context only depends on initial program or script and not
2408 * the script interpreter */
2409 if (bprm->cred_prepared)
2412 old_tsec = current_security();
2413 new_tsec = bprm->cred->security;
2414 isec = inode_security(inode);
2416 /* Default to the current task SID. */
2417 new_tsec->sid = old_tsec->sid;
2418 new_tsec->osid = old_tsec->sid;
2420 /* Reset fs, key, and sock SIDs on execve. */
2421 new_tsec->create_sid = 0;
2422 new_tsec->keycreate_sid = 0;
2423 new_tsec->sockcreate_sid = 0;
2425 if (old_tsec->exec_sid) {
2426 new_tsec->sid = old_tsec->exec_sid;
2427 /* Reset exec SID on execve. */
2428 new_tsec->exec_sid = 0;
2430 /* Fail on NNP or nosuid if not an allowed transition. */
2431 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2435 /* Check for a default transition on this program. */
2436 rc = security_transition_sid(old_tsec->sid, isec->sid,
2437 SECCLASS_PROCESS, NULL,
2443 * Fallback to old SID on NNP or nosuid if not an allowed
2446 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2448 new_tsec->sid = old_tsec->sid;
2451 ad.type = LSM_AUDIT_DATA_FILE;
2452 ad.u.file = bprm->file;
2454 if (new_tsec->sid == old_tsec->sid) {
2455 rc = avc_has_perm(old_tsec->sid, isec->sid,
2456 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2460 /* Check permissions for the transition. */
2461 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2462 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2466 rc = avc_has_perm(new_tsec->sid, isec->sid,
2467 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2471 /* Check for shared state */
2472 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2473 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2474 SECCLASS_PROCESS, PROCESS__SHARE,
2480 /* Make sure that anyone attempting to ptrace over a task that
2481 * changes its SID has the appropriate permit */
2483 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2484 u32 ptsid = ptrace_parent_sid(current);
2486 rc = avc_has_perm(ptsid, new_tsec->sid,
2488 PROCESS__PTRACE, NULL);
2494 /* Clear any possibly unsafe personality bits on exec: */
2495 bprm->per_clear |= PER_CLEAR_ON_SETID;
2501 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2503 const struct task_security_struct *tsec = current_security();
2511 /* Enable secure mode for SIDs transitions unless
2512 the noatsecure permission is granted between
2513 the two SIDs, i.e. ahp returns 0. */
2514 atsecure = avc_has_perm(osid, sid,
2516 PROCESS__NOATSECURE, NULL);
2522 static int match_file(const void *p, struct file *file, unsigned fd)
2524 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2527 /* Derived from fs/exec.c:flush_old_files. */
2528 static inline void flush_unauthorized_files(const struct cred *cred,
2529 struct files_struct *files)
2531 struct file *file, *devnull = NULL;
2532 struct tty_struct *tty;
2536 tty = get_current_tty();
2538 spin_lock(&tty->files_lock);
2539 if (!list_empty(&tty->tty_files)) {
2540 struct tty_file_private *file_priv;
2542 /* Revalidate access to controlling tty.
2543 Use file_path_has_perm on the tty path directly
2544 rather than using file_has_perm, as this particular
2545 open file may belong to another process and we are
2546 only interested in the inode-based check here. */
2547 file_priv = list_first_entry(&tty->tty_files,
2548 struct tty_file_private, list);
2549 file = file_priv->file;
2550 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2553 spin_unlock(&tty->files_lock);
2556 /* Reset controlling tty. */
2560 /* Revalidate access to inherited open files. */
2561 n = iterate_fd(files, 0, match_file, cred);
2562 if (!n) /* none found? */
2565 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2566 if (IS_ERR(devnull))
2568 /* replace all the matching ones with this */
2570 replace_fd(n - 1, devnull, 0);
2571 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2577 * Prepare a process for imminent new credential changes due to exec
2579 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2581 struct task_security_struct *new_tsec;
2582 struct rlimit *rlim, *initrlim;
2585 new_tsec = bprm->cred->security;
2586 if (new_tsec->sid == new_tsec->osid)
2589 /* Close files for which the new task SID is not authorized. */
2590 flush_unauthorized_files(bprm->cred, current->files);
2592 /* Always clear parent death signal on SID transitions. */
2593 current->pdeath_signal = 0;
2595 /* Check whether the new SID can inherit resource limits from the old
2596 * SID. If not, reset all soft limits to the lower of the current
2597 * task's hard limit and the init task's soft limit.
2599 * Note that the setting of hard limits (even to lower them) can be
2600 * controlled by the setrlimit check. The inclusion of the init task's
2601 * soft limit into the computation is to avoid resetting soft limits
2602 * higher than the default soft limit for cases where the default is
2603 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2605 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2606 PROCESS__RLIMITINH, NULL);
2608 /* protect against do_prlimit() */
2610 for (i = 0; i < RLIM_NLIMITS; i++) {
2611 rlim = current->signal->rlim + i;
2612 initrlim = init_task.signal->rlim + i;
2613 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2615 task_unlock(current);
2616 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2617 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2622 * Clean up the process immediately after the installation of new credentials
2625 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2627 const struct task_security_struct *tsec = current_security();
2628 struct itimerval itimer;
2638 /* Check whether the new SID can inherit signal state from the old SID.
2639 * If not, clear itimers to avoid subsequent signal generation and
2640 * flush and unblock signals.
2642 * This must occur _after_ the task SID has been updated so that any
2643 * kill done after the flush will be checked against the new SID.
2645 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2647 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2648 memset(&itimer, 0, sizeof itimer);
2649 for (i = 0; i < 3; i++)
2650 do_setitimer(i, &itimer, NULL);
2652 spin_lock_irq(¤t->sighand->siglock);
2653 if (!fatal_signal_pending(current)) {
2654 flush_sigqueue(¤t->pending);
2655 flush_sigqueue(¤t->signal->shared_pending);
2656 flush_signal_handlers(current, 1);
2657 sigemptyset(¤t->blocked);
2658 recalc_sigpending();
2660 spin_unlock_irq(¤t->sighand->siglock);
2663 /* Wake up the parent if it is waiting so that it can recheck
2664 * wait permission to the new task SID. */
2665 read_lock(&tasklist_lock);
2666 __wake_up_parent(current, current->real_parent);
2667 read_unlock(&tasklist_lock);
2670 /* superblock security operations */
2672 static int selinux_sb_alloc_security(struct super_block *sb)
2674 return superblock_alloc_security(sb);
2677 static void selinux_sb_free_security(struct super_block *sb)
2679 superblock_free_security(sb);
2682 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2687 return !memcmp(prefix, option, plen);
2690 static inline int selinux_option(char *option, int len)
2692 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2693 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2694 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2695 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2696 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2699 static inline void take_option(char **to, char *from, int *first, int len)
2706 memcpy(*to, from, len);
2710 static inline void take_selinux_option(char **to, char *from, int *first,
2713 int current_size = 0;
2721 while (current_size < len) {
2731 static int selinux_sb_copy_data(char *orig, char *copy)
2733 int fnosec, fsec, rc = 0;
2734 char *in_save, *in_curr, *in_end;
2735 char *sec_curr, *nosec_save, *nosec;
2741 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2749 in_save = in_end = orig;
2753 open_quote = !open_quote;
2754 if ((*in_end == ',' && open_quote == 0) ||
2756 int len = in_end - in_curr;
2758 if (selinux_option(in_curr, len))
2759 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2761 take_option(&nosec, in_curr, &fnosec, len);
2763 in_curr = in_end + 1;
2765 } while (*in_end++);
2767 strcpy(in_save, nosec_save);
2768 free_page((unsigned long)nosec_save);
2773 static int selinux_sb_remount(struct super_block *sb, void *data)
2776 struct security_mnt_opts opts;
2777 char *secdata, **mount_options;
2778 struct superblock_security_struct *sbsec = sb->s_security;
2780 if (!(sbsec->flags & SE_SBINITIALIZED))
2786 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2789 security_init_mnt_opts(&opts);
2790 secdata = alloc_secdata();
2793 rc = selinux_sb_copy_data(data, secdata);
2795 goto out_free_secdata;
2797 rc = selinux_parse_opts_str(secdata, &opts);
2799 goto out_free_secdata;
2801 mount_options = opts.mnt_opts;
2802 flags = opts.mnt_opts_flags;
2804 for (i = 0; i < opts.num_mnt_opts; i++) {
2807 if (flags[i] == SBLABEL_MNT)
2809 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2811 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2812 "(%s) failed for (dev %s, type %s) errno=%d\n",
2813 mount_options[i], sb->s_id, sb->s_type->name, rc);
2819 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2820 goto out_bad_option;
2823 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2824 goto out_bad_option;
2826 case ROOTCONTEXT_MNT: {
2827 struct inode_security_struct *root_isec;
2828 root_isec = backing_inode_security(sb->s_root);
2830 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2831 goto out_bad_option;
2834 case DEFCONTEXT_MNT:
2835 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2836 goto out_bad_option;
2845 security_free_mnt_opts(&opts);
2847 free_secdata(secdata);
2850 printk(KERN_WARNING "SELinux: unable to change security options "
2851 "during remount (dev %s, type=%s)\n", sb->s_id,
2856 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2858 const struct cred *cred = current_cred();
2859 struct common_audit_data ad;
2862 rc = superblock_doinit(sb, data);
2866 /* Allow all mounts performed by the kernel */
2867 if (flags & MS_KERNMOUNT)
2870 ad.type = LSM_AUDIT_DATA_DENTRY;
2871 ad.u.dentry = sb->s_root;
2872 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2875 static int selinux_sb_statfs(struct dentry *dentry)
2877 const struct cred *cred = current_cred();
2878 struct common_audit_data ad;
2880 ad.type = LSM_AUDIT_DATA_DENTRY;
2881 ad.u.dentry = dentry->d_sb->s_root;
2882 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2885 static int selinux_mount(const char *dev_name,
2886 const struct path *path,
2888 unsigned long flags,
2891 const struct cred *cred = current_cred();
2893 if (flags & MS_REMOUNT)
2894 return superblock_has_perm(cred, path->dentry->d_sb,
2895 FILESYSTEM__REMOUNT, NULL);
2897 return path_has_perm(cred, path, FILE__MOUNTON);
2900 static int selinux_umount(struct vfsmount *mnt, int flags)
2902 const struct cred *cred = current_cred();
2904 return superblock_has_perm(cred, mnt->mnt_sb,
2905 FILESYSTEM__UNMOUNT, NULL);
2908 /* inode security operations */
2910 static int selinux_inode_alloc_security(struct inode *inode)
2912 return inode_alloc_security(inode);
2915 static void selinux_inode_free_security(struct inode *inode)
2917 inode_free_security(inode);
2920 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2921 const struct qstr *name, void **ctx,
2927 rc = selinux_determine_inode_label(current_security(),
2928 d_inode(dentry->d_parent), name,
2929 inode_mode_to_security_class(mode),
2934 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2937 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2939 const struct cred *old,
2944 struct task_security_struct *tsec;
2946 rc = selinux_determine_inode_label(old->security,
2947 d_inode(dentry->d_parent), name,
2948 inode_mode_to_security_class(mode),
2953 tsec = new->security;
2954 tsec->create_sid = newsid;
2958 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2959 const struct qstr *qstr,
2961 void **value, size_t *len)
2963 const struct task_security_struct *tsec = current_security();
2964 struct superblock_security_struct *sbsec;
2965 u32 sid, newsid, clen;
2969 sbsec = dir->i_sb->s_security;
2972 newsid = tsec->create_sid;
2974 rc = selinux_determine_inode_label(current_security(),
2976 inode_mode_to_security_class(inode->i_mode),
2981 /* Possibly defer initialization to selinux_complete_init. */
2982 if (sbsec->flags & SE_SBINITIALIZED) {
2983 struct inode_security_struct *isec = inode->i_security;
2984 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2986 isec->initialized = LABEL_INITIALIZED;
2989 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2993 *name = XATTR_SELINUX_SUFFIX;
2996 rc = security_sid_to_context_force(newsid, &context, &clen);
3006 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3008 return may_create(dir, dentry, SECCLASS_FILE);
3011 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3013 return may_link(dir, old_dentry, MAY_LINK);
3016 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3018 return may_link(dir, dentry, MAY_UNLINK);
3021 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3023 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3026 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3028 return may_create(dir, dentry, SECCLASS_DIR);
3031 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3033 return may_link(dir, dentry, MAY_RMDIR);
3036 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3038 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3041 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3042 struct inode *new_inode, struct dentry *new_dentry)
3044 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3047 static int selinux_inode_readlink(struct dentry *dentry)
3049 const struct cred *cred = current_cred();
3051 return dentry_has_perm(cred, dentry, FILE__READ);
3054 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3057 const struct cred *cred = current_cred();
3058 struct common_audit_data ad;
3059 struct inode_security_struct *isec;
3062 validate_creds(cred);
3064 ad.type = LSM_AUDIT_DATA_DENTRY;
3065 ad.u.dentry = dentry;
3066 sid = cred_sid(cred);
3067 isec = inode_security_rcu(inode, rcu);
3069 return PTR_ERR(isec);
3071 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3072 rcu ? MAY_NOT_BLOCK : 0);
3075 static noinline int audit_inode_permission(struct inode *inode,
3076 u32 perms, u32 audited, u32 denied,
3080 struct common_audit_data ad;
3081 struct inode_security_struct *isec = inode->i_security;
3084 ad.type = LSM_AUDIT_DATA_INODE;
3087 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3088 audited, denied, result, &ad, flags);
3094 static int selinux_inode_permission(struct inode *inode, int mask)
3096 const struct cred *cred = current_cred();
3099 unsigned flags = mask & MAY_NOT_BLOCK;
3100 struct inode_security_struct *isec;
3102 struct av_decision avd;
3104 u32 audited, denied;
3106 from_access = mask & MAY_ACCESS;
3107 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3109 /* No permission to check. Existence test. */
3113 validate_creds(cred);
3115 if (unlikely(IS_PRIVATE(inode)))
3118 perms = file_mask_to_av(inode->i_mode, mask);
3120 sid = cred_sid(cred);
3121 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3123 return PTR_ERR(isec);
3125 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3126 audited = avc_audit_required(perms, &avd, rc,
3127 from_access ? FILE__AUDIT_ACCESS : 0,
3129 if (likely(!audited))
3132 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3138 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3140 const struct cred *cred = current_cred();
3141 unsigned int ia_valid = iattr->ia_valid;
3142 __u32 av = FILE__WRITE;
3144 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3145 if (ia_valid & ATTR_FORCE) {
3146 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3152 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3153 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3154 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3156 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3157 && !(ia_valid & ATTR_FILE))
3160 return dentry_has_perm(cred, dentry, av);
3163 static int selinux_inode_getattr(const struct path *path)
3165 return path_has_perm(current_cred(), path, FILE__GETATTR);
3168 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3170 const struct cred *cred = current_cred();
3172 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3173 sizeof XATTR_SECURITY_PREFIX - 1)) {
3174 if (!strcmp(name, XATTR_NAME_CAPS)) {
3175 if (!capable(CAP_SETFCAP))
3177 } else if (!capable(CAP_SYS_ADMIN)) {
3178 /* A different attribute in the security namespace.
3179 Restrict to administrator. */
3184 /* Not an attribute we recognize, so just check the
3185 ordinary setattr permission. */
3186 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3189 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3190 const void *value, size_t size, int flags)
3192 struct inode *inode = d_backing_inode(dentry);
3193 struct inode_security_struct *isec;
3194 struct superblock_security_struct *sbsec;
3195 struct common_audit_data ad;
3196 u32 newsid, sid = current_sid();
3199 if (strcmp(name, XATTR_NAME_SELINUX))
3200 return selinux_inode_setotherxattr(dentry, name);
3202 sbsec = inode->i_sb->s_security;
3203 if (!(sbsec->flags & SBLABEL_MNT))
3206 if (!inode_owner_or_capable(inode))
3209 ad.type = LSM_AUDIT_DATA_DENTRY;
3210 ad.u.dentry = dentry;
3212 isec = backing_inode_security(dentry);
3213 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3214 FILE__RELABELFROM, &ad);
3218 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3219 if (rc == -EINVAL) {
3220 if (!capable(CAP_MAC_ADMIN)) {
3221 struct audit_buffer *ab;
3225 /* We strip a nul only if it is at the end, otherwise the
3226 * context contains a nul and we should audit that */
3229 if (str[size - 1] == '\0')
3230 audit_size = size - 1;
3237 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3238 audit_log_format(ab, "op=setxattr invalid_context=");
3239 audit_log_n_untrustedstring(ab, value, audit_size);
3244 rc = security_context_to_sid_force(value, size, &newsid);
3249 rc = avc_has_perm(sid, newsid, isec->sclass,
3250 FILE__RELABELTO, &ad);
3254 rc = security_validate_transition(isec->sid, newsid, sid,
3259 return avc_has_perm(newsid,
3261 SECCLASS_FILESYSTEM,
3262 FILESYSTEM__ASSOCIATE,
3266 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3267 const void *value, size_t size,
3270 struct inode *inode = d_backing_inode(dentry);
3271 struct inode_security_struct *isec;
3275 if (strcmp(name, XATTR_NAME_SELINUX)) {
3276 /* Not an attribute we recognize, so nothing to do. */
3280 rc = security_context_to_sid_force(value, size, &newsid);
3282 printk(KERN_ERR "SELinux: unable to map context to SID"
3283 "for (%s, %lu), rc=%d\n",
3284 inode->i_sb->s_id, inode->i_ino, -rc);
3288 isec = backing_inode_security(dentry);
3289 spin_lock(&isec->lock);
3290 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3292 isec->initialized = LABEL_INITIALIZED;
3293 spin_unlock(&isec->lock);
3298 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3300 const struct cred *cred = current_cred();
3302 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3305 static int selinux_inode_listxattr(struct dentry *dentry)
3307 const struct cred *cred = current_cred();
3309 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3312 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3314 if (strcmp(name, XATTR_NAME_SELINUX))
3315 return selinux_inode_setotherxattr(dentry, name);
3317 /* No one is allowed to remove a SELinux security label.
3318 You can change the label, but all data must be labeled. */
3323 * Copy the inode security context value to the user.
3325 * Permission check is handled by selinux_inode_getxattr hook.
3327 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3331 char *context = NULL;
3332 struct inode_security_struct *isec;
3334 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3338 * If the caller has CAP_MAC_ADMIN, then get the raw context
3339 * value even if it is not defined by current policy; otherwise,
3340 * use the in-core value under current policy.
3341 * Use the non-auditing forms of the permission checks since
3342 * getxattr may be called by unprivileged processes commonly
3343 * and lack of permission just means that we fall back to the
3344 * in-core context value, not a denial.
3346 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3347 SECURITY_CAP_NOAUDIT);
3349 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3350 SECURITY_CAP_NOAUDIT, true);
3351 isec = inode_security(inode);
3353 error = security_sid_to_context_force(isec->sid, &context,
3356 error = security_sid_to_context(isec->sid, &context, &size);
3369 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3370 const void *value, size_t size, int flags)
3372 struct inode_security_struct *isec = inode_security_novalidate(inode);
3376 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3379 if (!value || !size)
3382 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3386 spin_lock(&isec->lock);
3387 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3389 isec->initialized = LABEL_INITIALIZED;
3390 spin_unlock(&isec->lock);
3394 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3396 const int len = sizeof(XATTR_NAME_SELINUX);
3397 if (buffer && len <= buffer_size)
3398 memcpy(buffer, XATTR_NAME_SELINUX, len);
3402 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3404 struct inode_security_struct *isec = inode_security_novalidate(inode);
3408 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3411 struct task_security_struct *tsec;
3412 struct cred *new_creds = *new;
3414 if (new_creds == NULL) {
3415 new_creds = prepare_creds();
3420 tsec = new_creds->security;
3421 /* Get label from overlay inode and set it in create_sid */
3422 selinux_inode_getsecid(d_inode(src), &sid);
3423 tsec->create_sid = sid;
3428 static int selinux_inode_copy_up_xattr(const char *name)
3430 /* The copy_up hook above sets the initial context on an inode, but we
3431 * don't then want to overwrite it by blindly copying all the lower
3432 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3434 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3435 return 1; /* Discard */
3437 * Any other attribute apart from SELINUX is not claimed, supported
3443 /* file security operations */
3445 static int selinux_revalidate_file_permission(struct file *file, int mask)
3447 const struct cred *cred = current_cred();
3448 struct inode *inode = file_inode(file);
3450 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3451 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3454 return file_has_perm(cred, file,
3455 file_mask_to_av(inode->i_mode, mask));
3458 static int selinux_file_permission(struct file *file, int mask)
3460 struct inode *inode = file_inode(file);
3461 struct file_security_struct *fsec = file->f_security;
3462 struct inode_security_struct *isec;
3463 u32 sid = current_sid();
3466 /* No permission to check. Existence test. */
3469 isec = inode_security(inode);
3470 if (sid == fsec->sid && fsec->isid == isec->sid &&
3471 fsec->pseqno == avc_policy_seqno())
3472 /* No change since file_open check. */
3475 return selinux_revalidate_file_permission(file, mask);
3478 static int selinux_file_alloc_security(struct file *file)
3480 return file_alloc_security(file);
3483 static void selinux_file_free_security(struct file *file)
3485 file_free_security(file);
3489 * Check whether a task has the ioctl permission and cmd
3490 * operation to an inode.
3492 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3493 u32 requested, u16 cmd)
3495 struct common_audit_data ad;
3496 struct file_security_struct *fsec = file->f_security;
3497 struct inode *inode = file_inode(file);
3498 struct inode_security_struct *isec;
3499 struct lsm_ioctlop_audit ioctl;
3500 u32 ssid = cred_sid(cred);
3502 u8 driver = cmd >> 8;
3503 u8 xperm = cmd & 0xff;
3505 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3508 ad.u.op->path = file->f_path;
3510 if (ssid != fsec->sid) {
3511 rc = avc_has_perm(ssid, fsec->sid,
3519 if (unlikely(IS_PRIVATE(inode)))
3522 isec = inode_security(inode);
3523 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3524 requested, driver, xperm, &ad);
3529 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3532 const struct cred *cred = current_cred();
3542 case FS_IOC_GETFLAGS:
3544 case FS_IOC_GETVERSION:
3545 error = file_has_perm(cred, file, FILE__GETATTR);
3548 case FS_IOC_SETFLAGS:
3550 case FS_IOC_SETVERSION:
3551 error = file_has_perm(cred, file, FILE__SETATTR);
3554 /* sys_ioctl() checks */
3558 error = file_has_perm(cred, file, 0);
3563 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3564 SECURITY_CAP_AUDIT, true);
3567 /* default case assumes that the command will go
3568 * to the file's ioctl() function.
3571 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3576 static int default_noexec;
3578 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3580 const struct cred *cred = current_cred();
3583 if (default_noexec &&
3584 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3585 (!shared && (prot & PROT_WRITE)))) {
3587 * We are making executable an anonymous mapping or a
3588 * private file mapping that will also be writable.
3589 * This has an additional check.
3591 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3597 /* read access is always possible with a mapping */
3598 u32 av = FILE__READ;
3600 /* write access only matters if the mapping is shared */
3601 if (shared && (prot & PROT_WRITE))
3604 if (prot & PROT_EXEC)
3605 av |= FILE__EXECUTE;
3607 return file_has_perm(cred, file, av);
3614 static int selinux_mmap_addr(unsigned long addr)
3618 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3619 u32 sid = current_sid();
3620 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3621 MEMPROTECT__MMAP_ZERO, NULL);
3627 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3628 unsigned long prot, unsigned long flags)
3630 if (selinux_checkreqprot)
3633 return file_map_prot_check(file, prot,
3634 (flags & MAP_TYPE) == MAP_SHARED);
3637 static int selinux_file_mprotect(struct vm_area_struct *vma,
3638 unsigned long reqprot,
3641 const struct cred *cred = current_cred();
3643 if (selinux_checkreqprot)
3646 if (default_noexec &&
3647 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3649 if (vma->vm_start >= vma->vm_mm->start_brk &&
3650 vma->vm_end <= vma->vm_mm->brk) {
3651 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3652 } else if (!vma->vm_file &&
3653 ((vma->vm_start <= vma->vm_mm->start_stack &&
3654 vma->vm_end >= vma->vm_mm->start_stack) ||
3655 vma_is_stack_for_current(vma))) {
3656 rc = current_has_perm(current, PROCESS__EXECSTACK);
3657 } else if (vma->vm_file && vma->anon_vma) {
3659 * We are making executable a file mapping that has
3660 * had some COW done. Since pages might have been
3661 * written, check ability to execute the possibly
3662 * modified content. This typically should only
3663 * occur for text relocations.
3665 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3671 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3674 static int selinux_file_lock(struct file *file, unsigned int cmd)
3676 const struct cred *cred = current_cred();
3678 return file_has_perm(cred, file, FILE__LOCK);
3681 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3684 const struct cred *cred = current_cred();
3689 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3690 err = file_has_perm(cred, file, FILE__WRITE);
3699 case F_GETOWNER_UIDS:
3700 /* Just check FD__USE permission */
3701 err = file_has_perm(cred, file, 0);
3709 #if BITS_PER_LONG == 32
3714 err = file_has_perm(cred, file, FILE__LOCK);
3721 static void selinux_file_set_fowner(struct file *file)
3723 struct file_security_struct *fsec;
3725 fsec = file->f_security;
3726 fsec->fown_sid = current_sid();
3729 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3730 struct fown_struct *fown, int signum)
3733 u32 sid = task_sid(tsk);
3735 struct file_security_struct *fsec;
3737 /* struct fown_struct is never outside the context of a struct file */
3738 file = container_of(fown, struct file, f_owner);
3740 fsec = file->f_security;
3743 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3745 perm = signal_to_av(signum);
3747 return avc_has_perm(fsec->fown_sid, sid,
3748 SECCLASS_PROCESS, perm, NULL);
3751 static int selinux_file_receive(struct file *file)
3753 const struct cred *cred = current_cred();
3755 return file_has_perm(cred, file, file_to_av(file));
3758 static int selinux_file_open(struct file *file, const struct cred *cred)
3760 struct file_security_struct *fsec;
3761 struct inode_security_struct *isec;
3763 fsec = file->f_security;
3764 isec = inode_security(file_inode(file));
3766 * Save inode label and policy sequence number
3767 * at open-time so that selinux_file_permission
3768 * can determine whether revalidation is necessary.
3769 * Task label is already saved in the file security
3770 * struct as its SID.
3772 fsec->isid = isec->sid;
3773 fsec->pseqno = avc_policy_seqno();
3775 * Since the inode label or policy seqno may have changed
3776 * between the selinux_inode_permission check and the saving
3777 * of state above, recheck that access is still permitted.
3778 * Otherwise, access might never be revalidated against the
3779 * new inode label or new policy.
3780 * This check is not redundant - do not remove.
3782 return file_path_has_perm(cred, file, open_file_to_av(file));
3785 /* task security operations */
3787 static int selinux_task_create(unsigned long clone_flags)
3789 return current_has_perm(current, PROCESS__FORK);
3793 * allocate the SELinux part of blank credentials
3795 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3797 struct task_security_struct *tsec;
3799 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3803 cred->security = tsec;
3808 * detach and free the LSM part of a set of credentials
3810 static void selinux_cred_free(struct cred *cred)
3812 struct task_security_struct *tsec = cred->security;
3815 * cred->security == NULL if security_cred_alloc_blank() or
3816 * security_prepare_creds() returned an error.
3818 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3819 cred->security = (void *) 0x7UL;
3824 * prepare a new set of credentials for modification
3826 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3829 const struct task_security_struct *old_tsec;
3830 struct task_security_struct *tsec;
3832 old_tsec = old->security;
3834 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3838 new->security = tsec;
3843 * transfer the SELinux data to a blank set of creds
3845 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3847 const struct task_security_struct *old_tsec = old->security;
3848 struct task_security_struct *tsec = new->security;
3854 * set the security data for a kernel service
3855 * - all the creation contexts are set to unlabelled
3857 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3859 struct task_security_struct *tsec = new->security;
3860 u32 sid = current_sid();
3863 ret = avc_has_perm(sid, secid,
3864 SECCLASS_KERNEL_SERVICE,
3865 KERNEL_SERVICE__USE_AS_OVERRIDE,
3869 tsec->create_sid = 0;
3870 tsec->keycreate_sid = 0;
3871 tsec->sockcreate_sid = 0;
3877 * set the file creation context in a security record to the same as the
3878 * objective context of the specified inode
3880 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3882 struct inode_security_struct *isec = inode_security(inode);
3883 struct task_security_struct *tsec = new->security;
3884 u32 sid = current_sid();
3887 ret = avc_has_perm(sid, isec->sid,
3888 SECCLASS_KERNEL_SERVICE,
3889 KERNEL_SERVICE__CREATE_FILES_AS,
3893 tsec->create_sid = isec->sid;
3897 static int selinux_kernel_module_request(char *kmod_name)
3900 struct common_audit_data ad;
3902 sid = task_sid(current);
3904 ad.type = LSM_AUDIT_DATA_KMOD;
3905 ad.u.kmod_name = kmod_name;
3907 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3908 SYSTEM__MODULE_REQUEST, &ad);
3911 static int selinux_kernel_module_from_file(struct file *file)
3913 struct common_audit_data ad;
3914 struct inode_security_struct *isec;
3915 struct file_security_struct *fsec;
3916 u32 sid = current_sid();
3921 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3922 SYSTEM__MODULE_LOAD, NULL);
3926 ad.type = LSM_AUDIT_DATA_FILE;
3929 fsec = file->f_security;
3930 if (sid != fsec->sid) {
3931 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3936 isec = inode_security(file_inode(file));
3937 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3938 SYSTEM__MODULE_LOAD, &ad);
3941 static int selinux_kernel_read_file(struct file *file,
3942 enum kernel_read_file_id id)
3947 case READING_MODULE:
3948 rc = selinux_kernel_module_from_file(file);
3957 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3959 return current_has_perm(p, PROCESS__SETPGID);
3962 static int selinux_task_getpgid(struct task_struct *p)
3964 return current_has_perm(p, PROCESS__GETPGID);
3967 static int selinux_task_getsid(struct task_struct *p)
3969 return current_has_perm(p, PROCESS__GETSESSION);
3972 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3974 *secid = task_sid(p);
3977 static int selinux_task_setnice(struct task_struct *p, int nice)
3979 return current_has_perm(p, PROCESS__SETSCHED);
3982 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3984 return current_has_perm(p, PROCESS__SETSCHED);
3987 static int selinux_task_getioprio(struct task_struct *p)
3989 return current_has_perm(p, PROCESS__GETSCHED);
3992 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3993 struct rlimit *new_rlim)
3995 struct rlimit *old_rlim = p->signal->rlim + resource;
3997 /* Control the ability to change the hard limit (whether
3998 lowering or raising it), so that the hard limit can
3999 later be used as a safe reset point for the soft limit
4000 upon context transitions. See selinux_bprm_committing_creds. */
4001 if (old_rlim->rlim_max != new_rlim->rlim_max)
4002 return current_has_perm(p, PROCESS__SETRLIMIT);
4007 static int selinux_task_setscheduler(struct task_struct *p)
4009 return current_has_perm(p, PROCESS__SETSCHED);
4012 static int selinux_task_getscheduler(struct task_struct *p)
4014 return current_has_perm(p, PROCESS__GETSCHED);
4017 static int selinux_task_movememory(struct task_struct *p)
4019 return current_has_perm(p, PROCESS__SETSCHED);
4022 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4029 perm = PROCESS__SIGNULL; /* null signal; existence test */
4031 perm = signal_to_av(sig);
4033 rc = avc_has_perm(secid, task_sid(p),
4034 SECCLASS_PROCESS, perm, NULL);
4036 rc = current_has_perm(p, perm);
4040 static int selinux_task_wait(struct task_struct *p)
4042 return task_has_perm(p, current, PROCESS__SIGCHLD);
4045 static void selinux_task_to_inode(struct task_struct *p,
4046 struct inode *inode)
4048 struct inode_security_struct *isec = inode->i_security;
4049 u32 sid = task_sid(p);
4051 spin_lock(&isec->lock);
4052 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4054 isec->initialized = LABEL_INITIALIZED;
4055 spin_unlock(&isec->lock);
4058 /* Returns error only if unable to parse addresses */
4059 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4060 struct common_audit_data *ad, u8 *proto)
4062 int offset, ihlen, ret = -EINVAL;
4063 struct iphdr _iph, *ih;
4065 offset = skb_network_offset(skb);
4066 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4070 ihlen = ih->ihl * 4;
4071 if (ihlen < sizeof(_iph))
4074 ad->u.net->v4info.saddr = ih->saddr;
4075 ad->u.net->v4info.daddr = ih->daddr;
4079 *proto = ih->protocol;
4081 switch (ih->protocol) {
4083 struct tcphdr _tcph, *th;
4085 if (ntohs(ih->frag_off) & IP_OFFSET)
4089 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4093 ad->u.net->sport = th->source;
4094 ad->u.net->dport = th->dest;
4099 struct udphdr _udph, *uh;
4101 if (ntohs(ih->frag_off) & IP_OFFSET)
4105 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4109 ad->u.net->sport = uh->source;
4110 ad->u.net->dport = uh->dest;
4114 case IPPROTO_DCCP: {
4115 struct dccp_hdr _dccph, *dh;
4117 if (ntohs(ih->frag_off) & IP_OFFSET)
4121 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4125 ad->u.net->sport = dh->dccph_sport;
4126 ad->u.net->dport = dh->dccph_dport;
4137 #if IS_ENABLED(CONFIG_IPV6)
4139 /* Returns error only if unable to parse addresses */
4140 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4141 struct common_audit_data *ad, u8 *proto)
4144 int ret = -EINVAL, offset;
4145 struct ipv6hdr _ipv6h, *ip6;
4148 offset = skb_network_offset(skb);
4149 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4153 ad->u.net->v6info.saddr = ip6->saddr;
4154 ad->u.net->v6info.daddr = ip6->daddr;
4157 nexthdr = ip6->nexthdr;
4158 offset += sizeof(_ipv6h);
4159 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4168 struct tcphdr _tcph, *th;
4170 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4174 ad->u.net->sport = th->source;
4175 ad->u.net->dport = th->dest;
4180 struct udphdr _udph, *uh;
4182 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4186 ad->u.net->sport = uh->source;
4187 ad->u.net->dport = uh->dest;
4191 case IPPROTO_DCCP: {
4192 struct dccp_hdr _dccph, *dh;
4194 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4198 ad->u.net->sport = dh->dccph_sport;
4199 ad->u.net->dport = dh->dccph_dport;
4203 /* includes fragments */
4213 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4214 char **_addrp, int src, u8 *proto)
4219 switch (ad->u.net->family) {
4221 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4224 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4225 &ad->u.net->v4info.daddr);
4228 #if IS_ENABLED(CONFIG_IPV6)
4230 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4233 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4234 &ad->u.net->v6info.daddr);
4244 "SELinux: failure in selinux_parse_skb(),"
4245 " unable to parse packet\n");
4255 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4257 * @family: protocol family
4258 * @sid: the packet's peer label SID
4261 * Check the various different forms of network peer labeling and determine
4262 * the peer label/SID for the packet; most of the magic actually occurs in
4263 * the security server function security_net_peersid_cmp(). The function
4264 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4265 * or -EACCES if @sid is invalid due to inconsistencies with the different
4269 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4276 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4279 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4283 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4284 if (unlikely(err)) {
4286 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4287 " unable to determine packet's peer label\n");
4295 * selinux_conn_sid - Determine the child socket label for a connection
4296 * @sk_sid: the parent socket's SID
4297 * @skb_sid: the packet's SID
4298 * @conn_sid: the resulting connection SID
4300 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4301 * combined with the MLS information from @skb_sid in order to create
4302 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4303 * of @sk_sid. Returns zero on success, negative values on failure.
4306 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4310 if (skb_sid != SECSID_NULL)
4311 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4318 /* socket security operations */
4320 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4321 u16 secclass, u32 *socksid)
4323 if (tsec->sockcreate_sid > SECSID_NULL) {
4324 *socksid = tsec->sockcreate_sid;
4328 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4332 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4334 struct sk_security_struct *sksec = sk->sk_security;
4335 struct common_audit_data ad;
4336 struct lsm_network_audit net = {0,};
4337 u32 tsid = task_sid(task);
4339 if (sksec->sid == SECINITSID_KERNEL)
4342 ad.type = LSM_AUDIT_DATA_NET;
4346 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4349 static int selinux_socket_create(int family, int type,
4350 int protocol, int kern)
4352 const struct task_security_struct *tsec = current_security();
4360 secclass = socket_type_to_security_class(family, type, protocol);
4361 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4365 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4368 static int selinux_socket_post_create(struct socket *sock, int family,
4369 int type, int protocol, int kern)
4371 const struct task_security_struct *tsec = current_security();
4372 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4373 struct sk_security_struct *sksec;
4374 u16 sclass = socket_type_to_security_class(family, type, protocol);
4375 u32 sid = SECINITSID_KERNEL;
4379 err = socket_sockcreate_sid(tsec, sclass, &sid);
4384 isec->sclass = sclass;
4386 isec->initialized = LABEL_INITIALIZED;
4389 sksec = sock->sk->sk_security;
4390 sksec->sclass = sclass;
4392 err = selinux_netlbl_socket_post_create(sock->sk, family);
4398 /* Range of port numbers used to automatically bind.
4399 Need to determine whether we should perform a name_bind
4400 permission check between the socket and the port number. */
4402 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4404 struct sock *sk = sock->sk;
4408 err = sock_has_perm(current, sk, SOCKET__BIND);
4413 * If PF_INET or PF_INET6, check name_bind permission for the port.
4414 * Multiple address binding for SCTP is not supported yet: we just
4415 * check the first address now.
4417 family = sk->sk_family;
4418 if (family == PF_INET || family == PF_INET6) {
4420 struct sk_security_struct *sksec = sk->sk_security;
4421 struct common_audit_data ad;
4422 struct lsm_network_audit net = {0,};
4423 struct sockaddr_in *addr4 = NULL;
4424 struct sockaddr_in6 *addr6 = NULL;
4425 unsigned short snum;
4428 if (family == PF_INET) {
4429 addr4 = (struct sockaddr_in *)address;
4430 snum = ntohs(addr4->sin_port);
4431 addrp = (char *)&addr4->sin_addr.s_addr;
4433 addr6 = (struct sockaddr_in6 *)address;
4434 snum = ntohs(addr6->sin6_port);
4435 addrp = (char *)&addr6->sin6_addr.s6_addr;
4441 inet_get_local_port_range(sock_net(sk), &low, &high);
4443 if (snum < max(PROT_SOCK, low) || snum > high) {
4444 err = sel_netport_sid(sk->sk_protocol,
4448 ad.type = LSM_AUDIT_DATA_NET;
4450 ad.u.net->sport = htons(snum);
4451 ad.u.net->family = family;
4452 err = avc_has_perm(sksec->sid, sid,
4454 SOCKET__NAME_BIND, &ad);
4460 switch (sksec->sclass) {
4461 case SECCLASS_TCP_SOCKET:
4462 node_perm = TCP_SOCKET__NODE_BIND;
4465 case SECCLASS_UDP_SOCKET:
4466 node_perm = UDP_SOCKET__NODE_BIND;
4469 case SECCLASS_DCCP_SOCKET:
4470 node_perm = DCCP_SOCKET__NODE_BIND;
4474 node_perm = RAWIP_SOCKET__NODE_BIND;
4478 err = sel_netnode_sid(addrp, family, &sid);
4482 ad.type = LSM_AUDIT_DATA_NET;
4484 ad.u.net->sport = htons(snum);
4485 ad.u.net->family = family;
4487 if (family == PF_INET)
4488 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4490 ad.u.net->v6info.saddr = addr6->sin6_addr;
4492 err = avc_has_perm(sksec->sid, sid,
4493 sksec->sclass, node_perm, &ad);
4501 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4503 struct sock *sk = sock->sk;
4504 struct sk_security_struct *sksec = sk->sk_security;
4507 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4512 * If a TCP or DCCP socket, check name_connect permission for the port.
4514 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4515 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4516 struct common_audit_data ad;
4517 struct lsm_network_audit net = {0,};
4518 struct sockaddr_in *addr4 = NULL;
4519 struct sockaddr_in6 *addr6 = NULL;
4520 unsigned short snum;
4523 if (sk->sk_family == PF_INET) {
4524 addr4 = (struct sockaddr_in *)address;
4525 if (addrlen < sizeof(struct sockaddr_in))
4527 snum = ntohs(addr4->sin_port);
4529 addr6 = (struct sockaddr_in6 *)address;
4530 if (addrlen < SIN6_LEN_RFC2133)
4532 snum = ntohs(addr6->sin6_port);
4535 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4539 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4540 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4542 ad.type = LSM_AUDIT_DATA_NET;
4544 ad.u.net->dport = htons(snum);
4545 ad.u.net->family = sk->sk_family;
4546 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4551 err = selinux_netlbl_socket_connect(sk, address);
4557 static int selinux_socket_listen(struct socket *sock, int backlog)
4559 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4562 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4565 struct inode_security_struct *isec;
4566 struct inode_security_struct *newisec;
4570 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4574 isec = inode_security_novalidate(SOCK_INODE(sock));
4575 spin_lock(&isec->lock);
4576 sclass = isec->sclass;
4578 spin_unlock(&isec->lock);
4580 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4581 newisec->sclass = sclass;
4583 newisec->initialized = LABEL_INITIALIZED;
4588 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4591 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4594 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4595 int size, int flags)
4597 return sock_has_perm(current, sock->sk, SOCKET__READ);
4600 static int selinux_socket_getsockname(struct socket *sock)
4602 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4605 static int selinux_socket_getpeername(struct socket *sock)
4607 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4610 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4614 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4618 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4621 static int selinux_socket_getsockopt(struct socket *sock, int level,
4624 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4627 static int selinux_socket_shutdown(struct socket *sock, int how)
4629 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4632 static int selinux_socket_unix_stream_connect(struct sock *sock,
4636 struct sk_security_struct *sksec_sock = sock->sk_security;
4637 struct sk_security_struct *sksec_other = other->sk_security;
4638 struct sk_security_struct *sksec_new = newsk->sk_security;
4639 struct common_audit_data ad;
4640 struct lsm_network_audit net = {0,};
4643 ad.type = LSM_AUDIT_DATA_NET;
4645 ad.u.net->sk = other;
4647 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4648 sksec_other->sclass,
4649 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4653 /* server child socket */
4654 sksec_new->peer_sid = sksec_sock->sid;
4655 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4660 /* connecting socket */
4661 sksec_sock->peer_sid = sksec_new->sid;
4666 static int selinux_socket_unix_may_send(struct socket *sock,
4667 struct socket *other)
4669 struct sk_security_struct *ssec = sock->sk->sk_security;
4670 struct sk_security_struct *osec = other->sk->sk_security;
4671 struct common_audit_data ad;
4672 struct lsm_network_audit net = {0,};
4674 ad.type = LSM_AUDIT_DATA_NET;
4676 ad.u.net->sk = other->sk;
4678 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4682 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4683 char *addrp, u16 family, u32 peer_sid,
4684 struct common_audit_data *ad)
4690 err = sel_netif_sid(ns, ifindex, &if_sid);
4693 err = avc_has_perm(peer_sid, if_sid,
4694 SECCLASS_NETIF, NETIF__INGRESS, ad);
4698 err = sel_netnode_sid(addrp, family, &node_sid);
4701 return avc_has_perm(peer_sid, node_sid,
4702 SECCLASS_NODE, NODE__RECVFROM, ad);
4705 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4709 struct sk_security_struct *sksec = sk->sk_security;
4710 u32 sk_sid = sksec->sid;
4711 struct common_audit_data ad;
4712 struct lsm_network_audit net = {0,};
4715 ad.type = LSM_AUDIT_DATA_NET;
4717 ad.u.net->netif = skb->skb_iif;
4718 ad.u.net->family = family;
4719 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4723 if (selinux_secmark_enabled()) {
4724 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4730 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4733 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4738 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4741 struct sk_security_struct *sksec = sk->sk_security;
4742 u16 family = sk->sk_family;
4743 u32 sk_sid = sksec->sid;
4744 struct common_audit_data ad;
4745 struct lsm_network_audit net = {0,};
4750 if (family != PF_INET && family != PF_INET6)
4753 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4754 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4757 /* If any sort of compatibility mode is enabled then handoff processing
4758 * to the selinux_sock_rcv_skb_compat() function to deal with the
4759 * special handling. We do this in an attempt to keep this function
4760 * as fast and as clean as possible. */
4761 if (!selinux_policycap_netpeer)
4762 return selinux_sock_rcv_skb_compat(sk, skb, family);
4764 secmark_active = selinux_secmark_enabled();
4765 peerlbl_active = selinux_peerlbl_enabled();
4766 if (!secmark_active && !peerlbl_active)
4769 ad.type = LSM_AUDIT_DATA_NET;
4771 ad.u.net->netif = skb->skb_iif;
4772 ad.u.net->family = family;
4773 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4777 if (peerlbl_active) {
4780 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4783 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4784 addrp, family, peer_sid, &ad);
4786 selinux_netlbl_err(skb, family, err, 0);
4789 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4792 selinux_netlbl_err(skb, family, err, 0);
4797 if (secmark_active) {
4798 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4807 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4808 int __user *optlen, unsigned len)
4813 struct sk_security_struct *sksec = sock->sk->sk_security;
4814 u32 peer_sid = SECSID_NULL;
4816 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4817 sksec->sclass == SECCLASS_TCP_SOCKET)
4818 peer_sid = sksec->peer_sid;
4819 if (peer_sid == SECSID_NULL)
4820 return -ENOPROTOOPT;
4822 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4826 if (scontext_len > len) {
4831 if (copy_to_user(optval, scontext, scontext_len))
4835 if (put_user(scontext_len, optlen))
4841 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4843 u32 peer_secid = SECSID_NULL;
4845 struct inode_security_struct *isec;
4847 if (skb && skb->protocol == htons(ETH_P_IP))
4849 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4852 family = sock->sk->sk_family;
4856 if (sock && family == PF_UNIX) {
4857 isec = inode_security_novalidate(SOCK_INODE(sock));
4858 peer_secid = isec->sid;
4860 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4863 *secid = peer_secid;
4864 if (peer_secid == SECSID_NULL)
4869 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4871 struct sk_security_struct *sksec;
4873 sksec = kzalloc(sizeof(*sksec), priority);
4877 sksec->peer_sid = SECINITSID_UNLABELED;
4878 sksec->sid = SECINITSID_UNLABELED;
4879 sksec->sclass = SECCLASS_SOCKET;
4880 selinux_netlbl_sk_security_reset(sksec);
4881 sk->sk_security = sksec;
4886 static void selinux_sk_free_security(struct sock *sk)
4888 struct sk_security_struct *sksec = sk->sk_security;
4890 sk->sk_security = NULL;
4891 selinux_netlbl_sk_security_free(sksec);
4895 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4897 struct sk_security_struct *sksec = sk->sk_security;
4898 struct sk_security_struct *newsksec = newsk->sk_security;
4900 newsksec->sid = sksec->sid;
4901 newsksec->peer_sid = sksec->peer_sid;
4902 newsksec->sclass = sksec->sclass;
4904 selinux_netlbl_sk_security_reset(newsksec);
4907 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4910 *secid = SECINITSID_ANY_SOCKET;
4912 struct sk_security_struct *sksec = sk->sk_security;
4914 *secid = sksec->sid;
4918 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4920 struct inode_security_struct *isec =
4921 inode_security_novalidate(SOCK_INODE(parent));
4922 struct sk_security_struct *sksec = sk->sk_security;
4924 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4925 sk->sk_family == PF_UNIX)
4926 isec->sid = sksec->sid;
4927 sksec->sclass = isec->sclass;
4930 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4931 struct request_sock *req)
4933 struct sk_security_struct *sksec = sk->sk_security;
4935 u16 family = req->rsk_ops->family;
4939 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4942 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4945 req->secid = connsid;
4946 req->peer_secid = peersid;
4948 return selinux_netlbl_inet_conn_request(req, family);
4951 static void selinux_inet_csk_clone(struct sock *newsk,
4952 const struct request_sock *req)
4954 struct sk_security_struct *newsksec = newsk->sk_security;
4956 newsksec->sid = req->secid;
4957 newsksec->peer_sid = req->peer_secid;
4958 /* NOTE: Ideally, we should also get the isec->sid for the
4959 new socket in sync, but we don't have the isec available yet.
4960 So we will wait until sock_graft to do it, by which
4961 time it will have been created and available. */
4963 /* We don't need to take any sort of lock here as we are the only
4964 * thread with access to newsksec */
4965 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4968 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4970 u16 family = sk->sk_family;
4971 struct sk_security_struct *sksec = sk->sk_security;
4973 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4974 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4977 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4980 static int selinux_secmark_relabel_packet(u32 sid)
4982 const struct task_security_struct *__tsec;
4985 __tsec = current_security();
4988 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4991 static void selinux_secmark_refcount_inc(void)
4993 atomic_inc(&selinux_secmark_refcount);
4996 static void selinux_secmark_refcount_dec(void)
4998 atomic_dec(&selinux_secmark_refcount);
5001 static void selinux_req_classify_flow(const struct request_sock *req,
5004 fl->flowi_secid = req->secid;
5007 static int selinux_tun_dev_alloc_security(void **security)
5009 struct tun_security_struct *tunsec;
5011 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5014 tunsec->sid = current_sid();
5020 static void selinux_tun_dev_free_security(void *security)
5025 static int selinux_tun_dev_create(void)
5027 u32 sid = current_sid();
5029 /* we aren't taking into account the "sockcreate" SID since the socket
5030 * that is being created here is not a socket in the traditional sense,
5031 * instead it is a private sock, accessible only to the kernel, and
5032 * representing a wide range of network traffic spanning multiple
5033 * connections unlike traditional sockets - check the TUN driver to
5034 * get a better understanding of why this socket is special */
5036 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5040 static int selinux_tun_dev_attach_queue(void *security)
5042 struct tun_security_struct *tunsec = security;
5044 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5045 TUN_SOCKET__ATTACH_QUEUE, NULL);
5048 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5050 struct tun_security_struct *tunsec = security;
5051 struct sk_security_struct *sksec = sk->sk_security;
5053 /* we don't currently perform any NetLabel based labeling here and it
5054 * isn't clear that we would want to do so anyway; while we could apply
5055 * labeling without the support of the TUN user the resulting labeled
5056 * traffic from the other end of the connection would almost certainly
5057 * cause confusion to the TUN user that had no idea network labeling
5058 * protocols were being used */
5060 sksec->sid = tunsec->sid;
5061 sksec->sclass = SECCLASS_TUN_SOCKET;
5066 static int selinux_tun_dev_open(void *security)
5068 struct tun_security_struct *tunsec = security;
5069 u32 sid = current_sid();
5072 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5073 TUN_SOCKET__RELABELFROM, NULL);
5076 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5077 TUN_SOCKET__RELABELTO, NULL);
5085 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5089 struct nlmsghdr *nlh;
5090 struct sk_security_struct *sksec = sk->sk_security;
5092 if (skb->len < NLMSG_HDRLEN) {
5096 nlh = nlmsg_hdr(skb);
5098 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5100 if (err == -EINVAL) {
5101 pr_warn_ratelimited("SELinux: unrecognized netlink"
5102 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5103 " pig=%d comm=%s\n",
5104 sk->sk_protocol, nlh->nlmsg_type,
5105 secclass_map[sksec->sclass - 1].name,
5106 task_pid_nr(current), current->comm);
5107 if (!selinux_enforcing || security_get_allow_unknown())
5117 err = sock_has_perm(current, sk, perm);
5122 #ifdef CONFIG_NETFILTER
5124 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5125 const struct net_device *indev,
5131 struct common_audit_data ad;
5132 struct lsm_network_audit net = {0,};
5137 if (!selinux_policycap_netpeer)
5140 secmark_active = selinux_secmark_enabled();
5141 netlbl_active = netlbl_enabled();
5142 peerlbl_active = selinux_peerlbl_enabled();
5143 if (!secmark_active && !peerlbl_active)
5146 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5149 ad.type = LSM_AUDIT_DATA_NET;
5151 ad.u.net->netif = indev->ifindex;
5152 ad.u.net->family = family;
5153 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5156 if (peerlbl_active) {
5157 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5158 addrp, family, peer_sid, &ad);
5160 selinux_netlbl_err(skb, family, err, 1);
5166 if (avc_has_perm(peer_sid, skb->secmark,
5167 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5171 /* we do this in the FORWARD path and not the POST_ROUTING
5172 * path because we want to make sure we apply the necessary
5173 * labeling before IPsec is applied so we can leverage AH
5175 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5181 static unsigned int selinux_ipv4_forward(void *priv,
5182 struct sk_buff *skb,
5183 const struct nf_hook_state *state)
5185 return selinux_ip_forward(skb, state->in, PF_INET);
5188 #if IS_ENABLED(CONFIG_IPV6)
5189 static unsigned int selinux_ipv6_forward(void *priv,
5190 struct sk_buff *skb,
5191 const struct nf_hook_state *state)
5193 return selinux_ip_forward(skb, state->in, PF_INET6);
5197 static unsigned int selinux_ip_output(struct sk_buff *skb,
5203 if (!netlbl_enabled())
5206 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5207 * because we want to make sure we apply the necessary labeling
5208 * before IPsec is applied so we can leverage AH protection */
5211 struct sk_security_struct *sksec;
5213 if (sk_listener(sk))
5214 /* if the socket is the listening state then this
5215 * packet is a SYN-ACK packet which means it needs to
5216 * be labeled based on the connection/request_sock and
5217 * not the parent socket. unfortunately, we can't
5218 * lookup the request_sock yet as it isn't queued on
5219 * the parent socket until after the SYN-ACK is sent.
5220 * the "solution" is to simply pass the packet as-is
5221 * as any IP option based labeling should be copied
5222 * from the initial connection request (in the IP
5223 * layer). it is far from ideal, but until we get a
5224 * security label in the packet itself this is the
5225 * best we can do. */
5228 /* standard practice, label using the parent socket */
5229 sksec = sk->sk_security;
5232 sid = SECINITSID_KERNEL;
5233 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5239 static unsigned int selinux_ipv4_output(void *priv,
5240 struct sk_buff *skb,
5241 const struct nf_hook_state *state)
5243 return selinux_ip_output(skb, PF_INET);
5246 #if IS_ENABLED(CONFIG_IPV6)
5247 static unsigned int selinux_ipv6_output(void *priv,
5248 struct sk_buff *skb,
5249 const struct nf_hook_state *state)
5251 return selinux_ip_output(skb, PF_INET6);
5255 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5259 struct sock *sk = skb_to_full_sk(skb);
5260 struct sk_security_struct *sksec;
5261 struct common_audit_data ad;
5262 struct lsm_network_audit net = {0,};
5268 sksec = sk->sk_security;
5270 ad.type = LSM_AUDIT_DATA_NET;
5272 ad.u.net->netif = ifindex;
5273 ad.u.net->family = family;
5274 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5277 if (selinux_secmark_enabled())
5278 if (avc_has_perm(sksec->sid, skb->secmark,
5279 SECCLASS_PACKET, PACKET__SEND, &ad))
5280 return NF_DROP_ERR(-ECONNREFUSED);
5282 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5283 return NF_DROP_ERR(-ECONNREFUSED);
5288 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5289 const struct net_device *outdev,
5294 int ifindex = outdev->ifindex;
5296 struct common_audit_data ad;
5297 struct lsm_network_audit net = {0,};
5302 /* If any sort of compatibility mode is enabled then handoff processing
5303 * to the selinux_ip_postroute_compat() function to deal with the
5304 * special handling. We do this in an attempt to keep this function
5305 * as fast and as clean as possible. */
5306 if (!selinux_policycap_netpeer)
5307 return selinux_ip_postroute_compat(skb, ifindex, family);
5309 secmark_active = selinux_secmark_enabled();
5310 peerlbl_active = selinux_peerlbl_enabled();
5311 if (!secmark_active && !peerlbl_active)
5314 sk = skb_to_full_sk(skb);
5317 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5318 * packet transformation so allow the packet to pass without any checks
5319 * since we'll have another chance to perform access control checks
5320 * when the packet is on it's final way out.
5321 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5322 * is NULL, in this case go ahead and apply access control.
5323 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5324 * TCP listening state we cannot wait until the XFRM processing
5325 * is done as we will miss out on the SA label if we do;
5326 * unfortunately, this means more work, but it is only once per
5328 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5329 !(sk && sk_listener(sk)))
5334 /* Without an associated socket the packet is either coming
5335 * from the kernel or it is being forwarded; check the packet
5336 * to determine which and if the packet is being forwarded
5337 * query the packet directly to determine the security label. */
5339 secmark_perm = PACKET__FORWARD_OUT;
5340 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5343 secmark_perm = PACKET__SEND;
5344 peer_sid = SECINITSID_KERNEL;
5346 } else if (sk_listener(sk)) {
5347 /* Locally generated packet but the associated socket is in the
5348 * listening state which means this is a SYN-ACK packet. In
5349 * this particular case the correct security label is assigned
5350 * to the connection/request_sock but unfortunately we can't
5351 * query the request_sock as it isn't queued on the parent
5352 * socket until after the SYN-ACK packet is sent; the only
5353 * viable choice is to regenerate the label like we do in
5354 * selinux_inet_conn_request(). See also selinux_ip_output()
5355 * for similar problems. */
5357 struct sk_security_struct *sksec;
5359 sksec = sk->sk_security;
5360 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5362 /* At this point, if the returned skb peerlbl is SECSID_NULL
5363 * and the packet has been through at least one XFRM
5364 * transformation then we must be dealing with the "final"
5365 * form of labeled IPsec packet; since we've already applied
5366 * all of our access controls on this packet we can safely
5367 * pass the packet. */
5368 if (skb_sid == SECSID_NULL) {
5371 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5375 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5379 return NF_DROP_ERR(-ECONNREFUSED);
5382 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5384 secmark_perm = PACKET__SEND;
5386 /* Locally generated packet, fetch the security label from the
5387 * associated socket. */
5388 struct sk_security_struct *sksec = sk->sk_security;
5389 peer_sid = sksec->sid;
5390 secmark_perm = PACKET__SEND;
5393 ad.type = LSM_AUDIT_DATA_NET;
5395 ad.u.net->netif = ifindex;
5396 ad.u.net->family = family;
5397 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5401 if (avc_has_perm(peer_sid, skb->secmark,
5402 SECCLASS_PACKET, secmark_perm, &ad))
5403 return NF_DROP_ERR(-ECONNREFUSED);
5405 if (peerlbl_active) {
5409 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5411 if (avc_has_perm(peer_sid, if_sid,
5412 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5413 return NF_DROP_ERR(-ECONNREFUSED);
5415 if (sel_netnode_sid(addrp, family, &node_sid))
5417 if (avc_has_perm(peer_sid, node_sid,
5418 SECCLASS_NODE, NODE__SENDTO, &ad))
5419 return NF_DROP_ERR(-ECONNREFUSED);
5425 static unsigned int selinux_ipv4_postroute(void *priv,
5426 struct sk_buff *skb,
5427 const struct nf_hook_state *state)
5429 return selinux_ip_postroute(skb, state->out, PF_INET);
5432 #if IS_ENABLED(CONFIG_IPV6)
5433 static unsigned int selinux_ipv6_postroute(void *priv,
5434 struct sk_buff *skb,
5435 const struct nf_hook_state *state)
5437 return selinux_ip_postroute(skb, state->out, PF_INET6);
5441 #endif /* CONFIG_NETFILTER */
5443 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5445 return selinux_nlmsg_perm(sk, skb);
5448 static int ipc_alloc_security(struct task_struct *task,
5449 struct kern_ipc_perm *perm,
5452 struct ipc_security_struct *isec;
5455 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5459 sid = task_sid(task);
5460 isec->sclass = sclass;
5462 perm->security = isec;
5467 static void ipc_free_security(struct kern_ipc_perm *perm)
5469 struct ipc_security_struct *isec = perm->security;
5470 perm->security = NULL;
5474 static int msg_msg_alloc_security(struct msg_msg *msg)
5476 struct msg_security_struct *msec;
5478 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5482 msec->sid = SECINITSID_UNLABELED;
5483 msg->security = msec;
5488 static void msg_msg_free_security(struct msg_msg *msg)
5490 struct msg_security_struct *msec = msg->security;
5492 msg->security = NULL;
5496 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5499 struct ipc_security_struct *isec;
5500 struct common_audit_data ad;
5501 u32 sid = current_sid();
5503 isec = ipc_perms->security;
5505 ad.type = LSM_AUDIT_DATA_IPC;
5506 ad.u.ipc_id = ipc_perms->key;
5508 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5511 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5513 return msg_msg_alloc_security(msg);
5516 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5518 msg_msg_free_security(msg);
5521 /* message queue security operations */
5522 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5524 struct ipc_security_struct *isec;
5525 struct common_audit_data ad;
5526 u32 sid = current_sid();
5529 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5533 isec = msq->q_perm.security;
5535 ad.type = LSM_AUDIT_DATA_IPC;
5536 ad.u.ipc_id = msq->q_perm.key;
5538 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5541 ipc_free_security(&msq->q_perm);
5547 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5549 ipc_free_security(&msq->q_perm);
5552 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5554 struct ipc_security_struct *isec;
5555 struct common_audit_data ad;
5556 u32 sid = current_sid();
5558 isec = msq->q_perm.security;
5560 ad.type = LSM_AUDIT_DATA_IPC;
5561 ad.u.ipc_id = msq->q_perm.key;
5563 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5564 MSGQ__ASSOCIATE, &ad);
5567 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5575 /* No specific object, just general system-wide information. */
5576 return task_has_system(current, SYSTEM__IPC_INFO);
5579 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5582 perms = MSGQ__SETATTR;
5585 perms = MSGQ__DESTROY;
5591 err = ipc_has_perm(&msq->q_perm, perms);
5595 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5597 struct ipc_security_struct *isec;
5598 struct msg_security_struct *msec;
5599 struct common_audit_data ad;
5600 u32 sid = current_sid();
5603 isec = msq->q_perm.security;
5604 msec = msg->security;
5607 * First time through, need to assign label to the message
5609 if (msec->sid == SECINITSID_UNLABELED) {
5611 * Compute new sid based on current process and
5612 * message queue this message will be stored in
5614 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5620 ad.type = LSM_AUDIT_DATA_IPC;
5621 ad.u.ipc_id = msq->q_perm.key;
5623 /* Can this process write to the queue? */
5624 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5627 /* Can this process send the message */
5628 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5631 /* Can the message be put in the queue? */
5632 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5633 MSGQ__ENQUEUE, &ad);
5638 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5639 struct task_struct *target,
5640 long type, int mode)
5642 struct ipc_security_struct *isec;
5643 struct msg_security_struct *msec;
5644 struct common_audit_data ad;
5645 u32 sid = task_sid(target);
5648 isec = msq->q_perm.security;
5649 msec = msg->security;
5651 ad.type = LSM_AUDIT_DATA_IPC;
5652 ad.u.ipc_id = msq->q_perm.key;
5654 rc = avc_has_perm(sid, isec->sid,
5655 SECCLASS_MSGQ, MSGQ__READ, &ad);
5657 rc = avc_has_perm(sid, msec->sid,
5658 SECCLASS_MSG, MSG__RECEIVE, &ad);
5662 /* Shared Memory security operations */
5663 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5665 struct ipc_security_struct *isec;
5666 struct common_audit_data ad;
5667 u32 sid = current_sid();
5670 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5674 isec = shp->shm_perm.security;
5676 ad.type = LSM_AUDIT_DATA_IPC;
5677 ad.u.ipc_id = shp->shm_perm.key;
5679 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5682 ipc_free_security(&shp->shm_perm);
5688 static void selinux_shm_free_security(struct shmid_kernel *shp)
5690 ipc_free_security(&shp->shm_perm);
5693 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5695 struct ipc_security_struct *isec;
5696 struct common_audit_data ad;
5697 u32 sid = current_sid();
5699 isec = shp->shm_perm.security;
5701 ad.type = LSM_AUDIT_DATA_IPC;
5702 ad.u.ipc_id = shp->shm_perm.key;
5704 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5705 SHM__ASSOCIATE, &ad);
5708 /* Note, at this point, shp is locked down */
5709 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5717 /* No specific object, just general system-wide information. */
5718 return task_has_system(current, SYSTEM__IPC_INFO);
5721 perms = SHM__GETATTR | SHM__ASSOCIATE;
5724 perms = SHM__SETATTR;
5731 perms = SHM__DESTROY;
5737 err = ipc_has_perm(&shp->shm_perm, perms);
5741 static int selinux_shm_shmat(struct shmid_kernel *shp,
5742 char __user *shmaddr, int shmflg)
5746 if (shmflg & SHM_RDONLY)
5749 perms = SHM__READ | SHM__WRITE;
5751 return ipc_has_perm(&shp->shm_perm, perms);
5754 /* Semaphore security operations */
5755 static int selinux_sem_alloc_security(struct sem_array *sma)
5757 struct ipc_security_struct *isec;
5758 struct common_audit_data ad;
5759 u32 sid = current_sid();
5762 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5766 isec = sma->sem_perm.security;
5768 ad.type = LSM_AUDIT_DATA_IPC;
5769 ad.u.ipc_id = sma->sem_perm.key;
5771 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5774 ipc_free_security(&sma->sem_perm);
5780 static void selinux_sem_free_security(struct sem_array *sma)
5782 ipc_free_security(&sma->sem_perm);
5785 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5787 struct ipc_security_struct *isec;
5788 struct common_audit_data ad;
5789 u32 sid = current_sid();
5791 isec = sma->sem_perm.security;
5793 ad.type = LSM_AUDIT_DATA_IPC;
5794 ad.u.ipc_id = sma->sem_perm.key;
5796 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5797 SEM__ASSOCIATE, &ad);
5800 /* Note, at this point, sma is locked down */
5801 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5809 /* No specific object, just general system-wide information. */
5810 return task_has_system(current, SYSTEM__IPC_INFO);
5814 perms = SEM__GETATTR;
5825 perms = SEM__DESTROY;
5828 perms = SEM__SETATTR;
5832 perms = SEM__GETATTR | SEM__ASSOCIATE;
5838 err = ipc_has_perm(&sma->sem_perm, perms);
5842 static int selinux_sem_semop(struct sem_array *sma,
5843 struct sembuf *sops, unsigned nsops, int alter)
5848 perms = SEM__READ | SEM__WRITE;
5852 return ipc_has_perm(&sma->sem_perm, perms);
5855 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5861 av |= IPC__UNIX_READ;
5863 av |= IPC__UNIX_WRITE;
5868 return ipc_has_perm(ipcp, av);
5871 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5873 struct ipc_security_struct *isec = ipcp->security;
5877 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5880 inode_doinit_with_dentry(inode, dentry);
5883 static int selinux_getprocattr(struct task_struct *p,
5884 char *name, char **value)
5886 const struct task_security_struct *__tsec;
5892 error = current_has_perm(p, PROCESS__GETATTR);
5898 __tsec = __task_cred(p)->security;
5900 if (!strcmp(name, "current"))
5902 else if (!strcmp(name, "prev"))
5904 else if (!strcmp(name, "exec"))
5905 sid = __tsec->exec_sid;
5906 else if (!strcmp(name, "fscreate"))
5907 sid = __tsec->create_sid;
5908 else if (!strcmp(name, "keycreate"))
5909 sid = __tsec->keycreate_sid;
5910 else if (!strcmp(name, "sockcreate"))
5911 sid = __tsec->sockcreate_sid;
5919 error = security_sid_to_context(sid, value, &len);
5929 static int selinux_setprocattr(struct task_struct *p,
5930 char *name, void *value, size_t size)
5932 struct task_security_struct *tsec;
5939 /* SELinux only allows a process to change its own
5940 security attributes. */
5945 * Basic control over ability to set these attributes at all.
5946 * current == p, but we'll pass them separately in case the
5947 * above restriction is ever removed.
5949 if (!strcmp(name, "exec"))
5950 error = current_has_perm(p, PROCESS__SETEXEC);
5951 else if (!strcmp(name, "fscreate"))
5952 error = current_has_perm(p, PROCESS__SETFSCREATE);
5953 else if (!strcmp(name, "keycreate"))
5954 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5955 else if (!strcmp(name, "sockcreate"))
5956 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5957 else if (!strcmp(name, "current"))
5958 error = current_has_perm(p, PROCESS__SETCURRENT);
5964 /* Obtain a SID for the context, if one was specified. */
5965 if (size && str[1] && str[1] != '\n') {
5966 if (str[size-1] == '\n') {
5970 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5971 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5972 if (!capable(CAP_MAC_ADMIN)) {
5973 struct audit_buffer *ab;
5976 /* We strip a nul only if it is at the end, otherwise the
5977 * context contains a nul and we should audit that */
5978 if (str[size - 1] == '\0')
5979 audit_size = size - 1;
5982 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5983 audit_log_format(ab, "op=fscreate invalid_context=");
5984 audit_log_n_untrustedstring(ab, value, audit_size);
5989 error = security_context_to_sid_force(value, size,
5996 new = prepare_creds();
6000 /* Permission checking based on the specified context is
6001 performed during the actual operation (execve,
6002 open/mkdir/...), when we know the full context of the
6003 operation. See selinux_bprm_set_creds for the execve
6004 checks and may_create for the file creation checks. The
6005 operation will then fail if the context is not permitted. */
6006 tsec = new->security;
6007 if (!strcmp(name, "exec")) {
6008 tsec->exec_sid = sid;
6009 } else if (!strcmp(name, "fscreate")) {
6010 tsec->create_sid = sid;
6011 } else if (!strcmp(name, "keycreate")) {
6012 error = may_create_key(sid, p);
6015 tsec->keycreate_sid = sid;
6016 } else if (!strcmp(name, "sockcreate")) {
6017 tsec->sockcreate_sid = sid;
6018 } else if (!strcmp(name, "current")) {
6023 /* Only allow single threaded processes to change context */
6025 if (!current_is_single_threaded()) {
6026 error = security_bounded_transition(tsec->sid, sid);
6031 /* Check permissions for the transition. */
6032 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6033 PROCESS__DYNTRANSITION, NULL);
6037 /* Check for ptracing, and update the task SID if ok.
6038 Otherwise, leave SID unchanged and fail. */
6039 ptsid = ptrace_parent_sid(p);
6041 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6042 PROCESS__PTRACE, NULL);
6061 static int selinux_ismaclabel(const char *name)
6063 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6066 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6068 return security_sid_to_context(secid, secdata, seclen);
6071 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6073 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
6076 static void selinux_release_secctx(char *secdata, u32 seclen)
6081 static void selinux_inode_invalidate_secctx(struct inode *inode)
6083 struct inode_security_struct *isec = inode->i_security;
6085 spin_lock(&isec->lock);
6086 isec->initialized = LABEL_INVALID;
6087 spin_unlock(&isec->lock);
6091 * called with inode->i_mutex locked
6093 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6095 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6099 * called with inode->i_mutex locked
6101 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6103 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6106 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6109 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6118 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6119 unsigned long flags)
6121 const struct task_security_struct *tsec;
6122 struct key_security_struct *ksec;
6124 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6128 tsec = cred->security;
6129 if (tsec->keycreate_sid)
6130 ksec->sid = tsec->keycreate_sid;
6132 ksec->sid = tsec->sid;
6138 static void selinux_key_free(struct key *k)
6140 struct key_security_struct *ksec = k->security;
6146 static int selinux_key_permission(key_ref_t key_ref,
6147 const struct cred *cred,
6151 struct key_security_struct *ksec;
6154 /* if no specific permissions are requested, we skip the
6155 permission check. No serious, additional covert channels
6156 appear to be created. */
6160 sid = cred_sid(cred);
6162 key = key_ref_to_ptr(key_ref);
6163 ksec = key->security;
6165 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6168 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6170 struct key_security_struct *ksec = key->security;
6171 char *context = NULL;
6175 rc = security_sid_to_context(ksec->sid, &context, &len);
6184 static struct security_hook_list selinux_hooks[] = {
6185 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6186 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6187 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6188 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6190 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6191 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6192 LSM_HOOK_INIT(capget, selinux_capget),
6193 LSM_HOOK_INIT(capset, selinux_capset),
6194 LSM_HOOK_INIT(capable, selinux_capable),
6195 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6196 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6197 LSM_HOOK_INIT(syslog, selinux_syslog),
6198 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6200 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6202 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6203 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6204 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6205 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6207 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6208 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6209 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6210 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6211 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6212 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6213 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6214 LSM_HOOK_INIT(sb_mount, selinux_mount),
6215 LSM_HOOK_INIT(sb_umount, selinux_umount),
6216 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6217 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6218 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6220 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6221 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6223 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6224 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6225 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6226 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6227 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6228 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6229 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6230 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6231 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6232 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6233 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6234 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6235 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6236 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6237 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6238 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6239 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6240 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6241 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6242 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6243 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6244 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6245 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6246 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6247 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6248 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6249 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6251 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6252 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6253 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6254 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6255 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6256 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6257 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6258 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6259 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6260 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6261 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6262 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6264 LSM_HOOK_INIT(file_open, selinux_file_open),
6266 LSM_HOOK_INIT(task_create, selinux_task_create),
6267 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6268 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6269 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6270 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6271 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6272 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6273 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6274 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6275 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6276 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6277 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6278 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6279 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6280 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6281 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6282 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6283 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6284 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6285 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6286 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6287 LSM_HOOK_INIT(task_wait, selinux_task_wait),
6288 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6290 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6291 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6293 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6294 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6296 LSM_HOOK_INIT(msg_queue_alloc_security,
6297 selinux_msg_queue_alloc_security),
6298 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6299 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6300 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6301 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6302 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6304 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6305 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6306 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6307 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6308 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6310 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6311 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6312 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6313 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6314 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6316 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6318 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6319 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6321 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6322 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6323 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6324 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6325 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6326 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6327 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6328 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6330 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6331 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6333 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6334 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6335 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6336 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6337 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6338 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6339 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6340 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6341 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6342 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6343 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6344 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6345 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6346 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6347 LSM_HOOK_INIT(socket_getpeersec_stream,
6348 selinux_socket_getpeersec_stream),
6349 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6350 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6351 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6352 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6353 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6354 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6355 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6356 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6357 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6358 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6359 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6360 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6361 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6362 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6363 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6364 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6365 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6366 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6367 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6369 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6370 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6371 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6372 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6373 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6374 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6375 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6376 selinux_xfrm_state_alloc_acquire),
6377 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6378 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6379 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6380 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6381 selinux_xfrm_state_pol_flow_match),
6382 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6386 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6387 LSM_HOOK_INIT(key_free, selinux_key_free),
6388 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6389 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6393 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6394 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6395 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6396 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6400 static __init int selinux_init(void)
6402 if (!security_module_enable("selinux")) {
6403 selinux_enabled = 0;
6407 if (!selinux_enabled) {
6408 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6412 printk(KERN_INFO "SELinux: Initializing.\n");
6414 /* Set the security state for the initial task. */
6415 cred_init_security();
6417 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6419 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6420 sizeof(struct inode_security_struct),
6421 0, SLAB_PANIC, NULL);
6422 file_security_cache = kmem_cache_create("selinux_file_security",
6423 sizeof(struct file_security_struct),
6424 0, SLAB_PANIC, NULL);
6427 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6429 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6430 panic("SELinux: Unable to register AVC netcache callback\n");
6432 if (selinux_enforcing)
6433 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6435 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6440 static void delayed_superblock_init(struct super_block *sb, void *unused)
6442 superblock_doinit(sb, NULL);
6445 void selinux_complete_init(void)
6447 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6449 /* Set up any superblocks initialized prior to the policy load. */
6450 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6451 iterate_supers(delayed_superblock_init, NULL);
6454 /* SELinux requires early initialization in order to label
6455 all processes and objects when they are created. */
6456 security_initcall(selinux_init);
6458 #if defined(CONFIG_NETFILTER)
6460 static struct nf_hook_ops selinux_nf_ops[] = {
6462 .hook = selinux_ipv4_postroute,
6464 .hooknum = NF_INET_POST_ROUTING,
6465 .priority = NF_IP_PRI_SELINUX_LAST,
6468 .hook = selinux_ipv4_forward,
6470 .hooknum = NF_INET_FORWARD,
6471 .priority = NF_IP_PRI_SELINUX_FIRST,
6474 .hook = selinux_ipv4_output,
6476 .hooknum = NF_INET_LOCAL_OUT,
6477 .priority = NF_IP_PRI_SELINUX_FIRST,
6479 #if IS_ENABLED(CONFIG_IPV6)
6481 .hook = selinux_ipv6_postroute,
6483 .hooknum = NF_INET_POST_ROUTING,
6484 .priority = NF_IP6_PRI_SELINUX_LAST,
6487 .hook = selinux_ipv6_forward,
6489 .hooknum = NF_INET_FORWARD,
6490 .priority = NF_IP6_PRI_SELINUX_FIRST,
6493 .hook = selinux_ipv6_output,
6495 .hooknum = NF_INET_LOCAL_OUT,
6496 .priority = NF_IP6_PRI_SELINUX_FIRST,
6501 static int __init selinux_nf_ip_init(void)
6505 if (!selinux_enabled)
6508 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6510 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6512 panic("SELinux: nf_register_hooks: error %d\n", err);
6517 __initcall(selinux_nf_ip_init);
6519 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6520 static void selinux_nf_ip_exit(void)
6522 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6524 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6528 #else /* CONFIG_NETFILTER */
6530 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6531 #define selinux_nf_ip_exit()
6534 #endif /* CONFIG_NETFILTER */
6536 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6537 static int selinux_disabled;
6539 int selinux_disable(void)
6541 if (ss_initialized) {
6542 /* Not permitted after initial policy load. */
6546 if (selinux_disabled) {
6547 /* Only do this once. */
6551 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6553 selinux_disabled = 1;
6554 selinux_enabled = 0;
6556 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6558 /* Try to destroy the avc node cache */
6561 /* Unregister netfilter hooks. */
6562 selinux_nf_ip_exit();
6564 /* Unregister selinuxfs. */
projects / karo-tx-linux.git / blob