2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License version 2,
16 * as published by the Free Software Foundation.
19 #include <linux/config.h>
20 #include <linux/module.h>
21 #include <linux/init.h>
22 #include <linux/kernel.h>
23 #include <linux/ptrace.h>
24 #include <linux/errno.h>
25 #include <linux/sched.h>
26 #include <linux/security.h>
27 #include <linux/xattr.h>
28 #include <linux/capability.h>
29 #include <linux/unistd.h>
31 #include <linux/mman.h>
32 #include <linux/slab.h>
33 #include <linux/pagemap.h>
34 #include <linux/swap.h>
35 #include <linux/smp_lock.h>
36 #include <linux/spinlock.h>
37 #include <linux/syscalls.h>
38 #include <linux/file.h>
39 #include <linux/namei.h>
40 #include <linux/mount.h>
41 #include <linux/ext2_fs.h>
42 #include <linux/proc_fs.h>
44 #include <linux/netfilter_ipv4.h>
45 #include <linux/netfilter_ipv6.h>
47 #include <net/ip.h> /* for sysctl_local_port_range[] */
48 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
49 #include <asm/uaccess.h>
50 #include <asm/semaphore.h>
51 #include <asm/ioctls.h>
52 #include <linux/bitops.h>
53 #include <linux/interrupt.h>
54 #include <linux/netdevice.h> /* for network interface checks */
55 #include <linux/netlink.h>
56 #include <linux/tcp.h>
57 #include <linux/udp.h>
58 #include <linux/quota.h>
59 #include <linux/un.h> /* for Unix socket types */
60 #include <net/af_unix.h> /* for Unix socket types */
61 #include <linux/parser.h>
62 #include <linux/nfs_mount.h>
64 #include <linux/hugetlb.h>
65 #include <linux/major.h>
66 #include <linux/personality.h>
72 #define XATTR_SELINUX_SUFFIX "selinux"
73 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
75 extern int policydb_loaded_version;
76 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
78 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
79 int selinux_enforcing = 0;
81 static int __init enforcing_setup(char *str)
83 selinux_enforcing = simple_strtol(str,NULL,0);
86 __setup("enforcing=", enforcing_setup);
89 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
90 int selinux_enabled = 0;
92 static int __init selinux_enabled_setup(char *str)
94 selinux_enabled = simple_strtol(str, NULL, 0);
97 __setup("selinux=", selinux_enabled_setup);
100 /* Original (dummy) security module. */
101 static struct security_operations *original_ops = NULL;
103 /* Minimal support for a secondary security module,
104 just to allow the use of the dummy or capability modules.
105 The owlsm module can alternatively be used as a secondary
106 module as long as CONFIG_OWLSM_FD is not enabled. */
107 static struct security_operations *secondary_ops = NULL;
109 /* Lists of inode and superblock security structures initialized
110 before the policy was loaded. */
111 static LIST_HEAD(superblock_security_head);
112 static spinlock_t sb_security_lock = SPIN_LOCK_UNLOCKED;
114 /* Allocate and free functions for each kind of security blob. */
116 static int task_alloc_security(struct task_struct *task)
118 struct task_security_struct *tsec;
120 tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
124 memset(tsec, 0, sizeof(struct task_security_struct));
125 tsec->magic = SELINUX_MAGIC;
127 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
128 task->security = tsec;
133 static void task_free_security(struct task_struct *task)
135 struct task_security_struct *tsec = task->security;
137 if (!tsec || tsec->magic != SELINUX_MAGIC)
140 task->security = NULL;
144 static int inode_alloc_security(struct inode *inode)
146 struct task_security_struct *tsec = current->security;
147 struct inode_security_struct *isec;
149 isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
153 memset(isec, 0, sizeof(struct inode_security_struct));
154 init_MUTEX(&isec->sem);
155 INIT_LIST_HEAD(&isec->list);
156 isec->magic = SELINUX_MAGIC;
158 isec->sid = SECINITSID_UNLABELED;
159 isec->sclass = SECCLASS_FILE;
160 if (tsec && tsec->magic == SELINUX_MAGIC)
161 isec->task_sid = tsec->sid;
163 isec->task_sid = SECINITSID_UNLABELED;
164 inode->i_security = isec;
169 static void inode_free_security(struct inode *inode)
171 struct inode_security_struct *isec = inode->i_security;
172 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
174 if (!isec || isec->magic != SELINUX_MAGIC)
177 spin_lock(&sbsec->isec_lock);
178 if (!list_empty(&isec->list))
179 list_del_init(&isec->list);
180 spin_unlock(&sbsec->isec_lock);
182 inode->i_security = NULL;
186 static int file_alloc_security(struct file *file)
188 struct task_security_struct *tsec = current->security;
189 struct file_security_struct *fsec;
191 fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
195 memset(fsec, 0, sizeof(struct file_security_struct));
196 fsec->magic = SELINUX_MAGIC;
198 if (tsec && tsec->magic == SELINUX_MAGIC) {
199 fsec->sid = tsec->sid;
200 fsec->fown_sid = tsec->sid;
202 fsec->sid = SECINITSID_UNLABELED;
203 fsec->fown_sid = SECINITSID_UNLABELED;
205 file->f_security = fsec;
210 static void file_free_security(struct file *file)
212 struct file_security_struct *fsec = file->f_security;
214 if (!fsec || fsec->magic != SELINUX_MAGIC)
217 file->f_security = NULL;
221 static int superblock_alloc_security(struct super_block *sb)
223 struct superblock_security_struct *sbsec;
225 sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
229 memset(sbsec, 0, sizeof(struct superblock_security_struct));
230 init_MUTEX(&sbsec->sem);
231 INIT_LIST_HEAD(&sbsec->list);
232 INIT_LIST_HEAD(&sbsec->isec_head);
233 spin_lock_init(&sbsec->isec_lock);
234 sbsec->magic = SELINUX_MAGIC;
236 sbsec->sid = SECINITSID_UNLABELED;
237 sbsec->def_sid = SECINITSID_FILE;
238 sb->s_security = sbsec;
243 static void superblock_free_security(struct super_block *sb)
245 struct superblock_security_struct *sbsec = sb->s_security;
247 if (!sbsec || sbsec->magic != SELINUX_MAGIC)
250 spin_lock(&sb_security_lock);
251 if (!list_empty(&sbsec->list))
252 list_del_init(&sbsec->list);
253 spin_unlock(&sb_security_lock);
255 sb->s_security = NULL;
259 #ifdef CONFIG_SECURITY_NETWORK
260 static int sk_alloc_security(struct sock *sk, int family, int priority)
262 struct sk_security_struct *ssec;
264 if (family != PF_UNIX)
267 ssec = kmalloc(sizeof(*ssec), priority);
271 memset(ssec, 0, sizeof(*ssec));
272 ssec->magic = SELINUX_MAGIC;
274 ssec->peer_sid = SECINITSID_UNLABELED;
275 sk->sk_security = ssec;
280 static void sk_free_security(struct sock *sk)
282 struct sk_security_struct *ssec = sk->sk_security;
284 if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
287 sk->sk_security = NULL;
290 #endif /* CONFIG_SECURITY_NETWORK */
292 /* The security server must be initialized before
293 any labeling or access decisions can be provided. */
294 extern int ss_initialized;
296 /* The file system's label must be initialized prior to use. */
298 static char *labeling_behaviors[6] = {
300 "uses transition SIDs",
302 "uses genfs_contexts",
303 "not configured for labeling",
304 "uses mountpoint labeling",
307 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
309 static inline int inode_doinit(struct inode *inode)
311 return inode_doinit_with_dentry(inode, NULL);
320 static match_table_t tokens = {
321 {Opt_context, "context=%s"},
322 {Opt_fscontext, "fscontext=%s"},
323 {Opt_defcontext, "defcontext=%s"},
326 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
328 static int try_context_mount(struct super_block *sb, void *data)
330 char *context = NULL, *defcontext = NULL;
333 int alloc = 0, rc = 0, seen = 0;
334 struct task_security_struct *tsec = current->security;
335 struct superblock_security_struct *sbsec = sb->s_security;
340 name = sb->s_type->name;
342 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
344 /* NFS we understand. */
345 if (!strcmp(name, "nfs")) {
346 struct nfs_mount_data *d = data;
348 if (d->version < NFS_MOUNT_VERSION)
352 context = d->context;
359 /* Standard string-based options. */
360 char *p, *options = data;
362 while ((p = strsep(&options, ",")) != NULL) {
364 substring_t args[MAX_OPT_ARGS];
369 token = match_token(p, tokens, args);
375 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
378 context = match_strdup(&args[0]);
389 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
391 printk(KERN_WARNING "SELinux: "
392 "fscontext option is invalid for"
393 " this filesystem type\n");
396 if (seen & (Opt_context|Opt_fscontext)) {
398 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
401 context = match_strdup(&args[0]);
408 seen |= Opt_fscontext;
412 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
414 printk(KERN_WARNING "SELinux: "
415 "defcontext option is invalid "
416 "for this filesystem type\n");
419 if (seen & (Opt_context|Opt_defcontext)) {
421 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
424 defcontext = match_strdup(&args[0]);
431 seen |= Opt_defcontext;
436 printk(KERN_WARNING "SELinux: unknown mount "
448 rc = security_context_to_sid(context, strlen(context), &sid);
450 printk(KERN_WARNING "SELinux: security_context_to_sid"
451 "(%s) failed for (dev %s, type %s) errno=%d\n",
452 context, sb->s_id, name, rc);
456 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457 FILESYSTEM__RELABELFROM, NULL, NULL);
461 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462 FILESYSTEM__RELABELTO, NULL, NULL);
468 if (seen & Opt_context)
469 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
473 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
475 printk(KERN_WARNING "SELinux: security_context_to_sid"
476 "(%s) failed for (dev %s, type %s) errno=%d\n",
477 defcontext, sb->s_id, name, rc);
481 if (sid == sbsec->def_sid)
484 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
485 FILESYSTEM__RELABELFROM, NULL, NULL);
489 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__ASSOCIATE, NULL, NULL);
494 sbsec->def_sid = sid;
506 static int superblock_doinit(struct super_block *sb, void *data)
508 struct superblock_security_struct *sbsec = sb->s_security;
509 struct dentry *root = sb->s_root;
510 struct inode *inode = root->d_inode;
514 if (sbsec->initialized)
517 if (!ss_initialized) {
518 /* Defer initialization until selinux_complete_init,
519 after the initial policy is loaded and the security
520 server is ready to handle calls. */
521 spin_lock(&sb_security_lock);
522 if (list_empty(&sbsec->list))
523 list_add(&sbsec->list, &superblock_security_head);
524 spin_unlock(&sb_security_lock);
528 /* Determine the labeling behavior to use for this filesystem type. */
529 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
531 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
532 __FUNCTION__, sb->s_type->name, rc);
536 rc = try_context_mount(sb, data);
540 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
541 /* Make sure that the xattr handler exists and that no
542 error other than -ENODATA is returned by getxattr on
543 the root directory. -ENODATA is ok, as this may be
544 the first boot of the SELinux kernel before we have
545 assigned xattr values to the filesystem. */
546 if (!inode->i_op->getxattr) {
547 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
548 "xattr support\n", sb->s_id, sb->s_type->name);
552 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
553 if (rc < 0 && rc != -ENODATA) {
554 if (rc == -EOPNOTSUPP)
555 printk(KERN_WARNING "SELinux: (dev %s, type "
556 "%s) has no security xattr handler\n",
557 sb->s_id, sb->s_type->name);
559 printk(KERN_WARNING "SELinux: (dev %s, type "
560 "%s) getxattr errno %d\n", sb->s_id,
561 sb->s_type->name, -rc);
566 if (strcmp(sb->s_type->name, "proc") == 0)
569 sbsec->initialized = 1;
571 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
572 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
573 sb->s_id, sb->s_type->name);
576 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
577 sb->s_id, sb->s_type->name,
578 labeling_behaviors[sbsec->behavior-1]);
581 /* Initialize the root inode. */
582 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
584 /* Initialize any other inodes associated with the superblock, e.g.
585 inodes created prior to initial policy load or inodes created
586 during get_sb by a pseudo filesystem that directly
588 spin_lock(&sbsec->isec_lock);
590 if (!list_empty(&sbsec->isec_head)) {
591 struct inode_security_struct *isec =
592 list_entry(sbsec->isec_head.next,
593 struct inode_security_struct, list);
594 struct inode *inode = isec->inode;
595 spin_unlock(&sbsec->isec_lock);
596 inode = igrab(inode);
601 spin_lock(&sbsec->isec_lock);
602 list_del_init(&isec->list);
605 spin_unlock(&sbsec->isec_lock);
611 static inline u16 inode_mode_to_security_class(umode_t mode)
613 switch (mode & S_IFMT) {
615 return SECCLASS_SOCK_FILE;
617 return SECCLASS_LNK_FILE;
619 return SECCLASS_FILE;
621 return SECCLASS_BLK_FILE;
625 return SECCLASS_CHR_FILE;
627 return SECCLASS_FIFO_FILE;
631 return SECCLASS_FILE;
634 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
640 return SECCLASS_UNIX_STREAM_SOCKET;
642 return SECCLASS_UNIX_DGRAM_SOCKET;
648 return SECCLASS_TCP_SOCKET;
650 return SECCLASS_UDP_SOCKET;
652 return SECCLASS_RAWIP_SOCKET;
657 return SECCLASS_NETLINK_ROUTE_SOCKET;
658 case NETLINK_FIREWALL:
659 return SECCLASS_NETLINK_FIREWALL_SOCKET;
660 case NETLINK_TCPDIAG:
661 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
663 return SECCLASS_NETLINK_NFLOG_SOCKET;
665 return SECCLASS_NETLINK_XFRM_SOCKET;
666 case NETLINK_SELINUX:
667 return SECCLASS_NETLINK_SELINUX_SOCKET;
669 return SECCLASS_NETLINK_AUDIT_SOCKET;
671 return SECCLASS_NETLINK_IP6FW_SOCKET;
672 case NETLINK_DNRTMSG:
673 return SECCLASS_NETLINK_DNRT_SOCKET;
675 return SECCLASS_NETLINK_SOCKET;
678 return SECCLASS_PACKET_SOCKET;
680 return SECCLASS_KEY_SOCKET;
683 return SECCLASS_SOCKET;
686 #ifdef CONFIG_PROC_FS
687 static int selinux_proc_get_sid(struct proc_dir_entry *de,
692 char *buffer, *path, *end;
694 buffer = (char*)__get_free_page(GFP_KERNEL);
704 while (de && de != de->parent) {
705 buflen -= de->namelen + 1;
709 memcpy(end, de->name, de->namelen);
714 rc = security_genfs_sid("proc", path, tclass, sid);
715 free_page((unsigned long)buffer);
719 static int selinux_proc_get_sid(struct proc_dir_entry *de,
727 /* The inode's security attributes must be initialized before first use. */
728 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
730 struct superblock_security_struct *sbsec = NULL;
731 struct inode_security_struct *isec = inode->i_security;
733 struct dentry *dentry;
734 #define INITCONTEXTLEN 255
735 char *context = NULL;
740 if (isec->initialized)
745 if (isec->initialized)
748 sbsec = inode->i_sb->s_security;
749 if (!sbsec->initialized) {
750 /* Defer initialization until selinux_complete_init,
751 after the initial policy is loaded and the security
752 server is ready to handle calls. */
753 spin_lock(&sbsec->isec_lock);
754 if (list_empty(&isec->list))
755 list_add(&isec->list, &sbsec->isec_head);
756 spin_unlock(&sbsec->isec_lock);
760 switch (sbsec->behavior) {
761 case SECURITY_FS_USE_XATTR:
762 if (!inode->i_op->getxattr) {
763 isec->sid = sbsec->def_sid;
767 /* Need a dentry, since the xattr API requires one.
768 Life would be simpler if we could just pass the inode. */
770 /* Called from d_instantiate or d_splice_alias. */
771 dentry = dget(opt_dentry);
773 /* Called from selinux_complete_init, try to find a dentry. */
774 dentry = d_find_alias(inode);
777 printk(KERN_WARNING "%s: no dentry for dev=%s "
778 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
783 len = INITCONTEXTLEN;
784 context = kmalloc(len, GFP_KERNEL);
790 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
793 /* Need a larger buffer. Query for the right size. */
794 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
802 context = kmalloc(len, GFP_KERNEL);
808 rc = inode->i_op->getxattr(dentry,
814 if (rc != -ENODATA) {
815 printk(KERN_WARNING "%s: getxattr returned "
816 "%d for dev=%s ino=%ld\n", __FUNCTION__,
817 -rc, inode->i_sb->s_id, inode->i_ino);
821 /* Map ENODATA to the default file SID */
822 sid = sbsec->def_sid;
825 rc = security_context_to_sid(context, rc, &sid);
827 printk(KERN_WARNING "%s: context_to_sid(%s) "
828 "returned %d for dev=%s ino=%ld\n",
829 __FUNCTION__, context, -rc,
830 inode->i_sb->s_id, inode->i_ino);
838 case SECURITY_FS_USE_TASK:
839 isec->sid = isec->task_sid;
841 case SECURITY_FS_USE_TRANS:
842 /* Default to the fs SID. */
843 isec->sid = sbsec->sid;
845 /* Try to obtain a transition SID. */
846 isec->sclass = inode_mode_to_security_class(inode->i_mode);
847 rc = security_transition_sid(isec->task_sid,
856 /* Default to the fs SID. */
857 isec->sid = sbsec->sid;
860 struct proc_inode *proci = PROC_I(inode);
862 isec->sclass = inode_mode_to_security_class(inode->i_mode);
863 rc = selinux_proc_get_sid(proci->pde,
874 isec->initialized = 1;
878 struct socket *sock = SOCKET_I(inode);
880 isec->sclass = socket_type_to_security_class(sock->sk->sk_family,
882 sock->sk->sk_protocol);
884 isec->sclass = SECCLASS_SOCKET;
887 isec->sclass = inode_mode_to_security_class(inode->i_mode);
895 /* Convert a Linux signal to an access vector. */
896 static inline u32 signal_to_av(int sig)
902 /* Commonly granted from child to parent. */
903 perm = PROCESS__SIGCHLD;
906 /* Cannot be caught or ignored */
907 perm = PROCESS__SIGKILL;
910 /* Cannot be caught or ignored */
911 perm = PROCESS__SIGSTOP;
914 /* All other signals. */
915 perm = PROCESS__SIGNAL;
922 /* Check permission betweeen a pair of tasks, e.g. signal checks,
923 fork check, ptrace check, etc. */
924 int task_has_perm(struct task_struct *tsk1,
925 struct task_struct *tsk2,
928 struct task_security_struct *tsec1, *tsec2;
930 tsec1 = tsk1->security;
931 tsec2 = tsk2->security;
932 return avc_has_perm(tsec1->sid, tsec2->sid,
933 SECCLASS_PROCESS, perms, &tsec2->avcr, NULL);
936 /* Check whether a task is allowed to use a capability. */
937 int task_has_capability(struct task_struct *tsk,
940 struct task_security_struct *tsec;
941 struct avc_audit_data ad;
943 tsec = tsk->security;
945 AVC_AUDIT_DATA_INIT(&ad,CAP);
949 return avc_has_perm(tsec->sid, tsec->sid,
950 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), NULL, &ad);
953 /* Check whether a task is allowed to use a system operation. */
954 int task_has_system(struct task_struct *tsk,
957 struct task_security_struct *tsec;
959 tsec = tsk->security;
961 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
962 SECCLASS_SYSTEM, perms, NULL, NULL);
965 /* Check whether a task has a particular permission to an inode.
966 The 'aeref' parameter is optional and allows other AVC
967 entry references to be passed (e.g. the one in the struct file).
968 The 'adp' parameter is optional and allows other audit
969 data to be passed (e.g. the dentry). */
970 int inode_has_perm(struct task_struct *tsk,
973 struct avc_entry_ref *aeref,
974 struct avc_audit_data *adp)
976 struct task_security_struct *tsec;
977 struct inode_security_struct *isec;
978 struct avc_audit_data ad;
980 tsec = tsk->security;
981 isec = inode->i_security;
985 AVC_AUDIT_DATA_INIT(&ad, FS);
986 ad.u.fs.inode = inode;
989 return avc_has_perm(tsec->sid, isec->sid, isec->sclass,
990 perms, aeref ? aeref : &isec->avcr, adp);
993 /* Same as inode_has_perm, but pass explicit audit data containing
994 the dentry to help the auditing code to more easily generate the
995 pathname if needed. */
996 static inline int dentry_has_perm(struct task_struct *tsk,
997 struct vfsmount *mnt,
998 struct dentry *dentry,
1001 struct inode *inode = dentry->d_inode;
1002 struct avc_audit_data ad;
1003 AVC_AUDIT_DATA_INIT(&ad,FS);
1005 ad.u.fs.dentry = dentry;
1006 return inode_has_perm(tsk, inode, av, NULL, &ad);
1009 /* Check whether a task can use an open file descriptor to
1010 access an inode in a given way. Check access to the
1011 descriptor itself, and then use dentry_has_perm to
1012 check a particular permission to the file.
1013 Access to the descriptor is implicitly granted if it
1014 has the same SID as the process. If av is zero, then
1015 access to the file is not checked, e.g. for cases
1016 where only the descriptor is affected like seek. */
1017 static inline int file_has_perm(struct task_struct *tsk,
1021 struct task_security_struct *tsec = tsk->security;
1022 struct file_security_struct *fsec = file->f_security;
1023 struct vfsmount *mnt = file->f_vfsmnt;
1024 struct dentry *dentry = file->f_dentry;
1025 struct inode *inode = dentry->d_inode;
1026 struct avc_audit_data ad;
1029 AVC_AUDIT_DATA_INIT(&ad, FS);
1031 ad.u.fs.dentry = dentry;
1033 if (tsec->sid != fsec->sid) {
1034 rc = avc_has_perm(tsec->sid, fsec->sid,
1042 /* av is zero if only checking access to the descriptor. */
1044 return inode_has_perm(tsk, inode, av, &fsec->inode_avcr, &ad);
1049 /* Check whether a task can create a file. */
1050 static int may_create(struct inode *dir,
1051 struct dentry *dentry,
1054 struct task_security_struct *tsec;
1055 struct inode_security_struct *dsec;
1056 struct superblock_security_struct *sbsec;
1058 struct avc_audit_data ad;
1061 tsec = current->security;
1062 dsec = dir->i_security;
1063 sbsec = dir->i_sb->s_security;
1065 AVC_AUDIT_DATA_INIT(&ad, FS);
1066 ad.u.fs.dentry = dentry;
1068 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1069 DIR__ADD_NAME | DIR__SEARCH,
1074 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1075 newsid = tsec->create_sid;
1077 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1083 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, NULL, &ad);
1087 return avc_has_perm(newsid, sbsec->sid,
1088 SECCLASS_FILESYSTEM,
1089 FILESYSTEM__ASSOCIATE, NULL, &ad);
1093 #define MAY_UNLINK 1
1096 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1097 static int may_link(struct inode *dir,
1098 struct dentry *dentry,
1102 struct task_security_struct *tsec;
1103 struct inode_security_struct *dsec, *isec;
1104 struct avc_audit_data ad;
1108 tsec = current->security;
1109 dsec = dir->i_security;
1110 isec = dentry->d_inode->i_security;
1112 AVC_AUDIT_DATA_INIT(&ad, FS);
1113 ad.u.fs.dentry = dentry;
1116 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1117 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1118 av, &dsec->avcr, &ad);
1133 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1137 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
1138 av, &isec->avcr, &ad);
1142 static inline int may_rename(struct inode *old_dir,
1143 struct dentry *old_dentry,
1144 struct inode *new_dir,
1145 struct dentry *new_dentry)
1147 struct task_security_struct *tsec;
1148 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1149 struct avc_audit_data ad;
1151 int old_is_dir, new_is_dir;
1154 tsec = current->security;
1155 old_dsec = old_dir->i_security;
1156 old_isec = old_dentry->d_inode->i_security;
1157 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1158 new_dsec = new_dir->i_security;
1160 AVC_AUDIT_DATA_INIT(&ad, FS);
1162 ad.u.fs.dentry = old_dentry;
1163 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1164 DIR__REMOVE_NAME | DIR__SEARCH,
1165 &old_dsec->avcr, &ad);
1168 rc = avc_has_perm(tsec->sid, old_isec->sid,
1171 &old_isec->avcr, &ad);
1174 if (old_is_dir && new_dir != old_dir) {
1175 rc = avc_has_perm(tsec->sid, old_isec->sid,
1178 &old_isec->avcr, &ad);
1183 ad.u.fs.dentry = new_dentry;
1184 av = DIR__ADD_NAME | DIR__SEARCH;
1185 if (new_dentry->d_inode)
1186 av |= DIR__REMOVE_NAME;
1187 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR,
1188 av,&new_dsec->avcr, &ad);
1191 if (new_dentry->d_inode) {
1192 new_isec = new_dentry->d_inode->i_security;
1193 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1194 rc = avc_has_perm(tsec->sid, new_isec->sid,
1196 (new_is_dir ? DIR__RMDIR : FILE__UNLINK),
1197 &new_isec->avcr, &ad);
1205 /* Check whether a task can perform a filesystem operation. */
1206 int superblock_has_perm(struct task_struct *tsk,
1207 struct super_block *sb,
1209 struct avc_audit_data *ad)
1211 struct task_security_struct *tsec;
1212 struct superblock_security_struct *sbsec;
1214 tsec = tsk->security;
1215 sbsec = sb->s_security;
1216 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1220 /* Convert a Linux mode and permission mask to an access vector. */
1221 static inline u32 file_mask_to_av(int mode, int mask)
1225 if ((mode & S_IFMT) != S_IFDIR) {
1226 if (mask & MAY_EXEC)
1227 av |= FILE__EXECUTE;
1228 if (mask & MAY_READ)
1231 if (mask & MAY_APPEND)
1233 else if (mask & MAY_WRITE)
1237 if (mask & MAY_EXEC)
1239 if (mask & MAY_WRITE)
1241 if (mask & MAY_READ)
1248 /* Convert a Linux file to an access vector. */
1249 static inline u32 file_to_av(struct file *file)
1253 if (file->f_mode & FMODE_READ)
1255 if (file->f_mode & FMODE_WRITE) {
1256 if (file->f_flags & O_APPEND)
1265 /* Set an inode's SID to a specified value. */
1266 int inode_security_set_sid(struct inode *inode, u32 sid)
1268 struct inode_security_struct *isec = inode->i_security;
1271 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1273 isec->initialized = 1;
1278 /* Set the security attributes on a newly created file. */
1279 static int post_create(struct inode *dir,
1280 struct dentry *dentry)
1283 struct task_security_struct *tsec;
1284 struct inode *inode;
1285 struct inode_security_struct *dsec;
1286 struct superblock_security_struct *sbsec;
1292 tsec = current->security;
1293 dsec = dir->i_security;
1294 sbsec = dir->i_sb->s_security;
1296 inode = dentry->d_inode;
1298 /* Some file system types (e.g. NFS) may not instantiate
1299 a dentry for all create operations (e.g. symlink),
1300 so we have to check to see if the inode is non-NULL. */
1301 printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
1302 "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1306 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1307 newsid = tsec->create_sid;
1309 rc = security_transition_sid(tsec->sid, dsec->sid,
1310 inode_mode_to_security_class(inode->i_mode),
1313 printk(KERN_WARNING "post_create: "
1314 "security_transition_sid failed, rc=%d (dev=%s "
1316 -rc, inode->i_sb->s_id, inode->i_ino);
1321 rc = inode_security_set_sid(inode, newsid);
1323 printk(KERN_WARNING "post_create: inode_security_set_sid "
1324 "failed, rc=%d (dev=%s ino=%ld)\n",
1325 -rc, inode->i_sb->s_id, inode->i_ino);
1329 if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1330 inode->i_op->setxattr) {
1331 /* Use extended attributes. */
1332 rc = security_sid_to_context(newsid, &context, &len);
1334 printk(KERN_WARNING "post_create: sid_to_context "
1335 "failed, rc=%d (dev=%s ino=%ld)\n",
1336 -rc, inode->i_sb->s_id, inode->i_ino);
1339 down(&inode->i_sem);
1340 rc = inode->i_op->setxattr(dentry,
1346 printk(KERN_WARNING "post_create: setxattr failed, "
1347 "rc=%d (dev=%s ino=%ld)\n",
1348 -rc, inode->i_sb->s_id, inode->i_ino);
1357 /* Hook functions begin here. */
1359 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1361 struct task_security_struct *psec = parent->security;
1362 struct task_security_struct *csec = child->security;
1365 rc = secondary_ops->ptrace(parent,child);
1369 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1370 /* Save the SID of the tracing process for later use in apply_creds. */
1372 csec->ptrace_sid = psec->sid;
1376 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1377 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1381 error = task_has_perm(current, target, PROCESS__GETCAP);
1385 return secondary_ops->capget(target, effective, inheritable, permitted);
1388 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1389 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1393 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1397 return task_has_perm(current, target, PROCESS__SETCAP);
1400 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1401 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1405 error = task_has_perm(current, target, PROCESS__SETCAP);
1409 secondary_ops->capset_set(target, effective, inheritable, permitted);
1412 static int selinux_capable(struct task_struct *tsk, int cap)
1416 rc = secondary_ops->capable(tsk, cap);
1420 return task_has_capability(tsk,cap);
1423 static int selinux_sysctl(ctl_table *table, int op)
1427 struct task_security_struct *tsec;
1431 rc = secondary_ops->sysctl(table, op);
1435 tsec = current->security;
1437 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1438 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1440 /* Default to the well-defined sysctl SID. */
1441 tsid = SECINITSID_SYSCTL;
1444 /* The op values are "defined" in sysctl.c, thereby creating
1445 * a bad coupling between this module and sysctl.c */
1447 error = avc_has_perm(tsec->sid, tsid,
1448 SECCLASS_DIR, DIR__SEARCH, NULL, NULL);
1456 error = avc_has_perm(tsec->sid, tsid,
1457 SECCLASS_FILE, av, NULL, NULL);
1463 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1476 rc = superblock_has_perm(current,
1478 FILESYSTEM__QUOTAMOD, NULL);
1483 rc = superblock_has_perm(current,
1485 FILESYSTEM__QUOTAGET, NULL);
1488 rc = 0; /* let the kernel handle invalid cmds */
1494 static int selinux_quota_on(struct file *f)
1496 return file_has_perm(current, f, FILE__QUOTAON);
1499 static int selinux_syslog(int type)
1503 rc = secondary_ops->syslog(type);
1508 case 3: /* Read last kernel messages */
1509 case 10: /* Return size of the log buffer */
1510 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1512 case 6: /* Disable logging to console */
1513 case 7: /* Enable logging to console */
1514 case 8: /* Set level of messages printed to console */
1515 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1517 case 0: /* Close log */
1518 case 1: /* Open log */
1519 case 2: /* Read from log */
1520 case 4: /* Read/clear last kernel messages */
1521 case 5: /* Clear ring buffer */
1523 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1530 * Check that a process has enough memory to allocate a new virtual
1531 * mapping. 0 means there is enough memory for the allocation to
1532 * succeed and -ENOMEM implies there is not.
1534 * We currently support three overcommit policies, which are set via the
1535 * vm.overcommit_memory sysctl. See Documentation/vm/overcommit-accounting
1537 * Strict overcommit modes added 2002 Feb 26 by Alan Cox.
1538 * Additional code 2002 Jul 20 by Robert Love.
1540 static int selinux_vm_enough_memory(long pages)
1542 unsigned long free, allowed;
1544 struct task_security_struct *tsec = current->security;
1546 vm_acct_memory(pages);
1549 * Sometimes we want to use more memory than we have
1551 if (sysctl_overcommit_memory == 1)
1554 if (sysctl_overcommit_memory == 0) {
1555 free = get_page_cache_size();
1556 free += nr_free_pages();
1557 free += nr_swap_pages;
1560 * Any slabs which are created with the
1561 * SLAB_RECLAIM_ACCOUNT flag claim to have contents
1562 * which are reclaimable, under pressure. The dentry
1563 * cache and most inode caches should fall into this
1565 free += atomic_read(&slab_reclaim_pages);
1568 * Leave the last 3% for privileged processes.
1569 * Don't audit the check, as it is applied to all processes
1570 * that allocate mappings.
1572 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1574 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1575 SECCLASS_CAPABILITY,
1576 CAP_TO_MASK(CAP_SYS_ADMIN),
1584 vm_unacct_memory(pages);
1588 allowed = (totalram_pages - hugetlb_total_pages())
1589 * sysctl_overcommit_ratio / 100;
1590 allowed += total_swap_pages;
1592 if (atomic_read(&vm_committed_space) < allowed)
1595 vm_unacct_memory(pages);
1600 /* binprm security operations */
1602 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1604 struct bprm_security_struct *bsec;
1606 bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1610 memset(bsec, 0, sizeof *bsec);
1611 bsec->magic = SELINUX_MAGIC;
1613 bsec->sid = SECINITSID_UNLABELED;
1616 bprm->security = bsec;
1620 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1622 struct task_security_struct *tsec;
1623 struct inode *inode = bprm->file->f_dentry->d_inode;
1624 struct inode_security_struct *isec;
1625 struct bprm_security_struct *bsec;
1627 struct avc_audit_data ad;
1630 rc = secondary_ops->bprm_set_security(bprm);
1634 bsec = bprm->security;
1639 tsec = current->security;
1640 isec = inode->i_security;
1642 /* Default to the current task SID. */
1643 bsec->sid = tsec->sid;
1645 /* Reset create SID on execve. */
1646 tsec->create_sid = 0;
1648 if (tsec->exec_sid) {
1649 newsid = tsec->exec_sid;
1650 /* Reset exec SID on execve. */
1653 /* Check for a default transition on this program. */
1654 rc = security_transition_sid(tsec->sid, isec->sid,
1655 SECCLASS_PROCESS, &newsid);
1660 AVC_AUDIT_DATA_INIT(&ad, FS);
1661 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1662 ad.u.fs.dentry = bprm->file->f_dentry;
1664 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1667 if (tsec->sid == newsid) {
1668 rc = avc_has_perm(tsec->sid, isec->sid,
1669 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS,
1674 /* Check permissions for the transition. */
1675 rc = avc_has_perm(tsec->sid, newsid,
1676 SECCLASS_PROCESS, PROCESS__TRANSITION,
1682 rc = avc_has_perm(newsid, isec->sid,
1683 SECCLASS_FILE, FILE__ENTRYPOINT,
1688 /* Clear any possibly unsafe personality bits on exec: */
1689 current->personality &= ~PER_CLEAR_ON_SETID;
1691 /* Set the security field to the new SID. */
1699 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1701 return secondary_ops->bprm_check_security(bprm);
1705 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1707 struct task_security_struct *tsec = current->security;
1710 if (tsec->osid != tsec->sid) {
1711 /* Enable secure mode for SIDs transitions unless
1712 the noatsecure permission is granted between
1713 the two SIDs, i.e. ahp returns 0. */
1714 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1716 PROCESS__NOATSECURE, NULL, NULL);
1719 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1722 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1724 struct bprm_security_struct *bsec = bprm->security;
1725 bprm->security = NULL;
1729 /* Create an open file that refers to the null device.
1730 Derived from the OpenWall LSM. */
1731 struct file *open_devnull(void)
1733 struct inode *inode;
1734 struct dentry *dentry;
1735 struct file *file = NULL;
1736 struct inode_security_struct *isec;
1739 inode = new_inode(current->fs->rootmnt->mnt_sb);
1743 dentry = dget(d_alloc_root(inode));
1747 file = get_empty_filp();
1751 dev = MKDEV(MEM_MAJOR, 3); /* null device */
1753 inode->i_uid = current->fsuid;
1754 inode->i_gid = current->fsgid;
1755 inode->i_blksize = PAGE_SIZE;
1756 inode->i_blocks = 0;
1757 inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME;
1758 inode->i_state = I_DIRTY; /* so that mark_inode_dirty won't touch us */
1760 isec = inode->i_security;
1761 isec->sid = SECINITSID_DEVNULL;
1762 isec->sclass = SECCLASS_CHR_FILE;
1763 isec->initialized = 1;
1765 file->f_flags = O_RDWR;
1766 file->f_mode = FMODE_READ | FMODE_WRITE;
1767 file->f_dentry = dentry;
1768 file->f_vfsmnt = mntget(current->fs->rootmnt);
1771 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, dev);
1772 if (inode->i_fop->open(inode, file))
1778 mntput(file->f_vfsmnt);
1788 /* Derived from fs/exec.c:flush_old_files. */
1789 static inline void flush_unauthorized_files(struct files_struct * files)
1791 struct avc_audit_data ad;
1792 struct file *file, *devnull = NULL;
1795 AVC_AUDIT_DATA_INIT(&ad,FS);
1797 spin_lock(&files->file_lock);
1799 unsigned long set, i;
1804 if (i >= files->max_fds || i >= files->max_fdset)
1806 set = files->open_fds->fds_bits[j];
1809 spin_unlock(&files->file_lock);
1810 for ( ; set ; i++,set >>= 1) {
1815 if (file_has_perm(current,
1817 file_to_av(file))) {
1819 fd = get_unused_fd();
1827 atomic_inc(&devnull->f_count);
1829 devnull = open_devnull();
1836 fd_install(fd, devnull);
1841 spin_lock(&files->file_lock);
1844 spin_unlock(&files->file_lock);
1847 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1849 struct task_security_struct *tsec;
1850 struct bprm_security_struct *bsec;
1852 struct av_decision avd;
1853 struct itimerval itimer;
1854 struct rlimit *rlim, *initrlim;
1857 secondary_ops->bprm_apply_creds(bprm, unsafe);
1859 tsec = current->security;
1861 bsec = bprm->security;
1864 tsec->osid = tsec->sid;
1865 if (tsec->sid != sid) {
1866 /* Check for shared state. If not ok, leave SID
1867 unchanged and kill. */
1868 if (unsafe & LSM_UNSAFE_SHARE) {
1869 rc = avc_has_perm_noaudit(tsec->sid, sid,
1870 SECCLASS_PROCESS, PROCESS__SHARE,
1873 task_unlock(current);
1874 avc_audit(tsec->sid, sid, SECCLASS_PROCESS,
1875 PROCESS__SHARE, &avd, rc, NULL);
1876 force_sig_specific(SIGKILL, current);
1881 /* Check for ptracing, and update the task SID if ok.
1882 Otherwise, leave SID unchanged and kill. */
1883 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1884 rc = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
1885 SECCLASS_PROCESS, PROCESS__PTRACE,
1889 task_unlock(current);
1890 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
1891 PROCESS__PTRACE, &avd, rc, NULL);
1893 force_sig_specific(SIGKILL, current);
1898 task_unlock(current);
1901 /* Close files for which the new task SID is not authorized. */
1902 flush_unauthorized_files(current->files);
1904 /* Check whether the new SID can inherit signal state
1905 from the old SID. If not, clear itimers to avoid
1906 subsequent signal generation and flush and unblock
1907 signals. This must occur _after_ the task SID has
1908 been updated so that any kill done after the flush
1909 will be checked against the new SID. */
1910 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1911 PROCESS__SIGINH, NULL, NULL);
1913 memset(&itimer, 0, sizeof itimer);
1914 for (i = 0; i < 3; i++)
1915 do_setitimer(i, &itimer, NULL);
1916 flush_signals(current);
1917 spin_lock_irq(¤t->sighand->siglock);
1918 flush_signal_handlers(current, 1);
1919 sigemptyset(¤t->blocked);
1920 recalc_sigpending();
1921 spin_unlock_irq(¤t->sighand->siglock);
1924 /* Check whether the new SID can inherit resource limits
1925 from the old SID. If not, reset all soft limits to
1926 the lower of the current task's hard limit and the init
1927 task's soft limit. Note that the setting of hard limits
1928 (even to lower them) can be controlled by the setrlimit
1929 check. The inclusion of the init task's soft limit into
1930 the computation is to avoid resetting soft limits higher
1931 than the default soft limit for cases where the default
1932 is lower than the hard limit, e.g. RLIMIT_CORE or
1934 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1935 PROCESS__RLIMITINH, NULL, NULL);
1937 for (i = 0; i < RLIM_NLIMITS; i++) {
1938 rlim = current->rlim + i;
1939 initrlim = init_task.rlim+i;
1940 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1944 /* Wake up the parent if it is waiting so that it can
1945 recheck wait permission to the new task SID. */
1946 wake_up_interruptible(¤t->parent->wait_chldexit);
1954 /* superblock security operations */
1956 static int selinux_sb_alloc_security(struct super_block *sb)
1958 return superblock_alloc_security(sb);
1961 static void selinux_sb_free_security(struct super_block *sb)
1963 superblock_free_security(sb);
1966 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1971 return !memcmp(prefix, option, plen);
1974 static inline int selinux_option(char *option, int len)
1976 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1977 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1978 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1981 static inline void take_option(char **to, char *from, int *first, int len)
1989 memcpy(*to, from, len);
1993 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1995 int fnosec, fsec, rc = 0;
1996 char *in_save, *in_curr, *in_end;
1997 char *sec_curr, *nosec_save, *nosec;
2002 /* Binary mount data: just copy */
2003 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
2004 copy_page(sec_curr, in_curr);
2008 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2016 in_save = in_end = orig;
2019 if (*in_end == ',' || *in_end == '\0') {
2020 int len = in_end - in_curr;
2022 if (selinux_option(in_curr, len))
2023 take_option(&sec_curr, in_curr, &fsec, len);
2025 take_option(&nosec, in_curr, &fnosec, len);
2027 in_curr = in_end + 1;
2029 } while (*in_end++);
2031 copy_page(in_save, nosec_save);
2036 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2038 struct avc_audit_data ad;
2041 rc = superblock_doinit(sb, data);
2045 AVC_AUDIT_DATA_INIT(&ad,FS);
2046 ad.u.fs.dentry = sb->s_root;
2047 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2050 static int selinux_sb_statfs(struct super_block *sb)
2052 struct avc_audit_data ad;
2054 AVC_AUDIT_DATA_INIT(&ad,FS);
2055 ad.u.fs.dentry = sb->s_root;
2056 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
2059 static int selinux_mount(char * dev_name,
2060 struct nameidata *nd,
2062 unsigned long flags,
2067 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2071 if (flags & MS_REMOUNT)
2072 return superblock_has_perm(current, nd->mnt->mnt_sb,
2073 FILESYSTEM__REMOUNT, NULL);
2075 return dentry_has_perm(current, nd->mnt, nd->dentry,
2079 static int selinux_umount(struct vfsmount *mnt, int flags)
2083 rc = secondary_ops->sb_umount(mnt, flags);
2087 return superblock_has_perm(current,mnt->mnt_sb,
2088 FILESYSTEM__UNMOUNT,NULL);
2091 /* inode security operations */
2093 static int selinux_inode_alloc_security(struct inode *inode)
2095 return inode_alloc_security(inode);
2098 static void selinux_inode_free_security(struct inode *inode)
2100 inode_free_security(inode);
2103 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2105 return may_create(dir, dentry, SECCLASS_FILE);
2108 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
2110 post_create(dir, dentry);
2113 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2117 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2120 return may_link(dir, old_dentry, MAY_LINK);
2123 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
2128 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2132 rc = secondary_ops->inode_unlink(dir, dentry);
2135 return may_link(dir, dentry, MAY_UNLINK);
2138 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2140 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2143 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2145 post_create(dir, dentry);
2148 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2150 return may_create(dir, dentry, SECCLASS_DIR);
2153 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2155 post_create(dir, dentry);
2158 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2160 return may_link(dir, dentry, MAY_RMDIR);
2163 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2167 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2171 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2174 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2176 post_create(dir, dentry);
2179 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2180 struct inode *new_inode, struct dentry *new_dentry)
2182 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2185 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
2186 struct inode *new_inode, struct dentry *new_dentry)
2191 static int selinux_inode_readlink(struct dentry *dentry)
2193 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2196 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2200 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2203 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2206 static int selinux_inode_permission(struct inode *inode, int mask,
2207 struct nameidata *nd)
2211 rc = secondary_ops->inode_permission(inode, mask, nd);
2216 /* No permission to check. Existence test. */
2220 return inode_has_perm(current, inode,
2221 file_mask_to_av(inode->i_mode, mask), NULL, NULL);
2224 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2228 rc = secondary_ops->inode_setattr(dentry, iattr);
2232 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2233 ATTR_ATIME_SET | ATTR_MTIME_SET))
2234 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2236 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2239 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2241 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2244 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2246 struct task_security_struct *tsec = current->security;
2247 struct inode *inode = dentry->d_inode;
2248 struct inode_security_struct *isec = inode->i_security;
2249 struct superblock_security_struct *sbsec;
2250 struct avc_audit_data ad;
2254 if (strcmp(name, XATTR_NAME_SELINUX)) {
2255 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2256 sizeof XATTR_SECURITY_PREFIX - 1) &&
2257 !capable(CAP_SYS_ADMIN)) {
2258 /* A different attribute in the security namespace.
2259 Restrict to administrator. */
2263 /* Not an attribute we recognize, so just check the
2264 ordinary setattr permission. */
2265 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2268 sbsec = inode->i_sb->s_security;
2269 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2272 AVC_AUDIT_DATA_INIT(&ad,FS);
2273 ad.u.fs.dentry = dentry;
2275 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2281 rc = security_context_to_sid(value, size, &newsid);
2285 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2286 FILE__RELABELTO, NULL, &ad);
2290 return avc_has_perm(newsid,
2292 SECCLASS_FILESYSTEM,
2293 FILESYSTEM__ASSOCIATE,
2298 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2299 void *value, size_t size, int flags)
2301 struct inode *inode = dentry->d_inode;
2302 struct inode_security_struct *isec = inode->i_security;
2306 if (strcmp(name, XATTR_NAME_SELINUX)) {
2307 /* Not an attribute we recognize, so nothing to do. */
2311 rc = security_context_to_sid(value, size, &newsid);
2313 printk(KERN_WARNING "%s: unable to obtain SID for context "
2314 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2322 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2324 struct inode *inode = dentry->d_inode;
2325 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2327 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2330 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2333 static int selinux_inode_listxattr (struct dentry *dentry)
2335 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2338 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2340 if (strcmp(name, XATTR_NAME_SELINUX)) {
2341 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2342 sizeof XATTR_SECURITY_PREFIX - 1) &&
2343 !capable(CAP_SYS_ADMIN)) {
2344 /* A different attribute in the security namespace.
2345 Restrict to administrator. */
2349 /* Not an attribute we recognize, so just check the
2350 ordinary setattr permission. Might want a separate
2351 permission for removexattr. */
2352 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2355 /* No one is allowed to remove a SELinux security label.
2356 You can change the label, but all data must be labeled. */
2360 static int selinux_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
2362 struct inode *inode = dentry->d_inode;
2363 struct inode_security_struct *isec = inode->i_security;
2368 /* Permission check handled by selinux_inode_getxattr hook.*/
2370 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2373 rc = security_sid_to_context(isec->sid, &context, &len);
2377 if (!buffer || !size) {
2385 memcpy(buffer, context, len);
2390 static int selinux_inode_setsecurity(struct dentry *dentry, const char *name,
2391 const void *value, size_t size, int flags)
2393 struct inode *inode = dentry->d_inode;
2394 struct inode_security_struct *isec = inode->i_security;
2398 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2401 if (!value || !size)
2404 rc = security_context_to_sid((void*)value, size, &newsid);
2412 static int selinux_inode_listsecurity(struct dentry *dentry, char *buffer)
2414 const int len = sizeof(XATTR_NAME_SELINUX);
2416 memcpy(buffer, XATTR_NAME_SELINUX, len);
2420 /* file security operations */
2422 static int selinux_file_permission(struct file *file, int mask)
2424 struct inode *inode = file->f_dentry->d_inode;
2427 /* No permission to check. Existence test. */
2431 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2432 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2435 return file_has_perm(current, file,
2436 file_mask_to_av(inode->i_mode, mask));
2439 static int selinux_file_alloc_security(struct file *file)
2441 return file_alloc_security(file);
2444 static void selinux_file_free_security(struct file *file)
2446 file_free_security(file);
2449 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2461 case EXT2_IOC_GETFLAGS:
2463 case EXT2_IOC_GETVERSION:
2464 error = file_has_perm(current, file, FILE__GETATTR);
2467 case EXT2_IOC_SETFLAGS:
2469 case EXT2_IOC_SETVERSION:
2470 error = file_has_perm(current, file, FILE__SETATTR);
2473 /* sys_ioctl() checks */
2477 error = file_has_perm(current, file, 0);
2482 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2485 /* default case assumes that the command will go
2486 * to the file's ioctl() function.
2489 error = file_has_perm(current, file, FILE__IOCTL);
2495 static int selinux_file_mmap(struct file *file, unsigned long prot, unsigned long flags)
2500 rc = secondary_ops->file_mmap(file, prot, flags);
2505 /* read access is always possible with a mapping */
2508 /* write access only matters if the mapping is shared */
2509 if ((flags & MAP_TYPE) == MAP_SHARED && (prot & PROT_WRITE))
2512 if (prot & PROT_EXEC)
2513 av |= FILE__EXECUTE;
2515 return file_has_perm(current, file, av);
2520 static int selinux_file_mprotect(struct vm_area_struct *vma,
2525 rc = secondary_ops->file_mprotect(vma, prot);
2529 return selinux_file_mmap(vma->vm_file, prot, vma->vm_flags);
2532 static int selinux_file_lock(struct file *file, unsigned int cmd)
2534 return file_has_perm(current, file, FILE__LOCK);
2537 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2544 if (!file->f_dentry || !file->f_dentry->d_inode) {
2549 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2550 err = file_has_perm(current, file,FILE__WRITE);
2559 /* Just check FD__USE permission */
2560 err = file_has_perm(current, file, 0);
2565 #if BITS_PER_LONG == 32
2570 if (!file->f_dentry || !file->f_dentry->d_inode) {
2574 err = file_has_perm(current, file, FILE__LOCK);
2581 static int selinux_file_set_fowner(struct file *file)
2583 struct task_security_struct *tsec;
2584 struct file_security_struct *fsec;
2586 tsec = current->security;
2587 fsec = file->f_security;
2588 fsec->fown_sid = tsec->sid;
2593 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2594 struct fown_struct *fown,
2599 struct task_security_struct *tsec;
2600 struct file_security_struct *fsec;
2602 /* struct fown_struct is never outside the context of a struct file */
2603 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2605 tsec = tsk->security;
2606 fsec = file->f_security;
2609 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2611 perm = signal_to_av(fown->signum);
2613 return avc_has_perm(fsec->fown_sid, tsec->sid,
2614 SECCLASS_PROCESS, perm, NULL, NULL);
2617 static int selinux_file_receive(struct file *file)
2619 return file_has_perm(current, file, file_to_av(file));
2622 /* task security operations */
2624 static int selinux_task_create(unsigned long clone_flags)
2628 rc = secondary_ops->task_create(clone_flags);
2632 return task_has_perm(current, current, PROCESS__FORK);
2635 static int selinux_task_alloc_security(struct task_struct *tsk)
2637 struct task_security_struct *tsec1, *tsec2;
2640 tsec1 = current->security;
2642 rc = task_alloc_security(tsk);
2645 tsec2 = tsk->security;
2647 tsec2->osid = tsec1->osid;
2648 tsec2->sid = tsec1->sid;
2650 /* Retain the exec and create SIDs across fork */
2651 tsec2->exec_sid = tsec1->exec_sid;
2652 tsec2->create_sid = tsec1->create_sid;
2657 static void selinux_task_free_security(struct task_struct *tsk)
2659 task_free_security(tsk);
2662 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2664 /* Since setuid only affects the current process, and
2665 since the SELinux controls are not based on the Linux
2666 identity attributes, SELinux does not need to control
2667 this operation. However, SELinux does control the use
2668 of the CAP_SETUID and CAP_SETGID capabilities using the
2673 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2675 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2678 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2680 /* See the comment for setuid above. */
2684 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2686 return task_has_perm(current, p, PROCESS__SETPGID);
2689 static int selinux_task_getpgid(struct task_struct *p)
2691 return task_has_perm(current, p, PROCESS__GETPGID);
2694 static int selinux_task_getsid(struct task_struct *p)
2696 return task_has_perm(current, p, PROCESS__GETSESSION);
2699 static int selinux_task_setgroups(struct group_info *group_info)
2701 /* See the comment for setuid above. */
2705 static int selinux_task_setnice(struct task_struct *p, int nice)
2709 rc = secondary_ops->task_setnice(p, nice);
2713 return task_has_perm(current,p, PROCESS__SETSCHED);
2716 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2718 struct rlimit *old_rlim = current->rlim + resource;
2721 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2725 /* Control the ability to change the hard limit (whether
2726 lowering or raising it), so that the hard limit can
2727 later be used as a safe reset point for the soft limit
2728 upon context transitions. See selinux_bprm_apply_creds. */
2729 if (old_rlim->rlim_max != new_rlim->rlim_max)
2730 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2735 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2737 struct task_security_struct *tsec1, *tsec2;
2739 tsec1 = current->security;
2740 tsec2 = p->security;
2742 /* No auditing from the setscheduler hook, since the runqueue lock
2743 is held and the system will deadlock if we try to log an audit
2745 return avc_has_perm_noaudit(tsec1->sid, tsec2->sid,
2746 SECCLASS_PROCESS, PROCESS__SETSCHED,
2747 &tsec2->avcr, NULL);
2750 static int selinux_task_getscheduler(struct task_struct *p)
2752 return task_has_perm(current, p, PROCESS__GETSCHED);
2755 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2760 rc = secondary_ops->task_kill(p, info, sig);
2764 if (info && ((unsigned long)info == 1 ||
2765 (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2769 perm = PROCESS__SIGNULL; /* null signal; existence test */
2771 perm = signal_to_av(sig);
2773 return task_has_perm(current, p, perm);
2776 static int selinux_task_prctl(int option,
2782 /* The current prctl operations do not appear to require
2783 any SELinux controls since they merely observe or modify
2784 the state of the current process. */
2788 static int selinux_task_wait(struct task_struct *p)
2792 perm = signal_to_av(p->exit_signal);
2794 return task_has_perm(p, current, perm);
2797 static void selinux_task_reparent_to_init(struct task_struct *p)
2799 struct task_security_struct *tsec;
2801 secondary_ops->task_reparent_to_init(p);
2804 tsec->osid = tsec->sid;
2805 tsec->sid = SECINITSID_KERNEL;
2809 static void selinux_task_to_inode(struct task_struct *p,
2810 struct inode *inode)
2812 struct task_security_struct *tsec = p->security;
2813 struct inode_security_struct *isec = inode->i_security;
2815 isec->sid = tsec->sid;
2816 isec->initialized = 1;
2820 #ifdef CONFIG_SECURITY_NETWORK
2822 /* Returns error only if unable to parse addresses */
2823 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2825 int offset, ihlen, ret;
2826 struct iphdr _iph, *ih;
2828 offset = skb->nh.raw - skb->data;
2829 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2833 ihlen = ih->ihl * 4;
2834 if (ihlen < sizeof(_iph))
2837 ad->u.net.v4info.saddr = ih->saddr;
2838 ad->u.net.v4info.daddr = ih->daddr;
2840 switch (ih->protocol) {
2842 struct tcphdr _tcph, *th;
2844 if (ntohs(ih->frag_off) & IP_OFFSET)
2848 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2852 ad->u.net.sport = th->source;
2853 ad->u.net.dport = th->dest;
2858 struct udphdr _udph, *uh;
2860 if (ntohs(ih->frag_off) & IP_OFFSET)
2864 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2868 ad->u.net.sport = uh->source;
2869 ad->u.net.dport = uh->dest;
2880 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2882 /* Returns error only if unable to parse addresses */
2883 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2887 struct ipv6hdr _ipv6h, *ip6;
2889 offset = skb->nh.raw - skb->data;
2890 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2894 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2895 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2897 nexthdr = ip6->nexthdr;
2898 offset += sizeof(_ipv6h);
2899 offset = ipv6_skip_exthdr(skb, offset, &nexthdr,
2900 skb->tail - skb->head - offset);
2906 struct tcphdr _tcph, *th;
2908 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2912 ad->u.net.sport = th->source;
2913 ad->u.net.dport = th->dest;
2918 struct udphdr _udph, *uh;
2920 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2924 ad->u.net.sport = uh->source;
2925 ad->u.net.dport = uh->dest;
2929 /* includes fragments */
2939 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2940 char **addrp, int *len, int src)
2944 switch (ad->u.net.family) {
2946 ret = selinux_parse_skb_ipv4(skb, ad);
2950 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2951 &ad->u.net.v4info.daddr);
2954 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2956 ret = selinux_parse_skb_ipv6(skb, ad);
2960 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2961 &ad->u.net.v6info.daddr);
2971 /* socket security operations */
2972 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2975 struct inode_security_struct *isec;
2976 struct task_security_struct *tsec;
2977 struct avc_audit_data ad;
2980 tsec = task->security;
2981 isec = SOCK_INODE(sock)->i_security;
2983 if (isec->sid == SECINITSID_KERNEL)
2986 AVC_AUDIT_DATA_INIT(&ad,NET);
2987 ad.u.net.sk = sock->sk;
2988 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2989 perms, &isec->avcr, &ad);
2995 static int selinux_socket_create(int family, int type,
2996 int protocol, int kern)
2999 struct task_security_struct *tsec;
3004 tsec = current->security;
3005 err = avc_has_perm(tsec->sid, tsec->sid,
3006 socket_type_to_security_class(family, type,
3007 protocol), SOCKET__CREATE, NULL, NULL);
3013 static void selinux_socket_post_create(struct socket *sock, int family,
3014 int type, int protocol, int kern)
3017 struct inode_security_struct *isec;
3018 struct task_security_struct *tsec;
3020 err = inode_doinit(SOCK_INODE(sock));
3023 isec = SOCK_INODE(sock)->i_security;
3025 tsec = current->security;
3026 isec->sclass = socket_type_to_security_class(family, type, protocol);
3027 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
3032 /* Range of port numbers used to automatically bind.
3033 Need to determine whether we should perform a name_bind
3034 permission check between the socket and the port number. */
3035 #define ip_local_port_range_0 sysctl_local_port_range[0]
3036 #define ip_local_port_range_1 sysctl_local_port_range[1]
3038 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3043 err = socket_has_perm(current, sock, SOCKET__BIND);
3048 * If PF_INET or PF_INET6, check name_bind permission for the port.
3050 family = sock->sk->sk_family;
3051 if (family == PF_INET || family == PF_INET6) {
3053 struct inode_security_struct *isec;
3054 struct task_security_struct *tsec;
3055 struct avc_audit_data ad;
3056 struct sockaddr_in *addr4 = NULL;
3057 struct sockaddr_in6 *addr6 = NULL;
3058 unsigned short snum;
3059 struct sock *sk = sock->sk;
3060 u32 sid, node_perm, addrlen;
3062 tsec = current->security;
3063 isec = SOCK_INODE(sock)->i_security;
3065 if (family == PF_INET) {
3066 addr4 = (struct sockaddr_in *)address;
3067 snum = ntohs(addr4->sin_port);
3068 addrlen = sizeof(addr4->sin_addr.s_addr);
3069 addrp = (char *)&addr4->sin_addr.s_addr;
3071 addr6 = (struct sockaddr_in6 *)address;
3072 snum = ntohs(addr6->sin6_port);
3073 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3074 addrp = (char *)&addr6->sin6_addr.s6_addr;
3077 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3078 snum > ip_local_port_range_1)) {
3079 err = security_port_sid(sk->sk_family, sk->sk_type,
3080 sk->sk_protocol, snum, &sid);
3083 AVC_AUDIT_DATA_INIT(&ad,NET);
3084 ad.u.net.sport = htons(snum);
3085 err = avc_has_perm(isec->sid, sid,
3087 SOCKET__NAME_BIND, NULL, &ad);
3092 switch(sk->sk_protocol) {
3094 node_perm = TCP_SOCKET__NODE_BIND;
3098 node_perm = UDP_SOCKET__NODE_BIND;
3102 node_perm = RAWIP_SOCKET__NODE_BIND;
3106 err = security_node_sid(family, addrp, addrlen, &sid);
3110 AVC_AUDIT_DATA_INIT(&ad,NET);
3111 ad.u.net.sport = htons(snum);
3112 ad.u.net.family = family;
3114 if (family == PF_INET)
3115 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3117 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3119 err = avc_has_perm(isec->sid, sid,
3120 isec->sclass, node_perm, NULL, &ad);
3128 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3130 return socket_has_perm(current, sock, SOCKET__CONNECT);
3133 static int selinux_socket_listen(struct socket *sock, int backlog)
3135 return socket_has_perm(current, sock, SOCKET__LISTEN);
3138 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3141 struct inode_security_struct *isec;
3142 struct inode_security_struct *newisec;
3144 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3148 err = inode_doinit(SOCK_INODE(newsock));
3151 newisec = SOCK_INODE(newsock)->i_security;
3153 isec = SOCK_INODE(sock)->i_security;
3154 newisec->sclass = isec->sclass;
3155 newisec->sid = isec->sid;
3160 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3163 return socket_has_perm(current, sock, SOCKET__WRITE);
3166 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3167 int size, int flags)
3169 return socket_has_perm(current, sock, SOCKET__READ);
3172 static int selinux_socket_getsockname(struct socket *sock)
3174 return socket_has_perm(current, sock, SOCKET__GETATTR);
3177 static int selinux_socket_getpeername(struct socket *sock)
3179 return socket_has_perm(current, sock, SOCKET__GETATTR);
3182 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3184 return socket_has_perm(current, sock, SOCKET__SETOPT);
3187 static int selinux_socket_getsockopt(struct socket *sock, int level,
3190 return socket_has_perm(current, sock, SOCKET__GETOPT);
3193 static int selinux_socket_shutdown(struct socket *sock, int how)
3195 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3198 static int selinux_socket_unix_stream_connect(struct socket *sock,
3199 struct socket *other,
3202 struct sk_security_struct *ssec;
3203 struct inode_security_struct *isec;
3204 struct inode_security_struct *other_isec;
3205 struct avc_audit_data ad;
3208 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3212 isec = SOCK_INODE(sock)->i_security;
3213 other_isec = SOCK_INODE(other)->i_security;
3215 AVC_AUDIT_DATA_INIT(&ad,NET);
3216 ad.u.net.sk = other->sk;
3218 err = avc_has_perm(isec->sid, other_isec->sid,
3220 UNIX_STREAM_SOCKET__CONNECTTO,
3221 &other_isec->avcr, &ad);
3225 /* connecting socket */
3226 ssec = sock->sk->sk_security;
3227 ssec->peer_sid = other_isec->sid;
3229 /* server child socket */
3230 ssec = newsk->sk_security;
3231 ssec->peer_sid = isec->sid;
3236 static int selinux_socket_unix_may_send(struct socket *sock,
3237 struct socket *other)
3239 struct inode_security_struct *isec;
3240 struct inode_security_struct *other_isec;
3241 struct avc_audit_data ad;
3244 isec = SOCK_INODE(sock)->i_security;
3245 other_isec = SOCK_INODE(other)->i_security;
3247 AVC_AUDIT_DATA_INIT(&ad,NET);
3248 ad.u.net.sk = other->sk;
3250 err = avc_has_perm(isec->sid, other_isec->sid,
3253 &other_isec->avcr, &ad);
3260 static int __selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3265 u32 netif_perm, node_perm, node_sid, recv_perm = 0;
3268 struct socket *sock;
3269 struct net_device *dev;
3270 struct sel_netif *netif;
3271 struct netif_security_struct *nsec;
3272 struct avc_audit_data ad;
3274 family = sk->sk_family;
3275 if (family != PF_INET && family != PF_INET6)
3278 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3279 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3282 read_lock_bh(&sk->sk_callback_lock);
3283 sock = sk->sk_socket;
3285 struct inode *inode;
3286 inode = SOCK_INODE(sock);
3288 struct inode_security_struct *isec;
3289 isec = inode->i_security;
3290 sock_sid = isec->sid;
3291 sock_class = isec->sclass;
3294 read_unlock_bh(&sk->sk_callback_lock);
3302 netif = sel_netif_lookup(dev);
3303 if (IS_ERR(netif)) {
3304 err = PTR_ERR(netif);
3308 nsec = &netif->nsec;
3310 switch (sock_class) {
3311 case SECCLASS_UDP_SOCKET:
3312 netif_perm = NETIF__UDP_RECV;
3313 node_perm = NODE__UDP_RECV;
3314 recv_perm = UDP_SOCKET__RECV_MSG;
3317 case SECCLASS_TCP_SOCKET:
3318 netif_perm = NETIF__TCP_RECV;
3319 node_perm = NODE__TCP_RECV;
3320 recv_perm = TCP_SOCKET__RECV_MSG;
3324 netif_perm = NETIF__RAWIP_RECV;
3325 node_perm = NODE__RAWIP_RECV;
3329 AVC_AUDIT_DATA_INIT(&ad, NET);
3330 ad.u.net.netif = dev->name;
3331 ad.u.net.family = family;
3333 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3335 sel_netif_put(netif);
3339 err = avc_has_perm(sock_sid, nsec->if_sid, SECCLASS_NETIF,
3340 netif_perm, &nsec->avcr, &ad);
3341 sel_netif_put(netif);
3345 /* Fixme: this lookup is inefficient */
3346 err = security_node_sid(family, addrp, len, &node_sid);
3350 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, NULL, &ad);
3357 /* Fixme: make this more efficient */
3358 err = security_port_sid(sk->sk_family, sk->sk_type,
3359 sk->sk_protocol, ntohs(ad.u.net.sport),
3364 err = avc_has_perm(sock_sid, port_sid, sock_class,
3365 recv_perm, NULL, &ad);
3371 /* To make sure sk->sk_socket doesn't disappear while we mess
3372 * with this skb, we need to take sk_callback_lock.
3375 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3379 read_lock_bh(&sk->sk_callback_lock);
3380 res = __selinux_socket_sock_rcv_skb(sk, skb);
3381 read_unlock_bh(&sk->sk_callback_lock);
3385 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3386 int __user *optlen, unsigned len)
3391 struct sk_security_struct *ssec;
3392 struct inode_security_struct *isec;
3394 isec = SOCK_INODE(sock)->i_security;
3395 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3400 ssec = sock->sk->sk_security;
3402 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3406 if (scontext_len > len) {
3411 if (copy_to_user(optval, scontext, scontext_len))
3415 if (put_user(scontext_len, optlen))
3423 static int selinux_sk_alloc_security(struct sock *sk, int family, int priority)
3425 return sk_alloc_security(sk, family, priority);
3428 static void selinux_sk_free_security(struct sock *sk)
3430 sk_free_security(sk);
3433 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3437 struct nlmsghdr *nlh;
3438 struct socket *sock = sk->sk_socket;
3439 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3441 if (skb->len < NLMSG_SPACE(0)) {
3445 nlh = (struct nlmsghdr *)skb->data;
3447 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3455 err = socket_has_perm(current, sock, perm);
3460 #ifdef CONFIG_NETFILTER
3462 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3463 struct sk_buff **pskb,
3464 const struct net_device *in,
3465 const struct net_device *out,
3466 int (*okfn)(struct sk_buff *),
3470 int len, err = NF_ACCEPT;
3471 u32 netif_perm, node_perm, node_sid, send_perm = 0;
3473 struct socket *sock;
3474 struct inode *inode;
3475 struct sel_netif *netif;
3476 struct sk_buff *skb = *pskb;
3477 struct netif_security_struct *nsec;
3478 struct inode_security_struct *isec;
3479 struct avc_audit_data ad;
3480 struct net_device *dev = (struct net_device *)out;
3486 sock = sk->sk_socket;
3490 inode = SOCK_INODE(sock);
3494 netif = sel_netif_lookup(dev);
3495 if (IS_ERR(netif)) {
3500 nsec = &netif->nsec;
3501 isec = inode->i_security;
3503 switch (isec->sclass) {
3504 case SECCLASS_UDP_SOCKET:
3505 netif_perm = NETIF__UDP_SEND;
3506 node_perm = NODE__UDP_SEND;
3507 send_perm = UDP_SOCKET__SEND_MSG;
3510 case SECCLASS_TCP_SOCKET:
3511 netif_perm = NETIF__TCP_SEND;
3512 node_perm = NODE__TCP_SEND;
3513 send_perm = TCP_SOCKET__SEND_MSG;
3517 netif_perm = NETIF__RAWIP_SEND;
3518 node_perm = NODE__RAWIP_SEND;
3523 AVC_AUDIT_DATA_INIT(&ad, NET);
3524 ad.u.net.netif = dev->name;
3525 ad.u.net.family = family;
3527 err = selinux_parse_skb(skb, &ad, &addrp,
3528 &len, 0) ? NF_DROP : NF_ACCEPT;
3529 if (err != NF_ACCEPT) {
3530 sel_netif_put(netif);
3534 err = avc_has_perm(isec->sid, nsec->if_sid, SECCLASS_NETIF,
3535 netif_perm, &nsec->avcr, &ad) ? NF_DROP : NF_ACCEPT;
3536 sel_netif_put(netif);
3537 if (err != NF_ACCEPT)
3540 /* Fixme: this lookup is inefficient */
3541 err = security_node_sid(family, addrp, len,
3542 &node_sid) ? NF_DROP : NF_ACCEPT;
3543 if (err != NF_ACCEPT)
3546 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3547 node_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
3548 if (err != NF_ACCEPT)
3554 /* Fixme: make this more efficient */
3555 err = security_port_sid(sk->sk_family,
3558 ntohs(ad.u.net.dport),
3559 &port_sid) ? NF_DROP : NF_ACCEPT;
3560 if (err != NF_ACCEPT)
3563 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3564 send_perm, NULL, &ad) ? NF_DROP : NF_ACCEPT;
3571 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3572 struct sk_buff **pskb,
3573 const struct net_device *in,
3574 const struct net_device *out,
3575 int (*okfn)(struct sk_buff *))
3577 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3580 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3582 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3583 struct sk_buff **pskb,
3584 const struct net_device *in,
3585 const struct net_device *out,
3586 int (*okfn)(struct sk_buff *))
3588 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3593 #endif /* CONFIG_NETFILTER */
3597 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3602 #endif /* CONFIG_SECURITY_NETWORK */
3604 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3608 if (capable(CAP_NET_ADMIN))
3609 cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
3611 NETLINK_CB(skb).eff_cap = 0;
3613 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3614 err = selinux_nlmsg_perm(sk, skb);
3619 static int selinux_netlink_recv(struct sk_buff *skb)
3621 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3626 static int ipc_alloc_security(struct task_struct *task,
3627 struct kern_ipc_perm *perm,
3630 struct task_security_struct *tsec = task->security;
3631 struct ipc_security_struct *isec;
3633 isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3637 memset(isec, 0, sizeof(struct ipc_security_struct));
3638 isec->magic = SELINUX_MAGIC;
3639 isec->sclass = sclass;
3640 isec->ipc_perm = perm;
3642 isec->sid = tsec->sid;
3644 isec->sid = SECINITSID_UNLABELED;
3646 perm->security = isec;
3651 static void ipc_free_security(struct kern_ipc_perm *perm)
3653 struct ipc_security_struct *isec = perm->security;
3654 if (!isec || isec->magic != SELINUX_MAGIC)
3657 perm->security = NULL;
3661 static int msg_msg_alloc_security(struct msg_msg *msg)
3663 struct msg_security_struct *msec;
3665 msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3669 memset(msec, 0, sizeof(struct msg_security_struct));
3670 msec->magic = SELINUX_MAGIC;
3672 msec->sid = SECINITSID_UNLABELED;
3673 msg->security = msec;
3678 static void msg_msg_free_security(struct msg_msg *msg)
3680 struct msg_security_struct *msec = msg->security;
3681 if (!msec || msec->magic != SELINUX_MAGIC)
3684 msg->security = NULL;
3688 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3689 u16 sclass, u32 perms)
3691 struct task_security_struct *tsec;
3692 struct ipc_security_struct *isec;
3693 struct avc_audit_data ad;
3695 tsec = current->security;
3696 isec = ipc_perms->security;
3698 AVC_AUDIT_DATA_INIT(&ad, IPC);
3699 ad.u.ipc_id = ipc_perms->key;
3701 return avc_has_perm(tsec->sid, isec->sid, sclass,
3702 perms, &isec->avcr, &ad);
3705 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3707 return msg_msg_alloc_security(msg);
3710 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3712 msg_msg_free_security(msg);
3715 /* message queue security operations */
3716 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3718 struct task_security_struct *tsec;
3719 struct ipc_security_struct *isec;
3720 struct avc_audit_data ad;
3723 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3727 tsec = current->security;
3728 isec = msq->q_perm.security;
3730 AVC_AUDIT_DATA_INIT(&ad, IPC);
3731 ad.u.ipc_id = msq->q_perm.key;
3733 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3734 MSGQ__CREATE, &isec->avcr, &ad);
3736 ipc_free_security(&msq->q_perm);
3742 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3744 ipc_free_security(&msq->q_perm);
3747 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3749 struct task_security_struct *tsec;
3750 struct ipc_security_struct *isec;
3751 struct avc_audit_data ad;
3753 tsec = current->security;
3754 isec = msq->q_perm.security;
3756 AVC_AUDIT_DATA_INIT(&ad, IPC);
3757 ad.u.ipc_id = msq->q_perm.key;
3759 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3760 MSGQ__ASSOCIATE, &isec->avcr, &ad);
3763 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3771 /* No specific object, just general system-wide information. */
3772 return task_has_system(current, SYSTEM__IPC_INFO);
3775 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3778 perms = MSGQ__SETATTR;
3781 perms = MSGQ__DESTROY;
3787 err = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms);
3791 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3793 struct task_security_struct *tsec;
3794 struct ipc_security_struct *isec;
3795 struct msg_security_struct *msec;
3796 struct avc_audit_data ad;
3799 tsec = current->security;
3800 isec = msq->q_perm.security;
3801 msec = msg->security;
3804 * First time through, need to assign label to the message
3806 if (msec->sid == SECINITSID_UNLABELED) {
3808 * Compute new sid based on current process and
3809 * message queue this message will be stored in
3811 rc = security_transition_sid(tsec->sid,
3819 AVC_AUDIT_DATA_INIT(&ad, IPC);
3820 ad.u.ipc_id = msq->q_perm.key;
3822 /* Can this process write to the queue? */
3823 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3824 MSGQ__WRITE, &isec->avcr, &ad);
3826 /* Can this process send the message */
3827 rc = avc_has_perm(tsec->sid, msec->sid,
3828 SECCLASS_MSG, MSG__SEND,
3831 /* Can the message be put in the queue? */
3832 rc = avc_has_perm(msec->sid, isec->sid,
3833 SECCLASS_MSGQ, MSGQ__ENQUEUE,
3839 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3840 struct task_struct *target,
3841 long type, int mode)
3843 struct task_security_struct *tsec;
3844 struct ipc_security_struct *isec;
3845 struct msg_security_struct *msec;
3846 struct avc_audit_data ad;
3849 tsec = target->security;
3850 isec = msq->q_perm.security;
3851 msec = msg->security;
3853 AVC_AUDIT_DATA_INIT(&ad, IPC);
3854 ad.u.ipc_id = msq->q_perm.key;
3856 rc = avc_has_perm(tsec->sid, isec->sid,
3857 SECCLASS_MSGQ, MSGQ__READ,
3860 rc = avc_has_perm(tsec->sid, msec->sid,
3861 SECCLASS_MSG, MSG__RECEIVE,
3866 /* Shared Memory security operations */
3867 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3869 struct task_security_struct *tsec;
3870 struct ipc_security_struct *isec;
3871 struct avc_audit_data ad;
3874 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3878 tsec = current->security;
3879 isec = shp->shm_perm.security;
3881 AVC_AUDIT_DATA_INIT(&ad, IPC);
3882 ad.u.ipc_id = shp->shm_perm.key;
3884 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3885 SHM__CREATE, &isec->avcr, &ad);
3887 ipc_free_security(&shp->shm_perm);
3893 static void selinux_shm_free_security(struct shmid_kernel *shp)
3895 ipc_free_security(&shp->shm_perm);
3898 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3900 struct task_security_struct *tsec;
3901 struct ipc_security_struct *isec;
3902 struct avc_audit_data ad;
3904 tsec = current->security;
3905 isec = shp->shm_perm.security;
3907 AVC_AUDIT_DATA_INIT(&ad, IPC);
3908 ad.u.ipc_id = shp->shm_perm.key;
3910 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3911 SHM__ASSOCIATE, &isec->avcr, &ad);
3914 /* Note, at this point, shp is locked down */
3915 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3923 /* No specific object, just general system-wide information. */
3924 return task_has_system(current, SYSTEM__IPC_INFO);
3927 perms = SHM__GETATTR | SHM__ASSOCIATE;
3930 perms = SHM__SETATTR;
3937 perms = SHM__DESTROY;
3943 err = ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3947 static int selinux_shm_shmat(struct shmid_kernel *shp,
3948 char __user *shmaddr, int shmflg)
3953 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3957 if (shmflg & SHM_RDONLY)
3960 perms = SHM__READ | SHM__WRITE;
3962 return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
3965 /* Semaphore security operations */
3966 static int selinux_sem_alloc_security(struct sem_array *sma)
3968 struct task_security_struct *tsec;
3969 struct ipc_security_struct *isec;
3970 struct avc_audit_data ad;
3973 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3977 tsec = current->security;
3978 isec = sma->sem_perm.security;
3980 AVC_AUDIT_DATA_INIT(&ad, IPC);
3981 ad.u.ipc_id = sma->sem_perm.key;
3983 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3984 SEM__CREATE, &isec->avcr, &ad);
3986 ipc_free_security(&sma->sem_perm);
3992 static void selinux_sem_free_security(struct sem_array *sma)
3994 ipc_free_security(&sma->sem_perm);
3997 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3999 struct task_security_struct *tsec;
4000 struct ipc_security_struct *isec;
4001 struct avc_audit_data ad;
4003 tsec = current->security;
4004 isec = sma->sem_perm.security;
4006 AVC_AUDIT_DATA_INIT(&ad, IPC);
4007 ad.u.ipc_id = sma->sem_perm.key;
4009 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4010 SEM__ASSOCIATE, &isec->avcr, &ad);
4013 /* Note, at this point, sma is locked down */
4014 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4022 /* No specific object, just general system-wide information. */
4023 return task_has_system(current, SYSTEM__IPC_INFO);
4027 perms = SEM__GETATTR;
4038 perms = SEM__DESTROY;
4041 perms = SEM__SETATTR;
4045 perms = SEM__GETATTR | SEM__ASSOCIATE;
4051 err = ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
4055 static int selinux_sem_semop(struct sem_array *sma,
4056 struct sembuf *sops, unsigned nsops, int alter)
4061 perms = SEM__READ | SEM__WRITE;
4065 return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
4068 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4070 struct ipc_security_struct *isec = ipcp->security;
4071 u16 sclass = SECCLASS_IPC;
4074 if (isec && isec->magic == SELINUX_MAGIC)
4075 sclass = isec->sclass;
4079 av |= IPC__UNIX_READ;
4081 av |= IPC__UNIX_WRITE;
4086 return ipc_has_perm(ipcp, sclass, av);
4089 /* module stacking operations */
4090 int selinux_register_security (const char *name, struct security_operations *ops)
4092 if (secondary_ops != original_ops) {
4093 printk(KERN_INFO "%s: There is already a secondary security "
4094 "module registered.\n", __FUNCTION__);
4098 secondary_ops = ops;
4100 printk(KERN_INFO "%s: Registering secondary module %s\n",
4107 int selinux_unregister_security (const char *name, struct security_operations *ops)
4109 if (ops != secondary_ops) {
4110 printk (KERN_INFO "%s: trying to unregister a security module "
4111 "that is not registered.\n", __FUNCTION__);
4115 secondary_ops = original_ops;
4120 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4123 inode_doinit_with_dentry(inode, dentry);
4126 static int selinux_getprocattr(struct task_struct *p,
4127 char *name, void *value, size_t size)
4129 struct task_security_struct *tsec;
4135 error = task_has_perm(current, p, PROCESS__GETATTR);
4145 if (!strcmp(name, "current"))
4147 else if (!strcmp(name, "prev"))
4149 else if (!strcmp(name, "exec"))
4150 sid = tsec->exec_sid;
4151 else if (!strcmp(name, "fscreate"))
4152 sid = tsec->create_sid;
4159 error = security_sid_to_context(sid, &context, &len);
4166 memcpy(value, context, len);
4171 static int selinux_setprocattr(struct task_struct *p,
4172 char *name, void *value, size_t size)
4174 struct task_security_struct *tsec;
4178 if (current != p || !strcmp(name, "current")) {
4179 /* SELinux only allows a process to change its own
4180 security attributes, and it only allows the process
4181 current SID to change via exec. */
4186 * Basic control over ability to set these attributes at all.
4187 * current == p, but we'll pass them separately in case the
4188 * above restriction is ever removed.
4190 if (!strcmp(name, "exec"))
4191 error = task_has_perm(current, p, PROCESS__SETEXEC);
4192 else if (!strcmp(name, "fscreate"))
4193 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4199 /* Obtain a SID for the context, if one was specified. */
4202 error = security_context_to_sid(value, size, &sid);
4207 /* Permission checking based on the specified context is
4208 performed during the actual operation (execve,
4209 open/mkdir/...), when we know the full context of the
4210 operation. See selinux_bprm_set_security for the execve
4211 checks and may_create for the file creation checks. The
4212 operation will then fail if the context is not permitted. */
4214 if (!strcmp(name, "exec"))
4215 tsec->exec_sid = sid;
4216 else if (!strcmp(name, "fscreate"))
4217 tsec->create_sid = sid;
4224 struct security_operations selinux_ops = {
4225 .ptrace = selinux_ptrace,
4226 .capget = selinux_capget,
4227 .capset_check = selinux_capset_check,
4228 .capset_set = selinux_capset_set,
4229 .sysctl = selinux_sysctl,
4230 .capable = selinux_capable,
4231 .quotactl = selinux_quotactl,
4232 .quota_on = selinux_quota_on,
4233 .syslog = selinux_syslog,
4234 .vm_enough_memory = selinux_vm_enough_memory,
4236 .netlink_send = selinux_netlink_send,
4237 .netlink_recv = selinux_netlink_recv,
4239 .bprm_alloc_security = selinux_bprm_alloc_security,
4240 .bprm_free_security = selinux_bprm_free_security,
4241 .bprm_apply_creds = selinux_bprm_apply_creds,
4242 .bprm_set_security = selinux_bprm_set_security,
4243 .bprm_check_security = selinux_bprm_check_security,
4244 .bprm_secureexec = selinux_bprm_secureexec,
4246 .sb_alloc_security = selinux_sb_alloc_security,
4247 .sb_free_security = selinux_sb_free_security,
4248 .sb_copy_data = selinux_sb_copy_data,
4249 .sb_kern_mount = selinux_sb_kern_mount,
4250 .sb_statfs = selinux_sb_statfs,
4251 .sb_mount = selinux_mount,
4252 .sb_umount = selinux_umount,
4254 .inode_alloc_security = selinux_inode_alloc_security,
4255 .inode_free_security = selinux_inode_free_security,
4256 .inode_create = selinux_inode_create,
4257 .inode_post_create = selinux_inode_post_create,
4258 .inode_link = selinux_inode_link,
4259 .inode_post_link = selinux_inode_post_link,
4260 .inode_unlink = selinux_inode_unlink,
4261 .inode_symlink = selinux_inode_symlink,
4262 .inode_post_symlink = selinux_inode_post_symlink,
4263 .inode_mkdir = selinux_inode_mkdir,
4264 .inode_post_mkdir = selinux_inode_post_mkdir,
4265 .inode_rmdir = selinux_inode_rmdir,
4266 .inode_mknod = selinux_inode_mknod,
4267 .inode_post_mknod = selinux_inode_post_mknod,
4268 .inode_rename = selinux_inode_rename,
4269 .inode_post_rename = selinux_inode_post_rename,
4270 .inode_readlink = selinux_inode_readlink,
4271 .inode_follow_link = selinux_inode_follow_link,
4272 .inode_permission = selinux_inode_permission,
4273 .inode_setattr = selinux_inode_setattr,
4274 .inode_getattr = selinux_inode_getattr,
4275 .inode_setxattr = selinux_inode_setxattr,
4276 .inode_post_setxattr = selinux_inode_post_setxattr,
4277 .inode_getxattr = selinux_inode_getxattr,
4278 .inode_listxattr = selinux_inode_listxattr,
4279 .inode_removexattr = selinux_inode_removexattr,
4280 .inode_getsecurity = selinux_inode_getsecurity,
4281 .inode_setsecurity = selinux_inode_setsecurity,
4282 .inode_listsecurity = selinux_inode_listsecurity,
4284 .file_permission = selinux_file_permission,
4285 .file_alloc_security = selinux_file_alloc_security,
4286 .file_free_security = selinux_file_free_security,
4287 .file_ioctl = selinux_file_ioctl,
4288 .file_mmap = selinux_file_mmap,
4289 .file_mprotect = selinux_file_mprotect,
4290 .file_lock = selinux_file_lock,
4291 .file_fcntl = selinux_file_fcntl,
4292 .file_set_fowner = selinux_file_set_fowner,
4293 .file_send_sigiotask = selinux_file_send_sigiotask,
4294 .file_receive = selinux_file_receive,
4296 .task_create = selinux_task_create,
4297 .task_alloc_security = selinux_task_alloc_security,
4298 .task_free_security = selinux_task_free_security,
4299 .task_setuid = selinux_task_setuid,
4300 .task_post_setuid = selinux_task_post_setuid,
4301 .task_setgid = selinux_task_setgid,
4302 .task_setpgid = selinux_task_setpgid,
4303 .task_getpgid = selinux_task_getpgid,
4304 .task_getsid = selinux_task_getsid,
4305 .task_setgroups = selinux_task_setgroups,
4306 .task_setnice = selinux_task_setnice,
4307 .task_setrlimit = selinux_task_setrlimit,
4308 .task_setscheduler = selinux_task_setscheduler,
4309 .task_getscheduler = selinux_task_getscheduler,
4310 .task_kill = selinux_task_kill,
4311 .task_wait = selinux_task_wait,
4312 .task_prctl = selinux_task_prctl,
4313 .task_reparent_to_init = selinux_task_reparent_to_init,
4314 .task_to_inode = selinux_task_to_inode,
4316 .ipc_permission = selinux_ipc_permission,
4318 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4319 .msg_msg_free_security = selinux_msg_msg_free_security,
4321 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4322 .msg_queue_free_security = selinux_msg_queue_free_security,
4323 .msg_queue_associate = selinux_msg_queue_associate,
4324 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4325 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4326 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4328 .shm_alloc_security = selinux_shm_alloc_security,
4329 .shm_free_security = selinux_shm_free_security,
4330 .shm_associate = selinux_shm_associate,
4331 .shm_shmctl = selinux_shm_shmctl,
4332 .shm_shmat = selinux_shm_shmat,
4334 .sem_alloc_security = selinux_sem_alloc_security,
4335 .sem_free_security = selinux_sem_free_security,
4336 .sem_associate = selinux_sem_associate,
4337 .sem_semctl = selinux_sem_semctl,
4338 .sem_semop = selinux_sem_semop,
4340 .register_security = selinux_register_security,
4341 .unregister_security = selinux_unregister_security,
4343 .d_instantiate = selinux_d_instantiate,
4345 .getprocattr = selinux_getprocattr,
4346 .setprocattr = selinux_setprocattr,
4348 #ifdef CONFIG_SECURITY_NETWORK
4349 .unix_stream_connect = selinux_socket_unix_stream_connect,
4350 .unix_may_send = selinux_socket_unix_may_send,
4352 .socket_create = selinux_socket_create,
4353 .socket_post_create = selinux_socket_post_create,
4354 .socket_bind = selinux_socket_bind,
4355 .socket_connect = selinux_socket_connect,
4356 .socket_listen = selinux_socket_listen,
4357 .socket_accept = selinux_socket_accept,
4358 .socket_sendmsg = selinux_socket_sendmsg,
4359 .socket_recvmsg = selinux_socket_recvmsg,
4360 .socket_getsockname = selinux_socket_getsockname,
4361 .socket_getpeername = selinux_socket_getpeername,
4362 .socket_getsockopt = selinux_socket_getsockopt,
4363 .socket_setsockopt = selinux_socket_setsockopt,
4364 .socket_shutdown = selinux_socket_shutdown,
4365 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4366 .socket_getpeersec = selinux_socket_getpeersec,
4367 .sk_alloc_security = selinux_sk_alloc_security,
4368 .sk_free_security = selinux_sk_free_security,
4372 __init int selinux_init(void)
4374 struct task_security_struct *tsec;
4376 if (!selinux_enabled) {
4377 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4381 printk(KERN_INFO "SELinux: Initializing.\n");
4383 /* Set the security state for the initial task. */
4384 if (task_alloc_security(current))
4385 panic("SELinux: Failed to initialize initial task.\n");
4386 tsec = current->security;
4387 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4391 original_ops = secondary_ops = security_ops;
4393 panic ("SELinux: No initial security operations\n");
4394 if (register_security (&selinux_ops))
4395 panic("SELinux: Unable to register with kernel.\n");
4397 if (selinux_enforcing) {
4398 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4400 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4405 void selinux_complete_init(void)
4407 printk(KERN_INFO "SELinux: Completing initialization.\n");
4409 /* Set up any superblocks initialized prior to the policy load. */
4410 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4411 spin_lock(&sb_security_lock);
4413 if (!list_empty(&superblock_security_head)) {
4414 struct superblock_security_struct *sbsec =
4415 list_entry(superblock_security_head.next,
4416 struct superblock_security_struct,
4418 struct super_block *sb = sbsec->sb;
4419 spin_lock(&sb_lock);
4421 spin_unlock(&sb_lock);
4422 spin_unlock(&sb_security_lock);
4423 down_read(&sb->s_umount);
4425 superblock_doinit(sb, NULL);
4427 spin_lock(&sb_security_lock);
4428 list_del_init(&sbsec->list);
4431 spin_unlock(&sb_security_lock);
4434 /* SELinux requires early initialization in order to label
4435 all processes and objects when they are created. */
4436 security_initcall(selinux_init);
4438 #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
4440 static struct nf_hook_ops selinux_ipv4_op = {
4441 .hook = selinux_ipv4_postroute_last,
4442 .owner = THIS_MODULE,
4444 .hooknum = NF_IP_POST_ROUTING,
4445 .priority = NF_IP_PRI_SELINUX_LAST,
4448 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4450 static struct nf_hook_ops selinux_ipv6_op = {
4451 .hook = selinux_ipv6_postroute_last,
4452 .owner = THIS_MODULE,
4454 .hooknum = NF_IP6_POST_ROUTING,
4455 .priority = NF_IP6_PRI_SELINUX_LAST,
4460 static int __init selinux_nf_ip_init(void)
4464 if (!selinux_enabled)
4467 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4469 err = nf_register_hook(&selinux_ipv4_op);
4471 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4473 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4475 err = nf_register_hook(&selinux_ipv6_op);
4477 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4484 __initcall(selinux_nf_ip_init);
4486 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4487 static void selinux_nf_ip_exit(void)
4489 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4491 nf_unregister_hook(&selinux_ipv4_op);
4492 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4493 nf_unregister_hook(&selinux_ipv6_op);
4498 #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4500 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4501 #define selinux_nf_ip_exit()
4504 #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */
4506 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4507 int selinux_disable(void)
4509 extern void exit_sel_fs(void);
4510 static int selinux_disabled = 0;
4512 if (ss_initialized) {
4513 /* Not permitted after initial policy load. */
4517 if (selinux_disabled) {
4518 /* Only do this once. */
4522 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4524 selinux_disabled = 1;
4526 /* Reset security_ops to the secondary module, dummy or capability. */
4527 security_ops = secondary_ops;
4529 /* Unregister netfilter hooks. */
4530 selinux_nf_ip_exit();
4532 /* Unregister selinuxfs. */