2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License version 2,
16 * as published by the Free Software Foundation.
19 #define XATTR_SECURITY_PREFIX "security."
20 #define XATTR_SELINUX_SUFFIX "selinux"
21 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
23 #include <linux/config.h>
24 #include <linux/module.h>
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/smp_lock.h>
40 #include <linux/spinlock.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
48 #include <net/ip.h> /* for sysctl_local_port_range[] */
49 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
50 #include <asm/uaccess.h>
51 #include <asm/semaphore.h>
52 #include <asm/ioctls.h>
53 #include <linux/bitops.h>
54 #include <linux/interrupt.h>
55 #include <linux/netdevice.h> /* for network interface checks */
56 #include <linux/netlink.h>
57 #include <linux/tcp.h>
58 #include <linux/quota.h>
59 #include <linux/un.h> /* for Unix socket types */
60 #include <net/af_unix.h> /* for Unix socket types */
65 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
66 int selinux_enforcing = 0;
68 static int __init enforcing_setup(char *str)
70 selinux_enforcing = simple_strtol(str,NULL,0);
73 __setup("enforcing=", enforcing_setup);
76 /* Original (dummy) security module. */
77 static struct security_operations *original_ops = NULL;
79 /* Minimal support for a secondary security module,
80 just to allow the use of the dummy or capability modules.
81 The owlsm module can alternatively be used as a secondary
82 module as long as CONFIG_OWLSM_FD is not enabled. */
83 static struct security_operations *secondary_ops = NULL;
85 /* Lists of inode and superblock security structures initialized
86 before the policy was loaded. */
87 static LIST_HEAD(inode_security_head);
88 static spinlock_t inode_security_lock = SPIN_LOCK_UNLOCKED;
90 static LIST_HEAD(superblock_security_head);
91 static spinlock_t sb_security_lock = SPIN_LOCK_UNLOCKED;
93 /* Allocate and free functions for each kind of security blob. */
95 static int task_alloc_security(struct task_struct *task)
97 struct task_security_struct *tsec;
99 tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
103 memset(tsec, 0, sizeof(struct task_security_struct));
104 tsec->magic = SELINUX_MAGIC;
106 tsec->osid = tsec->sid = SECINITSID_UNLABELED;
107 task->security = tsec;
112 static void task_free_security(struct task_struct *task)
114 struct task_security_struct *tsec = task->security;
116 if (!tsec || tsec->magic != SELINUX_MAGIC)
119 task->security = NULL;
123 static int inode_alloc_security(struct inode *inode)
125 struct task_security_struct *tsec = current->security;
126 struct inode_security_struct *isec;
128 isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
132 memset(isec, 0, sizeof(struct inode_security_struct));
133 init_MUTEX(&isec->sem);
134 INIT_LIST_HEAD(&isec->list);
135 isec->magic = SELINUX_MAGIC;
137 isec->sid = SECINITSID_UNLABELED;
138 isec->sclass = SECCLASS_FILE;
139 if (tsec && tsec->magic == SELINUX_MAGIC)
140 isec->task_sid = tsec->sid;
142 isec->task_sid = SECINITSID_UNLABELED;
143 inode->i_security = isec;
148 static void inode_free_security(struct inode *inode)
150 struct inode_security_struct *isec = inode->i_security;
152 if (!isec || isec->magic != SELINUX_MAGIC)
155 spin_lock(&inode_security_lock);
156 if (!list_empty(&isec->list))
157 list_del_init(&isec->list);
158 spin_unlock(&inode_security_lock);
160 inode->i_security = NULL;
164 static int file_alloc_security(struct file *file)
166 struct task_security_struct *tsec = current->security;
167 struct file_security_struct *fsec;
169 fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
173 memset(fsec, 0, sizeof(struct file_security_struct));
174 fsec->magic = SELINUX_MAGIC;
176 if (tsec && tsec->magic == SELINUX_MAGIC) {
177 fsec->sid = tsec->sid;
178 fsec->fown_sid = tsec->sid;
180 fsec->sid = SECINITSID_UNLABELED;
181 fsec->fown_sid = SECINITSID_UNLABELED;
183 file->f_security = fsec;
188 static void file_free_security(struct file *file)
190 struct file_security_struct *fsec = file->f_security;
192 if (!fsec || fsec->magic != SELINUX_MAGIC)
195 file->f_security = NULL;
199 static int superblock_alloc_security(struct super_block *sb)
201 struct superblock_security_struct *sbsec;
203 sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
207 memset(sbsec, 0, sizeof(struct superblock_security_struct));
208 init_MUTEX(&sbsec->sem);
209 INIT_LIST_HEAD(&sbsec->list);
210 sbsec->magic = SELINUX_MAGIC;
212 sbsec->sid = SECINITSID_UNLABELED;
213 sb->s_security = sbsec;
218 static void superblock_free_security(struct super_block *sb)
220 struct superblock_security_struct *sbsec = sb->s_security;
222 if (!sbsec || sbsec->magic != SELINUX_MAGIC)
225 spin_lock(&sb_security_lock);
226 if (!list_empty(&sbsec->list))
227 list_del_init(&sbsec->list);
228 spin_unlock(&sb_security_lock);
230 sb->s_security = NULL;
234 /* The security server must be initialized before
235 any labeling or access decisions can be provided. */
236 extern int ss_initialized;
238 /* The file system's label must be initialized prior to use. */
240 static char *labeling_behaviors[5] = {
242 "uses transition SIDs",
244 "uses genfs_contexts",
245 "not configured for labeling"
248 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
250 static inline int inode_doinit(struct inode *inode)
252 return inode_doinit_with_dentry(inode, NULL);
255 static int superblock_doinit(struct super_block *sb)
257 struct superblock_security_struct *sbsec = sb->s_security;
258 struct dentry *root = sb->s_root;
259 struct inode *inode = root->d_inode;
263 if (sbsec->initialized)
266 if (!ss_initialized) {
267 /* Defer initialization until selinux_complete_init,
268 after the initial policy is loaded and the security
269 server is ready to handle calls. */
270 spin_lock(&sb_security_lock);
271 if (list_empty(&sbsec->list))
272 list_add(&sbsec->list, &superblock_security_head);
273 spin_unlock(&sb_security_lock);
277 /* Determine the labeling behavior to use for this filesystem type. */
278 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
280 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
281 __FUNCTION__, sb->s_type->name, rc);
285 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
286 /* Make sure that the xattr handler exists and that no
287 error other than -ENODATA is returned by getxattr on
288 the root directory. -ENODATA is ok, as this may be
289 the first boot of the SELinux kernel before we have
290 assigned xattr values to the filesystem. */
291 if (!inode->i_op->getxattr) {
292 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
293 "xattr support\n", sb->s_id, sb->s_type->name);
297 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
298 if (rc < 0 && rc != -ENODATA) {
299 if (rc == -EOPNOTSUPP)
300 printk(KERN_WARNING "SELinux: (dev %s, type "
301 "%s) has no security xattr handler\n",
302 sb->s_id, sb->s_type->name);
304 printk(KERN_WARNING "SELinux: (dev %s, type "
305 "%s) getxattr errno %d\n", sb->s_id,
306 sb->s_type->name, -rc);
311 if (strcmp(sb->s_type->name, "proc") == 0)
314 sbsec->initialized = 1;
316 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
317 sb->s_id, sb->s_type->name,
318 labeling_behaviors[sbsec->behavior-1]);
320 /* Initialize the root inode. */
321 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
327 static inline u16 inode_mode_to_security_class(umode_t mode)
329 switch (mode & S_IFMT) {
331 return SECCLASS_SOCK_FILE;
333 return SECCLASS_LNK_FILE;
335 return SECCLASS_FILE;
337 return SECCLASS_BLK_FILE;
341 return SECCLASS_CHR_FILE;
343 return SECCLASS_FIFO_FILE;
347 return SECCLASS_FILE;
350 static inline u16 socket_type_to_security_class(int family, int type)
356 return SECCLASS_UNIX_STREAM_SOCKET;
358 return SECCLASS_UNIX_DGRAM_SOCKET;
364 return SECCLASS_TCP_SOCKET;
366 return SECCLASS_UDP_SOCKET;
368 return SECCLASS_RAWIP_SOCKET;
371 return SECCLASS_NETLINK_SOCKET;
373 return SECCLASS_PACKET_SOCKET;
375 return SECCLASS_KEY_SOCKET;
378 return SECCLASS_SOCKET;
381 #ifdef CONFIG_PROC_FS
382 static int selinux_proc_get_sid(struct proc_dir_entry *de,
387 char *buffer, *path, *end;
389 buffer = (char*)__get_free_page(GFP_KERNEL);
399 while (de && de != de->parent) {
400 buflen -= de->namelen + 1;
404 memcpy(end, de->name, de->namelen);
409 rc = security_genfs_sid("proc", path, tclass, sid);
410 free_page((unsigned long)buffer);
414 static int selinux_proc_get_sid(struct proc_dir_entry *de,
422 /* The inode's security attributes must be initialized before first use. */
423 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
425 struct superblock_security_struct *sbsec = NULL;
426 struct inode_security_struct *isec = inode->i_security;
428 struct dentry *dentry;
429 #define INITCONTEXTLEN 255
430 char *context = NULL;
435 if (isec->initialized)
440 if (isec->initialized)
443 sbsec = inode->i_sb->s_security;
444 if (!sbsec || !sbsec->initialized) {
445 /* Defer initialization until selinux_complete_init,
446 after the initial policy is loaded and the security
447 server is ready to handle calls. */
448 spin_lock(&inode_security_lock);
449 if (list_empty(&isec->list))
450 list_add(&isec->list, &inode_security_head);
451 spin_unlock(&inode_security_lock);
455 switch (sbsec->behavior) {
456 case SECURITY_FS_USE_XATTR:
457 if (!inode->i_op->getxattr) {
458 isec->sid = SECINITSID_FILE;
462 /* Need a dentry, since the xattr API requires one.
463 Life would be simpler if we could just pass the inode. */
465 /* Called from d_instantiate or d_splice_alias. */
466 dentry = dget(opt_dentry);
468 /* Called from selinux_complete_init, try to find a dentry. */
469 dentry = d_find_alias(inode);
472 printk(KERN_WARNING "%s: no dentry for dev=%s "
473 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
478 len = INITCONTEXTLEN;
479 context = kmalloc(len, GFP_KERNEL);
485 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
488 /* Need a larger buffer. Query for the right size. */
489 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
497 context = kmalloc(len, GFP_KERNEL);
503 rc = inode->i_op->getxattr(dentry,
509 if (rc != -ENODATA) {
510 printk(KERN_WARNING "%s: getxattr returned "
511 "%d for dev=%s ino=%ld\n", __FUNCTION__,
512 -rc, inode->i_sb->s_id, inode->i_ino);
516 /* Map ENODATA to the default file SID */
517 sid = SECINITSID_FILE;
520 rc = security_context_to_sid(context, rc, &sid);
522 printk(KERN_WARNING "%s: context_to_sid(%s) "
523 "returned %d for dev=%s ino=%ld\n",
524 __FUNCTION__, context, -rc,
525 inode->i_sb->s_id, inode->i_ino);
533 case SECURITY_FS_USE_TASK:
534 isec->sid = isec->task_sid;
536 case SECURITY_FS_USE_TRANS:
537 /* Default to the fs SID. */
538 isec->sid = sbsec->sid;
540 /* Try to obtain a transition SID. */
541 isec->sclass = inode_mode_to_security_class(inode->i_mode);
542 rc = security_transition_sid(isec->task_sid,
551 /* Default to the fs SID. */
552 isec->sid = sbsec->sid;
555 struct proc_inode *proci = PROC_I(inode);
557 isec->sclass = inode_mode_to_security_class(inode->i_mode);
558 rc = selinux_proc_get_sid(proci->pde,
569 isec->initialized = 1;
573 struct socket *sock = SOCKET_I(inode);
575 isec->sclass = socket_type_to_security_class(sock->sk->sk_family,
578 isec->sclass = SECCLASS_SOCKET;
581 isec->sclass = inode_mode_to_security_class(inode->i_mode);
589 /* Convert a Linux signal to an access vector. */
590 static inline u32 signal_to_av(int sig)
596 /* Commonly granted from child to parent. */
597 perm = PROCESS__SIGCHLD;
600 /* Cannot be caught or ignored */
601 perm = PROCESS__SIGKILL;
604 /* Cannot be caught or ignored */
605 perm = PROCESS__SIGSTOP;
608 /* All other signals. */
609 perm = PROCESS__SIGNAL;
616 /* Check permission betweeen a pair of tasks, e.g. signal checks,
617 fork check, ptrace check, etc. */
618 int task_has_perm(struct task_struct *tsk1,
619 struct task_struct *tsk2,
622 struct task_security_struct *tsec1, *tsec2;
624 tsec1 = tsk1->security;
625 tsec2 = tsk2->security;
626 return avc_has_perm(tsec1->sid, tsec2->sid,
627 SECCLASS_PROCESS, perms, &tsec2->avcr, NULL);
630 /* Check whether a task is allowed to use a capability. */
631 int task_has_capability(struct task_struct *tsk,
634 struct task_security_struct *tsec;
635 struct avc_audit_data ad;
637 tsec = tsk->security;
639 AVC_AUDIT_DATA_INIT(&ad,CAP);
643 return avc_has_perm(tsec->sid, tsec->sid,
644 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), NULL, &ad);
647 /* Check whether a task is allowed to use a system operation. */
648 int task_has_system(struct task_struct *tsk,
651 struct task_security_struct *tsec;
653 tsec = tsk->security;
655 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
656 SECCLASS_SYSTEM, perms, NULL, NULL);
659 /* Check whether a task has a particular permission to an inode.
660 The 'aeref' parameter is optional and allows other AVC
661 entry references to be passed (e.g. the one in the struct file).
662 The 'adp' parameter is optional and allows other audit
663 data to be passed (e.g. the dentry). */
664 int inode_has_perm(struct task_struct *tsk,
667 struct avc_entry_ref *aeref,
668 struct avc_audit_data *adp)
670 struct task_security_struct *tsec;
671 struct inode_security_struct *isec;
672 struct avc_audit_data ad;
674 tsec = tsk->security;
675 isec = inode->i_security;
679 AVC_AUDIT_DATA_INIT(&ad, FS);
680 ad.u.fs.inode = inode;
683 return avc_has_perm(tsec->sid, isec->sid, isec->sclass,
684 perms, aeref ? aeref : &isec->avcr, adp);
687 /* Same as inode_has_perm, but pass explicit audit data containing
688 the dentry to help the auditing code to more easily generate the
689 pathname if needed. */
690 static inline int dentry_has_perm(struct task_struct *tsk,
691 struct vfsmount *mnt,
692 struct dentry *dentry,
695 struct inode *inode = dentry->d_inode;
696 struct avc_audit_data ad;
697 AVC_AUDIT_DATA_INIT(&ad,FS);
699 ad.u.fs.dentry = dentry;
700 return inode_has_perm(tsk, inode, av, NULL, &ad);
703 /* Check whether a task can use an open file descriptor to
704 access an inode in a given way. Check access to the
705 descriptor itself, and then use dentry_has_perm to
706 check a particular permission to the file.
707 Access to the descriptor is implicitly granted if it
708 has the same SID as the process. If av is zero, then
709 access to the file is not checked, e.g. for cases
710 where only the descriptor is affected like seek. */
711 static inline int file_has_perm(struct task_struct *tsk,
715 struct task_security_struct *tsec = tsk->security;
716 struct file_security_struct *fsec = file->f_security;
717 struct vfsmount *mnt = file->f_vfsmnt;
718 struct dentry *dentry = file->f_dentry;
719 struct inode *inode = dentry->d_inode;
720 struct avc_audit_data ad;
723 AVC_AUDIT_DATA_INIT(&ad, FS);
725 ad.u.fs.dentry = dentry;
727 if (tsec->sid != fsec->sid) {
728 rc = avc_has_perm(tsec->sid, fsec->sid,
736 /* av is zero if only checking access to the descriptor. */
738 return inode_has_perm(tsk, inode, av, &fsec->inode_avcr, &ad);
743 /* Check whether a task can create a file. */
744 static int may_create(struct inode *dir,
745 struct dentry *dentry,
748 struct task_security_struct *tsec;
749 struct inode_security_struct *dsec;
750 struct superblock_security_struct *sbsec;
752 struct avc_audit_data ad;
755 tsec = current->security;
756 dsec = dir->i_security;
758 AVC_AUDIT_DATA_INIT(&ad, FS);
759 ad.u.fs.dentry = dentry;
761 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
762 DIR__ADD_NAME | DIR__SEARCH,
767 if (tsec->create_sid) {
768 newsid = tsec->create_sid;
770 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
776 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, NULL, &ad);
780 sbsec = dir->i_sb->s_security;
782 return avc_has_perm(newsid, sbsec->sid,
784 FILESYSTEM__ASSOCIATE, NULL, &ad);
791 /* Check whether a task can link, unlink, or rmdir a file/directory. */
792 static int may_link(struct inode *dir,
793 struct dentry *dentry,
797 struct task_security_struct *tsec;
798 struct inode_security_struct *dsec, *isec;
799 struct avc_audit_data ad;
803 tsec = current->security;
804 dsec = dir->i_security;
805 isec = dentry->d_inode->i_security;
807 AVC_AUDIT_DATA_INIT(&ad, FS);
808 ad.u.fs.dentry = dentry;
811 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
812 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
813 av, &dsec->avcr, &ad);
828 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
832 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
833 av, &isec->avcr, &ad);
837 static inline int may_rename(struct inode *old_dir,
838 struct dentry *old_dentry,
839 struct inode *new_dir,
840 struct dentry *new_dentry)
842 struct task_security_struct *tsec;
843 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
844 struct avc_audit_data ad;
846 int old_is_dir, new_is_dir;
849 tsec = current->security;
850 old_dsec = old_dir->i_security;
851 old_isec = old_dentry->d_inode->i_security;
852 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
853 new_dsec = new_dir->i_security;
855 AVC_AUDIT_DATA_INIT(&ad, FS);
857 ad.u.fs.dentry = old_dentry;
858 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
859 DIR__REMOVE_NAME | DIR__SEARCH,
860 &old_dsec->avcr, &ad);
863 rc = avc_has_perm(tsec->sid, old_isec->sid,
866 &old_isec->avcr, &ad);
869 if (old_is_dir && new_dir != old_dir) {
870 rc = avc_has_perm(tsec->sid, old_isec->sid,
873 &old_isec->avcr, &ad);
878 ad.u.fs.dentry = new_dentry;
879 av = DIR__ADD_NAME | DIR__SEARCH;
880 if (new_dentry->d_inode)
881 av |= DIR__REMOVE_NAME;
882 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR,
883 av,&new_dsec->avcr, &ad);
886 if (new_dentry->d_inode) {
887 new_isec = new_dentry->d_inode->i_security;
888 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
889 rc = avc_has_perm(tsec->sid, new_isec->sid,
891 (new_is_dir ? DIR__RMDIR : FILE__UNLINK),
892 &new_isec->avcr, &ad);
900 /* Check whether a task can perform a filesystem operation. */
901 int superblock_has_perm(struct task_struct *tsk,
902 struct super_block *sb,
904 struct avc_audit_data *ad)
906 struct task_security_struct *tsec;
907 struct superblock_security_struct *sbsec;
909 tsec = tsk->security;
910 sbsec = sb->s_security;
911 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
915 /* Convert a Linux mode and permission mask to an access vector. */
916 static inline u32 file_mask_to_av(int mode, int mask)
920 if ((mode & S_IFMT) != S_IFDIR) {
926 if (mask & MAY_APPEND)
928 else if (mask & MAY_WRITE)
934 if (mask & MAY_WRITE)
943 /* Convert a Linux file to an access vector. */
944 static inline u32 file_to_av(struct file *file)
948 if (file->f_mode & FMODE_READ)
950 if (file->f_mode & FMODE_WRITE) {
951 if (file->f_flags & O_APPEND)
960 /* Set an inode's SID to a specified value. */
961 int inode_security_set_sid(struct inode *inode, u32 sid)
963 struct inode_security_struct *isec = inode->i_security;
966 isec->sclass = inode_mode_to_security_class(inode->i_mode);
968 isec->initialized = 1;
973 /* Set the security attributes on a newly created file. */
974 static int post_create(struct inode *dir,
975 struct dentry *dentry)
978 struct task_security_struct *tsec;
980 struct inode_security_struct *dsec;
981 struct superblock_security_struct *sbsec;
987 tsec = current->security;
988 dsec = dir->i_security;
990 inode = dentry->d_inode;
992 /* Some file system types (e.g. NFS) may not instantiate
993 a dentry for all create operations (e.g. symlink),
994 so we have to check to see if the inode is non-NULL. */
995 printk(KERN_WARNING "post_create: no inode, dir (dev=%s, "
996 "ino=%ld)\n", dir->i_sb->s_id, dir->i_ino);
1000 if (tsec->create_sid) {
1001 newsid = tsec->create_sid;
1003 rc = security_transition_sid(tsec->sid, dsec->sid,
1004 inode_mode_to_security_class(inode->i_mode),
1007 printk(KERN_WARNING "post_create: "
1008 "security_transition_sid failed, rc=%d (dev=%s "
1010 -rc, inode->i_sb->s_id, inode->i_ino);
1015 rc = inode_security_set_sid(inode, newsid);
1017 printk(KERN_WARNING "post_create: inode_security_set_sid "
1018 "failed, rc=%d (dev=%s ino=%ld)\n",
1019 -rc, inode->i_sb->s_id, inode->i_ino);
1023 sbsec = dir->i_sb->s_security;
1027 if (sbsec->behavior == SECURITY_FS_USE_XATTR &&
1028 inode->i_op->setxattr) {
1029 /* Use extended attributes. */
1030 rc = security_sid_to_context(newsid, &context, &len);
1032 printk(KERN_WARNING "post_create: sid_to_context "
1033 "failed, rc=%d (dev=%s ino=%ld)\n",
1034 -rc, inode->i_sb->s_id, inode->i_ino);
1037 down(&inode->i_sem);
1038 rc = inode->i_op->setxattr(dentry,
1044 printk(KERN_WARNING "post_create: setxattr failed, "
1045 "rc=%d (dev=%s ino=%ld)\n",
1046 -rc, inode->i_sb->s_id, inode->i_ino);
1055 /* Hook functions begin here. */
1057 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1061 rc = secondary_ops->ptrace(parent,child);
1065 return task_has_perm(parent, child, PROCESS__PTRACE);
1068 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1069 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1073 error = task_has_perm(current, target, PROCESS__GETCAP);
1077 return secondary_ops->capget(target, effective, inheritable, permitted);
1080 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1081 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1085 error = task_has_perm(current, target, PROCESS__SETCAP);
1089 return secondary_ops->capset_check(target, effective, inheritable, permitted);
1092 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1093 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1097 error = task_has_perm(current, target, PROCESS__SETCAP);
1101 return secondary_ops->capset_set(target, effective, inheritable, permitted);
1104 static int selinux_capable(struct task_struct *tsk, int cap)
1108 rc = secondary_ops->capable(tsk, cap);
1112 return task_has_capability(tsk,cap);
1115 static int selinux_sysctl(ctl_table *table, int op)
1119 struct task_security_struct *tsec;
1123 tsec = current->security;
1125 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1126 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1128 /* Default to the well-defined sysctl SID. */
1129 tsid = SECINITSID_SYSCTL;
1132 /* The op values are "defined" in sysctl.c, thereby creating
1133 * a bad coupling between this module and sysctl.c */
1135 error = avc_has_perm(tsec->sid, tsid,
1136 SECCLASS_DIR, DIR__SEARCH, NULL, NULL);
1144 error = avc_has_perm(tsec->sid, tsid,
1145 SECCLASS_FILE, av, NULL, NULL);
1151 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1164 rc = superblock_has_perm(current,
1166 FILESYSTEM__QUOTAMOD, NULL);
1171 rc = superblock_has_perm(current,
1173 FILESYSTEM__QUOTAGET, NULL);
1176 rc = 0; /* let the kernel handle invalid cmds */
1182 static int selinux_quota_on(struct file *f)
1184 return file_has_perm(current, f, FILE__QUOTAON);;
1187 static int selinux_syslog(int type)
1191 rc = secondary_ops->syslog(type);
1196 case 3: /* Read last kernel messages */
1197 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1199 case 6: /* Disable logging to console */
1200 case 7: /* Enable logging to console */
1201 case 8: /* Set level of messages printed to console */
1202 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1204 case 0: /* Close log */
1205 case 1: /* Open log */
1206 case 2: /* Read from log */
1207 case 4: /* Read/clear last kernel messages */
1208 case 5: /* Clear ring buffer */
1210 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1217 * Check that a process has enough memory to allocate a new virtual
1218 * mapping. 0 means there is enough memory for the allocation to
1219 * succeed and -ENOMEM implies there is not.
1221 * We currently support three overcommit policies, which are set via the
1222 * vm.overcommit_memory sysctl. See Documentation/vm/overcommit-acounting
1224 * Strict overcommit modes added 2002 Feb 26 by Alan Cox.
1225 * Additional code 2002 Jul 20 by Robert Love.
1227 static int selinux_vm_enough_memory(long pages)
1229 unsigned long free, allowed;
1231 struct task_security_struct *tsec = current->security;
1233 vm_acct_memory(pages);
1236 * Sometimes we want to use more memory than we have
1238 if (sysctl_overcommit_memory == 1)
1241 if (sysctl_overcommit_memory == 0) {
1242 free = get_page_cache_size();
1243 free += nr_free_pages();
1244 free += nr_swap_pages;
1247 * Any slabs which are created with the
1248 * SLAB_RECLAIM_ACCOUNT flag claim to have contents
1249 * which are reclaimable, under pressure. The dentry
1250 * cache and most inode caches should fall into this
1252 free += atomic_read(&slab_reclaim_pages);
1255 * Leave the last 3% for privileged processes.
1256 * Don't audit the check, as it is applied to all processes
1257 * that allocate mappings.
1259 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1261 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1262 SECCLASS_CAPABILITY,
1263 CAP_TO_MASK(CAP_SYS_ADMIN),
1271 vm_unacct_memory(pages);
1275 allowed = totalram_pages * sysctl_overcommit_ratio / 100;
1276 allowed += total_swap_pages;
1278 if (atomic_read(&vm_committed_space) < allowed)
1281 vm_unacct_memory(pages);
1286 static int selinux_netlink_send(struct sk_buff *skb)
1288 if (capable(CAP_NET_ADMIN))
1289 cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
1291 NETLINK_CB(skb).eff_cap = 0;
1295 static int selinux_netlink_recv(struct sk_buff *skb)
1297 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
1302 /* binprm security operations */
1304 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1308 /* Make sure that the secondary module doesn't use the
1309 bprm->security field, since we do not yet support chaining
1310 of multiple security structures on the field. Neither
1311 the dummy nor the capability module use the field. The owlsm
1312 module uses the field if CONFIG_OWLSM_FD is enabled. */
1313 rc = secondary_ops->bprm_alloc_security(bprm);
1316 if (bprm->security) {
1317 printk(KERN_WARNING "%s: no support yet for chaining on the "
1318 "security field by secondary modules.\n", __FUNCTION__);
1319 /* Release the secondary module's security object. */
1320 secondary_ops->bprm_free_security(bprm);
1321 /* Unregister the secondary module to prevent problems
1322 with subsequent binprm hooks. This will revert to the
1323 original (dummy) module for the secondary operations. */
1324 rc = security_ops->unregister_security("unknown", secondary_ops);
1327 printk(KERN_WARNING "%s: Unregistered the secondary security "
1328 "module.\n", __FUNCTION__);
1330 bprm->security = NULL;
1334 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1336 struct task_security_struct *tsec;
1337 struct inode *inode = bprm->file->f_dentry->d_inode;
1338 struct inode_security_struct *isec;
1340 struct avc_audit_data ad;
1343 rc = secondary_ops->bprm_set_security(bprm);
1347 if (bprm->sh_bang || bprm->security)
1348 /* The security field should already be set properly. */
1351 tsec = current->security;
1352 isec = inode->i_security;
1354 /* Default to the current task SID. */
1355 bprm->security = (void *)tsec->sid;
1357 /* Reset create SID on execve. */
1358 tsec->create_sid = 0;
1360 if (tsec->exec_sid) {
1361 newsid = tsec->exec_sid;
1362 /* Reset exec SID on execve. */
1365 /* Check for a default transition on this program. */
1366 rc = security_transition_sid(tsec->sid, isec->sid,
1367 SECCLASS_PROCESS, &newsid);
1372 AVC_AUDIT_DATA_INIT(&ad, FS);
1373 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1374 ad.u.fs.dentry = bprm->file->f_dentry;
1376 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1379 if (tsec->sid == newsid) {
1380 rc = avc_has_perm(tsec->sid, isec->sid,
1381 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS,
1386 /* Check permissions for the transition. */
1387 rc = avc_has_perm(tsec->sid, newsid,
1388 SECCLASS_PROCESS, PROCESS__TRANSITION,
1394 rc = avc_has_perm(newsid, isec->sid,
1395 SECCLASS_FILE, FILE__ENTRYPOINT,
1400 /* Set the security field to the new SID. */
1401 bprm->security = (void*) newsid;
1407 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1413 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1415 struct task_security_struct *tsec = current->security;
1418 if (tsec->osid != tsec->sid) {
1419 /* Enable secure mode for SIDs transitions unless
1420 the noatsecure permission is granted between
1421 the two SIDs, i.e. ahp returns 0. */
1422 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1424 PROCESS__NOATSECURE, NULL, NULL);
1427 /* Note that we must include the legacy uid/gid test below
1428 to retain it, as the new userland will simply use the
1429 value passed by AT_SECURE to decide whether to enable
1431 return ( atsecure || current->euid != current->uid ||
1432 current->egid != current->gid);
1435 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1437 /* Nothing to do - not dynamically allocated. */
1441 /* Derived from fs/exec.c:flush_old_files. */
1442 static inline void flush_unauthorized_files(struct files_struct * files)
1444 struct avc_audit_data ad;
1448 AVC_AUDIT_DATA_INIT(&ad,FS);
1450 spin_lock(&files->file_lock);
1452 unsigned long set, i;
1456 if (i >= files->max_fds || i >= files->max_fdset)
1458 set = files->open_fds->fds_bits[j];
1461 spin_unlock(&files->file_lock);
1462 for ( ; set ; i++,set >>= 1) {
1467 if (file_has_perm(current,
1474 spin_lock(&files->file_lock);
1477 spin_unlock(&files->file_lock);
1480 static void selinux_bprm_compute_creds(struct linux_binprm *bprm)
1482 struct task_security_struct *tsec, *psec;
1484 struct av_decision avd;
1487 secondary_ops->bprm_compute_creds(bprm);
1489 tsec = current->security;
1491 sid = (u32)bprm->security;
1495 tsec->osid = tsec->sid;
1496 if (tsec->sid != sid) {
1497 /* Check for shared state. If not ok, leave SID
1498 unchanged and kill. */
1499 if ((atomic_read(¤t->fs->count) > 1 ||
1500 atomic_read(¤t->files->count) > 1 ||
1501 atomic_read(¤t->sighand->count) > 1)) {
1502 rc = avc_has_perm(tsec->sid, sid,
1503 SECCLASS_PROCESS, PROCESS__SHARE,
1506 force_sig_specific(SIGKILL, current);
1511 /* Check for ptracing, and update the task SID if ok.
1512 Otherwise, leave SID unchanged and kill. */
1514 if (current->ptrace & PT_PTRACED) {
1515 psec = current->parent->security;
1516 rc = avc_has_perm_noaudit(psec->sid, sid,
1517 SECCLASS_PROCESS, PROCESS__PTRACE,
1521 task_unlock(current);
1522 avc_audit(psec->sid, sid, SECCLASS_PROCESS,
1523 PROCESS__PTRACE, &avd, rc, NULL);
1525 force_sig_specific(SIGKILL, current);
1530 task_unlock(current);
1533 /* Close files for which the new task SID is not authorized. */
1534 flush_unauthorized_files(current->files);
1536 /* Wake up the parent if it is waiting so that it can
1537 recheck wait permission to the new task SID. */
1538 wake_up_interruptible(¤t->parent->wait_chldexit);
1542 /* superblock security operations */
1544 static int selinux_sb_alloc_security(struct super_block *sb)
1546 return superblock_alloc_security(sb);
1549 static void selinux_sb_free_security(struct super_block *sb)
1551 superblock_free_security(sb);
1554 static int selinux_sb_kern_mount(struct super_block *sb)
1556 struct avc_audit_data ad;
1559 rc = superblock_doinit(sb);
1563 AVC_AUDIT_DATA_INIT(&ad,FS);
1564 ad.u.fs.dentry = sb->s_root;
1565 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1568 static int selinux_sb_statfs(struct super_block *sb)
1570 struct avc_audit_data ad;
1572 AVC_AUDIT_DATA_INIT(&ad,FS);
1573 ad.u.fs.dentry = sb->s_root;
1574 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1577 static int selinux_mount(char * dev_name,
1578 struct nameidata *nd,
1580 unsigned long flags,
1583 if (flags & MS_REMOUNT)
1584 return superblock_has_perm(current, nd->mnt->mnt_sb,
1585 FILESYSTEM__REMOUNT, NULL);
1587 return dentry_has_perm(current, nd->mnt, nd->dentry,
1591 static int selinux_umount(struct vfsmount *mnt, int flags)
1593 return superblock_has_perm(current,mnt->mnt_sb,
1594 FILESYSTEM__UNMOUNT,NULL);
1597 /* inode security operations */
1599 static int selinux_inode_alloc_security(struct inode *inode)
1601 return inode_alloc_security(inode);
1604 static void selinux_inode_free_security(struct inode *inode)
1606 inode_free_security(inode);
1609 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
1611 return may_create(dir, dentry, SECCLASS_FILE);
1614 static void selinux_inode_post_create(struct inode *dir, struct dentry *dentry, int mask)
1616 post_create(dir, dentry);
1619 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
1623 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
1626 return may_link(dir, old_dentry, MAY_LINK);
1629 static void selinux_inode_post_link(struct dentry *old_dentry, struct inode *inode, struct dentry *new_dentry)
1634 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
1636 return may_link(dir, dentry, MAY_UNLINK);
1639 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
1641 return may_create(dir, dentry, SECCLASS_LNK_FILE);
1644 static void selinux_inode_post_symlink(struct inode *dir, struct dentry *dentry, const char *name)
1646 post_create(dir, dentry);
1649 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
1651 return may_create(dir, dentry, SECCLASS_DIR);
1654 static void selinux_inode_post_mkdir(struct inode *dir, struct dentry *dentry, int mask)
1656 post_create(dir, dentry);
1659 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
1661 return may_link(dir, dentry, MAY_RMDIR);
1664 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
1666 return may_create(dir, dentry, inode_mode_to_security_class(mode));
1669 static void selinux_inode_post_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
1671 post_create(dir, dentry);
1674 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
1675 struct inode *new_inode, struct dentry *new_dentry)
1677 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
1680 static void selinux_inode_post_rename(struct inode *old_inode, struct dentry *old_dentry,
1681 struct inode *new_inode, struct dentry *new_dentry)
1686 static int selinux_inode_readlink(struct dentry *dentry)
1688 return dentry_has_perm(current, NULL, dentry, FILE__READ);
1691 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
1695 rc = secondary_ops->inode_follow_link(dentry,nameidata);
1698 return dentry_has_perm(current, NULL, dentry, FILE__READ);
1701 static int selinux_inode_permission(struct inode *inode, int mask)
1704 /* No permission to check. Existence test. */
1708 return inode_has_perm(current, inode,
1709 file_mask_to_av(inode->i_mode, mask), NULL, NULL);
1712 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
1714 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
1715 ATTR_ATIME_SET | ATTR_MTIME_SET))
1716 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
1718 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
1721 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
1723 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
1726 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
1728 struct task_security_struct *tsec = current->security;
1729 struct inode *inode = dentry->d_inode;
1730 struct inode_security_struct *isec = inode->i_security;
1731 struct superblock_security_struct *sbsec;
1732 struct avc_audit_data ad;
1736 if (strcmp(name, XATTR_NAME_SELINUX)) {
1737 if (!strncmp(name, XATTR_SECURITY_PREFIX,
1738 sizeof XATTR_SECURITY_PREFIX - 1) &&
1739 !capable(CAP_SYS_ADMIN)) {
1740 /* A different attribute in the security namespace.
1741 Restrict to administrator. */
1745 /* Not an attribute we recognize, so just check the
1746 ordinary setattr permission. */
1747 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
1750 AVC_AUDIT_DATA_INIT(&ad,FS);
1751 ad.u.fs.dentry = dentry;
1753 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
1759 rc = security_context_to_sid(value, size, &newsid);
1763 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
1764 FILE__RELABELTO, NULL, &ad);
1768 sbsec = inode->i_sb->s_security;
1772 return avc_has_perm(newsid,
1774 SECCLASS_FILESYSTEM,
1775 FILESYSTEM__ASSOCIATE,
1780 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
1781 void *value, size_t size, int flags)
1783 struct inode *inode = dentry->d_inode;
1784 struct inode_security_struct *isec = inode->i_security;
1788 if (strcmp(name, XATTR_NAME_SELINUX)) {
1789 /* Not an attribute we recognize, so nothing to do. */
1793 rc = security_context_to_sid(value, size, &newsid);
1795 printk(KERN_WARNING "%s: unable to obtain SID for context "
1796 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
1804 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
1806 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
1809 static int selinux_inode_listxattr (struct dentry *dentry)
1811 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
1814 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
1816 if (strcmp(name, XATTR_NAME_SELINUX)) {
1817 if (!strncmp(name, XATTR_SECURITY_PREFIX,
1818 sizeof XATTR_SECURITY_PREFIX - 1) &&
1819 !capable(CAP_SYS_ADMIN)) {
1820 /* A different attribute in the security namespace.
1821 Restrict to administrator. */
1825 /* Not an attribute we recognize, so just check the
1826 ordinary setattr permission. Might want a separate
1827 permission for removexattr. */
1828 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
1831 /* No one is allowed to remove a SELinux security label.
1832 You can change the label, but all data must be labeled. */
1836 static int selinux_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
1838 struct inode *inode = dentry->d_inode;
1839 struct inode_security_struct *isec = inode->i_security;
1844 /* Permission check handled by selinux_inode_getxattr hook.*/
1846 if (strcmp(name, XATTR_SELINUX_SUFFIX))
1849 rc = security_sid_to_context(isec->sid, &context, &len);
1853 if (!buffer || !size) {
1861 memcpy(buffer, context, len);
1866 static int selinux_inode_setsecurity(struct dentry *dentry, const char *name,
1867 const void *value, size_t size, int flags)
1869 struct inode *inode = dentry->d_inode;
1870 struct inode_security_struct *isec = inode->i_security;
1874 if (strcmp(name, XATTR_SELINUX_SUFFIX))
1877 if (!value || !size)
1880 rc = security_context_to_sid((void*)value, size, &newsid);
1888 static int selinux_inode_listsecurity(struct dentry *dentry, char *buffer)
1890 const int len = sizeof(XATTR_NAME_SELINUX);
1892 memcpy(buffer, XATTR_NAME_SELINUX, len);
1896 /* file security operations */
1898 static int selinux_file_permission(struct file *file, int mask)
1900 struct inode *inode = file->f_dentry->d_inode;
1903 /* No permission to check. Existence test. */
1907 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
1908 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
1911 return file_has_perm(current, file,
1912 file_mask_to_av(inode->i_mode, mask));
1915 static int selinux_file_alloc_security(struct file *file)
1917 return file_alloc_security(file);
1920 static void selinux_file_free_security(struct file *file)
1922 file_free_security(file);
1925 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
1937 case EXT2_IOC_GETFLAGS:
1939 case EXT2_IOC_GETVERSION:
1940 error = file_has_perm(current, file, FILE__GETATTR);
1943 case EXT2_IOC_SETFLAGS:
1945 case EXT2_IOC_SETVERSION:
1946 error = file_has_perm(current, file, FILE__SETATTR);
1949 /* sys_ioctl() checks */
1953 error = file_has_perm(current, file, 0);
1958 if (!capable(CAP_SYS_TTY_CONFIG))
1962 /* default case assumes that the command will go
1963 * to the file's ioctl() function.
1966 error = file_has_perm(current, file, FILE__IOCTL);
1972 static int selinux_file_mmap(struct file *file, unsigned long prot, unsigned long flags)
1977 /* read access is always possible with a mapping */
1980 /* write access only matters if the mapping is shared */
1981 if ((flags & MAP_TYPE) == MAP_SHARED && (prot & PROT_WRITE))
1984 if (prot & PROT_EXEC)
1985 av |= FILE__EXECUTE;
1987 return file_has_perm(current, file, av);
1992 static int selinux_file_mprotect(struct vm_area_struct *vma,
1995 return selinux_file_mmap(vma->vm_file, prot, vma->vm_flags);
1998 static int selinux_file_lock(struct file *file, unsigned int cmd)
2000 return file_has_perm(current, file, FILE__LOCK);
2003 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2010 if (!file->f_dentry || !file->f_dentry->d_inode) {
2015 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2016 err = file_has_perm(current, file,FILE__WRITE);
2025 /* Just check FD__USE permission */
2026 err = file_has_perm(current, file, 0);
2034 if (!file->f_dentry || !file->f_dentry->d_inode) {
2038 err = file_has_perm(current, file, FILE__LOCK);
2045 static int selinux_file_set_fowner(struct file *file)
2047 struct task_security_struct *tsec;
2048 struct file_security_struct *fsec;
2050 tsec = current->security;
2051 fsec = file->f_security;
2052 fsec->fown_sid = tsec->sid;
2057 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2058 struct fown_struct *fown,
2063 struct task_security_struct *tsec;
2064 struct file_security_struct *fsec;
2066 /* struct fown_struct is never outside the context of a struct file */
2067 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2069 tsec = tsk->security;
2070 fsec = file->f_security;
2073 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2075 perm = signal_to_av(fown->signum);
2077 return avc_has_perm(fsec->fown_sid, tsec->sid,
2078 SECCLASS_PROCESS, perm, NULL, NULL);
2081 static int selinux_file_receive(struct file *file)
2083 return file_has_perm(current, file, file_to_av(file));
2086 /* task security operations */
2088 static int selinux_task_create(unsigned long clone_flags)
2090 return task_has_perm(current, current, PROCESS__FORK);
2093 static int selinux_task_alloc_security(struct task_struct *tsk)
2095 struct task_security_struct *tsec1, *tsec2;
2098 tsec1 = current->security;
2100 rc = task_alloc_security(tsk);
2103 tsec2 = tsk->security;
2105 tsec2->osid = tsec1->osid;
2106 tsec2->sid = tsec1->sid;
2108 /* Retain the exec and create SIDs across fork */
2109 tsec2->exec_sid = tsec1->exec_sid;
2110 tsec2->create_sid = tsec1->create_sid;
2115 static void selinux_task_free_security(struct task_struct *tsk)
2117 task_free_security(tsk);
2120 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2122 /* Since setuid only affects the current process, and
2123 since the SELinux controls are not based on the Linux
2124 identity attributes, SELinux does not need to control
2125 this operation. However, SELinux does control the use
2126 of the CAP_SETUID and CAP_SETGID capabilities using the
2131 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2133 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2136 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2138 /* See the comment for setuid above. */
2142 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2144 return task_has_perm(current, p, PROCESS__SETPGID);
2147 static int selinux_task_getpgid(struct task_struct *p)
2149 return task_has_perm(current, p, PROCESS__GETPGID);
2152 static int selinux_task_getsid(struct task_struct *p)
2154 return task_has_perm(current, p, PROCESS__GETSESSION);
2157 static int selinux_task_setgroups(int gidsetsize, gid_t *grouplist)
2159 /* See the comment for setuid above. */
2163 static int selinux_task_setnice(struct task_struct *p, int nice)
2165 return task_has_perm(current,p, PROCESS__SETSCHED);
2168 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2170 /* SELinux does not currently provide a process
2171 resource limit policy based on security contexts.
2172 It does control the use of the CAP_SYS_RESOURCE capability
2173 using the capable hook. */
2177 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2179 struct task_security_struct *tsec1, *tsec2;
2181 tsec1 = current->security;
2182 tsec2 = p->security;
2184 /* No auditing from the setscheduler hook, since the runqueue lock
2185 is held and the system will deadlock if we try to log an audit
2187 return avc_has_perm_noaudit(tsec1->sid, tsec2->sid,
2188 SECCLASS_PROCESS, PROCESS__SETSCHED,
2189 &tsec2->avcr, NULL);
2192 static int selinux_task_getscheduler(struct task_struct *p)
2194 return task_has_perm(current, p, PROCESS__GETSCHED);
2197 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2201 if (info && ((unsigned long)info == 1 ||
2202 (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2206 perm = PROCESS__SIGNULL; /* null signal; existence test */
2208 perm = signal_to_av(sig);
2210 return task_has_perm(current, p, perm);
2213 static int selinux_task_prctl(int option,
2219 /* The current prctl operations do not appear to require
2220 any SELinux controls since they merely observe or modify
2221 the state of the current process. */
2225 static int selinux_task_wait(struct task_struct *p)
2229 perm = signal_to_av(p->exit_signal);
2231 return task_has_perm(p, current, perm);
2234 static void selinux_task_reparent_to_init(struct task_struct *p)
2236 struct task_security_struct *tsec;
2238 secondary_ops->task_reparent_to_init(p);
2241 tsec->osid = tsec->sid;
2242 tsec->sid = SECINITSID_KERNEL;
2246 static void selinux_task_to_inode(struct task_struct *p,
2247 struct inode *inode)
2249 struct task_security_struct *tsec = p->security;
2250 struct inode_security_struct *isec = inode->i_security;
2252 isec->sid = tsec->sid;
2253 isec->initialized = 1;
2257 #ifdef CONFIG_SECURITY_NETWORK
2259 /* socket security operations */
2260 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2263 struct inode_security_struct *isec;
2264 struct task_security_struct *tsec;
2265 struct avc_audit_data ad;
2268 tsec = task->security;
2269 isec = SOCK_INODE(sock)->i_security;
2271 AVC_AUDIT_DATA_INIT(&ad,NET);
2272 ad.u.net.sk = sock->sk;
2273 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2274 perms, &isec->avcr, &ad);
2279 static int selinux_socket_create(int family, int type, int protocol)
2282 struct task_security_struct *tsec;
2284 tsec = current->security;
2286 err = avc_has_perm(tsec->sid, tsec->sid,
2287 socket_type_to_security_class(family, type),
2288 SOCKET__CREATE, NULL, NULL);
2293 static void selinux_socket_post_create(struct socket *sock, int family, int type, int protocol)
2296 struct inode_security_struct *isec;
2297 struct task_security_struct *tsec;
2299 err = inode_doinit(SOCK_INODE(sock));
2302 isec = SOCK_INODE(sock)->i_security;
2304 tsec = current->security;
2305 isec->sclass = socket_type_to_security_class(family, type);
2306 isec->sid = tsec->sid;
2311 /* Range of port numbers used to automatically bind.
2312 Need to determine whether we should perform a name_bind
2313 permission check between the socket and the port number. */
2314 #define ip_local_port_range_0 sysctl_local_port_range[0]
2315 #define ip_local_port_range_1 sysctl_local_port_range[1]
2317 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2321 err = socket_has_perm(current, sock, SOCKET__BIND);
2326 * If PF_INET, check name_bind permission for the port.
2328 if (sock->sk->sk_family == PF_INET) {
2329 struct inode_security_struct *isec;
2330 struct task_security_struct *tsec;
2331 struct avc_audit_data ad;
2332 struct sockaddr_in *addr = (struct sockaddr_in *)address;
2333 unsigned short snum = ntohs(addr->sin_port);
2334 struct sock *sk = sock->sk;
2337 tsec = current->security;
2338 isec = SOCK_INODE(sock)->i_security;
2340 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2341 snum > ip_local_port_range_1)) {
2342 err = security_port_sid(sk->sk_family, sk->sk_type,
2343 sk->sk_protocol, snum, &sid);
2346 AVC_AUDIT_DATA_INIT(&ad,NET);
2347 ad.u.net.port = snum;
2348 err = avc_has_perm(isec->sid, sid,
2350 SOCKET__NAME_BIND, NULL, &ad);
2359 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
2362 struct sock *sk = sock->sk;
2363 struct avc_audit_data ad;
2364 struct task_security_struct *tsec;
2365 struct inode_security_struct *isec;
2367 isec = SOCK_INODE(sock)->i_security;
2369 tsec = current->security;
2371 AVC_AUDIT_DATA_INIT(&ad, NET);
2373 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2374 SOCKET__CONNECT, &isec->avcr, &ad);
2381 static int selinux_socket_listen(struct socket *sock, int backlog)
2384 struct task_security_struct *tsec;
2385 struct inode_security_struct *isec;
2386 struct avc_audit_data ad;
2388 tsec = current->security;
2390 isec = SOCK_INODE(sock)->i_security;
2392 AVC_AUDIT_DATA_INIT(&ad, NET);
2393 ad.u.net.sk = sock->sk;
2395 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2396 SOCKET__LISTEN, &isec->avcr, &ad);
2403 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
2406 struct task_security_struct *tsec;
2407 struct inode_security_struct *isec;
2408 struct inode_security_struct *newisec;
2409 struct avc_audit_data ad;
2411 tsec = current->security;
2413 isec = SOCK_INODE(sock)->i_security;
2415 AVC_AUDIT_DATA_INIT(&ad, NET);
2416 ad.u.net.sk = sock->sk;
2418 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2419 SOCKET__ACCEPT, &isec->avcr, &ad);
2423 err = inode_doinit(SOCK_INODE(newsock));
2426 newisec = SOCK_INODE(newsock)->i_security;
2428 newisec->sclass = isec->sclass;
2429 newisec->sid = isec->sid;
2434 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
2437 struct task_security_struct *tsec;
2438 struct inode_security_struct *isec;
2439 struct avc_audit_data ad;
2443 isec = SOCK_INODE(sock)->i_security;
2445 tsec = current->security;
2449 AVC_AUDIT_DATA_INIT(&ad, NET);
2451 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2452 SOCKET__WRITE, &isec->avcr, &ad);
2459 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
2460 int size, int flags)
2462 struct inode_security_struct *isec;
2463 struct task_security_struct *tsec;
2464 struct avc_audit_data ad;
2467 isec = SOCK_INODE(sock)->i_security;
2468 tsec = current->security;
2470 AVC_AUDIT_DATA_INIT(&ad,NET);
2471 ad.u.net.sk = sock->sk;
2472 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2473 SOCKET__READ, &isec->avcr, &ad);
2480 static int selinux_socket_getsockname(struct socket *sock)
2482 struct inode_security_struct *isec;
2483 struct task_security_struct *tsec;
2484 struct avc_audit_data ad;
2487 tsec = current->security;
2488 isec = SOCK_INODE(sock)->i_security;
2490 AVC_AUDIT_DATA_INIT(&ad,NET);
2491 ad.u.net.sk = sock->sk;
2492 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2493 SOCKET__GETATTR, &isec->avcr, &ad);
2500 static int selinux_socket_getpeername(struct socket *sock)
2502 struct inode_security_struct *isec;
2503 struct task_security_struct *tsec;
2504 struct avc_audit_data ad;
2507 tsec = current->security;
2508 isec = SOCK_INODE(sock)->i_security;
2510 AVC_AUDIT_DATA_INIT(&ad,NET);
2511 ad.u.net.sk = sock->sk;
2512 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2513 SOCKET__GETATTR, &isec->avcr, &ad);
2520 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
2522 return socket_has_perm(current, sock, SOCKET__SETOPT);
2525 static int selinux_socket_getsockopt(struct socket *sock, int level,
2528 return socket_has_perm(current, sock, SOCKET__GETOPT);
2531 static int selinux_socket_shutdown(struct socket *sock, int how)
2533 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
2536 static int selinux_socket_unix_stream_connect(struct socket *sock,
2537 struct socket *other,
2540 struct inode_security_struct *isec;
2541 struct inode_security_struct *other_isec;
2542 struct avc_audit_data ad;
2545 isec = SOCK_INODE(sock)->i_security;
2546 other_isec = SOCK_INODE(other)->i_security;
2548 AVC_AUDIT_DATA_INIT(&ad,NET);
2549 ad.u.net.sk = other->sk;
2551 err = avc_has_perm(isec->sid, other_isec->sid,
2553 UNIX_STREAM_SOCKET__CONNECTTO,
2554 &other_isec->avcr, &ad);
2561 static int selinux_socket_unix_may_send(struct socket *sock,
2562 struct socket *other)
2564 struct inode_security_struct *isec;
2565 struct inode_security_struct *other_isec;
2566 struct avc_audit_data ad;
2569 isec = SOCK_INODE(sock)->i_security;
2570 other_isec = SOCK_INODE(other)->i_security;
2572 AVC_AUDIT_DATA_INIT(&ad,NET);
2573 ad.u.net.sk = other->sk;
2575 err = avc_has_perm(isec->sid, other_isec->sid,
2578 &other_isec->avcr, &ad);
2587 static int ipc_alloc_security(struct task_struct *task,
2588 struct kern_ipc_perm *perm,
2591 struct task_security_struct *tsec = task->security;
2592 struct ipc_security_struct *isec;
2594 isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
2598 memset(isec, 0, sizeof(struct ipc_security_struct));
2599 isec->magic = SELINUX_MAGIC;
2600 isec->sclass = sclass;
2601 isec->ipc_perm = perm;
2603 isec->sid = tsec->sid;
2605 isec->sid = SECINITSID_UNLABELED;
2607 perm->security = isec;
2612 static void ipc_free_security(struct kern_ipc_perm *perm)
2614 struct ipc_security_struct *isec = perm->security;
2615 if (!isec || isec->magic != SELINUX_MAGIC)
2618 perm->security = NULL;
2622 static int msg_msg_alloc_security(struct msg_msg *msg)
2624 struct msg_security_struct *msec;
2626 msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
2630 memset(msec, 0, sizeof(struct msg_security_struct));
2631 msec->magic = SELINUX_MAGIC;
2633 msec->sid = SECINITSID_UNLABELED;
2634 msg->security = msec;
2639 static void msg_msg_free_security(struct msg_msg *msg)
2641 struct msg_security_struct *msec = msg->security;
2642 if (!msec || msec->magic != SELINUX_MAGIC)
2645 msg->security = NULL;
2649 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
2650 u16 sclass, u32 perms)
2652 struct task_security_struct *tsec;
2653 struct ipc_security_struct *isec;
2654 struct avc_audit_data ad;
2656 tsec = current->security;
2657 isec = ipc_perms->security;
2659 AVC_AUDIT_DATA_INIT(&ad, IPC);
2660 ad.u.ipc_id = ipc_perms->key;
2662 return avc_has_perm(tsec->sid, isec->sid, sclass,
2663 perms, &isec->avcr, &ad);
2666 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
2668 return msg_msg_alloc_security(msg);
2671 static void selinux_msg_msg_free_security(struct msg_msg *msg)
2673 return msg_msg_free_security(msg);
2676 /* message queue security operations */
2677 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
2679 struct task_security_struct *tsec;
2680 struct ipc_security_struct *isec;
2681 struct avc_audit_data ad;
2684 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
2688 tsec = current->security;
2689 isec = msq->q_perm.security;
2691 AVC_AUDIT_DATA_INIT(&ad, IPC);
2692 ad.u.ipc_id = msq->q_perm.key;
2694 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
2695 MSGQ__CREATE, &isec->avcr, &ad);
2697 ipc_free_security(&msq->q_perm);
2703 static void selinux_msg_queue_free_security(struct msg_queue *msq)
2705 ipc_free_security(&msq->q_perm);
2708 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
2710 struct task_security_struct *tsec;
2711 struct ipc_security_struct *isec;
2712 struct avc_audit_data ad;
2714 tsec = current->security;
2715 isec = msq->q_perm.security;
2717 AVC_AUDIT_DATA_INIT(&ad, IPC);
2718 ad.u.ipc_id = msq->q_perm.key;
2720 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
2721 MSGQ__ASSOCIATE, &isec->avcr, &ad);
2724 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
2732 /* No specific object, just general system-wide information. */
2733 return task_has_system(current, SYSTEM__IPC_INFO);
2736 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
2739 perms = MSGQ__SETATTR;
2742 perms = MSGQ__DESTROY;
2748 err = ipc_has_perm(&msq->q_perm, SECCLASS_MSGQ, perms);
2752 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
2754 struct task_security_struct *tsec;
2755 struct ipc_security_struct *isec;
2756 struct msg_security_struct *msec;
2757 struct avc_audit_data ad;
2760 tsec = current->security;
2761 isec = msq->q_perm.security;
2762 msec = msg->security;
2765 * First time through, need to assign label to the message
2767 if (msec->sid == SECINITSID_UNLABELED) {
2769 * Compute new sid based on current process and
2770 * message queue this message will be stored in
2772 rc = security_transition_sid(tsec->sid,
2780 AVC_AUDIT_DATA_INIT(&ad, IPC);
2781 ad.u.ipc_id = msq->q_perm.key;
2783 /* Can this process write to the queue? */
2784 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
2785 MSGQ__WRITE, &isec->avcr, &ad);
2787 /* Can this process send the message */
2788 rc = avc_has_perm(tsec->sid, msec->sid,
2789 SECCLASS_MSG, MSG__SEND,
2792 /* Can the message be put in the queue? */
2793 rc = avc_has_perm(msec->sid, isec->sid,
2794 SECCLASS_MSGQ, MSGQ__ENQUEUE,
2800 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
2801 struct task_struct *target,
2802 long type, int mode)
2804 struct task_security_struct *tsec;
2805 struct ipc_security_struct *isec;
2806 struct msg_security_struct *msec;
2807 struct avc_audit_data ad;
2810 tsec = target->security;
2811 isec = msq->q_perm.security;
2812 msec = msg->security;
2814 AVC_AUDIT_DATA_INIT(&ad, IPC);
2815 ad.u.ipc_id = msq->q_perm.key;
2817 rc = avc_has_perm(tsec->sid, isec->sid,
2818 SECCLASS_MSGQ, MSGQ__READ,
2821 rc = avc_has_perm(tsec->sid, msec->sid,
2822 SECCLASS_MSG, MSG__RECEIVE,
2827 /* Shared Memory security operations */
2828 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
2830 struct task_security_struct *tsec;
2831 struct ipc_security_struct *isec;
2832 struct avc_audit_data ad;
2835 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
2839 tsec = current->security;
2840 isec = shp->shm_perm.security;
2842 AVC_AUDIT_DATA_INIT(&ad, IPC);
2843 ad.u.ipc_id = shp->shm_perm.key;
2845 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
2846 SHM__CREATE, &isec->avcr, &ad);
2848 ipc_free_security(&shp->shm_perm);
2854 static void selinux_shm_free_security(struct shmid_kernel *shp)
2856 ipc_free_security(&shp->shm_perm);
2859 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
2861 struct task_security_struct *tsec;
2862 struct ipc_security_struct *isec;
2863 struct avc_audit_data ad;
2865 tsec = current->security;
2866 isec = shp->shm_perm.security;
2868 AVC_AUDIT_DATA_INIT(&ad, IPC);
2869 ad.u.ipc_id = shp->shm_perm.key;
2871 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
2872 SHM__ASSOCIATE, &isec->avcr, &ad);
2875 /* Note, at this point, shp is locked down */
2876 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
2884 /* No specific object, just general system-wide information. */
2885 return task_has_system(current, SYSTEM__IPC_INFO);
2888 perms = SHM__GETATTR | SHM__ASSOCIATE;
2891 perms = SHM__SETATTR;
2898 perms = SHM__DESTROY;
2904 err = ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
2908 static int selinux_shm_shmat(struct shmid_kernel *shp,
2909 char *shmaddr, int shmflg)
2913 if (shmflg & SHM_RDONLY)
2916 perms = SHM__READ | SHM__WRITE;
2918 return ipc_has_perm(&shp->shm_perm, SECCLASS_SHM, perms);
2921 /* Semaphore security operations */
2922 static int selinux_sem_alloc_security(struct sem_array *sma)
2924 struct task_security_struct *tsec;
2925 struct ipc_security_struct *isec;
2926 struct avc_audit_data ad;
2929 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
2933 tsec = current->security;
2934 isec = sma->sem_perm.security;
2936 AVC_AUDIT_DATA_INIT(&ad, IPC);
2937 ad.u.ipc_id = sma->sem_perm.key;
2939 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
2940 SEM__CREATE, &isec->avcr, &ad);
2942 ipc_free_security(&sma->sem_perm);
2948 static void selinux_sem_free_security(struct sem_array *sma)
2950 ipc_free_security(&sma->sem_perm);
2953 static int selinux_sem_associate(struct sem_array *sma, int semflg)
2955 struct task_security_struct *tsec;
2956 struct ipc_security_struct *isec;
2957 struct avc_audit_data ad;
2959 tsec = current->security;
2960 isec = sma->sem_perm.security;
2962 AVC_AUDIT_DATA_INIT(&ad, IPC);
2963 ad.u.ipc_id = sma->sem_perm.key;
2965 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
2966 SEM__ASSOCIATE, &isec->avcr, &ad);
2969 /* Note, at this point, sma is locked down */
2970 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
2978 /* No specific object, just general system-wide information. */
2979 return task_has_system(current, SYSTEM__IPC_INFO);
2983 perms = SEM__GETATTR;
2994 perms = SEM__DESTROY;
2997 perms = SEM__SETATTR;
3001 perms = SEM__GETATTR | SEM__ASSOCIATE;
3007 err = ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
3011 static int selinux_sem_semop(struct sem_array *sma,
3012 struct sembuf *sops, unsigned nsops, int alter)
3017 perms = SEM__READ | SEM__WRITE;
3021 return ipc_has_perm(&sma->sem_perm, SECCLASS_SEM, perms);
3024 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
3026 struct ipc_security_struct *isec = ipcp->security;
3027 u16 sclass = SECCLASS_IPC;
3030 if (isec && isec->magic == SELINUX_MAGIC)
3031 sclass = isec->sclass;
3035 av |= IPC__UNIX_READ;
3037 av |= IPC__UNIX_WRITE;
3042 return ipc_has_perm(ipcp, sclass, av);
3045 /* module stacking operations */
3046 int selinux_register_security (const char *name, struct security_operations *ops)
3048 if (secondary_ops != original_ops) {
3049 printk(KERN_INFO "%s: There is already a secondary security "
3050 "module registered.\n", __FUNCTION__);
3054 secondary_ops = ops;
3056 printk(KERN_INFO "%s: Registering secondary module %s\n",
3063 int selinux_unregister_security (const char *name, struct security_operations *ops)
3065 if (ops != secondary_ops) {
3066 printk (KERN_INFO "%s: trying to unregister a security module "
3067 "that is not registered.\n", __FUNCTION__);
3071 secondary_ops = original_ops;
3076 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
3079 inode_doinit_with_dentry(inode, dentry);
3082 static int selinux_getprocattr(struct task_struct *p,
3083 char *name, void *value, size_t size)
3085 struct task_security_struct *tsec;
3092 error = task_has_perm(current, p, PROCESS__GETATTR);
3102 if (!strcmp(name, "current"))
3104 else if (!strcmp(name, "prev"))
3106 else if (!strcmp(name, "exec"))
3107 sid = tsec->exec_sid;
3108 else if (!strcmp(name, "fscreate"))
3109 sid = tsec->create_sid;
3116 error = security_sid_to_context(sid, &context, &len);
3123 memcpy(value, context, len);
3128 static int selinux_setprocattr(struct task_struct *p,
3129 char *name, void *value, size_t size)
3131 struct task_security_struct *tsec;
3135 if (current != p || !strcmp(name, "current")) {
3136 /* SELinux only allows a process to change its own
3137 security attributes, and it only allows the process
3138 current SID to change via exec. */
3143 * Basic control over ability to set these attributes at all.
3144 * current == p, but we'll pass them separately in case the
3145 * above restriction is ever removed.
3147 if (!strcmp(name, "exec"))
3148 error = task_has_perm(current, p, PROCESS__SETEXEC);
3149 else if (!strcmp(name, "fscreate"))
3150 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
3156 /* Obtain a SID for the context, if one was specified. */
3159 error = security_context_to_sid(value, size, &sid);
3164 /* Permission checking based on the specified context is
3165 performed during the actual operation (execve,
3166 open/mkdir/...), when we know the full context of the
3167 operation. See selinux_bprm_set_security for the execve
3168 checks and may_create for the file creation checks. The
3169 operation will then fail if the context is not permitted. */
3171 if (!strcmp(name, "exec"))
3172 tsec->exec_sid = sid;
3173 else if (!strcmp(name, "fscreate"))
3174 tsec->create_sid = sid;
3181 struct security_operations selinux_ops = {
3182 .ptrace = selinux_ptrace,
3183 .capget = selinux_capget,
3184 .capset_check = selinux_capset_check,
3185 .capset_set = selinux_capset_set,
3186 .sysctl = selinux_sysctl,
3187 .capable = selinux_capable,
3188 .quotactl = selinux_quotactl,
3189 .quota_on = selinux_quota_on,
3190 .syslog = selinux_syslog,
3191 .vm_enough_memory = selinux_vm_enough_memory,
3193 .netlink_send = selinux_netlink_send,
3194 .netlink_recv = selinux_netlink_recv,
3196 .bprm_alloc_security = selinux_bprm_alloc_security,
3197 .bprm_free_security = selinux_bprm_free_security,
3198 .bprm_compute_creds = selinux_bprm_compute_creds,
3199 .bprm_set_security = selinux_bprm_set_security,
3200 .bprm_check_security = selinux_bprm_check_security,
3201 .bprm_secureexec = selinux_bprm_secureexec,
3203 .sb_alloc_security = selinux_sb_alloc_security,
3204 .sb_free_security = selinux_sb_free_security,
3205 .sb_kern_mount = selinux_sb_kern_mount,
3206 .sb_statfs = selinux_sb_statfs,
3207 .sb_mount = selinux_mount,
3208 .sb_umount = selinux_umount,
3210 .inode_alloc_security = selinux_inode_alloc_security,
3211 .inode_free_security = selinux_inode_free_security,
3212 .inode_create = selinux_inode_create,
3213 .inode_post_create = selinux_inode_post_create,
3214 .inode_link = selinux_inode_link,
3215 .inode_post_link = selinux_inode_post_link,
3216 .inode_unlink = selinux_inode_unlink,
3217 .inode_symlink = selinux_inode_symlink,
3218 .inode_post_symlink = selinux_inode_post_symlink,
3219 .inode_mkdir = selinux_inode_mkdir,
3220 .inode_post_mkdir = selinux_inode_post_mkdir,
3221 .inode_rmdir = selinux_inode_rmdir,
3222 .inode_mknod = selinux_inode_mknod,
3223 .inode_post_mknod = selinux_inode_post_mknod,
3224 .inode_rename = selinux_inode_rename,
3225 .inode_post_rename = selinux_inode_post_rename,
3226 .inode_readlink = selinux_inode_readlink,
3227 .inode_follow_link = selinux_inode_follow_link,
3228 .inode_permission = selinux_inode_permission,
3229 .inode_setattr = selinux_inode_setattr,
3230 .inode_getattr = selinux_inode_getattr,
3231 .inode_setxattr = selinux_inode_setxattr,
3232 .inode_post_setxattr = selinux_inode_post_setxattr,
3233 .inode_getxattr = selinux_inode_getxattr,
3234 .inode_listxattr = selinux_inode_listxattr,
3235 .inode_removexattr = selinux_inode_removexattr,
3236 .inode_getsecurity = selinux_inode_getsecurity,
3237 .inode_setsecurity = selinux_inode_setsecurity,
3238 .inode_listsecurity = selinux_inode_listsecurity,
3240 .file_permission = selinux_file_permission,
3241 .file_alloc_security = selinux_file_alloc_security,
3242 .file_free_security = selinux_file_free_security,
3243 .file_ioctl = selinux_file_ioctl,
3244 .file_mmap = selinux_file_mmap,
3245 .file_mprotect = selinux_file_mprotect,
3246 .file_lock = selinux_file_lock,
3247 .file_fcntl = selinux_file_fcntl,
3248 .file_set_fowner = selinux_file_set_fowner,
3249 .file_send_sigiotask = selinux_file_send_sigiotask,
3250 .file_receive = selinux_file_receive,
3252 .task_create = selinux_task_create,
3253 .task_alloc_security = selinux_task_alloc_security,
3254 .task_free_security = selinux_task_free_security,
3255 .task_setuid = selinux_task_setuid,
3256 .task_post_setuid = selinux_task_post_setuid,
3257 .task_setgid = selinux_task_setgid,
3258 .task_setpgid = selinux_task_setpgid,
3259 .task_getpgid = selinux_task_getpgid,
3260 .task_getsid = selinux_task_getsid,
3261 .task_setgroups = selinux_task_setgroups,
3262 .task_setnice = selinux_task_setnice,
3263 .task_setrlimit = selinux_task_setrlimit,
3264 .task_setscheduler = selinux_task_setscheduler,
3265 .task_getscheduler = selinux_task_getscheduler,
3266 .task_kill = selinux_task_kill,
3267 .task_wait = selinux_task_wait,
3268 .task_prctl = selinux_task_prctl,
3269 .task_reparent_to_init = selinux_task_reparent_to_init,
3270 .task_to_inode = selinux_task_to_inode,
3272 .ipc_permission = selinux_ipc_permission,
3274 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
3275 .msg_msg_free_security = selinux_msg_msg_free_security,
3277 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
3278 .msg_queue_free_security = selinux_msg_queue_free_security,
3279 .msg_queue_associate = selinux_msg_queue_associate,
3280 .msg_queue_msgctl = selinux_msg_queue_msgctl,
3281 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
3282 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
3284 .shm_alloc_security = selinux_shm_alloc_security,
3285 .shm_free_security = selinux_shm_free_security,
3286 .shm_associate = selinux_shm_associate,
3287 .shm_shmctl = selinux_shm_shmctl,
3288 .shm_shmat = selinux_shm_shmat,
3290 .sem_alloc_security = selinux_sem_alloc_security,
3291 .sem_free_security = selinux_sem_free_security,
3292 .sem_associate = selinux_sem_associate,
3293 .sem_semctl = selinux_sem_semctl,
3294 .sem_semop = selinux_sem_semop,
3296 .register_security = selinux_register_security,
3297 .unregister_security = selinux_unregister_security,
3299 .d_instantiate = selinux_d_instantiate,
3301 .getprocattr = selinux_getprocattr,
3302 .setprocattr = selinux_setprocattr,
3304 #ifdef CONFIG_SECURITY_NETWORK
3305 .unix_stream_connect = selinux_socket_unix_stream_connect,
3306 .unix_may_send = selinux_socket_unix_may_send,
3308 .socket_create = selinux_socket_create,
3309 .socket_post_create = selinux_socket_post_create,
3310 .socket_bind = selinux_socket_bind,
3311 .socket_connect = selinux_socket_connect,
3312 .socket_listen = selinux_socket_listen,
3313 .socket_accept = selinux_socket_accept,
3314 .socket_sendmsg = selinux_socket_sendmsg,
3315 .socket_recvmsg = selinux_socket_recvmsg,
3316 .socket_getsockname = selinux_socket_getsockname,
3317 .socket_getpeername = selinux_socket_getpeername,
3318 .socket_getsockopt = selinux_socket_getsockopt,
3319 .socket_setsockopt = selinux_socket_setsockopt,
3320 .socket_shutdown = selinux_socket_shutdown,
3324 __init int selinux_init(void)
3326 struct task_security_struct *tsec;
3328 printk(KERN_INFO "SELinux: Initializing.\n");
3330 /* Set the security state for the initial task. */
3331 if (task_alloc_security(current))
3332 panic("SELinux: Failed to initialize initial task.\n");
3333 tsec = current->security;
3334 tsec->osid = tsec->sid = SECINITSID_KERNEL;
3338 original_ops = secondary_ops = security_ops;
3340 panic ("SELinux: No initial security operations\n");
3341 if (register_security (&selinux_ops))
3342 panic("SELinux: Unable to register with kernel.\n");
3344 if (selinux_enforcing) {
3345 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
3347 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
3352 void selinux_complete_init(void)
3354 printk(KERN_INFO "SELinux: Completing initialization.\n");
3356 /* Set up any superblocks initialized prior to the policy load. */
3357 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
3358 spin_lock(&sb_security_lock);
3360 if (!list_empty(&superblock_security_head)) {
3361 struct superblock_security_struct *sbsec =
3362 list_entry(superblock_security_head.next,
3363 struct superblock_security_struct,
3365 struct super_block *sb = sbsec->sb;
3366 spin_lock(&sb_lock);
3368 spin_unlock(&sb_lock);
3369 spin_unlock(&sb_security_lock);
3370 down_read(&sb->s_umount);
3372 superblock_doinit(sb);
3374 spin_lock(&sb_security_lock);
3375 list_del_init(&sbsec->list);
3378 spin_unlock(&sb_security_lock);
3380 /* Set up any inodes initialized prior to the policy load. */
3381 printk(KERN_INFO "SELinux: Setting up existing inodes.\n");
3382 spin_lock(&inode_security_lock);
3384 if (!list_empty(&inode_security_head)) {
3385 struct inode_security_struct *isec =
3386 list_entry(inode_security_head.next,
3387 struct inode_security_struct, list);
3388 struct inode *inode = isec->inode;
3389 spin_unlock(&inode_security_lock);
3390 inode = igrab(inode);
3392 inode_doinit(inode);
3395 spin_lock(&inode_security_lock);
3396 list_del_init(&isec->list);
3399 spin_unlock(&inode_security_lock);
3402 /* SELinux requires early initialization in order to label
3403 all processes and objects when they are created. */
3404 security_initcall(selinux_init);