2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
50 #include <net/ip.h> /* for sysctl_local_port_range[] */
51 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h> /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h> /* for Unix socket types */
63 #include <net/af_unix.h> /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
78 #define XATTR_SELINUX_SUFFIX "selinux"
79 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
81 extern unsigned int policydb_loaded_version;
82 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
84 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
85 int selinux_enforcing = 0;
87 static int __init enforcing_setup(char *str)
89 selinux_enforcing = simple_strtol(str,NULL,0);
92 __setup("enforcing=", enforcing_setup);
95 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
96 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
98 static int __init selinux_enabled_setup(char *str)
100 selinux_enabled = simple_strtol(str, NULL, 0);
103 __setup("selinux=", selinux_enabled_setup);
106 /* Original (dummy) security module. */
107 static struct security_operations *original_ops = NULL;
109 /* Minimal support for a secondary security module,
110 just to allow the use of the dummy or capability modules.
111 The owlsm module can alternatively be used as a secondary
112 module as long as CONFIG_OWLSM_FD is not enabled. */
113 static struct security_operations *secondary_ops = NULL;
115 /* Lists of inode and superblock security structures initialized
116 before the policy was loaded. */
117 static LIST_HEAD(superblock_security_head);
118 static DEFINE_SPINLOCK(sb_security_lock);
120 /* Allocate and free functions for each kind of security blob. */
122 static int task_alloc_security(struct task_struct *task)
124 struct task_security_struct *tsec;
126 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
131 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
132 task->security = tsec;
137 static void task_free_security(struct task_struct *task)
139 struct task_security_struct *tsec = task->security;
140 task->security = NULL;
144 static int inode_alloc_security(struct inode *inode)
146 struct task_security_struct *tsec = current->security;
147 struct inode_security_struct *isec;
149 isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
153 init_MUTEX(&isec->sem);
154 INIT_LIST_HEAD(&isec->list);
156 isec->sid = SECINITSID_UNLABELED;
157 isec->sclass = SECCLASS_FILE;
158 isec->task_sid = tsec->sid;
159 inode->i_security = isec;
164 static void inode_free_security(struct inode *inode)
166 struct inode_security_struct *isec = inode->i_security;
167 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
169 spin_lock(&sbsec->isec_lock);
170 if (!list_empty(&isec->list))
171 list_del_init(&isec->list);
172 spin_unlock(&sbsec->isec_lock);
174 inode->i_security = NULL;
178 static int file_alloc_security(struct file *file)
180 struct task_security_struct *tsec = current->security;
181 struct file_security_struct *fsec;
183 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
188 fsec->sid = tsec->sid;
189 fsec->fown_sid = tsec->sid;
190 file->f_security = fsec;
195 static void file_free_security(struct file *file)
197 struct file_security_struct *fsec = file->f_security;
198 file->f_security = NULL;
202 static int superblock_alloc_security(struct super_block *sb)
204 struct superblock_security_struct *sbsec;
206 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
210 init_MUTEX(&sbsec->sem);
211 INIT_LIST_HEAD(&sbsec->list);
212 INIT_LIST_HEAD(&sbsec->isec_head);
213 spin_lock_init(&sbsec->isec_lock);
215 sbsec->sid = SECINITSID_UNLABELED;
216 sbsec->def_sid = SECINITSID_FILE;
217 sb->s_security = sbsec;
222 static void superblock_free_security(struct super_block *sb)
224 struct superblock_security_struct *sbsec = sb->s_security;
226 spin_lock(&sb_security_lock);
227 if (!list_empty(&sbsec->list))
228 list_del_init(&sbsec->list);
229 spin_unlock(&sb_security_lock);
231 sb->s_security = NULL;
235 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
237 struct sk_security_struct *ssec;
239 if (family != PF_UNIX)
242 ssec = kzalloc(sizeof(*ssec), priority);
247 ssec->peer_sid = SECINITSID_UNLABELED;
248 sk->sk_security = ssec;
253 static void sk_free_security(struct sock *sk)
255 struct sk_security_struct *ssec = sk->sk_security;
257 if (sk->sk_family != PF_UNIX)
260 sk->sk_security = NULL;
264 /* The security server must be initialized before
265 any labeling or access decisions can be provided. */
266 extern int ss_initialized;
268 /* The file system's label must be initialized prior to use. */
270 static char *labeling_behaviors[6] = {
272 "uses transition SIDs",
274 "uses genfs_contexts",
275 "not configured for labeling",
276 "uses mountpoint labeling",
279 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
281 static inline int inode_doinit(struct inode *inode)
283 return inode_doinit_with_dentry(inode, NULL);
292 static match_table_t tokens = {
293 {Opt_context, "context=%s"},
294 {Opt_fscontext, "fscontext=%s"},
295 {Opt_defcontext, "defcontext=%s"},
298 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
300 static int try_context_mount(struct super_block *sb, void *data)
302 char *context = NULL, *defcontext = NULL;
305 int alloc = 0, rc = 0, seen = 0;
306 struct task_security_struct *tsec = current->security;
307 struct superblock_security_struct *sbsec = sb->s_security;
312 name = sb->s_type->name;
314 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
316 /* NFS we understand. */
317 if (!strcmp(name, "nfs")) {
318 struct nfs_mount_data *d = data;
320 if (d->version < NFS_MOUNT_VERSION)
324 context = d->context;
331 /* Standard string-based options. */
332 char *p, *options = data;
334 while ((p = strsep(&options, ",")) != NULL) {
336 substring_t args[MAX_OPT_ARGS];
341 token = match_token(p, tokens, args);
347 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
350 context = match_strdup(&args[0]);
361 if (seen & (Opt_context|Opt_fscontext)) {
363 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
366 context = match_strdup(&args[0]);
373 seen |= Opt_fscontext;
377 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
379 printk(KERN_WARNING "SELinux: "
380 "defcontext option is invalid "
381 "for this filesystem type\n");
384 if (seen & (Opt_context|Opt_defcontext)) {
386 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
389 defcontext = match_strdup(&args[0]);
396 seen |= Opt_defcontext;
401 printk(KERN_WARNING "SELinux: unknown mount "
413 rc = security_context_to_sid(context, strlen(context), &sid);
415 printk(KERN_WARNING "SELinux: security_context_to_sid"
416 "(%s) failed for (dev %s, type %s) errno=%d\n",
417 context, sb->s_id, name, rc);
421 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
422 FILESYSTEM__RELABELFROM, NULL);
426 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
427 FILESYSTEM__RELABELTO, NULL);
433 if (seen & Opt_context)
434 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
438 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
440 printk(KERN_WARNING "SELinux: security_context_to_sid"
441 "(%s) failed for (dev %s, type %s) errno=%d\n",
442 defcontext, sb->s_id, name, rc);
446 if (sid == sbsec->def_sid)
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL);
454 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__ASSOCIATE, NULL);
459 sbsec->def_sid = sid;
471 static int superblock_doinit(struct super_block *sb, void *data)
473 struct superblock_security_struct *sbsec = sb->s_security;
474 struct dentry *root = sb->s_root;
475 struct inode *inode = root->d_inode;
479 if (sbsec->initialized)
482 if (!ss_initialized) {
483 /* Defer initialization until selinux_complete_init,
484 after the initial policy is loaded and the security
485 server is ready to handle calls. */
486 spin_lock(&sb_security_lock);
487 if (list_empty(&sbsec->list))
488 list_add(&sbsec->list, &superblock_security_head);
489 spin_unlock(&sb_security_lock);
493 /* Determine the labeling behavior to use for this filesystem type. */
494 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
496 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
497 __FUNCTION__, sb->s_type->name, rc);
501 rc = try_context_mount(sb, data);
505 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
506 /* Make sure that the xattr handler exists and that no
507 error other than -ENODATA is returned by getxattr on
508 the root directory. -ENODATA is ok, as this may be
509 the first boot of the SELinux kernel before we have
510 assigned xattr values to the filesystem. */
511 if (!inode->i_op->getxattr) {
512 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
513 "xattr support\n", sb->s_id, sb->s_type->name);
517 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
518 if (rc < 0 && rc != -ENODATA) {
519 if (rc == -EOPNOTSUPP)
520 printk(KERN_WARNING "SELinux: (dev %s, type "
521 "%s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
524 printk(KERN_WARNING "SELinux: (dev %s, type "
525 "%s) getxattr errno %d\n", sb->s_id,
526 sb->s_type->name, -rc);
531 if (strcmp(sb->s_type->name, "proc") == 0)
534 sbsec->initialized = 1;
536 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
537 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
538 sb->s_id, sb->s_type->name);
541 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
542 sb->s_id, sb->s_type->name,
543 labeling_behaviors[sbsec->behavior-1]);
546 /* Initialize the root inode. */
547 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
549 /* Initialize any other inodes associated with the superblock, e.g.
550 inodes created prior to initial policy load or inodes created
551 during get_sb by a pseudo filesystem that directly
553 spin_lock(&sbsec->isec_lock);
555 if (!list_empty(&sbsec->isec_head)) {
556 struct inode_security_struct *isec =
557 list_entry(sbsec->isec_head.next,
558 struct inode_security_struct, list);
559 struct inode *inode = isec->inode;
560 spin_unlock(&sbsec->isec_lock);
561 inode = igrab(inode);
563 if (!IS_PRIVATE (inode))
567 spin_lock(&sbsec->isec_lock);
568 list_del_init(&isec->list);
571 spin_unlock(&sbsec->isec_lock);
577 static inline u16 inode_mode_to_security_class(umode_t mode)
579 switch (mode & S_IFMT) {
581 return SECCLASS_SOCK_FILE;
583 return SECCLASS_LNK_FILE;
585 return SECCLASS_FILE;
587 return SECCLASS_BLK_FILE;
591 return SECCLASS_CHR_FILE;
593 return SECCLASS_FIFO_FILE;
597 return SECCLASS_FILE;
600 static inline int default_protocol_stream(int protocol)
602 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
605 static inline int default_protocol_dgram(int protocol)
607 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
610 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
617 return SECCLASS_UNIX_STREAM_SOCKET;
619 return SECCLASS_UNIX_DGRAM_SOCKET;
626 if (default_protocol_stream(protocol))
627 return SECCLASS_TCP_SOCKET;
629 return SECCLASS_RAWIP_SOCKET;
631 if (default_protocol_dgram(protocol))
632 return SECCLASS_UDP_SOCKET;
634 return SECCLASS_RAWIP_SOCKET;
636 return SECCLASS_RAWIP_SOCKET;
642 return SECCLASS_NETLINK_ROUTE_SOCKET;
643 case NETLINK_FIREWALL:
644 return SECCLASS_NETLINK_FIREWALL_SOCKET;
645 case NETLINK_INET_DIAG:
646 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
648 return SECCLASS_NETLINK_NFLOG_SOCKET;
650 return SECCLASS_NETLINK_XFRM_SOCKET;
651 case NETLINK_SELINUX:
652 return SECCLASS_NETLINK_SELINUX_SOCKET;
654 return SECCLASS_NETLINK_AUDIT_SOCKET;
656 return SECCLASS_NETLINK_IP6FW_SOCKET;
657 case NETLINK_DNRTMSG:
658 return SECCLASS_NETLINK_DNRT_SOCKET;
659 case NETLINK_KOBJECT_UEVENT:
660 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
662 return SECCLASS_NETLINK_SOCKET;
665 return SECCLASS_PACKET_SOCKET;
667 return SECCLASS_KEY_SOCKET;
670 return SECCLASS_SOCKET;
673 #ifdef CONFIG_PROC_FS
674 static int selinux_proc_get_sid(struct proc_dir_entry *de,
679 char *buffer, *path, *end;
681 buffer = (char*)__get_free_page(GFP_KERNEL);
691 while (de && de != de->parent) {
692 buflen -= de->namelen + 1;
696 memcpy(end, de->name, de->namelen);
701 rc = security_genfs_sid("proc", path, tclass, sid);
702 free_page((unsigned long)buffer);
706 static int selinux_proc_get_sid(struct proc_dir_entry *de,
714 /* The inode's security attributes must be initialized before first use. */
715 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
717 struct superblock_security_struct *sbsec = NULL;
718 struct inode_security_struct *isec = inode->i_security;
720 struct dentry *dentry;
721 #define INITCONTEXTLEN 255
722 char *context = NULL;
727 if (isec->initialized)
732 if (isec->initialized)
735 sbsec = inode->i_sb->s_security;
736 if (!sbsec->initialized) {
737 /* Defer initialization until selinux_complete_init,
738 after the initial policy is loaded and the security
739 server is ready to handle calls. */
740 spin_lock(&sbsec->isec_lock);
741 if (list_empty(&isec->list))
742 list_add(&isec->list, &sbsec->isec_head);
743 spin_unlock(&sbsec->isec_lock);
747 switch (sbsec->behavior) {
748 case SECURITY_FS_USE_XATTR:
749 if (!inode->i_op->getxattr) {
750 isec->sid = sbsec->def_sid;
754 /* Need a dentry, since the xattr API requires one.
755 Life would be simpler if we could just pass the inode. */
757 /* Called from d_instantiate or d_splice_alias. */
758 dentry = dget(opt_dentry);
760 /* Called from selinux_complete_init, try to find a dentry. */
761 dentry = d_find_alias(inode);
764 printk(KERN_WARNING "%s: no dentry for dev=%s "
765 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
770 len = INITCONTEXTLEN;
771 context = kmalloc(len, GFP_KERNEL);
777 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
780 /* Need a larger buffer. Query for the right size. */
781 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
789 context = kmalloc(len, GFP_KERNEL);
795 rc = inode->i_op->getxattr(dentry,
801 if (rc != -ENODATA) {
802 printk(KERN_WARNING "%s: getxattr returned "
803 "%d for dev=%s ino=%ld\n", __FUNCTION__,
804 -rc, inode->i_sb->s_id, inode->i_ino);
808 /* Map ENODATA to the default file SID */
809 sid = sbsec->def_sid;
812 rc = security_context_to_sid_default(context, rc, &sid,
815 printk(KERN_WARNING "%s: context_to_sid(%s) "
816 "returned %d for dev=%s ino=%ld\n",
817 __FUNCTION__, context, -rc,
818 inode->i_sb->s_id, inode->i_ino);
820 /* Leave with the unlabeled SID */
828 case SECURITY_FS_USE_TASK:
829 isec->sid = isec->task_sid;
831 case SECURITY_FS_USE_TRANS:
832 /* Default to the fs SID. */
833 isec->sid = sbsec->sid;
835 /* Try to obtain a transition SID. */
836 isec->sclass = inode_mode_to_security_class(inode->i_mode);
837 rc = security_transition_sid(isec->task_sid,
846 /* Default to the fs SID. */
847 isec->sid = sbsec->sid;
850 struct proc_inode *proci = PROC_I(inode);
852 isec->sclass = inode_mode_to_security_class(inode->i_mode);
853 rc = selinux_proc_get_sid(proci->pde,
864 isec->initialized = 1;
867 if (isec->sclass == SECCLASS_FILE)
868 isec->sclass = inode_mode_to_security_class(inode->i_mode);
875 /* Convert a Linux signal to an access vector. */
876 static inline u32 signal_to_av(int sig)
882 /* Commonly granted from child to parent. */
883 perm = PROCESS__SIGCHLD;
886 /* Cannot be caught or ignored */
887 perm = PROCESS__SIGKILL;
890 /* Cannot be caught or ignored */
891 perm = PROCESS__SIGSTOP;
894 /* All other signals. */
895 perm = PROCESS__SIGNAL;
902 /* Check permission betweeen a pair of tasks, e.g. signal checks,
903 fork check, ptrace check, etc. */
904 static int task_has_perm(struct task_struct *tsk1,
905 struct task_struct *tsk2,
908 struct task_security_struct *tsec1, *tsec2;
910 tsec1 = tsk1->security;
911 tsec2 = tsk2->security;
912 return avc_has_perm(tsec1->sid, tsec2->sid,
913 SECCLASS_PROCESS, perms, NULL);
916 /* Check whether a task is allowed to use a capability. */
917 static int task_has_capability(struct task_struct *tsk,
920 struct task_security_struct *tsec;
921 struct avc_audit_data ad;
923 tsec = tsk->security;
925 AVC_AUDIT_DATA_INIT(&ad,CAP);
929 return avc_has_perm(tsec->sid, tsec->sid,
930 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
933 /* Check whether a task is allowed to use a system operation. */
934 static int task_has_system(struct task_struct *tsk,
937 struct task_security_struct *tsec;
939 tsec = tsk->security;
941 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
942 SECCLASS_SYSTEM, perms, NULL);
945 /* Check whether a task has a particular permission to an inode.
946 The 'adp' parameter is optional and allows other audit
947 data to be passed (e.g. the dentry). */
948 static int inode_has_perm(struct task_struct *tsk,
951 struct avc_audit_data *adp)
953 struct task_security_struct *tsec;
954 struct inode_security_struct *isec;
955 struct avc_audit_data ad;
957 tsec = tsk->security;
958 isec = inode->i_security;
962 AVC_AUDIT_DATA_INIT(&ad, FS);
963 ad.u.fs.inode = inode;
966 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
969 /* Same as inode_has_perm, but pass explicit audit data containing
970 the dentry to help the auditing code to more easily generate the
971 pathname if needed. */
972 static inline int dentry_has_perm(struct task_struct *tsk,
973 struct vfsmount *mnt,
974 struct dentry *dentry,
977 struct inode *inode = dentry->d_inode;
978 struct avc_audit_data ad;
979 AVC_AUDIT_DATA_INIT(&ad,FS);
981 ad.u.fs.dentry = dentry;
982 return inode_has_perm(tsk, inode, av, &ad);
985 /* Check whether a task can use an open file descriptor to
986 access an inode in a given way. Check access to the
987 descriptor itself, and then use dentry_has_perm to
988 check a particular permission to the file.
989 Access to the descriptor is implicitly granted if it
990 has the same SID as the process. If av is zero, then
991 access to the file is not checked, e.g. for cases
992 where only the descriptor is affected like seek. */
993 static int file_has_perm(struct task_struct *tsk,
997 struct task_security_struct *tsec = tsk->security;
998 struct file_security_struct *fsec = file->f_security;
999 struct vfsmount *mnt = file->f_vfsmnt;
1000 struct dentry *dentry = file->f_dentry;
1001 struct inode *inode = dentry->d_inode;
1002 struct avc_audit_data ad;
1005 AVC_AUDIT_DATA_INIT(&ad, FS);
1007 ad.u.fs.dentry = dentry;
1009 if (tsec->sid != fsec->sid) {
1010 rc = avc_has_perm(tsec->sid, fsec->sid,
1018 /* av is zero if only checking access to the descriptor. */
1020 return inode_has_perm(tsk, inode, av, &ad);
1025 /* Check whether a task can create a file. */
1026 static int may_create(struct inode *dir,
1027 struct dentry *dentry,
1030 struct task_security_struct *tsec;
1031 struct inode_security_struct *dsec;
1032 struct superblock_security_struct *sbsec;
1034 struct avc_audit_data ad;
1037 tsec = current->security;
1038 dsec = dir->i_security;
1039 sbsec = dir->i_sb->s_security;
1041 AVC_AUDIT_DATA_INIT(&ad, FS);
1042 ad.u.fs.dentry = dentry;
1044 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1045 DIR__ADD_NAME | DIR__SEARCH,
1050 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1051 newsid = tsec->create_sid;
1053 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1059 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1063 return avc_has_perm(newsid, sbsec->sid,
1064 SECCLASS_FILESYSTEM,
1065 FILESYSTEM__ASSOCIATE, &ad);
1069 #define MAY_UNLINK 1
1072 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1073 static int may_link(struct inode *dir,
1074 struct dentry *dentry,
1078 struct task_security_struct *tsec;
1079 struct inode_security_struct *dsec, *isec;
1080 struct avc_audit_data ad;
1084 tsec = current->security;
1085 dsec = dir->i_security;
1086 isec = dentry->d_inode->i_security;
1088 AVC_AUDIT_DATA_INIT(&ad, FS);
1089 ad.u.fs.dentry = dentry;
1092 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1093 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1108 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1112 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1116 static inline int may_rename(struct inode *old_dir,
1117 struct dentry *old_dentry,
1118 struct inode *new_dir,
1119 struct dentry *new_dentry)
1121 struct task_security_struct *tsec;
1122 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1123 struct avc_audit_data ad;
1125 int old_is_dir, new_is_dir;
1128 tsec = current->security;
1129 old_dsec = old_dir->i_security;
1130 old_isec = old_dentry->d_inode->i_security;
1131 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1132 new_dsec = new_dir->i_security;
1134 AVC_AUDIT_DATA_INIT(&ad, FS);
1136 ad.u.fs.dentry = old_dentry;
1137 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1138 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1141 rc = avc_has_perm(tsec->sid, old_isec->sid,
1142 old_isec->sclass, FILE__RENAME, &ad);
1145 if (old_is_dir && new_dir != old_dir) {
1146 rc = avc_has_perm(tsec->sid, old_isec->sid,
1147 old_isec->sclass, DIR__REPARENT, &ad);
1152 ad.u.fs.dentry = new_dentry;
1153 av = DIR__ADD_NAME | DIR__SEARCH;
1154 if (new_dentry->d_inode)
1155 av |= DIR__REMOVE_NAME;
1156 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1159 if (new_dentry->d_inode) {
1160 new_isec = new_dentry->d_inode->i_security;
1161 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1162 rc = avc_has_perm(tsec->sid, new_isec->sid,
1164 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1172 /* Check whether a task can perform a filesystem operation. */
1173 static int superblock_has_perm(struct task_struct *tsk,
1174 struct super_block *sb,
1176 struct avc_audit_data *ad)
1178 struct task_security_struct *tsec;
1179 struct superblock_security_struct *sbsec;
1181 tsec = tsk->security;
1182 sbsec = sb->s_security;
1183 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1187 /* Convert a Linux mode and permission mask to an access vector. */
1188 static inline u32 file_mask_to_av(int mode, int mask)
1192 if ((mode & S_IFMT) != S_IFDIR) {
1193 if (mask & MAY_EXEC)
1194 av |= FILE__EXECUTE;
1195 if (mask & MAY_READ)
1198 if (mask & MAY_APPEND)
1200 else if (mask & MAY_WRITE)
1204 if (mask & MAY_EXEC)
1206 if (mask & MAY_WRITE)
1208 if (mask & MAY_READ)
1215 /* Convert a Linux file to an access vector. */
1216 static inline u32 file_to_av(struct file *file)
1220 if (file->f_mode & FMODE_READ)
1222 if (file->f_mode & FMODE_WRITE) {
1223 if (file->f_flags & O_APPEND)
1232 /* Set an inode's SID to a specified value. */
1233 static int inode_security_set_sid(struct inode *inode, u32 sid)
1235 struct inode_security_struct *isec = inode->i_security;
1236 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1238 if (!sbsec->initialized) {
1239 /* Defer initialization to selinux_complete_init. */
1244 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1246 isec->initialized = 1;
1251 /* Hook functions begin here. */
1253 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1255 struct task_security_struct *psec = parent->security;
1256 struct task_security_struct *csec = child->security;
1259 rc = secondary_ops->ptrace(parent,child);
1263 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1264 /* Save the SID of the tracing process for later use in apply_creds. */
1265 if (!(child->ptrace & PT_PTRACED) && !rc)
1266 csec->ptrace_sid = psec->sid;
1270 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1271 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1275 error = task_has_perm(current, target, PROCESS__GETCAP);
1279 return secondary_ops->capget(target, effective, inheritable, permitted);
1282 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1283 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1287 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1291 return task_has_perm(current, target, PROCESS__SETCAP);
1294 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1295 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1297 secondary_ops->capset_set(target, effective, inheritable, permitted);
1300 static int selinux_capable(struct task_struct *tsk, int cap)
1304 rc = secondary_ops->capable(tsk, cap);
1308 return task_has_capability(tsk,cap);
1311 static int selinux_sysctl(ctl_table *table, int op)
1315 struct task_security_struct *tsec;
1319 rc = secondary_ops->sysctl(table, op);
1323 tsec = current->security;
1325 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1326 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1328 /* Default to the well-defined sysctl SID. */
1329 tsid = SECINITSID_SYSCTL;
1332 /* The op values are "defined" in sysctl.c, thereby creating
1333 * a bad coupling between this module and sysctl.c */
1335 error = avc_has_perm(tsec->sid, tsid,
1336 SECCLASS_DIR, DIR__SEARCH, NULL);
1344 error = avc_has_perm(tsec->sid, tsid,
1345 SECCLASS_FILE, av, NULL);
1351 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1364 rc = superblock_has_perm(current,
1366 FILESYSTEM__QUOTAMOD, NULL);
1371 rc = superblock_has_perm(current,
1373 FILESYSTEM__QUOTAGET, NULL);
1376 rc = 0; /* let the kernel handle invalid cmds */
1382 static int selinux_quota_on(struct dentry *dentry)
1384 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1387 static int selinux_syslog(int type)
1391 rc = secondary_ops->syslog(type);
1396 case 3: /* Read last kernel messages */
1397 case 10: /* Return size of the log buffer */
1398 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1400 case 6: /* Disable logging to console */
1401 case 7: /* Enable logging to console */
1402 case 8: /* Set level of messages printed to console */
1403 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1405 case 0: /* Close log */
1406 case 1: /* Open log */
1407 case 2: /* Read from log */
1408 case 4: /* Read/clear last kernel messages */
1409 case 5: /* Clear ring buffer */
1411 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1418 * Check that a process has enough memory to allocate a new virtual
1419 * mapping. 0 means there is enough memory for the allocation to
1420 * succeed and -ENOMEM implies there is not.
1422 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1423 * if the capability is granted, but __vm_enough_memory requires 1 if
1424 * the capability is granted.
1426 * Do not audit the selinux permission check, as this is applied to all
1427 * processes that allocate mappings.
1429 static int selinux_vm_enough_memory(long pages)
1431 int rc, cap_sys_admin = 0;
1432 struct task_security_struct *tsec = current->security;
1434 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1436 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1437 SECCLASS_CAPABILITY,
1438 CAP_TO_MASK(CAP_SYS_ADMIN),
1444 return __vm_enough_memory(pages, cap_sys_admin);
1447 /* binprm security operations */
1449 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1451 struct bprm_security_struct *bsec;
1453 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1458 bsec->sid = SECINITSID_UNLABELED;
1461 bprm->security = bsec;
1465 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1467 struct task_security_struct *tsec;
1468 struct inode *inode = bprm->file->f_dentry->d_inode;
1469 struct inode_security_struct *isec;
1470 struct bprm_security_struct *bsec;
1472 struct avc_audit_data ad;
1475 rc = secondary_ops->bprm_set_security(bprm);
1479 bsec = bprm->security;
1484 tsec = current->security;
1485 isec = inode->i_security;
1487 /* Default to the current task SID. */
1488 bsec->sid = tsec->sid;
1490 /* Reset create SID on execve. */
1491 tsec->create_sid = 0;
1493 if (tsec->exec_sid) {
1494 newsid = tsec->exec_sid;
1495 /* Reset exec SID on execve. */
1498 /* Check for a default transition on this program. */
1499 rc = security_transition_sid(tsec->sid, isec->sid,
1500 SECCLASS_PROCESS, &newsid);
1505 AVC_AUDIT_DATA_INIT(&ad, FS);
1506 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1507 ad.u.fs.dentry = bprm->file->f_dentry;
1509 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1512 if (tsec->sid == newsid) {
1513 rc = avc_has_perm(tsec->sid, isec->sid,
1514 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1518 /* Check permissions for the transition. */
1519 rc = avc_has_perm(tsec->sid, newsid,
1520 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1524 rc = avc_has_perm(newsid, isec->sid,
1525 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1529 /* Clear any possibly unsafe personality bits on exec: */
1530 current->personality &= ~PER_CLEAR_ON_SETID;
1532 /* Set the security field to the new SID. */
1540 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1542 return secondary_ops->bprm_check_security(bprm);
1546 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1548 struct task_security_struct *tsec = current->security;
1551 if (tsec->osid != tsec->sid) {
1552 /* Enable secure mode for SIDs transitions unless
1553 the noatsecure permission is granted between
1554 the two SIDs, i.e. ahp returns 0. */
1555 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1557 PROCESS__NOATSECURE, NULL);
1560 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1563 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1565 kfree(bprm->security);
1566 bprm->security = NULL;
1569 extern struct vfsmount *selinuxfs_mount;
1570 extern struct dentry *selinux_null;
1572 /* Derived from fs/exec.c:flush_old_files. */
1573 static inline void flush_unauthorized_files(struct files_struct * files)
1575 struct avc_audit_data ad;
1576 struct file *file, *devnull = NULL;
1577 struct tty_struct *tty = current->signal->tty;
1578 struct fdtable *fdt;
1583 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
1585 /* Revalidate access to controlling tty.
1586 Use inode_has_perm on the tty inode directly rather
1587 than using file_has_perm, as this particular open
1588 file may belong to another process and we are only
1589 interested in the inode-based check here. */
1590 struct inode *inode = file->f_dentry->d_inode;
1591 if (inode_has_perm(current, inode,
1592 FILE__READ | FILE__WRITE, NULL)) {
1593 /* Reset controlling tty. */
1594 current->signal->tty = NULL;
1595 current->signal->tty_old_pgrp = 0;
1601 /* Revalidate access to inherited open files. */
1603 AVC_AUDIT_DATA_INIT(&ad,FS);
1605 spin_lock(&files->file_lock);
1607 unsigned long set, i;
1612 fdt = files_fdtable(files);
1613 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1615 set = fdt->open_fds->fds_bits[j];
1618 spin_unlock(&files->file_lock);
1619 for ( ; set ; i++,set >>= 1) {
1624 if (file_has_perm(current,
1626 file_to_av(file))) {
1628 fd = get_unused_fd();
1638 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1645 fd_install(fd, devnull);
1650 spin_lock(&files->file_lock);
1653 spin_unlock(&files->file_lock);
1656 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1658 struct task_security_struct *tsec;
1659 struct bprm_security_struct *bsec;
1663 secondary_ops->bprm_apply_creds(bprm, unsafe);
1665 tsec = current->security;
1667 bsec = bprm->security;
1670 tsec->osid = tsec->sid;
1672 if (tsec->sid != sid) {
1673 /* Check for shared state. If not ok, leave SID
1674 unchanged and kill. */
1675 if (unsafe & LSM_UNSAFE_SHARE) {
1676 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1677 PROCESS__SHARE, NULL);
1684 /* Check for ptracing, and update the task SID if ok.
1685 Otherwise, leave SID unchanged and kill. */
1686 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1687 rc = avc_has_perm(tsec->ptrace_sid, sid,
1688 SECCLASS_PROCESS, PROCESS__PTRACE,
1700 * called after apply_creds without the task lock held
1702 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1704 struct task_security_struct *tsec;
1705 struct rlimit *rlim, *initrlim;
1706 struct itimerval itimer;
1707 struct bprm_security_struct *bsec;
1710 tsec = current->security;
1711 bsec = bprm->security;
1714 force_sig_specific(SIGKILL, current);
1717 if (tsec->osid == tsec->sid)
1720 /* Close files for which the new task SID is not authorized. */
1721 flush_unauthorized_files(current->files);
1723 /* Check whether the new SID can inherit signal state
1724 from the old SID. If not, clear itimers to avoid
1725 subsequent signal generation and flush and unblock
1726 signals. This must occur _after_ the task SID has
1727 been updated so that any kill done after the flush
1728 will be checked against the new SID. */
1729 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1730 PROCESS__SIGINH, NULL);
1732 memset(&itimer, 0, sizeof itimer);
1733 for (i = 0; i < 3; i++)
1734 do_setitimer(i, &itimer, NULL);
1735 flush_signals(current);
1736 spin_lock_irq(¤t->sighand->siglock);
1737 flush_signal_handlers(current, 1);
1738 sigemptyset(¤t->blocked);
1739 recalc_sigpending();
1740 spin_unlock_irq(¤t->sighand->siglock);
1743 /* Check whether the new SID can inherit resource limits
1744 from the old SID. If not, reset all soft limits to
1745 the lower of the current task's hard limit and the init
1746 task's soft limit. Note that the setting of hard limits
1747 (even to lower them) can be controlled by the setrlimit
1748 check. The inclusion of the init task's soft limit into
1749 the computation is to avoid resetting soft limits higher
1750 than the default soft limit for cases where the default
1751 is lower than the hard limit, e.g. RLIMIT_CORE or
1753 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1754 PROCESS__RLIMITINH, NULL);
1756 for (i = 0; i < RLIM_NLIMITS; i++) {
1757 rlim = current->signal->rlim + i;
1758 initrlim = init_task.signal->rlim+i;
1759 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1761 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1763 * This will cause RLIMIT_CPU calculations
1766 current->it_prof_expires = jiffies_to_cputime(1);
1770 /* Wake up the parent if it is waiting so that it can
1771 recheck wait permission to the new task SID. */
1772 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
1775 /* superblock security operations */
1777 static int selinux_sb_alloc_security(struct super_block *sb)
1779 return superblock_alloc_security(sb);
1782 static void selinux_sb_free_security(struct super_block *sb)
1784 superblock_free_security(sb);
1787 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1792 return !memcmp(prefix, option, plen);
1795 static inline int selinux_option(char *option, int len)
1797 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1798 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1799 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1802 static inline void take_option(char **to, char *from, int *first, int len)
1810 memcpy(*to, from, len);
1814 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1816 int fnosec, fsec, rc = 0;
1817 char *in_save, *in_curr, *in_end;
1818 char *sec_curr, *nosec_save, *nosec;
1823 /* Binary mount data: just copy */
1824 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1825 copy_page(sec_curr, in_curr);
1829 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1837 in_save = in_end = orig;
1840 if (*in_end == ',' || *in_end == '\0') {
1841 int len = in_end - in_curr;
1843 if (selinux_option(in_curr, len))
1844 take_option(&sec_curr, in_curr, &fsec, len);
1846 take_option(&nosec, in_curr, &fnosec, len);
1848 in_curr = in_end + 1;
1850 } while (*in_end++);
1852 strcpy(in_save, nosec_save);
1853 free_page((unsigned long)nosec_save);
1858 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1860 struct avc_audit_data ad;
1863 rc = superblock_doinit(sb, data);
1867 AVC_AUDIT_DATA_INIT(&ad,FS);
1868 ad.u.fs.dentry = sb->s_root;
1869 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1872 static int selinux_sb_statfs(struct super_block *sb)
1874 struct avc_audit_data ad;
1876 AVC_AUDIT_DATA_INIT(&ad,FS);
1877 ad.u.fs.dentry = sb->s_root;
1878 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1881 static int selinux_mount(char * dev_name,
1882 struct nameidata *nd,
1884 unsigned long flags,
1889 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1893 if (flags & MS_REMOUNT)
1894 return superblock_has_perm(current, nd->mnt->mnt_sb,
1895 FILESYSTEM__REMOUNT, NULL);
1897 return dentry_has_perm(current, nd->mnt, nd->dentry,
1901 static int selinux_umount(struct vfsmount *mnt, int flags)
1905 rc = secondary_ops->sb_umount(mnt, flags);
1909 return superblock_has_perm(current,mnt->mnt_sb,
1910 FILESYSTEM__UNMOUNT,NULL);
1913 /* inode security operations */
1915 static int selinux_inode_alloc_security(struct inode *inode)
1917 return inode_alloc_security(inode);
1920 static void selinux_inode_free_security(struct inode *inode)
1922 inode_free_security(inode);
1925 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1926 char **name, void **value,
1929 struct task_security_struct *tsec;
1930 struct inode_security_struct *dsec;
1931 struct superblock_security_struct *sbsec;
1934 char *namep = NULL, *context;
1936 tsec = current->security;
1937 dsec = dir->i_security;
1938 sbsec = dir->i_sb->s_security;
1940 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1941 newsid = tsec->create_sid;
1943 rc = security_transition_sid(tsec->sid, dsec->sid,
1944 inode_mode_to_security_class(inode->i_mode),
1947 printk(KERN_WARNING "%s: "
1948 "security_transition_sid failed, rc=%d (dev=%s "
1951 -rc, inode->i_sb->s_id, inode->i_ino);
1956 inode_security_set_sid(inode, newsid);
1958 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
1962 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
1969 rc = security_sid_to_context(newsid, &context, &clen);
1981 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
1983 return may_create(dir, dentry, SECCLASS_FILE);
1986 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
1990 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
1993 return may_link(dir, old_dentry, MAY_LINK);
1996 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2000 rc = secondary_ops->inode_unlink(dir, dentry);
2003 return may_link(dir, dentry, MAY_UNLINK);
2006 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2008 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2011 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2013 return may_create(dir, dentry, SECCLASS_DIR);
2016 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2018 return may_link(dir, dentry, MAY_RMDIR);
2021 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2025 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2029 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2032 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2033 struct inode *new_inode, struct dentry *new_dentry)
2035 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2038 static int selinux_inode_readlink(struct dentry *dentry)
2040 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2043 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2047 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2050 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2053 static int selinux_inode_permission(struct inode *inode, int mask,
2054 struct nameidata *nd)
2058 rc = secondary_ops->inode_permission(inode, mask, nd);
2063 /* No permission to check. Existence test. */
2067 return inode_has_perm(current, inode,
2068 file_mask_to_av(inode->i_mode, mask), NULL);
2071 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2075 rc = secondary_ops->inode_setattr(dentry, iattr);
2079 if (iattr->ia_valid & ATTR_FORCE)
2082 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2083 ATTR_ATIME_SET | ATTR_MTIME_SET))
2084 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2086 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2089 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2091 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2094 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2096 struct task_security_struct *tsec = current->security;
2097 struct inode *inode = dentry->d_inode;
2098 struct inode_security_struct *isec = inode->i_security;
2099 struct superblock_security_struct *sbsec;
2100 struct avc_audit_data ad;
2104 if (strcmp(name, XATTR_NAME_SELINUX)) {
2105 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2106 sizeof XATTR_SECURITY_PREFIX - 1) &&
2107 !capable(CAP_SYS_ADMIN)) {
2108 /* A different attribute in the security namespace.
2109 Restrict to administrator. */
2113 /* Not an attribute we recognize, so just check the
2114 ordinary setattr permission. */
2115 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2118 sbsec = inode->i_sb->s_security;
2119 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2122 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2125 AVC_AUDIT_DATA_INIT(&ad,FS);
2126 ad.u.fs.dentry = dentry;
2128 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2129 FILE__RELABELFROM, &ad);
2133 rc = security_context_to_sid(value, size, &newsid);
2137 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2138 FILE__RELABELTO, &ad);
2142 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2147 return avc_has_perm(newsid,
2149 SECCLASS_FILESYSTEM,
2150 FILESYSTEM__ASSOCIATE,
2154 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2155 void *value, size_t size, int flags)
2157 struct inode *inode = dentry->d_inode;
2158 struct inode_security_struct *isec = inode->i_security;
2162 if (strcmp(name, XATTR_NAME_SELINUX)) {
2163 /* Not an attribute we recognize, so nothing to do. */
2167 rc = security_context_to_sid(value, size, &newsid);
2169 printk(KERN_WARNING "%s: unable to obtain SID for context "
2170 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2178 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2180 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2183 static int selinux_inode_listxattr (struct dentry *dentry)
2185 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2188 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2190 if (strcmp(name, XATTR_NAME_SELINUX)) {
2191 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2192 sizeof XATTR_SECURITY_PREFIX - 1) &&
2193 !capable(CAP_SYS_ADMIN)) {
2194 /* A different attribute in the security namespace.
2195 Restrict to administrator. */
2199 /* Not an attribute we recognize, so just check the
2200 ordinary setattr permission. Might want a separate
2201 permission for removexattr. */
2202 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2205 /* No one is allowed to remove a SELinux security label.
2206 You can change the label, but all data must be labeled. */
2211 * Copy the in-core inode security context value to the user. If the
2212 * getxattr() prior to this succeeded, check to see if we need to
2213 * canonicalize the value to be finally returned to the user.
2215 * Permission check is handled by selinux_inode_getxattr hook.
2217 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
2219 struct inode_security_struct *isec = inode->i_security;
2224 if (strcmp(name, XATTR_SELINUX_SUFFIX)) {
2229 rc = security_sid_to_context(isec->sid, &context, &len);
2233 /* Probe for required buffer size */
2234 if (!buffer || !size) {
2245 if ((len == err) && !(memcmp(context, buffer, len))) {
2246 /* Don't need to canonicalize value */
2250 memset(buffer, 0, size);
2252 memcpy(buffer, context, len);
2260 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2261 const void *value, size_t size, int flags)
2263 struct inode_security_struct *isec = inode->i_security;
2267 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2270 if (!value || !size)
2273 rc = security_context_to_sid((void*)value, size, &newsid);
2281 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2283 const int len = sizeof(XATTR_NAME_SELINUX);
2284 if (buffer && len <= buffer_size)
2285 memcpy(buffer, XATTR_NAME_SELINUX, len);
2289 /* file security operations */
2291 static int selinux_file_permission(struct file *file, int mask)
2293 struct inode *inode = file->f_dentry->d_inode;
2296 /* No permission to check. Existence test. */
2300 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2301 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2304 return file_has_perm(current, file,
2305 file_mask_to_av(inode->i_mode, mask));
2308 static int selinux_file_alloc_security(struct file *file)
2310 return file_alloc_security(file);
2313 static void selinux_file_free_security(struct file *file)
2315 file_free_security(file);
2318 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2330 case EXT2_IOC_GETFLAGS:
2332 case EXT2_IOC_GETVERSION:
2333 error = file_has_perm(current, file, FILE__GETATTR);
2336 case EXT2_IOC_SETFLAGS:
2338 case EXT2_IOC_SETVERSION:
2339 error = file_has_perm(current, file, FILE__SETATTR);
2342 /* sys_ioctl() checks */
2346 error = file_has_perm(current, file, 0);
2351 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2354 /* default case assumes that the command will go
2355 * to the file's ioctl() function.
2358 error = file_has_perm(current, file, FILE__IOCTL);
2364 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2366 #ifndef CONFIG_PPC32
2367 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2369 * We are making executable an anonymous mapping or a
2370 * private file mapping that will also be writable.
2371 * This has an additional check.
2373 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2380 /* read access is always possible with a mapping */
2381 u32 av = FILE__READ;
2383 /* write access only matters if the mapping is shared */
2384 if (shared && (prot & PROT_WRITE))
2387 if (prot & PROT_EXEC)
2388 av |= FILE__EXECUTE;
2390 return file_has_perm(current, file, av);
2395 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2396 unsigned long prot, unsigned long flags)
2400 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2404 if (selinux_checkreqprot)
2407 return file_map_prot_check(file, prot,
2408 (flags & MAP_TYPE) == MAP_SHARED);
2411 static int selinux_file_mprotect(struct vm_area_struct *vma,
2412 unsigned long reqprot,
2417 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2421 if (selinux_checkreqprot)
2424 #ifndef CONFIG_PPC32
2425 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2427 if (vma->vm_start >= vma->vm_mm->start_brk &&
2428 vma->vm_end <= vma->vm_mm->brk) {
2429 rc = task_has_perm(current, current,
2431 } else if (!vma->vm_file &&
2432 vma->vm_start <= vma->vm_mm->start_stack &&
2433 vma->vm_end >= vma->vm_mm->start_stack) {
2434 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2435 } else if (vma->vm_file && vma->anon_vma) {
2437 * We are making executable a file mapping that has
2438 * had some COW done. Since pages might have been
2439 * written, check ability to execute the possibly
2440 * modified content. This typically should only
2441 * occur for text relocations.
2443 rc = file_has_perm(current, vma->vm_file,
2451 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2454 static int selinux_file_lock(struct file *file, unsigned int cmd)
2456 return file_has_perm(current, file, FILE__LOCK);
2459 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2466 if (!file->f_dentry || !file->f_dentry->d_inode) {
2471 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2472 err = file_has_perm(current, file,FILE__WRITE);
2481 /* Just check FD__USE permission */
2482 err = file_has_perm(current, file, 0);
2487 #if BITS_PER_LONG == 32
2492 if (!file->f_dentry || !file->f_dentry->d_inode) {
2496 err = file_has_perm(current, file, FILE__LOCK);
2503 static int selinux_file_set_fowner(struct file *file)
2505 struct task_security_struct *tsec;
2506 struct file_security_struct *fsec;
2508 tsec = current->security;
2509 fsec = file->f_security;
2510 fsec->fown_sid = tsec->sid;
2515 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2516 struct fown_struct *fown, int signum)
2520 struct task_security_struct *tsec;
2521 struct file_security_struct *fsec;
2523 /* struct fown_struct is never outside the context of a struct file */
2524 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2526 tsec = tsk->security;
2527 fsec = file->f_security;
2530 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2532 perm = signal_to_av(signum);
2534 return avc_has_perm(fsec->fown_sid, tsec->sid,
2535 SECCLASS_PROCESS, perm, NULL);
2538 static int selinux_file_receive(struct file *file)
2540 return file_has_perm(current, file, file_to_av(file));
2543 /* task security operations */
2545 static int selinux_task_create(unsigned long clone_flags)
2549 rc = secondary_ops->task_create(clone_flags);
2553 return task_has_perm(current, current, PROCESS__FORK);
2556 static int selinux_task_alloc_security(struct task_struct *tsk)
2558 struct task_security_struct *tsec1, *tsec2;
2561 tsec1 = current->security;
2563 rc = task_alloc_security(tsk);
2566 tsec2 = tsk->security;
2568 tsec2->osid = tsec1->osid;
2569 tsec2->sid = tsec1->sid;
2571 /* Retain the exec and create SIDs across fork */
2572 tsec2->exec_sid = tsec1->exec_sid;
2573 tsec2->create_sid = tsec1->create_sid;
2575 /* Retain ptracer SID across fork, if any.
2576 This will be reset by the ptrace hook upon any
2577 subsequent ptrace_attach operations. */
2578 tsec2->ptrace_sid = tsec1->ptrace_sid;
2583 static void selinux_task_free_security(struct task_struct *tsk)
2585 task_free_security(tsk);
2588 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2590 /* Since setuid only affects the current process, and
2591 since the SELinux controls are not based on the Linux
2592 identity attributes, SELinux does not need to control
2593 this operation. However, SELinux does control the use
2594 of the CAP_SETUID and CAP_SETGID capabilities using the
2599 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2601 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2604 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2606 /* See the comment for setuid above. */
2610 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2612 return task_has_perm(current, p, PROCESS__SETPGID);
2615 static int selinux_task_getpgid(struct task_struct *p)
2617 return task_has_perm(current, p, PROCESS__GETPGID);
2620 static int selinux_task_getsid(struct task_struct *p)
2622 return task_has_perm(current, p, PROCESS__GETSESSION);
2625 static int selinux_task_setgroups(struct group_info *group_info)
2627 /* See the comment for setuid above. */
2631 static int selinux_task_setnice(struct task_struct *p, int nice)
2635 rc = secondary_ops->task_setnice(p, nice);
2639 return task_has_perm(current,p, PROCESS__SETSCHED);
2642 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2644 struct rlimit *old_rlim = current->signal->rlim + resource;
2647 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2651 /* Control the ability to change the hard limit (whether
2652 lowering or raising it), so that the hard limit can
2653 later be used as a safe reset point for the soft limit
2654 upon context transitions. See selinux_bprm_apply_creds. */
2655 if (old_rlim->rlim_max != new_rlim->rlim_max)
2656 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2661 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2663 return task_has_perm(current, p, PROCESS__SETSCHED);
2666 static int selinux_task_getscheduler(struct task_struct *p)
2668 return task_has_perm(current, p, PROCESS__GETSCHED);
2671 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2676 rc = secondary_ops->task_kill(p, info, sig);
2680 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
2684 perm = PROCESS__SIGNULL; /* null signal; existence test */
2686 perm = signal_to_av(sig);
2688 return task_has_perm(current, p, perm);
2691 static int selinux_task_prctl(int option,
2697 /* The current prctl operations do not appear to require
2698 any SELinux controls since they merely observe or modify
2699 the state of the current process. */
2703 static int selinux_task_wait(struct task_struct *p)
2707 perm = signal_to_av(p->exit_signal);
2709 return task_has_perm(p, current, perm);
2712 static void selinux_task_reparent_to_init(struct task_struct *p)
2714 struct task_security_struct *tsec;
2716 secondary_ops->task_reparent_to_init(p);
2719 tsec->osid = tsec->sid;
2720 tsec->sid = SECINITSID_KERNEL;
2724 static void selinux_task_to_inode(struct task_struct *p,
2725 struct inode *inode)
2727 struct task_security_struct *tsec = p->security;
2728 struct inode_security_struct *isec = inode->i_security;
2730 isec->sid = tsec->sid;
2731 isec->initialized = 1;
2735 /* Returns error only if unable to parse addresses */
2736 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2738 int offset, ihlen, ret = -EINVAL;
2739 struct iphdr _iph, *ih;
2741 offset = skb->nh.raw - skb->data;
2742 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2746 ihlen = ih->ihl * 4;
2747 if (ihlen < sizeof(_iph))
2750 ad->u.net.v4info.saddr = ih->saddr;
2751 ad->u.net.v4info.daddr = ih->daddr;
2754 switch (ih->protocol) {
2756 struct tcphdr _tcph, *th;
2758 if (ntohs(ih->frag_off) & IP_OFFSET)
2762 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2766 ad->u.net.sport = th->source;
2767 ad->u.net.dport = th->dest;
2772 struct udphdr _udph, *uh;
2774 if (ntohs(ih->frag_off) & IP_OFFSET)
2778 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2782 ad->u.net.sport = uh->source;
2783 ad->u.net.dport = uh->dest;
2794 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2796 /* Returns error only if unable to parse addresses */
2797 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2800 int ret = -EINVAL, offset;
2801 struct ipv6hdr _ipv6h, *ip6;
2803 offset = skb->nh.raw - skb->data;
2804 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2808 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2809 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2812 nexthdr = ip6->nexthdr;
2813 offset += sizeof(_ipv6h);
2814 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2820 struct tcphdr _tcph, *th;
2822 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2826 ad->u.net.sport = th->source;
2827 ad->u.net.dport = th->dest;
2832 struct udphdr _udph, *uh;
2834 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2838 ad->u.net.sport = uh->source;
2839 ad->u.net.dport = uh->dest;
2843 /* includes fragments */
2853 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2854 char **addrp, int *len, int src)
2858 switch (ad->u.net.family) {
2860 ret = selinux_parse_skb_ipv4(skb, ad);
2864 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2865 &ad->u.net.v4info.daddr);
2868 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2870 ret = selinux_parse_skb_ipv6(skb, ad);
2874 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2875 &ad->u.net.v6info.daddr);
2885 /* socket security operations */
2886 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2889 struct inode_security_struct *isec;
2890 struct task_security_struct *tsec;
2891 struct avc_audit_data ad;
2894 tsec = task->security;
2895 isec = SOCK_INODE(sock)->i_security;
2897 if (isec->sid == SECINITSID_KERNEL)
2900 AVC_AUDIT_DATA_INIT(&ad,NET);
2901 ad.u.net.sk = sock->sk;
2902 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2908 static int selinux_socket_create(int family, int type,
2909 int protocol, int kern)
2912 struct task_security_struct *tsec;
2917 tsec = current->security;
2918 err = avc_has_perm(tsec->sid, tsec->sid,
2919 socket_type_to_security_class(family, type,
2920 protocol), SOCKET__CREATE, NULL);
2926 static void selinux_socket_post_create(struct socket *sock, int family,
2927 int type, int protocol, int kern)
2929 struct inode_security_struct *isec;
2930 struct task_security_struct *tsec;
2932 isec = SOCK_INODE(sock)->i_security;
2934 tsec = current->security;
2935 isec->sclass = socket_type_to_security_class(family, type, protocol);
2936 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2937 isec->initialized = 1;
2942 /* Range of port numbers used to automatically bind.
2943 Need to determine whether we should perform a name_bind
2944 permission check between the socket and the port number. */
2945 #define ip_local_port_range_0 sysctl_local_port_range[0]
2946 #define ip_local_port_range_1 sysctl_local_port_range[1]
2948 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2953 err = socket_has_perm(current, sock, SOCKET__BIND);
2958 * If PF_INET or PF_INET6, check name_bind permission for the port.
2959 * Multiple address binding for SCTP is not supported yet: we just
2960 * check the first address now.
2962 family = sock->sk->sk_family;
2963 if (family == PF_INET || family == PF_INET6) {
2965 struct inode_security_struct *isec;
2966 struct task_security_struct *tsec;
2967 struct avc_audit_data ad;
2968 struct sockaddr_in *addr4 = NULL;
2969 struct sockaddr_in6 *addr6 = NULL;
2970 unsigned short snum;
2971 struct sock *sk = sock->sk;
2972 u32 sid, node_perm, addrlen;
2974 tsec = current->security;
2975 isec = SOCK_INODE(sock)->i_security;
2977 if (family == PF_INET) {
2978 addr4 = (struct sockaddr_in *)address;
2979 snum = ntohs(addr4->sin_port);
2980 addrlen = sizeof(addr4->sin_addr.s_addr);
2981 addrp = (char *)&addr4->sin_addr.s_addr;
2983 addr6 = (struct sockaddr_in6 *)address;
2984 snum = ntohs(addr6->sin6_port);
2985 addrlen = sizeof(addr6->sin6_addr.s6_addr);
2986 addrp = (char *)&addr6->sin6_addr.s6_addr;
2989 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
2990 snum > ip_local_port_range_1)) {
2991 err = security_port_sid(sk->sk_family, sk->sk_type,
2992 sk->sk_protocol, snum, &sid);
2995 AVC_AUDIT_DATA_INIT(&ad,NET);
2996 ad.u.net.sport = htons(snum);
2997 ad.u.net.family = family;
2998 err = avc_has_perm(isec->sid, sid,
3000 SOCKET__NAME_BIND, &ad);
3005 switch(isec->sclass) {
3006 case SECCLASS_TCP_SOCKET:
3007 node_perm = TCP_SOCKET__NODE_BIND;
3010 case SECCLASS_UDP_SOCKET:
3011 node_perm = UDP_SOCKET__NODE_BIND;
3015 node_perm = RAWIP_SOCKET__NODE_BIND;
3019 err = security_node_sid(family, addrp, addrlen, &sid);
3023 AVC_AUDIT_DATA_INIT(&ad,NET);
3024 ad.u.net.sport = htons(snum);
3025 ad.u.net.family = family;
3027 if (family == PF_INET)
3028 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3030 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3032 err = avc_has_perm(isec->sid, sid,
3033 isec->sclass, node_perm, &ad);
3041 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3043 struct inode_security_struct *isec;
3046 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3051 * If a TCP socket, check name_connect permission for the port.
3053 isec = SOCK_INODE(sock)->i_security;
3054 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3055 struct sock *sk = sock->sk;
3056 struct avc_audit_data ad;
3057 struct sockaddr_in *addr4 = NULL;
3058 struct sockaddr_in6 *addr6 = NULL;
3059 unsigned short snum;
3062 if (sk->sk_family == PF_INET) {
3063 addr4 = (struct sockaddr_in *)address;
3064 if (addrlen < sizeof(struct sockaddr_in))
3066 snum = ntohs(addr4->sin_port);
3068 addr6 = (struct sockaddr_in6 *)address;
3069 if (addrlen < SIN6_LEN_RFC2133)
3071 snum = ntohs(addr6->sin6_port);
3074 err = security_port_sid(sk->sk_family, sk->sk_type,
3075 sk->sk_protocol, snum, &sid);
3079 AVC_AUDIT_DATA_INIT(&ad,NET);
3080 ad.u.net.dport = htons(snum);
3081 ad.u.net.family = sk->sk_family;
3082 err = avc_has_perm(isec->sid, sid, isec->sclass,
3083 TCP_SOCKET__NAME_CONNECT, &ad);
3092 static int selinux_socket_listen(struct socket *sock, int backlog)
3094 return socket_has_perm(current, sock, SOCKET__LISTEN);
3097 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3100 struct inode_security_struct *isec;
3101 struct inode_security_struct *newisec;
3103 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3107 newisec = SOCK_INODE(newsock)->i_security;
3109 isec = SOCK_INODE(sock)->i_security;
3110 newisec->sclass = isec->sclass;
3111 newisec->sid = isec->sid;
3112 newisec->initialized = 1;
3117 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3120 return socket_has_perm(current, sock, SOCKET__WRITE);
3123 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3124 int size, int flags)
3126 return socket_has_perm(current, sock, SOCKET__READ);
3129 static int selinux_socket_getsockname(struct socket *sock)
3131 return socket_has_perm(current, sock, SOCKET__GETATTR);
3134 static int selinux_socket_getpeername(struct socket *sock)
3136 return socket_has_perm(current, sock, SOCKET__GETATTR);
3139 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3141 return socket_has_perm(current, sock, SOCKET__SETOPT);
3144 static int selinux_socket_getsockopt(struct socket *sock, int level,
3147 return socket_has_perm(current, sock, SOCKET__GETOPT);
3150 static int selinux_socket_shutdown(struct socket *sock, int how)
3152 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3155 static int selinux_socket_unix_stream_connect(struct socket *sock,
3156 struct socket *other,
3159 struct sk_security_struct *ssec;
3160 struct inode_security_struct *isec;
3161 struct inode_security_struct *other_isec;
3162 struct avc_audit_data ad;
3165 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3169 isec = SOCK_INODE(sock)->i_security;
3170 other_isec = SOCK_INODE(other)->i_security;
3172 AVC_AUDIT_DATA_INIT(&ad,NET);
3173 ad.u.net.sk = other->sk;
3175 err = avc_has_perm(isec->sid, other_isec->sid,
3177 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3181 /* connecting socket */
3182 ssec = sock->sk->sk_security;
3183 ssec->peer_sid = other_isec->sid;
3185 /* server child socket */
3186 ssec = newsk->sk_security;
3187 ssec->peer_sid = isec->sid;
3192 static int selinux_socket_unix_may_send(struct socket *sock,
3193 struct socket *other)
3195 struct inode_security_struct *isec;
3196 struct inode_security_struct *other_isec;
3197 struct avc_audit_data ad;
3200 isec = SOCK_INODE(sock)->i_security;
3201 other_isec = SOCK_INODE(other)->i_security;
3203 AVC_AUDIT_DATA_INIT(&ad,NET);
3204 ad.u.net.sk = other->sk;
3206 err = avc_has_perm(isec->sid, other_isec->sid,
3207 isec->sclass, SOCKET__SENDTO, &ad);
3214 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3219 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3222 struct socket *sock;
3223 struct net_device *dev;
3224 struct avc_audit_data ad;
3226 family = sk->sk_family;
3227 if (family != PF_INET && family != PF_INET6)
3230 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3231 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3234 read_lock_bh(&sk->sk_callback_lock);
3235 sock = sk->sk_socket;
3237 struct inode *inode;
3238 inode = SOCK_INODE(sock);
3240 struct inode_security_struct *isec;
3241 isec = inode->i_security;
3242 sock_sid = isec->sid;
3243 sock_class = isec->sclass;
3246 read_unlock_bh(&sk->sk_callback_lock);
3254 err = sel_netif_sids(dev, &if_sid, NULL);
3258 switch (sock_class) {
3259 case SECCLASS_UDP_SOCKET:
3260 netif_perm = NETIF__UDP_RECV;
3261 node_perm = NODE__UDP_RECV;
3262 recv_perm = UDP_SOCKET__RECV_MSG;
3265 case SECCLASS_TCP_SOCKET:
3266 netif_perm = NETIF__TCP_RECV;
3267 node_perm = NODE__TCP_RECV;
3268 recv_perm = TCP_SOCKET__RECV_MSG;
3272 netif_perm = NETIF__RAWIP_RECV;
3273 node_perm = NODE__RAWIP_RECV;
3277 AVC_AUDIT_DATA_INIT(&ad, NET);
3278 ad.u.net.netif = dev->name;
3279 ad.u.net.family = family;
3281 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3285 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3289 /* Fixme: this lookup is inefficient */
3290 err = security_node_sid(family, addrp, len, &node_sid);
3294 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3301 /* Fixme: make this more efficient */
3302 err = security_port_sid(sk->sk_family, sk->sk_type,
3303 sk->sk_protocol, ntohs(ad.u.net.sport),
3308 err = avc_has_perm(sock_sid, port_sid,
3309 sock_class, recv_perm, &ad);
3313 err = selinux_xfrm_sock_rcv_skb(sock_sid, skb);
3319 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
3320 int __user *optlen, unsigned len)
3325 struct sk_security_struct *ssec;
3326 struct inode_security_struct *isec;
3329 isec = SOCK_INODE(sock)->i_security;
3331 /* if UNIX_STREAM check peer_sid, if TCP check dst for labelled sa */
3332 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET) {
3333 ssec = sock->sk->sk_security;
3334 peer_sid = ssec->peer_sid;
3336 else if (isec->sclass == SECCLASS_TCP_SOCKET) {
3337 peer_sid = selinux_socket_getpeer_stream(sock->sk);
3339 if (peer_sid == SECSID_NULL) {
3349 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
3354 if (scontext_len > len) {
3359 if (copy_to_user(optval, scontext, scontext_len))
3363 if (put_user(scontext_len, optlen))
3371 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
3374 u32 peer_sid = selinux_socket_getpeer_dgram(skb);
3376 if (peer_sid == SECSID_NULL)
3379 err = security_sid_to_context(peer_sid, secdata, seclen);
3388 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3390 return sk_alloc_security(sk, family, priority);
3393 static void selinux_sk_free_security(struct sock *sk)
3395 sk_free_security(sk);
3398 static unsigned int selinux_sk_getsid_security(struct sock *sk, struct flowi *fl, u8 dir)
3400 struct inode_security_struct *isec;
3401 u32 sock_sid = SECINITSID_ANY_SOCKET;
3404 return selinux_no_sk_sid(fl);
3406 read_lock_bh(&sk->sk_callback_lock);
3407 isec = get_sock_isec(sk);
3410 sock_sid = isec->sid;
3412 read_unlock_bh(&sk->sk_callback_lock);
3416 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3420 struct nlmsghdr *nlh;
3421 struct socket *sock = sk->sk_socket;
3422 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3424 if (skb->len < NLMSG_SPACE(0)) {
3428 nlh = (struct nlmsghdr *)skb->data;
3430 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3432 if (err == -EINVAL) {
3433 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3434 "SELinux: unrecognized netlink message"
3435 " type=%hu for sclass=%hu\n",
3436 nlh->nlmsg_type, isec->sclass);
3437 if (!selinux_enforcing)
3447 err = socket_has_perm(current, sock, perm);
3452 #ifdef CONFIG_NETFILTER
3454 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3455 struct sk_buff **pskb,
3456 const struct net_device *in,
3457 const struct net_device *out,
3458 int (*okfn)(struct sk_buff *),
3462 int len, err = NF_ACCEPT;
3463 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3465 struct socket *sock;
3466 struct inode *inode;
3467 struct sk_buff *skb = *pskb;
3468 struct inode_security_struct *isec;
3469 struct avc_audit_data ad;
3470 struct net_device *dev = (struct net_device *)out;
3476 sock = sk->sk_socket;
3480 inode = SOCK_INODE(sock);
3484 err = sel_netif_sids(dev, &if_sid, NULL);
3488 isec = inode->i_security;
3490 switch (isec->sclass) {
3491 case SECCLASS_UDP_SOCKET:
3492 netif_perm = NETIF__UDP_SEND;
3493 node_perm = NODE__UDP_SEND;
3494 send_perm = UDP_SOCKET__SEND_MSG;
3497 case SECCLASS_TCP_SOCKET:
3498 netif_perm = NETIF__TCP_SEND;
3499 node_perm = NODE__TCP_SEND;
3500 send_perm = TCP_SOCKET__SEND_MSG;
3504 netif_perm = NETIF__RAWIP_SEND;
3505 node_perm = NODE__RAWIP_SEND;
3510 AVC_AUDIT_DATA_INIT(&ad, NET);
3511 ad.u.net.netif = dev->name;
3512 ad.u.net.family = family;
3514 err = selinux_parse_skb(skb, &ad, &addrp,
3515 &len, 0) ? NF_DROP : NF_ACCEPT;
3516 if (err != NF_ACCEPT)
3519 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3520 netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3521 if (err != NF_ACCEPT)
3524 /* Fixme: this lookup is inefficient */
3525 err = security_node_sid(family, addrp, len,
3526 &node_sid) ? NF_DROP : NF_ACCEPT;
3527 if (err != NF_ACCEPT)
3530 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3531 node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3532 if (err != NF_ACCEPT)
3538 /* Fixme: make this more efficient */
3539 err = security_port_sid(sk->sk_family,
3542 ntohs(ad.u.net.dport),
3543 &port_sid) ? NF_DROP : NF_ACCEPT;
3544 if (err != NF_ACCEPT)
3547 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3548 send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3551 if (err != NF_ACCEPT)
3554 err = selinux_xfrm_postroute_last(isec->sid, skb);
3560 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3561 struct sk_buff **pskb,
3562 const struct net_device *in,
3563 const struct net_device *out,
3564 int (*okfn)(struct sk_buff *))
3566 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3569 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3571 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3572 struct sk_buff **pskb,
3573 const struct net_device *in,
3574 const struct net_device *out,
3575 int (*okfn)(struct sk_buff *))
3577 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3582 #endif /* CONFIG_NETFILTER */
3584 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3586 struct task_security_struct *tsec;
3587 struct av_decision avd;
3590 err = secondary_ops->netlink_send(sk, skb);
3594 tsec = current->security;
3597 avc_has_perm_noaudit(tsec->sid, tsec->sid,
3598 SECCLASS_CAPABILITY, ~0, &avd);
3599 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3601 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3602 err = selinux_nlmsg_perm(sk, skb);
3607 static int selinux_netlink_recv(struct sk_buff *skb)
3609 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3614 static int ipc_alloc_security(struct task_struct *task,
3615 struct kern_ipc_perm *perm,
3618 struct task_security_struct *tsec = task->security;
3619 struct ipc_security_struct *isec;
3621 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3625 isec->sclass = sclass;
3626 isec->ipc_perm = perm;
3627 isec->sid = tsec->sid;
3628 perm->security = isec;
3633 static void ipc_free_security(struct kern_ipc_perm *perm)
3635 struct ipc_security_struct *isec = perm->security;
3636 perm->security = NULL;
3640 static int msg_msg_alloc_security(struct msg_msg *msg)
3642 struct msg_security_struct *msec;
3644 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3649 msec->sid = SECINITSID_UNLABELED;
3650 msg->security = msec;
3655 static void msg_msg_free_security(struct msg_msg *msg)
3657 struct msg_security_struct *msec = msg->security;
3659 msg->security = NULL;
3663 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3666 struct task_security_struct *tsec;
3667 struct ipc_security_struct *isec;
3668 struct avc_audit_data ad;
3670 tsec = current->security;
3671 isec = ipc_perms->security;
3673 AVC_AUDIT_DATA_INIT(&ad, IPC);
3674 ad.u.ipc_id = ipc_perms->key;
3676 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3679 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3681 return msg_msg_alloc_security(msg);
3684 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3686 msg_msg_free_security(msg);
3689 /* message queue security operations */
3690 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3692 struct task_security_struct *tsec;
3693 struct ipc_security_struct *isec;
3694 struct avc_audit_data ad;
3697 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3701 tsec = current->security;
3702 isec = msq->q_perm.security;
3704 AVC_AUDIT_DATA_INIT(&ad, IPC);
3705 ad.u.ipc_id = msq->q_perm.key;
3707 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3710 ipc_free_security(&msq->q_perm);
3716 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3718 ipc_free_security(&msq->q_perm);
3721 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3723 struct task_security_struct *tsec;
3724 struct ipc_security_struct *isec;
3725 struct avc_audit_data ad;
3727 tsec = current->security;
3728 isec = msq->q_perm.security;
3730 AVC_AUDIT_DATA_INIT(&ad, IPC);
3731 ad.u.ipc_id = msq->q_perm.key;
3733 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3734 MSGQ__ASSOCIATE, &ad);
3737 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3745 /* No specific object, just general system-wide information. */
3746 return task_has_system(current, SYSTEM__IPC_INFO);
3749 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3752 perms = MSGQ__SETATTR;
3755 perms = MSGQ__DESTROY;
3761 err = ipc_has_perm(&msq->q_perm, perms);
3765 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3767 struct task_security_struct *tsec;
3768 struct ipc_security_struct *isec;
3769 struct msg_security_struct *msec;
3770 struct avc_audit_data ad;
3773 tsec = current->security;
3774 isec = msq->q_perm.security;
3775 msec = msg->security;
3778 * First time through, need to assign label to the message
3780 if (msec->sid == SECINITSID_UNLABELED) {
3782 * Compute new sid based on current process and
3783 * message queue this message will be stored in
3785 rc = security_transition_sid(tsec->sid,
3793 AVC_AUDIT_DATA_INIT(&ad, IPC);
3794 ad.u.ipc_id = msq->q_perm.key;
3796 /* Can this process write to the queue? */
3797 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3800 /* Can this process send the message */
3801 rc = avc_has_perm(tsec->sid, msec->sid,
3802 SECCLASS_MSG, MSG__SEND, &ad);
3804 /* Can the message be put in the queue? */
3805 rc = avc_has_perm(msec->sid, isec->sid,
3806 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3811 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3812 struct task_struct *target,
3813 long type, int mode)
3815 struct task_security_struct *tsec;
3816 struct ipc_security_struct *isec;
3817 struct msg_security_struct *msec;
3818 struct avc_audit_data ad;
3821 tsec = target->security;
3822 isec = msq->q_perm.security;
3823 msec = msg->security;
3825 AVC_AUDIT_DATA_INIT(&ad, IPC);
3826 ad.u.ipc_id = msq->q_perm.key;
3828 rc = avc_has_perm(tsec->sid, isec->sid,
3829 SECCLASS_MSGQ, MSGQ__READ, &ad);
3831 rc = avc_has_perm(tsec->sid, msec->sid,
3832 SECCLASS_MSG, MSG__RECEIVE, &ad);
3836 /* Shared Memory security operations */
3837 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3839 struct task_security_struct *tsec;
3840 struct ipc_security_struct *isec;
3841 struct avc_audit_data ad;
3844 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3848 tsec = current->security;
3849 isec = shp->shm_perm.security;
3851 AVC_AUDIT_DATA_INIT(&ad, IPC);
3852 ad.u.ipc_id = shp->shm_perm.key;
3854 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3857 ipc_free_security(&shp->shm_perm);
3863 static void selinux_shm_free_security(struct shmid_kernel *shp)
3865 ipc_free_security(&shp->shm_perm);
3868 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
3870 struct task_security_struct *tsec;
3871 struct ipc_security_struct *isec;
3872 struct avc_audit_data ad;
3874 tsec = current->security;
3875 isec = shp->shm_perm.security;
3877 AVC_AUDIT_DATA_INIT(&ad, IPC);
3878 ad.u.ipc_id = shp->shm_perm.key;
3880 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3881 SHM__ASSOCIATE, &ad);
3884 /* Note, at this point, shp is locked down */
3885 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
3893 /* No specific object, just general system-wide information. */
3894 return task_has_system(current, SYSTEM__IPC_INFO);
3897 perms = SHM__GETATTR | SHM__ASSOCIATE;
3900 perms = SHM__SETATTR;
3907 perms = SHM__DESTROY;
3913 err = ipc_has_perm(&shp->shm_perm, perms);
3917 static int selinux_shm_shmat(struct shmid_kernel *shp,
3918 char __user *shmaddr, int shmflg)
3923 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
3927 if (shmflg & SHM_RDONLY)
3930 perms = SHM__READ | SHM__WRITE;
3932 return ipc_has_perm(&shp->shm_perm, perms);
3935 /* Semaphore security operations */
3936 static int selinux_sem_alloc_security(struct sem_array *sma)
3938 struct task_security_struct *tsec;
3939 struct ipc_security_struct *isec;
3940 struct avc_audit_data ad;
3943 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
3947 tsec = current->security;
3948 isec = sma->sem_perm.security;
3950 AVC_AUDIT_DATA_INIT(&ad, IPC);
3951 ad.u.ipc_id = sma->sem_perm.key;
3953 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3956 ipc_free_security(&sma->sem_perm);
3962 static void selinux_sem_free_security(struct sem_array *sma)
3964 ipc_free_security(&sma->sem_perm);
3967 static int selinux_sem_associate(struct sem_array *sma, int semflg)
3969 struct task_security_struct *tsec;
3970 struct ipc_security_struct *isec;
3971 struct avc_audit_data ad;
3973 tsec = current->security;
3974 isec = sma->sem_perm.security;
3976 AVC_AUDIT_DATA_INIT(&ad, IPC);
3977 ad.u.ipc_id = sma->sem_perm.key;
3979 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
3980 SEM__ASSOCIATE, &ad);
3983 /* Note, at this point, sma is locked down */
3984 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
3992 /* No specific object, just general system-wide information. */
3993 return task_has_system(current, SYSTEM__IPC_INFO);
3997 perms = SEM__GETATTR;
4008 perms = SEM__DESTROY;
4011 perms = SEM__SETATTR;
4015 perms = SEM__GETATTR | SEM__ASSOCIATE;
4021 err = ipc_has_perm(&sma->sem_perm, perms);
4025 static int selinux_sem_semop(struct sem_array *sma,
4026 struct sembuf *sops, unsigned nsops, int alter)
4031 perms = SEM__READ | SEM__WRITE;
4035 return ipc_has_perm(&sma->sem_perm, perms);
4038 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4044 av |= IPC__UNIX_READ;
4046 av |= IPC__UNIX_WRITE;
4051 return ipc_has_perm(ipcp, av);
4054 /* module stacking operations */
4055 static int selinux_register_security (const char *name, struct security_operations *ops)
4057 if (secondary_ops != original_ops) {
4058 printk(KERN_INFO "%s: There is already a secondary security "
4059 "module registered.\n", __FUNCTION__);
4063 secondary_ops = ops;
4065 printk(KERN_INFO "%s: Registering secondary module %s\n",
4072 static int selinux_unregister_security (const char *name, struct security_operations *ops)
4074 if (ops != secondary_ops) {
4075 printk (KERN_INFO "%s: trying to unregister a security module "
4076 "that is not registered.\n", __FUNCTION__);
4080 secondary_ops = original_ops;
4085 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
4088 inode_doinit_with_dentry(inode, dentry);
4091 static int selinux_getprocattr(struct task_struct *p,
4092 char *name, void *value, size_t size)
4094 struct task_security_struct *tsec;
4100 error = task_has_perm(current, p, PROCESS__GETATTR);
4110 if (!strcmp(name, "current"))
4112 else if (!strcmp(name, "prev"))
4114 else if (!strcmp(name, "exec"))
4115 sid = tsec->exec_sid;
4116 else if (!strcmp(name, "fscreate"))
4117 sid = tsec->create_sid;
4124 error = security_sid_to_context(sid, &context, &len);
4131 memcpy(value, context, len);
4136 static int selinux_setprocattr(struct task_struct *p,
4137 char *name, void *value, size_t size)
4139 struct task_security_struct *tsec;
4145 /* SELinux only allows a process to change its own
4146 security attributes. */
4151 * Basic control over ability to set these attributes at all.
4152 * current == p, but we'll pass them separately in case the
4153 * above restriction is ever removed.
4155 if (!strcmp(name, "exec"))
4156 error = task_has_perm(current, p, PROCESS__SETEXEC);
4157 else if (!strcmp(name, "fscreate"))
4158 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
4159 else if (!strcmp(name, "current"))
4160 error = task_has_perm(current, p, PROCESS__SETCURRENT);
4166 /* Obtain a SID for the context, if one was specified. */
4167 if (size && str[1] && str[1] != '\n') {
4168 if (str[size-1] == '\n') {
4172 error = security_context_to_sid(value, size, &sid);
4177 /* Permission checking based on the specified context is
4178 performed during the actual operation (execve,
4179 open/mkdir/...), when we know the full context of the
4180 operation. See selinux_bprm_set_security for the execve
4181 checks and may_create for the file creation checks. The
4182 operation will then fail if the context is not permitted. */
4184 if (!strcmp(name, "exec"))
4185 tsec->exec_sid = sid;
4186 else if (!strcmp(name, "fscreate"))
4187 tsec->create_sid = sid;
4188 else if (!strcmp(name, "current")) {
4189 struct av_decision avd;
4194 /* Only allow single threaded processes to change context */
4195 if (atomic_read(&p->mm->mm_users) != 1) {
4196 struct task_struct *g, *t;
4197 struct mm_struct *mm = p->mm;
4198 read_lock(&tasklist_lock);
4199 do_each_thread(g, t)
4200 if (t->mm == mm && t != p) {
4201 read_unlock(&tasklist_lock);
4204 while_each_thread(g, t);
4205 read_unlock(&tasklist_lock);
4208 /* Check permissions for the transition. */
4209 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
4210 PROCESS__DYNTRANSITION, NULL);
4214 /* Check for ptracing, and update the task SID if ok.
4215 Otherwise, leave SID unchanged and fail. */
4217 if (p->ptrace & PT_PTRACED) {
4218 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4220 PROCESS__PTRACE, &avd);
4224 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
4225 PROCESS__PTRACE, &avd, error, NULL);
4239 static struct security_operations selinux_ops = {
4240 .ptrace = selinux_ptrace,
4241 .capget = selinux_capget,
4242 .capset_check = selinux_capset_check,
4243 .capset_set = selinux_capset_set,
4244 .sysctl = selinux_sysctl,
4245 .capable = selinux_capable,
4246 .quotactl = selinux_quotactl,
4247 .quota_on = selinux_quota_on,
4248 .syslog = selinux_syslog,
4249 .vm_enough_memory = selinux_vm_enough_memory,
4251 .netlink_send = selinux_netlink_send,
4252 .netlink_recv = selinux_netlink_recv,
4254 .bprm_alloc_security = selinux_bprm_alloc_security,
4255 .bprm_free_security = selinux_bprm_free_security,
4256 .bprm_apply_creds = selinux_bprm_apply_creds,
4257 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
4258 .bprm_set_security = selinux_bprm_set_security,
4259 .bprm_check_security = selinux_bprm_check_security,
4260 .bprm_secureexec = selinux_bprm_secureexec,
4262 .sb_alloc_security = selinux_sb_alloc_security,
4263 .sb_free_security = selinux_sb_free_security,
4264 .sb_copy_data = selinux_sb_copy_data,
4265 .sb_kern_mount = selinux_sb_kern_mount,
4266 .sb_statfs = selinux_sb_statfs,
4267 .sb_mount = selinux_mount,
4268 .sb_umount = selinux_umount,
4270 .inode_alloc_security = selinux_inode_alloc_security,
4271 .inode_free_security = selinux_inode_free_security,
4272 .inode_init_security = selinux_inode_init_security,
4273 .inode_create = selinux_inode_create,
4274 .inode_link = selinux_inode_link,
4275 .inode_unlink = selinux_inode_unlink,
4276 .inode_symlink = selinux_inode_symlink,
4277 .inode_mkdir = selinux_inode_mkdir,
4278 .inode_rmdir = selinux_inode_rmdir,
4279 .inode_mknod = selinux_inode_mknod,
4280 .inode_rename = selinux_inode_rename,
4281 .inode_readlink = selinux_inode_readlink,
4282 .inode_follow_link = selinux_inode_follow_link,
4283 .inode_permission = selinux_inode_permission,
4284 .inode_setattr = selinux_inode_setattr,
4285 .inode_getattr = selinux_inode_getattr,
4286 .inode_setxattr = selinux_inode_setxattr,
4287 .inode_post_setxattr = selinux_inode_post_setxattr,
4288 .inode_getxattr = selinux_inode_getxattr,
4289 .inode_listxattr = selinux_inode_listxattr,
4290 .inode_removexattr = selinux_inode_removexattr,
4291 .inode_getsecurity = selinux_inode_getsecurity,
4292 .inode_setsecurity = selinux_inode_setsecurity,
4293 .inode_listsecurity = selinux_inode_listsecurity,
4295 .file_permission = selinux_file_permission,
4296 .file_alloc_security = selinux_file_alloc_security,
4297 .file_free_security = selinux_file_free_security,
4298 .file_ioctl = selinux_file_ioctl,
4299 .file_mmap = selinux_file_mmap,
4300 .file_mprotect = selinux_file_mprotect,
4301 .file_lock = selinux_file_lock,
4302 .file_fcntl = selinux_file_fcntl,
4303 .file_set_fowner = selinux_file_set_fowner,
4304 .file_send_sigiotask = selinux_file_send_sigiotask,
4305 .file_receive = selinux_file_receive,
4307 .task_create = selinux_task_create,
4308 .task_alloc_security = selinux_task_alloc_security,
4309 .task_free_security = selinux_task_free_security,
4310 .task_setuid = selinux_task_setuid,
4311 .task_post_setuid = selinux_task_post_setuid,
4312 .task_setgid = selinux_task_setgid,
4313 .task_setpgid = selinux_task_setpgid,
4314 .task_getpgid = selinux_task_getpgid,
4315 .task_getsid = selinux_task_getsid,
4316 .task_setgroups = selinux_task_setgroups,
4317 .task_setnice = selinux_task_setnice,
4318 .task_setrlimit = selinux_task_setrlimit,
4319 .task_setscheduler = selinux_task_setscheduler,
4320 .task_getscheduler = selinux_task_getscheduler,
4321 .task_kill = selinux_task_kill,
4322 .task_wait = selinux_task_wait,
4323 .task_prctl = selinux_task_prctl,
4324 .task_reparent_to_init = selinux_task_reparent_to_init,
4325 .task_to_inode = selinux_task_to_inode,
4327 .ipc_permission = selinux_ipc_permission,
4329 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
4330 .msg_msg_free_security = selinux_msg_msg_free_security,
4332 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
4333 .msg_queue_free_security = selinux_msg_queue_free_security,
4334 .msg_queue_associate = selinux_msg_queue_associate,
4335 .msg_queue_msgctl = selinux_msg_queue_msgctl,
4336 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
4337 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
4339 .shm_alloc_security = selinux_shm_alloc_security,
4340 .shm_free_security = selinux_shm_free_security,
4341 .shm_associate = selinux_shm_associate,
4342 .shm_shmctl = selinux_shm_shmctl,
4343 .shm_shmat = selinux_shm_shmat,
4345 .sem_alloc_security = selinux_sem_alloc_security,
4346 .sem_free_security = selinux_sem_free_security,
4347 .sem_associate = selinux_sem_associate,
4348 .sem_semctl = selinux_sem_semctl,
4349 .sem_semop = selinux_sem_semop,
4351 .register_security = selinux_register_security,
4352 .unregister_security = selinux_unregister_security,
4354 .d_instantiate = selinux_d_instantiate,
4356 .getprocattr = selinux_getprocattr,
4357 .setprocattr = selinux_setprocattr,
4359 .unix_stream_connect = selinux_socket_unix_stream_connect,
4360 .unix_may_send = selinux_socket_unix_may_send,
4362 .socket_create = selinux_socket_create,
4363 .socket_post_create = selinux_socket_post_create,
4364 .socket_bind = selinux_socket_bind,
4365 .socket_connect = selinux_socket_connect,
4366 .socket_listen = selinux_socket_listen,
4367 .socket_accept = selinux_socket_accept,
4368 .socket_sendmsg = selinux_socket_sendmsg,
4369 .socket_recvmsg = selinux_socket_recvmsg,
4370 .socket_getsockname = selinux_socket_getsockname,
4371 .socket_getpeername = selinux_socket_getpeername,
4372 .socket_getsockopt = selinux_socket_getsockopt,
4373 .socket_setsockopt = selinux_socket_setsockopt,
4374 .socket_shutdown = selinux_socket_shutdown,
4375 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
4376 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
4377 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
4378 .sk_alloc_security = selinux_sk_alloc_security,
4379 .sk_free_security = selinux_sk_free_security,
4380 .sk_getsid = selinux_sk_getsid_security,
4382 #ifdef CONFIG_SECURITY_NETWORK_XFRM
4383 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
4384 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
4385 .xfrm_policy_free_security = selinux_xfrm_policy_free,
4386 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
4387 .xfrm_state_free_security = selinux_xfrm_state_free,
4388 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
4392 static __init int selinux_init(void)
4394 struct task_security_struct *tsec;
4396 if (!selinux_enabled) {
4397 printk(KERN_INFO "SELinux: Disabled at boot.\n");
4401 printk(KERN_INFO "SELinux: Initializing.\n");
4403 /* Set the security state for the initial task. */
4404 if (task_alloc_security(current))
4405 panic("SELinux: Failed to initialize initial task.\n");
4406 tsec = current->security;
4407 tsec->osid = tsec->sid = SECINITSID_KERNEL;
4411 original_ops = secondary_ops = security_ops;
4413 panic ("SELinux: No initial security operations\n");
4414 if (register_security (&selinux_ops))
4415 panic("SELinux: Unable to register with kernel.\n");
4417 if (selinux_enforcing) {
4418 printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
4420 printk(KERN_INFO "SELinux: Starting in permissive mode\n");
4425 void selinux_complete_init(void)
4427 printk(KERN_INFO "SELinux: Completing initialization.\n");
4429 /* Set up any superblocks initialized prior to the policy load. */
4430 printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
4431 spin_lock(&sb_security_lock);
4433 if (!list_empty(&superblock_security_head)) {
4434 struct superblock_security_struct *sbsec =
4435 list_entry(superblock_security_head.next,
4436 struct superblock_security_struct,
4438 struct super_block *sb = sbsec->sb;
4439 spin_lock(&sb_lock);
4441 spin_unlock(&sb_lock);
4442 spin_unlock(&sb_security_lock);
4443 down_read(&sb->s_umount);
4445 superblock_doinit(sb, NULL);
4447 spin_lock(&sb_security_lock);
4448 list_del_init(&sbsec->list);
4451 spin_unlock(&sb_security_lock);
4454 /* SELinux requires early initialization in order to label
4455 all processes and objects when they are created. */
4456 security_initcall(selinux_init);
4458 #if defined(CONFIG_NETFILTER)
4460 static struct nf_hook_ops selinux_ipv4_op = {
4461 .hook = selinux_ipv4_postroute_last,
4462 .owner = THIS_MODULE,
4464 .hooknum = NF_IP_POST_ROUTING,
4465 .priority = NF_IP_PRI_SELINUX_LAST,
4468 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4470 static struct nf_hook_ops selinux_ipv6_op = {
4471 .hook = selinux_ipv6_postroute_last,
4472 .owner = THIS_MODULE,
4474 .hooknum = NF_IP6_POST_ROUTING,
4475 .priority = NF_IP6_PRI_SELINUX_LAST,
4480 static int __init selinux_nf_ip_init(void)
4484 if (!selinux_enabled)
4487 printk(KERN_INFO "SELinux: Registering netfilter hooks\n");
4489 err = nf_register_hook(&selinux_ipv4_op);
4491 panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
4493 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4495 err = nf_register_hook(&selinux_ipv6_op);
4497 panic("SELinux: nf_register_hook for IPv6: error %d\n", err);
4505 __initcall(selinux_nf_ip_init);
4507 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4508 static void selinux_nf_ip_exit(void)
4510 printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n");
4512 nf_unregister_hook(&selinux_ipv4_op);
4513 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4514 nf_unregister_hook(&selinux_ipv6_op);
4519 #else /* CONFIG_NETFILTER */
4521 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4522 #define selinux_nf_ip_exit()
4525 #endif /* CONFIG_NETFILTER */
4527 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
4528 int selinux_disable(void)
4530 extern void exit_sel_fs(void);
4531 static int selinux_disabled = 0;
4533 if (ss_initialized) {
4534 /* Not permitted after initial policy load. */
4538 if (selinux_disabled) {
4539 /* Only do this once. */
4543 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
4545 selinux_disabled = 1;
4547 /* Reset security_ops to the secondary module, dummy or capability. */
4548 security_ops = secondary_ops;
4550 /* Unregister netfilter hooks. */
4551 selinux_nf_ip_exit();
4553 /* Unregister selinuxfs. */
git://bbs.cooldavid.org / net-next-2.6.git / blob