2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/ext2_fs.h>
32 #include <linux/sched.h>
33 #include <linux/security.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <asm/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <linux/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
92 #define NUM_SEL_MNT_OPTS 5
94 extern int selinux_nlmsg_lookup(u16 sclass
, u16 nlmsg_type
, u32
*perm
);
95 extern struct security_operations
*security_ops
;
97 /* SECMARK reference count */
98 atomic_t selinux_secmark_refcount
= ATOMIC_INIT(0);
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing
;
103 static int __init
enforcing_setup(char *str
)
105 unsigned long enforcing
;
106 if (!strict_strtoul(str
, 0, &enforcing
))
107 selinux_enforcing
= enforcing
? 1 : 0;
110 __setup("enforcing=", enforcing_setup
);
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled
= CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
;
116 static int __init
selinux_enabled_setup(char *str
)
118 unsigned long enabled
;
119 if (!strict_strtoul(str
, 0, &enabled
))
120 selinux_enabled
= enabled
? 1 : 0;
123 __setup("selinux=", selinux_enabled_setup
);
125 int selinux_enabled
= 1;
128 static struct kmem_cache
*sel_inode_cache
;
131 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
134 * This function checks the SECMARK reference counter to see if any SECMARK
135 * targets are currently configured, if the reference counter is greater than
136 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
137 * enabled, false (0) if SECMARK is disabled.
140 static int selinux_secmark_enabled(void)
142 return (atomic_read(&selinux_secmark_refcount
) > 0);
146 * initialise the security for the init task
148 static void cred_init_security(void)
150 struct cred
*cred
= (struct cred
*) current
->real_cred
;
151 struct task_security_struct
*tsec
;
153 tsec
= kzalloc(sizeof(struct task_security_struct
), GFP_KERNEL
);
155 panic("SELinux: Failed to initialize initial task.\n");
157 tsec
->osid
= tsec
->sid
= SECINITSID_KERNEL
;
158 cred
->security
= tsec
;
162 * get the security ID of a set of credentials
164 static inline u32
cred_sid(const struct cred
*cred
)
166 const struct task_security_struct
*tsec
;
168 tsec
= cred
->security
;
173 * get the objective security ID of a task
175 static inline u32
task_sid(const struct task_struct
*task
)
180 sid
= cred_sid(__task_cred(task
));
186 * get the subjective security ID of the current task
188 static inline u32
current_sid(void)
190 const struct task_security_struct
*tsec
= current_security();
195 /* Allocate and free functions for each kind of security blob. */
197 static int inode_alloc_security(struct inode
*inode
)
199 struct inode_security_struct
*isec
;
200 u32 sid
= current_sid();
202 isec
= kmem_cache_zalloc(sel_inode_cache
, GFP_NOFS
);
206 mutex_init(&isec
->lock
);
207 INIT_LIST_HEAD(&isec
->list
);
209 isec
->sid
= SECINITSID_UNLABELED
;
210 isec
->sclass
= SECCLASS_FILE
;
211 isec
->task_sid
= sid
;
212 inode
->i_security
= isec
;
217 static void inode_free_security(struct inode
*inode
)
219 struct inode_security_struct
*isec
= inode
->i_security
;
220 struct superblock_security_struct
*sbsec
= inode
->i_sb
->s_security
;
222 spin_lock(&sbsec
->isec_lock
);
223 if (!list_empty(&isec
->list
))
224 list_del_init(&isec
->list
);
225 spin_unlock(&sbsec
->isec_lock
);
227 inode
->i_security
= NULL
;
228 kmem_cache_free(sel_inode_cache
, isec
);
231 static int file_alloc_security(struct file
*file
)
233 struct file_security_struct
*fsec
;
234 u32 sid
= current_sid();
236 fsec
= kzalloc(sizeof(struct file_security_struct
), GFP_KERNEL
);
241 fsec
->fown_sid
= sid
;
242 file
->f_security
= fsec
;
247 static void file_free_security(struct file
*file
)
249 struct file_security_struct
*fsec
= file
->f_security
;
250 file
->f_security
= NULL
;
254 static int superblock_alloc_security(struct super_block
*sb
)
256 struct superblock_security_struct
*sbsec
;
258 sbsec
= kzalloc(sizeof(struct superblock_security_struct
), GFP_KERNEL
);
262 mutex_init(&sbsec
->lock
);
263 INIT_LIST_HEAD(&sbsec
->isec_head
);
264 spin_lock_init(&sbsec
->isec_lock
);
266 sbsec
->sid
= SECINITSID_UNLABELED
;
267 sbsec
->def_sid
= SECINITSID_FILE
;
268 sbsec
->mntpoint_sid
= SECINITSID_UNLABELED
;
269 sb
->s_security
= sbsec
;
274 static void superblock_free_security(struct super_block
*sb
)
276 struct superblock_security_struct
*sbsec
= sb
->s_security
;
277 sb
->s_security
= NULL
;
281 /* The security server must be initialized before
282 any labeling or access decisions can be provided. */
283 extern int ss_initialized
;
285 /* The file system's label must be initialized prior to use. */
287 static const char *labeling_behaviors
[6] = {
289 "uses transition SIDs",
291 "uses genfs_contexts",
292 "not configured for labeling",
293 "uses mountpoint labeling",
296 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
);
298 static inline int inode_doinit(struct inode
*inode
)
300 return inode_doinit_with_dentry(inode
, NULL
);
309 Opt_labelsupport
= 5,
312 static const match_table_t tokens
= {
313 {Opt_context
, CONTEXT_STR
"%s"},
314 {Opt_fscontext
, FSCONTEXT_STR
"%s"},
315 {Opt_defcontext
, DEFCONTEXT_STR
"%s"},
316 {Opt_rootcontext
, ROOTCONTEXT_STR
"%s"},
317 {Opt_labelsupport
, LABELSUPP_STR
},
321 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
323 static int may_context_mount_sb_relabel(u32 sid
,
324 struct superblock_security_struct
*sbsec
,
325 const struct cred
*cred
)
327 const struct task_security_struct
*tsec
= cred
->security
;
330 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
331 FILESYSTEM__RELABELFROM
, NULL
);
335 rc
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_FILESYSTEM
,
336 FILESYSTEM__RELABELTO
, NULL
);
340 static int may_context_mount_inode_relabel(u32 sid
,
341 struct superblock_security_struct
*sbsec
,
342 const struct cred
*cred
)
344 const struct task_security_struct
*tsec
= cred
->security
;
346 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
347 FILESYSTEM__RELABELFROM
, NULL
);
351 rc
= avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
352 FILESYSTEM__ASSOCIATE
, NULL
);
356 static int sb_finish_set_opts(struct super_block
*sb
)
358 struct superblock_security_struct
*sbsec
= sb
->s_security
;
359 struct dentry
*root
= sb
->s_root
;
360 struct inode
*root_inode
= root
->d_inode
;
363 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
364 /* Make sure that the xattr handler exists and that no
365 error other than -ENODATA is returned by getxattr on
366 the root directory. -ENODATA is ok, as this may be
367 the first boot of the SELinux kernel before we have
368 assigned xattr values to the filesystem. */
369 if (!root_inode
->i_op
->getxattr
) {
370 printk(KERN_WARNING
"SELinux: (dev %s, type %s) has no "
371 "xattr support\n", sb
->s_id
, sb
->s_type
->name
);
375 rc
= root_inode
->i_op
->getxattr(root
, XATTR_NAME_SELINUX
, NULL
, 0);
376 if (rc
< 0 && rc
!= -ENODATA
) {
377 if (rc
== -EOPNOTSUPP
)
378 printk(KERN_WARNING
"SELinux: (dev %s, type "
379 "%s) has no security xattr handler\n",
380 sb
->s_id
, sb
->s_type
->name
);
382 printk(KERN_WARNING
"SELinux: (dev %s, type "
383 "%s) getxattr errno %d\n", sb
->s_id
,
384 sb
->s_type
->name
, -rc
);
389 sbsec
->flags
|= (SE_SBINITIALIZED
| SE_SBLABELSUPP
);
391 if (sbsec
->behavior
> ARRAY_SIZE(labeling_behaviors
))
392 printk(KERN_ERR
"SELinux: initialized (dev %s, type %s), unknown behavior\n",
393 sb
->s_id
, sb
->s_type
->name
);
395 printk(KERN_DEBUG
"SELinux: initialized (dev %s, type %s), %s\n",
396 sb
->s_id
, sb
->s_type
->name
,
397 labeling_behaviors
[sbsec
->behavior
-1]);
399 if (sbsec
->behavior
== SECURITY_FS_USE_GENFS
||
400 sbsec
->behavior
== SECURITY_FS_USE_MNTPOINT
||
401 sbsec
->behavior
== SECURITY_FS_USE_NONE
||
402 sbsec
->behavior
> ARRAY_SIZE(labeling_behaviors
))
403 sbsec
->flags
&= ~SE_SBLABELSUPP
;
405 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
406 if (strncmp(sb
->s_type
->name
, "sysfs", sizeof("sysfs")) == 0)
407 sbsec
->flags
|= SE_SBLABELSUPP
;
409 /* Initialize the root inode. */
410 rc
= inode_doinit_with_dentry(root_inode
, root
);
412 /* Initialize any other inodes associated with the superblock, e.g.
413 inodes created prior to initial policy load or inodes created
414 during get_sb by a pseudo filesystem that directly
416 spin_lock(&sbsec
->isec_lock
);
418 if (!list_empty(&sbsec
->isec_head
)) {
419 struct inode_security_struct
*isec
=
420 list_entry(sbsec
->isec_head
.next
,
421 struct inode_security_struct
, list
);
422 struct inode
*inode
= isec
->inode
;
423 spin_unlock(&sbsec
->isec_lock
);
424 inode
= igrab(inode
);
426 if (!IS_PRIVATE(inode
))
430 spin_lock(&sbsec
->isec_lock
);
431 list_del_init(&isec
->list
);
434 spin_unlock(&sbsec
->isec_lock
);
440 * This function should allow an FS to ask what it's mount security
441 * options were so it can use those later for submounts, displaying
442 * mount options, or whatever.
444 static int selinux_get_mnt_opts(const struct super_block
*sb
,
445 struct security_mnt_opts
*opts
)
448 struct superblock_security_struct
*sbsec
= sb
->s_security
;
449 char *context
= NULL
;
453 security_init_mnt_opts(opts
);
455 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
461 tmp
= sbsec
->flags
& SE_MNTMASK
;
462 /* count the number of mount options for this sb */
463 for (i
= 0; i
< 8; i
++) {
465 opts
->num_mnt_opts
++;
468 /* Check if the Label support flag is set */
469 if (sbsec
->flags
& SE_SBLABELSUPP
)
470 opts
->num_mnt_opts
++;
472 opts
->mnt_opts
= kcalloc(opts
->num_mnt_opts
, sizeof(char *), GFP_ATOMIC
);
473 if (!opts
->mnt_opts
) {
478 opts
->mnt_opts_flags
= kcalloc(opts
->num_mnt_opts
, sizeof(int), GFP_ATOMIC
);
479 if (!opts
->mnt_opts_flags
) {
485 if (sbsec
->flags
& FSCONTEXT_MNT
) {
486 rc
= security_sid_to_context(sbsec
->sid
, &context
, &len
);
489 opts
->mnt_opts
[i
] = context
;
490 opts
->mnt_opts_flags
[i
++] = FSCONTEXT_MNT
;
492 if (sbsec
->flags
& CONTEXT_MNT
) {
493 rc
= security_sid_to_context(sbsec
->mntpoint_sid
, &context
, &len
);
496 opts
->mnt_opts
[i
] = context
;
497 opts
->mnt_opts_flags
[i
++] = CONTEXT_MNT
;
499 if (sbsec
->flags
& DEFCONTEXT_MNT
) {
500 rc
= security_sid_to_context(sbsec
->def_sid
, &context
, &len
);
503 opts
->mnt_opts
[i
] = context
;
504 opts
->mnt_opts_flags
[i
++] = DEFCONTEXT_MNT
;
506 if (sbsec
->flags
& ROOTCONTEXT_MNT
) {
507 struct inode
*root
= sbsec
->sb
->s_root
->d_inode
;
508 struct inode_security_struct
*isec
= root
->i_security
;
510 rc
= security_sid_to_context(isec
->sid
, &context
, &len
);
513 opts
->mnt_opts
[i
] = context
;
514 opts
->mnt_opts_flags
[i
++] = ROOTCONTEXT_MNT
;
516 if (sbsec
->flags
& SE_SBLABELSUPP
) {
517 opts
->mnt_opts
[i
] = NULL
;
518 opts
->mnt_opts_flags
[i
++] = SE_SBLABELSUPP
;
521 BUG_ON(i
!= opts
->num_mnt_opts
);
526 security_free_mnt_opts(opts
);
530 static int bad_option(struct superblock_security_struct
*sbsec
, char flag
,
531 u32 old_sid
, u32 new_sid
)
533 char mnt_flags
= sbsec
->flags
& SE_MNTMASK
;
535 /* check if the old mount command had the same options */
536 if (sbsec
->flags
& SE_SBINITIALIZED
)
537 if (!(sbsec
->flags
& flag
) ||
538 (old_sid
!= new_sid
))
541 /* check if we were passed the same options twice,
542 * aka someone passed context=a,context=b
544 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
545 if (mnt_flags
& flag
)
551 * Allow filesystems with binary mount data to explicitly set mount point
552 * labeling information.
554 static int selinux_set_mnt_opts(struct super_block
*sb
,
555 struct security_mnt_opts
*opts
)
557 const struct cred
*cred
= current_cred();
559 struct superblock_security_struct
*sbsec
= sb
->s_security
;
560 const char *name
= sb
->s_type
->name
;
561 struct inode
*inode
= sbsec
->sb
->s_root
->d_inode
;
562 struct inode_security_struct
*root_isec
= inode
->i_security
;
563 u32 fscontext_sid
= 0, context_sid
= 0, rootcontext_sid
= 0;
564 u32 defcontext_sid
= 0;
565 char **mount_options
= opts
->mnt_opts
;
566 int *flags
= opts
->mnt_opts_flags
;
567 int num_opts
= opts
->num_mnt_opts
;
569 mutex_lock(&sbsec
->lock
);
571 if (!ss_initialized
) {
573 /* Defer initialization until selinux_complete_init,
574 after the initial policy is loaded and the security
575 server is ready to handle calls. */
579 printk(KERN_WARNING
"SELinux: Unable to set superblock options "
580 "before the security server is initialized\n");
585 * Binary mount data FS will come through this function twice. Once
586 * from an explicit call and once from the generic calls from the vfs.
587 * Since the generic VFS calls will not contain any security mount data
588 * we need to skip the double mount verification.
590 * This does open a hole in which we will not notice if the first
591 * mount using this sb set explict options and a second mount using
592 * this sb does not set any security options. (The first options
593 * will be used for both mounts)
595 if ((sbsec
->flags
& SE_SBINITIALIZED
) && (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
600 * parse the mount options, check if they are valid sids.
601 * also check if someone is trying to mount the same sb more
602 * than once with different security options.
604 for (i
= 0; i
< num_opts
; i
++) {
607 if (flags
[i
] == SE_SBLABELSUPP
)
609 rc
= security_context_to_sid(mount_options
[i
],
610 strlen(mount_options
[i
]), &sid
);
612 printk(KERN_WARNING
"SELinux: security_context_to_sid"
613 "(%s) failed for (dev %s, type %s) errno=%d\n",
614 mount_options
[i
], sb
->s_id
, name
, rc
);
621 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
,
623 goto out_double_mount
;
625 sbsec
->flags
|= FSCONTEXT_MNT
;
630 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
,
632 goto out_double_mount
;
634 sbsec
->flags
|= CONTEXT_MNT
;
636 case ROOTCONTEXT_MNT
:
637 rootcontext_sid
= sid
;
639 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
,
641 goto out_double_mount
;
643 sbsec
->flags
|= ROOTCONTEXT_MNT
;
647 defcontext_sid
= sid
;
649 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
,
651 goto out_double_mount
;
653 sbsec
->flags
|= DEFCONTEXT_MNT
;
662 if (sbsec
->flags
& SE_SBINITIALIZED
) {
663 /* previously mounted with options, but not on this attempt? */
664 if ((sbsec
->flags
& SE_MNTMASK
) && !num_opts
)
665 goto out_double_mount
;
670 if (strcmp(sb
->s_type
->name
, "proc") == 0)
671 sbsec
->flags
|= SE_SBPROC
;
673 /* Determine the labeling behavior to use for this filesystem type. */
674 rc
= security_fs_use((sbsec
->flags
& SE_SBPROC
) ? "proc" : sb
->s_type
->name
, &sbsec
->behavior
, &sbsec
->sid
);
676 printk(KERN_WARNING
"%s: security_fs_use(%s) returned %d\n",
677 __func__
, sb
->s_type
->name
, rc
);
681 /* sets the context of the superblock for the fs being mounted. */
683 rc
= may_context_mount_sb_relabel(fscontext_sid
, sbsec
, cred
);
687 sbsec
->sid
= fscontext_sid
;
691 * Switch to using mount point labeling behavior.
692 * sets the label used on all file below the mountpoint, and will set
693 * the superblock context if not already set.
696 if (!fscontext_sid
) {
697 rc
= may_context_mount_sb_relabel(context_sid
, sbsec
,
701 sbsec
->sid
= context_sid
;
703 rc
= may_context_mount_inode_relabel(context_sid
, sbsec
,
708 if (!rootcontext_sid
)
709 rootcontext_sid
= context_sid
;
711 sbsec
->mntpoint_sid
= context_sid
;
712 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
715 if (rootcontext_sid
) {
716 rc
= may_context_mount_inode_relabel(rootcontext_sid
, sbsec
,
721 root_isec
->sid
= rootcontext_sid
;
722 root_isec
->initialized
= 1;
725 if (defcontext_sid
) {
726 if (sbsec
->behavior
!= SECURITY_FS_USE_XATTR
) {
728 printk(KERN_WARNING
"SELinux: defcontext option is "
729 "invalid for this filesystem type\n");
733 if (defcontext_sid
!= sbsec
->def_sid
) {
734 rc
= may_context_mount_inode_relabel(defcontext_sid
,
740 sbsec
->def_sid
= defcontext_sid
;
743 rc
= sb_finish_set_opts(sb
);
745 mutex_unlock(&sbsec
->lock
);
749 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, different "
750 "security settings for (dev %s, type %s)\n", sb
->s_id
, name
);
754 static void selinux_sb_clone_mnt_opts(const struct super_block
*oldsb
,
755 struct super_block
*newsb
)
757 const struct superblock_security_struct
*oldsbsec
= oldsb
->s_security
;
758 struct superblock_security_struct
*newsbsec
= newsb
->s_security
;
760 int set_fscontext
= (oldsbsec
->flags
& FSCONTEXT_MNT
);
761 int set_context
= (oldsbsec
->flags
& CONTEXT_MNT
);
762 int set_rootcontext
= (oldsbsec
->flags
& ROOTCONTEXT_MNT
);
765 * if the parent was able to be mounted it clearly had no special lsm
766 * mount options. thus we can safely deal with this superblock later
771 /* how can we clone if the old one wasn't set up?? */
772 BUG_ON(!(oldsbsec
->flags
& SE_SBINITIALIZED
));
774 /* if fs is reusing a sb, just let its options stand... */
775 if (newsbsec
->flags
& SE_SBINITIALIZED
)
778 mutex_lock(&newsbsec
->lock
);
780 newsbsec
->flags
= oldsbsec
->flags
;
782 newsbsec
->sid
= oldsbsec
->sid
;
783 newsbsec
->def_sid
= oldsbsec
->def_sid
;
784 newsbsec
->behavior
= oldsbsec
->behavior
;
787 u32 sid
= oldsbsec
->mntpoint_sid
;
791 if (!set_rootcontext
) {
792 struct inode
*newinode
= newsb
->s_root
->d_inode
;
793 struct inode_security_struct
*newisec
= newinode
->i_security
;
796 newsbsec
->mntpoint_sid
= sid
;
798 if (set_rootcontext
) {
799 const struct inode
*oldinode
= oldsb
->s_root
->d_inode
;
800 const struct inode_security_struct
*oldisec
= oldinode
->i_security
;
801 struct inode
*newinode
= newsb
->s_root
->d_inode
;
802 struct inode_security_struct
*newisec
= newinode
->i_security
;
804 newisec
->sid
= oldisec
->sid
;
807 sb_finish_set_opts(newsb
);
808 mutex_unlock(&newsbsec
->lock
);
811 static int selinux_parse_opts_str(char *options
,
812 struct security_mnt_opts
*opts
)
815 char *context
= NULL
, *defcontext
= NULL
;
816 char *fscontext
= NULL
, *rootcontext
= NULL
;
817 int rc
, num_mnt_opts
= 0;
819 opts
->num_mnt_opts
= 0;
821 /* Standard string-based options. */
822 while ((p
= strsep(&options
, "|")) != NULL
) {
824 substring_t args
[MAX_OPT_ARGS
];
829 token
= match_token(p
, tokens
, args
);
833 if (context
|| defcontext
) {
835 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
838 context
= match_strdup(&args
[0]);
848 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
851 fscontext
= match_strdup(&args
[0]);
858 case Opt_rootcontext
:
861 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
864 rootcontext
= match_strdup(&args
[0]);
872 if (context
|| defcontext
) {
874 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
877 defcontext
= match_strdup(&args
[0]);
883 case Opt_labelsupport
:
887 printk(KERN_WARNING
"SELinux: unknown mount option\n");
894 opts
->mnt_opts
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(char *), GFP_ATOMIC
);
898 opts
->mnt_opts_flags
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(int), GFP_ATOMIC
);
899 if (!opts
->mnt_opts_flags
) {
900 kfree(opts
->mnt_opts
);
905 opts
->mnt_opts
[num_mnt_opts
] = fscontext
;
906 opts
->mnt_opts_flags
[num_mnt_opts
++] = FSCONTEXT_MNT
;
909 opts
->mnt_opts
[num_mnt_opts
] = context
;
910 opts
->mnt_opts_flags
[num_mnt_opts
++] = CONTEXT_MNT
;
913 opts
->mnt_opts
[num_mnt_opts
] = rootcontext
;
914 opts
->mnt_opts_flags
[num_mnt_opts
++] = ROOTCONTEXT_MNT
;
917 opts
->mnt_opts
[num_mnt_opts
] = defcontext
;
918 opts
->mnt_opts_flags
[num_mnt_opts
++] = DEFCONTEXT_MNT
;
921 opts
->num_mnt_opts
= num_mnt_opts
;
932 * string mount options parsing and call set the sbsec
934 static int superblock_doinit(struct super_block
*sb
, void *data
)
937 char *options
= data
;
938 struct security_mnt_opts opts
;
940 security_init_mnt_opts(&opts
);
945 BUG_ON(sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
);
947 rc
= selinux_parse_opts_str(options
, &opts
);
952 rc
= selinux_set_mnt_opts(sb
, &opts
);
955 security_free_mnt_opts(&opts
);
959 static void selinux_write_opts(struct seq_file
*m
,
960 struct security_mnt_opts
*opts
)
965 for (i
= 0; i
< opts
->num_mnt_opts
; i
++) {
968 if (opts
->mnt_opts
[i
])
969 has_comma
= strchr(opts
->mnt_opts
[i
], ',');
973 switch (opts
->mnt_opts_flags
[i
]) {
975 prefix
= CONTEXT_STR
;
978 prefix
= FSCONTEXT_STR
;
980 case ROOTCONTEXT_MNT
:
981 prefix
= ROOTCONTEXT_STR
;
984 prefix
= DEFCONTEXT_STR
;
988 seq_puts(m
, LABELSUPP_STR
);
993 /* we need a comma before each option */
998 seq_puts(m
, opts
->mnt_opts
[i
]);
1004 static int selinux_sb_show_options(struct seq_file
*m
, struct super_block
*sb
)
1006 struct security_mnt_opts opts
;
1009 rc
= selinux_get_mnt_opts(sb
, &opts
);
1011 /* before policy load we may get EINVAL, don't show anything */
1017 selinux_write_opts(m
, &opts
);
1019 security_free_mnt_opts(&opts
);
1024 static inline u16
inode_mode_to_security_class(umode_t mode
)
1026 switch (mode
& S_IFMT
) {
1028 return SECCLASS_SOCK_FILE
;
1030 return SECCLASS_LNK_FILE
;
1032 return SECCLASS_FILE
;
1034 return SECCLASS_BLK_FILE
;
1036 return SECCLASS_DIR
;
1038 return SECCLASS_CHR_FILE
;
1040 return SECCLASS_FIFO_FILE
;
1044 return SECCLASS_FILE
;
1047 static inline int default_protocol_stream(int protocol
)
1049 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_TCP
);
1052 static inline int default_protocol_dgram(int protocol
)
1054 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_UDP
);
1057 static inline u16
socket_type_to_security_class(int family
, int type
, int protocol
)
1063 case SOCK_SEQPACKET
:
1064 return SECCLASS_UNIX_STREAM_SOCKET
;
1066 return SECCLASS_UNIX_DGRAM_SOCKET
;
1073 if (default_protocol_stream(protocol
))
1074 return SECCLASS_TCP_SOCKET
;
1076 return SECCLASS_RAWIP_SOCKET
;
1078 if (default_protocol_dgram(protocol
))
1079 return SECCLASS_UDP_SOCKET
;
1081 return SECCLASS_RAWIP_SOCKET
;
1083 return SECCLASS_DCCP_SOCKET
;
1085 return SECCLASS_RAWIP_SOCKET
;
1091 return SECCLASS_NETLINK_ROUTE_SOCKET
;
1092 case NETLINK_FIREWALL
:
1093 return SECCLASS_NETLINK_FIREWALL_SOCKET
;
1094 case NETLINK_INET_DIAG
:
1095 return SECCLASS_NETLINK_TCPDIAG_SOCKET
;
1097 return SECCLASS_NETLINK_NFLOG_SOCKET
;
1099 return SECCLASS_NETLINK_XFRM_SOCKET
;
1100 case NETLINK_SELINUX
:
1101 return SECCLASS_NETLINK_SELINUX_SOCKET
;
1103 return SECCLASS_NETLINK_AUDIT_SOCKET
;
1104 case NETLINK_IP6_FW
:
1105 return SECCLASS_NETLINK_IP6FW_SOCKET
;
1106 case NETLINK_DNRTMSG
:
1107 return SECCLASS_NETLINK_DNRT_SOCKET
;
1108 case NETLINK_KOBJECT_UEVENT
:
1109 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET
;
1111 return SECCLASS_NETLINK_SOCKET
;
1114 return SECCLASS_PACKET_SOCKET
;
1116 return SECCLASS_KEY_SOCKET
;
1118 return SECCLASS_APPLETALK_SOCKET
;
1121 return SECCLASS_SOCKET
;
1124 #ifdef CONFIG_PROC_FS
1125 static int selinux_proc_get_sid(struct dentry
*dentry
,
1130 char *buffer
, *path
;
1132 buffer
= (char *)__get_free_page(GFP_KERNEL
);
1136 path
= dentry_path_raw(dentry
, buffer
, PAGE_SIZE
);
1140 /* each process gets a /proc/PID/ entry. Strip off the
1141 * PID part to get a valid selinux labeling.
1142 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1143 while (path
[1] >= '0' && path
[1] <= '9') {
1147 rc
= security_genfs_sid("proc", path
, tclass
, sid
);
1149 free_page((unsigned long)buffer
);
1153 static int selinux_proc_get_sid(struct dentry
*dentry
,
1161 /* The inode's security attributes must be initialized before first use. */
1162 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
)
1164 struct superblock_security_struct
*sbsec
= NULL
;
1165 struct inode_security_struct
*isec
= inode
->i_security
;
1167 struct dentry
*dentry
;
1168 #define INITCONTEXTLEN 255
1169 char *context
= NULL
;
1173 if (isec
->initialized
)
1176 mutex_lock(&isec
->lock
);
1177 if (isec
->initialized
)
1180 sbsec
= inode
->i_sb
->s_security
;
1181 if (!(sbsec
->flags
& SE_SBINITIALIZED
)) {
1182 /* Defer initialization until selinux_complete_init,
1183 after the initial policy is loaded and the security
1184 server is ready to handle calls. */
1185 spin_lock(&sbsec
->isec_lock
);
1186 if (list_empty(&isec
->list
))
1187 list_add(&isec
->list
, &sbsec
->isec_head
);
1188 spin_unlock(&sbsec
->isec_lock
);
1192 switch (sbsec
->behavior
) {
1193 case SECURITY_FS_USE_XATTR
:
1194 if (!inode
->i_op
->getxattr
) {
1195 isec
->sid
= sbsec
->def_sid
;
1199 /* Need a dentry, since the xattr API requires one.
1200 Life would be simpler if we could just pass the inode. */
1202 /* Called from d_instantiate or d_splice_alias. */
1203 dentry
= dget(opt_dentry
);
1205 /* Called from selinux_complete_init, try to find a dentry. */
1206 dentry
= d_find_alias(inode
);
1210 * this is can be hit on boot when a file is accessed
1211 * before the policy is loaded. When we load policy we
1212 * may find inodes that have no dentry on the
1213 * sbsec->isec_head list. No reason to complain as these
1214 * will get fixed up the next time we go through
1215 * inode_doinit with a dentry, before these inodes could
1216 * be used again by userspace.
1221 len
= INITCONTEXTLEN
;
1222 context
= kmalloc(len
+1, GFP_NOFS
);
1228 context
[len
] = '\0';
1229 rc
= inode
->i_op
->getxattr(dentry
, XATTR_NAME_SELINUX
,
1231 if (rc
== -ERANGE
) {
1234 /* Need a larger buffer. Query for the right size. */
1235 rc
= inode
->i_op
->getxattr(dentry
, XATTR_NAME_SELINUX
,
1242 context
= kmalloc(len
+1, GFP_NOFS
);
1248 context
[len
] = '\0';
1249 rc
= inode
->i_op
->getxattr(dentry
,
1255 if (rc
!= -ENODATA
) {
1256 printk(KERN_WARNING
"SELinux: %s: getxattr returned "
1257 "%d for dev=%s ino=%ld\n", __func__
,
1258 -rc
, inode
->i_sb
->s_id
, inode
->i_ino
);
1262 /* Map ENODATA to the default file SID */
1263 sid
= sbsec
->def_sid
;
1266 rc
= security_context_to_sid_default(context
, rc
, &sid
,
1270 char *dev
= inode
->i_sb
->s_id
;
1271 unsigned long ino
= inode
->i_ino
;
1273 if (rc
== -EINVAL
) {
1274 if (printk_ratelimit())
1275 printk(KERN_NOTICE
"SELinux: inode=%lu on dev=%s was found to have an invalid "
1276 "context=%s. This indicates you may need to relabel the inode or the "
1277 "filesystem in question.\n", ino
, dev
, context
);
1279 printk(KERN_WARNING
"SELinux: %s: context_to_sid(%s) "
1280 "returned %d for dev=%s ino=%ld\n",
1281 __func__
, context
, -rc
, dev
, ino
);
1284 /* Leave with the unlabeled SID */
1292 case SECURITY_FS_USE_TASK
:
1293 isec
->sid
= isec
->task_sid
;
1295 case SECURITY_FS_USE_TRANS
:
1296 /* Default to the fs SID. */
1297 isec
->sid
= sbsec
->sid
;
1299 /* Try to obtain a transition SID. */
1300 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1301 rc
= security_transition_sid(isec
->task_sid
, sbsec
->sid
,
1302 isec
->sclass
, NULL
, &sid
);
1307 case SECURITY_FS_USE_MNTPOINT
:
1308 isec
->sid
= sbsec
->mntpoint_sid
;
1311 /* Default to the fs superblock SID. */
1312 isec
->sid
= sbsec
->sid
;
1314 if ((sbsec
->flags
& SE_SBPROC
) && !S_ISLNK(inode
->i_mode
)) {
1316 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1317 rc
= selinux_proc_get_sid(opt_dentry
,
1328 isec
->initialized
= 1;
1331 mutex_unlock(&isec
->lock
);
1333 if (isec
->sclass
== SECCLASS_FILE
)
1334 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1338 /* Convert a Linux signal to an access vector. */
1339 static inline u32
signal_to_av(int sig
)
1345 /* Commonly granted from child to parent. */
1346 perm
= PROCESS__SIGCHLD
;
1349 /* Cannot be caught or ignored */
1350 perm
= PROCESS__SIGKILL
;
1353 /* Cannot be caught or ignored */
1354 perm
= PROCESS__SIGSTOP
;
1357 /* All other signals. */
1358 perm
= PROCESS__SIGNAL
;
1366 * Check permission between a pair of credentials
1367 * fork check, ptrace check, etc.
1369 static int cred_has_perm(const struct cred
*actor
,
1370 const struct cred
*target
,
1373 u32 asid
= cred_sid(actor
), tsid
= cred_sid(target
);
1375 return avc_has_perm(asid
, tsid
, SECCLASS_PROCESS
, perms
, NULL
);
1379 * Check permission between a pair of tasks, e.g. signal checks,
1380 * fork check, ptrace check, etc.
1381 * tsk1 is the actor and tsk2 is the target
1382 * - this uses the default subjective creds of tsk1
1384 static int task_has_perm(const struct task_struct
*tsk1
,
1385 const struct task_struct
*tsk2
,
1388 const struct task_security_struct
*__tsec1
, *__tsec2
;
1392 __tsec1
= __task_cred(tsk1
)->security
; sid1
= __tsec1
->sid
;
1393 __tsec2
= __task_cred(tsk2
)->security
; sid2
= __tsec2
->sid
;
1395 return avc_has_perm(sid1
, sid2
, SECCLASS_PROCESS
, perms
, NULL
);
1399 * Check permission between current and another task, e.g. signal checks,
1400 * fork check, ptrace check, etc.
1401 * current is the actor and tsk2 is the target
1402 * - this uses current's subjective creds
1404 static int current_has_perm(const struct task_struct
*tsk
,
1409 sid
= current_sid();
1410 tsid
= task_sid(tsk
);
1411 return avc_has_perm(sid
, tsid
, SECCLASS_PROCESS
, perms
, NULL
);
1414 #if CAP_LAST_CAP > 63
1415 #error Fix SELinux to handle capabilities > 63.
1418 /* Check whether a task is allowed to use a capability. */
1419 static int task_has_capability(struct task_struct
*tsk
,
1420 const struct cred
*cred
,
1423 struct common_audit_data ad
;
1424 struct av_decision avd
;
1426 u32 sid
= cred_sid(cred
);
1427 u32 av
= CAP_TO_MASK(cap
);
1430 COMMON_AUDIT_DATA_INIT(&ad
, CAP
);
1434 switch (CAP_TO_INDEX(cap
)) {
1436 sclass
= SECCLASS_CAPABILITY
;
1439 sclass
= SECCLASS_CAPABILITY2
;
1443 "SELinux: out of range capability %d\n", cap
);
1447 rc
= avc_has_perm_noaudit(sid
, sid
, sclass
, av
, 0, &avd
);
1448 if (audit
== SECURITY_CAP_AUDIT
)
1449 avc_audit(sid
, sid
, sclass
, av
, &avd
, rc
, &ad
);
1453 /* Check whether a task is allowed to use a system operation. */
1454 static int task_has_system(struct task_struct
*tsk
,
1457 u32 sid
= task_sid(tsk
);
1459 return avc_has_perm(sid
, SECINITSID_KERNEL
,
1460 SECCLASS_SYSTEM
, perms
, NULL
);
1463 /* Check whether a task has a particular permission to an inode.
1464 The 'adp' parameter is optional and allows other audit
1465 data to be passed (e.g. the dentry). */
1466 static int inode_has_perm(const struct cred
*cred
,
1467 struct inode
*inode
,
1469 struct common_audit_data
*adp
)
1471 struct inode_security_struct
*isec
;
1472 struct common_audit_data ad
;
1475 validate_creds(cred
);
1477 if (unlikely(IS_PRIVATE(inode
)))
1480 sid
= cred_sid(cred
);
1481 isec
= inode
->i_security
;
1485 COMMON_AUDIT_DATA_INIT(&ad
, FS
);
1486 ad
.u
.fs
.inode
= inode
;
1489 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, adp
);
1492 /* Same as inode_has_perm, but pass explicit audit data containing
1493 the dentry to help the auditing code to more easily generate the
1494 pathname if needed. */
1495 static inline int dentry_has_perm(const struct cred
*cred
,
1496 struct vfsmount
*mnt
,
1497 struct dentry
*dentry
,
1500 struct inode
*inode
= dentry
->d_inode
;
1501 struct common_audit_data ad
;
1503 COMMON_AUDIT_DATA_INIT(&ad
, FS
);
1504 ad
.u
.fs
.path
.mnt
= mnt
;
1505 ad
.u
.fs
.path
.dentry
= dentry
;
1506 return inode_has_perm(cred
, inode
, av
, &ad
);
1509 /* Check whether a task can use an open file descriptor to
1510 access an inode in a given way. Check access to the
1511 descriptor itself, and then use dentry_has_perm to
1512 check a particular permission to the file.
1513 Access to the descriptor is implicitly granted if it
1514 has the same SID as the process. If av is zero, then
1515 access to the file is not checked, e.g. for cases
1516 where only the descriptor is affected like seek. */
1517 static int file_has_perm(const struct cred
*cred
,
1521 struct file_security_struct
*fsec
= file
->f_security
;
1522 struct inode
*inode
= file
->f_path
.dentry
->d_inode
;
1523 struct common_audit_data ad
;
1524 u32 sid
= cred_sid(cred
);
1527 COMMON_AUDIT_DATA_INIT(&ad
, FS
);
1528 ad
.u
.fs
.path
= file
->f_path
;
1530 if (sid
!= fsec
->sid
) {
1531 rc
= avc_has_perm(sid
, fsec
->sid
,
1539 /* av is zero if only checking access to the descriptor. */
1542 rc
= inode_has_perm(cred
, inode
, av
, &ad
);
1548 /* Check whether a task can create a file. */
1549 static int may_create(struct inode
*dir
,
1550 struct dentry
*dentry
,
1553 const struct task_security_struct
*tsec
= current_security();
1554 struct inode_security_struct
*dsec
;
1555 struct superblock_security_struct
*sbsec
;
1557 struct common_audit_data ad
;
1560 dsec
= dir
->i_security
;
1561 sbsec
= dir
->i_sb
->s_security
;
1564 newsid
= tsec
->create_sid
;
1566 COMMON_AUDIT_DATA_INIT(&ad
, FS
);
1567 ad
.u
.fs
.path
.dentry
= dentry
;
1569 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
,
1570 DIR__ADD_NAME
| DIR__SEARCH
,
1575 if (!newsid
|| !(sbsec
->flags
& SE_SBLABELSUPP
)) {
1576 rc
= security_transition_sid(sid
, dsec
->sid
, tclass
, NULL
, &newsid
);
1581 rc
= avc_has_perm(sid
, newsid
, tclass
, FILE__CREATE
, &ad
);
1585 return avc_has_perm(newsid
, sbsec
->sid
,
1586 SECCLASS_FILESYSTEM
,
1587 FILESYSTEM__ASSOCIATE
, &ad
);
1590 /* Check whether a task can create a key. */
1591 static int may_create_key(u32 ksid
,
1592 struct task_struct
*ctx
)
1594 u32 sid
= task_sid(ctx
);
1596 return avc_has_perm(sid
, ksid
, SECCLASS_KEY
, KEY__CREATE
, NULL
);
1600 #define MAY_UNLINK 1
1603 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1604 static int may_link(struct inode
*dir
,
1605 struct dentry
*dentry
,
1609 struct inode_security_struct
*dsec
, *isec
;
1610 struct common_audit_data ad
;
1611 u32 sid
= current_sid();
1615 dsec
= dir
->i_security
;
1616 isec
= dentry
->d_inode
->i_security
;
1618 COMMON_AUDIT_DATA_INIT(&ad
, FS
);
1619 ad
.u
.fs
.path
.dentry
= dentry
;
1622 av
|= (kind
? DIR__REMOVE_NAME
: DIR__ADD_NAME
);
1623 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1638 printk(KERN_WARNING
"SELinux: %s: unrecognized kind %d\n",
1643 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
, av
, &ad
);
1647 static inline int may_rename(struct inode
*old_dir
,
1648 struct dentry
*old_dentry
,
1649 struct inode
*new_dir
,
1650 struct dentry
*new_dentry
)
1652 struct inode_security_struct
*old_dsec
, *new_dsec
, *old_isec
, *new_isec
;
1653 struct common_audit_data ad
;
1654 u32 sid
= current_sid();
1656 int old_is_dir
, new_is_dir
;
1659 old_dsec
= old_dir
->i_security
;
1660 old_isec
= old_dentry
->d_inode
->i_security
;
1661 old_is_dir
= S_ISDIR(old_dentry
->d_inode
->i_mode
);
1662 new_dsec
= new_dir
->i_security
;
1664 COMMON_AUDIT_DATA_INIT(&ad
, FS
);
1666 ad
.u
.fs
.path
.dentry
= old_dentry
;
1667 rc
= avc_has_perm(sid
, old_dsec
->sid
, SECCLASS_DIR
,
1668 DIR__REMOVE_NAME
| DIR__SEARCH
, &ad
);
1671 rc
= avc_has_perm(sid
, old_isec
->sid
,
1672 old_isec
->sclass
, FILE__RENAME
, &ad
);
1675 if (old_is_dir
&& new_dir
!= old_dir
) {
1676 rc
= avc_has_perm(sid
, old_isec
->sid
,
1677 old_isec
->sclass
, DIR__REPARENT
, &ad
);
1682 ad
.u
.fs
.path
.dentry
= new_dentry
;
1683 av
= DIR__ADD_NAME
| DIR__SEARCH
;
1684 if (new_dentry
->d_inode
)
1685 av
|= DIR__REMOVE_NAME
;
1686 rc
= avc_has_perm(sid
, new_dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1689 if (new_dentry
->d_inode
) {
1690 new_isec
= new_dentry
->d_inode
->i_security
;
1691 new_is_dir
= S_ISDIR(new_dentry
->d_inode
->i_mode
);
1692 rc
= avc_has_perm(sid
, new_isec
->sid
,
1694 (new_is_dir
? DIR__RMDIR
: FILE__UNLINK
), &ad
);
1702 /* Check whether a task can perform a filesystem operation. */
1703 static int superblock_has_perm(const struct cred
*cred
,
1704 struct super_block
*sb
,
1706 struct common_audit_data
*ad
)
1708 struct superblock_security_struct
*sbsec
;
1709 u32 sid
= cred_sid(cred
);
1711 sbsec
= sb
->s_security
;
1712 return avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
, perms
, ad
);
1715 /* Convert a Linux mode and permission mask to an access vector. */
1716 static inline u32
file_mask_to_av(int mode
, int mask
)
1720 if ((mode
& S_IFMT
) != S_IFDIR
) {
1721 if (mask
& MAY_EXEC
)
1722 av
|= FILE__EXECUTE
;
1723 if (mask
& MAY_READ
)
1726 if (mask
& MAY_APPEND
)
1728 else if (mask
& MAY_WRITE
)
1732 if (mask
& MAY_EXEC
)
1734 if (mask
& MAY_WRITE
)
1736 if (mask
& MAY_READ
)
1743 /* Convert a Linux file to an access vector. */
1744 static inline u32
file_to_av(struct file
*file
)
1748 if (file
->f_mode
& FMODE_READ
)
1750 if (file
->f_mode
& FMODE_WRITE
) {
1751 if (file
->f_flags
& O_APPEND
)
1758 * Special file opened with flags 3 for ioctl-only use.
1767 * Convert a file to an access vector and include the correct open
1770 static inline u32
open_file_to_av(struct file
*file
)
1772 u32 av
= file_to_av(file
);
1774 if (selinux_policycap_openperm
)
1780 /* Hook functions begin here. */
1782 static int selinux_ptrace_access_check(struct task_struct
*child
,
1787 rc
= cap_ptrace_access_check(child
, mode
);
1791 if (mode
== PTRACE_MODE_READ
) {
1792 u32 sid
= current_sid();
1793 u32 csid
= task_sid(child
);
1794 return avc_has_perm(sid
, csid
, SECCLASS_FILE
, FILE__READ
, NULL
);
1797 return current_has_perm(child
, PROCESS__PTRACE
);
1800 static int selinux_ptrace_traceme(struct task_struct
*parent
)
1804 rc
= cap_ptrace_traceme(parent
);
1808 return task_has_perm(parent
, current
, PROCESS__PTRACE
);
1811 static int selinux_capget(struct task_struct
*target
, kernel_cap_t
*effective
,
1812 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
1816 error
= current_has_perm(target
, PROCESS__GETCAP
);
1820 return cap_capget(target
, effective
, inheritable
, permitted
);
1823 static int selinux_capset(struct cred
*new, const struct cred
*old
,
1824 const kernel_cap_t
*effective
,
1825 const kernel_cap_t
*inheritable
,
1826 const kernel_cap_t
*permitted
)
1830 error
= cap_capset(new, old
,
1831 effective
, inheritable
, permitted
);
1835 return cred_has_perm(old
, new, PROCESS__SETCAP
);
1839 * (This comment used to live with the selinux_task_setuid hook,
1840 * which was removed).
1842 * Since setuid only affects the current process, and since the SELinux
1843 * controls are not based on the Linux identity attributes, SELinux does not
1844 * need to control this operation. However, SELinux does control the use of
1845 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
1848 static int selinux_capable(struct task_struct
*tsk
, const struct cred
*cred
,
1853 rc
= cap_capable(tsk
, cred
, cap
, audit
);
1857 return task_has_capability(tsk
, cred
, cap
, audit
);
1860 static int selinux_quotactl(int cmds
, int type
, int id
, struct super_block
*sb
)
1862 const struct cred
*cred
= current_cred();
1874 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAMOD
, NULL
);
1879 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAGET
, NULL
);
1882 rc
= 0; /* let the kernel handle invalid cmds */
1888 static int selinux_quota_on(struct dentry
*dentry
)
1890 const struct cred
*cred
= current_cred();
1892 return dentry_has_perm(cred
, NULL
, dentry
, FILE__QUOTAON
);
1895 static int selinux_syslog(int type
)
1900 case SYSLOG_ACTION_READ_ALL
: /* Read last kernel messages */
1901 case SYSLOG_ACTION_SIZE_BUFFER
: /* Return size of the log buffer */
1902 rc
= task_has_system(current
, SYSTEM__SYSLOG_READ
);
1904 case SYSLOG_ACTION_CONSOLE_OFF
: /* Disable logging to console */
1905 case SYSLOG_ACTION_CONSOLE_ON
: /* Enable logging to console */
1906 /* Set level of messages printed to console */
1907 case SYSLOG_ACTION_CONSOLE_LEVEL
:
1908 rc
= task_has_system(current
, SYSTEM__SYSLOG_CONSOLE
);
1910 case SYSLOG_ACTION_CLOSE
: /* Close log */
1911 case SYSLOG_ACTION_OPEN
: /* Open log */
1912 case SYSLOG_ACTION_READ
: /* Read from log */
1913 case SYSLOG_ACTION_READ_CLEAR
: /* Read/clear last kernel messages */
1914 case SYSLOG_ACTION_CLEAR
: /* Clear ring buffer */
1916 rc
= task_has_system(current
, SYSTEM__SYSLOG_MOD
);
1923 * Check that a process has enough memory to allocate a new virtual
1924 * mapping. 0 means there is enough memory for the allocation to
1925 * succeed and -ENOMEM implies there is not.
1927 * Do not audit the selinux permission check, as this is applied to all
1928 * processes that allocate mappings.
1930 static int selinux_vm_enough_memory(struct mm_struct
*mm
, long pages
)
1932 int rc
, cap_sys_admin
= 0;
1934 rc
= selinux_capable(current
, current_cred(), CAP_SYS_ADMIN
,
1935 SECURITY_CAP_NOAUDIT
);
1939 return __vm_enough_memory(mm
, pages
, cap_sys_admin
);
1942 /* binprm security operations */
1944 static int selinux_bprm_set_creds(struct linux_binprm
*bprm
)
1946 const struct task_security_struct
*old_tsec
;
1947 struct task_security_struct
*new_tsec
;
1948 struct inode_security_struct
*isec
;
1949 struct common_audit_data ad
;
1950 struct inode
*inode
= bprm
->file
->f_path
.dentry
->d_inode
;
1953 rc
= cap_bprm_set_creds(bprm
);
1957 /* SELinux context only depends on initial program or script and not
1958 * the script interpreter */
1959 if (bprm
->cred_prepared
)
1962 old_tsec
= current_security();
1963 new_tsec
= bprm
->cred
->security
;
1964 isec
= inode
->i_security
;
1966 /* Default to the current task SID. */
1967 new_tsec
->sid
= old_tsec
->sid
;
1968 new_tsec
->osid
= old_tsec
->sid
;
1970 /* Reset fs, key, and sock SIDs on execve. */
1971 new_tsec
->create_sid
= 0;
1972 new_tsec
->keycreate_sid
= 0;
1973 new_tsec
->sockcreate_sid
= 0;
1975 if (old_tsec
->exec_sid
) {
1976 new_tsec
->sid
= old_tsec
->exec_sid
;
1977 /* Reset exec SID on execve. */
1978 new_tsec
->exec_sid
= 0;
1980 /* Check for a default transition on this program. */
1981 rc
= security_transition_sid(old_tsec
->sid
, isec
->sid
,
1982 SECCLASS_PROCESS
, NULL
,
1988 COMMON_AUDIT_DATA_INIT(&ad
, FS
);
1989 ad
.u
.fs
.path
= bprm
->file
->f_path
;
1991 if (bprm
->file
->f_path
.mnt
->mnt_flags
& MNT_NOSUID
)
1992 new_tsec
->sid
= old_tsec
->sid
;
1994 if (new_tsec
->sid
== old_tsec
->sid
) {
1995 rc
= avc_has_perm(old_tsec
->sid
, isec
->sid
,
1996 SECCLASS_FILE
, FILE__EXECUTE_NO_TRANS
, &ad
);
2000 /* Check permissions for the transition. */
2001 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2002 SECCLASS_PROCESS
, PROCESS__TRANSITION
, &ad
);
2006 rc
= avc_has_perm(new_tsec
->sid
, isec
->sid
,
2007 SECCLASS_FILE
, FILE__ENTRYPOINT
, &ad
);
2011 /* Check for shared state */
2012 if (bprm
->unsafe
& LSM_UNSAFE_SHARE
) {
2013 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2014 SECCLASS_PROCESS
, PROCESS__SHARE
,
2020 /* Make sure that anyone attempting to ptrace over a task that
2021 * changes its SID has the appropriate permit */
2023 (LSM_UNSAFE_PTRACE
| LSM_UNSAFE_PTRACE_CAP
)) {
2024 struct task_struct
*tracer
;
2025 struct task_security_struct
*sec
;
2029 tracer
= tracehook_tracer_task(current
);
2030 if (likely(tracer
!= NULL
)) {
2031 sec
= __task_cred(tracer
)->security
;
2037 rc
= avc_has_perm(ptsid
, new_tsec
->sid
,
2039 PROCESS__PTRACE
, NULL
);
2045 /* Clear any possibly unsafe personality bits on exec: */
2046 bprm
->per_clear
|= PER_CLEAR_ON_SETID
;
2052 static int selinux_bprm_secureexec(struct linux_binprm
*bprm
)
2054 const struct task_security_struct
*tsec
= current_security();
2062 /* Enable secure mode for SIDs transitions unless
2063 the noatsecure permission is granted between
2064 the two SIDs, i.e. ahp returns 0. */
2065 atsecure
= avc_has_perm(osid
, sid
,
2067 PROCESS__NOATSECURE
, NULL
);
2070 return (atsecure
|| cap_bprm_secureexec(bprm
));
2073 extern struct vfsmount
*selinuxfs_mount
;
2074 extern struct dentry
*selinux_null
;
2076 /* Derived from fs/exec.c:flush_old_files. */
2077 static inline void flush_unauthorized_files(const struct cred
*cred
,
2078 struct files_struct
*files
)
2080 struct common_audit_data ad
;
2081 struct file
*file
, *devnull
= NULL
;
2082 struct tty_struct
*tty
;
2083 struct fdtable
*fdt
;
2087 tty
= get_current_tty();
2089 spin_lock(&tty_files_lock
);
2090 if (!list_empty(&tty
->tty_files
)) {
2091 struct tty_file_private
*file_priv
;
2092 struct inode
*inode
;
2094 /* Revalidate access to controlling tty.
2095 Use inode_has_perm on the tty inode directly rather
2096 than using file_has_perm, as this particular open
2097 file may belong to another process and we are only
2098 interested in the inode-based check here. */
2099 file_priv
= list_first_entry(&tty
->tty_files
,
2100 struct tty_file_private
, list
);
2101 file
= file_priv
->file
;
2102 inode
= file
->f_path
.dentry
->d_inode
;
2103 if (inode_has_perm(cred
, inode
,
2104 FILE__READ
| FILE__WRITE
, NULL
)) {
2108 spin_unlock(&tty_files_lock
);
2111 /* Reset controlling tty. */
2115 /* Revalidate access to inherited open files. */
2117 COMMON_AUDIT_DATA_INIT(&ad
, FS
);
2119 spin_lock(&files
->file_lock
);
2121 unsigned long set
, i
;
2126 fdt
= files_fdtable(files
);
2127 if (i
>= fdt
->max_fds
)
2129 set
= fdt
->open_fds
->fds_bits
[j
];
2132 spin_unlock(&files
->file_lock
);
2133 for ( ; set
; i
++, set
>>= 1) {
2138 if (file_has_perm(cred
,
2140 file_to_av(file
))) {
2142 fd
= get_unused_fd();
2152 devnull
= dentry_open(
2154 mntget(selinuxfs_mount
),
2156 if (IS_ERR(devnull
)) {
2163 fd_install(fd
, devnull
);
2168 spin_lock(&files
->file_lock
);
2171 spin_unlock(&files
->file_lock
);
2175 * Prepare a process for imminent new credential changes due to exec
2177 static void selinux_bprm_committing_creds(struct linux_binprm
*bprm
)
2179 struct task_security_struct
*new_tsec
;
2180 struct rlimit
*rlim
, *initrlim
;
2183 new_tsec
= bprm
->cred
->security
;
2184 if (new_tsec
->sid
== new_tsec
->osid
)
2187 /* Close files for which the new task SID is not authorized. */
2188 flush_unauthorized_files(bprm
->cred
, current
->files
);
2190 /* Always clear parent death signal on SID transitions. */
2191 current
->pdeath_signal
= 0;
2193 /* Check whether the new SID can inherit resource limits from the old
2194 * SID. If not, reset all soft limits to the lower of the current
2195 * task's hard limit and the init task's soft limit.
2197 * Note that the setting of hard limits (even to lower them) can be
2198 * controlled by the setrlimit check. The inclusion of the init task's
2199 * soft limit into the computation is to avoid resetting soft limits
2200 * higher than the default soft limit for cases where the default is
2201 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2203 rc
= avc_has_perm(new_tsec
->osid
, new_tsec
->sid
, SECCLASS_PROCESS
,
2204 PROCESS__RLIMITINH
, NULL
);
2206 /* protect against do_prlimit() */
2208 for (i
= 0; i
< RLIM_NLIMITS
; i
++) {
2209 rlim
= current
->signal
->rlim
+ i
;
2210 initrlim
= init_task
.signal
->rlim
+ i
;
2211 rlim
->rlim_cur
= min(rlim
->rlim_max
, initrlim
->rlim_cur
);
2213 task_unlock(current
);
2214 update_rlimit_cpu(current
, rlimit(RLIMIT_CPU
));
2219 * Clean up the process immediately after the installation of new credentials
2222 static void selinux_bprm_committed_creds(struct linux_binprm
*bprm
)
2224 const struct task_security_struct
*tsec
= current_security();
2225 struct itimerval itimer
;
2235 /* Check whether the new SID can inherit signal state from the old SID.
2236 * If not, clear itimers to avoid subsequent signal generation and
2237 * flush and unblock signals.
2239 * This must occur _after_ the task SID has been updated so that any
2240 * kill done after the flush will be checked against the new SID.
2242 rc
= avc_has_perm(osid
, sid
, SECCLASS_PROCESS
, PROCESS__SIGINH
, NULL
);
2244 memset(&itimer
, 0, sizeof itimer
);
2245 for (i
= 0; i
< 3; i
++)
2246 do_setitimer(i
, &itimer
, NULL
);
2247 spin_lock_irq(¤t
->sighand
->siglock
);
2248 if (!(current
->signal
->flags
& SIGNAL_GROUP_EXIT
)) {
2249 __flush_signals(current
);
2250 flush_signal_handlers(current
, 1);
2251 sigemptyset(¤t
->blocked
);
2253 spin_unlock_irq(¤t
->sighand
->siglock
);
2256 /* Wake up the parent if it is waiting so that it can recheck
2257 * wait permission to the new task SID. */
2258 read_lock(&tasklist_lock
);
2259 __wake_up_parent(current
, current
->real_parent
);
2260 read_unlock(&tasklist_lock
);
2263 /* superblock security operations */
2265 static int selinux_sb_alloc_security(struct super_block
*sb
)
2267 return superblock_alloc_security(sb
);
2270 static void selinux_sb_free_security(struct super_block
*sb
)
2272 superblock_free_security(sb
);
2275 static inline int match_prefix(char *prefix
, int plen
, char *option
, int olen
)
2280 return !memcmp(prefix
, option
, plen
);
2283 static inline int selinux_option(char *option
, int len
)
2285 return (match_prefix(CONTEXT_STR
, sizeof(CONTEXT_STR
)-1, option
, len
) ||
2286 match_prefix(FSCONTEXT_STR
, sizeof(FSCONTEXT_STR
)-1, option
, len
) ||
2287 match_prefix(DEFCONTEXT_STR
, sizeof(DEFCONTEXT_STR
)-1, option
, len
) ||
2288 match_prefix(ROOTCONTEXT_STR
, sizeof(ROOTCONTEXT_STR
)-1, option
, len
) ||
2289 match_prefix(LABELSUPP_STR
, sizeof(LABELSUPP_STR
)-1, option
, len
));
2292 static inline void take_option(char **to
, char *from
, int *first
, int len
)
2299 memcpy(*to
, from
, len
);
2303 static inline void take_selinux_option(char **to
, char *from
, int *first
,
2306 int current_size
= 0;
2314 while (current_size
< len
) {
2324 static int selinux_sb_copy_data(char *orig
, char *copy
)
2326 int fnosec
, fsec
, rc
= 0;
2327 char *in_save
, *in_curr
, *in_end
;
2328 char *sec_curr
, *nosec_save
, *nosec
;
2334 nosec
= (char *)get_zeroed_page(GFP_KERNEL
);
2342 in_save
= in_end
= orig
;
2346 open_quote
= !open_quote
;
2347 if ((*in_end
== ',' && open_quote
== 0) ||
2349 int len
= in_end
- in_curr
;
2351 if (selinux_option(in_curr
, len
))
2352 take_selinux_option(&sec_curr
, in_curr
, &fsec
, len
);
2354 take_option(&nosec
, in_curr
, &fnosec
, len
);
2356 in_curr
= in_end
+ 1;
2358 } while (*in_end
++);
2360 strcpy(in_save
, nosec_save
);
2361 free_page((unsigned long)nosec_save
);
2366 static int selinux_sb_remount(struct super_block
*sb
, void *data
)
2369 struct security_mnt_opts opts
;
2370 char *secdata
, **mount_options
;
2371 struct superblock_security_struct
*sbsec
= sb
->s_security
;
2373 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
2379 if (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
2382 security_init_mnt_opts(&opts
);
2383 secdata
= alloc_secdata();
2386 rc
= selinux_sb_copy_data(data
, secdata
);
2388 goto out_free_secdata
;
2390 rc
= selinux_parse_opts_str(secdata
, &opts
);
2392 goto out_free_secdata
;
2394 mount_options
= opts
.mnt_opts
;
2395 flags
= opts
.mnt_opts_flags
;
2397 for (i
= 0; i
< opts
.num_mnt_opts
; i
++) {
2401 if (flags
[i
] == SE_SBLABELSUPP
)
2403 len
= strlen(mount_options
[i
]);
2404 rc
= security_context_to_sid(mount_options
[i
], len
, &sid
);
2406 printk(KERN_WARNING
"SELinux: security_context_to_sid"
2407 "(%s) failed for (dev %s, type %s) errno=%d\n",
2408 mount_options
[i
], sb
->s_id
, sb
->s_type
->name
, rc
);
2414 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
, sid
))
2415 goto out_bad_option
;
2418 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
, sid
))
2419 goto out_bad_option
;
2421 case ROOTCONTEXT_MNT
: {
2422 struct inode_security_struct
*root_isec
;
2423 root_isec
= sb
->s_root
->d_inode
->i_security
;
2425 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
, sid
))
2426 goto out_bad_option
;
2429 case DEFCONTEXT_MNT
:
2430 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
, sid
))
2431 goto out_bad_option
;
2440 security_free_mnt_opts(&opts
);
2442 free_secdata(secdata
);
2445 printk(KERN_WARNING
"SELinux: unable to change security options "
2446 "during remount (dev %s, type=%s)\n", sb
->s_id
,
2451 static int selinux_sb_kern_mount(struct super_block
*sb
, int flags
, void *data
)
2453 const struct cred
*cred
= current_cred();
2454 struct common_audit_data ad
;
2457 rc
= superblock_doinit(sb
, data
);
2461 /* Allow all mounts performed by the kernel */
2462 if (flags
& MS_KERNMOUNT
)
2465 COMMON_AUDIT_DATA_INIT(&ad
, FS
);
2466 ad
.u
.fs
.path
.dentry
= sb
->s_root
;
2467 return superblock_has_perm(cred
, sb
, FILESYSTEM__MOUNT
, &ad
);
2470 static int selinux_sb_statfs(struct dentry
*dentry
)
2472 const struct cred
*cred
= current_cred();
2473 struct common_audit_data ad
;
2475 COMMON_AUDIT_DATA_INIT(&ad
, FS
);
2476 ad
.u
.fs
.path
.dentry
= dentry
->d_sb
->s_root
;
2477 return superblock_has_perm(cred
, dentry
->d_sb
, FILESYSTEM__GETATTR
, &ad
);
2480 static int selinux_mount(char *dev_name
,
2483 unsigned long flags
,
2486 const struct cred
*cred
= current_cred();
2488 if (flags
& MS_REMOUNT
)
2489 return superblock_has_perm(cred
, path
->mnt
->mnt_sb
,
2490 FILESYSTEM__REMOUNT
, NULL
);
2492 return dentry_has_perm(cred
, path
->mnt
, path
->dentry
,
2496 static int selinux_umount(struct vfsmount
*mnt
, int flags
)
2498 const struct cred
*cred
= current_cred();
2500 return superblock_has_perm(cred
, mnt
->mnt_sb
,
2501 FILESYSTEM__UNMOUNT
, NULL
);
2504 /* inode security operations */
2506 static int selinux_inode_alloc_security(struct inode
*inode
)
2508 return inode_alloc_security(inode
);
2511 static void selinux_inode_free_security(struct inode
*inode
)
2513 inode_free_security(inode
);
2516 static int selinux_inode_init_security(struct inode
*inode
, struct inode
*dir
,
2517 const struct qstr
*qstr
, char **name
,
2518 void **value
, size_t *len
)
2520 const struct task_security_struct
*tsec
= current_security();
2521 struct inode_security_struct
*dsec
;
2522 struct superblock_security_struct
*sbsec
;
2523 u32 sid
, newsid
, clen
;
2525 char *namep
= NULL
, *context
;
2527 dsec
= dir
->i_security
;
2528 sbsec
= dir
->i_sb
->s_security
;
2531 newsid
= tsec
->create_sid
;
2533 if ((sbsec
->flags
& SE_SBINITIALIZED
) &&
2534 (sbsec
->behavior
== SECURITY_FS_USE_MNTPOINT
))
2535 newsid
= sbsec
->mntpoint_sid
;
2536 else if (!newsid
|| !(sbsec
->flags
& SE_SBLABELSUPP
)) {
2537 rc
= security_transition_sid(sid
, dsec
->sid
,
2538 inode_mode_to_security_class(inode
->i_mode
),
2541 printk(KERN_WARNING
"%s: "
2542 "security_transition_sid failed, rc=%d (dev=%s "
2545 -rc
, inode
->i_sb
->s_id
, inode
->i_ino
);
2550 /* Possibly defer initialization to selinux_complete_init. */
2551 if (sbsec
->flags
& SE_SBINITIALIZED
) {
2552 struct inode_security_struct
*isec
= inode
->i_security
;
2553 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
2555 isec
->initialized
= 1;
2558 if (!ss_initialized
|| !(sbsec
->flags
& SE_SBLABELSUPP
))
2562 namep
= kstrdup(XATTR_SELINUX_SUFFIX
, GFP_NOFS
);
2569 rc
= security_sid_to_context_force(newsid
, &context
, &clen
);
2581 static int selinux_inode_create(struct inode
*dir
, struct dentry
*dentry
, int mask
)
2583 return may_create(dir
, dentry
, SECCLASS_FILE
);
2586 static int selinux_inode_link(struct dentry
*old_dentry
, struct inode
*dir
, struct dentry
*new_dentry
)
2588 return may_link(dir
, old_dentry
, MAY_LINK
);
2591 static int selinux_inode_unlink(struct inode
*dir
, struct dentry
*dentry
)
2593 return may_link(dir
, dentry
, MAY_UNLINK
);
2596 static int selinux_inode_symlink(struct inode
*dir
, struct dentry
*dentry
, const char *name
)
2598 return may_create(dir
, dentry
, SECCLASS_LNK_FILE
);
2601 static int selinux_inode_mkdir(struct inode
*dir
, struct dentry
*dentry
, int mask
)
2603 return may_create(dir
, dentry
, SECCLASS_DIR
);
2606 static int selinux_inode_rmdir(struct inode
*dir
, struct dentry
*dentry
)
2608 return may_link(dir
, dentry
, MAY_RMDIR
);
2611 static int selinux_inode_mknod(struct inode
*dir
, struct dentry
*dentry
, int mode
, dev_t dev
)
2613 return may_create(dir
, dentry
, inode_mode_to_security_class(mode
));
2616 static int selinux_inode_rename(struct inode
*old_inode
, struct dentry
*old_dentry
,
2617 struct inode
*new_inode
, struct dentry
*new_dentry
)
2619 return may_rename(old_inode
, old_dentry
, new_inode
, new_dentry
);
2622 static int selinux_inode_readlink(struct dentry
*dentry
)
2624 const struct cred
*cred
= current_cred();
2626 return dentry_has_perm(cred
, NULL
, dentry
, FILE__READ
);
2629 static int selinux_inode_follow_link(struct dentry
*dentry
, struct nameidata
*nameidata
)
2631 const struct cred
*cred
= current_cred();
2633 return dentry_has_perm(cred
, NULL
, dentry
, FILE__READ
);
2636 static int selinux_inode_permission(struct inode
*inode
, int mask
)
2638 const struct cred
*cred
= current_cred();
2639 struct common_audit_data ad
;
2643 from_access
= mask
& MAY_ACCESS
;
2644 mask
&= (MAY_READ
|MAY_WRITE
|MAY_EXEC
|MAY_APPEND
);
2646 /* No permission to check. Existence test. */
2650 COMMON_AUDIT_DATA_INIT(&ad
, FS
);
2651 ad
.u
.fs
.inode
= inode
;
2654 ad
.selinux_audit_data
.auditdeny
|= FILE__AUDIT_ACCESS
;
2656 perms
= file_mask_to_av(inode
->i_mode
, mask
);
2658 return inode_has_perm(cred
, inode
, perms
, &ad
);
2661 static int selinux_inode_setattr(struct dentry
*dentry
, struct iattr
*iattr
)
2663 const struct cred
*cred
= current_cred();
2664 unsigned int ia_valid
= iattr
->ia_valid
;
2666 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2667 if (ia_valid
& ATTR_FORCE
) {
2668 ia_valid
&= ~(ATTR_KILL_SUID
| ATTR_KILL_SGID
| ATTR_MODE
|
2674 if (ia_valid
& (ATTR_MODE
| ATTR_UID
| ATTR_GID
|
2675 ATTR_ATIME_SET
| ATTR_MTIME_SET
| ATTR_TIMES_SET
))
2676 return dentry_has_perm(cred
, NULL
, dentry
, FILE__SETATTR
);
2678 return dentry_has_perm(cred
, NULL
, dentry
, FILE__WRITE
);
2681 static int selinux_inode_getattr(struct vfsmount
*mnt
, struct dentry
*dentry
)
2683 const struct cred
*cred
= current_cred();
2685 return dentry_has_perm(cred
, mnt
, dentry
, FILE__GETATTR
);
2688 static int selinux_inode_setotherxattr(struct dentry
*dentry
, const char *name
)
2690 const struct cred
*cred
= current_cred();
2692 if (!strncmp(name
, XATTR_SECURITY_PREFIX
,
2693 sizeof XATTR_SECURITY_PREFIX
- 1)) {
2694 if (!strcmp(name
, XATTR_NAME_CAPS
)) {
2695 if (!capable(CAP_SETFCAP
))
2697 } else if (!capable(CAP_SYS_ADMIN
)) {
2698 /* A different attribute in the security namespace.
2699 Restrict to administrator. */
2704 /* Not an attribute we recognize, so just check the
2705 ordinary setattr permission. */
2706 return dentry_has_perm(cred
, NULL
, dentry
, FILE__SETATTR
);
2709 static int selinux_inode_setxattr(struct dentry
*dentry
, const char *name
,
2710 const void *value
, size_t size
, int flags
)
2712 struct inode
*inode
= dentry
->d_inode
;
2713 struct inode_security_struct
*isec
= inode
->i_security
;
2714 struct superblock_security_struct
*sbsec
;
2715 struct common_audit_data ad
;
2716 u32 newsid
, sid
= current_sid();
2719 if (strcmp(name
, XATTR_NAME_SELINUX
))
2720 return selinux_inode_setotherxattr(dentry
, name
);
2722 sbsec
= inode
->i_sb
->s_security
;
2723 if (!(sbsec
->flags
& SE_SBLABELSUPP
))
2726 if (!is_owner_or_cap(inode
))
2729 COMMON_AUDIT_DATA_INIT(&ad
, FS
);
2730 ad
.u
.fs
.path
.dentry
= dentry
;
2732 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
,
2733 FILE__RELABELFROM
, &ad
);
2737 rc
= security_context_to_sid(value
, size
, &newsid
);
2738 if (rc
== -EINVAL
) {
2739 if (!capable(CAP_MAC_ADMIN
))
2741 rc
= security_context_to_sid_force(value
, size
, &newsid
);
2746 rc
= avc_has_perm(sid
, newsid
, isec
->sclass
,
2747 FILE__RELABELTO
, &ad
);
2751 rc
= security_validate_transition(isec
->sid
, newsid
, sid
,
2756 return avc_has_perm(newsid
,
2758 SECCLASS_FILESYSTEM
,
2759 FILESYSTEM__ASSOCIATE
,
2763 static void selinux_inode_post_setxattr(struct dentry
*dentry
, const char *name
,
2764 const void *value
, size_t size
,
2767 struct inode
*inode
= dentry
->d_inode
;
2768 struct inode_security_struct
*isec
= inode
->i_security
;
2772 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
2773 /* Not an attribute we recognize, so nothing to do. */
2777 rc
= security_context_to_sid_force(value
, size
, &newsid
);
2779 printk(KERN_ERR
"SELinux: unable to map context to SID"
2780 "for (%s, %lu), rc=%d\n",
2781 inode
->i_sb
->s_id
, inode
->i_ino
, -rc
);
2789 static int selinux_inode_getxattr(struct dentry
*dentry
, const char *name
)
2791 const struct cred
*cred
= current_cred();
2793 return dentry_has_perm(cred
, NULL
, dentry
, FILE__GETATTR
);
2796 static int selinux_inode_listxattr(struct dentry
*dentry
)
2798 const struct cred
*cred
= current_cred();
2800 return dentry_has_perm(cred
, NULL
, dentry
, FILE__GETATTR
);
2803 static int selinux_inode_removexattr(struct dentry
*dentry
, const char *name
)
2805 if (strcmp(name
, XATTR_NAME_SELINUX
))
2806 return selinux_inode_setotherxattr(dentry
, name
);
2808 /* No one is allowed to remove a SELinux security label.
2809 You can change the label, but all data must be labeled. */
2814 * Copy the inode security context value to the user.
2816 * Permission check is handled by selinux_inode_getxattr hook.
2818 static int selinux_inode_getsecurity(const struct inode
*inode
, const char *name
, void **buffer
, bool alloc
)
2822 char *context
= NULL
;
2823 struct inode_security_struct
*isec
= inode
->i_security
;
2825 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
2829 * If the caller has CAP_MAC_ADMIN, then get the raw context
2830 * value even if it is not defined by current policy; otherwise,
2831 * use the in-core value under current policy.
2832 * Use the non-auditing forms of the permission checks since
2833 * getxattr may be called by unprivileged processes commonly
2834 * and lack of permission just means that we fall back to the
2835 * in-core context value, not a denial.
2837 error
= selinux_capable(current
, current_cred(), CAP_MAC_ADMIN
,
2838 SECURITY_CAP_NOAUDIT
);
2840 error
= security_sid_to_context_force(isec
->sid
, &context
,
2843 error
= security_sid_to_context(isec
->sid
, &context
, &size
);
2856 static int selinux_inode_setsecurity(struct inode
*inode
, const char *name
,
2857 const void *value
, size_t size
, int flags
)
2859 struct inode_security_struct
*isec
= inode
->i_security
;
2863 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
2866 if (!value
|| !size
)
2869 rc
= security_context_to_sid((void *)value
, size
, &newsid
);
2874 isec
->initialized
= 1;
2878 static int selinux_inode_listsecurity(struct inode
*inode
, char *buffer
, size_t buffer_size
)
2880 const int len
= sizeof(XATTR_NAME_SELINUX
);
2881 if (buffer
&& len
<= buffer_size
)
2882 memcpy(buffer
, XATTR_NAME_SELINUX
, len
);
2886 static void selinux_inode_getsecid(const struct inode
*inode
, u32
*secid
)
2888 struct inode_security_struct
*isec
= inode
->i_security
;
2892 /* file security operations */
2894 static int selinux_revalidate_file_permission(struct file
*file
, int mask
)
2896 const struct cred
*cred
= current_cred();
2897 struct inode
*inode
= file
->f_path
.dentry
->d_inode
;
2899 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2900 if ((file
->f_flags
& O_APPEND
) && (mask
& MAY_WRITE
))
2903 return file_has_perm(cred
, file
,
2904 file_mask_to_av(inode
->i_mode
, mask
));
2907 static int selinux_file_permission(struct file
*file
, int mask
)
2909 struct inode
*inode
= file
->f_path
.dentry
->d_inode
;
2910 struct file_security_struct
*fsec
= file
->f_security
;
2911 struct inode_security_struct
*isec
= inode
->i_security
;
2912 u32 sid
= current_sid();
2915 /* No permission to check. Existence test. */
2918 if (sid
== fsec
->sid
&& fsec
->isid
== isec
->sid
&&
2919 fsec
->pseqno
== avc_policy_seqno())
2920 /* No change since dentry_open check. */
2923 return selinux_revalidate_file_permission(file
, mask
);
2926 static int selinux_file_alloc_security(struct file
*file
)
2928 return file_alloc_security(file
);
2931 static void selinux_file_free_security(struct file
*file
)
2933 file_free_security(file
);
2936 static int selinux_file_ioctl(struct file
*file
, unsigned int cmd
,
2939 const struct cred
*cred
= current_cred();
2949 case EXT2_IOC_GETFLAGS
:
2951 case EXT2_IOC_GETVERSION
:
2952 error
= file_has_perm(cred
, file
, FILE__GETATTR
);
2955 case EXT2_IOC_SETFLAGS
:
2957 case EXT2_IOC_SETVERSION
:
2958 error
= file_has_perm(cred
, file
, FILE__SETATTR
);
2961 /* sys_ioctl() checks */
2965 error
= file_has_perm(cred
, file
, 0);
2970 error
= task_has_capability(current
, cred
, CAP_SYS_TTY_CONFIG
,
2971 SECURITY_CAP_AUDIT
);
2974 /* default case assumes that the command will go
2975 * to the file's ioctl() function.
2978 error
= file_has_perm(cred
, file
, FILE__IOCTL
);
2983 static int default_noexec
;
2985 static int file_map_prot_check(struct file
*file
, unsigned long prot
, int shared
)
2987 const struct cred
*cred
= current_cred();
2990 if (default_noexec
&&
2991 (prot
& PROT_EXEC
) && (!file
|| (!shared
&& (prot
& PROT_WRITE
)))) {
2993 * We are making executable an anonymous mapping or a
2994 * private file mapping that will also be writable.
2995 * This has an additional check.
2997 rc
= cred_has_perm(cred
, cred
, PROCESS__EXECMEM
);
3003 /* read access is always possible with a mapping */
3004 u32 av
= FILE__READ
;
3006 /* write access only matters if the mapping is shared */
3007 if (shared
&& (prot
& PROT_WRITE
))
3010 if (prot
& PROT_EXEC
)
3011 av
|= FILE__EXECUTE
;
3013 return file_has_perm(cred
, file
, av
);
3020 static int selinux_file_mmap(struct file
*file
, unsigned long reqprot
,
3021 unsigned long prot
, unsigned long flags
,
3022 unsigned long addr
, unsigned long addr_only
)
3025 u32 sid
= current_sid();
3028 * notice that we are intentionally putting the SELinux check before
3029 * the secondary cap_file_mmap check. This is such a likely attempt
3030 * at bad behaviour/exploit that we always want to get the AVC, even
3031 * if DAC would have also denied the operation.
3033 if (addr
< CONFIG_LSM_MMAP_MIN_ADDR
) {
3034 rc
= avc_has_perm(sid
, sid
, SECCLASS_MEMPROTECT
,
3035 MEMPROTECT__MMAP_ZERO
, NULL
);
3040 /* do DAC check on address space usage */
3041 rc
= cap_file_mmap(file
, reqprot
, prot
, flags
, addr
, addr_only
);
3042 if (rc
|| addr_only
)
3045 if (selinux_checkreqprot
)
3048 return file_map_prot_check(file
, prot
,
3049 (flags
& MAP_TYPE
) == MAP_SHARED
);
3052 static int selinux_file_mprotect(struct vm_area_struct
*vma
,
3053 unsigned long reqprot
,
3056 const struct cred
*cred
= current_cred();
3058 if (selinux_checkreqprot
)
3061 if (default_noexec
&&
3062 (prot
& PROT_EXEC
) && !(vma
->vm_flags
& VM_EXEC
)) {
3064 if (vma
->vm_start
>= vma
->vm_mm
->start_brk
&&
3065 vma
->vm_end
<= vma
->vm_mm
->brk
) {
3066 rc
= cred_has_perm(cred
, cred
, PROCESS__EXECHEAP
);
3067 } else if (!vma
->vm_file
&&
3068 vma
->vm_start
<= vma
->vm_mm
->start_stack
&&
3069 vma
->vm_end
>= vma
->vm_mm
->start_stack
) {
3070 rc
= current_has_perm(current
, PROCESS__EXECSTACK
);
3071 } else if (vma
->vm_file
&& vma
->anon_vma
) {
3073 * We are making executable a file mapping that has
3074 * had some COW done. Since pages might have been
3075 * written, check ability to execute the possibly
3076 * modified content. This typically should only
3077 * occur for text relocations.
3079 rc
= file_has_perm(cred
, vma
->vm_file
, FILE__EXECMOD
);
3085 return file_map_prot_check(vma
->vm_file
, prot
, vma
->vm_flags
&VM_SHARED
);
3088 static int selinux_file_lock(struct file
*file
, unsigned int cmd
)
3090 const struct cred
*cred
= current_cred();
3092 return file_has_perm(cred
, file
, FILE__LOCK
);
3095 static int selinux_file_fcntl(struct file
*file
, unsigned int cmd
,
3098 const struct cred
*cred
= current_cred();
3103 if (!file
->f_path
.dentry
|| !file
->f_path
.dentry
->d_inode
) {
3108 if ((file
->f_flags
& O_APPEND
) && !(arg
& O_APPEND
)) {
3109 err
= file_has_perm(cred
, file
, FILE__WRITE
);
3118 /* Just check FD__USE permission */
3119 err
= file_has_perm(cred
, file
, 0);
3124 #if BITS_PER_LONG == 32
3129 if (!file
->f_path
.dentry
|| !file
->f_path
.dentry
->d_inode
) {
3133 err
= file_has_perm(cred
, file
, FILE__LOCK
);
3140 static int selinux_file_set_fowner(struct file
*file
)
3142 struct file_security_struct
*fsec
;
3144 fsec
= file
->f_security
;
3145 fsec
->fown_sid
= current_sid();
3150 static int selinux_file_send_sigiotask(struct task_struct
*tsk
,
3151 struct fown_struct
*fown
, int signum
)
3154 u32 sid
= task_sid(tsk
);
3156 struct file_security_struct
*fsec
;
3158 /* struct fown_struct is never outside the context of a struct file */
3159 file
= container_of(fown
, struct file
, f_owner
);
3161 fsec
= file
->f_security
;
3164 perm
= signal_to_av(SIGIO
); /* as per send_sigio_to_task */
3166 perm
= signal_to_av(signum
);
3168 return avc_has_perm(fsec
->fown_sid
, sid
,
3169 SECCLASS_PROCESS
, perm
, NULL
);
3172 static int selinux_file_receive(struct file
*file
)
3174 const struct cred
*cred
= current_cred();
3176 return file_has_perm(cred
, file
, file_to_av(file
));
3179 static int selinux_dentry_open(struct file
*file
, const struct cred
*cred
)
3181 struct file_security_struct
*fsec
;
3182 struct inode
*inode
;
3183 struct inode_security_struct
*isec
;
3185 inode
= file
->f_path
.dentry
->d_inode
;
3186 fsec
= file
->f_security
;
3187 isec
= inode
->i_security
;
3189 * Save inode label and policy sequence number
3190 * at open-time so that selinux_file_permission
3191 * can determine whether revalidation is necessary.
3192 * Task label is already saved in the file security
3193 * struct as its SID.
3195 fsec
->isid
= isec
->sid
;
3196 fsec
->pseqno
= avc_policy_seqno();
3198 * Since the inode label or policy seqno may have changed
3199 * between the selinux_inode_permission check and the saving
3200 * of state above, recheck that access is still permitted.
3201 * Otherwise, access might never be revalidated against the
3202 * new inode label or new policy.
3203 * This check is not redundant - do not remove.
3205 return inode_has_perm(cred
, inode
, open_file_to_av(file
), NULL
);
3208 /* task security operations */
3210 static int selinux_task_create(unsigned long clone_flags
)
3212 return current_has_perm(current
, PROCESS__FORK
);
3216 * allocate the SELinux part of blank credentials
3218 static int selinux_cred_alloc_blank(struct cred
*cred
, gfp_t gfp
)
3220 struct task_security_struct
*tsec
;
3222 tsec
= kzalloc(sizeof(struct task_security_struct
), gfp
);
3226 cred
->security
= tsec
;
3231 * detach and free the LSM part of a set of credentials
3233 static void selinux_cred_free(struct cred
*cred
)
3235 struct task_security_struct
*tsec
= cred
->security
;
3237 BUG_ON((unsigned long) cred
->security
< PAGE_SIZE
);
3238 cred
->security
= (void *) 0x7UL
;
3243 * prepare a new set of credentials for modification
3245 static int selinux_cred_prepare(struct cred
*new, const struct cred
*old
,
3248 const struct task_security_struct
*old_tsec
;
3249 struct task_security_struct
*tsec
;
3251 old_tsec
= old
->security
;
3253 tsec
= kmemdup(old_tsec
, sizeof(struct task_security_struct
), gfp
);
3257 new->security
= tsec
;
3262 * transfer the SELinux data to a blank set of creds
3264 static void selinux_cred_transfer(struct cred
*new, const struct cred
*old
)
3266 const struct task_security_struct
*old_tsec
= old
->security
;
3267 struct task_security_struct
*tsec
= new->security
;
3273 * set the security data for a kernel service
3274 * - all the creation contexts are set to unlabelled
3276 static int selinux_kernel_act_as(struct cred
*new, u32 secid
)
3278 struct task_security_struct
*tsec
= new->security
;
3279 u32 sid
= current_sid();
3282 ret
= avc_has_perm(sid
, secid
,
3283 SECCLASS_KERNEL_SERVICE
,
3284 KERNEL_SERVICE__USE_AS_OVERRIDE
,
3288 tsec
->create_sid
= 0;
3289 tsec
->keycreate_sid
= 0;
3290 tsec
->sockcreate_sid
= 0;
3296 * set the file creation context in a security record to the same as the
3297 * objective context of the specified inode
3299 static int selinux_kernel_create_files_as(struct cred
*new, struct inode
*inode
)
3301 struct inode_security_struct
*isec
= inode
->i_security
;
3302 struct task_security_struct
*tsec
= new->security
;
3303 u32 sid
= current_sid();
3306 ret
= avc_has_perm(sid
, isec
->sid
,
3307 SECCLASS_KERNEL_SERVICE
,
3308 KERNEL_SERVICE__CREATE_FILES_AS
,
3312 tsec
->create_sid
= isec
->sid
;
3316 static int selinux_kernel_module_request(char *kmod_name
)
3319 struct common_audit_data ad
;
3321 sid
= task_sid(current
);
3323 COMMON_AUDIT_DATA_INIT(&ad
, KMOD
);
3324 ad
.u
.kmod_name
= kmod_name
;
3326 return avc_has_perm(sid
, SECINITSID_KERNEL
, SECCLASS_SYSTEM
,
3327 SYSTEM__MODULE_REQUEST
, &ad
);
3330 static int selinux_task_setpgid(struct task_struct
*p
, pid_t pgid
)
3332 return current_has_perm(p
, PROCESS__SETPGID
);
3335 static int selinux_task_getpgid(struct task_struct
*p
)
3337 return current_has_perm(p
, PROCESS__GETPGID
);
3340 static int selinux_task_getsid(struct task_struct
*p
)
3342 return current_has_perm(p
, PROCESS__GETSESSION
);
3345 static void selinux_task_getsecid(struct task_struct
*p
, u32
*secid
)
3347 *secid
= task_sid(p
);
3350 static int selinux_task_setnice(struct task_struct
*p
, int nice
)
3354 rc
= cap_task_setnice(p
, nice
);
3358 return current_has_perm(p
, PROCESS__SETSCHED
);
3361 static int selinux_task_setioprio(struct task_struct
*p
, int ioprio
)
3365 rc
= cap_task_setioprio(p
, ioprio
);
3369 return current_has_perm(p
, PROCESS__SETSCHED
);
3372 static int selinux_task_getioprio(struct task_struct
*p
)
3374 return current_has_perm(p
, PROCESS__GETSCHED
);
3377 static int selinux_task_setrlimit(struct task_struct
*p
, unsigned int resource
,
3378 struct rlimit
*new_rlim
)
3380 struct rlimit
*old_rlim
= p
->signal
->rlim
+ resource
;
3382 /* Control the ability to change the hard limit (whether
3383 lowering or raising it), so that the hard limit can
3384 later be used as a safe reset point for the soft limit
3385 upon context transitions. See selinux_bprm_committing_creds. */
3386 if (old_rlim
->rlim_max
!= new_rlim
->rlim_max
)
3387 return current_has_perm(p
, PROCESS__SETRLIMIT
);
3392 static int selinux_task_setscheduler(struct task_struct
*p
)
3396 rc
= cap_task_setscheduler(p
);
3400 return current_has_perm(p
, PROCESS__SETSCHED
);
3403 static int selinux_task_getscheduler(struct task_struct
*p
)
3405 return current_has_perm(p
, PROCESS__GETSCHED
);
3408 static int selinux_task_movememory(struct task_struct
*p
)
3410 return current_has_perm(p
, PROCESS__SETSCHED
);
3413 static int selinux_task_kill(struct task_struct
*p
, struct siginfo
*info
,
3420 perm
= PROCESS__SIGNULL
; /* null signal; existence test */
3422 perm
= signal_to_av(sig
);
3424 rc
= avc_has_perm(secid
, task_sid(p
),
3425 SECCLASS_PROCESS
, perm
, NULL
);
3427 rc
= current_has_perm(p
, perm
);
3431 static int selinux_task_wait(struct task_struct
*p
)
3433 return task_has_perm(p
, current
, PROCESS__SIGCHLD
);
3436 static void selinux_task_to_inode(struct task_struct
*p
,
3437 struct inode
*inode
)
3439 struct inode_security_struct
*isec
= inode
->i_security
;
3440 u32 sid
= task_sid(p
);
3443 isec
->initialized
= 1;
3446 /* Returns error only if unable to parse addresses */
3447 static int selinux_parse_skb_ipv4(struct sk_buff
*skb
,
3448 struct common_audit_data
*ad
, u8
*proto
)
3450 int offset
, ihlen
, ret
= -EINVAL
;
3451 struct iphdr _iph
, *ih
;
3453 offset
= skb_network_offset(skb
);
3454 ih
= skb_header_pointer(skb
, offset
, sizeof(_iph
), &_iph
);
3458 ihlen
= ih
->ihl
* 4;
3459 if (ihlen
< sizeof(_iph
))
3462 ad
->u
.net
.v4info
.saddr
= ih
->saddr
;
3463 ad
->u
.net
.v4info
.daddr
= ih
->daddr
;
3467 *proto
= ih
->protocol
;
3469 switch (ih
->protocol
) {
3471 struct tcphdr _tcph
, *th
;
3473 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
3477 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
3481 ad
->u
.net
.sport
= th
->source
;
3482 ad
->u
.net
.dport
= th
->dest
;
3487 struct udphdr _udph
, *uh
;
3489 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
3493 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
3497 ad
->u
.net
.sport
= uh
->source
;
3498 ad
->u
.net
.dport
= uh
->dest
;
3502 case IPPROTO_DCCP
: {
3503 struct dccp_hdr _dccph
, *dh
;
3505 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
3509 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
3513 ad
->u
.net
.sport
= dh
->dccph_sport
;
3514 ad
->u
.net
.dport
= dh
->dccph_dport
;
3525 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3527 /* Returns error only if unable to parse addresses */
3528 static int selinux_parse_skb_ipv6(struct sk_buff
*skb
,
3529 struct common_audit_data
*ad
, u8
*proto
)
3532 int ret
= -EINVAL
, offset
;
3533 struct ipv6hdr _ipv6h
, *ip6
;
3535 offset
= skb_network_offset(skb
);
3536 ip6
= skb_header_pointer(skb
, offset
, sizeof(_ipv6h
), &_ipv6h
);
3540 ipv6_addr_copy(&ad
->u
.net
.v6info
.saddr
, &ip6
->saddr
);
3541 ipv6_addr_copy(&ad
->u
.net
.v6info
.daddr
, &ip6
->daddr
);
3544 nexthdr
= ip6
->nexthdr
;
3545 offset
+= sizeof(_ipv6h
);
3546 offset
= ipv6_skip_exthdr(skb
, offset
, &nexthdr
);
3555 struct tcphdr _tcph
, *th
;
3557 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
3561 ad
->u
.net
.sport
= th
->source
;
3562 ad
->u
.net
.dport
= th
->dest
;
3567 struct udphdr _udph
, *uh
;
3569 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
3573 ad
->u
.net
.sport
= uh
->source
;
3574 ad
->u
.net
.dport
= uh
->dest
;
3578 case IPPROTO_DCCP
: {
3579 struct dccp_hdr _dccph
, *dh
;
3581 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
3585 ad
->u
.net
.sport
= dh
->dccph_sport
;
3586 ad
->u
.net
.dport
= dh
->dccph_dport
;
3590 /* includes fragments */
3600 static int selinux_parse_skb(struct sk_buff
*skb
, struct common_audit_data
*ad
,
3601 char **_addrp
, int src
, u8
*proto
)
3606 switch (ad
->u
.net
.family
) {
3608 ret
= selinux_parse_skb_ipv4(skb
, ad
, proto
);
3611 addrp
= (char *)(src
? &ad
->u
.net
.v4info
.saddr
:
3612 &ad
->u
.net
.v4info
.daddr
);
3615 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3617 ret
= selinux_parse_skb_ipv6(skb
, ad
, proto
);
3620 addrp
= (char *)(src
? &ad
->u
.net
.v6info
.saddr
:
3621 &ad
->u
.net
.v6info
.daddr
);
3631 "SELinux: failure in selinux_parse_skb(),"
3632 " unable to parse packet\n");
3642 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3644 * @family: protocol family
3645 * @sid: the packet's peer label SID
3648 * Check the various different forms of network peer labeling and determine
3649 * the peer label/SID for the packet; most of the magic actually occurs in
3650 * the security server function security_net_peersid_cmp(). The function
3651 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3652 * or -EACCES if @sid is invalid due to inconsistencies with the different
3656 static int selinux_skb_peerlbl_sid(struct sk_buff
*skb
, u16 family
, u32
*sid
)
3663 selinux_skb_xfrm_sid(skb
, &xfrm_sid
);
3664 selinux_netlbl_skbuff_getsid(skb
, family
, &nlbl_type
, &nlbl_sid
);
3666 err
= security_net_peersid_resolve(nlbl_sid
, nlbl_type
, xfrm_sid
, sid
);
3667 if (unlikely(err
)) {
3669 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3670 " unable to determine packet's peer label\n");
3677 /* socket security operations */
3679 static int socket_sockcreate_sid(const struct task_security_struct
*tsec
,
3680 u16 secclass
, u32
*socksid
)
3682 if (tsec
->sockcreate_sid
> SECSID_NULL
) {
3683 *socksid
= tsec
->sockcreate_sid
;
3687 return security_transition_sid(tsec
->sid
, tsec
->sid
, secclass
, NULL
,
3691 static int sock_has_perm(struct task_struct
*task
, struct sock
*sk
, u32 perms
)
3693 struct sk_security_struct
*sksec
= sk
->sk_security
;
3694 struct common_audit_data ad
;
3695 u32 tsid
= task_sid(task
);
3697 if (sksec
->sid
== SECINITSID_KERNEL
)
3700 COMMON_AUDIT_DATA_INIT(&ad
, NET
);
3703 return avc_has_perm(tsid
, sksec
->sid
, sksec
->sclass
, perms
, &ad
);
3706 static int selinux_socket_create(int family
, int type
,
3707 int protocol
, int kern
)
3709 const struct task_security_struct
*tsec
= current_security();
3717 secclass
= socket_type_to_security_class(family
, type
, protocol
);
3718 rc
= socket_sockcreate_sid(tsec
, secclass
, &newsid
);
3722 return avc_has_perm(tsec
->sid
, newsid
, secclass
, SOCKET__CREATE
, NULL
);
3725 static int selinux_socket_post_create(struct socket
*sock
, int family
,
3726 int type
, int protocol
, int kern
)
3728 const struct task_security_struct
*tsec
= current_security();
3729 struct inode_security_struct
*isec
= SOCK_INODE(sock
)->i_security
;
3730 struct sk_security_struct
*sksec
;
3733 isec
->sclass
= socket_type_to_security_class(family
, type
, protocol
);
3736 isec
->sid
= SECINITSID_KERNEL
;
3738 err
= socket_sockcreate_sid(tsec
, isec
->sclass
, &(isec
->sid
));
3743 isec
->initialized
= 1;
3746 sksec
= sock
->sk
->sk_security
;
3747 sksec
->sid
= isec
->sid
;
3748 sksec
->sclass
= isec
->sclass
;
3749 err
= selinux_netlbl_socket_post_create(sock
->sk
, family
);
3755 /* Range of port numbers used to automatically bind.
3756 Need to determine whether we should perform a name_bind
3757 permission check between the socket and the port number. */
3759 static int selinux_socket_bind(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
3761 struct sock
*sk
= sock
->sk
;
3765 err
= sock_has_perm(current
, sk
, SOCKET__BIND
);
3770 * If PF_INET or PF_INET6, check name_bind permission for the port.
3771 * Multiple address binding for SCTP is not supported yet: we just
3772 * check the first address now.
3774 family
= sk
->sk_family
;
3775 if (family
== PF_INET
|| family
== PF_INET6
) {
3777 struct sk_security_struct
*sksec
= sk
->sk_security
;
3778 struct common_audit_data ad
;
3779 struct sockaddr_in
*addr4
= NULL
;
3780 struct sockaddr_in6
*addr6
= NULL
;
3781 unsigned short snum
;
3784 if (family
== PF_INET
) {
3785 addr4
= (struct sockaddr_in
*)address
;
3786 snum
= ntohs(addr4
->sin_port
);
3787 addrp
= (char *)&addr4
->sin_addr
.s_addr
;
3789 addr6
= (struct sockaddr_in6
*)address
;
3790 snum
= ntohs(addr6
->sin6_port
);
3791 addrp
= (char *)&addr6
->sin6_addr
.s6_addr
;
3797 inet_get_local_port_range(&low
, &high
);
3799 if (snum
< max(PROT_SOCK
, low
) || snum
> high
) {
3800 err
= sel_netport_sid(sk
->sk_protocol
,
3804 COMMON_AUDIT_DATA_INIT(&ad
, NET
);
3805 ad
.u
.net
.sport
= htons(snum
);
3806 ad
.u
.net
.family
= family
;
3807 err
= avc_has_perm(sksec
->sid
, sid
,
3809 SOCKET__NAME_BIND
, &ad
);
3815 switch (sksec
->sclass
) {
3816 case SECCLASS_TCP_SOCKET
:
3817 node_perm
= TCP_SOCKET__NODE_BIND
;
3820 case SECCLASS_UDP_SOCKET
:
3821 node_perm
= UDP_SOCKET__NODE_BIND
;
3824 case SECCLASS_DCCP_SOCKET
:
3825 node_perm
= DCCP_SOCKET__NODE_BIND
;
3829 node_perm
= RAWIP_SOCKET__NODE_BIND
;
3833 err
= sel_netnode_sid(addrp
, family
, &sid
);
3837 COMMON_AUDIT_DATA_INIT(&ad
, NET
);
3838 ad
.u
.net
.sport
= htons(snum
);
3839 ad
.u
.net
.family
= family
;
3841 if (family
== PF_INET
)
3842 ad
.u
.net
.v4info
.saddr
= addr4
->sin_addr
.s_addr
;
3844 ipv6_addr_copy(&ad
.u
.net
.v6info
.saddr
, &addr6
->sin6_addr
);
3846 err
= avc_has_perm(sksec
->sid
, sid
,
3847 sksec
->sclass
, node_perm
, &ad
);
3855 static int selinux_socket_connect(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
3857 struct sock
*sk
= sock
->sk
;
3858 struct sk_security_struct
*sksec
= sk
->sk_security
;
3861 err
= sock_has_perm(current
, sk
, SOCKET__CONNECT
);
3866 * If a TCP or DCCP socket, check name_connect permission for the port.
3868 if (sksec
->sclass
== SECCLASS_TCP_SOCKET
||
3869 sksec
->sclass
== SECCLASS_DCCP_SOCKET
) {
3870 struct common_audit_data ad
;
3871 struct sockaddr_in
*addr4
= NULL
;
3872 struct sockaddr_in6
*addr6
= NULL
;
3873 unsigned short snum
;
3876 if (sk
->sk_family
== PF_INET
) {
3877 addr4
= (struct sockaddr_in
*)address
;
3878 if (addrlen
< sizeof(struct sockaddr_in
))
3880 snum
= ntohs(addr4
->sin_port
);
3882 addr6
= (struct sockaddr_in6
*)address
;
3883 if (addrlen
< SIN6_LEN_RFC2133
)
3885 snum
= ntohs(addr6
->sin6_port
);
3888 err
= sel_netport_sid(sk
->sk_protocol
, snum
, &sid
);
3892 perm
= (sksec
->sclass
== SECCLASS_TCP_SOCKET
) ?
3893 TCP_SOCKET__NAME_CONNECT
: DCCP_SOCKET__NAME_CONNECT
;
3895 COMMON_AUDIT_DATA_INIT(&ad
, NET
);
3896 ad
.u
.net
.dport
= htons(snum
);
3897 ad
.u
.net
.family
= sk
->sk_family
;
3898 err
= avc_has_perm(sksec
->sid
, sid
, sksec
->sclass
, perm
, &ad
);
3903 err
= selinux_netlbl_socket_connect(sk
, address
);
3909 static int selinux_socket_listen(struct socket
*sock
, int backlog
)
3911 return sock_has_perm(current
, sock
->sk
, SOCKET__LISTEN
);
3914 static int selinux_socket_accept(struct socket
*sock
, struct socket
*newsock
)
3917 struct inode_security_struct
*isec
;
3918 struct inode_security_struct
*newisec
;
3920 err
= sock_has_perm(current
, sock
->sk
, SOCKET__ACCEPT
);
3924 newisec
= SOCK_INODE(newsock
)->i_security
;
3926 isec
= SOCK_INODE(sock
)->i_security
;
3927 newisec
->sclass
= isec
->sclass
;
3928 newisec
->sid
= isec
->sid
;
3929 newisec
->initialized
= 1;
3934 static int selinux_socket_sendmsg(struct socket
*sock
, struct msghdr
*msg
,
3937 return sock_has_perm(current
, sock
->sk
, SOCKET__WRITE
);
3940 static int selinux_socket_recvmsg(struct socket
*sock
, struct msghdr
*msg
,
3941 int size
, int flags
)
3943 return sock_has_perm(current
, sock
->sk
, SOCKET__READ
);
3946 static int selinux_socket_getsockname(struct socket
*sock
)
3948 return sock_has_perm(current
, sock
->sk
, SOCKET__GETATTR
);
3951 static int selinux_socket_getpeername(struct socket
*sock
)
3953 return sock_has_perm(current
, sock
->sk
, SOCKET__GETATTR
);
3956 static int selinux_socket_setsockopt(struct socket
*sock
, int level
, int optname
)
3960 err
= sock_has_perm(current
, sock
->sk
, SOCKET__SETOPT
);
3964 return selinux_netlbl_socket_setsockopt(sock
, level
, optname
);
3967 static int selinux_socket_getsockopt(struct socket
*sock
, int level
,
3970 return sock_has_perm(current
, sock
->sk
, SOCKET__GETOPT
);
3973 static int selinux_socket_shutdown(struct socket
*sock
, int how
)
3975 return sock_has_perm(current
, sock
->sk
, SOCKET__SHUTDOWN
);
3978 static int selinux_socket_unix_stream_connect(struct sock
*sock
,
3982 struct sk_security_struct
*sksec_sock
= sock
->sk_security
;
3983 struct sk_security_struct
*sksec_other
= other
->sk_security
;
3984 struct sk_security_struct
*sksec_new
= newsk
->sk_security
;
3985 struct common_audit_data ad
;
3988 COMMON_AUDIT_DATA_INIT(&ad
, NET
);
3989 ad
.u
.net
.sk
= other
;
3991 err
= avc_has_perm(sksec_sock
->sid
, sksec_other
->sid
,
3992 sksec_other
->sclass
,
3993 UNIX_STREAM_SOCKET__CONNECTTO
, &ad
);
3997 /* server child socket */
3998 sksec_new
->peer_sid
= sksec_sock
->sid
;
3999 err
= security_sid_mls_copy(sksec_other
->sid
, sksec_sock
->sid
,
4004 /* connecting socket */
4005 sksec_sock
->peer_sid
= sksec_new
->sid
;
4010 static int selinux_socket_unix_may_send(struct socket
*sock
,
4011 struct socket
*other
)
4013 struct sk_security_struct
*ssec
= sock
->sk
->sk_security
;
4014 struct sk_security_struct
*osec
= other
->sk
->sk_security
;
4015 struct common_audit_data ad
;
4017 COMMON_AUDIT_DATA_INIT(&ad
, NET
);
4018 ad
.u
.net
.sk
= other
->sk
;
4020 return avc_has_perm(ssec
->sid
, osec
->sid
, osec
->sclass
, SOCKET__SENDTO
,
4024 static int selinux_inet_sys_rcv_skb(int ifindex
, char *addrp
, u16 family
,
4026 struct common_audit_data
*ad
)
4032 err
= sel_netif_sid(ifindex
, &if_sid
);
4035 err
= avc_has_perm(peer_sid
, if_sid
,
4036 SECCLASS_NETIF
, NETIF__INGRESS
, ad
);
4040 err
= sel_netnode_sid(addrp
, family
, &node_sid
);
4043 return avc_has_perm(peer_sid
, node_sid
,
4044 SECCLASS_NODE
, NODE__RECVFROM
, ad
);
4047 static int selinux_sock_rcv_skb_compat(struct sock
*sk
, struct sk_buff
*skb
,
4051 struct sk_security_struct
*sksec
= sk
->sk_security
;
4052 u32 sk_sid
= sksec
->sid
;
4053 struct common_audit_data ad
;
4056 COMMON_AUDIT_DATA_INIT(&ad
, NET
);
4057 ad
.u
.net
.netif
= skb
->skb_iif
;
4058 ad
.u
.net
.family
= family
;
4059 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4063 if (selinux_secmark_enabled()) {
4064 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4070 err
= selinux_netlbl_sock_rcv_skb(sksec
, skb
, family
, &ad
);
4073 err
= selinux_xfrm_sock_rcv_skb(sksec
->sid
, skb
, &ad
);
4078 static int selinux_socket_sock_rcv_skb(struct sock
*sk
, struct sk_buff
*skb
)
4081 struct sk_security_struct
*sksec
= sk
->sk_security
;
4082 u16 family
= sk
->sk_family
;
4083 u32 sk_sid
= sksec
->sid
;
4084 struct common_audit_data ad
;
4089 if (family
!= PF_INET
&& family
!= PF_INET6
)
4092 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4093 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4096 /* If any sort of compatibility mode is enabled then handoff processing
4097 * to the selinux_sock_rcv_skb_compat() function to deal with the
4098 * special handling. We do this in an attempt to keep this function
4099 * as fast and as clean as possible. */
4100 if (!selinux_policycap_netpeer
)
4101 return selinux_sock_rcv_skb_compat(sk
, skb
, family
);
4103 secmark_active
= selinux_secmark_enabled();
4104 peerlbl_active
= netlbl_enabled() || selinux_xfrm_enabled();
4105 if (!secmark_active
&& !peerlbl_active
)
4108 COMMON_AUDIT_DATA_INIT(&ad
, NET
);
4109 ad
.u
.net
.netif
= skb
->skb_iif
;
4110 ad
.u
.net
.family
= family
;
4111 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4115 if (peerlbl_active
) {
4118 err
= selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
);
4121 err
= selinux_inet_sys_rcv_skb(skb
->skb_iif
, addrp
, family
,
4124 selinux_netlbl_err(skb
, err
, 0);
4127 err
= avc_has_perm(sk_sid
, peer_sid
, SECCLASS_PEER
,
4130 selinux_netlbl_err(skb
, err
, 0);
4133 if (secmark_active
) {
4134 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4143 static int selinux_socket_getpeersec_stream(struct socket
*sock
, char __user
*optval
,
4144 int __user
*optlen
, unsigned len
)
4149 struct sk_security_struct
*sksec
= sock
->sk
->sk_security
;
4150 u32 peer_sid
= SECSID_NULL
;
4152 if (sksec
->sclass
== SECCLASS_UNIX_STREAM_SOCKET
||
4153 sksec
->sclass
== SECCLASS_TCP_SOCKET
)
4154 peer_sid
= sksec
->peer_sid
;
4155 if (peer_sid
== SECSID_NULL
)
4156 return -ENOPROTOOPT
;
4158 err
= security_sid_to_context(peer_sid
, &scontext
, &scontext_len
);
4162 if (scontext_len
> len
) {
4167 if (copy_to_user(optval
, scontext
, scontext_len
))
4171 if (put_user(scontext_len
, optlen
))
4177 static int selinux_socket_getpeersec_dgram(struct socket
*sock
, struct sk_buff
*skb
, u32
*secid
)
4179 u32 peer_secid
= SECSID_NULL
;
4182 if (skb
&& skb
->protocol
== htons(ETH_P_IP
))
4184 else if (skb
&& skb
->protocol
== htons(ETH_P_IPV6
))
4187 family
= sock
->sk
->sk_family
;
4191 if (sock
&& family
== PF_UNIX
)
4192 selinux_inode_getsecid(SOCK_INODE(sock
), &peer_secid
);
4194 selinux_skb_peerlbl_sid(skb
, family
, &peer_secid
);
4197 *secid
= peer_secid
;
4198 if (peer_secid
== SECSID_NULL
)
4203 static int selinux_sk_alloc_security(struct sock
*sk
, int family
, gfp_t priority
)
4205 struct sk_security_struct
*sksec
;
4207 sksec
= kzalloc(sizeof(*sksec
), priority
);
4211 sksec
->peer_sid
= SECINITSID_UNLABELED
;
4212 sksec
->sid
= SECINITSID_UNLABELED
;
4213 selinux_netlbl_sk_security_reset(sksec
);
4214 sk
->sk_security
= sksec
;
4219 static void selinux_sk_free_security(struct sock
*sk
)
4221 struct sk_security_struct
*sksec
= sk
->sk_security
;
4223 sk
->sk_security
= NULL
;
4224 selinux_netlbl_sk_security_free(sksec
);
4228 static void selinux_sk_clone_security(const struct sock
*sk
, struct sock
*newsk
)
4230 struct sk_security_struct
*sksec
= sk
->sk_security
;
4231 struct sk_security_struct
*newsksec
= newsk
->sk_security
;
4233 newsksec
->sid
= sksec
->sid
;
4234 newsksec
->peer_sid
= sksec
->peer_sid
;
4235 newsksec
->sclass
= sksec
->sclass
;
4237 selinux_netlbl_sk_security_reset(newsksec
);
4240 static void selinux_sk_getsecid(struct sock
*sk
, u32
*secid
)
4243 *secid
= SECINITSID_ANY_SOCKET
;
4245 struct sk_security_struct
*sksec
= sk
->sk_security
;
4247 *secid
= sksec
->sid
;
4251 static void selinux_sock_graft(struct sock
*sk
, struct socket
*parent
)
4253 struct inode_security_struct
*isec
= SOCK_INODE(parent
)->i_security
;
4254 struct sk_security_struct
*sksec
= sk
->sk_security
;
4256 if (sk
->sk_family
== PF_INET
|| sk
->sk_family
== PF_INET6
||
4257 sk
->sk_family
== PF_UNIX
)
4258 isec
->sid
= sksec
->sid
;
4259 sksec
->sclass
= isec
->sclass
;
4262 static int selinux_inet_conn_request(struct sock
*sk
, struct sk_buff
*skb
,
4263 struct request_sock
*req
)
4265 struct sk_security_struct
*sksec
= sk
->sk_security
;
4267 u16 family
= sk
->sk_family
;
4271 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4272 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4275 err
= selinux_skb_peerlbl_sid(skb
, family
, &peersid
);
4278 if (peersid
== SECSID_NULL
) {
4279 req
->secid
= sksec
->sid
;
4280 req
->peer_secid
= SECSID_NULL
;
4282 err
= security_sid_mls_copy(sksec
->sid
, peersid
, &newsid
);
4285 req
->secid
= newsid
;
4286 req
->peer_secid
= peersid
;
4289 return selinux_netlbl_inet_conn_request(req
, family
);
4292 static void selinux_inet_csk_clone(struct sock
*newsk
,
4293 const struct request_sock
*req
)
4295 struct sk_security_struct
*newsksec
= newsk
->sk_security
;
4297 newsksec
->sid
= req
->secid
;
4298 newsksec
->peer_sid
= req
->peer_secid
;
4299 /* NOTE: Ideally, we should also get the isec->sid for the
4300 new socket in sync, but we don't have the isec available yet.
4301 So we will wait until sock_graft to do it, by which
4302 time it will have been created and available. */
4304 /* We don't need to take any sort of lock here as we are the only
4305 * thread with access to newsksec */
4306 selinux_netlbl_inet_csk_clone(newsk
, req
->rsk_ops
->family
);
4309 static void selinux_inet_conn_established(struct sock
*sk
, struct sk_buff
*skb
)
4311 u16 family
= sk
->sk_family
;
4312 struct sk_security_struct
*sksec
= sk
->sk_security
;
4314 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4315 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4318 selinux_skb_peerlbl_sid(skb
, family
, &sksec
->peer_sid
);
4321 static int selinux_secmark_relabel_packet(u32 sid
)
4323 const struct task_security_struct
*__tsec
;
4326 __tsec
= current_security();
4329 return avc_has_perm(tsid
, sid
, SECCLASS_PACKET
, PACKET__RELABELTO
, NULL
);
4332 static void selinux_secmark_refcount_inc(void)
4334 atomic_inc(&selinux_secmark_refcount
);
4337 static void selinux_secmark_refcount_dec(void)
4339 atomic_dec(&selinux_secmark_refcount
);
4342 static void selinux_req_classify_flow(const struct request_sock
*req
,
4345 fl
->secid
= req
->secid
;
4348 static int selinux_tun_dev_create(void)
4350 u32 sid
= current_sid();
4352 /* we aren't taking into account the "sockcreate" SID since the socket
4353 * that is being created here is not a socket in the traditional sense,
4354 * instead it is a private sock, accessible only to the kernel, and
4355 * representing a wide range of network traffic spanning multiple
4356 * connections unlike traditional sockets - check the TUN driver to
4357 * get a better understanding of why this socket is special */
4359 return avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
, TUN_SOCKET__CREATE
,
4363 static void selinux_tun_dev_post_create(struct sock
*sk
)
4365 struct sk_security_struct
*sksec
= sk
->sk_security
;
4367 /* we don't currently perform any NetLabel based labeling here and it
4368 * isn't clear that we would want to do so anyway; while we could apply
4369 * labeling without the support of the TUN user the resulting labeled
4370 * traffic from the other end of the connection would almost certainly
4371 * cause confusion to the TUN user that had no idea network labeling
4372 * protocols were being used */
4374 /* see the comments in selinux_tun_dev_create() about why we don't use
4375 * the sockcreate SID here */
4377 sksec
->sid
= current_sid();
4378 sksec
->sclass
= SECCLASS_TUN_SOCKET
;
4381 static int selinux_tun_dev_attach(struct sock
*sk
)
4383 struct sk_security_struct
*sksec
= sk
->sk_security
;
4384 u32 sid
= current_sid();
4387 err
= avc_has_perm(sid
, sksec
->sid
, SECCLASS_TUN_SOCKET
,
4388 TUN_SOCKET__RELABELFROM
, NULL
);
4391 err
= avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
,
4392 TUN_SOCKET__RELABELTO
, NULL
);
4401 static int selinux_nlmsg_perm(struct sock
*sk
, struct sk_buff
*skb
)
4405 struct nlmsghdr
*nlh
;
4406 struct sk_security_struct
*sksec
= sk
->sk_security
;
4408 if (skb
->len
< NLMSG_SPACE(0)) {
4412 nlh
= nlmsg_hdr(skb
);
4414 err
= selinux_nlmsg_lookup(sksec
->sclass
, nlh
->nlmsg_type
, &perm
);
4416 if (err
== -EINVAL
) {
4417 audit_log(current
->audit_context
, GFP_KERNEL
, AUDIT_SELINUX_ERR
,
4418 "SELinux: unrecognized netlink message"
4419 " type=%hu for sclass=%hu\n",
4420 nlh
->nlmsg_type
, sksec
->sclass
);
4421 if (!selinux_enforcing
|| security_get_allow_unknown())
4431 err
= sock_has_perm(current
, sk
, perm
);
4436 #ifdef CONFIG_NETFILTER
4438 static unsigned int selinux_ip_forward(struct sk_buff
*skb
, int ifindex
,
4444 struct common_audit_data ad
;
4449 if (!selinux_policycap_netpeer
)
4452 secmark_active
= selinux_secmark_enabled();
4453 netlbl_active
= netlbl_enabled();
4454 peerlbl_active
= netlbl_active
|| selinux_xfrm_enabled();
4455 if (!secmark_active
&& !peerlbl_active
)
4458 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
) != 0)
4461 COMMON_AUDIT_DATA_INIT(&ad
, NET
);
4462 ad
.u
.net
.netif
= ifindex
;
4463 ad
.u
.net
.family
= family
;
4464 if (selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
) != 0)
4467 if (peerlbl_active
) {
4468 err
= selinux_inet_sys_rcv_skb(ifindex
, addrp
, family
,
4471 selinux_netlbl_err(skb
, err
, 1);
4477 if (avc_has_perm(peer_sid
, skb
->secmark
,
4478 SECCLASS_PACKET
, PACKET__FORWARD_IN
, &ad
))
4482 /* we do this in the FORWARD path and not the POST_ROUTING
4483 * path because we want to make sure we apply the necessary
4484 * labeling before IPsec is applied so we can leverage AH
4486 if (selinux_netlbl_skbuff_setsid(skb
, family
, peer_sid
) != 0)
4492 static unsigned int selinux_ipv4_forward(unsigned int hooknum
,
4493 struct sk_buff
*skb
,
4494 const struct net_device
*in
,
4495 const struct net_device
*out
,
4496 int (*okfn
)(struct sk_buff
*))
4498 return selinux_ip_forward(skb
, in
->ifindex
, PF_INET
);
4501 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4502 static unsigned int selinux_ipv6_forward(unsigned int hooknum
,
4503 struct sk_buff
*skb
,
4504 const struct net_device
*in
,
4505 const struct net_device
*out
,
4506 int (*okfn
)(struct sk_buff
*))
4508 return selinux_ip_forward(skb
, in
->ifindex
, PF_INET6
);
4512 static unsigned int selinux_ip_output(struct sk_buff
*skb
,
4517 if (!netlbl_enabled())
4520 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4521 * because we want to make sure we apply the necessary labeling
4522 * before IPsec is applied so we can leverage AH protection */
4524 struct sk_security_struct
*sksec
= skb
->sk
->sk_security
;
4527 sid
= SECINITSID_KERNEL
;
4528 if (selinux_netlbl_skbuff_setsid(skb
, family
, sid
) != 0)
4534 static unsigned int selinux_ipv4_output(unsigned int hooknum
,
4535 struct sk_buff
*skb
,
4536 const struct net_device
*in
,
4537 const struct net_device
*out
,
4538 int (*okfn
)(struct sk_buff
*))
4540 return selinux_ip_output(skb
, PF_INET
);
4543 static unsigned int selinux_ip_postroute_compat(struct sk_buff
*skb
,
4547 struct sock
*sk
= skb
->sk
;
4548 struct sk_security_struct
*sksec
;
4549 struct common_audit_data ad
;
4555 sksec
= sk
->sk_security
;
4557 COMMON_AUDIT_DATA_INIT(&ad
, NET
);
4558 ad
.u
.net
.netif
= ifindex
;
4559 ad
.u
.net
.family
= family
;
4560 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, &proto
))
4563 if (selinux_secmark_enabled())
4564 if (avc_has_perm(sksec
->sid
, skb
->secmark
,
4565 SECCLASS_PACKET
, PACKET__SEND
, &ad
))
4566 return NF_DROP_ERR(-ECONNREFUSED
);
4568 if (selinux_xfrm_postroute_last(sksec
->sid
, skb
, &ad
, proto
))
4569 return NF_DROP_ERR(-ECONNREFUSED
);
4574 static unsigned int selinux_ip_postroute(struct sk_buff
*skb
, int ifindex
,
4580 struct common_audit_data ad
;
4585 /* If any sort of compatibility mode is enabled then handoff processing
4586 * to the selinux_ip_postroute_compat() function to deal with the
4587 * special handling. We do this in an attempt to keep this function
4588 * as fast and as clean as possible. */
4589 if (!selinux_policycap_netpeer
)
4590 return selinux_ip_postroute_compat(skb
, ifindex
, family
);
4592 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4593 * packet transformation so allow the packet to pass without any checks
4594 * since we'll have another chance to perform access control checks
4595 * when the packet is on it's final way out.
4596 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4597 * is NULL, in this case go ahead and apply access control. */
4598 if (skb_dst(skb
) != NULL
&& skb_dst(skb
)->xfrm
!= NULL
)
4601 secmark_active
= selinux_secmark_enabled();
4602 peerlbl_active
= netlbl_enabled() || selinux_xfrm_enabled();
4603 if (!secmark_active
&& !peerlbl_active
)
4606 /* if the packet is being forwarded then get the peer label from the
4607 * packet itself; otherwise check to see if it is from a local
4608 * application or the kernel, if from an application get the peer label
4609 * from the sending socket, otherwise use the kernel's sid */
4613 secmark_perm
= PACKET__FORWARD_OUT
;
4614 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
))
4617 secmark_perm
= PACKET__SEND
;
4618 peer_sid
= SECINITSID_KERNEL
;
4621 struct sk_security_struct
*sksec
= sk
->sk_security
;
4622 peer_sid
= sksec
->sid
;
4623 secmark_perm
= PACKET__SEND
;
4626 COMMON_AUDIT_DATA_INIT(&ad
, NET
);
4627 ad
.u
.net
.netif
= ifindex
;
4628 ad
.u
.net
.family
= family
;
4629 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, NULL
))
4633 if (avc_has_perm(peer_sid
, skb
->secmark
,
4634 SECCLASS_PACKET
, secmark_perm
, &ad
))
4635 return NF_DROP_ERR(-ECONNREFUSED
);
4637 if (peerlbl_active
) {
4641 if (sel_netif_sid(ifindex
, &if_sid
))
4643 if (avc_has_perm(peer_sid
, if_sid
,
4644 SECCLASS_NETIF
, NETIF__EGRESS
, &ad
))
4645 return NF_DROP_ERR(-ECONNREFUSED
);
4647 if (sel_netnode_sid(addrp
, family
, &node_sid
))
4649 if (avc_has_perm(peer_sid
, node_sid
,
4650 SECCLASS_NODE
, NODE__SENDTO
, &ad
))
4651 return NF_DROP_ERR(-ECONNREFUSED
);
4657 static unsigned int selinux_ipv4_postroute(unsigned int hooknum
,
4658 struct sk_buff
*skb
,
4659 const struct net_device
*in
,
4660 const struct net_device
*out
,
4661 int (*okfn
)(struct sk_buff
*))
4663 return selinux_ip_postroute(skb
, out
->ifindex
, PF_INET
);
4666 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4667 static unsigned int selinux_ipv6_postroute(unsigned int hooknum
,
4668 struct sk_buff
*skb
,
4669 const struct net_device
*in
,
4670 const struct net_device
*out
,
4671 int (*okfn
)(struct sk_buff
*))
4673 return selinux_ip_postroute(skb
, out
->ifindex
, PF_INET6
);
4677 #endif /* CONFIG_NETFILTER */
4679 static int selinux_netlink_send(struct sock
*sk
, struct sk_buff
*skb
)
4683 err
= cap_netlink_send(sk
, skb
);
4687 return selinux_nlmsg_perm(sk
, skb
);
4690 static int selinux_netlink_recv(struct sk_buff
*skb
, int capability
)
4693 struct common_audit_data ad
;
4695 err
= cap_netlink_recv(skb
, capability
);
4699 COMMON_AUDIT_DATA_INIT(&ad
, CAP
);
4700 ad
.u
.cap
= capability
;
4702 return avc_has_perm(NETLINK_CB(skb
).sid
, NETLINK_CB(skb
).sid
,
4703 SECCLASS_CAPABILITY
, CAP_TO_MASK(capability
), &ad
);
4706 static int ipc_alloc_security(struct task_struct
*task
,
4707 struct kern_ipc_perm
*perm
,
4710 struct ipc_security_struct
*isec
;
4713 isec
= kzalloc(sizeof(struct ipc_security_struct
), GFP_KERNEL
);
4717 sid
= task_sid(task
);
4718 isec
->sclass
= sclass
;
4720 perm
->security
= isec
;
4725 static void ipc_free_security(struct kern_ipc_perm
*perm
)
4727 struct ipc_security_struct
*isec
= perm
->security
;
4728 perm
->security
= NULL
;
4732 static int msg_msg_alloc_security(struct msg_msg
*msg
)
4734 struct msg_security_struct
*msec
;
4736 msec
= kzalloc(sizeof(struct msg_security_struct
), GFP_KERNEL
);
4740 msec
->sid
= SECINITSID_UNLABELED
;
4741 msg
->security
= msec
;
4746 static void msg_msg_free_security(struct msg_msg
*msg
)
4748 struct msg_security_struct
*msec
= msg
->security
;
4750 msg
->security
= NULL
;
4754 static int ipc_has_perm(struct kern_ipc_perm
*ipc_perms
,
4757 struct ipc_security_struct
*isec
;
4758 struct common_audit_data ad
;
4759 u32 sid
= current_sid();
4761 isec
= ipc_perms
->security
;
4763 COMMON_AUDIT_DATA_INIT(&ad
, IPC
);
4764 ad
.u
.ipc_id
= ipc_perms
->key
;
4766 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, &ad
);
4769 static int selinux_msg_msg_alloc_security(struct msg_msg
*msg
)
4771 return msg_msg_alloc_security(msg
);
4774 static void selinux_msg_msg_free_security(struct msg_msg
*msg
)
4776 msg_msg_free_security(msg
);
4779 /* message queue security operations */
4780 static int selinux_msg_queue_alloc_security(struct msg_queue
*msq
)
4782 struct ipc_security_struct
*isec
;
4783 struct common_audit_data ad
;
4784 u32 sid
= current_sid();
4787 rc
= ipc_alloc_security(current
, &msq
->q_perm
, SECCLASS_MSGQ
);
4791 isec
= msq
->q_perm
.security
;
4793 COMMON_AUDIT_DATA_INIT(&ad
, IPC
);
4794 ad
.u
.ipc_id
= msq
->q_perm
.key
;
4796 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
4799 ipc_free_security(&msq
->q_perm
);
4805 static void selinux_msg_queue_free_security(struct msg_queue
*msq
)
4807 ipc_free_security(&msq
->q_perm
);
4810 static int selinux_msg_queue_associate(struct msg_queue
*msq
, int msqflg
)
4812 struct ipc_security_struct
*isec
;
4813 struct common_audit_data ad
;
4814 u32 sid
= current_sid();
4816 isec
= msq
->q_perm
.security
;
4818 COMMON_AUDIT_DATA_INIT(&ad
, IPC
);
4819 ad
.u
.ipc_id
= msq
->q_perm
.key
;
4821 return avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
4822 MSGQ__ASSOCIATE
, &ad
);
4825 static int selinux_msg_queue_msgctl(struct msg_queue
*msq
, int cmd
)
4833 /* No specific object, just general system-wide information. */
4834 return task_has_system(current
, SYSTEM__IPC_INFO
);
4837 perms
= MSGQ__GETATTR
| MSGQ__ASSOCIATE
;
4840 perms
= MSGQ__SETATTR
;
4843 perms
= MSGQ__DESTROY
;
4849 err
= ipc_has_perm(&msq
->q_perm
, perms
);
4853 static int selinux_msg_queue_msgsnd(struct msg_queue
*msq
, struct msg_msg
*msg
, int msqflg
)
4855 struct ipc_security_struct
*isec
;
4856 struct msg_security_struct
*msec
;
4857 struct common_audit_data ad
;
4858 u32 sid
= current_sid();
4861 isec
= msq
->q_perm
.security
;
4862 msec
= msg
->security
;
4865 * First time through, need to assign label to the message
4867 if (msec
->sid
== SECINITSID_UNLABELED
) {
4869 * Compute new sid based on current process and
4870 * message queue this message will be stored in
4872 rc
= security_transition_sid(sid
, isec
->sid
, SECCLASS_MSG
,
4878 COMMON_AUDIT_DATA_INIT(&ad
, IPC
);
4879 ad
.u
.ipc_id
= msq
->q_perm
.key
;
4881 /* Can this process write to the queue? */
4882 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
4885 /* Can this process send the message */
4886 rc
= avc_has_perm(sid
, msec
->sid
, SECCLASS_MSG
,
4889 /* Can the message be put in the queue? */
4890 rc
= avc_has_perm(msec
->sid
, isec
->sid
, SECCLASS_MSGQ
,
4891 MSGQ__ENQUEUE
, &ad
);
4896 static int selinux_msg_queue_msgrcv(struct msg_queue
*msq
, struct msg_msg
*msg
,
4897 struct task_struct
*target
,
4898 long type
, int mode
)
4900 struct ipc_security_struct
*isec
;
4901 struct msg_security_struct
*msec
;
4902 struct common_audit_data ad
;
4903 u32 sid
= task_sid(target
);
4906 isec
= msq
->q_perm
.security
;
4907 msec
= msg
->security
;
4909 COMMON_AUDIT_DATA_INIT(&ad
, IPC
);
4910 ad
.u
.ipc_id
= msq
->q_perm
.key
;
4912 rc
= avc_has_perm(sid
, isec
->sid
,
4913 SECCLASS_MSGQ
, MSGQ__READ
, &ad
);
4915 rc
= avc_has_perm(sid
, msec
->sid
,
4916 SECCLASS_MSG
, MSG__RECEIVE
, &ad
);
4920 /* Shared Memory security operations */
4921 static int selinux_shm_alloc_security(struct shmid_kernel
*shp
)
4923 struct ipc_security_struct
*isec
;
4924 struct common_audit_data ad
;
4925 u32 sid
= current_sid();
4928 rc
= ipc_alloc_security(current
, &shp
->shm_perm
, SECCLASS_SHM
);
4932 isec
= shp
->shm_perm
.security
;
4934 COMMON_AUDIT_DATA_INIT(&ad
, IPC
);
4935 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
4937 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
4940 ipc_free_security(&shp
->shm_perm
);
4946 static void selinux_shm_free_security(struct shmid_kernel
*shp
)
4948 ipc_free_security(&shp
->shm_perm
);
4951 static int selinux_shm_associate(struct shmid_kernel
*shp
, int shmflg
)
4953 struct ipc_security_struct
*isec
;
4954 struct common_audit_data ad
;
4955 u32 sid
= current_sid();
4957 isec
= shp
->shm_perm
.security
;
4959 COMMON_AUDIT_DATA_INIT(&ad
, IPC
);
4960 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
4962 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
4963 SHM__ASSOCIATE
, &ad
);
4966 /* Note, at this point, shp is locked down */
4967 static int selinux_shm_shmctl(struct shmid_kernel
*shp
, int cmd
)
4975 /* No specific object, just general system-wide information. */
4976 return task_has_system(current
, SYSTEM__IPC_INFO
);
4979 perms
= SHM__GETATTR
| SHM__ASSOCIATE
;
4982 perms
= SHM__SETATTR
;
4989 perms
= SHM__DESTROY
;
4995 err
= ipc_has_perm(&shp
->shm_perm
, perms
);
4999 static int selinux_shm_shmat(struct shmid_kernel
*shp
,
5000 char __user
*shmaddr
, int shmflg
)
5004 if (shmflg
& SHM_RDONLY
)
5007 perms
= SHM__READ
| SHM__WRITE
;
5009 return ipc_has_perm(&shp
->shm_perm
, perms
);
5012 /* Semaphore security operations */
5013 static int selinux_sem_alloc_security(struct sem_array
*sma
)
5015 struct ipc_security_struct
*isec
;
5016 struct common_audit_data ad
;
5017 u32 sid
= current_sid();
5020 rc
= ipc_alloc_security(current
, &sma
->sem_perm
, SECCLASS_SEM
);
5024 isec
= sma
->sem_perm
.security
;
5026 COMMON_AUDIT_DATA_INIT(&ad
, IPC
);
5027 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5029 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5032 ipc_free_security(&sma
->sem_perm
);
5038 static void selinux_sem_free_security(struct sem_array
*sma
)
5040 ipc_free_security(&sma
->sem_perm
);
5043 static int selinux_sem_associate(struct sem_array
*sma
, int semflg
)
5045 struct ipc_security_struct
*isec
;
5046 struct common_audit_data ad
;
5047 u32 sid
= current_sid();
5049 isec
= sma
->sem_perm
.security
;
5051 COMMON_AUDIT_DATA_INIT(&ad
, IPC
);
5052 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5054 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5055 SEM__ASSOCIATE
, &ad
);
5058 /* Note, at this point, sma is locked down */
5059 static int selinux_sem_semctl(struct sem_array
*sma
, int cmd
)
5067 /* No specific object, just general system-wide information. */
5068 return task_has_system(current
, SYSTEM__IPC_INFO
);
5072 perms
= SEM__GETATTR
;
5083 perms
= SEM__DESTROY
;
5086 perms
= SEM__SETATTR
;
5090 perms
= SEM__GETATTR
| SEM__ASSOCIATE
;
5096 err
= ipc_has_perm(&sma
->sem_perm
, perms
);
5100 static int selinux_sem_semop(struct sem_array
*sma
,
5101 struct sembuf
*sops
, unsigned nsops
, int alter
)
5106 perms
= SEM__READ
| SEM__WRITE
;
5110 return ipc_has_perm(&sma
->sem_perm
, perms
);
5113 static int selinux_ipc_permission(struct kern_ipc_perm
*ipcp
, short flag
)
5119 av
|= IPC__UNIX_READ
;
5121 av
|= IPC__UNIX_WRITE
;
5126 return ipc_has_perm(ipcp
, av
);
5129 static void selinux_ipc_getsecid(struct kern_ipc_perm
*ipcp
, u32
*secid
)
5131 struct ipc_security_struct
*isec
= ipcp
->security
;
5135 static void selinux_d_instantiate(struct dentry
*dentry
, struct inode
*inode
)
5138 inode_doinit_with_dentry(inode
, dentry
);
5141 static int selinux_getprocattr(struct task_struct
*p
,
5142 char *name
, char **value
)
5144 const struct task_security_struct
*__tsec
;
5150 error
= current_has_perm(p
, PROCESS__GETATTR
);
5156 __tsec
= __task_cred(p
)->security
;
5158 if (!strcmp(name
, "current"))
5160 else if (!strcmp(name
, "prev"))
5162 else if (!strcmp(name
, "exec"))
5163 sid
= __tsec
->exec_sid
;
5164 else if (!strcmp(name
, "fscreate"))
5165 sid
= __tsec
->create_sid
;
5166 else if (!strcmp(name
, "keycreate"))
5167 sid
= __tsec
->keycreate_sid
;
5168 else if (!strcmp(name
, "sockcreate"))
5169 sid
= __tsec
->sockcreate_sid
;
5177 error
= security_sid_to_context(sid
, value
, &len
);
5187 static int selinux_setprocattr(struct task_struct
*p
,
5188 char *name
, void *value
, size_t size
)
5190 struct task_security_struct
*tsec
;
5191 struct task_struct
*tracer
;
5198 /* SELinux only allows a process to change its own
5199 security attributes. */
5204 * Basic control over ability to set these attributes at all.
5205 * current == p, but we'll pass them separately in case the
5206 * above restriction is ever removed.
5208 if (!strcmp(name
, "exec"))
5209 error
= current_has_perm(p
, PROCESS__SETEXEC
);
5210 else if (!strcmp(name
, "fscreate"))
5211 error
= current_has_perm(p
, PROCESS__SETFSCREATE
);
5212 else if (!strcmp(name
, "keycreate"))
5213 error
= current_has_perm(p
, PROCESS__SETKEYCREATE
);
5214 else if (!strcmp(name
, "sockcreate"))
5215 error
= current_has_perm(p
, PROCESS__SETSOCKCREATE
);
5216 else if (!strcmp(name
, "current"))
5217 error
= current_has_perm(p
, PROCESS__SETCURRENT
);
5223 /* Obtain a SID for the context, if one was specified. */
5224 if (size
&& str
[1] && str
[1] != '\n') {
5225 if (str
[size
-1] == '\n') {
5229 error
= security_context_to_sid(value
, size
, &sid
);
5230 if (error
== -EINVAL
&& !strcmp(name
, "fscreate")) {
5231 if (!capable(CAP_MAC_ADMIN
))
5233 error
= security_context_to_sid_force(value
, size
,
5240 new = prepare_creds();
5244 /* Permission checking based on the specified context is
5245 performed during the actual operation (execve,
5246 open/mkdir/...), when we know the full context of the
5247 operation. See selinux_bprm_set_creds for the execve
5248 checks and may_create for the file creation checks. The
5249 operation will then fail if the context is not permitted. */
5250 tsec
= new->security
;
5251 if (!strcmp(name
, "exec")) {
5252 tsec
->exec_sid
= sid
;
5253 } else if (!strcmp(name
, "fscreate")) {
5254 tsec
->create_sid
= sid
;
5255 } else if (!strcmp(name
, "keycreate")) {
5256 error
= may_create_key(sid
, p
);
5259 tsec
->keycreate_sid
= sid
;
5260 } else if (!strcmp(name
, "sockcreate")) {
5261 tsec
->sockcreate_sid
= sid
;
5262 } else if (!strcmp(name
, "current")) {
5267 /* Only allow single threaded processes to change context */
5269 if (!current_is_single_threaded()) {
5270 error
= security_bounded_transition(tsec
->sid
, sid
);
5275 /* Check permissions for the transition. */
5276 error
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_PROCESS
,
5277 PROCESS__DYNTRANSITION
, NULL
);
5281 /* Check for ptracing, and update the task SID if ok.
5282 Otherwise, leave SID unchanged and fail. */
5285 tracer
= tracehook_tracer_task(p
);
5287 ptsid
= task_sid(tracer
);
5291 error
= avc_has_perm(ptsid
, sid
, SECCLASS_PROCESS
,
5292 PROCESS__PTRACE
, NULL
);
5311 static int selinux_secid_to_secctx(u32 secid
, char **secdata
, u32
*seclen
)
5313 return security_sid_to_context(secid
, secdata
, seclen
);
5316 static int selinux_secctx_to_secid(const char *secdata
, u32 seclen
, u32
*secid
)
5318 return security_context_to_sid(secdata
, seclen
, secid
);
5321 static void selinux_release_secctx(char *secdata
, u32 seclen
)
5327 * called with inode->i_mutex locked
5329 static int selinux_inode_notifysecctx(struct inode
*inode
, void *ctx
, u32 ctxlen
)
5331 return selinux_inode_setsecurity(inode
, XATTR_SELINUX_SUFFIX
, ctx
, ctxlen
, 0);
5335 * called with inode->i_mutex locked
5337 static int selinux_inode_setsecctx(struct dentry
*dentry
, void *ctx
, u32 ctxlen
)
5339 return __vfs_setxattr_noperm(dentry
, XATTR_NAME_SELINUX
, ctx
, ctxlen
, 0);
5342 static int selinux_inode_getsecctx(struct inode
*inode
, void **ctx
, u32
*ctxlen
)
5345 len
= selinux_inode_getsecurity(inode
, XATTR_SELINUX_SUFFIX
,
5354 static int selinux_key_alloc(struct key
*k
, const struct cred
*cred
,
5355 unsigned long flags
)
5357 const struct task_security_struct
*tsec
;
5358 struct key_security_struct
*ksec
;
5360 ksec
= kzalloc(sizeof(struct key_security_struct
), GFP_KERNEL
);
5364 tsec
= cred
->security
;
5365 if (tsec
->keycreate_sid
)
5366 ksec
->sid
= tsec
->keycreate_sid
;
5368 ksec
->sid
= tsec
->sid
;
5374 static void selinux_key_free(struct key
*k
)
5376 struct key_security_struct
*ksec
= k
->security
;
5382 static int selinux_key_permission(key_ref_t key_ref
,
5383 const struct cred
*cred
,
5387 struct key_security_struct
*ksec
;
5390 /* if no specific permissions are requested, we skip the
5391 permission check. No serious, additional covert channels
5392 appear to be created. */
5396 sid
= cred_sid(cred
);
5398 key
= key_ref_to_ptr(key_ref
);
5399 ksec
= key
->security
;
5401 return avc_has_perm(sid
, ksec
->sid
, SECCLASS_KEY
, perm
, NULL
);
5404 static int selinux_key_getsecurity(struct key
*key
, char **_buffer
)
5406 struct key_security_struct
*ksec
= key
->security
;
5407 char *context
= NULL
;
5411 rc
= security_sid_to_context(ksec
->sid
, &context
, &len
);
5420 static struct security_operations selinux_ops
= {
5423 .ptrace_access_check
= selinux_ptrace_access_check
,
5424 .ptrace_traceme
= selinux_ptrace_traceme
,
5425 .capget
= selinux_capget
,
5426 .capset
= selinux_capset
,
5427 .capable
= selinux_capable
,
5428 .quotactl
= selinux_quotactl
,
5429 .quota_on
= selinux_quota_on
,
5430 .syslog
= selinux_syslog
,
5431 .vm_enough_memory
= selinux_vm_enough_memory
,
5433 .netlink_send
= selinux_netlink_send
,
5434 .netlink_recv
= selinux_netlink_recv
,
5436 .bprm_set_creds
= selinux_bprm_set_creds
,
5437 .bprm_committing_creds
= selinux_bprm_committing_creds
,
5438 .bprm_committed_creds
= selinux_bprm_committed_creds
,
5439 .bprm_secureexec
= selinux_bprm_secureexec
,
5441 .sb_alloc_security
= selinux_sb_alloc_security
,
5442 .sb_free_security
= selinux_sb_free_security
,
5443 .sb_copy_data
= selinux_sb_copy_data
,
5444 .sb_remount
= selinux_sb_remount
,
5445 .sb_kern_mount
= selinux_sb_kern_mount
,
5446 .sb_show_options
= selinux_sb_show_options
,
5447 .sb_statfs
= selinux_sb_statfs
,
5448 .sb_mount
= selinux_mount
,
5449 .sb_umount
= selinux_umount
,
5450 .sb_set_mnt_opts
= selinux_set_mnt_opts
,
5451 .sb_clone_mnt_opts
= selinux_sb_clone_mnt_opts
,
5452 .sb_parse_opts_str
= selinux_parse_opts_str
,
5455 .inode_alloc_security
= selinux_inode_alloc_security
,
5456 .inode_free_security
= selinux_inode_free_security
,
5457 .inode_init_security
= selinux_inode_init_security
,
5458 .inode_create
= selinux_inode_create
,
5459 .inode_link
= selinux_inode_link
,
5460 .inode_unlink
= selinux_inode_unlink
,
5461 .inode_symlink
= selinux_inode_symlink
,
5462 .inode_mkdir
= selinux_inode_mkdir
,
5463 .inode_rmdir
= selinux_inode_rmdir
,
5464 .inode_mknod
= selinux_inode_mknod
,
5465 .inode_rename
= selinux_inode_rename
,
5466 .inode_readlink
= selinux_inode_readlink
,
5467 .inode_follow_link
= selinux_inode_follow_link
,
5468 .inode_permission
= selinux_inode_permission
,
5469 .inode_setattr
= selinux_inode_setattr
,
5470 .inode_getattr
= selinux_inode_getattr
,
5471 .inode_setxattr
= selinux_inode_setxattr
,
5472 .inode_post_setxattr
= selinux_inode_post_setxattr
,
5473 .inode_getxattr
= selinux_inode_getxattr
,
5474 .inode_listxattr
= selinux_inode_listxattr
,
5475 .inode_removexattr
= selinux_inode_removexattr
,
5476 .inode_getsecurity
= selinux_inode_getsecurity
,
5477 .inode_setsecurity
= selinux_inode_setsecurity
,
5478 .inode_listsecurity
= selinux_inode_listsecurity
,
5479 .inode_getsecid
= selinux_inode_getsecid
,
5481 .file_permission
= selinux_file_permission
,
5482 .file_alloc_security
= selinux_file_alloc_security
,
5483 .file_free_security
= selinux_file_free_security
,
5484 .file_ioctl
= selinux_file_ioctl
,
5485 .file_mmap
= selinux_file_mmap
,
5486 .file_mprotect
= selinux_file_mprotect
,
5487 .file_lock
= selinux_file_lock
,
5488 .file_fcntl
= selinux_file_fcntl
,
5489 .file_set_fowner
= selinux_file_set_fowner
,
5490 .file_send_sigiotask
= selinux_file_send_sigiotask
,
5491 .file_receive
= selinux_file_receive
,
5493 .dentry_open
= selinux_dentry_open
,
5495 .task_create
= selinux_task_create
,
5496 .cred_alloc_blank
= selinux_cred_alloc_blank
,
5497 .cred_free
= selinux_cred_free
,
5498 .cred_prepare
= selinux_cred_prepare
,
5499 .cred_transfer
= selinux_cred_transfer
,
5500 .kernel_act_as
= selinux_kernel_act_as
,
5501 .kernel_create_files_as
= selinux_kernel_create_files_as
,
5502 .kernel_module_request
= selinux_kernel_module_request
,
5503 .task_setpgid
= selinux_task_setpgid
,
5504 .task_getpgid
= selinux_task_getpgid
,
5505 .task_getsid
= selinux_task_getsid
,
5506 .task_getsecid
= selinux_task_getsecid
,
5507 .task_setnice
= selinux_task_setnice
,
5508 .task_setioprio
= selinux_task_setioprio
,
5509 .task_getioprio
= selinux_task_getioprio
,
5510 .task_setrlimit
= selinux_task_setrlimit
,
5511 .task_setscheduler
= selinux_task_setscheduler
,
5512 .task_getscheduler
= selinux_task_getscheduler
,
5513 .task_movememory
= selinux_task_movememory
,
5514 .task_kill
= selinux_task_kill
,
5515 .task_wait
= selinux_task_wait
,
5516 .task_to_inode
= selinux_task_to_inode
,
5518 .ipc_permission
= selinux_ipc_permission
,
5519 .ipc_getsecid
= selinux_ipc_getsecid
,
5521 .msg_msg_alloc_security
= selinux_msg_msg_alloc_security
,
5522 .msg_msg_free_security
= selinux_msg_msg_free_security
,
5524 .msg_queue_alloc_security
= selinux_msg_queue_alloc_security
,
5525 .msg_queue_free_security
= selinux_msg_queue_free_security
,
5526 .msg_queue_associate
= selinux_msg_queue_associate
,
5527 .msg_queue_msgctl
= selinux_msg_queue_msgctl
,
5528 .msg_queue_msgsnd
= selinux_msg_queue_msgsnd
,
5529 .msg_queue_msgrcv
= selinux_msg_queue_msgrcv
,
5531 .shm_alloc_security
= selinux_shm_alloc_security
,
5532 .shm_free_security
= selinux_shm_free_security
,
5533 .shm_associate
= selinux_shm_associate
,
5534 .shm_shmctl
= selinux_shm_shmctl
,
5535 .shm_shmat
= selinux_shm_shmat
,
5537 .sem_alloc_security
= selinux_sem_alloc_security
,
5538 .sem_free_security
= selinux_sem_free_security
,
5539 .sem_associate
= selinux_sem_associate
,
5540 .sem_semctl
= selinux_sem_semctl
,
5541 .sem_semop
= selinux_sem_semop
,
5543 .d_instantiate
= selinux_d_instantiate
,
5545 .getprocattr
= selinux_getprocattr
,
5546 .setprocattr
= selinux_setprocattr
,
5548 .secid_to_secctx
= selinux_secid_to_secctx
,
5549 .secctx_to_secid
= selinux_secctx_to_secid
,
5550 .release_secctx
= selinux_release_secctx
,
5551 .inode_notifysecctx
= selinux_inode_notifysecctx
,
5552 .inode_setsecctx
= selinux_inode_setsecctx
,
5553 .inode_getsecctx
= selinux_inode_getsecctx
,
5555 .unix_stream_connect
= selinux_socket_unix_stream_connect
,
5556 .unix_may_send
= selinux_socket_unix_may_send
,
5558 .socket_create
= selinux_socket_create
,
5559 .socket_post_create
= selinux_socket_post_create
,
5560 .socket_bind
= selinux_socket_bind
,
5561 .socket_connect
= selinux_socket_connect
,
5562 .socket_listen
= selinux_socket_listen
,
5563 .socket_accept
= selinux_socket_accept
,
5564 .socket_sendmsg
= selinux_socket_sendmsg
,
5565 .socket_recvmsg
= selinux_socket_recvmsg
,
5566 .socket_getsockname
= selinux_socket_getsockname
,
5567 .socket_getpeername
= selinux_socket_getpeername
,
5568 .socket_getsockopt
= selinux_socket_getsockopt
,
5569 .socket_setsockopt
= selinux_socket_setsockopt
,
5570 .socket_shutdown
= selinux_socket_shutdown
,
5571 .socket_sock_rcv_skb
= selinux_socket_sock_rcv_skb
,
5572 .socket_getpeersec_stream
= selinux_socket_getpeersec_stream
,
5573 .socket_getpeersec_dgram
= selinux_socket_getpeersec_dgram
,
5574 .sk_alloc_security
= selinux_sk_alloc_security
,
5575 .sk_free_security
= selinux_sk_free_security
,
5576 .sk_clone_security
= selinux_sk_clone_security
,
5577 .sk_getsecid
= selinux_sk_getsecid
,
5578 .sock_graft
= selinux_sock_graft
,
5579 .inet_conn_request
= selinux_inet_conn_request
,
5580 .inet_csk_clone
= selinux_inet_csk_clone
,
5581 .inet_conn_established
= selinux_inet_conn_established
,
5582 .secmark_relabel_packet
= selinux_secmark_relabel_packet
,
5583 .secmark_refcount_inc
= selinux_secmark_refcount_inc
,
5584 .secmark_refcount_dec
= selinux_secmark_refcount_dec
,
5585 .req_classify_flow
= selinux_req_classify_flow
,
5586 .tun_dev_create
= selinux_tun_dev_create
,
5587 .tun_dev_post_create
= selinux_tun_dev_post_create
,
5588 .tun_dev_attach
= selinux_tun_dev_attach
,
5590 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5591 .xfrm_policy_alloc_security
= selinux_xfrm_policy_alloc
,
5592 .xfrm_policy_clone_security
= selinux_xfrm_policy_clone
,
5593 .xfrm_policy_free_security
= selinux_xfrm_policy_free
,
5594 .xfrm_policy_delete_security
= selinux_xfrm_policy_delete
,
5595 .xfrm_state_alloc_security
= selinux_xfrm_state_alloc
,
5596 .xfrm_state_free_security
= selinux_xfrm_state_free
,
5597 .xfrm_state_delete_security
= selinux_xfrm_state_delete
,
5598 .xfrm_policy_lookup
= selinux_xfrm_policy_lookup
,
5599 .xfrm_state_pol_flow_match
= selinux_xfrm_state_pol_flow_match
,
5600 .xfrm_decode_session
= selinux_xfrm_decode_session
,
5604 .key_alloc
= selinux_key_alloc
,
5605 .key_free
= selinux_key_free
,
5606 .key_permission
= selinux_key_permission
,
5607 .key_getsecurity
= selinux_key_getsecurity
,
5611 .audit_rule_init
= selinux_audit_rule_init
,
5612 .audit_rule_known
= selinux_audit_rule_known
,
5613 .audit_rule_match
= selinux_audit_rule_match
,
5614 .audit_rule_free
= selinux_audit_rule_free
,
5618 static __init
int selinux_init(void)
5620 if (!security_module_enable(&selinux_ops
)) {
5621 selinux_enabled
= 0;
5625 if (!selinux_enabled
) {
5626 printk(KERN_INFO
"SELinux: Disabled at boot.\n");
5630 printk(KERN_INFO
"SELinux: Initializing.\n");
5632 /* Set the security state for the initial task. */
5633 cred_init_security();
5635 default_noexec
= !(VM_DATA_DEFAULT_FLAGS
& VM_EXEC
);
5637 sel_inode_cache
= kmem_cache_create("selinux_inode_security",
5638 sizeof(struct inode_security_struct
),
5639 0, SLAB_PANIC
, NULL
);
5642 if (register_security(&selinux_ops
))
5643 panic("SELinux: Unable to register with kernel.\n");
5645 if (selinux_enforcing
)
5646 printk(KERN_DEBUG
"SELinux: Starting in enforcing mode\n");
5648 printk(KERN_DEBUG
"SELinux: Starting in permissive mode\n");
5653 static void delayed_superblock_init(struct super_block
*sb
, void *unused
)
5655 superblock_doinit(sb
, NULL
);
5658 void selinux_complete_init(void)
5660 printk(KERN_DEBUG
"SELinux: Completing initialization.\n");
5662 /* Set up any superblocks initialized prior to the policy load. */
5663 printk(KERN_DEBUG
"SELinux: Setting up existing superblocks.\n");
5664 iterate_supers(delayed_superblock_init
, NULL
);
5667 /* SELinux requires early initialization in order to label
5668 all processes and objects when they are created. */
5669 security_initcall(selinux_init
);
5671 #if defined(CONFIG_NETFILTER)
5673 static struct nf_hook_ops selinux_ipv4_ops
[] = {
5675 .hook
= selinux_ipv4_postroute
,
5676 .owner
= THIS_MODULE
,
5678 .hooknum
= NF_INET_POST_ROUTING
,
5679 .priority
= NF_IP_PRI_SELINUX_LAST
,
5682 .hook
= selinux_ipv4_forward
,
5683 .owner
= THIS_MODULE
,
5685 .hooknum
= NF_INET_FORWARD
,
5686 .priority
= NF_IP_PRI_SELINUX_FIRST
,
5689 .hook
= selinux_ipv4_output
,
5690 .owner
= THIS_MODULE
,
5692 .hooknum
= NF_INET_LOCAL_OUT
,
5693 .priority
= NF_IP_PRI_SELINUX_FIRST
,
5697 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5699 static struct nf_hook_ops selinux_ipv6_ops
[] = {
5701 .hook
= selinux_ipv6_postroute
,
5702 .owner
= THIS_MODULE
,
5704 .hooknum
= NF_INET_POST_ROUTING
,
5705 .priority
= NF_IP6_PRI_SELINUX_LAST
,
5708 .hook
= selinux_ipv6_forward
,
5709 .owner
= THIS_MODULE
,
5711 .hooknum
= NF_INET_FORWARD
,
5712 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
5718 static int __init
selinux_nf_ip_init(void)
5722 if (!selinux_enabled
)
5725 printk(KERN_DEBUG
"SELinux: Registering netfilter hooks\n");
5727 err
= nf_register_hooks(selinux_ipv4_ops
, ARRAY_SIZE(selinux_ipv4_ops
));
5729 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err
);
5731 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5732 err
= nf_register_hooks(selinux_ipv6_ops
, ARRAY_SIZE(selinux_ipv6_ops
));
5734 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err
);
5741 __initcall(selinux_nf_ip_init
);
5743 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5744 static void selinux_nf_ip_exit(void)
5746 printk(KERN_DEBUG
"SELinux: Unregistering netfilter hooks\n");
5748 nf_unregister_hooks(selinux_ipv4_ops
, ARRAY_SIZE(selinux_ipv4_ops
));
5749 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5750 nf_unregister_hooks(selinux_ipv6_ops
, ARRAY_SIZE(selinux_ipv6_ops
));
5755 #else /* CONFIG_NETFILTER */
5757 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5758 #define selinux_nf_ip_exit()
5761 #endif /* CONFIG_NETFILTER */
5763 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5764 static int selinux_disabled
;
5766 int selinux_disable(void)
5768 extern void exit_sel_fs(void);
5770 if (ss_initialized
) {
5771 /* Not permitted after initial policy load. */
5775 if (selinux_disabled
) {
5776 /* Only do this once. */
5780 printk(KERN_INFO
"SELinux: Disabled at runtime.\n");
5782 selinux_disabled
= 1;
5783 selinux_enabled
= 0;
5785 reset_security_ops();
5787 /* Try to destroy the avc node cache */
5790 /* Unregister netfilter hooks. */
5791 selinux_nf_ip_exit();
5793 /* Unregister selinuxfs. */