m68k: use KBUILD_DEFCONFIG
[linux-2.6/verdex.git] / security / selinux / hooks.c
blob820d07a60ab0f1bcd32f410637782ad24bb70531
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
15 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
16 * Paul Moore <paul.moore@hp.com>
17 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
18 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * This program is free software; you can redistribute it and/or modify
21 * it under the terms of the GNU General Public License version 2,
22 * as published by the Free Software Foundation.
25 #include <linux/init.h>
26 #include <linux/kernel.h>
27 #include <linux/ptrace.h>
28 #include <linux/errno.h>
29 #include <linux/sched.h>
30 #include <linux/security.h>
31 #include <linux/xattr.h>
32 #include <linux/capability.h>
33 #include <linux/unistd.h>
34 #include <linux/mm.h>
35 #include <linux/mman.h>
36 #include <linux/slab.h>
37 #include <linux/pagemap.h>
38 #include <linux/swap.h>
39 #include <linux/spinlock.h>
40 #include <linux/syscalls.h>
41 #include <linux/file.h>
42 #include <linux/namei.h>
43 #include <linux/mount.h>
44 #include <linux/ext2_fs.h>
45 #include <linux/proc_fs.h>
46 #include <linux/kd.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h> /* for local_port_range[] */
52 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <asm/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h> /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h> /* for Unix socket types */
67 #include <net/af_unix.h> /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
79 #include "avc.h"
80 #include "objsec.h"
81 #include "netif.h"
82 #include "netnode.h"
83 #include "xfrm.h"
84 #include "netlabel.h"
86 #define XATTR_SELINUX_SUFFIX "selinux"
87 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
89 #define NUM_SEL_MNT_OPTS 4
91 extern unsigned int policydb_loaded_version;
92 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
93 extern int selinux_compat_net;
94 extern struct security_operations *security_ops;
96 /* SECMARK reference count */
97 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
100 int selinux_enforcing = 0;
102 static int __init enforcing_setup(char *str)
104 selinux_enforcing = simple_strtol(str,NULL,0);
105 return 1;
107 __setup("enforcing=", enforcing_setup);
108 #endif
110 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
111 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
113 static int __init selinux_enabled_setup(char *str)
115 selinux_enabled = simple_strtol(str, NULL, 0);
116 return 1;
118 __setup("selinux=", selinux_enabled_setup);
119 #else
120 int selinux_enabled = 1;
121 #endif
123 /* Original (dummy) security module. */
124 static struct security_operations *original_ops = NULL;
126 /* Minimal support for a secondary security module,
127 just to allow the use of the dummy or capability modules.
128 The owlsm module can alternatively be used as a secondary
129 module as long as CONFIG_OWLSM_FD is not enabled. */
130 static struct security_operations *secondary_ops = NULL;
132 /* Lists of inode and superblock security structures initialized
133 before the policy was loaded. */
134 static LIST_HEAD(superblock_security_head);
135 static DEFINE_SPINLOCK(sb_security_lock);
137 static struct kmem_cache *sel_inode_cache;
140 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
142 * Description:
143 * This function checks the SECMARK reference counter to see if any SECMARK
144 * targets are currently configured, if the reference counter is greater than
145 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
146 * enabled, false (0) if SECMARK is disabled.
149 static int selinux_secmark_enabled(void)
151 return (atomic_read(&selinux_secmark_refcount) > 0);
154 /* Allocate and free functions for each kind of security blob. */
156 static int task_alloc_security(struct task_struct *task)
158 struct task_security_struct *tsec;
160 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
161 if (!tsec)
162 return -ENOMEM;
164 tsec->task = task;
165 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
166 task->security = tsec;
168 return 0;
171 static void task_free_security(struct task_struct *task)
173 struct task_security_struct *tsec = task->security;
174 task->security = NULL;
175 kfree(tsec);
178 static int inode_alloc_security(struct inode *inode)
180 struct task_security_struct *tsec = current->security;
181 struct inode_security_struct *isec;
183 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
184 if (!isec)
185 return -ENOMEM;
187 mutex_init(&isec->lock);
188 INIT_LIST_HEAD(&isec->list);
189 isec->inode = inode;
190 isec->sid = SECINITSID_UNLABELED;
191 isec->sclass = SECCLASS_FILE;
192 isec->task_sid = tsec->sid;
193 inode->i_security = isec;
195 return 0;
198 static void inode_free_security(struct inode *inode)
200 struct inode_security_struct *isec = inode->i_security;
201 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
203 spin_lock(&sbsec->isec_lock);
204 if (!list_empty(&isec->list))
205 list_del_init(&isec->list);
206 spin_unlock(&sbsec->isec_lock);
208 inode->i_security = NULL;
209 kmem_cache_free(sel_inode_cache, isec);
212 static int file_alloc_security(struct file *file)
214 struct task_security_struct *tsec = current->security;
215 struct file_security_struct *fsec;
217 fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
218 if (!fsec)
219 return -ENOMEM;
221 fsec->file = file;
222 fsec->sid = tsec->sid;
223 fsec->fown_sid = tsec->sid;
224 file->f_security = fsec;
226 return 0;
229 static void file_free_security(struct file *file)
231 struct file_security_struct *fsec = file->f_security;
232 file->f_security = NULL;
233 kfree(fsec);
236 static int superblock_alloc_security(struct super_block *sb)
238 struct superblock_security_struct *sbsec;
240 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
241 if (!sbsec)
242 return -ENOMEM;
244 mutex_init(&sbsec->lock);
245 INIT_LIST_HEAD(&sbsec->list);
246 INIT_LIST_HEAD(&sbsec->isec_head);
247 spin_lock_init(&sbsec->isec_lock);
248 sbsec->sb = sb;
249 sbsec->sid = SECINITSID_UNLABELED;
250 sbsec->def_sid = SECINITSID_FILE;
251 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
252 sb->s_security = sbsec;
254 return 0;
257 static void superblock_free_security(struct super_block *sb)
259 struct superblock_security_struct *sbsec = sb->s_security;
261 spin_lock(&sb_security_lock);
262 if (!list_empty(&sbsec->list))
263 list_del_init(&sbsec->list);
264 spin_unlock(&sb_security_lock);
266 sb->s_security = NULL;
267 kfree(sbsec);
270 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
272 struct sk_security_struct *ssec;
274 ssec = kzalloc(sizeof(*ssec), priority);
275 if (!ssec)
276 return -ENOMEM;
278 ssec->sk = sk;
279 ssec->peer_sid = SECINITSID_UNLABELED;
280 ssec->sid = SECINITSID_UNLABELED;
281 sk->sk_security = ssec;
283 selinux_netlbl_sk_security_init(ssec, family);
285 return 0;
288 static void sk_free_security(struct sock *sk)
290 struct sk_security_struct *ssec = sk->sk_security;
292 sk->sk_security = NULL;
293 kfree(ssec);
296 /* The security server must be initialized before
297 any labeling or access decisions can be provided. */
298 extern int ss_initialized;
300 /* The file system's label must be initialized prior to use. */
302 static char *labeling_behaviors[6] = {
303 "uses xattr",
304 "uses transition SIDs",
305 "uses task SIDs",
306 "uses genfs_contexts",
307 "not configured for labeling",
308 "uses mountpoint labeling",
311 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
313 static inline int inode_doinit(struct inode *inode)
315 return inode_doinit_with_dentry(inode, NULL);
318 enum {
319 Opt_error = -1,
320 Opt_context = 1,
321 Opt_fscontext = 2,
322 Opt_defcontext = 3,
323 Opt_rootcontext = 4,
326 static match_table_t tokens = {
327 {Opt_context, "context=%s"},
328 {Opt_fscontext, "fscontext=%s"},
329 {Opt_defcontext, "defcontext=%s"},
330 {Opt_rootcontext, "rootcontext=%s"},
331 {Opt_error, NULL},
334 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
336 static int may_context_mount_sb_relabel(u32 sid,
337 struct superblock_security_struct *sbsec,
338 struct task_security_struct *tsec)
340 int rc;
342 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
343 FILESYSTEM__RELABELFROM, NULL);
344 if (rc)
345 return rc;
347 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
348 FILESYSTEM__RELABELTO, NULL);
349 return rc;
352 static int may_context_mount_inode_relabel(u32 sid,
353 struct superblock_security_struct *sbsec,
354 struct task_security_struct *tsec)
356 int rc;
357 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
358 FILESYSTEM__RELABELFROM, NULL);
359 if (rc)
360 return rc;
362 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
363 FILESYSTEM__ASSOCIATE, NULL);
364 return rc;
367 static int sb_finish_set_opts(struct super_block *sb)
369 struct superblock_security_struct *sbsec = sb->s_security;
370 struct dentry *root = sb->s_root;
371 struct inode *root_inode = root->d_inode;
372 int rc = 0;
374 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
375 /* Make sure that the xattr handler exists and that no
376 error other than -ENODATA is returned by getxattr on
377 the root directory. -ENODATA is ok, as this may be
378 the first boot of the SELinux kernel before we have
379 assigned xattr values to the filesystem. */
380 if (!root_inode->i_op->getxattr) {
381 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
382 "xattr support\n", sb->s_id, sb->s_type->name);
383 rc = -EOPNOTSUPP;
384 goto out;
386 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
387 if (rc < 0 && rc != -ENODATA) {
388 if (rc == -EOPNOTSUPP)
389 printk(KERN_WARNING "SELinux: (dev %s, type "
390 "%s) has no security xattr handler\n",
391 sb->s_id, sb->s_type->name);
392 else
393 printk(KERN_WARNING "SELinux: (dev %s, type "
394 "%s) getxattr errno %d\n", sb->s_id,
395 sb->s_type->name, -rc);
396 goto out;
400 sbsec->initialized = 1;
402 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
403 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
404 sb->s_id, sb->s_type->name);
405 else
406 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
407 sb->s_id, sb->s_type->name,
408 labeling_behaviors[sbsec->behavior-1]);
410 /* Initialize the root inode. */
411 rc = inode_doinit_with_dentry(root_inode, root);
413 /* Initialize any other inodes associated with the superblock, e.g.
414 inodes created prior to initial policy load or inodes created
415 during get_sb by a pseudo filesystem that directly
416 populates itself. */
417 spin_lock(&sbsec->isec_lock);
418 next_inode:
419 if (!list_empty(&sbsec->isec_head)) {
420 struct inode_security_struct *isec =
421 list_entry(sbsec->isec_head.next,
422 struct inode_security_struct, list);
423 struct inode *inode = isec->inode;
424 spin_unlock(&sbsec->isec_lock);
425 inode = igrab(inode);
426 if (inode) {
427 if (!IS_PRIVATE(inode))
428 inode_doinit(inode);
429 iput(inode);
431 spin_lock(&sbsec->isec_lock);
432 list_del_init(&isec->list);
433 goto next_inode;
435 spin_unlock(&sbsec->isec_lock);
436 out:
437 return rc;
441 * This function should allow an FS to ask what it's mount security
442 * options were so it can use those later for submounts, displaying
443 * mount options, or whatever.
445 static int selinux_get_mnt_opts(const struct super_block *sb,
446 struct security_mnt_opts *opts)
448 int rc = 0, i;
449 struct superblock_security_struct *sbsec = sb->s_security;
450 char *context = NULL;
451 u32 len;
452 char tmp;
454 security_init_mnt_opts(opts);
456 if (!sbsec->initialized)
457 return -EINVAL;
459 if (!ss_initialized)
460 return -EINVAL;
463 * if we ever use sbsec flags for anything other than tracking mount
464 * settings this is going to need a mask
466 tmp = sbsec->flags;
467 /* count the number of mount options for this sb */
468 for (i = 0; i < 8; i++) {
469 if (tmp & 0x01)
470 opts->num_mnt_opts++;
471 tmp >>= 1;
474 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
475 if (!opts->mnt_opts) {
476 rc = -ENOMEM;
477 goto out_free;
480 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
481 if (!opts->mnt_opts_flags) {
482 rc = -ENOMEM;
483 goto out_free;
486 i = 0;
487 if (sbsec->flags & FSCONTEXT_MNT) {
488 rc = security_sid_to_context(sbsec->sid, &context, &len);
489 if (rc)
490 goto out_free;
491 opts->mnt_opts[i] = context;
492 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
494 if (sbsec->flags & CONTEXT_MNT) {
495 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
496 if (rc)
497 goto out_free;
498 opts->mnt_opts[i] = context;
499 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
501 if (sbsec->flags & DEFCONTEXT_MNT) {
502 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
503 if (rc)
504 goto out_free;
505 opts->mnt_opts[i] = context;
506 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
508 if (sbsec->flags & ROOTCONTEXT_MNT) {
509 struct inode *root = sbsec->sb->s_root->d_inode;
510 struct inode_security_struct *isec = root->i_security;
512 rc = security_sid_to_context(isec->sid, &context, &len);
513 if (rc)
514 goto out_free;
515 opts->mnt_opts[i] = context;
516 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
519 BUG_ON(i != opts->num_mnt_opts);
521 return 0;
523 out_free:
524 security_free_mnt_opts(opts);
525 return rc;
528 static int bad_option(struct superblock_security_struct *sbsec, char flag,
529 u32 old_sid, u32 new_sid)
531 /* check if the old mount command had the same options */
532 if (sbsec->initialized)
533 if (!(sbsec->flags & flag) ||
534 (old_sid != new_sid))
535 return 1;
537 /* check if we were passed the same options twice,
538 * aka someone passed context=a,context=b
540 if (!sbsec->initialized)
541 if (sbsec->flags & flag)
542 return 1;
543 return 0;
547 * Allow filesystems with binary mount data to explicitly set mount point
548 * labeling information.
550 static int selinux_set_mnt_opts(struct super_block *sb,
551 struct security_mnt_opts *opts)
553 int rc = 0, i;
554 struct task_security_struct *tsec = current->security;
555 struct superblock_security_struct *sbsec = sb->s_security;
556 const char *name = sb->s_type->name;
557 struct inode *inode = sbsec->sb->s_root->d_inode;
558 struct inode_security_struct *root_isec = inode->i_security;
559 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
560 u32 defcontext_sid = 0;
561 char **mount_options = opts->mnt_opts;
562 int *flags = opts->mnt_opts_flags;
563 int num_opts = opts->num_mnt_opts;
565 mutex_lock(&sbsec->lock);
567 if (!ss_initialized) {
568 if (!num_opts) {
569 /* Defer initialization until selinux_complete_init,
570 after the initial policy is loaded and the security
571 server is ready to handle calls. */
572 spin_lock(&sb_security_lock);
573 if (list_empty(&sbsec->list))
574 list_add(&sbsec->list, &superblock_security_head);
575 spin_unlock(&sb_security_lock);
576 goto out;
578 rc = -EINVAL;
579 printk(KERN_WARNING "Unable to set superblock options before "
580 "the security server is initialized\n");
581 goto out;
585 * Binary mount data FS will come through this function twice. Once
586 * from an explicit call and once from the generic calls from the vfs.
587 * Since the generic VFS calls will not contain any security mount data
588 * we need to skip the double mount verification.
590 * This does open a hole in which we will not notice if the first
591 * mount using this sb set explict options and a second mount using
592 * this sb does not set any security options. (The first options
593 * will be used for both mounts)
595 if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
596 && (num_opts == 0))
597 goto out;
600 * parse the mount options, check if they are valid sids.
601 * also check if someone is trying to mount the same sb more
602 * than once with different security options.
604 for (i = 0; i < num_opts; i++) {
605 u32 sid;
606 rc = security_context_to_sid(mount_options[i],
607 strlen(mount_options[i]), &sid);
608 if (rc) {
609 printk(KERN_WARNING "SELinux: security_context_to_sid"
610 "(%s) failed for (dev %s, type %s) errno=%d\n",
611 mount_options[i], sb->s_id, name, rc);
612 goto out;
614 switch (flags[i]) {
615 case FSCONTEXT_MNT:
616 fscontext_sid = sid;
618 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
619 fscontext_sid))
620 goto out_double_mount;
622 sbsec->flags |= FSCONTEXT_MNT;
623 break;
624 case CONTEXT_MNT:
625 context_sid = sid;
627 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
628 context_sid))
629 goto out_double_mount;
631 sbsec->flags |= CONTEXT_MNT;
632 break;
633 case ROOTCONTEXT_MNT:
634 rootcontext_sid = sid;
636 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
637 rootcontext_sid))
638 goto out_double_mount;
640 sbsec->flags |= ROOTCONTEXT_MNT;
642 break;
643 case DEFCONTEXT_MNT:
644 defcontext_sid = sid;
646 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
647 defcontext_sid))
648 goto out_double_mount;
650 sbsec->flags |= DEFCONTEXT_MNT;
652 break;
653 default:
654 rc = -EINVAL;
655 goto out;
659 if (sbsec->initialized) {
660 /* previously mounted with options, but not on this attempt? */
661 if (sbsec->flags && !num_opts)
662 goto out_double_mount;
663 rc = 0;
664 goto out;
667 if (strcmp(sb->s_type->name, "proc") == 0)
668 sbsec->proc = 1;
670 /* Determine the labeling behavior to use for this filesystem type. */
671 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
672 if (rc) {
673 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
674 __FUNCTION__, sb->s_type->name, rc);
675 goto out;
678 /* sets the context of the superblock for the fs being mounted. */
679 if (fscontext_sid) {
681 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, tsec);
682 if (rc)
683 goto out;
685 sbsec->sid = fscontext_sid;
689 * Switch to using mount point labeling behavior.
690 * sets the label used on all file below the mountpoint, and will set
691 * the superblock context if not already set.
693 if (context_sid) {
694 if (!fscontext_sid) {
695 rc = may_context_mount_sb_relabel(context_sid, sbsec, tsec);
696 if (rc)
697 goto out;
698 sbsec->sid = context_sid;
699 } else {
700 rc = may_context_mount_inode_relabel(context_sid, sbsec, tsec);
701 if (rc)
702 goto out;
704 if (!rootcontext_sid)
705 rootcontext_sid = context_sid;
707 sbsec->mntpoint_sid = context_sid;
708 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
711 if (rootcontext_sid) {
712 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, tsec);
713 if (rc)
714 goto out;
716 root_isec->sid = rootcontext_sid;
717 root_isec->initialized = 1;
720 if (defcontext_sid) {
721 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
722 rc = -EINVAL;
723 printk(KERN_WARNING "SELinux: defcontext option is "
724 "invalid for this filesystem type\n");
725 goto out;
728 if (defcontext_sid != sbsec->def_sid) {
729 rc = may_context_mount_inode_relabel(defcontext_sid,
730 sbsec, tsec);
731 if (rc)
732 goto out;
735 sbsec->def_sid = defcontext_sid;
738 rc = sb_finish_set_opts(sb);
739 out:
740 mutex_unlock(&sbsec->lock);
741 return rc;
742 out_double_mount:
743 rc = -EINVAL;
744 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
745 "security settings for (dev %s, type %s)\n", sb->s_id, name);
746 goto out;
749 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
750 struct super_block *newsb)
752 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
753 struct superblock_security_struct *newsbsec = newsb->s_security;
755 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
756 int set_context = (oldsbsec->flags & CONTEXT_MNT);
757 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
759 /* we can't error, we can't save the info, this shouldn't get called
760 * this early in the boot process. */
761 BUG_ON(!ss_initialized);
763 /* this might go away sometime down the line if there is a new user
764 * of clone, but for now, nfs better not get here... */
765 BUG_ON(newsbsec->initialized);
767 /* how can we clone if the old one wasn't set up?? */
768 BUG_ON(!oldsbsec->initialized);
770 mutex_lock(&newsbsec->lock);
772 newsbsec->flags = oldsbsec->flags;
774 newsbsec->sid = oldsbsec->sid;
775 newsbsec->def_sid = oldsbsec->def_sid;
776 newsbsec->behavior = oldsbsec->behavior;
778 if (set_context) {
779 u32 sid = oldsbsec->mntpoint_sid;
781 if (!set_fscontext)
782 newsbsec->sid = sid;
783 if (!set_rootcontext) {
784 struct inode *newinode = newsb->s_root->d_inode;
785 struct inode_security_struct *newisec = newinode->i_security;
786 newisec->sid = sid;
788 newsbsec->mntpoint_sid = sid;
790 if (set_rootcontext) {
791 const struct inode *oldinode = oldsb->s_root->d_inode;
792 const struct inode_security_struct *oldisec = oldinode->i_security;
793 struct inode *newinode = newsb->s_root->d_inode;
794 struct inode_security_struct *newisec = newinode->i_security;
796 newisec->sid = oldisec->sid;
799 sb_finish_set_opts(newsb);
800 mutex_unlock(&newsbsec->lock);
803 static int selinux_parse_opts_str(char *options,
804 struct security_mnt_opts *opts)
806 char *p;
807 char *context = NULL, *defcontext = NULL;
808 char *fscontext = NULL, *rootcontext = NULL;
809 int rc, num_mnt_opts = 0;
811 opts->num_mnt_opts = 0;
813 /* Standard string-based options. */
814 while ((p = strsep(&options, "|")) != NULL) {
815 int token;
816 substring_t args[MAX_OPT_ARGS];
818 if (!*p)
819 continue;
821 token = match_token(p, tokens, args);
823 switch (token) {
824 case Opt_context:
825 if (context || defcontext) {
826 rc = -EINVAL;
827 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
828 goto out_err;
830 context = match_strdup(&args[0]);
831 if (!context) {
832 rc = -ENOMEM;
833 goto out_err;
835 break;
837 case Opt_fscontext:
838 if (fscontext) {
839 rc = -EINVAL;
840 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
841 goto out_err;
843 fscontext = match_strdup(&args[0]);
844 if (!fscontext) {
845 rc = -ENOMEM;
846 goto out_err;
848 break;
850 case Opt_rootcontext:
851 if (rootcontext) {
852 rc = -EINVAL;
853 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
854 goto out_err;
856 rootcontext = match_strdup(&args[0]);
857 if (!rootcontext) {
858 rc = -ENOMEM;
859 goto out_err;
861 break;
863 case Opt_defcontext:
864 if (context || defcontext) {
865 rc = -EINVAL;
866 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
867 goto out_err;
869 defcontext = match_strdup(&args[0]);
870 if (!defcontext) {
871 rc = -ENOMEM;
872 goto out_err;
874 break;
876 default:
877 rc = -EINVAL;
878 printk(KERN_WARNING "SELinux: unknown mount option\n");
879 goto out_err;
884 rc = -ENOMEM;
885 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
886 if (!opts->mnt_opts)
887 goto out_err;
889 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
890 if (!opts->mnt_opts_flags) {
891 kfree(opts->mnt_opts);
892 goto out_err;
895 if (fscontext) {
896 opts->mnt_opts[num_mnt_opts] = fscontext;
897 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
899 if (context) {
900 opts->mnt_opts[num_mnt_opts] = context;
901 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
903 if (rootcontext) {
904 opts->mnt_opts[num_mnt_opts] = rootcontext;
905 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
907 if (defcontext) {
908 opts->mnt_opts[num_mnt_opts] = defcontext;
909 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
912 opts->num_mnt_opts = num_mnt_opts;
913 return 0;
915 out_err:
916 kfree(context);
917 kfree(defcontext);
918 kfree(fscontext);
919 kfree(rootcontext);
920 return rc;
923 * string mount options parsing and call set the sbsec
925 static int superblock_doinit(struct super_block *sb, void *data)
927 int rc = 0;
928 char *options = data;
929 struct security_mnt_opts opts;
931 security_init_mnt_opts(&opts);
933 if (!data)
934 goto out;
936 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
938 rc = selinux_parse_opts_str(options, &opts);
939 if (rc)
940 goto out_err;
942 out:
943 rc = selinux_set_mnt_opts(sb, &opts);
945 out_err:
946 security_free_mnt_opts(&opts);
947 return rc;
950 static inline u16 inode_mode_to_security_class(umode_t mode)
952 switch (mode & S_IFMT) {
953 case S_IFSOCK:
954 return SECCLASS_SOCK_FILE;
955 case S_IFLNK:
956 return SECCLASS_LNK_FILE;
957 case S_IFREG:
958 return SECCLASS_FILE;
959 case S_IFBLK:
960 return SECCLASS_BLK_FILE;
961 case S_IFDIR:
962 return SECCLASS_DIR;
963 case S_IFCHR:
964 return SECCLASS_CHR_FILE;
965 case S_IFIFO:
966 return SECCLASS_FIFO_FILE;
970 return SECCLASS_FILE;
973 static inline int default_protocol_stream(int protocol)
975 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
978 static inline int default_protocol_dgram(int protocol)
980 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
983 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
985 switch (family) {
986 case PF_UNIX:
987 switch (type) {
988 case SOCK_STREAM:
989 case SOCK_SEQPACKET:
990 return SECCLASS_UNIX_STREAM_SOCKET;
991 case SOCK_DGRAM:
992 return SECCLASS_UNIX_DGRAM_SOCKET;
994 break;
995 case PF_INET:
996 case PF_INET6:
997 switch (type) {
998 case SOCK_STREAM:
999 if (default_protocol_stream(protocol))
1000 return SECCLASS_TCP_SOCKET;
1001 else
1002 return SECCLASS_RAWIP_SOCKET;
1003 case SOCK_DGRAM:
1004 if (default_protocol_dgram(protocol))
1005 return SECCLASS_UDP_SOCKET;
1006 else
1007 return SECCLASS_RAWIP_SOCKET;
1008 case SOCK_DCCP:
1009 return SECCLASS_DCCP_SOCKET;
1010 default:
1011 return SECCLASS_RAWIP_SOCKET;
1013 break;
1014 case PF_NETLINK:
1015 switch (protocol) {
1016 case NETLINK_ROUTE:
1017 return SECCLASS_NETLINK_ROUTE_SOCKET;
1018 case NETLINK_FIREWALL:
1019 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1020 case NETLINK_INET_DIAG:
1021 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1022 case NETLINK_NFLOG:
1023 return SECCLASS_NETLINK_NFLOG_SOCKET;
1024 case NETLINK_XFRM:
1025 return SECCLASS_NETLINK_XFRM_SOCKET;
1026 case NETLINK_SELINUX:
1027 return SECCLASS_NETLINK_SELINUX_SOCKET;
1028 case NETLINK_AUDIT:
1029 return SECCLASS_NETLINK_AUDIT_SOCKET;
1030 case NETLINK_IP6_FW:
1031 return SECCLASS_NETLINK_IP6FW_SOCKET;
1032 case NETLINK_DNRTMSG:
1033 return SECCLASS_NETLINK_DNRT_SOCKET;
1034 case NETLINK_KOBJECT_UEVENT:
1035 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1036 default:
1037 return SECCLASS_NETLINK_SOCKET;
1039 case PF_PACKET:
1040 return SECCLASS_PACKET_SOCKET;
1041 case PF_KEY:
1042 return SECCLASS_KEY_SOCKET;
1043 case PF_APPLETALK:
1044 return SECCLASS_APPLETALK_SOCKET;
1047 return SECCLASS_SOCKET;
1050 #ifdef CONFIG_PROC_FS
1051 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1052 u16 tclass,
1053 u32 *sid)
1055 int buflen, rc;
1056 char *buffer, *path, *end;
1058 buffer = (char*)__get_free_page(GFP_KERNEL);
1059 if (!buffer)
1060 return -ENOMEM;
1062 buflen = PAGE_SIZE;
1063 end = buffer+buflen;
1064 *--end = '\0';
1065 buflen--;
1066 path = end-1;
1067 *path = '/';
1068 while (de && de != de->parent) {
1069 buflen -= de->namelen + 1;
1070 if (buflen < 0)
1071 break;
1072 end -= de->namelen;
1073 memcpy(end, de->name, de->namelen);
1074 *--end = '/';
1075 path = end;
1076 de = de->parent;
1078 rc = security_genfs_sid("proc", path, tclass, sid);
1079 free_page((unsigned long)buffer);
1080 return rc;
1082 #else
1083 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1084 u16 tclass,
1085 u32 *sid)
1087 return -EINVAL;
1089 #endif
1091 /* The inode's security attributes must be initialized before first use. */
1092 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1094 struct superblock_security_struct *sbsec = NULL;
1095 struct inode_security_struct *isec = inode->i_security;
1096 u32 sid;
1097 struct dentry *dentry;
1098 #define INITCONTEXTLEN 255
1099 char *context = NULL;
1100 unsigned len = 0;
1101 int rc = 0;
1103 if (isec->initialized)
1104 goto out;
1106 mutex_lock(&isec->lock);
1107 if (isec->initialized)
1108 goto out_unlock;
1110 sbsec = inode->i_sb->s_security;
1111 if (!sbsec->initialized) {
1112 /* Defer initialization until selinux_complete_init,
1113 after the initial policy is loaded and the security
1114 server is ready to handle calls. */
1115 spin_lock(&sbsec->isec_lock);
1116 if (list_empty(&isec->list))
1117 list_add(&isec->list, &sbsec->isec_head);
1118 spin_unlock(&sbsec->isec_lock);
1119 goto out_unlock;
1122 switch (sbsec->behavior) {
1123 case SECURITY_FS_USE_XATTR:
1124 if (!inode->i_op->getxattr) {
1125 isec->sid = sbsec->def_sid;
1126 break;
1129 /* Need a dentry, since the xattr API requires one.
1130 Life would be simpler if we could just pass the inode. */
1131 if (opt_dentry) {
1132 /* Called from d_instantiate or d_splice_alias. */
1133 dentry = dget(opt_dentry);
1134 } else {
1135 /* Called from selinux_complete_init, try to find a dentry. */
1136 dentry = d_find_alias(inode);
1138 if (!dentry) {
1139 printk(KERN_WARNING "%s: no dentry for dev=%s "
1140 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
1141 inode->i_ino);
1142 goto out_unlock;
1145 len = INITCONTEXTLEN;
1146 context = kmalloc(len, GFP_KERNEL);
1147 if (!context) {
1148 rc = -ENOMEM;
1149 dput(dentry);
1150 goto out_unlock;
1152 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1153 context, len);
1154 if (rc == -ERANGE) {
1155 /* Need a larger buffer. Query for the right size. */
1156 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1157 NULL, 0);
1158 if (rc < 0) {
1159 dput(dentry);
1160 goto out_unlock;
1162 kfree(context);
1163 len = rc;
1164 context = kmalloc(len, GFP_KERNEL);
1165 if (!context) {
1166 rc = -ENOMEM;
1167 dput(dentry);
1168 goto out_unlock;
1170 rc = inode->i_op->getxattr(dentry,
1171 XATTR_NAME_SELINUX,
1172 context, len);
1174 dput(dentry);
1175 if (rc < 0) {
1176 if (rc != -ENODATA) {
1177 printk(KERN_WARNING "%s: getxattr returned "
1178 "%d for dev=%s ino=%ld\n", __FUNCTION__,
1179 -rc, inode->i_sb->s_id, inode->i_ino);
1180 kfree(context);
1181 goto out_unlock;
1183 /* Map ENODATA to the default file SID */
1184 sid = sbsec->def_sid;
1185 rc = 0;
1186 } else {
1187 rc = security_context_to_sid_default(context, rc, &sid,
1188 sbsec->def_sid);
1189 if (rc) {
1190 printk(KERN_WARNING "%s: context_to_sid(%s) "
1191 "returned %d for dev=%s ino=%ld\n",
1192 __FUNCTION__, context, -rc,
1193 inode->i_sb->s_id, inode->i_ino);
1194 kfree(context);
1195 /* Leave with the unlabeled SID */
1196 rc = 0;
1197 break;
1200 kfree(context);
1201 isec->sid = sid;
1202 break;
1203 case SECURITY_FS_USE_TASK:
1204 isec->sid = isec->task_sid;
1205 break;
1206 case SECURITY_FS_USE_TRANS:
1207 /* Default to the fs SID. */
1208 isec->sid = sbsec->sid;
1210 /* Try to obtain a transition SID. */
1211 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1212 rc = security_transition_sid(isec->task_sid,
1213 sbsec->sid,
1214 isec->sclass,
1215 &sid);
1216 if (rc)
1217 goto out_unlock;
1218 isec->sid = sid;
1219 break;
1220 case SECURITY_FS_USE_MNTPOINT:
1221 isec->sid = sbsec->mntpoint_sid;
1222 break;
1223 default:
1224 /* Default to the fs superblock SID. */
1225 isec->sid = sbsec->sid;
1227 if (sbsec->proc) {
1228 struct proc_inode *proci = PROC_I(inode);
1229 if (proci->pde) {
1230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1231 rc = selinux_proc_get_sid(proci->pde,
1232 isec->sclass,
1233 &sid);
1234 if (rc)
1235 goto out_unlock;
1236 isec->sid = sid;
1239 break;
1242 isec->initialized = 1;
1244 out_unlock:
1245 mutex_unlock(&isec->lock);
1246 out:
1247 if (isec->sclass == SECCLASS_FILE)
1248 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1249 return rc;
1252 /* Convert a Linux signal to an access vector. */
1253 static inline u32 signal_to_av(int sig)
1255 u32 perm = 0;
1257 switch (sig) {
1258 case SIGCHLD:
1259 /* Commonly granted from child to parent. */
1260 perm = PROCESS__SIGCHLD;
1261 break;
1262 case SIGKILL:
1263 /* Cannot be caught or ignored */
1264 perm = PROCESS__SIGKILL;
1265 break;
1266 case SIGSTOP:
1267 /* Cannot be caught or ignored */
1268 perm = PROCESS__SIGSTOP;
1269 break;
1270 default:
1271 /* All other signals. */
1272 perm = PROCESS__SIGNAL;
1273 break;
1276 return perm;
1279 /* Check permission betweeen a pair of tasks, e.g. signal checks,
1280 fork check, ptrace check, etc. */
1281 static int task_has_perm(struct task_struct *tsk1,
1282 struct task_struct *tsk2,
1283 u32 perms)
1285 struct task_security_struct *tsec1, *tsec2;
1287 tsec1 = tsk1->security;
1288 tsec2 = tsk2->security;
1289 return avc_has_perm(tsec1->sid, tsec2->sid,
1290 SECCLASS_PROCESS, perms, NULL);
1293 #if CAP_LAST_CAP > 63
1294 #error Fix SELinux to handle capabilities > 63.
1295 #endif
1297 /* Check whether a task is allowed to use a capability. */
1298 static int task_has_capability(struct task_struct *tsk,
1299 int cap)
1301 struct task_security_struct *tsec;
1302 struct avc_audit_data ad;
1303 u16 sclass;
1304 u32 av = CAP_TO_MASK(cap);
1306 tsec = tsk->security;
1308 AVC_AUDIT_DATA_INIT(&ad,CAP);
1309 ad.tsk = tsk;
1310 ad.u.cap = cap;
1312 switch (CAP_TO_INDEX(cap)) {
1313 case 0:
1314 sclass = SECCLASS_CAPABILITY;
1315 break;
1316 case 1:
1317 sclass = SECCLASS_CAPABILITY2;
1318 break;
1319 default:
1320 printk(KERN_ERR
1321 "SELinux: out of range capability %d\n", cap);
1322 BUG();
1324 return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
1327 /* Check whether a task is allowed to use a system operation. */
1328 static int task_has_system(struct task_struct *tsk,
1329 u32 perms)
1331 struct task_security_struct *tsec;
1333 tsec = tsk->security;
1335 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
1336 SECCLASS_SYSTEM, perms, NULL);
1339 /* Check whether a task has a particular permission to an inode.
1340 The 'adp' parameter is optional and allows other audit
1341 data to be passed (e.g. the dentry). */
1342 static int inode_has_perm(struct task_struct *tsk,
1343 struct inode *inode,
1344 u32 perms,
1345 struct avc_audit_data *adp)
1347 struct task_security_struct *tsec;
1348 struct inode_security_struct *isec;
1349 struct avc_audit_data ad;
1351 if (unlikely (IS_PRIVATE (inode)))
1352 return 0;
1354 tsec = tsk->security;
1355 isec = inode->i_security;
1357 if (!adp) {
1358 adp = &ad;
1359 AVC_AUDIT_DATA_INIT(&ad, FS);
1360 ad.u.fs.inode = inode;
1363 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1366 /* Same as inode_has_perm, but pass explicit audit data containing
1367 the dentry to help the auditing code to more easily generate the
1368 pathname if needed. */
1369 static inline int dentry_has_perm(struct task_struct *tsk,
1370 struct vfsmount *mnt,
1371 struct dentry *dentry,
1372 u32 av)
1374 struct inode *inode = dentry->d_inode;
1375 struct avc_audit_data ad;
1376 AVC_AUDIT_DATA_INIT(&ad,FS);
1377 ad.u.fs.path.mnt = mnt;
1378 ad.u.fs.path.dentry = dentry;
1379 return inode_has_perm(tsk, inode, av, &ad);
1382 /* Check whether a task can use an open file descriptor to
1383 access an inode in a given way. Check access to the
1384 descriptor itself, and then use dentry_has_perm to
1385 check a particular permission to the file.
1386 Access to the descriptor is implicitly granted if it
1387 has the same SID as the process. If av is zero, then
1388 access to the file is not checked, e.g. for cases
1389 where only the descriptor is affected like seek. */
1390 static int file_has_perm(struct task_struct *tsk,
1391 struct file *file,
1392 u32 av)
1394 struct task_security_struct *tsec = tsk->security;
1395 struct file_security_struct *fsec = file->f_security;
1396 struct inode *inode = file->f_path.dentry->d_inode;
1397 struct avc_audit_data ad;
1398 int rc;
1400 AVC_AUDIT_DATA_INIT(&ad, FS);
1401 ad.u.fs.path = file->f_path;
1403 if (tsec->sid != fsec->sid) {
1404 rc = avc_has_perm(tsec->sid, fsec->sid,
1405 SECCLASS_FD,
1406 FD__USE,
1407 &ad);
1408 if (rc)
1409 return rc;
1412 /* av is zero if only checking access to the descriptor. */
1413 if (av)
1414 return inode_has_perm(tsk, inode, av, &ad);
1416 return 0;
1419 /* Check whether a task can create a file. */
1420 static int may_create(struct inode *dir,
1421 struct dentry *dentry,
1422 u16 tclass)
1424 struct task_security_struct *tsec;
1425 struct inode_security_struct *dsec;
1426 struct superblock_security_struct *sbsec;
1427 u32 newsid;
1428 struct avc_audit_data ad;
1429 int rc;
1431 tsec = current->security;
1432 dsec = dir->i_security;
1433 sbsec = dir->i_sb->s_security;
1435 AVC_AUDIT_DATA_INIT(&ad, FS);
1436 ad.u.fs.path.dentry = dentry;
1438 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1439 DIR__ADD_NAME | DIR__SEARCH,
1440 &ad);
1441 if (rc)
1442 return rc;
1444 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1445 newsid = tsec->create_sid;
1446 } else {
1447 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1448 &newsid);
1449 if (rc)
1450 return rc;
1453 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1454 if (rc)
1455 return rc;
1457 return avc_has_perm(newsid, sbsec->sid,
1458 SECCLASS_FILESYSTEM,
1459 FILESYSTEM__ASSOCIATE, &ad);
1462 /* Check whether a task can create a key. */
1463 static int may_create_key(u32 ksid,
1464 struct task_struct *ctx)
1466 struct task_security_struct *tsec;
1468 tsec = ctx->security;
1470 return avc_has_perm(tsec->sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1473 #define MAY_LINK 0
1474 #define MAY_UNLINK 1
1475 #define MAY_RMDIR 2
1477 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1478 static int may_link(struct inode *dir,
1479 struct dentry *dentry,
1480 int kind)
1483 struct task_security_struct *tsec;
1484 struct inode_security_struct *dsec, *isec;
1485 struct avc_audit_data ad;
1486 u32 av;
1487 int rc;
1489 tsec = current->security;
1490 dsec = dir->i_security;
1491 isec = dentry->d_inode->i_security;
1493 AVC_AUDIT_DATA_INIT(&ad, FS);
1494 ad.u.fs.path.dentry = dentry;
1496 av = DIR__SEARCH;
1497 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1498 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1499 if (rc)
1500 return rc;
1502 switch (kind) {
1503 case MAY_LINK:
1504 av = FILE__LINK;
1505 break;
1506 case MAY_UNLINK:
1507 av = FILE__UNLINK;
1508 break;
1509 case MAY_RMDIR:
1510 av = DIR__RMDIR;
1511 break;
1512 default:
1513 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1514 return 0;
1517 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1518 return rc;
1521 static inline int may_rename(struct inode *old_dir,
1522 struct dentry *old_dentry,
1523 struct inode *new_dir,
1524 struct dentry *new_dentry)
1526 struct task_security_struct *tsec;
1527 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1528 struct avc_audit_data ad;
1529 u32 av;
1530 int old_is_dir, new_is_dir;
1531 int rc;
1533 tsec = current->security;
1534 old_dsec = old_dir->i_security;
1535 old_isec = old_dentry->d_inode->i_security;
1536 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1537 new_dsec = new_dir->i_security;
1539 AVC_AUDIT_DATA_INIT(&ad, FS);
1541 ad.u.fs.path.dentry = old_dentry;
1542 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1543 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1544 if (rc)
1545 return rc;
1546 rc = avc_has_perm(tsec->sid, old_isec->sid,
1547 old_isec->sclass, FILE__RENAME, &ad);
1548 if (rc)
1549 return rc;
1550 if (old_is_dir && new_dir != old_dir) {
1551 rc = avc_has_perm(tsec->sid, old_isec->sid,
1552 old_isec->sclass, DIR__REPARENT, &ad);
1553 if (rc)
1554 return rc;
1557 ad.u.fs.path.dentry = new_dentry;
1558 av = DIR__ADD_NAME | DIR__SEARCH;
1559 if (new_dentry->d_inode)
1560 av |= DIR__REMOVE_NAME;
1561 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1562 if (rc)
1563 return rc;
1564 if (new_dentry->d_inode) {
1565 new_isec = new_dentry->d_inode->i_security;
1566 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1567 rc = avc_has_perm(tsec->sid, new_isec->sid,
1568 new_isec->sclass,
1569 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1570 if (rc)
1571 return rc;
1574 return 0;
1577 /* Check whether a task can perform a filesystem operation. */
1578 static int superblock_has_perm(struct task_struct *tsk,
1579 struct super_block *sb,
1580 u32 perms,
1581 struct avc_audit_data *ad)
1583 struct task_security_struct *tsec;
1584 struct superblock_security_struct *sbsec;
1586 tsec = tsk->security;
1587 sbsec = sb->s_security;
1588 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1589 perms, ad);
1592 /* Convert a Linux mode and permission mask to an access vector. */
1593 static inline u32 file_mask_to_av(int mode, int mask)
1595 u32 av = 0;
1597 if ((mode & S_IFMT) != S_IFDIR) {
1598 if (mask & MAY_EXEC)
1599 av |= FILE__EXECUTE;
1600 if (mask & MAY_READ)
1601 av |= FILE__READ;
1603 if (mask & MAY_APPEND)
1604 av |= FILE__APPEND;
1605 else if (mask & MAY_WRITE)
1606 av |= FILE__WRITE;
1608 } else {
1609 if (mask & MAY_EXEC)
1610 av |= DIR__SEARCH;
1611 if (mask & MAY_WRITE)
1612 av |= DIR__WRITE;
1613 if (mask & MAY_READ)
1614 av |= DIR__READ;
1617 return av;
1620 /* Convert a Linux file to an access vector. */
1621 static inline u32 file_to_av(struct file *file)
1623 u32 av = 0;
1625 if (file->f_mode & FMODE_READ)
1626 av |= FILE__READ;
1627 if (file->f_mode & FMODE_WRITE) {
1628 if (file->f_flags & O_APPEND)
1629 av |= FILE__APPEND;
1630 else
1631 av |= FILE__WRITE;
1633 if (!av) {
1635 * Special file opened with flags 3 for ioctl-only use.
1637 av = FILE__IOCTL;
1640 return av;
1643 /* Hook functions begin here. */
1645 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1647 struct task_security_struct *psec = parent->security;
1648 struct task_security_struct *csec = child->security;
1649 int rc;
1651 rc = secondary_ops->ptrace(parent,child);
1652 if (rc)
1653 return rc;
1655 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1656 /* Save the SID of the tracing process for later use in apply_creds. */
1657 if (!(child->ptrace & PT_PTRACED) && !rc)
1658 csec->ptrace_sid = psec->sid;
1659 return rc;
1662 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1663 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1665 int error;
1667 error = task_has_perm(current, target, PROCESS__GETCAP);
1668 if (error)
1669 return error;
1671 return secondary_ops->capget(target, effective, inheritable, permitted);
1674 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1675 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1677 int error;
1679 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1680 if (error)
1681 return error;
1683 return task_has_perm(current, target, PROCESS__SETCAP);
1686 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1687 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1689 secondary_ops->capset_set(target, effective, inheritable, permitted);
1692 static int selinux_capable(struct task_struct *tsk, int cap)
1694 int rc;
1696 rc = secondary_ops->capable(tsk, cap);
1697 if (rc)
1698 return rc;
1700 return task_has_capability(tsk,cap);
1703 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1705 int buflen, rc;
1706 char *buffer, *path, *end;
1708 rc = -ENOMEM;
1709 buffer = (char*)__get_free_page(GFP_KERNEL);
1710 if (!buffer)
1711 goto out;
1713 buflen = PAGE_SIZE;
1714 end = buffer+buflen;
1715 *--end = '\0';
1716 buflen--;
1717 path = end-1;
1718 *path = '/';
1719 while (table) {
1720 const char *name = table->procname;
1721 size_t namelen = strlen(name);
1722 buflen -= namelen + 1;
1723 if (buflen < 0)
1724 goto out_free;
1725 end -= namelen;
1726 memcpy(end, name, namelen);
1727 *--end = '/';
1728 path = end;
1729 table = table->parent;
1731 buflen -= 4;
1732 if (buflen < 0)
1733 goto out_free;
1734 end -= 4;
1735 memcpy(end, "/sys", 4);
1736 path = end;
1737 rc = security_genfs_sid("proc", path, tclass, sid);
1738 out_free:
1739 free_page((unsigned long)buffer);
1740 out:
1741 return rc;
1744 static int selinux_sysctl(ctl_table *table, int op)
1746 int error = 0;
1747 u32 av;
1748 struct task_security_struct *tsec;
1749 u32 tsid;
1750 int rc;
1752 rc = secondary_ops->sysctl(table, op);
1753 if (rc)
1754 return rc;
1756 tsec = current->security;
1758 rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1759 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1760 if (rc) {
1761 /* Default to the well-defined sysctl SID. */
1762 tsid = SECINITSID_SYSCTL;
1765 /* The op values are "defined" in sysctl.c, thereby creating
1766 * a bad coupling between this module and sysctl.c */
1767 if(op == 001) {
1768 error = avc_has_perm(tsec->sid, tsid,
1769 SECCLASS_DIR, DIR__SEARCH, NULL);
1770 } else {
1771 av = 0;
1772 if (op & 004)
1773 av |= FILE__READ;
1774 if (op & 002)
1775 av |= FILE__WRITE;
1776 if (av)
1777 error = avc_has_perm(tsec->sid, tsid,
1778 SECCLASS_FILE, av, NULL);
1781 return error;
1784 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1786 int rc = 0;
1788 if (!sb)
1789 return 0;
1791 switch (cmds) {
1792 case Q_SYNC:
1793 case Q_QUOTAON:
1794 case Q_QUOTAOFF:
1795 case Q_SETINFO:
1796 case Q_SETQUOTA:
1797 rc = superblock_has_perm(current,
1799 FILESYSTEM__QUOTAMOD, NULL);
1800 break;
1801 case Q_GETFMT:
1802 case Q_GETINFO:
1803 case Q_GETQUOTA:
1804 rc = superblock_has_perm(current,
1806 FILESYSTEM__QUOTAGET, NULL);
1807 break;
1808 default:
1809 rc = 0; /* let the kernel handle invalid cmds */
1810 break;
1812 return rc;
1815 static int selinux_quota_on(struct dentry *dentry)
1817 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1820 static int selinux_syslog(int type)
1822 int rc;
1824 rc = secondary_ops->syslog(type);
1825 if (rc)
1826 return rc;
1828 switch (type) {
1829 case 3: /* Read last kernel messages */
1830 case 10: /* Return size of the log buffer */
1831 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1832 break;
1833 case 6: /* Disable logging to console */
1834 case 7: /* Enable logging to console */
1835 case 8: /* Set level of messages printed to console */
1836 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1837 break;
1838 case 0: /* Close log */
1839 case 1: /* Open log */
1840 case 2: /* Read from log */
1841 case 4: /* Read/clear last kernel messages */
1842 case 5: /* Clear ring buffer */
1843 default:
1844 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1845 break;
1847 return rc;
1851 * Check that a process has enough memory to allocate a new virtual
1852 * mapping. 0 means there is enough memory for the allocation to
1853 * succeed and -ENOMEM implies there is not.
1855 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1856 * if the capability is granted, but __vm_enough_memory requires 1 if
1857 * the capability is granted.
1859 * Do not audit the selinux permission check, as this is applied to all
1860 * processes that allocate mappings.
1862 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1864 int rc, cap_sys_admin = 0;
1865 struct task_security_struct *tsec = current->security;
1867 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1868 if (rc == 0)
1869 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1870 SECCLASS_CAPABILITY,
1871 CAP_TO_MASK(CAP_SYS_ADMIN),
1873 NULL);
1875 if (rc == 0)
1876 cap_sys_admin = 1;
1878 return __vm_enough_memory(mm, pages, cap_sys_admin);
1881 /* binprm security operations */
1883 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1885 struct bprm_security_struct *bsec;
1887 bsec = kzalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1888 if (!bsec)
1889 return -ENOMEM;
1891 bsec->bprm = bprm;
1892 bsec->sid = SECINITSID_UNLABELED;
1893 bsec->set = 0;
1895 bprm->security = bsec;
1896 return 0;
1899 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1901 struct task_security_struct *tsec;
1902 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1903 struct inode_security_struct *isec;
1904 struct bprm_security_struct *bsec;
1905 u32 newsid;
1906 struct avc_audit_data ad;
1907 int rc;
1909 rc = secondary_ops->bprm_set_security(bprm);
1910 if (rc)
1911 return rc;
1913 bsec = bprm->security;
1915 if (bsec->set)
1916 return 0;
1918 tsec = current->security;
1919 isec = inode->i_security;
1921 /* Default to the current task SID. */
1922 bsec->sid = tsec->sid;
1924 /* Reset fs, key, and sock SIDs on execve. */
1925 tsec->create_sid = 0;
1926 tsec->keycreate_sid = 0;
1927 tsec->sockcreate_sid = 0;
1929 if (tsec->exec_sid) {
1930 newsid = tsec->exec_sid;
1931 /* Reset exec SID on execve. */
1932 tsec->exec_sid = 0;
1933 } else {
1934 /* Check for a default transition on this program. */
1935 rc = security_transition_sid(tsec->sid, isec->sid,
1936 SECCLASS_PROCESS, &newsid);
1937 if (rc)
1938 return rc;
1941 AVC_AUDIT_DATA_INIT(&ad, FS);
1942 ad.u.fs.path = bprm->file->f_path;
1944 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
1945 newsid = tsec->sid;
1947 if (tsec->sid == newsid) {
1948 rc = avc_has_perm(tsec->sid, isec->sid,
1949 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1950 if (rc)
1951 return rc;
1952 } else {
1953 /* Check permissions for the transition. */
1954 rc = avc_has_perm(tsec->sid, newsid,
1955 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1956 if (rc)
1957 return rc;
1959 rc = avc_has_perm(newsid, isec->sid,
1960 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1961 if (rc)
1962 return rc;
1964 /* Clear any possibly unsafe personality bits on exec: */
1965 current->personality &= ~PER_CLEAR_ON_SETID;
1967 /* Set the security field to the new SID. */
1968 bsec->sid = newsid;
1971 bsec->set = 1;
1972 return 0;
1975 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1977 return secondary_ops->bprm_check_security(bprm);
1981 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1983 struct task_security_struct *tsec = current->security;
1984 int atsecure = 0;
1986 if (tsec->osid != tsec->sid) {
1987 /* Enable secure mode for SIDs transitions unless
1988 the noatsecure permission is granted between
1989 the two SIDs, i.e. ahp returns 0. */
1990 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1991 SECCLASS_PROCESS,
1992 PROCESS__NOATSECURE, NULL);
1995 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1998 static void selinux_bprm_free_security(struct linux_binprm *bprm)
2000 kfree(bprm->security);
2001 bprm->security = NULL;
2004 extern struct vfsmount *selinuxfs_mount;
2005 extern struct dentry *selinux_null;
2007 /* Derived from fs/exec.c:flush_old_files. */
2008 static inline void flush_unauthorized_files(struct files_struct * files)
2010 struct avc_audit_data ad;
2011 struct file *file, *devnull = NULL;
2012 struct tty_struct *tty;
2013 struct fdtable *fdt;
2014 long j = -1;
2015 int drop_tty = 0;
2017 mutex_lock(&tty_mutex);
2018 tty = get_current_tty();
2019 if (tty) {
2020 file_list_lock();
2021 file = list_entry(tty->tty_files.next, typeof(*file), f_u.fu_list);
2022 if (file) {
2023 /* Revalidate access to controlling tty.
2024 Use inode_has_perm on the tty inode directly rather
2025 than using file_has_perm, as this particular open
2026 file may belong to another process and we are only
2027 interested in the inode-based check here. */
2028 struct inode *inode = file->f_path.dentry->d_inode;
2029 if (inode_has_perm(current, inode,
2030 FILE__READ | FILE__WRITE, NULL)) {
2031 drop_tty = 1;
2034 file_list_unlock();
2036 mutex_unlock(&tty_mutex);
2037 /* Reset controlling tty. */
2038 if (drop_tty)
2039 no_tty();
2041 /* Revalidate access to inherited open files. */
2043 AVC_AUDIT_DATA_INIT(&ad,FS);
2045 spin_lock(&files->file_lock);
2046 for (;;) {
2047 unsigned long set, i;
2048 int fd;
2050 j++;
2051 i = j * __NFDBITS;
2052 fdt = files_fdtable(files);
2053 if (i >= fdt->max_fds)
2054 break;
2055 set = fdt->open_fds->fds_bits[j];
2056 if (!set)
2057 continue;
2058 spin_unlock(&files->file_lock);
2059 for ( ; set ; i++,set >>= 1) {
2060 if (set & 1) {
2061 file = fget(i);
2062 if (!file)
2063 continue;
2064 if (file_has_perm(current,
2065 file,
2066 file_to_av(file))) {
2067 sys_close(i);
2068 fd = get_unused_fd();
2069 if (fd != i) {
2070 if (fd >= 0)
2071 put_unused_fd(fd);
2072 fput(file);
2073 continue;
2075 if (devnull) {
2076 get_file(devnull);
2077 } else {
2078 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
2079 if (IS_ERR(devnull)) {
2080 devnull = NULL;
2081 put_unused_fd(fd);
2082 fput(file);
2083 continue;
2086 fd_install(fd, devnull);
2088 fput(file);
2091 spin_lock(&files->file_lock);
2094 spin_unlock(&files->file_lock);
2097 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
2099 struct task_security_struct *tsec;
2100 struct bprm_security_struct *bsec;
2101 u32 sid;
2102 int rc;
2104 secondary_ops->bprm_apply_creds(bprm, unsafe);
2106 tsec = current->security;
2108 bsec = bprm->security;
2109 sid = bsec->sid;
2111 tsec->osid = tsec->sid;
2112 bsec->unsafe = 0;
2113 if (tsec->sid != sid) {
2114 /* Check for shared state. If not ok, leave SID
2115 unchanged and kill. */
2116 if (unsafe & LSM_UNSAFE_SHARE) {
2117 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
2118 PROCESS__SHARE, NULL);
2119 if (rc) {
2120 bsec->unsafe = 1;
2121 return;
2125 /* Check for ptracing, and update the task SID if ok.
2126 Otherwise, leave SID unchanged and kill. */
2127 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2128 rc = avc_has_perm(tsec->ptrace_sid, sid,
2129 SECCLASS_PROCESS, PROCESS__PTRACE,
2130 NULL);
2131 if (rc) {
2132 bsec->unsafe = 1;
2133 return;
2136 tsec->sid = sid;
2141 * called after apply_creds without the task lock held
2143 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
2145 struct task_security_struct *tsec;
2146 struct rlimit *rlim, *initrlim;
2147 struct itimerval itimer;
2148 struct bprm_security_struct *bsec;
2149 int rc, i;
2151 tsec = current->security;
2152 bsec = bprm->security;
2154 if (bsec->unsafe) {
2155 force_sig_specific(SIGKILL, current);
2156 return;
2158 if (tsec->osid == tsec->sid)
2159 return;
2161 /* Close files for which the new task SID is not authorized. */
2162 flush_unauthorized_files(current->files);
2164 /* Check whether the new SID can inherit signal state
2165 from the old SID. If not, clear itimers to avoid
2166 subsequent signal generation and flush and unblock
2167 signals. This must occur _after_ the task SID has
2168 been updated so that any kill done after the flush
2169 will be checked against the new SID. */
2170 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2171 PROCESS__SIGINH, NULL);
2172 if (rc) {
2173 memset(&itimer, 0, sizeof itimer);
2174 for (i = 0; i < 3; i++)
2175 do_setitimer(i, &itimer, NULL);
2176 flush_signals(current);
2177 spin_lock_irq(&current->sighand->siglock);
2178 flush_signal_handlers(current, 1);
2179 sigemptyset(&current->blocked);
2180 recalc_sigpending();
2181 spin_unlock_irq(&current->sighand->siglock);
2184 /* Always clear parent death signal on SID transitions. */
2185 current->pdeath_signal = 0;
2187 /* Check whether the new SID can inherit resource limits
2188 from the old SID. If not, reset all soft limits to
2189 the lower of the current task's hard limit and the init
2190 task's soft limit. Note that the setting of hard limits
2191 (even to lower them) can be controlled by the setrlimit
2192 check. The inclusion of the init task's soft limit into
2193 the computation is to avoid resetting soft limits higher
2194 than the default soft limit for cases where the default
2195 is lower than the hard limit, e.g. RLIMIT_CORE or
2196 RLIMIT_STACK.*/
2197 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
2198 PROCESS__RLIMITINH, NULL);
2199 if (rc) {
2200 for (i = 0; i < RLIM_NLIMITS; i++) {
2201 rlim = current->signal->rlim + i;
2202 initrlim = init_task.signal->rlim+i;
2203 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
2205 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
2207 * This will cause RLIMIT_CPU calculations
2208 * to be refigured.
2210 current->it_prof_expires = jiffies_to_cputime(1);
2214 /* Wake up the parent if it is waiting so that it can
2215 recheck wait permission to the new task SID. */
2216 wake_up_interruptible(&current->parent->signal->wait_chldexit);
2219 /* superblock security operations */
2221 static int selinux_sb_alloc_security(struct super_block *sb)
2223 return superblock_alloc_security(sb);
2226 static void selinux_sb_free_security(struct super_block *sb)
2228 superblock_free_security(sb);
2231 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2233 if (plen > olen)
2234 return 0;
2236 return !memcmp(prefix, option, plen);
2239 static inline int selinux_option(char *option, int len)
2241 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
2242 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
2243 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len) ||
2244 match_prefix("rootcontext=", sizeof("rootcontext=")-1, option, len));
2247 static inline void take_option(char **to, char *from, int *first, int len)
2249 if (!*first) {
2250 **to = ',';
2251 *to += 1;
2252 } else
2253 *first = 0;
2254 memcpy(*to, from, len);
2255 *to += len;
2258 static inline void take_selinux_option(char **to, char *from, int *first,
2259 int len)
2261 int current_size = 0;
2263 if (!*first) {
2264 **to = '|';
2265 *to += 1;
2267 else
2268 *first = 0;
2270 while (current_size < len) {
2271 if (*from != '"') {
2272 **to = *from;
2273 *to += 1;
2275 from += 1;
2276 current_size += 1;
2280 static int selinux_sb_copy_data(char *orig, char *copy)
2282 int fnosec, fsec, rc = 0;
2283 char *in_save, *in_curr, *in_end;
2284 char *sec_curr, *nosec_save, *nosec;
2285 int open_quote = 0;
2287 in_curr = orig;
2288 sec_curr = copy;
2290 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2291 if (!nosec) {
2292 rc = -ENOMEM;
2293 goto out;
2296 nosec_save = nosec;
2297 fnosec = fsec = 1;
2298 in_save = in_end = orig;
2300 do {
2301 if (*in_end == '"')
2302 open_quote = !open_quote;
2303 if ((*in_end == ',' && open_quote == 0) ||
2304 *in_end == '\0') {
2305 int len = in_end - in_curr;
2307 if (selinux_option(in_curr, len))
2308 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2309 else
2310 take_option(&nosec, in_curr, &fnosec, len);
2312 in_curr = in_end + 1;
2314 } while (*in_end++);
2316 strcpy(in_save, nosec_save);
2317 free_page((unsigned long)nosec_save);
2318 out:
2319 return rc;
2322 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
2324 struct avc_audit_data ad;
2325 int rc;
2327 rc = superblock_doinit(sb, data);
2328 if (rc)
2329 return rc;
2331 AVC_AUDIT_DATA_INIT(&ad,FS);
2332 ad.u.fs.path.dentry = sb->s_root;
2333 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
2336 static int selinux_sb_statfs(struct dentry *dentry)
2338 struct avc_audit_data ad;
2340 AVC_AUDIT_DATA_INIT(&ad,FS);
2341 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2342 return superblock_has_perm(current, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2345 static int selinux_mount(char * dev_name,
2346 struct nameidata *nd,
2347 char * type,
2348 unsigned long flags,
2349 void * data)
2351 int rc;
2353 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
2354 if (rc)
2355 return rc;
2357 if (flags & MS_REMOUNT)
2358 return superblock_has_perm(current, nd->path.mnt->mnt_sb,
2359 FILESYSTEM__REMOUNT, NULL);
2360 else
2361 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry,
2362 FILE__MOUNTON);
2365 static int selinux_umount(struct vfsmount *mnt, int flags)
2367 int rc;
2369 rc = secondary_ops->sb_umount(mnt, flags);
2370 if (rc)
2371 return rc;
2373 return superblock_has_perm(current,mnt->mnt_sb,
2374 FILESYSTEM__UNMOUNT,NULL);
2377 /* inode security operations */
2379 static int selinux_inode_alloc_security(struct inode *inode)
2381 return inode_alloc_security(inode);
2384 static void selinux_inode_free_security(struct inode *inode)
2386 inode_free_security(inode);
2389 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2390 char **name, void **value,
2391 size_t *len)
2393 struct task_security_struct *tsec;
2394 struct inode_security_struct *dsec;
2395 struct superblock_security_struct *sbsec;
2396 u32 newsid, clen;
2397 int rc;
2398 char *namep = NULL, *context;
2400 tsec = current->security;
2401 dsec = dir->i_security;
2402 sbsec = dir->i_sb->s_security;
2404 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
2405 newsid = tsec->create_sid;
2406 } else {
2407 rc = security_transition_sid(tsec->sid, dsec->sid,
2408 inode_mode_to_security_class(inode->i_mode),
2409 &newsid);
2410 if (rc) {
2411 printk(KERN_WARNING "%s: "
2412 "security_transition_sid failed, rc=%d (dev=%s "
2413 "ino=%ld)\n",
2414 __FUNCTION__,
2415 -rc, inode->i_sb->s_id, inode->i_ino);
2416 return rc;
2420 /* Possibly defer initialization to selinux_complete_init. */
2421 if (sbsec->initialized) {
2422 struct inode_security_struct *isec = inode->i_security;
2423 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2424 isec->sid = newsid;
2425 isec->initialized = 1;
2428 if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2429 return -EOPNOTSUPP;
2431 if (name) {
2432 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2433 if (!namep)
2434 return -ENOMEM;
2435 *name = namep;
2438 if (value && len) {
2439 rc = security_sid_to_context(newsid, &context, &clen);
2440 if (rc) {
2441 kfree(namep);
2442 return rc;
2444 *value = context;
2445 *len = clen;
2448 return 0;
2451 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2453 return may_create(dir, dentry, SECCLASS_FILE);
2456 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2458 int rc;
2460 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2461 if (rc)
2462 return rc;
2463 return may_link(dir, old_dentry, MAY_LINK);
2466 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2468 int rc;
2470 rc = secondary_ops->inode_unlink(dir, dentry);
2471 if (rc)
2472 return rc;
2473 return may_link(dir, dentry, MAY_UNLINK);
2476 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2478 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2481 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2483 return may_create(dir, dentry, SECCLASS_DIR);
2486 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2488 return may_link(dir, dentry, MAY_RMDIR);
2491 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2493 int rc;
2495 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2496 if (rc)
2497 return rc;
2499 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2502 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2503 struct inode *new_inode, struct dentry *new_dentry)
2505 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2508 static int selinux_inode_readlink(struct dentry *dentry)
2510 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2513 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2515 int rc;
2517 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2518 if (rc)
2519 return rc;
2520 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2523 static int selinux_inode_permission(struct inode *inode, int mask,
2524 struct nameidata *nd)
2526 int rc;
2528 rc = secondary_ops->inode_permission(inode, mask, nd);
2529 if (rc)
2530 return rc;
2532 if (!mask) {
2533 /* No permission to check. Existence test. */
2534 return 0;
2537 return inode_has_perm(current, inode,
2538 file_mask_to_av(inode->i_mode, mask), NULL);
2541 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2543 int rc;
2545 rc = secondary_ops->inode_setattr(dentry, iattr);
2546 if (rc)
2547 return rc;
2549 if (iattr->ia_valid & ATTR_FORCE)
2550 return 0;
2552 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2553 ATTR_ATIME_SET | ATTR_MTIME_SET))
2554 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2556 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2559 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2561 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2564 static int selinux_inode_setotherxattr(struct dentry *dentry, char *name)
2566 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2567 sizeof XATTR_SECURITY_PREFIX - 1)) {
2568 if (!strcmp(name, XATTR_NAME_CAPS)) {
2569 if (!capable(CAP_SETFCAP))
2570 return -EPERM;
2571 } else if (!capable(CAP_SYS_ADMIN)) {
2572 /* A different attribute in the security namespace.
2573 Restrict to administrator. */
2574 return -EPERM;
2578 /* Not an attribute we recognize, so just check the
2579 ordinary setattr permission. */
2580 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2583 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2585 struct task_security_struct *tsec = current->security;
2586 struct inode *inode = dentry->d_inode;
2587 struct inode_security_struct *isec = inode->i_security;
2588 struct superblock_security_struct *sbsec;
2589 struct avc_audit_data ad;
2590 u32 newsid;
2591 int rc = 0;
2593 if (strcmp(name, XATTR_NAME_SELINUX))
2594 return selinux_inode_setotherxattr(dentry, name);
2596 sbsec = inode->i_sb->s_security;
2597 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2598 return -EOPNOTSUPP;
2600 if (!is_owner_or_cap(inode))
2601 return -EPERM;
2603 AVC_AUDIT_DATA_INIT(&ad,FS);
2604 ad.u.fs.path.dentry = dentry;
2606 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2607 FILE__RELABELFROM, &ad);
2608 if (rc)
2609 return rc;
2611 rc = security_context_to_sid(value, size, &newsid);
2612 if (rc)
2613 return rc;
2615 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2616 FILE__RELABELTO, &ad);
2617 if (rc)
2618 return rc;
2620 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2621 isec->sclass);
2622 if (rc)
2623 return rc;
2625 return avc_has_perm(newsid,
2626 sbsec->sid,
2627 SECCLASS_FILESYSTEM,
2628 FILESYSTEM__ASSOCIATE,
2629 &ad);
2632 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2633 void *value, size_t size, int flags)
2635 struct inode *inode = dentry->d_inode;
2636 struct inode_security_struct *isec = inode->i_security;
2637 u32 newsid;
2638 int rc;
2640 if (strcmp(name, XATTR_NAME_SELINUX)) {
2641 /* Not an attribute we recognize, so nothing to do. */
2642 return;
2645 rc = security_context_to_sid(value, size, &newsid);
2646 if (rc) {
2647 printk(KERN_WARNING "%s: unable to obtain SID for context "
2648 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2649 return;
2652 isec->sid = newsid;
2653 return;
2656 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2658 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2661 static int selinux_inode_listxattr (struct dentry *dentry)
2663 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2666 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2668 if (strcmp(name, XATTR_NAME_SELINUX))
2669 return selinux_inode_setotherxattr(dentry, name);
2671 /* No one is allowed to remove a SELinux security label.
2672 You can change the label, but all data must be labeled. */
2673 return -EACCES;
2677 * Copy the in-core inode security context value to the user. If the
2678 * getxattr() prior to this succeeded, check to see if we need to
2679 * canonicalize the value to be finally returned to the user.
2681 * Permission check is handled by selinux_inode_getxattr hook.
2683 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2685 u32 size;
2686 int error;
2687 char *context = NULL;
2688 struct inode_security_struct *isec = inode->i_security;
2690 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2691 return -EOPNOTSUPP;
2693 error = security_sid_to_context(isec->sid, &context, &size);
2694 if (error)
2695 return error;
2696 error = size;
2697 if (alloc) {
2698 *buffer = context;
2699 goto out_nofree;
2701 kfree(context);
2702 out_nofree:
2703 return error;
2706 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2707 const void *value, size_t size, int flags)
2709 struct inode_security_struct *isec = inode->i_security;
2710 u32 newsid;
2711 int rc;
2713 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2714 return -EOPNOTSUPP;
2716 if (!value || !size)
2717 return -EACCES;
2719 rc = security_context_to_sid((void*)value, size, &newsid);
2720 if (rc)
2721 return rc;
2723 isec->sid = newsid;
2724 return 0;
2727 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2729 const int len = sizeof(XATTR_NAME_SELINUX);
2730 if (buffer && len <= buffer_size)
2731 memcpy(buffer, XATTR_NAME_SELINUX, len);
2732 return len;
2735 static int selinux_inode_need_killpriv(struct dentry *dentry)
2737 return secondary_ops->inode_need_killpriv(dentry);
2740 static int selinux_inode_killpriv(struct dentry *dentry)
2742 return secondary_ops->inode_killpriv(dentry);
2745 /* file security operations */
2747 static int selinux_revalidate_file_permission(struct file *file, int mask)
2749 int rc;
2750 struct inode *inode = file->f_path.dentry->d_inode;
2752 if (!mask) {
2753 /* No permission to check. Existence test. */
2754 return 0;
2757 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2758 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2759 mask |= MAY_APPEND;
2761 rc = file_has_perm(current, file,
2762 file_mask_to_av(inode->i_mode, mask));
2763 if (rc)
2764 return rc;
2766 return selinux_netlbl_inode_permission(inode, mask);
2769 static int selinux_file_permission(struct file *file, int mask)
2771 struct inode *inode = file->f_path.dentry->d_inode;
2772 struct task_security_struct *tsec = current->security;
2773 struct file_security_struct *fsec = file->f_security;
2774 struct inode_security_struct *isec = inode->i_security;
2776 if (!mask) {
2777 /* No permission to check. Existence test. */
2778 return 0;
2781 if (tsec->sid == fsec->sid && fsec->isid == isec->sid
2782 && fsec->pseqno == avc_policy_seqno())
2783 return selinux_netlbl_inode_permission(inode, mask);
2785 return selinux_revalidate_file_permission(file, mask);
2788 static int selinux_file_alloc_security(struct file *file)
2790 return file_alloc_security(file);
2793 static void selinux_file_free_security(struct file *file)
2795 file_free_security(file);
2798 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2799 unsigned long arg)
2801 int error = 0;
2803 switch (cmd) {
2804 case FIONREAD:
2805 /* fall through */
2806 case FIBMAP:
2807 /* fall through */
2808 case FIGETBSZ:
2809 /* fall through */
2810 case EXT2_IOC_GETFLAGS:
2811 /* fall through */
2812 case EXT2_IOC_GETVERSION:
2813 error = file_has_perm(current, file, FILE__GETATTR);
2814 break;
2816 case EXT2_IOC_SETFLAGS:
2817 /* fall through */
2818 case EXT2_IOC_SETVERSION:
2819 error = file_has_perm(current, file, FILE__SETATTR);
2820 break;
2822 /* sys_ioctl() checks */
2823 case FIONBIO:
2824 /* fall through */
2825 case FIOASYNC:
2826 error = file_has_perm(current, file, 0);
2827 break;
2829 case KDSKBENT:
2830 case KDSKBSENT:
2831 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2832 break;
2834 /* default case assumes that the command will go
2835 * to the file's ioctl() function.
2837 default:
2838 error = file_has_perm(current, file, FILE__IOCTL);
2841 return error;
2844 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2846 #ifndef CONFIG_PPC32
2847 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2849 * We are making executable an anonymous mapping or a
2850 * private file mapping that will also be writable.
2851 * This has an additional check.
2853 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2854 if (rc)
2855 return rc;
2857 #endif
2859 if (file) {
2860 /* read access is always possible with a mapping */
2861 u32 av = FILE__READ;
2863 /* write access only matters if the mapping is shared */
2864 if (shared && (prot & PROT_WRITE))
2865 av |= FILE__WRITE;
2867 if (prot & PROT_EXEC)
2868 av |= FILE__EXECUTE;
2870 return file_has_perm(current, file, av);
2872 return 0;
2875 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2876 unsigned long prot, unsigned long flags,
2877 unsigned long addr, unsigned long addr_only)
2879 int rc = 0;
2880 u32 sid = ((struct task_security_struct*)(current->security))->sid;
2882 if (addr < mmap_min_addr)
2883 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
2884 MEMPROTECT__MMAP_ZERO, NULL);
2885 if (rc || addr_only)
2886 return rc;
2888 if (selinux_checkreqprot)
2889 prot = reqprot;
2891 return file_map_prot_check(file, prot,
2892 (flags & MAP_TYPE) == MAP_SHARED);
2895 static int selinux_file_mprotect(struct vm_area_struct *vma,
2896 unsigned long reqprot,
2897 unsigned long prot)
2899 int rc;
2901 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2902 if (rc)
2903 return rc;
2905 if (selinux_checkreqprot)
2906 prot = reqprot;
2908 #ifndef CONFIG_PPC32
2909 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
2910 rc = 0;
2911 if (vma->vm_start >= vma->vm_mm->start_brk &&
2912 vma->vm_end <= vma->vm_mm->brk) {
2913 rc = task_has_perm(current, current,
2914 PROCESS__EXECHEAP);
2915 } else if (!vma->vm_file &&
2916 vma->vm_start <= vma->vm_mm->start_stack &&
2917 vma->vm_end >= vma->vm_mm->start_stack) {
2918 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2919 } else if (vma->vm_file && vma->anon_vma) {
2921 * We are making executable a file mapping that has
2922 * had some COW done. Since pages might have been
2923 * written, check ability to execute the possibly
2924 * modified content. This typically should only
2925 * occur for text relocations.
2927 rc = file_has_perm(current, vma->vm_file,
2928 FILE__EXECMOD);
2930 if (rc)
2931 return rc;
2933 #endif
2935 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2938 static int selinux_file_lock(struct file *file, unsigned int cmd)
2940 return file_has_perm(current, file, FILE__LOCK);
2943 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2944 unsigned long arg)
2946 int err = 0;
2948 switch (cmd) {
2949 case F_SETFL:
2950 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2951 err = -EINVAL;
2952 break;
2955 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2956 err = file_has_perm(current, file,FILE__WRITE);
2957 break;
2959 /* fall through */
2960 case F_SETOWN:
2961 case F_SETSIG:
2962 case F_GETFL:
2963 case F_GETOWN:
2964 case F_GETSIG:
2965 /* Just check FD__USE permission */
2966 err = file_has_perm(current, file, 0);
2967 break;
2968 case F_GETLK:
2969 case F_SETLK:
2970 case F_SETLKW:
2971 #if BITS_PER_LONG == 32
2972 case F_GETLK64:
2973 case F_SETLK64:
2974 case F_SETLKW64:
2975 #endif
2976 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
2977 err = -EINVAL;
2978 break;
2980 err = file_has_perm(current, file, FILE__LOCK);
2981 break;
2984 return err;
2987 static int selinux_file_set_fowner(struct file *file)
2989 struct task_security_struct *tsec;
2990 struct file_security_struct *fsec;
2992 tsec = current->security;
2993 fsec = file->f_security;
2994 fsec->fown_sid = tsec->sid;
2996 return 0;
2999 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3000 struct fown_struct *fown, int signum)
3002 struct file *file;
3003 u32 perm;
3004 struct task_security_struct *tsec;
3005 struct file_security_struct *fsec;
3007 /* struct fown_struct is never outside the context of a struct file */
3008 file = container_of(fown, struct file, f_owner);
3010 tsec = tsk->security;
3011 fsec = file->f_security;
3013 if (!signum)
3014 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3015 else
3016 perm = signal_to_av(signum);
3018 return avc_has_perm(fsec->fown_sid, tsec->sid,
3019 SECCLASS_PROCESS, perm, NULL);
3022 static int selinux_file_receive(struct file *file)
3024 return file_has_perm(current, file, file_to_av(file));
3027 static int selinux_dentry_open(struct file *file)
3029 struct file_security_struct *fsec;
3030 struct inode *inode;
3031 struct inode_security_struct *isec;
3032 inode = file->f_path.dentry->d_inode;
3033 fsec = file->f_security;
3034 isec = inode->i_security;
3036 * Save inode label and policy sequence number
3037 * at open-time so that selinux_file_permission
3038 * can determine whether revalidation is necessary.
3039 * Task label is already saved in the file security
3040 * struct as its SID.
3042 fsec->isid = isec->sid;
3043 fsec->pseqno = avc_policy_seqno();
3045 * Since the inode label or policy seqno may have changed
3046 * between the selinux_inode_permission check and the saving
3047 * of state above, recheck that access is still permitted.
3048 * Otherwise, access might never be revalidated against the
3049 * new inode label or new policy.
3050 * This check is not redundant - do not remove.
3052 return inode_has_perm(current, inode, file_to_av(file), NULL);
3055 /* task security operations */
3057 static int selinux_task_create(unsigned long clone_flags)
3059 int rc;
3061 rc = secondary_ops->task_create(clone_flags);
3062 if (rc)
3063 return rc;
3065 return task_has_perm(current, current, PROCESS__FORK);
3068 static int selinux_task_alloc_security(struct task_struct *tsk)
3070 struct task_security_struct *tsec1, *tsec2;
3071 int rc;
3073 tsec1 = current->security;
3075 rc = task_alloc_security(tsk);
3076 if (rc)
3077 return rc;
3078 tsec2 = tsk->security;
3080 tsec2->osid = tsec1->osid;
3081 tsec2->sid = tsec1->sid;
3083 /* Retain the exec, fs, key, and sock SIDs across fork */
3084 tsec2->exec_sid = tsec1->exec_sid;
3085 tsec2->create_sid = tsec1->create_sid;
3086 tsec2->keycreate_sid = tsec1->keycreate_sid;
3087 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
3089 /* Retain ptracer SID across fork, if any.
3090 This will be reset by the ptrace hook upon any
3091 subsequent ptrace_attach operations. */
3092 tsec2->ptrace_sid = tsec1->ptrace_sid;
3094 return 0;
3097 static void selinux_task_free_security(struct task_struct *tsk)
3099 task_free_security(tsk);
3102 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3104 /* Since setuid only affects the current process, and
3105 since the SELinux controls are not based on the Linux
3106 identity attributes, SELinux does not need to control
3107 this operation. However, SELinux does control the use
3108 of the CAP_SETUID and CAP_SETGID capabilities using the
3109 capable hook. */
3110 return 0;
3113 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3115 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
3118 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3120 /* See the comment for setuid above. */
3121 return 0;
3124 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3126 return task_has_perm(current, p, PROCESS__SETPGID);
3129 static int selinux_task_getpgid(struct task_struct *p)
3131 return task_has_perm(current, p, PROCESS__GETPGID);
3134 static int selinux_task_getsid(struct task_struct *p)
3136 return task_has_perm(current, p, PROCESS__GETSESSION);
3139 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3141 selinux_get_task_sid(p, secid);
3144 static int selinux_task_setgroups(struct group_info *group_info)
3146 /* See the comment for setuid above. */
3147 return 0;
3150 static int selinux_task_setnice(struct task_struct *p, int nice)
3152 int rc;
3154 rc = secondary_ops->task_setnice(p, nice);
3155 if (rc)
3156 return rc;
3158 return task_has_perm(current,p, PROCESS__SETSCHED);
3161 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3163 int rc;
3165 rc = secondary_ops->task_setioprio(p, ioprio);
3166 if (rc)
3167 return rc;
3169 return task_has_perm(current, p, PROCESS__SETSCHED);
3172 static int selinux_task_getioprio(struct task_struct *p)
3174 return task_has_perm(current, p, PROCESS__GETSCHED);
3177 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3179 struct rlimit *old_rlim = current->signal->rlim + resource;
3180 int rc;
3182 rc = secondary_ops->task_setrlimit(resource, new_rlim);
3183 if (rc)
3184 return rc;
3186 /* Control the ability to change the hard limit (whether
3187 lowering or raising it), so that the hard limit can
3188 later be used as a safe reset point for the soft limit
3189 upon context transitions. See selinux_bprm_apply_creds. */
3190 if (old_rlim->rlim_max != new_rlim->rlim_max)
3191 return task_has_perm(current, current, PROCESS__SETRLIMIT);
3193 return 0;
3196 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3198 int rc;
3200 rc = secondary_ops->task_setscheduler(p, policy, lp);
3201 if (rc)
3202 return rc;
3204 return task_has_perm(current, p, PROCESS__SETSCHED);
3207 static int selinux_task_getscheduler(struct task_struct *p)
3209 return task_has_perm(current, p, PROCESS__GETSCHED);
3212 static int selinux_task_movememory(struct task_struct *p)
3214 return task_has_perm(current, p, PROCESS__SETSCHED);
3217 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3218 int sig, u32 secid)
3220 u32 perm;
3221 int rc;
3222 struct task_security_struct *tsec;
3224 rc = secondary_ops->task_kill(p, info, sig, secid);
3225 if (rc)
3226 return rc;
3228 if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
3229 return 0;
3231 if (!sig)
3232 perm = PROCESS__SIGNULL; /* null signal; existence test */
3233 else
3234 perm = signal_to_av(sig);
3235 tsec = p->security;
3236 if (secid)
3237 rc = avc_has_perm(secid, tsec->sid, SECCLASS_PROCESS, perm, NULL);
3238 else
3239 rc = task_has_perm(current, p, perm);
3240 return rc;
3243 static int selinux_task_prctl(int option,
3244 unsigned long arg2,
3245 unsigned long arg3,
3246 unsigned long arg4,
3247 unsigned long arg5)
3249 /* The current prctl operations do not appear to require
3250 any SELinux controls since they merely observe or modify
3251 the state of the current process. */
3252 return 0;
3255 static int selinux_task_wait(struct task_struct *p)
3257 return task_has_perm(p, current, PROCESS__SIGCHLD);
3260 static void selinux_task_reparent_to_init(struct task_struct *p)
3262 struct task_security_struct *tsec;
3264 secondary_ops->task_reparent_to_init(p);
3266 tsec = p->security;
3267 tsec->osid = tsec->sid;
3268 tsec->sid = SECINITSID_KERNEL;
3269 return;
3272 static void selinux_task_to_inode(struct task_struct *p,
3273 struct inode *inode)
3275 struct task_security_struct *tsec = p->security;
3276 struct inode_security_struct *isec = inode->i_security;
3278 isec->sid = tsec->sid;
3279 isec->initialized = 1;
3280 return;
3283 /* Returns error only if unable to parse addresses */
3284 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3285 struct avc_audit_data *ad, u8 *proto)
3287 int offset, ihlen, ret = -EINVAL;
3288 struct iphdr _iph, *ih;
3290 offset = skb_network_offset(skb);
3291 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3292 if (ih == NULL)
3293 goto out;
3295 ihlen = ih->ihl * 4;
3296 if (ihlen < sizeof(_iph))
3297 goto out;
3299 ad->u.net.v4info.saddr = ih->saddr;
3300 ad->u.net.v4info.daddr = ih->daddr;
3301 ret = 0;
3303 if (proto)
3304 *proto = ih->protocol;
3306 switch (ih->protocol) {
3307 case IPPROTO_TCP: {
3308 struct tcphdr _tcph, *th;
3310 if (ntohs(ih->frag_off) & IP_OFFSET)
3311 break;
3313 offset += ihlen;
3314 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3315 if (th == NULL)
3316 break;
3318 ad->u.net.sport = th->source;
3319 ad->u.net.dport = th->dest;
3320 break;
3323 case IPPROTO_UDP: {
3324 struct udphdr _udph, *uh;
3326 if (ntohs(ih->frag_off) & IP_OFFSET)
3327 break;
3329 offset += ihlen;
3330 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3331 if (uh == NULL)
3332 break;
3334 ad->u.net.sport = uh->source;
3335 ad->u.net.dport = uh->dest;
3336 break;
3339 case IPPROTO_DCCP: {
3340 struct dccp_hdr _dccph, *dh;
3342 if (ntohs(ih->frag_off) & IP_OFFSET)
3343 break;
3345 offset += ihlen;
3346 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3347 if (dh == NULL)
3348 break;
3350 ad->u.net.sport = dh->dccph_sport;
3351 ad->u.net.dport = dh->dccph_dport;
3352 break;
3355 default:
3356 break;
3358 out:
3359 return ret;
3362 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3364 /* Returns error only if unable to parse addresses */
3365 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3366 struct avc_audit_data *ad, u8 *proto)
3368 u8 nexthdr;
3369 int ret = -EINVAL, offset;
3370 struct ipv6hdr _ipv6h, *ip6;
3372 offset = skb_network_offset(skb);
3373 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3374 if (ip6 == NULL)
3375 goto out;
3377 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3378 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3379 ret = 0;
3381 nexthdr = ip6->nexthdr;
3382 offset += sizeof(_ipv6h);
3383 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3384 if (offset < 0)
3385 goto out;
3387 if (proto)
3388 *proto = nexthdr;
3390 switch (nexthdr) {
3391 case IPPROTO_TCP: {
3392 struct tcphdr _tcph, *th;
3394 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3395 if (th == NULL)
3396 break;
3398 ad->u.net.sport = th->source;
3399 ad->u.net.dport = th->dest;
3400 break;
3403 case IPPROTO_UDP: {
3404 struct udphdr _udph, *uh;
3406 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3407 if (uh == NULL)
3408 break;
3410 ad->u.net.sport = uh->source;
3411 ad->u.net.dport = uh->dest;
3412 break;
3415 case IPPROTO_DCCP: {
3416 struct dccp_hdr _dccph, *dh;
3418 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3419 if (dh == NULL)
3420 break;
3422 ad->u.net.sport = dh->dccph_sport;
3423 ad->u.net.dport = dh->dccph_dport;
3424 break;
3427 /* includes fragments */
3428 default:
3429 break;
3431 out:
3432 return ret;
3435 #endif /* IPV6 */
3437 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3438 char **addrp, int src, u8 *proto)
3440 int ret = 0;
3442 switch (ad->u.net.family) {
3443 case PF_INET:
3444 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3445 if (ret || !addrp)
3446 break;
3447 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3448 &ad->u.net.v4info.daddr);
3449 break;
3451 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3452 case PF_INET6:
3453 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3454 if (ret || !addrp)
3455 break;
3456 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3457 &ad->u.net.v6info.daddr);
3458 break;
3459 #endif /* IPV6 */
3460 default:
3461 break;
3464 if (unlikely(ret))
3465 printk(KERN_WARNING
3466 "SELinux: failure in selinux_parse_skb(),"
3467 " unable to parse packet\n");
3469 return ret;
3473 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3474 * @skb: the packet
3475 * @family: protocol family
3476 * @sid: the packet's peer label SID
3478 * Description:
3479 * Check the various different forms of network peer labeling and determine
3480 * the peer label/SID for the packet; most of the magic actually occurs in
3481 * the security server function security_net_peersid_cmp(). The function
3482 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3483 * or -EACCES if @sid is invalid due to inconsistencies with the different
3484 * peer labels.
3487 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3489 int err;
3490 u32 xfrm_sid;
3491 u32 nlbl_sid;
3492 u32 nlbl_type;
3494 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3495 selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3497 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3498 if (unlikely(err)) {
3499 printk(KERN_WARNING
3500 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3501 " unable to determine packet's peer label\n");
3502 return -EACCES;
3505 return 0;
3508 /* socket security operations */
3509 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3510 u32 perms)
3512 struct inode_security_struct *isec;
3513 struct task_security_struct *tsec;
3514 struct avc_audit_data ad;
3515 int err = 0;
3517 tsec = task->security;
3518 isec = SOCK_INODE(sock)->i_security;
3520 if (isec->sid == SECINITSID_KERNEL)
3521 goto out;
3523 AVC_AUDIT_DATA_INIT(&ad,NET);
3524 ad.u.net.sk = sock->sk;
3525 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3527 out:
3528 return err;
3531 static int selinux_socket_create(int family, int type,
3532 int protocol, int kern)
3534 int err = 0;
3535 struct task_security_struct *tsec;
3536 u32 newsid;
3538 if (kern)
3539 goto out;
3541 tsec = current->security;
3542 newsid = tsec->sockcreate_sid ? : tsec->sid;
3543 err = avc_has_perm(tsec->sid, newsid,
3544 socket_type_to_security_class(family, type,
3545 protocol), SOCKET__CREATE, NULL);
3547 out:
3548 return err;
3551 static int selinux_socket_post_create(struct socket *sock, int family,
3552 int type, int protocol, int kern)
3554 int err = 0;
3555 struct inode_security_struct *isec;
3556 struct task_security_struct *tsec;
3557 struct sk_security_struct *sksec;
3558 u32 newsid;
3560 isec = SOCK_INODE(sock)->i_security;
3562 tsec = current->security;
3563 newsid = tsec->sockcreate_sid ? : tsec->sid;
3564 isec->sclass = socket_type_to_security_class(family, type, protocol);
3565 isec->sid = kern ? SECINITSID_KERNEL : newsid;
3566 isec->initialized = 1;
3568 if (sock->sk) {
3569 sksec = sock->sk->sk_security;
3570 sksec->sid = isec->sid;
3571 sksec->sclass = isec->sclass;
3572 err = selinux_netlbl_socket_post_create(sock);
3575 return err;
3578 /* Range of port numbers used to automatically bind.
3579 Need to determine whether we should perform a name_bind
3580 permission check between the socket and the port number. */
3582 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3584 u16 family;
3585 int err;
3587 err = socket_has_perm(current, sock, SOCKET__BIND);
3588 if (err)
3589 goto out;
3592 * If PF_INET or PF_INET6, check name_bind permission for the port.
3593 * Multiple address binding for SCTP is not supported yet: we just
3594 * check the first address now.
3596 family = sock->sk->sk_family;
3597 if (family == PF_INET || family == PF_INET6) {
3598 char *addrp;
3599 struct inode_security_struct *isec;
3600 struct task_security_struct *tsec;
3601 struct avc_audit_data ad;
3602 struct sockaddr_in *addr4 = NULL;
3603 struct sockaddr_in6 *addr6 = NULL;
3604 unsigned short snum;
3605 struct sock *sk = sock->sk;
3606 u32 sid, node_perm, addrlen;
3608 tsec = current->security;
3609 isec = SOCK_INODE(sock)->i_security;
3611 if (family == PF_INET) {
3612 addr4 = (struct sockaddr_in *)address;
3613 snum = ntohs(addr4->sin_port);
3614 addrlen = sizeof(addr4->sin_addr.s_addr);
3615 addrp = (char *)&addr4->sin_addr.s_addr;
3616 } else {
3617 addr6 = (struct sockaddr_in6 *)address;
3618 snum = ntohs(addr6->sin6_port);
3619 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3620 addrp = (char *)&addr6->sin6_addr.s6_addr;
3623 if (snum) {
3624 int low, high;
3626 inet_get_local_port_range(&low, &high);
3628 if (snum < max(PROT_SOCK, low) || snum > high) {
3629 err = security_port_sid(sk->sk_family,
3630 sk->sk_type,
3631 sk->sk_protocol, snum,
3632 &sid);
3633 if (err)
3634 goto out;
3635 AVC_AUDIT_DATA_INIT(&ad,NET);
3636 ad.u.net.sport = htons(snum);
3637 ad.u.net.family = family;
3638 err = avc_has_perm(isec->sid, sid,
3639 isec->sclass,
3640 SOCKET__NAME_BIND, &ad);
3641 if (err)
3642 goto out;
3646 switch(isec->sclass) {
3647 case SECCLASS_TCP_SOCKET:
3648 node_perm = TCP_SOCKET__NODE_BIND;
3649 break;
3651 case SECCLASS_UDP_SOCKET:
3652 node_perm = UDP_SOCKET__NODE_BIND;
3653 break;
3655 case SECCLASS_DCCP_SOCKET:
3656 node_perm = DCCP_SOCKET__NODE_BIND;
3657 break;
3659 default:
3660 node_perm = RAWIP_SOCKET__NODE_BIND;
3661 break;
3664 err = sel_netnode_sid(addrp, family, &sid);
3665 if (err)
3666 goto out;
3668 AVC_AUDIT_DATA_INIT(&ad,NET);
3669 ad.u.net.sport = htons(snum);
3670 ad.u.net.family = family;
3672 if (family == PF_INET)
3673 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3674 else
3675 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3677 err = avc_has_perm(isec->sid, sid,
3678 isec->sclass, node_perm, &ad);
3679 if (err)
3680 goto out;
3682 out:
3683 return err;
3686 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3688 struct inode_security_struct *isec;
3689 int err;
3691 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3692 if (err)
3693 return err;
3696 * If a TCP or DCCP socket, check name_connect permission for the port.
3698 isec = SOCK_INODE(sock)->i_security;
3699 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3700 isec->sclass == SECCLASS_DCCP_SOCKET) {
3701 struct sock *sk = sock->sk;
3702 struct avc_audit_data ad;
3703 struct sockaddr_in *addr4 = NULL;
3704 struct sockaddr_in6 *addr6 = NULL;
3705 unsigned short snum;
3706 u32 sid, perm;
3708 if (sk->sk_family == PF_INET) {
3709 addr4 = (struct sockaddr_in *)address;
3710 if (addrlen < sizeof(struct sockaddr_in))
3711 return -EINVAL;
3712 snum = ntohs(addr4->sin_port);
3713 } else {
3714 addr6 = (struct sockaddr_in6 *)address;
3715 if (addrlen < SIN6_LEN_RFC2133)
3716 return -EINVAL;
3717 snum = ntohs(addr6->sin6_port);
3720 err = security_port_sid(sk->sk_family, sk->sk_type,
3721 sk->sk_protocol, snum, &sid);
3722 if (err)
3723 goto out;
3725 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3726 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3728 AVC_AUDIT_DATA_INIT(&ad,NET);
3729 ad.u.net.dport = htons(snum);
3730 ad.u.net.family = sk->sk_family;
3731 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3732 if (err)
3733 goto out;
3736 out:
3737 return err;
3740 static int selinux_socket_listen(struct socket *sock, int backlog)
3742 return socket_has_perm(current, sock, SOCKET__LISTEN);
3745 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3747 int err;
3748 struct inode_security_struct *isec;
3749 struct inode_security_struct *newisec;
3751 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3752 if (err)
3753 return err;
3755 newisec = SOCK_INODE(newsock)->i_security;
3757 isec = SOCK_INODE(sock)->i_security;
3758 newisec->sclass = isec->sclass;
3759 newisec->sid = isec->sid;
3760 newisec->initialized = 1;
3762 return 0;
3765 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3766 int size)
3768 int rc;
3770 rc = socket_has_perm(current, sock, SOCKET__WRITE);
3771 if (rc)
3772 return rc;
3774 return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
3777 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3778 int size, int flags)
3780 return socket_has_perm(current, sock, SOCKET__READ);
3783 static int selinux_socket_getsockname(struct socket *sock)
3785 return socket_has_perm(current, sock, SOCKET__GETATTR);
3788 static int selinux_socket_getpeername(struct socket *sock)
3790 return socket_has_perm(current, sock, SOCKET__GETATTR);
3793 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3795 int err;
3797 err = socket_has_perm(current, sock, SOCKET__SETOPT);
3798 if (err)
3799 return err;
3801 return selinux_netlbl_socket_setsockopt(sock, level, optname);
3804 static int selinux_socket_getsockopt(struct socket *sock, int level,
3805 int optname)
3807 return socket_has_perm(current, sock, SOCKET__GETOPT);
3810 static int selinux_socket_shutdown(struct socket *sock, int how)
3812 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3815 static int selinux_socket_unix_stream_connect(struct socket *sock,
3816 struct socket *other,
3817 struct sock *newsk)
3819 struct sk_security_struct *ssec;
3820 struct inode_security_struct *isec;
3821 struct inode_security_struct *other_isec;
3822 struct avc_audit_data ad;
3823 int err;
3825 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3826 if (err)
3827 return err;
3829 isec = SOCK_INODE(sock)->i_security;
3830 other_isec = SOCK_INODE(other)->i_security;
3832 AVC_AUDIT_DATA_INIT(&ad,NET);
3833 ad.u.net.sk = other->sk;
3835 err = avc_has_perm(isec->sid, other_isec->sid,
3836 isec->sclass,
3837 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3838 if (err)
3839 return err;
3841 /* connecting socket */
3842 ssec = sock->sk->sk_security;
3843 ssec->peer_sid = other_isec->sid;
3845 /* server child socket */
3846 ssec = newsk->sk_security;
3847 ssec->peer_sid = isec->sid;
3848 err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
3850 return err;
3853 static int selinux_socket_unix_may_send(struct socket *sock,
3854 struct socket *other)
3856 struct inode_security_struct *isec;
3857 struct inode_security_struct *other_isec;
3858 struct avc_audit_data ad;
3859 int err;
3861 isec = SOCK_INODE(sock)->i_security;
3862 other_isec = SOCK_INODE(other)->i_security;
3864 AVC_AUDIT_DATA_INIT(&ad,NET);
3865 ad.u.net.sk = other->sk;
3867 err = avc_has_perm(isec->sid, other_isec->sid,
3868 isec->sclass, SOCKET__SENDTO, &ad);
3869 if (err)
3870 return err;
3872 return 0;
3875 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
3876 u32 peer_sid,
3877 struct avc_audit_data *ad)
3879 int err;
3880 u32 if_sid;
3881 u32 node_sid;
3883 err = sel_netif_sid(ifindex, &if_sid);
3884 if (err)
3885 return err;
3886 err = avc_has_perm(peer_sid, if_sid,
3887 SECCLASS_NETIF, NETIF__INGRESS, ad);
3888 if (err)
3889 return err;
3891 err = sel_netnode_sid(addrp, family, &node_sid);
3892 if (err)
3893 return err;
3894 return avc_has_perm(peer_sid, node_sid,
3895 SECCLASS_NODE, NODE__RECVFROM, ad);
3898 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
3899 struct sk_buff *skb,
3900 struct avc_audit_data *ad,
3901 u16 family,
3902 char *addrp)
3904 int err;
3905 struct sk_security_struct *sksec = sk->sk_security;
3906 u16 sk_class;
3907 u32 netif_perm, node_perm, recv_perm;
3908 u32 port_sid, node_sid, if_sid, sk_sid;
3910 sk_sid = sksec->sid;
3911 sk_class = sksec->sclass;
3913 switch (sk_class) {
3914 case SECCLASS_UDP_SOCKET:
3915 netif_perm = NETIF__UDP_RECV;
3916 node_perm = NODE__UDP_RECV;
3917 recv_perm = UDP_SOCKET__RECV_MSG;
3918 break;
3919 case SECCLASS_TCP_SOCKET:
3920 netif_perm = NETIF__TCP_RECV;
3921 node_perm = NODE__TCP_RECV;
3922 recv_perm = TCP_SOCKET__RECV_MSG;
3923 break;
3924 case SECCLASS_DCCP_SOCKET:
3925 netif_perm = NETIF__DCCP_RECV;
3926 node_perm = NODE__DCCP_RECV;
3927 recv_perm = DCCP_SOCKET__RECV_MSG;
3928 break;
3929 default:
3930 netif_perm = NETIF__RAWIP_RECV;
3931 node_perm = NODE__RAWIP_RECV;
3932 recv_perm = 0;
3933 break;
3936 err = sel_netif_sid(skb->iif, &if_sid);
3937 if (err)
3938 return err;
3939 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
3940 if (err)
3941 return err;
3943 err = sel_netnode_sid(addrp, family, &node_sid);
3944 if (err)
3945 return err;
3946 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
3947 if (err)
3948 return err;
3950 if (!recv_perm)
3951 return 0;
3952 err = security_port_sid(sk->sk_family, sk->sk_type,
3953 sk->sk_protocol, ntohs(ad->u.net.sport),
3954 &port_sid);
3955 if (unlikely(err)) {
3956 printk(KERN_WARNING
3957 "SELinux: failure in"
3958 " selinux_sock_rcv_skb_iptables_compat(),"
3959 " network port label not found\n");
3960 return err;
3962 return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
3965 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
3966 struct avc_audit_data *ad,
3967 u16 family, char *addrp)
3969 int err;
3970 struct sk_security_struct *sksec = sk->sk_security;
3971 u32 peer_sid;
3972 u32 sk_sid = sksec->sid;
3974 if (selinux_compat_net)
3975 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, ad,
3976 family, addrp);
3977 else
3978 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
3979 PACKET__RECV, ad);
3980 if (err)
3981 return err;
3983 if (selinux_policycap_netpeer) {
3984 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
3985 if (err)
3986 return err;
3987 err = avc_has_perm(sk_sid, peer_sid,
3988 SECCLASS_PEER, PEER__RECV, ad);
3989 } else {
3990 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, ad);
3991 if (err)
3992 return err;
3993 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, ad);
3996 return err;
3999 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4001 int err;
4002 struct sk_security_struct *sksec = sk->sk_security;
4003 u16 family = sk->sk_family;
4004 u32 sk_sid = sksec->sid;
4005 struct avc_audit_data ad;
4006 char *addrp;
4008 if (family != PF_INET && family != PF_INET6)
4009 return 0;
4011 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4012 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4013 family = PF_INET;
4015 AVC_AUDIT_DATA_INIT(&ad, NET);
4016 ad.u.net.netif = skb->iif;
4017 ad.u.net.family = family;
4018 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4019 if (err)
4020 return err;
4022 /* If any sort of compatibility mode is enabled then handoff processing
4023 * to the selinux_sock_rcv_skb_compat() function to deal with the
4024 * special handling. We do this in an attempt to keep this function
4025 * as fast and as clean as possible. */
4026 if (selinux_compat_net || !selinux_policycap_netpeer)
4027 return selinux_sock_rcv_skb_compat(sk, skb, &ad,
4028 family, addrp);
4030 if (netlbl_enabled() || selinux_xfrm_enabled()) {
4031 u32 peer_sid;
4033 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4034 if (err)
4035 return err;
4036 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4037 peer_sid, &ad);
4038 if (err)
4039 return err;
4040 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4041 PEER__RECV, &ad);
4044 if (selinux_secmark_enabled()) {
4045 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4046 PACKET__RECV, &ad);
4047 if (err)
4048 return err;
4051 return err;
4054 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4055 int __user *optlen, unsigned len)
4057 int err = 0;
4058 char *scontext;
4059 u32 scontext_len;
4060 struct sk_security_struct *ssec;
4061 struct inode_security_struct *isec;
4062 u32 peer_sid = SECSID_NULL;
4064 isec = SOCK_INODE(sock)->i_security;
4066 if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4067 isec->sclass == SECCLASS_TCP_SOCKET) {
4068 ssec = sock->sk->sk_security;
4069 peer_sid = ssec->peer_sid;
4071 if (peer_sid == SECSID_NULL) {
4072 err = -ENOPROTOOPT;
4073 goto out;
4076 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4078 if (err)
4079 goto out;
4081 if (scontext_len > len) {
4082 err = -ERANGE;
4083 goto out_len;
4086 if (copy_to_user(optval, scontext, scontext_len))
4087 err = -EFAULT;
4089 out_len:
4090 if (put_user(scontext_len, optlen))
4091 err = -EFAULT;
4093 kfree(scontext);
4094 out:
4095 return err;
4098 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4100 u32 peer_secid = SECSID_NULL;
4101 u16 family;
4103 if (sock)
4104 family = sock->sk->sk_family;
4105 else if (skb && skb->sk)
4106 family = skb->sk->sk_family;
4107 else
4108 goto out;
4110 if (sock && family == PF_UNIX)
4111 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid);
4112 else if (skb)
4113 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4115 out:
4116 *secid = peer_secid;
4117 if (peer_secid == SECSID_NULL)
4118 return -EINVAL;
4119 return 0;
4122 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4124 return sk_alloc_security(sk, family, priority);
4127 static void selinux_sk_free_security(struct sock *sk)
4129 sk_free_security(sk);
4132 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4134 struct sk_security_struct *ssec = sk->sk_security;
4135 struct sk_security_struct *newssec = newsk->sk_security;
4137 newssec->sid = ssec->sid;
4138 newssec->peer_sid = ssec->peer_sid;
4139 newssec->sclass = ssec->sclass;
4141 selinux_netlbl_sk_security_clone(ssec, newssec);
4144 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4146 if (!sk)
4147 *secid = SECINITSID_ANY_SOCKET;
4148 else {
4149 struct sk_security_struct *sksec = sk->sk_security;
4151 *secid = sksec->sid;
4155 static void selinux_sock_graft(struct sock* sk, struct socket *parent)
4157 struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4158 struct sk_security_struct *sksec = sk->sk_security;
4160 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4161 sk->sk_family == PF_UNIX)
4162 isec->sid = sksec->sid;
4163 sksec->sclass = isec->sclass;
4165 selinux_netlbl_sock_graft(sk, parent);
4168 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4169 struct request_sock *req)
4171 struct sk_security_struct *sksec = sk->sk_security;
4172 int err;
4173 u32 newsid;
4174 u32 peersid;
4176 err = selinux_skb_peerlbl_sid(skb, sk->sk_family, &peersid);
4177 if (err)
4178 return err;
4179 if (peersid == SECSID_NULL) {
4180 req->secid = sksec->sid;
4181 req->peer_secid = SECSID_NULL;
4182 return 0;
4185 err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4186 if (err)
4187 return err;
4189 req->secid = newsid;
4190 req->peer_secid = peersid;
4191 return 0;
4194 static void selinux_inet_csk_clone(struct sock *newsk,
4195 const struct request_sock *req)
4197 struct sk_security_struct *newsksec = newsk->sk_security;
4199 newsksec->sid = req->secid;
4200 newsksec->peer_sid = req->peer_secid;
4201 /* NOTE: Ideally, we should also get the isec->sid for the
4202 new socket in sync, but we don't have the isec available yet.
4203 So we will wait until sock_graft to do it, by which
4204 time it will have been created and available. */
4206 /* We don't need to take any sort of lock here as we are the only
4207 * thread with access to newsksec */
4208 selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4211 static void selinux_inet_conn_established(struct sock *sk,
4212 struct sk_buff *skb)
4214 struct sk_security_struct *sksec = sk->sk_security;
4216 selinux_skb_peerlbl_sid(skb, sk->sk_family, &sksec->peer_sid);
4219 static void selinux_req_classify_flow(const struct request_sock *req,
4220 struct flowi *fl)
4222 fl->secid = req->secid;
4225 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4227 int err = 0;
4228 u32 perm;
4229 struct nlmsghdr *nlh;
4230 struct socket *sock = sk->sk_socket;
4231 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4233 if (skb->len < NLMSG_SPACE(0)) {
4234 err = -EINVAL;
4235 goto out;
4237 nlh = nlmsg_hdr(skb);
4239 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4240 if (err) {
4241 if (err == -EINVAL) {
4242 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4243 "SELinux: unrecognized netlink message"
4244 " type=%hu for sclass=%hu\n",
4245 nlh->nlmsg_type, isec->sclass);
4246 if (!selinux_enforcing)
4247 err = 0;
4250 /* Ignore */
4251 if (err == -ENOENT)
4252 err = 0;
4253 goto out;
4256 err = socket_has_perm(current, sock, perm);
4257 out:
4258 return err;
4261 #ifdef CONFIG_NETFILTER
4263 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4264 u16 family)
4266 char *addrp;
4267 u32 peer_sid;
4268 struct avc_audit_data ad;
4269 u8 secmark_active;
4270 u8 peerlbl_active;
4272 if (!selinux_policycap_netpeer)
4273 return NF_ACCEPT;
4275 secmark_active = selinux_secmark_enabled();
4276 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4277 if (!secmark_active && !peerlbl_active)
4278 return NF_ACCEPT;
4280 AVC_AUDIT_DATA_INIT(&ad, NET);
4281 ad.u.net.netif = ifindex;
4282 ad.u.net.family = family;
4283 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4284 return NF_DROP;
4286 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4287 return NF_DROP;
4289 if (peerlbl_active)
4290 if (selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4291 peer_sid, &ad) != 0)
4292 return NF_DROP;
4294 if (secmark_active)
4295 if (avc_has_perm(peer_sid, skb->secmark,
4296 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4297 return NF_DROP;
4299 return NF_ACCEPT;
4302 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4303 struct sk_buff *skb,
4304 const struct net_device *in,
4305 const struct net_device *out,
4306 int (*okfn)(struct sk_buff *))
4308 return selinux_ip_forward(skb, in->ifindex, PF_INET);
4311 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4312 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4313 struct sk_buff *skb,
4314 const struct net_device *in,
4315 const struct net_device *out,
4316 int (*okfn)(struct sk_buff *))
4318 return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4320 #endif /* IPV6 */
4322 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4323 int ifindex,
4324 struct avc_audit_data *ad,
4325 u16 family, char *addrp)
4327 int err;
4328 struct sk_security_struct *sksec = sk->sk_security;
4329 u16 sk_class;
4330 u32 netif_perm, node_perm, send_perm;
4331 u32 port_sid, node_sid, if_sid, sk_sid;
4333 sk_sid = sksec->sid;
4334 sk_class = sksec->sclass;
4336 switch (sk_class) {
4337 case SECCLASS_UDP_SOCKET:
4338 netif_perm = NETIF__UDP_SEND;
4339 node_perm = NODE__UDP_SEND;
4340 send_perm = UDP_SOCKET__SEND_MSG;
4341 break;
4342 case SECCLASS_TCP_SOCKET:
4343 netif_perm = NETIF__TCP_SEND;
4344 node_perm = NODE__TCP_SEND;
4345 send_perm = TCP_SOCKET__SEND_MSG;
4346 break;
4347 case SECCLASS_DCCP_SOCKET:
4348 netif_perm = NETIF__DCCP_SEND;
4349 node_perm = NODE__DCCP_SEND;
4350 send_perm = DCCP_SOCKET__SEND_MSG;
4351 break;
4352 default:
4353 netif_perm = NETIF__RAWIP_SEND;
4354 node_perm = NODE__RAWIP_SEND;
4355 send_perm = 0;
4356 break;
4359 err = sel_netif_sid(ifindex, &if_sid);
4360 if (err)
4361 return err;
4362 err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4363 return err;
4365 err = sel_netnode_sid(addrp, family, &node_sid);
4366 if (err)
4367 return err;
4368 err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4369 if (err)
4370 return err;
4372 if (send_perm != 0)
4373 return 0;
4375 err = security_port_sid(sk->sk_family, sk->sk_type,
4376 sk->sk_protocol, ntohs(ad->u.net.dport),
4377 &port_sid);
4378 if (unlikely(err)) {
4379 printk(KERN_WARNING
4380 "SELinux: failure in"
4381 " selinux_ip_postroute_iptables_compat(),"
4382 " network port label not found\n");
4383 return err;
4385 return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4388 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4389 int ifindex,
4390 struct avc_audit_data *ad,
4391 u16 family,
4392 char *addrp,
4393 u8 proto)
4395 struct sock *sk = skb->sk;
4396 struct sk_security_struct *sksec;
4398 if (sk == NULL)
4399 return NF_ACCEPT;
4400 sksec = sk->sk_security;
4402 if (selinux_compat_net) {
4403 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4404 ad, family, addrp))
4405 return NF_DROP;
4406 } else {
4407 if (avc_has_perm(sksec->sid, skb->secmark,
4408 SECCLASS_PACKET, PACKET__SEND, ad))
4409 return NF_DROP;
4412 if (selinux_policycap_netpeer)
4413 if (selinux_xfrm_postroute_last(sksec->sid, skb, ad, proto))
4414 return NF_DROP;
4416 return NF_ACCEPT;
4419 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4420 u16 family)
4422 u32 secmark_perm;
4423 u32 peer_sid;
4424 struct sock *sk;
4425 struct avc_audit_data ad;
4426 char *addrp;
4427 u8 proto;
4428 u8 secmark_active;
4429 u8 peerlbl_active;
4431 AVC_AUDIT_DATA_INIT(&ad, NET);
4432 ad.u.net.netif = ifindex;
4433 ad.u.net.family = family;
4434 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4435 return NF_DROP;
4437 /* If any sort of compatibility mode is enabled then handoff processing
4438 * to the selinux_ip_postroute_compat() function to deal with the
4439 * special handling. We do this in an attempt to keep this function
4440 * as fast and as clean as possible. */
4441 if (selinux_compat_net || !selinux_policycap_netpeer)
4442 return selinux_ip_postroute_compat(skb, ifindex, &ad,
4443 family, addrp, proto);
4445 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4446 * packet transformation so allow the packet to pass without any checks
4447 * since we'll have another chance to perform access control checks
4448 * when the packet is on it's final way out.
4449 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4450 * is NULL, in this case go ahead and apply access control. */
4451 if (skb->dst != NULL && skb->dst->xfrm != NULL)
4452 return NF_ACCEPT;
4454 secmark_active = selinux_secmark_enabled();
4455 peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4456 if (!secmark_active && !peerlbl_active)
4457 return NF_ACCEPT;
4459 /* if the packet is locally generated (skb->sk != NULL) then use the
4460 * socket's label as the peer label, otherwise the packet is being
4461 * forwarded through this system and we need to fetch the peer label
4462 * directly from the packet */
4463 sk = skb->sk;
4464 if (sk) {
4465 struct sk_security_struct *sksec = sk->sk_security;
4466 peer_sid = sksec->sid;
4467 secmark_perm = PACKET__SEND;
4468 } else {
4469 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4470 return NF_DROP;
4471 secmark_perm = PACKET__FORWARD_OUT;
4474 if (secmark_active)
4475 if (avc_has_perm(peer_sid, skb->secmark,
4476 SECCLASS_PACKET, secmark_perm, &ad))
4477 return NF_DROP;
4479 if (peerlbl_active) {
4480 u32 if_sid;
4481 u32 node_sid;
4483 if (sel_netif_sid(ifindex, &if_sid))
4484 return NF_DROP;
4485 if (avc_has_perm(peer_sid, if_sid,
4486 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4487 return NF_DROP;
4489 if (sel_netnode_sid(addrp, family, &node_sid))
4490 return NF_DROP;
4491 if (avc_has_perm(peer_sid, node_sid,
4492 SECCLASS_NODE, NODE__SENDTO, &ad))
4493 return NF_DROP;
4496 return NF_ACCEPT;
4499 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4500 struct sk_buff *skb,
4501 const struct net_device *in,
4502 const struct net_device *out,
4503 int (*okfn)(struct sk_buff *))
4505 return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4508 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4509 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4510 struct sk_buff *skb,
4511 const struct net_device *in,
4512 const struct net_device *out,
4513 int (*okfn)(struct sk_buff *))
4515 return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4517 #endif /* IPV6 */
4519 #endif /* CONFIG_NETFILTER */
4521 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4523 int err;
4525 err = secondary_ops->netlink_send(sk, skb);
4526 if (err)
4527 return err;
4529 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4530 err = selinux_nlmsg_perm(sk, skb);
4532 return err;
4535 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4537 int err;
4538 struct avc_audit_data ad;
4540 err = secondary_ops->netlink_recv(skb, capability);
4541 if (err)
4542 return err;
4544 AVC_AUDIT_DATA_INIT(&ad, CAP);
4545 ad.u.cap = capability;
4547 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4548 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4551 static int ipc_alloc_security(struct task_struct *task,
4552 struct kern_ipc_perm *perm,
4553 u16 sclass)
4555 struct task_security_struct *tsec = task->security;
4556 struct ipc_security_struct *isec;
4558 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4559 if (!isec)
4560 return -ENOMEM;
4562 isec->sclass = sclass;
4563 isec->ipc_perm = perm;
4564 isec->sid = tsec->sid;
4565 perm->security = isec;
4567 return 0;
4570 static void ipc_free_security(struct kern_ipc_perm *perm)
4572 struct ipc_security_struct *isec = perm->security;
4573 perm->security = NULL;
4574 kfree(isec);
4577 static int msg_msg_alloc_security(struct msg_msg *msg)
4579 struct msg_security_struct *msec;
4581 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4582 if (!msec)
4583 return -ENOMEM;
4585 msec->msg = msg;
4586 msec->sid = SECINITSID_UNLABELED;
4587 msg->security = msec;
4589 return 0;
4592 static void msg_msg_free_security(struct msg_msg *msg)
4594 struct msg_security_struct *msec = msg->security;
4596 msg->security = NULL;
4597 kfree(msec);
4600 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4601 u32 perms)
4603 struct task_security_struct *tsec;
4604 struct ipc_security_struct *isec;
4605 struct avc_audit_data ad;
4607 tsec = current->security;
4608 isec = ipc_perms->security;
4610 AVC_AUDIT_DATA_INIT(&ad, IPC);
4611 ad.u.ipc_id = ipc_perms->key;
4613 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
4616 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4618 return msg_msg_alloc_security(msg);
4621 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4623 msg_msg_free_security(msg);
4626 /* message queue security operations */
4627 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4629 struct task_security_struct *tsec;
4630 struct ipc_security_struct *isec;
4631 struct avc_audit_data ad;
4632 int rc;
4634 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4635 if (rc)
4636 return rc;
4638 tsec = current->security;
4639 isec = msq->q_perm.security;
4641 AVC_AUDIT_DATA_INIT(&ad, IPC);
4642 ad.u.ipc_id = msq->q_perm.key;
4644 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4645 MSGQ__CREATE, &ad);
4646 if (rc) {
4647 ipc_free_security(&msq->q_perm);
4648 return rc;
4650 return 0;
4653 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4655 ipc_free_security(&msq->q_perm);
4658 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4660 struct task_security_struct *tsec;
4661 struct ipc_security_struct *isec;
4662 struct avc_audit_data ad;
4664 tsec = current->security;
4665 isec = msq->q_perm.security;
4667 AVC_AUDIT_DATA_INIT(&ad, IPC);
4668 ad.u.ipc_id = msq->q_perm.key;
4670 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4671 MSGQ__ASSOCIATE, &ad);
4674 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
4676 int err;
4677 int perms;
4679 switch(cmd) {
4680 case IPC_INFO:
4681 case MSG_INFO:
4682 /* No specific object, just general system-wide information. */
4683 return task_has_system(current, SYSTEM__IPC_INFO);
4684 case IPC_STAT:
4685 case MSG_STAT:
4686 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4687 break;
4688 case IPC_SET:
4689 perms = MSGQ__SETATTR;
4690 break;
4691 case IPC_RMID:
4692 perms = MSGQ__DESTROY;
4693 break;
4694 default:
4695 return 0;
4698 err = ipc_has_perm(&msq->q_perm, perms);
4699 return err;
4702 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
4704 struct task_security_struct *tsec;
4705 struct ipc_security_struct *isec;
4706 struct msg_security_struct *msec;
4707 struct avc_audit_data ad;
4708 int rc;
4710 tsec = current->security;
4711 isec = msq->q_perm.security;
4712 msec = msg->security;
4715 * First time through, need to assign label to the message
4717 if (msec->sid == SECINITSID_UNLABELED) {
4719 * Compute new sid based on current process and
4720 * message queue this message will be stored in
4722 rc = security_transition_sid(tsec->sid,
4723 isec->sid,
4724 SECCLASS_MSG,
4725 &msec->sid);
4726 if (rc)
4727 return rc;
4730 AVC_AUDIT_DATA_INIT(&ad, IPC);
4731 ad.u.ipc_id = msq->q_perm.key;
4733 /* Can this process write to the queue? */
4734 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
4735 MSGQ__WRITE, &ad);
4736 if (!rc)
4737 /* Can this process send the message */
4738 rc = avc_has_perm(tsec->sid, msec->sid,
4739 SECCLASS_MSG, MSG__SEND, &ad);
4740 if (!rc)
4741 /* Can the message be put in the queue? */
4742 rc = avc_has_perm(msec->sid, isec->sid,
4743 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
4745 return rc;
4748 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4749 struct task_struct *target,
4750 long type, int mode)
4752 struct task_security_struct *tsec;
4753 struct ipc_security_struct *isec;
4754 struct msg_security_struct *msec;
4755 struct avc_audit_data ad;
4756 int rc;
4758 tsec = target->security;
4759 isec = msq->q_perm.security;
4760 msec = msg->security;
4762 AVC_AUDIT_DATA_INIT(&ad, IPC);
4763 ad.u.ipc_id = msq->q_perm.key;
4765 rc = avc_has_perm(tsec->sid, isec->sid,
4766 SECCLASS_MSGQ, MSGQ__READ, &ad);
4767 if (!rc)
4768 rc = avc_has_perm(tsec->sid, msec->sid,
4769 SECCLASS_MSG, MSG__RECEIVE, &ad);
4770 return rc;
4773 /* Shared Memory security operations */
4774 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4776 struct task_security_struct *tsec;
4777 struct ipc_security_struct *isec;
4778 struct avc_audit_data ad;
4779 int rc;
4781 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
4782 if (rc)
4783 return rc;
4785 tsec = current->security;
4786 isec = shp->shm_perm.security;
4788 AVC_AUDIT_DATA_INIT(&ad, IPC);
4789 ad.u.ipc_id = shp->shm_perm.key;
4791 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4792 SHM__CREATE, &ad);
4793 if (rc) {
4794 ipc_free_security(&shp->shm_perm);
4795 return rc;
4797 return 0;
4800 static void selinux_shm_free_security(struct shmid_kernel *shp)
4802 ipc_free_security(&shp->shm_perm);
4805 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4807 struct task_security_struct *tsec;
4808 struct ipc_security_struct *isec;
4809 struct avc_audit_data ad;
4811 tsec = current->security;
4812 isec = shp->shm_perm.security;
4814 AVC_AUDIT_DATA_INIT(&ad, IPC);
4815 ad.u.ipc_id = shp->shm_perm.key;
4817 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
4818 SHM__ASSOCIATE, &ad);
4821 /* Note, at this point, shp is locked down */
4822 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
4824 int perms;
4825 int err;
4827 switch(cmd) {
4828 case IPC_INFO:
4829 case SHM_INFO:
4830 /* No specific object, just general system-wide information. */
4831 return task_has_system(current, SYSTEM__IPC_INFO);
4832 case IPC_STAT:
4833 case SHM_STAT:
4834 perms = SHM__GETATTR | SHM__ASSOCIATE;
4835 break;
4836 case IPC_SET:
4837 perms = SHM__SETATTR;
4838 break;
4839 case SHM_LOCK:
4840 case SHM_UNLOCK:
4841 perms = SHM__LOCK;
4842 break;
4843 case IPC_RMID:
4844 perms = SHM__DESTROY;
4845 break;
4846 default:
4847 return 0;
4850 err = ipc_has_perm(&shp->shm_perm, perms);
4851 return err;
4854 static int selinux_shm_shmat(struct shmid_kernel *shp,
4855 char __user *shmaddr, int shmflg)
4857 u32 perms;
4858 int rc;
4860 rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
4861 if (rc)
4862 return rc;
4864 if (shmflg & SHM_RDONLY)
4865 perms = SHM__READ;
4866 else
4867 perms = SHM__READ | SHM__WRITE;
4869 return ipc_has_perm(&shp->shm_perm, perms);
4872 /* Semaphore security operations */
4873 static int selinux_sem_alloc_security(struct sem_array *sma)
4875 struct task_security_struct *tsec;
4876 struct ipc_security_struct *isec;
4877 struct avc_audit_data ad;
4878 int rc;
4880 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
4881 if (rc)
4882 return rc;
4884 tsec = current->security;
4885 isec = sma->sem_perm.security;
4887 AVC_AUDIT_DATA_INIT(&ad, IPC);
4888 ad.u.ipc_id = sma->sem_perm.key;
4890 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4891 SEM__CREATE, &ad);
4892 if (rc) {
4893 ipc_free_security(&sma->sem_perm);
4894 return rc;
4896 return 0;
4899 static void selinux_sem_free_security(struct sem_array *sma)
4901 ipc_free_security(&sma->sem_perm);
4904 static int selinux_sem_associate(struct sem_array *sma, int semflg)
4906 struct task_security_struct *tsec;
4907 struct ipc_security_struct *isec;
4908 struct avc_audit_data ad;
4910 tsec = current->security;
4911 isec = sma->sem_perm.security;
4913 AVC_AUDIT_DATA_INIT(&ad, IPC);
4914 ad.u.ipc_id = sma->sem_perm.key;
4916 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_SEM,
4917 SEM__ASSOCIATE, &ad);
4920 /* Note, at this point, sma is locked down */
4921 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
4923 int err;
4924 u32 perms;
4926 switch(cmd) {
4927 case IPC_INFO:
4928 case SEM_INFO:
4929 /* No specific object, just general system-wide information. */
4930 return task_has_system(current, SYSTEM__IPC_INFO);
4931 case GETPID:
4932 case GETNCNT:
4933 case GETZCNT:
4934 perms = SEM__GETATTR;
4935 break;
4936 case GETVAL:
4937 case GETALL:
4938 perms = SEM__READ;
4939 break;
4940 case SETVAL:
4941 case SETALL:
4942 perms = SEM__WRITE;
4943 break;
4944 case IPC_RMID:
4945 perms = SEM__DESTROY;
4946 break;
4947 case IPC_SET:
4948 perms = SEM__SETATTR;
4949 break;
4950 case IPC_STAT:
4951 case SEM_STAT:
4952 perms = SEM__GETATTR | SEM__ASSOCIATE;
4953 break;
4954 default:
4955 return 0;
4958 err = ipc_has_perm(&sma->sem_perm, perms);
4959 return err;
4962 static int selinux_sem_semop(struct sem_array *sma,
4963 struct sembuf *sops, unsigned nsops, int alter)
4965 u32 perms;
4967 if (alter)
4968 perms = SEM__READ | SEM__WRITE;
4969 else
4970 perms = SEM__READ;
4972 return ipc_has_perm(&sma->sem_perm, perms);
4975 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
4977 u32 av = 0;
4979 av = 0;
4980 if (flag & S_IRUGO)
4981 av |= IPC__UNIX_READ;
4982 if (flag & S_IWUGO)
4983 av |= IPC__UNIX_WRITE;
4985 if (av == 0)
4986 return 0;
4988 return ipc_has_perm(ipcp, av);
4991 /* module stacking operations */
4992 static int selinux_register_security (const char *name, struct security_operations *ops)
4994 if (secondary_ops != original_ops) {
4995 printk(KERN_ERR "%s: There is already a secondary security "
4996 "module registered.\n", __FUNCTION__);
4997 return -EINVAL;
5000 secondary_ops = ops;
5002 printk(KERN_INFO "%s: Registering secondary module %s\n",
5003 __FUNCTION__,
5004 name);
5006 return 0;
5009 static void selinux_d_instantiate (struct dentry *dentry, struct inode *inode)
5011 if (inode)
5012 inode_doinit_with_dentry(inode, dentry);
5015 static int selinux_getprocattr(struct task_struct *p,
5016 char *name, char **value)
5018 struct task_security_struct *tsec;
5019 u32 sid;
5020 int error;
5021 unsigned len;
5023 if (current != p) {
5024 error = task_has_perm(current, p, PROCESS__GETATTR);
5025 if (error)
5026 return error;
5029 tsec = p->security;
5031 if (!strcmp(name, "current"))
5032 sid = tsec->sid;
5033 else if (!strcmp(name, "prev"))
5034 sid = tsec->osid;
5035 else if (!strcmp(name, "exec"))
5036 sid = tsec->exec_sid;
5037 else if (!strcmp(name, "fscreate"))
5038 sid = tsec->create_sid;
5039 else if (!strcmp(name, "keycreate"))
5040 sid = tsec->keycreate_sid;
5041 else if (!strcmp(name, "sockcreate"))
5042 sid = tsec->sockcreate_sid;
5043 else
5044 return -EINVAL;
5046 if (!sid)
5047 return 0;
5049 error = security_sid_to_context(sid, value, &len);
5050 if (error)
5051 return error;
5052 return len;
5055 static int selinux_setprocattr(struct task_struct *p,
5056 char *name, void *value, size_t size)
5058 struct task_security_struct *tsec;
5059 u32 sid = 0;
5060 int error;
5061 char *str = value;
5063 if (current != p) {
5064 /* SELinux only allows a process to change its own
5065 security attributes. */
5066 return -EACCES;
5070 * Basic control over ability to set these attributes at all.
5071 * current == p, but we'll pass them separately in case the
5072 * above restriction is ever removed.
5074 if (!strcmp(name, "exec"))
5075 error = task_has_perm(current, p, PROCESS__SETEXEC);
5076 else if (!strcmp(name, "fscreate"))
5077 error = task_has_perm(current, p, PROCESS__SETFSCREATE);
5078 else if (!strcmp(name, "keycreate"))
5079 error = task_has_perm(current, p, PROCESS__SETKEYCREATE);
5080 else if (!strcmp(name, "sockcreate"))
5081 error = task_has_perm(current, p, PROCESS__SETSOCKCREATE);
5082 else if (!strcmp(name, "current"))
5083 error = task_has_perm(current, p, PROCESS__SETCURRENT);
5084 else
5085 error = -EINVAL;
5086 if (error)
5087 return error;
5089 /* Obtain a SID for the context, if one was specified. */
5090 if (size && str[1] && str[1] != '\n') {
5091 if (str[size-1] == '\n') {
5092 str[size-1] = 0;
5093 size--;
5095 error = security_context_to_sid(value, size, &sid);
5096 if (error)
5097 return error;
5100 /* Permission checking based on the specified context is
5101 performed during the actual operation (execve,
5102 open/mkdir/...), when we know the full context of the
5103 operation. See selinux_bprm_set_security for the execve
5104 checks and may_create for the file creation checks. The
5105 operation will then fail if the context is not permitted. */
5106 tsec = p->security;
5107 if (!strcmp(name, "exec"))
5108 tsec->exec_sid = sid;
5109 else if (!strcmp(name, "fscreate"))
5110 tsec->create_sid = sid;
5111 else if (!strcmp(name, "keycreate")) {
5112 error = may_create_key(sid, p);
5113 if (error)
5114 return error;
5115 tsec->keycreate_sid = sid;
5116 } else if (!strcmp(name, "sockcreate"))
5117 tsec->sockcreate_sid = sid;
5118 else if (!strcmp(name, "current")) {
5119 struct av_decision avd;
5121 if (sid == 0)
5122 return -EINVAL;
5124 /* Only allow single threaded processes to change context */
5125 if (atomic_read(&p->mm->mm_users) != 1) {
5126 struct task_struct *g, *t;
5127 struct mm_struct *mm = p->mm;
5128 read_lock(&tasklist_lock);
5129 do_each_thread(g, t)
5130 if (t->mm == mm && t != p) {
5131 read_unlock(&tasklist_lock);
5132 return -EPERM;
5134 while_each_thread(g, t);
5135 read_unlock(&tasklist_lock);
5138 /* Check permissions for the transition. */
5139 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5140 PROCESS__DYNTRANSITION, NULL);
5141 if (error)
5142 return error;
5144 /* Check for ptracing, and update the task SID if ok.
5145 Otherwise, leave SID unchanged and fail. */
5146 task_lock(p);
5147 if (p->ptrace & PT_PTRACED) {
5148 error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
5149 SECCLASS_PROCESS,
5150 PROCESS__PTRACE, 0, &avd);
5151 if (!error)
5152 tsec->sid = sid;
5153 task_unlock(p);
5154 avc_audit(tsec->ptrace_sid, sid, SECCLASS_PROCESS,
5155 PROCESS__PTRACE, &avd, error, NULL);
5156 if (error)
5157 return error;
5158 } else {
5159 tsec->sid = sid;
5160 task_unlock(p);
5163 else
5164 return -EINVAL;
5166 return size;
5169 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5171 return security_sid_to_context(secid, secdata, seclen);
5174 static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid)
5176 return security_context_to_sid(secdata, seclen, secid);
5179 static void selinux_release_secctx(char *secdata, u32 seclen)
5181 kfree(secdata);
5184 #ifdef CONFIG_KEYS
5186 static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
5187 unsigned long flags)
5189 struct task_security_struct *tsec = tsk->security;
5190 struct key_security_struct *ksec;
5192 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5193 if (!ksec)
5194 return -ENOMEM;
5196 ksec->obj = k;
5197 if (tsec->keycreate_sid)
5198 ksec->sid = tsec->keycreate_sid;
5199 else
5200 ksec->sid = tsec->sid;
5201 k->security = ksec;
5203 return 0;
5206 static void selinux_key_free(struct key *k)
5208 struct key_security_struct *ksec = k->security;
5210 k->security = NULL;
5211 kfree(ksec);
5214 static int selinux_key_permission(key_ref_t key_ref,
5215 struct task_struct *ctx,
5216 key_perm_t perm)
5218 struct key *key;
5219 struct task_security_struct *tsec;
5220 struct key_security_struct *ksec;
5222 key = key_ref_to_ptr(key_ref);
5224 tsec = ctx->security;
5225 ksec = key->security;
5227 /* if no specific permissions are requested, we skip the
5228 permission check. No serious, additional covert channels
5229 appear to be created. */
5230 if (perm == 0)
5231 return 0;
5233 return avc_has_perm(tsec->sid, ksec->sid,
5234 SECCLASS_KEY, perm, NULL);
5237 #endif
5239 static struct security_operations selinux_ops = {
5240 .ptrace = selinux_ptrace,
5241 .capget = selinux_capget,
5242 .capset_check = selinux_capset_check,
5243 .capset_set = selinux_capset_set,
5244 .sysctl = selinux_sysctl,
5245 .capable = selinux_capable,
5246 .quotactl = selinux_quotactl,
5247 .quota_on = selinux_quota_on,
5248 .syslog = selinux_syslog,
5249 .vm_enough_memory = selinux_vm_enough_memory,
5251 .netlink_send = selinux_netlink_send,
5252 .netlink_recv = selinux_netlink_recv,
5254 .bprm_alloc_security = selinux_bprm_alloc_security,
5255 .bprm_free_security = selinux_bprm_free_security,
5256 .bprm_apply_creds = selinux_bprm_apply_creds,
5257 .bprm_post_apply_creds = selinux_bprm_post_apply_creds,
5258 .bprm_set_security = selinux_bprm_set_security,
5259 .bprm_check_security = selinux_bprm_check_security,
5260 .bprm_secureexec = selinux_bprm_secureexec,
5262 .sb_alloc_security = selinux_sb_alloc_security,
5263 .sb_free_security = selinux_sb_free_security,
5264 .sb_copy_data = selinux_sb_copy_data,
5265 .sb_kern_mount = selinux_sb_kern_mount,
5266 .sb_statfs = selinux_sb_statfs,
5267 .sb_mount = selinux_mount,
5268 .sb_umount = selinux_umount,
5269 .sb_get_mnt_opts = selinux_get_mnt_opts,
5270 .sb_set_mnt_opts = selinux_set_mnt_opts,
5271 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5272 .sb_parse_opts_str = selinux_parse_opts_str,
5275 .inode_alloc_security = selinux_inode_alloc_security,
5276 .inode_free_security = selinux_inode_free_security,
5277 .inode_init_security = selinux_inode_init_security,
5278 .inode_create = selinux_inode_create,
5279 .inode_link = selinux_inode_link,
5280 .inode_unlink = selinux_inode_unlink,
5281 .inode_symlink = selinux_inode_symlink,
5282 .inode_mkdir = selinux_inode_mkdir,
5283 .inode_rmdir = selinux_inode_rmdir,
5284 .inode_mknod = selinux_inode_mknod,
5285 .inode_rename = selinux_inode_rename,
5286 .inode_readlink = selinux_inode_readlink,
5287 .inode_follow_link = selinux_inode_follow_link,
5288 .inode_permission = selinux_inode_permission,
5289 .inode_setattr = selinux_inode_setattr,
5290 .inode_getattr = selinux_inode_getattr,
5291 .inode_setxattr = selinux_inode_setxattr,
5292 .inode_post_setxattr = selinux_inode_post_setxattr,
5293 .inode_getxattr = selinux_inode_getxattr,
5294 .inode_listxattr = selinux_inode_listxattr,
5295 .inode_removexattr = selinux_inode_removexattr,
5296 .inode_getsecurity = selinux_inode_getsecurity,
5297 .inode_setsecurity = selinux_inode_setsecurity,
5298 .inode_listsecurity = selinux_inode_listsecurity,
5299 .inode_need_killpriv = selinux_inode_need_killpriv,
5300 .inode_killpriv = selinux_inode_killpriv,
5302 .file_permission = selinux_file_permission,
5303 .file_alloc_security = selinux_file_alloc_security,
5304 .file_free_security = selinux_file_free_security,
5305 .file_ioctl = selinux_file_ioctl,
5306 .file_mmap = selinux_file_mmap,
5307 .file_mprotect = selinux_file_mprotect,
5308 .file_lock = selinux_file_lock,
5309 .file_fcntl = selinux_file_fcntl,
5310 .file_set_fowner = selinux_file_set_fowner,
5311 .file_send_sigiotask = selinux_file_send_sigiotask,
5312 .file_receive = selinux_file_receive,
5314 .dentry_open = selinux_dentry_open,
5316 .task_create = selinux_task_create,
5317 .task_alloc_security = selinux_task_alloc_security,
5318 .task_free_security = selinux_task_free_security,
5319 .task_setuid = selinux_task_setuid,
5320 .task_post_setuid = selinux_task_post_setuid,
5321 .task_setgid = selinux_task_setgid,
5322 .task_setpgid = selinux_task_setpgid,
5323 .task_getpgid = selinux_task_getpgid,
5324 .task_getsid = selinux_task_getsid,
5325 .task_getsecid = selinux_task_getsecid,
5326 .task_setgroups = selinux_task_setgroups,
5327 .task_setnice = selinux_task_setnice,
5328 .task_setioprio = selinux_task_setioprio,
5329 .task_getioprio = selinux_task_getioprio,
5330 .task_setrlimit = selinux_task_setrlimit,
5331 .task_setscheduler = selinux_task_setscheduler,
5332 .task_getscheduler = selinux_task_getscheduler,
5333 .task_movememory = selinux_task_movememory,
5334 .task_kill = selinux_task_kill,
5335 .task_wait = selinux_task_wait,
5336 .task_prctl = selinux_task_prctl,
5337 .task_reparent_to_init = selinux_task_reparent_to_init,
5338 .task_to_inode = selinux_task_to_inode,
5340 .ipc_permission = selinux_ipc_permission,
5342 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5343 .msg_msg_free_security = selinux_msg_msg_free_security,
5345 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5346 .msg_queue_free_security = selinux_msg_queue_free_security,
5347 .msg_queue_associate = selinux_msg_queue_associate,
5348 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5349 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5350 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5352 .shm_alloc_security = selinux_shm_alloc_security,
5353 .shm_free_security = selinux_shm_free_security,
5354 .shm_associate = selinux_shm_associate,
5355 .shm_shmctl = selinux_shm_shmctl,
5356 .shm_shmat = selinux_shm_shmat,
5358 .sem_alloc_security = selinux_sem_alloc_security,
5359 .sem_free_security = selinux_sem_free_security,
5360 .sem_associate = selinux_sem_associate,
5361 .sem_semctl = selinux_sem_semctl,
5362 .sem_semop = selinux_sem_semop,
5364 .register_security = selinux_register_security,
5366 .d_instantiate = selinux_d_instantiate,
5368 .getprocattr = selinux_getprocattr,
5369 .setprocattr = selinux_setprocattr,
5371 .secid_to_secctx = selinux_secid_to_secctx,
5372 .secctx_to_secid = selinux_secctx_to_secid,
5373 .release_secctx = selinux_release_secctx,
5375 .unix_stream_connect = selinux_socket_unix_stream_connect,
5376 .unix_may_send = selinux_socket_unix_may_send,
5378 .socket_create = selinux_socket_create,
5379 .socket_post_create = selinux_socket_post_create,
5380 .socket_bind = selinux_socket_bind,
5381 .socket_connect = selinux_socket_connect,
5382 .socket_listen = selinux_socket_listen,
5383 .socket_accept = selinux_socket_accept,
5384 .socket_sendmsg = selinux_socket_sendmsg,
5385 .socket_recvmsg = selinux_socket_recvmsg,
5386 .socket_getsockname = selinux_socket_getsockname,
5387 .socket_getpeername = selinux_socket_getpeername,
5388 .socket_getsockopt = selinux_socket_getsockopt,
5389 .socket_setsockopt = selinux_socket_setsockopt,
5390 .socket_shutdown = selinux_socket_shutdown,
5391 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5392 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5393 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5394 .sk_alloc_security = selinux_sk_alloc_security,
5395 .sk_free_security = selinux_sk_free_security,
5396 .sk_clone_security = selinux_sk_clone_security,
5397 .sk_getsecid = selinux_sk_getsecid,
5398 .sock_graft = selinux_sock_graft,
5399 .inet_conn_request = selinux_inet_conn_request,
5400 .inet_csk_clone = selinux_inet_csk_clone,
5401 .inet_conn_established = selinux_inet_conn_established,
5402 .req_classify_flow = selinux_req_classify_flow,
5404 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5405 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
5406 .xfrm_policy_clone_security = selinux_xfrm_policy_clone,
5407 .xfrm_policy_free_security = selinux_xfrm_policy_free,
5408 .xfrm_policy_delete_security = selinux_xfrm_policy_delete,
5409 .xfrm_state_alloc_security = selinux_xfrm_state_alloc,
5410 .xfrm_state_free_security = selinux_xfrm_state_free,
5411 .xfrm_state_delete_security = selinux_xfrm_state_delete,
5412 .xfrm_policy_lookup = selinux_xfrm_policy_lookup,
5413 .xfrm_state_pol_flow_match = selinux_xfrm_state_pol_flow_match,
5414 .xfrm_decode_session = selinux_xfrm_decode_session,
5415 #endif
5417 #ifdef CONFIG_KEYS
5418 .key_alloc = selinux_key_alloc,
5419 .key_free = selinux_key_free,
5420 .key_permission = selinux_key_permission,
5421 #endif
5424 static __init int selinux_init(void)
5426 struct task_security_struct *tsec;
5428 if (!selinux_enabled) {
5429 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5430 return 0;
5433 printk(KERN_INFO "SELinux: Initializing.\n");
5435 /* Set the security state for the initial task. */
5436 if (task_alloc_security(current))
5437 panic("SELinux: Failed to initialize initial task.\n");
5438 tsec = current->security;
5439 tsec->osid = tsec->sid = SECINITSID_KERNEL;
5441 sel_inode_cache = kmem_cache_create("selinux_inode_security",
5442 sizeof(struct inode_security_struct),
5443 0, SLAB_PANIC, NULL);
5444 avc_init();
5446 original_ops = secondary_ops = security_ops;
5447 if (!secondary_ops)
5448 panic ("SELinux: No initial security operations\n");
5449 if (register_security (&selinux_ops))
5450 panic("SELinux: Unable to register with kernel.\n");
5452 if (selinux_enforcing) {
5453 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5454 } else {
5455 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
5458 #ifdef CONFIG_KEYS
5459 /* Add security information to initial keyrings */
5460 selinux_key_alloc(&root_user_keyring, current,
5461 KEY_ALLOC_NOT_IN_QUOTA);
5462 selinux_key_alloc(&root_session_keyring, current,
5463 KEY_ALLOC_NOT_IN_QUOTA);
5464 #endif
5466 return 0;
5469 void selinux_complete_init(void)
5471 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
5473 /* Set up any superblocks initialized prior to the policy load. */
5474 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
5475 spin_lock(&sb_lock);
5476 spin_lock(&sb_security_lock);
5477 next_sb:
5478 if (!list_empty(&superblock_security_head)) {
5479 struct superblock_security_struct *sbsec =
5480 list_entry(superblock_security_head.next,
5481 struct superblock_security_struct,
5482 list);
5483 struct super_block *sb = sbsec->sb;
5484 sb->s_count++;
5485 spin_unlock(&sb_security_lock);
5486 spin_unlock(&sb_lock);
5487 down_read(&sb->s_umount);
5488 if (sb->s_root)
5489 superblock_doinit(sb, NULL);
5490 drop_super(sb);
5491 spin_lock(&sb_lock);
5492 spin_lock(&sb_security_lock);
5493 list_del_init(&sbsec->list);
5494 goto next_sb;
5496 spin_unlock(&sb_security_lock);
5497 spin_unlock(&sb_lock);
5500 /* SELinux requires early initialization in order to label
5501 all processes and objects when they are created. */
5502 security_initcall(selinux_init);
5504 #if defined(CONFIG_NETFILTER)
5506 static struct nf_hook_ops selinux_ipv4_ops[] = {
5508 .hook = selinux_ipv4_postroute,
5509 .owner = THIS_MODULE,
5510 .pf = PF_INET,
5511 .hooknum = NF_INET_POST_ROUTING,
5512 .priority = NF_IP_PRI_SELINUX_LAST,
5515 .hook = selinux_ipv4_forward,
5516 .owner = THIS_MODULE,
5517 .pf = PF_INET,
5518 .hooknum = NF_INET_FORWARD,
5519 .priority = NF_IP_PRI_SELINUX_FIRST,
5523 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5525 static struct nf_hook_ops selinux_ipv6_ops[] = {
5527 .hook = selinux_ipv6_postroute,
5528 .owner = THIS_MODULE,
5529 .pf = PF_INET6,
5530 .hooknum = NF_INET_POST_ROUTING,
5531 .priority = NF_IP6_PRI_SELINUX_LAST,
5534 .hook = selinux_ipv6_forward,
5535 .owner = THIS_MODULE,
5536 .pf = PF_INET6,
5537 .hooknum = NF_INET_FORWARD,
5538 .priority = NF_IP6_PRI_SELINUX_FIRST,
5542 #endif /* IPV6 */
5544 static int __init selinux_nf_ip_init(void)
5546 int err = 0;
5547 u32 iter;
5549 if (!selinux_enabled)
5550 goto out;
5552 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
5554 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++) {
5555 err = nf_register_hook(&selinux_ipv4_ops[iter]);
5556 if (err)
5557 panic("SELinux: nf_register_hook for IPv4: error %d\n",
5558 err);
5561 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5562 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++) {
5563 err = nf_register_hook(&selinux_ipv6_ops[iter]);
5564 if (err)
5565 panic("SELinux: nf_register_hook for IPv6: error %d\n",
5566 err);
5568 #endif /* IPV6 */
5570 out:
5571 return err;
5574 __initcall(selinux_nf_ip_init);
5576 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5577 static void selinux_nf_ip_exit(void)
5579 u32 iter;
5581 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
5583 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv4_ops); iter++)
5584 nf_unregister_hook(&selinux_ipv4_ops[iter]);
5585 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5586 for (iter = 0; iter < ARRAY_SIZE(selinux_ipv6_ops); iter++)
5587 nf_unregister_hook(&selinux_ipv6_ops[iter]);
5588 #endif /* IPV6 */
5590 #endif
5592 #else /* CONFIG_NETFILTER */
5594 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5595 #define selinux_nf_ip_exit()
5596 #endif
5598 #endif /* CONFIG_NETFILTER */
5600 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5601 int selinux_disable(void)
5603 extern void exit_sel_fs(void);
5604 static int selinux_disabled = 0;
5606 if (ss_initialized) {
5607 /* Not permitted after initial policy load. */
5608 return -EINVAL;
5611 if (selinux_disabled) {
5612 /* Only do this once. */
5613 return -EINVAL;
5616 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
5618 selinux_disabled = 1;
5619 selinux_enabled = 0;
5621 /* Reset security_ops to the secondary module, dummy or capability. */
5622 security_ops = secondary_ops;
5624 /* Unregister netfilter hooks. */
5625 selinux_nf_ip_exit();
5627 /* Unregister selinuxfs. */
5628 exit_sel_fs();
5630 return 0;
5632 #endif