2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
14 * <dgoeddel@trustedcs.com>
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
21 #include <linux/config.h>
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/kernel.h>
25 #include <linux/ptrace.h>
26 #include <linux/errno.h>
27 #include <linux/sched.h>
28 #include <linux/security.h>
29 #include <linux/xattr.h>
30 #include <linux/capability.h>
31 #include <linux/unistd.h>
33 #include <linux/mman.h>
34 #include <linux/slab.h>
35 #include <linux/pagemap.h>
36 #include <linux/swap.h>
37 #include <linux/smp_lock.h>
38 #include <linux/spinlock.h>
39 #include <linux/syscalls.h>
40 #include <linux/file.h>
41 #include <linux/namei.h>
42 #include <linux/mount.h>
43 #include <linux/ext2_fs.h>
44 #include <linux/proc_fs.h>
46 #include <linux/netfilter_ipv4.h>
47 #include <linux/netfilter_ipv6.h>
48 #include <linux/tty.h>
50 #include <net/ip.h> /* for sysctl_local_port_range[] */
51 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
52 #include <asm/uaccess.h>
53 #include <asm/semaphore.h>
54 #include <asm/ioctls.h>
55 #include <linux/bitops.h>
56 #include <linux/interrupt.h>
57 #include <linux/netdevice.h> /* for network interface checks */
58 #include <linux/netlink.h>
59 #include <linux/tcp.h>
60 #include <linux/udp.h>
61 #include <linux/quota.h>
62 #include <linux/un.h> /* for Unix socket types */
63 #include <net/af_unix.h> /* for Unix socket types */
64 #include <linux/parser.h>
65 #include <linux/nfs_mount.h>
67 #include <linux/hugetlb.h>
68 #include <linux/personality.h>
69 #include <linux/sysctl.h>
70 #include <linux/audit.h>
71 #include <linux/string.h>
77 #define XATTR_SELINUX_SUFFIX "selinux"
78 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
80 extern unsigned int policydb_loaded_version;
81 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
83 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
84 int selinux_enforcing = 0;
86 static int __init enforcing_setup(char *str)
88 selinux_enforcing = simple_strtol(str,NULL,0);
91 __setup("enforcing=", enforcing_setup);
94 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
95 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
97 static int __init selinux_enabled_setup(char *str)
99 selinux_enabled = simple_strtol(str, NULL, 0);
102 __setup("selinux=", selinux_enabled_setup);
105 /* Original (dummy) security module. */
106 static struct security_operations *original_ops = NULL;
108 /* Minimal support for a secondary security module,
109 just to allow the use of the dummy or capability modules.
110 The owlsm module can alternatively be used as a secondary
111 module as long as CONFIG_OWLSM_FD is not enabled. */
112 static struct security_operations *secondary_ops = NULL;
114 /* Lists of inode and superblock security structures initialized
115 before the policy was loaded. */
116 static LIST_HEAD(superblock_security_head);
117 static DEFINE_SPINLOCK(sb_security_lock);
119 /* Allocate and free functions for each kind of security blob. */
121 static int task_alloc_security(struct task_struct *task)
123 struct task_security_struct *tsec;
125 tsec = kmalloc(sizeof(struct task_security_struct), GFP_KERNEL);
129 memset(tsec, 0, sizeof(struct task_security_struct));
130 tsec->magic = SELINUX_MAGIC;
132 tsec->osid = tsec->sid = tsec->ptrace_sid = SECINITSID_UNLABELED;
133 task->security = tsec;
138 static void task_free_security(struct task_struct *task)
140 struct task_security_struct *tsec = task->security;
142 if (!tsec || tsec->magic != SELINUX_MAGIC)
145 task->security = NULL;
149 static int inode_alloc_security(struct inode *inode)
151 struct task_security_struct *tsec = current->security;
152 struct inode_security_struct *isec;
154 isec = kmalloc(sizeof(struct inode_security_struct), GFP_KERNEL);
158 memset(isec, 0, sizeof(struct inode_security_struct));
159 init_MUTEX(&isec->sem);
160 INIT_LIST_HEAD(&isec->list);
161 isec->magic = SELINUX_MAGIC;
163 isec->sid = SECINITSID_UNLABELED;
164 isec->sclass = SECCLASS_FILE;
165 if (tsec && tsec->magic == SELINUX_MAGIC)
166 isec->task_sid = tsec->sid;
168 isec->task_sid = SECINITSID_UNLABELED;
169 inode->i_security = isec;
174 static void inode_free_security(struct inode *inode)
176 struct inode_security_struct *isec = inode->i_security;
177 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
179 if (!isec || isec->magic != SELINUX_MAGIC)
182 spin_lock(&sbsec->isec_lock);
183 if (!list_empty(&isec->list))
184 list_del_init(&isec->list);
185 spin_unlock(&sbsec->isec_lock);
187 inode->i_security = NULL;
191 static int file_alloc_security(struct file *file)
193 struct task_security_struct *tsec = current->security;
194 struct file_security_struct *fsec;
196 fsec = kmalloc(sizeof(struct file_security_struct), GFP_ATOMIC);
200 memset(fsec, 0, sizeof(struct file_security_struct));
201 fsec->magic = SELINUX_MAGIC;
203 if (tsec && tsec->magic == SELINUX_MAGIC) {
204 fsec->sid = tsec->sid;
205 fsec->fown_sid = tsec->sid;
207 fsec->sid = SECINITSID_UNLABELED;
208 fsec->fown_sid = SECINITSID_UNLABELED;
210 file->f_security = fsec;
215 static void file_free_security(struct file *file)
217 struct file_security_struct *fsec = file->f_security;
219 if (!fsec || fsec->magic != SELINUX_MAGIC)
222 file->f_security = NULL;
226 static int superblock_alloc_security(struct super_block *sb)
228 struct superblock_security_struct *sbsec;
230 sbsec = kmalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
234 memset(sbsec, 0, sizeof(struct superblock_security_struct));
235 init_MUTEX(&sbsec->sem);
236 INIT_LIST_HEAD(&sbsec->list);
237 INIT_LIST_HEAD(&sbsec->isec_head);
238 spin_lock_init(&sbsec->isec_lock);
239 sbsec->magic = SELINUX_MAGIC;
241 sbsec->sid = SECINITSID_UNLABELED;
242 sbsec->def_sid = SECINITSID_FILE;
243 sb->s_security = sbsec;
248 static void superblock_free_security(struct super_block *sb)
250 struct superblock_security_struct *sbsec = sb->s_security;
252 if (!sbsec || sbsec->magic != SELINUX_MAGIC)
255 spin_lock(&sb_security_lock);
256 if (!list_empty(&sbsec->list))
257 list_del_init(&sbsec->list);
258 spin_unlock(&sb_security_lock);
260 sb->s_security = NULL;
264 #ifdef CONFIG_SECURITY_NETWORK
265 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
267 struct sk_security_struct *ssec;
269 if (family != PF_UNIX)
272 ssec = kmalloc(sizeof(*ssec), priority);
276 memset(ssec, 0, sizeof(*ssec));
277 ssec->magic = SELINUX_MAGIC;
279 ssec->peer_sid = SECINITSID_UNLABELED;
280 sk->sk_security = ssec;
285 static void sk_free_security(struct sock *sk)
287 struct sk_security_struct *ssec = sk->sk_security;
289 if (sk->sk_family != PF_UNIX || ssec->magic != SELINUX_MAGIC)
292 sk->sk_security = NULL;
295 #endif /* CONFIG_SECURITY_NETWORK */
297 /* The security server must be initialized before
298 any labeling or access decisions can be provided. */
299 extern int ss_initialized;
301 /* The file system's label must be initialized prior to use. */
303 static char *labeling_behaviors[6] = {
305 "uses transition SIDs",
307 "uses genfs_contexts",
308 "not configured for labeling",
309 "uses mountpoint labeling",
312 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
314 static inline int inode_doinit(struct inode *inode)
316 return inode_doinit_with_dentry(inode, NULL);
325 static match_table_t tokens = {
326 {Opt_context, "context=%s"},
327 {Opt_fscontext, "fscontext=%s"},
328 {Opt_defcontext, "defcontext=%s"},
331 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
333 static int try_context_mount(struct super_block *sb, void *data)
335 char *context = NULL, *defcontext = NULL;
338 int alloc = 0, rc = 0, seen = 0;
339 struct task_security_struct *tsec = current->security;
340 struct superblock_security_struct *sbsec = sb->s_security;
345 name = sb->s_type->name;
347 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) {
349 /* NFS we understand. */
350 if (!strcmp(name, "nfs")) {
351 struct nfs_mount_data *d = data;
353 if (d->version < NFS_MOUNT_VERSION)
357 context = d->context;
364 /* Standard string-based options. */
365 char *p, *options = data;
367 while ((p = strsep(&options, ",")) != NULL) {
369 substring_t args[MAX_OPT_ARGS];
374 token = match_token(p, tokens, args);
380 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
383 context = match_strdup(&args[0]);
394 if (seen & (Opt_context|Opt_fscontext)) {
396 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
399 context = match_strdup(&args[0]);
406 seen |= Opt_fscontext;
410 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
412 printk(KERN_WARNING "SELinux: "
413 "defcontext option is invalid "
414 "for this filesystem type\n");
417 if (seen & (Opt_context|Opt_defcontext)) {
419 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
422 defcontext = match_strdup(&args[0]);
429 seen |= Opt_defcontext;
434 printk(KERN_WARNING "SELinux: unknown mount "
446 rc = security_context_to_sid(context, strlen(context), &sid);
448 printk(KERN_WARNING "SELinux: security_context_to_sid"
449 "(%s) failed for (dev %s, type %s) errno=%d\n",
450 context, sb->s_id, name, rc);
454 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELFROM, NULL);
459 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
460 FILESYSTEM__RELABELTO, NULL);
466 if (seen & Opt_context)
467 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
471 rc = security_context_to_sid(defcontext, strlen(defcontext), &sid);
473 printk(KERN_WARNING "SELinux: security_context_to_sid"
474 "(%s) failed for (dev %s, type %s) errno=%d\n",
475 defcontext, sb->s_id, name, rc);
479 if (sid == sbsec->def_sid)
482 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
483 FILESYSTEM__RELABELFROM, NULL);
487 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
488 FILESYSTEM__ASSOCIATE, NULL);
492 sbsec->def_sid = sid;
504 static int superblock_doinit(struct super_block *sb, void *data)
506 struct superblock_security_struct *sbsec = sb->s_security;
507 struct dentry *root = sb->s_root;
508 struct inode *inode = root->d_inode;
512 if (sbsec->initialized)
515 if (!ss_initialized) {
516 /* Defer initialization until selinux_complete_init,
517 after the initial policy is loaded and the security
518 server is ready to handle calls. */
519 spin_lock(&sb_security_lock);
520 if (list_empty(&sbsec->list))
521 list_add(&sbsec->list, &superblock_security_head);
522 spin_unlock(&sb_security_lock);
526 /* Determine the labeling behavior to use for this filesystem type. */
527 rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
529 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
530 __FUNCTION__, sb->s_type->name, rc);
534 rc = try_context_mount(sb, data);
538 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
539 /* Make sure that the xattr handler exists and that no
540 error other than -ENODATA is returned by getxattr on
541 the root directory. -ENODATA is ok, as this may be
542 the first boot of the SELinux kernel before we have
543 assigned xattr values to the filesystem. */
544 if (!inode->i_op->getxattr) {
545 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
546 "xattr support\n", sb->s_id, sb->s_type->name);
550 rc = inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
551 if (rc < 0 && rc != -ENODATA) {
552 if (rc == -EOPNOTSUPP)
553 printk(KERN_WARNING "SELinux: (dev %s, type "
554 "%s) has no security xattr handler\n",
555 sb->s_id, sb->s_type->name);
557 printk(KERN_WARNING "SELinux: (dev %s, type "
558 "%s) getxattr errno %d\n", sb->s_id,
559 sb->s_type->name, -rc);
564 if (strcmp(sb->s_type->name, "proc") == 0)
567 sbsec->initialized = 1;
569 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
570 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
571 sb->s_id, sb->s_type->name);
574 printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
575 sb->s_id, sb->s_type->name,
576 labeling_behaviors[sbsec->behavior-1]);
579 /* Initialize the root inode. */
580 rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
582 /* Initialize any other inodes associated with the superblock, e.g.
583 inodes created prior to initial policy load or inodes created
584 during get_sb by a pseudo filesystem that directly
586 spin_lock(&sbsec->isec_lock);
588 if (!list_empty(&sbsec->isec_head)) {
589 struct inode_security_struct *isec =
590 list_entry(sbsec->isec_head.next,
591 struct inode_security_struct, list);
592 struct inode *inode = isec->inode;
593 spin_unlock(&sbsec->isec_lock);
594 inode = igrab(inode);
596 if (!IS_PRIVATE (inode))
600 spin_lock(&sbsec->isec_lock);
601 list_del_init(&isec->list);
604 spin_unlock(&sbsec->isec_lock);
610 static inline u16 inode_mode_to_security_class(umode_t mode)
612 switch (mode & S_IFMT) {
614 return SECCLASS_SOCK_FILE;
616 return SECCLASS_LNK_FILE;
618 return SECCLASS_FILE;
620 return SECCLASS_BLK_FILE;
624 return SECCLASS_CHR_FILE;
626 return SECCLASS_FIFO_FILE;
630 return SECCLASS_FILE;
633 static inline int default_protocol_stream(int protocol)
635 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
638 static inline int default_protocol_dgram(int protocol)
640 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
643 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
650 return SECCLASS_UNIX_STREAM_SOCKET;
652 return SECCLASS_UNIX_DGRAM_SOCKET;
659 if (default_protocol_stream(protocol))
660 return SECCLASS_TCP_SOCKET;
662 return SECCLASS_RAWIP_SOCKET;
664 if (default_protocol_dgram(protocol))
665 return SECCLASS_UDP_SOCKET;
667 return SECCLASS_RAWIP_SOCKET;
669 return SECCLASS_RAWIP_SOCKET;
675 return SECCLASS_NETLINK_ROUTE_SOCKET;
676 case NETLINK_FIREWALL:
677 return SECCLASS_NETLINK_FIREWALL_SOCKET;
678 case NETLINK_INET_DIAG:
679 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
681 return SECCLASS_NETLINK_NFLOG_SOCKET;
683 return SECCLASS_NETLINK_XFRM_SOCKET;
684 case NETLINK_SELINUX:
685 return SECCLASS_NETLINK_SELINUX_SOCKET;
687 return SECCLASS_NETLINK_AUDIT_SOCKET;
689 return SECCLASS_NETLINK_IP6FW_SOCKET;
690 case NETLINK_DNRTMSG:
691 return SECCLASS_NETLINK_DNRT_SOCKET;
692 case NETLINK_KOBJECT_UEVENT:
693 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
695 return SECCLASS_NETLINK_SOCKET;
698 return SECCLASS_PACKET_SOCKET;
700 return SECCLASS_KEY_SOCKET;
703 return SECCLASS_SOCKET;
706 #ifdef CONFIG_PROC_FS
707 static int selinux_proc_get_sid(struct proc_dir_entry *de,
712 char *buffer, *path, *end;
714 buffer = (char*)__get_free_page(GFP_KERNEL);
724 while (de && de != de->parent) {
725 buflen -= de->namelen + 1;
729 memcpy(end, de->name, de->namelen);
734 rc = security_genfs_sid("proc", path, tclass, sid);
735 free_page((unsigned long)buffer);
739 static int selinux_proc_get_sid(struct proc_dir_entry *de,
747 /* The inode's security attributes must be initialized before first use. */
748 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
750 struct superblock_security_struct *sbsec = NULL;
751 struct inode_security_struct *isec = inode->i_security;
753 struct dentry *dentry;
754 #define INITCONTEXTLEN 255
755 char *context = NULL;
760 if (isec->initialized)
765 if (isec->initialized)
768 sbsec = inode->i_sb->s_security;
769 if (!sbsec->initialized) {
770 /* Defer initialization until selinux_complete_init,
771 after the initial policy is loaded and the security
772 server is ready to handle calls. */
773 spin_lock(&sbsec->isec_lock);
774 if (list_empty(&isec->list))
775 list_add(&isec->list, &sbsec->isec_head);
776 spin_unlock(&sbsec->isec_lock);
780 switch (sbsec->behavior) {
781 case SECURITY_FS_USE_XATTR:
782 if (!inode->i_op->getxattr) {
783 isec->sid = sbsec->def_sid;
787 /* Need a dentry, since the xattr API requires one.
788 Life would be simpler if we could just pass the inode. */
790 /* Called from d_instantiate or d_splice_alias. */
791 dentry = dget(opt_dentry);
793 /* Called from selinux_complete_init, try to find a dentry. */
794 dentry = d_find_alias(inode);
797 printk(KERN_WARNING "%s: no dentry for dev=%s "
798 "ino=%ld\n", __FUNCTION__, inode->i_sb->s_id,
803 len = INITCONTEXTLEN;
804 context = kmalloc(len, GFP_KERNEL);
810 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
813 /* Need a larger buffer. Query for the right size. */
814 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
822 context = kmalloc(len, GFP_KERNEL);
828 rc = inode->i_op->getxattr(dentry,
834 if (rc != -ENODATA) {
835 printk(KERN_WARNING "%s: getxattr returned "
836 "%d for dev=%s ino=%ld\n", __FUNCTION__,
837 -rc, inode->i_sb->s_id, inode->i_ino);
841 /* Map ENODATA to the default file SID */
842 sid = sbsec->def_sid;
845 rc = security_context_to_sid_default(context, rc, &sid,
848 printk(KERN_WARNING "%s: context_to_sid(%s) "
849 "returned %d for dev=%s ino=%ld\n",
850 __FUNCTION__, context, -rc,
851 inode->i_sb->s_id, inode->i_ino);
853 /* Leave with the unlabeled SID */
861 case SECURITY_FS_USE_TASK:
862 isec->sid = isec->task_sid;
864 case SECURITY_FS_USE_TRANS:
865 /* Default to the fs SID. */
866 isec->sid = sbsec->sid;
868 /* Try to obtain a transition SID. */
869 isec->sclass = inode_mode_to_security_class(inode->i_mode);
870 rc = security_transition_sid(isec->task_sid,
879 /* Default to the fs SID. */
880 isec->sid = sbsec->sid;
883 struct proc_inode *proci = PROC_I(inode);
885 isec->sclass = inode_mode_to_security_class(inode->i_mode);
886 rc = selinux_proc_get_sid(proci->pde,
897 isec->initialized = 1;
900 if (isec->sclass == SECCLASS_FILE)
901 isec->sclass = inode_mode_to_security_class(inode->i_mode);
908 /* Convert a Linux signal to an access vector. */
909 static inline u32 signal_to_av(int sig)
915 /* Commonly granted from child to parent. */
916 perm = PROCESS__SIGCHLD;
919 /* Cannot be caught or ignored */
920 perm = PROCESS__SIGKILL;
923 /* Cannot be caught or ignored */
924 perm = PROCESS__SIGSTOP;
927 /* All other signals. */
928 perm = PROCESS__SIGNAL;
935 /* Check permission betweeen a pair of tasks, e.g. signal checks,
936 fork check, ptrace check, etc. */
937 static int task_has_perm(struct task_struct *tsk1,
938 struct task_struct *tsk2,
941 struct task_security_struct *tsec1, *tsec2;
943 tsec1 = tsk1->security;
944 tsec2 = tsk2->security;
945 return avc_has_perm(tsec1->sid, tsec2->sid,
946 SECCLASS_PROCESS, perms, NULL);
949 /* Check whether a task is allowed to use a capability. */
950 static int task_has_capability(struct task_struct *tsk,
953 struct task_security_struct *tsec;
954 struct avc_audit_data ad;
956 tsec = tsk->security;
958 AVC_AUDIT_DATA_INIT(&ad,CAP);
962 return avc_has_perm(tsec->sid, tsec->sid,
963 SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
966 /* Check whether a task is allowed to use a system operation. */
967 static int task_has_system(struct task_struct *tsk,
970 struct task_security_struct *tsec;
972 tsec = tsk->security;
974 return avc_has_perm(tsec->sid, SECINITSID_KERNEL,
975 SECCLASS_SYSTEM, perms, NULL);
978 /* Check whether a task has a particular permission to an inode.
979 The 'adp' parameter is optional and allows other audit
980 data to be passed (e.g. the dentry). */
981 static int inode_has_perm(struct task_struct *tsk,
984 struct avc_audit_data *adp)
986 struct task_security_struct *tsec;
987 struct inode_security_struct *isec;
988 struct avc_audit_data ad;
990 tsec = tsk->security;
991 isec = inode->i_security;
995 AVC_AUDIT_DATA_INIT(&ad, FS);
996 ad.u.fs.inode = inode;
999 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, adp);
1002 /* Same as inode_has_perm, but pass explicit audit data containing
1003 the dentry to help the auditing code to more easily generate the
1004 pathname if needed. */
1005 static inline int dentry_has_perm(struct task_struct *tsk,
1006 struct vfsmount *mnt,
1007 struct dentry *dentry,
1010 struct inode *inode = dentry->d_inode;
1011 struct avc_audit_data ad;
1012 AVC_AUDIT_DATA_INIT(&ad,FS);
1014 ad.u.fs.dentry = dentry;
1015 return inode_has_perm(tsk, inode, av, &ad);
1018 /* Check whether a task can use an open file descriptor to
1019 access an inode in a given way. Check access to the
1020 descriptor itself, and then use dentry_has_perm to
1021 check a particular permission to the file.
1022 Access to the descriptor is implicitly granted if it
1023 has the same SID as the process. If av is zero, then
1024 access to the file is not checked, e.g. for cases
1025 where only the descriptor is affected like seek. */
1026 static inline int file_has_perm(struct task_struct *tsk,
1030 struct task_security_struct *tsec = tsk->security;
1031 struct file_security_struct *fsec = file->f_security;
1032 struct vfsmount *mnt = file->f_vfsmnt;
1033 struct dentry *dentry = file->f_dentry;
1034 struct inode *inode = dentry->d_inode;
1035 struct avc_audit_data ad;
1038 AVC_AUDIT_DATA_INIT(&ad, FS);
1040 ad.u.fs.dentry = dentry;
1042 if (tsec->sid != fsec->sid) {
1043 rc = avc_has_perm(tsec->sid, fsec->sid,
1051 /* av is zero if only checking access to the descriptor. */
1053 return inode_has_perm(tsk, inode, av, &ad);
1058 /* Check whether a task can create a file. */
1059 static int may_create(struct inode *dir,
1060 struct dentry *dentry,
1063 struct task_security_struct *tsec;
1064 struct inode_security_struct *dsec;
1065 struct superblock_security_struct *sbsec;
1067 struct avc_audit_data ad;
1070 tsec = current->security;
1071 dsec = dir->i_security;
1072 sbsec = dir->i_sb->s_security;
1074 AVC_AUDIT_DATA_INIT(&ad, FS);
1075 ad.u.fs.dentry = dentry;
1077 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR,
1078 DIR__ADD_NAME | DIR__SEARCH,
1083 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1084 newsid = tsec->create_sid;
1086 rc = security_transition_sid(tsec->sid, dsec->sid, tclass,
1092 rc = avc_has_perm(tsec->sid, newsid, tclass, FILE__CREATE, &ad);
1096 return avc_has_perm(newsid, sbsec->sid,
1097 SECCLASS_FILESYSTEM,
1098 FILESYSTEM__ASSOCIATE, &ad);
1102 #define MAY_UNLINK 1
1105 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1106 static int may_link(struct inode *dir,
1107 struct dentry *dentry,
1111 struct task_security_struct *tsec;
1112 struct inode_security_struct *dsec, *isec;
1113 struct avc_audit_data ad;
1117 tsec = current->security;
1118 dsec = dir->i_security;
1119 isec = dentry->d_inode->i_security;
1121 AVC_AUDIT_DATA_INIT(&ad, FS);
1122 ad.u.fs.dentry = dentry;
1125 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1126 rc = avc_has_perm(tsec->sid, dsec->sid, SECCLASS_DIR, av, &ad);
1141 printk(KERN_WARNING "may_link: unrecognized kind %d\n", kind);
1145 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass, av, &ad);
1149 static inline int may_rename(struct inode *old_dir,
1150 struct dentry *old_dentry,
1151 struct inode *new_dir,
1152 struct dentry *new_dentry)
1154 struct task_security_struct *tsec;
1155 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1156 struct avc_audit_data ad;
1158 int old_is_dir, new_is_dir;
1161 tsec = current->security;
1162 old_dsec = old_dir->i_security;
1163 old_isec = old_dentry->d_inode->i_security;
1164 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1165 new_dsec = new_dir->i_security;
1167 AVC_AUDIT_DATA_INIT(&ad, FS);
1169 ad.u.fs.dentry = old_dentry;
1170 rc = avc_has_perm(tsec->sid, old_dsec->sid, SECCLASS_DIR,
1171 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1174 rc = avc_has_perm(tsec->sid, old_isec->sid,
1175 old_isec->sclass, FILE__RENAME, &ad);
1178 if (old_is_dir && new_dir != old_dir) {
1179 rc = avc_has_perm(tsec->sid, old_isec->sid,
1180 old_isec->sclass, DIR__REPARENT, &ad);
1185 ad.u.fs.dentry = new_dentry;
1186 av = DIR__ADD_NAME | DIR__SEARCH;
1187 if (new_dentry->d_inode)
1188 av |= DIR__REMOVE_NAME;
1189 rc = avc_has_perm(tsec->sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1192 if (new_dentry->d_inode) {
1193 new_isec = new_dentry->d_inode->i_security;
1194 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1195 rc = avc_has_perm(tsec->sid, new_isec->sid,
1197 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1205 /* Check whether a task can perform a filesystem operation. */
1206 static int superblock_has_perm(struct task_struct *tsk,
1207 struct super_block *sb,
1209 struct avc_audit_data *ad)
1211 struct task_security_struct *tsec;
1212 struct superblock_security_struct *sbsec;
1214 tsec = tsk->security;
1215 sbsec = sb->s_security;
1216 return avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
1220 /* Convert a Linux mode and permission mask to an access vector. */
1221 static inline u32 file_mask_to_av(int mode, int mask)
1225 if ((mode & S_IFMT) != S_IFDIR) {
1226 if (mask & MAY_EXEC)
1227 av |= FILE__EXECUTE;
1228 if (mask & MAY_READ)
1231 if (mask & MAY_APPEND)
1233 else if (mask & MAY_WRITE)
1237 if (mask & MAY_EXEC)
1239 if (mask & MAY_WRITE)
1241 if (mask & MAY_READ)
1248 /* Convert a Linux file to an access vector. */
1249 static inline u32 file_to_av(struct file *file)
1253 if (file->f_mode & FMODE_READ)
1255 if (file->f_mode & FMODE_WRITE) {
1256 if (file->f_flags & O_APPEND)
1265 /* Set an inode's SID to a specified value. */
1266 static int inode_security_set_sid(struct inode *inode, u32 sid)
1268 struct inode_security_struct *isec = inode->i_security;
1269 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
1271 if (!sbsec->initialized) {
1272 /* Defer initialization to selinux_complete_init. */
1277 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1279 isec->initialized = 1;
1284 /* Hook functions begin here. */
1286 static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
1288 struct task_security_struct *psec = parent->security;
1289 struct task_security_struct *csec = child->security;
1292 rc = secondary_ops->ptrace(parent,child);
1296 rc = task_has_perm(parent, child, PROCESS__PTRACE);
1297 /* Save the SID of the tracing process for later use in apply_creds. */
1299 csec->ptrace_sid = psec->sid;
1303 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1304 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1308 error = task_has_perm(current, target, PROCESS__GETCAP);
1312 return secondary_ops->capget(target, effective, inheritable, permitted);
1315 static int selinux_capset_check(struct task_struct *target, kernel_cap_t *effective,
1316 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1320 error = secondary_ops->capset_check(target, effective, inheritable, permitted);
1324 return task_has_perm(current, target, PROCESS__SETCAP);
1327 static void selinux_capset_set(struct task_struct *target, kernel_cap_t *effective,
1328 kernel_cap_t *inheritable, kernel_cap_t *permitted)
1330 secondary_ops->capset_set(target, effective, inheritable, permitted);
1333 static int selinux_capable(struct task_struct *tsk, int cap)
1337 rc = secondary_ops->capable(tsk, cap);
1341 return task_has_capability(tsk,cap);
1344 static int selinux_sysctl(ctl_table *table, int op)
1348 struct task_security_struct *tsec;
1352 rc = secondary_ops->sysctl(table, op);
1356 tsec = current->security;
1358 rc = selinux_proc_get_sid(table->de, (op == 001) ?
1359 SECCLASS_DIR : SECCLASS_FILE, &tsid);
1361 /* Default to the well-defined sysctl SID. */
1362 tsid = SECINITSID_SYSCTL;
1365 /* The op values are "defined" in sysctl.c, thereby creating
1366 * a bad coupling between this module and sysctl.c */
1368 error = avc_has_perm(tsec->sid, tsid,
1369 SECCLASS_DIR, DIR__SEARCH, NULL);
1377 error = avc_has_perm(tsec->sid, tsid,
1378 SECCLASS_FILE, av, NULL);
1384 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1397 rc = superblock_has_perm(current,
1399 FILESYSTEM__QUOTAMOD, NULL);
1404 rc = superblock_has_perm(current,
1406 FILESYSTEM__QUOTAGET, NULL);
1409 rc = 0; /* let the kernel handle invalid cmds */
1415 static int selinux_quota_on(struct dentry *dentry)
1417 return dentry_has_perm(current, NULL, dentry, FILE__QUOTAON);
1420 static int selinux_syslog(int type)
1424 rc = secondary_ops->syslog(type);
1429 case 3: /* Read last kernel messages */
1430 case 10: /* Return size of the log buffer */
1431 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
1433 case 6: /* Disable logging to console */
1434 case 7: /* Enable logging to console */
1435 case 8: /* Set level of messages printed to console */
1436 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
1438 case 0: /* Close log */
1439 case 1: /* Open log */
1440 case 2: /* Read from log */
1441 case 4: /* Read/clear last kernel messages */
1442 case 5: /* Clear ring buffer */
1444 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
1451 * Check that a process has enough memory to allocate a new virtual
1452 * mapping. 0 means there is enough memory for the allocation to
1453 * succeed and -ENOMEM implies there is not.
1455 * Note that secondary_ops->capable and task_has_perm_noaudit return 0
1456 * if the capability is granted, but __vm_enough_memory requires 1 if
1457 * the capability is granted.
1459 * Do not audit the selinux permission check, as this is applied to all
1460 * processes that allocate mappings.
1462 static int selinux_vm_enough_memory(long pages)
1464 int rc, cap_sys_admin = 0;
1465 struct task_security_struct *tsec = current->security;
1467 rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1469 rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1470 SECCLASS_CAPABILITY,
1471 CAP_TO_MASK(CAP_SYS_ADMIN),
1477 return __vm_enough_memory(pages, cap_sys_admin);
1480 /* binprm security operations */
1482 static int selinux_bprm_alloc_security(struct linux_binprm *bprm)
1484 struct bprm_security_struct *bsec;
1486 bsec = kmalloc(sizeof(struct bprm_security_struct), GFP_KERNEL);
1490 memset(bsec, 0, sizeof *bsec);
1491 bsec->magic = SELINUX_MAGIC;
1493 bsec->sid = SECINITSID_UNLABELED;
1496 bprm->security = bsec;
1500 static int selinux_bprm_set_security(struct linux_binprm *bprm)
1502 struct task_security_struct *tsec;
1503 struct inode *inode = bprm->file->f_dentry->d_inode;
1504 struct inode_security_struct *isec;
1505 struct bprm_security_struct *bsec;
1507 struct avc_audit_data ad;
1510 rc = secondary_ops->bprm_set_security(bprm);
1514 bsec = bprm->security;
1519 tsec = current->security;
1520 isec = inode->i_security;
1522 /* Default to the current task SID. */
1523 bsec->sid = tsec->sid;
1525 /* Reset create SID on execve. */
1526 tsec->create_sid = 0;
1528 if (tsec->exec_sid) {
1529 newsid = tsec->exec_sid;
1530 /* Reset exec SID on execve. */
1533 /* Check for a default transition on this program. */
1534 rc = security_transition_sid(tsec->sid, isec->sid,
1535 SECCLASS_PROCESS, &newsid);
1540 AVC_AUDIT_DATA_INIT(&ad, FS);
1541 ad.u.fs.mnt = bprm->file->f_vfsmnt;
1542 ad.u.fs.dentry = bprm->file->f_dentry;
1544 if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
1547 if (tsec->sid == newsid) {
1548 rc = avc_has_perm(tsec->sid, isec->sid,
1549 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
1553 /* Check permissions for the transition. */
1554 rc = avc_has_perm(tsec->sid, newsid,
1555 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
1559 rc = avc_has_perm(newsid, isec->sid,
1560 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
1564 /* Clear any possibly unsafe personality bits on exec: */
1565 current->personality &= ~PER_CLEAR_ON_SETID;
1567 /* Set the security field to the new SID. */
1575 static int selinux_bprm_check_security (struct linux_binprm *bprm)
1577 return secondary_ops->bprm_check_security(bprm);
1581 static int selinux_bprm_secureexec (struct linux_binprm *bprm)
1583 struct task_security_struct *tsec = current->security;
1586 if (tsec->osid != tsec->sid) {
1587 /* Enable secure mode for SIDs transitions unless
1588 the noatsecure permission is granted between
1589 the two SIDs, i.e. ahp returns 0. */
1590 atsecure = avc_has_perm(tsec->osid, tsec->sid,
1592 PROCESS__NOATSECURE, NULL);
1595 return (atsecure || secondary_ops->bprm_secureexec(bprm));
1598 static void selinux_bprm_free_security(struct linux_binprm *bprm)
1600 kfree(bprm->security);
1601 bprm->security = NULL;
1604 extern struct vfsmount *selinuxfs_mount;
1605 extern struct dentry *selinux_null;
1607 /* Derived from fs/exec.c:flush_old_files. */
1608 static inline void flush_unauthorized_files(struct files_struct * files)
1610 struct avc_audit_data ad;
1611 struct file *file, *devnull = NULL;
1612 struct tty_struct *tty = current->signal->tty;
1613 struct fdtable *fdt;
1618 file = list_entry(tty->tty_files.next, typeof(*file), f_list);
1620 /* Revalidate access to controlling tty.
1621 Use inode_has_perm on the tty inode directly rather
1622 than using file_has_perm, as this particular open
1623 file may belong to another process and we are only
1624 interested in the inode-based check here. */
1625 struct inode *inode = file->f_dentry->d_inode;
1626 if (inode_has_perm(current, inode,
1627 FILE__READ | FILE__WRITE, NULL)) {
1628 /* Reset controlling tty. */
1629 current->signal->tty = NULL;
1630 current->signal->tty_old_pgrp = 0;
1636 /* Revalidate access to inherited open files. */
1638 AVC_AUDIT_DATA_INIT(&ad,FS);
1640 spin_lock(&files->file_lock);
1642 unsigned long set, i;
1647 fdt = files_fdtable(files);
1648 if (i >= fdt->max_fds || i >= fdt->max_fdset)
1650 set = fdt->open_fds->fds_bits[j];
1653 spin_unlock(&files->file_lock);
1654 for ( ; set ; i++,set >>= 1) {
1659 if (file_has_perm(current,
1661 file_to_av(file))) {
1663 fd = get_unused_fd();
1671 rcuref_inc(&devnull->f_count);
1673 devnull = dentry_open(dget(selinux_null), mntget(selinuxfs_mount), O_RDWR);
1680 fd_install(fd, devnull);
1685 spin_lock(&files->file_lock);
1688 spin_unlock(&files->file_lock);
1691 static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
1693 struct task_security_struct *tsec;
1694 struct bprm_security_struct *bsec;
1698 secondary_ops->bprm_apply_creds(bprm, unsafe);
1700 tsec = current->security;
1702 bsec = bprm->security;
1705 tsec->osid = tsec->sid;
1707 if (tsec->sid != sid) {
1708 /* Check for shared state. If not ok, leave SID
1709 unchanged and kill. */
1710 if (unsafe & LSM_UNSAFE_SHARE) {
1711 rc = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
1712 PROCESS__SHARE, NULL);
1719 /* Check for ptracing, and update the task SID if ok.
1720 Otherwise, leave SID unchanged and kill. */
1721 if (unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1722 rc = avc_has_perm(tsec->ptrace_sid, sid,
1723 SECCLASS_PROCESS, PROCESS__PTRACE,
1735 * called after apply_creds without the task lock held
1737 static void selinux_bprm_post_apply_creds(struct linux_binprm *bprm)
1739 struct task_security_struct *tsec;
1740 struct rlimit *rlim, *initrlim;
1741 struct itimerval itimer;
1742 struct bprm_security_struct *bsec;
1745 tsec = current->security;
1746 bsec = bprm->security;
1749 force_sig_specific(SIGKILL, current);
1752 if (tsec->osid == tsec->sid)
1755 /* Close files for which the new task SID is not authorized. */
1756 flush_unauthorized_files(current->files);
1758 /* Check whether the new SID can inherit signal state
1759 from the old SID. If not, clear itimers to avoid
1760 subsequent signal generation and flush and unblock
1761 signals. This must occur _after_ the task SID has
1762 been updated so that any kill done after the flush
1763 will be checked against the new SID. */
1764 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1765 PROCESS__SIGINH, NULL);
1767 memset(&itimer, 0, sizeof itimer);
1768 for (i = 0; i < 3; i++)
1769 do_setitimer(i, &itimer, NULL);
1770 flush_signals(current);
1771 spin_lock_irq(¤t->sighand->siglock);
1772 flush_signal_handlers(current, 1);
1773 sigemptyset(¤t->blocked);
1774 recalc_sigpending();
1775 spin_unlock_irq(¤t->sighand->siglock);
1778 /* Check whether the new SID can inherit resource limits
1779 from the old SID. If not, reset all soft limits to
1780 the lower of the current task's hard limit and the init
1781 task's soft limit. Note that the setting of hard limits
1782 (even to lower them) can be controlled by the setrlimit
1783 check. The inclusion of the init task's soft limit into
1784 the computation is to avoid resetting soft limits higher
1785 than the default soft limit for cases where the default
1786 is lower than the hard limit, e.g. RLIMIT_CORE or
1788 rc = avc_has_perm(tsec->osid, tsec->sid, SECCLASS_PROCESS,
1789 PROCESS__RLIMITINH, NULL);
1791 for (i = 0; i < RLIM_NLIMITS; i++) {
1792 rlim = current->signal->rlim + i;
1793 initrlim = init_task.signal->rlim+i;
1794 rlim->rlim_cur = min(rlim->rlim_max,initrlim->rlim_cur);
1796 if (current->signal->rlim[RLIMIT_CPU].rlim_cur != RLIM_INFINITY) {
1798 * This will cause RLIMIT_CPU calculations
1801 current->it_prof_expires = jiffies_to_cputime(1);
1805 /* Wake up the parent if it is waiting so that it can
1806 recheck wait permission to the new task SID. */
1807 wake_up_interruptible(¤t->parent->signal->wait_chldexit);
1810 /* superblock security operations */
1812 static int selinux_sb_alloc_security(struct super_block *sb)
1814 return superblock_alloc_security(sb);
1817 static void selinux_sb_free_security(struct super_block *sb)
1819 superblock_free_security(sb);
1822 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
1827 return !memcmp(prefix, option, plen);
1830 static inline int selinux_option(char *option, int len)
1832 return (match_prefix("context=", sizeof("context=")-1, option, len) ||
1833 match_prefix("fscontext=", sizeof("fscontext=")-1, option, len) ||
1834 match_prefix("defcontext=", sizeof("defcontext=")-1, option, len));
1837 static inline void take_option(char **to, char *from, int *first, int len)
1845 memcpy(*to, from, len);
1849 static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
1851 int fnosec, fsec, rc = 0;
1852 char *in_save, *in_curr, *in_end;
1853 char *sec_curr, *nosec_save, *nosec;
1858 /* Binary mount data: just copy */
1859 if (type->fs_flags & FS_BINARY_MOUNTDATA) {
1860 copy_page(sec_curr, in_curr);
1864 nosec = (char *)get_zeroed_page(GFP_KERNEL);
1872 in_save = in_end = orig;
1875 if (*in_end == ',' || *in_end == '\0') {
1876 int len = in_end - in_curr;
1878 if (selinux_option(in_curr, len))
1879 take_option(&sec_curr, in_curr, &fsec, len);
1881 take_option(&nosec, in_curr, &fnosec, len);
1883 in_curr = in_end + 1;
1885 } while (*in_end++);
1887 strcpy(in_save, nosec_save);
1888 free_page((unsigned long)nosec_save);
1893 static int selinux_sb_kern_mount(struct super_block *sb, void *data)
1895 struct avc_audit_data ad;
1898 rc = superblock_doinit(sb, data);
1902 AVC_AUDIT_DATA_INIT(&ad,FS);
1903 ad.u.fs.dentry = sb->s_root;
1904 return superblock_has_perm(current, sb, FILESYSTEM__MOUNT, &ad);
1907 static int selinux_sb_statfs(struct super_block *sb)
1909 struct avc_audit_data ad;
1911 AVC_AUDIT_DATA_INIT(&ad,FS);
1912 ad.u.fs.dentry = sb->s_root;
1913 return superblock_has_perm(current, sb, FILESYSTEM__GETATTR, &ad);
1916 static int selinux_mount(char * dev_name,
1917 struct nameidata *nd,
1919 unsigned long flags,
1924 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data);
1928 if (flags & MS_REMOUNT)
1929 return superblock_has_perm(current, nd->mnt->mnt_sb,
1930 FILESYSTEM__REMOUNT, NULL);
1932 return dentry_has_perm(current, nd->mnt, nd->dentry,
1936 static int selinux_umount(struct vfsmount *mnt, int flags)
1940 rc = secondary_ops->sb_umount(mnt, flags);
1944 return superblock_has_perm(current,mnt->mnt_sb,
1945 FILESYSTEM__UNMOUNT,NULL);
1948 /* inode security operations */
1950 static int selinux_inode_alloc_security(struct inode *inode)
1952 return inode_alloc_security(inode);
1955 static void selinux_inode_free_security(struct inode *inode)
1957 inode_free_security(inode);
1960 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
1961 char **name, void **value,
1964 struct task_security_struct *tsec;
1965 struct inode_security_struct *dsec;
1966 struct superblock_security_struct *sbsec;
1967 struct inode_security_struct *isec;
1970 char *namep = NULL, *context;
1972 tsec = current->security;
1973 dsec = dir->i_security;
1974 sbsec = dir->i_sb->s_security;
1975 isec = inode->i_security;
1977 if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
1978 newsid = tsec->create_sid;
1980 rc = security_transition_sid(tsec->sid, dsec->sid,
1981 inode_mode_to_security_class(inode->i_mode),
1984 printk(KERN_WARNING "%s: "
1985 "security_transition_sid failed, rc=%d (dev=%s "
1988 -rc, inode->i_sb->s_id, inode->i_ino);
1993 inode_security_set_sid(inode, newsid);
1996 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
2003 rc = security_sid_to_context(newsid, &context, &clen);
2015 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2017 return may_create(dir, dentry, SECCLASS_FILE);
2020 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2024 rc = secondary_ops->inode_link(old_dentry,dir,new_dentry);
2027 return may_link(dir, old_dentry, MAY_LINK);
2030 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2034 rc = secondary_ops->inode_unlink(dir, dentry);
2037 return may_link(dir, dentry, MAY_UNLINK);
2040 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2042 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2045 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2047 return may_create(dir, dentry, SECCLASS_DIR);
2050 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2052 return may_link(dir, dentry, MAY_RMDIR);
2055 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2059 rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2063 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2066 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2067 struct inode *new_inode, struct dentry *new_dentry)
2069 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2072 static int selinux_inode_readlink(struct dentry *dentry)
2074 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2077 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2081 rc = secondary_ops->inode_follow_link(dentry,nameidata);
2084 return dentry_has_perm(current, NULL, dentry, FILE__READ);
2087 static int selinux_inode_permission(struct inode *inode, int mask,
2088 struct nameidata *nd)
2092 rc = secondary_ops->inode_permission(inode, mask, nd);
2097 /* No permission to check. Existence test. */
2101 return inode_has_perm(current, inode,
2102 file_mask_to_av(inode->i_mode, mask), NULL);
2105 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2109 rc = secondary_ops->inode_setattr(dentry, iattr);
2113 if (iattr->ia_valid & ATTR_FORCE)
2116 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2117 ATTR_ATIME_SET | ATTR_MTIME_SET))
2118 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2120 return dentry_has_perm(current, NULL, dentry, FILE__WRITE);
2123 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2125 return dentry_has_perm(current, mnt, dentry, FILE__GETATTR);
2128 static int selinux_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags)
2130 struct task_security_struct *tsec = current->security;
2131 struct inode *inode = dentry->d_inode;
2132 struct inode_security_struct *isec = inode->i_security;
2133 struct superblock_security_struct *sbsec;
2134 struct avc_audit_data ad;
2138 if (strcmp(name, XATTR_NAME_SELINUX)) {
2139 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2140 sizeof XATTR_SECURITY_PREFIX - 1) &&
2141 !capable(CAP_SYS_ADMIN)) {
2142 /* A different attribute in the security namespace.
2143 Restrict to administrator. */
2147 /* Not an attribute we recognize, so just check the
2148 ordinary setattr permission. */
2149 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2152 sbsec = inode->i_sb->s_security;
2153 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2156 if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
2159 AVC_AUDIT_DATA_INIT(&ad,FS);
2160 ad.u.fs.dentry = dentry;
2162 rc = avc_has_perm(tsec->sid, isec->sid, isec->sclass,
2163 FILE__RELABELFROM, &ad);
2167 rc = security_context_to_sid(value, size, &newsid);
2171 rc = avc_has_perm(tsec->sid, newsid, isec->sclass,
2172 FILE__RELABELTO, &ad);
2176 rc = security_validate_transition(isec->sid, newsid, tsec->sid,
2181 return avc_has_perm(newsid,
2183 SECCLASS_FILESYSTEM,
2184 FILESYSTEM__ASSOCIATE,
2188 static void selinux_inode_post_setxattr(struct dentry *dentry, char *name,
2189 void *value, size_t size, int flags)
2191 struct inode *inode = dentry->d_inode;
2192 struct inode_security_struct *isec = inode->i_security;
2196 if (strcmp(name, XATTR_NAME_SELINUX)) {
2197 /* Not an attribute we recognize, so nothing to do. */
2201 rc = security_context_to_sid(value, size, &newsid);
2203 printk(KERN_WARNING "%s: unable to obtain SID for context "
2204 "%s, rc=%d\n", __FUNCTION__, (char*)value, -rc);
2212 static int selinux_inode_getxattr (struct dentry *dentry, char *name)
2214 struct inode *inode = dentry->d_inode;
2215 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
2217 if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2220 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2223 static int selinux_inode_listxattr (struct dentry *dentry)
2225 return dentry_has_perm(current, NULL, dentry, FILE__GETATTR);
2228 static int selinux_inode_removexattr (struct dentry *dentry, char *name)
2230 if (strcmp(name, XATTR_NAME_SELINUX)) {
2231 if (!strncmp(name, XATTR_SECURITY_PREFIX,
2232 sizeof XATTR_SECURITY_PREFIX - 1) &&
2233 !capable(CAP_SYS_ADMIN)) {
2234 /* A different attribute in the security namespace.
2235 Restrict to administrator. */
2239 /* Not an attribute we recognize, so just check the
2240 ordinary setattr permission. Might want a separate
2241 permission for removexattr. */
2242 return dentry_has_perm(current, NULL, dentry, FILE__SETATTR);
2245 /* No one is allowed to remove a SELinux security label.
2246 You can change the label, but all data must be labeled. */
2250 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
2252 struct inode_security_struct *isec = inode->i_security;
2257 /* Permission check handled by selinux_inode_getxattr hook.*/
2259 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2262 rc = security_sid_to_context(isec->sid, &context, &len);
2266 if (!buffer || !size) {
2274 memcpy(buffer, context, len);
2279 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2280 const void *value, size_t size, int flags)
2282 struct inode_security_struct *isec = inode->i_security;
2286 if (strcmp(name, XATTR_SELINUX_SUFFIX))
2289 if (!value || !size)
2292 rc = security_context_to_sid((void*)value, size, &newsid);
2300 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2302 const int len = sizeof(XATTR_NAME_SELINUX);
2303 if (buffer && len <= buffer_size)
2304 memcpy(buffer, XATTR_NAME_SELINUX, len);
2308 /* file security operations */
2310 static int selinux_file_permission(struct file *file, int mask)
2312 struct inode *inode = file->f_dentry->d_inode;
2315 /* No permission to check. Existence test. */
2319 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2320 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2323 return file_has_perm(current, file,
2324 file_mask_to_av(inode->i_mode, mask));
2327 static int selinux_file_alloc_security(struct file *file)
2329 return file_alloc_security(file);
2332 static void selinux_file_free_security(struct file *file)
2334 file_free_security(file);
2337 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2349 case EXT2_IOC_GETFLAGS:
2351 case EXT2_IOC_GETVERSION:
2352 error = file_has_perm(current, file, FILE__GETATTR);
2355 case EXT2_IOC_SETFLAGS:
2357 case EXT2_IOC_SETVERSION:
2358 error = file_has_perm(current, file, FILE__SETATTR);
2361 /* sys_ioctl() checks */
2365 error = file_has_perm(current, file, 0);
2370 error = task_has_capability(current,CAP_SYS_TTY_CONFIG);
2373 /* default case assumes that the command will go
2374 * to the file's ioctl() function.
2377 error = file_has_perm(current, file, FILE__IOCTL);
2383 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
2385 #ifndef CONFIG_PPC32
2386 if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
2388 * We are making executable an anonymous mapping or a
2389 * private file mapping that will also be writable.
2390 * This has an additional check.
2392 int rc = task_has_perm(current, current, PROCESS__EXECMEM);
2399 /* read access is always possible with a mapping */
2400 u32 av = FILE__READ;
2402 /* write access only matters if the mapping is shared */
2403 if (shared && (prot & PROT_WRITE))
2406 if (prot & PROT_EXEC)
2407 av |= FILE__EXECUTE;
2409 return file_has_perm(current, file, av);
2414 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
2415 unsigned long prot, unsigned long flags)
2419 rc = secondary_ops->file_mmap(file, reqprot, prot, flags);
2423 if (selinux_checkreqprot)
2426 return file_map_prot_check(file, prot,
2427 (flags & MAP_TYPE) == MAP_SHARED);
2430 static int selinux_file_mprotect(struct vm_area_struct *vma,
2431 unsigned long reqprot,
2436 rc = secondary_ops->file_mprotect(vma, reqprot, prot);
2440 if (selinux_checkreqprot)
2443 #ifndef CONFIG_PPC32
2444 if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
2445 (vma->vm_start >= vma->vm_mm->start_brk &&
2446 vma->vm_end <= vma->vm_mm->brk)) {
2448 * We are making an executable mapping in the brk region.
2449 * This has an additional execheap check.
2451 rc = task_has_perm(current, current, PROCESS__EXECHEAP);
2455 if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
2457 * We are making executable a file mapping that has
2458 * had some COW done. Since pages might have been written,
2459 * check ability to execute the possibly modified content.
2460 * This typically should only occur for text relocations.
2462 int rc = file_has_perm(current, vma->vm_file, FILE__EXECMOD);
2466 if (!vma->vm_file && (prot & PROT_EXEC) &&
2467 vma->vm_start <= vma->vm_mm->start_stack &&
2468 vma->vm_end >= vma->vm_mm->start_stack) {
2469 /* Attempt to make the process stack executable.
2470 * This has an additional execstack check.
2472 rc = task_has_perm(current, current, PROCESS__EXECSTACK);
2478 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
2481 static int selinux_file_lock(struct file *file, unsigned int cmd)
2483 return file_has_perm(current, file, FILE__LOCK);
2486 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
2493 if (!file->f_dentry || !file->f_dentry->d_inode) {
2498 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
2499 err = file_has_perm(current, file,FILE__WRITE);
2508 /* Just check FD__USE permission */
2509 err = file_has_perm(current, file, 0);
2514 #if BITS_PER_LONG == 32
2519 if (!file->f_dentry || !file->f_dentry->d_inode) {
2523 err = file_has_perm(current, file, FILE__LOCK);
2530 static int selinux_file_set_fowner(struct file *file)
2532 struct task_security_struct *tsec;
2533 struct file_security_struct *fsec;
2535 tsec = current->security;
2536 fsec = file->f_security;
2537 fsec->fown_sid = tsec->sid;
2542 static int selinux_file_send_sigiotask(struct task_struct *tsk,
2543 struct fown_struct *fown, int signum)
2547 struct task_security_struct *tsec;
2548 struct file_security_struct *fsec;
2550 /* struct fown_struct is never outside the context of a struct file */
2551 file = (struct file *)((long)fown - offsetof(struct file,f_owner));
2553 tsec = tsk->security;
2554 fsec = file->f_security;
2557 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
2559 perm = signal_to_av(signum);
2561 return avc_has_perm(fsec->fown_sid, tsec->sid,
2562 SECCLASS_PROCESS, perm, NULL);
2565 static int selinux_file_receive(struct file *file)
2567 return file_has_perm(current, file, file_to_av(file));
2570 /* task security operations */
2572 static int selinux_task_create(unsigned long clone_flags)
2576 rc = secondary_ops->task_create(clone_flags);
2580 return task_has_perm(current, current, PROCESS__FORK);
2583 static int selinux_task_alloc_security(struct task_struct *tsk)
2585 struct task_security_struct *tsec1, *tsec2;
2588 tsec1 = current->security;
2590 rc = task_alloc_security(tsk);
2593 tsec2 = tsk->security;
2595 tsec2->osid = tsec1->osid;
2596 tsec2->sid = tsec1->sid;
2598 /* Retain the exec and create SIDs across fork */
2599 tsec2->exec_sid = tsec1->exec_sid;
2600 tsec2->create_sid = tsec1->create_sid;
2602 /* Retain ptracer SID across fork, if any.
2603 This will be reset by the ptrace hook upon any
2604 subsequent ptrace_attach operations. */
2605 tsec2->ptrace_sid = tsec1->ptrace_sid;
2610 static void selinux_task_free_security(struct task_struct *tsk)
2612 task_free_security(tsk);
2615 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2617 /* Since setuid only affects the current process, and
2618 since the SELinux controls are not based on the Linux
2619 identity attributes, SELinux does not need to control
2620 this operation. However, SELinux does control the use
2621 of the CAP_SETUID and CAP_SETGID capabilities using the
2626 static int selinux_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
2628 return secondary_ops->task_post_setuid(id0,id1,id2,flags);
2631 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
2633 /* See the comment for setuid above. */
2637 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
2639 return task_has_perm(current, p, PROCESS__SETPGID);
2642 static int selinux_task_getpgid(struct task_struct *p)
2644 return task_has_perm(current, p, PROCESS__GETPGID);
2647 static int selinux_task_getsid(struct task_struct *p)
2649 return task_has_perm(current, p, PROCESS__GETSESSION);
2652 static int selinux_task_setgroups(struct group_info *group_info)
2654 /* See the comment for setuid above. */
2658 static int selinux_task_setnice(struct task_struct *p, int nice)
2662 rc = secondary_ops->task_setnice(p, nice);
2666 return task_has_perm(current,p, PROCESS__SETSCHED);
2669 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
2671 struct rlimit *old_rlim = current->signal->rlim + resource;
2674 rc = secondary_ops->task_setrlimit(resource, new_rlim);
2678 /* Control the ability to change the hard limit (whether
2679 lowering or raising it), so that the hard limit can
2680 later be used as a safe reset point for the soft limit
2681 upon context transitions. See selinux_bprm_apply_creds. */
2682 if (old_rlim->rlim_max != new_rlim->rlim_max)
2683 return task_has_perm(current, current, PROCESS__SETRLIMIT);
2688 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
2690 return task_has_perm(current, p, PROCESS__SETSCHED);
2693 static int selinux_task_getscheduler(struct task_struct *p)
2695 return task_has_perm(current, p, PROCESS__GETSCHED);
2698 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, int sig)
2703 rc = secondary_ops->task_kill(p, info, sig);
2707 if (info && ((unsigned long)info == 1 ||
2708 (unsigned long)info == 2 || SI_FROMKERNEL(info)))
2712 perm = PROCESS__SIGNULL; /* null signal; existence test */
2714 perm = signal_to_av(sig);
2716 return task_has_perm(current, p, perm);
2719 static int selinux_task_prctl(int option,
2725 /* The current prctl operations do not appear to require
2726 any SELinux controls since they merely observe or modify
2727 the state of the current process. */
2731 static int selinux_task_wait(struct task_struct *p)
2735 perm = signal_to_av(p->exit_signal);
2737 return task_has_perm(p, current, perm);
2740 static void selinux_task_reparent_to_init(struct task_struct *p)
2742 struct task_security_struct *tsec;
2744 secondary_ops->task_reparent_to_init(p);
2747 tsec->osid = tsec->sid;
2748 tsec->sid = SECINITSID_KERNEL;
2752 static void selinux_task_to_inode(struct task_struct *p,
2753 struct inode *inode)
2755 struct task_security_struct *tsec = p->security;
2756 struct inode_security_struct *isec = inode->i_security;
2758 isec->sid = tsec->sid;
2759 isec->initialized = 1;
2763 #ifdef CONFIG_SECURITY_NETWORK
2765 /* Returns error only if unable to parse addresses */
2766 static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad)
2768 int offset, ihlen, ret = -EINVAL;
2769 struct iphdr _iph, *ih;
2771 offset = skb->nh.raw - skb->data;
2772 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
2776 ihlen = ih->ihl * 4;
2777 if (ihlen < sizeof(_iph))
2780 ad->u.net.v4info.saddr = ih->saddr;
2781 ad->u.net.v4info.daddr = ih->daddr;
2784 switch (ih->protocol) {
2786 struct tcphdr _tcph, *th;
2788 if (ntohs(ih->frag_off) & IP_OFFSET)
2792 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2796 ad->u.net.sport = th->source;
2797 ad->u.net.dport = th->dest;
2802 struct udphdr _udph, *uh;
2804 if (ntohs(ih->frag_off) & IP_OFFSET)
2808 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2812 ad->u.net.sport = uh->source;
2813 ad->u.net.dport = uh->dest;
2824 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2826 /* Returns error only if unable to parse addresses */
2827 static int selinux_parse_skb_ipv6(struct sk_buff *skb, struct avc_audit_data *ad)
2830 int ret = -EINVAL, offset;
2831 struct ipv6hdr _ipv6h, *ip6;
2833 offset = skb->nh.raw - skb->data;
2834 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
2838 ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
2839 ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
2842 nexthdr = ip6->nexthdr;
2843 offset += sizeof(_ipv6h);
2844 offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
2850 struct tcphdr _tcph, *th;
2852 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
2856 ad->u.net.sport = th->source;
2857 ad->u.net.dport = th->dest;
2862 struct udphdr _udph, *uh;
2864 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
2868 ad->u.net.sport = uh->source;
2869 ad->u.net.dport = uh->dest;
2873 /* includes fragments */
2883 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
2884 char **addrp, int *len, int src)
2888 switch (ad->u.net.family) {
2890 ret = selinux_parse_skb_ipv4(skb, ad);
2894 *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
2895 &ad->u.net.v4info.daddr);
2898 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
2900 ret = selinux_parse_skb_ipv6(skb, ad);
2904 *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
2905 &ad->u.net.v6info.daddr);
2915 /* socket security operations */
2916 static int socket_has_perm(struct task_struct *task, struct socket *sock,
2919 struct inode_security_struct *isec;
2920 struct task_security_struct *tsec;
2921 struct avc_audit_data ad;
2924 tsec = task->security;
2925 isec = SOCK_INODE(sock)->i_security;
2927 if (isec->sid == SECINITSID_KERNEL)
2930 AVC_AUDIT_DATA_INIT(&ad,NET);
2931 ad.u.net.sk = sock->sk;
2932 err = avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
2938 static int selinux_socket_create(int family, int type,
2939 int protocol, int kern)
2942 struct task_security_struct *tsec;
2947 tsec = current->security;
2948 err = avc_has_perm(tsec->sid, tsec->sid,
2949 socket_type_to_security_class(family, type,
2950 protocol), SOCKET__CREATE, NULL);
2956 static void selinux_socket_post_create(struct socket *sock, int family,
2957 int type, int protocol, int kern)
2959 struct inode_security_struct *isec;
2960 struct task_security_struct *tsec;
2962 isec = SOCK_INODE(sock)->i_security;
2964 tsec = current->security;
2965 isec->sclass = socket_type_to_security_class(family, type, protocol);
2966 isec->sid = kern ? SECINITSID_KERNEL : tsec->sid;
2967 isec->initialized = 1;
2972 /* Range of port numbers used to automatically bind.
2973 Need to determine whether we should perform a name_bind
2974 permission check between the socket and the port number. */
2975 #define ip_local_port_range_0 sysctl_local_port_range[0]
2976 #define ip_local_port_range_1 sysctl_local_port_range[1]
2978 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
2983 err = socket_has_perm(current, sock, SOCKET__BIND);
2988 * If PF_INET or PF_INET6, check name_bind permission for the port.
2989 * Multiple address binding for SCTP is not supported yet: we just
2990 * check the first address now.
2992 family = sock->sk->sk_family;
2993 if (family == PF_INET || family == PF_INET6) {
2995 struct inode_security_struct *isec;
2996 struct task_security_struct *tsec;
2997 struct avc_audit_data ad;
2998 struct sockaddr_in *addr4 = NULL;
2999 struct sockaddr_in6 *addr6 = NULL;
3000 unsigned short snum;
3001 struct sock *sk = sock->sk;
3002 u32 sid, node_perm, addrlen;
3004 tsec = current->security;
3005 isec = SOCK_INODE(sock)->i_security;
3007 if (family == PF_INET) {
3008 addr4 = (struct sockaddr_in *)address;
3009 snum = ntohs(addr4->sin_port);
3010 addrlen = sizeof(addr4->sin_addr.s_addr);
3011 addrp = (char *)&addr4->sin_addr.s_addr;
3013 addr6 = (struct sockaddr_in6 *)address;
3014 snum = ntohs(addr6->sin6_port);
3015 addrlen = sizeof(addr6->sin6_addr.s6_addr);
3016 addrp = (char *)&addr6->sin6_addr.s6_addr;
3019 if (snum&&(snum < max(PROT_SOCK,ip_local_port_range_0) ||
3020 snum > ip_local_port_range_1)) {
3021 err = security_port_sid(sk->sk_family, sk->sk_type,
3022 sk->sk_protocol, snum, &sid);
3025 AVC_AUDIT_DATA_INIT(&ad,NET);
3026 ad.u.net.sport = htons(snum);
3027 ad.u.net.family = family;
3028 err = avc_has_perm(isec->sid, sid,
3030 SOCKET__NAME_BIND, &ad);
3035 switch(isec->sclass) {
3036 case SECCLASS_TCP_SOCKET:
3037 node_perm = TCP_SOCKET__NODE_BIND;
3040 case SECCLASS_UDP_SOCKET:
3041 node_perm = UDP_SOCKET__NODE_BIND;
3045 node_perm = RAWIP_SOCKET__NODE_BIND;
3049 err = security_node_sid(family, addrp, addrlen, &sid);
3053 AVC_AUDIT_DATA_INIT(&ad,NET);
3054 ad.u.net.sport = htons(snum);
3055 ad.u.net.family = family;
3057 if (family == PF_INET)
3058 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3060 ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3062 err = avc_has_perm(isec->sid, sid,
3063 isec->sclass, node_perm, &ad);
3071 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3073 struct inode_security_struct *isec;
3076 err = socket_has_perm(current, sock, SOCKET__CONNECT);
3081 * If a TCP socket, check name_connect permission for the port.
3083 isec = SOCK_INODE(sock)->i_security;
3084 if (isec->sclass == SECCLASS_TCP_SOCKET) {
3085 struct sock *sk = sock->sk;
3086 struct avc_audit_data ad;
3087 struct sockaddr_in *addr4 = NULL;
3088 struct sockaddr_in6 *addr6 = NULL;
3089 unsigned short snum;
3092 if (sk->sk_family == PF_INET) {
3093 addr4 = (struct sockaddr_in *)address;
3094 if (addrlen < sizeof(struct sockaddr_in))
3096 snum = ntohs(addr4->sin_port);
3098 addr6 = (struct sockaddr_in6 *)address;
3099 if (addrlen < SIN6_LEN_RFC2133)
3101 snum = ntohs(addr6->sin6_port);
3104 err = security_port_sid(sk->sk_family, sk->sk_type,
3105 sk->sk_protocol, snum, &sid);
3109 AVC_AUDIT_DATA_INIT(&ad,NET);
3110 ad.u.net.dport = htons(snum);
3111 ad.u.net.family = sk->sk_family;
3112 err = avc_has_perm(isec->sid, sid, isec->sclass,
3113 TCP_SOCKET__NAME_CONNECT, &ad);
3122 static int selinux_socket_listen(struct socket *sock, int backlog)
3124 return socket_has_perm(current, sock, SOCKET__LISTEN);
3127 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3130 struct inode_security_struct *isec;
3131 struct inode_security_struct *newisec;
3133 err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3137 newisec = SOCK_INODE(newsock)->i_security;
3139 isec = SOCK_INODE(sock)->i_security;
3140 newisec->sclass = isec->sclass;
3141 newisec->sid = isec->sid;
3142 newisec->initialized = 1;
3147 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3150 return socket_has_perm(current, sock, SOCKET__WRITE);
3153 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
3154 int size, int flags)
3156 return socket_has_perm(current, sock, SOCKET__READ);
3159 static int selinux_socket_getsockname(struct socket *sock)
3161 return socket_has_perm(current, sock, SOCKET__GETATTR);
3164 static int selinux_socket_getpeername(struct socket *sock)
3166 return socket_has_perm(current, sock, SOCKET__GETATTR);
3169 static int selinux_socket_setsockopt(struct socket *sock,int level,int optname)
3171 return socket_has_perm(current, sock, SOCKET__SETOPT);
3174 static int selinux_socket_getsockopt(struct socket *sock, int level,
3177 return socket_has_perm(current, sock, SOCKET__GETOPT);
3180 static int selinux_socket_shutdown(struct socket *sock, int how)
3182 return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
3185 static int selinux_socket_unix_stream_connect(struct socket *sock,
3186 struct socket *other,
3189 struct sk_security_struct *ssec;
3190 struct inode_security_struct *isec;
3191 struct inode_security_struct *other_isec;
3192 struct avc_audit_data ad;
3195 err = secondary_ops->unix_stream_connect(sock, other, newsk);
3199 isec = SOCK_INODE(sock)->i_security;
3200 other_isec = SOCK_INODE(other)->i_security;
3202 AVC_AUDIT_DATA_INIT(&ad,NET);
3203 ad.u.net.sk = other->sk;
3205 err = avc_has_perm(isec->sid, other_isec->sid,
3207 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
3211 /* connecting socket */
3212 ssec = sock->sk->sk_security;
3213 ssec->peer_sid = other_isec->sid;
3215 /* server child socket */
3216 ssec = newsk->sk_security;
3217 ssec->peer_sid = isec->sid;
3222 static int selinux_socket_unix_may_send(struct socket *sock,
3223 struct socket *other)
3225 struct inode_security_struct *isec;
3226 struct inode_security_struct *other_isec;
3227 struct avc_audit_data ad;
3230 isec = SOCK_INODE(sock)->i_security;
3231 other_isec = SOCK_INODE(other)->i_security;
3233 AVC_AUDIT_DATA_INIT(&ad,NET);
3234 ad.u.net.sk = other->sk;
3236 err = avc_has_perm(isec->sid, other_isec->sid,
3237 isec->sclass, SOCKET__SENDTO, &ad);
3244 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3249 u32 netif_perm, node_perm, node_sid, if_sid, recv_perm = 0;
3252 struct socket *sock;
3253 struct net_device *dev;
3254 struct avc_audit_data ad;
3256 family = sk->sk_family;
3257 if (family != PF_INET && family != PF_INET6)
3260 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
3261 if (family == PF_INET6 && skb->protocol == ntohs(ETH_P_IP))
3264 read_lock_bh(&sk->sk_callback_lock);
3265 sock = sk->sk_socket;
3267 struct inode *inode;
3268 inode = SOCK_INODE(sock);
3270 struct inode_security_struct *isec;
3271 isec = inode->i_security;
3272 sock_sid = isec->sid;
3273 sock_class = isec->sclass;
3276 read_unlock_bh(&sk->sk_callback_lock);
3284 err = sel_netif_sids(dev, &if_sid, NULL);
3288 switch (sock_class) {
3289 case SECCLASS_UDP_SOCKET:
3290 netif_perm = NETIF__UDP_RECV;
3291 node_perm = NODE__UDP_RECV;
3292 recv_perm = UDP_SOCKET__RECV_MSG;
3295 case SECCLASS_TCP_SOCKET:
3296 netif_perm = NETIF__TCP_RECV;
3297 node_perm = NODE__TCP_RECV;
3298 recv_perm = TCP_SOCKET__RECV_MSG;
3302 netif_perm = NETIF__RAWIP_RECV;
3303 node_perm = NODE__RAWIP_RECV;
3307 AVC_AUDIT_DATA_INIT(&ad, NET);
3308 ad.u.net.netif = dev->name;
3309 ad.u.net.family = family;
3311 err = selinux_parse_skb(skb, &ad, &addrp, &len, 1);
3315 err = avc_has_perm(sock_sid, if_sid, SECCLASS_NETIF, netif_perm, &ad);
3319 /* Fixme: this lookup is inefficient */
3320 err = security_node_sid(family, addrp, len, &node_sid);
3324 err = avc_has_perm(sock_sid, node_sid, SECCLASS_NODE, node_perm, &ad);
3331 /* Fixme: make this more efficient */
3332 err = security_port_sid(sk->sk_family, sk->sk_type,
3333 sk->sk_protocol, ntohs(ad.u.net.sport),
3338 err = avc_has_perm(sock_sid, port_sid,
3339 sock_class, recv_perm, &ad);
3345 static int selinux_socket_getpeersec(struct socket *sock, char __user *optval,
3346 int __user *optlen, unsigned len)
3351 struct sk_security_struct *ssec;
3352 struct inode_security_struct *isec;
3354 isec = SOCK_INODE(sock)->i_security;
3355 if (isec->sclass != SECCLASS_UNIX_STREAM_SOCKET) {
3360 ssec = sock->sk->sk_security;
3362 err = security_sid_to_context(ssec->peer_sid, &scontext, &scontext_len);
3366 if (scontext_len > len) {
3371 if (copy_to_user(optval, scontext, scontext_len))
3375 if (put_user(scontext_len, optlen))
3383 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
3385 return sk_alloc_security(sk, family, priority);
3388 static void selinux_sk_free_security(struct sock *sk)
3390 sk_free_security(sk);
3393 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3397 struct nlmsghdr *nlh;
3398 struct socket *sock = sk->sk_socket;
3399 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
3401 if (skb->len < NLMSG_SPACE(0)) {
3405 nlh = (struct nlmsghdr *)skb->data;
3407 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3409 if (err == -EINVAL) {
3410 audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
3411 "SELinux: unrecognized netlink message"
3412 " type=%hu for sclass=%hu\n",
3413 nlh->nlmsg_type, isec->sclass);
3414 if (!selinux_enforcing)
3424 err = socket_has_perm(current, sock, perm);
3429 #ifdef CONFIG_NETFILTER
3431 static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
3432 struct sk_buff **pskb,
3433 const struct net_device *in,
3434 const struct net_device *out,
3435 int (*okfn)(struct sk_buff *),
3439 int len, err = NF_ACCEPT;
3440 u32 netif_perm, node_perm, node_sid, if_sid, send_perm = 0;
3442 struct socket *sock;
3443 struct inode *inode;
3444 struct sk_buff *skb = *pskb;
3445 struct inode_security_struct *isec;
3446 struct avc_audit_data ad;
3447 struct net_device *dev = (struct net_device *)out;
3453 sock = sk->sk_socket;
3457 inode = SOCK_INODE(sock);
3461 err = sel_netif_sids(dev, &if_sid, NULL);
3465 isec = inode->i_security;
3467 switch (isec->sclass) {
3468 case SECCLASS_UDP_SOCKET:
3469 netif_perm = NETIF__UDP_SEND;
3470 node_perm = NODE__UDP_SEND;
3471 send_perm = UDP_SOCKET__SEND_MSG;
3474 case SECCLASS_TCP_SOCKET:
3475 netif_perm = NETIF__TCP_SEND;
3476 node_perm = NODE__TCP_SEND;
3477 send_perm = TCP_SOCKET__SEND_MSG;
3481 netif_perm = NETIF__RAWIP_SEND;
3482 node_perm = NODE__RAWIP_SEND;
3487 AVC_AUDIT_DATA_INIT(&ad, NET);
3488 ad.u.net.netif = dev->name;
3489 ad.u.net.family = family;
3491 err = selinux_parse_skb(skb, &ad, &addrp,
3492 &len, 0) ? NF_DROP : NF_ACCEPT;
3493 if (err != NF_ACCEPT)
3496 err = avc_has_perm(isec->sid, if_sid, SECCLASS_NETIF,
3497 netif_perm, &ad) ? NF_DROP : NF_ACCEPT;
3498 if (err != NF_ACCEPT)
3501 /* Fixme: this lookup is inefficient */
3502 err = security_node_sid(family, addrp, len,
3503 &node_sid) ? NF_DROP : NF_ACCEPT;
3504 if (err != NF_ACCEPT)
3507 err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
3508 node_perm, &ad) ? NF_DROP : NF_ACCEPT;
3509 if (err != NF_ACCEPT)
3515 /* Fixme: make this more efficient */
3516 err = security_port_sid(sk->sk_family,
3519 ntohs(ad.u.net.dport),
3520 &port_sid) ? NF_DROP : NF_ACCEPT;
3521 if (err != NF_ACCEPT)
3524 err = avc_has_perm(isec->sid, port_sid, isec->sclass,
3525 send_perm, &ad) ? NF_DROP : NF_ACCEPT;
3532 static unsigned int selinux_ipv4_postroute_last(unsigned int hooknum,
3533 struct sk_buff **pskb,
3534 const struct net_device *in,
3535 const struct net_device *out,
3536 int (*okfn)(struct sk_buff *))
3538 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET);
3541 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3543 static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
3544 struct sk_buff **pskb,
3545 const struct net_device *in,
3546 const struct net_device *out,
3547 int (*okfn)(struct sk_buff *))
3549 return selinux_ip_postroute_last(hooknum, pskb, in, out, okfn, PF_INET6);
3554 #endif /* CONFIG_NETFILTER */
3558 static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3563 #endif /* CONFIG_SECURITY_NETWORK */
3565 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
3567 struct task_security_struct *tsec;
3568 struct av_decision avd;
3571 err = secondary_ops->netlink_send(sk, skb);
3575 tsec = current->security;
3578 avc_has_perm_noaudit(tsec->sid, tsec->sid,
3579 SECCLASS_CAPABILITY, ~0, &avd);
3580 cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
3582 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
3583 err = selinux_nlmsg_perm(sk, skb);
3588 static int selinux_netlink_recv(struct sk_buff *skb)
3590 if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
3595 static int ipc_alloc_security(struct task_struct *task,
3596 struct kern_ipc_perm *perm,
3599 struct task_security_struct *tsec = task->security;
3600 struct ipc_security_struct *isec;
3602 isec = kmalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
3606 memset(isec, 0, sizeof(struct ipc_security_struct));
3607 isec->magic = SELINUX_MAGIC;
3608 isec->sclass = sclass;
3609 isec->ipc_perm = perm;
3611 isec->sid = tsec->sid;
3613 isec->sid = SECINITSID_UNLABELED;
3615 perm->security = isec;
3620 static void ipc_free_security(struct kern_ipc_perm *perm)
3622 struct ipc_security_struct *isec = perm->security;
3623 if (!isec || isec->magic != SELINUX_MAGIC)
3626 perm->security = NULL;
3630 static int msg_msg_alloc_security(struct msg_msg *msg)
3632 struct msg_security_struct *msec;
3634 msec = kmalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
3638 memset(msec, 0, sizeof(struct msg_security_struct));
3639 msec->magic = SELINUX_MAGIC;
3641 msec->sid = SECINITSID_UNLABELED;
3642 msg->security = msec;
3647 static void msg_msg_free_security(struct msg_msg *msg)
3649 struct msg_security_struct *msec = msg->security;
3650 if (!msec || msec->magic != SELINUX_MAGIC)
3653 msg->security = NULL;
3657 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
3660 struct task_security_struct *tsec;
3661 struct ipc_security_struct *isec;
3662 struct avc_audit_data ad;
3664 tsec = current->security;
3665 isec = ipc_perms->security;
3667 AVC_AUDIT_DATA_INIT(&ad, IPC);
3668 ad.u.ipc_id = ipc_perms->key;
3670 return avc_has_perm(tsec->sid, isec->sid, isec->sclass, perms, &ad);
3673 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
3675 return msg_msg_alloc_security(msg);
3678 static void selinux_msg_msg_free_security(struct msg_msg *msg)
3680 msg_msg_free_security(msg);
3683 /* message queue security operations */
3684 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
3686 struct task_security_struct *tsec;
3687 struct ipc_security_struct *isec;
3688 struct avc_audit_data ad;
3691 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
3695 tsec = current->security;
3696 isec = msq->q_perm.security;
3698 AVC_AUDIT_DATA_INIT(&ad, IPC);
3699 ad.u.ipc_id = msq->q_perm.key;
3701 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3704 ipc_free_security(&msq->q_perm);
3710 static void selinux_msg_queue_free_security(struct msg_queue *msq)
3712 ipc_free_security(&msq->q_perm);
3715 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
3717 struct task_security_struct *tsec;
3718 struct ipc_security_struct *isec;
3719 struct avc_audit_data ad;
3721 tsec = current->security;
3722 isec = msq->q_perm.security;
3724 AVC_AUDIT_DATA_INIT(&ad, IPC);
3725 ad.u.ipc_id = msq->q_perm.key;
3727 return avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3728 MSGQ__ASSOCIATE, &ad);
3731 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3739 /* No specific object, just general system-wide information. */
3740 return task_has_system(current, SYSTEM__IPC_INFO);
3743 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
3746 perms = MSGQ__SETATTR;
3749 perms = MSGQ__DESTROY;
3755 err = ipc_has_perm(&msq->q_perm, perms);
3759 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
3761 struct task_security_struct *tsec;
3762 struct ipc_security_struct *isec;
3763 struct msg_security_struct *msec;
3764 struct avc_audit_data ad;
3767 tsec = current->security;
3768 isec = msq->q_perm.security;
3769 msec = msg->security;
3772 * First time through, need to assign label to the message
3774 if (msec->sid == SECINITSID_UNLABELED) {
3776 * Compute new sid based on current process and
3777 * message queue this message will be stored in
3779 rc = security_transition_sid(tsec->sid,
3787 AVC_AUDIT_DATA_INIT(&ad, IPC);
3788 ad.u.ipc_id = msq->q_perm.key;
3790 /* Can this process write to the queue? */
3791 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_MSGQ,
3794 /* Can this process send the message */
3795 rc = avc_has_perm(tsec->sid, msec->sid,
3796 SECCLASS_MSG, MSG__SEND, &ad);
3798 /* Can the message be put in the queue? */
3799 rc = avc_has_perm(msec->sid, isec->sid,
3800 SECCLASS_MSGQ, MSGQ__ENQUEUE, &ad);
3805 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3806 struct task_struct *target,
3807 long type, int mode)
3809 struct task_security_struct *tsec;
3810 struct ipc_security_struct *isec;
3811 struct msg_security_struct *msec;
3812 struct avc_audit_data ad;
3815 tsec = target->security;
3816 isec = msq->q_perm.security;
3817 msec = msg->security;
3819 AVC_AUDIT_DATA_INIT(&ad, IPC);
3820 ad.u.ipc_id = msq->q_perm.key;
3822 rc = avc_has_perm(tsec->sid, isec->sid,
3823 SECCLASS_MSGQ, MSGQ__READ, &ad);
3825 rc = avc_has_perm(tsec->sid, msec->sid,
3826 SECCLASS_MSG, MSG__RECEIVE, &ad);
3830 /* Shared Memory security operations */
3831 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
3833 struct task_security_struct *tsec;
3834 struct ipc_security_struct *isec;
3835 struct avc_audit_data ad;
3838 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
3842 tsec = current->security;
3843 isec = shp->shm_perm.security;
3845 AVC_AUDIT_DATA_INIT(&ad, IPC);
3846 ad.u.ipc_id = shp->shm_perm.key;
3848 rc = avc_has_perm(tsec->sid, isec->sid, SECCLASS_SHM,
3851 ipc_free_security(&shp->shm_perm);
3857 static void selinux_s
Code Review / linux-2.6.git / blob