2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
26 #include <linux/init.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
103 static int __init enforcing_setup(char *str)
105 unsigned long enforcing;
106 if (!kstrtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
110 __setup("enforcing=", enforcing_setup);
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116 static int __init selinux_enabled_setup(char *str)
118 unsigned long enabled;
119 if (!kstrtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
123 __setup("selinux=", selinux_enabled_setup);
125 int selinux_enabled = 1;
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
142 static int selinux_secmark_enabled(void)
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
157 static int selinux_peerlbl_enabled(void)
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162 static int selinux_netcache_avc_callback(u32 event)
164 if (event == AVC_CALLBACK_RESET) {
174 * initialise the security for the init task
176 static void cred_init_security(void)
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
183 panic("SELinux: Failed to initialize initial task.\n");
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
190 * get the security ID of a set of credentials
192 static inline u32 cred_sid(const struct cred *cred)
194 const struct task_security_struct *tsec;
196 tsec = cred->security;
201 * get the objective security ID of a task
203 static inline u32 task_sid(const struct task_struct *task)
208 sid = cred_sid(__task_cred(task));
214 * get the subjective security ID of the current task
216 static inline u32 current_sid(void)
218 const struct task_security_struct *tsec = current_security();
223 /* Allocate and free functions for each kind of security blob. */
225 static int inode_alloc_security(struct inode *inode)
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
234 mutex_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 inode->i_security = isec;
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
254 static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
258 struct inode_security_struct *isec = inode->i_security;
260 might_sleep_if(may_sleep);
262 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
271 inode_doinit_with_dentry(inode, opt_dentry);
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
278 return inode->i_security;
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
285 error = __inode_security_revalidate(inode, NULL, !rcu);
287 return ERR_PTR(error);
288 return inode->i_security;
292 * Get the security label of an inode.
294 static struct inode_security_struct *inode_security(struct inode *inode)
296 __inode_security_revalidate(inode, NULL, true);
297 return inode->i_security;
300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
302 struct inode *inode = d_backing_inode(dentry);
304 return inode->i_security;
308 * Get the security label of a dentry's backing inode.
310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
312 struct inode *inode = d_backing_inode(dentry);
314 __inode_security_revalidate(inode, dentry, true);
315 return inode->i_security;
318 static void inode_free_rcu(struct rcu_head *head)
320 struct inode_security_struct *isec;
322 isec = container_of(head, struct inode_security_struct, rcu);
323 kmem_cache_free(sel_inode_cache, isec);
326 static void inode_free_security(struct inode *inode)
328 struct inode_security_struct *isec = inode->i_security;
329 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
332 * As not all inode security structures are in a list, we check for
333 * empty list outside of the lock to make sure that we won't waste
334 * time taking a lock doing nothing.
336 * The list_del_init() function can be safely called more than once.
337 * It should not be possible for this function to be called with
338 * concurrent list_add(), but for better safety against future changes
339 * in the code, we use list_empty_careful() here.
341 if (!list_empty_careful(&isec->list)) {
342 spin_lock(&sbsec->isec_lock);
343 list_del_init(&isec->list);
344 spin_unlock(&sbsec->isec_lock);
348 * The inode may still be referenced in a path walk and
349 * a call to selinux_inode_permission() can be made
350 * after inode_free_security() is called. Ideally, the VFS
351 * wouldn't do this, but fixing that is a much harder
352 * job. For now, simply free the i_security via RCU, and
353 * leave the current inode->i_security pointer intact.
354 * The inode will be freed after the RCU grace period too.
356 call_rcu(&isec->rcu, inode_free_rcu);
359 static int file_alloc_security(struct file *file)
361 struct file_security_struct *fsec;
362 u32 sid = current_sid();
364 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
369 fsec->fown_sid = sid;
370 file->f_security = fsec;
375 static void file_free_security(struct file *file)
377 struct file_security_struct *fsec = file->f_security;
378 file->f_security = NULL;
379 kmem_cache_free(file_security_cache, fsec);
382 static int superblock_alloc_security(struct super_block *sb)
384 struct superblock_security_struct *sbsec;
386 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
390 mutex_init(&sbsec->lock);
391 INIT_LIST_HEAD(&sbsec->isec_head);
392 spin_lock_init(&sbsec->isec_lock);
394 sbsec->sid = SECINITSID_UNLABELED;
395 sbsec->def_sid = SECINITSID_FILE;
396 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
397 sb->s_security = sbsec;
402 static void superblock_free_security(struct super_block *sb)
404 struct superblock_security_struct *sbsec = sb->s_security;
405 sb->s_security = NULL;
409 static inline int inode_doinit(struct inode *inode)
411 return inode_doinit_with_dentry(inode, NULL);
420 Opt_labelsupport = 5,
424 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
426 static const match_table_t tokens = {
427 {Opt_context, CONTEXT_STR "%s"},
428 {Opt_fscontext, FSCONTEXT_STR "%s"},
429 {Opt_defcontext, DEFCONTEXT_STR "%s"},
430 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
431 {Opt_labelsupport, LABELSUPP_STR},
435 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
437 static int may_context_mount_sb_relabel(u32 sid,
438 struct superblock_security_struct *sbsec,
439 const struct cred *cred)
441 const struct task_security_struct *tsec = cred->security;
444 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
445 FILESYSTEM__RELABELFROM, NULL);
449 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELTO, NULL);
454 static int may_context_mount_inode_relabel(u32 sid,
455 struct superblock_security_struct *sbsec,
456 const struct cred *cred)
458 const struct task_security_struct *tsec = cred->security;
460 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
461 FILESYSTEM__RELABELFROM, NULL);
465 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 FILESYSTEM__ASSOCIATE, NULL);
470 static int selinux_is_sblabel_mnt(struct super_block *sb)
472 struct superblock_security_struct *sbsec = sb->s_security;
474 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
475 sbsec->behavior == SECURITY_FS_USE_TRANS ||
476 sbsec->behavior == SECURITY_FS_USE_TASK ||
477 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
478 /* Special handling. Genfs but also in-core setxattr handler */
479 !strcmp(sb->s_type->name, "sysfs") ||
480 !strcmp(sb->s_type->name, "pstore") ||
481 !strcmp(sb->s_type->name, "debugfs") ||
482 !strcmp(sb->s_type->name, "rootfs");
485 static int sb_finish_set_opts(struct super_block *sb)
487 struct superblock_security_struct *sbsec = sb->s_security;
488 struct dentry *root = sb->s_root;
489 struct inode *root_inode = d_backing_inode(root);
492 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
493 /* Make sure that the xattr handler exists and that no
494 error other than -ENODATA is returned by getxattr on
495 the root directory. -ENODATA is ok, as this may be
496 the first boot of the SELinux kernel before we have
497 assigned xattr values to the filesystem. */
498 if (!(root_inode->i_opflags & IOP_XATTR)) {
499 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
500 "xattr support\n", sb->s_id, sb->s_type->name);
505 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
506 if (rc < 0 && rc != -ENODATA) {
507 if (rc == -EOPNOTSUPP)
508 printk(KERN_WARNING "SELinux: (dev %s, type "
509 "%s) has no security xattr handler\n",
510 sb->s_id, sb->s_type->name);
512 printk(KERN_WARNING "SELinux: (dev %s, type "
513 "%s) getxattr errno %d\n", sb->s_id,
514 sb->s_type->name, -rc);
519 sbsec->flags |= SE_SBINITIALIZED;
520 if (selinux_is_sblabel_mnt(sb))
521 sbsec->flags |= SBLABEL_MNT;
523 /* Initialize the root inode. */
524 rc = inode_doinit_with_dentry(root_inode, root);
526 /* Initialize any other inodes associated with the superblock, e.g.
527 inodes created prior to initial policy load or inodes created
528 during get_sb by a pseudo filesystem that directly
530 spin_lock(&sbsec->isec_lock);
532 if (!list_empty(&sbsec->isec_head)) {
533 struct inode_security_struct *isec =
534 list_entry(sbsec->isec_head.next,
535 struct inode_security_struct, list);
536 struct inode *inode = isec->inode;
537 list_del_init(&isec->list);
538 spin_unlock(&sbsec->isec_lock);
539 inode = igrab(inode);
541 if (!IS_PRIVATE(inode))
545 spin_lock(&sbsec->isec_lock);
548 spin_unlock(&sbsec->isec_lock);
554 * This function should allow an FS to ask what it's mount security
555 * options were so it can use those later for submounts, displaying
556 * mount options, or whatever.
558 static int selinux_get_mnt_opts(const struct super_block *sb,
559 struct security_mnt_opts *opts)
562 struct superblock_security_struct *sbsec = sb->s_security;
563 char *context = NULL;
567 security_init_mnt_opts(opts);
569 if (!(sbsec->flags & SE_SBINITIALIZED))
575 /* make sure we always check enough bits to cover the mask */
576 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
578 tmp = sbsec->flags & SE_MNTMASK;
579 /* count the number of mount options for this sb */
580 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
582 opts->num_mnt_opts++;
585 /* Check if the Label support flag is set */
586 if (sbsec->flags & SBLABEL_MNT)
587 opts->num_mnt_opts++;
589 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
590 if (!opts->mnt_opts) {
595 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
596 if (!opts->mnt_opts_flags) {
602 if (sbsec->flags & FSCONTEXT_MNT) {
603 rc = security_sid_to_context(sbsec->sid, &context, &len);
606 opts->mnt_opts[i] = context;
607 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
609 if (sbsec->flags & CONTEXT_MNT) {
610 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
613 opts->mnt_opts[i] = context;
614 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
616 if (sbsec->flags & DEFCONTEXT_MNT) {
617 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
620 opts->mnt_opts[i] = context;
621 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
623 if (sbsec->flags & ROOTCONTEXT_MNT) {
624 struct dentry *root = sbsec->sb->s_root;
625 struct inode_security_struct *isec = backing_inode_security(root);
627 rc = security_sid_to_context(isec->sid, &context, &len);
630 opts->mnt_opts[i] = context;
631 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
633 if (sbsec->flags & SBLABEL_MNT) {
634 opts->mnt_opts[i] = NULL;
635 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
638 BUG_ON(i != opts->num_mnt_opts);
643 security_free_mnt_opts(opts);
647 static int bad_option(struct superblock_security_struct *sbsec, char flag,
648 u32 old_sid, u32 new_sid)
650 char mnt_flags = sbsec->flags & SE_MNTMASK;
652 /* check if the old mount command had the same options */
653 if (sbsec->flags & SE_SBINITIALIZED)
654 if (!(sbsec->flags & flag) ||
655 (old_sid != new_sid))
658 /* check if we were passed the same options twice,
659 * aka someone passed context=a,context=b
661 if (!(sbsec->flags & SE_SBINITIALIZED))
662 if (mnt_flags & flag)
668 * Allow filesystems with binary mount data to explicitly set mount point
669 * labeling information.
671 static int selinux_set_mnt_opts(struct super_block *sb,
672 struct security_mnt_opts *opts,
673 unsigned long kern_flags,
674 unsigned long *set_kern_flags)
676 const struct cred *cred = current_cred();
678 struct superblock_security_struct *sbsec = sb->s_security;
679 const char *name = sb->s_type->name;
680 struct dentry *root = sbsec->sb->s_root;
681 struct inode_security_struct *root_isec;
682 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
683 u32 defcontext_sid = 0;
684 char **mount_options = opts->mnt_opts;
685 int *flags = opts->mnt_opts_flags;
686 int num_opts = opts->num_mnt_opts;
688 mutex_lock(&sbsec->lock);
690 if (!ss_initialized) {
692 /* Defer initialization until selinux_complete_init,
693 after the initial policy is loaded and the security
694 server is ready to handle calls. */
698 printk(KERN_WARNING "SELinux: Unable to set superblock options "
699 "before the security server is initialized\n");
702 if (kern_flags && !set_kern_flags) {
703 /* Specifying internal flags without providing a place to
704 * place the results is not allowed */
710 * Binary mount data FS will come through this function twice. Once
711 * from an explicit call and once from the generic calls from the vfs.
712 * Since the generic VFS calls will not contain any security mount data
713 * we need to skip the double mount verification.
715 * This does open a hole in which we will not notice if the first
716 * mount using this sb set explict options and a second mount using
717 * this sb does not set any security options. (The first options
718 * will be used for both mounts)
720 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
724 root_isec = backing_inode_security_novalidate(root);
727 * parse the mount options, check if they are valid sids.
728 * also check if someone is trying to mount the same sb more
729 * than once with different security options.
731 for (i = 0; i < num_opts; i++) {
734 if (flags[i] == SBLABEL_MNT)
736 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
738 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
739 "(%s) failed for (dev %s, type %s) errno=%d\n",
740 mount_options[i], sb->s_id, name, rc);
747 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
749 goto out_double_mount;
751 sbsec->flags |= FSCONTEXT_MNT;
756 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
758 goto out_double_mount;
760 sbsec->flags |= CONTEXT_MNT;
762 case ROOTCONTEXT_MNT:
763 rootcontext_sid = sid;
765 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
767 goto out_double_mount;
769 sbsec->flags |= ROOTCONTEXT_MNT;
773 defcontext_sid = sid;
775 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
777 goto out_double_mount;
779 sbsec->flags |= DEFCONTEXT_MNT;
788 if (sbsec->flags & SE_SBINITIALIZED) {
789 /* previously mounted with options, but not on this attempt? */
790 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
791 goto out_double_mount;
796 if (strcmp(sb->s_type->name, "proc") == 0)
797 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
799 if (!strcmp(sb->s_type->name, "debugfs") ||
800 !strcmp(sb->s_type->name, "sysfs") ||
801 !strcmp(sb->s_type->name, "pstore"))
802 sbsec->flags |= SE_SBGENFS;
804 if (!sbsec->behavior) {
806 * Determine the labeling behavior to use for this
809 rc = security_fs_use(sb);
812 "%s: security_fs_use(%s) returned %d\n",
813 __func__, sb->s_type->name, rc);
819 * If this is a user namespace mount, no contexts are allowed
820 * on the command line and security labels must be ignored.
822 if (sb->s_user_ns != &init_user_ns) {
823 if (context_sid || fscontext_sid || rootcontext_sid ||
828 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
829 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
830 rc = security_transition_sid(current_sid(), current_sid(),
832 &sbsec->mntpoint_sid);
839 /* sets the context of the superblock for the fs being mounted. */
841 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
845 sbsec->sid = fscontext_sid;
849 * Switch to using mount point labeling behavior.
850 * sets the label used on all file below the mountpoint, and will set
851 * the superblock context if not already set.
853 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
854 sbsec->behavior = SECURITY_FS_USE_NATIVE;
855 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
859 if (!fscontext_sid) {
860 rc = may_context_mount_sb_relabel(context_sid, sbsec,
864 sbsec->sid = context_sid;
866 rc = may_context_mount_inode_relabel(context_sid, sbsec,
871 if (!rootcontext_sid)
872 rootcontext_sid = context_sid;
874 sbsec->mntpoint_sid = context_sid;
875 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
878 if (rootcontext_sid) {
879 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
884 root_isec->sid = rootcontext_sid;
885 root_isec->initialized = LABEL_INITIALIZED;
888 if (defcontext_sid) {
889 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
890 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
892 printk(KERN_WARNING "SELinux: defcontext option is "
893 "invalid for this filesystem type\n");
897 if (defcontext_sid != sbsec->def_sid) {
898 rc = may_context_mount_inode_relabel(defcontext_sid,
904 sbsec->def_sid = defcontext_sid;
908 rc = sb_finish_set_opts(sb);
910 mutex_unlock(&sbsec->lock);
914 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
915 "security settings for (dev %s, type %s)\n", sb->s_id, name);
919 static int selinux_cmp_sb_context(const struct super_block *oldsb,
920 const struct super_block *newsb)
922 struct superblock_security_struct *old = oldsb->s_security;
923 struct superblock_security_struct *new = newsb->s_security;
924 char oldflags = old->flags & SE_MNTMASK;
925 char newflags = new->flags & SE_MNTMASK;
927 if (oldflags != newflags)
929 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
931 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
933 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
935 if (oldflags & ROOTCONTEXT_MNT) {
936 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
937 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
938 if (oldroot->sid != newroot->sid)
943 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
944 "different security settings for (dev %s, "
945 "type %s)\n", newsb->s_id, newsb->s_type->name);
949 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
950 struct super_block *newsb)
952 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
953 struct superblock_security_struct *newsbsec = newsb->s_security;
955 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
956 int set_context = (oldsbsec->flags & CONTEXT_MNT);
957 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
960 * if the parent was able to be mounted it clearly had no special lsm
961 * mount options. thus we can safely deal with this superblock later
966 /* how can we clone if the old one wasn't set up?? */
967 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
969 /* if fs is reusing a sb, make sure that the contexts match */
970 if (newsbsec->flags & SE_SBINITIALIZED)
971 return selinux_cmp_sb_context(oldsb, newsb);
973 mutex_lock(&newsbsec->lock);
975 newsbsec->flags = oldsbsec->flags;
977 newsbsec->sid = oldsbsec->sid;
978 newsbsec->def_sid = oldsbsec->def_sid;
979 newsbsec->behavior = oldsbsec->behavior;
982 u32 sid = oldsbsec->mntpoint_sid;
986 if (!set_rootcontext) {
987 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
990 newsbsec->mntpoint_sid = sid;
992 if (set_rootcontext) {
993 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
994 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
996 newisec->sid = oldisec->sid;
999 sb_finish_set_opts(newsb);
1000 mutex_unlock(&newsbsec->lock);
1004 static int selinux_parse_opts_str(char *options,
1005 struct security_mnt_opts *opts)
1008 char *context = NULL, *defcontext = NULL;
1009 char *fscontext = NULL, *rootcontext = NULL;
1010 int rc, num_mnt_opts = 0;
1012 opts->num_mnt_opts = 0;
1014 /* Standard string-based options. */
1015 while ((p = strsep(&options, "|")) != NULL) {
1017 substring_t args[MAX_OPT_ARGS];
1022 token = match_token(p, tokens, args);
1026 if (context || defcontext) {
1028 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1031 context = match_strdup(&args[0]);
1041 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1044 fscontext = match_strdup(&args[0]);
1051 case Opt_rootcontext:
1054 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1057 rootcontext = match_strdup(&args[0]);
1064 case Opt_defcontext:
1065 if (context || defcontext) {
1067 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1070 defcontext = match_strdup(&args[0]);
1076 case Opt_labelsupport:
1080 printk(KERN_WARNING "SELinux: unknown mount option\n");
1087 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1088 if (!opts->mnt_opts)
1091 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1092 if (!opts->mnt_opts_flags) {
1093 kfree(opts->mnt_opts);
1098 opts->mnt_opts[num_mnt_opts] = fscontext;
1099 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1102 opts->mnt_opts[num_mnt_opts] = context;
1103 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1106 opts->mnt_opts[num_mnt_opts] = rootcontext;
1107 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1110 opts->mnt_opts[num_mnt_opts] = defcontext;
1111 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1114 opts->num_mnt_opts = num_mnt_opts;
1125 * string mount options parsing and call set the sbsec
1127 static int superblock_doinit(struct super_block *sb, void *data)
1130 char *options = data;
1131 struct security_mnt_opts opts;
1133 security_init_mnt_opts(&opts);
1138 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1140 rc = selinux_parse_opts_str(options, &opts);
1145 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1148 security_free_mnt_opts(&opts);
1152 static void selinux_write_opts(struct seq_file *m,
1153 struct security_mnt_opts *opts)
1158 for (i = 0; i < opts->num_mnt_opts; i++) {
1161 if (opts->mnt_opts[i])
1162 has_comma = strchr(opts->mnt_opts[i], ',');
1166 switch (opts->mnt_opts_flags[i]) {
1168 prefix = CONTEXT_STR;
1171 prefix = FSCONTEXT_STR;
1173 case ROOTCONTEXT_MNT:
1174 prefix = ROOTCONTEXT_STR;
1176 case DEFCONTEXT_MNT:
1177 prefix = DEFCONTEXT_STR;
1181 seq_puts(m, LABELSUPP_STR);
1187 /* we need a comma before each option */
1189 seq_puts(m, prefix);
1192 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1198 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1200 struct security_mnt_opts opts;
1203 rc = selinux_get_mnt_opts(sb, &opts);
1205 /* before policy load we may get EINVAL, don't show anything */
1211 selinux_write_opts(m, &opts);
1213 security_free_mnt_opts(&opts);
1218 static inline u16 inode_mode_to_security_class(umode_t mode)
1220 switch (mode & S_IFMT) {
1222 return SECCLASS_SOCK_FILE;
1224 return SECCLASS_LNK_FILE;
1226 return SECCLASS_FILE;
1228 return SECCLASS_BLK_FILE;
1230 return SECCLASS_DIR;
1232 return SECCLASS_CHR_FILE;
1234 return SECCLASS_FIFO_FILE;
1238 return SECCLASS_FILE;
1241 static inline int default_protocol_stream(int protocol)
1243 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1246 static inline int default_protocol_dgram(int protocol)
1248 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1251 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1257 case SOCK_SEQPACKET:
1258 return SECCLASS_UNIX_STREAM_SOCKET;
1260 return SECCLASS_UNIX_DGRAM_SOCKET;
1267 if (default_protocol_stream(protocol))
1268 return SECCLASS_TCP_SOCKET;
1270 return SECCLASS_RAWIP_SOCKET;
1272 if (default_protocol_dgram(protocol))
1273 return SECCLASS_UDP_SOCKET;
1275 return SECCLASS_RAWIP_SOCKET;
1277 return SECCLASS_DCCP_SOCKET;
1279 return SECCLASS_RAWIP_SOCKET;
1285 return SECCLASS_NETLINK_ROUTE_SOCKET;
1286 case NETLINK_SOCK_DIAG:
1287 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1289 return SECCLASS_NETLINK_NFLOG_SOCKET;
1291 return SECCLASS_NETLINK_XFRM_SOCKET;
1292 case NETLINK_SELINUX:
1293 return SECCLASS_NETLINK_SELINUX_SOCKET;
1295 return SECCLASS_NETLINK_ISCSI_SOCKET;
1297 return SECCLASS_NETLINK_AUDIT_SOCKET;
1298 case NETLINK_FIB_LOOKUP:
1299 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1300 case NETLINK_CONNECTOR:
1301 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1302 case NETLINK_NETFILTER:
1303 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1304 case NETLINK_DNRTMSG:
1305 return SECCLASS_NETLINK_DNRT_SOCKET;
1306 case NETLINK_KOBJECT_UEVENT:
1307 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1308 case NETLINK_GENERIC:
1309 return SECCLASS_NETLINK_GENERIC_SOCKET;
1310 case NETLINK_SCSITRANSPORT:
1311 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1313 return SECCLASS_NETLINK_RDMA_SOCKET;
1314 case NETLINK_CRYPTO:
1315 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1317 return SECCLASS_NETLINK_SOCKET;
1320 return SECCLASS_PACKET_SOCKET;
1322 return SECCLASS_KEY_SOCKET;
1324 return SECCLASS_APPLETALK_SOCKET;
1327 return SECCLASS_SOCKET;
1330 static int selinux_genfs_get_sid(struct dentry *dentry,
1336 struct super_block *sb = dentry->d_sb;
1337 char *buffer, *path;
1339 buffer = (char *)__get_free_page(GFP_KERNEL);
1343 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1347 if (flags & SE_SBPROC) {
1348 /* each process gets a /proc/PID/ entry. Strip off the
1349 * PID part to get a valid selinux labeling.
1350 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1351 while (path[1] >= '0' && path[1] <= '9') {
1356 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1358 free_page((unsigned long)buffer);
1362 /* The inode's security attributes must be initialized before first use. */
1363 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1365 struct superblock_security_struct *sbsec = NULL;
1366 struct inode_security_struct *isec = inode->i_security;
1368 struct dentry *dentry;
1369 #define INITCONTEXTLEN 255
1370 char *context = NULL;
1374 if (isec->initialized == LABEL_INITIALIZED)
1377 mutex_lock(&isec->lock);
1378 if (isec->initialized == LABEL_INITIALIZED)
1381 sbsec = inode->i_sb->s_security;
1382 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1383 /* Defer initialization until selinux_complete_init,
1384 after the initial policy is loaded and the security
1385 server is ready to handle calls. */
1386 spin_lock(&sbsec->isec_lock);
1387 if (list_empty(&isec->list))
1388 list_add(&isec->list, &sbsec->isec_head);
1389 spin_unlock(&sbsec->isec_lock);
1393 switch (sbsec->behavior) {
1394 case SECURITY_FS_USE_NATIVE:
1396 case SECURITY_FS_USE_XATTR:
1397 if (!(inode->i_opflags & IOP_XATTR)) {
1398 isec->sid = sbsec->def_sid;
1401 /* Need a dentry, since the xattr API requires one.
1402 Life would be simpler if we could just pass the inode. */
1404 /* Called from d_instantiate or d_splice_alias. */
1405 dentry = dget(opt_dentry);
1407 /* Called from selinux_complete_init, try to find a dentry. */
1408 dentry = d_find_alias(inode);
1412 * this is can be hit on boot when a file is accessed
1413 * before the policy is loaded. When we load policy we
1414 * may find inodes that have no dentry on the
1415 * sbsec->isec_head list. No reason to complain as these
1416 * will get fixed up the next time we go through
1417 * inode_doinit with a dentry, before these inodes could
1418 * be used again by userspace.
1423 len = INITCONTEXTLEN;
1424 context = kmalloc(len+1, GFP_NOFS);
1430 context[len] = '\0';
1431 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1432 if (rc == -ERANGE) {
1435 /* Need a larger buffer. Query for the right size. */
1436 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1442 context = kmalloc(len+1, GFP_NOFS);
1448 context[len] = '\0';
1449 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1453 if (rc != -ENODATA) {
1454 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1455 "%d for dev=%s ino=%ld\n", __func__,
1456 -rc, inode->i_sb->s_id, inode->i_ino);
1460 /* Map ENODATA to the default file SID */
1461 sid = sbsec->def_sid;
1464 rc = security_context_to_sid_default(context, rc, &sid,
1468 char *dev = inode->i_sb->s_id;
1469 unsigned long ino = inode->i_ino;
1471 if (rc == -EINVAL) {
1472 if (printk_ratelimit())
1473 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1474 "context=%s. This indicates you may need to relabel the inode or the "
1475 "filesystem in question.\n", ino, dev, context);
1477 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1478 "returned %d for dev=%s ino=%ld\n",
1479 __func__, context, -rc, dev, ino);
1482 /* Leave with the unlabeled SID */
1490 case SECURITY_FS_USE_TASK:
1491 isec->sid = isec->task_sid;
1493 case SECURITY_FS_USE_TRANS:
1494 /* Default to the fs SID. */
1495 isec->sid = sbsec->sid;
1497 /* Try to obtain a transition SID. */
1498 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1499 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1500 isec->sclass, NULL, &sid);
1505 case SECURITY_FS_USE_MNTPOINT:
1506 isec->sid = sbsec->mntpoint_sid;
1509 /* Default to the fs superblock SID. */
1510 isec->sid = sbsec->sid;
1512 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1513 /* We must have a dentry to determine the label on
1516 /* Called from d_instantiate or
1517 * d_splice_alias. */
1518 dentry = dget(opt_dentry);
1520 /* Called from selinux_complete_init, try to
1522 dentry = d_find_alias(inode);
1524 * This can be hit on boot when a file is accessed
1525 * before the policy is loaded. When we load policy we
1526 * may find inodes that have no dentry on the
1527 * sbsec->isec_head list. No reason to complain as
1528 * these will get fixed up the next time we go through
1529 * inode_doinit() with a dentry, before these inodes
1530 * could be used again by userspace.
1534 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1535 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1536 sbsec->flags, &sid);
1545 isec->initialized = LABEL_INITIALIZED;
1548 mutex_unlock(&isec->lock);
1550 if (isec->sclass == SECCLASS_FILE)
1551 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1555 /* Convert a Linux signal to an access vector. */
1556 static inline u32 signal_to_av(int sig)
1562 /* Commonly granted from child to parent. */
1563 perm = PROCESS__SIGCHLD;
1566 /* Cannot be caught or ignored */
1567 perm = PROCESS__SIGKILL;
1570 /* Cannot be caught or ignored */
1571 perm = PROCESS__SIGSTOP;
1574 /* All other signals. */
1575 perm = PROCESS__SIGNAL;
1583 * Check permission between a pair of credentials
1584 * fork check, ptrace check, etc.
1586 static int cred_has_perm(const struct cred *actor,
1587 const struct cred *target,
1590 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1592 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1596 * Check permission between a pair of tasks, e.g. signal checks,
1597 * fork check, ptrace check, etc.
1598 * tsk1 is the actor and tsk2 is the target
1599 * - this uses the default subjective creds of tsk1
1601 static int task_has_perm(const struct task_struct *tsk1,
1602 const struct task_struct *tsk2,
1605 const struct task_security_struct *__tsec1, *__tsec2;
1609 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1610 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1612 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1616 * Check permission between current and another task, e.g. signal checks,
1617 * fork check, ptrace check, etc.
1618 * current is the actor and tsk2 is the target
1619 * - this uses current's subjective creds
1621 static int current_has_perm(const struct task_struct *tsk,
1626 sid = current_sid();
1627 tsid = task_sid(tsk);
1628 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1631 #if CAP_LAST_CAP > 63
1632 #error Fix SELinux to handle capabilities > 63.
1635 /* Check whether a task is allowed to use a capability. */
1636 static int cred_has_capability(const struct cred *cred,
1637 int cap, int audit, bool initns)
1639 struct common_audit_data ad;
1640 struct av_decision avd;
1642 u32 sid = cred_sid(cred);
1643 u32 av = CAP_TO_MASK(cap);
1646 ad.type = LSM_AUDIT_DATA_CAP;
1649 switch (CAP_TO_INDEX(cap)) {
1651 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1654 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1658 "SELinux: out of range capability %d\n", cap);
1663 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1664 if (audit == SECURITY_CAP_AUDIT) {
1665 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1672 /* Check whether a task is allowed to use a system operation. */
1673 static int task_has_system(struct task_struct *tsk,
1676 u32 sid = task_sid(tsk);
1678 return avc_has_perm(sid, SECINITSID_KERNEL,
1679 SECCLASS_SYSTEM, perms, NULL);
1682 /* Check whether a task has a particular permission to an inode.
1683 The 'adp' parameter is optional and allows other audit
1684 data to be passed (e.g. the dentry). */
1685 static int inode_has_perm(const struct cred *cred,
1686 struct inode *inode,
1688 struct common_audit_data *adp)
1690 struct inode_security_struct *isec;
1693 validate_creds(cred);
1695 if (unlikely(IS_PRIVATE(inode)))
1698 sid = cred_sid(cred);
1699 isec = inode->i_security;
1701 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1704 /* Same as inode_has_perm, but pass explicit audit data containing
1705 the dentry to help the auditing code to more easily generate the
1706 pathname if needed. */
1707 static inline int dentry_has_perm(const struct cred *cred,
1708 struct dentry *dentry,
1711 struct inode *inode = d_backing_inode(dentry);
1712 struct common_audit_data ad;
1714 ad.type = LSM_AUDIT_DATA_DENTRY;
1715 ad.u.dentry = dentry;
1716 __inode_security_revalidate(inode, dentry, true);
1717 return inode_has_perm(cred, inode, av, &ad);
1720 /* Same as inode_has_perm, but pass explicit audit data containing
1721 the path to help the auditing code to more easily generate the
1722 pathname if needed. */
1723 static inline int path_has_perm(const struct cred *cred,
1724 const struct path *path,
1727 struct inode *inode = d_backing_inode(path->dentry);
1728 struct common_audit_data ad;
1730 ad.type = LSM_AUDIT_DATA_PATH;
1732 __inode_security_revalidate(inode, path->dentry, true);
1733 return inode_has_perm(cred, inode, av, &ad);
1736 /* Same as path_has_perm, but uses the inode from the file struct. */
1737 static inline int file_path_has_perm(const struct cred *cred,
1741 struct common_audit_data ad;
1743 ad.type = LSM_AUDIT_DATA_FILE;
1745 return inode_has_perm(cred, file_inode(file), av, &ad);
1748 /* Check whether a task can use an open file descriptor to
1749 access an inode in a given way. Check access to the
1750 descriptor itself, and then use dentry_has_perm to
1751 check a particular permission to the file.
1752 Access to the descriptor is implicitly granted if it
1753 has the same SID as the process. If av is zero, then
1754 access to the file is not checked, e.g. for cases
1755 where only the descriptor is affected like seek. */
1756 static int file_has_perm(const struct cred *cred,
1760 struct file_security_struct *fsec = file->f_security;
1761 struct inode *inode = file_inode(file);
1762 struct common_audit_data ad;
1763 u32 sid = cred_sid(cred);
1766 ad.type = LSM_AUDIT_DATA_FILE;
1769 if (sid != fsec->sid) {
1770 rc = avc_has_perm(sid, fsec->sid,
1778 /* av is zero if only checking access to the descriptor. */
1781 rc = inode_has_perm(cred, inode, av, &ad);
1788 * Determine the label for an inode that might be unioned.
1791 selinux_determine_inode_label(const struct task_security_struct *tsec,
1793 const struct qstr *name, u16 tclass,
1796 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1798 if ((sbsec->flags & SE_SBINITIALIZED) &&
1799 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1800 *_new_isid = sbsec->mntpoint_sid;
1801 } else if ((sbsec->flags & SBLABEL_MNT) &&
1803 *_new_isid = tsec->create_sid;
1805 const struct inode_security_struct *dsec = inode_security(dir);
1806 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1813 /* Check whether a task can create a file. */
1814 static int may_create(struct inode *dir,
1815 struct dentry *dentry,
1818 const struct task_security_struct *tsec = current_security();
1819 struct inode_security_struct *dsec;
1820 struct superblock_security_struct *sbsec;
1822 struct common_audit_data ad;
1825 dsec = inode_security(dir);
1826 sbsec = dir->i_sb->s_security;
1830 ad.type = LSM_AUDIT_DATA_DENTRY;
1831 ad.u.dentry = dentry;
1833 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1834 DIR__ADD_NAME | DIR__SEARCH,
1839 rc = selinux_determine_inode_label(current_security(), dir,
1840 &dentry->d_name, tclass, &newsid);
1844 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1848 return avc_has_perm(newsid, sbsec->sid,
1849 SECCLASS_FILESYSTEM,
1850 FILESYSTEM__ASSOCIATE, &ad);
1853 /* Check whether a task can create a key. */
1854 static int may_create_key(u32 ksid,
1855 struct task_struct *ctx)
1857 u32 sid = task_sid(ctx);
1859 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1863 #define MAY_UNLINK 1
1866 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1867 static int may_link(struct inode *dir,
1868 struct dentry *dentry,
1872 struct inode_security_struct *dsec, *isec;
1873 struct common_audit_data ad;
1874 u32 sid = current_sid();
1878 dsec = inode_security(dir);
1879 isec = backing_inode_security(dentry);
1881 ad.type = LSM_AUDIT_DATA_DENTRY;
1882 ad.u.dentry = dentry;
1885 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1886 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1901 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1906 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1910 static inline int may_rename(struct inode *old_dir,
1911 struct dentry *old_dentry,
1912 struct inode *new_dir,
1913 struct dentry *new_dentry)
1915 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1916 struct common_audit_data ad;
1917 u32 sid = current_sid();
1919 int old_is_dir, new_is_dir;
1922 old_dsec = inode_security(old_dir);
1923 old_isec = backing_inode_security(old_dentry);
1924 old_is_dir = d_is_dir(old_dentry);
1925 new_dsec = inode_security(new_dir);
1927 ad.type = LSM_AUDIT_DATA_DENTRY;
1929 ad.u.dentry = old_dentry;
1930 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1931 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1934 rc = avc_has_perm(sid, old_isec->sid,
1935 old_isec->sclass, FILE__RENAME, &ad);
1938 if (old_is_dir && new_dir != old_dir) {
1939 rc = avc_has_perm(sid, old_isec->sid,
1940 old_isec->sclass, DIR__REPARENT, &ad);
1945 ad.u.dentry = new_dentry;
1946 av = DIR__ADD_NAME | DIR__SEARCH;
1947 if (d_is_positive(new_dentry))
1948 av |= DIR__REMOVE_NAME;
1949 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1952 if (d_is_positive(new_dentry)) {
1953 new_isec = backing_inode_security(new_dentry);
1954 new_is_dir = d_is_dir(new_dentry);
1955 rc = avc_has_perm(sid, new_isec->sid,
1957 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1965 /* Check whether a task can perform a filesystem operation. */
1966 static int superblock_has_perm(const struct cred *cred,
1967 struct super_block *sb,
1969 struct common_audit_data *ad)
1971 struct superblock_security_struct *sbsec;
1972 u32 sid = cred_sid(cred);
1974 sbsec = sb->s_security;
1975 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1978 /* Convert a Linux mode and permission mask to an access vector. */
1979 static inline u32 file_mask_to_av(int mode, int mask)
1983 if (!S_ISDIR(mode)) {
1984 if (mask & MAY_EXEC)
1985 av |= FILE__EXECUTE;
1986 if (mask & MAY_READ)
1989 if (mask & MAY_APPEND)
1991 else if (mask & MAY_WRITE)
1995 if (mask & MAY_EXEC)
1997 if (mask & MAY_WRITE)
1999 if (mask & MAY_READ)
2006 /* Convert a Linux file to an access vector. */
2007 static inline u32 file_to_av(struct file *file)
2011 if (file->f_mode & FMODE_READ)
2013 if (file->f_mode & FMODE_WRITE) {
2014 if (file->f_flags & O_APPEND)
2021 * Special file opened with flags 3 for ioctl-only use.
2030 * Convert a file to an access vector and include the correct open
2033 static inline u32 open_file_to_av(struct file *file)
2035 u32 av = file_to_av(file);
2036 struct inode *inode = file_inode(file);
2038 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2044 /* Hook functions begin here. */
2046 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2048 u32 mysid = current_sid();
2049 u32 mgrsid = task_sid(mgr);
2051 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2052 BINDER__SET_CONTEXT_MGR, NULL);
2055 static int selinux_binder_transaction(struct task_struct *from,
2056 struct task_struct *to)
2058 u32 mysid = current_sid();
2059 u32 fromsid = task_sid(from);
2060 u32 tosid = task_sid(to);
2063 if (mysid != fromsid) {
2064 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2065 BINDER__IMPERSONATE, NULL);
2070 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2074 static int selinux_binder_transfer_binder(struct task_struct *from,
2075 struct task_struct *to)
2077 u32 fromsid = task_sid(from);
2078 u32 tosid = task_sid(to);
2080 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2084 static int selinux_binder_transfer_file(struct task_struct *from,
2085 struct task_struct *to,
2088 u32 sid = task_sid(to);
2089 struct file_security_struct *fsec = file->f_security;
2090 struct dentry *dentry = file->f_path.dentry;
2091 struct inode_security_struct *isec;
2092 struct common_audit_data ad;
2095 ad.type = LSM_AUDIT_DATA_PATH;
2096 ad.u.path = file->f_path;
2098 if (sid != fsec->sid) {
2099 rc = avc_has_perm(sid, fsec->sid,
2107 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2110 isec = backing_inode_security(dentry);
2111 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2115 static int selinux_ptrace_access_check(struct task_struct *child,
2118 if (mode & PTRACE_MODE_READ) {
2119 u32 sid = current_sid();
2120 u32 csid = task_sid(child);
2121 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2124 return current_has_perm(child, PROCESS__PTRACE);
2127 static int selinux_ptrace_traceme(struct task_struct *parent)
2129 return task_has_perm(parent, current, PROCESS__PTRACE);
2132 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2133 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2135 return current_has_perm(target, PROCESS__GETCAP);
2138 static int selinux_capset(struct cred *new, const struct cred *old,
2139 const kernel_cap_t *effective,
2140 const kernel_cap_t *inheritable,
2141 const kernel_cap_t *permitted)
2143 return cred_has_perm(old, new, PROCESS__SETCAP);
2147 * (This comment used to live with the selinux_task_setuid hook,
2148 * which was removed).
2150 * Since setuid only affects the current process, and since the SELinux
2151 * controls are not based on the Linux identity attributes, SELinux does not
2152 * need to control this operation. However, SELinux does control the use of
2153 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2156 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2159 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2162 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2164 const struct cred *cred = current_cred();
2176 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2181 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2184 rc = 0; /* let the kernel handle invalid cmds */
2190 static int selinux_quota_on(struct dentry *dentry)
2192 const struct cred *cred = current_cred();
2194 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2197 static int selinux_syslog(int type)
2202 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2203 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2204 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2206 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2207 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2208 /* Set level of messages printed to console */
2209 case SYSLOG_ACTION_CONSOLE_LEVEL:
2210 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2212 case SYSLOG_ACTION_CLOSE: /* Close log */
2213 case SYSLOG_ACTION_OPEN: /* Open log */
2214 case SYSLOG_ACTION_READ: /* Read from log */
2215 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2216 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2218 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2225 * Check that a process has enough memory to allocate a new virtual
2226 * mapping. 0 means there is enough memory for the allocation to
2227 * succeed and -ENOMEM implies there is not.
2229 * Do not audit the selinux permission check, as this is applied to all
2230 * processes that allocate mappings.
2232 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2234 int rc, cap_sys_admin = 0;
2236 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2237 SECURITY_CAP_NOAUDIT, true);
2241 return cap_sys_admin;
2244 /* binprm security operations */
2246 static u32 ptrace_parent_sid(struct task_struct *task)
2249 struct task_struct *tracer;
2252 tracer = ptrace_parent(task);
2254 sid = task_sid(tracer);
2260 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2261 const struct task_security_struct *old_tsec,
2262 const struct task_security_struct *new_tsec)
2264 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2265 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2268 if (!nnp && !nosuid)
2269 return 0; /* neither NNP nor nosuid */
2271 if (new_tsec->sid == old_tsec->sid)
2272 return 0; /* No change in credentials */
2275 * The only transitions we permit under NNP or nosuid
2276 * are transitions to bounded SIDs, i.e. SIDs that are
2277 * guaranteed to only be allowed a subset of the permissions
2278 * of the current SID.
2280 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2283 * On failure, preserve the errno values for NNP vs nosuid.
2284 * NNP: Operation not permitted for caller.
2285 * nosuid: Permission denied to file.
2295 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2297 const struct task_security_struct *old_tsec;
2298 struct task_security_struct *new_tsec;
2299 struct inode_security_struct *isec;
2300 struct common_audit_data ad;
2301 struct inode *inode = file_inode(bprm->file);
2304 /* SELinux context only depends on initial program or script and not
2305 * the script interpreter */
2306 if (bprm->cred_prepared)
2309 old_tsec = current_security();
2310 new_tsec = bprm->cred->security;
2311 isec = inode_security(inode);
2313 /* Default to the current task SID. */
2314 new_tsec->sid = old_tsec->sid;
2315 new_tsec->osid = old_tsec->sid;
2317 /* Reset fs, key, and sock SIDs on execve. */
2318 new_tsec->create_sid = 0;
2319 new_tsec->keycreate_sid = 0;
2320 new_tsec->sockcreate_sid = 0;
2322 if (old_tsec->exec_sid) {
2323 new_tsec->sid = old_tsec->exec_sid;
2324 /* Reset exec SID on execve. */
2325 new_tsec->exec_sid = 0;
2327 /* Fail on NNP or nosuid if not an allowed transition. */
2328 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2332 /* Check for a default transition on this program. */
2333 rc = security_transition_sid(old_tsec->sid, isec->sid,
2334 SECCLASS_PROCESS, NULL,
2340 * Fallback to old SID on NNP or nosuid if not an allowed
2343 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2345 new_tsec->sid = old_tsec->sid;
2348 ad.type = LSM_AUDIT_DATA_FILE;
2349 ad.u.file = bprm->file;
2351 if (new_tsec->sid == old_tsec->sid) {
2352 rc = avc_has_perm(old_tsec->sid, isec->sid,
2353 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2357 /* Check permissions for the transition. */
2358 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2359 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2363 rc = avc_has_perm(new_tsec->sid, isec->sid,
2364 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2368 /* Check for shared state */
2369 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2370 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2371 SECCLASS_PROCESS, PROCESS__SHARE,
2377 /* Make sure that anyone attempting to ptrace over a task that
2378 * changes its SID has the appropriate permit */
2380 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2381 u32 ptsid = ptrace_parent_sid(current);
2383 rc = avc_has_perm(ptsid, new_tsec->sid,
2385 PROCESS__PTRACE, NULL);
2391 /* Clear any possibly unsafe personality bits on exec: */
2392 bprm->per_clear |= PER_CLEAR_ON_SETID;
2398 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2400 const struct task_security_struct *tsec = current_security();
2408 /* Enable secure mode for SIDs transitions unless
2409 the noatsecure permission is granted between
2410 the two SIDs, i.e. ahp returns 0. */
2411 atsecure = avc_has_perm(osid, sid,
2413 PROCESS__NOATSECURE, NULL);
2419 static int match_file(const void *p, struct file *file, unsigned fd)
2421 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2424 /* Derived from fs/exec.c:flush_old_files. */
2425 static inline void flush_unauthorized_files(const struct cred *cred,
2426 struct files_struct *files)
2428 struct file *file, *devnull = NULL;
2429 struct tty_struct *tty;
2433 tty = get_current_tty();
2435 spin_lock(&tty->files_lock);
2436 if (!list_empty(&tty->tty_files)) {
2437 struct tty_file_private *file_priv;
2439 /* Revalidate access to controlling tty.
2440 Use file_path_has_perm on the tty path directly
2441 rather than using file_has_perm, as this particular
2442 open file may belong to another process and we are
2443 only interested in the inode-based check here. */
2444 file_priv = list_first_entry(&tty->tty_files,
2445 struct tty_file_private, list);
2446 file = file_priv->file;
2447 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2450 spin_unlock(&tty->files_lock);
2453 /* Reset controlling tty. */
2457 /* Revalidate access to inherited open files. */
2458 n = iterate_fd(files, 0, match_file, cred);
2459 if (!n) /* none found? */
2462 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2463 if (IS_ERR(devnull))
2465 /* replace all the matching ones with this */
2467 replace_fd(n - 1, devnull, 0);
2468 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2474 * Prepare a process for imminent new credential changes due to exec
2476 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2478 struct task_security_struct *new_tsec;
2479 struct rlimit *rlim, *initrlim;
2482 new_tsec = bprm->cred->security;
2483 if (new_tsec->sid == new_tsec->osid)
2486 /* Close files for which the new task SID is not authorized. */
2487 flush_unauthorized_files(bprm->cred, current->files);
2489 /* Always clear parent death signal on SID transitions. */
2490 current->pdeath_signal = 0;
2492 /* Check whether the new SID can inherit resource limits from the old
2493 * SID. If not, reset all soft limits to the lower of the current
2494 * task's hard limit and the init task's soft limit.
2496 * Note that the setting of hard limits (even to lower them) can be
2497 * controlled by the setrlimit check. The inclusion of the init task's
2498 * soft limit into the computation is to avoid resetting soft limits
2499 * higher than the default soft limit for cases where the default is
2500 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2502 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2503 PROCESS__RLIMITINH, NULL);
2505 /* protect against do_prlimit() */
2507 for (i = 0; i < RLIM_NLIMITS; i++) {
2508 rlim = current->signal->rlim + i;
2509 initrlim = init_task.signal->rlim + i;
2510 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2512 task_unlock(current);
2513 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2518 * Clean up the process immediately after the installation of new credentials
2521 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2523 const struct task_security_struct *tsec = current_security();
2524 struct itimerval itimer;
2534 /* Check whether the new SID can inherit signal state from the old SID.
2535 * If not, clear itimers to avoid subsequent signal generation and
2536 * flush and unblock signals.
2538 * This must occur _after_ the task SID has been updated so that any
2539 * kill done after the flush will be checked against the new SID.
2541 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2543 memset(&itimer, 0, sizeof itimer);
2544 for (i = 0; i < 3; i++)
2545 do_setitimer(i, &itimer, NULL);
2546 spin_lock_irq(¤t->sighand->siglock);
2547 if (!fatal_signal_pending(current)) {
2548 flush_sigqueue(¤t->pending);
2549 flush_sigqueue(¤t->signal->shared_pending);
2550 flush_signal_handlers(current, 1);
2551 sigemptyset(¤t->blocked);
2552 recalc_sigpending();
2554 spin_unlock_irq(¤t->sighand->siglock);
2557 /* Wake up the parent if it is waiting so that it can recheck
2558 * wait permission to the new task SID. */
2559 read_lock(&tasklist_lock);
2560 __wake_up_parent(current, current->real_parent);
2561 read_unlock(&tasklist_lock);
2564 /* superblock security operations */
2566 static int selinux_sb_alloc_security(struct super_block *sb)
2568 return superblock_alloc_security(sb);
2571 static void selinux_sb_free_security(struct super_block *sb)
2573 superblock_free_security(sb);
2576 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2581 return !memcmp(prefix, option, plen);
2584 static inline int selinux_option(char *option, int len)
2586 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2587 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2588 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2589 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2590 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2593 static inline void take_option(char **to, char *from, int *first, int len)
2600 memcpy(*to, from, len);
2604 static inline void take_selinux_option(char **to, char *from, int *first,
2607 int current_size = 0;
2615 while (current_size < len) {
2625 static int selinux_sb_copy_data(char *orig, char *copy)
2627 int fnosec, fsec, rc = 0;
2628 char *in_save, *in_curr, *in_end;
2629 char *sec_curr, *nosec_save, *nosec;
2635 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2643 in_save = in_end = orig;
2647 open_quote = !open_quote;
2648 if ((*in_end == ',' && open_quote == 0) ||
2650 int len = in_end - in_curr;
2652 if (selinux_option(in_curr, len))
2653 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2655 take_option(&nosec, in_curr, &fnosec, len);
2657 in_curr = in_end + 1;
2659 } while (*in_end++);
2661 strcpy(in_save, nosec_save);
2662 free_page((unsigned long)nosec_save);
2667 static int selinux_sb_remount(struct super_block *sb, void *data)
2670 struct security_mnt_opts opts;
2671 char *secdata, **mount_options;
2672 struct superblock_security_struct *sbsec = sb->s_security;
2674 if (!(sbsec->flags & SE_SBINITIALIZED))
2680 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2683 security_init_mnt_opts(&opts);
2684 secdata = alloc_secdata();
2687 rc = selinux_sb_copy_data(data, secdata);
2689 goto out_free_secdata;
2691 rc = selinux_parse_opts_str(secdata, &opts);
2693 goto out_free_secdata;
2695 mount_options = opts.mnt_opts;
2696 flags = opts.mnt_opts_flags;
2698 for (i = 0; i < opts.num_mnt_opts; i++) {
2701 if (flags[i] == SBLABEL_MNT)
2703 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2705 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2706 "(%s) failed for (dev %s, type %s) errno=%d\n",
2707 mount_options[i], sb->s_id, sb->s_type->name, rc);
2713 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2714 goto out_bad_option;
2717 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2718 goto out_bad_option;
2720 case ROOTCONTEXT_MNT: {
2721 struct inode_security_struct *root_isec;
2722 root_isec = backing_inode_security(sb->s_root);
2724 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2725 goto out_bad_option;
2728 case DEFCONTEXT_MNT:
2729 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2730 goto out_bad_option;
2739 security_free_mnt_opts(&opts);
2741 free_secdata(secdata);
2744 printk(KERN_WARNING "SELinux: unable to change security options "
2745 "during remount (dev %s, type=%s)\n", sb->s_id,
2750 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2752 const struct cred *cred = current_cred();
2753 struct common_audit_data ad;
2756 rc = superblock_doinit(sb, data);
2760 /* Allow all mounts performed by the kernel */
2761 if (flags & MS_KERNMOUNT)
2764 ad.type = LSM_AUDIT_DATA_DENTRY;
2765 ad.u.dentry = sb->s_root;
2766 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2769 static int selinux_sb_statfs(struct dentry *dentry)
2771 const struct cred *cred = current_cred();
2772 struct common_audit_data ad;
2774 ad.type = LSM_AUDIT_DATA_DENTRY;
2775 ad.u.dentry = dentry->d_sb->s_root;
2776 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2779 static int selinux_mount(const char *dev_name,
2780 const struct path *path,
2782 unsigned long flags,
2785 const struct cred *cred = current_cred();
2787 if (flags & MS_REMOUNT)
2788 return superblock_has_perm(cred, path->dentry->d_sb,
2789 FILESYSTEM__REMOUNT, NULL);
2791 return path_has_perm(cred, path, FILE__MOUNTON);
2794 static int selinux_umount(struct vfsmount *mnt, int flags)
2796 const struct cred *cred = current_cred();
2798 return superblock_has_perm(cred, mnt->mnt_sb,
2799 FILESYSTEM__UNMOUNT, NULL);
2802 /* inode security operations */
2804 static int selinux_inode_alloc_security(struct inode *inode)
2806 return inode_alloc_security(inode);
2809 static void selinux_inode_free_security(struct inode *inode)
2811 inode_free_security(inode);
2814 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2815 const struct qstr *name, void **ctx,
2821 rc = selinux_determine_inode_label(current_security(),
2822 d_inode(dentry->d_parent), name,
2823 inode_mode_to_security_class(mode),
2828 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2831 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2833 const struct cred *old,
2838 struct task_security_struct *tsec;
2840 rc = selinux_determine_inode_label(old->security,
2841 d_inode(dentry->d_parent), name,
2842 inode_mode_to_security_class(mode),
2847 tsec = new->security;
2848 tsec->create_sid = newsid;
2852 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2853 const struct qstr *qstr,
2855 void **value, size_t *len)
2857 const struct task_security_struct *tsec = current_security();
2858 struct superblock_security_struct *sbsec;
2859 u32 sid, newsid, clen;
2863 sbsec = dir->i_sb->s_security;
2866 newsid = tsec->create_sid;
2868 rc = selinux_determine_inode_label(current_security(),
2870 inode_mode_to_security_class(inode->i_mode),
2875 /* Possibly defer initialization to selinux_complete_init. */
2876 if (sbsec->flags & SE_SBINITIALIZED) {
2877 struct inode_security_struct *isec = inode->i_security;
2878 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2880 isec->initialized = LABEL_INITIALIZED;
2883 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2887 *name = XATTR_SELINUX_SUFFIX;
2890 rc = security_sid_to_context_force(newsid, &context, &clen);
2900 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2902 return may_create(dir, dentry, SECCLASS_FILE);
2905 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2907 return may_link(dir, old_dentry, MAY_LINK);
2910 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2912 return may_link(dir, dentry, MAY_UNLINK);
2915 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2917 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2920 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2922 return may_create(dir, dentry, SECCLASS_DIR);
2925 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2927 return may_link(dir, dentry, MAY_RMDIR);
2930 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2932 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2935 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2936 struct inode *new_inode, struct dentry *new_dentry)
2938 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2941 static int selinux_inode_readlink(struct dentry *dentry)
2943 const struct cred *cred = current_cred();
2945 return dentry_has_perm(cred, dentry, FILE__READ);
2948 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2951 const struct cred *cred = current_cred();
2952 struct common_audit_data ad;
2953 struct inode_security_struct *isec;
2956 validate_creds(cred);
2958 ad.type = LSM_AUDIT_DATA_DENTRY;
2959 ad.u.dentry = dentry;
2960 sid = cred_sid(cred);
2961 isec = inode_security_rcu(inode, rcu);
2963 return PTR_ERR(isec);
2965 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2966 rcu ? MAY_NOT_BLOCK : 0);
2969 static noinline int audit_inode_permission(struct inode *inode,
2970 u32 perms, u32 audited, u32 denied,
2974 struct common_audit_data ad;
2975 struct inode_security_struct *isec = inode->i_security;
2978 ad.type = LSM_AUDIT_DATA_INODE;
2981 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2982 audited, denied, result, &ad, flags);
2988 static int selinux_inode_permission(struct inode *inode, int mask)
2990 const struct cred *cred = current_cred();
2993 unsigned flags = mask & MAY_NOT_BLOCK;
2994 struct inode_security_struct *isec;
2996 struct av_decision avd;
2998 u32 audited, denied;
3000 from_access = mask & MAY_ACCESS;
3001 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3003 /* No permission to check. Existence test. */
3007 validate_creds(cred);
3009 if (unlikely(IS_PRIVATE(inode)))
3012 perms = file_mask_to_av(inode->i_mode, mask);
3014 sid = cred_sid(cred);
3015 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3017 return PTR_ERR(isec);
3019 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3020 audited = avc_audit_required(perms, &avd, rc,
3021 from_access ? FILE__AUDIT_ACCESS : 0,
3023 if (likely(!audited))
3026 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3032 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3034 const struct cred *cred = current_cred();
3035 struct inode *inode = d_backing_inode(dentry);
3036 unsigned int ia_valid = iattr->ia_valid;
3037 __u32 av = FILE__WRITE;
3039 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3040 if (ia_valid & ATTR_FORCE) {
3041 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3047 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3048 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3049 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3051 if (selinux_policycap_openperm &&
3052 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3053 (ia_valid & ATTR_SIZE) &&
3054 !(ia_valid & ATTR_FILE))
3057 return dentry_has_perm(cred, dentry, av);
3060 static int selinux_inode_getattr(const struct path *path)
3062 return path_has_perm(current_cred(), path, FILE__GETATTR);
3065 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3067 const struct cred *cred = current_cred();
3069 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3070 sizeof XATTR_SECURITY_PREFIX - 1)) {
3071 if (!strcmp(name, XATTR_NAME_CAPS)) {
3072 if (!capable(CAP_SETFCAP))
3074 } else if (!capable(CAP_SYS_ADMIN)) {
3075 /* A different attribute in the security namespace.
3076 Restrict to administrator. */
3081 /* Not an attribute we recognize, so just check the
3082 ordinary setattr permission. */
3083 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3086 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3087 const void *value, size_t size, int flags)
3089 struct inode *inode = d_backing_inode(dentry);
3090 struct inode_security_struct *isec;
3091 struct superblock_security_struct *sbsec;
3092 struct common_audit_data ad;
3093 u32 newsid, sid = current_sid();
3096 if (strcmp(name, XATTR_NAME_SELINUX))
3097 return selinux_inode_setotherxattr(dentry, name);
3099 sbsec = inode->i_sb->s_security;
3100 if (!(sbsec->flags & SBLABEL_MNT))
3103 if (!inode_owner_or_capable(inode))
3106 ad.type = LSM_AUDIT_DATA_DENTRY;
3107 ad.u.dentry = dentry;
3109 isec = backing_inode_security(dentry);
3110 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3111 FILE__RELABELFROM, &ad);
3115 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3116 if (rc == -EINVAL) {
3117 if (!capable(CAP_MAC_ADMIN)) {
3118 struct audit_buffer *ab;
3122 /* We strip a nul only if it is at the end, otherwise the
3123 * context contains a nul and we should audit that */
3126 if (str[size - 1] == '\0')
3127 audit_size = size - 1;
3134 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3135 audit_log_format(ab, "op=setxattr invalid_context=");
3136 audit_log_n_untrustedstring(ab, value, audit_size);
3141 rc = security_context_to_sid_force(value, size, &newsid);
3146 rc = avc_has_perm(sid, newsid, isec->sclass,
3147 FILE__RELABELTO, &ad);
3151 rc = security_validate_transition(isec->sid, newsid, sid,
3156 return avc_has_perm(newsid,
3158 SECCLASS_FILESYSTEM,
3159 FILESYSTEM__ASSOCIATE,
3163 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3164 const void *value, size_t size,
3167 struct inode *inode = d_backing_inode(dentry);
3168 struct inode_security_struct *isec;
3172 if (strcmp(name, XATTR_NAME_SELINUX)) {
3173 /* Not an attribute we recognize, so nothing to do. */
3177 rc = security_context_to_sid_force(value, size, &newsid);
3179 printk(KERN_ERR "SELinux: unable to map context to SID"
3180 "for (%s, %lu), rc=%d\n",
3181 inode->i_sb->s_id, inode->i_ino, -rc);
3185 isec = backing_inode_security(dentry);
3186 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3188 isec->initialized = LABEL_INITIALIZED;
3193 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3195 const struct cred *cred = current_cred();
3197 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3200 static int selinux_inode_listxattr(struct dentry *dentry)
3202 const struct cred *cred = current_cred();
3204 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3207 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3209 if (strcmp(name, XATTR_NAME_SELINUX))
3210 return selinux_inode_setotherxattr(dentry, name);
3212 /* No one is allowed to remove a SELinux security label.
3213 You can change the label, but all data must be labeled. */
3218 * Copy the inode security context value to the user.
3220 * Permission check is handled by selinux_inode_getxattr hook.
3222 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3226 char *context = NULL;
3227 struct inode_security_struct *isec;
3229 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3233 * If the caller has CAP_MAC_ADMIN, then get the raw context
3234 * value even if it is not defined by current policy; otherwise,
3235 * use the in-core value under current policy.
3236 * Use the non-auditing forms of the permission checks since
3237 * getxattr may be called by unprivileged processes commonly
3238 * and lack of permission just means that we fall back to the
3239 * in-core context value, not a denial.
3241 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3242 SECURITY_CAP_NOAUDIT);
3244 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3245 SECURITY_CAP_NOAUDIT, true);
3246 isec = inode_security(inode);
3248 error = security_sid_to_context_force(isec->sid, &context,
3251 error = security_sid_to_context(isec->sid, &context, &size);
3264 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3265 const void *value, size_t size, int flags)
3267 struct inode_security_struct *isec = inode_security_novalidate(inode);
3271 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3274 if (!value || !size)
3277 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3281 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3283 isec->initialized = LABEL_INITIALIZED;
3287 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3289 const int len = sizeof(XATTR_NAME_SELINUX);
3290 if (buffer && len <= buffer_size)
3291 memcpy(buffer, XATTR_NAME_SELINUX, len);
3295 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3297 struct inode_security_struct *isec = inode_security_novalidate(inode);
3301 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3304 struct task_security_struct *tsec;
3305 struct cred *new_creds = *new;
3307 if (new_creds == NULL) {
3308 new_creds = prepare_creds();
3313 tsec = new_creds->security;
3314 /* Get label from overlay inode and set it in create_sid */
3315 selinux_inode_getsecid(d_inode(src), &sid);
3316 tsec->create_sid = sid;
3321 static int selinux_inode_copy_up_xattr(const char *name)
3323 /* The copy_up hook above sets the initial context on an inode, but we
3324 * don't then want to overwrite it by blindly copying all the lower
3325 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3327 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3328 return 1; /* Discard */
3330 * Any other attribute apart from SELINUX is not claimed, supported
3336 /* file security operations */
3338 static int selinux_revalidate_file_permission(struct file *file, int mask)
3340 const struct cred *cred = current_cred();
3341 struct inode *inode = file_inode(file);
3343 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3344 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3347 return file_has_perm(cred, file,
3348 file_mask_to_av(inode->i_mode, mask));
3351 static int selinux_file_permission(struct file *file, int mask)
3353 struct inode *inode = file_inode(file);
3354 struct file_security_struct *fsec = file->f_security;
3355 struct inode_security_struct *isec;
3356 u32 sid = current_sid();
3359 /* No permission to check. Existence test. */
3362 isec = inode_security(inode);
3363 if (sid == fsec->sid && fsec->isid == isec->sid &&
3364 fsec->pseqno == avc_policy_seqno())
3365 /* No change since file_open check. */
3368 return selinux_revalidate_file_permission(file, mask);
3371 static int selinux_file_alloc_security(struct file *file)
3373 return file_alloc_security(file);
3376 static void selinux_file_free_security(struct file *file)
3378 file_free_security(file);
3382 * Check whether a task has the ioctl permission and cmd
3383 * operation to an inode.
3385 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3386 u32 requested, u16 cmd)
3388 struct common_audit_data ad;
3389 struct file_security_struct *fsec = file->f_security;
3390 struct inode *inode = file_inode(file);
3391 struct inode_security_struct *isec;
3392 struct lsm_ioctlop_audit ioctl;
3393 u32 ssid = cred_sid(cred);
3395 u8 driver = cmd >> 8;
3396 u8 xperm = cmd & 0xff;
3398 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3401 ad.u.op->path = file->f_path;
3403 if (ssid != fsec->sid) {
3404 rc = avc_has_perm(ssid, fsec->sid,
3412 if (unlikely(IS_PRIVATE(inode)))
3415 isec = inode_security(inode);
3416 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3417 requested, driver, xperm, &ad);
3422 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3425 const struct cred *cred = current_cred();
3435 case FS_IOC_GETFLAGS:
3437 case FS_IOC_GETVERSION:
3438 error = file_has_perm(cred, file, FILE__GETATTR);
3441 case FS_IOC_SETFLAGS:
3443 case FS_IOC_SETVERSION:
3444 error = file_has_perm(cred, file, FILE__SETATTR);
3447 /* sys_ioctl() checks */
3451 error = file_has_perm(cred, file, 0);
3456 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3457 SECURITY_CAP_AUDIT, true);
3460 /* default case assumes that the command will go
3461 * to the file's ioctl() function.
3464 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3469 static int default_noexec;
3471 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3473 const struct cred *cred = current_cred();
3476 if (default_noexec &&
3477 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3478 (!shared && (prot & PROT_WRITE)))) {
3480 * We are making executable an anonymous mapping or a
3481 * private file mapping that will also be writable.
3482 * This has an additional check.
3484 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3490 /* read access is always possible with a mapping */
3491 u32 av = FILE__READ;
3493 /* write access only matters if the mapping is shared */
3494 if (shared && (prot & PROT_WRITE))
3497 if (prot & PROT_EXEC)
3498 av |= FILE__EXECUTE;
3500 return file_has_perm(cred, file, av);
3507 static int selinux_mmap_addr(unsigned long addr)
3511 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3512 u32 sid = current_sid();
3513 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3514 MEMPROTECT__MMAP_ZERO, NULL);
3520 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3521 unsigned long prot, unsigned long flags)
3523 if (selinux_checkreqprot)
3526 return file_map_prot_check(file, prot,
3527 (flags & MAP_TYPE) == MAP_SHARED);
3530 static int selinux_file_mprotect(struct vm_area_struct *vma,
3531 unsigned long reqprot,
3534 const struct cred *cred = current_cred();
3536 if (selinux_checkreqprot)
3539 if (default_noexec &&
3540 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3542 if (vma->vm_start >= vma->vm_mm->start_brk &&
3543 vma->vm_end <= vma->vm_mm->brk) {
3544 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3545 } else if (!vma->vm_file &&
3546 ((vma->vm_start <= vma->vm_mm->start_stack &&
3547 vma->vm_end >= vma->vm_mm->start_stack) ||
3548 vma_is_stack_for_current(vma))) {
3549 rc = current_has_perm(current, PROCESS__EXECSTACK);
3550 } else if (vma->vm_file && vma->anon_vma) {
3552 * We are making executable a file mapping that has
3553 * had some COW done. Since pages might have been
3554 * written, check ability to execute the possibly
3555 * modified content. This typically should only
3556 * occur for text relocations.
3558 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3564 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3567 static int selinux_file_lock(struct file *file, unsigned int cmd)
3569 const struct cred *cred = current_cred();
3571 return file_has_perm(cred, file, FILE__LOCK);
3574 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3577 const struct cred *cred = current_cred();
3582 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3583 err = file_has_perm(cred, file, FILE__WRITE);
3592 case F_GETOWNER_UIDS:
3593 /* Just check FD__USE permission */
3594 err = file_has_perm(cred, file, 0);
3602 #if BITS_PER_LONG == 32
3607 err = file_has_perm(cred, file, FILE__LOCK);
3614 static void selinux_file_set_fowner(struct file *file)
3616 struct file_security_struct *fsec;
3618 fsec = file->f_security;
3619 fsec->fown_sid = current_sid();
3622 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3623 struct fown_struct *fown, int signum)
3626 u32 sid = task_sid(tsk);
3628 struct file_security_struct *fsec;
3630 /* struct fown_struct is never outside the context of a struct file */
3631 file = container_of(fown, struct file, f_owner);
3633 fsec = file->f_security;
3636 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3638 perm = signal_to_av(signum);
3640 return avc_has_perm(fsec->fown_sid, sid,
3641 SECCLASS_PROCESS, perm, NULL);
3644 static int selinux_file_receive(struct file *file)
3646 const struct cred *cred = current_cred();
3648 return file_has_perm(cred, file, file_to_av(file));
3651 static int selinux_file_open(struct file *file, const struct cred *cred)
3653 struct file_security_struct *fsec;
3654 struct inode_security_struct *isec;
3656 fsec = file->f_security;
3657 isec = inode_security(file_inode(file));
3659 * Save inode label and policy sequence number
3660 * at open-time so that selinux_file_permission
3661 * can determine whether revalidation is necessary.
3662 * Task label is already saved in the file security
3663 * struct as its SID.
3665 fsec->isid = isec->sid;
3666 fsec->pseqno = avc_policy_seqno();
3668 * Since the inode label or policy seqno may have changed
3669 * between the selinux_inode_permission check and the saving
3670 * of state above, recheck that access is still permitted.
3671 * Otherwise, access might never be revalidated against the
3672 * new inode label or new policy.
3673 * This check is not redundant - do not remove.
3675 return file_path_has_perm(cred, file, open_file_to_av(file));
3678 /* task security operations */
3680 static int selinux_task_create(unsigned long clone_flags)
3682 return current_has_perm(current, PROCESS__FORK);
3686 * allocate the SELinux part of blank credentials
3688 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3690 struct task_security_struct *tsec;
3692 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3696 cred->security = tsec;
3701 * detach and free the LSM part of a set of credentials
3703 static void selinux_cred_free(struct cred *cred)
3705 struct task_security_struct *tsec = cred->security;
3708 * cred->security == NULL if security_cred_alloc_blank() or
3709 * security_prepare_creds() returned an error.
3711 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3712 cred->security = (void *) 0x7UL;
3717 * prepare a new set of credentials for modification
3719 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3722 const struct task_security_struct *old_tsec;
3723 struct task_security_struct *tsec;
3725 old_tsec = old->security;
3727 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3731 new->security = tsec;
3736 * transfer the SELinux data to a blank set of creds
3738 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3740 const struct task_security_struct *old_tsec = old->security;
3741 struct task_security_struct *tsec = new->security;
3747 * set the security data for a kernel service
3748 * - all the creation contexts are set to unlabelled
3750 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3752 struct task_security_struct *tsec = new->security;
3753 u32 sid = current_sid();
3756 ret = avc_has_perm(sid, secid,
3757 SECCLASS_KERNEL_SERVICE,
3758 KERNEL_SERVICE__USE_AS_OVERRIDE,
3762 tsec->create_sid = 0;
3763 tsec->keycreate_sid = 0;
3764 tsec->sockcreate_sid = 0;
3770 * set the file creation context in a security record to the same as the
3771 * objective context of the specified inode
3773 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3775 struct inode_security_struct *isec = inode_security(inode);
3776 struct task_security_struct *tsec = new->security;
3777 u32 sid = current_sid();
3780 ret = avc_has_perm(sid, isec->sid,
3781 SECCLASS_KERNEL_SERVICE,
3782 KERNEL_SERVICE__CREATE_FILES_AS,
3786 tsec->create_sid = isec->sid;
3790 static int selinux_kernel_module_request(char *kmod_name)
3793 struct common_audit_data ad;
3795 sid = task_sid(current);
3797 ad.type = LSM_AUDIT_DATA_KMOD;
3798 ad.u.kmod_name = kmod_name;
3800 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3801 SYSTEM__MODULE_REQUEST, &ad);
3804 static int selinux_kernel_module_from_file(struct file *file)
3806 struct common_audit_data ad;
3807 struct inode_security_struct *isec;
3808 struct file_security_struct *fsec;
3809 u32 sid = current_sid();
3814 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3815 SYSTEM__MODULE_LOAD, NULL);
3819 ad.type = LSM_AUDIT_DATA_FILE;
3822 fsec = file->f_security;
3823 if (sid != fsec->sid) {
3824 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3829 isec = inode_security(file_inode(file));
3830 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3831 SYSTEM__MODULE_LOAD, &ad);
3834 static int selinux_kernel_read_file(struct file *file,
3835 enum kernel_read_file_id id)
3840 case READING_MODULE:
3841 rc = selinux_kernel_module_from_file(file);
3850 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3852 return current_has_perm(p, PROCESS__SETPGID);
3855 static int selinux_task_getpgid(struct task_struct *p)
3857 return current_has_perm(p, PROCESS__GETPGID);
3860 static int selinux_task_getsid(struct task_struct *p)
3862 return current_has_perm(p, PROCESS__GETSESSION);
3865 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3867 *secid = task_sid(p);
3870 static int selinux_task_setnice(struct task_struct *p, int nice)
3872 return current_has_perm(p, PROCESS__SETSCHED);
3875 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3877 return current_has_perm(p, PROCESS__SETSCHED);
3880 static int selinux_task_getioprio(struct task_struct *p)
3882 return current_has_perm(p, PROCESS__GETSCHED);
3885 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3886 struct rlimit *new_rlim)
3888 struct rlimit *old_rlim = p->signal->rlim + resource;
3890 /* Control the ability to change the hard limit (whether
3891 lowering or raising it), so that the hard limit can
3892 later be used as a safe reset point for the soft limit
3893 upon context transitions. See selinux_bprm_committing_creds. */
3894 if (old_rlim->rlim_max != new_rlim->rlim_max)
3895 return current_has_perm(p, PROCESS__SETRLIMIT);
3900 static int selinux_task_setscheduler(struct task_struct *p)
3902 return current_has_perm(p, PROCESS__SETSCHED);
3905 static int selinux_task_getscheduler(struct task_struct *p)
3907 return current_has_perm(p, PROCESS__GETSCHED);
3910 static int selinux_task_movememory(struct task_struct *p)
3912 return current_has_perm(p, PROCESS__SETSCHED);
3915 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3922 perm = PROCESS__SIGNULL; /* null signal; existence test */
3924 perm = signal_to_av(sig);
3926 rc = avc_has_perm(secid, task_sid(p),
3927 SECCLASS_PROCESS, perm, NULL);
3929 rc = current_has_perm(p, perm);
3933 static int selinux_task_wait(struct task_struct *p)
3935 return task_has_perm(p, current, PROCESS__SIGCHLD);
3938 static void selinux_task_to_inode(struct task_struct *p,
3939 struct inode *inode)
3941 struct inode_security_struct *isec = inode->i_security;
3942 u32 sid = task_sid(p);
3945 isec->initialized = LABEL_INITIALIZED;
3948 /* Returns error only if unable to parse addresses */
3949 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3950 struct common_audit_data *ad, u8 *proto)
3952 int offset, ihlen, ret = -EINVAL;
3953 struct iphdr _iph, *ih;
3955 offset = skb_network_offset(skb);
3956 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3960 ihlen = ih->ihl * 4;
3961 if (ihlen < sizeof(_iph))
3964 ad->u.net->v4info.saddr = ih->saddr;
3965 ad->u.net->v4info.daddr = ih->daddr;
3969 *proto = ih->protocol;
3971 switch (ih->protocol) {
3973 struct tcphdr _tcph, *th;
3975 if (ntohs(ih->frag_off) & IP_OFFSET)
3979 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3983 ad->u.net->sport = th->source;
3984 ad->u.net->dport = th->dest;
3989 struct udphdr _udph, *uh;
3991 if (ntohs(ih->frag_off) & IP_OFFSET)
3995 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3999 ad->u.net->sport = uh->source;
4000 ad->u.net->dport = uh->dest;
4004 case IPPROTO_DCCP: {
4005 struct dccp_hdr _dccph, *dh;
4007 if (ntohs(ih->frag_off) & IP_OFFSET)
4011 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4015 ad->u.net->sport = dh->dccph_sport;
4016 ad->u.net->dport = dh->dccph_dport;
4027 #if IS_ENABLED(CONFIG_IPV6)
4029 /* Returns error only if unable to parse addresses */
4030 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4031 struct common_audit_data *ad, u8 *proto)
4034 int ret = -EINVAL, offset;
4035 struct ipv6hdr _ipv6h, *ip6;
4038 offset = skb_network_offset(skb);
4039 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4043 ad->u.net->v6info.saddr = ip6->saddr;
4044 ad->u.net->v6info.daddr = ip6->daddr;
4047 nexthdr = ip6->nexthdr;
4048 offset += sizeof(_ipv6h);
4049 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4058 struct tcphdr _tcph, *th;
4060 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4064 ad->u.net->sport = th->source;
4065 ad->u.net->dport = th->dest;
4070 struct udphdr _udph, *uh;
4072 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4076 ad->u.net->sport = uh->source;
4077 ad->u.net->dport = uh->dest;
4081 case IPPROTO_DCCP: {
4082 struct dccp_hdr _dccph, *dh;
4084 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4088 ad->u.net->sport = dh->dccph_sport;
4089 ad->u.net->dport = dh->dccph_dport;
4093 /* includes fragments */
4103 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4104 char **_addrp, int src, u8 *proto)
4109 switch (ad->u.net->family) {
4111 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4114 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4115 &ad->u.net->v4info.daddr);
4118 #if IS_ENABLED(CONFIG_IPV6)
4120 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4123 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4124 &ad->u.net->v6info.daddr);
4134 "SELinux: failure in selinux_parse_skb(),"
4135 " unable to parse packet\n");
4145 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4147 * @family: protocol family
4148 * @sid: the packet's peer label SID
4151 * Check the various different forms of network peer labeling and determine
4152 * the peer label/SID for the packet; most of the magic actually occurs in
4153 * the security server function security_net_peersid_cmp(). The function
4154 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4155 * or -EACCES if @sid is invalid due to inconsistencies with the different
4159 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4166 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4169 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4173 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4174 if (unlikely(err)) {
4176 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4177 " unable to determine packet's peer label\n");
4185 * selinux_conn_sid - Determine the child socket label for a connection
4186 * @sk_sid: the parent socket's SID
4187 * @skb_sid: the packet's SID
4188 * @conn_sid: the resulting connection SID
4190 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4191 * combined with the MLS information from @skb_sid in order to create
4192 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4193 * of @sk_sid. Returns zero on success, negative values on failure.
4196 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4200 if (skb_sid != SECSID_NULL)
4201 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4208 /* socket security operations */
4210 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4211 u16 secclass, u32 *socksid)
4213 if (tsec->sockcreate_sid > SECSID_NULL) {
4214 *socksid = tsec->sockcreate_sid;
4218 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4222 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4224 struct sk_security_struct *sksec = sk->sk_security;
4225 struct common_audit_data ad;
4226 struct lsm_network_audit net = {0,};
4227 u32 tsid = task_sid(task);
4229 if (sksec->sid == SECINITSID_KERNEL)
4232 ad.type = LSM_AUDIT_DATA_NET;
4236 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4239 static int selinux_socket_create(int family, int type,
4240 int protocol, int kern)
4242 const struct task_security_struct *tsec = current_security();
4250 secclass = socket_type_to_security_class(family, type, protocol);
4251 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4255 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4258 static int selinux_socket_post_create(struct socket *sock, int family,
4259 int type, int protocol, int kern)
4261 const struct task_security_struct *tsec = current_security();
4262 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4263 struct sk_security_struct *sksec;
4266 isec->sclass = socket_type_to_security_class(family, type, protocol);
4269 isec->sid = SECINITSID_KERNEL;
4271 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4276 isec->initialized = LABEL_INITIALIZED;
4279 sksec = sock->sk->sk_security;
4280 sksec->sid = isec->sid;
4281 sksec->sclass = isec->sclass;
4282 err = selinux_netlbl_socket_post_create(sock->sk, family);
4288 /* Range of port numbers used to automatically bind.
4289 Need to determine whether we should perform a name_bind
4290 permission check between the socket and the port number. */
4292 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4294 struct sock *sk = sock->sk;
4298 err = sock_has_perm(current, sk, SOCKET__BIND);
4303 * If PF_INET or PF_INET6, check name_bind permission for the port.
4304 * Multiple address binding for SCTP is not supported yet: we just
4305 * check the first address now.
4307 family = sk->sk_family;
4308 if (family == PF_INET || family == PF_INET6) {
4310 struct sk_security_struct *sksec = sk->sk_security;
4311 struct common_audit_data ad;
4312 struct lsm_network_audit net = {0,};
4313 struct sockaddr_in *addr4 = NULL;
4314 struct sockaddr_in6 *addr6 = NULL;
4315 unsigned short snum;
4318 if (family == PF_INET) {
4319 if (addrlen < sizeof(struct sockaddr_in)) {
4323 addr4 = (struct sockaddr_in *)address;
4324 snum = ntohs(addr4->sin_port);
4325 addrp = (char *)&addr4->sin_addr.s_addr;
4327 if (addrlen < SIN6_LEN_RFC2133) {
4331 addr6 = (struct sockaddr_in6 *)address;
4332 snum = ntohs(addr6->sin6_port);
4333 addrp = (char *)&addr6->sin6_addr.s6_addr;
4339 inet_get_local_port_range(sock_net(sk), &low, &high);
4341 if (snum < max(PROT_SOCK, low) || snum > high) {
4342 err = sel_netport_sid(sk->sk_protocol,
4346 ad.type = LSM_AUDIT_DATA_NET;
4348 ad.u.net->sport = htons(snum);
4349 ad.u.net->family = family;
4350 err = avc_has_perm(sksec->sid, sid,
4352 SOCKET__NAME_BIND, &ad);
4358 switch (sksec->sclass) {
4359 case SECCLASS_TCP_SOCKET:
4360 node_perm = TCP_SOCKET__NODE_BIND;
4363 case SECCLASS_UDP_SOCKET:
4364 node_perm = UDP_SOCKET__NODE_BIND;
4367 case SECCLASS_DCCP_SOCKET:
4368 node_perm = DCCP_SOCKET__NODE_BIND;
4372 node_perm = RAWIP_SOCKET__NODE_BIND;
4376 err = sel_netnode_sid(addrp, family, &sid);
4380 ad.type = LSM_AUDIT_DATA_NET;
4382 ad.u.net->sport = htons(snum);
4383 ad.u.net->family = family;
4385 if (family == PF_INET)
4386 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4388 ad.u.net->v6info.saddr = addr6->sin6_addr;
4390 err = avc_has_perm(sksec->sid, sid,
4391 sksec->sclass, node_perm, &ad);
4399 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4401 struct sock *sk = sock->sk;
4402 struct sk_security_struct *sksec = sk->sk_security;
4405 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4410 * If a TCP or DCCP socket, check name_connect permission for the port.
4412 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4413 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4414 struct common_audit_data ad;
4415 struct lsm_network_audit net = {0,};
4416 struct sockaddr_in *addr4 = NULL;
4417 struct sockaddr_in6 *addr6 = NULL;
4418 unsigned short snum;
4421 if (sk->sk_family == PF_INET) {
4422 addr4 = (struct sockaddr_in *)address;
4423 if (addrlen < sizeof(struct sockaddr_in))
4425 snum = ntohs(addr4->sin_port);
4427 addr6 = (struct sockaddr_in6 *)address;
4428 if (addrlen < SIN6_LEN_RFC2133)
4430 snum = ntohs(addr6->sin6_port);
4433 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4437 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4438 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4440 ad.type = LSM_AUDIT_DATA_NET;
4442 ad.u.net->dport = htons(snum);
4443 ad.u.net->family = sk->sk_family;
4444 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4449 err = selinux_netlbl_socket_connect(sk, address);
4455 static int selinux_socket_listen(struct socket *sock, int backlog)
4457 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4460 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4463 struct inode_security_struct *isec;
4464 struct inode_security_struct *newisec;
4466 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4470 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4472 isec = inode_security_novalidate(SOCK_INODE(sock));
4473 newisec->sclass = isec->sclass;
4474 newisec->sid = isec->sid;
4475 newisec->initialized = LABEL_INITIALIZED;
4480 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4483 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4486 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4487 int size, int flags)
4489 return sock_has_perm(current, sock->sk, SOCKET__READ);
4492 static int selinux_socket_getsockname(struct socket *sock)
4494 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4497 static int selinux_socket_getpeername(struct socket *sock)
4499 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4502 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4506 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4510 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4513 static int selinux_socket_getsockopt(struct socket *sock, int level,
4516 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4519 static int selinux_socket_shutdown(struct socket *sock, int how)
4521 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4524 static int selinux_socket_unix_stream_connect(struct sock *sock,
4528 struct sk_security_struct *sksec_sock = sock->sk_security;
4529 struct sk_security_struct *sksec_other = other->sk_security;
4530 struct sk_security_struct *sksec_new = newsk->sk_security;
4531 struct common_audit_data ad;
4532 struct lsm_network_audit net = {0,};
4535 ad.type = LSM_AUDIT_DATA_NET;
4537 ad.u.net->sk = other;
4539 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4540 sksec_other->sclass,
4541 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4545 /* server child socket */
4546 sksec_new->peer_sid = sksec_sock->sid;
4547 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4552 /* connecting socket */
4553 sksec_sock->peer_sid = sksec_new->sid;
4558 static int selinux_socket_unix_may_send(struct socket *sock,
4559 struct socket *other)
4561 struct sk_security_struct *ssec = sock->sk->sk_security;
4562 struct sk_security_struct *osec = other->sk->sk_security;
4563 struct common_audit_data ad;
4564 struct lsm_network_audit net = {0,};
4566 ad.type = LSM_AUDIT_DATA_NET;
4568 ad.u.net->sk = other->sk;
4570 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4574 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4575 char *addrp, u16 family, u32 peer_sid,
4576 struct common_audit_data *ad)
4582 err = sel_netif_sid(ns, ifindex, &if_sid);
4585 err = avc_has_perm(peer_sid, if_sid,
4586 SECCLASS_NETIF, NETIF__INGRESS, ad);
4590 err = sel_netnode_sid(addrp, family, &node_sid);
4593 return avc_has_perm(peer_sid, node_sid,
4594 SECCLASS_NODE, NODE__RECVFROM, ad);
4597 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4601 struct sk_security_struct *sksec = sk->sk_security;
4602 u32 sk_sid = sksec->sid;
4603 struct common_audit_data ad;
4604 struct lsm_network_audit net = {0,};
4607 ad.type = LSM_AUDIT_DATA_NET;
4609 ad.u.net->netif = skb->skb_iif;
4610 ad.u.net->family = family;
4611 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4615 if (selinux_secmark_enabled()) {
4616 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4622 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4625 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4630 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4633 struct sk_security_struct *sksec = sk->sk_security;
4634 u16 family = sk->sk_family;
4635 u32 sk_sid = sksec->sid;
4636 struct common_audit_data ad;
4637 struct lsm_network_audit net = {0,};
4642 if (family != PF_INET && family != PF_INET6)
4645 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4646 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4649 /* If any sort of compatibility mode is enabled then handoff processing
4650 * to the selinux_sock_rcv_skb_compat() function to deal with the
4651 * special handling. We do this in an attempt to keep this function
4652 * as fast and as clean as possible. */
4653 if (!selinux_policycap_netpeer)
4654 return selinux_sock_rcv_skb_compat(sk, skb, family);
4656 secmark_active = selinux_secmark_enabled();
4657 peerlbl_active = selinux_peerlbl_enabled();
4658 if (!secmark_active && !peerlbl_active)
4661 ad.type = LSM_AUDIT_DATA_NET;
4663 ad.u.net->netif = skb->skb_iif;
4664 ad.u.net->family = family;
4665 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4669 if (peerlbl_active) {
4672 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4675 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4676 addrp, family, peer_sid, &ad);
4678 selinux_netlbl_err(skb, family, err, 0);
4681 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4684 selinux_netlbl_err(skb, family, err, 0);
4689 if (secmark_active) {
4690 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4699 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4700 int __user *optlen, unsigned len)
4705 struct sk_security_struct *sksec = sock->sk->sk_security;
4706 u32 peer_sid = SECSID_NULL;
4708 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4709 sksec->sclass == SECCLASS_TCP_SOCKET)
4710 peer_sid = sksec->peer_sid;
4711 if (peer_sid == SECSID_NULL)
4712 return -ENOPROTOOPT;
4714 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4718 if (scontext_len > len) {
4723 if (copy_to_user(optval, scontext, scontext_len))
4727 if (put_user(scontext_len, optlen))
4733 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4735 u32 peer_secid = SECSID_NULL;
4737 struct inode_security_struct *isec;
4739 if (skb && skb->protocol == htons(ETH_P_IP))
4741 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4744 family = sock->sk->sk_family;
4748 if (sock && family == PF_UNIX) {
4749 isec = inode_security_novalidate(SOCK_INODE(sock));
4750 peer_secid = isec->sid;
4752 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4755 *secid = peer_secid;
4756 if (peer_secid == SECSID_NULL)
4761 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4763 struct sk_security_struct *sksec;
4765 sksec = kzalloc(sizeof(*sksec), priority);
4769 sksec->peer_sid = SECINITSID_UNLABELED;
4770 sksec->sid = SECINITSID_UNLABELED;
4771 sksec->sclass = SECCLASS_SOCKET;
4772 selinux_netlbl_sk_security_reset(sksec);
4773 sk->sk_security = sksec;
4778 static void selinux_sk_free_security(struct sock *sk)
4780 struct sk_security_struct *sksec = sk->sk_security;
4782 sk->sk_security = NULL;
4783 selinux_netlbl_sk_security_free(sksec);
4787 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4789 struct sk_security_struct *sksec = sk->sk_security;
4790 struct sk_security_struct *newsksec = newsk->sk_security;
4792 newsksec->sid = sksec->sid;
4793 newsksec->peer_sid = sksec->peer_sid;
4794 newsksec->sclass = sksec->sclass;
4796 selinux_netlbl_sk_security_reset(newsksec);
4799 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4802 *secid = SECINITSID_ANY_SOCKET;
4804 struct sk_security_struct *sksec = sk->sk_security;
4806 *secid = sksec->sid;
4810 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4812 struct inode_security_struct *isec =
4813 inode_security_novalidate(SOCK_INODE(parent));
4814 struct sk_security_struct *sksec = sk->sk_security;
4816 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4817 sk->sk_family == PF_UNIX)
4818 isec->sid = sksec->sid;
4819 sksec->sclass = isec->sclass;
4822 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4823 struct request_sock *req)
4825 struct sk_security_struct *sksec = sk->sk_security;
4827 u16 family = req->rsk_ops->family;
4831 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4834 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4837 req->secid = connsid;
4838 req->peer_secid = peersid;
4840 return selinux_netlbl_inet_conn_request(req, family);
4843 static void selinux_inet_csk_clone(struct sock *newsk,
4844 const struct request_sock *req)
4846 struct sk_security_struct *newsksec = newsk->sk_security;
4848 newsksec->sid = req->secid;
4849 newsksec->peer_sid = req->peer_secid;
4850 /* NOTE: Ideally, we should also get the isec->sid for the
4851 new socket in sync, but we don't have the isec available yet.
4852 So we will wait until sock_graft to do it, by which
4853 time it will have been created and available. */
4855 /* We don't need to take any sort of lock here as we are the only
4856 * thread with access to newsksec */
4857 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4860 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4862 u16 family = sk->sk_family;
4863 struct sk_security_struct *sksec = sk->sk_security;
4865 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4866 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4869 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4872 static int selinux_secmark_relabel_packet(u32 sid)
4874 const struct task_security_struct *__tsec;
4877 __tsec = current_security();
4880 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4883 static void selinux_secmark_refcount_inc(void)
4885 atomic_inc(&selinux_secmark_refcount);
4888 static void selinux_secmark_refcount_dec(void)
4890 atomic_dec(&selinux_secmark_refcount);
4893 static void selinux_req_classify_flow(const struct request_sock *req,
4896 fl->flowi_secid = req->secid;
4899 static int selinux_tun_dev_alloc_security(void **security)
4901 struct tun_security_struct *tunsec;
4903 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4906 tunsec->sid = current_sid();
4912 static void selinux_tun_dev_free_security(void *security)
4917 static int selinux_tun_dev_create(void)
4919 u32 sid = current_sid();
4921 /* we aren't taking into account the "sockcreate" SID since the socket
4922 * that is being created here is not a socket in the traditional sense,
4923 * instead it is a private sock, accessible only to the kernel, and
4924 * representing a wide range of network traffic spanning multiple
4925 * connections unlike traditional sockets - check the TUN driver to
4926 * get a better understanding of why this socket is special */
4928 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4932 static int selinux_tun_dev_attach_queue(void *security)
4934 struct tun_security_struct *tunsec = security;
4936 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4937 TUN_SOCKET__ATTACH_QUEUE, NULL);
4940 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4942 struct tun_security_struct *tunsec = security;
4943 struct sk_security_struct *sksec = sk->sk_security;
4945 /* we don't currently perform any NetLabel based labeling here and it
4946 * isn't clear that we would want to do so anyway; while we could apply
4947 * labeling without the support of the TUN user the resulting labeled
4948 * traffic from the other end of the connection would almost certainly
4949 * cause confusion to the TUN user that had no idea network labeling
4950 * protocols were being used */
4952 sksec->sid = tunsec->sid;
4953 sksec->sclass = SECCLASS_TUN_SOCKET;
4958 static int selinux_tun_dev_open(void *security)
4960 struct tun_security_struct *tunsec = security;
4961 u32 sid = current_sid();
4964 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4965 TUN_SOCKET__RELABELFROM, NULL);
4968 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4969 TUN_SOCKET__RELABELTO, NULL);
4977 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4981 struct nlmsghdr *nlh;
4982 struct sk_security_struct *sksec = sk->sk_security;
4984 if (skb->len < NLMSG_HDRLEN) {
4988 nlh = nlmsg_hdr(skb);
4990 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4992 if (err == -EINVAL) {
4993 pr_warn_ratelimited("SELinux: unrecognized netlink"
4994 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
4995 " pig=%d comm=%s\n",
4996 sk->sk_protocol, nlh->nlmsg_type,
4997 secclass_map[sksec->sclass - 1].name,
4998 task_pid_nr(current), current->comm);
4999 if (!selinux_enforcing || security_get_allow_unknown())
5009 err = sock_has_perm(current, sk, perm);
5014 #ifdef CONFIG_NETFILTER
5016 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5017 const struct net_device *indev,
5023 struct common_audit_data ad;
5024 struct lsm_network_audit net = {0,};
5029 if (!selinux_policycap_netpeer)
5032 secmark_active = selinux_secmark_enabled();
5033 netlbl_active = netlbl_enabled();
5034 peerlbl_active = selinux_peerlbl_enabled();
5035 if (!secmark_active && !peerlbl_active)
5038 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5041 ad.type = LSM_AUDIT_DATA_NET;
5043 ad.u.net->netif = indev->ifindex;
5044 ad.u.net->family = family;
5045 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5048 if (peerlbl_active) {
5049 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5050 addrp, family, peer_sid, &ad);
5052 selinux_netlbl_err(skb, family, err, 1);
5058 if (avc_has_perm(peer_sid, skb->secmark,
5059 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5063 /* we do this in the FORWARD path and not the POST_ROUTING
5064 * path because we want to make sure we apply the necessary
5065 * labeling before IPsec is applied so we can leverage AH
5067 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5073 static unsigned int selinux_ipv4_forward(void *priv,
5074 struct sk_buff *skb,
5075 const struct nf_hook_state *state)
5077 return selinux_ip_forward(skb, state->in, PF_INET);
5080 #if IS_ENABLED(CONFIG_IPV6)
5081 static unsigned int selinux_ipv6_forward(void *priv,
5082 struct sk_buff *skb,
5083 const struct nf_hook_state *state)
5085 return selinux_ip_forward(skb, state->in, PF_INET6);
5089 static unsigned int selinux_ip_output(struct sk_buff *skb,
5095 if (!netlbl_enabled())
5098 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5099 * because we want to make sure we apply the necessary labeling
5100 * before IPsec is applied so we can leverage AH protection */
5103 struct sk_security_struct *sksec;
5105 if (sk_listener(sk))
5106 /* if the socket is the listening state then this
5107 * packet is a SYN-ACK packet which means it needs to
5108 * be labeled based on the connection/request_sock and
5109 * not the parent socket. unfortunately, we can't
5110 * lookup the request_sock yet as it isn't queued on
5111 * the parent socket until after the SYN-ACK is sent.
5112 * the "solution" is to simply pass the packet as-is
5113 * as any IP option based labeling should be copied
5114 * from the initial connection request (in the IP
5115 * layer). it is far from ideal, but until we get a
5116 * security label in the packet itself this is the
5117 * best we can do. */
5120 /* standard practice, label using the parent socket */
5121 sksec = sk->sk_security;
5124 sid = SECINITSID_KERNEL;
5125 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5131 static unsigned int selinux_ipv4_output(void *priv,
5132 struct sk_buff *skb,
5133 const struct nf_hook_state *state)
5135 return selinux_ip_output(skb, PF_INET);
5138 #if IS_ENABLED(CONFIG_IPV6)
5139 static unsigned int selinux_ipv6_output(void *priv,
5140 struct sk_buff *skb,
5141 const struct nf_hook_state *state)
5143 return selinux_ip_output(skb, PF_INET6);
5147 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5151 struct sock *sk = skb_to_full_sk(skb);
5152 struct sk_security_struct *sksec;
5153 struct common_audit_data ad;
5154 struct lsm_network_audit net = {0,};
5160 sksec = sk->sk_security;
5162 ad.type = LSM_AUDIT_DATA_NET;
5164 ad.u.net->netif = ifindex;
5165 ad.u.net->family = family;
5166 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5169 if (selinux_secmark_enabled())
5170 if (avc_has_perm(sksec->sid, skb->secmark,
5171 SECCLASS_PACKET, PACKET__SEND, &ad))
5172 return NF_DROP_ERR(-ECONNREFUSED);
5174 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5175 return NF_DROP_ERR(-ECONNREFUSED);
5180 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5181 const struct net_device *outdev,
5186 int ifindex = outdev->ifindex;
5188 struct common_audit_data ad;
5189 struct lsm_network_audit net = {0,};
5194 /* If any sort of compatibility mode is enabled then handoff processing
5195 * to the selinux_ip_postroute_compat() function to deal with the
5196 * special handling. We do this in an attempt to keep this function
5197 * as fast and as clean as possible. */
5198 if (!selinux_policycap_netpeer)
5199 return selinux_ip_postroute_compat(skb, ifindex, family);
5201 secmark_active = selinux_secmark_enabled();
5202 peerlbl_active = selinux_peerlbl_enabled();
5203 if (!secmark_active && !peerlbl_active)
5206 sk = skb_to_full_sk(skb);
5209 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5210 * packet transformation so allow the packet to pass without any checks
5211 * since we'll have another chance to perform access control checks
5212 * when the packet is on it's final way out.
5213 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5214 * is NULL, in this case go ahead and apply access control.
5215 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5216 * TCP listening state we cannot wait until the XFRM processing
5217 * is done as we will miss out on the SA label if we do;
5218 * unfortunately, this means more work, but it is only once per
5220 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5221 !(sk && sk_listener(sk)))
5226 /* Without an associated socket the packet is either coming
5227 * from the kernel or it is being forwarded; check the packet
5228 * to determine which and if the packet is being forwarded
5229 * query the packet directly to determine the security label. */
5231 secmark_perm = PACKET__FORWARD_OUT;
5232 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5235 secmark_perm = PACKET__SEND;
5236 peer_sid = SECINITSID_KERNEL;
5238 } else if (sk_listener(sk)) {
5239 /* Locally generated packet but the associated socket is in the
5240 * listening state which means this is a SYN-ACK packet. In
5241 * this particular case the correct security label is assigned
5242 * to the connection/request_sock but unfortunately we can't
5243 * query the request_sock as it isn't queued on the parent
5244 * socket until after the SYN-ACK packet is sent; the only
5245 * viable choice is to regenerate the label like we do in
5246 * selinux_inet_conn_request(). See also selinux_ip_output()
5247 * for similar problems. */
5249 struct sk_security_struct *sksec;
5251 sksec = sk->sk_security;
5252 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5254 /* At this point, if the returned skb peerlbl is SECSID_NULL
5255 * and the packet has been through at least one XFRM
5256 * transformation then we must be dealing with the "final"
5257 * form of labeled IPsec packet; since we've already applied
5258 * all of our access controls on this packet we can safely
5259 * pass the packet. */
5260 if (skb_sid == SECSID_NULL) {
5263 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5267 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5271 return NF_DROP_ERR(-ECONNREFUSED);
5274 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5276 secmark_perm = PACKET__SEND;
5278 /* Locally generated packet, fetch the security label from the
5279 * associated socket. */
5280 struct sk_security_struct *sksec = sk->sk_security;
5281 peer_sid = sksec->sid;
5282 secmark_perm = PACKET__SEND;
5285 ad.type = LSM_AUDIT_DATA_NET;
5287 ad.u.net->netif = ifindex;
5288 ad.u.net->family = family;
5289 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5293 if (avc_has_perm(peer_sid, skb->secmark,
5294 SECCLASS_PACKET, secmark_perm, &ad))
5295 return NF_DROP_ERR(-ECONNREFUSED);
5297 if (peerlbl_active) {
5301 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5303 if (avc_has_perm(peer_sid, if_sid,
5304 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5305 return NF_DROP_ERR(-ECONNREFUSED);
5307 if (sel_netnode_sid(addrp, family, &node_sid))
5309 if (avc_has_perm(peer_sid, node_sid,
5310 SECCLASS_NODE, NODE__SENDTO, &ad))
5311 return NF_DROP_ERR(-ECONNREFUSED);
5317 static unsigned int selinux_ipv4_postroute(void *priv,
5318 struct sk_buff *skb,
5319 const struct nf_hook_state *state)
5321 return selinux_ip_postroute(skb, state->out, PF_INET);
5324 #if IS_ENABLED(CONFIG_IPV6)
5325 static unsigned int selinux_ipv6_postroute(void *priv,
5326 struct sk_buff *skb,
5327 const struct nf_hook_state *state)
5329 return selinux_ip_postroute(skb, state->out, PF_INET6);
5333 #endif /* CONFIG_NETFILTER */
5335 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5337 return selinux_nlmsg_perm(sk, skb);
5340 static int ipc_alloc_security(struct task_struct *task,
5341 struct kern_ipc_perm *perm,
5344 struct ipc_security_struct *isec;
5347 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5351 sid = task_sid(task);
5352 isec->sclass = sclass;
5354 perm->security = isec;
5359 static void ipc_free_security(struct kern_ipc_perm *perm)
5361 struct ipc_security_struct *isec = perm->security;
5362 perm->security = NULL;
5366 static int msg_msg_alloc_security(struct msg_msg *msg)
5368 struct msg_security_struct *msec;
5370 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5374 msec->sid = SECINITSID_UNLABELED;
5375 msg->security = msec;
5380 static void msg_msg_free_security(struct msg_msg *msg)
5382 struct msg_security_struct *msec = msg->security;
5384 msg->security = NULL;
5388 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5391 struct ipc_security_struct *isec;
5392 struct common_audit_data ad;
5393 u32 sid = current_sid();
5395 isec = ipc_perms->security;
5397 ad.type = LSM_AUDIT_DATA_IPC;
5398 ad.u.ipc_id = ipc_perms->key;
5400 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5403 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5405 return msg_msg_alloc_security(msg);
5408 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5410 msg_msg_free_security(msg);
5413 /* message queue security operations */
5414 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5416 struct ipc_security_struct *isec;
5417 struct common_audit_data ad;
5418 u32 sid = current_sid();
5421 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5425 isec = msq->q_perm.security;
5427 ad.type = LSM_AUDIT_DATA_IPC;
5428 ad.u.ipc_id = msq->q_perm.key;
5430 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5433 ipc_free_security(&msq->q_perm);
5439 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5441 ipc_free_security(&msq->q_perm);
5444 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5446 struct ipc_security_struct *isec;
5447 struct common_audit_data ad;
5448 u32 sid = current_sid();
5450 isec = msq->q_perm.security;
5452 ad.type = LSM_AUDIT_DATA_IPC;
5453 ad.u.ipc_id = msq->q_perm.key;
5455 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5456 MSGQ__ASSOCIATE, &ad);
5459 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5467 /* No specific object, just general system-wide information. */
5468 return task_has_system(current, SYSTEM__IPC_INFO);
5471 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5474 perms = MSGQ__SETATTR;
5477 perms = MSGQ__DESTROY;
5483 err = ipc_has_perm(&msq->q_perm, perms);
5487 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5489 struct ipc_security_struct *isec;
5490 struct msg_security_struct *msec;
5491 struct common_audit_data ad;
5492 u32 sid = current_sid();
5495 isec = msq->q_perm.security;
5496 msec = msg->security;
5499 * First time through, need to assign label to the message
5501 if (msec->sid == SECINITSID_UNLABELED) {
5503 * Compute new sid based on current process and
5504 * message queue this message will be stored in
5506 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5512 ad.type = LSM_AUDIT_DATA_IPC;
5513 ad.u.ipc_id = msq->q_perm.key;
5515 /* Can this process write to the queue? */
5516 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5519 /* Can this process send the message */
5520 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5523 /* Can the message be put in the queue? */
5524 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5525 MSGQ__ENQUEUE, &ad);
5530 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5531 struct task_struct *target,
5532 long type, int mode)
5534 struct ipc_security_struct *isec;
5535 struct msg_security_struct *msec;
5536 struct common_audit_data ad;
5537 u32 sid = task_sid(target);
5540 isec = msq->q_perm.security;
5541 msec = msg->security;
5543 ad.type = LSM_AUDIT_DATA_IPC;
5544 ad.u.ipc_id = msq->q_perm.key;
5546 rc = avc_has_perm(sid, isec->sid,
5547 SECCLASS_MSGQ, MSGQ__READ, &ad);
5549 rc = avc_has_perm(sid, msec->sid,
5550 SECCLASS_MSG, MSG__RECEIVE, &ad);
5554 /* Shared Memory security operations */
5555 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5557 struct ipc_security_struct *isec;
5558 struct common_audit_data ad;
5559 u32 sid = current_sid();
5562 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5566 isec = shp->shm_perm.security;
5568 ad.type = LSM_AUDIT_DATA_IPC;
5569 ad.u.ipc_id = shp->shm_perm.key;
5571 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5574 ipc_free_security(&shp->shm_perm);
5580 static void selinux_shm_free_security(struct shmid_kernel *shp)
5582 ipc_free_security(&shp->shm_perm);
5585 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5587 struct ipc_security_struct *isec;
5588 struct common_audit_data ad;
5589 u32 sid = current_sid();
5591 isec = shp->shm_perm.security;
5593 ad.type = LSM_AUDIT_DATA_IPC;
5594 ad.u.ipc_id = shp->shm_perm.key;
5596 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5597 SHM__ASSOCIATE, &ad);
5600 /* Note, at this point, shp is locked down */
5601 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5609 /* No specific object, just general system-wide information. */
5610 return task_has_system(current, SYSTEM__IPC_INFO);
5613 perms = SHM__GETATTR | SHM__ASSOCIATE;
5616 perms = SHM__SETATTR;
5623 perms = SHM__DESTROY;
5629 err = ipc_has_perm(&shp->shm_perm, perms);
5633 static int selinux_shm_shmat(struct shmid_kernel *shp,
5634 char __user *shmaddr, int shmflg)
5638 if (shmflg & SHM_RDONLY)
5641 perms = SHM__READ | SHM__WRITE;
5643 return ipc_has_perm(&shp->shm_perm, perms);
5646 /* Semaphore security operations */
5647 static int selinux_sem_alloc_security(struct sem_array *sma)
5649 struct ipc_security_struct *isec;
5650 struct common_audit_data ad;
5651 u32 sid = current_sid();
5654 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5658 isec = sma->sem_perm.security;
5660 ad.type = LSM_AUDIT_DATA_IPC;
5661 ad.u.ipc_id = sma->sem_perm.key;
5663 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5666 ipc_free_security(&sma->sem_perm);
5672 static void selinux_sem_free_security(struct sem_array *sma)
5674 ipc_free_security(&sma->sem_perm);
5677 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5679 struct ipc_security_struct *isec;
5680 struct common_audit_data ad;
5681 u32 sid = current_sid();
5683 isec = sma->sem_perm.security;
5685 ad.type = LSM_AUDIT_DATA_IPC;
5686 ad.u.ipc_id = sma->sem_perm.key;
5688 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5689 SEM__ASSOCIATE, &ad);
5692 /* Note, at this point, sma is locked down */
5693 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5701 /* No specific object, just general system-wide information. */
5702 return task_has_system(current, SYSTEM__IPC_INFO);
5706 perms = SEM__GETATTR;
5717 perms = SEM__DESTROY;
5720 perms = SEM__SETATTR;
5724 perms = SEM__GETATTR | SEM__ASSOCIATE;
5730 err = ipc_has_perm(&sma->sem_perm, perms);
5734 static int selinux_sem_semop(struct sem_array *sma,
5735 struct sembuf *sops, unsigned nsops, int alter)
5740 perms = SEM__READ | SEM__WRITE;
5744 return ipc_has_perm(&sma->sem_perm, perms);
5747 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5753 av |= IPC__UNIX_READ;
5755 av |= IPC__UNIX_WRITE;
5760 return ipc_has_perm(ipcp, av);
5763 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5765 struct ipc_security_struct *isec = ipcp->security;
5769 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5772 inode_doinit_with_dentry(inode, dentry);
5775 static int selinux_getprocattr(struct task_struct *p,
5776 char *name, char **value)
5778 const struct task_security_struct *__tsec;
5784 error = current_has_perm(p, PROCESS__GETATTR);
5790 __tsec = __task_cred(p)->security;
5792 if (!strcmp(name, "current"))
5794 else if (!strcmp(name, "prev"))
5796 else if (!strcmp(name, "exec"))
5797 sid = __tsec->exec_sid;
5798 else if (!strcmp(name, "fscreate"))
5799 sid = __tsec->create_sid;
5800 else if (!strcmp(name, "keycreate"))
5801 sid = __tsec->keycreate_sid;
5802 else if (!strcmp(name, "sockcreate"))
5803 sid = __tsec->sockcreate_sid;
5811 error = security_sid_to_context(sid, value, &len);
5821 static int selinux_setprocattr(struct task_struct *p,
5822 char *name, void *value, size_t size)
5824 struct task_security_struct *tsec;
5831 /* SELinux only allows a process to change its own
5832 security attributes. */
5837 * Basic control over ability to set these attributes at all.
5838 * current == p, but we'll pass them separately in case the
5839 * above restriction is ever removed.
5841 if (!strcmp(name, "exec"))
5842 error = current_has_perm(p, PROCESS__SETEXEC);
5843 else if (!strcmp(name, "fscreate"))
5844 error = current_has_perm(p, PROCESS__SETFSCREATE);
5845 else if (!strcmp(name, "keycreate"))
5846 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5847 else if (!strcmp(name, "sockcreate"))
5848 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5849 else if (!strcmp(name, "current"))
5850 error = current_has_perm(p, PROCESS__SETCURRENT);
5856 /* Obtain a SID for the context, if one was specified. */
5857 if (size && str[0] && str[0] != '\n') {
5858 if (str[size-1] == '\n') {
5862 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5863 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5864 if (!capable(CAP_MAC_ADMIN)) {
5865 struct audit_buffer *ab;
5868 /* We strip a nul only if it is at the end, otherwise the
5869 * context contains a nul and we should audit that */
5870 if (str[size - 1] == '\0')
5871 audit_size = size - 1;
5874 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5875 audit_log_format(ab, "op=fscreate invalid_context=");
5876 audit_log_n_untrustedstring(ab, value, audit_size);
5881 error = security_context_to_sid_force(value, size,
5888 new = prepare_creds();
5892 /* Permission checking based on the specified context is
5893 performed during the actual operation (execve,
5894 open/mkdir/...), when we know the full context of the
5895 operation. See selinux_bprm_set_creds for the execve
5896 checks and may_create for the file creation checks. The
5897 operation will then fail if the context is not permitted. */
5898 tsec = new->security;
5899 if (!strcmp(name, "exec")) {
5900 tsec->exec_sid = sid;
5901 } else if (!strcmp(name, "fscreate")) {
5902 tsec->create_sid = sid;
5903 } else if (!strcmp(name, "keycreate")) {
5904 error = may_create_key(sid, p);
5907 tsec->keycreate_sid = sid;
5908 } else if (!strcmp(name, "sockcreate")) {
5909 tsec->sockcreate_sid = sid;
5910 } else if (!strcmp(name, "current")) {
5915 /* Only allow single threaded processes to change context */
5917 if (!current_is_single_threaded()) {
5918 error = security_bounded_transition(tsec->sid, sid);
5923 /* Check permissions for the transition. */
5924 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5925 PROCESS__DYNTRANSITION, NULL);
5929 /* Check for ptracing, and update the task SID if ok.
5930 Otherwise, leave SID unchanged and fail. */
5931 ptsid = ptrace_parent_sid(p);
5933 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5934 PROCESS__PTRACE, NULL);
5953 static int selinux_ismaclabel(const char *name)
5955 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5958 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5960 return security_sid_to_context(secid, secdata, seclen);
5963 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5965 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5968 static void selinux_release_secctx(char *secdata, u32 seclen)
5973 static void selinux_inode_invalidate_secctx(struct inode *inode)
5975 struct inode_security_struct *isec = inode->i_security;
5977 mutex_lock(&isec->lock);
5978 isec->initialized = LABEL_INVALID;
5979 mutex_unlock(&isec->lock);
5983 * called with inode->i_mutex locked
5985 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5987 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5991 * called with inode->i_mutex locked
5993 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5995 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5998 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6001 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6010 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6011 unsigned long flags)
6013 const struct task_security_struct *tsec;
6014 struct key_security_struct *ksec;
6016 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6020 tsec = cred->security;
6021 if (tsec->keycreate_sid)
6022 ksec->sid = tsec->keycreate_sid;
6024 ksec->sid = tsec->sid;
6030 static void selinux_key_free(struct key *k)
6032 struct key_security_struct *ksec = k->security;
6038 static int selinux_key_permission(key_ref_t key_ref,
6039 const struct cred *cred,
6043 struct key_security_struct *ksec;
6046 /* if no specific permissions are requested, we skip the
6047 permission check. No serious, additional covert channels
6048 appear to be created. */
6052 sid = cred_sid(cred);
6054 key = key_ref_to_ptr(key_ref);
6055 ksec = key->security;
6057 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6060 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6062 struct key_security_struct *ksec = key->security;
6063 char *context = NULL;
6067 rc = security_sid_to_context(ksec->sid, &context, &len);
6076 static struct security_hook_list selinux_hooks[] = {
6077 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6078 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6079 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6080 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6082 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6083 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6084 LSM_HOOK_INIT(capget, selinux_capget),
6085 LSM_HOOK_INIT(capset, selinux_capset),
6086 LSM_HOOK_INIT(capable, selinux_capable),
6087 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6088 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6089 LSM_HOOK_INIT(syslog, selinux_syslog),
6090 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6092 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6094 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6095 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6096 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6097 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6099 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6100 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6101 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6102 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6103 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6104 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6105 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6106 LSM_HOOK_INIT(sb_mount, selinux_mount),
6107 LSM_HOOK_INIT(sb_umount, selinux_umount),
6108 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6109 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6110 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6112 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6113 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6115 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6116 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6117 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6118 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6119 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6120 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6121 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6122 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6123 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6124 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6125 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6126 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6127 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6128 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6129 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6130 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6131 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6132 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6133 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6134 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6135 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6136 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6137 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6138 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6139 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6140 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6141 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6143 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6144 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6145 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6146 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6147 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6148 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6149 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6150 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6151 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6152 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6153 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6154 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6156 LSM_HOOK_INIT(file_open, selinux_file_open),
6158 LSM_HOOK_INIT(task_create, selinux_task_create),
6159 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6160 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6161 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6162 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6163 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6164 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6165 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6166 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6167 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6168 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6169 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6170 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6171 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6172 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6173 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6174 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6175 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6176 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6177 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6178 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6179 LSM_HOOK_INIT(task_wait, selinux_task_wait),
6180 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6182 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6183 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6185 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6186 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6188 LSM_HOOK_INIT(msg_queue_alloc_security,
6189 selinux_msg_queue_alloc_security),
6190 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6191 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6192 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6193 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6194 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6196 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6197 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6198 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6199 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6200 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6202 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6203 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6204 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6205 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6206 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6208 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6210 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6211 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6213 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6214 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6215 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6216 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6217 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6218 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6219 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6220 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6222 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6223 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6225 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6226 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6227 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6228 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6229 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6230 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6231 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6232 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6233 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6234 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6235 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6236 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6237 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6238 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6239 LSM_HOOK_INIT(socket_getpeersec_stream,
6240 selinux_socket_getpeersec_stream),
6241 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6242 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6243 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6244 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6245 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6246 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6247 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6248 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6249 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6250 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6251 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6252 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6253 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6254 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6255 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6256 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6257 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6258 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6259 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6261 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6262 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6263 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6264 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6265 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6266 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6267 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6268 selinux_xfrm_state_alloc_acquire),
6269 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6270 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6271 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6272 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6273 selinux_xfrm_state_pol_flow_match),
6274 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6278 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6279 LSM_HOOK_INIT(key_free, selinux_key_free),
6280 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6281 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6285 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6286 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6287 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6288 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6292 static __init int selinux_init(void)
6294 if (!security_module_enable("selinux")) {
6295 selinux_enabled = 0;
6299 if (!selinux_enabled) {
6300 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6304 printk(KERN_INFO "SELinux: Initializing.\n");
6306 /* Set the security state for the initial task. */
6307 cred_init_security();
6309 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6311 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6312 sizeof(struct inode_security_struct),
6313 0, SLAB_PANIC, NULL);
6314 file_security_cache = kmem_cache_create("selinux_file_security",
6315 sizeof(struct file_security_struct),
6316 0, SLAB_PANIC, NULL);
6319 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6321 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6322 panic("SELinux: Unable to register AVC netcache callback\n");
6324 if (selinux_enforcing)
6325 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6327 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6332 static void delayed_superblock_init(struct super_block *sb, void *unused)
6334 superblock_doinit(sb, NULL);
6337 void selinux_complete_init(void)
6339 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6341 /* Set up any superblocks initialized prior to the policy load. */
6342 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6343 iterate_supers(delayed_superblock_init, NULL);
6346 /* SELinux requires early initialization in order to label
6347 all processes and objects when they are created. */
6348 security_initcall(selinux_init);
6350 #if defined(CONFIG_NETFILTER)
6352 static struct nf_hook_ops selinux_nf_ops[] = {
6354 .hook = selinux_ipv4_postroute,
6356 .hooknum = NF_INET_POST_ROUTING,
6357 .priority = NF_IP_PRI_SELINUX_LAST,
6360 .hook = selinux_ipv4_forward,
6362 .hooknum = NF_INET_FORWARD,
6363 .priority = NF_IP_PRI_SELINUX_FIRST,
6366 .hook = selinux_ipv4_output,
6368 .hooknum = NF_INET_LOCAL_OUT,
6369 .priority = NF_IP_PRI_SELINUX_FIRST,
6371 #if IS_ENABLED(CONFIG_IPV6)
6373 .hook = selinux_ipv6_postroute,
6375 .hooknum = NF_INET_POST_ROUTING,
6376 .priority = NF_IP6_PRI_SELINUX_LAST,
6379 .hook = selinux_ipv6_forward,
6381 .hooknum = NF_INET_FORWARD,
6382 .priority = NF_IP6_PRI_SELINUX_FIRST,
6385 .hook = selinux_ipv6_output,
6387 .hooknum = NF_INET_LOCAL_OUT,
6388 .priority = NF_IP6_PRI_SELINUX_FIRST,
6393 static int __init selinux_nf_ip_init(void)
6397 if (!selinux_enabled)
6400 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6402 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6404 panic("SELinux: nf_register_hooks: error %d\n", err);
6409 __initcall(selinux_nf_ip_init);
6411 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6412 static void selinux_nf_ip_exit(void)
6414 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6416 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6420 #else /* CONFIG_NETFILTER */
6422 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6423 #define selinux_nf_ip_exit()
6426 #endif /* CONFIG_NETFILTER */
6428 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6429 static int selinux_disabled;
6431 int selinux_disable(void)
6433 if (ss_initialized) {
6434 /* Not permitted after initial policy load. */
6438 if (selinux_disabled) {
6439 /* Only do this once. */
6443 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6445 selinux_disabled = 1;
6446 selinux_enabled = 0;
6448 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6450 /* Try to destroy the avc node cache */
6453 /* Unregister netfilter hooks. */
6454 selinux_nf_ip_exit();
6456 /* Unregister selinuxfs. */