28 #include <linux/kernel.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
58 #include <asm/ioctls.h>
60 #include <linux/bitops.h>
62 #include <linux/netdevice.h>
63 #include <linux/netlink.h>
64 #include <linux/tcp.h>
65 #include <linux/udp.h>
66 #include <linux/dccp.h>
67 #include <linux/quota.h>
74 #include <linux/personality.h>
75 #include <linux/audit.h>
76 #include <linux/string.h>
82 #include <linux/export.h>
83 #include <linux/msg.h>
84 #include <linux/shm.h>
96 #define NUM_SEL_MNT_OPTS 5
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
106 static int __init enforcing_setup(
char *
str)
113 __setup(
"enforcing=", enforcing_setup);
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
119 static int __init selinux_enabled_setup(
char *str)
123 selinux_enabled = enabled ? 1 : 0;
126 __setup(
"selinux=", selinux_enabled_setup);
128 int selinux_enabled = 1;
143 static int selinux_secmark_enabled(
void)
145 return (
atomic_read(&selinux_secmark_refcount) > 0);
151 static void cred_init_security(
void)
158 panic(
"SELinux: Failed to initialize initial task.\n");
160 tsec->osid = tsec->sid = SECINITSID_KERNEL;
161 cred->security = tsec;
167 static inline u32 cred_sid(
const struct cred *cred)
171 tsec = cred->security;
191 static inline u32 current_sid(
void)
200 static int inode_alloc_security(
struct inode *
inode)
203 u32 sid = current_sid();
205 isec = kmem_cache_zalloc(sel_inode_cache,
GFP_NOFS);
210 INIT_LIST_HEAD(&isec->
list);
212 isec->
sid = SECINITSID_UNLABELED;
213 isec->
sclass = SECCLASS_FILE;
215 inode->i_security = isec;
220 static void inode_free_security(
struct inode *inode)
226 if (!list_empty(&isec->
list))
227 list_del_init(&isec->
list);
230 inode->i_security =
NULL;
234 static int file_alloc_security(
struct file *
file)
237 u32 sid = current_sid();
245 file->f_security = fsec;
250 static void file_free_security(
struct file *file)
253 file->f_security =
NULL;
269 sbsec->
sid = SECINITSID_UNLABELED;
270 sbsec->
def_sid = SECINITSID_FILE;
272 sb->s_security = sbsec;
277 static void superblock_free_security(
struct super_block *sb)
280 sb->s_security =
NULL;
286 static const char *labeling_behaviors[6] = {
288 "uses transition SIDs",
290 "uses genfs_contexts",
291 "not configured for labeling",
292 "uses mountpoint labeling",
295 static int inode_doinit_with_dentry(
struct inode *inode,
struct dentry *opt_dentry);
297 static inline int inode_doinit(
struct inode *inode)
299 return inode_doinit_with_dentry(inode,
NULL);
320 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
322 static int may_context_mount_sb_relabel(
u32 sid,
324 const struct cred *cred)
329 rc = avc_has_perm(tsec->
sid, sbsec->
sid, SECCLASS_FILESYSTEM,
330 FILESYSTEM__RELABELFROM,
NULL);
334 rc = avc_has_perm(tsec->
sid, sid, SECCLASS_FILESYSTEM,
335 FILESYSTEM__RELABELTO,
NULL);
339 static int may_context_mount_inode_relabel(
u32 sid,
341 const struct cred *cred)
345 rc = avc_has_perm(tsec->
sid, sbsec->
sid, SECCLASS_FILESYSTEM,
346 FILESYSTEM__RELABELFROM,
NULL);
350 rc = avc_has_perm(sid, sbsec->
sid, SECCLASS_FILESYSTEM,
351 FILESYSTEM__ASSOCIATE,
NULL);
355 static int sb_finish_set_opts(
struct super_block *sb)
359 struct inode *root_inode = root->
d_inode;
368 if (!root_inode->
i_op->getxattr) {
370 "xattr support\n", sb->
s_id, sb->
s_type->name);
375 if (rc < 0 && rc != -
ENODATA) {
378 "%s) has no security xattr handler\n",
382 "%s) getxattr errno %d\n", sb->
s_id,
391 printk(
KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
396 labeling_behaviors[sbsec->
behavior-1]);
405 if (
strncmp(sb->
s_type->name,
"sysfs",
sizeof(
"sysfs")) == 0)
409 rc = inode_doinit_with_dentry(root_inode, root);
421 struct inode *inode = isec->
inode;
423 inode =
igrab(inode);
430 list_del_init(&isec->
list);
443 static int selinux_get_mnt_opts(
const struct super_block *sb,
452 security_init_mnt_opts(opts);
462 for (
i = 0;
i < 8;
i++) {
464 opts->num_mnt_opts++;
469 opts->num_mnt_opts++;
471 opts->mnt_opts = kcalloc(opts->num_mnt_opts,
sizeof(
char *),
GFP_ATOMIC);
472 if (!opts->mnt_opts) {
477 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts,
sizeof(
int),
GFP_ATOMIC);
478 if (!opts->mnt_opts_flags) {
506 struct inode *root = sbsec->
sb->s_root->d_inode;
516 opts->mnt_opts[
i] =
NULL;
520 BUG_ON(
i != opts->num_mnt_opts);
525 security_free_mnt_opts(opts);
536 if (!(sbsec->
flags & flag) ||
537 (old_sid != new_sid))
544 if (mnt_flags & flag)
553 static int selinux_set_mnt_opts(
struct super_block *sb,
560 struct inode *inode = sbsec->
sb->s_root->d_inode;
562 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
563 u32 defcontext_sid = 0;
565 int *
flags = opts->mnt_opts_flags;
566 int num_opts = opts->num_mnt_opts;
579 "before the security server is initialized\n");
603 for (
i = 0;
i < num_opts;
i++) {
609 strlen(mount_options[i]), &sid);
612 "(%s) failed for (dev %s, type %s) errno=%d\n",
613 mount_options[i], sb->
s_id, name, rc);
622 goto out_double_mount;
631 goto out_double_mount;
636 rootcontext_sid =
sid;
640 goto out_double_mount;
646 defcontext_sid =
sid;
650 goto out_double_mount;
664 goto out_double_mount;
676 __func__, sb->
s_type->name, rc);
682 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
686 sbsec->
sid = fscontext_sid;
695 if (!fscontext_sid) {
696 rc = may_context_mount_sb_relabel(context_sid, sbsec,
700 sbsec->
sid = context_sid;
702 rc = may_context_mount_inode_relabel(context_sid, sbsec,
707 if (!rootcontext_sid)
708 rootcontext_sid = context_sid;
714 if (rootcontext_sid) {
715 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
720 root_isec->
sid = rootcontext_sid;
724 if (defcontext_sid) {
728 "invalid for this filesystem type\n");
732 if (defcontext_sid != sbsec->
def_sid) {
733 rc = may_context_mount_inode_relabel(defcontext_sid,
739 sbsec->
def_sid = defcontext_sid;
742 rc = sb_finish_set_opts(sb);
749 "security settings for (dev %s, type %s)\n", sb->
s_id, name);
753 static void selinux_sb_clone_mnt_opts(
const struct super_block *oldsb,
781 newsbsec->
sid = oldsbsec->
sid;
790 if (!set_rootcontext) {
791 struct inode *newinode = newsb->
s_root->d_inode;
797 if (set_rootcontext) {
798 const struct inode *oldinode = oldsb->
s_root->d_inode;
800 struct inode *newinode = newsb->
s_root->d_inode;
803 newisec->
sid = oldisec->
sid;
806 sb_finish_set_opts(newsb);
810 static int selinux_parse_opts_str(
char *
options,
814 char *context =
NULL, *defcontext =
NULL;
815 char *fscontext =
NULL, *rootcontext =
NULL;
816 int rc, num_mnt_opts = 0;
818 opts->num_mnt_opts = 0;
832 if (context || defcontext) {
871 if (context || defcontext) {
898 if (!opts->mnt_opts_flags) {
899 kfree(opts->mnt_opts);
904 opts->mnt_opts[num_mnt_opts] = fscontext;
908 opts->mnt_opts[num_mnt_opts] =
context;
909 opts->mnt_opts_flags[num_mnt_opts++] =
CONTEXT_MNT;
912 opts->mnt_opts[num_mnt_opts] = rootcontext;
916 opts->mnt_opts[num_mnt_opts] = defcontext;
920 opts->num_mnt_opts = num_mnt_opts;
936 char *options =
data;
939 security_init_mnt_opts(&opts);
946 rc = selinux_parse_opts_str(options, &opts);
951 rc = selinux_set_mnt_opts(sb, &opts);
954 security_free_mnt_opts(&opts);
958 static void selinux_write_opts(
struct seq_file *
m,
964 for (i = 0; i < opts->num_mnt_opts; i++) {
967 if (opts->mnt_opts[i])
968 has_comma =
strchr(opts->mnt_opts[i],
',');
972 switch (opts->mnt_opts_flags[i]) {
1009 rc = selinux_get_mnt_opts(sb, &opts);
1017 selinux_write_opts(m, &opts);
1019 security_free_mnt_opts(&opts);
1028 return SECCLASS_SOCK_FILE;
1030 return SECCLASS_LNK_FILE;
1032 return SECCLASS_FILE;
1034 return SECCLASS_BLK_FILE;
1036 return SECCLASS_DIR;
1038 return SECCLASS_CHR_FILE;
1040 return SECCLASS_FIFO_FILE;
1044 return SECCLASS_FILE;
1047 static inline int default_protocol_stream(
int protocol)
1052 static inline int default_protocol_dgram(
int protocol)
1057 static inline u16 socket_type_to_security_class(
int family,
int type,
int protocol)
1064 return SECCLASS_UNIX_STREAM_SOCKET;
1066 return SECCLASS_UNIX_DGRAM_SOCKET;
1073 if (default_protocol_stream(protocol))
1074 return SECCLASS_TCP_SOCKET;
1076 return SECCLASS_RAWIP_SOCKET;
1078 if (default_protocol_dgram(protocol))
1079 return SECCLASS_UDP_SOCKET;
1081 return SECCLASS_RAWIP_SOCKET;
1083 return SECCLASS_DCCP_SOCKET;
1085 return SECCLASS_RAWIP_SOCKET;
1091 return SECCLASS_NETLINK_ROUTE_SOCKET;
1093 return SECCLASS_NETLINK_FIREWALL_SOCKET;
1095 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1097 return SECCLASS_NETLINK_NFLOG_SOCKET;
1099 return SECCLASS_NETLINK_XFRM_SOCKET;
1101 return SECCLASS_NETLINK_SELINUX_SOCKET;
1103 return SECCLASS_NETLINK_AUDIT_SOCKET;
1105 return SECCLASS_NETLINK_IP6FW_SOCKET;
1107 return SECCLASS_NETLINK_DNRT_SOCKET;
1109 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1111 return SECCLASS_NETLINK_SOCKET;
1114 return SECCLASS_PACKET_SOCKET;
1116 return SECCLASS_KEY_SOCKET;
1118 return SECCLASS_APPLETALK_SOCKET;
1121 return SECCLASS_SOCKET;
1124 #ifdef CONFIG_PROC_FS
1143 while (path[1] >=
'0' && path[1] <=
'9') {
1153 static int selinux_proc_get_sid(
struct dentry *dentry,
1162 static int inode_doinit_with_dentry(
struct inode *inode,
struct dentry *opt_dentry)
1167 struct dentry *dentry;
1168 #define INITCONTEXTLEN 255
1169 char *context =
NULL;
1180 sbsec = inode->
i_sb->s_security;
1186 if (list_empty(&isec->
list))
1194 if (!inode->
i_op->getxattr) {
1203 dentry = dget(opt_dentry);
1228 context[len] =
'\0';
1248 context[len] =
'\0';
1249 rc = inode->
i_op->getxattr(dentry,
1257 "%d for dev=%s ino=%ld\n", __func__,
1270 char *
dev = inode->
i_sb->s_id;
1274 if (printk_ratelimit())
1276 "context=%s. This indicates you may need to relabel the inode or the "
1277 "filesystem in question.\n", ino, dev, context);
1280 "returned %d for dev=%s ino=%ld\n",
1281 __func__, context, -rc, dev, ino);
1300 isec->
sclass = inode_mode_to_security_class(inode->
i_mode);
1316 isec->
sclass = inode_mode_to_security_class(inode->
i_mode);
1317 rc = selinux_proc_get_sid(opt_dentry,
1333 if (isec->
sclass == SECCLASS_FILE)
1334 isec->
sclass = inode_mode_to_security_class(inode->
i_mode);
1339 static inline u32 signal_to_av(
int sig)
1346 perm = PROCESS__SIGCHLD;
1350 perm = PROCESS__SIGKILL;
1354 perm = PROCESS__SIGSTOP;
1358 perm = PROCESS__SIGNAL;
1369 static int cred_has_perm(
const struct cred *actor,
1370 const struct cred *
target,
1373 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1375 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms,
NULL);
1384 static int task_has_perm(
const struct task_struct *tsk1,
1395 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms,
NULL);
1404 static int current_has_perm(
const struct task_struct *tsk,
1409 sid = current_sid();
1410 tsid = task_sid(tsk);
1411 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms,
NULL);
1414 #if CAP_LAST_CAP > 63
1415 #error Fix SELinux to handle capabilities > 63.
1419 static int cred_has_capability(
const struct cred *cred,
1425 u32 sid = cred_sid(cred);
1434 sclass = SECCLASS_CAPABILITY;
1437 sclass = SECCLASS_CAPABILITY2;
1441 "SELinux: out of range capability %d\n", cap);
1448 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1456 static int task_has_system(
struct task_struct *tsk,
1459 u32 sid = task_sid(tsk);
1461 return avc_has_perm(sid, SECINITSID_KERNEL,
1462 SECCLASS_SYSTEM, perms,
NULL);
1468 static int inode_has_perm(
const struct cred *cred,
1469 struct inode *inode,
1477 validate_creds(cred);
1482 sid = cred_sid(cred);
1483 isec = inode->i_security;
1491 static inline int dentry_has_perm(
const struct cred *cred,
1492 struct dentry *dentry,
1495 struct inode *inode = dentry->
d_inode;
1500 return inode_has_perm(cred, inode, av, &ad, 0);
1506 static inline int path_has_perm(
const struct cred *cred,
1510 struct inode *inode = path->
dentry->d_inode;
1515 return inode_has_perm(cred, inode, av, &ad, 0);
1526 static int file_has_perm(
const struct cred *cred,
1531 struct inode *inode = file->
f_path.dentry->d_inode;
1533 u32 sid = cred_sid(cred);
1537 ad.u.path = file->
f_path;
1539 if (sid != fsec->
sid) {
1540 rc = avc_has_perm(sid, fsec->
sid,
1551 rc = inode_has_perm(cred, inode, av, &ad, 0);
1558 static int may_create(
struct inode *dir,
1559 struct dentry *dentry,
1569 dsec = dir->i_security;
1570 sbsec = dir->
i_sb->s_security;
1578 rc = avc_has_perm(sid, dsec->
sid, SECCLASS_DIR,
1579 DIR__ADD_NAME | DIR__SEARCH,
1586 &dentry->
d_name, &newsid);
1591 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1595 return avc_has_perm(newsid, sbsec->
sid,
1596 SECCLASS_FILESYSTEM,
1597 FILESYSTEM__ASSOCIATE, &ad);
1601 static int may_create_key(
u32 ksid,
1604 u32 sid = task_sid(ctx);
1606 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE,
NULL);
1610 #define MAY_UNLINK 1
1614 static int may_link(
struct inode *dir,
1615 struct dentry *dentry,
1621 u32 sid = current_sid();
1625 dsec = dir->i_security;
1626 isec = dentry->
d_inode->i_security;
1632 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1633 rc = avc_has_perm(sid, dsec->
sid, SECCLASS_DIR, av, &ad);
1653 rc = avc_has_perm(sid, isec->
sid, isec->
sclass, av, &ad);
1657 static inline int may_rename(
struct inode *old_dir,
1658 struct dentry *old_dentry,
1659 struct inode *new_dir,
1660 struct dentry *new_dentry)
1664 u32 sid = current_sid();
1666 int old_is_dir, new_is_dir;
1669 old_dsec = old_dir->i_security;
1670 old_isec = old_dentry->
d_inode->i_security;
1672 new_dsec = new_dir->i_security;
1676 ad.u.dentry = old_dentry;
1677 rc = avc_has_perm(sid, old_dsec->
sid, SECCLASS_DIR,
1678 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1681 rc = avc_has_perm(sid, old_isec->
sid,
1682 old_isec->
sclass, FILE__RENAME, &ad);
1685 if (old_is_dir && new_dir != old_dir) {
1686 rc = avc_has_perm(sid, old_isec->
sid,
1687 old_isec->
sclass, DIR__REPARENT, &ad);
1692 ad.u.dentry = new_dentry;
1693 av = DIR__ADD_NAME | DIR__SEARCH;
1695 av |= DIR__REMOVE_NAME;
1696 rc = avc_has_perm(sid, new_dsec->
sid, SECCLASS_DIR, av, &ad);
1700 new_isec = new_dentry->
d_inode->i_security;
1702 rc = avc_has_perm(sid, new_isec->
sid,
1704 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1713 static int superblock_has_perm(
const struct cred *cred,
1719 u32 sid = cred_sid(cred);
1721 sbsec = sb->s_security;
1722 return avc_has_perm(sid, sbsec->
sid, SECCLASS_FILESYSTEM, perms, ad);
1726 static inline u32 file_mask_to_av(
int mode,
int mask)
1732 av |= FILE__EXECUTE;
1742 if (mask & MAY_EXEC)
1746 if (mask & MAY_READ)
1754 static inline u32 file_to_av(
struct file *file)
1780 static inline u32 open_file_to_av(
struct file *file)
1782 u32 av = file_to_av(file);
1802 u32 sid = current_sid();
1803 u32 csid = task_sid(child);
1804 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
NULL);
1807 return current_has_perm(child, PROCESS__PTRACE);
1810 static int selinux_ptrace_traceme(
struct task_struct *parent)
1818 return task_has_perm(parent,
current, PROCESS__PTRACE);
1826 error = current_has_perm(target, PROCESS__GETCAP);
1830 return cap_capget(target, effective, inheritable, permitted);
1833 static int selinux_capset(
struct cred *
new,
const struct cred *old,
1841 effective, inheritable, permitted);
1845 return cred_has_perm(old,
new, PROCESS__SETCAP);
1858 static int selinux_capable(
const struct cred *cred,
struct user_namespace *
ns,
1867 return cred_has_capability(cred, cap, audit);
1870 static int selinux_quotactl(
int cmds,
int type,
int id,
struct super_block *sb)
1884 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD,
NULL);
1889 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET,
NULL);
1898 static int selinux_quota_on(
struct dentry *dentry)
1902 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
1905 static int selinux_syslog(
int type)
1912 rc = task_has_system(
current, SYSTEM__SYSLOG_READ);
1918 rc = task_has_system(
current, SYSTEM__SYSLOG_CONSOLE);
1926 rc = task_has_system(
current, SYSTEM__SYSLOG_MOD);
1940 static int selinux_vm_enough_memory(
struct mm_struct *mm,
long pages)
1942 int rc, cap_sys_admin = 0;
1954 static int selinux_bprm_set_creds(
struct linux_binprm *bprm)
1960 struct inode *inode = bprm->
file->f_path.dentry->d_inode;
1973 new_tsec = bprm->
cred->security;
1974 isec = inode->i_security;
1977 new_tsec->
sid = old_tsec->
sid;
1978 new_tsec->
osid = old_tsec->
sid;
1999 SECCLASS_PROCESS,
NULL,
2006 ad.u.path = bprm->
file->f_path;
2010 new_tsec->
sid = old_tsec->
sid;
2012 if (new_tsec->
sid == old_tsec->
sid) {
2013 rc = avc_has_perm(old_tsec->
sid, isec->
sid,
2014 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2019 rc = avc_has_perm(old_tsec->
sid, new_tsec->
sid,
2020 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2024 rc = avc_has_perm(new_tsec->
sid, isec->
sid,
2025 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2031 rc = avc_has_perm(old_tsec->
sid, new_tsec->
sid,
2032 SECCLASS_PROCESS, PROCESS__SHARE,
2047 tracer = ptrace_parent(
current);
2055 rc = avc_has_perm(ptsid, new_tsec->
sid,
2057 PROCESS__PTRACE,
NULL);
2070 static int selinux_bprm_secureexec(
struct linux_binprm *bprm)
2083 atsecure = avc_has_perm(osid, sid,
2085 PROCESS__NOATSECURE,
NULL);
2091 static int match_file(
const void *p,
struct file *file,
unsigned fd)
2093 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2097 static inline void flush_unauthorized_files(
const struct cred *cred,
2100 struct file *
file, *devnull =
NULL;
2107 spin_lock(&tty_files_lock);
2118 file = file_priv->
file;
2119 if (path_has_perm(cred, &file->
f_path, FILE__READ | FILE__WRITE))
2122 spin_unlock(&tty_files_lock);
2135 if (IS_ERR(devnull))
2140 }
while ((n =
iterate_fd(files, n, match_file, cred)) != 0);
2148 static void selinux_bprm_committing_creds(
struct linux_binprm *bprm)
2151 struct rlimit *rlim, *initrlim;
2154 new_tsec = bprm->
cred->security;
2155 if (new_tsec->
sid == new_tsec->
osid)
2159 flush_unauthorized_files(bprm->
cred,
current->files);
2174 rc = avc_has_perm(new_tsec->
osid, new_tsec->
sid, SECCLASS_PROCESS,
2175 PROCESS__RLIMITINH,
NULL);
2193 static void selinux_bprm_committed_creds(
struct linux_binprm *bprm)
2213 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH,
NULL);
2215 memset(&itimer, 0,
sizeof itimer);
2216 for (i = 0; i < 3; i++)
2218 spin_lock_irq(&
current->sighand->siglock);
2222 sigemptyset(&
current->blocked);
2224 spin_unlock_irq(&
current->sighand->siglock);
2236 static int selinux_sb_alloc_security(
struct super_block *sb)
2238 return superblock_alloc_security(sb);
2241 static void selinux_sb_free_security(
struct super_block *sb)
2243 superblock_free_security(sb);
2246 static inline int match_prefix(
char *prefix,
int plen,
char *
option,
int olen)
2251 return !
memcmp(prefix, option, plen);
2254 static inline int selinux_option(
char *option,
int len)
2263 static inline void take_option(
char **to,
char *
from,
int *
first,
int len)
2274 static inline void take_selinux_option(
char **to,
char *from,
int *first,
2277 int current_size = 0;
2285 while (current_size < len) {
2295 static int selinux_sb_copy_data(
char *orig,
char *copy)
2297 int fnosec, fsec, rc = 0;
2298 char *in_save, *in_curr, *in_end;
2299 char *sec_curr, *nosec_save, *
nosec;
2313 in_save = in_end = orig;
2317 open_quote = !open_quote;
2318 if ((*in_end ==
',' && open_quote == 0) ||
2320 int len = in_end - in_curr;
2322 if (selinux_option(in_curr, len))
2323 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2325 take_option(&nosec, in_curr, &fnosec, len);
2327 in_curr = in_end + 1;
2329 }
while (*in_end++);
2331 strcpy(in_save, nosec_save);
2337 static int selinux_sb_remount(
struct super_block *sb,
void *data)
2341 char *secdata, **mount_options;
2353 security_init_mnt_opts(&opts);
2354 secdata = alloc_secdata();
2357 rc = selinux_sb_copy_data(data, secdata);
2359 goto out_free_secdata;
2361 rc = selinux_parse_opts_str(secdata, &opts);
2363 goto out_free_secdata;
2365 mount_options = opts.mnt_opts;
2366 flags = opts.mnt_opts_flags;
2368 for (i = 0; i < opts.num_mnt_opts; i++) {
2374 len =
strlen(mount_options[i]);
2378 "(%s) failed for (dev %s, type %s) errno=%d\n",
2379 mount_options[i], sb->
s_id, sb->
s_type->name, rc);
2386 goto out_bad_option;
2390 goto out_bad_option;
2394 root_isec = sb->
s_root->d_inode->i_security;
2397 goto out_bad_option;
2402 goto out_bad_option;
2411 security_free_mnt_opts(&opts);
2413 free_secdata(secdata);
2417 "during remount (dev %s, type=%s)\n", sb->
s_id,
2422 static int selinux_sb_kern_mount(
struct super_block *sb,
int flags,
void *data)
2428 rc = superblock_doinit(sb, data);
2437 ad.u.dentry = sb->
s_root;
2438 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2441 static int selinux_sb_statfs(
struct dentry *dentry)
2447 ad.u.dentry = dentry->
d_sb->s_root;
2448 return superblock_has_perm(cred, dentry->
d_sb, FILESYSTEM__GETATTR, &ad);
2451 static int selinux_mount(
const char *dev_name,
2454 unsigned long flags,
2460 return superblock_has_perm(cred, path->
dentry->d_sb,
2461 FILESYSTEM__REMOUNT,
NULL);
2463 return path_has_perm(cred, path, FILE__MOUNTON);
2466 static int selinux_umount(
struct vfsmount *mnt,
int flags)
2470 return superblock_has_perm(cred, mnt->
mnt_sb,
2471 FILESYSTEM__UNMOUNT,
NULL);
2476 static int selinux_inode_alloc_security(
struct inode *inode)
2478 return inode_alloc_security(inode);
2481 static void selinux_inode_free_security(
struct inode *inode)
2483 inode_free_security(inode);
2486 static int selinux_inode_init_security(
struct inode *inode,
struct inode *dir,
2487 const struct qstr *
qstr,
char **name,
2488 void **
value,
size_t *len)
2497 dsec = dir->i_security;
2498 sbsec = dir->
i_sb->s_security;
2508 inode_mode_to_security_class(inode->
i_mode),
2512 "security_transition_sid failed, rc=%d (dev=%s "
2523 isec->
sclass = inode_mode_to_security_class(inode->
i_mode);
2551 static int selinux_inode_create(
struct inode *dir,
struct dentry *dentry,
umode_t mode)
2553 return may_create(dir, dentry, SECCLASS_FILE);
2556 static int selinux_inode_link(
struct dentry *old_dentry,
struct inode *dir,
struct dentry *new_dentry)
2558 return may_link(dir, old_dentry,
MAY_LINK);
2561 static int selinux_inode_unlink(
struct inode *dir,
struct dentry *dentry)
2566 static int selinux_inode_symlink(
struct inode *dir,
struct dentry *dentry,
const char *name)
2568 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2571 static int selinux_inode_mkdir(
struct inode *dir,
struct dentry *dentry,
umode_t mask)
2573 return may_create(dir, dentry, SECCLASS_DIR);
2576 static int selinux_inode_rmdir(
struct inode *dir,
struct dentry *dentry)
2578 return may_link(dir, dentry,
MAY_RMDIR);
2581 static int selinux_inode_mknod(
struct inode *dir,
struct dentry *dentry,
umode_t mode,
dev_t dev)
2583 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2586 static int selinux_inode_rename(
struct inode *old_inode,
struct dentry *old_dentry,
2587 struct inode *
new_inode,
struct dentry *new_dentry)
2589 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2592 static int selinux_inode_readlink(
struct dentry *dentry)
2596 return dentry_has_perm(cred, dentry, FILE__READ);
2599 static int selinux_inode_follow_link(
struct dentry *dentry,
struct nameidata *
nameidata)
2603 return dentry_has_perm(cred, dentry, FILE__READ);
2606 static noinline int audit_inode_permission(
struct inode *inode,
2618 audited, denied, &ad, flags);
2624 static int selinux_inode_permission(
struct inode *inode,
int mask)
2634 u32 audited, denied;
2643 validate_creds(cred);
2648 perms = file_mask_to_av(inode->
i_mode, mask);
2650 sid = cred_sid(cred);
2651 isec = inode->i_security;
2654 audited = avc_audit_required(perms, &avd, rc,
2655 from_access ? FILE__AUDIT_ACCESS : 0,
2660 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2666 static int selinux_inode_setattr(
struct dentry *dentry,
struct iattr *
iattr)
2669 unsigned int ia_valid = iattr->
ia_valid;
2670 __u32 av = FILE__WRITE;
2682 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2687 return dentry_has_perm(cred, dentry, av);
2690 static int selinux_inode_getattr(
struct vfsmount *mnt,
struct dentry *dentry)
2698 return path_has_perm(cred, &path, FILE__GETATTR);
2701 static int selinux_inode_setotherxattr(
struct dentry *dentry,
const char *name)
2719 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2722 static int selinux_inode_setxattr(
struct dentry *dentry,
const char *name,
2723 const void *value,
size_t size,
int flags)
2725 struct inode *inode = dentry->
d_inode;
2729 u32 newsid, sid = current_sid();
2733 return selinux_inode_setotherxattr(dentry, name);
2735 sbsec = inode->
i_sb->s_security;
2745 rc = avc_has_perm(sid, isec->
sid, isec->
sclass,
2746 FILE__RELABELFROM, &ad);
2761 if (str[size - 1] ==
'\0')
2762 audit_size = size - 1;
2781 rc = avc_has_perm(sid, newsid, isec->
sclass,
2782 FILE__RELABELTO, &ad);
2791 return avc_has_perm(newsid,
2793 SECCLASS_FILESYSTEM,
2794 FILESYSTEM__ASSOCIATE,
2798 static void selinux_inode_post_setxattr(
struct dentry *dentry,
const char *name,
2799 const void *value,
size_t size,
2802 struct inode *inode = dentry->
d_inode;
2815 "for (%s, %lu), rc=%d\n",
2824 static int selinux_inode_getxattr(
struct dentry *dentry,
const char *name)
2828 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2831 static int selinux_inode_listxattr(
struct dentry *dentry)
2835 return dentry_has_perm(cred, dentry, FILE__GETATTR);
2838 static int selinux_inode_removexattr(
struct dentry *dentry,
const char *name)
2841 return selinux_inode_setotherxattr(dentry, name);
2853 static int selinux_inode_getsecurity(
const struct inode *inode,
const char *name,
void **buffer,
bool alloc)
2857 char *context =
NULL;
2891 static int selinux_inode_setsecurity(
struct inode *inode,
const char *name,
2892 const void *value,
size_t size,
int flags)
2901 if (!value || !size)
2913 static int selinux_inode_listsecurity(
struct inode *inode,
char *buffer,
size_t buffer_size)
2916 if (buffer && len <= buffer_size)
2921 static void selinux_inode_getsecid(
const struct inode *inode,
u32 *secid)
2929 static int selinux_revalidate_file_permission(
struct file *file,
int mask)
2932 struct inode *inode = file->
f_path.dentry->d_inode;
2938 return file_has_perm(cred, file,
2939 file_mask_to_av(inode->
i_mode, mask));
2942 static int selinux_file_permission(
struct file *file,
int mask)
2944 struct inode *inode = file->
f_path.dentry->d_inode;
2947 u32 sid = current_sid();
2953 if (sid == fsec->
sid && fsec->
isid == isec->
sid &&
2958 return selinux_revalidate_file_permission(file, mask);
2961 static int selinux_file_alloc_security(
struct file *file)
2963 return file_alloc_security(file);
2966 static void selinux_file_free_security(
struct file *file)
2968 file_free_security(file);
2971 static int selinux_file_ioctl(
struct file *file,
unsigned int cmd,
2987 error = file_has_perm(cred, file, FILE__GETATTR);
2993 error = file_has_perm(cred, file, FILE__SETATTR);
3000 error = file_has_perm(cred, file, 0);
3013 error = file_has_perm(cred, file, FILE__IOCTL);
3018 static int default_noexec;
3020 static int file_map_prot_check(
struct file *file,
unsigned long prot,
int shared)
3025 if (default_noexec &&
3032 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3039 u32 av = FILE__READ;
3042 if (shared && (prot & PROT_WRITE))
3045 if (prot & PROT_EXEC)
3046 av |= FILE__EXECUTE;
3048 return file_has_perm(cred, file, av);
3055 static int selinux_mmap_addr(
unsigned long addr)
3058 u32 sid = current_sid();
3066 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3067 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3068 MEMPROTECT__MMAP_ZERO,
NULL);
3077 static int selinux_mmap_file(
struct file *file,
unsigned long reqprot,
3078 unsigned long prot,
unsigned long flags)
3083 return file_map_prot_check(file, prot,
3088 unsigned long reqprot,
3096 if (default_noexec &&
3097 (prot & PROT_EXEC) && !(vma->
vm_flags & VM_EXEC)) {
3101 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3105 rc = current_has_perm(
current, PROCESS__EXECSTACK);
3114 rc = file_has_perm(cred, vma->
vm_file, FILE__EXECMOD);
3120 return file_map_prot_check(vma->
vm_file, prot, vma->
vm_flags&VM_SHARED);
3123 static int selinux_file_lock(
struct file *file,
unsigned int cmd)
3127 return file_has_perm(cred, file, FILE__LOCK);
3130 static int selinux_file_fcntl(
struct file *file,
unsigned int cmd,
3138 if (!file->
f_path.dentry || !file->
f_path.dentry->d_inode) {
3144 err = file_has_perm(cred, file, FILE__WRITE);
3155 err = file_has_perm(cred, file, 0);
3160 #if BITS_PER_LONG == 32
3165 if (!file->
f_path.dentry || !file->
f_path.dentry->d_inode) {
3169 err = file_has_perm(cred, file, FILE__LOCK);
3176 static int selinux_file_set_fowner(
struct file *file)
3180 fsec = file->f_security;
3186 static int selinux_file_send_sigiotask(
struct task_struct *tsk,
3190 u32 sid = task_sid(tsk);
3197 fsec = file->f_security;
3200 perm = signal_to_av(
SIGIO);
3202 perm = signal_to_av(signum);
3204 return avc_has_perm(fsec->
fown_sid, sid,
3205 SECCLASS_PROCESS, perm,
NULL);
3208 static int selinux_file_receive(
struct file *file)
3212 return file_has_perm(cred, file, file_to_av(file));
3215 static int selinux_file_open(
struct file *file,
const struct cred *cred)
3220 fsec = file->f_security;
3221 isec = file->
f_path.dentry->d_inode->i_security;
3239 return path_has_perm(cred, &file->
f_path, open_file_to_av(file));
3244 static int selinux_task_create(
unsigned long clone_flags)
3246 return current_has_perm(
current, PROCESS__FORK);
3252 static int selinux_cred_alloc_blank(
struct cred *cred,
gfp_t gfp)
3260 cred->security = tsec;
3267 static void selinux_cred_free(
struct cred *cred)
3276 cred->security = (
void *) 0x7UL;
3283 static int selinux_cred_prepare(
struct cred *
new,
const struct cred *old,
3289 old_tsec = old->security;
3295 new->security = tsec;
3302 static void selinux_cred_transfer(
struct cred *
new,
const struct cred *old)
3314 static int selinux_kernel_act_as(
struct cred *
new,
u32 secid)
3317 u32 sid = current_sid();
3320 ret = avc_has_perm(sid, secid,
3321 SECCLASS_KERNEL_SERVICE,
3322 KERNEL_SERVICE__USE_AS_OVERRIDE,
3337 static int selinux_kernel_create_files_as(
struct cred *
new,
struct inode *inode)
3341 u32 sid = current_sid();
3344 ret = avc_has_perm(sid, isec->
sid,
3345 SECCLASS_KERNEL_SERVICE,
3346 KERNEL_SERVICE__CREATE_FILES_AS,
3354 static int selinux_kernel_module_request(
char *kmod_name)
3364 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3365 SYSTEM__MODULE_REQUEST, &ad);
3370 return current_has_perm(p, PROCESS__SETPGID);
3373 static int selinux_task_getpgid(
struct task_struct *p)
3375 return current_has_perm(p, PROCESS__GETPGID);
3378 static int selinux_task_getsid(
struct task_struct *p)
3380 return current_has_perm(p, PROCESS__GETSESSION);
3383 static void selinux_task_getsecid(
struct task_struct *p,
u32 *secid)
3385 *secid = task_sid(p);
3388 static int selinux_task_setnice(
struct task_struct *p,
int nice)
3396 return current_has_perm(p, PROCESS__SETSCHED);
3399 static int selinux_task_setioprio(
struct task_struct *p,
int ioprio)
3407 return current_has_perm(p, PROCESS__SETSCHED);
3410 static int selinux_task_getioprio(
struct task_struct *p)
3412 return current_has_perm(p, PROCESS__GETSCHED);
3425 return current_has_perm(p, PROCESS__SETRLIMIT);
3430 static int selinux_task_setscheduler(
struct task_struct *p)
3438 return current_has_perm(p, PROCESS__SETSCHED);
3441 static int selinux_task_getscheduler(
struct task_struct *p)
3443 return current_has_perm(p, PROCESS__GETSCHED);
3446 static int selinux_task_movememory(
struct task_struct *p)
3448 return current_has_perm(p, PROCESS__SETSCHED);
3458 perm = PROCESS__SIGNULL;
3460 perm = signal_to_av(sig);
3462 rc = avc_has_perm(secid, task_sid(p),
3463 SECCLASS_PROCESS, perm,
NULL);
3465 rc = current_has_perm(p, perm);
3469 static int selinux_task_wait(
struct task_struct *p)
3471 return task_has_perm(p,
current, PROCESS__SIGCHLD);
3474 static void selinux_task_to_inode(
struct task_struct *p,
3475 struct inode *inode)
3485 static int selinux_parse_skb_ipv4(
struct sk_buff *
skb,
3489 struct iphdr _iph, *ih;
3491 offset = skb_network_offset(skb);
3492 ih = skb_header_pointer(skb, offset,
sizeof(_iph), &_iph);
3496 ihlen = ih->ihl * 4;
3497 if (ihlen <
sizeof(_iph))
3515 th = skb_header_pointer(skb, offset,
sizeof(_tcph), &_tcph);
3525 struct udphdr _udph, *uh;
3531 uh = skb_header_pointer(skb, offset,
sizeof(_udph), &_udph);
3547 dh = skb_header_pointer(skb, offset,
sizeof(_dccph), &_dccph);
3563 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3566 static int selinux_parse_skb_ipv6(
struct sk_buff *skb,
3574 offset = skb_network_offset(skb);
3575 ip6 = skb_header_pointer(skb, offset,
sizeof(_ipv6h), &_ipv6h);
3584 offset +=
sizeof(_ipv6h);
3596 th = skb_header_pointer(skb, offset,
sizeof(_tcph), &_tcph);
3606 struct udphdr _udph, *uh;
3608 uh = skb_header_pointer(skb, offset,
sizeof(_udph), &_udph);
3620 dh = skb_header_pointer(skb, offset,
sizeof(_dccph), &_dccph);
3640 char **_addrp,
int src,
u8 *proto)
3645 switch (ad->
u.
net->family) {
3647 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3650 addrp = (
char *)(src ? &ad->
u.
net->v4info.saddr :
3651 &ad->
u.
net->v4info.daddr);
3654 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3656 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3659 addrp = (
char *)(src ? &ad->
u.
net->v6info.saddr :
3660 &ad->
u.
net->v6info.daddr);
3670 "SELinux: failure in selinux_parse_skb(),"
3671 " unable to parse packet\n");
3695 static int selinux_skb_peerlbl_sid(
struct sk_buff *skb,
u16 family,
u32 *sid)
3702 selinux_skb_xfrm_sid(skb, &xfrm_sid);
3708 "SELinux: failure in selinux_skb_peerlbl_sid(),"
3709 " unable to determine packet's peer label\n");
3719 u16 secclass,
u32 *socksid)
3735 u32 tsid = task_sid(task);
3737 if (sksec->
sid == SECINITSID_KERNEL)
3744 return avc_has_perm(tsid, sksec->
sid, sksec->
sclass, perms, &ad);
3747 static int selinux_socket_create(
int family,
int type,
3748 int protocol,
int kern)
3758 secclass = socket_type_to_security_class(family, type, protocol);
3759 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
3763 return avc_has_perm(tsec->
sid, newsid, secclass, SOCKET__CREATE,
NULL);
3766 static int selinux_socket_post_create(
struct socket *
sock,
int family,
3767 int type,
int protocol,
int kern)
3774 isec->
sclass = socket_type_to_security_class(family, type, protocol);
3777 isec->
sid = SECINITSID_KERNEL;
3779 err = socket_sockcreate_sid(tsec, isec->
sclass, &(isec->
sid));
3787 sksec = sock->
sk->sk_security;
3802 struct sock *sk = sock->
sk;
3806 err = sock_has_perm(
current, sk, SOCKET__BIND);
3815 family = sk->sk_family;
3823 unsigned short snum;
3829 addrp = (
char *)&addr4->
sin_addr.s_addr;
3833 addrp = (
char *)&addr6->
sin6_addr.s6_addr;
3850 err = avc_has_perm(sksec->
sid, sid,
3852 SOCKET__NAME_BIND, &ad);
3859 case SECCLASS_TCP_SOCKET:
3860 node_perm = TCP_SOCKET__NODE_BIND;
3863 case SECCLASS_UDP_SOCKET:
3864 node_perm = UDP_SOCKET__NODE_BIND;
3867 case SECCLASS_DCCP_SOCKET:
3868 node_perm = DCCP_SOCKET__NODE_BIND;
3872 node_perm = RAWIP_SOCKET__NODE_BIND;
3890 err = avc_has_perm(sksec->
sid, sid,
3891 sksec->
sclass, node_perm, &ad);
3899 static int selinux_socket_connect(
struct socket *sock,
struct sockaddr *address,
int addrlen)
3901 struct sock *sk = sock->
sk;
3905 err = sock_has_perm(
current, sk, SOCKET__CONNECT);
3912 if (sksec->
sclass == SECCLASS_TCP_SOCKET ||
3913 sksec->
sclass == SECCLASS_DCCP_SOCKET) {
3918 unsigned short snum;
3921 if (sk->sk_family ==
PF_INET) {
3937 perm = (sksec->
sclass == SECCLASS_TCP_SOCKET) ?
3938 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3943 ad.
u.
net->family = sk->sk_family;
3944 err = avc_has_perm(sksec->
sid, sid, sksec->
sclass, perm, &ad);
3955 static int selinux_socket_listen(
struct socket *sock,
int backlog)
3957 return sock_has_perm(
current, sock->
sk, SOCKET__LISTEN);
3960 static int selinux_socket_accept(
struct socket *sock,
struct socket *newsock)
3966 err = sock_has_perm(
current, sock->
sk, SOCKET__ACCEPT);
3970 newisec = SOCK_INODE(newsock)->i_security;
3972 isec = SOCK_INODE(sock)->i_security;
3974 newisec->
sid = isec->
sid;
3980 static int selinux_socket_sendmsg(
struct socket *sock,
struct msghdr *
msg,
3983 return sock_has_perm(
current, sock->
sk, SOCKET__WRITE);
3986 static int selinux_socket_recvmsg(
struct socket *sock,
struct msghdr *
msg,
3987 int size,
int flags)
3989 return sock_has_perm(
current, sock->
sk, SOCKET__READ);
3992 static int selinux_socket_getsockname(
struct socket *sock)
3994 return sock_has_perm(
current, sock->
sk, SOCKET__GETATTR);
3997 static int selinux_socket_getpeername(
struct socket *sock)
3999 return sock_has_perm(
current, sock->
sk, SOCKET__GETATTR);
4002 static int selinux_socket_setsockopt(
struct socket *sock,
int level,
int optname)
4006 err = sock_has_perm(
current, sock->
sk, SOCKET__SETOPT);
4013 static int selinux_socket_getsockopt(
struct socket *sock,
int level,
4016 return sock_has_perm(
current, sock->
sk, SOCKET__GETOPT);
4019 static int selinux_socket_shutdown(
struct socket *sock,
int how)
4021 return sock_has_perm(
current, sock->
sk, SOCKET__SHUTDOWN);
4024 static int selinux_socket_unix_stream_connect(
struct sock *sock,
4039 err = avc_has_perm(sksec_sock->
sid, sksec_other->
sid,
4041 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4058 static int selinux_socket_unix_may_send(
struct socket *sock,
4068 ad.
u.
net->sk = other->
sk;
4070 return avc_has_perm(ssec->
sid, osec->
sid, osec->
sclass, SOCKET__SENDTO,
4074 static int selinux_inet_sys_rcv_skb(
int ifindex,
char *addrp,
u16 family,
4085 err = avc_has_perm(peer_sid, if_sid,
4086 SECCLASS_NETIF, NETIF__INGRESS, ad);
4093 return avc_has_perm(peer_sid, node_sid,
4094 SECCLASS_NODE, NODE__RECVFROM, ad);
4097 static int selinux_sock_rcv_skb_compat(
struct sock *sk,
struct sk_buff *skb,
4111 err = selinux_parse_skb(skb, &ad, &addrp, 1,
NULL);
4115 if (selinux_secmark_enabled()) {
4116 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4130 static int selinux_socket_sock_rcv_skb(
struct sock *sk,
struct sk_buff *skb)
4134 u16 family = sk->sk_family;
4154 return selinux_sock_rcv_skb_compat(sk, skb, family);
4156 secmark_active = selinux_secmark_enabled();
4158 if (!secmark_active && !peerlbl_active)
4165 err = selinux_parse_skb(skb, &ad, &addrp, 1,
NULL);
4169 if (peerlbl_active) {
4172 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4175 err = selinux_inet_sys_rcv_skb(skb->
skb_iif, addrp, family,
4181 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4187 if (secmark_active) {
4188 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4197 static int selinux_socket_getpeersec_stream(
struct socket *sock,
char __user *optval,
4198 int __user *optlen,
unsigned len)
4206 if (sksec->
sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4207 sksec->
sclass == SECCLASS_TCP_SOCKET)
4216 if (scontext_len > len) {
4225 if (
put_user(scontext_len, optlen))
4231 static int selinux_socket_getpeersec_dgram(
struct socket *sock,
struct sk_buff *skb,
u32 *secid)
4241 family = sock->
sk->sk_family;
4245 if (sock && family ==
PF_UNIX)
4246 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4248 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4251 *secid = peer_secid;
4257 static int selinux_sk_alloc_security(
struct sock *sk,
int family,
gfp_t priority)
4261 sksec = kzalloc(
sizeof(*sksec), priority);
4265 sksec->
peer_sid = SECINITSID_UNLABELED;
4266 sksec->
sid = SECINITSID_UNLABELED;
4268 sk->sk_security = sksec;
4273 static void selinux_sk_free_security(
struct sock *sk)
4277 sk->sk_security =
NULL;
4282 static void selinux_sk_clone_security(
const struct sock *sk,
struct sock *newsk)
4287 newsksec->
sid = sksec->
sid;
4294 static void selinux_sk_getsecid(
struct sock *sk,
u32 *secid)
4297 *secid = SECINITSID_ANY_SOCKET;
4301 *secid = sksec->
sid;
4305 static void selinux_sock_graft(
struct sock *sk,
struct socket *parent)
4316 static int selinux_inet_conn_request(
struct sock *sk,
struct sk_buff *skb,
4321 u16 family = sk->sk_family;
4329 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4339 req->
secid = newsid;
4346 static void selinux_inet_csk_clone(
struct sock *newsk,
4363 static void selinux_inet_conn_established(
struct sock *sk,
struct sk_buff *skb)
4365 u16 family = sk->sk_family;
4372 selinux_skb_peerlbl_sid(skb, family, &sksec->
peer_sid);
4375 static int selinux_secmark_relabel_packet(
u32 sid)
4383 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
NULL);
4386 static void selinux_secmark_refcount_inc(
void)
4391 static void selinux_secmark_refcount_dec(
void)
4396 static void selinux_req_classify_flow(
const struct request_sock *req,
4399 fl->flowi_secid = req->
secid;
4402 static int selinux_tun_dev_create(
void)
4404 u32 sid = current_sid();
4413 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4417 static void selinux_tun_dev_post_create(
struct sock *sk)
4431 sksec->
sid = current_sid();
4432 sksec->
sclass = SECCLASS_TUN_SOCKET;
4435 static int selinux_tun_dev_attach(
struct sock *sk)
4438 u32 sid = current_sid();
4441 err = avc_has_perm(sid, sksec->
sid, SECCLASS_TUN_SOCKET,
4442 TUN_SOCKET__RELABELFROM,
NULL);
4445 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4446 TUN_SOCKET__RELABELTO,
NULL);
4455 static int selinux_nlmsg_perm(
struct sock *sk,
struct sk_buff *skb)
4466 nlh = nlmsg_hdr(skb);
4472 "SELinux: unrecognized netlink message"
4473 " type=%hu for sclass=%hu\n",
4485 err = sock_has_perm(
current, sk, perm);
4490 #ifdef CONFIG_NETFILTER
4492 static unsigned int selinux_ip_forward(
struct sk_buff *skb,
int ifindex,
4507 secmark_active = selinux_secmark_enabled();
4509 peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4510 if (!secmark_active && !peerlbl_active)
4513 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4518 ad.
u.
net->netif = ifindex;
4520 if (selinux_parse_skb(skb, &ad, &addrp, 1,
NULL) != 0)
4523 if (peerlbl_active) {
4524 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4533 if (avc_has_perm(peer_sid, skb->secmark,
4534 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4548 static unsigned int selinux_ipv4_forward(
unsigned int hooknum,
4552 int (*okfn)(
struct sk_buff *))
4557 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4558 static unsigned int selinux_ipv6_forward(
unsigned int hooknum,
4562 int (*okfn)(
struct sk_buff *))
4568 static unsigned int selinux_ip_output(
struct sk_buff *skb,
4583 sid = SECINITSID_KERNEL;
4590 static unsigned int selinux_ipv4_output(
unsigned int hooknum,
4594 int (*okfn)(
struct sk_buff *))
4596 return selinux_ip_output(skb,
PF_INET);
4599 static unsigned int selinux_ip_postroute_compat(
struct sk_buff *skb,
4603 struct sock *sk = skb->
sk;
4612 sksec = sk->sk_security;
4616 ad.
u.
net->netif = ifindex;
4618 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4621 if (selinux_secmark_enabled())
4622 if (avc_has_perm(sksec->
sid, skb->secmark,
4623 SECCLASS_PACKET, PACKET__SEND, &ad))
4632 static unsigned int selinux_ip_postroute(
struct sk_buff *skb,
int ifindex,
4649 return selinux_ip_postroute_compat(skb, ifindex, family);
4657 if (skb_dst(skb) !=
NULL && skb_dst(skb)->xfrm !=
NULL)
4660 secmark_active = selinux_secmark_enabled();
4662 if (!secmark_active && !peerlbl_active)
4672 secmark_perm = PACKET__FORWARD_OUT;
4673 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4676 secmark_perm = PACKET__SEND;
4677 peer_sid = SECINITSID_KERNEL;
4681 peer_sid = sksec->
sid;
4682 secmark_perm = PACKET__SEND;
4687 ad.
u.
net->netif = ifindex;
4689 if (selinux_parse_skb(skb, &ad, &addrp, 0,
NULL))
4693 if (avc_has_perm(peer_sid, skb->secmark,
4694 SECCLASS_PACKET, secmark_perm, &ad))
4697 if (peerlbl_active) {
4703 if (avc_has_perm(peer_sid, if_sid,
4704 SECCLASS_NETIF, NETIF__EGRESS, &ad))
4709 if (avc_has_perm(peer_sid, node_sid,
4710 SECCLASS_NODE, NODE__SENDTO, &ad))
4717 static unsigned int selinux_ipv4_postroute(
unsigned int hooknum,
4721 int (*okfn)(
struct sk_buff *))
4726 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4727 static unsigned int selinux_ipv6_postroute(
unsigned int hooknum,
4731 int (*okfn)(
struct sk_buff *))
4739 static int selinux_netlink_send(
struct sock *sk,
struct sk_buff *skb)
4747 return selinux_nlmsg_perm(sk, skb);
4750 static int ipc_alloc_security(
struct task_struct *task,
4761 sid = task_sid(task);
4776 static int msg_msg_alloc_security(
struct msg_msg *
msg)
4784 msec->
sid = SECINITSID_UNLABELED;
4790 static void msg_msg_free_security(
struct msg_msg *msg)
4803 u32 sid = current_sid();
4810 return avc_has_perm(sid, isec->
sid, isec->
sclass, perms, &ad);
4813 static int selinux_msg_msg_alloc_security(
struct msg_msg *msg)
4815 return msg_msg_alloc_security(msg);
4818 static void selinux_msg_msg_free_security(
struct msg_msg *msg)
4820 msg_msg_free_security(msg);
4824 static int selinux_msg_queue_alloc_security(
struct msg_queue *msq)
4828 u32 sid = current_sid();
4831 rc = ipc_alloc_security(
current, &msq->
q_perm, SECCLASS_MSGQ);
4835 isec = msq->
q_perm.security;
4840 rc = avc_has_perm(sid, isec->
sid, SECCLASS_MSGQ,
4843 ipc_free_security(&msq->
q_perm);
4849 static void selinux_msg_queue_free_security(
struct msg_queue *msq)
4851 ipc_free_security(&msq->
q_perm);
4854 static int selinux_msg_queue_associate(
struct msg_queue *msq,
int msqflg)
4858 u32 sid = current_sid();
4860 isec = msq->
q_perm.security;
4865 return avc_has_perm(sid, isec->
sid, SECCLASS_MSGQ,
4866 MSGQ__ASSOCIATE, &ad);
4869 static int selinux_msg_queue_msgctl(
struct msg_queue *msq,
int cmd)
4878 return task_has_system(
current, SYSTEM__IPC_INFO);
4881 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
4884 perms = MSGQ__SETATTR;
4887 perms = MSGQ__DESTROY;
4893 err = ipc_has_perm(&msq->
q_perm, perms);
4897 static int selinux_msg_queue_msgsnd(
struct msg_queue *msq,
struct msg_msg *msg,
int msqflg)
4902 u32 sid = current_sid();
4905 isec = msq->
q_perm.security;
4911 if (msec->
sid == SECINITSID_UNLABELED) {
4926 rc = avc_has_perm(sid, isec->
sid, SECCLASS_MSGQ,
4930 rc = avc_has_perm(sid, msec->
sid, SECCLASS_MSG,
4934 rc = avc_has_perm(msec->
sid, isec->
sid, SECCLASS_MSGQ,
4935 MSGQ__ENQUEUE, &ad);
4940 static int selinux_msg_queue_msgrcv(
struct msg_queue *msq,
struct msg_msg *msg,
4942 long type,
int mode)
4947 u32 sid = task_sid(target);
4950 isec = msq->
q_perm.security;
4956 rc = avc_has_perm(sid, isec->
sid,
4957 SECCLASS_MSGQ, MSGQ__READ, &ad);
4959 rc = avc_has_perm(sid, msec->
sid,
4960 SECCLASS_MSG, MSG__RECEIVE, &ad);
4965 static int selinux_shm_alloc_security(
struct shmid_kernel *shp)
4969 u32 sid = current_sid();
4981 rc = avc_has_perm(sid, isec->
sid, SECCLASS_SHM,
4990 static void selinux_shm_free_security(
struct shmid_kernel *shp)
4995 static int selinux_shm_associate(
struct shmid_kernel *shp,
int shmflg)
4999 u32 sid = current_sid();
5006 return avc_has_perm(sid, isec->
sid, SECCLASS_SHM,
5007 SHM__ASSOCIATE, &ad);
5011 static int selinux_shm_shmctl(
struct shmid_kernel *shp,
int cmd)
5020 return task_has_system(
current, SYSTEM__IPC_INFO);
5023 perms = SHM__GETATTR | SHM__ASSOCIATE;
5026 perms = SHM__SETATTR;
5033 perms = SHM__DESTROY;
5039 err = ipc_has_perm(&shp->
shm_perm, perms);
5044 char __user *shmaddr,
int shmflg)
5051 perms = SHM__READ | SHM__WRITE;
5053 return ipc_has_perm(&shp->
shm_perm, perms);
5057 static int selinux_sem_alloc_security(
struct sem_array *sma)
5061 u32 sid = current_sid();
5073 rc = avc_has_perm(sid, isec->
sid, SECCLASS_SEM,
5082 static void selinux_sem_free_security(
struct sem_array *sma)
5087 static int selinux_sem_associate(
struct sem_array *sma,
int semflg)
5091 u32 sid = current_sid();
5098 return avc_has_perm(sid, isec->
sid, SECCLASS_SEM,
5099 SEM__ASSOCIATE, &ad);
5103 static int selinux_sem_semctl(
struct sem_array *sma,
int cmd)
5112 return task_has_system(
current, SYSTEM__IPC_INFO);
5116 perms = SEM__GETATTR;
5127 perms = SEM__DESTROY;
5130 perms = SEM__SETATTR;
5134 perms = SEM__GETATTR | SEM__ASSOCIATE;
5140 err = ipc_has_perm(&sma->
sem_perm, perms);
5144 static int selinux_sem_semop(
struct sem_array *sma,
5145 struct sembuf *sops,
unsigned nsops,
int alter)
5150 perms = SEM__READ | SEM__WRITE;
5154 return ipc_has_perm(&sma->
sem_perm, perms);
5157 static int selinux_ipc_permission(
struct kern_ipc_perm *ipcp,
short flag)
5163 av |= IPC__UNIX_READ;
5165 av |= IPC__UNIX_WRITE;
5170 return ipc_has_perm(ipcp, av);
5179 static void selinux_d_instantiate(
struct dentry *dentry,
struct inode *inode)
5182 inode_doinit_with_dentry(inode, dentry);
5185 static int selinux_getprocattr(
struct task_struct *p,
5186 char *name,
char **value)
5194 error = current_has_perm(p, PROCESS__GETATTR);
5202 if (!
strcmp(name,
"current"))
5204 else if (!
strcmp(name,
"prev"))
5206 else if (!
strcmp(name,
"exec"))
5208 else if (!
strcmp(name,
"fscreate"))
5210 else if (!
strcmp(name,
"keycreate"))
5212 else if (!
strcmp(name,
"sockcreate"))
5231 static int selinux_setprocattr(
struct task_struct *p,
5232 char *name,
void *value,
size_t size)
5252 if (!
strcmp(name,
"exec"))
5253 error = current_has_perm(p, PROCESS__SETEXEC);
5254 else if (!
strcmp(name,
"fscreate"))
5255 error = current_has_perm(p, PROCESS__SETFSCREATE);
5256 else if (!
strcmp(name,
"keycreate"))
5257 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5258 else if (!
strcmp(name,
"sockcreate"))
5259 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5260 else if (!
strcmp(name,
"current"))
5261 error = current_has_perm(p, PROCESS__SETCURRENT);
5268 if (size && str[1] && str[1] !=
'\n') {
5269 if (str[size-1] ==
'\n') {
5281 if (str[size - 1] ==
'\0')
5282 audit_size = size - 1;
5309 tsec =
new->security;
5310 if (!
strcmp(name,
"exec")) {
5312 }
else if (!
strcmp(name,
"fscreate")) {
5314 }
else if (!
strcmp(name,
"keycreate")) {
5315 error = may_create_key(sid, p);
5319 }
else if (!
strcmp(name,
"sockcreate")) {
5321 }
else if (!
strcmp(name,
"current")) {
5335 error = avc_has_perm(tsec->
sid, sid, SECCLASS_PROCESS,
5336 PROCESS__DYNTRANSITION,
NULL);
5344 tracer = ptrace_parent(p);
5346 ptsid = task_sid(tracer);
5350 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5351 PROCESS__PTRACE,
NULL);
5370 static int selinux_secid_to_secctx(
u32 secid,
char **secdata,
u32 *seclen)
5375 static int selinux_secctx_to_secid(
const char *secdata,
u32 seclen,
u32 *secid)
5380 static void selinux_release_secctx(
char *secdata,
u32 seclen)
5388 static int selinux_inode_notifysecctx(
struct inode *inode,
void *
ctx,
u32 ctxlen)
5396 static int selinux_inode_setsecctx(
struct dentry *dentry,
void *
ctx,
u32 ctxlen)
5401 static int selinux_inode_getsecctx(
struct inode *inode,
void **
ctx,
u32 *ctxlen)
5413 static int selinux_key_alloc(
struct key *
k,
const struct cred *cred,
5414 unsigned long flags)
5423 tsec = cred->security;
5433 static void selinux_key_free(
struct key *k)
5441 static int selinux_key_permission(key_ref_t key_ref,
5442 const struct cred *cred,
5455 sid = cred_sid(cred);
5457 key = key_ref_to_ptr(key_ref);
5458 ksec = key->security;
5460 return avc_has_perm(sid, ksec->
sid, SECCLASS_KEY, perm,
NULL);
5463 static int selinux_key_getsecurity(
struct key *key,
char **
_buffer)
5466 char *context =
NULL;
5479 static struct security_operations selinux_ops = {
5482 .ptrace_access_check = selinux_ptrace_access_check,
5483 .ptrace_traceme = selinux_ptrace_traceme,
5484 .capget = selinux_capget,
5485 .capset = selinux_capset,
5486 .capable = selinux_capable,
5487 .quotactl = selinux_quotactl,
5488 .quota_on = selinux_quota_on,
5489 .syslog = selinux_syslog,
5490 .vm_enough_memory = selinux_vm_enough_memory,
5492 .netlink_send = selinux_netlink_send,
5494 .bprm_set_creds = selinux_bprm_set_creds,
5495 .bprm_committing_creds = selinux_bprm_committing_creds,
5496 .bprm_committed_creds = selinux_bprm_committed_creds,
5497 .bprm_secureexec = selinux_bprm_secureexec,
5499 .sb_alloc_security = selinux_sb_alloc_security,
5500 .sb_free_security = selinux_sb_free_security,
5501 .sb_copy_data = selinux_sb_copy_data,
5502 .sb_remount = selinux_sb_remount,
5503 .sb_kern_mount = selinux_sb_kern_mount,
5504 .sb_show_options = selinux_sb_show_options,
5505 .sb_statfs = selinux_sb_statfs,
5506 .sb_mount = selinux_mount,
5507 .sb_umount = selinux_umount,
5508 .sb_set_mnt_opts = selinux_set_mnt_opts,
5509 .sb_clone_mnt_opts = selinux_sb_clone_mnt_opts,
5510 .sb_parse_opts_str = selinux_parse_opts_str,
5513 .inode_alloc_security = selinux_inode_alloc_security,
5514 .inode_free_security = selinux_inode_free_security,
5515 .inode_init_security = selinux_inode_init_security,
5516 .inode_create = selinux_inode_create,
5517 .inode_link = selinux_inode_link,
5518 .inode_unlink = selinux_inode_unlink,
5519 .inode_symlink = selinux_inode_symlink,
5520 .inode_mkdir = selinux_inode_mkdir,
5521 .inode_rmdir = selinux_inode_rmdir,
5522 .inode_mknod = selinux_inode_mknod,
5523 .inode_rename = selinux_inode_rename,
5524 .inode_readlink = selinux_inode_readlink,
5525 .inode_follow_link = selinux_inode_follow_link,
5526 .inode_permission = selinux_inode_permission,
5527 .inode_setattr = selinux_inode_setattr,
5528 .inode_getattr = selinux_inode_getattr,
5529 .inode_setxattr = selinux_inode_setxattr,
5530 .inode_post_setxattr = selinux_inode_post_setxattr,
5531 .inode_getxattr = selinux_inode_getxattr,
5532 .inode_listxattr = selinux_inode_listxattr,
5533 .inode_removexattr = selinux_inode_removexattr,
5534 .inode_getsecurity = selinux_inode_getsecurity,
5535 .inode_setsecurity = selinux_inode_setsecurity,
5536 .inode_listsecurity = selinux_inode_listsecurity,
5537 .inode_getsecid = selinux_inode_getsecid,
5539 .file_permission = selinux_file_permission,
5540 .file_alloc_security = selinux_file_alloc_security,
5541 .file_free_security = selinux_file_free_security,
5542 .file_ioctl = selinux_file_ioctl,
5543 .mmap_file = selinux_mmap_file,
5544 .mmap_addr = selinux_mmap_addr,
5545 .file_mprotect = selinux_file_mprotect,
5546 .file_lock = selinux_file_lock,
5547 .file_fcntl = selinux_file_fcntl,
5548 .file_set_fowner = selinux_file_set_fowner,
5549 .file_send_sigiotask = selinux_file_send_sigiotask,
5550 .file_receive = selinux_file_receive,
5552 .file_open = selinux_file_open,
5554 .task_create = selinux_task_create,
5555 .cred_alloc_blank = selinux_cred_alloc_blank,
5556 .cred_free = selinux_cred_free,
5557 .cred_prepare = selinux_cred_prepare,
5558 .cred_transfer = selinux_cred_transfer,
5559 .kernel_act_as = selinux_kernel_act_as,
5560 .kernel_create_files_as = selinux_kernel_create_files_as,
5561 .kernel_module_request = selinux_kernel_module_request,
5562 .task_setpgid = selinux_task_setpgid,
5563 .task_getpgid = selinux_task_getpgid,
5564 .task_getsid = selinux_task_getsid,
5565 .task_getsecid = selinux_task_getsecid,
5566 .task_setnice = selinux_task_setnice,
5567 .task_setioprio = selinux_task_setioprio,
5568 .task_getioprio = selinux_task_getioprio,
5569 .task_setrlimit = selinux_task_setrlimit,
5570 .task_setscheduler = selinux_task_setscheduler,
5571 .task_getscheduler = selinux_task_getscheduler,
5572 .task_movememory = selinux_task_movememory,
5573 .task_kill = selinux_task_kill,
5574 .task_wait = selinux_task_wait,
5575 .task_to_inode = selinux_task_to_inode,
5577 .ipc_permission = selinux_ipc_permission,
5578 .ipc_getsecid = selinux_ipc_getsecid,
5580 .msg_msg_alloc_security = selinux_msg_msg_alloc_security,
5581 .msg_msg_free_security = selinux_msg_msg_free_security,
5583 .msg_queue_alloc_security = selinux_msg_queue_alloc_security,
5584 .msg_queue_free_security = selinux_msg_queue_free_security,
5585 .msg_queue_associate = selinux_msg_queue_associate,
5586 .msg_queue_msgctl = selinux_msg_queue_msgctl,
5587 .msg_queue_msgsnd = selinux_msg_queue_msgsnd,
5588 .msg_queue_msgrcv = selinux_msg_queue_msgrcv,
5590 .shm_alloc_security = selinux_shm_alloc_security,
5591 .shm_free_security = selinux_shm_free_security,
5592 .shm_associate = selinux_shm_associate,
5593 .shm_shmctl = selinux_shm_shmctl,
5594 .shm_shmat = selinux_shm_shmat,
5596 .sem_alloc_security = selinux_sem_alloc_security,
5597 .sem_free_security = selinux_sem_free_security,
5598 .sem_associate = selinux_sem_associate,
5599 .sem_semctl = selinux_sem_semctl,
5600 .sem_semop = selinux_sem_semop,
5602 .d_instantiate = selinux_d_instantiate,
5604 .getprocattr = selinux_getprocattr,
5605 .setprocattr = selinux_setprocattr,
5607 .secid_to_secctx = selinux_secid_to_secctx,
5608 .secctx_to_secid = selinux_secctx_to_secid,
5609 .release_secctx = selinux_release_secctx,
5610 .inode_notifysecctx = selinux_inode_notifysecctx,
5611 .inode_setsecctx = selinux_inode_setsecctx,
5612 .inode_getsecctx = selinux_inode_getsecctx,
5614 .unix_stream_connect = selinux_socket_unix_stream_connect,
5615 .unix_may_send = selinux_socket_unix_may_send,
5617 .socket_create = selinux_socket_create,
5618 .socket_post_create = selinux_socket_post_create,
5619 .socket_bind = selinux_socket_bind,
5620 .socket_connect = selinux_socket_connect,
5621 .socket_listen = selinux_socket_listen,
5622 .socket_accept = selinux_socket_accept,
5623 .socket_sendmsg = selinux_socket_sendmsg,
5624 .socket_recvmsg = selinux_socket_recvmsg,
5625 .socket_getsockname = selinux_socket_getsockname,
5626 .socket_getpeername = selinux_socket_getpeername,
5627 .socket_getsockopt = selinux_socket_getsockopt,
5628 .socket_setsockopt = selinux_socket_setsockopt,
5629 .socket_shutdown = selinux_socket_shutdown,
5630 .socket_sock_rcv_skb = selinux_socket_sock_rcv_skb,
5631 .socket_getpeersec_stream = selinux_socket_getpeersec_stream,
5632 .socket_getpeersec_dgram = selinux_socket_getpeersec_dgram,
5633 .sk_alloc_security = selinux_sk_alloc_security,
5634 .sk_free_security = selinux_sk_free_security,
5635 .sk_clone_security = selinux_sk_clone_security,
5636 .sk_getsecid = selinux_sk_getsecid,
5637 .sock_graft = selinux_sock_graft,
5638 .inet_conn_request = selinux_inet_conn_request,
5639 .inet_csk_clone = selinux_inet_csk_clone,
5640 .inet_conn_established = selinux_inet_conn_established,
5641 .secmark_relabel_packet = selinux_secmark_relabel_packet,
5642 .secmark_refcount_inc = selinux_secmark_refcount_inc,
5643 .secmark_refcount_dec = selinux_secmark_refcount_dec,
5644 .req_classify_flow = selinux_req_classify_flow,
5645 .tun_dev_create = selinux_tun_dev_create,
5646 .tun_dev_post_create = selinux_tun_dev_post_create,
5647 .tun_dev_attach = selinux_tun_dev_attach,
5649 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5663 .key_alloc = selinux_key_alloc,
5664 .key_free = selinux_key_free,
5665 .key_permission = selinux_key_permission,
5666 .key_getsecurity = selinux_key_getsecurity,
5677 static __init int selinux_init(
void)
5680 selinux_enabled = 0;
5684 if (!selinux_enabled) {
5692 cred_init_security();
5702 panic(
"SELinux: Unable to register with kernel.\n");
5714 superblock_doinit(sb,
NULL);
5730 #if defined(CONFIG_NETFILTER)
5732 static struct nf_hook_ops selinux_ipv4_ops[] = {
5734 .hook = selinux_ipv4_postroute,
5741 .hook = selinux_ipv4_forward,
5748 .hook = selinux_ipv4_output,
5756 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5758 static struct nf_hook_ops selinux_ipv6_ops[] = {
5760 .hook = selinux_ipv6_postroute,
5767 .hook = selinux_ipv6_forward,
5777 static int __init selinux_nf_ip_init(
void)
5781 if (!selinux_enabled)
5788 panic(
"SELinux: nf_register_hooks for IPv4: error %d\n", err);
5790 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5793 panic(
"SELinux: nf_register_hooks for IPv6: error %d\n", err);
5802 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5803 static void selinux_nf_ip_exit(
void)
5808 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5816 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5817 #define selinux_nf_ip_exit()
5822 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5823 static int selinux_disabled;
5832 if (selinux_disabled) {
5839 selinux_disabled = 1;
5840 selinux_enabled = 0;
5848 selinux_nf_ip_exit();