security/selinux/hooks.c
Source file repositories/reference/linux-study-clean/security/selinux/hooks.c
File Facts
- System: Linux kernel
- Corpus path: security/selinux/hooks.c
- Extension: .c
- Size: 211368 bytes
- Lines: 7976
- Domain: Core OS
- Bucket: Security And Isolation
- Inferred role: Core OS: implementation source
- Status: source implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Uses kernel synchronization; check lock ordering, sleepability, and interrupt-context assumptions before re-using or porting any of it.
- Allocates kernel memory; tie GFP allocation flags and object lifetime to the context the call runs in.
- Defines or uses C structs; map object ownership, embedded list links, reference counts, and which lock protects each field.
Dependency Surface
linux/init.h, linux/kd.h, linux/kernel.h, linux/kernel_read_file.h, linux/errno.h, linux/sched/signal.h, linux/sched/task.h, linux/lsm_hooks.h, linux/xattr.h, linux/capability.h, linux/unistd.h, linux/mm.h, linux/mman.h, linux/slab.h, linux/pagemap.h, linux/proc_fs.h, linux/swap.h, linux/spinlock.h, linux/syscalls.h, linux/dcache.h, linux/file.h, linux/fdtable.h, linux/namei.h, linux/mount.h, linux/fs_context.h, linux/fs_parser.h, linux/netfilter_ipv4.h, linux/netfilter_ipv6.h, linux/tty.h, net/icmp.h, net/ip.h, net/tcp.h
Detected Declarations
- struct: selinux_mnt_opts
- functions: enforcing_setup, selinux_enabled_setup, checkreqprot_setup, selinux_secmark_enabled, selinux_peerlbl_enabled, selinux_netcache_avc_callback, selinux_lsm_notifier_avc_callback, cred_init_security, cred_sid, __ad_net_init, ad_net_init_from_sk, ad_net_init_from_iif, task_sid_obj, __inode_security_revalidate, inode_free_security, list_del_init, selinux_free_mnt_opts, match_opt_prefix, may_context_mount_sb_relabel, may_context_mount_inode_relabel, selinux_is_genfs_special_handling, selinux_is_sblabel_mnt, sb_check_xattr_support, sb_finish_set_opts, bad_option, selinux_set_mnt_opts, strcmp, selinux_cmp_sb_context, selinux_sb_clone_mnt_opts, selinux_add_opt, show_sid, selinux_sb_show_options, inode_mode_to_security_class, default_protocol_stream, default_protocol_dgram, socket_type_to_security_class, selinux_genfs_get_sid, inode_doinit_use_xattr, inode_doinit_with_dentry, signal_to_av, cred_has_capability, passed, dentry_has_perm, path_has_perm, file_path_has_perm, __file_has_perm, file_has_perm
- Note: the scan is heuristic. `strcmp`, `list_del_init` and `passed` are call sites or comment text it picked up, not definitions in this file.
Annotated Snippet
/* Mount options after string-to-SID resolution; a 0 SID means "not given". */
struct selinux_mnt_opts {
        u32 fscontext_sid;
        u32 context_sid;
        u32 rootcontext_sid;
        u32 defcontext_sid;
};

/* The struct owns no strings or other objects, so freeing it is a plain kfree(). */
static void selinux_free_mnt_opts(void *mnt_opts)
{
        kfree(mnt_opts);
}

enum {
        Opt_error = -1,
        Opt_context = 0,
        Opt_defcontext = 1,
        Opt_fscontext = 2,
        Opt_rootcontext = 3,
        Opt_seclabel = 4,
};

#define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
static const struct {
        const char *name;
        int len;
        int opt;
        bool has_arg;
} tokens[] = {
        A(context, true),
        A(fscontext, true),
        A(defcontext, true),
        A(rootcontext, true),
        A(seclabel, false),
};
#undef A

/*
 * Match the option s[0..l) against the table. A name that takes an argument
 * must be followed directly by '='; "seclabel" must be the whole option.
 * Anything else is Opt_error and is left for the filesystem to interpret.
 */
static int match_opt_prefix(char *s, int l, char **arg)
{
        unsigned int i;

        for (i = 0; i < ARRAY_SIZE(tokens); i++) {
                size_t len = tokens[i].len;

                if (len > l || memcmp(s, tokens[i].name, len))
                        continue;
                if (tokens[i].has_arg) {
                        if (len == l || s[len] != '=')
                                continue;
                        *arg = s + len + 1;
                } else if (len != l)
                        continue;
                return tokens[i].opt;
        }
        return Opt_error;
}

#define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"

/*
 * Relabelling the superblock itself: the mounting credential needs
 * relabelfrom on the superblock's current label and relabelto on the
 * requested label, both in the filesystem class.
 */
static int may_context_mount_sb_relabel(u32 sid,
                                        struct superblock_security_struct *sbsec,
                                        const struct cred *cred)
{
        const struct cred_security_struct *crsec = selinux_cred(cred);
        int rc;

        rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
                          FILESYSTEM__RELABELFROM, NULL);
        if (rc)
                return rc;

        rc = avc_has_perm(crsec->sid, sid, SECCLASS_FILESYSTEM,
                          FILESYSTEM__RELABELTO, NULL);
        return rc;
}

/*
 * Labelling inodes under an existing superblock: relabelfrom on the
 * superblock, and the requested label (as subject) must be allowed to
 * associate with the superblock's label.
 */
static int may_context_mount_inode_relabel(u32 sid,
                                           struct superblock_security_struct *sbsec,
                                           const struct cred *cred)
{
        const struct cred_security_struct *crsec = selinux_cred(cred);
        int rc;

        rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
                          FILESYSTEM__RELABELFROM, NULL);
        if (rc)
                return rc;

        rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
                          FILESYSTEM__ASSOCIATE, NULL);
        return rc;
}
Annotation
- Immediate include surface: `linux/init.h`, `linux/kd.h`, `linux/kernel.h`, `linux/kernel_read_file.h`, `linux/errno.h`, `linux/sched/signal.h`, `linux/sched/task.h`, `linux/lsm_hooks.h`.
- Detected declarations: `struct selinux_mnt_opts`, `function enforcing_setup`, `function selinux_enabled_setup`, `function checkreqprot_setup`, `function selinux_secmark_enabled`, `function selinux_peerlbl_enabled`, `function selinux_netcache_avc_callback`, `function selinux_lsm_notifier_avc_callback`, `function cred_init_security`, `function cred_sid`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: source implementation candidate.
- Locking: the functions shown here take no locks of their own, and `avc_has_perm()` is safe to call from them. The surrounding mount path in `selinux_set_mnt_opts()` serializes on the superblock's `sbsec->lock` mutex, and `inode_doinit_with_dentry()` guards the inode blob with the `isec->lock` spinlock; preserve that ordering, sleepability, and interrupt-context constraints when reading the rest of the file.
- Option parsing: despite its name, `match_opt_prefix()` is a whole-word match. An option that takes an argument must be followed directly by `=`, and `seclabel` must be the complete option, so `contextfoo=...` or `seclabel=1` fall through to `Opt_error` and are passed on to the filesystem untouched rather than being accepted as SELinux options.
- Permission checks: both relabel helpers are evaluated against the mounting task's credential, not the superblock's. `may_context_mount_sb_relabel()` requires `filesystem { relabelfrom }` on the superblock's current label and `filesystem { relabelto }` on the requested one; `may_context_mount_inode_relabel()` requires `relabelfrom` on the superblock plus `filesystem { associate }` with the requested label as subject and the superblock's label as target. Their caller, `selinux_set_mnt_opts()`, uses the first for `fscontext=` (and for `context=` when no `fscontext=` is given) and the second for `rootcontext=`, `defcontext=`, and `context=` combined with `fscontext=`.
- Audit: both helpers pass a NULL `common_audit_data`, so a denial shows up as `avc: denied { relabelfrom }`, `{ relabelto }` or `{ associate }` with `tclass=filesystem` and no path or inode fields; the `scontext=`/`tcontext=` labels are the only hint as to which mount triggered it.
- Lifetime: `struct selinux_mnt_opts` holds only resolved SIDs (the string-to-SID conversion happens earlier, in `selinux_add_opt()`), which is why `selinux_free_mnt_opts()` is a bare `kfree()`.
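The following is an added example, not kernel code and not part of this page's source: a userspace model of how SELinux picks its own options out of a mount option string. It reproduces the token table and the whole-word matching of `match_opt_prefix()` so that it runs stand-alone, and adds what the snippet above does not show: quote-aware splitting of the option string (so an MLS range such as `context="u:r:t:s0:c0,c1"` stays one option), quote stripping, and the duplicate/incompatibility rules that produce `SEL_MOUNT_FAIL_MSG`. Those rules are modelled on the kernel's `selinux_add_opt()` as I understand it (`context=` and `defcontext=` exclude each other, every option may appear once, `seclabel` is accepted but stores nothing); the kernel resolves each string to a SID at that point, which this model replaces with fixed-size buffers. `CTX_MAX`, the return codes (-1 empty or unknown, -2 duplicate or incompatible), the helper names and every input string are constructed for the example.

```c
/* Added example: userspace model of SELinux mount option parsing. Not kernel code.
 * Matching follows match_opt_prefix(); splitting and the duplicate/incompatible
 * rules are modelled on the kernel's selinux_add_opt() and option-eating code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { Opt_error = -1, Opt_context, Opt_defcontext, Opt_fscontext, Opt_rootcontext, Opt_seclabel };

static const struct { const char *name; size_t len; int opt; bool has_arg; } tokens[] = {
	{ "context",     7,  Opt_context,     true  },
	{ "fscontext",   9,  Opt_fscontext,   true  },
	{ "defcontext",  10, Opt_defcontext,  true  },
	{ "rootcontext", 11, Opt_rootcontext, true  },
	{ "seclabel",    8,  Opt_seclabel,    false },
};

/* Whole-word match on s[0..l): names that take an argument need '=' right
 * after them, so "contextual=1" or "seclabel=1" are not SELinux options. */
static int match_opt(const char *s, size_t l, const char **arg)
{
	for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++) {
		size_t len = tokens[i].len;
		if (len > l || memcmp(s, tokens[i].name, len))
			continue;
		if (tokens[i].has_arg) {
			if (len == l || s[len] != '=')
				continue;
			*arg = s + len + 1;
		} else if (len != l) {
			continue;
		}
		return tokens[i].opt;
	}
	return Opt_error;
}

/* Length of the next option. A ',' inside double quotes does not end it, so an
 * MLS range such as context="u:r:t:s0:c0,c1" stays one option. */
static size_t opt_len(const char *s)
{
	bool quoted = false;
	size_t len;
	for (len = 0; s[len]; len++) {
		if (s[len] == '"')
			quoted = !quoted;
		else if (s[len] == ',' && !quoted)
			break;
	}
	return len;
}

#define CTX_MAX 128   /* constructed bound; the kernel resolves strings to SIDs instead */
struct sel_opts { char context[CTX_MAX], defcontext[CTX_MAX], fscontext[CTX_MAX], rootcontext[CTX_MAX]; };

/* Store one argument with its quotes stripped. Returns 0, -1 for an empty or
 * unknown option, -2 for a duplicate or an incompatible pair (context= and
 * defcontext= exclude each other; each option may appear only once). */
static int add_opt(struct sel_opts *o, int opt, const char *arg, size_t alen)
{
	char *dst;
	switch (opt) {
	case Opt_context:
		if (*o->context || *o->defcontext) return -2;
		dst = o->context; break;
	case Opt_defcontext:
		if (*o->context || *o->defcontext) return -2;
		dst = o->defcontext; break;
	case Opt_fscontext:
		if (*o->fscontext) return -2;
		dst = o->fscontext; break;
	case Opt_rootcontext:
		if (*o->rootcontext) return -2;
		dst = o->rootcontext; break;
	case Opt_seclabel:
		return 0;   /* informational flag; nothing is stored for it */
	default:
		return -1;
	}
	size_t n = 0;
	for (size_t i = 0; i < alen && n + 1 < CTX_MAX; i++)
		if (arg[i] != '"')
			dst[n++] = arg[i];
	dst[n] = '\0';
	return n ? 0 : -1;   /* "context=" with nothing after it is not a label */
}

/* Walk the whole option string; options SELinux does not own (nosuid, ...)
 * are skipped and left to the filesystem. Returns 0 or the first error. */
static int parse_sel_opts(const char *options, struct sel_opts *o)
{
	memset(o, 0, sizeof *o);
	while (*options) {
		size_t len = opt_len(options);
		const char *arg = NULL;
		int opt = match_opt(options, len, &arg);
		if (opt != Opt_error) {
			int rc = add_opt(o, opt, arg, arg ? (size_t)(options + len - arg) : 0);
			if (rc)
				return rc;
		}
		options += len;
		if (*options == ',')
			options++;
	}
	return 0;
}

/* Result helpers for checking: return the parse code, or whether context= matched. */
static int parse_rc(const char *options)
{
	struct sel_opts o;
	return parse_sel_opts(options, &o);
}

static int parse_context_is(const char *options, const char *expect)
{
	struct sel_opts o;
	return parse_sel_opts(options, &o) == 0 && strcmp(o.context, expect) == 0;
}

int main(void)
{
	/* Constructed inputs: a quoted MLS range mixed with fs options, then a clash. */
	const char *ok = "nosuid,context=\"system_u:object_r:tmp_t:s0:c0,c1\",seclabel";
	const char *bad = "context=u:r:a_t:s0,defcontext=u:r:b_t:s0";
	struct sel_opts o;
	int rc = parse_sel_opts(ok, &o);

	printf("rc=%d context=%s\n", rc, o.context);
	printf("rc=%d for \"%s\" (duplicate or incompatible)\n", parse_rc(bad), bad);
	return 0;
}
```

The interesting cases are the negative ones: `contextual=1` and `seclabel=1` are not claimed by SELinux and reach the filesystem unchanged, a second `fscontext=` or a `context=`/`defcontext=` pair is rejected before any label is resolved, and an empty `context=` is an error rather than an unlabeled mount. Note that `rootcontext=` together with `context=` is allowed, matching the two-step relabel checks in the snippet.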
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.