]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'work.xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
[mirror_ubuntu-bionic-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105 unsigned long enforcing;
106 if (!kstrtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
108 return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118 unsigned long enabled;
119 if (!kstrtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
121 return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130
131 /**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
140 *
141 */
142 static int selinux_secmark_enabled(void)
143 {
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146
147 /**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157 static int selinux_peerlbl_enabled(void)
158 {
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171 }
172
173 /*
174 * initialise the security for the init task
175 */
176 static void cred_init_security(void)
177 {
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
180
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 if (!tsec)
183 panic("SELinux: Failed to initialize initial task.\n");
184
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
187 }
188
189 /*
190 * get the security ID of a set of credentials
191 */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198 }
199
200 /*
201 * get the objective security ID of a task
202 */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 u32 sid;
206
207 rcu_read_lock();
208 sid = cred_sid(__task_cred(task));
209 rcu_read_unlock();
210 return sid;
211 }
212
213 /*
214 * get the subjective security ID of the current task
215 */
216 static inline u32 current_sid(void)
217 {
218 const struct task_security_struct *tsec = current_security();
219
220 return tsec->sid;
221 }
222
223 /* Allocate and free functions for each kind of security blob. */
224
225 static int inode_alloc_security(struct inode *inode)
226 {
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
229
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 if (!isec)
232 return -ENOMEM;
233
234 mutex_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 inode->i_security = isec;
241
242 return 0;
243 }
244
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247 /*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
253 */
254 static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
256 bool may_sleep)
257 {
258 struct inode_security_struct *isec = inode->i_security;
259
260 might_sleep_if(may_sleep);
261
262 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
271 inode_doinit_with_dentry(inode, opt_dentry);
272 }
273 return 0;
274 }
275
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277 {
278 return inode->i_security;
279 }
280
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282 {
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
288 return inode->i_security;
289 }
290
291 /*
292 * Get the security label of an inode.
293 */
294 static struct inode_security_struct *inode_security(struct inode *inode)
295 {
296 __inode_security_revalidate(inode, NULL, true);
297 return inode->i_security;
298 }
299
300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301 {
302 struct inode *inode = d_backing_inode(dentry);
303
304 return inode->i_security;
305 }
306
307 /*
308 * Get the security label of a dentry's backing inode.
309 */
310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311 {
312 struct inode *inode = d_backing_inode(dentry);
313
314 __inode_security_revalidate(inode, dentry, true);
315 return inode->i_security;
316 }
317
318 static void inode_free_rcu(struct rcu_head *head)
319 {
320 struct inode_security_struct *isec;
321
322 isec = container_of(head, struct inode_security_struct, rcu);
323 kmem_cache_free(sel_inode_cache, isec);
324 }
325
326 static void inode_free_security(struct inode *inode)
327 {
328 struct inode_security_struct *isec = inode->i_security;
329 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
330
331 /*
332 * As not all inode security structures are in a list, we check for
333 * empty list outside of the lock to make sure that we won't waste
334 * time taking a lock doing nothing.
335 *
336 * The list_del_init() function can be safely called more than once.
337 * It should not be possible for this function to be called with
338 * concurrent list_add(), but for better safety against future changes
339 * in the code, we use list_empty_careful() here.
340 */
341 if (!list_empty_careful(&isec->list)) {
342 spin_lock(&sbsec->isec_lock);
343 list_del_init(&isec->list);
344 spin_unlock(&sbsec->isec_lock);
345 }
346
347 /*
348 * The inode may still be referenced in a path walk and
349 * a call to selinux_inode_permission() can be made
350 * after inode_free_security() is called. Ideally, the VFS
351 * wouldn't do this, but fixing that is a much harder
352 * job. For now, simply free the i_security via RCU, and
353 * leave the current inode->i_security pointer intact.
354 * The inode will be freed after the RCU grace period too.
355 */
356 call_rcu(&isec->rcu, inode_free_rcu);
357 }
358
359 static int file_alloc_security(struct file *file)
360 {
361 struct file_security_struct *fsec;
362 u32 sid = current_sid();
363
364 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
365 if (!fsec)
366 return -ENOMEM;
367
368 fsec->sid = sid;
369 fsec->fown_sid = sid;
370 file->f_security = fsec;
371
372 return 0;
373 }
374
375 static void file_free_security(struct file *file)
376 {
377 struct file_security_struct *fsec = file->f_security;
378 file->f_security = NULL;
379 kmem_cache_free(file_security_cache, fsec);
380 }
381
382 static int superblock_alloc_security(struct super_block *sb)
383 {
384 struct superblock_security_struct *sbsec;
385
386 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
387 if (!sbsec)
388 return -ENOMEM;
389
390 mutex_init(&sbsec->lock);
391 INIT_LIST_HEAD(&sbsec->isec_head);
392 spin_lock_init(&sbsec->isec_lock);
393 sbsec->sb = sb;
394 sbsec->sid = SECINITSID_UNLABELED;
395 sbsec->def_sid = SECINITSID_FILE;
396 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
397 sb->s_security = sbsec;
398
399 return 0;
400 }
401
402 static void superblock_free_security(struct super_block *sb)
403 {
404 struct superblock_security_struct *sbsec = sb->s_security;
405 sb->s_security = NULL;
406 kfree(sbsec);
407 }
408
409 /* The file system's label must be initialized prior to use. */
410
411 static const char *labeling_behaviors[7] = {
412 "uses xattr",
413 "uses transition SIDs",
414 "uses task SIDs",
415 "uses genfs_contexts",
416 "not configured for labeling",
417 "uses mountpoint labeling",
418 "uses native labeling",
419 };
420
421 static inline int inode_doinit(struct inode *inode)
422 {
423 return inode_doinit_with_dentry(inode, NULL);
424 }
425
426 enum {
427 Opt_error = -1,
428 Opt_context = 1,
429 Opt_fscontext = 2,
430 Opt_defcontext = 3,
431 Opt_rootcontext = 4,
432 Opt_labelsupport = 5,
433 Opt_nextmntopt = 6,
434 };
435
436 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
437
438 static const match_table_t tokens = {
439 {Opt_context, CONTEXT_STR "%s"},
440 {Opt_fscontext, FSCONTEXT_STR "%s"},
441 {Opt_defcontext, DEFCONTEXT_STR "%s"},
442 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
443 {Opt_labelsupport, LABELSUPP_STR},
444 {Opt_error, NULL},
445 };
446
447 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
448
449 static int may_context_mount_sb_relabel(u32 sid,
450 struct superblock_security_struct *sbsec,
451 const struct cred *cred)
452 {
453 const struct task_security_struct *tsec = cred->security;
454 int rc;
455
456 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457 FILESYSTEM__RELABELFROM, NULL);
458 if (rc)
459 return rc;
460
461 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462 FILESYSTEM__RELABELTO, NULL);
463 return rc;
464 }
465
466 static int may_context_mount_inode_relabel(u32 sid,
467 struct superblock_security_struct *sbsec,
468 const struct cred *cred)
469 {
470 const struct task_security_struct *tsec = cred->security;
471 int rc;
472 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 FILESYSTEM__RELABELFROM, NULL);
474 if (rc)
475 return rc;
476
477 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__ASSOCIATE, NULL);
479 return rc;
480 }
481
482 static int selinux_is_sblabel_mnt(struct super_block *sb)
483 {
484 struct superblock_security_struct *sbsec = sb->s_security;
485
486 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
487 sbsec->behavior == SECURITY_FS_USE_TRANS ||
488 sbsec->behavior == SECURITY_FS_USE_TASK ||
489 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
490 /* Special handling. Genfs but also in-core setxattr handler */
491 !strcmp(sb->s_type->name, "sysfs") ||
492 !strcmp(sb->s_type->name, "pstore") ||
493 !strcmp(sb->s_type->name, "debugfs") ||
494 !strcmp(sb->s_type->name, "rootfs");
495 }
496
497 static int sb_finish_set_opts(struct super_block *sb)
498 {
499 struct superblock_security_struct *sbsec = sb->s_security;
500 struct dentry *root = sb->s_root;
501 struct inode *root_inode = d_backing_inode(root);
502 int rc = 0;
503
504 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
505 /* Make sure that the xattr handler exists and that no
506 error other than -ENODATA is returned by getxattr on
507 the root directory. -ENODATA is ok, as this may be
508 the first boot of the SELinux kernel before we have
509 assigned xattr values to the filesystem. */
510 if (!(root_inode->i_opflags & IOP_XATTR)) {
511 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
512 "xattr support\n", sb->s_id, sb->s_type->name);
513 rc = -EOPNOTSUPP;
514 goto out;
515 }
516
517 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
518 if (rc < 0 && rc != -ENODATA) {
519 if (rc == -EOPNOTSUPP)
520 printk(KERN_WARNING "SELinux: (dev %s, type "
521 "%s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
523 else
524 printk(KERN_WARNING "SELinux: (dev %s, type "
525 "%s) getxattr errno %d\n", sb->s_id,
526 sb->s_type->name, -rc);
527 goto out;
528 }
529 }
530
531 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
532 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
533 sb->s_id, sb->s_type->name);
534
535 sbsec->flags |= SE_SBINITIALIZED;
536 if (selinux_is_sblabel_mnt(sb))
537 sbsec->flags |= SBLABEL_MNT;
538
539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
541
542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
545 populates itself. */
546 spin_lock(&sbsec->isec_lock);
547 next_inode:
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
553 list_del_init(&isec->list);
554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
556 if (inode) {
557 if (!IS_PRIVATE(inode))
558 inode_doinit(inode);
559 iput(inode);
560 }
561 spin_lock(&sbsec->isec_lock);
562 goto next_inode;
563 }
564 spin_unlock(&sbsec->isec_lock);
565 out:
566 return rc;
567 }
568
569 /*
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
573 */
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575 struct security_mnt_opts *opts)
576 {
577 int rc = 0, i;
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
580 u32 len;
581 char tmp;
582
583 security_init_mnt_opts(opts);
584
585 if (!(sbsec->flags & SE_SBINITIALIZED))
586 return -EINVAL;
587
588 if (!ss_initialized)
589 return -EINVAL;
590
591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593
594 tmp = sbsec->flags & SE_MNTMASK;
595 /* count the number of mount options for this sb */
596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
597 if (tmp & 0x01)
598 opts->num_mnt_opts++;
599 tmp >>= 1;
600 }
601 /* Check if the Label support flag is set */
602 if (sbsec->flags & SBLABEL_MNT)
603 opts->num_mnt_opts++;
604
605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
607 rc = -ENOMEM;
608 goto out_free;
609 }
610
611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
613 rc = -ENOMEM;
614 goto out_free;
615 }
616
617 i = 0;
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
620 if (rc)
621 goto out_free;
622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
624 }
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 if (rc)
628 goto out_free;
629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
631 }
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 if (rc)
635 goto out_free;
636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
638 }
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
642
643 rc = security_sid_to_context(isec->sid, &context, &len);
644 if (rc)
645 goto out_free;
646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
648 }
649 if (sbsec->flags & SBLABEL_MNT) {
650 opts->mnt_opts[i] = NULL;
651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
652 }
653
654 BUG_ON(i != opts->num_mnt_opts);
655
656 return 0;
657
658 out_free:
659 security_free_mnt_opts(opts);
660 return rc;
661 }
662
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
665 {
666 char mnt_flags = sbsec->flags & SE_MNTMASK;
667
668 /* check if the old mount command had the same options */
669 if (sbsec->flags & SE_SBINITIALIZED)
670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
672 return 1;
673
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
676 */
677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
679 return 1;
680 return 0;
681 }
682
683 /*
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
686 */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
691 {
692 const struct cred *cred = current_cred();
693 int rc = 0, i;
694 struct superblock_security_struct *sbsec = sb->s_security;
695 const char *name = sb->s_type->name;
696 struct dentry *root = sbsec->sb->s_root;
697 struct inode_security_struct *root_isec;
698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
703
704 mutex_lock(&sbsec->lock);
705
706 if (!ss_initialized) {
707 if (!num_opts) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
711 goto out;
712 }
713 rc = -EINVAL;
714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
716 goto out;
717 }
718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
721 rc = -EINVAL;
722 goto out;
723 }
724
725 /*
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
730 *
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
735 */
736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737 && (num_opts == 0))
738 goto out;
739
740 root_isec = backing_inode_security_novalidate(root);
741
742 /*
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
746 */
747 for (i = 0; i < num_opts; i++) {
748 u32 sid;
749
750 if (flags[i] == SBLABEL_MNT)
751 continue;
752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753 if (rc) {
754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
757 goto out;
758 }
759 switch (flags[i]) {
760 case FSCONTEXT_MNT:
761 fscontext_sid = sid;
762
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 fscontext_sid))
765 goto out_double_mount;
766
767 sbsec->flags |= FSCONTEXT_MNT;
768 break;
769 case CONTEXT_MNT:
770 context_sid = sid;
771
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 context_sid))
774 goto out_double_mount;
775
776 sbsec->flags |= CONTEXT_MNT;
777 break;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
780
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 rootcontext_sid))
783 goto out_double_mount;
784
785 sbsec->flags |= ROOTCONTEXT_MNT;
786
787 break;
788 case DEFCONTEXT_MNT:
789 defcontext_sid = sid;
790
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 defcontext_sid))
793 goto out_double_mount;
794
795 sbsec->flags |= DEFCONTEXT_MNT;
796
797 break;
798 default:
799 rc = -EINVAL;
800 goto out;
801 }
802 }
803
804 if (sbsec->flags & SE_SBINITIALIZED) {
805 /* previously mounted with options, but not on this attempt? */
806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807 goto out_double_mount;
808 rc = 0;
809 goto out;
810 }
811
812 if (strcmp(sb->s_type->name, "proc") == 0)
813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814
815 if (!strcmp(sb->s_type->name, "debugfs") ||
816 !strcmp(sb->s_type->name, "sysfs") ||
817 !strcmp(sb->s_type->name, "pstore"))
818 sbsec->flags |= SE_SBGENFS;
819
820 if (!sbsec->behavior) {
821 /*
822 * Determine the labeling behavior to use for this
823 * filesystem type.
824 */
825 rc = security_fs_use(sb);
826 if (rc) {
827 printk(KERN_WARNING
828 "%s: security_fs_use(%s) returned %d\n",
829 __func__, sb->s_type->name, rc);
830 goto out;
831 }
832 }
833
834 /*
835 * If this is a user namespace mount, no contexts are allowed
836 * on the command line and security labels must be ignored.
837 */
838 if (sb->s_user_ns != &init_user_ns) {
839 if (context_sid || fscontext_sid || rootcontext_sid ||
840 defcontext_sid) {
841 rc = -EACCES;
842 goto out;
843 }
844 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
845 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
846 rc = security_transition_sid(current_sid(), current_sid(),
847 SECCLASS_FILE, NULL,
848 &sbsec->mntpoint_sid);
849 if (rc)
850 goto out;
851 }
852 goto out_set_opts;
853 }
854
855 /* sets the context of the superblock for the fs being mounted. */
856 if (fscontext_sid) {
857 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
858 if (rc)
859 goto out;
860
861 sbsec->sid = fscontext_sid;
862 }
863
864 /*
865 * Switch to using mount point labeling behavior.
866 * sets the label used on all file below the mountpoint, and will set
867 * the superblock context if not already set.
868 */
869 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
870 sbsec->behavior = SECURITY_FS_USE_NATIVE;
871 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
872 }
873
874 if (context_sid) {
875 if (!fscontext_sid) {
876 rc = may_context_mount_sb_relabel(context_sid, sbsec,
877 cred);
878 if (rc)
879 goto out;
880 sbsec->sid = context_sid;
881 } else {
882 rc = may_context_mount_inode_relabel(context_sid, sbsec,
883 cred);
884 if (rc)
885 goto out;
886 }
887 if (!rootcontext_sid)
888 rootcontext_sid = context_sid;
889
890 sbsec->mntpoint_sid = context_sid;
891 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
892 }
893
894 if (rootcontext_sid) {
895 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
896 cred);
897 if (rc)
898 goto out;
899
900 root_isec->sid = rootcontext_sid;
901 root_isec->initialized = LABEL_INITIALIZED;
902 }
903
904 if (defcontext_sid) {
905 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
906 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
907 rc = -EINVAL;
908 printk(KERN_WARNING "SELinux: defcontext option is "
909 "invalid for this filesystem type\n");
910 goto out;
911 }
912
913 if (defcontext_sid != sbsec->def_sid) {
914 rc = may_context_mount_inode_relabel(defcontext_sid,
915 sbsec, cred);
916 if (rc)
917 goto out;
918 }
919
920 sbsec->def_sid = defcontext_sid;
921 }
922
923 out_set_opts:
924 rc = sb_finish_set_opts(sb);
925 out:
926 mutex_unlock(&sbsec->lock);
927 return rc;
928 out_double_mount:
929 rc = -EINVAL;
930 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
931 "security settings for (dev %s, type %s)\n", sb->s_id, name);
932 goto out;
933 }
934
935 static int selinux_cmp_sb_context(const struct super_block *oldsb,
936 const struct super_block *newsb)
937 {
938 struct superblock_security_struct *old = oldsb->s_security;
939 struct superblock_security_struct *new = newsb->s_security;
940 char oldflags = old->flags & SE_MNTMASK;
941 char newflags = new->flags & SE_MNTMASK;
942
943 if (oldflags != newflags)
944 goto mismatch;
945 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
946 goto mismatch;
947 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
948 goto mismatch;
949 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
950 goto mismatch;
951 if (oldflags & ROOTCONTEXT_MNT) {
952 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
953 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
954 if (oldroot->sid != newroot->sid)
955 goto mismatch;
956 }
957 return 0;
958 mismatch:
959 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
960 "different security settings for (dev %s, "
961 "type %s)\n", newsb->s_id, newsb->s_type->name);
962 return -EBUSY;
963 }
964
965 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
966 struct super_block *newsb)
967 {
968 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
969 struct superblock_security_struct *newsbsec = newsb->s_security;
970
971 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
972 int set_context = (oldsbsec->flags & CONTEXT_MNT);
973 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
974
975 /*
976 * if the parent was able to be mounted it clearly had no special lsm
977 * mount options. thus we can safely deal with this superblock later
978 */
979 if (!ss_initialized)
980 return 0;
981
982 /* how can we clone if the old one wasn't set up?? */
983 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
984
985 /* if fs is reusing a sb, make sure that the contexts match */
986 if (newsbsec->flags & SE_SBINITIALIZED)
987 return selinux_cmp_sb_context(oldsb, newsb);
988
989 mutex_lock(&newsbsec->lock);
990
991 newsbsec->flags = oldsbsec->flags;
992
993 newsbsec->sid = oldsbsec->sid;
994 newsbsec->def_sid = oldsbsec->def_sid;
995 newsbsec->behavior = oldsbsec->behavior;
996
997 if (set_context) {
998 u32 sid = oldsbsec->mntpoint_sid;
999
1000 if (!set_fscontext)
1001 newsbsec->sid = sid;
1002 if (!set_rootcontext) {
1003 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1004 newisec->sid = sid;
1005 }
1006 newsbsec->mntpoint_sid = sid;
1007 }
1008 if (set_rootcontext) {
1009 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1010 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1011
1012 newisec->sid = oldisec->sid;
1013 }
1014
1015 sb_finish_set_opts(newsb);
1016 mutex_unlock(&newsbsec->lock);
1017 return 0;
1018 }
1019
1020 static int selinux_parse_opts_str(char *options,
1021 struct security_mnt_opts *opts)
1022 {
1023 char *p;
1024 char *context = NULL, *defcontext = NULL;
1025 char *fscontext = NULL, *rootcontext = NULL;
1026 int rc, num_mnt_opts = 0;
1027
1028 opts->num_mnt_opts = 0;
1029
1030 /* Standard string-based options. */
1031 while ((p = strsep(&options, "|")) != NULL) {
1032 int token;
1033 substring_t args[MAX_OPT_ARGS];
1034
1035 if (!*p)
1036 continue;
1037
1038 token = match_token(p, tokens, args);
1039
1040 switch (token) {
1041 case Opt_context:
1042 if (context || defcontext) {
1043 rc = -EINVAL;
1044 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1045 goto out_err;
1046 }
1047 context = match_strdup(&args[0]);
1048 if (!context) {
1049 rc = -ENOMEM;
1050 goto out_err;
1051 }
1052 break;
1053
1054 case Opt_fscontext:
1055 if (fscontext) {
1056 rc = -EINVAL;
1057 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1058 goto out_err;
1059 }
1060 fscontext = match_strdup(&args[0]);
1061 if (!fscontext) {
1062 rc = -ENOMEM;
1063 goto out_err;
1064 }
1065 break;
1066
1067 case Opt_rootcontext:
1068 if (rootcontext) {
1069 rc = -EINVAL;
1070 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1071 goto out_err;
1072 }
1073 rootcontext = match_strdup(&args[0]);
1074 if (!rootcontext) {
1075 rc = -ENOMEM;
1076 goto out_err;
1077 }
1078 break;
1079
1080 case Opt_defcontext:
1081 if (context || defcontext) {
1082 rc = -EINVAL;
1083 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1084 goto out_err;
1085 }
1086 defcontext = match_strdup(&args[0]);
1087 if (!defcontext) {
1088 rc = -ENOMEM;
1089 goto out_err;
1090 }
1091 break;
1092 case Opt_labelsupport:
1093 break;
1094 default:
1095 rc = -EINVAL;
1096 printk(KERN_WARNING "SELinux: unknown mount option\n");
1097 goto out_err;
1098
1099 }
1100 }
1101
1102 rc = -ENOMEM;
1103 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1104 if (!opts->mnt_opts)
1105 goto out_err;
1106
1107 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1108 if (!opts->mnt_opts_flags) {
1109 kfree(opts->mnt_opts);
1110 goto out_err;
1111 }
1112
1113 if (fscontext) {
1114 opts->mnt_opts[num_mnt_opts] = fscontext;
1115 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1116 }
1117 if (context) {
1118 opts->mnt_opts[num_mnt_opts] = context;
1119 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1120 }
1121 if (rootcontext) {
1122 opts->mnt_opts[num_mnt_opts] = rootcontext;
1123 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1124 }
1125 if (defcontext) {
1126 opts->mnt_opts[num_mnt_opts] = defcontext;
1127 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1128 }
1129
1130 opts->num_mnt_opts = num_mnt_opts;
1131 return 0;
1132
1133 out_err:
1134 kfree(context);
1135 kfree(defcontext);
1136 kfree(fscontext);
1137 kfree(rootcontext);
1138 return rc;
1139 }
1140 /*
1141 * string mount options parsing and call set the sbsec
1142 */
1143 static int superblock_doinit(struct super_block *sb, void *data)
1144 {
1145 int rc = 0;
1146 char *options = data;
1147 struct security_mnt_opts opts;
1148
1149 security_init_mnt_opts(&opts);
1150
1151 if (!data)
1152 goto out;
1153
1154 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1155
1156 rc = selinux_parse_opts_str(options, &opts);
1157 if (rc)
1158 goto out_err;
1159
1160 out:
1161 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1162
1163 out_err:
1164 security_free_mnt_opts(&opts);
1165 return rc;
1166 }
1167
1168 static void selinux_write_opts(struct seq_file *m,
1169 struct security_mnt_opts *opts)
1170 {
1171 int i;
1172 char *prefix;
1173
1174 for (i = 0; i < opts->num_mnt_opts; i++) {
1175 char *has_comma;
1176
1177 if (opts->mnt_opts[i])
1178 has_comma = strchr(opts->mnt_opts[i], ',');
1179 else
1180 has_comma = NULL;
1181
1182 switch (opts->mnt_opts_flags[i]) {
1183 case CONTEXT_MNT:
1184 prefix = CONTEXT_STR;
1185 break;
1186 case FSCONTEXT_MNT:
1187 prefix = FSCONTEXT_STR;
1188 break;
1189 case ROOTCONTEXT_MNT:
1190 prefix = ROOTCONTEXT_STR;
1191 break;
1192 case DEFCONTEXT_MNT:
1193 prefix = DEFCONTEXT_STR;
1194 break;
1195 case SBLABEL_MNT:
1196 seq_putc(m, ',');
1197 seq_puts(m, LABELSUPP_STR);
1198 continue;
1199 default:
1200 BUG();
1201 return;
1202 };
1203 /* we need a comma before each option */
1204 seq_putc(m, ',');
1205 seq_puts(m, prefix);
1206 if (has_comma)
1207 seq_putc(m, '\"');
1208 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1209 if (has_comma)
1210 seq_putc(m, '\"');
1211 }
1212 }
1213
1214 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1215 {
1216 struct security_mnt_opts opts;
1217 int rc;
1218
1219 rc = selinux_get_mnt_opts(sb, &opts);
1220 if (rc) {
1221 /* before policy load we may get EINVAL, don't show anything */
1222 if (rc == -EINVAL)
1223 rc = 0;
1224 return rc;
1225 }
1226
1227 selinux_write_opts(m, &opts);
1228
1229 security_free_mnt_opts(&opts);
1230
1231 return rc;
1232 }
1233
1234 static inline u16 inode_mode_to_security_class(umode_t mode)
1235 {
1236 switch (mode & S_IFMT) {
1237 case S_IFSOCK:
1238 return SECCLASS_SOCK_FILE;
1239 case S_IFLNK:
1240 return SECCLASS_LNK_FILE;
1241 case S_IFREG:
1242 return SECCLASS_FILE;
1243 case S_IFBLK:
1244 return SECCLASS_BLK_FILE;
1245 case S_IFDIR:
1246 return SECCLASS_DIR;
1247 case S_IFCHR:
1248 return SECCLASS_CHR_FILE;
1249 case S_IFIFO:
1250 return SECCLASS_FIFO_FILE;
1251
1252 }
1253
1254 return SECCLASS_FILE;
1255 }
1256
1257 static inline int default_protocol_stream(int protocol)
1258 {
1259 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1260 }
1261
1262 static inline int default_protocol_dgram(int protocol)
1263 {
1264 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1265 }
1266
1267 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1268 {
1269 switch (family) {
1270 case PF_UNIX:
1271 switch (type) {
1272 case SOCK_STREAM:
1273 case SOCK_SEQPACKET:
1274 return SECCLASS_UNIX_STREAM_SOCKET;
1275 case SOCK_DGRAM:
1276 return SECCLASS_UNIX_DGRAM_SOCKET;
1277 }
1278 break;
1279 case PF_INET:
1280 case PF_INET6:
1281 switch (type) {
1282 case SOCK_STREAM:
1283 if (default_protocol_stream(protocol))
1284 return SECCLASS_TCP_SOCKET;
1285 else
1286 return SECCLASS_RAWIP_SOCKET;
1287 case SOCK_DGRAM:
1288 if (default_protocol_dgram(protocol))
1289 return SECCLASS_UDP_SOCKET;
1290 else
1291 return SECCLASS_RAWIP_SOCKET;
1292 case SOCK_DCCP:
1293 return SECCLASS_DCCP_SOCKET;
1294 default:
1295 return SECCLASS_RAWIP_SOCKET;
1296 }
1297 break;
1298 case PF_NETLINK:
1299 switch (protocol) {
1300 case NETLINK_ROUTE:
1301 return SECCLASS_NETLINK_ROUTE_SOCKET;
1302 case NETLINK_SOCK_DIAG:
1303 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1304 case NETLINK_NFLOG:
1305 return SECCLASS_NETLINK_NFLOG_SOCKET;
1306 case NETLINK_XFRM:
1307 return SECCLASS_NETLINK_XFRM_SOCKET;
1308 case NETLINK_SELINUX:
1309 return SECCLASS_NETLINK_SELINUX_SOCKET;
1310 case NETLINK_ISCSI:
1311 return SECCLASS_NETLINK_ISCSI_SOCKET;
1312 case NETLINK_AUDIT:
1313 return SECCLASS_NETLINK_AUDIT_SOCKET;
1314 case NETLINK_FIB_LOOKUP:
1315 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1316 case NETLINK_CONNECTOR:
1317 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1318 case NETLINK_NETFILTER:
1319 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1320 case NETLINK_DNRTMSG:
1321 return SECCLASS_NETLINK_DNRT_SOCKET;
1322 case NETLINK_KOBJECT_UEVENT:
1323 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1324 case NETLINK_GENERIC:
1325 return SECCLASS_NETLINK_GENERIC_SOCKET;
1326 case NETLINK_SCSITRANSPORT:
1327 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1328 case NETLINK_RDMA:
1329 return SECCLASS_NETLINK_RDMA_SOCKET;
1330 case NETLINK_CRYPTO:
1331 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1332 default:
1333 return SECCLASS_NETLINK_SOCKET;
1334 }
1335 case PF_PACKET:
1336 return SECCLASS_PACKET_SOCKET;
1337 case PF_KEY:
1338 return SECCLASS_KEY_SOCKET;
1339 case PF_APPLETALK:
1340 return SECCLASS_APPLETALK_SOCKET;
1341 }
1342
1343 return SECCLASS_SOCKET;
1344 }
1345
1346 static int selinux_genfs_get_sid(struct dentry *dentry,
1347 u16 tclass,
1348 u16 flags,
1349 u32 *sid)
1350 {
1351 int rc;
1352 struct super_block *sb = dentry->d_sb;
1353 char *buffer, *path;
1354
1355 buffer = (char *)__get_free_page(GFP_KERNEL);
1356 if (!buffer)
1357 return -ENOMEM;
1358
1359 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1360 if (IS_ERR(path))
1361 rc = PTR_ERR(path);
1362 else {
1363 if (flags & SE_SBPROC) {
1364 /* each process gets a /proc/PID/ entry. Strip off the
1365 * PID part to get a valid selinux labeling.
1366 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1367 while (path[1] >= '0' && path[1] <= '9') {
1368 path[1] = '/';
1369 path++;
1370 }
1371 }
1372 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1373 }
1374 free_page((unsigned long)buffer);
1375 return rc;
1376 }
1377
1378 /* The inode's security attributes must be initialized before first use. */
1379 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1380 {
1381 struct superblock_security_struct *sbsec = NULL;
1382 struct inode_security_struct *isec = inode->i_security;
1383 u32 sid;
1384 struct dentry *dentry;
1385 #define INITCONTEXTLEN 255
1386 char *context = NULL;
1387 unsigned len = 0;
1388 int rc = 0;
1389
1390 if (isec->initialized == LABEL_INITIALIZED)
1391 goto out;
1392
1393 mutex_lock(&isec->lock);
1394 if (isec->initialized == LABEL_INITIALIZED)
1395 goto out_unlock;
1396
1397 sbsec = inode->i_sb->s_security;
1398 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1399 /* Defer initialization until selinux_complete_init,
1400 after the initial policy is loaded and the security
1401 server is ready to handle calls. */
1402 spin_lock(&sbsec->isec_lock);
1403 if (list_empty(&isec->list))
1404 list_add(&isec->list, &sbsec->isec_head);
1405 spin_unlock(&sbsec->isec_lock);
1406 goto out_unlock;
1407 }
1408
1409 switch (sbsec->behavior) {
1410 case SECURITY_FS_USE_NATIVE:
1411 break;
1412 case SECURITY_FS_USE_XATTR:
1413 if (!(inode->i_opflags & IOP_XATTR)) {
1414 isec->sid = sbsec->def_sid;
1415 break;
1416 }
1417 /* Need a dentry, since the xattr API requires one.
1418 Life would be simpler if we could just pass the inode. */
1419 if (opt_dentry) {
1420 /* Called from d_instantiate or d_splice_alias. */
1421 dentry = dget(opt_dentry);
1422 } else {
1423 /* Called from selinux_complete_init, try to find a dentry. */
1424 dentry = d_find_alias(inode);
1425 }
1426 if (!dentry) {
1427 /*
1428 * this is can be hit on boot when a file is accessed
1429 * before the policy is loaded. When we load policy we
1430 * may find inodes that have no dentry on the
1431 * sbsec->isec_head list. No reason to complain as these
1432 * will get fixed up the next time we go through
1433 * inode_doinit with a dentry, before these inodes could
1434 * be used again by userspace.
1435 */
1436 goto out_unlock;
1437 }
1438
1439 len = INITCONTEXTLEN;
1440 context = kmalloc(len+1, GFP_NOFS);
1441 if (!context) {
1442 rc = -ENOMEM;
1443 dput(dentry);
1444 goto out_unlock;
1445 }
1446 context[len] = '\0';
1447 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1448 if (rc == -ERANGE) {
1449 kfree(context);
1450
1451 /* Need a larger buffer. Query for the right size. */
1452 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1453 if (rc < 0) {
1454 dput(dentry);
1455 goto out_unlock;
1456 }
1457 len = rc;
1458 context = kmalloc(len+1, GFP_NOFS);
1459 if (!context) {
1460 rc = -ENOMEM;
1461 dput(dentry);
1462 goto out_unlock;
1463 }
1464 context[len] = '\0';
1465 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1466 }
1467 dput(dentry);
1468 if (rc < 0) {
1469 if (rc != -ENODATA) {
1470 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1471 "%d for dev=%s ino=%ld\n", __func__,
1472 -rc, inode->i_sb->s_id, inode->i_ino);
1473 kfree(context);
1474 goto out_unlock;
1475 }
1476 /* Map ENODATA to the default file SID */
1477 sid = sbsec->def_sid;
1478 rc = 0;
1479 } else {
1480 rc = security_context_to_sid_default(context, rc, &sid,
1481 sbsec->def_sid,
1482 GFP_NOFS);
1483 if (rc) {
1484 char *dev = inode->i_sb->s_id;
1485 unsigned long ino = inode->i_ino;
1486
1487 if (rc == -EINVAL) {
1488 if (printk_ratelimit())
1489 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1490 "context=%s. This indicates you may need to relabel the inode or the "
1491 "filesystem in question.\n", ino, dev, context);
1492 } else {
1493 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1494 "returned %d for dev=%s ino=%ld\n",
1495 __func__, context, -rc, dev, ino);
1496 }
1497 kfree(context);
1498 /* Leave with the unlabeled SID */
1499 rc = 0;
1500 break;
1501 }
1502 }
1503 kfree(context);
1504 isec->sid = sid;
1505 break;
1506 case SECURITY_FS_USE_TASK:
1507 isec->sid = isec->task_sid;
1508 break;
1509 case SECURITY_FS_USE_TRANS:
1510 /* Default to the fs SID. */
1511 isec->sid = sbsec->sid;
1512
1513 /* Try to obtain a transition SID. */
1514 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1515 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1516 isec->sclass, NULL, &sid);
1517 if (rc)
1518 goto out_unlock;
1519 isec->sid = sid;
1520 break;
1521 case SECURITY_FS_USE_MNTPOINT:
1522 isec->sid = sbsec->mntpoint_sid;
1523 break;
1524 default:
1525 /* Default to the fs superblock SID. */
1526 isec->sid = sbsec->sid;
1527
1528 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1529 /* We must have a dentry to determine the label on
1530 * procfs inodes */
1531 if (opt_dentry)
1532 /* Called from d_instantiate or
1533 * d_splice_alias. */
1534 dentry = dget(opt_dentry);
1535 else
1536 /* Called from selinux_complete_init, try to
1537 * find a dentry. */
1538 dentry = d_find_alias(inode);
1539 /*
1540 * This can be hit on boot when a file is accessed
1541 * before the policy is loaded. When we load policy we
1542 * may find inodes that have no dentry on the
1543 * sbsec->isec_head list. No reason to complain as
1544 * these will get fixed up the next time we go through
1545 * inode_doinit() with a dentry, before these inodes
1546 * could be used again by userspace.
1547 */
1548 if (!dentry)
1549 goto out_unlock;
1550 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1551 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1552 sbsec->flags, &sid);
1553 dput(dentry);
1554 if (rc)
1555 goto out_unlock;
1556 isec->sid = sid;
1557 }
1558 break;
1559 }
1560
1561 isec->initialized = LABEL_INITIALIZED;
1562
1563 out_unlock:
1564 mutex_unlock(&isec->lock);
1565 out:
1566 if (isec->sclass == SECCLASS_FILE)
1567 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1568 return rc;
1569 }
1570
1571 /* Convert a Linux signal to an access vector. */
1572 static inline u32 signal_to_av(int sig)
1573 {
1574 u32 perm = 0;
1575
1576 switch (sig) {
1577 case SIGCHLD:
1578 /* Commonly granted from child to parent. */
1579 perm = PROCESS__SIGCHLD;
1580 break;
1581 case SIGKILL:
1582 /* Cannot be caught or ignored */
1583 perm = PROCESS__SIGKILL;
1584 break;
1585 case SIGSTOP:
1586 /* Cannot be caught or ignored */
1587 perm = PROCESS__SIGSTOP;
1588 break;
1589 default:
1590 /* All other signals. */
1591 perm = PROCESS__SIGNAL;
1592 break;
1593 }
1594
1595 return perm;
1596 }
1597
1598 /*
1599 * Check permission between a pair of credentials
1600 * fork check, ptrace check, etc.
1601 */
1602 static int cred_has_perm(const struct cred *actor,
1603 const struct cred *target,
1604 u32 perms)
1605 {
1606 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1607
1608 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1609 }
1610
1611 /*
1612 * Check permission between a pair of tasks, e.g. signal checks,
1613 * fork check, ptrace check, etc.
1614 * tsk1 is the actor and tsk2 is the target
1615 * - this uses the default subjective creds of tsk1
1616 */
1617 static int task_has_perm(const struct task_struct *tsk1,
1618 const struct task_struct *tsk2,
1619 u32 perms)
1620 {
1621 const struct task_security_struct *__tsec1, *__tsec2;
1622 u32 sid1, sid2;
1623
1624 rcu_read_lock();
1625 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1626 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1627 rcu_read_unlock();
1628 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1629 }
1630
1631 /*
1632 * Check permission between current and another task, e.g. signal checks,
1633 * fork check, ptrace check, etc.
1634 * current is the actor and tsk2 is the target
1635 * - this uses current's subjective creds
1636 */
1637 static int current_has_perm(const struct task_struct *tsk,
1638 u32 perms)
1639 {
1640 u32 sid, tsid;
1641
1642 sid = current_sid();
1643 tsid = task_sid(tsk);
1644 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1645 }
1646
1647 #if CAP_LAST_CAP > 63
1648 #error Fix SELinux to handle capabilities > 63.
1649 #endif
1650
1651 /* Check whether a task is allowed to use a capability. */
1652 static int cred_has_capability(const struct cred *cred,
1653 int cap, int audit, bool initns)
1654 {
1655 struct common_audit_data ad;
1656 struct av_decision avd;
1657 u16 sclass;
1658 u32 sid = cred_sid(cred);
1659 u32 av = CAP_TO_MASK(cap);
1660 int rc;
1661
1662 ad.type = LSM_AUDIT_DATA_CAP;
1663 ad.u.cap = cap;
1664
1665 switch (CAP_TO_INDEX(cap)) {
1666 case 0:
1667 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1668 break;
1669 case 1:
1670 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1671 break;
1672 default:
1673 printk(KERN_ERR
1674 "SELinux: out of range capability %d\n", cap);
1675 BUG();
1676 return -EINVAL;
1677 }
1678
1679 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1680 if (audit == SECURITY_CAP_AUDIT) {
1681 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1682 if (rc2)
1683 return rc2;
1684 }
1685 return rc;
1686 }
1687
1688 /* Check whether a task is allowed to use a system operation. */
1689 static int task_has_system(struct task_struct *tsk,
1690 u32 perms)
1691 {
1692 u32 sid = task_sid(tsk);
1693
1694 return avc_has_perm(sid, SECINITSID_KERNEL,
1695 SECCLASS_SYSTEM, perms, NULL);
1696 }
1697
1698 /* Check whether a task has a particular permission to an inode.
1699 The 'adp' parameter is optional and allows other audit
1700 data to be passed (e.g. the dentry). */
1701 static int inode_has_perm(const struct cred *cred,
1702 struct inode *inode,
1703 u32 perms,
1704 struct common_audit_data *adp)
1705 {
1706 struct inode_security_struct *isec;
1707 u32 sid;
1708
1709 validate_creds(cred);
1710
1711 if (unlikely(IS_PRIVATE(inode)))
1712 return 0;
1713
1714 sid = cred_sid(cred);
1715 isec = inode->i_security;
1716
1717 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1718 }
1719
1720 /* Same as inode_has_perm, but pass explicit audit data containing
1721 the dentry to help the auditing code to more easily generate the
1722 pathname if needed. */
1723 static inline int dentry_has_perm(const struct cred *cred,
1724 struct dentry *dentry,
1725 u32 av)
1726 {
1727 struct inode *inode = d_backing_inode(dentry);
1728 struct common_audit_data ad;
1729
1730 ad.type = LSM_AUDIT_DATA_DENTRY;
1731 ad.u.dentry = dentry;
1732 __inode_security_revalidate(inode, dentry, true);
1733 return inode_has_perm(cred, inode, av, &ad);
1734 }
1735
1736 /* Same as inode_has_perm, but pass explicit audit data containing
1737 the path to help the auditing code to more easily generate the
1738 pathname if needed. */
1739 static inline int path_has_perm(const struct cred *cred,
1740 const struct path *path,
1741 u32 av)
1742 {
1743 struct inode *inode = d_backing_inode(path->dentry);
1744 struct common_audit_data ad;
1745
1746 ad.type = LSM_AUDIT_DATA_PATH;
1747 ad.u.path = *path;
1748 __inode_security_revalidate(inode, path->dentry, true);
1749 return inode_has_perm(cred, inode, av, &ad);
1750 }
1751
1752 /* Same as path_has_perm, but uses the inode from the file struct. */
1753 static inline int file_path_has_perm(const struct cred *cred,
1754 struct file *file,
1755 u32 av)
1756 {
1757 struct common_audit_data ad;
1758
1759 ad.type = LSM_AUDIT_DATA_FILE;
1760 ad.u.file = file;
1761 return inode_has_perm(cred, file_inode(file), av, &ad);
1762 }
1763
1764 /* Check whether a task can use an open file descriptor to
1765 access an inode in a given way. Check access to the
1766 descriptor itself, and then use dentry_has_perm to
1767 check a particular permission to the file.
1768 Access to the descriptor is implicitly granted if it
1769 has the same SID as the process. If av is zero, then
1770 access to the file is not checked, e.g. for cases
1771 where only the descriptor is affected like seek. */
1772 static int file_has_perm(const struct cred *cred,
1773 struct file *file,
1774 u32 av)
1775 {
1776 struct file_security_struct *fsec = file->f_security;
1777 struct inode *inode = file_inode(file);
1778 struct common_audit_data ad;
1779 u32 sid = cred_sid(cred);
1780 int rc;
1781
1782 ad.type = LSM_AUDIT_DATA_FILE;
1783 ad.u.file = file;
1784
1785 if (sid != fsec->sid) {
1786 rc = avc_has_perm(sid, fsec->sid,
1787 SECCLASS_FD,
1788 FD__USE,
1789 &ad);
1790 if (rc)
1791 goto out;
1792 }
1793
1794 /* av is zero if only checking access to the descriptor. */
1795 rc = 0;
1796 if (av)
1797 rc = inode_has_perm(cred, inode, av, &ad);
1798
1799 out:
1800 return rc;
1801 }
1802
1803 /*
1804 * Determine the label for an inode that might be unioned.
1805 */
1806 static int
1807 selinux_determine_inode_label(const struct task_security_struct *tsec,
1808 struct inode *dir,
1809 const struct qstr *name, u16 tclass,
1810 u32 *_new_isid)
1811 {
1812 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1813
1814 if ((sbsec->flags & SE_SBINITIALIZED) &&
1815 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1816 *_new_isid = sbsec->mntpoint_sid;
1817 } else if ((sbsec->flags & SBLABEL_MNT) &&
1818 tsec->create_sid) {
1819 *_new_isid = tsec->create_sid;
1820 } else {
1821 const struct inode_security_struct *dsec = inode_security(dir);
1822 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1823 name, _new_isid);
1824 }
1825
1826 return 0;
1827 }
1828
1829 /* Check whether a task can create a file. */
1830 static int may_create(struct inode *dir,
1831 struct dentry *dentry,
1832 u16 tclass)
1833 {
1834 const struct task_security_struct *tsec = current_security();
1835 struct inode_security_struct *dsec;
1836 struct superblock_security_struct *sbsec;
1837 u32 sid, newsid;
1838 struct common_audit_data ad;
1839 int rc;
1840
1841 dsec = inode_security(dir);
1842 sbsec = dir->i_sb->s_security;
1843
1844 sid = tsec->sid;
1845
1846 ad.type = LSM_AUDIT_DATA_DENTRY;
1847 ad.u.dentry = dentry;
1848
1849 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1850 DIR__ADD_NAME | DIR__SEARCH,
1851 &ad);
1852 if (rc)
1853 return rc;
1854
1855 rc = selinux_determine_inode_label(current_security(), dir,
1856 &dentry->d_name, tclass, &newsid);
1857 if (rc)
1858 return rc;
1859
1860 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1861 if (rc)
1862 return rc;
1863
1864 return avc_has_perm(newsid, sbsec->sid,
1865 SECCLASS_FILESYSTEM,
1866 FILESYSTEM__ASSOCIATE, &ad);
1867 }
1868
1869 /* Check whether a task can create a key. */
1870 static int may_create_key(u32 ksid,
1871 struct task_struct *ctx)
1872 {
1873 u32 sid = task_sid(ctx);
1874
1875 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1876 }
1877
1878 #define MAY_LINK 0
1879 #define MAY_UNLINK 1
1880 #define MAY_RMDIR 2
1881
1882 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1883 static int may_link(struct inode *dir,
1884 struct dentry *dentry,
1885 int kind)
1886
1887 {
1888 struct inode_security_struct *dsec, *isec;
1889 struct common_audit_data ad;
1890 u32 sid = current_sid();
1891 u32 av;
1892 int rc;
1893
1894 dsec = inode_security(dir);
1895 isec = backing_inode_security(dentry);
1896
1897 ad.type = LSM_AUDIT_DATA_DENTRY;
1898 ad.u.dentry = dentry;
1899
1900 av = DIR__SEARCH;
1901 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1902 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1903 if (rc)
1904 return rc;
1905
1906 switch (kind) {
1907 case MAY_LINK:
1908 av = FILE__LINK;
1909 break;
1910 case MAY_UNLINK:
1911 av = FILE__UNLINK;
1912 break;
1913 case MAY_RMDIR:
1914 av = DIR__RMDIR;
1915 break;
1916 default:
1917 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1918 __func__, kind);
1919 return 0;
1920 }
1921
1922 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1923 return rc;
1924 }
1925
1926 static inline int may_rename(struct inode *old_dir,
1927 struct dentry *old_dentry,
1928 struct inode *new_dir,
1929 struct dentry *new_dentry)
1930 {
1931 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1932 struct common_audit_data ad;
1933 u32 sid = current_sid();
1934 u32 av;
1935 int old_is_dir, new_is_dir;
1936 int rc;
1937
1938 old_dsec = inode_security(old_dir);
1939 old_isec = backing_inode_security(old_dentry);
1940 old_is_dir = d_is_dir(old_dentry);
1941 new_dsec = inode_security(new_dir);
1942
1943 ad.type = LSM_AUDIT_DATA_DENTRY;
1944
1945 ad.u.dentry = old_dentry;
1946 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1947 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1948 if (rc)
1949 return rc;
1950 rc = avc_has_perm(sid, old_isec->sid,
1951 old_isec->sclass, FILE__RENAME, &ad);
1952 if (rc)
1953 return rc;
1954 if (old_is_dir && new_dir != old_dir) {
1955 rc = avc_has_perm(sid, old_isec->sid,
1956 old_isec->sclass, DIR__REPARENT, &ad);
1957 if (rc)
1958 return rc;
1959 }
1960
1961 ad.u.dentry = new_dentry;
1962 av = DIR__ADD_NAME | DIR__SEARCH;
1963 if (d_is_positive(new_dentry))
1964 av |= DIR__REMOVE_NAME;
1965 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1966 if (rc)
1967 return rc;
1968 if (d_is_positive(new_dentry)) {
1969 new_isec = backing_inode_security(new_dentry);
1970 new_is_dir = d_is_dir(new_dentry);
1971 rc = avc_has_perm(sid, new_isec->sid,
1972 new_isec->sclass,
1973 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1974 if (rc)
1975 return rc;
1976 }
1977
1978 return 0;
1979 }
1980
1981 /* Check whether a task can perform a filesystem operation. */
1982 static int superblock_has_perm(const struct cred *cred,
1983 struct super_block *sb,
1984 u32 perms,
1985 struct common_audit_data *ad)
1986 {
1987 struct superblock_security_struct *sbsec;
1988 u32 sid = cred_sid(cred);
1989
1990 sbsec = sb->s_security;
1991 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1992 }
1993
1994 /* Convert a Linux mode and permission mask to an access vector. */
1995 static inline u32 file_mask_to_av(int mode, int mask)
1996 {
1997 u32 av = 0;
1998
1999 if (!S_ISDIR(mode)) {
2000 if (mask & MAY_EXEC)
2001 av |= FILE__EXECUTE;
2002 if (mask & MAY_READ)
2003 av |= FILE__READ;
2004
2005 if (mask & MAY_APPEND)
2006 av |= FILE__APPEND;
2007 else if (mask & MAY_WRITE)
2008 av |= FILE__WRITE;
2009
2010 } else {
2011 if (mask & MAY_EXEC)
2012 av |= DIR__SEARCH;
2013 if (mask & MAY_WRITE)
2014 av |= DIR__WRITE;
2015 if (mask & MAY_READ)
2016 av |= DIR__READ;
2017 }
2018
2019 return av;
2020 }
2021
2022 /* Convert a Linux file to an access vector. */
2023 static inline u32 file_to_av(struct file *file)
2024 {
2025 u32 av = 0;
2026
2027 if (file->f_mode & FMODE_READ)
2028 av |= FILE__READ;
2029 if (file->f_mode & FMODE_WRITE) {
2030 if (file->f_flags & O_APPEND)
2031 av |= FILE__APPEND;
2032 else
2033 av |= FILE__WRITE;
2034 }
2035 if (!av) {
2036 /*
2037 * Special file opened with flags 3 for ioctl-only use.
2038 */
2039 av = FILE__IOCTL;
2040 }
2041
2042 return av;
2043 }
2044
2045 /*
2046 * Convert a file to an access vector and include the correct open
2047 * open permission.
2048 */
2049 static inline u32 open_file_to_av(struct file *file)
2050 {
2051 u32 av = file_to_av(file);
2052
2053 if (selinux_policycap_openperm)
2054 av |= FILE__OPEN;
2055
2056 return av;
2057 }
2058
2059 /* Hook functions begin here. */
2060
2061 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2062 {
2063 u32 mysid = current_sid();
2064 u32 mgrsid = task_sid(mgr);
2065
2066 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2067 BINDER__SET_CONTEXT_MGR, NULL);
2068 }
2069
2070 static int selinux_binder_transaction(struct task_struct *from,
2071 struct task_struct *to)
2072 {
2073 u32 mysid = current_sid();
2074 u32 fromsid = task_sid(from);
2075 u32 tosid = task_sid(to);
2076 int rc;
2077
2078 if (mysid != fromsid) {
2079 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2080 BINDER__IMPERSONATE, NULL);
2081 if (rc)
2082 return rc;
2083 }
2084
2085 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2086 NULL);
2087 }
2088
2089 static int selinux_binder_transfer_binder(struct task_struct *from,
2090 struct task_struct *to)
2091 {
2092 u32 fromsid = task_sid(from);
2093 u32 tosid = task_sid(to);
2094
2095 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2096 NULL);
2097 }
2098
2099 static int selinux_binder_transfer_file(struct task_struct *from,
2100 struct task_struct *to,
2101 struct file *file)
2102 {
2103 u32 sid = task_sid(to);
2104 struct file_security_struct *fsec = file->f_security;
2105 struct dentry *dentry = file->f_path.dentry;
2106 struct inode_security_struct *isec;
2107 struct common_audit_data ad;
2108 int rc;
2109
2110 ad.type = LSM_AUDIT_DATA_PATH;
2111 ad.u.path = file->f_path;
2112
2113 if (sid != fsec->sid) {
2114 rc = avc_has_perm(sid, fsec->sid,
2115 SECCLASS_FD,
2116 FD__USE,
2117 &ad);
2118 if (rc)
2119 return rc;
2120 }
2121
2122 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2123 return 0;
2124
2125 isec = backing_inode_security(dentry);
2126 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2127 &ad);
2128 }
2129
2130 static int selinux_ptrace_access_check(struct task_struct *child,
2131 unsigned int mode)
2132 {
2133 if (mode & PTRACE_MODE_READ) {
2134 u32 sid = current_sid();
2135 u32 csid = task_sid(child);
2136 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2137 }
2138
2139 return current_has_perm(child, PROCESS__PTRACE);
2140 }
2141
2142 static int selinux_ptrace_traceme(struct task_struct *parent)
2143 {
2144 return task_has_perm(parent, current, PROCESS__PTRACE);
2145 }
2146
2147 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2148 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2149 {
2150 return current_has_perm(target, PROCESS__GETCAP);
2151 }
2152
2153 static int selinux_capset(struct cred *new, const struct cred *old,
2154 const kernel_cap_t *effective,
2155 const kernel_cap_t *inheritable,
2156 const kernel_cap_t *permitted)
2157 {
2158 return cred_has_perm(old, new, PROCESS__SETCAP);
2159 }
2160
2161 /*
2162 * (This comment used to live with the selinux_task_setuid hook,
2163 * which was removed).
2164 *
2165 * Since setuid only affects the current process, and since the SELinux
2166 * controls are not based on the Linux identity attributes, SELinux does not
2167 * need to control this operation. However, SELinux does control the use of
2168 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2169 */
2170
2171 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2172 int cap, int audit)
2173 {
2174 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2175 }
2176
2177 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2178 {
2179 const struct cred *cred = current_cred();
2180 int rc = 0;
2181
2182 if (!sb)
2183 return 0;
2184
2185 switch (cmds) {
2186 case Q_SYNC:
2187 case Q_QUOTAON:
2188 case Q_QUOTAOFF:
2189 case Q_SETINFO:
2190 case Q_SETQUOTA:
2191 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2192 break;
2193 case Q_GETFMT:
2194 case Q_GETINFO:
2195 case Q_GETQUOTA:
2196 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2197 break;
2198 default:
2199 rc = 0; /* let the kernel handle invalid cmds */
2200 break;
2201 }
2202 return rc;
2203 }
2204
2205 static int selinux_quota_on(struct dentry *dentry)
2206 {
2207 const struct cred *cred = current_cred();
2208
2209 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2210 }
2211
2212 static int selinux_syslog(int type)
2213 {
2214 int rc;
2215
2216 switch (type) {
2217 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2218 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2219 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2220 break;
2221 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2222 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2223 /* Set level of messages printed to console */
2224 case SYSLOG_ACTION_CONSOLE_LEVEL:
2225 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2226 break;
2227 case SYSLOG_ACTION_CLOSE: /* Close log */
2228 case SYSLOG_ACTION_OPEN: /* Open log */
2229 case SYSLOG_ACTION_READ: /* Read from log */
2230 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2231 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2232 default:
2233 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2234 break;
2235 }
2236 return rc;
2237 }
2238
2239 /*
2240 * Check that a process has enough memory to allocate a new virtual
2241 * mapping. 0 means there is enough memory for the allocation to
2242 * succeed and -ENOMEM implies there is not.
2243 *
2244 * Do not audit the selinux permission check, as this is applied to all
2245 * processes that allocate mappings.
2246 */
2247 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2248 {
2249 int rc, cap_sys_admin = 0;
2250
2251 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2252 SECURITY_CAP_NOAUDIT, true);
2253 if (rc == 0)
2254 cap_sys_admin = 1;
2255
2256 return cap_sys_admin;
2257 }
2258
2259 /* binprm security operations */
2260
2261 static u32 ptrace_parent_sid(struct task_struct *task)
2262 {
2263 u32 sid = 0;
2264 struct task_struct *tracer;
2265
2266 rcu_read_lock();
2267 tracer = ptrace_parent(task);
2268 if (tracer)
2269 sid = task_sid(tracer);
2270 rcu_read_unlock();
2271
2272 return sid;
2273 }
2274
2275 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2276 const struct task_security_struct *old_tsec,
2277 const struct task_security_struct *new_tsec)
2278 {
2279 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2280 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2281 int rc;
2282
2283 if (!nnp && !nosuid)
2284 return 0; /* neither NNP nor nosuid */
2285
2286 if (new_tsec->sid == old_tsec->sid)
2287 return 0; /* No change in credentials */
2288
2289 /*
2290 * The only transitions we permit under NNP or nosuid
2291 * are transitions to bounded SIDs, i.e. SIDs that are
2292 * guaranteed to only be allowed a subset of the permissions
2293 * of the current SID.
2294 */
2295 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2296 if (rc) {
2297 /*
2298 * On failure, preserve the errno values for NNP vs nosuid.
2299 * NNP: Operation not permitted for caller.
2300 * nosuid: Permission denied to file.
2301 */
2302 if (nnp)
2303 return -EPERM;
2304 else
2305 return -EACCES;
2306 }
2307 return 0;
2308 }
2309
2310 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2311 {
2312 const struct task_security_struct *old_tsec;
2313 struct task_security_struct *new_tsec;
2314 struct inode_security_struct *isec;
2315 struct common_audit_data ad;
2316 struct inode *inode = file_inode(bprm->file);
2317 int rc;
2318
2319 /* SELinux context only depends on initial program or script and not
2320 * the script interpreter */
2321 if (bprm->cred_prepared)
2322 return 0;
2323
2324 old_tsec = current_security();
2325 new_tsec = bprm->cred->security;
2326 isec = inode_security(inode);
2327
2328 /* Default to the current task SID. */
2329 new_tsec->sid = old_tsec->sid;
2330 new_tsec->osid = old_tsec->sid;
2331
2332 /* Reset fs, key, and sock SIDs on execve. */
2333 new_tsec->create_sid = 0;
2334 new_tsec->keycreate_sid = 0;
2335 new_tsec->sockcreate_sid = 0;
2336
2337 if (old_tsec->exec_sid) {
2338 new_tsec->sid = old_tsec->exec_sid;
2339 /* Reset exec SID on execve. */
2340 new_tsec->exec_sid = 0;
2341
2342 /* Fail on NNP or nosuid if not an allowed transition. */
2343 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2344 if (rc)
2345 return rc;
2346 } else {
2347 /* Check for a default transition on this program. */
2348 rc = security_transition_sid(old_tsec->sid, isec->sid,
2349 SECCLASS_PROCESS, NULL,
2350 &new_tsec->sid);
2351 if (rc)
2352 return rc;
2353
2354 /*
2355 * Fallback to old SID on NNP or nosuid if not an allowed
2356 * transition.
2357 */
2358 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2359 if (rc)
2360 new_tsec->sid = old_tsec->sid;
2361 }
2362
2363 ad.type = LSM_AUDIT_DATA_FILE;
2364 ad.u.file = bprm->file;
2365
2366 if (new_tsec->sid == old_tsec->sid) {
2367 rc = avc_has_perm(old_tsec->sid, isec->sid,
2368 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2369 if (rc)
2370 return rc;
2371 } else {
2372 /* Check permissions for the transition. */
2373 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2374 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2375 if (rc)
2376 return rc;
2377
2378 rc = avc_has_perm(new_tsec->sid, isec->sid,
2379 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2380 if (rc)
2381 return rc;
2382
2383 /* Check for shared state */
2384 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2385 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2386 SECCLASS_PROCESS, PROCESS__SHARE,
2387 NULL);
2388 if (rc)
2389 return -EPERM;
2390 }
2391
2392 /* Make sure that anyone attempting to ptrace over a task that
2393 * changes its SID has the appropriate permit */
2394 if (bprm->unsafe &
2395 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2396 u32 ptsid = ptrace_parent_sid(current);
2397 if (ptsid != 0) {
2398 rc = avc_has_perm(ptsid, new_tsec->sid,
2399 SECCLASS_PROCESS,
2400 PROCESS__PTRACE, NULL);
2401 if (rc)
2402 return -EPERM;
2403 }
2404 }
2405
2406 /* Clear any possibly unsafe personality bits on exec: */
2407 bprm->per_clear |= PER_CLEAR_ON_SETID;
2408 }
2409
2410 return 0;
2411 }
2412
2413 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2414 {
2415 const struct task_security_struct *tsec = current_security();
2416 u32 sid, osid;
2417 int atsecure = 0;
2418
2419 sid = tsec->sid;
2420 osid = tsec->osid;
2421
2422 if (osid != sid) {
2423 /* Enable secure mode for SIDs transitions unless
2424 the noatsecure permission is granted between
2425 the two SIDs, i.e. ahp returns 0. */
2426 atsecure = avc_has_perm(osid, sid,
2427 SECCLASS_PROCESS,
2428 PROCESS__NOATSECURE, NULL);
2429 }
2430
2431 return !!atsecure;
2432 }
2433
2434 static int match_file(const void *p, struct file *file, unsigned fd)
2435 {
2436 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2437 }
2438
2439 /* Derived from fs/exec.c:flush_old_files. */
2440 static inline void flush_unauthorized_files(const struct cred *cred,
2441 struct files_struct *files)
2442 {
2443 struct file *file, *devnull = NULL;
2444 struct tty_struct *tty;
2445 int drop_tty = 0;
2446 unsigned n;
2447
2448 tty = get_current_tty();
2449 if (tty) {
2450 spin_lock(&tty->files_lock);
2451 if (!list_empty(&tty->tty_files)) {
2452 struct tty_file_private *file_priv;
2453
2454 /* Revalidate access to controlling tty.
2455 Use file_path_has_perm on the tty path directly
2456 rather than using file_has_perm, as this particular
2457 open file may belong to another process and we are
2458 only interested in the inode-based check here. */
2459 file_priv = list_first_entry(&tty->tty_files,
2460 struct tty_file_private, list);
2461 file = file_priv->file;
2462 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2463 drop_tty = 1;
2464 }
2465 spin_unlock(&tty->files_lock);
2466 tty_kref_put(tty);
2467 }
2468 /* Reset controlling tty. */
2469 if (drop_tty)
2470 no_tty();
2471
2472 /* Revalidate access to inherited open files. */
2473 n = iterate_fd(files, 0, match_file, cred);
2474 if (!n) /* none found? */
2475 return;
2476
2477 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2478 if (IS_ERR(devnull))
2479 devnull = NULL;
2480 /* replace all the matching ones with this */
2481 do {
2482 replace_fd(n - 1, devnull, 0);
2483 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2484 if (devnull)
2485 fput(devnull);
2486 }
2487
2488 /*
2489 * Prepare a process for imminent new credential changes due to exec
2490 */
2491 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2492 {
2493 struct task_security_struct *new_tsec;
2494 struct rlimit *rlim, *initrlim;
2495 int rc, i;
2496
2497 new_tsec = bprm->cred->security;
2498 if (new_tsec->sid == new_tsec->osid)
2499 return;
2500
2501 /* Close files for which the new task SID is not authorized. */
2502 flush_unauthorized_files(bprm->cred, current->files);
2503
2504 /* Always clear parent death signal on SID transitions. */
2505 current->pdeath_signal = 0;
2506
2507 /* Check whether the new SID can inherit resource limits from the old
2508 * SID. If not, reset all soft limits to the lower of the current
2509 * task's hard limit and the init task's soft limit.
2510 *
2511 * Note that the setting of hard limits (even to lower them) can be
2512 * controlled by the setrlimit check. The inclusion of the init task's
2513 * soft limit into the computation is to avoid resetting soft limits
2514 * higher than the default soft limit for cases where the default is
2515 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2516 */
2517 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2518 PROCESS__RLIMITINH, NULL);
2519 if (rc) {
2520 /* protect against do_prlimit() */
2521 task_lock(current);
2522 for (i = 0; i < RLIM_NLIMITS; i++) {
2523 rlim = current->signal->rlim + i;
2524 initrlim = init_task.signal->rlim + i;
2525 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2526 }
2527 task_unlock(current);
2528 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2529 }
2530 }
2531
2532 /*
2533 * Clean up the process immediately after the installation of new credentials
2534 * due to exec
2535 */
2536 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2537 {
2538 const struct task_security_struct *tsec = current_security();
2539 struct itimerval itimer;
2540 u32 osid, sid;
2541 int rc, i;
2542
2543 osid = tsec->osid;
2544 sid = tsec->sid;
2545
2546 if (sid == osid)
2547 return;
2548
2549 /* Check whether the new SID can inherit signal state from the old SID.
2550 * If not, clear itimers to avoid subsequent signal generation and
2551 * flush and unblock signals.
2552 *
2553 * This must occur _after_ the task SID has been updated so that any
2554 * kill done after the flush will be checked against the new SID.
2555 */
2556 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2557 if (rc) {
2558 memset(&itimer, 0, sizeof itimer);
2559 for (i = 0; i < 3; i++)
2560 do_setitimer(i, &itimer, NULL);
2561 spin_lock_irq(&current->sighand->siglock);
2562 if (!fatal_signal_pending(current)) {
2563 flush_sigqueue(&current->pending);
2564 flush_sigqueue(&current->signal->shared_pending);
2565 flush_signal_handlers(current, 1);
2566 sigemptyset(&current->blocked);
2567 recalc_sigpending();
2568 }
2569 spin_unlock_irq(&current->sighand->siglock);
2570 }
2571
2572 /* Wake up the parent if it is waiting so that it can recheck
2573 * wait permission to the new task SID. */
2574 read_lock(&tasklist_lock);
2575 __wake_up_parent(current, current->real_parent);
2576 read_unlock(&tasklist_lock);
2577 }
2578
2579 /* superblock security operations */
2580
2581 static int selinux_sb_alloc_security(struct super_block *sb)
2582 {
2583 return superblock_alloc_security(sb);
2584 }
2585
2586 static void selinux_sb_free_security(struct super_block *sb)
2587 {
2588 superblock_free_security(sb);
2589 }
2590
2591 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2592 {
2593 if (plen > olen)
2594 return 0;
2595
2596 return !memcmp(prefix, option, plen);
2597 }
2598
2599 static inline int selinux_option(char *option, int len)
2600 {
2601 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2602 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2603 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2604 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2605 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2606 }
2607
2608 static inline void take_option(char **to, char *from, int *first, int len)
2609 {
2610 if (!*first) {
2611 **to = ',';
2612 *to += 1;
2613 } else
2614 *first = 0;
2615 memcpy(*to, from, len);
2616 *to += len;
2617 }
2618
2619 static inline void take_selinux_option(char **to, char *from, int *first,
2620 int len)
2621 {
2622 int current_size = 0;
2623
2624 if (!*first) {
2625 **to = '|';
2626 *to += 1;
2627 } else
2628 *first = 0;
2629
2630 while (current_size < len) {
2631 if (*from != '"') {
2632 **to = *from;
2633 *to += 1;
2634 }
2635 from += 1;
2636 current_size += 1;
2637 }
2638 }
2639
2640 static int selinux_sb_copy_data(char *orig, char *copy)
2641 {
2642 int fnosec, fsec, rc = 0;
2643 char *in_save, *in_curr, *in_end;
2644 char *sec_curr, *nosec_save, *nosec;
2645 int open_quote = 0;
2646
2647 in_curr = orig;
2648 sec_curr = copy;
2649
2650 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2651 if (!nosec) {
2652 rc = -ENOMEM;
2653 goto out;
2654 }
2655
2656 nosec_save = nosec;
2657 fnosec = fsec = 1;
2658 in_save = in_end = orig;
2659
2660 do {
2661 if (*in_end == '"')
2662 open_quote = !open_quote;
2663 if ((*in_end == ',' && open_quote == 0) ||
2664 *in_end == '\0') {
2665 int len = in_end - in_curr;
2666
2667 if (selinux_option(in_curr, len))
2668 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2669 else
2670 take_option(&nosec, in_curr, &fnosec, len);
2671
2672 in_curr = in_end + 1;
2673 }
2674 } while (*in_end++);
2675
2676 strcpy(in_save, nosec_save);
2677 free_page((unsigned long)nosec_save);
2678 out:
2679 return rc;
2680 }
2681
2682 static int selinux_sb_remount(struct super_block *sb, void *data)
2683 {
2684 int rc, i, *flags;
2685 struct security_mnt_opts opts;
2686 char *secdata, **mount_options;
2687 struct superblock_security_struct *sbsec = sb->s_security;
2688
2689 if (!(sbsec->flags & SE_SBINITIALIZED))
2690 return 0;
2691
2692 if (!data)
2693 return 0;
2694
2695 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2696 return 0;
2697
2698 security_init_mnt_opts(&opts);
2699 secdata = alloc_secdata();
2700 if (!secdata)
2701 return -ENOMEM;
2702 rc = selinux_sb_copy_data(data, secdata);
2703 if (rc)
2704 goto out_free_secdata;
2705
2706 rc = selinux_parse_opts_str(secdata, &opts);
2707 if (rc)
2708 goto out_free_secdata;
2709
2710 mount_options = opts.mnt_opts;
2711 flags = opts.mnt_opts_flags;
2712
2713 for (i = 0; i < opts.num_mnt_opts; i++) {
2714 u32 sid;
2715
2716 if (flags[i] == SBLABEL_MNT)
2717 continue;
2718 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2719 if (rc) {
2720 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2721 "(%s) failed for (dev %s, type %s) errno=%d\n",
2722 mount_options[i], sb->s_id, sb->s_type->name, rc);
2723 goto out_free_opts;
2724 }
2725 rc = -EINVAL;
2726 switch (flags[i]) {
2727 case FSCONTEXT_MNT:
2728 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2729 goto out_bad_option;
2730 break;
2731 case CONTEXT_MNT:
2732 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2733 goto out_bad_option;
2734 break;
2735 case ROOTCONTEXT_MNT: {
2736 struct inode_security_struct *root_isec;
2737 root_isec = backing_inode_security(sb->s_root);
2738
2739 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2740 goto out_bad_option;
2741 break;
2742 }
2743 case DEFCONTEXT_MNT:
2744 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2745 goto out_bad_option;
2746 break;
2747 default:
2748 goto out_free_opts;
2749 }
2750 }
2751
2752 rc = 0;
2753 out_free_opts:
2754 security_free_mnt_opts(&opts);
2755 out_free_secdata:
2756 free_secdata(secdata);
2757 return rc;
2758 out_bad_option:
2759 printk(KERN_WARNING "SELinux: unable to change security options "
2760 "during remount (dev %s, type=%s)\n", sb->s_id,
2761 sb->s_type->name);
2762 goto out_free_opts;
2763 }
2764
2765 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2766 {
2767 const struct cred *cred = current_cred();
2768 struct common_audit_data ad;
2769 int rc;
2770
2771 rc = superblock_doinit(sb, data);
2772 if (rc)
2773 return rc;
2774
2775 /* Allow all mounts performed by the kernel */
2776 if (flags & MS_KERNMOUNT)
2777 return 0;
2778
2779 ad.type = LSM_AUDIT_DATA_DENTRY;
2780 ad.u.dentry = sb->s_root;
2781 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2782 }
2783
2784 static int selinux_sb_statfs(struct dentry *dentry)
2785 {
2786 const struct cred *cred = current_cred();
2787 struct common_audit_data ad;
2788
2789 ad.type = LSM_AUDIT_DATA_DENTRY;
2790 ad.u.dentry = dentry->d_sb->s_root;
2791 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2792 }
2793
2794 static int selinux_mount(const char *dev_name,
2795 const struct path *path,
2796 const char *type,
2797 unsigned long flags,
2798 void *data)
2799 {
2800 const struct cred *cred = current_cred();
2801
2802 if (flags & MS_REMOUNT)
2803 return superblock_has_perm(cred, path->dentry->d_sb,
2804 FILESYSTEM__REMOUNT, NULL);
2805 else
2806 return path_has_perm(cred, path, FILE__MOUNTON);
2807 }
2808
2809 static int selinux_umount(struct vfsmount *mnt, int flags)
2810 {
2811 const struct cred *cred = current_cred();
2812
2813 return superblock_has_perm(cred, mnt->mnt_sb,
2814 FILESYSTEM__UNMOUNT, NULL);
2815 }
2816
2817 /* inode security operations */
2818
2819 static int selinux_inode_alloc_security(struct inode *inode)
2820 {
2821 return inode_alloc_security(inode);
2822 }
2823
2824 static void selinux_inode_free_security(struct inode *inode)
2825 {
2826 inode_free_security(inode);
2827 }
2828
2829 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2830 const struct qstr *name, void **ctx,
2831 u32 *ctxlen)
2832 {
2833 u32 newsid;
2834 int rc;
2835
2836 rc = selinux_determine_inode_label(current_security(),
2837 d_inode(dentry->d_parent), name,
2838 inode_mode_to_security_class(mode),
2839 &newsid);
2840 if (rc)
2841 return rc;
2842
2843 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2844 }
2845
2846 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2847 struct qstr *name,
2848 const struct cred *old,
2849 struct cred *new)
2850 {
2851 u32 newsid;
2852 int rc;
2853 struct task_security_struct *tsec;
2854
2855 rc = selinux_determine_inode_label(old->security,
2856 d_inode(dentry->d_parent), name,
2857 inode_mode_to_security_class(mode),
2858 &newsid);
2859 if (rc)
2860 return rc;
2861
2862 tsec = new->security;
2863 tsec->create_sid = newsid;
2864 return 0;
2865 }
2866
2867 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2868 const struct qstr *qstr,
2869 const char **name,
2870 void **value, size_t *len)
2871 {
2872 const struct task_security_struct *tsec = current_security();
2873 struct superblock_security_struct *sbsec;
2874 u32 sid, newsid, clen;
2875 int rc;
2876 char *context;
2877
2878 sbsec = dir->i_sb->s_security;
2879
2880 sid = tsec->sid;
2881 newsid = tsec->create_sid;
2882
2883 rc = selinux_determine_inode_label(current_security(),
2884 dir, qstr,
2885 inode_mode_to_security_class(inode->i_mode),
2886 &newsid);
2887 if (rc)
2888 return rc;
2889
2890 /* Possibly defer initialization to selinux_complete_init. */
2891 if (sbsec->flags & SE_SBINITIALIZED) {
2892 struct inode_security_struct *isec = inode->i_security;
2893 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2894 isec->sid = newsid;
2895 isec->initialized = LABEL_INITIALIZED;
2896 }
2897
2898 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2899 return -EOPNOTSUPP;
2900
2901 if (name)
2902 *name = XATTR_SELINUX_SUFFIX;
2903
2904 if (value && len) {
2905 rc = security_sid_to_context_force(newsid, &context, &clen);
2906 if (rc)
2907 return rc;
2908 *value = context;
2909 *len = clen;
2910 }
2911
2912 return 0;
2913 }
2914
2915 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2916 {
2917 return may_create(dir, dentry, SECCLASS_FILE);
2918 }
2919
2920 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2921 {
2922 return may_link(dir, old_dentry, MAY_LINK);
2923 }
2924
2925 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2926 {
2927 return may_link(dir, dentry, MAY_UNLINK);
2928 }
2929
2930 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2931 {
2932 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2933 }
2934
2935 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2936 {
2937 return may_create(dir, dentry, SECCLASS_DIR);
2938 }
2939
2940 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2941 {
2942 return may_link(dir, dentry, MAY_RMDIR);
2943 }
2944
2945 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2946 {
2947 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2948 }
2949
2950 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2951 struct inode *new_inode, struct dentry *new_dentry)
2952 {
2953 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2954 }
2955
2956 static int selinux_inode_readlink(struct dentry *dentry)
2957 {
2958 const struct cred *cred = current_cred();
2959
2960 return dentry_has_perm(cred, dentry, FILE__READ);
2961 }
2962
2963 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2964 bool rcu)
2965 {
2966 const struct cred *cred = current_cred();
2967 struct common_audit_data ad;
2968 struct inode_security_struct *isec;
2969 u32 sid;
2970
2971 validate_creds(cred);
2972
2973 ad.type = LSM_AUDIT_DATA_DENTRY;
2974 ad.u.dentry = dentry;
2975 sid = cred_sid(cred);
2976 isec = inode_security_rcu(inode, rcu);
2977 if (IS_ERR(isec))
2978 return PTR_ERR(isec);
2979
2980 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2981 rcu ? MAY_NOT_BLOCK : 0);
2982 }
2983
2984 static noinline int audit_inode_permission(struct inode *inode,
2985 u32 perms, u32 audited, u32 denied,
2986 int result,
2987 unsigned flags)
2988 {
2989 struct common_audit_data ad;
2990 struct inode_security_struct *isec = inode->i_security;
2991 int rc;
2992
2993 ad.type = LSM_AUDIT_DATA_INODE;
2994 ad.u.inode = inode;
2995
2996 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2997 audited, denied, result, &ad, flags);
2998 if (rc)
2999 return rc;
3000 return 0;
3001 }
3002
3003 static int selinux_inode_permission(struct inode *inode, int mask)
3004 {
3005 const struct cred *cred = current_cred();
3006 u32 perms;
3007 bool from_access;
3008 unsigned flags = mask & MAY_NOT_BLOCK;
3009 struct inode_security_struct *isec;
3010 u32 sid;
3011 struct av_decision avd;
3012 int rc, rc2;
3013 u32 audited, denied;
3014
3015 from_access = mask & MAY_ACCESS;
3016 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3017
3018 /* No permission to check. Existence test. */
3019 if (!mask)
3020 return 0;
3021
3022 validate_creds(cred);
3023
3024 if (unlikely(IS_PRIVATE(inode)))
3025 return 0;
3026
3027 perms = file_mask_to_av(inode->i_mode, mask);
3028
3029 sid = cred_sid(cred);
3030 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3031 if (IS_ERR(isec))
3032 return PTR_ERR(isec);
3033
3034 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3035 audited = avc_audit_required(perms, &avd, rc,
3036 from_access ? FILE__AUDIT_ACCESS : 0,
3037 &denied);
3038 if (likely(!audited))
3039 return rc;
3040
3041 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3042 if (rc2)
3043 return rc2;
3044 return rc;
3045 }
3046
3047 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3048 {
3049 const struct cred *cred = current_cred();
3050 unsigned int ia_valid = iattr->ia_valid;
3051 __u32 av = FILE__WRITE;
3052
3053 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3054 if (ia_valid & ATTR_FORCE) {
3055 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3056 ATTR_FORCE);
3057 if (!ia_valid)
3058 return 0;
3059 }
3060
3061 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3062 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3063 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3064
3065 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3066 && !(ia_valid & ATTR_FILE))
3067 av |= FILE__OPEN;
3068
3069 return dentry_has_perm(cred, dentry, av);
3070 }
3071
3072 static int selinux_inode_getattr(const struct path *path)
3073 {
3074 return path_has_perm(current_cred(), path, FILE__GETATTR);
3075 }
3076
3077 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3078 {
3079 const struct cred *cred = current_cred();
3080
3081 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3082 sizeof XATTR_SECURITY_PREFIX - 1)) {
3083 if (!strcmp(name, XATTR_NAME_CAPS)) {
3084 if (!capable(CAP_SETFCAP))
3085 return -EPERM;
3086 } else if (!capable(CAP_SYS_ADMIN)) {
3087 /* A different attribute in the security namespace.
3088 Restrict to administrator. */
3089 return -EPERM;
3090 }
3091 }
3092
3093 /* Not an attribute we recognize, so just check the
3094 ordinary setattr permission. */
3095 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3096 }
3097
3098 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3099 const void *value, size_t size, int flags)
3100 {
3101 struct inode *inode = d_backing_inode(dentry);
3102 struct inode_security_struct *isec;
3103 struct superblock_security_struct *sbsec;
3104 struct common_audit_data ad;
3105 u32 newsid, sid = current_sid();
3106 int rc = 0;
3107
3108 if (strcmp(name, XATTR_NAME_SELINUX))
3109 return selinux_inode_setotherxattr(dentry, name);
3110
3111 sbsec = inode->i_sb->s_security;
3112 if (!(sbsec->flags & SBLABEL_MNT))
3113 return -EOPNOTSUPP;
3114
3115 if (!inode_owner_or_capable(inode))
3116 return -EPERM;
3117
3118 ad.type = LSM_AUDIT_DATA_DENTRY;
3119 ad.u.dentry = dentry;
3120
3121 isec = backing_inode_security(dentry);
3122 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3123 FILE__RELABELFROM, &ad);
3124 if (rc)
3125 return rc;
3126
3127 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3128 if (rc == -EINVAL) {
3129 if (!capable(CAP_MAC_ADMIN)) {
3130 struct audit_buffer *ab;
3131 size_t audit_size;
3132 const char *str;
3133
3134 /* We strip a nul only if it is at the end, otherwise the
3135 * context contains a nul and we should audit that */
3136 if (value) {
3137 str = value;
3138 if (str[size - 1] == '\0')
3139 audit_size = size - 1;
3140 else
3141 audit_size = size;
3142 } else {
3143 str = "";
3144 audit_size = 0;
3145 }
3146 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3147 audit_log_format(ab, "op=setxattr invalid_context=");
3148 audit_log_n_untrustedstring(ab, value, audit_size);
3149 audit_log_end(ab);
3150
3151 return rc;
3152 }
3153 rc = security_context_to_sid_force(value, size, &newsid);
3154 }
3155 if (rc)
3156 return rc;
3157
3158 rc = avc_has_perm(sid, newsid, isec->sclass,
3159 FILE__RELABELTO, &ad);
3160 if (rc)
3161 return rc;
3162
3163 rc = security_validate_transition(isec->sid, newsid, sid,
3164 isec->sclass);
3165 if (rc)
3166 return rc;
3167
3168 return avc_has_perm(newsid,
3169 sbsec->sid,
3170 SECCLASS_FILESYSTEM,
3171 FILESYSTEM__ASSOCIATE,
3172 &ad);
3173 }
3174
3175 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3176 const void *value, size_t size,
3177 int flags)
3178 {
3179 struct inode *inode = d_backing_inode(dentry);
3180 struct inode_security_struct *isec;
3181 u32 newsid;
3182 int rc;
3183
3184 if (strcmp(name, XATTR_NAME_SELINUX)) {
3185 /* Not an attribute we recognize, so nothing to do. */
3186 return;
3187 }
3188
3189 rc = security_context_to_sid_force(value, size, &newsid);
3190 if (rc) {
3191 printk(KERN_ERR "SELinux: unable to map context to SID"
3192 "for (%s, %lu), rc=%d\n",
3193 inode->i_sb->s_id, inode->i_ino, -rc);
3194 return;
3195 }
3196
3197 isec = backing_inode_security(dentry);
3198 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3199 isec->sid = newsid;
3200 isec->initialized = LABEL_INITIALIZED;
3201
3202 return;
3203 }
3204
3205 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3206 {
3207 const struct cred *cred = current_cred();
3208
3209 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3210 }
3211
3212 static int selinux_inode_listxattr(struct dentry *dentry)
3213 {
3214 const struct cred *cred = current_cred();
3215
3216 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3217 }
3218
3219 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3220 {
3221 if (strcmp(name, XATTR_NAME_SELINUX))
3222 return selinux_inode_setotherxattr(dentry, name);
3223
3224 /* No one is allowed to remove a SELinux security label.
3225 You can change the label, but all data must be labeled. */
3226 return -EACCES;
3227 }
3228
3229 /*
3230 * Copy the inode security context value to the user.
3231 *
3232 * Permission check is handled by selinux_inode_getxattr hook.
3233 */
3234 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3235 {
3236 u32 size;
3237 int error;
3238 char *context = NULL;
3239 struct inode_security_struct *isec;
3240
3241 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3242 return -EOPNOTSUPP;
3243
3244 /*
3245 * If the caller has CAP_MAC_ADMIN, then get the raw context
3246 * value even if it is not defined by current policy; otherwise,
3247 * use the in-core value under current policy.
3248 * Use the non-auditing forms of the permission checks since
3249 * getxattr may be called by unprivileged processes commonly
3250 * and lack of permission just means that we fall back to the
3251 * in-core context value, not a denial.
3252 */
3253 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3254 SECURITY_CAP_NOAUDIT);
3255 if (!error)
3256 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3257 SECURITY_CAP_NOAUDIT, true);
3258 isec = inode_security(inode);
3259 if (!error)
3260 error = security_sid_to_context_force(isec->sid, &context,
3261 &size);
3262 else
3263 error = security_sid_to_context(isec->sid, &context, &size);
3264 if (error)
3265 return error;
3266 error = size;
3267 if (alloc) {
3268 *buffer = context;
3269 goto out_nofree;
3270 }
3271 kfree(context);
3272 out_nofree:
3273 return error;
3274 }
3275
3276 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3277 const void *value, size_t size, int flags)
3278 {
3279 struct inode_security_struct *isec = inode_security_novalidate(inode);
3280 u32 newsid;
3281 int rc;
3282
3283 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3284 return -EOPNOTSUPP;
3285
3286 if (!value || !size)
3287 return -EACCES;
3288
3289 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3290 if (rc)
3291 return rc;
3292
3293 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3294 isec->sid = newsid;
3295 isec->initialized = LABEL_INITIALIZED;
3296 return 0;
3297 }
3298
3299 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3300 {
3301 const int len = sizeof(XATTR_NAME_SELINUX);
3302 if (buffer && len <= buffer_size)
3303 memcpy(buffer, XATTR_NAME_SELINUX, len);
3304 return len;
3305 }
3306
3307 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3308 {
3309 struct inode_security_struct *isec = inode_security_novalidate(inode);
3310 *secid = isec->sid;
3311 }
3312
3313 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3314 {
3315 u32 sid;
3316 struct task_security_struct *tsec;
3317 struct cred *new_creds = *new;
3318
3319 if (new_creds == NULL) {
3320 new_creds = prepare_creds();
3321 if (!new_creds)
3322 return -ENOMEM;
3323 }
3324
3325 tsec = new_creds->security;
3326 /* Get label from overlay inode and set it in create_sid */
3327 selinux_inode_getsecid(d_inode(src), &sid);
3328 tsec->create_sid = sid;
3329 *new = new_creds;
3330 return 0;
3331 }
3332
3333 static int selinux_inode_copy_up_xattr(const char *name)
3334 {
3335 /* The copy_up hook above sets the initial context on an inode, but we
3336 * don't then want to overwrite it by blindly copying all the lower
3337 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3338 */
3339 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3340 return 1; /* Discard */
3341 /*
3342 * Any other attribute apart from SELINUX is not claimed, supported
3343 * by selinux.
3344 */
3345 return -EOPNOTSUPP;
3346 }
3347
3348 /* file security operations */
3349
3350 static int selinux_revalidate_file_permission(struct file *file, int mask)
3351 {
3352 const struct cred *cred = current_cred();
3353 struct inode *inode = file_inode(file);
3354
3355 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3356 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3357 mask |= MAY_APPEND;
3358
3359 return file_has_perm(cred, file,
3360 file_mask_to_av(inode->i_mode, mask));
3361 }
3362
3363 static int selinux_file_permission(struct file *file, int mask)
3364 {
3365 struct inode *inode = file_inode(file);
3366 struct file_security_struct *fsec = file->f_security;
3367 struct inode_security_struct *isec;
3368 u32 sid = current_sid();
3369
3370 if (!mask)
3371 /* No permission to check. Existence test. */
3372 return 0;
3373
3374 isec = inode_security(inode);
3375 if (sid == fsec->sid && fsec->isid == isec->sid &&
3376 fsec->pseqno == avc_policy_seqno())
3377 /* No change since file_open check. */
3378 return 0;
3379
3380 return selinux_revalidate_file_permission(file, mask);
3381 }
3382
3383 static int selinux_file_alloc_security(struct file *file)
3384 {
3385 return file_alloc_security(file);
3386 }
3387
3388 static void selinux_file_free_security(struct file *file)
3389 {
3390 file_free_security(file);
3391 }
3392
3393 /*
3394 * Check whether a task has the ioctl permission and cmd
3395 * operation to an inode.
3396 */
3397 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3398 u32 requested, u16 cmd)
3399 {
3400 struct common_audit_data ad;
3401 struct file_security_struct *fsec = file->f_security;
3402 struct inode *inode = file_inode(file);
3403 struct inode_security_struct *isec;
3404 struct lsm_ioctlop_audit ioctl;
3405 u32 ssid = cred_sid(cred);
3406 int rc;
3407 u8 driver = cmd >> 8;
3408 u8 xperm = cmd & 0xff;
3409
3410 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3411 ad.u.op = &ioctl;
3412 ad.u.op->cmd = cmd;
3413 ad.u.op->path = file->f_path;
3414
3415 if (ssid != fsec->sid) {
3416 rc = avc_has_perm(ssid, fsec->sid,
3417 SECCLASS_FD,
3418 FD__USE,
3419 &ad);
3420 if (rc)
3421 goto out;
3422 }
3423
3424 if (unlikely(IS_PRIVATE(inode)))
3425 return 0;
3426
3427 isec = inode_security(inode);
3428 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3429 requested, driver, xperm, &ad);
3430 out:
3431 return rc;
3432 }
3433
3434 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3435 unsigned long arg)
3436 {
3437 const struct cred *cred = current_cred();
3438 int error = 0;
3439
3440 switch (cmd) {
3441 case FIONREAD:
3442 /* fall through */
3443 case FIBMAP:
3444 /* fall through */
3445 case FIGETBSZ:
3446 /* fall through */
3447 case FS_IOC_GETFLAGS:
3448 /* fall through */
3449 case FS_IOC_GETVERSION:
3450 error = file_has_perm(cred, file, FILE__GETATTR);
3451 break;
3452
3453 case FS_IOC_SETFLAGS:
3454 /* fall through */
3455 case FS_IOC_SETVERSION:
3456 error = file_has_perm(cred, file, FILE__SETATTR);
3457 break;
3458
3459 /* sys_ioctl() checks */
3460 case FIONBIO:
3461 /* fall through */
3462 case FIOASYNC:
3463 error = file_has_perm(cred, file, 0);
3464 break;
3465
3466 case KDSKBENT:
3467 case KDSKBSENT:
3468 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3469 SECURITY_CAP_AUDIT, true);
3470 break;
3471
3472 /* default case assumes that the command will go
3473 * to the file's ioctl() function.
3474 */
3475 default:
3476 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3477 }
3478 return error;
3479 }
3480
3481 static int default_noexec;
3482
3483 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3484 {
3485 const struct cred *cred = current_cred();
3486 int rc = 0;
3487
3488 if (default_noexec &&
3489 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3490 (!shared && (prot & PROT_WRITE)))) {
3491 /*
3492 * We are making executable an anonymous mapping or a
3493 * private file mapping that will also be writable.
3494 * This has an additional check.
3495 */
3496 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3497 if (rc)
3498 goto error;
3499 }
3500
3501 if (file) {
3502 /* read access is always possible with a mapping */
3503 u32 av = FILE__READ;
3504
3505 /* write access only matters if the mapping is shared */
3506 if (shared && (prot & PROT_WRITE))
3507 av |= FILE__WRITE;
3508
3509 if (prot & PROT_EXEC)
3510 av |= FILE__EXECUTE;
3511
3512 return file_has_perm(cred, file, av);
3513 }
3514
3515 error:
3516 return rc;
3517 }
3518
3519 static int selinux_mmap_addr(unsigned long addr)
3520 {
3521 int rc = 0;
3522
3523 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3524 u32 sid = current_sid();
3525 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3526 MEMPROTECT__MMAP_ZERO, NULL);
3527 }
3528
3529 return rc;
3530 }
3531
3532 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3533 unsigned long prot, unsigned long flags)
3534 {
3535 if (selinux_checkreqprot)
3536 prot = reqprot;
3537
3538 return file_map_prot_check(file, prot,
3539 (flags & MAP_TYPE) == MAP_SHARED);
3540 }
3541
3542 static int selinux_file_mprotect(struct vm_area_struct *vma,
3543 unsigned long reqprot,
3544 unsigned long prot)
3545 {
3546 const struct cred *cred = current_cred();
3547
3548 if (selinux_checkreqprot)
3549 prot = reqprot;
3550
3551 if (default_noexec &&
3552 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3553 int rc = 0;
3554 if (vma->vm_start >= vma->vm_mm->start_brk &&
3555 vma->vm_end <= vma->vm_mm->brk) {
3556 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3557 } else if (!vma->vm_file &&
3558 ((vma->vm_start <= vma->vm_mm->start_stack &&
3559 vma->vm_end >= vma->vm_mm->start_stack) ||
3560 vma_is_stack_for_task(vma, current))) {
3561 rc = current_has_perm(current, PROCESS__EXECSTACK);
3562 } else if (vma->vm_file && vma->anon_vma) {
3563 /*
3564 * We are making executable a file mapping that has
3565 * had some COW done. Since pages might have been
3566 * written, check ability to execute the possibly
3567 * modified content. This typically should only
3568 * occur for text relocations.
3569 */
3570 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3571 }
3572 if (rc)
3573 return rc;
3574 }
3575
3576 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3577 }
3578
3579 static int selinux_file_lock(struct file *file, unsigned int cmd)
3580 {
3581 const struct cred *cred = current_cred();
3582
3583 return file_has_perm(cred, file, FILE__LOCK);
3584 }
3585
3586 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3587 unsigned long arg)
3588 {
3589 const struct cred *cred = current_cred();
3590 int err = 0;
3591
3592 switch (cmd) {
3593 case F_SETFL:
3594 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3595 err = file_has_perm(cred, file, FILE__WRITE);
3596 break;
3597 }
3598 /* fall through */
3599 case F_SETOWN:
3600 case F_SETSIG:
3601 case F_GETFL:
3602 case F_GETOWN:
3603 case F_GETSIG:
3604 case F_GETOWNER_UIDS:
3605 /* Just check FD__USE permission */
3606 err = file_has_perm(cred, file, 0);
3607 break;
3608 case F_GETLK:
3609 case F_SETLK:
3610 case F_SETLKW:
3611 case F_OFD_GETLK:
3612 case F_OFD_SETLK:
3613 case F_OFD_SETLKW:
3614 #if BITS_PER_LONG == 32
3615 case F_GETLK64:
3616 case F_SETLK64:
3617 case F_SETLKW64:
3618 #endif
3619 err = file_has_perm(cred, file, FILE__LOCK);
3620 break;
3621 }
3622
3623 return err;
3624 }
3625
3626 static void selinux_file_set_fowner(struct file *file)
3627 {
3628 struct file_security_struct *fsec;
3629
3630 fsec = file->f_security;
3631 fsec->fown_sid = current_sid();
3632 }
3633
3634 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3635 struct fown_struct *fown, int signum)
3636 {
3637 struct file *file;
3638 u32 sid = task_sid(tsk);
3639 u32 perm;
3640 struct file_security_struct *fsec;
3641
3642 /* struct fown_struct is never outside the context of a struct file */
3643 file = container_of(fown, struct file, f_owner);
3644
3645 fsec = file->f_security;
3646
3647 if (!signum)
3648 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3649 else
3650 perm = signal_to_av(signum);
3651
3652 return avc_has_perm(fsec->fown_sid, sid,
3653 SECCLASS_PROCESS, perm, NULL);
3654 }
3655
3656 static int selinux_file_receive(struct file *file)
3657 {
3658 const struct cred *cred = current_cred();
3659
3660 return file_has_perm(cred, file, file_to_av(file));
3661 }
3662
3663 static int selinux_file_open(struct file *file, const struct cred *cred)
3664 {
3665 struct file_security_struct *fsec;
3666 struct inode_security_struct *isec;
3667
3668 fsec = file->f_security;
3669 isec = inode_security(file_inode(file));
3670 /*
3671 * Save inode label and policy sequence number
3672 * at open-time so that selinux_file_permission
3673 * can determine whether revalidation is necessary.
3674 * Task label is already saved in the file security
3675 * struct as its SID.
3676 */
3677 fsec->isid = isec->sid;
3678 fsec->pseqno = avc_policy_seqno();
3679 /*
3680 * Since the inode label or policy seqno may have changed
3681 * between the selinux_inode_permission check and the saving
3682 * of state above, recheck that access is still permitted.
3683 * Otherwise, access might never be revalidated against the
3684 * new inode label or new policy.
3685 * This check is not redundant - do not remove.
3686 */
3687 return file_path_has_perm(cred, file, open_file_to_av(file));
3688 }
3689
3690 /* task security operations */
3691
3692 static int selinux_task_create(unsigned long clone_flags)
3693 {
3694 return current_has_perm(current, PROCESS__FORK);
3695 }
3696
3697 /*
3698 * allocate the SELinux part of blank credentials
3699 */
3700 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3701 {
3702 struct task_security_struct *tsec;
3703
3704 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3705 if (!tsec)
3706 return -ENOMEM;
3707
3708 cred->security = tsec;
3709 return 0;
3710 }
3711
3712 /*
3713 * detach and free the LSM part of a set of credentials
3714 */
3715 static void selinux_cred_free(struct cred *cred)
3716 {
3717 struct task_security_struct *tsec = cred->security;
3718
3719 /*
3720 * cred->security == NULL if security_cred_alloc_blank() or
3721 * security_prepare_creds() returned an error.
3722 */
3723 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3724 cred->security = (void *) 0x7UL;
3725 kfree(tsec);
3726 }
3727
3728 /*
3729 * prepare a new set of credentials for modification
3730 */
3731 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3732 gfp_t gfp)
3733 {
3734 const struct task_security_struct *old_tsec;
3735 struct task_security_struct *tsec;
3736
3737 old_tsec = old->security;
3738
3739 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3740 if (!tsec)
3741 return -ENOMEM;
3742
3743 new->security = tsec;
3744 return 0;
3745 }
3746
3747 /*
3748 * transfer the SELinux data to a blank set of creds
3749 */
3750 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3751 {
3752 const struct task_security_struct *old_tsec = old->security;
3753 struct task_security_struct *tsec = new->security;
3754
3755 *tsec = *old_tsec;
3756 }
3757
3758 /*
3759 * set the security data for a kernel service
3760 * - all the creation contexts are set to unlabelled
3761 */
3762 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3763 {
3764 struct task_security_struct *tsec = new->security;
3765 u32 sid = current_sid();
3766 int ret;
3767
3768 ret = avc_has_perm(sid, secid,
3769 SECCLASS_KERNEL_SERVICE,
3770 KERNEL_SERVICE__USE_AS_OVERRIDE,
3771 NULL);
3772 if (ret == 0) {
3773 tsec->sid = secid;
3774 tsec->create_sid = 0;
3775 tsec->keycreate_sid = 0;
3776 tsec->sockcreate_sid = 0;
3777 }
3778 return ret;
3779 }
3780
3781 /*
3782 * set the file creation context in a security record to the same as the
3783 * objective context of the specified inode
3784 */
3785 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3786 {
3787 struct inode_security_struct *isec = inode_security(inode);
3788 struct task_security_struct *tsec = new->security;
3789 u32 sid = current_sid();
3790 int ret;
3791
3792 ret = avc_has_perm(sid, isec->sid,
3793 SECCLASS_KERNEL_SERVICE,
3794 KERNEL_SERVICE__CREATE_FILES_AS,
3795 NULL);
3796
3797 if (ret == 0)
3798 tsec->create_sid = isec->sid;
3799 return ret;
3800 }
3801
3802 static int selinux_kernel_module_request(char *kmod_name)
3803 {
3804 u32 sid;
3805 struct common_audit_data ad;
3806
3807 sid = task_sid(current);
3808
3809 ad.type = LSM_AUDIT_DATA_KMOD;
3810 ad.u.kmod_name = kmod_name;
3811
3812 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3813 SYSTEM__MODULE_REQUEST, &ad);
3814 }
3815
3816 static int selinux_kernel_module_from_file(struct file *file)
3817 {
3818 struct common_audit_data ad;
3819 struct inode_security_struct *isec;
3820 struct file_security_struct *fsec;
3821 u32 sid = current_sid();
3822 int rc;
3823
3824 /* init_module */
3825 if (file == NULL)
3826 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3827 SYSTEM__MODULE_LOAD, NULL);
3828
3829 /* finit_module */
3830
3831 ad.type = LSM_AUDIT_DATA_FILE;
3832 ad.u.file = file;
3833
3834 fsec = file->f_security;
3835 if (sid != fsec->sid) {
3836 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3837 if (rc)
3838 return rc;
3839 }
3840
3841 isec = inode_security(file_inode(file));
3842 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3843 SYSTEM__MODULE_LOAD, &ad);
3844 }
3845
3846 static int selinux_kernel_read_file(struct file *file,
3847 enum kernel_read_file_id id)
3848 {
3849 int rc = 0;
3850
3851 switch (id) {
3852 case READING_MODULE:
3853 rc = selinux_kernel_module_from_file(file);
3854 break;
3855 default:
3856 break;
3857 }
3858
3859 return rc;
3860 }
3861
3862 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3863 {
3864 return current_has_perm(p, PROCESS__SETPGID);
3865 }
3866
3867 static int selinux_task_getpgid(struct task_struct *p)
3868 {
3869 return current_has_perm(p, PROCESS__GETPGID);
3870 }
3871
3872 static int selinux_task_getsid(struct task_struct *p)
3873 {
3874 return current_has_perm(p, PROCESS__GETSESSION);
3875 }
3876
3877 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3878 {
3879 *secid = task_sid(p);
3880 }
3881
3882 static int selinux_task_setnice(struct task_struct *p, int nice)
3883 {
3884 return current_has_perm(p, PROCESS__SETSCHED);
3885 }
3886
3887 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3888 {
3889 return current_has_perm(p, PROCESS__SETSCHED);
3890 }
3891
3892 static int selinux_task_getioprio(struct task_struct *p)
3893 {
3894 return current_has_perm(p, PROCESS__GETSCHED);
3895 }
3896
3897 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3898 struct rlimit *new_rlim)
3899 {
3900 struct rlimit *old_rlim = p->signal->rlim + resource;
3901
3902 /* Control the ability to change the hard limit (whether
3903 lowering or raising it), so that the hard limit can
3904 later be used as a safe reset point for the soft limit
3905 upon context transitions. See selinux_bprm_committing_creds. */
3906 if (old_rlim->rlim_max != new_rlim->rlim_max)
3907 return current_has_perm(p, PROCESS__SETRLIMIT);
3908
3909 return 0;
3910 }
3911
3912 static int selinux_task_setscheduler(struct task_struct *p)
3913 {
3914 return current_has_perm(p, PROCESS__SETSCHED);
3915 }
3916
3917 static int selinux_task_getscheduler(struct task_struct *p)
3918 {
3919 return current_has_perm(p, PROCESS__GETSCHED);
3920 }
3921
3922 static int selinux_task_movememory(struct task_struct *p)
3923 {
3924 return current_has_perm(p, PROCESS__SETSCHED);
3925 }
3926
3927 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3928 int sig, u32 secid)
3929 {
3930 u32 perm;
3931 int rc;
3932
3933 if (!sig)
3934 perm = PROCESS__SIGNULL; /* null signal; existence test */
3935 else
3936 perm = signal_to_av(sig);
3937 if (secid)
3938 rc = avc_has_perm(secid, task_sid(p),
3939 SECCLASS_PROCESS, perm, NULL);
3940 else
3941 rc = current_has_perm(p, perm);
3942 return rc;
3943 }
3944
3945 static int selinux_task_wait(struct task_struct *p)
3946 {
3947 return task_has_perm(p, current, PROCESS__SIGCHLD);
3948 }
3949
3950 static void selinux_task_to_inode(struct task_struct *p,
3951 struct inode *inode)
3952 {
3953 struct inode_security_struct *isec = inode->i_security;
3954 u32 sid = task_sid(p);
3955
3956 isec->sid = sid;
3957 isec->initialized = LABEL_INITIALIZED;
3958 }
3959
3960 /* Returns error only if unable to parse addresses */
3961 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3962 struct common_audit_data *ad, u8 *proto)
3963 {
3964 int offset, ihlen, ret = -EINVAL;
3965 struct iphdr _iph, *ih;
3966
3967 offset = skb_network_offset(skb);
3968 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3969 if (ih == NULL)
3970 goto out;
3971
3972 ihlen = ih->ihl * 4;
3973 if (ihlen < sizeof(_iph))
3974 goto out;
3975
3976 ad->u.net->v4info.saddr = ih->saddr;
3977 ad->u.net->v4info.daddr = ih->daddr;
3978 ret = 0;
3979
3980 if (proto)
3981 *proto = ih->protocol;
3982
3983 switch (ih->protocol) {
3984 case IPPROTO_TCP: {
3985 struct tcphdr _tcph, *th;
3986
3987 if (ntohs(ih->frag_off) & IP_OFFSET)
3988 break;
3989
3990 offset += ihlen;
3991 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3992 if (th == NULL)
3993 break;
3994
3995 ad->u.net->sport = th->source;
3996 ad->u.net->dport = th->dest;
3997 break;
3998 }
3999
4000 case IPPROTO_UDP: {
4001 struct udphdr _udph, *uh;
4002
4003 if (ntohs(ih->frag_off) & IP_OFFSET)
4004 break;
4005
4006 offset += ihlen;
4007 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4008 if (uh == NULL)
4009 break;
4010
4011 ad->u.net->sport = uh->source;
4012 ad->u.net->dport = uh->dest;
4013 break;
4014 }
4015
4016 case IPPROTO_DCCP: {
4017 struct dccp_hdr _dccph, *dh;
4018
4019 if (ntohs(ih->frag_off) & IP_OFFSET)
4020 break;
4021
4022 offset += ihlen;
4023 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4024 if (dh == NULL)
4025 break;
4026
4027 ad->u.net->sport = dh->dccph_sport;
4028 ad->u.net->dport = dh->dccph_dport;
4029 break;
4030 }
4031
4032 default:
4033 break;
4034 }
4035 out:
4036 return ret;
4037 }
4038
4039 #if IS_ENABLED(CONFIG_IPV6)
4040
4041 /* Returns error only if unable to parse addresses */
4042 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4043 struct common_audit_data *ad, u8 *proto)
4044 {
4045 u8 nexthdr;
4046 int ret = -EINVAL, offset;
4047 struct ipv6hdr _ipv6h, *ip6;
4048 __be16 frag_off;
4049
4050 offset = skb_network_offset(skb);
4051 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4052 if (ip6 == NULL)
4053 goto out;
4054
4055 ad->u.net->v6info.saddr = ip6->saddr;
4056 ad->u.net->v6info.daddr = ip6->daddr;
4057 ret = 0;
4058
4059 nexthdr = ip6->nexthdr;
4060 offset += sizeof(_ipv6h);
4061 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4062 if (offset < 0)
4063 goto out;
4064
4065 if (proto)
4066 *proto = nexthdr;
4067
4068 switch (nexthdr) {
4069 case IPPROTO_TCP: {
4070 struct tcphdr _tcph, *th;
4071
4072 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4073 if (th == NULL)
4074 break;
4075
4076 ad->u.net->sport = th->source;
4077 ad->u.net->dport = th->dest;
4078 break;
4079 }
4080
4081 case IPPROTO_UDP: {
4082 struct udphdr _udph, *uh;
4083
4084 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4085 if (uh == NULL)
4086 break;
4087
4088 ad->u.net->sport = uh->source;
4089 ad->u.net->dport = uh->dest;
4090 break;
4091 }
4092
4093 case IPPROTO_DCCP: {
4094 struct dccp_hdr _dccph, *dh;
4095
4096 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4097 if (dh == NULL)
4098 break;
4099
4100 ad->u.net->sport = dh->dccph_sport;
4101 ad->u.net->dport = dh->dccph_dport;
4102 break;
4103 }
4104
4105 /* includes fragments */
4106 default:
4107 break;
4108 }
4109 out:
4110 return ret;
4111 }
4112
4113 #endif /* IPV6 */
4114
4115 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4116 char **_addrp, int src, u8 *proto)
4117 {
4118 char *addrp;
4119 int ret;
4120
4121 switch (ad->u.net->family) {
4122 case PF_INET:
4123 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4124 if (ret)
4125 goto parse_error;
4126 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4127 &ad->u.net->v4info.daddr);
4128 goto okay;
4129
4130 #if IS_ENABLED(CONFIG_IPV6)
4131 case PF_INET6:
4132 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4133 if (ret)
4134 goto parse_error;
4135 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4136 &ad->u.net->v6info.daddr);
4137 goto okay;
4138 #endif /* IPV6 */
4139 default:
4140 addrp = NULL;
4141 goto okay;
4142 }
4143
4144 parse_error:
4145 printk(KERN_WARNING
4146 "SELinux: failure in selinux_parse_skb(),"
4147 " unable to parse packet\n");
4148 return ret;
4149
4150 okay:
4151 if (_addrp)
4152 *_addrp = addrp;
4153 return 0;
4154 }
4155
4156 /**
4157 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4158 * @skb: the packet
4159 * @family: protocol family
4160 * @sid: the packet's peer label SID
4161 *
4162 * Description:
4163 * Check the various different forms of network peer labeling and determine
4164 * the peer label/SID for the packet; most of the magic actually occurs in
4165 * the security server function security_net_peersid_cmp(). The function
4166 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4167 * or -EACCES if @sid is invalid due to inconsistencies with the different
4168 * peer labels.
4169 *
4170 */
4171 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4172 {
4173 int err;
4174 u32 xfrm_sid;
4175 u32 nlbl_sid;
4176 u32 nlbl_type;
4177
4178 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4179 if (unlikely(err))
4180 return -EACCES;
4181 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4182 if (unlikely(err))
4183 return -EACCES;
4184
4185 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4186 if (unlikely(err)) {
4187 printk(KERN_WARNING
4188 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4189 " unable to determine packet's peer label\n");
4190 return -EACCES;
4191 }
4192
4193 return 0;
4194 }
4195
4196 /**
4197 * selinux_conn_sid - Determine the child socket label for a connection
4198 * @sk_sid: the parent socket's SID
4199 * @skb_sid: the packet's SID
4200 * @conn_sid: the resulting connection SID
4201 *
4202 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4203 * combined with the MLS information from @skb_sid in order to create
4204 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4205 * of @sk_sid. Returns zero on success, negative values on failure.
4206 *
4207 */
4208 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4209 {
4210 int err = 0;
4211
4212 if (skb_sid != SECSID_NULL)
4213 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4214 else
4215 *conn_sid = sk_sid;
4216
4217 return err;
4218 }
4219
4220 /* socket security operations */
4221
4222 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4223 u16 secclass, u32 *socksid)
4224 {
4225 if (tsec->sockcreate_sid > SECSID_NULL) {
4226 *socksid = tsec->sockcreate_sid;
4227 return 0;
4228 }
4229
4230 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4231 socksid);
4232 }
4233
4234 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4235 {
4236 struct sk_security_struct *sksec = sk->sk_security;
4237 struct common_audit_data ad;
4238 struct lsm_network_audit net = {0,};
4239 u32 tsid = task_sid(task);
4240
4241 if (sksec->sid == SECINITSID_KERNEL)
4242 return 0;
4243
4244 ad.type = LSM_AUDIT_DATA_NET;
4245 ad.u.net = &net;
4246 ad.u.net->sk = sk;
4247
4248 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4249 }
4250
4251 static int selinux_socket_create(int family, int type,
4252 int protocol, int kern)
4253 {
4254 const struct task_security_struct *tsec = current_security();
4255 u32 newsid;
4256 u16 secclass;
4257 int rc;
4258
4259 if (kern)
4260 return 0;
4261
4262 secclass = socket_type_to_security_class(family, type, protocol);
4263 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4264 if (rc)
4265 return rc;
4266
4267 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4268 }
4269
4270 static int selinux_socket_post_create(struct socket *sock, int family,
4271 int type, int protocol, int kern)
4272 {
4273 const struct task_security_struct *tsec = current_security();
4274 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4275 struct sk_security_struct *sksec;
4276 int err = 0;
4277
4278 isec->sclass = socket_type_to_security_class(family, type, protocol);
4279
4280 if (kern)
4281 isec->sid = SECINITSID_KERNEL;
4282 else {
4283 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4284 if (err)
4285 return err;
4286 }
4287
4288 isec->initialized = LABEL_INITIALIZED;
4289
4290 if (sock->sk) {
4291 sksec = sock->sk->sk_security;
4292 sksec->sid = isec->sid;
4293 sksec->sclass = isec->sclass;
4294 err = selinux_netlbl_socket_post_create(sock->sk, family);
4295 }
4296
4297 return err;
4298 }
4299
4300 /* Range of port numbers used to automatically bind.
4301 Need to determine whether we should perform a name_bind
4302 permission check between the socket and the port number. */
4303
4304 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4305 {
4306 struct sock *sk = sock->sk;
4307 u16 family;
4308 int err;
4309
4310 err = sock_has_perm(current, sk, SOCKET__BIND);
4311 if (err)
4312 goto out;
4313
4314 /*
4315 * If PF_INET or PF_INET6, check name_bind permission for the port.
4316 * Multiple address binding for SCTP is not supported yet: we just
4317 * check the first address now.
4318 */
4319 family = sk->sk_family;
4320 if (family == PF_INET || family == PF_INET6) {
4321 char *addrp;
4322 struct sk_security_struct *sksec = sk->sk_security;
4323 struct common_audit_data ad;
4324 struct lsm_network_audit net = {0,};
4325 struct sockaddr_in *addr4 = NULL;
4326 struct sockaddr_in6 *addr6 = NULL;
4327 unsigned short snum;
4328 u32 sid, node_perm;
4329
4330 if (family == PF_INET) {
4331 addr4 = (struct sockaddr_in *)address;
4332 snum = ntohs(addr4->sin_port);
4333 addrp = (char *)&addr4->sin_addr.s_addr;
4334 } else {
4335 addr6 = (struct sockaddr_in6 *)address;
4336 snum = ntohs(addr6->sin6_port);
4337 addrp = (char *)&addr6->sin6_addr.s6_addr;
4338 }
4339
4340 if (snum) {
4341 int low, high;
4342
4343 inet_get_local_port_range(sock_net(sk), &low, &high);
4344
4345 if (snum < max(PROT_SOCK, low) || snum > high) {
4346 err = sel_netport_sid(sk->sk_protocol,
4347 snum, &sid);
4348 if (err)
4349 goto out;
4350 ad.type = LSM_AUDIT_DATA_NET;
4351 ad.u.net = &net;
4352 ad.u.net->sport = htons(snum);
4353 ad.u.net->family = family;
4354 err = avc_has_perm(sksec->sid, sid,
4355 sksec->sclass,
4356 SOCKET__NAME_BIND, &ad);
4357 if (err)
4358 goto out;
4359 }
4360 }
4361
4362 switch (sksec->sclass) {
4363 case SECCLASS_TCP_SOCKET:
4364 node_perm = TCP_SOCKET__NODE_BIND;
4365 break;
4366
4367 case SECCLASS_UDP_SOCKET:
4368 node_perm = UDP_SOCKET__NODE_BIND;
4369 break;
4370
4371 case SECCLASS_DCCP_SOCKET:
4372 node_perm = DCCP_SOCKET__NODE_BIND;
4373 break;
4374
4375 default:
4376 node_perm = RAWIP_SOCKET__NODE_BIND;
4377 break;
4378 }
4379
4380 err = sel_netnode_sid(addrp, family, &sid);
4381 if (err)
4382 goto out;
4383
4384 ad.type = LSM_AUDIT_DATA_NET;
4385 ad.u.net = &net;
4386 ad.u.net->sport = htons(snum);
4387 ad.u.net->family = family;
4388
4389 if (family == PF_INET)
4390 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4391 else
4392 ad.u.net->v6info.saddr = addr6->sin6_addr;
4393
4394 err = avc_has_perm(sksec->sid, sid,
4395 sksec->sclass, node_perm, &ad);
4396 if (err)
4397 goto out;
4398 }
4399 out:
4400 return err;
4401 }
4402
4403 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4404 {
4405 struct sock *sk = sock->sk;
4406 struct sk_security_struct *sksec = sk->sk_security;
4407 int err;
4408
4409 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4410 if (err)
4411 return err;
4412
4413 /*
4414 * If a TCP or DCCP socket, check name_connect permission for the port.
4415 */
4416 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4417 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4418 struct common_audit_data ad;
4419 struct lsm_network_audit net = {0,};
4420 struct sockaddr_in *addr4 = NULL;
4421 struct sockaddr_in6 *addr6 = NULL;
4422 unsigned short snum;
4423 u32 sid, perm;
4424
4425 if (sk->sk_family == PF_INET) {
4426 addr4 = (struct sockaddr_in *)address;
4427 if (addrlen < sizeof(struct sockaddr_in))
4428 return -EINVAL;
4429 snum = ntohs(addr4->sin_port);
4430 } else {
4431 addr6 = (struct sockaddr_in6 *)address;
4432 if (addrlen < SIN6_LEN_RFC2133)
4433 return -EINVAL;
4434 snum = ntohs(addr6->sin6_port);
4435 }
4436
4437 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4438 if (err)
4439 goto out;
4440
4441 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4442 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4443
4444 ad.type = LSM_AUDIT_DATA_NET;
4445 ad.u.net = &net;
4446 ad.u.net->dport = htons(snum);
4447 ad.u.net->family = sk->sk_family;
4448 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4449 if (err)
4450 goto out;
4451 }
4452
4453 err = selinux_netlbl_socket_connect(sk, address);
4454
4455 out:
4456 return err;
4457 }
4458
4459 static int selinux_socket_listen(struct socket *sock, int backlog)
4460 {
4461 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4462 }
4463
4464 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4465 {
4466 int err;
4467 struct inode_security_struct *isec;
4468 struct inode_security_struct *newisec;
4469
4470 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4471 if (err)
4472 return err;
4473
4474 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4475
4476 isec = inode_security_novalidate(SOCK_INODE(sock));
4477 newisec->sclass = isec->sclass;
4478 newisec->sid = isec->sid;
4479 newisec->initialized = LABEL_INITIALIZED;
4480
4481 return 0;
4482 }
4483
4484 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4485 int size)
4486 {
4487 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4488 }
4489
4490 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4491 int size, int flags)
4492 {
4493 return sock_has_perm(current, sock->sk, SOCKET__READ);
4494 }
4495
4496 static int selinux_socket_getsockname(struct socket *sock)
4497 {
4498 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4499 }
4500
4501 static int selinux_socket_getpeername(struct socket *sock)
4502 {
4503 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4504 }
4505
4506 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4507 {
4508 int err;
4509
4510 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4511 if (err)
4512 return err;
4513
4514 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4515 }
4516
4517 static int selinux_socket_getsockopt(struct socket *sock, int level,
4518 int optname)
4519 {
4520 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4521 }
4522
4523 static int selinux_socket_shutdown(struct socket *sock, int how)
4524 {
4525 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4526 }
4527
4528 static int selinux_socket_unix_stream_connect(struct sock *sock,
4529 struct sock *other,
4530 struct sock *newsk)
4531 {
4532 struct sk_security_struct *sksec_sock = sock->sk_security;
4533 struct sk_security_struct *sksec_other = other->sk_security;
4534 struct sk_security_struct *sksec_new = newsk->sk_security;
4535 struct common_audit_data ad;
4536 struct lsm_network_audit net = {0,};
4537 int err;
4538
4539 ad.type = LSM_AUDIT_DATA_NET;
4540 ad.u.net = &net;
4541 ad.u.net->sk = other;
4542
4543 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4544 sksec_other->sclass,
4545 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4546 if (err)
4547 return err;
4548
4549 /* server child socket */
4550 sksec_new->peer_sid = sksec_sock->sid;
4551 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4552 &sksec_new->sid);
4553 if (err)
4554 return err;
4555
4556 /* connecting socket */
4557 sksec_sock->peer_sid = sksec_new->sid;
4558
4559 return 0;
4560 }
4561
4562 static int selinux_socket_unix_may_send(struct socket *sock,
4563 struct socket *other)
4564 {
4565 struct sk_security_struct *ssec = sock->sk->sk_security;
4566 struct sk_security_struct *osec = other->sk->sk_security;
4567 struct common_audit_data ad;
4568 struct lsm_network_audit net = {0,};
4569
4570 ad.type = LSM_AUDIT_DATA_NET;
4571 ad.u.net = &net;
4572 ad.u.net->sk = other->sk;
4573
4574 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4575 &ad);
4576 }
4577
4578 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4579 char *addrp, u16 family, u32 peer_sid,
4580 struct common_audit_data *ad)
4581 {
4582 int err;
4583 u32 if_sid;
4584 u32 node_sid;
4585
4586 err = sel_netif_sid(ns, ifindex, &if_sid);
4587 if (err)
4588 return err;
4589 err = avc_has_perm(peer_sid, if_sid,
4590 SECCLASS_NETIF, NETIF__INGRESS, ad);
4591 if (err)
4592 return err;
4593
4594 err = sel_netnode_sid(addrp, family, &node_sid);
4595 if (err)
4596 return err;
4597 return avc_has_perm(peer_sid, node_sid,
4598 SECCLASS_NODE, NODE__RECVFROM, ad);
4599 }
4600
4601 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4602 u16 family)
4603 {
4604 int err = 0;
4605 struct sk_security_struct *sksec = sk->sk_security;
4606 u32 sk_sid = sksec->sid;
4607 struct common_audit_data ad;
4608 struct lsm_network_audit net = {0,};
4609 char *addrp;
4610
4611 ad.type = LSM_AUDIT_DATA_NET;
4612 ad.u.net = &net;
4613 ad.u.net->netif = skb->skb_iif;
4614 ad.u.net->family = family;
4615 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4616 if (err)
4617 return err;
4618
4619 if (selinux_secmark_enabled()) {
4620 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4621 PACKET__RECV, &ad);
4622 if (err)
4623 return err;
4624 }
4625
4626 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4627 if (err)
4628 return err;
4629 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4630
4631 return err;
4632 }
4633
4634 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4635 {
4636 int err;
4637 struct sk_security_struct *sksec = sk->sk_security;
4638 u16 family = sk->sk_family;
4639 u32 sk_sid = sksec->sid;
4640 struct common_audit_data ad;
4641 struct lsm_network_audit net = {0,};
4642 char *addrp;
4643 u8 secmark_active;
4644 u8 peerlbl_active;
4645
4646 if (family != PF_INET && family != PF_INET6)
4647 return 0;
4648
4649 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4650 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4651 family = PF_INET;
4652
4653 /* If any sort of compatibility mode is enabled then handoff processing
4654 * to the selinux_sock_rcv_skb_compat() function to deal with the
4655 * special handling. We do this in an attempt to keep this function
4656 * as fast and as clean as possible. */
4657 if (!selinux_policycap_netpeer)
4658 return selinux_sock_rcv_skb_compat(sk, skb, family);
4659
4660 secmark_active = selinux_secmark_enabled();
4661 peerlbl_active = selinux_peerlbl_enabled();
4662 if (!secmark_active && !peerlbl_active)
4663 return 0;
4664
4665 ad.type = LSM_AUDIT_DATA_NET;
4666 ad.u.net = &net;
4667 ad.u.net->netif = skb->skb_iif;
4668 ad.u.net->family = family;
4669 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4670 if (err)
4671 return err;
4672
4673 if (peerlbl_active) {
4674 u32 peer_sid;
4675
4676 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4677 if (err)
4678 return err;
4679 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4680 addrp, family, peer_sid, &ad);
4681 if (err) {
4682 selinux_netlbl_err(skb, family, err, 0);
4683 return err;
4684 }
4685 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4686 PEER__RECV, &ad);
4687 if (err) {
4688 selinux_netlbl_err(skb, family, err, 0);
4689 return err;
4690 }
4691 }
4692
4693 if (secmark_active) {
4694 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4695 PACKET__RECV, &ad);
4696 if (err)
4697 return err;
4698 }
4699
4700 return err;
4701 }
4702
4703 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4704 int __user *optlen, unsigned len)
4705 {
4706 int err = 0;
4707 char *scontext;
4708 u32 scontext_len;
4709 struct sk_security_struct *sksec = sock->sk->sk_security;
4710 u32 peer_sid = SECSID_NULL;
4711
4712 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4713 sksec->sclass == SECCLASS_TCP_SOCKET)
4714 peer_sid = sksec->peer_sid;
4715 if (peer_sid == SECSID_NULL)
4716 return -ENOPROTOOPT;
4717
4718 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4719 if (err)
4720 return err;
4721
4722 if (scontext_len > len) {
4723 err = -ERANGE;
4724 goto out_len;
4725 }
4726
4727 if (copy_to_user(optval, scontext, scontext_len))
4728 err = -EFAULT;
4729
4730 out_len:
4731 if (put_user(scontext_len, optlen))
4732 err = -EFAULT;
4733 kfree(scontext);
4734 return err;
4735 }
4736
4737 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4738 {
4739 u32 peer_secid = SECSID_NULL;
4740 u16 family;
4741 struct inode_security_struct *isec;
4742
4743 if (skb && skb->protocol == htons(ETH_P_IP))
4744 family = PF_INET;
4745 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4746 family = PF_INET6;
4747 else if (sock)
4748 family = sock->sk->sk_family;
4749 else
4750 goto out;
4751
4752 if (sock && family == PF_UNIX) {
4753 isec = inode_security_novalidate(SOCK_INODE(sock));
4754 peer_secid = isec->sid;
4755 } else if (skb)
4756 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4757
4758 out:
4759 *secid = peer_secid;
4760 if (peer_secid == SECSID_NULL)
4761 return -EINVAL;
4762 return 0;
4763 }
4764
4765 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4766 {
4767 struct sk_security_struct *sksec;
4768
4769 sksec = kzalloc(sizeof(*sksec), priority);
4770 if (!sksec)
4771 return -ENOMEM;
4772
4773 sksec->peer_sid = SECINITSID_UNLABELED;
4774 sksec->sid = SECINITSID_UNLABELED;
4775 sksec->sclass = SECCLASS_SOCKET;
4776 selinux_netlbl_sk_security_reset(sksec);
4777 sk->sk_security = sksec;
4778
4779 return 0;
4780 }
4781
4782 static void selinux_sk_free_security(struct sock *sk)
4783 {
4784 struct sk_security_struct *sksec = sk->sk_security;
4785
4786 sk->sk_security = NULL;
4787 selinux_netlbl_sk_security_free(sksec);
4788 kfree(sksec);
4789 }
4790
4791 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4792 {
4793 struct sk_security_struct *sksec = sk->sk_security;
4794 struct sk_security_struct *newsksec = newsk->sk_security;
4795
4796 newsksec->sid = sksec->sid;
4797 newsksec->peer_sid = sksec->peer_sid;
4798 newsksec->sclass = sksec->sclass;
4799
4800 selinux_netlbl_sk_security_reset(newsksec);
4801 }
4802
4803 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4804 {
4805 if (!sk)
4806 *secid = SECINITSID_ANY_SOCKET;
4807 else {
4808 struct sk_security_struct *sksec = sk->sk_security;
4809
4810 *secid = sksec->sid;
4811 }
4812 }
4813
4814 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4815 {
4816 struct inode_security_struct *isec =
4817 inode_security_novalidate(SOCK_INODE(parent));
4818 struct sk_security_struct *sksec = sk->sk_security;
4819
4820 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4821 sk->sk_family == PF_UNIX)
4822 isec->sid = sksec->sid;
4823 sksec->sclass = isec->sclass;
4824 }
4825
4826 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4827 struct request_sock *req)
4828 {
4829 struct sk_security_struct *sksec = sk->sk_security;
4830 int err;
4831 u16 family = req->rsk_ops->family;
4832 u32 connsid;
4833 u32 peersid;
4834
4835 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4836 if (err)
4837 return err;
4838 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4839 if (err)
4840 return err;
4841 req->secid = connsid;
4842 req->peer_secid = peersid;
4843
4844 return selinux_netlbl_inet_conn_request(req, family);
4845 }
4846
4847 static void selinux_inet_csk_clone(struct sock *newsk,
4848 const struct request_sock *req)
4849 {
4850 struct sk_security_struct *newsksec = newsk->sk_security;
4851
4852 newsksec->sid = req->secid;
4853 newsksec->peer_sid = req->peer_secid;
4854 /* NOTE: Ideally, we should also get the isec->sid for the
4855 new socket in sync, but we don't have the isec available yet.
4856 So we will wait until sock_graft to do it, by which
4857 time it will have been created and available. */
4858
4859 /* We don't need to take any sort of lock here as we are the only
4860 * thread with access to newsksec */
4861 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4862 }
4863
4864 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4865 {
4866 u16 family = sk->sk_family;
4867 struct sk_security_struct *sksec = sk->sk_security;
4868
4869 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4870 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4871 family = PF_INET;
4872
4873 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4874 }
4875
4876 static int selinux_secmark_relabel_packet(u32 sid)
4877 {
4878 const struct task_security_struct *__tsec;
4879 u32 tsid;
4880
4881 __tsec = current_security();
4882 tsid = __tsec->sid;
4883
4884 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4885 }
4886
4887 static void selinux_secmark_refcount_inc(void)
4888 {
4889 atomic_inc(&selinux_secmark_refcount);
4890 }
4891
4892 static void selinux_secmark_refcount_dec(void)
4893 {
4894 atomic_dec(&selinux_secmark_refcount);
4895 }
4896
4897 static void selinux_req_classify_flow(const struct request_sock *req,
4898 struct flowi *fl)
4899 {
4900 fl->flowi_secid = req->secid;
4901 }
4902
4903 static int selinux_tun_dev_alloc_security(void **security)
4904 {
4905 struct tun_security_struct *tunsec;
4906
4907 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4908 if (!tunsec)
4909 return -ENOMEM;
4910 tunsec->sid = current_sid();
4911
4912 *security = tunsec;
4913 return 0;
4914 }
4915
4916 static void selinux_tun_dev_free_security(void *security)
4917 {
4918 kfree(security);
4919 }
4920
4921 static int selinux_tun_dev_create(void)
4922 {
4923 u32 sid = current_sid();
4924
4925 /* we aren't taking into account the "sockcreate" SID since the socket
4926 * that is being created here is not a socket in the traditional sense,
4927 * instead it is a private sock, accessible only to the kernel, and
4928 * representing a wide range of network traffic spanning multiple
4929 * connections unlike traditional sockets - check the TUN driver to
4930 * get a better understanding of why this socket is special */
4931
4932 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4933 NULL);
4934 }
4935
4936 static int selinux_tun_dev_attach_queue(void *security)
4937 {
4938 struct tun_security_struct *tunsec = security;
4939
4940 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4941 TUN_SOCKET__ATTACH_QUEUE, NULL);
4942 }
4943
4944 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4945 {
4946 struct tun_security_struct *tunsec = security;
4947 struct sk_security_struct *sksec = sk->sk_security;
4948
4949 /* we don't currently perform any NetLabel based labeling here and it
4950 * isn't clear that we would want to do so anyway; while we could apply
4951 * labeling without the support of the TUN user the resulting labeled
4952 * traffic from the other end of the connection would almost certainly
4953 * cause confusion to the TUN user that had no idea network labeling
4954 * protocols were being used */
4955
4956 sksec->sid = tunsec->sid;
4957 sksec->sclass = SECCLASS_TUN_SOCKET;
4958
4959 return 0;
4960 }
4961
4962 static int selinux_tun_dev_open(void *security)
4963 {
4964 struct tun_security_struct *tunsec = security;
4965 u32 sid = current_sid();
4966 int err;
4967
4968 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4969 TUN_SOCKET__RELABELFROM, NULL);
4970 if (err)
4971 return err;
4972 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4973 TUN_SOCKET__RELABELTO, NULL);
4974 if (err)
4975 return err;
4976 tunsec->sid = sid;
4977
4978 return 0;
4979 }
4980
4981 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4982 {
4983 int err = 0;
4984 u32 perm;
4985 struct nlmsghdr *nlh;
4986 struct sk_security_struct *sksec = sk->sk_security;
4987
4988 if (skb->len < NLMSG_HDRLEN) {
4989 err = -EINVAL;
4990 goto out;
4991 }
4992 nlh = nlmsg_hdr(skb);
4993
4994 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4995 if (err) {
4996 if (err == -EINVAL) {
4997 pr_warn_ratelimited("SELinux: unrecognized netlink"
4998 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
4999 " pig=%d comm=%s\n",
5000 sk->sk_protocol, nlh->nlmsg_type,
5001 secclass_map[sksec->sclass - 1].name,
5002 task_pid_nr(current), current->comm);
5003 if (!selinux_enforcing || security_get_allow_unknown())
5004 err = 0;
5005 }
5006
5007 /* Ignore */
5008 if (err == -ENOENT)
5009 err = 0;
5010 goto out;
5011 }
5012
5013 err = sock_has_perm(current, sk, perm);
5014 out:
5015 return err;
5016 }
5017
5018 #ifdef CONFIG_NETFILTER
5019
5020 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5021 const struct net_device *indev,
5022 u16 family)
5023 {
5024 int err;
5025 char *addrp;
5026 u32 peer_sid;
5027 struct common_audit_data ad;
5028 struct lsm_network_audit net = {0,};
5029 u8 secmark_active;
5030 u8 netlbl_active;
5031 u8 peerlbl_active;
5032
5033 if (!selinux_policycap_netpeer)
5034 return NF_ACCEPT;
5035
5036 secmark_active = selinux_secmark_enabled();
5037 netlbl_active = netlbl_enabled();
5038 peerlbl_active = selinux_peerlbl_enabled();
5039 if (!secmark_active && !peerlbl_active)
5040 return NF_ACCEPT;
5041
5042 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5043 return NF_DROP;
5044
5045 ad.type = LSM_AUDIT_DATA_NET;
5046 ad.u.net = &net;
5047 ad.u.net->netif = indev->ifindex;
5048 ad.u.net->family = family;
5049 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5050 return NF_DROP;
5051
5052 if (peerlbl_active) {
5053 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5054 addrp, family, peer_sid, &ad);
5055 if (err) {
5056 selinux_netlbl_err(skb, family, err, 1);
5057 return NF_DROP;
5058 }
5059 }
5060
5061 if (secmark_active)
5062 if (avc_has_perm(peer_sid, skb->secmark,
5063 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5064 return NF_DROP;
5065
5066 if (netlbl_active)
5067 /* we do this in the FORWARD path and not the POST_ROUTING
5068 * path because we want to make sure we apply the necessary
5069 * labeling before IPsec is applied so we can leverage AH
5070 * protection */
5071 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5072 return NF_DROP;
5073
5074 return NF_ACCEPT;
5075 }
5076
5077 static unsigned int selinux_ipv4_forward(void *priv,
5078 struct sk_buff *skb,
5079 const struct nf_hook_state *state)
5080 {
5081 return selinux_ip_forward(skb, state->in, PF_INET);
5082 }
5083
5084 #if IS_ENABLED(CONFIG_IPV6)
5085 static unsigned int selinux_ipv6_forward(void *priv,
5086 struct sk_buff *skb,
5087 const struct nf_hook_state *state)
5088 {
5089 return selinux_ip_forward(skb, state->in, PF_INET6);
5090 }
5091 #endif /* IPV6 */
5092
5093 static unsigned int selinux_ip_output(struct sk_buff *skb,
5094 u16 family)
5095 {
5096 struct sock *sk;
5097 u32 sid;
5098
5099 if (!netlbl_enabled())
5100 return NF_ACCEPT;
5101
5102 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5103 * because we want to make sure we apply the necessary labeling
5104 * before IPsec is applied so we can leverage AH protection */
5105 sk = skb->sk;
5106 if (sk) {
5107 struct sk_security_struct *sksec;
5108
5109 if (sk_listener(sk))
5110 /* if the socket is the listening state then this
5111 * packet is a SYN-ACK packet which means it needs to
5112 * be labeled based on the connection/request_sock and
5113 * not the parent socket. unfortunately, we can't
5114 * lookup the request_sock yet as it isn't queued on
5115 * the parent socket until after the SYN-ACK is sent.
5116 * the "solution" is to simply pass the packet as-is
5117 * as any IP option based labeling should be copied
5118 * from the initial connection request (in the IP
5119 * layer). it is far from ideal, but until we get a
5120 * security label in the packet itself this is the
5121 * best we can do. */
5122 return NF_ACCEPT;
5123
5124 /* standard practice, label using the parent socket */
5125 sksec = sk->sk_security;
5126 sid = sksec->sid;
5127 } else
5128 sid = SECINITSID_KERNEL;
5129 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5130 return NF_DROP;
5131
5132 return NF_ACCEPT;
5133 }
5134
5135 static unsigned int selinux_ipv4_output(void *priv,
5136 struct sk_buff *skb,
5137 const struct nf_hook_state *state)
5138 {
5139 return selinux_ip_output(skb, PF_INET);
5140 }
5141
5142 #if IS_ENABLED(CONFIG_IPV6)
5143 static unsigned int selinux_ipv6_output(void *priv,
5144 struct sk_buff *skb,
5145 const struct nf_hook_state *state)
5146 {
5147 return selinux_ip_output(skb, PF_INET6);
5148 }
5149 #endif /* IPV6 */
5150
5151 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5152 int ifindex,
5153 u16 family)
5154 {
5155 struct sock *sk = skb_to_full_sk(skb);
5156 struct sk_security_struct *sksec;
5157 struct common_audit_data ad;
5158 struct lsm_network_audit net = {0,};
5159 char *addrp;
5160 u8 proto;
5161
5162 if (sk == NULL)
5163 return NF_ACCEPT;
5164 sksec = sk->sk_security;
5165
5166 ad.type = LSM_AUDIT_DATA_NET;
5167 ad.u.net = &net;
5168 ad.u.net->netif = ifindex;
5169 ad.u.net->family = family;
5170 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5171 return NF_DROP;
5172
5173 if (selinux_secmark_enabled())
5174 if (avc_has_perm(sksec->sid, skb->secmark,
5175 SECCLASS_PACKET, PACKET__SEND, &ad))
5176 return NF_DROP_ERR(-ECONNREFUSED);
5177
5178 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5179 return NF_DROP_ERR(-ECONNREFUSED);
5180
5181 return NF_ACCEPT;
5182 }
5183
5184 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5185 const struct net_device *outdev,
5186 u16 family)
5187 {
5188 u32 secmark_perm;
5189 u32 peer_sid;
5190 int ifindex = outdev->ifindex;
5191 struct sock *sk;
5192 struct common_audit_data ad;
5193 struct lsm_network_audit net = {0,};
5194 char *addrp;
5195 u8 secmark_active;
5196 u8 peerlbl_active;
5197
5198 /* If any sort of compatibility mode is enabled then handoff processing
5199 * to the selinux_ip_postroute_compat() function to deal with the
5200 * special handling. We do this in an attempt to keep this function
5201 * as fast and as clean as possible. */
5202 if (!selinux_policycap_netpeer)
5203 return selinux_ip_postroute_compat(skb, ifindex, family);
5204
5205 secmark_active = selinux_secmark_enabled();
5206 peerlbl_active = selinux_peerlbl_enabled();
5207 if (!secmark_active && !peerlbl_active)
5208 return NF_ACCEPT;
5209
5210 sk = skb_to_full_sk(skb);
5211
5212 #ifdef CONFIG_XFRM
5213 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5214 * packet transformation so allow the packet to pass without any checks
5215 * since we'll have another chance to perform access control checks
5216 * when the packet is on it's final way out.
5217 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5218 * is NULL, in this case go ahead and apply access control.
5219 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5220 * TCP listening state we cannot wait until the XFRM processing
5221 * is done as we will miss out on the SA label if we do;
5222 * unfortunately, this means more work, but it is only once per
5223 * connection. */
5224 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5225 !(sk && sk_listener(sk)))
5226 return NF_ACCEPT;
5227 #endif
5228
5229 if (sk == NULL) {
5230 /* Without an associated socket the packet is either coming
5231 * from the kernel or it is being forwarded; check the packet
5232 * to determine which and if the packet is being forwarded
5233 * query the packet directly to determine the security label. */
5234 if (skb->skb_iif) {
5235 secmark_perm = PACKET__FORWARD_OUT;
5236 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5237 return NF_DROP;
5238 } else {
5239 secmark_perm = PACKET__SEND;
5240 peer_sid = SECINITSID_KERNEL;
5241 }
5242 } else if (sk_listener(sk)) {
5243 /* Locally generated packet but the associated socket is in the
5244 * listening state which means this is a SYN-ACK packet. In
5245 * this particular case the correct security label is assigned
5246 * to the connection/request_sock but unfortunately we can't
5247 * query the request_sock as it isn't queued on the parent
5248 * socket until after the SYN-ACK packet is sent; the only
5249 * viable choice is to regenerate the label like we do in
5250 * selinux_inet_conn_request(). See also selinux_ip_output()
5251 * for similar problems. */
5252 u32 skb_sid;
5253 struct sk_security_struct *sksec;
5254
5255 sksec = sk->sk_security;
5256 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5257 return NF_DROP;
5258 /* At this point, if the returned skb peerlbl is SECSID_NULL
5259 * and the packet has been through at least one XFRM
5260 * transformation then we must be dealing with the "final"
5261 * form of labeled IPsec packet; since we've already applied
5262 * all of our access controls on this packet we can safely
5263 * pass the packet. */
5264 if (skb_sid == SECSID_NULL) {
5265 switch (family) {
5266 case PF_INET:
5267 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5268 return NF_ACCEPT;
5269 break;
5270 case PF_INET6:
5271 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5272 return NF_ACCEPT;
5273 break;
5274 default:
5275 return NF_DROP_ERR(-ECONNREFUSED);
5276 }
5277 }
5278 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5279 return NF_DROP;
5280 secmark_perm = PACKET__SEND;
5281 } else {
5282 /* Locally generated packet, fetch the security label from the
5283 * associated socket. */
5284 struct sk_security_struct *sksec = sk->sk_security;
5285 peer_sid = sksec->sid;
5286 secmark_perm = PACKET__SEND;
5287 }
5288
5289 ad.type = LSM_AUDIT_DATA_NET;
5290 ad.u.net = &net;
5291 ad.u.net->netif = ifindex;
5292 ad.u.net->family = family;
5293 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5294 return NF_DROP;
5295
5296 if (secmark_active)
5297 if (avc_has_perm(peer_sid, skb->secmark,
5298 SECCLASS_PACKET, secmark_perm, &ad))
5299 return NF_DROP_ERR(-ECONNREFUSED);
5300
5301 if (peerlbl_active) {
5302 u32 if_sid;
5303 u32 node_sid;
5304
5305 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5306 return NF_DROP;
5307 if (avc_has_perm(peer_sid, if_sid,
5308 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5309 return NF_DROP_ERR(-ECONNREFUSED);
5310
5311 if (sel_netnode_sid(addrp, family, &node_sid))
5312 return NF_DROP;
5313 if (avc_has_perm(peer_sid, node_sid,
5314 SECCLASS_NODE, NODE__SENDTO, &ad))
5315 return NF_DROP_ERR(-ECONNREFUSED);
5316 }
5317
5318 return NF_ACCEPT;
5319 }
5320
5321 static unsigned int selinux_ipv4_postroute(void *priv,
5322 struct sk_buff *skb,
5323 const struct nf_hook_state *state)
5324 {
5325 return selinux_ip_postroute(skb, state->out, PF_INET);
5326 }
5327
5328 #if IS_ENABLED(CONFIG_IPV6)
5329 static unsigned int selinux_ipv6_postroute(void *priv,
5330 struct sk_buff *skb,
5331 const struct nf_hook_state *state)
5332 {
5333 return selinux_ip_postroute(skb, state->out, PF_INET6);
5334 }
5335 #endif /* IPV6 */
5336
5337 #endif /* CONFIG_NETFILTER */
5338
5339 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5340 {
5341 return selinux_nlmsg_perm(sk, skb);
5342 }
5343
5344 static int ipc_alloc_security(struct task_struct *task,
5345 struct kern_ipc_perm *perm,
5346 u16 sclass)
5347 {
5348 struct ipc_security_struct *isec;
5349 u32 sid;
5350
5351 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5352 if (!isec)
5353 return -ENOMEM;
5354
5355 sid = task_sid(task);
5356 isec->sclass = sclass;
5357 isec->sid = sid;
5358 perm->security = isec;
5359
5360 return 0;
5361 }
5362
5363 static void ipc_free_security(struct kern_ipc_perm *perm)
5364 {
5365 struct ipc_security_struct *isec = perm->security;
5366 perm->security = NULL;
5367 kfree(isec);
5368 }
5369
5370 static int msg_msg_alloc_security(struct msg_msg *msg)
5371 {
5372 struct msg_security_struct *msec;
5373
5374 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5375 if (!msec)
5376 return -ENOMEM;
5377
5378 msec->sid = SECINITSID_UNLABELED;
5379 msg->security = msec;
5380
5381 return 0;
5382 }
5383
5384 static void msg_msg_free_security(struct msg_msg *msg)
5385 {
5386 struct msg_security_struct *msec = msg->security;
5387
5388 msg->security = NULL;
5389 kfree(msec);
5390 }
5391
5392 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5393 u32 perms)
5394 {
5395 struct ipc_security_struct *isec;
5396 struct common_audit_data ad;
5397 u32 sid = current_sid();
5398
5399 isec = ipc_perms->security;
5400
5401 ad.type = LSM_AUDIT_DATA_IPC;
5402 ad.u.ipc_id = ipc_perms->key;
5403
5404 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5405 }
5406
5407 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5408 {
5409 return msg_msg_alloc_security(msg);
5410 }
5411
5412 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5413 {
5414 msg_msg_free_security(msg);
5415 }
5416
5417 /* message queue security operations */
5418 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5419 {
5420 struct ipc_security_struct *isec;
5421 struct common_audit_data ad;
5422 u32 sid = current_sid();
5423 int rc;
5424
5425 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5426 if (rc)
5427 return rc;
5428
5429 isec = msq->q_perm.security;
5430
5431 ad.type = LSM_AUDIT_DATA_IPC;
5432 ad.u.ipc_id = msq->q_perm.key;
5433
5434 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5435 MSGQ__CREATE, &ad);
5436 if (rc) {
5437 ipc_free_security(&msq->q_perm);
5438 return rc;
5439 }
5440 return 0;
5441 }
5442
5443 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5444 {
5445 ipc_free_security(&msq->q_perm);
5446 }
5447
5448 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5449 {
5450 struct ipc_security_struct *isec;
5451 struct common_audit_data ad;
5452 u32 sid = current_sid();
5453
5454 isec = msq->q_perm.security;
5455
5456 ad.type = LSM_AUDIT_DATA_IPC;
5457 ad.u.ipc_id = msq->q_perm.key;
5458
5459 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5460 MSGQ__ASSOCIATE, &ad);
5461 }
5462
5463 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5464 {
5465 int err;
5466 int perms;
5467
5468 switch (cmd) {
5469 case IPC_INFO:
5470 case MSG_INFO:
5471 /* No specific object, just general system-wide information. */
5472 return task_has_system(current, SYSTEM__IPC_INFO);
5473 case IPC_STAT:
5474 case MSG_STAT:
5475 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5476 break;
5477 case IPC_SET:
5478 perms = MSGQ__SETATTR;
5479 break;
5480 case IPC_RMID:
5481 perms = MSGQ__DESTROY;
5482 break;
5483 default:
5484 return 0;
5485 }
5486
5487 err = ipc_has_perm(&msq->q_perm, perms);
5488 return err;
5489 }
5490
5491 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5492 {
5493 struct ipc_security_struct *isec;
5494 struct msg_security_struct *msec;
5495 struct common_audit_data ad;
5496 u32 sid = current_sid();
5497 int rc;
5498
5499 isec = msq->q_perm.security;
5500 msec = msg->security;
5501
5502 /*
5503 * First time through, need to assign label to the message
5504 */
5505 if (msec->sid == SECINITSID_UNLABELED) {
5506 /*
5507 * Compute new sid based on current process and
5508 * message queue this message will be stored in
5509 */
5510 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5511 NULL, &msec->sid);
5512 if (rc)
5513 return rc;
5514 }
5515
5516 ad.type = LSM_AUDIT_DATA_IPC;
5517 ad.u.ipc_id = msq->q_perm.key;
5518
5519 /* Can this process write to the queue? */
5520 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5521 MSGQ__WRITE, &ad);
5522 if (!rc)
5523 /* Can this process send the message */
5524 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5525 MSG__SEND, &ad);
5526 if (!rc)
5527 /* Can the message be put in the queue? */
5528 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5529 MSGQ__ENQUEUE, &ad);
5530
5531 return rc;
5532 }
5533
5534 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5535 struct task_struct *target,
5536 long type, int mode)
5537 {
5538 struct ipc_security_struct *isec;
5539 struct msg_security_struct *msec;
5540 struct common_audit_data ad;
5541 u32 sid = task_sid(target);
5542 int rc;
5543
5544 isec = msq->q_perm.security;
5545 msec = msg->security;
5546
5547 ad.type = LSM_AUDIT_DATA_IPC;
5548 ad.u.ipc_id = msq->q_perm.key;
5549
5550 rc = avc_has_perm(sid, isec->sid,
5551 SECCLASS_MSGQ, MSGQ__READ, &ad);
5552 if (!rc)
5553 rc = avc_has_perm(sid, msec->sid,
5554 SECCLASS_MSG, MSG__RECEIVE, &ad);
5555 return rc;
5556 }
5557
5558 /* Shared Memory security operations */
5559 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5560 {
5561 struct ipc_security_struct *isec;
5562 struct common_audit_data ad;
5563 u32 sid = current_sid();
5564 int rc;
5565
5566 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5567 if (rc)
5568 return rc;
5569
5570 isec = shp->shm_perm.security;
5571
5572 ad.type = LSM_AUDIT_DATA_IPC;
5573 ad.u.ipc_id = shp->shm_perm.key;
5574
5575 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5576 SHM__CREATE, &ad);
5577 if (rc) {
5578 ipc_free_security(&shp->shm_perm);
5579 return rc;
5580 }
5581 return 0;
5582 }
5583
5584 static void selinux_shm_free_security(struct shmid_kernel *shp)
5585 {
5586 ipc_free_security(&shp->shm_perm);
5587 }
5588
5589 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5590 {
5591 struct ipc_security_struct *isec;
5592 struct common_audit_data ad;
5593 u32 sid = current_sid();
5594
5595 isec = shp->shm_perm.security;
5596
5597 ad.type = LSM_AUDIT_DATA_IPC;
5598 ad.u.ipc_id = shp->shm_perm.key;
5599
5600 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5601 SHM__ASSOCIATE, &ad);
5602 }
5603
5604 /* Note, at this point, shp is locked down */
5605 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5606 {
5607 int perms;
5608 int err;
5609
5610 switch (cmd) {
5611 case IPC_INFO:
5612 case SHM_INFO:
5613 /* No specific object, just general system-wide information. */
5614 return task_has_system(current, SYSTEM__IPC_INFO);
5615 case IPC_STAT:
5616 case SHM_STAT:
5617 perms = SHM__GETATTR | SHM__ASSOCIATE;
5618 break;
5619 case IPC_SET:
5620 perms = SHM__SETATTR;
5621 break;
5622 case SHM_LOCK:
5623 case SHM_UNLOCK:
5624 perms = SHM__LOCK;
5625 break;
5626 case IPC_RMID:
5627 perms = SHM__DESTROY;
5628 break;
5629 default:
5630 return 0;
5631 }
5632
5633 err = ipc_has_perm(&shp->shm_perm, perms);
5634 return err;
5635 }
5636
5637 static int selinux_shm_shmat(struct shmid_kernel *shp,
5638 char __user *shmaddr, int shmflg)
5639 {
5640 u32 perms;
5641
5642 if (shmflg & SHM_RDONLY)
5643 perms = SHM__READ;
5644 else
5645 perms = SHM__READ | SHM__WRITE;
5646
5647 return ipc_has_perm(&shp->shm_perm, perms);
5648 }
5649
5650 /* Semaphore security operations */
5651 static int selinux_sem_alloc_security(struct sem_array *sma)
5652 {
5653 struct ipc_security_struct *isec;
5654 struct common_audit_data ad;
5655 u32 sid = current_sid();
5656 int rc;
5657
5658 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5659 if (rc)
5660 return rc;
5661
5662 isec = sma->sem_perm.security;
5663
5664 ad.type = LSM_AUDIT_DATA_IPC;
5665 ad.u.ipc_id = sma->sem_perm.key;
5666
5667 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5668 SEM__CREATE, &ad);
5669 if (rc) {
5670 ipc_free_security(&sma->sem_perm);
5671 return rc;
5672 }
5673 return 0;
5674 }
5675
5676 static void selinux_sem_free_security(struct sem_array *sma)
5677 {
5678 ipc_free_security(&sma->sem_perm);
5679 }
5680
5681 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5682 {
5683 struct ipc_security_struct *isec;
5684 struct common_audit_data ad;
5685 u32 sid = current_sid();
5686
5687 isec = sma->sem_perm.security;
5688
5689 ad.type = LSM_AUDIT_DATA_IPC;
5690 ad.u.ipc_id = sma->sem_perm.key;
5691
5692 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5693 SEM__ASSOCIATE, &ad);
5694 }
5695
5696 /* Note, at this point, sma is locked down */
5697 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5698 {
5699 int err;
5700 u32 perms;
5701
5702 switch (cmd) {
5703 case IPC_INFO:
5704 case SEM_INFO:
5705 /* No specific object, just general system-wide information. */
5706 return task_has_system(current, SYSTEM__IPC_INFO);
5707 case GETPID:
5708 case GETNCNT:
5709 case GETZCNT:
5710 perms = SEM__GETATTR;
5711 break;
5712 case GETVAL:
5713 case GETALL:
5714 perms = SEM__READ;
5715 break;
5716 case SETVAL:
5717 case SETALL:
5718 perms = SEM__WRITE;
5719 break;
5720 case IPC_RMID:
5721 perms = SEM__DESTROY;
5722 break;
5723 case IPC_SET:
5724 perms = SEM__SETATTR;
5725 break;
5726 case IPC_STAT:
5727 case SEM_STAT:
5728 perms = SEM__GETATTR | SEM__ASSOCIATE;
5729 break;
5730 default:
5731 return 0;
5732 }
5733
5734 err = ipc_has_perm(&sma->sem_perm, perms);
5735 return err;
5736 }
5737
5738 static int selinux_sem_semop(struct sem_array *sma,
5739 struct sembuf *sops, unsigned nsops, int alter)
5740 {
5741 u32 perms;
5742
5743 if (alter)
5744 perms = SEM__READ | SEM__WRITE;
5745 else
5746 perms = SEM__READ;
5747
5748 return ipc_has_perm(&sma->sem_perm, perms);
5749 }
5750
5751 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5752 {
5753 u32 av = 0;
5754
5755 av = 0;
5756 if (flag & S_IRUGO)
5757 av |= IPC__UNIX_READ;
5758 if (flag & S_IWUGO)
5759 av |= IPC__UNIX_WRITE;
5760
5761 if (av == 0)
5762 return 0;
5763
5764 return ipc_has_perm(ipcp, av);
5765 }
5766
5767 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5768 {
5769 struct ipc_security_struct *isec = ipcp->security;
5770 *secid = isec->sid;
5771 }
5772
5773 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5774 {
5775 if (inode)
5776 inode_doinit_with_dentry(inode, dentry);
5777 }
5778
5779 static int selinux_getprocattr(struct task_struct *p,
5780 char *name, char **value)
5781 {
5782 const struct task_security_struct *__tsec;
5783 u32 sid;
5784 int error;
5785 unsigned len;
5786
5787 if (current != p) {
5788 error = current_has_perm(p, PROCESS__GETATTR);
5789 if (error)
5790 return error;
5791 }
5792
5793 rcu_read_lock();
5794 __tsec = __task_cred(p)->security;
5795
5796 if (!strcmp(name, "current"))
5797 sid = __tsec->sid;
5798 else if (!strcmp(name, "prev"))
5799 sid = __tsec->osid;
5800 else if (!strcmp(name, "exec"))
5801 sid = __tsec->exec_sid;
5802 else if (!strcmp(name, "fscreate"))
5803 sid = __tsec->create_sid;
5804 else if (!strcmp(name, "keycreate"))
5805 sid = __tsec->keycreate_sid;
5806 else if (!strcmp(name, "sockcreate"))
5807 sid = __tsec->sockcreate_sid;
5808 else
5809 goto invalid;
5810 rcu_read_unlock();
5811
5812 if (!sid)
5813 return 0;
5814
5815 error = security_sid_to_context(sid, value, &len);
5816 if (error)
5817 return error;
5818 return len;
5819
5820 invalid:
5821 rcu_read_unlock();
5822 return -EINVAL;
5823 }
5824
5825 static int selinux_setprocattr(struct task_struct *p,
5826 char *name, void *value, size_t size)
5827 {
5828 struct task_security_struct *tsec;
5829 struct cred *new;
5830 u32 sid = 0, ptsid;
5831 int error;
5832 char *str = value;
5833
5834 if (current != p) {
5835 /* SELinux only allows a process to change its own
5836 security attributes. */
5837 return -EACCES;
5838 }
5839
5840 /*
5841 * Basic control over ability to set these attributes at all.
5842 * current == p, but we'll pass them separately in case the
5843 * above restriction is ever removed.
5844 */
5845 if (!strcmp(name, "exec"))
5846 error = current_has_perm(p, PROCESS__SETEXEC);
5847 else if (!strcmp(name, "fscreate"))
5848 error = current_has_perm(p, PROCESS__SETFSCREATE);
5849 else if (!strcmp(name, "keycreate"))
5850 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5851 else if (!strcmp(name, "sockcreate"))
5852 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5853 else if (!strcmp(name, "current"))
5854 error = current_has_perm(p, PROCESS__SETCURRENT);
5855 else
5856 error = -EINVAL;
5857 if (error)
5858 return error;
5859
5860 /* Obtain a SID for the context, if one was specified. */
5861 if (size && str[1] && str[1] != '\n') {
5862 if (str[size-1] == '\n') {
5863 str[size-1] = 0;
5864 size--;
5865 }
5866 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5867 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5868 if (!capable(CAP_MAC_ADMIN)) {
5869 struct audit_buffer *ab;
5870 size_t audit_size;
5871
5872 /* We strip a nul only if it is at the end, otherwise the
5873 * context contains a nul and we should audit that */
5874 if (str[size - 1] == '\0')
5875 audit_size = size - 1;
5876 else
5877 audit_size = size;
5878 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5879 audit_log_format(ab, "op=fscreate invalid_context=");
5880 audit_log_n_untrustedstring(ab, value, audit_size);
5881 audit_log_end(ab);
5882
5883 return error;
5884 }
5885 error = security_context_to_sid_force(value, size,
5886 &sid);
5887 }
5888 if (error)
5889 return error;
5890 }
5891
5892 new = prepare_creds();
5893 if (!new)
5894 return -ENOMEM;
5895
5896 /* Permission checking based on the specified context is
5897 performed during the actual operation (execve,
5898 open/mkdir/...), when we know the full context of the
5899 operation. See selinux_bprm_set_creds for the execve
5900 checks and may_create for the file creation checks. The
5901 operation will then fail if the context is not permitted. */
5902 tsec = new->security;
5903 if (!strcmp(name, "exec")) {
5904 tsec->exec_sid = sid;
5905 } else if (!strcmp(name, "fscreate")) {
5906 tsec->create_sid = sid;
5907 } else if (!strcmp(name, "keycreate")) {
5908 error = may_create_key(sid, p);
5909 if (error)
5910 goto abort_change;
5911 tsec->keycreate_sid = sid;
5912 } else if (!strcmp(name, "sockcreate")) {
5913 tsec->sockcreate_sid = sid;
5914 } else if (!strcmp(name, "current")) {
5915 error = -EINVAL;
5916 if (sid == 0)
5917 goto abort_change;
5918
5919 /* Only allow single threaded processes to change context */
5920 error = -EPERM;
5921 if (!current_is_single_threaded()) {
5922 error = security_bounded_transition(tsec->sid, sid);
5923 if (error)
5924 goto abort_change;
5925 }
5926
5927 /* Check permissions for the transition. */
5928 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5929 PROCESS__DYNTRANSITION, NULL);
5930 if (error)
5931 goto abort_change;
5932
5933 /* Check for ptracing, and update the task SID if ok.
5934 Otherwise, leave SID unchanged and fail. */
5935 ptsid = ptrace_parent_sid(p);
5936 if (ptsid != 0) {
5937 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5938 PROCESS__PTRACE, NULL);
5939 if (error)
5940 goto abort_change;
5941 }
5942
5943 tsec->sid = sid;
5944 } else {
5945 error = -EINVAL;
5946 goto abort_change;
5947 }
5948
5949 commit_creds(new);
5950 return size;
5951
5952 abort_change:
5953 abort_creds(new);
5954 return error;
5955 }
5956
5957 static int selinux_ismaclabel(const char *name)
5958 {
5959 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5960 }
5961
5962 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5963 {
5964 return security_sid_to_context(secid, secdata, seclen);
5965 }
5966
5967 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5968 {
5969 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5970 }
5971
5972 static void selinux_release_secctx(char *secdata, u32 seclen)
5973 {
5974 kfree(secdata);
5975 }
5976
5977 static void selinux_inode_invalidate_secctx(struct inode *inode)
5978 {
5979 struct inode_security_struct *isec = inode->i_security;
5980
5981 mutex_lock(&isec->lock);
5982 isec->initialized = LABEL_INVALID;
5983 mutex_unlock(&isec->lock);
5984 }
5985
5986 /*
5987 * called with inode->i_mutex locked
5988 */
5989 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5990 {
5991 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5992 }
5993
5994 /*
5995 * called with inode->i_mutex locked
5996 */
5997 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5998 {
5999 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6000 }
6001
6002 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6003 {
6004 int len = 0;
6005 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6006 ctx, true);
6007 if (len < 0)
6008 return len;
6009 *ctxlen = len;
6010 return 0;
6011 }
6012 #ifdef CONFIG_KEYS
6013
6014 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6015 unsigned long flags)
6016 {
6017 const struct task_security_struct *tsec;
6018 struct key_security_struct *ksec;
6019
6020 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6021 if (!ksec)
6022 return -ENOMEM;
6023
6024 tsec = cred->security;
6025 if (tsec->keycreate_sid)
6026 ksec->sid = tsec->keycreate_sid;
6027 else
6028 ksec->sid = tsec->sid;
6029
6030 k->security = ksec;
6031 return 0;
6032 }
6033
6034 static void selinux_key_free(struct key *k)
6035 {
6036 struct key_security_struct *ksec = k->security;
6037
6038 k->security = NULL;
6039 kfree(ksec);
6040 }
6041
6042 static int selinux_key_permission(key_ref_t key_ref,
6043 const struct cred *cred,
6044 unsigned perm)
6045 {
6046 struct key *key;
6047 struct key_security_struct *ksec;
6048 u32 sid;
6049
6050 /* if no specific permissions are requested, we skip the
6051 permission check. No serious, additional covert channels
6052 appear to be created. */
6053 if (perm == 0)
6054 return 0;
6055
6056 sid = cred_sid(cred);
6057
6058 key = key_ref_to_ptr(key_ref);
6059 ksec = key->security;
6060
6061 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6062 }
6063
6064 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6065 {
6066 struct key_security_struct *ksec = key->security;
6067 char *context = NULL;
6068 unsigned len;
6069 int rc;
6070
6071 rc = security_sid_to_context(ksec->sid, &context, &len);
6072 if (!rc)
6073 rc = len;
6074 *_buffer = context;
6075 return rc;
6076 }
6077
6078 #endif
6079
6080 static struct security_hook_list selinux_hooks[] = {
6081 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6082 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6083 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6084 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6085
6086 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6087 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6088 LSM_HOOK_INIT(capget, selinux_capget),
6089 LSM_HOOK_INIT(capset, selinux_capset),
6090 LSM_HOOK_INIT(capable, selinux_capable),
6091 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6092 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6093 LSM_HOOK_INIT(syslog, selinux_syslog),
6094 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6095
6096 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6097
6098 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6099 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6100 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6101 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6102
6103 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6104 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6105 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6106 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6107 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6108 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6109 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6110 LSM_HOOK_INIT(sb_mount, selinux_mount),
6111 LSM_HOOK_INIT(sb_umount, selinux_umount),
6112 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6113 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6114 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6115
6116 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6117 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6118
6119 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6120 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6121 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6122 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6123 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6124 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6125 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6126 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6127 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6128 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6129 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6130 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6131 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6132 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6133 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6134 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6135 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6136 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6137 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6138 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6139 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6140 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6141 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6142 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6143 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6144 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6145 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6146
6147 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6148 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6149 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6150 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6151 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6152 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6153 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6154 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6155 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6156 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6157 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6158 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6159
6160 LSM_HOOK_INIT(file_open, selinux_file_open),
6161
6162 LSM_HOOK_INIT(task_create, selinux_task_create),
6163 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6164 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6165 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6166 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6167 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6168 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6169 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6170 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6171 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6172 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6173 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6174 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6175 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6176 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6177 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6178 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6179 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6180 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6181 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6182 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6183 LSM_HOOK_INIT(task_wait, selinux_task_wait),
6184 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6185
6186 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6187 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6188
6189 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6190 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6191
6192 LSM_HOOK_INIT(msg_queue_alloc_security,
6193 selinux_msg_queue_alloc_security),
6194 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6195 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6196 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6197 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6198 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6199
6200 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6201 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6202 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6203 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6204 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6205
6206 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6207 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6208 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6209 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6210 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6211
6212 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6213
6214 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6215 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6216
6217 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6218 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6219 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6220 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6221 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6222 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6223 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6224 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6225
6226 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6227 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6228
6229 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6230 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6231 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6232 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6233 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6234 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6235 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6236 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6237 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6238 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6239 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6240 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6241 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6242 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6243 LSM_HOOK_INIT(socket_getpeersec_stream,
6244 selinux_socket_getpeersec_stream),
6245 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6246 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6247 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6248 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6249 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6250 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6251 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6252 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6253 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6254 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6255 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6256 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6257 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6258 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6259 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6260 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6261 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6262 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6263 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6264
6265 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6266 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6267 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6268 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6269 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6270 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6271 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6272 selinux_xfrm_state_alloc_acquire),
6273 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6274 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6275 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6276 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6277 selinux_xfrm_state_pol_flow_match),
6278 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6279 #endif
6280
6281 #ifdef CONFIG_KEYS
6282 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6283 LSM_HOOK_INIT(key_free, selinux_key_free),
6284 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6285 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6286 #endif
6287
6288 #ifdef CONFIG_AUDIT
6289 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6290 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6291 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6292 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6293 #endif
6294 };
6295
6296 static __init int selinux_init(void)
6297 {
6298 if (!security_module_enable("selinux")) {
6299 selinux_enabled = 0;
6300 return 0;
6301 }
6302
6303 if (!selinux_enabled) {
6304 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6305 return 0;
6306 }
6307
6308 printk(KERN_INFO "SELinux: Initializing.\n");
6309
6310 /* Set the security state for the initial task. */
6311 cred_init_security();
6312
6313 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6314
6315 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6316 sizeof(struct inode_security_struct),
6317 0, SLAB_PANIC, NULL);
6318 file_security_cache = kmem_cache_create("selinux_file_security",
6319 sizeof(struct file_security_struct),
6320 0, SLAB_PANIC, NULL);
6321 avc_init();
6322
6323 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6324
6325 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6326 panic("SELinux: Unable to register AVC netcache callback\n");
6327
6328 if (selinux_enforcing)
6329 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6330 else
6331 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6332
6333 return 0;
6334 }
6335
6336 static void delayed_superblock_init(struct super_block *sb, void *unused)
6337 {
6338 superblock_doinit(sb, NULL);
6339 }
6340
6341 void selinux_complete_init(void)
6342 {
6343 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6344
6345 /* Set up any superblocks initialized prior to the policy load. */
6346 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6347 iterate_supers(delayed_superblock_init, NULL);
6348 }
6349
6350 /* SELinux requires early initialization in order to label
6351 all processes and objects when they are created. */
6352 security_initcall(selinux_init);
6353
6354 #if defined(CONFIG_NETFILTER)
6355
6356 static struct nf_hook_ops selinux_nf_ops[] = {
6357 {
6358 .hook = selinux_ipv4_postroute,
6359 .pf = NFPROTO_IPV4,
6360 .hooknum = NF_INET_POST_ROUTING,
6361 .priority = NF_IP_PRI_SELINUX_LAST,
6362 },
6363 {
6364 .hook = selinux_ipv4_forward,
6365 .pf = NFPROTO_IPV4,
6366 .hooknum = NF_INET_FORWARD,
6367 .priority = NF_IP_PRI_SELINUX_FIRST,
6368 },
6369 {
6370 .hook = selinux_ipv4_output,
6371 .pf = NFPROTO_IPV4,
6372 .hooknum = NF_INET_LOCAL_OUT,
6373 .priority = NF_IP_PRI_SELINUX_FIRST,
6374 },
6375 #if IS_ENABLED(CONFIG_IPV6)
6376 {
6377 .hook = selinux_ipv6_postroute,
6378 .pf = NFPROTO_IPV6,
6379 .hooknum = NF_INET_POST_ROUTING,
6380 .priority = NF_IP6_PRI_SELINUX_LAST,
6381 },
6382 {
6383 .hook = selinux_ipv6_forward,
6384 .pf = NFPROTO_IPV6,
6385 .hooknum = NF_INET_FORWARD,
6386 .priority = NF_IP6_PRI_SELINUX_FIRST,
6387 },
6388 {
6389 .hook = selinux_ipv6_output,
6390 .pf = NFPROTO_IPV6,
6391 .hooknum = NF_INET_LOCAL_OUT,
6392 .priority = NF_IP6_PRI_SELINUX_FIRST,
6393 },
6394 #endif /* IPV6 */
6395 };
6396
6397 static int __init selinux_nf_ip_init(void)
6398 {
6399 int err;
6400
6401 if (!selinux_enabled)
6402 return 0;
6403
6404 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6405
6406 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6407 if (err)
6408 panic("SELinux: nf_register_hooks: error %d\n", err);
6409
6410 return 0;
6411 }
6412
6413 __initcall(selinux_nf_ip_init);
6414
6415 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6416 static void selinux_nf_ip_exit(void)
6417 {
6418 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6419
6420 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6421 }
6422 #endif
6423
6424 #else /* CONFIG_NETFILTER */
6425
6426 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6427 #define selinux_nf_ip_exit()
6428 #endif
6429
6430 #endif /* CONFIG_NETFILTER */
6431
6432 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6433 static int selinux_disabled;
6434
6435 int selinux_disable(void)
6436 {
6437 if (ss_initialized) {
6438 /* Not permitted after initial policy load. */
6439 return -EINVAL;
6440 }
6441
6442 if (selinux_disabled) {
6443 /* Only do this once. */
6444 return -EINVAL;
6445 }
6446
6447 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6448
6449 selinux_disabled = 1;
6450 selinux_enabled = 0;
6451
6452 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6453
6454 /* Try to destroy the avc node cache */
6455 avc_disable();
6456
6457 /* Unregister netfilter hooks. */
6458 selinux_nf_ip_exit();
6459
6460 /* Unregister selinuxfs. */
6461 exit_sel_fs();
6462
6463 return 0;
6464 }
6465 #endif
ubuntu-bionic-kernel mirror