]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-hirsute-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'audit-pr-20180605' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoor...
[mirror_ubuntu-hirsute-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
91
92 #include "avc.h"
93 #include "objsec.h"
94 #include "netif.h"
95 #include "netnode.h"
96 #include "netport.h"
97 #include "ibpkey.h"
98 #include "xfrm.h"
99 #include "netlabel.h"
100 #include "audit.h"
101 #include "avc_ss.h"
102
103 struct selinux_state selinux_state;
104
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
110
111 static int __init enforcing_setup(char *str)
112 {
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
116 return 1;
117 }
118 __setup("enforcing=", enforcing_setup);
119 #else
120 #define selinux_enforcing_boot 1
121 #endif
122
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125
126 static int __init selinux_enabled_setup(char *str)
127 {
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
131 return 1;
132 }
133 __setup("selinux=", selinux_enabled_setup);
134 #else
135 int selinux_enabled = 1;
136 #endif
137
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141 static int __init checkreqprot_setup(char *str)
142 {
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
153
154 /**
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156 *
157 * Description:
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
163 *
164 */
165 static int selinux_secmark_enabled(void)
166 {
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
169 }
170
171 /**
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173 *
174 * Description:
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
179 *
180 */
181 static int selinux_peerlbl_enabled(void)
182 {
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
185 }
186
187 static int selinux_netcache_avc_callback(u32 event)
188 {
189 if (event == AVC_CALLBACK_RESET) {
190 sel_netif_flush();
191 sel_netnode_flush();
192 sel_netport_flush();
193 synchronize_net();
194 }
195 return 0;
196 }
197
198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200 if (event == AVC_CALLBACK_RESET) {
201 sel_ib_pkey_flush();
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 }
204
205 return 0;
206 }
207
208 /*
209 * initialise the security for the init task
210 */
211 static void cred_init_security(void)
212 {
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
215
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
217 if (!tsec)
218 panic("SELinux: Failed to initialize initial task.\n");
219
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
222 }
223
224 /*
225 * get the security ID of a set of credentials
226 */
227 static inline u32 cred_sid(const struct cred *cred)
228 {
229 const struct task_security_struct *tsec;
230
231 tsec = cred->security;
232 return tsec->sid;
233 }
234
235 /*
236 * get the objective security ID of a task
237 */
238 static inline u32 task_sid(const struct task_struct *task)
239 {
240 u32 sid;
241
242 rcu_read_lock();
243 sid = cred_sid(__task_cred(task));
244 rcu_read_unlock();
245 return sid;
246 }
247
248 /* Allocate and free functions for each kind of security blob. */
249
250 static int inode_alloc_security(struct inode *inode)
251 {
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
254
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
256 if (!isec)
257 return -ENOMEM;
258
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
261 isec->inode = inode;
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
267
268 return 0;
269 }
270
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
272
273 /*
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @dentry parameter should be set to a dentry of the inode.
278 */
279 static int __inode_security_revalidate(struct inode *inode,
280 struct dentry *dentry,
281 bool may_sleep)
282 {
283 struct inode_security_struct *isec = inode->i_security;
284
285 might_sleep_if(may_sleep);
286
287 if (selinux_state.initialized &&
288 isec->initialized != LABEL_INITIALIZED) {
289 if (!may_sleep)
290 return -ECHILD;
291
292 /*
293 * Try reloading the inode security label. This will fail if
294 * @opt_dentry is NULL and no dentry for this inode can be
295 * found; in that case, continue using the old label.
296 */
297 inode_doinit_with_dentry(inode, dentry);
298 }
299 return 0;
300 }
301
302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
303 {
304 return inode->i_security;
305 }
306
307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
308 {
309 int error;
310
311 error = __inode_security_revalidate(inode, NULL, !rcu);
312 if (error)
313 return ERR_PTR(error);
314 return inode->i_security;
315 }
316
317 /*
318 * Get the security label of an inode.
319 */
320 static struct inode_security_struct *inode_security(struct inode *inode)
321 {
322 __inode_security_revalidate(inode, NULL, true);
323 return inode->i_security;
324 }
325
326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
327 {
328 struct inode *inode = d_backing_inode(dentry);
329
330 return inode->i_security;
331 }
332
333 /*
334 * Get the security label of a dentry's backing inode.
335 */
336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
337 {
338 struct inode *inode = d_backing_inode(dentry);
339
340 __inode_security_revalidate(inode, dentry, true);
341 return inode->i_security;
342 }
343
344 static void inode_free_rcu(struct rcu_head *head)
345 {
346 struct inode_security_struct *isec;
347
348 isec = container_of(head, struct inode_security_struct, rcu);
349 kmem_cache_free(sel_inode_cache, isec);
350 }
351
352 static void inode_free_security(struct inode *inode)
353 {
354 struct inode_security_struct *isec = inode->i_security;
355 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
356
357 /*
358 * As not all inode security structures are in a list, we check for
359 * empty list outside of the lock to make sure that we won't waste
360 * time taking a lock doing nothing.
361 *
362 * The list_del_init() function can be safely called more than once.
363 * It should not be possible for this function to be called with
364 * concurrent list_add(), but for better safety against future changes
365 * in the code, we use list_empty_careful() here.
366 */
367 if (!list_empty_careful(&isec->list)) {
368 spin_lock(&sbsec->isec_lock);
369 list_del_init(&isec->list);
370 spin_unlock(&sbsec->isec_lock);
371 }
372
373 /*
374 * The inode may still be referenced in a path walk and
375 * a call to selinux_inode_permission() can be made
376 * after inode_free_security() is called. Ideally, the VFS
377 * wouldn't do this, but fixing that is a much harder
378 * job. For now, simply free the i_security via RCU, and
379 * leave the current inode->i_security pointer intact.
380 * The inode will be freed after the RCU grace period too.
381 */
382 call_rcu(&isec->rcu, inode_free_rcu);
383 }
384
385 static int file_alloc_security(struct file *file)
386 {
387 struct file_security_struct *fsec;
388 u32 sid = current_sid();
389
390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
391 if (!fsec)
392 return -ENOMEM;
393
394 fsec->sid = sid;
395 fsec->fown_sid = sid;
396 file->f_security = fsec;
397
398 return 0;
399 }
400
401 static void file_free_security(struct file *file)
402 {
403 struct file_security_struct *fsec = file->f_security;
404 file->f_security = NULL;
405 kmem_cache_free(file_security_cache, fsec);
406 }
407
408 static int superblock_alloc_security(struct super_block *sb)
409 {
410 struct superblock_security_struct *sbsec;
411
412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
413 if (!sbsec)
414 return -ENOMEM;
415
416 mutex_init(&sbsec->lock);
417 INIT_LIST_HEAD(&sbsec->isec_head);
418 spin_lock_init(&sbsec->isec_lock);
419 sbsec->sb = sb;
420 sbsec->sid = SECINITSID_UNLABELED;
421 sbsec->def_sid = SECINITSID_FILE;
422 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 sb->s_security = sbsec;
424
425 return 0;
426 }
427
428 static void superblock_free_security(struct super_block *sb)
429 {
430 struct superblock_security_struct *sbsec = sb->s_security;
431 sb->s_security = NULL;
432 kfree(sbsec);
433 }
434
435 static inline int inode_doinit(struct inode *inode)
436 {
437 return inode_doinit_with_dentry(inode, NULL);
438 }
439
440 enum {
441 Opt_error = -1,
442 Opt_context = 1,
443 Opt_fscontext = 2,
444 Opt_defcontext = 3,
445 Opt_rootcontext = 4,
446 Opt_labelsupport = 5,
447 Opt_nextmntopt = 6,
448 };
449
450 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
451
452 static const match_table_t tokens = {
453 {Opt_context, CONTEXT_STR "%s"},
454 {Opt_fscontext, FSCONTEXT_STR "%s"},
455 {Opt_defcontext, DEFCONTEXT_STR "%s"},
456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 {Opt_labelsupport, LABELSUPP_STR},
458 {Opt_error, NULL},
459 };
460
461 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
462
463 static int may_context_mount_sb_relabel(u32 sid,
464 struct superblock_security_struct *sbsec,
465 const struct cred *cred)
466 {
467 const struct task_security_struct *tsec = cred->security;
468 int rc;
469
470 rc = avc_has_perm(&selinux_state,
471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 FILESYSTEM__RELABELFROM, NULL);
473 if (rc)
474 return rc;
475
476 rc = avc_has_perm(&selinux_state,
477 tsec->sid, sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__RELABELTO, NULL);
479 return rc;
480 }
481
482 static int may_context_mount_inode_relabel(u32 sid,
483 struct superblock_security_struct *sbsec,
484 const struct cred *cred)
485 {
486 const struct task_security_struct *tsec = cred->security;
487 int rc;
488 rc = avc_has_perm(&selinux_state,
489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__RELABELFROM, NULL);
491 if (rc)
492 return rc;
493
494 rc = avc_has_perm(&selinux_state,
495 sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 FILESYSTEM__ASSOCIATE, NULL);
497 return rc;
498 }
499
500 static int selinux_is_sblabel_mnt(struct super_block *sb)
501 {
502 struct superblock_security_struct *sbsec = sb->s_security;
503
504 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
505 sbsec->behavior == SECURITY_FS_USE_TRANS ||
506 sbsec->behavior == SECURITY_FS_USE_TASK ||
507 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
508 /* Special handling. Genfs but also in-core setxattr handler */
509 !strcmp(sb->s_type->name, "sysfs") ||
510 !strcmp(sb->s_type->name, "pstore") ||
511 !strcmp(sb->s_type->name, "debugfs") ||
512 !strcmp(sb->s_type->name, "tracefs") ||
513 !strcmp(sb->s_type->name, "rootfs") ||
514 (selinux_policycap_cgroupseclabel() &&
515 (!strcmp(sb->s_type->name, "cgroup") ||
516 !strcmp(sb->s_type->name, "cgroup2")));
517 }
518
519 static int sb_finish_set_opts(struct super_block *sb)
520 {
521 struct superblock_security_struct *sbsec = sb->s_security;
522 struct dentry *root = sb->s_root;
523 struct inode *root_inode = d_backing_inode(root);
524 int rc = 0;
525
526 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
527 /* Make sure that the xattr handler exists and that no
528 error other than -ENODATA is returned by getxattr on
529 the root directory. -ENODATA is ok, as this may be
530 the first boot of the SELinux kernel before we have
531 assigned xattr values to the filesystem. */
532 if (!(root_inode->i_opflags & IOP_XATTR)) {
533 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
534 "xattr support\n", sb->s_id, sb->s_type->name);
535 rc = -EOPNOTSUPP;
536 goto out;
537 }
538
539 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
540 if (rc < 0 && rc != -ENODATA) {
541 if (rc == -EOPNOTSUPP)
542 printk(KERN_WARNING "SELinux: (dev %s, type "
543 "%s) has no security xattr handler\n",
544 sb->s_id, sb->s_type->name);
545 else
546 printk(KERN_WARNING "SELinux: (dev %s, type "
547 "%s) getxattr errno %d\n", sb->s_id,
548 sb->s_type->name, -rc);
549 goto out;
550 }
551 }
552
553 sbsec->flags |= SE_SBINITIALIZED;
554
555 /*
556 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
557 * leave the flag untouched because sb_clone_mnt_opts might be handing
558 * us a superblock that needs the flag to be cleared.
559 */
560 if (selinux_is_sblabel_mnt(sb))
561 sbsec->flags |= SBLABEL_MNT;
562 else
563 sbsec->flags &= ~SBLABEL_MNT;
564
565 /* Initialize the root inode. */
566 rc = inode_doinit_with_dentry(root_inode, root);
567
568 /* Initialize any other inodes associated with the superblock, e.g.
569 inodes created prior to initial policy load or inodes created
570 during get_sb by a pseudo filesystem that directly
571 populates itself. */
572 spin_lock(&sbsec->isec_lock);
573 next_inode:
574 if (!list_empty(&sbsec->isec_head)) {
575 struct inode_security_struct *isec =
576 list_entry(sbsec->isec_head.next,
577 struct inode_security_struct, list);
578 struct inode *inode = isec->inode;
579 list_del_init(&isec->list);
580 spin_unlock(&sbsec->isec_lock);
581 inode = igrab(inode);
582 if (inode) {
583 if (!IS_PRIVATE(inode))
584 inode_doinit(inode);
585 iput(inode);
586 }
587 spin_lock(&sbsec->isec_lock);
588 goto next_inode;
589 }
590 spin_unlock(&sbsec->isec_lock);
591 out:
592 return rc;
593 }
594
595 /*
596 * This function should allow an FS to ask what it's mount security
597 * options were so it can use those later for submounts, displaying
598 * mount options, or whatever.
599 */
600 static int selinux_get_mnt_opts(const struct super_block *sb,
601 struct security_mnt_opts *opts)
602 {
603 int rc = 0, i;
604 struct superblock_security_struct *sbsec = sb->s_security;
605 char *context = NULL;
606 u32 len;
607 char tmp;
608
609 security_init_mnt_opts(opts);
610
611 if (!(sbsec->flags & SE_SBINITIALIZED))
612 return -EINVAL;
613
614 if (!selinux_state.initialized)
615 return -EINVAL;
616
617 /* make sure we always check enough bits to cover the mask */
618 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
619
620 tmp = sbsec->flags & SE_MNTMASK;
621 /* count the number of mount options for this sb */
622 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
623 if (tmp & 0x01)
624 opts->num_mnt_opts++;
625 tmp >>= 1;
626 }
627 /* Check if the Label support flag is set */
628 if (sbsec->flags & SBLABEL_MNT)
629 opts->num_mnt_opts++;
630
631 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
632 if (!opts->mnt_opts) {
633 rc = -ENOMEM;
634 goto out_free;
635 }
636
637 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
638 if (!opts->mnt_opts_flags) {
639 rc = -ENOMEM;
640 goto out_free;
641 }
642
643 i = 0;
644 if (sbsec->flags & FSCONTEXT_MNT) {
645 rc = security_sid_to_context(&selinux_state, sbsec->sid,
646 &context, &len);
647 if (rc)
648 goto out_free;
649 opts->mnt_opts[i] = context;
650 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
651 }
652 if (sbsec->flags & CONTEXT_MNT) {
653 rc = security_sid_to_context(&selinux_state,
654 sbsec->mntpoint_sid,
655 &context, &len);
656 if (rc)
657 goto out_free;
658 opts->mnt_opts[i] = context;
659 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
660 }
661 if (sbsec->flags & DEFCONTEXT_MNT) {
662 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
663 &context, &len);
664 if (rc)
665 goto out_free;
666 opts->mnt_opts[i] = context;
667 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
668 }
669 if (sbsec->flags & ROOTCONTEXT_MNT) {
670 struct dentry *root = sbsec->sb->s_root;
671 struct inode_security_struct *isec = backing_inode_security(root);
672
673 rc = security_sid_to_context(&selinux_state, isec->sid,
674 &context, &len);
675 if (rc)
676 goto out_free;
677 opts->mnt_opts[i] = context;
678 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
679 }
680 if (sbsec->flags & SBLABEL_MNT) {
681 opts->mnt_opts[i] = NULL;
682 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
683 }
684
685 BUG_ON(i != opts->num_mnt_opts);
686
687 return 0;
688
689 out_free:
690 security_free_mnt_opts(opts);
691 return rc;
692 }
693
694 static int bad_option(struct superblock_security_struct *sbsec, char flag,
695 u32 old_sid, u32 new_sid)
696 {
697 char mnt_flags = sbsec->flags & SE_MNTMASK;
698
699 /* check if the old mount command had the same options */
700 if (sbsec->flags & SE_SBINITIALIZED)
701 if (!(sbsec->flags & flag) ||
702 (old_sid != new_sid))
703 return 1;
704
705 /* check if we were passed the same options twice,
706 * aka someone passed context=a,context=b
707 */
708 if (!(sbsec->flags & SE_SBINITIALIZED))
709 if (mnt_flags & flag)
710 return 1;
711 return 0;
712 }
713
714 /*
715 * Allow filesystems with binary mount data to explicitly set mount point
716 * labeling information.
717 */
718 static int selinux_set_mnt_opts(struct super_block *sb,
719 struct security_mnt_opts *opts,
720 unsigned long kern_flags,
721 unsigned long *set_kern_flags)
722 {
723 const struct cred *cred = current_cred();
724 int rc = 0, i;
725 struct superblock_security_struct *sbsec = sb->s_security;
726 const char *name = sb->s_type->name;
727 struct dentry *root = sbsec->sb->s_root;
728 struct inode_security_struct *root_isec;
729 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
730 u32 defcontext_sid = 0;
731 char **mount_options = opts->mnt_opts;
732 int *flags = opts->mnt_opts_flags;
733 int num_opts = opts->num_mnt_opts;
734
735 mutex_lock(&sbsec->lock);
736
737 if (!selinux_state.initialized) {
738 if (!num_opts) {
739 /* Defer initialization until selinux_complete_init,
740 after the initial policy is loaded and the security
741 server is ready to handle calls. */
742 goto out;
743 }
744 rc = -EINVAL;
745 printk(KERN_WARNING "SELinux: Unable to set superblock options "
746 "before the security server is initialized\n");
747 goto out;
748 }
749 if (kern_flags && !set_kern_flags) {
750 /* Specifying internal flags without providing a place to
751 * place the results is not allowed */
752 rc = -EINVAL;
753 goto out;
754 }
755
756 /*
757 * Binary mount data FS will come through this function twice. Once
758 * from an explicit call and once from the generic calls from the vfs.
759 * Since the generic VFS calls will not contain any security mount data
760 * we need to skip the double mount verification.
761 *
762 * This does open a hole in which we will not notice if the first
763 * mount using this sb set explict options and a second mount using
764 * this sb does not set any security options. (The first options
765 * will be used for both mounts)
766 */
767 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
768 && (num_opts == 0))
769 goto out;
770
771 root_isec = backing_inode_security_novalidate(root);
772
773 /*
774 * parse the mount options, check if they are valid sids.
775 * also check if someone is trying to mount the same sb more
776 * than once with different security options.
777 */
778 for (i = 0; i < num_opts; i++) {
779 u32 sid;
780
781 if (flags[i] == SBLABEL_MNT)
782 continue;
783 rc = security_context_str_to_sid(&selinux_state,
784 mount_options[i], &sid,
785 GFP_KERNEL);
786 if (rc) {
787 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
788 "(%s) failed for (dev %s, type %s) errno=%d\n",
789 mount_options[i], sb->s_id, name, rc);
790 goto out;
791 }
792 switch (flags[i]) {
793 case FSCONTEXT_MNT:
794 fscontext_sid = sid;
795
796 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
797 fscontext_sid))
798 goto out_double_mount;
799
800 sbsec->flags |= FSCONTEXT_MNT;
801 break;
802 case CONTEXT_MNT:
803 context_sid = sid;
804
805 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
806 context_sid))
807 goto out_double_mount;
808
809 sbsec->flags |= CONTEXT_MNT;
810 break;
811 case ROOTCONTEXT_MNT:
812 rootcontext_sid = sid;
813
814 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
815 rootcontext_sid))
816 goto out_double_mount;
817
818 sbsec->flags |= ROOTCONTEXT_MNT;
819
820 break;
821 case DEFCONTEXT_MNT:
822 defcontext_sid = sid;
823
824 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
825 defcontext_sid))
826 goto out_double_mount;
827
828 sbsec->flags |= DEFCONTEXT_MNT;
829
830 break;
831 default:
832 rc = -EINVAL;
833 goto out;
834 }
835 }
836
837 if (sbsec->flags & SE_SBINITIALIZED) {
838 /* previously mounted with options, but not on this attempt? */
839 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
840 goto out_double_mount;
841 rc = 0;
842 goto out;
843 }
844
845 if (strcmp(sb->s_type->name, "proc") == 0)
846 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
847
848 if (!strcmp(sb->s_type->name, "debugfs") ||
849 !strcmp(sb->s_type->name, "tracefs") ||
850 !strcmp(sb->s_type->name, "sysfs") ||
851 !strcmp(sb->s_type->name, "pstore") ||
852 !strcmp(sb->s_type->name, "cgroup") ||
853 !strcmp(sb->s_type->name, "cgroup2"))
854 sbsec->flags |= SE_SBGENFS;
855
856 if (!sbsec->behavior) {
857 /*
858 * Determine the labeling behavior to use for this
859 * filesystem type.
860 */
861 rc = security_fs_use(&selinux_state, sb);
862 if (rc) {
863 printk(KERN_WARNING
864 "%s: security_fs_use(%s) returned %d\n",
865 __func__, sb->s_type->name, rc);
866 goto out;
867 }
868 }
869
870 /*
871 * If this is a user namespace mount and the filesystem type is not
872 * explicitly whitelisted, then no contexts are allowed on the command
873 * line and security labels must be ignored.
874 */
875 if (sb->s_user_ns != &init_user_ns &&
876 strcmp(sb->s_type->name, "tmpfs") &&
877 strcmp(sb->s_type->name, "ramfs") &&
878 strcmp(sb->s_type->name, "devpts")) {
879 if (context_sid || fscontext_sid || rootcontext_sid ||
880 defcontext_sid) {
881 rc = -EACCES;
882 goto out;
883 }
884 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
885 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
886 rc = security_transition_sid(&selinux_state,
887 current_sid(),
888 current_sid(),
889 SECCLASS_FILE, NULL,
890 &sbsec->mntpoint_sid);
891 if (rc)
892 goto out;
893 }
894 goto out_set_opts;
895 }
896
897 /* sets the context of the superblock for the fs being mounted. */
898 if (fscontext_sid) {
899 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
900 if (rc)
901 goto out;
902
903 sbsec->sid = fscontext_sid;
904 }
905
906 /*
907 * Switch to using mount point labeling behavior.
908 * sets the label used on all file below the mountpoint, and will set
909 * the superblock context if not already set.
910 */
911 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
912 sbsec->behavior = SECURITY_FS_USE_NATIVE;
913 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
914 }
915
916 if (context_sid) {
917 if (!fscontext_sid) {
918 rc = may_context_mount_sb_relabel(context_sid, sbsec,
919 cred);
920 if (rc)
921 goto out;
922 sbsec->sid = context_sid;
923 } else {
924 rc = may_context_mount_inode_relabel(context_sid, sbsec,
925 cred);
926 if (rc)
927 goto out;
928 }
929 if (!rootcontext_sid)
930 rootcontext_sid = context_sid;
931
932 sbsec->mntpoint_sid = context_sid;
933 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
934 }
935
936 if (rootcontext_sid) {
937 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
938 cred);
939 if (rc)
940 goto out;
941
942 root_isec->sid = rootcontext_sid;
943 root_isec->initialized = LABEL_INITIALIZED;
944 }
945
946 if (defcontext_sid) {
947 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
948 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
949 rc = -EINVAL;
950 printk(KERN_WARNING "SELinux: defcontext option is "
951 "invalid for this filesystem type\n");
952 goto out;
953 }
954
955 if (defcontext_sid != sbsec->def_sid) {
956 rc = may_context_mount_inode_relabel(defcontext_sid,
957 sbsec, cred);
958 if (rc)
959 goto out;
960 }
961
962 sbsec->def_sid = defcontext_sid;
963 }
964
965 out_set_opts:
966 rc = sb_finish_set_opts(sb);
967 out:
968 mutex_unlock(&sbsec->lock);
969 return rc;
970 out_double_mount:
971 rc = -EINVAL;
972 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
973 "security settings for (dev %s, type %s)\n", sb->s_id, name);
974 goto out;
975 }
976
977 static int selinux_cmp_sb_context(const struct super_block *oldsb,
978 const struct super_block *newsb)
979 {
980 struct superblock_security_struct *old = oldsb->s_security;
981 struct superblock_security_struct *new = newsb->s_security;
982 char oldflags = old->flags & SE_MNTMASK;
983 char newflags = new->flags & SE_MNTMASK;
984
985 if (oldflags != newflags)
986 goto mismatch;
987 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
988 goto mismatch;
989 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
990 goto mismatch;
991 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
992 goto mismatch;
993 if (oldflags & ROOTCONTEXT_MNT) {
994 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
995 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
996 if (oldroot->sid != newroot->sid)
997 goto mismatch;
998 }
999 return 0;
1000 mismatch:
1001 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
1002 "different security settings for (dev %s, "
1003 "type %s)\n", newsb->s_id, newsb->s_type->name);
1004 return -EBUSY;
1005 }
1006
1007 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1008 struct super_block *newsb,
1009 unsigned long kern_flags,
1010 unsigned long *set_kern_flags)
1011 {
1012 int rc = 0;
1013 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1014 struct superblock_security_struct *newsbsec = newsb->s_security;
1015
1016 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1017 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1018 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1019
1020 /*
1021 * if the parent was able to be mounted it clearly had no special lsm
1022 * mount options. thus we can safely deal with this superblock later
1023 */
1024 if (!selinux_state.initialized)
1025 return 0;
1026
1027 /*
1028 * Specifying internal flags without providing a place to
1029 * place the results is not allowed.
1030 */
1031 if (kern_flags && !set_kern_flags)
1032 return -EINVAL;
1033
1034 /* how can we clone if the old one wasn't set up?? */
1035 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1036
1037 /* if fs is reusing a sb, make sure that the contexts match */
1038 if (newsbsec->flags & SE_SBINITIALIZED)
1039 return selinux_cmp_sb_context(oldsb, newsb);
1040
1041 mutex_lock(&newsbsec->lock);
1042
1043 newsbsec->flags = oldsbsec->flags;
1044
1045 newsbsec->sid = oldsbsec->sid;
1046 newsbsec->def_sid = oldsbsec->def_sid;
1047 newsbsec->behavior = oldsbsec->behavior;
1048
1049 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1050 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1051 rc = security_fs_use(&selinux_state, newsb);
1052 if (rc)
1053 goto out;
1054 }
1055
1056 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1057 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1058 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1059 }
1060
1061 if (set_context) {
1062 u32 sid = oldsbsec->mntpoint_sid;
1063
1064 if (!set_fscontext)
1065 newsbsec->sid = sid;
1066 if (!set_rootcontext) {
1067 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1068 newisec->sid = sid;
1069 }
1070 newsbsec->mntpoint_sid = sid;
1071 }
1072 if (set_rootcontext) {
1073 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1074 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1075
1076 newisec->sid = oldisec->sid;
1077 }
1078
1079 sb_finish_set_opts(newsb);
1080 out:
1081 mutex_unlock(&newsbsec->lock);
1082 return rc;
1083 }
1084
1085 static int selinux_parse_opts_str(char *options,
1086 struct security_mnt_opts *opts)
1087 {
1088 char *p;
1089 char *context = NULL, *defcontext = NULL;
1090 char *fscontext = NULL, *rootcontext = NULL;
1091 int rc, num_mnt_opts = 0;
1092
1093 opts->num_mnt_opts = 0;
1094
1095 /* Standard string-based options. */
1096 while ((p = strsep(&options, "|")) != NULL) {
1097 int token;
1098 substring_t args[MAX_OPT_ARGS];
1099
1100 if (!*p)
1101 continue;
1102
1103 token = match_token(p, tokens, args);
1104
1105 switch (token) {
1106 case Opt_context:
1107 if (context || defcontext) {
1108 rc = -EINVAL;
1109 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1110 goto out_err;
1111 }
1112 context = match_strdup(&args[0]);
1113 if (!context) {
1114 rc = -ENOMEM;
1115 goto out_err;
1116 }
1117 break;
1118
1119 case Opt_fscontext:
1120 if (fscontext) {
1121 rc = -EINVAL;
1122 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1123 goto out_err;
1124 }
1125 fscontext = match_strdup(&args[0]);
1126 if (!fscontext) {
1127 rc = -ENOMEM;
1128 goto out_err;
1129 }
1130 break;
1131
1132 case Opt_rootcontext:
1133 if (rootcontext) {
1134 rc = -EINVAL;
1135 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1136 goto out_err;
1137 }
1138 rootcontext = match_strdup(&args[0]);
1139 if (!rootcontext) {
1140 rc = -ENOMEM;
1141 goto out_err;
1142 }
1143 break;
1144
1145 case Opt_defcontext:
1146 if (context || defcontext) {
1147 rc = -EINVAL;
1148 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1149 goto out_err;
1150 }
1151 defcontext = match_strdup(&args[0]);
1152 if (!defcontext) {
1153 rc = -ENOMEM;
1154 goto out_err;
1155 }
1156 break;
1157 case Opt_labelsupport:
1158 break;
1159 default:
1160 rc = -EINVAL;
1161 printk(KERN_WARNING "SELinux: unknown mount option\n");
1162 goto out_err;
1163
1164 }
1165 }
1166
1167 rc = -ENOMEM;
1168 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1169 if (!opts->mnt_opts)
1170 goto out_err;
1171
1172 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1173 GFP_KERNEL);
1174 if (!opts->mnt_opts_flags)
1175 goto out_err;
1176
1177 if (fscontext) {
1178 opts->mnt_opts[num_mnt_opts] = fscontext;
1179 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1180 }
1181 if (context) {
1182 opts->mnt_opts[num_mnt_opts] = context;
1183 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1184 }
1185 if (rootcontext) {
1186 opts->mnt_opts[num_mnt_opts] = rootcontext;
1187 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1188 }
1189 if (defcontext) {
1190 opts->mnt_opts[num_mnt_opts] = defcontext;
1191 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1192 }
1193
1194 opts->num_mnt_opts = num_mnt_opts;
1195 return 0;
1196
1197 out_err:
1198 security_free_mnt_opts(opts);
1199 kfree(context);
1200 kfree(defcontext);
1201 kfree(fscontext);
1202 kfree(rootcontext);
1203 return rc;
1204 }
1205 /*
1206 * string mount options parsing and call set the sbsec
1207 */
1208 static int superblock_doinit(struct super_block *sb, void *data)
1209 {
1210 int rc = 0;
1211 char *options = data;
1212 struct security_mnt_opts opts;
1213
1214 security_init_mnt_opts(&opts);
1215
1216 if (!data)
1217 goto out;
1218
1219 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1220
1221 rc = selinux_parse_opts_str(options, &opts);
1222 if (rc)
1223 goto out_err;
1224
1225 out:
1226 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1227
1228 out_err:
1229 security_free_mnt_opts(&opts);
1230 return rc;
1231 }
1232
1233 static void selinux_write_opts(struct seq_file *m,
1234 struct security_mnt_opts *opts)
1235 {
1236 int i;
1237 char *prefix;
1238
1239 for (i = 0; i < opts->num_mnt_opts; i++) {
1240 char *has_comma;
1241
1242 if (opts->mnt_opts[i])
1243 has_comma = strchr(opts->mnt_opts[i], ',');
1244 else
1245 has_comma = NULL;
1246
1247 switch (opts->mnt_opts_flags[i]) {
1248 case CONTEXT_MNT:
1249 prefix = CONTEXT_STR;
1250 break;
1251 case FSCONTEXT_MNT:
1252 prefix = FSCONTEXT_STR;
1253 break;
1254 case ROOTCONTEXT_MNT:
1255 prefix = ROOTCONTEXT_STR;
1256 break;
1257 case DEFCONTEXT_MNT:
1258 prefix = DEFCONTEXT_STR;
1259 break;
1260 case SBLABEL_MNT:
1261 seq_putc(m, ',');
1262 seq_puts(m, LABELSUPP_STR);
1263 continue;
1264 default:
1265 BUG();
1266 return;
1267 };
1268 /* we need a comma before each option */
1269 seq_putc(m, ',');
1270 seq_puts(m, prefix);
1271 if (has_comma)
1272 seq_putc(m, '\"');
1273 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1274 if (has_comma)
1275 seq_putc(m, '\"');
1276 }
1277 }
1278
1279 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1280 {
1281 struct security_mnt_opts opts;
1282 int rc;
1283
1284 rc = selinux_get_mnt_opts(sb, &opts);
1285 if (rc) {
1286 /* before policy load we may get EINVAL, don't show anything */
1287 if (rc == -EINVAL)
1288 rc = 0;
1289 return rc;
1290 }
1291
1292 selinux_write_opts(m, &opts);
1293
1294 security_free_mnt_opts(&opts);
1295
1296 return rc;
1297 }
1298
1299 static inline u16 inode_mode_to_security_class(umode_t mode)
1300 {
1301 switch (mode & S_IFMT) {
1302 case S_IFSOCK:
1303 return SECCLASS_SOCK_FILE;
1304 case S_IFLNK:
1305 return SECCLASS_LNK_FILE;
1306 case S_IFREG:
1307 return SECCLASS_FILE;
1308 case S_IFBLK:
1309 return SECCLASS_BLK_FILE;
1310 case S_IFDIR:
1311 return SECCLASS_DIR;
1312 case S_IFCHR:
1313 return SECCLASS_CHR_FILE;
1314 case S_IFIFO:
1315 return SECCLASS_FIFO_FILE;
1316
1317 }
1318
1319 return SECCLASS_FILE;
1320 }
1321
1322 static inline int default_protocol_stream(int protocol)
1323 {
1324 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1325 }
1326
1327 static inline int default_protocol_dgram(int protocol)
1328 {
1329 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1330 }
1331
1332 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1333 {
1334 int extsockclass = selinux_policycap_extsockclass();
1335
1336 switch (family) {
1337 case PF_UNIX:
1338 switch (type) {
1339 case SOCK_STREAM:
1340 case SOCK_SEQPACKET:
1341 return SECCLASS_UNIX_STREAM_SOCKET;
1342 case SOCK_DGRAM:
1343 case SOCK_RAW:
1344 return SECCLASS_UNIX_DGRAM_SOCKET;
1345 }
1346 break;
1347 case PF_INET:
1348 case PF_INET6:
1349 switch (type) {
1350 case SOCK_STREAM:
1351 case SOCK_SEQPACKET:
1352 if (default_protocol_stream(protocol))
1353 return SECCLASS_TCP_SOCKET;
1354 else if (extsockclass && protocol == IPPROTO_SCTP)
1355 return SECCLASS_SCTP_SOCKET;
1356 else
1357 return SECCLASS_RAWIP_SOCKET;
1358 case SOCK_DGRAM:
1359 if (default_protocol_dgram(protocol))
1360 return SECCLASS_UDP_SOCKET;
1361 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1362 protocol == IPPROTO_ICMPV6))
1363 return SECCLASS_ICMP_SOCKET;
1364 else
1365 return SECCLASS_RAWIP_SOCKET;
1366 case SOCK_DCCP:
1367 return SECCLASS_DCCP_SOCKET;
1368 default:
1369 return SECCLASS_RAWIP_SOCKET;
1370 }
1371 break;
1372 case PF_NETLINK:
1373 switch (protocol) {
1374 case NETLINK_ROUTE:
1375 return SECCLASS_NETLINK_ROUTE_SOCKET;
1376 case NETLINK_SOCK_DIAG:
1377 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1378 case NETLINK_NFLOG:
1379 return SECCLASS_NETLINK_NFLOG_SOCKET;
1380 case NETLINK_XFRM:
1381 return SECCLASS_NETLINK_XFRM_SOCKET;
1382 case NETLINK_SELINUX:
1383 return SECCLASS_NETLINK_SELINUX_SOCKET;
1384 case NETLINK_ISCSI:
1385 return SECCLASS_NETLINK_ISCSI_SOCKET;
1386 case NETLINK_AUDIT:
1387 return SECCLASS_NETLINK_AUDIT_SOCKET;
1388 case NETLINK_FIB_LOOKUP:
1389 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1390 case NETLINK_CONNECTOR:
1391 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1392 case NETLINK_NETFILTER:
1393 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1394 case NETLINK_DNRTMSG:
1395 return SECCLASS_NETLINK_DNRT_SOCKET;
1396 case NETLINK_KOBJECT_UEVENT:
1397 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1398 case NETLINK_GENERIC:
1399 return SECCLASS_NETLINK_GENERIC_SOCKET;
1400 case NETLINK_SCSITRANSPORT:
1401 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1402 case NETLINK_RDMA:
1403 return SECCLASS_NETLINK_RDMA_SOCKET;
1404 case NETLINK_CRYPTO:
1405 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1406 default:
1407 return SECCLASS_NETLINK_SOCKET;
1408 }
1409 case PF_PACKET:
1410 return SECCLASS_PACKET_SOCKET;
1411 case PF_KEY:
1412 return SECCLASS_KEY_SOCKET;
1413 case PF_APPLETALK:
1414 return SECCLASS_APPLETALK_SOCKET;
1415 }
1416
1417 if (extsockclass) {
1418 switch (family) {
1419 case PF_AX25:
1420 return SECCLASS_AX25_SOCKET;
1421 case PF_IPX:
1422 return SECCLASS_IPX_SOCKET;
1423 case PF_NETROM:
1424 return SECCLASS_NETROM_SOCKET;
1425 case PF_ATMPVC:
1426 return SECCLASS_ATMPVC_SOCKET;
1427 case PF_X25:
1428 return SECCLASS_X25_SOCKET;
1429 case PF_ROSE:
1430 return SECCLASS_ROSE_SOCKET;
1431 case PF_DECnet:
1432 return SECCLASS_DECNET_SOCKET;
1433 case PF_ATMSVC:
1434 return SECCLASS_ATMSVC_SOCKET;
1435 case PF_RDS:
1436 return SECCLASS_RDS_SOCKET;
1437 case PF_IRDA:
1438 return SECCLASS_IRDA_SOCKET;
1439 case PF_PPPOX:
1440 return SECCLASS_PPPOX_SOCKET;
1441 case PF_LLC:
1442 return SECCLASS_LLC_SOCKET;
1443 case PF_CAN:
1444 return SECCLASS_CAN_SOCKET;
1445 case PF_TIPC:
1446 return SECCLASS_TIPC_SOCKET;
1447 case PF_BLUETOOTH:
1448 return SECCLASS_BLUETOOTH_SOCKET;
1449 case PF_IUCV:
1450 return SECCLASS_IUCV_SOCKET;
1451 case PF_RXRPC:
1452 return SECCLASS_RXRPC_SOCKET;
1453 case PF_ISDN:
1454 return SECCLASS_ISDN_SOCKET;
1455 case PF_PHONET:
1456 return SECCLASS_PHONET_SOCKET;
1457 case PF_IEEE802154:
1458 return SECCLASS_IEEE802154_SOCKET;
1459 case PF_CAIF:
1460 return SECCLASS_CAIF_SOCKET;
1461 case PF_ALG:
1462 return SECCLASS_ALG_SOCKET;
1463 case PF_NFC:
1464 return SECCLASS_NFC_SOCKET;
1465 case PF_VSOCK:
1466 return SECCLASS_VSOCK_SOCKET;
1467 case PF_KCM:
1468 return SECCLASS_KCM_SOCKET;
1469 case PF_QIPCRTR:
1470 return SECCLASS_QIPCRTR_SOCKET;
1471 case PF_SMC:
1472 return SECCLASS_SMC_SOCKET;
1473 #if PF_MAX > 44
1474 #error New address family defined, please update this function.
1475 #endif
1476 }
1477 }
1478
1479 return SECCLASS_SOCKET;
1480 }
1481
1482 static int selinux_genfs_get_sid(struct dentry *dentry,
1483 u16 tclass,
1484 u16 flags,
1485 u32 *sid)
1486 {
1487 int rc;
1488 struct super_block *sb = dentry->d_sb;
1489 char *buffer, *path;
1490
1491 buffer = (char *)__get_free_page(GFP_KERNEL);
1492 if (!buffer)
1493 return -ENOMEM;
1494
1495 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1496 if (IS_ERR(path))
1497 rc = PTR_ERR(path);
1498 else {
1499 if (flags & SE_SBPROC) {
1500 /* each process gets a /proc/PID/ entry. Strip off the
1501 * PID part to get a valid selinux labeling.
1502 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1503 while (path[1] >= '0' && path[1] <= '9') {
1504 path[1] = '/';
1505 path++;
1506 }
1507 }
1508 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1509 path, tclass, sid);
1510 }
1511 free_page((unsigned long)buffer);
1512 return rc;
1513 }
1514
1515 /* The inode's security attributes must be initialized before first use. */
1516 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1517 {
1518 struct superblock_security_struct *sbsec = NULL;
1519 struct inode_security_struct *isec = inode->i_security;
1520 u32 task_sid, sid = 0;
1521 u16 sclass;
1522 struct dentry *dentry;
1523 #define INITCONTEXTLEN 255
1524 char *context = NULL;
1525 unsigned len = 0;
1526 int rc = 0;
1527
1528 if (isec->initialized == LABEL_INITIALIZED)
1529 return 0;
1530
1531 spin_lock(&isec->lock);
1532 if (isec->initialized == LABEL_INITIALIZED)
1533 goto out_unlock;
1534
1535 if (isec->sclass == SECCLASS_FILE)
1536 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1537
1538 sbsec = inode->i_sb->s_security;
1539 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1540 /* Defer initialization until selinux_complete_init,
1541 after the initial policy is loaded and the security
1542 server is ready to handle calls. */
1543 spin_lock(&sbsec->isec_lock);
1544 if (list_empty(&isec->list))
1545 list_add(&isec->list, &sbsec->isec_head);
1546 spin_unlock(&sbsec->isec_lock);
1547 goto out_unlock;
1548 }
1549
1550 sclass = isec->sclass;
1551 task_sid = isec->task_sid;
1552 sid = isec->sid;
1553 isec->initialized = LABEL_PENDING;
1554 spin_unlock(&isec->lock);
1555
1556 switch (sbsec->behavior) {
1557 case SECURITY_FS_USE_NATIVE:
1558 break;
1559 case SECURITY_FS_USE_XATTR:
1560 if (!(inode->i_opflags & IOP_XATTR)) {
1561 sid = sbsec->def_sid;
1562 break;
1563 }
1564 /* Need a dentry, since the xattr API requires one.
1565 Life would be simpler if we could just pass the inode. */
1566 if (opt_dentry) {
1567 /* Called from d_instantiate or d_splice_alias. */
1568 dentry = dget(opt_dentry);
1569 } else {
1570 /*
1571 * Called from selinux_complete_init, try to find a dentry.
1572 * Some filesystems really want a connected one, so try
1573 * that first. We could split SECURITY_FS_USE_XATTR in
1574 * two, depending upon that...
1575 */
1576 dentry = d_find_alias(inode);
1577 if (!dentry)
1578 dentry = d_find_any_alias(inode);
1579 }
1580 if (!dentry) {
1581 /*
1582 * this is can be hit on boot when a file is accessed
1583 * before the policy is loaded. When we load policy we
1584 * may find inodes that have no dentry on the
1585 * sbsec->isec_head list. No reason to complain as these
1586 * will get fixed up the next time we go through
1587 * inode_doinit with a dentry, before these inodes could
1588 * be used again by userspace.
1589 */
1590 goto out;
1591 }
1592
1593 len = INITCONTEXTLEN;
1594 context = kmalloc(len+1, GFP_NOFS);
1595 if (!context) {
1596 rc = -ENOMEM;
1597 dput(dentry);
1598 goto out;
1599 }
1600 context[len] = '\0';
1601 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1602 if (rc == -ERANGE) {
1603 kfree(context);
1604
1605 /* Need a larger buffer. Query for the right size. */
1606 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1607 if (rc < 0) {
1608 dput(dentry);
1609 goto out;
1610 }
1611 len = rc;
1612 context = kmalloc(len+1, GFP_NOFS);
1613 if (!context) {
1614 rc = -ENOMEM;
1615 dput(dentry);
1616 goto out;
1617 }
1618 context[len] = '\0';
1619 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1620 }
1621 dput(dentry);
1622 if (rc < 0) {
1623 if (rc != -ENODATA) {
1624 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1625 "%d for dev=%s ino=%ld\n", __func__,
1626 -rc, inode->i_sb->s_id, inode->i_ino);
1627 kfree(context);
1628 goto out;
1629 }
1630 /* Map ENODATA to the default file SID */
1631 sid = sbsec->def_sid;
1632 rc = 0;
1633 } else {
1634 rc = security_context_to_sid_default(&selinux_state,
1635 context, rc, &sid,
1636 sbsec->def_sid,
1637 GFP_NOFS);
1638 if (rc) {
1639 char *dev = inode->i_sb->s_id;
1640 unsigned long ino = inode->i_ino;
1641
1642 if (rc == -EINVAL) {
1643 if (printk_ratelimit())
1644 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1645 "context=%s. This indicates you may need to relabel the inode or the "
1646 "filesystem in question.\n", ino, dev, context);
1647 } else {
1648 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1649 "returned %d for dev=%s ino=%ld\n",
1650 __func__, context, -rc, dev, ino);
1651 }
1652 kfree(context);
1653 /* Leave with the unlabeled SID */
1654 rc = 0;
1655 break;
1656 }
1657 }
1658 kfree(context);
1659 break;
1660 case SECURITY_FS_USE_TASK:
1661 sid = task_sid;
1662 break;
1663 case SECURITY_FS_USE_TRANS:
1664 /* Default to the fs SID. */
1665 sid = sbsec->sid;
1666
1667 /* Try to obtain a transition SID. */
1668 rc = security_transition_sid(&selinux_state, task_sid, sid,
1669 sclass, NULL, &sid);
1670 if (rc)
1671 goto out;
1672 break;
1673 case SECURITY_FS_USE_MNTPOINT:
1674 sid = sbsec->mntpoint_sid;
1675 break;
1676 default:
1677 /* Default to the fs superblock SID. */
1678 sid = sbsec->sid;
1679
1680 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1681 /* We must have a dentry to determine the label on
1682 * procfs inodes */
1683 if (opt_dentry) {
1684 /* Called from d_instantiate or
1685 * d_splice_alias. */
1686 dentry = dget(opt_dentry);
1687 } else {
1688 /* Called from selinux_complete_init, try to
1689 * find a dentry. Some filesystems really want
1690 * a connected one, so try that first.
1691 */
1692 dentry = d_find_alias(inode);
1693 if (!dentry)
1694 dentry = d_find_any_alias(inode);
1695 }
1696 /*
1697 * This can be hit on boot when a file is accessed
1698 * before the policy is loaded. When we load policy we
1699 * may find inodes that have no dentry on the
1700 * sbsec->isec_head list. No reason to complain as
1701 * these will get fixed up the next time we go through
1702 * inode_doinit() with a dentry, before these inodes
1703 * could be used again by userspace.
1704 */
1705 if (!dentry)
1706 goto out;
1707 rc = selinux_genfs_get_sid(dentry, sclass,
1708 sbsec->flags, &sid);
1709 dput(dentry);
1710 if (rc)
1711 goto out;
1712 }
1713 break;
1714 }
1715
1716 out:
1717 spin_lock(&isec->lock);
1718 if (isec->initialized == LABEL_PENDING) {
1719 if (!sid || rc) {
1720 isec->initialized = LABEL_INVALID;
1721 goto out_unlock;
1722 }
1723
1724 isec->initialized = LABEL_INITIALIZED;
1725 isec->sid = sid;
1726 }
1727
1728 out_unlock:
1729 spin_unlock(&isec->lock);
1730 return rc;
1731 }
1732
1733 /* Convert a Linux signal to an access vector. */
1734 static inline u32 signal_to_av(int sig)
1735 {
1736 u32 perm = 0;
1737
1738 switch (sig) {
1739 case SIGCHLD:
1740 /* Commonly granted from child to parent. */
1741 perm = PROCESS__SIGCHLD;
1742 break;
1743 case SIGKILL:
1744 /* Cannot be caught or ignored */
1745 perm = PROCESS__SIGKILL;
1746 break;
1747 case SIGSTOP:
1748 /* Cannot be caught or ignored */
1749 perm = PROCESS__SIGSTOP;
1750 break;
1751 default:
1752 /* All other signals. */
1753 perm = PROCESS__SIGNAL;
1754 break;
1755 }
1756
1757 return perm;
1758 }
1759
1760 #if CAP_LAST_CAP > 63
1761 #error Fix SELinux to handle capabilities > 63.
1762 #endif
1763
1764 /* Check whether a task is allowed to use a capability. */
1765 static int cred_has_capability(const struct cred *cred,
1766 int cap, int audit, bool initns)
1767 {
1768 struct common_audit_data ad;
1769 struct av_decision avd;
1770 u16 sclass;
1771 u32 sid = cred_sid(cred);
1772 u32 av = CAP_TO_MASK(cap);
1773 int rc;
1774
1775 ad.type = LSM_AUDIT_DATA_CAP;
1776 ad.u.cap = cap;
1777
1778 switch (CAP_TO_INDEX(cap)) {
1779 case 0:
1780 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1781 break;
1782 case 1:
1783 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1784 break;
1785 default:
1786 printk(KERN_ERR
1787 "SELinux: out of range capability %d\n", cap);
1788 BUG();
1789 return -EINVAL;
1790 }
1791
1792 rc = avc_has_perm_noaudit(&selinux_state,
1793 sid, sid, sclass, av, 0, &avd);
1794 if (audit == SECURITY_CAP_AUDIT) {
1795 int rc2 = avc_audit(&selinux_state,
1796 sid, sid, sclass, av, &avd, rc, &ad, 0);
1797 if (rc2)
1798 return rc2;
1799 }
1800 return rc;
1801 }
1802
1803 /* Check whether a task has a particular permission to an inode.
1804 The 'adp' parameter is optional and allows other audit
1805 data to be passed (e.g. the dentry). */
1806 static int inode_has_perm(const struct cred *cred,
1807 struct inode *inode,
1808 u32 perms,
1809 struct common_audit_data *adp)
1810 {
1811 struct inode_security_struct *isec;
1812 u32 sid;
1813
1814 validate_creds(cred);
1815
1816 if (unlikely(IS_PRIVATE(inode)))
1817 return 0;
1818
1819 sid = cred_sid(cred);
1820 isec = inode->i_security;
1821
1822 return avc_has_perm(&selinux_state,
1823 sid, isec->sid, isec->sclass, perms, adp);
1824 }
1825
1826 /* Same as inode_has_perm, but pass explicit audit data containing
1827 the dentry to help the auditing code to more easily generate the
1828 pathname if needed. */
1829 static inline int dentry_has_perm(const struct cred *cred,
1830 struct dentry *dentry,
1831 u32 av)
1832 {
1833 struct inode *inode = d_backing_inode(dentry);
1834 struct common_audit_data ad;
1835
1836 ad.type = LSM_AUDIT_DATA_DENTRY;
1837 ad.u.dentry = dentry;
1838 __inode_security_revalidate(inode, dentry, true);
1839 return inode_has_perm(cred, inode, av, &ad);
1840 }
1841
1842 /* Same as inode_has_perm, but pass explicit audit data containing
1843 the path to help the auditing code to more easily generate the
1844 pathname if needed. */
1845 static inline int path_has_perm(const struct cred *cred,
1846 const struct path *path,
1847 u32 av)
1848 {
1849 struct inode *inode = d_backing_inode(path->dentry);
1850 struct common_audit_data ad;
1851
1852 ad.type = LSM_AUDIT_DATA_PATH;
1853 ad.u.path = *path;
1854 __inode_security_revalidate(inode, path->dentry, true);
1855 return inode_has_perm(cred, inode, av, &ad);
1856 }
1857
1858 /* Same as path_has_perm, but uses the inode from the file struct. */
1859 static inline int file_path_has_perm(const struct cred *cred,
1860 struct file *file,
1861 u32 av)
1862 {
1863 struct common_audit_data ad;
1864
1865 ad.type = LSM_AUDIT_DATA_FILE;
1866 ad.u.file = file;
1867 return inode_has_perm(cred, file_inode(file), av, &ad);
1868 }
1869
1870 #ifdef CONFIG_BPF_SYSCALL
1871 static int bpf_fd_pass(struct file *file, u32 sid);
1872 #endif
1873
1874 /* Check whether a task can use an open file descriptor to
1875 access an inode in a given way. Check access to the
1876 descriptor itself, and then use dentry_has_perm to
1877 check a particular permission to the file.
1878 Access to the descriptor is implicitly granted if it
1879 has the same SID as the process. If av is zero, then
1880 access to the file is not checked, e.g. for cases
1881 where only the descriptor is affected like seek. */
1882 static int file_has_perm(const struct cred *cred,
1883 struct file *file,
1884 u32 av)
1885 {
1886 struct file_security_struct *fsec = file->f_security;
1887 struct inode *inode = file_inode(file);
1888 struct common_audit_data ad;
1889 u32 sid = cred_sid(cred);
1890 int rc;
1891
1892 ad.type = LSM_AUDIT_DATA_FILE;
1893 ad.u.file = file;
1894
1895 if (sid != fsec->sid) {
1896 rc = avc_has_perm(&selinux_state,
1897 sid, fsec->sid,
1898 SECCLASS_FD,
1899 FD__USE,
1900 &ad);
1901 if (rc)
1902 goto out;
1903 }
1904
1905 #ifdef CONFIG_BPF_SYSCALL
1906 rc = bpf_fd_pass(file, cred_sid(cred));
1907 if (rc)
1908 return rc;
1909 #endif
1910
1911 /* av is zero if only checking access to the descriptor. */
1912 rc = 0;
1913 if (av)
1914 rc = inode_has_perm(cred, inode, av, &ad);
1915
1916 out:
1917 return rc;
1918 }
1919
1920 /*
1921 * Determine the label for an inode that might be unioned.
1922 */
1923 static int
1924 selinux_determine_inode_label(const struct task_security_struct *tsec,
1925 struct inode *dir,
1926 const struct qstr *name, u16 tclass,
1927 u32 *_new_isid)
1928 {
1929 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1930
1931 if ((sbsec->flags & SE_SBINITIALIZED) &&
1932 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1933 *_new_isid = sbsec->mntpoint_sid;
1934 } else if ((sbsec->flags & SBLABEL_MNT) &&
1935 tsec->create_sid) {
1936 *_new_isid = tsec->create_sid;
1937 } else {
1938 const struct inode_security_struct *dsec = inode_security(dir);
1939 return security_transition_sid(&selinux_state, tsec->sid,
1940 dsec->sid, tclass,
1941 name, _new_isid);
1942 }
1943
1944 return 0;
1945 }
1946
1947 /* Check whether a task can create a file. */
1948 static int may_create(struct inode *dir,
1949 struct dentry *dentry,
1950 u16 tclass)
1951 {
1952 const struct task_security_struct *tsec = current_security();
1953 struct inode_security_struct *dsec;
1954 struct superblock_security_struct *sbsec;
1955 u32 sid, newsid;
1956 struct common_audit_data ad;
1957 int rc;
1958
1959 dsec = inode_security(dir);
1960 sbsec = dir->i_sb->s_security;
1961
1962 sid = tsec->sid;
1963
1964 ad.type = LSM_AUDIT_DATA_DENTRY;
1965 ad.u.dentry = dentry;
1966
1967 rc = avc_has_perm(&selinux_state,
1968 sid, dsec->sid, SECCLASS_DIR,
1969 DIR__ADD_NAME | DIR__SEARCH,
1970 &ad);
1971 if (rc)
1972 return rc;
1973
1974 rc = selinux_determine_inode_label(current_security(), dir,
1975 &dentry->d_name, tclass, &newsid);
1976 if (rc)
1977 return rc;
1978
1979 rc = avc_has_perm(&selinux_state,
1980 sid, newsid, tclass, FILE__CREATE, &ad);
1981 if (rc)
1982 return rc;
1983
1984 return avc_has_perm(&selinux_state,
1985 newsid, sbsec->sid,
1986 SECCLASS_FILESYSTEM,
1987 FILESYSTEM__ASSOCIATE, &ad);
1988 }
1989
1990 #define MAY_LINK 0
1991 #define MAY_UNLINK 1
1992 #define MAY_RMDIR 2
1993
1994 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1995 static int may_link(struct inode *dir,
1996 struct dentry *dentry,
1997 int kind)
1998
1999 {
2000 struct inode_security_struct *dsec, *isec;
2001 struct common_audit_data ad;
2002 u32 sid = current_sid();
2003 u32 av;
2004 int rc;
2005
2006 dsec = inode_security(dir);
2007 isec = backing_inode_security(dentry);
2008
2009 ad.type = LSM_AUDIT_DATA_DENTRY;
2010 ad.u.dentry = dentry;
2011
2012 av = DIR__SEARCH;
2013 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2014 rc = avc_has_perm(&selinux_state,
2015 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2016 if (rc)
2017 return rc;
2018
2019 switch (kind) {
2020 case MAY_LINK:
2021 av = FILE__LINK;
2022 break;
2023 case MAY_UNLINK:
2024 av = FILE__UNLINK;
2025 break;
2026 case MAY_RMDIR:
2027 av = DIR__RMDIR;
2028 break;
2029 default:
2030 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
2031 __func__, kind);
2032 return 0;
2033 }
2034
2035 rc = avc_has_perm(&selinux_state,
2036 sid, isec->sid, isec->sclass, av, &ad);
2037 return rc;
2038 }
2039
2040 static inline int may_rename(struct inode *old_dir,
2041 struct dentry *old_dentry,
2042 struct inode *new_dir,
2043 struct dentry *new_dentry)
2044 {
2045 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2046 struct common_audit_data ad;
2047 u32 sid = current_sid();
2048 u32 av;
2049 int old_is_dir, new_is_dir;
2050 int rc;
2051
2052 old_dsec = inode_security(old_dir);
2053 old_isec = backing_inode_security(old_dentry);
2054 old_is_dir = d_is_dir(old_dentry);
2055 new_dsec = inode_security(new_dir);
2056
2057 ad.type = LSM_AUDIT_DATA_DENTRY;
2058
2059 ad.u.dentry = old_dentry;
2060 rc = avc_has_perm(&selinux_state,
2061 sid, old_dsec->sid, SECCLASS_DIR,
2062 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2063 if (rc)
2064 return rc;
2065 rc = avc_has_perm(&selinux_state,
2066 sid, old_isec->sid,
2067 old_isec->sclass, FILE__RENAME, &ad);
2068 if (rc)
2069 return rc;
2070 if (old_is_dir && new_dir != old_dir) {
2071 rc = avc_has_perm(&selinux_state,
2072 sid, old_isec->sid,
2073 old_isec->sclass, DIR__REPARENT, &ad);
2074 if (rc)
2075 return rc;
2076 }
2077
2078 ad.u.dentry = new_dentry;
2079 av = DIR__ADD_NAME | DIR__SEARCH;
2080 if (d_is_positive(new_dentry))
2081 av |= DIR__REMOVE_NAME;
2082 rc = avc_has_perm(&selinux_state,
2083 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2084 if (rc)
2085 return rc;
2086 if (d_is_positive(new_dentry)) {
2087 new_isec = backing_inode_security(new_dentry);
2088 new_is_dir = d_is_dir(new_dentry);
2089 rc = avc_has_perm(&selinux_state,
2090 sid, new_isec->sid,
2091 new_isec->sclass,
2092 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2093 if (rc)
2094 return rc;
2095 }
2096
2097 return 0;
2098 }
2099
2100 /* Check whether a task can perform a filesystem operation. */
2101 static int superblock_has_perm(const struct cred *cred,
2102 struct super_block *sb,
2103 u32 perms,
2104 struct common_audit_data *ad)
2105 {
2106 struct superblock_security_struct *sbsec;
2107 u32 sid = cred_sid(cred);
2108
2109 sbsec = sb->s_security;
2110 return avc_has_perm(&selinux_state,
2111 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2112 }
2113
2114 /* Convert a Linux mode and permission mask to an access vector. */
2115 static inline u32 file_mask_to_av(int mode, int mask)
2116 {
2117 u32 av = 0;
2118
2119 if (!S_ISDIR(mode)) {
2120 if (mask & MAY_EXEC)
2121 av |= FILE__EXECUTE;
2122 if (mask & MAY_READ)
2123 av |= FILE__READ;
2124
2125 if (mask & MAY_APPEND)
2126 av |= FILE__APPEND;
2127 else if (mask & MAY_WRITE)
2128 av |= FILE__WRITE;
2129
2130 } else {
2131 if (mask & MAY_EXEC)
2132 av |= DIR__SEARCH;
2133 if (mask & MAY_WRITE)
2134 av |= DIR__WRITE;
2135 if (mask & MAY_READ)
2136 av |= DIR__READ;
2137 }
2138
2139 return av;
2140 }
2141
2142 /* Convert a Linux file to an access vector. */
2143 static inline u32 file_to_av(struct file *file)
2144 {
2145 u32 av = 0;
2146
2147 if (file->f_mode & FMODE_READ)
2148 av |= FILE__READ;
2149 if (file->f_mode & FMODE_WRITE) {
2150 if (file->f_flags & O_APPEND)
2151 av |= FILE__APPEND;
2152 else
2153 av |= FILE__WRITE;
2154 }
2155 if (!av) {
2156 /*
2157 * Special file opened with flags 3 for ioctl-only use.
2158 */
2159 av = FILE__IOCTL;
2160 }
2161
2162 return av;
2163 }
2164
2165 /*
2166 * Convert a file to an access vector and include the correct open
2167 * open permission.
2168 */
2169 static inline u32 open_file_to_av(struct file *file)
2170 {
2171 u32 av = file_to_av(file);
2172 struct inode *inode = file_inode(file);
2173
2174 if (selinux_policycap_openperm() &&
2175 inode->i_sb->s_magic != SOCKFS_MAGIC)
2176 av |= FILE__OPEN;
2177
2178 return av;
2179 }
2180
2181 /* Hook functions begin here. */
2182
2183 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2184 {
2185 u32 mysid = current_sid();
2186 u32 mgrsid = task_sid(mgr);
2187
2188 return avc_has_perm(&selinux_state,
2189 mysid, mgrsid, SECCLASS_BINDER,
2190 BINDER__SET_CONTEXT_MGR, NULL);
2191 }
2192
2193 static int selinux_binder_transaction(struct task_struct *from,
2194 struct task_struct *to)
2195 {
2196 u32 mysid = current_sid();
2197 u32 fromsid = task_sid(from);
2198 u32 tosid = task_sid(to);
2199 int rc;
2200
2201 if (mysid != fromsid) {
2202 rc = avc_has_perm(&selinux_state,
2203 mysid, fromsid, SECCLASS_BINDER,
2204 BINDER__IMPERSONATE, NULL);
2205 if (rc)
2206 return rc;
2207 }
2208
2209 return avc_has_perm(&selinux_state,
2210 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2211 NULL);
2212 }
2213
2214 static int selinux_binder_transfer_binder(struct task_struct *from,
2215 struct task_struct *to)
2216 {
2217 u32 fromsid = task_sid(from);
2218 u32 tosid = task_sid(to);
2219
2220 return avc_has_perm(&selinux_state,
2221 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2222 NULL);
2223 }
2224
2225 static int selinux_binder_transfer_file(struct task_struct *from,
2226 struct task_struct *to,
2227 struct file *file)
2228 {
2229 u32 sid = task_sid(to);
2230 struct file_security_struct *fsec = file->f_security;
2231 struct dentry *dentry = file->f_path.dentry;
2232 struct inode_security_struct *isec;
2233 struct common_audit_data ad;
2234 int rc;
2235
2236 ad.type = LSM_AUDIT_DATA_PATH;
2237 ad.u.path = file->f_path;
2238
2239 if (sid != fsec->sid) {
2240 rc = avc_has_perm(&selinux_state,
2241 sid, fsec->sid,
2242 SECCLASS_FD,
2243 FD__USE,
2244 &ad);
2245 if (rc)
2246 return rc;
2247 }
2248
2249 #ifdef CONFIG_BPF_SYSCALL
2250 rc = bpf_fd_pass(file, sid);
2251 if (rc)
2252 return rc;
2253 #endif
2254
2255 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2256 return 0;
2257
2258 isec = backing_inode_security(dentry);
2259 return avc_has_perm(&selinux_state,
2260 sid, isec->sid, isec->sclass, file_to_av(file),
2261 &ad);
2262 }
2263
2264 static int selinux_ptrace_access_check(struct task_struct *child,
2265 unsigned int mode)
2266 {
2267 u32 sid = current_sid();
2268 u32 csid = task_sid(child);
2269
2270 if (mode & PTRACE_MODE_READ)
2271 return avc_has_perm(&selinux_state,
2272 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2273
2274 return avc_has_perm(&selinux_state,
2275 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2276 }
2277
2278 static int selinux_ptrace_traceme(struct task_struct *parent)
2279 {
2280 return avc_has_perm(&selinux_state,
2281 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2282 PROCESS__PTRACE, NULL);
2283 }
2284
2285 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2286 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2287 {
2288 return avc_has_perm(&selinux_state,
2289 current_sid(), task_sid(target), SECCLASS_PROCESS,
2290 PROCESS__GETCAP, NULL);
2291 }
2292
2293 static int selinux_capset(struct cred *new, const struct cred *old,
2294 const kernel_cap_t *effective,
2295 const kernel_cap_t *inheritable,
2296 const kernel_cap_t *permitted)
2297 {
2298 return avc_has_perm(&selinux_state,
2299 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2300 PROCESS__SETCAP, NULL);
2301 }
2302
2303 /*
2304 * (This comment used to live with the selinux_task_setuid hook,
2305 * which was removed).
2306 *
2307 * Since setuid only affects the current process, and since the SELinux
2308 * controls are not based on the Linux identity attributes, SELinux does not
2309 * need to control this operation. However, SELinux does control the use of
2310 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2311 */
2312
2313 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2314 int cap, int audit)
2315 {
2316 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2317 }
2318
2319 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2320 {
2321 const struct cred *cred = current_cred();
2322 int rc = 0;
2323
2324 if (!sb)
2325 return 0;
2326
2327 switch (cmds) {
2328 case Q_SYNC:
2329 case Q_QUOTAON:
2330 case Q_QUOTAOFF:
2331 case Q_SETINFO:
2332 case Q_SETQUOTA:
2333 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2334 break;
2335 case Q_GETFMT:
2336 case Q_GETINFO:
2337 case Q_GETQUOTA:
2338 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2339 break;
2340 default:
2341 rc = 0; /* let the kernel handle invalid cmds */
2342 break;
2343 }
2344 return rc;
2345 }
2346
2347 static int selinux_quota_on(struct dentry *dentry)
2348 {
2349 const struct cred *cred = current_cred();
2350
2351 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2352 }
2353
2354 static int selinux_syslog(int type)
2355 {
2356 switch (type) {
2357 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2358 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2359 return avc_has_perm(&selinux_state,
2360 current_sid(), SECINITSID_KERNEL,
2361 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2362 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2363 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2364 /* Set level of messages printed to console */
2365 case SYSLOG_ACTION_CONSOLE_LEVEL:
2366 return avc_has_perm(&selinux_state,
2367 current_sid(), SECINITSID_KERNEL,
2368 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2369 NULL);
2370 }
2371 /* All other syslog types */
2372 return avc_has_perm(&selinux_state,
2373 current_sid(), SECINITSID_KERNEL,
2374 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2375 }
2376
2377 /*
2378 * Check that a process has enough memory to allocate a new virtual
2379 * mapping. 0 means there is enough memory for the allocation to
2380 * succeed and -ENOMEM implies there is not.
2381 *
2382 * Do not audit the selinux permission check, as this is applied to all
2383 * processes that allocate mappings.
2384 */
2385 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2386 {
2387 int rc, cap_sys_admin = 0;
2388
2389 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2390 SECURITY_CAP_NOAUDIT, true);
2391 if (rc == 0)
2392 cap_sys_admin = 1;
2393
2394 return cap_sys_admin;
2395 }
2396
2397 /* binprm security operations */
2398
2399 static u32 ptrace_parent_sid(void)
2400 {
2401 u32 sid = 0;
2402 struct task_struct *tracer;
2403
2404 rcu_read_lock();
2405 tracer = ptrace_parent(current);
2406 if (tracer)
2407 sid = task_sid(tracer);
2408 rcu_read_unlock();
2409
2410 return sid;
2411 }
2412
2413 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2414 const struct task_security_struct *old_tsec,
2415 const struct task_security_struct *new_tsec)
2416 {
2417 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2418 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2419 int rc;
2420 u32 av;
2421
2422 if (!nnp && !nosuid)
2423 return 0; /* neither NNP nor nosuid */
2424
2425 if (new_tsec->sid == old_tsec->sid)
2426 return 0; /* No change in credentials */
2427
2428 /*
2429 * If the policy enables the nnp_nosuid_transition policy capability,
2430 * then we permit transitions under NNP or nosuid if the
2431 * policy allows the corresponding permission between
2432 * the old and new contexts.
2433 */
2434 if (selinux_policycap_nnp_nosuid_transition()) {
2435 av = 0;
2436 if (nnp)
2437 av |= PROCESS2__NNP_TRANSITION;
2438 if (nosuid)
2439 av |= PROCESS2__NOSUID_TRANSITION;
2440 rc = avc_has_perm(&selinux_state,
2441 old_tsec->sid, new_tsec->sid,
2442 SECCLASS_PROCESS2, av, NULL);
2443 if (!rc)
2444 return 0;
2445 }
2446
2447 /*
2448 * We also permit NNP or nosuid transitions to bounded SIDs,
2449 * i.e. SIDs that are guaranteed to only be allowed a subset
2450 * of the permissions of the current SID.
2451 */
2452 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2453 new_tsec->sid);
2454 if (!rc)
2455 return 0;
2456
2457 /*
2458 * On failure, preserve the errno values for NNP vs nosuid.
2459 * NNP: Operation not permitted for caller.
2460 * nosuid: Permission denied to file.
2461 */
2462 if (nnp)
2463 return -EPERM;
2464 return -EACCES;
2465 }
2466
2467 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2468 {
2469 const struct task_security_struct *old_tsec;
2470 struct task_security_struct *new_tsec;
2471 struct inode_security_struct *isec;
2472 struct common_audit_data ad;
2473 struct inode *inode = file_inode(bprm->file);
2474 int rc;
2475
2476 /* SELinux context only depends on initial program or script and not
2477 * the script interpreter */
2478 if (bprm->called_set_creds)
2479 return 0;
2480
2481 old_tsec = current_security();
2482 new_tsec = bprm->cred->security;
2483 isec = inode_security(inode);
2484
2485 /* Default to the current task SID. */
2486 new_tsec->sid = old_tsec->sid;
2487 new_tsec->osid = old_tsec->sid;
2488
2489 /* Reset fs, key, and sock SIDs on execve. */
2490 new_tsec->create_sid = 0;
2491 new_tsec->keycreate_sid = 0;
2492 new_tsec->sockcreate_sid = 0;
2493
2494 if (old_tsec->exec_sid) {
2495 new_tsec->sid = old_tsec->exec_sid;
2496 /* Reset exec SID on execve. */
2497 new_tsec->exec_sid = 0;
2498
2499 /* Fail on NNP or nosuid if not an allowed transition. */
2500 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2501 if (rc)
2502 return rc;
2503 } else {
2504 /* Check for a default transition on this program. */
2505 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2506 isec->sid, SECCLASS_PROCESS, NULL,
2507 &new_tsec->sid);
2508 if (rc)
2509 return rc;
2510
2511 /*
2512 * Fallback to old SID on NNP or nosuid if not an allowed
2513 * transition.
2514 */
2515 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2516 if (rc)
2517 new_tsec->sid = old_tsec->sid;
2518 }
2519
2520 ad.type = LSM_AUDIT_DATA_FILE;
2521 ad.u.file = bprm->file;
2522
2523 if (new_tsec->sid == old_tsec->sid) {
2524 rc = avc_has_perm(&selinux_state,
2525 old_tsec->sid, isec->sid,
2526 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2527 if (rc)
2528 return rc;
2529 } else {
2530 /* Check permissions for the transition. */
2531 rc = avc_has_perm(&selinux_state,
2532 old_tsec->sid, new_tsec->sid,
2533 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2534 if (rc)
2535 return rc;
2536
2537 rc = avc_has_perm(&selinux_state,
2538 new_tsec->sid, isec->sid,
2539 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2540 if (rc)
2541 return rc;
2542
2543 /* Check for shared state */
2544 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2545 rc = avc_has_perm(&selinux_state,
2546 old_tsec->sid, new_tsec->sid,
2547 SECCLASS_PROCESS, PROCESS__SHARE,
2548 NULL);
2549 if (rc)
2550 return -EPERM;
2551 }
2552
2553 /* Make sure that anyone attempting to ptrace over a task that
2554 * changes its SID has the appropriate permit */
2555 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2556 u32 ptsid = ptrace_parent_sid();
2557 if (ptsid != 0) {
2558 rc = avc_has_perm(&selinux_state,
2559 ptsid, new_tsec->sid,
2560 SECCLASS_PROCESS,
2561 PROCESS__PTRACE, NULL);
2562 if (rc)
2563 return -EPERM;
2564 }
2565 }
2566
2567 /* Clear any possibly unsafe personality bits on exec: */
2568 bprm->per_clear |= PER_CLEAR_ON_SETID;
2569
2570 /* Enable secure mode for SIDs transitions unless
2571 the noatsecure permission is granted between
2572 the two SIDs, i.e. ahp returns 0. */
2573 rc = avc_has_perm(&selinux_state,
2574 old_tsec->sid, new_tsec->sid,
2575 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2576 NULL);
2577 bprm->secureexec |= !!rc;
2578 }
2579
2580 return 0;
2581 }
2582
2583 static int match_file(const void *p, struct file *file, unsigned fd)
2584 {
2585 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2586 }
2587
2588 /* Derived from fs/exec.c:flush_old_files. */
2589 static inline void flush_unauthorized_files(const struct cred *cred,
2590 struct files_struct *files)
2591 {
2592 struct file *file, *devnull = NULL;
2593 struct tty_struct *tty;
2594 int drop_tty = 0;
2595 unsigned n;
2596
2597 tty = get_current_tty();
2598 if (tty) {
2599 spin_lock(&tty->files_lock);
2600 if (!list_empty(&tty->tty_files)) {
2601 struct tty_file_private *file_priv;
2602
2603 /* Revalidate access to controlling tty.
2604 Use file_path_has_perm on the tty path directly
2605 rather than using file_has_perm, as this particular
2606 open file may belong to another process and we are
2607 only interested in the inode-based check here. */
2608 file_priv = list_first_entry(&tty->tty_files,
2609 struct tty_file_private, list);
2610 file = file_priv->file;
2611 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2612 drop_tty = 1;
2613 }
2614 spin_unlock(&tty->files_lock);
2615 tty_kref_put(tty);
2616 }
2617 /* Reset controlling tty. */
2618 if (drop_tty)
2619 no_tty();
2620
2621 /* Revalidate access to inherited open files. */
2622 n = iterate_fd(files, 0, match_file, cred);
2623 if (!n) /* none found? */
2624 return;
2625
2626 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2627 if (IS_ERR(devnull))
2628 devnull = NULL;
2629 /* replace all the matching ones with this */
2630 do {
2631 replace_fd(n - 1, devnull, 0);
2632 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2633 if (devnull)
2634 fput(devnull);
2635 }
2636
2637 /*
2638 * Prepare a process for imminent new credential changes due to exec
2639 */
2640 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2641 {
2642 struct task_security_struct *new_tsec;
2643 struct rlimit *rlim, *initrlim;
2644 int rc, i;
2645
2646 new_tsec = bprm->cred->security;
2647 if (new_tsec->sid == new_tsec->osid)
2648 return;
2649
2650 /* Close files for which the new task SID is not authorized. */
2651 flush_unauthorized_files(bprm->cred, current->files);
2652
2653 /* Always clear parent death signal on SID transitions. */
2654 current->pdeath_signal = 0;
2655
2656 /* Check whether the new SID can inherit resource limits from the old
2657 * SID. If not, reset all soft limits to the lower of the current
2658 * task's hard limit and the init task's soft limit.
2659 *
2660 * Note that the setting of hard limits (even to lower them) can be
2661 * controlled by the setrlimit check. The inclusion of the init task's
2662 * soft limit into the computation is to avoid resetting soft limits
2663 * higher than the default soft limit for cases where the default is
2664 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2665 */
2666 rc = avc_has_perm(&selinux_state,
2667 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2668 PROCESS__RLIMITINH, NULL);
2669 if (rc) {
2670 /* protect against do_prlimit() */
2671 task_lock(current);
2672 for (i = 0; i < RLIM_NLIMITS; i++) {
2673 rlim = current->signal->rlim + i;
2674 initrlim = init_task.signal->rlim + i;
2675 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2676 }
2677 task_unlock(current);
2678 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2679 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2680 }
2681 }
2682
2683 /*
2684 * Clean up the process immediately after the installation of new credentials
2685 * due to exec
2686 */
2687 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2688 {
2689 const struct task_security_struct *tsec = current_security();
2690 struct itimerval itimer;
2691 u32 osid, sid;
2692 int rc, i;
2693
2694 osid = tsec->osid;
2695 sid = tsec->sid;
2696
2697 if (sid == osid)
2698 return;
2699
2700 /* Check whether the new SID can inherit signal state from the old SID.
2701 * If not, clear itimers to avoid subsequent signal generation and
2702 * flush and unblock signals.
2703 *
2704 * This must occur _after_ the task SID has been updated so that any
2705 * kill done after the flush will be checked against the new SID.
2706 */
2707 rc = avc_has_perm(&selinux_state,
2708 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2709 if (rc) {
2710 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2711 memset(&itimer, 0, sizeof itimer);
2712 for (i = 0; i < 3; i++)
2713 do_setitimer(i, &itimer, NULL);
2714 }
2715 spin_lock_irq(&current->sighand->siglock);
2716 if (!fatal_signal_pending(current)) {
2717 flush_sigqueue(&current->pending);
2718 flush_sigqueue(&current->signal->shared_pending);
2719 flush_signal_handlers(current, 1);
2720 sigemptyset(&current->blocked);
2721 recalc_sigpending();
2722 }
2723 spin_unlock_irq(&current->sighand->siglock);
2724 }
2725
2726 /* Wake up the parent if it is waiting so that it can recheck
2727 * wait permission to the new task SID. */
2728 read_lock(&tasklist_lock);
2729 __wake_up_parent(current, current->real_parent);
2730 read_unlock(&tasklist_lock);
2731 }
2732
2733 /* superblock security operations */
2734
2735 static int selinux_sb_alloc_security(struct super_block *sb)
2736 {
2737 return superblock_alloc_security(sb);
2738 }
2739
2740 static void selinux_sb_free_security(struct super_block *sb)
2741 {
2742 superblock_free_security(sb);
2743 }
2744
2745 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2746 {
2747 if (plen > olen)
2748 return 0;
2749
2750 return !memcmp(prefix, option, plen);
2751 }
2752
2753 static inline int selinux_option(char *option, int len)
2754 {
2755 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2756 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2757 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2758 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2759 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2760 }
2761
2762 static inline void take_option(char **to, char *from, int *first, int len)
2763 {
2764 if (!*first) {
2765 **to = ',';
2766 *to += 1;
2767 } else
2768 *first = 0;
2769 memcpy(*to, from, len);
2770 *to += len;
2771 }
2772
2773 static inline void take_selinux_option(char **to, char *from, int *first,
2774 int len)
2775 {
2776 int current_size = 0;
2777
2778 if (!*first) {
2779 **to = '|';
2780 *to += 1;
2781 } else
2782 *first = 0;
2783
2784 while (current_size < len) {
2785 if (*from != '"') {
2786 **to = *from;
2787 *to += 1;
2788 }
2789 from += 1;
2790 current_size += 1;
2791 }
2792 }
2793
2794 static int selinux_sb_copy_data(char *orig, char *copy)
2795 {
2796 int fnosec, fsec, rc = 0;
2797 char *in_save, *in_curr, *in_end;
2798 char *sec_curr, *nosec_save, *nosec;
2799 int open_quote = 0;
2800
2801 in_curr = orig;
2802 sec_curr = copy;
2803
2804 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2805 if (!nosec) {
2806 rc = -ENOMEM;
2807 goto out;
2808 }
2809
2810 nosec_save = nosec;
2811 fnosec = fsec = 1;
2812 in_save = in_end = orig;
2813
2814 do {
2815 if (*in_end == '"')
2816 open_quote = !open_quote;
2817 if ((*in_end == ',' && open_quote == 0) ||
2818 *in_end == '\0') {
2819 int len = in_end - in_curr;
2820
2821 if (selinux_option(in_curr, len))
2822 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2823 else
2824 take_option(&nosec, in_curr, &fnosec, len);
2825
2826 in_curr = in_end + 1;
2827 }
2828 } while (*in_end++);
2829
2830 strcpy(in_save, nosec_save);
2831 free_page((unsigned long)nosec_save);
2832 out:
2833 return rc;
2834 }
2835
2836 static int selinux_sb_remount(struct super_block *sb, void *data)
2837 {
2838 int rc, i, *flags;
2839 struct security_mnt_opts opts;
2840 char *secdata, **mount_options;
2841 struct superblock_security_struct *sbsec = sb->s_security;
2842
2843 if (!(sbsec->flags & SE_SBINITIALIZED))
2844 return 0;
2845
2846 if (!data)
2847 return 0;
2848
2849 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2850 return 0;
2851
2852 security_init_mnt_opts(&opts);
2853 secdata = alloc_secdata();
2854 if (!secdata)
2855 return -ENOMEM;
2856 rc = selinux_sb_copy_data(data, secdata);
2857 if (rc)
2858 goto out_free_secdata;
2859
2860 rc = selinux_parse_opts_str(secdata, &opts);
2861 if (rc)
2862 goto out_free_secdata;
2863
2864 mount_options = opts.mnt_opts;
2865 flags = opts.mnt_opts_flags;
2866
2867 for (i = 0; i < opts.num_mnt_opts; i++) {
2868 u32 sid;
2869
2870 if (flags[i] == SBLABEL_MNT)
2871 continue;
2872 rc = security_context_str_to_sid(&selinux_state,
2873 mount_options[i], &sid,
2874 GFP_KERNEL);
2875 if (rc) {
2876 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2877 "(%s) failed for (dev %s, type %s) errno=%d\n",
2878 mount_options[i], sb->s_id, sb->s_type->name, rc);
2879 goto out_free_opts;
2880 }
2881 rc = -EINVAL;
2882 switch (flags[i]) {
2883 case FSCONTEXT_MNT:
2884 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2885 goto out_bad_option;
2886 break;
2887 case CONTEXT_MNT:
2888 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2889 goto out_bad_option;
2890 break;
2891 case ROOTCONTEXT_MNT: {
2892 struct inode_security_struct *root_isec;
2893 root_isec = backing_inode_security(sb->s_root);
2894
2895 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2896 goto out_bad_option;
2897 break;
2898 }
2899 case DEFCONTEXT_MNT:
2900 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2901 goto out_bad_option;
2902 break;
2903 default:
2904 goto out_free_opts;
2905 }
2906 }
2907
2908 rc = 0;
2909 out_free_opts:
2910 security_free_mnt_opts(&opts);
2911 out_free_secdata:
2912 free_secdata(secdata);
2913 return rc;
2914 out_bad_option:
2915 printk(KERN_WARNING "SELinux: unable to change security options "
2916 "during remount (dev %s, type=%s)\n", sb->s_id,
2917 sb->s_type->name);
2918 goto out_free_opts;
2919 }
2920
2921 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2922 {
2923 const struct cred *cred = current_cred();
2924 struct common_audit_data ad;
2925 int rc;
2926
2927 rc = superblock_doinit(sb, data);
2928 if (rc)
2929 return rc;
2930
2931 /* Allow all mounts performed by the kernel */
2932 if (flags & MS_KERNMOUNT)
2933 return 0;
2934
2935 ad.type = LSM_AUDIT_DATA_DENTRY;
2936 ad.u.dentry = sb->s_root;
2937 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2938 }
2939
2940 static int selinux_sb_statfs(struct dentry *dentry)
2941 {
2942 const struct cred *cred = current_cred();
2943 struct common_audit_data ad;
2944
2945 ad.type = LSM_AUDIT_DATA_DENTRY;
2946 ad.u.dentry = dentry->d_sb->s_root;
2947 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2948 }
2949
2950 static int selinux_mount(const char *dev_name,
2951 const struct path *path,
2952 const char *type,
2953 unsigned long flags,
2954 void *data)
2955 {
2956 const struct cred *cred = current_cred();
2957
2958 if (flags & MS_REMOUNT)
2959 return superblock_has_perm(cred, path->dentry->d_sb,
2960 FILESYSTEM__REMOUNT, NULL);
2961 else
2962 return path_has_perm(cred, path, FILE__MOUNTON);
2963 }
2964
2965 static int selinux_umount(struct vfsmount *mnt, int flags)
2966 {
2967 const struct cred *cred = current_cred();
2968
2969 return superblock_has_perm(cred, mnt->mnt_sb,
2970 FILESYSTEM__UNMOUNT, NULL);
2971 }
2972
2973 /* inode security operations */
2974
2975 static int selinux_inode_alloc_security(struct inode *inode)
2976 {
2977 return inode_alloc_security(inode);
2978 }
2979
2980 static void selinux_inode_free_security(struct inode *inode)
2981 {
2982 inode_free_security(inode);
2983 }
2984
2985 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2986 const struct qstr *name, void **ctx,
2987 u32 *ctxlen)
2988 {
2989 u32 newsid;
2990 int rc;
2991
2992 rc = selinux_determine_inode_label(current_security(),
2993 d_inode(dentry->d_parent), name,
2994 inode_mode_to_security_class(mode),
2995 &newsid);
2996 if (rc)
2997 return rc;
2998
2999 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3000 ctxlen);
3001 }
3002
3003 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3004 struct qstr *name,
3005 const struct cred *old,
3006 struct cred *new)
3007 {
3008 u32 newsid;
3009 int rc;
3010 struct task_security_struct *tsec;
3011
3012 rc = selinux_determine_inode_label(old->security,
3013 d_inode(dentry->d_parent), name,
3014 inode_mode_to_security_class(mode),
3015 &newsid);
3016 if (rc)
3017 return rc;
3018
3019 tsec = new->security;
3020 tsec->create_sid = newsid;
3021 return 0;
3022 }
3023
3024 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3025 const struct qstr *qstr,
3026 const char **name,
3027 void **value, size_t *len)
3028 {
3029 const struct task_security_struct *tsec = current_security();
3030 struct superblock_security_struct *sbsec;
3031 u32 newsid, clen;
3032 int rc;
3033 char *context;
3034
3035 sbsec = dir->i_sb->s_security;
3036
3037 newsid = tsec->create_sid;
3038
3039 rc = selinux_determine_inode_label(current_security(),
3040 dir, qstr,
3041 inode_mode_to_security_class(inode->i_mode),
3042 &newsid);
3043 if (rc)
3044 return rc;
3045
3046 /* Possibly defer initialization to selinux_complete_init. */
3047 if (sbsec->flags & SE_SBINITIALIZED) {
3048 struct inode_security_struct *isec = inode->i_security;
3049 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3050 isec->sid = newsid;
3051 isec->initialized = LABEL_INITIALIZED;
3052 }
3053
3054 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3055 return -EOPNOTSUPP;
3056
3057 if (name)
3058 *name = XATTR_SELINUX_SUFFIX;
3059
3060 if (value && len) {
3061 rc = security_sid_to_context_force(&selinux_state, newsid,
3062 &context, &clen);
3063 if (rc)
3064 return rc;
3065 *value = context;
3066 *len = clen;
3067 }
3068
3069 return 0;
3070 }
3071
3072 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3073 {
3074 return may_create(dir, dentry, SECCLASS_FILE);
3075 }
3076
3077 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3078 {
3079 return may_link(dir, old_dentry, MAY_LINK);
3080 }
3081
3082 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3083 {
3084 return may_link(dir, dentry, MAY_UNLINK);
3085 }
3086
3087 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3088 {
3089 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3090 }
3091
3092 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3093 {
3094 return may_create(dir, dentry, SECCLASS_DIR);
3095 }
3096
3097 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3098 {
3099 return may_link(dir, dentry, MAY_RMDIR);
3100 }
3101
3102 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3103 {
3104 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3105 }
3106
3107 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3108 struct inode *new_inode, struct dentry *new_dentry)
3109 {
3110 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3111 }
3112
3113 static int selinux_inode_readlink(struct dentry *dentry)
3114 {
3115 const struct cred *cred = current_cred();
3116
3117 return dentry_has_perm(cred, dentry, FILE__READ);
3118 }
3119
3120 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3121 bool rcu)
3122 {
3123 const struct cred *cred = current_cred();
3124 struct common_audit_data ad;
3125 struct inode_security_struct *isec;
3126 u32 sid;
3127
3128 validate_creds(cred);
3129
3130 ad.type = LSM_AUDIT_DATA_DENTRY;
3131 ad.u.dentry = dentry;
3132 sid = cred_sid(cred);
3133 isec = inode_security_rcu(inode, rcu);
3134 if (IS_ERR(isec))
3135 return PTR_ERR(isec);
3136
3137 return avc_has_perm_flags(&selinux_state,
3138 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3139 rcu ? MAY_NOT_BLOCK : 0);
3140 }
3141
3142 static noinline int audit_inode_permission(struct inode *inode,
3143 u32 perms, u32 audited, u32 denied,
3144 int result,
3145 unsigned flags)
3146 {
3147 struct common_audit_data ad;
3148 struct inode_security_struct *isec = inode->i_security;
3149 int rc;
3150
3151 ad.type = LSM_AUDIT_DATA_INODE;
3152 ad.u.inode = inode;
3153
3154 rc = slow_avc_audit(&selinux_state,
3155 current_sid(), isec->sid, isec->sclass, perms,
3156 audited, denied, result, &ad, flags);
3157 if (rc)
3158 return rc;
3159 return 0;
3160 }
3161
3162 static int selinux_inode_permission(struct inode *inode, int mask)
3163 {
3164 const struct cred *cred = current_cred();
3165 u32 perms;
3166 bool from_access;
3167 unsigned flags = mask & MAY_NOT_BLOCK;
3168 struct inode_security_struct *isec;
3169 u32 sid;
3170 struct av_decision avd;
3171 int rc, rc2;
3172 u32 audited, denied;
3173
3174 from_access = mask & MAY_ACCESS;
3175 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3176
3177 /* No permission to check. Existence test. */
3178 if (!mask)
3179 return 0;
3180
3181 validate_creds(cred);
3182
3183 if (unlikely(IS_PRIVATE(inode)))
3184 return 0;
3185
3186 perms = file_mask_to_av(inode->i_mode, mask);
3187
3188 sid = cred_sid(cred);
3189 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3190 if (IS_ERR(isec))
3191 return PTR_ERR(isec);
3192
3193 rc = avc_has_perm_noaudit(&selinux_state,
3194 sid, isec->sid, isec->sclass, perms, 0, &avd);
3195 audited = avc_audit_required(perms, &avd, rc,
3196 from_access ? FILE__AUDIT_ACCESS : 0,
3197 &denied);
3198 if (likely(!audited))
3199 return rc;
3200
3201 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3202 if (rc2)
3203 return rc2;
3204 return rc;
3205 }
3206
3207 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3208 {
3209 const struct cred *cred = current_cred();
3210 struct inode *inode = d_backing_inode(dentry);
3211 unsigned int ia_valid = iattr->ia_valid;
3212 __u32 av = FILE__WRITE;
3213
3214 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3215 if (ia_valid & ATTR_FORCE) {
3216 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3217 ATTR_FORCE);
3218 if (!ia_valid)
3219 return 0;
3220 }
3221
3222 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3223 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3224 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3225
3226 if (selinux_policycap_openperm() &&
3227 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3228 (ia_valid & ATTR_SIZE) &&
3229 !(ia_valid & ATTR_FILE))
3230 av |= FILE__OPEN;
3231
3232 return dentry_has_perm(cred, dentry, av);
3233 }
3234
3235 static int selinux_inode_getattr(const struct path *path)
3236 {
3237 return path_has_perm(current_cred(), path, FILE__GETATTR);
3238 }
3239
3240 static bool has_cap_mac_admin(bool audit)
3241 {
3242 const struct cred *cred = current_cred();
3243 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3244
3245 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3246 return false;
3247 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3248 return false;
3249 return true;
3250 }
3251
3252 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3253 const void *value, size_t size, int flags)
3254 {
3255 struct inode *inode = d_backing_inode(dentry);
3256 struct inode_security_struct *isec;
3257 struct superblock_security_struct *sbsec;
3258 struct common_audit_data ad;
3259 u32 newsid, sid = current_sid();
3260 int rc = 0;
3261
3262 if (strcmp(name, XATTR_NAME_SELINUX)) {
3263 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3264 if (rc)
3265 return rc;
3266
3267 /* Not an attribute we recognize, so just check the
3268 ordinary setattr permission. */
3269 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3270 }
3271
3272 sbsec = inode->i_sb->s_security;
3273 if (!(sbsec->flags & SBLABEL_MNT))
3274 return -EOPNOTSUPP;
3275
3276 if (!inode_owner_or_capable(inode))
3277 return -EPERM;
3278
3279 ad.type = LSM_AUDIT_DATA_DENTRY;
3280 ad.u.dentry = dentry;
3281
3282 isec = backing_inode_security(dentry);
3283 rc = avc_has_perm(&selinux_state,
3284 sid, isec->sid, isec->sclass,
3285 FILE__RELABELFROM, &ad);
3286 if (rc)
3287 return rc;
3288
3289 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3290 GFP_KERNEL);
3291 if (rc == -EINVAL) {
3292 if (!has_cap_mac_admin(true)) {
3293 struct audit_buffer *ab;
3294 size_t audit_size;
3295
3296 /* We strip a nul only if it is at the end, otherwise the
3297 * context contains a nul and we should audit that */
3298 if (value) {
3299 const char *str = value;
3300
3301 if (str[size - 1] == '\0')
3302 audit_size = size - 1;
3303 else
3304 audit_size = size;
3305 } else {
3306 audit_size = 0;
3307 }
3308 ab = audit_log_start(audit_context(),
3309 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3310 audit_log_format(ab, "op=setxattr invalid_context=");
3311 audit_log_n_untrustedstring(ab, value, audit_size);
3312 audit_log_end(ab);
3313
3314 return rc;
3315 }
3316 rc = security_context_to_sid_force(&selinux_state, value,
3317 size, &newsid);
3318 }
3319 if (rc)
3320 return rc;
3321
3322 rc = avc_has_perm(&selinux_state,
3323 sid, newsid, isec->sclass,
3324 FILE__RELABELTO, &ad);
3325 if (rc)
3326 return rc;
3327
3328 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3329 sid, isec->sclass);
3330 if (rc)
3331 return rc;
3332
3333 return avc_has_perm(&selinux_state,
3334 newsid,
3335 sbsec->sid,
3336 SECCLASS_FILESYSTEM,
3337 FILESYSTEM__ASSOCIATE,
3338 &ad);
3339 }
3340
3341 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3342 const void *value, size_t size,
3343 int flags)
3344 {
3345 struct inode *inode = d_backing_inode(dentry);
3346 struct inode_security_struct *isec;
3347 u32 newsid;
3348 int rc;
3349
3350 if (strcmp(name, XATTR_NAME_SELINUX)) {
3351 /* Not an attribute we recognize, so nothing to do. */
3352 return;
3353 }
3354
3355 rc = security_context_to_sid_force(&selinux_state, value, size,
3356 &newsid);
3357 if (rc) {
3358 printk(KERN_ERR "SELinux: unable to map context to SID"
3359 "for (%s, %lu), rc=%d\n",
3360 inode->i_sb->s_id, inode->i_ino, -rc);
3361 return;
3362 }
3363
3364 isec = backing_inode_security(dentry);
3365 spin_lock(&isec->lock);
3366 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3367 isec->sid = newsid;
3368 isec->initialized = LABEL_INITIALIZED;
3369 spin_unlock(&isec->lock);
3370
3371 return;
3372 }
3373
3374 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3375 {
3376 const struct cred *cred = current_cred();
3377
3378 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3379 }
3380
3381 static int selinux_inode_listxattr(struct dentry *dentry)
3382 {
3383 const struct cred *cred = current_cred();
3384
3385 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3386 }
3387
3388 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3389 {
3390 if (strcmp(name, XATTR_NAME_SELINUX)) {
3391 int rc = cap_inode_removexattr(dentry, name);
3392 if (rc)
3393 return rc;
3394
3395 /* Not an attribute we recognize, so just check the
3396 ordinary setattr permission. */
3397 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3398 }
3399
3400 /* No one is allowed to remove a SELinux security label.
3401 You can change the label, but all data must be labeled. */
3402 return -EACCES;
3403 }
3404
3405 /*
3406 * Copy the inode security context value to the user.
3407 *
3408 * Permission check is handled by selinux_inode_getxattr hook.
3409 */
3410 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3411 {
3412 u32 size;
3413 int error;
3414 char *context = NULL;
3415 struct inode_security_struct *isec;
3416
3417 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3418 return -EOPNOTSUPP;
3419
3420 /*
3421 * If the caller has CAP_MAC_ADMIN, then get the raw context
3422 * value even if it is not defined by current policy; otherwise,
3423 * use the in-core value under current policy.
3424 * Use the non-auditing forms of the permission checks since
3425 * getxattr may be called by unprivileged processes commonly
3426 * and lack of permission just means that we fall back to the
3427 * in-core context value, not a denial.
3428 */
3429 isec = inode_security(inode);
3430 if (has_cap_mac_admin(false))
3431 error = security_sid_to_context_force(&selinux_state,
3432 isec->sid, &context,
3433 &size);
3434 else
3435 error = security_sid_to_context(&selinux_state, isec->sid,
3436 &context, &size);
3437 if (error)
3438 return error;
3439 error = size;
3440 if (alloc) {
3441 *buffer = context;
3442 goto out_nofree;
3443 }
3444 kfree(context);
3445 out_nofree:
3446 return error;
3447 }
3448
3449 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3450 const void *value, size_t size, int flags)
3451 {
3452 struct inode_security_struct *isec = inode_security_novalidate(inode);
3453 u32 newsid;
3454 int rc;
3455
3456 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3457 return -EOPNOTSUPP;
3458
3459 if (!value || !size)
3460 return -EACCES;
3461
3462 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3463 GFP_KERNEL);
3464 if (rc)
3465 return rc;
3466
3467 spin_lock(&isec->lock);
3468 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3469 isec->sid = newsid;
3470 isec->initialized = LABEL_INITIALIZED;
3471 spin_unlock(&isec->lock);
3472 return 0;
3473 }
3474
3475 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3476 {
3477 const int len = sizeof(XATTR_NAME_SELINUX);
3478 if (buffer && len <= buffer_size)
3479 memcpy(buffer, XATTR_NAME_SELINUX, len);
3480 return len;
3481 }
3482
3483 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3484 {
3485 struct inode_security_struct *isec = inode_security_novalidate(inode);
3486 *secid = isec->sid;
3487 }
3488
3489 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3490 {
3491 u32 sid;
3492 struct task_security_struct *tsec;
3493 struct cred *new_creds = *new;
3494
3495 if (new_creds == NULL) {
3496 new_creds = prepare_creds();
3497 if (!new_creds)
3498 return -ENOMEM;
3499 }
3500
3501 tsec = new_creds->security;
3502 /* Get label from overlay inode and set it in create_sid */
3503 selinux_inode_getsecid(d_inode(src), &sid);
3504 tsec->create_sid = sid;
3505 *new = new_creds;
3506 return 0;
3507 }
3508
3509 static int selinux_inode_copy_up_xattr(const char *name)
3510 {
3511 /* The copy_up hook above sets the initial context on an inode, but we
3512 * don't then want to overwrite it by blindly copying all the lower
3513 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3514 */
3515 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3516 return 1; /* Discard */
3517 /*
3518 * Any other attribute apart from SELINUX is not claimed, supported
3519 * by selinux.
3520 */
3521 return -EOPNOTSUPP;
3522 }
3523
3524 /* file security operations */
3525
3526 static int selinux_revalidate_file_permission(struct file *file, int mask)
3527 {
3528 const struct cred *cred = current_cred();
3529 struct inode *inode = file_inode(file);
3530
3531 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3532 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3533 mask |= MAY_APPEND;
3534
3535 return file_has_perm(cred, file,
3536 file_mask_to_av(inode->i_mode, mask));
3537 }
3538
3539 static int selinux_file_permission(struct file *file, int mask)
3540 {
3541 struct inode *inode = file_inode(file);
3542 struct file_security_struct *fsec = file->f_security;
3543 struct inode_security_struct *isec;
3544 u32 sid = current_sid();
3545
3546 if (!mask)
3547 /* No permission to check. Existence test. */
3548 return 0;
3549
3550 isec = inode_security(inode);
3551 if (sid == fsec->sid && fsec->isid == isec->sid &&
3552 fsec->pseqno == avc_policy_seqno(&selinux_state))
3553 /* No change since file_open check. */
3554 return 0;
3555
3556 return selinux_revalidate_file_permission(file, mask);
3557 }
3558
3559 static int selinux_file_alloc_security(struct file *file)
3560 {
3561 return file_alloc_security(file);
3562 }
3563
3564 static void selinux_file_free_security(struct file *file)
3565 {
3566 file_free_security(file);
3567 }
3568
3569 /*
3570 * Check whether a task has the ioctl permission and cmd
3571 * operation to an inode.
3572 */
3573 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3574 u32 requested, u16 cmd)
3575 {
3576 struct common_audit_data ad;
3577 struct file_security_struct *fsec = file->f_security;
3578 struct inode *inode = file_inode(file);
3579 struct inode_security_struct *isec;
3580 struct lsm_ioctlop_audit ioctl;
3581 u32 ssid = cred_sid(cred);
3582 int rc;
3583 u8 driver = cmd >> 8;
3584 u8 xperm = cmd & 0xff;
3585
3586 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3587 ad.u.op = &ioctl;
3588 ad.u.op->cmd = cmd;
3589 ad.u.op->path = file->f_path;
3590
3591 if (ssid != fsec->sid) {
3592 rc = avc_has_perm(&selinux_state,
3593 ssid, fsec->sid,
3594 SECCLASS_FD,
3595 FD__USE,
3596 &ad);
3597 if (rc)
3598 goto out;
3599 }
3600
3601 if (unlikely(IS_PRIVATE(inode)))
3602 return 0;
3603
3604 isec = inode_security(inode);
3605 rc = avc_has_extended_perms(&selinux_state,
3606 ssid, isec->sid, isec->sclass,
3607 requested, driver, xperm, &ad);
3608 out:
3609 return rc;
3610 }
3611
3612 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3613 unsigned long arg)
3614 {
3615 const struct cred *cred = current_cred();
3616 int error = 0;
3617
3618 switch (cmd) {
3619 case FIONREAD:
3620 /* fall through */
3621 case FIBMAP:
3622 /* fall through */
3623 case FIGETBSZ:
3624 /* fall through */
3625 case FS_IOC_GETFLAGS:
3626 /* fall through */
3627 case FS_IOC_GETVERSION:
3628 error = file_has_perm(cred, file, FILE__GETATTR);
3629 break;
3630
3631 case FS_IOC_SETFLAGS:
3632 /* fall through */
3633 case FS_IOC_SETVERSION:
3634 error = file_has_perm(cred, file, FILE__SETATTR);
3635 break;
3636
3637 /* sys_ioctl() checks */
3638 case FIONBIO:
3639 /* fall through */
3640 case FIOASYNC:
3641 error = file_has_perm(cred, file, 0);
3642 break;
3643
3644 case KDSKBENT:
3645 case KDSKBSENT:
3646 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3647 SECURITY_CAP_AUDIT, true);
3648 break;
3649
3650 /* default case assumes that the command will go
3651 * to the file's ioctl() function.
3652 */
3653 default:
3654 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3655 }
3656 return error;
3657 }
3658
3659 static int default_noexec;
3660
3661 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3662 {
3663 const struct cred *cred = current_cred();
3664 u32 sid = cred_sid(cred);
3665 int rc = 0;
3666
3667 if (default_noexec &&
3668 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3669 (!shared && (prot & PROT_WRITE)))) {
3670 /*
3671 * We are making executable an anonymous mapping or a
3672 * private file mapping that will also be writable.
3673 * This has an additional check.
3674 */
3675 rc = avc_has_perm(&selinux_state,
3676 sid, sid, SECCLASS_PROCESS,
3677 PROCESS__EXECMEM, NULL);
3678 if (rc)
3679 goto error;
3680 }
3681
3682 if (file) {
3683 /* read access is always possible with a mapping */
3684 u32 av = FILE__READ;
3685
3686 /* write access only matters if the mapping is shared */
3687 if (shared && (prot & PROT_WRITE))
3688 av |= FILE__WRITE;
3689
3690 if (prot & PROT_EXEC)
3691 av |= FILE__EXECUTE;
3692
3693 return file_has_perm(cred, file, av);
3694 }
3695
3696 error:
3697 return rc;
3698 }
3699
3700 static int selinux_mmap_addr(unsigned long addr)
3701 {
3702 int rc = 0;
3703
3704 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3705 u32 sid = current_sid();
3706 rc = avc_has_perm(&selinux_state,
3707 sid, sid, SECCLASS_MEMPROTECT,
3708 MEMPROTECT__MMAP_ZERO, NULL);
3709 }
3710
3711 return rc;
3712 }
3713
3714 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3715 unsigned long prot, unsigned long flags)
3716 {
3717 struct common_audit_data ad;
3718 int rc;
3719
3720 if (file) {
3721 ad.type = LSM_AUDIT_DATA_FILE;
3722 ad.u.file = file;
3723 rc = inode_has_perm(current_cred(), file_inode(file),
3724 FILE__MAP, &ad);
3725 if (rc)
3726 return rc;
3727 }
3728
3729 if (selinux_state.checkreqprot)
3730 prot = reqprot;
3731
3732 return file_map_prot_check(file, prot,
3733 (flags & MAP_TYPE) == MAP_SHARED);
3734 }
3735
3736 static int selinux_file_mprotect(struct vm_area_struct *vma,
3737 unsigned long reqprot,
3738 unsigned long prot)
3739 {
3740 const struct cred *cred = current_cred();
3741 u32 sid = cred_sid(cred);
3742
3743 if (selinux_state.checkreqprot)
3744 prot = reqprot;
3745
3746 if (default_noexec &&
3747 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3748 int rc = 0;
3749 if (vma->vm_start >= vma->vm_mm->start_brk &&
3750 vma->vm_end <= vma->vm_mm->brk) {
3751 rc = avc_has_perm(&selinux_state,
3752 sid, sid, SECCLASS_PROCESS,
3753 PROCESS__EXECHEAP, NULL);
3754 } else if (!vma->vm_file &&
3755 ((vma->vm_start <= vma->vm_mm->start_stack &&
3756 vma->vm_end >= vma->vm_mm->start_stack) ||
3757 vma_is_stack_for_current(vma))) {
3758 rc = avc_has_perm(&selinux_state,
3759 sid, sid, SECCLASS_PROCESS,
3760 PROCESS__EXECSTACK, NULL);
3761 } else if (vma->vm_file && vma->anon_vma) {
3762 /*
3763 * We are making executable a file mapping that has
3764 * had some COW done. Since pages might have been
3765 * written, check ability to execute the possibly
3766 * modified content. This typically should only
3767 * occur for text relocations.
3768 */
3769 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3770 }
3771 if (rc)
3772 return rc;
3773 }
3774
3775 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3776 }
3777
3778 static int selinux_file_lock(struct file *file, unsigned int cmd)
3779 {
3780 const struct cred *cred = current_cred();
3781
3782 return file_has_perm(cred, file, FILE__LOCK);
3783 }
3784
3785 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3786 unsigned long arg)
3787 {
3788 const struct cred *cred = current_cred();
3789 int err = 0;
3790
3791 switch (cmd) {
3792 case F_SETFL:
3793 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3794 err = file_has_perm(cred, file, FILE__WRITE);
3795 break;
3796 }
3797 /* fall through */
3798 case F_SETOWN:
3799 case F_SETSIG:
3800 case F_GETFL:
3801 case F_GETOWN:
3802 case F_GETSIG:
3803 case F_GETOWNER_UIDS:
3804 /* Just check FD__USE permission */
3805 err = file_has_perm(cred, file, 0);
3806 break;
3807 case F_GETLK:
3808 case F_SETLK:
3809 case F_SETLKW:
3810 case F_OFD_GETLK:
3811 case F_OFD_SETLK:
3812 case F_OFD_SETLKW:
3813 #if BITS_PER_LONG == 32
3814 case F_GETLK64:
3815 case F_SETLK64:
3816 case F_SETLKW64:
3817 #endif
3818 err = file_has_perm(cred, file, FILE__LOCK);
3819 break;
3820 }
3821
3822 return err;
3823 }
3824
3825 static void selinux_file_set_fowner(struct file *file)
3826 {
3827 struct file_security_struct *fsec;
3828
3829 fsec = file->f_security;
3830 fsec->fown_sid = current_sid();
3831 }
3832
3833 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3834 struct fown_struct *fown, int signum)
3835 {
3836 struct file *file;
3837 u32 sid = task_sid(tsk);
3838 u32 perm;
3839 struct file_security_struct *fsec;
3840
3841 /* struct fown_struct is never outside the context of a struct file */
3842 file = container_of(fown, struct file, f_owner);
3843
3844 fsec = file->f_security;
3845
3846 if (!signum)
3847 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3848 else
3849 perm = signal_to_av(signum);
3850
3851 return avc_has_perm(&selinux_state,
3852 fsec->fown_sid, sid,
3853 SECCLASS_PROCESS, perm, NULL);
3854 }
3855
3856 static int selinux_file_receive(struct file *file)
3857 {
3858 const struct cred *cred = current_cred();
3859
3860 return file_has_perm(cred, file, file_to_av(file));
3861 }
3862
3863 static int selinux_file_open(struct file *file, const struct cred *cred)
3864 {
3865 struct file_security_struct *fsec;
3866 struct inode_security_struct *isec;
3867
3868 fsec = file->f_security;
3869 isec = inode_security(file_inode(file));
3870 /*
3871 * Save inode label and policy sequence number
3872 * at open-time so that selinux_file_permission
3873 * can determine whether revalidation is necessary.
3874 * Task label is already saved in the file security
3875 * struct as its SID.
3876 */
3877 fsec->isid = isec->sid;
3878 fsec->pseqno = avc_policy_seqno(&selinux_state);
3879 /*
3880 * Since the inode label or policy seqno may have changed
3881 * between the selinux_inode_permission check and the saving
3882 * of state above, recheck that access is still permitted.
3883 * Otherwise, access might never be revalidated against the
3884 * new inode label or new policy.
3885 * This check is not redundant - do not remove.
3886 */
3887 return file_path_has_perm(cred, file, open_file_to_av(file));
3888 }
3889
3890 /* task security operations */
3891
3892 static int selinux_task_alloc(struct task_struct *task,
3893 unsigned long clone_flags)
3894 {
3895 u32 sid = current_sid();
3896
3897 return avc_has_perm(&selinux_state,
3898 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3899 }
3900
3901 /*
3902 * allocate the SELinux part of blank credentials
3903 */
3904 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3905 {
3906 struct task_security_struct *tsec;
3907
3908 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3909 if (!tsec)
3910 return -ENOMEM;
3911
3912 cred->security = tsec;
3913 return 0;
3914 }
3915
3916 /*
3917 * detach and free the LSM part of a set of credentials
3918 */
3919 static void selinux_cred_free(struct cred *cred)
3920 {
3921 struct task_security_struct *tsec = cred->security;
3922
3923 /*
3924 * cred->security == NULL if security_cred_alloc_blank() or
3925 * security_prepare_creds() returned an error.
3926 */
3927 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3928 cred->security = (void *) 0x7UL;
3929 kfree(tsec);
3930 }
3931
3932 /*
3933 * prepare a new set of credentials for modification
3934 */
3935 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3936 gfp_t gfp)
3937 {
3938 const struct task_security_struct *old_tsec;
3939 struct task_security_struct *tsec;
3940
3941 old_tsec = old->security;
3942
3943 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3944 if (!tsec)
3945 return -ENOMEM;
3946
3947 new->security = tsec;
3948 return 0;
3949 }
3950
3951 /*
3952 * transfer the SELinux data to a blank set of creds
3953 */
3954 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3955 {
3956 const struct task_security_struct *old_tsec = old->security;
3957 struct task_security_struct *tsec = new->security;
3958
3959 *tsec = *old_tsec;
3960 }
3961
3962 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3963 {
3964 *secid = cred_sid(c);
3965 }
3966
3967 /*
3968 * set the security data for a kernel service
3969 * - all the creation contexts are set to unlabelled
3970 */
3971 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3972 {
3973 struct task_security_struct *tsec = new->security;
3974 u32 sid = current_sid();
3975 int ret;
3976
3977 ret = avc_has_perm(&selinux_state,
3978 sid, secid,
3979 SECCLASS_KERNEL_SERVICE,
3980 KERNEL_SERVICE__USE_AS_OVERRIDE,
3981 NULL);
3982 if (ret == 0) {
3983 tsec->sid = secid;
3984 tsec->create_sid = 0;
3985 tsec->keycreate_sid = 0;
3986 tsec->sockcreate_sid = 0;
3987 }
3988 return ret;
3989 }
3990
3991 /*
3992 * set the file creation context in a security record to the same as the
3993 * objective context of the specified inode
3994 */
3995 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3996 {
3997 struct inode_security_struct *isec = inode_security(inode);
3998 struct task_security_struct *tsec = new->security;
3999 u32 sid = current_sid();
4000 int ret;
4001
4002 ret = avc_has_perm(&selinux_state,
4003 sid, isec->sid,
4004 SECCLASS_KERNEL_SERVICE,
4005 KERNEL_SERVICE__CREATE_FILES_AS,
4006 NULL);
4007
4008 if (ret == 0)
4009 tsec->create_sid = isec->sid;
4010 return ret;
4011 }
4012
4013 static int selinux_kernel_module_request(char *kmod_name)
4014 {
4015 struct common_audit_data ad;
4016
4017 ad.type = LSM_AUDIT_DATA_KMOD;
4018 ad.u.kmod_name = kmod_name;
4019
4020 return avc_has_perm(&selinux_state,
4021 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4022 SYSTEM__MODULE_REQUEST, &ad);
4023 }
4024
4025 static int selinux_kernel_module_from_file(struct file *file)
4026 {
4027 struct common_audit_data ad;
4028 struct inode_security_struct *isec;
4029 struct file_security_struct *fsec;
4030 u32 sid = current_sid();
4031 int rc;
4032
4033 /* init_module */
4034 if (file == NULL)
4035 return avc_has_perm(&selinux_state,
4036 sid, sid, SECCLASS_SYSTEM,
4037 SYSTEM__MODULE_LOAD, NULL);
4038
4039 /* finit_module */
4040
4041 ad.type = LSM_AUDIT_DATA_FILE;
4042 ad.u.file = file;
4043
4044 fsec = file->f_security;
4045 if (sid != fsec->sid) {
4046 rc = avc_has_perm(&selinux_state,
4047 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4048 if (rc)
4049 return rc;
4050 }
4051
4052 isec = inode_security(file_inode(file));
4053 return avc_has_perm(&selinux_state,
4054 sid, isec->sid, SECCLASS_SYSTEM,
4055 SYSTEM__MODULE_LOAD, &ad);
4056 }
4057
4058 static int selinux_kernel_read_file(struct file *file,
4059 enum kernel_read_file_id id)
4060 {
4061 int rc = 0;
4062
4063 switch (id) {
4064 case READING_MODULE:
4065 rc = selinux_kernel_module_from_file(file);
4066 break;
4067 default:
4068 break;
4069 }
4070
4071 return rc;
4072 }
4073
4074 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4075 {
4076 return avc_has_perm(&selinux_state,
4077 current_sid(), task_sid(p), SECCLASS_PROCESS,
4078 PROCESS__SETPGID, NULL);
4079 }
4080
4081 static int selinux_task_getpgid(struct task_struct *p)
4082 {
4083 return avc_has_perm(&selinux_state,
4084 current_sid(), task_sid(p), SECCLASS_PROCESS,
4085 PROCESS__GETPGID, NULL);
4086 }
4087
4088 static int selinux_task_getsid(struct task_struct *p)
4089 {
4090 return avc_has_perm(&selinux_state,
4091 current_sid(), task_sid(p), SECCLASS_PROCESS,
4092 PROCESS__GETSESSION, NULL);
4093 }
4094
4095 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4096 {
4097 *secid = task_sid(p);
4098 }
4099
4100 static int selinux_task_setnice(struct task_struct *p, int nice)
4101 {
4102 return avc_has_perm(&selinux_state,
4103 current_sid(), task_sid(p), SECCLASS_PROCESS,
4104 PROCESS__SETSCHED, NULL);
4105 }
4106
4107 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4108 {
4109 return avc_has_perm(&selinux_state,
4110 current_sid(), task_sid(p), SECCLASS_PROCESS,
4111 PROCESS__SETSCHED, NULL);
4112 }
4113
4114 static int selinux_task_getioprio(struct task_struct *p)
4115 {
4116 return avc_has_perm(&selinux_state,
4117 current_sid(), task_sid(p), SECCLASS_PROCESS,
4118 PROCESS__GETSCHED, NULL);
4119 }
4120
4121 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4122 unsigned int flags)
4123 {
4124 u32 av = 0;
4125
4126 if (!flags)
4127 return 0;
4128 if (flags & LSM_PRLIMIT_WRITE)
4129 av |= PROCESS__SETRLIMIT;
4130 if (flags & LSM_PRLIMIT_READ)
4131 av |= PROCESS__GETRLIMIT;
4132 return avc_has_perm(&selinux_state,
4133 cred_sid(cred), cred_sid(tcred),
4134 SECCLASS_PROCESS, av, NULL);
4135 }
4136
4137 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4138 struct rlimit *new_rlim)
4139 {
4140 struct rlimit *old_rlim = p->signal->rlim + resource;
4141
4142 /* Control the ability to change the hard limit (whether
4143 lowering or raising it), so that the hard limit can
4144 later be used as a safe reset point for the soft limit
4145 upon context transitions. See selinux_bprm_committing_creds. */
4146 if (old_rlim->rlim_max != new_rlim->rlim_max)
4147 return avc_has_perm(&selinux_state,
4148 current_sid(), task_sid(p),
4149 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4150
4151 return 0;
4152 }
4153
4154 static int selinux_task_setscheduler(struct task_struct *p)
4155 {
4156 return avc_has_perm(&selinux_state,
4157 current_sid(), task_sid(p), SECCLASS_PROCESS,
4158 PROCESS__SETSCHED, NULL);
4159 }
4160
4161 static int selinux_task_getscheduler(struct task_struct *p)
4162 {
4163 return avc_has_perm(&selinux_state,
4164 current_sid(), task_sid(p), SECCLASS_PROCESS,
4165 PROCESS__GETSCHED, NULL);
4166 }
4167
4168 static int selinux_task_movememory(struct task_struct *p)
4169 {
4170 return avc_has_perm(&selinux_state,
4171 current_sid(), task_sid(p), SECCLASS_PROCESS,
4172 PROCESS__SETSCHED, NULL);
4173 }
4174
4175 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4176 int sig, const struct cred *cred)
4177 {
4178 u32 secid;
4179 u32 perm;
4180
4181 if (!sig)
4182 perm = PROCESS__SIGNULL; /* null signal; existence test */
4183 else
4184 perm = signal_to_av(sig);
4185 if (!cred)
4186 secid = current_sid();
4187 else
4188 secid = cred_sid(cred);
4189 return avc_has_perm(&selinux_state,
4190 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4191 }
4192
4193 static void selinux_task_to_inode(struct task_struct *p,
4194 struct inode *inode)
4195 {
4196 struct inode_security_struct *isec = inode->i_security;
4197 u32 sid = task_sid(p);
4198
4199 spin_lock(&isec->lock);
4200 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4201 isec->sid = sid;
4202 isec->initialized = LABEL_INITIALIZED;
4203 spin_unlock(&isec->lock);
4204 }
4205
4206 /* Returns error only if unable to parse addresses */
4207 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4208 struct common_audit_data *ad, u8 *proto)
4209 {
4210 int offset, ihlen, ret = -EINVAL;
4211 struct iphdr _iph, *ih;
4212
4213 offset = skb_network_offset(skb);
4214 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4215 if (ih == NULL)
4216 goto out;
4217
4218 ihlen = ih->ihl * 4;
4219 if (ihlen < sizeof(_iph))
4220 goto out;
4221
4222 ad->u.net->v4info.saddr = ih->saddr;
4223 ad->u.net->v4info.daddr = ih->daddr;
4224 ret = 0;
4225
4226 if (proto)
4227 *proto = ih->protocol;
4228
4229 switch (ih->protocol) {
4230 case IPPROTO_TCP: {
4231 struct tcphdr _tcph, *th;
4232
4233 if (ntohs(ih->frag_off) & IP_OFFSET)
4234 break;
4235
4236 offset += ihlen;
4237 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4238 if (th == NULL)
4239 break;
4240
4241 ad->u.net->sport = th->source;
4242 ad->u.net->dport = th->dest;
4243 break;
4244 }
4245
4246 case IPPROTO_UDP: {
4247 struct udphdr _udph, *uh;
4248
4249 if (ntohs(ih->frag_off) & IP_OFFSET)
4250 break;
4251
4252 offset += ihlen;
4253 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4254 if (uh == NULL)
4255 break;
4256
4257 ad->u.net->sport = uh->source;
4258 ad->u.net->dport = uh->dest;
4259 break;
4260 }
4261
4262 case IPPROTO_DCCP: {
4263 struct dccp_hdr _dccph, *dh;
4264
4265 if (ntohs(ih->frag_off) & IP_OFFSET)
4266 break;
4267
4268 offset += ihlen;
4269 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4270 if (dh == NULL)
4271 break;
4272
4273 ad->u.net->sport = dh->dccph_sport;
4274 ad->u.net->dport = dh->dccph_dport;
4275 break;
4276 }
4277
4278 #if IS_ENABLED(CONFIG_IP_SCTP)
4279 case IPPROTO_SCTP: {
4280 struct sctphdr _sctph, *sh;
4281
4282 if (ntohs(ih->frag_off) & IP_OFFSET)
4283 break;
4284
4285 offset += ihlen;
4286 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4287 if (sh == NULL)
4288 break;
4289
4290 ad->u.net->sport = sh->source;
4291 ad->u.net->dport = sh->dest;
4292 break;
4293 }
4294 #endif
4295 default:
4296 break;
4297 }
4298 out:
4299 return ret;
4300 }
4301
4302 #if IS_ENABLED(CONFIG_IPV6)
4303
4304 /* Returns error only if unable to parse addresses */
4305 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4306 struct common_audit_data *ad, u8 *proto)
4307 {
4308 u8 nexthdr;
4309 int ret = -EINVAL, offset;
4310 struct ipv6hdr _ipv6h, *ip6;
4311 __be16 frag_off;
4312
4313 offset = skb_network_offset(skb);
4314 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4315 if (ip6 == NULL)
4316 goto out;
4317
4318 ad->u.net->v6info.saddr = ip6->saddr;
4319 ad->u.net->v6info.daddr = ip6->daddr;
4320 ret = 0;
4321
4322 nexthdr = ip6->nexthdr;
4323 offset += sizeof(_ipv6h);
4324 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4325 if (offset < 0)
4326 goto out;
4327
4328 if (proto)
4329 *proto = nexthdr;
4330
4331 switch (nexthdr) {
4332 case IPPROTO_TCP: {
4333 struct tcphdr _tcph, *th;
4334
4335 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4336 if (th == NULL)
4337 break;
4338
4339 ad->u.net->sport = th->source;
4340 ad->u.net->dport = th->dest;
4341 break;
4342 }
4343
4344 case IPPROTO_UDP: {
4345 struct udphdr _udph, *uh;
4346
4347 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4348 if (uh == NULL)
4349 break;
4350
4351 ad->u.net->sport = uh->source;
4352 ad->u.net->dport = uh->dest;
4353 break;
4354 }
4355
4356 case IPPROTO_DCCP: {
4357 struct dccp_hdr _dccph, *dh;
4358
4359 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4360 if (dh == NULL)
4361 break;
4362
4363 ad->u.net->sport = dh->dccph_sport;
4364 ad->u.net->dport = dh->dccph_dport;
4365 break;
4366 }
4367
4368 #if IS_ENABLED(CONFIG_IP_SCTP)
4369 case IPPROTO_SCTP: {
4370 struct sctphdr _sctph, *sh;
4371
4372 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4373 if (sh == NULL)
4374 break;
4375
4376 ad->u.net->sport = sh->source;
4377 ad->u.net->dport = sh->dest;
4378 break;
4379 }
4380 #endif
4381 /* includes fragments */
4382 default:
4383 break;
4384 }
4385 out:
4386 return ret;
4387 }
4388
4389 #endif /* IPV6 */
4390
4391 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4392 char **_addrp, int src, u8 *proto)
4393 {
4394 char *addrp;
4395 int ret;
4396
4397 switch (ad->u.net->family) {
4398 case PF_INET:
4399 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4400 if (ret)
4401 goto parse_error;
4402 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4403 &ad->u.net->v4info.daddr);
4404 goto okay;
4405
4406 #if IS_ENABLED(CONFIG_IPV6)
4407 case PF_INET6:
4408 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4409 if (ret)
4410 goto parse_error;
4411 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4412 &ad->u.net->v6info.daddr);
4413 goto okay;
4414 #endif /* IPV6 */
4415 default:
4416 addrp = NULL;
4417 goto okay;
4418 }
4419
4420 parse_error:
4421 printk(KERN_WARNING
4422 "SELinux: failure in selinux_parse_skb(),"
4423 " unable to parse packet\n");
4424 return ret;
4425
4426 okay:
4427 if (_addrp)
4428 *_addrp = addrp;
4429 return 0;
4430 }
4431
4432 /**
4433 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4434 * @skb: the packet
4435 * @family: protocol family
4436 * @sid: the packet's peer label SID
4437 *
4438 * Description:
4439 * Check the various different forms of network peer labeling and determine
4440 * the peer label/SID for the packet; most of the magic actually occurs in
4441 * the security server function security_net_peersid_cmp(). The function
4442 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4443 * or -EACCES if @sid is invalid due to inconsistencies with the different
4444 * peer labels.
4445 *
4446 */
4447 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4448 {
4449 int err;
4450 u32 xfrm_sid;
4451 u32 nlbl_sid;
4452 u32 nlbl_type;
4453
4454 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4455 if (unlikely(err))
4456 return -EACCES;
4457 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4458 if (unlikely(err))
4459 return -EACCES;
4460
4461 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4462 nlbl_type, xfrm_sid, sid);
4463 if (unlikely(err)) {
4464 printk(KERN_WARNING
4465 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4466 " unable to determine packet's peer label\n");
4467 return -EACCES;
4468 }
4469
4470 return 0;
4471 }
4472
4473 /**
4474 * selinux_conn_sid - Determine the child socket label for a connection
4475 * @sk_sid: the parent socket's SID
4476 * @skb_sid: the packet's SID
4477 * @conn_sid: the resulting connection SID
4478 *
4479 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4480 * combined with the MLS information from @skb_sid in order to create
4481 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4482 * of @sk_sid. Returns zero on success, negative values on failure.
4483 *
4484 */
4485 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4486 {
4487 int err = 0;
4488
4489 if (skb_sid != SECSID_NULL)
4490 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4491 conn_sid);
4492 else
4493 *conn_sid = sk_sid;
4494
4495 return err;
4496 }
4497
4498 /* socket security operations */
4499
4500 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4501 u16 secclass, u32 *socksid)
4502 {
4503 if (tsec->sockcreate_sid > SECSID_NULL) {
4504 *socksid = tsec->sockcreate_sid;
4505 return 0;
4506 }
4507
4508 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4509 secclass, NULL, socksid);
4510 }
4511
4512 static int sock_has_perm(struct sock *sk, u32 perms)
4513 {
4514 struct sk_security_struct *sksec = sk->sk_security;
4515 struct common_audit_data ad;
4516 struct lsm_network_audit net = {0,};
4517
4518 if (sksec->sid == SECINITSID_KERNEL)
4519 return 0;
4520
4521 ad.type = LSM_AUDIT_DATA_NET;
4522 ad.u.net = &net;
4523 ad.u.net->sk = sk;
4524
4525 return avc_has_perm(&selinux_state,
4526 current_sid(), sksec->sid, sksec->sclass, perms,
4527 &ad);
4528 }
4529
4530 static int selinux_socket_create(int family, int type,
4531 int protocol, int kern)
4532 {
4533 const struct task_security_struct *tsec = current_security();
4534 u32 newsid;
4535 u16 secclass;
4536 int rc;
4537
4538 if (kern)
4539 return 0;
4540
4541 secclass = socket_type_to_security_class(family, type, protocol);
4542 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4543 if (rc)
4544 return rc;
4545
4546 return avc_has_perm(&selinux_state,
4547 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4548 }
4549
4550 static int selinux_socket_post_create(struct socket *sock, int family,
4551 int type, int protocol, int kern)
4552 {
4553 const struct task_security_struct *tsec = current_security();
4554 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4555 struct sk_security_struct *sksec;
4556 u16 sclass = socket_type_to_security_class(family, type, protocol);
4557 u32 sid = SECINITSID_KERNEL;
4558 int err = 0;
4559
4560 if (!kern) {
4561 err = socket_sockcreate_sid(tsec, sclass, &sid);
4562 if (err)
4563 return err;
4564 }
4565
4566 isec->sclass = sclass;
4567 isec->sid = sid;
4568 isec->initialized = LABEL_INITIALIZED;
4569
4570 if (sock->sk) {
4571 sksec = sock->sk->sk_security;
4572 sksec->sclass = sclass;
4573 sksec->sid = sid;
4574 /* Allows detection of the first association on this socket */
4575 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4576 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4577
4578 err = selinux_netlbl_socket_post_create(sock->sk, family);
4579 }
4580
4581 return err;
4582 }
4583
4584 static int selinux_socket_socketpair(struct socket *socka,
4585 struct socket *sockb)
4586 {
4587 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4588 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4589
4590 sksec_a->peer_sid = sksec_b->sid;
4591 sksec_b->peer_sid = sksec_a->sid;
4592
4593 return 0;
4594 }
4595
4596 /* Range of port numbers used to automatically bind.
4597 Need to determine whether we should perform a name_bind
4598 permission check between the socket and the port number. */
4599
4600 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4601 {
4602 struct sock *sk = sock->sk;
4603 struct sk_security_struct *sksec = sk->sk_security;
4604 u16 family;
4605 int err;
4606
4607 err = sock_has_perm(sk, SOCKET__BIND);
4608 if (err)
4609 goto out;
4610
4611 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4612 family = sk->sk_family;
4613 if (family == PF_INET || family == PF_INET6) {
4614 char *addrp;
4615 struct common_audit_data ad;
4616 struct lsm_network_audit net = {0,};
4617 struct sockaddr_in *addr4 = NULL;
4618 struct sockaddr_in6 *addr6 = NULL;
4619 u16 family_sa = address->sa_family;
4620 unsigned short snum;
4621 u32 sid, node_perm;
4622
4623 /*
4624 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4625 * that validates multiple binding addresses. Because of this
4626 * need to check address->sa_family as it is possible to have
4627 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4628 */
4629 switch (family_sa) {
4630 case AF_UNSPEC:
4631 case AF_INET:
4632 if (addrlen < sizeof(struct sockaddr_in))
4633 return -EINVAL;
4634 addr4 = (struct sockaddr_in *)address;
4635 if (family_sa == AF_UNSPEC) {
4636 /* see __inet_bind(), we only want to allow
4637 * AF_UNSPEC if the address is INADDR_ANY
4638 */
4639 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4640 goto err_af;
4641 family_sa = AF_INET;
4642 }
4643 snum = ntohs(addr4->sin_port);
4644 addrp = (char *)&addr4->sin_addr.s_addr;
4645 break;
4646 case AF_INET6:
4647 if (addrlen < SIN6_LEN_RFC2133)
4648 return -EINVAL;
4649 addr6 = (struct sockaddr_in6 *)address;
4650 snum = ntohs(addr6->sin6_port);
4651 addrp = (char *)&addr6->sin6_addr.s6_addr;
4652 break;
4653 default:
4654 goto err_af;
4655 }
4656
4657 ad.type = LSM_AUDIT_DATA_NET;
4658 ad.u.net = &net;
4659 ad.u.net->sport = htons(snum);
4660 ad.u.net->family = family_sa;
4661
4662 if (snum) {
4663 int low, high;
4664
4665 inet_get_local_port_range(sock_net(sk), &low, &high);
4666
4667 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4668 snum > high) {
4669 err = sel_netport_sid(sk->sk_protocol,
4670 snum, &sid);
4671 if (err)
4672 goto out;
4673 err = avc_has_perm(&selinux_state,
4674 sksec->sid, sid,
4675 sksec->sclass,
4676 SOCKET__NAME_BIND, &ad);
4677 if (err)
4678 goto out;
4679 }
4680 }
4681
4682 switch (sksec->sclass) {
4683 case SECCLASS_TCP_SOCKET:
4684 node_perm = TCP_SOCKET__NODE_BIND;
4685 break;
4686
4687 case SECCLASS_UDP_SOCKET:
4688 node_perm = UDP_SOCKET__NODE_BIND;
4689 break;
4690
4691 case SECCLASS_DCCP_SOCKET:
4692 node_perm = DCCP_SOCKET__NODE_BIND;
4693 break;
4694
4695 case SECCLASS_SCTP_SOCKET:
4696 node_perm = SCTP_SOCKET__NODE_BIND;
4697 break;
4698
4699 default:
4700 node_perm = RAWIP_SOCKET__NODE_BIND;
4701 break;
4702 }
4703
4704 err = sel_netnode_sid(addrp, family_sa, &sid);
4705 if (err)
4706 goto out;
4707
4708 if (family_sa == AF_INET)
4709 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4710 else
4711 ad.u.net->v6info.saddr = addr6->sin6_addr;
4712
4713 err = avc_has_perm(&selinux_state,
4714 sksec->sid, sid,
4715 sksec->sclass, node_perm, &ad);
4716 if (err)
4717 goto out;
4718 }
4719 out:
4720 return err;
4721 err_af:
4722 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4723 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4724 return -EINVAL;
4725 return -EAFNOSUPPORT;
4726 }
4727
4728 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4729 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.txt
4730 */
4731 static int selinux_socket_connect_helper(struct socket *sock,
4732 struct sockaddr *address, int addrlen)
4733 {
4734 struct sock *sk = sock->sk;
4735 struct sk_security_struct *sksec = sk->sk_security;
4736 int err;
4737
4738 err = sock_has_perm(sk, SOCKET__CONNECT);
4739 if (err)
4740 return err;
4741
4742 /*
4743 * If a TCP, DCCP or SCTP socket, check name_connect permission
4744 * for the port.
4745 */
4746 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4747 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4748 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4749 struct common_audit_data ad;
4750 struct lsm_network_audit net = {0,};
4751 struct sockaddr_in *addr4 = NULL;
4752 struct sockaddr_in6 *addr6 = NULL;
4753 unsigned short snum;
4754 u32 sid, perm;
4755
4756 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4757 * that validates multiple connect addresses. Because of this
4758 * need to check address->sa_family as it is possible to have
4759 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4760 */
4761 switch (address->sa_family) {
4762 case AF_INET:
4763 addr4 = (struct sockaddr_in *)address;
4764 if (addrlen < sizeof(struct sockaddr_in))
4765 return -EINVAL;
4766 snum = ntohs(addr4->sin_port);
4767 break;
4768 case AF_INET6:
4769 addr6 = (struct sockaddr_in6 *)address;
4770 if (addrlen < SIN6_LEN_RFC2133)
4771 return -EINVAL;
4772 snum = ntohs(addr6->sin6_port);
4773 break;
4774 default:
4775 /* Note that SCTP services expect -EINVAL, whereas
4776 * others expect -EAFNOSUPPORT.
4777 */
4778 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4779 return -EINVAL;
4780 else
4781 return -EAFNOSUPPORT;
4782 }
4783
4784 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4785 if (err)
4786 return err;
4787
4788 switch (sksec->sclass) {
4789 case SECCLASS_TCP_SOCKET:
4790 perm = TCP_SOCKET__NAME_CONNECT;
4791 break;
4792 case SECCLASS_DCCP_SOCKET:
4793 perm = DCCP_SOCKET__NAME_CONNECT;
4794 break;
4795 case SECCLASS_SCTP_SOCKET:
4796 perm = SCTP_SOCKET__NAME_CONNECT;
4797 break;
4798 }
4799
4800 ad.type = LSM_AUDIT_DATA_NET;
4801 ad.u.net = &net;
4802 ad.u.net->dport = htons(snum);
4803 ad.u.net->family = address->sa_family;
4804 err = avc_has_perm(&selinux_state,
4805 sksec->sid, sid, sksec->sclass, perm, &ad);
4806 if (err)
4807 return err;
4808 }
4809
4810 return 0;
4811 }
4812
4813 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4814 static int selinux_socket_connect(struct socket *sock,
4815 struct sockaddr *address, int addrlen)
4816 {
4817 int err;
4818 struct sock *sk = sock->sk;
4819
4820 err = selinux_socket_connect_helper(sock, address, addrlen);
4821 if (err)
4822 return err;
4823
4824 return selinux_netlbl_socket_connect(sk, address);
4825 }
4826
4827 static int selinux_socket_listen(struct socket *sock, int backlog)
4828 {
4829 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4830 }
4831
4832 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4833 {
4834 int err;
4835 struct inode_security_struct *isec;
4836 struct inode_security_struct *newisec;
4837 u16 sclass;
4838 u32 sid;
4839
4840 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4841 if (err)
4842 return err;
4843
4844 isec = inode_security_novalidate(SOCK_INODE(sock));
4845 spin_lock(&isec->lock);
4846 sclass = isec->sclass;
4847 sid = isec->sid;
4848 spin_unlock(&isec->lock);
4849
4850 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4851 newisec->sclass = sclass;
4852 newisec->sid = sid;
4853 newisec->initialized = LABEL_INITIALIZED;
4854
4855 return 0;
4856 }
4857
4858 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4859 int size)
4860 {
4861 return sock_has_perm(sock->sk, SOCKET__WRITE);
4862 }
4863
4864 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4865 int size, int flags)
4866 {
4867 return sock_has_perm(sock->sk, SOCKET__READ);
4868 }
4869
4870 static int selinux_socket_getsockname(struct socket *sock)
4871 {
4872 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4873 }
4874
4875 static int selinux_socket_getpeername(struct socket *sock)
4876 {
4877 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4878 }
4879
4880 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4881 {
4882 int err;
4883
4884 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4885 if (err)
4886 return err;
4887
4888 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4889 }
4890
4891 static int selinux_socket_getsockopt(struct socket *sock, int level,
4892 int optname)
4893 {
4894 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4895 }
4896
4897 static int selinux_socket_shutdown(struct socket *sock, int how)
4898 {
4899 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4900 }
4901
4902 static int selinux_socket_unix_stream_connect(struct sock *sock,
4903 struct sock *other,
4904 struct sock *newsk)
4905 {
4906 struct sk_security_struct *sksec_sock = sock->sk_security;
4907 struct sk_security_struct *sksec_other = other->sk_security;
4908 struct sk_security_struct *sksec_new = newsk->sk_security;
4909 struct common_audit_data ad;
4910 struct lsm_network_audit net = {0,};
4911 int err;
4912
4913 ad.type = LSM_AUDIT_DATA_NET;
4914 ad.u.net = &net;
4915 ad.u.net->sk = other;
4916
4917 err = avc_has_perm(&selinux_state,
4918 sksec_sock->sid, sksec_other->sid,
4919 sksec_other->sclass,
4920 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4921 if (err)
4922 return err;
4923
4924 /* server child socket */
4925 sksec_new->peer_sid = sksec_sock->sid;
4926 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4927 sksec_sock->sid, &sksec_new->sid);
4928 if (err)
4929 return err;
4930
4931 /* connecting socket */
4932 sksec_sock->peer_sid = sksec_new->sid;
4933
4934 return 0;
4935 }
4936
4937 static int selinux_socket_unix_may_send(struct socket *sock,
4938 struct socket *other)
4939 {
4940 struct sk_security_struct *ssec = sock->sk->sk_security;
4941 struct sk_security_struct *osec = other->sk->sk_security;
4942 struct common_audit_data ad;
4943 struct lsm_network_audit net = {0,};
4944
4945 ad.type = LSM_AUDIT_DATA_NET;
4946 ad.u.net = &net;
4947 ad.u.net->sk = other->sk;
4948
4949 return avc_has_perm(&selinux_state,
4950 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4951 &ad);
4952 }
4953
4954 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4955 char *addrp, u16 family, u32 peer_sid,
4956 struct common_audit_data *ad)
4957 {
4958 int err;
4959 u32 if_sid;
4960 u32 node_sid;
4961
4962 err = sel_netif_sid(ns, ifindex, &if_sid);
4963 if (err)
4964 return err;
4965 err = avc_has_perm(&selinux_state,
4966 peer_sid, if_sid,
4967 SECCLASS_NETIF, NETIF__INGRESS, ad);
4968 if (err)
4969 return err;
4970
4971 err = sel_netnode_sid(addrp, family, &node_sid);
4972 if (err)
4973 return err;
4974 return avc_has_perm(&selinux_state,
4975 peer_sid, node_sid,
4976 SECCLASS_NODE, NODE__RECVFROM, ad);
4977 }
4978
4979 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4980 u16 family)
4981 {
4982 int err = 0;
4983 struct sk_security_struct *sksec = sk->sk_security;
4984 u32 sk_sid = sksec->sid;
4985 struct common_audit_data ad;
4986 struct lsm_network_audit net = {0,};
4987 char *addrp;
4988
4989 ad.type = LSM_AUDIT_DATA_NET;
4990 ad.u.net = &net;
4991 ad.u.net->netif = skb->skb_iif;
4992 ad.u.net->family = family;
4993 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4994 if (err)
4995 return err;
4996
4997 if (selinux_secmark_enabled()) {
4998 err = avc_has_perm(&selinux_state,
4999 sk_sid, skb->secmark, SECCLASS_PACKET,
5000 PACKET__RECV, &ad);
5001 if (err)
5002 return err;
5003 }
5004
5005 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5006 if (err)
5007 return err;
5008 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5009
5010 return err;
5011 }
5012
5013 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5014 {
5015 int err;
5016 struct sk_security_struct *sksec = sk->sk_security;
5017 u16 family = sk->sk_family;
5018 u32 sk_sid = sksec->sid;
5019 struct common_audit_data ad;
5020 struct lsm_network_audit net = {0,};
5021 char *addrp;
5022 u8 secmark_active;
5023 u8 peerlbl_active;
5024
5025 if (family != PF_INET && family != PF_INET6)
5026 return 0;
5027
5028 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5029 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5030 family = PF_INET;
5031
5032 /* If any sort of compatibility mode is enabled then handoff processing
5033 * to the selinux_sock_rcv_skb_compat() function to deal with the
5034 * special handling. We do this in an attempt to keep this function
5035 * as fast and as clean as possible. */
5036 if (!selinux_policycap_netpeer())
5037 return selinux_sock_rcv_skb_compat(sk, skb, family);
5038
5039 secmark_active = selinux_secmark_enabled();
5040 peerlbl_active = selinux_peerlbl_enabled();
5041 if (!secmark_active && !peerlbl_active)
5042 return 0;
5043
5044 ad.type = LSM_AUDIT_DATA_NET;
5045 ad.u.net = &net;
5046 ad.u.net->netif = skb->skb_iif;
5047 ad.u.net->family = family;
5048 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5049 if (err)
5050 return err;
5051
5052 if (peerlbl_active) {
5053 u32 peer_sid;
5054
5055 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5056 if (err)
5057 return err;
5058 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5059 addrp, family, peer_sid, &ad);
5060 if (err) {
5061 selinux_netlbl_err(skb, family, err, 0);
5062 return err;
5063 }
5064 err = avc_has_perm(&selinux_state,
5065 sk_sid, peer_sid, SECCLASS_PEER,
5066 PEER__RECV, &ad);
5067 if (err) {
5068 selinux_netlbl_err(skb, family, err, 0);
5069 return err;
5070 }
5071 }
5072
5073 if (secmark_active) {
5074 err = avc_has_perm(&selinux_state,
5075 sk_sid, skb->secmark, SECCLASS_PACKET,
5076 PACKET__RECV, &ad);
5077 if (err)
5078 return err;
5079 }
5080
5081 return err;
5082 }
5083
5084 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5085 int __user *optlen, unsigned len)
5086 {
5087 int err = 0;
5088 char *scontext;
5089 u32 scontext_len;
5090 struct sk_security_struct *sksec = sock->sk->sk_security;
5091 u32 peer_sid = SECSID_NULL;
5092
5093 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5094 sksec->sclass == SECCLASS_TCP_SOCKET ||
5095 sksec->sclass == SECCLASS_SCTP_SOCKET)
5096 peer_sid = sksec->peer_sid;
5097 if (peer_sid == SECSID_NULL)
5098 return -ENOPROTOOPT;
5099
5100 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5101 &scontext_len);
5102 if (err)
5103 return err;
5104
5105 if (scontext_len > len) {
5106 err = -ERANGE;
5107 goto out_len;
5108 }
5109
5110 if (copy_to_user(optval, scontext, scontext_len))
5111 err = -EFAULT;
5112
5113 out_len:
5114 if (put_user(scontext_len, optlen))
5115 err = -EFAULT;
5116 kfree(scontext);
5117 return err;
5118 }
5119
5120 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5121 {
5122 u32 peer_secid = SECSID_NULL;
5123 u16 family;
5124 struct inode_security_struct *isec;
5125
5126 if (skb && skb->protocol == htons(ETH_P_IP))
5127 family = PF_INET;
5128 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5129 family = PF_INET6;
5130 else if (sock)
5131 family = sock->sk->sk_family;
5132 else
5133 goto out;
5134
5135 if (sock && family == PF_UNIX) {
5136 isec = inode_security_novalidate(SOCK_INODE(sock));
5137 peer_secid = isec->sid;
5138 } else if (skb)
5139 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5140
5141 out:
5142 *secid = peer_secid;
5143 if (peer_secid == SECSID_NULL)
5144 return -EINVAL;
5145 return 0;
5146 }
5147
5148 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5149 {
5150 struct sk_security_struct *sksec;
5151
5152 sksec = kzalloc(sizeof(*sksec), priority);
5153 if (!sksec)
5154 return -ENOMEM;
5155
5156 sksec->peer_sid = SECINITSID_UNLABELED;
5157 sksec->sid = SECINITSID_UNLABELED;
5158 sksec->sclass = SECCLASS_SOCKET;
5159 selinux_netlbl_sk_security_reset(sksec);
5160 sk->sk_security = sksec;
5161
5162 return 0;
5163 }
5164
5165 static void selinux_sk_free_security(struct sock *sk)
5166 {
5167 struct sk_security_struct *sksec = sk->sk_security;
5168
5169 sk->sk_security = NULL;
5170 selinux_netlbl_sk_security_free(sksec);
5171 kfree(sksec);
5172 }
5173
5174 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5175 {
5176 struct sk_security_struct *sksec = sk->sk_security;
5177 struct sk_security_struct *newsksec = newsk->sk_security;
5178
5179 newsksec->sid = sksec->sid;
5180 newsksec->peer_sid = sksec->peer_sid;
5181 newsksec->sclass = sksec->sclass;
5182
5183 selinux_netlbl_sk_security_reset(newsksec);
5184 }
5185
5186 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5187 {
5188 if (!sk)
5189 *secid = SECINITSID_ANY_SOCKET;
5190 else {
5191 struct sk_security_struct *sksec = sk->sk_security;
5192
5193 *secid = sksec->sid;
5194 }
5195 }
5196
5197 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5198 {
5199 struct inode_security_struct *isec =
5200 inode_security_novalidate(SOCK_INODE(parent));
5201 struct sk_security_struct *sksec = sk->sk_security;
5202
5203 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5204 sk->sk_family == PF_UNIX)
5205 isec->sid = sksec->sid;
5206 sksec->sclass = isec->sclass;
5207 }
5208
5209 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5210 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5211 * already present).
5212 */
5213 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5214 struct sk_buff *skb)
5215 {
5216 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5217 struct common_audit_data ad;
5218 struct lsm_network_audit net = {0,};
5219 u8 peerlbl_active;
5220 u32 peer_sid = SECINITSID_UNLABELED;
5221 u32 conn_sid;
5222 int err = 0;
5223
5224 if (!selinux_policycap_extsockclass())
5225 return 0;
5226
5227 peerlbl_active = selinux_peerlbl_enabled();
5228
5229 if (peerlbl_active) {
5230 /* This will return peer_sid = SECSID_NULL if there are
5231 * no peer labels, see security_net_peersid_resolve().
5232 */
5233 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5234 &peer_sid);
5235 if (err)
5236 return err;
5237
5238 if (peer_sid == SECSID_NULL)
5239 peer_sid = SECINITSID_UNLABELED;
5240 }
5241
5242 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5243 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5244
5245 /* Here as first association on socket. As the peer SID
5246 * was allowed by peer recv (and the netif/node checks),
5247 * then it is approved by policy and used as the primary
5248 * peer SID for getpeercon(3).
5249 */
5250 sksec->peer_sid = peer_sid;
5251 } else if (sksec->peer_sid != peer_sid) {
5252 /* Other association peer SIDs are checked to enforce
5253 * consistency among the peer SIDs.
5254 */
5255 ad.type = LSM_AUDIT_DATA_NET;
5256 ad.u.net = &net;
5257 ad.u.net->sk = ep->base.sk;
5258 err = avc_has_perm(&selinux_state,
5259 sksec->peer_sid, peer_sid, sksec->sclass,
5260 SCTP_SOCKET__ASSOCIATION, &ad);
5261 if (err)
5262 return err;
5263 }
5264
5265 /* Compute the MLS component for the connection and store
5266 * the information in ep. This will be used by SCTP TCP type
5267 * sockets and peeled off connections as they cause a new
5268 * socket to be generated. selinux_sctp_sk_clone() will then
5269 * plug this into the new socket.
5270 */
5271 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5272 if (err)
5273 return err;
5274
5275 ep->secid = conn_sid;
5276 ep->peer_secid = peer_sid;
5277
5278 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5279 return selinux_netlbl_sctp_assoc_request(ep, skb);
5280 }
5281
5282 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5283 * based on their @optname.
5284 */
5285 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5286 struct sockaddr *address,
5287 int addrlen)
5288 {
5289 int len, err = 0, walk_size = 0;
5290 void *addr_buf;
5291 struct sockaddr *addr;
5292 struct socket *sock;
5293
5294 if (!selinux_policycap_extsockclass())
5295 return 0;
5296
5297 /* Process one or more addresses that may be IPv4 or IPv6 */
5298 sock = sk->sk_socket;
5299 addr_buf = address;
5300
5301 while (walk_size < addrlen) {
5302 addr = addr_buf;
5303 switch (addr->sa_family) {
5304 case AF_UNSPEC:
5305 case AF_INET:
5306 len = sizeof(struct sockaddr_in);
5307 break;
5308 case AF_INET6:
5309 len = sizeof(struct sockaddr_in6);
5310 break;
5311 default:
5312 return -EINVAL;
5313 }
5314
5315 err = -EINVAL;
5316 switch (optname) {
5317 /* Bind checks */
5318 case SCTP_PRIMARY_ADDR:
5319 case SCTP_SET_PEER_PRIMARY_ADDR:
5320 case SCTP_SOCKOPT_BINDX_ADD:
5321 err = selinux_socket_bind(sock, addr, len);
5322 break;
5323 /* Connect checks */
5324 case SCTP_SOCKOPT_CONNECTX:
5325 case SCTP_PARAM_SET_PRIMARY:
5326 case SCTP_PARAM_ADD_IP:
5327 case SCTP_SENDMSG_CONNECT:
5328 err = selinux_socket_connect_helper(sock, addr, len);
5329 if (err)
5330 return err;
5331
5332 /* As selinux_sctp_bind_connect() is called by the
5333 * SCTP protocol layer, the socket is already locked,
5334 * therefore selinux_netlbl_socket_connect_locked() is
5335 * is called here. The situations handled are:
5336 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5337 * whenever a new IP address is added or when a new
5338 * primary address is selected.
5339 * Note that an SCTP connect(2) call happens before
5340 * the SCTP protocol layer and is handled via
5341 * selinux_socket_connect().
5342 */
5343 err = selinux_netlbl_socket_connect_locked(sk, addr);
5344 break;
5345 }
5346
5347 if (err)
5348 return err;
5349
5350 addr_buf += len;
5351 walk_size += len;
5352 }
5353
5354 return 0;
5355 }
5356
5357 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5358 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5359 struct sock *newsk)
5360 {
5361 struct sk_security_struct *sksec = sk->sk_security;
5362 struct sk_security_struct *newsksec = newsk->sk_security;
5363
5364 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5365 * the non-sctp clone version.
5366 */
5367 if (!selinux_policycap_extsockclass())
5368 return selinux_sk_clone_security(sk, newsk);
5369
5370 newsksec->sid = ep->secid;
5371 newsksec->peer_sid = ep->peer_secid;
5372 newsksec->sclass = sksec->sclass;
5373 selinux_netlbl_sctp_sk_clone(sk, newsk);
5374 }
5375
5376 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5377 struct request_sock *req)
5378 {
5379 struct sk_security_struct *sksec = sk->sk_security;
5380 int err;
5381 u16 family = req->rsk_ops->family;
5382 u32 connsid;
5383 u32 peersid;
5384
5385 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5386 if (err)
5387 return err;
5388 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5389 if (err)
5390 return err;
5391 req->secid = connsid;
5392 req->peer_secid = peersid;
5393
5394 return selinux_netlbl_inet_conn_request(req, family);
5395 }
5396
5397 static void selinux_inet_csk_clone(struct sock *newsk,
5398 const struct request_sock *req)
5399 {
5400 struct sk_security_struct *newsksec = newsk->sk_security;
5401
5402 newsksec->sid = req->secid;
5403 newsksec->peer_sid = req->peer_secid;
5404 /* NOTE: Ideally, we should also get the isec->sid for the
5405 new socket in sync, but we don't have the isec available yet.
5406 So we will wait until sock_graft to do it, by which
5407 time it will have been created and available. */
5408
5409 /* We don't need to take any sort of lock here as we are the only
5410 * thread with access to newsksec */
5411 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5412 }
5413
5414 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5415 {
5416 u16 family = sk->sk_family;
5417 struct sk_security_struct *sksec = sk->sk_security;
5418
5419 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5420 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5421 family = PF_INET;
5422
5423 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5424 }
5425
5426 static int selinux_secmark_relabel_packet(u32 sid)
5427 {
5428 const struct task_security_struct *__tsec;
5429 u32 tsid;
5430
5431 __tsec = current_security();
5432 tsid = __tsec->sid;
5433
5434 return avc_has_perm(&selinux_state,
5435 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5436 NULL);
5437 }
5438
5439 static void selinux_secmark_refcount_inc(void)
5440 {
5441 atomic_inc(&selinux_secmark_refcount);
5442 }
5443
5444 static void selinux_secmark_refcount_dec(void)
5445 {
5446 atomic_dec(&selinux_secmark_refcount);
5447 }
5448
5449 static void selinux_req_classify_flow(const struct request_sock *req,
5450 struct flowi *fl)
5451 {
5452 fl->flowi_secid = req->secid;
5453 }
5454
5455 static int selinux_tun_dev_alloc_security(void **security)
5456 {
5457 struct tun_security_struct *tunsec;
5458
5459 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5460 if (!tunsec)
5461 return -ENOMEM;
5462 tunsec->sid = current_sid();
5463
5464 *security = tunsec;
5465 return 0;
5466 }
5467
5468 static void selinux_tun_dev_free_security(void *security)
5469 {
5470 kfree(security);
5471 }
5472
5473 static int selinux_tun_dev_create(void)
5474 {
5475 u32 sid = current_sid();
5476
5477 /* we aren't taking into account the "sockcreate" SID since the socket
5478 * that is being created here is not a socket in the traditional sense,
5479 * instead it is a private sock, accessible only to the kernel, and
5480 * representing a wide range of network traffic spanning multiple
5481 * connections unlike traditional sockets - check the TUN driver to
5482 * get a better understanding of why this socket is special */
5483
5484 return avc_has_perm(&selinux_state,
5485 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5486 NULL);
5487 }
5488
5489 static int selinux_tun_dev_attach_queue(void *security)
5490 {
5491 struct tun_security_struct *tunsec = security;
5492
5493 return avc_has_perm(&selinux_state,
5494 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5495 TUN_SOCKET__ATTACH_QUEUE, NULL);
5496 }
5497
5498 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5499 {
5500 struct tun_security_struct *tunsec = security;
5501 struct sk_security_struct *sksec = sk->sk_security;
5502
5503 /* we don't currently perform any NetLabel based labeling here and it
5504 * isn't clear that we would want to do so anyway; while we could apply
5505 * labeling without the support of the TUN user the resulting labeled
5506 * traffic from the other end of the connection would almost certainly
5507 * cause confusion to the TUN user that had no idea network labeling
5508 * protocols were being used */
5509
5510 sksec->sid = tunsec->sid;
5511 sksec->sclass = SECCLASS_TUN_SOCKET;
5512
5513 return 0;
5514 }
5515
5516 static int selinux_tun_dev_open(void *security)
5517 {
5518 struct tun_security_struct *tunsec = security;
5519 u32 sid = current_sid();
5520 int err;
5521
5522 err = avc_has_perm(&selinux_state,
5523 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5524 TUN_SOCKET__RELABELFROM, NULL);
5525 if (err)
5526 return err;
5527 err = avc_has_perm(&selinux_state,
5528 sid, sid, SECCLASS_TUN_SOCKET,
5529 TUN_SOCKET__RELABELTO, NULL);
5530 if (err)
5531 return err;
5532 tunsec->sid = sid;
5533
5534 return 0;
5535 }
5536
5537 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5538 {
5539 int err = 0;
5540 u32 perm;
5541 struct nlmsghdr *nlh;
5542 struct sk_security_struct *sksec = sk->sk_security;
5543
5544 if (skb->len < NLMSG_HDRLEN) {
5545 err = -EINVAL;
5546 goto out;
5547 }
5548 nlh = nlmsg_hdr(skb);
5549
5550 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5551 if (err) {
5552 if (err == -EINVAL) {
5553 pr_warn_ratelimited("SELinux: unrecognized netlink"
5554 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5555 " pig=%d comm=%s\n",
5556 sk->sk_protocol, nlh->nlmsg_type,
5557 secclass_map[sksec->sclass - 1].name,
5558 task_pid_nr(current), current->comm);
5559 if (!enforcing_enabled(&selinux_state) ||
5560 security_get_allow_unknown(&selinux_state))
5561 err = 0;
5562 }
5563
5564 /* Ignore */
5565 if (err == -ENOENT)
5566 err = 0;
5567 goto out;
5568 }
5569
5570 err = sock_has_perm(sk, perm);
5571 out:
5572 return err;
5573 }
5574
5575 #ifdef CONFIG_NETFILTER
5576
5577 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5578 const struct net_device *indev,
5579 u16 family)
5580 {
5581 int err;
5582 char *addrp;
5583 u32 peer_sid;
5584 struct common_audit_data ad;
5585 struct lsm_network_audit net = {0,};
5586 u8 secmark_active;
5587 u8 netlbl_active;
5588 u8 peerlbl_active;
5589
5590 if (!selinux_policycap_netpeer())
5591 return NF_ACCEPT;
5592
5593 secmark_active = selinux_secmark_enabled();
5594 netlbl_active = netlbl_enabled();
5595 peerlbl_active = selinux_peerlbl_enabled();
5596 if (!secmark_active && !peerlbl_active)
5597 return NF_ACCEPT;
5598
5599 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5600 return NF_DROP;
5601
5602 ad.type = LSM_AUDIT_DATA_NET;
5603 ad.u.net = &net;
5604 ad.u.net->netif = indev->ifindex;
5605 ad.u.net->family = family;
5606 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5607 return NF_DROP;
5608
5609 if (peerlbl_active) {
5610 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5611 addrp, family, peer_sid, &ad);
5612 if (err) {
5613 selinux_netlbl_err(skb, family, err, 1);
5614 return NF_DROP;
5615 }
5616 }
5617
5618 if (secmark_active)
5619 if (avc_has_perm(&selinux_state,
5620 peer_sid, skb->secmark,
5621 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5622 return NF_DROP;
5623
5624 if (netlbl_active)
5625 /* we do this in the FORWARD path and not the POST_ROUTING
5626 * path because we want to make sure we apply the necessary
5627 * labeling before IPsec is applied so we can leverage AH
5628 * protection */
5629 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5630 return NF_DROP;
5631
5632 return NF_ACCEPT;
5633 }
5634
5635 static unsigned int selinux_ipv4_forward(void *priv,
5636 struct sk_buff *skb,
5637 const struct nf_hook_state *state)
5638 {
5639 return selinux_ip_forward(skb, state->in, PF_INET);
5640 }
5641
5642 #if IS_ENABLED(CONFIG_IPV6)
5643 static unsigned int selinux_ipv6_forward(void *priv,
5644 struct sk_buff *skb,
5645 const struct nf_hook_state *state)
5646 {
5647 return selinux_ip_forward(skb, state->in, PF_INET6);
5648 }
5649 #endif /* IPV6 */
5650
5651 static unsigned int selinux_ip_output(struct sk_buff *skb,
5652 u16 family)
5653 {
5654 struct sock *sk;
5655 u32 sid;
5656
5657 if (!netlbl_enabled())
5658 return NF_ACCEPT;
5659
5660 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5661 * because we want to make sure we apply the necessary labeling
5662 * before IPsec is applied so we can leverage AH protection */
5663 sk = skb->sk;
5664 if (sk) {
5665 struct sk_security_struct *sksec;
5666
5667 if (sk_listener(sk))
5668 /* if the socket is the listening state then this
5669 * packet is a SYN-ACK packet which means it needs to
5670 * be labeled based on the connection/request_sock and
5671 * not the parent socket. unfortunately, we can't
5672 * lookup the request_sock yet as it isn't queued on
5673 * the parent socket until after the SYN-ACK is sent.
5674 * the "solution" is to simply pass the packet as-is
5675 * as any IP option based labeling should be copied
5676 * from the initial connection request (in the IP
5677 * layer). it is far from ideal, but until we get a
5678 * security label in the packet itself this is the
5679 * best we can do. */
5680 return NF_ACCEPT;
5681
5682 /* standard practice, label using the parent socket */
5683 sksec = sk->sk_security;
5684 sid = sksec->sid;
5685 } else
5686 sid = SECINITSID_KERNEL;
5687 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5688 return NF_DROP;
5689
5690 return NF_ACCEPT;
5691 }
5692
5693 static unsigned int selinux_ipv4_output(void *priv,
5694 struct sk_buff *skb,
5695 const struct nf_hook_state *state)
5696 {
5697 return selinux_ip_output(skb, PF_INET);
5698 }
5699
5700 #if IS_ENABLED(CONFIG_IPV6)
5701 static unsigned int selinux_ipv6_output(void *priv,
5702 struct sk_buff *skb,
5703 const struct nf_hook_state *state)
5704 {
5705 return selinux_ip_output(skb, PF_INET6);
5706 }
5707 #endif /* IPV6 */
5708
5709 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5710 int ifindex,
5711 u16 family)
5712 {
5713 struct sock *sk = skb_to_full_sk(skb);
5714 struct sk_security_struct *sksec;
5715 struct common_audit_data ad;
5716 struct lsm_network_audit net = {0,};
5717 char *addrp;
5718 u8 proto;
5719
5720 if (sk == NULL)
5721 return NF_ACCEPT;
5722 sksec = sk->sk_security;
5723
5724 ad.type = LSM_AUDIT_DATA_NET;
5725 ad.u.net = &net;
5726 ad.u.net->netif = ifindex;
5727 ad.u.net->family = family;
5728 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5729 return NF_DROP;
5730
5731 if (selinux_secmark_enabled())
5732 if (avc_has_perm(&selinux_state,
5733 sksec->sid, skb->secmark,
5734 SECCLASS_PACKET, PACKET__SEND, &ad))
5735 return NF_DROP_ERR(-ECONNREFUSED);
5736
5737 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5738 return NF_DROP_ERR(-ECONNREFUSED);
5739
5740 return NF_ACCEPT;
5741 }
5742
5743 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5744 const struct net_device *outdev,
5745 u16 family)
5746 {
5747 u32 secmark_perm;
5748 u32 peer_sid;
5749 int ifindex = outdev->ifindex;
5750 struct sock *sk;
5751 struct common_audit_data ad;
5752 struct lsm_network_audit net = {0,};
5753 char *addrp;
5754 u8 secmark_active;
5755 u8 peerlbl_active;
5756
5757 /* If any sort of compatibility mode is enabled then handoff processing
5758 * to the selinux_ip_postroute_compat() function to deal with the
5759 * special handling. We do this in an attempt to keep this function
5760 * as fast and as clean as possible. */
5761 if (!selinux_policycap_netpeer())
5762 return selinux_ip_postroute_compat(skb, ifindex, family);
5763
5764 secmark_active = selinux_secmark_enabled();
5765 peerlbl_active = selinux_peerlbl_enabled();
5766 if (!secmark_active && !peerlbl_active)
5767 return NF_ACCEPT;
5768
5769 sk = skb_to_full_sk(skb);
5770
5771 #ifdef CONFIG_XFRM
5772 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5773 * packet transformation so allow the packet to pass without any checks
5774 * since we'll have another chance to perform access control checks
5775 * when the packet is on it's final way out.
5776 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5777 * is NULL, in this case go ahead and apply access control.
5778 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5779 * TCP listening state we cannot wait until the XFRM processing
5780 * is done as we will miss out on the SA label if we do;
5781 * unfortunately, this means more work, but it is only once per
5782 * connection. */
5783 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5784 !(sk && sk_listener(sk)))
5785 return NF_ACCEPT;
5786 #endif
5787
5788 if (sk == NULL) {
5789 /* Without an associated socket the packet is either coming
5790 * from the kernel or it is being forwarded; check the packet
5791 * to determine which and if the packet is being forwarded
5792 * query the packet directly to determine the security label. */
5793 if (skb->skb_iif) {
5794 secmark_perm = PACKET__FORWARD_OUT;
5795 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5796 return NF_DROP;
5797 } else {
5798 secmark_perm = PACKET__SEND;
5799 peer_sid = SECINITSID_KERNEL;
5800 }
5801 } else if (sk_listener(sk)) {
5802 /* Locally generated packet but the associated socket is in the
5803 * listening state which means this is a SYN-ACK packet. In
5804 * this particular case the correct security label is assigned
5805 * to the connection/request_sock but unfortunately we can't
5806 * query the request_sock as it isn't queued on the parent
5807 * socket until after the SYN-ACK packet is sent; the only
5808 * viable choice is to regenerate the label like we do in
5809 * selinux_inet_conn_request(). See also selinux_ip_output()
5810 * for similar problems. */
5811 u32 skb_sid;
5812 struct sk_security_struct *sksec;
5813
5814 sksec = sk->sk_security;
5815 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5816 return NF_DROP;
5817 /* At this point, if the returned skb peerlbl is SECSID_NULL
5818 * and the packet has been through at least one XFRM
5819 * transformation then we must be dealing with the "final"
5820 * form of labeled IPsec packet; since we've already applied
5821 * all of our access controls on this packet we can safely
5822 * pass the packet. */
5823 if (skb_sid == SECSID_NULL) {
5824 switch (family) {
5825 case PF_INET:
5826 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5827 return NF_ACCEPT;
5828 break;
5829 case PF_INET6:
5830 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5831 return NF_ACCEPT;
5832 break;
5833 default:
5834 return NF_DROP_ERR(-ECONNREFUSED);
5835 }
5836 }
5837 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5838 return NF_DROP;
5839 secmark_perm = PACKET__SEND;
5840 } else {
5841 /* Locally generated packet, fetch the security label from the
5842 * associated socket. */
5843 struct sk_security_struct *sksec = sk->sk_security;
5844 peer_sid = sksec->sid;
5845 secmark_perm = PACKET__SEND;
5846 }
5847
5848 ad.type = LSM_AUDIT_DATA_NET;
5849 ad.u.net = &net;
5850 ad.u.net->netif = ifindex;
5851 ad.u.net->family = family;
5852 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5853 return NF_DROP;
5854
5855 if (secmark_active)
5856 if (avc_has_perm(&selinux_state,
5857 peer_sid, skb->secmark,
5858 SECCLASS_PACKET, secmark_perm, &ad))
5859 return NF_DROP_ERR(-ECONNREFUSED);
5860
5861 if (peerlbl_active) {
5862 u32 if_sid;
5863 u32 node_sid;
5864
5865 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5866 return NF_DROP;
5867 if (avc_has_perm(&selinux_state,
5868 peer_sid, if_sid,
5869 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5870 return NF_DROP_ERR(-ECONNREFUSED);
5871
5872 if (sel_netnode_sid(addrp, family, &node_sid))
5873 return NF_DROP;
5874 if (avc_has_perm(&selinux_state,
5875 peer_sid, node_sid,
5876 SECCLASS_NODE, NODE__SENDTO, &ad))
5877 return NF_DROP_ERR(-ECONNREFUSED);
5878 }
5879
5880 return NF_ACCEPT;
5881 }
5882
5883 static unsigned int selinux_ipv4_postroute(void *priv,
5884 struct sk_buff *skb,
5885 const struct nf_hook_state *state)
5886 {
5887 return selinux_ip_postroute(skb, state->out, PF_INET);
5888 }
5889
5890 #if IS_ENABLED(CONFIG_IPV6)
5891 static unsigned int selinux_ipv6_postroute(void *priv,
5892 struct sk_buff *skb,
5893 const struct nf_hook_state *state)
5894 {
5895 return selinux_ip_postroute(skb, state->out, PF_INET6);
5896 }
5897 #endif /* IPV6 */
5898
5899 #endif /* CONFIG_NETFILTER */
5900
5901 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5902 {
5903 return selinux_nlmsg_perm(sk, skb);
5904 }
5905
5906 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5907 u16 sclass)
5908 {
5909 struct ipc_security_struct *isec;
5910
5911 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5912 if (!isec)
5913 return -ENOMEM;
5914
5915 isec->sclass = sclass;
5916 isec->sid = current_sid();
5917 perm->security = isec;
5918
5919 return 0;
5920 }
5921
5922 static void ipc_free_security(struct kern_ipc_perm *perm)
5923 {
5924 struct ipc_security_struct *isec = perm->security;
5925 perm->security = NULL;
5926 kfree(isec);
5927 }
5928
5929 static int msg_msg_alloc_security(struct msg_msg *msg)
5930 {
5931 struct msg_security_struct *msec;
5932
5933 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5934 if (!msec)
5935 return -ENOMEM;
5936
5937 msec->sid = SECINITSID_UNLABELED;
5938 msg->security = msec;
5939
5940 return 0;
5941 }
5942
5943 static void msg_msg_free_security(struct msg_msg *msg)
5944 {
5945 struct msg_security_struct *msec = msg->security;
5946
5947 msg->security = NULL;
5948 kfree(msec);
5949 }
5950
5951 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5952 u32 perms)
5953 {
5954 struct ipc_security_struct *isec;
5955 struct common_audit_data ad;
5956 u32 sid = current_sid();
5957
5958 isec = ipc_perms->security;
5959
5960 ad.type = LSM_AUDIT_DATA_IPC;
5961 ad.u.ipc_id = ipc_perms->key;
5962
5963 return avc_has_perm(&selinux_state,
5964 sid, isec->sid, isec->sclass, perms, &ad);
5965 }
5966
5967 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5968 {
5969 return msg_msg_alloc_security(msg);
5970 }
5971
5972 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5973 {
5974 msg_msg_free_security(msg);
5975 }
5976
5977 /* message queue security operations */
5978 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5979 {
5980 struct ipc_security_struct *isec;
5981 struct common_audit_data ad;
5982 u32 sid = current_sid();
5983 int rc;
5984
5985 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
5986 if (rc)
5987 return rc;
5988
5989 isec = msq->security;
5990
5991 ad.type = LSM_AUDIT_DATA_IPC;
5992 ad.u.ipc_id = msq->key;
5993
5994 rc = avc_has_perm(&selinux_state,
5995 sid, isec->sid, SECCLASS_MSGQ,
5996 MSGQ__CREATE, &ad);
5997 if (rc) {
5998 ipc_free_security(msq);
5999 return rc;
6000 }
6001 return 0;
6002 }
6003
6004 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6005 {
6006 ipc_free_security(msq);
6007 }
6008
6009 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6010 {
6011 struct ipc_security_struct *isec;
6012 struct common_audit_data ad;
6013 u32 sid = current_sid();
6014
6015 isec = msq->security;
6016
6017 ad.type = LSM_AUDIT_DATA_IPC;
6018 ad.u.ipc_id = msq->key;
6019
6020 return avc_has_perm(&selinux_state,
6021 sid, isec->sid, SECCLASS_MSGQ,
6022 MSGQ__ASSOCIATE, &ad);
6023 }
6024
6025 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6026 {
6027 int err;
6028 int perms;
6029
6030 switch (cmd) {
6031 case IPC_INFO:
6032 case MSG_INFO:
6033 /* No specific object, just general system-wide information. */
6034 return avc_has_perm(&selinux_state,
6035 current_sid(), SECINITSID_KERNEL,
6036 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6037 case IPC_STAT:
6038 case MSG_STAT:
6039 case MSG_STAT_ANY:
6040 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6041 break;
6042 case IPC_SET:
6043 perms = MSGQ__SETATTR;
6044 break;
6045 case IPC_RMID:
6046 perms = MSGQ__DESTROY;
6047 break;
6048 default:
6049 return 0;
6050 }
6051
6052 err = ipc_has_perm(msq, perms);
6053 return err;
6054 }
6055
6056 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6057 {
6058 struct ipc_security_struct *isec;
6059 struct msg_security_struct *msec;
6060 struct common_audit_data ad;
6061 u32 sid = current_sid();
6062 int rc;
6063
6064 isec = msq->security;
6065 msec = msg->security;
6066
6067 /*
6068 * First time through, need to assign label to the message
6069 */
6070 if (msec->sid == SECINITSID_UNLABELED) {
6071 /*
6072 * Compute new sid based on current process and
6073 * message queue this message will be stored in
6074 */
6075 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6076 SECCLASS_MSG, NULL, &msec->sid);
6077 if (rc)
6078 return rc;
6079 }
6080
6081 ad.type = LSM_AUDIT_DATA_IPC;
6082 ad.u.ipc_id = msq->key;
6083
6084 /* Can this process write to the queue? */
6085 rc = avc_has_perm(&selinux_state,
6086 sid, isec->sid, SECCLASS_MSGQ,
6087 MSGQ__WRITE, &ad);
6088 if (!rc)
6089 /* Can this process send the message */
6090 rc = avc_has_perm(&selinux_state,
6091 sid, msec->sid, SECCLASS_MSG,
6092 MSG__SEND, &ad);
6093 if (!rc)
6094 /* Can the message be put in the queue? */
6095 rc = avc_has_perm(&selinux_state,
6096 msec->sid, isec->sid, SECCLASS_MSGQ,
6097 MSGQ__ENQUEUE, &ad);
6098
6099 return rc;
6100 }
6101
6102 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6103 struct task_struct *target,
6104 long type, int mode)
6105 {
6106 struct ipc_security_struct *isec;
6107 struct msg_security_struct *msec;
6108 struct common_audit_data ad;
6109 u32 sid = task_sid(target);
6110 int rc;
6111
6112 isec = msq->security;
6113 msec = msg->security;
6114
6115 ad.type = LSM_AUDIT_DATA_IPC;
6116 ad.u.ipc_id = msq->key;
6117
6118 rc = avc_has_perm(&selinux_state,
6119 sid, isec->sid,
6120 SECCLASS_MSGQ, MSGQ__READ, &ad);
6121 if (!rc)
6122 rc = avc_has_perm(&selinux_state,
6123 sid, msec->sid,
6124 SECCLASS_MSG, MSG__RECEIVE, &ad);
6125 return rc;
6126 }
6127
6128 /* Shared Memory security operations */
6129 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6130 {
6131 struct ipc_security_struct *isec;
6132 struct common_audit_data ad;
6133 u32 sid = current_sid();
6134 int rc;
6135
6136 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6137 if (rc)
6138 return rc;
6139
6140 isec = shp->security;
6141
6142 ad.type = LSM_AUDIT_DATA_IPC;
6143 ad.u.ipc_id = shp->key;
6144
6145 rc = avc_has_perm(&selinux_state,
6146 sid, isec->sid, SECCLASS_SHM,
6147 SHM__CREATE, &ad);
6148 if (rc) {
6149 ipc_free_security(shp);
6150 return rc;
6151 }
6152 return 0;
6153 }
6154
6155 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6156 {
6157 ipc_free_security(shp);
6158 }
6159
6160 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6161 {
6162 struct ipc_security_struct *isec;
6163 struct common_audit_data ad;
6164 u32 sid = current_sid();
6165
6166 isec = shp->security;
6167
6168 ad.type = LSM_AUDIT_DATA_IPC;
6169 ad.u.ipc_id = shp->key;
6170
6171 return avc_has_perm(&selinux_state,
6172 sid, isec->sid, SECCLASS_SHM,
6173 SHM__ASSOCIATE, &ad);
6174 }
6175
6176 /* Note, at this point, shp is locked down */
6177 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6178 {
6179 int perms;
6180 int err;
6181
6182 switch (cmd) {
6183 case IPC_INFO:
6184 case SHM_INFO:
6185 /* No specific object, just general system-wide information. */
6186 return avc_has_perm(&selinux_state,
6187 current_sid(), SECINITSID_KERNEL,
6188 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6189 case IPC_STAT:
6190 case SHM_STAT:
6191 case SHM_STAT_ANY:
6192 perms = SHM__GETATTR | SHM__ASSOCIATE;
6193 break;
6194 case IPC_SET:
6195 perms = SHM__SETATTR;
6196 break;
6197 case SHM_LOCK:
6198 case SHM_UNLOCK:
6199 perms = SHM__LOCK;
6200 break;
6201 case IPC_RMID:
6202 perms = SHM__DESTROY;
6203 break;
6204 default:
6205 return 0;
6206 }
6207
6208 err = ipc_has_perm(shp, perms);
6209 return err;
6210 }
6211
6212 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6213 char __user *shmaddr, int shmflg)
6214 {
6215 u32 perms;
6216
6217 if (shmflg & SHM_RDONLY)
6218 perms = SHM__READ;
6219 else
6220 perms = SHM__READ | SHM__WRITE;
6221
6222 return ipc_has_perm(shp, perms);
6223 }
6224
6225 /* Semaphore security operations */
6226 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6227 {
6228 struct ipc_security_struct *isec;
6229 struct common_audit_data ad;
6230 u32 sid = current_sid();
6231 int rc;
6232
6233 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6234 if (rc)
6235 return rc;
6236
6237 isec = sma->security;
6238
6239 ad.type = LSM_AUDIT_DATA_IPC;
6240 ad.u.ipc_id = sma->key;
6241
6242 rc = avc_has_perm(&selinux_state,
6243 sid, isec->sid, SECCLASS_SEM,
6244 SEM__CREATE, &ad);
6245 if (rc) {
6246 ipc_free_security(sma);
6247 return rc;
6248 }
6249 return 0;
6250 }
6251
6252 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6253 {
6254 ipc_free_security(sma);
6255 }
6256
6257 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6258 {
6259 struct ipc_security_struct *isec;
6260 struct common_audit_data ad;
6261 u32 sid = current_sid();
6262
6263 isec = sma->security;
6264
6265 ad.type = LSM_AUDIT_DATA_IPC;
6266 ad.u.ipc_id = sma->key;
6267
6268 return avc_has_perm(&selinux_state,
6269 sid, isec->sid, SECCLASS_SEM,
6270 SEM__ASSOCIATE, &ad);
6271 }
6272
6273 /* Note, at this point, sma is locked down */
6274 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6275 {
6276 int err;
6277 u32 perms;
6278
6279 switch (cmd) {
6280 case IPC_INFO:
6281 case SEM_INFO:
6282 /* No specific object, just general system-wide information. */
6283 return avc_has_perm(&selinux_state,
6284 current_sid(), SECINITSID_KERNEL,
6285 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6286 case GETPID:
6287 case GETNCNT:
6288 case GETZCNT:
6289 perms = SEM__GETATTR;
6290 break;
6291 case GETVAL:
6292 case GETALL:
6293 perms = SEM__READ;
6294 break;
6295 case SETVAL:
6296 case SETALL:
6297 perms = SEM__WRITE;
6298 break;
6299 case IPC_RMID:
6300 perms = SEM__DESTROY;
6301 break;
6302 case IPC_SET:
6303 perms = SEM__SETATTR;
6304 break;
6305 case IPC_STAT:
6306 case SEM_STAT:
6307 case SEM_STAT_ANY:
6308 perms = SEM__GETATTR | SEM__ASSOCIATE;
6309 break;
6310 default:
6311 return 0;
6312 }
6313
6314 err = ipc_has_perm(sma, perms);
6315 return err;
6316 }
6317
6318 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6319 struct sembuf *sops, unsigned nsops, int alter)
6320 {
6321 u32 perms;
6322
6323 if (alter)
6324 perms = SEM__READ | SEM__WRITE;
6325 else
6326 perms = SEM__READ;
6327
6328 return ipc_has_perm(sma, perms);
6329 }
6330
6331 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6332 {
6333 u32 av = 0;
6334
6335 av = 0;
6336 if (flag & S_IRUGO)
6337 av |= IPC__UNIX_READ;
6338 if (flag & S_IWUGO)
6339 av |= IPC__UNIX_WRITE;
6340
6341 if (av == 0)
6342 return 0;
6343
6344 return ipc_has_perm(ipcp, av);
6345 }
6346
6347 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6348 {
6349 struct ipc_security_struct *isec = ipcp->security;
6350 *secid = isec->sid;
6351 }
6352
6353 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6354 {
6355 if (inode)
6356 inode_doinit_with_dentry(inode, dentry);
6357 }
6358
6359 static int selinux_getprocattr(struct task_struct *p,
6360 char *name, char **value)
6361 {
6362 const struct task_security_struct *__tsec;
6363 u32 sid;
6364 int error;
6365 unsigned len;
6366
6367 rcu_read_lock();
6368 __tsec = __task_cred(p)->security;
6369
6370 if (current != p) {
6371 error = avc_has_perm(&selinux_state,
6372 current_sid(), __tsec->sid,
6373 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6374 if (error)
6375 goto bad;
6376 }
6377
6378 if (!strcmp(name, "current"))
6379 sid = __tsec->sid;
6380 else if (!strcmp(name, "prev"))
6381 sid = __tsec->osid;
6382 else if (!strcmp(name, "exec"))
6383 sid = __tsec->exec_sid;
6384 else if (!strcmp(name, "fscreate"))
6385 sid = __tsec->create_sid;
6386 else if (!strcmp(name, "keycreate"))
6387 sid = __tsec->keycreate_sid;
6388 else if (!strcmp(name, "sockcreate"))
6389 sid = __tsec->sockcreate_sid;
6390 else {
6391 error = -EINVAL;
6392 goto bad;
6393 }
6394 rcu_read_unlock();
6395
6396 if (!sid)
6397 return 0;
6398
6399 error = security_sid_to_context(&selinux_state, sid, value, &len);
6400 if (error)
6401 return error;
6402 return len;
6403
6404 bad:
6405 rcu_read_unlock();
6406 return error;
6407 }
6408
6409 static int selinux_setprocattr(const char *name, void *value, size_t size)
6410 {
6411 struct task_security_struct *tsec;
6412 struct cred *new;
6413 u32 mysid = current_sid(), sid = 0, ptsid;
6414 int error;
6415 char *str = value;
6416
6417 /*
6418 * Basic control over ability to set these attributes at all.
6419 */
6420 if (!strcmp(name, "exec"))
6421 error = avc_has_perm(&selinux_state,
6422 mysid, mysid, SECCLASS_PROCESS,
6423 PROCESS__SETEXEC, NULL);
6424 else if (!strcmp(name, "fscreate"))
6425 error = avc_has_perm(&selinux_state,
6426 mysid, mysid, SECCLASS_PROCESS,
6427 PROCESS__SETFSCREATE, NULL);
6428 else if (!strcmp(name, "keycreate"))
6429 error = avc_has_perm(&selinux_state,
6430 mysid, mysid, SECCLASS_PROCESS,
6431 PROCESS__SETKEYCREATE, NULL);
6432 else if (!strcmp(name, "sockcreate"))
6433 error = avc_has_perm(&selinux_state,
6434 mysid, mysid, SECCLASS_PROCESS,
6435 PROCESS__SETSOCKCREATE, NULL);
6436 else if (!strcmp(name, "current"))
6437 error = avc_has_perm(&selinux_state,
6438 mysid, mysid, SECCLASS_PROCESS,
6439 PROCESS__SETCURRENT, NULL);
6440 else
6441 error = -EINVAL;
6442 if (error)
6443 return error;
6444
6445 /* Obtain a SID for the context, if one was specified. */
6446 if (size && str[0] && str[0] != '\n') {
6447 if (str[size-1] == '\n') {
6448 str[size-1] = 0;
6449 size--;
6450 }
6451 error = security_context_to_sid(&selinux_state, value, size,
6452 &sid, GFP_KERNEL);
6453 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6454 if (!has_cap_mac_admin(true)) {
6455 struct audit_buffer *ab;
6456 size_t audit_size;
6457
6458 /* We strip a nul only if it is at the end, otherwise the
6459 * context contains a nul and we should audit that */
6460 if (str[size - 1] == '\0')
6461 audit_size = size - 1;
6462 else
6463 audit_size = size;
6464 ab = audit_log_start(audit_context(),
6465 GFP_ATOMIC,
6466 AUDIT_SELINUX_ERR);
6467 audit_log_format(ab, "op=fscreate invalid_context=");
6468 audit_log_n_untrustedstring(ab, value, audit_size);
6469 audit_log_end(ab);
6470
6471 return error;
6472 }
6473 error = security_context_to_sid_force(
6474 &selinux_state,
6475 value, size, &sid);
6476 }
6477 if (error)
6478 return error;
6479 }
6480
6481 new = prepare_creds();
6482 if (!new)
6483 return -ENOMEM;
6484
6485 /* Permission checking based on the specified context is
6486 performed during the actual operation (execve,
6487 open/mkdir/...), when we know the full context of the
6488 operation. See selinux_bprm_set_creds for the execve
6489 checks and may_create for the file creation checks. The
6490 operation will then fail if the context is not permitted. */
6491 tsec = new->security;
6492 if (!strcmp(name, "exec")) {
6493 tsec->exec_sid = sid;
6494 } else if (!strcmp(name, "fscreate")) {
6495 tsec->create_sid = sid;
6496 } else if (!strcmp(name, "keycreate")) {
6497 error = avc_has_perm(&selinux_state,
6498 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6499 NULL);
6500 if (error)
6501 goto abort_change;
6502 tsec->keycreate_sid = sid;
6503 } else if (!strcmp(name, "sockcreate")) {
6504 tsec->sockcreate_sid = sid;
6505 } else if (!strcmp(name, "current")) {
6506 error = -EINVAL;
6507 if (sid == 0)
6508 goto abort_change;
6509
6510 /* Only allow single threaded processes to change context */
6511 error = -EPERM;
6512 if (!current_is_single_threaded()) {
6513 error = security_bounded_transition(&selinux_state,
6514 tsec->sid, sid);
6515 if (error)
6516 goto abort_change;
6517 }
6518
6519 /* Check permissions for the transition. */
6520 error = avc_has_perm(&selinux_state,
6521 tsec->sid, sid, SECCLASS_PROCESS,
6522 PROCESS__DYNTRANSITION, NULL);
6523 if (error)
6524 goto abort_change;
6525
6526 /* Check for ptracing, and update the task SID if ok.
6527 Otherwise, leave SID unchanged and fail. */
6528 ptsid = ptrace_parent_sid();
6529 if (ptsid != 0) {
6530 error = avc_has_perm(&selinux_state,
6531 ptsid, sid, SECCLASS_PROCESS,
6532 PROCESS__PTRACE, NULL);
6533 if (error)
6534 goto abort_change;
6535 }
6536
6537 tsec->sid = sid;
6538 } else {
6539 error = -EINVAL;
6540 goto abort_change;
6541 }
6542
6543 commit_creds(new);
6544 return size;
6545
6546 abort_change:
6547 abort_creds(new);
6548 return error;
6549 }
6550
6551 static int selinux_ismaclabel(const char *name)
6552 {
6553 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6554 }
6555
6556 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6557 {
6558 return security_sid_to_context(&selinux_state, secid,
6559 secdata, seclen);
6560 }
6561
6562 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6563 {
6564 return security_context_to_sid(&selinux_state, secdata, seclen,
6565 secid, GFP_KERNEL);
6566 }
6567
6568 static void selinux_release_secctx(char *secdata, u32 seclen)
6569 {
6570 kfree(secdata);
6571 }
6572
6573 static void selinux_inode_invalidate_secctx(struct inode *inode)
6574 {
6575 struct inode_security_struct *isec = inode->i_security;
6576
6577 spin_lock(&isec->lock);
6578 isec->initialized = LABEL_INVALID;
6579 spin_unlock(&isec->lock);
6580 }
6581
6582 /*
6583 * called with inode->i_mutex locked
6584 */
6585 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6586 {
6587 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6588 }
6589
6590 /*
6591 * called with inode->i_mutex locked
6592 */
6593 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6594 {
6595 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6596 }
6597
6598 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6599 {
6600 int len = 0;
6601 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6602 ctx, true);
6603 if (len < 0)
6604 return len;
6605 *ctxlen = len;
6606 return 0;
6607 }
6608 #ifdef CONFIG_KEYS
6609
6610 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6611 unsigned long flags)
6612 {
6613 const struct task_security_struct *tsec;
6614 struct key_security_struct *ksec;
6615
6616 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6617 if (!ksec)
6618 return -ENOMEM;
6619
6620 tsec = cred->security;
6621 if (tsec->keycreate_sid)
6622 ksec->sid = tsec->keycreate_sid;
6623 else
6624 ksec->sid = tsec->sid;
6625
6626 k->security = ksec;
6627 return 0;
6628 }
6629
6630 static void selinux_key_free(struct key *k)
6631 {
6632 struct key_security_struct *ksec = k->security;
6633
6634 k->security = NULL;
6635 kfree(ksec);
6636 }
6637
6638 static int selinux_key_permission(key_ref_t key_ref,
6639 const struct cred *cred,
6640 unsigned perm)
6641 {
6642 struct key *key;
6643 struct key_security_struct *ksec;
6644 u32 sid;
6645
6646 /* if no specific permissions are requested, we skip the
6647 permission check. No serious, additional covert channels
6648 appear to be created. */
6649 if (perm == 0)
6650 return 0;
6651
6652 sid = cred_sid(cred);
6653
6654 key = key_ref_to_ptr(key_ref);
6655 ksec = key->security;
6656
6657 return avc_has_perm(&selinux_state,
6658 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6659 }
6660
6661 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6662 {
6663 struct key_security_struct *ksec = key->security;
6664 char *context = NULL;
6665 unsigned len;
6666 int rc;
6667
6668 rc = security_sid_to_context(&selinux_state, ksec->sid,
6669 &context, &len);
6670 if (!rc)
6671 rc = len;
6672 *_buffer = context;
6673 return rc;
6674 }
6675 #endif
6676
6677 #ifdef CONFIG_SECURITY_INFINIBAND
6678 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6679 {
6680 struct common_audit_data ad;
6681 int err;
6682 u32 sid = 0;
6683 struct ib_security_struct *sec = ib_sec;
6684 struct lsm_ibpkey_audit ibpkey;
6685
6686 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6687 if (err)
6688 return err;
6689
6690 ad.type = LSM_AUDIT_DATA_IBPKEY;
6691 ibpkey.subnet_prefix = subnet_prefix;
6692 ibpkey.pkey = pkey_val;
6693 ad.u.ibpkey = &ibpkey;
6694 return avc_has_perm(&selinux_state,
6695 sec->sid, sid,
6696 SECCLASS_INFINIBAND_PKEY,
6697 INFINIBAND_PKEY__ACCESS, &ad);
6698 }
6699
6700 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6701 u8 port_num)
6702 {
6703 struct common_audit_data ad;
6704 int err;
6705 u32 sid = 0;
6706 struct ib_security_struct *sec = ib_sec;
6707 struct lsm_ibendport_audit ibendport;
6708
6709 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6710 &sid);
6711
6712 if (err)
6713 return err;
6714
6715 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6716 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6717 ibendport.port = port_num;
6718 ad.u.ibendport = &ibendport;
6719 return avc_has_perm(&selinux_state,
6720 sec->sid, sid,
6721 SECCLASS_INFINIBAND_ENDPORT,
6722 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6723 }
6724
6725 static int selinux_ib_alloc_security(void **ib_sec)
6726 {
6727 struct ib_security_struct *sec;
6728
6729 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6730 if (!sec)
6731 return -ENOMEM;
6732 sec->sid = current_sid();
6733
6734 *ib_sec = sec;
6735 return 0;
6736 }
6737
6738 static void selinux_ib_free_security(void *ib_sec)
6739 {
6740 kfree(ib_sec);
6741 }
6742 #endif
6743
6744 #ifdef CONFIG_BPF_SYSCALL
6745 static int selinux_bpf(int cmd, union bpf_attr *attr,
6746 unsigned int size)
6747 {
6748 u32 sid = current_sid();
6749 int ret;
6750
6751 switch (cmd) {
6752 case BPF_MAP_CREATE:
6753 ret = avc_has_perm(&selinux_state,
6754 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6755 NULL);
6756 break;
6757 case BPF_PROG_LOAD:
6758 ret = avc_has_perm(&selinux_state,
6759 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6760 NULL);
6761 break;
6762 default:
6763 ret = 0;
6764 break;
6765 }
6766
6767 return ret;
6768 }
6769
6770 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6771 {
6772 u32 av = 0;
6773
6774 if (fmode & FMODE_READ)
6775 av |= BPF__MAP_READ;
6776 if (fmode & FMODE_WRITE)
6777 av |= BPF__MAP_WRITE;
6778 return av;
6779 }
6780
6781 /* This function will check the file pass through unix socket or binder to see
6782 * if it is a bpf related object. And apply correspinding checks on the bpf
6783 * object based on the type. The bpf maps and programs, not like other files and
6784 * socket, are using a shared anonymous inode inside the kernel as their inode.
6785 * So checking that inode cannot identify if the process have privilege to
6786 * access the bpf object and that's why we have to add this additional check in
6787 * selinux_file_receive and selinux_binder_transfer_files.
6788 */
6789 static int bpf_fd_pass(struct file *file, u32 sid)
6790 {
6791 struct bpf_security_struct *bpfsec;
6792 struct bpf_prog *prog;
6793 struct bpf_map *map;
6794 int ret;
6795
6796 if (file->f_op == &bpf_map_fops) {
6797 map = file->private_data;
6798 bpfsec = map->security;
6799 ret = avc_has_perm(&selinux_state,
6800 sid, bpfsec->sid, SECCLASS_BPF,
6801 bpf_map_fmode_to_av(file->f_mode), NULL);
6802 if (ret)
6803 return ret;
6804 } else if (file->f_op == &bpf_prog_fops) {
6805 prog = file->private_data;
6806 bpfsec = prog->aux->security;
6807 ret = avc_has_perm(&selinux_state,
6808 sid, bpfsec->sid, SECCLASS_BPF,
6809 BPF__PROG_RUN, NULL);
6810 if (ret)
6811 return ret;
6812 }
6813 return 0;
6814 }
6815
6816 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6817 {
6818 u32 sid = current_sid();
6819 struct bpf_security_struct *bpfsec;
6820
6821 bpfsec = map->security;
6822 return avc_has_perm(&selinux_state,
6823 sid, bpfsec->sid, SECCLASS_BPF,
6824 bpf_map_fmode_to_av(fmode), NULL);
6825 }
6826
6827 static int selinux_bpf_prog(struct bpf_prog *prog)
6828 {
6829 u32 sid = current_sid();
6830 struct bpf_security_struct *bpfsec;
6831
6832 bpfsec = prog->aux->security;
6833 return avc_has_perm(&selinux_state,
6834 sid, bpfsec->sid, SECCLASS_BPF,
6835 BPF__PROG_RUN, NULL);
6836 }
6837
6838 static int selinux_bpf_map_alloc(struct bpf_map *map)
6839 {
6840 struct bpf_security_struct *bpfsec;
6841
6842 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6843 if (!bpfsec)
6844 return -ENOMEM;
6845
6846 bpfsec->sid = current_sid();
6847 map->security = bpfsec;
6848
6849 return 0;
6850 }
6851
6852 static void selinux_bpf_map_free(struct bpf_map *map)
6853 {
6854 struct bpf_security_struct *bpfsec = map->security;
6855
6856 map->security = NULL;
6857 kfree(bpfsec);
6858 }
6859
6860 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6861 {
6862 struct bpf_security_struct *bpfsec;
6863
6864 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6865 if (!bpfsec)
6866 return -ENOMEM;
6867
6868 bpfsec->sid = current_sid();
6869 aux->security = bpfsec;
6870
6871 return 0;
6872 }
6873
6874 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6875 {
6876 struct bpf_security_struct *bpfsec = aux->security;
6877
6878 aux->security = NULL;
6879 kfree(bpfsec);
6880 }
6881 #endif
6882
6883 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6884 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6885 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6886 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6887 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6888
6889 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6890 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6891 LSM_HOOK_INIT(capget, selinux_capget),
6892 LSM_HOOK_INIT(capset, selinux_capset),
6893 LSM_HOOK_INIT(capable, selinux_capable),
6894 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6895 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6896 LSM_HOOK_INIT(syslog, selinux_syslog),
6897 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6898
6899 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6900
6901 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6902 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6903 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6904
6905 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6906 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6907 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6908 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6909 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6910 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6911 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6912 LSM_HOOK_INIT(sb_mount, selinux_mount),
6913 LSM_HOOK_INIT(sb_umount, selinux_umount),
6914 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6915 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6916 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6917
6918 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6919 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6920
6921 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6922 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6923 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6924 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6925 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6926 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6927 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6928 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6929 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6930 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6931 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6932 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6933 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6934 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6935 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6936 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6937 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6938 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6939 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6940 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6941 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6942 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6943 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6944 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6945 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6946 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6947 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6948
6949 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6950 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6951 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6952 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6953 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6954 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6955 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6956 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6957 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6958 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6959 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6960 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6961
6962 LSM_HOOK_INIT(file_open, selinux_file_open),
6963
6964 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6965 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6966 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6967 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6968 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6969 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6970 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6971 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6972 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6973 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6974 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6975 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6976 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6977 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6978 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6979 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6980 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6981 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6982 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6983 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6984 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6985 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6986 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6987 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6988
6989 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6990 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6991
6992 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6993 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6994
6995 LSM_HOOK_INIT(msg_queue_alloc_security,
6996 selinux_msg_queue_alloc_security),
6997 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6998 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6999 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7000 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7001 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7002
7003 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7004 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7005 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7006 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7007 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7008
7009 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7010 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7011 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7012 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7013 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7014
7015 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7016
7017 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7018 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7019
7020 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7021 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7022 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7023 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7024 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7025 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7026 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7027 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7028
7029 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7030 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7031
7032 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7033 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7034 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7035 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7036 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7037 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7038 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7039 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7040 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7041 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7042 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7043 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7044 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7045 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7046 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7047 LSM_HOOK_INIT(socket_getpeersec_stream,
7048 selinux_socket_getpeersec_stream),
7049 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7050 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7051 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7052 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7053 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7054 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7055 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7056 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7057 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7058 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7059 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7060 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7061 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7062 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7063 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7064 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7065 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7066 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7067 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7068 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7069 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7070 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7071 #ifdef CONFIG_SECURITY_INFINIBAND
7072 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7073 LSM_HOOK_INIT(ib_endport_manage_subnet,
7074 selinux_ib_endport_manage_subnet),
7075 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7076 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7077 #endif
7078 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7079 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7080 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7081 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7082 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7083 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7084 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7085 selinux_xfrm_state_alloc_acquire),
7086 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7087 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7088 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7089 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7090 selinux_xfrm_state_pol_flow_match),
7091 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7092 #endif
7093
7094 #ifdef CONFIG_KEYS
7095 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7096 LSM_HOOK_INIT(key_free, selinux_key_free),
7097 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7098 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7099 #endif
7100
7101 #ifdef CONFIG_AUDIT
7102 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7103 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7104 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7105 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7106 #endif
7107
7108 #ifdef CONFIG_BPF_SYSCALL
7109 LSM_HOOK_INIT(bpf, selinux_bpf),
7110 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7111 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7112 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7113 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7114 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7115 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7116 #endif
7117 };
7118
7119 static __init int selinux_init(void)
7120 {
7121 if (!security_module_enable("selinux")) {
7122 selinux_enabled = 0;
7123 return 0;
7124 }
7125
7126 if (!selinux_enabled) {
7127 printk(KERN_INFO "SELinux: Disabled at boot.\n");
7128 return 0;
7129 }
7130
7131 printk(KERN_INFO "SELinux: Initializing.\n");
7132
7133 memset(&selinux_state, 0, sizeof(selinux_state));
7134 enforcing_set(&selinux_state, selinux_enforcing_boot);
7135 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7136 selinux_ss_init(&selinux_state.ss);
7137 selinux_avc_init(&selinux_state.avc);
7138
7139 /* Set the security state for the initial task. */
7140 cred_init_security();
7141
7142 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7143
7144 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7145 sizeof(struct inode_security_struct),
7146 0, SLAB_PANIC, NULL);
7147 file_security_cache = kmem_cache_create("selinux_file_security",
7148 sizeof(struct file_security_struct),
7149 0, SLAB_PANIC, NULL);
7150 avc_init();
7151
7152 avtab_cache_init();
7153
7154 ebitmap_cache_init();
7155
7156 hashtab_cache_init();
7157
7158 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7159
7160 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7161 panic("SELinux: Unable to register AVC netcache callback\n");
7162
7163 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7164 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7165
7166 if (selinux_enforcing_boot)
7167 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
7168 else
7169 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
7170
7171 return 0;
7172 }
7173
7174 static void delayed_superblock_init(struct super_block *sb, void *unused)
7175 {
7176 superblock_doinit(sb, NULL);
7177 }
7178
7179 void selinux_complete_init(void)
7180 {
7181 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
7182
7183 /* Set up any superblocks initialized prior to the policy load. */
7184 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
7185 iterate_supers(delayed_superblock_init, NULL);
7186 }
7187
7188 /* SELinux requires early initialization in order to label
7189 all processes and objects when they are created. */
7190 security_initcall(selinux_init);
7191
7192 #if defined(CONFIG_NETFILTER)
7193
7194 static const struct nf_hook_ops selinux_nf_ops[] = {
7195 {
7196 .hook = selinux_ipv4_postroute,
7197 .pf = NFPROTO_IPV4,
7198 .hooknum = NF_INET_POST_ROUTING,
7199 .priority = NF_IP_PRI_SELINUX_LAST,
7200 },
7201 {
7202 .hook = selinux_ipv4_forward,
7203 .pf = NFPROTO_IPV4,
7204 .hooknum = NF_INET_FORWARD,
7205 .priority = NF_IP_PRI_SELINUX_FIRST,
7206 },
7207 {
7208 .hook = selinux_ipv4_output,
7209 .pf = NFPROTO_IPV4,
7210 .hooknum = NF_INET_LOCAL_OUT,
7211 .priority = NF_IP_PRI_SELINUX_FIRST,
7212 },
7213 #if IS_ENABLED(CONFIG_IPV6)
7214 {
7215 .hook = selinux_ipv6_postroute,
7216 .pf = NFPROTO_IPV6,
7217 .hooknum = NF_INET_POST_ROUTING,
7218 .priority = NF_IP6_PRI_SELINUX_LAST,
7219 },
7220 {
7221 .hook = selinux_ipv6_forward,
7222 .pf = NFPROTO_IPV6,
7223 .hooknum = NF_INET_FORWARD,
7224 .priority = NF_IP6_PRI_SELINUX_FIRST,
7225 },
7226 {
7227 .hook = selinux_ipv6_output,
7228 .pf = NFPROTO_IPV6,
7229 .hooknum = NF_INET_LOCAL_OUT,
7230 .priority = NF_IP6_PRI_SELINUX_FIRST,
7231 },
7232 #endif /* IPV6 */
7233 };
7234
7235 static int __net_init selinux_nf_register(struct net *net)
7236 {
7237 return nf_register_net_hooks(net, selinux_nf_ops,
7238 ARRAY_SIZE(selinux_nf_ops));
7239 }
7240
7241 static void __net_exit selinux_nf_unregister(struct net *net)
7242 {
7243 nf_unregister_net_hooks(net, selinux_nf_ops,
7244 ARRAY_SIZE(selinux_nf_ops));
7245 }
7246
7247 static struct pernet_operations selinux_net_ops = {
7248 .init = selinux_nf_register,
7249 .exit = selinux_nf_unregister,
7250 };
7251
7252 static int __init selinux_nf_ip_init(void)
7253 {
7254 int err;
7255
7256 if (!selinux_enabled)
7257 return 0;
7258
7259 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
7260
7261 err = register_pernet_subsys(&selinux_net_ops);
7262 if (err)
7263 panic("SELinux: register_pernet_subsys: error %d\n", err);
7264
7265 return 0;
7266 }
7267 __initcall(selinux_nf_ip_init);
7268
7269 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7270 static void selinux_nf_ip_exit(void)
7271 {
7272 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
7273
7274 unregister_pernet_subsys(&selinux_net_ops);
7275 }
7276 #endif
7277
7278 #else /* CONFIG_NETFILTER */
7279
7280 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7281 #define selinux_nf_ip_exit()
7282 #endif
7283
7284 #endif /* CONFIG_NETFILTER */
7285
7286 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7287 int selinux_disable(struct selinux_state *state)
7288 {
7289 if (state->initialized) {
7290 /* Not permitted after initial policy load. */
7291 return -EINVAL;
7292 }
7293
7294 if (state->disabled) {
7295 /* Only do this once. */
7296 return -EINVAL;
7297 }
7298
7299 state->disabled = 1;
7300
7301 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
7302
7303 selinux_enabled = 0;
7304
7305 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7306
7307 /* Try to destroy the avc node cache */
7308 avc_disable();
7309
7310 /* Unregister netfilter hooks. */
7311 selinux_nf_ip_exit();
7312
7313 /* Unregister selinuxfs. */
7314 exit_sel_fs();
7315
7316 return 0;
7317 }
7318 #endif
Ubuntu Hirsute Linux kernel mirror