2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount
= ATOMIC_INIT(0);
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing
;
107 static int __init
enforcing_setup(char *str
)
109 unsigned long enforcing
;
110 if (!kstrtoul(str
, 0, &enforcing
))
111 selinux_enforcing
= enforcing
? 1 : 0;
114 __setup("enforcing=", enforcing_setup
);
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled
= CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
;
120 static int __init
selinux_enabled_setup(char *str
)
122 unsigned long enabled
;
123 if (!kstrtoul(str
, 0, &enabled
))
124 selinux_enabled
= enabled
? 1 : 0;
127 __setup("selinux=", selinux_enabled_setup
);
129 int selinux_enabled
= 1;
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
139 * enabled, false (0) if SECMARK is disabled. If the always_check_network
140 * policy capability is enabled, SECMARK is always considered enabled.
143 static int selinux_secmark_enabled(void)
145 return (selinux_policycap_alwaysnetwork
|| atomic_read(&selinux_secmark_refcount
));
149 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
153 * (1) if any are enabled or false (0) if neither are enabled. If the
154 * always_check_network policy capability is enabled, peer labeling
155 * is always considered enabled.
158 static int selinux_peerlbl_enabled(void)
160 return (selinux_policycap_alwaysnetwork
|| netlbl_enabled() || selinux_xfrm_enabled());
163 static int selinux_netcache_avc_callback(u32 event
)
165 if (event
== AVC_CALLBACK_RESET
) {
174 static int selinux_lsm_notifier_avc_callback(u32 event
)
176 if (event
== AVC_CALLBACK_RESET
) {
178 call_lsm_notifier(LSM_POLICY_CHANGE
, NULL
);
185 * initialise the security for the init task
187 static void cred_init_security(void)
189 struct cred
*cred
= (struct cred
*) current
->real_cred
;
190 struct task_security_struct
*tsec
;
192 lsm_early_cred(cred
);
193 tsec
= selinux_cred(cred
);
194 tsec
->osid
= tsec
->sid
= SECINITSID_KERNEL
;
198 * get the security ID of a set of credentials
200 static inline u32
cred_sid(const struct cred
*cred
)
202 const struct task_security_struct
*tsec
;
204 tsec
= selinux_cred(cred
);
209 * get the objective security ID of a task
211 static inline u32
task_sid(const struct task_struct
*task
)
216 sid
= cred_sid(__task_cred(task
));
221 /* Allocate and free functions for each kind of security blob. */
223 static int inode_alloc_security(struct inode
*inode
)
225 struct inode_security_struct
*isec
= selinux_inode(inode
);
226 u32 sid
= current_sid();
228 spin_lock_init(&isec
->lock
);
229 INIT_LIST_HEAD(&isec
->list
);
231 isec
->sid
= SECINITSID_UNLABELED
;
232 isec
->sclass
= SECCLASS_FILE
;
233 isec
->task_sid
= sid
;
234 isec
->initialized
= LABEL_INVALID
;
239 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
);
242 * Try reloading inode security labels that have been marked as invalid. The
243 * @may_sleep parameter indicates when sleeping and thus reloading labels is
244 * allowed; when set to false, returns -ECHILD when the label is
245 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
246 * when no dentry is available, set it to NULL instead.
248 static int __inode_security_revalidate(struct inode
*inode
,
249 struct dentry
*opt_dentry
,
252 struct inode_security_struct
*isec
= selinux_inode(inode
);
254 might_sleep_if(may_sleep
);
256 if (ss_initialized
&& isec
->initialized
!= LABEL_INITIALIZED
) {
261 * Try reloading the inode security label. This will fail if
262 * @opt_dentry is NULL and no dentry for this inode can be
263 * found; in that case, continue using the old label.
265 inode_doinit_with_dentry(inode
, opt_dentry
);
270 static struct inode_security_struct
*inode_security_novalidate(struct inode
*inode
)
272 return selinux_inode(inode
);
275 static struct inode_security_struct
*inode_security_rcu(struct inode
*inode
, bool rcu
)
279 error
= __inode_security_revalidate(inode
, NULL
, !rcu
);
281 return ERR_PTR(error
);
282 return selinux_inode(inode
);
286 * Get the security label of an inode.
288 static struct inode_security_struct
*inode_security(struct inode
*inode
)
290 __inode_security_revalidate(inode
, NULL
, true);
291 return selinux_inode(inode
);
294 static struct inode_security_struct
*backing_inode_security_novalidate(struct dentry
*dentry
)
296 struct inode
*inode
= d_backing_inode(dentry
);
298 return selinux_inode(inode
);
302 * Get the security label of a dentry's backing inode.
304 static struct inode_security_struct
*backing_inode_security(struct dentry
*dentry
)
306 struct inode
*inode
= d_backing_inode(dentry
);
308 __inode_security_revalidate(inode
, dentry
, true);
309 return selinux_inode(inode
);
312 static void inode_free_security(struct inode
*inode
)
314 struct inode_security_struct
*isec
= selinux_inode(inode
);
315 struct superblock_security_struct
*sbsec
=
316 selinux_superblock(inode
->i_sb
);
319 * As not all inode security structures are in a list, we check for
320 * empty list outside of the lock to make sure that we won't waste
321 * time taking a lock doing nothing.
323 * The list_del_init() function can be safely called more than once.
324 * It should not be possible for this function to be called with
325 * concurrent list_add(), but for better safety against future changes
326 * in the code, we use list_empty_careful() here.
328 if (!list_empty_careful(&isec
->list
)) {
329 spin_lock(&sbsec
->isec_lock
);
330 list_del_init(&isec
->list
);
331 spin_unlock(&sbsec
->isec_lock
);
335 static int file_alloc_security(struct file
*file
)
337 struct file_security_struct
*fsec
= selinux_file(file
);
338 u32 sid
= current_sid();
341 fsec
->fown_sid
= sid
;
346 static int superblock_alloc_security(struct super_block
*sb
)
348 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
350 mutex_init(&sbsec
->lock
);
351 INIT_LIST_HEAD(&sbsec
->isec_head
);
352 spin_lock_init(&sbsec
->isec_lock
);
354 sbsec
->sid
= SECINITSID_UNLABELED
;
355 sbsec
->def_sid
= SECINITSID_FILE
;
356 sbsec
->mntpoint_sid
= SECINITSID_UNLABELED
;
361 static inline int inode_doinit(struct inode
*inode
)
363 return inode_doinit_with_dentry(inode
, NULL
);
372 Opt_labelsupport
= 5,
376 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
378 static const match_table_t tokens
= {
379 {Opt_context
, CONTEXT_STR
"%s"},
380 {Opt_fscontext
, FSCONTEXT_STR
"%s"},
381 {Opt_defcontext
, DEFCONTEXT_STR
"%s"},
382 {Opt_rootcontext
, ROOTCONTEXT_STR
"%s"},
383 {Opt_labelsupport
, LABELSUPP_STR
},
387 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
389 static int may_context_mount_sb_relabel(u32 sid
,
390 struct superblock_security_struct
*sbsec
,
391 const struct cred
*cred
)
393 const struct task_security_struct
*tsec
= selinux_cred(cred
);
396 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
397 FILESYSTEM__RELABELFROM
, NULL
);
401 rc
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_FILESYSTEM
,
402 FILESYSTEM__RELABELTO
, NULL
);
406 static int may_context_mount_inode_relabel(u32 sid
,
407 struct superblock_security_struct
*sbsec
,
408 const struct cred
*cred
)
410 const struct task_security_struct
*tsec
= selinux_cred(cred
);
412 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
413 FILESYSTEM__RELABELFROM
, NULL
);
417 rc
= avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
418 FILESYSTEM__ASSOCIATE
, NULL
);
422 static int selinux_is_sblabel_mnt(struct super_block
*sb
)
424 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
426 return sbsec
->behavior
== SECURITY_FS_USE_XATTR
||
427 sbsec
->behavior
== SECURITY_FS_USE_TRANS
||
428 sbsec
->behavior
== SECURITY_FS_USE_TASK
||
429 sbsec
->behavior
== SECURITY_FS_USE_NATIVE
||
430 /* Special handling. Genfs but also in-core setxattr handler */
431 !strcmp(sb
->s_type
->name
, "sysfs") ||
432 !strcmp(sb
->s_type
->name
, "pstore") ||
433 !strcmp(sb
->s_type
->name
, "debugfs") ||
434 !strcmp(sb
->s_type
->name
, "tracefs") ||
435 !strcmp(sb
->s_type
->name
, "rootfs") ||
436 (selinux_policycap_cgroupseclabel
&&
437 (!strcmp(sb
->s_type
->name
, "cgroup") ||
438 !strcmp(sb
->s_type
->name
, "cgroup2")));
441 static int sb_finish_set_opts(struct super_block
*sb
)
443 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
444 struct dentry
*root
= sb
->s_root
;
445 struct inode
*root_inode
= d_backing_inode(root
);
448 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
449 /* Make sure that the xattr handler exists and that no
450 error other than -ENODATA is returned by getxattr on
451 the root directory. -ENODATA is ok, as this may be
452 the first boot of the SELinux kernel before we have
453 assigned xattr values to the filesystem. */
454 if (!(root_inode
->i_opflags
& IOP_XATTR
)) {
455 printk(KERN_WARNING
"SELinux: (dev %s, type %s) has no "
456 "xattr support\n", sb
->s_id
, sb
->s_type
->name
);
461 rc
= __vfs_getxattr(root
, root_inode
, XATTR_NAME_SELINUX
, NULL
, 0);
462 if (rc
< 0 && rc
!= -ENODATA
) {
463 if (rc
== -EOPNOTSUPP
)
464 printk(KERN_WARNING
"SELinux: (dev %s, type "
465 "%s) has no security xattr handler\n",
466 sb
->s_id
, sb
->s_type
->name
);
468 printk(KERN_WARNING
"SELinux: (dev %s, type "
469 "%s) getxattr errno %d\n", sb
->s_id
,
470 sb
->s_type
->name
, -rc
);
475 sbsec
->flags
|= SE_SBINITIALIZED
;
478 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
479 * leave the flag untouched because sb_clone_mnt_opts might be handing
480 * us a superblock that needs the flag to be cleared.
482 if (selinux_is_sblabel_mnt(sb
))
483 sbsec
->flags
|= SBLABEL_MNT
;
485 sbsec
->flags
&= ~SBLABEL_MNT
;
487 /* Initialize the root inode. */
488 rc
= inode_doinit_with_dentry(root_inode
, root
);
490 /* Initialize any other inodes associated with the superblock, e.g.
491 inodes created prior to initial policy load or inodes created
492 during get_sb by a pseudo filesystem that directly
494 spin_lock(&sbsec
->isec_lock
);
496 if (!list_empty(&sbsec
->isec_head
)) {
497 struct inode_security_struct
*isec
=
498 list_entry(sbsec
->isec_head
.next
,
499 struct inode_security_struct
, list
);
500 struct inode
*inode
= isec
->inode
;
501 list_del_init(&isec
->list
);
502 spin_unlock(&sbsec
->isec_lock
);
503 inode
= igrab(inode
);
505 if (!IS_PRIVATE(inode
))
509 spin_lock(&sbsec
->isec_lock
);
512 spin_unlock(&sbsec
->isec_lock
);
518 * This function should allow an FS to ask what it's mount security
519 * options were so it can use those later for submounts, displaying
520 * mount options, or whatever.
522 static int selinux_get_mnt_opts(const struct super_block
*sb
,
523 struct security_mnt_opts
*opts
)
526 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
527 char *context
= NULL
;
531 security_init_mnt_opts(opts
);
533 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
539 /* make sure we always check enough bits to cover the mask */
540 BUILD_BUG_ON(SE_MNTMASK
>= (1 << NUM_SEL_MNT_OPTS
));
542 tmp
= sbsec
->flags
& SE_MNTMASK
;
543 /* count the number of mount options for this sb */
544 for (i
= 0; i
< NUM_SEL_MNT_OPTS
; i
++) {
546 opts
->num_mnt_opts
++;
549 /* Check if the Label support flag is set */
550 if (sbsec
->flags
& SBLABEL_MNT
)
551 opts
->num_mnt_opts
++;
553 opts
->mnt_opts
= kcalloc(opts
->num_mnt_opts
, sizeof(char *), GFP_ATOMIC
);
554 if (!opts
->mnt_opts
) {
559 opts
->mnt_opts_flags
= kcalloc(opts
->num_mnt_opts
, sizeof(int), GFP_ATOMIC
);
560 if (!opts
->mnt_opts_flags
) {
566 if (sbsec
->flags
& FSCONTEXT_MNT
) {
567 rc
= security_sid_to_context(sbsec
->sid
, &context
, &len
);
570 opts
->mnt_opts
[i
] = context
;
571 opts
->mnt_opts_flags
[i
++] = FSCONTEXT_MNT
;
573 if (sbsec
->flags
& CONTEXT_MNT
) {
574 rc
= security_sid_to_context(sbsec
->mntpoint_sid
, &context
, &len
);
577 opts
->mnt_opts
[i
] = context
;
578 opts
->mnt_opts_flags
[i
++] = CONTEXT_MNT
;
580 if (sbsec
->flags
& DEFCONTEXT_MNT
) {
581 rc
= security_sid_to_context(sbsec
->def_sid
, &context
, &len
);
584 opts
->mnt_opts
[i
] = context
;
585 opts
->mnt_opts_flags
[i
++] = DEFCONTEXT_MNT
;
587 if (sbsec
->flags
& ROOTCONTEXT_MNT
) {
588 struct dentry
*root
= sbsec
->sb
->s_root
;
589 struct inode_security_struct
*isec
=
590 backing_inode_security(root
);
592 rc
= security_sid_to_context(isec
->sid
, &context
, &len
);
595 opts
->mnt_opts
[i
] = context
;
596 opts
->mnt_opts_flags
[i
++] = ROOTCONTEXT_MNT
;
598 if (sbsec
->flags
& SBLABEL_MNT
) {
599 opts
->mnt_opts
[i
] = NULL
;
600 opts
->mnt_opts_flags
[i
++] = SBLABEL_MNT
;
603 BUG_ON(i
!= opts
->num_mnt_opts
);
608 security_free_mnt_opts(opts
);
612 static int bad_option(struct superblock_security_struct
*sbsec
, char flag
,
613 u32 old_sid
, u32 new_sid
)
615 char mnt_flags
= sbsec
->flags
& SE_MNTMASK
;
617 /* check if the old mount command had the same options */
618 if (sbsec
->flags
& SE_SBINITIALIZED
)
619 if (!(sbsec
->flags
& flag
) ||
620 (old_sid
!= new_sid
))
623 /* check if we were passed the same options twice,
624 * aka someone passed context=a,context=b
626 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
627 if (mnt_flags
& flag
)
633 * Allow filesystems with binary mount data to explicitly set mount point
634 * labeling information.
636 static int selinux_set_mnt_opts(struct super_block
*sb
,
637 struct security_mnt_opts
*opts
,
638 unsigned long kern_flags
,
639 unsigned long *set_kern_flags
)
641 const struct cred
*cred
= current_cred();
643 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
644 const char *name
= sb
->s_type
->name
;
645 struct dentry
*root
= sbsec
->sb
->s_root
;
646 struct inode_security_struct
*root_isec
;
647 u32 fscontext_sid
= 0, context_sid
= 0, rootcontext_sid
= 0;
648 u32 defcontext_sid
= 0;
649 char **mount_options
= opts
->mnt_opts
;
650 int *flags
= opts
->mnt_opts_flags
;
651 int num_opts
= opts
->num_mnt_opts
;
653 mutex_lock(&sbsec
->lock
);
655 if (!ss_initialized
) {
657 /* Defer initialization until selinux_complete_init,
658 after the initial policy is loaded and the security
659 server is ready to handle calls. */
663 printk(KERN_WARNING
"SELinux: Unable to set superblock options "
664 "before the security server is initialized\n");
667 if (kern_flags
&& !set_kern_flags
) {
668 /* Specifying internal flags without providing a place to
669 * place the results is not allowed */
675 * Binary mount data FS will come through this function twice. Once
676 * from an explicit call and once from the generic calls from the vfs.
677 * Since the generic VFS calls will not contain any security mount data
678 * we need to skip the double mount verification.
680 * This does open a hole in which we will not notice if the first
681 * mount using this sb set explict options and a second mount using
682 * this sb does not set any security options. (The first options
683 * will be used for both mounts)
685 if ((sbsec
->flags
& SE_SBINITIALIZED
) && (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
689 root_isec
= backing_inode_security_novalidate(root
);
692 * parse the mount options, check if they are valid sids.
693 * also check if someone is trying to mount the same sb more
694 * than once with different security options.
696 for (i
= 0; i
< num_opts
; i
++) {
699 if (flags
[i
] == SBLABEL_MNT
)
701 rc
= security_context_str_to_sid(mount_options
[i
], &sid
, GFP_KERNEL
);
703 printk(KERN_WARNING
"SELinux: security_context_str_to_sid"
704 "(%s) failed for (dev %s, type %s) errno=%d\n",
705 mount_options
[i
], sb
->s_id
, name
, rc
);
712 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
,
714 goto out_double_mount
;
716 sbsec
->flags
|= FSCONTEXT_MNT
;
721 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
,
723 goto out_double_mount
;
725 sbsec
->flags
|= CONTEXT_MNT
;
727 case ROOTCONTEXT_MNT
:
728 rootcontext_sid
= sid
;
730 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
,
732 goto out_double_mount
;
734 sbsec
->flags
|= ROOTCONTEXT_MNT
;
738 defcontext_sid
= sid
;
740 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
,
742 goto out_double_mount
;
744 sbsec
->flags
|= DEFCONTEXT_MNT
;
753 if (sbsec
->flags
& SE_SBINITIALIZED
) {
754 /* previously mounted with options, but not on this attempt? */
755 if ((sbsec
->flags
& SE_MNTMASK
) && !num_opts
)
756 goto out_double_mount
;
761 if (strcmp(sb
->s_type
->name
, "proc") == 0)
762 sbsec
->flags
|= SE_SBPROC
| SE_SBGENFS
;
764 if (!strcmp(sb
->s_type
->name
, "debugfs") ||
765 !strcmp(sb
->s_type
->name
, "tracefs") ||
766 !strcmp(sb
->s_type
->name
, "sysfs") ||
767 !strcmp(sb
->s_type
->name
, "pstore") ||
768 !strcmp(sb
->s_type
->name
, "cgroup") ||
769 !strcmp(sb
->s_type
->name
, "cgroup2"))
770 sbsec
->flags
|= SE_SBGENFS
;
772 if (!sbsec
->behavior
) {
774 * Determine the labeling behavior to use for this
777 rc
= security_fs_use(sb
);
780 "%s: security_fs_use(%s) returned %d\n",
781 __func__
, sb
->s_type
->name
, rc
);
787 * If this is a user namespace mount and the filesystem type is not
788 * explicitly whitelisted, then no contexts are allowed on the command
789 * line and security labels must be ignored.
791 if (sb
->s_user_ns
!= &init_user_ns
&&
792 strcmp(sb
->s_type
->name
, "tmpfs") &&
793 strcmp(sb
->s_type
->name
, "ramfs") &&
794 strcmp(sb
->s_type
->name
, "devpts")) {
795 if (context_sid
|| fscontext_sid
|| rootcontext_sid
||
800 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
801 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
802 rc
= security_transition_sid(current_sid(), current_sid(),
804 &sbsec
->mntpoint_sid
);
811 /* sets the context of the superblock for the fs being mounted. */
813 rc
= may_context_mount_sb_relabel(fscontext_sid
, sbsec
, cred
);
817 sbsec
->sid
= fscontext_sid
;
821 * Switch to using mount point labeling behavior.
822 * sets the label used on all file below the mountpoint, and will set
823 * the superblock context if not already set.
825 if (kern_flags
& SECURITY_LSM_NATIVE_LABELS
&& !context_sid
) {
826 sbsec
->behavior
= SECURITY_FS_USE_NATIVE
;
827 *set_kern_flags
|= SECURITY_LSM_NATIVE_LABELS
;
831 if (!fscontext_sid
) {
832 rc
= may_context_mount_sb_relabel(context_sid
, sbsec
,
836 sbsec
->sid
= context_sid
;
838 rc
= may_context_mount_inode_relabel(context_sid
, sbsec
,
843 if (!rootcontext_sid
)
844 rootcontext_sid
= context_sid
;
846 sbsec
->mntpoint_sid
= context_sid
;
847 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
850 if (rootcontext_sid
) {
851 rc
= may_context_mount_inode_relabel(rootcontext_sid
, sbsec
,
856 root_isec
->sid
= rootcontext_sid
;
857 root_isec
->initialized
= LABEL_INITIALIZED
;
860 if (defcontext_sid
) {
861 if (sbsec
->behavior
!= SECURITY_FS_USE_XATTR
&&
862 sbsec
->behavior
!= SECURITY_FS_USE_NATIVE
) {
864 printk(KERN_WARNING
"SELinux: defcontext option is "
865 "invalid for this filesystem type\n");
869 if (defcontext_sid
!= sbsec
->def_sid
) {
870 rc
= may_context_mount_inode_relabel(defcontext_sid
,
876 sbsec
->def_sid
= defcontext_sid
;
880 rc
= sb_finish_set_opts(sb
);
882 mutex_unlock(&sbsec
->lock
);
886 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, different "
887 "security settings for (dev %s, type %s)\n", sb
->s_id
, name
);
891 static int selinux_cmp_sb_context(const struct super_block
*oldsb
,
892 const struct super_block
*newsb
)
894 struct superblock_security_struct
*old
= selinux_superblock(oldsb
);
895 struct superblock_security_struct
*new = selinux_superblock(newsb
);
896 char oldflags
= old
->flags
& SE_MNTMASK
;
897 char newflags
= new->flags
& SE_MNTMASK
;
899 if (oldflags
!= newflags
)
901 if ((oldflags
& FSCONTEXT_MNT
) && old
->sid
!= new->sid
)
903 if ((oldflags
& CONTEXT_MNT
) && old
->mntpoint_sid
!= new->mntpoint_sid
)
905 if ((oldflags
& DEFCONTEXT_MNT
) && old
->def_sid
!= new->def_sid
)
907 if (oldflags
& ROOTCONTEXT_MNT
) {
908 struct inode_security_struct
*oldroot
= backing_inode_security(oldsb
->s_root
);
909 struct inode_security_struct
*newroot
= backing_inode_security(newsb
->s_root
);
910 if (oldroot
->sid
!= newroot
->sid
)
915 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, "
916 "different security settings for (dev %s, "
917 "type %s)\n", newsb
->s_id
, newsb
->s_type
->name
);
921 static int selinux_sb_clone_mnt_opts(const struct super_block
*oldsb
,
922 struct super_block
*newsb
,
923 unsigned long kern_flags
,
924 unsigned long *set_kern_flags
)
927 const struct superblock_security_struct
*oldsbsec
=
928 selinux_superblock(oldsb
);
929 struct superblock_security_struct
*newsbsec
= selinux_superblock(newsb
);
931 int set_fscontext
= (oldsbsec
->flags
& FSCONTEXT_MNT
);
932 int set_context
= (oldsbsec
->flags
& CONTEXT_MNT
);
933 int set_rootcontext
= (oldsbsec
->flags
& ROOTCONTEXT_MNT
);
936 * if the parent was able to be mounted it clearly had no special lsm
937 * mount options. thus we can safely deal with this superblock later
943 * Specifying internal flags without providing a place to
944 * place the results is not allowed.
946 if (kern_flags
&& !set_kern_flags
)
949 /* how can we clone if the old one wasn't set up?? */
950 BUG_ON(!(oldsbsec
->flags
& SE_SBINITIALIZED
));
952 /* if fs is reusing a sb, make sure that the contexts match */
953 if (newsbsec
->flags
& SE_SBINITIALIZED
)
954 return selinux_cmp_sb_context(oldsb
, newsb
);
956 mutex_lock(&newsbsec
->lock
);
958 newsbsec
->flags
= oldsbsec
->flags
;
960 newsbsec
->sid
= oldsbsec
->sid
;
961 newsbsec
->def_sid
= oldsbsec
->def_sid
;
962 newsbsec
->behavior
= oldsbsec
->behavior
;
964 if (newsbsec
->behavior
== SECURITY_FS_USE_NATIVE
&&
965 !(kern_flags
& SECURITY_LSM_NATIVE_LABELS
) && !set_context
) {
966 rc
= security_fs_use(newsb
);
971 if (kern_flags
& SECURITY_LSM_NATIVE_LABELS
&& !set_context
) {
972 newsbsec
->behavior
= SECURITY_FS_USE_NATIVE
;
973 *set_kern_flags
|= SECURITY_LSM_NATIVE_LABELS
;
977 u32 sid
= oldsbsec
->mntpoint_sid
;
981 if (!set_rootcontext
) {
982 struct inode_security_struct
*newisec
=
983 backing_inode_security(newsb
->s_root
);
986 newsbsec
->mntpoint_sid
= sid
;
988 if (set_rootcontext
) {
989 const struct inode_security_struct
*oldisec
=
990 backing_inode_security(oldsb
->s_root
);
991 struct inode_security_struct
*newisec
=
992 backing_inode_security(newsb
->s_root
);
994 newisec
->sid
= oldisec
->sid
;
997 sb_finish_set_opts(newsb
);
999 mutex_unlock(&newsbsec
->lock
);
1003 static int selinux_parse_opts_str(char *options
,
1004 struct security_mnt_opts
*opts
)
1007 char *context
= NULL
, *defcontext
= NULL
;
1008 char *fscontext
= NULL
, *rootcontext
= NULL
;
1009 int rc
, num_mnt_opts
= 0;
1011 opts
->num_mnt_opts
= 0;
1013 /* Standard string-based options. */
1014 while ((p
= strsep(&options
, "|")) != NULL
) {
1016 substring_t args
[MAX_OPT_ARGS
];
1021 token
= match_token(p
, tokens
, args
);
1025 if (context
|| defcontext
) {
1027 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1030 context
= match_strdup(&args
[0]);
1040 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1043 fscontext
= match_strdup(&args
[0]);
1050 case Opt_rootcontext
:
1053 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1056 rootcontext
= match_strdup(&args
[0]);
1063 case Opt_defcontext
:
1064 if (context
|| defcontext
) {
1066 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1069 defcontext
= match_strdup(&args
[0]);
1075 case Opt_labelsupport
:
1079 printk(KERN_WARNING
"SELinux: unknown mount option\n");
1086 opts
->mnt_opts
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(char *), GFP_KERNEL
);
1087 if (!opts
->mnt_opts
)
1090 opts
->mnt_opts_flags
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(int),
1092 if (!opts
->mnt_opts_flags
)
1096 opts
->mnt_opts
[num_mnt_opts
] = fscontext
;
1097 opts
->mnt_opts_flags
[num_mnt_opts
++] = FSCONTEXT_MNT
;
1100 opts
->mnt_opts
[num_mnt_opts
] = context
;
1101 opts
->mnt_opts_flags
[num_mnt_opts
++] = CONTEXT_MNT
;
1104 opts
->mnt_opts
[num_mnt_opts
] = rootcontext
;
1105 opts
->mnt_opts_flags
[num_mnt_opts
++] = ROOTCONTEXT_MNT
;
1108 opts
->mnt_opts
[num_mnt_opts
] = defcontext
;
1109 opts
->mnt_opts_flags
[num_mnt_opts
++] = DEFCONTEXT_MNT
;
1112 opts
->num_mnt_opts
= num_mnt_opts
;
1116 security_free_mnt_opts(opts
);
1124 * string mount options parsing and call set the sbsec
1126 static int superblock_doinit(struct super_block
*sb
, void *data
)
1129 char *options
= data
;
1130 struct security_mnt_opts opts
;
1132 security_init_mnt_opts(&opts
);
1137 BUG_ON(sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
);
1139 rc
= selinux_parse_opts_str(options
, &opts
);
1144 rc
= selinux_set_mnt_opts(sb
, &opts
, 0, NULL
);
1147 security_free_mnt_opts(&opts
);
1151 static void selinux_write_opts(struct seq_file
*m
,
1152 struct security_mnt_opts
*opts
)
1157 for (i
= 0; i
< opts
->num_mnt_opts
; i
++) {
1160 if (opts
->mnt_opts
[i
])
1161 has_comma
= strchr(opts
->mnt_opts
[i
], ',');
1165 switch (opts
->mnt_opts_flags
[i
]) {
1167 prefix
= CONTEXT_STR
;
1170 prefix
= FSCONTEXT_STR
;
1172 case ROOTCONTEXT_MNT
:
1173 prefix
= ROOTCONTEXT_STR
;
1175 case DEFCONTEXT_MNT
:
1176 prefix
= DEFCONTEXT_STR
;
1180 seq_puts(m
, LABELSUPP_STR
);
1186 /* we need a comma before each option */
1188 seq_puts(m
, prefix
);
1191 seq_escape(m
, opts
->mnt_opts
[i
], "\"\n\\");
1197 static int selinux_sb_show_options(struct seq_file
*m
, struct super_block
*sb
)
1199 struct security_mnt_opts opts
;
1202 rc
= selinux_get_mnt_opts(sb
, &opts
);
1204 /* before policy load we may get EINVAL, don't show anything */
1210 selinux_write_opts(m
, &opts
);
1212 security_free_mnt_opts(&opts
);
1217 static inline u16
inode_mode_to_security_class(umode_t mode
)
1219 switch (mode
& S_IFMT
) {
1221 return SECCLASS_SOCK_FILE
;
1223 return SECCLASS_LNK_FILE
;
1225 return SECCLASS_FILE
;
1227 return SECCLASS_BLK_FILE
;
1229 return SECCLASS_DIR
;
1231 return SECCLASS_CHR_FILE
;
1233 return SECCLASS_FIFO_FILE
;
1237 return SECCLASS_FILE
;
1240 static inline int default_protocol_stream(int protocol
)
1242 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_TCP
);
1245 static inline int default_protocol_dgram(int protocol
)
1247 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_UDP
);
1250 static inline u16
socket_type_to_security_class(int family
, int type
, int protocol
)
1252 int extsockclass
= selinux_policycap_extsockclass
;
1258 case SOCK_SEQPACKET
:
1259 return SECCLASS_UNIX_STREAM_SOCKET
;
1262 return SECCLASS_UNIX_DGRAM_SOCKET
;
1269 case SOCK_SEQPACKET
:
1270 if (default_protocol_stream(protocol
))
1271 return SECCLASS_TCP_SOCKET
;
1272 else if (extsockclass
&& protocol
== IPPROTO_SCTP
)
1273 return SECCLASS_SCTP_SOCKET
;
1275 return SECCLASS_RAWIP_SOCKET
;
1277 if (default_protocol_dgram(protocol
))
1278 return SECCLASS_UDP_SOCKET
;
1279 else if (extsockclass
&& (protocol
== IPPROTO_ICMP
||
1280 protocol
== IPPROTO_ICMPV6
))
1281 return SECCLASS_ICMP_SOCKET
;
1283 return SECCLASS_RAWIP_SOCKET
;
1285 return SECCLASS_DCCP_SOCKET
;
1287 return SECCLASS_RAWIP_SOCKET
;
1293 return SECCLASS_NETLINK_ROUTE_SOCKET
;
1294 case NETLINK_SOCK_DIAG
:
1295 return SECCLASS_NETLINK_TCPDIAG_SOCKET
;
1297 return SECCLASS_NETLINK_NFLOG_SOCKET
;
1299 return SECCLASS_NETLINK_XFRM_SOCKET
;
1300 case NETLINK_SELINUX
:
1301 return SECCLASS_NETLINK_SELINUX_SOCKET
;
1303 return SECCLASS_NETLINK_ISCSI_SOCKET
;
1305 return SECCLASS_NETLINK_AUDIT_SOCKET
;
1306 case NETLINK_FIB_LOOKUP
:
1307 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET
;
1308 case NETLINK_CONNECTOR
:
1309 return SECCLASS_NETLINK_CONNECTOR_SOCKET
;
1310 case NETLINK_NETFILTER
:
1311 return SECCLASS_NETLINK_NETFILTER_SOCKET
;
1312 case NETLINK_DNRTMSG
:
1313 return SECCLASS_NETLINK_DNRT_SOCKET
;
1314 case NETLINK_KOBJECT_UEVENT
:
1315 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET
;
1316 case NETLINK_GENERIC
:
1317 return SECCLASS_NETLINK_GENERIC_SOCKET
;
1318 case NETLINK_SCSITRANSPORT
:
1319 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET
;
1321 return SECCLASS_NETLINK_RDMA_SOCKET
;
1322 case NETLINK_CRYPTO
:
1323 return SECCLASS_NETLINK_CRYPTO_SOCKET
;
1325 return SECCLASS_NETLINK_SOCKET
;
1328 return SECCLASS_PACKET_SOCKET
;
1330 return SECCLASS_KEY_SOCKET
;
1332 return SECCLASS_APPLETALK_SOCKET
;
1338 return SECCLASS_AX25_SOCKET
;
1340 return SECCLASS_IPX_SOCKET
;
1342 return SECCLASS_NETROM_SOCKET
;
1344 return SECCLASS_ATMPVC_SOCKET
;
1346 return SECCLASS_X25_SOCKET
;
1348 return SECCLASS_ROSE_SOCKET
;
1350 return SECCLASS_DECNET_SOCKET
;
1352 return SECCLASS_ATMSVC_SOCKET
;
1354 return SECCLASS_RDS_SOCKET
;
1356 return SECCLASS_IRDA_SOCKET
;
1358 return SECCLASS_PPPOX_SOCKET
;
1360 return SECCLASS_LLC_SOCKET
;
1362 return SECCLASS_CAN_SOCKET
;
1364 return SECCLASS_TIPC_SOCKET
;
1366 return SECCLASS_BLUETOOTH_SOCKET
;
1368 return SECCLASS_IUCV_SOCKET
;
1370 return SECCLASS_RXRPC_SOCKET
;
1372 return SECCLASS_ISDN_SOCKET
;
1374 return SECCLASS_PHONET_SOCKET
;
1376 return SECCLASS_IEEE802154_SOCKET
;
1378 return SECCLASS_CAIF_SOCKET
;
1380 return SECCLASS_ALG_SOCKET
;
1382 return SECCLASS_NFC_SOCKET
;
1384 return SECCLASS_VSOCK_SOCKET
;
1386 return SECCLASS_KCM_SOCKET
;
1388 return SECCLASS_QIPCRTR_SOCKET
;
1390 return SECCLASS_SMC_SOCKET
;
1392 #error New address family defined, please update this function.
1397 return SECCLASS_SOCKET
;
1400 static int selinux_genfs_get_sid(struct dentry
*dentry
,
1406 struct super_block
*sb
= dentry
->d_sb
;
1407 char *buffer
, *path
;
1409 buffer
= (char *)__get_free_page(GFP_KERNEL
);
1413 path
= dentry_path_raw(dentry
, buffer
, PAGE_SIZE
);
1417 if (flags
& SE_SBPROC
) {
1418 /* each process gets a /proc/PID/ entry. Strip off the
1419 * PID part to get a valid selinux labeling.
1420 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1421 while (path
[1] >= '0' && path
[1] <= '9') {
1426 rc
= security_genfs_sid(sb
->s_type
->name
, path
, tclass
, sid
);
1427 if (rc
== -ENOENT
) {
1428 /* No match in policy, mark as unlabeled. */
1429 *sid
= SECINITSID_UNLABELED
;
1433 free_page((unsigned long)buffer
);
1437 /* The inode's security attributes must be initialized before first use. */
1438 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
)
1440 struct superblock_security_struct
*sbsec
= NULL
;
1441 struct inode_security_struct
*isec
= selinux_inode(inode
);
1442 u32 task_sid
, sid
= 0;
1444 struct dentry
*dentry
;
1445 #define INITCONTEXTLEN 255
1446 char *context
= NULL
;
1450 if (isec
->initialized
== LABEL_INITIALIZED
)
1453 spin_lock(&isec
->lock
);
1454 if (isec
->initialized
== LABEL_INITIALIZED
)
1457 if (isec
->sclass
== SECCLASS_FILE
)
1458 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1460 sbsec
= selinux_superblock(inode
->i_sb
);
1461 if (!(sbsec
->flags
& SE_SBINITIALIZED
)) {
1462 /* Defer initialization until selinux_complete_init,
1463 after the initial policy is loaded and the security
1464 server is ready to handle calls. */
1465 spin_lock(&sbsec
->isec_lock
);
1466 if (list_empty(&isec
->list
))
1467 list_add(&isec
->list
, &sbsec
->isec_head
);
1468 spin_unlock(&sbsec
->isec_lock
);
1472 sclass
= isec
->sclass
;
1473 task_sid
= isec
->task_sid
;
1475 isec
->initialized
= LABEL_PENDING
;
1476 spin_unlock(&isec
->lock
);
1478 switch (sbsec
->behavior
) {
1479 case SECURITY_FS_USE_NATIVE
:
1481 case SECURITY_FS_USE_XATTR
:
1482 if (!(inode
->i_opflags
& IOP_XATTR
)) {
1483 sid
= sbsec
->def_sid
;
1486 /* Need a dentry, since the xattr API requires one.
1487 Life would be simpler if we could just pass the inode. */
1489 /* Called from d_instantiate or d_splice_alias. */
1490 dentry
= dget(opt_dentry
);
1493 * Called from selinux_complete_init, try to find a dentry.
1494 * Some filesystems really want a connected one, so try
1495 * that first. We could split SECURITY_FS_USE_XATTR in
1496 * two, depending upon that...
1498 dentry
= d_find_alias(inode
);
1500 dentry
= d_find_any_alias(inode
);
1504 * this is can be hit on boot when a file is accessed
1505 * before the policy is loaded. When we load policy we
1506 * may find inodes that have no dentry on the
1507 * sbsec->isec_head list. No reason to complain as these
1508 * will get fixed up the next time we go through
1509 * inode_doinit with a dentry, before these inodes could
1510 * be used again by userspace.
1515 len
= INITCONTEXTLEN
;
1516 context
= kmalloc(len
+1, GFP_NOFS
);
1522 context
[len
] = '\0';
1523 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, context
, len
);
1524 if (rc
== -ERANGE
) {
1527 /* Need a larger buffer. Query for the right size. */
1528 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, NULL
, 0);
1534 context
= kmalloc(len
+1, GFP_NOFS
);
1540 context
[len
] = '\0';
1541 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, context
, len
);
1545 if (rc
!= -ENODATA
) {
1546 printk(KERN_WARNING
"SELinux: %s: getxattr returned "
1547 "%d for dev=%s ino=%ld\n", __func__
,
1548 -rc
, inode
->i_sb
->s_id
, inode
->i_ino
);
1552 /* Map ENODATA to the default file SID */
1553 sid
= sbsec
->def_sid
;
1556 rc
= security_context_to_sid_default(context
, rc
, &sid
,
1560 char *dev
= inode
->i_sb
->s_id
;
1561 unsigned long ino
= inode
->i_ino
;
1563 if (rc
== -EINVAL
) {
1564 if (printk_ratelimit())
1565 printk(KERN_NOTICE
"SELinux: inode=%lu on dev=%s was found to have an invalid "
1566 "context=%s. This indicates you may need to relabel the inode or the "
1567 "filesystem in question.\n", ino
, dev
, context
);
1569 printk(KERN_WARNING
"SELinux: %s: context_to_sid(%s) "
1570 "returned %d for dev=%s ino=%ld\n",
1571 __func__
, context
, -rc
, dev
, ino
);
1574 /* Leave with the unlabeled SID */
1581 case SECURITY_FS_USE_TASK
:
1584 case SECURITY_FS_USE_TRANS
:
1585 /* Default to the fs SID. */
1588 /* Try to obtain a transition SID. */
1589 rc
= security_transition_sid(task_sid
, sid
, sclass
, NULL
, &sid
);
1593 case SECURITY_FS_USE_MNTPOINT
:
1594 sid
= sbsec
->mntpoint_sid
;
1597 /* Default to the fs superblock SID. */
1600 if ((sbsec
->flags
& SE_SBGENFS
) && !S_ISLNK(inode
->i_mode
)) {
1601 /* We must have a dentry to determine the label on
1604 /* Called from d_instantiate or
1605 * d_splice_alias. */
1606 dentry
= dget(opt_dentry
);
1608 /* Called from selinux_complete_init, try to
1609 * find a dentry. Some filesystems really want
1610 * a connected one, so try that first.
1612 dentry
= d_find_alias(inode
);
1614 dentry
= d_find_any_alias(inode
);
1617 * This can be hit on boot when a file is accessed
1618 * before the policy is loaded. When we load policy we
1619 * may find inodes that have no dentry on the
1620 * sbsec->isec_head list. No reason to complain as
1621 * these will get fixed up the next time we go through
1622 * inode_doinit() with a dentry, before these inodes
1623 * could be used again by userspace.
1627 rc
= selinux_genfs_get_sid(dentry
, sclass
,
1628 sbsec
->flags
, &sid
);
1637 spin_lock(&isec
->lock
);
1638 if (isec
->initialized
== LABEL_PENDING
) {
1640 isec
->initialized
= LABEL_INVALID
;
1644 isec
->initialized
= LABEL_INITIALIZED
;
1649 spin_unlock(&isec
->lock
);
1653 /* Convert a Linux signal to an access vector. */
1654 static inline u32
signal_to_av(int sig
)
1660 /* Commonly granted from child to parent. */
1661 perm
= PROCESS__SIGCHLD
;
1664 /* Cannot be caught or ignored */
1665 perm
= PROCESS__SIGKILL
;
1668 /* Cannot be caught or ignored */
1669 perm
= PROCESS__SIGSTOP
;
1672 /* All other signals. */
1673 perm
= PROCESS__SIGNAL
;
1680 #if CAP_LAST_CAP > 63
1681 #error Fix SELinux to handle capabilities > 63.
1684 /* Check whether a task is allowed to use a capability. */
1685 static int cred_has_capability(const struct cred
*cred
,
1686 int cap
, int audit
, bool initns
)
1688 struct common_audit_data ad
;
1689 struct av_decision avd
;
1691 u32 sid
= cred_sid(cred
);
1692 u32 av
= CAP_TO_MASK(cap
);
1695 ad
.type
= LSM_AUDIT_DATA_CAP
;
1698 switch (CAP_TO_INDEX(cap
)) {
1700 sclass
= initns
? SECCLASS_CAPABILITY
: SECCLASS_CAP_USERNS
;
1703 sclass
= initns
? SECCLASS_CAPABILITY2
: SECCLASS_CAP2_USERNS
;
1707 "SELinux: out of range capability %d\n", cap
);
1712 rc
= avc_has_perm_noaudit(sid
, sid
, sclass
, av
, 0, &avd
);
1713 if (audit
== SECURITY_CAP_AUDIT
) {
1714 int rc2
= avc_audit(sid
, sid
, sclass
, av
, &avd
, rc
, &ad
, 0);
1721 /* Check whether a task has a particular permission to an inode.
1722 The 'adp' parameter is optional and allows other audit
1723 data to be passed (e.g. the dentry). */
1724 static int inode_has_perm(const struct cred
*cred
,
1725 struct inode
*inode
,
1727 struct common_audit_data
*adp
)
1729 struct inode_security_struct
*isec
;
1732 validate_creds(cred
);
1734 if (unlikely(IS_PRIVATE(inode
)))
1737 sid
= cred_sid(cred
);
1738 isec
= selinux_inode(inode
);
1740 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, adp
);
1743 /* Same as inode_has_perm, but pass explicit audit data containing
1744 the dentry to help the auditing code to more easily generate the
1745 pathname if needed. */
1746 static inline int dentry_has_perm(const struct cred
*cred
,
1747 struct dentry
*dentry
,
1750 struct inode
*inode
= d_backing_inode(dentry
);
1751 struct common_audit_data ad
;
1753 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1754 ad
.u
.dentry
= dentry
;
1755 __inode_security_revalidate(inode
, dentry
, true);
1756 return inode_has_perm(cred
, inode
, av
, &ad
);
1759 /* Same as inode_has_perm, but pass explicit audit data containing
1760 the path to help the auditing code to more easily generate the
1761 pathname if needed. */
1762 static inline int path_has_perm(const struct cred
*cred
,
1763 const struct path
*path
,
1766 struct inode
*inode
= d_backing_inode(path
->dentry
);
1767 struct common_audit_data ad
;
1769 ad
.type
= LSM_AUDIT_DATA_PATH
;
1771 __inode_security_revalidate(inode
, path
->dentry
, true);
1772 return inode_has_perm(cred
, inode
, av
, &ad
);
1775 /* Same as path_has_perm, but uses the inode from the file struct. */
1776 static inline int file_path_has_perm(const struct cred
*cred
,
1780 struct common_audit_data ad
;
1782 ad
.type
= LSM_AUDIT_DATA_FILE
;
1784 return inode_has_perm(cred
, file_inode(file
), av
, &ad
);
1787 #ifdef CONFIG_BPF_SYSCALL
1788 static int bpf_fd_pass(struct file
*file
, u32 sid
);
1791 /* Check whether a task can use an open file descriptor to
1792 access an inode in a given way. Check access to the
1793 descriptor itself, and then use dentry_has_perm to
1794 check a particular permission to the file.
1795 Access to the descriptor is implicitly granted if it
1796 has the same SID as the process. If av is zero, then
1797 access to the file is not checked, e.g. for cases
1798 where only the descriptor is affected like seek. */
1799 static int file_has_perm(const struct cred
*cred
,
1803 struct file_security_struct
*fsec
= selinux_file(file
);
1804 struct inode
*inode
= file_inode(file
);
1805 struct common_audit_data ad
;
1806 u32 sid
= cred_sid(cred
);
1809 ad
.type
= LSM_AUDIT_DATA_FILE
;
1812 if (sid
!= fsec
->sid
) {
1813 rc
= avc_has_perm(sid
, fsec
->sid
,
1821 #ifdef CONFIG_BPF_SYSCALL
1822 rc
= bpf_fd_pass(file
, cred_sid(cred
));
1827 /* av is zero if only checking access to the descriptor. */
1830 rc
= inode_has_perm(cred
, inode
, av
, &ad
);
1837 * Determine the label for an inode that might be unioned.
1840 selinux_determine_inode_label(const struct task_security_struct
*tsec
,
1842 const struct qstr
*name
, u16 tclass
,
1845 const struct superblock_security_struct
*sbsec
=
1846 selinux_superblock(dir
->i_sb
);
1848 if ((sbsec
->flags
& SE_SBINITIALIZED
) &&
1849 (sbsec
->behavior
== SECURITY_FS_USE_MNTPOINT
)) {
1850 *_new_isid
= sbsec
->mntpoint_sid
;
1851 } else if ((sbsec
->flags
& SBLABEL_MNT
) &&
1853 *_new_isid
= tsec
->create_sid
;
1855 const struct inode_security_struct
*dsec
= inode_security(dir
);
1856 return security_transition_sid(tsec
->sid
, dsec
->sid
, tclass
,
1863 /* Check whether a task can create a file. */
1864 static int may_create(struct inode
*dir
,
1865 struct dentry
*dentry
,
1868 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
1869 struct inode_security_struct
*dsec
;
1870 struct superblock_security_struct
*sbsec
;
1872 struct common_audit_data ad
;
1875 dsec
= inode_security(dir
);
1876 sbsec
= selinux_superblock(dir
->i_sb
);
1880 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1881 ad
.u
.dentry
= dentry
;
1883 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
,
1884 DIR__ADD_NAME
| DIR__SEARCH
,
1889 rc
= selinux_determine_inode_label(selinux_cred(current_cred()), dir
,
1890 &dentry
->d_name
, tclass
, &newsid
);
1894 rc
= avc_has_perm(sid
, newsid
, tclass
, FILE__CREATE
, &ad
);
1898 return avc_has_perm(newsid
, sbsec
->sid
,
1899 SECCLASS_FILESYSTEM
,
1900 FILESYSTEM__ASSOCIATE
, &ad
);
1904 #define MAY_UNLINK 1
1907 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1908 static int may_link(struct inode
*dir
,
1909 struct dentry
*dentry
,
1913 struct inode_security_struct
*dsec
, *isec
;
1914 struct common_audit_data ad
;
1915 u32 sid
= current_sid();
1919 dsec
= inode_security(dir
);
1920 isec
= backing_inode_security(dentry
);
1922 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1923 ad
.u
.dentry
= dentry
;
1926 av
|= (kind
? DIR__REMOVE_NAME
: DIR__ADD_NAME
);
1927 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1942 printk(KERN_WARNING
"SELinux: %s: unrecognized kind %d\n",
1947 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
, av
, &ad
);
1951 static inline int may_rename(struct inode
*old_dir
,
1952 struct dentry
*old_dentry
,
1953 struct inode
*new_dir
,
1954 struct dentry
*new_dentry
)
1956 struct inode_security_struct
*old_dsec
, *new_dsec
, *old_isec
, *new_isec
;
1957 struct common_audit_data ad
;
1958 u32 sid
= current_sid();
1960 int old_is_dir
, new_is_dir
;
1963 old_dsec
= inode_security(old_dir
);
1964 old_isec
= backing_inode_security(old_dentry
);
1965 old_is_dir
= d_is_dir(old_dentry
);
1966 new_dsec
= inode_security(new_dir
);
1968 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1970 ad
.u
.dentry
= old_dentry
;
1971 rc
= avc_has_perm(sid
, old_dsec
->sid
, SECCLASS_DIR
,
1972 DIR__REMOVE_NAME
| DIR__SEARCH
, &ad
);
1975 rc
= avc_has_perm(sid
, old_isec
->sid
,
1976 old_isec
->sclass
, FILE__RENAME
, &ad
);
1979 if (old_is_dir
&& new_dir
!= old_dir
) {
1980 rc
= avc_has_perm(sid
, old_isec
->sid
,
1981 old_isec
->sclass
, DIR__REPARENT
, &ad
);
1986 ad
.u
.dentry
= new_dentry
;
1987 av
= DIR__ADD_NAME
| DIR__SEARCH
;
1988 if (d_is_positive(new_dentry
))
1989 av
|= DIR__REMOVE_NAME
;
1990 rc
= avc_has_perm(sid
, new_dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1993 if (d_is_positive(new_dentry
)) {
1994 new_isec
= backing_inode_security(new_dentry
);
1995 new_is_dir
= d_is_dir(new_dentry
);
1996 rc
= avc_has_perm(sid
, new_isec
->sid
,
1998 (new_is_dir
? DIR__RMDIR
: FILE__UNLINK
), &ad
);
2006 /* Check whether a task can perform a filesystem operation. */
2007 static int superblock_has_perm(const struct cred
*cred
,
2008 struct super_block
*sb
,
2010 struct common_audit_data
*ad
)
2012 struct superblock_security_struct
*sbsec
;
2013 u32 sid
= cred_sid(cred
);
2015 sbsec
= selinux_superblock(sb
);
2016 return avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
, perms
, ad
);
2019 /* Convert a Linux mode and permission mask to an access vector. */
2020 static inline u32
file_mask_to_av(int mode
, int mask
)
2024 if (!S_ISDIR(mode
)) {
2025 if (mask
& MAY_EXEC
)
2026 av
|= FILE__EXECUTE
;
2027 if (mask
& MAY_READ
)
2030 if (mask
& MAY_APPEND
)
2032 else if (mask
& MAY_WRITE
)
2036 if (mask
& MAY_EXEC
)
2038 if (mask
& MAY_WRITE
)
2040 if (mask
& MAY_READ
)
2047 /* Convert a Linux file to an access vector. */
2048 static inline u32
file_to_av(struct file
*file
)
2052 if (file
->f_mode
& FMODE_READ
)
2054 if (file
->f_mode
& FMODE_WRITE
) {
2055 if (file
->f_flags
& O_APPEND
)
2062 * Special file opened with flags 3 for ioctl-only use.
2071 * Convert a file to an access vector and include the correct open
2074 static inline u32
open_file_to_av(struct file
*file
)
2076 u32 av
= file_to_av(file
);
2077 struct inode
*inode
= file_inode(file
);
2079 if (selinux_policycap_openperm
&& inode
->i_sb
->s_magic
!= SOCKFS_MAGIC
)
2085 /* Hook functions begin here. */
2087 static int selinux_binder_set_context_mgr(struct task_struct
*mgr
)
2089 u32 mysid
= current_sid();
2090 u32 mgrsid
= task_sid(mgr
);
2092 return avc_has_perm(mysid
, mgrsid
, SECCLASS_BINDER
,
2093 BINDER__SET_CONTEXT_MGR
, NULL
);
2096 static int selinux_binder_transaction(struct task_struct
*from
,
2097 struct task_struct
*to
)
2099 u32 mysid
= current_sid();
2100 u32 fromsid
= task_sid(from
);
2101 u32 tosid
= task_sid(to
);
2104 if (mysid
!= fromsid
) {
2105 rc
= avc_has_perm(mysid
, fromsid
, SECCLASS_BINDER
,
2106 BINDER__IMPERSONATE
, NULL
);
2111 return avc_has_perm(fromsid
, tosid
, SECCLASS_BINDER
, BINDER__CALL
,
2115 static int selinux_binder_transfer_binder(struct task_struct
*from
,
2116 struct task_struct
*to
)
2118 u32 fromsid
= task_sid(from
);
2119 u32 tosid
= task_sid(to
);
2121 return avc_has_perm(fromsid
, tosid
, SECCLASS_BINDER
, BINDER__TRANSFER
,
2125 static int selinux_binder_transfer_file(struct task_struct
*from
,
2126 struct task_struct
*to
,
2129 u32 sid
= task_sid(to
);
2130 struct file_security_struct
*fsec
= selinux_file(file
);
2131 struct dentry
*dentry
= file
->f_path
.dentry
;
2132 struct inode_security_struct
*isec
;
2133 struct common_audit_data ad
;
2136 ad
.type
= LSM_AUDIT_DATA_PATH
;
2137 ad
.u
.path
= file
->f_path
;
2139 if (sid
!= fsec
->sid
) {
2140 rc
= avc_has_perm(sid
, fsec
->sid
,
2148 #ifdef CONFIG_BPF_SYSCALL
2149 rc
= bpf_fd_pass(file
, sid
);
2154 if (unlikely(IS_PRIVATE(d_backing_inode(dentry
))))
2157 isec
= backing_inode_security(dentry
);
2158 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, file_to_av(file
),
2162 static int selinux_ptrace_access_check(struct task_struct
*child
,
2165 u32 sid
= current_sid();
2166 u32 csid
= task_sid(child
);
2168 if (mode
& PTRACE_MODE_READ
)
2169 return avc_has_perm(sid
, csid
, SECCLASS_FILE
, FILE__READ
, NULL
);
2171 return avc_has_perm(sid
, csid
, SECCLASS_PROCESS
, PROCESS__PTRACE
, NULL
);
2174 static int selinux_ptrace_traceme(struct task_struct
*parent
)
2176 return avc_has_perm(task_sid(parent
), current_sid(), SECCLASS_PROCESS
,
2177 PROCESS__PTRACE
, NULL
);
2180 static int selinux_capget(struct task_struct
*target
, kernel_cap_t
*effective
,
2181 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
2183 return avc_has_perm(current_sid(), task_sid(target
), SECCLASS_PROCESS
,
2184 PROCESS__GETCAP
, NULL
);
2187 static int selinux_capset(struct cred
*new, const struct cred
*old
,
2188 const kernel_cap_t
*effective
,
2189 const kernel_cap_t
*inheritable
,
2190 const kernel_cap_t
*permitted
)
2192 return avc_has_perm(cred_sid(old
), cred_sid(new), SECCLASS_PROCESS
,
2193 PROCESS__SETCAP
, NULL
);
2197 * (This comment used to live with the selinux_task_setuid hook,
2198 * which was removed).
2200 * Since setuid only affects the current process, and since the SELinux
2201 * controls are not based on the Linux identity attributes, SELinux does not
2202 * need to control this operation. However, SELinux does control the use of
2203 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2206 static int selinux_capable(const struct cred
*cred
, struct user_namespace
*ns
,
2209 return cred_has_capability(cred
, cap
, audit
, ns
== &init_user_ns
);
2212 static int selinux_quotactl(int cmds
, int type
, int id
, struct super_block
*sb
)
2214 const struct cred
*cred
= current_cred();
2226 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAMOD
, NULL
);
2231 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAGET
, NULL
);
2234 rc
= 0; /* let the kernel handle invalid cmds */
2240 static int selinux_quota_on(struct dentry
*dentry
)
2242 const struct cred
*cred
= current_cred();
2244 return dentry_has_perm(cred
, dentry
, FILE__QUOTAON
);
2247 static int selinux_syslog(int type
)
2250 case SYSLOG_ACTION_READ_ALL
: /* Read last kernel messages */
2251 case SYSLOG_ACTION_SIZE_BUFFER
: /* Return size of the log buffer */
2252 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2253 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_READ
, NULL
);
2254 case SYSLOG_ACTION_CONSOLE_OFF
: /* Disable logging to console */
2255 case SYSLOG_ACTION_CONSOLE_ON
: /* Enable logging to console */
2256 /* Set level of messages printed to console */
2257 case SYSLOG_ACTION_CONSOLE_LEVEL
:
2258 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2259 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_CONSOLE
,
2262 /* All other syslog types */
2263 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2264 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_MOD
, NULL
);
2268 * Check that a process has enough memory to allocate a new virtual
2269 * mapping. 0 means there is enough memory for the allocation to
2270 * succeed and -ENOMEM implies there is not.
2272 * Do not audit the selinux permission check, as this is applied to all
2273 * processes that allocate mappings.
2275 static int selinux_vm_enough_memory(struct mm_struct
*mm
, long pages
)
2277 int rc
, cap_sys_admin
= 0;
2279 rc
= cred_has_capability(current_cred(), CAP_SYS_ADMIN
,
2280 SECURITY_CAP_NOAUDIT
, true);
2284 return cap_sys_admin
;
2287 /* binprm security operations */
2289 static u32
ptrace_parent_sid(void)
2292 struct task_struct
*tracer
;
2295 tracer
= ptrace_parent(current
);
2297 sid
= task_sid(tracer
);
2303 static int check_nnp_nosuid(const struct linux_binprm
*bprm
,
2304 const struct task_security_struct
*old_tsec
,
2305 const struct task_security_struct
*new_tsec
)
2307 int nnp
= (bprm
->unsafe
& LSM_UNSAFE_NO_NEW_PRIVS
);
2308 int nosuid
= path_nosuid(&bprm
->file
->f_path
);
2312 if (!nnp
&& !nosuid
)
2313 return 0; /* neither NNP nor nosuid */
2315 if (new_tsec
->sid
== old_tsec
->sid
)
2316 return 0; /* No change in credentials */
2319 * If the policy enables the nnp_nosuid_transition policy capability,
2320 * then we permit transitions under NNP or nosuid if the
2321 * policy allows the corresponding permission between
2322 * the old and new contexts.
2324 if (selinux_policycap_nnp_nosuid_transition
) {
2327 av
|= PROCESS2__NNP_TRANSITION
;
2329 av
|= PROCESS2__NOSUID_TRANSITION
;
2330 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2331 SECCLASS_PROCESS2
, av
, NULL
);
2337 * We also permit NNP or nosuid transitions to bounded SIDs,
2338 * i.e. SIDs that are guaranteed to only be allowed a subset
2339 * of the permissions of the current SID.
2341 rc
= security_bounded_transition(old_tsec
->sid
, new_tsec
->sid
);
2346 * On failure, preserve the errno values for NNP vs nosuid.
2347 * NNP: Operation not permitted for caller.
2348 * nosuid: Permission denied to file.
2355 static int selinux_bprm_set_creds(struct linux_binprm
*bprm
)
2357 const struct task_security_struct
*old_tsec
;
2358 struct task_security_struct
*new_tsec
;
2359 struct inode_security_struct
*isec
;
2360 struct common_audit_data ad
;
2361 struct inode
*inode
= file_inode(bprm
->file
);
2364 /* SELinux context only depends on initial program or script and not
2365 * the script interpreter */
2366 if (bprm
->called_set_creds
)
2369 old_tsec
= selinux_cred(current_cred());
2370 new_tsec
= selinux_cred(bprm
->cred
);
2371 isec
= inode_security(inode
);
2373 /* Default to the current task SID. */
2374 new_tsec
->sid
= old_tsec
->sid
;
2375 new_tsec
->osid
= old_tsec
->sid
;
2377 /* Reset fs, key, and sock SIDs on execve. */
2378 new_tsec
->create_sid
= 0;
2379 new_tsec
->keycreate_sid
= 0;
2380 new_tsec
->sockcreate_sid
= 0;
2382 if (old_tsec
->exec_sid
) {
2383 new_tsec
->sid
= old_tsec
->exec_sid
;
2384 /* Reset exec SID on execve. */
2385 new_tsec
->exec_sid
= 0;
2387 /* Fail on NNP or nosuid if not an allowed transition. */
2388 rc
= check_nnp_nosuid(bprm
, old_tsec
, new_tsec
);
2392 /* Check for a default transition on this program. */
2393 rc
= security_transition_sid(old_tsec
->sid
, isec
->sid
,
2394 SECCLASS_PROCESS
, NULL
,
2400 * Fallback to old SID on NNP or nosuid if not an allowed
2403 rc
= check_nnp_nosuid(bprm
, old_tsec
, new_tsec
);
2405 new_tsec
->sid
= old_tsec
->sid
;
2408 ad
.type
= LSM_AUDIT_DATA_FILE
;
2409 ad
.u
.file
= bprm
->file
;
2411 if (new_tsec
->sid
== old_tsec
->sid
) {
2412 rc
= avc_has_perm(old_tsec
->sid
, isec
->sid
,
2413 SECCLASS_FILE
, FILE__EXECUTE_NO_TRANS
, &ad
);
2417 /* Check permissions for the transition. */
2418 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2419 SECCLASS_PROCESS
, PROCESS__TRANSITION
, &ad
);
2423 rc
= avc_has_perm(new_tsec
->sid
, isec
->sid
,
2424 SECCLASS_FILE
, FILE__ENTRYPOINT
, &ad
);
2428 /* Check for shared state */
2429 if (bprm
->unsafe
& LSM_UNSAFE_SHARE
) {
2430 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2431 SECCLASS_PROCESS
, PROCESS__SHARE
,
2437 /* Make sure that anyone attempting to ptrace over a task that
2438 * changes its SID has the appropriate permit */
2439 if (bprm
->unsafe
& LSM_UNSAFE_PTRACE
) {
2440 u32 ptsid
= ptrace_parent_sid();
2442 rc
= avc_has_perm(ptsid
, new_tsec
->sid
,
2444 PROCESS__PTRACE
, NULL
);
2450 /* Clear any possibly unsafe personality bits on exec: */
2451 bprm
->per_clear
|= PER_CLEAR_ON_SETID
;
2453 /* Enable secure mode for SIDs transitions unless
2454 the noatsecure permission is granted between
2455 the two SIDs, i.e. ahp returns 0. */
2456 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2457 SECCLASS_PROCESS
, PROCESS__NOATSECURE
,
2459 bprm
->secureexec
|= !!rc
;
2465 static int match_file(const void *p
, struct file
*file
, unsigned fd
)
2467 return file_has_perm(p
, file
, file_to_av(file
)) ? fd
+ 1 : 0;
2470 /* Derived from fs/exec.c:flush_old_files. */
2471 static inline void flush_unauthorized_files(const struct cred
*cred
,
2472 struct files_struct
*files
)
2474 struct file
*file
, *devnull
= NULL
;
2475 struct tty_struct
*tty
;
2479 tty
= get_current_tty();
2481 spin_lock(&tty
->files_lock
);
2482 if (!list_empty(&tty
->tty_files
)) {
2483 struct tty_file_private
*file_priv
;
2485 /* Revalidate access to controlling tty.
2486 Use file_path_has_perm on the tty path directly
2487 rather than using file_has_perm, as this particular
2488 open file may belong to another process and we are
2489 only interested in the inode-based check here. */
2490 file_priv
= list_first_entry(&tty
->tty_files
,
2491 struct tty_file_private
, list
);
2492 file
= file_priv
->file
;
2493 if (file_path_has_perm(cred
, file
, FILE__READ
| FILE__WRITE
))
2496 spin_unlock(&tty
->files_lock
);
2499 /* Reset controlling tty. */
2503 /* Revalidate access to inherited open files. */
2504 n
= iterate_fd(files
, 0, match_file
, cred
);
2505 if (!n
) /* none found? */
2508 devnull
= dentry_open(&selinux_null
, O_RDWR
, cred
);
2509 if (IS_ERR(devnull
))
2511 /* replace all the matching ones with this */
2513 replace_fd(n
- 1, devnull
, 0);
2514 } while ((n
= iterate_fd(files
, n
, match_file
, cred
)) != 0);
2520 * Prepare a process for imminent new credential changes due to exec
2522 static void selinux_bprm_committing_creds(struct linux_binprm
*bprm
)
2524 struct task_security_struct
*new_tsec
;
2525 struct rlimit
*rlim
, *initrlim
;
2528 new_tsec
= selinux_cred(bprm
->cred
);
2529 if (new_tsec
->sid
== new_tsec
->osid
)
2532 /* Close files for which the new task SID is not authorized. */
2533 flush_unauthorized_files(bprm
->cred
, current
->files
);
2535 /* Always clear parent death signal on SID transitions. */
2536 current
->pdeath_signal
= 0;
2538 /* Check whether the new SID can inherit resource limits from the old
2539 * SID. If not, reset all soft limits to the lower of the current
2540 * task's hard limit and the init task's soft limit.
2542 * Note that the setting of hard limits (even to lower them) can be
2543 * controlled by the setrlimit check. The inclusion of the init task's
2544 * soft limit into the computation is to avoid resetting soft limits
2545 * higher than the default soft limit for cases where the default is
2546 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2548 rc
= avc_has_perm(new_tsec
->osid
, new_tsec
->sid
, SECCLASS_PROCESS
,
2549 PROCESS__RLIMITINH
, NULL
);
2551 /* protect against do_prlimit() */
2553 for (i
= 0; i
< RLIM_NLIMITS
; i
++) {
2554 rlim
= current
->signal
->rlim
+ i
;
2555 initrlim
= init_task
.signal
->rlim
+ i
;
2556 rlim
->rlim_cur
= min(rlim
->rlim_max
, initrlim
->rlim_cur
);
2558 task_unlock(current
);
2559 if (IS_ENABLED(CONFIG_POSIX_TIMERS
))
2560 update_rlimit_cpu(current
, rlimit(RLIMIT_CPU
));
2565 * Clean up the process immediately after the installation of new credentials
2568 static void selinux_bprm_committed_creds(struct linux_binprm
*bprm
)
2570 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
2571 struct itimerval itimer
;
2581 /* Check whether the new SID can inherit signal state from the old SID.
2582 * If not, clear itimers to avoid subsequent signal generation and
2583 * flush and unblock signals.
2585 * This must occur _after_ the task SID has been updated so that any
2586 * kill done after the flush will be checked against the new SID.
2588 rc
= avc_has_perm(osid
, sid
, SECCLASS_PROCESS
, PROCESS__SIGINH
, NULL
);
2590 if (IS_ENABLED(CONFIG_POSIX_TIMERS
)) {
2591 memset(&itimer
, 0, sizeof itimer
);
2592 for (i
= 0; i
< 3; i
++)
2593 do_setitimer(i
, &itimer
, NULL
);
2595 spin_lock_irq(¤t
->sighand
->siglock
);
2596 if (!fatal_signal_pending(current
)) {
2597 flush_sigqueue(¤t
->pending
);
2598 flush_sigqueue(¤t
->signal
->shared_pending
);
2599 flush_signal_handlers(current
, 1);
2600 sigemptyset(¤t
->blocked
);
2601 recalc_sigpending();
2603 spin_unlock_irq(¤t
->sighand
->siglock
);
2606 /* Wake up the parent if it is waiting so that it can recheck
2607 * wait permission to the new task SID. */
2608 read_lock(&tasklist_lock
);
2609 __wake_up_parent(current
, current
->real_parent
);
2610 read_unlock(&tasklist_lock
);
2613 /* superblock security operations */
2615 static int selinux_sb_alloc_security(struct super_block
*sb
)
2617 return superblock_alloc_security(sb
);
2620 static inline int match_prefix(char *prefix
, int plen
, char *option
, int olen
)
2625 return !memcmp(prefix
, option
, plen
);
2628 static inline int selinux_option(char *option
, int len
)
2630 return (match_prefix(CONTEXT_STR
, sizeof(CONTEXT_STR
)-1, option
, len
) ||
2631 match_prefix(FSCONTEXT_STR
, sizeof(FSCONTEXT_STR
)-1, option
, len
) ||
2632 match_prefix(DEFCONTEXT_STR
, sizeof(DEFCONTEXT_STR
)-1, option
, len
) ||
2633 match_prefix(ROOTCONTEXT_STR
, sizeof(ROOTCONTEXT_STR
)-1, option
, len
) ||
2634 match_prefix(LABELSUPP_STR
, sizeof(LABELSUPP_STR
)-1, option
, len
));
2637 static inline void take_option(char **to
, char *from
, int *first
, int len
)
2644 memcpy(*to
, from
, len
);
2648 static inline void take_selinux_option(char **to
, char *from
, int *first
,
2651 int current_size
= 0;
2659 while (current_size
< len
) {
2669 static int selinux_sb_copy_data(char *orig
, char *copy
)
2671 int fnosec
, fsec
, rc
= 0;
2672 char *in_save
, *in_curr
, *in_end
;
2673 char *sec_curr
, *nosec_save
, *nosec
;
2679 nosec
= (char *)get_zeroed_page(GFP_KERNEL
);
2687 in_save
= in_end
= orig
;
2691 open_quote
= !open_quote
;
2692 if ((*in_end
== ',' && open_quote
== 0) ||
2694 int len
= in_end
- in_curr
;
2696 if (selinux_option(in_curr
, len
))
2697 take_selinux_option(&sec_curr
, in_curr
, &fsec
, len
);
2699 take_option(&nosec
, in_curr
, &fnosec
, len
);
2701 in_curr
= in_end
+ 1;
2703 } while (*in_end
++);
2705 strcpy(in_save
, nosec_save
);
2706 free_page((unsigned long)nosec_save
);
2711 static int selinux_sb_remount(struct super_block
*sb
, void *data
)
2714 struct security_mnt_opts opts
;
2715 char *secdata
, **mount_options
;
2716 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
2718 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
2724 if (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
2727 security_init_mnt_opts(&opts
);
2728 secdata
= alloc_secdata();
2731 rc
= selinux_sb_copy_data(data
, secdata
);
2733 goto out_free_secdata
;
2735 rc
= selinux_parse_opts_str(secdata
, &opts
);
2737 goto out_free_secdata
;
2739 mount_options
= opts
.mnt_opts
;
2740 flags
= opts
.mnt_opts_flags
;
2742 for (i
= 0; i
< opts
.num_mnt_opts
; i
++) {
2745 if (flags
[i
] == SBLABEL_MNT
)
2747 rc
= security_context_str_to_sid(mount_options
[i
], &sid
, GFP_KERNEL
);
2749 printk(KERN_WARNING
"SELinux: security_context_str_to_sid"
2750 "(%s) failed for (dev %s, type %s) errno=%d\n",
2751 mount_options
[i
], sb
->s_id
, sb
->s_type
->name
, rc
);
2757 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
, sid
))
2758 goto out_bad_option
;
2761 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
, sid
))
2762 goto out_bad_option
;
2764 case ROOTCONTEXT_MNT
: {
2765 struct inode_security_struct
*root_isec
;
2766 root_isec
= backing_inode_security(sb
->s_root
);
2768 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
, sid
))
2769 goto out_bad_option
;
2772 case DEFCONTEXT_MNT
:
2773 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
, sid
))
2774 goto out_bad_option
;
2783 security_free_mnt_opts(&opts
);
2785 free_secdata(secdata
);
2788 printk(KERN_WARNING
"SELinux: unable to change security options "
2789 "during remount (dev %s, type=%s)\n", sb
->s_id
,
2794 static int selinux_sb_kern_mount(struct super_block
*sb
, int flags
, void *data
)
2796 const struct cred
*cred
= current_cred();
2797 struct common_audit_data ad
;
2800 rc
= superblock_doinit(sb
, data
);
2804 /* Allow all mounts performed by the kernel */
2805 if (flags
& (MS_KERNMOUNT
| MS_SUBMOUNT
))
2808 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2809 ad
.u
.dentry
= sb
->s_root
;
2810 return superblock_has_perm(cred
, sb
, FILESYSTEM__MOUNT
, &ad
);
2813 static int selinux_sb_statfs(struct dentry
*dentry
)
2815 const struct cred
*cred
= current_cred();
2816 struct common_audit_data ad
;
2818 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2819 ad
.u
.dentry
= dentry
->d_sb
->s_root
;
2820 return superblock_has_perm(cred
, dentry
->d_sb
, FILESYSTEM__GETATTR
, &ad
);
2823 static int selinux_mount(const char *dev_name
,
2824 const struct path
*path
,
2826 unsigned long flags
,
2829 const struct cred
*cred
= current_cred();
2831 if (flags
& MS_REMOUNT
)
2832 return superblock_has_perm(cred
, path
->dentry
->d_sb
,
2833 FILESYSTEM__REMOUNT
, NULL
);
2835 return path_has_perm(cred
, path
, FILE__MOUNTON
);
2838 static int selinux_umount(struct vfsmount
*mnt
, int flags
)
2840 const struct cred
*cred
= current_cred();
2842 return superblock_has_perm(cred
, mnt
->mnt_sb
,
2843 FILESYSTEM__UNMOUNT
, NULL
);
2846 /* inode security operations */
2848 static int selinux_inode_alloc_security(struct inode
*inode
)
2850 return inode_alloc_security(inode
);
2853 static void selinux_inode_free_security(struct inode
*inode
)
2855 inode_free_security(inode
);
2858 static int selinux_dentry_init_security(struct dentry
*dentry
, int mode
,
2859 const struct qstr
*name
, void **ctx
,
2865 rc
= selinux_determine_inode_label(selinux_cred(current_cred()),
2866 d_inode(dentry
->d_parent
), name
,
2867 inode_mode_to_security_class(mode
),
2872 return security_sid_to_context(newsid
, (char **)ctx
, ctxlen
);
2875 static int selinux_dentry_create_files_as(struct dentry
*dentry
, int mode
,
2877 const struct cred
*old
,
2882 struct task_security_struct
*tsec
;
2884 rc
= selinux_determine_inode_label(selinux_cred(old
),
2885 d_inode(dentry
->d_parent
), name
,
2886 inode_mode_to_security_class(mode
),
2891 tsec
= selinux_cred(new);
2892 tsec
->create_sid
= newsid
;
2896 static int selinux_inode_init_security(struct inode
*inode
, struct inode
*dir
,
2897 const struct qstr
*qstr
,
2899 void **value
, size_t *len
)
2901 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
2902 struct superblock_security_struct
*sbsec
;
2907 sbsec
= selinux_superblock(dir
->i_sb
);
2909 newsid
= tsec
->create_sid
;
2911 rc
= selinux_determine_inode_label(selinux_cred(current_cred()),
2913 inode_mode_to_security_class(inode
->i_mode
),
2918 /* Possibly defer initialization to selinux_complete_init. */
2919 if (sbsec
->flags
& SE_SBINITIALIZED
) {
2920 struct inode_security_struct
*isec
= selinux_inode(inode
);
2921 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
2923 isec
->initialized
= LABEL_INITIALIZED
;
2926 if (!ss_initialized
|| !(sbsec
->flags
& SBLABEL_MNT
))
2930 *name
= XATTR_SELINUX_SUFFIX
;
2933 rc
= security_sid_to_context_force(newsid
, &context
, &clen
);
2943 static int selinux_inode_create(struct inode
*dir
, struct dentry
*dentry
, umode_t mode
)
2945 return may_create(dir
, dentry
, SECCLASS_FILE
);
2948 static int selinux_inode_link(struct dentry
*old_dentry
, struct inode
*dir
, struct dentry
*new_dentry
)
2950 return may_link(dir
, old_dentry
, MAY_LINK
);
2953 static int selinux_inode_unlink(struct inode
*dir
, struct dentry
*dentry
)
2955 return may_link(dir
, dentry
, MAY_UNLINK
);
2958 static int selinux_inode_symlink(struct inode
*dir
, struct dentry
*dentry
, const char *name
)
2960 return may_create(dir
, dentry
, SECCLASS_LNK_FILE
);
2963 static int selinux_inode_mkdir(struct inode
*dir
, struct dentry
*dentry
, umode_t mask
)
2965 return may_create(dir
, dentry
, SECCLASS_DIR
);
2968 static int selinux_inode_rmdir(struct inode
*dir
, struct dentry
*dentry
)
2970 return may_link(dir
, dentry
, MAY_RMDIR
);
2973 static int selinux_inode_mknod(struct inode
*dir
, struct dentry
*dentry
, umode_t mode
, dev_t dev
)
2975 return may_create(dir
, dentry
, inode_mode_to_security_class(mode
));
2978 static int selinux_inode_rename(struct inode
*old_inode
, struct dentry
*old_dentry
,
2979 struct inode
*new_inode
, struct dentry
*new_dentry
)
2981 return may_rename(old_inode
, old_dentry
, new_inode
, new_dentry
);
2984 static int selinux_inode_readlink(struct dentry
*dentry
)
2986 const struct cred
*cred
= current_cred();
2988 return dentry_has_perm(cred
, dentry
, FILE__READ
);
2991 static int selinux_inode_follow_link(struct dentry
*dentry
, struct inode
*inode
,
2994 const struct cred
*cred
= current_cred();
2995 struct common_audit_data ad
;
2996 struct inode_security_struct
*isec
;
2999 validate_creds(cred
);
3001 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
3002 ad
.u
.dentry
= dentry
;
3003 sid
= cred_sid(cred
);
3004 isec
= inode_security_rcu(inode
, rcu
);
3006 return PTR_ERR(isec
);
3008 return avc_has_perm_flags(sid
, isec
->sid
, isec
->sclass
, FILE__READ
, &ad
,
3009 rcu
? MAY_NOT_BLOCK
: 0);
3012 static noinline
int audit_inode_permission(struct inode
*inode
,
3013 u32 perms
, u32 audited
, u32 denied
,
3017 struct common_audit_data ad
;
3018 struct inode_security_struct
*isec
= selinux_inode(inode
);
3021 ad
.type
= LSM_AUDIT_DATA_INODE
;
3024 rc
= slow_avc_audit(current_sid(), isec
->sid
, isec
->sclass
, perms
,
3025 audited
, denied
, result
, &ad
, flags
);
3031 static int selinux_inode_permission(struct inode
*inode
, int mask
)
3033 const struct cred
*cred
= current_cred();
3036 unsigned flags
= mask
& MAY_NOT_BLOCK
;
3037 struct inode_security_struct
*isec
;
3039 struct av_decision avd
;
3041 u32 audited
, denied
;
3043 from_access
= mask
& MAY_ACCESS
;
3044 mask
&= (MAY_READ
|MAY_WRITE
|MAY_EXEC
|MAY_APPEND
);
3046 /* No permission to check. Existence test. */
3050 validate_creds(cred
);
3052 if (unlikely(IS_PRIVATE(inode
)))
3055 perms
= file_mask_to_av(inode
->i_mode
, mask
);
3057 sid
= cred_sid(cred
);
3058 isec
= inode_security_rcu(inode
, flags
& MAY_NOT_BLOCK
);
3060 return PTR_ERR(isec
);
3062 rc
= avc_has_perm_noaudit(sid
, isec
->sid
, isec
->sclass
, perms
, 0, &avd
);
3063 audited
= avc_audit_required(perms
, &avd
, rc
,
3064 from_access
? FILE__AUDIT_ACCESS
: 0,
3066 if (likely(!audited
))
3069 rc2
= audit_inode_permission(inode
, perms
, audited
, denied
, rc
, flags
);
3075 static int selinux_inode_setattr(struct dentry
*dentry
, struct iattr
*iattr
)
3077 const struct cred
*cred
= current_cred();
3078 struct inode
*inode
= d_backing_inode(dentry
);
3079 unsigned int ia_valid
= iattr
->ia_valid
;
3080 __u32 av
= FILE__WRITE
;
3082 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3083 if (ia_valid
& ATTR_FORCE
) {
3084 ia_valid
&= ~(ATTR_KILL_SUID
| ATTR_KILL_SGID
| ATTR_MODE
|
3090 if (ia_valid
& (ATTR_MODE
| ATTR_UID
| ATTR_GID
|
3091 ATTR_ATIME_SET
| ATTR_MTIME_SET
| ATTR_TIMES_SET
))
3092 return dentry_has_perm(cred
, dentry
, FILE__SETATTR
);
3094 if (selinux_policycap_openperm
&&
3095 inode
->i_sb
->s_magic
!= SOCKFS_MAGIC
&&
3096 (ia_valid
& ATTR_SIZE
) &&
3097 !(ia_valid
& ATTR_FILE
))
3100 return dentry_has_perm(cred
, dentry
, av
);
3103 static int selinux_inode_getattr(const struct path
*path
)
3105 return path_has_perm(current_cred(), path
, FILE__GETATTR
);
3108 static bool has_cap_mac_admin(bool audit
)
3110 const struct cred
*cred
= current_cred();
3111 int cap_audit
= audit
? SECURITY_CAP_AUDIT
: SECURITY_CAP_NOAUDIT
;
3113 if (cap_capable(cred
, &init_user_ns
, CAP_MAC_ADMIN
, cap_audit
))
3115 if (cred_has_capability(cred
, CAP_MAC_ADMIN
, cap_audit
, true))
3120 static int selinux_inode_setxattr(struct dentry
*dentry
, const char *name
,
3121 const void *value
, size_t size
, int flags
)
3123 struct inode
*inode
= d_backing_inode(dentry
);
3124 struct inode_security_struct
*isec
;
3125 struct superblock_security_struct
*sbsec
;
3126 struct common_audit_data ad
;
3127 u32 newsid
, sid
= current_sid();
3130 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3131 rc
= cap_inode_setxattr(dentry
, name
, value
, size
, flags
);
3135 /* Not an attribute we recognize, so just check the
3136 ordinary setattr permission. */
3137 return dentry_has_perm(current_cred(), dentry
, FILE__SETATTR
);
3140 sbsec
= selinux_superblock(inode
->i_sb
);
3141 if (!(sbsec
->flags
& SBLABEL_MNT
))
3144 if (!inode_owner_or_capable(inode
))
3147 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
3148 ad
.u
.dentry
= dentry
;
3150 isec
= backing_inode_security(dentry
);
3151 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
,
3152 FILE__RELABELFROM
, &ad
);
3156 rc
= security_context_to_sid(value
, size
, &newsid
, GFP_KERNEL
);
3157 if (rc
== -EINVAL
) {
3158 if (!has_cap_mac_admin(true)) {
3159 struct audit_buffer
*ab
;
3162 /* We strip a nul only if it is at the end, otherwise the
3163 * context contains a nul and we should audit that */
3165 const char *str
= value
;
3167 if (str
[size
- 1] == '\0')
3168 audit_size
= size
- 1;
3174 ab
= audit_log_start(current
->audit_context
, GFP_ATOMIC
, AUDIT_SELINUX_ERR
);
3175 audit_log_format(ab
, "op=setxattr invalid_context=");
3176 audit_log_n_untrustedstring(ab
, value
, audit_size
);
3181 rc
= security_context_to_sid_force(value
, size
, &newsid
);
3186 rc
= avc_has_perm(sid
, newsid
, isec
->sclass
,
3187 FILE__RELABELTO
, &ad
);
3191 rc
= security_validate_transition(isec
->sid
, newsid
, sid
,
3196 return avc_has_perm(newsid
,
3198 SECCLASS_FILESYSTEM
,
3199 FILESYSTEM__ASSOCIATE
,
3203 static void selinux_inode_post_setxattr(struct dentry
*dentry
, const char *name
,
3204 const void *value
, size_t size
,
3207 struct inode
*inode
= d_backing_inode(dentry
);
3208 struct inode_security_struct
*isec
;
3212 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3213 /* Not an attribute we recognize, so nothing to do. */
3217 rc
= security_context_to_sid_force(value
, size
, &newsid
);
3219 printk(KERN_ERR
"SELinux: unable to map context to SID"
3220 "for (%s, %lu), rc=%d\n",
3221 inode
->i_sb
->s_id
, inode
->i_ino
, -rc
);
3225 isec
= backing_inode_security(dentry
);
3226 spin_lock(&isec
->lock
);
3227 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3229 isec
->initialized
= LABEL_INITIALIZED
;
3230 spin_unlock(&isec
->lock
);
3235 static int selinux_inode_getxattr(struct dentry
*dentry
, const char *name
)
3237 const struct cred
*cred
= current_cred();
3239 return dentry_has_perm(cred
, dentry
, FILE__GETATTR
);
3242 static int selinux_inode_listxattr(struct dentry
*dentry
)
3244 const struct cred
*cred
= current_cred();
3246 return dentry_has_perm(cred
, dentry
, FILE__GETATTR
);
3249 static int selinux_inode_removexattr(struct dentry
*dentry
, const char *name
)
3251 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3252 int rc
= cap_inode_removexattr(dentry
, name
);
3256 /* Not an attribute we recognize, so just check the
3257 ordinary setattr permission. */
3258 return dentry_has_perm(current_cred(), dentry
, FILE__SETATTR
);
3261 /* No one is allowed to remove a SELinux security label.
3262 You can change the label, but all data must be labeled. */
3267 * Copy the inode security context value to the user.
3269 * Permission check is handled by selinux_inode_getxattr hook.
3271 static int selinux_inode_getsecurity(struct inode
*inode
, const char *name
, void **buffer
, bool alloc
)
3275 char *context
= NULL
;
3276 struct inode_security_struct
*isec
;
3278 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
3282 * If the caller has CAP_MAC_ADMIN, then get the raw context
3283 * value even if it is not defined by current policy; otherwise,
3284 * use the in-core value under current policy.
3285 * Use the non-auditing forms of the permission checks since
3286 * getxattr may be called by unprivileged processes commonly
3287 * and lack of permission just means that we fall back to the
3288 * in-core context value, not a denial.
3290 isec
= inode_security(inode
);
3291 if (has_cap_mac_admin(false))
3292 error
= security_sid_to_context_force(isec
->sid
, &context
,
3295 error
= security_sid_to_context(isec
->sid
, &context
, &size
);
3308 static int selinux_inode_setsecurity(struct inode
*inode
, const char *name
,
3309 const void *value
, size_t size
, int flags
)
3311 struct inode_security_struct
*isec
= inode_security_novalidate(inode
);
3315 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
3318 if (!value
|| !size
)
3321 rc
= security_context_to_sid(value
, size
, &newsid
, GFP_KERNEL
);
3325 spin_lock(&isec
->lock
);
3326 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3328 isec
->initialized
= LABEL_INITIALIZED
;
3329 spin_unlock(&isec
->lock
);
3333 static int selinux_inode_listsecurity(struct inode
*inode
, char *buffer
, size_t buffer_size
)
3335 const int len
= sizeof(XATTR_NAME_SELINUX
);
3336 if (buffer
&& len
<= buffer_size
)
3337 memcpy(buffer
, XATTR_NAME_SELINUX
, len
);
3341 static void selinux_inode_getsecid(struct inode
*inode
, u32
*secid
)
3343 struct inode_security_struct
*isec
= inode_security_novalidate(inode
);
3347 static int selinux_inode_copy_up(struct dentry
*src
, struct cred
**new)
3350 struct task_security_struct
*tsec
;
3351 struct cred
*new_creds
= *new;
3353 if (new_creds
== NULL
) {
3354 new_creds
= prepare_creds();
3359 tsec
= selinux_cred(new_creds
);
3360 /* Get label from overlay inode and set it in create_sid */
3361 selinux_inode_getsecid(d_inode(src
), &sid
);
3362 tsec
->create_sid
= sid
;
3367 static int selinux_inode_copy_up_xattr(const char *name
)
3369 /* The copy_up hook above sets the initial context on an inode, but we
3370 * don't then want to overwrite it by blindly copying all the lower
3371 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3373 if (strcmp(name
, XATTR_NAME_SELINUX
) == 0)
3374 return 1; /* Discard */
3376 * Any other attribute apart from SELINUX is not claimed, supported
3382 /* file security operations */
3384 static int selinux_revalidate_file_permission(struct file
*file
, int mask
)
3386 const struct cred
*cred
= current_cred();
3387 struct inode
*inode
= file_inode(file
);
3389 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3390 if ((file
->f_flags
& O_APPEND
) && (mask
& MAY_WRITE
))
3393 return file_has_perm(cred
, file
,
3394 file_mask_to_av(inode
->i_mode
, mask
));
3397 static int selinux_file_permission(struct file
*file
, int mask
)
3399 struct inode
*inode
= file_inode(file
);
3400 struct file_security_struct
*fsec
= selinux_file(file
);
3401 struct inode_security_struct
*isec
;
3402 u32 sid
= current_sid();
3405 /* No permission to check. Existence test. */
3408 isec
= inode_security(inode
);
3409 if (sid
== fsec
->sid
&& fsec
->isid
== isec
->sid
&&
3410 fsec
->pseqno
== avc_policy_seqno())
3411 /* No change since file_open check. */
3414 return selinux_revalidate_file_permission(file
, mask
);
3417 static int selinux_file_alloc_security(struct file
*file
)
3419 return file_alloc_security(file
);
3423 * Check whether a task has the ioctl permission and cmd
3424 * operation to an inode.
3426 static int ioctl_has_perm(const struct cred
*cred
, struct file
*file
,
3427 u32 requested
, u16 cmd
)
3429 struct common_audit_data ad
;
3430 struct file_security_struct
*fsec
= selinux_file(file
);
3431 struct inode
*inode
= file_inode(file
);
3432 struct inode_security_struct
*isec
;
3433 struct lsm_ioctlop_audit ioctl
;
3434 u32 ssid
= cred_sid(cred
);
3436 u8 driver
= cmd
>> 8;
3437 u8 xperm
= cmd
& 0xff;
3439 ad
.type
= LSM_AUDIT_DATA_IOCTL_OP
;
3442 ad
.u
.op
->path
= file
->f_path
;
3444 if (ssid
!= fsec
->sid
) {
3445 rc
= avc_has_perm(ssid
, fsec
->sid
,
3453 if (unlikely(IS_PRIVATE(inode
)))
3456 isec
= inode_security(inode
);
3457 rc
= avc_has_extended_perms(ssid
, isec
->sid
, isec
->sclass
,
3458 requested
, driver
, xperm
, &ad
);
3463 static int selinux_file_ioctl(struct file
*file
, unsigned int cmd
,
3466 const struct cred
*cred
= current_cred();
3476 case FS_IOC_GETFLAGS
:
3478 case FS_IOC_GETVERSION
:
3479 error
= file_has_perm(cred
, file
, FILE__GETATTR
);
3482 case FS_IOC_SETFLAGS
:
3484 case FS_IOC_SETVERSION
:
3485 error
= file_has_perm(cred
, file
, FILE__SETATTR
);
3488 /* sys_ioctl() checks */
3492 error
= file_has_perm(cred
, file
, 0);
3497 error
= cred_has_capability(cred
, CAP_SYS_TTY_CONFIG
,
3498 SECURITY_CAP_AUDIT
, true);
3501 /* default case assumes that the command will go
3502 * to the file's ioctl() function.
3505 error
= ioctl_has_perm(cred
, file
, FILE__IOCTL
, (u16
) cmd
);
3510 static int default_noexec
;
3512 static int file_map_prot_check(struct file
*file
, unsigned long prot
, int shared
)
3514 const struct cred
*cred
= current_cred();
3515 u32 sid
= cred_sid(cred
);
3518 if (default_noexec
&&
3519 (prot
& PROT_EXEC
) && (!file
|| IS_PRIVATE(file_inode(file
)) ||
3520 (!shared
&& (prot
& PROT_WRITE
)))) {
3522 * We are making executable an anonymous mapping or a
3523 * private file mapping that will also be writable.
3524 * This has an additional check.
3526 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3527 PROCESS__EXECMEM
, NULL
);
3533 /* read access is always possible with a mapping */
3534 u32 av
= FILE__READ
;
3536 /* write access only matters if the mapping is shared */
3537 if (shared
&& (prot
& PROT_WRITE
))
3540 if (prot
& PROT_EXEC
)
3541 av
|= FILE__EXECUTE
;
3543 return file_has_perm(cred
, file
, av
);
3550 static int selinux_mmap_addr(unsigned long addr
)
3554 if (addr
< CONFIG_LSM_MMAP_MIN_ADDR
) {
3555 u32 sid
= current_sid();
3556 rc
= avc_has_perm(sid
, sid
, SECCLASS_MEMPROTECT
,
3557 MEMPROTECT__MMAP_ZERO
, NULL
);
3563 static int selinux_mmap_file(struct file
*file
, unsigned long reqprot
,
3564 unsigned long prot
, unsigned long flags
)
3566 struct common_audit_data ad
;
3570 ad
.type
= LSM_AUDIT_DATA_FILE
;
3572 rc
= inode_has_perm(current_cred(), file_inode(file
),
3578 if (selinux_checkreqprot
)
3581 return file_map_prot_check(file
, prot
,
3582 (flags
& MAP_TYPE
) == MAP_SHARED
);
3585 static int selinux_file_mprotect(struct vm_area_struct
*vma
,
3586 unsigned long reqprot
,
3589 const struct cred
*cred
= current_cred();
3590 u32 sid
= cred_sid(cred
);
3592 if (selinux_checkreqprot
)
3595 if (default_noexec
&&
3596 (prot
& PROT_EXEC
) && !(vma
->vm_flags
& VM_EXEC
)) {
3598 if (vma
->vm_start
>= vma
->vm_mm
->start_brk
&&
3599 vma
->vm_end
<= vma
->vm_mm
->brk
) {
3600 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3601 PROCESS__EXECHEAP
, NULL
);
3602 } else if (!vma
->vm_file
&&
3603 ((vma
->vm_start
<= vma
->vm_mm
->start_stack
&&
3604 vma
->vm_end
>= vma
->vm_mm
->start_stack
) ||
3605 vma_is_stack_for_current(vma
))) {
3606 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3607 PROCESS__EXECSTACK
, NULL
);
3608 } else if (vma
->vm_file
&& vma
->anon_vma
) {
3610 * We are making executable a file mapping that has
3611 * had some COW done. Since pages might have been
3612 * written, check ability to execute the possibly
3613 * modified content. This typically should only
3614 * occur for text relocations.
3616 rc
= file_has_perm(cred
, vma
->vm_file
, FILE__EXECMOD
);
3622 return file_map_prot_check(vma
->vm_file
, prot
, vma
->vm_flags
&VM_SHARED
);
3625 static int selinux_file_lock(struct file
*file
, unsigned int cmd
)
3627 const struct cred
*cred
= current_cred();
3629 return file_has_perm(cred
, file
, FILE__LOCK
);
3632 static int selinux_file_fcntl(struct file
*file
, unsigned int cmd
,
3635 const struct cred
*cred
= current_cred();
3640 if ((file
->f_flags
& O_APPEND
) && !(arg
& O_APPEND
)) {
3641 err
= file_has_perm(cred
, file
, FILE__WRITE
);
3650 case F_GETOWNER_UIDS
:
3651 /* Just check FD__USE permission */
3652 err
= file_has_perm(cred
, file
, 0);
3660 #if BITS_PER_LONG == 32
3665 err
= file_has_perm(cred
, file
, FILE__LOCK
);
3672 static void selinux_file_set_fowner(struct file
*file
)
3674 struct file_security_struct
*fsec
;
3676 fsec
= selinux_file(file
);
3677 fsec
->fown_sid
= current_sid();
3680 static int selinux_file_send_sigiotask(struct task_struct
*tsk
,
3681 struct fown_struct
*fown
, int signum
)
3684 u32 sid
= task_sid(tsk
);
3686 struct file_security_struct
*fsec
;
3688 /* struct fown_struct is never outside the context of a struct file */
3689 file
= container_of(fown
, struct file
, f_owner
);
3691 fsec
= selinux_file(file
);
3694 perm
= signal_to_av(SIGIO
); /* as per send_sigio_to_task */
3696 perm
= signal_to_av(signum
);
3698 return avc_has_perm(fsec
->fown_sid
, sid
,
3699 SECCLASS_PROCESS
, perm
, NULL
);
3702 static int selinux_file_receive(struct file
*file
)
3704 const struct cred
*cred
= current_cred();
3706 return file_has_perm(cred
, file
, file_to_av(file
));
3709 static int selinux_file_open(struct file
*file
, const struct cred
*cred
)
3711 struct file_security_struct
*fsec
;
3712 struct inode_security_struct
*isec
;
3714 fsec
= selinux_file(file
);
3715 isec
= inode_security(file_inode(file
));
3717 * Save inode label and policy sequence number
3718 * at open-time so that selinux_file_permission
3719 * can determine whether revalidation is necessary.
3720 * Task label is already saved in the file security
3721 * struct as its SID.
3723 fsec
->isid
= isec
->sid
;
3724 fsec
->pseqno
= avc_policy_seqno();
3726 * Since the inode label or policy seqno may have changed
3727 * between the selinux_inode_permission check and the saving
3728 * of state above, recheck that access is still permitted.
3729 * Otherwise, access might never be revalidated against the
3730 * new inode label or new policy.
3731 * This check is not redundant - do not remove.
3733 return file_path_has_perm(cred
, file
, open_file_to_av(file
));
3736 /* task security operations */
3738 static int selinux_task_alloc(struct task_struct
*task
,
3739 unsigned long clone_flags
)
3741 u32 sid
= current_sid();
3743 return avc_has_perm(sid
, sid
, SECCLASS_PROCESS
, PROCESS__FORK
, NULL
);
3747 * prepare a new set of credentials for modification
3749 static int selinux_cred_prepare(struct cred
*new, const struct cred
*old
,
3752 const struct task_security_struct
*old_tsec
= selinux_cred(old
);
3753 struct task_security_struct
*tsec
= selinux_cred(new);
3761 * transfer the SELinux data to a blank set of creds
3763 static void selinux_cred_transfer(struct cred
*new, const struct cred
*old
)
3765 const struct task_security_struct
*old_tsec
= selinux_cred(old
);
3766 struct task_security_struct
*tsec
= selinux_cred(new);
3772 * set the security data for a kernel service
3773 * - all the creation contexts are set to unlabelled
3775 static int selinux_kernel_act_as(struct cred
*new, u32 secid
)
3777 struct task_security_struct
*tsec
= selinux_cred(new);
3778 u32 sid
= current_sid();
3781 ret
= avc_has_perm(sid
, secid
,
3782 SECCLASS_KERNEL_SERVICE
,
3783 KERNEL_SERVICE__USE_AS_OVERRIDE
,
3787 tsec
->create_sid
= 0;
3788 tsec
->keycreate_sid
= 0;
3789 tsec
->sockcreate_sid
= 0;
3795 * set the file creation context in a security record to the same as the
3796 * objective context of the specified inode
3798 static int selinux_kernel_create_files_as(struct cred
*new, struct inode
*inode
)
3800 struct inode_security_struct
*isec
= inode_security(inode
);
3801 struct task_security_struct
*tsec
= selinux_cred(new);
3802 u32 sid
= current_sid();
3805 ret
= avc_has_perm(sid
, isec
->sid
,
3806 SECCLASS_KERNEL_SERVICE
,
3807 KERNEL_SERVICE__CREATE_FILES_AS
,
3811 tsec
->create_sid
= isec
->sid
;
3815 static int selinux_kernel_module_request(char *kmod_name
)
3817 struct common_audit_data ad
;
3819 ad
.type
= LSM_AUDIT_DATA_KMOD
;
3820 ad
.u
.kmod_name
= kmod_name
;
3822 return avc_has_perm(current_sid(), SECINITSID_KERNEL
, SECCLASS_SYSTEM
,
3823 SYSTEM__MODULE_REQUEST
, &ad
);
3826 static int selinux_kernel_module_from_file(struct file
*file
)
3828 struct common_audit_data ad
;
3829 struct inode_security_struct
*isec
;
3830 struct file_security_struct
*fsec
;
3831 u32 sid
= current_sid();
3836 return avc_has_perm(sid
, sid
, SECCLASS_SYSTEM
,
3837 SYSTEM__MODULE_LOAD
, NULL
);
3841 ad
.type
= LSM_AUDIT_DATA_FILE
;
3844 fsec
= selinux_file(file
);
3845 if (sid
!= fsec
->sid
) {
3846 rc
= avc_has_perm(sid
, fsec
->sid
, SECCLASS_FD
, FD__USE
, &ad
);
3851 isec
= inode_security(file_inode(file
));
3852 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SYSTEM
,
3853 SYSTEM__MODULE_LOAD
, &ad
);
3856 static int selinux_kernel_read_file(struct file
*file
,
3857 enum kernel_read_file_id id
)
3862 case READING_MODULE
:
3863 rc
= selinux_kernel_module_from_file(file
);
3872 static int selinux_task_setpgid(struct task_struct
*p
, pid_t pgid
)
3874 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3875 PROCESS__SETPGID
, NULL
);
3878 static int selinux_task_getpgid(struct task_struct
*p
)
3880 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3881 PROCESS__GETPGID
, NULL
);
3884 static int selinux_task_getsid(struct task_struct
*p
)
3886 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3887 PROCESS__GETSESSION
, NULL
);
3890 static void selinux_task_getsecid(struct task_struct
*p
, u32
*secid
)
3892 *secid
= task_sid(p
);
3895 static int selinux_task_setnice(struct task_struct
*p
, int nice
)
3897 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3898 PROCESS__SETSCHED
, NULL
);
3901 static int selinux_task_setioprio(struct task_struct
*p
, int ioprio
)
3903 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3904 PROCESS__SETSCHED
, NULL
);
3907 static int selinux_task_getioprio(struct task_struct
*p
)
3909 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3910 PROCESS__GETSCHED
, NULL
);
3913 static int selinux_task_prlimit(const struct cred
*cred
, const struct cred
*tcred
,
3920 if (flags
& LSM_PRLIMIT_WRITE
)
3921 av
|= PROCESS__SETRLIMIT
;
3922 if (flags
& LSM_PRLIMIT_READ
)
3923 av
|= PROCESS__GETRLIMIT
;
3924 return avc_has_perm(cred_sid(cred
), cred_sid(tcred
),
3925 SECCLASS_PROCESS
, av
, NULL
);
3928 static int selinux_task_setrlimit(struct task_struct
*p
, unsigned int resource
,
3929 struct rlimit
*new_rlim
)
3931 struct rlimit
*old_rlim
= p
->signal
->rlim
+ resource
;
3933 /* Control the ability to change the hard limit (whether
3934 lowering or raising it), so that the hard limit can
3935 later be used as a safe reset point for the soft limit
3936 upon context transitions. See selinux_bprm_committing_creds. */
3937 if (old_rlim
->rlim_max
!= new_rlim
->rlim_max
)
3938 return avc_has_perm(current_sid(), task_sid(p
),
3939 SECCLASS_PROCESS
, PROCESS__SETRLIMIT
, NULL
);
3944 static int selinux_task_setscheduler(struct task_struct
*p
)
3946 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3947 PROCESS__SETSCHED
, NULL
);
3950 static int selinux_task_getscheduler(struct task_struct
*p
)
3952 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3953 PROCESS__GETSCHED
, NULL
);
3956 static int selinux_task_movememory(struct task_struct
*p
)
3958 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3959 PROCESS__SETSCHED
, NULL
);
3962 static int selinux_task_kill(struct task_struct
*p
, struct siginfo
*info
,
3968 perm
= PROCESS__SIGNULL
; /* null signal; existence test */
3970 perm
= signal_to_av(sig
);
3972 secid
= current_sid();
3973 return avc_has_perm(secid
, task_sid(p
), SECCLASS_PROCESS
, perm
, NULL
);
3976 static void selinux_task_to_inode(struct task_struct
*p
,
3977 struct inode
*inode
)
3979 struct inode_security_struct
*isec
= selinux_inode(inode
);
3980 u32 sid
= task_sid(p
);
3982 spin_lock(&isec
->lock
);
3983 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3985 isec
->initialized
= LABEL_INITIALIZED
;
3986 spin_unlock(&isec
->lock
);
3989 /* Returns error only if unable to parse addresses */
3990 static int selinux_parse_skb_ipv4(struct sk_buff
*skb
,
3991 struct common_audit_data
*ad
, u8
*proto
)
3993 int offset
, ihlen
, ret
= -EINVAL
;
3994 struct iphdr _iph
, *ih
;
3996 offset
= skb_network_offset(skb
);
3997 ih
= skb_header_pointer(skb
, offset
, sizeof(_iph
), &_iph
);
4001 ihlen
= ih
->ihl
* 4;
4002 if (ihlen
< sizeof(_iph
))
4005 ad
->u
.net
->v4info
.saddr
= ih
->saddr
;
4006 ad
->u
.net
->v4info
.daddr
= ih
->daddr
;
4010 *proto
= ih
->protocol
;
4012 switch (ih
->protocol
) {
4014 struct tcphdr _tcph
, *th
;
4016 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4020 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
4024 ad
->u
.net
->sport
= th
->source
;
4025 ad
->u
.net
->dport
= th
->dest
;
4030 struct udphdr _udph
, *uh
;
4032 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4036 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
4040 ad
->u
.net
->sport
= uh
->source
;
4041 ad
->u
.net
->dport
= uh
->dest
;
4045 case IPPROTO_DCCP
: {
4046 struct dccp_hdr _dccph
, *dh
;
4048 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4052 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
4056 ad
->u
.net
->sport
= dh
->dccph_sport
;
4057 ad
->u
.net
->dport
= dh
->dccph_dport
;
4068 #if IS_ENABLED(CONFIG_IPV6)
4070 /* Returns error only if unable to parse addresses */
4071 static int selinux_parse_skb_ipv6(struct sk_buff
*skb
,
4072 struct common_audit_data
*ad
, u8
*proto
)
4075 int ret
= -EINVAL
, offset
;
4076 struct ipv6hdr _ipv6h
, *ip6
;
4079 offset
= skb_network_offset(skb
);
4080 ip6
= skb_header_pointer(skb
, offset
, sizeof(_ipv6h
), &_ipv6h
);
4084 ad
->u
.net
->v6info
.saddr
= ip6
->saddr
;
4085 ad
->u
.net
->v6info
.daddr
= ip6
->daddr
;
4088 nexthdr
= ip6
->nexthdr
;
4089 offset
+= sizeof(_ipv6h
);
4090 offset
= ipv6_skip_exthdr(skb
, offset
, &nexthdr
, &frag_off
);
4099 struct tcphdr _tcph
, *th
;
4101 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
4105 ad
->u
.net
->sport
= th
->source
;
4106 ad
->u
.net
->dport
= th
->dest
;
4111 struct udphdr _udph
, *uh
;
4113 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
4117 ad
->u
.net
->sport
= uh
->source
;
4118 ad
->u
.net
->dport
= uh
->dest
;
4122 case IPPROTO_DCCP
: {
4123 struct dccp_hdr _dccph
, *dh
;
4125 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
4129 ad
->u
.net
->sport
= dh
->dccph_sport
;
4130 ad
->u
.net
->dport
= dh
->dccph_dport
;
4134 /* includes fragments */
4144 static int selinux_parse_skb(struct sk_buff
*skb
, struct common_audit_data
*ad
,
4145 char **_addrp
, int src
, u8
*proto
)
4150 switch (ad
->u
.net
->family
) {
4152 ret
= selinux_parse_skb_ipv4(skb
, ad
, proto
);
4155 addrp
= (char *)(src
? &ad
->u
.net
->v4info
.saddr
:
4156 &ad
->u
.net
->v4info
.daddr
);
4159 #if IS_ENABLED(CONFIG_IPV6)
4161 ret
= selinux_parse_skb_ipv6(skb
, ad
, proto
);
4164 addrp
= (char *)(src
? &ad
->u
.net
->v6info
.saddr
:
4165 &ad
->u
.net
->v6info
.daddr
);
4175 "SELinux: failure in selinux_parse_skb(),"
4176 " unable to parse packet\n");
4186 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4188 * @family: protocol family
4189 * @sid: the packet's peer label SID
4192 * Check the various different forms of network peer labeling and determine
4193 * the peer label/SID for the packet; most of the magic actually occurs in
4194 * the security server function security_net_peersid_cmp(). The function
4195 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4196 * or -EACCES if @sid is invalid due to inconsistencies with the different
4200 static int selinux_skb_peerlbl_sid(struct sk_buff
*skb
, u16 family
, u32
*sid
)
4207 err
= selinux_xfrm_skb_sid(skb
, &xfrm_sid
);
4210 err
= selinux_netlbl_skbuff_getsid(skb
, family
, &nlbl_type
, &nlbl_sid
);
4214 err
= security_net_peersid_resolve(nlbl_sid
, nlbl_type
, xfrm_sid
, sid
);
4215 if (unlikely(err
)) {
4217 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4218 " unable to determine packet's peer label\n");
4226 * selinux_conn_sid - Determine the child socket label for a connection
4227 * @sk_sid: the parent socket's SID
4228 * @skb_sid: the packet's SID
4229 * @conn_sid: the resulting connection SID
4231 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4232 * combined with the MLS information from @skb_sid in order to create
4233 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4234 * of @sk_sid. Returns zero on success, negative values on failure.
4237 static int selinux_conn_sid(u32 sk_sid
, u32 skb_sid
, u32
*conn_sid
)
4241 if (skb_sid
!= SECSID_NULL
)
4242 err
= security_sid_mls_copy(sk_sid
, skb_sid
, conn_sid
);
4249 /* socket security operations */
4251 static int socket_sockcreate_sid(const struct task_security_struct
*tsec
,
4252 u16 secclass
, u32
*socksid
)
4254 if (tsec
->sockcreate_sid
> SECSID_NULL
) {
4255 *socksid
= tsec
->sockcreate_sid
;
4259 return security_transition_sid(tsec
->sid
, tsec
->sid
, secclass
, NULL
,
4263 static int sock_has_perm(struct sock
*sk
, u32 perms
)
4265 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4266 struct common_audit_data ad
;
4267 struct lsm_network_audit net
= {0,};
4269 if (sksec
->sid
== SECINITSID_KERNEL
)
4272 ad
.type
= LSM_AUDIT_DATA_NET
;
4276 return avc_has_perm(current_sid(), sksec
->sid
, sksec
->sclass
, perms
,
4280 static int selinux_socket_create(int family
, int type
,
4281 int protocol
, int kern
)
4283 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
4291 secclass
= socket_type_to_security_class(family
, type
, protocol
);
4292 rc
= socket_sockcreate_sid(tsec
, secclass
, &newsid
);
4296 return avc_has_perm(tsec
->sid
, newsid
, secclass
, SOCKET__CREATE
, NULL
);
4299 static int selinux_socket_post_create(struct socket
*sock
, int family
,
4300 int type
, int protocol
, int kern
)
4302 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
4303 struct inode_security_struct
*isec
= inode_security_novalidate(SOCK_INODE(sock
));
4304 struct sk_security_struct
*sksec
;
4305 u16 sclass
= socket_type_to_security_class(family
, type
, protocol
);
4306 u32 sid
= SECINITSID_KERNEL
;
4310 err
= socket_sockcreate_sid(tsec
, sclass
, &sid
);
4315 isec
->sclass
= sclass
;
4317 isec
->initialized
= LABEL_INITIALIZED
;
4320 sksec
= selinux_sock(sock
->sk
);
4321 sksec
->sclass
= sclass
;
4323 err
= selinux_netlbl_socket_post_create(sock
->sk
, family
);
4329 /* Range of port numbers used to automatically bind.
4330 Need to determine whether we should perform a name_bind
4331 permission check between the socket and the port number. */
4333 static int selinux_socket_bind(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
4335 struct sock
*sk
= sock
->sk
;
4339 err
= sock_has_perm(sk
, SOCKET__BIND
);
4344 * If PF_INET or PF_INET6, check name_bind permission for the port.
4345 * Multiple address binding for SCTP is not supported yet: we just
4346 * check the first address now.
4348 family
= sk
->sk_family
;
4349 if (family
== PF_INET
|| family
== PF_INET6
) {
4351 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4352 struct common_audit_data ad
;
4353 struct lsm_network_audit net
= {0,};
4354 struct sockaddr_in
*addr4
= NULL
;
4355 struct sockaddr_in6
*addr6
= NULL
;
4356 unsigned short snum
;
4359 if (family
== PF_INET
) {
4360 if (addrlen
< sizeof(struct sockaddr_in
)) {
4364 addr4
= (struct sockaddr_in
*)address
;
4365 snum
= ntohs(addr4
->sin_port
);
4366 addrp
= (char *)&addr4
->sin_addr
.s_addr
;
4368 if (addrlen
< SIN6_LEN_RFC2133
) {
4372 addr6
= (struct sockaddr_in6
*)address
;
4373 snum
= ntohs(addr6
->sin6_port
);
4374 addrp
= (char *)&addr6
->sin6_addr
.s6_addr
;
4380 inet_get_local_port_range(sock_net(sk
), &low
, &high
);
4382 if (snum
< max(inet_prot_sock(sock_net(sk
)), low
) ||
4384 err
= sel_netport_sid(sk
->sk_protocol
,
4388 ad
.type
= LSM_AUDIT_DATA_NET
;
4390 ad
.u
.net
->sport
= htons(snum
);
4391 ad
.u
.net
->family
= family
;
4392 err
= avc_has_perm(sksec
->sid
, sid
,
4394 SOCKET__NAME_BIND
, &ad
);
4400 switch (sksec
->sclass
) {
4401 case SECCLASS_TCP_SOCKET
:
4402 node_perm
= TCP_SOCKET__NODE_BIND
;
4405 case SECCLASS_UDP_SOCKET
:
4406 node_perm
= UDP_SOCKET__NODE_BIND
;
4409 case SECCLASS_DCCP_SOCKET
:
4410 node_perm
= DCCP_SOCKET__NODE_BIND
;
4414 node_perm
= RAWIP_SOCKET__NODE_BIND
;
4418 err
= sel_netnode_sid(addrp
, family
, &sid
);
4422 ad
.type
= LSM_AUDIT_DATA_NET
;
4424 ad
.u
.net
->sport
= htons(snum
);
4425 ad
.u
.net
->family
= family
;
4427 if (family
== PF_INET
)
4428 ad
.u
.net
->v4info
.saddr
= addr4
->sin_addr
.s_addr
;
4430 ad
.u
.net
->v6info
.saddr
= addr6
->sin6_addr
;
4432 err
= avc_has_perm(sksec
->sid
, sid
,
4433 sksec
->sclass
, node_perm
, &ad
);
4441 static int selinux_socket_connect(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
4443 struct sock
*sk
= sock
->sk
;
4444 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4447 err
= sock_has_perm(sk
, SOCKET__CONNECT
);
4452 * If a TCP or DCCP socket, check name_connect permission for the port.
4454 if (sksec
->sclass
== SECCLASS_TCP_SOCKET
||
4455 sksec
->sclass
== SECCLASS_DCCP_SOCKET
) {
4456 struct common_audit_data ad
;
4457 struct lsm_network_audit net
= {0,};
4458 struct sockaddr_in
*addr4
= NULL
;
4459 struct sockaddr_in6
*addr6
= NULL
;
4460 unsigned short snum
;
4463 if (sk
->sk_family
== PF_INET
) {
4464 addr4
= (struct sockaddr_in
*)address
;
4465 if (addrlen
< sizeof(struct sockaddr_in
))
4467 snum
= ntohs(addr4
->sin_port
);
4469 addr6
= (struct sockaddr_in6
*)address
;
4470 if (addrlen
< SIN6_LEN_RFC2133
)
4472 snum
= ntohs(addr6
->sin6_port
);
4475 err
= sel_netport_sid(sk
->sk_protocol
, snum
, &sid
);
4479 perm
= (sksec
->sclass
== SECCLASS_TCP_SOCKET
) ?
4480 TCP_SOCKET__NAME_CONNECT
: DCCP_SOCKET__NAME_CONNECT
;
4482 ad
.type
= LSM_AUDIT_DATA_NET
;
4484 ad
.u
.net
->dport
= htons(snum
);
4485 ad
.u
.net
->family
= sk
->sk_family
;
4486 err
= avc_has_perm(sksec
->sid
, sid
, sksec
->sclass
, perm
, &ad
);
4491 err
= selinux_netlbl_socket_connect(sk
, address
);
4497 static int selinux_socket_listen(struct socket
*sock
, int backlog
)
4499 return sock_has_perm(sock
->sk
, SOCKET__LISTEN
);
4502 static int selinux_socket_accept(struct socket
*sock
, struct socket
*newsock
)
4505 struct inode_security_struct
*isec
;
4506 struct inode_security_struct
*newisec
;
4510 err
= sock_has_perm(sock
->sk
, SOCKET__ACCEPT
);
4514 isec
= inode_security_novalidate(SOCK_INODE(sock
));
4515 spin_lock(&isec
->lock
);
4516 sclass
= isec
->sclass
;
4518 spin_unlock(&isec
->lock
);
4520 newisec
= inode_security_novalidate(SOCK_INODE(newsock
));
4521 newisec
->sclass
= sclass
;
4523 newisec
->initialized
= LABEL_INITIALIZED
;
4528 static int selinux_socket_sendmsg(struct socket
*sock
, struct msghdr
*msg
,
4531 return sock_has_perm(sock
->sk
, SOCKET__WRITE
);
4534 static int selinux_socket_recvmsg(struct socket
*sock
, struct msghdr
*msg
,
4535 int size
, int flags
)
4537 return sock_has_perm(sock
->sk
, SOCKET__READ
);
4540 static int selinux_socket_getsockname(struct socket
*sock
)
4542 return sock_has_perm(sock
->sk
, SOCKET__GETATTR
);
4545 static int selinux_socket_getpeername(struct socket
*sock
)
4547 return sock_has_perm(sock
->sk
, SOCKET__GETATTR
);
4550 static int selinux_socket_setsockopt(struct socket
*sock
, int level
, int optname
)
4554 err
= sock_has_perm(sock
->sk
, SOCKET__SETOPT
);
4558 return selinux_netlbl_socket_setsockopt(sock
, level
, optname
);
4561 static int selinux_socket_getsockopt(struct socket
*sock
, int level
,
4564 return sock_has_perm(sock
->sk
, SOCKET__GETOPT
);
4567 static int selinux_socket_shutdown(struct socket
*sock
, int how
)
4569 return sock_has_perm(sock
->sk
, SOCKET__SHUTDOWN
);
4572 static int selinux_socket_unix_stream_connect(struct sock
*sock
,
4576 struct sk_security_struct
*sksec_sock
= selinux_sock(sock
);
4577 struct sk_security_struct
*sksec_other
= selinux_sock(other
);
4578 struct sk_security_struct
*sksec_new
= selinux_sock(newsk
);
4579 struct common_audit_data ad
;
4580 struct lsm_network_audit net
= {0,};
4583 ad
.type
= LSM_AUDIT_DATA_NET
;
4585 ad
.u
.net
->sk
= other
;
4587 err
= avc_has_perm(sksec_sock
->sid
, sksec_other
->sid
,
4588 sksec_other
->sclass
,
4589 UNIX_STREAM_SOCKET__CONNECTTO
, &ad
);
4593 /* server child socket */
4594 sksec_new
->peer_sid
= sksec_sock
->sid
;
4595 err
= security_sid_mls_copy(sksec_other
->sid
, sksec_sock
->sid
,
4600 /* connecting socket */
4601 sksec_sock
->peer_sid
= sksec_new
->sid
;
4606 static int selinux_socket_unix_may_send(struct socket
*sock
,
4607 struct socket
*other
)
4609 struct sk_security_struct
*ssec
= selinux_sock(sock
->sk
);
4610 struct sk_security_struct
*osec
= selinux_sock(other
->sk
);
4611 struct common_audit_data ad
;
4612 struct lsm_network_audit net
= {0,};
4614 ad
.type
= LSM_AUDIT_DATA_NET
;
4616 ad
.u
.net
->sk
= other
->sk
;
4618 return avc_has_perm(ssec
->sid
, osec
->sid
, osec
->sclass
, SOCKET__SENDTO
,
4622 static int selinux_inet_sys_rcv_skb(struct net
*ns
, int ifindex
,
4623 char *addrp
, u16 family
, u32 peer_sid
,
4624 struct common_audit_data
*ad
)
4630 err
= sel_netif_sid(ns
, ifindex
, &if_sid
);
4633 err
= avc_has_perm(peer_sid
, if_sid
,
4634 SECCLASS_NETIF
, NETIF__INGRESS
, ad
);
4638 err
= sel_netnode_sid(addrp
, family
, &node_sid
);
4641 return avc_has_perm(peer_sid
, node_sid
,
4642 SECCLASS_NODE
, NODE__RECVFROM
, ad
);
4645 static int selinux_sock_rcv_skb_compat(struct sock
*sk
, struct sk_buff
*skb
,
4649 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4650 u32 sk_sid
= sksec
->sid
;
4651 struct common_audit_data ad
;
4652 struct lsm_network_audit net
= {0,};
4655 ad
.type
= LSM_AUDIT_DATA_NET
;
4657 ad
.u
.net
->netif
= skb
->skb_iif
;
4658 ad
.u
.net
->family
= family
;
4659 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4663 if (selinux_secmark_enabled()) {
4664 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4670 err
= selinux_netlbl_sock_rcv_skb(sksec
, skb
, family
, &ad
);
4673 err
= selinux_xfrm_sock_rcv_skb(sksec
->sid
, skb
, &ad
);
4678 static int selinux_socket_sock_rcv_skb(struct sock
*sk
, struct sk_buff
*skb
)
4681 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4682 u16 family
= sk
->sk_family
;
4683 u32 sk_sid
= sksec
->sid
;
4684 struct common_audit_data ad
;
4685 struct lsm_network_audit net
= {0,};
4690 if (family
!= PF_INET
&& family
!= PF_INET6
)
4693 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4694 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4697 /* If any sort of compatibility mode is enabled then handoff processing
4698 * to the selinux_sock_rcv_skb_compat() function to deal with the
4699 * special handling. We do this in an attempt to keep this function
4700 * as fast and as clean as possible. */
4701 if (!selinux_policycap_netpeer
)
4702 return selinux_sock_rcv_skb_compat(sk
, skb
, family
);
4704 secmark_active
= selinux_secmark_enabled();
4705 peerlbl_active
= selinux_peerlbl_enabled();
4706 if (!secmark_active
&& !peerlbl_active
)
4709 ad
.type
= LSM_AUDIT_DATA_NET
;
4711 ad
.u
.net
->netif
= skb
->skb_iif
;
4712 ad
.u
.net
->family
= family
;
4713 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4717 if (peerlbl_active
) {
4720 err
= selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
);
4723 err
= selinux_inet_sys_rcv_skb(sock_net(sk
), skb
->skb_iif
,
4724 addrp
, family
, peer_sid
, &ad
);
4726 selinux_netlbl_err(skb
, family
, err
, 0);
4729 err
= avc_has_perm(sk_sid
, peer_sid
, SECCLASS_PEER
,
4732 selinux_netlbl_err(skb
, family
, err
, 0);
4737 if (secmark_active
) {
4738 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4747 static int selinux_socket_getpeersec_stream(struct socket
*sock
,
4748 __user
char *optval
,
4755 struct sk_security_struct
*sksec
= selinux_sock(sock
->sk
);
4756 u32 peer_sid
= SECSID_NULL
;
4758 if (sksec
->sclass
== SECCLASS_UNIX_STREAM_SOCKET
||
4759 sksec
->sclass
== SECCLASS_TCP_SOCKET
)
4760 peer_sid
= sksec
->peer_sid
;
4761 if (peer_sid
== SECSID_NULL
)
4762 return -ENOPROTOOPT
;
4764 err
= security_sid_to_context(peer_sid
, &scontext
, &scontext_len
);
4768 if (scontext_len
> len
) {
4773 if (copy_to_user(optval
, scontext
, scontext_len
))
4777 if (put_user(scontext_len
, optlen
))
4783 static int selinux_socket_getpeersec_dgram(struct socket
*sock
, struct sk_buff
*skb
, u32
*secid
)
4785 u32 peer_secid
= SECSID_NULL
;
4787 struct inode_security_struct
*isec
;
4789 if (skb
&& skb
->protocol
== htons(ETH_P_IP
))
4791 else if (skb
&& skb
->protocol
== htons(ETH_P_IPV6
))
4794 family
= sock
->sk
->sk_family
;
4798 if (sock
&& family
== PF_UNIX
) {
4799 isec
= inode_security_novalidate(SOCK_INODE(sock
));
4800 peer_secid
= isec
->sid
;
4802 selinux_skb_peerlbl_sid(skb
, family
, &peer_secid
);
4805 *secid
= peer_secid
;
4806 if (peer_secid
== SECSID_NULL
)
4811 static int selinux_sk_alloc_security(struct sock
*sk
, int family
, gfp_t priority
)
4813 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4815 sksec
->peer_sid
= SECINITSID_UNLABELED
;
4816 sksec
->sid
= SECINITSID_UNLABELED
;
4817 sksec
->sclass
= SECCLASS_SOCKET
;
4818 selinux_netlbl_sk_security_reset(sksec
);
4823 static void selinux_sk_free_security(struct sock
*sk
)
4825 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4827 selinux_netlbl_sk_security_free(sksec
);
4830 static void selinux_sk_clone_security(const struct sock
*sk
, struct sock
*newsk
)
4832 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4833 struct sk_security_struct
*newsksec
= selinux_sock(newsk
);
4835 newsksec
->sid
= sksec
->sid
;
4836 newsksec
->peer_sid
= sksec
->peer_sid
;
4837 newsksec
->sclass
= sksec
->sclass
;
4839 selinux_netlbl_sk_security_reset(newsksec
);
4842 static void selinux_sk_getsecid(struct sock
*sk
, u32
*secid
)
4845 *secid
= SECINITSID_ANY_SOCKET
;
4847 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4849 *secid
= sksec
->sid
;
4853 static void selinux_sock_graft(struct sock
*sk
, struct socket
*parent
)
4855 struct inode_security_struct
*isec
=
4856 inode_security_novalidate(SOCK_INODE(parent
));
4857 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4859 if (sk
->sk_family
== PF_INET
|| sk
->sk_family
== PF_INET6
||
4860 sk
->sk_family
== PF_UNIX
)
4861 isec
->sid
= sksec
->sid
;
4862 sksec
->sclass
= isec
->sclass
;
4865 static int selinux_inet_conn_request(struct sock
*sk
, struct sk_buff
*skb
,
4866 struct request_sock
*req
)
4868 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4870 u16 family
= req
->rsk_ops
->family
;
4874 err
= selinux_skb_peerlbl_sid(skb
, family
, &peersid
);
4877 err
= selinux_conn_sid(sksec
->sid
, peersid
, &connsid
);
4880 req
->secid
= connsid
;
4881 req
->peer_secid
= peersid
;
4883 return selinux_netlbl_inet_conn_request(req
, family
);
4886 static void selinux_inet_csk_clone(struct sock
*newsk
,
4887 const struct request_sock
*req
)
4889 struct sk_security_struct
*newsksec
= selinux_sock(newsk
);
4891 newsksec
->sid
= req
->secid
;
4892 newsksec
->peer_sid
= req
->peer_secid
;
4893 /* NOTE: Ideally, we should also get the isec->sid for the
4894 new socket in sync, but we don't have the isec available yet.
4895 So we will wait until sock_graft to do it, by which
4896 time it will have been created and available. */
4898 /* We don't need to take any sort of lock here as we are the only
4899 * thread with access to newsksec */
4900 selinux_netlbl_inet_csk_clone(newsk
, req
->rsk_ops
->family
);
4903 static void selinux_inet_conn_established(struct sock
*sk
, struct sk_buff
*skb
)
4905 u16 family
= sk
->sk_family
;
4906 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4908 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4909 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4912 selinux_skb_peerlbl_sid(skb
, family
, &sksec
->peer_sid
);
4915 static int selinux_secmark_relabel_packet(u32 sid
)
4917 const struct task_security_struct
*__tsec
;
4920 __tsec
= selinux_cred(current_cred());
4923 return avc_has_perm(tsid
, sid
, SECCLASS_PACKET
, PACKET__RELABELTO
, NULL
);
4926 static void selinux_secmark_refcount_inc(void)
4928 atomic_inc(&selinux_secmark_refcount
);
4931 static void selinux_secmark_refcount_dec(void)
4933 atomic_dec(&selinux_secmark_refcount
);
4936 static void selinux_req_classify_flow(const struct request_sock
*req
,
4939 fl
->flowi_secid
= req
->secid
;
4942 static int selinux_tun_dev_alloc_security(void **security
)
4944 struct tun_security_struct
*tunsec
;
4946 tunsec
= kzalloc(sizeof(*tunsec
), GFP_KERNEL
);
4949 tunsec
->sid
= current_sid();
4955 static void selinux_tun_dev_free_security(void *security
)
4960 static int selinux_tun_dev_create(void)
4962 u32 sid
= current_sid();
4964 /* we aren't taking into account the "sockcreate" SID since the socket
4965 * that is being created here is not a socket in the traditional sense,
4966 * instead it is a private sock, accessible only to the kernel, and
4967 * representing a wide range of network traffic spanning multiple
4968 * connections unlike traditional sockets - check the TUN driver to
4969 * get a better understanding of why this socket is special */
4971 return avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
, TUN_SOCKET__CREATE
,
4975 static int selinux_tun_dev_attach_queue(void *security
)
4977 struct tun_security_struct
*tunsec
= security
;
4979 return avc_has_perm(current_sid(), tunsec
->sid
, SECCLASS_TUN_SOCKET
,
4980 TUN_SOCKET__ATTACH_QUEUE
, NULL
);
4983 static int selinux_tun_dev_attach(struct sock
*sk
, void *security
)
4985 struct tun_security_struct
*tunsec
= security
;
4986 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4988 /* we don't currently perform any NetLabel based labeling here and it
4989 * isn't clear that we would want to do so anyway; while we could apply
4990 * labeling without the support of the TUN user the resulting labeled
4991 * traffic from the other end of the connection would almost certainly
4992 * cause confusion to the TUN user that had no idea network labeling
4993 * protocols were being used */
4995 sksec
->sid
= tunsec
->sid
;
4996 sksec
->sclass
= SECCLASS_TUN_SOCKET
;
5001 static int selinux_tun_dev_open(void *security
)
5003 struct tun_security_struct
*tunsec
= security
;
5004 u32 sid
= current_sid();
5007 err
= avc_has_perm(sid
, tunsec
->sid
, SECCLASS_TUN_SOCKET
,
5008 TUN_SOCKET__RELABELFROM
, NULL
);
5011 err
= avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
,
5012 TUN_SOCKET__RELABELTO
, NULL
);
5020 static int selinux_nlmsg_perm(struct sock
*sk
, struct sk_buff
*skb
)
5024 struct nlmsghdr
*nlh
;
5025 struct sk_security_struct
*sksec
= selinux_sock(sk
);
5027 if (skb
->len
< NLMSG_HDRLEN
) {
5031 nlh
= nlmsg_hdr(skb
);
5033 err
= selinux_nlmsg_lookup(sksec
->sclass
, nlh
->nlmsg_type
, &perm
);
5035 if (err
== -EINVAL
) {
5036 pr_warn_ratelimited("SELinux: unrecognized netlink"
5037 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5038 " pig=%d comm=%s\n",
5039 sk
->sk_protocol
, nlh
->nlmsg_type
,
5040 secclass_map
[sksec
->sclass
- 1].name
,
5041 task_pid_nr(current
), current
->comm
);
5042 if (!selinux_enforcing
|| security_get_allow_unknown())
5052 err
= sock_has_perm(sk
, perm
);
5057 #ifdef CONFIG_NETFILTER
5059 static unsigned int selinux_ip_forward(struct sk_buff
*skb
,
5060 const struct net_device
*indev
,
5066 struct common_audit_data ad
;
5067 struct lsm_network_audit net
= {0,};
5072 if (!selinux_policycap_netpeer
)
5075 secmark_active
= selinux_secmark_enabled();
5076 netlbl_active
= netlbl_enabled();
5077 peerlbl_active
= selinux_peerlbl_enabled();
5078 if (!secmark_active
&& !peerlbl_active
)
5081 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
) != 0)
5084 ad
.type
= LSM_AUDIT_DATA_NET
;
5086 ad
.u
.net
->netif
= indev
->ifindex
;
5087 ad
.u
.net
->family
= family
;
5088 if (selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
) != 0)
5091 if (peerlbl_active
) {
5092 err
= selinux_inet_sys_rcv_skb(dev_net(indev
), indev
->ifindex
,
5093 addrp
, family
, peer_sid
, &ad
);
5095 selinux_netlbl_err(skb
, family
, err
, 1);
5101 if (avc_has_perm(peer_sid
, skb
->secmark
,
5102 SECCLASS_PACKET
, PACKET__FORWARD_IN
, &ad
))
5106 /* we do this in the FORWARD path and not the POST_ROUTING
5107 * path because we want to make sure we apply the necessary
5108 * labeling before IPsec is applied so we can leverage AH
5110 if (selinux_netlbl_skbuff_setsid(skb
, family
, peer_sid
) != 0)
5116 static unsigned int selinux_ipv4_forward(void *priv
,
5117 struct sk_buff
*skb
,
5118 const struct nf_hook_state
*state
)
5120 return selinux_ip_forward(skb
, state
->in
, PF_INET
);
5123 #if IS_ENABLED(CONFIG_IPV6)
5124 static unsigned int selinux_ipv6_forward(void *priv
,
5125 struct sk_buff
*skb
,
5126 const struct nf_hook_state
*state
)
5128 return selinux_ip_forward(skb
, state
->in
, PF_INET6
);
5132 static unsigned int selinux_ip_output(struct sk_buff
*skb
,
5138 if (!netlbl_enabled())
5141 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5142 * because we want to make sure we apply the necessary labeling
5143 * before IPsec is applied so we can leverage AH protection */
5146 struct sk_security_struct
*sksec
;
5148 if (sk_listener(sk
))
5149 /* if the socket is the listening state then this
5150 * packet is a SYN-ACK packet which means it needs to
5151 * be labeled based on the connection/request_sock and
5152 * not the parent socket. unfortunately, we can't
5153 * lookup the request_sock yet as it isn't queued on
5154 * the parent socket until after the SYN-ACK is sent.
5155 * the "solution" is to simply pass the packet as-is
5156 * as any IP option based labeling should be copied
5157 * from the initial connection request (in the IP
5158 * layer). it is far from ideal, but until we get a
5159 * security label in the packet itself this is the
5160 * best we can do. */
5163 /* standard practice, label using the parent socket */
5164 sksec
= selinux_sock(sk
);
5167 sid
= SECINITSID_KERNEL
;
5168 if (selinux_netlbl_skbuff_setsid(skb
, family
, sid
) != 0)
5174 static unsigned int selinux_ipv4_output(void *priv
,
5175 struct sk_buff
*skb
,
5176 const struct nf_hook_state
*state
)
5178 return selinux_ip_output(skb
, PF_INET
);
5181 #if IS_ENABLED(CONFIG_IPV6)
5182 static unsigned int selinux_ipv6_output(void *priv
,
5183 struct sk_buff
*skb
,
5184 const struct nf_hook_state
*state
)
5186 return selinux_ip_output(skb
, PF_INET6
);
5190 static unsigned int selinux_ip_postroute_compat(struct sk_buff
*skb
,
5194 struct sock
*sk
= skb_to_full_sk(skb
);
5195 struct sk_security_struct
*sksec
;
5196 struct common_audit_data ad
;
5197 struct lsm_network_audit net
= {0,};
5203 sksec
= selinux_sock(sk
);
5205 ad
.type
= LSM_AUDIT_DATA_NET
;
5207 ad
.u
.net
->netif
= ifindex
;
5208 ad
.u
.net
->family
= family
;
5209 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, &proto
))
5212 if (selinux_secmark_enabled())
5213 if (avc_has_perm(sksec
->sid
, skb
->secmark
,
5214 SECCLASS_PACKET
, PACKET__SEND
, &ad
))
5215 return NF_DROP_ERR(-ECONNREFUSED
);
5217 if (selinux_xfrm_postroute_last(sksec
->sid
, skb
, &ad
, proto
))
5218 return NF_DROP_ERR(-ECONNREFUSED
);
5223 static unsigned int selinux_ip_postroute(struct sk_buff
*skb
,
5224 const struct net_device
*outdev
,
5229 int ifindex
= outdev
->ifindex
;
5231 struct common_audit_data ad
;
5232 struct lsm_network_audit net
= {0,};
5237 /* If any sort of compatibility mode is enabled then handoff processing
5238 * to the selinux_ip_postroute_compat() function to deal with the
5239 * special handling. We do this in an attempt to keep this function
5240 * as fast and as clean as possible. */
5241 if (!selinux_policycap_netpeer
)
5242 return selinux_ip_postroute_compat(skb
, ifindex
, family
);
5244 secmark_active
= selinux_secmark_enabled();
5245 peerlbl_active
= selinux_peerlbl_enabled();
5246 if (!secmark_active
&& !peerlbl_active
)
5249 sk
= skb_to_full_sk(skb
);
5252 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5253 * packet transformation so allow the packet to pass without any checks
5254 * since we'll have another chance to perform access control checks
5255 * when the packet is on it's final way out.
5256 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5257 * is NULL, in this case go ahead and apply access control.
5258 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5259 * TCP listening state we cannot wait until the XFRM processing
5260 * is done as we will miss out on the SA label if we do;
5261 * unfortunately, this means more work, but it is only once per
5263 if (skb_dst(skb
) != NULL
&& skb_dst(skb
)->xfrm
!= NULL
&&
5264 !(sk
&& sk_listener(sk
)))
5269 /* Without an associated socket the packet is either coming
5270 * from the kernel or it is being forwarded; check the packet
5271 * to determine which and if the packet is being forwarded
5272 * query the packet directly to determine the security label. */
5274 secmark_perm
= PACKET__FORWARD_OUT
;
5275 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
))
5278 secmark_perm
= PACKET__SEND
;
5279 peer_sid
= SECINITSID_KERNEL
;
5281 } else if (sk_listener(sk
)) {
5282 /* Locally generated packet but the associated socket is in the
5283 * listening state which means this is a SYN-ACK packet. In
5284 * this particular case the correct security label is assigned
5285 * to the connection/request_sock but unfortunately we can't
5286 * query the request_sock as it isn't queued on the parent
5287 * socket until after the SYN-ACK packet is sent; the only
5288 * viable choice is to regenerate the label like we do in
5289 * selinux_inet_conn_request(). See also selinux_ip_output()
5290 * for similar problems. */
5292 struct sk_security_struct
*sksec
;
5294 sksec
= selinux_sock(sk
);
5295 if (selinux_skb_peerlbl_sid(skb
, family
, &skb_sid
))
5297 /* At this point, if the returned skb peerlbl is SECSID_NULL
5298 * and the packet has been through at least one XFRM
5299 * transformation then we must be dealing with the "final"
5300 * form of labeled IPsec packet; since we've already applied
5301 * all of our access controls on this packet we can safely
5302 * pass the packet. */
5303 if (skb_sid
== SECSID_NULL
) {
5306 if (IPCB(skb
)->flags
& IPSKB_XFRM_TRANSFORMED
)
5310 if (IP6CB(skb
)->flags
& IP6SKB_XFRM_TRANSFORMED
)
5314 return NF_DROP_ERR(-ECONNREFUSED
);
5317 if (selinux_conn_sid(sksec
->sid
, skb_sid
, &peer_sid
))
5319 secmark_perm
= PACKET__SEND
;
5321 /* Locally generated packet, fetch the security label from the
5322 * associated socket. */
5323 struct sk_security_struct
*sksec
= selinux_sock(sk
);
5324 peer_sid
= sksec
->sid
;
5325 secmark_perm
= PACKET__SEND
;
5328 ad
.type
= LSM_AUDIT_DATA_NET
;
5330 ad
.u
.net
->netif
= ifindex
;
5331 ad
.u
.net
->family
= family
;
5332 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, NULL
))
5336 if (avc_has_perm(peer_sid
, skb
->secmark
,
5337 SECCLASS_PACKET
, secmark_perm
, &ad
))
5338 return NF_DROP_ERR(-ECONNREFUSED
);
5340 if (peerlbl_active
) {
5344 if (sel_netif_sid(dev_net(outdev
), ifindex
, &if_sid
))
5346 if (avc_has_perm(peer_sid
, if_sid
,
5347 SECCLASS_NETIF
, NETIF__EGRESS
, &ad
))
5348 return NF_DROP_ERR(-ECONNREFUSED
);
5350 if (sel_netnode_sid(addrp
, family
, &node_sid
))
5352 if (avc_has_perm(peer_sid
, node_sid
,
5353 SECCLASS_NODE
, NODE__SENDTO
, &ad
))
5354 return NF_DROP_ERR(-ECONNREFUSED
);
5360 static unsigned int selinux_ipv4_postroute(void *priv
,
5361 struct sk_buff
*skb
,
5362 const struct nf_hook_state
*state
)
5364 return selinux_ip_postroute(skb
, state
->out
, PF_INET
);
5367 #if IS_ENABLED(CONFIG_IPV6)
5368 static unsigned int selinux_ipv6_postroute(void *priv
,
5369 struct sk_buff
*skb
,
5370 const struct nf_hook_state
*state
)
5372 return selinux_ip_postroute(skb
, state
->out
, PF_INET6
);
5376 #endif /* CONFIG_NETFILTER */
5378 static int selinux_netlink_send(struct sock
*sk
, struct sk_buff
*skb
)
5380 return selinux_nlmsg_perm(sk
, skb
);
5383 static void ipc_init_security(struct ipc_security_struct
*isec
, u16 sclass
)
5385 isec
->sclass
= sclass
;
5386 isec
->sid
= current_sid();
5389 static int msg_msg_alloc_security(struct msg_msg
*msg
)
5391 struct msg_security_struct
*msec
;
5393 msec
= selinux_msg_msg(msg
);
5394 msec
->sid
= SECINITSID_UNLABELED
;
5399 static int ipc_has_perm(struct kern_ipc_perm
*ipc_perms
,
5402 struct ipc_security_struct
*isec
;
5403 struct common_audit_data ad
;
5404 u32 sid
= current_sid();
5406 isec
= selinux_ipc(ipc_perms
);
5408 ad
.type
= LSM_AUDIT_DATA_IPC
;
5409 ad
.u
.ipc_id
= ipc_perms
->key
;
5411 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, &ad
);
5414 static int selinux_msg_msg_alloc_security(struct msg_msg
*msg
)
5416 return msg_msg_alloc_security(msg
);
5419 /* message queue security operations */
5420 static int selinux_msg_queue_alloc_security(struct msg_queue
*msq
)
5422 struct ipc_security_struct
*isec
;
5423 struct common_audit_data ad
;
5424 u32 sid
= current_sid();
5427 isec
= selinux_ipc(&msq
->q_perm
);
5428 ipc_init_security(isec
, SECCLASS_MSGQ
);
5430 ad
.type
= LSM_AUDIT_DATA_IPC
;
5431 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5433 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5438 static int selinux_msg_queue_associate(struct msg_queue
*msq
, int msqflg
)
5440 struct ipc_security_struct
*isec
;
5441 struct common_audit_data ad
;
5442 u32 sid
= current_sid();
5444 isec
= selinux_ipc(&msq
->q_perm
);
5446 ad
.type
= LSM_AUDIT_DATA_IPC
;
5447 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5449 return avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5450 MSGQ__ASSOCIATE
, &ad
);
5453 static int selinux_msg_queue_msgctl(struct msg_queue
*msq
, int cmd
)
5461 /* No specific object, just general system-wide information. */
5462 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5463 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5466 perms
= MSGQ__GETATTR
| MSGQ__ASSOCIATE
;
5469 perms
= MSGQ__SETATTR
;
5472 perms
= MSGQ__DESTROY
;
5478 err
= ipc_has_perm(&msq
->q_perm
, perms
);
5482 static int selinux_msg_queue_msgsnd(struct msg_queue
*msq
, struct msg_msg
*msg
, int msqflg
)
5484 struct ipc_security_struct
*isec
;
5485 struct msg_security_struct
*msec
;
5486 struct common_audit_data ad
;
5487 u32 sid
= current_sid();
5490 isec
= selinux_ipc(&msq
->q_perm
);
5491 msec
= selinux_msg_msg(msg
);
5494 * First time through, need to assign label to the message
5496 if (msec
->sid
== SECINITSID_UNLABELED
) {
5498 * Compute new sid based on current process and
5499 * message queue this message will be stored in
5501 rc
= security_transition_sid(sid
, isec
->sid
, SECCLASS_MSG
,
5507 ad
.type
= LSM_AUDIT_DATA_IPC
;
5508 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5510 /* Can this process write to the queue? */
5511 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5514 /* Can this process send the message */
5515 rc
= avc_has_perm(sid
, msec
->sid
, SECCLASS_MSG
,
5518 /* Can the message be put in the queue? */
5519 rc
= avc_has_perm(msec
->sid
, isec
->sid
, SECCLASS_MSGQ
,
5520 MSGQ__ENQUEUE
, &ad
);
5525 static int selinux_msg_queue_msgrcv(struct msg_queue
*msq
, struct msg_msg
*msg
,
5526 struct task_struct
*target
,
5527 long type
, int mode
)
5529 struct ipc_security_struct
*isec
;
5530 struct msg_security_struct
*msec
;
5531 struct common_audit_data ad
;
5532 u32 sid
= task_sid(target
);
5535 isec
= selinux_ipc(&msq
->q_perm
);
5536 msec
= selinux_msg_msg(msg
);
5538 ad
.type
= LSM_AUDIT_DATA_IPC
;
5539 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5541 rc
= avc_has_perm(sid
, isec
->sid
,
5542 SECCLASS_MSGQ
, MSGQ__READ
, &ad
);
5544 rc
= avc_has_perm(sid
, msec
->sid
,
5545 SECCLASS_MSG
, MSG__RECEIVE
, &ad
);
5549 /* Shared Memory security operations */
5550 static int selinux_shm_alloc_security(struct shmid_kernel
*shp
)
5552 struct ipc_security_struct
*isec
;
5553 struct common_audit_data ad
;
5554 u32 sid
= current_sid();
5557 isec
= selinux_ipc(&shp
->shm_perm
);
5558 ipc_init_security(isec
, SECCLASS_SHM
);
5560 ad
.type
= LSM_AUDIT_DATA_IPC
;
5561 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
5563 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
5568 static int selinux_shm_associate(struct shmid_kernel
*shp
, int shmflg
)
5570 struct ipc_security_struct
*isec
;
5571 struct common_audit_data ad
;
5572 u32 sid
= current_sid();
5574 isec
= selinux_ipc(&shp
->shm_perm
);
5576 ad
.type
= LSM_AUDIT_DATA_IPC
;
5577 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
5579 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
5580 SHM__ASSOCIATE
, &ad
);
5583 /* Note, at this point, shp is locked down */
5584 static int selinux_shm_shmctl(struct shmid_kernel
*shp
, int cmd
)
5592 /* No specific object, just general system-wide information. */
5593 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5594 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5597 perms
= SHM__GETATTR
| SHM__ASSOCIATE
;
5600 perms
= SHM__SETATTR
;
5607 perms
= SHM__DESTROY
;
5613 err
= ipc_has_perm(&shp
->shm_perm
, perms
);
5617 static int selinux_shm_shmat(struct shmid_kernel
*shp
,
5618 char __user
*shmaddr
, int shmflg
)
5622 if (shmflg
& SHM_RDONLY
)
5625 perms
= SHM__READ
| SHM__WRITE
;
5627 return ipc_has_perm(&shp
->shm_perm
, perms
);
5630 /* Semaphore security operations */
5631 static int selinux_sem_alloc_security(struct sem_array
*sma
)
5633 struct ipc_security_struct
*isec
;
5634 struct common_audit_data ad
;
5635 u32 sid
= current_sid();
5638 isec
= selinux_ipc(&sma
->sem_perm
);
5639 ipc_init_security(isec
, SECCLASS_SEM
);
5641 ad
.type
= LSM_AUDIT_DATA_IPC
;
5642 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5644 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5649 static int selinux_sem_associate(struct sem_array
*sma
, int semflg
)
5651 struct ipc_security_struct
*isec
;
5652 struct common_audit_data ad
;
5653 u32 sid
= current_sid();
5655 isec
= selinux_ipc(&sma
->sem_perm
);
5657 ad
.type
= LSM_AUDIT_DATA_IPC
;
5658 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5660 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5661 SEM__ASSOCIATE
, &ad
);
5664 /* Note, at this point, sma is locked down */
5665 static int selinux_sem_semctl(struct sem_array
*sma
, int cmd
)
5673 /* No specific object, just general system-wide information. */
5674 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5675 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5679 perms
= SEM__GETATTR
;
5690 perms
= SEM__DESTROY
;
5693 perms
= SEM__SETATTR
;
5697 perms
= SEM__GETATTR
| SEM__ASSOCIATE
;
5703 err
= ipc_has_perm(&sma
->sem_perm
, perms
);
5707 static int selinux_sem_semop(struct sem_array
*sma
,
5708 struct sembuf
*sops
, unsigned nsops
, int alter
)
5713 perms
= SEM__READ
| SEM__WRITE
;
5717 return ipc_has_perm(&sma
->sem_perm
, perms
);
5720 static int selinux_ipc_permission(struct kern_ipc_perm
*ipcp
, short flag
)
5726 av
|= IPC__UNIX_READ
;
5728 av
|= IPC__UNIX_WRITE
;
5733 return ipc_has_perm(ipcp
, av
);
5736 static void selinux_ipc_getsecid(struct kern_ipc_perm
*ipcp
, u32
*secid
)
5738 struct ipc_security_struct
*isec
= selinux_ipc(ipcp
);
5742 static void selinux_d_instantiate(struct dentry
*dentry
, struct inode
*inode
)
5745 inode_doinit_with_dentry(inode
, dentry
);
5748 static int selinux_getprocattr(struct task_struct
*p
,
5749 char *name
, char **value
)
5751 const struct task_security_struct
*__tsec
;
5757 __tsec
= selinux_cred(__task_cred(p
));
5760 error
= avc_has_perm(current_sid(), __tsec
->sid
,
5761 SECCLASS_PROCESS
, PROCESS__GETATTR
, NULL
);
5766 if (!strcmp(name
, "current"))
5768 else if (!strcmp(name
, "prev"))
5770 else if (!strcmp(name
, "exec"))
5771 sid
= __tsec
->exec_sid
;
5772 else if (!strcmp(name
, "fscreate"))
5773 sid
= __tsec
->create_sid
;
5774 else if (!strcmp(name
, "keycreate"))
5775 sid
= __tsec
->keycreate_sid
;
5776 else if (!strcmp(name
, "sockcreate"))
5777 sid
= __tsec
->sockcreate_sid
;
5787 error
= security_sid_to_context(sid
, value
, &len
);
5797 static int selinux_setprocattr(const char *name
, void *value
, size_t size
)
5799 struct task_security_struct
*tsec
;
5801 u32 mysid
= current_sid(), sid
= 0, ptsid
;
5806 * Basic control over ability to set these attributes at all.
5808 if (!strcmp(name
, "exec"))
5809 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5810 PROCESS__SETEXEC
, NULL
);
5811 else if (!strcmp(name
, "fscreate"))
5812 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5813 PROCESS__SETFSCREATE
, NULL
);
5814 else if (!strcmp(name
, "keycreate"))
5815 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5816 PROCESS__SETKEYCREATE
, NULL
);
5817 else if (!strcmp(name
, "sockcreate"))
5818 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5819 PROCESS__SETSOCKCREATE
, NULL
);
5820 else if (!strcmp(name
, "current"))
5821 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5822 PROCESS__SETCURRENT
, NULL
);
5828 /* Obtain a SID for the context, if one was specified. */
5829 if (size
&& str
[0] && str
[0] != '\n') {
5830 if (str
[size
-1] == '\n') {
5834 error
= security_context_to_sid(value
, size
, &sid
, GFP_KERNEL
);
5835 if (error
== -EINVAL
&& !strcmp(name
, "fscreate")) {
5836 if (!has_cap_mac_admin(true)) {
5837 struct audit_buffer
*ab
;
5840 /* We strip a nul only if it is at the end, otherwise the
5841 * context contains a nul and we should audit that */
5842 if (str
[size
- 1] == '\0')
5843 audit_size
= size
- 1;
5846 ab
= audit_log_start(current
->audit_context
, GFP_ATOMIC
, AUDIT_SELINUX_ERR
);
5847 audit_log_format(ab
, "op=fscreate invalid_context=");
5848 audit_log_n_untrustedstring(ab
, value
, audit_size
);
5853 error
= security_context_to_sid_force(value
, size
,
5860 new = prepare_creds();
5864 /* Permission checking based on the specified context is
5865 performed during the actual operation (execve,
5866 open/mkdir/...), when we know the full context of the
5867 operation. See selinux_bprm_set_creds for the execve
5868 checks and may_create for the file creation checks. The
5869 operation will then fail if the context is not permitted. */
5870 tsec
= selinux_cred(new);
5871 if (!strcmp(name
, "exec")) {
5872 tsec
->exec_sid
= sid
;
5873 } else if (!strcmp(name
, "fscreate")) {
5874 tsec
->create_sid
= sid
;
5875 } else if (!strcmp(name
, "keycreate")) {
5876 error
= avc_has_perm(mysid
, sid
, SECCLASS_KEY
, KEY__CREATE
,
5880 tsec
->keycreate_sid
= sid
;
5881 } else if (!strcmp(name
, "sockcreate")) {
5882 tsec
->sockcreate_sid
= sid
;
5883 } else if (!strcmp(name
, "current")) {
5888 /* Only allow single threaded processes to change context */
5890 if (!current_is_single_threaded()) {
5891 error
= security_bounded_transition(tsec
->sid
, sid
);
5896 /* Check permissions for the transition. */
5897 error
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_PROCESS
,
5898 PROCESS__DYNTRANSITION
, NULL
);
5902 /* Check for ptracing, and update the task SID if ok.
5903 Otherwise, leave SID unchanged and fail. */
5904 ptsid
= ptrace_parent_sid();
5906 error
= avc_has_perm(ptsid
, sid
, SECCLASS_PROCESS
,
5907 PROCESS__PTRACE
, NULL
);
5926 static int selinux_ismaclabel(const char *name
)
5928 return (strcmp(name
, XATTR_SELINUX_SUFFIX
) == 0);
5931 static int selinux_secid_to_secctx(u32 secid
, char **secdata
, u32
*seclen
)
5933 return security_sid_to_context(secid
, secdata
, seclen
);
5936 static int selinux_secctx_to_secid(const char *secdata
, u32 seclen
, u32
*secid
)
5938 return security_context_to_sid(secdata
, seclen
, secid
, GFP_KERNEL
);
5941 static void selinux_release_secctx(char *secdata
, u32 seclen
)
5946 static void selinux_inode_invalidate_secctx(struct inode
*inode
)
5948 struct inode_security_struct
*isec
= selinux_inode(inode
);
5950 spin_lock(&isec
->lock
);
5951 isec
->initialized
= LABEL_INVALID
;
5952 spin_unlock(&isec
->lock
);
5956 * called with inode->i_mutex locked
5958 static int selinux_inode_notifysecctx(struct inode
*inode
, void *ctx
, u32 ctxlen
)
5960 return selinux_inode_setsecurity(inode
, XATTR_SELINUX_SUFFIX
, ctx
, ctxlen
, 0);
5964 * called with inode->i_mutex locked
5966 static int selinux_inode_setsecctx(struct dentry
*dentry
, void *ctx
, u32 ctxlen
)
5968 return __vfs_setxattr_noperm(dentry
, XATTR_NAME_SELINUX
, ctx
, ctxlen
, 0);
5971 static int selinux_inode_getsecctx(struct inode
*inode
, void **ctx
, u32
*ctxlen
)
5974 len
= selinux_inode_getsecurity(inode
, XATTR_SELINUX_SUFFIX
,
5983 static int selinux_key_alloc(struct key
*k
, const struct cred
*cred
,
5984 unsigned long flags
)
5986 const struct task_security_struct
*tsec
;
5987 struct key_security_struct
*ksec
= selinux_key(k
);
5989 tsec
= selinux_cred(cred
);
5990 if (tsec
->keycreate_sid
)
5991 ksec
->sid
= tsec
->keycreate_sid
;
5993 ksec
->sid
= tsec
->sid
;
5998 static int selinux_key_permission(key_ref_t key_ref
,
5999 const struct cred
*cred
,
6003 struct key_security_struct
*ksec
;
6006 /* if no specific permissions are requested, we skip the
6007 permission check. No serious, additional covert channels
6008 appear to be created. */
6012 sid
= cred_sid(cred
);
6014 key
= key_ref_to_ptr(key_ref
);
6015 ksec
= selinux_key(key
);
6017 return avc_has_perm(sid
, ksec
->sid
, SECCLASS_KEY
, perm
, NULL
);
6020 static int selinux_key_getsecurity(struct key
*key
, char **_buffer
)
6022 struct key_security_struct
*ksec
= selinux_key(key
);
6023 char *context
= NULL
;
6027 rc
= security_sid_to_context(ksec
->sid
, &context
, &len
);
6035 #ifdef CONFIG_SECURITY_INFINIBAND
6036 static int selinux_ib_pkey_access(void *ib_sec
, u64 subnet_prefix
, u16 pkey_val
)
6038 struct common_audit_data ad
;
6041 struct ib_security_struct
*sec
= ib_sec
;
6042 struct lsm_ibpkey_audit ibpkey
;
6044 err
= sel_ib_pkey_sid(subnet_prefix
, pkey_val
, &sid
);
6048 ad
.type
= LSM_AUDIT_DATA_IBPKEY
;
6049 ibpkey
.subnet_prefix
= subnet_prefix
;
6050 ibpkey
.pkey
= pkey_val
;
6051 ad
.u
.ibpkey
= &ibpkey
;
6052 return avc_has_perm(sec
->sid
, sid
,
6053 SECCLASS_INFINIBAND_PKEY
,
6054 INFINIBAND_PKEY__ACCESS
, &ad
);
6057 static int selinux_ib_endport_manage_subnet(void *ib_sec
, const char *dev_name
,
6060 struct common_audit_data ad
;
6063 struct ib_security_struct
*sec
= ib_sec
;
6064 struct lsm_ibendport_audit ibendport
;
6066 err
= security_ib_endport_sid(dev_name
, port_num
, &sid
);
6071 ad
.type
= LSM_AUDIT_DATA_IBENDPORT
;
6072 strncpy(ibendport
.dev_name
, dev_name
, sizeof(ibendport
.dev_name
));
6073 ibendport
.port
= port_num
;
6074 ad
.u
.ibendport
= &ibendport
;
6075 return avc_has_perm(sec
->sid
, sid
,
6076 SECCLASS_INFINIBAND_ENDPORT
,
6077 INFINIBAND_ENDPORT__MANAGE_SUBNET
, &ad
);
6080 static int selinux_ib_alloc_security(void **ib_sec
)
6082 struct ib_security_struct
*sec
;
6084 sec
= kzalloc(sizeof(*sec
), GFP_KERNEL
);
6087 sec
->sid
= current_sid();
6093 static void selinux_ib_free_security(void *ib_sec
)
6099 #ifdef CONFIG_BPF_SYSCALL
6100 static int selinux_bpf(int cmd
, union bpf_attr
*attr
,
6103 u32 sid
= current_sid();
6107 case BPF_MAP_CREATE
:
6108 ret
= avc_has_perm(sid
, sid
, SECCLASS_BPF
, BPF__MAP_CREATE
,
6112 ret
= avc_has_perm(sid
, sid
, SECCLASS_BPF
, BPF__PROG_LOAD
,
6123 static u32
bpf_map_fmode_to_av(fmode_t fmode
)
6127 if (fmode
& FMODE_READ
)
6128 av
|= BPF__MAP_READ
;
6129 if (fmode
& FMODE_WRITE
)
6130 av
|= BPF__MAP_WRITE
;
6134 /* This function will check the file pass through unix socket or binder to see
6135 * if it is a bpf related object. And apply correspinding checks on the bpf
6136 * object based on the type. The bpf maps and programs, not like other files and
6137 * socket, are using a shared anonymous inode inside the kernel as their inode.
6138 * So checking that inode cannot identify if the process have privilege to
6139 * access the bpf object and that's why we have to add this additional check in
6140 * selinux_file_receive and selinux_binder_transfer_files.
6142 static int bpf_fd_pass(struct file
*file
, u32 sid
)
6144 struct bpf_security_struct
*bpfsec
;
6145 struct bpf_prog
*prog
;
6146 struct bpf_map
*map
;
6149 if (file
->f_op
== &bpf_map_fops
) {
6150 map
= file
->private_data
;
6151 bpfsec
= map
->security
;
6152 ret
= avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6153 bpf_map_fmode_to_av(file
->f_mode
), NULL
);
6156 } else if (file
->f_op
== &bpf_prog_fops
) {
6157 prog
= file
->private_data
;
6158 bpfsec
= prog
->aux
->security
;
6159 ret
= avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6160 BPF__PROG_RUN
, NULL
);
6167 static int selinux_bpf_map(struct bpf_map
*map
, fmode_t fmode
)
6169 u32 sid
= current_sid();
6170 struct bpf_security_struct
*bpfsec
;
6172 bpfsec
= map
->security
;
6173 return avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6174 bpf_map_fmode_to_av(fmode
), NULL
);
6177 static int selinux_bpf_prog(struct bpf_prog
*prog
)
6179 u32 sid
= current_sid();
6180 struct bpf_security_struct
*bpfsec
;
6182 bpfsec
= prog
->aux
->security
;
6183 return avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6184 BPF__PROG_RUN
, NULL
);
6187 static int selinux_bpf_map_alloc(struct bpf_map
*map
)
6189 struct bpf_security_struct
*bpfsec
;
6191 bpfsec
= kzalloc(sizeof(*bpfsec
), GFP_KERNEL
);
6195 bpfsec
->sid
= current_sid();
6196 map
->security
= bpfsec
;
6201 static void selinux_bpf_map_free(struct bpf_map
*map
)
6203 struct bpf_security_struct
*bpfsec
= map
->security
;
6205 map
->security
= NULL
;
6209 static int selinux_bpf_prog_alloc(struct bpf_prog_aux
*aux
)
6211 struct bpf_security_struct
*bpfsec
;
6213 bpfsec
= kzalloc(sizeof(*bpfsec
), GFP_KERNEL
);
6217 bpfsec
->sid
= current_sid();
6218 aux
->security
= bpfsec
;
6223 static void selinux_bpf_prog_free(struct bpf_prog_aux
*aux
)
6225 struct bpf_security_struct
*bpfsec
= aux
->security
;
6227 aux
->security
= NULL
;
6232 struct lsm_blob_sizes selinux_blob_sizes
= {
6233 .lbs_cred
= sizeof(struct task_security_struct
),
6234 .lbs_file
= sizeof(struct file_security_struct
),
6235 .lbs_inode
= sizeof(struct inode_security_struct
),
6236 .lbs_ipc
= sizeof(struct ipc_security_struct
),
6238 .lbs_key
= sizeof(struct key_security_struct
),
6239 #endif /* CONFIG_KEYS */
6240 .lbs_msg_msg
= sizeof(struct msg_security_struct
),
6241 .lbs_sock
= sizeof(struct sk_security_struct
),
6242 .lbs_superblock
= sizeof(struct superblock_security_struct
),
6245 static struct security_hook_list selinux_hooks
[] __lsm_ro_after_init
= {
6246 LSM_HOOK_INIT(binder_set_context_mgr
, selinux_binder_set_context_mgr
),
6247 LSM_HOOK_INIT(binder_transaction
, selinux_binder_transaction
),
6248 LSM_HOOK_INIT(binder_transfer_binder
, selinux_binder_transfer_binder
),
6249 LSM_HOOK_INIT(binder_transfer_file
, selinux_binder_transfer_file
),
6251 LSM_HOOK_INIT(ptrace_access_check
, selinux_ptrace_access_check
),
6252 LSM_HOOK_INIT(ptrace_traceme
, selinux_ptrace_traceme
),
6253 LSM_HOOK_INIT(capget
, selinux_capget
),
6254 LSM_HOOK_INIT(capset
, selinux_capset
),
6255 LSM_HOOK_INIT(capable
, selinux_capable
),
6256 LSM_HOOK_INIT(quotactl
, selinux_quotactl
),
6257 LSM_HOOK_INIT(quota_on
, selinux_quota_on
),
6258 LSM_HOOK_INIT(syslog
, selinux_syslog
),
6259 LSM_HOOK_INIT(vm_enough_memory
, selinux_vm_enough_memory
),
6261 LSM_HOOK_INIT(netlink_send
, selinux_netlink_send
),
6263 LSM_HOOK_INIT(bprm_set_creds
, selinux_bprm_set_creds
),
6264 LSM_HOOK_INIT(bprm_committing_creds
, selinux_bprm_committing_creds
),
6265 LSM_HOOK_INIT(bprm_committed_creds
, selinux_bprm_committed_creds
),
6267 LSM_HOOK_INIT(sb_alloc_security
, selinux_sb_alloc_security
),
6268 LSM_HOOK_INIT(sb_copy_data
, selinux_sb_copy_data
),
6269 LSM_HOOK_INIT(sb_remount
, selinux_sb_remount
),
6270 LSM_HOOK_INIT(sb_kern_mount
, selinux_sb_kern_mount
),
6271 LSM_HOOK_INIT(sb_show_options
, selinux_sb_show_options
),
6272 LSM_HOOK_INIT(sb_statfs
, selinux_sb_statfs
),
6273 LSM_HOOK_INIT(sb_mount
, selinux_mount
),
6274 LSM_HOOK_INIT(sb_umount
, selinux_umount
),
6275 LSM_HOOK_INIT(sb_set_mnt_opts
, selinux_set_mnt_opts
),
6276 LSM_HOOK_INIT(sb_clone_mnt_opts
, selinux_sb_clone_mnt_opts
),
6277 LSM_HOOK_INIT(sb_parse_opts_str
, selinux_parse_opts_str
),
6279 LSM_HOOK_INIT(dentry_init_security
, selinux_dentry_init_security
),
6280 LSM_HOOK_INIT(dentry_create_files_as
, selinux_dentry_create_files_as
),
6282 LSM_HOOK_INIT(inode_alloc_security
, selinux_inode_alloc_security
),
6283 LSM_HOOK_INIT(inode_free_security
, selinux_inode_free_security
),
6284 LSM_HOOK_INIT(inode_init_security
, selinux_inode_init_security
),
6285 LSM_HOOK_INIT(inode_create
, selinux_inode_create
),
6286 LSM_HOOK_INIT(inode_link
, selinux_inode_link
),
6287 LSM_HOOK_INIT(inode_unlink
, selinux_inode_unlink
),
6288 LSM_HOOK_INIT(inode_symlink
, selinux_inode_symlink
),
6289 LSM_HOOK_INIT(inode_mkdir
, selinux_inode_mkdir
),
6290 LSM_HOOK_INIT(inode_rmdir
, selinux_inode_rmdir
),
6291 LSM_HOOK_INIT(inode_mknod
, selinux_inode_mknod
),
6292 LSM_HOOK_INIT(inode_rename
, selinux_inode_rename
),
6293 LSM_HOOK_INIT(inode_readlink
, selinux_inode_readlink
),
6294 LSM_HOOK_INIT(inode_follow_link
, selinux_inode_follow_link
),
6295 LSM_HOOK_INIT(inode_permission
, selinux_inode_permission
),
6296 LSM_HOOK_INIT(inode_setattr
, selinux_inode_setattr
),
6297 LSM_HOOK_INIT(inode_getattr
, selinux_inode_getattr
),
6298 LSM_HOOK_INIT(inode_setxattr
, selinux_inode_setxattr
),
6299 LSM_HOOK_INIT(inode_post_setxattr
, selinux_inode_post_setxattr
),
6300 LSM_HOOK_INIT(inode_getxattr
, selinux_inode_getxattr
),
6301 LSM_HOOK_INIT(inode_listxattr
, selinux_inode_listxattr
),
6302 LSM_HOOK_INIT(inode_removexattr
, selinux_inode_removexattr
),
6303 LSM_HOOK_INIT(inode_getsecurity
, selinux_inode_getsecurity
),
6304 LSM_HOOK_INIT(inode_setsecurity
, selinux_inode_setsecurity
),
6305 LSM_HOOK_INIT(inode_listsecurity
, selinux_inode_listsecurity
),
6306 LSM_HOOK_INIT(inode_getsecid
, selinux_inode_getsecid
),
6307 LSM_HOOK_INIT(inode_copy_up
, selinux_inode_copy_up
),
6308 LSM_HOOK_INIT(inode_copy_up_xattr
, selinux_inode_copy_up_xattr
),
6310 LSM_HOOK_INIT(file_permission
, selinux_file_permission
),
6311 LSM_HOOK_INIT(file_alloc_security
, selinux_file_alloc_security
),
6312 LSM_HOOK_INIT(file_ioctl
, selinux_file_ioctl
),
6313 LSM_HOOK_INIT(mmap_file
, selinux_mmap_file
),
6314 LSM_HOOK_INIT(mmap_addr
, selinux_mmap_addr
),
6315 LSM_HOOK_INIT(file_mprotect
, selinux_file_mprotect
),
6316 LSM_HOOK_INIT(file_lock
, selinux_file_lock
),
6317 LSM_HOOK_INIT(file_fcntl
, selinux_file_fcntl
),
6318 LSM_HOOK_INIT(file_set_fowner
, selinux_file_set_fowner
),
6319 LSM_HOOK_INIT(file_send_sigiotask
, selinux_file_send_sigiotask
),
6320 LSM_HOOK_INIT(file_receive
, selinux_file_receive
),
6322 LSM_HOOK_INIT(file_open
, selinux_file_open
),
6324 LSM_HOOK_INIT(task_alloc
, selinux_task_alloc
),
6325 LSM_HOOK_INIT(cred_prepare
, selinux_cred_prepare
),
6326 LSM_HOOK_INIT(cred_transfer
, selinux_cred_transfer
),
6327 LSM_HOOK_INIT(kernel_act_as
, selinux_kernel_act_as
),
6328 LSM_HOOK_INIT(kernel_create_files_as
, selinux_kernel_create_files_as
),
6329 LSM_HOOK_INIT(kernel_module_request
, selinux_kernel_module_request
),
6330 LSM_HOOK_INIT(kernel_read_file
, selinux_kernel_read_file
),
6331 LSM_HOOK_INIT(task_setpgid
, selinux_task_setpgid
),
6332 LSM_HOOK_INIT(task_getpgid
, selinux_task_getpgid
),
6333 LSM_HOOK_INIT(task_getsid
, selinux_task_getsid
),
6334 LSM_HOOK_INIT(task_getsecid
, selinux_task_getsecid
),
6335 LSM_HOOK_INIT(task_setnice
, selinux_task_setnice
),
6336 LSM_HOOK_INIT(task_setioprio
, selinux_task_setioprio
),
6337 LSM_HOOK_INIT(task_getioprio
, selinux_task_getioprio
),
6338 LSM_HOOK_INIT(task_prlimit
, selinux_task_prlimit
),
6339 LSM_HOOK_INIT(task_setrlimit
, selinux_task_setrlimit
),
6340 LSM_HOOK_INIT(task_setscheduler
, selinux_task_setscheduler
),
6341 LSM_HOOK_INIT(task_getscheduler
, selinux_task_getscheduler
),
6342 LSM_HOOK_INIT(task_movememory
, selinux_task_movememory
),
6343 LSM_HOOK_INIT(task_kill
, selinux_task_kill
),
6344 LSM_HOOK_INIT(task_to_inode
, selinux_task_to_inode
),
6346 LSM_HOOK_INIT(ipc_permission
, selinux_ipc_permission
),
6347 LSM_HOOK_INIT(ipc_getsecid
, selinux_ipc_getsecid
),
6349 LSM_HOOK_INIT(msg_msg_alloc_security
, selinux_msg_msg_alloc_security
),
6351 LSM_HOOK_INIT(msg_queue_alloc_security
,
6352 selinux_msg_queue_alloc_security
),
6353 LSM_HOOK_INIT(msg_queue_associate
, selinux_msg_queue_associate
),
6354 LSM_HOOK_INIT(msg_queue_msgctl
, selinux_msg_queue_msgctl
),
6355 LSM_HOOK_INIT(msg_queue_msgsnd
, selinux_msg_queue_msgsnd
),
6356 LSM_HOOK_INIT(msg_queue_msgrcv
, selinux_msg_queue_msgrcv
),
6358 LSM_HOOK_INIT(shm_alloc_security
, selinux_shm_alloc_security
),
6359 LSM_HOOK_INIT(shm_associate
, selinux_shm_associate
),
6360 LSM_HOOK_INIT(shm_shmctl
, selinux_shm_shmctl
),
6361 LSM_HOOK_INIT(shm_shmat
, selinux_shm_shmat
),
6363 LSM_HOOK_INIT(sem_alloc_security
, selinux_sem_alloc_security
),
6364 LSM_HOOK_INIT(sem_associate
, selinux_sem_associate
),
6365 LSM_HOOK_INIT(sem_semctl
, selinux_sem_semctl
),
6366 LSM_HOOK_INIT(sem_semop
, selinux_sem_semop
),
6368 LSM_HOOK_INIT(d_instantiate
, selinux_d_instantiate
),
6370 LSM_HOOK_INIT(getprocattr
, selinux_getprocattr
),
6371 LSM_HOOK_INIT(setprocattr
, selinux_setprocattr
),
6373 LSM_HOOK_INIT(ismaclabel
, selinux_ismaclabel
),
6374 LSM_HOOK_INIT(secid_to_secctx
, selinux_secid_to_secctx
),
6375 LSM_HOOK_INIT(secctx_to_secid
, selinux_secctx_to_secid
),
6376 LSM_HOOK_INIT(release_secctx
, selinux_release_secctx
),
6377 LSM_HOOK_INIT(inode_invalidate_secctx
, selinux_inode_invalidate_secctx
),
6378 LSM_HOOK_INIT(inode_notifysecctx
, selinux_inode_notifysecctx
),
6379 LSM_HOOK_INIT(inode_setsecctx
, selinux_inode_setsecctx
),
6380 LSM_HOOK_INIT(inode_getsecctx
, selinux_inode_getsecctx
),
6382 LSM_HOOK_INIT(unix_stream_connect
, selinux_socket_unix_stream_connect
),
6383 LSM_HOOK_INIT(unix_may_send
, selinux_socket_unix_may_send
),
6385 LSM_HOOK_INIT(socket_create
, selinux_socket_create
),
6386 LSM_HOOK_INIT(socket_post_create
, selinux_socket_post_create
),
6387 LSM_HOOK_INIT(socket_bind
, selinux_socket_bind
),
6388 LSM_HOOK_INIT(socket_connect
, selinux_socket_connect
),
6389 LSM_HOOK_INIT(socket_listen
, selinux_socket_listen
),
6390 LSM_HOOK_INIT(socket_accept
, selinux_socket_accept
),
6391 LSM_HOOK_INIT(socket_sendmsg
, selinux_socket_sendmsg
),
6392 LSM_HOOK_INIT(socket_recvmsg
, selinux_socket_recvmsg
),
6393 LSM_HOOK_INIT(socket_getsockname
, selinux_socket_getsockname
),
6394 LSM_HOOK_INIT(socket_getpeername
, selinux_socket_getpeername
),
6395 LSM_HOOK_INIT(socket_getsockopt
, selinux_socket_getsockopt
),
6396 LSM_HOOK_INIT(socket_setsockopt
, selinux_socket_setsockopt
),
6397 LSM_HOOK_INIT(socket_shutdown
, selinux_socket_shutdown
),
6398 LSM_HOOK_INIT(socket_sock_rcv_skb
, selinux_socket_sock_rcv_skb
),
6399 LSM_HOOK_INIT(socket_getpeersec_stream
,
6400 selinux_socket_getpeersec_stream
),
6401 LSM_HOOK_INIT(socket_getpeersec_dgram
, selinux_socket_getpeersec_dgram
),
6402 LSM_HOOK_INIT(sk_alloc_security
, selinux_sk_alloc_security
),
6403 LSM_HOOK_INIT(sk_free_security
, selinux_sk_free_security
),
6404 LSM_HOOK_INIT(sk_clone_security
, selinux_sk_clone_security
),
6405 LSM_HOOK_INIT(sk_getsecid
, selinux_sk_getsecid
),
6406 LSM_HOOK_INIT(sock_graft
, selinux_sock_graft
),
6407 LSM_HOOK_INIT(inet_conn_request
, selinux_inet_conn_request
),
6408 LSM_HOOK_INIT(inet_csk_clone
, selinux_inet_csk_clone
),
6409 LSM_HOOK_INIT(inet_conn_established
, selinux_inet_conn_established
),
6410 LSM_HOOK_INIT(secmark_relabel_packet
, selinux_secmark_relabel_packet
),
6411 LSM_HOOK_INIT(secmark_refcount_inc
, selinux_secmark_refcount_inc
),
6412 LSM_HOOK_INIT(secmark_refcount_dec
, selinux_secmark_refcount_dec
),
6413 LSM_HOOK_INIT(req_classify_flow
, selinux_req_classify_flow
),
6414 LSM_HOOK_INIT(tun_dev_alloc_security
, selinux_tun_dev_alloc_security
),
6415 LSM_HOOK_INIT(tun_dev_free_security
, selinux_tun_dev_free_security
),
6416 LSM_HOOK_INIT(tun_dev_create
, selinux_tun_dev_create
),
6417 LSM_HOOK_INIT(tun_dev_attach_queue
, selinux_tun_dev_attach_queue
),
6418 LSM_HOOK_INIT(tun_dev_attach
, selinux_tun_dev_attach
),
6419 LSM_HOOK_INIT(tun_dev_open
, selinux_tun_dev_open
),
6420 #ifdef CONFIG_SECURITY_INFINIBAND
6421 LSM_HOOK_INIT(ib_pkey_access
, selinux_ib_pkey_access
),
6422 LSM_HOOK_INIT(ib_endport_manage_subnet
,
6423 selinux_ib_endport_manage_subnet
),
6424 LSM_HOOK_INIT(ib_alloc_security
, selinux_ib_alloc_security
),
6425 LSM_HOOK_INIT(ib_free_security
, selinux_ib_free_security
),
6427 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6428 LSM_HOOK_INIT(xfrm_policy_alloc_security
, selinux_xfrm_policy_alloc
),
6429 LSM_HOOK_INIT(xfrm_policy_clone_security
, selinux_xfrm_policy_clone
),
6430 LSM_HOOK_INIT(xfrm_policy_free_security
, selinux_xfrm_policy_free
),
6431 LSM_HOOK_INIT(xfrm_policy_delete_security
, selinux_xfrm_policy_delete
),
6432 LSM_HOOK_INIT(xfrm_state_alloc
, selinux_xfrm_state_alloc
),
6433 LSM_HOOK_INIT(xfrm_state_alloc_acquire
,
6434 selinux_xfrm_state_alloc_acquire
),
6435 LSM_HOOK_INIT(xfrm_state_free_security
, selinux_xfrm_state_free
),
6436 LSM_HOOK_INIT(xfrm_state_delete_security
, selinux_xfrm_state_delete
),
6437 LSM_HOOK_INIT(xfrm_policy_lookup
, selinux_xfrm_policy_lookup
),
6438 LSM_HOOK_INIT(xfrm_state_pol_flow_match
,
6439 selinux_xfrm_state_pol_flow_match
),
6440 LSM_HOOK_INIT(xfrm_decode_session
, selinux_xfrm_decode_session
),
6444 LSM_HOOK_INIT(key_alloc
, selinux_key_alloc
),
6445 LSM_HOOK_INIT(key_permission
, selinux_key_permission
),
6446 LSM_HOOK_INIT(key_getsecurity
, selinux_key_getsecurity
),
6450 LSM_HOOK_INIT(audit_rule_init
, selinux_audit_rule_init
),
6451 LSM_HOOK_INIT(audit_rule_known
, selinux_audit_rule_known
),
6452 LSM_HOOK_INIT(audit_rule_match
, selinux_audit_rule_match
),
6453 LSM_HOOK_INIT(audit_rule_free
, selinux_audit_rule_free
),
6456 #ifdef CONFIG_BPF_SYSCALL
6457 LSM_HOOK_INIT(bpf
, selinux_bpf
),
6458 LSM_HOOK_INIT(bpf_map
, selinux_bpf_map
),
6459 LSM_HOOK_INIT(bpf_prog
, selinux_bpf_prog
),
6460 LSM_HOOK_INIT(bpf_map_alloc_security
, selinux_bpf_map_alloc
),
6461 LSM_HOOK_INIT(bpf_prog_alloc_security
, selinux_bpf_prog_alloc
),
6462 LSM_HOOK_INIT(bpf_map_free_security
, selinux_bpf_map_free
),
6463 LSM_HOOK_INIT(bpf_prog_free_security
, selinux_bpf_prog_free
),
6467 static __init
int selinux_init(void)
6471 if (!security_module_enable("selinux",
6472 IS_ENABLED(CONFIG_SECURITY_SELINUX_STACKED
))) {
6473 selinux_enabled
= 0;
6478 security_add_blobs(&selinux_blob_sizes
);
6483 if (!selinux_enabled
) {
6484 printk(KERN_INFO
"SELinux: Disabled at boot.\n");
6488 printk(KERN_INFO
"SELinux: Initializing.\n");
6490 /* Set the security state for the initial task. */
6491 cred_init_security();
6493 default_noexec
= !(VM_DATA_DEFAULT_FLAGS
& VM_EXEC
);
6497 security_add_hooks(selinux_hooks
, ARRAY_SIZE(selinux_hooks
), "selinux");
6499 if (avc_add_callback(selinux_netcache_avc_callback
, AVC_CALLBACK_RESET
))
6500 panic("SELinux: Unable to register AVC netcache callback\n");
6502 if (avc_add_callback(selinux_lsm_notifier_avc_callback
, AVC_CALLBACK_RESET
))
6503 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6505 if (selinux_enforcing
)
6506 printk(KERN_DEBUG
"SELinux: Starting in enforcing mode\n");
6508 printk(KERN_DEBUG
"SELinux: Starting in permissive mode\n");
6513 static void delayed_superblock_init(struct super_block
*sb
, void *unused
)
6515 superblock_doinit(sb
, NULL
);
6518 void selinux_complete_init(void)
6520 printk(KERN_DEBUG
"SELinux: Completing initialization.\n");
6522 /* Set up any superblocks initialized prior to the policy load. */
6523 printk(KERN_DEBUG
"SELinux: Setting up existing superblocks.\n");
6524 iterate_supers(delayed_superblock_init
, NULL
);
6527 /* SELinux requires early initialization in order to label
6528 all processes and objects when they are created. */
6529 security_initcall(selinux_init
);
6531 #if defined(CONFIG_NETFILTER)
6533 static const struct nf_hook_ops selinux_nf_ops
[] = {
6535 .hook
= selinux_ipv4_postroute
,
6537 .hooknum
= NF_INET_POST_ROUTING
,
6538 .priority
= NF_IP_PRI_SELINUX_LAST
,
6541 .hook
= selinux_ipv4_forward
,
6543 .hooknum
= NF_INET_FORWARD
,
6544 .priority
= NF_IP_PRI_SELINUX_FIRST
,
6547 .hook
= selinux_ipv4_output
,
6549 .hooknum
= NF_INET_LOCAL_OUT
,
6550 .priority
= NF_IP_PRI_SELINUX_FIRST
,
6552 #if IS_ENABLED(CONFIG_IPV6)
6554 .hook
= selinux_ipv6_postroute
,
6556 .hooknum
= NF_INET_POST_ROUTING
,
6557 .priority
= NF_IP6_PRI_SELINUX_LAST
,
6560 .hook
= selinux_ipv6_forward
,
6562 .hooknum
= NF_INET_FORWARD
,
6563 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
6566 .hook
= selinux_ipv6_output
,
6568 .hooknum
= NF_INET_LOCAL_OUT
,
6569 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
6574 static int __net_init
selinux_nf_register(struct net
*net
)
6576 return nf_register_net_hooks(net
, selinux_nf_ops
,
6577 ARRAY_SIZE(selinux_nf_ops
));
6580 static void __net_exit
selinux_nf_unregister(struct net
*net
)
6582 nf_unregister_net_hooks(net
, selinux_nf_ops
,
6583 ARRAY_SIZE(selinux_nf_ops
));
6586 static struct pernet_operations selinux_net_ops
= {
6587 .init
= selinux_nf_register
,
6588 .exit
= selinux_nf_unregister
,
6591 static int __init
selinux_nf_ip_init(void)
6595 if (!selinux_enabled
)
6598 printk(KERN_DEBUG
"SELinux: Registering netfilter hooks\n");
6600 err
= register_pernet_subsys(&selinux_net_ops
);
6602 panic("SELinux: register_pernet_subsys: error %d\n", err
);
6606 __initcall(selinux_nf_ip_init
);
6608 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6609 static void selinux_nf_ip_exit(void)
6611 printk(KERN_DEBUG
"SELinux: Unregistering netfilter hooks\n");
6613 unregister_pernet_subsys(&selinux_net_ops
);
6617 #else /* CONFIG_NETFILTER */
6619 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6620 #define selinux_nf_ip_exit()
6623 #endif /* CONFIG_NETFILTER */
6625 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6626 static int selinux_disabled
;
6628 int selinux_disable(void)
6630 if (ss_initialized
) {
6631 /* Not permitted after initial policy load. */
6635 if (selinux_disabled
) {
6636 /* Only do this once. */
6640 printk(KERN_INFO
"SELinux: Disabled at runtime.\n");
6642 selinux_disabled
= 1;
6643 selinux_enabled
= 0;
6645 security_delete_hooks(selinux_hooks
, ARRAY_SIZE(selinux_hooks
));
6647 /* Try to destroy the avc node cache */
6650 /* Unregister netfilter hooks. */
6651 selinux_nf_ip_exit();
6653 /* Unregister selinuxfs. */