]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
jbd2: fix compile warning when using JBUFFER_TRACE
[mirror_ubuntu-bionic-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89
90 #include "avc.h"
91 #include "objsec.h"
92 #include "netif.h"
93 #include "netnode.h"
94 #include "netport.h"
95 #include "ibpkey.h"
96 #include "xfrm.h"
97 #include "netlabel.h"
98 #include "audit.h"
99 #include "avc_ss.h"
100
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
106
107 static int __init enforcing_setup(char *str)
108 {
109 unsigned long enforcing;
110 if (!kstrtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0;
112 return 1;
113 }
114 __setup("enforcing=", enforcing_setup);
115 #endif
116
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119
120 static int __init selinux_enabled_setup(char *str)
121 {
122 unsigned long enabled;
123 if (!kstrtoul(str, 0, &enabled))
124 selinux_enabled = enabled ? 1 : 0;
125 return 1;
126 }
127 __setup("selinux=", selinux_enabled_setup);
128 #else
129 int selinux_enabled = 1;
130 #endif
131
132 /**
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
134 *
135 * Description:
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
139 * enabled, false (0) if SECMARK is disabled. If the always_check_network
140 * policy capability is enabled, SECMARK is always considered enabled.
141 *
142 */
143 static int selinux_secmark_enabled(void)
144 {
145 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
146 }
147
148 /**
149 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
150 *
151 * Description:
152 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
153 * (1) if any are enabled or false (0) if neither are enabled. If the
154 * always_check_network policy capability is enabled, peer labeling
155 * is always considered enabled.
156 *
157 */
158 static int selinux_peerlbl_enabled(void)
159 {
160 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
161 }
162
163 static int selinux_netcache_avc_callback(u32 event)
164 {
165 if (event == AVC_CALLBACK_RESET) {
166 sel_netif_flush();
167 sel_netnode_flush();
168 sel_netport_flush();
169 synchronize_net();
170 }
171 return 0;
172 }
173
174 static int selinux_lsm_notifier_avc_callback(u32 event)
175 {
176 if (event == AVC_CALLBACK_RESET) {
177 sel_ib_pkey_flush();
178 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
179 }
180
181 return 0;
182 }
183
184 /*
185 * initialise the security for the init task
186 */
187 static void cred_init_security(void)
188 {
189 struct cred *cred = (struct cred *) current->real_cred;
190 struct task_security_struct *tsec;
191
192 lsm_early_cred(cred);
193 tsec = selinux_cred(cred);
194 tsec->osid = tsec->sid = SECINITSID_KERNEL;
195 }
196
197 /*
198 * get the security ID of a set of credentials
199 */
200 static inline u32 cred_sid(const struct cred *cred)
201 {
202 const struct task_security_struct *tsec;
203
204 tsec = selinux_cred(cred);
205 return tsec->sid;
206 }
207
208 /*
209 * get the objective security ID of a task
210 */
211 static inline u32 task_sid(const struct task_struct *task)
212 {
213 u32 sid;
214
215 rcu_read_lock();
216 sid = cred_sid(__task_cred(task));
217 rcu_read_unlock();
218 return sid;
219 }
220
221 /* Allocate and free functions for each kind of security blob. */
222
223 static int inode_alloc_security(struct inode *inode)
224 {
225 struct inode_security_struct *isec = selinux_inode(inode);
226 u32 sid = current_sid();
227
228 spin_lock_init(&isec->lock);
229 INIT_LIST_HEAD(&isec->list);
230 isec->inode = inode;
231 isec->sid = SECINITSID_UNLABELED;
232 isec->sclass = SECCLASS_FILE;
233 isec->task_sid = sid;
234 isec->initialized = LABEL_INVALID;
235
236 return 0;
237 }
238
239 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
240
241 /*
242 * Try reloading inode security labels that have been marked as invalid. The
243 * @may_sleep parameter indicates when sleeping and thus reloading labels is
244 * allowed; when set to false, returns -ECHILD when the label is
245 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
246 * when no dentry is available, set it to NULL instead.
247 */
248 static int __inode_security_revalidate(struct inode *inode,
249 struct dentry *opt_dentry,
250 bool may_sleep)
251 {
252 struct inode_security_struct *isec = selinux_inode(inode);
253
254 might_sleep_if(may_sleep);
255
256 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
257 if (!may_sleep)
258 return -ECHILD;
259
260 /*
261 * Try reloading the inode security label. This will fail if
262 * @opt_dentry is NULL and no dentry for this inode can be
263 * found; in that case, continue using the old label.
264 */
265 inode_doinit_with_dentry(inode, opt_dentry);
266 }
267 return 0;
268 }
269
270 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
271 {
272 return selinux_inode(inode);
273 }
274
275 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
276 {
277 int error;
278
279 error = __inode_security_revalidate(inode, NULL, !rcu);
280 if (error)
281 return ERR_PTR(error);
282 return selinux_inode(inode);
283 }
284
285 /*
286 * Get the security label of an inode.
287 */
288 static struct inode_security_struct *inode_security(struct inode *inode)
289 {
290 __inode_security_revalidate(inode, NULL, true);
291 return selinux_inode(inode);
292 }
293
294 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
295 {
296 struct inode *inode = d_backing_inode(dentry);
297
298 return selinux_inode(inode);
299 }
300
301 /*
302 * Get the security label of a dentry's backing inode.
303 */
304 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
305 {
306 struct inode *inode = d_backing_inode(dentry);
307
308 __inode_security_revalidate(inode, dentry, true);
309 return selinux_inode(inode);
310 }
311
312 static void inode_free_security(struct inode *inode)
313 {
314 struct inode_security_struct *isec = selinux_inode(inode);
315 struct superblock_security_struct *sbsec =
316 selinux_superblock(inode->i_sb);
317
318 /*
319 * As not all inode security structures are in a list, we check for
320 * empty list outside of the lock to make sure that we won't waste
321 * time taking a lock doing nothing.
322 *
323 * The list_del_init() function can be safely called more than once.
324 * It should not be possible for this function to be called with
325 * concurrent list_add(), but for better safety against future changes
326 * in the code, we use list_empty_careful() here.
327 */
328 if (!list_empty_careful(&isec->list)) {
329 spin_lock(&sbsec->isec_lock);
330 list_del_init(&isec->list);
331 spin_unlock(&sbsec->isec_lock);
332 }
333 }
334
335 static int file_alloc_security(struct file *file)
336 {
337 struct file_security_struct *fsec = selinux_file(file);
338 u32 sid = current_sid();
339
340 fsec->sid = sid;
341 fsec->fown_sid = sid;
342
343 return 0;
344 }
345
346 static int superblock_alloc_security(struct super_block *sb)
347 {
348 struct superblock_security_struct *sbsec = selinux_superblock(sb);
349
350 mutex_init(&sbsec->lock);
351 INIT_LIST_HEAD(&sbsec->isec_head);
352 spin_lock_init(&sbsec->isec_lock);
353 sbsec->sb = sb;
354 sbsec->sid = SECINITSID_UNLABELED;
355 sbsec->def_sid = SECINITSID_FILE;
356 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
357
358 return 0;
359 }
360
361 static inline int inode_doinit(struct inode *inode)
362 {
363 return inode_doinit_with_dentry(inode, NULL);
364 }
365
366 enum {
367 Opt_error = -1,
368 Opt_context = 1,
369 Opt_fscontext = 2,
370 Opt_defcontext = 3,
371 Opt_rootcontext = 4,
372 Opt_labelsupport = 5,
373 Opt_nextmntopt = 6,
374 };
375
376 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
377
378 static const match_table_t tokens = {
379 {Opt_context, CONTEXT_STR "%s"},
380 {Opt_fscontext, FSCONTEXT_STR "%s"},
381 {Opt_defcontext, DEFCONTEXT_STR "%s"},
382 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
383 {Opt_labelsupport, LABELSUPP_STR},
384 {Opt_error, NULL},
385 };
386
387 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
388
389 static int may_context_mount_sb_relabel(u32 sid,
390 struct superblock_security_struct *sbsec,
391 const struct cred *cred)
392 {
393 const struct task_security_struct *tsec = selinux_cred(cred);
394 int rc;
395
396 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__RELABELFROM, NULL);
398 if (rc)
399 return rc;
400
401 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
402 FILESYSTEM__RELABELTO, NULL);
403 return rc;
404 }
405
406 static int may_context_mount_inode_relabel(u32 sid,
407 struct superblock_security_struct *sbsec,
408 const struct cred *cred)
409 {
410 const struct task_security_struct *tsec = selinux_cred(cred);
411 int rc;
412 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
413 FILESYSTEM__RELABELFROM, NULL);
414 if (rc)
415 return rc;
416
417 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
418 FILESYSTEM__ASSOCIATE, NULL);
419 return rc;
420 }
421
422 static int selinux_is_sblabel_mnt(struct super_block *sb)
423 {
424 struct superblock_security_struct *sbsec = selinux_superblock(sb);
425
426 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
427 sbsec->behavior == SECURITY_FS_USE_TRANS ||
428 sbsec->behavior == SECURITY_FS_USE_TASK ||
429 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
430 /* Special handling. Genfs but also in-core setxattr handler */
431 !strcmp(sb->s_type->name, "sysfs") ||
432 !strcmp(sb->s_type->name, "pstore") ||
433 !strcmp(sb->s_type->name, "debugfs") ||
434 !strcmp(sb->s_type->name, "tracefs") ||
435 !strcmp(sb->s_type->name, "rootfs") ||
436 (selinux_policycap_cgroupseclabel &&
437 (!strcmp(sb->s_type->name, "cgroup") ||
438 !strcmp(sb->s_type->name, "cgroup2")));
439 }
440
441 static int sb_finish_set_opts(struct super_block *sb)
442 {
443 struct superblock_security_struct *sbsec = selinux_superblock(sb);
444 struct dentry *root = sb->s_root;
445 struct inode *root_inode = d_backing_inode(root);
446 int rc = 0;
447
448 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
449 /* Make sure that the xattr handler exists and that no
450 error other than -ENODATA is returned by getxattr on
451 the root directory. -ENODATA is ok, as this may be
452 the first boot of the SELinux kernel before we have
453 assigned xattr values to the filesystem. */
454 if (!(root_inode->i_opflags & IOP_XATTR)) {
455 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
456 "xattr support\n", sb->s_id, sb->s_type->name);
457 rc = -EOPNOTSUPP;
458 goto out;
459 }
460
461 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
462 if (rc < 0 && rc != -ENODATA) {
463 if (rc == -EOPNOTSUPP)
464 printk(KERN_WARNING "SELinux: (dev %s, type "
465 "%s) has no security xattr handler\n",
466 sb->s_id, sb->s_type->name);
467 else
468 printk(KERN_WARNING "SELinux: (dev %s, type "
469 "%s) getxattr errno %d\n", sb->s_id,
470 sb->s_type->name, -rc);
471 goto out;
472 }
473 }
474
475 sbsec->flags |= SE_SBINITIALIZED;
476
477 /*
478 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
479 * leave the flag untouched because sb_clone_mnt_opts might be handing
480 * us a superblock that needs the flag to be cleared.
481 */
482 if (selinux_is_sblabel_mnt(sb))
483 sbsec->flags |= SBLABEL_MNT;
484 else
485 sbsec->flags &= ~SBLABEL_MNT;
486
487 /* Initialize the root inode. */
488 rc = inode_doinit_with_dentry(root_inode, root);
489
490 /* Initialize any other inodes associated with the superblock, e.g.
491 inodes created prior to initial policy load or inodes created
492 during get_sb by a pseudo filesystem that directly
493 populates itself. */
494 spin_lock(&sbsec->isec_lock);
495 next_inode:
496 if (!list_empty(&sbsec->isec_head)) {
497 struct inode_security_struct *isec =
498 list_entry(sbsec->isec_head.next,
499 struct inode_security_struct, list);
500 struct inode *inode = isec->inode;
501 list_del_init(&isec->list);
502 spin_unlock(&sbsec->isec_lock);
503 inode = igrab(inode);
504 if (inode) {
505 if (!IS_PRIVATE(inode))
506 inode_doinit(inode);
507 iput(inode);
508 }
509 spin_lock(&sbsec->isec_lock);
510 goto next_inode;
511 }
512 spin_unlock(&sbsec->isec_lock);
513 out:
514 return rc;
515 }
516
517 /*
518 * This function should allow an FS to ask what it's mount security
519 * options were so it can use those later for submounts, displaying
520 * mount options, or whatever.
521 */
522 static int selinux_get_mnt_opts(const struct super_block *sb,
523 struct security_mnt_opts *opts)
524 {
525 int rc = 0, i;
526 struct superblock_security_struct *sbsec = selinux_superblock(sb);
527 char *context = NULL;
528 u32 len;
529 char tmp;
530
531 security_init_mnt_opts(opts);
532
533 if (!(sbsec->flags & SE_SBINITIALIZED))
534 return -EINVAL;
535
536 if (!ss_initialized)
537 return -EINVAL;
538
539 /* make sure we always check enough bits to cover the mask */
540 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
541
542 tmp = sbsec->flags & SE_MNTMASK;
543 /* count the number of mount options for this sb */
544 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
545 if (tmp & 0x01)
546 opts->num_mnt_opts++;
547 tmp >>= 1;
548 }
549 /* Check if the Label support flag is set */
550 if (sbsec->flags & SBLABEL_MNT)
551 opts->num_mnt_opts++;
552
553 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
554 if (!opts->mnt_opts) {
555 rc = -ENOMEM;
556 goto out_free;
557 }
558
559 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
560 if (!opts->mnt_opts_flags) {
561 rc = -ENOMEM;
562 goto out_free;
563 }
564
565 i = 0;
566 if (sbsec->flags & FSCONTEXT_MNT) {
567 rc = security_sid_to_context(sbsec->sid, &context, &len);
568 if (rc)
569 goto out_free;
570 opts->mnt_opts[i] = context;
571 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
572 }
573 if (sbsec->flags & CONTEXT_MNT) {
574 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
575 if (rc)
576 goto out_free;
577 opts->mnt_opts[i] = context;
578 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
579 }
580 if (sbsec->flags & DEFCONTEXT_MNT) {
581 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
582 if (rc)
583 goto out_free;
584 opts->mnt_opts[i] = context;
585 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
586 }
587 if (sbsec->flags & ROOTCONTEXT_MNT) {
588 struct dentry *root = sbsec->sb->s_root;
589 struct inode_security_struct *isec =
590 backing_inode_security(root);
591
592 rc = security_sid_to_context(isec->sid, &context, &len);
593 if (rc)
594 goto out_free;
595 opts->mnt_opts[i] = context;
596 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
597 }
598 if (sbsec->flags & SBLABEL_MNT) {
599 opts->mnt_opts[i] = NULL;
600 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
601 }
602
603 BUG_ON(i != opts->num_mnt_opts);
604
605 return 0;
606
607 out_free:
608 security_free_mnt_opts(opts);
609 return rc;
610 }
611
612 static int bad_option(struct superblock_security_struct *sbsec, char flag,
613 u32 old_sid, u32 new_sid)
614 {
615 char mnt_flags = sbsec->flags & SE_MNTMASK;
616
617 /* check if the old mount command had the same options */
618 if (sbsec->flags & SE_SBINITIALIZED)
619 if (!(sbsec->flags & flag) ||
620 (old_sid != new_sid))
621 return 1;
622
623 /* check if we were passed the same options twice,
624 * aka someone passed context=a,context=b
625 */
626 if (!(sbsec->flags & SE_SBINITIALIZED))
627 if (mnt_flags & flag)
628 return 1;
629 return 0;
630 }
631
632 /*
633 * Allow filesystems with binary mount data to explicitly set mount point
634 * labeling information.
635 */
636 static int selinux_set_mnt_opts(struct super_block *sb,
637 struct security_mnt_opts *opts,
638 unsigned long kern_flags,
639 unsigned long *set_kern_flags)
640 {
641 const struct cred *cred = current_cred();
642 int rc = 0, i;
643 struct superblock_security_struct *sbsec = selinux_superblock(sb);
644 const char *name = sb->s_type->name;
645 struct dentry *root = sbsec->sb->s_root;
646 struct inode_security_struct *root_isec;
647 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
648 u32 defcontext_sid = 0;
649 char **mount_options = opts->mnt_opts;
650 int *flags = opts->mnt_opts_flags;
651 int num_opts = opts->num_mnt_opts;
652
653 mutex_lock(&sbsec->lock);
654
655 if (!ss_initialized) {
656 if (!num_opts) {
657 /* Defer initialization until selinux_complete_init,
658 after the initial policy is loaded and the security
659 server is ready to handle calls. */
660 goto out;
661 }
662 rc = -EINVAL;
663 printk(KERN_WARNING "SELinux: Unable to set superblock options "
664 "before the security server is initialized\n");
665 goto out;
666 }
667 if (kern_flags && !set_kern_flags) {
668 /* Specifying internal flags without providing a place to
669 * place the results is not allowed */
670 rc = -EINVAL;
671 goto out;
672 }
673
674 /*
675 * Binary mount data FS will come through this function twice. Once
676 * from an explicit call and once from the generic calls from the vfs.
677 * Since the generic VFS calls will not contain any security mount data
678 * we need to skip the double mount verification.
679 *
680 * This does open a hole in which we will not notice if the first
681 * mount using this sb set explict options and a second mount using
682 * this sb does not set any security options. (The first options
683 * will be used for both mounts)
684 */
685 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
686 && (num_opts == 0))
687 goto out;
688
689 root_isec = backing_inode_security_novalidate(root);
690
691 /*
692 * parse the mount options, check if they are valid sids.
693 * also check if someone is trying to mount the same sb more
694 * than once with different security options.
695 */
696 for (i = 0; i < num_opts; i++) {
697 u32 sid;
698
699 if (flags[i] == SBLABEL_MNT)
700 continue;
701 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
702 if (rc) {
703 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
704 "(%s) failed for (dev %s, type %s) errno=%d\n",
705 mount_options[i], sb->s_id, name, rc);
706 goto out;
707 }
708 switch (flags[i]) {
709 case FSCONTEXT_MNT:
710 fscontext_sid = sid;
711
712 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
713 fscontext_sid))
714 goto out_double_mount;
715
716 sbsec->flags |= FSCONTEXT_MNT;
717 break;
718 case CONTEXT_MNT:
719 context_sid = sid;
720
721 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
722 context_sid))
723 goto out_double_mount;
724
725 sbsec->flags |= CONTEXT_MNT;
726 break;
727 case ROOTCONTEXT_MNT:
728 rootcontext_sid = sid;
729
730 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
731 rootcontext_sid))
732 goto out_double_mount;
733
734 sbsec->flags |= ROOTCONTEXT_MNT;
735
736 break;
737 case DEFCONTEXT_MNT:
738 defcontext_sid = sid;
739
740 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
741 defcontext_sid))
742 goto out_double_mount;
743
744 sbsec->flags |= DEFCONTEXT_MNT;
745
746 break;
747 default:
748 rc = -EINVAL;
749 goto out;
750 }
751 }
752
753 if (sbsec->flags & SE_SBINITIALIZED) {
754 /* previously mounted with options, but not on this attempt? */
755 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
756 goto out_double_mount;
757 rc = 0;
758 goto out;
759 }
760
761 if (strcmp(sb->s_type->name, "proc") == 0)
762 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
763
764 if (!strcmp(sb->s_type->name, "debugfs") ||
765 !strcmp(sb->s_type->name, "tracefs") ||
766 !strcmp(sb->s_type->name, "sysfs") ||
767 !strcmp(sb->s_type->name, "pstore") ||
768 !strcmp(sb->s_type->name, "cgroup") ||
769 !strcmp(sb->s_type->name, "cgroup2"))
770 sbsec->flags |= SE_SBGENFS;
771
772 if (!sbsec->behavior) {
773 /*
774 * Determine the labeling behavior to use for this
775 * filesystem type.
776 */
777 rc = security_fs_use(sb);
778 if (rc) {
779 printk(KERN_WARNING
780 "%s: security_fs_use(%s) returned %d\n",
781 __func__, sb->s_type->name, rc);
782 goto out;
783 }
784 }
785
786 /*
787 * If this is a user namespace mount and the filesystem type is not
788 * explicitly whitelisted, then no contexts are allowed on the command
789 * line and security labels must be ignored.
790 */
791 if (sb->s_user_ns != &init_user_ns &&
792 strcmp(sb->s_type->name, "tmpfs") &&
793 strcmp(sb->s_type->name, "ramfs") &&
794 strcmp(sb->s_type->name, "devpts")) {
795 if (context_sid || fscontext_sid || rootcontext_sid ||
796 defcontext_sid) {
797 rc = -EACCES;
798 goto out;
799 }
800 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
801 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
802 rc = security_transition_sid(current_sid(), current_sid(),
803 SECCLASS_FILE, NULL,
804 &sbsec->mntpoint_sid);
805 if (rc)
806 goto out;
807 }
808 goto out_set_opts;
809 }
810
811 /* sets the context of the superblock for the fs being mounted. */
812 if (fscontext_sid) {
813 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
814 if (rc)
815 goto out;
816
817 sbsec->sid = fscontext_sid;
818 }
819
820 /*
821 * Switch to using mount point labeling behavior.
822 * sets the label used on all file below the mountpoint, and will set
823 * the superblock context if not already set.
824 */
825 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
826 sbsec->behavior = SECURITY_FS_USE_NATIVE;
827 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
828 }
829
830 if (context_sid) {
831 if (!fscontext_sid) {
832 rc = may_context_mount_sb_relabel(context_sid, sbsec,
833 cred);
834 if (rc)
835 goto out;
836 sbsec->sid = context_sid;
837 } else {
838 rc = may_context_mount_inode_relabel(context_sid, sbsec,
839 cred);
840 if (rc)
841 goto out;
842 }
843 if (!rootcontext_sid)
844 rootcontext_sid = context_sid;
845
846 sbsec->mntpoint_sid = context_sid;
847 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
848 }
849
850 if (rootcontext_sid) {
851 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
852 cred);
853 if (rc)
854 goto out;
855
856 root_isec->sid = rootcontext_sid;
857 root_isec->initialized = LABEL_INITIALIZED;
858 }
859
860 if (defcontext_sid) {
861 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
862 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
863 rc = -EINVAL;
864 printk(KERN_WARNING "SELinux: defcontext option is "
865 "invalid for this filesystem type\n");
866 goto out;
867 }
868
869 if (defcontext_sid != sbsec->def_sid) {
870 rc = may_context_mount_inode_relabel(defcontext_sid,
871 sbsec, cred);
872 if (rc)
873 goto out;
874 }
875
876 sbsec->def_sid = defcontext_sid;
877 }
878
879 out_set_opts:
880 rc = sb_finish_set_opts(sb);
881 out:
882 mutex_unlock(&sbsec->lock);
883 return rc;
884 out_double_mount:
885 rc = -EINVAL;
886 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
887 "security settings for (dev %s, type %s)\n", sb->s_id, name);
888 goto out;
889 }
890
891 static int selinux_cmp_sb_context(const struct super_block *oldsb,
892 const struct super_block *newsb)
893 {
894 struct superblock_security_struct *old = selinux_superblock(oldsb);
895 struct superblock_security_struct *new = selinux_superblock(newsb);
896 char oldflags = old->flags & SE_MNTMASK;
897 char newflags = new->flags & SE_MNTMASK;
898
899 if (oldflags != newflags)
900 goto mismatch;
901 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
902 goto mismatch;
903 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
904 goto mismatch;
905 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
906 goto mismatch;
907 if (oldflags & ROOTCONTEXT_MNT) {
908 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
909 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
910 if (oldroot->sid != newroot->sid)
911 goto mismatch;
912 }
913 return 0;
914 mismatch:
915 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
916 "different security settings for (dev %s, "
917 "type %s)\n", newsb->s_id, newsb->s_type->name);
918 return -EBUSY;
919 }
920
921 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
922 struct super_block *newsb,
923 unsigned long kern_flags,
924 unsigned long *set_kern_flags)
925 {
926 int rc = 0;
927 const struct superblock_security_struct *oldsbsec =
928 selinux_superblock(oldsb);
929 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
930
931 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
932 int set_context = (oldsbsec->flags & CONTEXT_MNT);
933 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
934
935 /*
936 * if the parent was able to be mounted it clearly had no special lsm
937 * mount options. thus we can safely deal with this superblock later
938 */
939 if (!ss_initialized)
940 return 0;
941
942 /*
943 * Specifying internal flags without providing a place to
944 * place the results is not allowed.
945 */
946 if (kern_flags && !set_kern_flags)
947 return -EINVAL;
948
949 /* how can we clone if the old one wasn't set up?? */
950 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
951
952 /* if fs is reusing a sb, make sure that the contexts match */
953 if (newsbsec->flags & SE_SBINITIALIZED)
954 return selinux_cmp_sb_context(oldsb, newsb);
955
956 mutex_lock(&newsbsec->lock);
957
958 newsbsec->flags = oldsbsec->flags;
959
960 newsbsec->sid = oldsbsec->sid;
961 newsbsec->def_sid = oldsbsec->def_sid;
962 newsbsec->behavior = oldsbsec->behavior;
963
964 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
965 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
966 rc = security_fs_use(newsb);
967 if (rc)
968 goto out;
969 }
970
971 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
972 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
973 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
974 }
975
976 if (set_context) {
977 u32 sid = oldsbsec->mntpoint_sid;
978
979 if (!set_fscontext)
980 newsbsec->sid = sid;
981 if (!set_rootcontext) {
982 struct inode_security_struct *newisec =
983 backing_inode_security(newsb->s_root);
984 newisec->sid = sid;
985 }
986 newsbsec->mntpoint_sid = sid;
987 }
988 if (set_rootcontext) {
989 const struct inode_security_struct *oldisec =
990 backing_inode_security(oldsb->s_root);
991 struct inode_security_struct *newisec =
992 backing_inode_security(newsb->s_root);
993
994 newisec->sid = oldisec->sid;
995 }
996
997 sb_finish_set_opts(newsb);
998 out:
999 mutex_unlock(&newsbsec->lock);
1000 return rc;
1001 }
1002
1003 static int selinux_parse_opts_str(char *options,
1004 struct security_mnt_opts *opts)
1005 {
1006 char *p;
1007 char *context = NULL, *defcontext = NULL;
1008 char *fscontext = NULL, *rootcontext = NULL;
1009 int rc, num_mnt_opts = 0;
1010
1011 opts->num_mnt_opts = 0;
1012
1013 /* Standard string-based options. */
1014 while ((p = strsep(&options, "|")) != NULL) {
1015 int token;
1016 substring_t args[MAX_OPT_ARGS];
1017
1018 if (!*p)
1019 continue;
1020
1021 token = match_token(p, tokens, args);
1022
1023 switch (token) {
1024 case Opt_context:
1025 if (context || defcontext) {
1026 rc = -EINVAL;
1027 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1028 goto out_err;
1029 }
1030 context = match_strdup(&args[0]);
1031 if (!context) {
1032 rc = -ENOMEM;
1033 goto out_err;
1034 }
1035 break;
1036
1037 case Opt_fscontext:
1038 if (fscontext) {
1039 rc = -EINVAL;
1040 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1041 goto out_err;
1042 }
1043 fscontext = match_strdup(&args[0]);
1044 if (!fscontext) {
1045 rc = -ENOMEM;
1046 goto out_err;
1047 }
1048 break;
1049
1050 case Opt_rootcontext:
1051 if (rootcontext) {
1052 rc = -EINVAL;
1053 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1054 goto out_err;
1055 }
1056 rootcontext = match_strdup(&args[0]);
1057 if (!rootcontext) {
1058 rc = -ENOMEM;
1059 goto out_err;
1060 }
1061 break;
1062
1063 case Opt_defcontext:
1064 if (context || defcontext) {
1065 rc = -EINVAL;
1066 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1067 goto out_err;
1068 }
1069 defcontext = match_strdup(&args[0]);
1070 if (!defcontext) {
1071 rc = -ENOMEM;
1072 goto out_err;
1073 }
1074 break;
1075 case Opt_labelsupport:
1076 break;
1077 default:
1078 rc = -EINVAL;
1079 printk(KERN_WARNING "SELinux: unknown mount option\n");
1080 goto out_err;
1081
1082 }
1083 }
1084
1085 rc = -ENOMEM;
1086 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1087 if (!opts->mnt_opts)
1088 goto out_err;
1089
1090 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1091 GFP_KERNEL);
1092 if (!opts->mnt_opts_flags)
1093 goto out_err;
1094
1095 if (fscontext) {
1096 opts->mnt_opts[num_mnt_opts] = fscontext;
1097 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1098 }
1099 if (context) {
1100 opts->mnt_opts[num_mnt_opts] = context;
1101 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1102 }
1103 if (rootcontext) {
1104 opts->mnt_opts[num_mnt_opts] = rootcontext;
1105 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1106 }
1107 if (defcontext) {
1108 opts->mnt_opts[num_mnt_opts] = defcontext;
1109 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1110 }
1111
1112 opts->num_mnt_opts = num_mnt_opts;
1113 return 0;
1114
1115 out_err:
1116 security_free_mnt_opts(opts);
1117 kfree(context);
1118 kfree(defcontext);
1119 kfree(fscontext);
1120 kfree(rootcontext);
1121 return rc;
1122 }
1123 /*
1124 * string mount options parsing and call set the sbsec
1125 */
1126 static int superblock_doinit(struct super_block *sb, void *data)
1127 {
1128 int rc = 0;
1129 char *options = data;
1130 struct security_mnt_opts opts;
1131
1132 security_init_mnt_opts(&opts);
1133
1134 if (!data)
1135 goto out;
1136
1137 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1138
1139 rc = selinux_parse_opts_str(options, &opts);
1140 if (rc)
1141 goto out_err;
1142
1143 out:
1144 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1145
1146 out_err:
1147 security_free_mnt_opts(&opts);
1148 return rc;
1149 }
1150
1151 static void selinux_write_opts(struct seq_file *m,
1152 struct security_mnt_opts *opts)
1153 {
1154 int i;
1155 char *prefix;
1156
1157 for (i = 0; i < opts->num_mnt_opts; i++) {
1158 char *has_comma;
1159
1160 if (opts->mnt_opts[i])
1161 has_comma = strchr(opts->mnt_opts[i], ',');
1162 else
1163 has_comma = NULL;
1164
1165 switch (opts->mnt_opts_flags[i]) {
1166 case CONTEXT_MNT:
1167 prefix = CONTEXT_STR;
1168 break;
1169 case FSCONTEXT_MNT:
1170 prefix = FSCONTEXT_STR;
1171 break;
1172 case ROOTCONTEXT_MNT:
1173 prefix = ROOTCONTEXT_STR;
1174 break;
1175 case DEFCONTEXT_MNT:
1176 prefix = DEFCONTEXT_STR;
1177 break;
1178 case SBLABEL_MNT:
1179 seq_putc(m, ',');
1180 seq_puts(m, LABELSUPP_STR);
1181 continue;
1182 default:
1183 BUG();
1184 return;
1185 };
1186 /* we need a comma before each option */
1187 seq_putc(m, ',');
1188 seq_puts(m, prefix);
1189 if (has_comma)
1190 seq_putc(m, '\"');
1191 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1192 if (has_comma)
1193 seq_putc(m, '\"');
1194 }
1195 }
1196
1197 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1198 {
1199 struct security_mnt_opts opts;
1200 int rc;
1201
1202 rc = selinux_get_mnt_opts(sb, &opts);
1203 if (rc) {
1204 /* before policy load we may get EINVAL, don't show anything */
1205 if (rc == -EINVAL)
1206 rc = 0;
1207 return rc;
1208 }
1209
1210 selinux_write_opts(m, &opts);
1211
1212 security_free_mnt_opts(&opts);
1213
1214 return rc;
1215 }
1216
1217 static inline u16 inode_mode_to_security_class(umode_t mode)
1218 {
1219 switch (mode & S_IFMT) {
1220 case S_IFSOCK:
1221 return SECCLASS_SOCK_FILE;
1222 case S_IFLNK:
1223 return SECCLASS_LNK_FILE;
1224 case S_IFREG:
1225 return SECCLASS_FILE;
1226 case S_IFBLK:
1227 return SECCLASS_BLK_FILE;
1228 case S_IFDIR:
1229 return SECCLASS_DIR;
1230 case S_IFCHR:
1231 return SECCLASS_CHR_FILE;
1232 case S_IFIFO:
1233 return SECCLASS_FIFO_FILE;
1234
1235 }
1236
1237 return SECCLASS_FILE;
1238 }
1239
1240 static inline int default_protocol_stream(int protocol)
1241 {
1242 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1243 }
1244
1245 static inline int default_protocol_dgram(int protocol)
1246 {
1247 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1248 }
1249
1250 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1251 {
1252 int extsockclass = selinux_policycap_extsockclass;
1253
1254 switch (family) {
1255 case PF_UNIX:
1256 switch (type) {
1257 case SOCK_STREAM:
1258 case SOCK_SEQPACKET:
1259 return SECCLASS_UNIX_STREAM_SOCKET;
1260 case SOCK_DGRAM:
1261 case SOCK_RAW:
1262 return SECCLASS_UNIX_DGRAM_SOCKET;
1263 }
1264 break;
1265 case PF_INET:
1266 case PF_INET6:
1267 switch (type) {
1268 case SOCK_STREAM:
1269 case SOCK_SEQPACKET:
1270 if (default_protocol_stream(protocol))
1271 return SECCLASS_TCP_SOCKET;
1272 else if (extsockclass && protocol == IPPROTO_SCTP)
1273 return SECCLASS_SCTP_SOCKET;
1274 else
1275 return SECCLASS_RAWIP_SOCKET;
1276 case SOCK_DGRAM:
1277 if (default_protocol_dgram(protocol))
1278 return SECCLASS_UDP_SOCKET;
1279 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1280 protocol == IPPROTO_ICMPV6))
1281 return SECCLASS_ICMP_SOCKET;
1282 else
1283 return SECCLASS_RAWIP_SOCKET;
1284 case SOCK_DCCP:
1285 return SECCLASS_DCCP_SOCKET;
1286 default:
1287 return SECCLASS_RAWIP_SOCKET;
1288 }
1289 break;
1290 case PF_NETLINK:
1291 switch (protocol) {
1292 case NETLINK_ROUTE:
1293 return SECCLASS_NETLINK_ROUTE_SOCKET;
1294 case NETLINK_SOCK_DIAG:
1295 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1296 case NETLINK_NFLOG:
1297 return SECCLASS_NETLINK_NFLOG_SOCKET;
1298 case NETLINK_XFRM:
1299 return SECCLASS_NETLINK_XFRM_SOCKET;
1300 case NETLINK_SELINUX:
1301 return SECCLASS_NETLINK_SELINUX_SOCKET;
1302 case NETLINK_ISCSI:
1303 return SECCLASS_NETLINK_ISCSI_SOCKET;
1304 case NETLINK_AUDIT:
1305 return SECCLASS_NETLINK_AUDIT_SOCKET;
1306 case NETLINK_FIB_LOOKUP:
1307 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1308 case NETLINK_CONNECTOR:
1309 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1310 case NETLINK_NETFILTER:
1311 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1312 case NETLINK_DNRTMSG:
1313 return SECCLASS_NETLINK_DNRT_SOCKET;
1314 case NETLINK_KOBJECT_UEVENT:
1315 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1316 case NETLINK_GENERIC:
1317 return SECCLASS_NETLINK_GENERIC_SOCKET;
1318 case NETLINK_SCSITRANSPORT:
1319 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1320 case NETLINK_RDMA:
1321 return SECCLASS_NETLINK_RDMA_SOCKET;
1322 case NETLINK_CRYPTO:
1323 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1324 default:
1325 return SECCLASS_NETLINK_SOCKET;
1326 }
1327 case PF_PACKET:
1328 return SECCLASS_PACKET_SOCKET;
1329 case PF_KEY:
1330 return SECCLASS_KEY_SOCKET;
1331 case PF_APPLETALK:
1332 return SECCLASS_APPLETALK_SOCKET;
1333 }
1334
1335 if (extsockclass) {
1336 switch (family) {
1337 case PF_AX25:
1338 return SECCLASS_AX25_SOCKET;
1339 case PF_IPX:
1340 return SECCLASS_IPX_SOCKET;
1341 case PF_NETROM:
1342 return SECCLASS_NETROM_SOCKET;
1343 case PF_ATMPVC:
1344 return SECCLASS_ATMPVC_SOCKET;
1345 case PF_X25:
1346 return SECCLASS_X25_SOCKET;
1347 case PF_ROSE:
1348 return SECCLASS_ROSE_SOCKET;
1349 case PF_DECnet:
1350 return SECCLASS_DECNET_SOCKET;
1351 case PF_ATMSVC:
1352 return SECCLASS_ATMSVC_SOCKET;
1353 case PF_RDS:
1354 return SECCLASS_RDS_SOCKET;
1355 case PF_IRDA:
1356 return SECCLASS_IRDA_SOCKET;
1357 case PF_PPPOX:
1358 return SECCLASS_PPPOX_SOCKET;
1359 case PF_LLC:
1360 return SECCLASS_LLC_SOCKET;
1361 case PF_CAN:
1362 return SECCLASS_CAN_SOCKET;
1363 case PF_TIPC:
1364 return SECCLASS_TIPC_SOCKET;
1365 case PF_BLUETOOTH:
1366 return SECCLASS_BLUETOOTH_SOCKET;
1367 case PF_IUCV:
1368 return SECCLASS_IUCV_SOCKET;
1369 case PF_RXRPC:
1370 return SECCLASS_RXRPC_SOCKET;
1371 case PF_ISDN:
1372 return SECCLASS_ISDN_SOCKET;
1373 case PF_PHONET:
1374 return SECCLASS_PHONET_SOCKET;
1375 case PF_IEEE802154:
1376 return SECCLASS_IEEE802154_SOCKET;
1377 case PF_CAIF:
1378 return SECCLASS_CAIF_SOCKET;
1379 case PF_ALG:
1380 return SECCLASS_ALG_SOCKET;
1381 case PF_NFC:
1382 return SECCLASS_NFC_SOCKET;
1383 case PF_VSOCK:
1384 return SECCLASS_VSOCK_SOCKET;
1385 case PF_KCM:
1386 return SECCLASS_KCM_SOCKET;
1387 case PF_QIPCRTR:
1388 return SECCLASS_QIPCRTR_SOCKET;
1389 case PF_SMC:
1390 return SECCLASS_SMC_SOCKET;
1391 #if PF_MAX > 44
1392 #error New address family defined, please update this function.
1393 #endif
1394 }
1395 }
1396
1397 return SECCLASS_SOCKET;
1398 }
1399
1400 static int selinux_genfs_get_sid(struct dentry *dentry,
1401 u16 tclass,
1402 u16 flags,
1403 u32 *sid)
1404 {
1405 int rc;
1406 struct super_block *sb = dentry->d_sb;
1407 char *buffer, *path;
1408
1409 buffer = (char *)__get_free_page(GFP_KERNEL);
1410 if (!buffer)
1411 return -ENOMEM;
1412
1413 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1414 if (IS_ERR(path))
1415 rc = PTR_ERR(path);
1416 else {
1417 if (flags & SE_SBPROC) {
1418 /* each process gets a /proc/PID/ entry. Strip off the
1419 * PID part to get a valid selinux labeling.
1420 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1421 while (path[1] >= '0' && path[1] <= '9') {
1422 path[1] = '/';
1423 path++;
1424 }
1425 }
1426 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1427 if (rc == -ENOENT) {
1428 /* No match in policy, mark as unlabeled. */
1429 *sid = SECINITSID_UNLABELED;
1430 rc = 0;
1431 }
1432 }
1433 free_page((unsigned long)buffer);
1434 return rc;
1435 }
1436
1437 /* The inode's security attributes must be initialized before first use. */
1438 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1439 {
1440 struct superblock_security_struct *sbsec = NULL;
1441 struct inode_security_struct *isec = selinux_inode(inode);
1442 u32 task_sid, sid = 0;
1443 u16 sclass;
1444 struct dentry *dentry;
1445 #define INITCONTEXTLEN 255
1446 char *context = NULL;
1447 unsigned len = 0;
1448 int rc = 0;
1449
1450 if (isec->initialized == LABEL_INITIALIZED)
1451 return 0;
1452
1453 spin_lock(&isec->lock);
1454 if (isec->initialized == LABEL_INITIALIZED)
1455 goto out_unlock;
1456
1457 if (isec->sclass == SECCLASS_FILE)
1458 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1459
1460 sbsec = selinux_superblock(inode->i_sb);
1461 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1462 /* Defer initialization until selinux_complete_init,
1463 after the initial policy is loaded and the security
1464 server is ready to handle calls. */
1465 spin_lock(&sbsec->isec_lock);
1466 if (list_empty(&isec->list))
1467 list_add(&isec->list, &sbsec->isec_head);
1468 spin_unlock(&sbsec->isec_lock);
1469 goto out_unlock;
1470 }
1471
1472 sclass = isec->sclass;
1473 task_sid = isec->task_sid;
1474 sid = isec->sid;
1475 isec->initialized = LABEL_PENDING;
1476 spin_unlock(&isec->lock);
1477
1478 switch (sbsec->behavior) {
1479 case SECURITY_FS_USE_NATIVE:
1480 break;
1481 case SECURITY_FS_USE_XATTR:
1482 if (!(inode->i_opflags & IOP_XATTR)) {
1483 sid = sbsec->def_sid;
1484 break;
1485 }
1486 /* Need a dentry, since the xattr API requires one.
1487 Life would be simpler if we could just pass the inode. */
1488 if (opt_dentry) {
1489 /* Called from d_instantiate or d_splice_alias. */
1490 dentry = dget(opt_dentry);
1491 } else {
1492 /*
1493 * Called from selinux_complete_init, try to find a dentry.
1494 * Some filesystems really want a connected one, so try
1495 * that first. We could split SECURITY_FS_USE_XATTR in
1496 * two, depending upon that...
1497 */
1498 dentry = d_find_alias(inode);
1499 if (!dentry)
1500 dentry = d_find_any_alias(inode);
1501 }
1502 if (!dentry) {
1503 /*
1504 * this is can be hit on boot when a file is accessed
1505 * before the policy is loaded. When we load policy we
1506 * may find inodes that have no dentry on the
1507 * sbsec->isec_head list. No reason to complain as these
1508 * will get fixed up the next time we go through
1509 * inode_doinit with a dentry, before these inodes could
1510 * be used again by userspace.
1511 */
1512 goto out;
1513 }
1514
1515 len = INITCONTEXTLEN;
1516 context = kmalloc(len+1, GFP_NOFS);
1517 if (!context) {
1518 rc = -ENOMEM;
1519 dput(dentry);
1520 goto out;
1521 }
1522 context[len] = '\0';
1523 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1524 if (rc == -ERANGE) {
1525 kfree(context);
1526
1527 /* Need a larger buffer. Query for the right size. */
1528 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1529 if (rc < 0) {
1530 dput(dentry);
1531 goto out;
1532 }
1533 len = rc;
1534 context = kmalloc(len+1, GFP_NOFS);
1535 if (!context) {
1536 rc = -ENOMEM;
1537 dput(dentry);
1538 goto out;
1539 }
1540 context[len] = '\0';
1541 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1542 }
1543 dput(dentry);
1544 if (rc < 0) {
1545 if (rc != -ENODATA) {
1546 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1547 "%d for dev=%s ino=%ld\n", __func__,
1548 -rc, inode->i_sb->s_id, inode->i_ino);
1549 kfree(context);
1550 goto out;
1551 }
1552 /* Map ENODATA to the default file SID */
1553 sid = sbsec->def_sid;
1554 rc = 0;
1555 } else {
1556 rc = security_context_to_sid_default(context, rc, &sid,
1557 sbsec->def_sid,
1558 GFP_NOFS);
1559 if (rc) {
1560 char *dev = inode->i_sb->s_id;
1561 unsigned long ino = inode->i_ino;
1562
1563 if (rc == -EINVAL) {
1564 if (printk_ratelimit())
1565 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1566 "context=%s. This indicates you may need to relabel the inode or the "
1567 "filesystem in question.\n", ino, dev, context);
1568 } else {
1569 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1570 "returned %d for dev=%s ino=%ld\n",
1571 __func__, context, -rc, dev, ino);
1572 }
1573 kfree(context);
1574 /* Leave with the unlabeled SID */
1575 rc = 0;
1576 break;
1577 }
1578 }
1579 kfree(context);
1580 break;
1581 case SECURITY_FS_USE_TASK:
1582 sid = task_sid;
1583 break;
1584 case SECURITY_FS_USE_TRANS:
1585 /* Default to the fs SID. */
1586 sid = sbsec->sid;
1587
1588 /* Try to obtain a transition SID. */
1589 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1590 if (rc)
1591 goto out;
1592 break;
1593 case SECURITY_FS_USE_MNTPOINT:
1594 sid = sbsec->mntpoint_sid;
1595 break;
1596 default:
1597 /* Default to the fs superblock SID. */
1598 sid = sbsec->sid;
1599
1600 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1601 /* We must have a dentry to determine the label on
1602 * procfs inodes */
1603 if (opt_dentry) {
1604 /* Called from d_instantiate or
1605 * d_splice_alias. */
1606 dentry = dget(opt_dentry);
1607 } else {
1608 /* Called from selinux_complete_init, try to
1609 * find a dentry. Some filesystems really want
1610 * a connected one, so try that first.
1611 */
1612 dentry = d_find_alias(inode);
1613 if (!dentry)
1614 dentry = d_find_any_alias(inode);
1615 }
1616 /*
1617 * This can be hit on boot when a file is accessed
1618 * before the policy is loaded. When we load policy we
1619 * may find inodes that have no dentry on the
1620 * sbsec->isec_head list. No reason to complain as
1621 * these will get fixed up the next time we go through
1622 * inode_doinit() with a dentry, before these inodes
1623 * could be used again by userspace.
1624 */
1625 if (!dentry)
1626 goto out;
1627 rc = selinux_genfs_get_sid(dentry, sclass,
1628 sbsec->flags, &sid);
1629 dput(dentry);
1630 if (rc)
1631 goto out;
1632 }
1633 break;
1634 }
1635
1636 out:
1637 spin_lock(&isec->lock);
1638 if (isec->initialized == LABEL_PENDING) {
1639 if (!sid || rc) {
1640 isec->initialized = LABEL_INVALID;
1641 goto out_unlock;
1642 }
1643
1644 isec->initialized = LABEL_INITIALIZED;
1645 isec->sid = sid;
1646 }
1647
1648 out_unlock:
1649 spin_unlock(&isec->lock);
1650 return rc;
1651 }
1652
1653 /* Convert a Linux signal to an access vector. */
1654 static inline u32 signal_to_av(int sig)
1655 {
1656 u32 perm = 0;
1657
1658 switch (sig) {
1659 case SIGCHLD:
1660 /* Commonly granted from child to parent. */
1661 perm = PROCESS__SIGCHLD;
1662 break;
1663 case SIGKILL:
1664 /* Cannot be caught or ignored */
1665 perm = PROCESS__SIGKILL;
1666 break;
1667 case SIGSTOP:
1668 /* Cannot be caught or ignored */
1669 perm = PROCESS__SIGSTOP;
1670 break;
1671 default:
1672 /* All other signals. */
1673 perm = PROCESS__SIGNAL;
1674 break;
1675 }
1676
1677 return perm;
1678 }
1679
1680 #if CAP_LAST_CAP > 63
1681 #error Fix SELinux to handle capabilities > 63.
1682 #endif
1683
1684 /* Check whether a task is allowed to use a capability. */
1685 static int cred_has_capability(const struct cred *cred,
1686 int cap, int audit, bool initns)
1687 {
1688 struct common_audit_data ad;
1689 struct av_decision avd;
1690 u16 sclass;
1691 u32 sid = cred_sid(cred);
1692 u32 av = CAP_TO_MASK(cap);
1693 int rc;
1694
1695 ad.type = LSM_AUDIT_DATA_CAP;
1696 ad.u.cap = cap;
1697
1698 switch (CAP_TO_INDEX(cap)) {
1699 case 0:
1700 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1701 break;
1702 case 1:
1703 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1704 break;
1705 default:
1706 printk(KERN_ERR
1707 "SELinux: out of range capability %d\n", cap);
1708 BUG();
1709 return -EINVAL;
1710 }
1711
1712 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1713 if (audit == SECURITY_CAP_AUDIT) {
1714 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1715 if (rc2)
1716 return rc2;
1717 }
1718 return rc;
1719 }
1720
1721 /* Check whether a task has a particular permission to an inode.
1722 The 'adp' parameter is optional and allows other audit
1723 data to be passed (e.g. the dentry). */
1724 static int inode_has_perm(const struct cred *cred,
1725 struct inode *inode,
1726 u32 perms,
1727 struct common_audit_data *adp)
1728 {
1729 struct inode_security_struct *isec;
1730 u32 sid;
1731
1732 validate_creds(cred);
1733
1734 if (unlikely(IS_PRIVATE(inode)))
1735 return 0;
1736
1737 sid = cred_sid(cred);
1738 isec = selinux_inode(inode);
1739
1740 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1741 }
1742
1743 /* Same as inode_has_perm, but pass explicit audit data containing
1744 the dentry to help the auditing code to more easily generate the
1745 pathname if needed. */
1746 static inline int dentry_has_perm(const struct cred *cred,
1747 struct dentry *dentry,
1748 u32 av)
1749 {
1750 struct inode *inode = d_backing_inode(dentry);
1751 struct common_audit_data ad;
1752
1753 ad.type = LSM_AUDIT_DATA_DENTRY;
1754 ad.u.dentry = dentry;
1755 __inode_security_revalidate(inode, dentry, true);
1756 return inode_has_perm(cred, inode, av, &ad);
1757 }
1758
1759 /* Same as inode_has_perm, but pass explicit audit data containing
1760 the path to help the auditing code to more easily generate the
1761 pathname if needed. */
1762 static inline int path_has_perm(const struct cred *cred,
1763 const struct path *path,
1764 u32 av)
1765 {
1766 struct inode *inode = d_backing_inode(path->dentry);
1767 struct common_audit_data ad;
1768
1769 ad.type = LSM_AUDIT_DATA_PATH;
1770 ad.u.path = *path;
1771 __inode_security_revalidate(inode, path->dentry, true);
1772 return inode_has_perm(cred, inode, av, &ad);
1773 }
1774
1775 /* Same as path_has_perm, but uses the inode from the file struct. */
1776 static inline int file_path_has_perm(const struct cred *cred,
1777 struct file *file,
1778 u32 av)
1779 {
1780 struct common_audit_data ad;
1781
1782 ad.type = LSM_AUDIT_DATA_FILE;
1783 ad.u.file = file;
1784 return inode_has_perm(cred, file_inode(file), av, &ad);
1785 }
1786
1787 #ifdef CONFIG_BPF_SYSCALL
1788 static int bpf_fd_pass(struct file *file, u32 sid);
1789 #endif
1790
1791 /* Check whether a task can use an open file descriptor to
1792 access an inode in a given way. Check access to the
1793 descriptor itself, and then use dentry_has_perm to
1794 check a particular permission to the file.
1795 Access to the descriptor is implicitly granted if it
1796 has the same SID as the process. If av is zero, then
1797 access to the file is not checked, e.g. for cases
1798 where only the descriptor is affected like seek. */
1799 static int file_has_perm(const struct cred *cred,
1800 struct file *file,
1801 u32 av)
1802 {
1803 struct file_security_struct *fsec = selinux_file(file);
1804 struct inode *inode = file_inode(file);
1805 struct common_audit_data ad;
1806 u32 sid = cred_sid(cred);
1807 int rc;
1808
1809 ad.type = LSM_AUDIT_DATA_FILE;
1810 ad.u.file = file;
1811
1812 if (sid != fsec->sid) {
1813 rc = avc_has_perm(sid, fsec->sid,
1814 SECCLASS_FD,
1815 FD__USE,
1816 &ad);
1817 if (rc)
1818 goto out;
1819 }
1820
1821 #ifdef CONFIG_BPF_SYSCALL
1822 rc = bpf_fd_pass(file, cred_sid(cred));
1823 if (rc)
1824 return rc;
1825 #endif
1826
1827 /* av is zero if only checking access to the descriptor. */
1828 rc = 0;
1829 if (av)
1830 rc = inode_has_perm(cred, inode, av, &ad);
1831
1832 out:
1833 return rc;
1834 }
1835
1836 /*
1837 * Determine the label for an inode that might be unioned.
1838 */
1839 static int
1840 selinux_determine_inode_label(const struct task_security_struct *tsec,
1841 struct inode *dir,
1842 const struct qstr *name, u16 tclass,
1843 u32 *_new_isid)
1844 {
1845 const struct superblock_security_struct *sbsec =
1846 selinux_superblock(dir->i_sb);
1847
1848 if ((sbsec->flags & SE_SBINITIALIZED) &&
1849 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1850 *_new_isid = sbsec->mntpoint_sid;
1851 } else if ((sbsec->flags & SBLABEL_MNT) &&
1852 tsec->create_sid) {
1853 *_new_isid = tsec->create_sid;
1854 } else {
1855 const struct inode_security_struct *dsec = inode_security(dir);
1856 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1857 name, _new_isid);
1858 }
1859
1860 return 0;
1861 }
1862
1863 /* Check whether a task can create a file. */
1864 static int may_create(struct inode *dir,
1865 struct dentry *dentry,
1866 u16 tclass)
1867 {
1868 const struct task_security_struct *tsec = selinux_cred(current_cred());
1869 struct inode_security_struct *dsec;
1870 struct superblock_security_struct *sbsec;
1871 u32 sid, newsid;
1872 struct common_audit_data ad;
1873 int rc;
1874
1875 dsec = inode_security(dir);
1876 sbsec = selinux_superblock(dir->i_sb);
1877
1878 sid = tsec->sid;
1879
1880 ad.type = LSM_AUDIT_DATA_DENTRY;
1881 ad.u.dentry = dentry;
1882
1883 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1884 DIR__ADD_NAME | DIR__SEARCH,
1885 &ad);
1886 if (rc)
1887 return rc;
1888
1889 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1890 &dentry->d_name, tclass, &newsid);
1891 if (rc)
1892 return rc;
1893
1894 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1895 if (rc)
1896 return rc;
1897
1898 return avc_has_perm(newsid, sbsec->sid,
1899 SECCLASS_FILESYSTEM,
1900 FILESYSTEM__ASSOCIATE, &ad);
1901 }
1902
1903 #define MAY_LINK 0
1904 #define MAY_UNLINK 1
1905 #define MAY_RMDIR 2
1906
1907 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1908 static int may_link(struct inode *dir,
1909 struct dentry *dentry,
1910 int kind)
1911
1912 {
1913 struct inode_security_struct *dsec, *isec;
1914 struct common_audit_data ad;
1915 u32 sid = current_sid();
1916 u32 av;
1917 int rc;
1918
1919 dsec = inode_security(dir);
1920 isec = backing_inode_security(dentry);
1921
1922 ad.type = LSM_AUDIT_DATA_DENTRY;
1923 ad.u.dentry = dentry;
1924
1925 av = DIR__SEARCH;
1926 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1927 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1928 if (rc)
1929 return rc;
1930
1931 switch (kind) {
1932 case MAY_LINK:
1933 av = FILE__LINK;
1934 break;
1935 case MAY_UNLINK:
1936 av = FILE__UNLINK;
1937 break;
1938 case MAY_RMDIR:
1939 av = DIR__RMDIR;
1940 break;
1941 default:
1942 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1943 __func__, kind);
1944 return 0;
1945 }
1946
1947 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1948 return rc;
1949 }
1950
1951 static inline int may_rename(struct inode *old_dir,
1952 struct dentry *old_dentry,
1953 struct inode *new_dir,
1954 struct dentry *new_dentry)
1955 {
1956 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1957 struct common_audit_data ad;
1958 u32 sid = current_sid();
1959 u32 av;
1960 int old_is_dir, new_is_dir;
1961 int rc;
1962
1963 old_dsec = inode_security(old_dir);
1964 old_isec = backing_inode_security(old_dentry);
1965 old_is_dir = d_is_dir(old_dentry);
1966 new_dsec = inode_security(new_dir);
1967
1968 ad.type = LSM_AUDIT_DATA_DENTRY;
1969
1970 ad.u.dentry = old_dentry;
1971 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1972 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1973 if (rc)
1974 return rc;
1975 rc = avc_has_perm(sid, old_isec->sid,
1976 old_isec->sclass, FILE__RENAME, &ad);
1977 if (rc)
1978 return rc;
1979 if (old_is_dir && new_dir != old_dir) {
1980 rc = avc_has_perm(sid, old_isec->sid,
1981 old_isec->sclass, DIR__REPARENT, &ad);
1982 if (rc)
1983 return rc;
1984 }
1985
1986 ad.u.dentry = new_dentry;
1987 av = DIR__ADD_NAME | DIR__SEARCH;
1988 if (d_is_positive(new_dentry))
1989 av |= DIR__REMOVE_NAME;
1990 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1991 if (rc)
1992 return rc;
1993 if (d_is_positive(new_dentry)) {
1994 new_isec = backing_inode_security(new_dentry);
1995 new_is_dir = d_is_dir(new_dentry);
1996 rc = avc_has_perm(sid, new_isec->sid,
1997 new_isec->sclass,
1998 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1999 if (rc)
2000 return rc;
2001 }
2002
2003 return 0;
2004 }
2005
2006 /* Check whether a task can perform a filesystem operation. */
2007 static int superblock_has_perm(const struct cred *cred,
2008 struct super_block *sb,
2009 u32 perms,
2010 struct common_audit_data *ad)
2011 {
2012 struct superblock_security_struct *sbsec;
2013 u32 sid = cred_sid(cred);
2014
2015 sbsec = selinux_superblock(sb);
2016 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2017 }
2018
2019 /* Convert a Linux mode and permission mask to an access vector. */
2020 static inline u32 file_mask_to_av(int mode, int mask)
2021 {
2022 u32 av = 0;
2023
2024 if (!S_ISDIR(mode)) {
2025 if (mask & MAY_EXEC)
2026 av |= FILE__EXECUTE;
2027 if (mask & MAY_READ)
2028 av |= FILE__READ;
2029
2030 if (mask & MAY_APPEND)
2031 av |= FILE__APPEND;
2032 else if (mask & MAY_WRITE)
2033 av |= FILE__WRITE;
2034
2035 } else {
2036 if (mask & MAY_EXEC)
2037 av |= DIR__SEARCH;
2038 if (mask & MAY_WRITE)
2039 av |= DIR__WRITE;
2040 if (mask & MAY_READ)
2041 av |= DIR__READ;
2042 }
2043
2044 return av;
2045 }
2046
2047 /* Convert a Linux file to an access vector. */
2048 static inline u32 file_to_av(struct file *file)
2049 {
2050 u32 av = 0;
2051
2052 if (file->f_mode & FMODE_READ)
2053 av |= FILE__READ;
2054 if (file->f_mode & FMODE_WRITE) {
2055 if (file->f_flags & O_APPEND)
2056 av |= FILE__APPEND;
2057 else
2058 av |= FILE__WRITE;
2059 }
2060 if (!av) {
2061 /*
2062 * Special file opened with flags 3 for ioctl-only use.
2063 */
2064 av = FILE__IOCTL;
2065 }
2066
2067 return av;
2068 }
2069
2070 /*
2071 * Convert a file to an access vector and include the correct open
2072 * open permission.
2073 */
2074 static inline u32 open_file_to_av(struct file *file)
2075 {
2076 u32 av = file_to_av(file);
2077 struct inode *inode = file_inode(file);
2078
2079 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2080 av |= FILE__OPEN;
2081
2082 return av;
2083 }
2084
2085 /* Hook functions begin here. */
2086
2087 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2088 {
2089 u32 mysid = current_sid();
2090 u32 mgrsid = task_sid(mgr);
2091
2092 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2093 BINDER__SET_CONTEXT_MGR, NULL);
2094 }
2095
2096 static int selinux_binder_transaction(struct task_struct *from,
2097 struct task_struct *to)
2098 {
2099 u32 mysid = current_sid();
2100 u32 fromsid = task_sid(from);
2101 u32 tosid = task_sid(to);
2102 int rc;
2103
2104 if (mysid != fromsid) {
2105 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2106 BINDER__IMPERSONATE, NULL);
2107 if (rc)
2108 return rc;
2109 }
2110
2111 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2112 NULL);
2113 }
2114
2115 static int selinux_binder_transfer_binder(struct task_struct *from,
2116 struct task_struct *to)
2117 {
2118 u32 fromsid = task_sid(from);
2119 u32 tosid = task_sid(to);
2120
2121 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2122 NULL);
2123 }
2124
2125 static int selinux_binder_transfer_file(struct task_struct *from,
2126 struct task_struct *to,
2127 struct file *file)
2128 {
2129 u32 sid = task_sid(to);
2130 struct file_security_struct *fsec = selinux_file(file);
2131 struct dentry *dentry = file->f_path.dentry;
2132 struct inode_security_struct *isec;
2133 struct common_audit_data ad;
2134 int rc;
2135
2136 ad.type = LSM_AUDIT_DATA_PATH;
2137 ad.u.path = file->f_path;
2138
2139 if (sid != fsec->sid) {
2140 rc = avc_has_perm(sid, fsec->sid,
2141 SECCLASS_FD,
2142 FD__USE,
2143 &ad);
2144 if (rc)
2145 return rc;
2146 }
2147
2148 #ifdef CONFIG_BPF_SYSCALL
2149 rc = bpf_fd_pass(file, sid);
2150 if (rc)
2151 return rc;
2152 #endif
2153
2154 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2155 return 0;
2156
2157 isec = backing_inode_security(dentry);
2158 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2159 &ad);
2160 }
2161
2162 static int selinux_ptrace_access_check(struct task_struct *child,
2163 unsigned int mode)
2164 {
2165 u32 sid = current_sid();
2166 u32 csid = task_sid(child);
2167
2168 if (mode & PTRACE_MODE_READ)
2169 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2170
2171 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2172 }
2173
2174 static int selinux_ptrace_traceme(struct task_struct *parent)
2175 {
2176 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2177 PROCESS__PTRACE, NULL);
2178 }
2179
2180 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2181 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2182 {
2183 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2184 PROCESS__GETCAP, NULL);
2185 }
2186
2187 static int selinux_capset(struct cred *new, const struct cred *old,
2188 const kernel_cap_t *effective,
2189 const kernel_cap_t *inheritable,
2190 const kernel_cap_t *permitted)
2191 {
2192 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2193 PROCESS__SETCAP, NULL);
2194 }
2195
2196 /*
2197 * (This comment used to live with the selinux_task_setuid hook,
2198 * which was removed).
2199 *
2200 * Since setuid only affects the current process, and since the SELinux
2201 * controls are not based on the Linux identity attributes, SELinux does not
2202 * need to control this operation. However, SELinux does control the use of
2203 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2204 */
2205
2206 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2207 int cap, int audit)
2208 {
2209 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2210 }
2211
2212 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2213 {
2214 const struct cred *cred = current_cred();
2215 int rc = 0;
2216
2217 if (!sb)
2218 return 0;
2219
2220 switch (cmds) {
2221 case Q_SYNC:
2222 case Q_QUOTAON:
2223 case Q_QUOTAOFF:
2224 case Q_SETINFO:
2225 case Q_SETQUOTA:
2226 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2227 break;
2228 case Q_GETFMT:
2229 case Q_GETINFO:
2230 case Q_GETQUOTA:
2231 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2232 break;
2233 default:
2234 rc = 0; /* let the kernel handle invalid cmds */
2235 break;
2236 }
2237 return rc;
2238 }
2239
2240 static int selinux_quota_on(struct dentry *dentry)
2241 {
2242 const struct cred *cred = current_cred();
2243
2244 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2245 }
2246
2247 static int selinux_syslog(int type)
2248 {
2249 switch (type) {
2250 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2251 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2252 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2253 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2254 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2255 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2256 /* Set level of messages printed to console */
2257 case SYSLOG_ACTION_CONSOLE_LEVEL:
2258 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2259 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2260 NULL);
2261 }
2262 /* All other syslog types */
2263 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2264 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2265 }
2266
2267 /*
2268 * Check that a process has enough memory to allocate a new virtual
2269 * mapping. 0 means there is enough memory for the allocation to
2270 * succeed and -ENOMEM implies there is not.
2271 *
2272 * Do not audit the selinux permission check, as this is applied to all
2273 * processes that allocate mappings.
2274 */
2275 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2276 {
2277 int rc, cap_sys_admin = 0;
2278
2279 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2280 SECURITY_CAP_NOAUDIT, true);
2281 if (rc == 0)
2282 cap_sys_admin = 1;
2283
2284 return cap_sys_admin;
2285 }
2286
2287 /* binprm security operations */
2288
2289 static u32 ptrace_parent_sid(void)
2290 {
2291 u32 sid = 0;
2292 struct task_struct *tracer;
2293
2294 rcu_read_lock();
2295 tracer = ptrace_parent(current);
2296 if (tracer)
2297 sid = task_sid(tracer);
2298 rcu_read_unlock();
2299
2300 return sid;
2301 }
2302
2303 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2304 const struct task_security_struct *old_tsec,
2305 const struct task_security_struct *new_tsec)
2306 {
2307 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2308 int nosuid = path_nosuid(&bprm->file->f_path);
2309 int rc;
2310 u32 av;
2311
2312 if (!nnp && !nosuid)
2313 return 0; /* neither NNP nor nosuid */
2314
2315 if (new_tsec->sid == old_tsec->sid)
2316 return 0; /* No change in credentials */
2317
2318 /*
2319 * If the policy enables the nnp_nosuid_transition policy capability,
2320 * then we permit transitions under NNP or nosuid if the
2321 * policy allows the corresponding permission between
2322 * the old and new contexts.
2323 */
2324 if (selinux_policycap_nnp_nosuid_transition) {
2325 av = 0;
2326 if (nnp)
2327 av |= PROCESS2__NNP_TRANSITION;
2328 if (nosuid)
2329 av |= PROCESS2__NOSUID_TRANSITION;
2330 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2331 SECCLASS_PROCESS2, av, NULL);
2332 if (!rc)
2333 return 0;
2334 }
2335
2336 /*
2337 * We also permit NNP or nosuid transitions to bounded SIDs,
2338 * i.e. SIDs that are guaranteed to only be allowed a subset
2339 * of the permissions of the current SID.
2340 */
2341 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2342 if (!rc)
2343 return 0;
2344
2345 /*
2346 * On failure, preserve the errno values for NNP vs nosuid.
2347 * NNP: Operation not permitted for caller.
2348 * nosuid: Permission denied to file.
2349 */
2350 if (nnp)
2351 return -EPERM;
2352 return -EACCES;
2353 }
2354
2355 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2356 {
2357 const struct task_security_struct *old_tsec;
2358 struct task_security_struct *new_tsec;
2359 struct inode_security_struct *isec;
2360 struct common_audit_data ad;
2361 struct inode *inode = file_inode(bprm->file);
2362 int rc;
2363
2364 /* SELinux context only depends on initial program or script and not
2365 * the script interpreter */
2366 if (bprm->called_set_creds)
2367 return 0;
2368
2369 old_tsec = selinux_cred(current_cred());
2370 new_tsec = selinux_cred(bprm->cred);
2371 isec = inode_security(inode);
2372
2373 /* Default to the current task SID. */
2374 new_tsec->sid = old_tsec->sid;
2375 new_tsec->osid = old_tsec->sid;
2376
2377 /* Reset fs, key, and sock SIDs on execve. */
2378 new_tsec->create_sid = 0;
2379 new_tsec->keycreate_sid = 0;
2380 new_tsec->sockcreate_sid = 0;
2381
2382 if (old_tsec->exec_sid) {
2383 new_tsec->sid = old_tsec->exec_sid;
2384 /* Reset exec SID on execve. */
2385 new_tsec->exec_sid = 0;
2386
2387 /* Fail on NNP or nosuid if not an allowed transition. */
2388 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2389 if (rc)
2390 return rc;
2391 } else {
2392 /* Check for a default transition on this program. */
2393 rc = security_transition_sid(old_tsec->sid, isec->sid,
2394 SECCLASS_PROCESS, NULL,
2395 &new_tsec->sid);
2396 if (rc)
2397 return rc;
2398
2399 /*
2400 * Fallback to old SID on NNP or nosuid if not an allowed
2401 * transition.
2402 */
2403 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2404 if (rc)
2405 new_tsec->sid = old_tsec->sid;
2406 }
2407
2408 ad.type = LSM_AUDIT_DATA_FILE;
2409 ad.u.file = bprm->file;
2410
2411 if (new_tsec->sid == old_tsec->sid) {
2412 rc = avc_has_perm(old_tsec->sid, isec->sid,
2413 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2414 if (rc)
2415 return rc;
2416 } else {
2417 /* Check permissions for the transition. */
2418 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2419 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2420 if (rc)
2421 return rc;
2422
2423 rc = avc_has_perm(new_tsec->sid, isec->sid,
2424 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2425 if (rc)
2426 return rc;
2427
2428 /* Check for shared state */
2429 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2430 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2431 SECCLASS_PROCESS, PROCESS__SHARE,
2432 NULL);
2433 if (rc)
2434 return -EPERM;
2435 }
2436
2437 /* Make sure that anyone attempting to ptrace over a task that
2438 * changes its SID has the appropriate permit */
2439 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2440 u32 ptsid = ptrace_parent_sid();
2441 if (ptsid != 0) {
2442 rc = avc_has_perm(ptsid, new_tsec->sid,
2443 SECCLASS_PROCESS,
2444 PROCESS__PTRACE, NULL);
2445 if (rc)
2446 return -EPERM;
2447 }
2448 }
2449
2450 /* Clear any possibly unsafe personality bits on exec: */
2451 bprm->per_clear |= PER_CLEAR_ON_SETID;
2452
2453 /* Enable secure mode for SIDs transitions unless
2454 the noatsecure permission is granted between
2455 the two SIDs, i.e. ahp returns 0. */
2456 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2457 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2458 NULL);
2459 bprm->secureexec |= !!rc;
2460 }
2461
2462 return 0;
2463 }
2464
2465 static int match_file(const void *p, struct file *file, unsigned fd)
2466 {
2467 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2468 }
2469
2470 /* Derived from fs/exec.c:flush_old_files. */
2471 static inline void flush_unauthorized_files(const struct cred *cred,
2472 struct files_struct *files)
2473 {
2474 struct file *file, *devnull = NULL;
2475 struct tty_struct *tty;
2476 int drop_tty = 0;
2477 unsigned n;
2478
2479 tty = get_current_tty();
2480 if (tty) {
2481 spin_lock(&tty->files_lock);
2482 if (!list_empty(&tty->tty_files)) {
2483 struct tty_file_private *file_priv;
2484
2485 /* Revalidate access to controlling tty.
2486 Use file_path_has_perm on the tty path directly
2487 rather than using file_has_perm, as this particular
2488 open file may belong to another process and we are
2489 only interested in the inode-based check here. */
2490 file_priv = list_first_entry(&tty->tty_files,
2491 struct tty_file_private, list);
2492 file = file_priv->file;
2493 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2494 drop_tty = 1;
2495 }
2496 spin_unlock(&tty->files_lock);
2497 tty_kref_put(tty);
2498 }
2499 /* Reset controlling tty. */
2500 if (drop_tty)
2501 no_tty();
2502
2503 /* Revalidate access to inherited open files. */
2504 n = iterate_fd(files, 0, match_file, cred);
2505 if (!n) /* none found? */
2506 return;
2507
2508 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2509 if (IS_ERR(devnull))
2510 devnull = NULL;
2511 /* replace all the matching ones with this */
2512 do {
2513 replace_fd(n - 1, devnull, 0);
2514 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2515 if (devnull)
2516 fput(devnull);
2517 }
2518
2519 /*
2520 * Prepare a process for imminent new credential changes due to exec
2521 */
2522 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2523 {
2524 struct task_security_struct *new_tsec;
2525 struct rlimit *rlim, *initrlim;
2526 int rc, i;
2527
2528 new_tsec = selinux_cred(bprm->cred);
2529 if (new_tsec->sid == new_tsec->osid)
2530 return;
2531
2532 /* Close files for which the new task SID is not authorized. */
2533 flush_unauthorized_files(bprm->cred, current->files);
2534
2535 /* Always clear parent death signal on SID transitions. */
2536 current->pdeath_signal = 0;
2537
2538 /* Check whether the new SID can inherit resource limits from the old
2539 * SID. If not, reset all soft limits to the lower of the current
2540 * task's hard limit and the init task's soft limit.
2541 *
2542 * Note that the setting of hard limits (even to lower them) can be
2543 * controlled by the setrlimit check. The inclusion of the init task's
2544 * soft limit into the computation is to avoid resetting soft limits
2545 * higher than the default soft limit for cases where the default is
2546 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2547 */
2548 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2549 PROCESS__RLIMITINH, NULL);
2550 if (rc) {
2551 /* protect against do_prlimit() */
2552 task_lock(current);
2553 for (i = 0; i < RLIM_NLIMITS; i++) {
2554 rlim = current->signal->rlim + i;
2555 initrlim = init_task.signal->rlim + i;
2556 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2557 }
2558 task_unlock(current);
2559 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2560 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2561 }
2562 }
2563
2564 /*
2565 * Clean up the process immediately after the installation of new credentials
2566 * due to exec
2567 */
2568 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2569 {
2570 const struct task_security_struct *tsec = selinux_cred(current_cred());
2571 struct itimerval itimer;
2572 u32 osid, sid;
2573 int rc, i;
2574
2575 osid = tsec->osid;
2576 sid = tsec->sid;
2577
2578 if (sid == osid)
2579 return;
2580
2581 /* Check whether the new SID can inherit signal state from the old SID.
2582 * If not, clear itimers to avoid subsequent signal generation and
2583 * flush and unblock signals.
2584 *
2585 * This must occur _after_ the task SID has been updated so that any
2586 * kill done after the flush will be checked against the new SID.
2587 */
2588 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2589 if (rc) {
2590 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2591 memset(&itimer, 0, sizeof itimer);
2592 for (i = 0; i < 3; i++)
2593 do_setitimer(i, &itimer, NULL);
2594 }
2595 spin_lock_irq(&current->sighand->siglock);
2596 if (!fatal_signal_pending(current)) {
2597 flush_sigqueue(&current->pending);
2598 flush_sigqueue(&current->signal->shared_pending);
2599 flush_signal_handlers(current, 1);
2600 sigemptyset(&current->blocked);
2601 recalc_sigpending();
2602 }
2603 spin_unlock_irq(&current->sighand->siglock);
2604 }
2605
2606 /* Wake up the parent if it is waiting so that it can recheck
2607 * wait permission to the new task SID. */
2608 read_lock(&tasklist_lock);
2609 __wake_up_parent(current, current->real_parent);
2610 read_unlock(&tasklist_lock);
2611 }
2612
2613 /* superblock security operations */
2614
2615 static int selinux_sb_alloc_security(struct super_block *sb)
2616 {
2617 return superblock_alloc_security(sb);
2618 }
2619
2620 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2621 {
2622 if (plen > olen)
2623 return 0;
2624
2625 return !memcmp(prefix, option, plen);
2626 }
2627
2628 static inline int selinux_option(char *option, int len)
2629 {
2630 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2631 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2632 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2633 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2634 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2635 }
2636
2637 static inline void take_option(char **to, char *from, int *first, int len)
2638 {
2639 if (!*first) {
2640 **to = ',';
2641 *to += 1;
2642 } else
2643 *first = 0;
2644 memcpy(*to, from, len);
2645 *to += len;
2646 }
2647
2648 static inline void take_selinux_option(char **to, char *from, int *first,
2649 int len)
2650 {
2651 int current_size = 0;
2652
2653 if (!*first) {
2654 **to = '|';
2655 *to += 1;
2656 } else
2657 *first = 0;
2658
2659 while (current_size < len) {
2660 if (*from != '"') {
2661 **to = *from;
2662 *to += 1;
2663 }
2664 from += 1;
2665 current_size += 1;
2666 }
2667 }
2668
2669 static int selinux_sb_copy_data(char *orig, char *copy)
2670 {
2671 int fnosec, fsec, rc = 0;
2672 char *in_save, *in_curr, *in_end;
2673 char *sec_curr, *nosec_save, *nosec;
2674 int open_quote = 0;
2675
2676 in_curr = orig;
2677 sec_curr = copy;
2678
2679 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2680 if (!nosec) {
2681 rc = -ENOMEM;
2682 goto out;
2683 }
2684
2685 nosec_save = nosec;
2686 fnosec = fsec = 1;
2687 in_save = in_end = orig;
2688
2689 do {
2690 if (*in_end == '"')
2691 open_quote = !open_quote;
2692 if ((*in_end == ',' && open_quote == 0) ||
2693 *in_end == '\0') {
2694 int len = in_end - in_curr;
2695
2696 if (selinux_option(in_curr, len))
2697 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2698 else
2699 take_option(&nosec, in_curr, &fnosec, len);
2700
2701 in_curr = in_end + 1;
2702 }
2703 } while (*in_end++);
2704
2705 strcpy(in_save, nosec_save);
2706 free_page((unsigned long)nosec_save);
2707 out:
2708 return rc;
2709 }
2710
2711 static int selinux_sb_remount(struct super_block *sb, void *data)
2712 {
2713 int rc, i, *flags;
2714 struct security_mnt_opts opts;
2715 char *secdata, **mount_options;
2716 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2717
2718 if (!(sbsec->flags & SE_SBINITIALIZED))
2719 return 0;
2720
2721 if (!data)
2722 return 0;
2723
2724 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2725 return 0;
2726
2727 security_init_mnt_opts(&opts);
2728 secdata = alloc_secdata();
2729 if (!secdata)
2730 return -ENOMEM;
2731 rc = selinux_sb_copy_data(data, secdata);
2732 if (rc)
2733 goto out_free_secdata;
2734
2735 rc = selinux_parse_opts_str(secdata, &opts);
2736 if (rc)
2737 goto out_free_secdata;
2738
2739 mount_options = opts.mnt_opts;
2740 flags = opts.mnt_opts_flags;
2741
2742 for (i = 0; i < opts.num_mnt_opts; i++) {
2743 u32 sid;
2744
2745 if (flags[i] == SBLABEL_MNT)
2746 continue;
2747 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2748 if (rc) {
2749 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2750 "(%s) failed for (dev %s, type %s) errno=%d\n",
2751 mount_options[i], sb->s_id, sb->s_type->name, rc);
2752 goto out_free_opts;
2753 }
2754 rc = -EINVAL;
2755 switch (flags[i]) {
2756 case FSCONTEXT_MNT:
2757 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2758 goto out_bad_option;
2759 break;
2760 case CONTEXT_MNT:
2761 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2762 goto out_bad_option;
2763 break;
2764 case ROOTCONTEXT_MNT: {
2765 struct inode_security_struct *root_isec;
2766 root_isec = backing_inode_security(sb->s_root);
2767
2768 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2769 goto out_bad_option;
2770 break;
2771 }
2772 case DEFCONTEXT_MNT:
2773 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2774 goto out_bad_option;
2775 break;
2776 default:
2777 goto out_free_opts;
2778 }
2779 }
2780
2781 rc = 0;
2782 out_free_opts:
2783 security_free_mnt_opts(&opts);
2784 out_free_secdata:
2785 free_secdata(secdata);
2786 return rc;
2787 out_bad_option:
2788 printk(KERN_WARNING "SELinux: unable to change security options "
2789 "during remount (dev %s, type=%s)\n", sb->s_id,
2790 sb->s_type->name);
2791 goto out_free_opts;
2792 }
2793
2794 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2795 {
2796 const struct cred *cred = current_cred();
2797 struct common_audit_data ad;
2798 int rc;
2799
2800 rc = superblock_doinit(sb, data);
2801 if (rc)
2802 return rc;
2803
2804 /* Allow all mounts performed by the kernel */
2805 if (flags & (MS_KERNMOUNT | MS_SUBMOUNT))
2806 return 0;
2807
2808 ad.type = LSM_AUDIT_DATA_DENTRY;
2809 ad.u.dentry = sb->s_root;
2810 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2811 }
2812
2813 static int selinux_sb_statfs(struct dentry *dentry)
2814 {
2815 const struct cred *cred = current_cred();
2816 struct common_audit_data ad;
2817
2818 ad.type = LSM_AUDIT_DATA_DENTRY;
2819 ad.u.dentry = dentry->d_sb->s_root;
2820 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2821 }
2822
2823 static int selinux_mount(const char *dev_name,
2824 const struct path *path,
2825 const char *type,
2826 unsigned long flags,
2827 void *data)
2828 {
2829 const struct cred *cred = current_cred();
2830
2831 if (flags & MS_REMOUNT)
2832 return superblock_has_perm(cred, path->dentry->d_sb,
2833 FILESYSTEM__REMOUNT, NULL);
2834 else
2835 return path_has_perm(cred, path, FILE__MOUNTON);
2836 }
2837
2838 static int selinux_umount(struct vfsmount *mnt, int flags)
2839 {
2840 const struct cred *cred = current_cred();
2841
2842 return superblock_has_perm(cred, mnt->mnt_sb,
2843 FILESYSTEM__UNMOUNT, NULL);
2844 }
2845
2846 /* inode security operations */
2847
2848 static int selinux_inode_alloc_security(struct inode *inode)
2849 {
2850 return inode_alloc_security(inode);
2851 }
2852
2853 static void selinux_inode_free_security(struct inode *inode)
2854 {
2855 inode_free_security(inode);
2856 }
2857
2858 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2859 const struct qstr *name, void **ctx,
2860 u32 *ctxlen)
2861 {
2862 u32 newsid;
2863 int rc;
2864
2865 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2866 d_inode(dentry->d_parent), name,
2867 inode_mode_to_security_class(mode),
2868 &newsid);
2869 if (rc)
2870 return rc;
2871
2872 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2873 }
2874
2875 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2876 struct qstr *name,
2877 const struct cred *old,
2878 struct cred *new)
2879 {
2880 u32 newsid;
2881 int rc;
2882 struct task_security_struct *tsec;
2883
2884 rc = selinux_determine_inode_label(selinux_cred(old),
2885 d_inode(dentry->d_parent), name,
2886 inode_mode_to_security_class(mode),
2887 &newsid);
2888 if (rc)
2889 return rc;
2890
2891 tsec = selinux_cred(new);
2892 tsec->create_sid = newsid;
2893 return 0;
2894 }
2895
2896 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2897 const struct qstr *qstr,
2898 const char **name,
2899 void **value, size_t *len)
2900 {
2901 const struct task_security_struct *tsec = selinux_cred(current_cred());
2902 struct superblock_security_struct *sbsec;
2903 u32 newsid, clen;
2904 int rc;
2905 char *context;
2906
2907 sbsec = selinux_superblock(dir->i_sb);
2908
2909 newsid = tsec->create_sid;
2910
2911 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2912 dir, qstr,
2913 inode_mode_to_security_class(inode->i_mode),
2914 &newsid);
2915 if (rc)
2916 return rc;
2917
2918 /* Possibly defer initialization to selinux_complete_init. */
2919 if (sbsec->flags & SE_SBINITIALIZED) {
2920 struct inode_security_struct *isec = selinux_inode(inode);
2921 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2922 isec->sid = newsid;
2923 isec->initialized = LABEL_INITIALIZED;
2924 }
2925
2926 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2927 return -EOPNOTSUPP;
2928
2929 if (name)
2930 *name = XATTR_SELINUX_SUFFIX;
2931
2932 if (value && len) {
2933 rc = security_sid_to_context_force(newsid, &context, &clen);
2934 if (rc)
2935 return rc;
2936 *value = context;
2937 *len = clen;
2938 }
2939
2940 return 0;
2941 }
2942
2943 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2944 {
2945 return may_create(dir, dentry, SECCLASS_FILE);
2946 }
2947
2948 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2949 {
2950 return may_link(dir, old_dentry, MAY_LINK);
2951 }
2952
2953 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2954 {
2955 return may_link(dir, dentry, MAY_UNLINK);
2956 }
2957
2958 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2959 {
2960 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2961 }
2962
2963 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2964 {
2965 return may_create(dir, dentry, SECCLASS_DIR);
2966 }
2967
2968 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2969 {
2970 return may_link(dir, dentry, MAY_RMDIR);
2971 }
2972
2973 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2974 {
2975 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2976 }
2977
2978 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2979 struct inode *new_inode, struct dentry *new_dentry)
2980 {
2981 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2982 }
2983
2984 static int selinux_inode_readlink(struct dentry *dentry)
2985 {
2986 const struct cred *cred = current_cred();
2987
2988 return dentry_has_perm(cred, dentry, FILE__READ);
2989 }
2990
2991 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2992 bool rcu)
2993 {
2994 const struct cred *cred = current_cred();
2995 struct common_audit_data ad;
2996 struct inode_security_struct *isec;
2997 u32 sid;
2998
2999 validate_creds(cred);
3000
3001 ad.type = LSM_AUDIT_DATA_DENTRY;
3002 ad.u.dentry = dentry;
3003 sid = cred_sid(cred);
3004 isec = inode_security_rcu(inode, rcu);
3005 if (IS_ERR(isec))
3006 return PTR_ERR(isec);
3007
3008 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3009 rcu ? MAY_NOT_BLOCK : 0);
3010 }
3011
3012 static noinline int audit_inode_permission(struct inode *inode,
3013 u32 perms, u32 audited, u32 denied,
3014 int result,
3015 unsigned flags)
3016 {
3017 struct common_audit_data ad;
3018 struct inode_security_struct *isec = selinux_inode(inode);
3019 int rc;
3020
3021 ad.type = LSM_AUDIT_DATA_INODE;
3022 ad.u.inode = inode;
3023
3024 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3025 audited, denied, result, &ad, flags);
3026 if (rc)
3027 return rc;
3028 return 0;
3029 }
3030
3031 static int selinux_inode_permission(struct inode *inode, int mask)
3032 {
3033 const struct cred *cred = current_cred();
3034 u32 perms;
3035 bool from_access;
3036 unsigned flags = mask & MAY_NOT_BLOCK;
3037 struct inode_security_struct *isec;
3038 u32 sid;
3039 struct av_decision avd;
3040 int rc, rc2;
3041 u32 audited, denied;
3042
3043 from_access = mask & MAY_ACCESS;
3044 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3045
3046 /* No permission to check. Existence test. */
3047 if (!mask)
3048 return 0;
3049
3050 validate_creds(cred);
3051
3052 if (unlikely(IS_PRIVATE(inode)))
3053 return 0;
3054
3055 perms = file_mask_to_av(inode->i_mode, mask);
3056
3057 sid = cred_sid(cred);
3058 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3059 if (IS_ERR(isec))
3060 return PTR_ERR(isec);
3061
3062 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3063 audited = avc_audit_required(perms, &avd, rc,
3064 from_access ? FILE__AUDIT_ACCESS : 0,
3065 &denied);
3066 if (likely(!audited))
3067 return rc;
3068
3069 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3070 if (rc2)
3071 return rc2;
3072 return rc;
3073 }
3074
3075 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3076 {
3077 const struct cred *cred = current_cred();
3078 struct inode *inode = d_backing_inode(dentry);
3079 unsigned int ia_valid = iattr->ia_valid;
3080 __u32 av = FILE__WRITE;
3081
3082 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3083 if (ia_valid & ATTR_FORCE) {
3084 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3085 ATTR_FORCE);
3086 if (!ia_valid)
3087 return 0;
3088 }
3089
3090 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3091 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3092 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3093
3094 if (selinux_policycap_openperm &&
3095 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3096 (ia_valid & ATTR_SIZE) &&
3097 !(ia_valid & ATTR_FILE))
3098 av |= FILE__OPEN;
3099
3100 return dentry_has_perm(cred, dentry, av);
3101 }
3102
3103 static int selinux_inode_getattr(const struct path *path)
3104 {
3105 return path_has_perm(current_cred(), path, FILE__GETATTR);
3106 }
3107
3108 static bool has_cap_mac_admin(bool audit)
3109 {
3110 const struct cred *cred = current_cred();
3111 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3112
3113 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3114 return false;
3115 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3116 return false;
3117 return true;
3118 }
3119
3120 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3121 const void *value, size_t size, int flags)
3122 {
3123 struct inode *inode = d_backing_inode(dentry);
3124 struct inode_security_struct *isec;
3125 struct superblock_security_struct *sbsec;
3126 struct common_audit_data ad;
3127 u32 newsid, sid = current_sid();
3128 int rc = 0;
3129
3130 if (strcmp(name, XATTR_NAME_SELINUX)) {
3131 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3132 if (rc)
3133 return rc;
3134
3135 /* Not an attribute we recognize, so just check the
3136 ordinary setattr permission. */
3137 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3138 }
3139
3140 sbsec = selinux_superblock(inode->i_sb);
3141 if (!(sbsec->flags & SBLABEL_MNT))
3142 return -EOPNOTSUPP;
3143
3144 if (!inode_owner_or_capable(inode))
3145 return -EPERM;
3146
3147 ad.type = LSM_AUDIT_DATA_DENTRY;
3148 ad.u.dentry = dentry;
3149
3150 isec = backing_inode_security(dentry);
3151 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3152 FILE__RELABELFROM, &ad);
3153 if (rc)
3154 return rc;
3155
3156 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3157 if (rc == -EINVAL) {
3158 if (!has_cap_mac_admin(true)) {
3159 struct audit_buffer *ab;
3160 size_t audit_size;
3161
3162 /* We strip a nul only if it is at the end, otherwise the
3163 * context contains a nul and we should audit that */
3164 if (value) {
3165 const char *str = value;
3166
3167 if (str[size - 1] == '\0')
3168 audit_size = size - 1;
3169 else
3170 audit_size = size;
3171 } else {
3172 audit_size = 0;
3173 }
3174 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3175 audit_log_format(ab, "op=setxattr invalid_context=");
3176 audit_log_n_untrustedstring(ab, value, audit_size);
3177 audit_log_end(ab);
3178
3179 return rc;
3180 }
3181 rc = security_context_to_sid_force(value, size, &newsid);
3182 }
3183 if (rc)
3184 return rc;
3185
3186 rc = avc_has_perm(sid, newsid, isec->sclass,
3187 FILE__RELABELTO, &ad);
3188 if (rc)
3189 return rc;
3190
3191 rc = security_validate_transition(isec->sid, newsid, sid,
3192 isec->sclass);
3193 if (rc)
3194 return rc;
3195
3196 return avc_has_perm(newsid,
3197 sbsec->sid,
3198 SECCLASS_FILESYSTEM,
3199 FILESYSTEM__ASSOCIATE,
3200 &ad);
3201 }
3202
3203 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3204 const void *value, size_t size,
3205 int flags)
3206 {
3207 struct inode *inode = d_backing_inode(dentry);
3208 struct inode_security_struct *isec;
3209 u32 newsid;
3210 int rc;
3211
3212 if (strcmp(name, XATTR_NAME_SELINUX)) {
3213 /* Not an attribute we recognize, so nothing to do. */
3214 return;
3215 }
3216
3217 rc = security_context_to_sid_force(value, size, &newsid);
3218 if (rc) {
3219 printk(KERN_ERR "SELinux: unable to map context to SID"
3220 "for (%s, %lu), rc=%d\n",
3221 inode->i_sb->s_id, inode->i_ino, -rc);
3222 return;
3223 }
3224
3225 isec = backing_inode_security(dentry);
3226 spin_lock(&isec->lock);
3227 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3228 isec->sid = newsid;
3229 isec->initialized = LABEL_INITIALIZED;
3230 spin_unlock(&isec->lock);
3231
3232 return;
3233 }
3234
3235 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3236 {
3237 const struct cred *cred = current_cred();
3238
3239 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3240 }
3241
3242 static int selinux_inode_listxattr(struct dentry *dentry)
3243 {
3244 const struct cred *cred = current_cred();
3245
3246 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3247 }
3248
3249 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3250 {
3251 if (strcmp(name, XATTR_NAME_SELINUX)) {
3252 int rc = cap_inode_removexattr(dentry, name);
3253 if (rc)
3254 return rc;
3255
3256 /* Not an attribute we recognize, so just check the
3257 ordinary setattr permission. */
3258 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3259 }
3260
3261 /* No one is allowed to remove a SELinux security label.
3262 You can change the label, but all data must be labeled. */
3263 return -EACCES;
3264 }
3265
3266 /*
3267 * Copy the inode security context value to the user.
3268 *
3269 * Permission check is handled by selinux_inode_getxattr hook.
3270 */
3271 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3272 {
3273 u32 size;
3274 int error;
3275 char *context = NULL;
3276 struct inode_security_struct *isec;
3277
3278 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3279 return -EOPNOTSUPP;
3280
3281 /*
3282 * If the caller has CAP_MAC_ADMIN, then get the raw context
3283 * value even if it is not defined by current policy; otherwise,
3284 * use the in-core value under current policy.
3285 * Use the non-auditing forms of the permission checks since
3286 * getxattr may be called by unprivileged processes commonly
3287 * and lack of permission just means that we fall back to the
3288 * in-core context value, not a denial.
3289 */
3290 isec = inode_security(inode);
3291 if (has_cap_mac_admin(false))
3292 error = security_sid_to_context_force(isec->sid, &context,
3293 &size);
3294 else
3295 error = security_sid_to_context(isec->sid, &context, &size);
3296 if (error)
3297 return error;
3298 error = size;
3299 if (alloc) {
3300 *buffer = context;
3301 goto out_nofree;
3302 }
3303 kfree(context);
3304 out_nofree:
3305 return error;
3306 }
3307
3308 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3309 const void *value, size_t size, int flags)
3310 {
3311 struct inode_security_struct *isec = inode_security_novalidate(inode);
3312 u32 newsid;
3313 int rc;
3314
3315 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3316 return -EOPNOTSUPP;
3317
3318 if (!value || !size)
3319 return -EACCES;
3320
3321 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3322 if (rc)
3323 return rc;
3324
3325 spin_lock(&isec->lock);
3326 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3327 isec->sid = newsid;
3328 isec->initialized = LABEL_INITIALIZED;
3329 spin_unlock(&isec->lock);
3330 return 0;
3331 }
3332
3333 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3334 {
3335 const int len = sizeof(XATTR_NAME_SELINUX);
3336 if (buffer && len <= buffer_size)
3337 memcpy(buffer, XATTR_NAME_SELINUX, len);
3338 return len;
3339 }
3340
3341 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3342 {
3343 struct inode_security_struct *isec = inode_security_novalidate(inode);
3344 *secid = isec->sid;
3345 }
3346
3347 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3348 {
3349 u32 sid;
3350 struct task_security_struct *tsec;
3351 struct cred *new_creds = *new;
3352
3353 if (new_creds == NULL) {
3354 new_creds = prepare_creds();
3355 if (!new_creds)
3356 return -ENOMEM;
3357 }
3358
3359 tsec = selinux_cred(new_creds);
3360 /* Get label from overlay inode and set it in create_sid */
3361 selinux_inode_getsecid(d_inode(src), &sid);
3362 tsec->create_sid = sid;
3363 *new = new_creds;
3364 return 0;
3365 }
3366
3367 static int selinux_inode_copy_up_xattr(const char *name)
3368 {
3369 /* The copy_up hook above sets the initial context on an inode, but we
3370 * don't then want to overwrite it by blindly copying all the lower
3371 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3372 */
3373 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3374 return 1; /* Discard */
3375 /*
3376 * Any other attribute apart from SELINUX is not claimed, supported
3377 * by selinux.
3378 */
3379 return -EOPNOTSUPP;
3380 }
3381
3382 /* file security operations */
3383
3384 static int selinux_revalidate_file_permission(struct file *file, int mask)
3385 {
3386 const struct cred *cred = current_cred();
3387 struct inode *inode = file_inode(file);
3388
3389 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3390 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3391 mask |= MAY_APPEND;
3392
3393 return file_has_perm(cred, file,
3394 file_mask_to_av(inode->i_mode, mask));
3395 }
3396
3397 static int selinux_file_permission(struct file *file, int mask)
3398 {
3399 struct inode *inode = file_inode(file);
3400 struct file_security_struct *fsec = selinux_file(file);
3401 struct inode_security_struct *isec;
3402 u32 sid = current_sid();
3403
3404 if (!mask)
3405 /* No permission to check. Existence test. */
3406 return 0;
3407
3408 isec = inode_security(inode);
3409 if (sid == fsec->sid && fsec->isid == isec->sid &&
3410 fsec->pseqno == avc_policy_seqno())
3411 /* No change since file_open check. */
3412 return 0;
3413
3414 return selinux_revalidate_file_permission(file, mask);
3415 }
3416
3417 static int selinux_file_alloc_security(struct file *file)
3418 {
3419 return file_alloc_security(file);
3420 }
3421
3422 /*
3423 * Check whether a task has the ioctl permission and cmd
3424 * operation to an inode.
3425 */
3426 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3427 u32 requested, u16 cmd)
3428 {
3429 struct common_audit_data ad;
3430 struct file_security_struct *fsec = selinux_file(file);
3431 struct inode *inode = file_inode(file);
3432 struct inode_security_struct *isec;
3433 struct lsm_ioctlop_audit ioctl;
3434 u32 ssid = cred_sid(cred);
3435 int rc;
3436 u8 driver = cmd >> 8;
3437 u8 xperm = cmd & 0xff;
3438
3439 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3440 ad.u.op = &ioctl;
3441 ad.u.op->cmd = cmd;
3442 ad.u.op->path = file->f_path;
3443
3444 if (ssid != fsec->sid) {
3445 rc = avc_has_perm(ssid, fsec->sid,
3446 SECCLASS_FD,
3447 FD__USE,
3448 &ad);
3449 if (rc)
3450 goto out;
3451 }
3452
3453 if (unlikely(IS_PRIVATE(inode)))
3454 return 0;
3455
3456 isec = inode_security(inode);
3457 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3458 requested, driver, xperm, &ad);
3459 out:
3460 return rc;
3461 }
3462
3463 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3464 unsigned long arg)
3465 {
3466 const struct cred *cred = current_cred();
3467 int error = 0;
3468
3469 switch (cmd) {
3470 case FIONREAD:
3471 /* fall through */
3472 case FIBMAP:
3473 /* fall through */
3474 case FIGETBSZ:
3475 /* fall through */
3476 case FS_IOC_GETFLAGS:
3477 /* fall through */
3478 case FS_IOC_GETVERSION:
3479 error = file_has_perm(cred, file, FILE__GETATTR);
3480 break;
3481
3482 case FS_IOC_SETFLAGS:
3483 /* fall through */
3484 case FS_IOC_SETVERSION:
3485 error = file_has_perm(cred, file, FILE__SETATTR);
3486 break;
3487
3488 /* sys_ioctl() checks */
3489 case FIONBIO:
3490 /* fall through */
3491 case FIOASYNC:
3492 error = file_has_perm(cred, file, 0);
3493 break;
3494
3495 case KDSKBENT:
3496 case KDSKBSENT:
3497 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3498 SECURITY_CAP_AUDIT, true);
3499 break;
3500
3501 /* default case assumes that the command will go
3502 * to the file's ioctl() function.
3503 */
3504 default:
3505 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3506 }
3507 return error;
3508 }
3509
3510 static int default_noexec;
3511
3512 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3513 {
3514 const struct cred *cred = current_cred();
3515 u32 sid = cred_sid(cred);
3516 int rc = 0;
3517
3518 if (default_noexec &&
3519 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3520 (!shared && (prot & PROT_WRITE)))) {
3521 /*
3522 * We are making executable an anonymous mapping or a
3523 * private file mapping that will also be writable.
3524 * This has an additional check.
3525 */
3526 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3527 PROCESS__EXECMEM, NULL);
3528 if (rc)
3529 goto error;
3530 }
3531
3532 if (file) {
3533 /* read access is always possible with a mapping */
3534 u32 av = FILE__READ;
3535
3536 /* write access only matters if the mapping is shared */
3537 if (shared && (prot & PROT_WRITE))
3538 av |= FILE__WRITE;
3539
3540 if (prot & PROT_EXEC)
3541 av |= FILE__EXECUTE;
3542
3543 return file_has_perm(cred, file, av);
3544 }
3545
3546 error:
3547 return rc;
3548 }
3549
3550 static int selinux_mmap_addr(unsigned long addr)
3551 {
3552 int rc = 0;
3553
3554 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3555 u32 sid = current_sid();
3556 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3557 MEMPROTECT__MMAP_ZERO, NULL);
3558 }
3559
3560 return rc;
3561 }
3562
3563 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3564 unsigned long prot, unsigned long flags)
3565 {
3566 struct common_audit_data ad;
3567 int rc;
3568
3569 if (file) {
3570 ad.type = LSM_AUDIT_DATA_FILE;
3571 ad.u.file = file;
3572 rc = inode_has_perm(current_cred(), file_inode(file),
3573 FILE__MAP, &ad);
3574 if (rc)
3575 return rc;
3576 }
3577
3578 if (selinux_checkreqprot)
3579 prot = reqprot;
3580
3581 return file_map_prot_check(file, prot,
3582 (flags & MAP_TYPE) == MAP_SHARED);
3583 }
3584
3585 static int selinux_file_mprotect(struct vm_area_struct *vma,
3586 unsigned long reqprot,
3587 unsigned long prot)
3588 {
3589 const struct cred *cred = current_cred();
3590 u32 sid = cred_sid(cred);
3591
3592 if (selinux_checkreqprot)
3593 prot = reqprot;
3594
3595 if (default_noexec &&
3596 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3597 int rc = 0;
3598 if (vma->vm_start >= vma->vm_mm->start_brk &&
3599 vma->vm_end <= vma->vm_mm->brk) {
3600 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3601 PROCESS__EXECHEAP, NULL);
3602 } else if (!vma->vm_file &&
3603 ((vma->vm_start <= vma->vm_mm->start_stack &&
3604 vma->vm_end >= vma->vm_mm->start_stack) ||
3605 vma_is_stack_for_current(vma))) {
3606 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3607 PROCESS__EXECSTACK, NULL);
3608 } else if (vma->vm_file && vma->anon_vma) {
3609 /*
3610 * We are making executable a file mapping that has
3611 * had some COW done. Since pages might have been
3612 * written, check ability to execute the possibly
3613 * modified content. This typically should only
3614 * occur for text relocations.
3615 */
3616 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3617 }
3618 if (rc)
3619 return rc;
3620 }
3621
3622 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3623 }
3624
3625 static int selinux_file_lock(struct file *file, unsigned int cmd)
3626 {
3627 const struct cred *cred = current_cred();
3628
3629 return file_has_perm(cred, file, FILE__LOCK);
3630 }
3631
3632 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3633 unsigned long arg)
3634 {
3635 const struct cred *cred = current_cred();
3636 int err = 0;
3637
3638 switch (cmd) {
3639 case F_SETFL:
3640 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3641 err = file_has_perm(cred, file, FILE__WRITE);
3642 break;
3643 }
3644 /* fall through */
3645 case F_SETOWN:
3646 case F_SETSIG:
3647 case F_GETFL:
3648 case F_GETOWN:
3649 case F_GETSIG:
3650 case F_GETOWNER_UIDS:
3651 /* Just check FD__USE permission */
3652 err = file_has_perm(cred, file, 0);
3653 break;
3654 case F_GETLK:
3655 case F_SETLK:
3656 case F_SETLKW:
3657 case F_OFD_GETLK:
3658 case F_OFD_SETLK:
3659 case F_OFD_SETLKW:
3660 #if BITS_PER_LONG == 32
3661 case F_GETLK64:
3662 case F_SETLK64:
3663 case F_SETLKW64:
3664 #endif
3665 err = file_has_perm(cred, file, FILE__LOCK);
3666 break;
3667 }
3668
3669 return err;
3670 }
3671
3672 static void selinux_file_set_fowner(struct file *file)
3673 {
3674 struct file_security_struct *fsec;
3675
3676 fsec = selinux_file(file);
3677 fsec->fown_sid = current_sid();
3678 }
3679
3680 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3681 struct fown_struct *fown, int signum)
3682 {
3683 struct file *file;
3684 u32 sid = task_sid(tsk);
3685 u32 perm;
3686 struct file_security_struct *fsec;
3687
3688 /* struct fown_struct is never outside the context of a struct file */
3689 file = container_of(fown, struct file, f_owner);
3690
3691 fsec = selinux_file(file);
3692
3693 if (!signum)
3694 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3695 else
3696 perm = signal_to_av(signum);
3697
3698 return avc_has_perm(fsec->fown_sid, sid,
3699 SECCLASS_PROCESS, perm, NULL);
3700 }
3701
3702 static int selinux_file_receive(struct file *file)
3703 {
3704 const struct cred *cred = current_cred();
3705
3706 return file_has_perm(cred, file, file_to_av(file));
3707 }
3708
3709 static int selinux_file_open(struct file *file, const struct cred *cred)
3710 {
3711 struct file_security_struct *fsec;
3712 struct inode_security_struct *isec;
3713
3714 fsec = selinux_file(file);
3715 isec = inode_security(file_inode(file));
3716 /*
3717 * Save inode label and policy sequence number
3718 * at open-time so that selinux_file_permission
3719 * can determine whether revalidation is necessary.
3720 * Task label is already saved in the file security
3721 * struct as its SID.
3722 */
3723 fsec->isid = isec->sid;
3724 fsec->pseqno = avc_policy_seqno();
3725 /*
3726 * Since the inode label or policy seqno may have changed
3727 * between the selinux_inode_permission check and the saving
3728 * of state above, recheck that access is still permitted.
3729 * Otherwise, access might never be revalidated against the
3730 * new inode label or new policy.
3731 * This check is not redundant - do not remove.
3732 */
3733 return file_path_has_perm(cred, file, open_file_to_av(file));
3734 }
3735
3736 /* task security operations */
3737
3738 static int selinux_task_alloc(struct task_struct *task,
3739 unsigned long clone_flags)
3740 {
3741 u32 sid = current_sid();
3742
3743 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3744 }
3745
3746 /*
3747 * prepare a new set of credentials for modification
3748 */
3749 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3750 gfp_t gfp)
3751 {
3752 const struct task_security_struct *old_tsec = selinux_cred(old);
3753 struct task_security_struct *tsec = selinux_cred(new);
3754
3755 *tsec = *old_tsec;
3756
3757 return 0;
3758 }
3759
3760 /*
3761 * transfer the SELinux data to a blank set of creds
3762 */
3763 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3764 {
3765 const struct task_security_struct *old_tsec = selinux_cred(old);
3766 struct task_security_struct *tsec = selinux_cred(new);
3767
3768 *tsec = *old_tsec;
3769 }
3770
3771 /*
3772 * set the security data for a kernel service
3773 * - all the creation contexts are set to unlabelled
3774 */
3775 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3776 {
3777 struct task_security_struct *tsec = selinux_cred(new);
3778 u32 sid = current_sid();
3779 int ret;
3780
3781 ret = avc_has_perm(sid, secid,
3782 SECCLASS_KERNEL_SERVICE,
3783 KERNEL_SERVICE__USE_AS_OVERRIDE,
3784 NULL);
3785 if (ret == 0) {
3786 tsec->sid = secid;
3787 tsec->create_sid = 0;
3788 tsec->keycreate_sid = 0;
3789 tsec->sockcreate_sid = 0;
3790 }
3791 return ret;
3792 }
3793
3794 /*
3795 * set the file creation context in a security record to the same as the
3796 * objective context of the specified inode
3797 */
3798 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3799 {
3800 struct inode_security_struct *isec = inode_security(inode);
3801 struct task_security_struct *tsec = selinux_cred(new);
3802 u32 sid = current_sid();
3803 int ret;
3804
3805 ret = avc_has_perm(sid, isec->sid,
3806 SECCLASS_KERNEL_SERVICE,
3807 KERNEL_SERVICE__CREATE_FILES_AS,
3808 NULL);
3809
3810 if (ret == 0)
3811 tsec->create_sid = isec->sid;
3812 return ret;
3813 }
3814
3815 static int selinux_kernel_module_request(char *kmod_name)
3816 {
3817 struct common_audit_data ad;
3818
3819 ad.type = LSM_AUDIT_DATA_KMOD;
3820 ad.u.kmod_name = kmod_name;
3821
3822 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3823 SYSTEM__MODULE_REQUEST, &ad);
3824 }
3825
3826 static int selinux_kernel_module_from_file(struct file *file)
3827 {
3828 struct common_audit_data ad;
3829 struct inode_security_struct *isec;
3830 struct file_security_struct *fsec;
3831 u32 sid = current_sid();
3832 int rc;
3833
3834 /* init_module */
3835 if (file == NULL)
3836 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3837 SYSTEM__MODULE_LOAD, NULL);
3838
3839 /* finit_module */
3840
3841 ad.type = LSM_AUDIT_DATA_FILE;
3842 ad.u.file = file;
3843
3844 fsec = selinux_file(file);
3845 if (sid != fsec->sid) {
3846 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3847 if (rc)
3848 return rc;
3849 }
3850
3851 isec = inode_security(file_inode(file));
3852 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3853 SYSTEM__MODULE_LOAD, &ad);
3854 }
3855
3856 static int selinux_kernel_read_file(struct file *file,
3857 enum kernel_read_file_id id)
3858 {
3859 int rc = 0;
3860
3861 switch (id) {
3862 case READING_MODULE:
3863 rc = selinux_kernel_module_from_file(file);
3864 break;
3865 default:
3866 break;
3867 }
3868
3869 return rc;
3870 }
3871
3872 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3873 {
3874 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3875 PROCESS__SETPGID, NULL);
3876 }
3877
3878 static int selinux_task_getpgid(struct task_struct *p)
3879 {
3880 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3881 PROCESS__GETPGID, NULL);
3882 }
3883
3884 static int selinux_task_getsid(struct task_struct *p)
3885 {
3886 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3887 PROCESS__GETSESSION, NULL);
3888 }
3889
3890 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3891 {
3892 *secid = task_sid(p);
3893 }
3894
3895 static int selinux_task_setnice(struct task_struct *p, int nice)
3896 {
3897 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3898 PROCESS__SETSCHED, NULL);
3899 }
3900
3901 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3902 {
3903 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3904 PROCESS__SETSCHED, NULL);
3905 }
3906
3907 static int selinux_task_getioprio(struct task_struct *p)
3908 {
3909 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3910 PROCESS__GETSCHED, NULL);
3911 }
3912
3913 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3914 unsigned int flags)
3915 {
3916 u32 av = 0;
3917
3918 if (!flags)
3919 return 0;
3920 if (flags & LSM_PRLIMIT_WRITE)
3921 av |= PROCESS__SETRLIMIT;
3922 if (flags & LSM_PRLIMIT_READ)
3923 av |= PROCESS__GETRLIMIT;
3924 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
3925 SECCLASS_PROCESS, av, NULL);
3926 }
3927
3928 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3929 struct rlimit *new_rlim)
3930 {
3931 struct rlimit *old_rlim = p->signal->rlim + resource;
3932
3933 /* Control the ability to change the hard limit (whether
3934 lowering or raising it), so that the hard limit can
3935 later be used as a safe reset point for the soft limit
3936 upon context transitions. See selinux_bprm_committing_creds. */
3937 if (old_rlim->rlim_max != new_rlim->rlim_max)
3938 return avc_has_perm(current_sid(), task_sid(p),
3939 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
3940
3941 return 0;
3942 }
3943
3944 static int selinux_task_setscheduler(struct task_struct *p)
3945 {
3946 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3947 PROCESS__SETSCHED, NULL);
3948 }
3949
3950 static int selinux_task_getscheduler(struct task_struct *p)
3951 {
3952 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3953 PROCESS__GETSCHED, NULL);
3954 }
3955
3956 static int selinux_task_movememory(struct task_struct *p)
3957 {
3958 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3959 PROCESS__SETSCHED, NULL);
3960 }
3961
3962 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3963 int sig, u32 secid)
3964 {
3965 u32 perm;
3966
3967 if (!sig)
3968 perm = PROCESS__SIGNULL; /* null signal; existence test */
3969 else
3970 perm = signal_to_av(sig);
3971 if (!secid)
3972 secid = current_sid();
3973 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
3974 }
3975
3976 static void selinux_task_to_inode(struct task_struct *p,
3977 struct inode *inode)
3978 {
3979 struct inode_security_struct *isec = selinux_inode(inode);
3980 u32 sid = task_sid(p);
3981
3982 spin_lock(&isec->lock);
3983 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3984 isec->sid = sid;
3985 isec->initialized = LABEL_INITIALIZED;
3986 spin_unlock(&isec->lock);
3987 }
3988
3989 /* Returns error only if unable to parse addresses */
3990 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3991 struct common_audit_data *ad, u8 *proto)
3992 {
3993 int offset, ihlen, ret = -EINVAL;
3994 struct iphdr _iph, *ih;
3995
3996 offset = skb_network_offset(skb);
3997 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3998 if (ih == NULL)
3999 goto out;
4000
4001 ihlen = ih->ihl * 4;
4002 if (ihlen < sizeof(_iph))
4003 goto out;
4004
4005 ad->u.net->v4info.saddr = ih->saddr;
4006 ad->u.net->v4info.daddr = ih->daddr;
4007 ret = 0;
4008
4009 if (proto)
4010 *proto = ih->protocol;
4011
4012 switch (ih->protocol) {
4013 case IPPROTO_TCP: {
4014 struct tcphdr _tcph, *th;
4015
4016 if (ntohs(ih->frag_off) & IP_OFFSET)
4017 break;
4018
4019 offset += ihlen;
4020 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4021 if (th == NULL)
4022 break;
4023
4024 ad->u.net->sport = th->source;
4025 ad->u.net->dport = th->dest;
4026 break;
4027 }
4028
4029 case IPPROTO_UDP: {
4030 struct udphdr _udph, *uh;
4031
4032 if (ntohs(ih->frag_off) & IP_OFFSET)
4033 break;
4034
4035 offset += ihlen;
4036 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4037 if (uh == NULL)
4038 break;
4039
4040 ad->u.net->sport = uh->source;
4041 ad->u.net->dport = uh->dest;
4042 break;
4043 }
4044
4045 case IPPROTO_DCCP: {
4046 struct dccp_hdr _dccph, *dh;
4047
4048 if (ntohs(ih->frag_off) & IP_OFFSET)
4049 break;
4050
4051 offset += ihlen;
4052 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4053 if (dh == NULL)
4054 break;
4055
4056 ad->u.net->sport = dh->dccph_sport;
4057 ad->u.net->dport = dh->dccph_dport;
4058 break;
4059 }
4060
4061 default:
4062 break;
4063 }
4064 out:
4065 return ret;
4066 }
4067
4068 #if IS_ENABLED(CONFIG_IPV6)
4069
4070 /* Returns error only if unable to parse addresses */
4071 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4072 struct common_audit_data *ad, u8 *proto)
4073 {
4074 u8 nexthdr;
4075 int ret = -EINVAL, offset;
4076 struct ipv6hdr _ipv6h, *ip6;
4077 __be16 frag_off;
4078
4079 offset = skb_network_offset(skb);
4080 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4081 if (ip6 == NULL)
4082 goto out;
4083
4084 ad->u.net->v6info.saddr = ip6->saddr;
4085 ad->u.net->v6info.daddr = ip6->daddr;
4086 ret = 0;
4087
4088 nexthdr = ip6->nexthdr;
4089 offset += sizeof(_ipv6h);
4090 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4091 if (offset < 0)
4092 goto out;
4093
4094 if (proto)
4095 *proto = nexthdr;
4096
4097 switch (nexthdr) {
4098 case IPPROTO_TCP: {
4099 struct tcphdr _tcph, *th;
4100
4101 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4102 if (th == NULL)
4103 break;
4104
4105 ad->u.net->sport = th->source;
4106 ad->u.net->dport = th->dest;
4107 break;
4108 }
4109
4110 case IPPROTO_UDP: {
4111 struct udphdr _udph, *uh;
4112
4113 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4114 if (uh == NULL)
4115 break;
4116
4117 ad->u.net->sport = uh->source;
4118 ad->u.net->dport = uh->dest;
4119 break;
4120 }
4121
4122 case IPPROTO_DCCP: {
4123 struct dccp_hdr _dccph, *dh;
4124
4125 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4126 if (dh == NULL)
4127 break;
4128
4129 ad->u.net->sport = dh->dccph_sport;
4130 ad->u.net->dport = dh->dccph_dport;
4131 break;
4132 }
4133
4134 /* includes fragments */
4135 default:
4136 break;
4137 }
4138 out:
4139 return ret;
4140 }
4141
4142 #endif /* IPV6 */
4143
4144 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4145 char **_addrp, int src, u8 *proto)
4146 {
4147 char *addrp;
4148 int ret;
4149
4150 switch (ad->u.net->family) {
4151 case PF_INET:
4152 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4153 if (ret)
4154 goto parse_error;
4155 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4156 &ad->u.net->v4info.daddr);
4157 goto okay;
4158
4159 #if IS_ENABLED(CONFIG_IPV6)
4160 case PF_INET6:
4161 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4162 if (ret)
4163 goto parse_error;
4164 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4165 &ad->u.net->v6info.daddr);
4166 goto okay;
4167 #endif /* IPV6 */
4168 default:
4169 addrp = NULL;
4170 goto okay;
4171 }
4172
4173 parse_error:
4174 printk(KERN_WARNING
4175 "SELinux: failure in selinux_parse_skb(),"
4176 " unable to parse packet\n");
4177 return ret;
4178
4179 okay:
4180 if (_addrp)
4181 *_addrp = addrp;
4182 return 0;
4183 }
4184
4185 /**
4186 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4187 * @skb: the packet
4188 * @family: protocol family
4189 * @sid: the packet's peer label SID
4190 *
4191 * Description:
4192 * Check the various different forms of network peer labeling and determine
4193 * the peer label/SID for the packet; most of the magic actually occurs in
4194 * the security server function security_net_peersid_cmp(). The function
4195 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4196 * or -EACCES if @sid is invalid due to inconsistencies with the different
4197 * peer labels.
4198 *
4199 */
4200 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4201 {
4202 int err;
4203 u32 xfrm_sid;
4204 u32 nlbl_sid;
4205 u32 nlbl_type;
4206
4207 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4208 if (unlikely(err))
4209 return -EACCES;
4210 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4211 if (unlikely(err))
4212 return -EACCES;
4213
4214 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4215 if (unlikely(err)) {
4216 printk(KERN_WARNING
4217 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4218 " unable to determine packet's peer label\n");
4219 return -EACCES;
4220 }
4221
4222 return 0;
4223 }
4224
4225 /**
4226 * selinux_conn_sid - Determine the child socket label for a connection
4227 * @sk_sid: the parent socket's SID
4228 * @skb_sid: the packet's SID
4229 * @conn_sid: the resulting connection SID
4230 *
4231 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4232 * combined with the MLS information from @skb_sid in order to create
4233 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4234 * of @sk_sid. Returns zero on success, negative values on failure.
4235 *
4236 */
4237 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4238 {
4239 int err = 0;
4240
4241 if (skb_sid != SECSID_NULL)
4242 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4243 else
4244 *conn_sid = sk_sid;
4245
4246 return err;
4247 }
4248
4249 /* socket security operations */
4250
4251 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4252 u16 secclass, u32 *socksid)
4253 {
4254 if (tsec->sockcreate_sid > SECSID_NULL) {
4255 *socksid = tsec->sockcreate_sid;
4256 return 0;
4257 }
4258
4259 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4260 socksid);
4261 }
4262
4263 static int sock_has_perm(struct sock *sk, u32 perms)
4264 {
4265 struct sk_security_struct *sksec = selinux_sock(sk);
4266 struct common_audit_data ad;
4267 struct lsm_network_audit net = {0,};
4268
4269 if (sksec->sid == SECINITSID_KERNEL)
4270 return 0;
4271
4272 ad.type = LSM_AUDIT_DATA_NET;
4273 ad.u.net = &net;
4274 ad.u.net->sk = sk;
4275
4276 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4277 &ad);
4278 }
4279
4280 static int selinux_socket_create(int family, int type,
4281 int protocol, int kern)
4282 {
4283 const struct task_security_struct *tsec = selinux_cred(current_cred());
4284 u32 newsid;
4285 u16 secclass;
4286 int rc;
4287
4288 if (kern)
4289 return 0;
4290
4291 secclass = socket_type_to_security_class(family, type, protocol);
4292 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4293 if (rc)
4294 return rc;
4295
4296 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4297 }
4298
4299 static int selinux_socket_post_create(struct socket *sock, int family,
4300 int type, int protocol, int kern)
4301 {
4302 const struct task_security_struct *tsec = selinux_cred(current_cred());
4303 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4304 struct sk_security_struct *sksec;
4305 u16 sclass = socket_type_to_security_class(family, type, protocol);
4306 u32 sid = SECINITSID_KERNEL;
4307 int err = 0;
4308
4309 if (!kern) {
4310 err = socket_sockcreate_sid(tsec, sclass, &sid);
4311 if (err)
4312 return err;
4313 }
4314
4315 isec->sclass = sclass;
4316 isec->sid = sid;
4317 isec->initialized = LABEL_INITIALIZED;
4318
4319 if (sock->sk) {
4320 sksec = selinux_sock(sock->sk);
4321 sksec->sclass = sclass;
4322 sksec->sid = sid;
4323 err = selinux_netlbl_socket_post_create(sock->sk, family);
4324 }
4325
4326 return err;
4327 }
4328
4329 /* Range of port numbers used to automatically bind.
4330 Need to determine whether we should perform a name_bind
4331 permission check between the socket and the port number. */
4332
4333 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4334 {
4335 struct sock *sk = sock->sk;
4336 u16 family;
4337 int err;
4338
4339 err = sock_has_perm(sk, SOCKET__BIND);
4340 if (err)
4341 goto out;
4342
4343 /*
4344 * If PF_INET or PF_INET6, check name_bind permission for the port.
4345 * Multiple address binding for SCTP is not supported yet: we just
4346 * check the first address now.
4347 */
4348 family = sk->sk_family;
4349 if (family == PF_INET || family == PF_INET6) {
4350 char *addrp;
4351 struct sk_security_struct *sksec = selinux_sock(sk);
4352 struct common_audit_data ad;
4353 struct lsm_network_audit net = {0,};
4354 struct sockaddr_in *addr4 = NULL;
4355 struct sockaddr_in6 *addr6 = NULL;
4356 unsigned short snum;
4357 u32 sid, node_perm;
4358
4359 if (family == PF_INET) {
4360 if (addrlen < sizeof(struct sockaddr_in)) {
4361 err = -EINVAL;
4362 goto out;
4363 }
4364 addr4 = (struct sockaddr_in *)address;
4365 snum = ntohs(addr4->sin_port);
4366 addrp = (char *)&addr4->sin_addr.s_addr;
4367 } else {
4368 if (addrlen < SIN6_LEN_RFC2133) {
4369 err = -EINVAL;
4370 goto out;
4371 }
4372 addr6 = (struct sockaddr_in6 *)address;
4373 snum = ntohs(addr6->sin6_port);
4374 addrp = (char *)&addr6->sin6_addr.s6_addr;
4375 }
4376
4377 if (snum) {
4378 int low, high;
4379
4380 inet_get_local_port_range(sock_net(sk), &low, &high);
4381
4382 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4383 snum > high) {
4384 err = sel_netport_sid(sk->sk_protocol,
4385 snum, &sid);
4386 if (err)
4387 goto out;
4388 ad.type = LSM_AUDIT_DATA_NET;
4389 ad.u.net = &net;
4390 ad.u.net->sport = htons(snum);
4391 ad.u.net->family = family;
4392 err = avc_has_perm(sksec->sid, sid,
4393 sksec->sclass,
4394 SOCKET__NAME_BIND, &ad);
4395 if (err)
4396 goto out;
4397 }
4398 }
4399
4400 switch (sksec->sclass) {
4401 case SECCLASS_TCP_SOCKET:
4402 node_perm = TCP_SOCKET__NODE_BIND;
4403 break;
4404
4405 case SECCLASS_UDP_SOCKET:
4406 node_perm = UDP_SOCKET__NODE_BIND;
4407 break;
4408
4409 case SECCLASS_DCCP_SOCKET:
4410 node_perm = DCCP_SOCKET__NODE_BIND;
4411 break;
4412
4413 default:
4414 node_perm = RAWIP_SOCKET__NODE_BIND;
4415 break;
4416 }
4417
4418 err = sel_netnode_sid(addrp, family, &sid);
4419 if (err)
4420 goto out;
4421
4422 ad.type = LSM_AUDIT_DATA_NET;
4423 ad.u.net = &net;
4424 ad.u.net->sport = htons(snum);
4425 ad.u.net->family = family;
4426
4427 if (family == PF_INET)
4428 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4429 else
4430 ad.u.net->v6info.saddr = addr6->sin6_addr;
4431
4432 err = avc_has_perm(sksec->sid, sid,
4433 sksec->sclass, node_perm, &ad);
4434 if (err)
4435 goto out;
4436 }
4437 out:
4438 return err;
4439 }
4440
4441 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4442 {
4443 struct sock *sk = sock->sk;
4444 struct sk_security_struct *sksec = selinux_sock(sk);
4445 int err;
4446
4447 err = sock_has_perm(sk, SOCKET__CONNECT);
4448 if (err)
4449 return err;
4450
4451 /*
4452 * If a TCP or DCCP socket, check name_connect permission for the port.
4453 */
4454 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4455 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4456 struct common_audit_data ad;
4457 struct lsm_network_audit net = {0,};
4458 struct sockaddr_in *addr4 = NULL;
4459 struct sockaddr_in6 *addr6 = NULL;
4460 unsigned short snum;
4461 u32 sid, perm;
4462
4463 if (sk->sk_family == PF_INET) {
4464 addr4 = (struct sockaddr_in *)address;
4465 if (addrlen < sizeof(struct sockaddr_in))
4466 return -EINVAL;
4467 snum = ntohs(addr4->sin_port);
4468 } else {
4469 addr6 = (struct sockaddr_in6 *)address;
4470 if (addrlen < SIN6_LEN_RFC2133)
4471 return -EINVAL;
4472 snum = ntohs(addr6->sin6_port);
4473 }
4474
4475 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4476 if (err)
4477 goto out;
4478
4479 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4480 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4481
4482 ad.type = LSM_AUDIT_DATA_NET;
4483 ad.u.net = &net;
4484 ad.u.net->dport = htons(snum);
4485 ad.u.net->family = sk->sk_family;
4486 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4487 if (err)
4488 goto out;
4489 }
4490
4491 err = selinux_netlbl_socket_connect(sk, address);
4492
4493 out:
4494 return err;
4495 }
4496
4497 static int selinux_socket_listen(struct socket *sock, int backlog)
4498 {
4499 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4500 }
4501
4502 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4503 {
4504 int err;
4505 struct inode_security_struct *isec;
4506 struct inode_security_struct *newisec;
4507 u16 sclass;
4508 u32 sid;
4509
4510 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4511 if (err)
4512 return err;
4513
4514 isec = inode_security_novalidate(SOCK_INODE(sock));
4515 spin_lock(&isec->lock);
4516 sclass = isec->sclass;
4517 sid = isec->sid;
4518 spin_unlock(&isec->lock);
4519
4520 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4521 newisec->sclass = sclass;
4522 newisec->sid = sid;
4523 newisec->initialized = LABEL_INITIALIZED;
4524
4525 return 0;
4526 }
4527
4528 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4529 int size)
4530 {
4531 return sock_has_perm(sock->sk, SOCKET__WRITE);
4532 }
4533
4534 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4535 int size, int flags)
4536 {
4537 return sock_has_perm(sock->sk, SOCKET__READ);
4538 }
4539
4540 static int selinux_socket_getsockname(struct socket *sock)
4541 {
4542 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4543 }
4544
4545 static int selinux_socket_getpeername(struct socket *sock)
4546 {
4547 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4548 }
4549
4550 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4551 {
4552 int err;
4553
4554 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4555 if (err)
4556 return err;
4557
4558 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4559 }
4560
4561 static int selinux_socket_getsockopt(struct socket *sock, int level,
4562 int optname)
4563 {
4564 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4565 }
4566
4567 static int selinux_socket_shutdown(struct socket *sock, int how)
4568 {
4569 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4570 }
4571
4572 static int selinux_socket_unix_stream_connect(struct sock *sock,
4573 struct sock *other,
4574 struct sock *newsk)
4575 {
4576 struct sk_security_struct *sksec_sock = selinux_sock(sock);
4577 struct sk_security_struct *sksec_other = selinux_sock(other);
4578 struct sk_security_struct *sksec_new = selinux_sock(newsk);
4579 struct common_audit_data ad;
4580 struct lsm_network_audit net = {0,};
4581 int err;
4582
4583 ad.type = LSM_AUDIT_DATA_NET;
4584 ad.u.net = &net;
4585 ad.u.net->sk = other;
4586
4587 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4588 sksec_other->sclass,
4589 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4590 if (err)
4591 return err;
4592
4593 /* server child socket */
4594 sksec_new->peer_sid = sksec_sock->sid;
4595 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4596 &sksec_new->sid);
4597 if (err)
4598 return err;
4599
4600 /* connecting socket */
4601 sksec_sock->peer_sid = sksec_new->sid;
4602
4603 return 0;
4604 }
4605
4606 static int selinux_socket_unix_may_send(struct socket *sock,
4607 struct socket *other)
4608 {
4609 struct sk_security_struct *ssec = selinux_sock(sock->sk);
4610 struct sk_security_struct *osec = selinux_sock(other->sk);
4611 struct common_audit_data ad;
4612 struct lsm_network_audit net = {0,};
4613
4614 ad.type = LSM_AUDIT_DATA_NET;
4615 ad.u.net = &net;
4616 ad.u.net->sk = other->sk;
4617
4618 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4619 &ad);
4620 }
4621
4622 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4623 char *addrp, u16 family, u32 peer_sid,
4624 struct common_audit_data *ad)
4625 {
4626 int err;
4627 u32 if_sid;
4628 u32 node_sid;
4629
4630 err = sel_netif_sid(ns, ifindex, &if_sid);
4631 if (err)
4632 return err;
4633 err = avc_has_perm(peer_sid, if_sid,
4634 SECCLASS_NETIF, NETIF__INGRESS, ad);
4635 if (err)
4636 return err;
4637
4638 err = sel_netnode_sid(addrp, family, &node_sid);
4639 if (err)
4640 return err;
4641 return avc_has_perm(peer_sid, node_sid,
4642 SECCLASS_NODE, NODE__RECVFROM, ad);
4643 }
4644
4645 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4646 u16 family)
4647 {
4648 int err = 0;
4649 struct sk_security_struct *sksec = selinux_sock(sk);
4650 u32 sk_sid = sksec->sid;
4651 struct common_audit_data ad;
4652 struct lsm_network_audit net = {0,};
4653 char *addrp;
4654
4655 ad.type = LSM_AUDIT_DATA_NET;
4656 ad.u.net = &net;
4657 ad.u.net->netif = skb->skb_iif;
4658 ad.u.net->family = family;
4659 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4660 if (err)
4661 return err;
4662
4663 if (selinux_secmark_enabled()) {
4664 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4665 PACKET__RECV, &ad);
4666 if (err)
4667 return err;
4668 }
4669
4670 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4671 if (err)
4672 return err;
4673 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4674
4675 return err;
4676 }
4677
4678 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4679 {
4680 int err;
4681 struct sk_security_struct *sksec = selinux_sock(sk);
4682 u16 family = sk->sk_family;
4683 u32 sk_sid = sksec->sid;
4684 struct common_audit_data ad;
4685 struct lsm_network_audit net = {0,};
4686 char *addrp;
4687 u8 secmark_active;
4688 u8 peerlbl_active;
4689
4690 if (family != PF_INET && family != PF_INET6)
4691 return 0;
4692
4693 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4694 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4695 family = PF_INET;
4696
4697 /* If any sort of compatibility mode is enabled then handoff processing
4698 * to the selinux_sock_rcv_skb_compat() function to deal with the
4699 * special handling. We do this in an attempt to keep this function
4700 * as fast and as clean as possible. */
4701 if (!selinux_policycap_netpeer)
4702 return selinux_sock_rcv_skb_compat(sk, skb, family);
4703
4704 secmark_active = selinux_secmark_enabled();
4705 peerlbl_active = selinux_peerlbl_enabled();
4706 if (!secmark_active && !peerlbl_active)
4707 return 0;
4708
4709 ad.type = LSM_AUDIT_DATA_NET;
4710 ad.u.net = &net;
4711 ad.u.net->netif = skb->skb_iif;
4712 ad.u.net->family = family;
4713 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4714 if (err)
4715 return err;
4716
4717 if (peerlbl_active) {
4718 u32 peer_sid;
4719
4720 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4721 if (err)
4722 return err;
4723 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4724 addrp, family, peer_sid, &ad);
4725 if (err) {
4726 selinux_netlbl_err(skb, family, err, 0);
4727 return err;
4728 }
4729 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4730 PEER__RECV, &ad);
4731 if (err) {
4732 selinux_netlbl_err(skb, family, err, 0);
4733 return err;
4734 }
4735 }
4736
4737 if (secmark_active) {
4738 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4739 PACKET__RECV, &ad);
4740 if (err)
4741 return err;
4742 }
4743
4744 return err;
4745 }
4746
4747 static int selinux_socket_getpeersec_stream(struct socket *sock,
4748 __user char *optval,
4749 __user int *optlen,
4750 unsigned int len)
4751 {
4752 int err = 0;
4753 char *scontext;
4754 u32 scontext_len;
4755 struct sk_security_struct *sksec = selinux_sock(sock->sk);
4756 u32 peer_sid = SECSID_NULL;
4757
4758 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4759 sksec->sclass == SECCLASS_TCP_SOCKET)
4760 peer_sid = sksec->peer_sid;
4761 if (peer_sid == SECSID_NULL)
4762 return -ENOPROTOOPT;
4763
4764 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4765 if (err)
4766 return err;
4767
4768 if (scontext_len > len) {
4769 err = -ERANGE;
4770 goto out_len;
4771 }
4772
4773 if (copy_to_user(optval, scontext, scontext_len))
4774 err = -EFAULT;
4775
4776 out_len:
4777 if (put_user(scontext_len, optlen))
4778 err = -EFAULT;
4779 kfree(scontext);
4780 return err;
4781 }
4782
4783 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4784 {
4785 u32 peer_secid = SECSID_NULL;
4786 u16 family;
4787 struct inode_security_struct *isec;
4788
4789 if (skb && skb->protocol == htons(ETH_P_IP))
4790 family = PF_INET;
4791 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4792 family = PF_INET6;
4793 else if (sock)
4794 family = sock->sk->sk_family;
4795 else
4796 goto out;
4797
4798 if (sock && family == PF_UNIX) {
4799 isec = inode_security_novalidate(SOCK_INODE(sock));
4800 peer_secid = isec->sid;
4801 } else if (skb)
4802 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4803
4804 out:
4805 *secid = peer_secid;
4806 if (peer_secid == SECSID_NULL)
4807 return -EINVAL;
4808 return 0;
4809 }
4810
4811 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4812 {
4813 struct sk_security_struct *sksec = selinux_sock(sk);
4814
4815 sksec->peer_sid = SECINITSID_UNLABELED;
4816 sksec->sid = SECINITSID_UNLABELED;
4817 sksec->sclass = SECCLASS_SOCKET;
4818 selinux_netlbl_sk_security_reset(sksec);
4819
4820 return 0;
4821 }
4822
4823 static void selinux_sk_free_security(struct sock *sk)
4824 {
4825 struct sk_security_struct *sksec = selinux_sock(sk);
4826
4827 selinux_netlbl_sk_security_free(sksec);
4828 }
4829
4830 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4831 {
4832 struct sk_security_struct *sksec = selinux_sock(sk);
4833 struct sk_security_struct *newsksec = selinux_sock(newsk);
4834
4835 newsksec->sid = sksec->sid;
4836 newsksec->peer_sid = sksec->peer_sid;
4837 newsksec->sclass = sksec->sclass;
4838
4839 selinux_netlbl_sk_security_reset(newsksec);
4840 }
4841
4842 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4843 {
4844 if (!sk)
4845 *secid = SECINITSID_ANY_SOCKET;
4846 else {
4847 struct sk_security_struct *sksec = selinux_sock(sk);
4848
4849 *secid = sksec->sid;
4850 }
4851 }
4852
4853 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4854 {
4855 struct inode_security_struct *isec =
4856 inode_security_novalidate(SOCK_INODE(parent));
4857 struct sk_security_struct *sksec = selinux_sock(sk);
4858
4859 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4860 sk->sk_family == PF_UNIX)
4861 isec->sid = sksec->sid;
4862 sksec->sclass = isec->sclass;
4863 }
4864
4865 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4866 struct request_sock *req)
4867 {
4868 struct sk_security_struct *sksec = selinux_sock(sk);
4869 int err;
4870 u16 family = req->rsk_ops->family;
4871 u32 connsid;
4872 u32 peersid;
4873
4874 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4875 if (err)
4876 return err;
4877 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4878 if (err)
4879 return err;
4880 req->secid = connsid;
4881 req->peer_secid = peersid;
4882
4883 return selinux_netlbl_inet_conn_request(req, family);
4884 }
4885
4886 static void selinux_inet_csk_clone(struct sock *newsk,
4887 const struct request_sock *req)
4888 {
4889 struct sk_security_struct *newsksec = selinux_sock(newsk);
4890
4891 newsksec->sid = req->secid;
4892 newsksec->peer_sid = req->peer_secid;
4893 /* NOTE: Ideally, we should also get the isec->sid for the
4894 new socket in sync, but we don't have the isec available yet.
4895 So we will wait until sock_graft to do it, by which
4896 time it will have been created and available. */
4897
4898 /* We don't need to take any sort of lock here as we are the only
4899 * thread with access to newsksec */
4900 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4901 }
4902
4903 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4904 {
4905 u16 family = sk->sk_family;
4906 struct sk_security_struct *sksec = selinux_sock(sk);
4907
4908 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4909 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4910 family = PF_INET;
4911
4912 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4913 }
4914
4915 static int selinux_secmark_relabel_packet(u32 sid)
4916 {
4917 const struct task_security_struct *__tsec;
4918 u32 tsid;
4919
4920 __tsec = selinux_cred(current_cred());
4921 tsid = __tsec->sid;
4922
4923 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4924 }
4925
4926 static void selinux_secmark_refcount_inc(void)
4927 {
4928 atomic_inc(&selinux_secmark_refcount);
4929 }
4930
4931 static void selinux_secmark_refcount_dec(void)
4932 {
4933 atomic_dec(&selinux_secmark_refcount);
4934 }
4935
4936 static void selinux_req_classify_flow(const struct request_sock *req,
4937 struct flowi *fl)
4938 {
4939 fl->flowi_secid = req->secid;
4940 }
4941
4942 static int selinux_tun_dev_alloc_security(void **security)
4943 {
4944 struct tun_security_struct *tunsec;
4945
4946 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4947 if (!tunsec)
4948 return -ENOMEM;
4949 tunsec->sid = current_sid();
4950
4951 *security = tunsec;
4952 return 0;
4953 }
4954
4955 static void selinux_tun_dev_free_security(void *security)
4956 {
4957 kfree(security);
4958 }
4959
4960 static int selinux_tun_dev_create(void)
4961 {
4962 u32 sid = current_sid();
4963
4964 /* we aren't taking into account the "sockcreate" SID since the socket
4965 * that is being created here is not a socket in the traditional sense,
4966 * instead it is a private sock, accessible only to the kernel, and
4967 * representing a wide range of network traffic spanning multiple
4968 * connections unlike traditional sockets - check the TUN driver to
4969 * get a better understanding of why this socket is special */
4970
4971 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4972 NULL);
4973 }
4974
4975 static int selinux_tun_dev_attach_queue(void *security)
4976 {
4977 struct tun_security_struct *tunsec = security;
4978
4979 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4980 TUN_SOCKET__ATTACH_QUEUE, NULL);
4981 }
4982
4983 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4984 {
4985 struct tun_security_struct *tunsec = security;
4986 struct sk_security_struct *sksec = selinux_sock(sk);
4987
4988 /* we don't currently perform any NetLabel based labeling here and it
4989 * isn't clear that we would want to do so anyway; while we could apply
4990 * labeling without the support of the TUN user the resulting labeled
4991 * traffic from the other end of the connection would almost certainly
4992 * cause confusion to the TUN user that had no idea network labeling
4993 * protocols were being used */
4994
4995 sksec->sid = tunsec->sid;
4996 sksec->sclass = SECCLASS_TUN_SOCKET;
4997
4998 return 0;
4999 }
5000
5001 static int selinux_tun_dev_open(void *security)
5002 {
5003 struct tun_security_struct *tunsec = security;
5004 u32 sid = current_sid();
5005 int err;
5006
5007 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5008 TUN_SOCKET__RELABELFROM, NULL);
5009 if (err)
5010 return err;
5011 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5012 TUN_SOCKET__RELABELTO, NULL);
5013 if (err)
5014 return err;
5015 tunsec->sid = sid;
5016
5017 return 0;
5018 }
5019
5020 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5021 {
5022 int err = 0;
5023 u32 perm;
5024 struct nlmsghdr *nlh;
5025 struct sk_security_struct *sksec = selinux_sock(sk);
5026
5027 if (skb->len < NLMSG_HDRLEN) {
5028 err = -EINVAL;
5029 goto out;
5030 }
5031 nlh = nlmsg_hdr(skb);
5032
5033 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5034 if (err) {
5035 if (err == -EINVAL) {
5036 pr_warn_ratelimited("SELinux: unrecognized netlink"
5037 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5038 " pig=%d comm=%s\n",
5039 sk->sk_protocol, nlh->nlmsg_type,
5040 secclass_map[sksec->sclass - 1].name,
5041 task_pid_nr(current), current->comm);
5042 if (!selinux_enforcing || security_get_allow_unknown())
5043 err = 0;
5044 }
5045
5046 /* Ignore */
5047 if (err == -ENOENT)
5048 err = 0;
5049 goto out;
5050 }
5051
5052 err = sock_has_perm(sk, perm);
5053 out:
5054 return err;
5055 }
5056
5057 #ifdef CONFIG_NETFILTER
5058
5059 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5060 const struct net_device *indev,
5061 u16 family)
5062 {
5063 int err;
5064 char *addrp;
5065 u32 peer_sid;
5066 struct common_audit_data ad;
5067 struct lsm_network_audit net = {0,};
5068 u8 secmark_active;
5069 u8 netlbl_active;
5070 u8 peerlbl_active;
5071
5072 if (!selinux_policycap_netpeer)
5073 return NF_ACCEPT;
5074
5075 secmark_active = selinux_secmark_enabled();
5076 netlbl_active = netlbl_enabled();
5077 peerlbl_active = selinux_peerlbl_enabled();
5078 if (!secmark_active && !peerlbl_active)
5079 return NF_ACCEPT;
5080
5081 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5082 return NF_DROP;
5083
5084 ad.type = LSM_AUDIT_DATA_NET;
5085 ad.u.net = &net;
5086 ad.u.net->netif = indev->ifindex;
5087 ad.u.net->family = family;
5088 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5089 return NF_DROP;
5090
5091 if (peerlbl_active) {
5092 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5093 addrp, family, peer_sid, &ad);
5094 if (err) {
5095 selinux_netlbl_err(skb, family, err, 1);
5096 return NF_DROP;
5097 }
5098 }
5099
5100 if (secmark_active)
5101 if (avc_has_perm(peer_sid, skb->secmark,
5102 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5103 return NF_DROP;
5104
5105 if (netlbl_active)
5106 /* we do this in the FORWARD path and not the POST_ROUTING
5107 * path because we want to make sure we apply the necessary
5108 * labeling before IPsec is applied so we can leverage AH
5109 * protection */
5110 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5111 return NF_DROP;
5112
5113 return NF_ACCEPT;
5114 }
5115
5116 static unsigned int selinux_ipv4_forward(void *priv,
5117 struct sk_buff *skb,
5118 const struct nf_hook_state *state)
5119 {
5120 return selinux_ip_forward(skb, state->in, PF_INET);
5121 }
5122
5123 #if IS_ENABLED(CONFIG_IPV6)
5124 static unsigned int selinux_ipv6_forward(void *priv,
5125 struct sk_buff *skb,
5126 const struct nf_hook_state *state)
5127 {
5128 return selinux_ip_forward(skb, state->in, PF_INET6);
5129 }
5130 #endif /* IPV6 */
5131
5132 static unsigned int selinux_ip_output(struct sk_buff *skb,
5133 u16 family)
5134 {
5135 struct sock *sk;
5136 u32 sid;
5137
5138 if (!netlbl_enabled())
5139 return NF_ACCEPT;
5140
5141 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5142 * because we want to make sure we apply the necessary labeling
5143 * before IPsec is applied so we can leverage AH protection */
5144 sk = skb->sk;
5145 if (sk) {
5146 struct sk_security_struct *sksec;
5147
5148 if (sk_listener(sk))
5149 /* if the socket is the listening state then this
5150 * packet is a SYN-ACK packet which means it needs to
5151 * be labeled based on the connection/request_sock and
5152 * not the parent socket. unfortunately, we can't
5153 * lookup the request_sock yet as it isn't queued on
5154 * the parent socket until after the SYN-ACK is sent.
5155 * the "solution" is to simply pass the packet as-is
5156 * as any IP option based labeling should be copied
5157 * from the initial connection request (in the IP
5158 * layer). it is far from ideal, but until we get a
5159 * security label in the packet itself this is the
5160 * best we can do. */
5161 return NF_ACCEPT;
5162
5163 /* standard practice, label using the parent socket */
5164 sksec = selinux_sock(sk);
5165 sid = sksec->sid;
5166 } else
5167 sid = SECINITSID_KERNEL;
5168 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5169 return NF_DROP;
5170
5171 return NF_ACCEPT;
5172 }
5173
5174 static unsigned int selinux_ipv4_output(void *priv,
5175 struct sk_buff *skb,
5176 const struct nf_hook_state *state)
5177 {
5178 return selinux_ip_output(skb, PF_INET);
5179 }
5180
5181 #if IS_ENABLED(CONFIG_IPV6)
5182 static unsigned int selinux_ipv6_output(void *priv,
5183 struct sk_buff *skb,
5184 const struct nf_hook_state *state)
5185 {
5186 return selinux_ip_output(skb, PF_INET6);
5187 }
5188 #endif /* IPV6 */
5189
5190 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5191 int ifindex,
5192 u16 family)
5193 {
5194 struct sock *sk = skb_to_full_sk(skb);
5195 struct sk_security_struct *sksec;
5196 struct common_audit_data ad;
5197 struct lsm_network_audit net = {0,};
5198 char *addrp;
5199 u8 proto;
5200
5201 if (sk == NULL)
5202 return NF_ACCEPT;
5203 sksec = selinux_sock(sk);
5204
5205 ad.type = LSM_AUDIT_DATA_NET;
5206 ad.u.net = &net;
5207 ad.u.net->netif = ifindex;
5208 ad.u.net->family = family;
5209 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5210 return NF_DROP;
5211
5212 if (selinux_secmark_enabled())
5213 if (avc_has_perm(sksec->sid, skb->secmark,
5214 SECCLASS_PACKET, PACKET__SEND, &ad))
5215 return NF_DROP_ERR(-ECONNREFUSED);
5216
5217 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5218 return NF_DROP_ERR(-ECONNREFUSED);
5219
5220 return NF_ACCEPT;
5221 }
5222
5223 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5224 const struct net_device *outdev,
5225 u16 family)
5226 {
5227 u32 secmark_perm;
5228 u32 peer_sid;
5229 int ifindex = outdev->ifindex;
5230 struct sock *sk;
5231 struct common_audit_data ad;
5232 struct lsm_network_audit net = {0,};
5233 char *addrp;
5234 u8 secmark_active;
5235 u8 peerlbl_active;
5236
5237 /* If any sort of compatibility mode is enabled then handoff processing
5238 * to the selinux_ip_postroute_compat() function to deal with the
5239 * special handling. We do this in an attempt to keep this function
5240 * as fast and as clean as possible. */
5241 if (!selinux_policycap_netpeer)
5242 return selinux_ip_postroute_compat(skb, ifindex, family);
5243
5244 secmark_active = selinux_secmark_enabled();
5245 peerlbl_active = selinux_peerlbl_enabled();
5246 if (!secmark_active && !peerlbl_active)
5247 return NF_ACCEPT;
5248
5249 sk = skb_to_full_sk(skb);
5250
5251 #ifdef CONFIG_XFRM
5252 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5253 * packet transformation so allow the packet to pass without any checks
5254 * since we'll have another chance to perform access control checks
5255 * when the packet is on it's final way out.
5256 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5257 * is NULL, in this case go ahead and apply access control.
5258 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5259 * TCP listening state we cannot wait until the XFRM processing
5260 * is done as we will miss out on the SA label if we do;
5261 * unfortunately, this means more work, but it is only once per
5262 * connection. */
5263 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5264 !(sk && sk_listener(sk)))
5265 return NF_ACCEPT;
5266 #endif
5267
5268 if (sk == NULL) {
5269 /* Without an associated socket the packet is either coming
5270 * from the kernel or it is being forwarded; check the packet
5271 * to determine which and if the packet is being forwarded
5272 * query the packet directly to determine the security label. */
5273 if (skb->skb_iif) {
5274 secmark_perm = PACKET__FORWARD_OUT;
5275 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5276 return NF_DROP;
5277 } else {
5278 secmark_perm = PACKET__SEND;
5279 peer_sid = SECINITSID_KERNEL;
5280 }
5281 } else if (sk_listener(sk)) {
5282 /* Locally generated packet but the associated socket is in the
5283 * listening state which means this is a SYN-ACK packet. In
5284 * this particular case the correct security label is assigned
5285 * to the connection/request_sock but unfortunately we can't
5286 * query the request_sock as it isn't queued on the parent
5287 * socket until after the SYN-ACK packet is sent; the only
5288 * viable choice is to regenerate the label like we do in
5289 * selinux_inet_conn_request(). See also selinux_ip_output()
5290 * for similar problems. */
5291 u32 skb_sid;
5292 struct sk_security_struct *sksec;
5293
5294 sksec = selinux_sock(sk);
5295 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5296 return NF_DROP;
5297 /* At this point, if the returned skb peerlbl is SECSID_NULL
5298 * and the packet has been through at least one XFRM
5299 * transformation then we must be dealing with the "final"
5300 * form of labeled IPsec packet; since we've already applied
5301 * all of our access controls on this packet we can safely
5302 * pass the packet. */
5303 if (skb_sid == SECSID_NULL) {
5304 switch (family) {
5305 case PF_INET:
5306 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5307 return NF_ACCEPT;
5308 break;
5309 case PF_INET6:
5310 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5311 return NF_ACCEPT;
5312 break;
5313 default:
5314 return NF_DROP_ERR(-ECONNREFUSED);
5315 }
5316 }
5317 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5318 return NF_DROP;
5319 secmark_perm = PACKET__SEND;
5320 } else {
5321 /* Locally generated packet, fetch the security label from the
5322 * associated socket. */
5323 struct sk_security_struct *sksec = selinux_sock(sk);
5324 peer_sid = sksec->sid;
5325 secmark_perm = PACKET__SEND;
5326 }
5327
5328 ad.type = LSM_AUDIT_DATA_NET;
5329 ad.u.net = &net;
5330 ad.u.net->netif = ifindex;
5331 ad.u.net->family = family;
5332 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5333 return NF_DROP;
5334
5335 if (secmark_active)
5336 if (avc_has_perm(peer_sid, skb->secmark,
5337 SECCLASS_PACKET, secmark_perm, &ad))
5338 return NF_DROP_ERR(-ECONNREFUSED);
5339
5340 if (peerlbl_active) {
5341 u32 if_sid;
5342 u32 node_sid;
5343
5344 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5345 return NF_DROP;
5346 if (avc_has_perm(peer_sid, if_sid,
5347 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5348 return NF_DROP_ERR(-ECONNREFUSED);
5349
5350 if (sel_netnode_sid(addrp, family, &node_sid))
5351 return NF_DROP;
5352 if (avc_has_perm(peer_sid, node_sid,
5353 SECCLASS_NODE, NODE__SENDTO, &ad))
5354 return NF_DROP_ERR(-ECONNREFUSED);
5355 }
5356
5357 return NF_ACCEPT;
5358 }
5359
5360 static unsigned int selinux_ipv4_postroute(void *priv,
5361 struct sk_buff *skb,
5362 const struct nf_hook_state *state)
5363 {
5364 return selinux_ip_postroute(skb, state->out, PF_INET);
5365 }
5366
5367 #if IS_ENABLED(CONFIG_IPV6)
5368 static unsigned int selinux_ipv6_postroute(void *priv,
5369 struct sk_buff *skb,
5370 const struct nf_hook_state *state)
5371 {
5372 return selinux_ip_postroute(skb, state->out, PF_INET6);
5373 }
5374 #endif /* IPV6 */
5375
5376 #endif /* CONFIG_NETFILTER */
5377
5378 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5379 {
5380 return selinux_nlmsg_perm(sk, skb);
5381 }
5382
5383 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5384 {
5385 isec->sclass = sclass;
5386 isec->sid = current_sid();
5387 }
5388
5389 static int msg_msg_alloc_security(struct msg_msg *msg)
5390 {
5391 struct msg_security_struct *msec;
5392
5393 msec = selinux_msg_msg(msg);
5394 msec->sid = SECINITSID_UNLABELED;
5395
5396 return 0;
5397 }
5398
5399 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5400 u32 perms)
5401 {
5402 struct ipc_security_struct *isec;
5403 struct common_audit_data ad;
5404 u32 sid = current_sid();
5405
5406 isec = selinux_ipc(ipc_perms);
5407
5408 ad.type = LSM_AUDIT_DATA_IPC;
5409 ad.u.ipc_id = ipc_perms->key;
5410
5411 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5412 }
5413
5414 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5415 {
5416 return msg_msg_alloc_security(msg);
5417 }
5418
5419 /* message queue security operations */
5420 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5421 {
5422 struct ipc_security_struct *isec;
5423 struct common_audit_data ad;
5424 u32 sid = current_sid();
5425 int rc;
5426
5427 isec = selinux_ipc(&msq->q_perm);
5428 ipc_init_security(isec, SECCLASS_MSGQ);
5429
5430 ad.type = LSM_AUDIT_DATA_IPC;
5431 ad.u.ipc_id = msq->q_perm.key;
5432
5433 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5434 MSGQ__CREATE, &ad);
5435 return rc;
5436 }
5437
5438 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5439 {
5440 struct ipc_security_struct *isec;
5441 struct common_audit_data ad;
5442 u32 sid = current_sid();
5443
5444 isec = selinux_ipc(&msq->q_perm);
5445
5446 ad.type = LSM_AUDIT_DATA_IPC;
5447 ad.u.ipc_id = msq->q_perm.key;
5448
5449 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5450 MSGQ__ASSOCIATE, &ad);
5451 }
5452
5453 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5454 {
5455 int err;
5456 int perms;
5457
5458 switch (cmd) {
5459 case IPC_INFO:
5460 case MSG_INFO:
5461 /* No specific object, just general system-wide information. */
5462 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5463 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5464 case IPC_STAT:
5465 case MSG_STAT:
5466 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5467 break;
5468 case IPC_SET:
5469 perms = MSGQ__SETATTR;
5470 break;
5471 case IPC_RMID:
5472 perms = MSGQ__DESTROY;
5473 break;
5474 default:
5475 return 0;
5476 }
5477
5478 err = ipc_has_perm(&msq->q_perm, perms);
5479 return err;
5480 }
5481
5482 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5483 {
5484 struct ipc_security_struct *isec;
5485 struct msg_security_struct *msec;
5486 struct common_audit_data ad;
5487 u32 sid = current_sid();
5488 int rc;
5489
5490 isec = selinux_ipc(&msq->q_perm);
5491 msec = selinux_msg_msg(msg);
5492
5493 /*
5494 * First time through, need to assign label to the message
5495 */
5496 if (msec->sid == SECINITSID_UNLABELED) {
5497 /*
5498 * Compute new sid based on current process and
5499 * message queue this message will be stored in
5500 */
5501 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5502 NULL, &msec->sid);
5503 if (rc)
5504 return rc;
5505 }
5506
5507 ad.type = LSM_AUDIT_DATA_IPC;
5508 ad.u.ipc_id = msq->q_perm.key;
5509
5510 /* Can this process write to the queue? */
5511 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5512 MSGQ__WRITE, &ad);
5513 if (!rc)
5514 /* Can this process send the message */
5515 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5516 MSG__SEND, &ad);
5517 if (!rc)
5518 /* Can the message be put in the queue? */
5519 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5520 MSGQ__ENQUEUE, &ad);
5521
5522 return rc;
5523 }
5524
5525 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5526 struct task_struct *target,
5527 long type, int mode)
5528 {
5529 struct ipc_security_struct *isec;
5530 struct msg_security_struct *msec;
5531 struct common_audit_data ad;
5532 u32 sid = task_sid(target);
5533 int rc;
5534
5535 isec = selinux_ipc(&msq->q_perm);
5536 msec = selinux_msg_msg(msg);
5537
5538 ad.type = LSM_AUDIT_DATA_IPC;
5539 ad.u.ipc_id = msq->q_perm.key;
5540
5541 rc = avc_has_perm(sid, isec->sid,
5542 SECCLASS_MSGQ, MSGQ__READ, &ad);
5543 if (!rc)
5544 rc = avc_has_perm(sid, msec->sid,
5545 SECCLASS_MSG, MSG__RECEIVE, &ad);
5546 return rc;
5547 }
5548
5549 /* Shared Memory security operations */
5550 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5551 {
5552 struct ipc_security_struct *isec;
5553 struct common_audit_data ad;
5554 u32 sid = current_sid();
5555 int rc;
5556
5557 isec = selinux_ipc(&shp->shm_perm);
5558 ipc_init_security(isec, SECCLASS_SHM);
5559
5560 ad.type = LSM_AUDIT_DATA_IPC;
5561 ad.u.ipc_id = shp->shm_perm.key;
5562
5563 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5564 SHM__CREATE, &ad);
5565 return rc;
5566 }
5567
5568 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5569 {
5570 struct ipc_security_struct *isec;
5571 struct common_audit_data ad;
5572 u32 sid = current_sid();
5573
5574 isec = selinux_ipc(&shp->shm_perm);
5575
5576 ad.type = LSM_AUDIT_DATA_IPC;
5577 ad.u.ipc_id = shp->shm_perm.key;
5578
5579 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5580 SHM__ASSOCIATE, &ad);
5581 }
5582
5583 /* Note, at this point, shp is locked down */
5584 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5585 {
5586 int perms;
5587 int err;
5588
5589 switch (cmd) {
5590 case IPC_INFO:
5591 case SHM_INFO:
5592 /* No specific object, just general system-wide information. */
5593 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5594 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5595 case IPC_STAT:
5596 case SHM_STAT:
5597 perms = SHM__GETATTR | SHM__ASSOCIATE;
5598 break;
5599 case IPC_SET:
5600 perms = SHM__SETATTR;
5601 break;
5602 case SHM_LOCK:
5603 case SHM_UNLOCK:
5604 perms = SHM__LOCK;
5605 break;
5606 case IPC_RMID:
5607 perms = SHM__DESTROY;
5608 break;
5609 default:
5610 return 0;
5611 }
5612
5613 err = ipc_has_perm(&shp->shm_perm, perms);
5614 return err;
5615 }
5616
5617 static int selinux_shm_shmat(struct shmid_kernel *shp,
5618 char __user *shmaddr, int shmflg)
5619 {
5620 u32 perms;
5621
5622 if (shmflg & SHM_RDONLY)
5623 perms = SHM__READ;
5624 else
5625 perms = SHM__READ | SHM__WRITE;
5626
5627 return ipc_has_perm(&shp->shm_perm, perms);
5628 }
5629
5630 /* Semaphore security operations */
5631 static int selinux_sem_alloc_security(struct sem_array *sma)
5632 {
5633 struct ipc_security_struct *isec;
5634 struct common_audit_data ad;
5635 u32 sid = current_sid();
5636 int rc;
5637
5638 isec = selinux_ipc(&sma->sem_perm);
5639 ipc_init_security(isec, SECCLASS_SEM);
5640
5641 ad.type = LSM_AUDIT_DATA_IPC;
5642 ad.u.ipc_id = sma->sem_perm.key;
5643
5644 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5645 SEM__CREATE, &ad);
5646 return rc;
5647 }
5648
5649 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5650 {
5651 struct ipc_security_struct *isec;
5652 struct common_audit_data ad;
5653 u32 sid = current_sid();
5654
5655 isec = selinux_ipc(&sma->sem_perm);
5656
5657 ad.type = LSM_AUDIT_DATA_IPC;
5658 ad.u.ipc_id = sma->sem_perm.key;
5659
5660 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5661 SEM__ASSOCIATE, &ad);
5662 }
5663
5664 /* Note, at this point, sma is locked down */
5665 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5666 {
5667 int err;
5668 u32 perms;
5669
5670 switch (cmd) {
5671 case IPC_INFO:
5672 case SEM_INFO:
5673 /* No specific object, just general system-wide information. */
5674 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5675 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5676 case GETPID:
5677 case GETNCNT:
5678 case GETZCNT:
5679 perms = SEM__GETATTR;
5680 break;
5681 case GETVAL:
5682 case GETALL:
5683 perms = SEM__READ;
5684 break;
5685 case SETVAL:
5686 case SETALL:
5687 perms = SEM__WRITE;
5688 break;
5689 case IPC_RMID:
5690 perms = SEM__DESTROY;
5691 break;
5692 case IPC_SET:
5693 perms = SEM__SETATTR;
5694 break;
5695 case IPC_STAT:
5696 case SEM_STAT:
5697 perms = SEM__GETATTR | SEM__ASSOCIATE;
5698 break;
5699 default:
5700 return 0;
5701 }
5702
5703 err = ipc_has_perm(&sma->sem_perm, perms);
5704 return err;
5705 }
5706
5707 static int selinux_sem_semop(struct sem_array *sma,
5708 struct sembuf *sops, unsigned nsops, int alter)
5709 {
5710 u32 perms;
5711
5712 if (alter)
5713 perms = SEM__READ | SEM__WRITE;
5714 else
5715 perms = SEM__READ;
5716
5717 return ipc_has_perm(&sma->sem_perm, perms);
5718 }
5719
5720 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5721 {
5722 u32 av = 0;
5723
5724 av = 0;
5725 if (flag & S_IRUGO)
5726 av |= IPC__UNIX_READ;
5727 if (flag & S_IWUGO)
5728 av |= IPC__UNIX_WRITE;
5729
5730 if (av == 0)
5731 return 0;
5732
5733 return ipc_has_perm(ipcp, av);
5734 }
5735
5736 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5737 {
5738 struct ipc_security_struct *isec = selinux_ipc(ipcp);
5739 *secid = isec->sid;
5740 }
5741
5742 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5743 {
5744 if (inode)
5745 inode_doinit_with_dentry(inode, dentry);
5746 }
5747
5748 static int selinux_getprocattr(struct task_struct *p,
5749 char *name, char **value)
5750 {
5751 const struct task_security_struct *__tsec;
5752 u32 sid;
5753 int error;
5754 unsigned len;
5755
5756 rcu_read_lock();
5757 __tsec = selinux_cred(__task_cred(p));
5758
5759 if (current != p) {
5760 error = avc_has_perm(current_sid(), __tsec->sid,
5761 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5762 if (error)
5763 goto bad;
5764 }
5765
5766 if (!strcmp(name, "current"))
5767 sid = __tsec->sid;
5768 else if (!strcmp(name, "prev"))
5769 sid = __tsec->osid;
5770 else if (!strcmp(name, "exec"))
5771 sid = __tsec->exec_sid;
5772 else if (!strcmp(name, "fscreate"))
5773 sid = __tsec->create_sid;
5774 else if (!strcmp(name, "keycreate"))
5775 sid = __tsec->keycreate_sid;
5776 else if (!strcmp(name, "sockcreate"))
5777 sid = __tsec->sockcreate_sid;
5778 else {
5779 error = -EINVAL;
5780 goto bad;
5781 }
5782 rcu_read_unlock();
5783
5784 if (!sid)
5785 return 0;
5786
5787 error = security_sid_to_context(sid, value, &len);
5788 if (error)
5789 return error;
5790 return len;
5791
5792 bad:
5793 rcu_read_unlock();
5794 return error;
5795 }
5796
5797 static int selinux_setprocattr(const char *name, void *value, size_t size)
5798 {
5799 struct task_security_struct *tsec;
5800 struct cred *new;
5801 u32 mysid = current_sid(), sid = 0, ptsid;
5802 int error;
5803 char *str = value;
5804
5805 /*
5806 * Basic control over ability to set these attributes at all.
5807 */
5808 if (!strcmp(name, "exec"))
5809 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5810 PROCESS__SETEXEC, NULL);
5811 else if (!strcmp(name, "fscreate"))
5812 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5813 PROCESS__SETFSCREATE, NULL);
5814 else if (!strcmp(name, "keycreate"))
5815 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5816 PROCESS__SETKEYCREATE, NULL);
5817 else if (!strcmp(name, "sockcreate"))
5818 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5819 PROCESS__SETSOCKCREATE, NULL);
5820 else if (!strcmp(name, "current"))
5821 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5822 PROCESS__SETCURRENT, NULL);
5823 else
5824 error = -EINVAL;
5825 if (error)
5826 return error;
5827
5828 /* Obtain a SID for the context, if one was specified. */
5829 if (size && str[0] && str[0] != '\n') {
5830 if (str[size-1] == '\n') {
5831 str[size-1] = 0;
5832 size--;
5833 }
5834 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5835 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5836 if (!has_cap_mac_admin(true)) {
5837 struct audit_buffer *ab;
5838 size_t audit_size;
5839
5840 /* We strip a nul only if it is at the end, otherwise the
5841 * context contains a nul and we should audit that */
5842 if (str[size - 1] == '\0')
5843 audit_size = size - 1;
5844 else
5845 audit_size = size;
5846 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5847 audit_log_format(ab, "op=fscreate invalid_context=");
5848 audit_log_n_untrustedstring(ab, value, audit_size);
5849 audit_log_end(ab);
5850
5851 return error;
5852 }
5853 error = security_context_to_sid_force(value, size,
5854 &sid);
5855 }
5856 if (error)
5857 return error;
5858 }
5859
5860 new = prepare_creds();
5861 if (!new)
5862 return -ENOMEM;
5863
5864 /* Permission checking based on the specified context is
5865 performed during the actual operation (execve,
5866 open/mkdir/...), when we know the full context of the
5867 operation. See selinux_bprm_set_creds for the execve
5868 checks and may_create for the file creation checks. The
5869 operation will then fail if the context is not permitted. */
5870 tsec = selinux_cred(new);
5871 if (!strcmp(name, "exec")) {
5872 tsec->exec_sid = sid;
5873 } else if (!strcmp(name, "fscreate")) {
5874 tsec->create_sid = sid;
5875 } else if (!strcmp(name, "keycreate")) {
5876 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
5877 NULL);
5878 if (error)
5879 goto abort_change;
5880 tsec->keycreate_sid = sid;
5881 } else if (!strcmp(name, "sockcreate")) {
5882 tsec->sockcreate_sid = sid;
5883 } else if (!strcmp(name, "current")) {
5884 error = -EINVAL;
5885 if (sid == 0)
5886 goto abort_change;
5887
5888 /* Only allow single threaded processes to change context */
5889 error = -EPERM;
5890 if (!current_is_single_threaded()) {
5891 error = security_bounded_transition(tsec->sid, sid);
5892 if (error)
5893 goto abort_change;
5894 }
5895
5896 /* Check permissions for the transition. */
5897 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5898 PROCESS__DYNTRANSITION, NULL);
5899 if (error)
5900 goto abort_change;
5901
5902 /* Check for ptracing, and update the task SID if ok.
5903 Otherwise, leave SID unchanged and fail. */
5904 ptsid = ptrace_parent_sid();
5905 if (ptsid != 0) {
5906 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5907 PROCESS__PTRACE, NULL);
5908 if (error)
5909 goto abort_change;
5910 }
5911
5912 tsec->sid = sid;
5913 } else {
5914 error = -EINVAL;
5915 goto abort_change;
5916 }
5917
5918 commit_creds(new);
5919 return size;
5920
5921 abort_change:
5922 abort_creds(new);
5923 return error;
5924 }
5925
5926 static int selinux_ismaclabel(const char *name)
5927 {
5928 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5929 }
5930
5931 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5932 {
5933 return security_sid_to_context(secid, secdata, seclen);
5934 }
5935
5936 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5937 {
5938 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5939 }
5940
5941 static void selinux_release_secctx(char *secdata, u32 seclen)
5942 {
5943 kfree(secdata);
5944 }
5945
5946 static void selinux_inode_invalidate_secctx(struct inode *inode)
5947 {
5948 struct inode_security_struct *isec = selinux_inode(inode);
5949
5950 spin_lock(&isec->lock);
5951 isec->initialized = LABEL_INVALID;
5952 spin_unlock(&isec->lock);
5953 }
5954
5955 /*
5956 * called with inode->i_mutex locked
5957 */
5958 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5959 {
5960 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5961 }
5962
5963 /*
5964 * called with inode->i_mutex locked
5965 */
5966 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5967 {
5968 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5969 }
5970
5971 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5972 {
5973 int len = 0;
5974 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5975 ctx, true);
5976 if (len < 0)
5977 return len;
5978 *ctxlen = len;
5979 return 0;
5980 }
5981 #ifdef CONFIG_KEYS
5982
5983 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5984 unsigned long flags)
5985 {
5986 const struct task_security_struct *tsec;
5987 struct key_security_struct *ksec = selinux_key(k);
5988
5989 tsec = selinux_cred(cred);
5990 if (tsec->keycreate_sid)
5991 ksec->sid = tsec->keycreate_sid;
5992 else
5993 ksec->sid = tsec->sid;
5994
5995 return 0;
5996 }
5997
5998 static int selinux_key_permission(key_ref_t key_ref,
5999 const struct cred *cred,
6000 unsigned perm)
6001 {
6002 struct key *key;
6003 struct key_security_struct *ksec;
6004 u32 sid;
6005
6006 /* if no specific permissions are requested, we skip the
6007 permission check. No serious, additional covert channels
6008 appear to be created. */
6009 if (perm == 0)
6010 return 0;
6011
6012 sid = cred_sid(cred);
6013
6014 key = key_ref_to_ptr(key_ref);
6015 ksec = selinux_key(key);
6016
6017 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6018 }
6019
6020 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6021 {
6022 struct key_security_struct *ksec = selinux_key(key);
6023 char *context = NULL;
6024 unsigned len;
6025 int rc;
6026
6027 rc = security_sid_to_context(ksec->sid, &context, &len);
6028 if (!rc)
6029 rc = len;
6030 *_buffer = context;
6031 return rc;
6032 }
6033 #endif
6034
6035 #ifdef CONFIG_SECURITY_INFINIBAND
6036 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6037 {
6038 struct common_audit_data ad;
6039 int err;
6040 u32 sid = 0;
6041 struct ib_security_struct *sec = ib_sec;
6042 struct lsm_ibpkey_audit ibpkey;
6043
6044 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6045 if (err)
6046 return err;
6047
6048 ad.type = LSM_AUDIT_DATA_IBPKEY;
6049 ibpkey.subnet_prefix = subnet_prefix;
6050 ibpkey.pkey = pkey_val;
6051 ad.u.ibpkey = &ibpkey;
6052 return avc_has_perm(sec->sid, sid,
6053 SECCLASS_INFINIBAND_PKEY,
6054 INFINIBAND_PKEY__ACCESS, &ad);
6055 }
6056
6057 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6058 u8 port_num)
6059 {
6060 struct common_audit_data ad;
6061 int err;
6062 u32 sid = 0;
6063 struct ib_security_struct *sec = ib_sec;
6064 struct lsm_ibendport_audit ibendport;
6065
6066 err = security_ib_endport_sid(dev_name, port_num, &sid);
6067
6068 if (err)
6069 return err;
6070
6071 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6072 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6073 ibendport.port = port_num;
6074 ad.u.ibendport = &ibendport;
6075 return avc_has_perm(sec->sid, sid,
6076 SECCLASS_INFINIBAND_ENDPORT,
6077 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6078 }
6079
6080 static int selinux_ib_alloc_security(void **ib_sec)
6081 {
6082 struct ib_security_struct *sec;
6083
6084 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6085 if (!sec)
6086 return -ENOMEM;
6087 sec->sid = current_sid();
6088
6089 *ib_sec = sec;
6090 return 0;
6091 }
6092
6093 static void selinux_ib_free_security(void *ib_sec)
6094 {
6095 kfree(ib_sec);
6096 }
6097 #endif
6098
6099 #ifdef CONFIG_BPF_SYSCALL
6100 static int selinux_bpf(int cmd, union bpf_attr *attr,
6101 unsigned int size)
6102 {
6103 u32 sid = current_sid();
6104 int ret;
6105
6106 switch (cmd) {
6107 case BPF_MAP_CREATE:
6108 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6109 NULL);
6110 break;
6111 case BPF_PROG_LOAD:
6112 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6113 NULL);
6114 break;
6115 default:
6116 ret = 0;
6117 break;
6118 }
6119
6120 return ret;
6121 }
6122
6123 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6124 {
6125 u32 av = 0;
6126
6127 if (fmode & FMODE_READ)
6128 av |= BPF__MAP_READ;
6129 if (fmode & FMODE_WRITE)
6130 av |= BPF__MAP_WRITE;
6131 return av;
6132 }
6133
6134 /* This function will check the file pass through unix socket or binder to see
6135 * if it is a bpf related object. And apply correspinding checks on the bpf
6136 * object based on the type. The bpf maps and programs, not like other files and
6137 * socket, are using a shared anonymous inode inside the kernel as their inode.
6138 * So checking that inode cannot identify if the process have privilege to
6139 * access the bpf object and that's why we have to add this additional check in
6140 * selinux_file_receive and selinux_binder_transfer_files.
6141 */
6142 static int bpf_fd_pass(struct file *file, u32 sid)
6143 {
6144 struct bpf_security_struct *bpfsec;
6145 struct bpf_prog *prog;
6146 struct bpf_map *map;
6147 int ret;
6148
6149 if (file->f_op == &bpf_map_fops) {
6150 map = file->private_data;
6151 bpfsec = map->security;
6152 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6153 bpf_map_fmode_to_av(file->f_mode), NULL);
6154 if (ret)
6155 return ret;
6156 } else if (file->f_op == &bpf_prog_fops) {
6157 prog = file->private_data;
6158 bpfsec = prog->aux->security;
6159 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6160 BPF__PROG_RUN, NULL);
6161 if (ret)
6162 return ret;
6163 }
6164 return 0;
6165 }
6166
6167 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6168 {
6169 u32 sid = current_sid();
6170 struct bpf_security_struct *bpfsec;
6171
6172 bpfsec = map->security;
6173 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6174 bpf_map_fmode_to_av(fmode), NULL);
6175 }
6176
6177 static int selinux_bpf_prog(struct bpf_prog *prog)
6178 {
6179 u32 sid = current_sid();
6180 struct bpf_security_struct *bpfsec;
6181
6182 bpfsec = prog->aux->security;
6183 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6184 BPF__PROG_RUN, NULL);
6185 }
6186
6187 static int selinux_bpf_map_alloc(struct bpf_map *map)
6188 {
6189 struct bpf_security_struct *bpfsec;
6190
6191 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6192 if (!bpfsec)
6193 return -ENOMEM;
6194
6195 bpfsec->sid = current_sid();
6196 map->security = bpfsec;
6197
6198 return 0;
6199 }
6200
6201 static void selinux_bpf_map_free(struct bpf_map *map)
6202 {
6203 struct bpf_security_struct *bpfsec = map->security;
6204
6205 map->security = NULL;
6206 kfree(bpfsec);
6207 }
6208
6209 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6210 {
6211 struct bpf_security_struct *bpfsec;
6212
6213 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6214 if (!bpfsec)
6215 return -ENOMEM;
6216
6217 bpfsec->sid = current_sid();
6218 aux->security = bpfsec;
6219
6220 return 0;
6221 }
6222
6223 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6224 {
6225 struct bpf_security_struct *bpfsec = aux->security;
6226
6227 aux->security = NULL;
6228 kfree(bpfsec);
6229 }
6230 #endif
6231
6232 struct lsm_blob_sizes selinux_blob_sizes = {
6233 .lbs_cred = sizeof(struct task_security_struct),
6234 .lbs_file = sizeof(struct file_security_struct),
6235 .lbs_inode = sizeof(struct inode_security_struct),
6236 .lbs_ipc = sizeof(struct ipc_security_struct),
6237 #ifdef CONFIG_KEYS
6238 .lbs_key = sizeof(struct key_security_struct),
6239 #endif /* CONFIG_KEYS */
6240 .lbs_msg_msg = sizeof(struct msg_security_struct),
6241 .lbs_sock = sizeof(struct sk_security_struct),
6242 .lbs_superblock = sizeof(struct superblock_security_struct),
6243 };
6244
6245 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6246 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6247 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6248 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6249 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6250
6251 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6252 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6253 LSM_HOOK_INIT(capget, selinux_capget),
6254 LSM_HOOK_INIT(capset, selinux_capset),
6255 LSM_HOOK_INIT(capable, selinux_capable),
6256 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6257 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6258 LSM_HOOK_INIT(syslog, selinux_syslog),
6259 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6260
6261 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6262
6263 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6264 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6265 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6266
6267 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6268 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6269 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6270 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6271 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6272 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6273 LSM_HOOK_INIT(sb_mount, selinux_mount),
6274 LSM_HOOK_INIT(sb_umount, selinux_umount),
6275 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6276 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6277 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6278
6279 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6280 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6281
6282 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6283 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6284 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6285 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6286 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6287 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6288 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6289 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6290 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6291 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6292 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6293 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6294 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6295 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6296 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6297 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6298 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6299 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6300 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6301 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6302 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6303 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6304 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6305 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6306 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6307 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6308 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6309
6310 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6311 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6312 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6313 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6314 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6315 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6316 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6317 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6318 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6319 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6320 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6321
6322 LSM_HOOK_INIT(file_open, selinux_file_open),
6323
6324 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6325 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6326 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6327 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6328 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6329 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6330 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6331 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6332 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6333 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6334 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6335 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6336 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6337 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6338 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6339 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6340 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6341 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6342 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6343 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6344 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6345
6346 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6347 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6348
6349 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6350
6351 LSM_HOOK_INIT(msg_queue_alloc_security,
6352 selinux_msg_queue_alloc_security),
6353 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6354 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6355 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6356 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6357
6358 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6359 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6360 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6361 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6362
6363 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6364 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6365 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6366 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6367
6368 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6369
6370 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6371 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6372
6373 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6374 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6375 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6376 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6377 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6378 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6379 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6380 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6381
6382 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6383 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6384
6385 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6386 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6387 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6388 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6389 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6390 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6391 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6392 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6393 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6394 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6395 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6396 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6397 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6398 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6399 LSM_HOOK_INIT(socket_getpeersec_stream,
6400 selinux_socket_getpeersec_stream),
6401 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6402 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6403 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6404 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6405 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6406 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6407 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6408 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6409 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6410 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6411 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6412 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6413 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6414 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6415 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6416 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6417 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6418 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6419 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6420 #ifdef CONFIG_SECURITY_INFINIBAND
6421 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6422 LSM_HOOK_INIT(ib_endport_manage_subnet,
6423 selinux_ib_endport_manage_subnet),
6424 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6425 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6426 #endif
6427 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6428 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6429 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6430 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6431 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6432 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6433 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6434 selinux_xfrm_state_alloc_acquire),
6435 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6436 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6437 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6438 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6439 selinux_xfrm_state_pol_flow_match),
6440 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6441 #endif
6442
6443 #ifdef CONFIG_KEYS
6444 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6445 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6446 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6447 #endif
6448
6449 #ifdef CONFIG_AUDIT
6450 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6451 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6452 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6453 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6454 #endif
6455
6456 #ifdef CONFIG_BPF_SYSCALL
6457 LSM_HOOK_INIT(bpf, selinux_bpf),
6458 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
6459 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
6460 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
6461 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
6462 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
6463 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
6464 #endif
6465 };
6466
6467 static __init int selinux_init(void)
6468 {
6469 static int finish;
6470
6471 if (!security_module_enable("selinux",
6472 IS_ENABLED(CONFIG_SECURITY_SELINUX_STACKED))) {
6473 selinux_enabled = 0;
6474 return 0;
6475 }
6476
6477 if (!finish) {
6478 security_add_blobs(&selinux_blob_sizes);
6479 finish = 1;
6480 return 0;
6481 }
6482
6483 if (!selinux_enabled) {
6484 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6485 return 0;
6486 }
6487
6488 printk(KERN_INFO "SELinux: Initializing.\n");
6489
6490 /* Set the security state for the initial task. */
6491 cred_init_security();
6492
6493 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6494
6495 avc_init();
6496
6497 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6498
6499 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6500 panic("SELinux: Unable to register AVC netcache callback\n");
6501
6502 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6503 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6504
6505 if (selinux_enforcing)
6506 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6507 else
6508 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6509
6510 return 0;
6511 }
6512
6513 static void delayed_superblock_init(struct super_block *sb, void *unused)
6514 {
6515 superblock_doinit(sb, NULL);
6516 }
6517
6518 void selinux_complete_init(void)
6519 {
6520 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6521
6522 /* Set up any superblocks initialized prior to the policy load. */
6523 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6524 iterate_supers(delayed_superblock_init, NULL);
6525 }
6526
6527 /* SELinux requires early initialization in order to label
6528 all processes and objects when they are created. */
6529 security_initcall(selinux_init);
6530
6531 #if defined(CONFIG_NETFILTER)
6532
6533 static const struct nf_hook_ops selinux_nf_ops[] = {
6534 {
6535 .hook = selinux_ipv4_postroute,
6536 .pf = NFPROTO_IPV4,
6537 .hooknum = NF_INET_POST_ROUTING,
6538 .priority = NF_IP_PRI_SELINUX_LAST,
6539 },
6540 {
6541 .hook = selinux_ipv4_forward,
6542 .pf = NFPROTO_IPV4,
6543 .hooknum = NF_INET_FORWARD,
6544 .priority = NF_IP_PRI_SELINUX_FIRST,
6545 },
6546 {
6547 .hook = selinux_ipv4_output,
6548 .pf = NFPROTO_IPV4,
6549 .hooknum = NF_INET_LOCAL_OUT,
6550 .priority = NF_IP_PRI_SELINUX_FIRST,
6551 },
6552 #if IS_ENABLED(CONFIG_IPV6)
6553 {
6554 .hook = selinux_ipv6_postroute,
6555 .pf = NFPROTO_IPV6,
6556 .hooknum = NF_INET_POST_ROUTING,
6557 .priority = NF_IP6_PRI_SELINUX_LAST,
6558 },
6559 {
6560 .hook = selinux_ipv6_forward,
6561 .pf = NFPROTO_IPV6,
6562 .hooknum = NF_INET_FORWARD,
6563 .priority = NF_IP6_PRI_SELINUX_FIRST,
6564 },
6565 {
6566 .hook = selinux_ipv6_output,
6567 .pf = NFPROTO_IPV6,
6568 .hooknum = NF_INET_LOCAL_OUT,
6569 .priority = NF_IP6_PRI_SELINUX_FIRST,
6570 },
6571 #endif /* IPV6 */
6572 };
6573
6574 static int __net_init selinux_nf_register(struct net *net)
6575 {
6576 return nf_register_net_hooks(net, selinux_nf_ops,
6577 ARRAY_SIZE(selinux_nf_ops));
6578 }
6579
6580 static void __net_exit selinux_nf_unregister(struct net *net)
6581 {
6582 nf_unregister_net_hooks(net, selinux_nf_ops,
6583 ARRAY_SIZE(selinux_nf_ops));
6584 }
6585
6586 static struct pernet_operations selinux_net_ops = {
6587 .init = selinux_nf_register,
6588 .exit = selinux_nf_unregister,
6589 };
6590
6591 static int __init selinux_nf_ip_init(void)
6592 {
6593 int err;
6594
6595 if (!selinux_enabled)
6596 return 0;
6597
6598 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6599
6600 err = register_pernet_subsys(&selinux_net_ops);
6601 if (err)
6602 panic("SELinux: register_pernet_subsys: error %d\n", err);
6603
6604 return 0;
6605 }
6606 __initcall(selinux_nf_ip_init);
6607
6608 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6609 static void selinux_nf_ip_exit(void)
6610 {
6611 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6612
6613 unregister_pernet_subsys(&selinux_net_ops);
6614 }
6615 #endif
6616
6617 #else /* CONFIG_NETFILTER */
6618
6619 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6620 #define selinux_nf_ip_exit()
6621 #endif
6622
6623 #endif /* CONFIG_NETFILTER */
6624
6625 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6626 static int selinux_disabled;
6627
6628 int selinux_disable(void)
6629 {
6630 if (ss_initialized) {
6631 /* Not permitted after initial policy load. */
6632 return -EINVAL;
6633 }
6634
6635 if (selinux_disabled) {
6636 /* Only do this once. */
6637 return -EINVAL;
6638 }
6639
6640 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6641
6642 selinux_disabled = 1;
6643 selinux_enabled = 0;
6644
6645 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6646
6647 /* Try to destroy the avc node cache */
6648 avc_disable();
6649
6650 /* Unregister netfilter hooks. */
6651 selinux_nf_ip_exit();
6652
6653 /* Unregister selinuxfs. */
6654 exit_sel_fs();
6655
6656 return 0;
6657 }
6658 #endif
ubuntu-bionic-kernel mirror