]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:


33fd061305c40376c7f632ebcdf6fe5fd7b1e3fc
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88
89 #include "avc.h"
90 #include "objsec.h"
91 #include "netif.h"
92 #include "netnode.h"
93 #include "netport.h"
94 #include "ibpkey.h"
95 #include "xfrm.h"
96 #include "netlabel.h"
97 #include "audit.h"
98 #include "avc_ss.h"
99
100 /* SECMARK reference count */
101 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
102
103 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
104 int selinux_enforcing;
105
106 static int __init enforcing_setup(char *str)
107 {
108 unsigned long enforcing;
109 if (!kstrtoul(str, 0, &enforcing))
110 selinux_enforcing = enforcing ? 1 : 0;
111 return 1;
112 }
113 __setup("enforcing=", enforcing_setup);
114 #endif
115
116 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
117 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
118
119 static int __init selinux_enabled_setup(char *str)
120 {
121 unsigned long enabled;
122 if (!kstrtoul(str, 0, &enabled))
123 selinux_enabled = enabled ? 1 : 0;
124 return 1;
125 }
126 __setup("selinux=", selinux_enabled_setup);
127 #else
128 int selinux_enabled = 1;
129 #endif
130
131 static struct kmem_cache *sel_inode_cache;
132 static struct kmem_cache *file_security_cache;
133
134 /**
135 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136 *
137 * Description:
138 * This function checks the SECMARK reference counter to see if any SECMARK
139 * targets are currently configured, if the reference counter is greater than
140 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
141 * enabled, false (0) if SECMARK is disabled. If the always_check_network
142 * policy capability is enabled, SECMARK is always considered enabled.
143 *
144 */
145 static int selinux_secmark_enabled(void)
146 {
147 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
148 }
149
150 /**
151 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152 *
153 * Description:
154 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
155 * (1) if any are enabled or false (0) if neither are enabled. If the
156 * always_check_network policy capability is enabled, peer labeling
157 * is always considered enabled.
158 *
159 */
160 static int selinux_peerlbl_enabled(void)
161 {
162 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
163 }
164
165 static int selinux_netcache_avc_callback(u32 event)
166 {
167 if (event == AVC_CALLBACK_RESET) {
168 sel_netif_flush();
169 sel_netnode_flush();
170 sel_netport_flush();
171 synchronize_net();
172 }
173 return 0;
174 }
175
176 static int selinux_lsm_notifier_avc_callback(u32 event)
177 {
178 if (event == AVC_CALLBACK_RESET) {
179 sel_ib_pkey_flush();
180 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
181 }
182
183 return 0;
184 }
185
186 /*
187 * initialise the security for the init task
188 */
189 static void cred_init_security(void)
190 {
191 struct cred *cred = (struct cred *) current->real_cred;
192 struct task_security_struct *tsec;
193
194 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
195 if (!tsec)
196 panic("SELinux: Failed to initialize initial task.\n");
197
198 tsec->osid = tsec->sid = SECINITSID_KERNEL;
199 cred->security = tsec;
200 }
201
202 /*
203 * get the security ID of a set of credentials
204 */
205 static inline u32 cred_sid(const struct cred *cred)
206 {
207 const struct task_security_struct *tsec;
208
209 tsec = cred->security;
210 return tsec->sid;
211 }
212
213 /*
214 * get the objective security ID of a task
215 */
216 static inline u32 task_sid(const struct task_struct *task)
217 {
218 u32 sid;
219
220 rcu_read_lock();
221 sid = cred_sid(__task_cred(task));
222 rcu_read_unlock();
223 return sid;
224 }
225
226 /* Allocate and free functions for each kind of security blob. */
227
228 static int inode_alloc_security(struct inode *inode)
229 {
230 struct inode_security_struct *isec;
231 u32 sid = current_sid();
232
233 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
234 if (!isec)
235 return -ENOMEM;
236
237 spin_lock_init(&isec->lock);
238 INIT_LIST_HEAD(&isec->list);
239 isec->inode = inode;
240 isec->sid = SECINITSID_UNLABELED;
241 isec->sclass = SECCLASS_FILE;
242 isec->task_sid = sid;
243 isec->initialized = LABEL_INVALID;
244 inode->i_security = isec;
245
246 return 0;
247 }
248
249 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
250
251 /*
252 * Try reloading inode security labels that have been marked as invalid. The
253 * @may_sleep parameter indicates when sleeping and thus reloading labels is
254 * allowed; when set to false, returns -ECHILD when the label is
255 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
256 * when no dentry is available, set it to NULL instead.
257 */
258 static int __inode_security_revalidate(struct inode *inode,
259 struct dentry *opt_dentry,
260 bool may_sleep)
261 {
262 struct inode_security_struct *isec = inode->i_security;
263
264 might_sleep_if(may_sleep);
265
266 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
267 if (!may_sleep)
268 return -ECHILD;
269
270 /*
271 * Try reloading the inode security label. This will fail if
272 * @opt_dentry is NULL and no dentry for this inode can be
273 * found; in that case, continue using the old label.
274 */
275 inode_doinit_with_dentry(inode, opt_dentry);
276 }
277 return 0;
278 }
279
280 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
281 {
282 return inode->i_security;
283 }
284
285 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
286 {
287 int error;
288
289 error = __inode_security_revalidate(inode, NULL, !rcu);
290 if (error)
291 return ERR_PTR(error);
292 return inode->i_security;
293 }
294
295 /*
296 * Get the security label of an inode.
297 */
298 static struct inode_security_struct *inode_security(struct inode *inode)
299 {
300 __inode_security_revalidate(inode, NULL, true);
301 return inode->i_security;
302 }
303
304 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
305 {
306 struct inode *inode = d_backing_inode(dentry);
307
308 return inode->i_security;
309 }
310
311 /*
312 * Get the security label of a dentry's backing inode.
313 */
314 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
315 {
316 struct inode *inode = d_backing_inode(dentry);
317
318 __inode_security_revalidate(inode, dentry, true);
319 return inode->i_security;
320 }
321
322 static void inode_free_rcu(struct rcu_head *head)
323 {
324 struct inode_security_struct *isec;
325
326 isec = container_of(head, struct inode_security_struct, rcu);
327 kmem_cache_free(sel_inode_cache, isec);
328 }
329
330 static void inode_free_security(struct inode *inode)
331 {
332 struct inode_security_struct *isec = inode->i_security;
333 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
334
335 /*
336 * As not all inode security structures are in a list, we check for
337 * empty list outside of the lock to make sure that we won't waste
338 * time taking a lock doing nothing.
339 *
340 * The list_del_init() function can be safely called more than once.
341 * It should not be possible for this function to be called with
342 * concurrent list_add(), but for better safety against future changes
343 * in the code, we use list_empty_careful() here.
344 */
345 if (!list_empty_careful(&isec->list)) {
346 spin_lock(&sbsec->isec_lock);
347 list_del_init(&isec->list);
348 spin_unlock(&sbsec->isec_lock);
349 }
350
351 /*
352 * The inode may still be referenced in a path walk and
353 * a call to selinux_inode_permission() can be made
354 * after inode_free_security() is called. Ideally, the VFS
355 * wouldn't do this, but fixing that is a much harder
356 * job. For now, simply free the i_security via RCU, and
357 * leave the current inode->i_security pointer intact.
358 * The inode will be freed after the RCU grace period too.
359 */
360 call_rcu(&isec->rcu, inode_free_rcu);
361 }
362
363 static int file_alloc_security(struct file *file)
364 {
365 struct file_security_struct *fsec;
366 u32 sid = current_sid();
367
368 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
369 if (!fsec)
370 return -ENOMEM;
371
372 fsec->sid = sid;
373 fsec->fown_sid = sid;
374 file->f_security = fsec;
375
376 return 0;
377 }
378
379 static void file_free_security(struct file *file)
380 {
381 struct file_security_struct *fsec = file->f_security;
382 file->f_security = NULL;
383 kmem_cache_free(file_security_cache, fsec);
384 }
385
386 static int superblock_alloc_security(struct super_block *sb)
387 {
388 struct superblock_security_struct *sbsec;
389
390 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
391 if (!sbsec)
392 return -ENOMEM;
393
394 mutex_init(&sbsec->lock);
395 INIT_LIST_HEAD(&sbsec->isec_head);
396 spin_lock_init(&sbsec->isec_lock);
397 sbsec->sb = sb;
398 sbsec->sid = SECINITSID_UNLABELED;
399 sbsec->def_sid = SECINITSID_FILE;
400 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
401 sb->s_security = sbsec;
402
403 return 0;
404 }
405
406 static void superblock_free_security(struct super_block *sb)
407 {
408 struct superblock_security_struct *sbsec = sb->s_security;
409 sb->s_security = NULL;
410 kfree(sbsec);
411 }
412
413 static inline int inode_doinit(struct inode *inode)
414 {
415 return inode_doinit_with_dentry(inode, NULL);
416 }
417
418 enum {
419 Opt_error = -1,
420 Opt_context = 1,
421 Opt_fscontext = 2,
422 Opt_defcontext = 3,
423 Opt_rootcontext = 4,
424 Opt_labelsupport = 5,
425 Opt_nextmntopt = 6,
426 };
427
428 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
429
430 static const match_table_t tokens = {
431 {Opt_context, CONTEXT_STR "%s"},
432 {Opt_fscontext, FSCONTEXT_STR "%s"},
433 {Opt_defcontext, DEFCONTEXT_STR "%s"},
434 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
435 {Opt_labelsupport, LABELSUPP_STR},
436 {Opt_error, NULL},
437 };
438
439 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
440
441 static int may_context_mount_sb_relabel(u32 sid,
442 struct superblock_security_struct *sbsec,
443 const struct cred *cred)
444 {
445 const struct task_security_struct *tsec = cred->security;
446 int rc;
447
448 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELFROM, NULL);
450 if (rc)
451 return rc;
452
453 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
454 FILESYSTEM__RELABELTO, NULL);
455 return rc;
456 }
457
458 static int may_context_mount_inode_relabel(u32 sid,
459 struct superblock_security_struct *sbsec,
460 const struct cred *cred)
461 {
462 const struct task_security_struct *tsec = cred->security;
463 int rc;
464 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__RELABELFROM, NULL);
466 if (rc)
467 return rc;
468
469 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
470 FILESYSTEM__ASSOCIATE, NULL);
471 return rc;
472 }
473
474 static int selinux_is_sblabel_mnt(struct super_block *sb)
475 {
476 struct superblock_security_struct *sbsec = sb->s_security;
477
478 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
479 sbsec->behavior == SECURITY_FS_USE_TRANS ||
480 sbsec->behavior == SECURITY_FS_USE_TASK ||
481 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
482 /* Special handling. Genfs but also in-core setxattr handler */
483 !strcmp(sb->s_type->name, "sysfs") ||
484 !strcmp(sb->s_type->name, "pstore") ||
485 !strcmp(sb->s_type->name, "debugfs") ||
486 !strcmp(sb->s_type->name, "tracefs") ||
487 !strcmp(sb->s_type->name, "rootfs") ||
488 (selinux_policycap_cgroupseclabel &&
489 (!strcmp(sb->s_type->name, "cgroup") ||
490 !strcmp(sb->s_type->name, "cgroup2")));
491 }
492
493 static int sb_finish_set_opts(struct super_block *sb)
494 {
495 struct superblock_security_struct *sbsec = sb->s_security;
496 struct dentry *root = sb->s_root;
497 struct inode *root_inode = d_backing_inode(root);
498 int rc = 0;
499
500 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
501 /* Make sure that the xattr handler exists and that no
502 error other than -ENODATA is returned by getxattr on
503 the root directory. -ENODATA is ok, as this may be
504 the first boot of the SELinux kernel before we have
505 assigned xattr values to the filesystem. */
506 if (!(root_inode->i_opflags & IOP_XATTR)) {
507 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
508 "xattr support\n", sb->s_id, sb->s_type->name);
509 rc = -EOPNOTSUPP;
510 goto out;
511 }
512
513 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
514 if (rc < 0 && rc != -ENODATA) {
515 if (rc == -EOPNOTSUPP)
516 printk(KERN_WARNING "SELinux: (dev %s, type "
517 "%s) has no security xattr handler\n",
518 sb->s_id, sb->s_type->name);
519 else
520 printk(KERN_WARNING "SELinux: (dev %s, type "
521 "%s) getxattr errno %d\n", sb->s_id,
522 sb->s_type->name, -rc);
523 goto out;
524 }
525 }
526
527 sbsec->flags |= SE_SBINITIALIZED;
528
529 /*
530 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
531 * leave the flag untouched because sb_clone_mnt_opts might be handing
532 * us a superblock that needs the flag to be cleared.
533 */
534 if (selinux_is_sblabel_mnt(sb))
535 sbsec->flags |= SBLABEL_MNT;
536 else
537 sbsec->flags &= ~SBLABEL_MNT;
538
539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
541
542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
545 populates itself. */
546 spin_lock(&sbsec->isec_lock);
547 next_inode:
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
553 list_del_init(&isec->list);
554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
556 if (inode) {
557 if (!IS_PRIVATE(inode))
558 inode_doinit(inode);
559 iput(inode);
560 }
561 spin_lock(&sbsec->isec_lock);
562 goto next_inode;
563 }
564 spin_unlock(&sbsec->isec_lock);
565 out:
566 return rc;
567 }
568
569 /*
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
573 */
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575 struct security_mnt_opts *opts)
576 {
577 int rc = 0, i;
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
580 u32 len;
581 char tmp;
582
583 security_init_mnt_opts(opts);
584
585 if (!(sbsec->flags & SE_SBINITIALIZED))
586 return -EINVAL;
587
588 if (!ss_initialized)
589 return -EINVAL;
590
591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593
594 tmp = sbsec->flags & SE_MNTMASK;
595 /* count the number of mount options for this sb */
596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
597 if (tmp & 0x01)
598 opts->num_mnt_opts++;
599 tmp >>= 1;
600 }
601 /* Check if the Label support flag is set */
602 if (sbsec->flags & SBLABEL_MNT)
603 opts->num_mnt_opts++;
604
605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
607 rc = -ENOMEM;
608 goto out_free;
609 }
610
611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
613 rc = -ENOMEM;
614 goto out_free;
615 }
616
617 i = 0;
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
620 if (rc)
621 goto out_free;
622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
624 }
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 if (rc)
628 goto out_free;
629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
631 }
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 if (rc)
635 goto out_free;
636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
638 }
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
642
643 rc = security_sid_to_context(isec->sid, &context, &len);
644 if (rc)
645 goto out_free;
646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
648 }
649 if (sbsec->flags & SBLABEL_MNT) {
650 opts->mnt_opts[i] = NULL;
651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
652 }
653
654 BUG_ON(i != opts->num_mnt_opts);
655
656 return 0;
657
658 out_free:
659 security_free_mnt_opts(opts);
660 return rc;
661 }
662
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
665 {
666 char mnt_flags = sbsec->flags & SE_MNTMASK;
667
668 /* check if the old mount command had the same options */
669 if (sbsec->flags & SE_SBINITIALIZED)
670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
672 return 1;
673
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
676 */
677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
679 return 1;
680 return 0;
681 }
682
683 /*
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
686 */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
691 {
692 const struct cred *cred = current_cred();
693 int rc = 0, i;
694 struct superblock_security_struct *sbsec = sb->s_security;
695 const char *name = sb->s_type->name;
696 struct dentry *root = sbsec->sb->s_root;
697 struct inode_security_struct *root_isec;
698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
703
704 mutex_lock(&sbsec->lock);
705
706 if (!ss_initialized) {
707 if (!num_opts) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
711 goto out;
712 }
713 rc = -EINVAL;
714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
716 goto out;
717 }
718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
721 rc = -EINVAL;
722 goto out;
723 }
724
725 /*
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
730 *
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
735 */
736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737 && (num_opts == 0))
738 goto out;
739
740 root_isec = backing_inode_security_novalidate(root);
741
742 /*
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
746 */
747 for (i = 0; i < num_opts; i++) {
748 u32 sid;
749
750 if (flags[i] == SBLABEL_MNT)
751 continue;
752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753 if (rc) {
754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
757 goto out;
758 }
759 switch (flags[i]) {
760 case FSCONTEXT_MNT:
761 fscontext_sid = sid;
762
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 fscontext_sid))
765 goto out_double_mount;
766
767 sbsec->flags |= FSCONTEXT_MNT;
768 break;
769 case CONTEXT_MNT:
770 context_sid = sid;
771
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 context_sid))
774 goto out_double_mount;
775
776 sbsec->flags |= CONTEXT_MNT;
777 break;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
780
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 rootcontext_sid))
783 goto out_double_mount;
784
785 sbsec->flags |= ROOTCONTEXT_MNT;
786
787 break;
788 case DEFCONTEXT_MNT:
789 defcontext_sid = sid;
790
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 defcontext_sid))
793 goto out_double_mount;
794
795 sbsec->flags |= DEFCONTEXT_MNT;
796
797 break;
798 default:
799 rc = -EINVAL;
800 goto out;
801 }
802 }
803
804 if (sbsec->flags & SE_SBINITIALIZED) {
805 /* previously mounted with options, but not on this attempt? */
806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807 goto out_double_mount;
808 rc = 0;
809 goto out;
810 }
811
812 if (strcmp(sb->s_type->name, "proc") == 0)
813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814
815 if (!strcmp(sb->s_type->name, "debugfs") ||
816 !strcmp(sb->s_type->name, "tracefs") ||
817 !strcmp(sb->s_type->name, "sysfs") ||
818 !strcmp(sb->s_type->name, "pstore"))
819 sbsec->flags |= SE_SBGENFS;
820
821 if (!sbsec->behavior) {
822 /*
823 * Determine the labeling behavior to use for this
824 * filesystem type.
825 */
826 rc = security_fs_use(sb);
827 if (rc) {
828 printk(KERN_WARNING
829 "%s: security_fs_use(%s) returned %d\n",
830 __func__, sb->s_type->name, rc);
831 goto out;
832 }
833 }
834
835 /*
836 * If this is a user namespace mount and the filesystem type is not
837 * explicitly whitelisted, then no contexts are allowed on the command
838 * line and security labels must be ignored.
839 */
840 if (sb->s_user_ns != &init_user_ns &&
841 strcmp(sb->s_type->name, "tmpfs") &&
842 strcmp(sb->s_type->name, "ramfs") &&
843 strcmp(sb->s_type->name, "devpts")) {
844 if (context_sid || fscontext_sid || rootcontext_sid ||
845 defcontext_sid) {
846 rc = -EACCES;
847 goto out;
848 }
849 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
850 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
851 rc = security_transition_sid(current_sid(), current_sid(),
852 SECCLASS_FILE, NULL,
853 &sbsec->mntpoint_sid);
854 if (rc)
855 goto out;
856 }
857 goto out_set_opts;
858 }
859
860 /* sets the context of the superblock for the fs being mounted. */
861 if (fscontext_sid) {
862 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
863 if (rc)
864 goto out;
865
866 sbsec->sid = fscontext_sid;
867 }
868
869 /*
870 * Switch to using mount point labeling behavior.
871 * sets the label used on all file below the mountpoint, and will set
872 * the superblock context if not already set.
873 */
874 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
875 sbsec->behavior = SECURITY_FS_USE_NATIVE;
876 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
877 }
878
879 if (context_sid) {
880 if (!fscontext_sid) {
881 rc = may_context_mount_sb_relabel(context_sid, sbsec,
882 cred);
883 if (rc)
884 goto out;
885 sbsec->sid = context_sid;
886 } else {
887 rc = may_context_mount_inode_relabel(context_sid, sbsec,
888 cred);
889 if (rc)
890 goto out;
891 }
892 if (!rootcontext_sid)
893 rootcontext_sid = context_sid;
894
895 sbsec->mntpoint_sid = context_sid;
896 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
897 }
898
899 if (rootcontext_sid) {
900 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
901 cred);
902 if (rc)
903 goto out;
904
905 root_isec->sid = rootcontext_sid;
906 root_isec->initialized = LABEL_INITIALIZED;
907 }
908
909 if (defcontext_sid) {
910 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
911 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
912 rc = -EINVAL;
913 printk(KERN_WARNING "SELinux: defcontext option is "
914 "invalid for this filesystem type\n");
915 goto out;
916 }
917
918 if (defcontext_sid != sbsec->def_sid) {
919 rc = may_context_mount_inode_relabel(defcontext_sid,
920 sbsec, cred);
921 if (rc)
922 goto out;
923 }
924
925 sbsec->def_sid = defcontext_sid;
926 }
927
928 out_set_opts:
929 rc = sb_finish_set_opts(sb);
930 out:
931 mutex_unlock(&sbsec->lock);
932 return rc;
933 out_double_mount:
934 rc = -EINVAL;
935 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
936 "security settings for (dev %s, type %s)\n", sb->s_id, name);
937 goto out;
938 }
939
940 static int selinux_cmp_sb_context(const struct super_block *oldsb,
941 const struct super_block *newsb)
942 {
943 struct superblock_security_struct *old = oldsb->s_security;
944 struct superblock_security_struct *new = newsb->s_security;
945 char oldflags = old->flags & SE_MNTMASK;
946 char newflags = new->flags & SE_MNTMASK;
947
948 if (oldflags != newflags)
949 goto mismatch;
950 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
951 goto mismatch;
952 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
953 goto mismatch;
954 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
955 goto mismatch;
956 if (oldflags & ROOTCONTEXT_MNT) {
957 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
958 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
959 if (oldroot->sid != newroot->sid)
960 goto mismatch;
961 }
962 return 0;
963 mismatch:
964 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
965 "different security settings for (dev %s, "
966 "type %s)\n", newsb->s_id, newsb->s_type->name);
967 return -EBUSY;
968 }
969
970 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
971 struct super_block *newsb,
972 unsigned long kern_flags,
973 unsigned long *set_kern_flags)
974 {
975 int rc = 0;
976 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
977 struct superblock_security_struct *newsbsec = newsb->s_security;
978
979 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
980 int set_context = (oldsbsec->flags & CONTEXT_MNT);
981 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
982
983 /*
984 * if the parent was able to be mounted it clearly had no special lsm
985 * mount options. thus we can safely deal with this superblock later
986 */
987 if (!ss_initialized)
988 return 0;
989
990 /*
991 * Specifying internal flags without providing a place to
992 * place the results is not allowed.
993 */
994 if (kern_flags && !set_kern_flags)
995 return -EINVAL;
996
997 /* how can we clone if the old one wasn't set up?? */
998 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
999
1000 /* if fs is reusing a sb, make sure that the contexts match */
1001 if (newsbsec->flags & SE_SBINITIALIZED)
1002 return selinux_cmp_sb_context(oldsb, newsb);
1003
1004 mutex_lock(&newsbsec->lock);
1005
1006 newsbsec->flags = oldsbsec->flags;
1007
1008 newsbsec->sid = oldsbsec->sid;
1009 newsbsec->def_sid = oldsbsec->def_sid;
1010 newsbsec->behavior = oldsbsec->behavior;
1011
1012 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1013 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1014 rc = security_fs_use(newsb);
1015 if (rc)
1016 goto out;
1017 }
1018
1019 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1020 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1021 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1022 }
1023
1024 if (set_context) {
1025 u32 sid = oldsbsec->mntpoint_sid;
1026
1027 if (!set_fscontext)
1028 newsbsec->sid = sid;
1029 if (!set_rootcontext) {
1030 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1031 newisec->sid = sid;
1032 }
1033 newsbsec->mntpoint_sid = sid;
1034 }
1035 if (set_rootcontext) {
1036 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1037 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1038
1039 newisec->sid = oldisec->sid;
1040 }
1041
1042 sb_finish_set_opts(newsb);
1043 out:
1044 mutex_unlock(&newsbsec->lock);
1045 return rc;
1046 }
1047
1048 static int selinux_parse_opts_str(char *options,
1049 struct security_mnt_opts *opts)
1050 {
1051 char *p;
1052 char *context = NULL, *defcontext = NULL;
1053 char *fscontext = NULL, *rootcontext = NULL;
1054 int rc, num_mnt_opts = 0;
1055
1056 opts->num_mnt_opts = 0;
1057
1058 /* Standard string-based options. */
1059 while ((p = strsep(&options, "|")) != NULL) {
1060 int token;
1061 substring_t args[MAX_OPT_ARGS];
1062
1063 if (!*p)
1064 continue;
1065
1066 token = match_token(p, tokens, args);
1067
1068 switch (token) {
1069 case Opt_context:
1070 if (context || defcontext) {
1071 rc = -EINVAL;
1072 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1073 goto out_err;
1074 }
1075 context = match_strdup(&args[0]);
1076 if (!context) {
1077 rc = -ENOMEM;
1078 goto out_err;
1079 }
1080 break;
1081
1082 case Opt_fscontext:
1083 if (fscontext) {
1084 rc = -EINVAL;
1085 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1086 goto out_err;
1087 }
1088 fscontext = match_strdup(&args[0]);
1089 if (!fscontext) {
1090 rc = -ENOMEM;
1091 goto out_err;
1092 }
1093 break;
1094
1095 case Opt_rootcontext:
1096 if (rootcontext) {
1097 rc = -EINVAL;
1098 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1099 goto out_err;
1100 }
1101 rootcontext = match_strdup(&args[0]);
1102 if (!rootcontext) {
1103 rc = -ENOMEM;
1104 goto out_err;
1105 }
1106 break;
1107
1108 case Opt_defcontext:
1109 if (context || defcontext) {
1110 rc = -EINVAL;
1111 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1112 goto out_err;
1113 }
1114 defcontext = match_strdup(&args[0]);
1115 if (!defcontext) {
1116 rc = -ENOMEM;
1117 goto out_err;
1118 }
1119 break;
1120 case Opt_labelsupport:
1121 break;
1122 default:
1123 rc = -EINVAL;
1124 printk(KERN_WARNING "SELinux: unknown mount option\n");
1125 goto out_err;
1126
1127 }
1128 }
1129
1130 rc = -ENOMEM;
1131 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1132 if (!opts->mnt_opts)
1133 goto out_err;
1134
1135 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1136 GFP_KERNEL);
1137 if (!opts->mnt_opts_flags)
1138 goto out_err;
1139
1140 if (fscontext) {
1141 opts->mnt_opts[num_mnt_opts] = fscontext;
1142 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1143 }
1144 if (context) {
1145 opts->mnt_opts[num_mnt_opts] = context;
1146 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1147 }
1148 if (rootcontext) {
1149 opts->mnt_opts[num_mnt_opts] = rootcontext;
1150 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1151 }
1152 if (defcontext) {
1153 opts->mnt_opts[num_mnt_opts] = defcontext;
1154 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1155 }
1156
1157 opts->num_mnt_opts = num_mnt_opts;
1158 return 0;
1159
1160 out_err:
1161 security_free_mnt_opts(opts);
1162 kfree(context);
1163 kfree(defcontext);
1164 kfree(fscontext);
1165 kfree(rootcontext);
1166 return rc;
1167 }
1168 /*
1169 * string mount options parsing and call set the sbsec
1170 */
1171 static int superblock_doinit(struct super_block *sb, void *data)
1172 {
1173 int rc = 0;
1174 char *options = data;
1175 struct security_mnt_opts opts;
1176
1177 security_init_mnt_opts(&opts);
1178
1179 if (!data)
1180 goto out;
1181
1182 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1183
1184 rc = selinux_parse_opts_str(options, &opts);
1185 if (rc)
1186 goto out_err;
1187
1188 out:
1189 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1190
1191 out_err:
1192 security_free_mnt_opts(&opts);
1193 return rc;
1194 }
1195
1196 static void selinux_write_opts(struct seq_file *m,
1197 struct security_mnt_opts *opts)
1198 {
1199 int i;
1200 char *prefix;
1201
1202 for (i = 0; i < opts->num_mnt_opts; i++) {
1203 char *has_comma;
1204
1205 if (opts->mnt_opts[i])
1206 has_comma = strchr(opts->mnt_opts[i], ',');
1207 else
1208 has_comma = NULL;
1209
1210 switch (opts->mnt_opts_flags[i]) {
1211 case CONTEXT_MNT:
1212 prefix = CONTEXT_STR;
1213 break;
1214 case FSCONTEXT_MNT:
1215 prefix = FSCONTEXT_STR;
1216 break;
1217 case ROOTCONTEXT_MNT:
1218 prefix = ROOTCONTEXT_STR;
1219 break;
1220 case DEFCONTEXT_MNT:
1221 prefix = DEFCONTEXT_STR;
1222 break;
1223 case SBLABEL_MNT:
1224 seq_putc(m, ',');
1225 seq_puts(m, LABELSUPP_STR);
1226 continue;
1227 default:
1228 BUG();
1229 return;
1230 };
1231 /* we need a comma before each option */
1232 seq_putc(m, ',');
1233 seq_puts(m, prefix);
1234 if (has_comma)
1235 seq_putc(m, '\"');
1236 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1237 if (has_comma)
1238 seq_putc(m, '\"');
1239 }
1240 }
1241
1242 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1243 {
1244 struct security_mnt_opts opts;
1245 int rc;
1246
1247 rc = selinux_get_mnt_opts(sb, &opts);
1248 if (rc) {
1249 /* before policy load we may get EINVAL, don't show anything */
1250 if (rc == -EINVAL)
1251 rc = 0;
1252 return rc;
1253 }
1254
1255 selinux_write_opts(m, &opts);
1256
1257 security_free_mnt_opts(&opts);
1258
1259 return rc;
1260 }
1261
1262 static inline u16 inode_mode_to_security_class(umode_t mode)
1263 {
1264 switch (mode & S_IFMT) {
1265 case S_IFSOCK:
1266 return SECCLASS_SOCK_FILE;
1267 case S_IFLNK:
1268 return SECCLASS_LNK_FILE;
1269 case S_IFREG:
1270 return SECCLASS_FILE;
1271 case S_IFBLK:
1272 return SECCLASS_BLK_FILE;
1273 case S_IFDIR:
1274 return SECCLASS_DIR;
1275 case S_IFCHR:
1276 return SECCLASS_CHR_FILE;
1277 case S_IFIFO:
1278 return SECCLASS_FIFO_FILE;
1279
1280 }
1281
1282 return SECCLASS_FILE;
1283 }
1284
1285 static inline int default_protocol_stream(int protocol)
1286 {
1287 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1288 }
1289
1290 static inline int default_protocol_dgram(int protocol)
1291 {
1292 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1293 }
1294
1295 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1296 {
1297 int extsockclass = selinux_policycap_extsockclass;
1298
1299 switch (family) {
1300 case PF_UNIX:
1301 switch (type) {
1302 case SOCK_STREAM:
1303 case SOCK_SEQPACKET:
1304 return SECCLASS_UNIX_STREAM_SOCKET;
1305 case SOCK_DGRAM:
1306 return SECCLASS_UNIX_DGRAM_SOCKET;
1307 }
1308 break;
1309 case PF_INET:
1310 case PF_INET6:
1311 switch (type) {
1312 case SOCK_STREAM:
1313 case SOCK_SEQPACKET:
1314 if (default_protocol_stream(protocol))
1315 return SECCLASS_TCP_SOCKET;
1316 else if (extsockclass && protocol == IPPROTO_SCTP)
1317 return SECCLASS_SCTP_SOCKET;
1318 else
1319 return SECCLASS_RAWIP_SOCKET;
1320 case SOCK_DGRAM:
1321 if (default_protocol_dgram(protocol))
1322 return SECCLASS_UDP_SOCKET;
1323 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1324 protocol == IPPROTO_ICMPV6))
1325 return SECCLASS_ICMP_SOCKET;
1326 else
1327 return SECCLASS_RAWIP_SOCKET;
1328 case SOCK_DCCP:
1329 return SECCLASS_DCCP_SOCKET;
1330 default:
1331 return SECCLASS_RAWIP_SOCKET;
1332 }
1333 break;
1334 case PF_NETLINK:
1335 switch (protocol) {
1336 case NETLINK_ROUTE:
1337 return SECCLASS_NETLINK_ROUTE_SOCKET;
1338 case NETLINK_SOCK_DIAG:
1339 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1340 case NETLINK_NFLOG:
1341 return SECCLASS_NETLINK_NFLOG_SOCKET;
1342 case NETLINK_XFRM:
1343 return SECCLASS_NETLINK_XFRM_SOCKET;
1344 case NETLINK_SELINUX:
1345 return SECCLASS_NETLINK_SELINUX_SOCKET;
1346 case NETLINK_ISCSI:
1347 return SECCLASS_NETLINK_ISCSI_SOCKET;
1348 case NETLINK_AUDIT:
1349 return SECCLASS_NETLINK_AUDIT_SOCKET;
1350 case NETLINK_FIB_LOOKUP:
1351 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1352 case NETLINK_CONNECTOR:
1353 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1354 case NETLINK_NETFILTER:
1355 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1356 case NETLINK_DNRTMSG:
1357 return SECCLASS_NETLINK_DNRT_SOCKET;
1358 case NETLINK_KOBJECT_UEVENT:
1359 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1360 case NETLINK_GENERIC:
1361 return SECCLASS_NETLINK_GENERIC_SOCKET;
1362 case NETLINK_SCSITRANSPORT:
1363 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1364 case NETLINK_RDMA:
1365 return SECCLASS_NETLINK_RDMA_SOCKET;
1366 case NETLINK_CRYPTO:
1367 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1368 default:
1369 return SECCLASS_NETLINK_SOCKET;
1370 }
1371 case PF_PACKET:
1372 return SECCLASS_PACKET_SOCKET;
1373 case PF_KEY:
1374 return SECCLASS_KEY_SOCKET;
1375 case PF_APPLETALK:
1376 return SECCLASS_APPLETALK_SOCKET;
1377 }
1378
1379 if (extsockclass) {
1380 switch (family) {
1381 case PF_AX25:
1382 return SECCLASS_AX25_SOCKET;
1383 case PF_IPX:
1384 return SECCLASS_IPX_SOCKET;
1385 case PF_NETROM:
1386 return SECCLASS_NETROM_SOCKET;
1387 case PF_ATMPVC:
1388 return SECCLASS_ATMPVC_SOCKET;
1389 case PF_X25:
1390 return SECCLASS_X25_SOCKET;
1391 case PF_ROSE:
1392 return SECCLASS_ROSE_SOCKET;
1393 case PF_DECnet:
1394 return SECCLASS_DECNET_SOCKET;
1395 case PF_ATMSVC:
1396 return SECCLASS_ATMSVC_SOCKET;
1397 case PF_RDS:
1398 return SECCLASS_RDS_SOCKET;
1399 case PF_IRDA:
1400 return SECCLASS_IRDA_SOCKET;
1401 case PF_PPPOX:
1402 return SECCLASS_PPPOX_SOCKET;
1403 case PF_LLC:
1404 return SECCLASS_LLC_SOCKET;
1405 case PF_CAN:
1406 return SECCLASS_CAN_SOCKET;
1407 case PF_TIPC:
1408 return SECCLASS_TIPC_SOCKET;
1409 case PF_BLUETOOTH:
1410 return SECCLASS_BLUETOOTH_SOCKET;
1411 case PF_IUCV:
1412 return SECCLASS_IUCV_SOCKET;
1413 case PF_RXRPC:
1414 return SECCLASS_RXRPC_SOCKET;
1415 case PF_ISDN:
1416 return SECCLASS_ISDN_SOCKET;
1417 case PF_PHONET:
1418 return SECCLASS_PHONET_SOCKET;
1419 case PF_IEEE802154:
1420 return SECCLASS_IEEE802154_SOCKET;
1421 case PF_CAIF:
1422 return SECCLASS_CAIF_SOCKET;
1423 case PF_ALG:
1424 return SECCLASS_ALG_SOCKET;
1425 case PF_NFC:
1426 return SECCLASS_NFC_SOCKET;
1427 case PF_VSOCK:
1428 return SECCLASS_VSOCK_SOCKET;
1429 case PF_KCM:
1430 return SECCLASS_KCM_SOCKET;
1431 case PF_QIPCRTR:
1432 return SECCLASS_QIPCRTR_SOCKET;
1433 case PF_SMC:
1434 return SECCLASS_SMC_SOCKET;
1435 #if PF_MAX > 44
1436 #error New address family defined, please update this function.
1437 #endif
1438 }
1439 }
1440
1441 return SECCLASS_SOCKET;
1442 }
1443
1444 static int selinux_genfs_get_sid(struct dentry *dentry,
1445 u16 tclass,
1446 u16 flags,
1447 u32 *sid)
1448 {
1449 int rc;
1450 struct super_block *sb = dentry->d_sb;
1451 char *buffer, *path;
1452
1453 buffer = (char *)__get_free_page(GFP_KERNEL);
1454 if (!buffer)
1455 return -ENOMEM;
1456
1457 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1458 if (IS_ERR(path))
1459 rc = PTR_ERR(path);
1460 else {
1461 if (flags & SE_SBPROC) {
1462 /* each process gets a /proc/PID/ entry. Strip off the
1463 * PID part to get a valid selinux labeling.
1464 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1465 while (path[1] >= '0' && path[1] <= '9') {
1466 path[1] = '/';
1467 path++;
1468 }
1469 }
1470 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1471 }
1472 free_page((unsigned long)buffer);
1473 return rc;
1474 }
1475
1476 /* The inode's security attributes must be initialized before first use. */
1477 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1478 {
1479 struct superblock_security_struct *sbsec = NULL;
1480 struct inode_security_struct *isec = inode->i_security;
1481 u32 task_sid, sid = 0;
1482 u16 sclass;
1483 struct dentry *dentry;
1484 #define INITCONTEXTLEN 255
1485 char *context = NULL;
1486 unsigned len = 0;
1487 int rc = 0;
1488
1489 if (isec->initialized == LABEL_INITIALIZED)
1490 return 0;
1491
1492 spin_lock(&isec->lock);
1493 if (isec->initialized == LABEL_INITIALIZED)
1494 goto out_unlock;
1495
1496 if (isec->sclass == SECCLASS_FILE)
1497 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1498
1499 sbsec = inode->i_sb->s_security;
1500 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1501 /* Defer initialization until selinux_complete_init,
1502 after the initial policy is loaded and the security
1503 server is ready to handle calls. */
1504 spin_lock(&sbsec->isec_lock);
1505 if (list_empty(&isec->list))
1506 list_add(&isec->list, &sbsec->isec_head);
1507 spin_unlock(&sbsec->isec_lock);
1508 goto out_unlock;
1509 }
1510
1511 sclass = isec->sclass;
1512 task_sid = isec->task_sid;
1513 sid = isec->sid;
1514 isec->initialized = LABEL_PENDING;
1515 spin_unlock(&isec->lock);
1516
1517 switch (sbsec->behavior) {
1518 case SECURITY_FS_USE_NATIVE:
1519 break;
1520 case SECURITY_FS_USE_XATTR:
1521 if (!(inode->i_opflags & IOP_XATTR)) {
1522 sid = sbsec->def_sid;
1523 break;
1524 }
1525 /* Need a dentry, since the xattr API requires one.
1526 Life would be simpler if we could just pass the inode. */
1527 if (opt_dentry) {
1528 /* Called from d_instantiate or d_splice_alias. */
1529 dentry = dget(opt_dentry);
1530 } else {
1531 /* Called from selinux_complete_init, try to find a dentry. */
1532 dentry = d_find_alias(inode);
1533 }
1534 if (!dentry) {
1535 /*
1536 * this is can be hit on boot when a file is accessed
1537 * before the policy is loaded. When we load policy we
1538 * may find inodes that have no dentry on the
1539 * sbsec->isec_head list. No reason to complain as these
1540 * will get fixed up the next time we go through
1541 * inode_doinit with a dentry, before these inodes could
1542 * be used again by userspace.
1543 */
1544 goto out;
1545 }
1546
1547 len = INITCONTEXTLEN;
1548 context = kmalloc(len+1, GFP_NOFS);
1549 if (!context) {
1550 rc = -ENOMEM;
1551 dput(dentry);
1552 goto out;
1553 }
1554 context[len] = '\0';
1555 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1556 if (rc == -ERANGE) {
1557 kfree(context);
1558
1559 /* Need a larger buffer. Query for the right size. */
1560 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1561 if (rc < 0) {
1562 dput(dentry);
1563 goto out;
1564 }
1565 len = rc;
1566 context = kmalloc(len+1, GFP_NOFS);
1567 if (!context) {
1568 rc = -ENOMEM;
1569 dput(dentry);
1570 goto out;
1571 }
1572 context[len] = '\0';
1573 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1574 }
1575 dput(dentry);
1576 if (rc < 0) {
1577 if (rc != -ENODATA) {
1578 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1579 "%d for dev=%s ino=%ld\n", __func__,
1580 -rc, inode->i_sb->s_id, inode->i_ino);
1581 kfree(context);
1582 goto out;
1583 }
1584 /* Map ENODATA to the default file SID */
1585 sid = sbsec->def_sid;
1586 rc = 0;
1587 } else {
1588 rc = security_context_to_sid_default(context, rc, &sid,
1589 sbsec->def_sid,
1590 GFP_NOFS);
1591 if (rc) {
1592 char *dev = inode->i_sb->s_id;
1593 unsigned long ino = inode->i_ino;
1594
1595 if (rc == -EINVAL) {
1596 if (printk_ratelimit())
1597 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1598 "context=%s. This indicates you may need to relabel the inode or the "
1599 "filesystem in question.\n", ino, dev, context);
1600 } else {
1601 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1602 "returned %d for dev=%s ino=%ld\n",
1603 __func__, context, -rc, dev, ino);
1604 }
1605 kfree(context);
1606 /* Leave with the unlabeled SID */
1607 rc = 0;
1608 break;
1609 }
1610 }
1611 kfree(context);
1612 break;
1613 case SECURITY_FS_USE_TASK:
1614 sid = task_sid;
1615 break;
1616 case SECURITY_FS_USE_TRANS:
1617 /* Default to the fs SID. */
1618 sid = sbsec->sid;
1619
1620 /* Try to obtain a transition SID. */
1621 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1622 if (rc)
1623 goto out;
1624 break;
1625 case SECURITY_FS_USE_MNTPOINT:
1626 sid = sbsec->mntpoint_sid;
1627 break;
1628 default:
1629 /* Default to the fs superblock SID. */
1630 sid = sbsec->sid;
1631
1632 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1633 /* We must have a dentry to determine the label on
1634 * procfs inodes */
1635 if (opt_dentry)
1636 /* Called from d_instantiate or
1637 * d_splice_alias. */
1638 dentry = dget(opt_dentry);
1639 else
1640 /* Called from selinux_complete_init, try to
1641 * find a dentry. */
1642 dentry = d_find_alias(inode);
1643 /*
1644 * This can be hit on boot when a file is accessed
1645 * before the policy is loaded. When we load policy we
1646 * may find inodes that have no dentry on the
1647 * sbsec->isec_head list. No reason to complain as
1648 * these will get fixed up the next time we go through
1649 * inode_doinit() with a dentry, before these inodes
1650 * could be used again by userspace.
1651 */
1652 if (!dentry)
1653 goto out;
1654 rc = selinux_genfs_get_sid(dentry, sclass,
1655 sbsec->flags, &sid);
1656 dput(dentry);
1657 if (rc)
1658 goto out;
1659 }
1660 break;
1661 }
1662
1663 out:
1664 spin_lock(&isec->lock);
1665 if (isec->initialized == LABEL_PENDING) {
1666 if (!sid || rc) {
1667 isec->initialized = LABEL_INVALID;
1668 goto out_unlock;
1669 }
1670
1671 isec->initialized = LABEL_INITIALIZED;
1672 isec->sid = sid;
1673 }
1674
1675 out_unlock:
1676 spin_unlock(&isec->lock);
1677 return rc;
1678 }
1679
1680 /* Convert a Linux signal to an access vector. */
1681 static inline u32 signal_to_av(int sig)
1682 {
1683 u32 perm = 0;
1684
1685 switch (sig) {
1686 case SIGCHLD:
1687 /* Commonly granted from child to parent. */
1688 perm = PROCESS__SIGCHLD;
1689 break;
1690 case SIGKILL:
1691 /* Cannot be caught or ignored */
1692 perm = PROCESS__SIGKILL;
1693 break;
1694 case SIGSTOP:
1695 /* Cannot be caught or ignored */
1696 perm = PROCESS__SIGSTOP;
1697 break;
1698 default:
1699 /* All other signals. */
1700 perm = PROCESS__SIGNAL;
1701 break;
1702 }
1703
1704 return perm;
1705 }
1706
1707 #if CAP_LAST_CAP > 63
1708 #error Fix SELinux to handle capabilities > 63.
1709 #endif
1710
1711 /* Check whether a task is allowed to use a capability. */
1712 static int cred_has_capability(const struct cred *cred,
1713 int cap, int audit, bool initns)
1714 {
1715 struct common_audit_data ad;
1716 struct av_decision avd;
1717 u16 sclass;
1718 u32 sid = cred_sid(cred);
1719 u32 av = CAP_TO_MASK(cap);
1720 int rc;
1721
1722 ad.type = LSM_AUDIT_DATA_CAP;
1723 ad.u.cap = cap;
1724
1725 switch (CAP_TO_INDEX(cap)) {
1726 case 0:
1727 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1728 break;
1729 case 1:
1730 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1731 break;
1732 default:
1733 printk(KERN_ERR
1734 "SELinux: out of range capability %d\n", cap);
1735 BUG();
1736 return -EINVAL;
1737 }
1738
1739 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1740 if (audit == SECURITY_CAP_AUDIT) {
1741 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1742 if (rc2)
1743 return rc2;
1744 }
1745 return rc;
1746 }
1747
1748 /* Check whether a task has a particular permission to an inode.
1749 The 'adp' parameter is optional and allows other audit
1750 data to be passed (e.g. the dentry). */
1751 static int inode_has_perm(const struct cred *cred,
1752 struct inode *inode,
1753 u32 perms,
1754 struct common_audit_data *adp)
1755 {
1756 struct inode_security_struct *isec;
1757 u32 sid;
1758
1759 validate_creds(cred);
1760
1761 if (unlikely(IS_PRIVATE(inode)))
1762 return 0;
1763
1764 sid = cred_sid(cred);
1765 isec = inode->i_security;
1766
1767 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1768 }
1769
1770 /* Same as inode_has_perm, but pass explicit audit data containing
1771 the dentry to help the auditing code to more easily generate the
1772 pathname if needed. */
1773 static inline int dentry_has_perm(const struct cred *cred,
1774 struct dentry *dentry,
1775 u32 av)
1776 {
1777 struct inode *inode = d_backing_inode(dentry);
1778 struct common_audit_data ad;
1779
1780 ad.type = LSM_AUDIT_DATA_DENTRY;
1781 ad.u.dentry = dentry;
1782 __inode_security_revalidate(inode, dentry, true);
1783 return inode_has_perm(cred, inode, av, &ad);
1784 }
1785
1786 /* Same as inode_has_perm, but pass explicit audit data containing
1787 the path to help the auditing code to more easily generate the
1788 pathname if needed. */
1789 static inline int path_has_perm(const struct cred *cred,
1790 const struct path *path,
1791 u32 av)
1792 {
1793 struct inode *inode = d_backing_inode(path->dentry);
1794 struct common_audit_data ad;
1795
1796 ad.type = LSM_AUDIT_DATA_PATH;
1797 ad.u.path = *path;
1798 __inode_security_revalidate(inode, path->dentry, true);
1799 return inode_has_perm(cred, inode, av, &ad);
1800 }
1801
1802 /* Same as path_has_perm, but uses the inode from the file struct. */
1803 static inline int file_path_has_perm(const struct cred *cred,
1804 struct file *file,
1805 u32 av)
1806 {
1807 struct common_audit_data ad;
1808
1809 ad.type = LSM_AUDIT_DATA_FILE;
1810 ad.u.file = file;
1811 return inode_has_perm(cred, file_inode(file), av, &ad);
1812 }
1813
1814 /* Check whether a task can use an open file descriptor to
1815 access an inode in a given way. Check access to the
1816 descriptor itself, and then use dentry_has_perm to
1817 check a particular permission to the file.
1818 Access to the descriptor is implicitly granted if it
1819 has the same SID as the process. If av is zero, then
1820 access to the file is not checked, e.g. for cases
1821 where only the descriptor is affected like seek. */
1822 static int file_has_perm(const struct cred *cred,
1823 struct file *file,
1824 u32 av)
1825 {
1826 struct file_security_struct *fsec = file->f_security;
1827 struct inode *inode = file_inode(file);
1828 struct common_audit_data ad;
1829 u32 sid = cred_sid(cred);
1830 int rc;
1831
1832 ad.type = LSM_AUDIT_DATA_FILE;
1833 ad.u.file = file;
1834
1835 if (sid != fsec->sid) {
1836 rc = avc_has_perm(sid, fsec->sid,
1837 SECCLASS_FD,
1838 FD__USE,
1839 &ad);
1840 if (rc)
1841 goto out;
1842 }
1843
1844 /* av is zero if only checking access to the descriptor. */
1845 rc = 0;
1846 if (av)
1847 rc = inode_has_perm(cred, inode, av, &ad);
1848
1849 out:
1850 return rc;
1851 }
1852
1853 /*
1854 * Determine the label for an inode that might be unioned.
1855 */
1856 static int
1857 selinux_determine_inode_label(const struct task_security_struct *tsec,
1858 struct inode *dir,
1859 const struct qstr *name, u16 tclass,
1860 u32 *_new_isid)
1861 {
1862 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1863
1864 if ((sbsec->flags & SE_SBINITIALIZED) &&
1865 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1866 *_new_isid = sbsec->mntpoint_sid;
1867 } else if ((sbsec->flags & SBLABEL_MNT) &&
1868 tsec->create_sid) {
1869 *_new_isid = tsec->create_sid;
1870 } else {
1871 const struct inode_security_struct *dsec = inode_security(dir);
1872 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1873 name, _new_isid);
1874 }
1875
1876 return 0;
1877 }
1878
1879 /* Check whether a task can create a file. */
1880 static int may_create(struct inode *dir,
1881 struct dentry *dentry,
1882 u16 tclass)
1883 {
1884 const struct task_security_struct *tsec = current_security();
1885 struct inode_security_struct *dsec;
1886 struct superblock_security_struct *sbsec;
1887 u32 sid, newsid;
1888 struct common_audit_data ad;
1889 int rc;
1890
1891 dsec = inode_security(dir);
1892 sbsec = dir->i_sb->s_security;
1893
1894 sid = tsec->sid;
1895
1896 ad.type = LSM_AUDIT_DATA_DENTRY;
1897 ad.u.dentry = dentry;
1898
1899 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1900 DIR__ADD_NAME | DIR__SEARCH,
1901 &ad);
1902 if (rc)
1903 return rc;
1904
1905 rc = selinux_determine_inode_label(current_security(), dir,
1906 &dentry->d_name, tclass, &newsid);
1907 if (rc)
1908 return rc;
1909
1910 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1911 if (rc)
1912 return rc;
1913
1914 return avc_has_perm(newsid, sbsec->sid,
1915 SECCLASS_FILESYSTEM,
1916 FILESYSTEM__ASSOCIATE, &ad);
1917 }
1918
1919 #define MAY_LINK 0
1920 #define MAY_UNLINK 1
1921 #define MAY_RMDIR 2
1922
1923 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1924 static int may_link(struct inode *dir,
1925 struct dentry *dentry,
1926 int kind)
1927
1928 {
1929 struct inode_security_struct *dsec, *isec;
1930 struct common_audit_data ad;
1931 u32 sid = current_sid();
1932 u32 av;
1933 int rc;
1934
1935 dsec = inode_security(dir);
1936 isec = backing_inode_security(dentry);
1937
1938 ad.type = LSM_AUDIT_DATA_DENTRY;
1939 ad.u.dentry = dentry;
1940
1941 av = DIR__SEARCH;
1942 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1943 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1944 if (rc)
1945 return rc;
1946
1947 switch (kind) {
1948 case MAY_LINK:
1949 av = FILE__LINK;
1950 break;
1951 case MAY_UNLINK:
1952 av = FILE__UNLINK;
1953 break;
1954 case MAY_RMDIR:
1955 av = DIR__RMDIR;
1956 break;
1957 default:
1958 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1959 __func__, kind);
1960 return 0;
1961 }
1962
1963 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1964 return rc;
1965 }
1966
1967 static inline int may_rename(struct inode *old_dir,
1968 struct dentry *old_dentry,
1969 struct inode *new_dir,
1970 struct dentry *new_dentry)
1971 {
1972 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1973 struct common_audit_data ad;
1974 u32 sid = current_sid();
1975 u32 av;
1976 int old_is_dir, new_is_dir;
1977 int rc;
1978
1979 old_dsec = inode_security(old_dir);
1980 old_isec = backing_inode_security(old_dentry);
1981 old_is_dir = d_is_dir(old_dentry);
1982 new_dsec = inode_security(new_dir);
1983
1984 ad.type = LSM_AUDIT_DATA_DENTRY;
1985
1986 ad.u.dentry = old_dentry;
1987 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1988 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1989 if (rc)
1990 return rc;
1991 rc = avc_has_perm(sid, old_isec->sid,
1992 old_isec->sclass, FILE__RENAME, &ad);
1993 if (rc)
1994 return rc;
1995 if (old_is_dir && new_dir != old_dir) {
1996 rc = avc_has_perm(sid, old_isec->sid,
1997 old_isec->sclass, DIR__REPARENT, &ad);
1998 if (rc)
1999 return rc;
2000 }
2001
2002 ad.u.dentry = new_dentry;
2003 av = DIR__ADD_NAME | DIR__SEARCH;
2004 if (d_is_positive(new_dentry))
2005 av |= DIR__REMOVE_NAME;
2006 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2007 if (rc)
2008 return rc;
2009 if (d_is_positive(new_dentry)) {
2010 new_isec = backing_inode_security(new_dentry);
2011 new_is_dir = d_is_dir(new_dentry);
2012 rc = avc_has_perm(sid, new_isec->sid,
2013 new_isec->sclass,
2014 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2015 if (rc)
2016 return rc;
2017 }
2018
2019 return 0;
2020 }
2021
2022 /* Check whether a task can perform a filesystem operation. */
2023 static int superblock_has_perm(const struct cred *cred,
2024 struct super_block *sb,
2025 u32 perms,
2026 struct common_audit_data *ad)
2027 {
2028 struct superblock_security_struct *sbsec;
2029 u32 sid = cred_sid(cred);
2030
2031 sbsec = sb->s_security;
2032 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2033 }
2034
2035 /* Convert a Linux mode and permission mask to an access vector. */
2036 static inline u32 file_mask_to_av(int mode, int mask)
2037 {
2038 u32 av = 0;
2039
2040 if (!S_ISDIR(mode)) {
2041 if (mask & MAY_EXEC)
2042 av |= FILE__EXECUTE;
2043 if (mask & MAY_READ)
2044 av |= FILE__READ;
2045
2046 if (mask & MAY_APPEND)
2047 av |= FILE__APPEND;
2048 else if (mask & MAY_WRITE)
2049 av |= FILE__WRITE;
2050
2051 } else {
2052 if (mask & MAY_EXEC)
2053 av |= DIR__SEARCH;
2054 if (mask & MAY_WRITE)
2055 av |= DIR__WRITE;
2056 if (mask & MAY_READ)
2057 av |= DIR__READ;
2058 }
2059
2060 return av;
2061 }
2062
2063 /* Convert a Linux file to an access vector. */
2064 static inline u32 file_to_av(struct file *file)
2065 {
2066 u32 av = 0;
2067
2068 if (file->f_mode & FMODE_READ)
2069 av |= FILE__READ;
2070 if (file->f_mode & FMODE_WRITE) {
2071 if (file->f_flags & O_APPEND)
2072 av |= FILE__APPEND;
2073 else
2074 av |= FILE__WRITE;
2075 }
2076 if (!av) {
2077 /*
2078 * Special file opened with flags 3 for ioctl-only use.
2079 */
2080 av = FILE__IOCTL;
2081 }
2082
2083 return av;
2084 }
2085
2086 /*
2087 * Convert a file to an access vector and include the correct open
2088 * open permission.
2089 */
2090 static inline u32 open_file_to_av(struct file *file)
2091 {
2092 u32 av = file_to_av(file);
2093 struct inode *inode = file_inode(file);
2094
2095 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2096 av |= FILE__OPEN;
2097
2098 return av;
2099 }
2100
2101 /* Hook functions begin here. */
2102
2103 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2104 {
2105 u32 mysid = current_sid();
2106 u32 mgrsid = task_sid(mgr);
2107
2108 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2109 BINDER__SET_CONTEXT_MGR, NULL);
2110 }
2111
2112 static int selinux_binder_transaction(struct task_struct *from,
2113 struct task_struct *to)
2114 {
2115 u32 mysid = current_sid();
2116 u32 fromsid = task_sid(from);
2117 u32 tosid = task_sid(to);
2118 int rc;
2119
2120 if (mysid != fromsid) {
2121 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2122 BINDER__IMPERSONATE, NULL);
2123 if (rc)
2124 return rc;
2125 }
2126
2127 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2128 NULL);
2129 }
2130
2131 static int selinux_binder_transfer_binder(struct task_struct *from,
2132 struct task_struct *to)
2133 {
2134 u32 fromsid = task_sid(from);
2135 u32 tosid = task_sid(to);
2136
2137 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2138 NULL);
2139 }
2140
2141 static int selinux_binder_transfer_file(struct task_struct *from,
2142 struct task_struct *to,
2143 struct file *file)
2144 {
2145 u32 sid = task_sid(to);
2146 struct file_security_struct *fsec = file->f_security;
2147 struct dentry *dentry = file->f_path.dentry;
2148 struct inode_security_struct *isec;
2149 struct common_audit_data ad;
2150 int rc;
2151
2152 ad.type = LSM_AUDIT_DATA_PATH;
2153 ad.u.path = file->f_path;
2154
2155 if (sid != fsec->sid) {
2156 rc = avc_has_perm(sid, fsec->sid,
2157 SECCLASS_FD,
2158 FD__USE,
2159 &ad);
2160 if (rc)
2161 return rc;
2162 }
2163
2164 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2165 return 0;
2166
2167 isec = backing_inode_security(dentry);
2168 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2169 &ad);
2170 }
2171
2172 static int selinux_ptrace_access_check(struct task_struct *child,
2173 unsigned int mode)
2174 {
2175 u32 sid = current_sid();
2176 u32 csid = task_sid(child);
2177
2178 if (mode & PTRACE_MODE_READ)
2179 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2180
2181 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2182 }
2183
2184 static int selinux_ptrace_traceme(struct task_struct *parent)
2185 {
2186 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2187 PROCESS__PTRACE, NULL);
2188 }
2189
2190 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2191 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2192 {
2193 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2194 PROCESS__GETCAP, NULL);
2195 }
2196
2197 static int selinux_capset(struct cred *new, const struct cred *old,
2198 const kernel_cap_t *effective,
2199 const kernel_cap_t *inheritable,
2200 const kernel_cap_t *permitted)
2201 {
2202 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2203 PROCESS__SETCAP, NULL);
2204 }
2205
2206 /*
2207 * (This comment used to live with the selinux_task_setuid hook,
2208 * which was removed).
2209 *
2210 * Since setuid only affects the current process, and since the SELinux
2211 * controls are not based on the Linux identity attributes, SELinux does not
2212 * need to control this operation. However, SELinux does control the use of
2213 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2214 */
2215
2216 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2217 int cap, int audit)
2218 {
2219 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2220 }
2221
2222 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2223 {
2224 const struct cred *cred = current_cred();
2225 int rc = 0;
2226
2227 if (!sb)
2228 return 0;
2229
2230 switch (cmds) {
2231 case Q_SYNC:
2232 case Q_QUOTAON:
2233 case Q_QUOTAOFF:
2234 case Q_SETINFO:
2235 case Q_SETQUOTA:
2236 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2237 break;
2238 case Q_GETFMT:
2239 case Q_GETINFO:
2240 case Q_GETQUOTA:
2241 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2242 break;
2243 default:
2244 rc = 0; /* let the kernel handle invalid cmds */
2245 break;
2246 }
2247 return rc;
2248 }
2249
2250 static int selinux_quota_on(struct dentry *dentry)
2251 {
2252 const struct cred *cred = current_cred();
2253
2254 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2255 }
2256
2257 static int selinux_syslog(int type)
2258 {
2259 switch (type) {
2260 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2261 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2262 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2263 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2264 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2265 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2266 /* Set level of messages printed to console */
2267 case SYSLOG_ACTION_CONSOLE_LEVEL:
2268 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2269 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2270 NULL);
2271 }
2272 /* All other syslog types */
2273 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2274 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2275 }
2276
2277 /*
2278 * Check that a process has enough memory to allocate a new virtual
2279 * mapping. 0 means there is enough memory for the allocation to
2280 * succeed and -ENOMEM implies there is not.
2281 *
2282 * Do not audit the selinux permission check, as this is applied to all
2283 * processes that allocate mappings.
2284 */
2285 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2286 {
2287 int rc, cap_sys_admin = 0;
2288
2289 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2290 SECURITY_CAP_NOAUDIT, true);
2291 if (rc == 0)
2292 cap_sys_admin = 1;
2293
2294 return cap_sys_admin;
2295 }
2296
2297 /* binprm security operations */
2298
2299 static u32 ptrace_parent_sid(void)
2300 {
2301 u32 sid = 0;
2302 struct task_struct *tracer;
2303
2304 rcu_read_lock();
2305 tracer = ptrace_parent(current);
2306 if (tracer)
2307 sid = task_sid(tracer);
2308 rcu_read_unlock();
2309
2310 return sid;
2311 }
2312
2313 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2314 const struct task_security_struct *old_tsec,
2315 const struct task_security_struct *new_tsec)
2316 {
2317 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2318 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2319 int rc;
2320
2321 if (!nnp && !nosuid)
2322 return 0; /* neither NNP nor nosuid */
2323
2324 if (new_tsec->sid == old_tsec->sid)
2325 return 0; /* No change in credentials */
2326
2327 /*
2328 * The only transitions we permit under NNP or nosuid
2329 * are transitions to bounded SIDs, i.e. SIDs that are
2330 * guaranteed to only be allowed a subset of the permissions
2331 * of the current SID.
2332 */
2333 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2334 if (rc) {
2335 /*
2336 * On failure, preserve the errno values for NNP vs nosuid.
2337 * NNP: Operation not permitted for caller.
2338 * nosuid: Permission denied to file.
2339 */
2340 if (nnp)
2341 return -EPERM;
2342 else
2343 return -EACCES;
2344 }
2345 return 0;
2346 }
2347
2348 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2349 {
2350 const struct task_security_struct *old_tsec;
2351 struct task_security_struct *new_tsec;
2352 struct inode_security_struct *isec;
2353 struct common_audit_data ad;
2354 struct inode *inode = file_inode(bprm->file);
2355 int rc;
2356
2357 /* SELinux context only depends on initial program or script and not
2358 * the script interpreter */
2359 if (bprm->cred_prepared)
2360 return 0;
2361
2362 old_tsec = current_security();
2363 new_tsec = bprm->cred->security;
2364 isec = inode_security(inode);
2365
2366 /* Default to the current task SID. */
2367 new_tsec->sid = old_tsec->sid;
2368 new_tsec->osid = old_tsec->sid;
2369
2370 /* Reset fs, key, and sock SIDs on execve. */
2371 new_tsec->create_sid = 0;
2372 new_tsec->keycreate_sid = 0;
2373 new_tsec->sockcreate_sid = 0;
2374
2375 if (old_tsec->exec_sid) {
2376 new_tsec->sid = old_tsec->exec_sid;
2377 /* Reset exec SID on execve. */
2378 new_tsec->exec_sid = 0;
2379
2380 /* Fail on NNP or nosuid if not an allowed transition. */
2381 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2382 if (rc)
2383 return rc;
2384 } else {
2385 /* Check for a default transition on this program. */
2386 rc = security_transition_sid(old_tsec->sid, isec->sid,
2387 SECCLASS_PROCESS, NULL,
2388 &new_tsec->sid);
2389 if (rc)
2390 return rc;
2391
2392 /*
2393 * Fallback to old SID on NNP or nosuid if not an allowed
2394 * transition.
2395 */
2396 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2397 if (rc)
2398 new_tsec->sid = old_tsec->sid;
2399 }
2400
2401 ad.type = LSM_AUDIT_DATA_FILE;
2402 ad.u.file = bprm->file;
2403
2404 if (new_tsec->sid == old_tsec->sid) {
2405 rc = avc_has_perm(old_tsec->sid, isec->sid,
2406 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2407 if (rc)
2408 return rc;
2409 } else {
2410 /* Check permissions for the transition. */
2411 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2412 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2413 if (rc)
2414 return rc;
2415
2416 rc = avc_has_perm(new_tsec->sid, isec->sid,
2417 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2418 if (rc)
2419 return rc;
2420
2421 /* Check for shared state */
2422 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2423 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2424 SECCLASS_PROCESS, PROCESS__SHARE,
2425 NULL);
2426 if (rc)
2427 return -EPERM;
2428 }
2429
2430 /* Make sure that anyone attempting to ptrace over a task that
2431 * changes its SID has the appropriate permit */
2432 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2433 u32 ptsid = ptrace_parent_sid();
2434 if (ptsid != 0) {
2435 rc = avc_has_perm(ptsid, new_tsec->sid,
2436 SECCLASS_PROCESS,
2437 PROCESS__PTRACE, NULL);
2438 if (rc)
2439 return -EPERM;
2440 }
2441 }
2442
2443 /* Clear any possibly unsafe personality bits on exec: */
2444 bprm->per_clear |= PER_CLEAR_ON_SETID;
2445 }
2446
2447 return 0;
2448 }
2449
2450 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2451 {
2452 const struct task_security_struct *tsec = current_security();
2453 u32 sid, osid;
2454 int atsecure = 0;
2455
2456 sid = tsec->sid;
2457 osid = tsec->osid;
2458
2459 if (osid != sid) {
2460 /* Enable secure mode for SIDs transitions unless
2461 the noatsecure permission is granted between
2462 the two SIDs, i.e. ahp returns 0. */
2463 atsecure = avc_has_perm(osid, sid,
2464 SECCLASS_PROCESS,
2465 PROCESS__NOATSECURE, NULL);
2466 }
2467
2468 return !!atsecure;
2469 }
2470
2471 static int match_file(const void *p, struct file *file, unsigned fd)
2472 {
2473 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2474 }
2475
2476 /* Derived from fs/exec.c:flush_old_files. */
2477 static inline void flush_unauthorized_files(const struct cred *cred,
2478 struct files_struct *files)
2479 {
2480 struct file *file, *devnull = NULL;
2481 struct tty_struct *tty;
2482 int drop_tty = 0;
2483 unsigned n;
2484
2485 tty = get_current_tty();
2486 if (tty) {
2487 spin_lock(&tty->files_lock);
2488 if (!list_empty(&tty->tty_files)) {
2489 struct tty_file_private *file_priv;
2490
2491 /* Revalidate access to controlling tty.
2492 Use file_path_has_perm on the tty path directly
2493 rather than using file_has_perm, as this particular
2494 open file may belong to another process and we are
2495 only interested in the inode-based check here. */
2496 file_priv = list_first_entry(&tty->tty_files,
2497 struct tty_file_private, list);
2498 file = file_priv->file;
2499 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2500 drop_tty = 1;
2501 }
2502 spin_unlock(&tty->files_lock);
2503 tty_kref_put(tty);
2504 }
2505 /* Reset controlling tty. */
2506 if (drop_tty)
2507 no_tty();
2508
2509 /* Revalidate access to inherited open files. */
2510 n = iterate_fd(files, 0, match_file, cred);
2511 if (!n) /* none found? */
2512 return;
2513
2514 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2515 if (IS_ERR(devnull))
2516 devnull = NULL;
2517 /* replace all the matching ones with this */
2518 do {
2519 replace_fd(n - 1, devnull, 0);
2520 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2521 if (devnull)
2522 fput(devnull);
2523 }
2524
2525 /*
2526 * Prepare a process for imminent new credential changes due to exec
2527 */
2528 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2529 {
2530 struct task_security_struct *new_tsec;
2531 struct rlimit *rlim, *initrlim;
2532 int rc, i;
2533
2534 new_tsec = bprm->cred->security;
2535 if (new_tsec->sid == new_tsec->osid)
2536 return;
2537
2538 /* Close files for which the new task SID is not authorized. */
2539 flush_unauthorized_files(bprm->cred, current->files);
2540
2541 /* Always clear parent death signal on SID transitions. */
2542 current->pdeath_signal = 0;
2543
2544 /* Check whether the new SID can inherit resource limits from the old
2545 * SID. If not, reset all soft limits to the lower of the current
2546 * task's hard limit and the init task's soft limit.
2547 *
2548 * Note that the setting of hard limits (even to lower them) can be
2549 * controlled by the setrlimit check. The inclusion of the init task's
2550 * soft limit into the computation is to avoid resetting soft limits
2551 * higher than the default soft limit for cases where the default is
2552 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2553 */
2554 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2555 PROCESS__RLIMITINH, NULL);
2556 if (rc) {
2557 /* protect against do_prlimit() */
2558 task_lock(current);
2559 for (i = 0; i < RLIM_NLIMITS; i++) {
2560 rlim = current->signal->rlim + i;
2561 initrlim = init_task.signal->rlim + i;
2562 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2563 }
2564 task_unlock(current);
2565 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2566 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2567 }
2568 }
2569
2570 /*
2571 * Clean up the process immediately after the installation of new credentials
2572 * due to exec
2573 */
2574 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2575 {
2576 const struct task_security_struct *tsec = current_security();
2577 struct itimerval itimer;
2578 u32 osid, sid;
2579 int rc, i;
2580
2581 osid = tsec->osid;
2582 sid = tsec->sid;
2583
2584 if (sid == osid)
2585 return;
2586
2587 /* Check whether the new SID can inherit signal state from the old SID.
2588 * If not, clear itimers to avoid subsequent signal generation and
2589 * flush and unblock signals.
2590 *
2591 * This must occur _after_ the task SID has been updated so that any
2592 * kill done after the flush will be checked against the new SID.
2593 */
2594 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2595 if (rc) {
2596 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2597 memset(&itimer, 0, sizeof itimer);
2598 for (i = 0; i < 3; i++)
2599 do_setitimer(i, &itimer, NULL);
2600 }
2601 spin_lock_irq(&current->sighand->siglock);
2602 if (!fatal_signal_pending(current)) {
2603 flush_sigqueue(&current->pending);
2604 flush_sigqueue(&current->signal->shared_pending);
2605 flush_signal_handlers(current, 1);
2606 sigemptyset(&current->blocked);
2607 recalc_sigpending();
2608 }
2609 spin_unlock_irq(&current->sighand->siglock);
2610 }
2611
2612 /* Wake up the parent if it is waiting so that it can recheck
2613 * wait permission to the new task SID. */
2614 read_lock(&tasklist_lock);
2615 __wake_up_parent(current, current->real_parent);
2616 read_unlock(&tasklist_lock);
2617 }
2618
2619 /* superblock security operations */
2620
2621 static int selinux_sb_alloc_security(struct super_block *sb)
2622 {
2623 return superblock_alloc_security(sb);
2624 }
2625
2626 static void selinux_sb_free_security(struct super_block *sb)
2627 {
2628 superblock_free_security(sb);
2629 }
2630
2631 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2632 {
2633 if (plen > olen)
2634 return 0;
2635
2636 return !memcmp(prefix, option, plen);
2637 }
2638
2639 static inline int selinux_option(char *option, int len)
2640 {
2641 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2642 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2643 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2644 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2645 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2646 }
2647
2648 static inline void take_option(char **to, char *from, int *first, int len)
2649 {
2650 if (!*first) {
2651 **to = ',';
2652 *to += 1;
2653 } else
2654 *first = 0;
2655 memcpy(*to, from, len);
2656 *to += len;
2657 }
2658
2659 static inline void take_selinux_option(char **to, char *from, int *first,
2660 int len)
2661 {
2662 int current_size = 0;
2663
2664 if (!*first) {
2665 **to = '|';
2666 *to += 1;
2667 } else
2668 *first = 0;
2669
2670 while (current_size < len) {
2671 if (*from != '"') {
2672 **to = *from;
2673 *to += 1;
2674 }
2675 from += 1;
2676 current_size += 1;
2677 }
2678 }
2679
2680 static int selinux_sb_copy_data(char *orig, char *copy)
2681 {
2682 int fnosec, fsec, rc = 0;
2683 char *in_save, *in_curr, *in_end;
2684 char *sec_curr, *nosec_save, *nosec;
2685 int open_quote = 0;
2686
2687 in_curr = orig;
2688 sec_curr = copy;
2689
2690 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2691 if (!nosec) {
2692 rc = -ENOMEM;
2693 goto out;
2694 }
2695
2696 nosec_save = nosec;
2697 fnosec = fsec = 1;
2698 in_save = in_end = orig;
2699
2700 do {
2701 if (*in_end == '"')
2702 open_quote = !open_quote;
2703 if ((*in_end == ',' && open_quote == 0) ||
2704 *in_end == '\0') {
2705 int len = in_end - in_curr;
2706
2707 if (selinux_option(in_curr, len))
2708 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2709 else
2710 take_option(&nosec, in_curr, &fnosec, len);
2711
2712 in_curr = in_end + 1;
2713 }
2714 } while (*in_end++);
2715
2716 strcpy(in_save, nosec_save);
2717 free_page((unsigned long)nosec_save);
2718 out:
2719 return rc;
2720 }
2721
2722 static int selinux_sb_remount(struct super_block *sb, void *data)
2723 {
2724 int rc, i, *flags;
2725 struct security_mnt_opts opts;
2726 char *secdata, **mount_options;
2727 struct superblock_security_struct *sbsec = sb->s_security;
2728
2729 if (!(sbsec->flags & SE_SBINITIALIZED))
2730 return 0;
2731
2732 if (!data)
2733 return 0;
2734
2735 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2736 return 0;
2737
2738 security_init_mnt_opts(&opts);
2739 secdata = alloc_secdata();
2740 if (!secdata)
2741 return -ENOMEM;
2742 rc = selinux_sb_copy_data(data, secdata);
2743 if (rc)
2744 goto out_free_secdata;
2745
2746 rc = selinux_parse_opts_str(secdata, &opts);
2747 if (rc)
2748 goto out_free_secdata;
2749
2750 mount_options = opts.mnt_opts;
2751 flags = opts.mnt_opts_flags;
2752
2753 for (i = 0; i < opts.num_mnt_opts; i++) {
2754 u32 sid;
2755
2756 if (flags[i] == SBLABEL_MNT)
2757 continue;
2758 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2759 if (rc) {
2760 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2761 "(%s) failed for (dev %s, type %s) errno=%d\n",
2762 mount_options[i], sb->s_id, sb->s_type->name, rc);
2763 goto out_free_opts;
2764 }
2765 rc = -EINVAL;
2766 switch (flags[i]) {
2767 case FSCONTEXT_MNT:
2768 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2769 goto out_bad_option;
2770 break;
2771 case CONTEXT_MNT:
2772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2773 goto out_bad_option;
2774 break;
2775 case ROOTCONTEXT_MNT: {
2776 struct inode_security_struct *root_isec;
2777 root_isec = backing_inode_security(sb->s_root);
2778
2779 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2780 goto out_bad_option;
2781 break;
2782 }
2783 case DEFCONTEXT_MNT:
2784 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2785 goto out_bad_option;
2786 break;
2787 default:
2788 goto out_free_opts;
2789 }
2790 }
2791
2792 rc = 0;
2793 out_free_opts:
2794 security_free_mnt_opts(&opts);
2795 out_free_secdata:
2796 free_secdata(secdata);
2797 return rc;
2798 out_bad_option:
2799 printk(KERN_WARNING "SELinux: unable to change security options "
2800 "during remount (dev %s, type=%s)\n", sb->s_id,
2801 sb->s_type->name);
2802 goto out_free_opts;
2803 }
2804
2805 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2806 {
2807 const struct cred *cred = current_cred();
2808 struct common_audit_data ad;
2809 int rc;
2810
2811 rc = superblock_doinit(sb, data);
2812 if (rc)
2813 return rc;
2814
2815 /* Allow all mounts performed by the kernel */
2816 if (flags & MS_KERNMOUNT)
2817 return 0;
2818
2819 ad.type = LSM_AUDIT_DATA_DENTRY;
2820 ad.u.dentry = sb->s_root;
2821 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2822 }
2823
2824 static int selinux_sb_statfs(struct dentry *dentry)
2825 {
2826 const struct cred *cred = current_cred();
2827 struct common_audit_data ad;
2828
2829 ad.type = LSM_AUDIT_DATA_DENTRY;
2830 ad.u.dentry = dentry->d_sb->s_root;
2831 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2832 }
2833
2834 static int selinux_mount(const char *dev_name,
2835 const struct path *path,
2836 const char *type,
2837 unsigned long flags,
2838 void *data)
2839 {
2840 const struct cred *cred = current_cred();
2841
2842 if (flags & MS_REMOUNT)
2843 return superblock_has_perm(cred, path->dentry->d_sb,
2844 FILESYSTEM__REMOUNT, NULL);
2845 else
2846 return path_has_perm(cred, path, FILE__MOUNTON);
2847 }
2848
2849 static int selinux_umount(struct vfsmount *mnt, int flags)
2850 {
2851 const struct cred *cred = current_cred();
2852
2853 return superblock_has_perm(cred, mnt->mnt_sb,
2854 FILESYSTEM__UNMOUNT, NULL);
2855 }
2856
2857 /* inode security operations */
2858
2859 static int selinux_inode_alloc_security(struct inode *inode)
2860 {
2861 return inode_alloc_security(inode);
2862 }
2863
2864 static void selinux_inode_free_security(struct inode *inode)
2865 {
2866 inode_free_security(inode);
2867 }
2868
2869 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2870 const struct qstr *name, void **ctx,
2871 u32 *ctxlen)
2872 {
2873 u32 newsid;
2874 int rc;
2875
2876 rc = selinux_determine_inode_label(current_security(),
2877 d_inode(dentry->d_parent), name,
2878 inode_mode_to_security_class(mode),
2879 &newsid);
2880 if (rc)
2881 return rc;
2882
2883 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2884 }
2885
2886 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2887 struct qstr *name,
2888 const struct cred *old,
2889 struct cred *new)
2890 {
2891 u32 newsid;
2892 int rc;
2893 struct task_security_struct *tsec;
2894
2895 rc = selinux_determine_inode_label(old->security,
2896 d_inode(dentry->d_parent), name,
2897 inode_mode_to_security_class(mode),
2898 &newsid);
2899 if (rc)
2900 return rc;
2901
2902 tsec = new->security;
2903 tsec->create_sid = newsid;
2904 return 0;
2905 }
2906
2907 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2908 const struct qstr *qstr,
2909 const char **name,
2910 void **value, size_t *len)
2911 {
2912 const struct task_security_struct *tsec = current_security();
2913 struct superblock_security_struct *sbsec;
2914 u32 sid, newsid, clen;
2915 int rc;
2916 char *context;
2917
2918 sbsec = dir->i_sb->s_security;
2919
2920 sid = tsec->sid;
2921 newsid = tsec->create_sid;
2922
2923 rc = selinux_determine_inode_label(current_security(),
2924 dir, qstr,
2925 inode_mode_to_security_class(inode->i_mode),
2926 &newsid);
2927 if (rc)
2928 return rc;
2929
2930 /* Possibly defer initialization to selinux_complete_init. */
2931 if (sbsec->flags & SE_SBINITIALIZED) {
2932 struct inode_security_struct *isec = inode->i_security;
2933 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2934 isec->sid = newsid;
2935 isec->initialized = LABEL_INITIALIZED;
2936 }
2937
2938 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2939 return -EOPNOTSUPP;
2940
2941 if (name)
2942 *name = XATTR_SELINUX_SUFFIX;
2943
2944 if (value && len) {
2945 rc = security_sid_to_context_force(newsid, &context, &clen);
2946 if (rc)
2947 return rc;
2948 *value = context;
2949 *len = clen;
2950 }
2951
2952 return 0;
2953 }
2954
2955 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2956 {
2957 return may_create(dir, dentry, SECCLASS_FILE);
2958 }
2959
2960 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2961 {
2962 return may_link(dir, old_dentry, MAY_LINK);
2963 }
2964
2965 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2966 {
2967 return may_link(dir, dentry, MAY_UNLINK);
2968 }
2969
2970 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2971 {
2972 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2973 }
2974
2975 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2976 {
2977 return may_create(dir, dentry, SECCLASS_DIR);
2978 }
2979
2980 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2981 {
2982 return may_link(dir, dentry, MAY_RMDIR);
2983 }
2984
2985 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2986 {
2987 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2988 }
2989
2990 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2991 struct inode *new_inode, struct dentry *new_dentry)
2992 {
2993 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2994 }
2995
2996 static int selinux_inode_readlink(struct dentry *dentry)
2997 {
2998 const struct cred *cred = current_cred();
2999
3000 return dentry_has_perm(cred, dentry, FILE__READ);
3001 }
3002
3003 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3004 bool rcu)
3005 {
3006 const struct cred *cred = current_cred();
3007 struct common_audit_data ad;
3008 struct inode_security_struct *isec;
3009 u32 sid;
3010
3011 validate_creds(cred);
3012
3013 ad.type = LSM_AUDIT_DATA_DENTRY;
3014 ad.u.dentry = dentry;
3015 sid = cred_sid(cred);
3016 isec = inode_security_rcu(inode, rcu);
3017 if (IS_ERR(isec))
3018 return PTR_ERR(isec);
3019
3020 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3021 rcu ? MAY_NOT_BLOCK : 0);
3022 }
3023
3024 static noinline int audit_inode_permission(struct inode *inode,
3025 u32 perms, u32 audited, u32 denied,
3026 int result,
3027 unsigned flags)
3028 {
3029 struct common_audit_data ad;
3030 struct inode_security_struct *isec = inode->i_security;
3031 int rc;
3032
3033 ad.type = LSM_AUDIT_DATA_INODE;
3034 ad.u.inode = inode;
3035
3036 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3037 audited, denied, result, &ad, flags);
3038 if (rc)
3039 return rc;
3040 return 0;
3041 }
3042
3043 static int selinux_inode_permission(struct inode *inode, int mask)
3044 {
3045 const struct cred *cred = current_cred();
3046 u32 perms;
3047 bool from_access;
3048 unsigned flags = mask & MAY_NOT_BLOCK;
3049 struct inode_security_struct *isec;
3050 u32 sid;
3051 struct av_decision avd;
3052 int rc, rc2;
3053 u32 audited, denied;
3054
3055 from_access = mask & MAY_ACCESS;
3056 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3057
3058 /* No permission to check. Existence test. */
3059 if (!mask)
3060 return 0;
3061
3062 validate_creds(cred);
3063
3064 if (unlikely(IS_PRIVATE(inode)))
3065 return 0;
3066
3067 perms = file_mask_to_av(inode->i_mode, mask);
3068
3069 sid = cred_sid(cred);
3070 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3071 if (IS_ERR(isec))
3072 return PTR_ERR(isec);
3073
3074 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3075 audited = avc_audit_required(perms, &avd, rc,
3076 from_access ? FILE__AUDIT_ACCESS : 0,
3077 &denied);
3078 if (likely(!audited))
3079 return rc;
3080
3081 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3082 if (rc2)
3083 return rc2;
3084 return rc;
3085 }
3086
3087 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3088 {
3089 const struct cred *cred = current_cred();
3090 struct inode *inode = d_backing_inode(dentry);
3091 unsigned int ia_valid = iattr->ia_valid;
3092 __u32 av = FILE__WRITE;
3093
3094 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3095 if (ia_valid & ATTR_FORCE) {
3096 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3097 ATTR_FORCE);
3098 if (!ia_valid)
3099 return 0;
3100 }
3101
3102 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3103 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3104 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3105
3106 if (selinux_policycap_openperm &&
3107 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3108 (ia_valid & ATTR_SIZE) &&
3109 !(ia_valid & ATTR_FILE))
3110 av |= FILE__OPEN;
3111
3112 return dentry_has_perm(cred, dentry, av);
3113 }
3114
3115 static int selinux_inode_getattr(const struct path *path)
3116 {
3117 return path_has_perm(current_cred(), path, FILE__GETATTR);
3118 }
3119
3120 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3121 {
3122 const struct cred *cred = current_cred();
3123
3124 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3125 sizeof XATTR_SECURITY_PREFIX - 1)) {
3126 if (!strcmp(name, XATTR_NAME_CAPS)) {
3127 if (!capable(CAP_SETFCAP))
3128 return -EPERM;
3129 } else if (!capable(CAP_SYS_ADMIN)) {
3130 /* A different attribute in the security namespace.
3131 Restrict to administrator. */
3132 return -EPERM;
3133 }
3134 }
3135
3136 /* Not an attribute we recognize, so just check the
3137 ordinary setattr permission. */
3138 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3139 }
3140
3141 static bool has_cap_mac_admin(bool audit)
3142 {
3143 const struct cred *cred = current_cred();
3144 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3145
3146 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3147 return false;
3148 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3149 return false;
3150 return true;
3151 }
3152
3153 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3154 const void *value, size_t size, int flags)
3155 {
3156 struct inode *inode = d_backing_inode(dentry);
3157 struct inode_security_struct *isec;
3158 struct superblock_security_struct *sbsec;
3159 struct common_audit_data ad;
3160 u32 newsid, sid = current_sid();
3161 int rc = 0;
3162
3163 if (strcmp(name, XATTR_NAME_SELINUX))
3164 return selinux_inode_setotherxattr(dentry, name);
3165
3166 sbsec = inode->i_sb->s_security;
3167 if (!(sbsec->flags & SBLABEL_MNT))
3168 return -EOPNOTSUPP;
3169
3170 if (!inode_owner_or_capable(inode))
3171 return -EPERM;
3172
3173 ad.type = LSM_AUDIT_DATA_DENTRY;
3174 ad.u.dentry = dentry;
3175
3176 isec = backing_inode_security(dentry);
3177 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3178 FILE__RELABELFROM, &ad);
3179 if (rc)
3180 return rc;
3181
3182 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3183 if (rc == -EINVAL) {
3184 if (!has_cap_mac_admin(true)) {
3185 struct audit_buffer *ab;
3186 size_t audit_size;
3187 const char *str;
3188
3189 /* We strip a nul only if it is at the end, otherwise the
3190 * context contains a nul and we should audit that */
3191 if (value) {
3192 str = value;
3193 if (str[size - 1] == '\0')
3194 audit_size = size - 1;
3195 else
3196 audit_size = size;
3197 } else {
3198 str = "";
3199 audit_size = 0;
3200 }
3201 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3202 audit_log_format(ab, "op=setxattr invalid_context=");
3203 audit_log_n_untrustedstring(ab, value, audit_size);
3204 audit_log_end(ab);
3205
3206 return rc;
3207 }
3208 rc = security_context_to_sid_force(value, size, &newsid);
3209 }
3210 if (rc)
3211 return rc;
3212
3213 rc = avc_has_perm(sid, newsid, isec->sclass,
3214 FILE__RELABELTO, &ad);
3215 if (rc)
3216 return rc;
3217
3218 rc = security_validate_transition(isec->sid, newsid, sid,
3219 isec->sclass);
3220 if (rc)
3221 return rc;
3222
3223 return avc_has_perm(newsid,
3224 sbsec->sid,
3225 SECCLASS_FILESYSTEM,
3226 FILESYSTEM__ASSOCIATE,
3227 &ad);
3228 }
3229
3230 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3231 const void *value, size_t size,
3232 int flags)
3233 {
3234 struct inode *inode = d_backing_inode(dentry);
3235 struct inode_security_struct *isec;
3236 u32 newsid;
3237 int rc;
3238
3239 if (strcmp(name, XATTR_NAME_SELINUX)) {
3240 /* Not an attribute we recognize, so nothing to do. */
3241 return;
3242 }
3243
3244 rc = security_context_to_sid_force(value, size, &newsid);
3245 if (rc) {
3246 printk(KERN_ERR "SELinux: unable to map context to SID"
3247 "for (%s, %lu), rc=%d\n",
3248 inode->i_sb->s_id, inode->i_ino, -rc);
3249 return;
3250 }
3251
3252 isec = backing_inode_security(dentry);
3253 spin_lock(&isec->lock);
3254 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3255 isec->sid = newsid;
3256 isec->initialized = LABEL_INITIALIZED;
3257 spin_unlock(&isec->lock);
3258
3259 return;
3260 }
3261
3262 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3263 {
3264 const struct cred *cred = current_cred();
3265
3266 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3267 }
3268
3269 static int selinux_inode_listxattr(struct dentry *dentry)
3270 {
3271 const struct cred *cred = current_cred();
3272
3273 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3274 }
3275
3276 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3277 {
3278 if (strcmp(name, XATTR_NAME_SELINUX))
3279 return selinux_inode_setotherxattr(dentry, name);
3280
3281 /* No one is allowed to remove a SELinux security label.
3282 You can change the label, but all data must be labeled. */
3283 return -EACCES;
3284 }
3285
3286 /*
3287 * Copy the inode security context value to the user.
3288 *
3289 * Permission check is handled by selinux_inode_getxattr hook.
3290 */
3291 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3292 {
3293 u32 size;
3294 int error;
3295 char *context = NULL;
3296 struct inode_security_struct *isec;
3297
3298 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3299 return -EOPNOTSUPP;
3300
3301 /*
3302 * If the caller has CAP_MAC_ADMIN, then get the raw context
3303 * value even if it is not defined by current policy; otherwise,
3304 * use the in-core value under current policy.
3305 * Use the non-auditing forms of the permission checks since
3306 * getxattr may be called by unprivileged processes commonly
3307 * and lack of permission just means that we fall back to the
3308 * in-core context value, not a denial.
3309 */
3310 isec = inode_security(inode);
3311 if (has_cap_mac_admin(false))
3312 error = security_sid_to_context_force(isec->sid, &context,
3313 &size);
3314 else
3315 error = security_sid_to_context(isec->sid, &context, &size);
3316 if (error)
3317 return error;
3318 error = size;
3319 if (alloc) {
3320 *buffer = context;
3321 goto out_nofree;
3322 }
3323 kfree(context);
3324 out_nofree:
3325 return error;
3326 }
3327
3328 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3329 const void *value, size_t size, int flags)
3330 {
3331 struct inode_security_struct *isec = inode_security_novalidate(inode);
3332 u32 newsid;
3333 int rc;
3334
3335 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3336 return -EOPNOTSUPP;
3337
3338 if (!value || !size)
3339 return -EACCES;
3340
3341 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3342 if (rc)
3343 return rc;
3344
3345 spin_lock(&isec->lock);
3346 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3347 isec->sid = newsid;
3348 isec->initialized = LABEL_INITIALIZED;
3349 spin_unlock(&isec->lock);
3350 return 0;
3351 }
3352
3353 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3354 {
3355 const int len = sizeof(XATTR_NAME_SELINUX);
3356 if (buffer && len <= buffer_size)
3357 memcpy(buffer, XATTR_NAME_SELINUX, len);
3358 return len;
3359 }
3360
3361 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3362 {
3363 struct inode_security_struct *isec = inode_security_novalidate(inode);
3364 *secid = isec->sid;
3365 }
3366
3367 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3368 {
3369 u32 sid;
3370 struct task_security_struct *tsec;
3371 struct cred *new_creds = *new;
3372
3373 if (new_creds == NULL) {
3374 new_creds = prepare_creds();
3375 if (!new_creds)
3376 return -ENOMEM;
3377 }
3378
3379 tsec = new_creds->security;
3380 /* Get label from overlay inode and set it in create_sid */
3381 selinux_inode_getsecid(d_inode(src), &sid);
3382 tsec->create_sid = sid;
3383 *new = new_creds;
3384 return 0;
3385 }
3386
3387 static int selinux_inode_copy_up_xattr(const char *name)
3388 {
3389 /* The copy_up hook above sets the initial context on an inode, but we
3390 * don't then want to overwrite it by blindly copying all the lower
3391 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3392 */
3393 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3394 return 1; /* Discard */
3395 /*
3396 * Any other attribute apart from SELINUX is not claimed, supported
3397 * by selinux.
3398 */
3399 return -EOPNOTSUPP;
3400 }
3401
3402 /* file security operations */
3403
3404 static int selinux_revalidate_file_permission(struct file *file, int mask)
3405 {
3406 const struct cred *cred = current_cred();
3407 struct inode *inode = file_inode(file);
3408
3409 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3410 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3411 mask |= MAY_APPEND;
3412
3413 return file_has_perm(cred, file,
3414 file_mask_to_av(inode->i_mode, mask));
3415 }
3416
3417 static int selinux_file_permission(struct file *file, int mask)
3418 {
3419 struct inode *inode = file_inode(file);
3420 struct file_security_struct *fsec = file->f_security;
3421 struct inode_security_struct *isec;
3422 u32 sid = current_sid();
3423
3424 if (!mask)
3425 /* No permission to check. Existence test. */
3426 return 0;
3427
3428 isec = inode_security(inode);
3429 if (sid == fsec->sid && fsec->isid == isec->sid &&
3430 fsec->pseqno == avc_policy_seqno())
3431 /* No change since file_open check. */
3432 return 0;
3433
3434 return selinux_revalidate_file_permission(file, mask);
3435 }
3436
3437 static int selinux_file_alloc_security(struct file *file)
3438 {
3439 return file_alloc_security(file);
3440 }
3441
3442 static void selinux_file_free_security(struct file *file)
3443 {
3444 file_free_security(file);
3445 }
3446
3447 /*
3448 * Check whether a task has the ioctl permission and cmd
3449 * operation to an inode.
3450 */
3451 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3452 u32 requested, u16 cmd)
3453 {
3454 struct common_audit_data ad;
3455 struct file_security_struct *fsec = file->f_security;
3456 struct inode *inode = file_inode(file);
3457 struct inode_security_struct *isec;
3458 struct lsm_ioctlop_audit ioctl;
3459 u32 ssid = cred_sid(cred);
3460 int rc;
3461 u8 driver = cmd >> 8;
3462 u8 xperm = cmd & 0xff;
3463
3464 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3465 ad.u.op = &ioctl;
3466 ad.u.op->cmd = cmd;
3467 ad.u.op->path = file->f_path;
3468
3469 if (ssid != fsec->sid) {
3470 rc = avc_has_perm(ssid, fsec->sid,
3471 SECCLASS_FD,
3472 FD__USE,
3473 &ad);
3474 if (rc)
3475 goto out;
3476 }
3477
3478 if (unlikely(IS_PRIVATE(inode)))
3479 return 0;
3480
3481 isec = inode_security(inode);
3482 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3483 requested, driver, xperm, &ad);
3484 out:
3485 return rc;
3486 }
3487
3488 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3489 unsigned long arg)
3490 {
3491 const struct cred *cred = current_cred();
3492 int error = 0;
3493
3494 switch (cmd) {
3495 case FIONREAD:
3496 /* fall through */
3497 case FIBMAP:
3498 /* fall through */
3499 case FIGETBSZ:
3500 /* fall through */
3501 case FS_IOC_GETFLAGS:
3502 /* fall through */
3503 case FS_IOC_GETVERSION:
3504 error = file_has_perm(cred, file, FILE__GETATTR);
3505 break;
3506
3507 case FS_IOC_SETFLAGS:
3508 /* fall through */
3509 case FS_IOC_SETVERSION:
3510 error = file_has_perm(cred, file, FILE__SETATTR);
3511 break;
3512
3513 /* sys_ioctl() checks */
3514 case FIONBIO:
3515 /* fall through */
3516 case FIOASYNC:
3517 error = file_has_perm(cred, file, 0);
3518 break;
3519
3520 case KDSKBENT:
3521 case KDSKBSENT:
3522 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3523 SECURITY_CAP_AUDIT, true);
3524 break;
3525
3526 /* default case assumes that the command will go
3527 * to the file's ioctl() function.
3528 */
3529 default:
3530 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3531 }
3532 return error;
3533 }
3534
3535 static int default_noexec;
3536
3537 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3538 {
3539 const struct cred *cred = current_cred();
3540 u32 sid = cred_sid(cred);
3541 int rc = 0;
3542
3543 if (default_noexec &&
3544 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3545 (!shared && (prot & PROT_WRITE)))) {
3546 /*
3547 * We are making executable an anonymous mapping or a
3548 * private file mapping that will also be writable.
3549 * This has an additional check.
3550 */
3551 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3552 PROCESS__EXECMEM, NULL);
3553 if (rc)
3554 goto error;
3555 }
3556
3557 if (file) {
3558 /* read access is always possible with a mapping */
3559 u32 av = FILE__READ;
3560
3561 /* write access only matters if the mapping is shared */
3562 if (shared && (prot & PROT_WRITE))
3563 av |= FILE__WRITE;
3564
3565 if (prot & PROT_EXEC)
3566 av |= FILE__EXECUTE;
3567
3568 return file_has_perm(cred, file, av);
3569 }
3570
3571 error:
3572 return rc;
3573 }
3574
3575 static int selinux_mmap_addr(unsigned long addr)
3576 {
3577 int rc = 0;
3578
3579 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3580 u32 sid = current_sid();
3581 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3582 MEMPROTECT__MMAP_ZERO, NULL);
3583 }
3584
3585 return rc;
3586 }
3587
3588 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3589 unsigned long prot, unsigned long flags)
3590 {
3591 struct common_audit_data ad;
3592 int rc;
3593
3594 if (file) {
3595 ad.type = LSM_AUDIT_DATA_FILE;
3596 ad.u.file = file;
3597 rc = inode_has_perm(current_cred(), file_inode(file),
3598 FILE__MAP, &ad);
3599 if (rc)
3600 return rc;
3601 }
3602
3603 if (selinux_checkreqprot)
3604 prot = reqprot;
3605
3606 return file_map_prot_check(file, prot,
3607 (flags & MAP_TYPE) == MAP_SHARED);
3608 }
3609
3610 static int selinux_file_mprotect(struct vm_area_struct *vma,
3611 unsigned long reqprot,
3612 unsigned long prot)
3613 {
3614 const struct cred *cred = current_cred();
3615 u32 sid = cred_sid(cred);
3616
3617 if (selinux_checkreqprot)
3618 prot = reqprot;
3619
3620 if (default_noexec &&
3621 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3622 int rc = 0;
3623 if (vma->vm_start >= vma->vm_mm->start_brk &&
3624 vma->vm_end <= vma->vm_mm->brk) {
3625 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3626 PROCESS__EXECHEAP, NULL);
3627 } else if (!vma->vm_file &&
3628 ((vma->vm_start <= vma->vm_mm->start_stack &&
3629 vma->vm_end >= vma->vm_mm->start_stack) ||
3630 vma_is_stack_for_current(vma))) {
3631 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3632 PROCESS__EXECSTACK, NULL);
3633 } else if (vma->vm_file && vma->anon_vma) {
3634 /*
3635 * We are making executable a file mapping that has
3636 * had some COW done. Since pages might have been
3637 * written, check ability to execute the possibly
3638 * modified content. This typically should only
3639 * occur for text relocations.
3640 */
3641 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3642 }
3643 if (rc)
3644 return rc;
3645 }
3646
3647 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3648 }
3649
3650 static int selinux_file_lock(struct file *file, unsigned int cmd)
3651 {
3652 const struct cred *cred = current_cred();
3653
3654 return file_has_perm(cred, file, FILE__LOCK);
3655 }
3656
3657 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3658 unsigned long arg)
3659 {
3660 const struct cred *cred = current_cred();
3661 int err = 0;
3662
3663 switch (cmd) {
3664 case F_SETFL:
3665 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3666 err = file_has_perm(cred, file, FILE__WRITE);
3667 break;
3668 }
3669 /* fall through */
3670 case F_SETOWN:
3671 case F_SETSIG:
3672 case F_GETFL:
3673 case F_GETOWN:
3674 case F_GETSIG:
3675 case F_GETOWNER_UIDS:
3676 /* Just check FD__USE permission */
3677 err = file_has_perm(cred, file, 0);
3678 break;
3679 case F_GETLK:
3680 case F_SETLK:
3681 case F_SETLKW:
3682 case F_OFD_GETLK:
3683 case F_OFD_SETLK:
3684 case F_OFD_SETLKW:
3685 #if BITS_PER_LONG == 32
3686 case F_GETLK64:
3687 case F_SETLK64:
3688 case F_SETLKW64:
3689 #endif
3690 err = file_has_perm(cred, file, FILE__LOCK);
3691 break;
3692 }
3693
3694 return err;
3695 }
3696
3697 static void selinux_file_set_fowner(struct file *file)
3698 {
3699 struct file_security_struct *fsec;
3700
3701 fsec = file->f_security;
3702 fsec->fown_sid = current_sid();
3703 }
3704
3705 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3706 struct fown_struct *fown, int signum)
3707 {
3708 struct file *file;
3709 u32 sid = task_sid(tsk);
3710 u32 perm;
3711 struct file_security_struct *fsec;
3712
3713 /* struct fown_struct is never outside the context of a struct file */
3714 file = container_of(fown, struct file, f_owner);
3715
3716 fsec = file->f_security;
3717
3718 if (!signum)
3719 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3720 else
3721 perm = signal_to_av(signum);
3722
3723 return avc_has_perm(fsec->fown_sid, sid,
3724 SECCLASS_PROCESS, perm, NULL);
3725 }
3726
3727 static int selinux_file_receive(struct file *file)
3728 {
3729 const struct cred *cred = current_cred();
3730
3731 return file_has_perm(cred, file, file_to_av(file));
3732 }
3733
3734 static int selinux_file_open(struct file *file, const struct cred *cred)
3735 {
3736 struct file_security_struct *fsec;
3737 struct inode_security_struct *isec;
3738
3739 fsec = file->f_security;
3740 isec = inode_security(file_inode(file));
3741 /*
3742 * Save inode label and policy sequence number
3743 * at open-time so that selinux_file_permission
3744 * can determine whether revalidation is necessary.
3745 * Task label is already saved in the file security
3746 * struct as its SID.
3747 */
3748 fsec->isid = isec->sid;
3749 fsec->pseqno = avc_policy_seqno();
3750 /*
3751 * Since the inode label or policy seqno may have changed
3752 * between the selinux_inode_permission check and the saving
3753 * of state above, recheck that access is still permitted.
3754 * Otherwise, access might never be revalidated against the
3755 * new inode label or new policy.
3756 * This check is not redundant - do not remove.
3757 */
3758 return file_path_has_perm(cred, file, open_file_to_av(file));
3759 }
3760
3761 /* task security operations */
3762
3763 static int selinux_task_alloc(struct task_struct *task,
3764 unsigned long clone_flags)
3765 {
3766 u32 sid = current_sid();
3767
3768 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3769 }
3770
3771 /*
3772 * allocate the SELinux part of blank credentials
3773 */
3774 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3775 {
3776 struct task_security_struct *tsec;
3777
3778 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3779 if (!tsec)
3780 return -ENOMEM;
3781
3782 cred->security = tsec;
3783 return 0;
3784 }
3785
3786 /*
3787 * detach and free the LSM part of a set of credentials
3788 */
3789 static void selinux_cred_free(struct cred *cred)
3790 {
3791 struct task_security_struct *tsec = cred->security;
3792
3793 /*
3794 * cred->security == NULL if security_cred_alloc_blank() or
3795 * security_prepare_creds() returned an error.
3796 */
3797 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3798 cred->security = (void *) 0x7UL;
3799 kfree(tsec);
3800 }
3801
3802 /*
3803 * prepare a new set of credentials for modification
3804 */
3805 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3806 gfp_t gfp)
3807 {
3808 const struct task_security_struct *old_tsec;
3809 struct task_security_struct *tsec;
3810
3811 old_tsec = old->security;
3812
3813 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3814 if (!tsec)
3815 return -ENOMEM;
3816
3817 new->security = tsec;
3818 return 0;
3819 }
3820
3821 /*
3822 * transfer the SELinux data to a blank set of creds
3823 */
3824 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3825 {
3826 const struct task_security_struct *old_tsec = old->security;
3827 struct task_security_struct *tsec = new->security;
3828
3829 *tsec = *old_tsec;
3830 }
3831
3832 /*
3833 * set the security data for a kernel service
3834 * - all the creation contexts are set to unlabelled
3835 */
3836 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3837 {
3838 struct task_security_struct *tsec = new->security;
3839 u32 sid = current_sid();
3840 int ret;
3841
3842 ret = avc_has_perm(sid, secid,
3843 SECCLASS_KERNEL_SERVICE,
3844 KERNEL_SERVICE__USE_AS_OVERRIDE,
3845 NULL);
3846 if (ret == 0) {
3847 tsec->sid = secid;
3848 tsec->create_sid = 0;
3849 tsec->keycreate_sid = 0;
3850 tsec->sockcreate_sid = 0;
3851 }
3852 return ret;
3853 }
3854
3855 /*
3856 * set the file creation context in a security record to the same as the
3857 * objective context of the specified inode
3858 */
3859 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3860 {
3861 struct inode_security_struct *isec = inode_security(inode);
3862 struct task_security_struct *tsec = new->security;
3863 u32 sid = current_sid();
3864 int ret;
3865
3866 ret = avc_has_perm(sid, isec->sid,
3867 SECCLASS_KERNEL_SERVICE,
3868 KERNEL_SERVICE__CREATE_FILES_AS,
3869 NULL);
3870
3871 if (ret == 0)
3872 tsec->create_sid = isec->sid;
3873 return ret;
3874 }
3875
3876 static int selinux_kernel_module_request(char *kmod_name)
3877 {
3878 struct common_audit_data ad;
3879
3880 ad.type = LSM_AUDIT_DATA_KMOD;
3881 ad.u.kmod_name = kmod_name;
3882
3883 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3884 SYSTEM__MODULE_REQUEST, &ad);
3885 }
3886
3887 static int selinux_kernel_module_from_file(struct file *file)
3888 {
3889 struct common_audit_data ad;
3890 struct inode_security_struct *isec;
3891 struct file_security_struct *fsec;
3892 u32 sid = current_sid();
3893 int rc;
3894
3895 /* init_module */
3896 if (file == NULL)
3897 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3898 SYSTEM__MODULE_LOAD, NULL);
3899
3900 /* finit_module */
3901
3902 ad.type = LSM_AUDIT_DATA_FILE;
3903 ad.u.file = file;
3904
3905 fsec = file->f_security;
3906 if (sid != fsec->sid) {
3907 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3908 if (rc)
3909 return rc;
3910 }
3911
3912 isec = inode_security(file_inode(file));
3913 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3914 SYSTEM__MODULE_LOAD, &ad);
3915 }
3916
3917 static int selinux_kernel_read_file(struct file *file,
3918 enum kernel_read_file_id id)
3919 {
3920 int rc = 0;
3921
3922 switch (id) {
3923 case READING_MODULE:
3924 rc = selinux_kernel_module_from_file(file);
3925 break;
3926 default:
3927 break;
3928 }
3929
3930 return rc;
3931 }
3932
3933 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3934 {
3935 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3936 PROCESS__SETPGID, NULL);
3937 }
3938
3939 static int selinux_task_getpgid(struct task_struct *p)
3940 {
3941 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3942 PROCESS__GETPGID, NULL);
3943 }
3944
3945 static int selinux_task_getsid(struct task_struct *p)
3946 {
3947 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3948 PROCESS__GETSESSION, NULL);
3949 }
3950
3951 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3952 {
3953 *secid = task_sid(p);
3954 }
3955
3956 static int selinux_task_setnice(struct task_struct *p, int nice)
3957 {
3958 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3959 PROCESS__SETSCHED, NULL);
3960 }
3961
3962 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3963 {
3964 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3965 PROCESS__SETSCHED, NULL);
3966 }
3967
3968 static int selinux_task_getioprio(struct task_struct *p)
3969 {
3970 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3971 PROCESS__GETSCHED, NULL);
3972 }
3973
3974 int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3975 unsigned int flags)
3976 {
3977 u32 av = 0;
3978
3979 if (!flags)
3980 return 0;
3981 if (flags & LSM_PRLIMIT_WRITE)
3982 av |= PROCESS__SETRLIMIT;
3983 if (flags & LSM_PRLIMIT_READ)
3984 av |= PROCESS__GETRLIMIT;
3985 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
3986 SECCLASS_PROCESS, av, NULL);
3987 }
3988
3989 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3990 struct rlimit *new_rlim)
3991 {
3992 struct rlimit *old_rlim = p->signal->rlim + resource;
3993
3994 /* Control the ability to change the hard limit (whether
3995 lowering or raising it), so that the hard limit can
3996 later be used as a safe reset point for the soft limit
3997 upon context transitions. See selinux_bprm_committing_creds. */
3998 if (old_rlim->rlim_max != new_rlim->rlim_max)
3999 return avc_has_perm(current_sid(), task_sid(p),
4000 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4001
4002 return 0;
4003 }
4004
4005 static int selinux_task_setscheduler(struct task_struct *p)
4006 {
4007 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4008 PROCESS__SETSCHED, NULL);
4009 }
4010
4011 static int selinux_task_getscheduler(struct task_struct *p)
4012 {
4013 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4014 PROCESS__GETSCHED, NULL);
4015 }
4016
4017 static int selinux_task_movememory(struct task_struct *p)
4018 {
4019 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4020 PROCESS__SETSCHED, NULL);
4021 }
4022
4023 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4024 int sig, u32 secid)
4025 {
4026 u32 perm;
4027
4028 if (!sig)
4029 perm = PROCESS__SIGNULL; /* null signal; existence test */
4030 else
4031 perm = signal_to_av(sig);
4032 if (!secid)
4033 secid = current_sid();
4034 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4035 }
4036
4037 static void selinux_task_to_inode(struct task_struct *p,
4038 struct inode *inode)
4039 {
4040 struct inode_security_struct *isec = inode->i_security;
4041 u32 sid = task_sid(p);
4042
4043 spin_lock(&isec->lock);
4044 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4045 isec->sid = sid;
4046 isec->initialized = LABEL_INITIALIZED;
4047 spin_unlock(&isec->lock);
4048 }
4049
4050 /* Returns error only if unable to parse addresses */
4051 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4052 struct common_audit_data *ad, u8 *proto)
4053 {
4054 int offset, ihlen, ret = -EINVAL;
4055 struct iphdr _iph, *ih;
4056
4057 offset = skb_network_offset(skb);
4058 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4059 if (ih == NULL)
4060 goto out;
4061
4062 ihlen = ih->ihl * 4;
4063 if (ihlen < sizeof(_iph))
4064 goto out;
4065
4066 ad->u.net->v4info.saddr = ih->saddr;
4067 ad->u.net->v4info.daddr = ih->daddr;
4068 ret = 0;
4069
4070 if (proto)
4071 *proto = ih->protocol;
4072
4073 switch (ih->protocol) {
4074 case IPPROTO_TCP: {
4075 struct tcphdr _tcph, *th;
4076
4077 if (ntohs(ih->frag_off) & IP_OFFSET)
4078 break;
4079
4080 offset += ihlen;
4081 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4082 if (th == NULL)
4083 break;
4084
4085 ad->u.net->sport = th->source;
4086 ad->u.net->dport = th->dest;
4087 break;
4088 }
4089
4090 case IPPROTO_UDP: {
4091 struct udphdr _udph, *uh;
4092
4093 if (ntohs(ih->frag_off) & IP_OFFSET)
4094 break;
4095
4096 offset += ihlen;
4097 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4098 if (uh == NULL)
4099 break;
4100
4101 ad->u.net->sport = uh->source;
4102 ad->u.net->dport = uh->dest;
4103 break;
4104 }
4105
4106 case IPPROTO_DCCP: {
4107 struct dccp_hdr _dccph, *dh;
4108
4109 if (ntohs(ih->frag_off) & IP_OFFSET)
4110 break;
4111
4112 offset += ihlen;
4113 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4114 if (dh == NULL)
4115 break;
4116
4117 ad->u.net->sport = dh->dccph_sport;
4118 ad->u.net->dport = dh->dccph_dport;
4119 break;
4120 }
4121
4122 default:
4123 break;
4124 }
4125 out:
4126 return ret;
4127 }
4128
4129 #if IS_ENABLED(CONFIG_IPV6)
4130
4131 /* Returns error only if unable to parse addresses */
4132 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4133 struct common_audit_data *ad, u8 *proto)
4134 {
4135 u8 nexthdr;
4136 int ret = -EINVAL, offset;
4137 struct ipv6hdr _ipv6h, *ip6;
4138 __be16 frag_off;
4139
4140 offset = skb_network_offset(skb);
4141 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4142 if (ip6 == NULL)
4143 goto out;
4144
4145 ad->u.net->v6info.saddr = ip6->saddr;
4146 ad->u.net->v6info.daddr = ip6->daddr;
4147 ret = 0;
4148
4149 nexthdr = ip6->nexthdr;
4150 offset += sizeof(_ipv6h);
4151 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4152 if (offset < 0)
4153 goto out;
4154
4155 if (proto)
4156 *proto = nexthdr;
4157
4158 switch (nexthdr) {
4159 case IPPROTO_TCP: {
4160 struct tcphdr _tcph, *th;
4161
4162 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4163 if (th == NULL)
4164 break;
4165
4166 ad->u.net->sport = th->source;
4167 ad->u.net->dport = th->dest;
4168 break;
4169 }
4170
4171 case IPPROTO_UDP: {
4172 struct udphdr _udph, *uh;
4173
4174 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4175 if (uh == NULL)
4176 break;
4177
4178 ad->u.net->sport = uh->source;
4179 ad->u.net->dport = uh->dest;
4180 break;
4181 }
4182
4183 case IPPROTO_DCCP: {
4184 struct dccp_hdr _dccph, *dh;
4185
4186 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4187 if (dh == NULL)
4188 break;
4189
4190 ad->u.net->sport = dh->dccph_sport;
4191 ad->u.net->dport = dh->dccph_dport;
4192 break;
4193 }
4194
4195 /* includes fragments */
4196 default:
4197 break;
4198 }
4199 out:
4200 return ret;
4201 }
4202
4203 #endif /* IPV6 */
4204
4205 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4206 char **_addrp, int src, u8 *proto)
4207 {
4208 char *addrp;
4209 int ret;
4210
4211 switch (ad->u.net->family) {
4212 case PF_INET:
4213 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4214 if (ret)
4215 goto parse_error;
4216 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4217 &ad->u.net->v4info.daddr);
4218 goto okay;
4219
4220 #if IS_ENABLED(CONFIG_IPV6)
4221 case PF_INET6:
4222 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4223 if (ret)
4224 goto parse_error;
4225 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4226 &ad->u.net->v6info.daddr);
4227 goto okay;
4228 #endif /* IPV6 */
4229 default:
4230 addrp = NULL;
4231 goto okay;
4232 }
4233
4234 parse_error:
4235 printk(KERN_WARNING
4236 "SELinux: failure in selinux_parse_skb(),"
4237 " unable to parse packet\n");
4238 return ret;
4239
4240 okay:
4241 if (_addrp)
4242 *_addrp = addrp;
4243 return 0;
4244 }
4245
4246 /**
4247 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4248 * @skb: the packet
4249 * @family: protocol family
4250 * @sid: the packet's peer label SID
4251 *
4252 * Description:
4253 * Check the various different forms of network peer labeling and determine
4254 * the peer label/SID for the packet; most of the magic actually occurs in
4255 * the security server function security_net_peersid_cmp(). The function
4256 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4257 * or -EACCES if @sid is invalid due to inconsistencies with the different
4258 * peer labels.
4259 *
4260 */
4261 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4262 {
4263 int err;
4264 u32 xfrm_sid;
4265 u32 nlbl_sid;
4266 u32 nlbl_type;
4267
4268 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4269 if (unlikely(err))
4270 return -EACCES;
4271 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4272 if (unlikely(err))
4273 return -EACCES;
4274
4275 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4276 if (unlikely(err)) {
4277 printk(KERN_WARNING
4278 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4279 " unable to determine packet's peer label\n");
4280 return -EACCES;
4281 }
4282
4283 return 0;
4284 }
4285
4286 /**
4287 * selinux_conn_sid - Determine the child socket label for a connection
4288 * @sk_sid: the parent socket's SID
4289 * @skb_sid: the packet's SID
4290 * @conn_sid: the resulting connection SID
4291 *
4292 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4293 * combined with the MLS information from @skb_sid in order to create
4294 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4295 * of @sk_sid. Returns zero on success, negative values on failure.
4296 *
4297 */
4298 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4299 {
4300 int err = 0;
4301
4302 if (skb_sid != SECSID_NULL)
4303 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4304 else
4305 *conn_sid = sk_sid;
4306
4307 return err;
4308 }
4309
4310 /* socket security operations */
4311
4312 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4313 u16 secclass, u32 *socksid)
4314 {
4315 if (tsec->sockcreate_sid > SECSID_NULL) {
4316 *socksid = tsec->sockcreate_sid;
4317 return 0;
4318 }
4319
4320 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4321 socksid);
4322 }
4323
4324 static int sock_has_perm(struct sock *sk, u32 perms)
4325 {
4326 struct sk_security_struct *sksec = sk->sk_security;
4327 struct common_audit_data ad;
4328 struct lsm_network_audit net = {0,};
4329
4330 if (sksec->sid == SECINITSID_KERNEL)
4331 return 0;
4332
4333 ad.type = LSM_AUDIT_DATA_NET;
4334 ad.u.net = &net;
4335 ad.u.net->sk = sk;
4336
4337 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4338 &ad);
4339 }
4340
4341 static int selinux_socket_create(int family, int type,
4342 int protocol, int kern)
4343 {
4344 const struct task_security_struct *tsec = current_security();
4345 u32 newsid;
4346 u16 secclass;
4347 int rc;
4348
4349 if (kern)
4350 return 0;
4351
4352 secclass = socket_type_to_security_class(family, type, protocol);
4353 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4354 if (rc)
4355 return rc;
4356
4357 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4358 }
4359
4360 static int selinux_socket_post_create(struct socket *sock, int family,
4361 int type, int protocol, int kern)
4362 {
4363 const struct task_security_struct *tsec = current_security();
4364 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4365 struct sk_security_struct *sksec;
4366 u16 sclass = socket_type_to_security_class(family, type, protocol);
4367 u32 sid = SECINITSID_KERNEL;
4368 int err = 0;
4369
4370 if (!kern) {
4371 err = socket_sockcreate_sid(tsec, sclass, &sid);
4372 if (err)
4373 return err;
4374 }
4375
4376 isec->sclass = sclass;
4377 isec->sid = sid;
4378 isec->initialized = LABEL_INITIALIZED;
4379
4380 if (sock->sk) {
4381 sksec = sock->sk->sk_security;
4382 sksec->sclass = sclass;
4383 sksec->sid = sid;
4384 err = selinux_netlbl_socket_post_create(sock->sk, family);
4385 }
4386
4387 return err;
4388 }
4389
4390 /* Range of port numbers used to automatically bind.
4391 Need to determine whether we should perform a name_bind
4392 permission check between the socket and the port number. */
4393
4394 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4395 {
4396 struct sock *sk = sock->sk;
4397 u16 family;
4398 int err;
4399
4400 err = sock_has_perm(sk, SOCKET__BIND);
4401 if (err)
4402 goto out;
4403
4404 /*
4405 * If PF_INET or PF_INET6, check name_bind permission for the port.
4406 * Multiple address binding for SCTP is not supported yet: we just
4407 * check the first address now.
4408 */
4409 family = sk->sk_family;
4410 if (family == PF_INET || family == PF_INET6) {
4411 char *addrp;
4412 struct sk_security_struct *sksec = sk->sk_security;
4413 struct common_audit_data ad;
4414 struct lsm_network_audit net = {0,};
4415 struct sockaddr_in *addr4 = NULL;
4416 struct sockaddr_in6 *addr6 = NULL;
4417 unsigned short snum;
4418 u32 sid, node_perm;
4419
4420 if (family == PF_INET) {
4421 if (addrlen < sizeof(struct sockaddr_in)) {
4422 err = -EINVAL;
4423 goto out;
4424 }
4425 addr4 = (struct sockaddr_in *)address;
4426 snum = ntohs(addr4->sin_port);
4427 addrp = (char *)&addr4->sin_addr.s_addr;
4428 } else {
4429 if (addrlen < SIN6_LEN_RFC2133) {
4430 err = -EINVAL;
4431 goto out;
4432 }
4433 addr6 = (struct sockaddr_in6 *)address;
4434 snum = ntohs(addr6->sin6_port);
4435 addrp = (char *)&addr6->sin6_addr.s6_addr;
4436 }
4437
4438 if (snum) {
4439 int low, high;
4440
4441 inet_get_local_port_range(sock_net(sk), &low, &high);
4442
4443 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4444 snum > high) {
4445 err = sel_netport_sid(sk->sk_protocol,
4446 snum, &sid);
4447 if (err)
4448 goto out;
4449 ad.type = LSM_AUDIT_DATA_NET;
4450 ad.u.net = &net;
4451 ad.u.net->sport = htons(snum);
4452 ad.u.net->family = family;
4453 err = avc_has_perm(sksec->sid, sid,
4454 sksec->sclass,
4455 SOCKET__NAME_BIND, &ad);
4456 if (err)
4457 goto out;
4458 }
4459 }
4460
4461 switch (sksec->sclass) {
4462 case SECCLASS_TCP_SOCKET:
4463 node_perm = TCP_SOCKET__NODE_BIND;
4464 break;
4465
4466 case SECCLASS_UDP_SOCKET:
4467 node_perm = UDP_SOCKET__NODE_BIND;
4468 break;
4469
4470 case SECCLASS_DCCP_SOCKET:
4471 node_perm = DCCP_SOCKET__NODE_BIND;
4472 break;
4473
4474 default:
4475 node_perm = RAWIP_SOCKET__NODE_BIND;
4476 break;
4477 }
4478
4479 err = sel_netnode_sid(addrp, family, &sid);
4480 if (err)
4481 goto out;
4482
4483 ad.type = LSM_AUDIT_DATA_NET;
4484 ad.u.net = &net;
4485 ad.u.net->sport = htons(snum);
4486 ad.u.net->family = family;
4487
4488 if (family == PF_INET)
4489 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4490 else
4491 ad.u.net->v6info.saddr = addr6->sin6_addr;
4492
4493 err = avc_has_perm(sksec->sid, sid,
4494 sksec->sclass, node_perm, &ad);
4495 if (err)
4496 goto out;
4497 }
4498 out:
4499 return err;
4500 }
4501
4502 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4503 {
4504 struct sock *sk = sock->sk;
4505 struct sk_security_struct *sksec = sk->sk_security;
4506 int err;
4507
4508 err = sock_has_perm(sk, SOCKET__CONNECT);
4509 if (err)
4510 return err;
4511
4512 /*
4513 * If a TCP or DCCP socket, check name_connect permission for the port.
4514 */
4515 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4516 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4517 struct common_audit_data ad;
4518 struct lsm_network_audit net = {0,};
4519 struct sockaddr_in *addr4 = NULL;
4520 struct sockaddr_in6 *addr6 = NULL;
4521 unsigned short snum;
4522 u32 sid, perm;
4523
4524 if (sk->sk_family == PF_INET) {
4525 addr4 = (struct sockaddr_in *)address;
4526 if (addrlen < sizeof(struct sockaddr_in))
4527 return -EINVAL;
4528 snum = ntohs(addr4->sin_port);
4529 } else {
4530 addr6 = (struct sockaddr_in6 *)address;
4531 if (addrlen < SIN6_LEN_RFC2133)
4532 return -EINVAL;
4533 snum = ntohs(addr6->sin6_port);
4534 }
4535
4536 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4537 if (err)
4538 goto out;
4539
4540 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4541 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4542
4543 ad.type = LSM_AUDIT_DATA_NET;
4544 ad.u.net = &net;
4545 ad.u.net->dport = htons(snum);
4546 ad.u.net->family = sk->sk_family;
4547 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4548 if (err)
4549 goto out;
4550 }
4551
4552 err = selinux_netlbl_socket_connect(sk, address);
4553
4554 out:
4555 return err;
4556 }
4557
4558 static int selinux_socket_listen(struct socket *sock, int backlog)
4559 {
4560 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4561 }
4562
4563 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4564 {
4565 int err;
4566 struct inode_security_struct *isec;
4567 struct inode_security_struct *newisec;
4568 u16 sclass;
4569 u32 sid;
4570
4571 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4572 if (err)
4573 return err;
4574
4575 isec = inode_security_novalidate(SOCK_INODE(sock));
4576 spin_lock(&isec->lock);
4577 sclass = isec->sclass;
4578 sid = isec->sid;
4579 spin_unlock(&isec->lock);
4580
4581 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4582 newisec->sclass = sclass;
4583 newisec->sid = sid;
4584 newisec->initialized = LABEL_INITIALIZED;
4585
4586 return 0;
4587 }
4588
4589 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4590 int size)
4591 {
4592 return sock_has_perm(sock->sk, SOCKET__WRITE);
4593 }
4594
4595 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4596 int size, int flags)
4597 {
4598 return sock_has_perm(sock->sk, SOCKET__READ);
4599 }
4600
4601 static int selinux_socket_getsockname(struct socket *sock)
4602 {
4603 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4604 }
4605
4606 static int selinux_socket_getpeername(struct socket *sock)
4607 {
4608 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4609 }
4610
4611 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4612 {
4613 int err;
4614
4615 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4616 if (err)
4617 return err;
4618
4619 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4620 }
4621
4622 static int selinux_socket_getsockopt(struct socket *sock, int level,
4623 int optname)
4624 {
4625 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4626 }
4627
4628 static int selinux_socket_shutdown(struct socket *sock, int how)
4629 {
4630 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4631 }
4632
4633 static int selinux_socket_unix_stream_connect(struct sock *sock,
4634 struct sock *other,
4635 struct sock *newsk)
4636 {
4637 struct sk_security_struct *sksec_sock = sock->sk_security;
4638 struct sk_security_struct *sksec_other = other->sk_security;
4639 struct sk_security_struct *sksec_new = newsk->sk_security;
4640 struct common_audit_data ad;
4641 struct lsm_network_audit net = {0,};
4642 int err;
4643
4644 ad.type = LSM_AUDIT_DATA_NET;
4645 ad.u.net = &net;
4646 ad.u.net->sk = other;
4647
4648 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4649 sksec_other->sclass,
4650 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4651 if (err)
4652 return err;
4653
4654 /* server child socket */
4655 sksec_new->peer_sid = sksec_sock->sid;
4656 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4657 &sksec_new->sid);
4658 if (err)
4659 return err;
4660
4661 /* connecting socket */
4662 sksec_sock->peer_sid = sksec_new->sid;
4663
4664 return 0;
4665 }
4666
4667 static int selinux_socket_unix_may_send(struct socket *sock,
4668 struct socket *other)
4669 {
4670 struct sk_security_struct *ssec = sock->sk->sk_security;
4671 struct sk_security_struct *osec = other->sk->sk_security;
4672 struct common_audit_data ad;
4673 struct lsm_network_audit net = {0,};
4674
4675 ad.type = LSM_AUDIT_DATA_NET;
4676 ad.u.net = &net;
4677 ad.u.net->sk = other->sk;
4678
4679 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4680 &ad);
4681 }
4682
4683 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4684 char *addrp, u16 family, u32 peer_sid,
4685 struct common_audit_data *ad)
4686 {
4687 int err;
4688 u32 if_sid;
4689 u32 node_sid;
4690
4691 err = sel_netif_sid(ns, ifindex, &if_sid);
4692 if (err)
4693 return err;
4694 err = avc_has_perm(peer_sid, if_sid,
4695 SECCLASS_NETIF, NETIF__INGRESS, ad);
4696 if (err)
4697 return err;
4698
4699 err = sel_netnode_sid(addrp, family, &node_sid);
4700 if (err)
4701 return err;
4702 return avc_has_perm(peer_sid, node_sid,
4703 SECCLASS_NODE, NODE__RECVFROM, ad);
4704 }
4705
4706 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4707 u16 family)
4708 {
4709 int err = 0;
4710 struct sk_security_struct *sksec = sk->sk_security;
4711 u32 sk_sid = sksec->sid;
4712 struct common_audit_data ad;
4713 struct lsm_network_audit net = {0,};
4714 char *addrp;
4715
4716 ad.type = LSM_AUDIT_DATA_NET;
4717 ad.u.net = &net;
4718 ad.u.net->netif = skb->skb_iif;
4719 ad.u.net->family = family;
4720 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4721 if (err)
4722 return err;
4723
4724 if (selinux_secmark_enabled()) {
4725 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4726 PACKET__RECV, &ad);
4727 if (err)
4728 return err;
4729 }
4730
4731 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4732 if (err)
4733 return err;
4734 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4735
4736 return err;
4737 }
4738
4739 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4740 {
4741 int err;
4742 struct sk_security_struct *sksec = sk->sk_security;
4743 u16 family = sk->sk_family;
4744 u32 sk_sid = sksec->sid;
4745 struct common_audit_data ad;
4746 struct lsm_network_audit net = {0,};
4747 char *addrp;
4748 u8 secmark_active;
4749 u8 peerlbl_active;
4750
4751 if (family != PF_INET && family != PF_INET6)
4752 return 0;
4753
4754 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4755 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4756 family = PF_INET;
4757
4758 /* If any sort of compatibility mode is enabled then handoff processing
4759 * to the selinux_sock_rcv_skb_compat() function to deal with the
4760 * special handling. We do this in an attempt to keep this function
4761 * as fast and as clean as possible. */
4762 if (!selinux_policycap_netpeer)
4763 return selinux_sock_rcv_skb_compat(sk, skb, family);
4764
4765 secmark_active = selinux_secmark_enabled();
4766 peerlbl_active = selinux_peerlbl_enabled();
4767 if (!secmark_active && !peerlbl_active)
4768 return 0;
4769
4770 ad.type = LSM_AUDIT_DATA_NET;
4771 ad.u.net = &net;
4772 ad.u.net->netif = skb->skb_iif;
4773 ad.u.net->family = family;
4774 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4775 if (err)
4776 return err;
4777
4778 if (peerlbl_active) {
4779 u32 peer_sid;
4780
4781 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4782 if (err)
4783 return err;
4784 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4785 addrp, family, peer_sid, &ad);
4786 if (err) {
4787 selinux_netlbl_err(skb, family, err, 0);
4788 return err;
4789 }
4790 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4791 PEER__RECV, &ad);
4792 if (err) {
4793 selinux_netlbl_err(skb, family, err, 0);
4794 return err;
4795 }
4796 }
4797
4798 if (secmark_active) {
4799 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4800 PACKET__RECV, &ad);
4801 if (err)
4802 return err;
4803 }
4804
4805 return err;
4806 }
4807
4808 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4809 int __user *optlen, unsigned len)
4810 {
4811 int err = 0;
4812 char *scontext;
4813 u32 scontext_len;
4814 struct sk_security_struct *sksec = sock->sk->sk_security;
4815 u32 peer_sid = SECSID_NULL;
4816
4817 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4818 sksec->sclass == SECCLASS_TCP_SOCKET)
4819 peer_sid = sksec->peer_sid;
4820 if (peer_sid == SECSID_NULL)
4821 return -ENOPROTOOPT;
4822
4823 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4824 if (err)
4825 return err;
4826
4827 if (scontext_len > len) {
4828 err = -ERANGE;
4829 goto out_len;
4830 }
4831
4832 if (copy_to_user(optval, scontext, scontext_len))
4833 err = -EFAULT;
4834
4835 out_len:
4836 if (put_user(scontext_len, optlen))
4837 err = -EFAULT;
4838 kfree(scontext);
4839 return err;
4840 }
4841
4842 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4843 {
4844 u32 peer_secid = SECSID_NULL;
4845 u16 family;
4846 struct inode_security_struct *isec;
4847
4848 if (skb && skb->protocol == htons(ETH_P_IP))
4849 family = PF_INET;
4850 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4851 family = PF_INET6;
4852 else if (sock)
4853 family = sock->sk->sk_family;
4854 else
4855 goto out;
4856
4857 if (sock && family == PF_UNIX) {
4858 isec = inode_security_novalidate(SOCK_INODE(sock));
4859 peer_secid = isec->sid;
4860 } else if (skb)
4861 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4862
4863 out:
4864 *secid = peer_secid;
4865 if (peer_secid == SECSID_NULL)
4866 return -EINVAL;
4867 return 0;
4868 }
4869
4870 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4871 {
4872 struct sk_security_struct *sksec;
4873
4874 sksec = kzalloc(sizeof(*sksec), priority);
4875 if (!sksec)
4876 return -ENOMEM;
4877
4878 sksec->peer_sid = SECINITSID_UNLABELED;
4879 sksec->sid = SECINITSID_UNLABELED;
4880 sksec->sclass = SECCLASS_SOCKET;
4881 selinux_netlbl_sk_security_reset(sksec);
4882 sk->sk_security = sksec;
4883
4884 return 0;
4885 }
4886
4887 static void selinux_sk_free_security(struct sock *sk)
4888 {
4889 struct sk_security_struct *sksec = sk->sk_security;
4890
4891 sk->sk_security = NULL;
4892 selinux_netlbl_sk_security_free(sksec);
4893 kfree(sksec);
4894 }
4895
4896 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4897 {
4898 struct sk_security_struct *sksec = sk->sk_security;
4899 struct sk_security_struct *newsksec = newsk->sk_security;
4900
4901 newsksec->sid = sksec->sid;
4902 newsksec->peer_sid = sksec->peer_sid;
4903 newsksec->sclass = sksec->sclass;
4904
4905 selinux_netlbl_sk_security_reset(newsksec);
4906 }
4907
4908 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4909 {
4910 if (!sk)
4911 *secid = SECINITSID_ANY_SOCKET;
4912 else {
4913 struct sk_security_struct *sksec = sk->sk_security;
4914
4915 *secid = sksec->sid;
4916 }
4917 }
4918
4919 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4920 {
4921 struct inode_security_struct *isec =
4922 inode_security_novalidate(SOCK_INODE(parent));
4923 struct sk_security_struct *sksec = sk->sk_security;
4924
4925 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4926 sk->sk_family == PF_UNIX)
4927 isec->sid = sksec->sid;
4928 sksec->sclass = isec->sclass;
4929 }
4930
4931 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4932 struct request_sock *req)
4933 {
4934 struct sk_security_struct *sksec = sk->sk_security;
4935 int err;
4936 u16 family = req->rsk_ops->family;
4937 u32 connsid;
4938 u32 peersid;
4939
4940 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4941 if (err)
4942 return err;
4943 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4944 if (err)
4945 return err;
4946 req->secid = connsid;
4947 req->peer_secid = peersid;
4948
4949 return selinux_netlbl_inet_conn_request(req, family);
4950 }
4951
4952 static void selinux_inet_csk_clone(struct sock *newsk,
4953 const struct request_sock *req)
4954 {
4955 struct sk_security_struct *newsksec = newsk->sk_security;
4956
4957 newsksec->sid = req->secid;
4958 newsksec->peer_sid = req->peer_secid;
4959 /* NOTE: Ideally, we should also get the isec->sid for the
4960 new socket in sync, but we don't have the isec available yet.
4961 So we will wait until sock_graft to do it, by which
4962 time it will have been created and available. */
4963
4964 /* We don't need to take any sort of lock here as we are the only
4965 * thread with access to newsksec */
4966 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4967 }
4968
4969 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4970 {
4971 u16 family = sk->sk_family;
4972 struct sk_security_struct *sksec = sk->sk_security;
4973
4974 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4975 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4976 family = PF_INET;
4977
4978 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4979 }
4980
4981 static int selinux_secmark_relabel_packet(u32 sid)
4982 {
4983 const struct task_security_struct *__tsec;
4984 u32 tsid;
4985
4986 __tsec = current_security();
4987 tsid = __tsec->sid;
4988
4989 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4990 }
4991
4992 static void selinux_secmark_refcount_inc(void)
4993 {
4994 atomic_inc(&selinux_secmark_refcount);
4995 }
4996
4997 static void selinux_secmark_refcount_dec(void)
4998 {
4999 atomic_dec(&selinux_secmark_refcount);
5000 }
5001
5002 static void selinux_req_classify_flow(const struct request_sock *req,
5003 struct flowi *fl)
5004 {
5005 fl->flowi_secid = req->secid;
5006 }
5007
5008 static int selinux_tun_dev_alloc_security(void **security)
5009 {
5010 struct tun_security_struct *tunsec;
5011
5012 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5013 if (!tunsec)
5014 return -ENOMEM;
5015 tunsec->sid = current_sid();
5016
5017 *security = tunsec;
5018 return 0;
5019 }
5020
5021 static void selinux_tun_dev_free_security(void *security)
5022 {
5023 kfree(security);
5024 }
5025
5026 static int selinux_tun_dev_create(void)
5027 {
5028 u32 sid = current_sid();
5029
5030 /* we aren't taking into account the "sockcreate" SID since the socket
5031 * that is being created here is not a socket in the traditional sense,
5032 * instead it is a private sock, accessible only to the kernel, and
5033 * representing a wide range of network traffic spanning multiple
5034 * connections unlike traditional sockets - check the TUN driver to
5035 * get a better understanding of why this socket is special */
5036
5037 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5038 NULL);
5039 }
5040
5041 static int selinux_tun_dev_attach_queue(void *security)
5042 {
5043 struct tun_security_struct *tunsec = security;
5044
5045 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5046 TUN_SOCKET__ATTACH_QUEUE, NULL);
5047 }
5048
5049 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5050 {
5051 struct tun_security_struct *tunsec = security;
5052 struct sk_security_struct *sksec = sk->sk_security;
5053
5054 /* we don't currently perform any NetLabel based labeling here and it
5055 * isn't clear that we would want to do so anyway; while we could apply
5056 * labeling without the support of the TUN user the resulting labeled
5057 * traffic from the other end of the connection would almost certainly
5058 * cause confusion to the TUN user that had no idea network labeling
5059 * protocols were being used */
5060
5061 sksec->sid = tunsec->sid;
5062 sksec->sclass = SECCLASS_TUN_SOCKET;
5063
5064 return 0;
5065 }
5066
5067 static int selinux_tun_dev_open(void *security)
5068 {
5069 struct tun_security_struct *tunsec = security;
5070 u32 sid = current_sid();
5071 int err;
5072
5073 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5074 TUN_SOCKET__RELABELFROM, NULL);
5075 if (err)
5076 return err;
5077 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5078 TUN_SOCKET__RELABELTO, NULL);
5079 if (err)
5080 return err;
5081 tunsec->sid = sid;
5082
5083 return 0;
5084 }
5085
5086 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5087 {
5088 int err = 0;
5089 u32 perm;
5090 struct nlmsghdr *nlh;
5091 struct sk_security_struct *sksec = sk->sk_security;
5092
5093 if (skb->len < NLMSG_HDRLEN) {
5094 err = -EINVAL;
5095 goto out;
5096 }
5097 nlh = nlmsg_hdr(skb);
5098
5099 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5100 if (err) {
5101 if (err == -EINVAL) {
5102 pr_warn_ratelimited("SELinux: unrecognized netlink"
5103 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5104 " pig=%d comm=%s\n",
5105 sk->sk_protocol, nlh->nlmsg_type,
5106 secclass_map[sksec->sclass - 1].name,
5107 task_pid_nr(current), current->comm);
5108 if (!selinux_enforcing || security_get_allow_unknown())
5109 err = 0;
5110 }
5111
5112 /* Ignore */
5113 if (err == -ENOENT)
5114 err = 0;
5115 goto out;
5116 }
5117
5118 err = sock_has_perm(sk, perm);
5119 out:
5120 return err;
5121 }
5122
5123 #ifdef CONFIG_NETFILTER
5124
5125 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5126 const struct net_device *indev,
5127 u16 family)
5128 {
5129 int err;
5130 char *addrp;
5131 u32 peer_sid;
5132 struct common_audit_data ad;
5133 struct lsm_network_audit net = {0,};
5134 u8 secmark_active;
5135 u8 netlbl_active;
5136 u8 peerlbl_active;
5137
5138 if (!selinux_policycap_netpeer)
5139 return NF_ACCEPT;
5140
5141 secmark_active = selinux_secmark_enabled();
5142 netlbl_active = netlbl_enabled();
5143 peerlbl_active = selinux_peerlbl_enabled();
5144 if (!secmark_active && !peerlbl_active)
5145 return NF_ACCEPT;
5146
5147 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5148 return NF_DROP;
5149
5150 ad.type = LSM_AUDIT_DATA_NET;
5151 ad.u.net = &net;
5152 ad.u.net->netif = indev->ifindex;
5153 ad.u.net->family = family;
5154 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5155 return NF_DROP;
5156
5157 if (peerlbl_active) {
5158 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5159 addrp, family, peer_sid, &ad);
5160 if (err) {
5161 selinux_netlbl_err(skb, family, err, 1);
5162 return NF_DROP;
5163 }
5164 }
5165
5166 if (secmark_active)
5167 if (avc_has_perm(peer_sid, skb->secmark,
5168 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5169 return NF_DROP;
5170
5171 if (netlbl_active)
5172 /* we do this in the FORWARD path and not the POST_ROUTING
5173 * path because we want to make sure we apply the necessary
5174 * labeling before IPsec is applied so we can leverage AH
5175 * protection */
5176 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5177 return NF_DROP;
5178
5179 return NF_ACCEPT;
5180 }
5181
5182 static unsigned int selinux_ipv4_forward(void *priv,
5183 struct sk_buff *skb,
5184 const struct nf_hook_state *state)
5185 {
5186 return selinux_ip_forward(skb, state->in, PF_INET);
5187 }
5188
5189 #if IS_ENABLED(CONFIG_IPV6)
5190 static unsigned int selinux_ipv6_forward(void *priv,
5191 struct sk_buff *skb,
5192 const struct nf_hook_state *state)
5193 {
5194 return selinux_ip_forward(skb, state->in, PF_INET6);
5195 }
5196 #endif /* IPV6 */
5197
5198 static unsigned int selinux_ip_output(struct sk_buff *skb,
5199 u16 family)
5200 {
5201 struct sock *sk;
5202 u32 sid;
5203
5204 if (!netlbl_enabled())
5205 return NF_ACCEPT;
5206
5207 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5208 * because we want to make sure we apply the necessary labeling
5209 * before IPsec is applied so we can leverage AH protection */
5210 sk = skb->sk;
5211 if (sk) {
5212 struct sk_security_struct *sksec;
5213
5214 if (sk_listener(sk))
5215 /* if the socket is the listening state then this
5216 * packet is a SYN-ACK packet which means it needs to
5217 * be labeled based on the connection/request_sock and
5218 * not the parent socket. unfortunately, we can't
5219 * lookup the request_sock yet as it isn't queued on
5220 * the parent socket until after the SYN-ACK is sent.
5221 * the "solution" is to simply pass the packet as-is
5222 * as any IP option based labeling should be copied
5223 * from the initial connection request (in the IP
5224 * layer). it is far from ideal, but until we get a
5225 * security label in the packet itself this is the
5226 * best we can do. */
5227 return NF_ACCEPT;
5228
5229 /* standard practice, label using the parent socket */
5230 sksec = sk->sk_security;
5231 sid = sksec->sid;
5232 } else
5233 sid = SECINITSID_KERNEL;
5234 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5235 return NF_DROP;
5236
5237 return NF_ACCEPT;
5238 }
5239
5240 static unsigned int selinux_ipv4_output(void *priv,
5241 struct sk_buff *skb,
5242 const struct nf_hook_state *state)
5243 {
5244 return selinux_ip_output(skb, PF_INET);
5245 }
5246
5247 #if IS_ENABLED(CONFIG_IPV6)
5248 static unsigned int selinux_ipv6_output(void *priv,
5249 struct sk_buff *skb,
5250 const struct nf_hook_state *state)
5251 {
5252 return selinux_ip_output(skb, PF_INET6);
5253 }
5254 #endif /* IPV6 */
5255
5256 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5257 int ifindex,
5258 u16 family)
5259 {
5260 struct sock *sk = skb_to_full_sk(skb);
5261 struct sk_security_struct *sksec;
5262 struct common_audit_data ad;
5263 struct lsm_network_audit net = {0,};
5264 char *addrp;
5265 u8 proto;
5266
5267 if (sk == NULL)
5268 return NF_ACCEPT;
5269 sksec = sk->sk_security;
5270
5271 ad.type = LSM_AUDIT_DATA_NET;
5272 ad.u.net = &net;
5273 ad.u.net->netif = ifindex;
5274 ad.u.net->family = family;
5275 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5276 return NF_DROP;
5277
5278 if (selinux_secmark_enabled())
5279 if (avc_has_perm(sksec->sid, skb->secmark,
5280 SECCLASS_PACKET, PACKET__SEND, &ad))
5281 return NF_DROP_ERR(-ECONNREFUSED);
5282
5283 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5284 return NF_DROP_ERR(-ECONNREFUSED);
5285
5286 return NF_ACCEPT;
5287 }
5288
5289 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5290 const struct net_device *outdev,
5291 u16 family)
5292 {
5293 u32 secmark_perm;
5294 u32 peer_sid;
5295 int ifindex = outdev->ifindex;
5296 struct sock *sk;
5297 struct common_audit_data ad;
5298 struct lsm_network_audit net = {0,};
5299 char *addrp;
5300 u8 secmark_active;
5301 u8 peerlbl_active;
5302
5303 /* If any sort of compatibility mode is enabled then handoff processing
5304 * to the selinux_ip_postroute_compat() function to deal with the
5305 * special handling. We do this in an attempt to keep this function
5306 * as fast and as clean as possible. */
5307 if (!selinux_policycap_netpeer)
5308 return selinux_ip_postroute_compat(skb, ifindex, family);
5309
5310 secmark_active = selinux_secmark_enabled();
5311 peerlbl_active = selinux_peerlbl_enabled();
5312 if (!secmark_active && !peerlbl_active)
5313 return NF_ACCEPT;
5314
5315 sk = skb_to_full_sk(skb);
5316
5317 #ifdef CONFIG_XFRM
5318 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5319 * packet transformation so allow the packet to pass without any checks
5320 * since we'll have another chance to perform access control checks
5321 * when the packet is on it's final way out.
5322 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5323 * is NULL, in this case go ahead and apply access control.
5324 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5325 * TCP listening state we cannot wait until the XFRM processing
5326 * is done as we will miss out on the SA label if we do;
5327 * unfortunately, this means more work, but it is only once per
5328 * connection. */
5329 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5330 !(sk && sk_listener(sk)))
5331 return NF_ACCEPT;
5332 #endif
5333
5334 if (sk == NULL) {
5335 /* Without an associated socket the packet is either coming
5336 * from the kernel or it is being forwarded; check the packet
5337 * to determine which and if the packet is being forwarded
5338 * query the packet directly to determine the security label. */
5339 if (skb->skb_iif) {
5340 secmark_perm = PACKET__FORWARD_OUT;
5341 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5342 return NF_DROP;
5343 } else {
5344 secmark_perm = PACKET__SEND;
5345 peer_sid = SECINITSID_KERNEL;
5346 }
5347 } else if (sk_listener(sk)) {
5348 /* Locally generated packet but the associated socket is in the
5349 * listening state which means this is a SYN-ACK packet. In
5350 * this particular case the correct security label is assigned
5351 * to the connection/request_sock but unfortunately we can't
5352 * query the request_sock as it isn't queued on the parent
5353 * socket until after the SYN-ACK packet is sent; the only
5354 * viable choice is to regenerate the label like we do in
5355 * selinux_inet_conn_request(). See also selinux_ip_output()
5356 * for similar problems. */
5357 u32 skb_sid;
5358 struct sk_security_struct *sksec;
5359
5360 sksec = sk->sk_security;
5361 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5362 return NF_DROP;
5363 /* At this point, if the returned skb peerlbl is SECSID_NULL
5364 * and the packet has been through at least one XFRM
5365 * transformation then we must be dealing with the "final"
5366 * form of labeled IPsec packet; since we've already applied
5367 * all of our access controls on this packet we can safely
5368 * pass the packet. */
5369 if (skb_sid == SECSID_NULL) {
5370 switch (family) {
5371 case PF_INET:
5372 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5373 return NF_ACCEPT;
5374 break;
5375 case PF_INET6:
5376 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5377 return NF_ACCEPT;
5378 break;
5379 default:
5380 return NF_DROP_ERR(-ECONNREFUSED);
5381 }
5382 }
5383 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5384 return NF_DROP;
5385 secmark_perm = PACKET__SEND;
5386 } else {
5387 /* Locally generated packet, fetch the security label from the
5388 * associated socket. */
5389 struct sk_security_struct *sksec = sk->sk_security;
5390 peer_sid = sksec->sid;
5391 secmark_perm = PACKET__SEND;
5392 }
5393
5394 ad.type = LSM_AUDIT_DATA_NET;
5395 ad.u.net = &net;
5396 ad.u.net->netif = ifindex;
5397 ad.u.net->family = family;
5398 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5399 return NF_DROP;
5400
5401 if (secmark_active)
5402 if (avc_has_perm(peer_sid, skb->secmark,
5403 SECCLASS_PACKET, secmark_perm, &ad))
5404 return NF_DROP_ERR(-ECONNREFUSED);
5405
5406 if (peerlbl_active) {
5407 u32 if_sid;
5408 u32 node_sid;
5409
5410 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5411 return NF_DROP;
5412 if (avc_has_perm(peer_sid, if_sid,
5413 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5414 return NF_DROP_ERR(-ECONNREFUSED);
5415
5416 if (sel_netnode_sid(addrp, family, &node_sid))
5417 return NF_DROP;
5418 if (avc_has_perm(peer_sid, node_sid,
5419 SECCLASS_NODE, NODE__SENDTO, &ad))
5420 return NF_DROP_ERR(-ECONNREFUSED);
5421 }
5422
5423 return NF_ACCEPT;
5424 }
5425
5426 static unsigned int selinux_ipv4_postroute(void *priv,
5427 struct sk_buff *skb,
5428 const struct nf_hook_state *state)
5429 {
5430 return selinux_ip_postroute(skb, state->out, PF_INET);
5431 }
5432
5433 #if IS_ENABLED(CONFIG_IPV6)
5434 static unsigned int selinux_ipv6_postroute(void *priv,
5435 struct sk_buff *skb,
5436 const struct nf_hook_state *state)
5437 {
5438 return selinux_ip_postroute(skb, state->out, PF_INET6);
5439 }
5440 #endif /* IPV6 */
5441
5442 #endif /* CONFIG_NETFILTER */
5443
5444 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5445 {
5446 return selinux_nlmsg_perm(sk, skb);
5447 }
5448
5449 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5450 u16 sclass)
5451 {
5452 struct ipc_security_struct *isec;
5453
5454 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5455 if (!isec)
5456 return -ENOMEM;
5457
5458 isec->sclass = sclass;
5459 isec->sid = current_sid();
5460 perm->security = isec;
5461
5462 return 0;
5463 }
5464
5465 static void ipc_free_security(struct kern_ipc_perm *perm)
5466 {
5467 struct ipc_security_struct *isec = perm->security;
5468 perm->security = NULL;
5469 kfree(isec);
5470 }
5471
5472 static int msg_msg_alloc_security(struct msg_msg *msg)
5473 {
5474 struct msg_security_struct *msec;
5475
5476 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5477 if (!msec)
5478 return -ENOMEM;
5479
5480 msec->sid = SECINITSID_UNLABELED;
5481 msg->security = msec;
5482
5483 return 0;
5484 }
5485
5486 static void msg_msg_free_security(struct msg_msg *msg)
5487 {
5488 struct msg_security_struct *msec = msg->security;
5489
5490 msg->security = NULL;
5491 kfree(msec);
5492 }
5493
5494 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5495 u32 perms)
5496 {
5497 struct ipc_security_struct *isec;
5498 struct common_audit_data ad;
5499 u32 sid = current_sid();
5500
5501 isec = ipc_perms->security;
5502
5503 ad.type = LSM_AUDIT_DATA_IPC;
5504 ad.u.ipc_id = ipc_perms->key;
5505
5506 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5507 }
5508
5509 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5510 {
5511 return msg_msg_alloc_security(msg);
5512 }
5513
5514 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5515 {
5516 msg_msg_free_security(msg);
5517 }
5518
5519 /* message queue security operations */
5520 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5521 {
5522 struct ipc_security_struct *isec;
5523 struct common_audit_data ad;
5524 u32 sid = current_sid();
5525 int rc;
5526
5527 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
5528 if (rc)
5529 return rc;
5530
5531 isec = msq->q_perm.security;
5532
5533 ad.type = LSM_AUDIT_DATA_IPC;
5534 ad.u.ipc_id = msq->q_perm.key;
5535
5536 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5537 MSGQ__CREATE, &ad);
5538 if (rc) {
5539 ipc_free_security(&msq->q_perm);
5540 return rc;
5541 }
5542 return 0;
5543 }
5544
5545 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5546 {
5547 ipc_free_security(&msq->q_perm);
5548 }
5549
5550 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5551 {
5552 struct ipc_security_struct *isec;
5553 struct common_audit_data ad;
5554 u32 sid = current_sid();
5555
5556 isec = msq->q_perm.security;
5557
5558 ad.type = LSM_AUDIT_DATA_IPC;
5559 ad.u.ipc_id = msq->q_perm.key;
5560
5561 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5562 MSGQ__ASSOCIATE, &ad);
5563 }
5564
5565 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5566 {
5567 int err;
5568 int perms;
5569
5570 switch (cmd) {
5571 case IPC_INFO:
5572 case MSG_INFO:
5573 /* No specific object, just general system-wide information. */
5574 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5575 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5576 case IPC_STAT:
5577 case MSG_STAT:
5578 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5579 break;
5580 case IPC_SET:
5581 perms = MSGQ__SETATTR;
5582 break;
5583 case IPC_RMID:
5584 perms = MSGQ__DESTROY;
5585 break;
5586 default:
5587 return 0;
5588 }
5589
5590 err = ipc_has_perm(&msq->q_perm, perms);
5591 return err;
5592 }
5593
5594 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5595 {
5596 struct ipc_security_struct *isec;
5597 struct msg_security_struct *msec;
5598 struct common_audit_data ad;
5599 u32 sid = current_sid();
5600 int rc;
5601
5602 isec = msq->q_perm.security;
5603 msec = msg->security;
5604
5605 /*
5606 * First time through, need to assign label to the message
5607 */
5608 if (msec->sid == SECINITSID_UNLABELED) {
5609 /*
5610 * Compute new sid based on current process and
5611 * message queue this message will be stored in
5612 */
5613 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5614 NULL, &msec->sid);
5615 if (rc)
5616 return rc;
5617 }
5618
5619 ad.type = LSM_AUDIT_DATA_IPC;
5620 ad.u.ipc_id = msq->q_perm.key;
5621
5622 /* Can this process write to the queue? */
5623 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5624 MSGQ__WRITE, &ad);
5625 if (!rc)
5626 /* Can this process send the message */
5627 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5628 MSG__SEND, &ad);
5629 if (!rc)
5630 /* Can the message be put in the queue? */
5631 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5632 MSGQ__ENQUEUE, &ad);
5633
5634 return rc;
5635 }
5636
5637 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5638 struct task_struct *target,
5639 long type, int mode)
5640 {
5641 struct ipc_security_struct *isec;
5642 struct msg_security_struct *msec;
5643 struct common_audit_data ad;
5644 u32 sid = task_sid(target);
5645 int rc;
5646
5647 isec = msq->q_perm.security;
5648 msec = msg->security;
5649
5650 ad.type = LSM_AUDIT_DATA_IPC;
5651 ad.u.ipc_id = msq->q_perm.key;
5652
5653 rc = avc_has_perm(sid, isec->sid,
5654 SECCLASS_MSGQ, MSGQ__READ, &ad);
5655 if (!rc)
5656 rc = avc_has_perm(sid, msec->sid,
5657 SECCLASS_MSG, MSG__RECEIVE, &ad);
5658 return rc;
5659 }
5660
5661 /* Shared Memory security operations */
5662 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5663 {
5664 struct ipc_security_struct *isec;
5665 struct common_audit_data ad;
5666 u32 sid = current_sid();
5667 int rc;
5668
5669 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
5670 if (rc)
5671 return rc;
5672
5673 isec = shp->shm_perm.security;
5674
5675 ad.type = LSM_AUDIT_DATA_IPC;
5676 ad.u.ipc_id = shp->shm_perm.key;
5677
5678 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5679 SHM__CREATE, &ad);
5680 if (rc) {
5681 ipc_free_security(&shp->shm_perm);
5682 return rc;
5683 }
5684 return 0;
5685 }
5686
5687 static void selinux_shm_free_security(struct shmid_kernel *shp)
5688 {
5689 ipc_free_security(&shp->shm_perm);
5690 }
5691
5692 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5693 {
5694 struct ipc_security_struct *isec;
5695 struct common_audit_data ad;
5696 u32 sid = current_sid();
5697
5698 isec = shp->shm_perm.security;
5699
5700 ad.type = LSM_AUDIT_DATA_IPC;
5701 ad.u.ipc_id = shp->shm_perm.key;
5702
5703 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5704 SHM__ASSOCIATE, &ad);
5705 }
5706
5707 /* Note, at this point, shp is locked down */
5708 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5709 {
5710 int perms;
5711 int err;
5712
5713 switch (cmd) {
5714 case IPC_INFO:
5715 case SHM_INFO:
5716 /* No specific object, just general system-wide information. */
5717 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5718 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5719 case IPC_STAT:
5720 case SHM_STAT:
5721 perms = SHM__GETATTR | SHM__ASSOCIATE;
5722 break;
5723 case IPC_SET:
5724 perms = SHM__SETATTR;
5725 break;
5726 case SHM_LOCK:
5727 case SHM_UNLOCK:
5728 perms = SHM__LOCK;
5729 break;
5730 case IPC_RMID:
5731 perms = SHM__DESTROY;
5732 break;
5733 default:
5734 return 0;
5735 }
5736
5737 err = ipc_has_perm(&shp->shm_perm, perms);
5738 return err;
5739 }
5740
5741 static int selinux_shm_shmat(struct shmid_kernel *shp,
5742 char __user *shmaddr, int shmflg)
5743 {
5744 u32 perms;
5745
5746 if (shmflg & SHM_RDONLY)
5747 perms = SHM__READ;
5748 else
5749 perms = SHM__READ | SHM__WRITE;
5750
5751 return ipc_has_perm(&shp->shm_perm, perms);
5752 }
5753
5754 /* Semaphore security operations */
5755 static int selinux_sem_alloc_security(struct sem_array *sma)
5756 {
5757 struct ipc_security_struct *isec;
5758 struct common_audit_data ad;
5759 u32 sid = current_sid();
5760 int rc;
5761
5762 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
5763 if (rc)
5764 return rc;
5765
5766 isec = sma->sem_perm.security;
5767
5768 ad.type = LSM_AUDIT_DATA_IPC;
5769 ad.u.ipc_id = sma->sem_perm.key;
5770
5771 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5772 SEM__CREATE, &ad);
5773 if (rc) {
5774 ipc_free_security(&sma->sem_perm);
5775 return rc;
5776 }
5777 return 0;
5778 }
5779
5780 static void selinux_sem_free_security(struct sem_array *sma)
5781 {
5782 ipc_free_security(&sma->sem_perm);
5783 }
5784
5785 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5786 {
5787 struct ipc_security_struct *isec;
5788 struct common_audit_data ad;
5789 u32 sid = current_sid();
5790
5791 isec = sma->sem_perm.security;
5792
5793 ad.type = LSM_AUDIT_DATA_IPC;
5794 ad.u.ipc_id = sma->sem_perm.key;
5795
5796 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5797 SEM__ASSOCIATE, &ad);
5798 }
5799
5800 /* Note, at this point, sma is locked down */
5801 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5802 {
5803 int err;
5804 u32 perms;
5805
5806 switch (cmd) {
5807 case IPC_INFO:
5808 case SEM_INFO:
5809 /* No specific object, just general system-wide information. */
5810 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5811 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5812 case GETPID:
5813 case GETNCNT:
5814 case GETZCNT:
5815 perms = SEM__GETATTR;
5816 break;
5817 case GETVAL:
5818 case GETALL:
5819 perms = SEM__READ;
5820 break;
5821 case SETVAL:
5822 case SETALL:
5823 perms = SEM__WRITE;
5824 break;
5825 case IPC_RMID:
5826 perms = SEM__DESTROY;
5827 break;
5828 case IPC_SET:
5829 perms = SEM__SETATTR;
5830 break;
5831 case IPC_STAT:
5832 case SEM_STAT:
5833 perms = SEM__GETATTR | SEM__ASSOCIATE;
5834 break;
5835 default:
5836 return 0;
5837 }
5838
5839 err = ipc_has_perm(&sma->sem_perm, perms);
5840 return err;
5841 }
5842
5843 static int selinux_sem_semop(struct sem_array *sma,
5844 struct sembuf *sops, unsigned nsops, int alter)
5845 {
5846 u32 perms;
5847
5848 if (alter)
5849 perms = SEM__READ | SEM__WRITE;
5850 else
5851 perms = SEM__READ;
5852
5853 return ipc_has_perm(&sma->sem_perm, perms);
5854 }
5855
5856 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5857 {
5858 u32 av = 0;
5859
5860 av = 0;
5861 if (flag & S_IRUGO)
5862 av |= IPC__UNIX_READ;
5863 if (flag & S_IWUGO)
5864 av |= IPC__UNIX_WRITE;
5865
5866 if (av == 0)
5867 return 0;
5868
5869 return ipc_has_perm(ipcp, av);
5870 }
5871
5872 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5873 {
5874 struct ipc_security_struct *isec = ipcp->security;
5875 *secid = isec->sid;
5876 }
5877
5878 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5879 {
5880 if (inode)
5881 inode_doinit_with_dentry(inode, dentry);
5882 }
5883
5884 static int selinux_getprocattr(struct task_struct *p,
5885 char *name, char **value)
5886 {
5887 const struct task_security_struct *__tsec;
5888 u32 sid;
5889 int error;
5890 unsigned len;
5891
5892 rcu_read_lock();
5893 __tsec = __task_cred(p)->security;
5894
5895 if (current != p) {
5896 error = avc_has_perm(current_sid(), __tsec->sid,
5897 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5898 if (error)
5899 goto bad;
5900 }
5901
5902 if (!strcmp(name, "current"))
5903 sid = __tsec->sid;
5904 else if (!strcmp(name, "prev"))
5905 sid = __tsec->osid;
5906 else if (!strcmp(name, "exec"))
5907 sid = __tsec->exec_sid;
5908 else if (!strcmp(name, "fscreate"))
5909 sid = __tsec->create_sid;
5910 else if (!strcmp(name, "keycreate"))
5911 sid = __tsec->keycreate_sid;
5912 else if (!strcmp(name, "sockcreate"))
5913 sid = __tsec->sockcreate_sid;
5914 else {
5915 error = -EINVAL;
5916 goto bad;
5917 }
5918 rcu_read_unlock();
5919
5920 if (!sid)
5921 return 0;
5922
5923 error = security_sid_to_context(sid, value, &len);
5924 if (error)
5925 return error;
5926 return len;
5927
5928 bad:
5929 rcu_read_unlock();
5930 return error;
5931 }
5932
5933 static int selinux_setprocattr(const char *name, void *value, size_t size)
5934 {
5935 struct task_security_struct *tsec;
5936 struct cred *new;
5937 u32 mysid = current_sid(), sid = 0, ptsid;
5938 int error;
5939 char *str = value;
5940
5941 /*
5942 * Basic control over ability to set these attributes at all.
5943 */
5944 if (!strcmp(name, "exec"))
5945 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5946 PROCESS__SETEXEC, NULL);
5947 else if (!strcmp(name, "fscreate"))
5948 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5949 PROCESS__SETFSCREATE, NULL);
5950 else if (!strcmp(name, "keycreate"))
5951 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5952 PROCESS__SETKEYCREATE, NULL);
5953 else if (!strcmp(name, "sockcreate"))
5954 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5955 PROCESS__SETSOCKCREATE, NULL);
5956 else if (!strcmp(name, "current"))
5957 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5958 PROCESS__SETCURRENT, NULL);
5959 else
5960 error = -EINVAL;
5961 if (error)
5962 return error;
5963
5964 /* Obtain a SID for the context, if one was specified. */
5965 if (size && str[0] && str[0] != '\n') {
5966 if (str[size-1] == '\n') {
5967 str[size-1] = 0;
5968 size--;
5969 }
5970 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5971 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5972 if (!has_cap_mac_admin(true)) {
5973 struct audit_buffer *ab;
5974 size_t audit_size;
5975
5976 /* We strip a nul only if it is at the end, otherwise the
5977 * context contains a nul and we should audit that */
5978 if (str[size - 1] == '\0')
5979 audit_size = size - 1;
5980 else
5981 audit_size = size;
5982 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5983 audit_log_format(ab, "op=fscreate invalid_context=");
5984 audit_log_n_untrustedstring(ab, value, audit_size);
5985 audit_log_end(ab);
5986
5987 return error;
5988 }
5989 error = security_context_to_sid_force(value, size,
5990 &sid);
5991 }
5992 if (error)
5993 return error;
5994 }
5995
5996 new = prepare_creds();
5997 if (!new)
5998 return -ENOMEM;
5999
6000 /* Permission checking based on the specified context is
6001 performed during the actual operation (execve,
6002 open/mkdir/...), when we know the full context of the
6003 operation. See selinux_bprm_set_creds for the execve
6004 checks and may_create for the file creation checks. The
6005 operation will then fail if the context is not permitted. */
6006 tsec = new->security;
6007 if (!strcmp(name, "exec")) {
6008 tsec->exec_sid = sid;
6009 } else if (!strcmp(name, "fscreate")) {
6010 tsec->create_sid = sid;
6011 } else if (!strcmp(name, "keycreate")) {
6012 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
6013 NULL);
6014 if (error)
6015 goto abort_change;
6016 tsec->keycreate_sid = sid;
6017 } else if (!strcmp(name, "sockcreate")) {
6018 tsec->sockcreate_sid = sid;
6019 } else if (!strcmp(name, "current")) {
6020 error = -EINVAL;
6021 if (sid == 0)
6022 goto abort_change;
6023
6024 /* Only allow single threaded processes to change context */
6025 error = -EPERM;
6026 if (!current_is_single_threaded()) {
6027 error = security_bounded_transition(tsec->sid, sid);
6028 if (error)
6029 goto abort_change;
6030 }
6031
6032 /* Check permissions for the transition. */
6033 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6034 PROCESS__DYNTRANSITION, NULL);
6035 if (error)
6036 goto abort_change;
6037
6038 /* Check for ptracing, and update the task SID if ok.
6039 Otherwise, leave SID unchanged and fail. */
6040 ptsid = ptrace_parent_sid();
6041 if (ptsid != 0) {
6042 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6043 PROCESS__PTRACE, NULL);
6044 if (error)
6045 goto abort_change;
6046 }
6047
6048 tsec->sid = sid;
6049 } else {
6050 error = -EINVAL;
6051 goto abort_change;
6052 }
6053
6054 commit_creds(new);
6055 return size;
6056
6057 abort_change:
6058 abort_creds(new);
6059 return error;
6060 }
6061
6062 static int selinux_ismaclabel(const char *name)
6063 {
6064 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6065 }
6066
6067 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6068 {
6069 return security_sid_to_context(secid, secdata, seclen);
6070 }
6071
6072 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6073 {
6074 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
6075 }
6076
6077 static void selinux_release_secctx(char *secdata, u32 seclen)
6078 {
6079 kfree(secdata);
6080 }
6081
6082 static void selinux_inode_invalidate_secctx(struct inode *inode)
6083 {
6084 struct inode_security_struct *isec = inode->i_security;
6085
6086 spin_lock(&isec->lock);
6087 isec->initialized = LABEL_INVALID;
6088 spin_unlock(&isec->lock);
6089 }
6090
6091 /*
6092 * called with inode->i_mutex locked
6093 */
6094 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6095 {
6096 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6097 }
6098
6099 /*
6100 * called with inode->i_mutex locked
6101 */
6102 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6103 {
6104 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6105 }
6106
6107 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6108 {
6109 int len = 0;
6110 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6111 ctx, true);
6112 if (len < 0)
6113 return len;
6114 *ctxlen = len;
6115 return 0;
6116 }
6117 #ifdef CONFIG_KEYS
6118
6119 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6120 unsigned long flags)
6121 {
6122 const struct task_security_struct *tsec;
6123 struct key_security_struct *ksec;
6124
6125 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6126 if (!ksec)
6127 return -ENOMEM;
6128
6129 tsec = cred->security;
6130 if (tsec->keycreate_sid)
6131 ksec->sid = tsec->keycreate_sid;
6132 else
6133 ksec->sid = tsec->sid;
6134
6135 k->security = ksec;
6136 return 0;
6137 }
6138
6139 static void selinux_key_free(struct key *k)
6140 {
6141 struct key_security_struct *ksec = k->security;
6142
6143 k->security = NULL;
6144 kfree(ksec);
6145 }
6146
6147 static int selinux_key_permission(key_ref_t key_ref,
6148 const struct cred *cred,
6149 unsigned perm)
6150 {
6151 struct key *key;
6152 struct key_security_struct *ksec;
6153 u32 sid;
6154
6155 /* if no specific permissions are requested, we skip the
6156 permission check. No serious, additional covert channels
6157 appear to be created. */
6158 if (perm == 0)
6159 return 0;
6160
6161 sid = cred_sid(cred);
6162
6163 key = key_ref_to_ptr(key_ref);
6164 ksec = key->security;
6165
6166 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6167 }
6168
6169 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6170 {
6171 struct key_security_struct *ksec = key->security;
6172 char *context = NULL;
6173 unsigned len;
6174 int rc;
6175
6176 rc = security_sid_to_context(ksec->sid, &context, &len);
6177 if (!rc)
6178 rc = len;
6179 *_buffer = context;
6180 return rc;
6181 }
6182 #endif
6183
6184 #ifdef CONFIG_SECURITY_INFINIBAND
6185 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6186 {
6187 struct common_audit_data ad;
6188 int err;
6189 u32 sid = 0;
6190 struct ib_security_struct *sec = ib_sec;
6191 struct lsm_ibpkey_audit ibpkey;
6192
6193 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6194 if (err)
6195 return err;
6196
6197 ad.type = LSM_AUDIT_DATA_IBPKEY;
6198 ibpkey.subnet_prefix = subnet_prefix;
6199 ibpkey.pkey = pkey_val;
6200 ad.u.ibpkey = &ibpkey;
6201 return avc_has_perm(sec->sid, sid,
6202 SECCLASS_INFINIBAND_PKEY,
6203 INFINIBAND_PKEY__ACCESS, &ad);
6204 }
6205
6206 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6207 u8 port_num)
6208 {
6209 struct common_audit_data ad;
6210 int err;
6211 u32 sid = 0;
6212 struct ib_security_struct *sec = ib_sec;
6213 struct lsm_ibendport_audit ibendport;
6214
6215 err = security_ib_endport_sid(dev_name, port_num, &sid);
6216
6217 if (err)
6218 return err;
6219
6220 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6221 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6222 ibendport.port = port_num;
6223 ad.u.ibendport = &ibendport;
6224 return avc_has_perm(sec->sid, sid,
6225 SECCLASS_INFINIBAND_ENDPORT,
6226 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6227 }
6228
6229 static int selinux_ib_alloc_security(void **ib_sec)
6230 {
6231 struct ib_security_struct *sec;
6232
6233 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6234 if (!sec)
6235 return -ENOMEM;
6236 sec->sid = current_sid();
6237
6238 *ib_sec = sec;
6239 return 0;
6240 }
6241
6242 static void selinux_ib_free_security(void *ib_sec)
6243 {
6244 kfree(ib_sec);
6245 }
6246 #endif
6247
6248 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6249 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6250 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6251 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6252 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6253
6254 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6255 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6256 LSM_HOOK_INIT(capget, selinux_capget),
6257 LSM_HOOK_INIT(capset, selinux_capset),
6258 LSM_HOOK_INIT(capable, selinux_capable),
6259 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6260 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6261 LSM_HOOK_INIT(syslog, selinux_syslog),
6262 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6263
6264 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6265
6266 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6267 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6268 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6269 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6270
6271 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6272 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6273 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6274 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6275 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6276 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6277 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6278 LSM_HOOK_INIT(sb_mount, selinux_mount),
6279 LSM_HOOK_INIT(sb_umount, selinux_umount),
6280 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6281 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6282 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6283
6284 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6285 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6286
6287 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6288 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6289 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6290 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6291 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6292 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6293 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6294 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6295 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6296 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6297 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6298 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6299 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6300 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6301 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6302 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6303 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6304 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6305 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6306 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6307 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6308 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6309 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6310 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6311 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6312 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6313 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6314
6315 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6316 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6317 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6318 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6319 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6320 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6321 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6322 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6323 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6324 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6325 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6326 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6327
6328 LSM_HOOK_INIT(file_open, selinux_file_open),
6329
6330 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6331 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6332 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6333 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6334 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6335 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6336 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6337 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6338 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6339 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6340 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6341 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6342 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6343 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6344 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6345 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6346 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6347 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6348 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6349 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6350 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6351 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6352 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6353
6354 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6355 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6356
6357 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6358 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6359
6360 LSM_HOOK_INIT(msg_queue_alloc_security,
6361 selinux_msg_queue_alloc_security),
6362 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6363 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6364 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6365 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6366 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6367
6368 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6369 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6370 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6371 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6372 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6373
6374 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6375 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6376 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6377 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6378 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6379
6380 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6381
6382 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6383 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6384
6385 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6386 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6387 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6388 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6389 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6390 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6391 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6392 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6393
6394 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6395 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6396
6397 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6398 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6399 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6400 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6401 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6402 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6403 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6404 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6405 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6406 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6407 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6408 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6409 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6410 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6411 LSM_HOOK_INIT(socket_getpeersec_stream,
6412 selinux_socket_getpeersec_stream),
6413 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6414 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6415 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6416 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6417 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6418 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6419 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6420 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6421 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6422 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6423 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6424 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6425 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6426 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6427 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6428 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6429 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6430 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6431 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6432 #ifdef CONFIG_SECURITY_INFINIBAND
6433 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6434 LSM_HOOK_INIT(ib_endport_manage_subnet,
6435 selinux_ib_endport_manage_subnet),
6436 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6437 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6438 #endif
6439 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6440 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6441 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6442 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6443 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6444 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6445 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6446 selinux_xfrm_state_alloc_acquire),
6447 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6448 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6449 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6450 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6451 selinux_xfrm_state_pol_flow_match),
6452 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6453 #endif
6454
6455 #ifdef CONFIG_KEYS
6456 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6457 LSM_HOOK_INIT(key_free, selinux_key_free),
6458 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6459 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6460 #endif
6461
6462 #ifdef CONFIG_AUDIT
6463 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6464 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6465 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6466 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6467 #endif
6468 };
6469
6470 static __init int selinux_init(void)
6471 {
6472 if (!security_module_enable("selinux")) {
6473 selinux_enabled = 0;
6474 return 0;
6475 }
6476
6477 if (!selinux_enabled) {
6478 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6479 return 0;
6480 }
6481
6482 printk(KERN_INFO "SELinux: Initializing.\n");
6483
6484 /* Set the security state for the initial task. */
6485 cred_init_security();
6486
6487 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6488
6489 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6490 sizeof(struct inode_security_struct),
6491 0, SLAB_PANIC, NULL);
6492 file_security_cache = kmem_cache_create("selinux_file_security",
6493 sizeof(struct file_security_struct),
6494 0, SLAB_PANIC, NULL);
6495 avc_init();
6496
6497 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6498
6499 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6500 panic("SELinux: Unable to register AVC netcache callback\n");
6501
6502 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6503 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6504
6505 if (selinux_enforcing)
6506 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6507 else
6508 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6509
6510 return 0;
6511 }
6512
6513 static void delayed_superblock_init(struct super_block *sb, void *unused)
6514 {
6515 superblock_doinit(sb, NULL);
6516 }
6517
6518 void selinux_complete_init(void)
6519 {
6520 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6521
6522 /* Set up any superblocks initialized prior to the policy load. */
6523 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6524 iterate_supers(delayed_superblock_init, NULL);
6525 }
6526
6527 /* SELinux requires early initialization in order to label
6528 all processes and objects when they are created. */
6529 security_initcall(selinux_init);
6530
6531 #if defined(CONFIG_NETFILTER)
6532
6533 static struct nf_hook_ops selinux_nf_ops[] = {
6534 {
6535 .hook = selinux_ipv4_postroute,
6536 .pf = NFPROTO_IPV4,
6537 .hooknum = NF_INET_POST_ROUTING,
6538 .priority = NF_IP_PRI_SELINUX_LAST,
6539 },
6540 {
6541 .hook = selinux_ipv4_forward,
6542 .pf = NFPROTO_IPV4,
6543 .hooknum = NF_INET_FORWARD,
6544 .priority = NF_IP_PRI_SELINUX_FIRST,
6545 },
6546 {
6547 .hook = selinux_ipv4_output,
6548 .pf = NFPROTO_IPV4,
6549 .hooknum = NF_INET_LOCAL_OUT,
6550 .priority = NF_IP_PRI_SELINUX_FIRST,
6551 },
6552 #if IS_ENABLED(CONFIG_IPV6)
6553 {
6554 .hook = selinux_ipv6_postroute,
6555 .pf = NFPROTO_IPV6,
6556 .hooknum = NF_INET_POST_ROUTING,
6557 .priority = NF_IP6_PRI_SELINUX_LAST,
6558 },
6559 {
6560 .hook = selinux_ipv6_forward,
6561 .pf = NFPROTO_IPV6,
6562 .hooknum = NF_INET_FORWARD,
6563 .priority = NF_IP6_PRI_SELINUX_FIRST,
6564 },
6565 {
6566 .hook = selinux_ipv6_output,
6567 .pf = NFPROTO_IPV6,
6568 .hooknum = NF_INET_LOCAL_OUT,
6569 .priority = NF_IP6_PRI_SELINUX_FIRST,
6570 },
6571 #endif /* IPV6 */
6572 };
6573
6574 static int __net_init selinux_nf_register(struct net *net)
6575 {
6576 return nf_register_net_hooks(net, selinux_nf_ops,
6577 ARRAY_SIZE(selinux_nf_ops));
6578 }
6579
6580 static void __net_exit selinux_nf_unregister(struct net *net)
6581 {
6582 nf_unregister_net_hooks(net, selinux_nf_ops,
6583 ARRAY_SIZE(selinux_nf_ops));
6584 }
6585
6586 static struct pernet_operations selinux_net_ops = {
6587 .init = selinux_nf_register,
6588 .exit = selinux_nf_unregister,
6589 };
6590
6591 static int __init selinux_nf_ip_init(void)
6592 {
6593 int err;
6594
6595 if (!selinux_enabled)
6596 return 0;
6597
6598 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6599
6600 err = register_pernet_subsys(&selinux_net_ops);
6601 if (err)
6602 panic("SELinux: register_pernet_subsys: error %d\n", err);
6603
6604 return 0;
6605 }
6606 __initcall(selinux_nf_ip_init);
6607
6608 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6609 static void selinux_nf_ip_exit(void)
6610 {
6611 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6612
6613 unregister_pernet_subsys(&selinux_net_ops);
6614 }
6615 #endif
6616
6617 #else /* CONFIG_NETFILTER */
6618
6619 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6620 #define selinux_nf_ip_exit()
6621 #endif
6622
6623 #endif /* CONFIG_NETFILTER */
6624
6625 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6626 static int selinux_disabled;
6627
6628 int selinux_disable(void)
6629 {
6630 if (ss_initialized) {
6631 /* Not permitted after initial policy load. */
6632 return -EINVAL;
6633 }
6634
6635 if (selinux_disabled) {
6636 /* Only do this once. */
6637 return -EINVAL;
6638 }
6639
6640 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6641
6642 selinux_disabled = 1;
6643 selinux_enabled = 0;
6644
6645 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6646
6647 /* Try to destroy the avc node cache */
6648 avc_disable();
6649
6650 /* Unregister netfilter hooks. */
6651 selinux_nf_ip_exit();
6652
6653 /* Unregister selinuxfs. */
6654 exit_sel_fs();
6655
6656 return 0;
6657 }
6658 #endif
Ubuntu Artful kernel mirror