2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount
= ATOMIC_INIT(0);
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing
;
107 static int __init
enforcing_setup(char *str
)
109 unsigned long enforcing
;
110 if (!kstrtoul(str
, 0, &enforcing
))
111 selinux_enforcing
= enforcing
? 1 : 0;
114 __setup("enforcing=", enforcing_setup
);
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled
= CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
;
120 static int __init
selinux_enabled_setup(char *str
)
122 unsigned long enabled
;
123 if (!kstrtoul(str
, 0, &enabled
))
124 selinux_enabled
= enabled
? 1 : 0;
127 __setup("selinux=", selinux_enabled_setup
);
129 int selinux_enabled
= 1;
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
139 * enabled, false (0) if SECMARK is disabled. If the always_check_network
140 * policy capability is enabled, SECMARK is always considered enabled.
143 static int selinux_secmark_enabled(void)
145 return (selinux_policycap_alwaysnetwork
|| atomic_read(&selinux_secmark_refcount
));
149 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
153 * (1) if any are enabled or false (0) if neither are enabled. If the
154 * always_check_network policy capability is enabled, peer labeling
155 * is always considered enabled.
158 static int selinux_peerlbl_enabled(void)
160 return (selinux_policycap_alwaysnetwork
|| netlbl_enabled() || selinux_xfrm_enabled());
163 static int selinux_netcache_avc_callback(u32 event
)
165 if (event
== AVC_CALLBACK_RESET
) {
174 static int selinux_lsm_notifier_avc_callback(u32 event
)
176 if (event
== AVC_CALLBACK_RESET
) {
178 call_lsm_notifier(LSM_POLICY_CHANGE
, NULL
);
185 * initialise the security for the init task
187 static void cred_init_security(void)
189 struct cred
*cred
= (struct cred
*) current
->real_cred
;
190 struct task_security_struct
*tsec
;
192 lsm_early_cred(cred
);
193 tsec
= selinux_cred(cred
);
194 tsec
->osid
= tsec
->sid
= SECINITSID_KERNEL
;
198 * get the security ID of a set of credentials
200 static inline u32
cred_sid(const struct cred
*cred
)
202 const struct task_security_struct
*tsec
;
204 tsec
= selinux_cred(cred
);
209 * get the objective security ID of a task
211 static inline u32
task_sid(const struct task_struct
*task
)
216 sid
= cred_sid(__task_cred(task
));
221 /* Allocate and free functions for each kind of security blob. */
223 static int inode_alloc_security(struct inode
*inode
)
225 struct inode_security_struct
*isec
= selinux_inode(inode
);
226 u32 sid
= current_sid();
228 spin_lock_init(&isec
->lock
);
229 INIT_LIST_HEAD(&isec
->list
);
231 isec
->sid
= SECINITSID_UNLABELED
;
232 isec
->sclass
= SECCLASS_FILE
;
233 isec
->task_sid
= sid
;
234 isec
->initialized
= LABEL_INVALID
;
239 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
);
242 * Try reloading inode security labels that have been marked as invalid. The
243 * @may_sleep parameter indicates when sleeping and thus reloading labels is
244 * allowed; when set to false, returns -ECHILD when the label is
245 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
246 * when no dentry is available, set it to NULL instead.
248 static int __inode_security_revalidate(struct inode
*inode
,
249 struct dentry
*opt_dentry
,
252 struct inode_security_struct
*isec
= selinux_inode(inode
);
254 might_sleep_if(may_sleep
);
256 if (ss_initialized
&& isec
->initialized
!= LABEL_INITIALIZED
) {
261 * Try reloading the inode security label. This will fail if
262 * @opt_dentry is NULL and no dentry for this inode can be
263 * found; in that case, continue using the old label.
265 inode_doinit_with_dentry(inode
, opt_dentry
);
270 static struct inode_security_struct
*inode_security_novalidate(struct inode
*inode
)
272 return selinux_inode(inode
);
275 static struct inode_security_struct
*inode_security_rcu(struct inode
*inode
, bool rcu
)
279 error
= __inode_security_revalidate(inode
, NULL
, !rcu
);
281 return ERR_PTR(error
);
282 return selinux_inode(inode
);
286 * Get the security label of an inode.
288 static struct inode_security_struct
*inode_security(struct inode
*inode
)
290 __inode_security_revalidate(inode
, NULL
, true);
291 return selinux_inode(inode
);
294 static struct inode_security_struct
*backing_inode_security_novalidate(struct dentry
*dentry
)
296 struct inode
*inode
= d_backing_inode(dentry
);
298 return selinux_inode(inode
);
302 * Get the security label of a dentry's backing inode.
304 static struct inode_security_struct
*backing_inode_security(struct dentry
*dentry
)
306 struct inode
*inode
= d_backing_inode(dentry
);
308 __inode_security_revalidate(inode
, dentry
, true);
309 return selinux_inode(inode
);
312 static void inode_free_security(struct inode
*inode
)
314 struct inode_security_struct
*isec
= selinux_inode(inode
);
315 struct superblock_security_struct
*sbsec
=
316 selinux_superblock(inode
->i_sb
);
319 * As not all inode security structures are in a list, we check for
320 * empty list outside of the lock to make sure that we won't waste
321 * time taking a lock doing nothing.
323 * The list_del_init() function can be safely called more than once.
324 * It should not be possible for this function to be called with
325 * concurrent list_add(), but for better safety against future changes
326 * in the code, we use list_empty_careful() here.
328 if (!list_empty_careful(&isec
->list
)) {
329 spin_lock(&sbsec
->isec_lock
);
330 list_del_init(&isec
->list
);
331 spin_unlock(&sbsec
->isec_lock
);
335 static int file_alloc_security(struct file
*file
)
337 struct file_security_struct
*fsec
= selinux_file(file
);
338 u32 sid
= current_sid();
341 fsec
->fown_sid
= sid
;
346 static int superblock_alloc_security(struct super_block
*sb
)
348 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
350 mutex_init(&sbsec
->lock
);
351 INIT_LIST_HEAD(&sbsec
->isec_head
);
352 spin_lock_init(&sbsec
->isec_lock
);
354 sbsec
->sid
= SECINITSID_UNLABELED
;
355 sbsec
->def_sid
= SECINITSID_FILE
;
356 sbsec
->mntpoint_sid
= SECINITSID_UNLABELED
;
361 static inline int inode_doinit(struct inode
*inode
)
363 return inode_doinit_with_dentry(inode
, NULL
);
372 Opt_labelsupport
= 5,
376 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
378 static const match_table_t tokens
= {
379 {Opt_context
, CONTEXT_STR
"%s"},
380 {Opt_fscontext
, FSCONTEXT_STR
"%s"},
381 {Opt_defcontext
, DEFCONTEXT_STR
"%s"},
382 {Opt_rootcontext
, ROOTCONTEXT_STR
"%s"},
383 {Opt_labelsupport
, LABELSUPP_STR
},
387 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
389 static int may_context_mount_sb_relabel(u32 sid
,
390 struct superblock_security_struct
*sbsec
,
391 const struct cred
*cred
)
393 const struct task_security_struct
*tsec
= selinux_cred(cred
);
396 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
397 FILESYSTEM__RELABELFROM
, NULL
);
401 rc
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_FILESYSTEM
,
402 FILESYSTEM__RELABELTO
, NULL
);
406 static int may_context_mount_inode_relabel(u32 sid
,
407 struct superblock_security_struct
*sbsec
,
408 const struct cred
*cred
)
410 const struct task_security_struct
*tsec
= selinux_cred(cred
);
412 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
413 FILESYSTEM__RELABELFROM
, NULL
);
417 rc
= avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
418 FILESYSTEM__ASSOCIATE
, NULL
);
422 static int selinux_is_sblabel_mnt(struct super_block
*sb
)
424 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
426 return sbsec
->behavior
== SECURITY_FS_USE_XATTR
||
427 sbsec
->behavior
== SECURITY_FS_USE_TRANS
||
428 sbsec
->behavior
== SECURITY_FS_USE_TASK
||
429 sbsec
->behavior
== SECURITY_FS_USE_NATIVE
||
430 /* Special handling. Genfs but also in-core setxattr handler */
431 !strcmp(sb
->s_type
->name
, "sysfs") ||
432 !strcmp(sb
->s_type
->name
, "pstore") ||
433 !strcmp(sb
->s_type
->name
, "debugfs") ||
434 !strcmp(sb
->s_type
->name
, "tracefs") ||
435 !strcmp(sb
->s_type
->name
, "rootfs") ||
436 (selinux_policycap_cgroupseclabel
&&
437 (!strcmp(sb
->s_type
->name
, "cgroup") ||
438 !strcmp(sb
->s_type
->name
, "cgroup2")));
441 static int sb_finish_set_opts(struct super_block
*sb
)
443 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
444 struct dentry
*root
= sb
->s_root
;
445 struct inode
*root_inode
= d_backing_inode(root
);
448 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
449 /* Make sure that the xattr handler exists and that no
450 error other than -ENODATA is returned by getxattr on
451 the root directory. -ENODATA is ok, as this may be
452 the first boot of the SELinux kernel before we have
453 assigned xattr values to the filesystem. */
454 if (!(root_inode
->i_opflags
& IOP_XATTR
)) {
455 printk(KERN_WARNING
"SELinux: (dev %s, type %s) has no "
456 "xattr support\n", sb
->s_id
, sb
->s_type
->name
);
461 rc
= __vfs_getxattr(root
, root_inode
, XATTR_NAME_SELINUX
, NULL
, 0);
462 if (rc
< 0 && rc
!= -ENODATA
) {
463 if (rc
== -EOPNOTSUPP
)
464 printk(KERN_WARNING
"SELinux: (dev %s, type "
465 "%s) has no security xattr handler\n",
466 sb
->s_id
, sb
->s_type
->name
);
468 printk(KERN_WARNING
"SELinux: (dev %s, type "
469 "%s) getxattr errno %d\n", sb
->s_id
,
470 sb
->s_type
->name
, -rc
);
475 sbsec
->flags
|= SE_SBINITIALIZED
;
478 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
479 * leave the flag untouched because sb_clone_mnt_opts might be handing
480 * us a superblock that needs the flag to be cleared.
482 if (selinux_is_sblabel_mnt(sb
))
483 sbsec
->flags
|= SBLABEL_MNT
;
485 sbsec
->flags
&= ~SBLABEL_MNT
;
487 /* Initialize the root inode. */
488 rc
= inode_doinit_with_dentry(root_inode
, root
);
490 /* Initialize any other inodes associated with the superblock, e.g.
491 inodes created prior to initial policy load or inodes created
492 during get_sb by a pseudo filesystem that directly
494 spin_lock(&sbsec
->isec_lock
);
496 if (!list_empty(&sbsec
->isec_head
)) {
497 struct inode_security_struct
*isec
=
498 list_entry(sbsec
->isec_head
.next
,
499 struct inode_security_struct
, list
);
500 struct inode
*inode
= isec
->inode
;
501 list_del_init(&isec
->list
);
502 spin_unlock(&sbsec
->isec_lock
);
503 inode
= igrab(inode
);
505 if (!IS_PRIVATE(inode
))
509 spin_lock(&sbsec
->isec_lock
);
512 spin_unlock(&sbsec
->isec_lock
);
518 * This function should allow an FS to ask what it's mount security
519 * options were so it can use those later for submounts, displaying
520 * mount options, or whatever.
522 static int selinux_get_mnt_opts(const struct super_block
*sb
,
523 struct security_mnt_opts
*opts
)
526 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
527 char *context
= NULL
;
531 security_init_mnt_opts(opts
);
533 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
539 /* make sure we always check enough bits to cover the mask */
540 BUILD_BUG_ON(SE_MNTMASK
>= (1 << NUM_SEL_MNT_OPTS
));
542 tmp
= sbsec
->flags
& SE_MNTMASK
;
543 /* count the number of mount options for this sb */
544 for (i
= 0; i
< NUM_SEL_MNT_OPTS
; i
++) {
546 opts
->num_mnt_opts
++;
549 /* Check if the Label support flag is set */
550 if (sbsec
->flags
& SBLABEL_MNT
)
551 opts
->num_mnt_opts
++;
553 opts
->mnt_opts
= kcalloc(opts
->num_mnt_opts
, sizeof(char *), GFP_ATOMIC
);
554 if (!opts
->mnt_opts
) {
559 opts
->mnt_opts_flags
= kcalloc(opts
->num_mnt_opts
, sizeof(int), GFP_ATOMIC
);
560 if (!opts
->mnt_opts_flags
) {
566 if (sbsec
->flags
& FSCONTEXT_MNT
) {
567 rc
= security_sid_to_context(sbsec
->sid
, &context
, &len
);
570 opts
->mnt_opts
[i
] = context
;
571 opts
->mnt_opts_flags
[i
++] = FSCONTEXT_MNT
;
573 if (sbsec
->flags
& CONTEXT_MNT
) {
574 rc
= security_sid_to_context(sbsec
->mntpoint_sid
, &context
, &len
);
577 opts
->mnt_opts
[i
] = context
;
578 opts
->mnt_opts_flags
[i
++] = CONTEXT_MNT
;
580 if (sbsec
->flags
& DEFCONTEXT_MNT
) {
581 rc
= security_sid_to_context(sbsec
->def_sid
, &context
, &len
);
584 opts
->mnt_opts
[i
] = context
;
585 opts
->mnt_opts_flags
[i
++] = DEFCONTEXT_MNT
;
587 if (sbsec
->flags
& ROOTCONTEXT_MNT
) {
588 struct dentry
*root
= sbsec
->sb
->s_root
;
589 struct inode_security_struct
*isec
=
590 backing_inode_security(root
);
592 rc
= security_sid_to_context(isec
->sid
, &context
, &len
);
595 opts
->mnt_opts
[i
] = context
;
596 opts
->mnt_opts_flags
[i
++] = ROOTCONTEXT_MNT
;
598 if (sbsec
->flags
& SBLABEL_MNT
) {
599 opts
->mnt_opts
[i
] = NULL
;
600 opts
->mnt_opts_flags
[i
++] = SBLABEL_MNT
;
603 BUG_ON(i
!= opts
->num_mnt_opts
);
608 security_free_mnt_opts(opts
);
612 static int bad_option(struct superblock_security_struct
*sbsec
, char flag
,
613 u32 old_sid
, u32 new_sid
)
615 char mnt_flags
= sbsec
->flags
& SE_MNTMASK
;
617 /* check if the old mount command had the same options */
618 if (sbsec
->flags
& SE_SBINITIALIZED
)
619 if (!(sbsec
->flags
& flag
) ||
620 (old_sid
!= new_sid
))
623 /* check if we were passed the same options twice,
624 * aka someone passed context=a,context=b
626 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
627 if (mnt_flags
& flag
)
633 * Allow filesystems with binary mount data to explicitly set mount point
634 * labeling information.
636 static int selinux_set_mnt_opts(struct super_block
*sb
,
637 struct security_mnt_opts
*opts
,
638 unsigned long kern_flags
,
639 unsigned long *set_kern_flags
)
641 const struct cred
*cred
= current_cred();
643 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
644 const char *name
= sb
->s_type
->name
;
645 struct dentry
*root
= sbsec
->sb
->s_root
;
646 struct inode_security_struct
*root_isec
;
647 u32 fscontext_sid
= 0, context_sid
= 0, rootcontext_sid
= 0;
648 u32 defcontext_sid
= 0;
649 char **mount_options
= opts
->mnt_opts
;
650 int *flags
= opts
->mnt_opts_flags
;
651 int num_opts
= opts
->num_mnt_opts
;
653 mutex_lock(&sbsec
->lock
);
655 if (!ss_initialized
) {
657 /* Defer initialization until selinux_complete_init,
658 after the initial policy is loaded and the security
659 server is ready to handle calls. */
663 printk(KERN_WARNING
"SELinux: Unable to set superblock options "
664 "before the security server is initialized\n");
667 if (kern_flags
&& !set_kern_flags
) {
668 /* Specifying internal flags without providing a place to
669 * place the results is not allowed */
675 * Binary mount data FS will come through this function twice. Once
676 * from an explicit call and once from the generic calls from the vfs.
677 * Since the generic VFS calls will not contain any security mount data
678 * we need to skip the double mount verification.
680 * This does open a hole in which we will not notice if the first
681 * mount using this sb set explict options and a second mount using
682 * this sb does not set any security options. (The first options
683 * will be used for both mounts)
685 if ((sbsec
->flags
& SE_SBINITIALIZED
) && (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
689 root_isec
= backing_inode_security_novalidate(root
);
692 * parse the mount options, check if they are valid sids.
693 * also check if someone is trying to mount the same sb more
694 * than once with different security options.
696 for (i
= 0; i
< num_opts
; i
++) {
699 if (flags
[i
] == SBLABEL_MNT
)
701 rc
= security_context_str_to_sid(mount_options
[i
], &sid
, GFP_KERNEL
);
703 printk(KERN_WARNING
"SELinux: security_context_str_to_sid"
704 "(%s) failed for (dev %s, type %s) errno=%d\n",
705 mount_options
[i
], sb
->s_id
, name
, rc
);
712 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
,
714 goto out_double_mount
;
716 sbsec
->flags
|= FSCONTEXT_MNT
;
721 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
,
723 goto out_double_mount
;
725 sbsec
->flags
|= CONTEXT_MNT
;
727 case ROOTCONTEXT_MNT
:
728 rootcontext_sid
= sid
;
730 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
,
732 goto out_double_mount
;
734 sbsec
->flags
|= ROOTCONTEXT_MNT
;
738 defcontext_sid
= sid
;
740 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
,
742 goto out_double_mount
;
744 sbsec
->flags
|= DEFCONTEXT_MNT
;
753 if (sbsec
->flags
& SE_SBINITIALIZED
) {
754 /* previously mounted with options, but not on this attempt? */
755 if ((sbsec
->flags
& SE_MNTMASK
) && !num_opts
)
756 goto out_double_mount
;
761 if (strcmp(sb
->s_type
->name
, "proc") == 0)
762 sbsec
->flags
|= SE_SBPROC
| SE_SBGENFS
;
764 if (!strcmp(sb
->s_type
->name
, "debugfs") ||
765 !strcmp(sb
->s_type
->name
, "tracefs") ||
766 !strcmp(sb
->s_type
->name
, "sysfs") ||
767 !strcmp(sb
->s_type
->name
, "pstore") ||
768 !strcmp(sb
->s_type
->name
, "cgroup") ||
769 !strcmp(sb
->s_type
->name
, "cgroup2"))
770 sbsec
->flags
|= SE_SBGENFS
;
772 if (!sbsec
->behavior
) {
774 * Determine the labeling behavior to use for this
777 rc
= security_fs_use(sb
);
780 "%s: security_fs_use(%s) returned %d\n",
781 __func__
, sb
->s_type
->name
, rc
);
787 * If this is a user namespace mount and the filesystem type is not
788 * explicitly whitelisted, then no contexts are allowed on the command
789 * line and security labels must be ignored.
791 if (sb
->s_user_ns
!= &init_user_ns
&&
792 strcmp(sb
->s_type
->name
, "tmpfs") &&
793 strcmp(sb
->s_type
->name
, "ramfs") &&
794 strcmp(sb
->s_type
->name
, "devpts")) {
795 if (context_sid
|| fscontext_sid
|| rootcontext_sid
||
800 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
801 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
802 rc
= security_transition_sid(current_sid(), current_sid(),
804 &sbsec
->mntpoint_sid
);
811 /* sets the context of the superblock for the fs being mounted. */
813 rc
= may_context_mount_sb_relabel(fscontext_sid
, sbsec
, cred
);
817 sbsec
->sid
= fscontext_sid
;
821 * Switch to using mount point labeling behavior.
822 * sets the label used on all file below the mountpoint, and will set
823 * the superblock context if not already set.
825 if (kern_flags
& SECURITY_LSM_NATIVE_LABELS
&& !context_sid
) {
826 sbsec
->behavior
= SECURITY_FS_USE_NATIVE
;
827 *set_kern_flags
|= SECURITY_LSM_NATIVE_LABELS
;
831 if (!fscontext_sid
) {
832 rc
= may_context_mount_sb_relabel(context_sid
, sbsec
,
836 sbsec
->sid
= context_sid
;
838 rc
= may_context_mount_inode_relabel(context_sid
, sbsec
,
843 if (!rootcontext_sid
)
844 rootcontext_sid
= context_sid
;
846 sbsec
->mntpoint_sid
= context_sid
;
847 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
850 if (rootcontext_sid
) {
851 rc
= may_context_mount_inode_relabel(rootcontext_sid
, sbsec
,
856 root_isec
->sid
= rootcontext_sid
;
857 root_isec
->initialized
= LABEL_INITIALIZED
;
860 if (defcontext_sid
) {
861 if (sbsec
->behavior
!= SECURITY_FS_USE_XATTR
&&
862 sbsec
->behavior
!= SECURITY_FS_USE_NATIVE
) {
864 printk(KERN_WARNING
"SELinux: defcontext option is "
865 "invalid for this filesystem type\n");
869 if (defcontext_sid
!= sbsec
->def_sid
) {
870 rc
= may_context_mount_inode_relabel(defcontext_sid
,
876 sbsec
->def_sid
= defcontext_sid
;
880 rc
= sb_finish_set_opts(sb
);
882 mutex_unlock(&sbsec
->lock
);
886 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, different "
887 "security settings for (dev %s, type %s)\n", sb
->s_id
, name
);
891 static int selinux_cmp_sb_context(const struct super_block
*oldsb
,
892 const struct super_block
*newsb
)
894 struct superblock_security_struct
*old
= selinux_superblock(oldsb
);
895 struct superblock_security_struct
*new = selinux_superblock(newsb
);
896 char oldflags
= old
->flags
& SE_MNTMASK
;
897 char newflags
= new->flags
& SE_MNTMASK
;
899 if (oldflags
!= newflags
)
901 if ((oldflags
& FSCONTEXT_MNT
) && old
->sid
!= new->sid
)
903 if ((oldflags
& CONTEXT_MNT
) && old
->mntpoint_sid
!= new->mntpoint_sid
)
905 if ((oldflags
& DEFCONTEXT_MNT
) && old
->def_sid
!= new->def_sid
)
907 if (oldflags
& ROOTCONTEXT_MNT
) {
908 struct inode_security_struct
*oldroot
= backing_inode_security(oldsb
->s_root
);
909 struct inode_security_struct
*newroot
= backing_inode_security(newsb
->s_root
);
910 if (oldroot
->sid
!= newroot
->sid
)
915 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, "
916 "different security settings for (dev %s, "
917 "type %s)\n", newsb
->s_id
, newsb
->s_type
->name
);
921 static int selinux_sb_clone_mnt_opts(const struct super_block
*oldsb
,
922 struct super_block
*newsb
,
923 unsigned long kern_flags
,
924 unsigned long *set_kern_flags
)
927 const struct superblock_security_struct
*oldsbsec
=
928 selinux_superblock(oldsb
);
929 struct superblock_security_struct
*newsbsec
= selinux_superblock(newsb
);
931 int set_fscontext
= (oldsbsec
->flags
& FSCONTEXT_MNT
);
932 int set_context
= (oldsbsec
->flags
& CONTEXT_MNT
);
933 int set_rootcontext
= (oldsbsec
->flags
& ROOTCONTEXT_MNT
);
936 * if the parent was able to be mounted it clearly had no special lsm
937 * mount options. thus we can safely deal with this superblock later
943 * Specifying internal flags without providing a place to
944 * place the results is not allowed.
946 if (kern_flags
&& !set_kern_flags
)
949 /* how can we clone if the old one wasn't set up?? */
950 BUG_ON(!(oldsbsec
->flags
& SE_SBINITIALIZED
));
952 /* if fs is reusing a sb, make sure that the contexts match */
953 if (newsbsec
->flags
& SE_SBINITIALIZED
)
954 return selinux_cmp_sb_context(oldsb
, newsb
);
956 mutex_lock(&newsbsec
->lock
);
958 newsbsec
->flags
= oldsbsec
->flags
;
960 newsbsec
->sid
= oldsbsec
->sid
;
961 newsbsec
->def_sid
= oldsbsec
->def_sid
;
962 newsbsec
->behavior
= oldsbsec
->behavior
;
964 if (newsbsec
->behavior
== SECURITY_FS_USE_NATIVE
&&
965 !(kern_flags
& SECURITY_LSM_NATIVE_LABELS
) && !set_context
) {
966 rc
= security_fs_use(newsb
);
971 if (kern_flags
& SECURITY_LSM_NATIVE_LABELS
&& !set_context
) {
972 newsbsec
->behavior
= SECURITY_FS_USE_NATIVE
;
973 *set_kern_flags
|= SECURITY_LSM_NATIVE_LABELS
;
977 u32 sid
= oldsbsec
->mntpoint_sid
;
981 if (!set_rootcontext
) {
982 struct inode_security_struct
*newisec
=
983 backing_inode_security(newsb
->s_root
);
986 newsbsec
->mntpoint_sid
= sid
;
988 if (set_rootcontext
) {
989 const struct inode_security_struct
*oldisec
=
990 backing_inode_security(oldsb
->s_root
);
991 struct inode_security_struct
*newisec
=
992 backing_inode_security(newsb
->s_root
);
994 newisec
->sid
= oldisec
->sid
;
997 sb_finish_set_opts(newsb
);
999 mutex_unlock(&newsbsec
->lock
);
1003 static int selinux_parse_opts_str(char *options
,
1004 struct security_mnt_opts
*opts
)
1007 char *context
= NULL
, *defcontext
= NULL
;
1008 char *fscontext
= NULL
, *rootcontext
= NULL
;
1009 int rc
, num_mnt_opts
= 0;
1011 opts
->num_mnt_opts
= 0;
1013 /* Standard string-based options. */
1014 while ((p
= strsep(&options
, "|")) != NULL
) {
1016 substring_t args
[MAX_OPT_ARGS
];
1021 token
= match_token(p
, tokens
, args
);
1025 if (context
|| defcontext
) {
1027 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1030 context
= match_strdup(&args
[0]);
1040 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1043 fscontext
= match_strdup(&args
[0]);
1050 case Opt_rootcontext
:
1053 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1056 rootcontext
= match_strdup(&args
[0]);
1063 case Opt_defcontext
:
1064 if (context
|| defcontext
) {
1066 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1069 defcontext
= match_strdup(&args
[0]);
1075 case Opt_labelsupport
:
1079 printk(KERN_WARNING
"SELinux: unknown mount option\n");
1086 opts
->mnt_opts
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(char *), GFP_KERNEL
);
1087 if (!opts
->mnt_opts
)
1090 opts
->mnt_opts_flags
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(int),
1092 if (!opts
->mnt_opts_flags
)
1096 opts
->mnt_opts
[num_mnt_opts
] = fscontext
;
1097 opts
->mnt_opts_flags
[num_mnt_opts
++] = FSCONTEXT_MNT
;
1100 opts
->mnt_opts
[num_mnt_opts
] = context
;
1101 opts
->mnt_opts_flags
[num_mnt_opts
++] = CONTEXT_MNT
;
1104 opts
->mnt_opts
[num_mnt_opts
] = rootcontext
;
1105 opts
->mnt_opts_flags
[num_mnt_opts
++] = ROOTCONTEXT_MNT
;
1108 opts
->mnt_opts
[num_mnt_opts
] = defcontext
;
1109 opts
->mnt_opts_flags
[num_mnt_opts
++] = DEFCONTEXT_MNT
;
1112 opts
->num_mnt_opts
= num_mnt_opts
;
1116 security_free_mnt_opts(opts
);
1124 * string mount options parsing and call set the sbsec
1126 static int superblock_doinit(struct super_block
*sb
, void *data
)
1129 char *options
= data
;
1130 struct security_mnt_opts opts
;
1132 security_init_mnt_opts(&opts
);
1137 BUG_ON(sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
);
1139 rc
= selinux_parse_opts_str(options
, &opts
);
1144 rc
= selinux_set_mnt_opts(sb
, &opts
, 0, NULL
);
1147 security_free_mnt_opts(&opts
);
1151 static void selinux_write_opts(struct seq_file
*m
,
1152 struct security_mnt_opts
*opts
)
1157 for (i
= 0; i
< opts
->num_mnt_opts
; i
++) {
1160 if (opts
->mnt_opts
[i
])
1161 has_comma
= strchr(opts
->mnt_opts
[i
], ',');
1165 switch (opts
->mnt_opts_flags
[i
]) {
1167 prefix
= CONTEXT_STR
;
1170 prefix
= FSCONTEXT_STR
;
1172 case ROOTCONTEXT_MNT
:
1173 prefix
= ROOTCONTEXT_STR
;
1175 case DEFCONTEXT_MNT
:
1176 prefix
= DEFCONTEXT_STR
;
1180 seq_puts(m
, LABELSUPP_STR
);
1186 /* we need a comma before each option */
1188 seq_puts(m
, prefix
);
1191 seq_escape(m
, opts
->mnt_opts
[i
], "\"\n\\");
1197 static int selinux_sb_show_options(struct seq_file
*m
, struct super_block
*sb
)
1199 struct security_mnt_opts opts
;
1202 rc
= selinux_get_mnt_opts(sb
, &opts
);
1204 /* before policy load we may get EINVAL, don't show anything */
1210 selinux_write_opts(m
, &opts
);
1212 security_free_mnt_opts(&opts
);
1217 static inline u16
inode_mode_to_security_class(umode_t mode
)
1219 switch (mode
& S_IFMT
) {
1221 return SECCLASS_SOCK_FILE
;
1223 return SECCLASS_LNK_FILE
;
1225 return SECCLASS_FILE
;
1227 return SECCLASS_BLK_FILE
;
1229 return SECCLASS_DIR
;
1231 return SECCLASS_CHR_FILE
;
1233 return SECCLASS_FIFO_FILE
;
1237 return SECCLASS_FILE
;
1240 static inline int default_protocol_stream(int protocol
)
1242 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_TCP
);
1245 static inline int default_protocol_dgram(int protocol
)
1247 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_UDP
);
1250 static inline u16
socket_type_to_security_class(int family
, int type
, int protocol
)
1252 int extsockclass
= selinux_policycap_extsockclass
;
1258 case SOCK_SEQPACKET
:
1259 return SECCLASS_UNIX_STREAM_SOCKET
;
1262 return SECCLASS_UNIX_DGRAM_SOCKET
;
1269 case SOCK_SEQPACKET
:
1270 if (default_protocol_stream(protocol
))
1271 return SECCLASS_TCP_SOCKET
;
1272 else if (extsockclass
&& protocol
== IPPROTO_SCTP
)
1273 return SECCLASS_SCTP_SOCKET
;
1275 return SECCLASS_RAWIP_SOCKET
;
1277 if (default_protocol_dgram(protocol
))
1278 return SECCLASS_UDP_SOCKET
;
1279 else if (extsockclass
&& (protocol
== IPPROTO_ICMP
||
1280 protocol
== IPPROTO_ICMPV6
))
1281 return SECCLASS_ICMP_SOCKET
;
1283 return SECCLASS_RAWIP_SOCKET
;
1285 return SECCLASS_DCCP_SOCKET
;
1287 return SECCLASS_RAWIP_SOCKET
;
1293 return SECCLASS_NETLINK_ROUTE_SOCKET
;
1294 case NETLINK_SOCK_DIAG
:
1295 return SECCLASS_NETLINK_TCPDIAG_SOCKET
;
1297 return SECCLASS_NETLINK_NFLOG_SOCKET
;
1299 return SECCLASS_NETLINK_XFRM_SOCKET
;
1300 case NETLINK_SELINUX
:
1301 return SECCLASS_NETLINK_SELINUX_SOCKET
;
1303 return SECCLASS_NETLINK_ISCSI_SOCKET
;
1305 return SECCLASS_NETLINK_AUDIT_SOCKET
;
1306 case NETLINK_FIB_LOOKUP
:
1307 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET
;
1308 case NETLINK_CONNECTOR
:
1309 return SECCLASS_NETLINK_CONNECTOR_SOCKET
;
1310 case NETLINK_NETFILTER
:
1311 return SECCLASS_NETLINK_NETFILTER_SOCKET
;
1312 case NETLINK_DNRTMSG
:
1313 return SECCLASS_NETLINK_DNRT_SOCKET
;
1314 case NETLINK_KOBJECT_UEVENT
:
1315 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET
;
1316 case NETLINK_GENERIC
:
1317 return SECCLASS_NETLINK_GENERIC_SOCKET
;
1318 case NETLINK_SCSITRANSPORT
:
1319 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET
;
1321 return SECCLASS_NETLINK_RDMA_SOCKET
;
1322 case NETLINK_CRYPTO
:
1323 return SECCLASS_NETLINK_CRYPTO_SOCKET
;
1325 return SECCLASS_NETLINK_SOCKET
;
1328 return SECCLASS_PACKET_SOCKET
;
1330 return SECCLASS_KEY_SOCKET
;
1332 return SECCLASS_APPLETALK_SOCKET
;
1338 return SECCLASS_AX25_SOCKET
;
1340 return SECCLASS_IPX_SOCKET
;
1342 return SECCLASS_NETROM_SOCKET
;
1344 return SECCLASS_ATMPVC_SOCKET
;
1346 return SECCLASS_X25_SOCKET
;
1348 return SECCLASS_ROSE_SOCKET
;
1350 return SECCLASS_DECNET_SOCKET
;
1352 return SECCLASS_ATMSVC_SOCKET
;
1354 return SECCLASS_RDS_SOCKET
;
1356 return SECCLASS_IRDA_SOCKET
;
1358 return SECCLASS_PPPOX_SOCKET
;
1360 return SECCLASS_LLC_SOCKET
;
1362 return SECCLASS_CAN_SOCKET
;
1364 return SECCLASS_TIPC_SOCKET
;
1366 return SECCLASS_BLUETOOTH_SOCKET
;
1368 return SECCLASS_IUCV_SOCKET
;
1370 return SECCLASS_RXRPC_SOCKET
;
1372 return SECCLASS_ISDN_SOCKET
;
1374 return SECCLASS_PHONET_SOCKET
;
1376 return SECCLASS_IEEE802154_SOCKET
;
1378 return SECCLASS_CAIF_SOCKET
;
1380 return SECCLASS_ALG_SOCKET
;
1382 return SECCLASS_NFC_SOCKET
;
1384 return SECCLASS_VSOCK_SOCKET
;
1386 return SECCLASS_KCM_SOCKET
;
1388 return SECCLASS_QIPCRTR_SOCKET
;
1390 return SECCLASS_SMC_SOCKET
;
1392 #error New address family defined, please update this function.
1397 return SECCLASS_SOCKET
;
1400 static int selinux_genfs_get_sid(struct dentry
*dentry
,
1406 struct super_block
*sb
= dentry
->d_sb
;
1407 char *buffer
, *path
;
1409 buffer
= (char *)__get_free_page(GFP_KERNEL
);
1413 path
= dentry_path_raw(dentry
, buffer
, PAGE_SIZE
);
1417 if (flags
& SE_SBPROC
) {
1418 /* each process gets a /proc/PID/ entry. Strip off the
1419 * PID part to get a valid selinux labeling.
1420 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1421 while (path
[1] >= '0' && path
[1] <= '9') {
1426 rc
= security_genfs_sid(sb
->s_type
->name
, path
, tclass
, sid
);
1428 free_page((unsigned long)buffer
);
1432 /* The inode's security attributes must be initialized before first use. */
1433 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
)
1435 struct superblock_security_struct
*sbsec
= NULL
;
1436 struct inode_security_struct
*isec
= selinux_inode(inode
);
1437 u32 task_sid
, sid
= 0;
1439 struct dentry
*dentry
;
1440 #define INITCONTEXTLEN 255
1441 char *context
= NULL
;
1445 if (isec
->initialized
== LABEL_INITIALIZED
)
1448 spin_lock(&isec
->lock
);
1449 if (isec
->initialized
== LABEL_INITIALIZED
)
1452 if (isec
->sclass
== SECCLASS_FILE
)
1453 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1455 sbsec
= selinux_superblock(inode
->i_sb
);
1456 if (!(sbsec
->flags
& SE_SBINITIALIZED
)) {
1457 /* Defer initialization until selinux_complete_init,
1458 after the initial policy is loaded and the security
1459 server is ready to handle calls. */
1460 spin_lock(&sbsec
->isec_lock
);
1461 if (list_empty(&isec
->list
))
1462 list_add(&isec
->list
, &sbsec
->isec_head
);
1463 spin_unlock(&sbsec
->isec_lock
);
1467 sclass
= isec
->sclass
;
1468 task_sid
= isec
->task_sid
;
1470 isec
->initialized
= LABEL_PENDING
;
1471 spin_unlock(&isec
->lock
);
1473 switch (sbsec
->behavior
) {
1474 case SECURITY_FS_USE_NATIVE
:
1476 case SECURITY_FS_USE_XATTR
:
1477 if (!(inode
->i_opflags
& IOP_XATTR
)) {
1478 sid
= sbsec
->def_sid
;
1481 /* Need a dentry, since the xattr API requires one.
1482 Life would be simpler if we could just pass the inode. */
1484 /* Called from d_instantiate or d_splice_alias. */
1485 dentry
= dget(opt_dentry
);
1487 /* Called from selinux_complete_init, try to find a dentry. */
1488 dentry
= d_find_alias(inode
);
1492 * this is can be hit on boot when a file is accessed
1493 * before the policy is loaded. When we load policy we
1494 * may find inodes that have no dentry on the
1495 * sbsec->isec_head list. No reason to complain as these
1496 * will get fixed up the next time we go through
1497 * inode_doinit with a dentry, before these inodes could
1498 * be used again by userspace.
1503 len
= INITCONTEXTLEN
;
1504 context
= kmalloc(len
+1, GFP_NOFS
);
1510 context
[len
] = '\0';
1511 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, context
, len
);
1512 if (rc
== -ERANGE
) {
1515 /* Need a larger buffer. Query for the right size. */
1516 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, NULL
, 0);
1522 context
= kmalloc(len
+1, GFP_NOFS
);
1528 context
[len
] = '\0';
1529 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, context
, len
);
1533 if (rc
!= -ENODATA
) {
1534 printk(KERN_WARNING
"SELinux: %s: getxattr returned "
1535 "%d for dev=%s ino=%ld\n", __func__
,
1536 -rc
, inode
->i_sb
->s_id
, inode
->i_ino
);
1540 /* Map ENODATA to the default file SID */
1541 sid
= sbsec
->def_sid
;
1544 rc
= security_context_to_sid_default(context
, rc
, &sid
,
1548 char *dev
= inode
->i_sb
->s_id
;
1549 unsigned long ino
= inode
->i_ino
;
1551 if (rc
== -EINVAL
) {
1552 if (printk_ratelimit())
1553 printk(KERN_NOTICE
"SELinux: inode=%lu on dev=%s was found to have an invalid "
1554 "context=%s. This indicates you may need to relabel the inode or the "
1555 "filesystem in question.\n", ino
, dev
, context
);
1557 printk(KERN_WARNING
"SELinux: %s: context_to_sid(%s) "
1558 "returned %d for dev=%s ino=%ld\n",
1559 __func__
, context
, -rc
, dev
, ino
);
1562 /* Leave with the unlabeled SID */
1569 case SECURITY_FS_USE_TASK
:
1572 case SECURITY_FS_USE_TRANS
:
1573 /* Default to the fs SID. */
1576 /* Try to obtain a transition SID. */
1577 rc
= security_transition_sid(task_sid
, sid
, sclass
, NULL
, &sid
);
1581 case SECURITY_FS_USE_MNTPOINT
:
1582 sid
= sbsec
->mntpoint_sid
;
1585 /* Default to the fs superblock SID. */
1588 if ((sbsec
->flags
& SE_SBGENFS
) && !S_ISLNK(inode
->i_mode
)) {
1589 /* We must have a dentry to determine the label on
1592 /* Called from d_instantiate or
1593 * d_splice_alias. */
1594 dentry
= dget(opt_dentry
);
1596 /* Called from selinux_complete_init, try to
1598 dentry
= d_find_alias(inode
);
1600 * This can be hit on boot when a file is accessed
1601 * before the policy is loaded. When we load policy we
1602 * may find inodes that have no dentry on the
1603 * sbsec->isec_head list. No reason to complain as
1604 * these will get fixed up the next time we go through
1605 * inode_doinit() with a dentry, before these inodes
1606 * could be used again by userspace.
1610 rc
= selinux_genfs_get_sid(dentry
, sclass
,
1611 sbsec
->flags
, &sid
);
1620 spin_lock(&isec
->lock
);
1621 if (isec
->initialized
== LABEL_PENDING
) {
1623 isec
->initialized
= LABEL_INVALID
;
1627 isec
->initialized
= LABEL_INITIALIZED
;
1632 spin_unlock(&isec
->lock
);
1636 /* Convert a Linux signal to an access vector. */
1637 static inline u32
signal_to_av(int sig
)
1643 /* Commonly granted from child to parent. */
1644 perm
= PROCESS__SIGCHLD
;
1647 /* Cannot be caught or ignored */
1648 perm
= PROCESS__SIGKILL
;
1651 /* Cannot be caught or ignored */
1652 perm
= PROCESS__SIGSTOP
;
1655 /* All other signals. */
1656 perm
= PROCESS__SIGNAL
;
1663 #if CAP_LAST_CAP > 63
1664 #error Fix SELinux to handle capabilities > 63.
1667 /* Check whether a task is allowed to use a capability. */
1668 static int cred_has_capability(const struct cred
*cred
,
1669 int cap
, int audit
, bool initns
)
1671 struct common_audit_data ad
;
1672 struct av_decision avd
;
1674 u32 sid
= cred_sid(cred
);
1675 u32 av
= CAP_TO_MASK(cap
);
1678 ad
.type
= LSM_AUDIT_DATA_CAP
;
1681 switch (CAP_TO_INDEX(cap
)) {
1683 sclass
= initns
? SECCLASS_CAPABILITY
: SECCLASS_CAP_USERNS
;
1686 sclass
= initns
? SECCLASS_CAPABILITY2
: SECCLASS_CAP2_USERNS
;
1690 "SELinux: out of range capability %d\n", cap
);
1695 rc
= avc_has_perm_noaudit(sid
, sid
, sclass
, av
, 0, &avd
);
1696 if (audit
== SECURITY_CAP_AUDIT
) {
1697 int rc2
= avc_audit(sid
, sid
, sclass
, av
, &avd
, rc
, &ad
, 0);
1704 /* Check whether a task has a particular permission to an inode.
1705 The 'adp' parameter is optional and allows other audit
1706 data to be passed (e.g. the dentry). */
1707 static int inode_has_perm(const struct cred
*cred
,
1708 struct inode
*inode
,
1710 struct common_audit_data
*adp
)
1712 struct inode_security_struct
*isec
;
1715 validate_creds(cred
);
1717 if (unlikely(IS_PRIVATE(inode
)))
1720 sid
= cred_sid(cred
);
1721 isec
= selinux_inode(inode
);
1723 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, adp
);
1726 /* Same as inode_has_perm, but pass explicit audit data containing
1727 the dentry to help the auditing code to more easily generate the
1728 pathname if needed. */
1729 static inline int dentry_has_perm(const struct cred
*cred
,
1730 struct dentry
*dentry
,
1733 struct inode
*inode
= d_backing_inode(dentry
);
1734 struct common_audit_data ad
;
1736 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1737 ad
.u
.dentry
= dentry
;
1738 __inode_security_revalidate(inode
, dentry
, true);
1739 return inode_has_perm(cred
, inode
, av
, &ad
);
1742 /* Same as inode_has_perm, but pass explicit audit data containing
1743 the path to help the auditing code to more easily generate the
1744 pathname if needed. */
1745 static inline int path_has_perm(const struct cred
*cred
,
1746 const struct path
*path
,
1749 struct inode
*inode
= d_backing_inode(path
->dentry
);
1750 struct common_audit_data ad
;
1752 ad
.type
= LSM_AUDIT_DATA_PATH
;
1754 __inode_security_revalidate(inode
, path
->dentry
, true);
1755 return inode_has_perm(cred
, inode
, av
, &ad
);
1758 /* Same as path_has_perm, but uses the inode from the file struct. */
1759 static inline int file_path_has_perm(const struct cred
*cred
,
1763 struct common_audit_data ad
;
1765 ad
.type
= LSM_AUDIT_DATA_FILE
;
1767 return inode_has_perm(cred
, file_inode(file
), av
, &ad
);
1770 #ifdef CONFIG_BPF_SYSCALL
1771 static int bpf_fd_pass(struct file
*file
, u32 sid
);
1774 /* Check whether a task can use an open file descriptor to
1775 access an inode in a given way. Check access to the
1776 descriptor itself, and then use dentry_has_perm to
1777 check a particular permission to the file.
1778 Access to the descriptor is implicitly granted if it
1779 has the same SID as the process. If av is zero, then
1780 access to the file is not checked, e.g. for cases
1781 where only the descriptor is affected like seek. */
1782 static int file_has_perm(const struct cred
*cred
,
1786 struct file_security_struct
*fsec
= selinux_file(file
);
1787 struct inode
*inode
= file_inode(file
);
1788 struct common_audit_data ad
;
1789 u32 sid
= cred_sid(cred
);
1792 ad
.type
= LSM_AUDIT_DATA_FILE
;
1795 if (sid
!= fsec
->sid
) {
1796 rc
= avc_has_perm(sid
, fsec
->sid
,
1804 #ifdef CONFIG_BPF_SYSCALL
1805 rc
= bpf_fd_pass(file
, cred_sid(cred
));
1810 /* av is zero if only checking access to the descriptor. */
1813 rc
= inode_has_perm(cred
, inode
, av
, &ad
);
1820 * Determine the label for an inode that might be unioned.
1823 selinux_determine_inode_label(const struct task_security_struct
*tsec
,
1825 const struct qstr
*name
, u16 tclass
,
1828 const struct superblock_security_struct
*sbsec
=
1829 selinux_superblock(dir
->i_sb
);
1831 if ((sbsec
->flags
& SE_SBINITIALIZED
) &&
1832 (sbsec
->behavior
== SECURITY_FS_USE_MNTPOINT
)) {
1833 *_new_isid
= sbsec
->mntpoint_sid
;
1834 } else if ((sbsec
->flags
& SBLABEL_MNT
) &&
1836 *_new_isid
= tsec
->create_sid
;
1838 const struct inode_security_struct
*dsec
= inode_security(dir
);
1839 return security_transition_sid(tsec
->sid
, dsec
->sid
, tclass
,
1846 /* Check whether a task can create a file. */
1847 static int may_create(struct inode
*dir
,
1848 struct dentry
*dentry
,
1851 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
1852 struct inode_security_struct
*dsec
;
1853 struct superblock_security_struct
*sbsec
;
1855 struct common_audit_data ad
;
1858 dsec
= inode_security(dir
);
1859 sbsec
= selinux_superblock(dir
->i_sb
);
1863 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1864 ad
.u
.dentry
= dentry
;
1866 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
,
1867 DIR__ADD_NAME
| DIR__SEARCH
,
1872 rc
= selinux_determine_inode_label(selinux_cred(current_cred()), dir
,
1873 &dentry
->d_name
, tclass
, &newsid
);
1877 rc
= avc_has_perm(sid
, newsid
, tclass
, FILE__CREATE
, &ad
);
1881 return avc_has_perm(newsid
, sbsec
->sid
,
1882 SECCLASS_FILESYSTEM
,
1883 FILESYSTEM__ASSOCIATE
, &ad
);
1887 #define MAY_UNLINK 1
1890 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1891 static int may_link(struct inode
*dir
,
1892 struct dentry
*dentry
,
1896 struct inode_security_struct
*dsec
, *isec
;
1897 struct common_audit_data ad
;
1898 u32 sid
= current_sid();
1902 dsec
= inode_security(dir
);
1903 isec
= backing_inode_security(dentry
);
1905 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1906 ad
.u
.dentry
= dentry
;
1909 av
|= (kind
? DIR__REMOVE_NAME
: DIR__ADD_NAME
);
1910 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1925 printk(KERN_WARNING
"SELinux: %s: unrecognized kind %d\n",
1930 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
, av
, &ad
);
1934 static inline int may_rename(struct inode
*old_dir
,
1935 struct dentry
*old_dentry
,
1936 struct inode
*new_dir
,
1937 struct dentry
*new_dentry
)
1939 struct inode_security_struct
*old_dsec
, *new_dsec
, *old_isec
, *new_isec
;
1940 struct common_audit_data ad
;
1941 u32 sid
= current_sid();
1943 int old_is_dir
, new_is_dir
;
1946 old_dsec
= inode_security(old_dir
);
1947 old_isec
= backing_inode_security(old_dentry
);
1948 old_is_dir
= d_is_dir(old_dentry
);
1949 new_dsec
= inode_security(new_dir
);
1951 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1953 ad
.u
.dentry
= old_dentry
;
1954 rc
= avc_has_perm(sid
, old_dsec
->sid
, SECCLASS_DIR
,
1955 DIR__REMOVE_NAME
| DIR__SEARCH
, &ad
);
1958 rc
= avc_has_perm(sid
, old_isec
->sid
,
1959 old_isec
->sclass
, FILE__RENAME
, &ad
);
1962 if (old_is_dir
&& new_dir
!= old_dir
) {
1963 rc
= avc_has_perm(sid
, old_isec
->sid
,
1964 old_isec
->sclass
, DIR__REPARENT
, &ad
);
1969 ad
.u
.dentry
= new_dentry
;
1970 av
= DIR__ADD_NAME
| DIR__SEARCH
;
1971 if (d_is_positive(new_dentry
))
1972 av
|= DIR__REMOVE_NAME
;
1973 rc
= avc_has_perm(sid
, new_dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1976 if (d_is_positive(new_dentry
)) {
1977 new_isec
= backing_inode_security(new_dentry
);
1978 new_is_dir
= d_is_dir(new_dentry
);
1979 rc
= avc_has_perm(sid
, new_isec
->sid
,
1981 (new_is_dir
? DIR__RMDIR
: FILE__UNLINK
), &ad
);
1989 /* Check whether a task can perform a filesystem operation. */
1990 static int superblock_has_perm(const struct cred
*cred
,
1991 struct super_block
*sb
,
1993 struct common_audit_data
*ad
)
1995 struct superblock_security_struct
*sbsec
;
1996 u32 sid
= cred_sid(cred
);
1998 sbsec
= selinux_superblock(sb
);
1999 return avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
, perms
, ad
);
2002 /* Convert a Linux mode and permission mask to an access vector. */
2003 static inline u32
file_mask_to_av(int mode
, int mask
)
2007 if (!S_ISDIR(mode
)) {
2008 if (mask
& MAY_EXEC
)
2009 av
|= FILE__EXECUTE
;
2010 if (mask
& MAY_READ
)
2013 if (mask
& MAY_APPEND
)
2015 else if (mask
& MAY_WRITE
)
2019 if (mask
& MAY_EXEC
)
2021 if (mask
& MAY_WRITE
)
2023 if (mask
& MAY_READ
)
2030 /* Convert a Linux file to an access vector. */
2031 static inline u32
file_to_av(struct file
*file
)
2035 if (file
->f_mode
& FMODE_READ
)
2037 if (file
->f_mode
& FMODE_WRITE
) {
2038 if (file
->f_flags
& O_APPEND
)
2045 * Special file opened with flags 3 for ioctl-only use.
2054 * Convert a file to an access vector and include the correct open
2057 static inline u32
open_file_to_av(struct file
*file
)
2059 u32 av
= file_to_av(file
);
2060 struct inode
*inode
= file_inode(file
);
2062 if (selinux_policycap_openperm
&& inode
->i_sb
->s_magic
!= SOCKFS_MAGIC
)
2068 /* Hook functions begin here. */
2070 static int selinux_binder_set_context_mgr(struct task_struct
*mgr
)
2072 u32 mysid
= current_sid();
2073 u32 mgrsid
= task_sid(mgr
);
2075 return avc_has_perm(mysid
, mgrsid
, SECCLASS_BINDER
,
2076 BINDER__SET_CONTEXT_MGR
, NULL
);
2079 static int selinux_binder_transaction(struct task_struct
*from
,
2080 struct task_struct
*to
)
2082 u32 mysid
= current_sid();
2083 u32 fromsid
= task_sid(from
);
2084 u32 tosid
= task_sid(to
);
2087 if (mysid
!= fromsid
) {
2088 rc
= avc_has_perm(mysid
, fromsid
, SECCLASS_BINDER
,
2089 BINDER__IMPERSONATE
, NULL
);
2094 return avc_has_perm(fromsid
, tosid
, SECCLASS_BINDER
, BINDER__CALL
,
2098 static int selinux_binder_transfer_binder(struct task_struct
*from
,
2099 struct task_struct
*to
)
2101 u32 fromsid
= task_sid(from
);
2102 u32 tosid
= task_sid(to
);
2104 return avc_has_perm(fromsid
, tosid
, SECCLASS_BINDER
, BINDER__TRANSFER
,
2108 static int selinux_binder_transfer_file(struct task_struct
*from
,
2109 struct task_struct
*to
,
2112 u32 sid
= task_sid(to
);
2113 struct file_security_struct
*fsec
= selinux_file(file
);
2114 struct dentry
*dentry
= file
->f_path
.dentry
;
2115 struct inode_security_struct
*isec
;
2116 struct common_audit_data ad
;
2119 ad
.type
= LSM_AUDIT_DATA_PATH
;
2120 ad
.u
.path
= file
->f_path
;
2122 if (sid
!= fsec
->sid
) {
2123 rc
= avc_has_perm(sid
, fsec
->sid
,
2131 #ifdef CONFIG_BPF_SYSCALL
2132 rc
= bpf_fd_pass(file
, sid
);
2137 if (unlikely(IS_PRIVATE(d_backing_inode(dentry
))))
2140 isec
= backing_inode_security(dentry
);
2141 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, file_to_av(file
),
2145 static int selinux_ptrace_access_check(struct task_struct
*child
,
2148 u32 sid
= current_sid();
2149 u32 csid
= task_sid(child
);
2151 if (mode
& PTRACE_MODE_READ
)
2152 return avc_has_perm(sid
, csid
, SECCLASS_FILE
, FILE__READ
, NULL
);
2154 return avc_has_perm(sid
, csid
, SECCLASS_PROCESS
, PROCESS__PTRACE
, NULL
);
2157 static int selinux_ptrace_traceme(struct task_struct
*parent
)
2159 return avc_has_perm(task_sid(parent
), current_sid(), SECCLASS_PROCESS
,
2160 PROCESS__PTRACE
, NULL
);
2163 static int selinux_capget(struct task_struct
*target
, kernel_cap_t
*effective
,
2164 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
2166 return avc_has_perm(current_sid(), task_sid(target
), SECCLASS_PROCESS
,
2167 PROCESS__GETCAP
, NULL
);
2170 static int selinux_capset(struct cred
*new, const struct cred
*old
,
2171 const kernel_cap_t
*effective
,
2172 const kernel_cap_t
*inheritable
,
2173 const kernel_cap_t
*permitted
)
2175 return avc_has_perm(cred_sid(old
), cred_sid(new), SECCLASS_PROCESS
,
2176 PROCESS__SETCAP
, NULL
);
2180 * (This comment used to live with the selinux_task_setuid hook,
2181 * which was removed).
2183 * Since setuid only affects the current process, and since the SELinux
2184 * controls are not based on the Linux identity attributes, SELinux does not
2185 * need to control this operation. However, SELinux does control the use of
2186 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2189 static int selinux_capable(const struct cred
*cred
, struct user_namespace
*ns
,
2192 return cred_has_capability(cred
, cap
, audit
, ns
== &init_user_ns
);
2195 static int selinux_quotactl(int cmds
, int type
, int id
, struct super_block
*sb
)
2197 const struct cred
*cred
= current_cred();
2209 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAMOD
, NULL
);
2214 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAGET
, NULL
);
2217 rc
= 0; /* let the kernel handle invalid cmds */
2223 static int selinux_quota_on(struct dentry
*dentry
)
2225 const struct cred
*cred
= current_cred();
2227 return dentry_has_perm(cred
, dentry
, FILE__QUOTAON
);
2230 static int selinux_syslog(int type
)
2233 case SYSLOG_ACTION_READ_ALL
: /* Read last kernel messages */
2234 case SYSLOG_ACTION_SIZE_BUFFER
: /* Return size of the log buffer */
2235 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2236 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_READ
, NULL
);
2237 case SYSLOG_ACTION_CONSOLE_OFF
: /* Disable logging to console */
2238 case SYSLOG_ACTION_CONSOLE_ON
: /* Enable logging to console */
2239 /* Set level of messages printed to console */
2240 case SYSLOG_ACTION_CONSOLE_LEVEL
:
2241 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2242 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_CONSOLE
,
2245 /* All other syslog types */
2246 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2247 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_MOD
, NULL
);
2251 * Check that a process has enough memory to allocate a new virtual
2252 * mapping. 0 means there is enough memory for the allocation to
2253 * succeed and -ENOMEM implies there is not.
2255 * Do not audit the selinux permission check, as this is applied to all
2256 * processes that allocate mappings.
2258 static int selinux_vm_enough_memory(struct mm_struct
*mm
, long pages
)
2260 int rc
, cap_sys_admin
= 0;
2262 rc
= cred_has_capability(current_cred(), CAP_SYS_ADMIN
,
2263 SECURITY_CAP_NOAUDIT
, true);
2267 return cap_sys_admin
;
2270 /* binprm security operations */
2272 static u32
ptrace_parent_sid(void)
2275 struct task_struct
*tracer
;
2278 tracer
= ptrace_parent(current
);
2280 sid
= task_sid(tracer
);
2286 static int check_nnp_nosuid(const struct linux_binprm
*bprm
,
2287 const struct task_security_struct
*old_tsec
,
2288 const struct task_security_struct
*new_tsec
)
2290 int nnp
= (bprm
->unsafe
& LSM_UNSAFE_NO_NEW_PRIVS
);
2291 int nosuid
= path_nosuid(&bprm
->file
->f_path
);
2295 if (!nnp
&& !nosuid
)
2296 return 0; /* neither NNP nor nosuid */
2298 if (new_tsec
->sid
== old_tsec
->sid
)
2299 return 0; /* No change in credentials */
2302 * If the policy enables the nnp_nosuid_transition policy capability,
2303 * then we permit transitions under NNP or nosuid if the
2304 * policy allows the corresponding permission between
2305 * the old and new contexts.
2307 if (selinux_policycap_nnp_nosuid_transition
) {
2310 av
|= PROCESS2__NNP_TRANSITION
;
2312 av
|= PROCESS2__NOSUID_TRANSITION
;
2313 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2314 SECCLASS_PROCESS2
, av
, NULL
);
2320 * We also permit NNP or nosuid transitions to bounded SIDs,
2321 * i.e. SIDs that are guaranteed to only be allowed a subset
2322 * of the permissions of the current SID.
2324 rc
= security_bounded_transition(old_tsec
->sid
, new_tsec
->sid
);
2329 * On failure, preserve the errno values for NNP vs nosuid.
2330 * NNP: Operation not permitted for caller.
2331 * nosuid: Permission denied to file.
2338 static int selinux_bprm_set_creds(struct linux_binprm
*bprm
)
2340 const struct task_security_struct
*old_tsec
;
2341 struct task_security_struct
*new_tsec
;
2342 struct inode_security_struct
*isec
;
2343 struct common_audit_data ad
;
2344 struct inode
*inode
= file_inode(bprm
->file
);
2347 /* SELinux context only depends on initial program or script and not
2348 * the script interpreter */
2349 if (bprm
->called_set_creds
)
2352 old_tsec
= selinux_cred(current_cred());
2353 new_tsec
= selinux_cred(bprm
->cred
);
2354 isec
= inode_security(inode
);
2356 /* Default to the current task SID. */
2357 new_tsec
->sid
= old_tsec
->sid
;
2358 new_tsec
->osid
= old_tsec
->sid
;
2360 /* Reset fs, key, and sock SIDs on execve. */
2361 new_tsec
->create_sid
= 0;
2362 new_tsec
->keycreate_sid
= 0;
2363 new_tsec
->sockcreate_sid
= 0;
2365 if (old_tsec
->exec_sid
) {
2366 new_tsec
->sid
= old_tsec
->exec_sid
;
2367 /* Reset exec SID on execve. */
2368 new_tsec
->exec_sid
= 0;
2370 /* Fail on NNP or nosuid if not an allowed transition. */
2371 rc
= check_nnp_nosuid(bprm
, old_tsec
, new_tsec
);
2375 /* Check for a default transition on this program. */
2376 rc
= security_transition_sid(old_tsec
->sid
, isec
->sid
,
2377 SECCLASS_PROCESS
, NULL
,
2383 * Fallback to old SID on NNP or nosuid if not an allowed
2386 rc
= check_nnp_nosuid(bprm
, old_tsec
, new_tsec
);
2388 new_tsec
->sid
= old_tsec
->sid
;
2391 ad
.type
= LSM_AUDIT_DATA_FILE
;
2392 ad
.u
.file
= bprm
->file
;
2394 if (new_tsec
->sid
== old_tsec
->sid
) {
2395 rc
= avc_has_perm(old_tsec
->sid
, isec
->sid
,
2396 SECCLASS_FILE
, FILE__EXECUTE_NO_TRANS
, &ad
);
2400 /* Check permissions for the transition. */
2401 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2402 SECCLASS_PROCESS
, PROCESS__TRANSITION
, &ad
);
2406 rc
= avc_has_perm(new_tsec
->sid
, isec
->sid
,
2407 SECCLASS_FILE
, FILE__ENTRYPOINT
, &ad
);
2411 /* Check for shared state */
2412 if (bprm
->unsafe
& LSM_UNSAFE_SHARE
) {
2413 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2414 SECCLASS_PROCESS
, PROCESS__SHARE
,
2420 /* Make sure that anyone attempting to ptrace over a task that
2421 * changes its SID has the appropriate permit */
2422 if (bprm
->unsafe
& LSM_UNSAFE_PTRACE
) {
2423 u32 ptsid
= ptrace_parent_sid();
2425 rc
= avc_has_perm(ptsid
, new_tsec
->sid
,
2427 PROCESS__PTRACE
, NULL
);
2433 /* Clear any possibly unsafe personality bits on exec: */
2434 bprm
->per_clear
|= PER_CLEAR_ON_SETID
;
2436 /* Enable secure mode for SIDs transitions unless
2437 the noatsecure permission is granted between
2438 the two SIDs, i.e. ahp returns 0. */
2439 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2440 SECCLASS_PROCESS
, PROCESS__NOATSECURE
,
2442 bprm
->secureexec
|= !!rc
;
2448 static int match_file(const void *p
, struct file
*file
, unsigned fd
)
2450 return file_has_perm(p
, file
, file_to_av(file
)) ? fd
+ 1 : 0;
2453 /* Derived from fs/exec.c:flush_old_files. */
2454 static inline void flush_unauthorized_files(const struct cred
*cred
,
2455 struct files_struct
*files
)
2457 struct file
*file
, *devnull
= NULL
;
2458 struct tty_struct
*tty
;
2462 tty
= get_current_tty();
2464 spin_lock(&tty
->files_lock
);
2465 if (!list_empty(&tty
->tty_files
)) {
2466 struct tty_file_private
*file_priv
;
2468 /* Revalidate access to controlling tty.
2469 Use file_path_has_perm on the tty path directly
2470 rather than using file_has_perm, as this particular
2471 open file may belong to another process and we are
2472 only interested in the inode-based check here. */
2473 file_priv
= list_first_entry(&tty
->tty_files
,
2474 struct tty_file_private
, list
);
2475 file
= file_priv
->file
;
2476 if (file_path_has_perm(cred
, file
, FILE__READ
| FILE__WRITE
))
2479 spin_unlock(&tty
->files_lock
);
2482 /* Reset controlling tty. */
2486 /* Revalidate access to inherited open files. */
2487 n
= iterate_fd(files
, 0, match_file
, cred
);
2488 if (!n
) /* none found? */
2491 devnull
= dentry_open(&selinux_null
, O_RDWR
, cred
);
2492 if (IS_ERR(devnull
))
2494 /* replace all the matching ones with this */
2496 replace_fd(n
- 1, devnull
, 0);
2497 } while ((n
= iterate_fd(files
, n
, match_file
, cred
)) != 0);
2503 * Prepare a process for imminent new credential changes due to exec
2505 static void selinux_bprm_committing_creds(struct linux_binprm
*bprm
)
2507 struct task_security_struct
*new_tsec
;
2508 struct rlimit
*rlim
, *initrlim
;
2511 new_tsec
= selinux_cred(bprm
->cred
);
2512 if (new_tsec
->sid
== new_tsec
->osid
)
2515 /* Close files for which the new task SID is not authorized. */
2516 flush_unauthorized_files(bprm
->cred
, current
->files
);
2518 /* Always clear parent death signal on SID transitions. */
2519 current
->pdeath_signal
= 0;
2521 /* Check whether the new SID can inherit resource limits from the old
2522 * SID. If not, reset all soft limits to the lower of the current
2523 * task's hard limit and the init task's soft limit.
2525 * Note that the setting of hard limits (even to lower them) can be
2526 * controlled by the setrlimit check. The inclusion of the init task's
2527 * soft limit into the computation is to avoid resetting soft limits
2528 * higher than the default soft limit for cases where the default is
2529 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2531 rc
= avc_has_perm(new_tsec
->osid
, new_tsec
->sid
, SECCLASS_PROCESS
,
2532 PROCESS__RLIMITINH
, NULL
);
2534 /* protect against do_prlimit() */
2536 for (i
= 0; i
< RLIM_NLIMITS
; i
++) {
2537 rlim
= current
->signal
->rlim
+ i
;
2538 initrlim
= init_task
.signal
->rlim
+ i
;
2539 rlim
->rlim_cur
= min(rlim
->rlim_max
, initrlim
->rlim_cur
);
2541 task_unlock(current
);
2542 if (IS_ENABLED(CONFIG_POSIX_TIMERS
))
2543 update_rlimit_cpu(current
, rlimit(RLIMIT_CPU
));
2548 * Clean up the process immediately after the installation of new credentials
2551 static void selinux_bprm_committed_creds(struct linux_binprm
*bprm
)
2553 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
2554 struct itimerval itimer
;
2564 /* Check whether the new SID can inherit signal state from the old SID.
2565 * If not, clear itimers to avoid subsequent signal generation and
2566 * flush and unblock signals.
2568 * This must occur _after_ the task SID has been updated so that any
2569 * kill done after the flush will be checked against the new SID.
2571 rc
= avc_has_perm(osid
, sid
, SECCLASS_PROCESS
, PROCESS__SIGINH
, NULL
);
2573 if (IS_ENABLED(CONFIG_POSIX_TIMERS
)) {
2574 memset(&itimer
, 0, sizeof itimer
);
2575 for (i
= 0; i
< 3; i
++)
2576 do_setitimer(i
, &itimer
, NULL
);
2578 spin_lock_irq(¤t
->sighand
->siglock
);
2579 if (!fatal_signal_pending(current
)) {
2580 flush_sigqueue(¤t
->pending
);
2581 flush_sigqueue(¤t
->signal
->shared_pending
);
2582 flush_signal_handlers(current
, 1);
2583 sigemptyset(¤t
->blocked
);
2584 recalc_sigpending();
2586 spin_unlock_irq(¤t
->sighand
->siglock
);
2589 /* Wake up the parent if it is waiting so that it can recheck
2590 * wait permission to the new task SID. */
2591 read_lock(&tasklist_lock
);
2592 __wake_up_parent(current
, current
->real_parent
);
2593 read_unlock(&tasklist_lock
);
2596 /* superblock security operations */
2598 static int selinux_sb_alloc_security(struct super_block
*sb
)
2600 return superblock_alloc_security(sb
);
2603 static inline int match_prefix(char *prefix
, int plen
, char *option
, int olen
)
2608 return !memcmp(prefix
, option
, plen
);
2611 static inline int selinux_option(char *option
, int len
)
2613 return (match_prefix(CONTEXT_STR
, sizeof(CONTEXT_STR
)-1, option
, len
) ||
2614 match_prefix(FSCONTEXT_STR
, sizeof(FSCONTEXT_STR
)-1, option
, len
) ||
2615 match_prefix(DEFCONTEXT_STR
, sizeof(DEFCONTEXT_STR
)-1, option
, len
) ||
2616 match_prefix(ROOTCONTEXT_STR
, sizeof(ROOTCONTEXT_STR
)-1, option
, len
) ||
2617 match_prefix(LABELSUPP_STR
, sizeof(LABELSUPP_STR
)-1, option
, len
));
2620 static inline void take_option(char **to
, char *from
, int *first
, int len
)
2627 memcpy(*to
, from
, len
);
2631 static inline void take_selinux_option(char **to
, char *from
, int *first
,
2634 int current_size
= 0;
2642 while (current_size
< len
) {
2652 static int selinux_sb_copy_data(char *orig
, char *copy
)
2654 int fnosec
, fsec
, rc
= 0;
2655 char *in_save
, *in_curr
, *in_end
;
2656 char *sec_curr
, *nosec_save
, *nosec
;
2662 nosec
= (char *)get_zeroed_page(GFP_KERNEL
);
2670 in_save
= in_end
= orig
;
2674 open_quote
= !open_quote
;
2675 if ((*in_end
== ',' && open_quote
== 0) ||
2677 int len
= in_end
- in_curr
;
2679 if (selinux_option(in_curr
, len
))
2680 take_selinux_option(&sec_curr
, in_curr
, &fsec
, len
);
2682 take_option(&nosec
, in_curr
, &fnosec
, len
);
2684 in_curr
= in_end
+ 1;
2686 } while (*in_end
++);
2688 strcpy(in_save
, nosec_save
);
2689 free_page((unsigned long)nosec_save
);
2694 static int selinux_sb_remount(struct super_block
*sb
, void *data
)
2697 struct security_mnt_opts opts
;
2698 char *secdata
, **mount_options
;
2699 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
2701 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
2707 if (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
2710 security_init_mnt_opts(&opts
);
2711 secdata
= alloc_secdata();
2714 rc
= selinux_sb_copy_data(data
, secdata
);
2716 goto out_free_secdata
;
2718 rc
= selinux_parse_opts_str(secdata
, &opts
);
2720 goto out_free_secdata
;
2722 mount_options
= opts
.mnt_opts
;
2723 flags
= opts
.mnt_opts_flags
;
2725 for (i
= 0; i
< opts
.num_mnt_opts
; i
++) {
2728 if (flags
[i
] == SBLABEL_MNT
)
2730 rc
= security_context_str_to_sid(mount_options
[i
], &sid
, GFP_KERNEL
);
2732 printk(KERN_WARNING
"SELinux: security_context_str_to_sid"
2733 "(%s) failed for (dev %s, type %s) errno=%d\n",
2734 mount_options
[i
], sb
->s_id
, sb
->s_type
->name
, rc
);
2740 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
, sid
))
2741 goto out_bad_option
;
2744 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
, sid
))
2745 goto out_bad_option
;
2747 case ROOTCONTEXT_MNT
: {
2748 struct inode_security_struct
*root_isec
;
2749 root_isec
= backing_inode_security(sb
->s_root
);
2751 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
, sid
))
2752 goto out_bad_option
;
2755 case DEFCONTEXT_MNT
:
2756 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
, sid
))
2757 goto out_bad_option
;
2766 security_free_mnt_opts(&opts
);
2768 free_secdata(secdata
);
2771 printk(KERN_WARNING
"SELinux: unable to change security options "
2772 "during remount (dev %s, type=%s)\n", sb
->s_id
,
2777 static int selinux_sb_kern_mount(struct super_block
*sb
, int flags
, void *data
)
2779 const struct cred
*cred
= current_cred();
2780 struct common_audit_data ad
;
2783 rc
= superblock_doinit(sb
, data
);
2787 /* Allow all mounts performed by the kernel */
2788 if (flags
& MS_KERNMOUNT
)
2791 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2792 ad
.u
.dentry
= sb
->s_root
;
2793 return superblock_has_perm(cred
, sb
, FILESYSTEM__MOUNT
, &ad
);
2796 static int selinux_sb_statfs(struct dentry
*dentry
)
2798 const struct cred
*cred
= current_cred();
2799 struct common_audit_data ad
;
2801 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2802 ad
.u
.dentry
= dentry
->d_sb
->s_root
;
2803 return superblock_has_perm(cred
, dentry
->d_sb
, FILESYSTEM__GETATTR
, &ad
);
2806 static int selinux_mount(const char *dev_name
,
2807 const struct path
*path
,
2809 unsigned long flags
,
2812 const struct cred
*cred
= current_cred();
2814 if (flags
& MS_REMOUNT
)
2815 return superblock_has_perm(cred
, path
->dentry
->d_sb
,
2816 FILESYSTEM__REMOUNT
, NULL
);
2818 return path_has_perm(cred
, path
, FILE__MOUNTON
);
2821 static int selinux_umount(struct vfsmount
*mnt
, int flags
)
2823 const struct cred
*cred
= current_cred();
2825 return superblock_has_perm(cred
, mnt
->mnt_sb
,
2826 FILESYSTEM__UNMOUNT
, NULL
);
2829 /* inode security operations */
2831 static int selinux_inode_alloc_security(struct inode
*inode
)
2833 return inode_alloc_security(inode
);
2836 static void selinux_inode_free_security(struct inode
*inode
)
2838 inode_free_security(inode
);
2841 static int selinux_dentry_init_security(struct dentry
*dentry
, int mode
,
2842 const struct qstr
*name
, void **ctx
,
2848 rc
= selinux_determine_inode_label(selinux_cred(current_cred()),
2849 d_inode(dentry
->d_parent
), name
,
2850 inode_mode_to_security_class(mode
),
2855 return security_sid_to_context(newsid
, (char **)ctx
, ctxlen
);
2858 static int selinux_dentry_create_files_as(struct dentry
*dentry
, int mode
,
2860 const struct cred
*old
,
2865 struct task_security_struct
*tsec
;
2867 rc
= selinux_determine_inode_label(selinux_cred(old
),
2868 d_inode(dentry
->d_parent
), name
,
2869 inode_mode_to_security_class(mode
),
2874 tsec
= selinux_cred(new);
2875 tsec
->create_sid
= newsid
;
2879 static int selinux_inode_init_security(struct inode
*inode
, struct inode
*dir
,
2880 const struct qstr
*qstr
,
2882 void **value
, size_t *len
)
2884 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
2885 struct superblock_security_struct
*sbsec
;
2890 sbsec
= selinux_superblock(dir
->i_sb
);
2892 newsid
= tsec
->create_sid
;
2894 rc
= selinux_determine_inode_label(selinux_cred(current_cred()),
2896 inode_mode_to_security_class(inode
->i_mode
),
2901 /* Possibly defer initialization to selinux_complete_init. */
2902 if (sbsec
->flags
& SE_SBINITIALIZED
) {
2903 struct inode_security_struct
*isec
= selinux_inode(inode
);
2904 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
2906 isec
->initialized
= LABEL_INITIALIZED
;
2909 if (!ss_initialized
|| !(sbsec
->flags
& SBLABEL_MNT
))
2913 *name
= XATTR_SELINUX_SUFFIX
;
2916 rc
= security_sid_to_context_force(newsid
, &context
, &clen
);
2926 static int selinux_inode_create(struct inode
*dir
, struct dentry
*dentry
, umode_t mode
)
2928 return may_create(dir
, dentry
, SECCLASS_FILE
);
2931 static int selinux_inode_link(struct dentry
*old_dentry
, struct inode
*dir
, struct dentry
*new_dentry
)
2933 return may_link(dir
, old_dentry
, MAY_LINK
);
2936 static int selinux_inode_unlink(struct inode
*dir
, struct dentry
*dentry
)
2938 return may_link(dir
, dentry
, MAY_UNLINK
);
2941 static int selinux_inode_symlink(struct inode
*dir
, struct dentry
*dentry
, const char *name
)
2943 return may_create(dir
, dentry
, SECCLASS_LNK_FILE
);
2946 static int selinux_inode_mkdir(struct inode
*dir
, struct dentry
*dentry
, umode_t mask
)
2948 return may_create(dir
, dentry
, SECCLASS_DIR
);
2951 static int selinux_inode_rmdir(struct inode
*dir
, struct dentry
*dentry
)
2953 return may_link(dir
, dentry
, MAY_RMDIR
);
2956 static int selinux_inode_mknod(struct inode
*dir
, struct dentry
*dentry
, umode_t mode
, dev_t dev
)
2958 return may_create(dir
, dentry
, inode_mode_to_security_class(mode
));
2961 static int selinux_inode_rename(struct inode
*old_inode
, struct dentry
*old_dentry
,
2962 struct inode
*new_inode
, struct dentry
*new_dentry
)
2964 return may_rename(old_inode
, old_dentry
, new_inode
, new_dentry
);
2967 static int selinux_inode_readlink(struct dentry
*dentry
)
2969 const struct cred
*cred
= current_cred();
2971 return dentry_has_perm(cred
, dentry
, FILE__READ
);
2974 static int selinux_inode_follow_link(struct dentry
*dentry
, struct inode
*inode
,
2977 const struct cred
*cred
= current_cred();
2978 struct common_audit_data ad
;
2979 struct inode_security_struct
*isec
;
2982 validate_creds(cred
);
2984 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2985 ad
.u
.dentry
= dentry
;
2986 sid
= cred_sid(cred
);
2987 isec
= inode_security_rcu(inode
, rcu
);
2989 return PTR_ERR(isec
);
2991 return avc_has_perm_flags(sid
, isec
->sid
, isec
->sclass
, FILE__READ
, &ad
,
2992 rcu
? MAY_NOT_BLOCK
: 0);
2995 static noinline
int audit_inode_permission(struct inode
*inode
,
2996 u32 perms
, u32 audited
, u32 denied
,
3000 struct common_audit_data ad
;
3001 struct inode_security_struct
*isec
= selinux_inode(inode
);
3004 ad
.type
= LSM_AUDIT_DATA_INODE
;
3007 rc
= slow_avc_audit(current_sid(), isec
->sid
, isec
->sclass
, perms
,
3008 audited
, denied
, result
, &ad
, flags
);
3014 static int selinux_inode_permission(struct inode
*inode
, int mask
)
3016 const struct cred
*cred
= current_cred();
3019 unsigned flags
= mask
& MAY_NOT_BLOCK
;
3020 struct inode_security_struct
*isec
;
3022 struct av_decision avd
;
3024 u32 audited
, denied
;
3026 from_access
= mask
& MAY_ACCESS
;
3027 mask
&= (MAY_READ
|MAY_WRITE
|MAY_EXEC
|MAY_APPEND
);
3029 /* No permission to check. Existence test. */
3033 validate_creds(cred
);
3035 if (unlikely(IS_PRIVATE(inode
)))
3038 perms
= file_mask_to_av(inode
->i_mode
, mask
);
3040 sid
= cred_sid(cred
);
3041 isec
= inode_security_rcu(inode
, flags
& MAY_NOT_BLOCK
);
3043 return PTR_ERR(isec
);
3045 rc
= avc_has_perm_noaudit(sid
, isec
->sid
, isec
->sclass
, perms
, 0, &avd
);
3046 audited
= avc_audit_required(perms
, &avd
, rc
,
3047 from_access
? FILE__AUDIT_ACCESS
: 0,
3049 if (likely(!audited
))
3052 rc2
= audit_inode_permission(inode
, perms
, audited
, denied
, rc
, flags
);
3058 static int selinux_inode_setattr(struct dentry
*dentry
, struct iattr
*iattr
)
3060 const struct cred
*cred
= current_cred();
3061 struct inode
*inode
= d_backing_inode(dentry
);
3062 unsigned int ia_valid
= iattr
->ia_valid
;
3063 __u32 av
= FILE__WRITE
;
3065 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3066 if (ia_valid
& ATTR_FORCE
) {
3067 ia_valid
&= ~(ATTR_KILL_SUID
| ATTR_KILL_SGID
| ATTR_MODE
|
3073 if (ia_valid
& (ATTR_MODE
| ATTR_UID
| ATTR_GID
|
3074 ATTR_ATIME_SET
| ATTR_MTIME_SET
| ATTR_TIMES_SET
))
3075 return dentry_has_perm(cred
, dentry
, FILE__SETATTR
);
3077 if (selinux_policycap_openperm
&&
3078 inode
->i_sb
->s_magic
!= SOCKFS_MAGIC
&&
3079 (ia_valid
& ATTR_SIZE
) &&
3080 !(ia_valid
& ATTR_FILE
))
3083 return dentry_has_perm(cred
, dentry
, av
);
3086 static int selinux_inode_getattr(const struct path
*path
)
3088 return path_has_perm(current_cred(), path
, FILE__GETATTR
);
3091 static bool has_cap_mac_admin(bool audit
)
3093 const struct cred
*cred
= current_cred();
3094 int cap_audit
= audit
? SECURITY_CAP_AUDIT
: SECURITY_CAP_NOAUDIT
;
3096 if (cap_capable(cred
, &init_user_ns
, CAP_MAC_ADMIN
, cap_audit
))
3098 if (cred_has_capability(cred
, CAP_MAC_ADMIN
, cap_audit
, true))
3103 static int selinux_inode_setxattr(struct dentry
*dentry
, const char *name
,
3104 const void *value
, size_t size
, int flags
)
3106 struct inode
*inode
= d_backing_inode(dentry
);
3107 struct inode_security_struct
*isec
;
3108 struct superblock_security_struct
*sbsec
;
3109 struct common_audit_data ad
;
3110 u32 newsid
, sid
= current_sid();
3113 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3114 rc
= cap_inode_setxattr(dentry
, name
, value
, size
, flags
);
3118 /* Not an attribute we recognize, so just check the
3119 ordinary setattr permission. */
3120 return dentry_has_perm(current_cred(), dentry
, FILE__SETATTR
);
3123 sbsec
= selinux_superblock(inode
->i_sb
);
3124 if (!(sbsec
->flags
& SBLABEL_MNT
))
3127 if (!inode_owner_or_capable(inode
))
3130 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
3131 ad
.u
.dentry
= dentry
;
3133 isec
= backing_inode_security(dentry
);
3134 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
,
3135 FILE__RELABELFROM
, &ad
);
3139 rc
= security_context_to_sid(value
, size
, &newsid
, GFP_KERNEL
);
3140 if (rc
== -EINVAL
) {
3141 if (!has_cap_mac_admin(true)) {
3142 struct audit_buffer
*ab
;
3145 /* We strip a nul only if it is at the end, otherwise the
3146 * context contains a nul and we should audit that */
3148 const char *str
= value
;
3150 if (str
[size
- 1] == '\0')
3151 audit_size
= size
- 1;
3157 ab
= audit_log_start(current
->audit_context
, GFP_ATOMIC
, AUDIT_SELINUX_ERR
);
3158 audit_log_format(ab
, "op=setxattr invalid_context=");
3159 audit_log_n_untrustedstring(ab
, value
, audit_size
);
3164 rc
= security_context_to_sid_force(value
, size
, &newsid
);
3169 rc
= avc_has_perm(sid
, newsid
, isec
->sclass
,
3170 FILE__RELABELTO
, &ad
);
3174 rc
= security_validate_transition(isec
->sid
, newsid
, sid
,
3179 return avc_has_perm(newsid
,
3181 SECCLASS_FILESYSTEM
,
3182 FILESYSTEM__ASSOCIATE
,
3186 static void selinux_inode_post_setxattr(struct dentry
*dentry
, const char *name
,
3187 const void *value
, size_t size
,
3190 struct inode
*inode
= d_backing_inode(dentry
);
3191 struct inode_security_struct
*isec
;
3195 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3196 /* Not an attribute we recognize, so nothing to do. */
3200 rc
= security_context_to_sid_force(value
, size
, &newsid
);
3202 printk(KERN_ERR
"SELinux: unable to map context to SID"
3203 "for (%s, %lu), rc=%d\n",
3204 inode
->i_sb
->s_id
, inode
->i_ino
, -rc
);
3208 isec
= backing_inode_security(dentry
);
3209 spin_lock(&isec
->lock
);
3210 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3212 isec
->initialized
= LABEL_INITIALIZED
;
3213 spin_unlock(&isec
->lock
);
3218 static int selinux_inode_getxattr(struct dentry
*dentry
, const char *name
)
3220 const struct cred
*cred
= current_cred();
3222 return dentry_has_perm(cred
, dentry
, FILE__GETATTR
);
3225 static int selinux_inode_listxattr(struct dentry
*dentry
)
3227 const struct cred
*cred
= current_cred();
3229 return dentry_has_perm(cred
, dentry
, FILE__GETATTR
);
3232 static int selinux_inode_removexattr(struct dentry
*dentry
, const char *name
)
3234 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3235 int rc
= cap_inode_removexattr(dentry
, name
);
3239 /* Not an attribute we recognize, so just check the
3240 ordinary setattr permission. */
3241 return dentry_has_perm(current_cred(), dentry
, FILE__SETATTR
);
3244 /* No one is allowed to remove a SELinux security label.
3245 You can change the label, but all data must be labeled. */
3250 * Copy the inode security context value to the user.
3252 * Permission check is handled by selinux_inode_getxattr hook.
3254 static int selinux_inode_getsecurity(struct inode
*inode
, const char *name
, void **buffer
, bool alloc
)
3258 char *context
= NULL
;
3259 struct inode_security_struct
*isec
;
3261 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
3265 * If the caller has CAP_MAC_ADMIN, then get the raw context
3266 * value even if it is not defined by current policy; otherwise,
3267 * use the in-core value under current policy.
3268 * Use the non-auditing forms of the permission checks since
3269 * getxattr may be called by unprivileged processes commonly
3270 * and lack of permission just means that we fall back to the
3271 * in-core context value, not a denial.
3273 isec
= inode_security(inode
);
3274 if (has_cap_mac_admin(false))
3275 error
= security_sid_to_context_force(isec
->sid
, &context
,
3278 error
= security_sid_to_context(isec
->sid
, &context
, &size
);
3291 static int selinux_inode_setsecurity(struct inode
*inode
, const char *name
,
3292 const void *value
, size_t size
, int flags
)
3294 struct inode_security_struct
*isec
= inode_security_novalidate(inode
);
3298 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
3301 if (!value
|| !size
)
3304 rc
= security_context_to_sid(value
, size
, &newsid
, GFP_KERNEL
);
3308 spin_lock(&isec
->lock
);
3309 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3311 isec
->initialized
= LABEL_INITIALIZED
;
3312 spin_unlock(&isec
->lock
);
3316 static int selinux_inode_listsecurity(struct inode
*inode
, char *buffer
, size_t buffer_size
)
3318 const int len
= sizeof(XATTR_NAME_SELINUX
);
3319 if (buffer
&& len
<= buffer_size
)
3320 memcpy(buffer
, XATTR_NAME_SELINUX
, len
);
3324 static void selinux_inode_getsecid(struct inode
*inode
, u32
*secid
)
3326 struct inode_security_struct
*isec
= inode_security_novalidate(inode
);
3330 static int selinux_inode_copy_up(struct dentry
*src
, struct cred
**new)
3333 struct task_security_struct
*tsec
;
3334 struct cred
*new_creds
= *new;
3336 if (new_creds
== NULL
) {
3337 new_creds
= prepare_creds();
3342 tsec
= selinux_cred(new_creds
);
3343 /* Get label from overlay inode and set it in create_sid */
3344 selinux_inode_getsecid(d_inode(src
), &sid
);
3345 tsec
->create_sid
= sid
;
3350 static int selinux_inode_copy_up_xattr(const char *name
)
3352 /* The copy_up hook above sets the initial context on an inode, but we
3353 * don't then want to overwrite it by blindly copying all the lower
3354 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3356 if (strcmp(name
, XATTR_NAME_SELINUX
) == 0)
3357 return 1; /* Discard */
3359 * Any other attribute apart from SELINUX is not claimed, supported
3365 /* file security operations */
3367 static int selinux_revalidate_file_permission(struct file
*file
, int mask
)
3369 const struct cred
*cred
= current_cred();
3370 struct inode
*inode
= file_inode(file
);
3372 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3373 if ((file
->f_flags
& O_APPEND
) && (mask
& MAY_WRITE
))
3376 return file_has_perm(cred
, file
,
3377 file_mask_to_av(inode
->i_mode
, mask
));
3380 static int selinux_file_permission(struct file
*file
, int mask
)
3382 struct inode
*inode
= file_inode(file
);
3383 struct file_security_struct
*fsec
= selinux_file(file
);
3384 struct inode_security_struct
*isec
;
3385 u32 sid
= current_sid();
3388 /* No permission to check. Existence test. */
3391 isec
= inode_security(inode
);
3392 if (sid
== fsec
->sid
&& fsec
->isid
== isec
->sid
&&
3393 fsec
->pseqno
== avc_policy_seqno())
3394 /* No change since file_open check. */
3397 return selinux_revalidate_file_permission(file
, mask
);
3400 static int selinux_file_alloc_security(struct file
*file
)
3402 return file_alloc_security(file
);
3406 * Check whether a task has the ioctl permission and cmd
3407 * operation to an inode.
3409 static int ioctl_has_perm(const struct cred
*cred
, struct file
*file
,
3410 u32 requested
, u16 cmd
)
3412 struct common_audit_data ad
;
3413 struct file_security_struct
*fsec
= selinux_file(file
);
3414 struct inode
*inode
= file_inode(file
);
3415 struct inode_security_struct
*isec
;
3416 struct lsm_ioctlop_audit ioctl
;
3417 u32 ssid
= cred_sid(cred
);
3419 u8 driver
= cmd
>> 8;
3420 u8 xperm
= cmd
& 0xff;
3422 ad
.type
= LSM_AUDIT_DATA_IOCTL_OP
;
3425 ad
.u
.op
->path
= file
->f_path
;
3427 if (ssid
!= fsec
->sid
) {
3428 rc
= avc_has_perm(ssid
, fsec
->sid
,
3436 if (unlikely(IS_PRIVATE(inode
)))
3439 isec
= inode_security(inode
);
3440 rc
= avc_has_extended_perms(ssid
, isec
->sid
, isec
->sclass
,
3441 requested
, driver
, xperm
, &ad
);
3446 static int selinux_file_ioctl(struct file
*file
, unsigned int cmd
,
3449 const struct cred
*cred
= current_cred();
3459 case FS_IOC_GETFLAGS
:
3461 case FS_IOC_GETVERSION
:
3462 error
= file_has_perm(cred
, file
, FILE__GETATTR
);
3465 case FS_IOC_SETFLAGS
:
3467 case FS_IOC_SETVERSION
:
3468 error
= file_has_perm(cred
, file
, FILE__SETATTR
);
3471 /* sys_ioctl() checks */
3475 error
= file_has_perm(cred
, file
, 0);
3480 error
= cred_has_capability(cred
, CAP_SYS_TTY_CONFIG
,
3481 SECURITY_CAP_AUDIT
, true);
3484 /* default case assumes that the command will go
3485 * to the file's ioctl() function.
3488 error
= ioctl_has_perm(cred
, file
, FILE__IOCTL
, (u16
) cmd
);
3493 static int default_noexec
;
3495 static int file_map_prot_check(struct file
*file
, unsigned long prot
, int shared
)
3497 const struct cred
*cred
= current_cred();
3498 u32 sid
= cred_sid(cred
);
3501 if (default_noexec
&&
3502 (prot
& PROT_EXEC
) && (!file
|| IS_PRIVATE(file_inode(file
)) ||
3503 (!shared
&& (prot
& PROT_WRITE
)))) {
3505 * We are making executable an anonymous mapping or a
3506 * private file mapping that will also be writable.
3507 * This has an additional check.
3509 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3510 PROCESS__EXECMEM
, NULL
);
3516 /* read access is always possible with a mapping */
3517 u32 av
= FILE__READ
;
3519 /* write access only matters if the mapping is shared */
3520 if (shared
&& (prot
& PROT_WRITE
))
3523 if (prot
& PROT_EXEC
)
3524 av
|= FILE__EXECUTE
;
3526 return file_has_perm(cred
, file
, av
);
3533 static int selinux_mmap_addr(unsigned long addr
)
3537 if (addr
< CONFIG_LSM_MMAP_MIN_ADDR
) {
3538 u32 sid
= current_sid();
3539 rc
= avc_has_perm(sid
, sid
, SECCLASS_MEMPROTECT
,
3540 MEMPROTECT__MMAP_ZERO
, NULL
);
3546 static int selinux_mmap_file(struct file
*file
, unsigned long reqprot
,
3547 unsigned long prot
, unsigned long flags
)
3549 struct common_audit_data ad
;
3553 ad
.type
= LSM_AUDIT_DATA_FILE
;
3555 rc
= inode_has_perm(current_cred(), file_inode(file
),
3561 if (selinux_checkreqprot
)
3564 return file_map_prot_check(file
, prot
,
3565 (flags
& MAP_TYPE
) == MAP_SHARED
);
3568 static int selinux_file_mprotect(struct vm_area_struct
*vma
,
3569 unsigned long reqprot
,
3572 const struct cred
*cred
= current_cred();
3573 u32 sid
= cred_sid(cred
);
3575 if (selinux_checkreqprot
)
3578 if (default_noexec
&&
3579 (prot
& PROT_EXEC
) && !(vma
->vm_flags
& VM_EXEC
)) {
3581 if (vma
->vm_start
>= vma
->vm_mm
->start_brk
&&
3582 vma
->vm_end
<= vma
->vm_mm
->brk
) {
3583 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3584 PROCESS__EXECHEAP
, NULL
);
3585 } else if (!vma
->vm_file
&&
3586 ((vma
->vm_start
<= vma
->vm_mm
->start_stack
&&
3587 vma
->vm_end
>= vma
->vm_mm
->start_stack
) ||
3588 vma_is_stack_for_current(vma
))) {
3589 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3590 PROCESS__EXECSTACK
, NULL
);
3591 } else if (vma
->vm_file
&& vma
->anon_vma
) {
3593 * We are making executable a file mapping that has
3594 * had some COW done. Since pages might have been
3595 * written, check ability to execute the possibly
3596 * modified content. This typically should only
3597 * occur for text relocations.
3599 rc
= file_has_perm(cred
, vma
->vm_file
, FILE__EXECMOD
);
3605 return file_map_prot_check(vma
->vm_file
, prot
, vma
->vm_flags
&VM_SHARED
);
3608 static int selinux_file_lock(struct file
*file
, unsigned int cmd
)
3610 const struct cred
*cred
= current_cred();
3612 return file_has_perm(cred
, file
, FILE__LOCK
);
3615 static int selinux_file_fcntl(struct file
*file
, unsigned int cmd
,
3618 const struct cred
*cred
= current_cred();
3623 if ((file
->f_flags
& O_APPEND
) && !(arg
& O_APPEND
)) {
3624 err
= file_has_perm(cred
, file
, FILE__WRITE
);
3633 case F_GETOWNER_UIDS
:
3634 /* Just check FD__USE permission */
3635 err
= file_has_perm(cred
, file
, 0);
3643 #if BITS_PER_LONG == 32
3648 err
= file_has_perm(cred
, file
, FILE__LOCK
);
3655 static void selinux_file_set_fowner(struct file
*file
)
3657 struct file_security_struct
*fsec
;
3659 fsec
= selinux_file(file
);
3660 fsec
->fown_sid
= current_sid();
3663 static int selinux_file_send_sigiotask(struct task_struct
*tsk
,
3664 struct fown_struct
*fown
, int signum
)
3667 u32 sid
= task_sid(tsk
);
3669 struct file_security_struct
*fsec
;
3671 /* struct fown_struct is never outside the context of a struct file */
3672 file
= container_of(fown
, struct file
, f_owner
);
3674 fsec
= selinux_file(file
);
3677 perm
= signal_to_av(SIGIO
); /* as per send_sigio_to_task */
3679 perm
= signal_to_av(signum
);
3681 return avc_has_perm(fsec
->fown_sid
, sid
,
3682 SECCLASS_PROCESS
, perm
, NULL
);
3685 static int selinux_file_receive(struct file
*file
)
3687 const struct cred
*cred
= current_cred();
3689 return file_has_perm(cred
, file
, file_to_av(file
));
3692 static int selinux_file_open(struct file
*file
, const struct cred
*cred
)
3694 struct file_security_struct
*fsec
;
3695 struct inode_security_struct
*isec
;
3697 fsec
= selinux_file(file
);
3698 isec
= inode_security(file_inode(file
));
3700 * Save inode label and policy sequence number
3701 * at open-time so that selinux_file_permission
3702 * can determine whether revalidation is necessary.
3703 * Task label is already saved in the file security
3704 * struct as its SID.
3706 fsec
->isid
= isec
->sid
;
3707 fsec
->pseqno
= avc_policy_seqno();
3709 * Since the inode label or policy seqno may have changed
3710 * between the selinux_inode_permission check and the saving
3711 * of state above, recheck that access is still permitted.
3712 * Otherwise, access might never be revalidated against the
3713 * new inode label or new policy.
3714 * This check is not redundant - do not remove.
3716 return file_path_has_perm(cred
, file
, open_file_to_av(file
));
3719 /* task security operations */
3721 static int selinux_task_alloc(struct task_struct
*task
,
3722 unsigned long clone_flags
)
3724 u32 sid
= current_sid();
3726 return avc_has_perm(sid
, sid
, SECCLASS_PROCESS
, PROCESS__FORK
, NULL
);
3730 * prepare a new set of credentials for modification
3732 static int selinux_cred_prepare(struct cred
*new, const struct cred
*old
,
3735 const struct task_security_struct
*old_tsec
= selinux_cred(old
);
3736 struct task_security_struct
*tsec
= selinux_cred(new);
3744 * transfer the SELinux data to a blank set of creds
3746 static void selinux_cred_transfer(struct cred
*new, const struct cred
*old
)
3748 const struct task_security_struct
*old_tsec
= selinux_cred(old
);
3749 struct task_security_struct
*tsec
= selinux_cred(new);
3755 * set the security data for a kernel service
3756 * - all the creation contexts are set to unlabelled
3758 static int selinux_kernel_act_as(struct cred
*new, u32 secid
)
3760 struct task_security_struct
*tsec
= selinux_cred(new);
3761 u32 sid
= current_sid();
3764 ret
= avc_has_perm(sid
, secid
,
3765 SECCLASS_KERNEL_SERVICE
,
3766 KERNEL_SERVICE__USE_AS_OVERRIDE
,
3770 tsec
->create_sid
= 0;
3771 tsec
->keycreate_sid
= 0;
3772 tsec
->sockcreate_sid
= 0;
3778 * set the file creation context in a security record to the same as the
3779 * objective context of the specified inode
3781 static int selinux_kernel_create_files_as(struct cred
*new, struct inode
*inode
)
3783 struct inode_security_struct
*isec
= inode_security(inode
);
3784 struct task_security_struct
*tsec
= selinux_cred(new);
3785 u32 sid
= current_sid();
3788 ret
= avc_has_perm(sid
, isec
->sid
,
3789 SECCLASS_KERNEL_SERVICE
,
3790 KERNEL_SERVICE__CREATE_FILES_AS
,
3794 tsec
->create_sid
= isec
->sid
;
3798 static int selinux_kernel_module_request(char *kmod_name
)
3800 struct common_audit_data ad
;
3802 ad
.type
= LSM_AUDIT_DATA_KMOD
;
3803 ad
.u
.kmod_name
= kmod_name
;
3805 return avc_has_perm(current_sid(), SECINITSID_KERNEL
, SECCLASS_SYSTEM
,
3806 SYSTEM__MODULE_REQUEST
, &ad
);
3809 static int selinux_kernel_module_from_file(struct file
*file
)
3811 struct common_audit_data ad
;
3812 struct inode_security_struct
*isec
;
3813 struct file_security_struct
*fsec
;
3814 u32 sid
= current_sid();
3819 return avc_has_perm(sid
, sid
, SECCLASS_SYSTEM
,
3820 SYSTEM__MODULE_LOAD
, NULL
);
3824 ad
.type
= LSM_AUDIT_DATA_FILE
;
3827 fsec
= selinux_file(file
);
3828 if (sid
!= fsec
->sid
) {
3829 rc
= avc_has_perm(sid
, fsec
->sid
, SECCLASS_FD
, FD__USE
, &ad
);
3834 isec
= inode_security(file_inode(file
));
3835 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SYSTEM
,
3836 SYSTEM__MODULE_LOAD
, &ad
);
3839 static int selinux_kernel_read_file(struct file
*file
,
3840 enum kernel_read_file_id id
)
3845 case READING_MODULE
:
3846 rc
= selinux_kernel_module_from_file(file
);
3855 static int selinux_task_setpgid(struct task_struct
*p
, pid_t pgid
)
3857 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3858 PROCESS__SETPGID
, NULL
);
3861 static int selinux_task_getpgid(struct task_struct
*p
)
3863 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3864 PROCESS__GETPGID
, NULL
);
3867 static int selinux_task_getsid(struct task_struct
*p
)
3869 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3870 PROCESS__GETSESSION
, NULL
);
3873 static void selinux_task_getsecid(struct task_struct
*p
, u32
*secid
)
3875 *secid
= task_sid(p
);
3878 static int selinux_task_setnice(struct task_struct
*p
, int nice
)
3880 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3881 PROCESS__SETSCHED
, NULL
);
3884 static int selinux_task_setioprio(struct task_struct
*p
, int ioprio
)
3886 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3887 PROCESS__SETSCHED
, NULL
);
3890 static int selinux_task_getioprio(struct task_struct
*p
)
3892 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3893 PROCESS__GETSCHED
, NULL
);
3896 static int selinux_task_prlimit(const struct cred
*cred
, const struct cred
*tcred
,
3903 if (flags
& LSM_PRLIMIT_WRITE
)
3904 av
|= PROCESS__SETRLIMIT
;
3905 if (flags
& LSM_PRLIMIT_READ
)
3906 av
|= PROCESS__GETRLIMIT
;
3907 return avc_has_perm(cred_sid(cred
), cred_sid(tcred
),
3908 SECCLASS_PROCESS
, av
, NULL
);
3911 static int selinux_task_setrlimit(struct task_struct
*p
, unsigned int resource
,
3912 struct rlimit
*new_rlim
)
3914 struct rlimit
*old_rlim
= p
->signal
->rlim
+ resource
;
3916 /* Control the ability to change the hard limit (whether
3917 lowering or raising it), so that the hard limit can
3918 later be used as a safe reset point for the soft limit
3919 upon context transitions. See selinux_bprm_committing_creds. */
3920 if (old_rlim
->rlim_max
!= new_rlim
->rlim_max
)
3921 return avc_has_perm(current_sid(), task_sid(p
),
3922 SECCLASS_PROCESS
, PROCESS__SETRLIMIT
, NULL
);
3927 static int selinux_task_setscheduler(struct task_struct
*p
)
3929 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3930 PROCESS__SETSCHED
, NULL
);
3933 static int selinux_task_getscheduler(struct task_struct
*p
)
3935 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3936 PROCESS__GETSCHED
, NULL
);
3939 static int selinux_task_movememory(struct task_struct
*p
)
3941 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3942 PROCESS__SETSCHED
, NULL
);
3945 static int selinux_task_kill(struct task_struct
*p
, struct siginfo
*info
,
3951 perm
= PROCESS__SIGNULL
; /* null signal; existence test */
3953 perm
= signal_to_av(sig
);
3955 secid
= current_sid();
3956 return avc_has_perm(secid
, task_sid(p
), SECCLASS_PROCESS
, perm
, NULL
);
3959 static void selinux_task_to_inode(struct task_struct
*p
,
3960 struct inode
*inode
)
3962 struct inode_security_struct
*isec
= selinux_inode(inode
);
3963 u32 sid
= task_sid(p
);
3965 spin_lock(&isec
->lock
);
3966 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3968 isec
->initialized
= LABEL_INITIALIZED
;
3969 spin_unlock(&isec
->lock
);
3972 /* Returns error only if unable to parse addresses */
3973 static int selinux_parse_skb_ipv4(struct sk_buff
*skb
,
3974 struct common_audit_data
*ad
, u8
*proto
)
3976 int offset
, ihlen
, ret
= -EINVAL
;
3977 struct iphdr _iph
, *ih
;
3979 offset
= skb_network_offset(skb
);
3980 ih
= skb_header_pointer(skb
, offset
, sizeof(_iph
), &_iph
);
3984 ihlen
= ih
->ihl
* 4;
3985 if (ihlen
< sizeof(_iph
))
3988 ad
->u
.net
->v4info
.saddr
= ih
->saddr
;
3989 ad
->u
.net
->v4info
.daddr
= ih
->daddr
;
3993 *proto
= ih
->protocol
;
3995 switch (ih
->protocol
) {
3997 struct tcphdr _tcph
, *th
;
3999 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4003 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
4007 ad
->u
.net
->sport
= th
->source
;
4008 ad
->u
.net
->dport
= th
->dest
;
4013 struct udphdr _udph
, *uh
;
4015 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4019 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
4023 ad
->u
.net
->sport
= uh
->source
;
4024 ad
->u
.net
->dport
= uh
->dest
;
4028 case IPPROTO_DCCP
: {
4029 struct dccp_hdr _dccph
, *dh
;
4031 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4035 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
4039 ad
->u
.net
->sport
= dh
->dccph_sport
;
4040 ad
->u
.net
->dport
= dh
->dccph_dport
;
4051 #if IS_ENABLED(CONFIG_IPV6)
4053 /* Returns error only if unable to parse addresses */
4054 static int selinux_parse_skb_ipv6(struct sk_buff
*skb
,
4055 struct common_audit_data
*ad
, u8
*proto
)
4058 int ret
= -EINVAL
, offset
;
4059 struct ipv6hdr _ipv6h
, *ip6
;
4062 offset
= skb_network_offset(skb
);
4063 ip6
= skb_header_pointer(skb
, offset
, sizeof(_ipv6h
), &_ipv6h
);
4067 ad
->u
.net
->v6info
.saddr
= ip6
->saddr
;
4068 ad
->u
.net
->v6info
.daddr
= ip6
->daddr
;
4071 nexthdr
= ip6
->nexthdr
;
4072 offset
+= sizeof(_ipv6h
);
4073 offset
= ipv6_skip_exthdr(skb
, offset
, &nexthdr
, &frag_off
);
4082 struct tcphdr _tcph
, *th
;
4084 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
4088 ad
->u
.net
->sport
= th
->source
;
4089 ad
->u
.net
->dport
= th
->dest
;
4094 struct udphdr _udph
, *uh
;
4096 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
4100 ad
->u
.net
->sport
= uh
->source
;
4101 ad
->u
.net
->dport
= uh
->dest
;
4105 case IPPROTO_DCCP
: {
4106 struct dccp_hdr _dccph
, *dh
;
4108 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
4112 ad
->u
.net
->sport
= dh
->dccph_sport
;
4113 ad
->u
.net
->dport
= dh
->dccph_dport
;
4117 /* includes fragments */
4127 static int selinux_parse_skb(struct sk_buff
*skb
, struct common_audit_data
*ad
,
4128 char **_addrp
, int src
, u8
*proto
)
4133 switch (ad
->u
.net
->family
) {
4135 ret
= selinux_parse_skb_ipv4(skb
, ad
, proto
);
4138 addrp
= (char *)(src
? &ad
->u
.net
->v4info
.saddr
:
4139 &ad
->u
.net
->v4info
.daddr
);
4142 #if IS_ENABLED(CONFIG_IPV6)
4144 ret
= selinux_parse_skb_ipv6(skb
, ad
, proto
);
4147 addrp
= (char *)(src
? &ad
->u
.net
->v6info
.saddr
:
4148 &ad
->u
.net
->v6info
.daddr
);
4158 "SELinux: failure in selinux_parse_skb(),"
4159 " unable to parse packet\n");
4169 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4171 * @family: protocol family
4172 * @sid: the packet's peer label SID
4175 * Check the various different forms of network peer labeling and determine
4176 * the peer label/SID for the packet; most of the magic actually occurs in
4177 * the security server function security_net_peersid_cmp(). The function
4178 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4179 * or -EACCES if @sid is invalid due to inconsistencies with the different
4183 static int selinux_skb_peerlbl_sid(struct sk_buff
*skb
, u16 family
, u32
*sid
)
4190 err
= selinux_xfrm_skb_sid(skb
, &xfrm_sid
);
4193 err
= selinux_netlbl_skbuff_getsid(skb
, family
, &nlbl_type
, &nlbl_sid
);
4197 err
= security_net_peersid_resolve(nlbl_sid
, nlbl_type
, xfrm_sid
, sid
);
4198 if (unlikely(err
)) {
4200 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4201 " unable to determine packet's peer label\n");
4209 * selinux_conn_sid - Determine the child socket label for a connection
4210 * @sk_sid: the parent socket's SID
4211 * @skb_sid: the packet's SID
4212 * @conn_sid: the resulting connection SID
4214 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4215 * combined with the MLS information from @skb_sid in order to create
4216 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4217 * of @sk_sid. Returns zero on success, negative values on failure.
4220 static int selinux_conn_sid(u32 sk_sid
, u32 skb_sid
, u32
*conn_sid
)
4224 if (skb_sid
!= SECSID_NULL
)
4225 err
= security_sid_mls_copy(sk_sid
, skb_sid
, conn_sid
);
4232 /* socket security operations */
4234 static int socket_sockcreate_sid(const struct task_security_struct
*tsec
,
4235 u16 secclass
, u32
*socksid
)
4237 if (tsec
->sockcreate_sid
> SECSID_NULL
) {
4238 *socksid
= tsec
->sockcreate_sid
;
4242 return security_transition_sid(tsec
->sid
, tsec
->sid
, secclass
, NULL
,
4246 static int sock_has_perm(struct sock
*sk
, u32 perms
)
4248 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4249 struct common_audit_data ad
;
4250 struct lsm_network_audit net
= {0,};
4252 if (sksec
->sid
== SECINITSID_KERNEL
)
4255 ad
.type
= LSM_AUDIT_DATA_NET
;
4259 return avc_has_perm(current_sid(), sksec
->sid
, sksec
->sclass
, perms
,
4263 static int selinux_socket_create(int family
, int type
,
4264 int protocol
, int kern
)
4266 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
4274 secclass
= socket_type_to_security_class(family
, type
, protocol
);
4275 rc
= socket_sockcreate_sid(tsec
, secclass
, &newsid
);
4279 return avc_has_perm(tsec
->sid
, newsid
, secclass
, SOCKET__CREATE
, NULL
);
4282 static int selinux_socket_post_create(struct socket
*sock
, int family
,
4283 int type
, int protocol
, int kern
)
4285 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
4286 struct inode_security_struct
*isec
= inode_security_novalidate(SOCK_INODE(sock
));
4287 struct sk_security_struct
*sksec
;
4288 u16 sclass
= socket_type_to_security_class(family
, type
, protocol
);
4289 u32 sid
= SECINITSID_KERNEL
;
4293 err
= socket_sockcreate_sid(tsec
, sclass
, &sid
);
4298 isec
->sclass
= sclass
;
4300 isec
->initialized
= LABEL_INITIALIZED
;
4303 sksec
= selinux_sock(sock
->sk
);
4304 sksec
->sclass
= sclass
;
4306 err
= selinux_netlbl_socket_post_create(sock
->sk
, family
);
4312 /* Range of port numbers used to automatically bind.
4313 Need to determine whether we should perform a name_bind
4314 permission check between the socket and the port number. */
4316 static int selinux_socket_bind(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
4318 struct sock
*sk
= sock
->sk
;
4322 err
= sock_has_perm(sk
, SOCKET__BIND
);
4327 * If PF_INET or PF_INET6, check name_bind permission for the port.
4328 * Multiple address binding for SCTP is not supported yet: we just
4329 * check the first address now.
4331 family
= sk
->sk_family
;
4332 if (family
== PF_INET
|| family
== PF_INET6
) {
4334 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4335 struct common_audit_data ad
;
4336 struct lsm_network_audit net
= {0,};
4337 struct sockaddr_in
*addr4
= NULL
;
4338 struct sockaddr_in6
*addr6
= NULL
;
4339 unsigned short snum
;
4342 if (family
== PF_INET
) {
4343 if (addrlen
< sizeof(struct sockaddr_in
)) {
4347 addr4
= (struct sockaddr_in
*)address
;
4348 snum
= ntohs(addr4
->sin_port
);
4349 addrp
= (char *)&addr4
->sin_addr
.s_addr
;
4351 if (addrlen
< SIN6_LEN_RFC2133
) {
4355 addr6
= (struct sockaddr_in6
*)address
;
4356 snum
= ntohs(addr6
->sin6_port
);
4357 addrp
= (char *)&addr6
->sin6_addr
.s6_addr
;
4363 inet_get_local_port_range(sock_net(sk
), &low
, &high
);
4365 if (snum
< max(inet_prot_sock(sock_net(sk
)), low
) ||
4367 err
= sel_netport_sid(sk
->sk_protocol
,
4371 ad
.type
= LSM_AUDIT_DATA_NET
;
4373 ad
.u
.net
->sport
= htons(snum
);
4374 ad
.u
.net
->family
= family
;
4375 err
= avc_has_perm(sksec
->sid
, sid
,
4377 SOCKET__NAME_BIND
, &ad
);
4383 switch (sksec
->sclass
) {
4384 case SECCLASS_TCP_SOCKET
:
4385 node_perm
= TCP_SOCKET__NODE_BIND
;
4388 case SECCLASS_UDP_SOCKET
:
4389 node_perm
= UDP_SOCKET__NODE_BIND
;
4392 case SECCLASS_DCCP_SOCKET
:
4393 node_perm
= DCCP_SOCKET__NODE_BIND
;
4397 node_perm
= RAWIP_SOCKET__NODE_BIND
;
4401 err
= sel_netnode_sid(addrp
, family
, &sid
);
4405 ad
.type
= LSM_AUDIT_DATA_NET
;
4407 ad
.u
.net
->sport
= htons(snum
);
4408 ad
.u
.net
->family
= family
;
4410 if (family
== PF_INET
)
4411 ad
.u
.net
->v4info
.saddr
= addr4
->sin_addr
.s_addr
;
4413 ad
.u
.net
->v6info
.saddr
= addr6
->sin6_addr
;
4415 err
= avc_has_perm(sksec
->sid
, sid
,
4416 sksec
->sclass
, node_perm
, &ad
);
4424 static int selinux_socket_connect(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
4426 struct sock
*sk
= sock
->sk
;
4427 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4430 err
= sock_has_perm(sk
, SOCKET__CONNECT
);
4435 * If a TCP or DCCP socket, check name_connect permission for the port.
4437 if (sksec
->sclass
== SECCLASS_TCP_SOCKET
||
4438 sksec
->sclass
== SECCLASS_DCCP_SOCKET
) {
4439 struct common_audit_data ad
;
4440 struct lsm_network_audit net
= {0,};
4441 struct sockaddr_in
*addr4
= NULL
;
4442 struct sockaddr_in6
*addr6
= NULL
;
4443 unsigned short snum
;
4446 if (sk
->sk_family
== PF_INET
) {
4447 addr4
= (struct sockaddr_in
*)address
;
4448 if (addrlen
< sizeof(struct sockaddr_in
))
4450 snum
= ntohs(addr4
->sin_port
);
4452 addr6
= (struct sockaddr_in6
*)address
;
4453 if (addrlen
< SIN6_LEN_RFC2133
)
4455 snum
= ntohs(addr6
->sin6_port
);
4458 err
= sel_netport_sid(sk
->sk_protocol
, snum
, &sid
);
4462 perm
= (sksec
->sclass
== SECCLASS_TCP_SOCKET
) ?
4463 TCP_SOCKET__NAME_CONNECT
: DCCP_SOCKET__NAME_CONNECT
;
4465 ad
.type
= LSM_AUDIT_DATA_NET
;
4467 ad
.u
.net
->dport
= htons(snum
);
4468 ad
.u
.net
->family
= sk
->sk_family
;
4469 err
= avc_has_perm(sksec
->sid
, sid
, sksec
->sclass
, perm
, &ad
);
4474 err
= selinux_netlbl_socket_connect(sk
, address
);
4480 static int selinux_socket_listen(struct socket
*sock
, int backlog
)
4482 return sock_has_perm(sock
->sk
, SOCKET__LISTEN
);
4485 static int selinux_socket_accept(struct socket
*sock
, struct socket
*newsock
)
4488 struct inode_security_struct
*isec
;
4489 struct inode_security_struct
*newisec
;
4493 err
= sock_has_perm(sock
->sk
, SOCKET__ACCEPT
);
4497 isec
= inode_security_novalidate(SOCK_INODE(sock
));
4498 spin_lock(&isec
->lock
);
4499 sclass
= isec
->sclass
;
4501 spin_unlock(&isec
->lock
);
4503 newisec
= inode_security_novalidate(SOCK_INODE(newsock
));
4504 newisec
->sclass
= sclass
;
4506 newisec
->initialized
= LABEL_INITIALIZED
;
4511 static int selinux_socket_sendmsg(struct socket
*sock
, struct msghdr
*msg
,
4514 return sock_has_perm(sock
->sk
, SOCKET__WRITE
);
4517 static int selinux_socket_recvmsg(struct socket
*sock
, struct msghdr
*msg
,
4518 int size
, int flags
)
4520 return sock_has_perm(sock
->sk
, SOCKET__READ
);
4523 static int selinux_socket_getsockname(struct socket
*sock
)
4525 return sock_has_perm(sock
->sk
, SOCKET__GETATTR
);
4528 static int selinux_socket_getpeername(struct socket
*sock
)
4530 return sock_has_perm(sock
->sk
, SOCKET__GETATTR
);
4533 static int selinux_socket_setsockopt(struct socket
*sock
, int level
, int optname
)
4537 err
= sock_has_perm(sock
->sk
, SOCKET__SETOPT
);
4541 return selinux_netlbl_socket_setsockopt(sock
, level
, optname
);
4544 static int selinux_socket_getsockopt(struct socket
*sock
, int level
,
4547 return sock_has_perm(sock
->sk
, SOCKET__GETOPT
);
4550 static int selinux_socket_shutdown(struct socket
*sock
, int how
)
4552 return sock_has_perm(sock
->sk
, SOCKET__SHUTDOWN
);
4555 static int selinux_socket_unix_stream_connect(struct sock
*sock
,
4559 struct sk_security_struct
*sksec_sock
= selinux_sock(sock
);
4560 struct sk_security_struct
*sksec_other
= selinux_sock(other
);
4561 struct sk_security_struct
*sksec_new
= selinux_sock(newsk
);
4562 struct common_audit_data ad
;
4563 struct lsm_network_audit net
= {0,};
4566 ad
.type
= LSM_AUDIT_DATA_NET
;
4568 ad
.u
.net
->sk
= other
;
4570 err
= avc_has_perm(sksec_sock
->sid
, sksec_other
->sid
,
4571 sksec_other
->sclass
,
4572 UNIX_STREAM_SOCKET__CONNECTTO
, &ad
);
4576 /* server child socket */
4577 sksec_new
->peer_sid
= sksec_sock
->sid
;
4578 err
= security_sid_mls_copy(sksec_other
->sid
, sksec_sock
->sid
,
4583 /* connecting socket */
4584 sksec_sock
->peer_sid
= sksec_new
->sid
;
4589 static int selinux_socket_unix_may_send(struct socket
*sock
,
4590 struct socket
*other
)
4592 struct sk_security_struct
*ssec
= selinux_sock(sock
->sk
);
4593 struct sk_security_struct
*osec
= selinux_sock(other
->sk
);
4594 struct common_audit_data ad
;
4595 struct lsm_network_audit net
= {0,};
4597 ad
.type
= LSM_AUDIT_DATA_NET
;
4599 ad
.u
.net
->sk
= other
->sk
;
4601 return avc_has_perm(ssec
->sid
, osec
->sid
, osec
->sclass
, SOCKET__SENDTO
,
4605 static int selinux_inet_sys_rcv_skb(struct net
*ns
, int ifindex
,
4606 char *addrp
, u16 family
, u32 peer_sid
,
4607 struct common_audit_data
*ad
)
4613 err
= sel_netif_sid(ns
, ifindex
, &if_sid
);
4616 err
= avc_has_perm(peer_sid
, if_sid
,
4617 SECCLASS_NETIF
, NETIF__INGRESS
, ad
);
4621 err
= sel_netnode_sid(addrp
, family
, &node_sid
);
4624 return avc_has_perm(peer_sid
, node_sid
,
4625 SECCLASS_NODE
, NODE__RECVFROM
, ad
);
4628 static int selinux_sock_rcv_skb_compat(struct sock
*sk
, struct sk_buff
*skb
,
4632 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4633 u32 sk_sid
= sksec
->sid
;
4634 struct common_audit_data ad
;
4635 struct lsm_network_audit net
= {0,};
4638 ad
.type
= LSM_AUDIT_DATA_NET
;
4640 ad
.u
.net
->netif
= skb
->skb_iif
;
4641 ad
.u
.net
->family
= family
;
4642 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4646 if (selinux_secmark_enabled()) {
4647 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4653 err
= selinux_netlbl_sock_rcv_skb(sksec
, skb
, family
, &ad
);
4656 err
= selinux_xfrm_sock_rcv_skb(sksec
->sid
, skb
, &ad
);
4661 static int selinux_socket_sock_rcv_skb(struct sock
*sk
, struct sk_buff
*skb
)
4664 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4665 u16 family
= sk
->sk_family
;
4666 u32 sk_sid
= sksec
->sid
;
4667 struct common_audit_data ad
;
4668 struct lsm_network_audit net
= {0,};
4673 if (family
!= PF_INET
&& family
!= PF_INET6
)
4676 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4677 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4680 /* If any sort of compatibility mode is enabled then handoff processing
4681 * to the selinux_sock_rcv_skb_compat() function to deal with the
4682 * special handling. We do this in an attempt to keep this function
4683 * as fast and as clean as possible. */
4684 if (!selinux_policycap_netpeer
)
4685 return selinux_sock_rcv_skb_compat(sk
, skb
, family
);
4687 secmark_active
= selinux_secmark_enabled();
4688 peerlbl_active
= selinux_peerlbl_enabled();
4689 if (!secmark_active
&& !peerlbl_active
)
4692 ad
.type
= LSM_AUDIT_DATA_NET
;
4694 ad
.u
.net
->netif
= skb
->skb_iif
;
4695 ad
.u
.net
->family
= family
;
4696 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4700 if (peerlbl_active
) {
4703 err
= selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
);
4706 err
= selinux_inet_sys_rcv_skb(sock_net(sk
), skb
->skb_iif
,
4707 addrp
, family
, peer_sid
, &ad
);
4709 selinux_netlbl_err(skb
, family
, err
, 0);
4712 err
= avc_has_perm(sk_sid
, peer_sid
, SECCLASS_PEER
,
4715 selinux_netlbl_err(skb
, family
, err
, 0);
4720 if (secmark_active
) {
4721 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4730 static int selinux_socket_getpeersec_stream(struct socket
*sock
,
4731 __user
char *optval
,
4738 struct sk_security_struct
*sksec
= selinux_sock(sock
->sk
);
4739 u32 peer_sid
= SECSID_NULL
;
4741 if (sksec
->sclass
== SECCLASS_UNIX_STREAM_SOCKET
||
4742 sksec
->sclass
== SECCLASS_TCP_SOCKET
)
4743 peer_sid
= sksec
->peer_sid
;
4744 if (peer_sid
== SECSID_NULL
)
4745 return -ENOPROTOOPT
;
4747 err
= security_sid_to_context(peer_sid
, &scontext
, &scontext_len
);
4751 if (scontext_len
> len
) {
4756 if (copy_to_user(optval
, scontext
, scontext_len
))
4760 if (put_user(scontext_len
, optlen
))
4766 static int selinux_socket_getpeersec_dgram(struct socket
*sock
, struct sk_buff
*skb
, u32
*secid
)
4768 u32 peer_secid
= SECSID_NULL
;
4770 struct inode_security_struct
*isec
;
4772 if (skb
&& skb
->protocol
== htons(ETH_P_IP
))
4774 else if (skb
&& skb
->protocol
== htons(ETH_P_IPV6
))
4777 family
= sock
->sk
->sk_family
;
4781 if (sock
&& family
== PF_UNIX
) {
4782 isec
= inode_security_novalidate(SOCK_INODE(sock
));
4783 peer_secid
= isec
->sid
;
4785 selinux_skb_peerlbl_sid(skb
, family
, &peer_secid
);
4788 *secid
= peer_secid
;
4789 if (peer_secid
== SECSID_NULL
)
4794 static int selinux_sk_alloc_security(struct sock
*sk
, int family
, gfp_t priority
)
4796 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4798 sksec
->peer_sid
= SECINITSID_UNLABELED
;
4799 sksec
->sid
= SECINITSID_UNLABELED
;
4800 sksec
->sclass
= SECCLASS_SOCKET
;
4801 selinux_netlbl_sk_security_reset(sksec
);
4806 static void selinux_sk_free_security(struct sock
*sk
)
4808 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4810 selinux_netlbl_sk_security_free(sksec
);
4813 static void selinux_sk_clone_security(const struct sock
*sk
, struct sock
*newsk
)
4815 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4816 struct sk_security_struct
*newsksec
= selinux_sock(newsk
);
4818 newsksec
->sid
= sksec
->sid
;
4819 newsksec
->peer_sid
= sksec
->peer_sid
;
4820 newsksec
->sclass
= sksec
->sclass
;
4822 selinux_netlbl_sk_security_reset(newsksec
);
4825 static void selinux_sk_getsecid(struct sock
*sk
, u32
*secid
)
4828 *secid
= SECINITSID_ANY_SOCKET
;
4830 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4832 *secid
= sksec
->sid
;
4836 static void selinux_sock_graft(struct sock
*sk
, struct socket
*parent
)
4838 struct inode_security_struct
*isec
=
4839 inode_security_novalidate(SOCK_INODE(parent
));
4840 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4842 if (sk
->sk_family
== PF_INET
|| sk
->sk_family
== PF_INET6
||
4843 sk
->sk_family
== PF_UNIX
)
4844 isec
->sid
= sksec
->sid
;
4845 sksec
->sclass
= isec
->sclass
;
4848 static int selinux_inet_conn_request(struct sock
*sk
, struct sk_buff
*skb
,
4849 struct request_sock
*req
)
4851 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4853 u16 family
= req
->rsk_ops
->family
;
4857 err
= selinux_skb_peerlbl_sid(skb
, family
, &peersid
);
4860 err
= selinux_conn_sid(sksec
->sid
, peersid
, &connsid
);
4863 req
->secid
= connsid
;
4864 req
->peer_secid
= peersid
;
4866 return selinux_netlbl_inet_conn_request(req
, family
);
4869 static void selinux_inet_csk_clone(struct sock
*newsk
,
4870 const struct request_sock
*req
)
4872 struct sk_security_struct
*newsksec
= selinux_sock(newsk
);
4874 newsksec
->sid
= req
->secid
;
4875 newsksec
->peer_sid
= req
->peer_secid
;
4876 /* NOTE: Ideally, we should also get the isec->sid for the
4877 new socket in sync, but we don't have the isec available yet.
4878 So we will wait until sock_graft to do it, by which
4879 time it will have been created and available. */
4881 /* We don't need to take any sort of lock here as we are the only
4882 * thread with access to newsksec */
4883 selinux_netlbl_inet_csk_clone(newsk
, req
->rsk_ops
->family
);
4886 static void selinux_inet_conn_established(struct sock
*sk
, struct sk_buff
*skb
)
4888 u16 family
= sk
->sk_family
;
4889 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4891 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4892 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4895 selinux_skb_peerlbl_sid(skb
, family
, &sksec
->peer_sid
);
4898 static int selinux_secmark_relabel_packet(u32 sid
)
4900 const struct task_security_struct
*__tsec
;
4903 __tsec
= selinux_cred(current_cred());
4906 return avc_has_perm(tsid
, sid
, SECCLASS_PACKET
, PACKET__RELABELTO
, NULL
);
4909 static void selinux_secmark_refcount_inc(void)
4911 atomic_inc(&selinux_secmark_refcount
);
4914 static void selinux_secmark_refcount_dec(void)
4916 atomic_dec(&selinux_secmark_refcount
);
4919 static void selinux_req_classify_flow(const struct request_sock
*req
,
4922 fl
->flowi_secid
= req
->secid
;
4925 static int selinux_tun_dev_alloc_security(void **security
)
4927 struct tun_security_struct
*tunsec
;
4929 tunsec
= kzalloc(sizeof(*tunsec
), GFP_KERNEL
);
4932 tunsec
->sid
= current_sid();
4938 static void selinux_tun_dev_free_security(void *security
)
4943 static int selinux_tun_dev_create(void)
4945 u32 sid
= current_sid();
4947 /* we aren't taking into account the "sockcreate" SID since the socket
4948 * that is being created here is not a socket in the traditional sense,
4949 * instead it is a private sock, accessible only to the kernel, and
4950 * representing a wide range of network traffic spanning multiple
4951 * connections unlike traditional sockets - check the TUN driver to
4952 * get a better understanding of why this socket is special */
4954 return avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
, TUN_SOCKET__CREATE
,
4958 static int selinux_tun_dev_attach_queue(void *security
)
4960 struct tun_security_struct
*tunsec
= security
;
4962 return avc_has_perm(current_sid(), tunsec
->sid
, SECCLASS_TUN_SOCKET
,
4963 TUN_SOCKET__ATTACH_QUEUE
, NULL
);
4966 static int selinux_tun_dev_attach(struct sock
*sk
, void *security
)
4968 struct tun_security_struct
*tunsec
= security
;
4969 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4971 /* we don't currently perform any NetLabel based labeling here and it
4972 * isn't clear that we would want to do so anyway; while we could apply
4973 * labeling without the support of the TUN user the resulting labeled
4974 * traffic from the other end of the connection would almost certainly
4975 * cause confusion to the TUN user that had no idea network labeling
4976 * protocols were being used */
4978 sksec
->sid
= tunsec
->sid
;
4979 sksec
->sclass
= SECCLASS_TUN_SOCKET
;
4984 static int selinux_tun_dev_open(void *security
)
4986 struct tun_security_struct
*tunsec
= security
;
4987 u32 sid
= current_sid();
4990 err
= avc_has_perm(sid
, tunsec
->sid
, SECCLASS_TUN_SOCKET
,
4991 TUN_SOCKET__RELABELFROM
, NULL
);
4994 err
= avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
,
4995 TUN_SOCKET__RELABELTO
, NULL
);
5003 static int selinux_nlmsg_perm(struct sock
*sk
, struct sk_buff
*skb
)
5007 struct nlmsghdr
*nlh
;
5008 struct sk_security_struct
*sksec
= selinux_sock(sk
);
5010 if (skb
->len
< NLMSG_HDRLEN
) {
5014 nlh
= nlmsg_hdr(skb
);
5016 err
= selinux_nlmsg_lookup(sksec
->sclass
, nlh
->nlmsg_type
, &perm
);
5018 if (err
== -EINVAL
) {
5019 pr_warn_ratelimited("SELinux: unrecognized netlink"
5020 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5021 " pig=%d comm=%s\n",
5022 sk
->sk_protocol
, nlh
->nlmsg_type
,
5023 secclass_map
[sksec
->sclass
- 1].name
,
5024 task_pid_nr(current
), current
->comm
);
5025 if (!selinux_enforcing
|| security_get_allow_unknown())
5035 err
= sock_has_perm(sk
, perm
);
5040 #ifdef CONFIG_NETFILTER
5042 static unsigned int selinux_ip_forward(struct sk_buff
*skb
,
5043 const struct net_device
*indev
,
5049 struct common_audit_data ad
;
5050 struct lsm_network_audit net
= {0,};
5055 if (!selinux_policycap_netpeer
)
5058 secmark_active
= selinux_secmark_enabled();
5059 netlbl_active
= netlbl_enabled();
5060 peerlbl_active
= selinux_peerlbl_enabled();
5061 if (!secmark_active
&& !peerlbl_active
)
5064 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
) != 0)
5067 ad
.type
= LSM_AUDIT_DATA_NET
;
5069 ad
.u
.net
->netif
= indev
->ifindex
;
5070 ad
.u
.net
->family
= family
;
5071 if (selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
) != 0)
5074 if (peerlbl_active
) {
5075 err
= selinux_inet_sys_rcv_skb(dev_net(indev
), indev
->ifindex
,
5076 addrp
, family
, peer_sid
, &ad
);
5078 selinux_netlbl_err(skb
, family
, err
, 1);
5084 if (avc_has_perm(peer_sid
, skb
->secmark
,
5085 SECCLASS_PACKET
, PACKET__FORWARD_IN
, &ad
))
5089 /* we do this in the FORWARD path and not the POST_ROUTING
5090 * path because we want to make sure we apply the necessary
5091 * labeling before IPsec is applied so we can leverage AH
5093 if (selinux_netlbl_skbuff_setsid(skb
, family
, peer_sid
) != 0)
5099 static unsigned int selinux_ipv4_forward(void *priv
,
5100 struct sk_buff
*skb
,
5101 const struct nf_hook_state
*state
)
5103 return selinux_ip_forward(skb
, state
->in
, PF_INET
);
5106 #if IS_ENABLED(CONFIG_IPV6)
5107 static unsigned int selinux_ipv6_forward(void *priv
,
5108 struct sk_buff
*skb
,
5109 const struct nf_hook_state
*state
)
5111 return selinux_ip_forward(skb
, state
->in
, PF_INET6
);
5115 static unsigned int selinux_ip_output(struct sk_buff
*skb
,
5121 if (!netlbl_enabled())
5124 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5125 * because we want to make sure we apply the necessary labeling
5126 * before IPsec is applied so we can leverage AH protection */
5129 struct sk_security_struct
*sksec
;
5131 if (sk_listener(sk
))
5132 /* if the socket is the listening state then this
5133 * packet is a SYN-ACK packet which means it needs to
5134 * be labeled based on the connection/request_sock and
5135 * not the parent socket. unfortunately, we can't
5136 * lookup the request_sock yet as it isn't queued on
5137 * the parent socket until after the SYN-ACK is sent.
5138 * the "solution" is to simply pass the packet as-is
5139 * as any IP option based labeling should be copied
5140 * from the initial connection request (in the IP
5141 * layer). it is far from ideal, but until we get a
5142 * security label in the packet itself this is the
5143 * best we can do. */
5146 /* standard practice, label using the parent socket */
5147 sksec
= selinux_sock(sk
);
5150 sid
= SECINITSID_KERNEL
;
5151 if (selinux_netlbl_skbuff_setsid(skb
, family
, sid
) != 0)
5157 static unsigned int selinux_ipv4_output(void *priv
,
5158 struct sk_buff
*skb
,
5159 const struct nf_hook_state
*state
)
5161 return selinux_ip_output(skb
, PF_INET
);
5164 #if IS_ENABLED(CONFIG_IPV6)
5165 static unsigned int selinux_ipv6_output(void *priv
,
5166 struct sk_buff
*skb
,
5167 const struct nf_hook_state
*state
)
5169 return selinux_ip_output(skb
, PF_INET6
);
5173 static unsigned int selinux_ip_postroute_compat(struct sk_buff
*skb
,
5177 struct sock
*sk
= skb_to_full_sk(skb
);
5178 struct sk_security_struct
*sksec
;
5179 struct common_audit_data ad
;
5180 struct lsm_network_audit net
= {0,};
5186 sksec
= selinux_sock(sk
);
5188 ad
.type
= LSM_AUDIT_DATA_NET
;
5190 ad
.u
.net
->netif
= ifindex
;
5191 ad
.u
.net
->family
= family
;
5192 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, &proto
))
5195 if (selinux_secmark_enabled())
5196 if (avc_has_perm(sksec
->sid
, skb
->secmark
,
5197 SECCLASS_PACKET
, PACKET__SEND
, &ad
))
5198 return NF_DROP_ERR(-ECONNREFUSED
);
5200 if (selinux_xfrm_postroute_last(sksec
->sid
, skb
, &ad
, proto
))
5201 return NF_DROP_ERR(-ECONNREFUSED
);
5206 static unsigned int selinux_ip_postroute(struct sk_buff
*skb
,
5207 const struct net_device
*outdev
,
5212 int ifindex
= outdev
->ifindex
;
5214 struct common_audit_data ad
;
5215 struct lsm_network_audit net
= {0,};
5220 /* If any sort of compatibility mode is enabled then handoff processing
5221 * to the selinux_ip_postroute_compat() function to deal with the
5222 * special handling. We do this in an attempt to keep this function
5223 * as fast and as clean as possible. */
5224 if (!selinux_policycap_netpeer
)
5225 return selinux_ip_postroute_compat(skb
, ifindex
, family
);
5227 secmark_active
= selinux_secmark_enabled();
5228 peerlbl_active
= selinux_peerlbl_enabled();
5229 if (!secmark_active
&& !peerlbl_active
)
5232 sk
= skb_to_full_sk(skb
);
5235 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5236 * packet transformation so allow the packet to pass without any checks
5237 * since we'll have another chance to perform access control checks
5238 * when the packet is on it's final way out.
5239 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5240 * is NULL, in this case go ahead and apply access control.
5241 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5242 * TCP listening state we cannot wait until the XFRM processing
5243 * is done as we will miss out on the SA label if we do;
5244 * unfortunately, this means more work, but it is only once per
5246 if (skb_dst(skb
) != NULL
&& skb_dst(skb
)->xfrm
!= NULL
&&
5247 !(sk
&& sk_listener(sk
)))
5252 /* Without an associated socket the packet is either coming
5253 * from the kernel or it is being forwarded; check the packet
5254 * to determine which and if the packet is being forwarded
5255 * query the packet directly to determine the security label. */
5257 secmark_perm
= PACKET__FORWARD_OUT
;
5258 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
))
5261 secmark_perm
= PACKET__SEND
;
5262 peer_sid
= SECINITSID_KERNEL
;
5264 } else if (sk_listener(sk
)) {
5265 /* Locally generated packet but the associated socket is in the
5266 * listening state which means this is a SYN-ACK packet. In
5267 * this particular case the correct security label is assigned
5268 * to the connection/request_sock but unfortunately we can't
5269 * query the request_sock as it isn't queued on the parent
5270 * socket until after the SYN-ACK packet is sent; the only
5271 * viable choice is to regenerate the label like we do in
5272 * selinux_inet_conn_request(). See also selinux_ip_output()
5273 * for similar problems. */
5275 struct sk_security_struct
*sksec
;
5277 sksec
= selinux_sock(sk
);
5278 if (selinux_skb_peerlbl_sid(skb
, family
, &skb_sid
))
5280 /* At this point, if the returned skb peerlbl is SECSID_NULL
5281 * and the packet has been through at least one XFRM
5282 * transformation then we must be dealing with the "final"
5283 * form of labeled IPsec packet; since we've already applied
5284 * all of our access controls on this packet we can safely
5285 * pass the packet. */
5286 if (skb_sid
== SECSID_NULL
) {
5289 if (IPCB(skb
)->flags
& IPSKB_XFRM_TRANSFORMED
)
5293 if (IP6CB(skb
)->flags
& IP6SKB_XFRM_TRANSFORMED
)
5297 return NF_DROP_ERR(-ECONNREFUSED
);
5300 if (selinux_conn_sid(sksec
->sid
, skb_sid
, &peer_sid
))
5302 secmark_perm
= PACKET__SEND
;
5304 /* Locally generated packet, fetch the security label from the
5305 * associated socket. */
5306 struct sk_security_struct
*sksec
= selinux_sock(sk
);
5307 peer_sid
= sksec
->sid
;
5308 secmark_perm
= PACKET__SEND
;
5311 ad
.type
= LSM_AUDIT_DATA_NET
;
5313 ad
.u
.net
->netif
= ifindex
;
5314 ad
.u
.net
->family
= family
;
5315 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, NULL
))
5319 if (avc_has_perm(peer_sid
, skb
->secmark
,
5320 SECCLASS_PACKET
, secmark_perm
, &ad
))
5321 return NF_DROP_ERR(-ECONNREFUSED
);
5323 if (peerlbl_active
) {
5327 if (sel_netif_sid(dev_net(outdev
), ifindex
, &if_sid
))
5329 if (avc_has_perm(peer_sid
, if_sid
,
5330 SECCLASS_NETIF
, NETIF__EGRESS
, &ad
))
5331 return NF_DROP_ERR(-ECONNREFUSED
);
5333 if (sel_netnode_sid(addrp
, family
, &node_sid
))
5335 if (avc_has_perm(peer_sid
, node_sid
,
5336 SECCLASS_NODE
, NODE__SENDTO
, &ad
))
5337 return NF_DROP_ERR(-ECONNREFUSED
);
5343 static unsigned int selinux_ipv4_postroute(void *priv
,
5344 struct sk_buff
*skb
,
5345 const struct nf_hook_state
*state
)
5347 return selinux_ip_postroute(skb
, state
->out
, PF_INET
);
5350 #if IS_ENABLED(CONFIG_IPV6)
5351 static unsigned int selinux_ipv6_postroute(void *priv
,
5352 struct sk_buff
*skb
,
5353 const struct nf_hook_state
*state
)
5355 return selinux_ip_postroute(skb
, state
->out
, PF_INET6
);
5359 #endif /* CONFIG_NETFILTER */
5361 static int selinux_netlink_send(struct sock
*sk
, struct sk_buff
*skb
)
5363 return selinux_nlmsg_perm(sk
, skb
);
5366 static void ipc_init_security(struct ipc_security_struct
*isec
, u16 sclass
)
5368 isec
->sclass
= sclass
;
5369 isec
->sid
= current_sid();
5372 static int msg_msg_alloc_security(struct msg_msg
*msg
)
5374 struct msg_security_struct
*msec
;
5376 msec
= selinux_msg_msg(msg
);
5377 msec
->sid
= SECINITSID_UNLABELED
;
5382 static int ipc_has_perm(struct kern_ipc_perm
*ipc_perms
,
5385 struct ipc_security_struct
*isec
;
5386 struct common_audit_data ad
;
5387 u32 sid
= current_sid();
5389 isec
= selinux_ipc(ipc_perms
);
5391 ad
.type
= LSM_AUDIT_DATA_IPC
;
5392 ad
.u
.ipc_id
= ipc_perms
->key
;
5394 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, &ad
);
5397 static int selinux_msg_msg_alloc_security(struct msg_msg
*msg
)
5399 return msg_msg_alloc_security(msg
);
5402 /* message queue security operations */
5403 static int selinux_msg_queue_alloc_security(struct msg_queue
*msq
)
5405 struct ipc_security_struct
*isec
;
5406 struct common_audit_data ad
;
5407 u32 sid
= current_sid();
5410 isec
= selinux_ipc(&msq
->q_perm
);
5411 ipc_init_security(isec
, SECCLASS_MSGQ
);
5413 ad
.type
= LSM_AUDIT_DATA_IPC
;
5414 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5416 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5421 static int selinux_msg_queue_associate(struct msg_queue
*msq
, int msqflg
)
5423 struct ipc_security_struct
*isec
;
5424 struct common_audit_data ad
;
5425 u32 sid
= current_sid();
5427 isec
= selinux_ipc(&msq
->q_perm
);
5429 ad
.type
= LSM_AUDIT_DATA_IPC
;
5430 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5432 return avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5433 MSGQ__ASSOCIATE
, &ad
);
5436 static int selinux_msg_queue_msgctl(struct msg_queue
*msq
, int cmd
)
5444 /* No specific object, just general system-wide information. */
5445 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5446 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5449 perms
= MSGQ__GETATTR
| MSGQ__ASSOCIATE
;
5452 perms
= MSGQ__SETATTR
;
5455 perms
= MSGQ__DESTROY
;
5461 err
= ipc_has_perm(&msq
->q_perm
, perms
);
5465 static int selinux_msg_queue_msgsnd(struct msg_queue
*msq
, struct msg_msg
*msg
, int msqflg
)
5467 struct ipc_security_struct
*isec
;
5468 struct msg_security_struct
*msec
;
5469 struct common_audit_data ad
;
5470 u32 sid
= current_sid();
5473 isec
= selinux_ipc(&msq
->q_perm
);
5474 msec
= selinux_msg_msg(msg
);
5477 * First time through, need to assign label to the message
5479 if (msec
->sid
== SECINITSID_UNLABELED
) {
5481 * Compute new sid based on current process and
5482 * message queue this message will be stored in
5484 rc
= security_transition_sid(sid
, isec
->sid
, SECCLASS_MSG
,
5490 ad
.type
= LSM_AUDIT_DATA_IPC
;
5491 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5493 /* Can this process write to the queue? */
5494 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5497 /* Can this process send the message */
5498 rc
= avc_has_perm(sid
, msec
->sid
, SECCLASS_MSG
,
5501 /* Can the message be put in the queue? */
5502 rc
= avc_has_perm(msec
->sid
, isec
->sid
, SECCLASS_MSGQ
,
5503 MSGQ__ENQUEUE
, &ad
);
5508 static int selinux_msg_queue_msgrcv(struct msg_queue
*msq
, struct msg_msg
*msg
,
5509 struct task_struct
*target
,
5510 long type
, int mode
)
5512 struct ipc_security_struct
*isec
;
5513 struct msg_security_struct
*msec
;
5514 struct common_audit_data ad
;
5515 u32 sid
= task_sid(target
);
5518 isec
= selinux_ipc(&msq
->q_perm
);
5519 msec
= selinux_msg_msg(msg
);
5521 ad
.type
= LSM_AUDIT_DATA_IPC
;
5522 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5524 rc
= avc_has_perm(sid
, isec
->sid
,
5525 SECCLASS_MSGQ
, MSGQ__READ
, &ad
);
5527 rc
= avc_has_perm(sid
, msec
->sid
,
5528 SECCLASS_MSG
, MSG__RECEIVE
, &ad
);
5532 /* Shared Memory security operations */
5533 static int selinux_shm_alloc_security(struct shmid_kernel
*shp
)
5535 struct ipc_security_struct
*isec
;
5536 struct common_audit_data ad
;
5537 u32 sid
= current_sid();
5540 isec
= selinux_ipc(&shp
->shm_perm
);
5541 ipc_init_security(isec
, SECCLASS_SHM
);
5543 ad
.type
= LSM_AUDIT_DATA_IPC
;
5544 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
5546 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
5551 static int selinux_shm_associate(struct shmid_kernel
*shp
, int shmflg
)
5553 struct ipc_security_struct
*isec
;
5554 struct common_audit_data ad
;
5555 u32 sid
= current_sid();
5557 isec
= selinux_ipc(&shp
->shm_perm
);
5559 ad
.type
= LSM_AUDIT_DATA_IPC
;
5560 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
5562 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
5563 SHM__ASSOCIATE
, &ad
);
5566 /* Note, at this point, shp is locked down */
5567 static int selinux_shm_shmctl(struct shmid_kernel
*shp
, int cmd
)
5575 /* No specific object, just general system-wide information. */
5576 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5577 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5580 perms
= SHM__GETATTR
| SHM__ASSOCIATE
;
5583 perms
= SHM__SETATTR
;
5590 perms
= SHM__DESTROY
;
5596 err
= ipc_has_perm(&shp
->shm_perm
, perms
);
5600 static int selinux_shm_shmat(struct shmid_kernel
*shp
,
5601 char __user
*shmaddr
, int shmflg
)
5605 if (shmflg
& SHM_RDONLY
)
5608 perms
= SHM__READ
| SHM__WRITE
;
5610 return ipc_has_perm(&shp
->shm_perm
, perms
);
5613 /* Semaphore security operations */
5614 static int selinux_sem_alloc_security(struct sem_array
*sma
)
5616 struct ipc_security_struct
*isec
;
5617 struct common_audit_data ad
;
5618 u32 sid
= current_sid();
5621 isec
= selinux_ipc(&sma
->sem_perm
);
5622 ipc_init_security(isec
, SECCLASS_SEM
);
5624 ad
.type
= LSM_AUDIT_DATA_IPC
;
5625 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5627 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5632 static int selinux_sem_associate(struct sem_array
*sma
, int semflg
)
5634 struct ipc_security_struct
*isec
;
5635 struct common_audit_data ad
;
5636 u32 sid
= current_sid();
5638 isec
= selinux_ipc(&sma
->sem_perm
);
5640 ad
.type
= LSM_AUDIT_DATA_IPC
;
5641 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5643 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5644 SEM__ASSOCIATE
, &ad
);
5647 /* Note, at this point, sma is locked down */
5648 static int selinux_sem_semctl(struct sem_array
*sma
, int cmd
)
5656 /* No specific object, just general system-wide information. */
5657 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5658 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5662 perms
= SEM__GETATTR
;
5673 perms
= SEM__DESTROY
;
5676 perms
= SEM__SETATTR
;
5680 perms
= SEM__GETATTR
| SEM__ASSOCIATE
;
5686 err
= ipc_has_perm(&sma
->sem_perm
, perms
);
5690 static int selinux_sem_semop(struct sem_array
*sma
,
5691 struct sembuf
*sops
, unsigned nsops
, int alter
)
5696 perms
= SEM__READ
| SEM__WRITE
;
5700 return ipc_has_perm(&sma
->sem_perm
, perms
);
5703 static int selinux_ipc_permission(struct kern_ipc_perm
*ipcp
, short flag
)
5709 av
|= IPC__UNIX_READ
;
5711 av
|= IPC__UNIX_WRITE
;
5716 return ipc_has_perm(ipcp
, av
);
5719 static void selinux_ipc_getsecid(struct kern_ipc_perm
*ipcp
, u32
*secid
)
5721 struct ipc_security_struct
*isec
= selinux_ipc(ipcp
);
5725 static void selinux_d_instantiate(struct dentry
*dentry
, struct inode
*inode
)
5728 inode_doinit_with_dentry(inode
, dentry
);
5731 static int selinux_getprocattr(struct task_struct
*p
,
5732 char *name
, char **value
)
5734 const struct task_security_struct
*__tsec
;
5740 __tsec
= selinux_cred(__task_cred(p
));
5743 error
= avc_has_perm(current_sid(), __tsec
->sid
,
5744 SECCLASS_PROCESS
, PROCESS__GETATTR
, NULL
);
5749 if (!strcmp(name
, "current"))
5751 else if (!strcmp(name
, "prev"))
5753 else if (!strcmp(name
, "exec"))
5754 sid
= __tsec
->exec_sid
;
5755 else if (!strcmp(name
, "fscreate"))
5756 sid
= __tsec
->create_sid
;
5757 else if (!strcmp(name
, "keycreate"))
5758 sid
= __tsec
->keycreate_sid
;
5759 else if (!strcmp(name
, "sockcreate"))
5760 sid
= __tsec
->sockcreate_sid
;
5770 error
= security_sid_to_context(sid
, value
, &len
);
5780 static int selinux_setprocattr(const char *name
, void *value
, size_t size
)
5782 struct task_security_struct
*tsec
;
5784 u32 mysid
= current_sid(), sid
= 0, ptsid
;
5789 * Basic control over ability to set these attributes at all.
5791 if (!strcmp(name
, "exec"))
5792 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5793 PROCESS__SETEXEC
, NULL
);
5794 else if (!strcmp(name
, "fscreate"))
5795 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5796 PROCESS__SETFSCREATE
, NULL
);
5797 else if (!strcmp(name
, "keycreate"))
5798 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5799 PROCESS__SETKEYCREATE
, NULL
);
5800 else if (!strcmp(name
, "sockcreate"))
5801 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5802 PROCESS__SETSOCKCREATE
, NULL
);
5803 else if (!strcmp(name
, "current"))
5804 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5805 PROCESS__SETCURRENT
, NULL
);
5811 /* Obtain a SID for the context, if one was specified. */
5812 if (size
&& str
[0] && str
[0] != '\n') {
5813 if (str
[size
-1] == '\n') {
5817 error
= security_context_to_sid(value
, size
, &sid
, GFP_KERNEL
);
5818 if (error
== -EINVAL
&& !strcmp(name
, "fscreate")) {
5819 if (!has_cap_mac_admin(true)) {
5820 struct audit_buffer
*ab
;
5823 /* We strip a nul only if it is at the end, otherwise the
5824 * context contains a nul and we should audit that */
5825 if (str
[size
- 1] == '\0')
5826 audit_size
= size
- 1;
5829 ab
= audit_log_start(current
->audit_context
, GFP_ATOMIC
, AUDIT_SELINUX_ERR
);
5830 audit_log_format(ab
, "op=fscreate invalid_context=");
5831 audit_log_n_untrustedstring(ab
, value
, audit_size
);
5836 error
= security_context_to_sid_force(value
, size
,
5843 new = prepare_creds();
5847 /* Permission checking based on the specified context is
5848 performed during the actual operation (execve,
5849 open/mkdir/...), when we know the full context of the
5850 operation. See selinux_bprm_set_creds for the execve
5851 checks and may_create for the file creation checks. The
5852 operation will then fail if the context is not permitted. */
5853 tsec
= selinux_cred(new);
5854 if (!strcmp(name
, "exec")) {
5855 tsec
->exec_sid
= sid
;
5856 } else if (!strcmp(name
, "fscreate")) {
5857 tsec
->create_sid
= sid
;
5858 } else if (!strcmp(name
, "keycreate")) {
5859 error
= avc_has_perm(mysid
, sid
, SECCLASS_KEY
, KEY__CREATE
,
5863 tsec
->keycreate_sid
= sid
;
5864 } else if (!strcmp(name
, "sockcreate")) {
5865 tsec
->sockcreate_sid
= sid
;
5866 } else if (!strcmp(name
, "current")) {
5871 /* Only allow single threaded processes to change context */
5873 if (!current_is_single_threaded()) {
5874 error
= security_bounded_transition(tsec
->sid
, sid
);
5879 /* Check permissions for the transition. */
5880 error
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_PROCESS
,
5881 PROCESS__DYNTRANSITION
, NULL
);
5885 /* Check for ptracing, and update the task SID if ok.
5886 Otherwise, leave SID unchanged and fail. */
5887 ptsid
= ptrace_parent_sid();
5889 error
= avc_has_perm(ptsid
, sid
, SECCLASS_PROCESS
,
5890 PROCESS__PTRACE
, NULL
);
5909 static int selinux_ismaclabel(const char *name
)
5911 return (strcmp(name
, XATTR_SELINUX_SUFFIX
) == 0);
5914 static int selinux_secid_to_secctx(u32 secid
, char **secdata
, u32
*seclen
)
5916 return security_sid_to_context(secid
, secdata
, seclen
);
5919 static int selinux_secctx_to_secid(const char *secdata
, u32 seclen
, u32
*secid
)
5921 return security_context_to_sid(secdata
, seclen
, secid
, GFP_KERNEL
);
5924 static void selinux_release_secctx(char *secdata
, u32 seclen
)
5929 static void selinux_inode_invalidate_secctx(struct inode
*inode
)
5931 struct inode_security_struct
*isec
= selinux_inode(inode
);
5933 spin_lock(&isec
->lock
);
5934 isec
->initialized
= LABEL_INVALID
;
5935 spin_unlock(&isec
->lock
);
5939 * called with inode->i_mutex locked
5941 static int selinux_inode_notifysecctx(struct inode
*inode
, void *ctx
, u32 ctxlen
)
5943 return selinux_inode_setsecurity(inode
, XATTR_SELINUX_SUFFIX
, ctx
, ctxlen
, 0);
5947 * called with inode->i_mutex locked
5949 static int selinux_inode_setsecctx(struct dentry
*dentry
, void *ctx
, u32 ctxlen
)
5951 return __vfs_setxattr_noperm(dentry
, XATTR_NAME_SELINUX
, ctx
, ctxlen
, 0);
5954 static int selinux_inode_getsecctx(struct inode
*inode
, void **ctx
, u32
*ctxlen
)
5957 len
= selinux_inode_getsecurity(inode
, XATTR_SELINUX_SUFFIX
,
5966 static int selinux_key_alloc(struct key
*k
, const struct cred
*cred
,
5967 unsigned long flags
)
5969 const struct task_security_struct
*tsec
;
5970 struct key_security_struct
*ksec
= selinux_key(k
);
5972 tsec
= selinux_cred(cred
);
5973 if (tsec
->keycreate_sid
)
5974 ksec
->sid
= tsec
->keycreate_sid
;
5976 ksec
->sid
= tsec
->sid
;
5981 static int selinux_key_permission(key_ref_t key_ref
,
5982 const struct cred
*cred
,
5986 struct key_security_struct
*ksec
;
5989 /* if no specific permissions are requested, we skip the
5990 permission check. No serious, additional covert channels
5991 appear to be created. */
5995 sid
= cred_sid(cred
);
5997 key
= key_ref_to_ptr(key_ref
);
5998 ksec
= selinux_key(key
);
6000 return avc_has_perm(sid
, ksec
->sid
, SECCLASS_KEY
, perm
, NULL
);
6003 static int selinux_key_getsecurity(struct key
*key
, char **_buffer
)
6005 struct key_security_struct
*ksec
= selinux_key(key
);
6006 char *context
= NULL
;
6010 rc
= security_sid_to_context(ksec
->sid
, &context
, &len
);
6018 #ifdef CONFIG_SECURITY_INFINIBAND
6019 static int selinux_ib_pkey_access(void *ib_sec
, u64 subnet_prefix
, u16 pkey_val
)
6021 struct common_audit_data ad
;
6024 struct ib_security_struct
*sec
= ib_sec
;
6025 struct lsm_ibpkey_audit ibpkey
;
6027 err
= sel_ib_pkey_sid(subnet_prefix
, pkey_val
, &sid
);
6031 ad
.type
= LSM_AUDIT_DATA_IBPKEY
;
6032 ibpkey
.subnet_prefix
= subnet_prefix
;
6033 ibpkey
.pkey
= pkey_val
;
6034 ad
.u
.ibpkey
= &ibpkey
;
6035 return avc_has_perm(sec
->sid
, sid
,
6036 SECCLASS_INFINIBAND_PKEY
,
6037 INFINIBAND_PKEY__ACCESS
, &ad
);
6040 static int selinux_ib_endport_manage_subnet(void *ib_sec
, const char *dev_name
,
6043 struct common_audit_data ad
;
6046 struct ib_security_struct
*sec
= ib_sec
;
6047 struct lsm_ibendport_audit ibendport
;
6049 err
= security_ib_endport_sid(dev_name
, port_num
, &sid
);
6054 ad
.type
= LSM_AUDIT_DATA_IBENDPORT
;
6055 strncpy(ibendport
.dev_name
, dev_name
, sizeof(ibendport
.dev_name
));
6056 ibendport
.port
= port_num
;
6057 ad
.u
.ibendport
= &ibendport
;
6058 return avc_has_perm(sec
->sid
, sid
,
6059 SECCLASS_INFINIBAND_ENDPORT
,
6060 INFINIBAND_ENDPORT__MANAGE_SUBNET
, &ad
);
6063 static int selinux_ib_alloc_security(void **ib_sec
)
6065 struct ib_security_struct
*sec
;
6067 sec
= kzalloc(sizeof(*sec
), GFP_KERNEL
);
6070 sec
->sid
= current_sid();
6076 static void selinux_ib_free_security(void *ib_sec
)
6082 #ifdef CONFIG_BPF_SYSCALL
6083 static int selinux_bpf(int cmd
, union bpf_attr
*attr
,
6086 u32 sid
= current_sid();
6090 case BPF_MAP_CREATE
:
6091 ret
= avc_has_perm(sid
, sid
, SECCLASS_BPF
, BPF__MAP_CREATE
,
6095 ret
= avc_has_perm(sid
, sid
, SECCLASS_BPF
, BPF__PROG_LOAD
,
6106 static u32
bpf_map_fmode_to_av(fmode_t fmode
)
6110 if (fmode
& FMODE_READ
)
6111 av
|= BPF__MAP_READ
;
6112 if (fmode
& FMODE_WRITE
)
6113 av
|= BPF__MAP_WRITE
;
6117 /* This function will check the file pass through unix socket or binder to see
6118 * if it is a bpf related object. And apply correspinding checks on the bpf
6119 * object based on the type. The bpf maps and programs, not like other files and
6120 * socket, are using a shared anonymous inode inside the kernel as their inode.
6121 * So checking that inode cannot identify if the process have privilege to
6122 * access the bpf object and that's why we have to add this additional check in
6123 * selinux_file_receive and selinux_binder_transfer_files.
6125 static int bpf_fd_pass(struct file
*file
, u32 sid
)
6127 struct bpf_security_struct
*bpfsec
;
6128 struct bpf_prog
*prog
;
6129 struct bpf_map
*map
;
6132 if (file
->f_op
== &bpf_map_fops
) {
6133 map
= file
->private_data
;
6134 bpfsec
= map
->security
;
6135 ret
= avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6136 bpf_map_fmode_to_av(file
->f_mode
), NULL
);
6139 } else if (file
->f_op
== &bpf_prog_fops
) {
6140 prog
= file
->private_data
;
6141 bpfsec
= prog
->aux
->security
;
6142 ret
= avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6143 BPF__PROG_RUN
, NULL
);
6150 static int selinux_bpf_map(struct bpf_map
*map
, fmode_t fmode
)
6152 u32 sid
= current_sid();
6153 struct bpf_security_struct
*bpfsec
;
6155 bpfsec
= map
->security
;
6156 return avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6157 bpf_map_fmode_to_av(fmode
), NULL
);
6160 static int selinux_bpf_prog(struct bpf_prog
*prog
)
6162 u32 sid
= current_sid();
6163 struct bpf_security_struct
*bpfsec
;
6165 bpfsec
= prog
->aux
->security
;
6166 return avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6167 BPF__PROG_RUN
, NULL
);
6170 static int selinux_bpf_map_alloc(struct bpf_map
*map
)
6172 struct bpf_security_struct
*bpfsec
;
6174 bpfsec
= kzalloc(sizeof(*bpfsec
), GFP_KERNEL
);
6178 bpfsec
->sid
= current_sid();
6179 map
->security
= bpfsec
;
6184 static void selinux_bpf_map_free(struct bpf_map
*map
)
6186 struct bpf_security_struct
*bpfsec
= map
->security
;
6188 map
->security
= NULL
;
6192 static int selinux_bpf_prog_alloc(struct bpf_prog_aux
*aux
)
6194 struct bpf_security_struct
*bpfsec
;
6196 bpfsec
= kzalloc(sizeof(*bpfsec
), GFP_KERNEL
);
6200 bpfsec
->sid
= current_sid();
6201 aux
->security
= bpfsec
;
6206 static void selinux_bpf_prog_free(struct bpf_prog_aux
*aux
)
6208 struct bpf_security_struct
*bpfsec
= aux
->security
;
6210 aux
->security
= NULL
;
6215 struct lsm_blob_sizes selinux_blob_sizes
= {
6216 .lbs_cred
= sizeof(struct task_security_struct
),
6217 .lbs_file
= sizeof(struct file_security_struct
),
6218 .lbs_inode
= sizeof(struct inode_security_struct
),
6219 .lbs_ipc
= sizeof(struct ipc_security_struct
),
6221 .lbs_key
= sizeof(struct key_security_struct
),
6222 #endif /* CONFIG_KEYS */
6223 .lbs_msg_msg
= sizeof(struct msg_security_struct
),
6224 .lbs_sock
= sizeof(struct sk_security_struct
),
6225 .lbs_superblock
= sizeof(struct superblock_security_struct
),
6228 static struct security_hook_list selinux_hooks
[] __lsm_ro_after_init
= {
6229 LSM_HOOK_INIT(binder_set_context_mgr
, selinux_binder_set_context_mgr
),
6230 LSM_HOOK_INIT(binder_transaction
, selinux_binder_transaction
),
6231 LSM_HOOK_INIT(binder_transfer_binder
, selinux_binder_transfer_binder
),
6232 LSM_HOOK_INIT(binder_transfer_file
, selinux_binder_transfer_file
),
6234 LSM_HOOK_INIT(ptrace_access_check
, selinux_ptrace_access_check
),
6235 LSM_HOOK_INIT(ptrace_traceme
, selinux_ptrace_traceme
),
6236 LSM_HOOK_INIT(capget
, selinux_capget
),
6237 LSM_HOOK_INIT(capset
, selinux_capset
),
6238 LSM_HOOK_INIT(capable
, selinux_capable
),
6239 LSM_HOOK_INIT(quotactl
, selinux_quotactl
),
6240 LSM_HOOK_INIT(quota_on
, selinux_quota_on
),
6241 LSM_HOOK_INIT(syslog
, selinux_syslog
),
6242 LSM_HOOK_INIT(vm_enough_memory
, selinux_vm_enough_memory
),
6244 LSM_HOOK_INIT(netlink_send
, selinux_netlink_send
),
6246 LSM_HOOK_INIT(bprm_set_creds
, selinux_bprm_set_creds
),
6247 LSM_HOOK_INIT(bprm_committing_creds
, selinux_bprm_committing_creds
),
6248 LSM_HOOK_INIT(bprm_committed_creds
, selinux_bprm_committed_creds
),
6250 LSM_HOOK_INIT(sb_alloc_security
, selinux_sb_alloc_security
),
6251 LSM_HOOK_INIT(sb_copy_data
, selinux_sb_copy_data
),
6252 LSM_HOOK_INIT(sb_remount
, selinux_sb_remount
),
6253 LSM_HOOK_INIT(sb_kern_mount
, selinux_sb_kern_mount
),
6254 LSM_HOOK_INIT(sb_show_options
, selinux_sb_show_options
),
6255 LSM_HOOK_INIT(sb_statfs
, selinux_sb_statfs
),
6256 LSM_HOOK_INIT(sb_mount
, selinux_mount
),
6257 LSM_HOOK_INIT(sb_umount
, selinux_umount
),
6258 LSM_HOOK_INIT(sb_set_mnt_opts
, selinux_set_mnt_opts
),
6259 LSM_HOOK_INIT(sb_clone_mnt_opts
, selinux_sb_clone_mnt_opts
),
6260 LSM_HOOK_INIT(sb_parse_opts_str
, selinux_parse_opts_str
),
6262 LSM_HOOK_INIT(dentry_init_security
, selinux_dentry_init_security
),
6263 LSM_HOOK_INIT(dentry_create_files_as
, selinux_dentry_create_files_as
),
6265 LSM_HOOK_INIT(inode_alloc_security
, selinux_inode_alloc_security
),
6266 LSM_HOOK_INIT(inode_free_security
, selinux_inode_free_security
),
6267 LSM_HOOK_INIT(inode_init_security
, selinux_inode_init_security
),
6268 LSM_HOOK_INIT(inode_create
, selinux_inode_create
),
6269 LSM_HOOK_INIT(inode_link
, selinux_inode_link
),
6270 LSM_HOOK_INIT(inode_unlink
, selinux_inode_unlink
),
6271 LSM_HOOK_INIT(inode_symlink
, selinux_inode_symlink
),
6272 LSM_HOOK_INIT(inode_mkdir
, selinux_inode_mkdir
),
6273 LSM_HOOK_INIT(inode_rmdir
, selinux_inode_rmdir
),
6274 LSM_HOOK_INIT(inode_mknod
, selinux_inode_mknod
),
6275 LSM_HOOK_INIT(inode_rename
, selinux_inode_rename
),
6276 LSM_HOOK_INIT(inode_readlink
, selinux_inode_readlink
),
6277 LSM_HOOK_INIT(inode_follow_link
, selinux_inode_follow_link
),
6278 LSM_HOOK_INIT(inode_permission
, selinux_inode_permission
),
6279 LSM_HOOK_INIT(inode_setattr
, selinux_inode_setattr
),
6280 LSM_HOOK_INIT(inode_getattr
, selinux_inode_getattr
),
6281 LSM_HOOK_INIT(inode_setxattr
, selinux_inode_setxattr
),
6282 LSM_HOOK_INIT(inode_post_setxattr
, selinux_inode_post_setxattr
),
6283 LSM_HOOK_INIT(inode_getxattr
, selinux_inode_getxattr
),
6284 LSM_HOOK_INIT(inode_listxattr
, selinux_inode_listxattr
),
6285 LSM_HOOK_INIT(inode_removexattr
, selinux_inode_removexattr
),
6286 LSM_HOOK_INIT(inode_getsecurity
, selinux_inode_getsecurity
),
6287 LSM_HOOK_INIT(inode_setsecurity
, selinux_inode_setsecurity
),
6288 LSM_HOOK_INIT(inode_listsecurity
, selinux_inode_listsecurity
),
6289 LSM_HOOK_INIT(inode_getsecid
, selinux_inode_getsecid
),
6290 LSM_HOOK_INIT(inode_copy_up
, selinux_inode_copy_up
),
6291 LSM_HOOK_INIT(inode_copy_up_xattr
, selinux_inode_copy_up_xattr
),
6293 LSM_HOOK_INIT(file_permission
, selinux_file_permission
),
6294 LSM_HOOK_INIT(file_alloc_security
, selinux_file_alloc_security
),
6295 LSM_HOOK_INIT(file_ioctl
, selinux_file_ioctl
),
6296 LSM_HOOK_INIT(mmap_file
, selinux_mmap_file
),
6297 LSM_HOOK_INIT(mmap_addr
, selinux_mmap_addr
),
6298 LSM_HOOK_INIT(file_mprotect
, selinux_file_mprotect
),
6299 LSM_HOOK_INIT(file_lock
, selinux_file_lock
),
6300 LSM_HOOK_INIT(file_fcntl
, selinux_file_fcntl
),
6301 LSM_HOOK_INIT(file_set_fowner
, selinux_file_set_fowner
),
6302 LSM_HOOK_INIT(file_send_sigiotask
, selinux_file_send_sigiotask
),
6303 LSM_HOOK_INIT(file_receive
, selinux_file_receive
),
6305 LSM_HOOK_INIT(file_open
, selinux_file_open
),
6307 LSM_HOOK_INIT(task_alloc
, selinux_task_alloc
),
6308 LSM_HOOK_INIT(cred_prepare
, selinux_cred_prepare
),
6309 LSM_HOOK_INIT(cred_transfer
, selinux_cred_transfer
),
6310 LSM_HOOK_INIT(kernel_act_as
, selinux_kernel_act_as
),
6311 LSM_HOOK_INIT(kernel_create_files_as
, selinux_kernel_create_files_as
),
6312 LSM_HOOK_INIT(kernel_module_request
, selinux_kernel_module_request
),
6313 LSM_HOOK_INIT(kernel_read_file
, selinux_kernel_read_file
),
6314 LSM_HOOK_INIT(task_setpgid
, selinux_task_setpgid
),
6315 LSM_HOOK_INIT(task_getpgid
, selinux_task_getpgid
),
6316 LSM_HOOK_INIT(task_getsid
, selinux_task_getsid
),
6317 LSM_HOOK_INIT(task_getsecid
, selinux_task_getsecid
),
6318 LSM_HOOK_INIT(task_setnice
, selinux_task_setnice
),
6319 LSM_HOOK_INIT(task_setioprio
, selinux_task_setioprio
),
6320 LSM_HOOK_INIT(task_getioprio
, selinux_task_getioprio
),
6321 LSM_HOOK_INIT(task_prlimit
, selinux_task_prlimit
),
6322 LSM_HOOK_INIT(task_setrlimit
, selinux_task_setrlimit
),
6323 LSM_HOOK_INIT(task_setscheduler
, selinux_task_setscheduler
),
6324 LSM_HOOK_INIT(task_getscheduler
, selinux_task_getscheduler
),
6325 LSM_HOOK_INIT(task_movememory
, selinux_task_movememory
),
6326 LSM_HOOK_INIT(task_kill
, selinux_task_kill
),
6327 LSM_HOOK_INIT(task_to_inode
, selinux_task_to_inode
),
6329 LSM_HOOK_INIT(ipc_permission
, selinux_ipc_permission
),
6330 LSM_HOOK_INIT(ipc_getsecid
, selinux_ipc_getsecid
),
6332 LSM_HOOK_INIT(msg_msg_alloc_security
, selinux_msg_msg_alloc_security
),
6334 LSM_HOOK_INIT(msg_queue_alloc_security
,
6335 selinux_msg_queue_alloc_security
),
6336 LSM_HOOK_INIT(msg_queue_associate
, selinux_msg_queue_associate
),
6337 LSM_HOOK_INIT(msg_queue_msgctl
, selinux_msg_queue_msgctl
),
6338 LSM_HOOK_INIT(msg_queue_msgsnd
, selinux_msg_queue_msgsnd
),
6339 LSM_HOOK_INIT(msg_queue_msgrcv
, selinux_msg_queue_msgrcv
),
6341 LSM_HOOK_INIT(shm_alloc_security
, selinux_shm_alloc_security
),
6342 LSM_HOOK_INIT(shm_associate
, selinux_shm_associate
),
6343 LSM_HOOK_INIT(shm_shmctl
, selinux_shm_shmctl
),
6344 LSM_HOOK_INIT(shm_shmat
, selinux_shm_shmat
),
6346 LSM_HOOK_INIT(sem_alloc_security
, selinux_sem_alloc_security
),
6347 LSM_HOOK_INIT(sem_associate
, selinux_sem_associate
),
6348 LSM_HOOK_INIT(sem_semctl
, selinux_sem_semctl
),
6349 LSM_HOOK_INIT(sem_semop
, selinux_sem_semop
),
6351 LSM_HOOK_INIT(d_instantiate
, selinux_d_instantiate
),
6353 LSM_HOOK_INIT(getprocattr
, selinux_getprocattr
),
6354 LSM_HOOK_INIT(setprocattr
, selinux_setprocattr
),
6356 LSM_HOOK_INIT(ismaclabel
, selinux_ismaclabel
),
6357 LSM_HOOK_INIT(secid_to_secctx
, selinux_secid_to_secctx
),
6358 LSM_HOOK_INIT(secctx_to_secid
, selinux_secctx_to_secid
),
6359 LSM_HOOK_INIT(release_secctx
, selinux_release_secctx
),
6360 LSM_HOOK_INIT(inode_invalidate_secctx
, selinux_inode_invalidate_secctx
),
6361 LSM_HOOK_INIT(inode_notifysecctx
, selinux_inode_notifysecctx
),
6362 LSM_HOOK_INIT(inode_setsecctx
, selinux_inode_setsecctx
),
6363 LSM_HOOK_INIT(inode_getsecctx
, selinux_inode_getsecctx
),
6365 LSM_HOOK_INIT(unix_stream_connect
, selinux_socket_unix_stream_connect
),
6366 LSM_HOOK_INIT(unix_may_send
, selinux_socket_unix_may_send
),
6368 LSM_HOOK_INIT(socket_create
, selinux_socket_create
),
6369 LSM_HOOK_INIT(socket_post_create
, selinux_socket_post_create
),
6370 LSM_HOOK_INIT(socket_bind
, selinux_socket_bind
),
6371 LSM_HOOK_INIT(socket_connect
, selinux_socket_connect
),
6372 LSM_HOOK_INIT(socket_listen
, selinux_socket_listen
),
6373 LSM_HOOK_INIT(socket_accept
, selinux_socket_accept
),
6374 LSM_HOOK_INIT(socket_sendmsg
, selinux_socket_sendmsg
),
6375 LSM_HOOK_INIT(socket_recvmsg
, selinux_socket_recvmsg
),
6376 LSM_HOOK_INIT(socket_getsockname
, selinux_socket_getsockname
),
6377 LSM_HOOK_INIT(socket_getpeername
, selinux_socket_getpeername
),
6378 LSM_HOOK_INIT(socket_getsockopt
, selinux_socket_getsockopt
),
6379 LSM_HOOK_INIT(socket_setsockopt
, selinux_socket_setsockopt
),
6380 LSM_HOOK_INIT(socket_shutdown
, selinux_socket_shutdown
),
6381 LSM_HOOK_INIT(socket_sock_rcv_skb
, selinux_socket_sock_rcv_skb
),
6382 LSM_HOOK_INIT(socket_getpeersec_stream
,
6383 selinux_socket_getpeersec_stream
),
6384 LSM_HOOK_INIT(socket_getpeersec_dgram
, selinux_socket_getpeersec_dgram
),
6385 LSM_HOOK_INIT(sk_alloc_security
, selinux_sk_alloc_security
),
6386 LSM_HOOK_INIT(sk_free_security
, selinux_sk_free_security
),
6387 LSM_HOOK_INIT(sk_clone_security
, selinux_sk_clone_security
),
6388 LSM_HOOK_INIT(sk_getsecid
, selinux_sk_getsecid
),
6389 LSM_HOOK_INIT(sock_graft
, selinux_sock_graft
),
6390 LSM_HOOK_INIT(inet_conn_request
, selinux_inet_conn_request
),
6391 LSM_HOOK_INIT(inet_csk_clone
, selinux_inet_csk_clone
),
6392 LSM_HOOK_INIT(inet_conn_established
, selinux_inet_conn_established
),
6393 LSM_HOOK_INIT(secmark_relabel_packet
, selinux_secmark_relabel_packet
),
6394 LSM_HOOK_INIT(secmark_refcount_inc
, selinux_secmark_refcount_inc
),
6395 LSM_HOOK_INIT(secmark_refcount_dec
, selinux_secmark_refcount_dec
),
6396 LSM_HOOK_INIT(req_classify_flow
, selinux_req_classify_flow
),
6397 LSM_HOOK_INIT(tun_dev_alloc_security
, selinux_tun_dev_alloc_security
),
6398 LSM_HOOK_INIT(tun_dev_free_security
, selinux_tun_dev_free_security
),
6399 LSM_HOOK_INIT(tun_dev_create
, selinux_tun_dev_create
),
6400 LSM_HOOK_INIT(tun_dev_attach_queue
, selinux_tun_dev_attach_queue
),
6401 LSM_HOOK_INIT(tun_dev_attach
, selinux_tun_dev_attach
),
6402 LSM_HOOK_INIT(tun_dev_open
, selinux_tun_dev_open
),
6403 #ifdef CONFIG_SECURITY_INFINIBAND
6404 LSM_HOOK_INIT(ib_pkey_access
, selinux_ib_pkey_access
),
6405 LSM_HOOK_INIT(ib_endport_manage_subnet
,
6406 selinux_ib_endport_manage_subnet
),
6407 LSM_HOOK_INIT(ib_alloc_security
, selinux_ib_alloc_security
),
6408 LSM_HOOK_INIT(ib_free_security
, selinux_ib_free_security
),
6410 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6411 LSM_HOOK_INIT(xfrm_policy_alloc_security
, selinux_xfrm_policy_alloc
),
6412 LSM_HOOK_INIT(xfrm_policy_clone_security
, selinux_xfrm_policy_clone
),
6413 LSM_HOOK_INIT(xfrm_policy_free_security
, selinux_xfrm_policy_free
),
6414 LSM_HOOK_INIT(xfrm_policy_delete_security
, selinux_xfrm_policy_delete
),
6415 LSM_HOOK_INIT(xfrm_state_alloc
, selinux_xfrm_state_alloc
),
6416 LSM_HOOK_INIT(xfrm_state_alloc_acquire
,
6417 selinux_xfrm_state_alloc_acquire
),
6418 LSM_HOOK_INIT(xfrm_state_free_security
, selinux_xfrm_state_free
),
6419 LSM_HOOK_INIT(xfrm_state_delete_security
, selinux_xfrm_state_delete
),
6420 LSM_HOOK_INIT(xfrm_policy_lookup
, selinux_xfrm_policy_lookup
),
6421 LSM_HOOK_INIT(xfrm_state_pol_flow_match
,
6422 selinux_xfrm_state_pol_flow_match
),
6423 LSM_HOOK_INIT(xfrm_decode_session
, selinux_xfrm_decode_session
),
6427 LSM_HOOK_INIT(key_alloc
, selinux_key_alloc
),
6428 LSM_HOOK_INIT(key_permission
, selinux_key_permission
),
6429 LSM_HOOK_INIT(key_getsecurity
, selinux_key_getsecurity
),
6433 LSM_HOOK_INIT(audit_rule_init
, selinux_audit_rule_init
),
6434 LSM_HOOK_INIT(audit_rule_known
, selinux_audit_rule_known
),
6435 LSM_HOOK_INIT(audit_rule_match
, selinux_audit_rule_match
),
6436 LSM_HOOK_INIT(audit_rule_free
, selinux_audit_rule_free
),
6439 #ifdef CONFIG_BPF_SYSCALL
6440 LSM_HOOK_INIT(bpf
, selinux_bpf
),
6441 LSM_HOOK_INIT(bpf_map
, selinux_bpf_map
),
6442 LSM_HOOK_INIT(bpf_prog
, selinux_bpf_prog
),
6443 LSM_HOOK_INIT(bpf_map_alloc_security
, selinux_bpf_map_alloc
),
6444 LSM_HOOK_INIT(bpf_prog_alloc_security
, selinux_bpf_prog_alloc
),
6445 LSM_HOOK_INIT(bpf_map_free_security
, selinux_bpf_map_free
),
6446 LSM_HOOK_INIT(bpf_prog_free_security
, selinux_bpf_prog_free
),
6450 static __init
int selinux_init(void)
6454 if (!security_module_enable("selinux",
6455 IS_ENABLED(CONFIG_SECURITY_SELINUX_STACKED
))) {
6456 selinux_enabled
= 0;
6461 security_add_blobs(&selinux_blob_sizes
);
6466 if (!selinux_enabled
) {
6467 printk(KERN_INFO
"SELinux: Disabled at boot.\n");
6471 printk(KERN_INFO
"SELinux: Initializing.\n");
6473 /* Set the security state for the initial task. */
6474 cred_init_security();
6476 default_noexec
= !(VM_DATA_DEFAULT_FLAGS
& VM_EXEC
);
6480 security_add_hooks(selinux_hooks
, ARRAY_SIZE(selinux_hooks
), "selinux");
6482 if (avc_add_callback(selinux_netcache_avc_callback
, AVC_CALLBACK_RESET
))
6483 panic("SELinux: Unable to register AVC netcache callback\n");
6485 if (avc_add_callback(selinux_lsm_notifier_avc_callback
, AVC_CALLBACK_RESET
))
6486 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6488 if (selinux_enforcing
)
6489 printk(KERN_DEBUG
"SELinux: Starting in enforcing mode\n");
6491 printk(KERN_DEBUG
"SELinux: Starting in permissive mode\n");
6496 static void delayed_superblock_init(struct super_block
*sb
, void *unused
)
6498 superblock_doinit(sb
, NULL
);
6501 void selinux_complete_init(void)
6503 printk(KERN_DEBUG
"SELinux: Completing initialization.\n");
6505 /* Set up any superblocks initialized prior to the policy load. */
6506 printk(KERN_DEBUG
"SELinux: Setting up existing superblocks.\n");
6507 iterate_supers(delayed_superblock_init
, NULL
);
6510 /* SELinux requires early initialization in order to label
6511 all processes and objects when they are created. */
6512 security_initcall(selinux_init
);
6514 #if defined(CONFIG_NETFILTER)
6516 static const struct nf_hook_ops selinux_nf_ops
[] = {
6518 .hook
= selinux_ipv4_postroute
,
6520 .hooknum
= NF_INET_POST_ROUTING
,
6521 .priority
= NF_IP_PRI_SELINUX_LAST
,
6524 .hook
= selinux_ipv4_forward
,
6526 .hooknum
= NF_INET_FORWARD
,
6527 .priority
= NF_IP_PRI_SELINUX_FIRST
,
6530 .hook
= selinux_ipv4_output
,
6532 .hooknum
= NF_INET_LOCAL_OUT
,
6533 .priority
= NF_IP_PRI_SELINUX_FIRST
,
6535 #if IS_ENABLED(CONFIG_IPV6)
6537 .hook
= selinux_ipv6_postroute
,
6539 .hooknum
= NF_INET_POST_ROUTING
,
6540 .priority
= NF_IP6_PRI_SELINUX_LAST
,
6543 .hook
= selinux_ipv6_forward
,
6545 .hooknum
= NF_INET_FORWARD
,
6546 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
6549 .hook
= selinux_ipv6_output
,
6551 .hooknum
= NF_INET_LOCAL_OUT
,
6552 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
6557 static int __net_init
selinux_nf_register(struct net
*net
)
6559 return nf_register_net_hooks(net
, selinux_nf_ops
,
6560 ARRAY_SIZE(selinux_nf_ops
));
6563 static void __net_exit
selinux_nf_unregister(struct net
*net
)
6565 nf_unregister_net_hooks(net
, selinux_nf_ops
,
6566 ARRAY_SIZE(selinux_nf_ops
));
6569 static struct pernet_operations selinux_net_ops
= {
6570 .init
= selinux_nf_register
,
6571 .exit
= selinux_nf_unregister
,
6574 static int __init
selinux_nf_ip_init(void)
6578 if (!selinux_enabled
)
6581 printk(KERN_DEBUG
"SELinux: Registering netfilter hooks\n");
6583 err
= register_pernet_subsys(&selinux_net_ops
);
6585 panic("SELinux: register_pernet_subsys: error %d\n", err
);
6589 __initcall(selinux_nf_ip_init
);
6591 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6592 static void selinux_nf_ip_exit(void)
6594 printk(KERN_DEBUG
"SELinux: Unregistering netfilter hooks\n");
6596 unregister_pernet_subsys(&selinux_net_ops
);
6600 #else /* CONFIG_NETFILTER */
6602 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6603 #define selinux_nf_ip_exit()
6606 #endif /* CONFIG_NETFILTER */
6608 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6609 static int selinux_disabled
;
6611 int selinux_disable(void)
6613 if (ss_initialized
) {
6614 /* Not permitted after initial policy load. */
6618 if (selinux_disabled
) {
6619 /* Only do this once. */
6623 printk(KERN_INFO
"SELinux: Disabled at runtime.\n");
6625 selinux_disabled
= 1;
6626 selinux_enabled
= 0;
6628 security_delete_hooks(selinux_hooks
, ARRAY_SIZE(selinux_hooks
));
6630 /* Try to destroy the avc node cache */
6633 /* Unregister netfilter hooks. */
6634 selinux_nf_ip_exit();
6636 /* Unregister selinuxfs. */