]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:


5e61498098f6cc11f1422882e3d818f87b039ab5
[mirror_ubuntu-bionic-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89
90 #include "avc.h"
91 #include "objsec.h"
92 #include "netif.h"
93 #include "netnode.h"
94 #include "netport.h"
95 #include "ibpkey.h"
96 #include "xfrm.h"
97 #include "netlabel.h"
98 #include "audit.h"
99 #include "avc_ss.h"
100
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
106
107 static int __init enforcing_setup(char *str)
108 {
109 unsigned long enforcing;
110 if (!kstrtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0;
112 return 1;
113 }
114 __setup("enforcing=", enforcing_setup);
115 #endif
116
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119
120 static int __init selinux_enabled_setup(char *str)
121 {
122 unsigned long enabled;
123 if (!kstrtoul(str, 0, &enabled))
124 selinux_enabled = enabled ? 1 : 0;
125 return 1;
126 }
127 __setup("selinux=", selinux_enabled_setup);
128 #else
129 int selinux_enabled = 1;
130 #endif
131
132 /**
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
134 *
135 * Description:
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
139 * enabled, false (0) if SECMARK is disabled. If the always_check_network
140 * policy capability is enabled, SECMARK is always considered enabled.
141 *
142 */
143 static int selinux_secmark_enabled(void)
144 {
145 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
146 }
147
148 /**
149 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
150 *
151 * Description:
152 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
153 * (1) if any are enabled or false (0) if neither are enabled. If the
154 * always_check_network policy capability is enabled, peer labeling
155 * is always considered enabled.
156 *
157 */
158 static int selinux_peerlbl_enabled(void)
159 {
160 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
161 }
162
163 static int selinux_netcache_avc_callback(u32 event)
164 {
165 if (event == AVC_CALLBACK_RESET) {
166 sel_netif_flush();
167 sel_netnode_flush();
168 sel_netport_flush();
169 synchronize_net();
170 }
171 return 0;
172 }
173
174 static int selinux_lsm_notifier_avc_callback(u32 event)
175 {
176 if (event == AVC_CALLBACK_RESET) {
177 sel_ib_pkey_flush();
178 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
179 }
180
181 return 0;
182 }
183
184 /*
185 * initialise the security for the init task
186 */
187 static void cred_init_security(void)
188 {
189 struct cred *cred = (struct cred *) current->real_cred;
190 struct task_security_struct *tsec;
191
192 lsm_early_cred(cred);
193 tsec = selinux_cred(cred);
194 tsec->osid = tsec->sid = SECINITSID_KERNEL;
195 }
196
197 /*
198 * get the security ID of a set of credentials
199 */
200 static inline u32 cred_sid(const struct cred *cred)
201 {
202 const struct task_security_struct *tsec;
203
204 tsec = selinux_cred(cred);
205 return tsec->sid;
206 }
207
208 /*
209 * get the objective security ID of a task
210 */
211 static inline u32 task_sid(const struct task_struct *task)
212 {
213 u32 sid;
214
215 rcu_read_lock();
216 sid = cred_sid(__task_cred(task));
217 rcu_read_unlock();
218 return sid;
219 }
220
221 /* Allocate and free functions for each kind of security blob. */
222
223 static int inode_alloc_security(struct inode *inode)
224 {
225 struct inode_security_struct *isec = selinux_inode(inode);
226 u32 sid = current_sid();
227
228 spin_lock_init(&isec->lock);
229 INIT_LIST_HEAD(&isec->list);
230 isec->inode = inode;
231 isec->sid = SECINITSID_UNLABELED;
232 isec->sclass = SECCLASS_FILE;
233 isec->task_sid = sid;
234 isec->initialized = LABEL_INVALID;
235
236 return 0;
237 }
238
239 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
240
241 /*
242 * Try reloading inode security labels that have been marked as invalid. The
243 * @may_sleep parameter indicates when sleeping and thus reloading labels is
244 * allowed; when set to false, returns -ECHILD when the label is
245 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
246 * when no dentry is available, set it to NULL instead.
247 */
248 static int __inode_security_revalidate(struct inode *inode,
249 struct dentry *opt_dentry,
250 bool may_sleep)
251 {
252 struct inode_security_struct *isec = selinux_inode(inode);
253
254 might_sleep_if(may_sleep);
255
256 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
257 if (!may_sleep)
258 return -ECHILD;
259
260 /*
261 * Try reloading the inode security label. This will fail if
262 * @opt_dentry is NULL and no dentry for this inode can be
263 * found; in that case, continue using the old label.
264 */
265 inode_doinit_with_dentry(inode, opt_dentry);
266 }
267 return 0;
268 }
269
270 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
271 {
272 return selinux_inode(inode);
273 }
274
275 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
276 {
277 int error;
278
279 error = __inode_security_revalidate(inode, NULL, !rcu);
280 if (error)
281 return ERR_PTR(error);
282 return selinux_inode(inode);
283 }
284
285 /*
286 * Get the security label of an inode.
287 */
288 static struct inode_security_struct *inode_security(struct inode *inode)
289 {
290 __inode_security_revalidate(inode, NULL, true);
291 return selinux_inode(inode);
292 }
293
294 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
295 {
296 struct inode *inode = d_backing_inode(dentry);
297
298 return selinux_inode(inode);
299 }
300
301 /*
302 * Get the security label of a dentry's backing inode.
303 */
304 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
305 {
306 struct inode *inode = d_backing_inode(dentry);
307
308 __inode_security_revalidate(inode, dentry, true);
309 return selinux_inode(inode);
310 }
311
312 static void inode_free_security(struct inode *inode)
313 {
314 struct inode_security_struct *isec = selinux_inode(inode);
315 struct superblock_security_struct *sbsec =
316 selinux_superblock(inode->i_sb);
317
318 /*
319 * As not all inode security structures are in a list, we check for
320 * empty list outside of the lock to make sure that we won't waste
321 * time taking a lock doing nothing.
322 *
323 * The list_del_init() function can be safely called more than once.
324 * It should not be possible for this function to be called with
325 * concurrent list_add(), but for better safety against future changes
326 * in the code, we use list_empty_careful() here.
327 */
328 if (!list_empty_careful(&isec->list)) {
329 spin_lock(&sbsec->isec_lock);
330 list_del_init(&isec->list);
331 spin_unlock(&sbsec->isec_lock);
332 }
333 }
334
335 static int file_alloc_security(struct file *file)
336 {
337 struct file_security_struct *fsec = selinux_file(file);
338 u32 sid = current_sid();
339
340 fsec->sid = sid;
341 fsec->fown_sid = sid;
342
343 return 0;
344 }
345
346 static int superblock_alloc_security(struct super_block *sb)
347 {
348 struct superblock_security_struct *sbsec = selinux_superblock(sb);
349
350 mutex_init(&sbsec->lock);
351 INIT_LIST_HEAD(&sbsec->isec_head);
352 spin_lock_init(&sbsec->isec_lock);
353 sbsec->sb = sb;
354 sbsec->sid = SECINITSID_UNLABELED;
355 sbsec->def_sid = SECINITSID_FILE;
356 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
357
358 return 0;
359 }
360
361 static inline int inode_doinit(struct inode *inode)
362 {
363 return inode_doinit_with_dentry(inode, NULL);
364 }
365
366 enum {
367 Opt_error = -1,
368 Opt_context = 1,
369 Opt_fscontext = 2,
370 Opt_defcontext = 3,
371 Opt_rootcontext = 4,
372 Opt_labelsupport = 5,
373 Opt_nextmntopt = 6,
374 };
375
376 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
377
378 static const match_table_t tokens = {
379 {Opt_context, CONTEXT_STR "%s"},
380 {Opt_fscontext, FSCONTEXT_STR "%s"},
381 {Opt_defcontext, DEFCONTEXT_STR "%s"},
382 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
383 {Opt_labelsupport, LABELSUPP_STR},
384 {Opt_error, NULL},
385 };
386
387 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
388
389 static int may_context_mount_sb_relabel(u32 sid,
390 struct superblock_security_struct *sbsec,
391 const struct cred *cred)
392 {
393 const struct task_security_struct *tsec = selinux_cred(cred);
394 int rc;
395
396 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__RELABELFROM, NULL);
398 if (rc)
399 return rc;
400
401 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
402 FILESYSTEM__RELABELTO, NULL);
403 return rc;
404 }
405
406 static int may_context_mount_inode_relabel(u32 sid,
407 struct superblock_security_struct *sbsec,
408 const struct cred *cred)
409 {
410 const struct task_security_struct *tsec = selinux_cred(cred);
411 int rc;
412 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
413 FILESYSTEM__RELABELFROM, NULL);
414 if (rc)
415 return rc;
416
417 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
418 FILESYSTEM__ASSOCIATE, NULL);
419 return rc;
420 }
421
422 static int selinux_is_sblabel_mnt(struct super_block *sb)
423 {
424 struct superblock_security_struct *sbsec = selinux_superblock(sb);
425
426 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
427 sbsec->behavior == SECURITY_FS_USE_TRANS ||
428 sbsec->behavior == SECURITY_FS_USE_TASK ||
429 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
430 /* Special handling. Genfs but also in-core setxattr handler */
431 !strcmp(sb->s_type->name, "sysfs") ||
432 !strcmp(sb->s_type->name, "pstore") ||
433 !strcmp(sb->s_type->name, "debugfs") ||
434 !strcmp(sb->s_type->name, "tracefs") ||
435 !strcmp(sb->s_type->name, "rootfs") ||
436 (selinux_policycap_cgroupseclabel &&
437 (!strcmp(sb->s_type->name, "cgroup") ||
438 !strcmp(sb->s_type->name, "cgroup2")));
439 }
440
441 static int sb_finish_set_opts(struct super_block *sb)
442 {
443 struct superblock_security_struct *sbsec = selinux_superblock(sb);
444 struct dentry *root = sb->s_root;
445 struct inode *root_inode = d_backing_inode(root);
446 int rc = 0;
447
448 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
449 /* Make sure that the xattr handler exists and that no
450 error other than -ENODATA is returned by getxattr on
451 the root directory. -ENODATA is ok, as this may be
452 the first boot of the SELinux kernel before we have
453 assigned xattr values to the filesystem. */
454 if (!(root_inode->i_opflags & IOP_XATTR)) {
455 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
456 "xattr support\n", sb->s_id, sb->s_type->name);
457 rc = -EOPNOTSUPP;
458 goto out;
459 }
460
461 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
462 if (rc < 0 && rc != -ENODATA) {
463 if (rc == -EOPNOTSUPP)
464 printk(KERN_WARNING "SELinux: (dev %s, type "
465 "%s) has no security xattr handler\n",
466 sb->s_id, sb->s_type->name);
467 else
468 printk(KERN_WARNING "SELinux: (dev %s, type "
469 "%s) getxattr errno %d\n", sb->s_id,
470 sb->s_type->name, -rc);
471 goto out;
472 }
473 }
474
475 sbsec->flags |= SE_SBINITIALIZED;
476
477 /*
478 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
479 * leave the flag untouched because sb_clone_mnt_opts might be handing
480 * us a superblock that needs the flag to be cleared.
481 */
482 if (selinux_is_sblabel_mnt(sb))
483 sbsec->flags |= SBLABEL_MNT;
484 else
485 sbsec->flags &= ~SBLABEL_MNT;
486
487 /* Initialize the root inode. */
488 rc = inode_doinit_with_dentry(root_inode, root);
489
490 /* Initialize any other inodes associated with the superblock, e.g.
491 inodes created prior to initial policy load or inodes created
492 during get_sb by a pseudo filesystem that directly
493 populates itself. */
494 spin_lock(&sbsec->isec_lock);
495 next_inode:
496 if (!list_empty(&sbsec->isec_head)) {
497 struct inode_security_struct *isec =
498 list_entry(sbsec->isec_head.next,
499 struct inode_security_struct, list);
500 struct inode *inode = isec->inode;
501 list_del_init(&isec->list);
502 spin_unlock(&sbsec->isec_lock);
503 inode = igrab(inode);
504 if (inode) {
505 if (!IS_PRIVATE(inode))
506 inode_doinit(inode);
507 iput(inode);
508 }
509 spin_lock(&sbsec->isec_lock);
510 goto next_inode;
511 }
512 spin_unlock(&sbsec->isec_lock);
513 out:
514 return rc;
515 }
516
517 /*
518 * This function should allow an FS to ask what it's mount security
519 * options were so it can use those later for submounts, displaying
520 * mount options, or whatever.
521 */
522 static int selinux_get_mnt_opts(const struct super_block *sb,
523 struct security_mnt_opts *opts)
524 {
525 int rc = 0, i;
526 struct superblock_security_struct *sbsec = selinux_superblock(sb);
527 char *context = NULL;
528 u32 len;
529 char tmp;
530
531 security_init_mnt_opts(opts);
532
533 if (!(sbsec->flags & SE_SBINITIALIZED))
534 return -EINVAL;
535
536 if (!ss_initialized)
537 return -EINVAL;
538
539 /* make sure we always check enough bits to cover the mask */
540 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
541
542 tmp = sbsec->flags & SE_MNTMASK;
543 /* count the number of mount options for this sb */
544 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
545 if (tmp & 0x01)
546 opts->num_mnt_opts++;
547 tmp >>= 1;
548 }
549 /* Check if the Label support flag is set */
550 if (sbsec->flags & SBLABEL_MNT)
551 opts->num_mnt_opts++;
552
553 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
554 if (!opts->mnt_opts) {
555 rc = -ENOMEM;
556 goto out_free;
557 }
558
559 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
560 if (!opts->mnt_opts_flags) {
561 rc = -ENOMEM;
562 goto out_free;
563 }
564
565 i = 0;
566 if (sbsec->flags & FSCONTEXT_MNT) {
567 rc = security_sid_to_context(sbsec->sid, &context, &len);
568 if (rc)
569 goto out_free;
570 opts->mnt_opts[i] = context;
571 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
572 }
573 if (sbsec->flags & CONTEXT_MNT) {
574 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
575 if (rc)
576 goto out_free;
577 opts->mnt_opts[i] = context;
578 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
579 }
580 if (sbsec->flags & DEFCONTEXT_MNT) {
581 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
582 if (rc)
583 goto out_free;
584 opts->mnt_opts[i] = context;
585 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
586 }
587 if (sbsec->flags & ROOTCONTEXT_MNT) {
588 struct dentry *root = sbsec->sb->s_root;
589 struct inode_security_struct *isec =
590 backing_inode_security(root);
591
592 rc = security_sid_to_context(isec->sid, &context, &len);
593 if (rc)
594 goto out_free;
595 opts->mnt_opts[i] = context;
596 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
597 }
598 if (sbsec->flags & SBLABEL_MNT) {
599 opts->mnt_opts[i] = NULL;
600 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
601 }
602
603 BUG_ON(i != opts->num_mnt_opts);
604
605 return 0;
606
607 out_free:
608 security_free_mnt_opts(opts);
609 return rc;
610 }
611
612 static int bad_option(struct superblock_security_struct *sbsec, char flag,
613 u32 old_sid, u32 new_sid)
614 {
615 char mnt_flags = sbsec->flags & SE_MNTMASK;
616
617 /* check if the old mount command had the same options */
618 if (sbsec->flags & SE_SBINITIALIZED)
619 if (!(sbsec->flags & flag) ||
620 (old_sid != new_sid))
621 return 1;
622
623 /* check if we were passed the same options twice,
624 * aka someone passed context=a,context=b
625 */
626 if (!(sbsec->flags & SE_SBINITIALIZED))
627 if (mnt_flags & flag)
628 return 1;
629 return 0;
630 }
631
632 /*
633 * Allow filesystems with binary mount data to explicitly set mount point
634 * labeling information.
635 */
636 static int selinux_set_mnt_opts(struct super_block *sb,
637 struct security_mnt_opts *opts,
638 unsigned long kern_flags,
639 unsigned long *set_kern_flags)
640 {
641 const struct cred *cred = current_cred();
642 int rc = 0, i;
643 struct superblock_security_struct *sbsec = selinux_superblock(sb);
644 const char *name = sb->s_type->name;
645 struct dentry *root = sbsec->sb->s_root;
646 struct inode_security_struct *root_isec;
647 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
648 u32 defcontext_sid = 0;
649 char **mount_options = opts->mnt_opts;
650 int *flags = opts->mnt_opts_flags;
651 int num_opts = opts->num_mnt_opts;
652
653 mutex_lock(&sbsec->lock);
654
655 if (!ss_initialized) {
656 if (!num_opts) {
657 /* Defer initialization until selinux_complete_init,
658 after the initial policy is loaded and the security
659 server is ready to handle calls. */
660 goto out;
661 }
662 rc = -EINVAL;
663 printk(KERN_WARNING "SELinux: Unable to set superblock options "
664 "before the security server is initialized\n");
665 goto out;
666 }
667 if (kern_flags && !set_kern_flags) {
668 /* Specifying internal flags without providing a place to
669 * place the results is not allowed */
670 rc = -EINVAL;
671 goto out;
672 }
673
674 /*
675 * Binary mount data FS will come through this function twice. Once
676 * from an explicit call and once from the generic calls from the vfs.
677 * Since the generic VFS calls will not contain any security mount data
678 * we need to skip the double mount verification.
679 *
680 * This does open a hole in which we will not notice if the first
681 * mount using this sb set explict options and a second mount using
682 * this sb does not set any security options. (The first options
683 * will be used for both mounts)
684 */
685 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
686 && (num_opts == 0))
687 goto out;
688
689 root_isec = backing_inode_security_novalidate(root);
690
691 /*
692 * parse the mount options, check if they are valid sids.
693 * also check if someone is trying to mount the same sb more
694 * than once with different security options.
695 */
696 for (i = 0; i < num_opts; i++) {
697 u32 sid;
698
699 if (flags[i] == SBLABEL_MNT)
700 continue;
701 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
702 if (rc) {
703 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
704 "(%s) failed for (dev %s, type %s) errno=%d\n",
705 mount_options[i], sb->s_id, name, rc);
706 goto out;
707 }
708 switch (flags[i]) {
709 case FSCONTEXT_MNT:
710 fscontext_sid = sid;
711
712 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
713 fscontext_sid))
714 goto out_double_mount;
715
716 sbsec->flags |= FSCONTEXT_MNT;
717 break;
718 case CONTEXT_MNT:
719 context_sid = sid;
720
721 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
722 context_sid))
723 goto out_double_mount;
724
725 sbsec->flags |= CONTEXT_MNT;
726 break;
727 case ROOTCONTEXT_MNT:
728 rootcontext_sid = sid;
729
730 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
731 rootcontext_sid))
732 goto out_double_mount;
733
734 sbsec->flags |= ROOTCONTEXT_MNT;
735
736 break;
737 case DEFCONTEXT_MNT:
738 defcontext_sid = sid;
739
740 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
741 defcontext_sid))
742 goto out_double_mount;
743
744 sbsec->flags |= DEFCONTEXT_MNT;
745
746 break;
747 default:
748 rc = -EINVAL;
749 goto out;
750 }
751 }
752
753 if (sbsec->flags & SE_SBINITIALIZED) {
754 /* previously mounted with options, but not on this attempt? */
755 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
756 goto out_double_mount;
757 rc = 0;
758 goto out;
759 }
760
761 if (strcmp(sb->s_type->name, "proc") == 0)
762 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
763
764 if (!strcmp(sb->s_type->name, "debugfs") ||
765 !strcmp(sb->s_type->name, "tracefs") ||
766 !strcmp(sb->s_type->name, "sysfs") ||
767 !strcmp(sb->s_type->name, "pstore") ||
768 !strcmp(sb->s_type->name, "cgroup") ||
769 !strcmp(sb->s_type->name, "cgroup2"))
770 sbsec->flags |= SE_SBGENFS;
771
772 if (!sbsec->behavior) {
773 /*
774 * Determine the labeling behavior to use for this
775 * filesystem type.
776 */
777 rc = security_fs_use(sb);
778 if (rc) {
779 printk(KERN_WARNING
780 "%s: security_fs_use(%s) returned %d\n",
781 __func__, sb->s_type->name, rc);
782 goto out;
783 }
784 }
785
786 /*
787 * If this is a user namespace mount and the filesystem type is not
788 * explicitly whitelisted, then no contexts are allowed on the command
789 * line and security labels must be ignored.
790 */
791 if (sb->s_user_ns != &init_user_ns &&
792 strcmp(sb->s_type->name, "tmpfs") &&
793 strcmp(sb->s_type->name, "ramfs") &&
794 strcmp(sb->s_type->name, "devpts")) {
795 if (context_sid || fscontext_sid || rootcontext_sid ||
796 defcontext_sid) {
797 rc = -EACCES;
798 goto out;
799 }
800 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
801 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
802 rc = security_transition_sid(current_sid(), current_sid(),
803 SECCLASS_FILE, NULL,
804 &sbsec->mntpoint_sid);
805 if (rc)
806 goto out;
807 }
808 goto out_set_opts;
809 }
810
811 /* sets the context of the superblock for the fs being mounted. */
812 if (fscontext_sid) {
813 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
814 if (rc)
815 goto out;
816
817 sbsec->sid = fscontext_sid;
818 }
819
820 /*
821 * Switch to using mount point labeling behavior.
822 * sets the label used on all file below the mountpoint, and will set
823 * the superblock context if not already set.
824 */
825 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
826 sbsec->behavior = SECURITY_FS_USE_NATIVE;
827 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
828 }
829
830 if (context_sid) {
831 if (!fscontext_sid) {
832 rc = may_context_mount_sb_relabel(context_sid, sbsec,
833 cred);
834 if (rc)
835 goto out;
836 sbsec->sid = context_sid;
837 } else {
838 rc = may_context_mount_inode_relabel(context_sid, sbsec,
839 cred);
840 if (rc)
841 goto out;
842 }
843 if (!rootcontext_sid)
844 rootcontext_sid = context_sid;
845
846 sbsec->mntpoint_sid = context_sid;
847 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
848 }
849
850 if (rootcontext_sid) {
851 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
852 cred);
853 if (rc)
854 goto out;
855
856 root_isec->sid = rootcontext_sid;
857 root_isec->initialized = LABEL_INITIALIZED;
858 }
859
860 if (defcontext_sid) {
861 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
862 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
863 rc = -EINVAL;
864 printk(KERN_WARNING "SELinux: defcontext option is "
865 "invalid for this filesystem type\n");
866 goto out;
867 }
868
869 if (defcontext_sid != sbsec->def_sid) {
870 rc = may_context_mount_inode_relabel(defcontext_sid,
871 sbsec, cred);
872 if (rc)
873 goto out;
874 }
875
876 sbsec->def_sid = defcontext_sid;
877 }
878
879 out_set_opts:
880 rc = sb_finish_set_opts(sb);
881 out:
882 mutex_unlock(&sbsec->lock);
883 return rc;
884 out_double_mount:
885 rc = -EINVAL;
886 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
887 "security settings for (dev %s, type %s)\n", sb->s_id, name);
888 goto out;
889 }
890
891 static int selinux_cmp_sb_context(const struct super_block *oldsb,
892 const struct super_block *newsb)
893 {
894 struct superblock_security_struct *old = selinux_superblock(oldsb);
895 struct superblock_security_struct *new = selinux_superblock(newsb);
896 char oldflags = old->flags & SE_MNTMASK;
897 char newflags = new->flags & SE_MNTMASK;
898
899 if (oldflags != newflags)
900 goto mismatch;
901 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
902 goto mismatch;
903 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
904 goto mismatch;
905 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
906 goto mismatch;
907 if (oldflags & ROOTCONTEXT_MNT) {
908 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
909 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
910 if (oldroot->sid != newroot->sid)
911 goto mismatch;
912 }
913 return 0;
914 mismatch:
915 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
916 "different security settings for (dev %s, "
917 "type %s)\n", newsb->s_id, newsb->s_type->name);
918 return -EBUSY;
919 }
920
921 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
922 struct super_block *newsb,
923 unsigned long kern_flags,
924 unsigned long *set_kern_flags)
925 {
926 int rc = 0;
927 const struct superblock_security_struct *oldsbsec =
928 selinux_superblock(oldsb);
929 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
930
931 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
932 int set_context = (oldsbsec->flags & CONTEXT_MNT);
933 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
934
935 /*
936 * if the parent was able to be mounted it clearly had no special lsm
937 * mount options. thus we can safely deal with this superblock later
938 */
939 if (!ss_initialized)
940 return 0;
941
942 /*
943 * Specifying internal flags without providing a place to
944 * place the results is not allowed.
945 */
946 if (kern_flags && !set_kern_flags)
947 return -EINVAL;
948
949 /* how can we clone if the old one wasn't set up?? */
950 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
951
952 /* if fs is reusing a sb, make sure that the contexts match */
953 if (newsbsec->flags & SE_SBINITIALIZED) {
954 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
955 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
956 return selinux_cmp_sb_context(oldsb, newsb);
957 }
958
959 mutex_lock(&newsbsec->lock);
960
961 newsbsec->flags = oldsbsec->flags;
962
963 newsbsec->sid = oldsbsec->sid;
964 newsbsec->def_sid = oldsbsec->def_sid;
965 newsbsec->behavior = oldsbsec->behavior;
966
967 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
968 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
969 rc = security_fs_use(newsb);
970 if (rc)
971 goto out;
972 }
973
974 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
975 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
976 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
977 }
978
979 if (set_context) {
980 u32 sid = oldsbsec->mntpoint_sid;
981
982 if (!set_fscontext)
983 newsbsec->sid = sid;
984 if (!set_rootcontext) {
985 struct inode_security_struct *newisec =
986 backing_inode_security(newsb->s_root);
987 newisec->sid = sid;
988 }
989 newsbsec->mntpoint_sid = sid;
990 }
991 if (set_rootcontext) {
992 const struct inode_security_struct *oldisec =
993 backing_inode_security(oldsb->s_root);
994 struct inode_security_struct *newisec =
995 backing_inode_security(newsb->s_root);
996
997 newisec->sid = oldisec->sid;
998 }
999
1000 sb_finish_set_opts(newsb);
1001 out:
1002 mutex_unlock(&newsbsec->lock);
1003 return rc;
1004 }
1005
1006 static int selinux_parse_opts_str(char *options,
1007 struct security_mnt_opts *opts)
1008 {
1009 char *p;
1010 char *context = NULL, *defcontext = NULL;
1011 char *fscontext = NULL, *rootcontext = NULL;
1012 int rc, num_mnt_opts = 0;
1013
1014 opts->num_mnt_opts = 0;
1015
1016 /* Standard string-based options. */
1017 while ((p = strsep(&options, "|")) != NULL) {
1018 int token;
1019 substring_t args[MAX_OPT_ARGS];
1020
1021 if (!*p)
1022 continue;
1023
1024 token = match_token(p, tokens, args);
1025
1026 switch (token) {
1027 case Opt_context:
1028 if (context || defcontext) {
1029 rc = -EINVAL;
1030 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1031 goto out_err;
1032 }
1033 context = match_strdup(&args[0]);
1034 if (!context) {
1035 rc = -ENOMEM;
1036 goto out_err;
1037 }
1038 break;
1039
1040 case Opt_fscontext:
1041 if (fscontext) {
1042 rc = -EINVAL;
1043 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1044 goto out_err;
1045 }
1046 fscontext = match_strdup(&args[0]);
1047 if (!fscontext) {
1048 rc = -ENOMEM;
1049 goto out_err;
1050 }
1051 break;
1052
1053 case Opt_rootcontext:
1054 if (rootcontext) {
1055 rc = -EINVAL;
1056 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1057 goto out_err;
1058 }
1059 rootcontext = match_strdup(&args[0]);
1060 if (!rootcontext) {
1061 rc = -ENOMEM;
1062 goto out_err;
1063 }
1064 break;
1065
1066 case Opt_defcontext:
1067 if (context || defcontext) {
1068 rc = -EINVAL;
1069 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1070 goto out_err;
1071 }
1072 defcontext = match_strdup(&args[0]);
1073 if (!defcontext) {
1074 rc = -ENOMEM;
1075 goto out_err;
1076 }
1077 break;
1078 case Opt_labelsupport:
1079 break;
1080 default:
1081 rc = -EINVAL;
1082 printk(KERN_WARNING "SELinux: unknown mount option\n");
1083 goto out_err;
1084
1085 }
1086 }
1087
1088 rc = -ENOMEM;
1089 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1090 if (!opts->mnt_opts)
1091 goto out_err;
1092
1093 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1094 GFP_KERNEL);
1095 if (!opts->mnt_opts_flags)
1096 goto out_err;
1097
1098 if (fscontext) {
1099 opts->mnt_opts[num_mnt_opts] = fscontext;
1100 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1101 }
1102 if (context) {
1103 opts->mnt_opts[num_mnt_opts] = context;
1104 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1105 }
1106 if (rootcontext) {
1107 opts->mnt_opts[num_mnt_opts] = rootcontext;
1108 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1109 }
1110 if (defcontext) {
1111 opts->mnt_opts[num_mnt_opts] = defcontext;
1112 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1113 }
1114
1115 opts->num_mnt_opts = num_mnt_opts;
1116 return 0;
1117
1118 out_err:
1119 security_free_mnt_opts(opts);
1120 kfree(context);
1121 kfree(defcontext);
1122 kfree(fscontext);
1123 kfree(rootcontext);
1124 return rc;
1125 }
1126 /*
1127 * string mount options parsing and call set the sbsec
1128 */
1129 static int superblock_doinit(struct super_block *sb, void *data)
1130 {
1131 int rc = 0;
1132 char *options = data;
1133 struct security_mnt_opts opts;
1134
1135 security_init_mnt_opts(&opts);
1136
1137 if (!data)
1138 goto out;
1139
1140 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1141
1142 rc = selinux_parse_opts_str(options, &opts);
1143 if (rc)
1144 goto out_err;
1145
1146 out:
1147 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1148
1149 out_err:
1150 security_free_mnt_opts(&opts);
1151 return rc;
1152 }
1153
1154 static void selinux_write_opts(struct seq_file *m,
1155 struct security_mnt_opts *opts)
1156 {
1157 int i;
1158 char *prefix;
1159
1160 for (i = 0; i < opts->num_mnt_opts; i++) {
1161 char *has_comma;
1162
1163 if (opts->mnt_opts[i])
1164 has_comma = strchr(opts->mnt_opts[i], ',');
1165 else
1166 has_comma = NULL;
1167
1168 switch (opts->mnt_opts_flags[i]) {
1169 case CONTEXT_MNT:
1170 prefix = CONTEXT_STR;
1171 break;
1172 case FSCONTEXT_MNT:
1173 prefix = FSCONTEXT_STR;
1174 break;
1175 case ROOTCONTEXT_MNT:
1176 prefix = ROOTCONTEXT_STR;
1177 break;
1178 case DEFCONTEXT_MNT:
1179 prefix = DEFCONTEXT_STR;
1180 break;
1181 case SBLABEL_MNT:
1182 seq_putc(m, ',');
1183 seq_puts(m, LABELSUPP_STR);
1184 continue;
1185 default:
1186 BUG();
1187 return;
1188 };
1189 /* we need a comma before each option */
1190 seq_putc(m, ',');
1191 seq_puts(m, prefix);
1192 if (has_comma)
1193 seq_putc(m, '\"');
1194 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1195 if (has_comma)
1196 seq_putc(m, '\"');
1197 }
1198 }
1199
1200 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1201 {
1202 struct security_mnt_opts opts;
1203 int rc;
1204
1205 rc = selinux_get_mnt_opts(sb, &opts);
1206 if (rc) {
1207 /* before policy load we may get EINVAL, don't show anything */
1208 if (rc == -EINVAL)
1209 rc = 0;
1210 return rc;
1211 }
1212
1213 selinux_write_opts(m, &opts);
1214
1215 security_free_mnt_opts(&opts);
1216
1217 return rc;
1218 }
1219
1220 static inline u16 inode_mode_to_security_class(umode_t mode)
1221 {
1222 switch (mode & S_IFMT) {
1223 case S_IFSOCK:
1224 return SECCLASS_SOCK_FILE;
1225 case S_IFLNK:
1226 return SECCLASS_LNK_FILE;
1227 case S_IFREG:
1228 return SECCLASS_FILE;
1229 case S_IFBLK:
1230 return SECCLASS_BLK_FILE;
1231 case S_IFDIR:
1232 return SECCLASS_DIR;
1233 case S_IFCHR:
1234 return SECCLASS_CHR_FILE;
1235 case S_IFIFO:
1236 return SECCLASS_FIFO_FILE;
1237
1238 }
1239
1240 return SECCLASS_FILE;
1241 }
1242
1243 static inline int default_protocol_stream(int protocol)
1244 {
1245 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1246 }
1247
1248 static inline int default_protocol_dgram(int protocol)
1249 {
1250 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1251 }
1252
1253 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1254 {
1255 int extsockclass = selinux_policycap_extsockclass;
1256
1257 switch (family) {
1258 case PF_UNIX:
1259 switch (type) {
1260 case SOCK_STREAM:
1261 case SOCK_SEQPACKET:
1262 return SECCLASS_UNIX_STREAM_SOCKET;
1263 case SOCK_DGRAM:
1264 case SOCK_RAW:
1265 return SECCLASS_UNIX_DGRAM_SOCKET;
1266 }
1267 break;
1268 case PF_INET:
1269 case PF_INET6:
1270 switch (type) {
1271 case SOCK_STREAM:
1272 case SOCK_SEQPACKET:
1273 if (default_protocol_stream(protocol))
1274 return SECCLASS_TCP_SOCKET;
1275 else if (extsockclass && protocol == IPPROTO_SCTP)
1276 return SECCLASS_SCTP_SOCKET;
1277 else
1278 return SECCLASS_RAWIP_SOCKET;
1279 case SOCK_DGRAM:
1280 if (default_protocol_dgram(protocol))
1281 return SECCLASS_UDP_SOCKET;
1282 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1283 protocol == IPPROTO_ICMPV6))
1284 return SECCLASS_ICMP_SOCKET;
1285 else
1286 return SECCLASS_RAWIP_SOCKET;
1287 case SOCK_DCCP:
1288 return SECCLASS_DCCP_SOCKET;
1289 default:
1290 return SECCLASS_RAWIP_SOCKET;
1291 }
1292 break;
1293 case PF_NETLINK:
1294 switch (protocol) {
1295 case NETLINK_ROUTE:
1296 return SECCLASS_NETLINK_ROUTE_SOCKET;
1297 case NETLINK_SOCK_DIAG:
1298 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1299 case NETLINK_NFLOG:
1300 return SECCLASS_NETLINK_NFLOG_SOCKET;
1301 case NETLINK_XFRM:
1302 return SECCLASS_NETLINK_XFRM_SOCKET;
1303 case NETLINK_SELINUX:
1304 return SECCLASS_NETLINK_SELINUX_SOCKET;
1305 case NETLINK_ISCSI:
1306 return SECCLASS_NETLINK_ISCSI_SOCKET;
1307 case NETLINK_AUDIT:
1308 return SECCLASS_NETLINK_AUDIT_SOCKET;
1309 case NETLINK_FIB_LOOKUP:
1310 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1311 case NETLINK_CONNECTOR:
1312 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1313 case NETLINK_NETFILTER:
1314 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1315 case NETLINK_DNRTMSG:
1316 return SECCLASS_NETLINK_DNRT_SOCKET;
1317 case NETLINK_KOBJECT_UEVENT:
1318 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1319 case NETLINK_GENERIC:
1320 return SECCLASS_NETLINK_GENERIC_SOCKET;
1321 case NETLINK_SCSITRANSPORT:
1322 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1323 case NETLINK_RDMA:
1324 return SECCLASS_NETLINK_RDMA_SOCKET;
1325 case NETLINK_CRYPTO:
1326 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1327 default:
1328 return SECCLASS_NETLINK_SOCKET;
1329 }
1330 case PF_PACKET:
1331 return SECCLASS_PACKET_SOCKET;
1332 case PF_KEY:
1333 return SECCLASS_KEY_SOCKET;
1334 case PF_APPLETALK:
1335 return SECCLASS_APPLETALK_SOCKET;
1336 }
1337
1338 if (extsockclass) {
1339 switch (family) {
1340 case PF_AX25:
1341 return SECCLASS_AX25_SOCKET;
1342 case PF_IPX:
1343 return SECCLASS_IPX_SOCKET;
1344 case PF_NETROM:
1345 return SECCLASS_NETROM_SOCKET;
1346 case PF_ATMPVC:
1347 return SECCLASS_ATMPVC_SOCKET;
1348 case PF_X25:
1349 return SECCLASS_X25_SOCKET;
1350 case PF_ROSE:
1351 return SECCLASS_ROSE_SOCKET;
1352 case PF_DECnet:
1353 return SECCLASS_DECNET_SOCKET;
1354 case PF_ATMSVC:
1355 return SECCLASS_ATMSVC_SOCKET;
1356 case PF_RDS:
1357 return SECCLASS_RDS_SOCKET;
1358 case PF_IRDA:
1359 return SECCLASS_IRDA_SOCKET;
1360 case PF_PPPOX:
1361 return SECCLASS_PPPOX_SOCKET;
1362 case PF_LLC:
1363 return SECCLASS_LLC_SOCKET;
1364 case PF_CAN:
1365 return SECCLASS_CAN_SOCKET;
1366 case PF_TIPC:
1367 return SECCLASS_TIPC_SOCKET;
1368 case PF_BLUETOOTH:
1369 return SECCLASS_BLUETOOTH_SOCKET;
1370 case PF_IUCV:
1371 return SECCLASS_IUCV_SOCKET;
1372 case PF_RXRPC:
1373 return SECCLASS_RXRPC_SOCKET;
1374 case PF_ISDN:
1375 return SECCLASS_ISDN_SOCKET;
1376 case PF_PHONET:
1377 return SECCLASS_PHONET_SOCKET;
1378 case PF_IEEE802154:
1379 return SECCLASS_IEEE802154_SOCKET;
1380 case PF_CAIF:
1381 return SECCLASS_CAIF_SOCKET;
1382 case PF_ALG:
1383 return SECCLASS_ALG_SOCKET;
1384 case PF_NFC:
1385 return SECCLASS_NFC_SOCKET;
1386 case PF_VSOCK:
1387 return SECCLASS_VSOCK_SOCKET;
1388 case PF_KCM:
1389 return SECCLASS_KCM_SOCKET;
1390 case PF_QIPCRTR:
1391 return SECCLASS_QIPCRTR_SOCKET;
1392 case PF_SMC:
1393 return SECCLASS_SMC_SOCKET;
1394 #if PF_MAX > 44
1395 #error New address family defined, please update this function.
1396 #endif
1397 }
1398 }
1399
1400 return SECCLASS_SOCKET;
1401 }
1402
1403 static int selinux_genfs_get_sid(struct dentry *dentry,
1404 u16 tclass,
1405 u16 flags,
1406 u32 *sid)
1407 {
1408 int rc;
1409 struct super_block *sb = dentry->d_sb;
1410 char *buffer, *path;
1411
1412 buffer = (char *)__get_free_page(GFP_KERNEL);
1413 if (!buffer)
1414 return -ENOMEM;
1415
1416 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1417 if (IS_ERR(path))
1418 rc = PTR_ERR(path);
1419 else {
1420 if (flags & SE_SBPROC) {
1421 /* each process gets a /proc/PID/ entry. Strip off the
1422 * PID part to get a valid selinux labeling.
1423 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1424 while (path[1] >= '0' && path[1] <= '9') {
1425 path[1] = '/';
1426 path++;
1427 }
1428 }
1429 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1430 if (rc == -ENOENT) {
1431 /* No match in policy, mark as unlabeled. */
1432 *sid = SECINITSID_UNLABELED;
1433 rc = 0;
1434 }
1435 }
1436 free_page((unsigned long)buffer);
1437 return rc;
1438 }
1439
1440 /* The inode's security attributes must be initialized before first use. */
1441 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1442 {
1443 struct superblock_security_struct *sbsec = NULL;
1444 struct inode_security_struct *isec = selinux_inode(inode);
1445 u32 task_sid, sid = 0;
1446 u16 sclass;
1447 struct dentry *dentry;
1448 #define INITCONTEXTLEN 255
1449 char *context = NULL;
1450 unsigned len = 0;
1451 int rc = 0;
1452
1453 if (isec->initialized == LABEL_INITIALIZED)
1454 return 0;
1455
1456 spin_lock(&isec->lock);
1457 if (isec->initialized == LABEL_INITIALIZED)
1458 goto out_unlock;
1459
1460 if (isec->sclass == SECCLASS_FILE)
1461 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1462
1463 sbsec = selinux_superblock(inode->i_sb);
1464 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1465 /* Defer initialization until selinux_complete_init,
1466 after the initial policy is loaded and the security
1467 server is ready to handle calls. */
1468 spin_lock(&sbsec->isec_lock);
1469 if (list_empty(&isec->list))
1470 list_add(&isec->list, &sbsec->isec_head);
1471 spin_unlock(&sbsec->isec_lock);
1472 goto out_unlock;
1473 }
1474
1475 sclass = isec->sclass;
1476 task_sid = isec->task_sid;
1477 sid = isec->sid;
1478 isec->initialized = LABEL_PENDING;
1479 spin_unlock(&isec->lock);
1480
1481 switch (sbsec->behavior) {
1482 case SECURITY_FS_USE_NATIVE:
1483 break;
1484 case SECURITY_FS_USE_XATTR:
1485 if (!(inode->i_opflags & IOP_XATTR)) {
1486 sid = sbsec->def_sid;
1487 break;
1488 }
1489 /* Need a dentry, since the xattr API requires one.
1490 Life would be simpler if we could just pass the inode. */
1491 if (opt_dentry) {
1492 /* Called from d_instantiate or d_splice_alias. */
1493 dentry = dget(opt_dentry);
1494 } else {
1495 /*
1496 * Called from selinux_complete_init, try to find a dentry.
1497 * Some filesystems really want a connected one, so try
1498 * that first. We could split SECURITY_FS_USE_XATTR in
1499 * two, depending upon that...
1500 */
1501 dentry = d_find_alias(inode);
1502 if (!dentry)
1503 dentry = d_find_any_alias(inode);
1504 }
1505 if (!dentry) {
1506 /*
1507 * this is can be hit on boot when a file is accessed
1508 * before the policy is loaded. When we load policy we
1509 * may find inodes that have no dentry on the
1510 * sbsec->isec_head list. No reason to complain as these
1511 * will get fixed up the next time we go through
1512 * inode_doinit with a dentry, before these inodes could
1513 * be used again by userspace.
1514 */
1515 goto out;
1516 }
1517
1518 len = INITCONTEXTLEN;
1519 context = kmalloc(len+1, GFP_NOFS);
1520 if (!context) {
1521 rc = -ENOMEM;
1522 dput(dentry);
1523 goto out;
1524 }
1525 context[len] = '\0';
1526 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1527 if (rc == -ERANGE) {
1528 kfree(context);
1529
1530 /* Need a larger buffer. Query for the right size. */
1531 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1532 if (rc < 0) {
1533 dput(dentry);
1534 goto out;
1535 }
1536 len = rc;
1537 context = kmalloc(len+1, GFP_NOFS);
1538 if (!context) {
1539 rc = -ENOMEM;
1540 dput(dentry);
1541 goto out;
1542 }
1543 context[len] = '\0';
1544 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1545 }
1546 dput(dentry);
1547 if (rc < 0) {
1548 if (rc != -ENODATA) {
1549 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1550 "%d for dev=%s ino=%ld\n", __func__,
1551 -rc, inode->i_sb->s_id, inode->i_ino);
1552 kfree(context);
1553 goto out;
1554 }
1555 /* Map ENODATA to the default file SID */
1556 sid = sbsec->def_sid;
1557 rc = 0;
1558 } else {
1559 rc = security_context_to_sid_default(context, rc, &sid,
1560 sbsec->def_sid,
1561 GFP_NOFS);
1562 if (rc) {
1563 char *dev = inode->i_sb->s_id;
1564 unsigned long ino = inode->i_ino;
1565
1566 if (rc == -EINVAL) {
1567 if (printk_ratelimit())
1568 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1569 "context=%s. This indicates you may need to relabel the inode or the "
1570 "filesystem in question.\n", ino, dev, context);
1571 } else {
1572 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1573 "returned %d for dev=%s ino=%ld\n",
1574 __func__, context, -rc, dev, ino);
1575 }
1576 kfree(context);
1577 /* Leave with the unlabeled SID */
1578 rc = 0;
1579 break;
1580 }
1581 }
1582 kfree(context);
1583 break;
1584 case SECURITY_FS_USE_TASK:
1585 sid = task_sid;
1586 break;
1587 case SECURITY_FS_USE_TRANS:
1588 /* Default to the fs SID. */
1589 sid = sbsec->sid;
1590
1591 /* Try to obtain a transition SID. */
1592 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1593 if (rc)
1594 goto out;
1595 break;
1596 case SECURITY_FS_USE_MNTPOINT:
1597 sid = sbsec->mntpoint_sid;
1598 break;
1599 default:
1600 /* Default to the fs superblock SID. */
1601 sid = sbsec->sid;
1602
1603 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1604 /* We must have a dentry to determine the label on
1605 * procfs inodes */
1606 if (opt_dentry) {
1607 /* Called from d_instantiate or
1608 * d_splice_alias. */
1609 dentry = dget(opt_dentry);
1610 } else {
1611 /* Called from selinux_complete_init, try to
1612 * find a dentry. Some filesystems really want
1613 * a connected one, so try that first.
1614 */
1615 dentry = d_find_alias(inode);
1616 if (!dentry)
1617 dentry = d_find_any_alias(inode);
1618 }
1619 /*
1620 * This can be hit on boot when a file is accessed
1621 * before the policy is loaded. When we load policy we
1622 * may find inodes that have no dentry on the
1623 * sbsec->isec_head list. No reason to complain as
1624 * these will get fixed up the next time we go through
1625 * inode_doinit() with a dentry, before these inodes
1626 * could be used again by userspace.
1627 */
1628 if (!dentry)
1629 goto out;
1630 rc = selinux_genfs_get_sid(dentry, sclass,
1631 sbsec->flags, &sid);
1632 dput(dentry);
1633 if (rc)
1634 goto out;
1635 }
1636 break;
1637 }
1638
1639 out:
1640 spin_lock(&isec->lock);
1641 if (isec->initialized == LABEL_PENDING) {
1642 if (!sid || rc) {
1643 isec->initialized = LABEL_INVALID;
1644 goto out_unlock;
1645 }
1646
1647 isec->initialized = LABEL_INITIALIZED;
1648 isec->sid = sid;
1649 }
1650
1651 out_unlock:
1652 spin_unlock(&isec->lock);
1653 return rc;
1654 }
1655
1656 /* Convert a Linux signal to an access vector. */
1657 static inline u32 signal_to_av(int sig)
1658 {
1659 u32 perm = 0;
1660
1661 switch (sig) {
1662 case SIGCHLD:
1663 /* Commonly granted from child to parent. */
1664 perm = PROCESS__SIGCHLD;
1665 break;
1666 case SIGKILL:
1667 /* Cannot be caught or ignored */
1668 perm = PROCESS__SIGKILL;
1669 break;
1670 case SIGSTOP:
1671 /* Cannot be caught or ignored */
1672 perm = PROCESS__SIGSTOP;
1673 break;
1674 default:
1675 /* All other signals. */
1676 perm = PROCESS__SIGNAL;
1677 break;
1678 }
1679
1680 return perm;
1681 }
1682
1683 #if CAP_LAST_CAP > 63
1684 #error Fix SELinux to handle capabilities > 63.
1685 #endif
1686
1687 /* Check whether a task is allowed to use a capability. */
1688 static int cred_has_capability(const struct cred *cred,
1689 int cap, int audit, bool initns)
1690 {
1691 struct common_audit_data ad;
1692 struct av_decision avd;
1693 u16 sclass;
1694 u32 sid = cred_sid(cred);
1695 u32 av = CAP_TO_MASK(cap);
1696 int rc;
1697
1698 ad.type = LSM_AUDIT_DATA_CAP;
1699 ad.u.cap = cap;
1700
1701 switch (CAP_TO_INDEX(cap)) {
1702 case 0:
1703 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1704 break;
1705 case 1:
1706 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1707 break;
1708 default:
1709 printk(KERN_ERR
1710 "SELinux: out of range capability %d\n", cap);
1711 BUG();
1712 return -EINVAL;
1713 }
1714
1715 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1716 if (audit == SECURITY_CAP_AUDIT) {
1717 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1718 if (rc2)
1719 return rc2;
1720 }
1721 return rc;
1722 }
1723
1724 /* Check whether a task has a particular permission to an inode.
1725 The 'adp' parameter is optional and allows other audit
1726 data to be passed (e.g. the dentry). */
1727 static int inode_has_perm(const struct cred *cred,
1728 struct inode *inode,
1729 u32 perms,
1730 struct common_audit_data *adp)
1731 {
1732 struct inode_security_struct *isec;
1733 u32 sid;
1734
1735 validate_creds(cred);
1736
1737 if (unlikely(IS_PRIVATE(inode)))
1738 return 0;
1739
1740 sid = cred_sid(cred);
1741 isec = selinux_inode(inode);
1742
1743 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1744 }
1745
1746 /* Same as inode_has_perm, but pass explicit audit data containing
1747 the dentry to help the auditing code to more easily generate the
1748 pathname if needed. */
1749 static inline int dentry_has_perm(const struct cred *cred,
1750 struct dentry *dentry,
1751 u32 av)
1752 {
1753 struct inode *inode = d_backing_inode(dentry);
1754 struct common_audit_data ad;
1755
1756 ad.type = LSM_AUDIT_DATA_DENTRY;
1757 ad.u.dentry = dentry;
1758 __inode_security_revalidate(inode, dentry, true);
1759 return inode_has_perm(cred, inode, av, &ad);
1760 }
1761
1762 /* Same as inode_has_perm, but pass explicit audit data containing
1763 the path to help the auditing code to more easily generate the
1764 pathname if needed. */
1765 static inline int path_has_perm(const struct cred *cred,
1766 const struct path *path,
1767 u32 av)
1768 {
1769 struct inode *inode = d_backing_inode(path->dentry);
1770 struct common_audit_data ad;
1771
1772 ad.type = LSM_AUDIT_DATA_PATH;
1773 ad.u.path = *path;
1774 __inode_security_revalidate(inode, path->dentry, true);
1775 return inode_has_perm(cred, inode, av, &ad);
1776 }
1777
1778 /* Same as path_has_perm, but uses the inode from the file struct. */
1779 static inline int file_path_has_perm(const struct cred *cred,
1780 struct file *file,
1781 u32 av)
1782 {
1783 struct common_audit_data ad;
1784
1785 ad.type = LSM_AUDIT_DATA_FILE;
1786 ad.u.file = file;
1787 return inode_has_perm(cred, file_inode(file), av, &ad);
1788 }
1789
1790 #ifdef CONFIG_BPF_SYSCALL
1791 static int bpf_fd_pass(struct file *file, u32 sid);
1792 #endif
1793
1794 /* Check whether a task can use an open file descriptor to
1795 access an inode in a given way. Check access to the
1796 descriptor itself, and then use dentry_has_perm to
1797 check a particular permission to the file.
1798 Access to the descriptor is implicitly granted if it
1799 has the same SID as the process. If av is zero, then
1800 access to the file is not checked, e.g. for cases
1801 where only the descriptor is affected like seek. */
1802 static int file_has_perm(const struct cred *cred,
1803 struct file *file,
1804 u32 av)
1805 {
1806 struct file_security_struct *fsec = selinux_file(file);
1807 struct inode *inode = file_inode(file);
1808 struct common_audit_data ad;
1809 u32 sid = cred_sid(cred);
1810 int rc;
1811
1812 ad.type = LSM_AUDIT_DATA_FILE;
1813 ad.u.file = file;
1814
1815 if (sid != fsec->sid) {
1816 rc = avc_has_perm(sid, fsec->sid,
1817 SECCLASS_FD,
1818 FD__USE,
1819 &ad);
1820 if (rc)
1821 goto out;
1822 }
1823
1824 #ifdef CONFIG_BPF_SYSCALL
1825 rc = bpf_fd_pass(file, cred_sid(cred));
1826 if (rc)
1827 return rc;
1828 #endif
1829
1830 /* av is zero if only checking access to the descriptor. */
1831 rc = 0;
1832 if (av)
1833 rc = inode_has_perm(cred, inode, av, &ad);
1834
1835 out:
1836 return rc;
1837 }
1838
1839 /*
1840 * Determine the label for an inode that might be unioned.
1841 */
1842 static int
1843 selinux_determine_inode_label(const struct task_security_struct *tsec,
1844 struct inode *dir,
1845 const struct qstr *name, u16 tclass,
1846 u32 *_new_isid)
1847 {
1848 const struct superblock_security_struct *sbsec =
1849 selinux_superblock(dir->i_sb);
1850
1851 if ((sbsec->flags & SE_SBINITIALIZED) &&
1852 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1853 *_new_isid = sbsec->mntpoint_sid;
1854 } else if ((sbsec->flags & SBLABEL_MNT) &&
1855 tsec->create_sid) {
1856 *_new_isid = tsec->create_sid;
1857 } else {
1858 const struct inode_security_struct *dsec = inode_security(dir);
1859 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1860 name, _new_isid);
1861 }
1862
1863 return 0;
1864 }
1865
1866 /* Check whether a task can create a file. */
1867 static int may_create(struct inode *dir,
1868 struct dentry *dentry,
1869 u16 tclass)
1870 {
1871 const struct task_security_struct *tsec = selinux_cred(current_cred());
1872 struct inode_security_struct *dsec;
1873 struct superblock_security_struct *sbsec;
1874 u32 sid, newsid;
1875 struct common_audit_data ad;
1876 int rc;
1877
1878 dsec = inode_security(dir);
1879 sbsec = selinux_superblock(dir->i_sb);
1880
1881 sid = tsec->sid;
1882
1883 ad.type = LSM_AUDIT_DATA_DENTRY;
1884 ad.u.dentry = dentry;
1885
1886 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1887 DIR__ADD_NAME | DIR__SEARCH,
1888 &ad);
1889 if (rc)
1890 return rc;
1891
1892 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1893 &dentry->d_name, tclass, &newsid);
1894 if (rc)
1895 return rc;
1896
1897 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1898 if (rc)
1899 return rc;
1900
1901 return avc_has_perm(newsid, sbsec->sid,
1902 SECCLASS_FILESYSTEM,
1903 FILESYSTEM__ASSOCIATE, &ad);
1904 }
1905
1906 #define MAY_LINK 0
1907 #define MAY_UNLINK 1
1908 #define MAY_RMDIR 2
1909
1910 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1911 static int may_link(struct inode *dir,
1912 struct dentry *dentry,
1913 int kind)
1914
1915 {
1916 struct inode_security_struct *dsec, *isec;
1917 struct common_audit_data ad;
1918 u32 sid = current_sid();
1919 u32 av;
1920 int rc;
1921
1922 dsec = inode_security(dir);
1923 isec = backing_inode_security(dentry);
1924
1925 ad.type = LSM_AUDIT_DATA_DENTRY;
1926 ad.u.dentry = dentry;
1927
1928 av = DIR__SEARCH;
1929 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1930 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1931 if (rc)
1932 return rc;
1933
1934 switch (kind) {
1935 case MAY_LINK:
1936 av = FILE__LINK;
1937 break;
1938 case MAY_UNLINK:
1939 av = FILE__UNLINK;
1940 break;
1941 case MAY_RMDIR:
1942 av = DIR__RMDIR;
1943 break;
1944 default:
1945 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1946 __func__, kind);
1947 return 0;
1948 }
1949
1950 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1951 return rc;
1952 }
1953
1954 static inline int may_rename(struct inode *old_dir,
1955 struct dentry *old_dentry,
1956 struct inode *new_dir,
1957 struct dentry *new_dentry)
1958 {
1959 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1960 struct common_audit_data ad;
1961 u32 sid = current_sid();
1962 u32 av;
1963 int old_is_dir, new_is_dir;
1964 int rc;
1965
1966 old_dsec = inode_security(old_dir);
1967 old_isec = backing_inode_security(old_dentry);
1968 old_is_dir = d_is_dir(old_dentry);
1969 new_dsec = inode_security(new_dir);
1970
1971 ad.type = LSM_AUDIT_DATA_DENTRY;
1972
1973 ad.u.dentry = old_dentry;
1974 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1975 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1976 if (rc)
1977 return rc;
1978 rc = avc_has_perm(sid, old_isec->sid,
1979 old_isec->sclass, FILE__RENAME, &ad);
1980 if (rc)
1981 return rc;
1982 if (old_is_dir && new_dir != old_dir) {
1983 rc = avc_has_perm(sid, old_isec->sid,
1984 old_isec->sclass, DIR__REPARENT, &ad);
1985 if (rc)
1986 return rc;
1987 }
1988
1989 ad.u.dentry = new_dentry;
1990 av = DIR__ADD_NAME | DIR__SEARCH;
1991 if (d_is_positive(new_dentry))
1992 av |= DIR__REMOVE_NAME;
1993 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1994 if (rc)
1995 return rc;
1996 if (d_is_positive(new_dentry)) {
1997 new_isec = backing_inode_security(new_dentry);
1998 new_is_dir = d_is_dir(new_dentry);
1999 rc = avc_has_perm(sid, new_isec->sid,
2000 new_isec->sclass,
2001 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2002 if (rc)
2003 return rc;
2004 }
2005
2006 return 0;
2007 }
2008
2009 /* Check whether a task can perform a filesystem operation. */
2010 static int superblock_has_perm(const struct cred *cred,
2011 struct super_block *sb,
2012 u32 perms,
2013 struct common_audit_data *ad)
2014 {
2015 struct superblock_security_struct *sbsec;
2016 u32 sid = cred_sid(cred);
2017
2018 sbsec = selinux_superblock(sb);
2019 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2020 }
2021
2022 /* Convert a Linux mode and permission mask to an access vector. */
2023 static inline u32 file_mask_to_av(int mode, int mask)
2024 {
2025 u32 av = 0;
2026
2027 if (!S_ISDIR(mode)) {
2028 if (mask & MAY_EXEC)
2029 av |= FILE__EXECUTE;
2030 if (mask & MAY_READ)
2031 av |= FILE__READ;
2032
2033 if (mask & MAY_APPEND)
2034 av |= FILE__APPEND;
2035 else if (mask & MAY_WRITE)
2036 av |= FILE__WRITE;
2037
2038 } else {
2039 if (mask & MAY_EXEC)
2040 av |= DIR__SEARCH;
2041 if (mask & MAY_WRITE)
2042 av |= DIR__WRITE;
2043 if (mask & MAY_READ)
2044 av |= DIR__READ;
2045 }
2046
2047 return av;
2048 }
2049
2050 /* Convert a Linux file to an access vector. */
2051 static inline u32 file_to_av(struct file *file)
2052 {
2053 u32 av = 0;
2054
2055 if (file->f_mode & FMODE_READ)
2056 av |= FILE__READ;
2057 if (file->f_mode & FMODE_WRITE) {
2058 if (file->f_flags & O_APPEND)
2059 av |= FILE__APPEND;
2060 else
2061 av |= FILE__WRITE;
2062 }
2063 if (!av) {
2064 /*
2065 * Special file opened with flags 3 for ioctl-only use.
2066 */
2067 av = FILE__IOCTL;
2068 }
2069
2070 return av;
2071 }
2072
2073 /*
2074 * Convert a file to an access vector and include the correct open
2075 * open permission.
2076 */
2077 static inline u32 open_file_to_av(struct file *file)
2078 {
2079 u32 av = file_to_av(file);
2080 struct inode *inode = file_inode(file);
2081
2082 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2083 av |= FILE__OPEN;
2084
2085 return av;
2086 }
2087
2088 /* Hook functions begin here. */
2089
2090 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2091 {
2092 u32 mysid = current_sid();
2093 u32 mgrsid = task_sid(mgr);
2094
2095 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2096 BINDER__SET_CONTEXT_MGR, NULL);
2097 }
2098
2099 static int selinux_binder_transaction(struct task_struct *from,
2100 struct task_struct *to)
2101 {
2102 u32 mysid = current_sid();
2103 u32 fromsid = task_sid(from);
2104 u32 tosid = task_sid(to);
2105 int rc;
2106
2107 if (mysid != fromsid) {
2108 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2109 BINDER__IMPERSONATE, NULL);
2110 if (rc)
2111 return rc;
2112 }
2113
2114 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2115 NULL);
2116 }
2117
2118 static int selinux_binder_transfer_binder(struct task_struct *from,
2119 struct task_struct *to)
2120 {
2121 u32 fromsid = task_sid(from);
2122 u32 tosid = task_sid(to);
2123
2124 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2125 NULL);
2126 }
2127
2128 static int selinux_binder_transfer_file(struct task_struct *from,
2129 struct task_struct *to,
2130 struct file *file)
2131 {
2132 u32 sid = task_sid(to);
2133 struct file_security_struct *fsec = selinux_file(file);
2134 struct dentry *dentry = file->f_path.dentry;
2135 struct inode_security_struct *isec;
2136 struct common_audit_data ad;
2137 int rc;
2138
2139 ad.type = LSM_AUDIT_DATA_PATH;
2140 ad.u.path = file->f_path;
2141
2142 if (sid != fsec->sid) {
2143 rc = avc_has_perm(sid, fsec->sid,
2144 SECCLASS_FD,
2145 FD__USE,
2146 &ad);
2147 if (rc)
2148 return rc;
2149 }
2150
2151 #ifdef CONFIG_BPF_SYSCALL
2152 rc = bpf_fd_pass(file, sid);
2153 if (rc)
2154 return rc;
2155 #endif
2156
2157 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2158 return 0;
2159
2160 isec = backing_inode_security(dentry);
2161 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2162 &ad);
2163 }
2164
2165 static int selinux_ptrace_access_check(struct task_struct *child,
2166 unsigned int mode)
2167 {
2168 u32 sid = current_sid();
2169 u32 csid = task_sid(child);
2170
2171 if (mode & PTRACE_MODE_READ)
2172 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2173
2174 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2175 }
2176
2177 static int selinux_ptrace_traceme(struct task_struct *parent)
2178 {
2179 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2180 PROCESS__PTRACE, NULL);
2181 }
2182
2183 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2184 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2185 {
2186 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2187 PROCESS__GETCAP, NULL);
2188 }
2189
2190 static int selinux_capset(struct cred *new, const struct cred *old,
2191 const kernel_cap_t *effective,
2192 const kernel_cap_t *inheritable,
2193 const kernel_cap_t *permitted)
2194 {
2195 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2196 PROCESS__SETCAP, NULL);
2197 }
2198
2199 /*
2200 * (This comment used to live with the selinux_task_setuid hook,
2201 * which was removed).
2202 *
2203 * Since setuid only affects the current process, and since the SELinux
2204 * controls are not based on the Linux identity attributes, SELinux does not
2205 * need to control this operation. However, SELinux does control the use of
2206 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2207 */
2208
2209 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2210 int cap, int audit)
2211 {
2212 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2213 }
2214
2215 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2216 {
2217 const struct cred *cred = current_cred();
2218 int rc = 0;
2219
2220 if (!sb)
2221 return 0;
2222
2223 switch (cmds) {
2224 case Q_SYNC:
2225 case Q_QUOTAON:
2226 case Q_QUOTAOFF:
2227 case Q_SETINFO:
2228 case Q_SETQUOTA:
2229 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2230 break;
2231 case Q_GETFMT:
2232 case Q_GETINFO:
2233 case Q_GETQUOTA:
2234 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2235 break;
2236 default:
2237 rc = 0; /* let the kernel handle invalid cmds */
2238 break;
2239 }
2240 return rc;
2241 }
2242
2243 static int selinux_quota_on(struct dentry *dentry)
2244 {
2245 const struct cred *cred = current_cred();
2246
2247 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2248 }
2249
2250 static int selinux_syslog(int type)
2251 {
2252 switch (type) {
2253 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2254 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2255 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2256 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2257 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2258 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2259 /* Set level of messages printed to console */
2260 case SYSLOG_ACTION_CONSOLE_LEVEL:
2261 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2262 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2263 NULL);
2264 }
2265 /* All other syslog types */
2266 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2267 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2268 }
2269
2270 /*
2271 * Check that a process has enough memory to allocate a new virtual
2272 * mapping. 0 means there is enough memory for the allocation to
2273 * succeed and -ENOMEM implies there is not.
2274 *
2275 * Do not audit the selinux permission check, as this is applied to all
2276 * processes that allocate mappings.
2277 */
2278 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2279 {
2280 int rc, cap_sys_admin = 0;
2281
2282 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2283 SECURITY_CAP_NOAUDIT, true);
2284 if (rc == 0)
2285 cap_sys_admin = 1;
2286
2287 return cap_sys_admin;
2288 }
2289
2290 /* binprm security operations */
2291
2292 static u32 ptrace_parent_sid(void)
2293 {
2294 u32 sid = 0;
2295 struct task_struct *tracer;
2296
2297 rcu_read_lock();
2298 tracer = ptrace_parent(current);
2299 if (tracer)
2300 sid = task_sid(tracer);
2301 rcu_read_unlock();
2302
2303 return sid;
2304 }
2305
2306 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2307 const struct task_security_struct *old_tsec,
2308 const struct task_security_struct *new_tsec)
2309 {
2310 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2311 int nosuid = path_nosuid(&bprm->file->f_path);
2312 int rc;
2313 u32 av;
2314
2315 if (!nnp && !nosuid)
2316 return 0; /* neither NNP nor nosuid */
2317
2318 if (new_tsec->sid == old_tsec->sid)
2319 return 0; /* No change in credentials */
2320
2321 /*
2322 * If the policy enables the nnp_nosuid_transition policy capability,
2323 * then we permit transitions under NNP or nosuid if the
2324 * policy allows the corresponding permission between
2325 * the old and new contexts.
2326 */
2327 if (selinux_policycap_nnp_nosuid_transition) {
2328 av = 0;
2329 if (nnp)
2330 av |= PROCESS2__NNP_TRANSITION;
2331 if (nosuid)
2332 av |= PROCESS2__NOSUID_TRANSITION;
2333 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2334 SECCLASS_PROCESS2, av, NULL);
2335 if (!rc)
2336 return 0;
2337 }
2338
2339 /*
2340 * We also permit NNP or nosuid transitions to bounded SIDs,
2341 * i.e. SIDs that are guaranteed to only be allowed a subset
2342 * of the permissions of the current SID.
2343 */
2344 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2345 if (!rc)
2346 return 0;
2347
2348 /*
2349 * On failure, preserve the errno values for NNP vs nosuid.
2350 * NNP: Operation not permitted for caller.
2351 * nosuid: Permission denied to file.
2352 */
2353 if (nnp)
2354 return -EPERM;
2355 return -EACCES;
2356 }
2357
2358 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2359 {
2360 const struct task_security_struct *old_tsec;
2361 struct task_security_struct *new_tsec;
2362 struct inode_security_struct *isec;
2363 struct common_audit_data ad;
2364 struct inode *inode = file_inode(bprm->file);
2365 int rc;
2366
2367 /* SELinux context only depends on initial program or script and not
2368 * the script interpreter */
2369 if (bprm->called_set_creds)
2370 return 0;
2371
2372 old_tsec = selinux_cred(current_cred());
2373 new_tsec = selinux_cred(bprm->cred);
2374 isec = inode_security(inode);
2375
2376 /* Default to the current task SID. */
2377 new_tsec->sid = old_tsec->sid;
2378 new_tsec->osid = old_tsec->sid;
2379
2380 /* Reset fs, key, and sock SIDs on execve. */
2381 new_tsec->create_sid = 0;
2382 new_tsec->keycreate_sid = 0;
2383 new_tsec->sockcreate_sid = 0;
2384
2385 if (old_tsec->exec_sid) {
2386 new_tsec->sid = old_tsec->exec_sid;
2387 /* Reset exec SID on execve. */
2388 new_tsec->exec_sid = 0;
2389
2390 /* Fail on NNP or nosuid if not an allowed transition. */
2391 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2392 if (rc)
2393 return rc;
2394 } else {
2395 /* Check for a default transition on this program. */
2396 rc = security_transition_sid(old_tsec->sid, isec->sid,
2397 SECCLASS_PROCESS, NULL,
2398 &new_tsec->sid);
2399 if (rc)
2400 return rc;
2401
2402 /*
2403 * Fallback to old SID on NNP or nosuid if not an allowed
2404 * transition.
2405 */
2406 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2407 if (rc)
2408 new_tsec->sid = old_tsec->sid;
2409 }
2410
2411 ad.type = LSM_AUDIT_DATA_FILE;
2412 ad.u.file = bprm->file;
2413
2414 if (new_tsec->sid == old_tsec->sid) {
2415 rc = avc_has_perm(old_tsec->sid, isec->sid,
2416 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2417 if (rc)
2418 return rc;
2419 } else {
2420 /* Check permissions for the transition. */
2421 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2422 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2423 if (rc)
2424 return rc;
2425
2426 rc = avc_has_perm(new_tsec->sid, isec->sid,
2427 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2428 if (rc)
2429 return rc;
2430
2431 /* Check for shared state */
2432 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2433 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2434 SECCLASS_PROCESS, PROCESS__SHARE,
2435 NULL);
2436 if (rc)
2437 return -EPERM;
2438 }
2439
2440 /* Make sure that anyone attempting to ptrace over a task that
2441 * changes its SID has the appropriate permit */
2442 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2443 u32 ptsid = ptrace_parent_sid();
2444 if (ptsid != 0) {
2445 rc = avc_has_perm(ptsid, new_tsec->sid,
2446 SECCLASS_PROCESS,
2447 PROCESS__PTRACE, NULL);
2448 if (rc)
2449 return -EPERM;
2450 }
2451 }
2452
2453 /* Clear any possibly unsafe personality bits on exec: */
2454 bprm->per_clear |= PER_CLEAR_ON_SETID;
2455
2456 /* Enable secure mode for SIDs transitions unless
2457 the noatsecure permission is granted between
2458 the two SIDs, i.e. ahp returns 0. */
2459 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2460 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2461 NULL);
2462 bprm->secureexec |= !!rc;
2463 }
2464
2465 return 0;
2466 }
2467
2468 static int match_file(const void *p, struct file *file, unsigned fd)
2469 {
2470 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2471 }
2472
2473 /* Derived from fs/exec.c:flush_old_files. */
2474 static inline void flush_unauthorized_files(const struct cred *cred,
2475 struct files_struct *files)
2476 {
2477 struct file *file, *devnull = NULL;
2478 struct tty_struct *tty;
2479 int drop_tty = 0;
2480 unsigned n;
2481
2482 tty = get_current_tty();
2483 if (tty) {
2484 spin_lock(&tty->files_lock);
2485 if (!list_empty(&tty->tty_files)) {
2486 struct tty_file_private *file_priv;
2487
2488 /* Revalidate access to controlling tty.
2489 Use file_path_has_perm on the tty path directly
2490 rather than using file_has_perm, as this particular
2491 open file may belong to another process and we are
2492 only interested in the inode-based check here. */
2493 file_priv = list_first_entry(&tty->tty_files,
2494 struct tty_file_private, list);
2495 file = file_priv->file;
2496 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2497 drop_tty = 1;
2498 }
2499 spin_unlock(&tty->files_lock);
2500 tty_kref_put(tty);
2501 }
2502 /* Reset controlling tty. */
2503 if (drop_tty)
2504 no_tty();
2505
2506 /* Revalidate access to inherited open files. */
2507 n = iterate_fd(files, 0, match_file, cred);
2508 if (!n) /* none found? */
2509 return;
2510
2511 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2512 if (IS_ERR(devnull))
2513 devnull = NULL;
2514 /* replace all the matching ones with this */
2515 do {
2516 replace_fd(n - 1, devnull, 0);
2517 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2518 if (devnull)
2519 fput(devnull);
2520 }
2521
2522 /*
2523 * Prepare a process for imminent new credential changes due to exec
2524 */
2525 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2526 {
2527 struct task_security_struct *new_tsec;
2528 struct rlimit *rlim, *initrlim;
2529 int rc, i;
2530
2531 new_tsec = selinux_cred(bprm->cred);
2532 if (new_tsec->sid == new_tsec->osid)
2533 return;
2534
2535 /* Close files for which the new task SID is not authorized. */
2536 flush_unauthorized_files(bprm->cred, current->files);
2537
2538 /* Always clear parent death signal on SID transitions. */
2539 current->pdeath_signal = 0;
2540
2541 /* Check whether the new SID can inherit resource limits from the old
2542 * SID. If not, reset all soft limits to the lower of the current
2543 * task's hard limit and the init task's soft limit.
2544 *
2545 * Note that the setting of hard limits (even to lower them) can be
2546 * controlled by the setrlimit check. The inclusion of the init task's
2547 * soft limit into the computation is to avoid resetting soft limits
2548 * higher than the default soft limit for cases where the default is
2549 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2550 */
2551 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2552 PROCESS__RLIMITINH, NULL);
2553 if (rc) {
2554 /* protect against do_prlimit() */
2555 task_lock(current);
2556 for (i = 0; i < RLIM_NLIMITS; i++) {
2557 rlim = current->signal->rlim + i;
2558 initrlim = init_task.signal->rlim + i;
2559 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2560 }
2561 task_unlock(current);
2562 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2563 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2564 }
2565 }
2566
2567 /*
2568 * Clean up the process immediately after the installation of new credentials
2569 * due to exec
2570 */
2571 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2572 {
2573 const struct task_security_struct *tsec = selinux_cred(current_cred());
2574 struct itimerval itimer;
2575 u32 osid, sid;
2576 int rc, i;
2577
2578 osid = tsec->osid;
2579 sid = tsec->sid;
2580
2581 if (sid == osid)
2582 return;
2583
2584 /* Check whether the new SID can inherit signal state from the old SID.
2585 * If not, clear itimers to avoid subsequent signal generation and
2586 * flush and unblock signals.
2587 *
2588 * This must occur _after_ the task SID has been updated so that any
2589 * kill done after the flush will be checked against the new SID.
2590 */
2591 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2592 if (rc) {
2593 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2594 memset(&itimer, 0, sizeof itimer);
2595 for (i = 0; i < 3; i++)
2596 do_setitimer(i, &itimer, NULL);
2597 }
2598 spin_lock_irq(&current->sighand->siglock);
2599 if (!fatal_signal_pending(current)) {
2600 flush_sigqueue(&current->pending);
2601 flush_sigqueue(&current->signal->shared_pending);
2602 flush_signal_handlers(current, 1);
2603 sigemptyset(&current->blocked);
2604 recalc_sigpending();
2605 }
2606 spin_unlock_irq(&current->sighand->siglock);
2607 }
2608
2609 /* Wake up the parent if it is waiting so that it can recheck
2610 * wait permission to the new task SID. */
2611 read_lock(&tasklist_lock);
2612 __wake_up_parent(current, current->real_parent);
2613 read_unlock(&tasklist_lock);
2614 }
2615
2616 /* superblock security operations */
2617
2618 static int selinux_sb_alloc_security(struct super_block *sb)
2619 {
2620 return superblock_alloc_security(sb);
2621 }
2622
2623 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2624 {
2625 if (plen > olen)
2626 return 0;
2627
2628 return !memcmp(prefix, option, plen);
2629 }
2630
2631 static inline int selinux_option(char *option, int len)
2632 {
2633 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2634 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2635 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2636 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2637 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2638 }
2639
2640 static inline void take_option(char **to, char *from, int *first, int len)
2641 {
2642 if (!*first) {
2643 **to = ',';
2644 *to += 1;
2645 } else
2646 *first = 0;
2647 memcpy(*to, from, len);
2648 *to += len;
2649 }
2650
2651 static inline void take_selinux_option(char **to, char *from, int *first,
2652 int len)
2653 {
2654 int current_size = 0;
2655
2656 if (!*first) {
2657 **to = '|';
2658 *to += 1;
2659 } else
2660 *first = 0;
2661
2662 while (current_size < len) {
2663 if (*from != '"') {
2664 **to = *from;
2665 *to += 1;
2666 }
2667 from += 1;
2668 current_size += 1;
2669 }
2670 }
2671
2672 static int selinux_sb_copy_data(char *orig, char *copy)
2673 {
2674 int fnosec, fsec, rc = 0;
2675 char *in_save, *in_curr, *in_end;
2676 char *sec_curr, *nosec_save, *nosec;
2677 int open_quote = 0;
2678
2679 in_curr = orig;
2680 sec_curr = copy;
2681
2682 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2683 if (!nosec) {
2684 rc = -ENOMEM;
2685 goto out;
2686 }
2687
2688 nosec_save = nosec;
2689 fnosec = fsec = 1;
2690 in_save = in_end = orig;
2691
2692 do {
2693 if (*in_end == '"')
2694 open_quote = !open_quote;
2695 if ((*in_end == ',' && open_quote == 0) ||
2696 *in_end == '\0') {
2697 int len = in_end - in_curr;
2698
2699 if (selinux_option(in_curr, len))
2700 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2701 else
2702 take_option(&nosec, in_curr, &fnosec, len);
2703
2704 in_curr = in_end + 1;
2705 }
2706 } while (*in_end++);
2707
2708 strcpy(in_save, nosec_save);
2709 free_page((unsigned long)nosec_save);
2710 out:
2711 return rc;
2712 }
2713
2714 static int selinux_sb_remount(struct super_block *sb, void *data)
2715 {
2716 int rc, i, *flags;
2717 struct security_mnt_opts opts;
2718 char *secdata, **mount_options;
2719 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2720
2721 if (!(sbsec->flags & SE_SBINITIALIZED))
2722 return 0;
2723
2724 if (!data)
2725 return 0;
2726
2727 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2728 return 0;
2729
2730 security_init_mnt_opts(&opts);
2731 secdata = alloc_secdata();
2732 if (!secdata)
2733 return -ENOMEM;
2734 rc = selinux_sb_copy_data(data, secdata);
2735 if (rc)
2736 goto out_free_secdata;
2737
2738 rc = selinux_parse_opts_str(secdata, &opts);
2739 if (rc)
2740 goto out_free_secdata;
2741
2742 mount_options = opts.mnt_opts;
2743 flags = opts.mnt_opts_flags;
2744
2745 for (i = 0; i < opts.num_mnt_opts; i++) {
2746 u32 sid;
2747
2748 if (flags[i] == SBLABEL_MNT)
2749 continue;
2750 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2751 if (rc) {
2752 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2753 "(%s) failed for (dev %s, type %s) errno=%d\n",
2754 mount_options[i], sb->s_id, sb->s_type->name, rc);
2755 goto out_free_opts;
2756 }
2757 rc = -EINVAL;
2758 switch (flags[i]) {
2759 case FSCONTEXT_MNT:
2760 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2761 goto out_bad_option;
2762 break;
2763 case CONTEXT_MNT:
2764 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2765 goto out_bad_option;
2766 break;
2767 case ROOTCONTEXT_MNT: {
2768 struct inode_security_struct *root_isec;
2769 root_isec = backing_inode_security(sb->s_root);
2770
2771 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2772 goto out_bad_option;
2773 break;
2774 }
2775 case DEFCONTEXT_MNT:
2776 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2777 goto out_bad_option;
2778 break;
2779 default:
2780 goto out_free_opts;
2781 }
2782 }
2783
2784 rc = 0;
2785 out_free_opts:
2786 security_free_mnt_opts(&opts);
2787 out_free_secdata:
2788 free_secdata(secdata);
2789 return rc;
2790 out_bad_option:
2791 printk(KERN_WARNING "SELinux: unable to change security options "
2792 "during remount (dev %s, type=%s)\n", sb->s_id,
2793 sb->s_type->name);
2794 goto out_free_opts;
2795 }
2796
2797 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2798 {
2799 const struct cred *cred = current_cred();
2800 struct common_audit_data ad;
2801 int rc;
2802
2803 rc = superblock_doinit(sb, data);
2804 if (rc)
2805 return rc;
2806
2807 /* Allow all mounts performed by the kernel */
2808 if (flags & (MS_KERNMOUNT | MS_SUBMOUNT))
2809 return 0;
2810
2811 ad.type = LSM_AUDIT_DATA_DENTRY;
2812 ad.u.dentry = sb->s_root;
2813 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2814 }
2815
2816 static int selinux_sb_statfs(struct dentry *dentry)
2817 {
2818 const struct cred *cred = current_cred();
2819 struct common_audit_data ad;
2820
2821 ad.type = LSM_AUDIT_DATA_DENTRY;
2822 ad.u.dentry = dentry->d_sb->s_root;
2823 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2824 }
2825
2826 static int selinux_mount(const char *dev_name,
2827 const struct path *path,
2828 const char *type,
2829 unsigned long flags,
2830 void *data)
2831 {
2832 const struct cred *cred = current_cred();
2833
2834 if (flags & MS_REMOUNT)
2835 return superblock_has_perm(cred, path->dentry->d_sb,
2836 FILESYSTEM__REMOUNT, NULL);
2837 else
2838 return path_has_perm(cred, path, FILE__MOUNTON);
2839 }
2840
2841 static int selinux_umount(struct vfsmount *mnt, int flags)
2842 {
2843 const struct cred *cred = current_cred();
2844
2845 return superblock_has_perm(cred, mnt->mnt_sb,
2846 FILESYSTEM__UNMOUNT, NULL);
2847 }
2848
2849 /* inode security operations */
2850
2851 static int selinux_inode_alloc_security(struct inode *inode)
2852 {
2853 return inode_alloc_security(inode);
2854 }
2855
2856 static void selinux_inode_free_security(struct inode *inode)
2857 {
2858 inode_free_security(inode);
2859 }
2860
2861 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2862 const struct qstr *name, void **ctx,
2863 u32 *ctxlen)
2864 {
2865 u32 newsid;
2866 int rc;
2867
2868 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2869 d_inode(dentry->d_parent), name,
2870 inode_mode_to_security_class(mode),
2871 &newsid);
2872 if (rc)
2873 return rc;
2874
2875 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2876 }
2877
2878 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2879 struct qstr *name,
2880 const struct cred *old,
2881 struct cred *new)
2882 {
2883 u32 newsid;
2884 int rc;
2885 struct task_security_struct *tsec;
2886
2887 rc = selinux_determine_inode_label(selinux_cred(old),
2888 d_inode(dentry->d_parent), name,
2889 inode_mode_to_security_class(mode),
2890 &newsid);
2891 if (rc)
2892 return rc;
2893
2894 tsec = selinux_cred(new);
2895 tsec->create_sid = newsid;
2896 return 0;
2897 }
2898
2899 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2900 const struct qstr *qstr,
2901 const char **name,
2902 void **value, size_t *len)
2903 {
2904 const struct task_security_struct *tsec = selinux_cred(current_cred());
2905 struct superblock_security_struct *sbsec;
2906 u32 newsid, clen;
2907 int rc;
2908 char *context;
2909
2910 sbsec = selinux_superblock(dir->i_sb);
2911
2912 newsid = tsec->create_sid;
2913
2914 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2915 dir, qstr,
2916 inode_mode_to_security_class(inode->i_mode),
2917 &newsid);
2918 if (rc)
2919 return rc;
2920
2921 /* Possibly defer initialization to selinux_complete_init. */
2922 if (sbsec->flags & SE_SBINITIALIZED) {
2923 struct inode_security_struct *isec = selinux_inode(inode);
2924 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2925 isec->sid = newsid;
2926 isec->initialized = LABEL_INITIALIZED;
2927 }
2928
2929 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2930 return -EOPNOTSUPP;
2931
2932 if (name)
2933 *name = XATTR_SELINUX_SUFFIX;
2934
2935 if (value && len) {
2936 rc = security_sid_to_context_force(newsid, &context, &clen);
2937 if (rc)
2938 return rc;
2939 *value = context;
2940 *len = clen;
2941 }
2942
2943 return 0;
2944 }
2945
2946 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2947 {
2948 return may_create(dir, dentry, SECCLASS_FILE);
2949 }
2950
2951 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2952 {
2953 return may_link(dir, old_dentry, MAY_LINK);
2954 }
2955
2956 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2957 {
2958 return may_link(dir, dentry, MAY_UNLINK);
2959 }
2960
2961 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2962 {
2963 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2964 }
2965
2966 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2967 {
2968 return may_create(dir, dentry, SECCLASS_DIR);
2969 }
2970
2971 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2972 {
2973 return may_link(dir, dentry, MAY_RMDIR);
2974 }
2975
2976 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2977 {
2978 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2979 }
2980
2981 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2982 struct inode *new_inode, struct dentry *new_dentry)
2983 {
2984 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2985 }
2986
2987 static int selinux_inode_readlink(struct dentry *dentry)
2988 {
2989 const struct cred *cred = current_cred();
2990
2991 return dentry_has_perm(cred, dentry, FILE__READ);
2992 }
2993
2994 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2995 bool rcu)
2996 {
2997 const struct cred *cred = current_cred();
2998 struct common_audit_data ad;
2999 struct inode_security_struct *isec;
3000 u32 sid;
3001
3002 validate_creds(cred);
3003
3004 ad.type = LSM_AUDIT_DATA_DENTRY;
3005 ad.u.dentry = dentry;
3006 sid = cred_sid(cred);
3007 isec = inode_security_rcu(inode, rcu);
3008 if (IS_ERR(isec))
3009 return PTR_ERR(isec);
3010
3011 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3012 rcu ? MAY_NOT_BLOCK : 0);
3013 }
3014
3015 static noinline int audit_inode_permission(struct inode *inode,
3016 u32 perms, u32 audited, u32 denied,
3017 int result,
3018 unsigned flags)
3019 {
3020 struct common_audit_data ad;
3021 struct inode_security_struct *isec = selinux_inode(inode);
3022 int rc;
3023
3024 ad.type = LSM_AUDIT_DATA_INODE;
3025 ad.u.inode = inode;
3026
3027 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3028 audited, denied, result, &ad, flags);
3029 if (rc)
3030 return rc;
3031 return 0;
3032 }
3033
3034 static int selinux_inode_permission(struct inode *inode, int mask)
3035 {
3036 const struct cred *cred = current_cred();
3037 u32 perms;
3038 bool from_access;
3039 unsigned flags = mask & MAY_NOT_BLOCK;
3040 struct inode_security_struct *isec;
3041 u32 sid;
3042 struct av_decision avd;
3043 int rc, rc2;
3044 u32 audited, denied;
3045
3046 from_access = mask & MAY_ACCESS;
3047 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3048
3049 /* No permission to check. Existence test. */
3050 if (!mask)
3051 return 0;
3052
3053 validate_creds(cred);
3054
3055 if (unlikely(IS_PRIVATE(inode)))
3056 return 0;
3057
3058 perms = file_mask_to_av(inode->i_mode, mask);
3059
3060 sid = cred_sid(cred);
3061 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3062 if (IS_ERR(isec))
3063 return PTR_ERR(isec);
3064
3065 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3066 audited = avc_audit_required(perms, &avd, rc,
3067 from_access ? FILE__AUDIT_ACCESS : 0,
3068 &denied);
3069 if (likely(!audited))
3070 return rc;
3071
3072 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3073 if (rc2)
3074 return rc2;
3075 return rc;
3076 }
3077
3078 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3079 {
3080 const struct cred *cred = current_cred();
3081 struct inode *inode = d_backing_inode(dentry);
3082 unsigned int ia_valid = iattr->ia_valid;
3083 __u32 av = FILE__WRITE;
3084
3085 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3086 if (ia_valid & ATTR_FORCE) {
3087 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3088 ATTR_FORCE);
3089 if (!ia_valid)
3090 return 0;
3091 }
3092
3093 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3094 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3095 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3096
3097 if (selinux_policycap_openperm &&
3098 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3099 (ia_valid & ATTR_SIZE) &&
3100 !(ia_valid & ATTR_FILE))
3101 av |= FILE__OPEN;
3102
3103 return dentry_has_perm(cred, dentry, av);
3104 }
3105
3106 static int selinux_inode_getattr(const struct path *path)
3107 {
3108 return path_has_perm(current_cred(), path, FILE__GETATTR);
3109 }
3110
3111 static bool has_cap_mac_admin(bool audit)
3112 {
3113 const struct cred *cred = current_cred();
3114 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3115
3116 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3117 return false;
3118 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3119 return false;
3120 return true;
3121 }
3122
3123 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3124 const void *value, size_t size, int flags)
3125 {
3126 struct inode *inode = d_backing_inode(dentry);
3127 struct inode_security_struct *isec;
3128 struct superblock_security_struct *sbsec;
3129 struct common_audit_data ad;
3130 u32 newsid, sid = current_sid();
3131 int rc = 0;
3132
3133 if (strcmp(name, XATTR_NAME_SELINUX)) {
3134 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3135 if (rc)
3136 return rc;
3137
3138 /* Not an attribute we recognize, so just check the
3139 ordinary setattr permission. */
3140 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3141 }
3142
3143 sbsec = selinux_superblock(inode->i_sb);
3144 if (!(sbsec->flags & SBLABEL_MNT))
3145 return -EOPNOTSUPP;
3146
3147 if (!inode_owner_or_capable(inode))
3148 return -EPERM;
3149
3150 ad.type = LSM_AUDIT_DATA_DENTRY;
3151 ad.u.dentry = dentry;
3152
3153 isec = backing_inode_security(dentry);
3154 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3155 FILE__RELABELFROM, &ad);
3156 if (rc)
3157 return rc;
3158
3159 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3160 if (rc == -EINVAL) {
3161 if (!has_cap_mac_admin(true)) {
3162 struct audit_buffer *ab;
3163 size_t audit_size;
3164
3165 /* We strip a nul only if it is at the end, otherwise the
3166 * context contains a nul and we should audit that */
3167 if (value) {
3168 const char *str = value;
3169
3170 if (str[size - 1] == '\0')
3171 audit_size = size - 1;
3172 else
3173 audit_size = size;
3174 } else {
3175 audit_size = 0;
3176 }
3177 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3178 audit_log_format(ab, "op=setxattr invalid_context=");
3179 audit_log_n_untrustedstring(ab, value, audit_size);
3180 audit_log_end(ab);
3181
3182 return rc;
3183 }
3184 rc = security_context_to_sid_force(value, size, &newsid);
3185 }
3186 if (rc)
3187 return rc;
3188
3189 rc = avc_has_perm(sid, newsid, isec->sclass,
3190 FILE__RELABELTO, &ad);
3191 if (rc)
3192 return rc;
3193
3194 rc = security_validate_transition(isec->sid, newsid, sid,
3195 isec->sclass);
3196 if (rc)
3197 return rc;
3198
3199 return avc_has_perm(newsid,
3200 sbsec->sid,
3201 SECCLASS_FILESYSTEM,
3202 FILESYSTEM__ASSOCIATE,
3203 &ad);
3204 }
3205
3206 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3207 const void *value, size_t size,
3208 int flags)
3209 {
3210 struct inode *inode = d_backing_inode(dentry);
3211 struct inode_security_struct *isec;
3212 u32 newsid;
3213 int rc;
3214
3215 if (strcmp(name, XATTR_NAME_SELINUX)) {
3216 /* Not an attribute we recognize, so nothing to do. */
3217 return;
3218 }
3219
3220 rc = security_context_to_sid_force(value, size, &newsid);
3221 if (rc) {
3222 printk(KERN_ERR "SELinux: unable to map context to SID"
3223 "for (%s, %lu), rc=%d\n",
3224 inode->i_sb->s_id, inode->i_ino, -rc);
3225 return;
3226 }
3227
3228 isec = backing_inode_security(dentry);
3229 spin_lock(&isec->lock);
3230 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3231 isec->sid = newsid;
3232 isec->initialized = LABEL_INITIALIZED;
3233 spin_unlock(&isec->lock);
3234
3235 return;
3236 }
3237
3238 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3239 {
3240 const struct cred *cred = current_cred();
3241
3242 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3243 }
3244
3245 static int selinux_inode_listxattr(struct dentry *dentry)
3246 {
3247 const struct cred *cred = current_cred();
3248
3249 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3250 }
3251
3252 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3253 {
3254 if (strcmp(name, XATTR_NAME_SELINUX)) {
3255 int rc = cap_inode_removexattr(dentry, name);
3256 if (rc)
3257 return rc;
3258
3259 /* Not an attribute we recognize, so just check the
3260 ordinary setattr permission. */
3261 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3262 }
3263
3264 /* No one is allowed to remove a SELinux security label.
3265 You can change the label, but all data must be labeled. */
3266 return -EACCES;
3267 }
3268
3269 /*
3270 * Copy the inode security context value to the user.
3271 *
3272 * Permission check is handled by selinux_inode_getxattr hook.
3273 */
3274 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3275 {
3276 u32 size;
3277 int error;
3278 char *context = NULL;
3279 struct inode_security_struct *isec;
3280
3281 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3282 return -EOPNOTSUPP;
3283
3284 /*
3285 * If the caller has CAP_MAC_ADMIN, then get the raw context
3286 * value even if it is not defined by current policy; otherwise,
3287 * use the in-core value under current policy.
3288 * Use the non-auditing forms of the permission checks since
3289 * getxattr may be called by unprivileged processes commonly
3290 * and lack of permission just means that we fall back to the
3291 * in-core context value, not a denial.
3292 */
3293 isec = inode_security(inode);
3294 if (has_cap_mac_admin(false))
3295 error = security_sid_to_context_force(isec->sid, &context,
3296 &size);
3297 else
3298 error = security_sid_to_context(isec->sid, &context, &size);
3299 if (error)
3300 return error;
3301 error = size;
3302 if (alloc) {
3303 *buffer = context;
3304 goto out_nofree;
3305 }
3306 kfree(context);
3307 out_nofree:
3308 return error;
3309 }
3310
3311 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3312 const void *value, size_t size, int flags)
3313 {
3314 struct inode_security_struct *isec = inode_security_novalidate(inode);
3315 u32 newsid;
3316 int rc;
3317
3318 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3319 return -EOPNOTSUPP;
3320
3321 if (!value || !size)
3322 return -EACCES;
3323
3324 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3325 if (rc)
3326 return rc;
3327
3328 spin_lock(&isec->lock);
3329 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3330 isec->sid = newsid;
3331 isec->initialized = LABEL_INITIALIZED;
3332 spin_unlock(&isec->lock);
3333 return 0;
3334 }
3335
3336 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3337 {
3338 const int len = sizeof(XATTR_NAME_SELINUX);
3339 if (buffer && len <= buffer_size)
3340 memcpy(buffer, XATTR_NAME_SELINUX, len);
3341 return len;
3342 }
3343
3344 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3345 {
3346 struct inode_security_struct *isec = inode_security_novalidate(inode);
3347 *secid = isec->sid;
3348 }
3349
3350 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3351 {
3352 u32 sid;
3353 struct task_security_struct *tsec;
3354 struct cred *new_creds = *new;
3355
3356 if (new_creds == NULL) {
3357 new_creds = prepare_creds();
3358 if (!new_creds)
3359 return -ENOMEM;
3360 }
3361
3362 tsec = selinux_cred(new_creds);
3363 /* Get label from overlay inode and set it in create_sid */
3364 selinux_inode_getsecid(d_inode(src), &sid);
3365 tsec->create_sid = sid;
3366 *new = new_creds;
3367 return 0;
3368 }
3369
3370 static int selinux_inode_copy_up_xattr(const char *name)
3371 {
3372 /* The copy_up hook above sets the initial context on an inode, but we
3373 * don't then want to overwrite it by blindly copying all the lower
3374 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3375 */
3376 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3377 return 1; /* Discard */
3378 /*
3379 * Any other attribute apart from SELINUX is not claimed, supported
3380 * by selinux.
3381 */
3382 return -EOPNOTSUPP;
3383 }
3384
3385 /* file security operations */
3386
3387 static int selinux_revalidate_file_permission(struct file *file, int mask)
3388 {
3389 const struct cred *cred = current_cred();
3390 struct inode *inode = file_inode(file);
3391
3392 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3393 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3394 mask |= MAY_APPEND;
3395
3396 return file_has_perm(cred, file,
3397 file_mask_to_av(inode->i_mode, mask));
3398 }
3399
3400 static int selinux_file_permission(struct file *file, int mask)
3401 {
3402 struct inode *inode = file_inode(file);
3403 struct file_security_struct *fsec = selinux_file(file);
3404 struct inode_security_struct *isec;
3405 u32 sid = current_sid();
3406
3407 if (!mask)
3408 /* No permission to check. Existence test. */
3409 return 0;
3410
3411 isec = inode_security(inode);
3412 if (sid == fsec->sid && fsec->isid == isec->sid &&
3413 fsec->pseqno == avc_policy_seqno())
3414 /* No change since file_open check. */
3415 return 0;
3416
3417 return selinux_revalidate_file_permission(file, mask);
3418 }
3419
3420 static int selinux_file_alloc_security(struct file *file)
3421 {
3422 return file_alloc_security(file);
3423 }
3424
3425 /*
3426 * Check whether a task has the ioctl permission and cmd
3427 * operation to an inode.
3428 */
3429 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3430 u32 requested, u16 cmd)
3431 {
3432 struct common_audit_data ad;
3433 struct file_security_struct *fsec = selinux_file(file);
3434 struct inode *inode = file_inode(file);
3435 struct inode_security_struct *isec;
3436 struct lsm_ioctlop_audit ioctl;
3437 u32 ssid = cred_sid(cred);
3438 int rc;
3439 u8 driver = cmd >> 8;
3440 u8 xperm = cmd & 0xff;
3441
3442 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3443 ad.u.op = &ioctl;
3444 ad.u.op->cmd = cmd;
3445 ad.u.op->path = file->f_path;
3446
3447 if (ssid != fsec->sid) {
3448 rc = avc_has_perm(ssid, fsec->sid,
3449 SECCLASS_FD,
3450 FD__USE,
3451 &ad);
3452 if (rc)
3453 goto out;
3454 }
3455
3456 if (unlikely(IS_PRIVATE(inode)))
3457 return 0;
3458
3459 isec = inode_security(inode);
3460 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3461 requested, driver, xperm, &ad);
3462 out:
3463 return rc;
3464 }
3465
3466 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3467 unsigned long arg)
3468 {
3469 const struct cred *cred = current_cred();
3470 int error = 0;
3471
3472 switch (cmd) {
3473 case FIONREAD:
3474 /* fall through */
3475 case FIBMAP:
3476 /* fall through */
3477 case FIGETBSZ:
3478 /* fall through */
3479 case FS_IOC_GETFLAGS:
3480 /* fall through */
3481 case FS_IOC_GETVERSION:
3482 error = file_has_perm(cred, file, FILE__GETATTR);
3483 break;
3484
3485 case FS_IOC_SETFLAGS:
3486 /* fall through */
3487 case FS_IOC_SETVERSION:
3488 error = file_has_perm(cred, file, FILE__SETATTR);
3489 break;
3490
3491 /* sys_ioctl() checks */
3492 case FIONBIO:
3493 /* fall through */
3494 case FIOASYNC:
3495 error = file_has_perm(cred, file, 0);
3496 break;
3497
3498 case KDSKBENT:
3499 case KDSKBSENT:
3500 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3501 SECURITY_CAP_AUDIT, true);
3502 break;
3503
3504 /* default case assumes that the command will go
3505 * to the file's ioctl() function.
3506 */
3507 default:
3508 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3509 }
3510 return error;
3511 }
3512
3513 static int default_noexec;
3514
3515 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3516 {
3517 const struct cred *cred = current_cred();
3518 u32 sid = cred_sid(cred);
3519 int rc = 0;
3520
3521 if (default_noexec &&
3522 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3523 (!shared && (prot & PROT_WRITE)))) {
3524 /*
3525 * We are making executable an anonymous mapping or a
3526 * private file mapping that will also be writable.
3527 * This has an additional check.
3528 */
3529 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3530 PROCESS__EXECMEM, NULL);
3531 if (rc)
3532 goto error;
3533 }
3534
3535 if (file) {
3536 /* read access is always possible with a mapping */
3537 u32 av = FILE__READ;
3538
3539 /* write access only matters if the mapping is shared */
3540 if (shared && (prot & PROT_WRITE))
3541 av |= FILE__WRITE;
3542
3543 if (prot & PROT_EXEC)
3544 av |= FILE__EXECUTE;
3545
3546 return file_has_perm(cred, file, av);
3547 }
3548
3549 error:
3550 return rc;
3551 }
3552
3553 static int selinux_mmap_addr(unsigned long addr)
3554 {
3555 int rc = 0;
3556
3557 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3558 u32 sid = current_sid();
3559 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3560 MEMPROTECT__MMAP_ZERO, NULL);
3561 }
3562
3563 return rc;
3564 }
3565
3566 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3567 unsigned long prot, unsigned long flags)
3568 {
3569 struct common_audit_data ad;
3570 int rc;
3571
3572 if (file) {
3573 ad.type = LSM_AUDIT_DATA_FILE;
3574 ad.u.file = file;
3575 rc = inode_has_perm(current_cred(), file_inode(file),
3576 FILE__MAP, &ad);
3577 if (rc)
3578 return rc;
3579 }
3580
3581 if (selinux_checkreqprot)
3582 prot = reqprot;
3583
3584 return file_map_prot_check(file, prot,
3585 (flags & MAP_TYPE) == MAP_SHARED);
3586 }
3587
3588 static int selinux_file_mprotect(struct vm_area_struct *vma,
3589 unsigned long reqprot,
3590 unsigned long prot)
3591 {
3592 const struct cred *cred = current_cred();
3593 u32 sid = cred_sid(cred);
3594
3595 if (selinux_checkreqprot)
3596 prot = reqprot;
3597
3598 if (default_noexec &&
3599 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3600 int rc = 0;
3601 if (vma->vm_start >= vma->vm_mm->start_brk &&
3602 vma->vm_end <= vma->vm_mm->brk) {
3603 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3604 PROCESS__EXECHEAP, NULL);
3605 } else if (!vma->vm_file &&
3606 ((vma->vm_start <= vma->vm_mm->start_stack &&
3607 vma->vm_end >= vma->vm_mm->start_stack) ||
3608 vma_is_stack_for_current(vma))) {
3609 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3610 PROCESS__EXECSTACK, NULL);
3611 } else if (vma->vm_file && vma->anon_vma) {
3612 /*
3613 * We are making executable a file mapping that has
3614 * had some COW done. Since pages might have been
3615 * written, check ability to execute the possibly
3616 * modified content. This typically should only
3617 * occur for text relocations.
3618 */
3619 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3620 }
3621 if (rc)
3622 return rc;
3623 }
3624
3625 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3626 }
3627
3628 static int selinux_file_lock(struct file *file, unsigned int cmd)
3629 {
3630 const struct cred *cred = current_cred();
3631
3632 return file_has_perm(cred, file, FILE__LOCK);
3633 }
3634
3635 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3636 unsigned long arg)
3637 {
3638 const struct cred *cred = current_cred();
3639 int err = 0;
3640
3641 switch (cmd) {
3642 case F_SETFL:
3643 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3644 err = file_has_perm(cred, file, FILE__WRITE);
3645 break;
3646 }
3647 /* fall through */
3648 case F_SETOWN:
3649 case F_SETSIG:
3650 case F_GETFL:
3651 case F_GETOWN:
3652 case F_GETSIG:
3653 case F_GETOWNER_UIDS:
3654 /* Just check FD__USE permission */
3655 err = file_has_perm(cred, file, 0);
3656 break;
3657 case F_GETLK:
3658 case F_SETLK:
3659 case F_SETLKW:
3660 case F_OFD_GETLK:
3661 case F_OFD_SETLK:
3662 case F_OFD_SETLKW:
3663 #if BITS_PER_LONG == 32
3664 case F_GETLK64:
3665 case F_SETLK64:
3666 case F_SETLKW64:
3667 #endif
3668 err = file_has_perm(cred, file, FILE__LOCK);
3669 break;
3670 }
3671
3672 return err;
3673 }
3674
3675 static void selinux_file_set_fowner(struct file *file)
3676 {
3677 struct file_security_struct *fsec;
3678
3679 fsec = selinux_file(file);
3680 fsec->fown_sid = current_sid();
3681 }
3682
3683 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3684 struct fown_struct *fown, int signum)
3685 {
3686 struct file *file;
3687 u32 sid = task_sid(tsk);
3688 u32 perm;
3689 struct file_security_struct *fsec;
3690
3691 /* struct fown_struct is never outside the context of a struct file */
3692 file = container_of(fown, struct file, f_owner);
3693
3694 fsec = selinux_file(file);
3695
3696 if (!signum)
3697 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3698 else
3699 perm = signal_to_av(signum);
3700
3701 return avc_has_perm(fsec->fown_sid, sid,
3702 SECCLASS_PROCESS, perm, NULL);
3703 }
3704
3705 static int selinux_file_receive(struct file *file)
3706 {
3707 const struct cred *cred = current_cred();
3708
3709 return file_has_perm(cred, file, file_to_av(file));
3710 }
3711
3712 static int selinux_file_open(struct file *file, const struct cred *cred)
3713 {
3714 struct file_security_struct *fsec;
3715 struct inode_security_struct *isec;
3716
3717 fsec = selinux_file(file);
3718 isec = inode_security(file_inode(file));
3719 /*
3720 * Save inode label and policy sequence number
3721 * at open-time so that selinux_file_permission
3722 * can determine whether revalidation is necessary.
3723 * Task label is already saved in the file security
3724 * struct as its SID.
3725 */
3726 fsec->isid = isec->sid;
3727 fsec->pseqno = avc_policy_seqno();
3728 /*
3729 * Since the inode label or policy seqno may have changed
3730 * between the selinux_inode_permission check and the saving
3731 * of state above, recheck that access is still permitted.
3732 * Otherwise, access might never be revalidated against the
3733 * new inode label or new policy.
3734 * This check is not redundant - do not remove.
3735 */
3736 return file_path_has_perm(cred, file, open_file_to_av(file));
3737 }
3738
3739 /* task security operations */
3740
3741 static int selinux_task_alloc(struct task_struct *task,
3742 unsigned long clone_flags)
3743 {
3744 u32 sid = current_sid();
3745
3746 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3747 }
3748
3749 /*
3750 * prepare a new set of credentials for modification
3751 */
3752 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3753 gfp_t gfp)
3754 {
3755 const struct task_security_struct *old_tsec = selinux_cred(old);
3756 struct task_security_struct *tsec = selinux_cred(new);
3757
3758 *tsec = *old_tsec;
3759
3760 return 0;
3761 }
3762
3763 /*
3764 * transfer the SELinux data to a blank set of creds
3765 */
3766 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3767 {
3768 const struct task_security_struct *old_tsec = selinux_cred(old);
3769 struct task_security_struct *tsec = selinux_cred(new);
3770
3771 *tsec = *old_tsec;
3772 }
3773
3774 /*
3775 * set the security data for a kernel service
3776 * - all the creation contexts are set to unlabelled
3777 */
3778 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3779 {
3780 struct task_security_struct *tsec = selinux_cred(new);
3781 u32 sid = current_sid();
3782 int ret;
3783
3784 ret = avc_has_perm(sid, secid,
3785 SECCLASS_KERNEL_SERVICE,
3786 KERNEL_SERVICE__USE_AS_OVERRIDE,
3787 NULL);
3788 if (ret == 0) {
3789 tsec->sid = secid;
3790 tsec->create_sid = 0;
3791 tsec->keycreate_sid = 0;
3792 tsec->sockcreate_sid = 0;
3793 }
3794 return ret;
3795 }
3796
3797 /*
3798 * set the file creation context in a security record to the same as the
3799 * objective context of the specified inode
3800 */
3801 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3802 {
3803 struct inode_security_struct *isec = inode_security(inode);
3804 struct task_security_struct *tsec = selinux_cred(new);
3805 u32 sid = current_sid();
3806 int ret;
3807
3808 ret = avc_has_perm(sid, isec->sid,
3809 SECCLASS_KERNEL_SERVICE,
3810 KERNEL_SERVICE__CREATE_FILES_AS,
3811 NULL);
3812
3813 if (ret == 0)
3814 tsec->create_sid = isec->sid;
3815 return ret;
3816 }
3817
3818 static int selinux_kernel_module_request(char *kmod_name)
3819 {
3820 struct common_audit_data ad;
3821
3822 ad.type = LSM_AUDIT_DATA_KMOD;
3823 ad.u.kmod_name = kmod_name;
3824
3825 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3826 SYSTEM__MODULE_REQUEST, &ad);
3827 }
3828
3829 static int selinux_kernel_module_from_file(struct file *file)
3830 {
3831 struct common_audit_data ad;
3832 struct inode_security_struct *isec;
3833 struct file_security_struct *fsec;
3834 u32 sid = current_sid();
3835 int rc;
3836
3837 /* init_module */
3838 if (file == NULL)
3839 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3840 SYSTEM__MODULE_LOAD, NULL);
3841
3842 /* finit_module */
3843
3844 ad.type = LSM_AUDIT_DATA_FILE;
3845 ad.u.file = file;
3846
3847 fsec = selinux_file(file);
3848 if (sid != fsec->sid) {
3849 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3850 if (rc)
3851 return rc;
3852 }
3853
3854 isec = inode_security(file_inode(file));
3855 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3856 SYSTEM__MODULE_LOAD, &ad);
3857 }
3858
3859 static int selinux_kernel_read_file(struct file *file,
3860 enum kernel_read_file_id id)
3861 {
3862 int rc = 0;
3863
3864 switch (id) {
3865 case READING_MODULE:
3866 rc = selinux_kernel_module_from_file(file);
3867 break;
3868 default:
3869 break;
3870 }
3871
3872 return rc;
3873 }
3874
3875 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3876 {
3877 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3878 PROCESS__SETPGID, NULL);
3879 }
3880
3881 static int selinux_task_getpgid(struct task_struct *p)
3882 {
3883 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3884 PROCESS__GETPGID, NULL);
3885 }
3886
3887 static int selinux_task_getsid(struct task_struct *p)
3888 {
3889 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3890 PROCESS__GETSESSION, NULL);
3891 }
3892
3893 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3894 {
3895 *secid = task_sid(p);
3896 }
3897
3898 static int selinux_task_setnice(struct task_struct *p, int nice)
3899 {
3900 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3901 PROCESS__SETSCHED, NULL);
3902 }
3903
3904 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3905 {
3906 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3907 PROCESS__SETSCHED, NULL);
3908 }
3909
3910 static int selinux_task_getioprio(struct task_struct *p)
3911 {
3912 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3913 PROCESS__GETSCHED, NULL);
3914 }
3915
3916 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3917 unsigned int flags)
3918 {
3919 u32 av = 0;
3920
3921 if (!flags)
3922 return 0;
3923 if (flags & LSM_PRLIMIT_WRITE)
3924 av |= PROCESS__SETRLIMIT;
3925 if (flags & LSM_PRLIMIT_READ)
3926 av |= PROCESS__GETRLIMIT;
3927 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
3928 SECCLASS_PROCESS, av, NULL);
3929 }
3930
3931 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3932 struct rlimit *new_rlim)
3933 {
3934 struct rlimit *old_rlim = p->signal->rlim + resource;
3935
3936 /* Control the ability to change the hard limit (whether
3937 lowering or raising it), so that the hard limit can
3938 later be used as a safe reset point for the soft limit
3939 upon context transitions. See selinux_bprm_committing_creds. */
3940 if (old_rlim->rlim_max != new_rlim->rlim_max)
3941 return avc_has_perm(current_sid(), task_sid(p),
3942 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
3943
3944 return 0;
3945 }
3946
3947 static int selinux_task_setscheduler(struct task_struct *p)
3948 {
3949 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3950 PROCESS__SETSCHED, NULL);
3951 }
3952
3953 static int selinux_task_getscheduler(struct task_struct *p)
3954 {
3955 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3956 PROCESS__GETSCHED, NULL);
3957 }
3958
3959 static int selinux_task_movememory(struct task_struct *p)
3960 {
3961 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3962 PROCESS__SETSCHED, NULL);
3963 }
3964
3965 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3966 int sig, u32 secid)
3967 {
3968 u32 perm;
3969
3970 if (!sig)
3971 perm = PROCESS__SIGNULL; /* null signal; existence test */
3972 else
3973 perm = signal_to_av(sig);
3974 if (!secid)
3975 secid = current_sid();
3976 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
3977 }
3978
3979 static void selinux_task_to_inode(struct task_struct *p,
3980 struct inode *inode)
3981 {
3982 struct inode_security_struct *isec = selinux_inode(inode);
3983 u32 sid = task_sid(p);
3984
3985 spin_lock(&isec->lock);
3986 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3987 isec->sid = sid;
3988 isec->initialized = LABEL_INITIALIZED;
3989 spin_unlock(&isec->lock);
3990 }
3991
3992 /* Returns error only if unable to parse addresses */
3993 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3994 struct common_audit_data *ad, u8 *proto)
3995 {
3996 int offset, ihlen, ret = -EINVAL;
3997 struct iphdr _iph, *ih;
3998
3999 offset = skb_network_offset(skb);
4000 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4001 if (ih == NULL)
4002 goto out;
4003
4004 ihlen = ih->ihl * 4;
4005 if (ihlen < sizeof(_iph))
4006 goto out;
4007
4008 ad->u.net->v4info.saddr = ih->saddr;
4009 ad->u.net->v4info.daddr = ih->daddr;
4010 ret = 0;
4011
4012 if (proto)
4013 *proto = ih->protocol;
4014
4015 switch (ih->protocol) {
4016 case IPPROTO_TCP: {
4017 struct tcphdr _tcph, *th;
4018
4019 if (ntohs(ih->frag_off) & IP_OFFSET)
4020 break;
4021
4022 offset += ihlen;
4023 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4024 if (th == NULL)
4025 break;
4026
4027 ad->u.net->sport = th->source;
4028 ad->u.net->dport = th->dest;
4029 break;
4030 }
4031
4032 case IPPROTO_UDP: {
4033 struct udphdr _udph, *uh;
4034
4035 if (ntohs(ih->frag_off) & IP_OFFSET)
4036 break;
4037
4038 offset += ihlen;
4039 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4040 if (uh == NULL)
4041 break;
4042
4043 ad->u.net->sport = uh->source;
4044 ad->u.net->dport = uh->dest;
4045 break;
4046 }
4047
4048 case IPPROTO_DCCP: {
4049 struct dccp_hdr _dccph, *dh;
4050
4051 if (ntohs(ih->frag_off) & IP_OFFSET)
4052 break;
4053
4054 offset += ihlen;
4055 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4056 if (dh == NULL)
4057 break;
4058
4059 ad->u.net->sport = dh->dccph_sport;
4060 ad->u.net->dport = dh->dccph_dport;
4061 break;
4062 }
4063
4064 default:
4065 break;
4066 }
4067 out:
4068 return ret;
4069 }
4070
4071 #if IS_ENABLED(CONFIG_IPV6)
4072
4073 /* Returns error only if unable to parse addresses */
4074 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4075 struct common_audit_data *ad, u8 *proto)
4076 {
4077 u8 nexthdr;
4078 int ret = -EINVAL, offset;
4079 struct ipv6hdr _ipv6h, *ip6;
4080 __be16 frag_off;
4081
4082 offset = skb_network_offset(skb);
4083 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4084 if (ip6 == NULL)
4085 goto out;
4086
4087 ad->u.net->v6info.saddr = ip6->saddr;
4088 ad->u.net->v6info.daddr = ip6->daddr;
4089 ret = 0;
4090
4091 nexthdr = ip6->nexthdr;
4092 offset += sizeof(_ipv6h);
4093 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4094 if (offset < 0)
4095 goto out;
4096
4097 if (proto)
4098 *proto = nexthdr;
4099
4100 switch (nexthdr) {
4101 case IPPROTO_TCP: {
4102 struct tcphdr _tcph, *th;
4103
4104 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4105 if (th == NULL)
4106 break;
4107
4108 ad->u.net->sport = th->source;
4109 ad->u.net->dport = th->dest;
4110 break;
4111 }
4112
4113 case IPPROTO_UDP: {
4114 struct udphdr _udph, *uh;
4115
4116 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4117 if (uh == NULL)
4118 break;
4119
4120 ad->u.net->sport = uh->source;
4121 ad->u.net->dport = uh->dest;
4122 break;
4123 }
4124
4125 case IPPROTO_DCCP: {
4126 struct dccp_hdr _dccph, *dh;
4127
4128 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4129 if (dh == NULL)
4130 break;
4131
4132 ad->u.net->sport = dh->dccph_sport;
4133 ad->u.net->dport = dh->dccph_dport;
4134 break;
4135 }
4136
4137 /* includes fragments */
4138 default:
4139 break;
4140 }
4141 out:
4142 return ret;
4143 }
4144
4145 #endif /* IPV6 */
4146
4147 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4148 char **_addrp, int src, u8 *proto)
4149 {
4150 char *addrp;
4151 int ret;
4152
4153 switch (ad->u.net->family) {
4154 case PF_INET:
4155 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4156 if (ret)
4157 goto parse_error;
4158 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4159 &ad->u.net->v4info.daddr);
4160 goto okay;
4161
4162 #if IS_ENABLED(CONFIG_IPV6)
4163 case PF_INET6:
4164 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4165 if (ret)
4166 goto parse_error;
4167 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4168 &ad->u.net->v6info.daddr);
4169 goto okay;
4170 #endif /* IPV6 */
4171 default:
4172 addrp = NULL;
4173 goto okay;
4174 }
4175
4176 parse_error:
4177 printk(KERN_WARNING
4178 "SELinux: failure in selinux_parse_skb(),"
4179 " unable to parse packet\n");
4180 return ret;
4181
4182 okay:
4183 if (_addrp)
4184 *_addrp = addrp;
4185 return 0;
4186 }
4187
4188 /**
4189 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4190 * @skb: the packet
4191 * @family: protocol family
4192 * @sid: the packet's peer label SID
4193 *
4194 * Description:
4195 * Check the various different forms of network peer labeling and determine
4196 * the peer label/SID for the packet; most of the magic actually occurs in
4197 * the security server function security_net_peersid_cmp(). The function
4198 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4199 * or -EACCES if @sid is invalid due to inconsistencies with the different
4200 * peer labels.
4201 *
4202 */
4203 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4204 {
4205 int err;
4206 u32 xfrm_sid;
4207 u32 nlbl_sid;
4208 u32 nlbl_type;
4209
4210 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4211 if (unlikely(err))
4212 return -EACCES;
4213 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4214 if (unlikely(err))
4215 return -EACCES;
4216
4217 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4218 if (unlikely(err)) {
4219 printk(KERN_WARNING
4220 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4221 " unable to determine packet's peer label\n");
4222 return -EACCES;
4223 }
4224
4225 return 0;
4226 }
4227
4228 /**
4229 * selinux_conn_sid - Determine the child socket label for a connection
4230 * @sk_sid: the parent socket's SID
4231 * @skb_sid: the packet's SID
4232 * @conn_sid: the resulting connection SID
4233 *
4234 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4235 * combined with the MLS information from @skb_sid in order to create
4236 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4237 * of @sk_sid. Returns zero on success, negative values on failure.
4238 *
4239 */
4240 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4241 {
4242 int err = 0;
4243
4244 if (skb_sid != SECSID_NULL)
4245 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4246 else
4247 *conn_sid = sk_sid;
4248
4249 return err;
4250 }
4251
4252 /* socket security operations */
4253
4254 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4255 u16 secclass, u32 *socksid)
4256 {
4257 if (tsec->sockcreate_sid > SECSID_NULL) {
4258 *socksid = tsec->sockcreate_sid;
4259 return 0;
4260 }
4261
4262 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4263 socksid);
4264 }
4265
4266 static int sock_has_perm(struct sock *sk, u32 perms)
4267 {
4268 struct sk_security_struct *sksec = selinux_sock(sk);
4269 struct common_audit_data ad;
4270 struct lsm_network_audit net = {0,};
4271
4272 if (sksec->sid == SECINITSID_KERNEL)
4273 return 0;
4274
4275 ad.type = LSM_AUDIT_DATA_NET;
4276 ad.u.net = &net;
4277 ad.u.net->sk = sk;
4278
4279 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4280 &ad);
4281 }
4282
4283 static int selinux_socket_create(int family, int type,
4284 int protocol, int kern)
4285 {
4286 const struct task_security_struct *tsec = selinux_cred(current_cred());
4287 u32 newsid;
4288 u16 secclass;
4289 int rc;
4290
4291 if (kern)
4292 return 0;
4293
4294 secclass = socket_type_to_security_class(family, type, protocol);
4295 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4296 if (rc)
4297 return rc;
4298
4299 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4300 }
4301
4302 static int selinux_socket_post_create(struct socket *sock, int family,
4303 int type, int protocol, int kern)
4304 {
4305 const struct task_security_struct *tsec = selinux_cred(current_cred());
4306 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4307 struct sk_security_struct *sksec;
4308 u16 sclass = socket_type_to_security_class(family, type, protocol);
4309 u32 sid = SECINITSID_KERNEL;
4310 int err = 0;
4311
4312 if (!kern) {
4313 err = socket_sockcreate_sid(tsec, sclass, &sid);
4314 if (err)
4315 return err;
4316 }
4317
4318 isec->sclass = sclass;
4319 isec->sid = sid;
4320 isec->initialized = LABEL_INITIALIZED;
4321
4322 if (sock->sk) {
4323 sksec = selinux_sock(sock->sk);
4324 sksec->sclass = sclass;
4325 sksec->sid = sid;
4326 err = selinux_netlbl_socket_post_create(sock->sk, family);
4327 }
4328
4329 return err;
4330 }
4331
4332 /* Range of port numbers used to automatically bind.
4333 Need to determine whether we should perform a name_bind
4334 permission check between the socket and the port number. */
4335
4336 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4337 {
4338 struct sock *sk = sock->sk;
4339 u16 family;
4340 int err;
4341
4342 err = sock_has_perm(sk, SOCKET__BIND);
4343 if (err)
4344 goto out;
4345
4346 /*
4347 * If PF_INET or PF_INET6, check name_bind permission for the port.
4348 * Multiple address binding for SCTP is not supported yet: we just
4349 * check the first address now.
4350 */
4351 family = sk->sk_family;
4352 if (family == PF_INET || family == PF_INET6) {
4353 char *addrp;
4354 struct sk_security_struct *sksec = selinux_sock(sk);
4355 struct common_audit_data ad;
4356 struct lsm_network_audit net = {0,};
4357 struct sockaddr_in *addr4 = NULL;
4358 struct sockaddr_in6 *addr6 = NULL;
4359 unsigned short snum;
4360 u32 sid, node_perm;
4361
4362 if (family == PF_INET) {
4363 if (addrlen < sizeof(struct sockaddr_in)) {
4364 err = -EINVAL;
4365 goto out;
4366 }
4367 addr4 = (struct sockaddr_in *)address;
4368 snum = ntohs(addr4->sin_port);
4369 addrp = (char *)&addr4->sin_addr.s_addr;
4370 } else {
4371 if (addrlen < SIN6_LEN_RFC2133) {
4372 err = -EINVAL;
4373 goto out;
4374 }
4375 addr6 = (struct sockaddr_in6 *)address;
4376 snum = ntohs(addr6->sin6_port);
4377 addrp = (char *)&addr6->sin6_addr.s6_addr;
4378 }
4379
4380 if (snum) {
4381 int low, high;
4382
4383 inet_get_local_port_range(sock_net(sk), &low, &high);
4384
4385 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4386 snum > high) {
4387 err = sel_netport_sid(sk->sk_protocol,
4388 snum, &sid);
4389 if (err)
4390 goto out;
4391 ad.type = LSM_AUDIT_DATA_NET;
4392 ad.u.net = &net;
4393 ad.u.net->sport = htons(snum);
4394 ad.u.net->family = family;
4395 err = avc_has_perm(sksec->sid, sid,
4396 sksec->sclass,
4397 SOCKET__NAME_BIND, &ad);
4398 if (err)
4399 goto out;
4400 }
4401 }
4402
4403 switch (sksec->sclass) {
4404 case SECCLASS_TCP_SOCKET:
4405 node_perm = TCP_SOCKET__NODE_BIND;
4406 break;
4407
4408 case SECCLASS_UDP_SOCKET:
4409 node_perm = UDP_SOCKET__NODE_BIND;
4410 break;
4411
4412 case SECCLASS_DCCP_SOCKET:
4413 node_perm = DCCP_SOCKET__NODE_BIND;
4414 break;
4415
4416 default:
4417 node_perm = RAWIP_SOCKET__NODE_BIND;
4418 break;
4419 }
4420
4421 err = sel_netnode_sid(addrp, family, &sid);
4422 if (err)
4423 goto out;
4424
4425 ad.type = LSM_AUDIT_DATA_NET;
4426 ad.u.net = &net;
4427 ad.u.net->sport = htons(snum);
4428 ad.u.net->family = family;
4429
4430 if (family == PF_INET)
4431 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4432 else
4433 ad.u.net->v6info.saddr = addr6->sin6_addr;
4434
4435 err = avc_has_perm(sksec->sid, sid,
4436 sksec->sclass, node_perm, &ad);
4437 if (err)
4438 goto out;
4439 }
4440 out:
4441 return err;
4442 }
4443
4444 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4445 {
4446 struct sock *sk = sock->sk;
4447 struct sk_security_struct *sksec = selinux_sock(sk);
4448 int err;
4449
4450 err = sock_has_perm(sk, SOCKET__CONNECT);
4451 if (err)
4452 return err;
4453
4454 /*
4455 * If a TCP or DCCP socket, check name_connect permission for the port.
4456 */
4457 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4458 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4459 struct common_audit_data ad;
4460 struct lsm_network_audit net = {0,};
4461 struct sockaddr_in *addr4 = NULL;
4462 struct sockaddr_in6 *addr6 = NULL;
4463 unsigned short snum;
4464 u32 sid, perm;
4465
4466 if (sk->sk_family == PF_INET) {
4467 addr4 = (struct sockaddr_in *)address;
4468 if (addrlen < sizeof(struct sockaddr_in))
4469 return -EINVAL;
4470 snum = ntohs(addr4->sin_port);
4471 } else {
4472 addr6 = (struct sockaddr_in6 *)address;
4473 if (addrlen < SIN6_LEN_RFC2133)
4474 return -EINVAL;
4475 snum = ntohs(addr6->sin6_port);
4476 }
4477
4478 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4479 if (err)
4480 goto out;
4481
4482 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4483 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4484
4485 ad.type = LSM_AUDIT_DATA_NET;
4486 ad.u.net = &net;
4487 ad.u.net->dport = htons(snum);
4488 ad.u.net->family = sk->sk_family;
4489 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4490 if (err)
4491 goto out;
4492 }
4493
4494 err = selinux_netlbl_socket_connect(sk, address);
4495
4496 out:
4497 return err;
4498 }
4499
4500 static int selinux_socket_listen(struct socket *sock, int backlog)
4501 {
4502 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4503 }
4504
4505 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4506 {
4507 int err;
4508 struct inode_security_struct *isec;
4509 struct inode_security_struct *newisec;
4510 u16 sclass;
4511 u32 sid;
4512
4513 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4514 if (err)
4515 return err;
4516
4517 isec = inode_security_novalidate(SOCK_INODE(sock));
4518 spin_lock(&isec->lock);
4519 sclass = isec->sclass;
4520 sid = isec->sid;
4521 spin_unlock(&isec->lock);
4522
4523 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4524 newisec->sclass = sclass;
4525 newisec->sid = sid;
4526 newisec->initialized = LABEL_INITIALIZED;
4527
4528 return 0;
4529 }
4530
4531 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4532 int size)
4533 {
4534 return sock_has_perm(sock->sk, SOCKET__WRITE);
4535 }
4536
4537 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4538 int size, int flags)
4539 {
4540 return sock_has_perm(sock->sk, SOCKET__READ);
4541 }
4542
4543 static int selinux_socket_getsockname(struct socket *sock)
4544 {
4545 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4546 }
4547
4548 static int selinux_socket_getpeername(struct socket *sock)
4549 {
4550 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4551 }
4552
4553 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4554 {
4555 int err;
4556
4557 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4558 if (err)
4559 return err;
4560
4561 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4562 }
4563
4564 static int selinux_socket_getsockopt(struct socket *sock, int level,
4565 int optname)
4566 {
4567 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4568 }
4569
4570 static int selinux_socket_shutdown(struct socket *sock, int how)
4571 {
4572 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4573 }
4574
4575 static int selinux_socket_unix_stream_connect(struct sock *sock,
4576 struct sock *other,
4577 struct sock *newsk)
4578 {
4579 struct sk_security_struct *sksec_sock = selinux_sock(sock);
4580 struct sk_security_struct *sksec_other = selinux_sock(other);
4581 struct sk_security_struct *sksec_new = selinux_sock(newsk);
4582 struct common_audit_data ad;
4583 struct lsm_network_audit net = {0,};
4584 int err;
4585
4586 ad.type = LSM_AUDIT_DATA_NET;
4587 ad.u.net = &net;
4588 ad.u.net->sk = other;
4589
4590 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4591 sksec_other->sclass,
4592 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4593 if (err)
4594 return err;
4595
4596 /* server child socket */
4597 sksec_new->peer_sid = sksec_sock->sid;
4598 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4599 &sksec_new->sid);
4600 if (err)
4601 return err;
4602
4603 /* connecting socket */
4604 sksec_sock->peer_sid = sksec_new->sid;
4605
4606 return 0;
4607 }
4608
4609 static int selinux_socket_unix_may_send(struct socket *sock,
4610 struct socket *other)
4611 {
4612 struct sk_security_struct *ssec = selinux_sock(sock->sk);
4613 struct sk_security_struct *osec = selinux_sock(other->sk);
4614 struct common_audit_data ad;
4615 struct lsm_network_audit net = {0,};
4616
4617 ad.type = LSM_AUDIT_DATA_NET;
4618 ad.u.net = &net;
4619 ad.u.net->sk = other->sk;
4620
4621 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4622 &ad);
4623 }
4624
4625 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4626 char *addrp, u16 family, u32 peer_sid,
4627 struct common_audit_data *ad)
4628 {
4629 int err;
4630 u32 if_sid;
4631 u32 node_sid;
4632
4633 err = sel_netif_sid(ns, ifindex, &if_sid);
4634 if (err)
4635 return err;
4636 err = avc_has_perm(peer_sid, if_sid,
4637 SECCLASS_NETIF, NETIF__INGRESS, ad);
4638 if (err)
4639 return err;
4640
4641 err = sel_netnode_sid(addrp, family, &node_sid);
4642 if (err)
4643 return err;
4644 return avc_has_perm(peer_sid, node_sid,
4645 SECCLASS_NODE, NODE__RECVFROM, ad);
4646 }
4647
4648 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4649 u16 family)
4650 {
4651 int err = 0;
4652 struct sk_security_struct *sksec = selinux_sock(sk);
4653 u32 sk_sid = sksec->sid;
4654 struct common_audit_data ad;
4655 struct lsm_network_audit net = {0,};
4656 char *addrp;
4657
4658 ad.type = LSM_AUDIT_DATA_NET;
4659 ad.u.net = &net;
4660 ad.u.net->netif = skb->skb_iif;
4661 ad.u.net->family = family;
4662 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4663 if (err)
4664 return err;
4665
4666 if (selinux_secmark_enabled()) {
4667 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4668 PACKET__RECV, &ad);
4669 if (err)
4670 return err;
4671 }
4672
4673 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4674 if (err)
4675 return err;
4676 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4677
4678 return err;
4679 }
4680
4681 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4682 {
4683 int err;
4684 struct sk_security_struct *sksec = selinux_sock(sk);
4685 u16 family = sk->sk_family;
4686 u32 sk_sid = sksec->sid;
4687 struct common_audit_data ad;
4688 struct lsm_network_audit net = {0,};
4689 char *addrp;
4690 u8 secmark_active;
4691 u8 peerlbl_active;
4692
4693 if (family != PF_INET && family != PF_INET6)
4694 return 0;
4695
4696 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4697 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4698 family = PF_INET;
4699
4700 /* If any sort of compatibility mode is enabled then handoff processing
4701 * to the selinux_sock_rcv_skb_compat() function to deal with the
4702 * special handling. We do this in an attempt to keep this function
4703 * as fast and as clean as possible. */
4704 if (!selinux_policycap_netpeer)
4705 return selinux_sock_rcv_skb_compat(sk, skb, family);
4706
4707 secmark_active = selinux_secmark_enabled();
4708 peerlbl_active = selinux_peerlbl_enabled();
4709 if (!secmark_active && !peerlbl_active)
4710 return 0;
4711
4712 ad.type = LSM_AUDIT_DATA_NET;
4713 ad.u.net = &net;
4714 ad.u.net->netif = skb->skb_iif;
4715 ad.u.net->family = family;
4716 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4717 if (err)
4718 return err;
4719
4720 if (peerlbl_active) {
4721 u32 peer_sid;
4722
4723 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4724 if (err)
4725 return err;
4726 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4727 addrp, family, peer_sid, &ad);
4728 if (err) {
4729 selinux_netlbl_err(skb, family, err, 0);
4730 return err;
4731 }
4732 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4733 PEER__RECV, &ad);
4734 if (err) {
4735 selinux_netlbl_err(skb, family, err, 0);
4736 return err;
4737 }
4738 }
4739
4740 if (secmark_active) {
4741 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4742 PACKET__RECV, &ad);
4743 if (err)
4744 return err;
4745 }
4746
4747 return err;
4748 }
4749
4750 static int selinux_socket_getpeersec_stream(struct socket *sock,
4751 __user char *optval,
4752 __user int *optlen,
4753 unsigned int len)
4754 {
4755 int err = 0;
4756 char *scontext;
4757 u32 scontext_len;
4758 struct sk_security_struct *sksec = selinux_sock(sock->sk);
4759 u32 peer_sid = SECSID_NULL;
4760
4761 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4762 sksec->sclass == SECCLASS_TCP_SOCKET)
4763 peer_sid = sksec->peer_sid;
4764 if (peer_sid == SECSID_NULL)
4765 return -ENOPROTOOPT;
4766
4767 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4768 if (err)
4769 return err;
4770
4771 if (scontext_len > len) {
4772 err = -ERANGE;
4773 goto out_len;
4774 }
4775
4776 if (copy_to_user(optval, scontext, scontext_len))
4777 err = -EFAULT;
4778
4779 out_len:
4780 if (put_user(scontext_len, optlen))
4781 err = -EFAULT;
4782 kfree(scontext);
4783 return err;
4784 }
4785
4786 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4787 {
4788 u32 peer_secid = SECSID_NULL;
4789 u16 family;
4790 struct inode_security_struct *isec;
4791
4792 if (skb && skb->protocol == htons(ETH_P_IP))
4793 family = PF_INET;
4794 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4795 family = PF_INET6;
4796 else if (sock)
4797 family = sock->sk->sk_family;
4798 else
4799 goto out;
4800
4801 if (sock && family == PF_UNIX) {
4802 isec = inode_security_novalidate(SOCK_INODE(sock));
4803 peer_secid = isec->sid;
4804 } else if (skb)
4805 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4806
4807 out:
4808 *secid = peer_secid;
4809 if (peer_secid == SECSID_NULL)
4810 return -EINVAL;
4811 return 0;
4812 }
4813
4814 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4815 {
4816 struct sk_security_struct *sksec = selinux_sock(sk);
4817
4818 sksec->peer_sid = SECINITSID_UNLABELED;
4819 sksec->sid = SECINITSID_UNLABELED;
4820 sksec->sclass = SECCLASS_SOCKET;
4821 selinux_netlbl_sk_security_reset(sksec);
4822
4823 return 0;
4824 }
4825
4826 static void selinux_sk_free_security(struct sock *sk)
4827 {
4828 struct sk_security_struct *sksec = selinux_sock(sk);
4829
4830 selinux_netlbl_sk_security_free(sksec);
4831 }
4832
4833 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4834 {
4835 struct sk_security_struct *sksec = selinux_sock(sk);
4836 struct sk_security_struct *newsksec = selinux_sock(newsk);
4837
4838 newsksec->sid = sksec->sid;
4839 newsksec->peer_sid = sksec->peer_sid;
4840 newsksec->sclass = sksec->sclass;
4841
4842 selinux_netlbl_sk_security_reset(newsksec);
4843 }
4844
4845 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4846 {
4847 if (!sk)
4848 *secid = SECINITSID_ANY_SOCKET;
4849 else {
4850 struct sk_security_struct *sksec = selinux_sock(sk);
4851
4852 *secid = sksec->sid;
4853 }
4854 }
4855
4856 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4857 {
4858 struct inode_security_struct *isec =
4859 inode_security_novalidate(SOCK_INODE(parent));
4860 struct sk_security_struct *sksec = selinux_sock(sk);
4861
4862 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4863 sk->sk_family == PF_UNIX)
4864 isec->sid = sksec->sid;
4865 sksec->sclass = isec->sclass;
4866 }
4867
4868 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4869 struct request_sock *req)
4870 {
4871 struct sk_security_struct *sksec = selinux_sock(sk);
4872 int err;
4873 u16 family = req->rsk_ops->family;
4874 u32 connsid;
4875 u32 peersid;
4876
4877 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4878 if (err)
4879 return err;
4880 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4881 if (err)
4882 return err;
4883 req->secid = connsid;
4884 req->peer_secid = peersid;
4885
4886 return selinux_netlbl_inet_conn_request(req, family);
4887 }
4888
4889 static void selinux_inet_csk_clone(struct sock *newsk,
4890 const struct request_sock *req)
4891 {
4892 struct sk_security_struct *newsksec = selinux_sock(newsk);
4893
4894 newsksec->sid = req->secid;
4895 newsksec->peer_sid = req->peer_secid;
4896 /* NOTE: Ideally, we should also get the isec->sid for the
4897 new socket in sync, but we don't have the isec available yet.
4898 So we will wait until sock_graft to do it, by which
4899 time it will have been created and available. */
4900
4901 /* We don't need to take any sort of lock here as we are the only
4902 * thread with access to newsksec */
4903 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4904 }
4905
4906 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4907 {
4908 u16 family = sk->sk_family;
4909 struct sk_security_struct *sksec = selinux_sock(sk);
4910
4911 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4912 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4913 family = PF_INET;
4914
4915 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4916 }
4917
4918 static int selinux_secmark_relabel_packet(u32 sid)
4919 {
4920 const struct task_security_struct *__tsec;
4921 u32 tsid;
4922
4923 __tsec = selinux_cred(current_cred());
4924 tsid = __tsec->sid;
4925
4926 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4927 }
4928
4929 static void selinux_secmark_refcount_inc(void)
4930 {
4931 atomic_inc(&selinux_secmark_refcount);
4932 }
4933
4934 static void selinux_secmark_refcount_dec(void)
4935 {
4936 atomic_dec(&selinux_secmark_refcount);
4937 }
4938
4939 static void selinux_req_classify_flow(const struct request_sock *req,
4940 struct flowi *fl)
4941 {
4942 fl->flowi_secid = req->secid;
4943 }
4944
4945 static int selinux_tun_dev_alloc_security(void **security)
4946 {
4947 struct tun_security_struct *tunsec;
4948
4949 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4950 if (!tunsec)
4951 return -ENOMEM;
4952 tunsec->sid = current_sid();
4953
4954 *security = tunsec;
4955 return 0;
4956 }
4957
4958 static void selinux_tun_dev_free_security(void *security)
4959 {
4960 kfree(security);
4961 }
4962
4963 static int selinux_tun_dev_create(void)
4964 {
4965 u32 sid = current_sid();
4966
4967 /* we aren't taking into account the "sockcreate" SID since the socket
4968 * that is being created here is not a socket in the traditional sense,
4969 * instead it is a private sock, accessible only to the kernel, and
4970 * representing a wide range of network traffic spanning multiple
4971 * connections unlike traditional sockets - check the TUN driver to
4972 * get a better understanding of why this socket is special */
4973
4974 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4975 NULL);
4976 }
4977
4978 static int selinux_tun_dev_attach_queue(void *security)
4979 {
4980 struct tun_security_struct *tunsec = security;
4981
4982 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4983 TUN_SOCKET__ATTACH_QUEUE, NULL);
4984 }
4985
4986 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4987 {
4988 struct tun_security_struct *tunsec = security;
4989 struct sk_security_struct *sksec = selinux_sock(sk);
4990
4991 /* we don't currently perform any NetLabel based labeling here and it
4992 * isn't clear that we would want to do so anyway; while we could apply
4993 * labeling without the support of the TUN user the resulting labeled
4994 * traffic from the other end of the connection would almost certainly
4995 * cause confusion to the TUN user that had no idea network labeling
4996 * protocols were being used */
4997
4998 sksec->sid = tunsec->sid;
4999 sksec->sclass = SECCLASS_TUN_SOCKET;
5000
5001 return 0;
5002 }
5003
5004 static int selinux_tun_dev_open(void *security)
5005 {
5006 struct tun_security_struct *tunsec = security;
5007 u32 sid = current_sid();
5008 int err;
5009
5010 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5011 TUN_SOCKET__RELABELFROM, NULL);
5012 if (err)
5013 return err;
5014 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5015 TUN_SOCKET__RELABELTO, NULL);
5016 if (err)
5017 return err;
5018 tunsec->sid = sid;
5019
5020 return 0;
5021 }
5022
5023 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5024 {
5025 int err = 0;
5026 u32 perm;
5027 struct nlmsghdr *nlh;
5028 struct sk_security_struct *sksec = selinux_sock(sk);
5029
5030 if (skb->len < NLMSG_HDRLEN) {
5031 err = -EINVAL;
5032 goto out;
5033 }
5034 nlh = nlmsg_hdr(skb);
5035
5036 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5037 if (err) {
5038 if (err == -EINVAL) {
5039 pr_warn_ratelimited("SELinux: unrecognized netlink"
5040 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5041 " pig=%d comm=%s\n",
5042 sk->sk_protocol, nlh->nlmsg_type,
5043 secclass_map[sksec->sclass - 1].name,
5044 task_pid_nr(current), current->comm);
5045 if (!selinux_enforcing || security_get_allow_unknown())
5046 err = 0;
5047 }
5048
5049 /* Ignore */
5050 if (err == -ENOENT)
5051 err = 0;
5052 goto out;
5053 }
5054
5055 err = sock_has_perm(sk, perm);
5056 out:
5057 return err;
5058 }
5059
5060 #ifdef CONFIG_NETFILTER
5061
5062 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5063 const struct net_device *indev,
5064 u16 family)
5065 {
5066 int err;
5067 char *addrp;
5068 u32 peer_sid;
5069 struct common_audit_data ad;
5070 struct lsm_network_audit net = {0,};
5071 u8 secmark_active;
5072 u8 netlbl_active;
5073 u8 peerlbl_active;
5074
5075 if (!selinux_policycap_netpeer)
5076 return NF_ACCEPT;
5077
5078 secmark_active = selinux_secmark_enabled();
5079 netlbl_active = netlbl_enabled();
5080 peerlbl_active = selinux_peerlbl_enabled();
5081 if (!secmark_active && !peerlbl_active)
5082 return NF_ACCEPT;
5083
5084 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5085 return NF_DROP;
5086
5087 ad.type = LSM_AUDIT_DATA_NET;
5088 ad.u.net = &net;
5089 ad.u.net->netif = indev->ifindex;
5090 ad.u.net->family = family;
5091 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5092 return NF_DROP;
5093
5094 if (peerlbl_active) {
5095 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5096 addrp, family, peer_sid, &ad);
5097 if (err) {
5098 selinux_netlbl_err(skb, family, err, 1);
5099 return NF_DROP;
5100 }
5101 }
5102
5103 if (secmark_active)
5104 if (avc_has_perm(peer_sid, skb->secmark,
5105 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5106 return NF_DROP;
5107
5108 if (netlbl_active)
5109 /* we do this in the FORWARD path and not the POST_ROUTING
5110 * path because we want to make sure we apply the necessary
5111 * labeling before IPsec is applied so we can leverage AH
5112 * protection */
5113 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5114 return NF_DROP;
5115
5116 return NF_ACCEPT;
5117 }
5118
5119 static unsigned int selinux_ipv4_forward(void *priv,
5120 struct sk_buff *skb,
5121 const struct nf_hook_state *state)
5122 {
5123 return selinux_ip_forward(skb, state->in, PF_INET);
5124 }
5125
5126 #if IS_ENABLED(CONFIG_IPV6)
5127 static unsigned int selinux_ipv6_forward(void *priv,
5128 struct sk_buff *skb,
5129 const struct nf_hook_state *state)
5130 {
5131 return selinux_ip_forward(skb, state->in, PF_INET6);
5132 }
5133 #endif /* IPV6 */
5134
5135 static unsigned int selinux_ip_output(struct sk_buff *skb,
5136 u16 family)
5137 {
5138 struct sock *sk;
5139 u32 sid;
5140
5141 if (!netlbl_enabled())
5142 return NF_ACCEPT;
5143
5144 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5145 * because we want to make sure we apply the necessary labeling
5146 * before IPsec is applied so we can leverage AH protection */
5147 sk = skb->sk;
5148 if (sk) {
5149 struct sk_security_struct *sksec;
5150
5151 if (sk_listener(sk))
5152 /* if the socket is the listening state then this
5153 * packet is a SYN-ACK packet which means it needs to
5154 * be labeled based on the connection/request_sock and
5155 * not the parent socket. unfortunately, we can't
5156 * lookup the request_sock yet as it isn't queued on
5157 * the parent socket until after the SYN-ACK is sent.
5158 * the "solution" is to simply pass the packet as-is
5159 * as any IP option based labeling should be copied
5160 * from the initial connection request (in the IP
5161 * layer). it is far from ideal, but until we get a
5162 * security label in the packet itself this is the
5163 * best we can do. */
5164 return NF_ACCEPT;
5165
5166 /* standard practice, label using the parent socket */
5167 sksec = selinux_sock(sk);
5168 sid = sksec->sid;
5169 } else
5170 sid = SECINITSID_KERNEL;
5171 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5172 return NF_DROP;
5173
5174 return NF_ACCEPT;
5175 }
5176
5177 static unsigned int selinux_ipv4_output(void *priv,
5178 struct sk_buff *skb,
5179 const struct nf_hook_state *state)
5180 {
5181 return selinux_ip_output(skb, PF_INET);
5182 }
5183
5184 #if IS_ENABLED(CONFIG_IPV6)
5185 static unsigned int selinux_ipv6_output(void *priv,
5186 struct sk_buff *skb,
5187 const struct nf_hook_state *state)
5188 {
5189 return selinux_ip_output(skb, PF_INET6);
5190 }
5191 #endif /* IPV6 */
5192
5193 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5194 int ifindex,
5195 u16 family)
5196 {
5197 struct sock *sk = skb_to_full_sk(skb);
5198 struct sk_security_struct *sksec;
5199 struct common_audit_data ad;
5200 struct lsm_network_audit net = {0,};
5201 char *addrp;
5202 u8 proto;
5203
5204 if (sk == NULL)
5205 return NF_ACCEPT;
5206 sksec = selinux_sock(sk);
5207
5208 ad.type = LSM_AUDIT_DATA_NET;
5209 ad.u.net = &net;
5210 ad.u.net->netif = ifindex;
5211 ad.u.net->family = family;
5212 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5213 return NF_DROP;
5214
5215 if (selinux_secmark_enabled())
5216 if (avc_has_perm(sksec->sid, skb->secmark,
5217 SECCLASS_PACKET, PACKET__SEND, &ad))
5218 return NF_DROP_ERR(-ECONNREFUSED);
5219
5220 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5221 return NF_DROP_ERR(-ECONNREFUSED);
5222
5223 return NF_ACCEPT;
5224 }
5225
5226 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5227 const struct net_device *outdev,
5228 u16 family)
5229 {
5230 u32 secmark_perm;
5231 u32 peer_sid;
5232 int ifindex = outdev->ifindex;
5233 struct sock *sk;
5234 struct common_audit_data ad;
5235 struct lsm_network_audit net = {0,};
5236 char *addrp;
5237 u8 secmark_active;
5238 u8 peerlbl_active;
5239
5240 /* If any sort of compatibility mode is enabled then handoff processing
5241 * to the selinux_ip_postroute_compat() function to deal with the
5242 * special handling. We do this in an attempt to keep this function
5243 * as fast and as clean as possible. */
5244 if (!selinux_policycap_netpeer)
5245 return selinux_ip_postroute_compat(skb, ifindex, family);
5246
5247 secmark_active = selinux_secmark_enabled();
5248 peerlbl_active = selinux_peerlbl_enabled();
5249 if (!secmark_active && !peerlbl_active)
5250 return NF_ACCEPT;
5251
5252 sk = skb_to_full_sk(skb);
5253
5254 #ifdef CONFIG_XFRM
5255 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5256 * packet transformation so allow the packet to pass without any checks
5257 * since we'll have another chance to perform access control checks
5258 * when the packet is on it's final way out.
5259 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5260 * is NULL, in this case go ahead and apply access control.
5261 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5262 * TCP listening state we cannot wait until the XFRM processing
5263 * is done as we will miss out on the SA label if we do;
5264 * unfortunately, this means more work, but it is only once per
5265 * connection. */
5266 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5267 !(sk && sk_listener(sk)))
5268 return NF_ACCEPT;
5269 #endif
5270
5271 if (sk == NULL) {
5272 /* Without an associated socket the packet is either coming
5273 * from the kernel or it is being forwarded; check the packet
5274 * to determine which and if the packet is being forwarded
5275 * query the packet directly to determine the security label. */
5276 if (skb->skb_iif) {
5277 secmark_perm = PACKET__FORWARD_OUT;
5278 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5279 return NF_DROP;
5280 } else {
5281 secmark_perm = PACKET__SEND;
5282 peer_sid = SECINITSID_KERNEL;
5283 }
5284 } else if (sk_listener(sk)) {
5285 /* Locally generated packet but the associated socket is in the
5286 * listening state which means this is a SYN-ACK packet. In
5287 * this particular case the correct security label is assigned
5288 * to the connection/request_sock but unfortunately we can't
5289 * query the request_sock as it isn't queued on the parent
5290 * socket until after the SYN-ACK packet is sent; the only
5291 * viable choice is to regenerate the label like we do in
5292 * selinux_inet_conn_request(). See also selinux_ip_output()
5293 * for similar problems. */
5294 u32 skb_sid;
5295 struct sk_security_struct *sksec;
5296
5297 sksec = selinux_sock(sk);
5298 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5299 return NF_DROP;
5300 /* At this point, if the returned skb peerlbl is SECSID_NULL
5301 * and the packet has been through at least one XFRM
5302 * transformation then we must be dealing with the "final"
5303 * form of labeled IPsec packet; since we've already applied
5304 * all of our access controls on this packet we can safely
5305 * pass the packet. */
5306 if (skb_sid == SECSID_NULL) {
5307 switch (family) {
5308 case PF_INET:
5309 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5310 return NF_ACCEPT;
5311 break;
5312 case PF_INET6:
5313 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5314 return NF_ACCEPT;
5315 break;
5316 default:
5317 return NF_DROP_ERR(-ECONNREFUSED);
5318 }
5319 }
5320 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5321 return NF_DROP;
5322 secmark_perm = PACKET__SEND;
5323 } else {
5324 /* Locally generated packet, fetch the security label from the
5325 * associated socket. */
5326 struct sk_security_struct *sksec = selinux_sock(sk);
5327 peer_sid = sksec->sid;
5328 secmark_perm = PACKET__SEND;
5329 }
5330
5331 ad.type = LSM_AUDIT_DATA_NET;
5332 ad.u.net = &net;
5333 ad.u.net->netif = ifindex;
5334 ad.u.net->family = family;
5335 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5336 return NF_DROP;
5337
5338 if (secmark_active)
5339 if (avc_has_perm(peer_sid, skb->secmark,
5340 SECCLASS_PACKET, secmark_perm, &ad))
5341 return NF_DROP_ERR(-ECONNREFUSED);
5342
5343 if (peerlbl_active) {
5344 u32 if_sid;
5345 u32 node_sid;
5346
5347 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5348 return NF_DROP;
5349 if (avc_has_perm(peer_sid, if_sid,
5350 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5351 return NF_DROP_ERR(-ECONNREFUSED);
5352
5353 if (sel_netnode_sid(addrp, family, &node_sid))
5354 return NF_DROP;
5355 if (avc_has_perm(peer_sid, node_sid,
5356 SECCLASS_NODE, NODE__SENDTO, &ad))
5357 return NF_DROP_ERR(-ECONNREFUSED);
5358 }
5359
5360 return NF_ACCEPT;
5361 }
5362
5363 static unsigned int selinux_ipv4_postroute(void *priv,
5364 struct sk_buff *skb,
5365 const struct nf_hook_state *state)
5366 {
5367 return selinux_ip_postroute(skb, state->out, PF_INET);
5368 }
5369
5370 #if IS_ENABLED(CONFIG_IPV6)
5371 static unsigned int selinux_ipv6_postroute(void *priv,
5372 struct sk_buff *skb,
5373 const struct nf_hook_state *state)
5374 {
5375 return selinux_ip_postroute(skb, state->out, PF_INET6);
5376 }
5377 #endif /* IPV6 */
5378
5379 #endif /* CONFIG_NETFILTER */
5380
5381 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5382 {
5383 return selinux_nlmsg_perm(sk, skb);
5384 }
5385
5386 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5387 {
5388 isec->sclass = sclass;
5389 isec->sid = current_sid();
5390 }
5391
5392 static int msg_msg_alloc_security(struct msg_msg *msg)
5393 {
5394 struct msg_security_struct *msec;
5395
5396 msec = selinux_msg_msg(msg);
5397 msec->sid = SECINITSID_UNLABELED;
5398
5399 return 0;
5400 }
5401
5402 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5403 u32 perms)
5404 {
5405 struct ipc_security_struct *isec;
5406 struct common_audit_data ad;
5407 u32 sid = current_sid();
5408
5409 isec = selinux_ipc(ipc_perms);
5410
5411 ad.type = LSM_AUDIT_DATA_IPC;
5412 ad.u.ipc_id = ipc_perms->key;
5413
5414 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5415 }
5416
5417 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5418 {
5419 return msg_msg_alloc_security(msg);
5420 }
5421
5422 /* message queue security operations */
5423 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5424 {
5425 struct ipc_security_struct *isec;
5426 struct common_audit_data ad;
5427 u32 sid = current_sid();
5428 int rc;
5429
5430 isec = selinux_ipc(&msq->q_perm);
5431 ipc_init_security(isec, SECCLASS_MSGQ);
5432
5433 ad.type = LSM_AUDIT_DATA_IPC;
5434 ad.u.ipc_id = msq->q_perm.key;
5435
5436 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5437 MSGQ__CREATE, &ad);
5438 return rc;
5439 }
5440
5441 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5442 {
5443 struct ipc_security_struct *isec;
5444 struct common_audit_data ad;
5445 u32 sid = current_sid();
5446
5447 isec = selinux_ipc(&msq->q_perm);
5448
5449 ad.type = LSM_AUDIT_DATA_IPC;
5450 ad.u.ipc_id = msq->q_perm.key;
5451
5452 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5453 MSGQ__ASSOCIATE, &ad);
5454 }
5455
5456 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5457 {
5458 int err;
5459 int perms;
5460
5461 switch (cmd) {
5462 case IPC_INFO:
5463 case MSG_INFO:
5464 /* No specific object, just general system-wide information. */
5465 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5466 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5467 case IPC_STAT:
5468 case MSG_STAT:
5469 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5470 break;
5471 case IPC_SET:
5472 perms = MSGQ__SETATTR;
5473 break;
5474 case IPC_RMID:
5475 perms = MSGQ__DESTROY;
5476 break;
5477 default:
5478 return 0;
5479 }
5480
5481 err = ipc_has_perm(&msq->q_perm, perms);
5482 return err;
5483 }
5484
5485 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5486 {
5487 struct ipc_security_struct *isec;
5488 struct msg_security_struct *msec;
5489 struct common_audit_data ad;
5490 u32 sid = current_sid();
5491 int rc;
5492
5493 isec = selinux_ipc(&msq->q_perm);
5494 msec = selinux_msg_msg(msg);
5495
5496 /*
5497 * First time through, need to assign label to the message
5498 */
5499 if (msec->sid == SECINITSID_UNLABELED) {
5500 /*
5501 * Compute new sid based on current process and
5502 * message queue this message will be stored in
5503 */
5504 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5505 NULL, &msec->sid);
5506 if (rc)
5507 return rc;
5508 }
5509
5510 ad.type = LSM_AUDIT_DATA_IPC;
5511 ad.u.ipc_id = msq->q_perm.key;
5512
5513 /* Can this process write to the queue? */
5514 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5515 MSGQ__WRITE, &ad);
5516 if (!rc)
5517 /* Can this process send the message */
5518 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5519 MSG__SEND, &ad);
5520 if (!rc)
5521 /* Can the message be put in the queue? */
5522 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5523 MSGQ__ENQUEUE, &ad);
5524
5525 return rc;
5526 }
5527
5528 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5529 struct task_struct *target,
5530 long type, int mode)
5531 {
5532 struct ipc_security_struct *isec;
5533 struct msg_security_struct *msec;
5534 struct common_audit_data ad;
5535 u32 sid = task_sid(target);
5536 int rc;
5537
5538 isec = selinux_ipc(&msq->q_perm);
5539 msec = selinux_msg_msg(msg);
5540
5541 ad.type = LSM_AUDIT_DATA_IPC;
5542 ad.u.ipc_id = msq->q_perm.key;
5543
5544 rc = avc_has_perm(sid, isec->sid,
5545 SECCLASS_MSGQ, MSGQ__READ, &ad);
5546 if (!rc)
5547 rc = avc_has_perm(sid, msec->sid,
5548 SECCLASS_MSG, MSG__RECEIVE, &ad);
5549 return rc;
5550 }
5551
5552 /* Shared Memory security operations */
5553 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5554 {
5555 struct ipc_security_struct *isec;
5556 struct common_audit_data ad;
5557 u32 sid = current_sid();
5558 int rc;
5559
5560 isec = selinux_ipc(&shp->shm_perm);
5561 ipc_init_security(isec, SECCLASS_SHM);
5562
5563 ad.type = LSM_AUDIT_DATA_IPC;
5564 ad.u.ipc_id = shp->shm_perm.key;
5565
5566 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5567 SHM__CREATE, &ad);
5568 return rc;
5569 }
5570
5571 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5572 {
5573 struct ipc_security_struct *isec;
5574 struct common_audit_data ad;
5575 u32 sid = current_sid();
5576
5577 isec = selinux_ipc(&shp->shm_perm);
5578
5579 ad.type = LSM_AUDIT_DATA_IPC;
5580 ad.u.ipc_id = shp->shm_perm.key;
5581
5582 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5583 SHM__ASSOCIATE, &ad);
5584 }
5585
5586 /* Note, at this point, shp is locked down */
5587 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5588 {
5589 int perms;
5590 int err;
5591
5592 switch (cmd) {
5593 case IPC_INFO:
5594 case SHM_INFO:
5595 /* No specific object, just general system-wide information. */
5596 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5597 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5598 case IPC_STAT:
5599 case SHM_STAT:
5600 perms = SHM__GETATTR | SHM__ASSOCIATE;
5601 break;
5602 case IPC_SET:
5603 perms = SHM__SETATTR;
5604 break;
5605 case SHM_LOCK:
5606 case SHM_UNLOCK:
5607 perms = SHM__LOCK;
5608 break;
5609 case IPC_RMID:
5610 perms = SHM__DESTROY;
5611 break;
5612 default:
5613 return 0;
5614 }
5615
5616 err = ipc_has_perm(&shp->shm_perm, perms);
5617 return err;
5618 }
5619
5620 static int selinux_shm_shmat(struct shmid_kernel *shp,
5621 char __user *shmaddr, int shmflg)
5622 {
5623 u32 perms;
5624
5625 if (shmflg & SHM_RDONLY)
5626 perms = SHM__READ;
5627 else
5628 perms = SHM__READ | SHM__WRITE;
5629
5630 return ipc_has_perm(&shp->shm_perm, perms);
5631 }
5632
5633 /* Semaphore security operations */
5634 static int selinux_sem_alloc_security(struct sem_array *sma)
5635 {
5636 struct ipc_security_struct *isec;
5637 struct common_audit_data ad;
5638 u32 sid = current_sid();
5639 int rc;
5640
5641 isec = selinux_ipc(&sma->sem_perm);
5642 ipc_init_security(isec, SECCLASS_SEM);
5643
5644 ad.type = LSM_AUDIT_DATA_IPC;
5645 ad.u.ipc_id = sma->sem_perm.key;
5646
5647 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5648 SEM__CREATE, &ad);
5649 return rc;
5650 }
5651
5652 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5653 {
5654 struct ipc_security_struct *isec;
5655 struct common_audit_data ad;
5656 u32 sid = current_sid();
5657
5658 isec = selinux_ipc(&sma->sem_perm);
5659
5660 ad.type = LSM_AUDIT_DATA_IPC;
5661 ad.u.ipc_id = sma->sem_perm.key;
5662
5663 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5664 SEM__ASSOCIATE, &ad);
5665 }
5666
5667 /* Note, at this point, sma is locked down */
5668 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5669 {
5670 int err;
5671 u32 perms;
5672
5673 switch (cmd) {
5674 case IPC_INFO:
5675 case SEM_INFO:
5676 /* No specific object, just general system-wide information. */
5677 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5678 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5679 case GETPID:
5680 case GETNCNT:
5681 case GETZCNT:
5682 perms = SEM__GETATTR;
5683 break;
5684 case GETVAL:
5685 case GETALL:
5686 perms = SEM__READ;
5687 break;
5688 case SETVAL:
5689 case SETALL:
5690 perms = SEM__WRITE;
5691 break;
5692 case IPC_RMID:
5693 perms = SEM__DESTROY;
5694 break;
5695 case IPC_SET:
5696 perms = SEM__SETATTR;
5697 break;
5698 case IPC_STAT:
5699 case SEM_STAT:
5700 perms = SEM__GETATTR | SEM__ASSOCIATE;
5701 break;
5702 default:
5703 return 0;
5704 }
5705
5706 err = ipc_has_perm(&sma->sem_perm, perms);
5707 return err;
5708 }
5709
5710 static int selinux_sem_semop(struct sem_array *sma,
5711 struct sembuf *sops, unsigned nsops, int alter)
5712 {
5713 u32 perms;
5714
5715 if (alter)
5716 perms = SEM__READ | SEM__WRITE;
5717 else
5718 perms = SEM__READ;
5719
5720 return ipc_has_perm(&sma->sem_perm, perms);
5721 }
5722
5723 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5724 {
5725 u32 av = 0;
5726
5727 av = 0;
5728 if (flag & S_IRUGO)
5729 av |= IPC__UNIX_READ;
5730 if (flag & S_IWUGO)
5731 av |= IPC__UNIX_WRITE;
5732
5733 if (av == 0)
5734 return 0;
5735
5736 return ipc_has_perm(ipcp, av);
5737 }
5738
5739 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5740 {
5741 struct ipc_security_struct *isec = selinux_ipc(ipcp);
5742 *secid = isec->sid;
5743 }
5744
5745 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5746 {
5747 if (inode)
5748 inode_doinit_with_dentry(inode, dentry);
5749 }
5750
5751 static int selinux_getprocattr(struct task_struct *p,
5752 char *name, char **value)
5753 {
5754 const struct task_security_struct *__tsec;
5755 u32 sid;
5756 int error;
5757 unsigned len;
5758
5759 rcu_read_lock();
5760 __tsec = selinux_cred(__task_cred(p));
5761
5762 if (current != p) {
5763 error = avc_has_perm(current_sid(), __tsec->sid,
5764 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5765 if (error)
5766 goto bad;
5767 }
5768
5769 if (!strcmp(name, "current"))
5770 sid = __tsec->sid;
5771 else if (!strcmp(name, "prev"))
5772 sid = __tsec->osid;
5773 else if (!strcmp(name, "exec"))
5774 sid = __tsec->exec_sid;
5775 else if (!strcmp(name, "fscreate"))
5776 sid = __tsec->create_sid;
5777 else if (!strcmp(name, "keycreate"))
5778 sid = __tsec->keycreate_sid;
5779 else if (!strcmp(name, "sockcreate"))
5780 sid = __tsec->sockcreate_sid;
5781 else {
5782 error = -EINVAL;
5783 goto bad;
5784 }
5785 rcu_read_unlock();
5786
5787 if (!sid)
5788 return 0;
5789
5790 error = security_sid_to_context(sid, value, &len);
5791 if (error)
5792 return error;
5793 return len;
5794
5795 bad:
5796 rcu_read_unlock();
5797 return error;
5798 }
5799
5800 static int selinux_setprocattr(const char *name, void *value, size_t size)
5801 {
5802 struct task_security_struct *tsec;
5803 struct cred *new;
5804 u32 mysid = current_sid(), sid = 0, ptsid;
5805 int error;
5806 char *str = value;
5807
5808 /*
5809 * Basic control over ability to set these attributes at all.
5810 */
5811 if (!strcmp(name, "exec"))
5812 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5813 PROCESS__SETEXEC, NULL);
5814 else if (!strcmp(name, "fscreate"))
5815 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5816 PROCESS__SETFSCREATE, NULL);
5817 else if (!strcmp(name, "keycreate"))
5818 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5819 PROCESS__SETKEYCREATE, NULL);
5820 else if (!strcmp(name, "sockcreate"))
5821 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5822 PROCESS__SETSOCKCREATE, NULL);
5823 else if (!strcmp(name, "current"))
5824 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5825 PROCESS__SETCURRENT, NULL);
5826 else
5827 error = -EINVAL;
5828 if (error)
5829 return error;
5830
5831 /* Obtain a SID for the context, if one was specified. */
5832 if (size && str[0] && str[0] != '\n') {
5833 if (str[size-1] == '\n') {
5834 str[size-1] = 0;
5835 size--;
5836 }
5837 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5838 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5839 if (!has_cap_mac_admin(true)) {
5840 struct audit_buffer *ab;
5841 size_t audit_size;
5842
5843 /* We strip a nul only if it is at the end, otherwise the
5844 * context contains a nul and we should audit that */
5845 if (str[size - 1] == '\0')
5846 audit_size = size - 1;
5847 else
5848 audit_size = size;
5849 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5850 audit_log_format(ab, "op=fscreate invalid_context=");
5851 audit_log_n_untrustedstring(ab, value, audit_size);
5852 audit_log_end(ab);
5853
5854 return error;
5855 }
5856 error = security_context_to_sid_force(value, size,
5857 &sid);
5858 }
5859 if (error)
5860 return error;
5861 }
5862
5863 new = prepare_creds();
5864 if (!new)
5865 return -ENOMEM;
5866
5867 /* Permission checking based on the specified context is
5868 performed during the actual operation (execve,
5869 open/mkdir/...), when we know the full context of the
5870 operation. See selinux_bprm_set_creds for the execve
5871 checks and may_create for the file creation checks. The
5872 operation will then fail if the context is not permitted. */
5873 tsec = selinux_cred(new);
5874 if (!strcmp(name, "exec")) {
5875 tsec->exec_sid = sid;
5876 } else if (!strcmp(name, "fscreate")) {
5877 tsec->create_sid = sid;
5878 } else if (!strcmp(name, "keycreate")) {
5879 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
5880 NULL);
5881 if (error)
5882 goto abort_change;
5883 tsec->keycreate_sid = sid;
5884 } else if (!strcmp(name, "sockcreate")) {
5885 tsec->sockcreate_sid = sid;
5886 } else if (!strcmp(name, "current")) {
5887 error = -EINVAL;
5888 if (sid == 0)
5889 goto abort_change;
5890
5891 /* Only allow single threaded processes to change context */
5892 error = -EPERM;
5893 if (!current_is_single_threaded()) {
5894 error = security_bounded_transition(tsec->sid, sid);
5895 if (error)
5896 goto abort_change;
5897 }
5898
5899 /* Check permissions for the transition. */
5900 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5901 PROCESS__DYNTRANSITION, NULL);
5902 if (error)
5903 goto abort_change;
5904
5905 /* Check for ptracing, and update the task SID if ok.
5906 Otherwise, leave SID unchanged and fail. */
5907 ptsid = ptrace_parent_sid();
5908 if (ptsid != 0) {
5909 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5910 PROCESS__PTRACE, NULL);
5911 if (error)
5912 goto abort_change;
5913 }
5914
5915 tsec->sid = sid;
5916 } else {
5917 error = -EINVAL;
5918 goto abort_change;
5919 }
5920
5921 commit_creds(new);
5922 return size;
5923
5924 abort_change:
5925 abort_creds(new);
5926 return error;
5927 }
5928
5929 static int selinux_ismaclabel(const char *name)
5930 {
5931 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5932 }
5933
5934 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5935 {
5936 return security_sid_to_context(secid, secdata, seclen);
5937 }
5938
5939 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5940 {
5941 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5942 }
5943
5944 static void selinux_release_secctx(char *secdata, u32 seclen)
5945 {
5946 kfree(secdata);
5947 }
5948
5949 static void selinux_inode_invalidate_secctx(struct inode *inode)
5950 {
5951 struct inode_security_struct *isec = selinux_inode(inode);
5952
5953 spin_lock(&isec->lock);
5954 isec->initialized = LABEL_INVALID;
5955 spin_unlock(&isec->lock);
5956 }
5957
5958 /*
5959 * called with inode->i_mutex locked
5960 */
5961 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5962 {
5963 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5964 }
5965
5966 /*
5967 * called with inode->i_mutex locked
5968 */
5969 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5970 {
5971 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5972 }
5973
5974 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5975 {
5976 int len = 0;
5977 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5978 ctx, true);
5979 if (len < 0)
5980 return len;
5981 *ctxlen = len;
5982 return 0;
5983 }
5984 #ifdef CONFIG_KEYS
5985
5986 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5987 unsigned long flags)
5988 {
5989 const struct task_security_struct *tsec;
5990 struct key_security_struct *ksec = selinux_key(k);
5991
5992 tsec = selinux_cred(cred);
5993 if (tsec->keycreate_sid)
5994 ksec->sid = tsec->keycreate_sid;
5995 else
5996 ksec->sid = tsec->sid;
5997
5998 return 0;
5999 }
6000
6001 static int selinux_key_permission(key_ref_t key_ref,
6002 const struct cred *cred,
6003 unsigned perm)
6004 {
6005 struct key *key;
6006 struct key_security_struct *ksec;
6007 u32 sid;
6008
6009 /* if no specific permissions are requested, we skip the
6010 permission check. No serious, additional covert channels
6011 appear to be created. */
6012 if (perm == 0)
6013 return 0;
6014
6015 sid = cred_sid(cred);
6016
6017 key = key_ref_to_ptr(key_ref);
6018 ksec = selinux_key(key);
6019
6020 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6021 }
6022
6023 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6024 {
6025 struct key_security_struct *ksec = selinux_key(key);
6026 char *context = NULL;
6027 unsigned len;
6028 int rc;
6029
6030 rc = security_sid_to_context(ksec->sid, &context, &len);
6031 if (!rc)
6032 rc = len;
6033 *_buffer = context;
6034 return rc;
6035 }
6036 #endif
6037
6038 #ifdef CONFIG_SECURITY_INFINIBAND
6039 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6040 {
6041 struct common_audit_data ad;
6042 int err;
6043 u32 sid = 0;
6044 struct ib_security_struct *sec = ib_sec;
6045 struct lsm_ibpkey_audit ibpkey;
6046
6047 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6048 if (err)
6049 return err;
6050
6051 ad.type = LSM_AUDIT_DATA_IBPKEY;
6052 ibpkey.subnet_prefix = subnet_prefix;
6053 ibpkey.pkey = pkey_val;
6054 ad.u.ibpkey = &ibpkey;
6055 return avc_has_perm(sec->sid, sid,
6056 SECCLASS_INFINIBAND_PKEY,
6057 INFINIBAND_PKEY__ACCESS, &ad);
6058 }
6059
6060 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6061 u8 port_num)
6062 {
6063 struct common_audit_data ad;
6064 int err;
6065 u32 sid = 0;
6066 struct ib_security_struct *sec = ib_sec;
6067 struct lsm_ibendport_audit ibendport;
6068
6069 err = security_ib_endport_sid(dev_name, port_num, &sid);
6070
6071 if (err)
6072 return err;
6073
6074 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6075 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6076 ibendport.port = port_num;
6077 ad.u.ibendport = &ibendport;
6078 return avc_has_perm(sec->sid, sid,
6079 SECCLASS_INFINIBAND_ENDPORT,
6080 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6081 }
6082
6083 static int selinux_ib_alloc_security(void **ib_sec)
6084 {
6085 struct ib_security_struct *sec;
6086
6087 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6088 if (!sec)
6089 return -ENOMEM;
6090 sec->sid = current_sid();
6091
6092 *ib_sec = sec;
6093 return 0;
6094 }
6095
6096 static void selinux_ib_free_security(void *ib_sec)
6097 {
6098 kfree(ib_sec);
6099 }
6100 #endif
6101
6102 #ifdef CONFIG_BPF_SYSCALL
6103 static int selinux_bpf(int cmd, union bpf_attr *attr,
6104 unsigned int size)
6105 {
6106 u32 sid = current_sid();
6107 int ret;
6108
6109 switch (cmd) {
6110 case BPF_MAP_CREATE:
6111 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6112 NULL);
6113 break;
6114 case BPF_PROG_LOAD:
6115 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6116 NULL);
6117 break;
6118 default:
6119 ret = 0;
6120 break;
6121 }
6122
6123 return ret;
6124 }
6125
6126 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6127 {
6128 u32 av = 0;
6129
6130 if (fmode & FMODE_READ)
6131 av |= BPF__MAP_READ;
6132 if (fmode & FMODE_WRITE)
6133 av |= BPF__MAP_WRITE;
6134 return av;
6135 }
6136
6137 /* This function will check the file pass through unix socket or binder to see
6138 * if it is a bpf related object. And apply correspinding checks on the bpf
6139 * object based on the type. The bpf maps and programs, not like other files and
6140 * socket, are using a shared anonymous inode inside the kernel as their inode.
6141 * So checking that inode cannot identify if the process have privilege to
6142 * access the bpf object and that's why we have to add this additional check in
6143 * selinux_file_receive and selinux_binder_transfer_files.
6144 */
6145 static int bpf_fd_pass(struct file *file, u32 sid)
6146 {
6147 struct bpf_security_struct *bpfsec;
6148 struct bpf_prog *prog;
6149 struct bpf_map *map;
6150 int ret;
6151
6152 if (file->f_op == &bpf_map_fops) {
6153 map = file->private_data;
6154 bpfsec = map->security;
6155 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6156 bpf_map_fmode_to_av(file->f_mode), NULL);
6157 if (ret)
6158 return ret;
6159 } else if (file->f_op == &bpf_prog_fops) {
6160 prog = file->private_data;
6161 bpfsec = prog->aux->security;
6162 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6163 BPF__PROG_RUN, NULL);
6164 if (ret)
6165 return ret;
6166 }
6167 return 0;
6168 }
6169
6170 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6171 {
6172 u32 sid = current_sid();
6173 struct bpf_security_struct *bpfsec;
6174
6175 bpfsec = map->security;
6176 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6177 bpf_map_fmode_to_av(fmode), NULL);
6178 }
6179
6180 static int selinux_bpf_prog(struct bpf_prog *prog)
6181 {
6182 u32 sid = current_sid();
6183 struct bpf_security_struct *bpfsec;
6184
6185 bpfsec = prog->aux->security;
6186 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6187 BPF__PROG_RUN, NULL);
6188 }
6189
6190 static int selinux_bpf_map_alloc(struct bpf_map *map)
6191 {
6192 struct bpf_security_struct *bpfsec;
6193
6194 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6195 if (!bpfsec)
6196 return -ENOMEM;
6197
6198 bpfsec->sid = current_sid();
6199 map->security = bpfsec;
6200
6201 return 0;
6202 }
6203
6204 static void selinux_bpf_map_free(struct bpf_map *map)
6205 {
6206 struct bpf_security_struct *bpfsec = map->security;
6207
6208 map->security = NULL;
6209 kfree(bpfsec);
6210 }
6211
6212 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6213 {
6214 struct bpf_security_struct *bpfsec;
6215
6216 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6217 if (!bpfsec)
6218 return -ENOMEM;
6219
6220 bpfsec->sid = current_sid();
6221 aux->security = bpfsec;
6222
6223 return 0;
6224 }
6225
6226 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6227 {
6228 struct bpf_security_struct *bpfsec = aux->security;
6229
6230 aux->security = NULL;
6231 kfree(bpfsec);
6232 }
6233 #endif
6234
6235 struct lsm_blob_sizes selinux_blob_sizes = {
6236 .lbs_cred = sizeof(struct task_security_struct),
6237 .lbs_file = sizeof(struct file_security_struct),
6238 .lbs_inode = sizeof(struct inode_security_struct),
6239 .lbs_ipc = sizeof(struct ipc_security_struct),
6240 #ifdef CONFIG_KEYS
6241 .lbs_key = sizeof(struct key_security_struct),
6242 #endif /* CONFIG_KEYS */
6243 .lbs_msg_msg = sizeof(struct msg_security_struct),
6244 .lbs_sock = sizeof(struct sk_security_struct),
6245 .lbs_superblock = sizeof(struct superblock_security_struct),
6246 };
6247
6248 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6249 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6250 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6251 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6252 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6253
6254 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6255 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6256 LSM_HOOK_INIT(capget, selinux_capget),
6257 LSM_HOOK_INIT(capset, selinux_capset),
6258 LSM_HOOK_INIT(capable, selinux_capable),
6259 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6260 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6261 LSM_HOOK_INIT(syslog, selinux_syslog),
6262 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6263
6264 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6265
6266 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6267 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6268 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6269
6270 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6271 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6272 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6273 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6274 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6275 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6276 LSM_HOOK_INIT(sb_mount, selinux_mount),
6277 LSM_HOOK_INIT(sb_umount, selinux_umount),
6278 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6279 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6280 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6281
6282 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6283 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6284
6285 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6286 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6287 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6288 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6289 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6290 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6291 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6292 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6293 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6294 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6295 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6296 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6297 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6298 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6299 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6300 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6301 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6302 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6303 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6304 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6305 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6306 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6307 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6308 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6309 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6310 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6311 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6312
6313 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6314 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6315 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6316 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6317 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6318 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6319 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6320 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6321 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6322 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6323 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6324
6325 LSM_HOOK_INIT(file_open, selinux_file_open),
6326
6327 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6328 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6329 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6330 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6331 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6332 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6333 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6334 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6335 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6336 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6337 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6338 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6339 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6340 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6341 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6342 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6343 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6344 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6345 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6346 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6347 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6348
6349 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6350 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6351
6352 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6353
6354 LSM_HOOK_INIT(msg_queue_alloc_security,
6355 selinux_msg_queue_alloc_security),
6356 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6357 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6358 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6359 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6360
6361 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6362 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6363 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6364 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6365
6366 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6367 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6368 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6369 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6370
6371 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6372
6373 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6374 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6375
6376 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6377 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6378 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6379 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6380 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6381 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6382 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6383 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6384
6385 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6386 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6387
6388 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6389 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6390 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6391 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6392 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6393 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6394 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6395 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6396 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6397 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6398 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6399 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6400 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6401 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6402 LSM_HOOK_INIT(socket_getpeersec_stream,
6403 selinux_socket_getpeersec_stream),
6404 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6405 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6406 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6407 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6408 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6409 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6410 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6411 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6412 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6413 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6414 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6415 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6416 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6417 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6418 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6419 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6420 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6421 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6422 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6423 #ifdef CONFIG_SECURITY_INFINIBAND
6424 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6425 LSM_HOOK_INIT(ib_endport_manage_subnet,
6426 selinux_ib_endport_manage_subnet),
6427 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6428 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6429 #endif
6430 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6431 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6432 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6433 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6434 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6435 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6436 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6437 selinux_xfrm_state_alloc_acquire),
6438 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6439 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6440 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6441 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6442 selinux_xfrm_state_pol_flow_match),
6443 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6444 #endif
6445
6446 #ifdef CONFIG_KEYS
6447 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6448 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6449 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6450 #endif
6451
6452 #ifdef CONFIG_AUDIT
6453 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6454 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6455 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6456 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6457 #endif
6458
6459 #ifdef CONFIG_BPF_SYSCALL
6460 LSM_HOOK_INIT(bpf, selinux_bpf),
6461 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
6462 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
6463 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
6464 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
6465 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
6466 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
6467 #endif
6468 };
6469
6470 static __init int selinux_init(void)
6471 {
6472 static int finish;
6473
6474 if (!security_module_enable("selinux",
6475 IS_ENABLED(CONFIG_SECURITY_SELINUX_STACKED))) {
6476 selinux_enabled = 0;
6477 return 0;
6478 }
6479
6480 if (!finish) {
6481 security_add_blobs(&selinux_blob_sizes);
6482 finish = 1;
6483 return 0;
6484 }
6485
6486 if (!selinux_enabled) {
6487 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6488 return 0;
6489 }
6490
6491 printk(KERN_INFO "SELinux: Initializing.\n");
6492
6493 /* Set the security state for the initial task. */
6494 cred_init_security();
6495
6496 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6497
6498 avc_init();
6499
6500 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6501
6502 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6503 panic("SELinux: Unable to register AVC netcache callback\n");
6504
6505 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6506 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6507
6508 if (selinux_enforcing)
6509 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6510 else
6511 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6512
6513 return 0;
6514 }
6515
6516 static void delayed_superblock_init(struct super_block *sb, void *unused)
6517 {
6518 superblock_doinit(sb, NULL);
6519 }
6520
6521 void selinux_complete_init(void)
6522 {
6523 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6524
6525 /* Set up any superblocks initialized prior to the policy load. */
6526 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6527 iterate_supers(delayed_superblock_init, NULL);
6528 }
6529
6530 /* SELinux requires early initialization in order to label
6531 all processes and objects when they are created. */
6532 security_initcall(selinux_init);
6533
6534 #if defined(CONFIG_NETFILTER)
6535
6536 static const struct nf_hook_ops selinux_nf_ops[] = {
6537 {
6538 .hook = selinux_ipv4_postroute,
6539 .pf = NFPROTO_IPV4,
6540 .hooknum = NF_INET_POST_ROUTING,
6541 .priority = NF_IP_PRI_SELINUX_LAST,
6542 },
6543 {
6544 .hook = selinux_ipv4_forward,
6545 .pf = NFPROTO_IPV4,
6546 .hooknum = NF_INET_FORWARD,
6547 .priority = NF_IP_PRI_SELINUX_FIRST,
6548 },
6549 {
6550 .hook = selinux_ipv4_output,
6551 .pf = NFPROTO_IPV4,
6552 .hooknum = NF_INET_LOCAL_OUT,
6553 .priority = NF_IP_PRI_SELINUX_FIRST,
6554 },
6555 #if IS_ENABLED(CONFIG_IPV6)
6556 {
6557 .hook = selinux_ipv6_postroute,
6558 .pf = NFPROTO_IPV6,
6559 .hooknum = NF_INET_POST_ROUTING,
6560 .priority = NF_IP6_PRI_SELINUX_LAST,
6561 },
6562 {
6563 .hook = selinux_ipv6_forward,
6564 .pf = NFPROTO_IPV6,
6565 .hooknum = NF_INET_FORWARD,
6566 .priority = NF_IP6_PRI_SELINUX_FIRST,
6567 },
6568 {
6569 .hook = selinux_ipv6_output,
6570 .pf = NFPROTO_IPV6,
6571 .hooknum = NF_INET_LOCAL_OUT,
6572 .priority = NF_IP6_PRI_SELINUX_FIRST,
6573 },
6574 #endif /* IPV6 */
6575 };
6576
6577 static int __net_init selinux_nf_register(struct net *net)
6578 {
6579 return nf_register_net_hooks(net, selinux_nf_ops,
6580 ARRAY_SIZE(selinux_nf_ops));
6581 }
6582
6583 static void __net_exit selinux_nf_unregister(struct net *net)
6584 {
6585 nf_unregister_net_hooks(net, selinux_nf_ops,
6586 ARRAY_SIZE(selinux_nf_ops));
6587 }
6588
6589 static struct pernet_operations selinux_net_ops = {
6590 .init = selinux_nf_register,
6591 .exit = selinux_nf_unregister,
6592 };
6593
6594 static int __init selinux_nf_ip_init(void)
6595 {
6596 int err;
6597
6598 if (!selinux_enabled)
6599 return 0;
6600
6601 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6602
6603 err = register_pernet_subsys(&selinux_net_ops);
6604 if (err)
6605 panic("SELinux: register_pernet_subsys: error %d\n", err);
6606
6607 return 0;
6608 }
6609 __initcall(selinux_nf_ip_init);
6610
6611 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6612 static void selinux_nf_ip_exit(void)
6613 {
6614 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6615
6616 unregister_pernet_subsys(&selinux_net_ops);
6617 }
6618 #endif
6619
6620 #else /* CONFIG_NETFILTER */
6621
6622 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6623 #define selinux_nf_ip_exit()
6624 #endif
6625
6626 #endif /* CONFIG_NETFILTER */
6627
6628 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6629 static int selinux_disabled;
6630
6631 int selinux_disable(void)
6632 {
6633 if (ss_initialized) {
6634 /* Not permitted after initial policy load. */
6635 return -EINVAL;
6636 }
6637
6638 if (selinux_disabled) {
6639 /* Only do this once. */
6640 return -EINVAL;
6641 }
6642
6643 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6644
6645 selinux_disabled = 1;
6646 selinux_enabled = 0;
6647
6648 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6649
6650 /* Try to destroy the avc node cache */
6651 avc_disable();
6652
6653 /* Unregister netfilter hooks. */
6654 selinux_nf_ip_exit();
6655
6656 /* Unregister selinuxfs. */
6657 exit_sel_fs();
6658
6659 return 0;
6660 }
6661 #endif
ubuntu-bionic-kernel mirror