]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branches 'for-4.11/upstream-fixes', 'for-4.12/accutouch', 'for-4.12/cp2112...
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105 unsigned long enforcing;
106 if (!kstrtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
108 return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118 unsigned long enabled;
119 if (!kstrtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
121 return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130
131 /**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
140 *
141 */
142 static int selinux_secmark_enabled(void)
143 {
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146
147 /**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157 static int selinux_peerlbl_enabled(void)
158 {
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171 }
172
173 /*
174 * initialise the security for the init task
175 */
176 static void cred_init_security(void)
177 {
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
180
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 if (!tsec)
183 panic("SELinux: Failed to initialize initial task.\n");
184
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
187 }
188
189 /*
190 * get the security ID of a set of credentials
191 */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198 }
199
200 /*
201 * get the objective security ID of a task
202 */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 u32 sid;
206
207 rcu_read_lock();
208 sid = cred_sid(__task_cred(task));
209 rcu_read_unlock();
210 return sid;
211 }
212
213 /* Allocate and free functions for each kind of security blob. */
214
215 static int inode_alloc_security(struct inode *inode)
216 {
217 struct inode_security_struct *isec;
218 u32 sid = current_sid();
219
220 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
221 if (!isec)
222 return -ENOMEM;
223
224 spin_lock_init(&isec->lock);
225 INIT_LIST_HEAD(&isec->list);
226 isec->inode = inode;
227 isec->sid = SECINITSID_UNLABELED;
228 isec->sclass = SECCLASS_FILE;
229 isec->task_sid = sid;
230 isec->initialized = LABEL_INVALID;
231 inode->i_security = isec;
232
233 return 0;
234 }
235
236 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
237
238 /*
239 * Try reloading inode security labels that have been marked as invalid. The
240 * @may_sleep parameter indicates when sleeping and thus reloading labels is
241 * allowed; when set to false, returns -ECHILD when the label is
242 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
243 * when no dentry is available, set it to NULL instead.
244 */
245 static int __inode_security_revalidate(struct inode *inode,
246 struct dentry *opt_dentry,
247 bool may_sleep)
248 {
249 struct inode_security_struct *isec = inode->i_security;
250
251 might_sleep_if(may_sleep);
252
253 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
254 if (!may_sleep)
255 return -ECHILD;
256
257 /*
258 * Try reloading the inode security label. This will fail if
259 * @opt_dentry is NULL and no dentry for this inode can be
260 * found; in that case, continue using the old label.
261 */
262 inode_doinit_with_dentry(inode, opt_dentry);
263 }
264 return 0;
265 }
266
267 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
268 {
269 return inode->i_security;
270 }
271
272 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
273 {
274 int error;
275
276 error = __inode_security_revalidate(inode, NULL, !rcu);
277 if (error)
278 return ERR_PTR(error);
279 return inode->i_security;
280 }
281
282 /*
283 * Get the security label of an inode.
284 */
285 static struct inode_security_struct *inode_security(struct inode *inode)
286 {
287 __inode_security_revalidate(inode, NULL, true);
288 return inode->i_security;
289 }
290
291 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
292 {
293 struct inode *inode = d_backing_inode(dentry);
294
295 return inode->i_security;
296 }
297
298 /*
299 * Get the security label of a dentry's backing inode.
300 */
301 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
302 {
303 struct inode *inode = d_backing_inode(dentry);
304
305 __inode_security_revalidate(inode, dentry, true);
306 return inode->i_security;
307 }
308
309 static void inode_free_rcu(struct rcu_head *head)
310 {
311 struct inode_security_struct *isec;
312
313 isec = container_of(head, struct inode_security_struct, rcu);
314 kmem_cache_free(sel_inode_cache, isec);
315 }
316
317 static void inode_free_security(struct inode *inode)
318 {
319 struct inode_security_struct *isec = inode->i_security;
320 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
321
322 /*
323 * As not all inode security structures are in a list, we check for
324 * empty list outside of the lock to make sure that we won't waste
325 * time taking a lock doing nothing.
326 *
327 * The list_del_init() function can be safely called more than once.
328 * It should not be possible for this function to be called with
329 * concurrent list_add(), but for better safety against future changes
330 * in the code, we use list_empty_careful() here.
331 */
332 if (!list_empty_careful(&isec->list)) {
333 spin_lock(&sbsec->isec_lock);
334 list_del_init(&isec->list);
335 spin_unlock(&sbsec->isec_lock);
336 }
337
338 /*
339 * The inode may still be referenced in a path walk and
340 * a call to selinux_inode_permission() can be made
341 * after inode_free_security() is called. Ideally, the VFS
342 * wouldn't do this, but fixing that is a much harder
343 * job. For now, simply free the i_security via RCU, and
344 * leave the current inode->i_security pointer intact.
345 * The inode will be freed after the RCU grace period too.
346 */
347 call_rcu(&isec->rcu, inode_free_rcu);
348 }
349
350 static int file_alloc_security(struct file *file)
351 {
352 struct file_security_struct *fsec;
353 u32 sid = current_sid();
354
355 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
356 if (!fsec)
357 return -ENOMEM;
358
359 fsec->sid = sid;
360 fsec->fown_sid = sid;
361 file->f_security = fsec;
362
363 return 0;
364 }
365
366 static void file_free_security(struct file *file)
367 {
368 struct file_security_struct *fsec = file->f_security;
369 file->f_security = NULL;
370 kmem_cache_free(file_security_cache, fsec);
371 }
372
373 static int superblock_alloc_security(struct super_block *sb)
374 {
375 struct superblock_security_struct *sbsec;
376
377 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
378 if (!sbsec)
379 return -ENOMEM;
380
381 mutex_init(&sbsec->lock);
382 INIT_LIST_HEAD(&sbsec->isec_head);
383 spin_lock_init(&sbsec->isec_lock);
384 sbsec->sb = sb;
385 sbsec->sid = SECINITSID_UNLABELED;
386 sbsec->def_sid = SECINITSID_FILE;
387 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
388 sb->s_security = sbsec;
389
390 return 0;
391 }
392
393 static void superblock_free_security(struct super_block *sb)
394 {
395 struct superblock_security_struct *sbsec = sb->s_security;
396 sb->s_security = NULL;
397 kfree(sbsec);
398 }
399
400 /* The file system's label must be initialized prior to use. */
401
402 static const char *labeling_behaviors[7] = {
403 "uses xattr",
404 "uses transition SIDs",
405 "uses task SIDs",
406 "uses genfs_contexts",
407 "not configured for labeling",
408 "uses mountpoint labeling",
409 "uses native labeling",
410 };
411
412 static inline int inode_doinit(struct inode *inode)
413 {
414 return inode_doinit_with_dentry(inode, NULL);
415 }
416
417 enum {
418 Opt_error = -1,
419 Opt_context = 1,
420 Opt_fscontext = 2,
421 Opt_defcontext = 3,
422 Opt_rootcontext = 4,
423 Opt_labelsupport = 5,
424 Opt_nextmntopt = 6,
425 };
426
427 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
428
429 static const match_table_t tokens = {
430 {Opt_context, CONTEXT_STR "%s"},
431 {Opt_fscontext, FSCONTEXT_STR "%s"},
432 {Opt_defcontext, DEFCONTEXT_STR "%s"},
433 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
434 {Opt_labelsupport, LABELSUPP_STR},
435 {Opt_error, NULL},
436 };
437
438 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
439
440 static int may_context_mount_sb_relabel(u32 sid,
441 struct superblock_security_struct *sbsec,
442 const struct cred *cred)
443 {
444 const struct task_security_struct *tsec = cred->security;
445 int rc;
446
447 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
448 FILESYSTEM__RELABELFROM, NULL);
449 if (rc)
450 return rc;
451
452 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
453 FILESYSTEM__RELABELTO, NULL);
454 return rc;
455 }
456
457 static int may_context_mount_inode_relabel(u32 sid,
458 struct superblock_security_struct *sbsec,
459 const struct cred *cred)
460 {
461 const struct task_security_struct *tsec = cred->security;
462 int rc;
463 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
464 FILESYSTEM__RELABELFROM, NULL);
465 if (rc)
466 return rc;
467
468 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
469 FILESYSTEM__ASSOCIATE, NULL);
470 return rc;
471 }
472
473 static int selinux_is_sblabel_mnt(struct super_block *sb)
474 {
475 struct superblock_security_struct *sbsec = sb->s_security;
476
477 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
478 sbsec->behavior == SECURITY_FS_USE_TRANS ||
479 sbsec->behavior == SECURITY_FS_USE_TASK ||
480 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
481 /* Special handling. Genfs but also in-core setxattr handler */
482 !strcmp(sb->s_type->name, "sysfs") ||
483 !strcmp(sb->s_type->name, "cgroup") ||
484 !strcmp(sb->s_type->name, "cgroup2") ||
485 !strcmp(sb->s_type->name, "pstore") ||
486 !strcmp(sb->s_type->name, "debugfs") ||
487 !strcmp(sb->s_type->name, "tracefs") ||
488 !strcmp(sb->s_type->name, "rootfs");
489 }
490
491 static int sb_finish_set_opts(struct super_block *sb)
492 {
493 struct superblock_security_struct *sbsec = sb->s_security;
494 struct dentry *root = sb->s_root;
495 struct inode *root_inode = d_backing_inode(root);
496 int rc = 0;
497
498 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
499 /* Make sure that the xattr handler exists and that no
500 error other than -ENODATA is returned by getxattr on
501 the root directory. -ENODATA is ok, as this may be
502 the first boot of the SELinux kernel before we have
503 assigned xattr values to the filesystem. */
504 if (!(root_inode->i_opflags & IOP_XATTR)) {
505 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
506 "xattr support\n", sb->s_id, sb->s_type->name);
507 rc = -EOPNOTSUPP;
508 goto out;
509 }
510
511 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
512 if (rc < 0 && rc != -ENODATA) {
513 if (rc == -EOPNOTSUPP)
514 printk(KERN_WARNING "SELinux: (dev %s, type "
515 "%s) has no security xattr handler\n",
516 sb->s_id, sb->s_type->name);
517 else
518 printk(KERN_WARNING "SELinux: (dev %s, type "
519 "%s) getxattr errno %d\n", sb->s_id,
520 sb->s_type->name, -rc);
521 goto out;
522 }
523 }
524
525 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
526 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
527 sb->s_id, sb->s_type->name);
528
529 sbsec->flags |= SE_SBINITIALIZED;
530 if (selinux_is_sblabel_mnt(sb))
531 sbsec->flags |= SBLABEL_MNT;
532
533 /* Initialize the root inode. */
534 rc = inode_doinit_with_dentry(root_inode, root);
535
536 /* Initialize any other inodes associated with the superblock, e.g.
537 inodes created prior to initial policy load or inodes created
538 during get_sb by a pseudo filesystem that directly
539 populates itself. */
540 spin_lock(&sbsec->isec_lock);
541 next_inode:
542 if (!list_empty(&sbsec->isec_head)) {
543 struct inode_security_struct *isec =
544 list_entry(sbsec->isec_head.next,
545 struct inode_security_struct, list);
546 struct inode *inode = isec->inode;
547 list_del_init(&isec->list);
548 spin_unlock(&sbsec->isec_lock);
549 inode = igrab(inode);
550 if (inode) {
551 if (!IS_PRIVATE(inode))
552 inode_doinit(inode);
553 iput(inode);
554 }
555 spin_lock(&sbsec->isec_lock);
556 goto next_inode;
557 }
558 spin_unlock(&sbsec->isec_lock);
559 out:
560 return rc;
561 }
562
563 /*
564 * This function should allow an FS to ask what it's mount security
565 * options were so it can use those later for submounts, displaying
566 * mount options, or whatever.
567 */
568 static int selinux_get_mnt_opts(const struct super_block *sb,
569 struct security_mnt_opts *opts)
570 {
571 int rc = 0, i;
572 struct superblock_security_struct *sbsec = sb->s_security;
573 char *context = NULL;
574 u32 len;
575 char tmp;
576
577 security_init_mnt_opts(opts);
578
579 if (!(sbsec->flags & SE_SBINITIALIZED))
580 return -EINVAL;
581
582 if (!ss_initialized)
583 return -EINVAL;
584
585 /* make sure we always check enough bits to cover the mask */
586 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
587
588 tmp = sbsec->flags & SE_MNTMASK;
589 /* count the number of mount options for this sb */
590 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
591 if (tmp & 0x01)
592 opts->num_mnt_opts++;
593 tmp >>= 1;
594 }
595 /* Check if the Label support flag is set */
596 if (sbsec->flags & SBLABEL_MNT)
597 opts->num_mnt_opts++;
598
599 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
600 if (!opts->mnt_opts) {
601 rc = -ENOMEM;
602 goto out_free;
603 }
604
605 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
606 if (!opts->mnt_opts_flags) {
607 rc = -ENOMEM;
608 goto out_free;
609 }
610
611 i = 0;
612 if (sbsec->flags & FSCONTEXT_MNT) {
613 rc = security_sid_to_context(sbsec->sid, &context, &len);
614 if (rc)
615 goto out_free;
616 opts->mnt_opts[i] = context;
617 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
618 }
619 if (sbsec->flags & CONTEXT_MNT) {
620 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
621 if (rc)
622 goto out_free;
623 opts->mnt_opts[i] = context;
624 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
625 }
626 if (sbsec->flags & DEFCONTEXT_MNT) {
627 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
628 if (rc)
629 goto out_free;
630 opts->mnt_opts[i] = context;
631 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
632 }
633 if (sbsec->flags & ROOTCONTEXT_MNT) {
634 struct dentry *root = sbsec->sb->s_root;
635 struct inode_security_struct *isec = backing_inode_security(root);
636
637 rc = security_sid_to_context(isec->sid, &context, &len);
638 if (rc)
639 goto out_free;
640 opts->mnt_opts[i] = context;
641 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
642 }
643 if (sbsec->flags & SBLABEL_MNT) {
644 opts->mnt_opts[i] = NULL;
645 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
646 }
647
648 BUG_ON(i != opts->num_mnt_opts);
649
650 return 0;
651
652 out_free:
653 security_free_mnt_opts(opts);
654 return rc;
655 }
656
657 static int bad_option(struct superblock_security_struct *sbsec, char flag,
658 u32 old_sid, u32 new_sid)
659 {
660 char mnt_flags = sbsec->flags & SE_MNTMASK;
661
662 /* check if the old mount command had the same options */
663 if (sbsec->flags & SE_SBINITIALIZED)
664 if (!(sbsec->flags & flag) ||
665 (old_sid != new_sid))
666 return 1;
667
668 /* check if we were passed the same options twice,
669 * aka someone passed context=a,context=b
670 */
671 if (!(sbsec->flags & SE_SBINITIALIZED))
672 if (mnt_flags & flag)
673 return 1;
674 return 0;
675 }
676
677 /*
678 * Allow filesystems with binary mount data to explicitly set mount point
679 * labeling information.
680 */
681 static int selinux_set_mnt_opts(struct super_block *sb,
682 struct security_mnt_opts *opts,
683 unsigned long kern_flags,
684 unsigned long *set_kern_flags)
685 {
686 const struct cred *cred = current_cred();
687 int rc = 0, i;
688 struct superblock_security_struct *sbsec = sb->s_security;
689 const char *name = sb->s_type->name;
690 struct dentry *root = sbsec->sb->s_root;
691 struct inode_security_struct *root_isec;
692 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
693 u32 defcontext_sid = 0;
694 char **mount_options = opts->mnt_opts;
695 int *flags = opts->mnt_opts_flags;
696 int num_opts = opts->num_mnt_opts;
697
698 mutex_lock(&sbsec->lock);
699
700 if (!ss_initialized) {
701 if (!num_opts) {
702 /* Defer initialization until selinux_complete_init,
703 after the initial policy is loaded and the security
704 server is ready to handle calls. */
705 goto out;
706 }
707 rc = -EINVAL;
708 printk(KERN_WARNING "SELinux: Unable to set superblock options "
709 "before the security server is initialized\n");
710 goto out;
711 }
712 if (kern_flags && !set_kern_flags) {
713 /* Specifying internal flags without providing a place to
714 * place the results is not allowed */
715 rc = -EINVAL;
716 goto out;
717 }
718
719 /*
720 * Binary mount data FS will come through this function twice. Once
721 * from an explicit call and once from the generic calls from the vfs.
722 * Since the generic VFS calls will not contain any security mount data
723 * we need to skip the double mount verification.
724 *
725 * This does open a hole in which we will not notice if the first
726 * mount using this sb set explict options and a second mount using
727 * this sb does not set any security options. (The first options
728 * will be used for both mounts)
729 */
730 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
731 && (num_opts == 0))
732 goto out;
733
734 root_isec = backing_inode_security_novalidate(root);
735
736 /*
737 * parse the mount options, check if they are valid sids.
738 * also check if someone is trying to mount the same sb more
739 * than once with different security options.
740 */
741 for (i = 0; i < num_opts; i++) {
742 u32 sid;
743
744 if (flags[i] == SBLABEL_MNT)
745 continue;
746 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
747 if (rc) {
748 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
749 "(%s) failed for (dev %s, type %s) errno=%d\n",
750 mount_options[i], sb->s_id, name, rc);
751 goto out;
752 }
753 switch (flags[i]) {
754 case FSCONTEXT_MNT:
755 fscontext_sid = sid;
756
757 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
758 fscontext_sid))
759 goto out_double_mount;
760
761 sbsec->flags |= FSCONTEXT_MNT;
762 break;
763 case CONTEXT_MNT:
764 context_sid = sid;
765
766 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
767 context_sid))
768 goto out_double_mount;
769
770 sbsec->flags |= CONTEXT_MNT;
771 break;
772 case ROOTCONTEXT_MNT:
773 rootcontext_sid = sid;
774
775 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
776 rootcontext_sid))
777 goto out_double_mount;
778
779 sbsec->flags |= ROOTCONTEXT_MNT;
780
781 break;
782 case DEFCONTEXT_MNT:
783 defcontext_sid = sid;
784
785 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
786 defcontext_sid))
787 goto out_double_mount;
788
789 sbsec->flags |= DEFCONTEXT_MNT;
790
791 break;
792 default:
793 rc = -EINVAL;
794 goto out;
795 }
796 }
797
798 if (sbsec->flags & SE_SBINITIALIZED) {
799 /* previously mounted with options, but not on this attempt? */
800 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
801 goto out_double_mount;
802 rc = 0;
803 goto out;
804 }
805
806 if (strcmp(sb->s_type->name, "proc") == 0)
807 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
808
809 if (!strcmp(sb->s_type->name, "debugfs") ||
810 !strcmp(sb->s_type->name, "sysfs") ||
811 !strcmp(sb->s_type->name, "pstore"))
812 sbsec->flags |= SE_SBGENFS;
813
814 if (!sbsec->behavior) {
815 /*
816 * Determine the labeling behavior to use for this
817 * filesystem type.
818 */
819 rc = security_fs_use(sb);
820 if (rc) {
821 printk(KERN_WARNING
822 "%s: security_fs_use(%s) returned %d\n",
823 __func__, sb->s_type->name, rc);
824 goto out;
825 }
826 }
827
828 /*
829 * If this is a user namespace mount and the filesystem type is not
830 * explicitly whitelisted, then no contexts are allowed on the command
831 * line and security labels must be ignored.
832 */
833 if (sb->s_user_ns != &init_user_ns &&
834 strcmp(sb->s_type->name, "tmpfs") &&
835 strcmp(sb->s_type->name, "ramfs") &&
836 strcmp(sb->s_type->name, "devpts")) {
837 if (context_sid || fscontext_sid || rootcontext_sid ||
838 defcontext_sid) {
839 rc = -EACCES;
840 goto out;
841 }
842 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
843 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
844 rc = security_transition_sid(current_sid(), current_sid(),
845 SECCLASS_FILE, NULL,
846 &sbsec->mntpoint_sid);
847 if (rc)
848 goto out;
849 }
850 goto out_set_opts;
851 }
852
853 /* sets the context of the superblock for the fs being mounted. */
854 if (fscontext_sid) {
855 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
856 if (rc)
857 goto out;
858
859 sbsec->sid = fscontext_sid;
860 }
861
862 /*
863 * Switch to using mount point labeling behavior.
864 * sets the label used on all file below the mountpoint, and will set
865 * the superblock context if not already set.
866 */
867 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
868 sbsec->behavior = SECURITY_FS_USE_NATIVE;
869 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
870 }
871
872 if (context_sid) {
873 if (!fscontext_sid) {
874 rc = may_context_mount_sb_relabel(context_sid, sbsec,
875 cred);
876 if (rc)
877 goto out;
878 sbsec->sid = context_sid;
879 } else {
880 rc = may_context_mount_inode_relabel(context_sid, sbsec,
881 cred);
882 if (rc)
883 goto out;
884 }
885 if (!rootcontext_sid)
886 rootcontext_sid = context_sid;
887
888 sbsec->mntpoint_sid = context_sid;
889 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
890 }
891
892 if (rootcontext_sid) {
893 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
894 cred);
895 if (rc)
896 goto out;
897
898 root_isec->sid = rootcontext_sid;
899 root_isec->initialized = LABEL_INITIALIZED;
900 }
901
902 if (defcontext_sid) {
903 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
904 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
905 rc = -EINVAL;
906 printk(KERN_WARNING "SELinux: defcontext option is "
907 "invalid for this filesystem type\n");
908 goto out;
909 }
910
911 if (defcontext_sid != sbsec->def_sid) {
912 rc = may_context_mount_inode_relabel(defcontext_sid,
913 sbsec, cred);
914 if (rc)
915 goto out;
916 }
917
918 sbsec->def_sid = defcontext_sid;
919 }
920
921 out_set_opts:
922 rc = sb_finish_set_opts(sb);
923 out:
924 mutex_unlock(&sbsec->lock);
925 return rc;
926 out_double_mount:
927 rc = -EINVAL;
928 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
929 "security settings for (dev %s, type %s)\n", sb->s_id, name);
930 goto out;
931 }
932
933 static int selinux_cmp_sb_context(const struct super_block *oldsb,
934 const struct super_block *newsb)
935 {
936 struct superblock_security_struct *old = oldsb->s_security;
937 struct superblock_security_struct *new = newsb->s_security;
938 char oldflags = old->flags & SE_MNTMASK;
939 char newflags = new->flags & SE_MNTMASK;
940
941 if (oldflags != newflags)
942 goto mismatch;
943 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
944 goto mismatch;
945 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
946 goto mismatch;
947 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
948 goto mismatch;
949 if (oldflags & ROOTCONTEXT_MNT) {
950 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
951 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
952 if (oldroot->sid != newroot->sid)
953 goto mismatch;
954 }
955 return 0;
956 mismatch:
957 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
958 "different security settings for (dev %s, "
959 "type %s)\n", newsb->s_id, newsb->s_type->name);
960 return -EBUSY;
961 }
962
963 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
964 struct super_block *newsb)
965 {
966 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
967 struct superblock_security_struct *newsbsec = newsb->s_security;
968
969 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
970 int set_context = (oldsbsec->flags & CONTEXT_MNT);
971 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
972
973 /*
974 * if the parent was able to be mounted it clearly had no special lsm
975 * mount options. thus we can safely deal with this superblock later
976 */
977 if (!ss_initialized)
978 return 0;
979
980 /* how can we clone if the old one wasn't set up?? */
981 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
982
983 /* if fs is reusing a sb, make sure that the contexts match */
984 if (newsbsec->flags & SE_SBINITIALIZED)
985 return selinux_cmp_sb_context(oldsb, newsb);
986
987 mutex_lock(&newsbsec->lock);
988
989 newsbsec->flags = oldsbsec->flags;
990
991 newsbsec->sid = oldsbsec->sid;
992 newsbsec->def_sid = oldsbsec->def_sid;
993 newsbsec->behavior = oldsbsec->behavior;
994
995 if (set_context) {
996 u32 sid = oldsbsec->mntpoint_sid;
997
998 if (!set_fscontext)
999 newsbsec->sid = sid;
1000 if (!set_rootcontext) {
1001 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1002 newisec->sid = sid;
1003 }
1004 newsbsec->mntpoint_sid = sid;
1005 }
1006 if (set_rootcontext) {
1007 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1008 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1009
1010 newisec->sid = oldisec->sid;
1011 }
1012
1013 sb_finish_set_opts(newsb);
1014 mutex_unlock(&newsbsec->lock);
1015 return 0;
1016 }
1017
1018 static int selinux_parse_opts_str(char *options,
1019 struct security_mnt_opts *opts)
1020 {
1021 char *p;
1022 char *context = NULL, *defcontext = NULL;
1023 char *fscontext = NULL, *rootcontext = NULL;
1024 int rc, num_mnt_opts = 0;
1025
1026 opts->num_mnt_opts = 0;
1027
1028 /* Standard string-based options. */
1029 while ((p = strsep(&options, "|")) != NULL) {
1030 int token;
1031 substring_t args[MAX_OPT_ARGS];
1032
1033 if (!*p)
1034 continue;
1035
1036 token = match_token(p, tokens, args);
1037
1038 switch (token) {
1039 case Opt_context:
1040 if (context || defcontext) {
1041 rc = -EINVAL;
1042 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1043 goto out_err;
1044 }
1045 context = match_strdup(&args[0]);
1046 if (!context) {
1047 rc = -ENOMEM;
1048 goto out_err;
1049 }
1050 break;
1051
1052 case Opt_fscontext:
1053 if (fscontext) {
1054 rc = -EINVAL;
1055 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1056 goto out_err;
1057 }
1058 fscontext = match_strdup(&args[0]);
1059 if (!fscontext) {
1060 rc = -ENOMEM;
1061 goto out_err;
1062 }
1063 break;
1064
1065 case Opt_rootcontext:
1066 if (rootcontext) {
1067 rc = -EINVAL;
1068 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1069 goto out_err;
1070 }
1071 rootcontext = match_strdup(&args[0]);
1072 if (!rootcontext) {
1073 rc = -ENOMEM;
1074 goto out_err;
1075 }
1076 break;
1077
1078 case Opt_defcontext:
1079 if (context || defcontext) {
1080 rc = -EINVAL;
1081 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1082 goto out_err;
1083 }
1084 defcontext = match_strdup(&args[0]);
1085 if (!defcontext) {
1086 rc = -ENOMEM;
1087 goto out_err;
1088 }
1089 break;
1090 case Opt_labelsupport:
1091 break;
1092 default:
1093 rc = -EINVAL;
1094 printk(KERN_WARNING "SELinux: unknown mount option\n");
1095 goto out_err;
1096
1097 }
1098 }
1099
1100 rc = -ENOMEM;
1101 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1102 if (!opts->mnt_opts)
1103 goto out_err;
1104
1105 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1106 GFP_KERNEL);
1107 if (!opts->mnt_opts_flags) {
1108 kfree(opts->mnt_opts);
1109 goto out_err;
1110 }
1111
1112 if (fscontext) {
1113 opts->mnt_opts[num_mnt_opts] = fscontext;
1114 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1115 }
1116 if (context) {
1117 opts->mnt_opts[num_mnt_opts] = context;
1118 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1119 }
1120 if (rootcontext) {
1121 opts->mnt_opts[num_mnt_opts] = rootcontext;
1122 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1123 }
1124 if (defcontext) {
1125 opts->mnt_opts[num_mnt_opts] = defcontext;
1126 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1127 }
1128
1129 opts->num_mnt_opts = num_mnt_opts;
1130 return 0;
1131
1132 out_err:
1133 kfree(context);
1134 kfree(defcontext);
1135 kfree(fscontext);
1136 kfree(rootcontext);
1137 return rc;
1138 }
1139 /*
1140 * string mount options parsing and call set the sbsec
1141 */
1142 static int superblock_doinit(struct super_block *sb, void *data)
1143 {
1144 int rc = 0;
1145 char *options = data;
1146 struct security_mnt_opts opts;
1147
1148 security_init_mnt_opts(&opts);
1149
1150 if (!data)
1151 goto out;
1152
1153 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1154
1155 rc = selinux_parse_opts_str(options, &opts);
1156 if (rc)
1157 goto out_err;
1158
1159 out:
1160 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1161
1162 out_err:
1163 security_free_mnt_opts(&opts);
1164 return rc;
1165 }
1166
1167 static void selinux_write_opts(struct seq_file *m,
1168 struct security_mnt_opts *opts)
1169 {
1170 int i;
1171 char *prefix;
1172
1173 for (i = 0; i < opts->num_mnt_opts; i++) {
1174 char *has_comma;
1175
1176 if (opts->mnt_opts[i])
1177 has_comma = strchr(opts->mnt_opts[i], ',');
1178 else
1179 has_comma = NULL;
1180
1181 switch (opts->mnt_opts_flags[i]) {
1182 case CONTEXT_MNT:
1183 prefix = CONTEXT_STR;
1184 break;
1185 case FSCONTEXT_MNT:
1186 prefix = FSCONTEXT_STR;
1187 break;
1188 case ROOTCONTEXT_MNT:
1189 prefix = ROOTCONTEXT_STR;
1190 break;
1191 case DEFCONTEXT_MNT:
1192 prefix = DEFCONTEXT_STR;
1193 break;
1194 case SBLABEL_MNT:
1195 seq_putc(m, ',');
1196 seq_puts(m, LABELSUPP_STR);
1197 continue;
1198 default:
1199 BUG();
1200 return;
1201 };
1202 /* we need a comma before each option */
1203 seq_putc(m, ',');
1204 seq_puts(m, prefix);
1205 if (has_comma)
1206 seq_putc(m, '\"');
1207 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1208 if (has_comma)
1209 seq_putc(m, '\"');
1210 }
1211 }
1212
1213 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1214 {
1215 struct security_mnt_opts opts;
1216 int rc;
1217
1218 rc = selinux_get_mnt_opts(sb, &opts);
1219 if (rc) {
1220 /* before policy load we may get EINVAL, don't show anything */
1221 if (rc == -EINVAL)
1222 rc = 0;
1223 return rc;
1224 }
1225
1226 selinux_write_opts(m, &opts);
1227
1228 security_free_mnt_opts(&opts);
1229
1230 return rc;
1231 }
1232
1233 static inline u16 inode_mode_to_security_class(umode_t mode)
1234 {
1235 switch (mode & S_IFMT) {
1236 case S_IFSOCK:
1237 return SECCLASS_SOCK_FILE;
1238 case S_IFLNK:
1239 return SECCLASS_LNK_FILE;
1240 case S_IFREG:
1241 return SECCLASS_FILE;
1242 case S_IFBLK:
1243 return SECCLASS_BLK_FILE;
1244 case S_IFDIR:
1245 return SECCLASS_DIR;
1246 case S_IFCHR:
1247 return SECCLASS_CHR_FILE;
1248 case S_IFIFO:
1249 return SECCLASS_FIFO_FILE;
1250
1251 }
1252
1253 return SECCLASS_FILE;
1254 }
1255
1256 static inline int default_protocol_stream(int protocol)
1257 {
1258 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1259 }
1260
1261 static inline int default_protocol_dgram(int protocol)
1262 {
1263 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1264 }
1265
1266 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1267 {
1268 int extsockclass = selinux_policycap_extsockclass;
1269
1270 switch (family) {
1271 case PF_UNIX:
1272 switch (type) {
1273 case SOCK_STREAM:
1274 case SOCK_SEQPACKET:
1275 return SECCLASS_UNIX_STREAM_SOCKET;
1276 case SOCK_DGRAM:
1277 return SECCLASS_UNIX_DGRAM_SOCKET;
1278 }
1279 break;
1280 case PF_INET:
1281 case PF_INET6:
1282 switch (type) {
1283 case SOCK_STREAM:
1284 case SOCK_SEQPACKET:
1285 if (default_protocol_stream(protocol))
1286 return SECCLASS_TCP_SOCKET;
1287 else if (extsockclass && protocol == IPPROTO_SCTP)
1288 return SECCLASS_SCTP_SOCKET;
1289 else
1290 return SECCLASS_RAWIP_SOCKET;
1291 case SOCK_DGRAM:
1292 if (default_protocol_dgram(protocol))
1293 return SECCLASS_UDP_SOCKET;
1294 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1295 protocol == IPPROTO_ICMPV6))
1296 return SECCLASS_ICMP_SOCKET;
1297 else
1298 return SECCLASS_RAWIP_SOCKET;
1299 case SOCK_DCCP:
1300 return SECCLASS_DCCP_SOCKET;
1301 default:
1302 return SECCLASS_RAWIP_SOCKET;
1303 }
1304 break;
1305 case PF_NETLINK:
1306 switch (protocol) {
1307 case NETLINK_ROUTE:
1308 return SECCLASS_NETLINK_ROUTE_SOCKET;
1309 case NETLINK_SOCK_DIAG:
1310 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1311 case NETLINK_NFLOG:
1312 return SECCLASS_NETLINK_NFLOG_SOCKET;
1313 case NETLINK_XFRM:
1314 return SECCLASS_NETLINK_XFRM_SOCKET;
1315 case NETLINK_SELINUX:
1316 return SECCLASS_NETLINK_SELINUX_SOCKET;
1317 case NETLINK_ISCSI:
1318 return SECCLASS_NETLINK_ISCSI_SOCKET;
1319 case NETLINK_AUDIT:
1320 return SECCLASS_NETLINK_AUDIT_SOCKET;
1321 case NETLINK_FIB_LOOKUP:
1322 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1323 case NETLINK_CONNECTOR:
1324 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1325 case NETLINK_NETFILTER:
1326 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1327 case NETLINK_DNRTMSG:
1328 return SECCLASS_NETLINK_DNRT_SOCKET;
1329 case NETLINK_KOBJECT_UEVENT:
1330 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1331 case NETLINK_GENERIC:
1332 return SECCLASS_NETLINK_GENERIC_SOCKET;
1333 case NETLINK_SCSITRANSPORT:
1334 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1335 case NETLINK_RDMA:
1336 return SECCLASS_NETLINK_RDMA_SOCKET;
1337 case NETLINK_CRYPTO:
1338 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1339 default:
1340 return SECCLASS_NETLINK_SOCKET;
1341 }
1342 case PF_PACKET:
1343 return SECCLASS_PACKET_SOCKET;
1344 case PF_KEY:
1345 return SECCLASS_KEY_SOCKET;
1346 case PF_APPLETALK:
1347 return SECCLASS_APPLETALK_SOCKET;
1348 }
1349
1350 if (extsockclass) {
1351 switch (family) {
1352 case PF_AX25:
1353 return SECCLASS_AX25_SOCKET;
1354 case PF_IPX:
1355 return SECCLASS_IPX_SOCKET;
1356 case PF_NETROM:
1357 return SECCLASS_NETROM_SOCKET;
1358 case PF_ATMPVC:
1359 return SECCLASS_ATMPVC_SOCKET;
1360 case PF_X25:
1361 return SECCLASS_X25_SOCKET;
1362 case PF_ROSE:
1363 return SECCLASS_ROSE_SOCKET;
1364 case PF_DECnet:
1365 return SECCLASS_DECNET_SOCKET;
1366 case PF_ATMSVC:
1367 return SECCLASS_ATMSVC_SOCKET;
1368 case PF_RDS:
1369 return SECCLASS_RDS_SOCKET;
1370 case PF_IRDA:
1371 return SECCLASS_IRDA_SOCKET;
1372 case PF_PPPOX:
1373 return SECCLASS_PPPOX_SOCKET;
1374 case PF_LLC:
1375 return SECCLASS_LLC_SOCKET;
1376 case PF_CAN:
1377 return SECCLASS_CAN_SOCKET;
1378 case PF_TIPC:
1379 return SECCLASS_TIPC_SOCKET;
1380 case PF_BLUETOOTH:
1381 return SECCLASS_BLUETOOTH_SOCKET;
1382 case PF_IUCV:
1383 return SECCLASS_IUCV_SOCKET;
1384 case PF_RXRPC:
1385 return SECCLASS_RXRPC_SOCKET;
1386 case PF_ISDN:
1387 return SECCLASS_ISDN_SOCKET;
1388 case PF_PHONET:
1389 return SECCLASS_PHONET_SOCKET;
1390 case PF_IEEE802154:
1391 return SECCLASS_IEEE802154_SOCKET;
1392 case PF_CAIF:
1393 return SECCLASS_CAIF_SOCKET;
1394 case PF_ALG:
1395 return SECCLASS_ALG_SOCKET;
1396 case PF_NFC:
1397 return SECCLASS_NFC_SOCKET;
1398 case PF_VSOCK:
1399 return SECCLASS_VSOCK_SOCKET;
1400 case PF_KCM:
1401 return SECCLASS_KCM_SOCKET;
1402 case PF_QIPCRTR:
1403 return SECCLASS_QIPCRTR_SOCKET;
1404 #if PF_MAX > 43
1405 #error New address family defined, please update this function.
1406 #endif
1407 }
1408 }
1409
1410 return SECCLASS_SOCKET;
1411 }
1412
1413 static int selinux_genfs_get_sid(struct dentry *dentry,
1414 u16 tclass,
1415 u16 flags,
1416 u32 *sid)
1417 {
1418 int rc;
1419 struct super_block *sb = dentry->d_sb;
1420 char *buffer, *path;
1421
1422 buffer = (char *)__get_free_page(GFP_KERNEL);
1423 if (!buffer)
1424 return -ENOMEM;
1425
1426 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1427 if (IS_ERR(path))
1428 rc = PTR_ERR(path);
1429 else {
1430 if (flags & SE_SBPROC) {
1431 /* each process gets a /proc/PID/ entry. Strip off the
1432 * PID part to get a valid selinux labeling.
1433 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1434 while (path[1] >= '0' && path[1] <= '9') {
1435 path[1] = '/';
1436 path++;
1437 }
1438 }
1439 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1440 }
1441 free_page((unsigned long)buffer);
1442 return rc;
1443 }
1444
1445 /* The inode's security attributes must be initialized before first use. */
1446 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1447 {
1448 struct superblock_security_struct *sbsec = NULL;
1449 struct inode_security_struct *isec = inode->i_security;
1450 u32 task_sid, sid = 0;
1451 u16 sclass;
1452 struct dentry *dentry;
1453 #define INITCONTEXTLEN 255
1454 char *context = NULL;
1455 unsigned len = 0;
1456 int rc = 0;
1457
1458 if (isec->initialized == LABEL_INITIALIZED)
1459 return 0;
1460
1461 spin_lock(&isec->lock);
1462 if (isec->initialized == LABEL_INITIALIZED)
1463 goto out_unlock;
1464
1465 if (isec->sclass == SECCLASS_FILE)
1466 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1467
1468 sbsec = inode->i_sb->s_security;
1469 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1470 /* Defer initialization until selinux_complete_init,
1471 after the initial policy is loaded and the security
1472 server is ready to handle calls. */
1473 spin_lock(&sbsec->isec_lock);
1474 if (list_empty(&isec->list))
1475 list_add(&isec->list, &sbsec->isec_head);
1476 spin_unlock(&sbsec->isec_lock);
1477 goto out_unlock;
1478 }
1479
1480 sclass = isec->sclass;
1481 task_sid = isec->task_sid;
1482 sid = isec->sid;
1483 isec->initialized = LABEL_PENDING;
1484 spin_unlock(&isec->lock);
1485
1486 switch (sbsec->behavior) {
1487 case SECURITY_FS_USE_NATIVE:
1488 break;
1489 case SECURITY_FS_USE_XATTR:
1490 if (!(inode->i_opflags & IOP_XATTR)) {
1491 sid = sbsec->def_sid;
1492 break;
1493 }
1494 /* Need a dentry, since the xattr API requires one.
1495 Life would be simpler if we could just pass the inode. */
1496 if (opt_dentry) {
1497 /* Called from d_instantiate or d_splice_alias. */
1498 dentry = dget(opt_dentry);
1499 } else {
1500 /* Called from selinux_complete_init, try to find a dentry. */
1501 dentry = d_find_alias(inode);
1502 }
1503 if (!dentry) {
1504 /*
1505 * this is can be hit on boot when a file is accessed
1506 * before the policy is loaded. When we load policy we
1507 * may find inodes that have no dentry on the
1508 * sbsec->isec_head list. No reason to complain as these
1509 * will get fixed up the next time we go through
1510 * inode_doinit with a dentry, before these inodes could
1511 * be used again by userspace.
1512 */
1513 goto out;
1514 }
1515
1516 len = INITCONTEXTLEN;
1517 context = kmalloc(len+1, GFP_NOFS);
1518 if (!context) {
1519 rc = -ENOMEM;
1520 dput(dentry);
1521 goto out;
1522 }
1523 context[len] = '\0';
1524 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1525 if (rc == -ERANGE) {
1526 kfree(context);
1527
1528 /* Need a larger buffer. Query for the right size. */
1529 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1530 if (rc < 0) {
1531 dput(dentry);
1532 goto out;
1533 }
1534 len = rc;
1535 context = kmalloc(len+1, GFP_NOFS);
1536 if (!context) {
1537 rc = -ENOMEM;
1538 dput(dentry);
1539 goto out;
1540 }
1541 context[len] = '\0';
1542 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1543 }
1544 dput(dentry);
1545 if (rc < 0) {
1546 if (rc != -ENODATA) {
1547 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1548 "%d for dev=%s ino=%ld\n", __func__,
1549 -rc, inode->i_sb->s_id, inode->i_ino);
1550 kfree(context);
1551 goto out;
1552 }
1553 /* Map ENODATA to the default file SID */
1554 sid = sbsec->def_sid;
1555 rc = 0;
1556 } else {
1557 rc = security_context_to_sid_default(context, rc, &sid,
1558 sbsec->def_sid,
1559 GFP_NOFS);
1560 if (rc) {
1561 char *dev = inode->i_sb->s_id;
1562 unsigned long ino = inode->i_ino;
1563
1564 if (rc == -EINVAL) {
1565 if (printk_ratelimit())
1566 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1567 "context=%s. This indicates you may need to relabel the inode or the "
1568 "filesystem in question.\n", ino, dev, context);
1569 } else {
1570 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1571 "returned %d for dev=%s ino=%ld\n",
1572 __func__, context, -rc, dev, ino);
1573 }
1574 kfree(context);
1575 /* Leave with the unlabeled SID */
1576 rc = 0;
1577 break;
1578 }
1579 }
1580 kfree(context);
1581 break;
1582 case SECURITY_FS_USE_TASK:
1583 sid = task_sid;
1584 break;
1585 case SECURITY_FS_USE_TRANS:
1586 /* Default to the fs SID. */
1587 sid = sbsec->sid;
1588
1589 /* Try to obtain a transition SID. */
1590 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1591 if (rc)
1592 goto out;
1593 break;
1594 case SECURITY_FS_USE_MNTPOINT:
1595 sid = sbsec->mntpoint_sid;
1596 break;
1597 default:
1598 /* Default to the fs superblock SID. */
1599 sid = sbsec->sid;
1600
1601 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1602 /* We must have a dentry to determine the label on
1603 * procfs inodes */
1604 if (opt_dentry)
1605 /* Called from d_instantiate or
1606 * d_splice_alias. */
1607 dentry = dget(opt_dentry);
1608 else
1609 /* Called from selinux_complete_init, try to
1610 * find a dentry. */
1611 dentry = d_find_alias(inode);
1612 /*
1613 * This can be hit on boot when a file is accessed
1614 * before the policy is loaded. When we load policy we
1615 * may find inodes that have no dentry on the
1616 * sbsec->isec_head list. No reason to complain as
1617 * these will get fixed up the next time we go through
1618 * inode_doinit() with a dentry, before these inodes
1619 * could be used again by userspace.
1620 */
1621 if (!dentry)
1622 goto out;
1623 rc = selinux_genfs_get_sid(dentry, sclass,
1624 sbsec->flags, &sid);
1625 dput(dentry);
1626 if (rc)
1627 goto out;
1628 }
1629 break;
1630 }
1631
1632 out:
1633 spin_lock(&isec->lock);
1634 if (isec->initialized == LABEL_PENDING) {
1635 if (!sid || rc) {
1636 isec->initialized = LABEL_INVALID;
1637 goto out_unlock;
1638 }
1639
1640 isec->initialized = LABEL_INITIALIZED;
1641 isec->sid = sid;
1642 }
1643
1644 out_unlock:
1645 spin_unlock(&isec->lock);
1646 return rc;
1647 }
1648
1649 /* Convert a Linux signal to an access vector. */
1650 static inline u32 signal_to_av(int sig)
1651 {
1652 u32 perm = 0;
1653
1654 switch (sig) {
1655 case SIGCHLD:
1656 /* Commonly granted from child to parent. */
1657 perm = PROCESS__SIGCHLD;
1658 break;
1659 case SIGKILL:
1660 /* Cannot be caught or ignored */
1661 perm = PROCESS__SIGKILL;
1662 break;
1663 case SIGSTOP:
1664 /* Cannot be caught or ignored */
1665 perm = PROCESS__SIGSTOP;
1666 break;
1667 default:
1668 /* All other signals. */
1669 perm = PROCESS__SIGNAL;
1670 break;
1671 }
1672
1673 return perm;
1674 }
1675
1676 #if CAP_LAST_CAP > 63
1677 #error Fix SELinux to handle capabilities > 63.
1678 #endif
1679
1680 /* Check whether a task is allowed to use a capability. */
1681 static int cred_has_capability(const struct cred *cred,
1682 int cap, int audit, bool initns)
1683 {
1684 struct common_audit_data ad;
1685 struct av_decision avd;
1686 u16 sclass;
1687 u32 sid = cred_sid(cred);
1688 u32 av = CAP_TO_MASK(cap);
1689 int rc;
1690
1691 ad.type = LSM_AUDIT_DATA_CAP;
1692 ad.u.cap = cap;
1693
1694 switch (CAP_TO_INDEX(cap)) {
1695 case 0:
1696 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1697 break;
1698 case 1:
1699 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1700 break;
1701 default:
1702 printk(KERN_ERR
1703 "SELinux: out of range capability %d\n", cap);
1704 BUG();
1705 return -EINVAL;
1706 }
1707
1708 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1709 if (audit == SECURITY_CAP_AUDIT) {
1710 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1711 if (rc2)
1712 return rc2;
1713 }
1714 return rc;
1715 }
1716
1717 /* Check whether a task has a particular permission to an inode.
1718 The 'adp' parameter is optional and allows other audit
1719 data to be passed (e.g. the dentry). */
1720 static int inode_has_perm(const struct cred *cred,
1721 struct inode *inode,
1722 u32 perms,
1723 struct common_audit_data *adp)
1724 {
1725 struct inode_security_struct *isec;
1726 u32 sid;
1727
1728 validate_creds(cred);
1729
1730 if (unlikely(IS_PRIVATE(inode)))
1731 return 0;
1732
1733 sid = cred_sid(cred);
1734 isec = inode->i_security;
1735
1736 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1737 }
1738
1739 /* Same as inode_has_perm, but pass explicit audit data containing
1740 the dentry to help the auditing code to more easily generate the
1741 pathname if needed. */
1742 static inline int dentry_has_perm(const struct cred *cred,
1743 struct dentry *dentry,
1744 u32 av)
1745 {
1746 struct inode *inode = d_backing_inode(dentry);
1747 struct common_audit_data ad;
1748
1749 ad.type = LSM_AUDIT_DATA_DENTRY;
1750 ad.u.dentry = dentry;
1751 __inode_security_revalidate(inode, dentry, true);
1752 return inode_has_perm(cred, inode, av, &ad);
1753 }
1754
1755 /* Same as inode_has_perm, but pass explicit audit data containing
1756 the path to help the auditing code to more easily generate the
1757 pathname if needed. */
1758 static inline int path_has_perm(const struct cred *cred,
1759 const struct path *path,
1760 u32 av)
1761 {
1762 struct inode *inode = d_backing_inode(path->dentry);
1763 struct common_audit_data ad;
1764
1765 ad.type = LSM_AUDIT_DATA_PATH;
1766 ad.u.path = *path;
1767 __inode_security_revalidate(inode, path->dentry, true);
1768 return inode_has_perm(cred, inode, av, &ad);
1769 }
1770
1771 /* Same as path_has_perm, but uses the inode from the file struct. */
1772 static inline int file_path_has_perm(const struct cred *cred,
1773 struct file *file,
1774 u32 av)
1775 {
1776 struct common_audit_data ad;
1777
1778 ad.type = LSM_AUDIT_DATA_FILE;
1779 ad.u.file = file;
1780 return inode_has_perm(cred, file_inode(file), av, &ad);
1781 }
1782
1783 /* Check whether a task can use an open file descriptor to
1784 access an inode in a given way. Check access to the
1785 descriptor itself, and then use dentry_has_perm to
1786 check a particular permission to the file.
1787 Access to the descriptor is implicitly granted if it
1788 has the same SID as the process. If av is zero, then
1789 access to the file is not checked, e.g. for cases
1790 where only the descriptor is affected like seek. */
1791 static int file_has_perm(const struct cred *cred,
1792 struct file *file,
1793 u32 av)
1794 {
1795 struct file_security_struct *fsec = file->f_security;
1796 struct inode *inode = file_inode(file);
1797 struct common_audit_data ad;
1798 u32 sid = cred_sid(cred);
1799 int rc;
1800
1801 ad.type = LSM_AUDIT_DATA_FILE;
1802 ad.u.file = file;
1803
1804 if (sid != fsec->sid) {
1805 rc = avc_has_perm(sid, fsec->sid,
1806 SECCLASS_FD,
1807 FD__USE,
1808 &ad);
1809 if (rc)
1810 goto out;
1811 }
1812
1813 /* av is zero if only checking access to the descriptor. */
1814 rc = 0;
1815 if (av)
1816 rc = inode_has_perm(cred, inode, av, &ad);
1817
1818 out:
1819 return rc;
1820 }
1821
1822 /*
1823 * Determine the label for an inode that might be unioned.
1824 */
1825 static int
1826 selinux_determine_inode_label(const struct task_security_struct *tsec,
1827 struct inode *dir,
1828 const struct qstr *name, u16 tclass,
1829 u32 *_new_isid)
1830 {
1831 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1832
1833 if ((sbsec->flags & SE_SBINITIALIZED) &&
1834 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1835 *_new_isid = sbsec->mntpoint_sid;
1836 } else if ((sbsec->flags & SBLABEL_MNT) &&
1837 tsec->create_sid) {
1838 *_new_isid = tsec->create_sid;
1839 } else {
1840 const struct inode_security_struct *dsec = inode_security(dir);
1841 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1842 name, _new_isid);
1843 }
1844
1845 return 0;
1846 }
1847
1848 /* Check whether a task can create a file. */
1849 static int may_create(struct inode *dir,
1850 struct dentry *dentry,
1851 u16 tclass)
1852 {
1853 const struct task_security_struct *tsec = current_security();
1854 struct inode_security_struct *dsec;
1855 struct superblock_security_struct *sbsec;
1856 u32 sid, newsid;
1857 struct common_audit_data ad;
1858 int rc;
1859
1860 dsec = inode_security(dir);
1861 sbsec = dir->i_sb->s_security;
1862
1863 sid = tsec->sid;
1864
1865 ad.type = LSM_AUDIT_DATA_DENTRY;
1866 ad.u.dentry = dentry;
1867
1868 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1869 DIR__ADD_NAME | DIR__SEARCH,
1870 &ad);
1871 if (rc)
1872 return rc;
1873
1874 rc = selinux_determine_inode_label(current_security(), dir,
1875 &dentry->d_name, tclass, &newsid);
1876 if (rc)
1877 return rc;
1878
1879 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1880 if (rc)
1881 return rc;
1882
1883 return avc_has_perm(newsid, sbsec->sid,
1884 SECCLASS_FILESYSTEM,
1885 FILESYSTEM__ASSOCIATE, &ad);
1886 }
1887
1888 #define MAY_LINK 0
1889 #define MAY_UNLINK 1
1890 #define MAY_RMDIR 2
1891
1892 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1893 static int may_link(struct inode *dir,
1894 struct dentry *dentry,
1895 int kind)
1896
1897 {
1898 struct inode_security_struct *dsec, *isec;
1899 struct common_audit_data ad;
1900 u32 sid = current_sid();
1901 u32 av;
1902 int rc;
1903
1904 dsec = inode_security(dir);
1905 isec = backing_inode_security(dentry);
1906
1907 ad.type = LSM_AUDIT_DATA_DENTRY;
1908 ad.u.dentry = dentry;
1909
1910 av = DIR__SEARCH;
1911 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1912 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1913 if (rc)
1914 return rc;
1915
1916 switch (kind) {
1917 case MAY_LINK:
1918 av = FILE__LINK;
1919 break;
1920 case MAY_UNLINK:
1921 av = FILE__UNLINK;
1922 break;
1923 case MAY_RMDIR:
1924 av = DIR__RMDIR;
1925 break;
1926 default:
1927 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1928 __func__, kind);
1929 return 0;
1930 }
1931
1932 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1933 return rc;
1934 }
1935
1936 static inline int may_rename(struct inode *old_dir,
1937 struct dentry *old_dentry,
1938 struct inode *new_dir,
1939 struct dentry *new_dentry)
1940 {
1941 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1942 struct common_audit_data ad;
1943 u32 sid = current_sid();
1944 u32 av;
1945 int old_is_dir, new_is_dir;
1946 int rc;
1947
1948 old_dsec = inode_security(old_dir);
1949 old_isec = backing_inode_security(old_dentry);
1950 old_is_dir = d_is_dir(old_dentry);
1951 new_dsec = inode_security(new_dir);
1952
1953 ad.type = LSM_AUDIT_DATA_DENTRY;
1954
1955 ad.u.dentry = old_dentry;
1956 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1957 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1958 if (rc)
1959 return rc;
1960 rc = avc_has_perm(sid, old_isec->sid,
1961 old_isec->sclass, FILE__RENAME, &ad);
1962 if (rc)
1963 return rc;
1964 if (old_is_dir && new_dir != old_dir) {
1965 rc = avc_has_perm(sid, old_isec->sid,
1966 old_isec->sclass, DIR__REPARENT, &ad);
1967 if (rc)
1968 return rc;
1969 }
1970
1971 ad.u.dentry = new_dentry;
1972 av = DIR__ADD_NAME | DIR__SEARCH;
1973 if (d_is_positive(new_dentry))
1974 av |= DIR__REMOVE_NAME;
1975 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1976 if (rc)
1977 return rc;
1978 if (d_is_positive(new_dentry)) {
1979 new_isec = backing_inode_security(new_dentry);
1980 new_is_dir = d_is_dir(new_dentry);
1981 rc = avc_has_perm(sid, new_isec->sid,
1982 new_isec->sclass,
1983 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1984 if (rc)
1985 return rc;
1986 }
1987
1988 return 0;
1989 }
1990
1991 /* Check whether a task can perform a filesystem operation. */
1992 static int superblock_has_perm(const struct cred *cred,
1993 struct super_block *sb,
1994 u32 perms,
1995 struct common_audit_data *ad)
1996 {
1997 struct superblock_security_struct *sbsec;
1998 u32 sid = cred_sid(cred);
1999
2000 sbsec = sb->s_security;
2001 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2002 }
2003
2004 /* Convert a Linux mode and permission mask to an access vector. */
2005 static inline u32 file_mask_to_av(int mode, int mask)
2006 {
2007 u32 av = 0;
2008
2009 if (!S_ISDIR(mode)) {
2010 if (mask & MAY_EXEC)
2011 av |= FILE__EXECUTE;
2012 if (mask & MAY_READ)
2013 av |= FILE__READ;
2014
2015 if (mask & MAY_APPEND)
2016 av |= FILE__APPEND;
2017 else if (mask & MAY_WRITE)
2018 av |= FILE__WRITE;
2019
2020 } else {
2021 if (mask & MAY_EXEC)
2022 av |= DIR__SEARCH;
2023 if (mask & MAY_WRITE)
2024 av |= DIR__WRITE;
2025 if (mask & MAY_READ)
2026 av |= DIR__READ;
2027 }
2028
2029 return av;
2030 }
2031
2032 /* Convert a Linux file to an access vector. */
2033 static inline u32 file_to_av(struct file *file)
2034 {
2035 u32 av = 0;
2036
2037 if (file->f_mode & FMODE_READ)
2038 av |= FILE__READ;
2039 if (file->f_mode & FMODE_WRITE) {
2040 if (file->f_flags & O_APPEND)
2041 av |= FILE__APPEND;
2042 else
2043 av |= FILE__WRITE;
2044 }
2045 if (!av) {
2046 /*
2047 * Special file opened with flags 3 for ioctl-only use.
2048 */
2049 av = FILE__IOCTL;
2050 }
2051
2052 return av;
2053 }
2054
2055 /*
2056 * Convert a file to an access vector and include the correct open
2057 * open permission.
2058 */
2059 static inline u32 open_file_to_av(struct file *file)
2060 {
2061 u32 av = file_to_av(file);
2062
2063 if (selinux_policycap_openperm)
2064 av |= FILE__OPEN;
2065
2066 return av;
2067 }
2068
2069 /* Hook functions begin here. */
2070
2071 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2072 {
2073 u32 mysid = current_sid();
2074 u32 mgrsid = task_sid(mgr);
2075
2076 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2077 BINDER__SET_CONTEXT_MGR, NULL);
2078 }
2079
2080 static int selinux_binder_transaction(struct task_struct *from,
2081 struct task_struct *to)
2082 {
2083 u32 mysid = current_sid();
2084 u32 fromsid = task_sid(from);
2085 u32 tosid = task_sid(to);
2086 int rc;
2087
2088 if (mysid != fromsid) {
2089 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2090 BINDER__IMPERSONATE, NULL);
2091 if (rc)
2092 return rc;
2093 }
2094
2095 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2096 NULL);
2097 }
2098
2099 static int selinux_binder_transfer_binder(struct task_struct *from,
2100 struct task_struct *to)
2101 {
2102 u32 fromsid = task_sid(from);
2103 u32 tosid = task_sid(to);
2104
2105 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2106 NULL);
2107 }
2108
2109 static int selinux_binder_transfer_file(struct task_struct *from,
2110 struct task_struct *to,
2111 struct file *file)
2112 {
2113 u32 sid = task_sid(to);
2114 struct file_security_struct *fsec = file->f_security;
2115 struct dentry *dentry = file->f_path.dentry;
2116 struct inode_security_struct *isec;
2117 struct common_audit_data ad;
2118 int rc;
2119
2120 ad.type = LSM_AUDIT_DATA_PATH;
2121 ad.u.path = file->f_path;
2122
2123 if (sid != fsec->sid) {
2124 rc = avc_has_perm(sid, fsec->sid,
2125 SECCLASS_FD,
2126 FD__USE,
2127 &ad);
2128 if (rc)
2129 return rc;
2130 }
2131
2132 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2133 return 0;
2134
2135 isec = backing_inode_security(dentry);
2136 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2137 &ad);
2138 }
2139
2140 static int selinux_ptrace_access_check(struct task_struct *child,
2141 unsigned int mode)
2142 {
2143 u32 sid = current_sid();
2144 u32 csid = task_sid(child);
2145
2146 if (mode & PTRACE_MODE_READ)
2147 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2148
2149 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2150 }
2151
2152 static int selinux_ptrace_traceme(struct task_struct *parent)
2153 {
2154 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2155 PROCESS__PTRACE, NULL);
2156 }
2157
2158 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2159 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2160 {
2161 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2162 PROCESS__GETCAP, NULL);
2163 }
2164
2165 static int selinux_capset(struct cred *new, const struct cred *old,
2166 const kernel_cap_t *effective,
2167 const kernel_cap_t *inheritable,
2168 const kernel_cap_t *permitted)
2169 {
2170 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2171 PROCESS__SETCAP, NULL);
2172 }
2173
2174 /*
2175 * (This comment used to live with the selinux_task_setuid hook,
2176 * which was removed).
2177 *
2178 * Since setuid only affects the current process, and since the SELinux
2179 * controls are not based on the Linux identity attributes, SELinux does not
2180 * need to control this operation. However, SELinux does control the use of
2181 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2182 */
2183
2184 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2185 int cap, int audit)
2186 {
2187 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2188 }
2189
2190 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2191 {
2192 const struct cred *cred = current_cred();
2193 int rc = 0;
2194
2195 if (!sb)
2196 return 0;
2197
2198 switch (cmds) {
2199 case Q_SYNC:
2200 case Q_QUOTAON:
2201 case Q_QUOTAOFF:
2202 case Q_SETINFO:
2203 case Q_SETQUOTA:
2204 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2205 break;
2206 case Q_GETFMT:
2207 case Q_GETINFO:
2208 case Q_GETQUOTA:
2209 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2210 break;
2211 default:
2212 rc = 0; /* let the kernel handle invalid cmds */
2213 break;
2214 }
2215 return rc;
2216 }
2217
2218 static int selinux_quota_on(struct dentry *dentry)
2219 {
2220 const struct cred *cred = current_cred();
2221
2222 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2223 }
2224
2225 static int selinux_syslog(int type)
2226 {
2227 switch (type) {
2228 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2229 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2230 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2231 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2232 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2233 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2234 /* Set level of messages printed to console */
2235 case SYSLOG_ACTION_CONSOLE_LEVEL:
2236 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2237 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2238 NULL);
2239 }
2240 /* All other syslog types */
2241 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2242 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2243 }
2244
2245 /*
2246 * Check that a process has enough memory to allocate a new virtual
2247 * mapping. 0 means there is enough memory for the allocation to
2248 * succeed and -ENOMEM implies there is not.
2249 *
2250 * Do not audit the selinux permission check, as this is applied to all
2251 * processes that allocate mappings.
2252 */
2253 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2254 {
2255 int rc, cap_sys_admin = 0;
2256
2257 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2258 SECURITY_CAP_NOAUDIT, true);
2259 if (rc == 0)
2260 cap_sys_admin = 1;
2261
2262 return cap_sys_admin;
2263 }
2264
2265 /* binprm security operations */
2266
2267 static u32 ptrace_parent_sid(void)
2268 {
2269 u32 sid = 0;
2270 struct task_struct *tracer;
2271
2272 rcu_read_lock();
2273 tracer = ptrace_parent(current);
2274 if (tracer)
2275 sid = task_sid(tracer);
2276 rcu_read_unlock();
2277
2278 return sid;
2279 }
2280
2281 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2282 const struct task_security_struct *old_tsec,
2283 const struct task_security_struct *new_tsec)
2284 {
2285 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2286 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2287 int rc;
2288
2289 if (!nnp && !nosuid)
2290 return 0; /* neither NNP nor nosuid */
2291
2292 if (new_tsec->sid == old_tsec->sid)
2293 return 0; /* No change in credentials */
2294
2295 /*
2296 * The only transitions we permit under NNP or nosuid
2297 * are transitions to bounded SIDs, i.e. SIDs that are
2298 * guaranteed to only be allowed a subset of the permissions
2299 * of the current SID.
2300 */
2301 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2302 if (rc) {
2303 /*
2304 * On failure, preserve the errno values for NNP vs nosuid.
2305 * NNP: Operation not permitted for caller.
2306 * nosuid: Permission denied to file.
2307 */
2308 if (nnp)
2309 return -EPERM;
2310 else
2311 return -EACCES;
2312 }
2313 return 0;
2314 }
2315
2316 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2317 {
2318 const struct task_security_struct *old_tsec;
2319 struct task_security_struct *new_tsec;
2320 struct inode_security_struct *isec;
2321 struct common_audit_data ad;
2322 struct inode *inode = file_inode(bprm->file);
2323 int rc;
2324
2325 /* SELinux context only depends on initial program or script and not
2326 * the script interpreter */
2327 if (bprm->cred_prepared)
2328 return 0;
2329
2330 old_tsec = current_security();
2331 new_tsec = bprm->cred->security;
2332 isec = inode_security(inode);
2333
2334 /* Default to the current task SID. */
2335 new_tsec->sid = old_tsec->sid;
2336 new_tsec->osid = old_tsec->sid;
2337
2338 /* Reset fs, key, and sock SIDs on execve. */
2339 new_tsec->create_sid = 0;
2340 new_tsec->keycreate_sid = 0;
2341 new_tsec->sockcreate_sid = 0;
2342
2343 if (old_tsec->exec_sid) {
2344 new_tsec->sid = old_tsec->exec_sid;
2345 /* Reset exec SID on execve. */
2346 new_tsec->exec_sid = 0;
2347
2348 /* Fail on NNP or nosuid if not an allowed transition. */
2349 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2350 if (rc)
2351 return rc;
2352 } else {
2353 /* Check for a default transition on this program. */
2354 rc = security_transition_sid(old_tsec->sid, isec->sid,
2355 SECCLASS_PROCESS, NULL,
2356 &new_tsec->sid);
2357 if (rc)
2358 return rc;
2359
2360 /*
2361 * Fallback to old SID on NNP or nosuid if not an allowed
2362 * transition.
2363 */
2364 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2365 if (rc)
2366 new_tsec->sid = old_tsec->sid;
2367 }
2368
2369 ad.type = LSM_AUDIT_DATA_FILE;
2370 ad.u.file = bprm->file;
2371
2372 if (new_tsec->sid == old_tsec->sid) {
2373 rc = avc_has_perm(old_tsec->sid, isec->sid,
2374 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2375 if (rc)
2376 return rc;
2377 } else {
2378 /* Check permissions for the transition. */
2379 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2380 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2381 if (rc)
2382 return rc;
2383
2384 rc = avc_has_perm(new_tsec->sid, isec->sid,
2385 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2386 if (rc)
2387 return rc;
2388
2389 /* Check for shared state */
2390 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2391 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2392 SECCLASS_PROCESS, PROCESS__SHARE,
2393 NULL);
2394 if (rc)
2395 return -EPERM;
2396 }
2397
2398 /* Make sure that anyone attempting to ptrace over a task that
2399 * changes its SID has the appropriate permit */
2400 if (bprm->unsafe &
2401 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2402 u32 ptsid = ptrace_parent_sid();
2403 if (ptsid != 0) {
2404 rc = avc_has_perm(ptsid, new_tsec->sid,
2405 SECCLASS_PROCESS,
2406 PROCESS__PTRACE, NULL);
2407 if (rc)
2408 return -EPERM;
2409 }
2410 }
2411
2412 /* Clear any possibly unsafe personality bits on exec: */
2413 bprm->per_clear |= PER_CLEAR_ON_SETID;
2414 }
2415
2416 return 0;
2417 }
2418
2419 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2420 {
2421 const struct task_security_struct *tsec = current_security();
2422 u32 sid, osid;
2423 int atsecure = 0;
2424
2425 sid = tsec->sid;
2426 osid = tsec->osid;
2427
2428 if (osid != sid) {
2429 /* Enable secure mode for SIDs transitions unless
2430 the noatsecure permission is granted between
2431 the two SIDs, i.e. ahp returns 0. */
2432 atsecure = avc_has_perm(osid, sid,
2433 SECCLASS_PROCESS,
2434 PROCESS__NOATSECURE, NULL);
2435 }
2436
2437 return !!atsecure;
2438 }
2439
2440 static int match_file(const void *p, struct file *file, unsigned fd)
2441 {
2442 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2443 }
2444
2445 /* Derived from fs/exec.c:flush_old_files. */
2446 static inline void flush_unauthorized_files(const struct cred *cred,
2447 struct files_struct *files)
2448 {
2449 struct file *file, *devnull = NULL;
2450 struct tty_struct *tty;
2451 int drop_tty = 0;
2452 unsigned n;
2453
2454 tty = get_current_tty();
2455 if (tty) {
2456 spin_lock(&tty->files_lock);
2457 if (!list_empty(&tty->tty_files)) {
2458 struct tty_file_private *file_priv;
2459
2460 /* Revalidate access to controlling tty.
2461 Use file_path_has_perm on the tty path directly
2462 rather than using file_has_perm, as this particular
2463 open file may belong to another process and we are
2464 only interested in the inode-based check here. */
2465 file_priv = list_first_entry(&tty->tty_files,
2466 struct tty_file_private, list);
2467 file = file_priv->file;
2468 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2469 drop_tty = 1;
2470 }
2471 spin_unlock(&tty->files_lock);
2472 tty_kref_put(tty);
2473 }
2474 /* Reset controlling tty. */
2475 if (drop_tty)
2476 no_tty();
2477
2478 /* Revalidate access to inherited open files. */
2479 n = iterate_fd(files, 0, match_file, cred);
2480 if (!n) /* none found? */
2481 return;
2482
2483 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2484 if (IS_ERR(devnull))
2485 devnull = NULL;
2486 /* replace all the matching ones with this */
2487 do {
2488 replace_fd(n - 1, devnull, 0);
2489 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2490 if (devnull)
2491 fput(devnull);
2492 }
2493
2494 /*
2495 * Prepare a process for imminent new credential changes due to exec
2496 */
2497 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2498 {
2499 struct task_security_struct *new_tsec;
2500 struct rlimit *rlim, *initrlim;
2501 int rc, i;
2502
2503 new_tsec = bprm->cred->security;
2504 if (new_tsec->sid == new_tsec->osid)
2505 return;
2506
2507 /* Close files for which the new task SID is not authorized. */
2508 flush_unauthorized_files(bprm->cred, current->files);
2509
2510 /* Always clear parent death signal on SID transitions. */
2511 current->pdeath_signal = 0;
2512
2513 /* Check whether the new SID can inherit resource limits from the old
2514 * SID. If not, reset all soft limits to the lower of the current
2515 * task's hard limit and the init task's soft limit.
2516 *
2517 * Note that the setting of hard limits (even to lower them) can be
2518 * controlled by the setrlimit check. The inclusion of the init task's
2519 * soft limit into the computation is to avoid resetting soft limits
2520 * higher than the default soft limit for cases where the default is
2521 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2522 */
2523 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2524 PROCESS__RLIMITINH, NULL);
2525 if (rc) {
2526 /* protect against do_prlimit() */
2527 task_lock(current);
2528 for (i = 0; i < RLIM_NLIMITS; i++) {
2529 rlim = current->signal->rlim + i;
2530 initrlim = init_task.signal->rlim + i;
2531 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2532 }
2533 task_unlock(current);
2534 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2535 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2536 }
2537 }
2538
2539 /*
2540 * Clean up the process immediately after the installation of new credentials
2541 * due to exec
2542 */
2543 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2544 {
2545 const struct task_security_struct *tsec = current_security();
2546 struct itimerval itimer;
2547 u32 osid, sid;
2548 int rc, i;
2549
2550 osid = tsec->osid;
2551 sid = tsec->sid;
2552
2553 if (sid == osid)
2554 return;
2555
2556 /* Check whether the new SID can inherit signal state from the old SID.
2557 * If not, clear itimers to avoid subsequent signal generation and
2558 * flush and unblock signals.
2559 *
2560 * This must occur _after_ the task SID has been updated so that any
2561 * kill done after the flush will be checked against the new SID.
2562 */
2563 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2564 if (rc) {
2565 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2566 memset(&itimer, 0, sizeof itimer);
2567 for (i = 0; i < 3; i++)
2568 do_setitimer(i, &itimer, NULL);
2569 }
2570 spin_lock_irq(&current->sighand->siglock);
2571 if (!fatal_signal_pending(current)) {
2572 flush_sigqueue(&current->pending);
2573 flush_sigqueue(&current->signal->shared_pending);
2574 flush_signal_handlers(current, 1);
2575 sigemptyset(&current->blocked);
2576 recalc_sigpending();
2577 }
2578 spin_unlock_irq(&current->sighand->siglock);
2579 }
2580
2581 /* Wake up the parent if it is waiting so that it can recheck
2582 * wait permission to the new task SID. */
2583 read_lock(&tasklist_lock);
2584 __wake_up_parent(current, current->real_parent);
2585 read_unlock(&tasklist_lock);
2586 }
2587
2588 /* superblock security operations */
2589
2590 static int selinux_sb_alloc_security(struct super_block *sb)
2591 {
2592 return superblock_alloc_security(sb);
2593 }
2594
2595 static void selinux_sb_free_security(struct super_block *sb)
2596 {
2597 superblock_free_security(sb);
2598 }
2599
2600 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2601 {
2602 if (plen > olen)
2603 return 0;
2604
2605 return !memcmp(prefix, option, plen);
2606 }
2607
2608 static inline int selinux_option(char *option, int len)
2609 {
2610 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2611 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2612 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2613 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2614 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2615 }
2616
2617 static inline void take_option(char **to, char *from, int *first, int len)
2618 {
2619 if (!*first) {
2620 **to = ',';
2621 *to += 1;
2622 } else
2623 *first = 0;
2624 memcpy(*to, from, len);
2625 *to += len;
2626 }
2627
2628 static inline void take_selinux_option(char **to, char *from, int *first,
2629 int len)
2630 {
2631 int current_size = 0;
2632
2633 if (!*first) {
2634 **to = '|';
2635 *to += 1;
2636 } else
2637 *first = 0;
2638
2639 while (current_size < len) {
2640 if (*from != '"') {
2641 **to = *from;
2642 *to += 1;
2643 }
2644 from += 1;
2645 current_size += 1;
2646 }
2647 }
2648
2649 static int selinux_sb_copy_data(char *orig, char *copy)
2650 {
2651 int fnosec, fsec, rc = 0;
2652 char *in_save, *in_curr, *in_end;
2653 char *sec_curr, *nosec_save, *nosec;
2654 int open_quote = 0;
2655
2656 in_curr = orig;
2657 sec_curr = copy;
2658
2659 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2660 if (!nosec) {
2661 rc = -ENOMEM;
2662 goto out;
2663 }
2664
2665 nosec_save = nosec;
2666 fnosec = fsec = 1;
2667 in_save = in_end = orig;
2668
2669 do {
2670 if (*in_end == '"')
2671 open_quote = !open_quote;
2672 if ((*in_end == ',' && open_quote == 0) ||
2673 *in_end == '\0') {
2674 int len = in_end - in_curr;
2675
2676 if (selinux_option(in_curr, len))
2677 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2678 else
2679 take_option(&nosec, in_curr, &fnosec, len);
2680
2681 in_curr = in_end + 1;
2682 }
2683 } while (*in_end++);
2684
2685 strcpy(in_save, nosec_save);
2686 free_page((unsigned long)nosec_save);
2687 out:
2688 return rc;
2689 }
2690
2691 static int selinux_sb_remount(struct super_block *sb, void *data)
2692 {
2693 int rc, i, *flags;
2694 struct security_mnt_opts opts;
2695 char *secdata, **mount_options;
2696 struct superblock_security_struct *sbsec = sb->s_security;
2697
2698 if (!(sbsec->flags & SE_SBINITIALIZED))
2699 return 0;
2700
2701 if (!data)
2702 return 0;
2703
2704 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2705 return 0;
2706
2707 security_init_mnt_opts(&opts);
2708 secdata = alloc_secdata();
2709 if (!secdata)
2710 return -ENOMEM;
2711 rc = selinux_sb_copy_data(data, secdata);
2712 if (rc)
2713 goto out_free_secdata;
2714
2715 rc = selinux_parse_opts_str(secdata, &opts);
2716 if (rc)
2717 goto out_free_secdata;
2718
2719 mount_options = opts.mnt_opts;
2720 flags = opts.mnt_opts_flags;
2721
2722 for (i = 0; i < opts.num_mnt_opts; i++) {
2723 u32 sid;
2724
2725 if (flags[i] == SBLABEL_MNT)
2726 continue;
2727 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2728 if (rc) {
2729 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2730 "(%s) failed for (dev %s, type %s) errno=%d\n",
2731 mount_options[i], sb->s_id, sb->s_type->name, rc);
2732 goto out_free_opts;
2733 }
2734 rc = -EINVAL;
2735 switch (flags[i]) {
2736 case FSCONTEXT_MNT:
2737 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2738 goto out_bad_option;
2739 break;
2740 case CONTEXT_MNT:
2741 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2742 goto out_bad_option;
2743 break;
2744 case ROOTCONTEXT_MNT: {
2745 struct inode_security_struct *root_isec;
2746 root_isec = backing_inode_security(sb->s_root);
2747
2748 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2749 goto out_bad_option;
2750 break;
2751 }
2752 case DEFCONTEXT_MNT:
2753 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2754 goto out_bad_option;
2755 break;
2756 default:
2757 goto out_free_opts;
2758 }
2759 }
2760
2761 rc = 0;
2762 out_free_opts:
2763 security_free_mnt_opts(&opts);
2764 out_free_secdata:
2765 free_secdata(secdata);
2766 return rc;
2767 out_bad_option:
2768 printk(KERN_WARNING "SELinux: unable to change security options "
2769 "during remount (dev %s, type=%s)\n", sb->s_id,
2770 sb->s_type->name);
2771 goto out_free_opts;
2772 }
2773
2774 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2775 {
2776 const struct cred *cred = current_cred();
2777 struct common_audit_data ad;
2778 int rc;
2779
2780 rc = superblock_doinit(sb, data);
2781 if (rc)
2782 return rc;
2783
2784 /* Allow all mounts performed by the kernel */
2785 if (flags & MS_KERNMOUNT)
2786 return 0;
2787
2788 ad.type = LSM_AUDIT_DATA_DENTRY;
2789 ad.u.dentry = sb->s_root;
2790 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2791 }
2792
2793 static int selinux_sb_statfs(struct dentry *dentry)
2794 {
2795 const struct cred *cred = current_cred();
2796 struct common_audit_data ad;
2797
2798 ad.type = LSM_AUDIT_DATA_DENTRY;
2799 ad.u.dentry = dentry->d_sb->s_root;
2800 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2801 }
2802
2803 static int selinux_mount(const char *dev_name,
2804 const struct path *path,
2805 const char *type,
2806 unsigned long flags,
2807 void *data)
2808 {
2809 const struct cred *cred = current_cred();
2810
2811 if (flags & MS_REMOUNT)
2812 return superblock_has_perm(cred, path->dentry->d_sb,
2813 FILESYSTEM__REMOUNT, NULL);
2814 else
2815 return path_has_perm(cred, path, FILE__MOUNTON);
2816 }
2817
2818 static int selinux_umount(struct vfsmount *mnt, int flags)
2819 {
2820 const struct cred *cred = current_cred();
2821
2822 return superblock_has_perm(cred, mnt->mnt_sb,
2823 FILESYSTEM__UNMOUNT, NULL);
2824 }
2825
2826 /* inode security operations */
2827
2828 static int selinux_inode_alloc_security(struct inode *inode)
2829 {
2830 return inode_alloc_security(inode);
2831 }
2832
2833 static void selinux_inode_free_security(struct inode *inode)
2834 {
2835 inode_free_security(inode);
2836 }
2837
2838 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2839 const struct qstr *name, void **ctx,
2840 u32 *ctxlen)
2841 {
2842 u32 newsid;
2843 int rc;
2844
2845 rc = selinux_determine_inode_label(current_security(),
2846 d_inode(dentry->d_parent), name,
2847 inode_mode_to_security_class(mode),
2848 &newsid);
2849 if (rc)
2850 return rc;
2851
2852 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2853 }
2854
2855 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2856 struct qstr *name,
2857 const struct cred *old,
2858 struct cred *new)
2859 {
2860 u32 newsid;
2861 int rc;
2862 struct task_security_struct *tsec;
2863
2864 rc = selinux_determine_inode_label(old->security,
2865 d_inode(dentry->d_parent), name,
2866 inode_mode_to_security_class(mode),
2867 &newsid);
2868 if (rc)
2869 return rc;
2870
2871 tsec = new->security;
2872 tsec->create_sid = newsid;
2873 return 0;
2874 }
2875
2876 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2877 const struct qstr *qstr,
2878 const char **name,
2879 void **value, size_t *len)
2880 {
2881 const struct task_security_struct *tsec = current_security();
2882 struct superblock_security_struct *sbsec;
2883 u32 sid, newsid, clen;
2884 int rc;
2885 char *context;
2886
2887 sbsec = dir->i_sb->s_security;
2888
2889 sid = tsec->sid;
2890 newsid = tsec->create_sid;
2891
2892 rc = selinux_determine_inode_label(current_security(),
2893 dir, qstr,
2894 inode_mode_to_security_class(inode->i_mode),
2895 &newsid);
2896 if (rc)
2897 return rc;
2898
2899 /* Possibly defer initialization to selinux_complete_init. */
2900 if (sbsec->flags & SE_SBINITIALIZED) {
2901 struct inode_security_struct *isec = inode->i_security;
2902 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2903 isec->sid = newsid;
2904 isec->initialized = LABEL_INITIALIZED;
2905 }
2906
2907 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2908 return -EOPNOTSUPP;
2909
2910 if (name)
2911 *name = XATTR_SELINUX_SUFFIX;
2912
2913 if (value && len) {
2914 rc = security_sid_to_context_force(newsid, &context, &clen);
2915 if (rc)
2916 return rc;
2917 *value = context;
2918 *len = clen;
2919 }
2920
2921 return 0;
2922 }
2923
2924 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2925 {
2926 return may_create(dir, dentry, SECCLASS_FILE);
2927 }
2928
2929 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2930 {
2931 return may_link(dir, old_dentry, MAY_LINK);
2932 }
2933
2934 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2935 {
2936 return may_link(dir, dentry, MAY_UNLINK);
2937 }
2938
2939 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2940 {
2941 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2942 }
2943
2944 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2945 {
2946 return may_create(dir, dentry, SECCLASS_DIR);
2947 }
2948
2949 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2950 {
2951 return may_link(dir, dentry, MAY_RMDIR);
2952 }
2953
2954 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2955 {
2956 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2957 }
2958
2959 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2960 struct inode *new_inode, struct dentry *new_dentry)
2961 {
2962 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2963 }
2964
2965 static int selinux_inode_readlink(struct dentry *dentry)
2966 {
2967 const struct cred *cred = current_cred();
2968
2969 return dentry_has_perm(cred, dentry, FILE__READ);
2970 }
2971
2972 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2973 bool rcu)
2974 {
2975 const struct cred *cred = current_cred();
2976 struct common_audit_data ad;
2977 struct inode_security_struct *isec;
2978 u32 sid;
2979
2980 validate_creds(cred);
2981
2982 ad.type = LSM_AUDIT_DATA_DENTRY;
2983 ad.u.dentry = dentry;
2984 sid = cred_sid(cred);
2985 isec = inode_security_rcu(inode, rcu);
2986 if (IS_ERR(isec))
2987 return PTR_ERR(isec);
2988
2989 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2990 rcu ? MAY_NOT_BLOCK : 0);
2991 }
2992
2993 static noinline int audit_inode_permission(struct inode *inode,
2994 u32 perms, u32 audited, u32 denied,
2995 int result,
2996 unsigned flags)
2997 {
2998 struct common_audit_data ad;
2999 struct inode_security_struct *isec = inode->i_security;
3000 int rc;
3001
3002 ad.type = LSM_AUDIT_DATA_INODE;
3003 ad.u.inode = inode;
3004
3005 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3006 audited, denied, result, &ad, flags);
3007 if (rc)
3008 return rc;
3009 return 0;
3010 }
3011
3012 static int selinux_inode_permission(struct inode *inode, int mask)
3013 {
3014 const struct cred *cred = current_cred();
3015 u32 perms;
3016 bool from_access;
3017 unsigned flags = mask & MAY_NOT_BLOCK;
3018 struct inode_security_struct *isec;
3019 u32 sid;
3020 struct av_decision avd;
3021 int rc, rc2;
3022 u32 audited, denied;
3023
3024 from_access = mask & MAY_ACCESS;
3025 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3026
3027 /* No permission to check. Existence test. */
3028 if (!mask)
3029 return 0;
3030
3031 validate_creds(cred);
3032
3033 if (unlikely(IS_PRIVATE(inode)))
3034 return 0;
3035
3036 perms = file_mask_to_av(inode->i_mode, mask);
3037
3038 sid = cred_sid(cred);
3039 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3040 if (IS_ERR(isec))
3041 return PTR_ERR(isec);
3042
3043 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3044 audited = avc_audit_required(perms, &avd, rc,
3045 from_access ? FILE__AUDIT_ACCESS : 0,
3046 &denied);
3047 if (likely(!audited))
3048 return rc;
3049
3050 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3051 if (rc2)
3052 return rc2;
3053 return rc;
3054 }
3055
3056 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3057 {
3058 const struct cred *cred = current_cred();
3059 unsigned int ia_valid = iattr->ia_valid;
3060 __u32 av = FILE__WRITE;
3061
3062 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3063 if (ia_valid & ATTR_FORCE) {
3064 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3065 ATTR_FORCE);
3066 if (!ia_valid)
3067 return 0;
3068 }
3069
3070 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3071 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3072 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3073
3074 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3075 && !(ia_valid & ATTR_FILE))
3076 av |= FILE__OPEN;
3077
3078 return dentry_has_perm(cred, dentry, av);
3079 }
3080
3081 static int selinux_inode_getattr(const struct path *path)
3082 {
3083 return path_has_perm(current_cred(), path, FILE__GETATTR);
3084 }
3085
3086 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3087 {
3088 const struct cred *cred = current_cred();
3089
3090 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3091 sizeof XATTR_SECURITY_PREFIX - 1)) {
3092 if (!strcmp(name, XATTR_NAME_CAPS)) {
3093 if (!capable(CAP_SETFCAP))
3094 return -EPERM;
3095 } else if (!capable(CAP_SYS_ADMIN)) {
3096 /* A different attribute in the security namespace.
3097 Restrict to administrator. */
3098 return -EPERM;
3099 }
3100 }
3101
3102 /* Not an attribute we recognize, so just check the
3103 ordinary setattr permission. */
3104 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3105 }
3106
3107 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3108 const void *value, size_t size, int flags)
3109 {
3110 struct inode *inode = d_backing_inode(dentry);
3111 struct inode_security_struct *isec;
3112 struct superblock_security_struct *sbsec;
3113 struct common_audit_data ad;
3114 u32 newsid, sid = current_sid();
3115 int rc = 0;
3116
3117 if (strcmp(name, XATTR_NAME_SELINUX))
3118 return selinux_inode_setotherxattr(dentry, name);
3119
3120 sbsec = inode->i_sb->s_security;
3121 if (!(sbsec->flags & SBLABEL_MNT))
3122 return -EOPNOTSUPP;
3123
3124 if (!inode_owner_or_capable(inode))
3125 return -EPERM;
3126
3127 ad.type = LSM_AUDIT_DATA_DENTRY;
3128 ad.u.dentry = dentry;
3129
3130 isec = backing_inode_security(dentry);
3131 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3132 FILE__RELABELFROM, &ad);
3133 if (rc)
3134 return rc;
3135
3136 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3137 if (rc == -EINVAL) {
3138 if (!capable(CAP_MAC_ADMIN)) {
3139 struct audit_buffer *ab;
3140 size_t audit_size;
3141 const char *str;
3142
3143 /* We strip a nul only if it is at the end, otherwise the
3144 * context contains a nul and we should audit that */
3145 if (value) {
3146 str = value;
3147 if (str[size - 1] == '\0')
3148 audit_size = size - 1;
3149 else
3150 audit_size = size;
3151 } else {
3152 str = "";
3153 audit_size = 0;
3154 }
3155 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3156 audit_log_format(ab, "op=setxattr invalid_context=");
3157 audit_log_n_untrustedstring(ab, value, audit_size);
3158 audit_log_end(ab);
3159
3160 return rc;
3161 }
3162 rc = security_context_to_sid_force(value, size, &newsid);
3163 }
3164 if (rc)
3165 return rc;
3166
3167 rc = avc_has_perm(sid, newsid, isec->sclass,
3168 FILE__RELABELTO, &ad);
3169 if (rc)
3170 return rc;
3171
3172 rc = security_validate_transition(isec->sid, newsid, sid,
3173 isec->sclass);
3174 if (rc)
3175 return rc;
3176
3177 return avc_has_perm(newsid,
3178 sbsec->sid,
3179 SECCLASS_FILESYSTEM,
3180 FILESYSTEM__ASSOCIATE,
3181 &ad);
3182 }
3183
3184 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3185 const void *value, size_t size,
3186 int flags)
3187 {
3188 struct inode *inode = d_backing_inode(dentry);
3189 struct inode_security_struct *isec;
3190 u32 newsid;
3191 int rc;
3192
3193 if (strcmp(name, XATTR_NAME_SELINUX)) {
3194 /* Not an attribute we recognize, so nothing to do. */
3195 return;
3196 }
3197
3198 rc = security_context_to_sid_force(value, size, &newsid);
3199 if (rc) {
3200 printk(KERN_ERR "SELinux: unable to map context to SID"
3201 "for (%s, %lu), rc=%d\n",
3202 inode->i_sb->s_id, inode->i_ino, -rc);
3203 return;
3204 }
3205
3206 isec = backing_inode_security(dentry);
3207 spin_lock(&isec->lock);
3208 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3209 isec->sid = newsid;
3210 isec->initialized = LABEL_INITIALIZED;
3211 spin_unlock(&isec->lock);
3212
3213 return;
3214 }
3215
3216 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3217 {
3218 const struct cred *cred = current_cred();
3219
3220 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3221 }
3222
3223 static int selinux_inode_listxattr(struct dentry *dentry)
3224 {
3225 const struct cred *cred = current_cred();
3226
3227 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3228 }
3229
3230 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3231 {
3232 if (strcmp(name, XATTR_NAME_SELINUX))
3233 return selinux_inode_setotherxattr(dentry, name);
3234
3235 /* No one is allowed to remove a SELinux security label.
3236 You can change the label, but all data must be labeled. */
3237 return -EACCES;
3238 }
3239
3240 /*
3241 * Copy the inode security context value to the user.
3242 *
3243 * Permission check is handled by selinux_inode_getxattr hook.
3244 */
3245 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3246 {
3247 u32 size;
3248 int error;
3249 char *context = NULL;
3250 struct inode_security_struct *isec;
3251
3252 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3253 return -EOPNOTSUPP;
3254
3255 /*
3256 * If the caller has CAP_MAC_ADMIN, then get the raw context
3257 * value even if it is not defined by current policy; otherwise,
3258 * use the in-core value under current policy.
3259 * Use the non-auditing forms of the permission checks since
3260 * getxattr may be called by unprivileged processes commonly
3261 * and lack of permission just means that we fall back to the
3262 * in-core context value, not a denial.
3263 */
3264 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3265 SECURITY_CAP_NOAUDIT);
3266 if (!error)
3267 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3268 SECURITY_CAP_NOAUDIT, true);
3269 isec = inode_security(inode);
3270 if (!error)
3271 error = security_sid_to_context_force(isec->sid, &context,
3272 &size);
3273 else
3274 error = security_sid_to_context(isec->sid, &context, &size);
3275 if (error)
3276 return error;
3277 error = size;
3278 if (alloc) {
3279 *buffer = context;
3280 goto out_nofree;
3281 }
3282 kfree(context);
3283 out_nofree:
3284 return error;
3285 }
3286
3287 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3288 const void *value, size_t size, int flags)
3289 {
3290 struct inode_security_struct *isec = inode_security_novalidate(inode);
3291 u32 newsid;
3292 int rc;
3293
3294 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3295 return -EOPNOTSUPP;
3296
3297 if (!value || !size)
3298 return -EACCES;
3299
3300 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3301 if (rc)
3302 return rc;
3303
3304 spin_lock(&isec->lock);
3305 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3306 isec->sid = newsid;
3307 isec->initialized = LABEL_INITIALIZED;
3308 spin_unlock(&isec->lock);
3309 return 0;
3310 }
3311
3312 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3313 {
3314 const int len = sizeof(XATTR_NAME_SELINUX);
3315 if (buffer && len <= buffer_size)
3316 memcpy(buffer, XATTR_NAME_SELINUX, len);
3317 return len;
3318 }
3319
3320 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3321 {
3322 struct inode_security_struct *isec = inode_security_novalidate(inode);
3323 *secid = isec->sid;
3324 }
3325
3326 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3327 {
3328 u32 sid;
3329 struct task_security_struct *tsec;
3330 struct cred *new_creds = *new;
3331
3332 if (new_creds == NULL) {
3333 new_creds = prepare_creds();
3334 if (!new_creds)
3335 return -ENOMEM;
3336 }
3337
3338 tsec = new_creds->security;
3339 /* Get label from overlay inode and set it in create_sid */
3340 selinux_inode_getsecid(d_inode(src), &sid);
3341 tsec->create_sid = sid;
3342 *new = new_creds;
3343 return 0;
3344 }
3345
3346 static int selinux_inode_copy_up_xattr(const char *name)
3347 {
3348 /* The copy_up hook above sets the initial context on an inode, but we
3349 * don't then want to overwrite it by blindly copying all the lower
3350 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3351 */
3352 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3353 return 1; /* Discard */
3354 /*
3355 * Any other attribute apart from SELINUX is not claimed, supported
3356 * by selinux.
3357 */
3358 return -EOPNOTSUPP;
3359 }
3360
3361 /* file security operations */
3362
3363 static int selinux_revalidate_file_permission(struct file *file, int mask)
3364 {
3365 const struct cred *cred = current_cred();
3366 struct inode *inode = file_inode(file);
3367
3368 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3369 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3370 mask |= MAY_APPEND;
3371
3372 return file_has_perm(cred, file,
3373 file_mask_to_av(inode->i_mode, mask));
3374 }
3375
3376 static int selinux_file_permission(struct file *file, int mask)
3377 {
3378 struct inode *inode = file_inode(file);
3379 struct file_security_struct *fsec = file->f_security;
3380 struct inode_security_struct *isec;
3381 u32 sid = current_sid();
3382
3383 if (!mask)
3384 /* No permission to check. Existence test. */
3385 return 0;
3386
3387 isec = inode_security(inode);
3388 if (sid == fsec->sid && fsec->isid == isec->sid &&
3389 fsec->pseqno == avc_policy_seqno())
3390 /* No change since file_open check. */
3391 return 0;
3392
3393 return selinux_revalidate_file_permission(file, mask);
3394 }
3395
3396 static int selinux_file_alloc_security(struct file *file)
3397 {
3398 return file_alloc_security(file);
3399 }
3400
3401 static void selinux_file_free_security(struct file *file)
3402 {
3403 file_free_security(file);
3404 }
3405
3406 /*
3407 * Check whether a task has the ioctl permission and cmd
3408 * operation to an inode.
3409 */
3410 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3411 u32 requested, u16 cmd)
3412 {
3413 struct common_audit_data ad;
3414 struct file_security_struct *fsec = file->f_security;
3415 struct inode *inode = file_inode(file);
3416 struct inode_security_struct *isec;
3417 struct lsm_ioctlop_audit ioctl;
3418 u32 ssid = cred_sid(cred);
3419 int rc;
3420 u8 driver = cmd >> 8;
3421 u8 xperm = cmd & 0xff;
3422
3423 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3424 ad.u.op = &ioctl;
3425 ad.u.op->cmd = cmd;
3426 ad.u.op->path = file->f_path;
3427
3428 if (ssid != fsec->sid) {
3429 rc = avc_has_perm(ssid, fsec->sid,
3430 SECCLASS_FD,
3431 FD__USE,
3432 &ad);
3433 if (rc)
3434 goto out;
3435 }
3436
3437 if (unlikely(IS_PRIVATE(inode)))
3438 return 0;
3439
3440 isec = inode_security(inode);
3441 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3442 requested, driver, xperm, &ad);
3443 out:
3444 return rc;
3445 }
3446
3447 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3448 unsigned long arg)
3449 {
3450 const struct cred *cred = current_cred();
3451 int error = 0;
3452
3453 switch (cmd) {
3454 case FIONREAD:
3455 /* fall through */
3456 case FIBMAP:
3457 /* fall through */
3458 case FIGETBSZ:
3459 /* fall through */
3460 case FS_IOC_GETFLAGS:
3461 /* fall through */
3462 case FS_IOC_GETVERSION:
3463 error = file_has_perm(cred, file, FILE__GETATTR);
3464 break;
3465
3466 case FS_IOC_SETFLAGS:
3467 /* fall through */
3468 case FS_IOC_SETVERSION:
3469 error = file_has_perm(cred, file, FILE__SETATTR);
3470 break;
3471
3472 /* sys_ioctl() checks */
3473 case FIONBIO:
3474 /* fall through */
3475 case FIOASYNC:
3476 error = file_has_perm(cred, file, 0);
3477 break;
3478
3479 case KDSKBENT:
3480 case KDSKBSENT:
3481 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3482 SECURITY_CAP_AUDIT, true);
3483 break;
3484
3485 /* default case assumes that the command will go
3486 * to the file's ioctl() function.
3487 */
3488 default:
3489 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3490 }
3491 return error;
3492 }
3493
3494 static int default_noexec;
3495
3496 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3497 {
3498 const struct cred *cred = current_cred();
3499 u32 sid = cred_sid(cred);
3500 int rc = 0;
3501
3502 if (default_noexec &&
3503 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3504 (!shared && (prot & PROT_WRITE)))) {
3505 /*
3506 * We are making executable an anonymous mapping or a
3507 * private file mapping that will also be writable.
3508 * This has an additional check.
3509 */
3510 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3511 PROCESS__EXECMEM, NULL);
3512 if (rc)
3513 goto error;
3514 }
3515
3516 if (file) {
3517 /* read access is always possible with a mapping */
3518 u32 av = FILE__READ;
3519
3520 /* write access only matters if the mapping is shared */
3521 if (shared && (prot & PROT_WRITE))
3522 av |= FILE__WRITE;
3523
3524 if (prot & PROT_EXEC)
3525 av |= FILE__EXECUTE;
3526
3527 return file_has_perm(cred, file, av);
3528 }
3529
3530 error:
3531 return rc;
3532 }
3533
3534 static int selinux_mmap_addr(unsigned long addr)
3535 {
3536 int rc = 0;
3537
3538 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3539 u32 sid = current_sid();
3540 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3541 MEMPROTECT__MMAP_ZERO, NULL);
3542 }
3543
3544 return rc;
3545 }
3546
3547 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3548 unsigned long prot, unsigned long flags)
3549 {
3550 if (selinux_checkreqprot)
3551 prot = reqprot;
3552
3553 return file_map_prot_check(file, prot,
3554 (flags & MAP_TYPE) == MAP_SHARED);
3555 }
3556
3557 static int selinux_file_mprotect(struct vm_area_struct *vma,
3558 unsigned long reqprot,
3559 unsigned long prot)
3560 {
3561 const struct cred *cred = current_cred();
3562 u32 sid = cred_sid(cred);
3563
3564 if (selinux_checkreqprot)
3565 prot = reqprot;
3566
3567 if (default_noexec &&
3568 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3569 int rc = 0;
3570 if (vma->vm_start >= vma->vm_mm->start_brk &&
3571 vma->vm_end <= vma->vm_mm->brk) {
3572 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3573 PROCESS__EXECHEAP, NULL);
3574 } else if (!vma->vm_file &&
3575 ((vma->vm_start <= vma->vm_mm->start_stack &&
3576 vma->vm_end >= vma->vm_mm->start_stack) ||
3577 vma_is_stack_for_current(vma))) {
3578 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3579 PROCESS__EXECSTACK, NULL);
3580 } else if (vma->vm_file && vma->anon_vma) {
3581 /*
3582 * We are making executable a file mapping that has
3583 * had some COW done. Since pages might have been
3584 * written, check ability to execute the possibly
3585 * modified content. This typically should only
3586 * occur for text relocations.
3587 */
3588 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3589 }
3590 if (rc)
3591 return rc;
3592 }
3593
3594 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3595 }
3596
3597 static int selinux_file_lock(struct file *file, unsigned int cmd)
3598 {
3599 const struct cred *cred = current_cred();
3600
3601 return file_has_perm(cred, file, FILE__LOCK);
3602 }
3603
3604 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3605 unsigned long arg)
3606 {
3607 const struct cred *cred = current_cred();
3608 int err = 0;
3609
3610 switch (cmd) {
3611 case F_SETFL:
3612 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3613 err = file_has_perm(cred, file, FILE__WRITE);
3614 break;
3615 }
3616 /* fall through */
3617 case F_SETOWN:
3618 case F_SETSIG:
3619 case F_GETFL:
3620 case F_GETOWN:
3621 case F_GETSIG:
3622 case F_GETOWNER_UIDS:
3623 /* Just check FD__USE permission */
3624 err = file_has_perm(cred, file, 0);
3625 break;
3626 case F_GETLK:
3627 case F_SETLK:
3628 case F_SETLKW:
3629 case F_OFD_GETLK:
3630 case F_OFD_SETLK:
3631 case F_OFD_SETLKW:
3632 #if BITS_PER_LONG == 32
3633 case F_GETLK64:
3634 case F_SETLK64:
3635 case F_SETLKW64:
3636 #endif
3637 err = file_has_perm(cred, file, FILE__LOCK);
3638 break;
3639 }
3640
3641 return err;
3642 }
3643
3644 static void selinux_file_set_fowner(struct file *file)
3645 {
3646 struct file_security_struct *fsec;
3647
3648 fsec = file->f_security;
3649 fsec->fown_sid = current_sid();
3650 }
3651
3652 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3653 struct fown_struct *fown, int signum)
3654 {
3655 struct file *file;
3656 u32 sid = task_sid(tsk);
3657 u32 perm;
3658 struct file_security_struct *fsec;
3659
3660 /* struct fown_struct is never outside the context of a struct file */
3661 file = container_of(fown, struct file, f_owner);
3662
3663 fsec = file->f_security;
3664
3665 if (!signum)
3666 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3667 else
3668 perm = signal_to_av(signum);
3669
3670 return avc_has_perm(fsec->fown_sid, sid,
3671 SECCLASS_PROCESS, perm, NULL);
3672 }
3673
3674 static int selinux_file_receive(struct file *file)
3675 {
3676 const struct cred *cred = current_cred();
3677
3678 return file_has_perm(cred, file, file_to_av(file));
3679 }
3680
3681 static int selinux_file_open(struct file *file, const struct cred *cred)
3682 {
3683 struct file_security_struct *fsec;
3684 struct inode_security_struct *isec;
3685
3686 fsec = file->f_security;
3687 isec = inode_security(file_inode(file));
3688 /*
3689 * Save inode label and policy sequence number
3690 * at open-time so that selinux_file_permission
3691 * can determine whether revalidation is necessary.
3692 * Task label is already saved in the file security
3693 * struct as its SID.
3694 */
3695 fsec->isid = isec->sid;
3696 fsec->pseqno = avc_policy_seqno();
3697 /*
3698 * Since the inode label or policy seqno may have changed
3699 * between the selinux_inode_permission check and the saving
3700 * of state above, recheck that access is still permitted.
3701 * Otherwise, access might never be revalidated against the
3702 * new inode label or new policy.
3703 * This check is not redundant - do not remove.
3704 */
3705 return file_path_has_perm(cred, file, open_file_to_av(file));
3706 }
3707
3708 /* task security operations */
3709
3710 static int selinux_task_create(unsigned long clone_flags)
3711 {
3712 u32 sid = current_sid();
3713
3714 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3715 }
3716
3717 /*
3718 * allocate the SELinux part of blank credentials
3719 */
3720 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3721 {
3722 struct task_security_struct *tsec;
3723
3724 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3725 if (!tsec)
3726 return -ENOMEM;
3727
3728 cred->security = tsec;
3729 return 0;
3730 }
3731
3732 /*
3733 * detach and free the LSM part of a set of credentials
3734 */
3735 static void selinux_cred_free(struct cred *cred)
3736 {
3737 struct task_security_struct *tsec = cred->security;
3738
3739 /*
3740 * cred->security == NULL if security_cred_alloc_blank() or
3741 * security_prepare_creds() returned an error.
3742 */
3743 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3744 cred->security = (void *) 0x7UL;
3745 kfree(tsec);
3746 }
3747
3748 /*
3749 * prepare a new set of credentials for modification
3750 */
3751 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3752 gfp_t gfp)
3753 {
3754 const struct task_security_struct *old_tsec;
3755 struct task_security_struct *tsec;
3756
3757 old_tsec = old->security;
3758
3759 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3760 if (!tsec)
3761 return -ENOMEM;
3762
3763 new->security = tsec;
3764 return 0;
3765 }
3766
3767 /*
3768 * transfer the SELinux data to a blank set of creds
3769 */
3770 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3771 {
3772 const struct task_security_struct *old_tsec = old->security;
3773 struct task_security_struct *tsec = new->security;
3774
3775 *tsec = *old_tsec;
3776 }
3777
3778 /*
3779 * set the security data for a kernel service
3780 * - all the creation contexts are set to unlabelled
3781 */
3782 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3783 {
3784 struct task_security_struct *tsec = new->security;
3785 u32 sid = current_sid();
3786 int ret;
3787
3788 ret = avc_has_perm(sid, secid,
3789 SECCLASS_KERNEL_SERVICE,
3790 KERNEL_SERVICE__USE_AS_OVERRIDE,
3791 NULL);
3792 if (ret == 0) {
3793 tsec->sid = secid;
3794 tsec->create_sid = 0;
3795 tsec->keycreate_sid = 0;
3796 tsec->sockcreate_sid = 0;
3797 }
3798 return ret;
3799 }
3800
3801 /*
3802 * set the file creation context in a security record to the same as the
3803 * objective context of the specified inode
3804 */
3805 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3806 {
3807 struct inode_security_struct *isec = inode_security(inode);
3808 struct task_security_struct *tsec = new->security;
3809 u32 sid = current_sid();
3810 int ret;
3811
3812 ret = avc_has_perm(sid, isec->sid,
3813 SECCLASS_KERNEL_SERVICE,
3814 KERNEL_SERVICE__CREATE_FILES_AS,
3815 NULL);
3816
3817 if (ret == 0)
3818 tsec->create_sid = isec->sid;
3819 return ret;
3820 }
3821
3822 static int selinux_kernel_module_request(char *kmod_name)
3823 {
3824 struct common_audit_data ad;
3825
3826 ad.type = LSM_AUDIT_DATA_KMOD;
3827 ad.u.kmod_name = kmod_name;
3828
3829 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3830 SYSTEM__MODULE_REQUEST, &ad);
3831 }
3832
3833 static int selinux_kernel_module_from_file(struct file *file)
3834 {
3835 struct common_audit_data ad;
3836 struct inode_security_struct *isec;
3837 struct file_security_struct *fsec;
3838 u32 sid = current_sid();
3839 int rc;
3840
3841 /* init_module */
3842 if (file == NULL)
3843 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3844 SYSTEM__MODULE_LOAD, NULL);
3845
3846 /* finit_module */
3847
3848 ad.type = LSM_AUDIT_DATA_FILE;
3849 ad.u.file = file;
3850
3851 fsec = file->f_security;
3852 if (sid != fsec->sid) {
3853 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3854 if (rc)
3855 return rc;
3856 }
3857
3858 isec = inode_security(file_inode(file));
3859 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3860 SYSTEM__MODULE_LOAD, &ad);
3861 }
3862
3863 static int selinux_kernel_read_file(struct file *file,
3864 enum kernel_read_file_id id)
3865 {
3866 int rc = 0;
3867
3868 switch (id) {
3869 case READING_MODULE:
3870 rc = selinux_kernel_module_from_file(file);
3871 break;
3872 default:
3873 break;
3874 }
3875
3876 return rc;
3877 }
3878
3879 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3880 {
3881 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3882 PROCESS__SETPGID, NULL);
3883 }
3884
3885 static int selinux_task_getpgid(struct task_struct *p)
3886 {
3887 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3888 PROCESS__GETPGID, NULL);
3889 }
3890
3891 static int selinux_task_getsid(struct task_struct *p)
3892 {
3893 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3894 PROCESS__GETSESSION, NULL);
3895 }
3896
3897 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3898 {
3899 *secid = task_sid(p);
3900 }
3901
3902 static int selinux_task_setnice(struct task_struct *p, int nice)
3903 {
3904 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3905 PROCESS__SETSCHED, NULL);
3906 }
3907
3908 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3909 {
3910 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3911 PROCESS__SETSCHED, NULL);
3912 }
3913
3914 static int selinux_task_getioprio(struct task_struct *p)
3915 {
3916 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3917 PROCESS__GETSCHED, NULL);
3918 }
3919
3920 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3921 struct rlimit *new_rlim)
3922 {
3923 struct rlimit *old_rlim = p->signal->rlim + resource;
3924
3925 /* Control the ability to change the hard limit (whether
3926 lowering or raising it), so that the hard limit can
3927 later be used as a safe reset point for the soft limit
3928 upon context transitions. See selinux_bprm_committing_creds. */
3929 if (old_rlim->rlim_max != new_rlim->rlim_max)
3930 return avc_has_perm(current_sid(), task_sid(p),
3931 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
3932
3933 return 0;
3934 }
3935
3936 static int selinux_task_setscheduler(struct task_struct *p)
3937 {
3938 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3939 PROCESS__SETSCHED, NULL);
3940 }
3941
3942 static int selinux_task_getscheduler(struct task_struct *p)
3943 {
3944 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3945 PROCESS__GETSCHED, NULL);
3946 }
3947
3948 static int selinux_task_movememory(struct task_struct *p)
3949 {
3950 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3951 PROCESS__SETSCHED, NULL);
3952 }
3953
3954 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3955 int sig, u32 secid)
3956 {
3957 u32 perm;
3958
3959 if (!sig)
3960 perm = PROCESS__SIGNULL; /* null signal; existence test */
3961 else
3962 perm = signal_to_av(sig);
3963 if (!secid)
3964 secid = current_sid();
3965 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
3966 }
3967
3968 static void selinux_task_to_inode(struct task_struct *p,
3969 struct inode *inode)
3970 {
3971 struct inode_security_struct *isec = inode->i_security;
3972 u32 sid = task_sid(p);
3973
3974 spin_lock(&isec->lock);
3975 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3976 isec->sid = sid;
3977 isec->initialized = LABEL_INITIALIZED;
3978 spin_unlock(&isec->lock);
3979 }
3980
3981 /* Returns error only if unable to parse addresses */
3982 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3983 struct common_audit_data *ad, u8 *proto)
3984 {
3985 int offset, ihlen, ret = -EINVAL;
3986 struct iphdr _iph, *ih;
3987
3988 offset = skb_network_offset(skb);
3989 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3990 if (ih == NULL)
3991 goto out;
3992
3993 ihlen = ih->ihl * 4;
3994 if (ihlen < sizeof(_iph))
3995 goto out;
3996
3997 ad->u.net->v4info.saddr = ih->saddr;
3998 ad->u.net->v4info.daddr = ih->daddr;
3999 ret = 0;
4000
4001 if (proto)
4002 *proto = ih->protocol;
4003
4004 switch (ih->protocol) {
4005 case IPPROTO_TCP: {
4006 struct tcphdr _tcph, *th;
4007
4008 if (ntohs(ih->frag_off) & IP_OFFSET)
4009 break;
4010
4011 offset += ihlen;
4012 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4013 if (th == NULL)
4014 break;
4015
4016 ad->u.net->sport = th->source;
4017 ad->u.net->dport = th->dest;
4018 break;
4019 }
4020
4021 case IPPROTO_UDP: {
4022 struct udphdr _udph, *uh;
4023
4024 if (ntohs(ih->frag_off) & IP_OFFSET)
4025 break;
4026
4027 offset += ihlen;
4028 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4029 if (uh == NULL)
4030 break;
4031
4032 ad->u.net->sport = uh->source;
4033 ad->u.net->dport = uh->dest;
4034 break;
4035 }
4036
4037 case IPPROTO_DCCP: {
4038 struct dccp_hdr _dccph, *dh;
4039
4040 if (ntohs(ih->frag_off) & IP_OFFSET)
4041 break;
4042
4043 offset += ihlen;
4044 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4045 if (dh == NULL)
4046 break;
4047
4048 ad->u.net->sport = dh->dccph_sport;
4049 ad->u.net->dport = dh->dccph_dport;
4050 break;
4051 }
4052
4053 default:
4054 break;
4055 }
4056 out:
4057 return ret;
4058 }
4059
4060 #if IS_ENABLED(CONFIG_IPV6)
4061
4062 /* Returns error only if unable to parse addresses */
4063 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4064 struct common_audit_data *ad, u8 *proto)
4065 {
4066 u8 nexthdr;
4067 int ret = -EINVAL, offset;
4068 struct ipv6hdr _ipv6h, *ip6;
4069 __be16 frag_off;
4070
4071 offset = skb_network_offset(skb);
4072 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4073 if (ip6 == NULL)
4074 goto out;
4075
4076 ad->u.net->v6info.saddr = ip6->saddr;
4077 ad->u.net->v6info.daddr = ip6->daddr;
4078 ret = 0;
4079
4080 nexthdr = ip6->nexthdr;
4081 offset += sizeof(_ipv6h);
4082 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4083 if (offset < 0)
4084 goto out;
4085
4086 if (proto)
4087 *proto = nexthdr;
4088
4089 switch (nexthdr) {
4090 case IPPROTO_TCP: {
4091 struct tcphdr _tcph, *th;
4092
4093 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4094 if (th == NULL)
4095 break;
4096
4097 ad->u.net->sport = th->source;
4098 ad->u.net->dport = th->dest;
4099 break;
4100 }
4101
4102 case IPPROTO_UDP: {
4103 struct udphdr _udph, *uh;
4104
4105 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4106 if (uh == NULL)
4107 break;
4108
4109 ad->u.net->sport = uh->source;
4110 ad->u.net->dport = uh->dest;
4111 break;
4112 }
4113
4114 case IPPROTO_DCCP: {
4115 struct dccp_hdr _dccph, *dh;
4116
4117 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4118 if (dh == NULL)
4119 break;
4120
4121 ad->u.net->sport = dh->dccph_sport;
4122 ad->u.net->dport = dh->dccph_dport;
4123 break;
4124 }
4125
4126 /* includes fragments */
4127 default:
4128 break;
4129 }
4130 out:
4131 return ret;
4132 }
4133
4134 #endif /* IPV6 */
4135
4136 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4137 char **_addrp, int src, u8 *proto)
4138 {
4139 char *addrp;
4140 int ret;
4141
4142 switch (ad->u.net->family) {
4143 case PF_INET:
4144 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4145 if (ret)
4146 goto parse_error;
4147 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4148 &ad->u.net->v4info.daddr);
4149 goto okay;
4150
4151 #if IS_ENABLED(CONFIG_IPV6)
4152 case PF_INET6:
4153 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4154 if (ret)
4155 goto parse_error;
4156 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4157 &ad->u.net->v6info.daddr);
4158 goto okay;
4159 #endif /* IPV6 */
4160 default:
4161 addrp = NULL;
4162 goto okay;
4163 }
4164
4165 parse_error:
4166 printk(KERN_WARNING
4167 "SELinux: failure in selinux_parse_skb(),"
4168 " unable to parse packet\n");
4169 return ret;
4170
4171 okay:
4172 if (_addrp)
4173 *_addrp = addrp;
4174 return 0;
4175 }
4176
4177 /**
4178 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4179 * @skb: the packet
4180 * @family: protocol family
4181 * @sid: the packet's peer label SID
4182 *
4183 * Description:
4184 * Check the various different forms of network peer labeling and determine
4185 * the peer label/SID for the packet; most of the magic actually occurs in
4186 * the security server function security_net_peersid_cmp(). The function
4187 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4188 * or -EACCES if @sid is invalid due to inconsistencies with the different
4189 * peer labels.
4190 *
4191 */
4192 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4193 {
4194 int err;
4195 u32 xfrm_sid;
4196 u32 nlbl_sid;
4197 u32 nlbl_type;
4198
4199 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4200 if (unlikely(err))
4201 return -EACCES;
4202 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4203 if (unlikely(err))
4204 return -EACCES;
4205
4206 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4207 if (unlikely(err)) {
4208 printk(KERN_WARNING
4209 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4210 " unable to determine packet's peer label\n");
4211 return -EACCES;
4212 }
4213
4214 return 0;
4215 }
4216
4217 /**
4218 * selinux_conn_sid - Determine the child socket label for a connection
4219 * @sk_sid: the parent socket's SID
4220 * @skb_sid: the packet's SID
4221 * @conn_sid: the resulting connection SID
4222 *
4223 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4224 * combined with the MLS information from @skb_sid in order to create
4225 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4226 * of @sk_sid. Returns zero on success, negative values on failure.
4227 *
4228 */
4229 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4230 {
4231 int err = 0;
4232
4233 if (skb_sid != SECSID_NULL)
4234 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4235 else
4236 *conn_sid = sk_sid;
4237
4238 return err;
4239 }
4240
4241 /* socket security operations */
4242
4243 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4244 u16 secclass, u32 *socksid)
4245 {
4246 if (tsec->sockcreate_sid > SECSID_NULL) {
4247 *socksid = tsec->sockcreate_sid;
4248 return 0;
4249 }
4250
4251 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4252 socksid);
4253 }
4254
4255 static int sock_has_perm(struct sock *sk, u32 perms)
4256 {
4257 struct sk_security_struct *sksec = sk->sk_security;
4258 struct common_audit_data ad;
4259 struct lsm_network_audit net = {0,};
4260
4261 if (sksec->sid == SECINITSID_KERNEL)
4262 return 0;
4263
4264 ad.type = LSM_AUDIT_DATA_NET;
4265 ad.u.net = &net;
4266 ad.u.net->sk = sk;
4267
4268 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4269 &ad);
4270 }
4271
4272 static int selinux_socket_create(int family, int type,
4273 int protocol, int kern)
4274 {
4275 const struct task_security_struct *tsec = current_security();
4276 u32 newsid;
4277 u16 secclass;
4278 int rc;
4279
4280 if (kern)
4281 return 0;
4282
4283 secclass = socket_type_to_security_class(family, type, protocol);
4284 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4285 if (rc)
4286 return rc;
4287
4288 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4289 }
4290
4291 static int selinux_socket_post_create(struct socket *sock, int family,
4292 int type, int protocol, int kern)
4293 {
4294 const struct task_security_struct *tsec = current_security();
4295 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4296 struct sk_security_struct *sksec;
4297 u16 sclass = socket_type_to_security_class(family, type, protocol);
4298 u32 sid = SECINITSID_KERNEL;
4299 int err = 0;
4300
4301 if (!kern) {
4302 err = socket_sockcreate_sid(tsec, sclass, &sid);
4303 if (err)
4304 return err;
4305 }
4306
4307 isec->sclass = sclass;
4308 isec->sid = sid;
4309 isec->initialized = LABEL_INITIALIZED;
4310
4311 if (sock->sk) {
4312 sksec = sock->sk->sk_security;
4313 sksec->sclass = sclass;
4314 sksec->sid = sid;
4315 err = selinux_netlbl_socket_post_create(sock->sk, family);
4316 }
4317
4318 return err;
4319 }
4320
4321 /* Range of port numbers used to automatically bind.
4322 Need to determine whether we should perform a name_bind
4323 permission check between the socket and the port number. */
4324
4325 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4326 {
4327 struct sock *sk = sock->sk;
4328 u16 family;
4329 int err;
4330
4331 err = sock_has_perm(sk, SOCKET__BIND);
4332 if (err)
4333 goto out;
4334
4335 /*
4336 * If PF_INET or PF_INET6, check name_bind permission for the port.
4337 * Multiple address binding for SCTP is not supported yet: we just
4338 * check the first address now.
4339 */
4340 family = sk->sk_family;
4341 if (family == PF_INET || family == PF_INET6) {
4342 char *addrp;
4343 struct sk_security_struct *sksec = sk->sk_security;
4344 struct common_audit_data ad;
4345 struct lsm_network_audit net = {0,};
4346 struct sockaddr_in *addr4 = NULL;
4347 struct sockaddr_in6 *addr6 = NULL;
4348 unsigned short snum;
4349 u32 sid, node_perm;
4350
4351 if (family == PF_INET) {
4352 addr4 = (struct sockaddr_in *)address;
4353 snum = ntohs(addr4->sin_port);
4354 addrp = (char *)&addr4->sin_addr.s_addr;
4355 } else {
4356 addr6 = (struct sockaddr_in6 *)address;
4357 snum = ntohs(addr6->sin6_port);
4358 addrp = (char *)&addr6->sin6_addr.s6_addr;
4359 }
4360
4361 if (snum) {
4362 int low, high;
4363
4364 inet_get_local_port_range(sock_net(sk), &low, &high);
4365
4366 if (snum < max(PROT_SOCK, low) || snum > high) {
4367 err = sel_netport_sid(sk->sk_protocol,
4368 snum, &sid);
4369 if (err)
4370 goto out;
4371 ad.type = LSM_AUDIT_DATA_NET;
4372 ad.u.net = &net;
4373 ad.u.net->sport = htons(snum);
4374 ad.u.net->family = family;
4375 err = avc_has_perm(sksec->sid, sid,
4376 sksec->sclass,
4377 SOCKET__NAME_BIND, &ad);
4378 if (err)
4379 goto out;
4380 }
4381 }
4382
4383 switch (sksec->sclass) {
4384 case SECCLASS_TCP_SOCKET:
4385 node_perm = TCP_SOCKET__NODE_BIND;
4386 break;
4387
4388 case SECCLASS_UDP_SOCKET:
4389 node_perm = UDP_SOCKET__NODE_BIND;
4390 break;
4391
4392 case SECCLASS_DCCP_SOCKET:
4393 node_perm = DCCP_SOCKET__NODE_BIND;
4394 break;
4395
4396 default:
4397 node_perm = RAWIP_SOCKET__NODE_BIND;
4398 break;
4399 }
4400
4401 err = sel_netnode_sid(addrp, family, &sid);
4402 if (err)
4403 goto out;
4404
4405 ad.type = LSM_AUDIT_DATA_NET;
4406 ad.u.net = &net;
4407 ad.u.net->sport = htons(snum);
4408 ad.u.net->family = family;
4409
4410 if (family == PF_INET)
4411 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4412 else
4413 ad.u.net->v6info.saddr = addr6->sin6_addr;
4414
4415 err = avc_has_perm(sksec->sid, sid,
4416 sksec->sclass, node_perm, &ad);
4417 if (err)
4418 goto out;
4419 }
4420 out:
4421 return err;
4422 }
4423
4424 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4425 {
4426 struct sock *sk = sock->sk;
4427 struct sk_security_struct *sksec = sk->sk_security;
4428 int err;
4429
4430 err = sock_has_perm(sk, SOCKET__CONNECT);
4431 if (err)
4432 return err;
4433
4434 /*
4435 * If a TCP or DCCP socket, check name_connect permission for the port.
4436 */
4437 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4438 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4439 struct common_audit_data ad;
4440 struct lsm_network_audit net = {0,};
4441 struct sockaddr_in *addr4 = NULL;
4442 struct sockaddr_in6 *addr6 = NULL;
4443 unsigned short snum;
4444 u32 sid, perm;
4445
4446 if (sk->sk_family == PF_INET) {
4447 addr4 = (struct sockaddr_in *)address;
4448 if (addrlen < sizeof(struct sockaddr_in))
4449 return -EINVAL;
4450 snum = ntohs(addr4->sin_port);
4451 } else {
4452 addr6 = (struct sockaddr_in6 *)address;
4453 if (addrlen < SIN6_LEN_RFC2133)
4454 return -EINVAL;
4455 snum = ntohs(addr6->sin6_port);
4456 }
4457
4458 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4459 if (err)
4460 goto out;
4461
4462 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4463 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4464
4465 ad.type = LSM_AUDIT_DATA_NET;
4466 ad.u.net = &net;
4467 ad.u.net->dport = htons(snum);
4468 ad.u.net->family = sk->sk_family;
4469 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4470 if (err)
4471 goto out;
4472 }
4473
4474 err = selinux_netlbl_socket_connect(sk, address);
4475
4476 out:
4477 return err;
4478 }
4479
4480 static int selinux_socket_listen(struct socket *sock, int backlog)
4481 {
4482 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4483 }
4484
4485 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4486 {
4487 int err;
4488 struct inode_security_struct *isec;
4489 struct inode_security_struct *newisec;
4490 u16 sclass;
4491 u32 sid;
4492
4493 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4494 if (err)
4495 return err;
4496
4497 isec = inode_security_novalidate(SOCK_INODE(sock));
4498 spin_lock(&isec->lock);
4499 sclass = isec->sclass;
4500 sid = isec->sid;
4501 spin_unlock(&isec->lock);
4502
4503 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4504 newisec->sclass = sclass;
4505 newisec->sid = sid;
4506 newisec->initialized = LABEL_INITIALIZED;
4507
4508 return 0;
4509 }
4510
4511 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4512 int size)
4513 {
4514 return sock_has_perm(sock->sk, SOCKET__WRITE);
4515 }
4516
4517 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4518 int size, int flags)
4519 {
4520 return sock_has_perm(sock->sk, SOCKET__READ);
4521 }
4522
4523 static int selinux_socket_getsockname(struct socket *sock)
4524 {
4525 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4526 }
4527
4528 static int selinux_socket_getpeername(struct socket *sock)
4529 {
4530 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4531 }
4532
4533 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4534 {
4535 int err;
4536
4537 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4538 if (err)
4539 return err;
4540
4541 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4542 }
4543
4544 static int selinux_socket_getsockopt(struct socket *sock, int level,
4545 int optname)
4546 {
4547 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4548 }
4549
4550 static int selinux_socket_shutdown(struct socket *sock, int how)
4551 {
4552 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4553 }
4554
4555 static int selinux_socket_unix_stream_connect(struct sock *sock,
4556 struct sock *other,
4557 struct sock *newsk)
4558 {
4559 struct sk_security_struct *sksec_sock = sock->sk_security;
4560 struct sk_security_struct *sksec_other = other->sk_security;
4561 struct sk_security_struct *sksec_new = newsk->sk_security;
4562 struct common_audit_data ad;
4563 struct lsm_network_audit net = {0,};
4564 int err;
4565
4566 ad.type = LSM_AUDIT_DATA_NET;
4567 ad.u.net = &net;
4568 ad.u.net->sk = other;
4569
4570 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4571 sksec_other->sclass,
4572 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4573 if (err)
4574 return err;
4575
4576 /* server child socket */
4577 sksec_new->peer_sid = sksec_sock->sid;
4578 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4579 &sksec_new->sid);
4580 if (err)
4581 return err;
4582
4583 /* connecting socket */
4584 sksec_sock->peer_sid = sksec_new->sid;
4585
4586 return 0;
4587 }
4588
4589 static int selinux_socket_unix_may_send(struct socket *sock,
4590 struct socket *other)
4591 {
4592 struct sk_security_struct *ssec = sock->sk->sk_security;
4593 struct sk_security_struct *osec = other->sk->sk_security;
4594 struct common_audit_data ad;
4595 struct lsm_network_audit net = {0,};
4596
4597 ad.type = LSM_AUDIT_DATA_NET;
4598 ad.u.net = &net;
4599 ad.u.net->sk = other->sk;
4600
4601 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4602 &ad);
4603 }
4604
4605 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4606 char *addrp, u16 family, u32 peer_sid,
4607 struct common_audit_data *ad)
4608 {
4609 int err;
4610 u32 if_sid;
4611 u32 node_sid;
4612
4613 err = sel_netif_sid(ns, ifindex, &if_sid);
4614 if (err)
4615 return err;
4616 err = avc_has_perm(peer_sid, if_sid,
4617 SECCLASS_NETIF, NETIF__INGRESS, ad);
4618 if (err)
4619 return err;
4620
4621 err = sel_netnode_sid(addrp, family, &node_sid);
4622 if (err)
4623 return err;
4624 return avc_has_perm(peer_sid, node_sid,
4625 SECCLASS_NODE, NODE__RECVFROM, ad);
4626 }
4627
4628 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4629 u16 family)
4630 {
4631 int err = 0;
4632 struct sk_security_struct *sksec = sk->sk_security;
4633 u32 sk_sid = sksec->sid;
4634 struct common_audit_data ad;
4635 struct lsm_network_audit net = {0,};
4636 char *addrp;
4637
4638 ad.type = LSM_AUDIT_DATA_NET;
4639 ad.u.net = &net;
4640 ad.u.net->netif = skb->skb_iif;
4641 ad.u.net->family = family;
4642 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4643 if (err)
4644 return err;
4645
4646 if (selinux_secmark_enabled()) {
4647 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4648 PACKET__RECV, &ad);
4649 if (err)
4650 return err;
4651 }
4652
4653 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4654 if (err)
4655 return err;
4656 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4657
4658 return err;
4659 }
4660
4661 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4662 {
4663 int err;
4664 struct sk_security_struct *sksec = sk->sk_security;
4665 u16 family = sk->sk_family;
4666 u32 sk_sid = sksec->sid;
4667 struct common_audit_data ad;
4668 struct lsm_network_audit net = {0,};
4669 char *addrp;
4670 u8 secmark_active;
4671 u8 peerlbl_active;
4672
4673 if (family != PF_INET && family != PF_INET6)
4674 return 0;
4675
4676 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4677 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4678 family = PF_INET;
4679
4680 /* If any sort of compatibility mode is enabled then handoff processing
4681 * to the selinux_sock_rcv_skb_compat() function to deal with the
4682 * special handling. We do this in an attempt to keep this function
4683 * as fast and as clean as possible. */
4684 if (!selinux_policycap_netpeer)
4685 return selinux_sock_rcv_skb_compat(sk, skb, family);
4686
4687 secmark_active = selinux_secmark_enabled();
4688 peerlbl_active = selinux_peerlbl_enabled();
4689 if (!secmark_active && !peerlbl_active)
4690 return 0;
4691
4692 ad.type = LSM_AUDIT_DATA_NET;
4693 ad.u.net = &net;
4694 ad.u.net->netif = skb->skb_iif;
4695 ad.u.net->family = family;
4696 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4697 if (err)
4698 return err;
4699
4700 if (peerlbl_active) {
4701 u32 peer_sid;
4702
4703 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4704 if (err)
4705 return err;
4706 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4707 addrp, family, peer_sid, &ad);
4708 if (err) {
4709 selinux_netlbl_err(skb, family, err, 0);
4710 return err;
4711 }
4712 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4713 PEER__RECV, &ad);
4714 if (err) {
4715 selinux_netlbl_err(skb, family, err, 0);
4716 return err;
4717 }
4718 }
4719
4720 if (secmark_active) {
4721 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4722 PACKET__RECV, &ad);
4723 if (err)
4724 return err;
4725 }
4726
4727 return err;
4728 }
4729
4730 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4731 int __user *optlen, unsigned len)
4732 {
4733 int err = 0;
4734 char *scontext;
4735 u32 scontext_len;
4736 struct sk_security_struct *sksec = sock->sk->sk_security;
4737 u32 peer_sid = SECSID_NULL;
4738
4739 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4740 sksec->sclass == SECCLASS_TCP_SOCKET)
4741 peer_sid = sksec->peer_sid;
4742 if (peer_sid == SECSID_NULL)
4743 return -ENOPROTOOPT;
4744
4745 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4746 if (err)
4747 return err;
4748
4749 if (scontext_len > len) {
4750 err = -ERANGE;
4751 goto out_len;
4752 }
4753
4754 if (copy_to_user(optval, scontext, scontext_len))
4755 err = -EFAULT;
4756
4757 out_len:
4758 if (put_user(scontext_len, optlen))
4759 err = -EFAULT;
4760 kfree(scontext);
4761 return err;
4762 }
4763
4764 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4765 {
4766 u32 peer_secid = SECSID_NULL;
4767 u16 family;
4768 struct inode_security_struct *isec;
4769
4770 if (skb && skb->protocol == htons(ETH_P_IP))
4771 family = PF_INET;
4772 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4773 family = PF_INET6;
4774 else if (sock)
4775 family = sock->sk->sk_family;
4776 else
4777 goto out;
4778
4779 if (sock && family == PF_UNIX) {
4780 isec = inode_security_novalidate(SOCK_INODE(sock));
4781 peer_secid = isec->sid;
4782 } else if (skb)
4783 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4784
4785 out:
4786 *secid = peer_secid;
4787 if (peer_secid == SECSID_NULL)
4788 return -EINVAL;
4789 return 0;
4790 }
4791
4792 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4793 {
4794 struct sk_security_struct *sksec;
4795
4796 sksec = kzalloc(sizeof(*sksec), priority);
4797 if (!sksec)
4798 return -ENOMEM;
4799
4800 sksec->peer_sid = SECINITSID_UNLABELED;
4801 sksec->sid = SECINITSID_UNLABELED;
4802 sksec->sclass = SECCLASS_SOCKET;
4803 selinux_netlbl_sk_security_reset(sksec);
4804 sk->sk_security = sksec;
4805
4806 return 0;
4807 }
4808
4809 static void selinux_sk_free_security(struct sock *sk)
4810 {
4811 struct sk_security_struct *sksec = sk->sk_security;
4812
4813 sk->sk_security = NULL;
4814 selinux_netlbl_sk_security_free(sksec);
4815 kfree(sksec);
4816 }
4817
4818 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4819 {
4820 struct sk_security_struct *sksec = sk->sk_security;
4821 struct sk_security_struct *newsksec = newsk->sk_security;
4822
4823 newsksec->sid = sksec->sid;
4824 newsksec->peer_sid = sksec->peer_sid;
4825 newsksec->sclass = sksec->sclass;
4826
4827 selinux_netlbl_sk_security_reset(newsksec);
4828 }
4829
4830 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4831 {
4832 if (!sk)
4833 *secid = SECINITSID_ANY_SOCKET;
4834 else {
4835 struct sk_security_struct *sksec = sk->sk_security;
4836
4837 *secid = sksec->sid;
4838 }
4839 }
4840
4841 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4842 {
4843 struct inode_security_struct *isec =
4844 inode_security_novalidate(SOCK_INODE(parent));
4845 struct sk_security_struct *sksec = sk->sk_security;
4846
4847 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4848 sk->sk_family == PF_UNIX)
4849 isec->sid = sksec->sid;
4850 sksec->sclass = isec->sclass;
4851 }
4852
4853 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4854 struct request_sock *req)
4855 {
4856 struct sk_security_struct *sksec = sk->sk_security;
4857 int err;
4858 u16 family = req->rsk_ops->family;
4859 u32 connsid;
4860 u32 peersid;
4861
4862 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4863 if (err)
4864 return err;
4865 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4866 if (err)
4867 return err;
4868 req->secid = connsid;
4869 req->peer_secid = peersid;
4870
4871 return selinux_netlbl_inet_conn_request(req, family);
4872 }
4873
4874 static void selinux_inet_csk_clone(struct sock *newsk,
4875 const struct request_sock *req)
4876 {
4877 struct sk_security_struct *newsksec = newsk->sk_security;
4878
4879 newsksec->sid = req->secid;
4880 newsksec->peer_sid = req->peer_secid;
4881 /* NOTE: Ideally, we should also get the isec->sid for the
4882 new socket in sync, but we don't have the isec available yet.
4883 So we will wait until sock_graft to do it, by which
4884 time it will have been created and available. */
4885
4886 /* We don't need to take any sort of lock here as we are the only
4887 * thread with access to newsksec */
4888 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4889 }
4890
4891 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4892 {
4893 u16 family = sk->sk_family;
4894 struct sk_security_struct *sksec = sk->sk_security;
4895
4896 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4897 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4898 family = PF_INET;
4899
4900 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4901 }
4902
4903 static int selinux_secmark_relabel_packet(u32 sid)
4904 {
4905 const struct task_security_struct *__tsec;
4906 u32 tsid;
4907
4908 __tsec = current_security();
4909 tsid = __tsec->sid;
4910
4911 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4912 }
4913
4914 static void selinux_secmark_refcount_inc(void)
4915 {
4916 atomic_inc(&selinux_secmark_refcount);
4917 }
4918
4919 static void selinux_secmark_refcount_dec(void)
4920 {
4921 atomic_dec(&selinux_secmark_refcount);
4922 }
4923
4924 static void selinux_req_classify_flow(const struct request_sock *req,
4925 struct flowi *fl)
4926 {
4927 fl->flowi_secid = req->secid;
4928 }
4929
4930 static int selinux_tun_dev_alloc_security(void **security)
4931 {
4932 struct tun_security_struct *tunsec;
4933
4934 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4935 if (!tunsec)
4936 return -ENOMEM;
4937 tunsec->sid = current_sid();
4938
4939 *security = tunsec;
4940 return 0;
4941 }
4942
4943 static void selinux_tun_dev_free_security(void *security)
4944 {
4945 kfree(security);
4946 }
4947
4948 static int selinux_tun_dev_create(void)
4949 {
4950 u32 sid = current_sid();
4951
4952 /* we aren't taking into account the "sockcreate" SID since the socket
4953 * that is being created here is not a socket in the traditional sense,
4954 * instead it is a private sock, accessible only to the kernel, and
4955 * representing a wide range of network traffic spanning multiple
4956 * connections unlike traditional sockets - check the TUN driver to
4957 * get a better understanding of why this socket is special */
4958
4959 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4960 NULL);
4961 }
4962
4963 static int selinux_tun_dev_attach_queue(void *security)
4964 {
4965 struct tun_security_struct *tunsec = security;
4966
4967 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4968 TUN_SOCKET__ATTACH_QUEUE, NULL);
4969 }
4970
4971 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4972 {
4973 struct tun_security_struct *tunsec = security;
4974 struct sk_security_struct *sksec = sk->sk_security;
4975
4976 /* we don't currently perform any NetLabel based labeling here and it
4977 * isn't clear that we would want to do so anyway; while we could apply
4978 * labeling without the support of the TUN user the resulting labeled
4979 * traffic from the other end of the connection would almost certainly
4980 * cause confusion to the TUN user that had no idea network labeling
4981 * protocols were being used */
4982
4983 sksec->sid = tunsec->sid;
4984 sksec->sclass = SECCLASS_TUN_SOCKET;
4985
4986 return 0;
4987 }
4988
4989 static int selinux_tun_dev_open(void *security)
4990 {
4991 struct tun_security_struct *tunsec = security;
4992 u32 sid = current_sid();
4993 int err;
4994
4995 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4996 TUN_SOCKET__RELABELFROM, NULL);
4997 if (err)
4998 return err;
4999 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5000 TUN_SOCKET__RELABELTO, NULL);
5001 if (err)
5002 return err;
5003 tunsec->sid = sid;
5004
5005 return 0;
5006 }
5007
5008 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5009 {
5010 int err = 0;
5011 u32 perm;
5012 struct nlmsghdr *nlh;
5013 struct sk_security_struct *sksec = sk->sk_security;
5014
5015 if (skb->len < NLMSG_HDRLEN) {
5016 err = -EINVAL;
5017 goto out;
5018 }
5019 nlh = nlmsg_hdr(skb);
5020
5021 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5022 if (err) {
5023 if (err == -EINVAL) {
5024 pr_warn_ratelimited("SELinux: unrecognized netlink"
5025 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5026 " pig=%d comm=%s\n",
5027 sk->sk_protocol, nlh->nlmsg_type,
5028 secclass_map[sksec->sclass - 1].name,
5029 task_pid_nr(current), current->comm);
5030 if (!selinux_enforcing || security_get_allow_unknown())
5031 err = 0;
5032 }
5033
5034 /* Ignore */
5035 if (err == -ENOENT)
5036 err = 0;
5037 goto out;
5038 }
5039
5040 err = sock_has_perm(sk, perm);
5041 out:
5042 return err;
5043 }
5044
5045 #ifdef CONFIG_NETFILTER
5046
5047 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5048 const struct net_device *indev,
5049 u16 family)
5050 {
5051 int err;
5052 char *addrp;
5053 u32 peer_sid;
5054 struct common_audit_data ad;
5055 struct lsm_network_audit net = {0,};
5056 u8 secmark_active;
5057 u8 netlbl_active;
5058 u8 peerlbl_active;
5059
5060 if (!selinux_policycap_netpeer)
5061 return NF_ACCEPT;
5062
5063 secmark_active = selinux_secmark_enabled();
5064 netlbl_active = netlbl_enabled();
5065 peerlbl_active = selinux_peerlbl_enabled();
5066 if (!secmark_active && !peerlbl_active)
5067 return NF_ACCEPT;
5068
5069 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5070 return NF_DROP;
5071
5072 ad.type = LSM_AUDIT_DATA_NET;
5073 ad.u.net = &net;
5074 ad.u.net->netif = indev->ifindex;
5075 ad.u.net->family = family;
5076 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5077 return NF_DROP;
5078
5079 if (peerlbl_active) {
5080 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5081 addrp, family, peer_sid, &ad);
5082 if (err) {
5083 selinux_netlbl_err(skb, family, err, 1);
5084 return NF_DROP;
5085 }
5086 }
5087
5088 if (secmark_active)
5089 if (avc_has_perm(peer_sid, skb->secmark,
5090 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5091 return NF_DROP;
5092
5093 if (netlbl_active)
5094 /* we do this in the FORWARD path and not the POST_ROUTING
5095 * path because we want to make sure we apply the necessary
5096 * labeling before IPsec is applied so we can leverage AH
5097 * protection */
5098 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5099 return NF_DROP;
5100
5101 return NF_ACCEPT;
5102 }
5103
5104 static unsigned int selinux_ipv4_forward(void *priv,
5105 struct sk_buff *skb,
5106 const struct nf_hook_state *state)
5107 {
5108 return selinux_ip_forward(skb, state->in, PF_INET);
5109 }
5110
5111 #if IS_ENABLED(CONFIG_IPV6)
5112 static unsigned int selinux_ipv6_forward(void *priv,
5113 struct sk_buff *skb,
5114 const struct nf_hook_state *state)
5115 {
5116 return selinux_ip_forward(skb, state->in, PF_INET6);
5117 }
5118 #endif /* IPV6 */
5119
5120 static unsigned int selinux_ip_output(struct sk_buff *skb,
5121 u16 family)
5122 {
5123 struct sock *sk;
5124 u32 sid;
5125
5126 if (!netlbl_enabled())
5127 return NF_ACCEPT;
5128
5129 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5130 * because we want to make sure we apply the necessary labeling
5131 * before IPsec is applied so we can leverage AH protection */
5132 sk = skb->sk;
5133 if (sk) {
5134 struct sk_security_struct *sksec;
5135
5136 if (sk_listener(sk))
5137 /* if the socket is the listening state then this
5138 * packet is a SYN-ACK packet which means it needs to
5139 * be labeled based on the connection/request_sock and
5140 * not the parent socket. unfortunately, we can't
5141 * lookup the request_sock yet as it isn't queued on
5142 * the parent socket until after the SYN-ACK is sent.
5143 * the "solution" is to simply pass the packet as-is
5144 * as any IP option based labeling should be copied
5145 * from the initial connection request (in the IP
5146 * layer). it is far from ideal, but until we get a
5147 * security label in the packet itself this is the
5148 * best we can do. */
5149 return NF_ACCEPT;
5150
5151 /* standard practice, label using the parent socket */
5152 sksec = sk->sk_security;
5153 sid = sksec->sid;
5154 } else
5155 sid = SECINITSID_KERNEL;
5156 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5157 return NF_DROP;
5158
5159 return NF_ACCEPT;
5160 }
5161
5162 static unsigned int selinux_ipv4_output(void *priv,
5163 struct sk_buff *skb,
5164 const struct nf_hook_state *state)
5165 {
5166 return selinux_ip_output(skb, PF_INET);
5167 }
5168
5169 #if IS_ENABLED(CONFIG_IPV6)
5170 static unsigned int selinux_ipv6_output(void *priv,
5171 struct sk_buff *skb,
5172 const struct nf_hook_state *state)
5173 {
5174 return selinux_ip_output(skb, PF_INET6);
5175 }
5176 #endif /* IPV6 */
5177
5178 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5179 int ifindex,
5180 u16 family)
5181 {
5182 struct sock *sk = skb_to_full_sk(skb);
5183 struct sk_security_struct *sksec;
5184 struct common_audit_data ad;
5185 struct lsm_network_audit net = {0,};
5186 char *addrp;
5187 u8 proto;
5188
5189 if (sk == NULL)
5190 return NF_ACCEPT;
5191 sksec = sk->sk_security;
5192
5193 ad.type = LSM_AUDIT_DATA_NET;
5194 ad.u.net = &net;
5195 ad.u.net->netif = ifindex;
5196 ad.u.net->family = family;
5197 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5198 return NF_DROP;
5199
5200 if (selinux_secmark_enabled())
5201 if (avc_has_perm(sksec->sid, skb->secmark,
5202 SECCLASS_PACKET, PACKET__SEND, &ad))
5203 return NF_DROP_ERR(-ECONNREFUSED);
5204
5205 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5206 return NF_DROP_ERR(-ECONNREFUSED);
5207
5208 return NF_ACCEPT;
5209 }
5210
5211 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5212 const struct net_device *outdev,
5213 u16 family)
5214 {
5215 u32 secmark_perm;
5216 u32 peer_sid;
5217 int ifindex = outdev->ifindex;
5218 struct sock *sk;
5219 struct common_audit_data ad;
5220 struct lsm_network_audit net = {0,};
5221 char *addrp;
5222 u8 secmark_active;
5223 u8 peerlbl_active;
5224
5225 /* If any sort of compatibility mode is enabled then handoff processing
5226 * to the selinux_ip_postroute_compat() function to deal with the
5227 * special handling. We do this in an attempt to keep this function
5228 * as fast and as clean as possible. */
5229 if (!selinux_policycap_netpeer)
5230 return selinux_ip_postroute_compat(skb, ifindex, family);
5231
5232 secmark_active = selinux_secmark_enabled();
5233 peerlbl_active = selinux_peerlbl_enabled();
5234 if (!secmark_active && !peerlbl_active)
5235 return NF_ACCEPT;
5236
5237 sk = skb_to_full_sk(skb);
5238
5239 #ifdef CONFIG_XFRM
5240 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5241 * packet transformation so allow the packet to pass without any checks
5242 * since we'll have another chance to perform access control checks
5243 * when the packet is on it's final way out.
5244 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5245 * is NULL, in this case go ahead and apply access control.
5246 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5247 * TCP listening state we cannot wait until the XFRM processing
5248 * is done as we will miss out on the SA label if we do;
5249 * unfortunately, this means more work, but it is only once per
5250 * connection. */
5251 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5252 !(sk && sk_listener(sk)))
5253 return NF_ACCEPT;
5254 #endif
5255
5256 if (sk == NULL) {
5257 /* Without an associated socket the packet is either coming
5258 * from the kernel or it is being forwarded; check the packet
5259 * to determine which and if the packet is being forwarded
5260 * query the packet directly to determine the security label. */
5261 if (skb->skb_iif) {
5262 secmark_perm = PACKET__FORWARD_OUT;
5263 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5264 return NF_DROP;
5265 } else {
5266 secmark_perm = PACKET__SEND;
5267 peer_sid = SECINITSID_KERNEL;
5268 }
5269 } else if (sk_listener(sk)) {
5270 /* Locally generated packet but the associated socket is in the
5271 * listening state which means this is a SYN-ACK packet. In
5272 * this particular case the correct security label is assigned
5273 * to the connection/request_sock but unfortunately we can't
5274 * query the request_sock as it isn't queued on the parent
5275 * socket until after the SYN-ACK packet is sent; the only
5276 * viable choice is to regenerate the label like we do in
5277 * selinux_inet_conn_request(). See also selinux_ip_output()
5278 * for similar problems. */
5279 u32 skb_sid;
5280 struct sk_security_struct *sksec;
5281
5282 sksec = sk->sk_security;
5283 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5284 return NF_DROP;
5285 /* At this point, if the returned skb peerlbl is SECSID_NULL
5286 * and the packet has been through at least one XFRM
5287 * transformation then we must be dealing with the "final"
5288 * form of labeled IPsec packet; since we've already applied
5289 * all of our access controls on this packet we can safely
5290 * pass the packet. */
5291 if (skb_sid == SECSID_NULL) {
5292 switch (family) {
5293 case PF_INET:
5294 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5295 return NF_ACCEPT;
5296 break;
5297 case PF_INET6:
5298 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5299 return NF_ACCEPT;
5300 break;
5301 default:
5302 return NF_DROP_ERR(-ECONNREFUSED);
5303 }
5304 }
5305 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5306 return NF_DROP;
5307 secmark_perm = PACKET__SEND;
5308 } else {
5309 /* Locally generated packet, fetch the security label from the
5310 * associated socket. */
5311 struct sk_security_struct *sksec = sk->sk_security;
5312 peer_sid = sksec->sid;
5313 secmark_perm = PACKET__SEND;
5314 }
5315
5316 ad.type = LSM_AUDIT_DATA_NET;
5317 ad.u.net = &net;
5318 ad.u.net->netif = ifindex;
5319 ad.u.net->family = family;
5320 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5321 return NF_DROP;
5322
5323 if (secmark_active)
5324 if (avc_has_perm(peer_sid, skb->secmark,
5325 SECCLASS_PACKET, secmark_perm, &ad))
5326 return NF_DROP_ERR(-ECONNREFUSED);
5327
5328 if (peerlbl_active) {
5329 u32 if_sid;
5330 u32 node_sid;
5331
5332 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5333 return NF_DROP;
5334 if (avc_has_perm(peer_sid, if_sid,
5335 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5336 return NF_DROP_ERR(-ECONNREFUSED);
5337
5338 if (sel_netnode_sid(addrp, family, &node_sid))
5339 return NF_DROP;
5340 if (avc_has_perm(peer_sid, node_sid,
5341 SECCLASS_NODE, NODE__SENDTO, &ad))
5342 return NF_DROP_ERR(-ECONNREFUSED);
5343 }
5344
5345 return NF_ACCEPT;
5346 }
5347
5348 static unsigned int selinux_ipv4_postroute(void *priv,
5349 struct sk_buff *skb,
5350 const struct nf_hook_state *state)
5351 {
5352 return selinux_ip_postroute(skb, state->out, PF_INET);
5353 }
5354
5355 #if IS_ENABLED(CONFIG_IPV6)
5356 static unsigned int selinux_ipv6_postroute(void *priv,
5357 struct sk_buff *skb,
5358 const struct nf_hook_state *state)
5359 {
5360 return selinux_ip_postroute(skb, state->out, PF_INET6);
5361 }
5362 #endif /* IPV6 */
5363
5364 #endif /* CONFIG_NETFILTER */
5365
5366 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5367 {
5368 return selinux_nlmsg_perm(sk, skb);
5369 }
5370
5371 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5372 u16 sclass)
5373 {
5374 struct ipc_security_struct *isec;
5375
5376 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5377 if (!isec)
5378 return -ENOMEM;
5379
5380 isec->sclass = sclass;
5381 isec->sid = current_sid();
5382 perm->security = isec;
5383
5384 return 0;
5385 }
5386
5387 static void ipc_free_security(struct kern_ipc_perm *perm)
5388 {
5389 struct ipc_security_struct *isec = perm->security;
5390 perm->security = NULL;
5391 kfree(isec);
5392 }
5393
5394 static int msg_msg_alloc_security(struct msg_msg *msg)
5395 {
5396 struct msg_security_struct *msec;
5397
5398 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5399 if (!msec)
5400 return -ENOMEM;
5401
5402 msec->sid = SECINITSID_UNLABELED;
5403 msg->security = msec;
5404
5405 return 0;
5406 }
5407
5408 static void msg_msg_free_security(struct msg_msg *msg)
5409 {
5410 struct msg_security_struct *msec = msg->security;
5411
5412 msg->security = NULL;
5413 kfree(msec);
5414 }
5415
5416 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5417 u32 perms)
5418 {
5419 struct ipc_security_struct *isec;
5420 struct common_audit_data ad;
5421 u32 sid = current_sid();
5422
5423 isec = ipc_perms->security;
5424
5425 ad.type = LSM_AUDIT_DATA_IPC;
5426 ad.u.ipc_id = ipc_perms->key;
5427
5428 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5429 }
5430
5431 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5432 {
5433 return msg_msg_alloc_security(msg);
5434 }
5435
5436 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5437 {
5438 msg_msg_free_security(msg);
5439 }
5440
5441 /* message queue security operations */
5442 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5443 {
5444 struct ipc_security_struct *isec;
5445 struct common_audit_data ad;
5446 u32 sid = current_sid();
5447 int rc;
5448
5449 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
5450 if (rc)
5451 return rc;
5452
5453 isec = msq->q_perm.security;
5454
5455 ad.type = LSM_AUDIT_DATA_IPC;
5456 ad.u.ipc_id = msq->q_perm.key;
5457
5458 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5459 MSGQ__CREATE, &ad);
5460 if (rc) {
5461 ipc_free_security(&msq->q_perm);
5462 return rc;
5463 }
5464 return 0;
5465 }
5466
5467 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5468 {
5469 ipc_free_security(&msq->q_perm);
5470 }
5471
5472 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5473 {
5474 struct ipc_security_struct *isec;
5475 struct common_audit_data ad;
5476 u32 sid = current_sid();
5477
5478 isec = msq->q_perm.security;
5479
5480 ad.type = LSM_AUDIT_DATA_IPC;
5481 ad.u.ipc_id = msq->q_perm.key;
5482
5483 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5484 MSGQ__ASSOCIATE, &ad);
5485 }
5486
5487 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5488 {
5489 int err;
5490 int perms;
5491
5492 switch (cmd) {
5493 case IPC_INFO:
5494 case MSG_INFO:
5495 /* No specific object, just general system-wide information. */
5496 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5497 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5498 case IPC_STAT:
5499 case MSG_STAT:
5500 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5501 break;
5502 case IPC_SET:
5503 perms = MSGQ__SETATTR;
5504 break;
5505 case IPC_RMID:
5506 perms = MSGQ__DESTROY;
5507 break;
5508 default:
5509 return 0;
5510 }
5511
5512 err = ipc_has_perm(&msq->q_perm, perms);
5513 return err;
5514 }
5515
5516 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5517 {
5518 struct ipc_security_struct *isec;
5519 struct msg_security_struct *msec;
5520 struct common_audit_data ad;
5521 u32 sid = current_sid();
5522 int rc;
5523
5524 isec = msq->q_perm.security;
5525 msec = msg->security;
5526
5527 /*
5528 * First time through, need to assign label to the message
5529 */
5530 if (msec->sid == SECINITSID_UNLABELED) {
5531 /*
5532 * Compute new sid based on current process and
5533 * message queue this message will be stored in
5534 */
5535 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5536 NULL, &msec->sid);
5537 if (rc)
5538 return rc;
5539 }
5540
5541 ad.type = LSM_AUDIT_DATA_IPC;
5542 ad.u.ipc_id = msq->q_perm.key;
5543
5544 /* Can this process write to the queue? */
5545 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5546 MSGQ__WRITE, &ad);
5547 if (!rc)
5548 /* Can this process send the message */
5549 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5550 MSG__SEND, &ad);
5551 if (!rc)
5552 /* Can the message be put in the queue? */
5553 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5554 MSGQ__ENQUEUE, &ad);
5555
5556 return rc;
5557 }
5558
5559 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5560 struct task_struct *target,
5561 long type, int mode)
5562 {
5563 struct ipc_security_struct *isec;
5564 struct msg_security_struct *msec;
5565 struct common_audit_data ad;
5566 u32 sid = task_sid(target);
5567 int rc;
5568
5569 isec = msq->q_perm.security;
5570 msec = msg->security;
5571
5572 ad.type = LSM_AUDIT_DATA_IPC;
5573 ad.u.ipc_id = msq->q_perm.key;
5574
5575 rc = avc_has_perm(sid, isec->sid,
5576 SECCLASS_MSGQ, MSGQ__READ, &ad);
5577 if (!rc)
5578 rc = avc_has_perm(sid, msec->sid,
5579 SECCLASS_MSG, MSG__RECEIVE, &ad);
5580 return rc;
5581 }
5582
5583 /* Shared Memory security operations */
5584 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5585 {
5586 struct ipc_security_struct *isec;
5587 struct common_audit_data ad;
5588 u32 sid = current_sid();
5589 int rc;
5590
5591 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
5592 if (rc)
5593 return rc;
5594
5595 isec = shp->shm_perm.security;
5596
5597 ad.type = LSM_AUDIT_DATA_IPC;
5598 ad.u.ipc_id = shp->shm_perm.key;
5599
5600 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5601 SHM__CREATE, &ad);
5602 if (rc) {
5603 ipc_free_security(&shp->shm_perm);
5604 return rc;
5605 }
5606 return 0;
5607 }
5608
5609 static void selinux_shm_free_security(struct shmid_kernel *shp)
5610 {
5611 ipc_free_security(&shp->shm_perm);
5612 }
5613
5614 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5615 {
5616 struct ipc_security_struct *isec;
5617 struct common_audit_data ad;
5618 u32 sid = current_sid();
5619
5620 isec = shp->shm_perm.security;
5621
5622 ad.type = LSM_AUDIT_DATA_IPC;
5623 ad.u.ipc_id = shp->shm_perm.key;
5624
5625 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5626 SHM__ASSOCIATE, &ad);
5627 }
5628
5629 /* Note, at this point, shp is locked down */
5630 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5631 {
5632 int perms;
5633 int err;
5634
5635 switch (cmd) {
5636 case IPC_INFO:
5637 case SHM_INFO:
5638 /* No specific object, just general system-wide information. */
5639 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5640 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5641 case IPC_STAT:
5642 case SHM_STAT:
5643 perms = SHM__GETATTR | SHM__ASSOCIATE;
5644 break;
5645 case IPC_SET:
5646 perms = SHM__SETATTR;
5647 break;
5648 case SHM_LOCK:
5649 case SHM_UNLOCK:
5650 perms = SHM__LOCK;
5651 break;
5652 case IPC_RMID:
5653 perms = SHM__DESTROY;
5654 break;
5655 default:
5656 return 0;
5657 }
5658
5659 err = ipc_has_perm(&shp->shm_perm, perms);
5660 return err;
5661 }
5662
5663 static int selinux_shm_shmat(struct shmid_kernel *shp,
5664 char __user *shmaddr, int shmflg)
5665 {
5666 u32 perms;
5667
5668 if (shmflg & SHM_RDONLY)
5669 perms = SHM__READ;
5670 else
5671 perms = SHM__READ | SHM__WRITE;
5672
5673 return ipc_has_perm(&shp->shm_perm, perms);
5674 }
5675
5676 /* Semaphore security operations */
5677 static int selinux_sem_alloc_security(struct sem_array *sma)
5678 {
5679 struct ipc_security_struct *isec;
5680 struct common_audit_data ad;
5681 u32 sid = current_sid();
5682 int rc;
5683
5684 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
5685 if (rc)
5686 return rc;
5687
5688 isec = sma->sem_perm.security;
5689
5690 ad.type = LSM_AUDIT_DATA_IPC;
5691 ad.u.ipc_id = sma->sem_perm.key;
5692
5693 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5694 SEM__CREATE, &ad);
5695 if (rc) {
5696 ipc_free_security(&sma->sem_perm);
5697 return rc;
5698 }
5699 return 0;
5700 }
5701
5702 static void selinux_sem_free_security(struct sem_array *sma)
5703 {
5704 ipc_free_security(&sma->sem_perm);
5705 }
5706
5707 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5708 {
5709 struct ipc_security_struct *isec;
5710 struct common_audit_data ad;
5711 u32 sid = current_sid();
5712
5713 isec = sma->sem_perm.security;
5714
5715 ad.type = LSM_AUDIT_DATA_IPC;
5716 ad.u.ipc_id = sma->sem_perm.key;
5717
5718 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5719 SEM__ASSOCIATE, &ad);
5720 }
5721
5722 /* Note, at this point, sma is locked down */
5723 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5724 {
5725 int err;
5726 u32 perms;
5727
5728 switch (cmd) {
5729 case IPC_INFO:
5730 case SEM_INFO:
5731 /* No specific object, just general system-wide information. */
5732 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5733 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5734 case GETPID:
5735 case GETNCNT:
5736 case GETZCNT:
5737 perms = SEM__GETATTR;
5738 break;
5739 case GETVAL:
5740 case GETALL:
5741 perms = SEM__READ;
5742 break;
5743 case SETVAL:
5744 case SETALL:
5745 perms = SEM__WRITE;
5746 break;
5747 case IPC_RMID:
5748 perms = SEM__DESTROY;
5749 break;
5750 case IPC_SET:
5751 perms = SEM__SETATTR;
5752 break;
5753 case IPC_STAT:
5754 case SEM_STAT:
5755 perms = SEM__GETATTR | SEM__ASSOCIATE;
5756 break;
5757 default:
5758 return 0;
5759 }
5760
5761 err = ipc_has_perm(&sma->sem_perm, perms);
5762 return err;
5763 }
5764
5765 static int selinux_sem_semop(struct sem_array *sma,
5766 struct sembuf *sops, unsigned nsops, int alter)
5767 {
5768 u32 perms;
5769
5770 if (alter)
5771 perms = SEM__READ | SEM__WRITE;
5772 else
5773 perms = SEM__READ;
5774
5775 return ipc_has_perm(&sma->sem_perm, perms);
5776 }
5777
5778 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5779 {
5780 u32 av = 0;
5781
5782 av = 0;
5783 if (flag & S_IRUGO)
5784 av |= IPC__UNIX_READ;
5785 if (flag & S_IWUGO)
5786 av |= IPC__UNIX_WRITE;
5787
5788 if (av == 0)
5789 return 0;
5790
5791 return ipc_has_perm(ipcp, av);
5792 }
5793
5794 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5795 {
5796 struct ipc_security_struct *isec = ipcp->security;
5797 *secid = isec->sid;
5798 }
5799
5800 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5801 {
5802 if (inode)
5803 inode_doinit_with_dentry(inode, dentry);
5804 }
5805
5806 static int selinux_getprocattr(struct task_struct *p,
5807 char *name, char **value)
5808 {
5809 const struct task_security_struct *__tsec;
5810 u32 sid;
5811 int error;
5812 unsigned len;
5813
5814 rcu_read_lock();
5815 __tsec = __task_cred(p)->security;
5816
5817 if (current != p) {
5818 error = avc_has_perm(current_sid(), __tsec->sid,
5819 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5820 if (error)
5821 goto bad;
5822 }
5823
5824 if (!strcmp(name, "current"))
5825 sid = __tsec->sid;
5826 else if (!strcmp(name, "prev"))
5827 sid = __tsec->osid;
5828 else if (!strcmp(name, "exec"))
5829 sid = __tsec->exec_sid;
5830 else if (!strcmp(name, "fscreate"))
5831 sid = __tsec->create_sid;
5832 else if (!strcmp(name, "keycreate"))
5833 sid = __tsec->keycreate_sid;
5834 else if (!strcmp(name, "sockcreate"))
5835 sid = __tsec->sockcreate_sid;
5836 else {
5837 error = -EINVAL;
5838 goto bad;
5839 }
5840 rcu_read_unlock();
5841
5842 if (!sid)
5843 return 0;
5844
5845 error = security_sid_to_context(sid, value, &len);
5846 if (error)
5847 return error;
5848 return len;
5849
5850 bad:
5851 rcu_read_unlock();
5852 return error;
5853 }
5854
5855 static int selinux_setprocattr(const char *name, void *value, size_t size)
5856 {
5857 struct task_security_struct *tsec;
5858 struct cred *new;
5859 u32 mysid = current_sid(), sid = 0, ptsid;
5860 int error;
5861 char *str = value;
5862
5863 /*
5864 * Basic control over ability to set these attributes at all.
5865 */
5866 if (!strcmp(name, "exec"))
5867 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5868 PROCESS__SETEXEC, NULL);
5869 else if (!strcmp(name, "fscreate"))
5870 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5871 PROCESS__SETFSCREATE, NULL);
5872 else if (!strcmp(name, "keycreate"))
5873 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5874 PROCESS__SETKEYCREATE, NULL);
5875 else if (!strcmp(name, "sockcreate"))
5876 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5877 PROCESS__SETSOCKCREATE, NULL);
5878 else if (!strcmp(name, "current"))
5879 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5880 PROCESS__SETCURRENT, NULL);
5881 else
5882 error = -EINVAL;
5883 if (error)
5884 return error;
5885
5886 /* Obtain a SID for the context, if one was specified. */
5887 if (size && str[0] && str[0] != '\n') {
5888 if (str[size-1] == '\n') {
5889 str[size-1] = 0;
5890 size--;
5891 }
5892 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5893 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5894 if (!capable(CAP_MAC_ADMIN)) {
5895 struct audit_buffer *ab;
5896 size_t audit_size;
5897
5898 /* We strip a nul only if it is at the end, otherwise the
5899 * context contains a nul and we should audit that */
5900 if (str[size - 1] == '\0')
5901 audit_size = size - 1;
5902 else
5903 audit_size = size;
5904 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5905 audit_log_format(ab, "op=fscreate invalid_context=");
5906 audit_log_n_untrustedstring(ab, value, audit_size);
5907 audit_log_end(ab);
5908
5909 return error;
5910 }
5911 error = security_context_to_sid_force(value, size,
5912 &sid);
5913 }
5914 if (error)
5915 return error;
5916 }
5917
5918 new = prepare_creds();
5919 if (!new)
5920 return -ENOMEM;
5921
5922 /* Permission checking based on the specified context is
5923 performed during the actual operation (execve,
5924 open/mkdir/...), when we know the full context of the
5925 operation. See selinux_bprm_set_creds for the execve
5926 checks and may_create for the file creation checks. The
5927 operation will then fail if the context is not permitted. */
5928 tsec = new->security;
5929 if (!strcmp(name, "exec")) {
5930 tsec->exec_sid = sid;
5931 } else if (!strcmp(name, "fscreate")) {
5932 tsec->create_sid = sid;
5933 } else if (!strcmp(name, "keycreate")) {
5934 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
5935 NULL);
5936 if (error)
5937 goto abort_change;
5938 tsec->keycreate_sid = sid;
5939 } else if (!strcmp(name, "sockcreate")) {
5940 tsec->sockcreate_sid = sid;
5941 } else if (!strcmp(name, "current")) {
5942 error = -EINVAL;
5943 if (sid == 0)
5944 goto abort_change;
5945
5946 /* Only allow single threaded processes to change context */
5947 error = -EPERM;
5948 if (!current_is_single_threaded()) {
5949 error = security_bounded_transition(tsec->sid, sid);
5950 if (error)
5951 goto abort_change;
5952 }
5953
5954 /* Check permissions for the transition. */
5955 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5956 PROCESS__DYNTRANSITION, NULL);
5957 if (error)
5958 goto abort_change;
5959
5960 /* Check for ptracing, and update the task SID if ok.
5961 Otherwise, leave SID unchanged and fail. */
5962 ptsid = ptrace_parent_sid();
5963 if (ptsid != 0) {
5964 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5965 PROCESS__PTRACE, NULL);
5966 if (error)
5967 goto abort_change;
5968 }
5969
5970 tsec->sid = sid;
5971 } else {
5972 error = -EINVAL;
5973 goto abort_change;
5974 }
5975
5976 commit_creds(new);
5977 return size;
5978
5979 abort_change:
5980 abort_creds(new);
5981 return error;
5982 }
5983
5984 static int selinux_ismaclabel(const char *name)
5985 {
5986 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5987 }
5988
5989 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5990 {
5991 return security_sid_to_context(secid, secdata, seclen);
5992 }
5993
5994 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5995 {
5996 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5997 }
5998
5999 static void selinux_release_secctx(char *secdata, u32 seclen)
6000 {
6001 kfree(secdata);
6002 }
6003
6004 static void selinux_inode_invalidate_secctx(struct inode *inode)
6005 {
6006 struct inode_security_struct *isec = inode->i_security;
6007
6008 spin_lock(&isec->lock);
6009 isec->initialized = LABEL_INVALID;
6010 spin_unlock(&isec->lock);
6011 }
6012
6013 /*
6014 * called with inode->i_mutex locked
6015 */
6016 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6017 {
6018 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6019 }
6020
6021 /*
6022 * called with inode->i_mutex locked
6023 */
6024 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6025 {
6026 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6027 }
6028
6029 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6030 {
6031 int len = 0;
6032 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6033 ctx, true);
6034 if (len < 0)
6035 return len;
6036 *ctxlen = len;
6037 return 0;
6038 }
6039 #ifdef CONFIG_KEYS
6040
6041 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6042 unsigned long flags)
6043 {
6044 const struct task_security_struct *tsec;
6045 struct key_security_struct *ksec;
6046
6047 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6048 if (!ksec)
6049 return -ENOMEM;
6050
6051 tsec = cred->security;
6052 if (tsec->keycreate_sid)
6053 ksec->sid = tsec->keycreate_sid;
6054 else
6055 ksec->sid = tsec->sid;
6056
6057 k->security = ksec;
6058 return 0;
6059 }
6060
6061 static void selinux_key_free(struct key *k)
6062 {
6063 struct key_security_struct *ksec = k->security;
6064
6065 k->security = NULL;
6066 kfree(ksec);
6067 }
6068
6069 static int selinux_key_permission(key_ref_t key_ref,
6070 const struct cred *cred,
6071 unsigned perm)
6072 {
6073 struct key *key;
6074 struct key_security_struct *ksec;
6075 u32 sid;
6076
6077 /* if no specific permissions are requested, we skip the
6078 permission check. No serious, additional covert channels
6079 appear to be created. */
6080 if (perm == 0)
6081 return 0;
6082
6083 sid = cred_sid(cred);
6084
6085 key = key_ref_to_ptr(key_ref);
6086 ksec = key->security;
6087
6088 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6089 }
6090
6091 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6092 {
6093 struct key_security_struct *ksec = key->security;
6094 char *context = NULL;
6095 unsigned len;
6096 int rc;
6097
6098 rc = security_sid_to_context(ksec->sid, &context, &len);
6099 if (!rc)
6100 rc = len;
6101 *_buffer = context;
6102 return rc;
6103 }
6104
6105 #endif
6106
6107 static struct security_hook_list selinux_hooks[] = {
6108 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6109 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6110 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6111 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6112
6113 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6114 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6115 LSM_HOOK_INIT(capget, selinux_capget),
6116 LSM_HOOK_INIT(capset, selinux_capset),
6117 LSM_HOOK_INIT(capable, selinux_capable),
6118 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6119 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6120 LSM_HOOK_INIT(syslog, selinux_syslog),
6121 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6122
6123 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6124
6125 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6126 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6127 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6128 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6129
6130 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6131 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6132 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6133 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6134 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6135 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6136 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6137 LSM_HOOK_INIT(sb_mount, selinux_mount),
6138 LSM_HOOK_INIT(sb_umount, selinux_umount),
6139 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6140 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6141 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6142
6143 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6144 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6145
6146 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6147 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6148 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6149 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6150 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6151 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6152 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6153 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6154 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6155 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6156 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6157 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6158 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6159 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6160 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6161 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6162 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6163 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6164 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6165 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6166 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6167 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6168 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6169 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6170 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6171 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6172 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6173
6174 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6175 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6176 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6177 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6178 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6179 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6180 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6181 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6182 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6183 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6184 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6185 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6186
6187 LSM_HOOK_INIT(file_open, selinux_file_open),
6188
6189 LSM_HOOK_INIT(task_create, selinux_task_create),
6190 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6191 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6192 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6193 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6194 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6195 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6196 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6197 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6198 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6199 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6200 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6201 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6202 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6203 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6204 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6205 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6206 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6207 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6208 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6209 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6210 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6211
6212 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6213 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6214
6215 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6216 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6217
6218 LSM_HOOK_INIT(msg_queue_alloc_security,
6219 selinux_msg_queue_alloc_security),
6220 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6221 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6222 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6223 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6224 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6225
6226 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6227 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6228 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6229 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6230 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6231
6232 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6233 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6234 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6235 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6236 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6237
6238 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6239
6240 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6241 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6242
6243 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6244 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6245 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6246 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6247 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6248 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6249 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6250 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6251
6252 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6253 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6254
6255 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6256 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6257 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6258 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6259 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6260 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6261 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6262 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6263 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6264 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6265 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6266 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6267 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6268 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6269 LSM_HOOK_INIT(socket_getpeersec_stream,
6270 selinux_socket_getpeersec_stream),
6271 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6272 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6273 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6274 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6275 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6276 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6277 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6278 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6279 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6280 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6281 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6282 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6283 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6284 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6285 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6286 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6287 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6288 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6289 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6290
6291 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6292 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6293 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6294 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6295 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6296 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6297 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6298 selinux_xfrm_state_alloc_acquire),
6299 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6300 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6301 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6302 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6303 selinux_xfrm_state_pol_flow_match),
6304 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6305 #endif
6306
6307 #ifdef CONFIG_KEYS
6308 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6309 LSM_HOOK_INIT(key_free, selinux_key_free),
6310 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6311 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6312 #endif
6313
6314 #ifdef CONFIG_AUDIT
6315 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6316 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6317 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6318 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6319 #endif
6320 };
6321
6322 static __init int selinux_init(void)
6323 {
6324 if (!security_module_enable("selinux")) {
6325 selinux_enabled = 0;
6326 return 0;
6327 }
6328
6329 if (!selinux_enabled) {
6330 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6331 return 0;
6332 }
6333
6334 printk(KERN_INFO "SELinux: Initializing.\n");
6335
6336 /* Set the security state for the initial task. */
6337 cred_init_security();
6338
6339 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6340
6341 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6342 sizeof(struct inode_security_struct),
6343 0, SLAB_PANIC, NULL);
6344 file_security_cache = kmem_cache_create("selinux_file_security",
6345 sizeof(struct file_security_struct),
6346 0, SLAB_PANIC, NULL);
6347 avc_init();
6348
6349 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6350
6351 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6352 panic("SELinux: Unable to register AVC netcache callback\n");
6353
6354 if (selinux_enforcing)
6355 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6356 else
6357 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6358
6359 return 0;
6360 }
6361
6362 static void delayed_superblock_init(struct super_block *sb, void *unused)
6363 {
6364 superblock_doinit(sb, NULL);
6365 }
6366
6367 void selinux_complete_init(void)
6368 {
6369 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6370
6371 /* Set up any superblocks initialized prior to the policy load. */
6372 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6373 iterate_supers(delayed_superblock_init, NULL);
6374 }
6375
6376 /* SELinux requires early initialization in order to label
6377 all processes and objects when they are created. */
6378 security_initcall(selinux_init);
6379
6380 #if defined(CONFIG_NETFILTER)
6381
6382 static struct nf_hook_ops selinux_nf_ops[] = {
6383 {
6384 .hook = selinux_ipv4_postroute,
6385 .pf = NFPROTO_IPV4,
6386 .hooknum = NF_INET_POST_ROUTING,
6387 .priority = NF_IP_PRI_SELINUX_LAST,
6388 },
6389 {
6390 .hook = selinux_ipv4_forward,
6391 .pf = NFPROTO_IPV4,
6392 .hooknum = NF_INET_FORWARD,
6393 .priority = NF_IP_PRI_SELINUX_FIRST,
6394 },
6395 {
6396 .hook = selinux_ipv4_output,
6397 .pf = NFPROTO_IPV4,
6398 .hooknum = NF_INET_LOCAL_OUT,
6399 .priority = NF_IP_PRI_SELINUX_FIRST,
6400 },
6401 #if IS_ENABLED(CONFIG_IPV6)
6402 {
6403 .hook = selinux_ipv6_postroute,
6404 .pf = NFPROTO_IPV6,
6405 .hooknum = NF_INET_POST_ROUTING,
6406 .priority = NF_IP6_PRI_SELINUX_LAST,
6407 },
6408 {
6409 .hook = selinux_ipv6_forward,
6410 .pf = NFPROTO_IPV6,
6411 .hooknum = NF_INET_FORWARD,
6412 .priority = NF_IP6_PRI_SELINUX_FIRST,
6413 },
6414 {
6415 .hook = selinux_ipv6_output,
6416 .pf = NFPROTO_IPV6,
6417 .hooknum = NF_INET_LOCAL_OUT,
6418 .priority = NF_IP6_PRI_SELINUX_FIRST,
6419 },
6420 #endif /* IPV6 */
6421 };
6422
6423 static int __init selinux_nf_ip_init(void)
6424 {
6425 int err;
6426
6427 if (!selinux_enabled)
6428 return 0;
6429
6430 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6431
6432 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6433 if (err)
6434 panic("SELinux: nf_register_hooks: error %d\n", err);
6435
6436 return 0;
6437 }
6438
6439 __initcall(selinux_nf_ip_init);
6440
6441 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6442 static void selinux_nf_ip_exit(void)
6443 {
6444 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6445
6446 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6447 }
6448 #endif
6449
6450 #else /* CONFIG_NETFILTER */
6451
6452 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6453 #define selinux_nf_ip_exit()
6454 #endif
6455
6456 #endif /* CONFIG_NETFILTER */
6457
6458 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6459 static int selinux_disabled;
6460
6461 int selinux_disable(void)
6462 {
6463 if (ss_initialized) {
6464 /* Not permitted after initial policy load. */
6465 return -EINVAL;
6466 }
6467
6468 if (selinux_disabled) {
6469 /* Only do this once. */
6470 return -EINVAL;
6471 }
6472
6473 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6474
6475 selinux_disabled = 1;
6476 selinux_enabled = 0;
6477
6478 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6479
6480 /* Try to destroy the avc node cache */
6481 avc_disable();
6482
6483 /* Unregister netfilter hooks. */
6484 selinux_nf_ip_exit();
6485
6486 /* Unregister selinuxfs. */
6487 exit_sel_fs();
6488
6489 return 0;
6490 }
6491 #endif
Ubuntu Artful kernel mirror