2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount
= ATOMIC_INIT(0);
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing
;
107 static int __init
enforcing_setup(char *str
)
109 unsigned long enforcing
;
110 if (!kstrtoul(str
, 0, &enforcing
))
111 selinux_enforcing
= enforcing
? 1 : 0;
114 __setup("enforcing=", enforcing_setup
);
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled
= CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
;
120 static int __init
selinux_enabled_setup(char *str
)
122 unsigned long enabled
;
123 if (!kstrtoul(str
, 0, &enabled
))
124 selinux_enabled
= enabled
? 1 : 0;
127 __setup("selinux=", selinux_enabled_setup
);
129 int selinux_enabled
= 1;
132 static struct kmem_cache
*sel_inode_cache
;
133 static struct kmem_cache
*file_security_cache
;
136 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
139 * This function checks the SECMARK reference counter to see if any SECMARK
140 * targets are currently configured, if the reference counter is greater than
141 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
142 * enabled, false (0) if SECMARK is disabled. If the always_check_network
143 * policy capability is enabled, SECMARK is always considered enabled.
146 static int selinux_secmark_enabled(void)
148 return (selinux_policycap_alwaysnetwork
|| atomic_read(&selinux_secmark_refcount
));
152 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
155 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
156 * (1) if any are enabled or false (0) if neither are enabled. If the
157 * always_check_network policy capability is enabled, peer labeling
158 * is always considered enabled.
161 static int selinux_peerlbl_enabled(void)
163 return (selinux_policycap_alwaysnetwork
|| netlbl_enabled() || selinux_xfrm_enabled());
166 static int selinux_netcache_avc_callback(u32 event
)
168 if (event
== AVC_CALLBACK_RESET
) {
177 static int selinux_lsm_notifier_avc_callback(u32 event
)
179 if (event
== AVC_CALLBACK_RESET
) {
181 call_lsm_notifier(LSM_POLICY_CHANGE
, NULL
);
188 * initialise the security for the init task
190 static void cred_init_security(void)
192 struct cred
*cred
= (struct cred
*) current
->real_cred
;
193 struct task_security_struct
*tsec
;
195 tsec
= kzalloc(sizeof(struct task_security_struct
), GFP_KERNEL
);
197 panic("SELinux: Failed to initialize initial task.\n");
199 tsec
->osid
= tsec
->sid
= SECINITSID_KERNEL
;
200 cred
->security
= tsec
;
204 * get the security ID of a set of credentials
206 static inline u32
cred_sid(const struct cred
*cred
)
208 const struct task_security_struct
*tsec
;
210 tsec
= cred
->security
;
215 * get the objective security ID of a task
217 static inline u32
task_sid(const struct task_struct
*task
)
222 sid
= cred_sid(__task_cred(task
));
227 /* Allocate and free functions for each kind of security blob. */
229 static int inode_alloc_security(struct inode
*inode
)
231 struct inode_security_struct
*isec
;
232 u32 sid
= current_sid();
234 isec
= kmem_cache_zalloc(sel_inode_cache
, GFP_NOFS
);
238 spin_lock_init(&isec
->lock
);
239 INIT_LIST_HEAD(&isec
->list
);
241 isec
->sid
= SECINITSID_UNLABELED
;
242 isec
->sclass
= SECCLASS_FILE
;
243 isec
->task_sid
= sid
;
244 isec
->initialized
= LABEL_INVALID
;
245 inode
->i_security
= isec
;
250 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
);
253 * Try reloading inode security labels that have been marked as invalid. The
254 * @may_sleep parameter indicates when sleeping and thus reloading labels is
255 * allowed; when set to false, returns -ECHILD when the label is
256 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
257 * when no dentry is available, set it to NULL instead.
259 static int __inode_security_revalidate(struct inode
*inode
,
260 struct dentry
*opt_dentry
,
263 struct inode_security_struct
*isec
= inode
->i_security
;
265 might_sleep_if(may_sleep
);
267 if (ss_initialized
&& isec
->initialized
!= LABEL_INITIALIZED
) {
272 * Try reloading the inode security label. This will fail if
273 * @opt_dentry is NULL and no dentry for this inode can be
274 * found; in that case, continue using the old label.
276 inode_doinit_with_dentry(inode
, opt_dentry
);
281 static struct inode_security_struct
*inode_security_novalidate(struct inode
*inode
)
283 return inode
->i_security
;
286 static struct inode_security_struct
*inode_security_rcu(struct inode
*inode
, bool rcu
)
290 error
= __inode_security_revalidate(inode
, NULL
, !rcu
);
292 return ERR_PTR(error
);
293 return inode
->i_security
;
297 * Get the security label of an inode.
299 static struct inode_security_struct
*inode_security(struct inode
*inode
)
301 __inode_security_revalidate(inode
, NULL
, true);
302 return inode
->i_security
;
305 static struct inode_security_struct
*backing_inode_security_novalidate(struct dentry
*dentry
)
307 struct inode
*inode
= d_backing_inode(dentry
);
309 return inode
->i_security
;
313 * Get the security label of a dentry's backing inode.
315 static struct inode_security_struct
*backing_inode_security(struct dentry
*dentry
)
317 struct inode
*inode
= d_backing_inode(dentry
);
319 __inode_security_revalidate(inode
, dentry
, true);
320 return inode
->i_security
;
323 static void inode_free_rcu(struct rcu_head
*head
)
325 struct inode_security_struct
*isec
;
327 isec
= container_of(head
, struct inode_security_struct
, rcu
);
328 kmem_cache_free(sel_inode_cache
, isec
);
331 static void inode_free_security(struct inode
*inode
)
333 struct inode_security_struct
*isec
= inode
->i_security
;
334 struct superblock_security_struct
*sbsec
= inode
->i_sb
->s_security
;
337 * As not all inode security structures are in a list, we check for
338 * empty list outside of the lock to make sure that we won't waste
339 * time taking a lock doing nothing.
341 * The list_del_init() function can be safely called more than once.
342 * It should not be possible for this function to be called with
343 * concurrent list_add(), but for better safety against future changes
344 * in the code, we use list_empty_careful() here.
346 if (!list_empty_careful(&isec
->list
)) {
347 spin_lock(&sbsec
->isec_lock
);
348 list_del_init(&isec
->list
);
349 spin_unlock(&sbsec
->isec_lock
);
353 * The inode may still be referenced in a path walk and
354 * a call to selinux_inode_permission() can be made
355 * after inode_free_security() is called. Ideally, the VFS
356 * wouldn't do this, but fixing that is a much harder
357 * job. For now, simply free the i_security via RCU, and
358 * leave the current inode->i_security pointer intact.
359 * The inode will be freed after the RCU grace period too.
361 call_rcu(&isec
->rcu
, inode_free_rcu
);
364 static int file_alloc_security(struct file
*file
)
366 struct file_security_struct
*fsec
;
367 u32 sid
= current_sid();
369 fsec
= kmem_cache_zalloc(file_security_cache
, GFP_KERNEL
);
374 fsec
->fown_sid
= sid
;
375 file
->f_security
= fsec
;
380 static void file_free_security(struct file
*file
)
382 struct file_security_struct
*fsec
= file
->f_security
;
383 file
->f_security
= NULL
;
384 kmem_cache_free(file_security_cache
, fsec
);
387 static int superblock_alloc_security(struct super_block
*sb
)
389 struct superblock_security_struct
*sbsec
;
391 sbsec
= kzalloc(sizeof(struct superblock_security_struct
), GFP_KERNEL
);
395 mutex_init(&sbsec
->lock
);
396 INIT_LIST_HEAD(&sbsec
->isec_head
);
397 spin_lock_init(&sbsec
->isec_lock
);
399 sbsec
->sid
= SECINITSID_UNLABELED
;
400 sbsec
->def_sid
= SECINITSID_FILE
;
401 sbsec
->mntpoint_sid
= SECINITSID_UNLABELED
;
402 sb
->s_security
= sbsec
;
407 static void superblock_free_security(struct super_block
*sb
)
409 struct superblock_security_struct
*sbsec
= sb
->s_security
;
410 sb
->s_security
= NULL
;
414 static inline int inode_doinit(struct inode
*inode
)
416 return inode_doinit_with_dentry(inode
, NULL
);
425 Opt_labelsupport
= 5,
429 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
431 static const match_table_t tokens
= {
432 {Opt_context
, CONTEXT_STR
"%s"},
433 {Opt_fscontext
, FSCONTEXT_STR
"%s"},
434 {Opt_defcontext
, DEFCONTEXT_STR
"%s"},
435 {Opt_rootcontext
, ROOTCONTEXT_STR
"%s"},
436 {Opt_labelsupport
, LABELSUPP_STR
},
440 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
442 static int may_context_mount_sb_relabel(u32 sid
,
443 struct superblock_security_struct
*sbsec
,
444 const struct cred
*cred
)
446 const struct task_security_struct
*tsec
= cred
->security
;
449 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
450 FILESYSTEM__RELABELFROM
, NULL
);
454 rc
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_FILESYSTEM
,
455 FILESYSTEM__RELABELTO
, NULL
);
459 static int may_context_mount_inode_relabel(u32 sid
,
460 struct superblock_security_struct
*sbsec
,
461 const struct cred
*cred
)
463 const struct task_security_struct
*tsec
= cred
->security
;
465 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
466 FILESYSTEM__RELABELFROM
, NULL
);
470 rc
= avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
471 FILESYSTEM__ASSOCIATE
, NULL
);
475 static int selinux_is_sblabel_mnt(struct super_block
*sb
)
477 struct superblock_security_struct
*sbsec
= sb
->s_security
;
479 return sbsec
->behavior
== SECURITY_FS_USE_XATTR
||
480 sbsec
->behavior
== SECURITY_FS_USE_TRANS
||
481 sbsec
->behavior
== SECURITY_FS_USE_TASK
||
482 sbsec
->behavior
== SECURITY_FS_USE_NATIVE
||
483 /* Special handling. Genfs but also in-core setxattr handler */
484 !strcmp(sb
->s_type
->name
, "sysfs") ||
485 !strcmp(sb
->s_type
->name
, "pstore") ||
486 !strcmp(sb
->s_type
->name
, "debugfs") ||
487 !strcmp(sb
->s_type
->name
, "tracefs") ||
488 !strcmp(sb
->s_type
->name
, "rootfs") ||
489 (selinux_policycap_cgroupseclabel
&&
490 (!strcmp(sb
->s_type
->name
, "cgroup") ||
491 !strcmp(sb
->s_type
->name
, "cgroup2")));
494 static int sb_finish_set_opts(struct super_block
*sb
)
496 struct superblock_security_struct
*sbsec
= sb
->s_security
;
497 struct dentry
*root
= sb
->s_root
;
498 struct inode
*root_inode
= d_backing_inode(root
);
501 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
502 /* Make sure that the xattr handler exists and that no
503 error other than -ENODATA is returned by getxattr on
504 the root directory. -ENODATA is ok, as this may be
505 the first boot of the SELinux kernel before we have
506 assigned xattr values to the filesystem. */
507 if (!(root_inode
->i_opflags
& IOP_XATTR
)) {
508 printk(KERN_WARNING
"SELinux: (dev %s, type %s) has no "
509 "xattr support\n", sb
->s_id
, sb
->s_type
->name
);
514 rc
= __vfs_getxattr(root
, root_inode
, XATTR_NAME_SELINUX
, NULL
, 0);
515 if (rc
< 0 && rc
!= -ENODATA
) {
516 if (rc
== -EOPNOTSUPP
)
517 printk(KERN_WARNING
"SELinux: (dev %s, type "
518 "%s) has no security xattr handler\n",
519 sb
->s_id
, sb
->s_type
->name
);
521 printk(KERN_WARNING
"SELinux: (dev %s, type "
522 "%s) getxattr errno %d\n", sb
->s_id
,
523 sb
->s_type
->name
, -rc
);
528 sbsec
->flags
|= SE_SBINITIALIZED
;
531 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
532 * leave the flag untouched because sb_clone_mnt_opts might be handing
533 * us a superblock that needs the flag to be cleared.
535 if (selinux_is_sblabel_mnt(sb
))
536 sbsec
->flags
|= SBLABEL_MNT
;
538 sbsec
->flags
&= ~SBLABEL_MNT
;
540 /* Initialize the root inode. */
541 rc
= inode_doinit_with_dentry(root_inode
, root
);
543 /* Initialize any other inodes associated with the superblock, e.g.
544 inodes created prior to initial policy load or inodes created
545 during get_sb by a pseudo filesystem that directly
547 spin_lock(&sbsec
->isec_lock
);
549 if (!list_empty(&sbsec
->isec_head
)) {
550 struct inode_security_struct
*isec
=
551 list_entry(sbsec
->isec_head
.next
,
552 struct inode_security_struct
, list
);
553 struct inode
*inode
= isec
->inode
;
554 list_del_init(&isec
->list
);
555 spin_unlock(&sbsec
->isec_lock
);
556 inode
= igrab(inode
);
558 if (!IS_PRIVATE(inode
))
562 spin_lock(&sbsec
->isec_lock
);
565 spin_unlock(&sbsec
->isec_lock
);
571 * This function should allow an FS to ask what it's mount security
572 * options were so it can use those later for submounts, displaying
573 * mount options, or whatever.
575 static int selinux_get_mnt_opts(const struct super_block
*sb
,
576 struct security_mnt_opts
*opts
)
579 struct superblock_security_struct
*sbsec
= sb
->s_security
;
580 char *context
= NULL
;
584 security_init_mnt_opts(opts
);
586 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
592 /* make sure we always check enough bits to cover the mask */
593 BUILD_BUG_ON(SE_MNTMASK
>= (1 << NUM_SEL_MNT_OPTS
));
595 tmp
= sbsec
->flags
& SE_MNTMASK
;
596 /* count the number of mount options for this sb */
597 for (i
= 0; i
< NUM_SEL_MNT_OPTS
; i
++) {
599 opts
->num_mnt_opts
++;
602 /* Check if the Label support flag is set */
603 if (sbsec
->flags
& SBLABEL_MNT
)
604 opts
->num_mnt_opts
++;
606 opts
->mnt_opts
= kcalloc(opts
->num_mnt_opts
, sizeof(char *), GFP_ATOMIC
);
607 if (!opts
->mnt_opts
) {
612 opts
->mnt_opts_flags
= kcalloc(opts
->num_mnt_opts
, sizeof(int), GFP_ATOMIC
);
613 if (!opts
->mnt_opts_flags
) {
619 if (sbsec
->flags
& FSCONTEXT_MNT
) {
620 rc
= security_sid_to_context(sbsec
->sid
, &context
, &len
);
623 opts
->mnt_opts
[i
] = context
;
624 opts
->mnt_opts_flags
[i
++] = FSCONTEXT_MNT
;
626 if (sbsec
->flags
& CONTEXT_MNT
) {
627 rc
= security_sid_to_context(sbsec
->mntpoint_sid
, &context
, &len
);
630 opts
->mnt_opts
[i
] = context
;
631 opts
->mnt_opts_flags
[i
++] = CONTEXT_MNT
;
633 if (sbsec
->flags
& DEFCONTEXT_MNT
) {
634 rc
= security_sid_to_context(sbsec
->def_sid
, &context
, &len
);
637 opts
->mnt_opts
[i
] = context
;
638 opts
->mnt_opts_flags
[i
++] = DEFCONTEXT_MNT
;
640 if (sbsec
->flags
& ROOTCONTEXT_MNT
) {
641 struct dentry
*root
= sbsec
->sb
->s_root
;
642 struct inode_security_struct
*isec
= backing_inode_security(root
);
644 rc
= security_sid_to_context(isec
->sid
, &context
, &len
);
647 opts
->mnt_opts
[i
] = context
;
648 opts
->mnt_opts_flags
[i
++] = ROOTCONTEXT_MNT
;
650 if (sbsec
->flags
& SBLABEL_MNT
) {
651 opts
->mnt_opts
[i
] = NULL
;
652 opts
->mnt_opts_flags
[i
++] = SBLABEL_MNT
;
655 BUG_ON(i
!= opts
->num_mnt_opts
);
660 security_free_mnt_opts(opts
);
664 static int bad_option(struct superblock_security_struct
*sbsec
, char flag
,
665 u32 old_sid
, u32 new_sid
)
667 char mnt_flags
= sbsec
->flags
& SE_MNTMASK
;
669 /* check if the old mount command had the same options */
670 if (sbsec
->flags
& SE_SBINITIALIZED
)
671 if (!(sbsec
->flags
& flag
) ||
672 (old_sid
!= new_sid
))
675 /* check if we were passed the same options twice,
676 * aka someone passed context=a,context=b
678 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
679 if (mnt_flags
& flag
)
685 * Allow filesystems with binary mount data to explicitly set mount point
686 * labeling information.
688 static int selinux_set_mnt_opts(struct super_block
*sb
,
689 struct security_mnt_opts
*opts
,
690 unsigned long kern_flags
,
691 unsigned long *set_kern_flags
)
693 const struct cred
*cred
= current_cred();
695 struct superblock_security_struct
*sbsec
= sb
->s_security
;
696 const char *name
= sb
->s_type
->name
;
697 struct dentry
*root
= sbsec
->sb
->s_root
;
698 struct inode_security_struct
*root_isec
;
699 u32 fscontext_sid
= 0, context_sid
= 0, rootcontext_sid
= 0;
700 u32 defcontext_sid
= 0;
701 char **mount_options
= opts
->mnt_opts
;
702 int *flags
= opts
->mnt_opts_flags
;
703 int num_opts
= opts
->num_mnt_opts
;
705 mutex_lock(&sbsec
->lock
);
707 if (!ss_initialized
) {
709 /* Defer initialization until selinux_complete_init,
710 after the initial policy is loaded and the security
711 server is ready to handle calls. */
715 printk(KERN_WARNING
"SELinux: Unable to set superblock options "
716 "before the security server is initialized\n");
719 if (kern_flags
&& !set_kern_flags
) {
720 /* Specifying internal flags without providing a place to
721 * place the results is not allowed */
727 * Binary mount data FS will come through this function twice. Once
728 * from an explicit call and once from the generic calls from the vfs.
729 * Since the generic VFS calls will not contain any security mount data
730 * we need to skip the double mount verification.
732 * This does open a hole in which we will not notice if the first
733 * mount using this sb set explict options and a second mount using
734 * this sb does not set any security options. (The first options
735 * will be used for both mounts)
737 if ((sbsec
->flags
& SE_SBINITIALIZED
) && (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
741 root_isec
= backing_inode_security_novalidate(root
);
744 * parse the mount options, check if they are valid sids.
745 * also check if someone is trying to mount the same sb more
746 * than once with different security options.
748 for (i
= 0; i
< num_opts
; i
++) {
751 if (flags
[i
] == SBLABEL_MNT
)
753 rc
= security_context_str_to_sid(mount_options
[i
], &sid
, GFP_KERNEL
);
755 printk(KERN_WARNING
"SELinux: security_context_str_to_sid"
756 "(%s) failed for (dev %s, type %s) errno=%d\n",
757 mount_options
[i
], sb
->s_id
, name
, rc
);
764 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
,
766 goto out_double_mount
;
768 sbsec
->flags
|= FSCONTEXT_MNT
;
773 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
,
775 goto out_double_mount
;
777 sbsec
->flags
|= CONTEXT_MNT
;
779 case ROOTCONTEXT_MNT
:
780 rootcontext_sid
= sid
;
782 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
,
784 goto out_double_mount
;
786 sbsec
->flags
|= ROOTCONTEXT_MNT
;
790 defcontext_sid
= sid
;
792 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
,
794 goto out_double_mount
;
796 sbsec
->flags
|= DEFCONTEXT_MNT
;
805 if (sbsec
->flags
& SE_SBINITIALIZED
) {
806 /* previously mounted with options, but not on this attempt? */
807 if ((sbsec
->flags
& SE_MNTMASK
) && !num_opts
)
808 goto out_double_mount
;
813 if (strcmp(sb
->s_type
->name
, "proc") == 0)
814 sbsec
->flags
|= SE_SBPROC
| SE_SBGENFS
;
816 if (!strcmp(sb
->s_type
->name
, "debugfs") ||
817 !strcmp(sb
->s_type
->name
, "tracefs") ||
818 !strcmp(sb
->s_type
->name
, "sysfs") ||
819 !strcmp(sb
->s_type
->name
, "pstore") ||
820 !strcmp(sb
->s_type
->name
, "cgroup") ||
821 !strcmp(sb
->s_type
->name
, "cgroup2"))
822 sbsec
->flags
|= SE_SBGENFS
;
824 if (!sbsec
->behavior
) {
826 * Determine the labeling behavior to use for this
829 rc
= security_fs_use(sb
);
832 "%s: security_fs_use(%s) returned %d\n",
833 __func__
, sb
->s_type
->name
, rc
);
839 * If this is a user namespace mount and the filesystem type is not
840 * explicitly whitelisted, then no contexts are allowed on the command
841 * line and security labels must be ignored.
843 if (sb
->s_user_ns
!= &init_user_ns
&&
844 strcmp(sb
->s_type
->name
, "tmpfs") &&
845 strcmp(sb
->s_type
->name
, "ramfs") &&
846 strcmp(sb
->s_type
->name
, "devpts")) {
847 if (context_sid
|| fscontext_sid
|| rootcontext_sid
||
852 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
853 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
854 rc
= security_transition_sid(current_sid(), current_sid(),
856 &sbsec
->mntpoint_sid
);
863 /* sets the context of the superblock for the fs being mounted. */
865 rc
= may_context_mount_sb_relabel(fscontext_sid
, sbsec
, cred
);
869 sbsec
->sid
= fscontext_sid
;
873 * Switch to using mount point labeling behavior.
874 * sets the label used on all file below the mountpoint, and will set
875 * the superblock context if not already set.
877 if (kern_flags
& SECURITY_LSM_NATIVE_LABELS
&& !context_sid
) {
878 sbsec
->behavior
= SECURITY_FS_USE_NATIVE
;
879 *set_kern_flags
|= SECURITY_LSM_NATIVE_LABELS
;
883 if (!fscontext_sid
) {
884 rc
= may_context_mount_sb_relabel(context_sid
, sbsec
,
888 sbsec
->sid
= context_sid
;
890 rc
= may_context_mount_inode_relabel(context_sid
, sbsec
,
895 if (!rootcontext_sid
)
896 rootcontext_sid
= context_sid
;
898 sbsec
->mntpoint_sid
= context_sid
;
899 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
902 if (rootcontext_sid
) {
903 rc
= may_context_mount_inode_relabel(rootcontext_sid
, sbsec
,
908 root_isec
->sid
= rootcontext_sid
;
909 root_isec
->initialized
= LABEL_INITIALIZED
;
912 if (defcontext_sid
) {
913 if (sbsec
->behavior
!= SECURITY_FS_USE_XATTR
&&
914 sbsec
->behavior
!= SECURITY_FS_USE_NATIVE
) {
916 printk(KERN_WARNING
"SELinux: defcontext option is "
917 "invalid for this filesystem type\n");
921 if (defcontext_sid
!= sbsec
->def_sid
) {
922 rc
= may_context_mount_inode_relabel(defcontext_sid
,
928 sbsec
->def_sid
= defcontext_sid
;
932 rc
= sb_finish_set_opts(sb
);
934 mutex_unlock(&sbsec
->lock
);
938 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, different "
939 "security settings for (dev %s, type %s)\n", sb
->s_id
, name
);
943 static int selinux_cmp_sb_context(const struct super_block
*oldsb
,
944 const struct super_block
*newsb
)
946 struct superblock_security_struct
*old
= oldsb
->s_security
;
947 struct superblock_security_struct
*new = newsb
->s_security
;
948 char oldflags
= old
->flags
& SE_MNTMASK
;
949 char newflags
= new->flags
& SE_MNTMASK
;
951 if (oldflags
!= newflags
)
953 if ((oldflags
& FSCONTEXT_MNT
) && old
->sid
!= new->sid
)
955 if ((oldflags
& CONTEXT_MNT
) && old
->mntpoint_sid
!= new->mntpoint_sid
)
957 if ((oldflags
& DEFCONTEXT_MNT
) && old
->def_sid
!= new->def_sid
)
959 if (oldflags
& ROOTCONTEXT_MNT
) {
960 struct inode_security_struct
*oldroot
= backing_inode_security(oldsb
->s_root
);
961 struct inode_security_struct
*newroot
= backing_inode_security(newsb
->s_root
);
962 if (oldroot
->sid
!= newroot
->sid
)
967 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, "
968 "different security settings for (dev %s, "
969 "type %s)\n", newsb
->s_id
, newsb
->s_type
->name
);
973 static int selinux_sb_clone_mnt_opts(const struct super_block
*oldsb
,
974 struct super_block
*newsb
,
975 unsigned long kern_flags
,
976 unsigned long *set_kern_flags
)
979 const struct superblock_security_struct
*oldsbsec
= oldsb
->s_security
;
980 struct superblock_security_struct
*newsbsec
= newsb
->s_security
;
982 int set_fscontext
= (oldsbsec
->flags
& FSCONTEXT_MNT
);
983 int set_context
= (oldsbsec
->flags
& CONTEXT_MNT
);
984 int set_rootcontext
= (oldsbsec
->flags
& ROOTCONTEXT_MNT
);
987 * if the parent was able to be mounted it clearly had no special lsm
988 * mount options. thus we can safely deal with this superblock later
994 * Specifying internal flags without providing a place to
995 * place the results is not allowed.
997 if (kern_flags
&& !set_kern_flags
)
1000 /* how can we clone if the old one wasn't set up?? */
1001 BUG_ON(!(oldsbsec
->flags
& SE_SBINITIALIZED
));
1003 /* if fs is reusing a sb, make sure that the contexts match */
1004 if (newsbsec
->flags
& SE_SBINITIALIZED
)
1005 return selinux_cmp_sb_context(oldsb
, newsb
);
1007 mutex_lock(&newsbsec
->lock
);
1009 newsbsec
->flags
= oldsbsec
->flags
;
1011 newsbsec
->sid
= oldsbsec
->sid
;
1012 newsbsec
->def_sid
= oldsbsec
->def_sid
;
1013 newsbsec
->behavior
= oldsbsec
->behavior
;
1015 if (newsbsec
->behavior
== SECURITY_FS_USE_NATIVE
&&
1016 !(kern_flags
& SECURITY_LSM_NATIVE_LABELS
) && !set_context
) {
1017 rc
= security_fs_use(newsb
);
1022 if (kern_flags
& SECURITY_LSM_NATIVE_LABELS
&& !set_context
) {
1023 newsbsec
->behavior
= SECURITY_FS_USE_NATIVE
;
1024 *set_kern_flags
|= SECURITY_LSM_NATIVE_LABELS
;
1028 u32 sid
= oldsbsec
->mntpoint_sid
;
1031 newsbsec
->sid
= sid
;
1032 if (!set_rootcontext
) {
1033 struct inode_security_struct
*newisec
= backing_inode_security(newsb
->s_root
);
1036 newsbsec
->mntpoint_sid
= sid
;
1038 if (set_rootcontext
) {
1039 const struct inode_security_struct
*oldisec
= backing_inode_security(oldsb
->s_root
);
1040 struct inode_security_struct
*newisec
= backing_inode_security(newsb
->s_root
);
1042 newisec
->sid
= oldisec
->sid
;
1045 sb_finish_set_opts(newsb
);
1047 mutex_unlock(&newsbsec
->lock
);
1051 static int selinux_parse_opts_str(char *options
,
1052 struct security_mnt_opts
*opts
)
1055 char *context
= NULL
, *defcontext
= NULL
;
1056 char *fscontext
= NULL
, *rootcontext
= NULL
;
1057 int rc
, num_mnt_opts
= 0;
1059 opts
->num_mnt_opts
= 0;
1061 /* Standard string-based options. */
1062 while ((p
= strsep(&options
, "|")) != NULL
) {
1064 substring_t args
[MAX_OPT_ARGS
];
1069 token
= match_token(p
, tokens
, args
);
1073 if (context
|| defcontext
) {
1075 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1078 context
= match_strdup(&args
[0]);
1088 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1091 fscontext
= match_strdup(&args
[0]);
1098 case Opt_rootcontext
:
1101 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1104 rootcontext
= match_strdup(&args
[0]);
1111 case Opt_defcontext
:
1112 if (context
|| defcontext
) {
1114 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1117 defcontext
= match_strdup(&args
[0]);
1123 case Opt_labelsupport
:
1127 printk(KERN_WARNING
"SELinux: unknown mount option\n");
1134 opts
->mnt_opts
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(char *), GFP_KERNEL
);
1135 if (!opts
->mnt_opts
)
1138 opts
->mnt_opts_flags
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(int),
1140 if (!opts
->mnt_opts_flags
)
1144 opts
->mnt_opts
[num_mnt_opts
] = fscontext
;
1145 opts
->mnt_opts_flags
[num_mnt_opts
++] = FSCONTEXT_MNT
;
1148 opts
->mnt_opts
[num_mnt_opts
] = context
;
1149 opts
->mnt_opts_flags
[num_mnt_opts
++] = CONTEXT_MNT
;
1152 opts
->mnt_opts
[num_mnt_opts
] = rootcontext
;
1153 opts
->mnt_opts_flags
[num_mnt_opts
++] = ROOTCONTEXT_MNT
;
1156 opts
->mnt_opts
[num_mnt_opts
] = defcontext
;
1157 opts
->mnt_opts_flags
[num_mnt_opts
++] = DEFCONTEXT_MNT
;
1160 opts
->num_mnt_opts
= num_mnt_opts
;
1164 security_free_mnt_opts(opts
);
1172 * string mount options parsing and call set the sbsec
1174 static int superblock_doinit(struct super_block
*sb
, void *data
)
1177 char *options
= data
;
1178 struct security_mnt_opts opts
;
1180 security_init_mnt_opts(&opts
);
1185 BUG_ON(sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
);
1187 rc
= selinux_parse_opts_str(options
, &opts
);
1192 rc
= selinux_set_mnt_opts(sb
, &opts
, 0, NULL
);
1195 security_free_mnt_opts(&opts
);
1199 static void selinux_write_opts(struct seq_file
*m
,
1200 struct security_mnt_opts
*opts
)
1205 for (i
= 0; i
< opts
->num_mnt_opts
; i
++) {
1208 if (opts
->mnt_opts
[i
])
1209 has_comma
= strchr(opts
->mnt_opts
[i
], ',');
1213 switch (opts
->mnt_opts_flags
[i
]) {
1215 prefix
= CONTEXT_STR
;
1218 prefix
= FSCONTEXT_STR
;
1220 case ROOTCONTEXT_MNT
:
1221 prefix
= ROOTCONTEXT_STR
;
1223 case DEFCONTEXT_MNT
:
1224 prefix
= DEFCONTEXT_STR
;
1228 seq_puts(m
, LABELSUPP_STR
);
1234 /* we need a comma before each option */
1236 seq_puts(m
, prefix
);
1239 seq_escape(m
, opts
->mnt_opts
[i
], "\"\n\\");
1245 static int selinux_sb_show_options(struct seq_file
*m
, struct super_block
*sb
)
1247 struct security_mnt_opts opts
;
1250 rc
= selinux_get_mnt_opts(sb
, &opts
);
1252 /* before policy load we may get EINVAL, don't show anything */
1258 selinux_write_opts(m
, &opts
);
1260 security_free_mnt_opts(&opts
);
1265 static inline u16
inode_mode_to_security_class(umode_t mode
)
1267 switch (mode
& S_IFMT
) {
1269 return SECCLASS_SOCK_FILE
;
1271 return SECCLASS_LNK_FILE
;
1273 return SECCLASS_FILE
;
1275 return SECCLASS_BLK_FILE
;
1277 return SECCLASS_DIR
;
1279 return SECCLASS_CHR_FILE
;
1281 return SECCLASS_FIFO_FILE
;
1285 return SECCLASS_FILE
;
1288 static inline int default_protocol_stream(int protocol
)
1290 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_TCP
);
1293 static inline int default_protocol_dgram(int protocol
)
1295 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_UDP
);
1298 static inline u16
socket_type_to_security_class(int family
, int type
, int protocol
)
1300 int extsockclass
= selinux_policycap_extsockclass
;
1306 case SOCK_SEQPACKET
:
1307 return SECCLASS_UNIX_STREAM_SOCKET
;
1310 return SECCLASS_UNIX_DGRAM_SOCKET
;
1317 case SOCK_SEQPACKET
:
1318 if (default_protocol_stream(protocol
))
1319 return SECCLASS_TCP_SOCKET
;
1320 else if (extsockclass
&& protocol
== IPPROTO_SCTP
)
1321 return SECCLASS_SCTP_SOCKET
;
1323 return SECCLASS_RAWIP_SOCKET
;
1325 if (default_protocol_dgram(protocol
))
1326 return SECCLASS_UDP_SOCKET
;
1327 else if (extsockclass
&& (protocol
== IPPROTO_ICMP
||
1328 protocol
== IPPROTO_ICMPV6
))
1329 return SECCLASS_ICMP_SOCKET
;
1331 return SECCLASS_RAWIP_SOCKET
;
1333 return SECCLASS_DCCP_SOCKET
;
1335 return SECCLASS_RAWIP_SOCKET
;
1341 return SECCLASS_NETLINK_ROUTE_SOCKET
;
1342 case NETLINK_SOCK_DIAG
:
1343 return SECCLASS_NETLINK_TCPDIAG_SOCKET
;
1345 return SECCLASS_NETLINK_NFLOG_SOCKET
;
1347 return SECCLASS_NETLINK_XFRM_SOCKET
;
1348 case NETLINK_SELINUX
:
1349 return SECCLASS_NETLINK_SELINUX_SOCKET
;
1351 return SECCLASS_NETLINK_ISCSI_SOCKET
;
1353 return SECCLASS_NETLINK_AUDIT_SOCKET
;
1354 case NETLINK_FIB_LOOKUP
:
1355 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET
;
1356 case NETLINK_CONNECTOR
:
1357 return SECCLASS_NETLINK_CONNECTOR_SOCKET
;
1358 case NETLINK_NETFILTER
:
1359 return SECCLASS_NETLINK_NETFILTER_SOCKET
;
1360 case NETLINK_DNRTMSG
:
1361 return SECCLASS_NETLINK_DNRT_SOCKET
;
1362 case NETLINK_KOBJECT_UEVENT
:
1363 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET
;
1364 case NETLINK_GENERIC
:
1365 return SECCLASS_NETLINK_GENERIC_SOCKET
;
1366 case NETLINK_SCSITRANSPORT
:
1367 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET
;
1369 return SECCLASS_NETLINK_RDMA_SOCKET
;
1370 case NETLINK_CRYPTO
:
1371 return SECCLASS_NETLINK_CRYPTO_SOCKET
;
1373 return SECCLASS_NETLINK_SOCKET
;
1376 return SECCLASS_PACKET_SOCKET
;
1378 return SECCLASS_KEY_SOCKET
;
1380 return SECCLASS_APPLETALK_SOCKET
;
1386 return SECCLASS_AX25_SOCKET
;
1388 return SECCLASS_IPX_SOCKET
;
1390 return SECCLASS_NETROM_SOCKET
;
1392 return SECCLASS_ATMPVC_SOCKET
;
1394 return SECCLASS_X25_SOCKET
;
1396 return SECCLASS_ROSE_SOCKET
;
1398 return SECCLASS_DECNET_SOCKET
;
1400 return SECCLASS_ATMSVC_SOCKET
;
1402 return SECCLASS_RDS_SOCKET
;
1404 return SECCLASS_IRDA_SOCKET
;
1406 return SECCLASS_PPPOX_SOCKET
;
1408 return SECCLASS_LLC_SOCKET
;
1410 return SECCLASS_CAN_SOCKET
;
1412 return SECCLASS_TIPC_SOCKET
;
1414 return SECCLASS_BLUETOOTH_SOCKET
;
1416 return SECCLASS_IUCV_SOCKET
;
1418 return SECCLASS_RXRPC_SOCKET
;
1420 return SECCLASS_ISDN_SOCKET
;
1422 return SECCLASS_PHONET_SOCKET
;
1424 return SECCLASS_IEEE802154_SOCKET
;
1426 return SECCLASS_CAIF_SOCKET
;
1428 return SECCLASS_ALG_SOCKET
;
1430 return SECCLASS_NFC_SOCKET
;
1432 return SECCLASS_VSOCK_SOCKET
;
1434 return SECCLASS_KCM_SOCKET
;
1436 return SECCLASS_QIPCRTR_SOCKET
;
1438 return SECCLASS_SMC_SOCKET
;
1440 #error New address family defined, please update this function.
1445 return SECCLASS_SOCKET
;
1448 static int selinux_genfs_get_sid(struct dentry
*dentry
,
1454 struct super_block
*sb
= dentry
->d_sb
;
1455 char *buffer
, *path
;
1457 buffer
= (char *)__get_free_page(GFP_KERNEL
);
1461 path
= dentry_path_raw(dentry
, buffer
, PAGE_SIZE
);
1465 if (flags
& SE_SBPROC
) {
1466 /* each process gets a /proc/PID/ entry. Strip off the
1467 * PID part to get a valid selinux labeling.
1468 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1469 while (path
[1] >= '0' && path
[1] <= '9') {
1474 rc
= security_genfs_sid(sb
->s_type
->name
, path
, tclass
, sid
);
1476 free_page((unsigned long)buffer
);
1480 /* The inode's security attributes must be initialized before first use. */
1481 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
)
1483 struct superblock_security_struct
*sbsec
= NULL
;
1484 struct inode_security_struct
*isec
= inode
->i_security
;
1485 u32 task_sid
, sid
= 0;
1487 struct dentry
*dentry
;
1488 #define INITCONTEXTLEN 255
1489 char *context
= NULL
;
1493 if (isec
->initialized
== LABEL_INITIALIZED
)
1496 spin_lock(&isec
->lock
);
1497 if (isec
->initialized
== LABEL_INITIALIZED
)
1500 if (isec
->sclass
== SECCLASS_FILE
)
1501 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1503 sbsec
= inode
->i_sb
->s_security
;
1504 if (!(sbsec
->flags
& SE_SBINITIALIZED
)) {
1505 /* Defer initialization until selinux_complete_init,
1506 after the initial policy is loaded and the security
1507 server is ready to handle calls. */
1508 spin_lock(&sbsec
->isec_lock
);
1509 if (list_empty(&isec
->list
))
1510 list_add(&isec
->list
, &sbsec
->isec_head
);
1511 spin_unlock(&sbsec
->isec_lock
);
1515 sclass
= isec
->sclass
;
1516 task_sid
= isec
->task_sid
;
1518 isec
->initialized
= LABEL_PENDING
;
1519 spin_unlock(&isec
->lock
);
1521 switch (sbsec
->behavior
) {
1522 case SECURITY_FS_USE_NATIVE
:
1524 case SECURITY_FS_USE_XATTR
:
1525 if (!(inode
->i_opflags
& IOP_XATTR
)) {
1526 sid
= sbsec
->def_sid
;
1529 /* Need a dentry, since the xattr API requires one.
1530 Life would be simpler if we could just pass the inode. */
1532 /* Called from d_instantiate or d_splice_alias. */
1533 dentry
= dget(opt_dentry
);
1535 /* Called from selinux_complete_init, try to find a dentry. */
1536 dentry
= d_find_alias(inode
);
1540 * this is can be hit on boot when a file is accessed
1541 * before the policy is loaded. When we load policy we
1542 * may find inodes that have no dentry on the
1543 * sbsec->isec_head list. No reason to complain as these
1544 * will get fixed up the next time we go through
1545 * inode_doinit with a dentry, before these inodes could
1546 * be used again by userspace.
1551 len
= INITCONTEXTLEN
;
1552 context
= kmalloc(len
+1, GFP_NOFS
);
1558 context
[len
] = '\0';
1559 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, context
, len
);
1560 if (rc
== -ERANGE
) {
1563 /* Need a larger buffer. Query for the right size. */
1564 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, NULL
, 0);
1570 context
= kmalloc(len
+1, GFP_NOFS
);
1576 context
[len
] = '\0';
1577 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, context
, len
);
1581 if (rc
!= -ENODATA
) {
1582 printk(KERN_WARNING
"SELinux: %s: getxattr returned "
1583 "%d for dev=%s ino=%ld\n", __func__
,
1584 -rc
, inode
->i_sb
->s_id
, inode
->i_ino
);
1588 /* Map ENODATA to the default file SID */
1589 sid
= sbsec
->def_sid
;
1592 rc
= security_context_to_sid_default(context
, rc
, &sid
,
1596 char *dev
= inode
->i_sb
->s_id
;
1597 unsigned long ino
= inode
->i_ino
;
1599 if (rc
== -EINVAL
) {
1600 if (printk_ratelimit())
1601 printk(KERN_NOTICE
"SELinux: inode=%lu on dev=%s was found to have an invalid "
1602 "context=%s. This indicates you may need to relabel the inode or the "
1603 "filesystem in question.\n", ino
, dev
, context
);
1605 printk(KERN_WARNING
"SELinux: %s: context_to_sid(%s) "
1606 "returned %d for dev=%s ino=%ld\n",
1607 __func__
, context
, -rc
, dev
, ino
);
1610 /* Leave with the unlabeled SID */
1617 case SECURITY_FS_USE_TASK
:
1620 case SECURITY_FS_USE_TRANS
:
1621 /* Default to the fs SID. */
1624 /* Try to obtain a transition SID. */
1625 rc
= security_transition_sid(task_sid
, sid
, sclass
, NULL
, &sid
);
1629 case SECURITY_FS_USE_MNTPOINT
:
1630 sid
= sbsec
->mntpoint_sid
;
1633 /* Default to the fs superblock SID. */
1636 if ((sbsec
->flags
& SE_SBGENFS
) && !S_ISLNK(inode
->i_mode
)) {
1637 /* We must have a dentry to determine the label on
1640 /* Called from d_instantiate or
1641 * d_splice_alias. */
1642 dentry
= dget(opt_dentry
);
1644 /* Called from selinux_complete_init, try to
1646 dentry
= d_find_alias(inode
);
1648 * This can be hit on boot when a file is accessed
1649 * before the policy is loaded. When we load policy we
1650 * may find inodes that have no dentry on the
1651 * sbsec->isec_head list. No reason to complain as
1652 * these will get fixed up the next time we go through
1653 * inode_doinit() with a dentry, before these inodes
1654 * could be used again by userspace.
1658 rc
= selinux_genfs_get_sid(dentry
, sclass
,
1659 sbsec
->flags
, &sid
);
1668 spin_lock(&isec
->lock
);
1669 if (isec
->initialized
== LABEL_PENDING
) {
1671 isec
->initialized
= LABEL_INVALID
;
1675 isec
->initialized
= LABEL_INITIALIZED
;
1680 spin_unlock(&isec
->lock
);
1684 /* Convert a Linux signal to an access vector. */
1685 static inline u32
signal_to_av(int sig
)
1691 /* Commonly granted from child to parent. */
1692 perm
= PROCESS__SIGCHLD
;
1695 /* Cannot be caught or ignored */
1696 perm
= PROCESS__SIGKILL
;
1699 /* Cannot be caught or ignored */
1700 perm
= PROCESS__SIGSTOP
;
1703 /* All other signals. */
1704 perm
= PROCESS__SIGNAL
;
1711 #if CAP_LAST_CAP > 63
1712 #error Fix SELinux to handle capabilities > 63.
1715 /* Check whether a task is allowed to use a capability. */
1716 static int cred_has_capability(const struct cred
*cred
,
1717 int cap
, int audit
, bool initns
)
1719 struct common_audit_data ad
;
1720 struct av_decision avd
;
1722 u32 sid
= cred_sid(cred
);
1723 u32 av
= CAP_TO_MASK(cap
);
1726 ad
.type
= LSM_AUDIT_DATA_CAP
;
1729 switch (CAP_TO_INDEX(cap
)) {
1731 sclass
= initns
? SECCLASS_CAPABILITY
: SECCLASS_CAP_USERNS
;
1734 sclass
= initns
? SECCLASS_CAPABILITY2
: SECCLASS_CAP2_USERNS
;
1738 "SELinux: out of range capability %d\n", cap
);
1743 rc
= avc_has_perm_noaudit(sid
, sid
, sclass
, av
, 0, &avd
);
1744 if (audit
== SECURITY_CAP_AUDIT
) {
1745 int rc2
= avc_audit(sid
, sid
, sclass
, av
, &avd
, rc
, &ad
, 0);
1752 /* Check whether a task has a particular permission to an inode.
1753 The 'adp' parameter is optional and allows other audit
1754 data to be passed (e.g. the dentry). */
1755 static int inode_has_perm(const struct cred
*cred
,
1756 struct inode
*inode
,
1758 struct common_audit_data
*adp
)
1760 struct inode_security_struct
*isec
;
1763 validate_creds(cred
);
1765 if (unlikely(IS_PRIVATE(inode
)))
1768 sid
= cred_sid(cred
);
1769 isec
= inode
->i_security
;
1771 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, adp
);
1774 /* Same as inode_has_perm, but pass explicit audit data containing
1775 the dentry to help the auditing code to more easily generate the
1776 pathname if needed. */
1777 static inline int dentry_has_perm(const struct cred
*cred
,
1778 struct dentry
*dentry
,
1781 struct inode
*inode
= d_backing_inode(dentry
);
1782 struct common_audit_data ad
;
1784 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1785 ad
.u
.dentry
= dentry
;
1786 __inode_security_revalidate(inode
, dentry
, true);
1787 return inode_has_perm(cred
, inode
, av
, &ad
);
1790 /* Same as inode_has_perm, but pass explicit audit data containing
1791 the path to help the auditing code to more easily generate the
1792 pathname if needed. */
1793 static inline int path_has_perm(const struct cred
*cred
,
1794 const struct path
*path
,
1797 struct inode
*inode
= d_backing_inode(path
->dentry
);
1798 struct common_audit_data ad
;
1800 ad
.type
= LSM_AUDIT_DATA_PATH
;
1802 __inode_security_revalidate(inode
, path
->dentry
, true);
1803 return inode_has_perm(cred
, inode
, av
, &ad
);
1806 /* Same as path_has_perm, but uses the inode from the file struct. */
1807 static inline int file_path_has_perm(const struct cred
*cred
,
1811 struct common_audit_data ad
;
1813 ad
.type
= LSM_AUDIT_DATA_FILE
;
1815 return inode_has_perm(cred
, file_inode(file
), av
, &ad
);
1818 #ifdef CONFIG_BPF_SYSCALL
1819 static int bpf_fd_pass(struct file
*file
, u32 sid
);
1822 /* Check whether a task can use an open file descriptor to
1823 access an inode in a given way. Check access to the
1824 descriptor itself, and then use dentry_has_perm to
1825 check a particular permission to the file.
1826 Access to the descriptor is implicitly granted if it
1827 has the same SID as the process. If av is zero, then
1828 access to the file is not checked, e.g. for cases
1829 where only the descriptor is affected like seek. */
1830 static int file_has_perm(const struct cred
*cred
,
1834 struct file_security_struct
*fsec
= file
->f_security
;
1835 struct inode
*inode
= file_inode(file
);
1836 struct common_audit_data ad
;
1837 u32 sid
= cred_sid(cred
);
1840 ad
.type
= LSM_AUDIT_DATA_FILE
;
1843 if (sid
!= fsec
->sid
) {
1844 rc
= avc_has_perm(sid
, fsec
->sid
,
1852 #ifdef CONFIG_BPF_SYSCALL
1853 rc
= bpf_fd_pass(file
, cred_sid(cred
));
1858 /* av is zero if only checking access to the descriptor. */
1861 rc
= inode_has_perm(cred
, inode
, av
, &ad
);
1868 * Determine the label for an inode that might be unioned.
1871 selinux_determine_inode_label(const struct task_security_struct
*tsec
,
1873 const struct qstr
*name
, u16 tclass
,
1876 const struct superblock_security_struct
*sbsec
= dir
->i_sb
->s_security
;
1878 if ((sbsec
->flags
& SE_SBINITIALIZED
) &&
1879 (sbsec
->behavior
== SECURITY_FS_USE_MNTPOINT
)) {
1880 *_new_isid
= sbsec
->mntpoint_sid
;
1881 } else if ((sbsec
->flags
& SBLABEL_MNT
) &&
1883 *_new_isid
= tsec
->create_sid
;
1885 const struct inode_security_struct
*dsec
= inode_security(dir
);
1886 return security_transition_sid(tsec
->sid
, dsec
->sid
, tclass
,
1893 /* Check whether a task can create a file. */
1894 static int may_create(struct inode
*dir
,
1895 struct dentry
*dentry
,
1898 const struct task_security_struct
*tsec
= current_security();
1899 struct inode_security_struct
*dsec
;
1900 struct superblock_security_struct
*sbsec
;
1902 struct common_audit_data ad
;
1905 dsec
= inode_security(dir
);
1906 sbsec
= dir
->i_sb
->s_security
;
1910 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1911 ad
.u
.dentry
= dentry
;
1913 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
,
1914 DIR__ADD_NAME
| DIR__SEARCH
,
1919 rc
= selinux_determine_inode_label(current_security(), dir
,
1920 &dentry
->d_name
, tclass
, &newsid
);
1924 rc
= avc_has_perm(sid
, newsid
, tclass
, FILE__CREATE
, &ad
);
1928 return avc_has_perm(newsid
, sbsec
->sid
,
1929 SECCLASS_FILESYSTEM
,
1930 FILESYSTEM__ASSOCIATE
, &ad
);
1934 #define MAY_UNLINK 1
1937 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1938 static int may_link(struct inode
*dir
,
1939 struct dentry
*dentry
,
1943 struct inode_security_struct
*dsec
, *isec
;
1944 struct common_audit_data ad
;
1945 u32 sid
= current_sid();
1949 dsec
= inode_security(dir
);
1950 isec
= backing_inode_security(dentry
);
1952 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1953 ad
.u
.dentry
= dentry
;
1956 av
|= (kind
? DIR__REMOVE_NAME
: DIR__ADD_NAME
);
1957 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1972 printk(KERN_WARNING
"SELinux: %s: unrecognized kind %d\n",
1977 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
, av
, &ad
);
1981 static inline int may_rename(struct inode
*old_dir
,
1982 struct dentry
*old_dentry
,
1983 struct inode
*new_dir
,
1984 struct dentry
*new_dentry
)
1986 struct inode_security_struct
*old_dsec
, *new_dsec
, *old_isec
, *new_isec
;
1987 struct common_audit_data ad
;
1988 u32 sid
= current_sid();
1990 int old_is_dir
, new_is_dir
;
1993 old_dsec
= inode_security(old_dir
);
1994 old_isec
= backing_inode_security(old_dentry
);
1995 old_is_dir
= d_is_dir(old_dentry
);
1996 new_dsec
= inode_security(new_dir
);
1998 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2000 ad
.u
.dentry
= old_dentry
;
2001 rc
= avc_has_perm(sid
, old_dsec
->sid
, SECCLASS_DIR
,
2002 DIR__REMOVE_NAME
| DIR__SEARCH
, &ad
);
2005 rc
= avc_has_perm(sid
, old_isec
->sid
,
2006 old_isec
->sclass
, FILE__RENAME
, &ad
);
2009 if (old_is_dir
&& new_dir
!= old_dir
) {
2010 rc
= avc_has_perm(sid
, old_isec
->sid
,
2011 old_isec
->sclass
, DIR__REPARENT
, &ad
);
2016 ad
.u
.dentry
= new_dentry
;
2017 av
= DIR__ADD_NAME
| DIR__SEARCH
;
2018 if (d_is_positive(new_dentry
))
2019 av
|= DIR__REMOVE_NAME
;
2020 rc
= avc_has_perm(sid
, new_dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
2023 if (d_is_positive(new_dentry
)) {
2024 new_isec
= backing_inode_security(new_dentry
);
2025 new_is_dir
= d_is_dir(new_dentry
);
2026 rc
= avc_has_perm(sid
, new_isec
->sid
,
2028 (new_is_dir
? DIR__RMDIR
: FILE__UNLINK
), &ad
);
2036 /* Check whether a task can perform a filesystem operation. */
2037 static int superblock_has_perm(const struct cred
*cred
,
2038 struct super_block
*sb
,
2040 struct common_audit_data
*ad
)
2042 struct superblock_security_struct
*sbsec
;
2043 u32 sid
= cred_sid(cred
);
2045 sbsec
= sb
->s_security
;
2046 return avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
, perms
, ad
);
2049 /* Convert a Linux mode and permission mask to an access vector. */
2050 static inline u32
file_mask_to_av(int mode
, int mask
)
2054 if (!S_ISDIR(mode
)) {
2055 if (mask
& MAY_EXEC
)
2056 av
|= FILE__EXECUTE
;
2057 if (mask
& MAY_READ
)
2060 if (mask
& MAY_APPEND
)
2062 else if (mask
& MAY_WRITE
)
2066 if (mask
& MAY_EXEC
)
2068 if (mask
& MAY_WRITE
)
2070 if (mask
& MAY_READ
)
2077 /* Convert a Linux file to an access vector. */
2078 static inline u32
file_to_av(struct file
*file
)
2082 if (file
->f_mode
& FMODE_READ
)
2084 if (file
->f_mode
& FMODE_WRITE
) {
2085 if (file
->f_flags
& O_APPEND
)
2092 * Special file opened with flags 3 for ioctl-only use.
2101 * Convert a file to an access vector and include the correct open
2104 static inline u32
open_file_to_av(struct file
*file
)
2106 u32 av
= file_to_av(file
);
2107 struct inode
*inode
= file_inode(file
);
2109 if (selinux_policycap_openperm
&& inode
->i_sb
->s_magic
!= SOCKFS_MAGIC
)
2115 /* Hook functions begin here. */
2117 static int selinux_binder_set_context_mgr(struct task_struct
*mgr
)
2119 u32 mysid
= current_sid();
2120 u32 mgrsid
= task_sid(mgr
);
2122 return avc_has_perm(mysid
, mgrsid
, SECCLASS_BINDER
,
2123 BINDER__SET_CONTEXT_MGR
, NULL
);
2126 static int selinux_binder_transaction(struct task_struct
*from
,
2127 struct task_struct
*to
)
2129 u32 mysid
= current_sid();
2130 u32 fromsid
= task_sid(from
);
2131 u32 tosid
= task_sid(to
);
2134 if (mysid
!= fromsid
) {
2135 rc
= avc_has_perm(mysid
, fromsid
, SECCLASS_BINDER
,
2136 BINDER__IMPERSONATE
, NULL
);
2141 return avc_has_perm(fromsid
, tosid
, SECCLASS_BINDER
, BINDER__CALL
,
2145 static int selinux_binder_transfer_binder(struct task_struct
*from
,
2146 struct task_struct
*to
)
2148 u32 fromsid
= task_sid(from
);
2149 u32 tosid
= task_sid(to
);
2151 return avc_has_perm(fromsid
, tosid
, SECCLASS_BINDER
, BINDER__TRANSFER
,
2155 static int selinux_binder_transfer_file(struct task_struct
*from
,
2156 struct task_struct
*to
,
2159 u32 sid
= task_sid(to
);
2160 struct file_security_struct
*fsec
= file
->f_security
;
2161 struct dentry
*dentry
= file
->f_path
.dentry
;
2162 struct inode_security_struct
*isec
;
2163 struct common_audit_data ad
;
2166 ad
.type
= LSM_AUDIT_DATA_PATH
;
2167 ad
.u
.path
= file
->f_path
;
2169 if (sid
!= fsec
->sid
) {
2170 rc
= avc_has_perm(sid
, fsec
->sid
,
2178 #ifdef CONFIG_BPF_SYSCALL
2179 rc
= bpf_fd_pass(file
, sid
);
2184 if (unlikely(IS_PRIVATE(d_backing_inode(dentry
))))
2187 isec
= backing_inode_security(dentry
);
2188 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, file_to_av(file
),
2192 static int selinux_ptrace_access_check(struct task_struct
*child
,
2195 u32 sid
= current_sid();
2196 u32 csid
= task_sid(child
);
2198 if (mode
& PTRACE_MODE_READ
)
2199 return avc_has_perm(sid
, csid
, SECCLASS_FILE
, FILE__READ
, NULL
);
2201 return avc_has_perm(sid
, csid
, SECCLASS_PROCESS
, PROCESS__PTRACE
, NULL
);
2204 static int selinux_ptrace_traceme(struct task_struct
*parent
)
2206 return avc_has_perm(task_sid(parent
), current_sid(), SECCLASS_PROCESS
,
2207 PROCESS__PTRACE
, NULL
);
2210 static int selinux_capget(struct task_struct
*target
, kernel_cap_t
*effective
,
2211 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
2213 return avc_has_perm(current_sid(), task_sid(target
), SECCLASS_PROCESS
,
2214 PROCESS__GETCAP
, NULL
);
2217 static int selinux_capset(struct cred
*new, const struct cred
*old
,
2218 const kernel_cap_t
*effective
,
2219 const kernel_cap_t
*inheritable
,
2220 const kernel_cap_t
*permitted
)
2222 return avc_has_perm(cred_sid(old
), cred_sid(new), SECCLASS_PROCESS
,
2223 PROCESS__SETCAP
, NULL
);
2227 * (This comment used to live with the selinux_task_setuid hook,
2228 * which was removed).
2230 * Since setuid only affects the current process, and since the SELinux
2231 * controls are not based on the Linux identity attributes, SELinux does not
2232 * need to control this operation. However, SELinux does control the use of
2233 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2236 static int selinux_capable(const struct cred
*cred
, struct user_namespace
*ns
,
2239 return cred_has_capability(cred
, cap
, audit
, ns
== &init_user_ns
);
2242 static int selinux_quotactl(int cmds
, int type
, int id
, struct super_block
*sb
)
2244 const struct cred
*cred
= current_cred();
2256 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAMOD
, NULL
);
2261 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAGET
, NULL
);
2264 rc
= 0; /* let the kernel handle invalid cmds */
2270 static int selinux_quota_on(struct dentry
*dentry
)
2272 const struct cred
*cred
= current_cred();
2274 return dentry_has_perm(cred
, dentry
, FILE__QUOTAON
);
2277 static int selinux_syslog(int type
)
2280 case SYSLOG_ACTION_READ_ALL
: /* Read last kernel messages */
2281 case SYSLOG_ACTION_SIZE_BUFFER
: /* Return size of the log buffer */
2282 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2283 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_READ
, NULL
);
2284 case SYSLOG_ACTION_CONSOLE_OFF
: /* Disable logging to console */
2285 case SYSLOG_ACTION_CONSOLE_ON
: /* Enable logging to console */
2286 /* Set level of messages printed to console */
2287 case SYSLOG_ACTION_CONSOLE_LEVEL
:
2288 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2289 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_CONSOLE
,
2292 /* All other syslog types */
2293 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2294 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_MOD
, NULL
);
2298 * Check that a process has enough memory to allocate a new virtual
2299 * mapping. 0 means there is enough memory for the allocation to
2300 * succeed and -ENOMEM implies there is not.
2302 * Do not audit the selinux permission check, as this is applied to all
2303 * processes that allocate mappings.
2305 static int selinux_vm_enough_memory(struct mm_struct
*mm
, long pages
)
2307 int rc
, cap_sys_admin
= 0;
2309 rc
= cred_has_capability(current_cred(), CAP_SYS_ADMIN
,
2310 SECURITY_CAP_NOAUDIT
, true);
2314 return cap_sys_admin
;
2317 /* binprm security operations */
2319 static u32
ptrace_parent_sid(void)
2322 struct task_struct
*tracer
;
2325 tracer
= ptrace_parent(current
);
2327 sid
= task_sid(tracer
);
2333 static int check_nnp_nosuid(const struct linux_binprm
*bprm
,
2334 const struct task_security_struct
*old_tsec
,
2335 const struct task_security_struct
*new_tsec
)
2337 int nnp
= (bprm
->unsafe
& LSM_UNSAFE_NO_NEW_PRIVS
);
2338 int nosuid
= !mnt_may_suid(bprm
->file
->f_path
.mnt
);
2342 if (!nnp
&& !nosuid
)
2343 return 0; /* neither NNP nor nosuid */
2345 if (new_tsec
->sid
== old_tsec
->sid
)
2346 return 0; /* No change in credentials */
2349 * If the policy enables the nnp_nosuid_transition policy capability,
2350 * then we permit transitions under NNP or nosuid if the
2351 * policy allows the corresponding permission between
2352 * the old and new contexts.
2354 if (selinux_policycap_nnp_nosuid_transition
) {
2357 av
|= PROCESS2__NNP_TRANSITION
;
2359 av
|= PROCESS2__NOSUID_TRANSITION
;
2360 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2361 SECCLASS_PROCESS2
, av
, NULL
);
2367 * We also permit NNP or nosuid transitions to bounded SIDs,
2368 * i.e. SIDs that are guaranteed to only be allowed a subset
2369 * of the permissions of the current SID.
2371 rc
= security_bounded_transition(old_tsec
->sid
, new_tsec
->sid
);
2376 * On failure, preserve the errno values for NNP vs nosuid.
2377 * NNP: Operation not permitted for caller.
2378 * nosuid: Permission denied to file.
2385 static int selinux_bprm_set_creds(struct linux_binprm
*bprm
)
2387 const struct task_security_struct
*old_tsec
;
2388 struct task_security_struct
*new_tsec
;
2389 struct inode_security_struct
*isec
;
2390 struct common_audit_data ad
;
2391 struct inode
*inode
= file_inode(bprm
->file
);
2394 /* SELinux context only depends on initial program or script and not
2395 * the script interpreter */
2396 if (bprm
->called_set_creds
)
2399 old_tsec
= current_security();
2400 new_tsec
= bprm
->cred
->security
;
2401 isec
= inode_security(inode
);
2403 /* Default to the current task SID. */
2404 new_tsec
->sid
= old_tsec
->sid
;
2405 new_tsec
->osid
= old_tsec
->sid
;
2407 /* Reset fs, key, and sock SIDs on execve. */
2408 new_tsec
->create_sid
= 0;
2409 new_tsec
->keycreate_sid
= 0;
2410 new_tsec
->sockcreate_sid
= 0;
2412 if (old_tsec
->exec_sid
) {
2413 new_tsec
->sid
= old_tsec
->exec_sid
;
2414 /* Reset exec SID on execve. */
2415 new_tsec
->exec_sid
= 0;
2417 /* Fail on NNP or nosuid if not an allowed transition. */
2418 rc
= check_nnp_nosuid(bprm
, old_tsec
, new_tsec
);
2422 /* Check for a default transition on this program. */
2423 rc
= security_transition_sid(old_tsec
->sid
, isec
->sid
,
2424 SECCLASS_PROCESS
, NULL
,
2430 * Fallback to old SID on NNP or nosuid if not an allowed
2433 rc
= check_nnp_nosuid(bprm
, old_tsec
, new_tsec
);
2435 new_tsec
->sid
= old_tsec
->sid
;
2438 ad
.type
= LSM_AUDIT_DATA_FILE
;
2439 ad
.u
.file
= bprm
->file
;
2441 if (new_tsec
->sid
== old_tsec
->sid
) {
2442 rc
= avc_has_perm(old_tsec
->sid
, isec
->sid
,
2443 SECCLASS_FILE
, FILE__EXECUTE_NO_TRANS
, &ad
);
2447 /* Check permissions for the transition. */
2448 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2449 SECCLASS_PROCESS
, PROCESS__TRANSITION
, &ad
);
2453 rc
= avc_has_perm(new_tsec
->sid
, isec
->sid
,
2454 SECCLASS_FILE
, FILE__ENTRYPOINT
, &ad
);
2458 /* Check for shared state */
2459 if (bprm
->unsafe
& LSM_UNSAFE_SHARE
) {
2460 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2461 SECCLASS_PROCESS
, PROCESS__SHARE
,
2467 /* Make sure that anyone attempting to ptrace over a task that
2468 * changes its SID has the appropriate permit */
2469 if (bprm
->unsafe
& LSM_UNSAFE_PTRACE
) {
2470 u32 ptsid
= ptrace_parent_sid();
2472 rc
= avc_has_perm(ptsid
, new_tsec
->sid
,
2474 PROCESS__PTRACE
, NULL
);
2480 /* Clear any possibly unsafe personality bits on exec: */
2481 bprm
->per_clear
|= PER_CLEAR_ON_SETID
;
2483 /* Enable secure mode for SIDs transitions unless
2484 the noatsecure permission is granted between
2485 the two SIDs, i.e. ahp returns 0. */
2486 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2487 SECCLASS_PROCESS
, PROCESS__NOATSECURE
,
2489 bprm
->secureexec
|= !!rc
;
2495 static int match_file(const void *p
, struct file
*file
, unsigned fd
)
2497 return file_has_perm(p
, file
, file_to_av(file
)) ? fd
+ 1 : 0;
2500 /* Derived from fs/exec.c:flush_old_files. */
2501 static inline void flush_unauthorized_files(const struct cred
*cred
,
2502 struct files_struct
*files
)
2504 struct file
*file
, *devnull
= NULL
;
2505 struct tty_struct
*tty
;
2509 tty
= get_current_tty();
2511 spin_lock(&tty
->files_lock
);
2512 if (!list_empty(&tty
->tty_files
)) {
2513 struct tty_file_private
*file_priv
;
2515 /* Revalidate access to controlling tty.
2516 Use file_path_has_perm on the tty path directly
2517 rather than using file_has_perm, as this particular
2518 open file may belong to another process and we are
2519 only interested in the inode-based check here. */
2520 file_priv
= list_first_entry(&tty
->tty_files
,
2521 struct tty_file_private
, list
);
2522 file
= file_priv
->file
;
2523 if (file_path_has_perm(cred
, file
, FILE__READ
| FILE__WRITE
))
2526 spin_unlock(&tty
->files_lock
);
2529 /* Reset controlling tty. */
2533 /* Revalidate access to inherited open files. */
2534 n
= iterate_fd(files
, 0, match_file
, cred
);
2535 if (!n
) /* none found? */
2538 devnull
= dentry_open(&selinux_null
, O_RDWR
, cred
);
2539 if (IS_ERR(devnull
))
2541 /* replace all the matching ones with this */
2543 replace_fd(n
- 1, devnull
, 0);
2544 } while ((n
= iterate_fd(files
, n
, match_file
, cred
)) != 0);
2550 * Prepare a process for imminent new credential changes due to exec
2552 static void selinux_bprm_committing_creds(struct linux_binprm
*bprm
)
2554 struct task_security_struct
*new_tsec
;
2555 struct rlimit
*rlim
, *initrlim
;
2558 new_tsec
= bprm
->cred
->security
;
2559 if (new_tsec
->sid
== new_tsec
->osid
)
2562 /* Close files for which the new task SID is not authorized. */
2563 flush_unauthorized_files(bprm
->cred
, current
->files
);
2565 /* Always clear parent death signal on SID transitions. */
2566 current
->pdeath_signal
= 0;
2568 /* Check whether the new SID can inherit resource limits from the old
2569 * SID. If not, reset all soft limits to the lower of the current
2570 * task's hard limit and the init task's soft limit.
2572 * Note that the setting of hard limits (even to lower them) can be
2573 * controlled by the setrlimit check. The inclusion of the init task's
2574 * soft limit into the computation is to avoid resetting soft limits
2575 * higher than the default soft limit for cases where the default is
2576 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2578 rc
= avc_has_perm(new_tsec
->osid
, new_tsec
->sid
, SECCLASS_PROCESS
,
2579 PROCESS__RLIMITINH
, NULL
);
2581 /* protect against do_prlimit() */
2583 for (i
= 0; i
< RLIM_NLIMITS
; i
++) {
2584 rlim
= current
->signal
->rlim
+ i
;
2585 initrlim
= init_task
.signal
->rlim
+ i
;
2586 rlim
->rlim_cur
= min(rlim
->rlim_max
, initrlim
->rlim_cur
);
2588 task_unlock(current
);
2589 if (IS_ENABLED(CONFIG_POSIX_TIMERS
))
2590 update_rlimit_cpu(current
, rlimit(RLIMIT_CPU
));
2595 * Clean up the process immediately after the installation of new credentials
2598 static void selinux_bprm_committed_creds(struct linux_binprm
*bprm
)
2600 const struct task_security_struct
*tsec
= current_security();
2601 struct itimerval itimer
;
2611 /* Check whether the new SID can inherit signal state from the old SID.
2612 * If not, clear itimers to avoid subsequent signal generation and
2613 * flush and unblock signals.
2615 * This must occur _after_ the task SID has been updated so that any
2616 * kill done after the flush will be checked against the new SID.
2618 rc
= avc_has_perm(osid
, sid
, SECCLASS_PROCESS
, PROCESS__SIGINH
, NULL
);
2620 if (IS_ENABLED(CONFIG_POSIX_TIMERS
)) {
2621 memset(&itimer
, 0, sizeof itimer
);
2622 for (i
= 0; i
< 3; i
++)
2623 do_setitimer(i
, &itimer
, NULL
);
2625 spin_lock_irq(¤t
->sighand
->siglock
);
2626 if (!fatal_signal_pending(current
)) {
2627 flush_sigqueue(¤t
->pending
);
2628 flush_sigqueue(¤t
->signal
->shared_pending
);
2629 flush_signal_handlers(current
, 1);
2630 sigemptyset(¤t
->blocked
);
2631 recalc_sigpending();
2633 spin_unlock_irq(¤t
->sighand
->siglock
);
2636 /* Wake up the parent if it is waiting so that it can recheck
2637 * wait permission to the new task SID. */
2638 read_lock(&tasklist_lock
);
2639 __wake_up_parent(current
, current
->real_parent
);
2640 read_unlock(&tasklist_lock
);
2643 /* superblock security operations */
2645 static int selinux_sb_alloc_security(struct super_block
*sb
)
2647 return superblock_alloc_security(sb
);
2650 static void selinux_sb_free_security(struct super_block
*sb
)
2652 superblock_free_security(sb
);
2655 static inline int match_prefix(char *prefix
, int plen
, char *option
, int olen
)
2660 return !memcmp(prefix
, option
, plen
);
2663 static inline int selinux_option(char *option
, int len
)
2665 return (match_prefix(CONTEXT_STR
, sizeof(CONTEXT_STR
)-1, option
, len
) ||
2666 match_prefix(FSCONTEXT_STR
, sizeof(FSCONTEXT_STR
)-1, option
, len
) ||
2667 match_prefix(DEFCONTEXT_STR
, sizeof(DEFCONTEXT_STR
)-1, option
, len
) ||
2668 match_prefix(ROOTCONTEXT_STR
, sizeof(ROOTCONTEXT_STR
)-1, option
, len
) ||
2669 match_prefix(LABELSUPP_STR
, sizeof(LABELSUPP_STR
)-1, option
, len
));
2672 static inline void take_option(char **to
, char *from
, int *first
, int len
)
2679 memcpy(*to
, from
, len
);
2683 static inline void take_selinux_option(char **to
, char *from
, int *first
,
2686 int current_size
= 0;
2694 while (current_size
< len
) {
2704 static int selinux_sb_copy_data(char *orig
, char *copy
)
2706 int fnosec
, fsec
, rc
= 0;
2707 char *in_save
, *in_curr
, *in_end
;
2708 char *sec_curr
, *nosec_save
, *nosec
;
2714 nosec
= (char *)get_zeroed_page(GFP_KERNEL
);
2722 in_save
= in_end
= orig
;
2726 open_quote
= !open_quote
;
2727 if ((*in_end
== ',' && open_quote
== 0) ||
2729 int len
= in_end
- in_curr
;
2731 if (selinux_option(in_curr
, len
))
2732 take_selinux_option(&sec_curr
, in_curr
, &fsec
, len
);
2734 take_option(&nosec
, in_curr
, &fnosec
, len
);
2736 in_curr
= in_end
+ 1;
2738 } while (*in_end
++);
2740 strcpy(in_save
, nosec_save
);
2741 free_page((unsigned long)nosec_save
);
2746 static int selinux_sb_remount(struct super_block
*sb
, void *data
)
2749 struct security_mnt_opts opts
;
2750 char *secdata
, **mount_options
;
2751 struct superblock_security_struct
*sbsec
= sb
->s_security
;
2753 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
2759 if (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
2762 security_init_mnt_opts(&opts
);
2763 secdata
= alloc_secdata();
2766 rc
= selinux_sb_copy_data(data
, secdata
);
2768 goto out_free_secdata
;
2770 rc
= selinux_parse_opts_str(secdata
, &opts
);
2772 goto out_free_secdata
;
2774 mount_options
= opts
.mnt_opts
;
2775 flags
= opts
.mnt_opts_flags
;
2777 for (i
= 0; i
< opts
.num_mnt_opts
; i
++) {
2780 if (flags
[i
] == SBLABEL_MNT
)
2782 rc
= security_context_str_to_sid(mount_options
[i
], &sid
, GFP_KERNEL
);
2784 printk(KERN_WARNING
"SELinux: security_context_str_to_sid"
2785 "(%s) failed for (dev %s, type %s) errno=%d\n",
2786 mount_options
[i
], sb
->s_id
, sb
->s_type
->name
, rc
);
2792 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
, sid
))
2793 goto out_bad_option
;
2796 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
, sid
))
2797 goto out_bad_option
;
2799 case ROOTCONTEXT_MNT
: {
2800 struct inode_security_struct
*root_isec
;
2801 root_isec
= backing_inode_security(sb
->s_root
);
2803 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
, sid
))
2804 goto out_bad_option
;
2807 case DEFCONTEXT_MNT
:
2808 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
, sid
))
2809 goto out_bad_option
;
2818 security_free_mnt_opts(&opts
);
2820 free_secdata(secdata
);
2823 printk(KERN_WARNING
"SELinux: unable to change security options "
2824 "during remount (dev %s, type=%s)\n", sb
->s_id
,
2829 static int selinux_sb_kern_mount(struct super_block
*sb
, int flags
, void *data
)
2831 const struct cred
*cred
= current_cred();
2832 struct common_audit_data ad
;
2835 rc
= superblock_doinit(sb
, data
);
2839 /* Allow all mounts performed by the kernel */
2840 if (flags
& MS_KERNMOUNT
)
2843 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2844 ad
.u
.dentry
= sb
->s_root
;
2845 return superblock_has_perm(cred
, sb
, FILESYSTEM__MOUNT
, &ad
);
2848 static int selinux_sb_statfs(struct dentry
*dentry
)
2850 const struct cred
*cred
= current_cred();
2851 struct common_audit_data ad
;
2853 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2854 ad
.u
.dentry
= dentry
->d_sb
->s_root
;
2855 return superblock_has_perm(cred
, dentry
->d_sb
, FILESYSTEM__GETATTR
, &ad
);
2858 static int selinux_mount(const char *dev_name
,
2859 const struct path
*path
,
2861 unsigned long flags
,
2864 const struct cred
*cred
= current_cred();
2866 if (flags
& MS_REMOUNT
)
2867 return superblock_has_perm(cred
, path
->dentry
->d_sb
,
2868 FILESYSTEM__REMOUNT
, NULL
);
2870 return path_has_perm(cred
, path
, FILE__MOUNTON
);
2873 static int selinux_umount(struct vfsmount
*mnt
, int flags
)
2875 const struct cred
*cred
= current_cred();
2877 return superblock_has_perm(cred
, mnt
->mnt_sb
,
2878 FILESYSTEM__UNMOUNT
, NULL
);
2881 /* inode security operations */
2883 static int selinux_inode_alloc_security(struct inode
*inode
)
2885 return inode_alloc_security(inode
);
2888 static void selinux_inode_free_security(struct inode
*inode
)
2890 inode_free_security(inode
);
2893 static int selinux_dentry_init_security(struct dentry
*dentry
, int mode
,
2894 const struct qstr
*name
, void **ctx
,
2900 rc
= selinux_determine_inode_label(current_security(),
2901 d_inode(dentry
->d_parent
), name
,
2902 inode_mode_to_security_class(mode
),
2907 return security_sid_to_context(newsid
, (char **)ctx
, ctxlen
);
2910 static int selinux_dentry_create_files_as(struct dentry
*dentry
, int mode
,
2912 const struct cred
*old
,
2917 struct task_security_struct
*tsec
;
2919 rc
= selinux_determine_inode_label(old
->security
,
2920 d_inode(dentry
->d_parent
), name
,
2921 inode_mode_to_security_class(mode
),
2926 tsec
= new->security
;
2927 tsec
->create_sid
= newsid
;
2931 static int selinux_inode_init_security(struct inode
*inode
, struct inode
*dir
,
2932 const struct qstr
*qstr
,
2934 void **value
, size_t *len
)
2936 const struct task_security_struct
*tsec
= current_security();
2937 struct superblock_security_struct
*sbsec
;
2942 sbsec
= dir
->i_sb
->s_security
;
2944 newsid
= tsec
->create_sid
;
2946 rc
= selinux_determine_inode_label(current_security(),
2948 inode_mode_to_security_class(inode
->i_mode
),
2953 /* Possibly defer initialization to selinux_complete_init. */
2954 if (sbsec
->flags
& SE_SBINITIALIZED
) {
2955 struct inode_security_struct
*isec
= inode
->i_security
;
2956 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
2958 isec
->initialized
= LABEL_INITIALIZED
;
2961 if (!ss_initialized
|| !(sbsec
->flags
& SBLABEL_MNT
))
2965 *name
= XATTR_SELINUX_SUFFIX
;
2968 rc
= security_sid_to_context_force(newsid
, &context
, &clen
);
2978 static int selinux_inode_create(struct inode
*dir
, struct dentry
*dentry
, umode_t mode
)
2980 return may_create(dir
, dentry
, SECCLASS_FILE
);
2983 static int selinux_inode_link(struct dentry
*old_dentry
, struct inode
*dir
, struct dentry
*new_dentry
)
2985 return may_link(dir
, old_dentry
, MAY_LINK
);
2988 static int selinux_inode_unlink(struct inode
*dir
, struct dentry
*dentry
)
2990 return may_link(dir
, dentry
, MAY_UNLINK
);
2993 static int selinux_inode_symlink(struct inode
*dir
, struct dentry
*dentry
, const char *name
)
2995 return may_create(dir
, dentry
, SECCLASS_LNK_FILE
);
2998 static int selinux_inode_mkdir(struct inode
*dir
, struct dentry
*dentry
, umode_t mask
)
3000 return may_create(dir
, dentry
, SECCLASS_DIR
);
3003 static int selinux_inode_rmdir(struct inode
*dir
, struct dentry
*dentry
)
3005 return may_link(dir
, dentry
, MAY_RMDIR
);
3008 static int selinux_inode_mknod(struct inode
*dir
, struct dentry
*dentry
, umode_t mode
, dev_t dev
)
3010 return may_create(dir
, dentry
, inode_mode_to_security_class(mode
));
3013 static int selinux_inode_rename(struct inode
*old_inode
, struct dentry
*old_dentry
,
3014 struct inode
*new_inode
, struct dentry
*new_dentry
)
3016 return may_rename(old_inode
, old_dentry
, new_inode
, new_dentry
);
3019 static int selinux_inode_readlink(struct dentry
*dentry
)
3021 const struct cred
*cred
= current_cred();
3023 return dentry_has_perm(cred
, dentry
, FILE__READ
);
3026 static int selinux_inode_follow_link(struct dentry
*dentry
, struct inode
*inode
,
3029 const struct cred
*cred
= current_cred();
3030 struct common_audit_data ad
;
3031 struct inode_security_struct
*isec
;
3034 validate_creds(cred
);
3036 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
3037 ad
.u
.dentry
= dentry
;
3038 sid
= cred_sid(cred
);
3039 isec
= inode_security_rcu(inode
, rcu
);
3041 return PTR_ERR(isec
);
3043 return avc_has_perm_flags(sid
, isec
->sid
, isec
->sclass
, FILE__READ
, &ad
,
3044 rcu
? MAY_NOT_BLOCK
: 0);
3047 static noinline
int audit_inode_permission(struct inode
*inode
,
3048 u32 perms
, u32 audited
, u32 denied
,
3052 struct common_audit_data ad
;
3053 struct inode_security_struct
*isec
= inode
->i_security
;
3056 ad
.type
= LSM_AUDIT_DATA_INODE
;
3059 rc
= slow_avc_audit(current_sid(), isec
->sid
, isec
->sclass
, perms
,
3060 audited
, denied
, result
, &ad
, flags
);
3066 static int selinux_inode_permission(struct inode
*inode
, int mask
)
3068 const struct cred
*cred
= current_cred();
3071 unsigned flags
= mask
& MAY_NOT_BLOCK
;
3072 struct inode_security_struct
*isec
;
3074 struct av_decision avd
;
3076 u32 audited
, denied
;
3078 from_access
= mask
& MAY_ACCESS
;
3079 mask
&= (MAY_READ
|MAY_WRITE
|MAY_EXEC
|MAY_APPEND
);
3081 /* No permission to check. Existence test. */
3085 validate_creds(cred
);
3087 if (unlikely(IS_PRIVATE(inode
)))
3090 perms
= file_mask_to_av(inode
->i_mode
, mask
);
3092 sid
= cred_sid(cred
);
3093 isec
= inode_security_rcu(inode
, flags
& MAY_NOT_BLOCK
);
3095 return PTR_ERR(isec
);
3097 rc
= avc_has_perm_noaudit(sid
, isec
->sid
, isec
->sclass
, perms
, 0, &avd
);
3098 audited
= avc_audit_required(perms
, &avd
, rc
,
3099 from_access
? FILE__AUDIT_ACCESS
: 0,
3101 if (likely(!audited
))
3104 rc2
= audit_inode_permission(inode
, perms
, audited
, denied
, rc
, flags
);
3110 static int selinux_inode_setattr(struct dentry
*dentry
, struct iattr
*iattr
)
3112 const struct cred
*cred
= current_cred();
3113 struct inode
*inode
= d_backing_inode(dentry
);
3114 unsigned int ia_valid
= iattr
->ia_valid
;
3115 __u32 av
= FILE__WRITE
;
3117 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3118 if (ia_valid
& ATTR_FORCE
) {
3119 ia_valid
&= ~(ATTR_KILL_SUID
| ATTR_KILL_SGID
| ATTR_MODE
|
3125 if (ia_valid
& (ATTR_MODE
| ATTR_UID
| ATTR_GID
|
3126 ATTR_ATIME_SET
| ATTR_MTIME_SET
| ATTR_TIMES_SET
))
3127 return dentry_has_perm(cred
, dentry
, FILE__SETATTR
);
3129 if (selinux_policycap_openperm
&&
3130 inode
->i_sb
->s_magic
!= SOCKFS_MAGIC
&&
3131 (ia_valid
& ATTR_SIZE
) &&
3132 !(ia_valid
& ATTR_FILE
))
3135 return dentry_has_perm(cred
, dentry
, av
);
3138 static int selinux_inode_getattr(const struct path
*path
)
3140 return path_has_perm(current_cred(), path
, FILE__GETATTR
);
3143 static bool has_cap_mac_admin(bool audit
)
3145 const struct cred
*cred
= current_cred();
3146 int cap_audit
= audit
? SECURITY_CAP_AUDIT
: SECURITY_CAP_NOAUDIT
;
3148 if (cap_capable(cred
, &init_user_ns
, CAP_MAC_ADMIN
, cap_audit
))
3150 if (cred_has_capability(cred
, CAP_MAC_ADMIN
, cap_audit
, true))
3155 static int selinux_inode_setxattr(struct dentry
*dentry
, const char *name
,
3156 const void *value
, size_t size
, int flags
)
3158 struct inode
*inode
= d_backing_inode(dentry
);
3159 struct inode_security_struct
*isec
;
3160 struct superblock_security_struct
*sbsec
;
3161 struct common_audit_data ad
;
3162 u32 newsid
, sid
= current_sid();
3165 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3166 rc
= cap_inode_setxattr(dentry
, name
, value
, size
, flags
);
3170 /* Not an attribute we recognize, so just check the
3171 ordinary setattr permission. */
3172 return dentry_has_perm(current_cred(), dentry
, FILE__SETATTR
);
3175 sbsec
= inode
->i_sb
->s_security
;
3176 if (!(sbsec
->flags
& SBLABEL_MNT
))
3179 if (!inode_owner_or_capable(inode
))
3182 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
3183 ad
.u
.dentry
= dentry
;
3185 isec
= backing_inode_security(dentry
);
3186 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
,
3187 FILE__RELABELFROM
, &ad
);
3191 rc
= security_context_to_sid(value
, size
, &newsid
, GFP_KERNEL
);
3192 if (rc
== -EINVAL
) {
3193 if (!has_cap_mac_admin(true)) {
3194 struct audit_buffer
*ab
;
3197 /* We strip a nul only if it is at the end, otherwise the
3198 * context contains a nul and we should audit that */
3200 const char *str
= value
;
3202 if (str
[size
- 1] == '\0')
3203 audit_size
= size
- 1;
3209 ab
= audit_log_start(current
->audit_context
, GFP_ATOMIC
, AUDIT_SELINUX_ERR
);
3210 audit_log_format(ab
, "op=setxattr invalid_context=");
3211 audit_log_n_untrustedstring(ab
, value
, audit_size
);
3216 rc
= security_context_to_sid_force(value
, size
, &newsid
);
3221 rc
= avc_has_perm(sid
, newsid
, isec
->sclass
,
3222 FILE__RELABELTO
, &ad
);
3226 rc
= security_validate_transition(isec
->sid
, newsid
, sid
,
3231 return avc_has_perm(newsid
,
3233 SECCLASS_FILESYSTEM
,
3234 FILESYSTEM__ASSOCIATE
,
3238 static void selinux_inode_post_setxattr(struct dentry
*dentry
, const char *name
,
3239 const void *value
, size_t size
,
3242 struct inode
*inode
= d_backing_inode(dentry
);
3243 struct inode_security_struct
*isec
;
3247 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3248 /* Not an attribute we recognize, so nothing to do. */
3252 rc
= security_context_to_sid_force(value
, size
, &newsid
);
3254 printk(KERN_ERR
"SELinux: unable to map context to SID"
3255 "for (%s, %lu), rc=%d\n",
3256 inode
->i_sb
->s_id
, inode
->i_ino
, -rc
);
3260 isec
= backing_inode_security(dentry
);
3261 spin_lock(&isec
->lock
);
3262 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3264 isec
->initialized
= LABEL_INITIALIZED
;
3265 spin_unlock(&isec
->lock
);
3270 static int selinux_inode_getxattr(struct dentry
*dentry
, const char *name
)
3272 const struct cred
*cred
= current_cred();
3274 return dentry_has_perm(cred
, dentry
, FILE__GETATTR
);
3277 static int selinux_inode_listxattr(struct dentry
*dentry
)
3279 const struct cred
*cred
= current_cred();
3281 return dentry_has_perm(cred
, dentry
, FILE__GETATTR
);
3284 static int selinux_inode_removexattr(struct dentry
*dentry
, const char *name
)
3286 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3287 int rc
= cap_inode_removexattr(dentry
, name
);
3291 /* Not an attribute we recognize, so just check the
3292 ordinary setattr permission. */
3293 return dentry_has_perm(current_cred(), dentry
, FILE__SETATTR
);
3296 /* No one is allowed to remove a SELinux security label.
3297 You can change the label, but all data must be labeled. */
3302 * Copy the inode security context value to the user.
3304 * Permission check is handled by selinux_inode_getxattr hook.
3306 static int selinux_inode_getsecurity(struct inode
*inode
, const char *name
, void **buffer
, bool alloc
)
3310 char *context
= NULL
;
3311 struct inode_security_struct
*isec
;
3313 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
3317 * If the caller has CAP_MAC_ADMIN, then get the raw context
3318 * value even if it is not defined by current policy; otherwise,
3319 * use the in-core value under current policy.
3320 * Use the non-auditing forms of the permission checks since
3321 * getxattr may be called by unprivileged processes commonly
3322 * and lack of permission just means that we fall back to the
3323 * in-core context value, not a denial.
3325 isec
= inode_security(inode
);
3326 if (has_cap_mac_admin(false))
3327 error
= security_sid_to_context_force(isec
->sid
, &context
,
3330 error
= security_sid_to_context(isec
->sid
, &context
, &size
);
3343 static int selinux_inode_setsecurity(struct inode
*inode
, const char *name
,
3344 const void *value
, size_t size
, int flags
)
3346 struct inode_security_struct
*isec
= inode_security_novalidate(inode
);
3350 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
3353 if (!value
|| !size
)
3356 rc
= security_context_to_sid(value
, size
, &newsid
, GFP_KERNEL
);
3360 spin_lock(&isec
->lock
);
3361 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3363 isec
->initialized
= LABEL_INITIALIZED
;
3364 spin_unlock(&isec
->lock
);
3368 static int selinux_inode_listsecurity(struct inode
*inode
, char *buffer
, size_t buffer_size
)
3370 const int len
= sizeof(XATTR_NAME_SELINUX
);
3371 if (buffer
&& len
<= buffer_size
)
3372 memcpy(buffer
, XATTR_NAME_SELINUX
, len
);
3376 static void selinux_inode_getsecid(struct inode
*inode
, u32
*secid
)
3378 struct inode_security_struct
*isec
= inode_security_novalidate(inode
);
3382 static int selinux_inode_copy_up(struct dentry
*src
, struct cred
**new)
3385 struct task_security_struct
*tsec
;
3386 struct cred
*new_creds
= *new;
3388 if (new_creds
== NULL
) {
3389 new_creds
= prepare_creds();
3394 tsec
= new_creds
->security
;
3395 /* Get label from overlay inode and set it in create_sid */
3396 selinux_inode_getsecid(d_inode(src
), &sid
);
3397 tsec
->create_sid
= sid
;
3402 static int selinux_inode_copy_up_xattr(const char *name
)
3404 /* The copy_up hook above sets the initial context on an inode, but we
3405 * don't then want to overwrite it by blindly copying all the lower
3406 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3408 if (strcmp(name
, XATTR_NAME_SELINUX
) == 0)
3409 return 1; /* Discard */
3411 * Any other attribute apart from SELINUX is not claimed, supported
3417 /* file security operations */
3419 static int selinux_revalidate_file_permission(struct file
*file
, int mask
)
3421 const struct cred
*cred
= current_cred();
3422 struct inode
*inode
= file_inode(file
);
3424 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3425 if ((file
->f_flags
& O_APPEND
) && (mask
& MAY_WRITE
))
3428 return file_has_perm(cred
, file
,
3429 file_mask_to_av(inode
->i_mode
, mask
));
3432 static int selinux_file_permission(struct file
*file
, int mask
)
3434 struct inode
*inode
= file_inode(file
);
3435 struct file_security_struct
*fsec
= file
->f_security
;
3436 struct inode_security_struct
*isec
;
3437 u32 sid
= current_sid();
3440 /* No permission to check. Existence test. */
3443 isec
= inode_security(inode
);
3444 if (sid
== fsec
->sid
&& fsec
->isid
== isec
->sid
&&
3445 fsec
->pseqno
== avc_policy_seqno())
3446 /* No change since file_open check. */
3449 return selinux_revalidate_file_permission(file
, mask
);
3452 static int selinux_file_alloc_security(struct file
*file
)
3454 return file_alloc_security(file
);
3457 static void selinux_file_free_security(struct file
*file
)
3459 file_free_security(file
);
3463 * Check whether a task has the ioctl permission and cmd
3464 * operation to an inode.
3466 static int ioctl_has_perm(const struct cred
*cred
, struct file
*file
,
3467 u32 requested
, u16 cmd
)
3469 struct common_audit_data ad
;
3470 struct file_security_struct
*fsec
= file
->f_security
;
3471 struct inode
*inode
= file_inode(file
);
3472 struct inode_security_struct
*isec
;
3473 struct lsm_ioctlop_audit ioctl
;
3474 u32 ssid
= cred_sid(cred
);
3476 u8 driver
= cmd
>> 8;
3477 u8 xperm
= cmd
& 0xff;
3479 ad
.type
= LSM_AUDIT_DATA_IOCTL_OP
;
3482 ad
.u
.op
->path
= file
->f_path
;
3484 if (ssid
!= fsec
->sid
) {
3485 rc
= avc_has_perm(ssid
, fsec
->sid
,
3493 if (unlikely(IS_PRIVATE(inode
)))
3496 isec
= inode_security(inode
);
3497 rc
= avc_has_extended_perms(ssid
, isec
->sid
, isec
->sclass
,
3498 requested
, driver
, xperm
, &ad
);
3503 static int selinux_file_ioctl(struct file
*file
, unsigned int cmd
,
3506 const struct cred
*cred
= current_cred();
3516 case FS_IOC_GETFLAGS
:
3518 case FS_IOC_GETVERSION
:
3519 error
= file_has_perm(cred
, file
, FILE__GETATTR
);
3522 case FS_IOC_SETFLAGS
:
3524 case FS_IOC_SETVERSION
:
3525 error
= file_has_perm(cred
, file
, FILE__SETATTR
);
3528 /* sys_ioctl() checks */
3532 error
= file_has_perm(cred
, file
, 0);
3537 error
= cred_has_capability(cred
, CAP_SYS_TTY_CONFIG
,
3538 SECURITY_CAP_AUDIT
, true);
3541 /* default case assumes that the command will go
3542 * to the file's ioctl() function.
3545 error
= ioctl_has_perm(cred
, file
, FILE__IOCTL
, (u16
) cmd
);
3550 static int default_noexec
;
3552 static int file_map_prot_check(struct file
*file
, unsigned long prot
, int shared
)
3554 const struct cred
*cred
= current_cred();
3555 u32 sid
= cred_sid(cred
);
3558 if (default_noexec
&&
3559 (prot
& PROT_EXEC
) && (!file
|| IS_PRIVATE(file_inode(file
)) ||
3560 (!shared
&& (prot
& PROT_WRITE
)))) {
3562 * We are making executable an anonymous mapping or a
3563 * private file mapping that will also be writable.
3564 * This has an additional check.
3566 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3567 PROCESS__EXECMEM
, NULL
);
3573 /* read access is always possible with a mapping */
3574 u32 av
= FILE__READ
;
3576 /* write access only matters if the mapping is shared */
3577 if (shared
&& (prot
& PROT_WRITE
))
3580 if (prot
& PROT_EXEC
)
3581 av
|= FILE__EXECUTE
;
3583 return file_has_perm(cred
, file
, av
);
3590 static int selinux_mmap_addr(unsigned long addr
)
3594 if (addr
< CONFIG_LSM_MMAP_MIN_ADDR
) {
3595 u32 sid
= current_sid();
3596 rc
= avc_has_perm(sid
, sid
, SECCLASS_MEMPROTECT
,
3597 MEMPROTECT__MMAP_ZERO
, NULL
);
3603 static int selinux_mmap_file(struct file
*file
, unsigned long reqprot
,
3604 unsigned long prot
, unsigned long flags
)
3606 struct common_audit_data ad
;
3610 ad
.type
= LSM_AUDIT_DATA_FILE
;
3612 rc
= inode_has_perm(current_cred(), file_inode(file
),
3618 if (selinux_checkreqprot
)
3621 return file_map_prot_check(file
, prot
,
3622 (flags
& MAP_TYPE
) == MAP_SHARED
);
3625 static int selinux_file_mprotect(struct vm_area_struct
*vma
,
3626 unsigned long reqprot
,
3629 const struct cred
*cred
= current_cred();
3630 u32 sid
= cred_sid(cred
);
3632 if (selinux_checkreqprot
)
3635 if (default_noexec
&&
3636 (prot
& PROT_EXEC
) && !(vma
->vm_flags
& VM_EXEC
)) {
3638 if (vma
->vm_start
>= vma
->vm_mm
->start_brk
&&
3639 vma
->vm_end
<= vma
->vm_mm
->brk
) {
3640 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3641 PROCESS__EXECHEAP
, NULL
);
3642 } else if (!vma
->vm_file
&&
3643 ((vma
->vm_start
<= vma
->vm_mm
->start_stack
&&
3644 vma
->vm_end
>= vma
->vm_mm
->start_stack
) ||
3645 vma_is_stack_for_current(vma
))) {
3646 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3647 PROCESS__EXECSTACK
, NULL
);
3648 } else if (vma
->vm_file
&& vma
->anon_vma
) {
3650 * We are making executable a file mapping that has
3651 * had some COW done. Since pages might have been
3652 * written, check ability to execute the possibly
3653 * modified content. This typically should only
3654 * occur for text relocations.
3656 rc
= file_has_perm(cred
, vma
->vm_file
, FILE__EXECMOD
);
3662 return file_map_prot_check(vma
->vm_file
, prot
, vma
->vm_flags
&VM_SHARED
);
3665 static int selinux_file_lock(struct file
*file
, unsigned int cmd
)
3667 const struct cred
*cred
= current_cred();
3669 return file_has_perm(cred
, file
, FILE__LOCK
);
3672 static int selinux_file_fcntl(struct file
*file
, unsigned int cmd
,
3675 const struct cred
*cred
= current_cred();
3680 if ((file
->f_flags
& O_APPEND
) && !(arg
& O_APPEND
)) {
3681 err
= file_has_perm(cred
, file
, FILE__WRITE
);
3690 case F_GETOWNER_UIDS
:
3691 /* Just check FD__USE permission */
3692 err
= file_has_perm(cred
, file
, 0);
3700 #if BITS_PER_LONG == 32
3705 err
= file_has_perm(cred
, file
, FILE__LOCK
);
3712 static void selinux_file_set_fowner(struct file
*file
)
3714 struct file_security_struct
*fsec
;
3716 fsec
= file
->f_security
;
3717 fsec
->fown_sid
= current_sid();
3720 static int selinux_file_send_sigiotask(struct task_struct
*tsk
,
3721 struct fown_struct
*fown
, int signum
)
3724 u32 sid
= task_sid(tsk
);
3726 struct file_security_struct
*fsec
;
3728 /* struct fown_struct is never outside the context of a struct file */
3729 file
= container_of(fown
, struct file
, f_owner
);
3731 fsec
= file
->f_security
;
3734 perm
= signal_to_av(SIGIO
); /* as per send_sigio_to_task */
3736 perm
= signal_to_av(signum
);
3738 return avc_has_perm(fsec
->fown_sid
, sid
,
3739 SECCLASS_PROCESS
, perm
, NULL
);
3742 static int selinux_file_receive(struct file
*file
)
3744 const struct cred
*cred
= current_cred();
3746 return file_has_perm(cred
, file
, file_to_av(file
));
3749 static int selinux_file_open(struct file
*file
, const struct cred
*cred
)
3751 struct file_security_struct
*fsec
;
3752 struct inode_security_struct
*isec
;
3754 fsec
= file
->f_security
;
3755 isec
= inode_security(file_inode(file
));
3757 * Save inode label and policy sequence number
3758 * at open-time so that selinux_file_permission
3759 * can determine whether revalidation is necessary.
3760 * Task label is already saved in the file security
3761 * struct as its SID.
3763 fsec
->isid
= isec
->sid
;
3764 fsec
->pseqno
= avc_policy_seqno();
3766 * Since the inode label or policy seqno may have changed
3767 * between the selinux_inode_permission check and the saving
3768 * of state above, recheck that access is still permitted.
3769 * Otherwise, access might never be revalidated against the
3770 * new inode label or new policy.
3771 * This check is not redundant - do not remove.
3773 return file_path_has_perm(cred
, file
, open_file_to_av(file
));
3776 /* task security operations */
3778 static int selinux_task_alloc(struct task_struct
*task
,
3779 unsigned long clone_flags
)
3781 u32 sid
= current_sid();
3783 return avc_has_perm(sid
, sid
, SECCLASS_PROCESS
, PROCESS__FORK
, NULL
);
3787 * allocate the SELinux part of blank credentials
3789 static int selinux_cred_alloc_blank(struct cred
*cred
, gfp_t gfp
)
3791 struct task_security_struct
*tsec
;
3793 tsec
= kzalloc(sizeof(struct task_security_struct
), gfp
);
3797 cred
->security
= tsec
;
3802 * detach and free the LSM part of a set of credentials
3804 static void selinux_cred_free(struct cred
*cred
)
3806 struct task_security_struct
*tsec
= cred
->security
;
3809 * cred->security == NULL if security_cred_alloc_blank() or
3810 * security_prepare_creds() returned an error.
3812 BUG_ON(cred
->security
&& (unsigned long) cred
->security
< PAGE_SIZE
);
3813 cred
->security
= (void *) 0x7UL
;
3818 * prepare a new set of credentials for modification
3820 static int selinux_cred_prepare(struct cred
*new, const struct cred
*old
,
3823 const struct task_security_struct
*old_tsec
;
3824 struct task_security_struct
*tsec
;
3826 old_tsec
= old
->security
;
3828 tsec
= kmemdup(old_tsec
, sizeof(struct task_security_struct
), gfp
);
3832 new->security
= tsec
;
3837 * transfer the SELinux data to a blank set of creds
3839 static void selinux_cred_transfer(struct cred
*new, const struct cred
*old
)
3841 const struct task_security_struct
*old_tsec
= old
->security
;
3842 struct task_security_struct
*tsec
= new->security
;
3847 static void selinux_cred_getsecid(const struct cred
*c
, u32
*secid
)
3849 *secid
= cred_sid(c
);
3853 * set the security data for a kernel service
3854 * - all the creation contexts are set to unlabelled
3856 static int selinux_kernel_act_as(struct cred
*new, u32 secid
)
3858 struct task_security_struct
*tsec
= new->security
;
3859 u32 sid
= current_sid();
3862 ret
= avc_has_perm(sid
, secid
,
3863 SECCLASS_KERNEL_SERVICE
,
3864 KERNEL_SERVICE__USE_AS_OVERRIDE
,
3868 tsec
->create_sid
= 0;
3869 tsec
->keycreate_sid
= 0;
3870 tsec
->sockcreate_sid
= 0;
3876 * set the file creation context in a security record to the same as the
3877 * objective context of the specified inode
3879 static int selinux_kernel_create_files_as(struct cred
*new, struct inode
*inode
)
3881 struct inode_security_struct
*isec
= inode_security(inode
);
3882 struct task_security_struct
*tsec
= new->security
;
3883 u32 sid
= current_sid();
3886 ret
= avc_has_perm(sid
, isec
->sid
,
3887 SECCLASS_KERNEL_SERVICE
,
3888 KERNEL_SERVICE__CREATE_FILES_AS
,
3892 tsec
->create_sid
= isec
->sid
;
3896 static int selinux_kernel_module_request(char *kmod_name
)
3898 struct common_audit_data ad
;
3900 ad
.type
= LSM_AUDIT_DATA_KMOD
;
3901 ad
.u
.kmod_name
= kmod_name
;
3903 return avc_has_perm(current_sid(), SECINITSID_KERNEL
, SECCLASS_SYSTEM
,
3904 SYSTEM__MODULE_REQUEST
, &ad
);
3907 static int selinux_kernel_module_from_file(struct file
*file
)
3909 struct common_audit_data ad
;
3910 struct inode_security_struct
*isec
;
3911 struct file_security_struct
*fsec
;
3912 u32 sid
= current_sid();
3917 return avc_has_perm(sid
, sid
, SECCLASS_SYSTEM
,
3918 SYSTEM__MODULE_LOAD
, NULL
);
3922 ad
.type
= LSM_AUDIT_DATA_FILE
;
3925 fsec
= file
->f_security
;
3926 if (sid
!= fsec
->sid
) {
3927 rc
= avc_has_perm(sid
, fsec
->sid
, SECCLASS_FD
, FD__USE
, &ad
);
3932 isec
= inode_security(file_inode(file
));
3933 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SYSTEM
,
3934 SYSTEM__MODULE_LOAD
, &ad
);
3937 static int selinux_kernel_read_file(struct file
*file
,
3938 enum kernel_read_file_id id
)
3943 case READING_MODULE
:
3944 rc
= selinux_kernel_module_from_file(file
);
3953 static int selinux_task_setpgid(struct task_struct
*p
, pid_t pgid
)
3955 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3956 PROCESS__SETPGID
, NULL
);
3959 static int selinux_task_getpgid(struct task_struct
*p
)
3961 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3962 PROCESS__GETPGID
, NULL
);
3965 static int selinux_task_getsid(struct task_struct
*p
)
3967 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3968 PROCESS__GETSESSION
, NULL
);
3971 static void selinux_task_getsecid(struct task_struct
*p
, u32
*secid
)
3973 *secid
= task_sid(p
);
3976 static int selinux_task_setnice(struct task_struct
*p
, int nice
)
3978 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3979 PROCESS__SETSCHED
, NULL
);
3982 static int selinux_task_setioprio(struct task_struct
*p
, int ioprio
)
3984 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3985 PROCESS__SETSCHED
, NULL
);
3988 static int selinux_task_getioprio(struct task_struct
*p
)
3990 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3991 PROCESS__GETSCHED
, NULL
);
3994 static int selinux_task_prlimit(const struct cred
*cred
, const struct cred
*tcred
,
4001 if (flags
& LSM_PRLIMIT_WRITE
)
4002 av
|= PROCESS__SETRLIMIT
;
4003 if (flags
& LSM_PRLIMIT_READ
)
4004 av
|= PROCESS__GETRLIMIT
;
4005 return avc_has_perm(cred_sid(cred
), cred_sid(tcred
),
4006 SECCLASS_PROCESS
, av
, NULL
);
4009 static int selinux_task_setrlimit(struct task_struct
*p
, unsigned int resource
,
4010 struct rlimit
*new_rlim
)
4012 struct rlimit
*old_rlim
= p
->signal
->rlim
+ resource
;
4014 /* Control the ability to change the hard limit (whether
4015 lowering or raising it), so that the hard limit can
4016 later be used as a safe reset point for the soft limit
4017 upon context transitions. See selinux_bprm_committing_creds. */
4018 if (old_rlim
->rlim_max
!= new_rlim
->rlim_max
)
4019 return avc_has_perm(current_sid(), task_sid(p
),
4020 SECCLASS_PROCESS
, PROCESS__SETRLIMIT
, NULL
);
4025 static int selinux_task_setscheduler(struct task_struct
*p
)
4027 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
4028 PROCESS__SETSCHED
, NULL
);
4031 static int selinux_task_getscheduler(struct task_struct
*p
)
4033 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
4034 PROCESS__GETSCHED
, NULL
);
4037 static int selinux_task_movememory(struct task_struct
*p
)
4039 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
4040 PROCESS__SETSCHED
, NULL
);
4043 static int selinux_task_kill(struct task_struct
*p
, struct siginfo
*info
,
4044 int sig
, const struct cred
*cred
)
4050 perm
= PROCESS__SIGNULL
; /* null signal; existence test */
4052 perm
= signal_to_av(sig
);
4054 secid
= current_sid();
4056 secid
= cred_sid(cred
);
4057 return avc_has_perm(secid
, task_sid(p
), SECCLASS_PROCESS
, perm
, NULL
);
4060 static void selinux_task_to_inode(struct task_struct
*p
,
4061 struct inode
*inode
)
4063 struct inode_security_struct
*isec
= inode
->i_security
;
4064 u32 sid
= task_sid(p
);
4066 spin_lock(&isec
->lock
);
4067 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
4069 isec
->initialized
= LABEL_INITIALIZED
;
4070 spin_unlock(&isec
->lock
);
4073 /* Returns error only if unable to parse addresses */
4074 static int selinux_parse_skb_ipv4(struct sk_buff
*skb
,
4075 struct common_audit_data
*ad
, u8
*proto
)
4077 int offset
, ihlen
, ret
= -EINVAL
;
4078 struct iphdr _iph
, *ih
;
4080 offset
= skb_network_offset(skb
);
4081 ih
= skb_header_pointer(skb
, offset
, sizeof(_iph
), &_iph
);
4085 ihlen
= ih
->ihl
* 4;
4086 if (ihlen
< sizeof(_iph
))
4089 ad
->u
.net
->v4info
.saddr
= ih
->saddr
;
4090 ad
->u
.net
->v4info
.daddr
= ih
->daddr
;
4094 *proto
= ih
->protocol
;
4096 switch (ih
->protocol
) {
4098 struct tcphdr _tcph
, *th
;
4100 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4104 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
4108 ad
->u
.net
->sport
= th
->source
;
4109 ad
->u
.net
->dport
= th
->dest
;
4114 struct udphdr _udph
, *uh
;
4116 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4120 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
4124 ad
->u
.net
->sport
= uh
->source
;
4125 ad
->u
.net
->dport
= uh
->dest
;
4129 case IPPROTO_DCCP
: {
4130 struct dccp_hdr _dccph
, *dh
;
4132 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4136 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
4140 ad
->u
.net
->sport
= dh
->dccph_sport
;
4141 ad
->u
.net
->dport
= dh
->dccph_dport
;
4152 #if IS_ENABLED(CONFIG_IPV6)
4154 /* Returns error only if unable to parse addresses */
4155 static int selinux_parse_skb_ipv6(struct sk_buff
*skb
,
4156 struct common_audit_data
*ad
, u8
*proto
)
4159 int ret
= -EINVAL
, offset
;
4160 struct ipv6hdr _ipv6h
, *ip6
;
4163 offset
= skb_network_offset(skb
);
4164 ip6
= skb_header_pointer(skb
, offset
, sizeof(_ipv6h
), &_ipv6h
);
4168 ad
->u
.net
->v6info
.saddr
= ip6
->saddr
;
4169 ad
->u
.net
->v6info
.daddr
= ip6
->daddr
;
4172 nexthdr
= ip6
->nexthdr
;
4173 offset
+= sizeof(_ipv6h
);
4174 offset
= ipv6_skip_exthdr(skb
, offset
, &nexthdr
, &frag_off
);
4183 struct tcphdr _tcph
, *th
;
4185 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
4189 ad
->u
.net
->sport
= th
->source
;
4190 ad
->u
.net
->dport
= th
->dest
;
4195 struct udphdr _udph
, *uh
;
4197 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
4201 ad
->u
.net
->sport
= uh
->source
;
4202 ad
->u
.net
->dport
= uh
->dest
;
4206 case IPPROTO_DCCP
: {
4207 struct dccp_hdr _dccph
, *dh
;
4209 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
4213 ad
->u
.net
->sport
= dh
->dccph_sport
;
4214 ad
->u
.net
->dport
= dh
->dccph_dport
;
4218 /* includes fragments */
4228 static int selinux_parse_skb(struct sk_buff
*skb
, struct common_audit_data
*ad
,
4229 char **_addrp
, int src
, u8
*proto
)
4234 switch (ad
->u
.net
->family
) {
4236 ret
= selinux_parse_skb_ipv4(skb
, ad
, proto
);
4239 addrp
= (char *)(src
? &ad
->u
.net
->v4info
.saddr
:
4240 &ad
->u
.net
->v4info
.daddr
);
4243 #if IS_ENABLED(CONFIG_IPV6)
4245 ret
= selinux_parse_skb_ipv6(skb
, ad
, proto
);
4248 addrp
= (char *)(src
? &ad
->u
.net
->v6info
.saddr
:
4249 &ad
->u
.net
->v6info
.daddr
);
4259 "SELinux: failure in selinux_parse_skb(),"
4260 " unable to parse packet\n");
4270 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4272 * @family: protocol family
4273 * @sid: the packet's peer label SID
4276 * Check the various different forms of network peer labeling and determine
4277 * the peer label/SID for the packet; most of the magic actually occurs in
4278 * the security server function security_net_peersid_cmp(). The function
4279 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4280 * or -EACCES if @sid is invalid due to inconsistencies with the different
4284 static int selinux_skb_peerlbl_sid(struct sk_buff
*skb
, u16 family
, u32
*sid
)
4291 err
= selinux_xfrm_skb_sid(skb
, &xfrm_sid
);
4294 err
= selinux_netlbl_skbuff_getsid(skb
, family
, &nlbl_type
, &nlbl_sid
);
4298 err
= security_net_peersid_resolve(nlbl_sid
, nlbl_type
, xfrm_sid
, sid
);
4299 if (unlikely(err
)) {
4301 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4302 " unable to determine packet's peer label\n");
4310 * selinux_conn_sid - Determine the child socket label for a connection
4311 * @sk_sid: the parent socket's SID
4312 * @skb_sid: the packet's SID
4313 * @conn_sid: the resulting connection SID
4315 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4316 * combined with the MLS information from @skb_sid in order to create
4317 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4318 * of @sk_sid. Returns zero on success, negative values on failure.
4321 static int selinux_conn_sid(u32 sk_sid
, u32 skb_sid
, u32
*conn_sid
)
4325 if (skb_sid
!= SECSID_NULL
)
4326 err
= security_sid_mls_copy(sk_sid
, skb_sid
, conn_sid
);
4333 /* socket security operations */
4335 static int socket_sockcreate_sid(const struct task_security_struct
*tsec
,
4336 u16 secclass
, u32
*socksid
)
4338 if (tsec
->sockcreate_sid
> SECSID_NULL
) {
4339 *socksid
= tsec
->sockcreate_sid
;
4343 return security_transition_sid(tsec
->sid
, tsec
->sid
, secclass
, NULL
,
4347 static int sock_has_perm(struct sock
*sk
, u32 perms
)
4349 struct sk_security_struct
*sksec
= sk
->sk_security
;
4350 struct common_audit_data ad
;
4351 struct lsm_network_audit net
= {0,};
4353 if (sksec
->sid
== SECINITSID_KERNEL
)
4356 ad
.type
= LSM_AUDIT_DATA_NET
;
4360 return avc_has_perm(current_sid(), sksec
->sid
, sksec
->sclass
, perms
,
4364 static int selinux_socket_create(int family
, int type
,
4365 int protocol
, int kern
)
4367 const struct task_security_struct
*tsec
= current_security();
4375 secclass
= socket_type_to_security_class(family
, type
, protocol
);
4376 rc
= socket_sockcreate_sid(tsec
, secclass
, &newsid
);
4380 return avc_has_perm(tsec
->sid
, newsid
, secclass
, SOCKET__CREATE
, NULL
);
4383 static int selinux_socket_post_create(struct socket
*sock
, int family
,
4384 int type
, int protocol
, int kern
)
4386 const struct task_security_struct
*tsec
= current_security();
4387 struct inode_security_struct
*isec
= inode_security_novalidate(SOCK_INODE(sock
));
4388 struct sk_security_struct
*sksec
;
4389 u16 sclass
= socket_type_to_security_class(family
, type
, protocol
);
4390 u32 sid
= SECINITSID_KERNEL
;
4394 err
= socket_sockcreate_sid(tsec
, sclass
, &sid
);
4399 isec
->sclass
= sclass
;
4401 isec
->initialized
= LABEL_INITIALIZED
;
4404 sksec
= sock
->sk
->sk_security
;
4405 sksec
->sclass
= sclass
;
4407 err
= selinux_netlbl_socket_post_create(sock
->sk
, family
);
4413 /* Range of port numbers used to automatically bind.
4414 Need to determine whether we should perform a name_bind
4415 permission check between the socket and the port number. */
4417 static int selinux_socket_bind(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
4419 struct sock
*sk
= sock
->sk
;
4423 err
= sock_has_perm(sk
, SOCKET__BIND
);
4428 * If PF_INET or PF_INET6, check name_bind permission for the port.
4429 * Multiple address binding for SCTP is not supported yet: we just
4430 * check the first address now.
4432 family
= sk
->sk_family
;
4433 if (family
== PF_INET
|| family
== PF_INET6
) {
4435 struct sk_security_struct
*sksec
= sk
->sk_security
;
4436 struct common_audit_data ad
;
4437 struct lsm_network_audit net
= {0,};
4438 struct sockaddr_in
*addr4
= NULL
;
4439 struct sockaddr_in6
*addr6
= NULL
;
4440 unsigned short snum
;
4443 if (family
== PF_INET
) {
4444 if (addrlen
< sizeof(struct sockaddr_in
)) {
4448 addr4
= (struct sockaddr_in
*)address
;
4449 snum
= ntohs(addr4
->sin_port
);
4450 addrp
= (char *)&addr4
->sin_addr
.s_addr
;
4452 if (addrlen
< SIN6_LEN_RFC2133
) {
4456 addr6
= (struct sockaddr_in6
*)address
;
4457 snum
= ntohs(addr6
->sin6_port
);
4458 addrp
= (char *)&addr6
->sin6_addr
.s6_addr
;
4464 inet_get_local_port_range(sock_net(sk
), &low
, &high
);
4466 if (snum
< max(inet_prot_sock(sock_net(sk
)), low
) ||
4468 err
= sel_netport_sid(sk
->sk_protocol
,
4472 ad
.type
= LSM_AUDIT_DATA_NET
;
4474 ad
.u
.net
->sport
= htons(snum
);
4475 ad
.u
.net
->family
= family
;
4476 err
= avc_has_perm(sksec
->sid
, sid
,
4478 SOCKET__NAME_BIND
, &ad
);
4484 switch (sksec
->sclass
) {
4485 case SECCLASS_TCP_SOCKET
:
4486 node_perm
= TCP_SOCKET__NODE_BIND
;
4489 case SECCLASS_UDP_SOCKET
:
4490 node_perm
= UDP_SOCKET__NODE_BIND
;
4493 case SECCLASS_DCCP_SOCKET
:
4494 node_perm
= DCCP_SOCKET__NODE_BIND
;
4498 node_perm
= RAWIP_SOCKET__NODE_BIND
;
4502 err
= sel_netnode_sid(addrp
, family
, &sid
);
4506 ad
.type
= LSM_AUDIT_DATA_NET
;
4508 ad
.u
.net
->sport
= htons(snum
);
4509 ad
.u
.net
->family
= family
;
4511 if (family
== PF_INET
)
4512 ad
.u
.net
->v4info
.saddr
= addr4
->sin_addr
.s_addr
;
4514 ad
.u
.net
->v6info
.saddr
= addr6
->sin6_addr
;
4516 err
= avc_has_perm(sksec
->sid
, sid
,
4517 sksec
->sclass
, node_perm
, &ad
);
4525 static int selinux_socket_connect(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
4527 struct sock
*sk
= sock
->sk
;
4528 struct sk_security_struct
*sksec
= sk
->sk_security
;
4531 err
= sock_has_perm(sk
, SOCKET__CONNECT
);
4536 * If a TCP or DCCP socket, check name_connect permission for the port.
4538 if (sksec
->sclass
== SECCLASS_TCP_SOCKET
||
4539 sksec
->sclass
== SECCLASS_DCCP_SOCKET
) {
4540 struct common_audit_data ad
;
4541 struct lsm_network_audit net
= {0,};
4542 struct sockaddr_in
*addr4
= NULL
;
4543 struct sockaddr_in6
*addr6
= NULL
;
4544 unsigned short snum
;
4547 if (sk
->sk_family
== PF_INET
) {
4548 addr4
= (struct sockaddr_in
*)address
;
4549 if (addrlen
< sizeof(struct sockaddr_in
))
4551 snum
= ntohs(addr4
->sin_port
);
4553 addr6
= (struct sockaddr_in6
*)address
;
4554 if (addrlen
< SIN6_LEN_RFC2133
)
4556 snum
= ntohs(addr6
->sin6_port
);
4559 err
= sel_netport_sid(sk
->sk_protocol
, snum
, &sid
);
4563 perm
= (sksec
->sclass
== SECCLASS_TCP_SOCKET
) ?
4564 TCP_SOCKET__NAME_CONNECT
: DCCP_SOCKET__NAME_CONNECT
;
4566 ad
.type
= LSM_AUDIT_DATA_NET
;
4568 ad
.u
.net
->dport
= htons(snum
);
4569 ad
.u
.net
->family
= sk
->sk_family
;
4570 err
= avc_has_perm(sksec
->sid
, sid
, sksec
->sclass
, perm
, &ad
);
4575 err
= selinux_netlbl_socket_connect(sk
, address
);
4581 static int selinux_socket_listen(struct socket
*sock
, int backlog
)
4583 return sock_has_perm(sock
->sk
, SOCKET__LISTEN
);
4586 static int selinux_socket_accept(struct socket
*sock
, struct socket
*newsock
)
4589 struct inode_security_struct
*isec
;
4590 struct inode_security_struct
*newisec
;
4594 err
= sock_has_perm(sock
->sk
, SOCKET__ACCEPT
);
4598 isec
= inode_security_novalidate(SOCK_INODE(sock
));
4599 spin_lock(&isec
->lock
);
4600 sclass
= isec
->sclass
;
4602 spin_unlock(&isec
->lock
);
4604 newisec
= inode_security_novalidate(SOCK_INODE(newsock
));
4605 newisec
->sclass
= sclass
;
4607 newisec
->initialized
= LABEL_INITIALIZED
;
4612 static int selinux_socket_sendmsg(struct socket
*sock
, struct msghdr
*msg
,
4615 return sock_has_perm(sock
->sk
, SOCKET__WRITE
);
4618 static int selinux_socket_recvmsg(struct socket
*sock
, struct msghdr
*msg
,
4619 int size
, int flags
)
4621 return sock_has_perm(sock
->sk
, SOCKET__READ
);
4624 static int selinux_socket_getsockname(struct socket
*sock
)
4626 return sock_has_perm(sock
->sk
, SOCKET__GETATTR
);
4629 static int selinux_socket_getpeername(struct socket
*sock
)
4631 return sock_has_perm(sock
->sk
, SOCKET__GETATTR
);
4634 static int selinux_socket_setsockopt(struct socket
*sock
, int level
, int optname
)
4638 err
= sock_has_perm(sock
->sk
, SOCKET__SETOPT
);
4642 return selinux_netlbl_socket_setsockopt(sock
, level
, optname
);
4645 static int selinux_socket_getsockopt(struct socket
*sock
, int level
,
4648 return sock_has_perm(sock
->sk
, SOCKET__GETOPT
);
4651 static int selinux_socket_shutdown(struct socket
*sock
, int how
)
4653 return sock_has_perm(sock
->sk
, SOCKET__SHUTDOWN
);
4656 static int selinux_socket_unix_stream_connect(struct sock
*sock
,
4660 struct sk_security_struct
*sksec_sock
= sock
->sk_security
;
4661 struct sk_security_struct
*sksec_other
= other
->sk_security
;
4662 struct sk_security_struct
*sksec_new
= newsk
->sk_security
;
4663 struct common_audit_data ad
;
4664 struct lsm_network_audit net
= {0,};
4667 ad
.type
= LSM_AUDIT_DATA_NET
;
4669 ad
.u
.net
->sk
= other
;
4671 err
= avc_has_perm(sksec_sock
->sid
, sksec_other
->sid
,
4672 sksec_other
->sclass
,
4673 UNIX_STREAM_SOCKET__CONNECTTO
, &ad
);
4677 /* server child socket */
4678 sksec_new
->peer_sid
= sksec_sock
->sid
;
4679 err
= security_sid_mls_copy(sksec_other
->sid
, sksec_sock
->sid
,
4684 /* connecting socket */
4685 sksec_sock
->peer_sid
= sksec_new
->sid
;
4690 static int selinux_socket_unix_may_send(struct socket
*sock
,
4691 struct socket
*other
)
4693 struct sk_security_struct
*ssec
= sock
->sk
->sk_security
;
4694 struct sk_security_struct
*osec
= other
->sk
->sk_security
;
4695 struct common_audit_data ad
;
4696 struct lsm_network_audit net
= {0,};
4698 ad
.type
= LSM_AUDIT_DATA_NET
;
4700 ad
.u
.net
->sk
= other
->sk
;
4702 return avc_has_perm(ssec
->sid
, osec
->sid
, osec
->sclass
, SOCKET__SENDTO
,
4706 static int selinux_inet_sys_rcv_skb(struct net
*ns
, int ifindex
,
4707 char *addrp
, u16 family
, u32 peer_sid
,
4708 struct common_audit_data
*ad
)
4714 err
= sel_netif_sid(ns
, ifindex
, &if_sid
);
4717 err
= avc_has_perm(peer_sid
, if_sid
,
4718 SECCLASS_NETIF
, NETIF__INGRESS
, ad
);
4722 err
= sel_netnode_sid(addrp
, family
, &node_sid
);
4725 return avc_has_perm(peer_sid
, node_sid
,
4726 SECCLASS_NODE
, NODE__RECVFROM
, ad
);
4729 static int selinux_sock_rcv_skb_compat(struct sock
*sk
, struct sk_buff
*skb
,
4733 struct sk_security_struct
*sksec
= sk
->sk_security
;
4734 u32 sk_sid
= sksec
->sid
;
4735 struct common_audit_data ad
;
4736 struct lsm_network_audit net
= {0,};
4739 ad
.type
= LSM_AUDIT_DATA_NET
;
4741 ad
.u
.net
->netif
= skb
->skb_iif
;
4742 ad
.u
.net
->family
= family
;
4743 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4747 if (selinux_secmark_enabled()) {
4748 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4754 err
= selinux_netlbl_sock_rcv_skb(sksec
, skb
, family
, &ad
);
4757 err
= selinux_xfrm_sock_rcv_skb(sksec
->sid
, skb
, &ad
);
4762 static int selinux_socket_sock_rcv_skb(struct sock
*sk
, struct sk_buff
*skb
)
4765 struct sk_security_struct
*sksec
= sk
->sk_security
;
4766 u16 family
= sk
->sk_family
;
4767 u32 sk_sid
= sksec
->sid
;
4768 struct common_audit_data ad
;
4769 struct lsm_network_audit net
= {0,};
4774 if (family
!= PF_INET
&& family
!= PF_INET6
)
4777 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4778 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4781 /* If any sort of compatibility mode is enabled then handoff processing
4782 * to the selinux_sock_rcv_skb_compat() function to deal with the
4783 * special handling. We do this in an attempt to keep this function
4784 * as fast and as clean as possible. */
4785 if (!selinux_policycap_netpeer
)
4786 return selinux_sock_rcv_skb_compat(sk
, skb
, family
);
4788 secmark_active
= selinux_secmark_enabled();
4789 peerlbl_active
= selinux_peerlbl_enabled();
4790 if (!secmark_active
&& !peerlbl_active
)
4793 ad
.type
= LSM_AUDIT_DATA_NET
;
4795 ad
.u
.net
->netif
= skb
->skb_iif
;
4796 ad
.u
.net
->family
= family
;
4797 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4801 if (peerlbl_active
) {
4804 err
= selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
);
4807 err
= selinux_inet_sys_rcv_skb(sock_net(sk
), skb
->skb_iif
,
4808 addrp
, family
, peer_sid
, &ad
);
4810 selinux_netlbl_err(skb
, family
, err
, 0);
4813 err
= avc_has_perm(sk_sid
, peer_sid
, SECCLASS_PEER
,
4816 selinux_netlbl_err(skb
, family
, err
, 0);
4821 if (secmark_active
) {
4822 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4831 static int selinux_socket_getpeersec_stream(struct socket
*sock
, char __user
*optval
,
4832 int __user
*optlen
, unsigned len
)
4837 struct sk_security_struct
*sksec
= sock
->sk
->sk_security
;
4838 u32 peer_sid
= SECSID_NULL
;
4840 if (sksec
->sclass
== SECCLASS_UNIX_STREAM_SOCKET
||
4841 sksec
->sclass
== SECCLASS_TCP_SOCKET
)
4842 peer_sid
= sksec
->peer_sid
;
4843 if (peer_sid
== SECSID_NULL
)
4844 return -ENOPROTOOPT
;
4846 err
= security_sid_to_context(peer_sid
, &scontext
, &scontext_len
);
4850 if (scontext_len
> len
) {
4855 if (copy_to_user(optval
, scontext
, scontext_len
))
4859 if (put_user(scontext_len
, optlen
))
4865 static int selinux_socket_getpeersec_dgram(struct socket
*sock
, struct sk_buff
*skb
, u32
*secid
)
4867 u32 peer_secid
= SECSID_NULL
;
4869 struct inode_security_struct
*isec
;
4871 if (skb
&& skb
->protocol
== htons(ETH_P_IP
))
4873 else if (skb
&& skb
->protocol
== htons(ETH_P_IPV6
))
4876 family
= sock
->sk
->sk_family
;
4880 if (sock
&& family
== PF_UNIX
) {
4881 isec
= inode_security_novalidate(SOCK_INODE(sock
));
4882 peer_secid
= isec
->sid
;
4884 selinux_skb_peerlbl_sid(skb
, family
, &peer_secid
);
4887 *secid
= peer_secid
;
4888 if (peer_secid
== SECSID_NULL
)
4893 static int selinux_sk_alloc_security(struct sock
*sk
, int family
, gfp_t priority
)
4895 struct sk_security_struct
*sksec
;
4897 sksec
= kzalloc(sizeof(*sksec
), priority
);
4901 sksec
->peer_sid
= SECINITSID_UNLABELED
;
4902 sksec
->sid
= SECINITSID_UNLABELED
;
4903 sksec
->sclass
= SECCLASS_SOCKET
;
4904 selinux_netlbl_sk_security_reset(sksec
);
4905 sk
->sk_security
= sksec
;
4910 static void selinux_sk_free_security(struct sock
*sk
)
4912 struct sk_security_struct
*sksec
= sk
->sk_security
;
4914 sk
->sk_security
= NULL
;
4915 selinux_netlbl_sk_security_free(sksec
);
4919 static void selinux_sk_clone_security(const struct sock
*sk
, struct sock
*newsk
)
4921 struct sk_security_struct
*sksec
= sk
->sk_security
;
4922 struct sk_security_struct
*newsksec
= newsk
->sk_security
;
4924 newsksec
->sid
= sksec
->sid
;
4925 newsksec
->peer_sid
= sksec
->peer_sid
;
4926 newsksec
->sclass
= sksec
->sclass
;
4928 selinux_netlbl_sk_security_reset(newsksec
);
4931 static void selinux_sk_getsecid(struct sock
*sk
, u32
*secid
)
4934 *secid
= SECINITSID_ANY_SOCKET
;
4936 struct sk_security_struct
*sksec
= sk
->sk_security
;
4938 *secid
= sksec
->sid
;
4942 static void selinux_sock_graft(struct sock
*sk
, struct socket
*parent
)
4944 struct inode_security_struct
*isec
=
4945 inode_security_novalidate(SOCK_INODE(parent
));
4946 struct sk_security_struct
*sksec
= sk
->sk_security
;
4948 if (sk
->sk_family
== PF_INET
|| sk
->sk_family
== PF_INET6
||
4949 sk
->sk_family
== PF_UNIX
)
4950 isec
->sid
= sksec
->sid
;
4951 sksec
->sclass
= isec
->sclass
;
4954 static int selinux_inet_conn_request(struct sock
*sk
, struct sk_buff
*skb
,
4955 struct request_sock
*req
)
4957 struct sk_security_struct
*sksec
= sk
->sk_security
;
4959 u16 family
= req
->rsk_ops
->family
;
4963 err
= selinux_skb_peerlbl_sid(skb
, family
, &peersid
);
4966 err
= selinux_conn_sid(sksec
->sid
, peersid
, &connsid
);
4969 req
->secid
= connsid
;
4970 req
->peer_secid
= peersid
;
4972 return selinux_netlbl_inet_conn_request(req
, family
);
4975 static void selinux_inet_csk_clone(struct sock
*newsk
,
4976 const struct request_sock
*req
)
4978 struct sk_security_struct
*newsksec
= newsk
->sk_security
;
4980 newsksec
->sid
= req
->secid
;
4981 newsksec
->peer_sid
= req
->peer_secid
;
4982 /* NOTE: Ideally, we should also get the isec->sid for the
4983 new socket in sync, but we don't have the isec available yet.
4984 So we will wait until sock_graft to do it, by which
4985 time it will have been created and available. */
4987 /* We don't need to take any sort of lock here as we are the only
4988 * thread with access to newsksec */
4989 selinux_netlbl_inet_csk_clone(newsk
, req
->rsk_ops
->family
);
4992 static void selinux_inet_conn_established(struct sock
*sk
, struct sk_buff
*skb
)
4994 u16 family
= sk
->sk_family
;
4995 struct sk_security_struct
*sksec
= sk
->sk_security
;
4997 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4998 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
5001 selinux_skb_peerlbl_sid(skb
, family
, &sksec
->peer_sid
);
5004 static int selinux_secmark_relabel_packet(u32 sid
)
5006 const struct task_security_struct
*__tsec
;
5009 __tsec
= current_security();
5012 return avc_has_perm(tsid
, sid
, SECCLASS_PACKET
, PACKET__RELABELTO
, NULL
);
5015 static void selinux_secmark_refcount_inc(void)
5017 atomic_inc(&selinux_secmark_refcount
);
5020 static void selinux_secmark_refcount_dec(void)
5022 atomic_dec(&selinux_secmark_refcount
);
5025 static void selinux_req_classify_flow(const struct request_sock
*req
,
5028 fl
->flowi_secid
= req
->secid
;
5031 static int selinux_tun_dev_alloc_security(void **security
)
5033 struct tun_security_struct
*tunsec
;
5035 tunsec
= kzalloc(sizeof(*tunsec
), GFP_KERNEL
);
5038 tunsec
->sid
= current_sid();
5044 static void selinux_tun_dev_free_security(void *security
)
5049 static int selinux_tun_dev_create(void)
5051 u32 sid
= current_sid();
5053 /* we aren't taking into account the "sockcreate" SID since the socket
5054 * that is being created here is not a socket in the traditional sense,
5055 * instead it is a private sock, accessible only to the kernel, and
5056 * representing a wide range of network traffic spanning multiple
5057 * connections unlike traditional sockets - check the TUN driver to
5058 * get a better understanding of why this socket is special */
5060 return avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
, TUN_SOCKET__CREATE
,
5064 static int selinux_tun_dev_attach_queue(void *security
)
5066 struct tun_security_struct
*tunsec
= security
;
5068 return avc_has_perm(current_sid(), tunsec
->sid
, SECCLASS_TUN_SOCKET
,
5069 TUN_SOCKET__ATTACH_QUEUE
, NULL
);
5072 static int selinux_tun_dev_attach(struct sock
*sk
, void *security
)
5074 struct tun_security_struct
*tunsec
= security
;
5075 struct sk_security_struct
*sksec
= sk
->sk_security
;
5077 /* we don't currently perform any NetLabel based labeling here and it
5078 * isn't clear that we would want to do so anyway; while we could apply
5079 * labeling without the support of the TUN user the resulting labeled
5080 * traffic from the other end of the connection would almost certainly
5081 * cause confusion to the TUN user that had no idea network labeling
5082 * protocols were being used */
5084 sksec
->sid
= tunsec
->sid
;
5085 sksec
->sclass
= SECCLASS_TUN_SOCKET
;
5090 static int selinux_tun_dev_open(void *security
)
5092 struct tun_security_struct
*tunsec
= security
;
5093 u32 sid
= current_sid();
5096 err
= avc_has_perm(sid
, tunsec
->sid
, SECCLASS_TUN_SOCKET
,
5097 TUN_SOCKET__RELABELFROM
, NULL
);
5100 err
= avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
,
5101 TUN_SOCKET__RELABELTO
, NULL
);
5109 static int selinux_nlmsg_perm(struct sock
*sk
, struct sk_buff
*skb
)
5113 struct nlmsghdr
*nlh
;
5114 struct sk_security_struct
*sksec
= sk
->sk_security
;
5116 if (skb
->len
< NLMSG_HDRLEN
) {
5120 nlh
= nlmsg_hdr(skb
);
5122 err
= selinux_nlmsg_lookup(sksec
->sclass
, nlh
->nlmsg_type
, &perm
);
5124 if (err
== -EINVAL
) {
5125 pr_warn_ratelimited("SELinux: unrecognized netlink"
5126 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5127 " pig=%d comm=%s\n",
5128 sk
->sk_protocol
, nlh
->nlmsg_type
,
5129 secclass_map
[sksec
->sclass
- 1].name
,
5130 task_pid_nr(current
), current
->comm
);
5131 if (!selinux_enforcing
|| security_get_allow_unknown())
5141 err
= sock_has_perm(sk
, perm
);
5146 #ifdef CONFIG_NETFILTER
5148 static unsigned int selinux_ip_forward(struct sk_buff
*skb
,
5149 const struct net_device
*indev
,
5155 struct common_audit_data ad
;
5156 struct lsm_network_audit net
= {0,};
5161 if (!selinux_policycap_netpeer
)
5164 secmark_active
= selinux_secmark_enabled();
5165 netlbl_active
= netlbl_enabled();
5166 peerlbl_active
= selinux_peerlbl_enabled();
5167 if (!secmark_active
&& !peerlbl_active
)
5170 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
) != 0)
5173 ad
.type
= LSM_AUDIT_DATA_NET
;
5175 ad
.u
.net
->netif
= indev
->ifindex
;
5176 ad
.u
.net
->family
= family
;
5177 if (selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
) != 0)
5180 if (peerlbl_active
) {
5181 err
= selinux_inet_sys_rcv_skb(dev_net(indev
), indev
->ifindex
,
5182 addrp
, family
, peer_sid
, &ad
);
5184 selinux_netlbl_err(skb
, family
, err
, 1);
5190 if (avc_has_perm(peer_sid
, skb
->secmark
,
5191 SECCLASS_PACKET
, PACKET__FORWARD_IN
, &ad
))
5195 /* we do this in the FORWARD path and not the POST_ROUTING
5196 * path because we want to make sure we apply the necessary
5197 * labeling before IPsec is applied so we can leverage AH
5199 if (selinux_netlbl_skbuff_setsid(skb
, family
, peer_sid
) != 0)
5205 static unsigned int selinux_ipv4_forward(void *priv
,
5206 struct sk_buff
*skb
,
5207 const struct nf_hook_state
*state
)
5209 return selinux_ip_forward(skb
, state
->in
, PF_INET
);
5212 #if IS_ENABLED(CONFIG_IPV6)
5213 static unsigned int selinux_ipv6_forward(void *priv
,
5214 struct sk_buff
*skb
,
5215 const struct nf_hook_state
*state
)
5217 return selinux_ip_forward(skb
, state
->in
, PF_INET6
);
5221 static unsigned int selinux_ip_output(struct sk_buff
*skb
,
5227 if (!netlbl_enabled())
5230 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5231 * because we want to make sure we apply the necessary labeling
5232 * before IPsec is applied so we can leverage AH protection */
5235 struct sk_security_struct
*sksec
;
5237 if (sk_listener(sk
))
5238 /* if the socket is the listening state then this
5239 * packet is a SYN-ACK packet which means it needs to
5240 * be labeled based on the connection/request_sock and
5241 * not the parent socket. unfortunately, we can't
5242 * lookup the request_sock yet as it isn't queued on
5243 * the parent socket until after the SYN-ACK is sent.
5244 * the "solution" is to simply pass the packet as-is
5245 * as any IP option based labeling should be copied
5246 * from the initial connection request (in the IP
5247 * layer). it is far from ideal, but until we get a
5248 * security label in the packet itself this is the
5249 * best we can do. */
5252 /* standard practice, label using the parent socket */
5253 sksec
= sk
->sk_security
;
5256 sid
= SECINITSID_KERNEL
;
5257 if (selinux_netlbl_skbuff_setsid(skb
, family
, sid
) != 0)
5263 static unsigned int selinux_ipv4_output(void *priv
,
5264 struct sk_buff
*skb
,
5265 const struct nf_hook_state
*state
)
5267 return selinux_ip_output(skb
, PF_INET
);
5270 #if IS_ENABLED(CONFIG_IPV6)
5271 static unsigned int selinux_ipv6_output(void *priv
,
5272 struct sk_buff
*skb
,
5273 const struct nf_hook_state
*state
)
5275 return selinux_ip_output(skb
, PF_INET6
);
5279 static unsigned int selinux_ip_postroute_compat(struct sk_buff
*skb
,
5283 struct sock
*sk
= skb_to_full_sk(skb
);
5284 struct sk_security_struct
*sksec
;
5285 struct common_audit_data ad
;
5286 struct lsm_network_audit net
= {0,};
5292 sksec
= sk
->sk_security
;
5294 ad
.type
= LSM_AUDIT_DATA_NET
;
5296 ad
.u
.net
->netif
= ifindex
;
5297 ad
.u
.net
->family
= family
;
5298 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, &proto
))
5301 if (selinux_secmark_enabled())
5302 if (avc_has_perm(sksec
->sid
, skb
->secmark
,
5303 SECCLASS_PACKET
, PACKET__SEND
, &ad
))
5304 return NF_DROP_ERR(-ECONNREFUSED
);
5306 if (selinux_xfrm_postroute_last(sksec
->sid
, skb
, &ad
, proto
))
5307 return NF_DROP_ERR(-ECONNREFUSED
);
5312 static unsigned int selinux_ip_postroute(struct sk_buff
*skb
,
5313 const struct net_device
*outdev
,
5318 int ifindex
= outdev
->ifindex
;
5320 struct common_audit_data ad
;
5321 struct lsm_network_audit net
= {0,};
5326 /* If any sort of compatibility mode is enabled then handoff processing
5327 * to the selinux_ip_postroute_compat() function to deal with the
5328 * special handling. We do this in an attempt to keep this function
5329 * as fast and as clean as possible. */
5330 if (!selinux_policycap_netpeer
)
5331 return selinux_ip_postroute_compat(skb
, ifindex
, family
);
5333 secmark_active
= selinux_secmark_enabled();
5334 peerlbl_active
= selinux_peerlbl_enabled();
5335 if (!secmark_active
&& !peerlbl_active
)
5338 sk
= skb_to_full_sk(skb
);
5341 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5342 * packet transformation so allow the packet to pass without any checks
5343 * since we'll have another chance to perform access control checks
5344 * when the packet is on it's final way out.
5345 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5346 * is NULL, in this case go ahead and apply access control.
5347 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5348 * TCP listening state we cannot wait until the XFRM processing
5349 * is done as we will miss out on the SA label if we do;
5350 * unfortunately, this means more work, but it is only once per
5352 if (skb_dst(skb
) != NULL
&& skb_dst(skb
)->xfrm
!= NULL
&&
5353 !(sk
&& sk_listener(sk
)))
5358 /* Without an associated socket the packet is either coming
5359 * from the kernel or it is being forwarded; check the packet
5360 * to determine which and if the packet is being forwarded
5361 * query the packet directly to determine the security label. */
5363 secmark_perm
= PACKET__FORWARD_OUT
;
5364 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
))
5367 secmark_perm
= PACKET__SEND
;
5368 peer_sid
= SECINITSID_KERNEL
;
5370 } else if (sk_listener(sk
)) {
5371 /* Locally generated packet but the associated socket is in the
5372 * listening state which means this is a SYN-ACK packet. In
5373 * this particular case the correct security label is assigned
5374 * to the connection/request_sock but unfortunately we can't
5375 * query the request_sock as it isn't queued on the parent
5376 * socket until after the SYN-ACK packet is sent; the only
5377 * viable choice is to regenerate the label like we do in
5378 * selinux_inet_conn_request(). See also selinux_ip_output()
5379 * for similar problems. */
5381 struct sk_security_struct
*sksec
;
5383 sksec
= sk
->sk_security
;
5384 if (selinux_skb_peerlbl_sid(skb
, family
, &skb_sid
))
5386 /* At this point, if the returned skb peerlbl is SECSID_NULL
5387 * and the packet has been through at least one XFRM
5388 * transformation then we must be dealing with the "final"
5389 * form of labeled IPsec packet; since we've already applied
5390 * all of our access controls on this packet we can safely
5391 * pass the packet. */
5392 if (skb_sid
== SECSID_NULL
) {
5395 if (IPCB(skb
)->flags
& IPSKB_XFRM_TRANSFORMED
)
5399 if (IP6CB(skb
)->flags
& IP6SKB_XFRM_TRANSFORMED
)
5403 return NF_DROP_ERR(-ECONNREFUSED
);
5406 if (selinux_conn_sid(sksec
->sid
, skb_sid
, &peer_sid
))
5408 secmark_perm
= PACKET__SEND
;
5410 /* Locally generated packet, fetch the security label from the
5411 * associated socket. */
5412 struct sk_security_struct
*sksec
= sk
->sk_security
;
5413 peer_sid
= sksec
->sid
;
5414 secmark_perm
= PACKET__SEND
;
5417 ad
.type
= LSM_AUDIT_DATA_NET
;
5419 ad
.u
.net
->netif
= ifindex
;
5420 ad
.u
.net
->family
= family
;
5421 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, NULL
))
5425 if (avc_has_perm(peer_sid
, skb
->secmark
,
5426 SECCLASS_PACKET
, secmark_perm
, &ad
))
5427 return NF_DROP_ERR(-ECONNREFUSED
);
5429 if (peerlbl_active
) {
5433 if (sel_netif_sid(dev_net(outdev
), ifindex
, &if_sid
))
5435 if (avc_has_perm(peer_sid
, if_sid
,
5436 SECCLASS_NETIF
, NETIF__EGRESS
, &ad
))
5437 return NF_DROP_ERR(-ECONNREFUSED
);
5439 if (sel_netnode_sid(addrp
, family
, &node_sid
))
5441 if (avc_has_perm(peer_sid
, node_sid
,
5442 SECCLASS_NODE
, NODE__SENDTO
, &ad
))
5443 return NF_DROP_ERR(-ECONNREFUSED
);
5449 static unsigned int selinux_ipv4_postroute(void *priv
,
5450 struct sk_buff
*skb
,
5451 const struct nf_hook_state
*state
)
5453 return selinux_ip_postroute(skb
, state
->out
, PF_INET
);
5456 #if IS_ENABLED(CONFIG_IPV6)
5457 static unsigned int selinux_ipv6_postroute(void *priv
,
5458 struct sk_buff
*skb
,
5459 const struct nf_hook_state
*state
)
5461 return selinux_ip_postroute(skb
, state
->out
, PF_INET6
);
5465 #endif /* CONFIG_NETFILTER */
5467 static int selinux_netlink_send(struct sock
*sk
, struct sk_buff
*skb
)
5469 return selinux_nlmsg_perm(sk
, skb
);
5472 static int ipc_alloc_security(struct kern_ipc_perm
*perm
,
5475 struct ipc_security_struct
*isec
;
5477 isec
= kzalloc(sizeof(struct ipc_security_struct
), GFP_KERNEL
);
5481 isec
->sclass
= sclass
;
5482 isec
->sid
= current_sid();
5483 perm
->security
= isec
;
5488 static void ipc_free_security(struct kern_ipc_perm
*perm
)
5490 struct ipc_security_struct
*isec
= perm
->security
;
5491 perm
->security
= NULL
;
5495 static int msg_msg_alloc_security(struct msg_msg
*msg
)
5497 struct msg_security_struct
*msec
;
5499 msec
= kzalloc(sizeof(struct msg_security_struct
), GFP_KERNEL
);
5503 msec
->sid
= SECINITSID_UNLABELED
;
5504 msg
->security
= msec
;
5509 static void msg_msg_free_security(struct msg_msg
*msg
)
5511 struct msg_security_struct
*msec
= msg
->security
;
5513 msg
->security
= NULL
;
5517 static int ipc_has_perm(struct kern_ipc_perm
*ipc_perms
,
5520 struct ipc_security_struct
*isec
;
5521 struct common_audit_data ad
;
5522 u32 sid
= current_sid();
5524 isec
= ipc_perms
->security
;
5526 ad
.type
= LSM_AUDIT_DATA_IPC
;
5527 ad
.u
.ipc_id
= ipc_perms
->key
;
5529 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, &ad
);
5532 static int selinux_msg_msg_alloc_security(struct msg_msg
*msg
)
5534 return msg_msg_alloc_security(msg
);
5537 static void selinux_msg_msg_free_security(struct msg_msg
*msg
)
5539 msg_msg_free_security(msg
);
5542 /* message queue security operations */
5543 static int selinux_msg_queue_alloc_security(struct msg_queue
*msq
)
5545 struct ipc_security_struct
*isec
;
5546 struct common_audit_data ad
;
5547 u32 sid
= current_sid();
5550 rc
= ipc_alloc_security(&msq
->q_perm
, SECCLASS_MSGQ
);
5554 isec
= msq
->q_perm
.security
;
5556 ad
.type
= LSM_AUDIT_DATA_IPC
;
5557 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5559 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5562 ipc_free_security(&msq
->q_perm
);
5568 static void selinux_msg_queue_free_security(struct msg_queue
*msq
)
5570 ipc_free_security(&msq
->q_perm
);
5573 static int selinux_msg_queue_associate(struct msg_queue
*msq
, int msqflg
)
5575 struct ipc_security_struct
*isec
;
5576 struct common_audit_data ad
;
5577 u32 sid
= current_sid();
5579 isec
= msq
->q_perm
.security
;
5581 ad
.type
= LSM_AUDIT_DATA_IPC
;
5582 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5584 return avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5585 MSGQ__ASSOCIATE
, &ad
);
5588 static int selinux_msg_queue_msgctl(struct msg_queue
*msq
, int cmd
)
5596 /* No specific object, just general system-wide information. */
5597 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5598 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5601 perms
= MSGQ__GETATTR
| MSGQ__ASSOCIATE
;
5604 perms
= MSGQ__SETATTR
;
5607 perms
= MSGQ__DESTROY
;
5613 err
= ipc_has_perm(&msq
->q_perm
, perms
);
5617 static int selinux_msg_queue_msgsnd(struct msg_queue
*msq
, struct msg_msg
*msg
, int msqflg
)
5619 struct ipc_security_struct
*isec
;
5620 struct msg_security_struct
*msec
;
5621 struct common_audit_data ad
;
5622 u32 sid
= current_sid();
5625 isec
= msq
->q_perm
.security
;
5626 msec
= msg
->security
;
5629 * First time through, need to assign label to the message
5631 if (msec
->sid
== SECINITSID_UNLABELED
) {
5633 * Compute new sid based on current process and
5634 * message queue this message will be stored in
5636 rc
= security_transition_sid(sid
, isec
->sid
, SECCLASS_MSG
,
5642 ad
.type
= LSM_AUDIT_DATA_IPC
;
5643 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5645 /* Can this process write to the queue? */
5646 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5649 /* Can this process send the message */
5650 rc
= avc_has_perm(sid
, msec
->sid
, SECCLASS_MSG
,
5653 /* Can the message be put in the queue? */
5654 rc
= avc_has_perm(msec
->sid
, isec
->sid
, SECCLASS_MSGQ
,
5655 MSGQ__ENQUEUE
, &ad
);
5660 static int selinux_msg_queue_msgrcv(struct msg_queue
*msq
, struct msg_msg
*msg
,
5661 struct task_struct
*target
,
5662 long type
, int mode
)
5664 struct ipc_security_struct
*isec
;
5665 struct msg_security_struct
*msec
;
5666 struct common_audit_data ad
;
5667 u32 sid
= task_sid(target
);
5670 isec
= msq
->q_perm
.security
;
5671 msec
= msg
->security
;
5673 ad
.type
= LSM_AUDIT_DATA_IPC
;
5674 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5676 rc
= avc_has_perm(sid
, isec
->sid
,
5677 SECCLASS_MSGQ
, MSGQ__READ
, &ad
);
5679 rc
= avc_has_perm(sid
, msec
->sid
,
5680 SECCLASS_MSG
, MSG__RECEIVE
, &ad
);
5684 /* Shared Memory security operations */
5685 static int selinux_shm_alloc_security(struct shmid_kernel
*shp
)
5687 struct ipc_security_struct
*isec
;
5688 struct common_audit_data ad
;
5689 u32 sid
= current_sid();
5692 rc
= ipc_alloc_security(&shp
->shm_perm
, SECCLASS_SHM
);
5696 isec
= shp
->shm_perm
.security
;
5698 ad
.type
= LSM_AUDIT_DATA_IPC
;
5699 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
5701 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
5704 ipc_free_security(&shp
->shm_perm
);
5710 static void selinux_shm_free_security(struct shmid_kernel
*shp
)
5712 ipc_free_security(&shp
->shm_perm
);
5715 static int selinux_shm_associate(struct shmid_kernel
*shp
, int shmflg
)
5717 struct ipc_security_struct
*isec
;
5718 struct common_audit_data ad
;
5719 u32 sid
= current_sid();
5721 isec
= shp
->shm_perm
.security
;
5723 ad
.type
= LSM_AUDIT_DATA_IPC
;
5724 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
5726 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
5727 SHM__ASSOCIATE
, &ad
);
5730 /* Note, at this point, shp is locked down */
5731 static int selinux_shm_shmctl(struct shmid_kernel
*shp
, int cmd
)
5739 /* No specific object, just general system-wide information. */
5740 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5741 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5744 perms
= SHM__GETATTR
| SHM__ASSOCIATE
;
5747 perms
= SHM__SETATTR
;
5754 perms
= SHM__DESTROY
;
5760 err
= ipc_has_perm(&shp
->shm_perm
, perms
);
5764 static int selinux_shm_shmat(struct shmid_kernel
*shp
,
5765 char __user
*shmaddr
, int shmflg
)
5769 if (shmflg
& SHM_RDONLY
)
5772 perms
= SHM__READ
| SHM__WRITE
;
5774 return ipc_has_perm(&shp
->shm_perm
, perms
);
5777 /* Semaphore security operations */
5778 static int selinux_sem_alloc_security(struct sem_array
*sma
)
5780 struct ipc_security_struct
*isec
;
5781 struct common_audit_data ad
;
5782 u32 sid
= current_sid();
5785 rc
= ipc_alloc_security(&sma
->sem_perm
, SECCLASS_SEM
);
5789 isec
= sma
->sem_perm
.security
;
5791 ad
.type
= LSM_AUDIT_DATA_IPC
;
5792 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5794 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5797 ipc_free_security(&sma
->sem_perm
);
5803 static void selinux_sem_free_security(struct sem_array
*sma
)
5805 ipc_free_security(&sma
->sem_perm
);
5808 static int selinux_sem_associate(struct sem_array
*sma
, int semflg
)
5810 struct ipc_security_struct
*isec
;
5811 struct common_audit_data ad
;
5812 u32 sid
= current_sid();
5814 isec
= sma
->sem_perm
.security
;
5816 ad
.type
= LSM_AUDIT_DATA_IPC
;
5817 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5819 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5820 SEM__ASSOCIATE
, &ad
);
5823 /* Note, at this point, sma is locked down */
5824 static int selinux_sem_semctl(struct sem_array
*sma
, int cmd
)
5832 /* No specific object, just general system-wide information. */
5833 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5834 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5838 perms
= SEM__GETATTR
;
5849 perms
= SEM__DESTROY
;
5852 perms
= SEM__SETATTR
;
5856 perms
= SEM__GETATTR
| SEM__ASSOCIATE
;
5862 err
= ipc_has_perm(&sma
->sem_perm
, perms
);
5866 static int selinux_sem_semop(struct sem_array
*sma
,
5867 struct sembuf
*sops
, unsigned nsops
, int alter
)
5872 perms
= SEM__READ
| SEM__WRITE
;
5876 return ipc_has_perm(&sma
->sem_perm
, perms
);
5879 static int selinux_ipc_permission(struct kern_ipc_perm
*ipcp
, short flag
)
5885 av
|= IPC__UNIX_READ
;
5887 av
|= IPC__UNIX_WRITE
;
5892 return ipc_has_perm(ipcp
, av
);
5895 static void selinux_ipc_getsecid(struct kern_ipc_perm
*ipcp
, u32
*secid
)
5897 struct ipc_security_struct
*isec
= ipcp
->security
;
5901 static void selinux_d_instantiate(struct dentry
*dentry
, struct inode
*inode
)
5904 inode_doinit_with_dentry(inode
, dentry
);
5907 static int selinux_getprocattr(struct task_struct
*p
,
5908 char *name
, char **value
)
5910 const struct task_security_struct
*__tsec
;
5916 __tsec
= __task_cred(p
)->security
;
5919 error
= avc_has_perm(current_sid(), __tsec
->sid
,
5920 SECCLASS_PROCESS
, PROCESS__GETATTR
, NULL
);
5925 if (!strcmp(name
, "current"))
5927 else if (!strcmp(name
, "prev"))
5929 else if (!strcmp(name
, "exec"))
5930 sid
= __tsec
->exec_sid
;
5931 else if (!strcmp(name
, "fscreate"))
5932 sid
= __tsec
->create_sid
;
5933 else if (!strcmp(name
, "keycreate"))
5934 sid
= __tsec
->keycreate_sid
;
5935 else if (!strcmp(name
, "sockcreate"))
5936 sid
= __tsec
->sockcreate_sid
;
5946 error
= security_sid_to_context(sid
, value
, &len
);
5956 static int selinux_setprocattr(const char *name
, void *value
, size_t size
)
5958 struct task_security_struct
*tsec
;
5960 u32 mysid
= current_sid(), sid
= 0, ptsid
;
5965 * Basic control over ability to set these attributes at all.
5967 if (!strcmp(name
, "exec"))
5968 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5969 PROCESS__SETEXEC
, NULL
);
5970 else if (!strcmp(name
, "fscreate"))
5971 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5972 PROCESS__SETFSCREATE
, NULL
);
5973 else if (!strcmp(name
, "keycreate"))
5974 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5975 PROCESS__SETKEYCREATE
, NULL
);
5976 else if (!strcmp(name
, "sockcreate"))
5977 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5978 PROCESS__SETSOCKCREATE
, NULL
);
5979 else if (!strcmp(name
, "current"))
5980 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5981 PROCESS__SETCURRENT
, NULL
);
5987 /* Obtain a SID for the context, if one was specified. */
5988 if (size
&& str
[0] && str
[0] != '\n') {
5989 if (str
[size
-1] == '\n') {
5993 error
= security_context_to_sid(value
, size
, &sid
, GFP_KERNEL
);
5994 if (error
== -EINVAL
&& !strcmp(name
, "fscreate")) {
5995 if (!has_cap_mac_admin(true)) {
5996 struct audit_buffer
*ab
;
5999 /* We strip a nul only if it is at the end, otherwise the
6000 * context contains a nul and we should audit that */
6001 if (str
[size
- 1] == '\0')
6002 audit_size
= size
- 1;
6005 ab
= audit_log_start(current
->audit_context
, GFP_ATOMIC
, AUDIT_SELINUX_ERR
);
6006 audit_log_format(ab
, "op=fscreate invalid_context=");
6007 audit_log_n_untrustedstring(ab
, value
, audit_size
);
6012 error
= security_context_to_sid_force(value
, size
,
6019 new = prepare_creds();
6023 /* Permission checking based on the specified context is
6024 performed during the actual operation (execve,
6025 open/mkdir/...), when we know the full context of the
6026 operation. See selinux_bprm_set_creds for the execve
6027 checks and may_create for the file creation checks. The
6028 operation will then fail if the context is not permitted. */
6029 tsec
= new->security
;
6030 if (!strcmp(name
, "exec")) {
6031 tsec
->exec_sid
= sid
;
6032 } else if (!strcmp(name
, "fscreate")) {
6033 tsec
->create_sid
= sid
;
6034 } else if (!strcmp(name
, "keycreate")) {
6035 error
= avc_has_perm(mysid
, sid
, SECCLASS_KEY
, KEY__CREATE
,
6039 tsec
->keycreate_sid
= sid
;
6040 } else if (!strcmp(name
, "sockcreate")) {
6041 tsec
->sockcreate_sid
= sid
;
6042 } else if (!strcmp(name
, "current")) {
6047 /* Only allow single threaded processes to change context */
6049 if (!current_is_single_threaded()) {
6050 error
= security_bounded_transition(tsec
->sid
, sid
);
6055 /* Check permissions for the transition. */
6056 error
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_PROCESS
,
6057 PROCESS__DYNTRANSITION
, NULL
);
6061 /* Check for ptracing, and update the task SID if ok.
6062 Otherwise, leave SID unchanged and fail. */
6063 ptsid
= ptrace_parent_sid();
6065 error
= avc_has_perm(ptsid
, sid
, SECCLASS_PROCESS
,
6066 PROCESS__PTRACE
, NULL
);
6085 static int selinux_ismaclabel(const char *name
)
6087 return (strcmp(name
, XATTR_SELINUX_SUFFIX
) == 0);
6090 static int selinux_secid_to_secctx(u32 secid
, char **secdata
, u32
*seclen
)
6092 return security_sid_to_context(secid
, secdata
, seclen
);
6095 static int selinux_secctx_to_secid(const char *secdata
, u32 seclen
, u32
*secid
)
6097 return security_context_to_sid(secdata
, seclen
, secid
, GFP_KERNEL
);
6100 static void selinux_release_secctx(char *secdata
, u32 seclen
)
6105 static void selinux_inode_invalidate_secctx(struct inode
*inode
)
6107 struct inode_security_struct
*isec
= inode
->i_security
;
6109 spin_lock(&isec
->lock
);
6110 isec
->initialized
= LABEL_INVALID
;
6111 spin_unlock(&isec
->lock
);
6115 * called with inode->i_mutex locked
6117 static int selinux_inode_notifysecctx(struct inode
*inode
, void *ctx
, u32 ctxlen
)
6119 return selinux_inode_setsecurity(inode
, XATTR_SELINUX_SUFFIX
, ctx
, ctxlen
, 0);
6123 * called with inode->i_mutex locked
6125 static int selinux_inode_setsecctx(struct dentry
*dentry
, void *ctx
, u32 ctxlen
)
6127 return __vfs_setxattr_noperm(dentry
, XATTR_NAME_SELINUX
, ctx
, ctxlen
, 0);
6130 static int selinux_inode_getsecctx(struct inode
*inode
, void **ctx
, u32
*ctxlen
)
6133 len
= selinux_inode_getsecurity(inode
, XATTR_SELINUX_SUFFIX
,
6142 static int selinux_key_alloc(struct key
*k
, const struct cred
*cred
,
6143 unsigned long flags
)
6145 const struct task_security_struct
*tsec
;
6146 struct key_security_struct
*ksec
;
6148 ksec
= kzalloc(sizeof(struct key_security_struct
), GFP_KERNEL
);
6152 tsec
= cred
->security
;
6153 if (tsec
->keycreate_sid
)
6154 ksec
->sid
= tsec
->keycreate_sid
;
6156 ksec
->sid
= tsec
->sid
;
6162 static void selinux_key_free(struct key
*k
)
6164 struct key_security_struct
*ksec
= k
->security
;
6170 static int selinux_key_permission(key_ref_t key_ref
,
6171 const struct cred
*cred
,
6175 struct key_security_struct
*ksec
;
6178 /* if no specific permissions are requested, we skip the
6179 permission check. No serious, additional covert channels
6180 appear to be created. */
6184 sid
= cred_sid(cred
);
6186 key
= key_ref_to_ptr(key_ref
);
6187 ksec
= key
->security
;
6189 return avc_has_perm(sid
, ksec
->sid
, SECCLASS_KEY
, perm
, NULL
);
6192 static int selinux_key_getsecurity(struct key
*key
, char **_buffer
)
6194 struct key_security_struct
*ksec
= key
->security
;
6195 char *context
= NULL
;
6199 rc
= security_sid_to_context(ksec
->sid
, &context
, &len
);
6207 #ifdef CONFIG_SECURITY_INFINIBAND
6208 static int selinux_ib_pkey_access(void *ib_sec
, u64 subnet_prefix
, u16 pkey_val
)
6210 struct common_audit_data ad
;
6213 struct ib_security_struct
*sec
= ib_sec
;
6214 struct lsm_ibpkey_audit ibpkey
;
6216 err
= sel_ib_pkey_sid(subnet_prefix
, pkey_val
, &sid
);
6220 ad
.type
= LSM_AUDIT_DATA_IBPKEY
;
6221 ibpkey
.subnet_prefix
= subnet_prefix
;
6222 ibpkey
.pkey
= pkey_val
;
6223 ad
.u
.ibpkey
= &ibpkey
;
6224 return avc_has_perm(sec
->sid
, sid
,
6225 SECCLASS_INFINIBAND_PKEY
,
6226 INFINIBAND_PKEY__ACCESS
, &ad
);
6229 static int selinux_ib_endport_manage_subnet(void *ib_sec
, const char *dev_name
,
6232 struct common_audit_data ad
;
6235 struct ib_security_struct
*sec
= ib_sec
;
6236 struct lsm_ibendport_audit ibendport
;
6238 err
= security_ib_endport_sid(dev_name
, port_num
, &sid
);
6243 ad
.type
= LSM_AUDIT_DATA_IBENDPORT
;
6244 strncpy(ibendport
.dev_name
, dev_name
, sizeof(ibendport
.dev_name
));
6245 ibendport
.port
= port_num
;
6246 ad
.u
.ibendport
= &ibendport
;
6247 return avc_has_perm(sec
->sid
, sid
,
6248 SECCLASS_INFINIBAND_ENDPORT
,
6249 INFINIBAND_ENDPORT__MANAGE_SUBNET
, &ad
);
6252 static int selinux_ib_alloc_security(void **ib_sec
)
6254 struct ib_security_struct
*sec
;
6256 sec
= kzalloc(sizeof(*sec
), GFP_KERNEL
);
6259 sec
->sid
= current_sid();
6265 static void selinux_ib_free_security(void *ib_sec
)
6271 #ifdef CONFIG_BPF_SYSCALL
6272 static int selinux_bpf(int cmd
, union bpf_attr
*attr
,
6275 u32 sid
= current_sid();
6279 case BPF_MAP_CREATE
:
6280 ret
= avc_has_perm(sid
, sid
, SECCLASS_BPF
, BPF__MAP_CREATE
,
6284 ret
= avc_has_perm(sid
, sid
, SECCLASS_BPF
, BPF__PROG_LOAD
,
6295 static u32
bpf_map_fmode_to_av(fmode_t fmode
)
6299 if (fmode
& FMODE_READ
)
6300 av
|= BPF__MAP_READ
;
6301 if (fmode
& FMODE_WRITE
)
6302 av
|= BPF__MAP_WRITE
;
6306 /* This function will check the file pass through unix socket or binder to see
6307 * if it is a bpf related object. And apply correspinding checks on the bpf
6308 * object based on the type. The bpf maps and programs, not like other files and
6309 * socket, are using a shared anonymous inode inside the kernel as their inode.
6310 * So checking that inode cannot identify if the process have privilege to
6311 * access the bpf object and that's why we have to add this additional check in
6312 * selinux_file_receive and selinux_binder_transfer_files.
6314 static int bpf_fd_pass(struct file
*file
, u32 sid
)
6316 struct bpf_security_struct
*bpfsec
;
6317 struct bpf_prog
*prog
;
6318 struct bpf_map
*map
;
6321 if (file
->f_op
== &bpf_map_fops
) {
6322 map
= file
->private_data
;
6323 bpfsec
= map
->security
;
6324 ret
= avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6325 bpf_map_fmode_to_av(file
->f_mode
), NULL
);
6328 } else if (file
->f_op
== &bpf_prog_fops
) {
6329 prog
= file
->private_data
;
6330 bpfsec
= prog
->aux
->security
;
6331 ret
= avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6332 BPF__PROG_RUN
, NULL
);
6339 static int selinux_bpf_map(struct bpf_map
*map
, fmode_t fmode
)
6341 u32 sid
= current_sid();
6342 struct bpf_security_struct
*bpfsec
;
6344 bpfsec
= map
->security
;
6345 return avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6346 bpf_map_fmode_to_av(fmode
), NULL
);
6349 static int selinux_bpf_prog(struct bpf_prog
*prog
)
6351 u32 sid
= current_sid();
6352 struct bpf_security_struct
*bpfsec
;
6354 bpfsec
= prog
->aux
->security
;
6355 return avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6356 BPF__PROG_RUN
, NULL
);
6359 static int selinux_bpf_map_alloc(struct bpf_map
*map
)
6361 struct bpf_security_struct
*bpfsec
;
6363 bpfsec
= kzalloc(sizeof(*bpfsec
), GFP_KERNEL
);
6367 bpfsec
->sid
= current_sid();
6368 map
->security
= bpfsec
;
6373 static void selinux_bpf_map_free(struct bpf_map
*map
)
6375 struct bpf_security_struct
*bpfsec
= map
->security
;
6377 map
->security
= NULL
;
6381 static int selinux_bpf_prog_alloc(struct bpf_prog_aux
*aux
)
6383 struct bpf_security_struct
*bpfsec
;
6385 bpfsec
= kzalloc(sizeof(*bpfsec
), GFP_KERNEL
);
6389 bpfsec
->sid
= current_sid();
6390 aux
->security
= bpfsec
;
6395 static void selinux_bpf_prog_free(struct bpf_prog_aux
*aux
)
6397 struct bpf_security_struct
*bpfsec
= aux
->security
;
6399 aux
->security
= NULL
;
6404 static struct security_hook_list selinux_hooks
[] __lsm_ro_after_init
= {
6405 LSM_HOOK_INIT(binder_set_context_mgr
, selinux_binder_set_context_mgr
),
6406 LSM_HOOK_INIT(binder_transaction
, selinux_binder_transaction
),
6407 LSM_HOOK_INIT(binder_transfer_binder
, selinux_binder_transfer_binder
),
6408 LSM_HOOK_INIT(binder_transfer_file
, selinux_binder_transfer_file
),
6410 LSM_HOOK_INIT(ptrace_access_check
, selinux_ptrace_access_check
),
6411 LSM_HOOK_INIT(ptrace_traceme
, selinux_ptrace_traceme
),
6412 LSM_HOOK_INIT(capget
, selinux_capget
),
6413 LSM_HOOK_INIT(capset
, selinux_capset
),
6414 LSM_HOOK_INIT(capable
, selinux_capable
),
6415 LSM_HOOK_INIT(quotactl
, selinux_quotactl
),
6416 LSM_HOOK_INIT(quota_on
, selinux_quota_on
),
6417 LSM_HOOK_INIT(syslog
, selinux_syslog
),
6418 LSM_HOOK_INIT(vm_enough_memory
, selinux_vm_enough_memory
),
6420 LSM_HOOK_INIT(netlink_send
, selinux_netlink_send
),
6422 LSM_HOOK_INIT(bprm_set_creds
, selinux_bprm_set_creds
),
6423 LSM_HOOK_INIT(bprm_committing_creds
, selinux_bprm_committing_creds
),
6424 LSM_HOOK_INIT(bprm_committed_creds
, selinux_bprm_committed_creds
),
6426 LSM_HOOK_INIT(sb_alloc_security
, selinux_sb_alloc_security
),
6427 LSM_HOOK_INIT(sb_free_security
, selinux_sb_free_security
),
6428 LSM_HOOK_INIT(sb_copy_data
, selinux_sb_copy_data
),
6429 LSM_HOOK_INIT(sb_remount
, selinux_sb_remount
),
6430 LSM_HOOK_INIT(sb_kern_mount
, selinux_sb_kern_mount
),
6431 LSM_HOOK_INIT(sb_show_options
, selinux_sb_show_options
),
6432 LSM_HOOK_INIT(sb_statfs
, selinux_sb_statfs
),
6433 LSM_HOOK_INIT(sb_mount
, selinux_mount
),
6434 LSM_HOOK_INIT(sb_umount
, selinux_umount
),
6435 LSM_HOOK_INIT(sb_set_mnt_opts
, selinux_set_mnt_opts
),
6436 LSM_HOOK_INIT(sb_clone_mnt_opts
, selinux_sb_clone_mnt_opts
),
6437 LSM_HOOK_INIT(sb_parse_opts_str
, selinux_parse_opts_str
),
6439 LSM_HOOK_INIT(dentry_init_security
, selinux_dentry_init_security
),
6440 LSM_HOOK_INIT(dentry_create_files_as
, selinux_dentry_create_files_as
),
6442 LSM_HOOK_INIT(inode_alloc_security
, selinux_inode_alloc_security
),
6443 LSM_HOOK_INIT(inode_free_security
, selinux_inode_free_security
),
6444 LSM_HOOK_INIT(inode_init_security
, selinux_inode_init_security
),
6445 LSM_HOOK_INIT(inode_create
, selinux_inode_create
),
6446 LSM_HOOK_INIT(inode_link
, selinux_inode_link
),
6447 LSM_HOOK_INIT(inode_unlink
, selinux_inode_unlink
),
6448 LSM_HOOK_INIT(inode_symlink
, selinux_inode_symlink
),
6449 LSM_HOOK_INIT(inode_mkdir
, selinux_inode_mkdir
),
6450 LSM_HOOK_INIT(inode_rmdir
, selinux_inode_rmdir
),
6451 LSM_HOOK_INIT(inode_mknod
, selinux_inode_mknod
),
6452 LSM_HOOK_INIT(inode_rename
, selinux_inode_rename
),
6453 LSM_HOOK_INIT(inode_readlink
, selinux_inode_readlink
),
6454 LSM_HOOK_INIT(inode_follow_link
, selinux_inode_follow_link
),
6455 LSM_HOOK_INIT(inode_permission
, selinux_inode_permission
),
6456 LSM_HOOK_INIT(inode_setattr
, selinux_inode_setattr
),
6457 LSM_HOOK_INIT(inode_getattr
, selinux_inode_getattr
),
6458 LSM_HOOK_INIT(inode_setxattr
, selinux_inode_setxattr
),
6459 LSM_HOOK_INIT(inode_post_setxattr
, selinux_inode_post_setxattr
),
6460 LSM_HOOK_INIT(inode_getxattr
, selinux_inode_getxattr
),
6461 LSM_HOOK_INIT(inode_listxattr
, selinux_inode_listxattr
),
6462 LSM_HOOK_INIT(inode_removexattr
, selinux_inode_removexattr
),
6463 LSM_HOOK_INIT(inode_getsecurity
, selinux_inode_getsecurity
),
6464 LSM_HOOK_INIT(inode_setsecurity
, selinux_inode_setsecurity
),
6465 LSM_HOOK_INIT(inode_listsecurity
, selinux_inode_listsecurity
),
6466 LSM_HOOK_INIT(inode_getsecid
, selinux_inode_getsecid
),
6467 LSM_HOOK_INIT(inode_copy_up
, selinux_inode_copy_up
),
6468 LSM_HOOK_INIT(inode_copy_up_xattr
, selinux_inode_copy_up_xattr
),
6470 LSM_HOOK_INIT(file_permission
, selinux_file_permission
),
6471 LSM_HOOK_INIT(file_alloc_security
, selinux_file_alloc_security
),
6472 LSM_HOOK_INIT(file_free_security
, selinux_file_free_security
),
6473 LSM_HOOK_INIT(file_ioctl
, selinux_file_ioctl
),
6474 LSM_HOOK_INIT(mmap_file
, selinux_mmap_file
),
6475 LSM_HOOK_INIT(mmap_addr
, selinux_mmap_addr
),
6476 LSM_HOOK_INIT(file_mprotect
, selinux_file_mprotect
),
6477 LSM_HOOK_INIT(file_lock
, selinux_file_lock
),
6478 LSM_HOOK_INIT(file_fcntl
, selinux_file_fcntl
),
6479 LSM_HOOK_INIT(file_set_fowner
, selinux_file_set_fowner
),
6480 LSM_HOOK_INIT(file_send_sigiotask
, selinux_file_send_sigiotask
),
6481 LSM_HOOK_INIT(file_receive
, selinux_file_receive
),
6483 LSM_HOOK_INIT(file_open
, selinux_file_open
),
6485 LSM_HOOK_INIT(task_alloc
, selinux_task_alloc
),
6486 LSM_HOOK_INIT(cred_alloc_blank
, selinux_cred_alloc_blank
),
6487 LSM_HOOK_INIT(cred_free
, selinux_cred_free
),
6488 LSM_HOOK_INIT(cred_prepare
, selinux_cred_prepare
),
6489 LSM_HOOK_INIT(cred_transfer
, selinux_cred_transfer
),
6490 LSM_HOOK_INIT(cred_getsecid
, selinux_cred_getsecid
),
6491 LSM_HOOK_INIT(kernel_act_as
, selinux_kernel_act_as
),
6492 LSM_HOOK_INIT(kernel_create_files_as
, selinux_kernel_create_files_as
),
6493 LSM_HOOK_INIT(kernel_module_request
, selinux_kernel_module_request
),
6494 LSM_HOOK_INIT(kernel_read_file
, selinux_kernel_read_file
),
6495 LSM_HOOK_INIT(task_setpgid
, selinux_task_setpgid
),
6496 LSM_HOOK_INIT(task_getpgid
, selinux_task_getpgid
),
6497 LSM_HOOK_INIT(task_getsid
, selinux_task_getsid
),
6498 LSM_HOOK_INIT(task_getsecid
, selinux_task_getsecid
),
6499 LSM_HOOK_INIT(task_setnice
, selinux_task_setnice
),
6500 LSM_HOOK_INIT(task_setioprio
, selinux_task_setioprio
),
6501 LSM_HOOK_INIT(task_getioprio
, selinux_task_getioprio
),
6502 LSM_HOOK_INIT(task_prlimit
, selinux_task_prlimit
),
6503 LSM_HOOK_INIT(task_setrlimit
, selinux_task_setrlimit
),
6504 LSM_HOOK_INIT(task_setscheduler
, selinux_task_setscheduler
),
6505 LSM_HOOK_INIT(task_getscheduler
, selinux_task_getscheduler
),
6506 LSM_HOOK_INIT(task_movememory
, selinux_task_movememory
),
6507 LSM_HOOK_INIT(task_kill
, selinux_task_kill
),
6508 LSM_HOOK_INIT(task_to_inode
, selinux_task_to_inode
),
6510 LSM_HOOK_INIT(ipc_permission
, selinux_ipc_permission
),
6511 LSM_HOOK_INIT(ipc_getsecid
, selinux_ipc_getsecid
),
6513 LSM_HOOK_INIT(msg_msg_alloc_security
, selinux_msg_msg_alloc_security
),
6514 LSM_HOOK_INIT(msg_msg_free_security
, selinux_msg_msg_free_security
),
6516 LSM_HOOK_INIT(msg_queue_alloc_security
,
6517 selinux_msg_queue_alloc_security
),
6518 LSM_HOOK_INIT(msg_queue_free_security
, selinux_msg_queue_free_security
),
6519 LSM_HOOK_INIT(msg_queue_associate
, selinux_msg_queue_associate
),
6520 LSM_HOOK_INIT(msg_queue_msgctl
, selinux_msg_queue_msgctl
),
6521 LSM_HOOK_INIT(msg_queue_msgsnd
, selinux_msg_queue_msgsnd
),
6522 LSM_HOOK_INIT(msg_queue_msgrcv
, selinux_msg_queue_msgrcv
),
6524 LSM_HOOK_INIT(shm_alloc_security
, selinux_shm_alloc_security
),
6525 LSM_HOOK_INIT(shm_free_security
, selinux_shm_free_security
),
6526 LSM_HOOK_INIT(shm_associate
, selinux_shm_associate
),
6527 LSM_HOOK_INIT(shm_shmctl
, selinux_shm_shmctl
),
6528 LSM_HOOK_INIT(shm_shmat
, selinux_shm_shmat
),
6530 LSM_HOOK_INIT(sem_alloc_security
, selinux_sem_alloc_security
),
6531 LSM_HOOK_INIT(sem_free_security
, selinux_sem_free_security
),
6532 LSM_HOOK_INIT(sem_associate
, selinux_sem_associate
),
6533 LSM_HOOK_INIT(sem_semctl
, selinux_sem_semctl
),
6534 LSM_HOOK_INIT(sem_semop
, selinux_sem_semop
),
6536 LSM_HOOK_INIT(d_instantiate
, selinux_d_instantiate
),
6538 LSM_HOOK_INIT(getprocattr
, selinux_getprocattr
),
6539 LSM_HOOK_INIT(setprocattr
, selinux_setprocattr
),
6541 LSM_HOOK_INIT(ismaclabel
, selinux_ismaclabel
),
6542 LSM_HOOK_INIT(secid_to_secctx
, selinux_secid_to_secctx
),
6543 LSM_HOOK_INIT(secctx_to_secid
, selinux_secctx_to_secid
),
6544 LSM_HOOK_INIT(release_secctx
, selinux_release_secctx
),
6545 LSM_HOOK_INIT(inode_invalidate_secctx
, selinux_inode_invalidate_secctx
),
6546 LSM_HOOK_INIT(inode_notifysecctx
, selinux_inode_notifysecctx
),
6547 LSM_HOOK_INIT(inode_setsecctx
, selinux_inode_setsecctx
),
6548 LSM_HOOK_INIT(inode_getsecctx
, selinux_inode_getsecctx
),
6550 LSM_HOOK_INIT(unix_stream_connect
, selinux_socket_unix_stream_connect
),
6551 LSM_HOOK_INIT(unix_may_send
, selinux_socket_unix_may_send
),
6553 LSM_HOOK_INIT(socket_create
, selinux_socket_create
),
6554 LSM_HOOK_INIT(socket_post_create
, selinux_socket_post_create
),
6555 LSM_HOOK_INIT(socket_bind
, selinux_socket_bind
),
6556 LSM_HOOK_INIT(socket_connect
, selinux_socket_connect
),
6557 LSM_HOOK_INIT(socket_listen
, selinux_socket_listen
),
6558 LSM_HOOK_INIT(socket_accept
, selinux_socket_accept
),
6559 LSM_HOOK_INIT(socket_sendmsg
, selinux_socket_sendmsg
),
6560 LSM_HOOK_INIT(socket_recvmsg
, selinux_socket_recvmsg
),
6561 LSM_HOOK_INIT(socket_getsockname
, selinux_socket_getsockname
),
6562 LSM_HOOK_INIT(socket_getpeername
, selinux_socket_getpeername
),
6563 LSM_HOOK_INIT(socket_getsockopt
, selinux_socket_getsockopt
),
6564 LSM_HOOK_INIT(socket_setsockopt
, selinux_socket_setsockopt
),
6565 LSM_HOOK_INIT(socket_shutdown
, selinux_socket_shutdown
),
6566 LSM_HOOK_INIT(socket_sock_rcv_skb
, selinux_socket_sock_rcv_skb
),
6567 LSM_HOOK_INIT(socket_getpeersec_stream
,
6568 selinux_socket_getpeersec_stream
),
6569 LSM_HOOK_INIT(socket_getpeersec_dgram
, selinux_socket_getpeersec_dgram
),
6570 LSM_HOOK_INIT(sk_alloc_security
, selinux_sk_alloc_security
),
6571 LSM_HOOK_INIT(sk_free_security
, selinux_sk_free_security
),
6572 LSM_HOOK_INIT(sk_clone_security
, selinux_sk_clone_security
),
6573 LSM_HOOK_INIT(sk_getsecid
, selinux_sk_getsecid
),
6574 LSM_HOOK_INIT(sock_graft
, selinux_sock_graft
),
6575 LSM_HOOK_INIT(inet_conn_request
, selinux_inet_conn_request
),
6576 LSM_HOOK_INIT(inet_csk_clone
, selinux_inet_csk_clone
),
6577 LSM_HOOK_INIT(inet_conn_established
, selinux_inet_conn_established
),
6578 LSM_HOOK_INIT(secmark_relabel_packet
, selinux_secmark_relabel_packet
),
6579 LSM_HOOK_INIT(secmark_refcount_inc
, selinux_secmark_refcount_inc
),
6580 LSM_HOOK_INIT(secmark_refcount_dec
, selinux_secmark_refcount_dec
),
6581 LSM_HOOK_INIT(req_classify_flow
, selinux_req_classify_flow
),
6582 LSM_HOOK_INIT(tun_dev_alloc_security
, selinux_tun_dev_alloc_security
),
6583 LSM_HOOK_INIT(tun_dev_free_security
, selinux_tun_dev_free_security
),
6584 LSM_HOOK_INIT(tun_dev_create
, selinux_tun_dev_create
),
6585 LSM_HOOK_INIT(tun_dev_attach_queue
, selinux_tun_dev_attach_queue
),
6586 LSM_HOOK_INIT(tun_dev_attach
, selinux_tun_dev_attach
),
6587 LSM_HOOK_INIT(tun_dev_open
, selinux_tun_dev_open
),
6588 #ifdef CONFIG_SECURITY_INFINIBAND
6589 LSM_HOOK_INIT(ib_pkey_access
, selinux_ib_pkey_access
),
6590 LSM_HOOK_INIT(ib_endport_manage_subnet
,
6591 selinux_ib_endport_manage_subnet
),
6592 LSM_HOOK_INIT(ib_alloc_security
, selinux_ib_alloc_security
),
6593 LSM_HOOK_INIT(ib_free_security
, selinux_ib_free_security
),
6595 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6596 LSM_HOOK_INIT(xfrm_policy_alloc_security
, selinux_xfrm_policy_alloc
),
6597 LSM_HOOK_INIT(xfrm_policy_clone_security
, selinux_xfrm_policy_clone
),
6598 LSM_HOOK_INIT(xfrm_policy_free_security
, selinux_xfrm_policy_free
),
6599 LSM_HOOK_INIT(xfrm_policy_delete_security
, selinux_xfrm_policy_delete
),
6600 LSM_HOOK_INIT(xfrm_state_alloc
, selinux_xfrm_state_alloc
),
6601 LSM_HOOK_INIT(xfrm_state_alloc_acquire
,
6602 selinux_xfrm_state_alloc_acquire
),
6603 LSM_HOOK_INIT(xfrm_state_free_security
, selinux_xfrm_state_free
),
6604 LSM_HOOK_INIT(xfrm_state_delete_security
, selinux_xfrm_state_delete
),
6605 LSM_HOOK_INIT(xfrm_policy_lookup
, selinux_xfrm_policy_lookup
),
6606 LSM_HOOK_INIT(xfrm_state_pol_flow_match
,
6607 selinux_xfrm_state_pol_flow_match
),
6608 LSM_HOOK_INIT(xfrm_decode_session
, selinux_xfrm_decode_session
),
6612 LSM_HOOK_INIT(key_alloc
, selinux_key_alloc
),
6613 LSM_HOOK_INIT(key_free
, selinux_key_free
),
6614 LSM_HOOK_INIT(key_permission
, selinux_key_permission
),
6615 LSM_HOOK_INIT(key_getsecurity
, selinux_key_getsecurity
),
6619 LSM_HOOK_INIT(audit_rule_init
, selinux_audit_rule_init
),
6620 LSM_HOOK_INIT(audit_rule_known
, selinux_audit_rule_known
),
6621 LSM_HOOK_INIT(audit_rule_match
, selinux_audit_rule_match
),
6622 LSM_HOOK_INIT(audit_rule_free
, selinux_audit_rule_free
),
6625 #ifdef CONFIG_BPF_SYSCALL
6626 LSM_HOOK_INIT(bpf
, selinux_bpf
),
6627 LSM_HOOK_INIT(bpf_map
, selinux_bpf_map
),
6628 LSM_HOOK_INIT(bpf_prog
, selinux_bpf_prog
),
6629 LSM_HOOK_INIT(bpf_map_alloc_security
, selinux_bpf_map_alloc
),
6630 LSM_HOOK_INIT(bpf_prog_alloc_security
, selinux_bpf_prog_alloc
),
6631 LSM_HOOK_INIT(bpf_map_free_security
, selinux_bpf_map_free
),
6632 LSM_HOOK_INIT(bpf_prog_free_security
, selinux_bpf_prog_free
),
6636 static __init
int selinux_init(void)
6638 if (!security_module_enable("selinux")) {
6639 selinux_enabled
= 0;
6643 if (!selinux_enabled
) {
6644 printk(KERN_INFO
"SELinux: Disabled at boot.\n");
6648 printk(KERN_INFO
"SELinux: Initializing.\n");
6650 /* Set the security state for the initial task. */
6651 cred_init_security();
6653 default_noexec
= !(VM_DATA_DEFAULT_FLAGS
& VM_EXEC
);
6655 sel_inode_cache
= kmem_cache_create("selinux_inode_security",
6656 sizeof(struct inode_security_struct
),
6657 0, SLAB_PANIC
, NULL
);
6658 file_security_cache
= kmem_cache_create("selinux_file_security",
6659 sizeof(struct file_security_struct
),
6660 0, SLAB_PANIC
, NULL
);
6663 security_add_hooks(selinux_hooks
, ARRAY_SIZE(selinux_hooks
), "selinux");
6665 if (avc_add_callback(selinux_netcache_avc_callback
, AVC_CALLBACK_RESET
))
6666 panic("SELinux: Unable to register AVC netcache callback\n");
6668 if (avc_add_callback(selinux_lsm_notifier_avc_callback
, AVC_CALLBACK_RESET
))
6669 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6671 if (selinux_enforcing
)
6672 printk(KERN_DEBUG
"SELinux: Starting in enforcing mode\n");
6674 printk(KERN_DEBUG
"SELinux: Starting in permissive mode\n");
6679 static void delayed_superblock_init(struct super_block
*sb
, void *unused
)
6681 superblock_doinit(sb
, NULL
);
6684 void selinux_complete_init(void)
6686 printk(KERN_DEBUG
"SELinux: Completing initialization.\n");
6688 /* Set up any superblocks initialized prior to the policy load. */
6689 printk(KERN_DEBUG
"SELinux: Setting up existing superblocks.\n");
6690 iterate_supers(delayed_superblock_init
, NULL
);
6693 /* SELinux requires early initialization in order to label
6694 all processes and objects when they are created. */
6695 security_initcall(selinux_init
);
6697 #if defined(CONFIG_NETFILTER)
6699 static const struct nf_hook_ops selinux_nf_ops
[] = {
6701 .hook
= selinux_ipv4_postroute
,
6703 .hooknum
= NF_INET_POST_ROUTING
,
6704 .priority
= NF_IP_PRI_SELINUX_LAST
,
6707 .hook
= selinux_ipv4_forward
,
6709 .hooknum
= NF_INET_FORWARD
,
6710 .priority
= NF_IP_PRI_SELINUX_FIRST
,
6713 .hook
= selinux_ipv4_output
,
6715 .hooknum
= NF_INET_LOCAL_OUT
,
6716 .priority
= NF_IP_PRI_SELINUX_FIRST
,
6718 #if IS_ENABLED(CONFIG_IPV6)
6720 .hook
= selinux_ipv6_postroute
,
6722 .hooknum
= NF_INET_POST_ROUTING
,
6723 .priority
= NF_IP6_PRI_SELINUX_LAST
,
6726 .hook
= selinux_ipv6_forward
,
6728 .hooknum
= NF_INET_FORWARD
,
6729 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
6732 .hook
= selinux_ipv6_output
,
6734 .hooknum
= NF_INET_LOCAL_OUT
,
6735 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
6740 static int __net_init
selinux_nf_register(struct net
*net
)
6742 return nf_register_net_hooks(net
, selinux_nf_ops
,
6743 ARRAY_SIZE(selinux_nf_ops
));
6746 static void __net_exit
selinux_nf_unregister(struct net
*net
)
6748 nf_unregister_net_hooks(net
, selinux_nf_ops
,
6749 ARRAY_SIZE(selinux_nf_ops
));
6752 static struct pernet_operations selinux_net_ops
= {
6753 .init
= selinux_nf_register
,
6754 .exit
= selinux_nf_unregister
,
6757 static int __init
selinux_nf_ip_init(void)
6761 if (!selinux_enabled
)
6764 printk(KERN_DEBUG
"SELinux: Registering netfilter hooks\n");
6766 err
= register_pernet_subsys(&selinux_net_ops
);
6768 panic("SELinux: register_pernet_subsys: error %d\n", err
);
6772 __initcall(selinux_nf_ip_init
);
6774 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6775 static void selinux_nf_ip_exit(void)
6777 printk(KERN_DEBUG
"SELinux: Unregistering netfilter hooks\n");
6779 unregister_pernet_subsys(&selinux_net_ops
);
6783 #else /* CONFIG_NETFILTER */
6785 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6786 #define selinux_nf_ip_exit()
6789 #endif /* CONFIG_NETFILTER */
6791 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6792 static int selinux_disabled
;
6794 int selinux_disable(void)
6796 if (ss_initialized
) {
6797 /* Not permitted after initial policy load. */
6801 if (selinux_disabled
) {
6802 /* Only do this once. */
6806 printk(KERN_INFO
"SELinux: Disabled at runtime.\n");
6808 selinux_disabled
= 1;
6809 selinux_enabled
= 0;
6811 security_delete_hooks(selinux_hooks
, ARRAY_SIZE(selinux_hooks
));
6813 /* Try to destroy the avc node cache */
6816 /* Unregister netfilter hooks. */
6817 selinux_nf_ip_exit();
6819 /* Unregister selinuxfs. */