]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
selinux: Remove redundant check for unknown labeling behavior
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched/signal.h>
32 #include <linux/sched/task.h>
33 #include <linux/lsm_hooks.h>
34 #include <linux/xattr.h>
35 #include <linux/capability.h>
36 #include <linux/unistd.h>
37 #include <linux/mm.h>
38 #include <linux/mman.h>
39 #include <linux/slab.h>
40 #include <linux/pagemap.h>
41 #include <linux/proc_fs.h>
42 #include <linux/swap.h>
43 #include <linux/spinlock.h>
44 #include <linux/syscalls.h>
45 #include <linux/dcache.h>
46 #include <linux/file.h>
47 #include <linux/fdtable.h>
48 #include <linux/namei.h>
49 #include <linux/mount.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/quota.h>
70 #include <linux/un.h> /* for Unix socket types */
71 #include <net/af_unix.h> /* for Unix socket types */
72 #include <linux/parser.h>
73 #include <linux/nfs_mount.h>
74 #include <net/ipv6.h>
75 #include <linux/hugetlb.h>
76 #include <linux/personality.h>
77 #include <linux/audit.h>
78 #include <linux/string.h>
79 #include <linux/selinux.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87
88 #include "avc.h"
89 #include "objsec.h"
90 #include "netif.h"
91 #include "netnode.h"
92 #include "netport.h"
93 #include "xfrm.h"
94 #include "netlabel.h"
95 #include "audit.h"
96 #include "avc_ss.h"
97
98 /* SECMARK reference count */
99 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
100
101 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
102 int selinux_enforcing;
103
104 static int __init enforcing_setup(char *str)
105 {
106 unsigned long enforcing;
107 if (!kstrtoul(str, 0, &enforcing))
108 selinux_enforcing = enforcing ? 1 : 0;
109 return 1;
110 }
111 __setup("enforcing=", enforcing_setup);
112 #endif
113
114 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
115 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
116
117 static int __init selinux_enabled_setup(char *str)
118 {
119 unsigned long enabled;
120 if (!kstrtoul(str, 0, &enabled))
121 selinux_enabled = enabled ? 1 : 0;
122 return 1;
123 }
124 __setup("selinux=", selinux_enabled_setup);
125 #else
126 int selinux_enabled = 1;
127 #endif
128
129 static struct kmem_cache *sel_inode_cache;
130 static struct kmem_cache *file_security_cache;
131
132 /**
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
134 *
135 * Description:
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
139 * enabled, false (0) if SECMARK is disabled. If the always_check_network
140 * policy capability is enabled, SECMARK is always considered enabled.
141 *
142 */
143 static int selinux_secmark_enabled(void)
144 {
145 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
146 }
147
148 /**
149 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
150 *
151 * Description:
152 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
153 * (1) if any are enabled or false (0) if neither are enabled. If the
154 * always_check_network policy capability is enabled, peer labeling
155 * is always considered enabled.
156 *
157 */
158 static int selinux_peerlbl_enabled(void)
159 {
160 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
161 }
162
163 static int selinux_netcache_avc_callback(u32 event)
164 {
165 if (event == AVC_CALLBACK_RESET) {
166 sel_netif_flush();
167 sel_netnode_flush();
168 sel_netport_flush();
169 synchronize_net();
170 }
171 return 0;
172 }
173
174 /*
175 * initialise the security for the init task
176 */
177 static void cred_init_security(void)
178 {
179 struct cred *cred = (struct cred *) current->real_cred;
180 struct task_security_struct *tsec;
181
182 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
183 if (!tsec)
184 panic("SELinux: Failed to initialize initial task.\n");
185
186 tsec->osid = tsec->sid = SECINITSID_KERNEL;
187 cred->security = tsec;
188 }
189
190 /*
191 * get the security ID of a set of credentials
192 */
193 static inline u32 cred_sid(const struct cred *cred)
194 {
195 const struct task_security_struct *tsec;
196
197 tsec = cred->security;
198 return tsec->sid;
199 }
200
201 /*
202 * get the objective security ID of a task
203 */
204 static inline u32 task_sid(const struct task_struct *task)
205 {
206 u32 sid;
207
208 rcu_read_lock();
209 sid = cred_sid(__task_cred(task));
210 rcu_read_unlock();
211 return sid;
212 }
213
214 /* Allocate and free functions for each kind of security blob. */
215
216 static int inode_alloc_security(struct inode *inode)
217 {
218 struct inode_security_struct *isec;
219 u32 sid = current_sid();
220
221 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
222 if (!isec)
223 return -ENOMEM;
224
225 spin_lock_init(&isec->lock);
226 INIT_LIST_HEAD(&isec->list);
227 isec->inode = inode;
228 isec->sid = SECINITSID_UNLABELED;
229 isec->sclass = SECCLASS_FILE;
230 isec->task_sid = sid;
231 isec->initialized = LABEL_INVALID;
232 inode->i_security = isec;
233
234 return 0;
235 }
236
237 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
238
239 /*
240 * Try reloading inode security labels that have been marked as invalid. The
241 * @may_sleep parameter indicates when sleeping and thus reloading labels is
242 * allowed; when set to false, returns -ECHILD when the label is
243 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
244 * when no dentry is available, set it to NULL instead.
245 */
246 static int __inode_security_revalidate(struct inode *inode,
247 struct dentry *opt_dentry,
248 bool may_sleep)
249 {
250 struct inode_security_struct *isec = inode->i_security;
251
252 might_sleep_if(may_sleep);
253
254 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
255 if (!may_sleep)
256 return -ECHILD;
257
258 /*
259 * Try reloading the inode security label. This will fail if
260 * @opt_dentry is NULL and no dentry for this inode can be
261 * found; in that case, continue using the old label.
262 */
263 inode_doinit_with_dentry(inode, opt_dentry);
264 }
265 return 0;
266 }
267
268 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
269 {
270 return inode->i_security;
271 }
272
273 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
274 {
275 int error;
276
277 error = __inode_security_revalidate(inode, NULL, !rcu);
278 if (error)
279 return ERR_PTR(error);
280 return inode->i_security;
281 }
282
283 /*
284 * Get the security label of an inode.
285 */
286 static struct inode_security_struct *inode_security(struct inode *inode)
287 {
288 __inode_security_revalidate(inode, NULL, true);
289 return inode->i_security;
290 }
291
292 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
293 {
294 struct inode *inode = d_backing_inode(dentry);
295
296 return inode->i_security;
297 }
298
299 /*
300 * Get the security label of a dentry's backing inode.
301 */
302 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
303 {
304 struct inode *inode = d_backing_inode(dentry);
305
306 __inode_security_revalidate(inode, dentry, true);
307 return inode->i_security;
308 }
309
310 static void inode_free_rcu(struct rcu_head *head)
311 {
312 struct inode_security_struct *isec;
313
314 isec = container_of(head, struct inode_security_struct, rcu);
315 kmem_cache_free(sel_inode_cache, isec);
316 }
317
318 static void inode_free_security(struct inode *inode)
319 {
320 struct inode_security_struct *isec = inode->i_security;
321 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
322
323 /*
324 * As not all inode security structures are in a list, we check for
325 * empty list outside of the lock to make sure that we won't waste
326 * time taking a lock doing nothing.
327 *
328 * The list_del_init() function can be safely called more than once.
329 * It should not be possible for this function to be called with
330 * concurrent list_add(), but for better safety against future changes
331 * in the code, we use list_empty_careful() here.
332 */
333 if (!list_empty_careful(&isec->list)) {
334 spin_lock(&sbsec->isec_lock);
335 list_del_init(&isec->list);
336 spin_unlock(&sbsec->isec_lock);
337 }
338
339 /*
340 * The inode may still be referenced in a path walk and
341 * a call to selinux_inode_permission() can be made
342 * after inode_free_security() is called. Ideally, the VFS
343 * wouldn't do this, but fixing that is a much harder
344 * job. For now, simply free the i_security via RCU, and
345 * leave the current inode->i_security pointer intact.
346 * The inode will be freed after the RCU grace period too.
347 */
348 call_rcu(&isec->rcu, inode_free_rcu);
349 }
350
351 static int file_alloc_security(struct file *file)
352 {
353 struct file_security_struct *fsec;
354 u32 sid = current_sid();
355
356 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
357 if (!fsec)
358 return -ENOMEM;
359
360 fsec->sid = sid;
361 fsec->fown_sid = sid;
362 file->f_security = fsec;
363
364 return 0;
365 }
366
367 static void file_free_security(struct file *file)
368 {
369 struct file_security_struct *fsec = file->f_security;
370 file->f_security = NULL;
371 kmem_cache_free(file_security_cache, fsec);
372 }
373
374 static int superblock_alloc_security(struct super_block *sb)
375 {
376 struct superblock_security_struct *sbsec;
377
378 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
379 if (!sbsec)
380 return -ENOMEM;
381
382 mutex_init(&sbsec->lock);
383 INIT_LIST_HEAD(&sbsec->isec_head);
384 spin_lock_init(&sbsec->isec_lock);
385 sbsec->sb = sb;
386 sbsec->sid = SECINITSID_UNLABELED;
387 sbsec->def_sid = SECINITSID_FILE;
388 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
389 sb->s_security = sbsec;
390
391 return 0;
392 }
393
394 static void superblock_free_security(struct super_block *sb)
395 {
396 struct superblock_security_struct *sbsec = sb->s_security;
397 sb->s_security = NULL;
398 kfree(sbsec);
399 }
400
401 static inline int inode_doinit(struct inode *inode)
402 {
403 return inode_doinit_with_dentry(inode, NULL);
404 }
405
406 enum {
407 Opt_error = -1,
408 Opt_context = 1,
409 Opt_fscontext = 2,
410 Opt_defcontext = 3,
411 Opt_rootcontext = 4,
412 Opt_labelsupport = 5,
413 Opt_nextmntopt = 6,
414 };
415
416 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
417
418 static const match_table_t tokens = {
419 {Opt_context, CONTEXT_STR "%s"},
420 {Opt_fscontext, FSCONTEXT_STR "%s"},
421 {Opt_defcontext, DEFCONTEXT_STR "%s"},
422 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
423 {Opt_labelsupport, LABELSUPP_STR},
424 {Opt_error, NULL},
425 };
426
427 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
428
429 static int may_context_mount_sb_relabel(u32 sid,
430 struct superblock_security_struct *sbsec,
431 const struct cred *cred)
432 {
433 const struct task_security_struct *tsec = cred->security;
434 int rc;
435
436 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
437 FILESYSTEM__RELABELFROM, NULL);
438 if (rc)
439 return rc;
440
441 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
442 FILESYSTEM__RELABELTO, NULL);
443 return rc;
444 }
445
446 static int may_context_mount_inode_relabel(u32 sid,
447 struct superblock_security_struct *sbsec,
448 const struct cred *cred)
449 {
450 const struct task_security_struct *tsec = cred->security;
451 int rc;
452 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
453 FILESYSTEM__RELABELFROM, NULL);
454 if (rc)
455 return rc;
456
457 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
458 FILESYSTEM__ASSOCIATE, NULL);
459 return rc;
460 }
461
462 static int selinux_is_sblabel_mnt(struct super_block *sb)
463 {
464 struct superblock_security_struct *sbsec = sb->s_security;
465
466 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
467 sbsec->behavior == SECURITY_FS_USE_TRANS ||
468 sbsec->behavior == SECURITY_FS_USE_TASK ||
469 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
470 /* Special handling. Genfs but also in-core setxattr handler */
471 !strcmp(sb->s_type->name, "sysfs") ||
472 !strcmp(sb->s_type->name, "pstore") ||
473 !strcmp(sb->s_type->name, "debugfs") ||
474 !strcmp(sb->s_type->name, "tracefs") ||
475 !strcmp(sb->s_type->name, "rootfs") ||
476 (selinux_policycap_cgroupseclabel &&
477 (!strcmp(sb->s_type->name, "cgroup") ||
478 !strcmp(sb->s_type->name, "cgroup2")));
479 }
480
481 static int sb_finish_set_opts(struct super_block *sb)
482 {
483 struct superblock_security_struct *sbsec = sb->s_security;
484 struct dentry *root = sb->s_root;
485 struct inode *root_inode = d_backing_inode(root);
486 int rc = 0;
487
488 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
489 /* Make sure that the xattr handler exists and that no
490 error other than -ENODATA is returned by getxattr on
491 the root directory. -ENODATA is ok, as this may be
492 the first boot of the SELinux kernel before we have
493 assigned xattr values to the filesystem. */
494 if (!(root_inode->i_opflags & IOP_XATTR)) {
495 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
496 "xattr support\n", sb->s_id, sb->s_type->name);
497 rc = -EOPNOTSUPP;
498 goto out;
499 }
500
501 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
502 if (rc < 0 && rc != -ENODATA) {
503 if (rc == -EOPNOTSUPP)
504 printk(KERN_WARNING "SELinux: (dev %s, type "
505 "%s) has no security xattr handler\n",
506 sb->s_id, sb->s_type->name);
507 else
508 printk(KERN_WARNING "SELinux: (dev %s, type "
509 "%s) getxattr errno %d\n", sb->s_id,
510 sb->s_type->name, -rc);
511 goto out;
512 }
513 }
514
515 sbsec->flags |= SE_SBINITIALIZED;
516 if (selinux_is_sblabel_mnt(sb))
517 sbsec->flags |= SBLABEL_MNT;
518
519 /* Initialize the root inode. */
520 rc = inode_doinit_with_dentry(root_inode, root);
521
522 /* Initialize any other inodes associated with the superblock, e.g.
523 inodes created prior to initial policy load or inodes created
524 during get_sb by a pseudo filesystem that directly
525 populates itself. */
526 spin_lock(&sbsec->isec_lock);
527 next_inode:
528 if (!list_empty(&sbsec->isec_head)) {
529 struct inode_security_struct *isec =
530 list_entry(sbsec->isec_head.next,
531 struct inode_security_struct, list);
532 struct inode *inode = isec->inode;
533 list_del_init(&isec->list);
534 spin_unlock(&sbsec->isec_lock);
535 inode = igrab(inode);
536 if (inode) {
537 if (!IS_PRIVATE(inode))
538 inode_doinit(inode);
539 iput(inode);
540 }
541 spin_lock(&sbsec->isec_lock);
542 goto next_inode;
543 }
544 spin_unlock(&sbsec->isec_lock);
545 out:
546 return rc;
547 }
548
549 /*
550 * This function should allow an FS to ask what it's mount security
551 * options were so it can use those later for submounts, displaying
552 * mount options, or whatever.
553 */
554 static int selinux_get_mnt_opts(const struct super_block *sb,
555 struct security_mnt_opts *opts)
556 {
557 int rc = 0, i;
558 struct superblock_security_struct *sbsec = sb->s_security;
559 char *context = NULL;
560 u32 len;
561 char tmp;
562
563 security_init_mnt_opts(opts);
564
565 if (!(sbsec->flags & SE_SBINITIALIZED))
566 return -EINVAL;
567
568 if (!ss_initialized)
569 return -EINVAL;
570
571 /* make sure we always check enough bits to cover the mask */
572 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
573
574 tmp = sbsec->flags & SE_MNTMASK;
575 /* count the number of mount options for this sb */
576 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
577 if (tmp & 0x01)
578 opts->num_mnt_opts++;
579 tmp >>= 1;
580 }
581 /* Check if the Label support flag is set */
582 if (sbsec->flags & SBLABEL_MNT)
583 opts->num_mnt_opts++;
584
585 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
586 if (!opts->mnt_opts) {
587 rc = -ENOMEM;
588 goto out_free;
589 }
590
591 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
592 if (!opts->mnt_opts_flags) {
593 rc = -ENOMEM;
594 goto out_free;
595 }
596
597 i = 0;
598 if (sbsec->flags & FSCONTEXT_MNT) {
599 rc = security_sid_to_context(sbsec->sid, &context, &len);
600 if (rc)
601 goto out_free;
602 opts->mnt_opts[i] = context;
603 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
604 }
605 if (sbsec->flags & CONTEXT_MNT) {
606 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
607 if (rc)
608 goto out_free;
609 opts->mnt_opts[i] = context;
610 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
611 }
612 if (sbsec->flags & DEFCONTEXT_MNT) {
613 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
614 if (rc)
615 goto out_free;
616 opts->mnt_opts[i] = context;
617 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
618 }
619 if (sbsec->flags & ROOTCONTEXT_MNT) {
620 struct dentry *root = sbsec->sb->s_root;
621 struct inode_security_struct *isec = backing_inode_security(root);
622
623 rc = security_sid_to_context(isec->sid, &context, &len);
624 if (rc)
625 goto out_free;
626 opts->mnt_opts[i] = context;
627 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
628 }
629 if (sbsec->flags & SBLABEL_MNT) {
630 opts->mnt_opts[i] = NULL;
631 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
632 }
633
634 BUG_ON(i != opts->num_mnt_opts);
635
636 return 0;
637
638 out_free:
639 security_free_mnt_opts(opts);
640 return rc;
641 }
642
643 static int bad_option(struct superblock_security_struct *sbsec, char flag,
644 u32 old_sid, u32 new_sid)
645 {
646 char mnt_flags = sbsec->flags & SE_MNTMASK;
647
648 /* check if the old mount command had the same options */
649 if (sbsec->flags & SE_SBINITIALIZED)
650 if (!(sbsec->flags & flag) ||
651 (old_sid != new_sid))
652 return 1;
653
654 /* check if we were passed the same options twice,
655 * aka someone passed context=a,context=b
656 */
657 if (!(sbsec->flags & SE_SBINITIALIZED))
658 if (mnt_flags & flag)
659 return 1;
660 return 0;
661 }
662
663 /*
664 * Allow filesystems with binary mount data to explicitly set mount point
665 * labeling information.
666 */
667 static int selinux_set_mnt_opts(struct super_block *sb,
668 struct security_mnt_opts *opts,
669 unsigned long kern_flags,
670 unsigned long *set_kern_flags)
671 {
672 const struct cred *cred = current_cred();
673 int rc = 0, i;
674 struct superblock_security_struct *sbsec = sb->s_security;
675 const char *name = sb->s_type->name;
676 struct dentry *root = sbsec->sb->s_root;
677 struct inode_security_struct *root_isec;
678 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
679 u32 defcontext_sid = 0;
680 char **mount_options = opts->mnt_opts;
681 int *flags = opts->mnt_opts_flags;
682 int num_opts = opts->num_mnt_opts;
683
684 mutex_lock(&sbsec->lock);
685
686 if (!ss_initialized) {
687 if (!num_opts) {
688 /* Defer initialization until selinux_complete_init,
689 after the initial policy is loaded and the security
690 server is ready to handle calls. */
691 goto out;
692 }
693 rc = -EINVAL;
694 printk(KERN_WARNING "SELinux: Unable to set superblock options "
695 "before the security server is initialized\n");
696 goto out;
697 }
698 if (kern_flags && !set_kern_flags) {
699 /* Specifying internal flags without providing a place to
700 * place the results is not allowed */
701 rc = -EINVAL;
702 goto out;
703 }
704
705 /*
706 * Binary mount data FS will come through this function twice. Once
707 * from an explicit call and once from the generic calls from the vfs.
708 * Since the generic VFS calls will not contain any security mount data
709 * we need to skip the double mount verification.
710 *
711 * This does open a hole in which we will not notice if the first
712 * mount using this sb set explict options and a second mount using
713 * this sb does not set any security options. (The first options
714 * will be used for both mounts)
715 */
716 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
717 && (num_opts == 0))
718 goto out;
719
720 root_isec = backing_inode_security_novalidate(root);
721
722 /*
723 * parse the mount options, check if they are valid sids.
724 * also check if someone is trying to mount the same sb more
725 * than once with different security options.
726 */
727 for (i = 0; i < num_opts; i++) {
728 u32 sid;
729
730 if (flags[i] == SBLABEL_MNT)
731 continue;
732 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
733 if (rc) {
734 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
735 "(%s) failed for (dev %s, type %s) errno=%d\n",
736 mount_options[i], sb->s_id, name, rc);
737 goto out;
738 }
739 switch (flags[i]) {
740 case FSCONTEXT_MNT:
741 fscontext_sid = sid;
742
743 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
744 fscontext_sid))
745 goto out_double_mount;
746
747 sbsec->flags |= FSCONTEXT_MNT;
748 break;
749 case CONTEXT_MNT:
750 context_sid = sid;
751
752 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
753 context_sid))
754 goto out_double_mount;
755
756 sbsec->flags |= CONTEXT_MNT;
757 break;
758 case ROOTCONTEXT_MNT:
759 rootcontext_sid = sid;
760
761 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
762 rootcontext_sid))
763 goto out_double_mount;
764
765 sbsec->flags |= ROOTCONTEXT_MNT;
766
767 break;
768 case DEFCONTEXT_MNT:
769 defcontext_sid = sid;
770
771 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
772 defcontext_sid))
773 goto out_double_mount;
774
775 sbsec->flags |= DEFCONTEXT_MNT;
776
777 break;
778 default:
779 rc = -EINVAL;
780 goto out;
781 }
782 }
783
784 if (sbsec->flags & SE_SBINITIALIZED) {
785 /* previously mounted with options, but not on this attempt? */
786 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
787 goto out_double_mount;
788 rc = 0;
789 goto out;
790 }
791
792 if (strcmp(sb->s_type->name, "proc") == 0)
793 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
794
795 if (!strcmp(sb->s_type->name, "debugfs") ||
796 !strcmp(sb->s_type->name, "sysfs") ||
797 !strcmp(sb->s_type->name, "pstore"))
798 sbsec->flags |= SE_SBGENFS;
799
800 if (!sbsec->behavior) {
801 /*
802 * Determine the labeling behavior to use for this
803 * filesystem type.
804 */
805 rc = security_fs_use(sb);
806 if (rc) {
807 printk(KERN_WARNING
808 "%s: security_fs_use(%s) returned %d\n",
809 __func__, sb->s_type->name, rc);
810 goto out;
811 }
812 }
813
814 /*
815 * If this is a user namespace mount and the filesystem type is not
816 * explicitly whitelisted, then no contexts are allowed on the command
817 * line and security labels must be ignored.
818 */
819 if (sb->s_user_ns != &init_user_ns &&
820 strcmp(sb->s_type->name, "tmpfs") &&
821 strcmp(sb->s_type->name, "ramfs") &&
822 strcmp(sb->s_type->name, "devpts")) {
823 if (context_sid || fscontext_sid || rootcontext_sid ||
824 defcontext_sid) {
825 rc = -EACCES;
826 goto out;
827 }
828 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
829 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
830 rc = security_transition_sid(current_sid(), current_sid(),
831 SECCLASS_FILE, NULL,
832 &sbsec->mntpoint_sid);
833 if (rc)
834 goto out;
835 }
836 goto out_set_opts;
837 }
838
839 /* sets the context of the superblock for the fs being mounted. */
840 if (fscontext_sid) {
841 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
842 if (rc)
843 goto out;
844
845 sbsec->sid = fscontext_sid;
846 }
847
848 /*
849 * Switch to using mount point labeling behavior.
850 * sets the label used on all file below the mountpoint, and will set
851 * the superblock context if not already set.
852 */
853 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
854 sbsec->behavior = SECURITY_FS_USE_NATIVE;
855 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
856 }
857
858 if (context_sid) {
859 if (!fscontext_sid) {
860 rc = may_context_mount_sb_relabel(context_sid, sbsec,
861 cred);
862 if (rc)
863 goto out;
864 sbsec->sid = context_sid;
865 } else {
866 rc = may_context_mount_inode_relabel(context_sid, sbsec,
867 cred);
868 if (rc)
869 goto out;
870 }
871 if (!rootcontext_sid)
872 rootcontext_sid = context_sid;
873
874 sbsec->mntpoint_sid = context_sid;
875 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
876 }
877
878 if (rootcontext_sid) {
879 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
880 cred);
881 if (rc)
882 goto out;
883
884 root_isec->sid = rootcontext_sid;
885 root_isec->initialized = LABEL_INITIALIZED;
886 }
887
888 if (defcontext_sid) {
889 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
890 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
891 rc = -EINVAL;
892 printk(KERN_WARNING "SELinux: defcontext option is "
893 "invalid for this filesystem type\n");
894 goto out;
895 }
896
897 if (defcontext_sid != sbsec->def_sid) {
898 rc = may_context_mount_inode_relabel(defcontext_sid,
899 sbsec, cred);
900 if (rc)
901 goto out;
902 }
903
904 sbsec->def_sid = defcontext_sid;
905 }
906
907 out_set_opts:
908 rc = sb_finish_set_opts(sb);
909 out:
910 mutex_unlock(&sbsec->lock);
911 return rc;
912 out_double_mount:
913 rc = -EINVAL;
914 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
915 "security settings for (dev %s, type %s)\n", sb->s_id, name);
916 goto out;
917 }
918
919 static int selinux_cmp_sb_context(const struct super_block *oldsb,
920 const struct super_block *newsb)
921 {
922 struct superblock_security_struct *old = oldsb->s_security;
923 struct superblock_security_struct *new = newsb->s_security;
924 char oldflags = old->flags & SE_MNTMASK;
925 char newflags = new->flags & SE_MNTMASK;
926
927 if (oldflags != newflags)
928 goto mismatch;
929 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
930 goto mismatch;
931 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
932 goto mismatch;
933 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
934 goto mismatch;
935 if (oldflags & ROOTCONTEXT_MNT) {
936 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
937 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
938 if (oldroot->sid != newroot->sid)
939 goto mismatch;
940 }
941 return 0;
942 mismatch:
943 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
944 "different security settings for (dev %s, "
945 "type %s)\n", newsb->s_id, newsb->s_type->name);
946 return -EBUSY;
947 }
948
949 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
950 struct super_block *newsb)
951 {
952 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
953 struct superblock_security_struct *newsbsec = newsb->s_security;
954
955 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
956 int set_context = (oldsbsec->flags & CONTEXT_MNT);
957 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
958
959 /*
960 * if the parent was able to be mounted it clearly had no special lsm
961 * mount options. thus we can safely deal with this superblock later
962 */
963 if (!ss_initialized)
964 return 0;
965
966 /* how can we clone if the old one wasn't set up?? */
967 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
968
969 /* if fs is reusing a sb, make sure that the contexts match */
970 if (newsbsec->flags & SE_SBINITIALIZED)
971 return selinux_cmp_sb_context(oldsb, newsb);
972
973 mutex_lock(&newsbsec->lock);
974
975 newsbsec->flags = oldsbsec->flags;
976
977 newsbsec->sid = oldsbsec->sid;
978 newsbsec->def_sid = oldsbsec->def_sid;
979 newsbsec->behavior = oldsbsec->behavior;
980
981 if (set_context) {
982 u32 sid = oldsbsec->mntpoint_sid;
983
984 if (!set_fscontext)
985 newsbsec->sid = sid;
986 if (!set_rootcontext) {
987 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
988 newisec->sid = sid;
989 }
990 newsbsec->mntpoint_sid = sid;
991 }
992 if (set_rootcontext) {
993 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
994 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
995
996 newisec->sid = oldisec->sid;
997 }
998
999 sb_finish_set_opts(newsb);
1000 mutex_unlock(&newsbsec->lock);
1001 return 0;
1002 }
1003
1004 static int selinux_parse_opts_str(char *options,
1005 struct security_mnt_opts *opts)
1006 {
1007 char *p;
1008 char *context = NULL, *defcontext = NULL;
1009 char *fscontext = NULL, *rootcontext = NULL;
1010 int rc, num_mnt_opts = 0;
1011
1012 opts->num_mnt_opts = 0;
1013
1014 /* Standard string-based options. */
1015 while ((p = strsep(&options, "|")) != NULL) {
1016 int token;
1017 substring_t args[MAX_OPT_ARGS];
1018
1019 if (!*p)
1020 continue;
1021
1022 token = match_token(p, tokens, args);
1023
1024 switch (token) {
1025 case Opt_context:
1026 if (context || defcontext) {
1027 rc = -EINVAL;
1028 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1029 goto out_err;
1030 }
1031 context = match_strdup(&args[0]);
1032 if (!context) {
1033 rc = -ENOMEM;
1034 goto out_err;
1035 }
1036 break;
1037
1038 case Opt_fscontext:
1039 if (fscontext) {
1040 rc = -EINVAL;
1041 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1042 goto out_err;
1043 }
1044 fscontext = match_strdup(&args[0]);
1045 if (!fscontext) {
1046 rc = -ENOMEM;
1047 goto out_err;
1048 }
1049 break;
1050
1051 case Opt_rootcontext:
1052 if (rootcontext) {
1053 rc = -EINVAL;
1054 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1055 goto out_err;
1056 }
1057 rootcontext = match_strdup(&args[0]);
1058 if (!rootcontext) {
1059 rc = -ENOMEM;
1060 goto out_err;
1061 }
1062 break;
1063
1064 case Opt_defcontext:
1065 if (context || defcontext) {
1066 rc = -EINVAL;
1067 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1068 goto out_err;
1069 }
1070 defcontext = match_strdup(&args[0]);
1071 if (!defcontext) {
1072 rc = -ENOMEM;
1073 goto out_err;
1074 }
1075 break;
1076 case Opt_labelsupport:
1077 break;
1078 default:
1079 rc = -EINVAL;
1080 printk(KERN_WARNING "SELinux: unknown mount option\n");
1081 goto out_err;
1082
1083 }
1084 }
1085
1086 rc = -ENOMEM;
1087 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1088 if (!opts->mnt_opts)
1089 goto out_err;
1090
1091 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1092 GFP_KERNEL);
1093 if (!opts->mnt_opts_flags) {
1094 kfree(opts->mnt_opts);
1095 goto out_err;
1096 }
1097
1098 if (fscontext) {
1099 opts->mnt_opts[num_mnt_opts] = fscontext;
1100 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1101 }
1102 if (context) {
1103 opts->mnt_opts[num_mnt_opts] = context;
1104 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1105 }
1106 if (rootcontext) {
1107 opts->mnt_opts[num_mnt_opts] = rootcontext;
1108 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1109 }
1110 if (defcontext) {
1111 opts->mnt_opts[num_mnt_opts] = defcontext;
1112 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1113 }
1114
1115 opts->num_mnt_opts = num_mnt_opts;
1116 return 0;
1117
1118 out_err:
1119 kfree(context);
1120 kfree(defcontext);
1121 kfree(fscontext);
1122 kfree(rootcontext);
1123 return rc;
1124 }
1125 /*
1126 * string mount options parsing and call set the sbsec
1127 */
1128 static int superblock_doinit(struct super_block *sb, void *data)
1129 {
1130 int rc = 0;
1131 char *options = data;
1132 struct security_mnt_opts opts;
1133
1134 security_init_mnt_opts(&opts);
1135
1136 if (!data)
1137 goto out;
1138
1139 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1140
1141 rc = selinux_parse_opts_str(options, &opts);
1142 if (rc)
1143 goto out_err;
1144
1145 out:
1146 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1147
1148 out_err:
1149 security_free_mnt_opts(&opts);
1150 return rc;
1151 }
1152
1153 static void selinux_write_opts(struct seq_file *m,
1154 struct security_mnt_opts *opts)
1155 {
1156 int i;
1157 char *prefix;
1158
1159 for (i = 0; i < opts->num_mnt_opts; i++) {
1160 char *has_comma;
1161
1162 if (opts->mnt_opts[i])
1163 has_comma = strchr(opts->mnt_opts[i], ',');
1164 else
1165 has_comma = NULL;
1166
1167 switch (opts->mnt_opts_flags[i]) {
1168 case CONTEXT_MNT:
1169 prefix = CONTEXT_STR;
1170 break;
1171 case FSCONTEXT_MNT:
1172 prefix = FSCONTEXT_STR;
1173 break;
1174 case ROOTCONTEXT_MNT:
1175 prefix = ROOTCONTEXT_STR;
1176 break;
1177 case DEFCONTEXT_MNT:
1178 prefix = DEFCONTEXT_STR;
1179 break;
1180 case SBLABEL_MNT:
1181 seq_putc(m, ',');
1182 seq_puts(m, LABELSUPP_STR);
1183 continue;
1184 default:
1185 BUG();
1186 return;
1187 };
1188 /* we need a comma before each option */
1189 seq_putc(m, ',');
1190 seq_puts(m, prefix);
1191 if (has_comma)
1192 seq_putc(m, '\"');
1193 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1194 if (has_comma)
1195 seq_putc(m, '\"');
1196 }
1197 }
1198
1199 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1200 {
1201 struct security_mnt_opts opts;
1202 int rc;
1203
1204 rc = selinux_get_mnt_opts(sb, &opts);
1205 if (rc) {
1206 /* before policy load we may get EINVAL, don't show anything */
1207 if (rc == -EINVAL)
1208 rc = 0;
1209 return rc;
1210 }
1211
1212 selinux_write_opts(m, &opts);
1213
1214 security_free_mnt_opts(&opts);
1215
1216 return rc;
1217 }
1218
1219 static inline u16 inode_mode_to_security_class(umode_t mode)
1220 {
1221 switch (mode & S_IFMT) {
1222 case S_IFSOCK:
1223 return SECCLASS_SOCK_FILE;
1224 case S_IFLNK:
1225 return SECCLASS_LNK_FILE;
1226 case S_IFREG:
1227 return SECCLASS_FILE;
1228 case S_IFBLK:
1229 return SECCLASS_BLK_FILE;
1230 case S_IFDIR:
1231 return SECCLASS_DIR;
1232 case S_IFCHR:
1233 return SECCLASS_CHR_FILE;
1234 case S_IFIFO:
1235 return SECCLASS_FIFO_FILE;
1236
1237 }
1238
1239 return SECCLASS_FILE;
1240 }
1241
1242 static inline int default_protocol_stream(int protocol)
1243 {
1244 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1245 }
1246
1247 static inline int default_protocol_dgram(int protocol)
1248 {
1249 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1250 }
1251
1252 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1253 {
1254 int extsockclass = selinux_policycap_extsockclass;
1255
1256 switch (family) {
1257 case PF_UNIX:
1258 switch (type) {
1259 case SOCK_STREAM:
1260 case SOCK_SEQPACKET:
1261 return SECCLASS_UNIX_STREAM_SOCKET;
1262 case SOCK_DGRAM:
1263 return SECCLASS_UNIX_DGRAM_SOCKET;
1264 }
1265 break;
1266 case PF_INET:
1267 case PF_INET6:
1268 switch (type) {
1269 case SOCK_STREAM:
1270 case SOCK_SEQPACKET:
1271 if (default_protocol_stream(protocol))
1272 return SECCLASS_TCP_SOCKET;
1273 else if (extsockclass && protocol == IPPROTO_SCTP)
1274 return SECCLASS_SCTP_SOCKET;
1275 else
1276 return SECCLASS_RAWIP_SOCKET;
1277 case SOCK_DGRAM:
1278 if (default_protocol_dgram(protocol))
1279 return SECCLASS_UDP_SOCKET;
1280 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1281 protocol == IPPROTO_ICMPV6))
1282 return SECCLASS_ICMP_SOCKET;
1283 else
1284 return SECCLASS_RAWIP_SOCKET;
1285 case SOCK_DCCP:
1286 return SECCLASS_DCCP_SOCKET;
1287 default:
1288 return SECCLASS_RAWIP_SOCKET;
1289 }
1290 break;
1291 case PF_NETLINK:
1292 switch (protocol) {
1293 case NETLINK_ROUTE:
1294 return SECCLASS_NETLINK_ROUTE_SOCKET;
1295 case NETLINK_SOCK_DIAG:
1296 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1297 case NETLINK_NFLOG:
1298 return SECCLASS_NETLINK_NFLOG_SOCKET;
1299 case NETLINK_XFRM:
1300 return SECCLASS_NETLINK_XFRM_SOCKET;
1301 case NETLINK_SELINUX:
1302 return SECCLASS_NETLINK_SELINUX_SOCKET;
1303 case NETLINK_ISCSI:
1304 return SECCLASS_NETLINK_ISCSI_SOCKET;
1305 case NETLINK_AUDIT:
1306 return SECCLASS_NETLINK_AUDIT_SOCKET;
1307 case NETLINK_FIB_LOOKUP:
1308 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1309 case NETLINK_CONNECTOR:
1310 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1311 case NETLINK_NETFILTER:
1312 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1313 case NETLINK_DNRTMSG:
1314 return SECCLASS_NETLINK_DNRT_SOCKET;
1315 case NETLINK_KOBJECT_UEVENT:
1316 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1317 case NETLINK_GENERIC:
1318 return SECCLASS_NETLINK_GENERIC_SOCKET;
1319 case NETLINK_SCSITRANSPORT:
1320 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1321 case NETLINK_RDMA:
1322 return SECCLASS_NETLINK_RDMA_SOCKET;
1323 case NETLINK_CRYPTO:
1324 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1325 default:
1326 return SECCLASS_NETLINK_SOCKET;
1327 }
1328 case PF_PACKET:
1329 return SECCLASS_PACKET_SOCKET;
1330 case PF_KEY:
1331 return SECCLASS_KEY_SOCKET;
1332 case PF_APPLETALK:
1333 return SECCLASS_APPLETALK_SOCKET;
1334 }
1335
1336 if (extsockclass) {
1337 switch (family) {
1338 case PF_AX25:
1339 return SECCLASS_AX25_SOCKET;
1340 case PF_IPX:
1341 return SECCLASS_IPX_SOCKET;
1342 case PF_NETROM:
1343 return SECCLASS_NETROM_SOCKET;
1344 case PF_ATMPVC:
1345 return SECCLASS_ATMPVC_SOCKET;
1346 case PF_X25:
1347 return SECCLASS_X25_SOCKET;
1348 case PF_ROSE:
1349 return SECCLASS_ROSE_SOCKET;
1350 case PF_DECnet:
1351 return SECCLASS_DECNET_SOCKET;
1352 case PF_ATMSVC:
1353 return SECCLASS_ATMSVC_SOCKET;
1354 case PF_RDS:
1355 return SECCLASS_RDS_SOCKET;
1356 case PF_IRDA:
1357 return SECCLASS_IRDA_SOCKET;
1358 case PF_PPPOX:
1359 return SECCLASS_PPPOX_SOCKET;
1360 case PF_LLC:
1361 return SECCLASS_LLC_SOCKET;
1362 case PF_CAN:
1363 return SECCLASS_CAN_SOCKET;
1364 case PF_TIPC:
1365 return SECCLASS_TIPC_SOCKET;
1366 case PF_BLUETOOTH:
1367 return SECCLASS_BLUETOOTH_SOCKET;
1368 case PF_IUCV:
1369 return SECCLASS_IUCV_SOCKET;
1370 case PF_RXRPC:
1371 return SECCLASS_RXRPC_SOCKET;
1372 case PF_ISDN:
1373 return SECCLASS_ISDN_SOCKET;
1374 case PF_PHONET:
1375 return SECCLASS_PHONET_SOCKET;
1376 case PF_IEEE802154:
1377 return SECCLASS_IEEE802154_SOCKET;
1378 case PF_CAIF:
1379 return SECCLASS_CAIF_SOCKET;
1380 case PF_ALG:
1381 return SECCLASS_ALG_SOCKET;
1382 case PF_NFC:
1383 return SECCLASS_NFC_SOCKET;
1384 case PF_VSOCK:
1385 return SECCLASS_VSOCK_SOCKET;
1386 case PF_KCM:
1387 return SECCLASS_KCM_SOCKET;
1388 case PF_QIPCRTR:
1389 return SECCLASS_QIPCRTR_SOCKET;
1390 case PF_SMC:
1391 return SECCLASS_SMC_SOCKET;
1392 #if PF_MAX > 44
1393 #error New address family defined, please update this function.
1394 #endif
1395 }
1396 }
1397
1398 return SECCLASS_SOCKET;
1399 }
1400
1401 static int selinux_genfs_get_sid(struct dentry *dentry,
1402 u16 tclass,
1403 u16 flags,
1404 u32 *sid)
1405 {
1406 int rc;
1407 struct super_block *sb = dentry->d_sb;
1408 char *buffer, *path;
1409
1410 buffer = (char *)__get_free_page(GFP_KERNEL);
1411 if (!buffer)
1412 return -ENOMEM;
1413
1414 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1415 if (IS_ERR(path))
1416 rc = PTR_ERR(path);
1417 else {
1418 if (flags & SE_SBPROC) {
1419 /* each process gets a /proc/PID/ entry. Strip off the
1420 * PID part to get a valid selinux labeling.
1421 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1422 while (path[1] >= '0' && path[1] <= '9') {
1423 path[1] = '/';
1424 path++;
1425 }
1426 }
1427 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1428 }
1429 free_page((unsigned long)buffer);
1430 return rc;
1431 }
1432
1433 /* The inode's security attributes must be initialized before first use. */
1434 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1435 {
1436 struct superblock_security_struct *sbsec = NULL;
1437 struct inode_security_struct *isec = inode->i_security;
1438 u32 task_sid, sid = 0;
1439 u16 sclass;
1440 struct dentry *dentry;
1441 #define INITCONTEXTLEN 255
1442 char *context = NULL;
1443 unsigned len = 0;
1444 int rc = 0;
1445
1446 if (isec->initialized == LABEL_INITIALIZED)
1447 return 0;
1448
1449 spin_lock(&isec->lock);
1450 if (isec->initialized == LABEL_INITIALIZED)
1451 goto out_unlock;
1452
1453 if (isec->sclass == SECCLASS_FILE)
1454 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1455
1456 sbsec = inode->i_sb->s_security;
1457 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1458 /* Defer initialization until selinux_complete_init,
1459 after the initial policy is loaded and the security
1460 server is ready to handle calls. */
1461 spin_lock(&sbsec->isec_lock);
1462 if (list_empty(&isec->list))
1463 list_add(&isec->list, &sbsec->isec_head);
1464 spin_unlock(&sbsec->isec_lock);
1465 goto out_unlock;
1466 }
1467
1468 sclass = isec->sclass;
1469 task_sid = isec->task_sid;
1470 sid = isec->sid;
1471 isec->initialized = LABEL_PENDING;
1472 spin_unlock(&isec->lock);
1473
1474 switch (sbsec->behavior) {
1475 case SECURITY_FS_USE_NATIVE:
1476 break;
1477 case SECURITY_FS_USE_XATTR:
1478 if (!(inode->i_opflags & IOP_XATTR)) {
1479 sid = sbsec->def_sid;
1480 break;
1481 }
1482 /* Need a dentry, since the xattr API requires one.
1483 Life would be simpler if we could just pass the inode. */
1484 if (opt_dentry) {
1485 /* Called from d_instantiate or d_splice_alias. */
1486 dentry = dget(opt_dentry);
1487 } else {
1488 /* Called from selinux_complete_init, try to find a dentry. */
1489 dentry = d_find_alias(inode);
1490 }
1491 if (!dentry) {
1492 /*
1493 * this is can be hit on boot when a file is accessed
1494 * before the policy is loaded. When we load policy we
1495 * may find inodes that have no dentry on the
1496 * sbsec->isec_head list. No reason to complain as these
1497 * will get fixed up the next time we go through
1498 * inode_doinit with a dentry, before these inodes could
1499 * be used again by userspace.
1500 */
1501 goto out;
1502 }
1503
1504 len = INITCONTEXTLEN;
1505 context = kmalloc(len+1, GFP_NOFS);
1506 if (!context) {
1507 rc = -ENOMEM;
1508 dput(dentry);
1509 goto out;
1510 }
1511 context[len] = '\0';
1512 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1513 if (rc == -ERANGE) {
1514 kfree(context);
1515
1516 /* Need a larger buffer. Query for the right size. */
1517 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1518 if (rc < 0) {
1519 dput(dentry);
1520 goto out;
1521 }
1522 len = rc;
1523 context = kmalloc(len+1, GFP_NOFS);
1524 if (!context) {
1525 rc = -ENOMEM;
1526 dput(dentry);
1527 goto out;
1528 }
1529 context[len] = '\0';
1530 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1531 }
1532 dput(dentry);
1533 if (rc < 0) {
1534 if (rc != -ENODATA) {
1535 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1536 "%d for dev=%s ino=%ld\n", __func__,
1537 -rc, inode->i_sb->s_id, inode->i_ino);
1538 kfree(context);
1539 goto out;
1540 }
1541 /* Map ENODATA to the default file SID */
1542 sid = sbsec->def_sid;
1543 rc = 0;
1544 } else {
1545 rc = security_context_to_sid_default(context, rc, &sid,
1546 sbsec->def_sid,
1547 GFP_NOFS);
1548 if (rc) {
1549 char *dev = inode->i_sb->s_id;
1550 unsigned long ino = inode->i_ino;
1551
1552 if (rc == -EINVAL) {
1553 if (printk_ratelimit())
1554 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1555 "context=%s. This indicates you may need to relabel the inode or the "
1556 "filesystem in question.\n", ino, dev, context);
1557 } else {
1558 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1559 "returned %d for dev=%s ino=%ld\n",
1560 __func__, context, -rc, dev, ino);
1561 }
1562 kfree(context);
1563 /* Leave with the unlabeled SID */
1564 rc = 0;
1565 break;
1566 }
1567 }
1568 kfree(context);
1569 break;
1570 case SECURITY_FS_USE_TASK:
1571 sid = task_sid;
1572 break;
1573 case SECURITY_FS_USE_TRANS:
1574 /* Default to the fs SID. */
1575 sid = sbsec->sid;
1576
1577 /* Try to obtain a transition SID. */
1578 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1579 if (rc)
1580 goto out;
1581 break;
1582 case SECURITY_FS_USE_MNTPOINT:
1583 sid = sbsec->mntpoint_sid;
1584 break;
1585 default:
1586 /* Default to the fs superblock SID. */
1587 sid = sbsec->sid;
1588
1589 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1590 /* We must have a dentry to determine the label on
1591 * procfs inodes */
1592 if (opt_dentry)
1593 /* Called from d_instantiate or
1594 * d_splice_alias. */
1595 dentry = dget(opt_dentry);
1596 else
1597 /* Called from selinux_complete_init, try to
1598 * find a dentry. */
1599 dentry = d_find_alias(inode);
1600 /*
1601 * This can be hit on boot when a file is accessed
1602 * before the policy is loaded. When we load policy we
1603 * may find inodes that have no dentry on the
1604 * sbsec->isec_head list. No reason to complain as
1605 * these will get fixed up the next time we go through
1606 * inode_doinit() with a dentry, before these inodes
1607 * could be used again by userspace.
1608 */
1609 if (!dentry)
1610 goto out;
1611 rc = selinux_genfs_get_sid(dentry, sclass,
1612 sbsec->flags, &sid);
1613 dput(dentry);
1614 if (rc)
1615 goto out;
1616 }
1617 break;
1618 }
1619
1620 out:
1621 spin_lock(&isec->lock);
1622 if (isec->initialized == LABEL_PENDING) {
1623 if (!sid || rc) {
1624 isec->initialized = LABEL_INVALID;
1625 goto out_unlock;
1626 }
1627
1628 isec->initialized = LABEL_INITIALIZED;
1629 isec->sid = sid;
1630 }
1631
1632 out_unlock:
1633 spin_unlock(&isec->lock);
1634 return rc;
1635 }
1636
1637 /* Convert a Linux signal to an access vector. */
1638 static inline u32 signal_to_av(int sig)
1639 {
1640 u32 perm = 0;
1641
1642 switch (sig) {
1643 case SIGCHLD:
1644 /* Commonly granted from child to parent. */
1645 perm = PROCESS__SIGCHLD;
1646 break;
1647 case SIGKILL:
1648 /* Cannot be caught or ignored */
1649 perm = PROCESS__SIGKILL;
1650 break;
1651 case SIGSTOP:
1652 /* Cannot be caught or ignored */
1653 perm = PROCESS__SIGSTOP;
1654 break;
1655 default:
1656 /* All other signals. */
1657 perm = PROCESS__SIGNAL;
1658 break;
1659 }
1660
1661 return perm;
1662 }
1663
1664 #if CAP_LAST_CAP > 63
1665 #error Fix SELinux to handle capabilities > 63.
1666 #endif
1667
1668 /* Check whether a task is allowed to use a capability. */
1669 static int cred_has_capability(const struct cred *cred,
1670 int cap, int audit, bool initns)
1671 {
1672 struct common_audit_data ad;
1673 struct av_decision avd;
1674 u16 sclass;
1675 u32 sid = cred_sid(cred);
1676 u32 av = CAP_TO_MASK(cap);
1677 int rc;
1678
1679 ad.type = LSM_AUDIT_DATA_CAP;
1680 ad.u.cap = cap;
1681
1682 switch (CAP_TO_INDEX(cap)) {
1683 case 0:
1684 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1685 break;
1686 case 1:
1687 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1688 break;
1689 default:
1690 printk(KERN_ERR
1691 "SELinux: out of range capability %d\n", cap);
1692 BUG();
1693 return -EINVAL;
1694 }
1695
1696 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1697 if (audit == SECURITY_CAP_AUDIT) {
1698 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1699 if (rc2)
1700 return rc2;
1701 }
1702 return rc;
1703 }
1704
1705 /* Check whether a task has a particular permission to an inode.
1706 The 'adp' parameter is optional and allows other audit
1707 data to be passed (e.g. the dentry). */
1708 static int inode_has_perm(const struct cred *cred,
1709 struct inode *inode,
1710 u32 perms,
1711 struct common_audit_data *adp)
1712 {
1713 struct inode_security_struct *isec;
1714 u32 sid;
1715
1716 validate_creds(cred);
1717
1718 if (unlikely(IS_PRIVATE(inode)))
1719 return 0;
1720
1721 sid = cred_sid(cred);
1722 isec = inode->i_security;
1723
1724 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1725 }
1726
1727 /* Same as inode_has_perm, but pass explicit audit data containing
1728 the dentry to help the auditing code to more easily generate the
1729 pathname if needed. */
1730 static inline int dentry_has_perm(const struct cred *cred,
1731 struct dentry *dentry,
1732 u32 av)
1733 {
1734 struct inode *inode = d_backing_inode(dentry);
1735 struct common_audit_data ad;
1736
1737 ad.type = LSM_AUDIT_DATA_DENTRY;
1738 ad.u.dentry = dentry;
1739 __inode_security_revalidate(inode, dentry, true);
1740 return inode_has_perm(cred, inode, av, &ad);
1741 }
1742
1743 /* Same as inode_has_perm, but pass explicit audit data containing
1744 the path to help the auditing code to more easily generate the
1745 pathname if needed. */
1746 static inline int path_has_perm(const struct cred *cred,
1747 const struct path *path,
1748 u32 av)
1749 {
1750 struct inode *inode = d_backing_inode(path->dentry);
1751 struct common_audit_data ad;
1752
1753 ad.type = LSM_AUDIT_DATA_PATH;
1754 ad.u.path = *path;
1755 __inode_security_revalidate(inode, path->dentry, true);
1756 return inode_has_perm(cred, inode, av, &ad);
1757 }
1758
1759 /* Same as path_has_perm, but uses the inode from the file struct. */
1760 static inline int file_path_has_perm(const struct cred *cred,
1761 struct file *file,
1762 u32 av)
1763 {
1764 struct common_audit_data ad;
1765
1766 ad.type = LSM_AUDIT_DATA_FILE;
1767 ad.u.file = file;
1768 return inode_has_perm(cred, file_inode(file), av, &ad);
1769 }
1770
1771 /* Check whether a task can use an open file descriptor to
1772 access an inode in a given way. Check access to the
1773 descriptor itself, and then use dentry_has_perm to
1774 check a particular permission to the file.
1775 Access to the descriptor is implicitly granted if it
1776 has the same SID as the process. If av is zero, then
1777 access to the file is not checked, e.g. for cases
1778 where only the descriptor is affected like seek. */
1779 static int file_has_perm(const struct cred *cred,
1780 struct file *file,
1781 u32 av)
1782 {
1783 struct file_security_struct *fsec = file->f_security;
1784 struct inode *inode = file_inode(file);
1785 struct common_audit_data ad;
1786 u32 sid = cred_sid(cred);
1787 int rc;
1788
1789 ad.type = LSM_AUDIT_DATA_FILE;
1790 ad.u.file = file;
1791
1792 if (sid != fsec->sid) {
1793 rc = avc_has_perm(sid, fsec->sid,
1794 SECCLASS_FD,
1795 FD__USE,
1796 &ad);
1797 if (rc)
1798 goto out;
1799 }
1800
1801 /* av is zero if only checking access to the descriptor. */
1802 rc = 0;
1803 if (av)
1804 rc = inode_has_perm(cred, inode, av, &ad);
1805
1806 out:
1807 return rc;
1808 }
1809
1810 /*
1811 * Determine the label for an inode that might be unioned.
1812 */
1813 static int
1814 selinux_determine_inode_label(const struct task_security_struct *tsec,
1815 struct inode *dir,
1816 const struct qstr *name, u16 tclass,
1817 u32 *_new_isid)
1818 {
1819 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1820
1821 if ((sbsec->flags & SE_SBINITIALIZED) &&
1822 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1823 *_new_isid = sbsec->mntpoint_sid;
1824 } else if ((sbsec->flags & SBLABEL_MNT) &&
1825 tsec->create_sid) {
1826 *_new_isid = tsec->create_sid;
1827 } else {
1828 const struct inode_security_struct *dsec = inode_security(dir);
1829 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1830 name, _new_isid);
1831 }
1832
1833 return 0;
1834 }
1835
1836 /* Check whether a task can create a file. */
1837 static int may_create(struct inode *dir,
1838 struct dentry *dentry,
1839 u16 tclass)
1840 {
1841 const struct task_security_struct *tsec = current_security();
1842 struct inode_security_struct *dsec;
1843 struct superblock_security_struct *sbsec;
1844 u32 sid, newsid;
1845 struct common_audit_data ad;
1846 int rc;
1847
1848 dsec = inode_security(dir);
1849 sbsec = dir->i_sb->s_security;
1850
1851 sid = tsec->sid;
1852
1853 ad.type = LSM_AUDIT_DATA_DENTRY;
1854 ad.u.dentry = dentry;
1855
1856 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1857 DIR__ADD_NAME | DIR__SEARCH,
1858 &ad);
1859 if (rc)
1860 return rc;
1861
1862 rc = selinux_determine_inode_label(current_security(), dir,
1863 &dentry->d_name, tclass, &newsid);
1864 if (rc)
1865 return rc;
1866
1867 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1868 if (rc)
1869 return rc;
1870
1871 return avc_has_perm(newsid, sbsec->sid,
1872 SECCLASS_FILESYSTEM,
1873 FILESYSTEM__ASSOCIATE, &ad);
1874 }
1875
1876 #define MAY_LINK 0
1877 #define MAY_UNLINK 1
1878 #define MAY_RMDIR 2
1879
1880 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1881 static int may_link(struct inode *dir,
1882 struct dentry *dentry,
1883 int kind)
1884
1885 {
1886 struct inode_security_struct *dsec, *isec;
1887 struct common_audit_data ad;
1888 u32 sid = current_sid();
1889 u32 av;
1890 int rc;
1891
1892 dsec = inode_security(dir);
1893 isec = backing_inode_security(dentry);
1894
1895 ad.type = LSM_AUDIT_DATA_DENTRY;
1896 ad.u.dentry = dentry;
1897
1898 av = DIR__SEARCH;
1899 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1900 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1901 if (rc)
1902 return rc;
1903
1904 switch (kind) {
1905 case MAY_LINK:
1906 av = FILE__LINK;
1907 break;
1908 case MAY_UNLINK:
1909 av = FILE__UNLINK;
1910 break;
1911 case MAY_RMDIR:
1912 av = DIR__RMDIR;
1913 break;
1914 default:
1915 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1916 __func__, kind);
1917 return 0;
1918 }
1919
1920 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1921 return rc;
1922 }
1923
1924 static inline int may_rename(struct inode *old_dir,
1925 struct dentry *old_dentry,
1926 struct inode *new_dir,
1927 struct dentry *new_dentry)
1928 {
1929 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1930 struct common_audit_data ad;
1931 u32 sid = current_sid();
1932 u32 av;
1933 int old_is_dir, new_is_dir;
1934 int rc;
1935
1936 old_dsec = inode_security(old_dir);
1937 old_isec = backing_inode_security(old_dentry);
1938 old_is_dir = d_is_dir(old_dentry);
1939 new_dsec = inode_security(new_dir);
1940
1941 ad.type = LSM_AUDIT_DATA_DENTRY;
1942
1943 ad.u.dentry = old_dentry;
1944 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1945 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1946 if (rc)
1947 return rc;
1948 rc = avc_has_perm(sid, old_isec->sid,
1949 old_isec->sclass, FILE__RENAME, &ad);
1950 if (rc)
1951 return rc;
1952 if (old_is_dir && new_dir != old_dir) {
1953 rc = avc_has_perm(sid, old_isec->sid,
1954 old_isec->sclass, DIR__REPARENT, &ad);
1955 if (rc)
1956 return rc;
1957 }
1958
1959 ad.u.dentry = new_dentry;
1960 av = DIR__ADD_NAME | DIR__SEARCH;
1961 if (d_is_positive(new_dentry))
1962 av |= DIR__REMOVE_NAME;
1963 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1964 if (rc)
1965 return rc;
1966 if (d_is_positive(new_dentry)) {
1967 new_isec = backing_inode_security(new_dentry);
1968 new_is_dir = d_is_dir(new_dentry);
1969 rc = avc_has_perm(sid, new_isec->sid,
1970 new_isec->sclass,
1971 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1972 if (rc)
1973 return rc;
1974 }
1975
1976 return 0;
1977 }
1978
1979 /* Check whether a task can perform a filesystem operation. */
1980 static int superblock_has_perm(const struct cred *cred,
1981 struct super_block *sb,
1982 u32 perms,
1983 struct common_audit_data *ad)
1984 {
1985 struct superblock_security_struct *sbsec;
1986 u32 sid = cred_sid(cred);
1987
1988 sbsec = sb->s_security;
1989 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1990 }
1991
1992 /* Convert a Linux mode and permission mask to an access vector. */
1993 static inline u32 file_mask_to_av(int mode, int mask)
1994 {
1995 u32 av = 0;
1996
1997 if (!S_ISDIR(mode)) {
1998 if (mask & MAY_EXEC)
1999 av |= FILE__EXECUTE;
2000 if (mask & MAY_READ)
2001 av |= FILE__READ;
2002
2003 if (mask & MAY_APPEND)
2004 av |= FILE__APPEND;
2005 else if (mask & MAY_WRITE)
2006 av |= FILE__WRITE;
2007
2008 } else {
2009 if (mask & MAY_EXEC)
2010 av |= DIR__SEARCH;
2011 if (mask & MAY_WRITE)
2012 av |= DIR__WRITE;
2013 if (mask & MAY_READ)
2014 av |= DIR__READ;
2015 }
2016
2017 return av;
2018 }
2019
2020 /* Convert a Linux file to an access vector. */
2021 static inline u32 file_to_av(struct file *file)
2022 {
2023 u32 av = 0;
2024
2025 if (file->f_mode & FMODE_READ)
2026 av |= FILE__READ;
2027 if (file->f_mode & FMODE_WRITE) {
2028 if (file->f_flags & O_APPEND)
2029 av |= FILE__APPEND;
2030 else
2031 av |= FILE__WRITE;
2032 }
2033 if (!av) {
2034 /*
2035 * Special file opened with flags 3 for ioctl-only use.
2036 */
2037 av = FILE__IOCTL;
2038 }
2039
2040 return av;
2041 }
2042
2043 /*
2044 * Convert a file to an access vector and include the correct open
2045 * open permission.
2046 */
2047 static inline u32 open_file_to_av(struct file *file)
2048 {
2049 u32 av = file_to_av(file);
2050 struct inode *inode = file_inode(file);
2051
2052 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2053 av |= FILE__OPEN;
2054
2055 return av;
2056 }
2057
2058 /* Hook functions begin here. */
2059
2060 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2061 {
2062 u32 mysid = current_sid();
2063 u32 mgrsid = task_sid(mgr);
2064
2065 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2066 BINDER__SET_CONTEXT_MGR, NULL);
2067 }
2068
2069 static int selinux_binder_transaction(struct task_struct *from,
2070 struct task_struct *to)
2071 {
2072 u32 mysid = current_sid();
2073 u32 fromsid = task_sid(from);
2074 u32 tosid = task_sid(to);
2075 int rc;
2076
2077 if (mysid != fromsid) {
2078 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2079 BINDER__IMPERSONATE, NULL);
2080 if (rc)
2081 return rc;
2082 }
2083
2084 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2085 NULL);
2086 }
2087
2088 static int selinux_binder_transfer_binder(struct task_struct *from,
2089 struct task_struct *to)
2090 {
2091 u32 fromsid = task_sid(from);
2092 u32 tosid = task_sid(to);
2093
2094 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2095 NULL);
2096 }
2097
2098 static int selinux_binder_transfer_file(struct task_struct *from,
2099 struct task_struct *to,
2100 struct file *file)
2101 {
2102 u32 sid = task_sid(to);
2103 struct file_security_struct *fsec = file->f_security;
2104 struct dentry *dentry = file->f_path.dentry;
2105 struct inode_security_struct *isec;
2106 struct common_audit_data ad;
2107 int rc;
2108
2109 ad.type = LSM_AUDIT_DATA_PATH;
2110 ad.u.path = file->f_path;
2111
2112 if (sid != fsec->sid) {
2113 rc = avc_has_perm(sid, fsec->sid,
2114 SECCLASS_FD,
2115 FD__USE,
2116 &ad);
2117 if (rc)
2118 return rc;
2119 }
2120
2121 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2122 return 0;
2123
2124 isec = backing_inode_security(dentry);
2125 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2126 &ad);
2127 }
2128
2129 static int selinux_ptrace_access_check(struct task_struct *child,
2130 unsigned int mode)
2131 {
2132 u32 sid = current_sid();
2133 u32 csid = task_sid(child);
2134
2135 if (mode & PTRACE_MODE_READ)
2136 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2137
2138 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2139 }
2140
2141 static int selinux_ptrace_traceme(struct task_struct *parent)
2142 {
2143 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2144 PROCESS__PTRACE, NULL);
2145 }
2146
2147 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2148 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2149 {
2150 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2151 PROCESS__GETCAP, NULL);
2152 }
2153
2154 static int selinux_capset(struct cred *new, const struct cred *old,
2155 const kernel_cap_t *effective,
2156 const kernel_cap_t *inheritable,
2157 const kernel_cap_t *permitted)
2158 {
2159 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2160 PROCESS__SETCAP, NULL);
2161 }
2162
2163 /*
2164 * (This comment used to live with the selinux_task_setuid hook,
2165 * which was removed).
2166 *
2167 * Since setuid only affects the current process, and since the SELinux
2168 * controls are not based on the Linux identity attributes, SELinux does not
2169 * need to control this operation. However, SELinux does control the use of
2170 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2171 */
2172
2173 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2174 int cap, int audit)
2175 {
2176 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2177 }
2178
2179 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2180 {
2181 const struct cred *cred = current_cred();
2182 int rc = 0;
2183
2184 if (!sb)
2185 return 0;
2186
2187 switch (cmds) {
2188 case Q_SYNC:
2189 case Q_QUOTAON:
2190 case Q_QUOTAOFF:
2191 case Q_SETINFO:
2192 case Q_SETQUOTA:
2193 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2194 break;
2195 case Q_GETFMT:
2196 case Q_GETINFO:
2197 case Q_GETQUOTA:
2198 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2199 break;
2200 default:
2201 rc = 0; /* let the kernel handle invalid cmds */
2202 break;
2203 }
2204 return rc;
2205 }
2206
2207 static int selinux_quota_on(struct dentry *dentry)
2208 {
2209 const struct cred *cred = current_cred();
2210
2211 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2212 }
2213
2214 static int selinux_syslog(int type)
2215 {
2216 switch (type) {
2217 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2218 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2219 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2220 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2221 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2222 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2223 /* Set level of messages printed to console */
2224 case SYSLOG_ACTION_CONSOLE_LEVEL:
2225 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2226 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2227 NULL);
2228 }
2229 /* All other syslog types */
2230 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2231 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2232 }
2233
2234 /*
2235 * Check that a process has enough memory to allocate a new virtual
2236 * mapping. 0 means there is enough memory for the allocation to
2237 * succeed and -ENOMEM implies there is not.
2238 *
2239 * Do not audit the selinux permission check, as this is applied to all
2240 * processes that allocate mappings.
2241 */
2242 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2243 {
2244 int rc, cap_sys_admin = 0;
2245
2246 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2247 SECURITY_CAP_NOAUDIT, true);
2248 if (rc == 0)
2249 cap_sys_admin = 1;
2250
2251 return cap_sys_admin;
2252 }
2253
2254 /* binprm security operations */
2255
2256 static u32 ptrace_parent_sid(void)
2257 {
2258 u32 sid = 0;
2259 struct task_struct *tracer;
2260
2261 rcu_read_lock();
2262 tracer = ptrace_parent(current);
2263 if (tracer)
2264 sid = task_sid(tracer);
2265 rcu_read_unlock();
2266
2267 return sid;
2268 }
2269
2270 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2271 const struct task_security_struct *old_tsec,
2272 const struct task_security_struct *new_tsec)
2273 {
2274 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2275 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2276 int rc;
2277
2278 if (!nnp && !nosuid)
2279 return 0; /* neither NNP nor nosuid */
2280
2281 if (new_tsec->sid == old_tsec->sid)
2282 return 0; /* No change in credentials */
2283
2284 /*
2285 * The only transitions we permit under NNP or nosuid
2286 * are transitions to bounded SIDs, i.e. SIDs that are
2287 * guaranteed to only be allowed a subset of the permissions
2288 * of the current SID.
2289 */
2290 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2291 if (rc) {
2292 /*
2293 * On failure, preserve the errno values for NNP vs nosuid.
2294 * NNP: Operation not permitted for caller.
2295 * nosuid: Permission denied to file.
2296 */
2297 if (nnp)
2298 return -EPERM;
2299 else
2300 return -EACCES;
2301 }
2302 return 0;
2303 }
2304
2305 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2306 {
2307 const struct task_security_struct *old_tsec;
2308 struct task_security_struct *new_tsec;
2309 struct inode_security_struct *isec;
2310 struct common_audit_data ad;
2311 struct inode *inode = file_inode(bprm->file);
2312 int rc;
2313
2314 /* SELinux context only depends on initial program or script and not
2315 * the script interpreter */
2316 if (bprm->cred_prepared)
2317 return 0;
2318
2319 old_tsec = current_security();
2320 new_tsec = bprm->cred->security;
2321 isec = inode_security(inode);
2322
2323 /* Default to the current task SID. */
2324 new_tsec->sid = old_tsec->sid;
2325 new_tsec->osid = old_tsec->sid;
2326
2327 /* Reset fs, key, and sock SIDs on execve. */
2328 new_tsec->create_sid = 0;
2329 new_tsec->keycreate_sid = 0;
2330 new_tsec->sockcreate_sid = 0;
2331
2332 if (old_tsec->exec_sid) {
2333 new_tsec->sid = old_tsec->exec_sid;
2334 /* Reset exec SID on execve. */
2335 new_tsec->exec_sid = 0;
2336
2337 /* Fail on NNP or nosuid if not an allowed transition. */
2338 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2339 if (rc)
2340 return rc;
2341 } else {
2342 /* Check for a default transition on this program. */
2343 rc = security_transition_sid(old_tsec->sid, isec->sid,
2344 SECCLASS_PROCESS, NULL,
2345 &new_tsec->sid);
2346 if (rc)
2347 return rc;
2348
2349 /*
2350 * Fallback to old SID on NNP or nosuid if not an allowed
2351 * transition.
2352 */
2353 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2354 if (rc)
2355 new_tsec->sid = old_tsec->sid;
2356 }
2357
2358 ad.type = LSM_AUDIT_DATA_FILE;
2359 ad.u.file = bprm->file;
2360
2361 if (new_tsec->sid == old_tsec->sid) {
2362 rc = avc_has_perm(old_tsec->sid, isec->sid,
2363 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2364 if (rc)
2365 return rc;
2366 } else {
2367 /* Check permissions for the transition. */
2368 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2369 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2370 if (rc)
2371 return rc;
2372
2373 rc = avc_has_perm(new_tsec->sid, isec->sid,
2374 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2375 if (rc)
2376 return rc;
2377
2378 /* Check for shared state */
2379 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2380 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2381 SECCLASS_PROCESS, PROCESS__SHARE,
2382 NULL);
2383 if (rc)
2384 return -EPERM;
2385 }
2386
2387 /* Make sure that anyone attempting to ptrace over a task that
2388 * changes its SID has the appropriate permit */
2389 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2390 u32 ptsid = ptrace_parent_sid();
2391 if (ptsid != 0) {
2392 rc = avc_has_perm(ptsid, new_tsec->sid,
2393 SECCLASS_PROCESS,
2394 PROCESS__PTRACE, NULL);
2395 if (rc)
2396 return -EPERM;
2397 }
2398 }
2399
2400 /* Clear any possibly unsafe personality bits on exec: */
2401 bprm->per_clear |= PER_CLEAR_ON_SETID;
2402 }
2403
2404 return 0;
2405 }
2406
2407 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2408 {
2409 const struct task_security_struct *tsec = current_security();
2410 u32 sid, osid;
2411 int atsecure = 0;
2412
2413 sid = tsec->sid;
2414 osid = tsec->osid;
2415
2416 if (osid != sid) {
2417 /* Enable secure mode for SIDs transitions unless
2418 the noatsecure permission is granted between
2419 the two SIDs, i.e. ahp returns 0. */
2420 atsecure = avc_has_perm(osid, sid,
2421 SECCLASS_PROCESS,
2422 PROCESS__NOATSECURE, NULL);
2423 }
2424
2425 return !!atsecure;
2426 }
2427
2428 static int match_file(const void *p, struct file *file, unsigned fd)
2429 {
2430 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2431 }
2432
2433 /* Derived from fs/exec.c:flush_old_files. */
2434 static inline void flush_unauthorized_files(const struct cred *cred,
2435 struct files_struct *files)
2436 {
2437 struct file *file, *devnull = NULL;
2438 struct tty_struct *tty;
2439 int drop_tty = 0;
2440 unsigned n;
2441
2442 tty = get_current_tty();
2443 if (tty) {
2444 spin_lock(&tty->files_lock);
2445 if (!list_empty(&tty->tty_files)) {
2446 struct tty_file_private *file_priv;
2447
2448 /* Revalidate access to controlling tty.
2449 Use file_path_has_perm on the tty path directly
2450 rather than using file_has_perm, as this particular
2451 open file may belong to another process and we are
2452 only interested in the inode-based check here. */
2453 file_priv = list_first_entry(&tty->tty_files,
2454 struct tty_file_private, list);
2455 file = file_priv->file;
2456 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2457 drop_tty = 1;
2458 }
2459 spin_unlock(&tty->files_lock);
2460 tty_kref_put(tty);
2461 }
2462 /* Reset controlling tty. */
2463 if (drop_tty)
2464 no_tty();
2465
2466 /* Revalidate access to inherited open files. */
2467 n = iterate_fd(files, 0, match_file, cred);
2468 if (!n) /* none found? */
2469 return;
2470
2471 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2472 if (IS_ERR(devnull))
2473 devnull = NULL;
2474 /* replace all the matching ones with this */
2475 do {
2476 replace_fd(n - 1, devnull, 0);
2477 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2478 if (devnull)
2479 fput(devnull);
2480 }
2481
2482 /*
2483 * Prepare a process for imminent new credential changes due to exec
2484 */
2485 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2486 {
2487 struct task_security_struct *new_tsec;
2488 struct rlimit *rlim, *initrlim;
2489 int rc, i;
2490
2491 new_tsec = bprm->cred->security;
2492 if (new_tsec->sid == new_tsec->osid)
2493 return;
2494
2495 /* Close files for which the new task SID is not authorized. */
2496 flush_unauthorized_files(bprm->cred, current->files);
2497
2498 /* Always clear parent death signal on SID transitions. */
2499 current->pdeath_signal = 0;
2500
2501 /* Check whether the new SID can inherit resource limits from the old
2502 * SID. If not, reset all soft limits to the lower of the current
2503 * task's hard limit and the init task's soft limit.
2504 *
2505 * Note that the setting of hard limits (even to lower them) can be
2506 * controlled by the setrlimit check. The inclusion of the init task's
2507 * soft limit into the computation is to avoid resetting soft limits
2508 * higher than the default soft limit for cases where the default is
2509 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2510 */
2511 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2512 PROCESS__RLIMITINH, NULL);
2513 if (rc) {
2514 /* protect against do_prlimit() */
2515 task_lock(current);
2516 for (i = 0; i < RLIM_NLIMITS; i++) {
2517 rlim = current->signal->rlim + i;
2518 initrlim = init_task.signal->rlim + i;
2519 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2520 }
2521 task_unlock(current);
2522 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2523 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2524 }
2525 }
2526
2527 /*
2528 * Clean up the process immediately after the installation of new credentials
2529 * due to exec
2530 */
2531 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2532 {
2533 const struct task_security_struct *tsec = current_security();
2534 struct itimerval itimer;
2535 u32 osid, sid;
2536 int rc, i;
2537
2538 osid = tsec->osid;
2539 sid = tsec->sid;
2540
2541 if (sid == osid)
2542 return;
2543
2544 /* Check whether the new SID can inherit signal state from the old SID.
2545 * If not, clear itimers to avoid subsequent signal generation and
2546 * flush and unblock signals.
2547 *
2548 * This must occur _after_ the task SID has been updated so that any
2549 * kill done after the flush will be checked against the new SID.
2550 */
2551 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2552 if (rc) {
2553 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2554 memset(&itimer, 0, sizeof itimer);
2555 for (i = 0; i < 3; i++)
2556 do_setitimer(i, &itimer, NULL);
2557 }
2558 spin_lock_irq(&current->sighand->siglock);
2559 if (!fatal_signal_pending(current)) {
2560 flush_sigqueue(&current->pending);
2561 flush_sigqueue(&current->signal->shared_pending);
2562 flush_signal_handlers(current, 1);
2563 sigemptyset(&current->blocked);
2564 recalc_sigpending();
2565 }
2566 spin_unlock_irq(&current->sighand->siglock);
2567 }
2568
2569 /* Wake up the parent if it is waiting so that it can recheck
2570 * wait permission to the new task SID. */
2571 read_lock(&tasklist_lock);
2572 __wake_up_parent(current, current->real_parent);
2573 read_unlock(&tasklist_lock);
2574 }
2575
2576 /* superblock security operations */
2577
2578 static int selinux_sb_alloc_security(struct super_block *sb)
2579 {
2580 return superblock_alloc_security(sb);
2581 }
2582
2583 static void selinux_sb_free_security(struct super_block *sb)
2584 {
2585 superblock_free_security(sb);
2586 }
2587
2588 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2589 {
2590 if (plen > olen)
2591 return 0;
2592
2593 return !memcmp(prefix, option, plen);
2594 }
2595
2596 static inline int selinux_option(char *option, int len)
2597 {
2598 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2599 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2600 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2601 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2602 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2603 }
2604
2605 static inline void take_option(char **to, char *from, int *first, int len)
2606 {
2607 if (!*first) {
2608 **to = ',';
2609 *to += 1;
2610 } else
2611 *first = 0;
2612 memcpy(*to, from, len);
2613 *to += len;
2614 }
2615
2616 static inline void take_selinux_option(char **to, char *from, int *first,
2617 int len)
2618 {
2619 int current_size = 0;
2620
2621 if (!*first) {
2622 **to = '|';
2623 *to += 1;
2624 } else
2625 *first = 0;
2626
2627 while (current_size < len) {
2628 if (*from != '"') {
2629 **to = *from;
2630 *to += 1;
2631 }
2632 from += 1;
2633 current_size += 1;
2634 }
2635 }
2636
2637 static int selinux_sb_copy_data(char *orig, char *copy)
2638 {
2639 int fnosec, fsec, rc = 0;
2640 char *in_save, *in_curr, *in_end;
2641 char *sec_curr, *nosec_save, *nosec;
2642 int open_quote = 0;
2643
2644 in_curr = orig;
2645 sec_curr = copy;
2646
2647 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2648 if (!nosec) {
2649 rc = -ENOMEM;
2650 goto out;
2651 }
2652
2653 nosec_save = nosec;
2654 fnosec = fsec = 1;
2655 in_save = in_end = orig;
2656
2657 do {
2658 if (*in_end == '"')
2659 open_quote = !open_quote;
2660 if ((*in_end == ',' && open_quote == 0) ||
2661 *in_end == '\0') {
2662 int len = in_end - in_curr;
2663
2664 if (selinux_option(in_curr, len))
2665 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2666 else
2667 take_option(&nosec, in_curr, &fnosec, len);
2668
2669 in_curr = in_end + 1;
2670 }
2671 } while (*in_end++);
2672
2673 strcpy(in_save, nosec_save);
2674 free_page((unsigned long)nosec_save);
2675 out:
2676 return rc;
2677 }
2678
2679 static int selinux_sb_remount(struct super_block *sb, void *data)
2680 {
2681 int rc, i, *flags;
2682 struct security_mnt_opts opts;
2683 char *secdata, **mount_options;
2684 struct superblock_security_struct *sbsec = sb->s_security;
2685
2686 if (!(sbsec->flags & SE_SBINITIALIZED))
2687 return 0;
2688
2689 if (!data)
2690 return 0;
2691
2692 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2693 return 0;
2694
2695 security_init_mnt_opts(&opts);
2696 secdata = alloc_secdata();
2697 if (!secdata)
2698 return -ENOMEM;
2699 rc = selinux_sb_copy_data(data, secdata);
2700 if (rc)
2701 goto out_free_secdata;
2702
2703 rc = selinux_parse_opts_str(secdata, &opts);
2704 if (rc)
2705 goto out_free_secdata;
2706
2707 mount_options = opts.mnt_opts;
2708 flags = opts.mnt_opts_flags;
2709
2710 for (i = 0; i < opts.num_mnt_opts; i++) {
2711 u32 sid;
2712
2713 if (flags[i] == SBLABEL_MNT)
2714 continue;
2715 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2716 if (rc) {
2717 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2718 "(%s) failed for (dev %s, type %s) errno=%d\n",
2719 mount_options[i], sb->s_id, sb->s_type->name, rc);
2720 goto out_free_opts;
2721 }
2722 rc = -EINVAL;
2723 switch (flags[i]) {
2724 case FSCONTEXT_MNT:
2725 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2726 goto out_bad_option;
2727 break;
2728 case CONTEXT_MNT:
2729 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2730 goto out_bad_option;
2731 break;
2732 case ROOTCONTEXT_MNT: {
2733 struct inode_security_struct *root_isec;
2734 root_isec = backing_inode_security(sb->s_root);
2735
2736 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2737 goto out_bad_option;
2738 break;
2739 }
2740 case DEFCONTEXT_MNT:
2741 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2742 goto out_bad_option;
2743 break;
2744 default:
2745 goto out_free_opts;
2746 }
2747 }
2748
2749 rc = 0;
2750 out_free_opts:
2751 security_free_mnt_opts(&opts);
2752 out_free_secdata:
2753 free_secdata(secdata);
2754 return rc;
2755 out_bad_option:
2756 printk(KERN_WARNING "SELinux: unable to change security options "
2757 "during remount (dev %s, type=%s)\n", sb->s_id,
2758 sb->s_type->name);
2759 goto out_free_opts;
2760 }
2761
2762 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2763 {
2764 const struct cred *cred = current_cred();
2765 struct common_audit_data ad;
2766 int rc;
2767
2768 rc = superblock_doinit(sb, data);
2769 if (rc)
2770 return rc;
2771
2772 /* Allow all mounts performed by the kernel */
2773 if (flags & MS_KERNMOUNT)
2774 return 0;
2775
2776 ad.type = LSM_AUDIT_DATA_DENTRY;
2777 ad.u.dentry = sb->s_root;
2778 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2779 }
2780
2781 static int selinux_sb_statfs(struct dentry *dentry)
2782 {
2783 const struct cred *cred = current_cred();
2784 struct common_audit_data ad;
2785
2786 ad.type = LSM_AUDIT_DATA_DENTRY;
2787 ad.u.dentry = dentry->d_sb->s_root;
2788 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2789 }
2790
2791 static int selinux_mount(const char *dev_name,
2792 const struct path *path,
2793 const char *type,
2794 unsigned long flags,
2795 void *data)
2796 {
2797 const struct cred *cred = current_cred();
2798
2799 if (flags & MS_REMOUNT)
2800 return superblock_has_perm(cred, path->dentry->d_sb,
2801 FILESYSTEM__REMOUNT, NULL);
2802 else
2803 return path_has_perm(cred, path, FILE__MOUNTON);
2804 }
2805
2806 static int selinux_umount(struct vfsmount *mnt, int flags)
2807 {
2808 const struct cred *cred = current_cred();
2809
2810 return superblock_has_perm(cred, mnt->mnt_sb,
2811 FILESYSTEM__UNMOUNT, NULL);
2812 }
2813
2814 /* inode security operations */
2815
2816 static int selinux_inode_alloc_security(struct inode *inode)
2817 {
2818 return inode_alloc_security(inode);
2819 }
2820
2821 static void selinux_inode_free_security(struct inode *inode)
2822 {
2823 inode_free_security(inode);
2824 }
2825
2826 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2827 const struct qstr *name, void **ctx,
2828 u32 *ctxlen)
2829 {
2830 u32 newsid;
2831 int rc;
2832
2833 rc = selinux_determine_inode_label(current_security(),
2834 d_inode(dentry->d_parent), name,
2835 inode_mode_to_security_class(mode),
2836 &newsid);
2837 if (rc)
2838 return rc;
2839
2840 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2841 }
2842
2843 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2844 struct qstr *name,
2845 const struct cred *old,
2846 struct cred *new)
2847 {
2848 u32 newsid;
2849 int rc;
2850 struct task_security_struct *tsec;
2851
2852 rc = selinux_determine_inode_label(old->security,
2853 d_inode(dentry->d_parent), name,
2854 inode_mode_to_security_class(mode),
2855 &newsid);
2856 if (rc)
2857 return rc;
2858
2859 tsec = new->security;
2860 tsec->create_sid = newsid;
2861 return 0;
2862 }
2863
2864 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2865 const struct qstr *qstr,
2866 const char **name,
2867 void **value, size_t *len)
2868 {
2869 const struct task_security_struct *tsec = current_security();
2870 struct superblock_security_struct *sbsec;
2871 u32 sid, newsid, clen;
2872 int rc;
2873 char *context;
2874
2875 sbsec = dir->i_sb->s_security;
2876
2877 sid = tsec->sid;
2878 newsid = tsec->create_sid;
2879
2880 rc = selinux_determine_inode_label(current_security(),
2881 dir, qstr,
2882 inode_mode_to_security_class(inode->i_mode),
2883 &newsid);
2884 if (rc)
2885 return rc;
2886
2887 /* Possibly defer initialization to selinux_complete_init. */
2888 if (sbsec->flags & SE_SBINITIALIZED) {
2889 struct inode_security_struct *isec = inode->i_security;
2890 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2891 isec->sid = newsid;
2892 isec->initialized = LABEL_INITIALIZED;
2893 }
2894
2895 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2896 return -EOPNOTSUPP;
2897
2898 if (name)
2899 *name = XATTR_SELINUX_SUFFIX;
2900
2901 if (value && len) {
2902 rc = security_sid_to_context_force(newsid, &context, &clen);
2903 if (rc)
2904 return rc;
2905 *value = context;
2906 *len = clen;
2907 }
2908
2909 return 0;
2910 }
2911
2912 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2913 {
2914 return may_create(dir, dentry, SECCLASS_FILE);
2915 }
2916
2917 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2918 {
2919 return may_link(dir, old_dentry, MAY_LINK);
2920 }
2921
2922 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2923 {
2924 return may_link(dir, dentry, MAY_UNLINK);
2925 }
2926
2927 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2928 {
2929 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2930 }
2931
2932 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2933 {
2934 return may_create(dir, dentry, SECCLASS_DIR);
2935 }
2936
2937 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2938 {
2939 return may_link(dir, dentry, MAY_RMDIR);
2940 }
2941
2942 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2943 {
2944 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2945 }
2946
2947 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2948 struct inode *new_inode, struct dentry *new_dentry)
2949 {
2950 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2951 }
2952
2953 static int selinux_inode_readlink(struct dentry *dentry)
2954 {
2955 const struct cred *cred = current_cred();
2956
2957 return dentry_has_perm(cred, dentry, FILE__READ);
2958 }
2959
2960 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2961 bool rcu)
2962 {
2963 const struct cred *cred = current_cred();
2964 struct common_audit_data ad;
2965 struct inode_security_struct *isec;
2966 u32 sid;
2967
2968 validate_creds(cred);
2969
2970 ad.type = LSM_AUDIT_DATA_DENTRY;
2971 ad.u.dentry = dentry;
2972 sid = cred_sid(cred);
2973 isec = inode_security_rcu(inode, rcu);
2974 if (IS_ERR(isec))
2975 return PTR_ERR(isec);
2976
2977 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2978 rcu ? MAY_NOT_BLOCK : 0);
2979 }
2980
2981 static noinline int audit_inode_permission(struct inode *inode,
2982 u32 perms, u32 audited, u32 denied,
2983 int result,
2984 unsigned flags)
2985 {
2986 struct common_audit_data ad;
2987 struct inode_security_struct *isec = inode->i_security;
2988 int rc;
2989
2990 ad.type = LSM_AUDIT_DATA_INODE;
2991 ad.u.inode = inode;
2992
2993 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2994 audited, denied, result, &ad, flags);
2995 if (rc)
2996 return rc;
2997 return 0;
2998 }
2999
3000 static int selinux_inode_permission(struct inode *inode, int mask)
3001 {
3002 const struct cred *cred = current_cred();
3003 u32 perms;
3004 bool from_access;
3005 unsigned flags = mask & MAY_NOT_BLOCK;
3006 struct inode_security_struct *isec;
3007 u32 sid;
3008 struct av_decision avd;
3009 int rc, rc2;
3010 u32 audited, denied;
3011
3012 from_access = mask & MAY_ACCESS;
3013 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3014
3015 /* No permission to check. Existence test. */
3016 if (!mask)
3017 return 0;
3018
3019 validate_creds(cred);
3020
3021 if (unlikely(IS_PRIVATE(inode)))
3022 return 0;
3023
3024 perms = file_mask_to_av(inode->i_mode, mask);
3025
3026 sid = cred_sid(cred);
3027 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3028 if (IS_ERR(isec))
3029 return PTR_ERR(isec);
3030
3031 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3032 audited = avc_audit_required(perms, &avd, rc,
3033 from_access ? FILE__AUDIT_ACCESS : 0,
3034 &denied);
3035 if (likely(!audited))
3036 return rc;
3037
3038 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3039 if (rc2)
3040 return rc2;
3041 return rc;
3042 }
3043
3044 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3045 {
3046 const struct cred *cred = current_cred();
3047 struct inode *inode = d_backing_inode(dentry);
3048 unsigned int ia_valid = iattr->ia_valid;
3049 __u32 av = FILE__WRITE;
3050
3051 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3052 if (ia_valid & ATTR_FORCE) {
3053 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3054 ATTR_FORCE);
3055 if (!ia_valid)
3056 return 0;
3057 }
3058
3059 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3060 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3061 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3062
3063 if (selinux_policycap_openperm &&
3064 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3065 (ia_valid & ATTR_SIZE) &&
3066 !(ia_valid & ATTR_FILE))
3067 av |= FILE__OPEN;
3068
3069 return dentry_has_perm(cred, dentry, av);
3070 }
3071
3072 static int selinux_inode_getattr(const struct path *path)
3073 {
3074 return path_has_perm(current_cred(), path, FILE__GETATTR);
3075 }
3076
3077 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3078 {
3079 const struct cred *cred = current_cred();
3080
3081 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3082 sizeof XATTR_SECURITY_PREFIX - 1)) {
3083 if (!strcmp(name, XATTR_NAME_CAPS)) {
3084 if (!capable(CAP_SETFCAP))
3085 return -EPERM;
3086 } else if (!capable(CAP_SYS_ADMIN)) {
3087 /* A different attribute in the security namespace.
3088 Restrict to administrator. */
3089 return -EPERM;
3090 }
3091 }
3092
3093 /* Not an attribute we recognize, so just check the
3094 ordinary setattr permission. */
3095 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3096 }
3097
3098 static bool has_cap_mac_admin(bool audit)
3099 {
3100 const struct cred *cred = current_cred();
3101 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3102
3103 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3104 return false;
3105 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3106 return false;
3107 return true;
3108 }
3109
3110 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3111 const void *value, size_t size, int flags)
3112 {
3113 struct inode *inode = d_backing_inode(dentry);
3114 struct inode_security_struct *isec;
3115 struct superblock_security_struct *sbsec;
3116 struct common_audit_data ad;
3117 u32 newsid, sid = current_sid();
3118 int rc = 0;
3119
3120 if (strcmp(name, XATTR_NAME_SELINUX))
3121 return selinux_inode_setotherxattr(dentry, name);
3122
3123 sbsec = inode->i_sb->s_security;
3124 if (!(sbsec->flags & SBLABEL_MNT))
3125 return -EOPNOTSUPP;
3126
3127 if (!inode_owner_or_capable(inode))
3128 return -EPERM;
3129
3130 ad.type = LSM_AUDIT_DATA_DENTRY;
3131 ad.u.dentry = dentry;
3132
3133 isec = backing_inode_security(dentry);
3134 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3135 FILE__RELABELFROM, &ad);
3136 if (rc)
3137 return rc;
3138
3139 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3140 if (rc == -EINVAL) {
3141 if (!has_cap_mac_admin(true)) {
3142 struct audit_buffer *ab;
3143 size_t audit_size;
3144 const char *str;
3145
3146 /* We strip a nul only if it is at the end, otherwise the
3147 * context contains a nul and we should audit that */
3148 if (value) {
3149 str = value;
3150 if (str[size - 1] == '\0')
3151 audit_size = size - 1;
3152 else
3153 audit_size = size;
3154 } else {
3155 str = "";
3156 audit_size = 0;
3157 }
3158 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3159 audit_log_format(ab, "op=setxattr invalid_context=");
3160 audit_log_n_untrustedstring(ab, value, audit_size);
3161 audit_log_end(ab);
3162
3163 return rc;
3164 }
3165 rc = security_context_to_sid_force(value, size, &newsid);
3166 }
3167 if (rc)
3168 return rc;
3169
3170 rc = avc_has_perm(sid, newsid, isec->sclass,
3171 FILE__RELABELTO, &ad);
3172 if (rc)
3173 return rc;
3174
3175 rc = security_validate_transition(isec->sid, newsid, sid,
3176 isec->sclass);
3177 if (rc)
3178 return rc;
3179
3180 return avc_has_perm(newsid,
3181 sbsec->sid,
3182 SECCLASS_FILESYSTEM,
3183 FILESYSTEM__ASSOCIATE,
3184 &ad);
3185 }
3186
3187 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3188 const void *value, size_t size,
3189 int flags)
3190 {
3191 struct inode *inode = d_backing_inode(dentry);
3192 struct inode_security_struct *isec;
3193 u32 newsid;
3194 int rc;
3195
3196 if (strcmp(name, XATTR_NAME_SELINUX)) {
3197 /* Not an attribute we recognize, so nothing to do. */
3198 return;
3199 }
3200
3201 rc = security_context_to_sid_force(value, size, &newsid);
3202 if (rc) {
3203 printk(KERN_ERR "SELinux: unable to map context to SID"
3204 "for (%s, %lu), rc=%d\n",
3205 inode->i_sb->s_id, inode->i_ino, -rc);
3206 return;
3207 }
3208
3209 isec = backing_inode_security(dentry);
3210 spin_lock(&isec->lock);
3211 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3212 isec->sid = newsid;
3213 isec->initialized = LABEL_INITIALIZED;
3214 spin_unlock(&isec->lock);
3215
3216 return;
3217 }
3218
3219 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3220 {
3221 const struct cred *cred = current_cred();
3222
3223 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3224 }
3225
3226 static int selinux_inode_listxattr(struct dentry *dentry)
3227 {
3228 const struct cred *cred = current_cred();
3229
3230 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3231 }
3232
3233 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3234 {
3235 if (strcmp(name, XATTR_NAME_SELINUX))
3236 return selinux_inode_setotherxattr(dentry, name);
3237
3238 /* No one is allowed to remove a SELinux security label.
3239 You can change the label, but all data must be labeled. */
3240 return -EACCES;
3241 }
3242
3243 /*
3244 * Copy the inode security context value to the user.
3245 *
3246 * Permission check is handled by selinux_inode_getxattr hook.
3247 */
3248 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3249 {
3250 u32 size;
3251 int error;
3252 char *context = NULL;
3253 struct inode_security_struct *isec;
3254
3255 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3256 return -EOPNOTSUPP;
3257
3258 /*
3259 * If the caller has CAP_MAC_ADMIN, then get the raw context
3260 * value even if it is not defined by current policy; otherwise,
3261 * use the in-core value under current policy.
3262 * Use the non-auditing forms of the permission checks since
3263 * getxattr may be called by unprivileged processes commonly
3264 * and lack of permission just means that we fall back to the
3265 * in-core context value, not a denial.
3266 */
3267 isec = inode_security(inode);
3268 if (has_cap_mac_admin(false))
3269 error = security_sid_to_context_force(isec->sid, &context,
3270 &size);
3271 else
3272 error = security_sid_to_context(isec->sid, &context, &size);
3273 if (error)
3274 return error;
3275 error = size;
3276 if (alloc) {
3277 *buffer = context;
3278 goto out_nofree;
3279 }
3280 kfree(context);
3281 out_nofree:
3282 return error;
3283 }
3284
3285 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3286 const void *value, size_t size, int flags)
3287 {
3288 struct inode_security_struct *isec = inode_security_novalidate(inode);
3289 u32 newsid;
3290 int rc;
3291
3292 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3293 return -EOPNOTSUPP;
3294
3295 if (!value || !size)
3296 return -EACCES;
3297
3298 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3299 if (rc)
3300 return rc;
3301
3302 spin_lock(&isec->lock);
3303 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3304 isec->sid = newsid;
3305 isec->initialized = LABEL_INITIALIZED;
3306 spin_unlock(&isec->lock);
3307 return 0;
3308 }
3309
3310 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3311 {
3312 const int len = sizeof(XATTR_NAME_SELINUX);
3313 if (buffer && len <= buffer_size)
3314 memcpy(buffer, XATTR_NAME_SELINUX, len);
3315 return len;
3316 }
3317
3318 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3319 {
3320 struct inode_security_struct *isec = inode_security_novalidate(inode);
3321 *secid = isec->sid;
3322 }
3323
3324 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3325 {
3326 u32 sid;
3327 struct task_security_struct *tsec;
3328 struct cred *new_creds = *new;
3329
3330 if (new_creds == NULL) {
3331 new_creds = prepare_creds();
3332 if (!new_creds)
3333 return -ENOMEM;
3334 }
3335
3336 tsec = new_creds->security;
3337 /* Get label from overlay inode and set it in create_sid */
3338 selinux_inode_getsecid(d_inode(src), &sid);
3339 tsec->create_sid = sid;
3340 *new = new_creds;
3341 return 0;
3342 }
3343
3344 static int selinux_inode_copy_up_xattr(const char *name)
3345 {
3346 /* The copy_up hook above sets the initial context on an inode, but we
3347 * don't then want to overwrite it by blindly copying all the lower
3348 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3349 */
3350 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3351 return 1; /* Discard */
3352 /*
3353 * Any other attribute apart from SELINUX is not claimed, supported
3354 * by selinux.
3355 */
3356 return -EOPNOTSUPP;
3357 }
3358
3359 /* file security operations */
3360
3361 static int selinux_revalidate_file_permission(struct file *file, int mask)
3362 {
3363 const struct cred *cred = current_cred();
3364 struct inode *inode = file_inode(file);
3365
3366 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3367 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3368 mask |= MAY_APPEND;
3369
3370 return file_has_perm(cred, file,
3371 file_mask_to_av(inode->i_mode, mask));
3372 }
3373
3374 static int selinux_file_permission(struct file *file, int mask)
3375 {
3376 struct inode *inode = file_inode(file);
3377 struct file_security_struct *fsec = file->f_security;
3378 struct inode_security_struct *isec;
3379 u32 sid = current_sid();
3380
3381 if (!mask)
3382 /* No permission to check. Existence test. */
3383 return 0;
3384
3385 isec = inode_security(inode);
3386 if (sid == fsec->sid && fsec->isid == isec->sid &&
3387 fsec->pseqno == avc_policy_seqno())
3388 /* No change since file_open check. */
3389 return 0;
3390
3391 return selinux_revalidate_file_permission(file, mask);
3392 }
3393
3394 static int selinux_file_alloc_security(struct file *file)
3395 {
3396 return file_alloc_security(file);
3397 }
3398
3399 static void selinux_file_free_security(struct file *file)
3400 {
3401 file_free_security(file);
3402 }
3403
3404 /*
3405 * Check whether a task has the ioctl permission and cmd
3406 * operation to an inode.
3407 */
3408 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3409 u32 requested, u16 cmd)
3410 {
3411 struct common_audit_data ad;
3412 struct file_security_struct *fsec = file->f_security;
3413 struct inode *inode = file_inode(file);
3414 struct inode_security_struct *isec;
3415 struct lsm_ioctlop_audit ioctl;
3416 u32 ssid = cred_sid(cred);
3417 int rc;
3418 u8 driver = cmd >> 8;
3419 u8 xperm = cmd & 0xff;
3420
3421 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3422 ad.u.op = &ioctl;
3423 ad.u.op->cmd = cmd;
3424 ad.u.op->path = file->f_path;
3425
3426 if (ssid != fsec->sid) {
3427 rc = avc_has_perm(ssid, fsec->sid,
3428 SECCLASS_FD,
3429 FD__USE,
3430 &ad);
3431 if (rc)
3432 goto out;
3433 }
3434
3435 if (unlikely(IS_PRIVATE(inode)))
3436 return 0;
3437
3438 isec = inode_security(inode);
3439 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3440 requested, driver, xperm, &ad);
3441 out:
3442 return rc;
3443 }
3444
3445 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3446 unsigned long arg)
3447 {
3448 const struct cred *cred = current_cred();
3449 int error = 0;
3450
3451 switch (cmd) {
3452 case FIONREAD:
3453 /* fall through */
3454 case FIBMAP:
3455 /* fall through */
3456 case FIGETBSZ:
3457 /* fall through */
3458 case FS_IOC_GETFLAGS:
3459 /* fall through */
3460 case FS_IOC_GETVERSION:
3461 error = file_has_perm(cred, file, FILE__GETATTR);
3462 break;
3463
3464 case FS_IOC_SETFLAGS:
3465 /* fall through */
3466 case FS_IOC_SETVERSION:
3467 error = file_has_perm(cred, file, FILE__SETATTR);
3468 break;
3469
3470 /* sys_ioctl() checks */
3471 case FIONBIO:
3472 /* fall through */
3473 case FIOASYNC:
3474 error = file_has_perm(cred, file, 0);
3475 break;
3476
3477 case KDSKBENT:
3478 case KDSKBSENT:
3479 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3480 SECURITY_CAP_AUDIT, true);
3481 break;
3482
3483 /* default case assumes that the command will go
3484 * to the file's ioctl() function.
3485 */
3486 default:
3487 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3488 }
3489 return error;
3490 }
3491
3492 static int default_noexec;
3493
3494 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3495 {
3496 const struct cred *cred = current_cred();
3497 u32 sid = cred_sid(cred);
3498 int rc = 0;
3499
3500 if (default_noexec &&
3501 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3502 (!shared && (prot & PROT_WRITE)))) {
3503 /*
3504 * We are making executable an anonymous mapping or a
3505 * private file mapping that will also be writable.
3506 * This has an additional check.
3507 */
3508 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3509 PROCESS__EXECMEM, NULL);
3510 if (rc)
3511 goto error;
3512 }
3513
3514 if (file) {
3515 /* read access is always possible with a mapping */
3516 u32 av = FILE__READ;
3517
3518 /* write access only matters if the mapping is shared */
3519 if (shared && (prot & PROT_WRITE))
3520 av |= FILE__WRITE;
3521
3522 if (prot & PROT_EXEC)
3523 av |= FILE__EXECUTE;
3524
3525 return file_has_perm(cred, file, av);
3526 }
3527
3528 error:
3529 return rc;
3530 }
3531
3532 static int selinux_mmap_addr(unsigned long addr)
3533 {
3534 int rc = 0;
3535
3536 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3537 u32 sid = current_sid();
3538 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3539 MEMPROTECT__MMAP_ZERO, NULL);
3540 }
3541
3542 return rc;
3543 }
3544
3545 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3546 unsigned long prot, unsigned long flags)
3547 {
3548 struct common_audit_data ad;
3549 int rc;
3550
3551 if (file) {
3552 ad.type = LSM_AUDIT_DATA_FILE;
3553 ad.u.file = file;
3554 rc = inode_has_perm(current_cred(), file_inode(file),
3555 FILE__MAP, &ad);
3556 if (rc)
3557 return rc;
3558 }
3559
3560 if (selinux_checkreqprot)
3561 prot = reqprot;
3562
3563 return file_map_prot_check(file, prot,
3564 (flags & MAP_TYPE) == MAP_SHARED);
3565 }
3566
3567 static int selinux_file_mprotect(struct vm_area_struct *vma,
3568 unsigned long reqprot,
3569 unsigned long prot)
3570 {
3571 const struct cred *cred = current_cred();
3572 u32 sid = cred_sid(cred);
3573
3574 if (selinux_checkreqprot)
3575 prot = reqprot;
3576
3577 if (default_noexec &&
3578 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3579 int rc = 0;
3580 if (vma->vm_start >= vma->vm_mm->start_brk &&
3581 vma->vm_end <= vma->vm_mm->brk) {
3582 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3583 PROCESS__EXECHEAP, NULL);
3584 } else if (!vma->vm_file &&
3585 ((vma->vm_start <= vma->vm_mm->start_stack &&
3586 vma->vm_end >= vma->vm_mm->start_stack) ||
3587 vma_is_stack_for_current(vma))) {
3588 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3589 PROCESS__EXECSTACK, NULL);
3590 } else if (vma->vm_file && vma->anon_vma) {
3591 /*
3592 * We are making executable a file mapping that has
3593 * had some COW done. Since pages might have been
3594 * written, check ability to execute the possibly
3595 * modified content. This typically should only
3596 * occur for text relocations.
3597 */
3598 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3599 }
3600 if (rc)
3601 return rc;
3602 }
3603
3604 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3605 }
3606
3607 static int selinux_file_lock(struct file *file, unsigned int cmd)
3608 {
3609 const struct cred *cred = current_cred();
3610
3611 return file_has_perm(cred, file, FILE__LOCK);
3612 }
3613
3614 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3615 unsigned long arg)
3616 {
3617 const struct cred *cred = current_cred();
3618 int err = 0;
3619
3620 switch (cmd) {
3621 case F_SETFL:
3622 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3623 err = file_has_perm(cred, file, FILE__WRITE);
3624 break;
3625 }
3626 /* fall through */
3627 case F_SETOWN:
3628 case F_SETSIG:
3629 case F_GETFL:
3630 case F_GETOWN:
3631 case F_GETSIG:
3632 case F_GETOWNER_UIDS:
3633 /* Just check FD__USE permission */
3634 err = file_has_perm(cred, file, 0);
3635 break;
3636 case F_GETLK:
3637 case F_SETLK:
3638 case F_SETLKW:
3639 case F_OFD_GETLK:
3640 case F_OFD_SETLK:
3641 case F_OFD_SETLKW:
3642 #if BITS_PER_LONG == 32
3643 case F_GETLK64:
3644 case F_SETLK64:
3645 case F_SETLKW64:
3646 #endif
3647 err = file_has_perm(cred, file, FILE__LOCK);
3648 break;
3649 }
3650
3651 return err;
3652 }
3653
3654 static void selinux_file_set_fowner(struct file *file)
3655 {
3656 struct file_security_struct *fsec;
3657
3658 fsec = file->f_security;
3659 fsec->fown_sid = current_sid();
3660 }
3661
3662 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3663 struct fown_struct *fown, int signum)
3664 {
3665 struct file *file;
3666 u32 sid = task_sid(tsk);
3667 u32 perm;
3668 struct file_security_struct *fsec;
3669
3670 /* struct fown_struct is never outside the context of a struct file */
3671 file = container_of(fown, struct file, f_owner);
3672
3673 fsec = file->f_security;
3674
3675 if (!signum)
3676 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3677 else
3678 perm = signal_to_av(signum);
3679
3680 return avc_has_perm(fsec->fown_sid, sid,
3681 SECCLASS_PROCESS, perm, NULL);
3682 }
3683
3684 static int selinux_file_receive(struct file *file)
3685 {
3686 const struct cred *cred = current_cred();
3687
3688 return file_has_perm(cred, file, file_to_av(file));
3689 }
3690
3691 static int selinux_file_open(struct file *file, const struct cred *cred)
3692 {
3693 struct file_security_struct *fsec;
3694 struct inode_security_struct *isec;
3695
3696 fsec = file->f_security;
3697 isec = inode_security(file_inode(file));
3698 /*
3699 * Save inode label and policy sequence number
3700 * at open-time so that selinux_file_permission
3701 * can determine whether revalidation is necessary.
3702 * Task label is already saved in the file security
3703 * struct as its SID.
3704 */
3705 fsec->isid = isec->sid;
3706 fsec->pseqno = avc_policy_seqno();
3707 /*
3708 * Since the inode label or policy seqno may have changed
3709 * between the selinux_inode_permission check and the saving
3710 * of state above, recheck that access is still permitted.
3711 * Otherwise, access might never be revalidated against the
3712 * new inode label or new policy.
3713 * This check is not redundant - do not remove.
3714 */
3715 return file_path_has_perm(cred, file, open_file_to_av(file));
3716 }
3717
3718 /* task security operations */
3719
3720 static int selinux_task_alloc(struct task_struct *task,
3721 unsigned long clone_flags)
3722 {
3723 u32 sid = current_sid();
3724
3725 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3726 }
3727
3728 /*
3729 * allocate the SELinux part of blank credentials
3730 */
3731 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3732 {
3733 struct task_security_struct *tsec;
3734
3735 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3736 if (!tsec)
3737 return -ENOMEM;
3738
3739 cred->security = tsec;
3740 return 0;
3741 }
3742
3743 /*
3744 * detach and free the LSM part of a set of credentials
3745 */
3746 static void selinux_cred_free(struct cred *cred)
3747 {
3748 struct task_security_struct *tsec = cred->security;
3749
3750 /*
3751 * cred->security == NULL if security_cred_alloc_blank() or
3752 * security_prepare_creds() returned an error.
3753 */
3754 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3755 cred->security = (void *) 0x7UL;
3756 kfree(tsec);
3757 }
3758
3759 /*
3760 * prepare a new set of credentials for modification
3761 */
3762 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3763 gfp_t gfp)
3764 {
3765 const struct task_security_struct *old_tsec;
3766 struct task_security_struct *tsec;
3767
3768 old_tsec = old->security;
3769
3770 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3771 if (!tsec)
3772 return -ENOMEM;
3773
3774 new->security = tsec;
3775 return 0;
3776 }
3777
3778 /*
3779 * transfer the SELinux data to a blank set of creds
3780 */
3781 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3782 {
3783 const struct task_security_struct *old_tsec = old->security;
3784 struct task_security_struct *tsec = new->security;
3785
3786 *tsec = *old_tsec;
3787 }
3788
3789 /*
3790 * set the security data for a kernel service
3791 * - all the creation contexts are set to unlabelled
3792 */
3793 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3794 {
3795 struct task_security_struct *tsec = new->security;
3796 u32 sid = current_sid();
3797 int ret;
3798
3799 ret = avc_has_perm(sid, secid,
3800 SECCLASS_KERNEL_SERVICE,
3801 KERNEL_SERVICE__USE_AS_OVERRIDE,
3802 NULL);
3803 if (ret == 0) {
3804 tsec->sid = secid;
3805 tsec->create_sid = 0;
3806 tsec->keycreate_sid = 0;
3807 tsec->sockcreate_sid = 0;
3808 }
3809 return ret;
3810 }
3811
3812 /*
3813 * set the file creation context in a security record to the same as the
3814 * objective context of the specified inode
3815 */
3816 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3817 {
3818 struct inode_security_struct *isec = inode_security(inode);
3819 struct task_security_struct *tsec = new->security;
3820 u32 sid = current_sid();
3821 int ret;
3822
3823 ret = avc_has_perm(sid, isec->sid,
3824 SECCLASS_KERNEL_SERVICE,
3825 KERNEL_SERVICE__CREATE_FILES_AS,
3826 NULL);
3827
3828 if (ret == 0)
3829 tsec->create_sid = isec->sid;
3830 return ret;
3831 }
3832
3833 static int selinux_kernel_module_request(char *kmod_name)
3834 {
3835 struct common_audit_data ad;
3836
3837 ad.type = LSM_AUDIT_DATA_KMOD;
3838 ad.u.kmod_name = kmod_name;
3839
3840 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3841 SYSTEM__MODULE_REQUEST, &ad);
3842 }
3843
3844 static int selinux_kernel_module_from_file(struct file *file)
3845 {
3846 struct common_audit_data ad;
3847 struct inode_security_struct *isec;
3848 struct file_security_struct *fsec;
3849 u32 sid = current_sid();
3850 int rc;
3851
3852 /* init_module */
3853 if (file == NULL)
3854 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3855 SYSTEM__MODULE_LOAD, NULL);
3856
3857 /* finit_module */
3858
3859 ad.type = LSM_AUDIT_DATA_FILE;
3860 ad.u.file = file;
3861
3862 fsec = file->f_security;
3863 if (sid != fsec->sid) {
3864 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3865 if (rc)
3866 return rc;
3867 }
3868
3869 isec = inode_security(file_inode(file));
3870 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3871 SYSTEM__MODULE_LOAD, &ad);
3872 }
3873
3874 static int selinux_kernel_read_file(struct file *file,
3875 enum kernel_read_file_id id)
3876 {
3877 int rc = 0;
3878
3879 switch (id) {
3880 case READING_MODULE:
3881 rc = selinux_kernel_module_from_file(file);
3882 break;
3883 default:
3884 break;
3885 }
3886
3887 return rc;
3888 }
3889
3890 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3891 {
3892 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3893 PROCESS__SETPGID, NULL);
3894 }
3895
3896 static int selinux_task_getpgid(struct task_struct *p)
3897 {
3898 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3899 PROCESS__GETPGID, NULL);
3900 }
3901
3902 static int selinux_task_getsid(struct task_struct *p)
3903 {
3904 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3905 PROCESS__GETSESSION, NULL);
3906 }
3907
3908 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3909 {
3910 *secid = task_sid(p);
3911 }
3912
3913 static int selinux_task_setnice(struct task_struct *p, int nice)
3914 {
3915 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3916 PROCESS__SETSCHED, NULL);
3917 }
3918
3919 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3920 {
3921 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3922 PROCESS__SETSCHED, NULL);
3923 }
3924
3925 static int selinux_task_getioprio(struct task_struct *p)
3926 {
3927 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3928 PROCESS__GETSCHED, NULL);
3929 }
3930
3931 int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3932 unsigned int flags)
3933 {
3934 u32 av = 0;
3935
3936 if (!flags)
3937 return 0;
3938 if (flags & LSM_PRLIMIT_WRITE)
3939 av |= PROCESS__SETRLIMIT;
3940 if (flags & LSM_PRLIMIT_READ)
3941 av |= PROCESS__GETRLIMIT;
3942 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
3943 SECCLASS_PROCESS, av, NULL);
3944 }
3945
3946 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3947 struct rlimit *new_rlim)
3948 {
3949 struct rlimit *old_rlim = p->signal->rlim + resource;
3950
3951 /* Control the ability to change the hard limit (whether
3952 lowering or raising it), so that the hard limit can
3953 later be used as a safe reset point for the soft limit
3954 upon context transitions. See selinux_bprm_committing_creds. */
3955 if (old_rlim->rlim_max != new_rlim->rlim_max)
3956 return avc_has_perm(current_sid(), task_sid(p),
3957 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
3958
3959 return 0;
3960 }
3961
3962 static int selinux_task_setscheduler(struct task_struct *p)
3963 {
3964 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3965 PROCESS__SETSCHED, NULL);
3966 }
3967
3968 static int selinux_task_getscheduler(struct task_struct *p)
3969 {
3970 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3971 PROCESS__GETSCHED, NULL);
3972 }
3973
3974 static int selinux_task_movememory(struct task_struct *p)
3975 {
3976 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3977 PROCESS__SETSCHED, NULL);
3978 }
3979
3980 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3981 int sig, u32 secid)
3982 {
3983 u32 perm;
3984
3985 if (!sig)
3986 perm = PROCESS__SIGNULL; /* null signal; existence test */
3987 else
3988 perm = signal_to_av(sig);
3989 if (!secid)
3990 secid = current_sid();
3991 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
3992 }
3993
3994 static void selinux_task_to_inode(struct task_struct *p,
3995 struct inode *inode)
3996 {
3997 struct inode_security_struct *isec = inode->i_security;
3998 u32 sid = task_sid(p);
3999
4000 spin_lock(&isec->lock);
4001 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4002 isec->sid = sid;
4003 isec->initialized = LABEL_INITIALIZED;
4004 spin_unlock(&isec->lock);
4005 }
4006
4007 /* Returns error only if unable to parse addresses */
4008 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4009 struct common_audit_data *ad, u8 *proto)
4010 {
4011 int offset, ihlen, ret = -EINVAL;
4012 struct iphdr _iph, *ih;
4013
4014 offset = skb_network_offset(skb);
4015 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4016 if (ih == NULL)
4017 goto out;
4018
4019 ihlen = ih->ihl * 4;
4020 if (ihlen < sizeof(_iph))
4021 goto out;
4022
4023 ad->u.net->v4info.saddr = ih->saddr;
4024 ad->u.net->v4info.daddr = ih->daddr;
4025 ret = 0;
4026
4027 if (proto)
4028 *proto = ih->protocol;
4029
4030 switch (ih->protocol) {
4031 case IPPROTO_TCP: {
4032 struct tcphdr _tcph, *th;
4033
4034 if (ntohs(ih->frag_off) & IP_OFFSET)
4035 break;
4036
4037 offset += ihlen;
4038 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4039 if (th == NULL)
4040 break;
4041
4042 ad->u.net->sport = th->source;
4043 ad->u.net->dport = th->dest;
4044 break;
4045 }
4046
4047 case IPPROTO_UDP: {
4048 struct udphdr _udph, *uh;
4049
4050 if (ntohs(ih->frag_off) & IP_OFFSET)
4051 break;
4052
4053 offset += ihlen;
4054 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4055 if (uh == NULL)
4056 break;
4057
4058 ad->u.net->sport = uh->source;
4059 ad->u.net->dport = uh->dest;
4060 break;
4061 }
4062
4063 case IPPROTO_DCCP: {
4064 struct dccp_hdr _dccph, *dh;
4065
4066 if (ntohs(ih->frag_off) & IP_OFFSET)
4067 break;
4068
4069 offset += ihlen;
4070 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4071 if (dh == NULL)
4072 break;
4073
4074 ad->u.net->sport = dh->dccph_sport;
4075 ad->u.net->dport = dh->dccph_dport;
4076 break;
4077 }
4078
4079 default:
4080 break;
4081 }
4082 out:
4083 return ret;
4084 }
4085
4086 #if IS_ENABLED(CONFIG_IPV6)
4087
4088 /* Returns error only if unable to parse addresses */
4089 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4090 struct common_audit_data *ad, u8 *proto)
4091 {
4092 u8 nexthdr;
4093 int ret = -EINVAL, offset;
4094 struct ipv6hdr _ipv6h, *ip6;
4095 __be16 frag_off;
4096
4097 offset = skb_network_offset(skb);
4098 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4099 if (ip6 == NULL)
4100 goto out;
4101
4102 ad->u.net->v6info.saddr = ip6->saddr;
4103 ad->u.net->v6info.daddr = ip6->daddr;
4104 ret = 0;
4105
4106 nexthdr = ip6->nexthdr;
4107 offset += sizeof(_ipv6h);
4108 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4109 if (offset < 0)
4110 goto out;
4111
4112 if (proto)
4113 *proto = nexthdr;
4114
4115 switch (nexthdr) {
4116 case IPPROTO_TCP: {
4117 struct tcphdr _tcph, *th;
4118
4119 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4120 if (th == NULL)
4121 break;
4122
4123 ad->u.net->sport = th->source;
4124 ad->u.net->dport = th->dest;
4125 break;
4126 }
4127
4128 case IPPROTO_UDP: {
4129 struct udphdr _udph, *uh;
4130
4131 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4132 if (uh == NULL)
4133 break;
4134
4135 ad->u.net->sport = uh->source;
4136 ad->u.net->dport = uh->dest;
4137 break;
4138 }
4139
4140 case IPPROTO_DCCP: {
4141 struct dccp_hdr _dccph, *dh;
4142
4143 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4144 if (dh == NULL)
4145 break;
4146
4147 ad->u.net->sport = dh->dccph_sport;
4148 ad->u.net->dport = dh->dccph_dport;
4149 break;
4150 }
4151
4152 /* includes fragments */
4153 default:
4154 break;
4155 }
4156 out:
4157 return ret;
4158 }
4159
4160 #endif /* IPV6 */
4161
4162 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4163 char **_addrp, int src, u8 *proto)
4164 {
4165 char *addrp;
4166 int ret;
4167
4168 switch (ad->u.net->family) {
4169 case PF_INET:
4170 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4171 if (ret)
4172 goto parse_error;
4173 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4174 &ad->u.net->v4info.daddr);
4175 goto okay;
4176
4177 #if IS_ENABLED(CONFIG_IPV6)
4178 case PF_INET6:
4179 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4180 if (ret)
4181 goto parse_error;
4182 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4183 &ad->u.net->v6info.daddr);
4184 goto okay;
4185 #endif /* IPV6 */
4186 default:
4187 addrp = NULL;
4188 goto okay;
4189 }
4190
4191 parse_error:
4192 printk(KERN_WARNING
4193 "SELinux: failure in selinux_parse_skb(),"
4194 " unable to parse packet\n");
4195 return ret;
4196
4197 okay:
4198 if (_addrp)
4199 *_addrp = addrp;
4200 return 0;
4201 }
4202
4203 /**
4204 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4205 * @skb: the packet
4206 * @family: protocol family
4207 * @sid: the packet's peer label SID
4208 *
4209 * Description:
4210 * Check the various different forms of network peer labeling and determine
4211 * the peer label/SID for the packet; most of the magic actually occurs in
4212 * the security server function security_net_peersid_cmp(). The function
4213 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4214 * or -EACCES if @sid is invalid due to inconsistencies with the different
4215 * peer labels.
4216 *
4217 */
4218 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4219 {
4220 int err;
4221 u32 xfrm_sid;
4222 u32 nlbl_sid;
4223 u32 nlbl_type;
4224
4225 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4226 if (unlikely(err))
4227 return -EACCES;
4228 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4229 if (unlikely(err))
4230 return -EACCES;
4231
4232 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4233 if (unlikely(err)) {
4234 printk(KERN_WARNING
4235 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4236 " unable to determine packet's peer label\n");
4237 return -EACCES;
4238 }
4239
4240 return 0;
4241 }
4242
4243 /**
4244 * selinux_conn_sid - Determine the child socket label for a connection
4245 * @sk_sid: the parent socket's SID
4246 * @skb_sid: the packet's SID
4247 * @conn_sid: the resulting connection SID
4248 *
4249 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4250 * combined with the MLS information from @skb_sid in order to create
4251 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4252 * of @sk_sid. Returns zero on success, negative values on failure.
4253 *
4254 */
4255 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4256 {
4257 int err = 0;
4258
4259 if (skb_sid != SECSID_NULL)
4260 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4261 else
4262 *conn_sid = sk_sid;
4263
4264 return err;
4265 }
4266
4267 /* socket security operations */
4268
4269 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4270 u16 secclass, u32 *socksid)
4271 {
4272 if (tsec->sockcreate_sid > SECSID_NULL) {
4273 *socksid = tsec->sockcreate_sid;
4274 return 0;
4275 }
4276
4277 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4278 socksid);
4279 }
4280
4281 static int sock_has_perm(struct sock *sk, u32 perms)
4282 {
4283 struct sk_security_struct *sksec = sk->sk_security;
4284 struct common_audit_data ad;
4285 struct lsm_network_audit net = {0,};
4286
4287 if (sksec->sid == SECINITSID_KERNEL)
4288 return 0;
4289
4290 ad.type = LSM_AUDIT_DATA_NET;
4291 ad.u.net = &net;
4292 ad.u.net->sk = sk;
4293
4294 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4295 &ad);
4296 }
4297
4298 static int selinux_socket_create(int family, int type,
4299 int protocol, int kern)
4300 {
4301 const struct task_security_struct *tsec = current_security();
4302 u32 newsid;
4303 u16 secclass;
4304 int rc;
4305
4306 if (kern)
4307 return 0;
4308
4309 secclass = socket_type_to_security_class(family, type, protocol);
4310 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4311 if (rc)
4312 return rc;
4313
4314 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4315 }
4316
4317 static int selinux_socket_post_create(struct socket *sock, int family,
4318 int type, int protocol, int kern)
4319 {
4320 const struct task_security_struct *tsec = current_security();
4321 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4322 struct sk_security_struct *sksec;
4323 u16 sclass = socket_type_to_security_class(family, type, protocol);
4324 u32 sid = SECINITSID_KERNEL;
4325 int err = 0;
4326
4327 if (!kern) {
4328 err = socket_sockcreate_sid(tsec, sclass, &sid);
4329 if (err)
4330 return err;
4331 }
4332
4333 isec->sclass = sclass;
4334 isec->sid = sid;
4335 isec->initialized = LABEL_INITIALIZED;
4336
4337 if (sock->sk) {
4338 sksec = sock->sk->sk_security;
4339 sksec->sclass = sclass;
4340 sksec->sid = sid;
4341 err = selinux_netlbl_socket_post_create(sock->sk, family);
4342 }
4343
4344 return err;
4345 }
4346
4347 /* Range of port numbers used to automatically bind.
4348 Need to determine whether we should perform a name_bind
4349 permission check between the socket and the port number. */
4350
4351 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4352 {
4353 struct sock *sk = sock->sk;
4354 u16 family;
4355 int err;
4356
4357 err = sock_has_perm(sk, SOCKET__BIND);
4358 if (err)
4359 goto out;
4360
4361 /*
4362 * If PF_INET or PF_INET6, check name_bind permission for the port.
4363 * Multiple address binding for SCTP is not supported yet: we just
4364 * check the first address now.
4365 */
4366 family = sk->sk_family;
4367 if (family == PF_INET || family == PF_INET6) {
4368 char *addrp;
4369 struct sk_security_struct *sksec = sk->sk_security;
4370 struct common_audit_data ad;
4371 struct lsm_network_audit net = {0,};
4372 struct sockaddr_in *addr4 = NULL;
4373 struct sockaddr_in6 *addr6 = NULL;
4374 unsigned short snum;
4375 u32 sid, node_perm;
4376
4377 if (family == PF_INET) {
4378 if (addrlen < sizeof(struct sockaddr_in)) {
4379 err = -EINVAL;
4380 goto out;
4381 }
4382 addr4 = (struct sockaddr_in *)address;
4383 snum = ntohs(addr4->sin_port);
4384 addrp = (char *)&addr4->sin_addr.s_addr;
4385 } else {
4386 if (addrlen < SIN6_LEN_RFC2133) {
4387 err = -EINVAL;
4388 goto out;
4389 }
4390 addr6 = (struct sockaddr_in6 *)address;
4391 snum = ntohs(addr6->sin6_port);
4392 addrp = (char *)&addr6->sin6_addr.s6_addr;
4393 }
4394
4395 if (snum) {
4396 int low, high;
4397
4398 inet_get_local_port_range(sock_net(sk), &low, &high);
4399
4400 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4401 snum > high) {
4402 err = sel_netport_sid(sk->sk_protocol,
4403 snum, &sid);
4404 if (err)
4405 goto out;
4406 ad.type = LSM_AUDIT_DATA_NET;
4407 ad.u.net = &net;
4408 ad.u.net->sport = htons(snum);
4409 ad.u.net->family = family;
4410 err = avc_has_perm(sksec->sid, sid,
4411 sksec->sclass,
4412 SOCKET__NAME_BIND, &ad);
4413 if (err)
4414 goto out;
4415 }
4416 }
4417
4418 switch (sksec->sclass) {
4419 case SECCLASS_TCP_SOCKET:
4420 node_perm = TCP_SOCKET__NODE_BIND;
4421 break;
4422
4423 case SECCLASS_UDP_SOCKET:
4424 node_perm = UDP_SOCKET__NODE_BIND;
4425 break;
4426
4427 case SECCLASS_DCCP_SOCKET:
4428 node_perm = DCCP_SOCKET__NODE_BIND;
4429 break;
4430
4431 default:
4432 node_perm = RAWIP_SOCKET__NODE_BIND;
4433 break;
4434 }
4435
4436 err = sel_netnode_sid(addrp, family, &sid);
4437 if (err)
4438 goto out;
4439
4440 ad.type = LSM_AUDIT_DATA_NET;
4441 ad.u.net = &net;
4442 ad.u.net->sport = htons(snum);
4443 ad.u.net->family = family;
4444
4445 if (family == PF_INET)
4446 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4447 else
4448 ad.u.net->v6info.saddr = addr6->sin6_addr;
4449
4450 err = avc_has_perm(sksec->sid, sid,
4451 sksec->sclass, node_perm, &ad);
4452 if (err)
4453 goto out;
4454 }
4455 out:
4456 return err;
4457 }
4458
4459 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4460 {
4461 struct sock *sk = sock->sk;
4462 struct sk_security_struct *sksec = sk->sk_security;
4463 int err;
4464
4465 err = sock_has_perm(sk, SOCKET__CONNECT);
4466 if (err)
4467 return err;
4468
4469 /*
4470 * If a TCP or DCCP socket, check name_connect permission for the port.
4471 */
4472 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4473 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4474 struct common_audit_data ad;
4475 struct lsm_network_audit net = {0,};
4476 struct sockaddr_in *addr4 = NULL;
4477 struct sockaddr_in6 *addr6 = NULL;
4478 unsigned short snum;
4479 u32 sid, perm;
4480
4481 if (sk->sk_family == PF_INET) {
4482 addr4 = (struct sockaddr_in *)address;
4483 if (addrlen < sizeof(struct sockaddr_in))
4484 return -EINVAL;
4485 snum = ntohs(addr4->sin_port);
4486 } else {
4487 addr6 = (struct sockaddr_in6 *)address;
4488 if (addrlen < SIN6_LEN_RFC2133)
4489 return -EINVAL;
4490 snum = ntohs(addr6->sin6_port);
4491 }
4492
4493 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4494 if (err)
4495 goto out;
4496
4497 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4498 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4499
4500 ad.type = LSM_AUDIT_DATA_NET;
4501 ad.u.net = &net;
4502 ad.u.net->dport = htons(snum);
4503 ad.u.net->family = sk->sk_family;
4504 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4505 if (err)
4506 goto out;
4507 }
4508
4509 err = selinux_netlbl_socket_connect(sk, address);
4510
4511 out:
4512 return err;
4513 }
4514
4515 static int selinux_socket_listen(struct socket *sock, int backlog)
4516 {
4517 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4518 }
4519
4520 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4521 {
4522 int err;
4523 struct inode_security_struct *isec;
4524 struct inode_security_struct *newisec;
4525 u16 sclass;
4526 u32 sid;
4527
4528 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4529 if (err)
4530 return err;
4531
4532 isec = inode_security_novalidate(SOCK_INODE(sock));
4533 spin_lock(&isec->lock);
4534 sclass = isec->sclass;
4535 sid = isec->sid;
4536 spin_unlock(&isec->lock);
4537
4538 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4539 newisec->sclass = sclass;
4540 newisec->sid = sid;
4541 newisec->initialized = LABEL_INITIALIZED;
4542
4543 return 0;
4544 }
4545
4546 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4547 int size)
4548 {
4549 return sock_has_perm(sock->sk, SOCKET__WRITE);
4550 }
4551
4552 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4553 int size, int flags)
4554 {
4555 return sock_has_perm(sock->sk, SOCKET__READ);
4556 }
4557
4558 static int selinux_socket_getsockname(struct socket *sock)
4559 {
4560 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4561 }
4562
4563 static int selinux_socket_getpeername(struct socket *sock)
4564 {
4565 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4566 }
4567
4568 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4569 {
4570 int err;
4571
4572 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4573 if (err)
4574 return err;
4575
4576 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4577 }
4578
4579 static int selinux_socket_getsockopt(struct socket *sock, int level,
4580 int optname)
4581 {
4582 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4583 }
4584
4585 static int selinux_socket_shutdown(struct socket *sock, int how)
4586 {
4587 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4588 }
4589
4590 static int selinux_socket_unix_stream_connect(struct sock *sock,
4591 struct sock *other,
4592 struct sock *newsk)
4593 {
4594 struct sk_security_struct *sksec_sock = sock->sk_security;
4595 struct sk_security_struct *sksec_other = other->sk_security;
4596 struct sk_security_struct *sksec_new = newsk->sk_security;
4597 struct common_audit_data ad;
4598 struct lsm_network_audit net = {0,};
4599 int err;
4600
4601 ad.type = LSM_AUDIT_DATA_NET;
4602 ad.u.net = &net;
4603 ad.u.net->sk = other;
4604
4605 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4606 sksec_other->sclass,
4607 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4608 if (err)
4609 return err;
4610
4611 /* server child socket */
4612 sksec_new->peer_sid = sksec_sock->sid;
4613 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4614 &sksec_new->sid);
4615 if (err)
4616 return err;
4617
4618 /* connecting socket */
4619 sksec_sock->peer_sid = sksec_new->sid;
4620
4621 return 0;
4622 }
4623
4624 static int selinux_socket_unix_may_send(struct socket *sock,
4625 struct socket *other)
4626 {
4627 struct sk_security_struct *ssec = sock->sk->sk_security;
4628 struct sk_security_struct *osec = other->sk->sk_security;
4629 struct common_audit_data ad;
4630 struct lsm_network_audit net = {0,};
4631
4632 ad.type = LSM_AUDIT_DATA_NET;
4633 ad.u.net = &net;
4634 ad.u.net->sk = other->sk;
4635
4636 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4637 &ad);
4638 }
4639
4640 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4641 char *addrp, u16 family, u32 peer_sid,
4642 struct common_audit_data *ad)
4643 {
4644 int err;
4645 u32 if_sid;
4646 u32 node_sid;
4647
4648 err = sel_netif_sid(ns, ifindex, &if_sid);
4649 if (err)
4650 return err;
4651 err = avc_has_perm(peer_sid, if_sid,
4652 SECCLASS_NETIF, NETIF__INGRESS, ad);
4653 if (err)
4654 return err;
4655
4656 err = sel_netnode_sid(addrp, family, &node_sid);
4657 if (err)
4658 return err;
4659 return avc_has_perm(peer_sid, node_sid,
4660 SECCLASS_NODE, NODE__RECVFROM, ad);
4661 }
4662
4663 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4664 u16 family)
4665 {
4666 int err = 0;
4667 struct sk_security_struct *sksec = sk->sk_security;
4668 u32 sk_sid = sksec->sid;
4669 struct common_audit_data ad;
4670 struct lsm_network_audit net = {0,};
4671 char *addrp;
4672
4673 ad.type = LSM_AUDIT_DATA_NET;
4674 ad.u.net = &net;
4675 ad.u.net->netif = skb->skb_iif;
4676 ad.u.net->family = family;
4677 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4678 if (err)
4679 return err;
4680
4681 if (selinux_secmark_enabled()) {
4682 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4683 PACKET__RECV, &ad);
4684 if (err)
4685 return err;
4686 }
4687
4688 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4689 if (err)
4690 return err;
4691 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4692
4693 return err;
4694 }
4695
4696 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4697 {
4698 int err;
4699 struct sk_security_struct *sksec = sk->sk_security;
4700 u16 family = sk->sk_family;
4701 u32 sk_sid = sksec->sid;
4702 struct common_audit_data ad;
4703 struct lsm_network_audit net = {0,};
4704 char *addrp;
4705 u8 secmark_active;
4706 u8 peerlbl_active;
4707
4708 if (family != PF_INET && family != PF_INET6)
4709 return 0;
4710
4711 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4712 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4713 family = PF_INET;
4714
4715 /* If any sort of compatibility mode is enabled then handoff processing
4716 * to the selinux_sock_rcv_skb_compat() function to deal with the
4717 * special handling. We do this in an attempt to keep this function
4718 * as fast and as clean as possible. */
4719 if (!selinux_policycap_netpeer)
4720 return selinux_sock_rcv_skb_compat(sk, skb, family);
4721
4722 secmark_active = selinux_secmark_enabled();
4723 peerlbl_active = selinux_peerlbl_enabled();
4724 if (!secmark_active && !peerlbl_active)
4725 return 0;
4726
4727 ad.type = LSM_AUDIT_DATA_NET;
4728 ad.u.net = &net;
4729 ad.u.net->netif = skb->skb_iif;
4730 ad.u.net->family = family;
4731 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4732 if (err)
4733 return err;
4734
4735 if (peerlbl_active) {
4736 u32 peer_sid;
4737
4738 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4739 if (err)
4740 return err;
4741 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4742 addrp, family, peer_sid, &ad);
4743 if (err) {
4744 selinux_netlbl_err(skb, family, err, 0);
4745 return err;
4746 }
4747 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4748 PEER__RECV, &ad);
4749 if (err) {
4750 selinux_netlbl_err(skb, family, err, 0);
4751 return err;
4752 }
4753 }
4754
4755 if (secmark_active) {
4756 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4757 PACKET__RECV, &ad);
4758 if (err)
4759 return err;
4760 }
4761
4762 return err;
4763 }
4764
4765 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4766 int __user *optlen, unsigned len)
4767 {
4768 int err = 0;
4769 char *scontext;
4770 u32 scontext_len;
4771 struct sk_security_struct *sksec = sock->sk->sk_security;
4772 u32 peer_sid = SECSID_NULL;
4773
4774 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4775 sksec->sclass == SECCLASS_TCP_SOCKET)
4776 peer_sid = sksec->peer_sid;
4777 if (peer_sid == SECSID_NULL)
4778 return -ENOPROTOOPT;
4779
4780 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4781 if (err)
4782 return err;
4783
4784 if (scontext_len > len) {
4785 err = -ERANGE;
4786 goto out_len;
4787 }
4788
4789 if (copy_to_user(optval, scontext, scontext_len))
4790 err = -EFAULT;
4791
4792 out_len:
4793 if (put_user(scontext_len, optlen))
4794 err = -EFAULT;
4795 kfree(scontext);
4796 return err;
4797 }
4798
4799 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4800 {
4801 u32 peer_secid = SECSID_NULL;
4802 u16 family;
4803 struct inode_security_struct *isec;
4804
4805 if (skb && skb->protocol == htons(ETH_P_IP))
4806 family = PF_INET;
4807 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4808 family = PF_INET6;
4809 else if (sock)
4810 family = sock->sk->sk_family;
4811 else
4812 goto out;
4813
4814 if (sock && family == PF_UNIX) {
4815 isec = inode_security_novalidate(SOCK_INODE(sock));
4816 peer_secid = isec->sid;
4817 } else if (skb)
4818 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4819
4820 out:
4821 *secid = peer_secid;
4822 if (peer_secid == SECSID_NULL)
4823 return -EINVAL;
4824 return 0;
4825 }
4826
4827 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4828 {
4829 struct sk_security_struct *sksec;
4830
4831 sksec = kzalloc(sizeof(*sksec), priority);
4832 if (!sksec)
4833 return -ENOMEM;
4834
4835 sksec->peer_sid = SECINITSID_UNLABELED;
4836 sksec->sid = SECINITSID_UNLABELED;
4837 sksec->sclass = SECCLASS_SOCKET;
4838 selinux_netlbl_sk_security_reset(sksec);
4839 sk->sk_security = sksec;
4840
4841 return 0;
4842 }
4843
4844 static void selinux_sk_free_security(struct sock *sk)
4845 {
4846 struct sk_security_struct *sksec = sk->sk_security;
4847
4848 sk->sk_security = NULL;
4849 selinux_netlbl_sk_security_free(sksec);
4850 kfree(sksec);
4851 }
4852
4853 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4854 {
4855 struct sk_security_struct *sksec = sk->sk_security;
4856 struct sk_security_struct *newsksec = newsk->sk_security;
4857
4858 newsksec->sid = sksec->sid;
4859 newsksec->peer_sid = sksec->peer_sid;
4860 newsksec->sclass = sksec->sclass;
4861
4862 selinux_netlbl_sk_security_reset(newsksec);
4863 }
4864
4865 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4866 {
4867 if (!sk)
4868 *secid = SECINITSID_ANY_SOCKET;
4869 else {
4870 struct sk_security_struct *sksec = sk->sk_security;
4871
4872 *secid = sksec->sid;
4873 }
4874 }
4875
4876 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4877 {
4878 struct inode_security_struct *isec =
4879 inode_security_novalidate(SOCK_INODE(parent));
4880 struct sk_security_struct *sksec = sk->sk_security;
4881
4882 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4883 sk->sk_family == PF_UNIX)
4884 isec->sid = sksec->sid;
4885 sksec->sclass = isec->sclass;
4886 }
4887
4888 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4889 struct request_sock *req)
4890 {
4891 struct sk_security_struct *sksec = sk->sk_security;
4892 int err;
4893 u16 family = req->rsk_ops->family;
4894 u32 connsid;
4895 u32 peersid;
4896
4897 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4898 if (err)
4899 return err;
4900 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4901 if (err)
4902 return err;
4903 req->secid = connsid;
4904 req->peer_secid = peersid;
4905
4906 return selinux_netlbl_inet_conn_request(req, family);
4907 }
4908
4909 static void selinux_inet_csk_clone(struct sock *newsk,
4910 const struct request_sock *req)
4911 {
4912 struct sk_security_struct *newsksec = newsk->sk_security;
4913
4914 newsksec->sid = req->secid;
4915 newsksec->peer_sid = req->peer_secid;
4916 /* NOTE: Ideally, we should also get the isec->sid for the
4917 new socket in sync, but we don't have the isec available yet.
4918 So we will wait until sock_graft to do it, by which
4919 time it will have been created and available. */
4920
4921 /* We don't need to take any sort of lock here as we are the only
4922 * thread with access to newsksec */
4923 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4924 }
4925
4926 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4927 {
4928 u16 family = sk->sk_family;
4929 struct sk_security_struct *sksec = sk->sk_security;
4930
4931 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4932 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4933 family = PF_INET;
4934
4935 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4936 }
4937
4938 static int selinux_secmark_relabel_packet(u32 sid)
4939 {
4940 const struct task_security_struct *__tsec;
4941 u32 tsid;
4942
4943 __tsec = current_security();
4944 tsid = __tsec->sid;
4945
4946 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4947 }
4948
4949 static void selinux_secmark_refcount_inc(void)
4950 {
4951 atomic_inc(&selinux_secmark_refcount);
4952 }
4953
4954 static void selinux_secmark_refcount_dec(void)
4955 {
4956 atomic_dec(&selinux_secmark_refcount);
4957 }
4958
4959 static void selinux_req_classify_flow(const struct request_sock *req,
4960 struct flowi *fl)
4961 {
4962 fl->flowi_secid = req->secid;
4963 }
4964
4965 static int selinux_tun_dev_alloc_security(void **security)
4966 {
4967 struct tun_security_struct *tunsec;
4968
4969 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4970 if (!tunsec)
4971 return -ENOMEM;
4972 tunsec->sid = current_sid();
4973
4974 *security = tunsec;
4975 return 0;
4976 }
4977
4978 static void selinux_tun_dev_free_security(void *security)
4979 {
4980 kfree(security);
4981 }
4982
4983 static int selinux_tun_dev_create(void)
4984 {
4985 u32 sid = current_sid();
4986
4987 /* we aren't taking into account the "sockcreate" SID since the socket
4988 * that is being created here is not a socket in the traditional sense,
4989 * instead it is a private sock, accessible only to the kernel, and
4990 * representing a wide range of network traffic spanning multiple
4991 * connections unlike traditional sockets - check the TUN driver to
4992 * get a better understanding of why this socket is special */
4993
4994 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4995 NULL);
4996 }
4997
4998 static int selinux_tun_dev_attach_queue(void *security)
4999 {
5000 struct tun_security_struct *tunsec = security;
5001
5002 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5003 TUN_SOCKET__ATTACH_QUEUE, NULL);
5004 }
5005
5006 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5007 {
5008 struct tun_security_struct *tunsec = security;
5009 struct sk_security_struct *sksec = sk->sk_security;
5010
5011 /* we don't currently perform any NetLabel based labeling here and it
5012 * isn't clear that we would want to do so anyway; while we could apply
5013 * labeling without the support of the TUN user the resulting labeled
5014 * traffic from the other end of the connection would almost certainly
5015 * cause confusion to the TUN user that had no idea network labeling
5016 * protocols were being used */
5017
5018 sksec->sid = tunsec->sid;
5019 sksec->sclass = SECCLASS_TUN_SOCKET;
5020
5021 return 0;
5022 }
5023
5024 static int selinux_tun_dev_open(void *security)
5025 {
5026 struct tun_security_struct *tunsec = security;
5027 u32 sid = current_sid();
5028 int err;
5029
5030 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5031 TUN_SOCKET__RELABELFROM, NULL);
5032 if (err)
5033 return err;
5034 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5035 TUN_SOCKET__RELABELTO, NULL);
5036 if (err)
5037 return err;
5038 tunsec->sid = sid;
5039
5040 return 0;
5041 }
5042
5043 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5044 {
5045 int err = 0;
5046 u32 perm;
5047 struct nlmsghdr *nlh;
5048 struct sk_security_struct *sksec = sk->sk_security;
5049
5050 if (skb->len < NLMSG_HDRLEN) {
5051 err = -EINVAL;
5052 goto out;
5053 }
5054 nlh = nlmsg_hdr(skb);
5055
5056 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5057 if (err) {
5058 if (err == -EINVAL) {
5059 pr_warn_ratelimited("SELinux: unrecognized netlink"
5060 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5061 " pig=%d comm=%s\n",
5062 sk->sk_protocol, nlh->nlmsg_type,
5063 secclass_map[sksec->sclass - 1].name,
5064 task_pid_nr(current), current->comm);
5065 if (!selinux_enforcing || security_get_allow_unknown())
5066 err = 0;
5067 }
5068
5069 /* Ignore */
5070 if (err == -ENOENT)
5071 err = 0;
5072 goto out;
5073 }
5074
5075 err = sock_has_perm(sk, perm);
5076 out:
5077 return err;
5078 }
5079
5080 #ifdef CONFIG_NETFILTER
5081
5082 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5083 const struct net_device *indev,
5084 u16 family)
5085 {
5086 int err;
5087 char *addrp;
5088 u32 peer_sid;
5089 struct common_audit_data ad;
5090 struct lsm_network_audit net = {0,};
5091 u8 secmark_active;
5092 u8 netlbl_active;
5093 u8 peerlbl_active;
5094
5095 if (!selinux_policycap_netpeer)
5096 return NF_ACCEPT;
5097
5098 secmark_active = selinux_secmark_enabled();
5099 netlbl_active = netlbl_enabled();
5100 peerlbl_active = selinux_peerlbl_enabled();
5101 if (!secmark_active && !peerlbl_active)
5102 return NF_ACCEPT;
5103
5104 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5105 return NF_DROP;
5106
5107 ad.type = LSM_AUDIT_DATA_NET;
5108 ad.u.net = &net;
5109 ad.u.net->netif = indev->ifindex;
5110 ad.u.net->family = family;
5111 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5112 return NF_DROP;
5113
5114 if (peerlbl_active) {
5115 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5116 addrp, family, peer_sid, &ad);
5117 if (err) {
5118 selinux_netlbl_err(skb, family, err, 1);
5119 return NF_DROP;
5120 }
5121 }
5122
5123 if (secmark_active)
5124 if (avc_has_perm(peer_sid, skb->secmark,
5125 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5126 return NF_DROP;
5127
5128 if (netlbl_active)
5129 /* we do this in the FORWARD path and not the POST_ROUTING
5130 * path because we want to make sure we apply the necessary
5131 * labeling before IPsec is applied so we can leverage AH
5132 * protection */
5133 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5134 return NF_DROP;
5135
5136 return NF_ACCEPT;
5137 }
5138
5139 static unsigned int selinux_ipv4_forward(void *priv,
5140 struct sk_buff *skb,
5141 const struct nf_hook_state *state)
5142 {
5143 return selinux_ip_forward(skb, state->in, PF_INET);
5144 }
5145
5146 #if IS_ENABLED(CONFIG_IPV6)
5147 static unsigned int selinux_ipv6_forward(void *priv,
5148 struct sk_buff *skb,
5149 const struct nf_hook_state *state)
5150 {
5151 return selinux_ip_forward(skb, state->in, PF_INET6);
5152 }
5153 #endif /* IPV6 */
5154
5155 static unsigned int selinux_ip_output(struct sk_buff *skb,
5156 u16 family)
5157 {
5158 struct sock *sk;
5159 u32 sid;
5160
5161 if (!netlbl_enabled())
5162 return NF_ACCEPT;
5163
5164 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5165 * because we want to make sure we apply the necessary labeling
5166 * before IPsec is applied so we can leverage AH protection */
5167 sk = skb->sk;
5168 if (sk) {
5169 struct sk_security_struct *sksec;
5170
5171 if (sk_listener(sk))
5172 /* if the socket is the listening state then this
5173 * packet is a SYN-ACK packet which means it needs to
5174 * be labeled based on the connection/request_sock and
5175 * not the parent socket. unfortunately, we can't
5176 * lookup the request_sock yet as it isn't queued on
5177 * the parent socket until after the SYN-ACK is sent.
5178 * the "solution" is to simply pass the packet as-is
5179 * as any IP option based labeling should be copied
5180 * from the initial connection request (in the IP
5181 * layer). it is far from ideal, but until we get a
5182 * security label in the packet itself this is the
5183 * best we can do. */
5184 return NF_ACCEPT;
5185
5186 /* standard practice, label using the parent socket */
5187 sksec = sk->sk_security;
5188 sid = sksec->sid;
5189 } else
5190 sid = SECINITSID_KERNEL;
5191 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5192 return NF_DROP;
5193
5194 return NF_ACCEPT;
5195 }
5196
5197 static unsigned int selinux_ipv4_output(void *priv,
5198 struct sk_buff *skb,
5199 const struct nf_hook_state *state)
5200 {
5201 return selinux_ip_output(skb, PF_INET);
5202 }
5203
5204 #if IS_ENABLED(CONFIG_IPV6)
5205 static unsigned int selinux_ipv6_output(void *priv,
5206 struct sk_buff *skb,
5207 const struct nf_hook_state *state)
5208 {
5209 return selinux_ip_output(skb, PF_INET6);
5210 }
5211 #endif /* IPV6 */
5212
5213 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5214 int ifindex,
5215 u16 family)
5216 {
5217 struct sock *sk = skb_to_full_sk(skb);
5218 struct sk_security_struct *sksec;
5219 struct common_audit_data ad;
5220 struct lsm_network_audit net = {0,};
5221 char *addrp;
5222 u8 proto;
5223
5224 if (sk == NULL)
5225 return NF_ACCEPT;
5226 sksec = sk->sk_security;
5227
5228 ad.type = LSM_AUDIT_DATA_NET;
5229 ad.u.net = &net;
5230 ad.u.net->netif = ifindex;
5231 ad.u.net->family = family;
5232 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5233 return NF_DROP;
5234
5235 if (selinux_secmark_enabled())
5236 if (avc_has_perm(sksec->sid, skb->secmark,
5237 SECCLASS_PACKET, PACKET__SEND, &ad))
5238 return NF_DROP_ERR(-ECONNREFUSED);
5239
5240 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5241 return NF_DROP_ERR(-ECONNREFUSED);
5242
5243 return NF_ACCEPT;
5244 }
5245
5246 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5247 const struct net_device *outdev,
5248 u16 family)
5249 {
5250 u32 secmark_perm;
5251 u32 peer_sid;
5252 int ifindex = outdev->ifindex;
5253 struct sock *sk;
5254 struct common_audit_data ad;
5255 struct lsm_network_audit net = {0,};
5256 char *addrp;
5257 u8 secmark_active;
5258 u8 peerlbl_active;
5259
5260 /* If any sort of compatibility mode is enabled then handoff processing
5261 * to the selinux_ip_postroute_compat() function to deal with the
5262 * special handling. We do this in an attempt to keep this function
5263 * as fast and as clean as possible. */
5264 if (!selinux_policycap_netpeer)
5265 return selinux_ip_postroute_compat(skb, ifindex, family);
5266
5267 secmark_active = selinux_secmark_enabled();
5268 peerlbl_active = selinux_peerlbl_enabled();
5269 if (!secmark_active && !peerlbl_active)
5270 return NF_ACCEPT;
5271
5272 sk = skb_to_full_sk(skb);
5273
5274 #ifdef CONFIG_XFRM
5275 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5276 * packet transformation so allow the packet to pass without any checks
5277 * since we'll have another chance to perform access control checks
5278 * when the packet is on it's final way out.
5279 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5280 * is NULL, in this case go ahead and apply access control.
5281 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5282 * TCP listening state we cannot wait until the XFRM processing
5283 * is done as we will miss out on the SA label if we do;
5284 * unfortunately, this means more work, but it is only once per
5285 * connection. */
5286 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5287 !(sk && sk_listener(sk)))
5288 return NF_ACCEPT;
5289 #endif
5290
5291 if (sk == NULL) {
5292 /* Without an associated socket the packet is either coming
5293 * from the kernel or it is being forwarded; check the packet
5294 * to determine which and if the packet is being forwarded
5295 * query the packet directly to determine the security label. */
5296 if (skb->skb_iif) {
5297 secmark_perm = PACKET__FORWARD_OUT;
5298 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5299 return NF_DROP;
5300 } else {
5301 secmark_perm = PACKET__SEND;
5302 peer_sid = SECINITSID_KERNEL;
5303 }
5304 } else if (sk_listener(sk)) {
5305 /* Locally generated packet but the associated socket is in the
5306 * listening state which means this is a SYN-ACK packet. In
5307 * this particular case the correct security label is assigned
5308 * to the connection/request_sock but unfortunately we can't
5309 * query the request_sock as it isn't queued on the parent
5310 * socket until after the SYN-ACK packet is sent; the only
5311 * viable choice is to regenerate the label like we do in
5312 * selinux_inet_conn_request(). See also selinux_ip_output()
5313 * for similar problems. */
5314 u32 skb_sid;
5315 struct sk_security_struct *sksec;
5316
5317 sksec = sk->sk_security;
5318 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5319 return NF_DROP;
5320 /* At this point, if the returned skb peerlbl is SECSID_NULL
5321 * and the packet has been through at least one XFRM
5322 * transformation then we must be dealing with the "final"
5323 * form of labeled IPsec packet; since we've already applied
5324 * all of our access controls on this packet we can safely
5325 * pass the packet. */
5326 if (skb_sid == SECSID_NULL) {
5327 switch (family) {
5328 case PF_INET:
5329 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5330 return NF_ACCEPT;
5331 break;
5332 case PF_INET6:
5333 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5334 return NF_ACCEPT;
5335 break;
5336 default:
5337 return NF_DROP_ERR(-ECONNREFUSED);
5338 }
5339 }
5340 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5341 return NF_DROP;
5342 secmark_perm = PACKET__SEND;
5343 } else {
5344 /* Locally generated packet, fetch the security label from the
5345 * associated socket. */
5346 struct sk_security_struct *sksec = sk->sk_security;
5347 peer_sid = sksec->sid;
5348 secmark_perm = PACKET__SEND;
5349 }
5350
5351 ad.type = LSM_AUDIT_DATA_NET;
5352 ad.u.net = &net;
5353 ad.u.net->netif = ifindex;
5354 ad.u.net->family = family;
5355 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5356 return NF_DROP;
5357
5358 if (secmark_active)
5359 if (avc_has_perm(peer_sid, skb->secmark,
5360 SECCLASS_PACKET, secmark_perm, &ad))
5361 return NF_DROP_ERR(-ECONNREFUSED);
5362
5363 if (peerlbl_active) {
5364 u32 if_sid;
5365 u32 node_sid;
5366
5367 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5368 return NF_DROP;
5369 if (avc_has_perm(peer_sid, if_sid,
5370 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5371 return NF_DROP_ERR(-ECONNREFUSED);
5372
5373 if (sel_netnode_sid(addrp, family, &node_sid))
5374 return NF_DROP;
5375 if (avc_has_perm(peer_sid, node_sid,
5376 SECCLASS_NODE, NODE__SENDTO, &ad))
5377 return NF_DROP_ERR(-ECONNREFUSED);
5378 }
5379
5380 return NF_ACCEPT;
5381 }
5382
5383 static unsigned int selinux_ipv4_postroute(void *priv,
5384 struct sk_buff *skb,
5385 const struct nf_hook_state *state)
5386 {
5387 return selinux_ip_postroute(skb, state->out, PF_INET);
5388 }
5389
5390 #if IS_ENABLED(CONFIG_IPV6)
5391 static unsigned int selinux_ipv6_postroute(void *priv,
5392 struct sk_buff *skb,
5393 const struct nf_hook_state *state)
5394 {
5395 return selinux_ip_postroute(skb, state->out, PF_INET6);
5396 }
5397 #endif /* IPV6 */
5398
5399 #endif /* CONFIG_NETFILTER */
5400
5401 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5402 {
5403 return selinux_nlmsg_perm(sk, skb);
5404 }
5405
5406 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5407 u16 sclass)
5408 {
5409 struct ipc_security_struct *isec;
5410
5411 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5412 if (!isec)
5413 return -ENOMEM;
5414
5415 isec->sclass = sclass;
5416 isec->sid = current_sid();
5417 perm->security = isec;
5418
5419 return 0;
5420 }
5421
5422 static void ipc_free_security(struct kern_ipc_perm *perm)
5423 {
5424 struct ipc_security_struct *isec = perm->security;
5425 perm->security = NULL;
5426 kfree(isec);
5427 }
5428
5429 static int msg_msg_alloc_security(struct msg_msg *msg)
5430 {
5431 struct msg_security_struct *msec;
5432
5433 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5434 if (!msec)
5435 return -ENOMEM;
5436
5437 msec->sid = SECINITSID_UNLABELED;
5438 msg->security = msec;
5439
5440 return 0;
5441 }
5442
5443 static void msg_msg_free_security(struct msg_msg *msg)
5444 {
5445 struct msg_security_struct *msec = msg->security;
5446
5447 msg->security = NULL;
5448 kfree(msec);
5449 }
5450
5451 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5452 u32 perms)
5453 {
5454 struct ipc_security_struct *isec;
5455 struct common_audit_data ad;
5456 u32 sid = current_sid();
5457
5458 isec = ipc_perms->security;
5459
5460 ad.type = LSM_AUDIT_DATA_IPC;
5461 ad.u.ipc_id = ipc_perms->key;
5462
5463 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5464 }
5465
5466 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5467 {
5468 return msg_msg_alloc_security(msg);
5469 }
5470
5471 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5472 {
5473 msg_msg_free_security(msg);
5474 }
5475
5476 /* message queue security operations */
5477 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5478 {
5479 struct ipc_security_struct *isec;
5480 struct common_audit_data ad;
5481 u32 sid = current_sid();
5482 int rc;
5483
5484 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
5485 if (rc)
5486 return rc;
5487
5488 isec = msq->q_perm.security;
5489
5490 ad.type = LSM_AUDIT_DATA_IPC;
5491 ad.u.ipc_id = msq->q_perm.key;
5492
5493 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5494 MSGQ__CREATE, &ad);
5495 if (rc) {
5496 ipc_free_security(&msq->q_perm);
5497 return rc;
5498 }
5499 return 0;
5500 }
5501
5502 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5503 {
5504 ipc_free_security(&msq->q_perm);
5505 }
5506
5507 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5508 {
5509 struct ipc_security_struct *isec;
5510 struct common_audit_data ad;
5511 u32 sid = current_sid();
5512
5513 isec = msq->q_perm.security;
5514
5515 ad.type = LSM_AUDIT_DATA_IPC;
5516 ad.u.ipc_id = msq->q_perm.key;
5517
5518 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5519 MSGQ__ASSOCIATE, &ad);
5520 }
5521
5522 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5523 {
5524 int err;
5525 int perms;
5526
5527 switch (cmd) {
5528 case IPC_INFO:
5529 case MSG_INFO:
5530 /* No specific object, just general system-wide information. */
5531 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5532 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5533 case IPC_STAT:
5534 case MSG_STAT:
5535 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5536 break;
5537 case IPC_SET:
5538 perms = MSGQ__SETATTR;
5539 break;
5540 case IPC_RMID:
5541 perms = MSGQ__DESTROY;
5542 break;
5543 default:
5544 return 0;
5545 }
5546
5547 err = ipc_has_perm(&msq->q_perm, perms);
5548 return err;
5549 }
5550
5551 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5552 {
5553 struct ipc_security_struct *isec;
5554 struct msg_security_struct *msec;
5555 struct common_audit_data ad;
5556 u32 sid = current_sid();
5557 int rc;
5558
5559 isec = msq->q_perm.security;
5560 msec = msg->security;
5561
5562 /*
5563 * First time through, need to assign label to the message
5564 */
5565 if (msec->sid == SECINITSID_UNLABELED) {
5566 /*
5567 * Compute new sid based on current process and
5568 * message queue this message will be stored in
5569 */
5570 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5571 NULL, &msec->sid);
5572 if (rc)
5573 return rc;
5574 }
5575
5576 ad.type = LSM_AUDIT_DATA_IPC;
5577 ad.u.ipc_id = msq->q_perm.key;
5578
5579 /* Can this process write to the queue? */
5580 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5581 MSGQ__WRITE, &ad);
5582 if (!rc)
5583 /* Can this process send the message */
5584 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5585 MSG__SEND, &ad);
5586 if (!rc)
5587 /* Can the message be put in the queue? */
5588 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5589 MSGQ__ENQUEUE, &ad);
5590
5591 return rc;
5592 }
5593
5594 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5595 struct task_struct *target,
5596 long type, int mode)
5597 {
5598 struct ipc_security_struct *isec;
5599 struct msg_security_struct *msec;
5600 struct common_audit_data ad;
5601 u32 sid = task_sid(target);
5602 int rc;
5603
5604 isec = msq->q_perm.security;
5605 msec = msg->security;
5606
5607 ad.type = LSM_AUDIT_DATA_IPC;
5608 ad.u.ipc_id = msq->q_perm.key;
5609
5610 rc = avc_has_perm(sid, isec->sid,
5611 SECCLASS_MSGQ, MSGQ__READ, &ad);
5612 if (!rc)
5613 rc = avc_has_perm(sid, msec->sid,
5614 SECCLASS_MSG, MSG__RECEIVE, &ad);
5615 return rc;
5616 }
5617
5618 /* Shared Memory security operations */
5619 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5620 {
5621 struct ipc_security_struct *isec;
5622 struct common_audit_data ad;
5623 u32 sid = current_sid();
5624 int rc;
5625
5626 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
5627 if (rc)
5628 return rc;
5629
5630 isec = shp->shm_perm.security;
5631
5632 ad.type = LSM_AUDIT_DATA_IPC;
5633 ad.u.ipc_id = shp->shm_perm.key;
5634
5635 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5636 SHM__CREATE, &ad);
5637 if (rc) {
5638 ipc_free_security(&shp->shm_perm);
5639 return rc;
5640 }
5641 return 0;
5642 }
5643
5644 static void selinux_shm_free_security(struct shmid_kernel *shp)
5645 {
5646 ipc_free_security(&shp->shm_perm);
5647 }
5648
5649 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5650 {
5651 struct ipc_security_struct *isec;
5652 struct common_audit_data ad;
5653 u32 sid = current_sid();
5654
5655 isec = shp->shm_perm.security;
5656
5657 ad.type = LSM_AUDIT_DATA_IPC;
5658 ad.u.ipc_id = shp->shm_perm.key;
5659
5660 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5661 SHM__ASSOCIATE, &ad);
5662 }
5663
5664 /* Note, at this point, shp is locked down */
5665 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5666 {
5667 int perms;
5668 int err;
5669
5670 switch (cmd) {
5671 case IPC_INFO:
5672 case SHM_INFO:
5673 /* No specific object, just general system-wide information. */
5674 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5675 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5676 case IPC_STAT:
5677 case SHM_STAT:
5678 perms = SHM__GETATTR | SHM__ASSOCIATE;
5679 break;
5680 case IPC_SET:
5681 perms = SHM__SETATTR;
5682 break;
5683 case SHM_LOCK:
5684 case SHM_UNLOCK:
5685 perms = SHM__LOCK;
5686 break;
5687 case IPC_RMID:
5688 perms = SHM__DESTROY;
5689 break;
5690 default:
5691 return 0;
5692 }
5693
5694 err = ipc_has_perm(&shp->shm_perm, perms);
5695 return err;
5696 }
5697
5698 static int selinux_shm_shmat(struct shmid_kernel *shp,
5699 char __user *shmaddr, int shmflg)
5700 {
5701 u32 perms;
5702
5703 if (shmflg & SHM_RDONLY)
5704 perms = SHM__READ;
5705 else
5706 perms = SHM__READ | SHM__WRITE;
5707
5708 return ipc_has_perm(&shp->shm_perm, perms);
5709 }
5710
5711 /* Semaphore security operations */
5712 static int selinux_sem_alloc_security(struct sem_array *sma)
5713 {
5714 struct ipc_security_struct *isec;
5715 struct common_audit_data ad;
5716 u32 sid = current_sid();
5717 int rc;
5718
5719 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
5720 if (rc)
5721 return rc;
5722
5723 isec = sma->sem_perm.security;
5724
5725 ad.type = LSM_AUDIT_DATA_IPC;
5726 ad.u.ipc_id = sma->sem_perm.key;
5727
5728 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5729 SEM__CREATE, &ad);
5730 if (rc) {
5731 ipc_free_security(&sma->sem_perm);
5732 return rc;
5733 }
5734 return 0;
5735 }
5736
5737 static void selinux_sem_free_security(struct sem_array *sma)
5738 {
5739 ipc_free_security(&sma->sem_perm);
5740 }
5741
5742 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5743 {
5744 struct ipc_security_struct *isec;
5745 struct common_audit_data ad;
5746 u32 sid = current_sid();
5747
5748 isec = sma->sem_perm.security;
5749
5750 ad.type = LSM_AUDIT_DATA_IPC;
5751 ad.u.ipc_id = sma->sem_perm.key;
5752
5753 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5754 SEM__ASSOCIATE, &ad);
5755 }
5756
5757 /* Note, at this point, sma is locked down */
5758 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5759 {
5760 int err;
5761 u32 perms;
5762
5763 switch (cmd) {
5764 case IPC_INFO:
5765 case SEM_INFO:
5766 /* No specific object, just general system-wide information. */
5767 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5768 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5769 case GETPID:
5770 case GETNCNT:
5771 case GETZCNT:
5772 perms = SEM__GETATTR;
5773 break;
5774 case GETVAL:
5775 case GETALL:
5776 perms = SEM__READ;
5777 break;
5778 case SETVAL:
5779 case SETALL:
5780 perms = SEM__WRITE;
5781 break;
5782 case IPC_RMID:
5783 perms = SEM__DESTROY;
5784 break;
5785 case IPC_SET:
5786 perms = SEM__SETATTR;
5787 break;
5788 case IPC_STAT:
5789 case SEM_STAT:
5790 perms = SEM__GETATTR | SEM__ASSOCIATE;
5791 break;
5792 default:
5793 return 0;
5794 }
5795
5796 err = ipc_has_perm(&sma->sem_perm, perms);
5797 return err;
5798 }
5799
5800 static int selinux_sem_semop(struct sem_array *sma,
5801 struct sembuf *sops, unsigned nsops, int alter)
5802 {
5803 u32 perms;
5804
5805 if (alter)
5806 perms = SEM__READ | SEM__WRITE;
5807 else
5808 perms = SEM__READ;
5809
5810 return ipc_has_perm(&sma->sem_perm, perms);
5811 }
5812
5813 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5814 {
5815 u32 av = 0;
5816
5817 av = 0;
5818 if (flag & S_IRUGO)
5819 av |= IPC__UNIX_READ;
5820 if (flag & S_IWUGO)
5821 av |= IPC__UNIX_WRITE;
5822
5823 if (av == 0)
5824 return 0;
5825
5826 return ipc_has_perm(ipcp, av);
5827 }
5828
5829 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5830 {
5831 struct ipc_security_struct *isec = ipcp->security;
5832 *secid = isec->sid;
5833 }
5834
5835 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5836 {
5837 if (inode)
5838 inode_doinit_with_dentry(inode, dentry);
5839 }
5840
5841 static int selinux_getprocattr(struct task_struct *p,
5842 char *name, char **value)
5843 {
5844 const struct task_security_struct *__tsec;
5845 u32 sid;
5846 int error;
5847 unsigned len;
5848
5849 rcu_read_lock();
5850 __tsec = __task_cred(p)->security;
5851
5852 if (current != p) {
5853 error = avc_has_perm(current_sid(), __tsec->sid,
5854 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5855 if (error)
5856 goto bad;
5857 }
5858
5859 if (!strcmp(name, "current"))
5860 sid = __tsec->sid;
5861 else if (!strcmp(name, "prev"))
5862 sid = __tsec->osid;
5863 else if (!strcmp(name, "exec"))
5864 sid = __tsec->exec_sid;
5865 else if (!strcmp(name, "fscreate"))
5866 sid = __tsec->create_sid;
5867 else if (!strcmp(name, "keycreate"))
5868 sid = __tsec->keycreate_sid;
5869 else if (!strcmp(name, "sockcreate"))
5870 sid = __tsec->sockcreate_sid;
5871 else {
5872 error = -EINVAL;
5873 goto bad;
5874 }
5875 rcu_read_unlock();
5876
5877 if (!sid)
5878 return 0;
5879
5880 error = security_sid_to_context(sid, value, &len);
5881 if (error)
5882 return error;
5883 return len;
5884
5885 bad:
5886 rcu_read_unlock();
5887 return error;
5888 }
5889
5890 static int selinux_setprocattr(const char *name, void *value, size_t size)
5891 {
5892 struct task_security_struct *tsec;
5893 struct cred *new;
5894 u32 mysid = current_sid(), sid = 0, ptsid;
5895 int error;
5896 char *str = value;
5897
5898 /*
5899 * Basic control over ability to set these attributes at all.
5900 */
5901 if (!strcmp(name, "exec"))
5902 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5903 PROCESS__SETEXEC, NULL);
5904 else if (!strcmp(name, "fscreate"))
5905 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5906 PROCESS__SETFSCREATE, NULL);
5907 else if (!strcmp(name, "keycreate"))
5908 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5909 PROCESS__SETKEYCREATE, NULL);
5910 else if (!strcmp(name, "sockcreate"))
5911 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5912 PROCESS__SETSOCKCREATE, NULL);
5913 else if (!strcmp(name, "current"))
5914 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5915 PROCESS__SETCURRENT, NULL);
5916 else
5917 error = -EINVAL;
5918 if (error)
5919 return error;
5920
5921 /* Obtain a SID for the context, if one was specified. */
5922 if (size && str[0] && str[0] != '\n') {
5923 if (str[size-1] == '\n') {
5924 str[size-1] = 0;
5925 size--;
5926 }
5927 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5928 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5929 if (!has_cap_mac_admin(true)) {
5930 struct audit_buffer *ab;
5931 size_t audit_size;
5932
5933 /* We strip a nul only if it is at the end, otherwise the
5934 * context contains a nul and we should audit that */
5935 if (str[size - 1] == '\0')
5936 audit_size = size - 1;
5937 else
5938 audit_size = size;
5939 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5940 audit_log_format(ab, "op=fscreate invalid_context=");
5941 audit_log_n_untrustedstring(ab, value, audit_size);
5942 audit_log_end(ab);
5943
5944 return error;
5945 }
5946 error = security_context_to_sid_force(value, size,
5947 &sid);
5948 }
5949 if (error)
5950 return error;
5951 }
5952
5953 new = prepare_creds();
5954 if (!new)
5955 return -ENOMEM;
5956
5957 /* Permission checking based on the specified context is
5958 performed during the actual operation (execve,
5959 open/mkdir/...), when we know the full context of the
5960 operation. See selinux_bprm_set_creds for the execve
5961 checks and may_create for the file creation checks. The
5962 operation will then fail if the context is not permitted. */
5963 tsec = new->security;
5964 if (!strcmp(name, "exec")) {
5965 tsec->exec_sid = sid;
5966 } else if (!strcmp(name, "fscreate")) {
5967 tsec->create_sid = sid;
5968 } else if (!strcmp(name, "keycreate")) {
5969 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
5970 NULL);
5971 if (error)
5972 goto abort_change;
5973 tsec->keycreate_sid = sid;
5974 } else if (!strcmp(name, "sockcreate")) {
5975 tsec->sockcreate_sid = sid;
5976 } else if (!strcmp(name, "current")) {
5977 error = -EINVAL;
5978 if (sid == 0)
5979 goto abort_change;
5980
5981 /* Only allow single threaded processes to change context */
5982 error = -EPERM;
5983 if (!current_is_single_threaded()) {
5984 error = security_bounded_transition(tsec->sid, sid);
5985 if (error)
5986 goto abort_change;
5987 }
5988
5989 /* Check permissions for the transition. */
5990 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5991 PROCESS__DYNTRANSITION, NULL);
5992 if (error)
5993 goto abort_change;
5994
5995 /* Check for ptracing, and update the task SID if ok.
5996 Otherwise, leave SID unchanged and fail. */
5997 ptsid = ptrace_parent_sid();
5998 if (ptsid != 0) {
5999 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6000 PROCESS__PTRACE, NULL);
6001 if (error)
6002 goto abort_change;
6003 }
6004
6005 tsec->sid = sid;
6006 } else {
6007 error = -EINVAL;
6008 goto abort_change;
6009 }
6010
6011 commit_creds(new);
6012 return size;
6013
6014 abort_change:
6015 abort_creds(new);
6016 return error;
6017 }
6018
6019 static int selinux_ismaclabel(const char *name)
6020 {
6021 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6022 }
6023
6024 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6025 {
6026 return security_sid_to_context(secid, secdata, seclen);
6027 }
6028
6029 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6030 {
6031 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
6032 }
6033
6034 static void selinux_release_secctx(char *secdata, u32 seclen)
6035 {
6036 kfree(secdata);
6037 }
6038
6039 static void selinux_inode_invalidate_secctx(struct inode *inode)
6040 {
6041 struct inode_security_struct *isec = inode->i_security;
6042
6043 spin_lock(&isec->lock);
6044 isec->initialized = LABEL_INVALID;
6045 spin_unlock(&isec->lock);
6046 }
6047
6048 /*
6049 * called with inode->i_mutex locked
6050 */
6051 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6052 {
6053 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6054 }
6055
6056 /*
6057 * called with inode->i_mutex locked
6058 */
6059 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6060 {
6061 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6062 }
6063
6064 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6065 {
6066 int len = 0;
6067 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6068 ctx, true);
6069 if (len < 0)
6070 return len;
6071 *ctxlen = len;
6072 return 0;
6073 }
6074 #ifdef CONFIG_KEYS
6075
6076 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6077 unsigned long flags)
6078 {
6079 const struct task_security_struct *tsec;
6080 struct key_security_struct *ksec;
6081
6082 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6083 if (!ksec)
6084 return -ENOMEM;
6085
6086 tsec = cred->security;
6087 if (tsec->keycreate_sid)
6088 ksec->sid = tsec->keycreate_sid;
6089 else
6090 ksec->sid = tsec->sid;
6091
6092 k->security = ksec;
6093 return 0;
6094 }
6095
6096 static void selinux_key_free(struct key *k)
6097 {
6098 struct key_security_struct *ksec = k->security;
6099
6100 k->security = NULL;
6101 kfree(ksec);
6102 }
6103
6104 static int selinux_key_permission(key_ref_t key_ref,
6105 const struct cred *cred,
6106 unsigned perm)
6107 {
6108 struct key *key;
6109 struct key_security_struct *ksec;
6110 u32 sid;
6111
6112 /* if no specific permissions are requested, we skip the
6113 permission check. No serious, additional covert channels
6114 appear to be created. */
6115 if (perm == 0)
6116 return 0;
6117
6118 sid = cred_sid(cred);
6119
6120 key = key_ref_to_ptr(key_ref);
6121 ksec = key->security;
6122
6123 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6124 }
6125
6126 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6127 {
6128 struct key_security_struct *ksec = key->security;
6129 char *context = NULL;
6130 unsigned len;
6131 int rc;
6132
6133 rc = security_sid_to_context(ksec->sid, &context, &len);
6134 if (!rc)
6135 rc = len;
6136 *_buffer = context;
6137 return rc;
6138 }
6139
6140 #endif
6141
6142 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6143 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6144 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6145 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6146 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6147
6148 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6149 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6150 LSM_HOOK_INIT(capget, selinux_capget),
6151 LSM_HOOK_INIT(capset, selinux_capset),
6152 LSM_HOOK_INIT(capable, selinux_capable),
6153 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6154 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6155 LSM_HOOK_INIT(syslog, selinux_syslog),
6156 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6157
6158 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6159
6160 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6161 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6162 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6163 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6164
6165 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6166 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6167 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6168 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6169 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6170 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6171 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6172 LSM_HOOK_INIT(sb_mount, selinux_mount),
6173 LSM_HOOK_INIT(sb_umount, selinux_umount),
6174 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6175 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6176 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6177
6178 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6179 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6180
6181 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6182 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6183 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6184 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6185 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6186 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6187 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6188 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6189 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6190 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6191 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6192 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6193 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6194 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6195 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6196 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6197 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6198 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6199 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6200 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6201 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6202 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6203 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6204 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6205 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6206 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6207 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6208
6209 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6210 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6211 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6212 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6213 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6214 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6215 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6216 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6217 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6218 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6219 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6220 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6221
6222 LSM_HOOK_INIT(file_open, selinux_file_open),
6223
6224 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6225 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6226 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6227 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6228 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6229 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6230 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6231 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6232 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6233 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6234 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6235 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6236 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6237 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6238 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6239 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6240 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6241 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6242 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6243 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6244 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6245 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6246 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6247
6248 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6249 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6250
6251 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6252 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6253
6254 LSM_HOOK_INIT(msg_queue_alloc_security,
6255 selinux_msg_queue_alloc_security),
6256 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6257 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6258 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6259 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6260 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6261
6262 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6263 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6264 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6265 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6266 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6267
6268 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6269 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6270 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6271 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6272 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6273
6274 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6275
6276 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6277 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6278
6279 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6280 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6281 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6282 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6283 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6284 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6285 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6286 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6287
6288 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6289 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6290
6291 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6292 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6293 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6294 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6295 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6296 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6297 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6298 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6299 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6300 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6301 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6302 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6303 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6304 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6305 LSM_HOOK_INIT(socket_getpeersec_stream,
6306 selinux_socket_getpeersec_stream),
6307 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6308 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6309 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6310 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6311 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6312 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6313 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6314 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6315 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6316 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6317 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6318 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6319 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6320 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6321 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6322 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6323 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6324 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6325 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6326
6327 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6328 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6329 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6330 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6331 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6332 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6333 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6334 selinux_xfrm_state_alloc_acquire),
6335 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6336 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6337 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6338 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6339 selinux_xfrm_state_pol_flow_match),
6340 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6341 #endif
6342
6343 #ifdef CONFIG_KEYS
6344 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6345 LSM_HOOK_INIT(key_free, selinux_key_free),
6346 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6347 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6348 #endif
6349
6350 #ifdef CONFIG_AUDIT
6351 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6352 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6353 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6354 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6355 #endif
6356 };
6357
6358 static __init int selinux_init(void)
6359 {
6360 if (!security_module_enable("selinux")) {
6361 selinux_enabled = 0;
6362 return 0;
6363 }
6364
6365 if (!selinux_enabled) {
6366 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6367 return 0;
6368 }
6369
6370 printk(KERN_INFO "SELinux: Initializing.\n");
6371
6372 /* Set the security state for the initial task. */
6373 cred_init_security();
6374
6375 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6376
6377 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6378 sizeof(struct inode_security_struct),
6379 0, SLAB_PANIC, NULL);
6380 file_security_cache = kmem_cache_create("selinux_file_security",
6381 sizeof(struct file_security_struct),
6382 0, SLAB_PANIC, NULL);
6383 avc_init();
6384
6385 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6386
6387 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6388 panic("SELinux: Unable to register AVC netcache callback\n");
6389
6390 if (selinux_enforcing)
6391 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6392 else
6393 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6394
6395 return 0;
6396 }
6397
6398 static void delayed_superblock_init(struct super_block *sb, void *unused)
6399 {
6400 superblock_doinit(sb, NULL);
6401 }
6402
6403 void selinux_complete_init(void)
6404 {
6405 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6406
6407 /* Set up any superblocks initialized prior to the policy load. */
6408 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6409 iterate_supers(delayed_superblock_init, NULL);
6410 }
6411
6412 /* SELinux requires early initialization in order to label
6413 all processes and objects when they are created. */
6414 security_initcall(selinux_init);
6415
6416 #if defined(CONFIG_NETFILTER)
6417
6418 static struct nf_hook_ops selinux_nf_ops[] = {
6419 {
6420 .hook = selinux_ipv4_postroute,
6421 .pf = NFPROTO_IPV4,
6422 .hooknum = NF_INET_POST_ROUTING,
6423 .priority = NF_IP_PRI_SELINUX_LAST,
6424 },
6425 {
6426 .hook = selinux_ipv4_forward,
6427 .pf = NFPROTO_IPV4,
6428 .hooknum = NF_INET_FORWARD,
6429 .priority = NF_IP_PRI_SELINUX_FIRST,
6430 },
6431 {
6432 .hook = selinux_ipv4_output,
6433 .pf = NFPROTO_IPV4,
6434 .hooknum = NF_INET_LOCAL_OUT,
6435 .priority = NF_IP_PRI_SELINUX_FIRST,
6436 },
6437 #if IS_ENABLED(CONFIG_IPV6)
6438 {
6439 .hook = selinux_ipv6_postroute,
6440 .pf = NFPROTO_IPV6,
6441 .hooknum = NF_INET_POST_ROUTING,
6442 .priority = NF_IP6_PRI_SELINUX_LAST,
6443 },
6444 {
6445 .hook = selinux_ipv6_forward,
6446 .pf = NFPROTO_IPV6,
6447 .hooknum = NF_INET_FORWARD,
6448 .priority = NF_IP6_PRI_SELINUX_FIRST,
6449 },
6450 {
6451 .hook = selinux_ipv6_output,
6452 .pf = NFPROTO_IPV6,
6453 .hooknum = NF_INET_LOCAL_OUT,
6454 .priority = NF_IP6_PRI_SELINUX_FIRST,
6455 },
6456 #endif /* IPV6 */
6457 };
6458
6459 static int __init selinux_nf_ip_init(void)
6460 {
6461 int err;
6462
6463 if (!selinux_enabled)
6464 return 0;
6465
6466 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6467
6468 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6469 if (err)
6470 panic("SELinux: nf_register_hooks: error %d\n", err);
6471
6472 return 0;
6473 }
6474
6475 __initcall(selinux_nf_ip_init);
6476
6477 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6478 static void selinux_nf_ip_exit(void)
6479 {
6480 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6481
6482 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6483 }
6484 #endif
6485
6486 #else /* CONFIG_NETFILTER */
6487
6488 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6489 #define selinux_nf_ip_exit()
6490 #endif
6491
6492 #endif /* CONFIG_NETFILTER */
6493
6494 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6495 static int selinux_disabled;
6496
6497 int selinux_disable(void)
6498 {
6499 if (ss_initialized) {
6500 /* Not permitted after initial policy load. */
6501 return -EINVAL;
6502 }
6503
6504 if (selinux_disabled) {
6505 /* Only do this once. */
6506 return -EINVAL;
6507 }
6508
6509 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6510
6511 selinux_disabled = 1;
6512 selinux_enabled = 0;
6513
6514 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6515
6516 /* Try to destroy the avc node cache */
6517 avc_disable();
6518
6519 /* Unregister netfilter hooks. */
6520 selinux_nf_ip_exit();
6521
6522 /* Unregister selinuxfs. */
6523 exit_sel_fs();
6524
6525 return 0;
6526 }
6527 #endif
Ubuntu Artful kernel mirror