]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SELinux: Use GFP_KERNEL for selinux_parse_opts_str().
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105 unsigned long enforcing;
106 if (!kstrtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
108 return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118 unsigned long enabled;
119 if (!kstrtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
121 return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130
131 /**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
140 *
141 */
142 static int selinux_secmark_enabled(void)
143 {
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146
147 /**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157 static int selinux_peerlbl_enabled(void)
158 {
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171 }
172
173 /*
174 * initialise the security for the init task
175 */
176 static void cred_init_security(void)
177 {
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
180
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 if (!tsec)
183 panic("SELinux: Failed to initialize initial task.\n");
184
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
187 }
188
189 /*
190 * get the security ID of a set of credentials
191 */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198 }
199
200 /*
201 * get the objective security ID of a task
202 */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 u32 sid;
206
207 rcu_read_lock();
208 sid = cred_sid(__task_cred(task));
209 rcu_read_unlock();
210 return sid;
211 }
212
213 /*
214 * get the subjective security ID of the current task
215 */
216 static inline u32 current_sid(void)
217 {
218 const struct task_security_struct *tsec = current_security();
219
220 return tsec->sid;
221 }
222
223 /* Allocate and free functions for each kind of security blob. */
224
225 static int inode_alloc_security(struct inode *inode)
226 {
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
229
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 if (!isec)
232 return -ENOMEM;
233
234 mutex_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 inode->i_security = isec;
241
242 return 0;
243 }
244
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247 /*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
253 */
254 static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
256 bool may_sleep)
257 {
258 struct inode_security_struct *isec = inode->i_security;
259
260 might_sleep_if(may_sleep);
261
262 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
271 inode_doinit_with_dentry(inode, opt_dentry);
272 }
273 return 0;
274 }
275
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277 {
278 return inode->i_security;
279 }
280
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282 {
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
288 return inode->i_security;
289 }
290
291 /*
292 * Get the security label of an inode.
293 */
294 static struct inode_security_struct *inode_security(struct inode *inode)
295 {
296 __inode_security_revalidate(inode, NULL, true);
297 return inode->i_security;
298 }
299
300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301 {
302 struct inode *inode = d_backing_inode(dentry);
303
304 return inode->i_security;
305 }
306
307 /*
308 * Get the security label of a dentry's backing inode.
309 */
310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311 {
312 struct inode *inode = d_backing_inode(dentry);
313
314 __inode_security_revalidate(inode, dentry, true);
315 return inode->i_security;
316 }
317
318 static void inode_free_rcu(struct rcu_head *head)
319 {
320 struct inode_security_struct *isec;
321
322 isec = container_of(head, struct inode_security_struct, rcu);
323 kmem_cache_free(sel_inode_cache, isec);
324 }
325
326 static void inode_free_security(struct inode *inode)
327 {
328 struct inode_security_struct *isec = inode->i_security;
329 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
330
331 /*
332 * As not all inode security structures are in a list, we check for
333 * empty list outside of the lock to make sure that we won't waste
334 * time taking a lock doing nothing.
335 *
336 * The list_del_init() function can be safely called more than once.
337 * It should not be possible for this function to be called with
338 * concurrent list_add(), but for better safety against future changes
339 * in the code, we use list_empty_careful() here.
340 */
341 if (!list_empty_careful(&isec->list)) {
342 spin_lock(&sbsec->isec_lock);
343 list_del_init(&isec->list);
344 spin_unlock(&sbsec->isec_lock);
345 }
346
347 /*
348 * The inode may still be referenced in a path walk and
349 * a call to selinux_inode_permission() can be made
350 * after inode_free_security() is called. Ideally, the VFS
351 * wouldn't do this, but fixing that is a much harder
352 * job. For now, simply free the i_security via RCU, and
353 * leave the current inode->i_security pointer intact.
354 * The inode will be freed after the RCU grace period too.
355 */
356 call_rcu(&isec->rcu, inode_free_rcu);
357 }
358
359 static int file_alloc_security(struct file *file)
360 {
361 struct file_security_struct *fsec;
362 u32 sid = current_sid();
363
364 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
365 if (!fsec)
366 return -ENOMEM;
367
368 fsec->sid = sid;
369 fsec->fown_sid = sid;
370 file->f_security = fsec;
371
372 return 0;
373 }
374
375 static void file_free_security(struct file *file)
376 {
377 struct file_security_struct *fsec = file->f_security;
378 file->f_security = NULL;
379 kmem_cache_free(file_security_cache, fsec);
380 }
381
382 static int superblock_alloc_security(struct super_block *sb)
383 {
384 struct superblock_security_struct *sbsec;
385
386 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
387 if (!sbsec)
388 return -ENOMEM;
389
390 mutex_init(&sbsec->lock);
391 INIT_LIST_HEAD(&sbsec->isec_head);
392 spin_lock_init(&sbsec->isec_lock);
393 sbsec->sb = sb;
394 sbsec->sid = SECINITSID_UNLABELED;
395 sbsec->def_sid = SECINITSID_FILE;
396 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
397 sb->s_security = sbsec;
398
399 return 0;
400 }
401
402 static void superblock_free_security(struct super_block *sb)
403 {
404 struct superblock_security_struct *sbsec = sb->s_security;
405 sb->s_security = NULL;
406 kfree(sbsec);
407 }
408
409 /* The file system's label must be initialized prior to use. */
410
411 static const char *labeling_behaviors[7] = {
412 "uses xattr",
413 "uses transition SIDs",
414 "uses task SIDs",
415 "uses genfs_contexts",
416 "not configured for labeling",
417 "uses mountpoint labeling",
418 "uses native labeling",
419 };
420
421 static inline int inode_doinit(struct inode *inode)
422 {
423 return inode_doinit_with_dentry(inode, NULL);
424 }
425
426 enum {
427 Opt_error = -1,
428 Opt_context = 1,
429 Opt_fscontext = 2,
430 Opt_defcontext = 3,
431 Opt_rootcontext = 4,
432 Opt_labelsupport = 5,
433 Opt_nextmntopt = 6,
434 };
435
436 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
437
438 static const match_table_t tokens = {
439 {Opt_context, CONTEXT_STR "%s"},
440 {Opt_fscontext, FSCONTEXT_STR "%s"},
441 {Opt_defcontext, DEFCONTEXT_STR "%s"},
442 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
443 {Opt_labelsupport, LABELSUPP_STR},
444 {Opt_error, NULL},
445 };
446
447 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
448
449 static int may_context_mount_sb_relabel(u32 sid,
450 struct superblock_security_struct *sbsec,
451 const struct cred *cred)
452 {
453 const struct task_security_struct *tsec = cred->security;
454 int rc;
455
456 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457 FILESYSTEM__RELABELFROM, NULL);
458 if (rc)
459 return rc;
460
461 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462 FILESYSTEM__RELABELTO, NULL);
463 return rc;
464 }
465
466 static int may_context_mount_inode_relabel(u32 sid,
467 struct superblock_security_struct *sbsec,
468 const struct cred *cred)
469 {
470 const struct task_security_struct *tsec = cred->security;
471 int rc;
472 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 FILESYSTEM__RELABELFROM, NULL);
474 if (rc)
475 return rc;
476
477 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__ASSOCIATE, NULL);
479 return rc;
480 }
481
482 static int selinux_is_sblabel_mnt(struct super_block *sb)
483 {
484 struct superblock_security_struct *sbsec = sb->s_security;
485
486 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
487 sbsec->behavior == SECURITY_FS_USE_TRANS ||
488 sbsec->behavior == SECURITY_FS_USE_TASK ||
489 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
490 /* Special handling. Genfs but also in-core setxattr handler */
491 !strcmp(sb->s_type->name, "sysfs") ||
492 !strcmp(sb->s_type->name, "pstore") ||
493 !strcmp(sb->s_type->name, "debugfs") ||
494 !strcmp(sb->s_type->name, "rootfs");
495 }
496
497 static int sb_finish_set_opts(struct super_block *sb)
498 {
499 struct superblock_security_struct *sbsec = sb->s_security;
500 struct dentry *root = sb->s_root;
501 struct inode *root_inode = d_backing_inode(root);
502 int rc = 0;
503
504 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
505 /* Make sure that the xattr handler exists and that no
506 error other than -ENODATA is returned by getxattr on
507 the root directory. -ENODATA is ok, as this may be
508 the first boot of the SELinux kernel before we have
509 assigned xattr values to the filesystem. */
510 if (!(root_inode->i_opflags & IOP_XATTR)) {
511 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
512 "xattr support\n", sb->s_id, sb->s_type->name);
513 rc = -EOPNOTSUPP;
514 goto out;
515 }
516
517 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
518 if (rc < 0 && rc != -ENODATA) {
519 if (rc == -EOPNOTSUPP)
520 printk(KERN_WARNING "SELinux: (dev %s, type "
521 "%s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
523 else
524 printk(KERN_WARNING "SELinux: (dev %s, type "
525 "%s) getxattr errno %d\n", sb->s_id,
526 sb->s_type->name, -rc);
527 goto out;
528 }
529 }
530
531 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
532 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
533 sb->s_id, sb->s_type->name);
534
535 sbsec->flags |= SE_SBINITIALIZED;
536 if (selinux_is_sblabel_mnt(sb))
537 sbsec->flags |= SBLABEL_MNT;
538
539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
541
542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
545 populates itself. */
546 spin_lock(&sbsec->isec_lock);
547 next_inode:
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
553 list_del_init(&isec->list);
554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
556 if (inode) {
557 if (!IS_PRIVATE(inode))
558 inode_doinit(inode);
559 iput(inode);
560 }
561 spin_lock(&sbsec->isec_lock);
562 goto next_inode;
563 }
564 spin_unlock(&sbsec->isec_lock);
565 out:
566 return rc;
567 }
568
569 /*
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
573 */
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575 struct security_mnt_opts *opts)
576 {
577 int rc = 0, i;
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
580 u32 len;
581 char tmp;
582
583 security_init_mnt_opts(opts);
584
585 if (!(sbsec->flags & SE_SBINITIALIZED))
586 return -EINVAL;
587
588 if (!ss_initialized)
589 return -EINVAL;
590
591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593
594 tmp = sbsec->flags & SE_MNTMASK;
595 /* count the number of mount options for this sb */
596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
597 if (tmp & 0x01)
598 opts->num_mnt_opts++;
599 tmp >>= 1;
600 }
601 /* Check if the Label support flag is set */
602 if (sbsec->flags & SBLABEL_MNT)
603 opts->num_mnt_opts++;
604
605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
607 rc = -ENOMEM;
608 goto out_free;
609 }
610
611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
613 rc = -ENOMEM;
614 goto out_free;
615 }
616
617 i = 0;
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
620 if (rc)
621 goto out_free;
622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
624 }
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 if (rc)
628 goto out_free;
629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
631 }
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 if (rc)
635 goto out_free;
636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
638 }
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
642
643 rc = security_sid_to_context(isec->sid, &context, &len);
644 if (rc)
645 goto out_free;
646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
648 }
649 if (sbsec->flags & SBLABEL_MNT) {
650 opts->mnt_opts[i] = NULL;
651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
652 }
653
654 BUG_ON(i != opts->num_mnt_opts);
655
656 return 0;
657
658 out_free:
659 security_free_mnt_opts(opts);
660 return rc;
661 }
662
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
665 {
666 char mnt_flags = sbsec->flags & SE_MNTMASK;
667
668 /* check if the old mount command had the same options */
669 if (sbsec->flags & SE_SBINITIALIZED)
670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
672 return 1;
673
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
676 */
677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
679 return 1;
680 return 0;
681 }
682
683 /*
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
686 */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
691 {
692 const struct cred *cred = current_cred();
693 int rc = 0, i;
694 struct superblock_security_struct *sbsec = sb->s_security;
695 const char *name = sb->s_type->name;
696 struct dentry *root = sbsec->sb->s_root;
697 struct inode_security_struct *root_isec;
698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
703
704 mutex_lock(&sbsec->lock);
705
706 if (!ss_initialized) {
707 if (!num_opts) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
711 goto out;
712 }
713 rc = -EINVAL;
714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
716 goto out;
717 }
718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
721 rc = -EINVAL;
722 goto out;
723 }
724
725 /*
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
730 *
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
735 */
736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737 && (num_opts == 0))
738 goto out;
739
740 root_isec = backing_inode_security_novalidate(root);
741
742 /*
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
746 */
747 for (i = 0; i < num_opts; i++) {
748 u32 sid;
749
750 if (flags[i] == SBLABEL_MNT)
751 continue;
752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753 if (rc) {
754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
757 goto out;
758 }
759 switch (flags[i]) {
760 case FSCONTEXT_MNT:
761 fscontext_sid = sid;
762
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 fscontext_sid))
765 goto out_double_mount;
766
767 sbsec->flags |= FSCONTEXT_MNT;
768 break;
769 case CONTEXT_MNT:
770 context_sid = sid;
771
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 context_sid))
774 goto out_double_mount;
775
776 sbsec->flags |= CONTEXT_MNT;
777 break;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
780
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 rootcontext_sid))
783 goto out_double_mount;
784
785 sbsec->flags |= ROOTCONTEXT_MNT;
786
787 break;
788 case DEFCONTEXT_MNT:
789 defcontext_sid = sid;
790
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 defcontext_sid))
793 goto out_double_mount;
794
795 sbsec->flags |= DEFCONTEXT_MNT;
796
797 break;
798 default:
799 rc = -EINVAL;
800 goto out;
801 }
802 }
803
804 if (sbsec->flags & SE_SBINITIALIZED) {
805 /* previously mounted with options, but not on this attempt? */
806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807 goto out_double_mount;
808 rc = 0;
809 goto out;
810 }
811
812 if (strcmp(sb->s_type->name, "proc") == 0)
813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814
815 if (!strcmp(sb->s_type->name, "debugfs") ||
816 !strcmp(sb->s_type->name, "sysfs") ||
817 !strcmp(sb->s_type->name, "pstore"))
818 sbsec->flags |= SE_SBGENFS;
819
820 if (!sbsec->behavior) {
821 /*
822 * Determine the labeling behavior to use for this
823 * filesystem type.
824 */
825 rc = security_fs_use(sb);
826 if (rc) {
827 printk(KERN_WARNING
828 "%s: security_fs_use(%s) returned %d\n",
829 __func__, sb->s_type->name, rc);
830 goto out;
831 }
832 }
833
834 /*
835 * If this is a user namespace mount, no contexts are allowed
836 * on the command line and security labels must be ignored.
837 */
838 if (sb->s_user_ns != &init_user_ns) {
839 if (context_sid || fscontext_sid || rootcontext_sid ||
840 defcontext_sid) {
841 rc = -EACCES;
842 goto out;
843 }
844 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
845 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
846 rc = security_transition_sid(current_sid(), current_sid(),
847 SECCLASS_FILE, NULL,
848 &sbsec->mntpoint_sid);
849 if (rc)
850 goto out;
851 }
852 goto out_set_opts;
853 }
854
855 /* sets the context of the superblock for the fs being mounted. */
856 if (fscontext_sid) {
857 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
858 if (rc)
859 goto out;
860
861 sbsec->sid = fscontext_sid;
862 }
863
864 /*
865 * Switch to using mount point labeling behavior.
866 * sets the label used on all file below the mountpoint, and will set
867 * the superblock context if not already set.
868 */
869 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
870 sbsec->behavior = SECURITY_FS_USE_NATIVE;
871 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
872 }
873
874 if (context_sid) {
875 if (!fscontext_sid) {
876 rc = may_context_mount_sb_relabel(context_sid, sbsec,
877 cred);
878 if (rc)
879 goto out;
880 sbsec->sid = context_sid;
881 } else {
882 rc = may_context_mount_inode_relabel(context_sid, sbsec,
883 cred);
884 if (rc)
885 goto out;
886 }
887 if (!rootcontext_sid)
888 rootcontext_sid = context_sid;
889
890 sbsec->mntpoint_sid = context_sid;
891 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
892 }
893
894 if (rootcontext_sid) {
895 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
896 cred);
897 if (rc)
898 goto out;
899
900 root_isec->sid = rootcontext_sid;
901 root_isec->initialized = LABEL_INITIALIZED;
902 }
903
904 if (defcontext_sid) {
905 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
906 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
907 rc = -EINVAL;
908 printk(KERN_WARNING "SELinux: defcontext option is "
909 "invalid for this filesystem type\n");
910 goto out;
911 }
912
913 if (defcontext_sid != sbsec->def_sid) {
914 rc = may_context_mount_inode_relabel(defcontext_sid,
915 sbsec, cred);
916 if (rc)
917 goto out;
918 }
919
920 sbsec->def_sid = defcontext_sid;
921 }
922
923 out_set_opts:
924 rc = sb_finish_set_opts(sb);
925 out:
926 mutex_unlock(&sbsec->lock);
927 return rc;
928 out_double_mount:
929 rc = -EINVAL;
930 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
931 "security settings for (dev %s, type %s)\n", sb->s_id, name);
932 goto out;
933 }
934
935 static int selinux_cmp_sb_context(const struct super_block *oldsb,
936 const struct super_block *newsb)
937 {
938 struct superblock_security_struct *old = oldsb->s_security;
939 struct superblock_security_struct *new = newsb->s_security;
940 char oldflags = old->flags & SE_MNTMASK;
941 char newflags = new->flags & SE_MNTMASK;
942
943 if (oldflags != newflags)
944 goto mismatch;
945 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
946 goto mismatch;
947 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
948 goto mismatch;
949 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
950 goto mismatch;
951 if (oldflags & ROOTCONTEXT_MNT) {
952 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
953 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
954 if (oldroot->sid != newroot->sid)
955 goto mismatch;
956 }
957 return 0;
958 mismatch:
959 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
960 "different security settings for (dev %s, "
961 "type %s)\n", newsb->s_id, newsb->s_type->name);
962 return -EBUSY;
963 }
964
965 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
966 struct super_block *newsb)
967 {
968 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
969 struct superblock_security_struct *newsbsec = newsb->s_security;
970
971 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
972 int set_context = (oldsbsec->flags & CONTEXT_MNT);
973 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
974
975 /*
976 * if the parent was able to be mounted it clearly had no special lsm
977 * mount options. thus we can safely deal with this superblock later
978 */
979 if (!ss_initialized)
980 return 0;
981
982 /* how can we clone if the old one wasn't set up?? */
983 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
984
985 /* if fs is reusing a sb, make sure that the contexts match */
986 if (newsbsec->flags & SE_SBINITIALIZED)
987 return selinux_cmp_sb_context(oldsb, newsb);
988
989 mutex_lock(&newsbsec->lock);
990
991 newsbsec->flags = oldsbsec->flags;
992
993 newsbsec->sid = oldsbsec->sid;
994 newsbsec->def_sid = oldsbsec->def_sid;
995 newsbsec->behavior = oldsbsec->behavior;
996
997 if (set_context) {
998 u32 sid = oldsbsec->mntpoint_sid;
999
1000 if (!set_fscontext)
1001 newsbsec->sid = sid;
1002 if (!set_rootcontext) {
1003 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1004 newisec->sid = sid;
1005 }
1006 newsbsec->mntpoint_sid = sid;
1007 }
1008 if (set_rootcontext) {
1009 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1010 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1011
1012 newisec->sid = oldisec->sid;
1013 }
1014
1015 sb_finish_set_opts(newsb);
1016 mutex_unlock(&newsbsec->lock);
1017 return 0;
1018 }
1019
1020 static int selinux_parse_opts_str(char *options,
1021 struct security_mnt_opts *opts)
1022 {
1023 char *p;
1024 char *context = NULL, *defcontext = NULL;
1025 char *fscontext = NULL, *rootcontext = NULL;
1026 int rc, num_mnt_opts = 0;
1027
1028 opts->num_mnt_opts = 0;
1029
1030 /* Standard string-based options. */
1031 while ((p = strsep(&options, "|")) != NULL) {
1032 int token;
1033 substring_t args[MAX_OPT_ARGS];
1034
1035 if (!*p)
1036 continue;
1037
1038 token = match_token(p, tokens, args);
1039
1040 switch (token) {
1041 case Opt_context:
1042 if (context || defcontext) {
1043 rc = -EINVAL;
1044 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1045 goto out_err;
1046 }
1047 context = match_strdup(&args[0]);
1048 if (!context) {
1049 rc = -ENOMEM;
1050 goto out_err;
1051 }
1052 break;
1053
1054 case Opt_fscontext:
1055 if (fscontext) {
1056 rc = -EINVAL;
1057 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1058 goto out_err;
1059 }
1060 fscontext = match_strdup(&args[0]);
1061 if (!fscontext) {
1062 rc = -ENOMEM;
1063 goto out_err;
1064 }
1065 break;
1066
1067 case Opt_rootcontext:
1068 if (rootcontext) {
1069 rc = -EINVAL;
1070 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1071 goto out_err;
1072 }
1073 rootcontext = match_strdup(&args[0]);
1074 if (!rootcontext) {
1075 rc = -ENOMEM;
1076 goto out_err;
1077 }
1078 break;
1079
1080 case Opt_defcontext:
1081 if (context || defcontext) {
1082 rc = -EINVAL;
1083 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1084 goto out_err;
1085 }
1086 defcontext = match_strdup(&args[0]);
1087 if (!defcontext) {
1088 rc = -ENOMEM;
1089 goto out_err;
1090 }
1091 break;
1092 case Opt_labelsupport:
1093 break;
1094 default:
1095 rc = -EINVAL;
1096 printk(KERN_WARNING "SELinux: unknown mount option\n");
1097 goto out_err;
1098
1099 }
1100 }
1101
1102 rc = -ENOMEM;
1103 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1104 if (!opts->mnt_opts)
1105 goto out_err;
1106
1107 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1108 GFP_KERNEL);
1109 if (!opts->mnt_opts_flags) {
1110 kfree(opts->mnt_opts);
1111 goto out_err;
1112 }
1113
1114 if (fscontext) {
1115 opts->mnt_opts[num_mnt_opts] = fscontext;
1116 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1117 }
1118 if (context) {
1119 opts->mnt_opts[num_mnt_opts] = context;
1120 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1121 }
1122 if (rootcontext) {
1123 opts->mnt_opts[num_mnt_opts] = rootcontext;
1124 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1125 }
1126 if (defcontext) {
1127 opts->mnt_opts[num_mnt_opts] = defcontext;
1128 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1129 }
1130
1131 opts->num_mnt_opts = num_mnt_opts;
1132 return 0;
1133
1134 out_err:
1135 kfree(context);
1136 kfree(defcontext);
1137 kfree(fscontext);
1138 kfree(rootcontext);
1139 return rc;
1140 }
1141 /*
1142 * string mount options parsing and call set the sbsec
1143 */
1144 static int superblock_doinit(struct super_block *sb, void *data)
1145 {
1146 int rc = 0;
1147 char *options = data;
1148 struct security_mnt_opts opts;
1149
1150 security_init_mnt_opts(&opts);
1151
1152 if (!data)
1153 goto out;
1154
1155 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1156
1157 rc = selinux_parse_opts_str(options, &opts);
1158 if (rc)
1159 goto out_err;
1160
1161 out:
1162 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1163
1164 out_err:
1165 security_free_mnt_opts(&opts);
1166 return rc;
1167 }
1168
1169 static void selinux_write_opts(struct seq_file *m,
1170 struct security_mnt_opts *opts)
1171 {
1172 int i;
1173 char *prefix;
1174
1175 for (i = 0; i < opts->num_mnt_opts; i++) {
1176 char *has_comma;
1177
1178 if (opts->mnt_opts[i])
1179 has_comma = strchr(opts->mnt_opts[i], ',');
1180 else
1181 has_comma = NULL;
1182
1183 switch (opts->mnt_opts_flags[i]) {
1184 case CONTEXT_MNT:
1185 prefix = CONTEXT_STR;
1186 break;
1187 case FSCONTEXT_MNT:
1188 prefix = FSCONTEXT_STR;
1189 break;
1190 case ROOTCONTEXT_MNT:
1191 prefix = ROOTCONTEXT_STR;
1192 break;
1193 case DEFCONTEXT_MNT:
1194 prefix = DEFCONTEXT_STR;
1195 break;
1196 case SBLABEL_MNT:
1197 seq_putc(m, ',');
1198 seq_puts(m, LABELSUPP_STR);
1199 continue;
1200 default:
1201 BUG();
1202 return;
1203 };
1204 /* we need a comma before each option */
1205 seq_putc(m, ',');
1206 seq_puts(m, prefix);
1207 if (has_comma)
1208 seq_putc(m, '\"');
1209 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1210 if (has_comma)
1211 seq_putc(m, '\"');
1212 }
1213 }
1214
1215 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1216 {
1217 struct security_mnt_opts opts;
1218 int rc;
1219
1220 rc = selinux_get_mnt_opts(sb, &opts);
1221 if (rc) {
1222 /* before policy load we may get EINVAL, don't show anything */
1223 if (rc == -EINVAL)
1224 rc = 0;
1225 return rc;
1226 }
1227
1228 selinux_write_opts(m, &opts);
1229
1230 security_free_mnt_opts(&opts);
1231
1232 return rc;
1233 }
1234
1235 static inline u16 inode_mode_to_security_class(umode_t mode)
1236 {
1237 switch (mode & S_IFMT) {
1238 case S_IFSOCK:
1239 return SECCLASS_SOCK_FILE;
1240 case S_IFLNK:
1241 return SECCLASS_LNK_FILE;
1242 case S_IFREG:
1243 return SECCLASS_FILE;
1244 case S_IFBLK:
1245 return SECCLASS_BLK_FILE;
1246 case S_IFDIR:
1247 return SECCLASS_DIR;
1248 case S_IFCHR:
1249 return SECCLASS_CHR_FILE;
1250 case S_IFIFO:
1251 return SECCLASS_FIFO_FILE;
1252
1253 }
1254
1255 return SECCLASS_FILE;
1256 }
1257
1258 static inline int default_protocol_stream(int protocol)
1259 {
1260 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1261 }
1262
1263 static inline int default_protocol_dgram(int protocol)
1264 {
1265 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1266 }
1267
1268 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1269 {
1270 switch (family) {
1271 case PF_UNIX:
1272 switch (type) {
1273 case SOCK_STREAM:
1274 case SOCK_SEQPACKET:
1275 return SECCLASS_UNIX_STREAM_SOCKET;
1276 case SOCK_DGRAM:
1277 return SECCLASS_UNIX_DGRAM_SOCKET;
1278 }
1279 break;
1280 case PF_INET:
1281 case PF_INET6:
1282 switch (type) {
1283 case SOCK_STREAM:
1284 if (default_protocol_stream(protocol))
1285 return SECCLASS_TCP_SOCKET;
1286 else
1287 return SECCLASS_RAWIP_SOCKET;
1288 case SOCK_DGRAM:
1289 if (default_protocol_dgram(protocol))
1290 return SECCLASS_UDP_SOCKET;
1291 else
1292 return SECCLASS_RAWIP_SOCKET;
1293 case SOCK_DCCP:
1294 return SECCLASS_DCCP_SOCKET;
1295 default:
1296 return SECCLASS_RAWIP_SOCKET;
1297 }
1298 break;
1299 case PF_NETLINK:
1300 switch (protocol) {
1301 case NETLINK_ROUTE:
1302 return SECCLASS_NETLINK_ROUTE_SOCKET;
1303 case NETLINK_SOCK_DIAG:
1304 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1305 case NETLINK_NFLOG:
1306 return SECCLASS_NETLINK_NFLOG_SOCKET;
1307 case NETLINK_XFRM:
1308 return SECCLASS_NETLINK_XFRM_SOCKET;
1309 case NETLINK_SELINUX:
1310 return SECCLASS_NETLINK_SELINUX_SOCKET;
1311 case NETLINK_ISCSI:
1312 return SECCLASS_NETLINK_ISCSI_SOCKET;
1313 case NETLINK_AUDIT:
1314 return SECCLASS_NETLINK_AUDIT_SOCKET;
1315 case NETLINK_FIB_LOOKUP:
1316 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1317 case NETLINK_CONNECTOR:
1318 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1319 case NETLINK_NETFILTER:
1320 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1321 case NETLINK_DNRTMSG:
1322 return SECCLASS_NETLINK_DNRT_SOCKET;
1323 case NETLINK_KOBJECT_UEVENT:
1324 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1325 case NETLINK_GENERIC:
1326 return SECCLASS_NETLINK_GENERIC_SOCKET;
1327 case NETLINK_SCSITRANSPORT:
1328 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1329 case NETLINK_RDMA:
1330 return SECCLASS_NETLINK_RDMA_SOCKET;
1331 case NETLINK_CRYPTO:
1332 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1333 default:
1334 return SECCLASS_NETLINK_SOCKET;
1335 }
1336 case PF_PACKET:
1337 return SECCLASS_PACKET_SOCKET;
1338 case PF_KEY:
1339 return SECCLASS_KEY_SOCKET;
1340 case PF_APPLETALK:
1341 return SECCLASS_APPLETALK_SOCKET;
1342 }
1343
1344 return SECCLASS_SOCKET;
1345 }
1346
1347 static int selinux_genfs_get_sid(struct dentry *dentry,
1348 u16 tclass,
1349 u16 flags,
1350 u32 *sid)
1351 {
1352 int rc;
1353 struct super_block *sb = dentry->d_sb;
1354 char *buffer, *path;
1355
1356 buffer = (char *)__get_free_page(GFP_KERNEL);
1357 if (!buffer)
1358 return -ENOMEM;
1359
1360 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1361 if (IS_ERR(path))
1362 rc = PTR_ERR(path);
1363 else {
1364 if (flags & SE_SBPROC) {
1365 /* each process gets a /proc/PID/ entry. Strip off the
1366 * PID part to get a valid selinux labeling.
1367 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1368 while (path[1] >= '0' && path[1] <= '9') {
1369 path[1] = '/';
1370 path++;
1371 }
1372 }
1373 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1374 }
1375 free_page((unsigned long)buffer);
1376 return rc;
1377 }
1378
1379 /* The inode's security attributes must be initialized before first use. */
1380 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1381 {
1382 struct superblock_security_struct *sbsec = NULL;
1383 struct inode_security_struct *isec = inode->i_security;
1384 u32 sid;
1385 struct dentry *dentry;
1386 #define INITCONTEXTLEN 255
1387 char *context = NULL;
1388 unsigned len = 0;
1389 int rc = 0;
1390
1391 if (isec->initialized == LABEL_INITIALIZED)
1392 goto out;
1393
1394 mutex_lock(&isec->lock);
1395 if (isec->initialized == LABEL_INITIALIZED)
1396 goto out_unlock;
1397
1398 sbsec = inode->i_sb->s_security;
1399 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1400 /* Defer initialization until selinux_complete_init,
1401 after the initial policy is loaded and the security
1402 server is ready to handle calls. */
1403 spin_lock(&sbsec->isec_lock);
1404 if (list_empty(&isec->list))
1405 list_add(&isec->list, &sbsec->isec_head);
1406 spin_unlock(&sbsec->isec_lock);
1407 goto out_unlock;
1408 }
1409
1410 switch (sbsec->behavior) {
1411 case SECURITY_FS_USE_NATIVE:
1412 break;
1413 case SECURITY_FS_USE_XATTR:
1414 if (!(inode->i_opflags & IOP_XATTR)) {
1415 isec->sid = sbsec->def_sid;
1416 break;
1417 }
1418 /* Need a dentry, since the xattr API requires one.
1419 Life would be simpler if we could just pass the inode. */
1420 if (opt_dentry) {
1421 /* Called from d_instantiate or d_splice_alias. */
1422 dentry = dget(opt_dentry);
1423 } else {
1424 /* Called from selinux_complete_init, try to find a dentry. */
1425 dentry = d_find_alias(inode);
1426 }
1427 if (!dentry) {
1428 /*
1429 * this is can be hit on boot when a file is accessed
1430 * before the policy is loaded. When we load policy we
1431 * may find inodes that have no dentry on the
1432 * sbsec->isec_head list. No reason to complain as these
1433 * will get fixed up the next time we go through
1434 * inode_doinit with a dentry, before these inodes could
1435 * be used again by userspace.
1436 */
1437 goto out_unlock;
1438 }
1439
1440 len = INITCONTEXTLEN;
1441 context = kmalloc(len+1, GFP_NOFS);
1442 if (!context) {
1443 rc = -ENOMEM;
1444 dput(dentry);
1445 goto out_unlock;
1446 }
1447 context[len] = '\0';
1448 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1449 if (rc == -ERANGE) {
1450 kfree(context);
1451
1452 /* Need a larger buffer. Query for the right size. */
1453 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1454 if (rc < 0) {
1455 dput(dentry);
1456 goto out_unlock;
1457 }
1458 len = rc;
1459 context = kmalloc(len+1, GFP_NOFS);
1460 if (!context) {
1461 rc = -ENOMEM;
1462 dput(dentry);
1463 goto out_unlock;
1464 }
1465 context[len] = '\0';
1466 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1467 }
1468 dput(dentry);
1469 if (rc < 0) {
1470 if (rc != -ENODATA) {
1471 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1472 "%d for dev=%s ino=%ld\n", __func__,
1473 -rc, inode->i_sb->s_id, inode->i_ino);
1474 kfree(context);
1475 goto out_unlock;
1476 }
1477 /* Map ENODATA to the default file SID */
1478 sid = sbsec->def_sid;
1479 rc = 0;
1480 } else {
1481 rc = security_context_to_sid_default(context, rc, &sid,
1482 sbsec->def_sid,
1483 GFP_NOFS);
1484 if (rc) {
1485 char *dev = inode->i_sb->s_id;
1486 unsigned long ino = inode->i_ino;
1487
1488 if (rc == -EINVAL) {
1489 if (printk_ratelimit())
1490 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1491 "context=%s. This indicates you may need to relabel the inode or the "
1492 "filesystem in question.\n", ino, dev, context);
1493 } else {
1494 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1495 "returned %d for dev=%s ino=%ld\n",
1496 __func__, context, -rc, dev, ino);
1497 }
1498 kfree(context);
1499 /* Leave with the unlabeled SID */
1500 rc = 0;
1501 break;
1502 }
1503 }
1504 kfree(context);
1505 isec->sid = sid;
1506 break;
1507 case SECURITY_FS_USE_TASK:
1508 isec->sid = isec->task_sid;
1509 break;
1510 case SECURITY_FS_USE_TRANS:
1511 /* Default to the fs SID. */
1512 isec->sid = sbsec->sid;
1513
1514 /* Try to obtain a transition SID. */
1515 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1516 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1517 isec->sclass, NULL, &sid);
1518 if (rc)
1519 goto out_unlock;
1520 isec->sid = sid;
1521 break;
1522 case SECURITY_FS_USE_MNTPOINT:
1523 isec->sid = sbsec->mntpoint_sid;
1524 break;
1525 default:
1526 /* Default to the fs superblock SID. */
1527 isec->sid = sbsec->sid;
1528
1529 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1530 /* We must have a dentry to determine the label on
1531 * procfs inodes */
1532 if (opt_dentry)
1533 /* Called from d_instantiate or
1534 * d_splice_alias. */
1535 dentry = dget(opt_dentry);
1536 else
1537 /* Called from selinux_complete_init, try to
1538 * find a dentry. */
1539 dentry = d_find_alias(inode);
1540 /*
1541 * This can be hit on boot when a file is accessed
1542 * before the policy is loaded. When we load policy we
1543 * may find inodes that have no dentry on the
1544 * sbsec->isec_head list. No reason to complain as
1545 * these will get fixed up the next time we go through
1546 * inode_doinit() with a dentry, before these inodes
1547 * could be used again by userspace.
1548 */
1549 if (!dentry)
1550 goto out_unlock;
1551 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1552 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1553 sbsec->flags, &sid);
1554 dput(dentry);
1555 if (rc)
1556 goto out_unlock;
1557 isec->sid = sid;
1558 }
1559 break;
1560 }
1561
1562 isec->initialized = LABEL_INITIALIZED;
1563
1564 out_unlock:
1565 mutex_unlock(&isec->lock);
1566 out:
1567 if (isec->sclass == SECCLASS_FILE)
1568 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1569 return rc;
1570 }
1571
1572 /* Convert a Linux signal to an access vector. */
1573 static inline u32 signal_to_av(int sig)
1574 {
1575 u32 perm = 0;
1576
1577 switch (sig) {
1578 case SIGCHLD:
1579 /* Commonly granted from child to parent. */
1580 perm = PROCESS__SIGCHLD;
1581 break;
1582 case SIGKILL:
1583 /* Cannot be caught or ignored */
1584 perm = PROCESS__SIGKILL;
1585 break;
1586 case SIGSTOP:
1587 /* Cannot be caught or ignored */
1588 perm = PROCESS__SIGSTOP;
1589 break;
1590 default:
1591 /* All other signals. */
1592 perm = PROCESS__SIGNAL;
1593 break;
1594 }
1595
1596 return perm;
1597 }
1598
1599 /*
1600 * Check permission between a pair of credentials
1601 * fork check, ptrace check, etc.
1602 */
1603 static int cred_has_perm(const struct cred *actor,
1604 const struct cred *target,
1605 u32 perms)
1606 {
1607 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1608
1609 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1610 }
1611
1612 /*
1613 * Check permission between a pair of tasks, e.g. signal checks,
1614 * fork check, ptrace check, etc.
1615 * tsk1 is the actor and tsk2 is the target
1616 * - this uses the default subjective creds of tsk1
1617 */
1618 static int task_has_perm(const struct task_struct *tsk1,
1619 const struct task_struct *tsk2,
1620 u32 perms)
1621 {
1622 const struct task_security_struct *__tsec1, *__tsec2;
1623 u32 sid1, sid2;
1624
1625 rcu_read_lock();
1626 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1627 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1628 rcu_read_unlock();
1629 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1630 }
1631
1632 /*
1633 * Check permission between current and another task, e.g. signal checks,
1634 * fork check, ptrace check, etc.
1635 * current is the actor and tsk2 is the target
1636 * - this uses current's subjective creds
1637 */
1638 static int current_has_perm(const struct task_struct *tsk,
1639 u32 perms)
1640 {
1641 u32 sid, tsid;
1642
1643 sid = current_sid();
1644 tsid = task_sid(tsk);
1645 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1646 }
1647
1648 #if CAP_LAST_CAP > 63
1649 #error Fix SELinux to handle capabilities > 63.
1650 #endif
1651
1652 /* Check whether a task is allowed to use a capability. */
1653 static int cred_has_capability(const struct cred *cred,
1654 int cap, int audit, bool initns)
1655 {
1656 struct common_audit_data ad;
1657 struct av_decision avd;
1658 u16 sclass;
1659 u32 sid = cred_sid(cred);
1660 u32 av = CAP_TO_MASK(cap);
1661 int rc;
1662
1663 ad.type = LSM_AUDIT_DATA_CAP;
1664 ad.u.cap = cap;
1665
1666 switch (CAP_TO_INDEX(cap)) {
1667 case 0:
1668 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1669 break;
1670 case 1:
1671 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1672 break;
1673 default:
1674 printk(KERN_ERR
1675 "SELinux: out of range capability %d\n", cap);
1676 BUG();
1677 return -EINVAL;
1678 }
1679
1680 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1681 if (audit == SECURITY_CAP_AUDIT) {
1682 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1683 if (rc2)
1684 return rc2;
1685 }
1686 return rc;
1687 }
1688
1689 /* Check whether a task is allowed to use a system operation. */
1690 static int task_has_system(struct task_struct *tsk,
1691 u32 perms)
1692 {
1693 u32 sid = task_sid(tsk);
1694
1695 return avc_has_perm(sid, SECINITSID_KERNEL,
1696 SECCLASS_SYSTEM, perms, NULL);
1697 }
1698
1699 /* Check whether a task has a particular permission to an inode.
1700 The 'adp' parameter is optional and allows other audit
1701 data to be passed (e.g. the dentry). */
1702 static int inode_has_perm(const struct cred *cred,
1703 struct inode *inode,
1704 u32 perms,
1705 struct common_audit_data *adp)
1706 {
1707 struct inode_security_struct *isec;
1708 u32 sid;
1709
1710 validate_creds(cred);
1711
1712 if (unlikely(IS_PRIVATE(inode)))
1713 return 0;
1714
1715 sid = cred_sid(cred);
1716 isec = inode->i_security;
1717
1718 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1719 }
1720
1721 /* Same as inode_has_perm, but pass explicit audit data containing
1722 the dentry to help the auditing code to more easily generate the
1723 pathname if needed. */
1724 static inline int dentry_has_perm(const struct cred *cred,
1725 struct dentry *dentry,
1726 u32 av)
1727 {
1728 struct inode *inode = d_backing_inode(dentry);
1729 struct common_audit_data ad;
1730
1731 ad.type = LSM_AUDIT_DATA_DENTRY;
1732 ad.u.dentry = dentry;
1733 __inode_security_revalidate(inode, dentry, true);
1734 return inode_has_perm(cred, inode, av, &ad);
1735 }
1736
1737 /* Same as inode_has_perm, but pass explicit audit data containing
1738 the path to help the auditing code to more easily generate the
1739 pathname if needed. */
1740 static inline int path_has_perm(const struct cred *cred,
1741 const struct path *path,
1742 u32 av)
1743 {
1744 struct inode *inode = d_backing_inode(path->dentry);
1745 struct common_audit_data ad;
1746
1747 ad.type = LSM_AUDIT_DATA_PATH;
1748 ad.u.path = *path;
1749 __inode_security_revalidate(inode, path->dentry, true);
1750 return inode_has_perm(cred, inode, av, &ad);
1751 }
1752
1753 /* Same as path_has_perm, but uses the inode from the file struct. */
1754 static inline int file_path_has_perm(const struct cred *cred,
1755 struct file *file,
1756 u32 av)
1757 {
1758 struct common_audit_data ad;
1759
1760 ad.type = LSM_AUDIT_DATA_FILE;
1761 ad.u.file = file;
1762 return inode_has_perm(cred, file_inode(file), av, &ad);
1763 }
1764
1765 /* Check whether a task can use an open file descriptor to
1766 access an inode in a given way. Check access to the
1767 descriptor itself, and then use dentry_has_perm to
1768 check a particular permission to the file.
1769 Access to the descriptor is implicitly granted if it
1770 has the same SID as the process. If av is zero, then
1771 access to the file is not checked, e.g. for cases
1772 where only the descriptor is affected like seek. */
1773 static int file_has_perm(const struct cred *cred,
1774 struct file *file,
1775 u32 av)
1776 {
1777 struct file_security_struct *fsec = file->f_security;
1778 struct inode *inode = file_inode(file);
1779 struct common_audit_data ad;
1780 u32 sid = cred_sid(cred);
1781 int rc;
1782
1783 ad.type = LSM_AUDIT_DATA_FILE;
1784 ad.u.file = file;
1785
1786 if (sid != fsec->sid) {
1787 rc = avc_has_perm(sid, fsec->sid,
1788 SECCLASS_FD,
1789 FD__USE,
1790 &ad);
1791 if (rc)
1792 goto out;
1793 }
1794
1795 /* av is zero if only checking access to the descriptor. */
1796 rc = 0;
1797 if (av)
1798 rc = inode_has_perm(cred, inode, av, &ad);
1799
1800 out:
1801 return rc;
1802 }
1803
1804 /*
1805 * Determine the label for an inode that might be unioned.
1806 */
1807 static int
1808 selinux_determine_inode_label(const struct task_security_struct *tsec,
1809 struct inode *dir,
1810 const struct qstr *name, u16 tclass,
1811 u32 *_new_isid)
1812 {
1813 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1814
1815 if ((sbsec->flags & SE_SBINITIALIZED) &&
1816 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1817 *_new_isid = sbsec->mntpoint_sid;
1818 } else if ((sbsec->flags & SBLABEL_MNT) &&
1819 tsec->create_sid) {
1820 *_new_isid = tsec->create_sid;
1821 } else {
1822 const struct inode_security_struct *dsec = inode_security(dir);
1823 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1824 name, _new_isid);
1825 }
1826
1827 return 0;
1828 }
1829
1830 /* Check whether a task can create a file. */
1831 static int may_create(struct inode *dir,
1832 struct dentry *dentry,
1833 u16 tclass)
1834 {
1835 const struct task_security_struct *tsec = current_security();
1836 struct inode_security_struct *dsec;
1837 struct superblock_security_struct *sbsec;
1838 u32 sid, newsid;
1839 struct common_audit_data ad;
1840 int rc;
1841
1842 dsec = inode_security(dir);
1843 sbsec = dir->i_sb->s_security;
1844
1845 sid = tsec->sid;
1846
1847 ad.type = LSM_AUDIT_DATA_DENTRY;
1848 ad.u.dentry = dentry;
1849
1850 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1851 DIR__ADD_NAME | DIR__SEARCH,
1852 &ad);
1853 if (rc)
1854 return rc;
1855
1856 rc = selinux_determine_inode_label(current_security(), dir,
1857 &dentry->d_name, tclass, &newsid);
1858 if (rc)
1859 return rc;
1860
1861 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1862 if (rc)
1863 return rc;
1864
1865 return avc_has_perm(newsid, sbsec->sid,
1866 SECCLASS_FILESYSTEM,
1867 FILESYSTEM__ASSOCIATE, &ad);
1868 }
1869
1870 /* Check whether a task can create a key. */
1871 static int may_create_key(u32 ksid,
1872 struct task_struct *ctx)
1873 {
1874 u32 sid = task_sid(ctx);
1875
1876 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1877 }
1878
1879 #define MAY_LINK 0
1880 #define MAY_UNLINK 1
1881 #define MAY_RMDIR 2
1882
1883 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1884 static int may_link(struct inode *dir,
1885 struct dentry *dentry,
1886 int kind)
1887
1888 {
1889 struct inode_security_struct *dsec, *isec;
1890 struct common_audit_data ad;
1891 u32 sid = current_sid();
1892 u32 av;
1893 int rc;
1894
1895 dsec = inode_security(dir);
1896 isec = backing_inode_security(dentry);
1897
1898 ad.type = LSM_AUDIT_DATA_DENTRY;
1899 ad.u.dentry = dentry;
1900
1901 av = DIR__SEARCH;
1902 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1903 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1904 if (rc)
1905 return rc;
1906
1907 switch (kind) {
1908 case MAY_LINK:
1909 av = FILE__LINK;
1910 break;
1911 case MAY_UNLINK:
1912 av = FILE__UNLINK;
1913 break;
1914 case MAY_RMDIR:
1915 av = DIR__RMDIR;
1916 break;
1917 default:
1918 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1919 __func__, kind);
1920 return 0;
1921 }
1922
1923 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1924 return rc;
1925 }
1926
1927 static inline int may_rename(struct inode *old_dir,
1928 struct dentry *old_dentry,
1929 struct inode *new_dir,
1930 struct dentry *new_dentry)
1931 {
1932 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1933 struct common_audit_data ad;
1934 u32 sid = current_sid();
1935 u32 av;
1936 int old_is_dir, new_is_dir;
1937 int rc;
1938
1939 old_dsec = inode_security(old_dir);
1940 old_isec = backing_inode_security(old_dentry);
1941 old_is_dir = d_is_dir(old_dentry);
1942 new_dsec = inode_security(new_dir);
1943
1944 ad.type = LSM_AUDIT_DATA_DENTRY;
1945
1946 ad.u.dentry = old_dentry;
1947 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1948 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1949 if (rc)
1950 return rc;
1951 rc = avc_has_perm(sid, old_isec->sid,
1952 old_isec->sclass, FILE__RENAME, &ad);
1953 if (rc)
1954 return rc;
1955 if (old_is_dir && new_dir != old_dir) {
1956 rc = avc_has_perm(sid, old_isec->sid,
1957 old_isec->sclass, DIR__REPARENT, &ad);
1958 if (rc)
1959 return rc;
1960 }
1961
1962 ad.u.dentry = new_dentry;
1963 av = DIR__ADD_NAME | DIR__SEARCH;
1964 if (d_is_positive(new_dentry))
1965 av |= DIR__REMOVE_NAME;
1966 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1967 if (rc)
1968 return rc;
1969 if (d_is_positive(new_dentry)) {
1970 new_isec = backing_inode_security(new_dentry);
1971 new_is_dir = d_is_dir(new_dentry);
1972 rc = avc_has_perm(sid, new_isec->sid,
1973 new_isec->sclass,
1974 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1975 if (rc)
1976 return rc;
1977 }
1978
1979 return 0;
1980 }
1981
1982 /* Check whether a task can perform a filesystem operation. */
1983 static int superblock_has_perm(const struct cred *cred,
1984 struct super_block *sb,
1985 u32 perms,
1986 struct common_audit_data *ad)
1987 {
1988 struct superblock_security_struct *sbsec;
1989 u32 sid = cred_sid(cred);
1990
1991 sbsec = sb->s_security;
1992 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1993 }
1994
1995 /* Convert a Linux mode and permission mask to an access vector. */
1996 static inline u32 file_mask_to_av(int mode, int mask)
1997 {
1998 u32 av = 0;
1999
2000 if (!S_ISDIR(mode)) {
2001 if (mask & MAY_EXEC)
2002 av |= FILE__EXECUTE;
2003 if (mask & MAY_READ)
2004 av |= FILE__READ;
2005
2006 if (mask & MAY_APPEND)
2007 av |= FILE__APPEND;
2008 else if (mask & MAY_WRITE)
2009 av |= FILE__WRITE;
2010
2011 } else {
2012 if (mask & MAY_EXEC)
2013 av |= DIR__SEARCH;
2014 if (mask & MAY_WRITE)
2015 av |= DIR__WRITE;
2016 if (mask & MAY_READ)
2017 av |= DIR__READ;
2018 }
2019
2020 return av;
2021 }
2022
2023 /* Convert a Linux file to an access vector. */
2024 static inline u32 file_to_av(struct file *file)
2025 {
2026 u32 av = 0;
2027
2028 if (file->f_mode & FMODE_READ)
2029 av |= FILE__READ;
2030 if (file->f_mode & FMODE_WRITE) {
2031 if (file->f_flags & O_APPEND)
2032 av |= FILE__APPEND;
2033 else
2034 av |= FILE__WRITE;
2035 }
2036 if (!av) {
2037 /*
2038 * Special file opened with flags 3 for ioctl-only use.
2039 */
2040 av = FILE__IOCTL;
2041 }
2042
2043 return av;
2044 }
2045
2046 /*
2047 * Convert a file to an access vector and include the correct open
2048 * open permission.
2049 */
2050 static inline u32 open_file_to_av(struct file *file)
2051 {
2052 u32 av = file_to_av(file);
2053
2054 if (selinux_policycap_openperm)
2055 av |= FILE__OPEN;
2056
2057 return av;
2058 }
2059
2060 /* Hook functions begin here. */
2061
2062 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2063 {
2064 u32 mysid = current_sid();
2065 u32 mgrsid = task_sid(mgr);
2066
2067 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2068 BINDER__SET_CONTEXT_MGR, NULL);
2069 }
2070
2071 static int selinux_binder_transaction(struct task_struct *from,
2072 struct task_struct *to)
2073 {
2074 u32 mysid = current_sid();
2075 u32 fromsid = task_sid(from);
2076 u32 tosid = task_sid(to);
2077 int rc;
2078
2079 if (mysid != fromsid) {
2080 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2081 BINDER__IMPERSONATE, NULL);
2082 if (rc)
2083 return rc;
2084 }
2085
2086 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2087 NULL);
2088 }
2089
2090 static int selinux_binder_transfer_binder(struct task_struct *from,
2091 struct task_struct *to)
2092 {
2093 u32 fromsid = task_sid(from);
2094 u32 tosid = task_sid(to);
2095
2096 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2097 NULL);
2098 }
2099
2100 static int selinux_binder_transfer_file(struct task_struct *from,
2101 struct task_struct *to,
2102 struct file *file)
2103 {
2104 u32 sid = task_sid(to);
2105 struct file_security_struct *fsec = file->f_security;
2106 struct dentry *dentry = file->f_path.dentry;
2107 struct inode_security_struct *isec;
2108 struct common_audit_data ad;
2109 int rc;
2110
2111 ad.type = LSM_AUDIT_DATA_PATH;
2112 ad.u.path = file->f_path;
2113
2114 if (sid != fsec->sid) {
2115 rc = avc_has_perm(sid, fsec->sid,
2116 SECCLASS_FD,
2117 FD__USE,
2118 &ad);
2119 if (rc)
2120 return rc;
2121 }
2122
2123 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2124 return 0;
2125
2126 isec = backing_inode_security(dentry);
2127 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2128 &ad);
2129 }
2130
2131 static int selinux_ptrace_access_check(struct task_struct *child,
2132 unsigned int mode)
2133 {
2134 if (mode & PTRACE_MODE_READ) {
2135 u32 sid = current_sid();
2136 u32 csid = task_sid(child);
2137 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2138 }
2139
2140 return current_has_perm(child, PROCESS__PTRACE);
2141 }
2142
2143 static int selinux_ptrace_traceme(struct task_struct *parent)
2144 {
2145 return task_has_perm(parent, current, PROCESS__PTRACE);
2146 }
2147
2148 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2149 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2150 {
2151 return current_has_perm(target, PROCESS__GETCAP);
2152 }
2153
2154 static int selinux_capset(struct cred *new, const struct cred *old,
2155 const kernel_cap_t *effective,
2156 const kernel_cap_t *inheritable,
2157 const kernel_cap_t *permitted)
2158 {
2159 return cred_has_perm(old, new, PROCESS__SETCAP);
2160 }
2161
2162 /*
2163 * (This comment used to live with the selinux_task_setuid hook,
2164 * which was removed).
2165 *
2166 * Since setuid only affects the current process, and since the SELinux
2167 * controls are not based on the Linux identity attributes, SELinux does not
2168 * need to control this operation. However, SELinux does control the use of
2169 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2170 */
2171
2172 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2173 int cap, int audit)
2174 {
2175 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2176 }
2177
2178 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2179 {
2180 const struct cred *cred = current_cred();
2181 int rc = 0;
2182
2183 if (!sb)
2184 return 0;
2185
2186 switch (cmds) {
2187 case Q_SYNC:
2188 case Q_QUOTAON:
2189 case Q_QUOTAOFF:
2190 case Q_SETINFO:
2191 case Q_SETQUOTA:
2192 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2193 break;
2194 case Q_GETFMT:
2195 case Q_GETINFO:
2196 case Q_GETQUOTA:
2197 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2198 break;
2199 default:
2200 rc = 0; /* let the kernel handle invalid cmds */
2201 break;
2202 }
2203 return rc;
2204 }
2205
2206 static int selinux_quota_on(struct dentry *dentry)
2207 {
2208 const struct cred *cred = current_cred();
2209
2210 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2211 }
2212
2213 static int selinux_syslog(int type)
2214 {
2215 int rc;
2216
2217 switch (type) {
2218 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2219 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2220 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2221 break;
2222 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2223 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2224 /* Set level of messages printed to console */
2225 case SYSLOG_ACTION_CONSOLE_LEVEL:
2226 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2227 break;
2228 case SYSLOG_ACTION_CLOSE: /* Close log */
2229 case SYSLOG_ACTION_OPEN: /* Open log */
2230 case SYSLOG_ACTION_READ: /* Read from log */
2231 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2232 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2233 default:
2234 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2235 break;
2236 }
2237 return rc;
2238 }
2239
2240 /*
2241 * Check that a process has enough memory to allocate a new virtual
2242 * mapping. 0 means there is enough memory for the allocation to
2243 * succeed and -ENOMEM implies there is not.
2244 *
2245 * Do not audit the selinux permission check, as this is applied to all
2246 * processes that allocate mappings.
2247 */
2248 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2249 {
2250 int rc, cap_sys_admin = 0;
2251
2252 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2253 SECURITY_CAP_NOAUDIT, true);
2254 if (rc == 0)
2255 cap_sys_admin = 1;
2256
2257 return cap_sys_admin;
2258 }
2259
2260 /* binprm security operations */
2261
2262 static u32 ptrace_parent_sid(struct task_struct *task)
2263 {
2264 u32 sid = 0;
2265 struct task_struct *tracer;
2266
2267 rcu_read_lock();
2268 tracer = ptrace_parent(task);
2269 if (tracer)
2270 sid = task_sid(tracer);
2271 rcu_read_unlock();
2272
2273 return sid;
2274 }
2275
2276 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2277 const struct task_security_struct *old_tsec,
2278 const struct task_security_struct *new_tsec)
2279 {
2280 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2281 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2282 int rc;
2283
2284 if (!nnp && !nosuid)
2285 return 0; /* neither NNP nor nosuid */
2286
2287 if (new_tsec->sid == old_tsec->sid)
2288 return 0; /* No change in credentials */
2289
2290 /*
2291 * The only transitions we permit under NNP or nosuid
2292 * are transitions to bounded SIDs, i.e. SIDs that are
2293 * guaranteed to only be allowed a subset of the permissions
2294 * of the current SID.
2295 */
2296 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2297 if (rc) {
2298 /*
2299 * On failure, preserve the errno values for NNP vs nosuid.
2300 * NNP: Operation not permitted for caller.
2301 * nosuid: Permission denied to file.
2302 */
2303 if (nnp)
2304 return -EPERM;
2305 else
2306 return -EACCES;
2307 }
2308 return 0;
2309 }
2310
2311 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2312 {
2313 const struct task_security_struct *old_tsec;
2314 struct task_security_struct *new_tsec;
2315 struct inode_security_struct *isec;
2316 struct common_audit_data ad;
2317 struct inode *inode = file_inode(bprm->file);
2318 int rc;
2319
2320 /* SELinux context only depends on initial program or script and not
2321 * the script interpreter */
2322 if (bprm->cred_prepared)
2323 return 0;
2324
2325 old_tsec = current_security();
2326 new_tsec = bprm->cred->security;
2327 isec = inode_security(inode);
2328
2329 /* Default to the current task SID. */
2330 new_tsec->sid = old_tsec->sid;
2331 new_tsec->osid = old_tsec->sid;
2332
2333 /* Reset fs, key, and sock SIDs on execve. */
2334 new_tsec->create_sid = 0;
2335 new_tsec->keycreate_sid = 0;
2336 new_tsec->sockcreate_sid = 0;
2337
2338 if (old_tsec->exec_sid) {
2339 new_tsec->sid = old_tsec->exec_sid;
2340 /* Reset exec SID on execve. */
2341 new_tsec->exec_sid = 0;
2342
2343 /* Fail on NNP or nosuid if not an allowed transition. */
2344 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2345 if (rc)
2346 return rc;
2347 } else {
2348 /* Check for a default transition on this program. */
2349 rc = security_transition_sid(old_tsec->sid, isec->sid,
2350 SECCLASS_PROCESS, NULL,
2351 &new_tsec->sid);
2352 if (rc)
2353 return rc;
2354
2355 /*
2356 * Fallback to old SID on NNP or nosuid if not an allowed
2357 * transition.
2358 */
2359 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2360 if (rc)
2361 new_tsec->sid = old_tsec->sid;
2362 }
2363
2364 ad.type = LSM_AUDIT_DATA_FILE;
2365 ad.u.file = bprm->file;
2366
2367 if (new_tsec->sid == old_tsec->sid) {
2368 rc = avc_has_perm(old_tsec->sid, isec->sid,
2369 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2370 if (rc)
2371 return rc;
2372 } else {
2373 /* Check permissions for the transition. */
2374 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2375 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2376 if (rc)
2377 return rc;
2378
2379 rc = avc_has_perm(new_tsec->sid, isec->sid,
2380 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2381 if (rc)
2382 return rc;
2383
2384 /* Check for shared state */
2385 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2386 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2387 SECCLASS_PROCESS, PROCESS__SHARE,
2388 NULL);
2389 if (rc)
2390 return -EPERM;
2391 }
2392
2393 /* Make sure that anyone attempting to ptrace over a task that
2394 * changes its SID has the appropriate permit */
2395 if (bprm->unsafe &
2396 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2397 u32 ptsid = ptrace_parent_sid(current);
2398 if (ptsid != 0) {
2399 rc = avc_has_perm(ptsid, new_tsec->sid,
2400 SECCLASS_PROCESS,
2401 PROCESS__PTRACE, NULL);
2402 if (rc)
2403 return -EPERM;
2404 }
2405 }
2406
2407 /* Clear any possibly unsafe personality bits on exec: */
2408 bprm->per_clear |= PER_CLEAR_ON_SETID;
2409 }
2410
2411 return 0;
2412 }
2413
2414 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2415 {
2416 const struct task_security_struct *tsec = current_security();
2417 u32 sid, osid;
2418 int atsecure = 0;
2419
2420 sid = tsec->sid;
2421 osid = tsec->osid;
2422
2423 if (osid != sid) {
2424 /* Enable secure mode for SIDs transitions unless
2425 the noatsecure permission is granted between
2426 the two SIDs, i.e. ahp returns 0. */
2427 atsecure = avc_has_perm(osid, sid,
2428 SECCLASS_PROCESS,
2429 PROCESS__NOATSECURE, NULL);
2430 }
2431
2432 return !!atsecure;
2433 }
2434
2435 static int match_file(const void *p, struct file *file, unsigned fd)
2436 {
2437 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2438 }
2439
2440 /* Derived from fs/exec.c:flush_old_files. */
2441 static inline void flush_unauthorized_files(const struct cred *cred,
2442 struct files_struct *files)
2443 {
2444 struct file *file, *devnull = NULL;
2445 struct tty_struct *tty;
2446 int drop_tty = 0;
2447 unsigned n;
2448
2449 tty = get_current_tty();
2450 if (tty) {
2451 spin_lock(&tty->files_lock);
2452 if (!list_empty(&tty->tty_files)) {
2453 struct tty_file_private *file_priv;
2454
2455 /* Revalidate access to controlling tty.
2456 Use file_path_has_perm on the tty path directly
2457 rather than using file_has_perm, as this particular
2458 open file may belong to another process and we are
2459 only interested in the inode-based check here. */
2460 file_priv = list_first_entry(&tty->tty_files,
2461 struct tty_file_private, list);
2462 file = file_priv->file;
2463 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2464 drop_tty = 1;
2465 }
2466 spin_unlock(&tty->files_lock);
2467 tty_kref_put(tty);
2468 }
2469 /* Reset controlling tty. */
2470 if (drop_tty)
2471 no_tty();
2472
2473 /* Revalidate access to inherited open files. */
2474 n = iterate_fd(files, 0, match_file, cred);
2475 if (!n) /* none found? */
2476 return;
2477
2478 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2479 if (IS_ERR(devnull))
2480 devnull = NULL;
2481 /* replace all the matching ones with this */
2482 do {
2483 replace_fd(n - 1, devnull, 0);
2484 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2485 if (devnull)
2486 fput(devnull);
2487 }
2488
2489 /*
2490 * Prepare a process for imminent new credential changes due to exec
2491 */
2492 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2493 {
2494 struct task_security_struct *new_tsec;
2495 struct rlimit *rlim, *initrlim;
2496 int rc, i;
2497
2498 new_tsec = bprm->cred->security;
2499 if (new_tsec->sid == new_tsec->osid)
2500 return;
2501
2502 /* Close files for which the new task SID is not authorized. */
2503 flush_unauthorized_files(bprm->cred, current->files);
2504
2505 /* Always clear parent death signal on SID transitions. */
2506 current->pdeath_signal = 0;
2507
2508 /* Check whether the new SID can inherit resource limits from the old
2509 * SID. If not, reset all soft limits to the lower of the current
2510 * task's hard limit and the init task's soft limit.
2511 *
2512 * Note that the setting of hard limits (even to lower them) can be
2513 * controlled by the setrlimit check. The inclusion of the init task's
2514 * soft limit into the computation is to avoid resetting soft limits
2515 * higher than the default soft limit for cases where the default is
2516 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2517 */
2518 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2519 PROCESS__RLIMITINH, NULL);
2520 if (rc) {
2521 /* protect against do_prlimit() */
2522 task_lock(current);
2523 for (i = 0; i < RLIM_NLIMITS; i++) {
2524 rlim = current->signal->rlim + i;
2525 initrlim = init_task.signal->rlim + i;
2526 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2527 }
2528 task_unlock(current);
2529 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2530 }
2531 }
2532
2533 /*
2534 * Clean up the process immediately after the installation of new credentials
2535 * due to exec
2536 */
2537 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2538 {
2539 const struct task_security_struct *tsec = current_security();
2540 struct itimerval itimer;
2541 u32 osid, sid;
2542 int rc, i;
2543
2544 osid = tsec->osid;
2545 sid = tsec->sid;
2546
2547 if (sid == osid)
2548 return;
2549
2550 /* Check whether the new SID can inherit signal state from the old SID.
2551 * If not, clear itimers to avoid subsequent signal generation and
2552 * flush and unblock signals.
2553 *
2554 * This must occur _after_ the task SID has been updated so that any
2555 * kill done after the flush will be checked against the new SID.
2556 */
2557 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2558 if (rc) {
2559 memset(&itimer, 0, sizeof itimer);
2560 for (i = 0; i < 3; i++)
2561 do_setitimer(i, &itimer, NULL);
2562 spin_lock_irq(&current->sighand->siglock);
2563 if (!fatal_signal_pending(current)) {
2564 flush_sigqueue(&current->pending);
2565 flush_sigqueue(&current->signal->shared_pending);
2566 flush_signal_handlers(current, 1);
2567 sigemptyset(&current->blocked);
2568 recalc_sigpending();
2569 }
2570 spin_unlock_irq(&current->sighand->siglock);
2571 }
2572
2573 /* Wake up the parent if it is waiting so that it can recheck
2574 * wait permission to the new task SID. */
2575 read_lock(&tasklist_lock);
2576 __wake_up_parent(current, current->real_parent);
2577 read_unlock(&tasklist_lock);
2578 }
2579
2580 /* superblock security operations */
2581
2582 static int selinux_sb_alloc_security(struct super_block *sb)
2583 {
2584 return superblock_alloc_security(sb);
2585 }
2586
2587 static void selinux_sb_free_security(struct super_block *sb)
2588 {
2589 superblock_free_security(sb);
2590 }
2591
2592 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2593 {
2594 if (plen > olen)
2595 return 0;
2596
2597 return !memcmp(prefix, option, plen);
2598 }
2599
2600 static inline int selinux_option(char *option, int len)
2601 {
2602 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2603 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2604 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2605 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2606 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2607 }
2608
2609 static inline void take_option(char **to, char *from, int *first, int len)
2610 {
2611 if (!*first) {
2612 **to = ',';
2613 *to += 1;
2614 } else
2615 *first = 0;
2616 memcpy(*to, from, len);
2617 *to += len;
2618 }
2619
2620 static inline void take_selinux_option(char **to, char *from, int *first,
2621 int len)
2622 {
2623 int current_size = 0;
2624
2625 if (!*first) {
2626 **to = '|';
2627 *to += 1;
2628 } else
2629 *first = 0;
2630
2631 while (current_size < len) {
2632 if (*from != '"') {
2633 **to = *from;
2634 *to += 1;
2635 }
2636 from += 1;
2637 current_size += 1;
2638 }
2639 }
2640
2641 static int selinux_sb_copy_data(char *orig, char *copy)
2642 {
2643 int fnosec, fsec, rc = 0;
2644 char *in_save, *in_curr, *in_end;
2645 char *sec_curr, *nosec_save, *nosec;
2646 int open_quote = 0;
2647
2648 in_curr = orig;
2649 sec_curr = copy;
2650
2651 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2652 if (!nosec) {
2653 rc = -ENOMEM;
2654 goto out;
2655 }
2656
2657 nosec_save = nosec;
2658 fnosec = fsec = 1;
2659 in_save = in_end = orig;
2660
2661 do {
2662 if (*in_end == '"')
2663 open_quote = !open_quote;
2664 if ((*in_end == ',' && open_quote == 0) ||
2665 *in_end == '\0') {
2666 int len = in_end - in_curr;
2667
2668 if (selinux_option(in_curr, len))
2669 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2670 else
2671 take_option(&nosec, in_curr, &fnosec, len);
2672
2673 in_curr = in_end + 1;
2674 }
2675 } while (*in_end++);
2676
2677 strcpy(in_save, nosec_save);
2678 free_page((unsigned long)nosec_save);
2679 out:
2680 return rc;
2681 }
2682
2683 static int selinux_sb_remount(struct super_block *sb, void *data)
2684 {
2685 int rc, i, *flags;
2686 struct security_mnt_opts opts;
2687 char *secdata, **mount_options;
2688 struct superblock_security_struct *sbsec = sb->s_security;
2689
2690 if (!(sbsec->flags & SE_SBINITIALIZED))
2691 return 0;
2692
2693 if (!data)
2694 return 0;
2695
2696 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2697 return 0;
2698
2699 security_init_mnt_opts(&opts);
2700 secdata = alloc_secdata();
2701 if (!secdata)
2702 return -ENOMEM;
2703 rc = selinux_sb_copy_data(data, secdata);
2704 if (rc)
2705 goto out_free_secdata;
2706
2707 rc = selinux_parse_opts_str(secdata, &opts);
2708 if (rc)
2709 goto out_free_secdata;
2710
2711 mount_options = opts.mnt_opts;
2712 flags = opts.mnt_opts_flags;
2713
2714 for (i = 0; i < opts.num_mnt_opts; i++) {
2715 u32 sid;
2716
2717 if (flags[i] == SBLABEL_MNT)
2718 continue;
2719 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2720 if (rc) {
2721 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2722 "(%s) failed for (dev %s, type %s) errno=%d\n",
2723 mount_options[i], sb->s_id, sb->s_type->name, rc);
2724 goto out_free_opts;
2725 }
2726 rc = -EINVAL;
2727 switch (flags[i]) {
2728 case FSCONTEXT_MNT:
2729 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2730 goto out_bad_option;
2731 break;
2732 case CONTEXT_MNT:
2733 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2734 goto out_bad_option;
2735 break;
2736 case ROOTCONTEXT_MNT: {
2737 struct inode_security_struct *root_isec;
2738 root_isec = backing_inode_security(sb->s_root);
2739
2740 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2741 goto out_bad_option;
2742 break;
2743 }
2744 case DEFCONTEXT_MNT:
2745 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2746 goto out_bad_option;
2747 break;
2748 default:
2749 goto out_free_opts;
2750 }
2751 }
2752
2753 rc = 0;
2754 out_free_opts:
2755 security_free_mnt_opts(&opts);
2756 out_free_secdata:
2757 free_secdata(secdata);
2758 return rc;
2759 out_bad_option:
2760 printk(KERN_WARNING "SELinux: unable to change security options "
2761 "during remount (dev %s, type=%s)\n", sb->s_id,
2762 sb->s_type->name);
2763 goto out_free_opts;
2764 }
2765
2766 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2767 {
2768 const struct cred *cred = current_cred();
2769 struct common_audit_data ad;
2770 int rc;
2771
2772 rc = superblock_doinit(sb, data);
2773 if (rc)
2774 return rc;
2775
2776 /* Allow all mounts performed by the kernel */
2777 if (flags & MS_KERNMOUNT)
2778 return 0;
2779
2780 ad.type = LSM_AUDIT_DATA_DENTRY;
2781 ad.u.dentry = sb->s_root;
2782 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2783 }
2784
2785 static int selinux_sb_statfs(struct dentry *dentry)
2786 {
2787 const struct cred *cred = current_cred();
2788 struct common_audit_data ad;
2789
2790 ad.type = LSM_AUDIT_DATA_DENTRY;
2791 ad.u.dentry = dentry->d_sb->s_root;
2792 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2793 }
2794
2795 static int selinux_mount(const char *dev_name,
2796 const struct path *path,
2797 const char *type,
2798 unsigned long flags,
2799 void *data)
2800 {
2801 const struct cred *cred = current_cred();
2802
2803 if (flags & MS_REMOUNT)
2804 return superblock_has_perm(cred, path->dentry->d_sb,
2805 FILESYSTEM__REMOUNT, NULL);
2806 else
2807 return path_has_perm(cred, path, FILE__MOUNTON);
2808 }
2809
2810 static int selinux_umount(struct vfsmount *mnt, int flags)
2811 {
2812 const struct cred *cred = current_cred();
2813
2814 return superblock_has_perm(cred, mnt->mnt_sb,
2815 FILESYSTEM__UNMOUNT, NULL);
2816 }
2817
2818 /* inode security operations */
2819
2820 static int selinux_inode_alloc_security(struct inode *inode)
2821 {
2822 return inode_alloc_security(inode);
2823 }
2824
2825 static void selinux_inode_free_security(struct inode *inode)
2826 {
2827 inode_free_security(inode);
2828 }
2829
2830 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2831 const struct qstr *name, void **ctx,
2832 u32 *ctxlen)
2833 {
2834 u32 newsid;
2835 int rc;
2836
2837 rc = selinux_determine_inode_label(current_security(),
2838 d_inode(dentry->d_parent), name,
2839 inode_mode_to_security_class(mode),
2840 &newsid);
2841 if (rc)
2842 return rc;
2843
2844 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2845 }
2846
2847 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2848 struct qstr *name,
2849 const struct cred *old,
2850 struct cred *new)
2851 {
2852 u32 newsid;
2853 int rc;
2854 struct task_security_struct *tsec;
2855
2856 rc = selinux_determine_inode_label(old->security,
2857 d_inode(dentry->d_parent), name,
2858 inode_mode_to_security_class(mode),
2859 &newsid);
2860 if (rc)
2861 return rc;
2862
2863 tsec = new->security;
2864 tsec->create_sid = newsid;
2865 return 0;
2866 }
2867
2868 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2869 const struct qstr *qstr,
2870 const char **name,
2871 void **value, size_t *len)
2872 {
2873 const struct task_security_struct *tsec = current_security();
2874 struct superblock_security_struct *sbsec;
2875 u32 sid, newsid, clen;
2876 int rc;
2877 char *context;
2878
2879 sbsec = dir->i_sb->s_security;
2880
2881 sid = tsec->sid;
2882 newsid = tsec->create_sid;
2883
2884 rc = selinux_determine_inode_label(current_security(),
2885 dir, qstr,
2886 inode_mode_to_security_class(inode->i_mode),
2887 &newsid);
2888 if (rc)
2889 return rc;
2890
2891 /* Possibly defer initialization to selinux_complete_init. */
2892 if (sbsec->flags & SE_SBINITIALIZED) {
2893 struct inode_security_struct *isec = inode->i_security;
2894 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2895 isec->sid = newsid;
2896 isec->initialized = LABEL_INITIALIZED;
2897 }
2898
2899 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2900 return -EOPNOTSUPP;
2901
2902 if (name)
2903 *name = XATTR_SELINUX_SUFFIX;
2904
2905 if (value && len) {
2906 rc = security_sid_to_context_force(newsid, &context, &clen);
2907 if (rc)
2908 return rc;
2909 *value = context;
2910 *len = clen;
2911 }
2912
2913 return 0;
2914 }
2915
2916 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2917 {
2918 return may_create(dir, dentry, SECCLASS_FILE);
2919 }
2920
2921 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2922 {
2923 return may_link(dir, old_dentry, MAY_LINK);
2924 }
2925
2926 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2927 {
2928 return may_link(dir, dentry, MAY_UNLINK);
2929 }
2930
2931 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2932 {
2933 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2934 }
2935
2936 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2937 {
2938 return may_create(dir, dentry, SECCLASS_DIR);
2939 }
2940
2941 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2942 {
2943 return may_link(dir, dentry, MAY_RMDIR);
2944 }
2945
2946 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2947 {
2948 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2949 }
2950
2951 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2952 struct inode *new_inode, struct dentry *new_dentry)
2953 {
2954 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2955 }
2956
2957 static int selinux_inode_readlink(struct dentry *dentry)
2958 {
2959 const struct cred *cred = current_cred();
2960
2961 return dentry_has_perm(cred, dentry, FILE__READ);
2962 }
2963
2964 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2965 bool rcu)
2966 {
2967 const struct cred *cred = current_cred();
2968 struct common_audit_data ad;
2969 struct inode_security_struct *isec;
2970 u32 sid;
2971
2972 validate_creds(cred);
2973
2974 ad.type = LSM_AUDIT_DATA_DENTRY;
2975 ad.u.dentry = dentry;
2976 sid = cred_sid(cred);
2977 isec = inode_security_rcu(inode, rcu);
2978 if (IS_ERR(isec))
2979 return PTR_ERR(isec);
2980
2981 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2982 rcu ? MAY_NOT_BLOCK : 0);
2983 }
2984
2985 static noinline int audit_inode_permission(struct inode *inode,
2986 u32 perms, u32 audited, u32 denied,
2987 int result,
2988 unsigned flags)
2989 {
2990 struct common_audit_data ad;
2991 struct inode_security_struct *isec = inode->i_security;
2992 int rc;
2993
2994 ad.type = LSM_AUDIT_DATA_INODE;
2995 ad.u.inode = inode;
2996
2997 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2998 audited, denied, result, &ad, flags);
2999 if (rc)
3000 return rc;
3001 return 0;
3002 }
3003
3004 static int selinux_inode_permission(struct inode *inode, int mask)
3005 {
3006 const struct cred *cred = current_cred();
3007 u32 perms;
3008 bool from_access;
3009 unsigned flags = mask & MAY_NOT_BLOCK;
3010 struct inode_security_struct *isec;
3011 u32 sid;
3012 struct av_decision avd;
3013 int rc, rc2;
3014 u32 audited, denied;
3015
3016 from_access = mask & MAY_ACCESS;
3017 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3018
3019 /* No permission to check. Existence test. */
3020 if (!mask)
3021 return 0;
3022
3023 validate_creds(cred);
3024
3025 if (unlikely(IS_PRIVATE(inode)))
3026 return 0;
3027
3028 perms = file_mask_to_av(inode->i_mode, mask);
3029
3030 sid = cred_sid(cred);
3031 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3032 if (IS_ERR(isec))
3033 return PTR_ERR(isec);
3034
3035 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3036 audited = avc_audit_required(perms, &avd, rc,
3037 from_access ? FILE__AUDIT_ACCESS : 0,
3038 &denied);
3039 if (likely(!audited))
3040 return rc;
3041
3042 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3043 if (rc2)
3044 return rc2;
3045 return rc;
3046 }
3047
3048 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3049 {
3050 const struct cred *cred = current_cred();
3051 unsigned int ia_valid = iattr->ia_valid;
3052 __u32 av = FILE__WRITE;
3053
3054 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3055 if (ia_valid & ATTR_FORCE) {
3056 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3057 ATTR_FORCE);
3058 if (!ia_valid)
3059 return 0;
3060 }
3061
3062 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3063 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3064 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3065
3066 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3067 && !(ia_valid & ATTR_FILE))
3068 av |= FILE__OPEN;
3069
3070 return dentry_has_perm(cred, dentry, av);
3071 }
3072
3073 static int selinux_inode_getattr(const struct path *path)
3074 {
3075 return path_has_perm(current_cred(), path, FILE__GETATTR);
3076 }
3077
3078 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3079 {
3080 const struct cred *cred = current_cred();
3081
3082 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3083 sizeof XATTR_SECURITY_PREFIX - 1)) {
3084 if (!strcmp(name, XATTR_NAME_CAPS)) {
3085 if (!capable(CAP_SETFCAP))
3086 return -EPERM;
3087 } else if (!capable(CAP_SYS_ADMIN)) {
3088 /* A different attribute in the security namespace.
3089 Restrict to administrator. */
3090 return -EPERM;
3091 }
3092 }
3093
3094 /* Not an attribute we recognize, so just check the
3095 ordinary setattr permission. */
3096 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3097 }
3098
3099 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3100 const void *value, size_t size, int flags)
3101 {
3102 struct inode *inode = d_backing_inode(dentry);
3103 struct inode_security_struct *isec;
3104 struct superblock_security_struct *sbsec;
3105 struct common_audit_data ad;
3106 u32 newsid, sid = current_sid();
3107 int rc = 0;
3108
3109 if (strcmp(name, XATTR_NAME_SELINUX))
3110 return selinux_inode_setotherxattr(dentry, name);
3111
3112 sbsec = inode->i_sb->s_security;
3113 if (!(sbsec->flags & SBLABEL_MNT))
3114 return -EOPNOTSUPP;
3115
3116 if (!inode_owner_or_capable(inode))
3117 return -EPERM;
3118
3119 ad.type = LSM_AUDIT_DATA_DENTRY;
3120 ad.u.dentry = dentry;
3121
3122 isec = backing_inode_security(dentry);
3123 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3124 FILE__RELABELFROM, &ad);
3125 if (rc)
3126 return rc;
3127
3128 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3129 if (rc == -EINVAL) {
3130 if (!capable(CAP_MAC_ADMIN)) {
3131 struct audit_buffer *ab;
3132 size_t audit_size;
3133 const char *str;
3134
3135 /* We strip a nul only if it is at the end, otherwise the
3136 * context contains a nul and we should audit that */
3137 if (value) {
3138 str = value;
3139 if (str[size - 1] == '\0')
3140 audit_size = size - 1;
3141 else
3142 audit_size = size;
3143 } else {
3144 str = "";
3145 audit_size = 0;
3146 }
3147 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3148 audit_log_format(ab, "op=setxattr invalid_context=");
3149 audit_log_n_untrustedstring(ab, value, audit_size);
3150 audit_log_end(ab);
3151
3152 return rc;
3153 }
3154 rc = security_context_to_sid_force(value, size, &newsid);
3155 }
3156 if (rc)
3157 return rc;
3158
3159 rc = avc_has_perm(sid, newsid, isec->sclass,
3160 FILE__RELABELTO, &ad);
3161 if (rc)
3162 return rc;
3163
3164 rc = security_validate_transition(isec->sid, newsid, sid,
3165 isec->sclass);
3166 if (rc)
3167 return rc;
3168
3169 return avc_has_perm(newsid,
3170 sbsec->sid,
3171 SECCLASS_FILESYSTEM,
3172 FILESYSTEM__ASSOCIATE,
3173 &ad);
3174 }
3175
3176 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3177 const void *value, size_t size,
3178 int flags)
3179 {
3180 struct inode *inode = d_backing_inode(dentry);
3181 struct inode_security_struct *isec;
3182 u32 newsid;
3183 int rc;
3184
3185 if (strcmp(name, XATTR_NAME_SELINUX)) {
3186 /* Not an attribute we recognize, so nothing to do. */
3187 return;
3188 }
3189
3190 rc = security_context_to_sid_force(value, size, &newsid);
3191 if (rc) {
3192 printk(KERN_ERR "SELinux: unable to map context to SID"
3193 "for (%s, %lu), rc=%d\n",
3194 inode->i_sb->s_id, inode->i_ino, -rc);
3195 return;
3196 }
3197
3198 isec = backing_inode_security(dentry);
3199 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3200 isec->sid = newsid;
3201 isec->initialized = LABEL_INITIALIZED;
3202
3203 return;
3204 }
3205
3206 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3207 {
3208 const struct cred *cred = current_cred();
3209
3210 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3211 }
3212
3213 static int selinux_inode_listxattr(struct dentry *dentry)
3214 {
3215 const struct cred *cred = current_cred();
3216
3217 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3218 }
3219
3220 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3221 {
3222 if (strcmp(name, XATTR_NAME_SELINUX))
3223 return selinux_inode_setotherxattr(dentry, name);
3224
3225 /* No one is allowed to remove a SELinux security label.
3226 You can change the label, but all data must be labeled. */
3227 return -EACCES;
3228 }
3229
3230 /*
3231 * Copy the inode security context value to the user.
3232 *
3233 * Permission check is handled by selinux_inode_getxattr hook.
3234 */
3235 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3236 {
3237 u32 size;
3238 int error;
3239 char *context = NULL;
3240 struct inode_security_struct *isec;
3241
3242 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3243 return -EOPNOTSUPP;
3244
3245 /*
3246 * If the caller has CAP_MAC_ADMIN, then get the raw context
3247 * value even if it is not defined by current policy; otherwise,
3248 * use the in-core value under current policy.
3249 * Use the non-auditing forms of the permission checks since
3250 * getxattr may be called by unprivileged processes commonly
3251 * and lack of permission just means that we fall back to the
3252 * in-core context value, not a denial.
3253 */
3254 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3255 SECURITY_CAP_NOAUDIT);
3256 if (!error)
3257 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3258 SECURITY_CAP_NOAUDIT, true);
3259 isec = inode_security(inode);
3260 if (!error)
3261 error = security_sid_to_context_force(isec->sid, &context,
3262 &size);
3263 else
3264 error = security_sid_to_context(isec->sid, &context, &size);
3265 if (error)
3266 return error;
3267 error = size;
3268 if (alloc) {
3269 *buffer = context;
3270 goto out_nofree;
3271 }
3272 kfree(context);
3273 out_nofree:
3274 return error;
3275 }
3276
3277 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3278 const void *value, size_t size, int flags)
3279 {
3280 struct inode_security_struct *isec = inode_security_novalidate(inode);
3281 u32 newsid;
3282 int rc;
3283
3284 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3285 return -EOPNOTSUPP;
3286
3287 if (!value || !size)
3288 return -EACCES;
3289
3290 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3291 if (rc)
3292 return rc;
3293
3294 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3295 isec->sid = newsid;
3296 isec->initialized = LABEL_INITIALIZED;
3297 return 0;
3298 }
3299
3300 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3301 {
3302 const int len = sizeof(XATTR_NAME_SELINUX);
3303 if (buffer && len <= buffer_size)
3304 memcpy(buffer, XATTR_NAME_SELINUX, len);
3305 return len;
3306 }
3307
3308 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3309 {
3310 struct inode_security_struct *isec = inode_security_novalidate(inode);
3311 *secid = isec->sid;
3312 }
3313
3314 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3315 {
3316 u32 sid;
3317 struct task_security_struct *tsec;
3318 struct cred *new_creds = *new;
3319
3320 if (new_creds == NULL) {
3321 new_creds = prepare_creds();
3322 if (!new_creds)
3323 return -ENOMEM;
3324 }
3325
3326 tsec = new_creds->security;
3327 /* Get label from overlay inode and set it in create_sid */
3328 selinux_inode_getsecid(d_inode(src), &sid);
3329 tsec->create_sid = sid;
3330 *new = new_creds;
3331 return 0;
3332 }
3333
3334 static int selinux_inode_copy_up_xattr(const char *name)
3335 {
3336 /* The copy_up hook above sets the initial context on an inode, but we
3337 * don't then want to overwrite it by blindly copying all the lower
3338 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3339 */
3340 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3341 return 1; /* Discard */
3342 /*
3343 * Any other attribute apart from SELINUX is not claimed, supported
3344 * by selinux.
3345 */
3346 return -EOPNOTSUPP;
3347 }
3348
3349 /* file security operations */
3350
3351 static int selinux_revalidate_file_permission(struct file *file, int mask)
3352 {
3353 const struct cred *cred = current_cred();
3354 struct inode *inode = file_inode(file);
3355
3356 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3357 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3358 mask |= MAY_APPEND;
3359
3360 return file_has_perm(cred, file,
3361 file_mask_to_av(inode->i_mode, mask));
3362 }
3363
3364 static int selinux_file_permission(struct file *file, int mask)
3365 {
3366 struct inode *inode = file_inode(file);
3367 struct file_security_struct *fsec = file->f_security;
3368 struct inode_security_struct *isec;
3369 u32 sid = current_sid();
3370
3371 if (!mask)
3372 /* No permission to check. Existence test. */
3373 return 0;
3374
3375 isec = inode_security(inode);
3376 if (sid == fsec->sid && fsec->isid == isec->sid &&
3377 fsec->pseqno == avc_policy_seqno())
3378 /* No change since file_open check. */
3379 return 0;
3380
3381 return selinux_revalidate_file_permission(file, mask);
3382 }
3383
3384 static int selinux_file_alloc_security(struct file *file)
3385 {
3386 return file_alloc_security(file);
3387 }
3388
3389 static void selinux_file_free_security(struct file *file)
3390 {
3391 file_free_security(file);
3392 }
3393
3394 /*
3395 * Check whether a task has the ioctl permission and cmd
3396 * operation to an inode.
3397 */
3398 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3399 u32 requested, u16 cmd)
3400 {
3401 struct common_audit_data ad;
3402 struct file_security_struct *fsec = file->f_security;
3403 struct inode *inode = file_inode(file);
3404 struct inode_security_struct *isec;
3405 struct lsm_ioctlop_audit ioctl;
3406 u32 ssid = cred_sid(cred);
3407 int rc;
3408 u8 driver = cmd >> 8;
3409 u8 xperm = cmd & 0xff;
3410
3411 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3412 ad.u.op = &ioctl;
3413 ad.u.op->cmd = cmd;
3414 ad.u.op->path = file->f_path;
3415
3416 if (ssid != fsec->sid) {
3417 rc = avc_has_perm(ssid, fsec->sid,
3418 SECCLASS_FD,
3419 FD__USE,
3420 &ad);
3421 if (rc)
3422 goto out;
3423 }
3424
3425 if (unlikely(IS_PRIVATE(inode)))
3426 return 0;
3427
3428 isec = inode_security(inode);
3429 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3430 requested, driver, xperm, &ad);
3431 out:
3432 return rc;
3433 }
3434
3435 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3436 unsigned long arg)
3437 {
3438 const struct cred *cred = current_cred();
3439 int error = 0;
3440
3441 switch (cmd) {
3442 case FIONREAD:
3443 /* fall through */
3444 case FIBMAP:
3445 /* fall through */
3446 case FIGETBSZ:
3447 /* fall through */
3448 case FS_IOC_GETFLAGS:
3449 /* fall through */
3450 case FS_IOC_GETVERSION:
3451 error = file_has_perm(cred, file, FILE__GETATTR);
3452 break;
3453
3454 case FS_IOC_SETFLAGS:
3455 /* fall through */
3456 case FS_IOC_SETVERSION:
3457 error = file_has_perm(cred, file, FILE__SETATTR);
3458 break;
3459
3460 /* sys_ioctl() checks */
3461 case FIONBIO:
3462 /* fall through */
3463 case FIOASYNC:
3464 error = file_has_perm(cred, file, 0);
3465 break;
3466
3467 case KDSKBENT:
3468 case KDSKBSENT:
3469 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3470 SECURITY_CAP_AUDIT, true);
3471 break;
3472
3473 /* default case assumes that the command will go
3474 * to the file's ioctl() function.
3475 */
3476 default:
3477 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3478 }
3479 return error;
3480 }
3481
3482 static int default_noexec;
3483
3484 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3485 {
3486 const struct cred *cred = current_cred();
3487 int rc = 0;
3488
3489 if (default_noexec &&
3490 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3491 (!shared && (prot & PROT_WRITE)))) {
3492 /*
3493 * We are making executable an anonymous mapping or a
3494 * private file mapping that will also be writable.
3495 * This has an additional check.
3496 */
3497 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3498 if (rc)
3499 goto error;
3500 }
3501
3502 if (file) {
3503 /* read access is always possible with a mapping */
3504 u32 av = FILE__READ;
3505
3506 /* write access only matters if the mapping is shared */
3507 if (shared && (prot & PROT_WRITE))
3508 av |= FILE__WRITE;
3509
3510 if (prot & PROT_EXEC)
3511 av |= FILE__EXECUTE;
3512
3513 return file_has_perm(cred, file, av);
3514 }
3515
3516 error:
3517 return rc;
3518 }
3519
3520 static int selinux_mmap_addr(unsigned long addr)
3521 {
3522 int rc = 0;
3523
3524 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3525 u32 sid = current_sid();
3526 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3527 MEMPROTECT__MMAP_ZERO, NULL);
3528 }
3529
3530 return rc;
3531 }
3532
3533 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3534 unsigned long prot, unsigned long flags)
3535 {
3536 if (selinux_checkreqprot)
3537 prot = reqprot;
3538
3539 return file_map_prot_check(file, prot,
3540 (flags & MAP_TYPE) == MAP_SHARED);
3541 }
3542
3543 static int selinux_file_mprotect(struct vm_area_struct *vma,
3544 unsigned long reqprot,
3545 unsigned long prot)
3546 {
3547 const struct cred *cred = current_cred();
3548
3549 if (selinux_checkreqprot)
3550 prot = reqprot;
3551
3552 if (default_noexec &&
3553 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3554 int rc = 0;
3555 if (vma->vm_start >= vma->vm_mm->start_brk &&
3556 vma->vm_end <= vma->vm_mm->brk) {
3557 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3558 } else if (!vma->vm_file &&
3559 ((vma->vm_start <= vma->vm_mm->start_stack &&
3560 vma->vm_end >= vma->vm_mm->start_stack) ||
3561 vma_is_stack_for_current(vma))) {
3562 rc = current_has_perm(current, PROCESS__EXECSTACK);
3563 } else if (vma->vm_file && vma->anon_vma) {
3564 /*
3565 * We are making executable a file mapping that has
3566 * had some COW done. Since pages might have been
3567 * written, check ability to execute the possibly
3568 * modified content. This typically should only
3569 * occur for text relocations.
3570 */
3571 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3572 }
3573 if (rc)
3574 return rc;
3575 }
3576
3577 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3578 }
3579
3580 static int selinux_file_lock(struct file *file, unsigned int cmd)
3581 {
3582 const struct cred *cred = current_cred();
3583
3584 return file_has_perm(cred, file, FILE__LOCK);
3585 }
3586
3587 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3588 unsigned long arg)
3589 {
3590 const struct cred *cred = current_cred();
3591 int err = 0;
3592
3593 switch (cmd) {
3594 case F_SETFL:
3595 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3596 err = file_has_perm(cred, file, FILE__WRITE);
3597 break;
3598 }
3599 /* fall through */
3600 case F_SETOWN:
3601 case F_SETSIG:
3602 case F_GETFL:
3603 case F_GETOWN:
3604 case F_GETSIG:
3605 case F_GETOWNER_UIDS:
3606 /* Just check FD__USE permission */
3607 err = file_has_perm(cred, file, 0);
3608 break;
3609 case F_GETLK:
3610 case F_SETLK:
3611 case F_SETLKW:
3612 case F_OFD_GETLK:
3613 case F_OFD_SETLK:
3614 case F_OFD_SETLKW:
3615 #if BITS_PER_LONG == 32
3616 case F_GETLK64:
3617 case F_SETLK64:
3618 case F_SETLKW64:
3619 #endif
3620 err = file_has_perm(cred, file, FILE__LOCK);
3621 break;
3622 }
3623
3624 return err;
3625 }
3626
3627 static void selinux_file_set_fowner(struct file *file)
3628 {
3629 struct file_security_struct *fsec;
3630
3631 fsec = file->f_security;
3632 fsec->fown_sid = current_sid();
3633 }
3634
3635 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3636 struct fown_struct *fown, int signum)
3637 {
3638 struct file *file;
3639 u32 sid = task_sid(tsk);
3640 u32 perm;
3641 struct file_security_struct *fsec;
3642
3643 /* struct fown_struct is never outside the context of a struct file */
3644 file = container_of(fown, struct file, f_owner);
3645
3646 fsec = file->f_security;
3647
3648 if (!signum)
3649 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3650 else
3651 perm = signal_to_av(signum);
3652
3653 return avc_has_perm(fsec->fown_sid, sid,
3654 SECCLASS_PROCESS, perm, NULL);
3655 }
3656
3657 static int selinux_file_receive(struct file *file)
3658 {
3659 const struct cred *cred = current_cred();
3660
3661 return file_has_perm(cred, file, file_to_av(file));
3662 }
3663
3664 static int selinux_file_open(struct file *file, const struct cred *cred)
3665 {
3666 struct file_security_struct *fsec;
3667 struct inode_security_struct *isec;
3668
3669 fsec = file->f_security;
3670 isec = inode_security(file_inode(file));
3671 /*
3672 * Save inode label and policy sequence number
3673 * at open-time so that selinux_file_permission
3674 * can determine whether revalidation is necessary.
3675 * Task label is already saved in the file security
3676 * struct as its SID.
3677 */
3678 fsec->isid = isec->sid;
3679 fsec->pseqno = avc_policy_seqno();
3680 /*
3681 * Since the inode label or policy seqno may have changed
3682 * between the selinux_inode_permission check and the saving
3683 * of state above, recheck that access is still permitted.
3684 * Otherwise, access might never be revalidated against the
3685 * new inode label or new policy.
3686 * This check is not redundant - do not remove.
3687 */
3688 return file_path_has_perm(cred, file, open_file_to_av(file));
3689 }
3690
3691 /* task security operations */
3692
3693 static int selinux_task_create(unsigned long clone_flags)
3694 {
3695 return current_has_perm(current, PROCESS__FORK);
3696 }
3697
3698 /*
3699 * allocate the SELinux part of blank credentials
3700 */
3701 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3702 {
3703 struct task_security_struct *tsec;
3704
3705 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3706 if (!tsec)
3707 return -ENOMEM;
3708
3709 cred->security = tsec;
3710 return 0;
3711 }
3712
3713 /*
3714 * detach and free the LSM part of a set of credentials
3715 */
3716 static void selinux_cred_free(struct cred *cred)
3717 {
3718 struct task_security_struct *tsec = cred->security;
3719
3720 /*
3721 * cred->security == NULL if security_cred_alloc_blank() or
3722 * security_prepare_creds() returned an error.
3723 */
3724 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3725 cred->security = (void *) 0x7UL;
3726 kfree(tsec);
3727 }
3728
3729 /*
3730 * prepare a new set of credentials for modification
3731 */
3732 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3733 gfp_t gfp)
3734 {
3735 const struct task_security_struct *old_tsec;
3736 struct task_security_struct *tsec;
3737
3738 old_tsec = old->security;
3739
3740 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3741 if (!tsec)
3742 return -ENOMEM;
3743
3744 new->security = tsec;
3745 return 0;
3746 }
3747
3748 /*
3749 * transfer the SELinux data to a blank set of creds
3750 */
3751 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3752 {
3753 const struct task_security_struct *old_tsec = old->security;
3754 struct task_security_struct *tsec = new->security;
3755
3756 *tsec = *old_tsec;
3757 }
3758
3759 /*
3760 * set the security data for a kernel service
3761 * - all the creation contexts are set to unlabelled
3762 */
3763 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3764 {
3765 struct task_security_struct *tsec = new->security;
3766 u32 sid = current_sid();
3767 int ret;
3768
3769 ret = avc_has_perm(sid, secid,
3770 SECCLASS_KERNEL_SERVICE,
3771 KERNEL_SERVICE__USE_AS_OVERRIDE,
3772 NULL);
3773 if (ret == 0) {
3774 tsec->sid = secid;
3775 tsec->create_sid = 0;
3776 tsec->keycreate_sid = 0;
3777 tsec->sockcreate_sid = 0;
3778 }
3779 return ret;
3780 }
3781
3782 /*
3783 * set the file creation context in a security record to the same as the
3784 * objective context of the specified inode
3785 */
3786 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3787 {
3788 struct inode_security_struct *isec = inode_security(inode);
3789 struct task_security_struct *tsec = new->security;
3790 u32 sid = current_sid();
3791 int ret;
3792
3793 ret = avc_has_perm(sid, isec->sid,
3794 SECCLASS_KERNEL_SERVICE,
3795 KERNEL_SERVICE__CREATE_FILES_AS,
3796 NULL);
3797
3798 if (ret == 0)
3799 tsec->create_sid = isec->sid;
3800 return ret;
3801 }
3802
3803 static int selinux_kernel_module_request(char *kmod_name)
3804 {
3805 u32 sid;
3806 struct common_audit_data ad;
3807
3808 sid = task_sid(current);
3809
3810 ad.type = LSM_AUDIT_DATA_KMOD;
3811 ad.u.kmod_name = kmod_name;
3812
3813 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3814 SYSTEM__MODULE_REQUEST, &ad);
3815 }
3816
3817 static int selinux_kernel_module_from_file(struct file *file)
3818 {
3819 struct common_audit_data ad;
3820 struct inode_security_struct *isec;
3821 struct file_security_struct *fsec;
3822 u32 sid = current_sid();
3823 int rc;
3824
3825 /* init_module */
3826 if (file == NULL)
3827 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3828 SYSTEM__MODULE_LOAD, NULL);
3829
3830 /* finit_module */
3831
3832 ad.type = LSM_AUDIT_DATA_FILE;
3833 ad.u.file = file;
3834
3835 fsec = file->f_security;
3836 if (sid != fsec->sid) {
3837 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3838 if (rc)
3839 return rc;
3840 }
3841
3842 isec = inode_security(file_inode(file));
3843 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3844 SYSTEM__MODULE_LOAD, &ad);
3845 }
3846
3847 static int selinux_kernel_read_file(struct file *file,
3848 enum kernel_read_file_id id)
3849 {
3850 int rc = 0;
3851
3852 switch (id) {
3853 case READING_MODULE:
3854 rc = selinux_kernel_module_from_file(file);
3855 break;
3856 default:
3857 break;
3858 }
3859
3860 return rc;
3861 }
3862
3863 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3864 {
3865 return current_has_perm(p, PROCESS__SETPGID);
3866 }
3867
3868 static int selinux_task_getpgid(struct task_struct *p)
3869 {
3870 return current_has_perm(p, PROCESS__GETPGID);
3871 }
3872
3873 static int selinux_task_getsid(struct task_struct *p)
3874 {
3875 return current_has_perm(p, PROCESS__GETSESSION);
3876 }
3877
3878 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3879 {
3880 *secid = task_sid(p);
3881 }
3882
3883 static int selinux_task_setnice(struct task_struct *p, int nice)
3884 {
3885 return current_has_perm(p, PROCESS__SETSCHED);
3886 }
3887
3888 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3889 {
3890 return current_has_perm(p, PROCESS__SETSCHED);
3891 }
3892
3893 static int selinux_task_getioprio(struct task_struct *p)
3894 {
3895 return current_has_perm(p, PROCESS__GETSCHED);
3896 }
3897
3898 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3899 struct rlimit *new_rlim)
3900 {
3901 struct rlimit *old_rlim = p->signal->rlim + resource;
3902
3903 /* Control the ability to change the hard limit (whether
3904 lowering or raising it), so that the hard limit can
3905 later be used as a safe reset point for the soft limit
3906 upon context transitions. See selinux_bprm_committing_creds. */
3907 if (old_rlim->rlim_max != new_rlim->rlim_max)
3908 return current_has_perm(p, PROCESS__SETRLIMIT);
3909
3910 return 0;
3911 }
3912
3913 static int selinux_task_setscheduler(struct task_struct *p)
3914 {
3915 return current_has_perm(p, PROCESS__SETSCHED);
3916 }
3917
3918 static int selinux_task_getscheduler(struct task_struct *p)
3919 {
3920 return current_has_perm(p, PROCESS__GETSCHED);
3921 }
3922
3923 static int selinux_task_movememory(struct task_struct *p)
3924 {
3925 return current_has_perm(p, PROCESS__SETSCHED);
3926 }
3927
3928 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3929 int sig, u32 secid)
3930 {
3931 u32 perm;
3932 int rc;
3933
3934 if (!sig)
3935 perm = PROCESS__SIGNULL; /* null signal; existence test */
3936 else
3937 perm = signal_to_av(sig);
3938 if (secid)
3939 rc = avc_has_perm(secid, task_sid(p),
3940 SECCLASS_PROCESS, perm, NULL);
3941 else
3942 rc = current_has_perm(p, perm);
3943 return rc;
3944 }
3945
3946 static int selinux_task_wait(struct task_struct *p)
3947 {
3948 return task_has_perm(p, current, PROCESS__SIGCHLD);
3949 }
3950
3951 static void selinux_task_to_inode(struct task_struct *p,
3952 struct inode *inode)
3953 {
3954 struct inode_security_struct *isec = inode->i_security;
3955 u32 sid = task_sid(p);
3956
3957 isec->sid = sid;
3958 isec->initialized = LABEL_INITIALIZED;
3959 }
3960
3961 /* Returns error only if unable to parse addresses */
3962 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3963 struct common_audit_data *ad, u8 *proto)
3964 {
3965 int offset, ihlen, ret = -EINVAL;
3966 struct iphdr _iph, *ih;
3967
3968 offset = skb_network_offset(skb);
3969 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3970 if (ih == NULL)
3971 goto out;
3972
3973 ihlen = ih->ihl * 4;
3974 if (ihlen < sizeof(_iph))
3975 goto out;
3976
3977 ad->u.net->v4info.saddr = ih->saddr;
3978 ad->u.net->v4info.daddr = ih->daddr;
3979 ret = 0;
3980
3981 if (proto)
3982 *proto = ih->protocol;
3983
3984 switch (ih->protocol) {
3985 case IPPROTO_TCP: {
3986 struct tcphdr _tcph, *th;
3987
3988 if (ntohs(ih->frag_off) & IP_OFFSET)
3989 break;
3990
3991 offset += ihlen;
3992 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3993 if (th == NULL)
3994 break;
3995
3996 ad->u.net->sport = th->source;
3997 ad->u.net->dport = th->dest;
3998 break;
3999 }
4000
4001 case IPPROTO_UDP: {
4002 struct udphdr _udph, *uh;
4003
4004 if (ntohs(ih->frag_off) & IP_OFFSET)
4005 break;
4006
4007 offset += ihlen;
4008 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4009 if (uh == NULL)
4010 break;
4011
4012 ad->u.net->sport = uh->source;
4013 ad->u.net->dport = uh->dest;
4014 break;
4015 }
4016
4017 case IPPROTO_DCCP: {
4018 struct dccp_hdr _dccph, *dh;
4019
4020 if (ntohs(ih->frag_off) & IP_OFFSET)
4021 break;
4022
4023 offset += ihlen;
4024 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4025 if (dh == NULL)
4026 break;
4027
4028 ad->u.net->sport = dh->dccph_sport;
4029 ad->u.net->dport = dh->dccph_dport;
4030 break;
4031 }
4032
4033 default:
4034 break;
4035 }
4036 out:
4037 return ret;
4038 }
4039
4040 #if IS_ENABLED(CONFIG_IPV6)
4041
4042 /* Returns error only if unable to parse addresses */
4043 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4044 struct common_audit_data *ad, u8 *proto)
4045 {
4046 u8 nexthdr;
4047 int ret = -EINVAL, offset;
4048 struct ipv6hdr _ipv6h, *ip6;
4049 __be16 frag_off;
4050
4051 offset = skb_network_offset(skb);
4052 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4053 if (ip6 == NULL)
4054 goto out;
4055
4056 ad->u.net->v6info.saddr = ip6->saddr;
4057 ad->u.net->v6info.daddr = ip6->daddr;
4058 ret = 0;
4059
4060 nexthdr = ip6->nexthdr;
4061 offset += sizeof(_ipv6h);
4062 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4063 if (offset < 0)
4064 goto out;
4065
4066 if (proto)
4067 *proto = nexthdr;
4068
4069 switch (nexthdr) {
4070 case IPPROTO_TCP: {
4071 struct tcphdr _tcph, *th;
4072
4073 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4074 if (th == NULL)
4075 break;
4076
4077 ad->u.net->sport = th->source;
4078 ad->u.net->dport = th->dest;
4079 break;
4080 }
4081
4082 case IPPROTO_UDP: {
4083 struct udphdr _udph, *uh;
4084
4085 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4086 if (uh == NULL)
4087 break;
4088
4089 ad->u.net->sport = uh->source;
4090 ad->u.net->dport = uh->dest;
4091 break;
4092 }
4093
4094 case IPPROTO_DCCP: {
4095 struct dccp_hdr _dccph, *dh;
4096
4097 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4098 if (dh == NULL)
4099 break;
4100
4101 ad->u.net->sport = dh->dccph_sport;
4102 ad->u.net->dport = dh->dccph_dport;
4103 break;
4104 }
4105
4106 /* includes fragments */
4107 default:
4108 break;
4109 }
4110 out:
4111 return ret;
4112 }
4113
4114 #endif /* IPV6 */
4115
4116 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4117 char **_addrp, int src, u8 *proto)
4118 {
4119 char *addrp;
4120 int ret;
4121
4122 switch (ad->u.net->family) {
4123 case PF_INET:
4124 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4125 if (ret)
4126 goto parse_error;
4127 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4128 &ad->u.net->v4info.daddr);
4129 goto okay;
4130
4131 #if IS_ENABLED(CONFIG_IPV6)
4132 case PF_INET6:
4133 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4134 if (ret)
4135 goto parse_error;
4136 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4137 &ad->u.net->v6info.daddr);
4138 goto okay;
4139 #endif /* IPV6 */
4140 default:
4141 addrp = NULL;
4142 goto okay;
4143 }
4144
4145 parse_error:
4146 printk(KERN_WARNING
4147 "SELinux: failure in selinux_parse_skb(),"
4148 " unable to parse packet\n");
4149 return ret;
4150
4151 okay:
4152 if (_addrp)
4153 *_addrp = addrp;
4154 return 0;
4155 }
4156
4157 /**
4158 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4159 * @skb: the packet
4160 * @family: protocol family
4161 * @sid: the packet's peer label SID
4162 *
4163 * Description:
4164 * Check the various different forms of network peer labeling and determine
4165 * the peer label/SID for the packet; most of the magic actually occurs in
4166 * the security server function security_net_peersid_cmp(). The function
4167 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4168 * or -EACCES if @sid is invalid due to inconsistencies with the different
4169 * peer labels.
4170 *
4171 */
4172 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4173 {
4174 int err;
4175 u32 xfrm_sid;
4176 u32 nlbl_sid;
4177 u32 nlbl_type;
4178
4179 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4180 if (unlikely(err))
4181 return -EACCES;
4182 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4183 if (unlikely(err))
4184 return -EACCES;
4185
4186 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4187 if (unlikely(err)) {
4188 printk(KERN_WARNING
4189 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4190 " unable to determine packet's peer label\n");
4191 return -EACCES;
4192 }
4193
4194 return 0;
4195 }
4196
4197 /**
4198 * selinux_conn_sid - Determine the child socket label for a connection
4199 * @sk_sid: the parent socket's SID
4200 * @skb_sid: the packet's SID
4201 * @conn_sid: the resulting connection SID
4202 *
4203 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4204 * combined with the MLS information from @skb_sid in order to create
4205 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4206 * of @sk_sid. Returns zero on success, negative values on failure.
4207 *
4208 */
4209 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4210 {
4211 int err = 0;
4212
4213 if (skb_sid != SECSID_NULL)
4214 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4215 else
4216 *conn_sid = sk_sid;
4217
4218 return err;
4219 }
4220
4221 /* socket security operations */
4222
4223 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4224 u16 secclass, u32 *socksid)
4225 {
4226 if (tsec->sockcreate_sid > SECSID_NULL) {
4227 *socksid = tsec->sockcreate_sid;
4228 return 0;
4229 }
4230
4231 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4232 socksid);
4233 }
4234
4235 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4236 {
4237 struct sk_security_struct *sksec = sk->sk_security;
4238 struct common_audit_data ad;
4239 struct lsm_network_audit net = {0,};
4240 u32 tsid = task_sid(task);
4241
4242 if (sksec->sid == SECINITSID_KERNEL)
4243 return 0;
4244
4245 ad.type = LSM_AUDIT_DATA_NET;
4246 ad.u.net = &net;
4247 ad.u.net->sk = sk;
4248
4249 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4250 }
4251
4252 static int selinux_socket_create(int family, int type,
4253 int protocol, int kern)
4254 {
4255 const struct task_security_struct *tsec = current_security();
4256 u32 newsid;
4257 u16 secclass;
4258 int rc;
4259
4260 if (kern)
4261 return 0;
4262
4263 secclass = socket_type_to_security_class(family, type, protocol);
4264 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4265 if (rc)
4266 return rc;
4267
4268 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4269 }
4270
4271 static int selinux_socket_post_create(struct socket *sock, int family,
4272 int type, int protocol, int kern)
4273 {
4274 const struct task_security_struct *tsec = current_security();
4275 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4276 struct sk_security_struct *sksec;
4277 int err = 0;
4278
4279 isec->sclass = socket_type_to_security_class(family, type, protocol);
4280
4281 if (kern)
4282 isec->sid = SECINITSID_KERNEL;
4283 else {
4284 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4285 if (err)
4286 return err;
4287 }
4288
4289 isec->initialized = LABEL_INITIALIZED;
4290
4291 if (sock->sk) {
4292 sksec = sock->sk->sk_security;
4293 sksec->sid = isec->sid;
4294 sksec->sclass = isec->sclass;
4295 err = selinux_netlbl_socket_post_create(sock->sk, family);
4296 }
4297
4298 return err;
4299 }
4300
4301 /* Range of port numbers used to automatically bind.
4302 Need to determine whether we should perform a name_bind
4303 permission check between the socket and the port number. */
4304
4305 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4306 {
4307 struct sock *sk = sock->sk;
4308 u16 family;
4309 int err;
4310
4311 err = sock_has_perm(current, sk, SOCKET__BIND);
4312 if (err)
4313 goto out;
4314
4315 /*
4316 * If PF_INET or PF_INET6, check name_bind permission for the port.
4317 * Multiple address binding for SCTP is not supported yet: we just
4318 * check the first address now.
4319 */
4320 family = sk->sk_family;
4321 if (family == PF_INET || family == PF_INET6) {
4322 char *addrp;
4323 struct sk_security_struct *sksec = sk->sk_security;
4324 struct common_audit_data ad;
4325 struct lsm_network_audit net = {0,};
4326 struct sockaddr_in *addr4 = NULL;
4327 struct sockaddr_in6 *addr6 = NULL;
4328 unsigned short snum;
4329 u32 sid, node_perm;
4330
4331 if (family == PF_INET) {
4332 addr4 = (struct sockaddr_in *)address;
4333 snum = ntohs(addr4->sin_port);
4334 addrp = (char *)&addr4->sin_addr.s_addr;
4335 } else {
4336 addr6 = (struct sockaddr_in6 *)address;
4337 snum = ntohs(addr6->sin6_port);
4338 addrp = (char *)&addr6->sin6_addr.s6_addr;
4339 }
4340
4341 if (snum) {
4342 int low, high;
4343
4344 inet_get_local_port_range(sock_net(sk), &low, &high);
4345
4346 if (snum < max(PROT_SOCK, low) || snum > high) {
4347 err = sel_netport_sid(sk->sk_protocol,
4348 snum, &sid);
4349 if (err)
4350 goto out;
4351 ad.type = LSM_AUDIT_DATA_NET;
4352 ad.u.net = &net;
4353 ad.u.net->sport = htons(snum);
4354 ad.u.net->family = family;
4355 err = avc_has_perm(sksec->sid, sid,
4356 sksec->sclass,
4357 SOCKET__NAME_BIND, &ad);
4358 if (err)
4359 goto out;
4360 }
4361 }
4362
4363 switch (sksec->sclass) {
4364 case SECCLASS_TCP_SOCKET:
4365 node_perm = TCP_SOCKET__NODE_BIND;
4366 break;
4367
4368 case SECCLASS_UDP_SOCKET:
4369 node_perm = UDP_SOCKET__NODE_BIND;
4370 break;
4371
4372 case SECCLASS_DCCP_SOCKET:
4373 node_perm = DCCP_SOCKET__NODE_BIND;
4374 break;
4375
4376 default:
4377 node_perm = RAWIP_SOCKET__NODE_BIND;
4378 break;
4379 }
4380
4381 err = sel_netnode_sid(addrp, family, &sid);
4382 if (err)
4383 goto out;
4384
4385 ad.type = LSM_AUDIT_DATA_NET;
4386 ad.u.net = &net;
4387 ad.u.net->sport = htons(snum);
4388 ad.u.net->family = family;
4389
4390 if (family == PF_INET)
4391 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4392 else
4393 ad.u.net->v6info.saddr = addr6->sin6_addr;
4394
4395 err = avc_has_perm(sksec->sid, sid,
4396 sksec->sclass, node_perm, &ad);
4397 if (err)
4398 goto out;
4399 }
4400 out:
4401 return err;
4402 }
4403
4404 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4405 {
4406 struct sock *sk = sock->sk;
4407 struct sk_security_struct *sksec = sk->sk_security;
4408 int err;
4409
4410 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4411 if (err)
4412 return err;
4413
4414 /*
4415 * If a TCP or DCCP socket, check name_connect permission for the port.
4416 */
4417 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4418 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4419 struct common_audit_data ad;
4420 struct lsm_network_audit net = {0,};
4421 struct sockaddr_in *addr4 = NULL;
4422 struct sockaddr_in6 *addr6 = NULL;
4423 unsigned short snum;
4424 u32 sid, perm;
4425
4426 if (sk->sk_family == PF_INET) {
4427 addr4 = (struct sockaddr_in *)address;
4428 if (addrlen < sizeof(struct sockaddr_in))
4429 return -EINVAL;
4430 snum = ntohs(addr4->sin_port);
4431 } else {
4432 addr6 = (struct sockaddr_in6 *)address;
4433 if (addrlen < SIN6_LEN_RFC2133)
4434 return -EINVAL;
4435 snum = ntohs(addr6->sin6_port);
4436 }
4437
4438 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4439 if (err)
4440 goto out;
4441
4442 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4443 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4444
4445 ad.type = LSM_AUDIT_DATA_NET;
4446 ad.u.net = &net;
4447 ad.u.net->dport = htons(snum);
4448 ad.u.net->family = sk->sk_family;
4449 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4450 if (err)
4451 goto out;
4452 }
4453
4454 err = selinux_netlbl_socket_connect(sk, address);
4455
4456 out:
4457 return err;
4458 }
4459
4460 static int selinux_socket_listen(struct socket *sock, int backlog)
4461 {
4462 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4463 }
4464
4465 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4466 {
4467 int err;
4468 struct inode_security_struct *isec;
4469 struct inode_security_struct *newisec;
4470
4471 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4472 if (err)
4473 return err;
4474
4475 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4476
4477 isec = inode_security_novalidate(SOCK_INODE(sock));
4478 newisec->sclass = isec->sclass;
4479 newisec->sid = isec->sid;
4480 newisec->initialized = LABEL_INITIALIZED;
4481
4482 return 0;
4483 }
4484
4485 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4486 int size)
4487 {
4488 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4489 }
4490
4491 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4492 int size, int flags)
4493 {
4494 return sock_has_perm(current, sock->sk, SOCKET__READ);
4495 }
4496
4497 static int selinux_socket_getsockname(struct socket *sock)
4498 {
4499 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4500 }
4501
4502 static int selinux_socket_getpeername(struct socket *sock)
4503 {
4504 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4505 }
4506
4507 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4508 {
4509 int err;
4510
4511 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4512 if (err)
4513 return err;
4514
4515 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4516 }
4517
4518 static int selinux_socket_getsockopt(struct socket *sock, int level,
4519 int optname)
4520 {
4521 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4522 }
4523
4524 static int selinux_socket_shutdown(struct socket *sock, int how)
4525 {
4526 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4527 }
4528
4529 static int selinux_socket_unix_stream_connect(struct sock *sock,
4530 struct sock *other,
4531 struct sock *newsk)
4532 {
4533 struct sk_security_struct *sksec_sock = sock->sk_security;
4534 struct sk_security_struct *sksec_other = other->sk_security;
4535 struct sk_security_struct *sksec_new = newsk->sk_security;
4536 struct common_audit_data ad;
4537 struct lsm_network_audit net = {0,};
4538 int err;
4539
4540 ad.type = LSM_AUDIT_DATA_NET;
4541 ad.u.net = &net;
4542 ad.u.net->sk = other;
4543
4544 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4545 sksec_other->sclass,
4546 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4547 if (err)
4548 return err;
4549
4550 /* server child socket */
4551 sksec_new->peer_sid = sksec_sock->sid;
4552 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4553 &sksec_new->sid);
4554 if (err)
4555 return err;
4556
4557 /* connecting socket */
4558 sksec_sock->peer_sid = sksec_new->sid;
4559
4560 return 0;
4561 }
4562
4563 static int selinux_socket_unix_may_send(struct socket *sock,
4564 struct socket *other)
4565 {
4566 struct sk_security_struct *ssec = sock->sk->sk_security;
4567 struct sk_security_struct *osec = other->sk->sk_security;
4568 struct common_audit_data ad;
4569 struct lsm_network_audit net = {0,};
4570
4571 ad.type = LSM_AUDIT_DATA_NET;
4572 ad.u.net = &net;
4573 ad.u.net->sk = other->sk;
4574
4575 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4576 &ad);
4577 }
4578
4579 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4580 char *addrp, u16 family, u32 peer_sid,
4581 struct common_audit_data *ad)
4582 {
4583 int err;
4584 u32 if_sid;
4585 u32 node_sid;
4586
4587 err = sel_netif_sid(ns, ifindex, &if_sid);
4588 if (err)
4589 return err;
4590 err = avc_has_perm(peer_sid, if_sid,
4591 SECCLASS_NETIF, NETIF__INGRESS, ad);
4592 if (err)
4593 return err;
4594
4595 err = sel_netnode_sid(addrp, family, &node_sid);
4596 if (err)
4597 return err;
4598 return avc_has_perm(peer_sid, node_sid,
4599 SECCLASS_NODE, NODE__RECVFROM, ad);
4600 }
4601
4602 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4603 u16 family)
4604 {
4605 int err = 0;
4606 struct sk_security_struct *sksec = sk->sk_security;
4607 u32 sk_sid = sksec->sid;
4608 struct common_audit_data ad;
4609 struct lsm_network_audit net = {0,};
4610 char *addrp;
4611
4612 ad.type = LSM_AUDIT_DATA_NET;
4613 ad.u.net = &net;
4614 ad.u.net->netif = skb->skb_iif;
4615 ad.u.net->family = family;
4616 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4617 if (err)
4618 return err;
4619
4620 if (selinux_secmark_enabled()) {
4621 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4622 PACKET__RECV, &ad);
4623 if (err)
4624 return err;
4625 }
4626
4627 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4628 if (err)
4629 return err;
4630 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4631
4632 return err;
4633 }
4634
4635 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4636 {
4637 int err;
4638 struct sk_security_struct *sksec = sk->sk_security;
4639 u16 family = sk->sk_family;
4640 u32 sk_sid = sksec->sid;
4641 struct common_audit_data ad;
4642 struct lsm_network_audit net = {0,};
4643 char *addrp;
4644 u8 secmark_active;
4645 u8 peerlbl_active;
4646
4647 if (family != PF_INET && family != PF_INET6)
4648 return 0;
4649
4650 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4651 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4652 family = PF_INET;
4653
4654 /* If any sort of compatibility mode is enabled then handoff processing
4655 * to the selinux_sock_rcv_skb_compat() function to deal with the
4656 * special handling. We do this in an attempt to keep this function
4657 * as fast and as clean as possible. */
4658 if (!selinux_policycap_netpeer)
4659 return selinux_sock_rcv_skb_compat(sk, skb, family);
4660
4661 secmark_active = selinux_secmark_enabled();
4662 peerlbl_active = selinux_peerlbl_enabled();
4663 if (!secmark_active && !peerlbl_active)
4664 return 0;
4665
4666 ad.type = LSM_AUDIT_DATA_NET;
4667 ad.u.net = &net;
4668 ad.u.net->netif = skb->skb_iif;
4669 ad.u.net->family = family;
4670 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4671 if (err)
4672 return err;
4673
4674 if (peerlbl_active) {
4675 u32 peer_sid;
4676
4677 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4678 if (err)
4679 return err;
4680 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4681 addrp, family, peer_sid, &ad);
4682 if (err) {
4683 selinux_netlbl_err(skb, family, err, 0);
4684 return err;
4685 }
4686 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4687 PEER__RECV, &ad);
4688 if (err) {
4689 selinux_netlbl_err(skb, family, err, 0);
4690 return err;
4691 }
4692 }
4693
4694 if (secmark_active) {
4695 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4696 PACKET__RECV, &ad);
4697 if (err)
4698 return err;
4699 }
4700
4701 return err;
4702 }
4703
4704 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4705 int __user *optlen, unsigned len)
4706 {
4707 int err = 0;
4708 char *scontext;
4709 u32 scontext_len;
4710 struct sk_security_struct *sksec = sock->sk->sk_security;
4711 u32 peer_sid = SECSID_NULL;
4712
4713 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4714 sksec->sclass == SECCLASS_TCP_SOCKET)
4715 peer_sid = sksec->peer_sid;
4716 if (peer_sid == SECSID_NULL)
4717 return -ENOPROTOOPT;
4718
4719 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4720 if (err)
4721 return err;
4722
4723 if (scontext_len > len) {
4724 err = -ERANGE;
4725 goto out_len;
4726 }
4727
4728 if (copy_to_user(optval, scontext, scontext_len))
4729 err = -EFAULT;
4730
4731 out_len:
4732 if (put_user(scontext_len, optlen))
4733 err = -EFAULT;
4734 kfree(scontext);
4735 return err;
4736 }
4737
4738 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4739 {
4740 u32 peer_secid = SECSID_NULL;
4741 u16 family;
4742 struct inode_security_struct *isec;
4743
4744 if (skb && skb->protocol == htons(ETH_P_IP))
4745 family = PF_INET;
4746 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4747 family = PF_INET6;
4748 else if (sock)
4749 family = sock->sk->sk_family;
4750 else
4751 goto out;
4752
4753 if (sock && family == PF_UNIX) {
4754 isec = inode_security_novalidate(SOCK_INODE(sock));
4755 peer_secid = isec->sid;
4756 } else if (skb)
4757 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4758
4759 out:
4760 *secid = peer_secid;
4761 if (peer_secid == SECSID_NULL)
4762 return -EINVAL;
4763 return 0;
4764 }
4765
4766 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4767 {
4768 struct sk_security_struct *sksec;
4769
4770 sksec = kzalloc(sizeof(*sksec), priority);
4771 if (!sksec)
4772 return -ENOMEM;
4773
4774 sksec->peer_sid = SECINITSID_UNLABELED;
4775 sksec->sid = SECINITSID_UNLABELED;
4776 sksec->sclass = SECCLASS_SOCKET;
4777 selinux_netlbl_sk_security_reset(sksec);
4778 sk->sk_security = sksec;
4779
4780 return 0;
4781 }
4782
4783 static void selinux_sk_free_security(struct sock *sk)
4784 {
4785 struct sk_security_struct *sksec = sk->sk_security;
4786
4787 sk->sk_security = NULL;
4788 selinux_netlbl_sk_security_free(sksec);
4789 kfree(sksec);
4790 }
4791
4792 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4793 {
4794 struct sk_security_struct *sksec = sk->sk_security;
4795 struct sk_security_struct *newsksec = newsk->sk_security;
4796
4797 newsksec->sid = sksec->sid;
4798 newsksec->peer_sid = sksec->peer_sid;
4799 newsksec->sclass = sksec->sclass;
4800
4801 selinux_netlbl_sk_security_reset(newsksec);
4802 }
4803
4804 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4805 {
4806 if (!sk)
4807 *secid = SECINITSID_ANY_SOCKET;
4808 else {
4809 struct sk_security_struct *sksec = sk->sk_security;
4810
4811 *secid = sksec->sid;
4812 }
4813 }
4814
4815 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4816 {
4817 struct inode_security_struct *isec =
4818 inode_security_novalidate(SOCK_INODE(parent));
4819 struct sk_security_struct *sksec = sk->sk_security;
4820
4821 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4822 sk->sk_family == PF_UNIX)
4823 isec->sid = sksec->sid;
4824 sksec->sclass = isec->sclass;
4825 }
4826
4827 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4828 struct request_sock *req)
4829 {
4830 struct sk_security_struct *sksec = sk->sk_security;
4831 int err;
4832 u16 family = req->rsk_ops->family;
4833 u32 connsid;
4834 u32 peersid;
4835
4836 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4837 if (err)
4838 return err;
4839 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4840 if (err)
4841 return err;
4842 req->secid = connsid;
4843 req->peer_secid = peersid;
4844
4845 return selinux_netlbl_inet_conn_request(req, family);
4846 }
4847
4848 static void selinux_inet_csk_clone(struct sock *newsk,
4849 const struct request_sock *req)
4850 {
4851 struct sk_security_struct *newsksec = newsk->sk_security;
4852
4853 newsksec->sid = req->secid;
4854 newsksec->peer_sid = req->peer_secid;
4855 /* NOTE: Ideally, we should also get the isec->sid for the
4856 new socket in sync, but we don't have the isec available yet.
4857 So we will wait until sock_graft to do it, by which
4858 time it will have been created and available. */
4859
4860 /* We don't need to take any sort of lock here as we are the only
4861 * thread with access to newsksec */
4862 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4863 }
4864
4865 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4866 {
4867 u16 family = sk->sk_family;
4868 struct sk_security_struct *sksec = sk->sk_security;
4869
4870 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4871 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4872 family = PF_INET;
4873
4874 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4875 }
4876
4877 static int selinux_secmark_relabel_packet(u32 sid)
4878 {
4879 const struct task_security_struct *__tsec;
4880 u32 tsid;
4881
4882 __tsec = current_security();
4883 tsid = __tsec->sid;
4884
4885 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4886 }
4887
4888 static void selinux_secmark_refcount_inc(void)
4889 {
4890 atomic_inc(&selinux_secmark_refcount);
4891 }
4892
4893 static void selinux_secmark_refcount_dec(void)
4894 {
4895 atomic_dec(&selinux_secmark_refcount);
4896 }
4897
4898 static void selinux_req_classify_flow(const struct request_sock *req,
4899 struct flowi *fl)
4900 {
4901 fl->flowi_secid = req->secid;
4902 }
4903
4904 static int selinux_tun_dev_alloc_security(void **security)
4905 {
4906 struct tun_security_struct *tunsec;
4907
4908 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4909 if (!tunsec)
4910 return -ENOMEM;
4911 tunsec->sid = current_sid();
4912
4913 *security = tunsec;
4914 return 0;
4915 }
4916
4917 static void selinux_tun_dev_free_security(void *security)
4918 {
4919 kfree(security);
4920 }
4921
4922 static int selinux_tun_dev_create(void)
4923 {
4924 u32 sid = current_sid();
4925
4926 /* we aren't taking into account the "sockcreate" SID since the socket
4927 * that is being created here is not a socket in the traditional sense,
4928 * instead it is a private sock, accessible only to the kernel, and
4929 * representing a wide range of network traffic spanning multiple
4930 * connections unlike traditional sockets - check the TUN driver to
4931 * get a better understanding of why this socket is special */
4932
4933 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4934 NULL);
4935 }
4936
4937 static int selinux_tun_dev_attach_queue(void *security)
4938 {
4939 struct tun_security_struct *tunsec = security;
4940
4941 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4942 TUN_SOCKET__ATTACH_QUEUE, NULL);
4943 }
4944
4945 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4946 {
4947 struct tun_security_struct *tunsec = security;
4948 struct sk_security_struct *sksec = sk->sk_security;
4949
4950 /* we don't currently perform any NetLabel based labeling here and it
4951 * isn't clear that we would want to do so anyway; while we could apply
4952 * labeling without the support of the TUN user the resulting labeled
4953 * traffic from the other end of the connection would almost certainly
4954 * cause confusion to the TUN user that had no idea network labeling
4955 * protocols were being used */
4956
4957 sksec->sid = tunsec->sid;
4958 sksec->sclass = SECCLASS_TUN_SOCKET;
4959
4960 return 0;
4961 }
4962
4963 static int selinux_tun_dev_open(void *security)
4964 {
4965 struct tun_security_struct *tunsec = security;
4966 u32 sid = current_sid();
4967 int err;
4968
4969 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4970 TUN_SOCKET__RELABELFROM, NULL);
4971 if (err)
4972 return err;
4973 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4974 TUN_SOCKET__RELABELTO, NULL);
4975 if (err)
4976 return err;
4977 tunsec->sid = sid;
4978
4979 return 0;
4980 }
4981
4982 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4983 {
4984 int err = 0;
4985 u32 perm;
4986 struct nlmsghdr *nlh;
4987 struct sk_security_struct *sksec = sk->sk_security;
4988
4989 if (skb->len < NLMSG_HDRLEN) {
4990 err = -EINVAL;
4991 goto out;
4992 }
4993 nlh = nlmsg_hdr(skb);
4994
4995 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4996 if (err) {
4997 if (err == -EINVAL) {
4998 pr_warn_ratelimited("SELinux: unrecognized netlink"
4999 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5000 " pig=%d comm=%s\n",
5001 sk->sk_protocol, nlh->nlmsg_type,
5002 secclass_map[sksec->sclass - 1].name,
5003 task_pid_nr(current), current->comm);
5004 if (!selinux_enforcing || security_get_allow_unknown())
5005 err = 0;
5006 }
5007
5008 /* Ignore */
5009 if (err == -ENOENT)
5010 err = 0;
5011 goto out;
5012 }
5013
5014 err = sock_has_perm(current, sk, perm);
5015 out:
5016 return err;
5017 }
5018
5019 #ifdef CONFIG_NETFILTER
5020
5021 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5022 const struct net_device *indev,
5023 u16 family)
5024 {
5025 int err;
5026 char *addrp;
5027 u32 peer_sid;
5028 struct common_audit_data ad;
5029 struct lsm_network_audit net = {0,};
5030 u8 secmark_active;
5031 u8 netlbl_active;
5032 u8 peerlbl_active;
5033
5034 if (!selinux_policycap_netpeer)
5035 return NF_ACCEPT;
5036
5037 secmark_active = selinux_secmark_enabled();
5038 netlbl_active = netlbl_enabled();
5039 peerlbl_active = selinux_peerlbl_enabled();
5040 if (!secmark_active && !peerlbl_active)
5041 return NF_ACCEPT;
5042
5043 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5044 return NF_DROP;
5045
5046 ad.type = LSM_AUDIT_DATA_NET;
5047 ad.u.net = &net;
5048 ad.u.net->netif = indev->ifindex;
5049 ad.u.net->family = family;
5050 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5051 return NF_DROP;
5052
5053 if (peerlbl_active) {
5054 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5055 addrp, family, peer_sid, &ad);
5056 if (err) {
5057 selinux_netlbl_err(skb, family, err, 1);
5058 return NF_DROP;
5059 }
5060 }
5061
5062 if (secmark_active)
5063 if (avc_has_perm(peer_sid, skb->secmark,
5064 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5065 return NF_DROP;
5066
5067 if (netlbl_active)
5068 /* we do this in the FORWARD path and not the POST_ROUTING
5069 * path because we want to make sure we apply the necessary
5070 * labeling before IPsec is applied so we can leverage AH
5071 * protection */
5072 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5073 return NF_DROP;
5074
5075 return NF_ACCEPT;
5076 }
5077
5078 static unsigned int selinux_ipv4_forward(void *priv,
5079 struct sk_buff *skb,
5080 const struct nf_hook_state *state)
5081 {
5082 return selinux_ip_forward(skb, state->in, PF_INET);
5083 }
5084
5085 #if IS_ENABLED(CONFIG_IPV6)
5086 static unsigned int selinux_ipv6_forward(void *priv,
5087 struct sk_buff *skb,
5088 const struct nf_hook_state *state)
5089 {
5090 return selinux_ip_forward(skb, state->in, PF_INET6);
5091 }
5092 #endif /* IPV6 */
5093
5094 static unsigned int selinux_ip_output(struct sk_buff *skb,
5095 u16 family)
5096 {
5097 struct sock *sk;
5098 u32 sid;
5099
5100 if (!netlbl_enabled())
5101 return NF_ACCEPT;
5102
5103 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5104 * because we want to make sure we apply the necessary labeling
5105 * before IPsec is applied so we can leverage AH protection */
5106 sk = skb->sk;
5107 if (sk) {
5108 struct sk_security_struct *sksec;
5109
5110 if (sk_listener(sk))
5111 /* if the socket is the listening state then this
5112 * packet is a SYN-ACK packet which means it needs to
5113 * be labeled based on the connection/request_sock and
5114 * not the parent socket. unfortunately, we can't
5115 * lookup the request_sock yet as it isn't queued on
5116 * the parent socket until after the SYN-ACK is sent.
5117 * the "solution" is to simply pass the packet as-is
5118 * as any IP option based labeling should be copied
5119 * from the initial connection request (in the IP
5120 * layer). it is far from ideal, but until we get a
5121 * security label in the packet itself this is the
5122 * best we can do. */
5123 return NF_ACCEPT;
5124
5125 /* standard practice, label using the parent socket */
5126 sksec = sk->sk_security;
5127 sid = sksec->sid;
5128 } else
5129 sid = SECINITSID_KERNEL;
5130 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5131 return NF_DROP;
5132
5133 return NF_ACCEPT;
5134 }
5135
5136 static unsigned int selinux_ipv4_output(void *priv,
5137 struct sk_buff *skb,
5138 const struct nf_hook_state *state)
5139 {
5140 return selinux_ip_output(skb, PF_INET);
5141 }
5142
5143 #if IS_ENABLED(CONFIG_IPV6)
5144 static unsigned int selinux_ipv6_output(void *priv,
5145 struct sk_buff *skb,
5146 const struct nf_hook_state *state)
5147 {
5148 return selinux_ip_output(skb, PF_INET6);
5149 }
5150 #endif /* IPV6 */
5151
5152 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5153 int ifindex,
5154 u16 family)
5155 {
5156 struct sock *sk = skb_to_full_sk(skb);
5157 struct sk_security_struct *sksec;
5158 struct common_audit_data ad;
5159 struct lsm_network_audit net = {0,};
5160 char *addrp;
5161 u8 proto;
5162
5163 if (sk == NULL)
5164 return NF_ACCEPT;
5165 sksec = sk->sk_security;
5166
5167 ad.type = LSM_AUDIT_DATA_NET;
5168 ad.u.net = &net;
5169 ad.u.net->netif = ifindex;
5170 ad.u.net->family = family;
5171 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5172 return NF_DROP;
5173
5174 if (selinux_secmark_enabled())
5175 if (avc_has_perm(sksec->sid, skb->secmark,
5176 SECCLASS_PACKET, PACKET__SEND, &ad))
5177 return NF_DROP_ERR(-ECONNREFUSED);
5178
5179 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5180 return NF_DROP_ERR(-ECONNREFUSED);
5181
5182 return NF_ACCEPT;
5183 }
5184
5185 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5186 const struct net_device *outdev,
5187 u16 family)
5188 {
5189 u32 secmark_perm;
5190 u32 peer_sid;
5191 int ifindex = outdev->ifindex;
5192 struct sock *sk;
5193 struct common_audit_data ad;
5194 struct lsm_network_audit net = {0,};
5195 char *addrp;
5196 u8 secmark_active;
5197 u8 peerlbl_active;
5198
5199 /* If any sort of compatibility mode is enabled then handoff processing
5200 * to the selinux_ip_postroute_compat() function to deal with the
5201 * special handling. We do this in an attempt to keep this function
5202 * as fast and as clean as possible. */
5203 if (!selinux_policycap_netpeer)
5204 return selinux_ip_postroute_compat(skb, ifindex, family);
5205
5206 secmark_active = selinux_secmark_enabled();
5207 peerlbl_active = selinux_peerlbl_enabled();
5208 if (!secmark_active && !peerlbl_active)
5209 return NF_ACCEPT;
5210
5211 sk = skb_to_full_sk(skb);
5212
5213 #ifdef CONFIG_XFRM
5214 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5215 * packet transformation so allow the packet to pass without any checks
5216 * since we'll have another chance to perform access control checks
5217 * when the packet is on it's final way out.
5218 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5219 * is NULL, in this case go ahead and apply access control.
5220 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5221 * TCP listening state we cannot wait until the XFRM processing
5222 * is done as we will miss out on the SA label if we do;
5223 * unfortunately, this means more work, but it is only once per
5224 * connection. */
5225 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5226 !(sk && sk_listener(sk)))
5227 return NF_ACCEPT;
5228 #endif
5229
5230 if (sk == NULL) {
5231 /* Without an associated socket the packet is either coming
5232 * from the kernel or it is being forwarded; check the packet
5233 * to determine which and if the packet is being forwarded
5234 * query the packet directly to determine the security label. */
5235 if (skb->skb_iif) {
5236 secmark_perm = PACKET__FORWARD_OUT;
5237 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5238 return NF_DROP;
5239 } else {
5240 secmark_perm = PACKET__SEND;
5241 peer_sid = SECINITSID_KERNEL;
5242 }
5243 } else if (sk_listener(sk)) {
5244 /* Locally generated packet but the associated socket is in the
5245 * listening state which means this is a SYN-ACK packet. In
5246 * this particular case the correct security label is assigned
5247 * to the connection/request_sock but unfortunately we can't
5248 * query the request_sock as it isn't queued on the parent
5249 * socket until after the SYN-ACK packet is sent; the only
5250 * viable choice is to regenerate the label like we do in
5251 * selinux_inet_conn_request(). See also selinux_ip_output()
5252 * for similar problems. */
5253 u32 skb_sid;
5254 struct sk_security_struct *sksec;
5255
5256 sksec = sk->sk_security;
5257 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5258 return NF_DROP;
5259 /* At this point, if the returned skb peerlbl is SECSID_NULL
5260 * and the packet has been through at least one XFRM
5261 * transformation then we must be dealing with the "final"
5262 * form of labeled IPsec packet; since we've already applied
5263 * all of our access controls on this packet we can safely
5264 * pass the packet. */
5265 if (skb_sid == SECSID_NULL) {
5266 switch (family) {
5267 case PF_INET:
5268 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5269 return NF_ACCEPT;
5270 break;
5271 case PF_INET6:
5272 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5273 return NF_ACCEPT;
5274 break;
5275 default:
5276 return NF_DROP_ERR(-ECONNREFUSED);
5277 }
5278 }
5279 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5280 return NF_DROP;
5281 secmark_perm = PACKET__SEND;
5282 } else {
5283 /* Locally generated packet, fetch the security label from the
5284 * associated socket. */
5285 struct sk_security_struct *sksec = sk->sk_security;
5286 peer_sid = sksec->sid;
5287 secmark_perm = PACKET__SEND;
5288 }
5289
5290 ad.type = LSM_AUDIT_DATA_NET;
5291 ad.u.net = &net;
5292 ad.u.net->netif = ifindex;
5293 ad.u.net->family = family;
5294 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5295 return NF_DROP;
5296
5297 if (secmark_active)
5298 if (avc_has_perm(peer_sid, skb->secmark,
5299 SECCLASS_PACKET, secmark_perm, &ad))
5300 return NF_DROP_ERR(-ECONNREFUSED);
5301
5302 if (peerlbl_active) {
5303 u32 if_sid;
5304 u32 node_sid;
5305
5306 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5307 return NF_DROP;
5308 if (avc_has_perm(peer_sid, if_sid,
5309 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5310 return NF_DROP_ERR(-ECONNREFUSED);
5311
5312 if (sel_netnode_sid(addrp, family, &node_sid))
5313 return NF_DROP;
5314 if (avc_has_perm(peer_sid, node_sid,
5315 SECCLASS_NODE, NODE__SENDTO, &ad))
5316 return NF_DROP_ERR(-ECONNREFUSED);
5317 }
5318
5319 return NF_ACCEPT;
5320 }
5321
5322 static unsigned int selinux_ipv4_postroute(void *priv,
5323 struct sk_buff *skb,
5324 const struct nf_hook_state *state)
5325 {
5326 return selinux_ip_postroute(skb, state->out, PF_INET);
5327 }
5328
5329 #if IS_ENABLED(CONFIG_IPV6)
5330 static unsigned int selinux_ipv6_postroute(void *priv,
5331 struct sk_buff *skb,
5332 const struct nf_hook_state *state)
5333 {
5334 return selinux_ip_postroute(skb, state->out, PF_INET6);
5335 }
5336 #endif /* IPV6 */
5337
5338 #endif /* CONFIG_NETFILTER */
5339
5340 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5341 {
5342 return selinux_nlmsg_perm(sk, skb);
5343 }
5344
5345 static int ipc_alloc_security(struct task_struct *task,
5346 struct kern_ipc_perm *perm,
5347 u16 sclass)
5348 {
5349 struct ipc_security_struct *isec;
5350 u32 sid;
5351
5352 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5353 if (!isec)
5354 return -ENOMEM;
5355
5356 sid = task_sid(task);
5357 isec->sclass = sclass;
5358 isec->sid = sid;
5359 perm->security = isec;
5360
5361 return 0;
5362 }
5363
5364 static void ipc_free_security(struct kern_ipc_perm *perm)
5365 {
5366 struct ipc_security_struct *isec = perm->security;
5367 perm->security = NULL;
5368 kfree(isec);
5369 }
5370
5371 static int msg_msg_alloc_security(struct msg_msg *msg)
5372 {
5373 struct msg_security_struct *msec;
5374
5375 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5376 if (!msec)
5377 return -ENOMEM;
5378
5379 msec->sid = SECINITSID_UNLABELED;
5380 msg->security = msec;
5381
5382 return 0;
5383 }
5384
5385 static void msg_msg_free_security(struct msg_msg *msg)
5386 {
5387 struct msg_security_struct *msec = msg->security;
5388
5389 msg->security = NULL;
5390 kfree(msec);
5391 }
5392
5393 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5394 u32 perms)
5395 {
5396 struct ipc_security_struct *isec;
5397 struct common_audit_data ad;
5398 u32 sid = current_sid();
5399
5400 isec = ipc_perms->security;
5401
5402 ad.type = LSM_AUDIT_DATA_IPC;
5403 ad.u.ipc_id = ipc_perms->key;
5404
5405 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5406 }
5407
5408 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5409 {
5410 return msg_msg_alloc_security(msg);
5411 }
5412
5413 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5414 {
5415 msg_msg_free_security(msg);
5416 }
5417
5418 /* message queue security operations */
5419 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5420 {
5421 struct ipc_security_struct *isec;
5422 struct common_audit_data ad;
5423 u32 sid = current_sid();
5424 int rc;
5425
5426 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5427 if (rc)
5428 return rc;
5429
5430 isec = msq->q_perm.security;
5431
5432 ad.type = LSM_AUDIT_DATA_IPC;
5433 ad.u.ipc_id = msq->q_perm.key;
5434
5435 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5436 MSGQ__CREATE, &ad);
5437 if (rc) {
5438 ipc_free_security(&msq->q_perm);
5439 return rc;
5440 }
5441 return 0;
5442 }
5443
5444 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5445 {
5446 ipc_free_security(&msq->q_perm);
5447 }
5448
5449 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5450 {
5451 struct ipc_security_struct *isec;
5452 struct common_audit_data ad;
5453 u32 sid = current_sid();
5454
5455 isec = msq->q_perm.security;
5456
5457 ad.type = LSM_AUDIT_DATA_IPC;
5458 ad.u.ipc_id = msq->q_perm.key;
5459
5460 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5461 MSGQ__ASSOCIATE, &ad);
5462 }
5463
5464 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5465 {
5466 int err;
5467 int perms;
5468
5469 switch (cmd) {
5470 case IPC_INFO:
5471 case MSG_INFO:
5472 /* No specific object, just general system-wide information. */
5473 return task_has_system(current, SYSTEM__IPC_INFO);
5474 case IPC_STAT:
5475 case MSG_STAT:
5476 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5477 break;
5478 case IPC_SET:
5479 perms = MSGQ__SETATTR;
5480 break;
5481 case IPC_RMID:
5482 perms = MSGQ__DESTROY;
5483 break;
5484 default:
5485 return 0;
5486 }
5487
5488 err = ipc_has_perm(&msq->q_perm, perms);
5489 return err;
5490 }
5491
5492 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5493 {
5494 struct ipc_security_struct *isec;
5495 struct msg_security_struct *msec;
5496 struct common_audit_data ad;
5497 u32 sid = current_sid();
5498 int rc;
5499
5500 isec = msq->q_perm.security;
5501 msec = msg->security;
5502
5503 /*
5504 * First time through, need to assign label to the message
5505 */
5506 if (msec->sid == SECINITSID_UNLABELED) {
5507 /*
5508 * Compute new sid based on current process and
5509 * message queue this message will be stored in
5510 */
5511 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5512 NULL, &msec->sid);
5513 if (rc)
5514 return rc;
5515 }
5516
5517 ad.type = LSM_AUDIT_DATA_IPC;
5518 ad.u.ipc_id = msq->q_perm.key;
5519
5520 /* Can this process write to the queue? */
5521 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5522 MSGQ__WRITE, &ad);
5523 if (!rc)
5524 /* Can this process send the message */
5525 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5526 MSG__SEND, &ad);
5527 if (!rc)
5528 /* Can the message be put in the queue? */
5529 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5530 MSGQ__ENQUEUE, &ad);
5531
5532 return rc;
5533 }
5534
5535 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5536 struct task_struct *target,
5537 long type, int mode)
5538 {
5539 struct ipc_security_struct *isec;
5540 struct msg_security_struct *msec;
5541 struct common_audit_data ad;
5542 u32 sid = task_sid(target);
5543 int rc;
5544
5545 isec = msq->q_perm.security;
5546 msec = msg->security;
5547
5548 ad.type = LSM_AUDIT_DATA_IPC;
5549 ad.u.ipc_id = msq->q_perm.key;
5550
5551 rc = avc_has_perm(sid, isec->sid,
5552 SECCLASS_MSGQ, MSGQ__READ, &ad);
5553 if (!rc)
5554 rc = avc_has_perm(sid, msec->sid,
5555 SECCLASS_MSG, MSG__RECEIVE, &ad);
5556 return rc;
5557 }
5558
5559 /* Shared Memory security operations */
5560 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5561 {
5562 struct ipc_security_struct *isec;
5563 struct common_audit_data ad;
5564 u32 sid = current_sid();
5565 int rc;
5566
5567 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5568 if (rc)
5569 return rc;
5570
5571 isec = shp->shm_perm.security;
5572
5573 ad.type = LSM_AUDIT_DATA_IPC;
5574 ad.u.ipc_id = shp->shm_perm.key;
5575
5576 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5577 SHM__CREATE, &ad);
5578 if (rc) {
5579 ipc_free_security(&shp->shm_perm);
5580 return rc;
5581 }
5582 return 0;
5583 }
5584
5585 static void selinux_shm_free_security(struct shmid_kernel *shp)
5586 {
5587 ipc_free_security(&shp->shm_perm);
5588 }
5589
5590 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5591 {
5592 struct ipc_security_struct *isec;
5593 struct common_audit_data ad;
5594 u32 sid = current_sid();
5595
5596 isec = shp->shm_perm.security;
5597
5598 ad.type = LSM_AUDIT_DATA_IPC;
5599 ad.u.ipc_id = shp->shm_perm.key;
5600
5601 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5602 SHM__ASSOCIATE, &ad);
5603 }
5604
5605 /* Note, at this point, shp is locked down */
5606 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5607 {
5608 int perms;
5609 int err;
5610
5611 switch (cmd) {
5612 case IPC_INFO:
5613 case SHM_INFO:
5614 /* No specific object, just general system-wide information. */
5615 return task_has_system(current, SYSTEM__IPC_INFO);
5616 case IPC_STAT:
5617 case SHM_STAT:
5618 perms = SHM__GETATTR | SHM__ASSOCIATE;
5619 break;
5620 case IPC_SET:
5621 perms = SHM__SETATTR;
5622 break;
5623 case SHM_LOCK:
5624 case SHM_UNLOCK:
5625 perms = SHM__LOCK;
5626 break;
5627 case IPC_RMID:
5628 perms = SHM__DESTROY;
5629 break;
5630 default:
5631 return 0;
5632 }
5633
5634 err = ipc_has_perm(&shp->shm_perm, perms);
5635 return err;
5636 }
5637
5638 static int selinux_shm_shmat(struct shmid_kernel *shp,
5639 char __user *shmaddr, int shmflg)
5640 {
5641 u32 perms;
5642
5643 if (shmflg & SHM_RDONLY)
5644 perms = SHM__READ;
5645 else
5646 perms = SHM__READ | SHM__WRITE;
5647
5648 return ipc_has_perm(&shp->shm_perm, perms);
5649 }
5650
5651 /* Semaphore security operations */
5652 static int selinux_sem_alloc_security(struct sem_array *sma)
5653 {
5654 struct ipc_security_struct *isec;
5655 struct common_audit_data ad;
5656 u32 sid = current_sid();
5657 int rc;
5658
5659 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5660 if (rc)
5661 return rc;
5662
5663 isec = sma->sem_perm.security;
5664
5665 ad.type = LSM_AUDIT_DATA_IPC;
5666 ad.u.ipc_id = sma->sem_perm.key;
5667
5668 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5669 SEM__CREATE, &ad);
5670 if (rc) {
5671 ipc_free_security(&sma->sem_perm);
5672 return rc;
5673 }
5674 return 0;
5675 }
5676
5677 static void selinux_sem_free_security(struct sem_array *sma)
5678 {
5679 ipc_free_security(&sma->sem_perm);
5680 }
5681
5682 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5683 {
5684 struct ipc_security_struct *isec;
5685 struct common_audit_data ad;
5686 u32 sid = current_sid();
5687
5688 isec = sma->sem_perm.security;
5689
5690 ad.type = LSM_AUDIT_DATA_IPC;
5691 ad.u.ipc_id = sma->sem_perm.key;
5692
5693 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5694 SEM__ASSOCIATE, &ad);
5695 }
5696
5697 /* Note, at this point, sma is locked down */
5698 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5699 {
5700 int err;
5701 u32 perms;
5702
5703 switch (cmd) {
5704 case IPC_INFO:
5705 case SEM_INFO:
5706 /* No specific object, just general system-wide information. */
5707 return task_has_system(current, SYSTEM__IPC_INFO);
5708 case GETPID:
5709 case GETNCNT:
5710 case GETZCNT:
5711 perms = SEM__GETATTR;
5712 break;
5713 case GETVAL:
5714 case GETALL:
5715 perms = SEM__READ;
5716 break;
5717 case SETVAL:
5718 case SETALL:
5719 perms = SEM__WRITE;
5720 break;
5721 case IPC_RMID:
5722 perms = SEM__DESTROY;
5723 break;
5724 case IPC_SET:
5725 perms = SEM__SETATTR;
5726 break;
5727 case IPC_STAT:
5728 case SEM_STAT:
5729 perms = SEM__GETATTR | SEM__ASSOCIATE;
5730 break;
5731 default:
5732 return 0;
5733 }
5734
5735 err = ipc_has_perm(&sma->sem_perm, perms);
5736 return err;
5737 }
5738
5739 static int selinux_sem_semop(struct sem_array *sma,
5740 struct sembuf *sops, unsigned nsops, int alter)
5741 {
5742 u32 perms;
5743
5744 if (alter)
5745 perms = SEM__READ | SEM__WRITE;
5746 else
5747 perms = SEM__READ;
5748
5749 return ipc_has_perm(&sma->sem_perm, perms);
5750 }
5751
5752 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5753 {
5754 u32 av = 0;
5755
5756 av = 0;
5757 if (flag & S_IRUGO)
5758 av |= IPC__UNIX_READ;
5759 if (flag & S_IWUGO)
5760 av |= IPC__UNIX_WRITE;
5761
5762 if (av == 0)
5763 return 0;
5764
5765 return ipc_has_perm(ipcp, av);
5766 }
5767
5768 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5769 {
5770 struct ipc_security_struct *isec = ipcp->security;
5771 *secid = isec->sid;
5772 }
5773
5774 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5775 {
5776 if (inode)
5777 inode_doinit_with_dentry(inode, dentry);
5778 }
5779
5780 static int selinux_getprocattr(struct task_struct *p,
5781 char *name, char **value)
5782 {
5783 const struct task_security_struct *__tsec;
5784 u32 sid;
5785 int error;
5786 unsigned len;
5787
5788 if (current != p) {
5789 error = current_has_perm(p, PROCESS__GETATTR);
5790 if (error)
5791 return error;
5792 }
5793
5794 rcu_read_lock();
5795 __tsec = __task_cred(p)->security;
5796
5797 if (!strcmp(name, "current"))
5798 sid = __tsec->sid;
5799 else if (!strcmp(name, "prev"))
5800 sid = __tsec->osid;
5801 else if (!strcmp(name, "exec"))
5802 sid = __tsec->exec_sid;
5803 else if (!strcmp(name, "fscreate"))
5804 sid = __tsec->create_sid;
5805 else if (!strcmp(name, "keycreate"))
5806 sid = __tsec->keycreate_sid;
5807 else if (!strcmp(name, "sockcreate"))
5808 sid = __tsec->sockcreate_sid;
5809 else
5810 goto invalid;
5811 rcu_read_unlock();
5812
5813 if (!sid)
5814 return 0;
5815
5816 error = security_sid_to_context(sid, value, &len);
5817 if (error)
5818 return error;
5819 return len;
5820
5821 invalid:
5822 rcu_read_unlock();
5823 return -EINVAL;
5824 }
5825
5826 static int selinux_setprocattr(struct task_struct *p,
5827 char *name, void *value, size_t size)
5828 {
5829 struct task_security_struct *tsec;
5830 struct cred *new;
5831 u32 sid = 0, ptsid;
5832 int error;
5833 char *str = value;
5834
5835 if (current != p) {
5836 /* SELinux only allows a process to change its own
5837 security attributes. */
5838 return -EACCES;
5839 }
5840
5841 /*
5842 * Basic control over ability to set these attributes at all.
5843 * current == p, but we'll pass them separately in case the
5844 * above restriction is ever removed.
5845 */
5846 if (!strcmp(name, "exec"))
5847 error = current_has_perm(p, PROCESS__SETEXEC);
5848 else if (!strcmp(name, "fscreate"))
5849 error = current_has_perm(p, PROCESS__SETFSCREATE);
5850 else if (!strcmp(name, "keycreate"))
5851 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5852 else if (!strcmp(name, "sockcreate"))
5853 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5854 else if (!strcmp(name, "current"))
5855 error = current_has_perm(p, PROCESS__SETCURRENT);
5856 else
5857 error = -EINVAL;
5858 if (error)
5859 return error;
5860
5861 /* Obtain a SID for the context, if one was specified. */
5862 if (size && str[1] && str[1] != '\n') {
5863 if (str[size-1] == '\n') {
5864 str[size-1] = 0;
5865 size--;
5866 }
5867 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5868 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5869 if (!capable(CAP_MAC_ADMIN)) {
5870 struct audit_buffer *ab;
5871 size_t audit_size;
5872
5873 /* We strip a nul only if it is at the end, otherwise the
5874 * context contains a nul and we should audit that */
5875 if (str[size - 1] == '\0')
5876 audit_size = size - 1;
5877 else
5878 audit_size = size;
5879 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5880 audit_log_format(ab, "op=fscreate invalid_context=");
5881 audit_log_n_untrustedstring(ab, value, audit_size);
5882 audit_log_end(ab);
5883
5884 return error;
5885 }
5886 error = security_context_to_sid_force(value, size,
5887 &sid);
5888 }
5889 if (error)
5890 return error;
5891 }
5892
5893 new = prepare_creds();
5894 if (!new)
5895 return -ENOMEM;
5896
5897 /* Permission checking based on the specified context is
5898 performed during the actual operation (execve,
5899 open/mkdir/...), when we know the full context of the
5900 operation. See selinux_bprm_set_creds for the execve
5901 checks and may_create for the file creation checks. The
5902 operation will then fail if the context is not permitted. */
5903 tsec = new->security;
5904 if (!strcmp(name, "exec")) {
5905 tsec->exec_sid = sid;
5906 } else if (!strcmp(name, "fscreate")) {
5907 tsec->create_sid = sid;
5908 } else if (!strcmp(name, "keycreate")) {
5909 error = may_create_key(sid, p);
5910 if (error)
5911 goto abort_change;
5912 tsec->keycreate_sid = sid;
5913 } else if (!strcmp(name, "sockcreate")) {
5914 tsec->sockcreate_sid = sid;
5915 } else if (!strcmp(name, "current")) {
5916 error = -EINVAL;
5917 if (sid == 0)
5918 goto abort_change;
5919
5920 /* Only allow single threaded processes to change context */
5921 error = -EPERM;
5922 if (!current_is_single_threaded()) {
5923 error = security_bounded_transition(tsec->sid, sid);
5924 if (error)
5925 goto abort_change;
5926 }
5927
5928 /* Check permissions for the transition. */
5929 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5930 PROCESS__DYNTRANSITION, NULL);
5931 if (error)
5932 goto abort_change;
5933
5934 /* Check for ptracing, and update the task SID if ok.
5935 Otherwise, leave SID unchanged and fail. */
5936 ptsid = ptrace_parent_sid(p);
5937 if (ptsid != 0) {
5938 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5939 PROCESS__PTRACE, NULL);
5940 if (error)
5941 goto abort_change;
5942 }
5943
5944 tsec->sid = sid;
5945 } else {
5946 error = -EINVAL;
5947 goto abort_change;
5948 }
5949
5950 commit_creds(new);
5951 return size;
5952
5953 abort_change:
5954 abort_creds(new);
5955 return error;
5956 }
5957
5958 static int selinux_ismaclabel(const char *name)
5959 {
5960 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5961 }
5962
5963 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5964 {
5965 return security_sid_to_context(secid, secdata, seclen);
5966 }
5967
5968 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5969 {
5970 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5971 }
5972
5973 static void selinux_release_secctx(char *secdata, u32 seclen)
5974 {
5975 kfree(secdata);
5976 }
5977
5978 static void selinux_inode_invalidate_secctx(struct inode *inode)
5979 {
5980 struct inode_security_struct *isec = inode->i_security;
5981
5982 mutex_lock(&isec->lock);
5983 isec->initialized = LABEL_INVALID;
5984 mutex_unlock(&isec->lock);
5985 }
5986
5987 /*
5988 * called with inode->i_mutex locked
5989 */
5990 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5991 {
5992 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5993 }
5994
5995 /*
5996 * called with inode->i_mutex locked
5997 */
5998 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5999 {
6000 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6001 }
6002
6003 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6004 {
6005 int len = 0;
6006 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6007 ctx, true);
6008 if (len < 0)
6009 return len;
6010 *ctxlen = len;
6011 return 0;
6012 }
6013 #ifdef CONFIG_KEYS
6014
6015 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6016 unsigned long flags)
6017 {
6018 const struct task_security_struct *tsec;
6019 struct key_security_struct *ksec;
6020
6021 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6022 if (!ksec)
6023 return -ENOMEM;
6024
6025 tsec = cred->security;
6026 if (tsec->keycreate_sid)
6027 ksec->sid = tsec->keycreate_sid;
6028 else
6029 ksec->sid = tsec->sid;
6030
6031 k->security = ksec;
6032 return 0;
6033 }
6034
6035 static void selinux_key_free(struct key *k)
6036 {
6037 struct key_security_struct *ksec = k->security;
6038
6039 k->security = NULL;
6040 kfree(ksec);
6041 }
6042
6043 static int selinux_key_permission(key_ref_t key_ref,
6044 const struct cred *cred,
6045 unsigned perm)
6046 {
6047 struct key *key;
6048 struct key_security_struct *ksec;
6049 u32 sid;
6050
6051 /* if no specific permissions are requested, we skip the
6052 permission check. No serious, additional covert channels
6053 appear to be created. */
6054 if (perm == 0)
6055 return 0;
6056
6057 sid = cred_sid(cred);
6058
6059 key = key_ref_to_ptr(key_ref);
6060 ksec = key->security;
6061
6062 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6063 }
6064
6065 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6066 {
6067 struct key_security_struct *ksec = key->security;
6068 char *context = NULL;
6069 unsigned len;
6070 int rc;
6071
6072 rc = security_sid_to_context(ksec->sid, &context, &len);
6073 if (!rc)
6074 rc = len;
6075 *_buffer = context;
6076 return rc;
6077 }
6078
6079 #endif
6080
6081 static struct security_hook_list selinux_hooks[] = {
6082 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6083 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6084 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6085 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6086
6087 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6088 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6089 LSM_HOOK_INIT(capget, selinux_capget),
6090 LSM_HOOK_INIT(capset, selinux_capset),
6091 LSM_HOOK_INIT(capable, selinux_capable),
6092 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6093 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6094 LSM_HOOK_INIT(syslog, selinux_syslog),
6095 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6096
6097 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6098
6099 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6100 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6101 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6102 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6103
6104 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6105 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6106 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6107 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6108 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6109 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6110 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6111 LSM_HOOK_INIT(sb_mount, selinux_mount),
6112 LSM_HOOK_INIT(sb_umount, selinux_umount),
6113 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6114 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6115 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6116
6117 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6118 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6119
6120 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6121 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6122 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6123 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6124 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6125 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6126 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6127 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6128 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6129 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6130 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6131 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6132 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6133 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6134 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6135 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6136 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6137 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6138 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6139 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6140 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6141 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6142 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6143 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6144 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6145 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6146 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6147
6148 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6149 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6150 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6151 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6152 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6153 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6154 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6155 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6156 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6157 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6158 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6159 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6160
6161 LSM_HOOK_INIT(file_open, selinux_file_open),
6162
6163 LSM_HOOK_INIT(task_create, selinux_task_create),
6164 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6165 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6166 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6167 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6168 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6169 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6170 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6171 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6172 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6173 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6174 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6175 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6176 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6177 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6178 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6179 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6180 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6181 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6182 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6183 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6184 LSM_HOOK_INIT(task_wait, selinux_task_wait),
6185 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6186
6187 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6188 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6189
6190 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6191 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6192
6193 LSM_HOOK_INIT(msg_queue_alloc_security,
6194 selinux_msg_queue_alloc_security),
6195 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6196 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6197 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6198 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6199 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6200
6201 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6202 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6203 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6204 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6205 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6206
6207 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6208 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6209 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6210 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6211 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6212
6213 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6214
6215 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6216 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6217
6218 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6219 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6220 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6221 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6222 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6223 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6224 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6225 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6226
6227 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6228 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6229
6230 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6231 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6232 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6233 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6234 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6235 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6236 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6237 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6238 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6239 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6240 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6241 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6242 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6243 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6244 LSM_HOOK_INIT(socket_getpeersec_stream,
6245 selinux_socket_getpeersec_stream),
6246 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6247 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6248 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6249 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6250 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6251 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6252 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6253 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6254 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6255 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6256 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6257 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6258 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6259 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6260 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6261 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6262 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6263 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6264 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6265
6266 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6267 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6268 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6269 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6270 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6271 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6272 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6273 selinux_xfrm_state_alloc_acquire),
6274 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6275 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6276 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6277 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6278 selinux_xfrm_state_pol_flow_match),
6279 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6280 #endif
6281
6282 #ifdef CONFIG_KEYS
6283 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6284 LSM_HOOK_INIT(key_free, selinux_key_free),
6285 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6286 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6287 #endif
6288
6289 #ifdef CONFIG_AUDIT
6290 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6291 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6292 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6293 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6294 #endif
6295 };
6296
6297 static __init int selinux_init(void)
6298 {
6299 if (!security_module_enable("selinux")) {
6300 selinux_enabled = 0;
6301 return 0;
6302 }
6303
6304 if (!selinux_enabled) {
6305 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6306 return 0;
6307 }
6308
6309 printk(KERN_INFO "SELinux: Initializing.\n");
6310
6311 /* Set the security state for the initial task. */
6312 cred_init_security();
6313
6314 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6315
6316 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6317 sizeof(struct inode_security_struct),
6318 0, SLAB_PANIC, NULL);
6319 file_security_cache = kmem_cache_create("selinux_file_security",
6320 sizeof(struct file_security_struct),
6321 0, SLAB_PANIC, NULL);
6322 avc_init();
6323
6324 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6325
6326 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6327 panic("SELinux: Unable to register AVC netcache callback\n");
6328
6329 if (selinux_enforcing)
6330 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6331 else
6332 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6333
6334 return 0;
6335 }
6336
6337 static void delayed_superblock_init(struct super_block *sb, void *unused)
6338 {
6339 superblock_doinit(sb, NULL);
6340 }
6341
6342 void selinux_complete_init(void)
6343 {
6344 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6345
6346 /* Set up any superblocks initialized prior to the policy load. */
6347 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6348 iterate_supers(delayed_superblock_init, NULL);
6349 }
6350
6351 /* SELinux requires early initialization in order to label
6352 all processes and objects when they are created. */
6353 security_initcall(selinux_init);
6354
6355 #if defined(CONFIG_NETFILTER)
6356
6357 static struct nf_hook_ops selinux_nf_ops[] = {
6358 {
6359 .hook = selinux_ipv4_postroute,
6360 .pf = NFPROTO_IPV4,
6361 .hooknum = NF_INET_POST_ROUTING,
6362 .priority = NF_IP_PRI_SELINUX_LAST,
6363 },
6364 {
6365 .hook = selinux_ipv4_forward,
6366 .pf = NFPROTO_IPV4,
6367 .hooknum = NF_INET_FORWARD,
6368 .priority = NF_IP_PRI_SELINUX_FIRST,
6369 },
6370 {
6371 .hook = selinux_ipv4_output,
6372 .pf = NFPROTO_IPV4,
6373 .hooknum = NF_INET_LOCAL_OUT,
6374 .priority = NF_IP_PRI_SELINUX_FIRST,
6375 },
6376 #if IS_ENABLED(CONFIG_IPV6)
6377 {
6378 .hook = selinux_ipv6_postroute,
6379 .pf = NFPROTO_IPV6,
6380 .hooknum = NF_INET_POST_ROUTING,
6381 .priority = NF_IP6_PRI_SELINUX_LAST,
6382 },
6383 {
6384 .hook = selinux_ipv6_forward,
6385 .pf = NFPROTO_IPV6,
6386 .hooknum = NF_INET_FORWARD,
6387 .priority = NF_IP6_PRI_SELINUX_FIRST,
6388 },
6389 {
6390 .hook = selinux_ipv6_output,
6391 .pf = NFPROTO_IPV6,
6392 .hooknum = NF_INET_LOCAL_OUT,
6393 .priority = NF_IP6_PRI_SELINUX_FIRST,
6394 },
6395 #endif /* IPV6 */
6396 };
6397
6398 static int __init selinux_nf_ip_init(void)
6399 {
6400 int err;
6401
6402 if (!selinux_enabled)
6403 return 0;
6404
6405 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6406
6407 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6408 if (err)
6409 panic("SELinux: nf_register_hooks: error %d\n", err);
6410
6411 return 0;
6412 }
6413
6414 __initcall(selinux_nf_ip_init);
6415
6416 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6417 static void selinux_nf_ip_exit(void)
6418 {
6419 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6420
6421 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6422 }
6423 #endif
6424
6425 #else /* CONFIG_NETFILTER */
6426
6427 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6428 #define selinux_nf_ip_exit()
6429 #endif
6430
6431 #endif /* CONFIG_NETFILTER */
6432
6433 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6434 static int selinux_disabled;
6435
6436 int selinux_disable(void)
6437 {
6438 if (ss_initialized) {
6439 /* Not permitted after initial policy load. */
6440 return -EINVAL;
6441 }
6442
6443 if (selinux_disabled) {
6444 /* Only do this once. */
6445 return -EINVAL;
6446 }
6447
6448 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6449
6450 selinux_disabled = 1;
6451 selinux_enabled = 0;
6452
6453 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6454
6455 /* Try to destroy the avc node cache */
6456 avc_disable();
6457
6458 /* Unregister netfilter hooks. */
6459 selinux_nf_ip_exit();
6460
6461 /* Unregister selinuxfs. */
6462 exit_sel_fs();
6463
6464 return 0;
6465 }
6466 #endif
Ubuntu Artful kernel mirror