]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
selinux: Add IB Port SMP access vector
[mirror_ubuntu-artful-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88
89 #include "avc.h"
90 #include "objsec.h"
91 #include "netif.h"
92 #include "netnode.h"
93 #include "netport.h"
94 #include "xfrm.h"
95 #include "netlabel.h"
96 #include "audit.h"
97 #include "avc_ss.h"
98
99 /* SECMARK reference count */
100 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107 unsigned long enforcing;
108 if (!kstrtoul(str, 0, &enforcing))
109 selinux_enforcing = enforcing ? 1 : 0;
110 return 1;
111 }
112 __setup("enforcing=", enforcing_setup);
113 #endif
114
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118 static int __init selinux_enabled_setup(char *str)
119 {
120 unsigned long enabled;
121 if (!kstrtoul(str, 0, &enabled))
122 selinux_enabled = enabled ? 1 : 0;
123 return 1;
124 }
125 __setup("selinux=", selinux_enabled_setup);
126 #else
127 int selinux_enabled = 1;
128 #endif
129
130 static struct kmem_cache *sel_inode_cache;
131 static struct kmem_cache *file_security_cache;
132
133 /**
134 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
135 *
136 * Description:
137 * This function checks the SECMARK reference counter to see if any SECMARK
138 * targets are currently configured, if the reference counter is greater than
139 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
140 * enabled, false (0) if SECMARK is disabled. If the always_check_network
141 * policy capability is enabled, SECMARK is always considered enabled.
142 *
143 */
144 static int selinux_secmark_enabled(void)
145 {
146 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
147 }
148
149 /**
150 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
151 *
152 * Description:
153 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
154 * (1) if any are enabled or false (0) if neither are enabled. If the
155 * always_check_network policy capability is enabled, peer labeling
156 * is always considered enabled.
157 *
158 */
159 static int selinux_peerlbl_enabled(void)
160 {
161 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162 }
163
164 static int selinux_netcache_avc_callback(u32 event)
165 {
166 if (event == AVC_CALLBACK_RESET) {
167 sel_netif_flush();
168 sel_netnode_flush();
169 sel_netport_flush();
170 synchronize_net();
171 }
172 return 0;
173 }
174
175 static int selinux_lsm_notifier_avc_callback(u32 event)
176 {
177 if (event == AVC_CALLBACK_RESET)
178 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
179
180 return 0;
181 }
182
183 /*
184 * initialise the security for the init task
185 */
186 static void cred_init_security(void)
187 {
188 struct cred *cred = (struct cred *) current->real_cred;
189 struct task_security_struct *tsec;
190
191 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
192 if (!tsec)
193 panic("SELinux: Failed to initialize initial task.\n");
194
195 tsec->osid = tsec->sid = SECINITSID_KERNEL;
196 cred->security = tsec;
197 }
198
199 /*
200 * get the security ID of a set of credentials
201 */
202 static inline u32 cred_sid(const struct cred *cred)
203 {
204 const struct task_security_struct *tsec;
205
206 tsec = cred->security;
207 return tsec->sid;
208 }
209
210 /*
211 * get the objective security ID of a task
212 */
213 static inline u32 task_sid(const struct task_struct *task)
214 {
215 u32 sid;
216
217 rcu_read_lock();
218 sid = cred_sid(__task_cred(task));
219 rcu_read_unlock();
220 return sid;
221 }
222
223 /* Allocate and free functions for each kind of security blob. */
224
225 static int inode_alloc_security(struct inode *inode)
226 {
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
229
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 if (!isec)
232 return -ENOMEM;
233
234 spin_lock_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 isec->initialized = LABEL_INVALID;
241 inode->i_security = isec;
242
243 return 0;
244 }
245
246 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
247
248 /*
249 * Try reloading inode security labels that have been marked as invalid. The
250 * @may_sleep parameter indicates when sleeping and thus reloading labels is
251 * allowed; when set to false, returns -ECHILD when the label is
252 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
253 * when no dentry is available, set it to NULL instead.
254 */
255 static int __inode_security_revalidate(struct inode *inode,
256 struct dentry *opt_dentry,
257 bool may_sleep)
258 {
259 struct inode_security_struct *isec = inode->i_security;
260
261 might_sleep_if(may_sleep);
262
263 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
264 if (!may_sleep)
265 return -ECHILD;
266
267 /*
268 * Try reloading the inode security label. This will fail if
269 * @opt_dentry is NULL and no dentry for this inode can be
270 * found; in that case, continue using the old label.
271 */
272 inode_doinit_with_dentry(inode, opt_dentry);
273 }
274 return 0;
275 }
276
277 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
278 {
279 return inode->i_security;
280 }
281
282 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
283 {
284 int error;
285
286 error = __inode_security_revalidate(inode, NULL, !rcu);
287 if (error)
288 return ERR_PTR(error);
289 return inode->i_security;
290 }
291
292 /*
293 * Get the security label of an inode.
294 */
295 static struct inode_security_struct *inode_security(struct inode *inode)
296 {
297 __inode_security_revalidate(inode, NULL, true);
298 return inode->i_security;
299 }
300
301 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
302 {
303 struct inode *inode = d_backing_inode(dentry);
304
305 return inode->i_security;
306 }
307
308 /*
309 * Get the security label of a dentry's backing inode.
310 */
311 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
312 {
313 struct inode *inode = d_backing_inode(dentry);
314
315 __inode_security_revalidate(inode, dentry, true);
316 return inode->i_security;
317 }
318
319 static void inode_free_rcu(struct rcu_head *head)
320 {
321 struct inode_security_struct *isec;
322
323 isec = container_of(head, struct inode_security_struct, rcu);
324 kmem_cache_free(sel_inode_cache, isec);
325 }
326
327 static void inode_free_security(struct inode *inode)
328 {
329 struct inode_security_struct *isec = inode->i_security;
330 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
331
332 /*
333 * As not all inode security structures are in a list, we check for
334 * empty list outside of the lock to make sure that we won't waste
335 * time taking a lock doing nothing.
336 *
337 * The list_del_init() function can be safely called more than once.
338 * It should not be possible for this function to be called with
339 * concurrent list_add(), but for better safety against future changes
340 * in the code, we use list_empty_careful() here.
341 */
342 if (!list_empty_careful(&isec->list)) {
343 spin_lock(&sbsec->isec_lock);
344 list_del_init(&isec->list);
345 spin_unlock(&sbsec->isec_lock);
346 }
347
348 /*
349 * The inode may still be referenced in a path walk and
350 * a call to selinux_inode_permission() can be made
351 * after inode_free_security() is called. Ideally, the VFS
352 * wouldn't do this, but fixing that is a much harder
353 * job. For now, simply free the i_security via RCU, and
354 * leave the current inode->i_security pointer intact.
355 * The inode will be freed after the RCU grace period too.
356 */
357 call_rcu(&isec->rcu, inode_free_rcu);
358 }
359
360 static int file_alloc_security(struct file *file)
361 {
362 struct file_security_struct *fsec;
363 u32 sid = current_sid();
364
365 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
366 if (!fsec)
367 return -ENOMEM;
368
369 fsec->sid = sid;
370 fsec->fown_sid = sid;
371 file->f_security = fsec;
372
373 return 0;
374 }
375
376 static void file_free_security(struct file *file)
377 {
378 struct file_security_struct *fsec = file->f_security;
379 file->f_security = NULL;
380 kmem_cache_free(file_security_cache, fsec);
381 }
382
383 static int superblock_alloc_security(struct super_block *sb)
384 {
385 struct superblock_security_struct *sbsec;
386
387 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
388 if (!sbsec)
389 return -ENOMEM;
390
391 mutex_init(&sbsec->lock);
392 INIT_LIST_HEAD(&sbsec->isec_head);
393 spin_lock_init(&sbsec->isec_lock);
394 sbsec->sb = sb;
395 sbsec->sid = SECINITSID_UNLABELED;
396 sbsec->def_sid = SECINITSID_FILE;
397 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
398 sb->s_security = sbsec;
399
400 return 0;
401 }
402
403 static void superblock_free_security(struct super_block *sb)
404 {
405 struct superblock_security_struct *sbsec = sb->s_security;
406 sb->s_security = NULL;
407 kfree(sbsec);
408 }
409
410 static inline int inode_doinit(struct inode *inode)
411 {
412 return inode_doinit_with_dentry(inode, NULL);
413 }
414
415 enum {
416 Opt_error = -1,
417 Opt_context = 1,
418 Opt_fscontext = 2,
419 Opt_defcontext = 3,
420 Opt_rootcontext = 4,
421 Opt_labelsupport = 5,
422 Opt_nextmntopt = 6,
423 };
424
425 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
426
427 static const match_table_t tokens = {
428 {Opt_context, CONTEXT_STR "%s"},
429 {Opt_fscontext, FSCONTEXT_STR "%s"},
430 {Opt_defcontext, DEFCONTEXT_STR "%s"},
431 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
432 {Opt_labelsupport, LABELSUPP_STR},
433 {Opt_error, NULL},
434 };
435
436 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
437
438 static int may_context_mount_sb_relabel(u32 sid,
439 struct superblock_security_struct *sbsec,
440 const struct cred *cred)
441 {
442 const struct task_security_struct *tsec = cred->security;
443 int rc;
444
445 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
446 FILESYSTEM__RELABELFROM, NULL);
447 if (rc)
448 return rc;
449
450 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
451 FILESYSTEM__RELABELTO, NULL);
452 return rc;
453 }
454
455 static int may_context_mount_inode_relabel(u32 sid,
456 struct superblock_security_struct *sbsec,
457 const struct cred *cred)
458 {
459 const struct task_security_struct *tsec = cred->security;
460 int rc;
461 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
462 FILESYSTEM__RELABELFROM, NULL);
463 if (rc)
464 return rc;
465
466 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
467 FILESYSTEM__ASSOCIATE, NULL);
468 return rc;
469 }
470
471 static int selinux_is_sblabel_mnt(struct super_block *sb)
472 {
473 struct superblock_security_struct *sbsec = sb->s_security;
474
475 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
476 sbsec->behavior == SECURITY_FS_USE_TRANS ||
477 sbsec->behavior == SECURITY_FS_USE_TASK ||
478 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
479 /* Special handling. Genfs but also in-core setxattr handler */
480 !strcmp(sb->s_type->name, "sysfs") ||
481 !strcmp(sb->s_type->name, "pstore") ||
482 !strcmp(sb->s_type->name, "debugfs") ||
483 !strcmp(sb->s_type->name, "tracefs") ||
484 !strcmp(sb->s_type->name, "rootfs") ||
485 (selinux_policycap_cgroupseclabel &&
486 (!strcmp(sb->s_type->name, "cgroup") ||
487 !strcmp(sb->s_type->name, "cgroup2")));
488 }
489
490 static int sb_finish_set_opts(struct super_block *sb)
491 {
492 struct superblock_security_struct *sbsec = sb->s_security;
493 struct dentry *root = sb->s_root;
494 struct inode *root_inode = d_backing_inode(root);
495 int rc = 0;
496
497 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
498 /* Make sure that the xattr handler exists and that no
499 error other than -ENODATA is returned by getxattr on
500 the root directory. -ENODATA is ok, as this may be
501 the first boot of the SELinux kernel before we have
502 assigned xattr values to the filesystem. */
503 if (!(root_inode->i_opflags & IOP_XATTR)) {
504 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
505 "xattr support\n", sb->s_id, sb->s_type->name);
506 rc = -EOPNOTSUPP;
507 goto out;
508 }
509
510 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
511 if (rc < 0 && rc != -ENODATA) {
512 if (rc == -EOPNOTSUPP)
513 printk(KERN_WARNING "SELinux: (dev %s, type "
514 "%s) has no security xattr handler\n",
515 sb->s_id, sb->s_type->name);
516 else
517 printk(KERN_WARNING "SELinux: (dev %s, type "
518 "%s) getxattr errno %d\n", sb->s_id,
519 sb->s_type->name, -rc);
520 goto out;
521 }
522 }
523
524 sbsec->flags |= SE_SBINITIALIZED;
525 if (selinux_is_sblabel_mnt(sb))
526 sbsec->flags |= SBLABEL_MNT;
527
528 /* Initialize the root inode. */
529 rc = inode_doinit_with_dentry(root_inode, root);
530
531 /* Initialize any other inodes associated with the superblock, e.g.
532 inodes created prior to initial policy load or inodes created
533 during get_sb by a pseudo filesystem that directly
534 populates itself. */
535 spin_lock(&sbsec->isec_lock);
536 next_inode:
537 if (!list_empty(&sbsec->isec_head)) {
538 struct inode_security_struct *isec =
539 list_entry(sbsec->isec_head.next,
540 struct inode_security_struct, list);
541 struct inode *inode = isec->inode;
542 list_del_init(&isec->list);
543 spin_unlock(&sbsec->isec_lock);
544 inode = igrab(inode);
545 if (inode) {
546 if (!IS_PRIVATE(inode))
547 inode_doinit(inode);
548 iput(inode);
549 }
550 spin_lock(&sbsec->isec_lock);
551 goto next_inode;
552 }
553 spin_unlock(&sbsec->isec_lock);
554 out:
555 return rc;
556 }
557
558 /*
559 * This function should allow an FS to ask what it's mount security
560 * options were so it can use those later for submounts, displaying
561 * mount options, or whatever.
562 */
563 static int selinux_get_mnt_opts(const struct super_block *sb,
564 struct security_mnt_opts *opts)
565 {
566 int rc = 0, i;
567 struct superblock_security_struct *sbsec = sb->s_security;
568 char *context = NULL;
569 u32 len;
570 char tmp;
571
572 security_init_mnt_opts(opts);
573
574 if (!(sbsec->flags & SE_SBINITIALIZED))
575 return -EINVAL;
576
577 if (!ss_initialized)
578 return -EINVAL;
579
580 /* make sure we always check enough bits to cover the mask */
581 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
582
583 tmp = sbsec->flags & SE_MNTMASK;
584 /* count the number of mount options for this sb */
585 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
586 if (tmp & 0x01)
587 opts->num_mnt_opts++;
588 tmp >>= 1;
589 }
590 /* Check if the Label support flag is set */
591 if (sbsec->flags & SBLABEL_MNT)
592 opts->num_mnt_opts++;
593
594 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
595 if (!opts->mnt_opts) {
596 rc = -ENOMEM;
597 goto out_free;
598 }
599
600 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
601 if (!opts->mnt_opts_flags) {
602 rc = -ENOMEM;
603 goto out_free;
604 }
605
606 i = 0;
607 if (sbsec->flags & FSCONTEXT_MNT) {
608 rc = security_sid_to_context(sbsec->sid, &context, &len);
609 if (rc)
610 goto out_free;
611 opts->mnt_opts[i] = context;
612 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
613 }
614 if (sbsec->flags & CONTEXT_MNT) {
615 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
616 if (rc)
617 goto out_free;
618 opts->mnt_opts[i] = context;
619 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
620 }
621 if (sbsec->flags & DEFCONTEXT_MNT) {
622 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
623 if (rc)
624 goto out_free;
625 opts->mnt_opts[i] = context;
626 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
627 }
628 if (sbsec->flags & ROOTCONTEXT_MNT) {
629 struct dentry *root = sbsec->sb->s_root;
630 struct inode_security_struct *isec = backing_inode_security(root);
631
632 rc = security_sid_to_context(isec->sid, &context, &len);
633 if (rc)
634 goto out_free;
635 opts->mnt_opts[i] = context;
636 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
637 }
638 if (sbsec->flags & SBLABEL_MNT) {
639 opts->mnt_opts[i] = NULL;
640 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
641 }
642
643 BUG_ON(i != opts->num_mnt_opts);
644
645 return 0;
646
647 out_free:
648 security_free_mnt_opts(opts);
649 return rc;
650 }
651
652 static int bad_option(struct superblock_security_struct *sbsec, char flag,
653 u32 old_sid, u32 new_sid)
654 {
655 char mnt_flags = sbsec->flags & SE_MNTMASK;
656
657 /* check if the old mount command had the same options */
658 if (sbsec->flags & SE_SBINITIALIZED)
659 if (!(sbsec->flags & flag) ||
660 (old_sid != new_sid))
661 return 1;
662
663 /* check if we were passed the same options twice,
664 * aka someone passed context=a,context=b
665 */
666 if (!(sbsec->flags & SE_SBINITIALIZED))
667 if (mnt_flags & flag)
668 return 1;
669 return 0;
670 }
671
672 /*
673 * Allow filesystems with binary mount data to explicitly set mount point
674 * labeling information.
675 */
676 static int selinux_set_mnt_opts(struct super_block *sb,
677 struct security_mnt_opts *opts,
678 unsigned long kern_flags,
679 unsigned long *set_kern_flags)
680 {
681 const struct cred *cred = current_cred();
682 int rc = 0, i;
683 struct superblock_security_struct *sbsec = sb->s_security;
684 const char *name = sb->s_type->name;
685 struct dentry *root = sbsec->sb->s_root;
686 struct inode_security_struct *root_isec;
687 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
688 u32 defcontext_sid = 0;
689 char **mount_options = opts->mnt_opts;
690 int *flags = opts->mnt_opts_flags;
691 int num_opts = opts->num_mnt_opts;
692
693 mutex_lock(&sbsec->lock);
694
695 if (!ss_initialized) {
696 if (!num_opts) {
697 /* Defer initialization until selinux_complete_init,
698 after the initial policy is loaded and the security
699 server is ready to handle calls. */
700 goto out;
701 }
702 rc = -EINVAL;
703 printk(KERN_WARNING "SELinux: Unable to set superblock options "
704 "before the security server is initialized\n");
705 goto out;
706 }
707 if (kern_flags && !set_kern_flags) {
708 /* Specifying internal flags without providing a place to
709 * place the results is not allowed */
710 rc = -EINVAL;
711 goto out;
712 }
713
714 /*
715 * Binary mount data FS will come through this function twice. Once
716 * from an explicit call and once from the generic calls from the vfs.
717 * Since the generic VFS calls will not contain any security mount data
718 * we need to skip the double mount verification.
719 *
720 * This does open a hole in which we will not notice if the first
721 * mount using this sb set explict options and a second mount using
722 * this sb does not set any security options. (The first options
723 * will be used for both mounts)
724 */
725 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
726 && (num_opts == 0))
727 goto out;
728
729 root_isec = backing_inode_security_novalidate(root);
730
731 /*
732 * parse the mount options, check if they are valid sids.
733 * also check if someone is trying to mount the same sb more
734 * than once with different security options.
735 */
736 for (i = 0; i < num_opts; i++) {
737 u32 sid;
738
739 if (flags[i] == SBLABEL_MNT)
740 continue;
741 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
742 if (rc) {
743 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
744 "(%s) failed for (dev %s, type %s) errno=%d\n",
745 mount_options[i], sb->s_id, name, rc);
746 goto out;
747 }
748 switch (flags[i]) {
749 case FSCONTEXT_MNT:
750 fscontext_sid = sid;
751
752 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
753 fscontext_sid))
754 goto out_double_mount;
755
756 sbsec->flags |= FSCONTEXT_MNT;
757 break;
758 case CONTEXT_MNT:
759 context_sid = sid;
760
761 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
762 context_sid))
763 goto out_double_mount;
764
765 sbsec->flags |= CONTEXT_MNT;
766 break;
767 case ROOTCONTEXT_MNT:
768 rootcontext_sid = sid;
769
770 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
771 rootcontext_sid))
772 goto out_double_mount;
773
774 sbsec->flags |= ROOTCONTEXT_MNT;
775
776 break;
777 case DEFCONTEXT_MNT:
778 defcontext_sid = sid;
779
780 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
781 defcontext_sid))
782 goto out_double_mount;
783
784 sbsec->flags |= DEFCONTEXT_MNT;
785
786 break;
787 default:
788 rc = -EINVAL;
789 goto out;
790 }
791 }
792
793 if (sbsec->flags & SE_SBINITIALIZED) {
794 /* previously mounted with options, but not on this attempt? */
795 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
796 goto out_double_mount;
797 rc = 0;
798 goto out;
799 }
800
801 if (strcmp(sb->s_type->name, "proc") == 0)
802 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
803
804 if (!strcmp(sb->s_type->name, "debugfs") ||
805 !strcmp(sb->s_type->name, "sysfs") ||
806 !strcmp(sb->s_type->name, "pstore"))
807 sbsec->flags |= SE_SBGENFS;
808
809 if (!sbsec->behavior) {
810 /*
811 * Determine the labeling behavior to use for this
812 * filesystem type.
813 */
814 rc = security_fs_use(sb);
815 if (rc) {
816 printk(KERN_WARNING
817 "%s: security_fs_use(%s) returned %d\n",
818 __func__, sb->s_type->name, rc);
819 goto out;
820 }
821 }
822
823 /*
824 * If this is a user namespace mount and the filesystem type is not
825 * explicitly whitelisted, then no contexts are allowed on the command
826 * line and security labels must be ignored.
827 */
828 if (sb->s_user_ns != &init_user_ns &&
829 strcmp(sb->s_type->name, "tmpfs") &&
830 strcmp(sb->s_type->name, "ramfs") &&
831 strcmp(sb->s_type->name, "devpts")) {
832 if (context_sid || fscontext_sid || rootcontext_sid ||
833 defcontext_sid) {
834 rc = -EACCES;
835 goto out;
836 }
837 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
838 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
839 rc = security_transition_sid(current_sid(), current_sid(),
840 SECCLASS_FILE, NULL,
841 &sbsec->mntpoint_sid);
842 if (rc)
843 goto out;
844 }
845 goto out_set_opts;
846 }
847
848 /* sets the context of the superblock for the fs being mounted. */
849 if (fscontext_sid) {
850 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
851 if (rc)
852 goto out;
853
854 sbsec->sid = fscontext_sid;
855 }
856
857 /*
858 * Switch to using mount point labeling behavior.
859 * sets the label used on all file below the mountpoint, and will set
860 * the superblock context if not already set.
861 */
862 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
863 sbsec->behavior = SECURITY_FS_USE_NATIVE;
864 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
865 }
866
867 if (context_sid) {
868 if (!fscontext_sid) {
869 rc = may_context_mount_sb_relabel(context_sid, sbsec,
870 cred);
871 if (rc)
872 goto out;
873 sbsec->sid = context_sid;
874 } else {
875 rc = may_context_mount_inode_relabel(context_sid, sbsec,
876 cred);
877 if (rc)
878 goto out;
879 }
880 if (!rootcontext_sid)
881 rootcontext_sid = context_sid;
882
883 sbsec->mntpoint_sid = context_sid;
884 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
885 }
886
887 if (rootcontext_sid) {
888 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
889 cred);
890 if (rc)
891 goto out;
892
893 root_isec->sid = rootcontext_sid;
894 root_isec->initialized = LABEL_INITIALIZED;
895 }
896
897 if (defcontext_sid) {
898 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
899 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
900 rc = -EINVAL;
901 printk(KERN_WARNING "SELinux: defcontext option is "
902 "invalid for this filesystem type\n");
903 goto out;
904 }
905
906 if (defcontext_sid != sbsec->def_sid) {
907 rc = may_context_mount_inode_relabel(defcontext_sid,
908 sbsec, cred);
909 if (rc)
910 goto out;
911 }
912
913 sbsec->def_sid = defcontext_sid;
914 }
915
916 out_set_opts:
917 rc = sb_finish_set_opts(sb);
918 out:
919 mutex_unlock(&sbsec->lock);
920 return rc;
921 out_double_mount:
922 rc = -EINVAL;
923 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
924 "security settings for (dev %s, type %s)\n", sb->s_id, name);
925 goto out;
926 }
927
928 static int selinux_cmp_sb_context(const struct super_block *oldsb,
929 const struct super_block *newsb)
930 {
931 struct superblock_security_struct *old = oldsb->s_security;
932 struct superblock_security_struct *new = newsb->s_security;
933 char oldflags = old->flags & SE_MNTMASK;
934 char newflags = new->flags & SE_MNTMASK;
935
936 if (oldflags != newflags)
937 goto mismatch;
938 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
939 goto mismatch;
940 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
941 goto mismatch;
942 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
943 goto mismatch;
944 if (oldflags & ROOTCONTEXT_MNT) {
945 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
946 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
947 if (oldroot->sid != newroot->sid)
948 goto mismatch;
949 }
950 return 0;
951 mismatch:
952 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
953 "different security settings for (dev %s, "
954 "type %s)\n", newsb->s_id, newsb->s_type->name);
955 return -EBUSY;
956 }
957
958 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
959 struct super_block *newsb)
960 {
961 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
962 struct superblock_security_struct *newsbsec = newsb->s_security;
963
964 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
965 int set_context = (oldsbsec->flags & CONTEXT_MNT);
966 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
967
968 /*
969 * if the parent was able to be mounted it clearly had no special lsm
970 * mount options. thus we can safely deal with this superblock later
971 */
972 if (!ss_initialized)
973 return 0;
974
975 /* how can we clone if the old one wasn't set up?? */
976 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
977
978 /* if fs is reusing a sb, make sure that the contexts match */
979 if (newsbsec->flags & SE_SBINITIALIZED)
980 return selinux_cmp_sb_context(oldsb, newsb);
981
982 mutex_lock(&newsbsec->lock);
983
984 newsbsec->flags = oldsbsec->flags;
985
986 newsbsec->sid = oldsbsec->sid;
987 newsbsec->def_sid = oldsbsec->def_sid;
988 newsbsec->behavior = oldsbsec->behavior;
989
990 if (set_context) {
991 u32 sid = oldsbsec->mntpoint_sid;
992
993 if (!set_fscontext)
994 newsbsec->sid = sid;
995 if (!set_rootcontext) {
996 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
997 newisec->sid = sid;
998 }
999 newsbsec->mntpoint_sid = sid;
1000 }
1001 if (set_rootcontext) {
1002 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1003 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1004
1005 newisec->sid = oldisec->sid;
1006 }
1007
1008 sb_finish_set_opts(newsb);
1009 mutex_unlock(&newsbsec->lock);
1010 return 0;
1011 }
1012
1013 static int selinux_parse_opts_str(char *options,
1014 struct security_mnt_opts *opts)
1015 {
1016 char *p;
1017 char *context = NULL, *defcontext = NULL;
1018 char *fscontext = NULL, *rootcontext = NULL;
1019 int rc, num_mnt_opts = 0;
1020
1021 opts->num_mnt_opts = 0;
1022
1023 /* Standard string-based options. */
1024 while ((p = strsep(&options, "|")) != NULL) {
1025 int token;
1026 substring_t args[MAX_OPT_ARGS];
1027
1028 if (!*p)
1029 continue;
1030
1031 token = match_token(p, tokens, args);
1032
1033 switch (token) {
1034 case Opt_context:
1035 if (context || defcontext) {
1036 rc = -EINVAL;
1037 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1038 goto out_err;
1039 }
1040 context = match_strdup(&args[0]);
1041 if (!context) {
1042 rc = -ENOMEM;
1043 goto out_err;
1044 }
1045 break;
1046
1047 case Opt_fscontext:
1048 if (fscontext) {
1049 rc = -EINVAL;
1050 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1051 goto out_err;
1052 }
1053 fscontext = match_strdup(&args[0]);
1054 if (!fscontext) {
1055 rc = -ENOMEM;
1056 goto out_err;
1057 }
1058 break;
1059
1060 case Opt_rootcontext:
1061 if (rootcontext) {
1062 rc = -EINVAL;
1063 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1064 goto out_err;
1065 }
1066 rootcontext = match_strdup(&args[0]);
1067 if (!rootcontext) {
1068 rc = -ENOMEM;
1069 goto out_err;
1070 }
1071 break;
1072
1073 case Opt_defcontext:
1074 if (context || defcontext) {
1075 rc = -EINVAL;
1076 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1077 goto out_err;
1078 }
1079 defcontext = match_strdup(&args[0]);
1080 if (!defcontext) {
1081 rc = -ENOMEM;
1082 goto out_err;
1083 }
1084 break;
1085 case Opt_labelsupport:
1086 break;
1087 default:
1088 rc = -EINVAL;
1089 printk(KERN_WARNING "SELinux: unknown mount option\n");
1090 goto out_err;
1091
1092 }
1093 }
1094
1095 rc = -ENOMEM;
1096 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1097 if (!opts->mnt_opts)
1098 goto out_err;
1099
1100 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1101 GFP_KERNEL);
1102 if (!opts->mnt_opts_flags) {
1103 kfree(opts->mnt_opts);
1104 goto out_err;
1105 }
1106
1107 if (fscontext) {
1108 opts->mnt_opts[num_mnt_opts] = fscontext;
1109 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1110 }
1111 if (context) {
1112 opts->mnt_opts[num_mnt_opts] = context;
1113 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1114 }
1115 if (rootcontext) {
1116 opts->mnt_opts[num_mnt_opts] = rootcontext;
1117 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1118 }
1119 if (defcontext) {
1120 opts->mnt_opts[num_mnt_opts] = defcontext;
1121 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1122 }
1123
1124 opts->num_mnt_opts = num_mnt_opts;
1125 return 0;
1126
1127 out_err:
1128 kfree(context);
1129 kfree(defcontext);
1130 kfree(fscontext);
1131 kfree(rootcontext);
1132 return rc;
1133 }
1134 /*
1135 * string mount options parsing and call set the sbsec
1136 */
1137 static int superblock_doinit(struct super_block *sb, void *data)
1138 {
1139 int rc = 0;
1140 char *options = data;
1141 struct security_mnt_opts opts;
1142
1143 security_init_mnt_opts(&opts);
1144
1145 if (!data)
1146 goto out;
1147
1148 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1149
1150 rc = selinux_parse_opts_str(options, &opts);
1151 if (rc)
1152 goto out_err;
1153
1154 out:
1155 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1156
1157 out_err:
1158 security_free_mnt_opts(&opts);
1159 return rc;
1160 }
1161
1162 static void selinux_write_opts(struct seq_file *m,
1163 struct security_mnt_opts *opts)
1164 {
1165 int i;
1166 char *prefix;
1167
1168 for (i = 0; i < opts->num_mnt_opts; i++) {
1169 char *has_comma;
1170
1171 if (opts->mnt_opts[i])
1172 has_comma = strchr(opts->mnt_opts[i], ',');
1173 else
1174 has_comma = NULL;
1175
1176 switch (opts->mnt_opts_flags[i]) {
1177 case CONTEXT_MNT:
1178 prefix = CONTEXT_STR;
1179 break;
1180 case FSCONTEXT_MNT:
1181 prefix = FSCONTEXT_STR;
1182 break;
1183 case ROOTCONTEXT_MNT:
1184 prefix = ROOTCONTEXT_STR;
1185 break;
1186 case DEFCONTEXT_MNT:
1187 prefix = DEFCONTEXT_STR;
1188 break;
1189 case SBLABEL_MNT:
1190 seq_putc(m, ',');
1191 seq_puts(m, LABELSUPP_STR);
1192 continue;
1193 default:
1194 BUG();
1195 return;
1196 };
1197 /* we need a comma before each option */
1198 seq_putc(m, ',');
1199 seq_puts(m, prefix);
1200 if (has_comma)
1201 seq_putc(m, '\"');
1202 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1203 if (has_comma)
1204 seq_putc(m, '\"');
1205 }
1206 }
1207
1208 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1209 {
1210 struct security_mnt_opts opts;
1211 int rc;
1212
1213 rc = selinux_get_mnt_opts(sb, &opts);
1214 if (rc) {
1215 /* before policy load we may get EINVAL, don't show anything */
1216 if (rc == -EINVAL)
1217 rc = 0;
1218 return rc;
1219 }
1220
1221 selinux_write_opts(m, &opts);
1222
1223 security_free_mnt_opts(&opts);
1224
1225 return rc;
1226 }
1227
1228 static inline u16 inode_mode_to_security_class(umode_t mode)
1229 {
1230 switch (mode & S_IFMT) {
1231 case S_IFSOCK:
1232 return SECCLASS_SOCK_FILE;
1233 case S_IFLNK:
1234 return SECCLASS_LNK_FILE;
1235 case S_IFREG:
1236 return SECCLASS_FILE;
1237 case S_IFBLK:
1238 return SECCLASS_BLK_FILE;
1239 case S_IFDIR:
1240 return SECCLASS_DIR;
1241 case S_IFCHR:
1242 return SECCLASS_CHR_FILE;
1243 case S_IFIFO:
1244 return SECCLASS_FIFO_FILE;
1245
1246 }
1247
1248 return SECCLASS_FILE;
1249 }
1250
1251 static inline int default_protocol_stream(int protocol)
1252 {
1253 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1254 }
1255
1256 static inline int default_protocol_dgram(int protocol)
1257 {
1258 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1259 }
1260
1261 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1262 {
1263 int extsockclass = selinux_policycap_extsockclass;
1264
1265 switch (family) {
1266 case PF_UNIX:
1267 switch (type) {
1268 case SOCK_STREAM:
1269 case SOCK_SEQPACKET:
1270 return SECCLASS_UNIX_STREAM_SOCKET;
1271 case SOCK_DGRAM:
1272 return SECCLASS_UNIX_DGRAM_SOCKET;
1273 }
1274 break;
1275 case PF_INET:
1276 case PF_INET6:
1277 switch (type) {
1278 case SOCK_STREAM:
1279 case SOCK_SEQPACKET:
1280 if (default_protocol_stream(protocol))
1281 return SECCLASS_TCP_SOCKET;
1282 else if (extsockclass && protocol == IPPROTO_SCTP)
1283 return SECCLASS_SCTP_SOCKET;
1284 else
1285 return SECCLASS_RAWIP_SOCKET;
1286 case SOCK_DGRAM:
1287 if (default_protocol_dgram(protocol))
1288 return SECCLASS_UDP_SOCKET;
1289 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1290 protocol == IPPROTO_ICMPV6))
1291 return SECCLASS_ICMP_SOCKET;
1292 else
1293 return SECCLASS_RAWIP_SOCKET;
1294 case SOCK_DCCP:
1295 return SECCLASS_DCCP_SOCKET;
1296 default:
1297 return SECCLASS_RAWIP_SOCKET;
1298 }
1299 break;
1300 case PF_NETLINK:
1301 switch (protocol) {
1302 case NETLINK_ROUTE:
1303 return SECCLASS_NETLINK_ROUTE_SOCKET;
1304 case NETLINK_SOCK_DIAG:
1305 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1306 case NETLINK_NFLOG:
1307 return SECCLASS_NETLINK_NFLOG_SOCKET;
1308 case NETLINK_XFRM:
1309 return SECCLASS_NETLINK_XFRM_SOCKET;
1310 case NETLINK_SELINUX:
1311 return SECCLASS_NETLINK_SELINUX_SOCKET;
1312 case NETLINK_ISCSI:
1313 return SECCLASS_NETLINK_ISCSI_SOCKET;
1314 case NETLINK_AUDIT:
1315 return SECCLASS_NETLINK_AUDIT_SOCKET;
1316 case NETLINK_FIB_LOOKUP:
1317 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1318 case NETLINK_CONNECTOR:
1319 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1320 case NETLINK_NETFILTER:
1321 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1322 case NETLINK_DNRTMSG:
1323 return SECCLASS_NETLINK_DNRT_SOCKET;
1324 case NETLINK_KOBJECT_UEVENT:
1325 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1326 case NETLINK_GENERIC:
1327 return SECCLASS_NETLINK_GENERIC_SOCKET;
1328 case NETLINK_SCSITRANSPORT:
1329 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1330 case NETLINK_RDMA:
1331 return SECCLASS_NETLINK_RDMA_SOCKET;
1332 case NETLINK_CRYPTO:
1333 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1334 default:
1335 return SECCLASS_NETLINK_SOCKET;
1336 }
1337 case PF_PACKET:
1338 return SECCLASS_PACKET_SOCKET;
1339 case PF_KEY:
1340 return SECCLASS_KEY_SOCKET;
1341 case PF_APPLETALK:
1342 return SECCLASS_APPLETALK_SOCKET;
1343 }
1344
1345 if (extsockclass) {
1346 switch (family) {
1347 case PF_AX25:
1348 return SECCLASS_AX25_SOCKET;
1349 case PF_IPX:
1350 return SECCLASS_IPX_SOCKET;
1351 case PF_NETROM:
1352 return SECCLASS_NETROM_SOCKET;
1353 case PF_ATMPVC:
1354 return SECCLASS_ATMPVC_SOCKET;
1355 case PF_X25:
1356 return SECCLASS_X25_SOCKET;
1357 case PF_ROSE:
1358 return SECCLASS_ROSE_SOCKET;
1359 case PF_DECnet:
1360 return SECCLASS_DECNET_SOCKET;
1361 case PF_ATMSVC:
1362 return SECCLASS_ATMSVC_SOCKET;
1363 case PF_RDS:
1364 return SECCLASS_RDS_SOCKET;
1365 case PF_IRDA:
1366 return SECCLASS_IRDA_SOCKET;
1367 case PF_PPPOX:
1368 return SECCLASS_PPPOX_SOCKET;
1369 case PF_LLC:
1370 return SECCLASS_LLC_SOCKET;
1371 case PF_CAN:
1372 return SECCLASS_CAN_SOCKET;
1373 case PF_TIPC:
1374 return SECCLASS_TIPC_SOCKET;
1375 case PF_BLUETOOTH:
1376 return SECCLASS_BLUETOOTH_SOCKET;
1377 case PF_IUCV:
1378 return SECCLASS_IUCV_SOCKET;
1379 case PF_RXRPC:
1380 return SECCLASS_RXRPC_SOCKET;
1381 case PF_ISDN:
1382 return SECCLASS_ISDN_SOCKET;
1383 case PF_PHONET:
1384 return SECCLASS_PHONET_SOCKET;
1385 case PF_IEEE802154:
1386 return SECCLASS_IEEE802154_SOCKET;
1387 case PF_CAIF:
1388 return SECCLASS_CAIF_SOCKET;
1389 case PF_ALG:
1390 return SECCLASS_ALG_SOCKET;
1391 case PF_NFC:
1392 return SECCLASS_NFC_SOCKET;
1393 case PF_VSOCK:
1394 return SECCLASS_VSOCK_SOCKET;
1395 case PF_KCM:
1396 return SECCLASS_KCM_SOCKET;
1397 case PF_QIPCRTR:
1398 return SECCLASS_QIPCRTR_SOCKET;
1399 case PF_SMC:
1400 return SECCLASS_SMC_SOCKET;
1401 #if PF_MAX > 44
1402 #error New address family defined, please update this function.
1403 #endif
1404 }
1405 }
1406
1407 return SECCLASS_SOCKET;
1408 }
1409
1410 static int selinux_genfs_get_sid(struct dentry *dentry,
1411 u16 tclass,
1412 u16 flags,
1413 u32 *sid)
1414 {
1415 int rc;
1416 struct super_block *sb = dentry->d_sb;
1417 char *buffer, *path;
1418
1419 buffer = (char *)__get_free_page(GFP_KERNEL);
1420 if (!buffer)
1421 return -ENOMEM;
1422
1423 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1424 if (IS_ERR(path))
1425 rc = PTR_ERR(path);
1426 else {
1427 if (flags & SE_SBPROC) {
1428 /* each process gets a /proc/PID/ entry. Strip off the
1429 * PID part to get a valid selinux labeling.
1430 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1431 while (path[1] >= '0' && path[1] <= '9') {
1432 path[1] = '/';
1433 path++;
1434 }
1435 }
1436 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1437 }
1438 free_page((unsigned long)buffer);
1439 return rc;
1440 }
1441
1442 /* The inode's security attributes must be initialized before first use. */
1443 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1444 {
1445 struct superblock_security_struct *sbsec = NULL;
1446 struct inode_security_struct *isec = inode->i_security;
1447 u32 task_sid, sid = 0;
1448 u16 sclass;
1449 struct dentry *dentry;
1450 #define INITCONTEXTLEN 255
1451 char *context = NULL;
1452 unsigned len = 0;
1453 int rc = 0;
1454
1455 if (isec->initialized == LABEL_INITIALIZED)
1456 return 0;
1457
1458 spin_lock(&isec->lock);
1459 if (isec->initialized == LABEL_INITIALIZED)
1460 goto out_unlock;
1461
1462 if (isec->sclass == SECCLASS_FILE)
1463 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1464
1465 sbsec = inode->i_sb->s_security;
1466 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1467 /* Defer initialization until selinux_complete_init,
1468 after the initial policy is loaded and the security
1469 server is ready to handle calls. */
1470 spin_lock(&sbsec->isec_lock);
1471 if (list_empty(&isec->list))
1472 list_add(&isec->list, &sbsec->isec_head);
1473 spin_unlock(&sbsec->isec_lock);
1474 goto out_unlock;
1475 }
1476
1477 sclass = isec->sclass;
1478 task_sid = isec->task_sid;
1479 sid = isec->sid;
1480 isec->initialized = LABEL_PENDING;
1481 spin_unlock(&isec->lock);
1482
1483 switch (sbsec->behavior) {
1484 case SECURITY_FS_USE_NATIVE:
1485 break;
1486 case SECURITY_FS_USE_XATTR:
1487 if (!(inode->i_opflags & IOP_XATTR)) {
1488 sid = sbsec->def_sid;
1489 break;
1490 }
1491 /* Need a dentry, since the xattr API requires one.
1492 Life would be simpler if we could just pass the inode. */
1493 if (opt_dentry) {
1494 /* Called from d_instantiate or d_splice_alias. */
1495 dentry = dget(opt_dentry);
1496 } else {
1497 /* Called from selinux_complete_init, try to find a dentry. */
1498 dentry = d_find_alias(inode);
1499 }
1500 if (!dentry) {
1501 /*
1502 * this is can be hit on boot when a file is accessed
1503 * before the policy is loaded. When we load policy we
1504 * may find inodes that have no dentry on the
1505 * sbsec->isec_head list. No reason to complain as these
1506 * will get fixed up the next time we go through
1507 * inode_doinit with a dentry, before these inodes could
1508 * be used again by userspace.
1509 */
1510 goto out;
1511 }
1512
1513 len = INITCONTEXTLEN;
1514 context = kmalloc(len+1, GFP_NOFS);
1515 if (!context) {
1516 rc = -ENOMEM;
1517 dput(dentry);
1518 goto out;
1519 }
1520 context[len] = '\0';
1521 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1522 if (rc == -ERANGE) {
1523 kfree(context);
1524
1525 /* Need a larger buffer. Query for the right size. */
1526 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1527 if (rc < 0) {
1528 dput(dentry);
1529 goto out;
1530 }
1531 len = rc;
1532 context = kmalloc(len+1, GFP_NOFS);
1533 if (!context) {
1534 rc = -ENOMEM;
1535 dput(dentry);
1536 goto out;
1537 }
1538 context[len] = '\0';
1539 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1540 }
1541 dput(dentry);
1542 if (rc < 0) {
1543 if (rc != -ENODATA) {
1544 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1545 "%d for dev=%s ino=%ld\n", __func__,
1546 -rc, inode->i_sb->s_id, inode->i_ino);
1547 kfree(context);
1548 goto out;
1549 }
1550 /* Map ENODATA to the default file SID */
1551 sid = sbsec->def_sid;
1552 rc = 0;
1553 } else {
1554 rc = security_context_to_sid_default(context, rc, &sid,
1555 sbsec->def_sid,
1556 GFP_NOFS);
1557 if (rc) {
1558 char *dev = inode->i_sb->s_id;
1559 unsigned long ino = inode->i_ino;
1560
1561 if (rc == -EINVAL) {
1562 if (printk_ratelimit())
1563 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1564 "context=%s. This indicates you may need to relabel the inode or the "
1565 "filesystem in question.\n", ino, dev, context);
1566 } else {
1567 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1568 "returned %d for dev=%s ino=%ld\n",
1569 __func__, context, -rc, dev, ino);
1570 }
1571 kfree(context);
1572 /* Leave with the unlabeled SID */
1573 rc = 0;
1574 break;
1575 }
1576 }
1577 kfree(context);
1578 break;
1579 case SECURITY_FS_USE_TASK:
1580 sid = task_sid;
1581 break;
1582 case SECURITY_FS_USE_TRANS:
1583 /* Default to the fs SID. */
1584 sid = sbsec->sid;
1585
1586 /* Try to obtain a transition SID. */
1587 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1588 if (rc)
1589 goto out;
1590 break;
1591 case SECURITY_FS_USE_MNTPOINT:
1592 sid = sbsec->mntpoint_sid;
1593 break;
1594 default:
1595 /* Default to the fs superblock SID. */
1596 sid = sbsec->sid;
1597
1598 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1599 /* We must have a dentry to determine the label on
1600 * procfs inodes */
1601 if (opt_dentry)
1602 /* Called from d_instantiate or
1603 * d_splice_alias. */
1604 dentry = dget(opt_dentry);
1605 else
1606 /* Called from selinux_complete_init, try to
1607 * find a dentry. */
1608 dentry = d_find_alias(inode);
1609 /*
1610 * This can be hit on boot when a file is accessed
1611 * before the policy is loaded. When we load policy we
1612 * may find inodes that have no dentry on the
1613 * sbsec->isec_head list. No reason to complain as
1614 * these will get fixed up the next time we go through
1615 * inode_doinit() with a dentry, before these inodes
1616 * could be used again by userspace.
1617 */
1618 if (!dentry)
1619 goto out;
1620 rc = selinux_genfs_get_sid(dentry, sclass,
1621 sbsec->flags, &sid);
1622 dput(dentry);
1623 if (rc)
1624 goto out;
1625 }
1626 break;
1627 }
1628
1629 out:
1630 spin_lock(&isec->lock);
1631 if (isec->initialized == LABEL_PENDING) {
1632 if (!sid || rc) {
1633 isec->initialized = LABEL_INVALID;
1634 goto out_unlock;
1635 }
1636
1637 isec->initialized = LABEL_INITIALIZED;
1638 isec->sid = sid;
1639 }
1640
1641 out_unlock:
1642 spin_unlock(&isec->lock);
1643 return rc;
1644 }
1645
1646 /* Convert a Linux signal to an access vector. */
1647 static inline u32 signal_to_av(int sig)
1648 {
1649 u32 perm = 0;
1650
1651 switch (sig) {
1652 case SIGCHLD:
1653 /* Commonly granted from child to parent. */
1654 perm = PROCESS__SIGCHLD;
1655 break;
1656 case SIGKILL:
1657 /* Cannot be caught or ignored */
1658 perm = PROCESS__SIGKILL;
1659 break;
1660 case SIGSTOP:
1661 /* Cannot be caught or ignored */
1662 perm = PROCESS__SIGSTOP;
1663 break;
1664 default:
1665 /* All other signals. */
1666 perm = PROCESS__SIGNAL;
1667 break;
1668 }
1669
1670 return perm;
1671 }
1672
1673 #if CAP_LAST_CAP > 63
1674 #error Fix SELinux to handle capabilities > 63.
1675 #endif
1676
1677 /* Check whether a task is allowed to use a capability. */
1678 static int cred_has_capability(const struct cred *cred,
1679 int cap, int audit, bool initns)
1680 {
1681 struct common_audit_data ad;
1682 struct av_decision avd;
1683 u16 sclass;
1684 u32 sid = cred_sid(cred);
1685 u32 av = CAP_TO_MASK(cap);
1686 int rc;
1687
1688 ad.type = LSM_AUDIT_DATA_CAP;
1689 ad.u.cap = cap;
1690
1691 switch (CAP_TO_INDEX(cap)) {
1692 case 0:
1693 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1694 break;
1695 case 1:
1696 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1697 break;
1698 default:
1699 printk(KERN_ERR
1700 "SELinux: out of range capability %d\n", cap);
1701 BUG();
1702 return -EINVAL;
1703 }
1704
1705 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1706 if (audit == SECURITY_CAP_AUDIT) {
1707 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1708 if (rc2)
1709 return rc2;
1710 }
1711 return rc;
1712 }
1713
1714 /* Check whether a task has a particular permission to an inode.
1715 The 'adp' parameter is optional and allows other audit
1716 data to be passed (e.g. the dentry). */
1717 static int inode_has_perm(const struct cred *cred,
1718 struct inode *inode,
1719 u32 perms,
1720 struct common_audit_data *adp)
1721 {
1722 struct inode_security_struct *isec;
1723 u32 sid;
1724
1725 validate_creds(cred);
1726
1727 if (unlikely(IS_PRIVATE(inode)))
1728 return 0;
1729
1730 sid = cred_sid(cred);
1731 isec = inode->i_security;
1732
1733 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1734 }
1735
1736 /* Same as inode_has_perm, but pass explicit audit data containing
1737 the dentry to help the auditing code to more easily generate the
1738 pathname if needed. */
1739 static inline int dentry_has_perm(const struct cred *cred,
1740 struct dentry *dentry,
1741 u32 av)
1742 {
1743 struct inode *inode = d_backing_inode(dentry);
1744 struct common_audit_data ad;
1745
1746 ad.type = LSM_AUDIT_DATA_DENTRY;
1747 ad.u.dentry = dentry;
1748 __inode_security_revalidate(inode, dentry, true);
1749 return inode_has_perm(cred, inode, av, &ad);
1750 }
1751
1752 /* Same as inode_has_perm, but pass explicit audit data containing
1753 the path to help the auditing code to more easily generate the
1754 pathname if needed. */
1755 static inline int path_has_perm(const struct cred *cred,
1756 const struct path *path,
1757 u32 av)
1758 {
1759 struct inode *inode = d_backing_inode(path->dentry);
1760 struct common_audit_data ad;
1761
1762 ad.type = LSM_AUDIT_DATA_PATH;
1763 ad.u.path = *path;
1764 __inode_security_revalidate(inode, path->dentry, true);
1765 return inode_has_perm(cred, inode, av, &ad);
1766 }
1767
1768 /* Same as path_has_perm, but uses the inode from the file struct. */
1769 static inline int file_path_has_perm(const struct cred *cred,
1770 struct file *file,
1771 u32 av)
1772 {
1773 struct common_audit_data ad;
1774
1775 ad.type = LSM_AUDIT_DATA_FILE;
1776 ad.u.file = file;
1777 return inode_has_perm(cred, file_inode(file), av, &ad);
1778 }
1779
1780 /* Check whether a task can use an open file descriptor to
1781 access an inode in a given way. Check access to the
1782 descriptor itself, and then use dentry_has_perm to
1783 check a particular permission to the file.
1784 Access to the descriptor is implicitly granted if it
1785 has the same SID as the process. If av is zero, then
1786 access to the file is not checked, e.g. for cases
1787 where only the descriptor is affected like seek. */
1788 static int file_has_perm(const struct cred *cred,
1789 struct file *file,
1790 u32 av)
1791 {
1792 struct file_security_struct *fsec = file->f_security;
1793 struct inode *inode = file_inode(file);
1794 struct common_audit_data ad;
1795 u32 sid = cred_sid(cred);
1796 int rc;
1797
1798 ad.type = LSM_AUDIT_DATA_FILE;
1799 ad.u.file = file;
1800
1801 if (sid != fsec->sid) {
1802 rc = avc_has_perm(sid, fsec->sid,
1803 SECCLASS_FD,
1804 FD__USE,
1805 &ad);
1806 if (rc)
1807 goto out;
1808 }
1809
1810 /* av is zero if only checking access to the descriptor. */
1811 rc = 0;
1812 if (av)
1813 rc = inode_has_perm(cred, inode, av, &ad);
1814
1815 out:
1816 return rc;
1817 }
1818
1819 /*
1820 * Determine the label for an inode that might be unioned.
1821 */
1822 static int
1823 selinux_determine_inode_label(const struct task_security_struct *tsec,
1824 struct inode *dir,
1825 const struct qstr *name, u16 tclass,
1826 u32 *_new_isid)
1827 {
1828 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1829
1830 if ((sbsec->flags & SE_SBINITIALIZED) &&
1831 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1832 *_new_isid = sbsec->mntpoint_sid;
1833 } else if ((sbsec->flags & SBLABEL_MNT) &&
1834 tsec->create_sid) {
1835 *_new_isid = tsec->create_sid;
1836 } else {
1837 const struct inode_security_struct *dsec = inode_security(dir);
1838 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1839 name, _new_isid);
1840 }
1841
1842 return 0;
1843 }
1844
1845 /* Check whether a task can create a file. */
1846 static int may_create(struct inode *dir,
1847 struct dentry *dentry,
1848 u16 tclass)
1849 {
1850 const struct task_security_struct *tsec = current_security();
1851 struct inode_security_struct *dsec;
1852 struct superblock_security_struct *sbsec;
1853 u32 sid, newsid;
1854 struct common_audit_data ad;
1855 int rc;
1856
1857 dsec = inode_security(dir);
1858 sbsec = dir->i_sb->s_security;
1859
1860 sid = tsec->sid;
1861
1862 ad.type = LSM_AUDIT_DATA_DENTRY;
1863 ad.u.dentry = dentry;
1864
1865 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1866 DIR__ADD_NAME | DIR__SEARCH,
1867 &ad);
1868 if (rc)
1869 return rc;
1870
1871 rc = selinux_determine_inode_label(current_security(), dir,
1872 &dentry->d_name, tclass, &newsid);
1873 if (rc)
1874 return rc;
1875
1876 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1877 if (rc)
1878 return rc;
1879
1880 return avc_has_perm(newsid, sbsec->sid,
1881 SECCLASS_FILESYSTEM,
1882 FILESYSTEM__ASSOCIATE, &ad);
1883 }
1884
1885 #define MAY_LINK 0
1886 #define MAY_UNLINK 1
1887 #define MAY_RMDIR 2
1888
1889 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1890 static int may_link(struct inode *dir,
1891 struct dentry *dentry,
1892 int kind)
1893
1894 {
1895 struct inode_security_struct *dsec, *isec;
1896 struct common_audit_data ad;
1897 u32 sid = current_sid();
1898 u32 av;
1899 int rc;
1900
1901 dsec = inode_security(dir);
1902 isec = backing_inode_security(dentry);
1903
1904 ad.type = LSM_AUDIT_DATA_DENTRY;
1905 ad.u.dentry = dentry;
1906
1907 av = DIR__SEARCH;
1908 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1909 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1910 if (rc)
1911 return rc;
1912
1913 switch (kind) {
1914 case MAY_LINK:
1915 av = FILE__LINK;
1916 break;
1917 case MAY_UNLINK:
1918 av = FILE__UNLINK;
1919 break;
1920 case MAY_RMDIR:
1921 av = DIR__RMDIR;
1922 break;
1923 default:
1924 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1925 __func__, kind);
1926 return 0;
1927 }
1928
1929 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1930 return rc;
1931 }
1932
1933 static inline int may_rename(struct inode *old_dir,
1934 struct dentry *old_dentry,
1935 struct inode *new_dir,
1936 struct dentry *new_dentry)
1937 {
1938 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1939 struct common_audit_data ad;
1940 u32 sid = current_sid();
1941 u32 av;
1942 int old_is_dir, new_is_dir;
1943 int rc;
1944
1945 old_dsec = inode_security(old_dir);
1946 old_isec = backing_inode_security(old_dentry);
1947 old_is_dir = d_is_dir(old_dentry);
1948 new_dsec = inode_security(new_dir);
1949
1950 ad.type = LSM_AUDIT_DATA_DENTRY;
1951
1952 ad.u.dentry = old_dentry;
1953 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1954 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1955 if (rc)
1956 return rc;
1957 rc = avc_has_perm(sid, old_isec->sid,
1958 old_isec->sclass, FILE__RENAME, &ad);
1959 if (rc)
1960 return rc;
1961 if (old_is_dir && new_dir != old_dir) {
1962 rc = avc_has_perm(sid, old_isec->sid,
1963 old_isec->sclass, DIR__REPARENT, &ad);
1964 if (rc)
1965 return rc;
1966 }
1967
1968 ad.u.dentry = new_dentry;
1969 av = DIR__ADD_NAME | DIR__SEARCH;
1970 if (d_is_positive(new_dentry))
1971 av |= DIR__REMOVE_NAME;
1972 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1973 if (rc)
1974 return rc;
1975 if (d_is_positive(new_dentry)) {
1976 new_isec = backing_inode_security(new_dentry);
1977 new_is_dir = d_is_dir(new_dentry);
1978 rc = avc_has_perm(sid, new_isec->sid,
1979 new_isec->sclass,
1980 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1981 if (rc)
1982 return rc;
1983 }
1984
1985 return 0;
1986 }
1987
1988 /* Check whether a task can perform a filesystem operation. */
1989 static int superblock_has_perm(const struct cred *cred,
1990 struct super_block *sb,
1991 u32 perms,
1992 struct common_audit_data *ad)
1993 {
1994 struct superblock_security_struct *sbsec;
1995 u32 sid = cred_sid(cred);
1996
1997 sbsec = sb->s_security;
1998 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1999 }
2000
2001 /* Convert a Linux mode and permission mask to an access vector. */
2002 static inline u32 file_mask_to_av(int mode, int mask)
2003 {
2004 u32 av = 0;
2005
2006 if (!S_ISDIR(mode)) {
2007 if (mask & MAY_EXEC)
2008 av |= FILE__EXECUTE;
2009 if (mask & MAY_READ)
2010 av |= FILE__READ;
2011
2012 if (mask & MAY_APPEND)
2013 av |= FILE__APPEND;
2014 else if (mask & MAY_WRITE)
2015 av |= FILE__WRITE;
2016
2017 } else {
2018 if (mask & MAY_EXEC)
2019 av |= DIR__SEARCH;
2020 if (mask & MAY_WRITE)
2021 av |= DIR__WRITE;
2022 if (mask & MAY_READ)
2023 av |= DIR__READ;
2024 }
2025
2026 return av;
2027 }
2028
2029 /* Convert a Linux file to an access vector. */
2030 static inline u32 file_to_av(struct file *file)
2031 {
2032 u32 av = 0;
2033
2034 if (file->f_mode & FMODE_READ)
2035 av |= FILE__READ;
2036 if (file->f_mode & FMODE_WRITE) {
2037 if (file->f_flags & O_APPEND)
2038 av |= FILE__APPEND;
2039 else
2040 av |= FILE__WRITE;
2041 }
2042 if (!av) {
2043 /*
2044 * Special file opened with flags 3 for ioctl-only use.
2045 */
2046 av = FILE__IOCTL;
2047 }
2048
2049 return av;
2050 }
2051
2052 /*
2053 * Convert a file to an access vector and include the correct open
2054 * open permission.
2055 */
2056 static inline u32 open_file_to_av(struct file *file)
2057 {
2058 u32 av = file_to_av(file);
2059 struct inode *inode = file_inode(file);
2060
2061 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2062 av |= FILE__OPEN;
2063
2064 return av;
2065 }
2066
2067 /* Hook functions begin here. */
2068
2069 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2070 {
2071 u32 mysid = current_sid();
2072 u32 mgrsid = task_sid(mgr);
2073
2074 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2075 BINDER__SET_CONTEXT_MGR, NULL);
2076 }
2077
2078 static int selinux_binder_transaction(struct task_struct *from,
2079 struct task_struct *to)
2080 {
2081 u32 mysid = current_sid();
2082 u32 fromsid = task_sid(from);
2083 u32 tosid = task_sid(to);
2084 int rc;
2085
2086 if (mysid != fromsid) {
2087 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2088 BINDER__IMPERSONATE, NULL);
2089 if (rc)
2090 return rc;
2091 }
2092
2093 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2094 NULL);
2095 }
2096
2097 static int selinux_binder_transfer_binder(struct task_struct *from,
2098 struct task_struct *to)
2099 {
2100 u32 fromsid = task_sid(from);
2101 u32 tosid = task_sid(to);
2102
2103 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2104 NULL);
2105 }
2106
2107 static int selinux_binder_transfer_file(struct task_struct *from,
2108 struct task_struct *to,
2109 struct file *file)
2110 {
2111 u32 sid = task_sid(to);
2112 struct file_security_struct *fsec = file->f_security;
2113 struct dentry *dentry = file->f_path.dentry;
2114 struct inode_security_struct *isec;
2115 struct common_audit_data ad;
2116 int rc;
2117
2118 ad.type = LSM_AUDIT_DATA_PATH;
2119 ad.u.path = file->f_path;
2120
2121 if (sid != fsec->sid) {
2122 rc = avc_has_perm(sid, fsec->sid,
2123 SECCLASS_FD,
2124 FD__USE,
2125 &ad);
2126 if (rc)
2127 return rc;
2128 }
2129
2130 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2131 return 0;
2132
2133 isec = backing_inode_security(dentry);
2134 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2135 &ad);
2136 }
2137
2138 static int selinux_ptrace_access_check(struct task_struct *child,
2139 unsigned int mode)
2140 {
2141 u32 sid = current_sid();
2142 u32 csid = task_sid(child);
2143
2144 if (mode & PTRACE_MODE_READ)
2145 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2146
2147 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2148 }
2149
2150 static int selinux_ptrace_traceme(struct task_struct *parent)
2151 {
2152 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2153 PROCESS__PTRACE, NULL);
2154 }
2155
2156 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2157 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2158 {
2159 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2160 PROCESS__GETCAP, NULL);
2161 }
2162
2163 static int selinux_capset(struct cred *new, const struct cred *old,
2164 const kernel_cap_t *effective,
2165 const kernel_cap_t *inheritable,
2166 const kernel_cap_t *permitted)
2167 {
2168 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2169 PROCESS__SETCAP, NULL);
2170 }
2171
2172 /*
2173 * (This comment used to live with the selinux_task_setuid hook,
2174 * which was removed).
2175 *
2176 * Since setuid only affects the current process, and since the SELinux
2177 * controls are not based on the Linux identity attributes, SELinux does not
2178 * need to control this operation. However, SELinux does control the use of
2179 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2180 */
2181
2182 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2183 int cap, int audit)
2184 {
2185 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2186 }
2187
2188 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2189 {
2190 const struct cred *cred = current_cred();
2191 int rc = 0;
2192
2193 if (!sb)
2194 return 0;
2195
2196 switch (cmds) {
2197 case Q_SYNC:
2198 case Q_QUOTAON:
2199 case Q_QUOTAOFF:
2200 case Q_SETINFO:
2201 case Q_SETQUOTA:
2202 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2203 break;
2204 case Q_GETFMT:
2205 case Q_GETINFO:
2206 case Q_GETQUOTA:
2207 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2208 break;
2209 default:
2210 rc = 0; /* let the kernel handle invalid cmds */
2211 break;
2212 }
2213 return rc;
2214 }
2215
2216 static int selinux_quota_on(struct dentry *dentry)
2217 {
2218 const struct cred *cred = current_cred();
2219
2220 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2221 }
2222
2223 static int selinux_syslog(int type)
2224 {
2225 switch (type) {
2226 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2227 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2228 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2229 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2230 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2231 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2232 /* Set level of messages printed to console */
2233 case SYSLOG_ACTION_CONSOLE_LEVEL:
2234 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2235 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2236 NULL);
2237 }
2238 /* All other syslog types */
2239 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2240 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2241 }
2242
2243 /*
2244 * Check that a process has enough memory to allocate a new virtual
2245 * mapping. 0 means there is enough memory for the allocation to
2246 * succeed and -ENOMEM implies there is not.
2247 *
2248 * Do not audit the selinux permission check, as this is applied to all
2249 * processes that allocate mappings.
2250 */
2251 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2252 {
2253 int rc, cap_sys_admin = 0;
2254
2255 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2256 SECURITY_CAP_NOAUDIT, true);
2257 if (rc == 0)
2258 cap_sys_admin = 1;
2259
2260 return cap_sys_admin;
2261 }
2262
2263 /* binprm security operations */
2264
2265 static u32 ptrace_parent_sid(void)
2266 {
2267 u32 sid = 0;
2268 struct task_struct *tracer;
2269
2270 rcu_read_lock();
2271 tracer = ptrace_parent(current);
2272 if (tracer)
2273 sid = task_sid(tracer);
2274 rcu_read_unlock();
2275
2276 return sid;
2277 }
2278
2279 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2280 const struct task_security_struct *old_tsec,
2281 const struct task_security_struct *new_tsec)
2282 {
2283 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2284 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2285 int rc;
2286
2287 if (!nnp && !nosuid)
2288 return 0; /* neither NNP nor nosuid */
2289
2290 if (new_tsec->sid == old_tsec->sid)
2291 return 0; /* No change in credentials */
2292
2293 /*
2294 * The only transitions we permit under NNP or nosuid
2295 * are transitions to bounded SIDs, i.e. SIDs that are
2296 * guaranteed to only be allowed a subset of the permissions
2297 * of the current SID.
2298 */
2299 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2300 if (rc) {
2301 /*
2302 * On failure, preserve the errno values for NNP vs nosuid.
2303 * NNP: Operation not permitted for caller.
2304 * nosuid: Permission denied to file.
2305 */
2306 if (nnp)
2307 return -EPERM;
2308 else
2309 return -EACCES;
2310 }
2311 return 0;
2312 }
2313
2314 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2315 {
2316 const struct task_security_struct *old_tsec;
2317 struct task_security_struct *new_tsec;
2318 struct inode_security_struct *isec;
2319 struct common_audit_data ad;
2320 struct inode *inode = file_inode(bprm->file);
2321 int rc;
2322
2323 /* SELinux context only depends on initial program or script and not
2324 * the script interpreter */
2325 if (bprm->cred_prepared)
2326 return 0;
2327
2328 old_tsec = current_security();
2329 new_tsec = bprm->cred->security;
2330 isec = inode_security(inode);
2331
2332 /* Default to the current task SID. */
2333 new_tsec->sid = old_tsec->sid;
2334 new_tsec->osid = old_tsec->sid;
2335
2336 /* Reset fs, key, and sock SIDs on execve. */
2337 new_tsec->create_sid = 0;
2338 new_tsec->keycreate_sid = 0;
2339 new_tsec->sockcreate_sid = 0;
2340
2341 if (old_tsec->exec_sid) {
2342 new_tsec->sid = old_tsec->exec_sid;
2343 /* Reset exec SID on execve. */
2344 new_tsec->exec_sid = 0;
2345
2346 /* Fail on NNP or nosuid if not an allowed transition. */
2347 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2348 if (rc)
2349 return rc;
2350 } else {
2351 /* Check for a default transition on this program. */
2352 rc = security_transition_sid(old_tsec->sid, isec->sid,
2353 SECCLASS_PROCESS, NULL,
2354 &new_tsec->sid);
2355 if (rc)
2356 return rc;
2357
2358 /*
2359 * Fallback to old SID on NNP or nosuid if not an allowed
2360 * transition.
2361 */
2362 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2363 if (rc)
2364 new_tsec->sid = old_tsec->sid;
2365 }
2366
2367 ad.type = LSM_AUDIT_DATA_FILE;
2368 ad.u.file = bprm->file;
2369
2370 if (new_tsec->sid == old_tsec->sid) {
2371 rc = avc_has_perm(old_tsec->sid, isec->sid,
2372 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2373 if (rc)
2374 return rc;
2375 } else {
2376 /* Check permissions for the transition. */
2377 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2378 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2379 if (rc)
2380 return rc;
2381
2382 rc = avc_has_perm(new_tsec->sid, isec->sid,
2383 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2384 if (rc)
2385 return rc;
2386
2387 /* Check for shared state */
2388 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2389 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2390 SECCLASS_PROCESS, PROCESS__SHARE,
2391 NULL);
2392 if (rc)
2393 return -EPERM;
2394 }
2395
2396 /* Make sure that anyone attempting to ptrace over a task that
2397 * changes its SID has the appropriate permit */
2398 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2399 u32 ptsid = ptrace_parent_sid();
2400 if (ptsid != 0) {
2401 rc = avc_has_perm(ptsid, new_tsec->sid,
2402 SECCLASS_PROCESS,
2403 PROCESS__PTRACE, NULL);
2404 if (rc)
2405 return -EPERM;
2406 }
2407 }
2408
2409 /* Clear any possibly unsafe personality bits on exec: */
2410 bprm->per_clear |= PER_CLEAR_ON_SETID;
2411 }
2412
2413 return 0;
2414 }
2415
2416 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2417 {
2418 const struct task_security_struct *tsec = current_security();
2419 u32 sid, osid;
2420 int atsecure = 0;
2421
2422 sid = tsec->sid;
2423 osid = tsec->osid;
2424
2425 if (osid != sid) {
2426 /* Enable secure mode for SIDs transitions unless
2427 the noatsecure permission is granted between
2428 the two SIDs, i.e. ahp returns 0. */
2429 atsecure = avc_has_perm(osid, sid,
2430 SECCLASS_PROCESS,
2431 PROCESS__NOATSECURE, NULL);
2432 }
2433
2434 return !!atsecure;
2435 }
2436
2437 static int match_file(const void *p, struct file *file, unsigned fd)
2438 {
2439 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2440 }
2441
2442 /* Derived from fs/exec.c:flush_old_files. */
2443 static inline void flush_unauthorized_files(const struct cred *cred,
2444 struct files_struct *files)
2445 {
2446 struct file *file, *devnull = NULL;
2447 struct tty_struct *tty;
2448 int drop_tty = 0;
2449 unsigned n;
2450
2451 tty = get_current_tty();
2452 if (tty) {
2453 spin_lock(&tty->files_lock);
2454 if (!list_empty(&tty->tty_files)) {
2455 struct tty_file_private *file_priv;
2456
2457 /* Revalidate access to controlling tty.
2458 Use file_path_has_perm on the tty path directly
2459 rather than using file_has_perm, as this particular
2460 open file may belong to another process and we are
2461 only interested in the inode-based check here. */
2462 file_priv = list_first_entry(&tty->tty_files,
2463 struct tty_file_private, list);
2464 file = file_priv->file;
2465 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2466 drop_tty = 1;
2467 }
2468 spin_unlock(&tty->files_lock);
2469 tty_kref_put(tty);
2470 }
2471 /* Reset controlling tty. */
2472 if (drop_tty)
2473 no_tty();
2474
2475 /* Revalidate access to inherited open files. */
2476 n = iterate_fd(files, 0, match_file, cred);
2477 if (!n) /* none found? */
2478 return;
2479
2480 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2481 if (IS_ERR(devnull))
2482 devnull = NULL;
2483 /* replace all the matching ones with this */
2484 do {
2485 replace_fd(n - 1, devnull, 0);
2486 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2487 if (devnull)
2488 fput(devnull);
2489 }
2490
2491 /*
2492 * Prepare a process for imminent new credential changes due to exec
2493 */
2494 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2495 {
2496 struct task_security_struct *new_tsec;
2497 struct rlimit *rlim, *initrlim;
2498 int rc, i;
2499
2500 new_tsec = bprm->cred->security;
2501 if (new_tsec->sid == new_tsec->osid)
2502 return;
2503
2504 /* Close files for which the new task SID is not authorized. */
2505 flush_unauthorized_files(bprm->cred, current->files);
2506
2507 /* Always clear parent death signal on SID transitions. */
2508 current->pdeath_signal = 0;
2509
2510 /* Check whether the new SID can inherit resource limits from the old
2511 * SID. If not, reset all soft limits to the lower of the current
2512 * task's hard limit and the init task's soft limit.
2513 *
2514 * Note that the setting of hard limits (even to lower them) can be
2515 * controlled by the setrlimit check. The inclusion of the init task's
2516 * soft limit into the computation is to avoid resetting soft limits
2517 * higher than the default soft limit for cases where the default is
2518 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2519 */
2520 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2521 PROCESS__RLIMITINH, NULL);
2522 if (rc) {
2523 /* protect against do_prlimit() */
2524 task_lock(current);
2525 for (i = 0; i < RLIM_NLIMITS; i++) {
2526 rlim = current->signal->rlim + i;
2527 initrlim = init_task.signal->rlim + i;
2528 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2529 }
2530 task_unlock(current);
2531 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2532 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2533 }
2534 }
2535
2536 /*
2537 * Clean up the process immediately after the installation of new credentials
2538 * due to exec
2539 */
2540 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2541 {
2542 const struct task_security_struct *tsec = current_security();
2543 struct itimerval itimer;
2544 u32 osid, sid;
2545 int rc, i;
2546
2547 osid = tsec->osid;
2548 sid = tsec->sid;
2549
2550 if (sid == osid)
2551 return;
2552
2553 /* Check whether the new SID can inherit signal state from the old SID.
2554 * If not, clear itimers to avoid subsequent signal generation and
2555 * flush and unblock signals.
2556 *
2557 * This must occur _after_ the task SID has been updated so that any
2558 * kill done after the flush will be checked against the new SID.
2559 */
2560 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2561 if (rc) {
2562 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2563 memset(&itimer, 0, sizeof itimer);
2564 for (i = 0; i < 3; i++)
2565 do_setitimer(i, &itimer, NULL);
2566 }
2567 spin_lock_irq(&current->sighand->siglock);
2568 if (!fatal_signal_pending(current)) {
2569 flush_sigqueue(&current->pending);
2570 flush_sigqueue(&current->signal->shared_pending);
2571 flush_signal_handlers(current, 1);
2572 sigemptyset(&current->blocked);
2573 recalc_sigpending();
2574 }
2575 spin_unlock_irq(&current->sighand->siglock);
2576 }
2577
2578 /* Wake up the parent if it is waiting so that it can recheck
2579 * wait permission to the new task SID. */
2580 read_lock(&tasklist_lock);
2581 __wake_up_parent(current, current->real_parent);
2582 read_unlock(&tasklist_lock);
2583 }
2584
2585 /* superblock security operations */
2586
2587 static int selinux_sb_alloc_security(struct super_block *sb)
2588 {
2589 return superblock_alloc_security(sb);
2590 }
2591
2592 static void selinux_sb_free_security(struct super_block *sb)
2593 {
2594 superblock_free_security(sb);
2595 }
2596
2597 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2598 {
2599 if (plen > olen)
2600 return 0;
2601
2602 return !memcmp(prefix, option, plen);
2603 }
2604
2605 static inline int selinux_option(char *option, int len)
2606 {
2607 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2608 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2609 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2610 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2611 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2612 }
2613
2614 static inline void take_option(char **to, char *from, int *first, int len)
2615 {
2616 if (!*first) {
2617 **to = ',';
2618 *to += 1;
2619 } else
2620 *first = 0;
2621 memcpy(*to, from, len);
2622 *to += len;
2623 }
2624
2625 static inline void take_selinux_option(char **to, char *from, int *first,
2626 int len)
2627 {
2628 int current_size = 0;
2629
2630 if (!*first) {
2631 **to = '|';
2632 *to += 1;
2633 } else
2634 *first = 0;
2635
2636 while (current_size < len) {
2637 if (*from != '"') {
2638 **to = *from;
2639 *to += 1;
2640 }
2641 from += 1;
2642 current_size += 1;
2643 }
2644 }
2645
2646 static int selinux_sb_copy_data(char *orig, char *copy)
2647 {
2648 int fnosec, fsec, rc = 0;
2649 char *in_save, *in_curr, *in_end;
2650 char *sec_curr, *nosec_save, *nosec;
2651 int open_quote = 0;
2652
2653 in_curr = orig;
2654 sec_curr = copy;
2655
2656 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2657 if (!nosec) {
2658 rc = -ENOMEM;
2659 goto out;
2660 }
2661
2662 nosec_save = nosec;
2663 fnosec = fsec = 1;
2664 in_save = in_end = orig;
2665
2666 do {
2667 if (*in_end == '"')
2668 open_quote = !open_quote;
2669 if ((*in_end == ',' && open_quote == 0) ||
2670 *in_end == '\0') {
2671 int len = in_end - in_curr;
2672
2673 if (selinux_option(in_curr, len))
2674 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2675 else
2676 take_option(&nosec, in_curr, &fnosec, len);
2677
2678 in_curr = in_end + 1;
2679 }
2680 } while (*in_end++);
2681
2682 strcpy(in_save, nosec_save);
2683 free_page((unsigned long)nosec_save);
2684 out:
2685 return rc;
2686 }
2687
2688 static int selinux_sb_remount(struct super_block *sb, void *data)
2689 {
2690 int rc, i, *flags;
2691 struct security_mnt_opts opts;
2692 char *secdata, **mount_options;
2693 struct superblock_security_struct *sbsec = sb->s_security;
2694
2695 if (!(sbsec->flags & SE_SBINITIALIZED))
2696 return 0;
2697
2698 if (!data)
2699 return 0;
2700
2701 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2702 return 0;
2703
2704 security_init_mnt_opts(&opts);
2705 secdata = alloc_secdata();
2706 if (!secdata)
2707 return -ENOMEM;
2708 rc = selinux_sb_copy_data(data, secdata);
2709 if (rc)
2710 goto out_free_secdata;
2711
2712 rc = selinux_parse_opts_str(secdata, &opts);
2713 if (rc)
2714 goto out_free_secdata;
2715
2716 mount_options = opts.mnt_opts;
2717 flags = opts.mnt_opts_flags;
2718
2719 for (i = 0; i < opts.num_mnt_opts; i++) {
2720 u32 sid;
2721
2722 if (flags[i] == SBLABEL_MNT)
2723 continue;
2724 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2725 if (rc) {
2726 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2727 "(%s) failed for (dev %s, type %s) errno=%d\n",
2728 mount_options[i], sb->s_id, sb->s_type->name, rc);
2729 goto out_free_opts;
2730 }
2731 rc = -EINVAL;
2732 switch (flags[i]) {
2733 case FSCONTEXT_MNT:
2734 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2735 goto out_bad_option;
2736 break;
2737 case CONTEXT_MNT:
2738 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2739 goto out_bad_option;
2740 break;
2741 case ROOTCONTEXT_MNT: {
2742 struct inode_security_struct *root_isec;
2743 root_isec = backing_inode_security(sb->s_root);
2744
2745 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2746 goto out_bad_option;
2747 break;
2748 }
2749 case DEFCONTEXT_MNT:
2750 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2751 goto out_bad_option;
2752 break;
2753 default:
2754 goto out_free_opts;
2755 }
2756 }
2757
2758 rc = 0;
2759 out_free_opts:
2760 security_free_mnt_opts(&opts);
2761 out_free_secdata:
2762 free_secdata(secdata);
2763 return rc;
2764 out_bad_option:
2765 printk(KERN_WARNING "SELinux: unable to change security options "
2766 "during remount (dev %s, type=%s)\n", sb->s_id,
2767 sb->s_type->name);
2768 goto out_free_opts;
2769 }
2770
2771 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2772 {
2773 const struct cred *cred = current_cred();
2774 struct common_audit_data ad;
2775 int rc;
2776
2777 rc = superblock_doinit(sb, data);
2778 if (rc)
2779 return rc;
2780
2781 /* Allow all mounts performed by the kernel */
2782 if (flags & MS_KERNMOUNT)
2783 return 0;
2784
2785 ad.type = LSM_AUDIT_DATA_DENTRY;
2786 ad.u.dentry = sb->s_root;
2787 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2788 }
2789
2790 static int selinux_sb_statfs(struct dentry *dentry)
2791 {
2792 const struct cred *cred = current_cred();
2793 struct common_audit_data ad;
2794
2795 ad.type = LSM_AUDIT_DATA_DENTRY;
2796 ad.u.dentry = dentry->d_sb->s_root;
2797 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2798 }
2799
2800 static int selinux_mount(const char *dev_name,
2801 const struct path *path,
2802 const char *type,
2803 unsigned long flags,
2804 void *data)
2805 {
2806 const struct cred *cred = current_cred();
2807
2808 if (flags & MS_REMOUNT)
2809 return superblock_has_perm(cred, path->dentry->d_sb,
2810 FILESYSTEM__REMOUNT, NULL);
2811 else
2812 return path_has_perm(cred, path, FILE__MOUNTON);
2813 }
2814
2815 static int selinux_umount(struct vfsmount *mnt, int flags)
2816 {
2817 const struct cred *cred = current_cred();
2818
2819 return superblock_has_perm(cred, mnt->mnt_sb,
2820 FILESYSTEM__UNMOUNT, NULL);
2821 }
2822
2823 /* inode security operations */
2824
2825 static int selinux_inode_alloc_security(struct inode *inode)
2826 {
2827 return inode_alloc_security(inode);
2828 }
2829
2830 static void selinux_inode_free_security(struct inode *inode)
2831 {
2832 inode_free_security(inode);
2833 }
2834
2835 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2836 const struct qstr *name, void **ctx,
2837 u32 *ctxlen)
2838 {
2839 u32 newsid;
2840 int rc;
2841
2842 rc = selinux_determine_inode_label(current_security(),
2843 d_inode(dentry->d_parent), name,
2844 inode_mode_to_security_class(mode),
2845 &newsid);
2846 if (rc)
2847 return rc;
2848
2849 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2850 }
2851
2852 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2853 struct qstr *name,
2854 const struct cred *old,
2855 struct cred *new)
2856 {
2857 u32 newsid;
2858 int rc;
2859 struct task_security_struct *tsec;
2860
2861 rc = selinux_determine_inode_label(old->security,
2862 d_inode(dentry->d_parent), name,
2863 inode_mode_to_security_class(mode),
2864 &newsid);
2865 if (rc)
2866 return rc;
2867
2868 tsec = new->security;
2869 tsec->create_sid = newsid;
2870 return 0;
2871 }
2872
2873 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2874 const struct qstr *qstr,
2875 const char **name,
2876 void **value, size_t *len)
2877 {
2878 const struct task_security_struct *tsec = current_security();
2879 struct superblock_security_struct *sbsec;
2880 u32 sid, newsid, clen;
2881 int rc;
2882 char *context;
2883
2884 sbsec = dir->i_sb->s_security;
2885
2886 sid = tsec->sid;
2887 newsid = tsec->create_sid;
2888
2889 rc = selinux_determine_inode_label(current_security(),
2890 dir, qstr,
2891 inode_mode_to_security_class(inode->i_mode),
2892 &newsid);
2893 if (rc)
2894 return rc;
2895
2896 /* Possibly defer initialization to selinux_complete_init. */
2897 if (sbsec->flags & SE_SBINITIALIZED) {
2898 struct inode_security_struct *isec = inode->i_security;
2899 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2900 isec->sid = newsid;
2901 isec->initialized = LABEL_INITIALIZED;
2902 }
2903
2904 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2905 return -EOPNOTSUPP;
2906
2907 if (name)
2908 *name = XATTR_SELINUX_SUFFIX;
2909
2910 if (value && len) {
2911 rc = security_sid_to_context_force(newsid, &context, &clen);
2912 if (rc)
2913 return rc;
2914 *value = context;
2915 *len = clen;
2916 }
2917
2918 return 0;
2919 }
2920
2921 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2922 {
2923 return may_create(dir, dentry, SECCLASS_FILE);
2924 }
2925
2926 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2927 {
2928 return may_link(dir, old_dentry, MAY_LINK);
2929 }
2930
2931 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2932 {
2933 return may_link(dir, dentry, MAY_UNLINK);
2934 }
2935
2936 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2937 {
2938 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2939 }
2940
2941 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2942 {
2943 return may_create(dir, dentry, SECCLASS_DIR);
2944 }
2945
2946 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2947 {
2948 return may_link(dir, dentry, MAY_RMDIR);
2949 }
2950
2951 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2952 {
2953 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2954 }
2955
2956 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2957 struct inode *new_inode, struct dentry *new_dentry)
2958 {
2959 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2960 }
2961
2962 static int selinux_inode_readlink(struct dentry *dentry)
2963 {
2964 const struct cred *cred = current_cred();
2965
2966 return dentry_has_perm(cred, dentry, FILE__READ);
2967 }
2968
2969 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2970 bool rcu)
2971 {
2972 const struct cred *cred = current_cred();
2973 struct common_audit_data ad;
2974 struct inode_security_struct *isec;
2975 u32 sid;
2976
2977 validate_creds(cred);
2978
2979 ad.type = LSM_AUDIT_DATA_DENTRY;
2980 ad.u.dentry = dentry;
2981 sid = cred_sid(cred);
2982 isec = inode_security_rcu(inode, rcu);
2983 if (IS_ERR(isec))
2984 return PTR_ERR(isec);
2985
2986 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2987 rcu ? MAY_NOT_BLOCK : 0);
2988 }
2989
2990 static noinline int audit_inode_permission(struct inode *inode,
2991 u32 perms, u32 audited, u32 denied,
2992 int result,
2993 unsigned flags)
2994 {
2995 struct common_audit_data ad;
2996 struct inode_security_struct *isec = inode->i_security;
2997 int rc;
2998
2999 ad.type = LSM_AUDIT_DATA_INODE;
3000 ad.u.inode = inode;
3001
3002 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3003 audited, denied, result, &ad, flags);
3004 if (rc)
3005 return rc;
3006 return 0;
3007 }
3008
3009 static int selinux_inode_permission(struct inode *inode, int mask)
3010 {
3011 const struct cred *cred = current_cred();
3012 u32 perms;
3013 bool from_access;
3014 unsigned flags = mask & MAY_NOT_BLOCK;
3015 struct inode_security_struct *isec;
3016 u32 sid;
3017 struct av_decision avd;
3018 int rc, rc2;
3019 u32 audited, denied;
3020
3021 from_access = mask & MAY_ACCESS;
3022 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3023
3024 /* No permission to check. Existence test. */
3025 if (!mask)
3026 return 0;
3027
3028 validate_creds(cred);
3029
3030 if (unlikely(IS_PRIVATE(inode)))
3031 return 0;
3032
3033 perms = file_mask_to_av(inode->i_mode, mask);
3034
3035 sid = cred_sid(cred);
3036 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3037 if (IS_ERR(isec))
3038 return PTR_ERR(isec);
3039
3040 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3041 audited = avc_audit_required(perms, &avd, rc,
3042 from_access ? FILE__AUDIT_ACCESS : 0,
3043 &denied);
3044 if (likely(!audited))
3045 return rc;
3046
3047 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3048 if (rc2)
3049 return rc2;
3050 return rc;
3051 }
3052
3053 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3054 {
3055 const struct cred *cred = current_cred();
3056 struct inode *inode = d_backing_inode(dentry);
3057 unsigned int ia_valid = iattr->ia_valid;
3058 __u32 av = FILE__WRITE;
3059
3060 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3061 if (ia_valid & ATTR_FORCE) {
3062 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3063 ATTR_FORCE);
3064 if (!ia_valid)
3065 return 0;
3066 }
3067
3068 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3069 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3070 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3071
3072 if (selinux_policycap_openperm &&
3073 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3074 (ia_valid & ATTR_SIZE) &&
3075 !(ia_valid & ATTR_FILE))
3076 av |= FILE__OPEN;
3077
3078 return dentry_has_perm(cred, dentry, av);
3079 }
3080
3081 static int selinux_inode_getattr(const struct path *path)
3082 {
3083 return path_has_perm(current_cred(), path, FILE__GETATTR);
3084 }
3085
3086 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3087 {
3088 const struct cred *cred = current_cred();
3089
3090 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3091 sizeof XATTR_SECURITY_PREFIX - 1)) {
3092 if (!strcmp(name, XATTR_NAME_CAPS)) {
3093 if (!capable(CAP_SETFCAP))
3094 return -EPERM;
3095 } else if (!capable(CAP_SYS_ADMIN)) {
3096 /* A different attribute in the security namespace.
3097 Restrict to administrator. */
3098 return -EPERM;
3099 }
3100 }
3101
3102 /* Not an attribute we recognize, so just check the
3103 ordinary setattr permission. */
3104 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3105 }
3106
3107 static bool has_cap_mac_admin(bool audit)
3108 {
3109 const struct cred *cred = current_cred();
3110 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3111
3112 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3113 return false;
3114 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3115 return false;
3116 return true;
3117 }
3118
3119 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3120 const void *value, size_t size, int flags)
3121 {
3122 struct inode *inode = d_backing_inode(dentry);
3123 struct inode_security_struct *isec;
3124 struct superblock_security_struct *sbsec;
3125 struct common_audit_data ad;
3126 u32 newsid, sid = current_sid();
3127 int rc = 0;
3128
3129 if (strcmp(name, XATTR_NAME_SELINUX))
3130 return selinux_inode_setotherxattr(dentry, name);
3131
3132 sbsec = inode->i_sb->s_security;
3133 if (!(sbsec->flags & SBLABEL_MNT))
3134 return -EOPNOTSUPP;
3135
3136 if (!inode_owner_or_capable(inode))
3137 return -EPERM;
3138
3139 ad.type = LSM_AUDIT_DATA_DENTRY;
3140 ad.u.dentry = dentry;
3141
3142 isec = backing_inode_security(dentry);
3143 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3144 FILE__RELABELFROM, &ad);
3145 if (rc)
3146 return rc;
3147
3148 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3149 if (rc == -EINVAL) {
3150 if (!has_cap_mac_admin(true)) {
3151 struct audit_buffer *ab;
3152 size_t audit_size;
3153 const char *str;
3154
3155 /* We strip a nul only if it is at the end, otherwise the
3156 * context contains a nul and we should audit that */
3157 if (value) {
3158 str = value;
3159 if (str[size - 1] == '\0')
3160 audit_size = size - 1;
3161 else
3162 audit_size = size;
3163 } else {
3164 str = "";
3165 audit_size = 0;
3166 }
3167 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3168 audit_log_format(ab, "op=setxattr invalid_context=");
3169 audit_log_n_untrustedstring(ab, value, audit_size);
3170 audit_log_end(ab);
3171
3172 return rc;
3173 }
3174 rc = security_context_to_sid_force(value, size, &newsid);
3175 }
3176 if (rc)
3177 return rc;
3178
3179 rc = avc_has_perm(sid, newsid, isec->sclass,
3180 FILE__RELABELTO, &ad);
3181 if (rc)
3182 return rc;
3183
3184 rc = security_validate_transition(isec->sid, newsid, sid,
3185 isec->sclass);
3186 if (rc)
3187 return rc;
3188
3189 return avc_has_perm(newsid,
3190 sbsec->sid,
3191 SECCLASS_FILESYSTEM,
3192 FILESYSTEM__ASSOCIATE,
3193 &ad);
3194 }
3195
3196 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3197 const void *value, size_t size,
3198 int flags)
3199 {
3200 struct inode *inode = d_backing_inode(dentry);
3201 struct inode_security_struct *isec;
3202 u32 newsid;
3203 int rc;
3204
3205 if (strcmp(name, XATTR_NAME_SELINUX)) {
3206 /* Not an attribute we recognize, so nothing to do. */
3207 return;
3208 }
3209
3210 rc = security_context_to_sid_force(value, size, &newsid);
3211 if (rc) {
3212 printk(KERN_ERR "SELinux: unable to map context to SID"
3213 "for (%s, %lu), rc=%d\n",
3214 inode->i_sb->s_id, inode->i_ino, -rc);
3215 return;
3216 }
3217
3218 isec = backing_inode_security(dentry);
3219 spin_lock(&isec->lock);
3220 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3221 isec->sid = newsid;
3222 isec->initialized = LABEL_INITIALIZED;
3223 spin_unlock(&isec->lock);
3224
3225 return;
3226 }
3227
3228 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3229 {
3230 const struct cred *cred = current_cred();
3231
3232 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3233 }
3234
3235 static int selinux_inode_listxattr(struct dentry *dentry)
3236 {
3237 const struct cred *cred = current_cred();
3238
3239 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3240 }
3241
3242 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3243 {
3244 if (strcmp(name, XATTR_NAME_SELINUX))
3245 return selinux_inode_setotherxattr(dentry, name);
3246
3247 /* No one is allowed to remove a SELinux security label.
3248 You can change the label, but all data must be labeled. */
3249 return -EACCES;
3250 }
3251
3252 /*
3253 * Copy the inode security context value to the user.
3254 *
3255 * Permission check is handled by selinux_inode_getxattr hook.
3256 */
3257 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3258 {
3259 u32 size;
3260 int error;
3261 char *context = NULL;
3262 struct inode_security_struct *isec;
3263
3264 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3265 return -EOPNOTSUPP;
3266
3267 /*
3268 * If the caller has CAP_MAC_ADMIN, then get the raw context
3269 * value even if it is not defined by current policy; otherwise,
3270 * use the in-core value under current policy.
3271 * Use the non-auditing forms of the permission checks since
3272 * getxattr may be called by unprivileged processes commonly
3273 * and lack of permission just means that we fall back to the
3274 * in-core context value, not a denial.
3275 */
3276 isec = inode_security(inode);
3277 if (has_cap_mac_admin(false))
3278 error = security_sid_to_context_force(isec->sid, &context,
3279 &size);
3280 else
3281 error = security_sid_to_context(isec->sid, &context, &size);
3282 if (error)
3283 return error;
3284 error = size;
3285 if (alloc) {
3286 *buffer = context;
3287 goto out_nofree;
3288 }
3289 kfree(context);
3290 out_nofree:
3291 return error;
3292 }
3293
3294 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3295 const void *value, size_t size, int flags)
3296 {
3297 struct inode_security_struct *isec = inode_security_novalidate(inode);
3298 u32 newsid;
3299 int rc;
3300
3301 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3302 return -EOPNOTSUPP;
3303
3304 if (!value || !size)
3305 return -EACCES;
3306
3307 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3308 if (rc)
3309 return rc;
3310
3311 spin_lock(&isec->lock);
3312 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3313 isec->sid = newsid;
3314 isec->initialized = LABEL_INITIALIZED;
3315 spin_unlock(&isec->lock);
3316 return 0;
3317 }
3318
3319 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3320 {
3321 const int len = sizeof(XATTR_NAME_SELINUX);
3322 if (buffer && len <= buffer_size)
3323 memcpy(buffer, XATTR_NAME_SELINUX, len);
3324 return len;
3325 }
3326
3327 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3328 {
3329 struct inode_security_struct *isec = inode_security_novalidate(inode);
3330 *secid = isec->sid;
3331 }
3332
3333 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3334 {
3335 u32 sid;
3336 struct task_security_struct *tsec;
3337 struct cred *new_creds = *new;
3338
3339 if (new_creds == NULL) {
3340 new_creds = prepare_creds();
3341 if (!new_creds)
3342 return -ENOMEM;
3343 }
3344
3345 tsec = new_creds->security;
3346 /* Get label from overlay inode and set it in create_sid */
3347 selinux_inode_getsecid(d_inode(src), &sid);
3348 tsec->create_sid = sid;
3349 *new = new_creds;
3350 return 0;
3351 }
3352
3353 static int selinux_inode_copy_up_xattr(const char *name)
3354 {
3355 /* The copy_up hook above sets the initial context on an inode, but we
3356 * don't then want to overwrite it by blindly copying all the lower
3357 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3358 */
3359 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3360 return 1; /* Discard */
3361 /*
3362 * Any other attribute apart from SELINUX is not claimed, supported
3363 * by selinux.
3364 */
3365 return -EOPNOTSUPP;
3366 }
3367
3368 /* file security operations */
3369
3370 static int selinux_revalidate_file_permission(struct file *file, int mask)
3371 {
3372 const struct cred *cred = current_cred();
3373 struct inode *inode = file_inode(file);
3374
3375 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3376 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3377 mask |= MAY_APPEND;
3378
3379 return file_has_perm(cred, file,
3380 file_mask_to_av(inode->i_mode, mask));
3381 }
3382
3383 static int selinux_file_permission(struct file *file, int mask)
3384 {
3385 struct inode *inode = file_inode(file);
3386 struct file_security_struct *fsec = file->f_security;
3387 struct inode_security_struct *isec;
3388 u32 sid = current_sid();
3389
3390 if (!mask)
3391 /* No permission to check. Existence test. */
3392 return 0;
3393
3394 isec = inode_security(inode);
3395 if (sid == fsec->sid && fsec->isid == isec->sid &&
3396 fsec->pseqno == avc_policy_seqno())
3397 /* No change since file_open check. */
3398 return 0;
3399
3400 return selinux_revalidate_file_permission(file, mask);
3401 }
3402
3403 static int selinux_file_alloc_security(struct file *file)
3404 {
3405 return file_alloc_security(file);
3406 }
3407
3408 static void selinux_file_free_security(struct file *file)
3409 {
3410 file_free_security(file);
3411 }
3412
3413 /*
3414 * Check whether a task has the ioctl permission and cmd
3415 * operation to an inode.
3416 */
3417 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3418 u32 requested, u16 cmd)
3419 {
3420 struct common_audit_data ad;
3421 struct file_security_struct *fsec = file->f_security;
3422 struct inode *inode = file_inode(file);
3423 struct inode_security_struct *isec;
3424 struct lsm_ioctlop_audit ioctl;
3425 u32 ssid = cred_sid(cred);
3426 int rc;
3427 u8 driver = cmd >> 8;
3428 u8 xperm = cmd & 0xff;
3429
3430 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3431 ad.u.op = &ioctl;
3432 ad.u.op->cmd = cmd;
3433 ad.u.op->path = file->f_path;
3434
3435 if (ssid != fsec->sid) {
3436 rc = avc_has_perm(ssid, fsec->sid,
3437 SECCLASS_FD,
3438 FD__USE,
3439 &ad);
3440 if (rc)
3441 goto out;
3442 }
3443
3444 if (unlikely(IS_PRIVATE(inode)))
3445 return 0;
3446
3447 isec = inode_security(inode);
3448 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3449 requested, driver, xperm, &ad);
3450 out:
3451 return rc;
3452 }
3453
3454 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3455 unsigned long arg)
3456 {
3457 const struct cred *cred = current_cred();
3458 int error = 0;
3459
3460 switch (cmd) {
3461 case FIONREAD:
3462 /* fall through */
3463 case FIBMAP:
3464 /* fall through */
3465 case FIGETBSZ:
3466 /* fall through */
3467 case FS_IOC_GETFLAGS:
3468 /* fall through */
3469 case FS_IOC_GETVERSION:
3470 error = file_has_perm(cred, file, FILE__GETATTR);
3471 break;
3472
3473 case FS_IOC_SETFLAGS:
3474 /* fall through */
3475 case FS_IOC_SETVERSION:
3476 error = file_has_perm(cred, file, FILE__SETATTR);
3477 break;
3478
3479 /* sys_ioctl() checks */
3480 case FIONBIO:
3481 /* fall through */
3482 case FIOASYNC:
3483 error = file_has_perm(cred, file, 0);
3484 break;
3485
3486 case KDSKBENT:
3487 case KDSKBSENT:
3488 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3489 SECURITY_CAP_AUDIT, true);
3490 break;
3491
3492 /* default case assumes that the command will go
3493 * to the file's ioctl() function.
3494 */
3495 default:
3496 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3497 }
3498 return error;
3499 }
3500
3501 static int default_noexec;
3502
3503 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3504 {
3505 const struct cred *cred = current_cred();
3506 u32 sid = cred_sid(cred);
3507 int rc = 0;
3508
3509 if (default_noexec &&
3510 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3511 (!shared && (prot & PROT_WRITE)))) {
3512 /*
3513 * We are making executable an anonymous mapping or a
3514 * private file mapping that will also be writable.
3515 * This has an additional check.
3516 */
3517 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3518 PROCESS__EXECMEM, NULL);
3519 if (rc)
3520 goto error;
3521 }
3522
3523 if (file) {
3524 /* read access is always possible with a mapping */
3525 u32 av = FILE__READ;
3526
3527 /* write access only matters if the mapping is shared */
3528 if (shared && (prot & PROT_WRITE))
3529 av |= FILE__WRITE;
3530
3531 if (prot & PROT_EXEC)
3532 av |= FILE__EXECUTE;
3533
3534 return file_has_perm(cred, file, av);
3535 }
3536
3537 error:
3538 return rc;
3539 }
3540
3541 static int selinux_mmap_addr(unsigned long addr)
3542 {
3543 int rc = 0;
3544
3545 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3546 u32 sid = current_sid();
3547 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3548 MEMPROTECT__MMAP_ZERO, NULL);
3549 }
3550
3551 return rc;
3552 }
3553
3554 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3555 unsigned long prot, unsigned long flags)
3556 {
3557 struct common_audit_data ad;
3558 int rc;
3559
3560 if (file) {
3561 ad.type = LSM_AUDIT_DATA_FILE;
3562 ad.u.file = file;
3563 rc = inode_has_perm(current_cred(), file_inode(file),
3564 FILE__MAP, &ad);
3565 if (rc)
3566 return rc;
3567 }
3568
3569 if (selinux_checkreqprot)
3570 prot = reqprot;
3571
3572 return file_map_prot_check(file, prot,
3573 (flags & MAP_TYPE) == MAP_SHARED);
3574 }
3575
3576 static int selinux_file_mprotect(struct vm_area_struct *vma,
3577 unsigned long reqprot,
3578 unsigned long prot)
3579 {
3580 const struct cred *cred = current_cred();
3581 u32 sid = cred_sid(cred);
3582
3583 if (selinux_checkreqprot)
3584 prot = reqprot;
3585
3586 if (default_noexec &&
3587 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3588 int rc = 0;
3589 if (vma->vm_start >= vma->vm_mm->start_brk &&
3590 vma->vm_end <= vma->vm_mm->brk) {
3591 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3592 PROCESS__EXECHEAP, NULL);
3593 } else if (!vma->vm_file &&
3594 ((vma->vm_start <= vma->vm_mm->start_stack &&
3595 vma->vm_end >= vma->vm_mm->start_stack) ||
3596 vma_is_stack_for_current(vma))) {
3597 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3598 PROCESS__EXECSTACK, NULL);
3599 } else if (vma->vm_file && vma->anon_vma) {
3600 /*
3601 * We are making executable a file mapping that has
3602 * had some COW done. Since pages might have been
3603 * written, check ability to execute the possibly
3604 * modified content. This typically should only
3605 * occur for text relocations.
3606 */
3607 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3608 }
3609 if (rc)
3610 return rc;
3611 }
3612
3613 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3614 }
3615
3616 static int selinux_file_lock(struct file *file, unsigned int cmd)
3617 {
3618 const struct cred *cred = current_cred();
3619
3620 return file_has_perm(cred, file, FILE__LOCK);
3621 }
3622
3623 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3624 unsigned long arg)
3625 {
3626 const struct cred *cred = current_cred();
3627 int err = 0;
3628
3629 switch (cmd) {
3630 case F_SETFL:
3631 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3632 err = file_has_perm(cred, file, FILE__WRITE);
3633 break;
3634 }
3635 /* fall through */
3636 case F_SETOWN:
3637 case F_SETSIG:
3638 case F_GETFL:
3639 case F_GETOWN:
3640 case F_GETSIG:
3641 case F_GETOWNER_UIDS:
3642 /* Just check FD__USE permission */
3643 err = file_has_perm(cred, file, 0);
3644 break;
3645 case F_GETLK:
3646 case F_SETLK:
3647 case F_SETLKW:
3648 case F_OFD_GETLK:
3649 case F_OFD_SETLK:
3650 case F_OFD_SETLKW:
3651 #if BITS_PER_LONG == 32
3652 case F_GETLK64:
3653 case F_SETLK64:
3654 case F_SETLKW64:
3655 #endif
3656 err = file_has_perm(cred, file, FILE__LOCK);
3657 break;
3658 }
3659
3660 return err;
3661 }
3662
3663 static void selinux_file_set_fowner(struct file *file)
3664 {
3665 struct file_security_struct *fsec;
3666
3667 fsec = file->f_security;
3668 fsec->fown_sid = current_sid();
3669 }
3670
3671 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3672 struct fown_struct *fown, int signum)
3673 {
3674 struct file *file;
3675 u32 sid = task_sid(tsk);
3676 u32 perm;
3677 struct file_security_struct *fsec;
3678
3679 /* struct fown_struct is never outside the context of a struct file */
3680 file = container_of(fown, struct file, f_owner);
3681
3682 fsec = file->f_security;
3683
3684 if (!signum)
3685 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3686 else
3687 perm = signal_to_av(signum);
3688
3689 return avc_has_perm(fsec->fown_sid, sid,
3690 SECCLASS_PROCESS, perm, NULL);
3691 }
3692
3693 static int selinux_file_receive(struct file *file)
3694 {
3695 const struct cred *cred = current_cred();
3696
3697 return file_has_perm(cred, file, file_to_av(file));
3698 }
3699
3700 static int selinux_file_open(struct file *file, const struct cred *cred)
3701 {
3702 struct file_security_struct *fsec;
3703 struct inode_security_struct *isec;
3704
3705 fsec = file->f_security;
3706 isec = inode_security(file_inode(file));
3707 /*
3708 * Save inode label and policy sequence number
3709 * at open-time so that selinux_file_permission
3710 * can determine whether revalidation is necessary.
3711 * Task label is already saved in the file security
3712 * struct as its SID.
3713 */
3714 fsec->isid = isec->sid;
3715 fsec->pseqno = avc_policy_seqno();
3716 /*
3717 * Since the inode label or policy seqno may have changed
3718 * between the selinux_inode_permission check and the saving
3719 * of state above, recheck that access is still permitted.
3720 * Otherwise, access might never be revalidated against the
3721 * new inode label or new policy.
3722 * This check is not redundant - do not remove.
3723 */
3724 return file_path_has_perm(cred, file, open_file_to_av(file));
3725 }
3726
3727 /* task security operations */
3728
3729 static int selinux_task_alloc(struct task_struct *task,
3730 unsigned long clone_flags)
3731 {
3732 u32 sid = current_sid();
3733
3734 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3735 }
3736
3737 /*
3738 * allocate the SELinux part of blank credentials
3739 */
3740 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3741 {
3742 struct task_security_struct *tsec;
3743
3744 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3745 if (!tsec)
3746 return -ENOMEM;
3747
3748 cred->security = tsec;
3749 return 0;
3750 }
3751
3752 /*
3753 * detach and free the LSM part of a set of credentials
3754 */
3755 static void selinux_cred_free(struct cred *cred)
3756 {
3757 struct task_security_struct *tsec = cred->security;
3758
3759 /*
3760 * cred->security == NULL if security_cred_alloc_blank() or
3761 * security_prepare_creds() returned an error.
3762 */
3763 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3764 cred->security = (void *) 0x7UL;
3765 kfree(tsec);
3766 }
3767
3768 /*
3769 * prepare a new set of credentials for modification
3770 */
3771 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3772 gfp_t gfp)
3773 {
3774 const struct task_security_struct *old_tsec;
3775 struct task_security_struct *tsec;
3776
3777 old_tsec = old->security;
3778
3779 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3780 if (!tsec)
3781 return -ENOMEM;
3782
3783 new->security = tsec;
3784 return 0;
3785 }
3786
3787 /*
3788 * transfer the SELinux data to a blank set of creds
3789 */
3790 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3791 {
3792 const struct task_security_struct *old_tsec = old->security;
3793 struct task_security_struct *tsec = new->security;
3794
3795 *tsec = *old_tsec;
3796 }
3797
3798 /*
3799 * set the security data for a kernel service
3800 * - all the creation contexts are set to unlabelled
3801 */
3802 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3803 {
3804 struct task_security_struct *tsec = new->security;
3805 u32 sid = current_sid();
3806 int ret;
3807
3808 ret = avc_has_perm(sid, secid,
3809 SECCLASS_KERNEL_SERVICE,
3810 KERNEL_SERVICE__USE_AS_OVERRIDE,
3811 NULL);
3812 if (ret == 0) {
3813 tsec->sid = secid;
3814 tsec->create_sid = 0;
3815 tsec->keycreate_sid = 0;
3816 tsec->sockcreate_sid = 0;
3817 }
3818 return ret;
3819 }
3820
3821 /*
3822 * set the file creation context in a security record to the same as the
3823 * objective context of the specified inode
3824 */
3825 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3826 {
3827 struct inode_security_struct *isec = inode_security(inode);
3828 struct task_security_struct *tsec = new->security;
3829 u32 sid = current_sid();
3830 int ret;
3831
3832 ret = avc_has_perm(sid, isec->sid,
3833 SECCLASS_KERNEL_SERVICE,
3834 KERNEL_SERVICE__CREATE_FILES_AS,
3835 NULL);
3836
3837 if (ret == 0)
3838 tsec->create_sid = isec->sid;
3839 return ret;
3840 }
3841
3842 static int selinux_kernel_module_request(char *kmod_name)
3843 {
3844 struct common_audit_data ad;
3845
3846 ad.type = LSM_AUDIT_DATA_KMOD;
3847 ad.u.kmod_name = kmod_name;
3848
3849 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3850 SYSTEM__MODULE_REQUEST, &ad);
3851 }
3852
3853 static int selinux_kernel_module_from_file(struct file *file)
3854 {
3855 struct common_audit_data ad;
3856 struct inode_security_struct *isec;
3857 struct file_security_struct *fsec;
3858 u32 sid = current_sid();
3859 int rc;
3860
3861 /* init_module */
3862 if (file == NULL)
3863 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3864 SYSTEM__MODULE_LOAD, NULL);
3865
3866 /* finit_module */
3867
3868 ad.type = LSM_AUDIT_DATA_FILE;
3869 ad.u.file = file;
3870
3871 fsec = file->f_security;
3872 if (sid != fsec->sid) {
3873 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3874 if (rc)
3875 return rc;
3876 }
3877
3878 isec = inode_security(file_inode(file));
3879 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3880 SYSTEM__MODULE_LOAD, &ad);
3881 }
3882
3883 static int selinux_kernel_read_file(struct file *file,
3884 enum kernel_read_file_id id)
3885 {
3886 int rc = 0;
3887
3888 switch (id) {
3889 case READING_MODULE:
3890 rc = selinux_kernel_module_from_file(file);
3891 break;
3892 default:
3893 break;
3894 }
3895
3896 return rc;
3897 }
3898
3899 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3900 {
3901 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3902 PROCESS__SETPGID, NULL);
3903 }
3904
3905 static int selinux_task_getpgid(struct task_struct *p)
3906 {
3907 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3908 PROCESS__GETPGID, NULL);
3909 }
3910
3911 static int selinux_task_getsid(struct task_struct *p)
3912 {
3913 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3914 PROCESS__GETSESSION, NULL);
3915 }
3916
3917 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3918 {
3919 *secid = task_sid(p);
3920 }
3921
3922 static int selinux_task_setnice(struct task_struct *p, int nice)
3923 {
3924 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3925 PROCESS__SETSCHED, NULL);
3926 }
3927
3928 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3929 {
3930 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3931 PROCESS__SETSCHED, NULL);
3932 }
3933
3934 static int selinux_task_getioprio(struct task_struct *p)
3935 {
3936 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3937 PROCESS__GETSCHED, NULL);
3938 }
3939
3940 int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3941 unsigned int flags)
3942 {
3943 u32 av = 0;
3944
3945 if (!flags)
3946 return 0;
3947 if (flags & LSM_PRLIMIT_WRITE)
3948 av |= PROCESS__SETRLIMIT;
3949 if (flags & LSM_PRLIMIT_READ)
3950 av |= PROCESS__GETRLIMIT;
3951 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
3952 SECCLASS_PROCESS, av, NULL);
3953 }
3954
3955 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3956 struct rlimit *new_rlim)
3957 {
3958 struct rlimit *old_rlim = p->signal->rlim + resource;
3959
3960 /* Control the ability to change the hard limit (whether
3961 lowering or raising it), so that the hard limit can
3962 later be used as a safe reset point for the soft limit
3963 upon context transitions. See selinux_bprm_committing_creds. */
3964 if (old_rlim->rlim_max != new_rlim->rlim_max)
3965 return avc_has_perm(current_sid(), task_sid(p),
3966 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
3967
3968 return 0;
3969 }
3970
3971 static int selinux_task_setscheduler(struct task_struct *p)
3972 {
3973 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3974 PROCESS__SETSCHED, NULL);
3975 }
3976
3977 static int selinux_task_getscheduler(struct task_struct *p)
3978 {
3979 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3980 PROCESS__GETSCHED, NULL);
3981 }
3982
3983 static int selinux_task_movememory(struct task_struct *p)
3984 {
3985 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3986 PROCESS__SETSCHED, NULL);
3987 }
3988
3989 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3990 int sig, u32 secid)
3991 {
3992 u32 perm;
3993
3994 if (!sig)
3995 perm = PROCESS__SIGNULL; /* null signal; existence test */
3996 else
3997 perm = signal_to_av(sig);
3998 if (!secid)
3999 secid = current_sid();
4000 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4001 }
4002
4003 static void selinux_task_to_inode(struct task_struct *p,
4004 struct inode *inode)
4005 {
4006 struct inode_security_struct *isec = inode->i_security;
4007 u32 sid = task_sid(p);
4008
4009 spin_lock(&isec->lock);
4010 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4011 isec->sid = sid;
4012 isec->initialized = LABEL_INITIALIZED;
4013 spin_unlock(&isec->lock);
4014 }
4015
4016 /* Returns error only if unable to parse addresses */
4017 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4018 struct common_audit_data *ad, u8 *proto)
4019 {
4020 int offset, ihlen, ret = -EINVAL;
4021 struct iphdr _iph, *ih;
4022
4023 offset = skb_network_offset(skb);
4024 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4025 if (ih == NULL)
4026 goto out;
4027
4028 ihlen = ih->ihl * 4;
4029 if (ihlen < sizeof(_iph))
4030 goto out;
4031
4032 ad->u.net->v4info.saddr = ih->saddr;
4033 ad->u.net->v4info.daddr = ih->daddr;
4034 ret = 0;
4035
4036 if (proto)
4037 *proto = ih->protocol;
4038
4039 switch (ih->protocol) {
4040 case IPPROTO_TCP: {
4041 struct tcphdr _tcph, *th;
4042
4043 if (ntohs(ih->frag_off) & IP_OFFSET)
4044 break;
4045
4046 offset += ihlen;
4047 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4048 if (th == NULL)
4049 break;
4050
4051 ad->u.net->sport = th->source;
4052 ad->u.net->dport = th->dest;
4053 break;
4054 }
4055
4056 case IPPROTO_UDP: {
4057 struct udphdr _udph, *uh;
4058
4059 if (ntohs(ih->frag_off) & IP_OFFSET)
4060 break;
4061
4062 offset += ihlen;
4063 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4064 if (uh == NULL)
4065 break;
4066
4067 ad->u.net->sport = uh->source;
4068 ad->u.net->dport = uh->dest;
4069 break;
4070 }
4071
4072 case IPPROTO_DCCP: {
4073 struct dccp_hdr _dccph, *dh;
4074
4075 if (ntohs(ih->frag_off) & IP_OFFSET)
4076 break;
4077
4078 offset += ihlen;
4079 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4080 if (dh == NULL)
4081 break;
4082
4083 ad->u.net->sport = dh->dccph_sport;
4084 ad->u.net->dport = dh->dccph_dport;
4085 break;
4086 }
4087
4088 default:
4089 break;
4090 }
4091 out:
4092 return ret;
4093 }
4094
4095 #if IS_ENABLED(CONFIG_IPV6)
4096
4097 /* Returns error only if unable to parse addresses */
4098 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4099 struct common_audit_data *ad, u8 *proto)
4100 {
4101 u8 nexthdr;
4102 int ret = -EINVAL, offset;
4103 struct ipv6hdr _ipv6h, *ip6;
4104 __be16 frag_off;
4105
4106 offset = skb_network_offset(skb);
4107 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4108 if (ip6 == NULL)
4109 goto out;
4110
4111 ad->u.net->v6info.saddr = ip6->saddr;
4112 ad->u.net->v6info.daddr = ip6->daddr;
4113 ret = 0;
4114
4115 nexthdr = ip6->nexthdr;
4116 offset += sizeof(_ipv6h);
4117 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4118 if (offset < 0)
4119 goto out;
4120
4121 if (proto)
4122 *proto = nexthdr;
4123
4124 switch (nexthdr) {
4125 case IPPROTO_TCP: {
4126 struct tcphdr _tcph, *th;
4127
4128 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4129 if (th == NULL)
4130 break;
4131
4132 ad->u.net->sport = th->source;
4133 ad->u.net->dport = th->dest;
4134 break;
4135 }
4136
4137 case IPPROTO_UDP: {
4138 struct udphdr _udph, *uh;
4139
4140 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4141 if (uh == NULL)
4142 break;
4143
4144 ad->u.net->sport = uh->source;
4145 ad->u.net->dport = uh->dest;
4146 break;
4147 }
4148
4149 case IPPROTO_DCCP: {
4150 struct dccp_hdr _dccph, *dh;
4151
4152 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4153 if (dh == NULL)
4154 break;
4155
4156 ad->u.net->sport = dh->dccph_sport;
4157 ad->u.net->dport = dh->dccph_dport;
4158 break;
4159 }
4160
4161 /* includes fragments */
4162 default:
4163 break;
4164 }
4165 out:
4166 return ret;
4167 }
4168
4169 #endif /* IPV6 */
4170
4171 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4172 char **_addrp, int src, u8 *proto)
4173 {
4174 char *addrp;
4175 int ret;
4176
4177 switch (ad->u.net->family) {
4178 case PF_INET:
4179 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4180 if (ret)
4181 goto parse_error;
4182 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4183 &ad->u.net->v4info.daddr);
4184 goto okay;
4185
4186 #if IS_ENABLED(CONFIG_IPV6)
4187 case PF_INET6:
4188 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4189 if (ret)
4190 goto parse_error;
4191 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4192 &ad->u.net->v6info.daddr);
4193 goto okay;
4194 #endif /* IPV6 */
4195 default:
4196 addrp = NULL;
4197 goto okay;
4198 }
4199
4200 parse_error:
4201 printk(KERN_WARNING
4202 "SELinux: failure in selinux_parse_skb(),"
4203 " unable to parse packet\n");
4204 return ret;
4205
4206 okay:
4207 if (_addrp)
4208 *_addrp = addrp;
4209 return 0;
4210 }
4211
4212 /**
4213 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4214 * @skb: the packet
4215 * @family: protocol family
4216 * @sid: the packet's peer label SID
4217 *
4218 * Description:
4219 * Check the various different forms of network peer labeling and determine
4220 * the peer label/SID for the packet; most of the magic actually occurs in
4221 * the security server function security_net_peersid_cmp(). The function
4222 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4223 * or -EACCES if @sid is invalid due to inconsistencies with the different
4224 * peer labels.
4225 *
4226 */
4227 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4228 {
4229 int err;
4230 u32 xfrm_sid;
4231 u32 nlbl_sid;
4232 u32 nlbl_type;
4233
4234 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4235 if (unlikely(err))
4236 return -EACCES;
4237 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4238 if (unlikely(err))
4239 return -EACCES;
4240
4241 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4242 if (unlikely(err)) {
4243 printk(KERN_WARNING
4244 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4245 " unable to determine packet's peer label\n");
4246 return -EACCES;
4247 }
4248
4249 return 0;
4250 }
4251
4252 /**
4253 * selinux_conn_sid - Determine the child socket label for a connection
4254 * @sk_sid: the parent socket's SID
4255 * @skb_sid: the packet's SID
4256 * @conn_sid: the resulting connection SID
4257 *
4258 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4259 * combined with the MLS information from @skb_sid in order to create
4260 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4261 * of @sk_sid. Returns zero on success, negative values on failure.
4262 *
4263 */
4264 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4265 {
4266 int err = 0;
4267
4268 if (skb_sid != SECSID_NULL)
4269 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4270 else
4271 *conn_sid = sk_sid;
4272
4273 return err;
4274 }
4275
4276 /* socket security operations */
4277
4278 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4279 u16 secclass, u32 *socksid)
4280 {
4281 if (tsec->sockcreate_sid > SECSID_NULL) {
4282 *socksid = tsec->sockcreate_sid;
4283 return 0;
4284 }
4285
4286 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4287 socksid);
4288 }
4289
4290 static int sock_has_perm(struct sock *sk, u32 perms)
4291 {
4292 struct sk_security_struct *sksec = sk->sk_security;
4293 struct common_audit_data ad;
4294 struct lsm_network_audit net = {0,};
4295
4296 if (sksec->sid == SECINITSID_KERNEL)
4297 return 0;
4298
4299 ad.type = LSM_AUDIT_DATA_NET;
4300 ad.u.net = &net;
4301 ad.u.net->sk = sk;
4302
4303 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4304 &ad);
4305 }
4306
4307 static int selinux_socket_create(int family, int type,
4308 int protocol, int kern)
4309 {
4310 const struct task_security_struct *tsec = current_security();
4311 u32 newsid;
4312 u16 secclass;
4313 int rc;
4314
4315 if (kern)
4316 return 0;
4317
4318 secclass = socket_type_to_security_class(family, type, protocol);
4319 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4320 if (rc)
4321 return rc;
4322
4323 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4324 }
4325
4326 static int selinux_socket_post_create(struct socket *sock, int family,
4327 int type, int protocol, int kern)
4328 {
4329 const struct task_security_struct *tsec = current_security();
4330 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4331 struct sk_security_struct *sksec;
4332 u16 sclass = socket_type_to_security_class(family, type, protocol);
4333 u32 sid = SECINITSID_KERNEL;
4334 int err = 0;
4335
4336 if (!kern) {
4337 err = socket_sockcreate_sid(tsec, sclass, &sid);
4338 if (err)
4339 return err;
4340 }
4341
4342 isec->sclass = sclass;
4343 isec->sid = sid;
4344 isec->initialized = LABEL_INITIALIZED;
4345
4346 if (sock->sk) {
4347 sksec = sock->sk->sk_security;
4348 sksec->sclass = sclass;
4349 sksec->sid = sid;
4350 err = selinux_netlbl_socket_post_create(sock->sk, family);
4351 }
4352
4353 return err;
4354 }
4355
4356 /* Range of port numbers used to automatically bind.
4357 Need to determine whether we should perform a name_bind
4358 permission check between the socket and the port number. */
4359
4360 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4361 {
4362 struct sock *sk = sock->sk;
4363 u16 family;
4364 int err;
4365
4366 err = sock_has_perm(sk, SOCKET__BIND);
4367 if (err)
4368 goto out;
4369
4370 /*
4371 * If PF_INET or PF_INET6, check name_bind permission for the port.
4372 * Multiple address binding for SCTP is not supported yet: we just
4373 * check the first address now.
4374 */
4375 family = sk->sk_family;
4376 if (family == PF_INET || family == PF_INET6) {
4377 char *addrp;
4378 struct sk_security_struct *sksec = sk->sk_security;
4379 struct common_audit_data ad;
4380 struct lsm_network_audit net = {0,};
4381 struct sockaddr_in *addr4 = NULL;
4382 struct sockaddr_in6 *addr6 = NULL;
4383 unsigned short snum;
4384 u32 sid, node_perm;
4385
4386 if (family == PF_INET) {
4387 if (addrlen < sizeof(struct sockaddr_in)) {
4388 err = -EINVAL;
4389 goto out;
4390 }
4391 addr4 = (struct sockaddr_in *)address;
4392 snum = ntohs(addr4->sin_port);
4393 addrp = (char *)&addr4->sin_addr.s_addr;
4394 } else {
4395 if (addrlen < SIN6_LEN_RFC2133) {
4396 err = -EINVAL;
4397 goto out;
4398 }
4399 addr6 = (struct sockaddr_in6 *)address;
4400 snum = ntohs(addr6->sin6_port);
4401 addrp = (char *)&addr6->sin6_addr.s6_addr;
4402 }
4403
4404 if (snum) {
4405 int low, high;
4406
4407 inet_get_local_port_range(sock_net(sk), &low, &high);
4408
4409 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4410 snum > high) {
4411 err = sel_netport_sid(sk->sk_protocol,
4412 snum, &sid);
4413 if (err)
4414 goto out;
4415 ad.type = LSM_AUDIT_DATA_NET;
4416 ad.u.net = &net;
4417 ad.u.net->sport = htons(snum);
4418 ad.u.net->family = family;
4419 err = avc_has_perm(sksec->sid, sid,
4420 sksec->sclass,
4421 SOCKET__NAME_BIND, &ad);
4422 if (err)
4423 goto out;
4424 }
4425 }
4426
4427 switch (sksec->sclass) {
4428 case SECCLASS_TCP_SOCKET:
4429 node_perm = TCP_SOCKET__NODE_BIND;
4430 break;
4431
4432 case SECCLASS_UDP_SOCKET:
4433 node_perm = UDP_SOCKET__NODE_BIND;
4434 break;
4435
4436 case SECCLASS_DCCP_SOCKET:
4437 node_perm = DCCP_SOCKET__NODE_BIND;
4438 break;
4439
4440 default:
4441 node_perm = RAWIP_SOCKET__NODE_BIND;
4442 break;
4443 }
4444
4445 err = sel_netnode_sid(addrp, family, &sid);
4446 if (err)
4447 goto out;
4448
4449 ad.type = LSM_AUDIT_DATA_NET;
4450 ad.u.net = &net;
4451 ad.u.net->sport = htons(snum);
4452 ad.u.net->family = family;
4453
4454 if (family == PF_INET)
4455 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4456 else
4457 ad.u.net->v6info.saddr = addr6->sin6_addr;
4458
4459 err = avc_has_perm(sksec->sid, sid,
4460 sksec->sclass, node_perm, &ad);
4461 if (err)
4462 goto out;
4463 }
4464 out:
4465 return err;
4466 }
4467
4468 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4469 {
4470 struct sock *sk = sock->sk;
4471 struct sk_security_struct *sksec = sk->sk_security;
4472 int err;
4473
4474 err = sock_has_perm(sk, SOCKET__CONNECT);
4475 if (err)
4476 return err;
4477
4478 /*
4479 * If a TCP or DCCP socket, check name_connect permission for the port.
4480 */
4481 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4482 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4483 struct common_audit_data ad;
4484 struct lsm_network_audit net = {0,};
4485 struct sockaddr_in *addr4 = NULL;
4486 struct sockaddr_in6 *addr6 = NULL;
4487 unsigned short snum;
4488 u32 sid, perm;
4489
4490 if (sk->sk_family == PF_INET) {
4491 addr4 = (struct sockaddr_in *)address;
4492 if (addrlen < sizeof(struct sockaddr_in))
4493 return -EINVAL;
4494 snum = ntohs(addr4->sin_port);
4495 } else {
4496 addr6 = (struct sockaddr_in6 *)address;
4497 if (addrlen < SIN6_LEN_RFC2133)
4498 return -EINVAL;
4499 snum = ntohs(addr6->sin6_port);
4500 }
4501
4502 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4503 if (err)
4504 goto out;
4505
4506 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4507 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4508
4509 ad.type = LSM_AUDIT_DATA_NET;
4510 ad.u.net = &net;
4511 ad.u.net->dport = htons(snum);
4512 ad.u.net->family = sk->sk_family;
4513 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4514 if (err)
4515 goto out;
4516 }
4517
4518 err = selinux_netlbl_socket_connect(sk, address);
4519
4520 out:
4521 return err;
4522 }
4523
4524 static int selinux_socket_listen(struct socket *sock, int backlog)
4525 {
4526 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4527 }
4528
4529 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4530 {
4531 int err;
4532 struct inode_security_struct *isec;
4533 struct inode_security_struct *newisec;
4534 u16 sclass;
4535 u32 sid;
4536
4537 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4538 if (err)
4539 return err;
4540
4541 isec = inode_security_novalidate(SOCK_INODE(sock));
4542 spin_lock(&isec->lock);
4543 sclass = isec->sclass;
4544 sid = isec->sid;
4545 spin_unlock(&isec->lock);
4546
4547 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4548 newisec->sclass = sclass;
4549 newisec->sid = sid;
4550 newisec->initialized = LABEL_INITIALIZED;
4551
4552 return 0;
4553 }
4554
4555 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4556 int size)
4557 {
4558 return sock_has_perm(sock->sk, SOCKET__WRITE);
4559 }
4560
4561 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4562 int size, int flags)
4563 {
4564 return sock_has_perm(sock->sk, SOCKET__READ);
4565 }
4566
4567 static int selinux_socket_getsockname(struct socket *sock)
4568 {
4569 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4570 }
4571
4572 static int selinux_socket_getpeername(struct socket *sock)
4573 {
4574 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4575 }
4576
4577 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4578 {
4579 int err;
4580
4581 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4582 if (err)
4583 return err;
4584
4585 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4586 }
4587
4588 static int selinux_socket_getsockopt(struct socket *sock, int level,
4589 int optname)
4590 {
4591 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4592 }
4593
4594 static int selinux_socket_shutdown(struct socket *sock, int how)
4595 {
4596 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4597 }
4598
4599 static int selinux_socket_unix_stream_connect(struct sock *sock,
4600 struct sock *other,
4601 struct sock *newsk)
4602 {
4603 struct sk_security_struct *sksec_sock = sock->sk_security;
4604 struct sk_security_struct *sksec_other = other->sk_security;
4605 struct sk_security_struct *sksec_new = newsk->sk_security;
4606 struct common_audit_data ad;
4607 struct lsm_network_audit net = {0,};
4608 int err;
4609
4610 ad.type = LSM_AUDIT_DATA_NET;
4611 ad.u.net = &net;
4612 ad.u.net->sk = other;
4613
4614 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4615 sksec_other->sclass,
4616 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4617 if (err)
4618 return err;
4619
4620 /* server child socket */
4621 sksec_new->peer_sid = sksec_sock->sid;
4622 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4623 &sksec_new->sid);
4624 if (err)
4625 return err;
4626
4627 /* connecting socket */
4628 sksec_sock->peer_sid = sksec_new->sid;
4629
4630 return 0;
4631 }
4632
4633 static int selinux_socket_unix_may_send(struct socket *sock,
4634 struct socket *other)
4635 {
4636 struct sk_security_struct *ssec = sock->sk->sk_security;
4637 struct sk_security_struct *osec = other->sk->sk_security;
4638 struct common_audit_data ad;
4639 struct lsm_network_audit net = {0,};
4640
4641 ad.type = LSM_AUDIT_DATA_NET;
4642 ad.u.net = &net;
4643 ad.u.net->sk = other->sk;
4644
4645 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4646 &ad);
4647 }
4648
4649 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4650 char *addrp, u16 family, u32 peer_sid,
4651 struct common_audit_data *ad)
4652 {
4653 int err;
4654 u32 if_sid;
4655 u32 node_sid;
4656
4657 err = sel_netif_sid(ns, ifindex, &if_sid);
4658 if (err)
4659 return err;
4660 err = avc_has_perm(peer_sid, if_sid,
4661 SECCLASS_NETIF, NETIF__INGRESS, ad);
4662 if (err)
4663 return err;
4664
4665 err = sel_netnode_sid(addrp, family, &node_sid);
4666 if (err)
4667 return err;
4668 return avc_has_perm(peer_sid, node_sid,
4669 SECCLASS_NODE, NODE__RECVFROM, ad);
4670 }
4671
4672 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4673 u16 family)
4674 {
4675 int err = 0;
4676 struct sk_security_struct *sksec = sk->sk_security;
4677 u32 sk_sid = sksec->sid;
4678 struct common_audit_data ad;
4679 struct lsm_network_audit net = {0,};
4680 char *addrp;
4681
4682 ad.type = LSM_AUDIT_DATA_NET;
4683 ad.u.net = &net;
4684 ad.u.net->netif = skb->skb_iif;
4685 ad.u.net->family = family;
4686 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4687 if (err)
4688 return err;
4689
4690 if (selinux_secmark_enabled()) {
4691 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4692 PACKET__RECV, &ad);
4693 if (err)
4694 return err;
4695 }
4696
4697 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4698 if (err)
4699 return err;
4700 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4701
4702 return err;
4703 }
4704
4705 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4706 {
4707 int err;
4708 struct sk_security_struct *sksec = sk->sk_security;
4709 u16 family = sk->sk_family;
4710 u32 sk_sid = sksec->sid;
4711 struct common_audit_data ad;
4712 struct lsm_network_audit net = {0,};
4713 char *addrp;
4714 u8 secmark_active;
4715 u8 peerlbl_active;
4716
4717 if (family != PF_INET && family != PF_INET6)
4718 return 0;
4719
4720 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4721 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4722 family = PF_INET;
4723
4724 /* If any sort of compatibility mode is enabled then handoff processing
4725 * to the selinux_sock_rcv_skb_compat() function to deal with the
4726 * special handling. We do this in an attempt to keep this function
4727 * as fast and as clean as possible. */
4728 if (!selinux_policycap_netpeer)
4729 return selinux_sock_rcv_skb_compat(sk, skb, family);
4730
4731 secmark_active = selinux_secmark_enabled();
4732 peerlbl_active = selinux_peerlbl_enabled();
4733 if (!secmark_active && !peerlbl_active)
4734 return 0;
4735
4736 ad.type = LSM_AUDIT_DATA_NET;
4737 ad.u.net = &net;
4738 ad.u.net->netif = skb->skb_iif;
4739 ad.u.net->family = family;
4740 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4741 if (err)
4742 return err;
4743
4744 if (peerlbl_active) {
4745 u32 peer_sid;
4746
4747 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4748 if (err)
4749 return err;
4750 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4751 addrp, family, peer_sid, &ad);
4752 if (err) {
4753 selinux_netlbl_err(skb, family, err, 0);
4754 return err;
4755 }
4756 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4757 PEER__RECV, &ad);
4758 if (err) {
4759 selinux_netlbl_err(skb, family, err, 0);
4760 return err;
4761 }
4762 }
4763
4764 if (secmark_active) {
4765 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4766 PACKET__RECV, &ad);
4767 if (err)
4768 return err;
4769 }
4770
4771 return err;
4772 }
4773
4774 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4775 int __user *optlen, unsigned len)
4776 {
4777 int err = 0;
4778 char *scontext;
4779 u32 scontext_len;
4780 struct sk_security_struct *sksec = sock->sk->sk_security;
4781 u32 peer_sid = SECSID_NULL;
4782
4783 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4784 sksec->sclass == SECCLASS_TCP_SOCKET)
4785 peer_sid = sksec->peer_sid;
4786 if (peer_sid == SECSID_NULL)
4787 return -ENOPROTOOPT;
4788
4789 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4790 if (err)
4791 return err;
4792
4793 if (scontext_len > len) {
4794 err = -ERANGE;
4795 goto out_len;
4796 }
4797
4798 if (copy_to_user(optval, scontext, scontext_len))
4799 err = -EFAULT;
4800
4801 out_len:
4802 if (put_user(scontext_len, optlen))
4803 err = -EFAULT;
4804 kfree(scontext);
4805 return err;
4806 }
4807
4808 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4809 {
4810 u32 peer_secid = SECSID_NULL;
4811 u16 family;
4812 struct inode_security_struct *isec;
4813
4814 if (skb && skb->protocol == htons(ETH_P_IP))
4815 family = PF_INET;
4816 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4817 family = PF_INET6;
4818 else if (sock)
4819 family = sock->sk->sk_family;
4820 else
4821 goto out;
4822
4823 if (sock && family == PF_UNIX) {
4824 isec = inode_security_novalidate(SOCK_INODE(sock));
4825 peer_secid = isec->sid;
4826 } else if (skb)
4827 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4828
4829 out:
4830 *secid = peer_secid;
4831 if (peer_secid == SECSID_NULL)
4832 return -EINVAL;
4833 return 0;
4834 }
4835
4836 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4837 {
4838 struct sk_security_struct *sksec;
4839
4840 sksec = kzalloc(sizeof(*sksec), priority);
4841 if (!sksec)
4842 return -ENOMEM;
4843
4844 sksec->peer_sid = SECINITSID_UNLABELED;
4845 sksec->sid = SECINITSID_UNLABELED;
4846 sksec->sclass = SECCLASS_SOCKET;
4847 selinux_netlbl_sk_security_reset(sksec);
4848 sk->sk_security = sksec;
4849
4850 return 0;
4851 }
4852
4853 static void selinux_sk_free_security(struct sock *sk)
4854 {
4855 struct sk_security_struct *sksec = sk->sk_security;
4856
4857 sk->sk_security = NULL;
4858 selinux_netlbl_sk_security_free(sksec);
4859 kfree(sksec);
4860 }
4861
4862 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4863 {
4864 struct sk_security_struct *sksec = sk->sk_security;
4865 struct sk_security_struct *newsksec = newsk->sk_security;
4866
4867 newsksec->sid = sksec->sid;
4868 newsksec->peer_sid = sksec->peer_sid;
4869 newsksec->sclass = sksec->sclass;
4870
4871 selinux_netlbl_sk_security_reset(newsksec);
4872 }
4873
4874 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4875 {
4876 if (!sk)
4877 *secid = SECINITSID_ANY_SOCKET;
4878 else {
4879 struct sk_security_struct *sksec = sk->sk_security;
4880
4881 *secid = sksec->sid;
4882 }
4883 }
4884
4885 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4886 {
4887 struct inode_security_struct *isec =
4888 inode_security_novalidate(SOCK_INODE(parent));
4889 struct sk_security_struct *sksec = sk->sk_security;
4890
4891 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4892 sk->sk_family == PF_UNIX)
4893 isec->sid = sksec->sid;
4894 sksec->sclass = isec->sclass;
4895 }
4896
4897 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4898 struct request_sock *req)
4899 {
4900 struct sk_security_struct *sksec = sk->sk_security;
4901 int err;
4902 u16 family = req->rsk_ops->family;
4903 u32 connsid;
4904 u32 peersid;
4905
4906 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4907 if (err)
4908 return err;
4909 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4910 if (err)
4911 return err;
4912 req->secid = connsid;
4913 req->peer_secid = peersid;
4914
4915 return selinux_netlbl_inet_conn_request(req, family);
4916 }
4917
4918 static void selinux_inet_csk_clone(struct sock *newsk,
4919 const struct request_sock *req)
4920 {
4921 struct sk_security_struct *newsksec = newsk->sk_security;
4922
4923 newsksec->sid = req->secid;
4924 newsksec->peer_sid = req->peer_secid;
4925 /* NOTE: Ideally, we should also get the isec->sid for the
4926 new socket in sync, but we don't have the isec available yet.
4927 So we will wait until sock_graft to do it, by which
4928 time it will have been created and available. */
4929
4930 /* We don't need to take any sort of lock here as we are the only
4931 * thread with access to newsksec */
4932 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4933 }
4934
4935 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4936 {
4937 u16 family = sk->sk_family;
4938 struct sk_security_struct *sksec = sk->sk_security;
4939
4940 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4941 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4942 family = PF_INET;
4943
4944 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4945 }
4946
4947 static int selinux_secmark_relabel_packet(u32 sid)
4948 {
4949 const struct task_security_struct *__tsec;
4950 u32 tsid;
4951
4952 __tsec = current_security();
4953 tsid = __tsec->sid;
4954
4955 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4956 }
4957
4958 static void selinux_secmark_refcount_inc(void)
4959 {
4960 atomic_inc(&selinux_secmark_refcount);
4961 }
4962
4963 static void selinux_secmark_refcount_dec(void)
4964 {
4965 atomic_dec(&selinux_secmark_refcount);
4966 }
4967
4968 static void selinux_req_classify_flow(const struct request_sock *req,
4969 struct flowi *fl)
4970 {
4971 fl->flowi_secid = req->secid;
4972 }
4973
4974 static int selinux_tun_dev_alloc_security(void **security)
4975 {
4976 struct tun_security_struct *tunsec;
4977
4978 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4979 if (!tunsec)
4980 return -ENOMEM;
4981 tunsec->sid = current_sid();
4982
4983 *security = tunsec;
4984 return 0;
4985 }
4986
4987 static void selinux_tun_dev_free_security(void *security)
4988 {
4989 kfree(security);
4990 }
4991
4992 static int selinux_tun_dev_create(void)
4993 {
4994 u32 sid = current_sid();
4995
4996 /* we aren't taking into account the "sockcreate" SID since the socket
4997 * that is being created here is not a socket in the traditional sense,
4998 * instead it is a private sock, accessible only to the kernel, and
4999 * representing a wide range of network traffic spanning multiple
5000 * connections unlike traditional sockets - check the TUN driver to
5001 * get a better understanding of why this socket is special */
5002
5003 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5004 NULL);
5005 }
5006
5007 static int selinux_tun_dev_attach_queue(void *security)
5008 {
5009 struct tun_security_struct *tunsec = security;
5010
5011 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5012 TUN_SOCKET__ATTACH_QUEUE, NULL);
5013 }
5014
5015 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5016 {
5017 struct tun_security_struct *tunsec = security;
5018 struct sk_security_struct *sksec = sk->sk_security;
5019
5020 /* we don't currently perform any NetLabel based labeling here and it
5021 * isn't clear that we would want to do so anyway; while we could apply
5022 * labeling without the support of the TUN user the resulting labeled
5023 * traffic from the other end of the connection would almost certainly
5024 * cause confusion to the TUN user that had no idea network labeling
5025 * protocols were being used */
5026
5027 sksec->sid = tunsec->sid;
5028 sksec->sclass = SECCLASS_TUN_SOCKET;
5029
5030 return 0;
5031 }
5032
5033 static int selinux_tun_dev_open(void *security)
5034 {
5035 struct tun_security_struct *tunsec = security;
5036 u32 sid = current_sid();
5037 int err;
5038
5039 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5040 TUN_SOCKET__RELABELFROM, NULL);
5041 if (err)
5042 return err;
5043 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5044 TUN_SOCKET__RELABELTO, NULL);
5045 if (err)
5046 return err;
5047 tunsec->sid = sid;
5048
5049 return 0;
5050 }
5051
5052 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5053 {
5054 int err = 0;
5055 u32 perm;
5056 struct nlmsghdr *nlh;
5057 struct sk_security_struct *sksec = sk->sk_security;
5058
5059 if (skb->len < NLMSG_HDRLEN) {
5060 err = -EINVAL;
5061 goto out;
5062 }
5063 nlh = nlmsg_hdr(skb);
5064
5065 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5066 if (err) {
5067 if (err == -EINVAL) {
5068 pr_warn_ratelimited("SELinux: unrecognized netlink"
5069 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5070 " pig=%d comm=%s\n",
5071 sk->sk_protocol, nlh->nlmsg_type,
5072 secclass_map[sksec->sclass - 1].name,
5073 task_pid_nr(current), current->comm);
5074 if (!selinux_enforcing || security_get_allow_unknown())
5075 err = 0;
5076 }
5077
5078 /* Ignore */
5079 if (err == -ENOENT)
5080 err = 0;
5081 goto out;
5082 }
5083
5084 err = sock_has_perm(sk, perm);
5085 out:
5086 return err;
5087 }
5088
5089 #ifdef CONFIG_NETFILTER
5090
5091 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5092 const struct net_device *indev,
5093 u16 family)
5094 {
5095 int err;
5096 char *addrp;
5097 u32 peer_sid;
5098 struct common_audit_data ad;
5099 struct lsm_network_audit net = {0,};
5100 u8 secmark_active;
5101 u8 netlbl_active;
5102 u8 peerlbl_active;
5103
5104 if (!selinux_policycap_netpeer)
5105 return NF_ACCEPT;
5106
5107 secmark_active = selinux_secmark_enabled();
5108 netlbl_active = netlbl_enabled();
5109 peerlbl_active = selinux_peerlbl_enabled();
5110 if (!secmark_active && !peerlbl_active)
5111 return NF_ACCEPT;
5112
5113 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5114 return NF_DROP;
5115
5116 ad.type = LSM_AUDIT_DATA_NET;
5117 ad.u.net = &net;
5118 ad.u.net->netif = indev->ifindex;
5119 ad.u.net->family = family;
5120 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5121 return NF_DROP;
5122
5123 if (peerlbl_active) {
5124 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5125 addrp, family, peer_sid, &ad);
5126 if (err) {
5127 selinux_netlbl_err(skb, family, err, 1);
5128 return NF_DROP;
5129 }
5130 }
5131
5132 if (secmark_active)
5133 if (avc_has_perm(peer_sid, skb->secmark,
5134 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5135 return NF_DROP;
5136
5137 if (netlbl_active)
5138 /* we do this in the FORWARD path and not the POST_ROUTING
5139 * path because we want to make sure we apply the necessary
5140 * labeling before IPsec is applied so we can leverage AH
5141 * protection */
5142 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5143 return NF_DROP;
5144
5145 return NF_ACCEPT;
5146 }
5147
5148 static unsigned int selinux_ipv4_forward(void *priv,
5149 struct sk_buff *skb,
5150 const struct nf_hook_state *state)
5151 {
5152 return selinux_ip_forward(skb, state->in, PF_INET);
5153 }
5154
5155 #if IS_ENABLED(CONFIG_IPV6)
5156 static unsigned int selinux_ipv6_forward(void *priv,
5157 struct sk_buff *skb,
5158 const struct nf_hook_state *state)
5159 {
5160 return selinux_ip_forward(skb, state->in, PF_INET6);
5161 }
5162 #endif /* IPV6 */
5163
5164 static unsigned int selinux_ip_output(struct sk_buff *skb,
5165 u16 family)
5166 {
5167 struct sock *sk;
5168 u32 sid;
5169
5170 if (!netlbl_enabled())
5171 return NF_ACCEPT;
5172
5173 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5174 * because we want to make sure we apply the necessary labeling
5175 * before IPsec is applied so we can leverage AH protection */
5176 sk = skb->sk;
5177 if (sk) {
5178 struct sk_security_struct *sksec;
5179
5180 if (sk_listener(sk))
5181 /* if the socket is the listening state then this
5182 * packet is a SYN-ACK packet which means it needs to
5183 * be labeled based on the connection/request_sock and
5184 * not the parent socket. unfortunately, we can't
5185 * lookup the request_sock yet as it isn't queued on
5186 * the parent socket until after the SYN-ACK is sent.
5187 * the "solution" is to simply pass the packet as-is
5188 * as any IP option based labeling should be copied
5189 * from the initial connection request (in the IP
5190 * layer). it is far from ideal, but until we get a
5191 * security label in the packet itself this is the
5192 * best we can do. */
5193 return NF_ACCEPT;
5194
5195 /* standard practice, label using the parent socket */
5196 sksec = sk->sk_security;
5197 sid = sksec->sid;
5198 } else
5199 sid = SECINITSID_KERNEL;
5200 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5201 return NF_DROP;
5202
5203 return NF_ACCEPT;
5204 }
5205
5206 static unsigned int selinux_ipv4_output(void *priv,
5207 struct sk_buff *skb,
5208 const struct nf_hook_state *state)
5209 {
5210 return selinux_ip_output(skb, PF_INET);
5211 }
5212
5213 #if IS_ENABLED(CONFIG_IPV6)
5214 static unsigned int selinux_ipv6_output(void *priv,
5215 struct sk_buff *skb,
5216 const struct nf_hook_state *state)
5217 {
5218 return selinux_ip_output(skb, PF_INET6);
5219 }
5220 #endif /* IPV6 */
5221
5222 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5223 int ifindex,
5224 u16 family)
5225 {
5226 struct sock *sk = skb_to_full_sk(skb);
5227 struct sk_security_struct *sksec;
5228 struct common_audit_data ad;
5229 struct lsm_network_audit net = {0,};
5230 char *addrp;
5231 u8 proto;
5232
5233 if (sk == NULL)
5234 return NF_ACCEPT;
5235 sksec = sk->sk_security;
5236
5237 ad.type = LSM_AUDIT_DATA_NET;
5238 ad.u.net = &net;
5239 ad.u.net->netif = ifindex;
5240 ad.u.net->family = family;
5241 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5242 return NF_DROP;
5243
5244 if (selinux_secmark_enabled())
5245 if (avc_has_perm(sksec->sid, skb->secmark,
5246 SECCLASS_PACKET, PACKET__SEND, &ad))
5247 return NF_DROP_ERR(-ECONNREFUSED);
5248
5249 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5250 return NF_DROP_ERR(-ECONNREFUSED);
5251
5252 return NF_ACCEPT;
5253 }
5254
5255 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5256 const struct net_device *outdev,
5257 u16 family)
5258 {
5259 u32 secmark_perm;
5260 u32 peer_sid;
5261 int ifindex = outdev->ifindex;
5262 struct sock *sk;
5263 struct common_audit_data ad;
5264 struct lsm_network_audit net = {0,};
5265 char *addrp;
5266 u8 secmark_active;
5267 u8 peerlbl_active;
5268
5269 /* If any sort of compatibility mode is enabled then handoff processing
5270 * to the selinux_ip_postroute_compat() function to deal with the
5271 * special handling. We do this in an attempt to keep this function
5272 * as fast and as clean as possible. */
5273 if (!selinux_policycap_netpeer)
5274 return selinux_ip_postroute_compat(skb, ifindex, family);
5275
5276 secmark_active = selinux_secmark_enabled();
5277 peerlbl_active = selinux_peerlbl_enabled();
5278 if (!secmark_active && !peerlbl_active)
5279 return NF_ACCEPT;
5280
5281 sk = skb_to_full_sk(skb);
5282
5283 #ifdef CONFIG_XFRM
5284 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5285 * packet transformation so allow the packet to pass without any checks
5286 * since we'll have another chance to perform access control checks
5287 * when the packet is on it's final way out.
5288 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5289 * is NULL, in this case go ahead and apply access control.
5290 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5291 * TCP listening state we cannot wait until the XFRM processing
5292 * is done as we will miss out on the SA label if we do;
5293 * unfortunately, this means more work, but it is only once per
5294 * connection. */
5295 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5296 !(sk && sk_listener(sk)))
5297 return NF_ACCEPT;
5298 #endif
5299
5300 if (sk == NULL) {
5301 /* Without an associated socket the packet is either coming
5302 * from the kernel or it is being forwarded; check the packet
5303 * to determine which and if the packet is being forwarded
5304 * query the packet directly to determine the security label. */
5305 if (skb->skb_iif) {
5306 secmark_perm = PACKET__FORWARD_OUT;
5307 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5308 return NF_DROP;
5309 } else {
5310 secmark_perm = PACKET__SEND;
5311 peer_sid = SECINITSID_KERNEL;
5312 }
5313 } else if (sk_listener(sk)) {
5314 /* Locally generated packet but the associated socket is in the
5315 * listening state which means this is a SYN-ACK packet. In
5316 * this particular case the correct security label is assigned
5317 * to the connection/request_sock but unfortunately we can't
5318 * query the request_sock as it isn't queued on the parent
5319 * socket until after the SYN-ACK packet is sent; the only
5320 * viable choice is to regenerate the label like we do in
5321 * selinux_inet_conn_request(). See also selinux_ip_output()
5322 * for similar problems. */
5323 u32 skb_sid;
5324 struct sk_security_struct *sksec;
5325
5326 sksec = sk->sk_security;
5327 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5328 return NF_DROP;
5329 /* At this point, if the returned skb peerlbl is SECSID_NULL
5330 * and the packet has been through at least one XFRM
5331 * transformation then we must be dealing with the "final"
5332 * form of labeled IPsec packet; since we've already applied
5333 * all of our access controls on this packet we can safely
5334 * pass the packet. */
5335 if (skb_sid == SECSID_NULL) {
5336 switch (family) {
5337 case PF_INET:
5338 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5339 return NF_ACCEPT;
5340 break;
5341 case PF_INET6:
5342 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5343 return NF_ACCEPT;
5344 break;
5345 default:
5346 return NF_DROP_ERR(-ECONNREFUSED);
5347 }
5348 }
5349 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5350 return NF_DROP;
5351 secmark_perm = PACKET__SEND;
5352 } else {
5353 /* Locally generated packet, fetch the security label from the
5354 * associated socket. */
5355 struct sk_security_struct *sksec = sk->sk_security;
5356 peer_sid = sksec->sid;
5357 secmark_perm = PACKET__SEND;
5358 }
5359
5360 ad.type = LSM_AUDIT_DATA_NET;
5361 ad.u.net = &net;
5362 ad.u.net->netif = ifindex;
5363 ad.u.net->family = family;
5364 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5365 return NF_DROP;
5366
5367 if (secmark_active)
5368 if (avc_has_perm(peer_sid, skb->secmark,
5369 SECCLASS_PACKET, secmark_perm, &ad))
5370 return NF_DROP_ERR(-ECONNREFUSED);
5371
5372 if (peerlbl_active) {
5373 u32 if_sid;
5374 u32 node_sid;
5375
5376 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5377 return NF_DROP;
5378 if (avc_has_perm(peer_sid, if_sid,
5379 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5380 return NF_DROP_ERR(-ECONNREFUSED);
5381
5382 if (sel_netnode_sid(addrp, family, &node_sid))
5383 return NF_DROP;
5384 if (avc_has_perm(peer_sid, node_sid,
5385 SECCLASS_NODE, NODE__SENDTO, &ad))
5386 return NF_DROP_ERR(-ECONNREFUSED);
5387 }
5388
5389 return NF_ACCEPT;
5390 }
5391
5392 static unsigned int selinux_ipv4_postroute(void *priv,
5393 struct sk_buff *skb,
5394 const struct nf_hook_state *state)
5395 {
5396 return selinux_ip_postroute(skb, state->out, PF_INET);
5397 }
5398
5399 #if IS_ENABLED(CONFIG_IPV6)
5400 static unsigned int selinux_ipv6_postroute(void *priv,
5401 struct sk_buff *skb,
5402 const struct nf_hook_state *state)
5403 {
5404 return selinux_ip_postroute(skb, state->out, PF_INET6);
5405 }
5406 #endif /* IPV6 */
5407
5408 #endif /* CONFIG_NETFILTER */
5409
5410 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5411 {
5412 return selinux_nlmsg_perm(sk, skb);
5413 }
5414
5415 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5416 u16 sclass)
5417 {
5418 struct ipc_security_struct *isec;
5419
5420 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5421 if (!isec)
5422 return -ENOMEM;
5423
5424 isec->sclass = sclass;
5425 isec->sid = current_sid();
5426 perm->security = isec;
5427
5428 return 0;
5429 }
5430
5431 static void ipc_free_security(struct kern_ipc_perm *perm)
5432 {
5433 struct ipc_security_struct *isec = perm->security;
5434 perm->security = NULL;
5435 kfree(isec);
5436 }
5437
5438 static int msg_msg_alloc_security(struct msg_msg *msg)
5439 {
5440 struct msg_security_struct *msec;
5441
5442 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5443 if (!msec)
5444 return -ENOMEM;
5445
5446 msec->sid = SECINITSID_UNLABELED;
5447 msg->security = msec;
5448
5449 return 0;
5450 }
5451
5452 static void msg_msg_free_security(struct msg_msg *msg)
5453 {
5454 struct msg_security_struct *msec = msg->security;
5455
5456 msg->security = NULL;
5457 kfree(msec);
5458 }
5459
5460 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5461 u32 perms)
5462 {
5463 struct ipc_security_struct *isec;
5464 struct common_audit_data ad;
5465 u32 sid = current_sid();
5466
5467 isec = ipc_perms->security;
5468
5469 ad.type = LSM_AUDIT_DATA_IPC;
5470 ad.u.ipc_id = ipc_perms->key;
5471
5472 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5473 }
5474
5475 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5476 {
5477 return msg_msg_alloc_security(msg);
5478 }
5479
5480 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5481 {
5482 msg_msg_free_security(msg);
5483 }
5484
5485 /* message queue security operations */
5486 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5487 {
5488 struct ipc_security_struct *isec;
5489 struct common_audit_data ad;
5490 u32 sid = current_sid();
5491 int rc;
5492
5493 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
5494 if (rc)
5495 return rc;
5496
5497 isec = msq->q_perm.security;
5498
5499 ad.type = LSM_AUDIT_DATA_IPC;
5500 ad.u.ipc_id = msq->q_perm.key;
5501
5502 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5503 MSGQ__CREATE, &ad);
5504 if (rc) {
5505 ipc_free_security(&msq->q_perm);
5506 return rc;
5507 }
5508 return 0;
5509 }
5510
5511 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5512 {
5513 ipc_free_security(&msq->q_perm);
5514 }
5515
5516 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5517 {
5518 struct ipc_security_struct *isec;
5519 struct common_audit_data ad;
5520 u32 sid = current_sid();
5521
5522 isec = msq->q_perm.security;
5523
5524 ad.type = LSM_AUDIT_DATA_IPC;
5525 ad.u.ipc_id = msq->q_perm.key;
5526
5527 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5528 MSGQ__ASSOCIATE, &ad);
5529 }
5530
5531 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5532 {
5533 int err;
5534 int perms;
5535
5536 switch (cmd) {
5537 case IPC_INFO:
5538 case MSG_INFO:
5539 /* No specific object, just general system-wide information. */
5540 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5541 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5542 case IPC_STAT:
5543 case MSG_STAT:
5544 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5545 break;
5546 case IPC_SET:
5547 perms = MSGQ__SETATTR;
5548 break;
5549 case IPC_RMID:
5550 perms = MSGQ__DESTROY;
5551 break;
5552 default:
5553 return 0;
5554 }
5555
5556 err = ipc_has_perm(&msq->q_perm, perms);
5557 return err;
5558 }
5559
5560 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5561 {
5562 struct ipc_security_struct *isec;
5563 struct msg_security_struct *msec;
5564 struct common_audit_data ad;
5565 u32 sid = current_sid();
5566 int rc;
5567
5568 isec = msq->q_perm.security;
5569 msec = msg->security;
5570
5571 /*
5572 * First time through, need to assign label to the message
5573 */
5574 if (msec->sid == SECINITSID_UNLABELED) {
5575 /*
5576 * Compute new sid based on current process and
5577 * message queue this message will be stored in
5578 */
5579 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5580 NULL, &msec->sid);
5581 if (rc)
5582 return rc;
5583 }
5584
5585 ad.type = LSM_AUDIT_DATA_IPC;
5586 ad.u.ipc_id = msq->q_perm.key;
5587
5588 /* Can this process write to the queue? */
5589 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5590 MSGQ__WRITE, &ad);
5591 if (!rc)
5592 /* Can this process send the message */
5593 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5594 MSG__SEND, &ad);
5595 if (!rc)
5596 /* Can the message be put in the queue? */
5597 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5598 MSGQ__ENQUEUE, &ad);
5599
5600 return rc;
5601 }
5602
5603 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5604 struct task_struct *target,
5605 long type, int mode)
5606 {
5607 struct ipc_security_struct *isec;
5608 struct msg_security_struct *msec;
5609 struct common_audit_data ad;
5610 u32 sid = task_sid(target);
5611 int rc;
5612
5613 isec = msq->q_perm.security;
5614 msec = msg->security;
5615
5616 ad.type = LSM_AUDIT_DATA_IPC;
5617 ad.u.ipc_id = msq->q_perm.key;
5618
5619 rc = avc_has_perm(sid, isec->sid,
5620 SECCLASS_MSGQ, MSGQ__READ, &ad);
5621 if (!rc)
5622 rc = avc_has_perm(sid, msec->sid,
5623 SECCLASS_MSG, MSG__RECEIVE, &ad);
5624 return rc;
5625 }
5626
5627 /* Shared Memory security operations */
5628 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5629 {
5630 struct ipc_security_struct *isec;
5631 struct common_audit_data ad;
5632 u32 sid = current_sid();
5633 int rc;
5634
5635 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
5636 if (rc)
5637 return rc;
5638
5639 isec = shp->shm_perm.security;
5640
5641 ad.type = LSM_AUDIT_DATA_IPC;
5642 ad.u.ipc_id = shp->shm_perm.key;
5643
5644 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5645 SHM__CREATE, &ad);
5646 if (rc) {
5647 ipc_free_security(&shp->shm_perm);
5648 return rc;
5649 }
5650 return 0;
5651 }
5652
5653 static void selinux_shm_free_security(struct shmid_kernel *shp)
5654 {
5655 ipc_free_security(&shp->shm_perm);
5656 }
5657
5658 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5659 {
5660 struct ipc_security_struct *isec;
5661 struct common_audit_data ad;
5662 u32 sid = current_sid();
5663
5664 isec = shp->shm_perm.security;
5665
5666 ad.type = LSM_AUDIT_DATA_IPC;
5667 ad.u.ipc_id = shp->shm_perm.key;
5668
5669 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5670 SHM__ASSOCIATE, &ad);
5671 }
5672
5673 /* Note, at this point, shp is locked down */
5674 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5675 {
5676 int perms;
5677 int err;
5678
5679 switch (cmd) {
5680 case IPC_INFO:
5681 case SHM_INFO:
5682 /* No specific object, just general system-wide information. */
5683 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5684 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5685 case IPC_STAT:
5686 case SHM_STAT:
5687 perms = SHM__GETATTR | SHM__ASSOCIATE;
5688 break;
5689 case IPC_SET:
5690 perms = SHM__SETATTR;
5691 break;
5692 case SHM_LOCK:
5693 case SHM_UNLOCK:
5694 perms = SHM__LOCK;
5695 break;
5696 case IPC_RMID:
5697 perms = SHM__DESTROY;
5698 break;
5699 default:
5700 return 0;
5701 }
5702
5703 err = ipc_has_perm(&shp->shm_perm, perms);
5704 return err;
5705 }
5706
5707 static int selinux_shm_shmat(struct shmid_kernel *shp,
5708 char __user *shmaddr, int shmflg)
5709 {
5710 u32 perms;
5711
5712 if (shmflg & SHM_RDONLY)
5713 perms = SHM__READ;
5714 else
5715 perms = SHM__READ | SHM__WRITE;
5716
5717 return ipc_has_perm(&shp->shm_perm, perms);
5718 }
5719
5720 /* Semaphore security operations */
5721 static int selinux_sem_alloc_security(struct sem_array *sma)
5722 {
5723 struct ipc_security_struct *isec;
5724 struct common_audit_data ad;
5725 u32 sid = current_sid();
5726 int rc;
5727
5728 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
5729 if (rc)
5730 return rc;
5731
5732 isec = sma->sem_perm.security;
5733
5734 ad.type = LSM_AUDIT_DATA_IPC;
5735 ad.u.ipc_id = sma->sem_perm.key;
5736
5737 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5738 SEM__CREATE, &ad);
5739 if (rc) {
5740 ipc_free_security(&sma->sem_perm);
5741 return rc;
5742 }
5743 return 0;
5744 }
5745
5746 static void selinux_sem_free_security(struct sem_array *sma)
5747 {
5748 ipc_free_security(&sma->sem_perm);
5749 }
5750
5751 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5752 {
5753 struct ipc_security_struct *isec;
5754 struct common_audit_data ad;
5755 u32 sid = current_sid();
5756
5757 isec = sma->sem_perm.security;
5758
5759 ad.type = LSM_AUDIT_DATA_IPC;
5760 ad.u.ipc_id = sma->sem_perm.key;
5761
5762 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5763 SEM__ASSOCIATE, &ad);
5764 }
5765
5766 /* Note, at this point, sma is locked down */
5767 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5768 {
5769 int err;
5770 u32 perms;
5771
5772 switch (cmd) {
5773 case IPC_INFO:
5774 case SEM_INFO:
5775 /* No specific object, just general system-wide information. */
5776 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5777 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5778 case GETPID:
5779 case GETNCNT:
5780 case GETZCNT:
5781 perms = SEM__GETATTR;
5782 break;
5783 case GETVAL:
5784 case GETALL:
5785 perms = SEM__READ;
5786 break;
5787 case SETVAL:
5788 case SETALL:
5789 perms = SEM__WRITE;
5790 break;
5791 case IPC_RMID:
5792 perms = SEM__DESTROY;
5793 break;
5794 case IPC_SET:
5795 perms = SEM__SETATTR;
5796 break;
5797 case IPC_STAT:
5798 case SEM_STAT:
5799 perms = SEM__GETATTR | SEM__ASSOCIATE;
5800 break;
5801 default:
5802 return 0;
5803 }
5804
5805 err = ipc_has_perm(&sma->sem_perm, perms);
5806 return err;
5807 }
5808
5809 static int selinux_sem_semop(struct sem_array *sma,
5810 struct sembuf *sops, unsigned nsops, int alter)
5811 {
5812 u32 perms;
5813
5814 if (alter)
5815 perms = SEM__READ | SEM__WRITE;
5816 else
5817 perms = SEM__READ;
5818
5819 return ipc_has_perm(&sma->sem_perm, perms);
5820 }
5821
5822 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5823 {
5824 u32 av = 0;
5825
5826 av = 0;
5827 if (flag & S_IRUGO)
5828 av |= IPC__UNIX_READ;
5829 if (flag & S_IWUGO)
5830 av |= IPC__UNIX_WRITE;
5831
5832 if (av == 0)
5833 return 0;
5834
5835 return ipc_has_perm(ipcp, av);
5836 }
5837
5838 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5839 {
5840 struct ipc_security_struct *isec = ipcp->security;
5841 *secid = isec->sid;
5842 }
5843
5844 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5845 {
5846 if (inode)
5847 inode_doinit_with_dentry(inode, dentry);
5848 }
5849
5850 static int selinux_getprocattr(struct task_struct *p,
5851 char *name, char **value)
5852 {
5853 const struct task_security_struct *__tsec;
5854 u32 sid;
5855 int error;
5856 unsigned len;
5857
5858 rcu_read_lock();
5859 __tsec = __task_cred(p)->security;
5860
5861 if (current != p) {
5862 error = avc_has_perm(current_sid(), __tsec->sid,
5863 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5864 if (error)
5865 goto bad;
5866 }
5867
5868 if (!strcmp(name, "current"))
5869 sid = __tsec->sid;
5870 else if (!strcmp(name, "prev"))
5871 sid = __tsec->osid;
5872 else if (!strcmp(name, "exec"))
5873 sid = __tsec->exec_sid;
5874 else if (!strcmp(name, "fscreate"))
5875 sid = __tsec->create_sid;
5876 else if (!strcmp(name, "keycreate"))
5877 sid = __tsec->keycreate_sid;
5878 else if (!strcmp(name, "sockcreate"))
5879 sid = __tsec->sockcreate_sid;
5880 else {
5881 error = -EINVAL;
5882 goto bad;
5883 }
5884 rcu_read_unlock();
5885
5886 if (!sid)
5887 return 0;
5888
5889 error = security_sid_to_context(sid, value, &len);
5890 if (error)
5891 return error;
5892 return len;
5893
5894 bad:
5895 rcu_read_unlock();
5896 return error;
5897 }
5898
5899 static int selinux_setprocattr(const char *name, void *value, size_t size)
5900 {
5901 struct task_security_struct *tsec;
5902 struct cred *new;
5903 u32 mysid = current_sid(), sid = 0, ptsid;
5904 int error;
5905 char *str = value;
5906
5907 /*
5908 * Basic control over ability to set these attributes at all.
5909 */
5910 if (!strcmp(name, "exec"))
5911 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5912 PROCESS__SETEXEC, NULL);
5913 else if (!strcmp(name, "fscreate"))
5914 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5915 PROCESS__SETFSCREATE, NULL);
5916 else if (!strcmp(name, "keycreate"))
5917 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5918 PROCESS__SETKEYCREATE, NULL);
5919 else if (!strcmp(name, "sockcreate"))
5920 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5921 PROCESS__SETSOCKCREATE, NULL);
5922 else if (!strcmp(name, "current"))
5923 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5924 PROCESS__SETCURRENT, NULL);
5925 else
5926 error = -EINVAL;
5927 if (error)
5928 return error;
5929
5930 /* Obtain a SID for the context, if one was specified. */
5931 if (size && str[0] && str[0] != '\n') {
5932 if (str[size-1] == '\n') {
5933 str[size-1] = 0;
5934 size--;
5935 }
5936 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5937 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5938 if (!has_cap_mac_admin(true)) {
5939 struct audit_buffer *ab;
5940 size_t audit_size;
5941
5942 /* We strip a nul only if it is at the end, otherwise the
5943 * context contains a nul and we should audit that */
5944 if (str[size - 1] == '\0')
5945 audit_size = size - 1;
5946 else
5947 audit_size = size;
5948 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5949 audit_log_format(ab, "op=fscreate invalid_context=");
5950 audit_log_n_untrustedstring(ab, value, audit_size);
5951 audit_log_end(ab);
5952
5953 return error;
5954 }
5955 error = security_context_to_sid_force(value, size,
5956 &sid);
5957 }
5958 if (error)
5959 return error;
5960 }
5961
5962 new = prepare_creds();
5963 if (!new)
5964 return -ENOMEM;
5965
5966 /* Permission checking based on the specified context is
5967 performed during the actual operation (execve,
5968 open/mkdir/...), when we know the full context of the
5969 operation. See selinux_bprm_set_creds for the execve
5970 checks and may_create for the file creation checks. The
5971 operation will then fail if the context is not permitted. */
5972 tsec = new->security;
5973 if (!strcmp(name, "exec")) {
5974 tsec->exec_sid = sid;
5975 } else if (!strcmp(name, "fscreate")) {
5976 tsec->create_sid = sid;
5977 } else if (!strcmp(name, "keycreate")) {
5978 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
5979 NULL);
5980 if (error)
5981 goto abort_change;
5982 tsec->keycreate_sid = sid;
5983 } else if (!strcmp(name, "sockcreate")) {
5984 tsec->sockcreate_sid = sid;
5985 } else if (!strcmp(name, "current")) {
5986 error = -EINVAL;
5987 if (sid == 0)
5988 goto abort_change;
5989
5990 /* Only allow single threaded processes to change context */
5991 error = -EPERM;
5992 if (!current_is_single_threaded()) {
5993 error = security_bounded_transition(tsec->sid, sid);
5994 if (error)
5995 goto abort_change;
5996 }
5997
5998 /* Check permissions for the transition. */
5999 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6000 PROCESS__DYNTRANSITION, NULL);
6001 if (error)
6002 goto abort_change;
6003
6004 /* Check for ptracing, and update the task SID if ok.
6005 Otherwise, leave SID unchanged and fail. */
6006 ptsid = ptrace_parent_sid();
6007 if (ptsid != 0) {
6008 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6009 PROCESS__PTRACE, NULL);
6010 if (error)
6011 goto abort_change;
6012 }
6013
6014 tsec->sid = sid;
6015 } else {
6016 error = -EINVAL;
6017 goto abort_change;
6018 }
6019
6020 commit_creds(new);
6021 return size;
6022
6023 abort_change:
6024 abort_creds(new);
6025 return error;
6026 }
6027
6028 static int selinux_ismaclabel(const char *name)
6029 {
6030 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6031 }
6032
6033 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6034 {
6035 return security_sid_to_context(secid, secdata, seclen);
6036 }
6037
6038 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6039 {
6040 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
6041 }
6042
6043 static void selinux_release_secctx(char *secdata, u32 seclen)
6044 {
6045 kfree(secdata);
6046 }
6047
6048 static void selinux_inode_invalidate_secctx(struct inode *inode)
6049 {
6050 struct inode_security_struct *isec = inode->i_security;
6051
6052 spin_lock(&isec->lock);
6053 isec->initialized = LABEL_INVALID;
6054 spin_unlock(&isec->lock);
6055 }
6056
6057 /*
6058 * called with inode->i_mutex locked
6059 */
6060 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6061 {
6062 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6063 }
6064
6065 /*
6066 * called with inode->i_mutex locked
6067 */
6068 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6069 {
6070 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6071 }
6072
6073 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6074 {
6075 int len = 0;
6076 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6077 ctx, true);
6078 if (len < 0)
6079 return len;
6080 *ctxlen = len;
6081 return 0;
6082 }
6083 #ifdef CONFIG_KEYS
6084
6085 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6086 unsigned long flags)
6087 {
6088 const struct task_security_struct *tsec;
6089 struct key_security_struct *ksec;
6090
6091 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6092 if (!ksec)
6093 return -ENOMEM;
6094
6095 tsec = cred->security;
6096 if (tsec->keycreate_sid)
6097 ksec->sid = tsec->keycreate_sid;
6098 else
6099 ksec->sid = tsec->sid;
6100
6101 k->security = ksec;
6102 return 0;
6103 }
6104
6105 static void selinux_key_free(struct key *k)
6106 {
6107 struct key_security_struct *ksec = k->security;
6108
6109 k->security = NULL;
6110 kfree(ksec);
6111 }
6112
6113 static int selinux_key_permission(key_ref_t key_ref,
6114 const struct cred *cred,
6115 unsigned perm)
6116 {
6117 struct key *key;
6118 struct key_security_struct *ksec;
6119 u32 sid;
6120
6121 /* if no specific permissions are requested, we skip the
6122 permission check. No serious, additional covert channels
6123 appear to be created. */
6124 if (perm == 0)
6125 return 0;
6126
6127 sid = cred_sid(cred);
6128
6129 key = key_ref_to_ptr(key_ref);
6130 ksec = key->security;
6131
6132 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6133 }
6134
6135 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6136 {
6137 struct key_security_struct *ksec = key->security;
6138 char *context = NULL;
6139 unsigned len;
6140 int rc;
6141
6142 rc = security_sid_to_context(ksec->sid, &context, &len);
6143 if (!rc)
6144 rc = len;
6145 *_buffer = context;
6146 return rc;
6147 }
6148 #endif
6149
6150 #ifdef CONFIG_SECURITY_INFINIBAND
6151 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6152 {
6153 struct common_audit_data ad;
6154 int err;
6155 u32 sid = 0;
6156 struct ib_security_struct *sec = ib_sec;
6157 struct lsm_ibpkey_audit ibpkey;
6158
6159 err = security_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6160 if (err)
6161 return err;
6162
6163 ad.type = LSM_AUDIT_DATA_IBPKEY;
6164 ibpkey.subnet_prefix = subnet_prefix;
6165 ibpkey.pkey = pkey_val;
6166 ad.u.ibpkey = &ibpkey;
6167 return avc_has_perm(sec->sid, sid,
6168 SECCLASS_INFINIBAND_PKEY,
6169 INFINIBAND_PKEY__ACCESS, &ad);
6170 }
6171
6172 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6173 u8 port_num)
6174 {
6175 struct common_audit_data ad;
6176 int err;
6177 u32 sid = 0;
6178 struct ib_security_struct *sec = ib_sec;
6179 struct lsm_ibendport_audit ibendport;
6180
6181 err = security_ib_endport_sid(dev_name, port_num, &sid);
6182
6183 if (err)
6184 return err;
6185
6186 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6187 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6188 ibendport.port = port_num;
6189 ad.u.ibendport = &ibendport;
6190 return avc_has_perm(sec->sid, sid,
6191 SECCLASS_INFINIBAND_ENDPORT,
6192 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6193 }
6194
6195 static int selinux_ib_alloc_security(void **ib_sec)
6196 {
6197 struct ib_security_struct *sec;
6198
6199 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6200 if (!sec)
6201 return -ENOMEM;
6202 sec->sid = current_sid();
6203
6204 *ib_sec = sec;
6205 return 0;
6206 }
6207
6208 static void selinux_ib_free_security(void *ib_sec)
6209 {
6210 kfree(ib_sec);
6211 }
6212 #endif
6213
6214 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6215 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6216 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6217 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6218 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6219
6220 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6221 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6222 LSM_HOOK_INIT(capget, selinux_capget),
6223 LSM_HOOK_INIT(capset, selinux_capset),
6224 LSM_HOOK_INIT(capable, selinux_capable),
6225 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6226 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6227 LSM_HOOK_INIT(syslog, selinux_syslog),
6228 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6229
6230 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6231
6232 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6233 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6234 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6235 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6236
6237 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6238 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6239 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6240 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6241 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6242 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6243 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6244 LSM_HOOK_INIT(sb_mount, selinux_mount),
6245 LSM_HOOK_INIT(sb_umount, selinux_umount),
6246 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6247 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6248 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6249
6250 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6251 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6252
6253 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6254 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6255 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6256 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6257 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6258 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6259 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6260 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6261 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6262 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6263 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6264 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6265 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6266 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6267 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6268 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6269 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6270 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6271 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6272 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6273 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6274 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6275 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6276 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6277 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6278 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6279 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6280
6281 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6282 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6283 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6284 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6285 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6286 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6287 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6288 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6289 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6290 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6291 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6292 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6293
6294 LSM_HOOK_INIT(file_open, selinux_file_open),
6295
6296 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6297 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6298 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6299 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6300 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6301 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6302 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6303 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6304 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6305 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6306 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6307 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6308 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6309 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6310 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6311 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6312 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6313 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6314 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6315 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6316 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6317 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6318 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6319
6320 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6321 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6322
6323 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6324 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6325
6326 LSM_HOOK_INIT(msg_queue_alloc_security,
6327 selinux_msg_queue_alloc_security),
6328 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6329 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6330 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6331 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6332 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6333
6334 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6335 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6336 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6337 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6338 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6339
6340 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6341 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6342 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6343 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6344 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6345
6346 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6347
6348 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6349 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6350
6351 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6352 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6353 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6354 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6355 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6356 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6357 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6358 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6359
6360 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6361 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6362
6363 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6364 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6365 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6366 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6367 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6368 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6369 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6370 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6371 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6372 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6373 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6374 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6375 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6376 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6377 LSM_HOOK_INIT(socket_getpeersec_stream,
6378 selinux_socket_getpeersec_stream),
6379 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6380 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6381 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6382 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6383 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6384 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6385 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6386 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6387 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6388 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6389 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6390 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6391 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6392 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6393 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6394 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6395 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6396 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6397 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6398 #ifdef CONFIG_SECURITY_INFINIBAND
6399 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6400 LSM_HOOK_INIT(ib_endport_manage_subnet,
6401 selinux_ib_endport_manage_subnet),
6402 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6403 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6404 #endif
6405 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6406 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6407 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6408 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6409 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6410 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6411 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6412 selinux_xfrm_state_alloc_acquire),
6413 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6414 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6415 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6416 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6417 selinux_xfrm_state_pol_flow_match),
6418 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6419 #endif
6420
6421 #ifdef CONFIG_KEYS
6422 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6423 LSM_HOOK_INIT(key_free, selinux_key_free),
6424 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6425 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6426 #endif
6427
6428 #ifdef CONFIG_AUDIT
6429 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6430 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6431 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6432 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6433 #endif
6434 };
6435
6436 static __init int selinux_init(void)
6437 {
6438 if (!security_module_enable("selinux")) {
6439 selinux_enabled = 0;
6440 return 0;
6441 }
6442
6443 if (!selinux_enabled) {
6444 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6445 return 0;
6446 }
6447
6448 printk(KERN_INFO "SELinux: Initializing.\n");
6449
6450 /* Set the security state for the initial task. */
6451 cred_init_security();
6452
6453 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6454
6455 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6456 sizeof(struct inode_security_struct),
6457 0, SLAB_PANIC, NULL);
6458 file_security_cache = kmem_cache_create("selinux_file_security",
6459 sizeof(struct file_security_struct),
6460 0, SLAB_PANIC, NULL);
6461 avc_init();
6462
6463 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6464
6465 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6466 panic("SELinux: Unable to register AVC netcache callback\n");
6467
6468 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6469 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6470
6471 if (selinux_enforcing)
6472 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6473 else
6474 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6475
6476 return 0;
6477 }
6478
6479 static void delayed_superblock_init(struct super_block *sb, void *unused)
6480 {
6481 superblock_doinit(sb, NULL);
6482 }
6483
6484 void selinux_complete_init(void)
6485 {
6486 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6487
6488 /* Set up any superblocks initialized prior to the policy load. */
6489 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6490 iterate_supers(delayed_superblock_init, NULL);
6491 }
6492
6493 /* SELinux requires early initialization in order to label
6494 all processes and objects when they are created. */
6495 security_initcall(selinux_init);
6496
6497 #if defined(CONFIG_NETFILTER)
6498
6499 static struct nf_hook_ops selinux_nf_ops[] = {
6500 {
6501 .hook = selinux_ipv4_postroute,
6502 .pf = NFPROTO_IPV4,
6503 .hooknum = NF_INET_POST_ROUTING,
6504 .priority = NF_IP_PRI_SELINUX_LAST,
6505 },
6506 {
6507 .hook = selinux_ipv4_forward,
6508 .pf = NFPROTO_IPV4,
6509 .hooknum = NF_INET_FORWARD,
6510 .priority = NF_IP_PRI_SELINUX_FIRST,
6511 },
6512 {
6513 .hook = selinux_ipv4_output,
6514 .pf = NFPROTO_IPV4,
6515 .hooknum = NF_INET_LOCAL_OUT,
6516 .priority = NF_IP_PRI_SELINUX_FIRST,
6517 },
6518 #if IS_ENABLED(CONFIG_IPV6)
6519 {
6520 .hook = selinux_ipv6_postroute,
6521 .pf = NFPROTO_IPV6,
6522 .hooknum = NF_INET_POST_ROUTING,
6523 .priority = NF_IP6_PRI_SELINUX_LAST,
6524 },
6525 {
6526 .hook = selinux_ipv6_forward,
6527 .pf = NFPROTO_IPV6,
6528 .hooknum = NF_INET_FORWARD,
6529 .priority = NF_IP6_PRI_SELINUX_FIRST,
6530 },
6531 {
6532 .hook = selinux_ipv6_output,
6533 .pf = NFPROTO_IPV6,
6534 .hooknum = NF_INET_LOCAL_OUT,
6535 .priority = NF_IP6_PRI_SELINUX_FIRST,
6536 },
6537 #endif /* IPV6 */
6538 };
6539
6540 static int __init selinux_nf_ip_init(void)
6541 {
6542 int err;
6543
6544 if (!selinux_enabled)
6545 return 0;
6546
6547 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6548
6549 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6550 if (err)
6551 panic("SELinux: nf_register_hooks: error %d\n", err);
6552
6553 return 0;
6554 }
6555
6556 __initcall(selinux_nf_ip_init);
6557
6558 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6559 static void selinux_nf_ip_exit(void)
6560 {
6561 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6562
6563 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6564 }
6565 #endif
6566
6567 #else /* CONFIG_NETFILTER */
6568
6569 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6570 #define selinux_nf_ip_exit()
6571 #endif
6572
6573 #endif /* CONFIG_NETFILTER */
6574
6575 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6576 static int selinux_disabled;
6577
6578 int selinux_disable(void)
6579 {
6580 if (ss_initialized) {
6581 /* Not permitted after initial policy load. */
6582 return -EINVAL;
6583 }
6584
6585 if (selinux_disabled) {
6586 /* Only do this once. */
6587 return -EINVAL;
6588 }
6589
6590 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6591
6592 selinux_disabled = 1;
6593 selinux_enabled = 0;
6594
6595 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6596
6597 /* Try to destroy the avc node cache */
6598 avc_disable();
6599
6600 /* Unregister netfilter hooks. */
6601 selinux_nf_ip_exit();
6602
6603 /* Unregister selinuxfs. */
6604 exit_sel_fs();
6605
6606 return 0;
6607 }
6608 #endif
Ubuntu Artful kernel mirror