]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-zesty-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'char-misc-4.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregk...
[mirror_ubuntu-zesty-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105 unsigned long enforcing;
106 if (!kstrtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
108 return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118 unsigned long enabled;
119 if (!kstrtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
121 return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130
131 /**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
140 *
141 */
142 static int selinux_secmark_enabled(void)
143 {
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146
147 /**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157 static int selinux_peerlbl_enabled(void)
158 {
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171 }
172
173 /*
174 * initialise the security for the init task
175 */
176 static void cred_init_security(void)
177 {
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
180
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 if (!tsec)
183 panic("SELinux: Failed to initialize initial task.\n");
184
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
187 }
188
189 /*
190 * get the security ID of a set of credentials
191 */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198 }
199
200 /*
201 * get the objective security ID of a task
202 */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 u32 sid;
206
207 rcu_read_lock();
208 sid = cred_sid(__task_cred(task));
209 rcu_read_unlock();
210 return sid;
211 }
212
213 /*
214 * get the subjective security ID of the current task
215 */
216 static inline u32 current_sid(void)
217 {
218 const struct task_security_struct *tsec = current_security();
219
220 return tsec->sid;
221 }
222
223 /* Allocate and free functions for each kind of security blob. */
224
225 static int inode_alloc_security(struct inode *inode)
226 {
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
229
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 if (!isec)
232 return -ENOMEM;
233
234 mutex_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 inode->i_security = isec;
241
242 return 0;
243 }
244
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247 /*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
253 */
254 static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
256 bool may_sleep)
257 {
258 struct inode_security_struct *isec = inode->i_security;
259
260 might_sleep_if(may_sleep);
261
262 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
271 inode_doinit_with_dentry(inode, opt_dentry);
272 }
273 return 0;
274 }
275
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277 {
278 return inode->i_security;
279 }
280
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282 {
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
288 return inode->i_security;
289 }
290
291 /*
292 * Get the security label of an inode.
293 */
294 static struct inode_security_struct *inode_security(struct inode *inode)
295 {
296 __inode_security_revalidate(inode, NULL, true);
297 return inode->i_security;
298 }
299
300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301 {
302 struct inode *inode = d_backing_inode(dentry);
303
304 return inode->i_security;
305 }
306
307 /*
308 * Get the security label of a dentry's backing inode.
309 */
310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311 {
312 struct inode *inode = d_backing_inode(dentry);
313
314 __inode_security_revalidate(inode, dentry, true);
315 return inode->i_security;
316 }
317
318 static void inode_free_rcu(struct rcu_head *head)
319 {
320 struct inode_security_struct *isec;
321
322 isec = container_of(head, struct inode_security_struct, rcu);
323 kmem_cache_free(sel_inode_cache, isec);
324 }
325
326 static void inode_free_security(struct inode *inode)
327 {
328 struct inode_security_struct *isec = inode->i_security;
329 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
330
331 /*
332 * As not all inode security structures are in a list, we check for
333 * empty list outside of the lock to make sure that we won't waste
334 * time taking a lock doing nothing.
335 *
336 * The list_del_init() function can be safely called more than once.
337 * It should not be possible for this function to be called with
338 * concurrent list_add(), but for better safety against future changes
339 * in the code, we use list_empty_careful() here.
340 */
341 if (!list_empty_careful(&isec->list)) {
342 spin_lock(&sbsec->isec_lock);
343 list_del_init(&isec->list);
344 spin_unlock(&sbsec->isec_lock);
345 }
346
347 /*
348 * The inode may still be referenced in a path walk and
349 * a call to selinux_inode_permission() can be made
350 * after inode_free_security() is called. Ideally, the VFS
351 * wouldn't do this, but fixing that is a much harder
352 * job. For now, simply free the i_security via RCU, and
353 * leave the current inode->i_security pointer intact.
354 * The inode will be freed after the RCU grace period too.
355 */
356 call_rcu(&isec->rcu, inode_free_rcu);
357 }
358
359 static int file_alloc_security(struct file *file)
360 {
361 struct file_security_struct *fsec;
362 u32 sid = current_sid();
363
364 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
365 if (!fsec)
366 return -ENOMEM;
367
368 fsec->sid = sid;
369 fsec->fown_sid = sid;
370 file->f_security = fsec;
371
372 return 0;
373 }
374
375 static void file_free_security(struct file *file)
376 {
377 struct file_security_struct *fsec = file->f_security;
378 file->f_security = NULL;
379 kmem_cache_free(file_security_cache, fsec);
380 }
381
382 static int superblock_alloc_security(struct super_block *sb)
383 {
384 struct superblock_security_struct *sbsec;
385
386 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
387 if (!sbsec)
388 return -ENOMEM;
389
390 mutex_init(&sbsec->lock);
391 INIT_LIST_HEAD(&sbsec->isec_head);
392 spin_lock_init(&sbsec->isec_lock);
393 sbsec->sb = sb;
394 sbsec->sid = SECINITSID_UNLABELED;
395 sbsec->def_sid = SECINITSID_FILE;
396 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
397 sb->s_security = sbsec;
398
399 return 0;
400 }
401
402 static void superblock_free_security(struct super_block *sb)
403 {
404 struct superblock_security_struct *sbsec = sb->s_security;
405 sb->s_security = NULL;
406 kfree(sbsec);
407 }
408
409 /* The file system's label must be initialized prior to use. */
410
411 static const char *labeling_behaviors[7] = {
412 "uses xattr",
413 "uses transition SIDs",
414 "uses task SIDs",
415 "uses genfs_contexts",
416 "not configured for labeling",
417 "uses mountpoint labeling",
418 "uses native labeling",
419 };
420
421 static inline int inode_doinit(struct inode *inode)
422 {
423 return inode_doinit_with_dentry(inode, NULL);
424 }
425
426 enum {
427 Opt_error = -1,
428 Opt_context = 1,
429 Opt_fscontext = 2,
430 Opt_defcontext = 3,
431 Opt_rootcontext = 4,
432 Opt_labelsupport = 5,
433 Opt_nextmntopt = 6,
434 };
435
436 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
437
438 static const match_table_t tokens = {
439 {Opt_context, CONTEXT_STR "%s"},
440 {Opt_fscontext, FSCONTEXT_STR "%s"},
441 {Opt_defcontext, DEFCONTEXT_STR "%s"},
442 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
443 {Opt_labelsupport, LABELSUPP_STR},
444 {Opt_error, NULL},
445 };
446
447 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
448
449 static int may_context_mount_sb_relabel(u32 sid,
450 struct superblock_security_struct *sbsec,
451 const struct cred *cred)
452 {
453 const struct task_security_struct *tsec = cred->security;
454 int rc;
455
456 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
457 FILESYSTEM__RELABELFROM, NULL);
458 if (rc)
459 return rc;
460
461 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
462 FILESYSTEM__RELABELTO, NULL);
463 return rc;
464 }
465
466 static int may_context_mount_inode_relabel(u32 sid,
467 struct superblock_security_struct *sbsec,
468 const struct cred *cred)
469 {
470 const struct task_security_struct *tsec = cred->security;
471 int rc;
472 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
473 FILESYSTEM__RELABELFROM, NULL);
474 if (rc)
475 return rc;
476
477 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__ASSOCIATE, NULL);
479 return rc;
480 }
481
482 static int selinux_is_sblabel_mnt(struct super_block *sb)
483 {
484 struct superblock_security_struct *sbsec = sb->s_security;
485
486 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
487 sbsec->behavior == SECURITY_FS_USE_TRANS ||
488 sbsec->behavior == SECURITY_FS_USE_TASK ||
489 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
490 /* Special handling. Genfs but also in-core setxattr handler */
491 !strcmp(sb->s_type->name, "sysfs") ||
492 !strcmp(sb->s_type->name, "pstore") ||
493 !strcmp(sb->s_type->name, "debugfs") ||
494 !strcmp(sb->s_type->name, "rootfs");
495 }
496
497 static int sb_finish_set_opts(struct super_block *sb)
498 {
499 struct superblock_security_struct *sbsec = sb->s_security;
500 struct dentry *root = sb->s_root;
501 struct inode *root_inode = d_backing_inode(root);
502 int rc = 0;
503
504 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
505 /* Make sure that the xattr handler exists and that no
506 error other than -ENODATA is returned by getxattr on
507 the root directory. -ENODATA is ok, as this may be
508 the first boot of the SELinux kernel before we have
509 assigned xattr values to the filesystem. */
510 if (!(root_inode->i_opflags & IOP_XATTR)) {
511 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
512 "xattr support\n", sb->s_id, sb->s_type->name);
513 rc = -EOPNOTSUPP;
514 goto out;
515 }
516
517 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
518 if (rc < 0 && rc != -ENODATA) {
519 if (rc == -EOPNOTSUPP)
520 printk(KERN_WARNING "SELinux: (dev %s, type "
521 "%s) has no security xattr handler\n",
522 sb->s_id, sb->s_type->name);
523 else
524 printk(KERN_WARNING "SELinux: (dev %s, type "
525 "%s) getxattr errno %d\n", sb->s_id,
526 sb->s_type->name, -rc);
527 goto out;
528 }
529 }
530
531 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
532 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
533 sb->s_id, sb->s_type->name);
534
535 sbsec->flags |= SE_SBINITIALIZED;
536 if (selinux_is_sblabel_mnt(sb))
537 sbsec->flags |= SBLABEL_MNT;
538
539 /* Initialize the root inode. */
540 rc = inode_doinit_with_dentry(root_inode, root);
541
542 /* Initialize any other inodes associated with the superblock, e.g.
543 inodes created prior to initial policy load or inodes created
544 during get_sb by a pseudo filesystem that directly
545 populates itself. */
546 spin_lock(&sbsec->isec_lock);
547 next_inode:
548 if (!list_empty(&sbsec->isec_head)) {
549 struct inode_security_struct *isec =
550 list_entry(sbsec->isec_head.next,
551 struct inode_security_struct, list);
552 struct inode *inode = isec->inode;
553 list_del_init(&isec->list);
554 spin_unlock(&sbsec->isec_lock);
555 inode = igrab(inode);
556 if (inode) {
557 if (!IS_PRIVATE(inode))
558 inode_doinit(inode);
559 iput(inode);
560 }
561 spin_lock(&sbsec->isec_lock);
562 goto next_inode;
563 }
564 spin_unlock(&sbsec->isec_lock);
565 out:
566 return rc;
567 }
568
569 /*
570 * This function should allow an FS to ask what it's mount security
571 * options were so it can use those later for submounts, displaying
572 * mount options, or whatever.
573 */
574 static int selinux_get_mnt_opts(const struct super_block *sb,
575 struct security_mnt_opts *opts)
576 {
577 int rc = 0, i;
578 struct superblock_security_struct *sbsec = sb->s_security;
579 char *context = NULL;
580 u32 len;
581 char tmp;
582
583 security_init_mnt_opts(opts);
584
585 if (!(sbsec->flags & SE_SBINITIALIZED))
586 return -EINVAL;
587
588 if (!ss_initialized)
589 return -EINVAL;
590
591 /* make sure we always check enough bits to cover the mask */
592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
593
594 tmp = sbsec->flags & SE_MNTMASK;
595 /* count the number of mount options for this sb */
596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
597 if (tmp & 0x01)
598 opts->num_mnt_opts++;
599 tmp >>= 1;
600 }
601 /* Check if the Label support flag is set */
602 if (sbsec->flags & SBLABEL_MNT)
603 opts->num_mnt_opts++;
604
605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
606 if (!opts->mnt_opts) {
607 rc = -ENOMEM;
608 goto out_free;
609 }
610
611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
612 if (!opts->mnt_opts_flags) {
613 rc = -ENOMEM;
614 goto out_free;
615 }
616
617 i = 0;
618 if (sbsec->flags & FSCONTEXT_MNT) {
619 rc = security_sid_to_context(sbsec->sid, &context, &len);
620 if (rc)
621 goto out_free;
622 opts->mnt_opts[i] = context;
623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
624 }
625 if (sbsec->flags & CONTEXT_MNT) {
626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
627 if (rc)
628 goto out_free;
629 opts->mnt_opts[i] = context;
630 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
631 }
632 if (sbsec->flags & DEFCONTEXT_MNT) {
633 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
634 if (rc)
635 goto out_free;
636 opts->mnt_opts[i] = context;
637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
638 }
639 if (sbsec->flags & ROOTCONTEXT_MNT) {
640 struct dentry *root = sbsec->sb->s_root;
641 struct inode_security_struct *isec = backing_inode_security(root);
642
643 rc = security_sid_to_context(isec->sid, &context, &len);
644 if (rc)
645 goto out_free;
646 opts->mnt_opts[i] = context;
647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
648 }
649 if (sbsec->flags & SBLABEL_MNT) {
650 opts->mnt_opts[i] = NULL;
651 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
652 }
653
654 BUG_ON(i != opts->num_mnt_opts);
655
656 return 0;
657
658 out_free:
659 security_free_mnt_opts(opts);
660 return rc;
661 }
662
663 static int bad_option(struct superblock_security_struct *sbsec, char flag,
664 u32 old_sid, u32 new_sid)
665 {
666 char mnt_flags = sbsec->flags & SE_MNTMASK;
667
668 /* check if the old mount command had the same options */
669 if (sbsec->flags & SE_SBINITIALIZED)
670 if (!(sbsec->flags & flag) ||
671 (old_sid != new_sid))
672 return 1;
673
674 /* check if we were passed the same options twice,
675 * aka someone passed context=a,context=b
676 */
677 if (!(sbsec->flags & SE_SBINITIALIZED))
678 if (mnt_flags & flag)
679 return 1;
680 return 0;
681 }
682
683 /*
684 * Allow filesystems with binary mount data to explicitly set mount point
685 * labeling information.
686 */
687 static int selinux_set_mnt_opts(struct super_block *sb,
688 struct security_mnt_opts *opts,
689 unsigned long kern_flags,
690 unsigned long *set_kern_flags)
691 {
692 const struct cred *cred = current_cred();
693 int rc = 0, i;
694 struct superblock_security_struct *sbsec = sb->s_security;
695 const char *name = sb->s_type->name;
696 struct dentry *root = sbsec->sb->s_root;
697 struct inode_security_struct *root_isec;
698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
699 u32 defcontext_sid = 0;
700 char **mount_options = opts->mnt_opts;
701 int *flags = opts->mnt_opts_flags;
702 int num_opts = opts->num_mnt_opts;
703
704 mutex_lock(&sbsec->lock);
705
706 if (!ss_initialized) {
707 if (!num_opts) {
708 /* Defer initialization until selinux_complete_init,
709 after the initial policy is loaded and the security
710 server is ready to handle calls. */
711 goto out;
712 }
713 rc = -EINVAL;
714 printk(KERN_WARNING "SELinux: Unable to set superblock options "
715 "before the security server is initialized\n");
716 goto out;
717 }
718 if (kern_flags && !set_kern_flags) {
719 /* Specifying internal flags without providing a place to
720 * place the results is not allowed */
721 rc = -EINVAL;
722 goto out;
723 }
724
725 /*
726 * Binary mount data FS will come through this function twice. Once
727 * from an explicit call and once from the generic calls from the vfs.
728 * Since the generic VFS calls will not contain any security mount data
729 * we need to skip the double mount verification.
730 *
731 * This does open a hole in which we will not notice if the first
732 * mount using this sb set explict options and a second mount using
733 * this sb does not set any security options. (The first options
734 * will be used for both mounts)
735 */
736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
737 && (num_opts == 0))
738 goto out;
739
740 root_isec = backing_inode_security_novalidate(root);
741
742 /*
743 * parse the mount options, check if they are valid sids.
744 * also check if someone is trying to mount the same sb more
745 * than once with different security options.
746 */
747 for (i = 0; i < num_opts; i++) {
748 u32 sid;
749
750 if (flags[i] == SBLABEL_MNT)
751 continue;
752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
753 if (rc) {
754 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
755 "(%s) failed for (dev %s, type %s) errno=%d\n",
756 mount_options[i], sb->s_id, name, rc);
757 goto out;
758 }
759 switch (flags[i]) {
760 case FSCONTEXT_MNT:
761 fscontext_sid = sid;
762
763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
764 fscontext_sid))
765 goto out_double_mount;
766
767 sbsec->flags |= FSCONTEXT_MNT;
768 break;
769 case CONTEXT_MNT:
770 context_sid = sid;
771
772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
773 context_sid))
774 goto out_double_mount;
775
776 sbsec->flags |= CONTEXT_MNT;
777 break;
778 case ROOTCONTEXT_MNT:
779 rootcontext_sid = sid;
780
781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
782 rootcontext_sid))
783 goto out_double_mount;
784
785 sbsec->flags |= ROOTCONTEXT_MNT;
786
787 break;
788 case DEFCONTEXT_MNT:
789 defcontext_sid = sid;
790
791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
792 defcontext_sid))
793 goto out_double_mount;
794
795 sbsec->flags |= DEFCONTEXT_MNT;
796
797 break;
798 default:
799 rc = -EINVAL;
800 goto out;
801 }
802 }
803
804 if (sbsec->flags & SE_SBINITIALIZED) {
805 /* previously mounted with options, but not on this attempt? */
806 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
807 goto out_double_mount;
808 rc = 0;
809 goto out;
810 }
811
812 if (strcmp(sb->s_type->name, "proc") == 0)
813 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
814
815 if (!strcmp(sb->s_type->name, "debugfs") ||
816 !strcmp(sb->s_type->name, "sysfs") ||
817 !strcmp(sb->s_type->name, "pstore"))
818 sbsec->flags |= SE_SBGENFS;
819
820 if (!sbsec->behavior) {
821 /*
822 * Determine the labeling behavior to use for this
823 * filesystem type.
824 */
825 rc = security_fs_use(sb);
826 if (rc) {
827 printk(KERN_WARNING
828 "%s: security_fs_use(%s) returned %d\n",
829 __func__, sb->s_type->name, rc);
830 goto out;
831 }
832 }
833
834 /*
835 * If this is a user namespace mount, no contexts are allowed
836 * on the command line and security labels must be ignored.
837 */
838 if (sb->s_user_ns != &init_user_ns) {
839 if (context_sid || fscontext_sid || rootcontext_sid ||
840 defcontext_sid) {
841 rc = -EACCES;
842 goto out;
843 }
844 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
845 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
846 rc = security_transition_sid(current_sid(), current_sid(),
847 SECCLASS_FILE, NULL,
848 &sbsec->mntpoint_sid);
849 if (rc)
850 goto out;
851 }
852 goto out_set_opts;
853 }
854
855 /* sets the context of the superblock for the fs being mounted. */
856 if (fscontext_sid) {
857 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
858 if (rc)
859 goto out;
860
861 sbsec->sid = fscontext_sid;
862 }
863
864 /*
865 * Switch to using mount point labeling behavior.
866 * sets the label used on all file below the mountpoint, and will set
867 * the superblock context if not already set.
868 */
869 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
870 sbsec->behavior = SECURITY_FS_USE_NATIVE;
871 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
872 }
873
874 if (context_sid) {
875 if (!fscontext_sid) {
876 rc = may_context_mount_sb_relabel(context_sid, sbsec,
877 cred);
878 if (rc)
879 goto out;
880 sbsec->sid = context_sid;
881 } else {
882 rc = may_context_mount_inode_relabel(context_sid, sbsec,
883 cred);
884 if (rc)
885 goto out;
886 }
887 if (!rootcontext_sid)
888 rootcontext_sid = context_sid;
889
890 sbsec->mntpoint_sid = context_sid;
891 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
892 }
893
894 if (rootcontext_sid) {
895 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
896 cred);
897 if (rc)
898 goto out;
899
900 root_isec->sid = rootcontext_sid;
901 root_isec->initialized = LABEL_INITIALIZED;
902 }
903
904 if (defcontext_sid) {
905 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
906 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
907 rc = -EINVAL;
908 printk(KERN_WARNING "SELinux: defcontext option is "
909 "invalid for this filesystem type\n");
910 goto out;
911 }
912
913 if (defcontext_sid != sbsec->def_sid) {
914 rc = may_context_mount_inode_relabel(defcontext_sid,
915 sbsec, cred);
916 if (rc)
917 goto out;
918 }
919
920 sbsec->def_sid = defcontext_sid;
921 }
922
923 out_set_opts:
924 rc = sb_finish_set_opts(sb);
925 out:
926 mutex_unlock(&sbsec->lock);
927 return rc;
928 out_double_mount:
929 rc = -EINVAL;
930 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
931 "security settings for (dev %s, type %s)\n", sb->s_id, name);
932 goto out;
933 }
934
935 static int selinux_cmp_sb_context(const struct super_block *oldsb,
936 const struct super_block *newsb)
937 {
938 struct superblock_security_struct *old = oldsb->s_security;
939 struct superblock_security_struct *new = newsb->s_security;
940 char oldflags = old->flags & SE_MNTMASK;
941 char newflags = new->flags & SE_MNTMASK;
942
943 if (oldflags != newflags)
944 goto mismatch;
945 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
946 goto mismatch;
947 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
948 goto mismatch;
949 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
950 goto mismatch;
951 if (oldflags & ROOTCONTEXT_MNT) {
952 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
953 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
954 if (oldroot->sid != newroot->sid)
955 goto mismatch;
956 }
957 return 0;
958 mismatch:
959 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
960 "different security settings for (dev %s, "
961 "type %s)\n", newsb->s_id, newsb->s_type->name);
962 return -EBUSY;
963 }
964
965 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
966 struct super_block *newsb)
967 {
968 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
969 struct superblock_security_struct *newsbsec = newsb->s_security;
970
971 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
972 int set_context = (oldsbsec->flags & CONTEXT_MNT);
973 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
974
975 /*
976 * if the parent was able to be mounted it clearly had no special lsm
977 * mount options. thus we can safely deal with this superblock later
978 */
979 if (!ss_initialized)
980 return 0;
981
982 /* how can we clone if the old one wasn't set up?? */
983 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
984
985 /* if fs is reusing a sb, make sure that the contexts match */
986 if (newsbsec->flags & SE_SBINITIALIZED)
987 return selinux_cmp_sb_context(oldsb, newsb);
988
989 mutex_lock(&newsbsec->lock);
990
991 newsbsec->flags = oldsbsec->flags;
992
993 newsbsec->sid = oldsbsec->sid;
994 newsbsec->def_sid = oldsbsec->def_sid;
995 newsbsec->behavior = oldsbsec->behavior;
996
997 if (set_context) {
998 u32 sid = oldsbsec->mntpoint_sid;
999
1000 if (!set_fscontext)
1001 newsbsec->sid = sid;
1002 if (!set_rootcontext) {
1003 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1004 newisec->sid = sid;
1005 }
1006 newsbsec->mntpoint_sid = sid;
1007 }
1008 if (set_rootcontext) {
1009 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1010 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1011
1012 newisec->sid = oldisec->sid;
1013 }
1014
1015 sb_finish_set_opts(newsb);
1016 mutex_unlock(&newsbsec->lock);
1017 return 0;
1018 }
1019
1020 static int selinux_parse_opts_str(char *options,
1021 struct security_mnt_opts *opts)
1022 {
1023 char *p;
1024 char *context = NULL, *defcontext = NULL;
1025 char *fscontext = NULL, *rootcontext = NULL;
1026 int rc, num_mnt_opts = 0;
1027
1028 opts->num_mnt_opts = 0;
1029
1030 /* Standard string-based options. */
1031 while ((p = strsep(&options, "|")) != NULL) {
1032 int token;
1033 substring_t args[MAX_OPT_ARGS];
1034
1035 if (!*p)
1036 continue;
1037
1038 token = match_token(p, tokens, args);
1039
1040 switch (token) {
1041 case Opt_context:
1042 if (context || defcontext) {
1043 rc = -EINVAL;
1044 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1045 goto out_err;
1046 }
1047 context = match_strdup(&args[0]);
1048 if (!context) {
1049 rc = -ENOMEM;
1050 goto out_err;
1051 }
1052 break;
1053
1054 case Opt_fscontext:
1055 if (fscontext) {
1056 rc = -EINVAL;
1057 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1058 goto out_err;
1059 }
1060 fscontext = match_strdup(&args[0]);
1061 if (!fscontext) {
1062 rc = -ENOMEM;
1063 goto out_err;
1064 }
1065 break;
1066
1067 case Opt_rootcontext:
1068 if (rootcontext) {
1069 rc = -EINVAL;
1070 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1071 goto out_err;
1072 }
1073 rootcontext = match_strdup(&args[0]);
1074 if (!rootcontext) {
1075 rc = -ENOMEM;
1076 goto out_err;
1077 }
1078 break;
1079
1080 case Opt_defcontext:
1081 if (context || defcontext) {
1082 rc = -EINVAL;
1083 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1084 goto out_err;
1085 }
1086 defcontext = match_strdup(&args[0]);
1087 if (!defcontext) {
1088 rc = -ENOMEM;
1089 goto out_err;
1090 }
1091 break;
1092 case Opt_labelsupport:
1093 break;
1094 default:
1095 rc = -EINVAL;
1096 printk(KERN_WARNING "SELinux: unknown mount option\n");
1097 goto out_err;
1098
1099 }
1100 }
1101
1102 rc = -ENOMEM;
1103 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1104 if (!opts->mnt_opts)
1105 goto out_err;
1106
1107 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1108 if (!opts->mnt_opts_flags) {
1109 kfree(opts->mnt_opts);
1110 goto out_err;
1111 }
1112
1113 if (fscontext) {
1114 opts->mnt_opts[num_mnt_opts] = fscontext;
1115 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1116 }
1117 if (context) {
1118 opts->mnt_opts[num_mnt_opts] = context;
1119 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1120 }
1121 if (rootcontext) {
1122 opts->mnt_opts[num_mnt_opts] = rootcontext;
1123 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1124 }
1125 if (defcontext) {
1126 opts->mnt_opts[num_mnt_opts] = defcontext;
1127 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1128 }
1129
1130 opts->num_mnt_opts = num_mnt_opts;
1131 return 0;
1132
1133 out_err:
1134 kfree(context);
1135 kfree(defcontext);
1136 kfree(fscontext);
1137 kfree(rootcontext);
1138 return rc;
1139 }
1140 /*
1141 * string mount options parsing and call set the sbsec
1142 */
1143 static int superblock_doinit(struct super_block *sb, void *data)
1144 {
1145 int rc = 0;
1146 char *options = data;
1147 struct security_mnt_opts opts;
1148
1149 security_init_mnt_opts(&opts);
1150
1151 if (!data)
1152 goto out;
1153
1154 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1155
1156 rc = selinux_parse_opts_str(options, &opts);
1157 if (rc)
1158 goto out_err;
1159
1160 out:
1161 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1162
1163 out_err:
1164 security_free_mnt_opts(&opts);
1165 return rc;
1166 }
1167
1168 static void selinux_write_opts(struct seq_file *m,
1169 struct security_mnt_opts *opts)
1170 {
1171 int i;
1172 char *prefix;
1173
1174 for (i = 0; i < opts->num_mnt_opts; i++) {
1175 char *has_comma;
1176
1177 if (opts->mnt_opts[i])
1178 has_comma = strchr(opts->mnt_opts[i], ',');
1179 else
1180 has_comma = NULL;
1181
1182 switch (opts->mnt_opts_flags[i]) {
1183 case CONTEXT_MNT:
1184 prefix = CONTEXT_STR;
1185 break;
1186 case FSCONTEXT_MNT:
1187 prefix = FSCONTEXT_STR;
1188 break;
1189 case ROOTCONTEXT_MNT:
1190 prefix = ROOTCONTEXT_STR;
1191 break;
1192 case DEFCONTEXT_MNT:
1193 prefix = DEFCONTEXT_STR;
1194 break;
1195 case SBLABEL_MNT:
1196 seq_putc(m, ',');
1197 seq_puts(m, LABELSUPP_STR);
1198 continue;
1199 default:
1200 BUG();
1201 return;
1202 };
1203 /* we need a comma before each option */
1204 seq_putc(m, ',');
1205 seq_puts(m, prefix);
1206 if (has_comma)
1207 seq_putc(m, '\"');
1208 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1209 if (has_comma)
1210 seq_putc(m, '\"');
1211 }
1212 }
1213
1214 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1215 {
1216 struct security_mnt_opts opts;
1217 int rc;
1218
1219 rc = selinux_get_mnt_opts(sb, &opts);
1220 if (rc) {
1221 /* before policy load we may get EINVAL, don't show anything */
1222 if (rc == -EINVAL)
1223 rc = 0;
1224 return rc;
1225 }
1226
1227 selinux_write_opts(m, &opts);
1228
1229 security_free_mnt_opts(&opts);
1230
1231 return rc;
1232 }
1233
1234 static inline u16 inode_mode_to_security_class(umode_t mode)
1235 {
1236 switch (mode & S_IFMT) {
1237 case S_IFSOCK:
1238 return SECCLASS_SOCK_FILE;
1239 case S_IFLNK:
1240 return SECCLASS_LNK_FILE;
1241 case S_IFREG:
1242 return SECCLASS_FILE;
1243 case S_IFBLK:
1244 return SECCLASS_BLK_FILE;
1245 case S_IFDIR:
1246 return SECCLASS_DIR;
1247 case S_IFCHR:
1248 return SECCLASS_CHR_FILE;
1249 case S_IFIFO:
1250 return SECCLASS_FIFO_FILE;
1251
1252 }
1253
1254 return SECCLASS_FILE;
1255 }
1256
1257 static inline int default_protocol_stream(int protocol)
1258 {
1259 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1260 }
1261
1262 static inline int default_protocol_dgram(int protocol)
1263 {
1264 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1265 }
1266
1267 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1268 {
1269 switch (family) {
1270 case PF_UNIX:
1271 switch (type) {
1272 case SOCK_STREAM:
1273 case SOCK_SEQPACKET:
1274 return SECCLASS_UNIX_STREAM_SOCKET;
1275 case SOCK_DGRAM:
1276 return SECCLASS_UNIX_DGRAM_SOCKET;
1277 }
1278 break;
1279 case PF_INET:
1280 case PF_INET6:
1281 switch (type) {
1282 case SOCK_STREAM:
1283 if (default_protocol_stream(protocol))
1284 return SECCLASS_TCP_SOCKET;
1285 else
1286 return SECCLASS_RAWIP_SOCKET;
1287 case SOCK_DGRAM:
1288 if (default_protocol_dgram(protocol))
1289 return SECCLASS_UDP_SOCKET;
1290 else
1291 return SECCLASS_RAWIP_SOCKET;
1292 case SOCK_DCCP:
1293 return SECCLASS_DCCP_SOCKET;
1294 default:
1295 return SECCLASS_RAWIP_SOCKET;
1296 }
1297 break;
1298 case PF_NETLINK:
1299 switch (protocol) {
1300 case NETLINK_ROUTE:
1301 return SECCLASS_NETLINK_ROUTE_SOCKET;
1302 case NETLINK_SOCK_DIAG:
1303 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1304 case NETLINK_NFLOG:
1305 return SECCLASS_NETLINK_NFLOG_SOCKET;
1306 case NETLINK_XFRM:
1307 return SECCLASS_NETLINK_XFRM_SOCKET;
1308 case NETLINK_SELINUX:
1309 return SECCLASS_NETLINK_SELINUX_SOCKET;
1310 case NETLINK_ISCSI:
1311 return SECCLASS_NETLINK_ISCSI_SOCKET;
1312 case NETLINK_AUDIT:
1313 return SECCLASS_NETLINK_AUDIT_SOCKET;
1314 case NETLINK_FIB_LOOKUP:
1315 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1316 case NETLINK_CONNECTOR:
1317 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1318 case NETLINK_NETFILTER:
1319 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1320 case NETLINK_DNRTMSG:
1321 return SECCLASS_NETLINK_DNRT_SOCKET;
1322 case NETLINK_KOBJECT_UEVENT:
1323 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1324 case NETLINK_GENERIC:
1325 return SECCLASS_NETLINK_GENERIC_SOCKET;
1326 case NETLINK_SCSITRANSPORT:
1327 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1328 case NETLINK_RDMA:
1329 return SECCLASS_NETLINK_RDMA_SOCKET;
1330 case NETLINK_CRYPTO:
1331 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1332 default:
1333 return SECCLASS_NETLINK_SOCKET;
1334 }
1335 case PF_PACKET:
1336 return SECCLASS_PACKET_SOCKET;
1337 case PF_KEY:
1338 return SECCLASS_KEY_SOCKET;
1339 case PF_APPLETALK:
1340 return SECCLASS_APPLETALK_SOCKET;
1341 }
1342
1343 return SECCLASS_SOCKET;
1344 }
1345
1346 static int selinux_genfs_get_sid(struct dentry *dentry,
1347 u16 tclass,
1348 u16 flags,
1349 u32 *sid)
1350 {
1351 int rc;
1352 struct super_block *sb = dentry->d_sb;
1353 char *buffer, *path;
1354
1355 buffer = (char *)__get_free_page(GFP_KERNEL);
1356 if (!buffer)
1357 return -ENOMEM;
1358
1359 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1360 if (IS_ERR(path))
1361 rc = PTR_ERR(path);
1362 else {
1363 if (flags & SE_SBPROC) {
1364 /* each process gets a /proc/PID/ entry. Strip off the
1365 * PID part to get a valid selinux labeling.
1366 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1367 while (path[1] >= '0' && path[1] <= '9') {
1368 path[1] = '/';
1369 path++;
1370 }
1371 }
1372 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1373 }
1374 free_page((unsigned long)buffer);
1375 return rc;
1376 }
1377
1378 /* The inode's security attributes must be initialized before first use. */
1379 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1380 {
1381 struct superblock_security_struct *sbsec = NULL;
1382 struct inode_security_struct *isec = inode->i_security;
1383 u32 sid;
1384 struct dentry *dentry;
1385 #define INITCONTEXTLEN 255
1386 char *context = NULL;
1387 unsigned len = 0;
1388 int rc = 0;
1389
1390 if (isec->initialized == LABEL_INITIALIZED)
1391 goto out;
1392
1393 mutex_lock(&isec->lock);
1394 if (isec->initialized == LABEL_INITIALIZED)
1395 goto out_unlock;
1396
1397 sbsec = inode->i_sb->s_security;
1398 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1399 /* Defer initialization until selinux_complete_init,
1400 after the initial policy is loaded and the security
1401 server is ready to handle calls. */
1402 spin_lock(&sbsec->isec_lock);
1403 if (list_empty(&isec->list))
1404 list_add(&isec->list, &sbsec->isec_head);
1405 spin_unlock(&sbsec->isec_lock);
1406 goto out_unlock;
1407 }
1408
1409 switch (sbsec->behavior) {
1410 case SECURITY_FS_USE_NATIVE:
1411 break;
1412 case SECURITY_FS_USE_XATTR:
1413 if (!(inode->i_opflags & IOP_XATTR)) {
1414 isec->sid = sbsec->def_sid;
1415 break;
1416 }
1417 /* Need a dentry, since the xattr API requires one.
1418 Life would be simpler if we could just pass the inode. */
1419 if (opt_dentry) {
1420 /* Called from d_instantiate or d_splice_alias. */
1421 dentry = dget(opt_dentry);
1422 } else {
1423 /* Called from selinux_complete_init, try to find a dentry. */
1424 dentry = d_find_alias(inode);
1425 }
1426 if (!dentry) {
1427 /*
1428 * this is can be hit on boot when a file is accessed
1429 * before the policy is loaded. When we load policy we
1430 * may find inodes that have no dentry on the
1431 * sbsec->isec_head list. No reason to complain as these
1432 * will get fixed up the next time we go through
1433 * inode_doinit with a dentry, before these inodes could
1434 * be used again by userspace.
1435 */
1436 goto out_unlock;
1437 }
1438
1439 len = INITCONTEXTLEN;
1440 context = kmalloc(len+1, GFP_NOFS);
1441 if (!context) {
1442 rc = -ENOMEM;
1443 dput(dentry);
1444 goto out_unlock;
1445 }
1446 context[len] = '\0';
1447 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1448 if (rc == -ERANGE) {
1449 kfree(context);
1450
1451 /* Need a larger buffer. Query for the right size. */
1452 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1453 if (rc < 0) {
1454 dput(dentry);
1455 goto out_unlock;
1456 }
1457 len = rc;
1458 context = kmalloc(len+1, GFP_NOFS);
1459 if (!context) {
1460 rc = -ENOMEM;
1461 dput(dentry);
1462 goto out_unlock;
1463 }
1464 context[len] = '\0';
1465 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1466 }
1467 dput(dentry);
1468 if (rc < 0) {
1469 if (rc != -ENODATA) {
1470 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1471 "%d for dev=%s ino=%ld\n", __func__,
1472 -rc, inode->i_sb->s_id, inode->i_ino);
1473 kfree(context);
1474 goto out_unlock;
1475 }
1476 /* Map ENODATA to the default file SID */
1477 sid = sbsec->def_sid;
1478 rc = 0;
1479 } else {
1480 rc = security_context_to_sid_default(context, rc, &sid,
1481 sbsec->def_sid,
1482 GFP_NOFS);
1483 if (rc) {
1484 char *dev = inode->i_sb->s_id;
1485 unsigned long ino = inode->i_ino;
1486
1487 if (rc == -EINVAL) {
1488 if (printk_ratelimit())
1489 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1490 "context=%s. This indicates you may need to relabel the inode or the "
1491 "filesystem in question.\n", ino, dev, context);
1492 } else {
1493 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1494 "returned %d for dev=%s ino=%ld\n",
1495 __func__, context, -rc, dev, ino);
1496 }
1497 kfree(context);
1498 /* Leave with the unlabeled SID */
1499 rc = 0;
1500 break;
1501 }
1502 }
1503 kfree(context);
1504 isec->sid = sid;
1505 break;
1506 case SECURITY_FS_USE_TASK:
1507 isec->sid = isec->task_sid;
1508 break;
1509 case SECURITY_FS_USE_TRANS:
1510 /* Default to the fs SID. */
1511 isec->sid = sbsec->sid;
1512
1513 /* Try to obtain a transition SID. */
1514 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1515 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1516 isec->sclass, NULL, &sid);
1517 if (rc)
1518 goto out_unlock;
1519 isec->sid = sid;
1520 break;
1521 case SECURITY_FS_USE_MNTPOINT:
1522 isec->sid = sbsec->mntpoint_sid;
1523 break;
1524 default:
1525 /* Default to the fs superblock SID. */
1526 isec->sid = sbsec->sid;
1527
1528 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1529 /* We must have a dentry to determine the label on
1530 * procfs inodes */
1531 if (opt_dentry)
1532 /* Called from d_instantiate or
1533 * d_splice_alias. */
1534 dentry = dget(opt_dentry);
1535 else
1536 /* Called from selinux_complete_init, try to
1537 * find a dentry. */
1538 dentry = d_find_alias(inode);
1539 /*
1540 * This can be hit on boot when a file is accessed
1541 * before the policy is loaded. When we load policy we
1542 * may find inodes that have no dentry on the
1543 * sbsec->isec_head list. No reason to complain as
1544 * these will get fixed up the next time we go through
1545 * inode_doinit() with a dentry, before these inodes
1546 * could be used again by userspace.
1547 */
1548 if (!dentry)
1549 goto out_unlock;
1550 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1551 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1552 sbsec->flags, &sid);
1553 dput(dentry);
1554 if (rc)
1555 goto out_unlock;
1556 isec->sid = sid;
1557 }
1558 break;
1559 }
1560
1561 isec->initialized = LABEL_INITIALIZED;
1562
1563 out_unlock:
1564 mutex_unlock(&isec->lock);
1565 out:
1566 if (isec->sclass == SECCLASS_FILE)
1567 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1568 return rc;
1569 }
1570
1571 /* Convert a Linux signal to an access vector. */
1572 static inline u32 signal_to_av(int sig)
1573 {
1574 u32 perm = 0;
1575
1576 switch (sig) {
1577 case SIGCHLD:
1578 /* Commonly granted from child to parent. */
1579 perm = PROCESS__SIGCHLD;
1580 break;
1581 case SIGKILL:
1582 /* Cannot be caught or ignored */
1583 perm = PROCESS__SIGKILL;
1584 break;
1585 case SIGSTOP:
1586 /* Cannot be caught or ignored */
1587 perm = PROCESS__SIGSTOP;
1588 break;
1589 default:
1590 /* All other signals. */
1591 perm = PROCESS__SIGNAL;
1592 break;
1593 }
1594
1595 return perm;
1596 }
1597
1598 /*
1599 * Check permission between a pair of credentials
1600 * fork check, ptrace check, etc.
1601 */
1602 static int cred_has_perm(const struct cred *actor,
1603 const struct cred *target,
1604 u32 perms)
1605 {
1606 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1607
1608 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1609 }
1610
1611 /*
1612 * Check permission between a pair of tasks, e.g. signal checks,
1613 * fork check, ptrace check, etc.
1614 * tsk1 is the actor and tsk2 is the target
1615 * - this uses the default subjective creds of tsk1
1616 */
1617 static int task_has_perm(const struct task_struct *tsk1,
1618 const struct task_struct *tsk2,
1619 u32 perms)
1620 {
1621 const struct task_security_struct *__tsec1, *__tsec2;
1622 u32 sid1, sid2;
1623
1624 rcu_read_lock();
1625 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1626 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1627 rcu_read_unlock();
1628 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1629 }
1630
1631 /*
1632 * Check permission between current and another task, e.g. signal checks,
1633 * fork check, ptrace check, etc.
1634 * current is the actor and tsk2 is the target
1635 * - this uses current's subjective creds
1636 */
1637 static int current_has_perm(const struct task_struct *tsk,
1638 u32 perms)
1639 {
1640 u32 sid, tsid;
1641
1642 sid = current_sid();
1643 tsid = task_sid(tsk);
1644 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1645 }
1646
1647 #if CAP_LAST_CAP > 63
1648 #error Fix SELinux to handle capabilities > 63.
1649 #endif
1650
1651 /* Check whether a task is allowed to use a capability. */
1652 static int cred_has_capability(const struct cred *cred,
1653 int cap, int audit, bool initns)
1654 {
1655 struct common_audit_data ad;
1656 struct av_decision avd;
1657 u16 sclass;
1658 u32 sid = cred_sid(cred);
1659 u32 av = CAP_TO_MASK(cap);
1660 int rc;
1661
1662 ad.type = LSM_AUDIT_DATA_CAP;
1663 ad.u.cap = cap;
1664
1665 switch (CAP_TO_INDEX(cap)) {
1666 case 0:
1667 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1668 break;
1669 case 1:
1670 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1671 break;
1672 default:
1673 printk(KERN_ERR
1674 "SELinux: out of range capability %d\n", cap);
1675 BUG();
1676 return -EINVAL;
1677 }
1678
1679 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1680 if (audit == SECURITY_CAP_AUDIT) {
1681 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1682 if (rc2)
1683 return rc2;
1684 }
1685 return rc;
1686 }
1687
1688 /* Check whether a task is allowed to use a system operation. */
1689 static int task_has_system(struct task_struct *tsk,
1690 u32 perms)
1691 {
1692 u32 sid = task_sid(tsk);
1693
1694 return avc_has_perm(sid, SECINITSID_KERNEL,
1695 SECCLASS_SYSTEM, perms, NULL);
1696 }
1697
1698 /* Check whether a task has a particular permission to an inode.
1699 The 'adp' parameter is optional and allows other audit
1700 data to be passed (e.g. the dentry). */
1701 static int inode_has_perm(const struct cred *cred,
1702 struct inode *inode,
1703 u32 perms,
1704 struct common_audit_data *adp)
1705 {
1706 struct inode_security_struct *isec;
1707 u32 sid;
1708
1709 validate_creds(cred);
1710
1711 if (unlikely(IS_PRIVATE(inode)))
1712 return 0;
1713
1714 sid = cred_sid(cred);
1715 isec = inode->i_security;
1716
1717 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1718 }
1719
1720 /* Same as inode_has_perm, but pass explicit audit data containing
1721 the dentry to help the auditing code to more easily generate the
1722 pathname if needed. */
1723 static inline int dentry_has_perm(const struct cred *cred,
1724 struct dentry *dentry,
1725 u32 av)
1726 {
1727 struct inode *inode = d_backing_inode(dentry);
1728 struct common_audit_data ad;
1729
1730 ad.type = LSM_AUDIT_DATA_DENTRY;
1731 ad.u.dentry = dentry;
1732 __inode_security_revalidate(inode, dentry, true);
1733 return inode_has_perm(cred, inode, av, &ad);
1734 }
1735
1736 /* Same as inode_has_perm, but pass explicit audit data containing
1737 the path to help the auditing code to more easily generate the
1738 pathname if needed. */
1739 static inline int path_has_perm(const struct cred *cred,
1740 const struct path *path,
1741 u32 av)
1742 {
1743 struct inode *inode = d_backing_inode(path->dentry);
1744 struct common_audit_data ad;
1745
1746 ad.type = LSM_AUDIT_DATA_PATH;
1747 ad.u.path = *path;
1748 __inode_security_revalidate(inode, path->dentry, true);
1749 return inode_has_perm(cred, inode, av, &ad);
1750 }
1751
1752 /* Same as path_has_perm, but uses the inode from the file struct. */
1753 static inline int file_path_has_perm(const struct cred *cred,
1754 struct file *file,
1755 u32 av)
1756 {
1757 struct common_audit_data ad;
1758
1759 ad.type = LSM_AUDIT_DATA_FILE;
1760 ad.u.file = file;
1761 return inode_has_perm(cred, file_inode(file), av, &ad);
1762 }
1763
1764 /* Check whether a task can use an open file descriptor to
1765 access an inode in a given way. Check access to the
1766 descriptor itself, and then use dentry_has_perm to
1767 check a particular permission to the file.
1768 Access to the descriptor is implicitly granted if it
1769 has the same SID as the process. If av is zero, then
1770 access to the file is not checked, e.g. for cases
1771 where only the descriptor is affected like seek. */
1772 static int file_has_perm(const struct cred *cred,
1773 struct file *file,
1774 u32 av)
1775 {
1776 struct file_security_struct *fsec = file->f_security;
1777 struct inode *inode = file_inode(file);
1778 struct common_audit_data ad;
1779 u32 sid = cred_sid(cred);
1780 int rc;
1781
1782 ad.type = LSM_AUDIT_DATA_FILE;
1783 ad.u.file = file;
1784
1785 if (sid != fsec->sid) {
1786 rc = avc_has_perm(sid, fsec->sid,
1787 SECCLASS_FD,
1788 FD__USE,
1789 &ad);
1790 if (rc)
1791 goto out;
1792 }
1793
1794 /* av is zero if only checking access to the descriptor. */
1795 rc = 0;
1796 if (av)
1797 rc = inode_has_perm(cred, inode, av, &ad);
1798
1799 out:
1800 return rc;
1801 }
1802
1803 /*
1804 * Determine the label for an inode that might be unioned.
1805 */
1806 static int
1807 selinux_determine_inode_label(const struct task_security_struct *tsec,
1808 struct inode *dir,
1809 const struct qstr *name, u16 tclass,
1810 u32 *_new_isid)
1811 {
1812 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1813
1814 if ((sbsec->flags & SE_SBINITIALIZED) &&
1815 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1816 *_new_isid = sbsec->mntpoint_sid;
1817 } else if ((sbsec->flags & SBLABEL_MNT) &&
1818 tsec->create_sid) {
1819 *_new_isid = tsec->create_sid;
1820 } else {
1821 const struct inode_security_struct *dsec = inode_security(dir);
1822 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1823 name, _new_isid);
1824 }
1825
1826 return 0;
1827 }
1828
1829 /* Check whether a task can create a file. */
1830 static int may_create(struct inode *dir,
1831 struct dentry *dentry,
1832 u16 tclass)
1833 {
1834 const struct task_security_struct *tsec = current_security();
1835 struct inode_security_struct *dsec;
1836 struct superblock_security_struct *sbsec;
1837 u32 sid, newsid;
1838 struct common_audit_data ad;
1839 int rc;
1840
1841 dsec = inode_security(dir);
1842 sbsec = dir->i_sb->s_security;
1843
1844 sid = tsec->sid;
1845
1846 ad.type = LSM_AUDIT_DATA_DENTRY;
1847 ad.u.dentry = dentry;
1848
1849 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1850 DIR__ADD_NAME | DIR__SEARCH,
1851 &ad);
1852 if (rc)
1853 return rc;
1854
1855 rc = selinux_determine_inode_label(current_security(), dir,
1856 &dentry->d_name, tclass, &newsid);
1857 if (rc)
1858 return rc;
1859
1860 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1861 if (rc)
1862 return rc;
1863
1864 return avc_has_perm(newsid, sbsec->sid,
1865 SECCLASS_FILESYSTEM,
1866 FILESYSTEM__ASSOCIATE, &ad);
1867 }
1868
1869 /* Check whether a task can create a key. */
1870 static int may_create_key(u32 ksid,
1871 struct task_struct *ctx)
1872 {
1873 u32 sid = task_sid(ctx);
1874
1875 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1876 }
1877
1878 #define MAY_LINK 0
1879 #define MAY_UNLINK 1
1880 #define MAY_RMDIR 2
1881
1882 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1883 static int may_link(struct inode *dir,
1884 struct dentry *dentry,
1885 int kind)
1886
1887 {
1888 struct inode_security_struct *dsec, *isec;
1889 struct common_audit_data ad;
1890 u32 sid = current_sid();
1891 u32 av;
1892 int rc;
1893
1894 dsec = inode_security(dir);
1895 isec = backing_inode_security(dentry);
1896
1897 ad.type = LSM_AUDIT_DATA_DENTRY;
1898 ad.u.dentry = dentry;
1899
1900 av = DIR__SEARCH;
1901 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1902 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1903 if (rc)
1904 return rc;
1905
1906 switch (kind) {
1907 case MAY_LINK:
1908 av = FILE__LINK;
1909 break;
1910 case MAY_UNLINK:
1911 av = FILE__UNLINK;
1912 break;
1913 case MAY_RMDIR:
1914 av = DIR__RMDIR;
1915 break;
1916 default:
1917 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1918 __func__, kind);
1919 return 0;
1920 }
1921
1922 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1923 return rc;
1924 }
1925
1926 static inline int may_rename(struct inode *old_dir,
1927 struct dentry *old_dentry,
1928 struct inode *new_dir,
1929 struct dentry *new_dentry)
1930 {
1931 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1932 struct common_audit_data ad;
1933 u32 sid = current_sid();
1934 u32 av;
1935 int old_is_dir, new_is_dir;
1936 int rc;
1937
1938 old_dsec = inode_security(old_dir);
1939 old_isec = backing_inode_security(old_dentry);
1940 old_is_dir = d_is_dir(old_dentry);
1941 new_dsec = inode_security(new_dir);
1942
1943 ad.type = LSM_AUDIT_DATA_DENTRY;
1944
1945 ad.u.dentry = old_dentry;
1946 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1947 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1948 if (rc)
1949 return rc;
1950 rc = avc_has_perm(sid, old_isec->sid,
1951 old_isec->sclass, FILE__RENAME, &ad);
1952 if (rc)
1953 return rc;
1954 if (old_is_dir && new_dir != old_dir) {
1955 rc = avc_has_perm(sid, old_isec->sid,
1956 old_isec->sclass, DIR__REPARENT, &ad);
1957 if (rc)
1958 return rc;
1959 }
1960
1961 ad.u.dentry = new_dentry;
1962 av = DIR__ADD_NAME | DIR__SEARCH;
1963 if (d_is_positive(new_dentry))
1964 av |= DIR__REMOVE_NAME;
1965 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1966 if (rc)
1967 return rc;
1968 if (d_is_positive(new_dentry)) {
1969 new_isec = backing_inode_security(new_dentry);
1970 new_is_dir = d_is_dir(new_dentry);
1971 rc = avc_has_perm(sid, new_isec->sid,
1972 new_isec->sclass,
1973 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1974 if (rc)
1975 return rc;
1976 }
1977
1978 return 0;
1979 }
1980
1981 /* Check whether a task can perform a filesystem operation. */
1982 static int superblock_has_perm(const struct cred *cred,
1983 struct super_block *sb,
1984 u32 perms,
1985 struct common_audit_data *ad)
1986 {
1987 struct superblock_security_struct *sbsec;
1988 u32 sid = cred_sid(cred);
1989
1990 sbsec = sb->s_security;
1991 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1992 }
1993
1994 /* Convert a Linux mode and permission mask to an access vector. */
1995 static inline u32 file_mask_to_av(int mode, int mask)
1996 {
1997 u32 av = 0;
1998
1999 if (!S_ISDIR(mode)) {
2000 if (mask & MAY_EXEC)
2001 av |= FILE__EXECUTE;
2002 if (mask & MAY_READ)
2003 av |= FILE__READ;
2004
2005 if (mask & MAY_APPEND)
2006 av |= FILE__APPEND;
2007 else if (mask & MAY_WRITE)
2008 av |= FILE__WRITE;
2009
2010 } else {
2011 if (mask & MAY_EXEC)
2012 av |= DIR__SEARCH;
2013 if (mask & MAY_WRITE)
2014 av |= DIR__WRITE;
2015 if (mask & MAY_READ)
2016 av |= DIR__READ;
2017 }
2018
2019 return av;
2020 }
2021
2022 /* Convert a Linux file to an access vector. */
2023 static inline u32 file_to_av(struct file *file)
2024 {
2025 u32 av = 0;
2026
2027 if (file->f_mode & FMODE_READ)
2028 av |= FILE__READ;
2029 if (file->f_mode & FMODE_WRITE) {
2030 if (file->f_flags & O_APPEND)
2031 av |= FILE__APPEND;
2032 else
2033 av |= FILE__WRITE;
2034 }
2035 if (!av) {
2036 /*
2037 * Special file opened with flags 3 for ioctl-only use.
2038 */
2039 av = FILE__IOCTL;
2040 }
2041
2042 return av;
2043 }
2044
2045 /*
2046 * Convert a file to an access vector and include the correct open
2047 * open permission.
2048 */
2049 static inline u32 open_file_to_av(struct file *file)
2050 {
2051 u32 av = file_to_av(file);
2052
2053 if (selinux_policycap_openperm)
2054 av |= FILE__OPEN;
2055
2056 return av;
2057 }
2058
2059 /* Hook functions begin here. */
2060
2061 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2062 {
2063 u32 mysid = current_sid();
2064 u32 mgrsid = task_sid(mgr);
2065
2066 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2067 BINDER__SET_CONTEXT_MGR, NULL);
2068 }
2069
2070 static int selinux_binder_transaction(struct task_struct *from,
2071 struct task_struct *to)
2072 {
2073 u32 mysid = current_sid();
2074 u32 fromsid = task_sid(from);
2075 u32 tosid = task_sid(to);
2076 int rc;
2077
2078 if (mysid != fromsid) {
2079 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2080 BINDER__IMPERSONATE, NULL);
2081 if (rc)
2082 return rc;
2083 }
2084
2085 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2086 NULL);
2087 }
2088
2089 static int selinux_binder_transfer_binder(struct task_struct *from,
2090 struct task_struct *to)
2091 {
2092 u32 fromsid = task_sid(from);
2093 u32 tosid = task_sid(to);
2094
2095 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2096 NULL);
2097 }
2098
2099 static int selinux_binder_transfer_file(struct task_struct *from,
2100 struct task_struct *to,
2101 struct file *file)
2102 {
2103 u32 sid = task_sid(to);
2104 struct file_security_struct *fsec = file->f_security;
2105 struct dentry *dentry = file->f_path.dentry;
2106 struct inode_security_struct *isec;
2107 struct common_audit_data ad;
2108 int rc;
2109
2110 ad.type = LSM_AUDIT_DATA_PATH;
2111 ad.u.path = file->f_path;
2112
2113 if (sid != fsec->sid) {
2114 rc = avc_has_perm(sid, fsec->sid,
2115 SECCLASS_FD,
2116 FD__USE,
2117 &ad);
2118 if (rc)
2119 return rc;
2120 }
2121
2122 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2123 return 0;
2124
2125 isec = backing_inode_security(dentry);
2126 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2127 &ad);
2128 }
2129
2130 static int selinux_ptrace_access_check(struct task_struct *child,
2131 unsigned int mode)
2132 {
2133 if (mode & PTRACE_MODE_READ) {
2134 u32 sid = current_sid();
2135 u32 csid = task_sid(child);
2136 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2137 }
2138
2139 return current_has_perm(child, PROCESS__PTRACE);
2140 }
2141
2142 static int selinux_ptrace_traceme(struct task_struct *parent)
2143 {
2144 return task_has_perm(parent, current, PROCESS__PTRACE);
2145 }
2146
2147 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2148 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2149 {
2150 return current_has_perm(target, PROCESS__GETCAP);
2151 }
2152
2153 static int selinux_capset(struct cred *new, const struct cred *old,
2154 const kernel_cap_t *effective,
2155 const kernel_cap_t *inheritable,
2156 const kernel_cap_t *permitted)
2157 {
2158 return cred_has_perm(old, new, PROCESS__SETCAP);
2159 }
2160
2161 /*
2162 * (This comment used to live with the selinux_task_setuid hook,
2163 * which was removed).
2164 *
2165 * Since setuid only affects the current process, and since the SELinux
2166 * controls are not based on the Linux identity attributes, SELinux does not
2167 * need to control this operation. However, SELinux does control the use of
2168 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2169 */
2170
2171 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2172 int cap, int audit)
2173 {
2174 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2175 }
2176
2177 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2178 {
2179 const struct cred *cred = current_cred();
2180 int rc = 0;
2181
2182 if (!sb)
2183 return 0;
2184
2185 switch (cmds) {
2186 case Q_SYNC:
2187 case Q_QUOTAON:
2188 case Q_QUOTAOFF:
2189 case Q_SETINFO:
2190 case Q_SETQUOTA:
2191 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2192 break;
2193 case Q_GETFMT:
2194 case Q_GETINFO:
2195 case Q_GETQUOTA:
2196 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2197 break;
2198 default:
2199 rc = 0; /* let the kernel handle invalid cmds */
2200 break;
2201 }
2202 return rc;
2203 }
2204
2205 static int selinux_quota_on(struct dentry *dentry)
2206 {
2207 const struct cred *cred = current_cred();
2208
2209 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2210 }
2211
2212 static int selinux_syslog(int type)
2213 {
2214 int rc;
2215
2216 switch (type) {
2217 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2218 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2219 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2220 break;
2221 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2222 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2223 /* Set level of messages printed to console */
2224 case SYSLOG_ACTION_CONSOLE_LEVEL:
2225 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2226 break;
2227 case SYSLOG_ACTION_CLOSE: /* Close log */
2228 case SYSLOG_ACTION_OPEN: /* Open log */
2229 case SYSLOG_ACTION_READ: /* Read from log */
2230 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2231 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2232 default:
2233 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2234 break;
2235 }
2236 return rc;
2237 }
2238
2239 /*
2240 * Check that a process has enough memory to allocate a new virtual
2241 * mapping. 0 means there is enough memory for the allocation to
2242 * succeed and -ENOMEM implies there is not.
2243 *
2244 * Do not audit the selinux permission check, as this is applied to all
2245 * processes that allocate mappings.
2246 */
2247 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2248 {
2249 int rc, cap_sys_admin = 0;
2250
2251 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2252 SECURITY_CAP_NOAUDIT, true);
2253 if (rc == 0)
2254 cap_sys_admin = 1;
2255
2256 return cap_sys_admin;
2257 }
2258
2259 /* binprm security operations */
2260
2261 static u32 ptrace_parent_sid(struct task_struct *task)
2262 {
2263 u32 sid = 0;
2264 struct task_struct *tracer;
2265
2266 rcu_read_lock();
2267 tracer = ptrace_parent(task);
2268 if (tracer)
2269 sid = task_sid(tracer);
2270 rcu_read_unlock();
2271
2272 return sid;
2273 }
2274
2275 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2276 const struct task_security_struct *old_tsec,
2277 const struct task_security_struct *new_tsec)
2278 {
2279 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2280 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2281 int rc;
2282
2283 if (!nnp && !nosuid)
2284 return 0; /* neither NNP nor nosuid */
2285
2286 if (new_tsec->sid == old_tsec->sid)
2287 return 0; /* No change in credentials */
2288
2289 /*
2290 * The only transitions we permit under NNP or nosuid
2291 * are transitions to bounded SIDs, i.e. SIDs that are
2292 * guaranteed to only be allowed a subset of the permissions
2293 * of the current SID.
2294 */
2295 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2296 if (rc) {
2297 /*
2298 * On failure, preserve the errno values for NNP vs nosuid.
2299 * NNP: Operation not permitted for caller.
2300 * nosuid: Permission denied to file.
2301 */
2302 if (nnp)
2303 return -EPERM;
2304 else
2305 return -EACCES;
2306 }
2307 return 0;
2308 }
2309
2310 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2311 {
2312 const struct task_security_struct *old_tsec;
2313 struct task_security_struct *new_tsec;
2314 struct inode_security_struct *isec;
2315 struct common_audit_data ad;
2316 struct inode *inode = file_inode(bprm->file);
2317 int rc;
2318
2319 /* SELinux context only depends on initial program or script and not
2320 * the script interpreter */
2321 if (bprm->cred_prepared)
2322 return 0;
2323
2324 old_tsec = current_security();
2325 new_tsec = bprm->cred->security;
2326 isec = inode_security(inode);
2327
2328 /* Default to the current task SID. */
2329 new_tsec->sid = old_tsec->sid;
2330 new_tsec->osid = old_tsec->sid;
2331
2332 /* Reset fs, key, and sock SIDs on execve. */
2333 new_tsec->create_sid = 0;
2334 new_tsec->keycreate_sid = 0;
2335 new_tsec->sockcreate_sid = 0;
2336
2337 if (old_tsec->exec_sid) {
2338 new_tsec->sid = old_tsec->exec_sid;
2339 /* Reset exec SID on execve. */
2340 new_tsec->exec_sid = 0;
2341
2342 /* Fail on NNP or nosuid if not an allowed transition. */
2343 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2344 if (rc)
2345 return rc;
2346 } else {
2347 /* Check for a default transition on this program. */
2348 rc = security_transition_sid(old_tsec->sid, isec->sid,
2349 SECCLASS_PROCESS, NULL,
2350 &new_tsec->sid);
2351 if (rc)
2352 return rc;
2353
2354 /*
2355 * Fallback to old SID on NNP or nosuid if not an allowed
2356 * transition.
2357 */
2358 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2359 if (rc)
2360 new_tsec->sid = old_tsec->sid;
2361 }
2362
2363 ad.type = LSM_AUDIT_DATA_FILE;
2364 ad.u.file = bprm->file;
2365
2366 if (new_tsec->sid == old_tsec->sid) {
2367 rc = avc_has_perm(old_tsec->sid, isec->sid,
2368 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2369 if (rc)
2370 return rc;
2371 } else {
2372 /* Check permissions for the transition. */
2373 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2374 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2375 if (rc)
2376 return rc;
2377
2378 rc = avc_has_perm(new_tsec->sid, isec->sid,
2379 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2380 if (rc)
2381 return rc;
2382
2383 /* Check for shared state */
2384 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2385 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2386 SECCLASS_PROCESS, PROCESS__SHARE,
2387 NULL);
2388 if (rc)
2389 return -EPERM;
2390 }
2391
2392 /* Make sure that anyone attempting to ptrace over a task that
2393 * changes its SID has the appropriate permit */
2394 if (bprm->unsafe &
2395 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2396 u32 ptsid = ptrace_parent_sid(current);
2397 if (ptsid != 0) {
2398 rc = avc_has_perm(ptsid, new_tsec->sid,
2399 SECCLASS_PROCESS,
2400 PROCESS__PTRACE, NULL);
2401 if (rc)
2402 return -EPERM;
2403 }
2404 }
2405
2406 /* Clear any possibly unsafe personality bits on exec: */
2407 bprm->per_clear |= PER_CLEAR_ON_SETID;
2408 }
2409
2410 return 0;
2411 }
2412
2413 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2414 {
2415 const struct task_security_struct *tsec = current_security();
2416 u32 sid, osid;
2417 int atsecure = 0;
2418
2419 sid = tsec->sid;
2420 osid = tsec->osid;
2421
2422 if (osid != sid) {
2423 /* Enable secure mode for SIDs transitions unless
2424 the noatsecure permission is granted between
2425 the two SIDs, i.e. ahp returns 0. */
2426 atsecure = avc_has_perm(osid, sid,
2427 SECCLASS_PROCESS,
2428 PROCESS__NOATSECURE, NULL);
2429 }
2430
2431 return !!atsecure;
2432 }
2433
2434 static int match_file(const void *p, struct file *file, unsigned fd)
2435 {
2436 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2437 }
2438
2439 /* Derived from fs/exec.c:flush_old_files. */
2440 static inline void flush_unauthorized_files(const struct cred *cred,
2441 struct files_struct *files)
2442 {
2443 struct file *file, *devnull = NULL;
2444 struct tty_struct *tty;
2445 int drop_tty = 0;
2446 unsigned n;
2447
2448 tty = get_current_tty();
2449 if (tty) {
2450 spin_lock(&tty->files_lock);
2451 if (!list_empty(&tty->tty_files)) {
2452 struct tty_file_private *file_priv;
2453
2454 /* Revalidate access to controlling tty.
2455 Use file_path_has_perm on the tty path directly
2456 rather than using file_has_perm, as this particular
2457 open file may belong to another process and we are
2458 only interested in the inode-based check here. */
2459 file_priv = list_first_entry(&tty->tty_files,
2460 struct tty_file_private, list);
2461 file = file_priv->file;
2462 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2463 drop_tty = 1;
2464 }
2465 spin_unlock(&tty->files_lock);
2466 tty_kref_put(tty);
2467 }
2468 /* Reset controlling tty. */
2469 if (drop_tty)
2470 no_tty();
2471
2472 /* Revalidate access to inherited open files. */
2473 n = iterate_fd(files, 0, match_file, cred);
2474 if (!n) /* none found? */
2475 return;
2476
2477 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2478 if (IS_ERR(devnull))
2479 devnull = NULL;
2480 /* replace all the matching ones with this */
2481 do {
2482 replace_fd(n - 1, devnull, 0);
2483 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2484 if (devnull)
2485 fput(devnull);
2486 }
2487
2488 /*
2489 * Prepare a process for imminent new credential changes due to exec
2490 */
2491 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2492 {
2493 struct task_security_struct *new_tsec;
2494 struct rlimit *rlim, *initrlim;
2495 int rc, i;
2496
2497 new_tsec = bprm->cred->security;
2498 if (new_tsec->sid == new_tsec->osid)
2499 return;
2500
2501 /* Close files for which the new task SID is not authorized. */
2502 flush_unauthorized_files(bprm->cred, current->files);
2503
2504 /* Always clear parent death signal on SID transitions. */
2505 current->pdeath_signal = 0;
2506
2507 /* Check whether the new SID can inherit resource limits from the old
2508 * SID. If not, reset all soft limits to the lower of the current
2509 * task's hard limit and the init task's soft limit.
2510 *
2511 * Note that the setting of hard limits (even to lower them) can be
2512 * controlled by the setrlimit check. The inclusion of the init task's
2513 * soft limit into the computation is to avoid resetting soft limits
2514 * higher than the default soft limit for cases where the default is
2515 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2516 */
2517 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2518 PROCESS__RLIMITINH, NULL);
2519 if (rc) {
2520 /* protect against do_prlimit() */
2521 task_lock(current);
2522 for (i = 0; i < RLIM_NLIMITS; i++) {
2523 rlim = current->signal->rlim + i;
2524 initrlim = init_task.signal->rlim + i;
2525 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2526 }
2527 task_unlock(current);
2528 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2529 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2530 }
2531 }
2532
2533 /*
2534 * Clean up the process immediately after the installation of new credentials
2535 * due to exec
2536 */
2537 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2538 {
2539 const struct task_security_struct *tsec = current_security();
2540 struct itimerval itimer;
2541 u32 osid, sid;
2542 int rc, i;
2543
2544 osid = tsec->osid;
2545 sid = tsec->sid;
2546
2547 if (sid == osid)
2548 return;
2549
2550 /* Check whether the new SID can inherit signal state from the old SID.
2551 * If not, clear itimers to avoid subsequent signal generation and
2552 * flush and unblock signals.
2553 *
2554 * This must occur _after_ the task SID has been updated so that any
2555 * kill done after the flush will be checked against the new SID.
2556 */
2557 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2558 if (rc) {
2559 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2560 memset(&itimer, 0, sizeof itimer);
2561 for (i = 0; i < 3; i++)
2562 do_setitimer(i, &itimer, NULL);
2563 }
2564 spin_lock_irq(&current->sighand->siglock);
2565 if (!fatal_signal_pending(current)) {
2566 flush_sigqueue(&current->pending);
2567 flush_sigqueue(&current->signal->shared_pending);
2568 flush_signal_handlers(current, 1);
2569 sigemptyset(&current->blocked);
2570 recalc_sigpending();
2571 }
2572 spin_unlock_irq(&current->sighand->siglock);
2573 }
2574
2575 /* Wake up the parent if it is waiting so that it can recheck
2576 * wait permission to the new task SID. */
2577 read_lock(&tasklist_lock);
2578 __wake_up_parent(current, current->real_parent);
2579 read_unlock(&tasklist_lock);
2580 }
2581
2582 /* superblock security operations */
2583
2584 static int selinux_sb_alloc_security(struct super_block *sb)
2585 {
2586 return superblock_alloc_security(sb);
2587 }
2588
2589 static void selinux_sb_free_security(struct super_block *sb)
2590 {
2591 superblock_free_security(sb);
2592 }
2593
2594 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2595 {
2596 if (plen > olen)
2597 return 0;
2598
2599 return !memcmp(prefix, option, plen);
2600 }
2601
2602 static inline int selinux_option(char *option, int len)
2603 {
2604 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2605 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2606 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2607 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2608 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2609 }
2610
2611 static inline void take_option(char **to, char *from, int *first, int len)
2612 {
2613 if (!*first) {
2614 **to = ',';
2615 *to += 1;
2616 } else
2617 *first = 0;
2618 memcpy(*to, from, len);
2619 *to += len;
2620 }
2621
2622 static inline void take_selinux_option(char **to, char *from, int *first,
2623 int len)
2624 {
2625 int current_size = 0;
2626
2627 if (!*first) {
2628 **to = '|';
2629 *to += 1;
2630 } else
2631 *first = 0;
2632
2633 while (current_size < len) {
2634 if (*from != '"') {
2635 **to = *from;
2636 *to += 1;
2637 }
2638 from += 1;
2639 current_size += 1;
2640 }
2641 }
2642
2643 static int selinux_sb_copy_data(char *orig, char *copy)
2644 {
2645 int fnosec, fsec, rc = 0;
2646 char *in_save, *in_curr, *in_end;
2647 char *sec_curr, *nosec_save, *nosec;
2648 int open_quote = 0;
2649
2650 in_curr = orig;
2651 sec_curr = copy;
2652
2653 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2654 if (!nosec) {
2655 rc = -ENOMEM;
2656 goto out;
2657 }
2658
2659 nosec_save = nosec;
2660 fnosec = fsec = 1;
2661 in_save = in_end = orig;
2662
2663 do {
2664 if (*in_end == '"')
2665 open_quote = !open_quote;
2666 if ((*in_end == ',' && open_quote == 0) ||
2667 *in_end == '\0') {
2668 int len = in_end - in_curr;
2669
2670 if (selinux_option(in_curr, len))
2671 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2672 else
2673 take_option(&nosec, in_curr, &fnosec, len);
2674
2675 in_curr = in_end + 1;
2676 }
2677 } while (*in_end++);
2678
2679 strcpy(in_save, nosec_save);
2680 free_page((unsigned long)nosec_save);
2681 out:
2682 return rc;
2683 }
2684
2685 static int selinux_sb_remount(struct super_block *sb, void *data)
2686 {
2687 int rc, i, *flags;
2688 struct security_mnt_opts opts;
2689 char *secdata, **mount_options;
2690 struct superblock_security_struct *sbsec = sb->s_security;
2691
2692 if (!(sbsec->flags & SE_SBINITIALIZED))
2693 return 0;
2694
2695 if (!data)
2696 return 0;
2697
2698 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2699 return 0;
2700
2701 security_init_mnt_opts(&opts);
2702 secdata = alloc_secdata();
2703 if (!secdata)
2704 return -ENOMEM;
2705 rc = selinux_sb_copy_data(data, secdata);
2706 if (rc)
2707 goto out_free_secdata;
2708
2709 rc = selinux_parse_opts_str(secdata, &opts);
2710 if (rc)
2711 goto out_free_secdata;
2712
2713 mount_options = opts.mnt_opts;
2714 flags = opts.mnt_opts_flags;
2715
2716 for (i = 0; i < opts.num_mnt_opts; i++) {
2717 u32 sid;
2718
2719 if (flags[i] == SBLABEL_MNT)
2720 continue;
2721 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2722 if (rc) {
2723 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2724 "(%s) failed for (dev %s, type %s) errno=%d\n",
2725 mount_options[i], sb->s_id, sb->s_type->name, rc);
2726 goto out_free_opts;
2727 }
2728 rc = -EINVAL;
2729 switch (flags[i]) {
2730 case FSCONTEXT_MNT:
2731 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2732 goto out_bad_option;
2733 break;
2734 case CONTEXT_MNT:
2735 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2736 goto out_bad_option;
2737 break;
2738 case ROOTCONTEXT_MNT: {
2739 struct inode_security_struct *root_isec;
2740 root_isec = backing_inode_security(sb->s_root);
2741
2742 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2743 goto out_bad_option;
2744 break;
2745 }
2746 case DEFCONTEXT_MNT:
2747 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2748 goto out_bad_option;
2749 break;
2750 default:
2751 goto out_free_opts;
2752 }
2753 }
2754
2755 rc = 0;
2756 out_free_opts:
2757 security_free_mnt_opts(&opts);
2758 out_free_secdata:
2759 free_secdata(secdata);
2760 return rc;
2761 out_bad_option:
2762 printk(KERN_WARNING "SELinux: unable to change security options "
2763 "during remount (dev %s, type=%s)\n", sb->s_id,
2764 sb->s_type->name);
2765 goto out_free_opts;
2766 }
2767
2768 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2769 {
2770 const struct cred *cred = current_cred();
2771 struct common_audit_data ad;
2772 int rc;
2773
2774 rc = superblock_doinit(sb, data);
2775 if (rc)
2776 return rc;
2777
2778 /* Allow all mounts performed by the kernel */
2779 if (flags & MS_KERNMOUNT)
2780 return 0;
2781
2782 ad.type = LSM_AUDIT_DATA_DENTRY;
2783 ad.u.dentry = sb->s_root;
2784 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2785 }
2786
2787 static int selinux_sb_statfs(struct dentry *dentry)
2788 {
2789 const struct cred *cred = current_cred();
2790 struct common_audit_data ad;
2791
2792 ad.type = LSM_AUDIT_DATA_DENTRY;
2793 ad.u.dentry = dentry->d_sb->s_root;
2794 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2795 }
2796
2797 static int selinux_mount(const char *dev_name,
2798 const struct path *path,
2799 const char *type,
2800 unsigned long flags,
2801 void *data)
2802 {
2803 const struct cred *cred = current_cred();
2804
2805 if (flags & MS_REMOUNT)
2806 return superblock_has_perm(cred, path->dentry->d_sb,
2807 FILESYSTEM__REMOUNT, NULL);
2808 else
2809 return path_has_perm(cred, path, FILE__MOUNTON);
2810 }
2811
2812 static int selinux_umount(struct vfsmount *mnt, int flags)
2813 {
2814 const struct cred *cred = current_cred();
2815
2816 return superblock_has_perm(cred, mnt->mnt_sb,
2817 FILESYSTEM__UNMOUNT, NULL);
2818 }
2819
2820 /* inode security operations */
2821
2822 static int selinux_inode_alloc_security(struct inode *inode)
2823 {
2824 return inode_alloc_security(inode);
2825 }
2826
2827 static void selinux_inode_free_security(struct inode *inode)
2828 {
2829 inode_free_security(inode);
2830 }
2831
2832 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2833 const struct qstr *name, void **ctx,
2834 u32 *ctxlen)
2835 {
2836 u32 newsid;
2837 int rc;
2838
2839 rc = selinux_determine_inode_label(current_security(),
2840 d_inode(dentry->d_parent), name,
2841 inode_mode_to_security_class(mode),
2842 &newsid);
2843 if (rc)
2844 return rc;
2845
2846 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2847 }
2848
2849 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2850 struct qstr *name,
2851 const struct cred *old,
2852 struct cred *new)
2853 {
2854 u32 newsid;
2855 int rc;
2856 struct task_security_struct *tsec;
2857
2858 rc = selinux_determine_inode_label(old->security,
2859 d_inode(dentry->d_parent), name,
2860 inode_mode_to_security_class(mode),
2861 &newsid);
2862 if (rc)
2863 return rc;
2864
2865 tsec = new->security;
2866 tsec->create_sid = newsid;
2867 return 0;
2868 }
2869
2870 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2871 const struct qstr *qstr,
2872 const char **name,
2873 void **value, size_t *len)
2874 {
2875 const struct task_security_struct *tsec = current_security();
2876 struct superblock_security_struct *sbsec;
2877 u32 sid, newsid, clen;
2878 int rc;
2879 char *context;
2880
2881 sbsec = dir->i_sb->s_security;
2882
2883 sid = tsec->sid;
2884 newsid = tsec->create_sid;
2885
2886 rc = selinux_determine_inode_label(current_security(),
2887 dir, qstr,
2888 inode_mode_to_security_class(inode->i_mode),
2889 &newsid);
2890 if (rc)
2891 return rc;
2892
2893 /* Possibly defer initialization to selinux_complete_init. */
2894 if (sbsec->flags & SE_SBINITIALIZED) {
2895 struct inode_security_struct *isec = inode->i_security;
2896 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2897 isec->sid = newsid;
2898 isec->initialized = LABEL_INITIALIZED;
2899 }
2900
2901 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2902 return -EOPNOTSUPP;
2903
2904 if (name)
2905 *name = XATTR_SELINUX_SUFFIX;
2906
2907 if (value && len) {
2908 rc = security_sid_to_context_force(newsid, &context, &clen);
2909 if (rc)
2910 return rc;
2911 *value = context;
2912 *len = clen;
2913 }
2914
2915 return 0;
2916 }
2917
2918 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2919 {
2920 return may_create(dir, dentry, SECCLASS_FILE);
2921 }
2922
2923 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2924 {
2925 return may_link(dir, old_dentry, MAY_LINK);
2926 }
2927
2928 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2929 {
2930 return may_link(dir, dentry, MAY_UNLINK);
2931 }
2932
2933 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2934 {
2935 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2936 }
2937
2938 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2939 {
2940 return may_create(dir, dentry, SECCLASS_DIR);
2941 }
2942
2943 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2944 {
2945 return may_link(dir, dentry, MAY_RMDIR);
2946 }
2947
2948 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2949 {
2950 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2951 }
2952
2953 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2954 struct inode *new_inode, struct dentry *new_dentry)
2955 {
2956 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2957 }
2958
2959 static int selinux_inode_readlink(struct dentry *dentry)
2960 {
2961 const struct cred *cred = current_cred();
2962
2963 return dentry_has_perm(cred, dentry, FILE__READ);
2964 }
2965
2966 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2967 bool rcu)
2968 {
2969 const struct cred *cred = current_cred();
2970 struct common_audit_data ad;
2971 struct inode_security_struct *isec;
2972 u32 sid;
2973
2974 validate_creds(cred);
2975
2976 ad.type = LSM_AUDIT_DATA_DENTRY;
2977 ad.u.dentry = dentry;
2978 sid = cred_sid(cred);
2979 isec = inode_security_rcu(inode, rcu);
2980 if (IS_ERR(isec))
2981 return PTR_ERR(isec);
2982
2983 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2984 rcu ? MAY_NOT_BLOCK : 0);
2985 }
2986
2987 static noinline int audit_inode_permission(struct inode *inode,
2988 u32 perms, u32 audited, u32 denied,
2989 int result,
2990 unsigned flags)
2991 {
2992 struct common_audit_data ad;
2993 struct inode_security_struct *isec = inode->i_security;
2994 int rc;
2995
2996 ad.type = LSM_AUDIT_DATA_INODE;
2997 ad.u.inode = inode;
2998
2999 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3000 audited, denied, result, &ad, flags);
3001 if (rc)
3002 return rc;
3003 return 0;
3004 }
3005
3006 static int selinux_inode_permission(struct inode *inode, int mask)
3007 {
3008 const struct cred *cred = current_cred();
3009 u32 perms;
3010 bool from_access;
3011 unsigned flags = mask & MAY_NOT_BLOCK;
3012 struct inode_security_struct *isec;
3013 u32 sid;
3014 struct av_decision avd;
3015 int rc, rc2;
3016 u32 audited, denied;
3017
3018 from_access = mask & MAY_ACCESS;
3019 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3020
3021 /* No permission to check. Existence test. */
3022 if (!mask)
3023 return 0;
3024
3025 validate_creds(cred);
3026
3027 if (unlikely(IS_PRIVATE(inode)))
3028 return 0;
3029
3030 perms = file_mask_to_av(inode->i_mode, mask);
3031
3032 sid = cred_sid(cred);
3033 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3034 if (IS_ERR(isec))
3035 return PTR_ERR(isec);
3036
3037 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3038 audited = avc_audit_required(perms, &avd, rc,
3039 from_access ? FILE__AUDIT_ACCESS : 0,
3040 &denied);
3041 if (likely(!audited))
3042 return rc;
3043
3044 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3045 if (rc2)
3046 return rc2;
3047 return rc;
3048 }
3049
3050 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3051 {
3052 const struct cred *cred = current_cred();
3053 unsigned int ia_valid = iattr->ia_valid;
3054 __u32 av = FILE__WRITE;
3055
3056 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3057 if (ia_valid & ATTR_FORCE) {
3058 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3059 ATTR_FORCE);
3060 if (!ia_valid)
3061 return 0;
3062 }
3063
3064 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3065 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3066 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3067
3068 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE)
3069 && !(ia_valid & ATTR_FILE))
3070 av |= FILE__OPEN;
3071
3072 return dentry_has_perm(cred, dentry, av);
3073 }
3074
3075 static int selinux_inode_getattr(const struct path *path)
3076 {
3077 return path_has_perm(current_cred(), path, FILE__GETATTR);
3078 }
3079
3080 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3081 {
3082 const struct cred *cred = current_cred();
3083
3084 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3085 sizeof XATTR_SECURITY_PREFIX - 1)) {
3086 if (!strcmp(name, XATTR_NAME_CAPS)) {
3087 if (!capable(CAP_SETFCAP))
3088 return -EPERM;
3089 } else if (!capable(CAP_SYS_ADMIN)) {
3090 /* A different attribute in the security namespace.
3091 Restrict to administrator. */
3092 return -EPERM;
3093 }
3094 }
3095
3096 /* Not an attribute we recognize, so just check the
3097 ordinary setattr permission. */
3098 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3099 }
3100
3101 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3102 const void *value, size_t size, int flags)
3103 {
3104 struct inode *inode = d_backing_inode(dentry);
3105 struct inode_security_struct *isec;
3106 struct superblock_security_struct *sbsec;
3107 struct common_audit_data ad;
3108 u32 newsid, sid = current_sid();
3109 int rc = 0;
3110
3111 if (strcmp(name, XATTR_NAME_SELINUX))
3112 return selinux_inode_setotherxattr(dentry, name);
3113
3114 sbsec = inode->i_sb->s_security;
3115 if (!(sbsec->flags & SBLABEL_MNT))
3116 return -EOPNOTSUPP;
3117
3118 if (!inode_owner_or_capable(inode))
3119 return -EPERM;
3120
3121 ad.type = LSM_AUDIT_DATA_DENTRY;
3122 ad.u.dentry = dentry;
3123
3124 isec = backing_inode_security(dentry);
3125 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3126 FILE__RELABELFROM, &ad);
3127 if (rc)
3128 return rc;
3129
3130 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3131 if (rc == -EINVAL) {
3132 if (!capable(CAP_MAC_ADMIN)) {
3133 struct audit_buffer *ab;
3134 size_t audit_size;
3135 const char *str;
3136
3137 /* We strip a nul only if it is at the end, otherwise the
3138 * context contains a nul and we should audit that */
3139 if (value) {
3140 str = value;
3141 if (str[size - 1] == '\0')
3142 audit_size = size - 1;
3143 else
3144 audit_size = size;
3145 } else {
3146 str = "";
3147 audit_size = 0;
3148 }
3149 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3150 audit_log_format(ab, "op=setxattr invalid_context=");
3151 audit_log_n_untrustedstring(ab, value, audit_size);
3152 audit_log_end(ab);
3153
3154 return rc;
3155 }
3156 rc = security_context_to_sid_force(value, size, &newsid);
3157 }
3158 if (rc)
3159 return rc;
3160
3161 rc = avc_has_perm(sid, newsid, isec->sclass,
3162 FILE__RELABELTO, &ad);
3163 if (rc)
3164 return rc;
3165
3166 rc = security_validate_transition(isec->sid, newsid, sid,
3167 isec->sclass);
3168 if (rc)
3169 return rc;
3170
3171 return avc_has_perm(newsid,
3172 sbsec->sid,
3173 SECCLASS_FILESYSTEM,
3174 FILESYSTEM__ASSOCIATE,
3175 &ad);
3176 }
3177
3178 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3179 const void *value, size_t size,
3180 int flags)
3181 {
3182 struct inode *inode = d_backing_inode(dentry);
3183 struct inode_security_struct *isec;
3184 u32 newsid;
3185 int rc;
3186
3187 if (strcmp(name, XATTR_NAME_SELINUX)) {
3188 /* Not an attribute we recognize, so nothing to do. */
3189 return;
3190 }
3191
3192 rc = security_context_to_sid_force(value, size, &newsid);
3193 if (rc) {
3194 printk(KERN_ERR "SELinux: unable to map context to SID"
3195 "for (%s, %lu), rc=%d\n",
3196 inode->i_sb->s_id, inode->i_ino, -rc);
3197 return;
3198 }
3199
3200 isec = backing_inode_security(dentry);
3201 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3202 isec->sid = newsid;
3203 isec->initialized = LABEL_INITIALIZED;
3204
3205 return;
3206 }
3207
3208 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3209 {
3210 const struct cred *cred = current_cred();
3211
3212 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3213 }
3214
3215 static int selinux_inode_listxattr(struct dentry *dentry)
3216 {
3217 const struct cred *cred = current_cred();
3218
3219 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3220 }
3221
3222 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3223 {
3224 if (strcmp(name, XATTR_NAME_SELINUX))
3225 return selinux_inode_setotherxattr(dentry, name);
3226
3227 /* No one is allowed to remove a SELinux security label.
3228 You can change the label, but all data must be labeled. */
3229 return -EACCES;
3230 }
3231
3232 /*
3233 * Copy the inode security context value to the user.
3234 *
3235 * Permission check is handled by selinux_inode_getxattr hook.
3236 */
3237 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3238 {
3239 u32 size;
3240 int error;
3241 char *context = NULL;
3242 struct inode_security_struct *isec;
3243
3244 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3245 return -EOPNOTSUPP;
3246
3247 /*
3248 * If the caller has CAP_MAC_ADMIN, then get the raw context
3249 * value even if it is not defined by current policy; otherwise,
3250 * use the in-core value under current policy.
3251 * Use the non-auditing forms of the permission checks since
3252 * getxattr may be called by unprivileged processes commonly
3253 * and lack of permission just means that we fall back to the
3254 * in-core context value, not a denial.
3255 */
3256 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3257 SECURITY_CAP_NOAUDIT);
3258 if (!error)
3259 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3260 SECURITY_CAP_NOAUDIT, true);
3261 isec = inode_security(inode);
3262 if (!error)
3263 error = security_sid_to_context_force(isec->sid, &context,
3264 &size);
3265 else
3266 error = security_sid_to_context(isec->sid, &context, &size);
3267 if (error)
3268 return error;
3269 error = size;
3270 if (alloc) {
3271 *buffer = context;
3272 goto out_nofree;
3273 }
3274 kfree(context);
3275 out_nofree:
3276 return error;
3277 }
3278
3279 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3280 const void *value, size_t size, int flags)
3281 {
3282 struct inode_security_struct *isec = inode_security_novalidate(inode);
3283 u32 newsid;
3284 int rc;
3285
3286 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3287 return -EOPNOTSUPP;
3288
3289 if (!value || !size)
3290 return -EACCES;
3291
3292 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3293 if (rc)
3294 return rc;
3295
3296 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3297 isec->sid = newsid;
3298 isec->initialized = LABEL_INITIALIZED;
3299 return 0;
3300 }
3301
3302 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3303 {
3304 const int len = sizeof(XATTR_NAME_SELINUX);
3305 if (buffer && len <= buffer_size)
3306 memcpy(buffer, XATTR_NAME_SELINUX, len);
3307 return len;
3308 }
3309
3310 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3311 {
3312 struct inode_security_struct *isec = inode_security_novalidate(inode);
3313 *secid = isec->sid;
3314 }
3315
3316 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3317 {
3318 u32 sid;
3319 struct task_security_struct *tsec;
3320 struct cred *new_creds = *new;
3321
3322 if (new_creds == NULL) {
3323 new_creds = prepare_creds();
3324 if (!new_creds)
3325 return -ENOMEM;
3326 }
3327
3328 tsec = new_creds->security;
3329 /* Get label from overlay inode and set it in create_sid */
3330 selinux_inode_getsecid(d_inode(src), &sid);
3331 tsec->create_sid = sid;
3332 *new = new_creds;
3333 return 0;
3334 }
3335
3336 static int selinux_inode_copy_up_xattr(const char *name)
3337 {
3338 /* The copy_up hook above sets the initial context on an inode, but we
3339 * don't then want to overwrite it by blindly copying all the lower
3340 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3341 */
3342 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3343 return 1; /* Discard */
3344 /*
3345 * Any other attribute apart from SELINUX is not claimed, supported
3346 * by selinux.
3347 */
3348 return -EOPNOTSUPP;
3349 }
3350
3351 /* file security operations */
3352
3353 static int selinux_revalidate_file_permission(struct file *file, int mask)
3354 {
3355 const struct cred *cred = current_cred();
3356 struct inode *inode = file_inode(file);
3357
3358 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3359 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3360 mask |= MAY_APPEND;
3361
3362 return file_has_perm(cred, file,
3363 file_mask_to_av(inode->i_mode, mask));
3364 }
3365
3366 static int selinux_file_permission(struct file *file, int mask)
3367 {
3368 struct inode *inode = file_inode(file);
3369 struct file_security_struct *fsec = file->f_security;
3370 struct inode_security_struct *isec;
3371 u32 sid = current_sid();
3372
3373 if (!mask)
3374 /* No permission to check. Existence test. */
3375 return 0;
3376
3377 isec = inode_security(inode);
3378 if (sid == fsec->sid && fsec->isid == isec->sid &&
3379 fsec->pseqno == avc_policy_seqno())
3380 /* No change since file_open check. */
3381 return 0;
3382
3383 return selinux_revalidate_file_permission(file, mask);
3384 }
3385
3386 static int selinux_file_alloc_security(struct file *file)
3387 {
3388 return file_alloc_security(file);
3389 }
3390
3391 static void selinux_file_free_security(struct file *file)
3392 {
3393 file_free_security(file);
3394 }
3395
3396 /*
3397 * Check whether a task has the ioctl permission and cmd
3398 * operation to an inode.
3399 */
3400 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3401 u32 requested, u16 cmd)
3402 {
3403 struct common_audit_data ad;
3404 struct file_security_struct *fsec = file->f_security;
3405 struct inode *inode = file_inode(file);
3406 struct inode_security_struct *isec;
3407 struct lsm_ioctlop_audit ioctl;
3408 u32 ssid = cred_sid(cred);
3409 int rc;
3410 u8 driver = cmd >> 8;
3411 u8 xperm = cmd & 0xff;
3412
3413 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3414 ad.u.op = &ioctl;
3415 ad.u.op->cmd = cmd;
3416 ad.u.op->path = file->f_path;
3417
3418 if (ssid != fsec->sid) {
3419 rc = avc_has_perm(ssid, fsec->sid,
3420 SECCLASS_FD,
3421 FD__USE,
3422 &ad);
3423 if (rc)
3424 goto out;
3425 }
3426
3427 if (unlikely(IS_PRIVATE(inode)))
3428 return 0;
3429
3430 isec = inode_security(inode);
3431 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3432 requested, driver, xperm, &ad);
3433 out:
3434 return rc;
3435 }
3436
3437 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3438 unsigned long arg)
3439 {
3440 const struct cred *cred = current_cred();
3441 int error = 0;
3442
3443 switch (cmd) {
3444 case FIONREAD:
3445 /* fall through */
3446 case FIBMAP:
3447 /* fall through */
3448 case FIGETBSZ:
3449 /* fall through */
3450 case FS_IOC_GETFLAGS:
3451 /* fall through */
3452 case FS_IOC_GETVERSION:
3453 error = file_has_perm(cred, file, FILE__GETATTR);
3454 break;
3455
3456 case FS_IOC_SETFLAGS:
3457 /* fall through */
3458 case FS_IOC_SETVERSION:
3459 error = file_has_perm(cred, file, FILE__SETATTR);
3460 break;
3461
3462 /* sys_ioctl() checks */
3463 case FIONBIO:
3464 /* fall through */
3465 case FIOASYNC:
3466 error = file_has_perm(cred, file, 0);
3467 break;
3468
3469 case KDSKBENT:
3470 case KDSKBSENT:
3471 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3472 SECURITY_CAP_AUDIT, true);
3473 break;
3474
3475 /* default case assumes that the command will go
3476 * to the file's ioctl() function.
3477 */
3478 default:
3479 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3480 }
3481 return error;
3482 }
3483
3484 static int default_noexec;
3485
3486 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3487 {
3488 const struct cred *cred = current_cred();
3489 int rc = 0;
3490
3491 if (default_noexec &&
3492 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3493 (!shared && (prot & PROT_WRITE)))) {
3494 /*
3495 * We are making executable an anonymous mapping or a
3496 * private file mapping that will also be writable.
3497 * This has an additional check.
3498 */
3499 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3500 if (rc)
3501 goto error;
3502 }
3503
3504 if (file) {
3505 /* read access is always possible with a mapping */
3506 u32 av = FILE__READ;
3507
3508 /* write access only matters if the mapping is shared */
3509 if (shared && (prot & PROT_WRITE))
3510 av |= FILE__WRITE;
3511
3512 if (prot & PROT_EXEC)
3513 av |= FILE__EXECUTE;
3514
3515 return file_has_perm(cred, file, av);
3516 }
3517
3518 error:
3519 return rc;
3520 }
3521
3522 static int selinux_mmap_addr(unsigned long addr)
3523 {
3524 int rc = 0;
3525
3526 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3527 u32 sid = current_sid();
3528 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3529 MEMPROTECT__MMAP_ZERO, NULL);
3530 }
3531
3532 return rc;
3533 }
3534
3535 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3536 unsigned long prot, unsigned long flags)
3537 {
3538 if (selinux_checkreqprot)
3539 prot = reqprot;
3540
3541 return file_map_prot_check(file, prot,
3542 (flags & MAP_TYPE) == MAP_SHARED);
3543 }
3544
3545 static int selinux_file_mprotect(struct vm_area_struct *vma,
3546 unsigned long reqprot,
3547 unsigned long prot)
3548 {
3549 const struct cred *cred = current_cred();
3550
3551 if (selinux_checkreqprot)
3552 prot = reqprot;
3553
3554 if (default_noexec &&
3555 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3556 int rc = 0;
3557 if (vma->vm_start >= vma->vm_mm->start_brk &&
3558 vma->vm_end <= vma->vm_mm->brk) {
3559 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3560 } else if (!vma->vm_file &&
3561 ((vma->vm_start <= vma->vm_mm->start_stack &&
3562 vma->vm_end >= vma->vm_mm->start_stack) ||
3563 vma_is_stack_for_current(vma))) {
3564 rc = current_has_perm(current, PROCESS__EXECSTACK);
3565 } else if (vma->vm_file && vma->anon_vma) {
3566 /*
3567 * We are making executable a file mapping that has
3568 * had some COW done. Since pages might have been
3569 * written, check ability to execute the possibly
3570 * modified content. This typically should only
3571 * occur for text relocations.
3572 */
3573 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3574 }
3575 if (rc)
3576 return rc;
3577 }
3578
3579 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3580 }
3581
3582 static int selinux_file_lock(struct file *file, unsigned int cmd)
3583 {
3584 const struct cred *cred = current_cred();
3585
3586 return file_has_perm(cred, file, FILE__LOCK);
3587 }
3588
3589 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3590 unsigned long arg)
3591 {
3592 const struct cred *cred = current_cred();
3593 int err = 0;
3594
3595 switch (cmd) {
3596 case F_SETFL:
3597 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3598 err = file_has_perm(cred, file, FILE__WRITE);
3599 break;
3600 }
3601 /* fall through */
3602 case F_SETOWN:
3603 case F_SETSIG:
3604 case F_GETFL:
3605 case F_GETOWN:
3606 case F_GETSIG:
3607 case F_GETOWNER_UIDS:
3608 /* Just check FD__USE permission */
3609 err = file_has_perm(cred, file, 0);
3610 break;
3611 case F_GETLK:
3612 case F_SETLK:
3613 case F_SETLKW:
3614 case F_OFD_GETLK:
3615 case F_OFD_SETLK:
3616 case F_OFD_SETLKW:
3617 #if BITS_PER_LONG == 32
3618 case F_GETLK64:
3619 case F_SETLK64:
3620 case F_SETLKW64:
3621 #endif
3622 err = file_has_perm(cred, file, FILE__LOCK);
3623 break;
3624 }
3625
3626 return err;
3627 }
3628
3629 static void selinux_file_set_fowner(struct file *file)
3630 {
3631 struct file_security_struct *fsec;
3632
3633 fsec = file->f_security;
3634 fsec->fown_sid = current_sid();
3635 }
3636
3637 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3638 struct fown_struct *fown, int signum)
3639 {
3640 struct file *file;
3641 u32 sid = task_sid(tsk);
3642 u32 perm;
3643 struct file_security_struct *fsec;
3644
3645 /* struct fown_struct is never outside the context of a struct file */
3646 file = container_of(fown, struct file, f_owner);
3647
3648 fsec = file->f_security;
3649
3650 if (!signum)
3651 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3652 else
3653 perm = signal_to_av(signum);
3654
3655 return avc_has_perm(fsec->fown_sid, sid,
3656 SECCLASS_PROCESS, perm, NULL);
3657 }
3658
3659 static int selinux_file_receive(struct file *file)
3660 {
3661 const struct cred *cred = current_cred();
3662
3663 return file_has_perm(cred, file, file_to_av(file));
3664 }
3665
3666 static int selinux_file_open(struct file *file, const struct cred *cred)
3667 {
3668 struct file_security_struct *fsec;
3669 struct inode_security_struct *isec;
3670
3671 fsec = file->f_security;
3672 isec = inode_security(file_inode(file));
3673 /*
3674 * Save inode label and policy sequence number
3675 * at open-time so that selinux_file_permission
3676 * can determine whether revalidation is necessary.
3677 * Task label is already saved in the file security
3678 * struct as its SID.
3679 */
3680 fsec->isid = isec->sid;
3681 fsec->pseqno = avc_policy_seqno();
3682 /*
3683 * Since the inode label or policy seqno may have changed
3684 * between the selinux_inode_permission check and the saving
3685 * of state above, recheck that access is still permitted.
3686 * Otherwise, access might never be revalidated against the
3687 * new inode label or new policy.
3688 * This check is not redundant - do not remove.
3689 */
3690 return file_path_has_perm(cred, file, open_file_to_av(file));
3691 }
3692
3693 /* task security operations */
3694
3695 static int selinux_task_create(unsigned long clone_flags)
3696 {
3697 return current_has_perm(current, PROCESS__FORK);
3698 }
3699
3700 /*
3701 * allocate the SELinux part of blank credentials
3702 */
3703 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3704 {
3705 struct task_security_struct *tsec;
3706
3707 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3708 if (!tsec)
3709 return -ENOMEM;
3710
3711 cred->security = tsec;
3712 return 0;
3713 }
3714
3715 /*
3716 * detach and free the LSM part of a set of credentials
3717 */
3718 static void selinux_cred_free(struct cred *cred)
3719 {
3720 struct task_security_struct *tsec = cred->security;
3721
3722 /*
3723 * cred->security == NULL if security_cred_alloc_blank() or
3724 * security_prepare_creds() returned an error.
3725 */
3726 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3727 cred->security = (void *) 0x7UL;
3728 kfree(tsec);
3729 }
3730
3731 /*
3732 * prepare a new set of credentials for modification
3733 */
3734 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3735 gfp_t gfp)
3736 {
3737 const struct task_security_struct *old_tsec;
3738 struct task_security_struct *tsec;
3739
3740 old_tsec = old->security;
3741
3742 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3743 if (!tsec)
3744 return -ENOMEM;
3745
3746 new->security = tsec;
3747 return 0;
3748 }
3749
3750 /*
3751 * transfer the SELinux data to a blank set of creds
3752 */
3753 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3754 {
3755 const struct task_security_struct *old_tsec = old->security;
3756 struct task_security_struct *tsec = new->security;
3757
3758 *tsec = *old_tsec;
3759 }
3760
3761 /*
3762 * set the security data for a kernel service
3763 * - all the creation contexts are set to unlabelled
3764 */
3765 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3766 {
3767 struct task_security_struct *tsec = new->security;
3768 u32 sid = current_sid();
3769 int ret;
3770
3771 ret = avc_has_perm(sid, secid,
3772 SECCLASS_KERNEL_SERVICE,
3773 KERNEL_SERVICE__USE_AS_OVERRIDE,
3774 NULL);
3775 if (ret == 0) {
3776 tsec->sid = secid;
3777 tsec->create_sid = 0;
3778 tsec->keycreate_sid = 0;
3779 tsec->sockcreate_sid = 0;
3780 }
3781 return ret;
3782 }
3783
3784 /*
3785 * set the file creation context in a security record to the same as the
3786 * objective context of the specified inode
3787 */
3788 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3789 {
3790 struct inode_security_struct *isec = inode_security(inode);
3791 struct task_security_struct *tsec = new->security;
3792 u32 sid = current_sid();
3793 int ret;
3794
3795 ret = avc_has_perm(sid, isec->sid,
3796 SECCLASS_KERNEL_SERVICE,
3797 KERNEL_SERVICE__CREATE_FILES_AS,
3798 NULL);
3799
3800 if (ret == 0)
3801 tsec->create_sid = isec->sid;
3802 return ret;
3803 }
3804
3805 static int selinux_kernel_module_request(char *kmod_name)
3806 {
3807 u32 sid;
3808 struct common_audit_data ad;
3809
3810 sid = task_sid(current);
3811
3812 ad.type = LSM_AUDIT_DATA_KMOD;
3813 ad.u.kmod_name = kmod_name;
3814
3815 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3816 SYSTEM__MODULE_REQUEST, &ad);
3817 }
3818
3819 static int selinux_kernel_module_from_file(struct file *file)
3820 {
3821 struct common_audit_data ad;
3822 struct inode_security_struct *isec;
3823 struct file_security_struct *fsec;
3824 u32 sid = current_sid();
3825 int rc;
3826
3827 /* init_module */
3828 if (file == NULL)
3829 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3830 SYSTEM__MODULE_LOAD, NULL);
3831
3832 /* finit_module */
3833
3834 ad.type = LSM_AUDIT_DATA_FILE;
3835 ad.u.file = file;
3836
3837 fsec = file->f_security;
3838 if (sid != fsec->sid) {
3839 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3840 if (rc)
3841 return rc;
3842 }
3843
3844 isec = inode_security(file_inode(file));
3845 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3846 SYSTEM__MODULE_LOAD, &ad);
3847 }
3848
3849 static int selinux_kernel_read_file(struct file *file,
3850 enum kernel_read_file_id id)
3851 {
3852 int rc = 0;
3853
3854 switch (id) {
3855 case READING_MODULE:
3856 rc = selinux_kernel_module_from_file(file);
3857 break;
3858 default:
3859 break;
3860 }
3861
3862 return rc;
3863 }
3864
3865 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3866 {
3867 return current_has_perm(p, PROCESS__SETPGID);
3868 }
3869
3870 static int selinux_task_getpgid(struct task_struct *p)
3871 {
3872 return current_has_perm(p, PROCESS__GETPGID);
3873 }
3874
3875 static int selinux_task_getsid(struct task_struct *p)
3876 {
3877 return current_has_perm(p, PROCESS__GETSESSION);
3878 }
3879
3880 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3881 {
3882 *secid = task_sid(p);
3883 }
3884
3885 static int selinux_task_setnice(struct task_struct *p, int nice)
3886 {
3887 return current_has_perm(p, PROCESS__SETSCHED);
3888 }
3889
3890 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3891 {
3892 return current_has_perm(p, PROCESS__SETSCHED);
3893 }
3894
3895 static int selinux_task_getioprio(struct task_struct *p)
3896 {
3897 return current_has_perm(p, PROCESS__GETSCHED);
3898 }
3899
3900 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3901 struct rlimit *new_rlim)
3902 {
3903 struct rlimit *old_rlim = p->signal->rlim + resource;
3904
3905 /* Control the ability to change the hard limit (whether
3906 lowering or raising it), so that the hard limit can
3907 later be used as a safe reset point for the soft limit
3908 upon context transitions. See selinux_bprm_committing_creds. */
3909 if (old_rlim->rlim_max != new_rlim->rlim_max)
3910 return current_has_perm(p, PROCESS__SETRLIMIT);
3911
3912 return 0;
3913 }
3914
3915 static int selinux_task_setscheduler(struct task_struct *p)
3916 {
3917 return current_has_perm(p, PROCESS__SETSCHED);
3918 }
3919
3920 static int selinux_task_getscheduler(struct task_struct *p)
3921 {
3922 return current_has_perm(p, PROCESS__GETSCHED);
3923 }
3924
3925 static int selinux_task_movememory(struct task_struct *p)
3926 {
3927 return current_has_perm(p, PROCESS__SETSCHED);
3928 }
3929
3930 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3931 int sig, u32 secid)
3932 {
3933 u32 perm;
3934 int rc;
3935
3936 if (!sig)
3937 perm = PROCESS__SIGNULL; /* null signal; existence test */
3938 else
3939 perm = signal_to_av(sig);
3940 if (secid)
3941 rc = avc_has_perm(secid, task_sid(p),
3942 SECCLASS_PROCESS, perm, NULL);
3943 else
3944 rc = current_has_perm(p, perm);
3945 return rc;
3946 }
3947
3948 static int selinux_task_wait(struct task_struct *p)
3949 {
3950 return task_has_perm(p, current, PROCESS__SIGCHLD);
3951 }
3952
3953 static void selinux_task_to_inode(struct task_struct *p,
3954 struct inode *inode)
3955 {
3956 struct inode_security_struct *isec = inode->i_security;
3957 u32 sid = task_sid(p);
3958
3959 isec->sid = sid;
3960 isec->initialized = LABEL_INITIALIZED;
3961 }
3962
3963 /* Returns error only if unable to parse addresses */
3964 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3965 struct common_audit_data *ad, u8 *proto)
3966 {
3967 int offset, ihlen, ret = -EINVAL;
3968 struct iphdr _iph, *ih;
3969
3970 offset = skb_network_offset(skb);
3971 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3972 if (ih == NULL)
3973 goto out;
3974
3975 ihlen = ih->ihl * 4;
3976 if (ihlen < sizeof(_iph))
3977 goto out;
3978
3979 ad->u.net->v4info.saddr = ih->saddr;
3980 ad->u.net->v4info.daddr = ih->daddr;
3981 ret = 0;
3982
3983 if (proto)
3984 *proto = ih->protocol;
3985
3986 switch (ih->protocol) {
3987 case IPPROTO_TCP: {
3988 struct tcphdr _tcph, *th;
3989
3990 if (ntohs(ih->frag_off) & IP_OFFSET)
3991 break;
3992
3993 offset += ihlen;
3994 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3995 if (th == NULL)
3996 break;
3997
3998 ad->u.net->sport = th->source;
3999 ad->u.net->dport = th->dest;
4000 break;
4001 }
4002
4003 case IPPROTO_UDP: {
4004 struct udphdr _udph, *uh;
4005
4006 if (ntohs(ih->frag_off) & IP_OFFSET)
4007 break;
4008
4009 offset += ihlen;
4010 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4011 if (uh == NULL)
4012 break;
4013
4014 ad->u.net->sport = uh->source;
4015 ad->u.net->dport = uh->dest;
4016 break;
4017 }
4018
4019 case IPPROTO_DCCP: {
4020 struct dccp_hdr _dccph, *dh;
4021
4022 if (ntohs(ih->frag_off) & IP_OFFSET)
4023 break;
4024
4025 offset += ihlen;
4026 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4027 if (dh == NULL)
4028 break;
4029
4030 ad->u.net->sport = dh->dccph_sport;
4031 ad->u.net->dport = dh->dccph_dport;
4032 break;
4033 }
4034
4035 default:
4036 break;
4037 }
4038 out:
4039 return ret;
4040 }
4041
4042 #if IS_ENABLED(CONFIG_IPV6)
4043
4044 /* Returns error only if unable to parse addresses */
4045 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4046 struct common_audit_data *ad, u8 *proto)
4047 {
4048 u8 nexthdr;
4049 int ret = -EINVAL, offset;
4050 struct ipv6hdr _ipv6h, *ip6;
4051 __be16 frag_off;
4052
4053 offset = skb_network_offset(skb);
4054 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4055 if (ip6 == NULL)
4056 goto out;
4057
4058 ad->u.net->v6info.saddr = ip6->saddr;
4059 ad->u.net->v6info.daddr = ip6->daddr;
4060 ret = 0;
4061
4062 nexthdr = ip6->nexthdr;
4063 offset += sizeof(_ipv6h);
4064 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4065 if (offset < 0)
4066 goto out;
4067
4068 if (proto)
4069 *proto = nexthdr;
4070
4071 switch (nexthdr) {
4072 case IPPROTO_TCP: {
4073 struct tcphdr _tcph, *th;
4074
4075 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4076 if (th == NULL)
4077 break;
4078
4079 ad->u.net->sport = th->source;
4080 ad->u.net->dport = th->dest;
4081 break;
4082 }
4083
4084 case IPPROTO_UDP: {
4085 struct udphdr _udph, *uh;
4086
4087 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4088 if (uh == NULL)
4089 break;
4090
4091 ad->u.net->sport = uh->source;
4092 ad->u.net->dport = uh->dest;
4093 break;
4094 }
4095
4096 case IPPROTO_DCCP: {
4097 struct dccp_hdr _dccph, *dh;
4098
4099 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4100 if (dh == NULL)
4101 break;
4102
4103 ad->u.net->sport = dh->dccph_sport;
4104 ad->u.net->dport = dh->dccph_dport;
4105 break;
4106 }
4107
4108 /* includes fragments */
4109 default:
4110 break;
4111 }
4112 out:
4113 return ret;
4114 }
4115
4116 #endif /* IPV6 */
4117
4118 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4119 char **_addrp, int src, u8 *proto)
4120 {
4121 char *addrp;
4122 int ret;
4123
4124 switch (ad->u.net->family) {
4125 case PF_INET:
4126 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4127 if (ret)
4128 goto parse_error;
4129 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4130 &ad->u.net->v4info.daddr);
4131 goto okay;
4132
4133 #if IS_ENABLED(CONFIG_IPV6)
4134 case PF_INET6:
4135 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4136 if (ret)
4137 goto parse_error;
4138 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4139 &ad->u.net->v6info.daddr);
4140 goto okay;
4141 #endif /* IPV6 */
4142 default:
4143 addrp = NULL;
4144 goto okay;
4145 }
4146
4147 parse_error:
4148 printk(KERN_WARNING
4149 "SELinux: failure in selinux_parse_skb(),"
4150 " unable to parse packet\n");
4151 return ret;
4152
4153 okay:
4154 if (_addrp)
4155 *_addrp = addrp;
4156 return 0;
4157 }
4158
4159 /**
4160 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4161 * @skb: the packet
4162 * @family: protocol family
4163 * @sid: the packet's peer label SID
4164 *
4165 * Description:
4166 * Check the various different forms of network peer labeling and determine
4167 * the peer label/SID for the packet; most of the magic actually occurs in
4168 * the security server function security_net_peersid_cmp(). The function
4169 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4170 * or -EACCES if @sid is invalid due to inconsistencies with the different
4171 * peer labels.
4172 *
4173 */
4174 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4175 {
4176 int err;
4177 u32 xfrm_sid;
4178 u32 nlbl_sid;
4179 u32 nlbl_type;
4180
4181 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4182 if (unlikely(err))
4183 return -EACCES;
4184 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4185 if (unlikely(err))
4186 return -EACCES;
4187
4188 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4189 if (unlikely(err)) {
4190 printk(KERN_WARNING
4191 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4192 " unable to determine packet's peer label\n");
4193 return -EACCES;
4194 }
4195
4196 return 0;
4197 }
4198
4199 /**
4200 * selinux_conn_sid - Determine the child socket label for a connection
4201 * @sk_sid: the parent socket's SID
4202 * @skb_sid: the packet's SID
4203 * @conn_sid: the resulting connection SID
4204 *
4205 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4206 * combined with the MLS information from @skb_sid in order to create
4207 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4208 * of @sk_sid. Returns zero on success, negative values on failure.
4209 *
4210 */
4211 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4212 {
4213 int err = 0;
4214
4215 if (skb_sid != SECSID_NULL)
4216 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4217 else
4218 *conn_sid = sk_sid;
4219
4220 return err;
4221 }
4222
4223 /* socket security operations */
4224
4225 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4226 u16 secclass, u32 *socksid)
4227 {
4228 if (tsec->sockcreate_sid > SECSID_NULL) {
4229 *socksid = tsec->sockcreate_sid;
4230 return 0;
4231 }
4232
4233 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4234 socksid);
4235 }
4236
4237 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4238 {
4239 struct sk_security_struct *sksec = sk->sk_security;
4240 struct common_audit_data ad;
4241 struct lsm_network_audit net = {0,};
4242 u32 tsid = task_sid(task);
4243
4244 if (sksec->sid == SECINITSID_KERNEL)
4245 return 0;
4246
4247 ad.type = LSM_AUDIT_DATA_NET;
4248 ad.u.net = &net;
4249 ad.u.net->sk = sk;
4250
4251 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4252 }
4253
4254 static int selinux_socket_create(int family, int type,
4255 int protocol, int kern)
4256 {
4257 const struct task_security_struct *tsec = current_security();
4258 u32 newsid;
4259 u16 secclass;
4260 int rc;
4261
4262 if (kern)
4263 return 0;
4264
4265 secclass = socket_type_to_security_class(family, type, protocol);
4266 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4267 if (rc)
4268 return rc;
4269
4270 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4271 }
4272
4273 static int selinux_socket_post_create(struct socket *sock, int family,
4274 int type, int protocol, int kern)
4275 {
4276 const struct task_security_struct *tsec = current_security();
4277 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4278 struct sk_security_struct *sksec;
4279 int err = 0;
4280
4281 isec->sclass = socket_type_to_security_class(family, type, protocol);
4282
4283 if (kern)
4284 isec->sid = SECINITSID_KERNEL;
4285 else {
4286 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4287 if (err)
4288 return err;
4289 }
4290
4291 isec->initialized = LABEL_INITIALIZED;
4292
4293 if (sock->sk) {
4294 sksec = sock->sk->sk_security;
4295 sksec->sid = isec->sid;
4296 sksec->sclass = isec->sclass;
4297 err = selinux_netlbl_socket_post_create(sock->sk, family);
4298 }
4299
4300 return err;
4301 }
4302
4303 /* Range of port numbers used to automatically bind.
4304 Need to determine whether we should perform a name_bind
4305 permission check between the socket and the port number. */
4306
4307 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4308 {
4309 struct sock *sk = sock->sk;
4310 u16 family;
4311 int err;
4312
4313 err = sock_has_perm(current, sk, SOCKET__BIND);
4314 if (err)
4315 goto out;
4316
4317 /*
4318 * If PF_INET or PF_INET6, check name_bind permission for the port.
4319 * Multiple address binding for SCTP is not supported yet: we just
4320 * check the first address now.
4321 */
4322 family = sk->sk_family;
4323 if (family == PF_INET || family == PF_INET6) {
4324 char *addrp;
4325 struct sk_security_struct *sksec = sk->sk_security;
4326 struct common_audit_data ad;
4327 struct lsm_network_audit net = {0,};
4328 struct sockaddr_in *addr4 = NULL;
4329 struct sockaddr_in6 *addr6 = NULL;
4330 unsigned short snum;
4331 u32 sid, node_perm;
4332
4333 if (family == PF_INET) {
4334 addr4 = (struct sockaddr_in *)address;
4335 snum = ntohs(addr4->sin_port);
4336 addrp = (char *)&addr4->sin_addr.s_addr;
4337 } else {
4338 addr6 = (struct sockaddr_in6 *)address;
4339 snum = ntohs(addr6->sin6_port);
4340 addrp = (char *)&addr6->sin6_addr.s6_addr;
4341 }
4342
4343 if (snum) {
4344 int low, high;
4345
4346 inet_get_local_port_range(sock_net(sk), &low, &high);
4347
4348 if (snum < max(PROT_SOCK, low) || snum > high) {
4349 err = sel_netport_sid(sk->sk_protocol,
4350 snum, &sid);
4351 if (err)
4352 goto out;
4353 ad.type = LSM_AUDIT_DATA_NET;
4354 ad.u.net = &net;
4355 ad.u.net->sport = htons(snum);
4356 ad.u.net->family = family;
4357 err = avc_has_perm(sksec->sid, sid,
4358 sksec->sclass,
4359 SOCKET__NAME_BIND, &ad);
4360 if (err)
4361 goto out;
4362 }
4363 }
4364
4365 switch (sksec->sclass) {
4366 case SECCLASS_TCP_SOCKET:
4367 node_perm = TCP_SOCKET__NODE_BIND;
4368 break;
4369
4370 case SECCLASS_UDP_SOCKET:
4371 node_perm = UDP_SOCKET__NODE_BIND;
4372 break;
4373
4374 case SECCLASS_DCCP_SOCKET:
4375 node_perm = DCCP_SOCKET__NODE_BIND;
4376 break;
4377
4378 default:
4379 node_perm = RAWIP_SOCKET__NODE_BIND;
4380 break;
4381 }
4382
4383 err = sel_netnode_sid(addrp, family, &sid);
4384 if (err)
4385 goto out;
4386
4387 ad.type = LSM_AUDIT_DATA_NET;
4388 ad.u.net = &net;
4389 ad.u.net->sport = htons(snum);
4390 ad.u.net->family = family;
4391
4392 if (family == PF_INET)
4393 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4394 else
4395 ad.u.net->v6info.saddr = addr6->sin6_addr;
4396
4397 err = avc_has_perm(sksec->sid, sid,
4398 sksec->sclass, node_perm, &ad);
4399 if (err)
4400 goto out;
4401 }
4402 out:
4403 return err;
4404 }
4405
4406 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4407 {
4408 struct sock *sk = sock->sk;
4409 struct sk_security_struct *sksec = sk->sk_security;
4410 int err;
4411
4412 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4413 if (err)
4414 return err;
4415
4416 /*
4417 * If a TCP or DCCP socket, check name_connect permission for the port.
4418 */
4419 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4420 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4421 struct common_audit_data ad;
4422 struct lsm_network_audit net = {0,};
4423 struct sockaddr_in *addr4 = NULL;
4424 struct sockaddr_in6 *addr6 = NULL;
4425 unsigned short snum;
4426 u32 sid, perm;
4427
4428 if (sk->sk_family == PF_INET) {
4429 addr4 = (struct sockaddr_in *)address;
4430 if (addrlen < sizeof(struct sockaddr_in))
4431 return -EINVAL;
4432 snum = ntohs(addr4->sin_port);
4433 } else {
4434 addr6 = (struct sockaddr_in6 *)address;
4435 if (addrlen < SIN6_LEN_RFC2133)
4436 return -EINVAL;
4437 snum = ntohs(addr6->sin6_port);
4438 }
4439
4440 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4441 if (err)
4442 goto out;
4443
4444 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4445 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4446
4447 ad.type = LSM_AUDIT_DATA_NET;
4448 ad.u.net = &net;
4449 ad.u.net->dport = htons(snum);
4450 ad.u.net->family = sk->sk_family;
4451 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4452 if (err)
4453 goto out;
4454 }
4455
4456 err = selinux_netlbl_socket_connect(sk, address);
4457
4458 out:
4459 return err;
4460 }
4461
4462 static int selinux_socket_listen(struct socket *sock, int backlog)
4463 {
4464 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4465 }
4466
4467 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4468 {
4469 int err;
4470 struct inode_security_struct *isec;
4471 struct inode_security_struct *newisec;
4472
4473 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4474 if (err)
4475 return err;
4476
4477 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4478
4479 isec = inode_security_novalidate(SOCK_INODE(sock));
4480 newisec->sclass = isec->sclass;
4481 newisec->sid = isec->sid;
4482 newisec->initialized = LABEL_INITIALIZED;
4483
4484 return 0;
4485 }
4486
4487 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4488 int size)
4489 {
4490 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4491 }
4492
4493 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4494 int size, int flags)
4495 {
4496 return sock_has_perm(current, sock->sk, SOCKET__READ);
4497 }
4498
4499 static int selinux_socket_getsockname(struct socket *sock)
4500 {
4501 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4502 }
4503
4504 static int selinux_socket_getpeername(struct socket *sock)
4505 {
4506 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4507 }
4508
4509 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4510 {
4511 int err;
4512
4513 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4514 if (err)
4515 return err;
4516
4517 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4518 }
4519
4520 static int selinux_socket_getsockopt(struct socket *sock, int level,
4521 int optname)
4522 {
4523 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4524 }
4525
4526 static int selinux_socket_shutdown(struct socket *sock, int how)
4527 {
4528 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4529 }
4530
4531 static int selinux_socket_unix_stream_connect(struct sock *sock,
4532 struct sock *other,
4533 struct sock *newsk)
4534 {
4535 struct sk_security_struct *sksec_sock = sock->sk_security;
4536 struct sk_security_struct *sksec_other = other->sk_security;
4537 struct sk_security_struct *sksec_new = newsk->sk_security;
4538 struct common_audit_data ad;
4539 struct lsm_network_audit net = {0,};
4540 int err;
4541
4542 ad.type = LSM_AUDIT_DATA_NET;
4543 ad.u.net = &net;
4544 ad.u.net->sk = other;
4545
4546 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4547 sksec_other->sclass,
4548 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4549 if (err)
4550 return err;
4551
4552 /* server child socket */
4553 sksec_new->peer_sid = sksec_sock->sid;
4554 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4555 &sksec_new->sid);
4556 if (err)
4557 return err;
4558
4559 /* connecting socket */
4560 sksec_sock->peer_sid = sksec_new->sid;
4561
4562 return 0;
4563 }
4564
4565 static int selinux_socket_unix_may_send(struct socket *sock,
4566 struct socket *other)
4567 {
4568 struct sk_security_struct *ssec = sock->sk->sk_security;
4569 struct sk_security_struct *osec = other->sk->sk_security;
4570 struct common_audit_data ad;
4571 struct lsm_network_audit net = {0,};
4572
4573 ad.type = LSM_AUDIT_DATA_NET;
4574 ad.u.net = &net;
4575 ad.u.net->sk = other->sk;
4576
4577 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4578 &ad);
4579 }
4580
4581 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4582 char *addrp, u16 family, u32 peer_sid,
4583 struct common_audit_data *ad)
4584 {
4585 int err;
4586 u32 if_sid;
4587 u32 node_sid;
4588
4589 err = sel_netif_sid(ns, ifindex, &if_sid);
4590 if (err)
4591 return err;
4592 err = avc_has_perm(peer_sid, if_sid,
4593 SECCLASS_NETIF, NETIF__INGRESS, ad);
4594 if (err)
4595 return err;
4596
4597 err = sel_netnode_sid(addrp, family, &node_sid);
4598 if (err)
4599 return err;
4600 return avc_has_perm(peer_sid, node_sid,
4601 SECCLASS_NODE, NODE__RECVFROM, ad);
4602 }
4603
4604 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4605 u16 family)
4606 {
4607 int err = 0;
4608 struct sk_security_struct *sksec = sk->sk_security;
4609 u32 sk_sid = sksec->sid;
4610 struct common_audit_data ad;
4611 struct lsm_network_audit net = {0,};
4612 char *addrp;
4613
4614 ad.type = LSM_AUDIT_DATA_NET;
4615 ad.u.net = &net;
4616 ad.u.net->netif = skb->skb_iif;
4617 ad.u.net->family = family;
4618 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4619 if (err)
4620 return err;
4621
4622 if (selinux_secmark_enabled()) {
4623 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4624 PACKET__RECV, &ad);
4625 if (err)
4626 return err;
4627 }
4628
4629 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4630 if (err)
4631 return err;
4632 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4633
4634 return err;
4635 }
4636
4637 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4638 {
4639 int err;
4640 struct sk_security_struct *sksec = sk->sk_security;
4641 u16 family = sk->sk_family;
4642 u32 sk_sid = sksec->sid;
4643 struct common_audit_data ad;
4644 struct lsm_network_audit net = {0,};
4645 char *addrp;
4646 u8 secmark_active;
4647 u8 peerlbl_active;
4648
4649 if (family != PF_INET && family != PF_INET6)
4650 return 0;
4651
4652 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4653 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4654 family = PF_INET;
4655
4656 /* If any sort of compatibility mode is enabled then handoff processing
4657 * to the selinux_sock_rcv_skb_compat() function to deal with the
4658 * special handling. We do this in an attempt to keep this function
4659 * as fast and as clean as possible. */
4660 if (!selinux_policycap_netpeer)
4661 return selinux_sock_rcv_skb_compat(sk, skb, family);
4662
4663 secmark_active = selinux_secmark_enabled();
4664 peerlbl_active = selinux_peerlbl_enabled();
4665 if (!secmark_active && !peerlbl_active)
4666 return 0;
4667
4668 ad.type = LSM_AUDIT_DATA_NET;
4669 ad.u.net = &net;
4670 ad.u.net->netif = skb->skb_iif;
4671 ad.u.net->family = family;
4672 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4673 if (err)
4674 return err;
4675
4676 if (peerlbl_active) {
4677 u32 peer_sid;
4678
4679 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4680 if (err)
4681 return err;
4682 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4683 addrp, family, peer_sid, &ad);
4684 if (err) {
4685 selinux_netlbl_err(skb, family, err, 0);
4686 return err;
4687 }
4688 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4689 PEER__RECV, &ad);
4690 if (err) {
4691 selinux_netlbl_err(skb, family, err, 0);
4692 return err;
4693 }
4694 }
4695
4696 if (secmark_active) {
4697 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4698 PACKET__RECV, &ad);
4699 if (err)
4700 return err;
4701 }
4702
4703 return err;
4704 }
4705
4706 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4707 int __user *optlen, unsigned len)
4708 {
4709 int err = 0;
4710 char *scontext;
4711 u32 scontext_len;
4712 struct sk_security_struct *sksec = sock->sk->sk_security;
4713 u32 peer_sid = SECSID_NULL;
4714
4715 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4716 sksec->sclass == SECCLASS_TCP_SOCKET)
4717 peer_sid = sksec->peer_sid;
4718 if (peer_sid == SECSID_NULL)
4719 return -ENOPROTOOPT;
4720
4721 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4722 if (err)
4723 return err;
4724
4725 if (scontext_len > len) {
4726 err = -ERANGE;
4727 goto out_len;
4728 }
4729
4730 if (copy_to_user(optval, scontext, scontext_len))
4731 err = -EFAULT;
4732
4733 out_len:
4734 if (put_user(scontext_len, optlen))
4735 err = -EFAULT;
4736 kfree(scontext);
4737 return err;
4738 }
4739
4740 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4741 {
4742 u32 peer_secid = SECSID_NULL;
4743 u16 family;
4744 struct inode_security_struct *isec;
4745
4746 if (skb && skb->protocol == htons(ETH_P_IP))
4747 family = PF_INET;
4748 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4749 family = PF_INET6;
4750 else if (sock)
4751 family = sock->sk->sk_family;
4752 else
4753 goto out;
4754
4755 if (sock && family == PF_UNIX) {
4756 isec = inode_security_novalidate(SOCK_INODE(sock));
4757 peer_secid = isec->sid;
4758 } else if (skb)
4759 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4760
4761 out:
4762 *secid = peer_secid;
4763 if (peer_secid == SECSID_NULL)
4764 return -EINVAL;
4765 return 0;
4766 }
4767
4768 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4769 {
4770 struct sk_security_struct *sksec;
4771
4772 sksec = kzalloc(sizeof(*sksec), priority);
4773 if (!sksec)
4774 return -ENOMEM;
4775
4776 sksec->peer_sid = SECINITSID_UNLABELED;
4777 sksec->sid = SECINITSID_UNLABELED;
4778 sksec->sclass = SECCLASS_SOCKET;
4779 selinux_netlbl_sk_security_reset(sksec);
4780 sk->sk_security = sksec;
4781
4782 return 0;
4783 }
4784
4785 static void selinux_sk_free_security(struct sock *sk)
4786 {
4787 struct sk_security_struct *sksec = sk->sk_security;
4788
4789 sk->sk_security = NULL;
4790 selinux_netlbl_sk_security_free(sksec);
4791 kfree(sksec);
4792 }
4793
4794 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4795 {
4796 struct sk_security_struct *sksec = sk->sk_security;
4797 struct sk_security_struct *newsksec = newsk->sk_security;
4798
4799 newsksec->sid = sksec->sid;
4800 newsksec->peer_sid = sksec->peer_sid;
4801 newsksec->sclass = sksec->sclass;
4802
4803 selinux_netlbl_sk_security_reset(newsksec);
4804 }
4805
4806 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4807 {
4808 if (!sk)
4809 *secid = SECINITSID_ANY_SOCKET;
4810 else {
4811 struct sk_security_struct *sksec = sk->sk_security;
4812
4813 *secid = sksec->sid;
4814 }
4815 }
4816
4817 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4818 {
4819 struct inode_security_struct *isec =
4820 inode_security_novalidate(SOCK_INODE(parent));
4821 struct sk_security_struct *sksec = sk->sk_security;
4822
4823 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4824 sk->sk_family == PF_UNIX)
4825 isec->sid = sksec->sid;
4826 sksec->sclass = isec->sclass;
4827 }
4828
4829 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4830 struct request_sock *req)
4831 {
4832 struct sk_security_struct *sksec = sk->sk_security;
4833 int err;
4834 u16 family = req->rsk_ops->family;
4835 u32 connsid;
4836 u32 peersid;
4837
4838 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4839 if (err)
4840 return err;
4841 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4842 if (err)
4843 return err;
4844 req->secid = connsid;
4845 req->peer_secid = peersid;
4846
4847 return selinux_netlbl_inet_conn_request(req, family);
4848 }
4849
4850 static void selinux_inet_csk_clone(struct sock *newsk,
4851 const struct request_sock *req)
4852 {
4853 struct sk_security_struct *newsksec = newsk->sk_security;
4854
4855 newsksec->sid = req->secid;
4856 newsksec->peer_sid = req->peer_secid;
4857 /* NOTE: Ideally, we should also get the isec->sid for the
4858 new socket in sync, but we don't have the isec available yet.
4859 So we will wait until sock_graft to do it, by which
4860 time it will have been created and available. */
4861
4862 /* We don't need to take any sort of lock here as we are the only
4863 * thread with access to newsksec */
4864 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4865 }
4866
4867 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4868 {
4869 u16 family = sk->sk_family;
4870 struct sk_security_struct *sksec = sk->sk_security;
4871
4872 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4873 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4874 family = PF_INET;
4875
4876 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4877 }
4878
4879 static int selinux_secmark_relabel_packet(u32 sid)
4880 {
4881 const struct task_security_struct *__tsec;
4882 u32 tsid;
4883
4884 __tsec = current_security();
4885 tsid = __tsec->sid;
4886
4887 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4888 }
4889
4890 static void selinux_secmark_refcount_inc(void)
4891 {
4892 atomic_inc(&selinux_secmark_refcount);
4893 }
4894
4895 static void selinux_secmark_refcount_dec(void)
4896 {
4897 atomic_dec(&selinux_secmark_refcount);
4898 }
4899
4900 static void selinux_req_classify_flow(const struct request_sock *req,
4901 struct flowi *fl)
4902 {
4903 fl->flowi_secid = req->secid;
4904 }
4905
4906 static int selinux_tun_dev_alloc_security(void **security)
4907 {
4908 struct tun_security_struct *tunsec;
4909
4910 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4911 if (!tunsec)
4912 return -ENOMEM;
4913 tunsec->sid = current_sid();
4914
4915 *security = tunsec;
4916 return 0;
4917 }
4918
4919 static void selinux_tun_dev_free_security(void *security)
4920 {
4921 kfree(security);
4922 }
4923
4924 static int selinux_tun_dev_create(void)
4925 {
4926 u32 sid = current_sid();
4927
4928 /* we aren't taking into account the "sockcreate" SID since the socket
4929 * that is being created here is not a socket in the traditional sense,
4930 * instead it is a private sock, accessible only to the kernel, and
4931 * representing a wide range of network traffic spanning multiple
4932 * connections unlike traditional sockets - check the TUN driver to
4933 * get a better understanding of why this socket is special */
4934
4935 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4936 NULL);
4937 }
4938
4939 static int selinux_tun_dev_attach_queue(void *security)
4940 {
4941 struct tun_security_struct *tunsec = security;
4942
4943 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4944 TUN_SOCKET__ATTACH_QUEUE, NULL);
4945 }
4946
4947 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4948 {
4949 struct tun_security_struct *tunsec = security;
4950 struct sk_security_struct *sksec = sk->sk_security;
4951
4952 /* we don't currently perform any NetLabel based labeling here and it
4953 * isn't clear that we would want to do so anyway; while we could apply
4954 * labeling without the support of the TUN user the resulting labeled
4955 * traffic from the other end of the connection would almost certainly
4956 * cause confusion to the TUN user that had no idea network labeling
4957 * protocols were being used */
4958
4959 sksec->sid = tunsec->sid;
4960 sksec->sclass = SECCLASS_TUN_SOCKET;
4961
4962 return 0;
4963 }
4964
4965 static int selinux_tun_dev_open(void *security)
4966 {
4967 struct tun_security_struct *tunsec = security;
4968 u32 sid = current_sid();
4969 int err;
4970
4971 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4972 TUN_SOCKET__RELABELFROM, NULL);
4973 if (err)
4974 return err;
4975 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4976 TUN_SOCKET__RELABELTO, NULL);
4977 if (err)
4978 return err;
4979 tunsec->sid = sid;
4980
4981 return 0;
4982 }
4983
4984 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4985 {
4986 int err = 0;
4987 u32 perm;
4988 struct nlmsghdr *nlh;
4989 struct sk_security_struct *sksec = sk->sk_security;
4990
4991 if (skb->len < NLMSG_HDRLEN) {
4992 err = -EINVAL;
4993 goto out;
4994 }
4995 nlh = nlmsg_hdr(skb);
4996
4997 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
4998 if (err) {
4999 if (err == -EINVAL) {
5000 pr_warn_ratelimited("SELinux: unrecognized netlink"
5001 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5002 " pig=%d comm=%s\n",
5003 sk->sk_protocol, nlh->nlmsg_type,
5004 secclass_map[sksec->sclass - 1].name,
5005 task_pid_nr(current), current->comm);
5006 if (!selinux_enforcing || security_get_allow_unknown())
5007 err = 0;
5008 }
5009
5010 /* Ignore */
5011 if (err == -ENOENT)
5012 err = 0;
5013 goto out;
5014 }
5015
5016 err = sock_has_perm(current, sk, perm);
5017 out:
5018 return err;
5019 }
5020
5021 #ifdef CONFIG_NETFILTER
5022
5023 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5024 const struct net_device *indev,
5025 u16 family)
5026 {
5027 int err;
5028 char *addrp;
5029 u32 peer_sid;
5030 struct common_audit_data ad;
5031 struct lsm_network_audit net = {0,};
5032 u8 secmark_active;
5033 u8 netlbl_active;
5034 u8 peerlbl_active;
5035
5036 if (!selinux_policycap_netpeer)
5037 return NF_ACCEPT;
5038
5039 secmark_active = selinux_secmark_enabled();
5040 netlbl_active = netlbl_enabled();
5041 peerlbl_active = selinux_peerlbl_enabled();
5042 if (!secmark_active && !peerlbl_active)
5043 return NF_ACCEPT;
5044
5045 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5046 return NF_DROP;
5047
5048 ad.type = LSM_AUDIT_DATA_NET;
5049 ad.u.net = &net;
5050 ad.u.net->netif = indev->ifindex;
5051 ad.u.net->family = family;
5052 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5053 return NF_DROP;
5054
5055 if (peerlbl_active) {
5056 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5057 addrp, family, peer_sid, &ad);
5058 if (err) {
5059 selinux_netlbl_err(skb, family, err, 1);
5060 return NF_DROP;
5061 }
5062 }
5063
5064 if (secmark_active)
5065 if (avc_has_perm(peer_sid, skb->secmark,
5066 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5067 return NF_DROP;
5068
5069 if (netlbl_active)
5070 /* we do this in the FORWARD path and not the POST_ROUTING
5071 * path because we want to make sure we apply the necessary
5072 * labeling before IPsec is applied so we can leverage AH
5073 * protection */
5074 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5075 return NF_DROP;
5076
5077 return NF_ACCEPT;
5078 }
5079
5080 static unsigned int selinux_ipv4_forward(void *priv,
5081 struct sk_buff *skb,
5082 const struct nf_hook_state *state)
5083 {
5084 return selinux_ip_forward(skb, state->in, PF_INET);
5085 }
5086
5087 #if IS_ENABLED(CONFIG_IPV6)
5088 static unsigned int selinux_ipv6_forward(void *priv,
5089 struct sk_buff *skb,
5090 const struct nf_hook_state *state)
5091 {
5092 return selinux_ip_forward(skb, state->in, PF_INET6);
5093 }
5094 #endif /* IPV6 */
5095
5096 static unsigned int selinux_ip_output(struct sk_buff *skb,
5097 u16 family)
5098 {
5099 struct sock *sk;
5100 u32 sid;
5101
5102 if (!netlbl_enabled())
5103 return NF_ACCEPT;
5104
5105 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5106 * because we want to make sure we apply the necessary labeling
5107 * before IPsec is applied so we can leverage AH protection */
5108 sk = skb->sk;
5109 if (sk) {
5110 struct sk_security_struct *sksec;
5111
5112 if (sk_listener(sk))
5113 /* if the socket is the listening state then this
5114 * packet is a SYN-ACK packet which means it needs to
5115 * be labeled based on the connection/request_sock and
5116 * not the parent socket. unfortunately, we can't
5117 * lookup the request_sock yet as it isn't queued on
5118 * the parent socket until after the SYN-ACK is sent.
5119 * the "solution" is to simply pass the packet as-is
5120 * as any IP option based labeling should be copied
5121 * from the initial connection request (in the IP
5122 * layer). it is far from ideal, but until we get a
5123 * security label in the packet itself this is the
5124 * best we can do. */
5125 return NF_ACCEPT;
5126
5127 /* standard practice, label using the parent socket */
5128 sksec = sk->sk_security;
5129 sid = sksec->sid;
5130 } else
5131 sid = SECINITSID_KERNEL;
5132 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5133 return NF_DROP;
5134
5135 return NF_ACCEPT;
5136 }
5137
5138 static unsigned int selinux_ipv4_output(void *priv,
5139 struct sk_buff *skb,
5140 const struct nf_hook_state *state)
5141 {
5142 return selinux_ip_output(skb, PF_INET);
5143 }
5144
5145 #if IS_ENABLED(CONFIG_IPV6)
5146 static unsigned int selinux_ipv6_output(void *priv,
5147 struct sk_buff *skb,
5148 const struct nf_hook_state *state)
5149 {
5150 return selinux_ip_output(skb, PF_INET6);
5151 }
5152 #endif /* IPV6 */
5153
5154 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5155 int ifindex,
5156 u16 family)
5157 {
5158 struct sock *sk = skb_to_full_sk(skb);
5159 struct sk_security_struct *sksec;
5160 struct common_audit_data ad;
5161 struct lsm_network_audit net = {0,};
5162 char *addrp;
5163 u8 proto;
5164
5165 if (sk == NULL)
5166 return NF_ACCEPT;
5167 sksec = sk->sk_security;
5168
5169 ad.type = LSM_AUDIT_DATA_NET;
5170 ad.u.net = &net;
5171 ad.u.net->netif = ifindex;
5172 ad.u.net->family = family;
5173 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5174 return NF_DROP;
5175
5176 if (selinux_secmark_enabled())
5177 if (avc_has_perm(sksec->sid, skb->secmark,
5178 SECCLASS_PACKET, PACKET__SEND, &ad))
5179 return NF_DROP_ERR(-ECONNREFUSED);
5180
5181 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5182 return NF_DROP_ERR(-ECONNREFUSED);
5183
5184 return NF_ACCEPT;
5185 }
5186
5187 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5188 const struct net_device *outdev,
5189 u16 family)
5190 {
5191 u32 secmark_perm;
5192 u32 peer_sid;
5193 int ifindex = outdev->ifindex;
5194 struct sock *sk;
5195 struct common_audit_data ad;
5196 struct lsm_network_audit net = {0,};
5197 char *addrp;
5198 u8 secmark_active;
5199 u8 peerlbl_active;
5200
5201 /* If any sort of compatibility mode is enabled then handoff processing
5202 * to the selinux_ip_postroute_compat() function to deal with the
5203 * special handling. We do this in an attempt to keep this function
5204 * as fast and as clean as possible. */
5205 if (!selinux_policycap_netpeer)
5206 return selinux_ip_postroute_compat(skb, ifindex, family);
5207
5208 secmark_active = selinux_secmark_enabled();
5209 peerlbl_active = selinux_peerlbl_enabled();
5210 if (!secmark_active && !peerlbl_active)
5211 return NF_ACCEPT;
5212
5213 sk = skb_to_full_sk(skb);
5214
5215 #ifdef CONFIG_XFRM
5216 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5217 * packet transformation so allow the packet to pass without any checks
5218 * since we'll have another chance to perform access control checks
5219 * when the packet is on it's final way out.
5220 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5221 * is NULL, in this case go ahead and apply access control.
5222 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5223 * TCP listening state we cannot wait until the XFRM processing
5224 * is done as we will miss out on the SA label if we do;
5225 * unfortunately, this means more work, but it is only once per
5226 * connection. */
5227 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5228 !(sk && sk_listener(sk)))
5229 return NF_ACCEPT;
5230 #endif
5231
5232 if (sk == NULL) {
5233 /* Without an associated socket the packet is either coming
5234 * from the kernel or it is being forwarded; check the packet
5235 * to determine which and if the packet is being forwarded
5236 * query the packet directly to determine the security label. */
5237 if (skb->skb_iif) {
5238 secmark_perm = PACKET__FORWARD_OUT;
5239 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5240 return NF_DROP;
5241 } else {
5242 secmark_perm = PACKET__SEND;
5243 peer_sid = SECINITSID_KERNEL;
5244 }
5245 } else if (sk_listener(sk)) {
5246 /* Locally generated packet but the associated socket is in the
5247 * listening state which means this is a SYN-ACK packet. In
5248 * this particular case the correct security label is assigned
5249 * to the connection/request_sock but unfortunately we can't
5250 * query the request_sock as it isn't queued on the parent
5251 * socket until after the SYN-ACK packet is sent; the only
5252 * viable choice is to regenerate the label like we do in
5253 * selinux_inet_conn_request(). See also selinux_ip_output()
5254 * for similar problems. */
5255 u32 skb_sid;
5256 struct sk_security_struct *sksec;
5257
5258 sksec = sk->sk_security;
5259 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5260 return NF_DROP;
5261 /* At this point, if the returned skb peerlbl is SECSID_NULL
5262 * and the packet has been through at least one XFRM
5263 * transformation then we must be dealing with the "final"
5264 * form of labeled IPsec packet; since we've already applied
5265 * all of our access controls on this packet we can safely
5266 * pass the packet. */
5267 if (skb_sid == SECSID_NULL) {
5268 switch (family) {
5269 case PF_INET:
5270 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5271 return NF_ACCEPT;
5272 break;
5273 case PF_INET6:
5274 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5275 return NF_ACCEPT;
5276 break;
5277 default:
5278 return NF_DROP_ERR(-ECONNREFUSED);
5279 }
5280 }
5281 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5282 return NF_DROP;
5283 secmark_perm = PACKET__SEND;
5284 } else {
5285 /* Locally generated packet, fetch the security label from the
5286 * associated socket. */
5287 struct sk_security_struct *sksec = sk->sk_security;
5288 peer_sid = sksec->sid;
5289 secmark_perm = PACKET__SEND;
5290 }
5291
5292 ad.type = LSM_AUDIT_DATA_NET;
5293 ad.u.net = &net;
5294 ad.u.net->netif = ifindex;
5295 ad.u.net->family = family;
5296 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5297 return NF_DROP;
5298
5299 if (secmark_active)
5300 if (avc_has_perm(peer_sid, skb->secmark,
5301 SECCLASS_PACKET, secmark_perm, &ad))
5302 return NF_DROP_ERR(-ECONNREFUSED);
5303
5304 if (peerlbl_active) {
5305 u32 if_sid;
5306 u32 node_sid;
5307
5308 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5309 return NF_DROP;
5310 if (avc_has_perm(peer_sid, if_sid,
5311 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5312 return NF_DROP_ERR(-ECONNREFUSED);
5313
5314 if (sel_netnode_sid(addrp, family, &node_sid))
5315 return NF_DROP;
5316 if (avc_has_perm(peer_sid, node_sid,
5317 SECCLASS_NODE, NODE__SENDTO, &ad))
5318 return NF_DROP_ERR(-ECONNREFUSED);
5319 }
5320
5321 return NF_ACCEPT;
5322 }
5323
5324 static unsigned int selinux_ipv4_postroute(void *priv,
5325 struct sk_buff *skb,
5326 const struct nf_hook_state *state)
5327 {
5328 return selinux_ip_postroute(skb, state->out, PF_INET);
5329 }
5330
5331 #if IS_ENABLED(CONFIG_IPV6)
5332 static unsigned int selinux_ipv6_postroute(void *priv,
5333 struct sk_buff *skb,
5334 const struct nf_hook_state *state)
5335 {
5336 return selinux_ip_postroute(skb, state->out, PF_INET6);
5337 }
5338 #endif /* IPV6 */
5339
5340 #endif /* CONFIG_NETFILTER */
5341
5342 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5343 {
5344 return selinux_nlmsg_perm(sk, skb);
5345 }
5346
5347 static int ipc_alloc_security(struct task_struct *task,
5348 struct kern_ipc_perm *perm,
5349 u16 sclass)
5350 {
5351 struct ipc_security_struct *isec;
5352 u32 sid;
5353
5354 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5355 if (!isec)
5356 return -ENOMEM;
5357
5358 sid = task_sid(task);
5359 isec->sclass = sclass;
5360 isec->sid = sid;
5361 perm->security = isec;
5362
5363 return 0;
5364 }
5365
5366 static void ipc_free_security(struct kern_ipc_perm *perm)
5367 {
5368 struct ipc_security_struct *isec = perm->security;
5369 perm->security = NULL;
5370 kfree(isec);
5371 }
5372
5373 static int msg_msg_alloc_security(struct msg_msg *msg)
5374 {
5375 struct msg_security_struct *msec;
5376
5377 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5378 if (!msec)
5379 return -ENOMEM;
5380
5381 msec->sid = SECINITSID_UNLABELED;
5382 msg->security = msec;
5383
5384 return 0;
5385 }
5386
5387 static void msg_msg_free_security(struct msg_msg *msg)
5388 {
5389 struct msg_security_struct *msec = msg->security;
5390
5391 msg->security = NULL;
5392 kfree(msec);
5393 }
5394
5395 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5396 u32 perms)
5397 {
5398 struct ipc_security_struct *isec;
5399 struct common_audit_data ad;
5400 u32 sid = current_sid();
5401
5402 isec = ipc_perms->security;
5403
5404 ad.type = LSM_AUDIT_DATA_IPC;
5405 ad.u.ipc_id = ipc_perms->key;
5406
5407 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5408 }
5409
5410 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5411 {
5412 return msg_msg_alloc_security(msg);
5413 }
5414
5415 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5416 {
5417 msg_msg_free_security(msg);
5418 }
5419
5420 /* message queue security operations */
5421 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5422 {
5423 struct ipc_security_struct *isec;
5424 struct common_audit_data ad;
5425 u32 sid = current_sid();
5426 int rc;
5427
5428 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5429 if (rc)
5430 return rc;
5431
5432 isec = msq->q_perm.security;
5433
5434 ad.type = LSM_AUDIT_DATA_IPC;
5435 ad.u.ipc_id = msq->q_perm.key;
5436
5437 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5438 MSGQ__CREATE, &ad);
5439 if (rc) {
5440 ipc_free_security(&msq->q_perm);
5441 return rc;
5442 }
5443 return 0;
5444 }
5445
5446 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5447 {
5448 ipc_free_security(&msq->q_perm);
5449 }
5450
5451 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5452 {
5453 struct ipc_security_struct *isec;
5454 struct common_audit_data ad;
5455 u32 sid = current_sid();
5456
5457 isec = msq->q_perm.security;
5458
5459 ad.type = LSM_AUDIT_DATA_IPC;
5460 ad.u.ipc_id = msq->q_perm.key;
5461
5462 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5463 MSGQ__ASSOCIATE, &ad);
5464 }
5465
5466 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5467 {
5468 int err;
5469 int perms;
5470
5471 switch (cmd) {
5472 case IPC_INFO:
5473 case MSG_INFO:
5474 /* No specific object, just general system-wide information. */
5475 return task_has_system(current, SYSTEM__IPC_INFO);
5476 case IPC_STAT:
5477 case MSG_STAT:
5478 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5479 break;
5480 case IPC_SET:
5481 perms = MSGQ__SETATTR;
5482 break;
5483 case IPC_RMID:
5484 perms = MSGQ__DESTROY;
5485 break;
5486 default:
5487 return 0;
5488 }
5489
5490 err = ipc_has_perm(&msq->q_perm, perms);
5491 return err;
5492 }
5493
5494 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5495 {
5496 struct ipc_security_struct *isec;
5497 struct msg_security_struct *msec;
5498 struct common_audit_data ad;
5499 u32 sid = current_sid();
5500 int rc;
5501
5502 isec = msq->q_perm.security;
5503 msec = msg->security;
5504
5505 /*
5506 * First time through, need to assign label to the message
5507 */
5508 if (msec->sid == SECINITSID_UNLABELED) {
5509 /*
5510 * Compute new sid based on current process and
5511 * message queue this message will be stored in
5512 */
5513 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5514 NULL, &msec->sid);
5515 if (rc)
5516 return rc;
5517 }
5518
5519 ad.type = LSM_AUDIT_DATA_IPC;
5520 ad.u.ipc_id = msq->q_perm.key;
5521
5522 /* Can this process write to the queue? */
5523 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5524 MSGQ__WRITE, &ad);
5525 if (!rc)
5526 /* Can this process send the message */
5527 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5528 MSG__SEND, &ad);
5529 if (!rc)
5530 /* Can the message be put in the queue? */
5531 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5532 MSGQ__ENQUEUE, &ad);
5533
5534 return rc;
5535 }
5536
5537 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5538 struct task_struct *target,
5539 long type, int mode)
5540 {
5541 struct ipc_security_struct *isec;
5542 struct msg_security_struct *msec;
5543 struct common_audit_data ad;
5544 u32 sid = task_sid(target);
5545 int rc;
5546
5547 isec = msq->q_perm.security;
5548 msec = msg->security;
5549
5550 ad.type = LSM_AUDIT_DATA_IPC;
5551 ad.u.ipc_id = msq->q_perm.key;
5552
5553 rc = avc_has_perm(sid, isec->sid,
5554 SECCLASS_MSGQ, MSGQ__READ, &ad);
5555 if (!rc)
5556 rc = avc_has_perm(sid, msec->sid,
5557 SECCLASS_MSG, MSG__RECEIVE, &ad);
5558 return rc;
5559 }
5560
5561 /* Shared Memory security operations */
5562 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5563 {
5564 struct ipc_security_struct *isec;
5565 struct common_audit_data ad;
5566 u32 sid = current_sid();
5567 int rc;
5568
5569 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5570 if (rc)
5571 return rc;
5572
5573 isec = shp->shm_perm.security;
5574
5575 ad.type = LSM_AUDIT_DATA_IPC;
5576 ad.u.ipc_id = shp->shm_perm.key;
5577
5578 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5579 SHM__CREATE, &ad);
5580 if (rc) {
5581 ipc_free_security(&shp->shm_perm);
5582 return rc;
5583 }
5584 return 0;
5585 }
5586
5587 static void selinux_shm_free_security(struct shmid_kernel *shp)
5588 {
5589 ipc_free_security(&shp->shm_perm);
5590 }
5591
5592 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5593 {
5594 struct ipc_security_struct *isec;
5595 struct common_audit_data ad;
5596 u32 sid = current_sid();
5597
5598 isec = shp->shm_perm.security;
5599
5600 ad.type = LSM_AUDIT_DATA_IPC;
5601 ad.u.ipc_id = shp->shm_perm.key;
5602
5603 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5604 SHM__ASSOCIATE, &ad);
5605 }
5606
5607 /* Note, at this point, shp is locked down */
5608 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5609 {
5610 int perms;
5611 int err;
5612
5613 switch (cmd) {
5614 case IPC_INFO:
5615 case SHM_INFO:
5616 /* No specific object, just general system-wide information. */
5617 return task_has_system(current, SYSTEM__IPC_INFO);
5618 case IPC_STAT:
5619 case SHM_STAT:
5620 perms = SHM__GETATTR | SHM__ASSOCIATE;
5621 break;
5622 case IPC_SET:
5623 perms = SHM__SETATTR;
5624 break;
5625 case SHM_LOCK:
5626 case SHM_UNLOCK:
5627 perms = SHM__LOCK;
5628 break;
5629 case IPC_RMID:
5630 perms = SHM__DESTROY;
5631 break;
5632 default:
5633 return 0;
5634 }
5635
5636 err = ipc_has_perm(&shp->shm_perm, perms);
5637 return err;
5638 }
5639
5640 static int selinux_shm_shmat(struct shmid_kernel *shp,
5641 char __user *shmaddr, int shmflg)
5642 {
5643 u32 perms;
5644
5645 if (shmflg & SHM_RDONLY)
5646 perms = SHM__READ;
5647 else
5648 perms = SHM__READ | SHM__WRITE;
5649
5650 return ipc_has_perm(&shp->shm_perm, perms);
5651 }
5652
5653 /* Semaphore security operations */
5654 static int selinux_sem_alloc_security(struct sem_array *sma)
5655 {
5656 struct ipc_security_struct *isec;
5657 struct common_audit_data ad;
5658 u32 sid = current_sid();
5659 int rc;
5660
5661 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5662 if (rc)
5663 return rc;
5664
5665 isec = sma->sem_perm.security;
5666
5667 ad.type = LSM_AUDIT_DATA_IPC;
5668 ad.u.ipc_id = sma->sem_perm.key;
5669
5670 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5671 SEM__CREATE, &ad);
5672 if (rc) {
5673 ipc_free_security(&sma->sem_perm);
5674 return rc;
5675 }
5676 return 0;
5677 }
5678
5679 static void selinux_sem_free_security(struct sem_array *sma)
5680 {
5681 ipc_free_security(&sma->sem_perm);
5682 }
5683
5684 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5685 {
5686 struct ipc_security_struct *isec;
5687 struct common_audit_data ad;
5688 u32 sid = current_sid();
5689
5690 isec = sma->sem_perm.security;
5691
5692 ad.type = LSM_AUDIT_DATA_IPC;
5693 ad.u.ipc_id = sma->sem_perm.key;
5694
5695 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5696 SEM__ASSOCIATE, &ad);
5697 }
5698
5699 /* Note, at this point, sma is locked down */
5700 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5701 {
5702 int err;
5703 u32 perms;
5704
5705 switch (cmd) {
5706 case IPC_INFO:
5707 case SEM_INFO:
5708 /* No specific object, just general system-wide information. */
5709 return task_has_system(current, SYSTEM__IPC_INFO);
5710 case GETPID:
5711 case GETNCNT:
5712 case GETZCNT:
5713 perms = SEM__GETATTR;
5714 break;
5715 case GETVAL:
5716 case GETALL:
5717 perms = SEM__READ;
5718 break;
5719 case SETVAL:
5720 case SETALL:
5721 perms = SEM__WRITE;
5722 break;
5723 case IPC_RMID:
5724 perms = SEM__DESTROY;
5725 break;
5726 case IPC_SET:
5727 perms = SEM__SETATTR;
5728 break;
5729 case IPC_STAT:
5730 case SEM_STAT:
5731 perms = SEM__GETATTR | SEM__ASSOCIATE;
5732 break;
5733 default:
5734 return 0;
5735 }
5736
5737 err = ipc_has_perm(&sma->sem_perm, perms);
5738 return err;
5739 }
5740
5741 static int selinux_sem_semop(struct sem_array *sma,
5742 struct sembuf *sops, unsigned nsops, int alter)
5743 {
5744 u32 perms;
5745
5746 if (alter)
5747 perms = SEM__READ | SEM__WRITE;
5748 else
5749 perms = SEM__READ;
5750
5751 return ipc_has_perm(&sma->sem_perm, perms);
5752 }
5753
5754 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5755 {
5756 u32 av = 0;
5757
5758 av = 0;
5759 if (flag & S_IRUGO)
5760 av |= IPC__UNIX_READ;
5761 if (flag & S_IWUGO)
5762 av |= IPC__UNIX_WRITE;
5763
5764 if (av == 0)
5765 return 0;
5766
5767 return ipc_has_perm(ipcp, av);
5768 }
5769
5770 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5771 {
5772 struct ipc_security_struct *isec = ipcp->security;
5773 *secid = isec->sid;
5774 }
5775
5776 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5777 {
5778 if (inode)
5779 inode_doinit_with_dentry(inode, dentry);
5780 }
5781
5782 static int selinux_getprocattr(struct task_struct *p,
5783 char *name, char **value)
5784 {
5785 const struct task_security_struct *__tsec;
5786 u32 sid;
5787 int error;
5788 unsigned len;
5789
5790 if (current != p) {
5791 error = current_has_perm(p, PROCESS__GETATTR);
5792 if (error)
5793 return error;
5794 }
5795
5796 rcu_read_lock();
5797 __tsec = __task_cred(p)->security;
5798
5799 if (!strcmp(name, "current"))
5800 sid = __tsec->sid;
5801 else if (!strcmp(name, "prev"))
5802 sid = __tsec->osid;
5803 else if (!strcmp(name, "exec"))
5804 sid = __tsec->exec_sid;
5805 else if (!strcmp(name, "fscreate"))
5806 sid = __tsec->create_sid;
5807 else if (!strcmp(name, "keycreate"))
5808 sid = __tsec->keycreate_sid;
5809 else if (!strcmp(name, "sockcreate"))
5810 sid = __tsec->sockcreate_sid;
5811 else
5812 goto invalid;
5813 rcu_read_unlock();
5814
5815 if (!sid)
5816 return 0;
5817
5818 error = security_sid_to_context(sid, value, &len);
5819 if (error)
5820 return error;
5821 return len;
5822
5823 invalid:
5824 rcu_read_unlock();
5825 return -EINVAL;
5826 }
5827
5828 static int selinux_setprocattr(struct task_struct *p,
5829 char *name, void *value, size_t size)
5830 {
5831 struct task_security_struct *tsec;
5832 struct cred *new;
5833 u32 sid = 0, ptsid;
5834 int error;
5835 char *str = value;
5836
5837 if (current != p) {
5838 /* SELinux only allows a process to change its own
5839 security attributes. */
5840 return -EACCES;
5841 }
5842
5843 /*
5844 * Basic control over ability to set these attributes at all.
5845 * current == p, but we'll pass them separately in case the
5846 * above restriction is ever removed.
5847 */
5848 if (!strcmp(name, "exec"))
5849 error = current_has_perm(p, PROCESS__SETEXEC);
5850 else if (!strcmp(name, "fscreate"))
5851 error = current_has_perm(p, PROCESS__SETFSCREATE);
5852 else if (!strcmp(name, "keycreate"))
5853 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5854 else if (!strcmp(name, "sockcreate"))
5855 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5856 else if (!strcmp(name, "current"))
5857 error = current_has_perm(p, PROCESS__SETCURRENT);
5858 else
5859 error = -EINVAL;
5860 if (error)
5861 return error;
5862
5863 /* Obtain a SID for the context, if one was specified. */
5864 if (size && str[1] && str[1] != '\n') {
5865 if (str[size-1] == '\n') {
5866 str[size-1] = 0;
5867 size--;
5868 }
5869 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5870 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5871 if (!capable(CAP_MAC_ADMIN)) {
5872 struct audit_buffer *ab;
5873 size_t audit_size;
5874
5875 /* We strip a nul only if it is at the end, otherwise the
5876 * context contains a nul and we should audit that */
5877 if (str[size - 1] == '\0')
5878 audit_size = size - 1;
5879 else
5880 audit_size = size;
5881 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5882 audit_log_format(ab, "op=fscreate invalid_context=");
5883 audit_log_n_untrustedstring(ab, value, audit_size);
5884 audit_log_end(ab);
5885
5886 return error;
5887 }
5888 error = security_context_to_sid_force(value, size,
5889 &sid);
5890 }
5891 if (error)
5892 return error;
5893 }
5894
5895 new = prepare_creds();
5896 if (!new)
5897 return -ENOMEM;
5898
5899 /* Permission checking based on the specified context is
5900 performed during the actual operation (execve,
5901 open/mkdir/...), when we know the full context of the
5902 operation. See selinux_bprm_set_creds for the execve
5903 checks and may_create for the file creation checks. The
5904 operation will then fail if the context is not permitted. */
5905 tsec = new->security;
5906 if (!strcmp(name, "exec")) {
5907 tsec->exec_sid = sid;
5908 } else if (!strcmp(name, "fscreate")) {
5909 tsec->create_sid = sid;
5910 } else if (!strcmp(name, "keycreate")) {
5911 error = may_create_key(sid, p);
5912 if (error)
5913 goto abort_change;
5914 tsec->keycreate_sid = sid;
5915 } else if (!strcmp(name, "sockcreate")) {
5916 tsec->sockcreate_sid = sid;
5917 } else if (!strcmp(name, "current")) {
5918 error = -EINVAL;
5919 if (sid == 0)
5920 goto abort_change;
5921
5922 /* Only allow single threaded processes to change context */
5923 error = -EPERM;
5924 if (!current_is_single_threaded()) {
5925 error = security_bounded_transition(tsec->sid, sid);
5926 if (error)
5927 goto abort_change;
5928 }
5929
5930 /* Check permissions for the transition. */
5931 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5932 PROCESS__DYNTRANSITION, NULL);
5933 if (error)
5934 goto abort_change;
5935
5936 /* Check for ptracing, and update the task SID if ok.
5937 Otherwise, leave SID unchanged and fail. */
5938 ptsid = ptrace_parent_sid(p);
5939 if (ptsid != 0) {
5940 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5941 PROCESS__PTRACE, NULL);
5942 if (error)
5943 goto abort_change;
5944 }
5945
5946 tsec->sid = sid;
5947 } else {
5948 error = -EINVAL;
5949 goto abort_change;
5950 }
5951
5952 commit_creds(new);
5953 return size;
5954
5955 abort_change:
5956 abort_creds(new);
5957 return error;
5958 }
5959
5960 static int selinux_ismaclabel(const char *name)
5961 {
5962 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5963 }
5964
5965 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5966 {
5967 return security_sid_to_context(secid, secdata, seclen);
5968 }
5969
5970 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5971 {
5972 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5973 }
5974
5975 static void selinux_release_secctx(char *secdata, u32 seclen)
5976 {
5977 kfree(secdata);
5978 }
5979
5980 static void selinux_inode_invalidate_secctx(struct inode *inode)
5981 {
5982 struct inode_security_struct *isec = inode->i_security;
5983
5984 mutex_lock(&isec->lock);
5985 isec->initialized = LABEL_INVALID;
5986 mutex_unlock(&isec->lock);
5987 }
5988
5989 /*
5990 * called with inode->i_mutex locked
5991 */
5992 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5993 {
5994 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5995 }
5996
5997 /*
5998 * called with inode->i_mutex locked
5999 */
6000 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6001 {
6002 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6003 }
6004
6005 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6006 {
6007 int len = 0;
6008 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6009 ctx, true);
6010 if (len < 0)
6011 return len;
6012 *ctxlen = len;
6013 return 0;
6014 }
6015 #ifdef CONFIG_KEYS
6016
6017 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6018 unsigned long flags)
6019 {
6020 const struct task_security_struct *tsec;
6021 struct key_security_struct *ksec;
6022
6023 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6024 if (!ksec)
6025 return -ENOMEM;
6026
6027 tsec = cred->security;
6028 if (tsec->keycreate_sid)
6029 ksec->sid = tsec->keycreate_sid;
6030 else
6031 ksec->sid = tsec->sid;
6032
6033 k->security = ksec;
6034 return 0;
6035 }
6036
6037 static void selinux_key_free(struct key *k)
6038 {
6039 struct key_security_struct *ksec = k->security;
6040
6041 k->security = NULL;
6042 kfree(ksec);
6043 }
6044
6045 static int selinux_key_permission(key_ref_t key_ref,
6046 const struct cred *cred,
6047 unsigned perm)
6048 {
6049 struct key *key;
6050 struct key_security_struct *ksec;
6051 u32 sid;
6052
6053 /* if no specific permissions are requested, we skip the
6054 permission check. No serious, additional covert channels
6055 appear to be created. */
6056 if (perm == 0)
6057 return 0;
6058
6059 sid = cred_sid(cred);
6060
6061 key = key_ref_to_ptr(key_ref);
6062 ksec = key->security;
6063
6064 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6065 }
6066
6067 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6068 {
6069 struct key_security_struct *ksec = key->security;
6070 char *context = NULL;
6071 unsigned len;
6072 int rc;
6073
6074 rc = security_sid_to_context(ksec->sid, &context, &len);
6075 if (!rc)
6076 rc = len;
6077 *_buffer = context;
6078 return rc;
6079 }
6080
6081 #endif
6082
6083 static struct security_hook_list selinux_hooks[] = {
6084 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6085 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6086 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6087 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6088
6089 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6090 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6091 LSM_HOOK_INIT(capget, selinux_capget),
6092 LSM_HOOK_INIT(capset, selinux_capset),
6093 LSM_HOOK_INIT(capable, selinux_capable),
6094 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6095 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6096 LSM_HOOK_INIT(syslog, selinux_syslog),
6097 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6098
6099 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6100
6101 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6102 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6103 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6104 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6105
6106 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6107 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6108 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6109 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6110 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6111 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6112 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6113 LSM_HOOK_INIT(sb_mount, selinux_mount),
6114 LSM_HOOK_INIT(sb_umount, selinux_umount),
6115 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6116 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6117 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6118
6119 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6120 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6121
6122 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6123 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6124 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6125 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6126 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6127 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6128 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6129 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6130 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6131 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6132 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6133 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6134 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6135 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6136 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6137 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6138 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6139 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6140 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6141 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6142 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6143 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6144 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6145 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6146 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6147 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6148 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6149
6150 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6151 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6152 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6153 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6154 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6155 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6156 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6157 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6158 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6159 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6160 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6161 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6162
6163 LSM_HOOK_INIT(file_open, selinux_file_open),
6164
6165 LSM_HOOK_INIT(task_create, selinux_task_create),
6166 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6167 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6168 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6169 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6170 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6171 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6172 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6173 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6174 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6175 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6176 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6177 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6178 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6179 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6180 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6181 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6182 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6183 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6184 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6185 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6186 LSM_HOOK_INIT(task_wait, selinux_task_wait),
6187 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6188
6189 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6190 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6191
6192 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6193 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6194
6195 LSM_HOOK_INIT(msg_queue_alloc_security,
6196 selinux_msg_queue_alloc_security),
6197 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6198 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6199 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6200 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6201 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6202
6203 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6204 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6205 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6206 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6207 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6208
6209 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6210 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6211 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6212 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6213 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6214
6215 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6216
6217 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6218 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6219
6220 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6221 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6222 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6223 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6224 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6225 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6226 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6227 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6228
6229 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6230 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6231
6232 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6233 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6234 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6235 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6236 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6237 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6238 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6239 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6240 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6241 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6242 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6243 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6244 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6245 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6246 LSM_HOOK_INIT(socket_getpeersec_stream,
6247 selinux_socket_getpeersec_stream),
6248 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6249 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6250 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6251 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6252 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6253 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6254 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6255 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6256 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6257 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6258 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6259 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6260 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6261 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6262 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6263 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6264 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6265 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6266 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6267
6268 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6269 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6270 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6271 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6272 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6273 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6274 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6275 selinux_xfrm_state_alloc_acquire),
6276 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6277 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6278 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6279 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6280 selinux_xfrm_state_pol_flow_match),
6281 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6282 #endif
6283
6284 #ifdef CONFIG_KEYS
6285 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6286 LSM_HOOK_INIT(key_free, selinux_key_free),
6287 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6288 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6289 #endif
6290
6291 #ifdef CONFIG_AUDIT
6292 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6293 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6294 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6295 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6296 #endif
6297 };
6298
6299 static __init int selinux_init(void)
6300 {
6301 if (!security_module_enable("selinux")) {
6302 selinux_enabled = 0;
6303 return 0;
6304 }
6305
6306 if (!selinux_enabled) {
6307 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6308 return 0;
6309 }
6310
6311 printk(KERN_INFO "SELinux: Initializing.\n");
6312
6313 /* Set the security state for the initial task. */
6314 cred_init_security();
6315
6316 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6317
6318 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6319 sizeof(struct inode_security_struct),
6320 0, SLAB_PANIC, NULL);
6321 file_security_cache = kmem_cache_create("selinux_file_security",
6322 sizeof(struct file_security_struct),
6323 0, SLAB_PANIC, NULL);
6324 avc_init();
6325
6326 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6327
6328 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6329 panic("SELinux: Unable to register AVC netcache callback\n");
6330
6331 if (selinux_enforcing)
6332 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6333 else
6334 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6335
6336 return 0;
6337 }
6338
6339 static void delayed_superblock_init(struct super_block *sb, void *unused)
6340 {
6341 superblock_doinit(sb, NULL);
6342 }
6343
6344 void selinux_complete_init(void)
6345 {
6346 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6347
6348 /* Set up any superblocks initialized prior to the policy load. */
6349 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6350 iterate_supers(delayed_superblock_init, NULL);
6351 }
6352
6353 /* SELinux requires early initialization in order to label
6354 all processes and objects when they are created. */
6355 security_initcall(selinux_init);
6356
6357 #if defined(CONFIG_NETFILTER)
6358
6359 static struct nf_hook_ops selinux_nf_ops[] = {
6360 {
6361 .hook = selinux_ipv4_postroute,
6362 .pf = NFPROTO_IPV4,
6363 .hooknum = NF_INET_POST_ROUTING,
6364 .priority = NF_IP_PRI_SELINUX_LAST,
6365 },
6366 {
6367 .hook = selinux_ipv4_forward,
6368 .pf = NFPROTO_IPV4,
6369 .hooknum = NF_INET_FORWARD,
6370 .priority = NF_IP_PRI_SELINUX_FIRST,
6371 },
6372 {
6373 .hook = selinux_ipv4_output,
6374 .pf = NFPROTO_IPV4,
6375 .hooknum = NF_INET_LOCAL_OUT,
6376 .priority = NF_IP_PRI_SELINUX_FIRST,
6377 },
6378 #if IS_ENABLED(CONFIG_IPV6)
6379 {
6380 .hook = selinux_ipv6_postroute,
6381 .pf = NFPROTO_IPV6,
6382 .hooknum = NF_INET_POST_ROUTING,
6383 .priority = NF_IP6_PRI_SELINUX_LAST,
6384 },
6385 {
6386 .hook = selinux_ipv6_forward,
6387 .pf = NFPROTO_IPV6,
6388 .hooknum = NF_INET_FORWARD,
6389 .priority = NF_IP6_PRI_SELINUX_FIRST,
6390 },
6391 {
6392 .hook = selinux_ipv6_output,
6393 .pf = NFPROTO_IPV6,
6394 .hooknum = NF_INET_LOCAL_OUT,
6395 .priority = NF_IP6_PRI_SELINUX_FIRST,
6396 },
6397 #endif /* IPV6 */
6398 };
6399
6400 static int __init selinux_nf_ip_init(void)
6401 {
6402 int err;
6403
6404 if (!selinux_enabled)
6405 return 0;
6406
6407 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6408
6409 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6410 if (err)
6411 panic("SELinux: nf_register_hooks: error %d\n", err);
6412
6413 return 0;
6414 }
6415
6416 __initcall(selinux_nf_ip_init);
6417
6418 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6419 static void selinux_nf_ip_exit(void)
6420 {
6421 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6422
6423 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6424 }
6425 #endif
6426
6427 #else /* CONFIG_NETFILTER */
6428
6429 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6430 #define selinux_nf_ip_exit()
6431 #endif
6432
6433 #endif /* CONFIG_NETFILTER */
6434
6435 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6436 static int selinux_disabled;
6437
6438 int selinux_disable(void)
6439 {
6440 if (ss_initialized) {
6441 /* Not permitted after initial policy load. */
6442 return -EINVAL;
6443 }
6444
6445 if (selinux_disabled) {
6446 /* Only do this once. */
6447 return -EINVAL;
6448 }
6449
6450 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6451
6452 selinux_disabled = 1;
6453 selinux_enabled = 0;
6454
6455 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6456
6457 /* Try to destroy the avc node cache */
6458 avc_disable();
6459
6460 /* Unregister netfilter hooks. */
6461 selinux_nf_ip_exit();
6462
6463 /* Unregister selinuxfs. */
6464 exit_sel_fs();
6465
6466 return 0;
6467 }
6468 #endif
ubuntu-zesty-kernel mirror