]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
UBUNTU: SAUCE: LSM stacking: LSM: General stacking
[mirror_ubuntu-bionic-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89
90 #include "avc.h"
91 #include "objsec.h"
92 #include "netif.h"
93 #include "netnode.h"
94 #include "netport.h"
95 #include "ibpkey.h"
96 #include "xfrm.h"
97 #include "netlabel.h"
98 #include "audit.h"
99 #include "avc_ss.h"
100
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
106
107 static int __init enforcing_setup(char *str)
108 {
109 unsigned long enforcing;
110 if (!kstrtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0;
112 return 1;
113 }
114 __setup("enforcing=", enforcing_setup);
115 #endif
116
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119
120 static int __init selinux_enabled_setup(char *str)
121 {
122 unsigned long enabled;
123 if (!kstrtoul(str, 0, &enabled))
124 selinux_enabled = enabled ? 1 : 0;
125 return 1;
126 }
127 __setup("selinux=", selinux_enabled_setup);
128 #else
129 int selinux_enabled = 1;
130 #endif
131
132 /**
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
134 *
135 * Description:
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
139 * enabled, false (0) if SECMARK is disabled. If the always_check_network
140 * policy capability is enabled, SECMARK is always considered enabled.
141 *
142 */
143 static int selinux_secmark_enabled(void)
144 {
145 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
146 }
147
148 /**
149 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
150 *
151 * Description:
152 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
153 * (1) if any are enabled or false (0) if neither are enabled. If the
154 * always_check_network policy capability is enabled, peer labeling
155 * is always considered enabled.
156 *
157 */
158 static int selinux_peerlbl_enabled(void)
159 {
160 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
161 }
162
163 static int selinux_netcache_avc_callback(u32 event)
164 {
165 if (event == AVC_CALLBACK_RESET) {
166 sel_netif_flush();
167 sel_netnode_flush();
168 sel_netport_flush();
169 synchronize_net();
170 }
171 return 0;
172 }
173
174 static int selinux_lsm_notifier_avc_callback(u32 event)
175 {
176 if (event == AVC_CALLBACK_RESET) {
177 sel_ib_pkey_flush();
178 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
179 }
180
181 return 0;
182 }
183
184 /*
185 * initialise the security for the init task
186 */
187 static void cred_init_security(void)
188 {
189 struct cred *cred = (struct cred *) current->real_cred;
190 struct task_security_struct *tsec;
191
192 lsm_early_cred(cred);
193 tsec = selinux_cred(cred);
194 tsec->osid = tsec->sid = SECINITSID_KERNEL;
195 }
196
197 /*
198 * get the security ID of a set of credentials
199 */
200 static inline u32 cred_sid(const struct cred *cred)
201 {
202 const struct task_security_struct *tsec;
203
204 tsec = selinux_cred(cred);
205 return tsec->sid;
206 }
207
208 /*
209 * get the objective security ID of a task
210 */
211 static inline u32 task_sid(const struct task_struct *task)
212 {
213 u32 sid;
214
215 rcu_read_lock();
216 sid = cred_sid(__task_cred(task));
217 rcu_read_unlock();
218 return sid;
219 }
220
221 /* Allocate and free functions for each kind of security blob. */
222
223 static int inode_alloc_security(struct inode *inode)
224 {
225 struct inode_security_struct *isec = selinux_inode(inode);
226 u32 sid = current_sid();
227
228 spin_lock_init(&isec->lock);
229 INIT_LIST_HEAD(&isec->list);
230 isec->inode = inode;
231 isec->sid = SECINITSID_UNLABELED;
232 isec->sclass = SECCLASS_FILE;
233 isec->task_sid = sid;
234 isec->initialized = LABEL_INVALID;
235
236 return 0;
237 }
238
239 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
240
241 /*
242 * Try reloading inode security labels that have been marked as invalid. The
243 * @may_sleep parameter indicates when sleeping and thus reloading labels is
244 * allowed; when set to false, returns -ECHILD when the label is
245 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
246 * when no dentry is available, set it to NULL instead.
247 */
248 static int __inode_security_revalidate(struct inode *inode,
249 struct dentry *opt_dentry,
250 bool may_sleep)
251 {
252 struct inode_security_struct *isec = selinux_inode(inode);
253
254 might_sleep_if(may_sleep);
255
256 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
257 if (!may_sleep)
258 return -ECHILD;
259
260 /*
261 * Try reloading the inode security label. This will fail if
262 * @opt_dentry is NULL and no dentry for this inode can be
263 * found; in that case, continue using the old label.
264 */
265 inode_doinit_with_dentry(inode, opt_dentry);
266 }
267 return 0;
268 }
269
270 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
271 {
272 return selinux_inode(inode);
273 }
274
275 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
276 {
277 int error;
278
279 error = __inode_security_revalidate(inode, NULL, !rcu);
280 if (error)
281 return ERR_PTR(error);
282 return selinux_inode(inode);
283 }
284
285 /*
286 * Get the security label of an inode.
287 */
288 static struct inode_security_struct *inode_security(struct inode *inode)
289 {
290 __inode_security_revalidate(inode, NULL, true);
291 return selinux_inode(inode);
292 }
293
294 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
295 {
296 struct inode *inode = d_backing_inode(dentry);
297
298 return selinux_inode(inode);
299 }
300
301 /*
302 * Get the security label of a dentry's backing inode.
303 */
304 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
305 {
306 struct inode *inode = d_backing_inode(dentry);
307
308 __inode_security_revalidate(inode, dentry, true);
309 return selinux_inode(inode);
310 }
311
312 static void inode_free_security(struct inode *inode)
313 {
314 struct inode_security_struct *isec = selinux_inode(inode);
315 struct superblock_security_struct *sbsec =
316 selinux_superblock(inode->i_sb);
317
318 /*
319 * As not all inode security structures are in a list, we check for
320 * empty list outside of the lock to make sure that we won't waste
321 * time taking a lock doing nothing.
322 *
323 * The list_del_init() function can be safely called more than once.
324 * It should not be possible for this function to be called with
325 * concurrent list_add(), but for better safety against future changes
326 * in the code, we use list_empty_careful() here.
327 */
328 if (!list_empty_careful(&isec->list)) {
329 spin_lock(&sbsec->isec_lock);
330 list_del_init(&isec->list);
331 spin_unlock(&sbsec->isec_lock);
332 }
333 }
334
335 static int file_alloc_security(struct file *file)
336 {
337 struct file_security_struct *fsec = selinux_file(file);
338 u32 sid = current_sid();
339
340 fsec->sid = sid;
341 fsec->fown_sid = sid;
342
343 return 0;
344 }
345
346 static int superblock_alloc_security(struct super_block *sb)
347 {
348 struct superblock_security_struct *sbsec = selinux_superblock(sb);
349
350 mutex_init(&sbsec->lock);
351 INIT_LIST_HEAD(&sbsec->isec_head);
352 spin_lock_init(&sbsec->isec_lock);
353 sbsec->sb = sb;
354 sbsec->sid = SECINITSID_UNLABELED;
355 sbsec->def_sid = SECINITSID_FILE;
356 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
357
358 return 0;
359 }
360
361 static inline int inode_doinit(struct inode *inode)
362 {
363 return inode_doinit_with_dentry(inode, NULL);
364 }
365
366 enum {
367 Opt_error = -1,
368 Opt_context = 1,
369 Opt_fscontext = 2,
370 Opt_defcontext = 3,
371 Opt_rootcontext = 4,
372 Opt_labelsupport = 5,
373 Opt_nextmntopt = 6,
374 };
375
376 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
377
378 static const match_table_t tokens = {
379 {Opt_context, CONTEXT_STR "%s"},
380 {Opt_fscontext, FSCONTEXT_STR "%s"},
381 {Opt_defcontext, DEFCONTEXT_STR "%s"},
382 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
383 {Opt_labelsupport, LABELSUPP_STR},
384 {Opt_error, NULL},
385 };
386
387 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
388
389 static int may_context_mount_sb_relabel(u32 sid,
390 struct superblock_security_struct *sbsec,
391 const struct cred *cred)
392 {
393 const struct task_security_struct *tsec = selinux_cred(cred);
394 int rc;
395
396 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__RELABELFROM, NULL);
398 if (rc)
399 return rc;
400
401 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
402 FILESYSTEM__RELABELTO, NULL);
403 return rc;
404 }
405
406 static int may_context_mount_inode_relabel(u32 sid,
407 struct superblock_security_struct *sbsec,
408 const struct cred *cred)
409 {
410 const struct task_security_struct *tsec = selinux_cred(cred);
411 int rc;
412 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
413 FILESYSTEM__RELABELFROM, NULL);
414 if (rc)
415 return rc;
416
417 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
418 FILESYSTEM__ASSOCIATE, NULL);
419 return rc;
420 }
421
422 static int selinux_is_sblabel_mnt(struct super_block *sb)
423 {
424 struct superblock_security_struct *sbsec = selinux_superblock(sb);
425
426 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
427 sbsec->behavior == SECURITY_FS_USE_TRANS ||
428 sbsec->behavior == SECURITY_FS_USE_TASK ||
429 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
430 /* Special handling. Genfs but also in-core setxattr handler */
431 !strcmp(sb->s_type->name, "sysfs") ||
432 !strcmp(sb->s_type->name, "pstore") ||
433 !strcmp(sb->s_type->name, "debugfs") ||
434 !strcmp(sb->s_type->name, "tracefs") ||
435 !strcmp(sb->s_type->name, "rootfs") ||
436 (selinux_policycap_cgroupseclabel &&
437 (!strcmp(sb->s_type->name, "cgroup") ||
438 !strcmp(sb->s_type->name, "cgroup2")));
439 }
440
441 static int sb_finish_set_opts(struct super_block *sb)
442 {
443 struct superblock_security_struct *sbsec = selinux_superblock(sb);
444 struct dentry *root = sb->s_root;
445 struct inode *root_inode = d_backing_inode(root);
446 int rc = 0;
447
448 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
449 /* Make sure that the xattr handler exists and that no
450 error other than -ENODATA is returned by getxattr on
451 the root directory. -ENODATA is ok, as this may be
452 the first boot of the SELinux kernel before we have
453 assigned xattr values to the filesystem. */
454 if (!(root_inode->i_opflags & IOP_XATTR)) {
455 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
456 "xattr support\n", sb->s_id, sb->s_type->name);
457 rc = -EOPNOTSUPP;
458 goto out;
459 }
460
461 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
462 if (rc < 0 && rc != -ENODATA) {
463 if (rc == -EOPNOTSUPP)
464 printk(KERN_WARNING "SELinux: (dev %s, type "
465 "%s) has no security xattr handler\n",
466 sb->s_id, sb->s_type->name);
467 else
468 printk(KERN_WARNING "SELinux: (dev %s, type "
469 "%s) getxattr errno %d\n", sb->s_id,
470 sb->s_type->name, -rc);
471 goto out;
472 }
473 }
474
475 sbsec->flags |= SE_SBINITIALIZED;
476
477 /*
478 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
479 * leave the flag untouched because sb_clone_mnt_opts might be handing
480 * us a superblock that needs the flag to be cleared.
481 */
482 if (selinux_is_sblabel_mnt(sb))
483 sbsec->flags |= SBLABEL_MNT;
484 else
485 sbsec->flags &= ~SBLABEL_MNT;
486
487 /* Initialize the root inode. */
488 rc = inode_doinit_with_dentry(root_inode, root);
489
490 /* Initialize any other inodes associated with the superblock, e.g.
491 inodes created prior to initial policy load or inodes created
492 during get_sb by a pseudo filesystem that directly
493 populates itself. */
494 spin_lock(&sbsec->isec_lock);
495 next_inode:
496 if (!list_empty(&sbsec->isec_head)) {
497 struct inode_security_struct *isec =
498 list_entry(sbsec->isec_head.next,
499 struct inode_security_struct, list);
500 struct inode *inode = isec->inode;
501 list_del_init(&isec->list);
502 spin_unlock(&sbsec->isec_lock);
503 inode = igrab(inode);
504 if (inode) {
505 if (!IS_PRIVATE(inode))
506 inode_doinit(inode);
507 iput(inode);
508 }
509 spin_lock(&sbsec->isec_lock);
510 goto next_inode;
511 }
512 spin_unlock(&sbsec->isec_lock);
513 out:
514 return rc;
515 }
516
517 /*
518 * This function should allow an FS to ask what it's mount security
519 * options were so it can use those later for submounts, displaying
520 * mount options, or whatever.
521 */
522 static int selinux_get_mnt_opts(const struct super_block *sb,
523 struct security_mnt_opts *opts)
524 {
525 int rc = 0, i;
526 struct superblock_security_struct *sbsec = selinux_superblock(sb);
527 char *context = NULL;
528 u32 len;
529 char tmp;
530
531 security_init_mnt_opts(opts);
532
533 if (!(sbsec->flags & SE_SBINITIALIZED))
534 return -EINVAL;
535
536 if (!ss_initialized)
537 return -EINVAL;
538
539 /* make sure we always check enough bits to cover the mask */
540 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
541
542 tmp = sbsec->flags & SE_MNTMASK;
543 /* count the number of mount options for this sb */
544 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
545 if (tmp & 0x01)
546 opts->num_mnt_opts++;
547 tmp >>= 1;
548 }
549 /* Check if the Label support flag is set */
550 if (sbsec->flags & SBLABEL_MNT)
551 opts->num_mnt_opts++;
552
553 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
554 if (!opts->mnt_opts) {
555 rc = -ENOMEM;
556 goto out_free;
557 }
558
559 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
560 if (!opts->mnt_opts_flags) {
561 rc = -ENOMEM;
562 goto out_free;
563 }
564
565 i = 0;
566 if (sbsec->flags & FSCONTEXT_MNT) {
567 rc = security_sid_to_context(sbsec->sid, &context, &len);
568 if (rc)
569 goto out_free;
570 opts->mnt_opts[i] = context;
571 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
572 }
573 if (sbsec->flags & CONTEXT_MNT) {
574 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
575 if (rc)
576 goto out_free;
577 opts->mnt_opts[i] = context;
578 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
579 }
580 if (sbsec->flags & DEFCONTEXT_MNT) {
581 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
582 if (rc)
583 goto out_free;
584 opts->mnt_opts[i] = context;
585 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
586 }
587 if (sbsec->flags & ROOTCONTEXT_MNT) {
588 struct dentry *root = sbsec->sb->s_root;
589 struct inode_security_struct *isec =
590 backing_inode_security(root);
591
592 rc = security_sid_to_context(isec->sid, &context, &len);
593 if (rc)
594 goto out_free;
595 opts->mnt_opts[i] = context;
596 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
597 }
598 if (sbsec->flags & SBLABEL_MNT) {
599 opts->mnt_opts[i] = NULL;
600 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
601 }
602
603 BUG_ON(i != opts->num_mnt_opts);
604
605 return 0;
606
607 out_free:
608 security_free_mnt_opts(opts);
609 return rc;
610 }
611
612 static int bad_option(struct superblock_security_struct *sbsec, char flag,
613 u32 old_sid, u32 new_sid)
614 {
615 char mnt_flags = sbsec->flags & SE_MNTMASK;
616
617 /* check if the old mount command had the same options */
618 if (sbsec->flags & SE_SBINITIALIZED)
619 if (!(sbsec->flags & flag) ||
620 (old_sid != new_sid))
621 return 1;
622
623 /* check if we were passed the same options twice,
624 * aka someone passed context=a,context=b
625 */
626 if (!(sbsec->flags & SE_SBINITIALIZED))
627 if (mnt_flags & flag)
628 return 1;
629 return 0;
630 }
631
632 /*
633 * Allow filesystems with binary mount data to explicitly set mount point
634 * labeling information.
635 */
636 static int selinux_set_mnt_opts(struct super_block *sb,
637 struct security_mnt_opts *opts,
638 unsigned long kern_flags,
639 unsigned long *set_kern_flags)
640 {
641 const struct cred *cred = current_cred();
642 int rc = 0, i;
643 struct superblock_security_struct *sbsec = selinux_superblock(sb);
644 const char *name = sb->s_type->name;
645 struct dentry *root = sbsec->sb->s_root;
646 struct inode_security_struct *root_isec;
647 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
648 u32 defcontext_sid = 0;
649 char **mount_options = opts->mnt_opts;
650 int *flags = opts->mnt_opts_flags;
651 int num_opts = opts->num_mnt_opts;
652
653 mutex_lock(&sbsec->lock);
654
655 if (!ss_initialized) {
656 if (!num_opts) {
657 /* Defer initialization until selinux_complete_init,
658 after the initial policy is loaded and the security
659 server is ready to handle calls. */
660 goto out;
661 }
662 rc = -EINVAL;
663 printk(KERN_WARNING "SELinux: Unable to set superblock options "
664 "before the security server is initialized\n");
665 goto out;
666 }
667 if (kern_flags && !set_kern_flags) {
668 /* Specifying internal flags without providing a place to
669 * place the results is not allowed */
670 rc = -EINVAL;
671 goto out;
672 }
673
674 /*
675 * Binary mount data FS will come through this function twice. Once
676 * from an explicit call and once from the generic calls from the vfs.
677 * Since the generic VFS calls will not contain any security mount data
678 * we need to skip the double mount verification.
679 *
680 * This does open a hole in which we will not notice if the first
681 * mount using this sb set explict options and a second mount using
682 * this sb does not set any security options. (The first options
683 * will be used for both mounts)
684 */
685 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
686 && (num_opts == 0))
687 goto out;
688
689 root_isec = backing_inode_security_novalidate(root);
690
691 /*
692 * parse the mount options, check if they are valid sids.
693 * also check if someone is trying to mount the same sb more
694 * than once with different security options.
695 */
696 for (i = 0; i < num_opts; i++) {
697 u32 sid;
698
699 if (flags[i] == SBLABEL_MNT)
700 continue;
701 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
702 if (rc) {
703 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
704 "(%s) failed for (dev %s, type %s) errno=%d\n",
705 mount_options[i], sb->s_id, name, rc);
706 goto out;
707 }
708 switch (flags[i]) {
709 case FSCONTEXT_MNT:
710 fscontext_sid = sid;
711
712 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
713 fscontext_sid))
714 goto out_double_mount;
715
716 sbsec->flags |= FSCONTEXT_MNT;
717 break;
718 case CONTEXT_MNT:
719 context_sid = sid;
720
721 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
722 context_sid))
723 goto out_double_mount;
724
725 sbsec->flags |= CONTEXT_MNT;
726 break;
727 case ROOTCONTEXT_MNT:
728 rootcontext_sid = sid;
729
730 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
731 rootcontext_sid))
732 goto out_double_mount;
733
734 sbsec->flags |= ROOTCONTEXT_MNT;
735
736 break;
737 case DEFCONTEXT_MNT:
738 defcontext_sid = sid;
739
740 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
741 defcontext_sid))
742 goto out_double_mount;
743
744 sbsec->flags |= DEFCONTEXT_MNT;
745
746 break;
747 default:
748 rc = -EINVAL;
749 goto out;
750 }
751 }
752
753 if (sbsec->flags & SE_SBINITIALIZED) {
754 /* previously mounted with options, but not on this attempt? */
755 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
756 goto out_double_mount;
757 rc = 0;
758 goto out;
759 }
760
761 if (strcmp(sb->s_type->name, "proc") == 0)
762 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
763
764 if (!strcmp(sb->s_type->name, "debugfs") ||
765 !strcmp(sb->s_type->name, "tracefs") ||
766 !strcmp(sb->s_type->name, "sysfs") ||
767 !strcmp(sb->s_type->name, "pstore") ||
768 !strcmp(sb->s_type->name, "cgroup") ||
769 !strcmp(sb->s_type->name, "cgroup2"))
770 sbsec->flags |= SE_SBGENFS;
771
772 if (!sbsec->behavior) {
773 /*
774 * Determine the labeling behavior to use for this
775 * filesystem type.
776 */
777 rc = security_fs_use(sb);
778 if (rc) {
779 printk(KERN_WARNING
780 "%s: security_fs_use(%s) returned %d\n",
781 __func__, sb->s_type->name, rc);
782 goto out;
783 }
784 }
785
786 /*
787 * If this is a user namespace mount and the filesystem type is not
788 * explicitly whitelisted, then no contexts are allowed on the command
789 * line and security labels must be ignored.
790 */
791 if (sb->s_user_ns != &init_user_ns &&
792 strcmp(sb->s_type->name, "tmpfs") &&
793 strcmp(sb->s_type->name, "ramfs") &&
794 strcmp(sb->s_type->name, "devpts")) {
795 if (context_sid || fscontext_sid || rootcontext_sid ||
796 defcontext_sid) {
797 rc = -EACCES;
798 goto out;
799 }
800 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
801 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
802 rc = security_transition_sid(current_sid(), current_sid(),
803 SECCLASS_FILE, NULL,
804 &sbsec->mntpoint_sid);
805 if (rc)
806 goto out;
807 }
808 goto out_set_opts;
809 }
810
811 /* sets the context of the superblock for the fs being mounted. */
812 if (fscontext_sid) {
813 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
814 if (rc)
815 goto out;
816
817 sbsec->sid = fscontext_sid;
818 }
819
820 /*
821 * Switch to using mount point labeling behavior.
822 * sets the label used on all file below the mountpoint, and will set
823 * the superblock context if not already set.
824 */
825 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
826 sbsec->behavior = SECURITY_FS_USE_NATIVE;
827 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
828 }
829
830 if (context_sid) {
831 if (!fscontext_sid) {
832 rc = may_context_mount_sb_relabel(context_sid, sbsec,
833 cred);
834 if (rc)
835 goto out;
836 sbsec->sid = context_sid;
837 } else {
838 rc = may_context_mount_inode_relabel(context_sid, sbsec,
839 cred);
840 if (rc)
841 goto out;
842 }
843 if (!rootcontext_sid)
844 rootcontext_sid = context_sid;
845
846 sbsec->mntpoint_sid = context_sid;
847 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
848 }
849
850 if (rootcontext_sid) {
851 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
852 cred);
853 if (rc)
854 goto out;
855
856 root_isec->sid = rootcontext_sid;
857 root_isec->initialized = LABEL_INITIALIZED;
858 }
859
860 if (defcontext_sid) {
861 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
862 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
863 rc = -EINVAL;
864 printk(KERN_WARNING "SELinux: defcontext option is "
865 "invalid for this filesystem type\n");
866 goto out;
867 }
868
869 if (defcontext_sid != sbsec->def_sid) {
870 rc = may_context_mount_inode_relabel(defcontext_sid,
871 sbsec, cred);
872 if (rc)
873 goto out;
874 }
875
876 sbsec->def_sid = defcontext_sid;
877 }
878
879 out_set_opts:
880 rc = sb_finish_set_opts(sb);
881 out:
882 mutex_unlock(&sbsec->lock);
883 return rc;
884 out_double_mount:
885 rc = -EINVAL;
886 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
887 "security settings for (dev %s, type %s)\n", sb->s_id, name);
888 goto out;
889 }
890
891 static int selinux_cmp_sb_context(const struct super_block *oldsb,
892 const struct super_block *newsb)
893 {
894 struct superblock_security_struct *old = selinux_superblock(oldsb);
895 struct superblock_security_struct *new = selinux_superblock(newsb);
896 char oldflags = old->flags & SE_MNTMASK;
897 char newflags = new->flags & SE_MNTMASK;
898
899 if (oldflags != newflags)
900 goto mismatch;
901 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
902 goto mismatch;
903 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
904 goto mismatch;
905 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
906 goto mismatch;
907 if (oldflags & ROOTCONTEXT_MNT) {
908 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
909 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
910 if (oldroot->sid != newroot->sid)
911 goto mismatch;
912 }
913 return 0;
914 mismatch:
915 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
916 "different security settings for (dev %s, "
917 "type %s)\n", newsb->s_id, newsb->s_type->name);
918 return -EBUSY;
919 }
920
921 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
922 struct super_block *newsb,
923 unsigned long kern_flags,
924 unsigned long *set_kern_flags)
925 {
926 int rc = 0;
927 const struct superblock_security_struct *oldsbsec =
928 selinux_superblock(oldsb);
929 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
930
931 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
932 int set_context = (oldsbsec->flags & CONTEXT_MNT);
933 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
934
935 /*
936 * if the parent was able to be mounted it clearly had no special lsm
937 * mount options. thus we can safely deal with this superblock later
938 */
939 if (!ss_initialized)
940 return 0;
941
942 /*
943 * Specifying internal flags without providing a place to
944 * place the results is not allowed.
945 */
946 if (kern_flags && !set_kern_flags)
947 return -EINVAL;
948
949 /* how can we clone if the old one wasn't set up?? */
950 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
951
952 /* if fs is reusing a sb, make sure that the contexts match */
953 if (newsbsec->flags & SE_SBINITIALIZED)
954 return selinux_cmp_sb_context(oldsb, newsb);
955
956 mutex_lock(&newsbsec->lock);
957
958 newsbsec->flags = oldsbsec->flags;
959
960 newsbsec->sid = oldsbsec->sid;
961 newsbsec->def_sid = oldsbsec->def_sid;
962 newsbsec->behavior = oldsbsec->behavior;
963
964 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
965 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
966 rc = security_fs_use(newsb);
967 if (rc)
968 goto out;
969 }
970
971 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
972 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
973 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
974 }
975
976 if (set_context) {
977 u32 sid = oldsbsec->mntpoint_sid;
978
979 if (!set_fscontext)
980 newsbsec->sid = sid;
981 if (!set_rootcontext) {
982 struct inode_security_struct *newisec =
983 backing_inode_security(newsb->s_root);
984 newisec->sid = sid;
985 }
986 newsbsec->mntpoint_sid = sid;
987 }
988 if (set_rootcontext) {
989 const struct inode_security_struct *oldisec =
990 backing_inode_security(oldsb->s_root);
991 struct inode_security_struct *newisec =
992 backing_inode_security(newsb->s_root);
993
994 newisec->sid = oldisec->sid;
995 }
996
997 sb_finish_set_opts(newsb);
998 out:
999 mutex_unlock(&newsbsec->lock);
1000 return rc;
1001 }
1002
1003 static int selinux_parse_opts_str(char *options,
1004 struct security_mnt_opts *opts)
1005 {
1006 char *p;
1007 char *context = NULL, *defcontext = NULL;
1008 char *fscontext = NULL, *rootcontext = NULL;
1009 int rc, num_mnt_opts = 0;
1010
1011 opts->num_mnt_opts = 0;
1012
1013 /* Standard string-based options. */
1014 while ((p = strsep(&options, "|")) != NULL) {
1015 int token;
1016 substring_t args[MAX_OPT_ARGS];
1017
1018 if (!*p)
1019 continue;
1020
1021 token = match_token(p, tokens, args);
1022
1023 switch (token) {
1024 case Opt_context:
1025 if (context || defcontext) {
1026 rc = -EINVAL;
1027 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1028 goto out_err;
1029 }
1030 context = match_strdup(&args[0]);
1031 if (!context) {
1032 rc = -ENOMEM;
1033 goto out_err;
1034 }
1035 break;
1036
1037 case Opt_fscontext:
1038 if (fscontext) {
1039 rc = -EINVAL;
1040 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1041 goto out_err;
1042 }
1043 fscontext = match_strdup(&args[0]);
1044 if (!fscontext) {
1045 rc = -ENOMEM;
1046 goto out_err;
1047 }
1048 break;
1049
1050 case Opt_rootcontext:
1051 if (rootcontext) {
1052 rc = -EINVAL;
1053 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1054 goto out_err;
1055 }
1056 rootcontext = match_strdup(&args[0]);
1057 if (!rootcontext) {
1058 rc = -ENOMEM;
1059 goto out_err;
1060 }
1061 break;
1062
1063 case Opt_defcontext:
1064 if (context || defcontext) {
1065 rc = -EINVAL;
1066 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1067 goto out_err;
1068 }
1069 defcontext = match_strdup(&args[0]);
1070 if (!defcontext) {
1071 rc = -ENOMEM;
1072 goto out_err;
1073 }
1074 break;
1075 case Opt_labelsupport:
1076 break;
1077 default:
1078 rc = -EINVAL;
1079 printk(KERN_WARNING "SELinux: unknown mount option\n");
1080 goto out_err;
1081
1082 }
1083 }
1084
1085 rc = -ENOMEM;
1086 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1087 if (!opts->mnt_opts)
1088 goto out_err;
1089
1090 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1091 GFP_KERNEL);
1092 if (!opts->mnt_opts_flags)
1093 goto out_err;
1094
1095 if (fscontext) {
1096 opts->mnt_opts[num_mnt_opts] = fscontext;
1097 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1098 }
1099 if (context) {
1100 opts->mnt_opts[num_mnt_opts] = context;
1101 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1102 }
1103 if (rootcontext) {
1104 opts->mnt_opts[num_mnt_opts] = rootcontext;
1105 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1106 }
1107 if (defcontext) {
1108 opts->mnt_opts[num_mnt_opts] = defcontext;
1109 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1110 }
1111
1112 opts->num_mnt_opts = num_mnt_opts;
1113 return 0;
1114
1115 out_err:
1116 security_free_mnt_opts(opts);
1117 kfree(context);
1118 kfree(defcontext);
1119 kfree(fscontext);
1120 kfree(rootcontext);
1121 return rc;
1122 }
1123 /*
1124 * string mount options parsing and call set the sbsec
1125 */
1126 static int superblock_doinit(struct super_block *sb, void *data)
1127 {
1128 int rc = 0;
1129 char *options = data;
1130 struct security_mnt_opts opts;
1131
1132 security_init_mnt_opts(&opts);
1133
1134 if (!data)
1135 goto out;
1136
1137 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1138
1139 rc = selinux_parse_opts_str(options, &opts);
1140 if (rc)
1141 goto out_err;
1142
1143 out:
1144 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1145
1146 out_err:
1147 security_free_mnt_opts(&opts);
1148 return rc;
1149 }
1150
1151 static void selinux_write_opts(struct seq_file *m,
1152 struct security_mnt_opts *opts)
1153 {
1154 int i;
1155 char *prefix;
1156
1157 for (i = 0; i < opts->num_mnt_opts; i++) {
1158 char *has_comma;
1159
1160 if (opts->mnt_opts[i])
1161 has_comma = strchr(opts->mnt_opts[i], ',');
1162 else
1163 has_comma = NULL;
1164
1165 switch (opts->mnt_opts_flags[i]) {
1166 case CONTEXT_MNT:
1167 prefix = CONTEXT_STR;
1168 break;
1169 case FSCONTEXT_MNT:
1170 prefix = FSCONTEXT_STR;
1171 break;
1172 case ROOTCONTEXT_MNT:
1173 prefix = ROOTCONTEXT_STR;
1174 break;
1175 case DEFCONTEXT_MNT:
1176 prefix = DEFCONTEXT_STR;
1177 break;
1178 case SBLABEL_MNT:
1179 seq_putc(m, ',');
1180 seq_puts(m, LABELSUPP_STR);
1181 continue;
1182 default:
1183 BUG();
1184 return;
1185 };
1186 /* we need a comma before each option */
1187 seq_putc(m, ',');
1188 seq_puts(m, prefix);
1189 if (has_comma)
1190 seq_putc(m, '\"');
1191 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1192 if (has_comma)
1193 seq_putc(m, '\"');
1194 }
1195 }
1196
1197 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1198 {
1199 struct security_mnt_opts opts;
1200 int rc;
1201
1202 rc = selinux_get_mnt_opts(sb, &opts);
1203 if (rc) {
1204 /* before policy load we may get EINVAL, don't show anything */
1205 if (rc == -EINVAL)
1206 rc = 0;
1207 return rc;
1208 }
1209
1210 selinux_write_opts(m, &opts);
1211
1212 security_free_mnt_opts(&opts);
1213
1214 return rc;
1215 }
1216
1217 static inline u16 inode_mode_to_security_class(umode_t mode)
1218 {
1219 switch (mode & S_IFMT) {
1220 case S_IFSOCK:
1221 return SECCLASS_SOCK_FILE;
1222 case S_IFLNK:
1223 return SECCLASS_LNK_FILE;
1224 case S_IFREG:
1225 return SECCLASS_FILE;
1226 case S_IFBLK:
1227 return SECCLASS_BLK_FILE;
1228 case S_IFDIR:
1229 return SECCLASS_DIR;
1230 case S_IFCHR:
1231 return SECCLASS_CHR_FILE;
1232 case S_IFIFO:
1233 return SECCLASS_FIFO_FILE;
1234
1235 }
1236
1237 return SECCLASS_FILE;
1238 }
1239
1240 static inline int default_protocol_stream(int protocol)
1241 {
1242 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1243 }
1244
1245 static inline int default_protocol_dgram(int protocol)
1246 {
1247 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1248 }
1249
1250 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1251 {
1252 int extsockclass = selinux_policycap_extsockclass;
1253
1254 switch (family) {
1255 case PF_UNIX:
1256 switch (type) {
1257 case SOCK_STREAM:
1258 case SOCK_SEQPACKET:
1259 return SECCLASS_UNIX_STREAM_SOCKET;
1260 case SOCK_DGRAM:
1261 case SOCK_RAW:
1262 return SECCLASS_UNIX_DGRAM_SOCKET;
1263 }
1264 break;
1265 case PF_INET:
1266 case PF_INET6:
1267 switch (type) {
1268 case SOCK_STREAM:
1269 case SOCK_SEQPACKET:
1270 if (default_protocol_stream(protocol))
1271 return SECCLASS_TCP_SOCKET;
1272 else if (extsockclass && protocol == IPPROTO_SCTP)
1273 return SECCLASS_SCTP_SOCKET;
1274 else
1275 return SECCLASS_RAWIP_SOCKET;
1276 case SOCK_DGRAM:
1277 if (default_protocol_dgram(protocol))
1278 return SECCLASS_UDP_SOCKET;
1279 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1280 protocol == IPPROTO_ICMPV6))
1281 return SECCLASS_ICMP_SOCKET;
1282 else
1283 return SECCLASS_RAWIP_SOCKET;
1284 case SOCK_DCCP:
1285 return SECCLASS_DCCP_SOCKET;
1286 default:
1287 return SECCLASS_RAWIP_SOCKET;
1288 }
1289 break;
1290 case PF_NETLINK:
1291 switch (protocol) {
1292 case NETLINK_ROUTE:
1293 return SECCLASS_NETLINK_ROUTE_SOCKET;
1294 case NETLINK_SOCK_DIAG:
1295 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1296 case NETLINK_NFLOG:
1297 return SECCLASS_NETLINK_NFLOG_SOCKET;
1298 case NETLINK_XFRM:
1299 return SECCLASS_NETLINK_XFRM_SOCKET;
1300 case NETLINK_SELINUX:
1301 return SECCLASS_NETLINK_SELINUX_SOCKET;
1302 case NETLINK_ISCSI:
1303 return SECCLASS_NETLINK_ISCSI_SOCKET;
1304 case NETLINK_AUDIT:
1305 return SECCLASS_NETLINK_AUDIT_SOCKET;
1306 case NETLINK_FIB_LOOKUP:
1307 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1308 case NETLINK_CONNECTOR:
1309 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1310 case NETLINK_NETFILTER:
1311 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1312 case NETLINK_DNRTMSG:
1313 return SECCLASS_NETLINK_DNRT_SOCKET;
1314 case NETLINK_KOBJECT_UEVENT:
1315 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1316 case NETLINK_GENERIC:
1317 return SECCLASS_NETLINK_GENERIC_SOCKET;
1318 case NETLINK_SCSITRANSPORT:
1319 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1320 case NETLINK_RDMA:
1321 return SECCLASS_NETLINK_RDMA_SOCKET;
1322 case NETLINK_CRYPTO:
1323 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1324 default:
1325 return SECCLASS_NETLINK_SOCKET;
1326 }
1327 case PF_PACKET:
1328 return SECCLASS_PACKET_SOCKET;
1329 case PF_KEY:
1330 return SECCLASS_KEY_SOCKET;
1331 case PF_APPLETALK:
1332 return SECCLASS_APPLETALK_SOCKET;
1333 }
1334
1335 if (extsockclass) {
1336 switch (family) {
1337 case PF_AX25:
1338 return SECCLASS_AX25_SOCKET;
1339 case PF_IPX:
1340 return SECCLASS_IPX_SOCKET;
1341 case PF_NETROM:
1342 return SECCLASS_NETROM_SOCKET;
1343 case PF_ATMPVC:
1344 return SECCLASS_ATMPVC_SOCKET;
1345 case PF_X25:
1346 return SECCLASS_X25_SOCKET;
1347 case PF_ROSE:
1348 return SECCLASS_ROSE_SOCKET;
1349 case PF_DECnet:
1350 return SECCLASS_DECNET_SOCKET;
1351 case PF_ATMSVC:
1352 return SECCLASS_ATMSVC_SOCKET;
1353 case PF_RDS:
1354 return SECCLASS_RDS_SOCKET;
1355 case PF_IRDA:
1356 return SECCLASS_IRDA_SOCKET;
1357 case PF_PPPOX:
1358 return SECCLASS_PPPOX_SOCKET;
1359 case PF_LLC:
1360 return SECCLASS_LLC_SOCKET;
1361 case PF_CAN:
1362 return SECCLASS_CAN_SOCKET;
1363 case PF_TIPC:
1364 return SECCLASS_TIPC_SOCKET;
1365 case PF_BLUETOOTH:
1366 return SECCLASS_BLUETOOTH_SOCKET;
1367 case PF_IUCV:
1368 return SECCLASS_IUCV_SOCKET;
1369 case PF_RXRPC:
1370 return SECCLASS_RXRPC_SOCKET;
1371 case PF_ISDN:
1372 return SECCLASS_ISDN_SOCKET;
1373 case PF_PHONET:
1374 return SECCLASS_PHONET_SOCKET;
1375 case PF_IEEE802154:
1376 return SECCLASS_IEEE802154_SOCKET;
1377 case PF_CAIF:
1378 return SECCLASS_CAIF_SOCKET;
1379 case PF_ALG:
1380 return SECCLASS_ALG_SOCKET;
1381 case PF_NFC:
1382 return SECCLASS_NFC_SOCKET;
1383 case PF_VSOCK:
1384 return SECCLASS_VSOCK_SOCKET;
1385 case PF_KCM:
1386 return SECCLASS_KCM_SOCKET;
1387 case PF_QIPCRTR:
1388 return SECCLASS_QIPCRTR_SOCKET;
1389 case PF_SMC:
1390 return SECCLASS_SMC_SOCKET;
1391 #if PF_MAX > 44
1392 #error New address family defined, please update this function.
1393 #endif
1394 }
1395 }
1396
1397 return SECCLASS_SOCKET;
1398 }
1399
1400 static int selinux_genfs_get_sid(struct dentry *dentry,
1401 u16 tclass,
1402 u16 flags,
1403 u32 *sid)
1404 {
1405 int rc;
1406 struct super_block *sb = dentry->d_sb;
1407 char *buffer, *path;
1408
1409 buffer = (char *)__get_free_page(GFP_KERNEL);
1410 if (!buffer)
1411 return -ENOMEM;
1412
1413 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1414 if (IS_ERR(path))
1415 rc = PTR_ERR(path);
1416 else {
1417 if (flags & SE_SBPROC) {
1418 /* each process gets a /proc/PID/ entry. Strip off the
1419 * PID part to get a valid selinux labeling.
1420 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1421 while (path[1] >= '0' && path[1] <= '9') {
1422 path[1] = '/';
1423 path++;
1424 }
1425 }
1426 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1427 }
1428 free_page((unsigned long)buffer);
1429 return rc;
1430 }
1431
1432 /* The inode's security attributes must be initialized before first use. */
1433 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1434 {
1435 struct superblock_security_struct *sbsec = NULL;
1436 struct inode_security_struct *isec = selinux_inode(inode);
1437 u32 task_sid, sid = 0;
1438 u16 sclass;
1439 struct dentry *dentry;
1440 #define INITCONTEXTLEN 255
1441 char *context = NULL;
1442 unsigned len = 0;
1443 int rc = 0;
1444
1445 if (isec->initialized == LABEL_INITIALIZED)
1446 return 0;
1447
1448 spin_lock(&isec->lock);
1449 if (isec->initialized == LABEL_INITIALIZED)
1450 goto out_unlock;
1451
1452 if (isec->sclass == SECCLASS_FILE)
1453 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1454
1455 sbsec = selinux_superblock(inode->i_sb);
1456 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1457 /* Defer initialization until selinux_complete_init,
1458 after the initial policy is loaded and the security
1459 server is ready to handle calls. */
1460 spin_lock(&sbsec->isec_lock);
1461 if (list_empty(&isec->list))
1462 list_add(&isec->list, &sbsec->isec_head);
1463 spin_unlock(&sbsec->isec_lock);
1464 goto out_unlock;
1465 }
1466
1467 sclass = isec->sclass;
1468 task_sid = isec->task_sid;
1469 sid = isec->sid;
1470 isec->initialized = LABEL_PENDING;
1471 spin_unlock(&isec->lock);
1472
1473 switch (sbsec->behavior) {
1474 case SECURITY_FS_USE_NATIVE:
1475 break;
1476 case SECURITY_FS_USE_XATTR:
1477 if (!(inode->i_opflags & IOP_XATTR)) {
1478 sid = sbsec->def_sid;
1479 break;
1480 }
1481 /* Need a dentry, since the xattr API requires one.
1482 Life would be simpler if we could just pass the inode. */
1483 if (opt_dentry) {
1484 /* Called from d_instantiate or d_splice_alias. */
1485 dentry = dget(opt_dentry);
1486 } else {
1487 /* Called from selinux_complete_init, try to find a dentry. */
1488 dentry = d_find_alias(inode);
1489 }
1490 if (!dentry) {
1491 /*
1492 * this is can be hit on boot when a file is accessed
1493 * before the policy is loaded. When we load policy we
1494 * may find inodes that have no dentry on the
1495 * sbsec->isec_head list. No reason to complain as these
1496 * will get fixed up the next time we go through
1497 * inode_doinit with a dentry, before these inodes could
1498 * be used again by userspace.
1499 */
1500 goto out;
1501 }
1502
1503 len = INITCONTEXTLEN;
1504 context = kmalloc(len+1, GFP_NOFS);
1505 if (!context) {
1506 rc = -ENOMEM;
1507 dput(dentry);
1508 goto out;
1509 }
1510 context[len] = '\0';
1511 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1512 if (rc == -ERANGE) {
1513 kfree(context);
1514
1515 /* Need a larger buffer. Query for the right size. */
1516 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1517 if (rc < 0) {
1518 dput(dentry);
1519 goto out;
1520 }
1521 len = rc;
1522 context = kmalloc(len+1, GFP_NOFS);
1523 if (!context) {
1524 rc = -ENOMEM;
1525 dput(dentry);
1526 goto out;
1527 }
1528 context[len] = '\0';
1529 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1530 }
1531 dput(dentry);
1532 if (rc < 0) {
1533 if (rc != -ENODATA) {
1534 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1535 "%d for dev=%s ino=%ld\n", __func__,
1536 -rc, inode->i_sb->s_id, inode->i_ino);
1537 kfree(context);
1538 goto out;
1539 }
1540 /* Map ENODATA to the default file SID */
1541 sid = sbsec->def_sid;
1542 rc = 0;
1543 } else {
1544 rc = security_context_to_sid_default(context, rc, &sid,
1545 sbsec->def_sid,
1546 GFP_NOFS);
1547 if (rc) {
1548 char *dev = inode->i_sb->s_id;
1549 unsigned long ino = inode->i_ino;
1550
1551 if (rc == -EINVAL) {
1552 if (printk_ratelimit())
1553 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1554 "context=%s. This indicates you may need to relabel the inode or the "
1555 "filesystem in question.\n", ino, dev, context);
1556 } else {
1557 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1558 "returned %d for dev=%s ino=%ld\n",
1559 __func__, context, -rc, dev, ino);
1560 }
1561 kfree(context);
1562 /* Leave with the unlabeled SID */
1563 rc = 0;
1564 break;
1565 }
1566 }
1567 kfree(context);
1568 break;
1569 case SECURITY_FS_USE_TASK:
1570 sid = task_sid;
1571 break;
1572 case SECURITY_FS_USE_TRANS:
1573 /* Default to the fs SID. */
1574 sid = sbsec->sid;
1575
1576 /* Try to obtain a transition SID. */
1577 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1578 if (rc)
1579 goto out;
1580 break;
1581 case SECURITY_FS_USE_MNTPOINT:
1582 sid = sbsec->mntpoint_sid;
1583 break;
1584 default:
1585 /* Default to the fs superblock SID. */
1586 sid = sbsec->sid;
1587
1588 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1589 /* We must have a dentry to determine the label on
1590 * procfs inodes */
1591 if (opt_dentry)
1592 /* Called from d_instantiate or
1593 * d_splice_alias. */
1594 dentry = dget(opt_dentry);
1595 else
1596 /* Called from selinux_complete_init, try to
1597 * find a dentry. */
1598 dentry = d_find_alias(inode);
1599 /*
1600 * This can be hit on boot when a file is accessed
1601 * before the policy is loaded. When we load policy we
1602 * may find inodes that have no dentry on the
1603 * sbsec->isec_head list. No reason to complain as
1604 * these will get fixed up the next time we go through
1605 * inode_doinit() with a dentry, before these inodes
1606 * could be used again by userspace.
1607 */
1608 if (!dentry)
1609 goto out;
1610 rc = selinux_genfs_get_sid(dentry, sclass,
1611 sbsec->flags, &sid);
1612 dput(dentry);
1613 if (rc)
1614 goto out;
1615 }
1616 break;
1617 }
1618
1619 out:
1620 spin_lock(&isec->lock);
1621 if (isec->initialized == LABEL_PENDING) {
1622 if (!sid || rc) {
1623 isec->initialized = LABEL_INVALID;
1624 goto out_unlock;
1625 }
1626
1627 isec->initialized = LABEL_INITIALIZED;
1628 isec->sid = sid;
1629 }
1630
1631 out_unlock:
1632 spin_unlock(&isec->lock);
1633 return rc;
1634 }
1635
1636 /* Convert a Linux signal to an access vector. */
1637 static inline u32 signal_to_av(int sig)
1638 {
1639 u32 perm = 0;
1640
1641 switch (sig) {
1642 case SIGCHLD:
1643 /* Commonly granted from child to parent. */
1644 perm = PROCESS__SIGCHLD;
1645 break;
1646 case SIGKILL:
1647 /* Cannot be caught or ignored */
1648 perm = PROCESS__SIGKILL;
1649 break;
1650 case SIGSTOP:
1651 /* Cannot be caught or ignored */
1652 perm = PROCESS__SIGSTOP;
1653 break;
1654 default:
1655 /* All other signals. */
1656 perm = PROCESS__SIGNAL;
1657 break;
1658 }
1659
1660 return perm;
1661 }
1662
1663 #if CAP_LAST_CAP > 63
1664 #error Fix SELinux to handle capabilities > 63.
1665 #endif
1666
1667 /* Check whether a task is allowed to use a capability. */
1668 static int cred_has_capability(const struct cred *cred,
1669 int cap, int audit, bool initns)
1670 {
1671 struct common_audit_data ad;
1672 struct av_decision avd;
1673 u16 sclass;
1674 u32 sid = cred_sid(cred);
1675 u32 av = CAP_TO_MASK(cap);
1676 int rc;
1677
1678 ad.type = LSM_AUDIT_DATA_CAP;
1679 ad.u.cap = cap;
1680
1681 switch (CAP_TO_INDEX(cap)) {
1682 case 0:
1683 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1684 break;
1685 case 1:
1686 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1687 break;
1688 default:
1689 printk(KERN_ERR
1690 "SELinux: out of range capability %d\n", cap);
1691 BUG();
1692 return -EINVAL;
1693 }
1694
1695 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1696 if (audit == SECURITY_CAP_AUDIT) {
1697 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1698 if (rc2)
1699 return rc2;
1700 }
1701 return rc;
1702 }
1703
1704 /* Check whether a task has a particular permission to an inode.
1705 The 'adp' parameter is optional and allows other audit
1706 data to be passed (e.g. the dentry). */
1707 static int inode_has_perm(const struct cred *cred,
1708 struct inode *inode,
1709 u32 perms,
1710 struct common_audit_data *adp)
1711 {
1712 struct inode_security_struct *isec;
1713 u32 sid;
1714
1715 validate_creds(cred);
1716
1717 if (unlikely(IS_PRIVATE(inode)))
1718 return 0;
1719
1720 sid = cred_sid(cred);
1721 isec = selinux_inode(inode);
1722
1723 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1724 }
1725
1726 /* Same as inode_has_perm, but pass explicit audit data containing
1727 the dentry to help the auditing code to more easily generate the
1728 pathname if needed. */
1729 static inline int dentry_has_perm(const struct cred *cred,
1730 struct dentry *dentry,
1731 u32 av)
1732 {
1733 struct inode *inode = d_backing_inode(dentry);
1734 struct common_audit_data ad;
1735
1736 ad.type = LSM_AUDIT_DATA_DENTRY;
1737 ad.u.dentry = dentry;
1738 __inode_security_revalidate(inode, dentry, true);
1739 return inode_has_perm(cred, inode, av, &ad);
1740 }
1741
1742 /* Same as inode_has_perm, but pass explicit audit data containing
1743 the path to help the auditing code to more easily generate the
1744 pathname if needed. */
1745 static inline int path_has_perm(const struct cred *cred,
1746 const struct path *path,
1747 u32 av)
1748 {
1749 struct inode *inode = d_backing_inode(path->dentry);
1750 struct common_audit_data ad;
1751
1752 ad.type = LSM_AUDIT_DATA_PATH;
1753 ad.u.path = *path;
1754 __inode_security_revalidate(inode, path->dentry, true);
1755 return inode_has_perm(cred, inode, av, &ad);
1756 }
1757
1758 /* Same as path_has_perm, but uses the inode from the file struct. */
1759 static inline int file_path_has_perm(const struct cred *cred,
1760 struct file *file,
1761 u32 av)
1762 {
1763 struct common_audit_data ad;
1764
1765 ad.type = LSM_AUDIT_DATA_FILE;
1766 ad.u.file = file;
1767 return inode_has_perm(cred, file_inode(file), av, &ad);
1768 }
1769
1770 #ifdef CONFIG_BPF_SYSCALL
1771 static int bpf_fd_pass(struct file *file, u32 sid);
1772 #endif
1773
1774 /* Check whether a task can use an open file descriptor to
1775 access an inode in a given way. Check access to the
1776 descriptor itself, and then use dentry_has_perm to
1777 check a particular permission to the file.
1778 Access to the descriptor is implicitly granted if it
1779 has the same SID as the process. If av is zero, then
1780 access to the file is not checked, e.g. for cases
1781 where only the descriptor is affected like seek. */
1782 static int file_has_perm(const struct cred *cred,
1783 struct file *file,
1784 u32 av)
1785 {
1786 struct file_security_struct *fsec = selinux_file(file);
1787 struct inode *inode = file_inode(file);
1788 struct common_audit_data ad;
1789 u32 sid = cred_sid(cred);
1790 int rc;
1791
1792 ad.type = LSM_AUDIT_DATA_FILE;
1793 ad.u.file = file;
1794
1795 if (sid != fsec->sid) {
1796 rc = avc_has_perm(sid, fsec->sid,
1797 SECCLASS_FD,
1798 FD__USE,
1799 &ad);
1800 if (rc)
1801 goto out;
1802 }
1803
1804 #ifdef CONFIG_BPF_SYSCALL
1805 rc = bpf_fd_pass(file, cred_sid(cred));
1806 if (rc)
1807 return rc;
1808 #endif
1809
1810 /* av is zero if only checking access to the descriptor. */
1811 rc = 0;
1812 if (av)
1813 rc = inode_has_perm(cred, inode, av, &ad);
1814
1815 out:
1816 return rc;
1817 }
1818
1819 /*
1820 * Determine the label for an inode that might be unioned.
1821 */
1822 static int
1823 selinux_determine_inode_label(const struct task_security_struct *tsec,
1824 struct inode *dir,
1825 const struct qstr *name, u16 tclass,
1826 u32 *_new_isid)
1827 {
1828 const struct superblock_security_struct *sbsec =
1829 selinux_superblock(dir->i_sb);
1830
1831 if ((sbsec->flags & SE_SBINITIALIZED) &&
1832 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1833 *_new_isid = sbsec->mntpoint_sid;
1834 } else if ((sbsec->flags & SBLABEL_MNT) &&
1835 tsec->create_sid) {
1836 *_new_isid = tsec->create_sid;
1837 } else {
1838 const struct inode_security_struct *dsec = inode_security(dir);
1839 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1840 name, _new_isid);
1841 }
1842
1843 return 0;
1844 }
1845
1846 /* Check whether a task can create a file. */
1847 static int may_create(struct inode *dir,
1848 struct dentry *dentry,
1849 u16 tclass)
1850 {
1851 const struct task_security_struct *tsec = selinux_cred(current_cred());
1852 struct inode_security_struct *dsec;
1853 struct superblock_security_struct *sbsec;
1854 u32 sid, newsid;
1855 struct common_audit_data ad;
1856 int rc;
1857
1858 dsec = inode_security(dir);
1859 sbsec = selinux_superblock(dir->i_sb);
1860
1861 sid = tsec->sid;
1862
1863 ad.type = LSM_AUDIT_DATA_DENTRY;
1864 ad.u.dentry = dentry;
1865
1866 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1867 DIR__ADD_NAME | DIR__SEARCH,
1868 &ad);
1869 if (rc)
1870 return rc;
1871
1872 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1873 &dentry->d_name, tclass, &newsid);
1874 if (rc)
1875 return rc;
1876
1877 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1878 if (rc)
1879 return rc;
1880
1881 return avc_has_perm(newsid, sbsec->sid,
1882 SECCLASS_FILESYSTEM,
1883 FILESYSTEM__ASSOCIATE, &ad);
1884 }
1885
1886 #define MAY_LINK 0
1887 #define MAY_UNLINK 1
1888 #define MAY_RMDIR 2
1889
1890 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1891 static int may_link(struct inode *dir,
1892 struct dentry *dentry,
1893 int kind)
1894
1895 {
1896 struct inode_security_struct *dsec, *isec;
1897 struct common_audit_data ad;
1898 u32 sid = current_sid();
1899 u32 av;
1900 int rc;
1901
1902 dsec = inode_security(dir);
1903 isec = backing_inode_security(dentry);
1904
1905 ad.type = LSM_AUDIT_DATA_DENTRY;
1906 ad.u.dentry = dentry;
1907
1908 av = DIR__SEARCH;
1909 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1910 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1911 if (rc)
1912 return rc;
1913
1914 switch (kind) {
1915 case MAY_LINK:
1916 av = FILE__LINK;
1917 break;
1918 case MAY_UNLINK:
1919 av = FILE__UNLINK;
1920 break;
1921 case MAY_RMDIR:
1922 av = DIR__RMDIR;
1923 break;
1924 default:
1925 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1926 __func__, kind);
1927 return 0;
1928 }
1929
1930 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1931 return rc;
1932 }
1933
1934 static inline int may_rename(struct inode *old_dir,
1935 struct dentry *old_dentry,
1936 struct inode *new_dir,
1937 struct dentry *new_dentry)
1938 {
1939 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1940 struct common_audit_data ad;
1941 u32 sid = current_sid();
1942 u32 av;
1943 int old_is_dir, new_is_dir;
1944 int rc;
1945
1946 old_dsec = inode_security(old_dir);
1947 old_isec = backing_inode_security(old_dentry);
1948 old_is_dir = d_is_dir(old_dentry);
1949 new_dsec = inode_security(new_dir);
1950
1951 ad.type = LSM_AUDIT_DATA_DENTRY;
1952
1953 ad.u.dentry = old_dentry;
1954 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1955 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1956 if (rc)
1957 return rc;
1958 rc = avc_has_perm(sid, old_isec->sid,
1959 old_isec->sclass, FILE__RENAME, &ad);
1960 if (rc)
1961 return rc;
1962 if (old_is_dir && new_dir != old_dir) {
1963 rc = avc_has_perm(sid, old_isec->sid,
1964 old_isec->sclass, DIR__REPARENT, &ad);
1965 if (rc)
1966 return rc;
1967 }
1968
1969 ad.u.dentry = new_dentry;
1970 av = DIR__ADD_NAME | DIR__SEARCH;
1971 if (d_is_positive(new_dentry))
1972 av |= DIR__REMOVE_NAME;
1973 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1974 if (rc)
1975 return rc;
1976 if (d_is_positive(new_dentry)) {
1977 new_isec = backing_inode_security(new_dentry);
1978 new_is_dir = d_is_dir(new_dentry);
1979 rc = avc_has_perm(sid, new_isec->sid,
1980 new_isec->sclass,
1981 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1982 if (rc)
1983 return rc;
1984 }
1985
1986 return 0;
1987 }
1988
1989 /* Check whether a task can perform a filesystem operation. */
1990 static int superblock_has_perm(const struct cred *cred,
1991 struct super_block *sb,
1992 u32 perms,
1993 struct common_audit_data *ad)
1994 {
1995 struct superblock_security_struct *sbsec;
1996 u32 sid = cred_sid(cred);
1997
1998 sbsec = selinux_superblock(sb);
1999 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2000 }
2001
2002 /* Convert a Linux mode and permission mask to an access vector. */
2003 static inline u32 file_mask_to_av(int mode, int mask)
2004 {
2005 u32 av = 0;
2006
2007 if (!S_ISDIR(mode)) {
2008 if (mask & MAY_EXEC)
2009 av |= FILE__EXECUTE;
2010 if (mask & MAY_READ)
2011 av |= FILE__READ;
2012
2013 if (mask & MAY_APPEND)
2014 av |= FILE__APPEND;
2015 else if (mask & MAY_WRITE)
2016 av |= FILE__WRITE;
2017
2018 } else {
2019 if (mask & MAY_EXEC)
2020 av |= DIR__SEARCH;
2021 if (mask & MAY_WRITE)
2022 av |= DIR__WRITE;
2023 if (mask & MAY_READ)
2024 av |= DIR__READ;
2025 }
2026
2027 return av;
2028 }
2029
2030 /* Convert a Linux file to an access vector. */
2031 static inline u32 file_to_av(struct file *file)
2032 {
2033 u32 av = 0;
2034
2035 if (file->f_mode & FMODE_READ)
2036 av |= FILE__READ;
2037 if (file->f_mode & FMODE_WRITE) {
2038 if (file->f_flags & O_APPEND)
2039 av |= FILE__APPEND;
2040 else
2041 av |= FILE__WRITE;
2042 }
2043 if (!av) {
2044 /*
2045 * Special file opened with flags 3 for ioctl-only use.
2046 */
2047 av = FILE__IOCTL;
2048 }
2049
2050 return av;
2051 }
2052
2053 /*
2054 * Convert a file to an access vector and include the correct open
2055 * open permission.
2056 */
2057 static inline u32 open_file_to_av(struct file *file)
2058 {
2059 u32 av = file_to_av(file);
2060 struct inode *inode = file_inode(file);
2061
2062 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2063 av |= FILE__OPEN;
2064
2065 return av;
2066 }
2067
2068 /* Hook functions begin here. */
2069
2070 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2071 {
2072 u32 mysid = current_sid();
2073 u32 mgrsid = task_sid(mgr);
2074
2075 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2076 BINDER__SET_CONTEXT_MGR, NULL);
2077 }
2078
2079 static int selinux_binder_transaction(struct task_struct *from,
2080 struct task_struct *to)
2081 {
2082 u32 mysid = current_sid();
2083 u32 fromsid = task_sid(from);
2084 u32 tosid = task_sid(to);
2085 int rc;
2086
2087 if (mysid != fromsid) {
2088 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2089 BINDER__IMPERSONATE, NULL);
2090 if (rc)
2091 return rc;
2092 }
2093
2094 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2095 NULL);
2096 }
2097
2098 static int selinux_binder_transfer_binder(struct task_struct *from,
2099 struct task_struct *to)
2100 {
2101 u32 fromsid = task_sid(from);
2102 u32 tosid = task_sid(to);
2103
2104 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2105 NULL);
2106 }
2107
2108 static int selinux_binder_transfer_file(struct task_struct *from,
2109 struct task_struct *to,
2110 struct file *file)
2111 {
2112 u32 sid = task_sid(to);
2113 struct file_security_struct *fsec = selinux_file(file);
2114 struct dentry *dentry = file->f_path.dentry;
2115 struct inode_security_struct *isec;
2116 struct common_audit_data ad;
2117 int rc;
2118
2119 ad.type = LSM_AUDIT_DATA_PATH;
2120 ad.u.path = file->f_path;
2121
2122 if (sid != fsec->sid) {
2123 rc = avc_has_perm(sid, fsec->sid,
2124 SECCLASS_FD,
2125 FD__USE,
2126 &ad);
2127 if (rc)
2128 return rc;
2129 }
2130
2131 #ifdef CONFIG_BPF_SYSCALL
2132 rc = bpf_fd_pass(file, sid);
2133 if (rc)
2134 return rc;
2135 #endif
2136
2137 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2138 return 0;
2139
2140 isec = backing_inode_security(dentry);
2141 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2142 &ad);
2143 }
2144
2145 static int selinux_ptrace_access_check(struct task_struct *child,
2146 unsigned int mode)
2147 {
2148 u32 sid = current_sid();
2149 u32 csid = task_sid(child);
2150
2151 if (mode & PTRACE_MODE_READ)
2152 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2153
2154 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2155 }
2156
2157 static int selinux_ptrace_traceme(struct task_struct *parent)
2158 {
2159 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2160 PROCESS__PTRACE, NULL);
2161 }
2162
2163 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2164 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2165 {
2166 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2167 PROCESS__GETCAP, NULL);
2168 }
2169
2170 static int selinux_capset(struct cred *new, const struct cred *old,
2171 const kernel_cap_t *effective,
2172 const kernel_cap_t *inheritable,
2173 const kernel_cap_t *permitted)
2174 {
2175 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2176 PROCESS__SETCAP, NULL);
2177 }
2178
2179 /*
2180 * (This comment used to live with the selinux_task_setuid hook,
2181 * which was removed).
2182 *
2183 * Since setuid only affects the current process, and since the SELinux
2184 * controls are not based on the Linux identity attributes, SELinux does not
2185 * need to control this operation. However, SELinux does control the use of
2186 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2187 */
2188
2189 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2190 int cap, int audit)
2191 {
2192 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2193 }
2194
2195 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2196 {
2197 const struct cred *cred = current_cred();
2198 int rc = 0;
2199
2200 if (!sb)
2201 return 0;
2202
2203 switch (cmds) {
2204 case Q_SYNC:
2205 case Q_QUOTAON:
2206 case Q_QUOTAOFF:
2207 case Q_SETINFO:
2208 case Q_SETQUOTA:
2209 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2210 break;
2211 case Q_GETFMT:
2212 case Q_GETINFO:
2213 case Q_GETQUOTA:
2214 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2215 break;
2216 default:
2217 rc = 0; /* let the kernel handle invalid cmds */
2218 break;
2219 }
2220 return rc;
2221 }
2222
2223 static int selinux_quota_on(struct dentry *dentry)
2224 {
2225 const struct cred *cred = current_cred();
2226
2227 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2228 }
2229
2230 static int selinux_syslog(int type)
2231 {
2232 switch (type) {
2233 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2234 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2235 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2236 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2237 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2238 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2239 /* Set level of messages printed to console */
2240 case SYSLOG_ACTION_CONSOLE_LEVEL:
2241 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2242 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2243 NULL);
2244 }
2245 /* All other syslog types */
2246 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2247 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2248 }
2249
2250 /*
2251 * Check that a process has enough memory to allocate a new virtual
2252 * mapping. 0 means there is enough memory for the allocation to
2253 * succeed and -ENOMEM implies there is not.
2254 *
2255 * Do not audit the selinux permission check, as this is applied to all
2256 * processes that allocate mappings.
2257 */
2258 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2259 {
2260 int rc, cap_sys_admin = 0;
2261
2262 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2263 SECURITY_CAP_NOAUDIT, true);
2264 if (rc == 0)
2265 cap_sys_admin = 1;
2266
2267 return cap_sys_admin;
2268 }
2269
2270 /* binprm security operations */
2271
2272 static u32 ptrace_parent_sid(void)
2273 {
2274 u32 sid = 0;
2275 struct task_struct *tracer;
2276
2277 rcu_read_lock();
2278 tracer = ptrace_parent(current);
2279 if (tracer)
2280 sid = task_sid(tracer);
2281 rcu_read_unlock();
2282
2283 return sid;
2284 }
2285
2286 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2287 const struct task_security_struct *old_tsec,
2288 const struct task_security_struct *new_tsec)
2289 {
2290 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2291 int nosuid = path_nosuid(&bprm->file->f_path);
2292 int rc;
2293 u32 av;
2294
2295 if (!nnp && !nosuid)
2296 return 0; /* neither NNP nor nosuid */
2297
2298 if (new_tsec->sid == old_tsec->sid)
2299 return 0; /* No change in credentials */
2300
2301 /*
2302 * If the policy enables the nnp_nosuid_transition policy capability,
2303 * then we permit transitions under NNP or nosuid if the
2304 * policy allows the corresponding permission between
2305 * the old and new contexts.
2306 */
2307 if (selinux_policycap_nnp_nosuid_transition) {
2308 av = 0;
2309 if (nnp)
2310 av |= PROCESS2__NNP_TRANSITION;
2311 if (nosuid)
2312 av |= PROCESS2__NOSUID_TRANSITION;
2313 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2314 SECCLASS_PROCESS2, av, NULL);
2315 if (!rc)
2316 return 0;
2317 }
2318
2319 /*
2320 * We also permit NNP or nosuid transitions to bounded SIDs,
2321 * i.e. SIDs that are guaranteed to only be allowed a subset
2322 * of the permissions of the current SID.
2323 */
2324 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2325 if (!rc)
2326 return 0;
2327
2328 /*
2329 * On failure, preserve the errno values for NNP vs nosuid.
2330 * NNP: Operation not permitted for caller.
2331 * nosuid: Permission denied to file.
2332 */
2333 if (nnp)
2334 return -EPERM;
2335 return -EACCES;
2336 }
2337
2338 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2339 {
2340 const struct task_security_struct *old_tsec;
2341 struct task_security_struct *new_tsec;
2342 struct inode_security_struct *isec;
2343 struct common_audit_data ad;
2344 struct inode *inode = file_inode(bprm->file);
2345 int rc;
2346
2347 /* SELinux context only depends on initial program or script and not
2348 * the script interpreter */
2349 if (bprm->called_set_creds)
2350 return 0;
2351
2352 old_tsec = selinux_cred(current_cred());
2353 new_tsec = selinux_cred(bprm->cred);
2354 isec = inode_security(inode);
2355
2356 /* Default to the current task SID. */
2357 new_tsec->sid = old_tsec->sid;
2358 new_tsec->osid = old_tsec->sid;
2359
2360 /* Reset fs, key, and sock SIDs on execve. */
2361 new_tsec->create_sid = 0;
2362 new_tsec->keycreate_sid = 0;
2363 new_tsec->sockcreate_sid = 0;
2364
2365 if (old_tsec->exec_sid) {
2366 new_tsec->sid = old_tsec->exec_sid;
2367 /* Reset exec SID on execve. */
2368 new_tsec->exec_sid = 0;
2369
2370 /* Fail on NNP or nosuid if not an allowed transition. */
2371 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2372 if (rc)
2373 return rc;
2374 } else {
2375 /* Check for a default transition on this program. */
2376 rc = security_transition_sid(old_tsec->sid, isec->sid,
2377 SECCLASS_PROCESS, NULL,
2378 &new_tsec->sid);
2379 if (rc)
2380 return rc;
2381
2382 /*
2383 * Fallback to old SID on NNP or nosuid if not an allowed
2384 * transition.
2385 */
2386 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2387 if (rc)
2388 new_tsec->sid = old_tsec->sid;
2389 }
2390
2391 ad.type = LSM_AUDIT_DATA_FILE;
2392 ad.u.file = bprm->file;
2393
2394 if (new_tsec->sid == old_tsec->sid) {
2395 rc = avc_has_perm(old_tsec->sid, isec->sid,
2396 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2397 if (rc)
2398 return rc;
2399 } else {
2400 /* Check permissions for the transition. */
2401 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2402 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2403 if (rc)
2404 return rc;
2405
2406 rc = avc_has_perm(new_tsec->sid, isec->sid,
2407 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2408 if (rc)
2409 return rc;
2410
2411 /* Check for shared state */
2412 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2413 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2414 SECCLASS_PROCESS, PROCESS__SHARE,
2415 NULL);
2416 if (rc)
2417 return -EPERM;
2418 }
2419
2420 /* Make sure that anyone attempting to ptrace over a task that
2421 * changes its SID has the appropriate permit */
2422 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2423 u32 ptsid = ptrace_parent_sid();
2424 if (ptsid != 0) {
2425 rc = avc_has_perm(ptsid, new_tsec->sid,
2426 SECCLASS_PROCESS,
2427 PROCESS__PTRACE, NULL);
2428 if (rc)
2429 return -EPERM;
2430 }
2431 }
2432
2433 /* Clear any possibly unsafe personality bits on exec: */
2434 bprm->per_clear |= PER_CLEAR_ON_SETID;
2435
2436 /* Enable secure mode for SIDs transitions unless
2437 the noatsecure permission is granted between
2438 the two SIDs, i.e. ahp returns 0. */
2439 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2440 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2441 NULL);
2442 bprm->secureexec |= !!rc;
2443 }
2444
2445 return 0;
2446 }
2447
2448 static int match_file(const void *p, struct file *file, unsigned fd)
2449 {
2450 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2451 }
2452
2453 /* Derived from fs/exec.c:flush_old_files. */
2454 static inline void flush_unauthorized_files(const struct cred *cred,
2455 struct files_struct *files)
2456 {
2457 struct file *file, *devnull = NULL;
2458 struct tty_struct *tty;
2459 int drop_tty = 0;
2460 unsigned n;
2461
2462 tty = get_current_tty();
2463 if (tty) {
2464 spin_lock(&tty->files_lock);
2465 if (!list_empty(&tty->tty_files)) {
2466 struct tty_file_private *file_priv;
2467
2468 /* Revalidate access to controlling tty.
2469 Use file_path_has_perm on the tty path directly
2470 rather than using file_has_perm, as this particular
2471 open file may belong to another process and we are
2472 only interested in the inode-based check here. */
2473 file_priv = list_first_entry(&tty->tty_files,
2474 struct tty_file_private, list);
2475 file = file_priv->file;
2476 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2477 drop_tty = 1;
2478 }
2479 spin_unlock(&tty->files_lock);
2480 tty_kref_put(tty);
2481 }
2482 /* Reset controlling tty. */
2483 if (drop_tty)
2484 no_tty();
2485
2486 /* Revalidate access to inherited open files. */
2487 n = iterate_fd(files, 0, match_file, cred);
2488 if (!n) /* none found? */
2489 return;
2490
2491 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2492 if (IS_ERR(devnull))
2493 devnull = NULL;
2494 /* replace all the matching ones with this */
2495 do {
2496 replace_fd(n - 1, devnull, 0);
2497 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2498 if (devnull)
2499 fput(devnull);
2500 }
2501
2502 /*
2503 * Prepare a process for imminent new credential changes due to exec
2504 */
2505 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2506 {
2507 struct task_security_struct *new_tsec;
2508 struct rlimit *rlim, *initrlim;
2509 int rc, i;
2510
2511 new_tsec = selinux_cred(bprm->cred);
2512 if (new_tsec->sid == new_tsec->osid)
2513 return;
2514
2515 /* Close files for which the new task SID is not authorized. */
2516 flush_unauthorized_files(bprm->cred, current->files);
2517
2518 /* Always clear parent death signal on SID transitions. */
2519 current->pdeath_signal = 0;
2520
2521 /* Check whether the new SID can inherit resource limits from the old
2522 * SID. If not, reset all soft limits to the lower of the current
2523 * task's hard limit and the init task's soft limit.
2524 *
2525 * Note that the setting of hard limits (even to lower them) can be
2526 * controlled by the setrlimit check. The inclusion of the init task's
2527 * soft limit into the computation is to avoid resetting soft limits
2528 * higher than the default soft limit for cases where the default is
2529 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2530 */
2531 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2532 PROCESS__RLIMITINH, NULL);
2533 if (rc) {
2534 /* protect against do_prlimit() */
2535 task_lock(current);
2536 for (i = 0; i < RLIM_NLIMITS; i++) {
2537 rlim = current->signal->rlim + i;
2538 initrlim = init_task.signal->rlim + i;
2539 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2540 }
2541 task_unlock(current);
2542 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2543 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2544 }
2545 }
2546
2547 /*
2548 * Clean up the process immediately after the installation of new credentials
2549 * due to exec
2550 */
2551 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2552 {
2553 const struct task_security_struct *tsec = selinux_cred(current_cred());
2554 struct itimerval itimer;
2555 u32 osid, sid;
2556 int rc, i;
2557
2558 osid = tsec->osid;
2559 sid = tsec->sid;
2560
2561 if (sid == osid)
2562 return;
2563
2564 /* Check whether the new SID can inherit signal state from the old SID.
2565 * If not, clear itimers to avoid subsequent signal generation and
2566 * flush and unblock signals.
2567 *
2568 * This must occur _after_ the task SID has been updated so that any
2569 * kill done after the flush will be checked against the new SID.
2570 */
2571 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2572 if (rc) {
2573 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2574 memset(&itimer, 0, sizeof itimer);
2575 for (i = 0; i < 3; i++)
2576 do_setitimer(i, &itimer, NULL);
2577 }
2578 spin_lock_irq(&current->sighand->siglock);
2579 if (!fatal_signal_pending(current)) {
2580 flush_sigqueue(&current->pending);
2581 flush_sigqueue(&current->signal->shared_pending);
2582 flush_signal_handlers(current, 1);
2583 sigemptyset(&current->blocked);
2584 recalc_sigpending();
2585 }
2586 spin_unlock_irq(&current->sighand->siglock);
2587 }
2588
2589 /* Wake up the parent if it is waiting so that it can recheck
2590 * wait permission to the new task SID. */
2591 read_lock(&tasklist_lock);
2592 __wake_up_parent(current, current->real_parent);
2593 read_unlock(&tasklist_lock);
2594 }
2595
2596 /* superblock security operations */
2597
2598 static int selinux_sb_alloc_security(struct super_block *sb)
2599 {
2600 return superblock_alloc_security(sb);
2601 }
2602
2603 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2604 {
2605 if (plen > olen)
2606 return 0;
2607
2608 return !memcmp(prefix, option, plen);
2609 }
2610
2611 static inline int selinux_option(char *option, int len)
2612 {
2613 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2614 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2615 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2616 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2617 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2618 }
2619
2620 static inline void take_option(char **to, char *from, int *first, int len)
2621 {
2622 if (!*first) {
2623 **to = ',';
2624 *to += 1;
2625 } else
2626 *first = 0;
2627 memcpy(*to, from, len);
2628 *to += len;
2629 }
2630
2631 static inline void take_selinux_option(char **to, char *from, int *first,
2632 int len)
2633 {
2634 int current_size = 0;
2635
2636 if (!*first) {
2637 **to = '|';
2638 *to += 1;
2639 } else
2640 *first = 0;
2641
2642 while (current_size < len) {
2643 if (*from != '"') {
2644 **to = *from;
2645 *to += 1;
2646 }
2647 from += 1;
2648 current_size += 1;
2649 }
2650 }
2651
2652 static int selinux_sb_copy_data(char *orig, char *copy)
2653 {
2654 int fnosec, fsec, rc = 0;
2655 char *in_save, *in_curr, *in_end;
2656 char *sec_curr, *nosec_save, *nosec;
2657 int open_quote = 0;
2658
2659 in_curr = orig;
2660 sec_curr = copy;
2661
2662 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2663 if (!nosec) {
2664 rc = -ENOMEM;
2665 goto out;
2666 }
2667
2668 nosec_save = nosec;
2669 fnosec = fsec = 1;
2670 in_save = in_end = orig;
2671
2672 do {
2673 if (*in_end == '"')
2674 open_quote = !open_quote;
2675 if ((*in_end == ',' && open_quote == 0) ||
2676 *in_end == '\0') {
2677 int len = in_end - in_curr;
2678
2679 if (selinux_option(in_curr, len))
2680 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2681 else
2682 take_option(&nosec, in_curr, &fnosec, len);
2683
2684 in_curr = in_end + 1;
2685 }
2686 } while (*in_end++);
2687
2688 strcpy(in_save, nosec_save);
2689 free_page((unsigned long)nosec_save);
2690 out:
2691 return rc;
2692 }
2693
2694 static int selinux_sb_remount(struct super_block *sb, void *data)
2695 {
2696 int rc, i, *flags;
2697 struct security_mnt_opts opts;
2698 char *secdata, **mount_options;
2699 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2700
2701 if (!(sbsec->flags & SE_SBINITIALIZED))
2702 return 0;
2703
2704 if (!data)
2705 return 0;
2706
2707 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2708 return 0;
2709
2710 security_init_mnt_opts(&opts);
2711 secdata = alloc_secdata();
2712 if (!secdata)
2713 return -ENOMEM;
2714 rc = selinux_sb_copy_data(data, secdata);
2715 if (rc)
2716 goto out_free_secdata;
2717
2718 rc = selinux_parse_opts_str(secdata, &opts);
2719 if (rc)
2720 goto out_free_secdata;
2721
2722 mount_options = opts.mnt_opts;
2723 flags = opts.mnt_opts_flags;
2724
2725 for (i = 0; i < opts.num_mnt_opts; i++) {
2726 u32 sid;
2727
2728 if (flags[i] == SBLABEL_MNT)
2729 continue;
2730 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2731 if (rc) {
2732 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2733 "(%s) failed for (dev %s, type %s) errno=%d\n",
2734 mount_options[i], sb->s_id, sb->s_type->name, rc);
2735 goto out_free_opts;
2736 }
2737 rc = -EINVAL;
2738 switch (flags[i]) {
2739 case FSCONTEXT_MNT:
2740 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2741 goto out_bad_option;
2742 break;
2743 case CONTEXT_MNT:
2744 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2745 goto out_bad_option;
2746 break;
2747 case ROOTCONTEXT_MNT: {
2748 struct inode_security_struct *root_isec;
2749 root_isec = backing_inode_security(sb->s_root);
2750
2751 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2752 goto out_bad_option;
2753 break;
2754 }
2755 case DEFCONTEXT_MNT:
2756 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2757 goto out_bad_option;
2758 break;
2759 default:
2760 goto out_free_opts;
2761 }
2762 }
2763
2764 rc = 0;
2765 out_free_opts:
2766 security_free_mnt_opts(&opts);
2767 out_free_secdata:
2768 free_secdata(secdata);
2769 return rc;
2770 out_bad_option:
2771 printk(KERN_WARNING "SELinux: unable to change security options "
2772 "during remount (dev %s, type=%s)\n", sb->s_id,
2773 sb->s_type->name);
2774 goto out_free_opts;
2775 }
2776
2777 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2778 {
2779 const struct cred *cred = current_cred();
2780 struct common_audit_data ad;
2781 int rc;
2782
2783 rc = superblock_doinit(sb, data);
2784 if (rc)
2785 return rc;
2786
2787 /* Allow all mounts performed by the kernel */
2788 if (flags & MS_KERNMOUNT)
2789 return 0;
2790
2791 ad.type = LSM_AUDIT_DATA_DENTRY;
2792 ad.u.dentry = sb->s_root;
2793 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2794 }
2795
2796 static int selinux_sb_statfs(struct dentry *dentry)
2797 {
2798 const struct cred *cred = current_cred();
2799 struct common_audit_data ad;
2800
2801 ad.type = LSM_AUDIT_DATA_DENTRY;
2802 ad.u.dentry = dentry->d_sb->s_root;
2803 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2804 }
2805
2806 static int selinux_mount(const char *dev_name,
2807 const struct path *path,
2808 const char *type,
2809 unsigned long flags,
2810 void *data)
2811 {
2812 const struct cred *cred = current_cred();
2813
2814 if (flags & MS_REMOUNT)
2815 return superblock_has_perm(cred, path->dentry->d_sb,
2816 FILESYSTEM__REMOUNT, NULL);
2817 else
2818 return path_has_perm(cred, path, FILE__MOUNTON);
2819 }
2820
2821 static int selinux_umount(struct vfsmount *mnt, int flags)
2822 {
2823 const struct cred *cred = current_cred();
2824
2825 return superblock_has_perm(cred, mnt->mnt_sb,
2826 FILESYSTEM__UNMOUNT, NULL);
2827 }
2828
2829 /* inode security operations */
2830
2831 static int selinux_inode_alloc_security(struct inode *inode)
2832 {
2833 return inode_alloc_security(inode);
2834 }
2835
2836 static void selinux_inode_free_security(struct inode *inode)
2837 {
2838 inode_free_security(inode);
2839 }
2840
2841 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2842 const struct qstr *name, void **ctx,
2843 u32 *ctxlen)
2844 {
2845 u32 newsid;
2846 int rc;
2847
2848 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2849 d_inode(dentry->d_parent), name,
2850 inode_mode_to_security_class(mode),
2851 &newsid);
2852 if (rc)
2853 return rc;
2854
2855 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2856 }
2857
2858 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2859 struct qstr *name,
2860 const struct cred *old,
2861 struct cred *new)
2862 {
2863 u32 newsid;
2864 int rc;
2865 struct task_security_struct *tsec;
2866
2867 rc = selinux_determine_inode_label(selinux_cred(old),
2868 d_inode(dentry->d_parent), name,
2869 inode_mode_to_security_class(mode),
2870 &newsid);
2871 if (rc)
2872 return rc;
2873
2874 tsec = selinux_cred(new);
2875 tsec->create_sid = newsid;
2876 return 0;
2877 }
2878
2879 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2880 const struct qstr *qstr,
2881 const char **name,
2882 void **value, size_t *len)
2883 {
2884 const struct task_security_struct *tsec = selinux_cred(current_cred());
2885 struct superblock_security_struct *sbsec;
2886 u32 newsid, clen;
2887 int rc;
2888 char *context;
2889
2890 sbsec = selinux_superblock(dir->i_sb);
2891
2892 newsid = tsec->create_sid;
2893
2894 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2895 dir, qstr,
2896 inode_mode_to_security_class(inode->i_mode),
2897 &newsid);
2898 if (rc)
2899 return rc;
2900
2901 /* Possibly defer initialization to selinux_complete_init. */
2902 if (sbsec->flags & SE_SBINITIALIZED) {
2903 struct inode_security_struct *isec = selinux_inode(inode);
2904 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2905 isec->sid = newsid;
2906 isec->initialized = LABEL_INITIALIZED;
2907 }
2908
2909 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2910 return -EOPNOTSUPP;
2911
2912 if (name)
2913 *name = XATTR_SELINUX_SUFFIX;
2914
2915 if (value && len) {
2916 rc = security_sid_to_context_force(newsid, &context, &clen);
2917 if (rc)
2918 return rc;
2919 *value = context;
2920 *len = clen;
2921 }
2922
2923 return 0;
2924 }
2925
2926 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2927 {
2928 return may_create(dir, dentry, SECCLASS_FILE);
2929 }
2930
2931 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2932 {
2933 return may_link(dir, old_dentry, MAY_LINK);
2934 }
2935
2936 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2937 {
2938 return may_link(dir, dentry, MAY_UNLINK);
2939 }
2940
2941 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2942 {
2943 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2944 }
2945
2946 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2947 {
2948 return may_create(dir, dentry, SECCLASS_DIR);
2949 }
2950
2951 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2952 {
2953 return may_link(dir, dentry, MAY_RMDIR);
2954 }
2955
2956 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2957 {
2958 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2959 }
2960
2961 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2962 struct inode *new_inode, struct dentry *new_dentry)
2963 {
2964 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2965 }
2966
2967 static int selinux_inode_readlink(struct dentry *dentry)
2968 {
2969 const struct cred *cred = current_cred();
2970
2971 return dentry_has_perm(cred, dentry, FILE__READ);
2972 }
2973
2974 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2975 bool rcu)
2976 {
2977 const struct cred *cred = current_cred();
2978 struct common_audit_data ad;
2979 struct inode_security_struct *isec;
2980 u32 sid;
2981
2982 validate_creds(cred);
2983
2984 ad.type = LSM_AUDIT_DATA_DENTRY;
2985 ad.u.dentry = dentry;
2986 sid = cred_sid(cred);
2987 isec = inode_security_rcu(inode, rcu);
2988 if (IS_ERR(isec))
2989 return PTR_ERR(isec);
2990
2991 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2992 rcu ? MAY_NOT_BLOCK : 0);
2993 }
2994
2995 static noinline int audit_inode_permission(struct inode *inode,
2996 u32 perms, u32 audited, u32 denied,
2997 int result,
2998 unsigned flags)
2999 {
3000 struct common_audit_data ad;
3001 struct inode_security_struct *isec = selinux_inode(inode);
3002 int rc;
3003
3004 ad.type = LSM_AUDIT_DATA_INODE;
3005 ad.u.inode = inode;
3006
3007 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3008 audited, denied, result, &ad, flags);
3009 if (rc)
3010 return rc;
3011 return 0;
3012 }
3013
3014 static int selinux_inode_permission(struct inode *inode, int mask)
3015 {
3016 const struct cred *cred = current_cred();
3017 u32 perms;
3018 bool from_access;
3019 unsigned flags = mask & MAY_NOT_BLOCK;
3020 struct inode_security_struct *isec;
3021 u32 sid;
3022 struct av_decision avd;
3023 int rc, rc2;
3024 u32 audited, denied;
3025
3026 from_access = mask & MAY_ACCESS;
3027 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3028
3029 /* No permission to check. Existence test. */
3030 if (!mask)
3031 return 0;
3032
3033 validate_creds(cred);
3034
3035 if (unlikely(IS_PRIVATE(inode)))
3036 return 0;
3037
3038 perms = file_mask_to_av(inode->i_mode, mask);
3039
3040 sid = cred_sid(cred);
3041 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3042 if (IS_ERR(isec))
3043 return PTR_ERR(isec);
3044
3045 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3046 audited = avc_audit_required(perms, &avd, rc,
3047 from_access ? FILE__AUDIT_ACCESS : 0,
3048 &denied);
3049 if (likely(!audited))
3050 return rc;
3051
3052 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3053 if (rc2)
3054 return rc2;
3055 return rc;
3056 }
3057
3058 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3059 {
3060 const struct cred *cred = current_cred();
3061 struct inode *inode = d_backing_inode(dentry);
3062 unsigned int ia_valid = iattr->ia_valid;
3063 __u32 av = FILE__WRITE;
3064
3065 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3066 if (ia_valid & ATTR_FORCE) {
3067 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3068 ATTR_FORCE);
3069 if (!ia_valid)
3070 return 0;
3071 }
3072
3073 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3074 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3075 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3076
3077 if (selinux_policycap_openperm &&
3078 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3079 (ia_valid & ATTR_SIZE) &&
3080 !(ia_valid & ATTR_FILE))
3081 av |= FILE__OPEN;
3082
3083 return dentry_has_perm(cred, dentry, av);
3084 }
3085
3086 static int selinux_inode_getattr(const struct path *path)
3087 {
3088 return path_has_perm(current_cred(), path, FILE__GETATTR);
3089 }
3090
3091 static bool has_cap_mac_admin(bool audit)
3092 {
3093 const struct cred *cred = current_cred();
3094 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3095
3096 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3097 return false;
3098 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3099 return false;
3100 return true;
3101 }
3102
3103 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3104 const void *value, size_t size, int flags)
3105 {
3106 struct inode *inode = d_backing_inode(dentry);
3107 struct inode_security_struct *isec;
3108 struct superblock_security_struct *sbsec;
3109 struct common_audit_data ad;
3110 u32 newsid, sid = current_sid();
3111 int rc = 0;
3112
3113 if (strcmp(name, XATTR_NAME_SELINUX)) {
3114 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3115 if (rc)
3116 return rc;
3117
3118 /* Not an attribute we recognize, so just check the
3119 ordinary setattr permission. */
3120 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3121 }
3122
3123 sbsec = selinux_superblock(inode->i_sb);
3124 if (!(sbsec->flags & SBLABEL_MNT))
3125 return -EOPNOTSUPP;
3126
3127 if (!inode_owner_or_capable(inode))
3128 return -EPERM;
3129
3130 ad.type = LSM_AUDIT_DATA_DENTRY;
3131 ad.u.dentry = dentry;
3132
3133 isec = backing_inode_security(dentry);
3134 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3135 FILE__RELABELFROM, &ad);
3136 if (rc)
3137 return rc;
3138
3139 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3140 if (rc == -EINVAL) {
3141 if (!has_cap_mac_admin(true)) {
3142 struct audit_buffer *ab;
3143 size_t audit_size;
3144
3145 /* We strip a nul only if it is at the end, otherwise the
3146 * context contains a nul and we should audit that */
3147 if (value) {
3148 const char *str = value;
3149
3150 if (str[size - 1] == '\0')
3151 audit_size = size - 1;
3152 else
3153 audit_size = size;
3154 } else {
3155 audit_size = 0;
3156 }
3157 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3158 audit_log_format(ab, "op=setxattr invalid_context=");
3159 audit_log_n_untrustedstring(ab, value, audit_size);
3160 audit_log_end(ab);
3161
3162 return rc;
3163 }
3164 rc = security_context_to_sid_force(value, size, &newsid);
3165 }
3166 if (rc)
3167 return rc;
3168
3169 rc = avc_has_perm(sid, newsid, isec->sclass,
3170 FILE__RELABELTO, &ad);
3171 if (rc)
3172 return rc;
3173
3174 rc = security_validate_transition(isec->sid, newsid, sid,
3175 isec->sclass);
3176 if (rc)
3177 return rc;
3178
3179 return avc_has_perm(newsid,
3180 sbsec->sid,
3181 SECCLASS_FILESYSTEM,
3182 FILESYSTEM__ASSOCIATE,
3183 &ad);
3184 }
3185
3186 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3187 const void *value, size_t size,
3188 int flags)
3189 {
3190 struct inode *inode = d_backing_inode(dentry);
3191 struct inode_security_struct *isec;
3192 u32 newsid;
3193 int rc;
3194
3195 if (strcmp(name, XATTR_NAME_SELINUX)) {
3196 /* Not an attribute we recognize, so nothing to do. */
3197 return;
3198 }
3199
3200 rc = security_context_to_sid_force(value, size, &newsid);
3201 if (rc) {
3202 printk(KERN_ERR "SELinux: unable to map context to SID"
3203 "for (%s, %lu), rc=%d\n",
3204 inode->i_sb->s_id, inode->i_ino, -rc);
3205 return;
3206 }
3207
3208 isec = backing_inode_security(dentry);
3209 spin_lock(&isec->lock);
3210 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3211 isec->sid = newsid;
3212 isec->initialized = LABEL_INITIALIZED;
3213 spin_unlock(&isec->lock);
3214
3215 return;
3216 }
3217
3218 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3219 {
3220 const struct cred *cred = current_cred();
3221
3222 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3223 }
3224
3225 static int selinux_inode_listxattr(struct dentry *dentry)
3226 {
3227 const struct cred *cred = current_cred();
3228
3229 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3230 }
3231
3232 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3233 {
3234 if (strcmp(name, XATTR_NAME_SELINUX)) {
3235 int rc = cap_inode_removexattr(dentry, name);
3236 if (rc)
3237 return rc;
3238
3239 /* Not an attribute we recognize, so just check the
3240 ordinary setattr permission. */
3241 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3242 }
3243
3244 /* No one is allowed to remove a SELinux security label.
3245 You can change the label, but all data must be labeled. */
3246 return -EACCES;
3247 }
3248
3249 /*
3250 * Copy the inode security context value to the user.
3251 *
3252 * Permission check is handled by selinux_inode_getxattr hook.
3253 */
3254 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3255 {
3256 u32 size;
3257 int error;
3258 char *context = NULL;
3259 struct inode_security_struct *isec;
3260
3261 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3262 return -EOPNOTSUPP;
3263
3264 /*
3265 * If the caller has CAP_MAC_ADMIN, then get the raw context
3266 * value even if it is not defined by current policy; otherwise,
3267 * use the in-core value under current policy.
3268 * Use the non-auditing forms of the permission checks since
3269 * getxattr may be called by unprivileged processes commonly
3270 * and lack of permission just means that we fall back to the
3271 * in-core context value, not a denial.
3272 */
3273 isec = inode_security(inode);
3274 if (has_cap_mac_admin(false))
3275 error = security_sid_to_context_force(isec->sid, &context,
3276 &size);
3277 else
3278 error = security_sid_to_context(isec->sid, &context, &size);
3279 if (error)
3280 return error;
3281 error = size;
3282 if (alloc) {
3283 *buffer = context;
3284 goto out_nofree;
3285 }
3286 kfree(context);
3287 out_nofree:
3288 return error;
3289 }
3290
3291 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3292 const void *value, size_t size, int flags)
3293 {
3294 struct inode_security_struct *isec = inode_security_novalidate(inode);
3295 u32 newsid;
3296 int rc;
3297
3298 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3299 return -EOPNOTSUPP;
3300
3301 if (!value || !size)
3302 return -EACCES;
3303
3304 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3305 if (rc)
3306 return rc;
3307
3308 spin_lock(&isec->lock);
3309 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3310 isec->sid = newsid;
3311 isec->initialized = LABEL_INITIALIZED;
3312 spin_unlock(&isec->lock);
3313 return 0;
3314 }
3315
3316 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3317 {
3318 const int len = sizeof(XATTR_NAME_SELINUX);
3319 if (buffer && len <= buffer_size)
3320 memcpy(buffer, XATTR_NAME_SELINUX, len);
3321 return len;
3322 }
3323
3324 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3325 {
3326 struct inode_security_struct *isec = inode_security_novalidate(inode);
3327 *secid = isec->sid;
3328 }
3329
3330 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3331 {
3332 u32 sid;
3333 struct task_security_struct *tsec;
3334 struct cred *new_creds = *new;
3335
3336 if (new_creds == NULL) {
3337 new_creds = prepare_creds();
3338 if (!new_creds)
3339 return -ENOMEM;
3340 }
3341
3342 tsec = selinux_cred(new_creds);
3343 /* Get label from overlay inode and set it in create_sid */
3344 selinux_inode_getsecid(d_inode(src), &sid);
3345 tsec->create_sid = sid;
3346 *new = new_creds;
3347 return 0;
3348 }
3349
3350 static int selinux_inode_copy_up_xattr(const char *name)
3351 {
3352 /* The copy_up hook above sets the initial context on an inode, but we
3353 * don't then want to overwrite it by blindly copying all the lower
3354 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3355 */
3356 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3357 return 1; /* Discard */
3358 /*
3359 * Any other attribute apart from SELINUX is not claimed, supported
3360 * by selinux.
3361 */
3362 return -EOPNOTSUPP;
3363 }
3364
3365 /* file security operations */
3366
3367 static int selinux_revalidate_file_permission(struct file *file, int mask)
3368 {
3369 const struct cred *cred = current_cred();
3370 struct inode *inode = file_inode(file);
3371
3372 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3373 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3374 mask |= MAY_APPEND;
3375
3376 return file_has_perm(cred, file,
3377 file_mask_to_av(inode->i_mode, mask));
3378 }
3379
3380 static int selinux_file_permission(struct file *file, int mask)
3381 {
3382 struct inode *inode = file_inode(file);
3383 struct file_security_struct *fsec = selinux_file(file);
3384 struct inode_security_struct *isec;
3385 u32 sid = current_sid();
3386
3387 if (!mask)
3388 /* No permission to check. Existence test. */
3389 return 0;
3390
3391 isec = inode_security(inode);
3392 if (sid == fsec->sid && fsec->isid == isec->sid &&
3393 fsec->pseqno == avc_policy_seqno())
3394 /* No change since file_open check. */
3395 return 0;
3396
3397 return selinux_revalidate_file_permission(file, mask);
3398 }
3399
3400 static int selinux_file_alloc_security(struct file *file)
3401 {
3402 return file_alloc_security(file);
3403 }
3404
3405 /*
3406 * Check whether a task has the ioctl permission and cmd
3407 * operation to an inode.
3408 */
3409 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3410 u32 requested, u16 cmd)
3411 {
3412 struct common_audit_data ad;
3413 struct file_security_struct *fsec = selinux_file(file);
3414 struct inode *inode = file_inode(file);
3415 struct inode_security_struct *isec;
3416 struct lsm_ioctlop_audit ioctl;
3417 u32 ssid = cred_sid(cred);
3418 int rc;
3419 u8 driver = cmd >> 8;
3420 u8 xperm = cmd & 0xff;
3421
3422 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3423 ad.u.op = &ioctl;
3424 ad.u.op->cmd = cmd;
3425 ad.u.op->path = file->f_path;
3426
3427 if (ssid != fsec->sid) {
3428 rc = avc_has_perm(ssid, fsec->sid,
3429 SECCLASS_FD,
3430 FD__USE,
3431 &ad);
3432 if (rc)
3433 goto out;
3434 }
3435
3436 if (unlikely(IS_PRIVATE(inode)))
3437 return 0;
3438
3439 isec = inode_security(inode);
3440 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3441 requested, driver, xperm, &ad);
3442 out:
3443 return rc;
3444 }
3445
3446 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3447 unsigned long arg)
3448 {
3449 const struct cred *cred = current_cred();
3450 int error = 0;
3451
3452 switch (cmd) {
3453 case FIONREAD:
3454 /* fall through */
3455 case FIBMAP:
3456 /* fall through */
3457 case FIGETBSZ:
3458 /* fall through */
3459 case FS_IOC_GETFLAGS:
3460 /* fall through */
3461 case FS_IOC_GETVERSION:
3462 error = file_has_perm(cred, file, FILE__GETATTR);
3463 break;
3464
3465 case FS_IOC_SETFLAGS:
3466 /* fall through */
3467 case FS_IOC_SETVERSION:
3468 error = file_has_perm(cred, file, FILE__SETATTR);
3469 break;
3470
3471 /* sys_ioctl() checks */
3472 case FIONBIO:
3473 /* fall through */
3474 case FIOASYNC:
3475 error = file_has_perm(cred, file, 0);
3476 break;
3477
3478 case KDSKBENT:
3479 case KDSKBSENT:
3480 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3481 SECURITY_CAP_AUDIT, true);
3482 break;
3483
3484 /* default case assumes that the command will go
3485 * to the file's ioctl() function.
3486 */
3487 default:
3488 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3489 }
3490 return error;
3491 }
3492
3493 static int default_noexec;
3494
3495 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3496 {
3497 const struct cred *cred = current_cred();
3498 u32 sid = cred_sid(cred);
3499 int rc = 0;
3500
3501 if (default_noexec &&
3502 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3503 (!shared && (prot & PROT_WRITE)))) {
3504 /*
3505 * We are making executable an anonymous mapping or a
3506 * private file mapping that will also be writable.
3507 * This has an additional check.
3508 */
3509 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3510 PROCESS__EXECMEM, NULL);
3511 if (rc)
3512 goto error;
3513 }
3514
3515 if (file) {
3516 /* read access is always possible with a mapping */
3517 u32 av = FILE__READ;
3518
3519 /* write access only matters if the mapping is shared */
3520 if (shared && (prot & PROT_WRITE))
3521 av |= FILE__WRITE;
3522
3523 if (prot & PROT_EXEC)
3524 av |= FILE__EXECUTE;
3525
3526 return file_has_perm(cred, file, av);
3527 }
3528
3529 error:
3530 return rc;
3531 }
3532
3533 static int selinux_mmap_addr(unsigned long addr)
3534 {
3535 int rc = 0;
3536
3537 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3538 u32 sid = current_sid();
3539 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3540 MEMPROTECT__MMAP_ZERO, NULL);
3541 }
3542
3543 return rc;
3544 }
3545
3546 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3547 unsigned long prot, unsigned long flags)
3548 {
3549 struct common_audit_data ad;
3550 int rc;
3551
3552 if (file) {
3553 ad.type = LSM_AUDIT_DATA_FILE;
3554 ad.u.file = file;
3555 rc = inode_has_perm(current_cred(), file_inode(file),
3556 FILE__MAP, &ad);
3557 if (rc)
3558 return rc;
3559 }
3560
3561 if (selinux_checkreqprot)
3562 prot = reqprot;
3563
3564 return file_map_prot_check(file, prot,
3565 (flags & MAP_TYPE) == MAP_SHARED);
3566 }
3567
3568 static int selinux_file_mprotect(struct vm_area_struct *vma,
3569 unsigned long reqprot,
3570 unsigned long prot)
3571 {
3572 const struct cred *cred = current_cred();
3573 u32 sid = cred_sid(cred);
3574
3575 if (selinux_checkreqprot)
3576 prot = reqprot;
3577
3578 if (default_noexec &&
3579 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3580 int rc = 0;
3581 if (vma->vm_start >= vma->vm_mm->start_brk &&
3582 vma->vm_end <= vma->vm_mm->brk) {
3583 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3584 PROCESS__EXECHEAP, NULL);
3585 } else if (!vma->vm_file &&
3586 ((vma->vm_start <= vma->vm_mm->start_stack &&
3587 vma->vm_end >= vma->vm_mm->start_stack) ||
3588 vma_is_stack_for_current(vma))) {
3589 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3590 PROCESS__EXECSTACK, NULL);
3591 } else if (vma->vm_file && vma->anon_vma) {
3592 /*
3593 * We are making executable a file mapping that has
3594 * had some COW done. Since pages might have been
3595 * written, check ability to execute the possibly
3596 * modified content. This typically should only
3597 * occur for text relocations.
3598 */
3599 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3600 }
3601 if (rc)
3602 return rc;
3603 }
3604
3605 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3606 }
3607
3608 static int selinux_file_lock(struct file *file, unsigned int cmd)
3609 {
3610 const struct cred *cred = current_cred();
3611
3612 return file_has_perm(cred, file, FILE__LOCK);
3613 }
3614
3615 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3616 unsigned long arg)
3617 {
3618 const struct cred *cred = current_cred();
3619 int err = 0;
3620
3621 switch (cmd) {
3622 case F_SETFL:
3623 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3624 err = file_has_perm(cred, file, FILE__WRITE);
3625 break;
3626 }
3627 /* fall through */
3628 case F_SETOWN:
3629 case F_SETSIG:
3630 case F_GETFL:
3631 case F_GETOWN:
3632 case F_GETSIG:
3633 case F_GETOWNER_UIDS:
3634 /* Just check FD__USE permission */
3635 err = file_has_perm(cred, file, 0);
3636 break;
3637 case F_GETLK:
3638 case F_SETLK:
3639 case F_SETLKW:
3640 case F_OFD_GETLK:
3641 case F_OFD_SETLK:
3642 case F_OFD_SETLKW:
3643 #if BITS_PER_LONG == 32
3644 case F_GETLK64:
3645 case F_SETLK64:
3646 case F_SETLKW64:
3647 #endif
3648 err = file_has_perm(cred, file, FILE__LOCK);
3649 break;
3650 }
3651
3652 return err;
3653 }
3654
3655 static void selinux_file_set_fowner(struct file *file)
3656 {
3657 struct file_security_struct *fsec;
3658
3659 fsec = selinux_file(file);
3660 fsec->fown_sid = current_sid();
3661 }
3662
3663 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3664 struct fown_struct *fown, int signum)
3665 {
3666 struct file *file;
3667 u32 sid = task_sid(tsk);
3668 u32 perm;
3669 struct file_security_struct *fsec;
3670
3671 /* struct fown_struct is never outside the context of a struct file */
3672 file = container_of(fown, struct file, f_owner);
3673
3674 fsec = selinux_file(file);
3675
3676 if (!signum)
3677 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3678 else
3679 perm = signal_to_av(signum);
3680
3681 return avc_has_perm(fsec->fown_sid, sid,
3682 SECCLASS_PROCESS, perm, NULL);
3683 }
3684
3685 static int selinux_file_receive(struct file *file)
3686 {
3687 const struct cred *cred = current_cred();
3688
3689 return file_has_perm(cred, file, file_to_av(file));
3690 }
3691
3692 static int selinux_file_open(struct file *file, const struct cred *cred)
3693 {
3694 struct file_security_struct *fsec;
3695 struct inode_security_struct *isec;
3696
3697 fsec = selinux_file(file);
3698 isec = inode_security(file_inode(file));
3699 /*
3700 * Save inode label and policy sequence number
3701 * at open-time so that selinux_file_permission
3702 * can determine whether revalidation is necessary.
3703 * Task label is already saved in the file security
3704 * struct as its SID.
3705 */
3706 fsec->isid = isec->sid;
3707 fsec->pseqno = avc_policy_seqno();
3708 /*
3709 * Since the inode label or policy seqno may have changed
3710 * between the selinux_inode_permission check and the saving
3711 * of state above, recheck that access is still permitted.
3712 * Otherwise, access might never be revalidated against the
3713 * new inode label or new policy.
3714 * This check is not redundant - do not remove.
3715 */
3716 return file_path_has_perm(cred, file, open_file_to_av(file));
3717 }
3718
3719 /* task security operations */
3720
3721 static int selinux_task_alloc(struct task_struct *task,
3722 unsigned long clone_flags)
3723 {
3724 u32 sid = current_sid();
3725
3726 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3727 }
3728
3729 /*
3730 * prepare a new set of credentials for modification
3731 */
3732 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3733 gfp_t gfp)
3734 {
3735 const struct task_security_struct *old_tsec = selinux_cred(old);
3736 struct task_security_struct *tsec = selinux_cred(new);
3737
3738 *tsec = *old_tsec;
3739
3740 return 0;
3741 }
3742
3743 /*
3744 * transfer the SELinux data to a blank set of creds
3745 */
3746 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3747 {
3748 const struct task_security_struct *old_tsec = selinux_cred(old);
3749 struct task_security_struct *tsec = selinux_cred(new);
3750
3751 *tsec = *old_tsec;
3752 }
3753
3754 /*
3755 * set the security data for a kernel service
3756 * - all the creation contexts are set to unlabelled
3757 */
3758 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3759 {
3760 struct task_security_struct *tsec = selinux_cred(new);
3761 u32 sid = current_sid();
3762 int ret;
3763
3764 ret = avc_has_perm(sid, secid,
3765 SECCLASS_KERNEL_SERVICE,
3766 KERNEL_SERVICE__USE_AS_OVERRIDE,
3767 NULL);
3768 if (ret == 0) {
3769 tsec->sid = secid;
3770 tsec->create_sid = 0;
3771 tsec->keycreate_sid = 0;
3772 tsec->sockcreate_sid = 0;
3773 }
3774 return ret;
3775 }
3776
3777 /*
3778 * set the file creation context in a security record to the same as the
3779 * objective context of the specified inode
3780 */
3781 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3782 {
3783 struct inode_security_struct *isec = inode_security(inode);
3784 struct task_security_struct *tsec = selinux_cred(new);
3785 u32 sid = current_sid();
3786 int ret;
3787
3788 ret = avc_has_perm(sid, isec->sid,
3789 SECCLASS_KERNEL_SERVICE,
3790 KERNEL_SERVICE__CREATE_FILES_AS,
3791 NULL);
3792
3793 if (ret == 0)
3794 tsec->create_sid = isec->sid;
3795 return ret;
3796 }
3797
3798 static int selinux_kernel_module_request(char *kmod_name)
3799 {
3800 struct common_audit_data ad;
3801
3802 ad.type = LSM_AUDIT_DATA_KMOD;
3803 ad.u.kmod_name = kmod_name;
3804
3805 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3806 SYSTEM__MODULE_REQUEST, &ad);
3807 }
3808
3809 static int selinux_kernel_module_from_file(struct file *file)
3810 {
3811 struct common_audit_data ad;
3812 struct inode_security_struct *isec;
3813 struct file_security_struct *fsec;
3814 u32 sid = current_sid();
3815 int rc;
3816
3817 /* init_module */
3818 if (file == NULL)
3819 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3820 SYSTEM__MODULE_LOAD, NULL);
3821
3822 /* finit_module */
3823
3824 ad.type = LSM_AUDIT_DATA_FILE;
3825 ad.u.file = file;
3826
3827 fsec = selinux_file(file);
3828 if (sid != fsec->sid) {
3829 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3830 if (rc)
3831 return rc;
3832 }
3833
3834 isec = inode_security(file_inode(file));
3835 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3836 SYSTEM__MODULE_LOAD, &ad);
3837 }
3838
3839 static int selinux_kernel_read_file(struct file *file,
3840 enum kernel_read_file_id id)
3841 {
3842 int rc = 0;
3843
3844 switch (id) {
3845 case READING_MODULE:
3846 rc = selinux_kernel_module_from_file(file);
3847 break;
3848 default:
3849 break;
3850 }
3851
3852 return rc;
3853 }
3854
3855 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3856 {
3857 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3858 PROCESS__SETPGID, NULL);
3859 }
3860
3861 static int selinux_task_getpgid(struct task_struct *p)
3862 {
3863 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3864 PROCESS__GETPGID, NULL);
3865 }
3866
3867 static int selinux_task_getsid(struct task_struct *p)
3868 {
3869 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3870 PROCESS__GETSESSION, NULL);
3871 }
3872
3873 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3874 {
3875 *secid = task_sid(p);
3876 }
3877
3878 static int selinux_task_setnice(struct task_struct *p, int nice)
3879 {
3880 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3881 PROCESS__SETSCHED, NULL);
3882 }
3883
3884 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3885 {
3886 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3887 PROCESS__SETSCHED, NULL);
3888 }
3889
3890 static int selinux_task_getioprio(struct task_struct *p)
3891 {
3892 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3893 PROCESS__GETSCHED, NULL);
3894 }
3895
3896 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3897 unsigned int flags)
3898 {
3899 u32 av = 0;
3900
3901 if (!flags)
3902 return 0;
3903 if (flags & LSM_PRLIMIT_WRITE)
3904 av |= PROCESS__SETRLIMIT;
3905 if (flags & LSM_PRLIMIT_READ)
3906 av |= PROCESS__GETRLIMIT;
3907 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
3908 SECCLASS_PROCESS, av, NULL);
3909 }
3910
3911 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3912 struct rlimit *new_rlim)
3913 {
3914 struct rlimit *old_rlim = p->signal->rlim + resource;
3915
3916 /* Control the ability to change the hard limit (whether
3917 lowering or raising it), so that the hard limit can
3918 later be used as a safe reset point for the soft limit
3919 upon context transitions. See selinux_bprm_committing_creds. */
3920 if (old_rlim->rlim_max != new_rlim->rlim_max)
3921 return avc_has_perm(current_sid(), task_sid(p),
3922 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
3923
3924 return 0;
3925 }
3926
3927 static int selinux_task_setscheduler(struct task_struct *p)
3928 {
3929 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3930 PROCESS__SETSCHED, NULL);
3931 }
3932
3933 static int selinux_task_getscheduler(struct task_struct *p)
3934 {
3935 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3936 PROCESS__GETSCHED, NULL);
3937 }
3938
3939 static int selinux_task_movememory(struct task_struct *p)
3940 {
3941 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3942 PROCESS__SETSCHED, NULL);
3943 }
3944
3945 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3946 int sig, u32 secid)
3947 {
3948 u32 perm;
3949
3950 if (!sig)
3951 perm = PROCESS__SIGNULL; /* null signal; existence test */
3952 else
3953 perm = signal_to_av(sig);
3954 if (!secid)
3955 secid = current_sid();
3956 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
3957 }
3958
3959 static void selinux_task_to_inode(struct task_struct *p,
3960 struct inode *inode)
3961 {
3962 struct inode_security_struct *isec = selinux_inode(inode);
3963 u32 sid = task_sid(p);
3964
3965 spin_lock(&isec->lock);
3966 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3967 isec->sid = sid;
3968 isec->initialized = LABEL_INITIALIZED;
3969 spin_unlock(&isec->lock);
3970 }
3971
3972 /* Returns error only if unable to parse addresses */
3973 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3974 struct common_audit_data *ad, u8 *proto)
3975 {
3976 int offset, ihlen, ret = -EINVAL;
3977 struct iphdr _iph, *ih;
3978
3979 offset = skb_network_offset(skb);
3980 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3981 if (ih == NULL)
3982 goto out;
3983
3984 ihlen = ih->ihl * 4;
3985 if (ihlen < sizeof(_iph))
3986 goto out;
3987
3988 ad->u.net->v4info.saddr = ih->saddr;
3989 ad->u.net->v4info.daddr = ih->daddr;
3990 ret = 0;
3991
3992 if (proto)
3993 *proto = ih->protocol;
3994
3995 switch (ih->protocol) {
3996 case IPPROTO_TCP: {
3997 struct tcphdr _tcph, *th;
3998
3999 if (ntohs(ih->frag_off) & IP_OFFSET)
4000 break;
4001
4002 offset += ihlen;
4003 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4004 if (th == NULL)
4005 break;
4006
4007 ad->u.net->sport = th->source;
4008 ad->u.net->dport = th->dest;
4009 break;
4010 }
4011
4012 case IPPROTO_UDP: {
4013 struct udphdr _udph, *uh;
4014
4015 if (ntohs(ih->frag_off) & IP_OFFSET)
4016 break;
4017
4018 offset += ihlen;
4019 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4020 if (uh == NULL)
4021 break;
4022
4023 ad->u.net->sport = uh->source;
4024 ad->u.net->dport = uh->dest;
4025 break;
4026 }
4027
4028 case IPPROTO_DCCP: {
4029 struct dccp_hdr _dccph, *dh;
4030
4031 if (ntohs(ih->frag_off) & IP_OFFSET)
4032 break;
4033
4034 offset += ihlen;
4035 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4036 if (dh == NULL)
4037 break;
4038
4039 ad->u.net->sport = dh->dccph_sport;
4040 ad->u.net->dport = dh->dccph_dport;
4041 break;
4042 }
4043
4044 default:
4045 break;
4046 }
4047 out:
4048 return ret;
4049 }
4050
4051 #if IS_ENABLED(CONFIG_IPV6)
4052
4053 /* Returns error only if unable to parse addresses */
4054 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4055 struct common_audit_data *ad, u8 *proto)
4056 {
4057 u8 nexthdr;
4058 int ret = -EINVAL, offset;
4059 struct ipv6hdr _ipv6h, *ip6;
4060 __be16 frag_off;
4061
4062 offset = skb_network_offset(skb);
4063 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4064 if (ip6 == NULL)
4065 goto out;
4066
4067 ad->u.net->v6info.saddr = ip6->saddr;
4068 ad->u.net->v6info.daddr = ip6->daddr;
4069 ret = 0;
4070
4071 nexthdr = ip6->nexthdr;
4072 offset += sizeof(_ipv6h);
4073 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4074 if (offset < 0)
4075 goto out;
4076
4077 if (proto)
4078 *proto = nexthdr;
4079
4080 switch (nexthdr) {
4081 case IPPROTO_TCP: {
4082 struct tcphdr _tcph, *th;
4083
4084 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4085 if (th == NULL)
4086 break;
4087
4088 ad->u.net->sport = th->source;
4089 ad->u.net->dport = th->dest;
4090 break;
4091 }
4092
4093 case IPPROTO_UDP: {
4094 struct udphdr _udph, *uh;
4095
4096 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4097 if (uh == NULL)
4098 break;
4099
4100 ad->u.net->sport = uh->source;
4101 ad->u.net->dport = uh->dest;
4102 break;
4103 }
4104
4105 case IPPROTO_DCCP: {
4106 struct dccp_hdr _dccph, *dh;
4107
4108 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4109 if (dh == NULL)
4110 break;
4111
4112 ad->u.net->sport = dh->dccph_sport;
4113 ad->u.net->dport = dh->dccph_dport;
4114 break;
4115 }
4116
4117 /* includes fragments */
4118 default:
4119 break;
4120 }
4121 out:
4122 return ret;
4123 }
4124
4125 #endif /* IPV6 */
4126
4127 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4128 char **_addrp, int src, u8 *proto)
4129 {
4130 char *addrp;
4131 int ret;
4132
4133 switch (ad->u.net->family) {
4134 case PF_INET:
4135 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4136 if (ret)
4137 goto parse_error;
4138 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4139 &ad->u.net->v4info.daddr);
4140 goto okay;
4141
4142 #if IS_ENABLED(CONFIG_IPV6)
4143 case PF_INET6:
4144 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4145 if (ret)
4146 goto parse_error;
4147 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4148 &ad->u.net->v6info.daddr);
4149 goto okay;
4150 #endif /* IPV6 */
4151 default:
4152 addrp = NULL;
4153 goto okay;
4154 }
4155
4156 parse_error:
4157 printk(KERN_WARNING
4158 "SELinux: failure in selinux_parse_skb(),"
4159 " unable to parse packet\n");
4160 return ret;
4161
4162 okay:
4163 if (_addrp)
4164 *_addrp = addrp;
4165 return 0;
4166 }
4167
4168 /**
4169 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4170 * @skb: the packet
4171 * @family: protocol family
4172 * @sid: the packet's peer label SID
4173 *
4174 * Description:
4175 * Check the various different forms of network peer labeling and determine
4176 * the peer label/SID for the packet; most of the magic actually occurs in
4177 * the security server function security_net_peersid_cmp(). The function
4178 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4179 * or -EACCES if @sid is invalid due to inconsistencies with the different
4180 * peer labels.
4181 *
4182 */
4183 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4184 {
4185 int err;
4186 u32 xfrm_sid;
4187 u32 nlbl_sid;
4188 u32 nlbl_type;
4189
4190 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4191 if (unlikely(err))
4192 return -EACCES;
4193 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4194 if (unlikely(err))
4195 return -EACCES;
4196
4197 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4198 if (unlikely(err)) {
4199 printk(KERN_WARNING
4200 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4201 " unable to determine packet's peer label\n");
4202 return -EACCES;
4203 }
4204
4205 return 0;
4206 }
4207
4208 /**
4209 * selinux_conn_sid - Determine the child socket label for a connection
4210 * @sk_sid: the parent socket's SID
4211 * @skb_sid: the packet's SID
4212 * @conn_sid: the resulting connection SID
4213 *
4214 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4215 * combined with the MLS information from @skb_sid in order to create
4216 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4217 * of @sk_sid. Returns zero on success, negative values on failure.
4218 *
4219 */
4220 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4221 {
4222 int err = 0;
4223
4224 if (skb_sid != SECSID_NULL)
4225 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4226 else
4227 *conn_sid = sk_sid;
4228
4229 return err;
4230 }
4231
4232 /* socket security operations */
4233
4234 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4235 u16 secclass, u32 *socksid)
4236 {
4237 if (tsec->sockcreate_sid > SECSID_NULL) {
4238 *socksid = tsec->sockcreate_sid;
4239 return 0;
4240 }
4241
4242 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4243 socksid);
4244 }
4245
4246 static int sock_has_perm(struct sock *sk, u32 perms)
4247 {
4248 struct sk_security_struct *sksec = selinux_sock(sk);
4249 struct common_audit_data ad;
4250 struct lsm_network_audit net = {0,};
4251
4252 if (sksec->sid == SECINITSID_KERNEL)
4253 return 0;
4254
4255 ad.type = LSM_AUDIT_DATA_NET;
4256 ad.u.net = &net;
4257 ad.u.net->sk = sk;
4258
4259 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4260 &ad);
4261 }
4262
4263 static int selinux_socket_create(int family, int type,
4264 int protocol, int kern)
4265 {
4266 const struct task_security_struct *tsec = selinux_cred(current_cred());
4267 u32 newsid;
4268 u16 secclass;
4269 int rc;
4270
4271 if (kern)
4272 return 0;
4273
4274 secclass = socket_type_to_security_class(family, type, protocol);
4275 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4276 if (rc)
4277 return rc;
4278
4279 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4280 }
4281
4282 static int selinux_socket_post_create(struct socket *sock, int family,
4283 int type, int protocol, int kern)
4284 {
4285 const struct task_security_struct *tsec = selinux_cred(current_cred());
4286 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4287 struct sk_security_struct *sksec;
4288 u16 sclass = socket_type_to_security_class(family, type, protocol);
4289 u32 sid = SECINITSID_KERNEL;
4290 int err = 0;
4291
4292 if (!kern) {
4293 err = socket_sockcreate_sid(tsec, sclass, &sid);
4294 if (err)
4295 return err;
4296 }
4297
4298 isec->sclass = sclass;
4299 isec->sid = sid;
4300 isec->initialized = LABEL_INITIALIZED;
4301
4302 if (sock->sk) {
4303 sksec = selinux_sock(sock->sk);
4304 sksec->sclass = sclass;
4305 sksec->sid = sid;
4306 err = selinux_netlbl_socket_post_create(sock->sk, family);
4307 }
4308
4309 return err;
4310 }
4311
4312 /* Range of port numbers used to automatically bind.
4313 Need to determine whether we should perform a name_bind
4314 permission check between the socket and the port number. */
4315
4316 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4317 {
4318 struct sock *sk = sock->sk;
4319 u16 family;
4320 int err;
4321
4322 err = sock_has_perm(sk, SOCKET__BIND);
4323 if (err)
4324 goto out;
4325
4326 /*
4327 * If PF_INET or PF_INET6, check name_bind permission for the port.
4328 * Multiple address binding for SCTP is not supported yet: we just
4329 * check the first address now.
4330 */
4331 family = sk->sk_family;
4332 if (family == PF_INET || family == PF_INET6) {
4333 char *addrp;
4334 struct sk_security_struct *sksec = selinux_sock(sk);
4335 struct common_audit_data ad;
4336 struct lsm_network_audit net = {0,};
4337 struct sockaddr_in *addr4 = NULL;
4338 struct sockaddr_in6 *addr6 = NULL;
4339 unsigned short snum;
4340 u32 sid, node_perm;
4341
4342 if (family == PF_INET) {
4343 if (addrlen < sizeof(struct sockaddr_in)) {
4344 err = -EINVAL;
4345 goto out;
4346 }
4347 addr4 = (struct sockaddr_in *)address;
4348 snum = ntohs(addr4->sin_port);
4349 addrp = (char *)&addr4->sin_addr.s_addr;
4350 } else {
4351 if (addrlen < SIN6_LEN_RFC2133) {
4352 err = -EINVAL;
4353 goto out;
4354 }
4355 addr6 = (struct sockaddr_in6 *)address;
4356 snum = ntohs(addr6->sin6_port);
4357 addrp = (char *)&addr6->sin6_addr.s6_addr;
4358 }
4359
4360 if (snum) {
4361 int low, high;
4362
4363 inet_get_local_port_range(sock_net(sk), &low, &high);
4364
4365 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4366 snum > high) {
4367 err = sel_netport_sid(sk->sk_protocol,
4368 snum, &sid);
4369 if (err)
4370 goto out;
4371 ad.type = LSM_AUDIT_DATA_NET;
4372 ad.u.net = &net;
4373 ad.u.net->sport = htons(snum);
4374 ad.u.net->family = family;
4375 err = avc_has_perm(sksec->sid, sid,
4376 sksec->sclass,
4377 SOCKET__NAME_BIND, &ad);
4378 if (err)
4379 goto out;
4380 }
4381 }
4382
4383 switch (sksec->sclass) {
4384 case SECCLASS_TCP_SOCKET:
4385 node_perm = TCP_SOCKET__NODE_BIND;
4386 break;
4387
4388 case SECCLASS_UDP_SOCKET:
4389 node_perm = UDP_SOCKET__NODE_BIND;
4390 break;
4391
4392 case SECCLASS_DCCP_SOCKET:
4393 node_perm = DCCP_SOCKET__NODE_BIND;
4394 break;
4395
4396 default:
4397 node_perm = RAWIP_SOCKET__NODE_BIND;
4398 break;
4399 }
4400
4401 err = sel_netnode_sid(addrp, family, &sid);
4402 if (err)
4403 goto out;
4404
4405 ad.type = LSM_AUDIT_DATA_NET;
4406 ad.u.net = &net;
4407 ad.u.net->sport = htons(snum);
4408 ad.u.net->family = family;
4409
4410 if (family == PF_INET)
4411 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4412 else
4413 ad.u.net->v6info.saddr = addr6->sin6_addr;
4414
4415 err = avc_has_perm(sksec->sid, sid,
4416 sksec->sclass, node_perm, &ad);
4417 if (err)
4418 goto out;
4419 }
4420 out:
4421 return err;
4422 }
4423
4424 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4425 {
4426 struct sock *sk = sock->sk;
4427 struct sk_security_struct *sksec = selinux_sock(sk);
4428 int err;
4429
4430 err = sock_has_perm(sk, SOCKET__CONNECT);
4431 if (err)
4432 return err;
4433
4434 /*
4435 * If a TCP or DCCP socket, check name_connect permission for the port.
4436 */
4437 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4438 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4439 struct common_audit_data ad;
4440 struct lsm_network_audit net = {0,};
4441 struct sockaddr_in *addr4 = NULL;
4442 struct sockaddr_in6 *addr6 = NULL;
4443 unsigned short snum;
4444 u32 sid, perm;
4445
4446 if (sk->sk_family == PF_INET) {
4447 addr4 = (struct sockaddr_in *)address;
4448 if (addrlen < sizeof(struct sockaddr_in))
4449 return -EINVAL;
4450 snum = ntohs(addr4->sin_port);
4451 } else {
4452 addr6 = (struct sockaddr_in6 *)address;
4453 if (addrlen < SIN6_LEN_RFC2133)
4454 return -EINVAL;
4455 snum = ntohs(addr6->sin6_port);
4456 }
4457
4458 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4459 if (err)
4460 goto out;
4461
4462 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4463 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4464
4465 ad.type = LSM_AUDIT_DATA_NET;
4466 ad.u.net = &net;
4467 ad.u.net->dport = htons(snum);
4468 ad.u.net->family = sk->sk_family;
4469 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4470 if (err)
4471 goto out;
4472 }
4473
4474 err = selinux_netlbl_socket_connect(sk, address);
4475
4476 out:
4477 return err;
4478 }
4479
4480 static int selinux_socket_listen(struct socket *sock, int backlog)
4481 {
4482 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4483 }
4484
4485 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4486 {
4487 int err;
4488 struct inode_security_struct *isec;
4489 struct inode_security_struct *newisec;
4490 u16 sclass;
4491 u32 sid;
4492
4493 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4494 if (err)
4495 return err;
4496
4497 isec = inode_security_novalidate(SOCK_INODE(sock));
4498 spin_lock(&isec->lock);
4499 sclass = isec->sclass;
4500 sid = isec->sid;
4501 spin_unlock(&isec->lock);
4502
4503 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4504 newisec->sclass = sclass;
4505 newisec->sid = sid;
4506 newisec->initialized = LABEL_INITIALIZED;
4507
4508 return 0;
4509 }
4510
4511 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4512 int size)
4513 {
4514 return sock_has_perm(sock->sk, SOCKET__WRITE);
4515 }
4516
4517 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4518 int size, int flags)
4519 {
4520 return sock_has_perm(sock->sk, SOCKET__READ);
4521 }
4522
4523 static int selinux_socket_getsockname(struct socket *sock)
4524 {
4525 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4526 }
4527
4528 static int selinux_socket_getpeername(struct socket *sock)
4529 {
4530 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4531 }
4532
4533 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4534 {
4535 int err;
4536
4537 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4538 if (err)
4539 return err;
4540
4541 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4542 }
4543
4544 static int selinux_socket_getsockopt(struct socket *sock, int level,
4545 int optname)
4546 {
4547 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4548 }
4549
4550 static int selinux_socket_shutdown(struct socket *sock, int how)
4551 {
4552 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4553 }
4554
4555 static int selinux_socket_unix_stream_connect(struct sock *sock,
4556 struct sock *other,
4557 struct sock *newsk)
4558 {
4559 struct sk_security_struct *sksec_sock = selinux_sock(sock);
4560 struct sk_security_struct *sksec_other = selinux_sock(other);
4561 struct sk_security_struct *sksec_new = selinux_sock(newsk);
4562 struct common_audit_data ad;
4563 struct lsm_network_audit net = {0,};
4564 int err;
4565
4566 ad.type = LSM_AUDIT_DATA_NET;
4567 ad.u.net = &net;
4568 ad.u.net->sk = other;
4569
4570 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4571 sksec_other->sclass,
4572 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4573 if (err)
4574 return err;
4575
4576 /* server child socket */
4577 sksec_new->peer_sid = sksec_sock->sid;
4578 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4579 &sksec_new->sid);
4580 if (err)
4581 return err;
4582
4583 /* connecting socket */
4584 sksec_sock->peer_sid = sksec_new->sid;
4585
4586 return 0;
4587 }
4588
4589 static int selinux_socket_unix_may_send(struct socket *sock,
4590 struct socket *other)
4591 {
4592 struct sk_security_struct *ssec = selinux_sock(sock->sk);
4593 struct sk_security_struct *osec = selinux_sock(other->sk);
4594 struct common_audit_data ad;
4595 struct lsm_network_audit net = {0,};
4596
4597 ad.type = LSM_AUDIT_DATA_NET;
4598 ad.u.net = &net;
4599 ad.u.net->sk = other->sk;
4600
4601 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4602 &ad);
4603 }
4604
4605 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4606 char *addrp, u16 family, u32 peer_sid,
4607 struct common_audit_data *ad)
4608 {
4609 int err;
4610 u32 if_sid;
4611 u32 node_sid;
4612
4613 err = sel_netif_sid(ns, ifindex, &if_sid);
4614 if (err)
4615 return err;
4616 err = avc_has_perm(peer_sid, if_sid,
4617 SECCLASS_NETIF, NETIF__INGRESS, ad);
4618 if (err)
4619 return err;
4620
4621 err = sel_netnode_sid(addrp, family, &node_sid);
4622 if (err)
4623 return err;
4624 return avc_has_perm(peer_sid, node_sid,
4625 SECCLASS_NODE, NODE__RECVFROM, ad);
4626 }
4627
4628 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4629 u16 family)
4630 {
4631 int err = 0;
4632 struct sk_security_struct *sksec = selinux_sock(sk);
4633 u32 sk_sid = sksec->sid;
4634 struct common_audit_data ad;
4635 struct lsm_network_audit net = {0,};
4636 char *addrp;
4637
4638 ad.type = LSM_AUDIT_DATA_NET;
4639 ad.u.net = &net;
4640 ad.u.net->netif = skb->skb_iif;
4641 ad.u.net->family = family;
4642 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4643 if (err)
4644 return err;
4645
4646 if (selinux_secmark_enabled()) {
4647 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4648 PACKET__RECV, &ad);
4649 if (err)
4650 return err;
4651 }
4652
4653 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4654 if (err)
4655 return err;
4656 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4657
4658 return err;
4659 }
4660
4661 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4662 {
4663 int err;
4664 struct sk_security_struct *sksec = selinux_sock(sk);
4665 u16 family = sk->sk_family;
4666 u32 sk_sid = sksec->sid;
4667 struct common_audit_data ad;
4668 struct lsm_network_audit net = {0,};
4669 char *addrp;
4670 u8 secmark_active;
4671 u8 peerlbl_active;
4672
4673 if (family != PF_INET && family != PF_INET6)
4674 return 0;
4675
4676 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4677 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4678 family = PF_INET;
4679
4680 /* If any sort of compatibility mode is enabled then handoff processing
4681 * to the selinux_sock_rcv_skb_compat() function to deal with the
4682 * special handling. We do this in an attempt to keep this function
4683 * as fast and as clean as possible. */
4684 if (!selinux_policycap_netpeer)
4685 return selinux_sock_rcv_skb_compat(sk, skb, family);
4686
4687 secmark_active = selinux_secmark_enabled();
4688 peerlbl_active = selinux_peerlbl_enabled();
4689 if (!secmark_active && !peerlbl_active)
4690 return 0;
4691
4692 ad.type = LSM_AUDIT_DATA_NET;
4693 ad.u.net = &net;
4694 ad.u.net->netif = skb->skb_iif;
4695 ad.u.net->family = family;
4696 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4697 if (err)
4698 return err;
4699
4700 if (peerlbl_active) {
4701 u32 peer_sid;
4702
4703 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4704 if (err)
4705 return err;
4706 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4707 addrp, family, peer_sid, &ad);
4708 if (err) {
4709 selinux_netlbl_err(skb, family, err, 0);
4710 return err;
4711 }
4712 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4713 PEER__RECV, &ad);
4714 if (err) {
4715 selinux_netlbl_err(skb, family, err, 0);
4716 return err;
4717 }
4718 }
4719
4720 if (secmark_active) {
4721 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4722 PACKET__RECV, &ad);
4723 if (err)
4724 return err;
4725 }
4726
4727 return err;
4728 }
4729
4730 static int selinux_socket_getpeersec_stream(struct socket *sock,
4731 __user char *optval,
4732 __user int *optlen,
4733 unsigned int len)
4734 {
4735 int err = 0;
4736 char *scontext;
4737 u32 scontext_len;
4738 struct sk_security_struct *sksec = selinux_sock(sock->sk);
4739 u32 peer_sid = SECSID_NULL;
4740
4741 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4742 sksec->sclass == SECCLASS_TCP_SOCKET)
4743 peer_sid = sksec->peer_sid;
4744 if (peer_sid == SECSID_NULL)
4745 return -ENOPROTOOPT;
4746
4747 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4748 if (err)
4749 return err;
4750
4751 if (scontext_len > len) {
4752 err = -ERANGE;
4753 goto out_len;
4754 }
4755
4756 if (copy_to_user(optval, scontext, scontext_len))
4757 err = -EFAULT;
4758
4759 out_len:
4760 if (put_user(scontext_len, optlen))
4761 err = -EFAULT;
4762 kfree(scontext);
4763 return err;
4764 }
4765
4766 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4767 {
4768 u32 peer_secid = SECSID_NULL;
4769 u16 family;
4770 struct inode_security_struct *isec;
4771
4772 if (skb && skb->protocol == htons(ETH_P_IP))
4773 family = PF_INET;
4774 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4775 family = PF_INET6;
4776 else if (sock)
4777 family = sock->sk->sk_family;
4778 else
4779 goto out;
4780
4781 if (sock && family == PF_UNIX) {
4782 isec = inode_security_novalidate(SOCK_INODE(sock));
4783 peer_secid = isec->sid;
4784 } else if (skb)
4785 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4786
4787 out:
4788 *secid = peer_secid;
4789 if (peer_secid == SECSID_NULL)
4790 return -EINVAL;
4791 return 0;
4792 }
4793
4794 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4795 {
4796 struct sk_security_struct *sksec = selinux_sock(sk);
4797
4798 sksec->peer_sid = SECINITSID_UNLABELED;
4799 sksec->sid = SECINITSID_UNLABELED;
4800 sksec->sclass = SECCLASS_SOCKET;
4801 selinux_netlbl_sk_security_reset(sksec);
4802
4803 return 0;
4804 }
4805
4806 static void selinux_sk_free_security(struct sock *sk)
4807 {
4808 struct sk_security_struct *sksec = selinux_sock(sk);
4809
4810 selinux_netlbl_sk_security_free(sksec);
4811 }
4812
4813 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4814 {
4815 struct sk_security_struct *sksec = selinux_sock(sk);
4816 struct sk_security_struct *newsksec = selinux_sock(newsk);
4817
4818 newsksec->sid = sksec->sid;
4819 newsksec->peer_sid = sksec->peer_sid;
4820 newsksec->sclass = sksec->sclass;
4821
4822 selinux_netlbl_sk_security_reset(newsksec);
4823 }
4824
4825 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4826 {
4827 if (!sk)
4828 *secid = SECINITSID_ANY_SOCKET;
4829 else {
4830 struct sk_security_struct *sksec = selinux_sock(sk);
4831
4832 *secid = sksec->sid;
4833 }
4834 }
4835
4836 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4837 {
4838 struct inode_security_struct *isec =
4839 inode_security_novalidate(SOCK_INODE(parent));
4840 struct sk_security_struct *sksec = selinux_sock(sk);
4841
4842 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4843 sk->sk_family == PF_UNIX)
4844 isec->sid = sksec->sid;
4845 sksec->sclass = isec->sclass;
4846 }
4847
4848 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4849 struct request_sock *req)
4850 {
4851 struct sk_security_struct *sksec = selinux_sock(sk);
4852 int err;
4853 u16 family = req->rsk_ops->family;
4854 u32 connsid;
4855 u32 peersid;
4856
4857 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4858 if (err)
4859 return err;
4860 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4861 if (err)
4862 return err;
4863 req->secid = connsid;
4864 req->peer_secid = peersid;
4865
4866 return selinux_netlbl_inet_conn_request(req, family);
4867 }
4868
4869 static void selinux_inet_csk_clone(struct sock *newsk,
4870 const struct request_sock *req)
4871 {
4872 struct sk_security_struct *newsksec = selinux_sock(newsk);
4873
4874 newsksec->sid = req->secid;
4875 newsksec->peer_sid = req->peer_secid;
4876 /* NOTE: Ideally, we should also get the isec->sid for the
4877 new socket in sync, but we don't have the isec available yet.
4878 So we will wait until sock_graft to do it, by which
4879 time it will have been created and available. */
4880
4881 /* We don't need to take any sort of lock here as we are the only
4882 * thread with access to newsksec */
4883 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4884 }
4885
4886 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4887 {
4888 u16 family = sk->sk_family;
4889 struct sk_security_struct *sksec = selinux_sock(sk);
4890
4891 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4892 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4893 family = PF_INET;
4894
4895 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4896 }
4897
4898 static int selinux_secmark_relabel_packet(u32 sid)
4899 {
4900 const struct task_security_struct *__tsec;
4901 u32 tsid;
4902
4903 __tsec = selinux_cred(current_cred());
4904 tsid = __tsec->sid;
4905
4906 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4907 }
4908
4909 static void selinux_secmark_refcount_inc(void)
4910 {
4911 atomic_inc(&selinux_secmark_refcount);
4912 }
4913
4914 static void selinux_secmark_refcount_dec(void)
4915 {
4916 atomic_dec(&selinux_secmark_refcount);
4917 }
4918
4919 static void selinux_req_classify_flow(const struct request_sock *req,
4920 struct flowi *fl)
4921 {
4922 fl->flowi_secid = req->secid;
4923 }
4924
4925 static int selinux_tun_dev_alloc_security(void **security)
4926 {
4927 struct tun_security_struct *tunsec;
4928
4929 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4930 if (!tunsec)
4931 return -ENOMEM;
4932 tunsec->sid = current_sid();
4933
4934 *security = tunsec;
4935 return 0;
4936 }
4937
4938 static void selinux_tun_dev_free_security(void *security)
4939 {
4940 kfree(security);
4941 }
4942
4943 static int selinux_tun_dev_create(void)
4944 {
4945 u32 sid = current_sid();
4946
4947 /* we aren't taking into account the "sockcreate" SID since the socket
4948 * that is being created here is not a socket in the traditional sense,
4949 * instead it is a private sock, accessible only to the kernel, and
4950 * representing a wide range of network traffic spanning multiple
4951 * connections unlike traditional sockets - check the TUN driver to
4952 * get a better understanding of why this socket is special */
4953
4954 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4955 NULL);
4956 }
4957
4958 static int selinux_tun_dev_attach_queue(void *security)
4959 {
4960 struct tun_security_struct *tunsec = security;
4961
4962 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4963 TUN_SOCKET__ATTACH_QUEUE, NULL);
4964 }
4965
4966 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4967 {
4968 struct tun_security_struct *tunsec = security;
4969 struct sk_security_struct *sksec = selinux_sock(sk);
4970
4971 /* we don't currently perform any NetLabel based labeling here and it
4972 * isn't clear that we would want to do so anyway; while we could apply
4973 * labeling without the support of the TUN user the resulting labeled
4974 * traffic from the other end of the connection would almost certainly
4975 * cause confusion to the TUN user that had no idea network labeling
4976 * protocols were being used */
4977
4978 sksec->sid = tunsec->sid;
4979 sksec->sclass = SECCLASS_TUN_SOCKET;
4980
4981 return 0;
4982 }
4983
4984 static int selinux_tun_dev_open(void *security)
4985 {
4986 struct tun_security_struct *tunsec = security;
4987 u32 sid = current_sid();
4988 int err;
4989
4990 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4991 TUN_SOCKET__RELABELFROM, NULL);
4992 if (err)
4993 return err;
4994 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4995 TUN_SOCKET__RELABELTO, NULL);
4996 if (err)
4997 return err;
4998 tunsec->sid = sid;
4999
5000 return 0;
5001 }
5002
5003 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5004 {
5005 int err = 0;
5006 u32 perm;
5007 struct nlmsghdr *nlh;
5008 struct sk_security_struct *sksec = selinux_sock(sk);
5009
5010 if (skb->len < NLMSG_HDRLEN) {
5011 err = -EINVAL;
5012 goto out;
5013 }
5014 nlh = nlmsg_hdr(skb);
5015
5016 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5017 if (err) {
5018 if (err == -EINVAL) {
5019 pr_warn_ratelimited("SELinux: unrecognized netlink"
5020 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5021 " pig=%d comm=%s\n",
5022 sk->sk_protocol, nlh->nlmsg_type,
5023 secclass_map[sksec->sclass - 1].name,
5024 task_pid_nr(current), current->comm);
5025 if (!selinux_enforcing || security_get_allow_unknown())
5026 err = 0;
5027 }
5028
5029 /* Ignore */
5030 if (err == -ENOENT)
5031 err = 0;
5032 goto out;
5033 }
5034
5035 err = sock_has_perm(sk, perm);
5036 out:
5037 return err;
5038 }
5039
5040 #ifdef CONFIG_NETFILTER
5041
5042 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5043 const struct net_device *indev,
5044 u16 family)
5045 {
5046 int err;
5047 char *addrp;
5048 u32 peer_sid;
5049 struct common_audit_data ad;
5050 struct lsm_network_audit net = {0,};
5051 u8 secmark_active;
5052 u8 netlbl_active;
5053 u8 peerlbl_active;
5054
5055 if (!selinux_policycap_netpeer)
5056 return NF_ACCEPT;
5057
5058 secmark_active = selinux_secmark_enabled();
5059 netlbl_active = netlbl_enabled();
5060 peerlbl_active = selinux_peerlbl_enabled();
5061 if (!secmark_active && !peerlbl_active)
5062 return NF_ACCEPT;
5063
5064 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5065 return NF_DROP;
5066
5067 ad.type = LSM_AUDIT_DATA_NET;
5068 ad.u.net = &net;
5069 ad.u.net->netif = indev->ifindex;
5070 ad.u.net->family = family;
5071 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5072 return NF_DROP;
5073
5074 if (peerlbl_active) {
5075 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5076 addrp, family, peer_sid, &ad);
5077 if (err) {
5078 selinux_netlbl_err(skb, family, err, 1);
5079 return NF_DROP;
5080 }
5081 }
5082
5083 if (secmark_active)
5084 if (avc_has_perm(peer_sid, skb->secmark,
5085 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5086 return NF_DROP;
5087
5088 if (netlbl_active)
5089 /* we do this in the FORWARD path and not the POST_ROUTING
5090 * path because we want to make sure we apply the necessary
5091 * labeling before IPsec is applied so we can leverage AH
5092 * protection */
5093 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5094 return NF_DROP;
5095
5096 return NF_ACCEPT;
5097 }
5098
5099 static unsigned int selinux_ipv4_forward(void *priv,
5100 struct sk_buff *skb,
5101 const struct nf_hook_state *state)
5102 {
5103 return selinux_ip_forward(skb, state->in, PF_INET);
5104 }
5105
5106 #if IS_ENABLED(CONFIG_IPV6)
5107 static unsigned int selinux_ipv6_forward(void *priv,
5108 struct sk_buff *skb,
5109 const struct nf_hook_state *state)
5110 {
5111 return selinux_ip_forward(skb, state->in, PF_INET6);
5112 }
5113 #endif /* IPV6 */
5114
5115 static unsigned int selinux_ip_output(struct sk_buff *skb,
5116 u16 family)
5117 {
5118 struct sock *sk;
5119 u32 sid;
5120
5121 if (!netlbl_enabled())
5122 return NF_ACCEPT;
5123
5124 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5125 * because we want to make sure we apply the necessary labeling
5126 * before IPsec is applied so we can leverage AH protection */
5127 sk = skb->sk;
5128 if (sk) {
5129 struct sk_security_struct *sksec;
5130
5131 if (sk_listener(sk))
5132 /* if the socket is the listening state then this
5133 * packet is a SYN-ACK packet which means it needs to
5134 * be labeled based on the connection/request_sock and
5135 * not the parent socket. unfortunately, we can't
5136 * lookup the request_sock yet as it isn't queued on
5137 * the parent socket until after the SYN-ACK is sent.
5138 * the "solution" is to simply pass the packet as-is
5139 * as any IP option based labeling should be copied
5140 * from the initial connection request (in the IP
5141 * layer). it is far from ideal, but until we get a
5142 * security label in the packet itself this is the
5143 * best we can do. */
5144 return NF_ACCEPT;
5145
5146 /* standard practice, label using the parent socket */
5147 sksec = selinux_sock(sk);
5148 sid = sksec->sid;
5149 } else
5150 sid = SECINITSID_KERNEL;
5151 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5152 return NF_DROP;
5153
5154 return NF_ACCEPT;
5155 }
5156
5157 static unsigned int selinux_ipv4_output(void *priv,
5158 struct sk_buff *skb,
5159 const struct nf_hook_state *state)
5160 {
5161 return selinux_ip_output(skb, PF_INET);
5162 }
5163
5164 #if IS_ENABLED(CONFIG_IPV6)
5165 static unsigned int selinux_ipv6_output(void *priv,
5166 struct sk_buff *skb,
5167 const struct nf_hook_state *state)
5168 {
5169 return selinux_ip_output(skb, PF_INET6);
5170 }
5171 #endif /* IPV6 */
5172
5173 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5174 int ifindex,
5175 u16 family)
5176 {
5177 struct sock *sk = skb_to_full_sk(skb);
5178 struct sk_security_struct *sksec;
5179 struct common_audit_data ad;
5180 struct lsm_network_audit net = {0,};
5181 char *addrp;
5182 u8 proto;
5183
5184 if (sk == NULL)
5185 return NF_ACCEPT;
5186 sksec = selinux_sock(sk);
5187
5188 ad.type = LSM_AUDIT_DATA_NET;
5189 ad.u.net = &net;
5190 ad.u.net->netif = ifindex;
5191 ad.u.net->family = family;
5192 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5193 return NF_DROP;
5194
5195 if (selinux_secmark_enabled())
5196 if (avc_has_perm(sksec->sid, skb->secmark,
5197 SECCLASS_PACKET, PACKET__SEND, &ad))
5198 return NF_DROP_ERR(-ECONNREFUSED);
5199
5200 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5201 return NF_DROP_ERR(-ECONNREFUSED);
5202
5203 return NF_ACCEPT;
5204 }
5205
5206 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5207 const struct net_device *outdev,
5208 u16 family)
5209 {
5210 u32 secmark_perm;
5211 u32 peer_sid;
5212 int ifindex = outdev->ifindex;
5213 struct sock *sk;
5214 struct common_audit_data ad;
5215 struct lsm_network_audit net = {0,};
5216 char *addrp;
5217 u8 secmark_active;
5218 u8 peerlbl_active;
5219
5220 /* If any sort of compatibility mode is enabled then handoff processing
5221 * to the selinux_ip_postroute_compat() function to deal with the
5222 * special handling. We do this in an attempt to keep this function
5223 * as fast and as clean as possible. */
5224 if (!selinux_policycap_netpeer)
5225 return selinux_ip_postroute_compat(skb, ifindex, family);
5226
5227 secmark_active = selinux_secmark_enabled();
5228 peerlbl_active = selinux_peerlbl_enabled();
5229 if (!secmark_active && !peerlbl_active)
5230 return NF_ACCEPT;
5231
5232 sk = skb_to_full_sk(skb);
5233
5234 #ifdef CONFIG_XFRM
5235 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5236 * packet transformation so allow the packet to pass without any checks
5237 * since we'll have another chance to perform access control checks
5238 * when the packet is on it's final way out.
5239 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5240 * is NULL, in this case go ahead and apply access control.
5241 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5242 * TCP listening state we cannot wait until the XFRM processing
5243 * is done as we will miss out on the SA label if we do;
5244 * unfortunately, this means more work, but it is only once per
5245 * connection. */
5246 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5247 !(sk && sk_listener(sk)))
5248 return NF_ACCEPT;
5249 #endif
5250
5251 if (sk == NULL) {
5252 /* Without an associated socket the packet is either coming
5253 * from the kernel or it is being forwarded; check the packet
5254 * to determine which and if the packet is being forwarded
5255 * query the packet directly to determine the security label. */
5256 if (skb->skb_iif) {
5257 secmark_perm = PACKET__FORWARD_OUT;
5258 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5259 return NF_DROP;
5260 } else {
5261 secmark_perm = PACKET__SEND;
5262 peer_sid = SECINITSID_KERNEL;
5263 }
5264 } else if (sk_listener(sk)) {
5265 /* Locally generated packet but the associated socket is in the
5266 * listening state which means this is a SYN-ACK packet. In
5267 * this particular case the correct security label is assigned
5268 * to the connection/request_sock but unfortunately we can't
5269 * query the request_sock as it isn't queued on the parent
5270 * socket until after the SYN-ACK packet is sent; the only
5271 * viable choice is to regenerate the label like we do in
5272 * selinux_inet_conn_request(). See also selinux_ip_output()
5273 * for similar problems. */
5274 u32 skb_sid;
5275 struct sk_security_struct *sksec;
5276
5277 sksec = selinux_sock(sk);
5278 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5279 return NF_DROP;
5280 /* At this point, if the returned skb peerlbl is SECSID_NULL
5281 * and the packet has been through at least one XFRM
5282 * transformation then we must be dealing with the "final"
5283 * form of labeled IPsec packet; since we've already applied
5284 * all of our access controls on this packet we can safely
5285 * pass the packet. */
5286 if (skb_sid == SECSID_NULL) {
5287 switch (family) {
5288 case PF_INET:
5289 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5290 return NF_ACCEPT;
5291 break;
5292 case PF_INET6:
5293 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5294 return NF_ACCEPT;
5295 break;
5296 default:
5297 return NF_DROP_ERR(-ECONNREFUSED);
5298 }
5299 }
5300 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5301 return NF_DROP;
5302 secmark_perm = PACKET__SEND;
5303 } else {
5304 /* Locally generated packet, fetch the security label from the
5305 * associated socket. */
5306 struct sk_security_struct *sksec = selinux_sock(sk);
5307 peer_sid = sksec->sid;
5308 secmark_perm = PACKET__SEND;
5309 }
5310
5311 ad.type = LSM_AUDIT_DATA_NET;
5312 ad.u.net = &net;
5313 ad.u.net->netif = ifindex;
5314 ad.u.net->family = family;
5315 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5316 return NF_DROP;
5317
5318 if (secmark_active)
5319 if (avc_has_perm(peer_sid, skb->secmark,
5320 SECCLASS_PACKET, secmark_perm, &ad))
5321 return NF_DROP_ERR(-ECONNREFUSED);
5322
5323 if (peerlbl_active) {
5324 u32 if_sid;
5325 u32 node_sid;
5326
5327 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5328 return NF_DROP;
5329 if (avc_has_perm(peer_sid, if_sid,
5330 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5331 return NF_DROP_ERR(-ECONNREFUSED);
5332
5333 if (sel_netnode_sid(addrp, family, &node_sid))
5334 return NF_DROP;
5335 if (avc_has_perm(peer_sid, node_sid,
5336 SECCLASS_NODE, NODE__SENDTO, &ad))
5337 return NF_DROP_ERR(-ECONNREFUSED);
5338 }
5339
5340 return NF_ACCEPT;
5341 }
5342
5343 static unsigned int selinux_ipv4_postroute(void *priv,
5344 struct sk_buff *skb,
5345 const struct nf_hook_state *state)
5346 {
5347 return selinux_ip_postroute(skb, state->out, PF_INET);
5348 }
5349
5350 #if IS_ENABLED(CONFIG_IPV6)
5351 static unsigned int selinux_ipv6_postroute(void *priv,
5352 struct sk_buff *skb,
5353 const struct nf_hook_state *state)
5354 {
5355 return selinux_ip_postroute(skb, state->out, PF_INET6);
5356 }
5357 #endif /* IPV6 */
5358
5359 #endif /* CONFIG_NETFILTER */
5360
5361 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5362 {
5363 return selinux_nlmsg_perm(sk, skb);
5364 }
5365
5366 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5367 {
5368 isec->sclass = sclass;
5369 isec->sid = current_sid();
5370 }
5371
5372 static int msg_msg_alloc_security(struct msg_msg *msg)
5373 {
5374 struct msg_security_struct *msec;
5375
5376 msec = selinux_msg_msg(msg);
5377 msec->sid = SECINITSID_UNLABELED;
5378
5379 return 0;
5380 }
5381
5382 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5383 u32 perms)
5384 {
5385 struct ipc_security_struct *isec;
5386 struct common_audit_data ad;
5387 u32 sid = current_sid();
5388
5389 isec = selinux_ipc(ipc_perms);
5390
5391 ad.type = LSM_AUDIT_DATA_IPC;
5392 ad.u.ipc_id = ipc_perms->key;
5393
5394 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5395 }
5396
5397 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5398 {
5399 return msg_msg_alloc_security(msg);
5400 }
5401
5402 /* message queue security operations */
5403 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5404 {
5405 struct ipc_security_struct *isec;
5406 struct common_audit_data ad;
5407 u32 sid = current_sid();
5408 int rc;
5409
5410 isec = selinux_ipc(&msq->q_perm);
5411 ipc_init_security(isec, SECCLASS_MSGQ);
5412
5413 ad.type = LSM_AUDIT_DATA_IPC;
5414 ad.u.ipc_id = msq->q_perm.key;
5415
5416 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5417 MSGQ__CREATE, &ad);
5418 return rc;
5419 }
5420
5421 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5422 {
5423 struct ipc_security_struct *isec;
5424 struct common_audit_data ad;
5425 u32 sid = current_sid();
5426
5427 isec = selinux_ipc(&msq->q_perm);
5428
5429 ad.type = LSM_AUDIT_DATA_IPC;
5430 ad.u.ipc_id = msq->q_perm.key;
5431
5432 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5433 MSGQ__ASSOCIATE, &ad);
5434 }
5435
5436 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5437 {
5438 int err;
5439 int perms;
5440
5441 switch (cmd) {
5442 case IPC_INFO:
5443 case MSG_INFO:
5444 /* No specific object, just general system-wide information. */
5445 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5446 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5447 case IPC_STAT:
5448 case MSG_STAT:
5449 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5450 break;
5451 case IPC_SET:
5452 perms = MSGQ__SETATTR;
5453 break;
5454 case IPC_RMID:
5455 perms = MSGQ__DESTROY;
5456 break;
5457 default:
5458 return 0;
5459 }
5460
5461 err = ipc_has_perm(&msq->q_perm, perms);
5462 return err;
5463 }
5464
5465 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5466 {
5467 struct ipc_security_struct *isec;
5468 struct msg_security_struct *msec;
5469 struct common_audit_data ad;
5470 u32 sid = current_sid();
5471 int rc;
5472
5473 isec = selinux_ipc(&msq->q_perm);
5474 msec = selinux_msg_msg(msg);
5475
5476 /*
5477 * First time through, need to assign label to the message
5478 */
5479 if (msec->sid == SECINITSID_UNLABELED) {
5480 /*
5481 * Compute new sid based on current process and
5482 * message queue this message will be stored in
5483 */
5484 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5485 NULL, &msec->sid);
5486 if (rc)
5487 return rc;
5488 }
5489
5490 ad.type = LSM_AUDIT_DATA_IPC;
5491 ad.u.ipc_id = msq->q_perm.key;
5492
5493 /* Can this process write to the queue? */
5494 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5495 MSGQ__WRITE, &ad);
5496 if (!rc)
5497 /* Can this process send the message */
5498 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5499 MSG__SEND, &ad);
5500 if (!rc)
5501 /* Can the message be put in the queue? */
5502 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5503 MSGQ__ENQUEUE, &ad);
5504
5505 return rc;
5506 }
5507
5508 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5509 struct task_struct *target,
5510 long type, int mode)
5511 {
5512 struct ipc_security_struct *isec;
5513 struct msg_security_struct *msec;
5514 struct common_audit_data ad;
5515 u32 sid = task_sid(target);
5516 int rc;
5517
5518 isec = selinux_ipc(&msq->q_perm);
5519 msec = selinux_msg_msg(msg);
5520
5521 ad.type = LSM_AUDIT_DATA_IPC;
5522 ad.u.ipc_id = msq->q_perm.key;
5523
5524 rc = avc_has_perm(sid, isec->sid,
5525 SECCLASS_MSGQ, MSGQ__READ, &ad);
5526 if (!rc)
5527 rc = avc_has_perm(sid, msec->sid,
5528 SECCLASS_MSG, MSG__RECEIVE, &ad);
5529 return rc;
5530 }
5531
5532 /* Shared Memory security operations */
5533 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5534 {
5535 struct ipc_security_struct *isec;
5536 struct common_audit_data ad;
5537 u32 sid = current_sid();
5538 int rc;
5539
5540 isec = selinux_ipc(&shp->shm_perm);
5541 ipc_init_security(isec, SECCLASS_SHM);
5542
5543 ad.type = LSM_AUDIT_DATA_IPC;
5544 ad.u.ipc_id = shp->shm_perm.key;
5545
5546 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5547 SHM__CREATE, &ad);
5548 return rc;
5549 }
5550
5551 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5552 {
5553 struct ipc_security_struct *isec;
5554 struct common_audit_data ad;
5555 u32 sid = current_sid();
5556
5557 isec = selinux_ipc(&shp->shm_perm);
5558
5559 ad.type = LSM_AUDIT_DATA_IPC;
5560 ad.u.ipc_id = shp->shm_perm.key;
5561
5562 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5563 SHM__ASSOCIATE, &ad);
5564 }
5565
5566 /* Note, at this point, shp is locked down */
5567 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5568 {
5569 int perms;
5570 int err;
5571
5572 switch (cmd) {
5573 case IPC_INFO:
5574 case SHM_INFO:
5575 /* No specific object, just general system-wide information. */
5576 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5577 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5578 case IPC_STAT:
5579 case SHM_STAT:
5580 perms = SHM__GETATTR | SHM__ASSOCIATE;
5581 break;
5582 case IPC_SET:
5583 perms = SHM__SETATTR;
5584 break;
5585 case SHM_LOCK:
5586 case SHM_UNLOCK:
5587 perms = SHM__LOCK;
5588 break;
5589 case IPC_RMID:
5590 perms = SHM__DESTROY;
5591 break;
5592 default:
5593 return 0;
5594 }
5595
5596 err = ipc_has_perm(&shp->shm_perm, perms);
5597 return err;
5598 }
5599
5600 static int selinux_shm_shmat(struct shmid_kernel *shp,
5601 char __user *shmaddr, int shmflg)
5602 {
5603 u32 perms;
5604
5605 if (shmflg & SHM_RDONLY)
5606 perms = SHM__READ;
5607 else
5608 perms = SHM__READ | SHM__WRITE;
5609
5610 return ipc_has_perm(&shp->shm_perm, perms);
5611 }
5612
5613 /* Semaphore security operations */
5614 static int selinux_sem_alloc_security(struct sem_array *sma)
5615 {
5616 struct ipc_security_struct *isec;
5617 struct common_audit_data ad;
5618 u32 sid = current_sid();
5619 int rc;
5620
5621 isec = selinux_ipc(&sma->sem_perm);
5622 ipc_init_security(isec, SECCLASS_SEM);
5623
5624 ad.type = LSM_AUDIT_DATA_IPC;
5625 ad.u.ipc_id = sma->sem_perm.key;
5626
5627 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5628 SEM__CREATE, &ad);
5629 return rc;
5630 }
5631
5632 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5633 {
5634 struct ipc_security_struct *isec;
5635 struct common_audit_data ad;
5636 u32 sid = current_sid();
5637
5638 isec = selinux_ipc(&sma->sem_perm);
5639
5640 ad.type = LSM_AUDIT_DATA_IPC;
5641 ad.u.ipc_id = sma->sem_perm.key;
5642
5643 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5644 SEM__ASSOCIATE, &ad);
5645 }
5646
5647 /* Note, at this point, sma is locked down */
5648 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5649 {
5650 int err;
5651 u32 perms;
5652
5653 switch (cmd) {
5654 case IPC_INFO:
5655 case SEM_INFO:
5656 /* No specific object, just general system-wide information. */
5657 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5658 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5659 case GETPID:
5660 case GETNCNT:
5661 case GETZCNT:
5662 perms = SEM__GETATTR;
5663 break;
5664 case GETVAL:
5665 case GETALL:
5666 perms = SEM__READ;
5667 break;
5668 case SETVAL:
5669 case SETALL:
5670 perms = SEM__WRITE;
5671 break;
5672 case IPC_RMID:
5673 perms = SEM__DESTROY;
5674 break;
5675 case IPC_SET:
5676 perms = SEM__SETATTR;
5677 break;
5678 case IPC_STAT:
5679 case SEM_STAT:
5680 perms = SEM__GETATTR | SEM__ASSOCIATE;
5681 break;
5682 default:
5683 return 0;
5684 }
5685
5686 err = ipc_has_perm(&sma->sem_perm, perms);
5687 return err;
5688 }
5689
5690 static int selinux_sem_semop(struct sem_array *sma,
5691 struct sembuf *sops, unsigned nsops, int alter)
5692 {
5693 u32 perms;
5694
5695 if (alter)
5696 perms = SEM__READ | SEM__WRITE;
5697 else
5698 perms = SEM__READ;
5699
5700 return ipc_has_perm(&sma->sem_perm, perms);
5701 }
5702
5703 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5704 {
5705 u32 av = 0;
5706
5707 av = 0;
5708 if (flag & S_IRUGO)
5709 av |= IPC__UNIX_READ;
5710 if (flag & S_IWUGO)
5711 av |= IPC__UNIX_WRITE;
5712
5713 if (av == 0)
5714 return 0;
5715
5716 return ipc_has_perm(ipcp, av);
5717 }
5718
5719 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5720 {
5721 struct ipc_security_struct *isec = selinux_ipc(ipcp);
5722 *secid = isec->sid;
5723 }
5724
5725 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5726 {
5727 if (inode)
5728 inode_doinit_with_dentry(inode, dentry);
5729 }
5730
5731 static int selinux_getprocattr(struct task_struct *p,
5732 char *name, char **value)
5733 {
5734 const struct task_security_struct *__tsec;
5735 u32 sid;
5736 int error;
5737 unsigned len;
5738
5739 rcu_read_lock();
5740 __tsec = selinux_cred(__task_cred(p));
5741
5742 if (current != p) {
5743 error = avc_has_perm(current_sid(), __tsec->sid,
5744 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5745 if (error)
5746 goto bad;
5747 }
5748
5749 if (!strcmp(name, "current"))
5750 sid = __tsec->sid;
5751 else if (!strcmp(name, "prev"))
5752 sid = __tsec->osid;
5753 else if (!strcmp(name, "exec"))
5754 sid = __tsec->exec_sid;
5755 else if (!strcmp(name, "fscreate"))
5756 sid = __tsec->create_sid;
5757 else if (!strcmp(name, "keycreate"))
5758 sid = __tsec->keycreate_sid;
5759 else if (!strcmp(name, "sockcreate"))
5760 sid = __tsec->sockcreate_sid;
5761 else {
5762 error = -EINVAL;
5763 goto bad;
5764 }
5765 rcu_read_unlock();
5766
5767 if (!sid)
5768 return 0;
5769
5770 error = security_sid_to_context(sid, value, &len);
5771 if (error)
5772 return error;
5773 return len;
5774
5775 bad:
5776 rcu_read_unlock();
5777 return error;
5778 }
5779
5780 static int selinux_setprocattr(const char *name, void *value, size_t size)
5781 {
5782 struct task_security_struct *tsec;
5783 struct cred *new;
5784 u32 mysid = current_sid(), sid = 0, ptsid;
5785 int error;
5786 char *str = value;
5787
5788 /*
5789 * Basic control over ability to set these attributes at all.
5790 */
5791 if (!strcmp(name, "exec"))
5792 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5793 PROCESS__SETEXEC, NULL);
5794 else if (!strcmp(name, "fscreate"))
5795 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5796 PROCESS__SETFSCREATE, NULL);
5797 else if (!strcmp(name, "keycreate"))
5798 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5799 PROCESS__SETKEYCREATE, NULL);
5800 else if (!strcmp(name, "sockcreate"))
5801 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5802 PROCESS__SETSOCKCREATE, NULL);
5803 else if (!strcmp(name, "current"))
5804 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5805 PROCESS__SETCURRENT, NULL);
5806 else
5807 error = -EINVAL;
5808 if (error)
5809 return error;
5810
5811 /* Obtain a SID for the context, if one was specified. */
5812 if (size && str[0] && str[0] != '\n') {
5813 if (str[size-1] == '\n') {
5814 str[size-1] = 0;
5815 size--;
5816 }
5817 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5818 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5819 if (!has_cap_mac_admin(true)) {
5820 struct audit_buffer *ab;
5821 size_t audit_size;
5822
5823 /* We strip a nul only if it is at the end, otherwise the
5824 * context contains a nul and we should audit that */
5825 if (str[size - 1] == '\0')
5826 audit_size = size - 1;
5827 else
5828 audit_size = size;
5829 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5830 audit_log_format(ab, "op=fscreate invalid_context=");
5831 audit_log_n_untrustedstring(ab, value, audit_size);
5832 audit_log_end(ab);
5833
5834 return error;
5835 }
5836 error = security_context_to_sid_force(value, size,
5837 &sid);
5838 }
5839 if (error)
5840 return error;
5841 }
5842
5843 new = prepare_creds();
5844 if (!new)
5845 return -ENOMEM;
5846
5847 /* Permission checking based on the specified context is
5848 performed during the actual operation (execve,
5849 open/mkdir/...), when we know the full context of the
5850 operation. See selinux_bprm_set_creds for the execve
5851 checks and may_create for the file creation checks. The
5852 operation will then fail if the context is not permitted. */
5853 tsec = selinux_cred(new);
5854 if (!strcmp(name, "exec")) {
5855 tsec->exec_sid = sid;
5856 } else if (!strcmp(name, "fscreate")) {
5857 tsec->create_sid = sid;
5858 } else if (!strcmp(name, "keycreate")) {
5859 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
5860 NULL);
5861 if (error)
5862 goto abort_change;
5863 tsec->keycreate_sid = sid;
5864 } else if (!strcmp(name, "sockcreate")) {
5865 tsec->sockcreate_sid = sid;
5866 } else if (!strcmp(name, "current")) {
5867 error = -EINVAL;
5868 if (sid == 0)
5869 goto abort_change;
5870
5871 /* Only allow single threaded processes to change context */
5872 error = -EPERM;
5873 if (!current_is_single_threaded()) {
5874 error = security_bounded_transition(tsec->sid, sid);
5875 if (error)
5876 goto abort_change;
5877 }
5878
5879 /* Check permissions for the transition. */
5880 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5881 PROCESS__DYNTRANSITION, NULL);
5882 if (error)
5883 goto abort_change;
5884
5885 /* Check for ptracing, and update the task SID if ok.
5886 Otherwise, leave SID unchanged and fail. */
5887 ptsid = ptrace_parent_sid();
5888 if (ptsid != 0) {
5889 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5890 PROCESS__PTRACE, NULL);
5891 if (error)
5892 goto abort_change;
5893 }
5894
5895 tsec->sid = sid;
5896 } else {
5897 error = -EINVAL;
5898 goto abort_change;
5899 }
5900
5901 commit_creds(new);
5902 return size;
5903
5904 abort_change:
5905 abort_creds(new);
5906 return error;
5907 }
5908
5909 static int selinux_ismaclabel(const char *name)
5910 {
5911 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5912 }
5913
5914 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5915 {
5916 return security_sid_to_context(secid, secdata, seclen);
5917 }
5918
5919 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5920 {
5921 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5922 }
5923
5924 static void selinux_release_secctx(char *secdata, u32 seclen)
5925 {
5926 kfree(secdata);
5927 }
5928
5929 static void selinux_inode_invalidate_secctx(struct inode *inode)
5930 {
5931 struct inode_security_struct *isec = selinux_inode(inode);
5932
5933 spin_lock(&isec->lock);
5934 isec->initialized = LABEL_INVALID;
5935 spin_unlock(&isec->lock);
5936 }
5937
5938 /*
5939 * called with inode->i_mutex locked
5940 */
5941 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5942 {
5943 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5944 }
5945
5946 /*
5947 * called with inode->i_mutex locked
5948 */
5949 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5950 {
5951 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5952 }
5953
5954 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5955 {
5956 int len = 0;
5957 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5958 ctx, true);
5959 if (len < 0)
5960 return len;
5961 *ctxlen = len;
5962 return 0;
5963 }
5964 #ifdef CONFIG_KEYS
5965
5966 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5967 unsigned long flags)
5968 {
5969 const struct task_security_struct *tsec;
5970 struct key_security_struct *ksec = selinux_key(k);
5971
5972 tsec = selinux_cred(cred);
5973 if (tsec->keycreate_sid)
5974 ksec->sid = tsec->keycreate_sid;
5975 else
5976 ksec->sid = tsec->sid;
5977
5978 return 0;
5979 }
5980
5981 static int selinux_key_permission(key_ref_t key_ref,
5982 const struct cred *cred,
5983 unsigned perm)
5984 {
5985 struct key *key;
5986 struct key_security_struct *ksec;
5987 u32 sid;
5988
5989 /* if no specific permissions are requested, we skip the
5990 permission check. No serious, additional covert channels
5991 appear to be created. */
5992 if (perm == 0)
5993 return 0;
5994
5995 sid = cred_sid(cred);
5996
5997 key = key_ref_to_ptr(key_ref);
5998 ksec = selinux_key(key);
5999
6000 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6001 }
6002
6003 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6004 {
6005 struct key_security_struct *ksec = selinux_key(key);
6006 char *context = NULL;
6007 unsigned len;
6008 int rc;
6009
6010 rc = security_sid_to_context(ksec->sid, &context, &len);
6011 if (!rc)
6012 rc = len;
6013 *_buffer = context;
6014 return rc;
6015 }
6016 #endif
6017
6018 #ifdef CONFIG_SECURITY_INFINIBAND
6019 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6020 {
6021 struct common_audit_data ad;
6022 int err;
6023 u32 sid = 0;
6024 struct ib_security_struct *sec = ib_sec;
6025 struct lsm_ibpkey_audit ibpkey;
6026
6027 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6028 if (err)
6029 return err;
6030
6031 ad.type = LSM_AUDIT_DATA_IBPKEY;
6032 ibpkey.subnet_prefix = subnet_prefix;
6033 ibpkey.pkey = pkey_val;
6034 ad.u.ibpkey = &ibpkey;
6035 return avc_has_perm(sec->sid, sid,
6036 SECCLASS_INFINIBAND_PKEY,
6037 INFINIBAND_PKEY__ACCESS, &ad);
6038 }
6039
6040 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6041 u8 port_num)
6042 {
6043 struct common_audit_data ad;
6044 int err;
6045 u32 sid = 0;
6046 struct ib_security_struct *sec = ib_sec;
6047 struct lsm_ibendport_audit ibendport;
6048
6049 err = security_ib_endport_sid(dev_name, port_num, &sid);
6050
6051 if (err)
6052 return err;
6053
6054 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6055 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6056 ibendport.port = port_num;
6057 ad.u.ibendport = &ibendport;
6058 return avc_has_perm(sec->sid, sid,
6059 SECCLASS_INFINIBAND_ENDPORT,
6060 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6061 }
6062
6063 static int selinux_ib_alloc_security(void **ib_sec)
6064 {
6065 struct ib_security_struct *sec;
6066
6067 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6068 if (!sec)
6069 return -ENOMEM;
6070 sec->sid = current_sid();
6071
6072 *ib_sec = sec;
6073 return 0;
6074 }
6075
6076 static void selinux_ib_free_security(void *ib_sec)
6077 {
6078 kfree(ib_sec);
6079 }
6080 #endif
6081
6082 #ifdef CONFIG_BPF_SYSCALL
6083 static int selinux_bpf(int cmd, union bpf_attr *attr,
6084 unsigned int size)
6085 {
6086 u32 sid = current_sid();
6087 int ret;
6088
6089 switch (cmd) {
6090 case BPF_MAP_CREATE:
6091 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6092 NULL);
6093 break;
6094 case BPF_PROG_LOAD:
6095 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6096 NULL);
6097 break;
6098 default:
6099 ret = 0;
6100 break;
6101 }
6102
6103 return ret;
6104 }
6105
6106 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6107 {
6108 u32 av = 0;
6109
6110 if (fmode & FMODE_READ)
6111 av |= BPF__MAP_READ;
6112 if (fmode & FMODE_WRITE)
6113 av |= BPF__MAP_WRITE;
6114 return av;
6115 }
6116
6117 /* This function will check the file pass through unix socket or binder to see
6118 * if it is a bpf related object. And apply correspinding checks on the bpf
6119 * object based on the type. The bpf maps and programs, not like other files and
6120 * socket, are using a shared anonymous inode inside the kernel as their inode.
6121 * So checking that inode cannot identify if the process have privilege to
6122 * access the bpf object and that's why we have to add this additional check in
6123 * selinux_file_receive and selinux_binder_transfer_files.
6124 */
6125 static int bpf_fd_pass(struct file *file, u32 sid)
6126 {
6127 struct bpf_security_struct *bpfsec;
6128 struct bpf_prog *prog;
6129 struct bpf_map *map;
6130 int ret;
6131
6132 if (file->f_op == &bpf_map_fops) {
6133 map = file->private_data;
6134 bpfsec = map->security;
6135 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6136 bpf_map_fmode_to_av(file->f_mode), NULL);
6137 if (ret)
6138 return ret;
6139 } else if (file->f_op == &bpf_prog_fops) {
6140 prog = file->private_data;
6141 bpfsec = prog->aux->security;
6142 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6143 BPF__PROG_RUN, NULL);
6144 if (ret)
6145 return ret;
6146 }
6147 return 0;
6148 }
6149
6150 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6151 {
6152 u32 sid = current_sid();
6153 struct bpf_security_struct *bpfsec;
6154
6155 bpfsec = map->security;
6156 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6157 bpf_map_fmode_to_av(fmode), NULL);
6158 }
6159
6160 static int selinux_bpf_prog(struct bpf_prog *prog)
6161 {
6162 u32 sid = current_sid();
6163 struct bpf_security_struct *bpfsec;
6164
6165 bpfsec = prog->aux->security;
6166 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6167 BPF__PROG_RUN, NULL);
6168 }
6169
6170 static int selinux_bpf_map_alloc(struct bpf_map *map)
6171 {
6172 struct bpf_security_struct *bpfsec;
6173
6174 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6175 if (!bpfsec)
6176 return -ENOMEM;
6177
6178 bpfsec->sid = current_sid();
6179 map->security = bpfsec;
6180
6181 return 0;
6182 }
6183
6184 static void selinux_bpf_map_free(struct bpf_map *map)
6185 {
6186 struct bpf_security_struct *bpfsec = map->security;
6187
6188 map->security = NULL;
6189 kfree(bpfsec);
6190 }
6191
6192 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6193 {
6194 struct bpf_security_struct *bpfsec;
6195
6196 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6197 if (!bpfsec)
6198 return -ENOMEM;
6199
6200 bpfsec->sid = current_sid();
6201 aux->security = bpfsec;
6202
6203 return 0;
6204 }
6205
6206 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6207 {
6208 struct bpf_security_struct *bpfsec = aux->security;
6209
6210 aux->security = NULL;
6211 kfree(bpfsec);
6212 }
6213 #endif
6214
6215 struct lsm_blob_sizes selinux_blob_sizes = {
6216 .lbs_cred = sizeof(struct task_security_struct),
6217 .lbs_file = sizeof(struct file_security_struct),
6218 .lbs_inode = sizeof(struct inode_security_struct),
6219 .lbs_ipc = sizeof(struct ipc_security_struct),
6220 #ifdef CONFIG_KEYS
6221 .lbs_key = sizeof(struct key_security_struct),
6222 #endif /* CONFIG_KEYS */
6223 .lbs_msg_msg = sizeof(struct msg_security_struct),
6224 .lbs_sock = sizeof(struct sk_security_struct),
6225 .lbs_superblock = sizeof(struct superblock_security_struct),
6226 };
6227
6228 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6229 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6230 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6231 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6232 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6233
6234 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6235 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6236 LSM_HOOK_INIT(capget, selinux_capget),
6237 LSM_HOOK_INIT(capset, selinux_capset),
6238 LSM_HOOK_INIT(capable, selinux_capable),
6239 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6240 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6241 LSM_HOOK_INIT(syslog, selinux_syslog),
6242 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6243
6244 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6245
6246 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6247 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6248 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6249
6250 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6251 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6252 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6253 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6254 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6255 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6256 LSM_HOOK_INIT(sb_mount, selinux_mount),
6257 LSM_HOOK_INIT(sb_umount, selinux_umount),
6258 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6259 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6260 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6261
6262 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6263 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6264
6265 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6266 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6267 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6268 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6269 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6270 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6271 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6272 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6273 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6274 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6275 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6276 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6277 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6278 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6279 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6280 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6281 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6282 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6283 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6284 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6285 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6286 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6287 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6288 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6289 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6290 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6291 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6292
6293 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6294 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6295 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6296 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6297 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6298 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6299 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6300 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6301 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6302 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6303 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6304
6305 LSM_HOOK_INIT(file_open, selinux_file_open),
6306
6307 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6308 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6309 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6310 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6311 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6312 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6313 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6314 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6315 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6316 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6317 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6318 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6319 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6320 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6321 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6322 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6323 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6324 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6325 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6326 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6327 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6328
6329 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6330 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6331
6332 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6333
6334 LSM_HOOK_INIT(msg_queue_alloc_security,
6335 selinux_msg_queue_alloc_security),
6336 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6337 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6338 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6339 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6340
6341 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6342 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6343 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6344 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6345
6346 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6347 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6348 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6349 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6350
6351 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6352
6353 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6354 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6355
6356 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6357 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6358 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6359 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6360 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6361 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6362 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6363 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6364
6365 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6366 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6367
6368 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6369 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6370 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6371 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6372 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6373 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6374 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6375 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6376 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6377 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6378 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6379 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6380 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6381 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6382 LSM_HOOK_INIT(socket_getpeersec_stream,
6383 selinux_socket_getpeersec_stream),
6384 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6385 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6386 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6387 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6388 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6389 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6390 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6391 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6392 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6393 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6394 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6395 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6396 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6397 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6398 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6399 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6400 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6401 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6402 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6403 #ifdef CONFIG_SECURITY_INFINIBAND
6404 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6405 LSM_HOOK_INIT(ib_endport_manage_subnet,
6406 selinux_ib_endport_manage_subnet),
6407 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6408 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6409 #endif
6410 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6411 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6412 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6413 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6414 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6415 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6416 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6417 selinux_xfrm_state_alloc_acquire),
6418 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6419 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6420 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6421 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6422 selinux_xfrm_state_pol_flow_match),
6423 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6424 #endif
6425
6426 #ifdef CONFIG_KEYS
6427 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6428 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6429 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6430 #endif
6431
6432 #ifdef CONFIG_AUDIT
6433 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6434 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6435 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6436 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6437 #endif
6438
6439 #ifdef CONFIG_BPF_SYSCALL
6440 LSM_HOOK_INIT(bpf, selinux_bpf),
6441 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
6442 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
6443 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
6444 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
6445 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
6446 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
6447 #endif
6448 };
6449
6450 static __init int selinux_init(void)
6451 {
6452 static int finish;
6453
6454 if (!security_module_enable("selinux",
6455 IS_ENABLED(CONFIG_SECURITY_SELINUX_STACKED))) {
6456 selinux_enabled = 0;
6457 return 0;
6458 }
6459
6460 if (!finish) {
6461 security_add_blobs(&selinux_blob_sizes);
6462 finish = 1;
6463 return 0;
6464 }
6465
6466 if (!selinux_enabled) {
6467 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6468 return 0;
6469 }
6470
6471 printk(KERN_INFO "SELinux: Initializing.\n");
6472
6473 /* Set the security state for the initial task. */
6474 cred_init_security();
6475
6476 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6477
6478 avc_init();
6479
6480 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6481
6482 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6483 panic("SELinux: Unable to register AVC netcache callback\n");
6484
6485 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6486 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6487
6488 if (selinux_enforcing)
6489 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6490 else
6491 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6492
6493 return 0;
6494 }
6495
6496 static void delayed_superblock_init(struct super_block *sb, void *unused)
6497 {
6498 superblock_doinit(sb, NULL);
6499 }
6500
6501 void selinux_complete_init(void)
6502 {
6503 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6504
6505 /* Set up any superblocks initialized prior to the policy load. */
6506 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6507 iterate_supers(delayed_superblock_init, NULL);
6508 }
6509
6510 /* SELinux requires early initialization in order to label
6511 all processes and objects when they are created. */
6512 security_initcall(selinux_init);
6513
6514 #if defined(CONFIG_NETFILTER)
6515
6516 static const struct nf_hook_ops selinux_nf_ops[] = {
6517 {
6518 .hook = selinux_ipv4_postroute,
6519 .pf = NFPROTO_IPV4,
6520 .hooknum = NF_INET_POST_ROUTING,
6521 .priority = NF_IP_PRI_SELINUX_LAST,
6522 },
6523 {
6524 .hook = selinux_ipv4_forward,
6525 .pf = NFPROTO_IPV4,
6526 .hooknum = NF_INET_FORWARD,
6527 .priority = NF_IP_PRI_SELINUX_FIRST,
6528 },
6529 {
6530 .hook = selinux_ipv4_output,
6531 .pf = NFPROTO_IPV4,
6532 .hooknum = NF_INET_LOCAL_OUT,
6533 .priority = NF_IP_PRI_SELINUX_FIRST,
6534 },
6535 #if IS_ENABLED(CONFIG_IPV6)
6536 {
6537 .hook = selinux_ipv6_postroute,
6538 .pf = NFPROTO_IPV6,
6539 .hooknum = NF_INET_POST_ROUTING,
6540 .priority = NF_IP6_PRI_SELINUX_LAST,
6541 },
6542 {
6543 .hook = selinux_ipv6_forward,
6544 .pf = NFPROTO_IPV6,
6545 .hooknum = NF_INET_FORWARD,
6546 .priority = NF_IP6_PRI_SELINUX_FIRST,
6547 },
6548 {
6549 .hook = selinux_ipv6_output,
6550 .pf = NFPROTO_IPV6,
6551 .hooknum = NF_INET_LOCAL_OUT,
6552 .priority = NF_IP6_PRI_SELINUX_FIRST,
6553 },
6554 #endif /* IPV6 */
6555 };
6556
6557 static int __net_init selinux_nf_register(struct net *net)
6558 {
6559 return nf_register_net_hooks(net, selinux_nf_ops,
6560 ARRAY_SIZE(selinux_nf_ops));
6561 }
6562
6563 static void __net_exit selinux_nf_unregister(struct net *net)
6564 {
6565 nf_unregister_net_hooks(net, selinux_nf_ops,
6566 ARRAY_SIZE(selinux_nf_ops));
6567 }
6568
6569 static struct pernet_operations selinux_net_ops = {
6570 .init = selinux_nf_register,
6571 .exit = selinux_nf_unregister,
6572 };
6573
6574 static int __init selinux_nf_ip_init(void)
6575 {
6576 int err;
6577
6578 if (!selinux_enabled)
6579 return 0;
6580
6581 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6582
6583 err = register_pernet_subsys(&selinux_net_ops);
6584 if (err)
6585 panic("SELinux: register_pernet_subsys: error %d\n", err);
6586
6587 return 0;
6588 }
6589 __initcall(selinux_nf_ip_init);
6590
6591 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6592 static void selinux_nf_ip_exit(void)
6593 {
6594 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6595
6596 unregister_pernet_subsys(&selinux_net_ops);
6597 }
6598 #endif
6599
6600 #else /* CONFIG_NETFILTER */
6601
6602 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6603 #define selinux_nf_ip_exit()
6604 #endif
6605
6606 #endif /* CONFIG_NETFILTER */
6607
6608 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6609 static int selinux_disabled;
6610
6611 int selinux_disable(void)
6612 {
6613 if (ss_initialized) {
6614 /* Not permitted after initial policy load. */
6615 return -EINVAL;
6616 }
6617
6618 if (selinux_disabled) {
6619 /* Only do this once. */
6620 return -EINVAL;
6621 }
6622
6623 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6624
6625 selinux_disabled = 1;
6626 selinux_enabled = 0;
6627
6628 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6629
6630 /* Try to destroy the avc node cache */
6631 avc_disable();
6632
6633 /* Unregister netfilter hooks. */
6634 selinux_nf_ip_exit();
6635
6636 /* Unregister selinuxfs. */
6637 exit_sel_fs();
6638
6639 return 0;
6640 }
6641 #endif
ubuntu-bionic-kernel mirror