2 * NSA Security-Enhanced Linux (SELinux) security module
4 * This file contains the SELinux hook function implementations.
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
27 #include <linux/init.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount
= ATOMIC_INIT(0);
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing
;
107 static int __init
enforcing_setup(char *str
)
109 unsigned long enforcing
;
110 if (!kstrtoul(str
, 0, &enforcing
))
111 selinux_enforcing
= enforcing
? 1 : 0;
114 __setup("enforcing=", enforcing_setup
);
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled
= CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
;
120 static int __init
selinux_enabled_setup(char *str
)
122 unsigned long enabled
;
123 if (!kstrtoul(str
, 0, &enabled
))
124 selinux_enabled
= enabled
? 1 : 0;
127 __setup("selinux=", selinux_enabled_setup
);
129 int selinux_enabled
= 1;
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
139 * enabled, false (0) if SECMARK is disabled. If the always_check_network
140 * policy capability is enabled, SECMARK is always considered enabled.
143 static int selinux_secmark_enabled(void)
145 return (selinux_policycap_alwaysnetwork
|| atomic_read(&selinux_secmark_refcount
));
149 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
152 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
153 * (1) if any are enabled or false (0) if neither are enabled. If the
154 * always_check_network policy capability is enabled, peer labeling
155 * is always considered enabled.
158 static int selinux_peerlbl_enabled(void)
160 return (selinux_policycap_alwaysnetwork
|| netlbl_enabled() || selinux_xfrm_enabled());
163 static int selinux_netcache_avc_callback(u32 event
)
165 if (event
== AVC_CALLBACK_RESET
) {
174 static int selinux_lsm_notifier_avc_callback(u32 event
)
176 if (event
== AVC_CALLBACK_RESET
) {
178 call_lsm_notifier(LSM_POLICY_CHANGE
, NULL
);
185 * initialise the security for the init task
187 static void cred_init_security(void)
189 struct cred
*cred
= (struct cred
*) current
->real_cred
;
190 struct task_security_struct
*tsec
;
192 lsm_early_cred(cred
);
193 tsec
= selinux_cred(cred
);
194 tsec
->osid
= tsec
->sid
= SECINITSID_KERNEL
;
198 * get the security ID of a set of credentials
200 static inline u32
cred_sid(const struct cred
*cred
)
202 const struct task_security_struct
*tsec
;
204 tsec
= selinux_cred(cred
);
209 * get the objective security ID of a task
211 static inline u32
task_sid(const struct task_struct
*task
)
216 sid
= cred_sid(__task_cred(task
));
221 /* Allocate and free functions for each kind of security blob. */
223 static int inode_alloc_security(struct inode
*inode
)
225 struct inode_security_struct
*isec
= selinux_inode(inode
);
226 u32 sid
= current_sid();
228 spin_lock_init(&isec
->lock
);
229 INIT_LIST_HEAD(&isec
->list
);
231 isec
->sid
= SECINITSID_UNLABELED
;
232 isec
->sclass
= SECCLASS_FILE
;
233 isec
->task_sid
= sid
;
234 isec
->initialized
= LABEL_INVALID
;
239 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
);
242 * Try reloading inode security labels that have been marked as invalid. The
243 * @may_sleep parameter indicates when sleeping and thus reloading labels is
244 * allowed; when set to false, returns -ECHILD when the label is
245 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
246 * when no dentry is available, set it to NULL instead.
248 static int __inode_security_revalidate(struct inode
*inode
,
249 struct dentry
*opt_dentry
,
252 struct inode_security_struct
*isec
= selinux_inode(inode
);
254 might_sleep_if(may_sleep
);
256 if (ss_initialized
&& isec
->initialized
!= LABEL_INITIALIZED
) {
261 * Try reloading the inode security label. This will fail if
262 * @opt_dentry is NULL and no dentry for this inode can be
263 * found; in that case, continue using the old label.
265 inode_doinit_with_dentry(inode
, opt_dentry
);
270 static struct inode_security_struct
*inode_security_novalidate(struct inode
*inode
)
272 return selinux_inode(inode
);
275 static struct inode_security_struct
*inode_security_rcu(struct inode
*inode
, bool rcu
)
279 error
= __inode_security_revalidate(inode
, NULL
, !rcu
);
281 return ERR_PTR(error
);
282 return selinux_inode(inode
);
286 * Get the security label of an inode.
288 static struct inode_security_struct
*inode_security(struct inode
*inode
)
290 __inode_security_revalidate(inode
, NULL
, true);
291 return selinux_inode(inode
);
294 static struct inode_security_struct
*backing_inode_security_novalidate(struct dentry
*dentry
)
296 struct inode
*inode
= d_backing_inode(dentry
);
298 return selinux_inode(inode
);
302 * Get the security label of a dentry's backing inode.
304 static struct inode_security_struct
*backing_inode_security(struct dentry
*dentry
)
306 struct inode
*inode
= d_backing_inode(dentry
);
308 __inode_security_revalidate(inode
, dentry
, true);
309 return selinux_inode(inode
);
312 static void inode_free_security(struct inode
*inode
)
314 struct inode_security_struct
*isec
= selinux_inode(inode
);
315 struct superblock_security_struct
*sbsec
=
316 selinux_superblock(inode
->i_sb
);
319 * As not all inode security structures are in a list, we check for
320 * empty list outside of the lock to make sure that we won't waste
321 * time taking a lock doing nothing.
323 * The list_del_init() function can be safely called more than once.
324 * It should not be possible for this function to be called with
325 * concurrent list_add(), but for better safety against future changes
326 * in the code, we use list_empty_careful() here.
328 if (!list_empty_careful(&isec
->list
)) {
329 spin_lock(&sbsec
->isec_lock
);
330 list_del_init(&isec
->list
);
331 spin_unlock(&sbsec
->isec_lock
);
335 static int file_alloc_security(struct file
*file
)
337 struct file_security_struct
*fsec
= selinux_file(file
);
338 u32 sid
= current_sid();
341 fsec
->fown_sid
= sid
;
346 static int superblock_alloc_security(struct super_block
*sb
)
348 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
350 mutex_init(&sbsec
->lock
);
351 INIT_LIST_HEAD(&sbsec
->isec_head
);
352 spin_lock_init(&sbsec
->isec_lock
);
354 sbsec
->sid
= SECINITSID_UNLABELED
;
355 sbsec
->def_sid
= SECINITSID_FILE
;
356 sbsec
->mntpoint_sid
= SECINITSID_UNLABELED
;
361 static inline int inode_doinit(struct inode
*inode
)
363 return inode_doinit_with_dentry(inode
, NULL
);
372 Opt_labelsupport
= 5,
376 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
378 static const match_table_t tokens
= {
379 {Opt_context
, CONTEXT_STR
"%s"},
380 {Opt_fscontext
, FSCONTEXT_STR
"%s"},
381 {Opt_defcontext
, DEFCONTEXT_STR
"%s"},
382 {Opt_rootcontext
, ROOTCONTEXT_STR
"%s"},
383 {Opt_labelsupport
, LABELSUPP_STR
},
387 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
389 static int may_context_mount_sb_relabel(u32 sid
,
390 struct superblock_security_struct
*sbsec
,
391 const struct cred
*cred
)
393 const struct task_security_struct
*tsec
= selinux_cred(cred
);
396 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
397 FILESYSTEM__RELABELFROM
, NULL
);
401 rc
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_FILESYSTEM
,
402 FILESYSTEM__RELABELTO
, NULL
);
406 static int may_context_mount_inode_relabel(u32 sid
,
407 struct superblock_security_struct
*sbsec
,
408 const struct cred
*cred
)
410 const struct task_security_struct
*tsec
= selinux_cred(cred
);
412 rc
= avc_has_perm(tsec
->sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
413 FILESYSTEM__RELABELFROM
, NULL
);
417 rc
= avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
,
418 FILESYSTEM__ASSOCIATE
, NULL
);
422 static int selinux_is_sblabel_mnt(struct super_block
*sb
)
424 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
426 return sbsec
->behavior
== SECURITY_FS_USE_XATTR
||
427 sbsec
->behavior
== SECURITY_FS_USE_TRANS
||
428 sbsec
->behavior
== SECURITY_FS_USE_TASK
||
429 sbsec
->behavior
== SECURITY_FS_USE_NATIVE
||
430 /* Special handling. Genfs but also in-core setxattr handler */
431 !strcmp(sb
->s_type
->name
, "sysfs") ||
432 !strcmp(sb
->s_type
->name
, "pstore") ||
433 !strcmp(sb
->s_type
->name
, "debugfs") ||
434 !strcmp(sb
->s_type
->name
, "tracefs") ||
435 !strcmp(sb
->s_type
->name
, "rootfs") ||
436 (selinux_policycap_cgroupseclabel
&&
437 (!strcmp(sb
->s_type
->name
, "cgroup") ||
438 !strcmp(sb
->s_type
->name
, "cgroup2")));
441 static int sb_finish_set_opts(struct super_block
*sb
)
443 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
444 struct dentry
*root
= sb
->s_root
;
445 struct inode
*root_inode
= d_backing_inode(root
);
448 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
449 /* Make sure that the xattr handler exists and that no
450 error other than -ENODATA is returned by getxattr on
451 the root directory. -ENODATA is ok, as this may be
452 the first boot of the SELinux kernel before we have
453 assigned xattr values to the filesystem. */
454 if (!(root_inode
->i_opflags
& IOP_XATTR
)) {
455 printk(KERN_WARNING
"SELinux: (dev %s, type %s) has no "
456 "xattr support\n", sb
->s_id
, sb
->s_type
->name
);
461 rc
= __vfs_getxattr(root
, root_inode
, XATTR_NAME_SELINUX
, NULL
, 0);
462 if (rc
< 0 && rc
!= -ENODATA
) {
463 if (rc
== -EOPNOTSUPP
)
464 printk(KERN_WARNING
"SELinux: (dev %s, type "
465 "%s) has no security xattr handler\n",
466 sb
->s_id
, sb
->s_type
->name
);
468 printk(KERN_WARNING
"SELinux: (dev %s, type "
469 "%s) getxattr errno %d\n", sb
->s_id
,
470 sb
->s_type
->name
, -rc
);
475 sbsec
->flags
|= SE_SBINITIALIZED
;
478 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
479 * leave the flag untouched because sb_clone_mnt_opts might be handing
480 * us a superblock that needs the flag to be cleared.
482 if (selinux_is_sblabel_mnt(sb
))
483 sbsec
->flags
|= SBLABEL_MNT
;
485 sbsec
->flags
&= ~SBLABEL_MNT
;
487 /* Initialize the root inode. */
488 rc
= inode_doinit_with_dentry(root_inode
, root
);
490 /* Initialize any other inodes associated with the superblock, e.g.
491 inodes created prior to initial policy load or inodes created
492 during get_sb by a pseudo filesystem that directly
494 spin_lock(&sbsec
->isec_lock
);
496 if (!list_empty(&sbsec
->isec_head
)) {
497 struct inode_security_struct
*isec
=
498 list_entry(sbsec
->isec_head
.next
,
499 struct inode_security_struct
, list
);
500 struct inode
*inode
= isec
->inode
;
501 list_del_init(&isec
->list
);
502 spin_unlock(&sbsec
->isec_lock
);
503 inode
= igrab(inode
);
505 if (!IS_PRIVATE(inode
))
509 spin_lock(&sbsec
->isec_lock
);
512 spin_unlock(&sbsec
->isec_lock
);
518 * This function should allow an FS to ask what it's mount security
519 * options were so it can use those later for submounts, displaying
520 * mount options, or whatever.
522 static int selinux_get_mnt_opts(const struct super_block
*sb
,
523 struct security_mnt_opts
*opts
)
526 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
527 char *context
= NULL
;
531 security_init_mnt_opts(opts
);
533 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
539 /* make sure we always check enough bits to cover the mask */
540 BUILD_BUG_ON(SE_MNTMASK
>= (1 << NUM_SEL_MNT_OPTS
));
542 tmp
= sbsec
->flags
& SE_MNTMASK
;
543 /* count the number of mount options for this sb */
544 for (i
= 0; i
< NUM_SEL_MNT_OPTS
; i
++) {
546 opts
->num_mnt_opts
++;
549 /* Check if the Label support flag is set */
550 if (sbsec
->flags
& SBLABEL_MNT
)
551 opts
->num_mnt_opts
++;
553 opts
->mnt_opts
= kcalloc(opts
->num_mnt_opts
, sizeof(char *), GFP_ATOMIC
);
554 if (!opts
->mnt_opts
) {
559 opts
->mnt_opts_flags
= kcalloc(opts
->num_mnt_opts
, sizeof(int), GFP_ATOMIC
);
560 if (!opts
->mnt_opts_flags
) {
566 if (sbsec
->flags
& FSCONTEXT_MNT
) {
567 rc
= security_sid_to_context(sbsec
->sid
, &context
, &len
);
570 opts
->mnt_opts
[i
] = context
;
571 opts
->mnt_opts_flags
[i
++] = FSCONTEXT_MNT
;
573 if (sbsec
->flags
& CONTEXT_MNT
) {
574 rc
= security_sid_to_context(sbsec
->mntpoint_sid
, &context
, &len
);
577 opts
->mnt_opts
[i
] = context
;
578 opts
->mnt_opts_flags
[i
++] = CONTEXT_MNT
;
580 if (sbsec
->flags
& DEFCONTEXT_MNT
) {
581 rc
= security_sid_to_context(sbsec
->def_sid
, &context
, &len
);
584 opts
->mnt_opts
[i
] = context
;
585 opts
->mnt_opts_flags
[i
++] = DEFCONTEXT_MNT
;
587 if (sbsec
->flags
& ROOTCONTEXT_MNT
) {
588 struct dentry
*root
= sbsec
->sb
->s_root
;
589 struct inode_security_struct
*isec
=
590 backing_inode_security(root
);
592 rc
= security_sid_to_context(isec
->sid
, &context
, &len
);
595 opts
->mnt_opts
[i
] = context
;
596 opts
->mnt_opts_flags
[i
++] = ROOTCONTEXT_MNT
;
598 if (sbsec
->flags
& SBLABEL_MNT
) {
599 opts
->mnt_opts
[i
] = NULL
;
600 opts
->mnt_opts_flags
[i
++] = SBLABEL_MNT
;
603 BUG_ON(i
!= opts
->num_mnt_opts
);
608 security_free_mnt_opts(opts
);
612 static int bad_option(struct superblock_security_struct
*sbsec
, char flag
,
613 u32 old_sid
, u32 new_sid
)
615 char mnt_flags
= sbsec
->flags
& SE_MNTMASK
;
617 /* check if the old mount command had the same options */
618 if (sbsec
->flags
& SE_SBINITIALIZED
)
619 if (!(sbsec
->flags
& flag
) ||
620 (old_sid
!= new_sid
))
623 /* check if we were passed the same options twice,
624 * aka someone passed context=a,context=b
626 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
627 if (mnt_flags
& flag
)
633 * Allow filesystems with binary mount data to explicitly set mount point
634 * labeling information.
636 static int selinux_set_mnt_opts(struct super_block
*sb
,
637 struct security_mnt_opts
*opts
,
638 unsigned long kern_flags
,
639 unsigned long *set_kern_flags
)
641 const struct cred
*cred
= current_cred();
643 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
644 const char *name
= sb
->s_type
->name
;
645 struct dentry
*root
= sbsec
->sb
->s_root
;
646 struct inode_security_struct
*root_isec
;
647 u32 fscontext_sid
= 0, context_sid
= 0, rootcontext_sid
= 0;
648 u32 defcontext_sid
= 0;
649 char **mount_options
= opts
->mnt_opts
;
650 int *flags
= opts
->mnt_opts_flags
;
651 int num_opts
= opts
->num_mnt_opts
;
653 mutex_lock(&sbsec
->lock
);
655 if (!ss_initialized
) {
657 /* Defer initialization until selinux_complete_init,
658 after the initial policy is loaded and the security
659 server is ready to handle calls. */
663 printk(KERN_WARNING
"SELinux: Unable to set superblock options "
664 "before the security server is initialized\n");
667 if (kern_flags
&& !set_kern_flags
) {
668 /* Specifying internal flags without providing a place to
669 * place the results is not allowed */
675 * Binary mount data FS will come through this function twice. Once
676 * from an explicit call and once from the generic calls from the vfs.
677 * Since the generic VFS calls will not contain any security mount data
678 * we need to skip the double mount verification.
680 * This does open a hole in which we will not notice if the first
681 * mount using this sb set explict options and a second mount using
682 * this sb does not set any security options. (The first options
683 * will be used for both mounts)
685 if ((sbsec
->flags
& SE_SBINITIALIZED
) && (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
689 root_isec
= backing_inode_security_novalidate(root
);
692 * parse the mount options, check if they are valid sids.
693 * also check if someone is trying to mount the same sb more
694 * than once with different security options.
696 for (i
= 0; i
< num_opts
; i
++) {
699 if (flags
[i
] == SBLABEL_MNT
)
701 rc
= security_context_str_to_sid(mount_options
[i
], &sid
, GFP_KERNEL
);
703 printk(KERN_WARNING
"SELinux: security_context_str_to_sid"
704 "(%s) failed for (dev %s, type %s) errno=%d\n",
705 mount_options
[i
], sb
->s_id
, name
, rc
);
712 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
,
714 goto out_double_mount
;
716 sbsec
->flags
|= FSCONTEXT_MNT
;
721 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
,
723 goto out_double_mount
;
725 sbsec
->flags
|= CONTEXT_MNT
;
727 case ROOTCONTEXT_MNT
:
728 rootcontext_sid
= sid
;
730 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
,
732 goto out_double_mount
;
734 sbsec
->flags
|= ROOTCONTEXT_MNT
;
738 defcontext_sid
= sid
;
740 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
,
742 goto out_double_mount
;
744 sbsec
->flags
|= DEFCONTEXT_MNT
;
753 if (sbsec
->flags
& SE_SBINITIALIZED
) {
754 /* previously mounted with options, but not on this attempt? */
755 if ((sbsec
->flags
& SE_MNTMASK
) && !num_opts
)
756 goto out_double_mount
;
761 if (strcmp(sb
->s_type
->name
, "proc") == 0)
762 sbsec
->flags
|= SE_SBPROC
| SE_SBGENFS
;
764 if (!strcmp(sb
->s_type
->name
, "debugfs") ||
765 !strcmp(sb
->s_type
->name
, "tracefs") ||
766 !strcmp(sb
->s_type
->name
, "sysfs") ||
767 !strcmp(sb
->s_type
->name
, "pstore") ||
768 !strcmp(sb
->s_type
->name
, "cgroup") ||
769 !strcmp(sb
->s_type
->name
, "cgroup2"))
770 sbsec
->flags
|= SE_SBGENFS
;
772 if (!sbsec
->behavior
) {
774 * Determine the labeling behavior to use for this
777 rc
= security_fs_use(sb
);
780 "%s: security_fs_use(%s) returned %d\n",
781 __func__
, sb
->s_type
->name
, rc
);
787 * If this is a user namespace mount and the filesystem type is not
788 * explicitly whitelisted, then no contexts are allowed on the command
789 * line and security labels must be ignored.
791 if (sb
->s_user_ns
!= &init_user_ns
&&
792 strcmp(sb
->s_type
->name
, "tmpfs") &&
793 strcmp(sb
->s_type
->name
, "ramfs") &&
794 strcmp(sb
->s_type
->name
, "devpts")) {
795 if (context_sid
|| fscontext_sid
|| rootcontext_sid
||
800 if (sbsec
->behavior
== SECURITY_FS_USE_XATTR
) {
801 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
802 rc
= security_transition_sid(current_sid(), current_sid(),
804 &sbsec
->mntpoint_sid
);
811 /* sets the context of the superblock for the fs being mounted. */
813 rc
= may_context_mount_sb_relabel(fscontext_sid
, sbsec
, cred
);
817 sbsec
->sid
= fscontext_sid
;
821 * Switch to using mount point labeling behavior.
822 * sets the label used on all file below the mountpoint, and will set
823 * the superblock context if not already set.
825 if (kern_flags
& SECURITY_LSM_NATIVE_LABELS
&& !context_sid
) {
826 sbsec
->behavior
= SECURITY_FS_USE_NATIVE
;
827 *set_kern_flags
|= SECURITY_LSM_NATIVE_LABELS
;
831 if (!fscontext_sid
) {
832 rc
= may_context_mount_sb_relabel(context_sid
, sbsec
,
836 sbsec
->sid
= context_sid
;
838 rc
= may_context_mount_inode_relabel(context_sid
, sbsec
,
843 if (!rootcontext_sid
)
844 rootcontext_sid
= context_sid
;
846 sbsec
->mntpoint_sid
= context_sid
;
847 sbsec
->behavior
= SECURITY_FS_USE_MNTPOINT
;
850 if (rootcontext_sid
) {
851 rc
= may_context_mount_inode_relabel(rootcontext_sid
, sbsec
,
856 root_isec
->sid
= rootcontext_sid
;
857 root_isec
->initialized
= LABEL_INITIALIZED
;
860 if (defcontext_sid
) {
861 if (sbsec
->behavior
!= SECURITY_FS_USE_XATTR
&&
862 sbsec
->behavior
!= SECURITY_FS_USE_NATIVE
) {
864 printk(KERN_WARNING
"SELinux: defcontext option is "
865 "invalid for this filesystem type\n");
869 if (defcontext_sid
!= sbsec
->def_sid
) {
870 rc
= may_context_mount_inode_relabel(defcontext_sid
,
876 sbsec
->def_sid
= defcontext_sid
;
880 rc
= sb_finish_set_opts(sb
);
882 mutex_unlock(&sbsec
->lock
);
886 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, different "
887 "security settings for (dev %s, type %s)\n", sb
->s_id
, name
);
891 static int selinux_cmp_sb_context(const struct super_block
*oldsb
,
892 const struct super_block
*newsb
)
894 struct superblock_security_struct
*old
= selinux_superblock(oldsb
);
895 struct superblock_security_struct
*new = selinux_superblock(newsb
);
896 char oldflags
= old
->flags
& SE_MNTMASK
;
897 char newflags
= new->flags
& SE_MNTMASK
;
899 if (oldflags
!= newflags
)
901 if ((oldflags
& FSCONTEXT_MNT
) && old
->sid
!= new->sid
)
903 if ((oldflags
& CONTEXT_MNT
) && old
->mntpoint_sid
!= new->mntpoint_sid
)
905 if ((oldflags
& DEFCONTEXT_MNT
) && old
->def_sid
!= new->def_sid
)
907 if (oldflags
& ROOTCONTEXT_MNT
) {
908 struct inode_security_struct
*oldroot
= backing_inode_security(oldsb
->s_root
);
909 struct inode_security_struct
*newroot
= backing_inode_security(newsb
->s_root
);
910 if (oldroot
->sid
!= newroot
->sid
)
915 printk(KERN_WARNING
"SELinux: mount invalid. Same superblock, "
916 "different security settings for (dev %s, "
917 "type %s)\n", newsb
->s_id
, newsb
->s_type
->name
);
921 static int selinux_sb_clone_mnt_opts(const struct super_block
*oldsb
,
922 struct super_block
*newsb
,
923 unsigned long kern_flags
,
924 unsigned long *set_kern_flags
)
927 const struct superblock_security_struct
*oldsbsec
=
928 selinux_superblock(oldsb
);
929 struct superblock_security_struct
*newsbsec
= selinux_superblock(newsb
);
931 int set_fscontext
= (oldsbsec
->flags
& FSCONTEXT_MNT
);
932 int set_context
= (oldsbsec
->flags
& CONTEXT_MNT
);
933 int set_rootcontext
= (oldsbsec
->flags
& ROOTCONTEXT_MNT
);
936 * if the parent was able to be mounted it clearly had no special lsm
937 * mount options. thus we can safely deal with this superblock later
943 * Specifying internal flags without providing a place to
944 * place the results is not allowed.
946 if (kern_flags
&& !set_kern_flags
)
949 /* how can we clone if the old one wasn't set up?? */
950 BUG_ON(!(oldsbsec
->flags
& SE_SBINITIALIZED
));
952 /* if fs is reusing a sb, make sure that the contexts match */
953 if (newsbsec
->flags
& SE_SBINITIALIZED
)
954 return selinux_cmp_sb_context(oldsb
, newsb
);
956 mutex_lock(&newsbsec
->lock
);
958 newsbsec
->flags
= oldsbsec
->flags
;
960 newsbsec
->sid
= oldsbsec
->sid
;
961 newsbsec
->def_sid
= oldsbsec
->def_sid
;
962 newsbsec
->behavior
= oldsbsec
->behavior
;
964 if (newsbsec
->behavior
== SECURITY_FS_USE_NATIVE
&&
965 !(kern_flags
& SECURITY_LSM_NATIVE_LABELS
) && !set_context
) {
966 rc
= security_fs_use(newsb
);
971 if (kern_flags
& SECURITY_LSM_NATIVE_LABELS
&& !set_context
) {
972 newsbsec
->behavior
= SECURITY_FS_USE_NATIVE
;
973 *set_kern_flags
|= SECURITY_LSM_NATIVE_LABELS
;
977 u32 sid
= oldsbsec
->mntpoint_sid
;
981 if (!set_rootcontext
) {
982 struct inode_security_struct
*newisec
=
983 backing_inode_security(newsb
->s_root
);
986 newsbsec
->mntpoint_sid
= sid
;
988 if (set_rootcontext
) {
989 const struct inode_security_struct
*oldisec
=
990 backing_inode_security(oldsb
->s_root
);
991 struct inode_security_struct
*newisec
=
992 backing_inode_security(newsb
->s_root
);
994 newisec
->sid
= oldisec
->sid
;
997 sb_finish_set_opts(newsb
);
999 mutex_unlock(&newsbsec
->lock
);
1003 static int selinux_parse_opts_str(char *options
,
1004 struct security_mnt_opts
*opts
)
1007 char *context
= NULL
, *defcontext
= NULL
;
1008 char *fscontext
= NULL
, *rootcontext
= NULL
;
1009 int rc
, num_mnt_opts
= 0;
1011 opts
->num_mnt_opts
= 0;
1013 /* Standard string-based options. */
1014 while ((p
= strsep(&options
, "|")) != NULL
) {
1016 substring_t args
[MAX_OPT_ARGS
];
1021 token
= match_token(p
, tokens
, args
);
1025 if (context
|| defcontext
) {
1027 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1030 context
= match_strdup(&args
[0]);
1040 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1043 fscontext
= match_strdup(&args
[0]);
1050 case Opt_rootcontext
:
1053 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1056 rootcontext
= match_strdup(&args
[0]);
1063 case Opt_defcontext
:
1064 if (context
|| defcontext
) {
1066 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG
);
1069 defcontext
= match_strdup(&args
[0]);
1075 case Opt_labelsupport
:
1079 printk(KERN_WARNING
"SELinux: unknown mount option\n");
1086 opts
->mnt_opts
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(char *), GFP_KERNEL
);
1087 if (!opts
->mnt_opts
)
1090 opts
->mnt_opts_flags
= kcalloc(NUM_SEL_MNT_OPTS
, sizeof(int),
1092 if (!opts
->mnt_opts_flags
)
1096 opts
->mnt_opts
[num_mnt_opts
] = fscontext
;
1097 opts
->mnt_opts_flags
[num_mnt_opts
++] = FSCONTEXT_MNT
;
1100 opts
->mnt_opts
[num_mnt_opts
] = context
;
1101 opts
->mnt_opts_flags
[num_mnt_opts
++] = CONTEXT_MNT
;
1104 opts
->mnt_opts
[num_mnt_opts
] = rootcontext
;
1105 opts
->mnt_opts_flags
[num_mnt_opts
++] = ROOTCONTEXT_MNT
;
1108 opts
->mnt_opts
[num_mnt_opts
] = defcontext
;
1109 opts
->mnt_opts_flags
[num_mnt_opts
++] = DEFCONTEXT_MNT
;
1112 opts
->num_mnt_opts
= num_mnt_opts
;
1116 security_free_mnt_opts(opts
);
1124 * string mount options parsing and call set the sbsec
1126 static int superblock_doinit(struct super_block
*sb
, void *data
)
1129 char *options
= data
;
1130 struct security_mnt_opts opts
;
1132 security_init_mnt_opts(&opts
);
1137 BUG_ON(sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
);
1139 rc
= selinux_parse_opts_str(options
, &opts
);
1144 rc
= selinux_set_mnt_opts(sb
, &opts
, 0, NULL
);
1147 security_free_mnt_opts(&opts
);
1151 static void selinux_write_opts(struct seq_file
*m
,
1152 struct security_mnt_opts
*opts
)
1157 for (i
= 0; i
< opts
->num_mnt_opts
; i
++) {
1160 if (opts
->mnt_opts
[i
])
1161 has_comma
= strchr(opts
->mnt_opts
[i
], ',');
1165 switch (opts
->mnt_opts_flags
[i
]) {
1167 prefix
= CONTEXT_STR
;
1170 prefix
= FSCONTEXT_STR
;
1172 case ROOTCONTEXT_MNT
:
1173 prefix
= ROOTCONTEXT_STR
;
1175 case DEFCONTEXT_MNT
:
1176 prefix
= DEFCONTEXT_STR
;
1180 seq_puts(m
, LABELSUPP_STR
);
1186 /* we need a comma before each option */
1188 seq_puts(m
, prefix
);
1191 seq_escape(m
, opts
->mnt_opts
[i
], "\"\n\\");
1197 static int selinux_sb_show_options(struct seq_file
*m
, struct super_block
*sb
)
1199 struct security_mnt_opts opts
;
1202 rc
= selinux_get_mnt_opts(sb
, &opts
);
1204 /* before policy load we may get EINVAL, don't show anything */
1210 selinux_write_opts(m
, &opts
);
1212 security_free_mnt_opts(&opts
);
1217 static inline u16
inode_mode_to_security_class(umode_t mode
)
1219 switch (mode
& S_IFMT
) {
1221 return SECCLASS_SOCK_FILE
;
1223 return SECCLASS_LNK_FILE
;
1225 return SECCLASS_FILE
;
1227 return SECCLASS_BLK_FILE
;
1229 return SECCLASS_DIR
;
1231 return SECCLASS_CHR_FILE
;
1233 return SECCLASS_FIFO_FILE
;
1237 return SECCLASS_FILE
;
1240 static inline int default_protocol_stream(int protocol
)
1242 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_TCP
);
1245 static inline int default_protocol_dgram(int protocol
)
1247 return (protocol
== IPPROTO_IP
|| protocol
== IPPROTO_UDP
);
1250 static inline u16
socket_type_to_security_class(int family
, int type
, int protocol
)
1252 int extsockclass
= selinux_policycap_extsockclass
;
1258 case SOCK_SEQPACKET
:
1259 return SECCLASS_UNIX_STREAM_SOCKET
;
1262 return SECCLASS_UNIX_DGRAM_SOCKET
;
1269 case SOCK_SEQPACKET
:
1270 if (default_protocol_stream(protocol
))
1271 return SECCLASS_TCP_SOCKET
;
1272 else if (extsockclass
&& protocol
== IPPROTO_SCTP
)
1273 return SECCLASS_SCTP_SOCKET
;
1275 return SECCLASS_RAWIP_SOCKET
;
1277 if (default_protocol_dgram(protocol
))
1278 return SECCLASS_UDP_SOCKET
;
1279 else if (extsockclass
&& (protocol
== IPPROTO_ICMP
||
1280 protocol
== IPPROTO_ICMPV6
))
1281 return SECCLASS_ICMP_SOCKET
;
1283 return SECCLASS_RAWIP_SOCKET
;
1285 return SECCLASS_DCCP_SOCKET
;
1287 return SECCLASS_RAWIP_SOCKET
;
1293 return SECCLASS_NETLINK_ROUTE_SOCKET
;
1294 case NETLINK_SOCK_DIAG
:
1295 return SECCLASS_NETLINK_TCPDIAG_SOCKET
;
1297 return SECCLASS_NETLINK_NFLOG_SOCKET
;
1299 return SECCLASS_NETLINK_XFRM_SOCKET
;
1300 case NETLINK_SELINUX
:
1301 return SECCLASS_NETLINK_SELINUX_SOCKET
;
1303 return SECCLASS_NETLINK_ISCSI_SOCKET
;
1305 return SECCLASS_NETLINK_AUDIT_SOCKET
;
1306 case NETLINK_FIB_LOOKUP
:
1307 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET
;
1308 case NETLINK_CONNECTOR
:
1309 return SECCLASS_NETLINK_CONNECTOR_SOCKET
;
1310 case NETLINK_NETFILTER
:
1311 return SECCLASS_NETLINK_NETFILTER_SOCKET
;
1312 case NETLINK_DNRTMSG
:
1313 return SECCLASS_NETLINK_DNRT_SOCKET
;
1314 case NETLINK_KOBJECT_UEVENT
:
1315 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET
;
1316 case NETLINK_GENERIC
:
1317 return SECCLASS_NETLINK_GENERIC_SOCKET
;
1318 case NETLINK_SCSITRANSPORT
:
1319 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET
;
1321 return SECCLASS_NETLINK_RDMA_SOCKET
;
1322 case NETLINK_CRYPTO
:
1323 return SECCLASS_NETLINK_CRYPTO_SOCKET
;
1325 return SECCLASS_NETLINK_SOCKET
;
1328 return SECCLASS_PACKET_SOCKET
;
1330 return SECCLASS_KEY_SOCKET
;
1332 return SECCLASS_APPLETALK_SOCKET
;
1338 return SECCLASS_AX25_SOCKET
;
1340 return SECCLASS_IPX_SOCKET
;
1342 return SECCLASS_NETROM_SOCKET
;
1344 return SECCLASS_ATMPVC_SOCKET
;
1346 return SECCLASS_X25_SOCKET
;
1348 return SECCLASS_ROSE_SOCKET
;
1350 return SECCLASS_DECNET_SOCKET
;
1352 return SECCLASS_ATMSVC_SOCKET
;
1354 return SECCLASS_RDS_SOCKET
;
1356 return SECCLASS_IRDA_SOCKET
;
1358 return SECCLASS_PPPOX_SOCKET
;
1360 return SECCLASS_LLC_SOCKET
;
1362 return SECCLASS_CAN_SOCKET
;
1364 return SECCLASS_TIPC_SOCKET
;
1366 return SECCLASS_BLUETOOTH_SOCKET
;
1368 return SECCLASS_IUCV_SOCKET
;
1370 return SECCLASS_RXRPC_SOCKET
;
1372 return SECCLASS_ISDN_SOCKET
;
1374 return SECCLASS_PHONET_SOCKET
;
1376 return SECCLASS_IEEE802154_SOCKET
;
1378 return SECCLASS_CAIF_SOCKET
;
1380 return SECCLASS_ALG_SOCKET
;
1382 return SECCLASS_NFC_SOCKET
;
1384 return SECCLASS_VSOCK_SOCKET
;
1386 return SECCLASS_KCM_SOCKET
;
1388 return SECCLASS_QIPCRTR_SOCKET
;
1390 return SECCLASS_SMC_SOCKET
;
1392 #error New address family defined, please update this function.
1397 return SECCLASS_SOCKET
;
1400 static int selinux_genfs_get_sid(struct dentry
*dentry
,
1406 struct super_block
*sb
= dentry
->d_sb
;
1407 char *buffer
, *path
;
1409 buffer
= (char *)__get_free_page(GFP_KERNEL
);
1413 path
= dentry_path_raw(dentry
, buffer
, PAGE_SIZE
);
1417 if (flags
& SE_SBPROC
) {
1418 /* each process gets a /proc/PID/ entry. Strip off the
1419 * PID part to get a valid selinux labeling.
1420 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1421 while (path
[1] >= '0' && path
[1] <= '9') {
1426 rc
= security_genfs_sid(sb
->s_type
->name
, path
, tclass
, sid
);
1428 free_page((unsigned long)buffer
);
1432 /* The inode's security attributes must be initialized before first use. */
1433 static int inode_doinit_with_dentry(struct inode
*inode
, struct dentry
*opt_dentry
)
1435 struct superblock_security_struct
*sbsec
= NULL
;
1436 struct inode_security_struct
*isec
= selinux_inode(inode
);
1437 u32 task_sid
, sid
= 0;
1439 struct dentry
*dentry
;
1440 #define INITCONTEXTLEN 255
1441 char *context
= NULL
;
1445 if (isec
->initialized
== LABEL_INITIALIZED
)
1448 spin_lock(&isec
->lock
);
1449 if (isec
->initialized
== LABEL_INITIALIZED
)
1452 if (isec
->sclass
== SECCLASS_FILE
)
1453 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
1455 sbsec
= selinux_superblock(inode
->i_sb
);
1456 if (!(sbsec
->flags
& SE_SBINITIALIZED
)) {
1457 /* Defer initialization until selinux_complete_init,
1458 after the initial policy is loaded and the security
1459 server is ready to handle calls. */
1460 spin_lock(&sbsec
->isec_lock
);
1461 if (list_empty(&isec
->list
))
1462 list_add(&isec
->list
, &sbsec
->isec_head
);
1463 spin_unlock(&sbsec
->isec_lock
);
1467 sclass
= isec
->sclass
;
1468 task_sid
= isec
->task_sid
;
1470 isec
->initialized
= LABEL_PENDING
;
1471 spin_unlock(&isec
->lock
);
1473 switch (sbsec
->behavior
) {
1474 case SECURITY_FS_USE_NATIVE
:
1476 case SECURITY_FS_USE_XATTR
:
1477 if (!(inode
->i_opflags
& IOP_XATTR
)) {
1478 sid
= sbsec
->def_sid
;
1481 /* Need a dentry, since the xattr API requires one.
1482 Life would be simpler if we could just pass the inode. */
1484 /* Called from d_instantiate or d_splice_alias. */
1485 dentry
= dget(opt_dentry
);
1488 * Called from selinux_complete_init, try to find a dentry.
1489 * Some filesystems really want a connected one, so try
1490 * that first. We could split SECURITY_FS_USE_XATTR in
1491 * two, depending upon that...
1493 dentry
= d_find_alias(inode
);
1495 dentry
= d_find_any_alias(inode
);
1499 * this is can be hit on boot when a file is accessed
1500 * before the policy is loaded. When we load policy we
1501 * may find inodes that have no dentry on the
1502 * sbsec->isec_head list. No reason to complain as these
1503 * will get fixed up the next time we go through
1504 * inode_doinit with a dentry, before these inodes could
1505 * be used again by userspace.
1510 len
= INITCONTEXTLEN
;
1511 context
= kmalloc(len
+1, GFP_NOFS
);
1517 context
[len
] = '\0';
1518 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, context
, len
);
1519 if (rc
== -ERANGE
) {
1522 /* Need a larger buffer. Query for the right size. */
1523 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, NULL
, 0);
1529 context
= kmalloc(len
+1, GFP_NOFS
);
1535 context
[len
] = '\0';
1536 rc
= __vfs_getxattr(dentry
, inode
, XATTR_NAME_SELINUX
, context
, len
);
1540 if (rc
!= -ENODATA
) {
1541 printk(KERN_WARNING
"SELinux: %s: getxattr returned "
1542 "%d for dev=%s ino=%ld\n", __func__
,
1543 -rc
, inode
->i_sb
->s_id
, inode
->i_ino
);
1547 /* Map ENODATA to the default file SID */
1548 sid
= sbsec
->def_sid
;
1551 rc
= security_context_to_sid_default(context
, rc
, &sid
,
1555 char *dev
= inode
->i_sb
->s_id
;
1556 unsigned long ino
= inode
->i_ino
;
1558 if (rc
== -EINVAL
) {
1559 if (printk_ratelimit())
1560 printk(KERN_NOTICE
"SELinux: inode=%lu on dev=%s was found to have an invalid "
1561 "context=%s. This indicates you may need to relabel the inode or the "
1562 "filesystem in question.\n", ino
, dev
, context
);
1564 printk(KERN_WARNING
"SELinux: %s: context_to_sid(%s) "
1565 "returned %d for dev=%s ino=%ld\n",
1566 __func__
, context
, -rc
, dev
, ino
);
1569 /* Leave with the unlabeled SID */
1576 case SECURITY_FS_USE_TASK
:
1579 case SECURITY_FS_USE_TRANS
:
1580 /* Default to the fs SID. */
1583 /* Try to obtain a transition SID. */
1584 rc
= security_transition_sid(task_sid
, sid
, sclass
, NULL
, &sid
);
1588 case SECURITY_FS_USE_MNTPOINT
:
1589 sid
= sbsec
->mntpoint_sid
;
1592 /* Default to the fs superblock SID. */
1595 if ((sbsec
->flags
& SE_SBGENFS
) && !S_ISLNK(inode
->i_mode
)) {
1596 /* We must have a dentry to determine the label on
1599 /* Called from d_instantiate or
1600 * d_splice_alias. */
1601 dentry
= dget(opt_dentry
);
1603 /* Called from selinux_complete_init, try to
1604 * find a dentry. Some filesystems really want
1605 * a connected one, so try that first.
1607 dentry
= d_find_alias(inode
);
1609 dentry
= d_find_any_alias(inode
);
1612 * This can be hit on boot when a file is accessed
1613 * before the policy is loaded. When we load policy we
1614 * may find inodes that have no dentry on the
1615 * sbsec->isec_head list. No reason to complain as
1616 * these will get fixed up the next time we go through
1617 * inode_doinit() with a dentry, before these inodes
1618 * could be used again by userspace.
1622 rc
= selinux_genfs_get_sid(dentry
, sclass
,
1623 sbsec
->flags
, &sid
);
1632 spin_lock(&isec
->lock
);
1633 if (isec
->initialized
== LABEL_PENDING
) {
1635 isec
->initialized
= LABEL_INVALID
;
1639 isec
->initialized
= LABEL_INITIALIZED
;
1644 spin_unlock(&isec
->lock
);
1648 /* Convert a Linux signal to an access vector. */
1649 static inline u32
signal_to_av(int sig
)
1655 /* Commonly granted from child to parent. */
1656 perm
= PROCESS__SIGCHLD
;
1659 /* Cannot be caught or ignored */
1660 perm
= PROCESS__SIGKILL
;
1663 /* Cannot be caught or ignored */
1664 perm
= PROCESS__SIGSTOP
;
1667 /* All other signals. */
1668 perm
= PROCESS__SIGNAL
;
1675 #if CAP_LAST_CAP > 63
1676 #error Fix SELinux to handle capabilities > 63.
1679 /* Check whether a task is allowed to use a capability. */
1680 static int cred_has_capability(const struct cred
*cred
,
1681 int cap
, int audit
, bool initns
)
1683 struct common_audit_data ad
;
1684 struct av_decision avd
;
1686 u32 sid
= cred_sid(cred
);
1687 u32 av
= CAP_TO_MASK(cap
);
1690 ad
.type
= LSM_AUDIT_DATA_CAP
;
1693 switch (CAP_TO_INDEX(cap
)) {
1695 sclass
= initns
? SECCLASS_CAPABILITY
: SECCLASS_CAP_USERNS
;
1698 sclass
= initns
? SECCLASS_CAPABILITY2
: SECCLASS_CAP2_USERNS
;
1702 "SELinux: out of range capability %d\n", cap
);
1707 rc
= avc_has_perm_noaudit(sid
, sid
, sclass
, av
, 0, &avd
);
1708 if (audit
== SECURITY_CAP_AUDIT
) {
1709 int rc2
= avc_audit(sid
, sid
, sclass
, av
, &avd
, rc
, &ad
, 0);
1716 /* Check whether a task has a particular permission to an inode.
1717 The 'adp' parameter is optional and allows other audit
1718 data to be passed (e.g. the dentry). */
1719 static int inode_has_perm(const struct cred
*cred
,
1720 struct inode
*inode
,
1722 struct common_audit_data
*adp
)
1724 struct inode_security_struct
*isec
;
1727 validate_creds(cred
);
1729 if (unlikely(IS_PRIVATE(inode
)))
1732 sid
= cred_sid(cred
);
1733 isec
= selinux_inode(inode
);
1735 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, adp
);
1738 /* Same as inode_has_perm, but pass explicit audit data containing
1739 the dentry to help the auditing code to more easily generate the
1740 pathname if needed. */
1741 static inline int dentry_has_perm(const struct cred
*cred
,
1742 struct dentry
*dentry
,
1745 struct inode
*inode
= d_backing_inode(dentry
);
1746 struct common_audit_data ad
;
1748 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1749 ad
.u
.dentry
= dentry
;
1750 __inode_security_revalidate(inode
, dentry
, true);
1751 return inode_has_perm(cred
, inode
, av
, &ad
);
1754 /* Same as inode_has_perm, but pass explicit audit data containing
1755 the path to help the auditing code to more easily generate the
1756 pathname if needed. */
1757 static inline int path_has_perm(const struct cred
*cred
,
1758 const struct path
*path
,
1761 struct inode
*inode
= d_backing_inode(path
->dentry
);
1762 struct common_audit_data ad
;
1764 ad
.type
= LSM_AUDIT_DATA_PATH
;
1766 __inode_security_revalidate(inode
, path
->dentry
, true);
1767 return inode_has_perm(cred
, inode
, av
, &ad
);
1770 /* Same as path_has_perm, but uses the inode from the file struct. */
1771 static inline int file_path_has_perm(const struct cred
*cred
,
1775 struct common_audit_data ad
;
1777 ad
.type
= LSM_AUDIT_DATA_FILE
;
1779 return inode_has_perm(cred
, file_inode(file
), av
, &ad
);
1782 #ifdef CONFIG_BPF_SYSCALL
1783 static int bpf_fd_pass(struct file
*file
, u32 sid
);
1786 /* Check whether a task can use an open file descriptor to
1787 access an inode in a given way. Check access to the
1788 descriptor itself, and then use dentry_has_perm to
1789 check a particular permission to the file.
1790 Access to the descriptor is implicitly granted if it
1791 has the same SID as the process. If av is zero, then
1792 access to the file is not checked, e.g. for cases
1793 where only the descriptor is affected like seek. */
1794 static int file_has_perm(const struct cred
*cred
,
1798 struct file_security_struct
*fsec
= selinux_file(file
);
1799 struct inode
*inode
= file_inode(file
);
1800 struct common_audit_data ad
;
1801 u32 sid
= cred_sid(cred
);
1804 ad
.type
= LSM_AUDIT_DATA_FILE
;
1807 if (sid
!= fsec
->sid
) {
1808 rc
= avc_has_perm(sid
, fsec
->sid
,
1816 #ifdef CONFIG_BPF_SYSCALL
1817 rc
= bpf_fd_pass(file
, cred_sid(cred
));
1822 /* av is zero if only checking access to the descriptor. */
1825 rc
= inode_has_perm(cred
, inode
, av
, &ad
);
1832 * Determine the label for an inode that might be unioned.
1835 selinux_determine_inode_label(const struct task_security_struct
*tsec
,
1837 const struct qstr
*name
, u16 tclass
,
1840 const struct superblock_security_struct
*sbsec
=
1841 selinux_superblock(dir
->i_sb
);
1843 if ((sbsec
->flags
& SE_SBINITIALIZED
) &&
1844 (sbsec
->behavior
== SECURITY_FS_USE_MNTPOINT
)) {
1845 *_new_isid
= sbsec
->mntpoint_sid
;
1846 } else if ((sbsec
->flags
& SBLABEL_MNT
) &&
1848 *_new_isid
= tsec
->create_sid
;
1850 const struct inode_security_struct
*dsec
= inode_security(dir
);
1851 return security_transition_sid(tsec
->sid
, dsec
->sid
, tclass
,
1858 /* Check whether a task can create a file. */
1859 static int may_create(struct inode
*dir
,
1860 struct dentry
*dentry
,
1863 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
1864 struct inode_security_struct
*dsec
;
1865 struct superblock_security_struct
*sbsec
;
1867 struct common_audit_data ad
;
1870 dsec
= inode_security(dir
);
1871 sbsec
= selinux_superblock(dir
->i_sb
);
1875 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1876 ad
.u
.dentry
= dentry
;
1878 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
,
1879 DIR__ADD_NAME
| DIR__SEARCH
,
1884 rc
= selinux_determine_inode_label(selinux_cred(current_cred()), dir
,
1885 &dentry
->d_name
, tclass
, &newsid
);
1889 rc
= avc_has_perm(sid
, newsid
, tclass
, FILE__CREATE
, &ad
);
1893 return avc_has_perm(newsid
, sbsec
->sid
,
1894 SECCLASS_FILESYSTEM
,
1895 FILESYSTEM__ASSOCIATE
, &ad
);
1899 #define MAY_UNLINK 1
1902 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1903 static int may_link(struct inode
*dir
,
1904 struct dentry
*dentry
,
1908 struct inode_security_struct
*dsec
, *isec
;
1909 struct common_audit_data ad
;
1910 u32 sid
= current_sid();
1914 dsec
= inode_security(dir
);
1915 isec
= backing_inode_security(dentry
);
1917 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1918 ad
.u
.dentry
= dentry
;
1921 av
|= (kind
? DIR__REMOVE_NAME
: DIR__ADD_NAME
);
1922 rc
= avc_has_perm(sid
, dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1937 printk(KERN_WARNING
"SELinux: %s: unrecognized kind %d\n",
1942 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
, av
, &ad
);
1946 static inline int may_rename(struct inode
*old_dir
,
1947 struct dentry
*old_dentry
,
1948 struct inode
*new_dir
,
1949 struct dentry
*new_dentry
)
1951 struct inode_security_struct
*old_dsec
, *new_dsec
, *old_isec
, *new_isec
;
1952 struct common_audit_data ad
;
1953 u32 sid
= current_sid();
1955 int old_is_dir
, new_is_dir
;
1958 old_dsec
= inode_security(old_dir
);
1959 old_isec
= backing_inode_security(old_dentry
);
1960 old_is_dir
= d_is_dir(old_dentry
);
1961 new_dsec
= inode_security(new_dir
);
1963 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
1965 ad
.u
.dentry
= old_dentry
;
1966 rc
= avc_has_perm(sid
, old_dsec
->sid
, SECCLASS_DIR
,
1967 DIR__REMOVE_NAME
| DIR__SEARCH
, &ad
);
1970 rc
= avc_has_perm(sid
, old_isec
->sid
,
1971 old_isec
->sclass
, FILE__RENAME
, &ad
);
1974 if (old_is_dir
&& new_dir
!= old_dir
) {
1975 rc
= avc_has_perm(sid
, old_isec
->sid
,
1976 old_isec
->sclass
, DIR__REPARENT
, &ad
);
1981 ad
.u
.dentry
= new_dentry
;
1982 av
= DIR__ADD_NAME
| DIR__SEARCH
;
1983 if (d_is_positive(new_dentry
))
1984 av
|= DIR__REMOVE_NAME
;
1985 rc
= avc_has_perm(sid
, new_dsec
->sid
, SECCLASS_DIR
, av
, &ad
);
1988 if (d_is_positive(new_dentry
)) {
1989 new_isec
= backing_inode_security(new_dentry
);
1990 new_is_dir
= d_is_dir(new_dentry
);
1991 rc
= avc_has_perm(sid
, new_isec
->sid
,
1993 (new_is_dir
? DIR__RMDIR
: FILE__UNLINK
), &ad
);
2001 /* Check whether a task can perform a filesystem operation. */
2002 static int superblock_has_perm(const struct cred
*cred
,
2003 struct super_block
*sb
,
2005 struct common_audit_data
*ad
)
2007 struct superblock_security_struct
*sbsec
;
2008 u32 sid
= cred_sid(cred
);
2010 sbsec
= selinux_superblock(sb
);
2011 return avc_has_perm(sid
, sbsec
->sid
, SECCLASS_FILESYSTEM
, perms
, ad
);
2014 /* Convert a Linux mode and permission mask to an access vector. */
2015 static inline u32
file_mask_to_av(int mode
, int mask
)
2019 if (!S_ISDIR(mode
)) {
2020 if (mask
& MAY_EXEC
)
2021 av
|= FILE__EXECUTE
;
2022 if (mask
& MAY_READ
)
2025 if (mask
& MAY_APPEND
)
2027 else if (mask
& MAY_WRITE
)
2031 if (mask
& MAY_EXEC
)
2033 if (mask
& MAY_WRITE
)
2035 if (mask
& MAY_READ
)
2042 /* Convert a Linux file to an access vector. */
2043 static inline u32
file_to_av(struct file
*file
)
2047 if (file
->f_mode
& FMODE_READ
)
2049 if (file
->f_mode
& FMODE_WRITE
) {
2050 if (file
->f_flags
& O_APPEND
)
2057 * Special file opened with flags 3 for ioctl-only use.
2066 * Convert a file to an access vector and include the correct open
2069 static inline u32
open_file_to_av(struct file
*file
)
2071 u32 av
= file_to_av(file
);
2072 struct inode
*inode
= file_inode(file
);
2074 if (selinux_policycap_openperm
&& inode
->i_sb
->s_magic
!= SOCKFS_MAGIC
)
2080 /* Hook functions begin here. */
2082 static int selinux_binder_set_context_mgr(struct task_struct
*mgr
)
2084 u32 mysid
= current_sid();
2085 u32 mgrsid
= task_sid(mgr
);
2087 return avc_has_perm(mysid
, mgrsid
, SECCLASS_BINDER
,
2088 BINDER__SET_CONTEXT_MGR
, NULL
);
2091 static int selinux_binder_transaction(struct task_struct
*from
,
2092 struct task_struct
*to
)
2094 u32 mysid
= current_sid();
2095 u32 fromsid
= task_sid(from
);
2096 u32 tosid
= task_sid(to
);
2099 if (mysid
!= fromsid
) {
2100 rc
= avc_has_perm(mysid
, fromsid
, SECCLASS_BINDER
,
2101 BINDER__IMPERSONATE
, NULL
);
2106 return avc_has_perm(fromsid
, tosid
, SECCLASS_BINDER
, BINDER__CALL
,
2110 static int selinux_binder_transfer_binder(struct task_struct
*from
,
2111 struct task_struct
*to
)
2113 u32 fromsid
= task_sid(from
);
2114 u32 tosid
= task_sid(to
);
2116 return avc_has_perm(fromsid
, tosid
, SECCLASS_BINDER
, BINDER__TRANSFER
,
2120 static int selinux_binder_transfer_file(struct task_struct
*from
,
2121 struct task_struct
*to
,
2124 u32 sid
= task_sid(to
);
2125 struct file_security_struct
*fsec
= selinux_file(file
);
2126 struct dentry
*dentry
= file
->f_path
.dentry
;
2127 struct inode_security_struct
*isec
;
2128 struct common_audit_data ad
;
2131 ad
.type
= LSM_AUDIT_DATA_PATH
;
2132 ad
.u
.path
= file
->f_path
;
2134 if (sid
!= fsec
->sid
) {
2135 rc
= avc_has_perm(sid
, fsec
->sid
,
2143 #ifdef CONFIG_BPF_SYSCALL
2144 rc
= bpf_fd_pass(file
, sid
);
2149 if (unlikely(IS_PRIVATE(d_backing_inode(dentry
))))
2152 isec
= backing_inode_security(dentry
);
2153 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, file_to_av(file
),
2157 static int selinux_ptrace_access_check(struct task_struct
*child
,
2160 u32 sid
= current_sid();
2161 u32 csid
= task_sid(child
);
2163 if (mode
& PTRACE_MODE_READ
)
2164 return avc_has_perm(sid
, csid
, SECCLASS_FILE
, FILE__READ
, NULL
);
2166 return avc_has_perm(sid
, csid
, SECCLASS_PROCESS
, PROCESS__PTRACE
, NULL
);
2169 static int selinux_ptrace_traceme(struct task_struct
*parent
)
2171 return avc_has_perm(task_sid(parent
), current_sid(), SECCLASS_PROCESS
,
2172 PROCESS__PTRACE
, NULL
);
2175 static int selinux_capget(struct task_struct
*target
, kernel_cap_t
*effective
,
2176 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
2178 return avc_has_perm(current_sid(), task_sid(target
), SECCLASS_PROCESS
,
2179 PROCESS__GETCAP
, NULL
);
2182 static int selinux_capset(struct cred
*new, const struct cred
*old
,
2183 const kernel_cap_t
*effective
,
2184 const kernel_cap_t
*inheritable
,
2185 const kernel_cap_t
*permitted
)
2187 return avc_has_perm(cred_sid(old
), cred_sid(new), SECCLASS_PROCESS
,
2188 PROCESS__SETCAP
, NULL
);
2192 * (This comment used to live with the selinux_task_setuid hook,
2193 * which was removed).
2195 * Since setuid only affects the current process, and since the SELinux
2196 * controls are not based on the Linux identity attributes, SELinux does not
2197 * need to control this operation. However, SELinux does control the use of
2198 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2201 static int selinux_capable(const struct cred
*cred
, struct user_namespace
*ns
,
2204 return cred_has_capability(cred
, cap
, audit
, ns
== &init_user_ns
);
2207 static int selinux_quotactl(int cmds
, int type
, int id
, struct super_block
*sb
)
2209 const struct cred
*cred
= current_cred();
2221 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAMOD
, NULL
);
2226 rc
= superblock_has_perm(cred
, sb
, FILESYSTEM__QUOTAGET
, NULL
);
2229 rc
= 0; /* let the kernel handle invalid cmds */
2235 static int selinux_quota_on(struct dentry
*dentry
)
2237 const struct cred
*cred
= current_cred();
2239 return dentry_has_perm(cred
, dentry
, FILE__QUOTAON
);
2242 static int selinux_syslog(int type
)
2245 case SYSLOG_ACTION_READ_ALL
: /* Read last kernel messages */
2246 case SYSLOG_ACTION_SIZE_BUFFER
: /* Return size of the log buffer */
2247 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2248 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_READ
, NULL
);
2249 case SYSLOG_ACTION_CONSOLE_OFF
: /* Disable logging to console */
2250 case SYSLOG_ACTION_CONSOLE_ON
: /* Enable logging to console */
2251 /* Set level of messages printed to console */
2252 case SYSLOG_ACTION_CONSOLE_LEVEL
:
2253 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2254 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_CONSOLE
,
2257 /* All other syslog types */
2258 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
2259 SECCLASS_SYSTEM
, SYSTEM__SYSLOG_MOD
, NULL
);
2263 * Check that a process has enough memory to allocate a new virtual
2264 * mapping. 0 means there is enough memory for the allocation to
2265 * succeed and -ENOMEM implies there is not.
2267 * Do not audit the selinux permission check, as this is applied to all
2268 * processes that allocate mappings.
2270 static int selinux_vm_enough_memory(struct mm_struct
*mm
, long pages
)
2272 int rc
, cap_sys_admin
= 0;
2274 rc
= cred_has_capability(current_cred(), CAP_SYS_ADMIN
,
2275 SECURITY_CAP_NOAUDIT
, true);
2279 return cap_sys_admin
;
2282 /* binprm security operations */
2284 static u32
ptrace_parent_sid(void)
2287 struct task_struct
*tracer
;
2290 tracer
= ptrace_parent(current
);
2292 sid
= task_sid(tracer
);
2298 static int check_nnp_nosuid(const struct linux_binprm
*bprm
,
2299 const struct task_security_struct
*old_tsec
,
2300 const struct task_security_struct
*new_tsec
)
2302 int nnp
= (bprm
->unsafe
& LSM_UNSAFE_NO_NEW_PRIVS
);
2303 int nosuid
= path_nosuid(&bprm
->file
->f_path
);
2307 if (!nnp
&& !nosuid
)
2308 return 0; /* neither NNP nor nosuid */
2310 if (new_tsec
->sid
== old_tsec
->sid
)
2311 return 0; /* No change in credentials */
2314 * If the policy enables the nnp_nosuid_transition policy capability,
2315 * then we permit transitions under NNP or nosuid if the
2316 * policy allows the corresponding permission between
2317 * the old and new contexts.
2319 if (selinux_policycap_nnp_nosuid_transition
) {
2322 av
|= PROCESS2__NNP_TRANSITION
;
2324 av
|= PROCESS2__NOSUID_TRANSITION
;
2325 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2326 SECCLASS_PROCESS2
, av
, NULL
);
2332 * We also permit NNP or nosuid transitions to bounded SIDs,
2333 * i.e. SIDs that are guaranteed to only be allowed a subset
2334 * of the permissions of the current SID.
2336 rc
= security_bounded_transition(old_tsec
->sid
, new_tsec
->sid
);
2341 * On failure, preserve the errno values for NNP vs nosuid.
2342 * NNP: Operation not permitted for caller.
2343 * nosuid: Permission denied to file.
2350 static int selinux_bprm_set_creds(struct linux_binprm
*bprm
)
2352 const struct task_security_struct
*old_tsec
;
2353 struct task_security_struct
*new_tsec
;
2354 struct inode_security_struct
*isec
;
2355 struct common_audit_data ad
;
2356 struct inode
*inode
= file_inode(bprm
->file
);
2359 /* SELinux context only depends on initial program or script and not
2360 * the script interpreter */
2361 if (bprm
->called_set_creds
)
2364 old_tsec
= selinux_cred(current_cred());
2365 new_tsec
= selinux_cred(bprm
->cred
);
2366 isec
= inode_security(inode
);
2368 /* Default to the current task SID. */
2369 new_tsec
->sid
= old_tsec
->sid
;
2370 new_tsec
->osid
= old_tsec
->sid
;
2372 /* Reset fs, key, and sock SIDs on execve. */
2373 new_tsec
->create_sid
= 0;
2374 new_tsec
->keycreate_sid
= 0;
2375 new_tsec
->sockcreate_sid
= 0;
2377 if (old_tsec
->exec_sid
) {
2378 new_tsec
->sid
= old_tsec
->exec_sid
;
2379 /* Reset exec SID on execve. */
2380 new_tsec
->exec_sid
= 0;
2382 /* Fail on NNP or nosuid if not an allowed transition. */
2383 rc
= check_nnp_nosuid(bprm
, old_tsec
, new_tsec
);
2387 /* Check for a default transition on this program. */
2388 rc
= security_transition_sid(old_tsec
->sid
, isec
->sid
,
2389 SECCLASS_PROCESS
, NULL
,
2395 * Fallback to old SID on NNP or nosuid if not an allowed
2398 rc
= check_nnp_nosuid(bprm
, old_tsec
, new_tsec
);
2400 new_tsec
->sid
= old_tsec
->sid
;
2403 ad
.type
= LSM_AUDIT_DATA_FILE
;
2404 ad
.u
.file
= bprm
->file
;
2406 if (new_tsec
->sid
== old_tsec
->sid
) {
2407 rc
= avc_has_perm(old_tsec
->sid
, isec
->sid
,
2408 SECCLASS_FILE
, FILE__EXECUTE_NO_TRANS
, &ad
);
2412 /* Check permissions for the transition. */
2413 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2414 SECCLASS_PROCESS
, PROCESS__TRANSITION
, &ad
);
2418 rc
= avc_has_perm(new_tsec
->sid
, isec
->sid
,
2419 SECCLASS_FILE
, FILE__ENTRYPOINT
, &ad
);
2423 /* Check for shared state */
2424 if (bprm
->unsafe
& LSM_UNSAFE_SHARE
) {
2425 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2426 SECCLASS_PROCESS
, PROCESS__SHARE
,
2432 /* Make sure that anyone attempting to ptrace over a task that
2433 * changes its SID has the appropriate permit */
2434 if (bprm
->unsafe
& LSM_UNSAFE_PTRACE
) {
2435 u32 ptsid
= ptrace_parent_sid();
2437 rc
= avc_has_perm(ptsid
, new_tsec
->sid
,
2439 PROCESS__PTRACE
, NULL
);
2445 /* Clear any possibly unsafe personality bits on exec: */
2446 bprm
->per_clear
|= PER_CLEAR_ON_SETID
;
2448 /* Enable secure mode for SIDs transitions unless
2449 the noatsecure permission is granted between
2450 the two SIDs, i.e. ahp returns 0. */
2451 rc
= avc_has_perm(old_tsec
->sid
, new_tsec
->sid
,
2452 SECCLASS_PROCESS
, PROCESS__NOATSECURE
,
2454 bprm
->secureexec
|= !!rc
;
2460 static int match_file(const void *p
, struct file
*file
, unsigned fd
)
2462 return file_has_perm(p
, file
, file_to_av(file
)) ? fd
+ 1 : 0;
2465 /* Derived from fs/exec.c:flush_old_files. */
2466 static inline void flush_unauthorized_files(const struct cred
*cred
,
2467 struct files_struct
*files
)
2469 struct file
*file
, *devnull
= NULL
;
2470 struct tty_struct
*tty
;
2474 tty
= get_current_tty();
2476 spin_lock(&tty
->files_lock
);
2477 if (!list_empty(&tty
->tty_files
)) {
2478 struct tty_file_private
*file_priv
;
2480 /* Revalidate access to controlling tty.
2481 Use file_path_has_perm on the tty path directly
2482 rather than using file_has_perm, as this particular
2483 open file may belong to another process and we are
2484 only interested in the inode-based check here. */
2485 file_priv
= list_first_entry(&tty
->tty_files
,
2486 struct tty_file_private
, list
);
2487 file
= file_priv
->file
;
2488 if (file_path_has_perm(cred
, file
, FILE__READ
| FILE__WRITE
))
2491 spin_unlock(&tty
->files_lock
);
2494 /* Reset controlling tty. */
2498 /* Revalidate access to inherited open files. */
2499 n
= iterate_fd(files
, 0, match_file
, cred
);
2500 if (!n
) /* none found? */
2503 devnull
= dentry_open(&selinux_null
, O_RDWR
, cred
);
2504 if (IS_ERR(devnull
))
2506 /* replace all the matching ones with this */
2508 replace_fd(n
- 1, devnull
, 0);
2509 } while ((n
= iterate_fd(files
, n
, match_file
, cred
)) != 0);
2515 * Prepare a process for imminent new credential changes due to exec
2517 static void selinux_bprm_committing_creds(struct linux_binprm
*bprm
)
2519 struct task_security_struct
*new_tsec
;
2520 struct rlimit
*rlim
, *initrlim
;
2523 new_tsec
= selinux_cred(bprm
->cred
);
2524 if (new_tsec
->sid
== new_tsec
->osid
)
2527 /* Close files for which the new task SID is not authorized. */
2528 flush_unauthorized_files(bprm
->cred
, current
->files
);
2530 /* Always clear parent death signal on SID transitions. */
2531 current
->pdeath_signal
= 0;
2533 /* Check whether the new SID can inherit resource limits from the old
2534 * SID. If not, reset all soft limits to the lower of the current
2535 * task's hard limit and the init task's soft limit.
2537 * Note that the setting of hard limits (even to lower them) can be
2538 * controlled by the setrlimit check. The inclusion of the init task's
2539 * soft limit into the computation is to avoid resetting soft limits
2540 * higher than the default soft limit for cases where the default is
2541 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2543 rc
= avc_has_perm(new_tsec
->osid
, new_tsec
->sid
, SECCLASS_PROCESS
,
2544 PROCESS__RLIMITINH
, NULL
);
2546 /* protect against do_prlimit() */
2548 for (i
= 0; i
< RLIM_NLIMITS
; i
++) {
2549 rlim
= current
->signal
->rlim
+ i
;
2550 initrlim
= init_task
.signal
->rlim
+ i
;
2551 rlim
->rlim_cur
= min(rlim
->rlim_max
, initrlim
->rlim_cur
);
2553 task_unlock(current
);
2554 if (IS_ENABLED(CONFIG_POSIX_TIMERS
))
2555 update_rlimit_cpu(current
, rlimit(RLIMIT_CPU
));
2560 * Clean up the process immediately after the installation of new credentials
2563 static void selinux_bprm_committed_creds(struct linux_binprm
*bprm
)
2565 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
2566 struct itimerval itimer
;
2576 /* Check whether the new SID can inherit signal state from the old SID.
2577 * If not, clear itimers to avoid subsequent signal generation and
2578 * flush and unblock signals.
2580 * This must occur _after_ the task SID has been updated so that any
2581 * kill done after the flush will be checked against the new SID.
2583 rc
= avc_has_perm(osid
, sid
, SECCLASS_PROCESS
, PROCESS__SIGINH
, NULL
);
2585 if (IS_ENABLED(CONFIG_POSIX_TIMERS
)) {
2586 memset(&itimer
, 0, sizeof itimer
);
2587 for (i
= 0; i
< 3; i
++)
2588 do_setitimer(i
, &itimer
, NULL
);
2590 spin_lock_irq(¤t
->sighand
->siglock
);
2591 if (!fatal_signal_pending(current
)) {
2592 flush_sigqueue(¤t
->pending
);
2593 flush_sigqueue(¤t
->signal
->shared_pending
);
2594 flush_signal_handlers(current
, 1);
2595 sigemptyset(¤t
->blocked
);
2596 recalc_sigpending();
2598 spin_unlock_irq(¤t
->sighand
->siglock
);
2601 /* Wake up the parent if it is waiting so that it can recheck
2602 * wait permission to the new task SID. */
2603 read_lock(&tasklist_lock
);
2604 __wake_up_parent(current
, current
->real_parent
);
2605 read_unlock(&tasklist_lock
);
2608 /* superblock security operations */
2610 static int selinux_sb_alloc_security(struct super_block
*sb
)
2612 return superblock_alloc_security(sb
);
2615 static inline int match_prefix(char *prefix
, int plen
, char *option
, int olen
)
2620 return !memcmp(prefix
, option
, plen
);
2623 static inline int selinux_option(char *option
, int len
)
2625 return (match_prefix(CONTEXT_STR
, sizeof(CONTEXT_STR
)-1, option
, len
) ||
2626 match_prefix(FSCONTEXT_STR
, sizeof(FSCONTEXT_STR
)-1, option
, len
) ||
2627 match_prefix(DEFCONTEXT_STR
, sizeof(DEFCONTEXT_STR
)-1, option
, len
) ||
2628 match_prefix(ROOTCONTEXT_STR
, sizeof(ROOTCONTEXT_STR
)-1, option
, len
) ||
2629 match_prefix(LABELSUPP_STR
, sizeof(LABELSUPP_STR
)-1, option
, len
));
2632 static inline void take_option(char **to
, char *from
, int *first
, int len
)
2639 memcpy(*to
, from
, len
);
2643 static inline void take_selinux_option(char **to
, char *from
, int *first
,
2646 int current_size
= 0;
2654 while (current_size
< len
) {
2664 static int selinux_sb_copy_data(char *orig
, char *copy
)
2666 int fnosec
, fsec
, rc
= 0;
2667 char *in_save
, *in_curr
, *in_end
;
2668 char *sec_curr
, *nosec_save
, *nosec
;
2674 nosec
= (char *)get_zeroed_page(GFP_KERNEL
);
2682 in_save
= in_end
= orig
;
2686 open_quote
= !open_quote
;
2687 if ((*in_end
== ',' && open_quote
== 0) ||
2689 int len
= in_end
- in_curr
;
2691 if (selinux_option(in_curr
, len
))
2692 take_selinux_option(&sec_curr
, in_curr
, &fsec
, len
);
2694 take_option(&nosec
, in_curr
, &fnosec
, len
);
2696 in_curr
= in_end
+ 1;
2698 } while (*in_end
++);
2700 strcpy(in_save
, nosec_save
);
2701 free_page((unsigned long)nosec_save
);
2706 static int selinux_sb_remount(struct super_block
*sb
, void *data
)
2709 struct security_mnt_opts opts
;
2710 char *secdata
, **mount_options
;
2711 struct superblock_security_struct
*sbsec
= selinux_superblock(sb
);
2713 if (!(sbsec
->flags
& SE_SBINITIALIZED
))
2719 if (sb
->s_type
->fs_flags
& FS_BINARY_MOUNTDATA
)
2722 security_init_mnt_opts(&opts
);
2723 secdata
= alloc_secdata();
2726 rc
= selinux_sb_copy_data(data
, secdata
);
2728 goto out_free_secdata
;
2730 rc
= selinux_parse_opts_str(secdata
, &opts
);
2732 goto out_free_secdata
;
2734 mount_options
= opts
.mnt_opts
;
2735 flags
= opts
.mnt_opts_flags
;
2737 for (i
= 0; i
< opts
.num_mnt_opts
; i
++) {
2740 if (flags
[i
] == SBLABEL_MNT
)
2742 rc
= security_context_str_to_sid(mount_options
[i
], &sid
, GFP_KERNEL
);
2744 printk(KERN_WARNING
"SELinux: security_context_str_to_sid"
2745 "(%s) failed for (dev %s, type %s) errno=%d\n",
2746 mount_options
[i
], sb
->s_id
, sb
->s_type
->name
, rc
);
2752 if (bad_option(sbsec
, FSCONTEXT_MNT
, sbsec
->sid
, sid
))
2753 goto out_bad_option
;
2756 if (bad_option(sbsec
, CONTEXT_MNT
, sbsec
->mntpoint_sid
, sid
))
2757 goto out_bad_option
;
2759 case ROOTCONTEXT_MNT
: {
2760 struct inode_security_struct
*root_isec
;
2761 root_isec
= backing_inode_security(sb
->s_root
);
2763 if (bad_option(sbsec
, ROOTCONTEXT_MNT
, root_isec
->sid
, sid
))
2764 goto out_bad_option
;
2767 case DEFCONTEXT_MNT
:
2768 if (bad_option(sbsec
, DEFCONTEXT_MNT
, sbsec
->def_sid
, sid
))
2769 goto out_bad_option
;
2778 security_free_mnt_opts(&opts
);
2780 free_secdata(secdata
);
2783 printk(KERN_WARNING
"SELinux: unable to change security options "
2784 "during remount (dev %s, type=%s)\n", sb
->s_id
,
2789 static int selinux_sb_kern_mount(struct super_block
*sb
, int flags
, void *data
)
2791 const struct cred
*cred
= current_cred();
2792 struct common_audit_data ad
;
2795 rc
= superblock_doinit(sb
, data
);
2799 /* Allow all mounts performed by the kernel */
2800 if (flags
& MS_KERNMOUNT
)
2803 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2804 ad
.u
.dentry
= sb
->s_root
;
2805 return superblock_has_perm(cred
, sb
, FILESYSTEM__MOUNT
, &ad
);
2808 static int selinux_sb_statfs(struct dentry
*dentry
)
2810 const struct cred
*cred
= current_cred();
2811 struct common_audit_data ad
;
2813 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2814 ad
.u
.dentry
= dentry
->d_sb
->s_root
;
2815 return superblock_has_perm(cred
, dentry
->d_sb
, FILESYSTEM__GETATTR
, &ad
);
2818 static int selinux_mount(const char *dev_name
,
2819 const struct path
*path
,
2821 unsigned long flags
,
2824 const struct cred
*cred
= current_cred();
2826 if (flags
& MS_REMOUNT
)
2827 return superblock_has_perm(cred
, path
->dentry
->d_sb
,
2828 FILESYSTEM__REMOUNT
, NULL
);
2830 return path_has_perm(cred
, path
, FILE__MOUNTON
);
2833 static int selinux_umount(struct vfsmount
*mnt
, int flags
)
2835 const struct cred
*cred
= current_cred();
2837 return superblock_has_perm(cred
, mnt
->mnt_sb
,
2838 FILESYSTEM__UNMOUNT
, NULL
);
2841 /* inode security operations */
2843 static int selinux_inode_alloc_security(struct inode
*inode
)
2845 return inode_alloc_security(inode
);
2848 static void selinux_inode_free_security(struct inode
*inode
)
2850 inode_free_security(inode
);
2853 static int selinux_dentry_init_security(struct dentry
*dentry
, int mode
,
2854 const struct qstr
*name
, void **ctx
,
2860 rc
= selinux_determine_inode_label(selinux_cred(current_cred()),
2861 d_inode(dentry
->d_parent
), name
,
2862 inode_mode_to_security_class(mode
),
2867 return security_sid_to_context(newsid
, (char **)ctx
, ctxlen
);
2870 static int selinux_dentry_create_files_as(struct dentry
*dentry
, int mode
,
2872 const struct cred
*old
,
2877 struct task_security_struct
*tsec
;
2879 rc
= selinux_determine_inode_label(selinux_cred(old
),
2880 d_inode(dentry
->d_parent
), name
,
2881 inode_mode_to_security_class(mode
),
2886 tsec
= selinux_cred(new);
2887 tsec
->create_sid
= newsid
;
2891 static int selinux_inode_init_security(struct inode
*inode
, struct inode
*dir
,
2892 const struct qstr
*qstr
,
2894 void **value
, size_t *len
)
2896 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
2897 struct superblock_security_struct
*sbsec
;
2902 sbsec
= selinux_superblock(dir
->i_sb
);
2904 newsid
= tsec
->create_sid
;
2906 rc
= selinux_determine_inode_label(selinux_cred(current_cred()),
2908 inode_mode_to_security_class(inode
->i_mode
),
2913 /* Possibly defer initialization to selinux_complete_init. */
2914 if (sbsec
->flags
& SE_SBINITIALIZED
) {
2915 struct inode_security_struct
*isec
= selinux_inode(inode
);
2916 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
2918 isec
->initialized
= LABEL_INITIALIZED
;
2921 if (!ss_initialized
|| !(sbsec
->flags
& SBLABEL_MNT
))
2925 *name
= XATTR_SELINUX_SUFFIX
;
2928 rc
= security_sid_to_context_force(newsid
, &context
, &clen
);
2938 static int selinux_inode_create(struct inode
*dir
, struct dentry
*dentry
, umode_t mode
)
2940 return may_create(dir
, dentry
, SECCLASS_FILE
);
2943 static int selinux_inode_link(struct dentry
*old_dentry
, struct inode
*dir
, struct dentry
*new_dentry
)
2945 return may_link(dir
, old_dentry
, MAY_LINK
);
2948 static int selinux_inode_unlink(struct inode
*dir
, struct dentry
*dentry
)
2950 return may_link(dir
, dentry
, MAY_UNLINK
);
2953 static int selinux_inode_symlink(struct inode
*dir
, struct dentry
*dentry
, const char *name
)
2955 return may_create(dir
, dentry
, SECCLASS_LNK_FILE
);
2958 static int selinux_inode_mkdir(struct inode
*dir
, struct dentry
*dentry
, umode_t mask
)
2960 return may_create(dir
, dentry
, SECCLASS_DIR
);
2963 static int selinux_inode_rmdir(struct inode
*dir
, struct dentry
*dentry
)
2965 return may_link(dir
, dentry
, MAY_RMDIR
);
2968 static int selinux_inode_mknod(struct inode
*dir
, struct dentry
*dentry
, umode_t mode
, dev_t dev
)
2970 return may_create(dir
, dentry
, inode_mode_to_security_class(mode
));
2973 static int selinux_inode_rename(struct inode
*old_inode
, struct dentry
*old_dentry
,
2974 struct inode
*new_inode
, struct dentry
*new_dentry
)
2976 return may_rename(old_inode
, old_dentry
, new_inode
, new_dentry
);
2979 static int selinux_inode_readlink(struct dentry
*dentry
)
2981 const struct cred
*cred
= current_cred();
2983 return dentry_has_perm(cred
, dentry
, FILE__READ
);
2986 static int selinux_inode_follow_link(struct dentry
*dentry
, struct inode
*inode
,
2989 const struct cred
*cred
= current_cred();
2990 struct common_audit_data ad
;
2991 struct inode_security_struct
*isec
;
2994 validate_creds(cred
);
2996 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
2997 ad
.u
.dentry
= dentry
;
2998 sid
= cred_sid(cred
);
2999 isec
= inode_security_rcu(inode
, rcu
);
3001 return PTR_ERR(isec
);
3003 return avc_has_perm_flags(sid
, isec
->sid
, isec
->sclass
, FILE__READ
, &ad
,
3004 rcu
? MAY_NOT_BLOCK
: 0);
3007 static noinline
int audit_inode_permission(struct inode
*inode
,
3008 u32 perms
, u32 audited
, u32 denied
,
3012 struct common_audit_data ad
;
3013 struct inode_security_struct
*isec
= selinux_inode(inode
);
3016 ad
.type
= LSM_AUDIT_DATA_INODE
;
3019 rc
= slow_avc_audit(current_sid(), isec
->sid
, isec
->sclass
, perms
,
3020 audited
, denied
, result
, &ad
, flags
);
3026 static int selinux_inode_permission(struct inode
*inode
, int mask
)
3028 const struct cred
*cred
= current_cred();
3031 unsigned flags
= mask
& MAY_NOT_BLOCK
;
3032 struct inode_security_struct
*isec
;
3034 struct av_decision avd
;
3036 u32 audited
, denied
;
3038 from_access
= mask
& MAY_ACCESS
;
3039 mask
&= (MAY_READ
|MAY_WRITE
|MAY_EXEC
|MAY_APPEND
);
3041 /* No permission to check. Existence test. */
3045 validate_creds(cred
);
3047 if (unlikely(IS_PRIVATE(inode
)))
3050 perms
= file_mask_to_av(inode
->i_mode
, mask
);
3052 sid
= cred_sid(cred
);
3053 isec
= inode_security_rcu(inode
, flags
& MAY_NOT_BLOCK
);
3055 return PTR_ERR(isec
);
3057 rc
= avc_has_perm_noaudit(sid
, isec
->sid
, isec
->sclass
, perms
, 0, &avd
);
3058 audited
= avc_audit_required(perms
, &avd
, rc
,
3059 from_access
? FILE__AUDIT_ACCESS
: 0,
3061 if (likely(!audited
))
3064 rc2
= audit_inode_permission(inode
, perms
, audited
, denied
, rc
, flags
);
3070 static int selinux_inode_setattr(struct dentry
*dentry
, struct iattr
*iattr
)
3072 const struct cred
*cred
= current_cred();
3073 struct inode
*inode
= d_backing_inode(dentry
);
3074 unsigned int ia_valid
= iattr
->ia_valid
;
3075 __u32 av
= FILE__WRITE
;
3077 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3078 if (ia_valid
& ATTR_FORCE
) {
3079 ia_valid
&= ~(ATTR_KILL_SUID
| ATTR_KILL_SGID
| ATTR_MODE
|
3085 if (ia_valid
& (ATTR_MODE
| ATTR_UID
| ATTR_GID
|
3086 ATTR_ATIME_SET
| ATTR_MTIME_SET
| ATTR_TIMES_SET
))
3087 return dentry_has_perm(cred
, dentry
, FILE__SETATTR
);
3089 if (selinux_policycap_openperm
&&
3090 inode
->i_sb
->s_magic
!= SOCKFS_MAGIC
&&
3091 (ia_valid
& ATTR_SIZE
) &&
3092 !(ia_valid
& ATTR_FILE
))
3095 return dentry_has_perm(cred
, dentry
, av
);
3098 static int selinux_inode_getattr(const struct path
*path
)
3100 return path_has_perm(current_cred(), path
, FILE__GETATTR
);
3103 static bool has_cap_mac_admin(bool audit
)
3105 const struct cred
*cred
= current_cred();
3106 int cap_audit
= audit
? SECURITY_CAP_AUDIT
: SECURITY_CAP_NOAUDIT
;
3108 if (cap_capable(cred
, &init_user_ns
, CAP_MAC_ADMIN
, cap_audit
))
3110 if (cred_has_capability(cred
, CAP_MAC_ADMIN
, cap_audit
, true))
3115 static int selinux_inode_setxattr(struct dentry
*dentry
, const char *name
,
3116 const void *value
, size_t size
, int flags
)
3118 struct inode
*inode
= d_backing_inode(dentry
);
3119 struct inode_security_struct
*isec
;
3120 struct superblock_security_struct
*sbsec
;
3121 struct common_audit_data ad
;
3122 u32 newsid
, sid
= current_sid();
3125 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3126 rc
= cap_inode_setxattr(dentry
, name
, value
, size
, flags
);
3130 /* Not an attribute we recognize, so just check the
3131 ordinary setattr permission. */
3132 return dentry_has_perm(current_cred(), dentry
, FILE__SETATTR
);
3135 sbsec
= selinux_superblock(inode
->i_sb
);
3136 if (!(sbsec
->flags
& SBLABEL_MNT
))
3139 if (!inode_owner_or_capable(inode
))
3142 ad
.type
= LSM_AUDIT_DATA_DENTRY
;
3143 ad
.u
.dentry
= dentry
;
3145 isec
= backing_inode_security(dentry
);
3146 rc
= avc_has_perm(sid
, isec
->sid
, isec
->sclass
,
3147 FILE__RELABELFROM
, &ad
);
3151 rc
= security_context_to_sid(value
, size
, &newsid
, GFP_KERNEL
);
3152 if (rc
== -EINVAL
) {
3153 if (!has_cap_mac_admin(true)) {
3154 struct audit_buffer
*ab
;
3157 /* We strip a nul only if it is at the end, otherwise the
3158 * context contains a nul and we should audit that */
3160 const char *str
= value
;
3162 if (str
[size
- 1] == '\0')
3163 audit_size
= size
- 1;
3169 ab
= audit_log_start(current
->audit_context
, GFP_ATOMIC
, AUDIT_SELINUX_ERR
);
3170 audit_log_format(ab
, "op=setxattr invalid_context=");
3171 audit_log_n_untrustedstring(ab
, value
, audit_size
);
3176 rc
= security_context_to_sid_force(value
, size
, &newsid
);
3181 rc
= avc_has_perm(sid
, newsid
, isec
->sclass
,
3182 FILE__RELABELTO
, &ad
);
3186 rc
= security_validate_transition(isec
->sid
, newsid
, sid
,
3191 return avc_has_perm(newsid
,
3193 SECCLASS_FILESYSTEM
,
3194 FILESYSTEM__ASSOCIATE
,
3198 static void selinux_inode_post_setxattr(struct dentry
*dentry
, const char *name
,
3199 const void *value
, size_t size
,
3202 struct inode
*inode
= d_backing_inode(dentry
);
3203 struct inode_security_struct
*isec
;
3207 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3208 /* Not an attribute we recognize, so nothing to do. */
3212 rc
= security_context_to_sid_force(value
, size
, &newsid
);
3214 printk(KERN_ERR
"SELinux: unable to map context to SID"
3215 "for (%s, %lu), rc=%d\n",
3216 inode
->i_sb
->s_id
, inode
->i_ino
, -rc
);
3220 isec
= backing_inode_security(dentry
);
3221 spin_lock(&isec
->lock
);
3222 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3224 isec
->initialized
= LABEL_INITIALIZED
;
3225 spin_unlock(&isec
->lock
);
3230 static int selinux_inode_getxattr(struct dentry
*dentry
, const char *name
)
3232 const struct cred
*cred
= current_cred();
3234 return dentry_has_perm(cred
, dentry
, FILE__GETATTR
);
3237 static int selinux_inode_listxattr(struct dentry
*dentry
)
3239 const struct cred
*cred
= current_cred();
3241 return dentry_has_perm(cred
, dentry
, FILE__GETATTR
);
3244 static int selinux_inode_removexattr(struct dentry
*dentry
, const char *name
)
3246 if (strcmp(name
, XATTR_NAME_SELINUX
)) {
3247 int rc
= cap_inode_removexattr(dentry
, name
);
3251 /* Not an attribute we recognize, so just check the
3252 ordinary setattr permission. */
3253 return dentry_has_perm(current_cred(), dentry
, FILE__SETATTR
);
3256 /* No one is allowed to remove a SELinux security label.
3257 You can change the label, but all data must be labeled. */
3262 * Copy the inode security context value to the user.
3264 * Permission check is handled by selinux_inode_getxattr hook.
3266 static int selinux_inode_getsecurity(struct inode
*inode
, const char *name
, void **buffer
, bool alloc
)
3270 char *context
= NULL
;
3271 struct inode_security_struct
*isec
;
3273 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
3277 * If the caller has CAP_MAC_ADMIN, then get the raw context
3278 * value even if it is not defined by current policy; otherwise,
3279 * use the in-core value under current policy.
3280 * Use the non-auditing forms of the permission checks since
3281 * getxattr may be called by unprivileged processes commonly
3282 * and lack of permission just means that we fall back to the
3283 * in-core context value, not a denial.
3285 isec
= inode_security(inode
);
3286 if (has_cap_mac_admin(false))
3287 error
= security_sid_to_context_force(isec
->sid
, &context
,
3290 error
= security_sid_to_context(isec
->sid
, &context
, &size
);
3303 static int selinux_inode_setsecurity(struct inode
*inode
, const char *name
,
3304 const void *value
, size_t size
, int flags
)
3306 struct inode_security_struct
*isec
= inode_security_novalidate(inode
);
3310 if (strcmp(name
, XATTR_SELINUX_SUFFIX
))
3313 if (!value
|| !size
)
3316 rc
= security_context_to_sid(value
, size
, &newsid
, GFP_KERNEL
);
3320 spin_lock(&isec
->lock
);
3321 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3323 isec
->initialized
= LABEL_INITIALIZED
;
3324 spin_unlock(&isec
->lock
);
3328 static int selinux_inode_listsecurity(struct inode
*inode
, char *buffer
, size_t buffer_size
)
3330 const int len
= sizeof(XATTR_NAME_SELINUX
);
3331 if (buffer
&& len
<= buffer_size
)
3332 memcpy(buffer
, XATTR_NAME_SELINUX
, len
);
3336 static void selinux_inode_getsecid(struct inode
*inode
, u32
*secid
)
3338 struct inode_security_struct
*isec
= inode_security_novalidate(inode
);
3342 static int selinux_inode_copy_up(struct dentry
*src
, struct cred
**new)
3345 struct task_security_struct
*tsec
;
3346 struct cred
*new_creds
= *new;
3348 if (new_creds
== NULL
) {
3349 new_creds
= prepare_creds();
3354 tsec
= selinux_cred(new_creds
);
3355 /* Get label from overlay inode and set it in create_sid */
3356 selinux_inode_getsecid(d_inode(src
), &sid
);
3357 tsec
->create_sid
= sid
;
3362 static int selinux_inode_copy_up_xattr(const char *name
)
3364 /* The copy_up hook above sets the initial context on an inode, but we
3365 * don't then want to overwrite it by blindly copying all the lower
3366 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3368 if (strcmp(name
, XATTR_NAME_SELINUX
) == 0)
3369 return 1; /* Discard */
3371 * Any other attribute apart from SELINUX is not claimed, supported
3377 /* file security operations */
3379 static int selinux_revalidate_file_permission(struct file
*file
, int mask
)
3381 const struct cred
*cred
= current_cred();
3382 struct inode
*inode
= file_inode(file
);
3384 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3385 if ((file
->f_flags
& O_APPEND
) && (mask
& MAY_WRITE
))
3388 return file_has_perm(cred
, file
,
3389 file_mask_to_av(inode
->i_mode
, mask
));
3392 static int selinux_file_permission(struct file
*file
, int mask
)
3394 struct inode
*inode
= file_inode(file
);
3395 struct file_security_struct
*fsec
= selinux_file(file
);
3396 struct inode_security_struct
*isec
;
3397 u32 sid
= current_sid();
3400 /* No permission to check. Existence test. */
3403 isec
= inode_security(inode
);
3404 if (sid
== fsec
->sid
&& fsec
->isid
== isec
->sid
&&
3405 fsec
->pseqno
== avc_policy_seqno())
3406 /* No change since file_open check. */
3409 return selinux_revalidate_file_permission(file
, mask
);
3412 static int selinux_file_alloc_security(struct file
*file
)
3414 return file_alloc_security(file
);
3418 * Check whether a task has the ioctl permission and cmd
3419 * operation to an inode.
3421 static int ioctl_has_perm(const struct cred
*cred
, struct file
*file
,
3422 u32 requested
, u16 cmd
)
3424 struct common_audit_data ad
;
3425 struct file_security_struct
*fsec
= selinux_file(file
);
3426 struct inode
*inode
= file_inode(file
);
3427 struct inode_security_struct
*isec
;
3428 struct lsm_ioctlop_audit ioctl
;
3429 u32 ssid
= cred_sid(cred
);
3431 u8 driver
= cmd
>> 8;
3432 u8 xperm
= cmd
& 0xff;
3434 ad
.type
= LSM_AUDIT_DATA_IOCTL_OP
;
3437 ad
.u
.op
->path
= file
->f_path
;
3439 if (ssid
!= fsec
->sid
) {
3440 rc
= avc_has_perm(ssid
, fsec
->sid
,
3448 if (unlikely(IS_PRIVATE(inode
)))
3451 isec
= inode_security(inode
);
3452 rc
= avc_has_extended_perms(ssid
, isec
->sid
, isec
->sclass
,
3453 requested
, driver
, xperm
, &ad
);
3458 static int selinux_file_ioctl(struct file
*file
, unsigned int cmd
,
3461 const struct cred
*cred
= current_cred();
3471 case FS_IOC_GETFLAGS
:
3473 case FS_IOC_GETVERSION
:
3474 error
= file_has_perm(cred
, file
, FILE__GETATTR
);
3477 case FS_IOC_SETFLAGS
:
3479 case FS_IOC_SETVERSION
:
3480 error
= file_has_perm(cred
, file
, FILE__SETATTR
);
3483 /* sys_ioctl() checks */
3487 error
= file_has_perm(cred
, file
, 0);
3492 error
= cred_has_capability(cred
, CAP_SYS_TTY_CONFIG
,
3493 SECURITY_CAP_AUDIT
, true);
3496 /* default case assumes that the command will go
3497 * to the file's ioctl() function.
3500 error
= ioctl_has_perm(cred
, file
, FILE__IOCTL
, (u16
) cmd
);
3505 static int default_noexec
;
3507 static int file_map_prot_check(struct file
*file
, unsigned long prot
, int shared
)
3509 const struct cred
*cred
= current_cred();
3510 u32 sid
= cred_sid(cred
);
3513 if (default_noexec
&&
3514 (prot
& PROT_EXEC
) && (!file
|| IS_PRIVATE(file_inode(file
)) ||
3515 (!shared
&& (prot
& PROT_WRITE
)))) {
3517 * We are making executable an anonymous mapping or a
3518 * private file mapping that will also be writable.
3519 * This has an additional check.
3521 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3522 PROCESS__EXECMEM
, NULL
);
3528 /* read access is always possible with a mapping */
3529 u32 av
= FILE__READ
;
3531 /* write access only matters if the mapping is shared */
3532 if (shared
&& (prot
& PROT_WRITE
))
3535 if (prot
& PROT_EXEC
)
3536 av
|= FILE__EXECUTE
;
3538 return file_has_perm(cred
, file
, av
);
3545 static int selinux_mmap_addr(unsigned long addr
)
3549 if (addr
< CONFIG_LSM_MMAP_MIN_ADDR
) {
3550 u32 sid
= current_sid();
3551 rc
= avc_has_perm(sid
, sid
, SECCLASS_MEMPROTECT
,
3552 MEMPROTECT__MMAP_ZERO
, NULL
);
3558 static int selinux_mmap_file(struct file
*file
, unsigned long reqprot
,
3559 unsigned long prot
, unsigned long flags
)
3561 struct common_audit_data ad
;
3565 ad
.type
= LSM_AUDIT_DATA_FILE
;
3567 rc
= inode_has_perm(current_cred(), file_inode(file
),
3573 if (selinux_checkreqprot
)
3576 return file_map_prot_check(file
, prot
,
3577 (flags
& MAP_TYPE
) == MAP_SHARED
);
3580 static int selinux_file_mprotect(struct vm_area_struct
*vma
,
3581 unsigned long reqprot
,
3584 const struct cred
*cred
= current_cred();
3585 u32 sid
= cred_sid(cred
);
3587 if (selinux_checkreqprot
)
3590 if (default_noexec
&&
3591 (prot
& PROT_EXEC
) && !(vma
->vm_flags
& VM_EXEC
)) {
3593 if (vma
->vm_start
>= vma
->vm_mm
->start_brk
&&
3594 vma
->vm_end
<= vma
->vm_mm
->brk
) {
3595 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3596 PROCESS__EXECHEAP
, NULL
);
3597 } else if (!vma
->vm_file
&&
3598 ((vma
->vm_start
<= vma
->vm_mm
->start_stack
&&
3599 vma
->vm_end
>= vma
->vm_mm
->start_stack
) ||
3600 vma_is_stack_for_current(vma
))) {
3601 rc
= avc_has_perm(sid
, sid
, SECCLASS_PROCESS
,
3602 PROCESS__EXECSTACK
, NULL
);
3603 } else if (vma
->vm_file
&& vma
->anon_vma
) {
3605 * We are making executable a file mapping that has
3606 * had some COW done. Since pages might have been
3607 * written, check ability to execute the possibly
3608 * modified content. This typically should only
3609 * occur for text relocations.
3611 rc
= file_has_perm(cred
, vma
->vm_file
, FILE__EXECMOD
);
3617 return file_map_prot_check(vma
->vm_file
, prot
, vma
->vm_flags
&VM_SHARED
);
3620 static int selinux_file_lock(struct file
*file
, unsigned int cmd
)
3622 const struct cred
*cred
= current_cred();
3624 return file_has_perm(cred
, file
, FILE__LOCK
);
3627 static int selinux_file_fcntl(struct file
*file
, unsigned int cmd
,
3630 const struct cred
*cred
= current_cred();
3635 if ((file
->f_flags
& O_APPEND
) && !(arg
& O_APPEND
)) {
3636 err
= file_has_perm(cred
, file
, FILE__WRITE
);
3645 case F_GETOWNER_UIDS
:
3646 /* Just check FD__USE permission */
3647 err
= file_has_perm(cred
, file
, 0);
3655 #if BITS_PER_LONG == 32
3660 err
= file_has_perm(cred
, file
, FILE__LOCK
);
3667 static void selinux_file_set_fowner(struct file
*file
)
3669 struct file_security_struct
*fsec
;
3671 fsec
= selinux_file(file
);
3672 fsec
->fown_sid
= current_sid();
3675 static int selinux_file_send_sigiotask(struct task_struct
*tsk
,
3676 struct fown_struct
*fown
, int signum
)
3679 u32 sid
= task_sid(tsk
);
3681 struct file_security_struct
*fsec
;
3683 /* struct fown_struct is never outside the context of a struct file */
3684 file
= container_of(fown
, struct file
, f_owner
);
3686 fsec
= selinux_file(file
);
3689 perm
= signal_to_av(SIGIO
); /* as per send_sigio_to_task */
3691 perm
= signal_to_av(signum
);
3693 return avc_has_perm(fsec
->fown_sid
, sid
,
3694 SECCLASS_PROCESS
, perm
, NULL
);
3697 static int selinux_file_receive(struct file
*file
)
3699 const struct cred
*cred
= current_cred();
3701 return file_has_perm(cred
, file
, file_to_av(file
));
3704 static int selinux_file_open(struct file
*file
, const struct cred
*cred
)
3706 struct file_security_struct
*fsec
;
3707 struct inode_security_struct
*isec
;
3709 fsec
= selinux_file(file
);
3710 isec
= inode_security(file_inode(file
));
3712 * Save inode label and policy sequence number
3713 * at open-time so that selinux_file_permission
3714 * can determine whether revalidation is necessary.
3715 * Task label is already saved in the file security
3716 * struct as its SID.
3718 fsec
->isid
= isec
->sid
;
3719 fsec
->pseqno
= avc_policy_seqno();
3721 * Since the inode label or policy seqno may have changed
3722 * between the selinux_inode_permission check and the saving
3723 * of state above, recheck that access is still permitted.
3724 * Otherwise, access might never be revalidated against the
3725 * new inode label or new policy.
3726 * This check is not redundant - do not remove.
3728 return file_path_has_perm(cred
, file
, open_file_to_av(file
));
3731 /* task security operations */
3733 static int selinux_task_alloc(struct task_struct
*task
,
3734 unsigned long clone_flags
)
3736 u32 sid
= current_sid();
3738 return avc_has_perm(sid
, sid
, SECCLASS_PROCESS
, PROCESS__FORK
, NULL
);
3742 * prepare a new set of credentials for modification
3744 static int selinux_cred_prepare(struct cred
*new, const struct cred
*old
,
3747 const struct task_security_struct
*old_tsec
= selinux_cred(old
);
3748 struct task_security_struct
*tsec
= selinux_cred(new);
3756 * transfer the SELinux data to a blank set of creds
3758 static void selinux_cred_transfer(struct cred
*new, const struct cred
*old
)
3760 const struct task_security_struct
*old_tsec
= selinux_cred(old
);
3761 struct task_security_struct
*tsec
= selinux_cred(new);
3767 * set the security data for a kernel service
3768 * - all the creation contexts are set to unlabelled
3770 static int selinux_kernel_act_as(struct cred
*new, u32 secid
)
3772 struct task_security_struct
*tsec
= selinux_cred(new);
3773 u32 sid
= current_sid();
3776 ret
= avc_has_perm(sid
, secid
,
3777 SECCLASS_KERNEL_SERVICE
,
3778 KERNEL_SERVICE__USE_AS_OVERRIDE
,
3782 tsec
->create_sid
= 0;
3783 tsec
->keycreate_sid
= 0;
3784 tsec
->sockcreate_sid
= 0;
3790 * set the file creation context in a security record to the same as the
3791 * objective context of the specified inode
3793 static int selinux_kernel_create_files_as(struct cred
*new, struct inode
*inode
)
3795 struct inode_security_struct
*isec
= inode_security(inode
);
3796 struct task_security_struct
*tsec
= selinux_cred(new);
3797 u32 sid
= current_sid();
3800 ret
= avc_has_perm(sid
, isec
->sid
,
3801 SECCLASS_KERNEL_SERVICE
,
3802 KERNEL_SERVICE__CREATE_FILES_AS
,
3806 tsec
->create_sid
= isec
->sid
;
3810 static int selinux_kernel_module_request(char *kmod_name
)
3812 struct common_audit_data ad
;
3814 ad
.type
= LSM_AUDIT_DATA_KMOD
;
3815 ad
.u
.kmod_name
= kmod_name
;
3817 return avc_has_perm(current_sid(), SECINITSID_KERNEL
, SECCLASS_SYSTEM
,
3818 SYSTEM__MODULE_REQUEST
, &ad
);
3821 static int selinux_kernel_module_from_file(struct file
*file
)
3823 struct common_audit_data ad
;
3824 struct inode_security_struct
*isec
;
3825 struct file_security_struct
*fsec
;
3826 u32 sid
= current_sid();
3831 return avc_has_perm(sid
, sid
, SECCLASS_SYSTEM
,
3832 SYSTEM__MODULE_LOAD
, NULL
);
3836 ad
.type
= LSM_AUDIT_DATA_FILE
;
3839 fsec
= selinux_file(file
);
3840 if (sid
!= fsec
->sid
) {
3841 rc
= avc_has_perm(sid
, fsec
->sid
, SECCLASS_FD
, FD__USE
, &ad
);
3846 isec
= inode_security(file_inode(file
));
3847 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SYSTEM
,
3848 SYSTEM__MODULE_LOAD
, &ad
);
3851 static int selinux_kernel_read_file(struct file
*file
,
3852 enum kernel_read_file_id id
)
3857 case READING_MODULE
:
3858 rc
= selinux_kernel_module_from_file(file
);
3867 static int selinux_task_setpgid(struct task_struct
*p
, pid_t pgid
)
3869 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3870 PROCESS__SETPGID
, NULL
);
3873 static int selinux_task_getpgid(struct task_struct
*p
)
3875 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3876 PROCESS__GETPGID
, NULL
);
3879 static int selinux_task_getsid(struct task_struct
*p
)
3881 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3882 PROCESS__GETSESSION
, NULL
);
3885 static void selinux_task_getsecid(struct task_struct
*p
, u32
*secid
)
3887 *secid
= task_sid(p
);
3890 static int selinux_task_setnice(struct task_struct
*p
, int nice
)
3892 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3893 PROCESS__SETSCHED
, NULL
);
3896 static int selinux_task_setioprio(struct task_struct
*p
, int ioprio
)
3898 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3899 PROCESS__SETSCHED
, NULL
);
3902 static int selinux_task_getioprio(struct task_struct
*p
)
3904 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3905 PROCESS__GETSCHED
, NULL
);
3908 static int selinux_task_prlimit(const struct cred
*cred
, const struct cred
*tcred
,
3915 if (flags
& LSM_PRLIMIT_WRITE
)
3916 av
|= PROCESS__SETRLIMIT
;
3917 if (flags
& LSM_PRLIMIT_READ
)
3918 av
|= PROCESS__GETRLIMIT
;
3919 return avc_has_perm(cred_sid(cred
), cred_sid(tcred
),
3920 SECCLASS_PROCESS
, av
, NULL
);
3923 static int selinux_task_setrlimit(struct task_struct
*p
, unsigned int resource
,
3924 struct rlimit
*new_rlim
)
3926 struct rlimit
*old_rlim
= p
->signal
->rlim
+ resource
;
3928 /* Control the ability to change the hard limit (whether
3929 lowering or raising it), so that the hard limit can
3930 later be used as a safe reset point for the soft limit
3931 upon context transitions. See selinux_bprm_committing_creds. */
3932 if (old_rlim
->rlim_max
!= new_rlim
->rlim_max
)
3933 return avc_has_perm(current_sid(), task_sid(p
),
3934 SECCLASS_PROCESS
, PROCESS__SETRLIMIT
, NULL
);
3939 static int selinux_task_setscheduler(struct task_struct
*p
)
3941 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3942 PROCESS__SETSCHED
, NULL
);
3945 static int selinux_task_getscheduler(struct task_struct
*p
)
3947 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3948 PROCESS__GETSCHED
, NULL
);
3951 static int selinux_task_movememory(struct task_struct
*p
)
3953 return avc_has_perm(current_sid(), task_sid(p
), SECCLASS_PROCESS
,
3954 PROCESS__SETSCHED
, NULL
);
3957 static int selinux_task_kill(struct task_struct
*p
, struct siginfo
*info
,
3963 perm
= PROCESS__SIGNULL
; /* null signal; existence test */
3965 perm
= signal_to_av(sig
);
3967 secid
= current_sid();
3968 return avc_has_perm(secid
, task_sid(p
), SECCLASS_PROCESS
, perm
, NULL
);
3971 static void selinux_task_to_inode(struct task_struct
*p
,
3972 struct inode
*inode
)
3974 struct inode_security_struct
*isec
= selinux_inode(inode
);
3975 u32 sid
= task_sid(p
);
3977 spin_lock(&isec
->lock
);
3978 isec
->sclass
= inode_mode_to_security_class(inode
->i_mode
);
3980 isec
->initialized
= LABEL_INITIALIZED
;
3981 spin_unlock(&isec
->lock
);
3984 /* Returns error only if unable to parse addresses */
3985 static int selinux_parse_skb_ipv4(struct sk_buff
*skb
,
3986 struct common_audit_data
*ad
, u8
*proto
)
3988 int offset
, ihlen
, ret
= -EINVAL
;
3989 struct iphdr _iph
, *ih
;
3991 offset
= skb_network_offset(skb
);
3992 ih
= skb_header_pointer(skb
, offset
, sizeof(_iph
), &_iph
);
3996 ihlen
= ih
->ihl
* 4;
3997 if (ihlen
< sizeof(_iph
))
4000 ad
->u
.net
->v4info
.saddr
= ih
->saddr
;
4001 ad
->u
.net
->v4info
.daddr
= ih
->daddr
;
4005 *proto
= ih
->protocol
;
4007 switch (ih
->protocol
) {
4009 struct tcphdr _tcph
, *th
;
4011 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4015 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
4019 ad
->u
.net
->sport
= th
->source
;
4020 ad
->u
.net
->dport
= th
->dest
;
4025 struct udphdr _udph
, *uh
;
4027 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4031 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
4035 ad
->u
.net
->sport
= uh
->source
;
4036 ad
->u
.net
->dport
= uh
->dest
;
4040 case IPPROTO_DCCP
: {
4041 struct dccp_hdr _dccph
, *dh
;
4043 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
4047 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
4051 ad
->u
.net
->sport
= dh
->dccph_sport
;
4052 ad
->u
.net
->dport
= dh
->dccph_dport
;
4063 #if IS_ENABLED(CONFIG_IPV6)
4065 /* Returns error only if unable to parse addresses */
4066 static int selinux_parse_skb_ipv6(struct sk_buff
*skb
,
4067 struct common_audit_data
*ad
, u8
*proto
)
4070 int ret
= -EINVAL
, offset
;
4071 struct ipv6hdr _ipv6h
, *ip6
;
4074 offset
= skb_network_offset(skb
);
4075 ip6
= skb_header_pointer(skb
, offset
, sizeof(_ipv6h
), &_ipv6h
);
4079 ad
->u
.net
->v6info
.saddr
= ip6
->saddr
;
4080 ad
->u
.net
->v6info
.daddr
= ip6
->daddr
;
4083 nexthdr
= ip6
->nexthdr
;
4084 offset
+= sizeof(_ipv6h
);
4085 offset
= ipv6_skip_exthdr(skb
, offset
, &nexthdr
, &frag_off
);
4094 struct tcphdr _tcph
, *th
;
4096 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
4100 ad
->u
.net
->sport
= th
->source
;
4101 ad
->u
.net
->dport
= th
->dest
;
4106 struct udphdr _udph
, *uh
;
4108 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
4112 ad
->u
.net
->sport
= uh
->source
;
4113 ad
->u
.net
->dport
= uh
->dest
;
4117 case IPPROTO_DCCP
: {
4118 struct dccp_hdr _dccph
, *dh
;
4120 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
4124 ad
->u
.net
->sport
= dh
->dccph_sport
;
4125 ad
->u
.net
->dport
= dh
->dccph_dport
;
4129 /* includes fragments */
4139 static int selinux_parse_skb(struct sk_buff
*skb
, struct common_audit_data
*ad
,
4140 char **_addrp
, int src
, u8
*proto
)
4145 switch (ad
->u
.net
->family
) {
4147 ret
= selinux_parse_skb_ipv4(skb
, ad
, proto
);
4150 addrp
= (char *)(src
? &ad
->u
.net
->v4info
.saddr
:
4151 &ad
->u
.net
->v4info
.daddr
);
4154 #if IS_ENABLED(CONFIG_IPV6)
4156 ret
= selinux_parse_skb_ipv6(skb
, ad
, proto
);
4159 addrp
= (char *)(src
? &ad
->u
.net
->v6info
.saddr
:
4160 &ad
->u
.net
->v6info
.daddr
);
4170 "SELinux: failure in selinux_parse_skb(),"
4171 " unable to parse packet\n");
4181 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4183 * @family: protocol family
4184 * @sid: the packet's peer label SID
4187 * Check the various different forms of network peer labeling and determine
4188 * the peer label/SID for the packet; most of the magic actually occurs in
4189 * the security server function security_net_peersid_cmp(). The function
4190 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4191 * or -EACCES if @sid is invalid due to inconsistencies with the different
4195 static int selinux_skb_peerlbl_sid(struct sk_buff
*skb
, u16 family
, u32
*sid
)
4202 err
= selinux_xfrm_skb_sid(skb
, &xfrm_sid
);
4205 err
= selinux_netlbl_skbuff_getsid(skb
, family
, &nlbl_type
, &nlbl_sid
);
4209 err
= security_net_peersid_resolve(nlbl_sid
, nlbl_type
, xfrm_sid
, sid
);
4210 if (unlikely(err
)) {
4212 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4213 " unable to determine packet's peer label\n");
4221 * selinux_conn_sid - Determine the child socket label for a connection
4222 * @sk_sid: the parent socket's SID
4223 * @skb_sid: the packet's SID
4224 * @conn_sid: the resulting connection SID
4226 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4227 * combined with the MLS information from @skb_sid in order to create
4228 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4229 * of @sk_sid. Returns zero on success, negative values on failure.
4232 static int selinux_conn_sid(u32 sk_sid
, u32 skb_sid
, u32
*conn_sid
)
4236 if (skb_sid
!= SECSID_NULL
)
4237 err
= security_sid_mls_copy(sk_sid
, skb_sid
, conn_sid
);
4244 /* socket security operations */
4246 static int socket_sockcreate_sid(const struct task_security_struct
*tsec
,
4247 u16 secclass
, u32
*socksid
)
4249 if (tsec
->sockcreate_sid
> SECSID_NULL
) {
4250 *socksid
= tsec
->sockcreate_sid
;
4254 return security_transition_sid(tsec
->sid
, tsec
->sid
, secclass
, NULL
,
4258 static int sock_has_perm(struct sock
*sk
, u32 perms
)
4260 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4261 struct common_audit_data ad
;
4262 struct lsm_network_audit net
= {0,};
4264 if (sksec
->sid
== SECINITSID_KERNEL
)
4267 ad
.type
= LSM_AUDIT_DATA_NET
;
4271 return avc_has_perm(current_sid(), sksec
->sid
, sksec
->sclass
, perms
,
4275 static int selinux_socket_create(int family
, int type
,
4276 int protocol
, int kern
)
4278 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
4286 secclass
= socket_type_to_security_class(family
, type
, protocol
);
4287 rc
= socket_sockcreate_sid(tsec
, secclass
, &newsid
);
4291 return avc_has_perm(tsec
->sid
, newsid
, secclass
, SOCKET__CREATE
, NULL
);
4294 static int selinux_socket_post_create(struct socket
*sock
, int family
,
4295 int type
, int protocol
, int kern
)
4297 const struct task_security_struct
*tsec
= selinux_cred(current_cred());
4298 struct inode_security_struct
*isec
= inode_security_novalidate(SOCK_INODE(sock
));
4299 struct sk_security_struct
*sksec
;
4300 u16 sclass
= socket_type_to_security_class(family
, type
, protocol
);
4301 u32 sid
= SECINITSID_KERNEL
;
4305 err
= socket_sockcreate_sid(tsec
, sclass
, &sid
);
4310 isec
->sclass
= sclass
;
4312 isec
->initialized
= LABEL_INITIALIZED
;
4315 sksec
= selinux_sock(sock
->sk
);
4316 sksec
->sclass
= sclass
;
4318 err
= selinux_netlbl_socket_post_create(sock
->sk
, family
);
4324 /* Range of port numbers used to automatically bind.
4325 Need to determine whether we should perform a name_bind
4326 permission check between the socket and the port number. */
4328 static int selinux_socket_bind(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
4330 struct sock
*sk
= sock
->sk
;
4334 err
= sock_has_perm(sk
, SOCKET__BIND
);
4339 * If PF_INET or PF_INET6, check name_bind permission for the port.
4340 * Multiple address binding for SCTP is not supported yet: we just
4341 * check the first address now.
4343 family
= sk
->sk_family
;
4344 if (family
== PF_INET
|| family
== PF_INET6
) {
4346 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4347 struct common_audit_data ad
;
4348 struct lsm_network_audit net
= {0,};
4349 struct sockaddr_in
*addr4
= NULL
;
4350 struct sockaddr_in6
*addr6
= NULL
;
4351 unsigned short snum
;
4354 if (family
== PF_INET
) {
4355 if (addrlen
< sizeof(struct sockaddr_in
)) {
4359 addr4
= (struct sockaddr_in
*)address
;
4360 snum
= ntohs(addr4
->sin_port
);
4361 addrp
= (char *)&addr4
->sin_addr
.s_addr
;
4363 if (addrlen
< SIN6_LEN_RFC2133
) {
4367 addr6
= (struct sockaddr_in6
*)address
;
4368 snum
= ntohs(addr6
->sin6_port
);
4369 addrp
= (char *)&addr6
->sin6_addr
.s6_addr
;
4375 inet_get_local_port_range(sock_net(sk
), &low
, &high
);
4377 if (snum
< max(inet_prot_sock(sock_net(sk
)), low
) ||
4379 err
= sel_netport_sid(sk
->sk_protocol
,
4383 ad
.type
= LSM_AUDIT_DATA_NET
;
4385 ad
.u
.net
->sport
= htons(snum
);
4386 ad
.u
.net
->family
= family
;
4387 err
= avc_has_perm(sksec
->sid
, sid
,
4389 SOCKET__NAME_BIND
, &ad
);
4395 switch (sksec
->sclass
) {
4396 case SECCLASS_TCP_SOCKET
:
4397 node_perm
= TCP_SOCKET__NODE_BIND
;
4400 case SECCLASS_UDP_SOCKET
:
4401 node_perm
= UDP_SOCKET__NODE_BIND
;
4404 case SECCLASS_DCCP_SOCKET
:
4405 node_perm
= DCCP_SOCKET__NODE_BIND
;
4409 node_perm
= RAWIP_SOCKET__NODE_BIND
;
4413 err
= sel_netnode_sid(addrp
, family
, &sid
);
4417 ad
.type
= LSM_AUDIT_DATA_NET
;
4419 ad
.u
.net
->sport
= htons(snum
);
4420 ad
.u
.net
->family
= family
;
4422 if (family
== PF_INET
)
4423 ad
.u
.net
->v4info
.saddr
= addr4
->sin_addr
.s_addr
;
4425 ad
.u
.net
->v6info
.saddr
= addr6
->sin6_addr
;
4427 err
= avc_has_perm(sksec
->sid
, sid
,
4428 sksec
->sclass
, node_perm
, &ad
);
4436 static int selinux_socket_connect(struct socket
*sock
, struct sockaddr
*address
, int addrlen
)
4438 struct sock
*sk
= sock
->sk
;
4439 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4442 err
= sock_has_perm(sk
, SOCKET__CONNECT
);
4447 * If a TCP or DCCP socket, check name_connect permission for the port.
4449 if (sksec
->sclass
== SECCLASS_TCP_SOCKET
||
4450 sksec
->sclass
== SECCLASS_DCCP_SOCKET
) {
4451 struct common_audit_data ad
;
4452 struct lsm_network_audit net
= {0,};
4453 struct sockaddr_in
*addr4
= NULL
;
4454 struct sockaddr_in6
*addr6
= NULL
;
4455 unsigned short snum
;
4458 if (sk
->sk_family
== PF_INET
) {
4459 addr4
= (struct sockaddr_in
*)address
;
4460 if (addrlen
< sizeof(struct sockaddr_in
))
4462 snum
= ntohs(addr4
->sin_port
);
4464 addr6
= (struct sockaddr_in6
*)address
;
4465 if (addrlen
< SIN6_LEN_RFC2133
)
4467 snum
= ntohs(addr6
->sin6_port
);
4470 err
= sel_netport_sid(sk
->sk_protocol
, snum
, &sid
);
4474 perm
= (sksec
->sclass
== SECCLASS_TCP_SOCKET
) ?
4475 TCP_SOCKET__NAME_CONNECT
: DCCP_SOCKET__NAME_CONNECT
;
4477 ad
.type
= LSM_AUDIT_DATA_NET
;
4479 ad
.u
.net
->dport
= htons(snum
);
4480 ad
.u
.net
->family
= sk
->sk_family
;
4481 err
= avc_has_perm(sksec
->sid
, sid
, sksec
->sclass
, perm
, &ad
);
4486 err
= selinux_netlbl_socket_connect(sk
, address
);
4492 static int selinux_socket_listen(struct socket
*sock
, int backlog
)
4494 return sock_has_perm(sock
->sk
, SOCKET__LISTEN
);
4497 static int selinux_socket_accept(struct socket
*sock
, struct socket
*newsock
)
4500 struct inode_security_struct
*isec
;
4501 struct inode_security_struct
*newisec
;
4505 err
= sock_has_perm(sock
->sk
, SOCKET__ACCEPT
);
4509 isec
= inode_security_novalidate(SOCK_INODE(sock
));
4510 spin_lock(&isec
->lock
);
4511 sclass
= isec
->sclass
;
4513 spin_unlock(&isec
->lock
);
4515 newisec
= inode_security_novalidate(SOCK_INODE(newsock
));
4516 newisec
->sclass
= sclass
;
4518 newisec
->initialized
= LABEL_INITIALIZED
;
4523 static int selinux_socket_sendmsg(struct socket
*sock
, struct msghdr
*msg
,
4526 return sock_has_perm(sock
->sk
, SOCKET__WRITE
);
4529 static int selinux_socket_recvmsg(struct socket
*sock
, struct msghdr
*msg
,
4530 int size
, int flags
)
4532 return sock_has_perm(sock
->sk
, SOCKET__READ
);
4535 static int selinux_socket_getsockname(struct socket
*sock
)
4537 return sock_has_perm(sock
->sk
, SOCKET__GETATTR
);
4540 static int selinux_socket_getpeername(struct socket
*sock
)
4542 return sock_has_perm(sock
->sk
, SOCKET__GETATTR
);
4545 static int selinux_socket_setsockopt(struct socket
*sock
, int level
, int optname
)
4549 err
= sock_has_perm(sock
->sk
, SOCKET__SETOPT
);
4553 return selinux_netlbl_socket_setsockopt(sock
, level
, optname
);
4556 static int selinux_socket_getsockopt(struct socket
*sock
, int level
,
4559 return sock_has_perm(sock
->sk
, SOCKET__GETOPT
);
4562 static int selinux_socket_shutdown(struct socket
*sock
, int how
)
4564 return sock_has_perm(sock
->sk
, SOCKET__SHUTDOWN
);
4567 static int selinux_socket_unix_stream_connect(struct sock
*sock
,
4571 struct sk_security_struct
*sksec_sock
= selinux_sock(sock
);
4572 struct sk_security_struct
*sksec_other
= selinux_sock(other
);
4573 struct sk_security_struct
*sksec_new
= selinux_sock(newsk
);
4574 struct common_audit_data ad
;
4575 struct lsm_network_audit net
= {0,};
4578 ad
.type
= LSM_AUDIT_DATA_NET
;
4580 ad
.u
.net
->sk
= other
;
4582 err
= avc_has_perm(sksec_sock
->sid
, sksec_other
->sid
,
4583 sksec_other
->sclass
,
4584 UNIX_STREAM_SOCKET__CONNECTTO
, &ad
);
4588 /* server child socket */
4589 sksec_new
->peer_sid
= sksec_sock
->sid
;
4590 err
= security_sid_mls_copy(sksec_other
->sid
, sksec_sock
->sid
,
4595 /* connecting socket */
4596 sksec_sock
->peer_sid
= sksec_new
->sid
;
4601 static int selinux_socket_unix_may_send(struct socket
*sock
,
4602 struct socket
*other
)
4604 struct sk_security_struct
*ssec
= selinux_sock(sock
->sk
);
4605 struct sk_security_struct
*osec
= selinux_sock(other
->sk
);
4606 struct common_audit_data ad
;
4607 struct lsm_network_audit net
= {0,};
4609 ad
.type
= LSM_AUDIT_DATA_NET
;
4611 ad
.u
.net
->sk
= other
->sk
;
4613 return avc_has_perm(ssec
->sid
, osec
->sid
, osec
->sclass
, SOCKET__SENDTO
,
4617 static int selinux_inet_sys_rcv_skb(struct net
*ns
, int ifindex
,
4618 char *addrp
, u16 family
, u32 peer_sid
,
4619 struct common_audit_data
*ad
)
4625 err
= sel_netif_sid(ns
, ifindex
, &if_sid
);
4628 err
= avc_has_perm(peer_sid
, if_sid
,
4629 SECCLASS_NETIF
, NETIF__INGRESS
, ad
);
4633 err
= sel_netnode_sid(addrp
, family
, &node_sid
);
4636 return avc_has_perm(peer_sid
, node_sid
,
4637 SECCLASS_NODE
, NODE__RECVFROM
, ad
);
4640 static int selinux_sock_rcv_skb_compat(struct sock
*sk
, struct sk_buff
*skb
,
4644 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4645 u32 sk_sid
= sksec
->sid
;
4646 struct common_audit_data ad
;
4647 struct lsm_network_audit net
= {0,};
4650 ad
.type
= LSM_AUDIT_DATA_NET
;
4652 ad
.u
.net
->netif
= skb
->skb_iif
;
4653 ad
.u
.net
->family
= family
;
4654 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4658 if (selinux_secmark_enabled()) {
4659 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4665 err
= selinux_netlbl_sock_rcv_skb(sksec
, skb
, family
, &ad
);
4668 err
= selinux_xfrm_sock_rcv_skb(sksec
->sid
, skb
, &ad
);
4673 static int selinux_socket_sock_rcv_skb(struct sock
*sk
, struct sk_buff
*skb
)
4676 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4677 u16 family
= sk
->sk_family
;
4678 u32 sk_sid
= sksec
->sid
;
4679 struct common_audit_data ad
;
4680 struct lsm_network_audit net
= {0,};
4685 if (family
!= PF_INET
&& family
!= PF_INET6
)
4688 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4689 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4692 /* If any sort of compatibility mode is enabled then handoff processing
4693 * to the selinux_sock_rcv_skb_compat() function to deal with the
4694 * special handling. We do this in an attempt to keep this function
4695 * as fast and as clean as possible. */
4696 if (!selinux_policycap_netpeer
)
4697 return selinux_sock_rcv_skb_compat(sk
, skb
, family
);
4699 secmark_active
= selinux_secmark_enabled();
4700 peerlbl_active
= selinux_peerlbl_enabled();
4701 if (!secmark_active
&& !peerlbl_active
)
4704 ad
.type
= LSM_AUDIT_DATA_NET
;
4706 ad
.u
.net
->netif
= skb
->skb_iif
;
4707 ad
.u
.net
->family
= family
;
4708 err
= selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
);
4712 if (peerlbl_active
) {
4715 err
= selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
);
4718 err
= selinux_inet_sys_rcv_skb(sock_net(sk
), skb
->skb_iif
,
4719 addrp
, family
, peer_sid
, &ad
);
4721 selinux_netlbl_err(skb
, family
, err
, 0);
4724 err
= avc_has_perm(sk_sid
, peer_sid
, SECCLASS_PEER
,
4727 selinux_netlbl_err(skb
, family
, err
, 0);
4732 if (secmark_active
) {
4733 err
= avc_has_perm(sk_sid
, skb
->secmark
, SECCLASS_PACKET
,
4742 static int selinux_socket_getpeersec_stream(struct socket
*sock
,
4743 __user
char *optval
,
4750 struct sk_security_struct
*sksec
= selinux_sock(sock
->sk
);
4751 u32 peer_sid
= SECSID_NULL
;
4753 if (sksec
->sclass
== SECCLASS_UNIX_STREAM_SOCKET
||
4754 sksec
->sclass
== SECCLASS_TCP_SOCKET
)
4755 peer_sid
= sksec
->peer_sid
;
4756 if (peer_sid
== SECSID_NULL
)
4757 return -ENOPROTOOPT
;
4759 err
= security_sid_to_context(peer_sid
, &scontext
, &scontext_len
);
4763 if (scontext_len
> len
) {
4768 if (copy_to_user(optval
, scontext
, scontext_len
))
4772 if (put_user(scontext_len
, optlen
))
4778 static int selinux_socket_getpeersec_dgram(struct socket
*sock
, struct sk_buff
*skb
, u32
*secid
)
4780 u32 peer_secid
= SECSID_NULL
;
4782 struct inode_security_struct
*isec
;
4784 if (skb
&& skb
->protocol
== htons(ETH_P_IP
))
4786 else if (skb
&& skb
->protocol
== htons(ETH_P_IPV6
))
4789 family
= sock
->sk
->sk_family
;
4793 if (sock
&& family
== PF_UNIX
) {
4794 isec
= inode_security_novalidate(SOCK_INODE(sock
));
4795 peer_secid
= isec
->sid
;
4797 selinux_skb_peerlbl_sid(skb
, family
, &peer_secid
);
4800 *secid
= peer_secid
;
4801 if (peer_secid
== SECSID_NULL
)
4806 static int selinux_sk_alloc_security(struct sock
*sk
, int family
, gfp_t priority
)
4808 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4810 sksec
->peer_sid
= SECINITSID_UNLABELED
;
4811 sksec
->sid
= SECINITSID_UNLABELED
;
4812 sksec
->sclass
= SECCLASS_SOCKET
;
4813 selinux_netlbl_sk_security_reset(sksec
);
4818 static void selinux_sk_free_security(struct sock
*sk
)
4820 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4822 selinux_netlbl_sk_security_free(sksec
);
4825 static void selinux_sk_clone_security(const struct sock
*sk
, struct sock
*newsk
)
4827 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4828 struct sk_security_struct
*newsksec
= selinux_sock(newsk
);
4830 newsksec
->sid
= sksec
->sid
;
4831 newsksec
->peer_sid
= sksec
->peer_sid
;
4832 newsksec
->sclass
= sksec
->sclass
;
4834 selinux_netlbl_sk_security_reset(newsksec
);
4837 static void selinux_sk_getsecid(struct sock
*sk
, u32
*secid
)
4840 *secid
= SECINITSID_ANY_SOCKET
;
4842 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4844 *secid
= sksec
->sid
;
4848 static void selinux_sock_graft(struct sock
*sk
, struct socket
*parent
)
4850 struct inode_security_struct
*isec
=
4851 inode_security_novalidate(SOCK_INODE(parent
));
4852 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4854 if (sk
->sk_family
== PF_INET
|| sk
->sk_family
== PF_INET6
||
4855 sk
->sk_family
== PF_UNIX
)
4856 isec
->sid
= sksec
->sid
;
4857 sksec
->sclass
= isec
->sclass
;
4860 static int selinux_inet_conn_request(struct sock
*sk
, struct sk_buff
*skb
,
4861 struct request_sock
*req
)
4863 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4865 u16 family
= req
->rsk_ops
->family
;
4869 err
= selinux_skb_peerlbl_sid(skb
, family
, &peersid
);
4872 err
= selinux_conn_sid(sksec
->sid
, peersid
, &connsid
);
4875 req
->secid
= connsid
;
4876 req
->peer_secid
= peersid
;
4878 return selinux_netlbl_inet_conn_request(req
, family
);
4881 static void selinux_inet_csk_clone(struct sock
*newsk
,
4882 const struct request_sock
*req
)
4884 struct sk_security_struct
*newsksec
= selinux_sock(newsk
);
4886 newsksec
->sid
= req
->secid
;
4887 newsksec
->peer_sid
= req
->peer_secid
;
4888 /* NOTE: Ideally, we should also get the isec->sid for the
4889 new socket in sync, but we don't have the isec available yet.
4890 So we will wait until sock_graft to do it, by which
4891 time it will have been created and available. */
4893 /* We don't need to take any sort of lock here as we are the only
4894 * thread with access to newsksec */
4895 selinux_netlbl_inet_csk_clone(newsk
, req
->rsk_ops
->family
);
4898 static void selinux_inet_conn_established(struct sock
*sk
, struct sk_buff
*skb
)
4900 u16 family
= sk
->sk_family
;
4901 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4903 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4904 if (family
== PF_INET6
&& skb
->protocol
== htons(ETH_P_IP
))
4907 selinux_skb_peerlbl_sid(skb
, family
, &sksec
->peer_sid
);
4910 static int selinux_secmark_relabel_packet(u32 sid
)
4912 const struct task_security_struct
*__tsec
;
4915 __tsec
= selinux_cred(current_cred());
4918 return avc_has_perm(tsid
, sid
, SECCLASS_PACKET
, PACKET__RELABELTO
, NULL
);
4921 static void selinux_secmark_refcount_inc(void)
4923 atomic_inc(&selinux_secmark_refcount
);
4926 static void selinux_secmark_refcount_dec(void)
4928 atomic_dec(&selinux_secmark_refcount
);
4931 static void selinux_req_classify_flow(const struct request_sock
*req
,
4934 fl
->flowi_secid
= req
->secid
;
4937 static int selinux_tun_dev_alloc_security(void **security
)
4939 struct tun_security_struct
*tunsec
;
4941 tunsec
= kzalloc(sizeof(*tunsec
), GFP_KERNEL
);
4944 tunsec
->sid
= current_sid();
4950 static void selinux_tun_dev_free_security(void *security
)
4955 static int selinux_tun_dev_create(void)
4957 u32 sid
= current_sid();
4959 /* we aren't taking into account the "sockcreate" SID since the socket
4960 * that is being created here is not a socket in the traditional sense,
4961 * instead it is a private sock, accessible only to the kernel, and
4962 * representing a wide range of network traffic spanning multiple
4963 * connections unlike traditional sockets - check the TUN driver to
4964 * get a better understanding of why this socket is special */
4966 return avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
, TUN_SOCKET__CREATE
,
4970 static int selinux_tun_dev_attach_queue(void *security
)
4972 struct tun_security_struct
*tunsec
= security
;
4974 return avc_has_perm(current_sid(), tunsec
->sid
, SECCLASS_TUN_SOCKET
,
4975 TUN_SOCKET__ATTACH_QUEUE
, NULL
);
4978 static int selinux_tun_dev_attach(struct sock
*sk
, void *security
)
4980 struct tun_security_struct
*tunsec
= security
;
4981 struct sk_security_struct
*sksec
= selinux_sock(sk
);
4983 /* we don't currently perform any NetLabel based labeling here and it
4984 * isn't clear that we would want to do so anyway; while we could apply
4985 * labeling without the support of the TUN user the resulting labeled
4986 * traffic from the other end of the connection would almost certainly
4987 * cause confusion to the TUN user that had no idea network labeling
4988 * protocols were being used */
4990 sksec
->sid
= tunsec
->sid
;
4991 sksec
->sclass
= SECCLASS_TUN_SOCKET
;
4996 static int selinux_tun_dev_open(void *security
)
4998 struct tun_security_struct
*tunsec
= security
;
4999 u32 sid
= current_sid();
5002 err
= avc_has_perm(sid
, tunsec
->sid
, SECCLASS_TUN_SOCKET
,
5003 TUN_SOCKET__RELABELFROM
, NULL
);
5006 err
= avc_has_perm(sid
, sid
, SECCLASS_TUN_SOCKET
,
5007 TUN_SOCKET__RELABELTO
, NULL
);
5015 static int selinux_nlmsg_perm(struct sock
*sk
, struct sk_buff
*skb
)
5019 struct nlmsghdr
*nlh
;
5020 struct sk_security_struct
*sksec
= selinux_sock(sk
);
5022 if (skb
->len
< NLMSG_HDRLEN
) {
5026 nlh
= nlmsg_hdr(skb
);
5028 err
= selinux_nlmsg_lookup(sksec
->sclass
, nlh
->nlmsg_type
, &perm
);
5030 if (err
== -EINVAL
) {
5031 pr_warn_ratelimited("SELinux: unrecognized netlink"
5032 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5033 " pig=%d comm=%s\n",
5034 sk
->sk_protocol
, nlh
->nlmsg_type
,
5035 secclass_map
[sksec
->sclass
- 1].name
,
5036 task_pid_nr(current
), current
->comm
);
5037 if (!selinux_enforcing
|| security_get_allow_unknown())
5047 err
= sock_has_perm(sk
, perm
);
5052 #ifdef CONFIG_NETFILTER
5054 static unsigned int selinux_ip_forward(struct sk_buff
*skb
,
5055 const struct net_device
*indev
,
5061 struct common_audit_data ad
;
5062 struct lsm_network_audit net
= {0,};
5067 if (!selinux_policycap_netpeer
)
5070 secmark_active
= selinux_secmark_enabled();
5071 netlbl_active
= netlbl_enabled();
5072 peerlbl_active
= selinux_peerlbl_enabled();
5073 if (!secmark_active
&& !peerlbl_active
)
5076 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
) != 0)
5079 ad
.type
= LSM_AUDIT_DATA_NET
;
5081 ad
.u
.net
->netif
= indev
->ifindex
;
5082 ad
.u
.net
->family
= family
;
5083 if (selinux_parse_skb(skb
, &ad
, &addrp
, 1, NULL
) != 0)
5086 if (peerlbl_active
) {
5087 err
= selinux_inet_sys_rcv_skb(dev_net(indev
), indev
->ifindex
,
5088 addrp
, family
, peer_sid
, &ad
);
5090 selinux_netlbl_err(skb
, family
, err
, 1);
5096 if (avc_has_perm(peer_sid
, skb
->secmark
,
5097 SECCLASS_PACKET
, PACKET__FORWARD_IN
, &ad
))
5101 /* we do this in the FORWARD path and not the POST_ROUTING
5102 * path because we want to make sure we apply the necessary
5103 * labeling before IPsec is applied so we can leverage AH
5105 if (selinux_netlbl_skbuff_setsid(skb
, family
, peer_sid
) != 0)
5111 static unsigned int selinux_ipv4_forward(void *priv
,
5112 struct sk_buff
*skb
,
5113 const struct nf_hook_state
*state
)
5115 return selinux_ip_forward(skb
, state
->in
, PF_INET
);
5118 #if IS_ENABLED(CONFIG_IPV6)
5119 static unsigned int selinux_ipv6_forward(void *priv
,
5120 struct sk_buff
*skb
,
5121 const struct nf_hook_state
*state
)
5123 return selinux_ip_forward(skb
, state
->in
, PF_INET6
);
5127 static unsigned int selinux_ip_output(struct sk_buff
*skb
,
5133 if (!netlbl_enabled())
5136 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5137 * because we want to make sure we apply the necessary labeling
5138 * before IPsec is applied so we can leverage AH protection */
5141 struct sk_security_struct
*sksec
;
5143 if (sk_listener(sk
))
5144 /* if the socket is the listening state then this
5145 * packet is a SYN-ACK packet which means it needs to
5146 * be labeled based on the connection/request_sock and
5147 * not the parent socket. unfortunately, we can't
5148 * lookup the request_sock yet as it isn't queued on
5149 * the parent socket until after the SYN-ACK is sent.
5150 * the "solution" is to simply pass the packet as-is
5151 * as any IP option based labeling should be copied
5152 * from the initial connection request (in the IP
5153 * layer). it is far from ideal, but until we get a
5154 * security label in the packet itself this is the
5155 * best we can do. */
5158 /* standard practice, label using the parent socket */
5159 sksec
= selinux_sock(sk
);
5162 sid
= SECINITSID_KERNEL
;
5163 if (selinux_netlbl_skbuff_setsid(skb
, family
, sid
) != 0)
5169 static unsigned int selinux_ipv4_output(void *priv
,
5170 struct sk_buff
*skb
,
5171 const struct nf_hook_state
*state
)
5173 return selinux_ip_output(skb
, PF_INET
);
5176 #if IS_ENABLED(CONFIG_IPV6)
5177 static unsigned int selinux_ipv6_output(void *priv
,
5178 struct sk_buff
*skb
,
5179 const struct nf_hook_state
*state
)
5181 return selinux_ip_output(skb
, PF_INET6
);
5185 static unsigned int selinux_ip_postroute_compat(struct sk_buff
*skb
,
5189 struct sock
*sk
= skb_to_full_sk(skb
);
5190 struct sk_security_struct
*sksec
;
5191 struct common_audit_data ad
;
5192 struct lsm_network_audit net
= {0,};
5198 sksec
= selinux_sock(sk
);
5200 ad
.type
= LSM_AUDIT_DATA_NET
;
5202 ad
.u
.net
->netif
= ifindex
;
5203 ad
.u
.net
->family
= family
;
5204 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, &proto
))
5207 if (selinux_secmark_enabled())
5208 if (avc_has_perm(sksec
->sid
, skb
->secmark
,
5209 SECCLASS_PACKET
, PACKET__SEND
, &ad
))
5210 return NF_DROP_ERR(-ECONNREFUSED
);
5212 if (selinux_xfrm_postroute_last(sksec
->sid
, skb
, &ad
, proto
))
5213 return NF_DROP_ERR(-ECONNREFUSED
);
5218 static unsigned int selinux_ip_postroute(struct sk_buff
*skb
,
5219 const struct net_device
*outdev
,
5224 int ifindex
= outdev
->ifindex
;
5226 struct common_audit_data ad
;
5227 struct lsm_network_audit net
= {0,};
5232 /* If any sort of compatibility mode is enabled then handoff processing
5233 * to the selinux_ip_postroute_compat() function to deal with the
5234 * special handling. We do this in an attempt to keep this function
5235 * as fast and as clean as possible. */
5236 if (!selinux_policycap_netpeer
)
5237 return selinux_ip_postroute_compat(skb
, ifindex
, family
);
5239 secmark_active
= selinux_secmark_enabled();
5240 peerlbl_active
= selinux_peerlbl_enabled();
5241 if (!secmark_active
&& !peerlbl_active
)
5244 sk
= skb_to_full_sk(skb
);
5247 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5248 * packet transformation so allow the packet to pass without any checks
5249 * since we'll have another chance to perform access control checks
5250 * when the packet is on it's final way out.
5251 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5252 * is NULL, in this case go ahead and apply access control.
5253 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5254 * TCP listening state we cannot wait until the XFRM processing
5255 * is done as we will miss out on the SA label if we do;
5256 * unfortunately, this means more work, but it is only once per
5258 if (skb_dst(skb
) != NULL
&& skb_dst(skb
)->xfrm
!= NULL
&&
5259 !(sk
&& sk_listener(sk
)))
5264 /* Without an associated socket the packet is either coming
5265 * from the kernel or it is being forwarded; check the packet
5266 * to determine which and if the packet is being forwarded
5267 * query the packet directly to determine the security label. */
5269 secmark_perm
= PACKET__FORWARD_OUT
;
5270 if (selinux_skb_peerlbl_sid(skb
, family
, &peer_sid
))
5273 secmark_perm
= PACKET__SEND
;
5274 peer_sid
= SECINITSID_KERNEL
;
5276 } else if (sk_listener(sk
)) {
5277 /* Locally generated packet but the associated socket is in the
5278 * listening state which means this is a SYN-ACK packet. In
5279 * this particular case the correct security label is assigned
5280 * to the connection/request_sock but unfortunately we can't
5281 * query the request_sock as it isn't queued on the parent
5282 * socket until after the SYN-ACK packet is sent; the only
5283 * viable choice is to regenerate the label like we do in
5284 * selinux_inet_conn_request(). See also selinux_ip_output()
5285 * for similar problems. */
5287 struct sk_security_struct
*sksec
;
5289 sksec
= selinux_sock(sk
);
5290 if (selinux_skb_peerlbl_sid(skb
, family
, &skb_sid
))
5292 /* At this point, if the returned skb peerlbl is SECSID_NULL
5293 * and the packet has been through at least one XFRM
5294 * transformation then we must be dealing with the "final"
5295 * form of labeled IPsec packet; since we've already applied
5296 * all of our access controls on this packet we can safely
5297 * pass the packet. */
5298 if (skb_sid
== SECSID_NULL
) {
5301 if (IPCB(skb
)->flags
& IPSKB_XFRM_TRANSFORMED
)
5305 if (IP6CB(skb
)->flags
& IP6SKB_XFRM_TRANSFORMED
)
5309 return NF_DROP_ERR(-ECONNREFUSED
);
5312 if (selinux_conn_sid(sksec
->sid
, skb_sid
, &peer_sid
))
5314 secmark_perm
= PACKET__SEND
;
5316 /* Locally generated packet, fetch the security label from the
5317 * associated socket. */
5318 struct sk_security_struct
*sksec
= selinux_sock(sk
);
5319 peer_sid
= sksec
->sid
;
5320 secmark_perm
= PACKET__SEND
;
5323 ad
.type
= LSM_AUDIT_DATA_NET
;
5325 ad
.u
.net
->netif
= ifindex
;
5326 ad
.u
.net
->family
= family
;
5327 if (selinux_parse_skb(skb
, &ad
, &addrp
, 0, NULL
))
5331 if (avc_has_perm(peer_sid
, skb
->secmark
,
5332 SECCLASS_PACKET
, secmark_perm
, &ad
))
5333 return NF_DROP_ERR(-ECONNREFUSED
);
5335 if (peerlbl_active
) {
5339 if (sel_netif_sid(dev_net(outdev
), ifindex
, &if_sid
))
5341 if (avc_has_perm(peer_sid
, if_sid
,
5342 SECCLASS_NETIF
, NETIF__EGRESS
, &ad
))
5343 return NF_DROP_ERR(-ECONNREFUSED
);
5345 if (sel_netnode_sid(addrp
, family
, &node_sid
))
5347 if (avc_has_perm(peer_sid
, node_sid
,
5348 SECCLASS_NODE
, NODE__SENDTO
, &ad
))
5349 return NF_DROP_ERR(-ECONNREFUSED
);
5355 static unsigned int selinux_ipv4_postroute(void *priv
,
5356 struct sk_buff
*skb
,
5357 const struct nf_hook_state
*state
)
5359 return selinux_ip_postroute(skb
, state
->out
, PF_INET
);
5362 #if IS_ENABLED(CONFIG_IPV6)
5363 static unsigned int selinux_ipv6_postroute(void *priv
,
5364 struct sk_buff
*skb
,
5365 const struct nf_hook_state
*state
)
5367 return selinux_ip_postroute(skb
, state
->out
, PF_INET6
);
5371 #endif /* CONFIG_NETFILTER */
5373 static int selinux_netlink_send(struct sock
*sk
, struct sk_buff
*skb
)
5375 return selinux_nlmsg_perm(sk
, skb
);
5378 static void ipc_init_security(struct ipc_security_struct
*isec
, u16 sclass
)
5380 isec
->sclass
= sclass
;
5381 isec
->sid
= current_sid();
5384 static int msg_msg_alloc_security(struct msg_msg
*msg
)
5386 struct msg_security_struct
*msec
;
5388 msec
= selinux_msg_msg(msg
);
5389 msec
->sid
= SECINITSID_UNLABELED
;
5394 static int ipc_has_perm(struct kern_ipc_perm
*ipc_perms
,
5397 struct ipc_security_struct
*isec
;
5398 struct common_audit_data ad
;
5399 u32 sid
= current_sid();
5401 isec
= selinux_ipc(ipc_perms
);
5403 ad
.type
= LSM_AUDIT_DATA_IPC
;
5404 ad
.u
.ipc_id
= ipc_perms
->key
;
5406 return avc_has_perm(sid
, isec
->sid
, isec
->sclass
, perms
, &ad
);
5409 static int selinux_msg_msg_alloc_security(struct msg_msg
*msg
)
5411 return msg_msg_alloc_security(msg
);
5414 /* message queue security operations */
5415 static int selinux_msg_queue_alloc_security(struct msg_queue
*msq
)
5417 struct ipc_security_struct
*isec
;
5418 struct common_audit_data ad
;
5419 u32 sid
= current_sid();
5422 isec
= selinux_ipc(&msq
->q_perm
);
5423 ipc_init_security(isec
, SECCLASS_MSGQ
);
5425 ad
.type
= LSM_AUDIT_DATA_IPC
;
5426 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5428 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5433 static int selinux_msg_queue_associate(struct msg_queue
*msq
, int msqflg
)
5435 struct ipc_security_struct
*isec
;
5436 struct common_audit_data ad
;
5437 u32 sid
= current_sid();
5439 isec
= selinux_ipc(&msq
->q_perm
);
5441 ad
.type
= LSM_AUDIT_DATA_IPC
;
5442 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5444 return avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5445 MSGQ__ASSOCIATE
, &ad
);
5448 static int selinux_msg_queue_msgctl(struct msg_queue
*msq
, int cmd
)
5456 /* No specific object, just general system-wide information. */
5457 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5458 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5461 perms
= MSGQ__GETATTR
| MSGQ__ASSOCIATE
;
5464 perms
= MSGQ__SETATTR
;
5467 perms
= MSGQ__DESTROY
;
5473 err
= ipc_has_perm(&msq
->q_perm
, perms
);
5477 static int selinux_msg_queue_msgsnd(struct msg_queue
*msq
, struct msg_msg
*msg
, int msqflg
)
5479 struct ipc_security_struct
*isec
;
5480 struct msg_security_struct
*msec
;
5481 struct common_audit_data ad
;
5482 u32 sid
= current_sid();
5485 isec
= selinux_ipc(&msq
->q_perm
);
5486 msec
= selinux_msg_msg(msg
);
5489 * First time through, need to assign label to the message
5491 if (msec
->sid
== SECINITSID_UNLABELED
) {
5493 * Compute new sid based on current process and
5494 * message queue this message will be stored in
5496 rc
= security_transition_sid(sid
, isec
->sid
, SECCLASS_MSG
,
5502 ad
.type
= LSM_AUDIT_DATA_IPC
;
5503 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5505 /* Can this process write to the queue? */
5506 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_MSGQ
,
5509 /* Can this process send the message */
5510 rc
= avc_has_perm(sid
, msec
->sid
, SECCLASS_MSG
,
5513 /* Can the message be put in the queue? */
5514 rc
= avc_has_perm(msec
->sid
, isec
->sid
, SECCLASS_MSGQ
,
5515 MSGQ__ENQUEUE
, &ad
);
5520 static int selinux_msg_queue_msgrcv(struct msg_queue
*msq
, struct msg_msg
*msg
,
5521 struct task_struct
*target
,
5522 long type
, int mode
)
5524 struct ipc_security_struct
*isec
;
5525 struct msg_security_struct
*msec
;
5526 struct common_audit_data ad
;
5527 u32 sid
= task_sid(target
);
5530 isec
= selinux_ipc(&msq
->q_perm
);
5531 msec
= selinux_msg_msg(msg
);
5533 ad
.type
= LSM_AUDIT_DATA_IPC
;
5534 ad
.u
.ipc_id
= msq
->q_perm
.key
;
5536 rc
= avc_has_perm(sid
, isec
->sid
,
5537 SECCLASS_MSGQ
, MSGQ__READ
, &ad
);
5539 rc
= avc_has_perm(sid
, msec
->sid
,
5540 SECCLASS_MSG
, MSG__RECEIVE
, &ad
);
5544 /* Shared Memory security operations */
5545 static int selinux_shm_alloc_security(struct shmid_kernel
*shp
)
5547 struct ipc_security_struct
*isec
;
5548 struct common_audit_data ad
;
5549 u32 sid
= current_sid();
5552 isec
= selinux_ipc(&shp
->shm_perm
);
5553 ipc_init_security(isec
, SECCLASS_SHM
);
5555 ad
.type
= LSM_AUDIT_DATA_IPC
;
5556 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
5558 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
5563 static int selinux_shm_associate(struct shmid_kernel
*shp
, int shmflg
)
5565 struct ipc_security_struct
*isec
;
5566 struct common_audit_data ad
;
5567 u32 sid
= current_sid();
5569 isec
= selinux_ipc(&shp
->shm_perm
);
5571 ad
.type
= LSM_AUDIT_DATA_IPC
;
5572 ad
.u
.ipc_id
= shp
->shm_perm
.key
;
5574 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SHM
,
5575 SHM__ASSOCIATE
, &ad
);
5578 /* Note, at this point, shp is locked down */
5579 static int selinux_shm_shmctl(struct shmid_kernel
*shp
, int cmd
)
5587 /* No specific object, just general system-wide information. */
5588 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5589 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5592 perms
= SHM__GETATTR
| SHM__ASSOCIATE
;
5595 perms
= SHM__SETATTR
;
5602 perms
= SHM__DESTROY
;
5608 err
= ipc_has_perm(&shp
->shm_perm
, perms
);
5612 static int selinux_shm_shmat(struct shmid_kernel
*shp
,
5613 char __user
*shmaddr
, int shmflg
)
5617 if (shmflg
& SHM_RDONLY
)
5620 perms
= SHM__READ
| SHM__WRITE
;
5622 return ipc_has_perm(&shp
->shm_perm
, perms
);
5625 /* Semaphore security operations */
5626 static int selinux_sem_alloc_security(struct sem_array
*sma
)
5628 struct ipc_security_struct
*isec
;
5629 struct common_audit_data ad
;
5630 u32 sid
= current_sid();
5633 isec
= selinux_ipc(&sma
->sem_perm
);
5634 ipc_init_security(isec
, SECCLASS_SEM
);
5636 ad
.type
= LSM_AUDIT_DATA_IPC
;
5637 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5639 rc
= avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5644 static int selinux_sem_associate(struct sem_array
*sma
, int semflg
)
5646 struct ipc_security_struct
*isec
;
5647 struct common_audit_data ad
;
5648 u32 sid
= current_sid();
5650 isec
= selinux_ipc(&sma
->sem_perm
);
5652 ad
.type
= LSM_AUDIT_DATA_IPC
;
5653 ad
.u
.ipc_id
= sma
->sem_perm
.key
;
5655 return avc_has_perm(sid
, isec
->sid
, SECCLASS_SEM
,
5656 SEM__ASSOCIATE
, &ad
);
5659 /* Note, at this point, sma is locked down */
5660 static int selinux_sem_semctl(struct sem_array
*sma
, int cmd
)
5668 /* No specific object, just general system-wide information. */
5669 return avc_has_perm(current_sid(), SECINITSID_KERNEL
,
5670 SECCLASS_SYSTEM
, SYSTEM__IPC_INFO
, NULL
);
5674 perms
= SEM__GETATTR
;
5685 perms
= SEM__DESTROY
;
5688 perms
= SEM__SETATTR
;
5692 perms
= SEM__GETATTR
| SEM__ASSOCIATE
;
5698 err
= ipc_has_perm(&sma
->sem_perm
, perms
);
5702 static int selinux_sem_semop(struct sem_array
*sma
,
5703 struct sembuf
*sops
, unsigned nsops
, int alter
)
5708 perms
= SEM__READ
| SEM__WRITE
;
5712 return ipc_has_perm(&sma
->sem_perm
, perms
);
5715 static int selinux_ipc_permission(struct kern_ipc_perm
*ipcp
, short flag
)
5721 av
|= IPC__UNIX_READ
;
5723 av
|= IPC__UNIX_WRITE
;
5728 return ipc_has_perm(ipcp
, av
);
5731 static void selinux_ipc_getsecid(struct kern_ipc_perm
*ipcp
, u32
*secid
)
5733 struct ipc_security_struct
*isec
= selinux_ipc(ipcp
);
5737 static void selinux_d_instantiate(struct dentry
*dentry
, struct inode
*inode
)
5740 inode_doinit_with_dentry(inode
, dentry
);
5743 static int selinux_getprocattr(struct task_struct
*p
,
5744 char *name
, char **value
)
5746 const struct task_security_struct
*__tsec
;
5752 __tsec
= selinux_cred(__task_cred(p
));
5755 error
= avc_has_perm(current_sid(), __tsec
->sid
,
5756 SECCLASS_PROCESS
, PROCESS__GETATTR
, NULL
);
5761 if (!strcmp(name
, "current"))
5763 else if (!strcmp(name
, "prev"))
5765 else if (!strcmp(name
, "exec"))
5766 sid
= __tsec
->exec_sid
;
5767 else if (!strcmp(name
, "fscreate"))
5768 sid
= __tsec
->create_sid
;
5769 else if (!strcmp(name
, "keycreate"))
5770 sid
= __tsec
->keycreate_sid
;
5771 else if (!strcmp(name
, "sockcreate"))
5772 sid
= __tsec
->sockcreate_sid
;
5782 error
= security_sid_to_context(sid
, value
, &len
);
5792 static int selinux_setprocattr(const char *name
, void *value
, size_t size
)
5794 struct task_security_struct
*tsec
;
5796 u32 mysid
= current_sid(), sid
= 0, ptsid
;
5801 * Basic control over ability to set these attributes at all.
5803 if (!strcmp(name
, "exec"))
5804 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5805 PROCESS__SETEXEC
, NULL
);
5806 else if (!strcmp(name
, "fscreate"))
5807 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5808 PROCESS__SETFSCREATE
, NULL
);
5809 else if (!strcmp(name
, "keycreate"))
5810 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5811 PROCESS__SETKEYCREATE
, NULL
);
5812 else if (!strcmp(name
, "sockcreate"))
5813 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5814 PROCESS__SETSOCKCREATE
, NULL
);
5815 else if (!strcmp(name
, "current"))
5816 error
= avc_has_perm(mysid
, mysid
, SECCLASS_PROCESS
,
5817 PROCESS__SETCURRENT
, NULL
);
5823 /* Obtain a SID for the context, if one was specified. */
5824 if (size
&& str
[0] && str
[0] != '\n') {
5825 if (str
[size
-1] == '\n') {
5829 error
= security_context_to_sid(value
, size
, &sid
, GFP_KERNEL
);
5830 if (error
== -EINVAL
&& !strcmp(name
, "fscreate")) {
5831 if (!has_cap_mac_admin(true)) {
5832 struct audit_buffer
*ab
;
5835 /* We strip a nul only if it is at the end, otherwise the
5836 * context contains a nul and we should audit that */
5837 if (str
[size
- 1] == '\0')
5838 audit_size
= size
- 1;
5841 ab
= audit_log_start(current
->audit_context
, GFP_ATOMIC
, AUDIT_SELINUX_ERR
);
5842 audit_log_format(ab
, "op=fscreate invalid_context=");
5843 audit_log_n_untrustedstring(ab
, value
, audit_size
);
5848 error
= security_context_to_sid_force(value
, size
,
5855 new = prepare_creds();
5859 /* Permission checking based on the specified context is
5860 performed during the actual operation (execve,
5861 open/mkdir/...), when we know the full context of the
5862 operation. See selinux_bprm_set_creds for the execve
5863 checks and may_create for the file creation checks. The
5864 operation will then fail if the context is not permitted. */
5865 tsec
= selinux_cred(new);
5866 if (!strcmp(name
, "exec")) {
5867 tsec
->exec_sid
= sid
;
5868 } else if (!strcmp(name
, "fscreate")) {
5869 tsec
->create_sid
= sid
;
5870 } else if (!strcmp(name
, "keycreate")) {
5871 error
= avc_has_perm(mysid
, sid
, SECCLASS_KEY
, KEY__CREATE
,
5875 tsec
->keycreate_sid
= sid
;
5876 } else if (!strcmp(name
, "sockcreate")) {
5877 tsec
->sockcreate_sid
= sid
;
5878 } else if (!strcmp(name
, "current")) {
5883 /* Only allow single threaded processes to change context */
5885 if (!current_is_single_threaded()) {
5886 error
= security_bounded_transition(tsec
->sid
, sid
);
5891 /* Check permissions for the transition. */
5892 error
= avc_has_perm(tsec
->sid
, sid
, SECCLASS_PROCESS
,
5893 PROCESS__DYNTRANSITION
, NULL
);
5897 /* Check for ptracing, and update the task SID if ok.
5898 Otherwise, leave SID unchanged and fail. */
5899 ptsid
= ptrace_parent_sid();
5901 error
= avc_has_perm(ptsid
, sid
, SECCLASS_PROCESS
,
5902 PROCESS__PTRACE
, NULL
);
5921 static int selinux_ismaclabel(const char *name
)
5923 return (strcmp(name
, XATTR_SELINUX_SUFFIX
) == 0);
5926 static int selinux_secid_to_secctx(u32 secid
, char **secdata
, u32
*seclen
)
5928 return security_sid_to_context(secid
, secdata
, seclen
);
5931 static int selinux_secctx_to_secid(const char *secdata
, u32 seclen
, u32
*secid
)
5933 return security_context_to_sid(secdata
, seclen
, secid
, GFP_KERNEL
);
5936 static void selinux_release_secctx(char *secdata
, u32 seclen
)
5941 static void selinux_inode_invalidate_secctx(struct inode
*inode
)
5943 struct inode_security_struct
*isec
= selinux_inode(inode
);
5945 spin_lock(&isec
->lock
);
5946 isec
->initialized
= LABEL_INVALID
;
5947 spin_unlock(&isec
->lock
);
5951 * called with inode->i_mutex locked
5953 static int selinux_inode_notifysecctx(struct inode
*inode
, void *ctx
, u32 ctxlen
)
5955 return selinux_inode_setsecurity(inode
, XATTR_SELINUX_SUFFIX
, ctx
, ctxlen
, 0);
5959 * called with inode->i_mutex locked
5961 static int selinux_inode_setsecctx(struct dentry
*dentry
, void *ctx
, u32 ctxlen
)
5963 return __vfs_setxattr_noperm(dentry
, XATTR_NAME_SELINUX
, ctx
, ctxlen
, 0);
5966 static int selinux_inode_getsecctx(struct inode
*inode
, void **ctx
, u32
*ctxlen
)
5969 len
= selinux_inode_getsecurity(inode
, XATTR_SELINUX_SUFFIX
,
5978 static int selinux_key_alloc(struct key
*k
, const struct cred
*cred
,
5979 unsigned long flags
)
5981 const struct task_security_struct
*tsec
;
5982 struct key_security_struct
*ksec
= selinux_key(k
);
5984 tsec
= selinux_cred(cred
);
5985 if (tsec
->keycreate_sid
)
5986 ksec
->sid
= tsec
->keycreate_sid
;
5988 ksec
->sid
= tsec
->sid
;
5993 static int selinux_key_permission(key_ref_t key_ref
,
5994 const struct cred
*cred
,
5998 struct key_security_struct
*ksec
;
6001 /* if no specific permissions are requested, we skip the
6002 permission check. No serious, additional covert channels
6003 appear to be created. */
6007 sid
= cred_sid(cred
);
6009 key
= key_ref_to_ptr(key_ref
);
6010 ksec
= selinux_key(key
);
6012 return avc_has_perm(sid
, ksec
->sid
, SECCLASS_KEY
, perm
, NULL
);
6015 static int selinux_key_getsecurity(struct key
*key
, char **_buffer
)
6017 struct key_security_struct
*ksec
= selinux_key(key
);
6018 char *context
= NULL
;
6022 rc
= security_sid_to_context(ksec
->sid
, &context
, &len
);
6030 #ifdef CONFIG_SECURITY_INFINIBAND
6031 static int selinux_ib_pkey_access(void *ib_sec
, u64 subnet_prefix
, u16 pkey_val
)
6033 struct common_audit_data ad
;
6036 struct ib_security_struct
*sec
= ib_sec
;
6037 struct lsm_ibpkey_audit ibpkey
;
6039 err
= sel_ib_pkey_sid(subnet_prefix
, pkey_val
, &sid
);
6043 ad
.type
= LSM_AUDIT_DATA_IBPKEY
;
6044 ibpkey
.subnet_prefix
= subnet_prefix
;
6045 ibpkey
.pkey
= pkey_val
;
6046 ad
.u
.ibpkey
= &ibpkey
;
6047 return avc_has_perm(sec
->sid
, sid
,
6048 SECCLASS_INFINIBAND_PKEY
,
6049 INFINIBAND_PKEY__ACCESS
, &ad
);
6052 static int selinux_ib_endport_manage_subnet(void *ib_sec
, const char *dev_name
,
6055 struct common_audit_data ad
;
6058 struct ib_security_struct
*sec
= ib_sec
;
6059 struct lsm_ibendport_audit ibendport
;
6061 err
= security_ib_endport_sid(dev_name
, port_num
, &sid
);
6066 ad
.type
= LSM_AUDIT_DATA_IBENDPORT
;
6067 strncpy(ibendport
.dev_name
, dev_name
, sizeof(ibendport
.dev_name
));
6068 ibendport
.port
= port_num
;
6069 ad
.u
.ibendport
= &ibendport
;
6070 return avc_has_perm(sec
->sid
, sid
,
6071 SECCLASS_INFINIBAND_ENDPORT
,
6072 INFINIBAND_ENDPORT__MANAGE_SUBNET
, &ad
);
6075 static int selinux_ib_alloc_security(void **ib_sec
)
6077 struct ib_security_struct
*sec
;
6079 sec
= kzalloc(sizeof(*sec
), GFP_KERNEL
);
6082 sec
->sid
= current_sid();
6088 static void selinux_ib_free_security(void *ib_sec
)
6094 #ifdef CONFIG_BPF_SYSCALL
6095 static int selinux_bpf(int cmd
, union bpf_attr
*attr
,
6098 u32 sid
= current_sid();
6102 case BPF_MAP_CREATE
:
6103 ret
= avc_has_perm(sid
, sid
, SECCLASS_BPF
, BPF__MAP_CREATE
,
6107 ret
= avc_has_perm(sid
, sid
, SECCLASS_BPF
, BPF__PROG_LOAD
,
6118 static u32
bpf_map_fmode_to_av(fmode_t fmode
)
6122 if (fmode
& FMODE_READ
)
6123 av
|= BPF__MAP_READ
;
6124 if (fmode
& FMODE_WRITE
)
6125 av
|= BPF__MAP_WRITE
;
6129 /* This function will check the file pass through unix socket or binder to see
6130 * if it is a bpf related object. And apply correspinding checks on the bpf
6131 * object based on the type. The bpf maps and programs, not like other files and
6132 * socket, are using a shared anonymous inode inside the kernel as their inode.
6133 * So checking that inode cannot identify if the process have privilege to
6134 * access the bpf object and that's why we have to add this additional check in
6135 * selinux_file_receive and selinux_binder_transfer_files.
6137 static int bpf_fd_pass(struct file
*file
, u32 sid
)
6139 struct bpf_security_struct
*bpfsec
;
6140 struct bpf_prog
*prog
;
6141 struct bpf_map
*map
;
6144 if (file
->f_op
== &bpf_map_fops
) {
6145 map
= file
->private_data
;
6146 bpfsec
= map
->security
;
6147 ret
= avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6148 bpf_map_fmode_to_av(file
->f_mode
), NULL
);
6151 } else if (file
->f_op
== &bpf_prog_fops
) {
6152 prog
= file
->private_data
;
6153 bpfsec
= prog
->aux
->security
;
6154 ret
= avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6155 BPF__PROG_RUN
, NULL
);
6162 static int selinux_bpf_map(struct bpf_map
*map
, fmode_t fmode
)
6164 u32 sid
= current_sid();
6165 struct bpf_security_struct
*bpfsec
;
6167 bpfsec
= map
->security
;
6168 return avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6169 bpf_map_fmode_to_av(fmode
), NULL
);
6172 static int selinux_bpf_prog(struct bpf_prog
*prog
)
6174 u32 sid
= current_sid();
6175 struct bpf_security_struct
*bpfsec
;
6177 bpfsec
= prog
->aux
->security
;
6178 return avc_has_perm(sid
, bpfsec
->sid
, SECCLASS_BPF
,
6179 BPF__PROG_RUN
, NULL
);
6182 static int selinux_bpf_map_alloc(struct bpf_map
*map
)
6184 struct bpf_security_struct
*bpfsec
;
6186 bpfsec
= kzalloc(sizeof(*bpfsec
), GFP_KERNEL
);
6190 bpfsec
->sid
= current_sid();
6191 map
->security
= bpfsec
;
6196 static void selinux_bpf_map_free(struct bpf_map
*map
)
6198 struct bpf_security_struct
*bpfsec
= map
->security
;
6200 map
->security
= NULL
;
6204 static int selinux_bpf_prog_alloc(struct bpf_prog_aux
*aux
)
6206 struct bpf_security_struct
*bpfsec
;
6208 bpfsec
= kzalloc(sizeof(*bpfsec
), GFP_KERNEL
);
6212 bpfsec
->sid
= current_sid();
6213 aux
->security
= bpfsec
;
6218 static void selinux_bpf_prog_free(struct bpf_prog_aux
*aux
)
6220 struct bpf_security_struct
*bpfsec
= aux
->security
;
6222 aux
->security
= NULL
;
6227 struct lsm_blob_sizes selinux_blob_sizes
= {
6228 .lbs_cred
= sizeof(struct task_security_struct
),
6229 .lbs_file
= sizeof(struct file_security_struct
),
6230 .lbs_inode
= sizeof(struct inode_security_struct
),
6231 .lbs_ipc
= sizeof(struct ipc_security_struct
),
6233 .lbs_key
= sizeof(struct key_security_struct
),
6234 #endif /* CONFIG_KEYS */
6235 .lbs_msg_msg
= sizeof(struct msg_security_struct
),
6236 .lbs_sock
= sizeof(struct sk_security_struct
),
6237 .lbs_superblock
= sizeof(struct superblock_security_struct
),
6240 static struct security_hook_list selinux_hooks
[] __lsm_ro_after_init
= {
6241 LSM_HOOK_INIT(binder_set_context_mgr
, selinux_binder_set_context_mgr
),
6242 LSM_HOOK_INIT(binder_transaction
, selinux_binder_transaction
),
6243 LSM_HOOK_INIT(binder_transfer_binder
, selinux_binder_transfer_binder
),
6244 LSM_HOOK_INIT(binder_transfer_file
, selinux_binder_transfer_file
),
6246 LSM_HOOK_INIT(ptrace_access_check
, selinux_ptrace_access_check
),
6247 LSM_HOOK_INIT(ptrace_traceme
, selinux_ptrace_traceme
),
6248 LSM_HOOK_INIT(capget
, selinux_capget
),
6249 LSM_HOOK_INIT(capset
, selinux_capset
),
6250 LSM_HOOK_INIT(capable
, selinux_capable
),
6251 LSM_HOOK_INIT(quotactl
, selinux_quotactl
),
6252 LSM_HOOK_INIT(quota_on
, selinux_quota_on
),
6253 LSM_HOOK_INIT(syslog
, selinux_syslog
),
6254 LSM_HOOK_INIT(vm_enough_memory
, selinux_vm_enough_memory
),
6256 LSM_HOOK_INIT(netlink_send
, selinux_netlink_send
),
6258 LSM_HOOK_INIT(bprm_set_creds
, selinux_bprm_set_creds
),
6259 LSM_HOOK_INIT(bprm_committing_creds
, selinux_bprm_committing_creds
),
6260 LSM_HOOK_INIT(bprm_committed_creds
, selinux_bprm_committed_creds
),
6262 LSM_HOOK_INIT(sb_alloc_security
, selinux_sb_alloc_security
),
6263 LSM_HOOK_INIT(sb_copy_data
, selinux_sb_copy_data
),
6264 LSM_HOOK_INIT(sb_remount
, selinux_sb_remount
),
6265 LSM_HOOK_INIT(sb_kern_mount
, selinux_sb_kern_mount
),
6266 LSM_HOOK_INIT(sb_show_options
, selinux_sb_show_options
),
6267 LSM_HOOK_INIT(sb_statfs
, selinux_sb_statfs
),
6268 LSM_HOOK_INIT(sb_mount
, selinux_mount
),
6269 LSM_HOOK_INIT(sb_umount
, selinux_umount
),
6270 LSM_HOOK_INIT(sb_set_mnt_opts
, selinux_set_mnt_opts
),
6271 LSM_HOOK_INIT(sb_clone_mnt_opts
, selinux_sb_clone_mnt_opts
),
6272 LSM_HOOK_INIT(sb_parse_opts_str
, selinux_parse_opts_str
),
6274 LSM_HOOK_INIT(dentry_init_security
, selinux_dentry_init_security
),
6275 LSM_HOOK_INIT(dentry_create_files_as
, selinux_dentry_create_files_as
),
6277 LSM_HOOK_INIT(inode_alloc_security
, selinux_inode_alloc_security
),
6278 LSM_HOOK_INIT(inode_free_security
, selinux_inode_free_security
),
6279 LSM_HOOK_INIT(inode_init_security
, selinux_inode_init_security
),
6280 LSM_HOOK_INIT(inode_create
, selinux_inode_create
),
6281 LSM_HOOK_INIT(inode_link
, selinux_inode_link
),
6282 LSM_HOOK_INIT(inode_unlink
, selinux_inode_unlink
),
6283 LSM_HOOK_INIT(inode_symlink
, selinux_inode_symlink
),
6284 LSM_HOOK_INIT(inode_mkdir
, selinux_inode_mkdir
),
6285 LSM_HOOK_INIT(inode_rmdir
, selinux_inode_rmdir
),
6286 LSM_HOOK_INIT(inode_mknod
, selinux_inode_mknod
),
6287 LSM_HOOK_INIT(inode_rename
, selinux_inode_rename
),
6288 LSM_HOOK_INIT(inode_readlink
, selinux_inode_readlink
),
6289 LSM_HOOK_INIT(inode_follow_link
, selinux_inode_follow_link
),
6290 LSM_HOOK_INIT(inode_permission
, selinux_inode_permission
),
6291 LSM_HOOK_INIT(inode_setattr
, selinux_inode_setattr
),
6292 LSM_HOOK_INIT(inode_getattr
, selinux_inode_getattr
),
6293 LSM_HOOK_INIT(inode_setxattr
, selinux_inode_setxattr
),
6294 LSM_HOOK_INIT(inode_post_setxattr
, selinux_inode_post_setxattr
),
6295 LSM_HOOK_INIT(inode_getxattr
, selinux_inode_getxattr
),
6296 LSM_HOOK_INIT(inode_listxattr
, selinux_inode_listxattr
),
6297 LSM_HOOK_INIT(inode_removexattr
, selinux_inode_removexattr
),
6298 LSM_HOOK_INIT(inode_getsecurity
, selinux_inode_getsecurity
),
6299 LSM_HOOK_INIT(inode_setsecurity
, selinux_inode_setsecurity
),
6300 LSM_HOOK_INIT(inode_listsecurity
, selinux_inode_listsecurity
),
6301 LSM_HOOK_INIT(inode_getsecid
, selinux_inode_getsecid
),
6302 LSM_HOOK_INIT(inode_copy_up
, selinux_inode_copy_up
),
6303 LSM_HOOK_INIT(inode_copy_up_xattr
, selinux_inode_copy_up_xattr
),
6305 LSM_HOOK_INIT(file_permission
, selinux_file_permission
),
6306 LSM_HOOK_INIT(file_alloc_security
, selinux_file_alloc_security
),
6307 LSM_HOOK_INIT(file_ioctl
, selinux_file_ioctl
),
6308 LSM_HOOK_INIT(mmap_file
, selinux_mmap_file
),
6309 LSM_HOOK_INIT(mmap_addr
, selinux_mmap_addr
),
6310 LSM_HOOK_INIT(file_mprotect
, selinux_file_mprotect
),
6311 LSM_HOOK_INIT(file_lock
, selinux_file_lock
),
6312 LSM_HOOK_INIT(file_fcntl
, selinux_file_fcntl
),
6313 LSM_HOOK_INIT(file_set_fowner
, selinux_file_set_fowner
),
6314 LSM_HOOK_INIT(file_send_sigiotask
, selinux_file_send_sigiotask
),
6315 LSM_HOOK_INIT(file_receive
, selinux_file_receive
),
6317 LSM_HOOK_INIT(file_open
, selinux_file_open
),
6319 LSM_HOOK_INIT(task_alloc
, selinux_task_alloc
),
6320 LSM_HOOK_INIT(cred_prepare
, selinux_cred_prepare
),
6321 LSM_HOOK_INIT(cred_transfer
, selinux_cred_transfer
),
6322 LSM_HOOK_INIT(kernel_act_as
, selinux_kernel_act_as
),
6323 LSM_HOOK_INIT(kernel_create_files_as
, selinux_kernel_create_files_as
),
6324 LSM_HOOK_INIT(kernel_module_request
, selinux_kernel_module_request
),
6325 LSM_HOOK_INIT(kernel_read_file
, selinux_kernel_read_file
),
6326 LSM_HOOK_INIT(task_setpgid
, selinux_task_setpgid
),
6327 LSM_HOOK_INIT(task_getpgid
, selinux_task_getpgid
),
6328 LSM_HOOK_INIT(task_getsid
, selinux_task_getsid
),
6329 LSM_HOOK_INIT(task_getsecid
, selinux_task_getsecid
),
6330 LSM_HOOK_INIT(task_setnice
, selinux_task_setnice
),
6331 LSM_HOOK_INIT(task_setioprio
, selinux_task_setioprio
),
6332 LSM_HOOK_INIT(task_getioprio
, selinux_task_getioprio
),
6333 LSM_HOOK_INIT(task_prlimit
, selinux_task_prlimit
),
6334 LSM_HOOK_INIT(task_setrlimit
, selinux_task_setrlimit
),
6335 LSM_HOOK_INIT(task_setscheduler
, selinux_task_setscheduler
),
6336 LSM_HOOK_INIT(task_getscheduler
, selinux_task_getscheduler
),
6337 LSM_HOOK_INIT(task_movememory
, selinux_task_movememory
),
6338 LSM_HOOK_INIT(task_kill
, selinux_task_kill
),
6339 LSM_HOOK_INIT(task_to_inode
, selinux_task_to_inode
),
6341 LSM_HOOK_INIT(ipc_permission
, selinux_ipc_permission
),
6342 LSM_HOOK_INIT(ipc_getsecid
, selinux_ipc_getsecid
),
6344 LSM_HOOK_INIT(msg_msg_alloc_security
, selinux_msg_msg_alloc_security
),
6346 LSM_HOOK_INIT(msg_queue_alloc_security
,
6347 selinux_msg_queue_alloc_security
),
6348 LSM_HOOK_INIT(msg_queue_associate
, selinux_msg_queue_associate
),
6349 LSM_HOOK_INIT(msg_queue_msgctl
, selinux_msg_queue_msgctl
),
6350 LSM_HOOK_INIT(msg_queue_msgsnd
, selinux_msg_queue_msgsnd
),
6351 LSM_HOOK_INIT(msg_queue_msgrcv
, selinux_msg_queue_msgrcv
),
6353 LSM_HOOK_INIT(shm_alloc_security
, selinux_shm_alloc_security
),
6354 LSM_HOOK_INIT(shm_associate
, selinux_shm_associate
),
6355 LSM_HOOK_INIT(shm_shmctl
, selinux_shm_shmctl
),
6356 LSM_HOOK_INIT(shm_shmat
, selinux_shm_shmat
),
6358 LSM_HOOK_INIT(sem_alloc_security
, selinux_sem_alloc_security
),
6359 LSM_HOOK_INIT(sem_associate
, selinux_sem_associate
),
6360 LSM_HOOK_INIT(sem_semctl
, selinux_sem_semctl
),
6361 LSM_HOOK_INIT(sem_semop
, selinux_sem_semop
),
6363 LSM_HOOK_INIT(d_instantiate
, selinux_d_instantiate
),
6365 LSM_HOOK_INIT(getprocattr
, selinux_getprocattr
),
6366 LSM_HOOK_INIT(setprocattr
, selinux_setprocattr
),
6368 LSM_HOOK_INIT(ismaclabel
, selinux_ismaclabel
),
6369 LSM_HOOK_INIT(secid_to_secctx
, selinux_secid_to_secctx
),
6370 LSM_HOOK_INIT(secctx_to_secid
, selinux_secctx_to_secid
),
6371 LSM_HOOK_INIT(release_secctx
, selinux_release_secctx
),
6372 LSM_HOOK_INIT(inode_invalidate_secctx
, selinux_inode_invalidate_secctx
),
6373 LSM_HOOK_INIT(inode_notifysecctx
, selinux_inode_notifysecctx
),
6374 LSM_HOOK_INIT(inode_setsecctx
, selinux_inode_setsecctx
),
6375 LSM_HOOK_INIT(inode_getsecctx
, selinux_inode_getsecctx
),
6377 LSM_HOOK_INIT(unix_stream_connect
, selinux_socket_unix_stream_connect
),
6378 LSM_HOOK_INIT(unix_may_send
, selinux_socket_unix_may_send
),
6380 LSM_HOOK_INIT(socket_create
, selinux_socket_create
),
6381 LSM_HOOK_INIT(socket_post_create
, selinux_socket_post_create
),
6382 LSM_HOOK_INIT(socket_bind
, selinux_socket_bind
),
6383 LSM_HOOK_INIT(socket_connect
, selinux_socket_connect
),
6384 LSM_HOOK_INIT(socket_listen
, selinux_socket_listen
),
6385 LSM_HOOK_INIT(socket_accept
, selinux_socket_accept
),
6386 LSM_HOOK_INIT(socket_sendmsg
, selinux_socket_sendmsg
),
6387 LSM_HOOK_INIT(socket_recvmsg
, selinux_socket_recvmsg
),
6388 LSM_HOOK_INIT(socket_getsockname
, selinux_socket_getsockname
),
6389 LSM_HOOK_INIT(socket_getpeername
, selinux_socket_getpeername
),
6390 LSM_HOOK_INIT(socket_getsockopt
, selinux_socket_getsockopt
),
6391 LSM_HOOK_INIT(socket_setsockopt
, selinux_socket_setsockopt
),
6392 LSM_HOOK_INIT(socket_shutdown
, selinux_socket_shutdown
),
6393 LSM_HOOK_INIT(socket_sock_rcv_skb
, selinux_socket_sock_rcv_skb
),
6394 LSM_HOOK_INIT(socket_getpeersec_stream
,
6395 selinux_socket_getpeersec_stream
),
6396 LSM_HOOK_INIT(socket_getpeersec_dgram
, selinux_socket_getpeersec_dgram
),
6397 LSM_HOOK_INIT(sk_alloc_security
, selinux_sk_alloc_security
),
6398 LSM_HOOK_INIT(sk_free_security
, selinux_sk_free_security
),
6399 LSM_HOOK_INIT(sk_clone_security
, selinux_sk_clone_security
),
6400 LSM_HOOK_INIT(sk_getsecid
, selinux_sk_getsecid
),
6401 LSM_HOOK_INIT(sock_graft
, selinux_sock_graft
),
6402 LSM_HOOK_INIT(inet_conn_request
, selinux_inet_conn_request
),
6403 LSM_HOOK_INIT(inet_csk_clone
, selinux_inet_csk_clone
),
6404 LSM_HOOK_INIT(inet_conn_established
, selinux_inet_conn_established
),
6405 LSM_HOOK_INIT(secmark_relabel_packet
, selinux_secmark_relabel_packet
),
6406 LSM_HOOK_INIT(secmark_refcount_inc
, selinux_secmark_refcount_inc
),
6407 LSM_HOOK_INIT(secmark_refcount_dec
, selinux_secmark_refcount_dec
),
6408 LSM_HOOK_INIT(req_classify_flow
, selinux_req_classify_flow
),
6409 LSM_HOOK_INIT(tun_dev_alloc_security
, selinux_tun_dev_alloc_security
),
6410 LSM_HOOK_INIT(tun_dev_free_security
, selinux_tun_dev_free_security
),
6411 LSM_HOOK_INIT(tun_dev_create
, selinux_tun_dev_create
),
6412 LSM_HOOK_INIT(tun_dev_attach_queue
, selinux_tun_dev_attach_queue
),
6413 LSM_HOOK_INIT(tun_dev_attach
, selinux_tun_dev_attach
),
6414 LSM_HOOK_INIT(tun_dev_open
, selinux_tun_dev_open
),
6415 #ifdef CONFIG_SECURITY_INFINIBAND
6416 LSM_HOOK_INIT(ib_pkey_access
, selinux_ib_pkey_access
),
6417 LSM_HOOK_INIT(ib_endport_manage_subnet
,
6418 selinux_ib_endport_manage_subnet
),
6419 LSM_HOOK_INIT(ib_alloc_security
, selinux_ib_alloc_security
),
6420 LSM_HOOK_INIT(ib_free_security
, selinux_ib_free_security
),
6422 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6423 LSM_HOOK_INIT(xfrm_policy_alloc_security
, selinux_xfrm_policy_alloc
),
6424 LSM_HOOK_INIT(xfrm_policy_clone_security
, selinux_xfrm_policy_clone
),
6425 LSM_HOOK_INIT(xfrm_policy_free_security
, selinux_xfrm_policy_free
),
6426 LSM_HOOK_INIT(xfrm_policy_delete_security
, selinux_xfrm_policy_delete
),
6427 LSM_HOOK_INIT(xfrm_state_alloc
, selinux_xfrm_state_alloc
),
6428 LSM_HOOK_INIT(xfrm_state_alloc_acquire
,
6429 selinux_xfrm_state_alloc_acquire
),
6430 LSM_HOOK_INIT(xfrm_state_free_security
, selinux_xfrm_state_free
),
6431 LSM_HOOK_INIT(xfrm_state_delete_security
, selinux_xfrm_state_delete
),
6432 LSM_HOOK_INIT(xfrm_policy_lookup
, selinux_xfrm_policy_lookup
),
6433 LSM_HOOK_INIT(xfrm_state_pol_flow_match
,
6434 selinux_xfrm_state_pol_flow_match
),
6435 LSM_HOOK_INIT(xfrm_decode_session
, selinux_xfrm_decode_session
),
6439 LSM_HOOK_INIT(key_alloc
, selinux_key_alloc
),
6440 LSM_HOOK_INIT(key_permission
, selinux_key_permission
),
6441 LSM_HOOK_INIT(key_getsecurity
, selinux_key_getsecurity
),
6445 LSM_HOOK_INIT(audit_rule_init
, selinux_audit_rule_init
),
6446 LSM_HOOK_INIT(audit_rule_known
, selinux_audit_rule_known
),
6447 LSM_HOOK_INIT(audit_rule_match
, selinux_audit_rule_match
),
6448 LSM_HOOK_INIT(audit_rule_free
, selinux_audit_rule_free
),
6451 #ifdef CONFIG_BPF_SYSCALL
6452 LSM_HOOK_INIT(bpf
, selinux_bpf
),
6453 LSM_HOOK_INIT(bpf_map
, selinux_bpf_map
),
6454 LSM_HOOK_INIT(bpf_prog
, selinux_bpf_prog
),
6455 LSM_HOOK_INIT(bpf_map_alloc_security
, selinux_bpf_map_alloc
),
6456 LSM_HOOK_INIT(bpf_prog_alloc_security
, selinux_bpf_prog_alloc
),
6457 LSM_HOOK_INIT(bpf_map_free_security
, selinux_bpf_map_free
),
6458 LSM_HOOK_INIT(bpf_prog_free_security
, selinux_bpf_prog_free
),
6462 static __init
int selinux_init(void)
6466 if (!security_module_enable("selinux",
6467 IS_ENABLED(CONFIG_SECURITY_SELINUX_STACKED
))) {
6468 selinux_enabled
= 0;
6473 security_add_blobs(&selinux_blob_sizes
);
6478 if (!selinux_enabled
) {
6479 printk(KERN_INFO
"SELinux: Disabled at boot.\n");
6483 printk(KERN_INFO
"SELinux: Initializing.\n");
6485 /* Set the security state for the initial task. */
6486 cred_init_security();
6488 default_noexec
= !(VM_DATA_DEFAULT_FLAGS
& VM_EXEC
);
6492 security_add_hooks(selinux_hooks
, ARRAY_SIZE(selinux_hooks
), "selinux");
6494 if (avc_add_callback(selinux_netcache_avc_callback
, AVC_CALLBACK_RESET
))
6495 panic("SELinux: Unable to register AVC netcache callback\n");
6497 if (avc_add_callback(selinux_lsm_notifier_avc_callback
, AVC_CALLBACK_RESET
))
6498 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6500 if (selinux_enforcing
)
6501 printk(KERN_DEBUG
"SELinux: Starting in enforcing mode\n");
6503 printk(KERN_DEBUG
"SELinux: Starting in permissive mode\n");
6508 static void delayed_superblock_init(struct super_block
*sb
, void *unused
)
6510 superblock_doinit(sb
, NULL
);
6513 void selinux_complete_init(void)
6515 printk(KERN_DEBUG
"SELinux: Completing initialization.\n");
6517 /* Set up any superblocks initialized prior to the policy load. */
6518 printk(KERN_DEBUG
"SELinux: Setting up existing superblocks.\n");
6519 iterate_supers(delayed_superblock_init
, NULL
);
6522 /* SELinux requires early initialization in order to label
6523 all processes and objects when they are created. */
6524 security_initcall(selinux_init
);
6526 #if defined(CONFIG_NETFILTER)
6528 static const struct nf_hook_ops selinux_nf_ops
[] = {
6530 .hook
= selinux_ipv4_postroute
,
6532 .hooknum
= NF_INET_POST_ROUTING
,
6533 .priority
= NF_IP_PRI_SELINUX_LAST
,
6536 .hook
= selinux_ipv4_forward
,
6538 .hooknum
= NF_INET_FORWARD
,
6539 .priority
= NF_IP_PRI_SELINUX_FIRST
,
6542 .hook
= selinux_ipv4_output
,
6544 .hooknum
= NF_INET_LOCAL_OUT
,
6545 .priority
= NF_IP_PRI_SELINUX_FIRST
,
6547 #if IS_ENABLED(CONFIG_IPV6)
6549 .hook
= selinux_ipv6_postroute
,
6551 .hooknum
= NF_INET_POST_ROUTING
,
6552 .priority
= NF_IP6_PRI_SELINUX_LAST
,
6555 .hook
= selinux_ipv6_forward
,
6557 .hooknum
= NF_INET_FORWARD
,
6558 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
6561 .hook
= selinux_ipv6_output
,
6563 .hooknum
= NF_INET_LOCAL_OUT
,
6564 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
6569 static int __net_init
selinux_nf_register(struct net
*net
)
6571 return nf_register_net_hooks(net
, selinux_nf_ops
,
6572 ARRAY_SIZE(selinux_nf_ops
));
6575 static void __net_exit
selinux_nf_unregister(struct net
*net
)
6577 nf_unregister_net_hooks(net
, selinux_nf_ops
,
6578 ARRAY_SIZE(selinux_nf_ops
));
6581 static struct pernet_operations selinux_net_ops
= {
6582 .init
= selinux_nf_register
,
6583 .exit
= selinux_nf_unregister
,
6586 static int __init
selinux_nf_ip_init(void)
6590 if (!selinux_enabled
)
6593 printk(KERN_DEBUG
"SELinux: Registering netfilter hooks\n");
6595 err
= register_pernet_subsys(&selinux_net_ops
);
6597 panic("SELinux: register_pernet_subsys: error %d\n", err
);
6601 __initcall(selinux_nf_ip_init
);
6603 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6604 static void selinux_nf_ip_exit(void)
6606 printk(KERN_DEBUG
"SELinux: Unregistering netfilter hooks\n");
6608 unregister_pernet_subsys(&selinux_net_ops
);
6612 #else /* CONFIG_NETFILTER */
6614 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6615 #define selinux_nf_ip_exit()
6618 #endif /* CONFIG_NETFILTER */
6620 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6621 static int selinux_disabled
;
6623 int selinux_disable(void)
6625 if (ss_initialized
) {
6626 /* Not permitted after initial policy load. */
6630 if (selinux_disabled
) {
6631 /* Only do this once. */
6635 printk(KERN_INFO
"SELinux: Disabled at runtime.\n");
6637 selinux_disabled
= 1;
6638 selinux_enabled
= 0;
6640 security_delete_hooks(selinux_hooks
, ARRAY_SIZE(selinux_hooks
));
6642 /* Try to destroy the avc node cache */
6645 /* Unregister netfilter hooks. */
6646 selinux_nf_ip_exit();
6648 /* Unregister selinuxfs. */