]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - security/selinux/hooks.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:


b6e4029021ac93e08ca6b246f0caad35f5a7161f
[mirror_ubuntu-bionic-kernel.git] / security / selinux / hooks.c
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89
90 #include "avc.h"
91 #include "objsec.h"
92 #include "netif.h"
93 #include "netnode.h"
94 #include "netport.h"
95 #include "ibpkey.h"
96 #include "xfrm.h"
97 #include "netlabel.h"
98 #include "audit.h"
99 #include "avc_ss.h"
100
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
106
107 static int __init enforcing_setup(char *str)
108 {
109 unsigned long enforcing;
110 if (!kstrtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0;
112 return 1;
113 }
114 __setup("enforcing=", enforcing_setup);
115 #endif
116
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119
120 static int __init selinux_enabled_setup(char *str)
121 {
122 unsigned long enabled;
123 if (!kstrtoul(str, 0, &enabled))
124 selinux_enabled = enabled ? 1 : 0;
125 return 1;
126 }
127 __setup("selinux=", selinux_enabled_setup);
128 #else
129 int selinux_enabled = 1;
130 #endif
131
132 /**
133 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
134 *
135 * Description:
136 * This function checks the SECMARK reference counter to see if any SECMARK
137 * targets are currently configured, if the reference counter is greater than
138 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
139 * enabled, false (0) if SECMARK is disabled. If the always_check_network
140 * policy capability is enabled, SECMARK is always considered enabled.
141 *
142 */
143 static int selinux_secmark_enabled(void)
144 {
145 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
146 }
147
148 /**
149 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
150 *
151 * Description:
152 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
153 * (1) if any are enabled or false (0) if neither are enabled. If the
154 * always_check_network policy capability is enabled, peer labeling
155 * is always considered enabled.
156 *
157 */
158 static int selinux_peerlbl_enabled(void)
159 {
160 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
161 }
162
163 static int selinux_netcache_avc_callback(u32 event)
164 {
165 if (event == AVC_CALLBACK_RESET) {
166 sel_netif_flush();
167 sel_netnode_flush();
168 sel_netport_flush();
169 synchronize_net();
170 }
171 return 0;
172 }
173
174 static int selinux_lsm_notifier_avc_callback(u32 event)
175 {
176 if (event == AVC_CALLBACK_RESET) {
177 sel_ib_pkey_flush();
178 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
179 }
180
181 return 0;
182 }
183
184 /*
185 * initialise the security for the init task
186 */
187 static void cred_init_security(void)
188 {
189 struct cred *cred = (struct cred *) current->real_cred;
190 struct task_security_struct *tsec;
191
192 lsm_early_cred(cred);
193 tsec = selinux_cred(cred);
194 tsec->osid = tsec->sid = SECINITSID_KERNEL;
195 }
196
197 /*
198 * get the security ID of a set of credentials
199 */
200 static inline u32 cred_sid(const struct cred *cred)
201 {
202 const struct task_security_struct *tsec;
203
204 tsec = selinux_cred(cred);
205 return tsec->sid;
206 }
207
208 /*
209 * get the objective security ID of a task
210 */
211 static inline u32 task_sid(const struct task_struct *task)
212 {
213 u32 sid;
214
215 rcu_read_lock();
216 sid = cred_sid(__task_cred(task));
217 rcu_read_unlock();
218 return sid;
219 }
220
221 /* Allocate and free functions for each kind of security blob. */
222
223 static int inode_alloc_security(struct inode *inode)
224 {
225 struct inode_security_struct *isec = selinux_inode(inode);
226 u32 sid = current_sid();
227
228 spin_lock_init(&isec->lock);
229 INIT_LIST_HEAD(&isec->list);
230 isec->inode = inode;
231 isec->sid = SECINITSID_UNLABELED;
232 isec->sclass = SECCLASS_FILE;
233 isec->task_sid = sid;
234 isec->initialized = LABEL_INVALID;
235
236 return 0;
237 }
238
239 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
240
241 /*
242 * Try reloading inode security labels that have been marked as invalid. The
243 * @may_sleep parameter indicates when sleeping and thus reloading labels is
244 * allowed; when set to false, returns -ECHILD when the label is
245 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
246 * when no dentry is available, set it to NULL instead.
247 */
248 static int __inode_security_revalidate(struct inode *inode,
249 struct dentry *opt_dentry,
250 bool may_sleep)
251 {
252 struct inode_security_struct *isec = selinux_inode(inode);
253
254 might_sleep_if(may_sleep);
255
256 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
257 if (!may_sleep)
258 return -ECHILD;
259
260 /*
261 * Try reloading the inode security label. This will fail if
262 * @opt_dentry is NULL and no dentry for this inode can be
263 * found; in that case, continue using the old label.
264 */
265 inode_doinit_with_dentry(inode, opt_dentry);
266 }
267 return 0;
268 }
269
270 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
271 {
272 return selinux_inode(inode);
273 }
274
275 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
276 {
277 int error;
278
279 error = __inode_security_revalidate(inode, NULL, !rcu);
280 if (error)
281 return ERR_PTR(error);
282 return selinux_inode(inode);
283 }
284
285 /*
286 * Get the security label of an inode.
287 */
288 static struct inode_security_struct *inode_security(struct inode *inode)
289 {
290 __inode_security_revalidate(inode, NULL, true);
291 return selinux_inode(inode);
292 }
293
294 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
295 {
296 struct inode *inode = d_backing_inode(dentry);
297
298 return selinux_inode(inode);
299 }
300
301 /*
302 * Get the security label of a dentry's backing inode.
303 */
304 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
305 {
306 struct inode *inode = d_backing_inode(dentry);
307
308 __inode_security_revalidate(inode, dentry, true);
309 return selinux_inode(inode);
310 }
311
312 static void inode_free_security(struct inode *inode)
313 {
314 struct inode_security_struct *isec = selinux_inode(inode);
315 struct superblock_security_struct *sbsec =
316 selinux_superblock(inode->i_sb);
317
318 /*
319 * As not all inode security structures are in a list, we check for
320 * empty list outside of the lock to make sure that we won't waste
321 * time taking a lock doing nothing.
322 *
323 * The list_del_init() function can be safely called more than once.
324 * It should not be possible for this function to be called with
325 * concurrent list_add(), but for better safety against future changes
326 * in the code, we use list_empty_careful() here.
327 */
328 if (!list_empty_careful(&isec->list)) {
329 spin_lock(&sbsec->isec_lock);
330 list_del_init(&isec->list);
331 spin_unlock(&sbsec->isec_lock);
332 }
333 }
334
335 static int file_alloc_security(struct file *file)
336 {
337 struct file_security_struct *fsec = selinux_file(file);
338 u32 sid = current_sid();
339
340 fsec->sid = sid;
341 fsec->fown_sid = sid;
342
343 return 0;
344 }
345
346 static int superblock_alloc_security(struct super_block *sb)
347 {
348 struct superblock_security_struct *sbsec = selinux_superblock(sb);
349
350 mutex_init(&sbsec->lock);
351 INIT_LIST_HEAD(&sbsec->isec_head);
352 spin_lock_init(&sbsec->isec_lock);
353 sbsec->sb = sb;
354 sbsec->sid = SECINITSID_UNLABELED;
355 sbsec->def_sid = SECINITSID_FILE;
356 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
357
358 return 0;
359 }
360
361 static inline int inode_doinit(struct inode *inode)
362 {
363 return inode_doinit_with_dentry(inode, NULL);
364 }
365
366 enum {
367 Opt_error = -1,
368 Opt_context = 1,
369 Opt_fscontext = 2,
370 Opt_defcontext = 3,
371 Opt_rootcontext = 4,
372 Opt_labelsupport = 5,
373 Opt_nextmntopt = 6,
374 };
375
376 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
377
378 static const match_table_t tokens = {
379 {Opt_context, CONTEXT_STR "%s"},
380 {Opt_fscontext, FSCONTEXT_STR "%s"},
381 {Opt_defcontext, DEFCONTEXT_STR "%s"},
382 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
383 {Opt_labelsupport, LABELSUPP_STR},
384 {Opt_error, NULL},
385 };
386
387 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
388
389 static int may_context_mount_sb_relabel(u32 sid,
390 struct superblock_security_struct *sbsec,
391 const struct cred *cred)
392 {
393 const struct task_security_struct *tsec = selinux_cred(cred);
394 int rc;
395
396 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
397 FILESYSTEM__RELABELFROM, NULL);
398 if (rc)
399 return rc;
400
401 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
402 FILESYSTEM__RELABELTO, NULL);
403 return rc;
404 }
405
406 static int may_context_mount_inode_relabel(u32 sid,
407 struct superblock_security_struct *sbsec,
408 const struct cred *cred)
409 {
410 const struct task_security_struct *tsec = selinux_cred(cred);
411 int rc;
412 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
413 FILESYSTEM__RELABELFROM, NULL);
414 if (rc)
415 return rc;
416
417 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
418 FILESYSTEM__ASSOCIATE, NULL);
419 return rc;
420 }
421
422 static int selinux_is_sblabel_mnt(struct super_block *sb)
423 {
424 struct superblock_security_struct *sbsec = selinux_superblock(sb);
425
426 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
427 sbsec->behavior == SECURITY_FS_USE_TRANS ||
428 sbsec->behavior == SECURITY_FS_USE_TASK ||
429 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
430 /* Special handling. Genfs but also in-core setxattr handler */
431 !strcmp(sb->s_type->name, "sysfs") ||
432 !strcmp(sb->s_type->name, "pstore") ||
433 !strcmp(sb->s_type->name, "debugfs") ||
434 !strcmp(sb->s_type->name, "tracefs") ||
435 !strcmp(sb->s_type->name, "rootfs") ||
436 (selinux_policycap_cgroupseclabel &&
437 (!strcmp(sb->s_type->name, "cgroup") ||
438 !strcmp(sb->s_type->name, "cgroup2")));
439 }
440
441 static int sb_finish_set_opts(struct super_block *sb)
442 {
443 struct superblock_security_struct *sbsec = selinux_superblock(sb);
444 struct dentry *root = sb->s_root;
445 struct inode *root_inode = d_backing_inode(root);
446 int rc = 0;
447
448 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
449 /* Make sure that the xattr handler exists and that no
450 error other than -ENODATA is returned by getxattr on
451 the root directory. -ENODATA is ok, as this may be
452 the first boot of the SELinux kernel before we have
453 assigned xattr values to the filesystem. */
454 if (!(root_inode->i_opflags & IOP_XATTR)) {
455 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
456 "xattr support\n", sb->s_id, sb->s_type->name);
457 rc = -EOPNOTSUPP;
458 goto out;
459 }
460
461 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
462 if (rc < 0 && rc != -ENODATA) {
463 if (rc == -EOPNOTSUPP)
464 printk(KERN_WARNING "SELinux: (dev %s, type "
465 "%s) has no security xattr handler\n",
466 sb->s_id, sb->s_type->name);
467 else
468 printk(KERN_WARNING "SELinux: (dev %s, type "
469 "%s) getxattr errno %d\n", sb->s_id,
470 sb->s_type->name, -rc);
471 goto out;
472 }
473 }
474
475 sbsec->flags |= SE_SBINITIALIZED;
476
477 /*
478 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
479 * leave the flag untouched because sb_clone_mnt_opts might be handing
480 * us a superblock that needs the flag to be cleared.
481 */
482 if (selinux_is_sblabel_mnt(sb))
483 sbsec->flags |= SBLABEL_MNT;
484 else
485 sbsec->flags &= ~SBLABEL_MNT;
486
487 /* Initialize the root inode. */
488 rc = inode_doinit_with_dentry(root_inode, root);
489
490 /* Initialize any other inodes associated with the superblock, e.g.
491 inodes created prior to initial policy load or inodes created
492 during get_sb by a pseudo filesystem that directly
493 populates itself. */
494 spin_lock(&sbsec->isec_lock);
495 next_inode:
496 if (!list_empty(&sbsec->isec_head)) {
497 struct inode_security_struct *isec =
498 list_entry(sbsec->isec_head.next,
499 struct inode_security_struct, list);
500 struct inode *inode = isec->inode;
501 list_del_init(&isec->list);
502 spin_unlock(&sbsec->isec_lock);
503 inode = igrab(inode);
504 if (inode) {
505 if (!IS_PRIVATE(inode))
506 inode_doinit(inode);
507 iput(inode);
508 }
509 spin_lock(&sbsec->isec_lock);
510 goto next_inode;
511 }
512 spin_unlock(&sbsec->isec_lock);
513 out:
514 return rc;
515 }
516
517 /*
518 * This function should allow an FS to ask what it's mount security
519 * options were so it can use those later for submounts, displaying
520 * mount options, or whatever.
521 */
522 static int selinux_get_mnt_opts(const struct super_block *sb,
523 struct security_mnt_opts *opts)
524 {
525 int rc = 0, i;
526 struct superblock_security_struct *sbsec = selinux_superblock(sb);
527 char *context = NULL;
528 u32 len;
529 char tmp;
530
531 security_init_mnt_opts(opts);
532
533 if (!(sbsec->flags & SE_SBINITIALIZED))
534 return -EINVAL;
535
536 if (!ss_initialized)
537 return -EINVAL;
538
539 /* make sure we always check enough bits to cover the mask */
540 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
541
542 tmp = sbsec->flags & SE_MNTMASK;
543 /* count the number of mount options for this sb */
544 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
545 if (tmp & 0x01)
546 opts->num_mnt_opts++;
547 tmp >>= 1;
548 }
549 /* Check if the Label support flag is set */
550 if (sbsec->flags & SBLABEL_MNT)
551 opts->num_mnt_opts++;
552
553 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
554 if (!opts->mnt_opts) {
555 rc = -ENOMEM;
556 goto out_free;
557 }
558
559 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
560 if (!opts->mnt_opts_flags) {
561 rc = -ENOMEM;
562 goto out_free;
563 }
564
565 i = 0;
566 if (sbsec->flags & FSCONTEXT_MNT) {
567 rc = security_sid_to_context(sbsec->sid, &context, &len);
568 if (rc)
569 goto out_free;
570 opts->mnt_opts[i] = context;
571 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
572 }
573 if (sbsec->flags & CONTEXT_MNT) {
574 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
575 if (rc)
576 goto out_free;
577 opts->mnt_opts[i] = context;
578 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
579 }
580 if (sbsec->flags & DEFCONTEXT_MNT) {
581 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
582 if (rc)
583 goto out_free;
584 opts->mnt_opts[i] = context;
585 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
586 }
587 if (sbsec->flags & ROOTCONTEXT_MNT) {
588 struct dentry *root = sbsec->sb->s_root;
589 struct inode_security_struct *isec =
590 backing_inode_security(root);
591
592 rc = security_sid_to_context(isec->sid, &context, &len);
593 if (rc)
594 goto out_free;
595 opts->mnt_opts[i] = context;
596 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
597 }
598 if (sbsec->flags & SBLABEL_MNT) {
599 opts->mnt_opts[i] = NULL;
600 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
601 }
602
603 BUG_ON(i != opts->num_mnt_opts);
604
605 return 0;
606
607 out_free:
608 security_free_mnt_opts(opts);
609 return rc;
610 }
611
612 static int bad_option(struct superblock_security_struct *sbsec, char flag,
613 u32 old_sid, u32 new_sid)
614 {
615 char mnt_flags = sbsec->flags & SE_MNTMASK;
616
617 /* check if the old mount command had the same options */
618 if (sbsec->flags & SE_SBINITIALIZED)
619 if (!(sbsec->flags & flag) ||
620 (old_sid != new_sid))
621 return 1;
622
623 /* check if we were passed the same options twice,
624 * aka someone passed context=a,context=b
625 */
626 if (!(sbsec->flags & SE_SBINITIALIZED))
627 if (mnt_flags & flag)
628 return 1;
629 return 0;
630 }
631
632 /*
633 * Allow filesystems with binary mount data to explicitly set mount point
634 * labeling information.
635 */
636 static int selinux_set_mnt_opts(struct super_block *sb,
637 struct security_mnt_opts *opts,
638 unsigned long kern_flags,
639 unsigned long *set_kern_flags)
640 {
641 const struct cred *cred = current_cred();
642 int rc = 0, i;
643 struct superblock_security_struct *sbsec = selinux_superblock(sb);
644 const char *name = sb->s_type->name;
645 struct dentry *root = sbsec->sb->s_root;
646 struct inode_security_struct *root_isec;
647 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
648 u32 defcontext_sid = 0;
649 char **mount_options = opts->mnt_opts;
650 int *flags = opts->mnt_opts_flags;
651 int num_opts = opts->num_mnt_opts;
652
653 mutex_lock(&sbsec->lock);
654
655 if (!ss_initialized) {
656 if (!num_opts) {
657 /* Defer initialization until selinux_complete_init,
658 after the initial policy is loaded and the security
659 server is ready to handle calls. */
660 goto out;
661 }
662 rc = -EINVAL;
663 printk(KERN_WARNING "SELinux: Unable to set superblock options "
664 "before the security server is initialized\n");
665 goto out;
666 }
667 if (kern_flags && !set_kern_flags) {
668 /* Specifying internal flags without providing a place to
669 * place the results is not allowed */
670 rc = -EINVAL;
671 goto out;
672 }
673
674 /*
675 * Binary mount data FS will come through this function twice. Once
676 * from an explicit call and once from the generic calls from the vfs.
677 * Since the generic VFS calls will not contain any security mount data
678 * we need to skip the double mount verification.
679 *
680 * This does open a hole in which we will not notice if the first
681 * mount using this sb set explict options and a second mount using
682 * this sb does not set any security options. (The first options
683 * will be used for both mounts)
684 */
685 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
686 && (num_opts == 0))
687 goto out;
688
689 root_isec = backing_inode_security_novalidate(root);
690
691 /*
692 * parse the mount options, check if they are valid sids.
693 * also check if someone is trying to mount the same sb more
694 * than once with different security options.
695 */
696 for (i = 0; i < num_opts; i++) {
697 u32 sid;
698
699 if (flags[i] == SBLABEL_MNT)
700 continue;
701 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
702 if (rc) {
703 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
704 "(%s) failed for (dev %s, type %s) errno=%d\n",
705 mount_options[i], sb->s_id, name, rc);
706 goto out;
707 }
708 switch (flags[i]) {
709 case FSCONTEXT_MNT:
710 fscontext_sid = sid;
711
712 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
713 fscontext_sid))
714 goto out_double_mount;
715
716 sbsec->flags |= FSCONTEXT_MNT;
717 break;
718 case CONTEXT_MNT:
719 context_sid = sid;
720
721 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
722 context_sid))
723 goto out_double_mount;
724
725 sbsec->flags |= CONTEXT_MNT;
726 break;
727 case ROOTCONTEXT_MNT:
728 rootcontext_sid = sid;
729
730 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
731 rootcontext_sid))
732 goto out_double_mount;
733
734 sbsec->flags |= ROOTCONTEXT_MNT;
735
736 break;
737 case DEFCONTEXT_MNT:
738 defcontext_sid = sid;
739
740 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
741 defcontext_sid))
742 goto out_double_mount;
743
744 sbsec->flags |= DEFCONTEXT_MNT;
745
746 break;
747 default:
748 rc = -EINVAL;
749 goto out;
750 }
751 }
752
753 if (sbsec->flags & SE_SBINITIALIZED) {
754 /* previously mounted with options, but not on this attempt? */
755 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
756 goto out_double_mount;
757 rc = 0;
758 goto out;
759 }
760
761 if (strcmp(sb->s_type->name, "proc") == 0)
762 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
763
764 if (!strcmp(sb->s_type->name, "debugfs") ||
765 !strcmp(sb->s_type->name, "tracefs") ||
766 !strcmp(sb->s_type->name, "sysfs") ||
767 !strcmp(sb->s_type->name, "pstore") ||
768 !strcmp(sb->s_type->name, "cgroup") ||
769 !strcmp(sb->s_type->name, "cgroup2"))
770 sbsec->flags |= SE_SBGENFS;
771
772 if (!sbsec->behavior) {
773 /*
774 * Determine the labeling behavior to use for this
775 * filesystem type.
776 */
777 rc = security_fs_use(sb);
778 if (rc) {
779 printk(KERN_WARNING
780 "%s: security_fs_use(%s) returned %d\n",
781 __func__, sb->s_type->name, rc);
782 goto out;
783 }
784 }
785
786 /*
787 * If this is a user namespace mount and the filesystem type is not
788 * explicitly whitelisted, then no contexts are allowed on the command
789 * line and security labels must be ignored.
790 */
791 if (sb->s_user_ns != &init_user_ns &&
792 strcmp(sb->s_type->name, "tmpfs") &&
793 strcmp(sb->s_type->name, "ramfs") &&
794 strcmp(sb->s_type->name, "devpts")) {
795 if (context_sid || fscontext_sid || rootcontext_sid ||
796 defcontext_sid) {
797 rc = -EACCES;
798 goto out;
799 }
800 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
801 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
802 rc = security_transition_sid(current_sid(), current_sid(),
803 SECCLASS_FILE, NULL,
804 &sbsec->mntpoint_sid);
805 if (rc)
806 goto out;
807 }
808 goto out_set_opts;
809 }
810
811 /* sets the context of the superblock for the fs being mounted. */
812 if (fscontext_sid) {
813 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
814 if (rc)
815 goto out;
816
817 sbsec->sid = fscontext_sid;
818 }
819
820 /*
821 * Switch to using mount point labeling behavior.
822 * sets the label used on all file below the mountpoint, and will set
823 * the superblock context if not already set.
824 */
825 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
826 sbsec->behavior = SECURITY_FS_USE_NATIVE;
827 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
828 }
829
830 if (context_sid) {
831 if (!fscontext_sid) {
832 rc = may_context_mount_sb_relabel(context_sid, sbsec,
833 cred);
834 if (rc)
835 goto out;
836 sbsec->sid = context_sid;
837 } else {
838 rc = may_context_mount_inode_relabel(context_sid, sbsec,
839 cred);
840 if (rc)
841 goto out;
842 }
843 if (!rootcontext_sid)
844 rootcontext_sid = context_sid;
845
846 sbsec->mntpoint_sid = context_sid;
847 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
848 }
849
850 if (rootcontext_sid) {
851 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
852 cred);
853 if (rc)
854 goto out;
855
856 root_isec->sid = rootcontext_sid;
857 root_isec->initialized = LABEL_INITIALIZED;
858 }
859
860 if (defcontext_sid) {
861 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
862 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
863 rc = -EINVAL;
864 printk(KERN_WARNING "SELinux: defcontext option is "
865 "invalid for this filesystem type\n");
866 goto out;
867 }
868
869 if (defcontext_sid != sbsec->def_sid) {
870 rc = may_context_mount_inode_relabel(defcontext_sid,
871 sbsec, cred);
872 if (rc)
873 goto out;
874 }
875
876 sbsec->def_sid = defcontext_sid;
877 }
878
879 out_set_opts:
880 rc = sb_finish_set_opts(sb);
881 out:
882 mutex_unlock(&sbsec->lock);
883 return rc;
884 out_double_mount:
885 rc = -EINVAL;
886 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
887 "security settings for (dev %s, type %s)\n", sb->s_id, name);
888 goto out;
889 }
890
891 static int selinux_cmp_sb_context(const struct super_block *oldsb,
892 const struct super_block *newsb)
893 {
894 struct superblock_security_struct *old = selinux_superblock(oldsb);
895 struct superblock_security_struct *new = selinux_superblock(newsb);
896 char oldflags = old->flags & SE_MNTMASK;
897 char newflags = new->flags & SE_MNTMASK;
898
899 if (oldflags != newflags)
900 goto mismatch;
901 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
902 goto mismatch;
903 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
904 goto mismatch;
905 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
906 goto mismatch;
907 if (oldflags & ROOTCONTEXT_MNT) {
908 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
909 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
910 if (oldroot->sid != newroot->sid)
911 goto mismatch;
912 }
913 return 0;
914 mismatch:
915 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
916 "different security settings for (dev %s, "
917 "type %s)\n", newsb->s_id, newsb->s_type->name);
918 return -EBUSY;
919 }
920
921 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
922 struct super_block *newsb,
923 unsigned long kern_flags,
924 unsigned long *set_kern_flags)
925 {
926 int rc = 0;
927 const struct superblock_security_struct *oldsbsec =
928 selinux_superblock(oldsb);
929 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
930
931 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
932 int set_context = (oldsbsec->flags & CONTEXT_MNT);
933 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
934
935 /*
936 * if the parent was able to be mounted it clearly had no special lsm
937 * mount options. thus we can safely deal with this superblock later
938 */
939 if (!ss_initialized)
940 return 0;
941
942 /*
943 * Specifying internal flags without providing a place to
944 * place the results is not allowed.
945 */
946 if (kern_flags && !set_kern_flags)
947 return -EINVAL;
948
949 /* how can we clone if the old one wasn't set up?? */
950 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
951
952 /* if fs is reusing a sb, make sure that the contexts match */
953 if (newsbsec->flags & SE_SBINITIALIZED)
954 return selinux_cmp_sb_context(oldsb, newsb);
955
956 mutex_lock(&newsbsec->lock);
957
958 newsbsec->flags = oldsbsec->flags;
959
960 newsbsec->sid = oldsbsec->sid;
961 newsbsec->def_sid = oldsbsec->def_sid;
962 newsbsec->behavior = oldsbsec->behavior;
963
964 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
965 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
966 rc = security_fs_use(newsb);
967 if (rc)
968 goto out;
969 }
970
971 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
972 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
973 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
974 }
975
976 if (set_context) {
977 u32 sid = oldsbsec->mntpoint_sid;
978
979 if (!set_fscontext)
980 newsbsec->sid = sid;
981 if (!set_rootcontext) {
982 struct inode_security_struct *newisec =
983 backing_inode_security(newsb->s_root);
984 newisec->sid = sid;
985 }
986 newsbsec->mntpoint_sid = sid;
987 }
988 if (set_rootcontext) {
989 const struct inode_security_struct *oldisec =
990 backing_inode_security(oldsb->s_root);
991 struct inode_security_struct *newisec =
992 backing_inode_security(newsb->s_root);
993
994 newisec->sid = oldisec->sid;
995 }
996
997 sb_finish_set_opts(newsb);
998 out:
999 mutex_unlock(&newsbsec->lock);
1000 return rc;
1001 }
1002
1003 static int selinux_parse_opts_str(char *options,
1004 struct security_mnt_opts *opts)
1005 {
1006 char *p;
1007 char *context = NULL, *defcontext = NULL;
1008 char *fscontext = NULL, *rootcontext = NULL;
1009 int rc, num_mnt_opts = 0;
1010
1011 opts->num_mnt_opts = 0;
1012
1013 /* Standard string-based options. */
1014 while ((p = strsep(&options, "|")) != NULL) {
1015 int token;
1016 substring_t args[MAX_OPT_ARGS];
1017
1018 if (!*p)
1019 continue;
1020
1021 token = match_token(p, tokens, args);
1022
1023 switch (token) {
1024 case Opt_context:
1025 if (context || defcontext) {
1026 rc = -EINVAL;
1027 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1028 goto out_err;
1029 }
1030 context = match_strdup(&args[0]);
1031 if (!context) {
1032 rc = -ENOMEM;
1033 goto out_err;
1034 }
1035 break;
1036
1037 case Opt_fscontext:
1038 if (fscontext) {
1039 rc = -EINVAL;
1040 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1041 goto out_err;
1042 }
1043 fscontext = match_strdup(&args[0]);
1044 if (!fscontext) {
1045 rc = -ENOMEM;
1046 goto out_err;
1047 }
1048 break;
1049
1050 case Opt_rootcontext:
1051 if (rootcontext) {
1052 rc = -EINVAL;
1053 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1054 goto out_err;
1055 }
1056 rootcontext = match_strdup(&args[0]);
1057 if (!rootcontext) {
1058 rc = -ENOMEM;
1059 goto out_err;
1060 }
1061 break;
1062
1063 case Opt_defcontext:
1064 if (context || defcontext) {
1065 rc = -EINVAL;
1066 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1067 goto out_err;
1068 }
1069 defcontext = match_strdup(&args[0]);
1070 if (!defcontext) {
1071 rc = -ENOMEM;
1072 goto out_err;
1073 }
1074 break;
1075 case Opt_labelsupport:
1076 break;
1077 default:
1078 rc = -EINVAL;
1079 printk(KERN_WARNING "SELinux: unknown mount option\n");
1080 goto out_err;
1081
1082 }
1083 }
1084
1085 rc = -ENOMEM;
1086 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1087 if (!opts->mnt_opts)
1088 goto out_err;
1089
1090 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1091 GFP_KERNEL);
1092 if (!opts->mnt_opts_flags)
1093 goto out_err;
1094
1095 if (fscontext) {
1096 opts->mnt_opts[num_mnt_opts] = fscontext;
1097 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1098 }
1099 if (context) {
1100 opts->mnt_opts[num_mnt_opts] = context;
1101 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1102 }
1103 if (rootcontext) {
1104 opts->mnt_opts[num_mnt_opts] = rootcontext;
1105 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1106 }
1107 if (defcontext) {
1108 opts->mnt_opts[num_mnt_opts] = defcontext;
1109 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1110 }
1111
1112 opts->num_mnt_opts = num_mnt_opts;
1113 return 0;
1114
1115 out_err:
1116 security_free_mnt_opts(opts);
1117 kfree(context);
1118 kfree(defcontext);
1119 kfree(fscontext);
1120 kfree(rootcontext);
1121 return rc;
1122 }
1123 /*
1124 * string mount options parsing and call set the sbsec
1125 */
1126 static int superblock_doinit(struct super_block *sb, void *data)
1127 {
1128 int rc = 0;
1129 char *options = data;
1130 struct security_mnt_opts opts;
1131
1132 security_init_mnt_opts(&opts);
1133
1134 if (!data)
1135 goto out;
1136
1137 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1138
1139 rc = selinux_parse_opts_str(options, &opts);
1140 if (rc)
1141 goto out_err;
1142
1143 out:
1144 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1145
1146 out_err:
1147 security_free_mnt_opts(&opts);
1148 return rc;
1149 }
1150
1151 static void selinux_write_opts(struct seq_file *m,
1152 struct security_mnt_opts *opts)
1153 {
1154 int i;
1155 char *prefix;
1156
1157 for (i = 0; i < opts->num_mnt_opts; i++) {
1158 char *has_comma;
1159
1160 if (opts->mnt_opts[i])
1161 has_comma = strchr(opts->mnt_opts[i], ',');
1162 else
1163 has_comma = NULL;
1164
1165 switch (opts->mnt_opts_flags[i]) {
1166 case CONTEXT_MNT:
1167 prefix = CONTEXT_STR;
1168 break;
1169 case FSCONTEXT_MNT:
1170 prefix = FSCONTEXT_STR;
1171 break;
1172 case ROOTCONTEXT_MNT:
1173 prefix = ROOTCONTEXT_STR;
1174 break;
1175 case DEFCONTEXT_MNT:
1176 prefix = DEFCONTEXT_STR;
1177 break;
1178 case SBLABEL_MNT:
1179 seq_putc(m, ',');
1180 seq_puts(m, LABELSUPP_STR);
1181 continue;
1182 default:
1183 BUG();
1184 return;
1185 };
1186 /* we need a comma before each option */
1187 seq_putc(m, ',');
1188 seq_puts(m, prefix);
1189 if (has_comma)
1190 seq_putc(m, '\"');
1191 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1192 if (has_comma)
1193 seq_putc(m, '\"');
1194 }
1195 }
1196
1197 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1198 {
1199 struct security_mnt_opts opts;
1200 int rc;
1201
1202 rc = selinux_get_mnt_opts(sb, &opts);
1203 if (rc) {
1204 /* before policy load we may get EINVAL, don't show anything */
1205 if (rc == -EINVAL)
1206 rc = 0;
1207 return rc;
1208 }
1209
1210 selinux_write_opts(m, &opts);
1211
1212 security_free_mnt_opts(&opts);
1213
1214 return rc;
1215 }
1216
1217 static inline u16 inode_mode_to_security_class(umode_t mode)
1218 {
1219 switch (mode & S_IFMT) {
1220 case S_IFSOCK:
1221 return SECCLASS_SOCK_FILE;
1222 case S_IFLNK:
1223 return SECCLASS_LNK_FILE;
1224 case S_IFREG:
1225 return SECCLASS_FILE;
1226 case S_IFBLK:
1227 return SECCLASS_BLK_FILE;
1228 case S_IFDIR:
1229 return SECCLASS_DIR;
1230 case S_IFCHR:
1231 return SECCLASS_CHR_FILE;
1232 case S_IFIFO:
1233 return SECCLASS_FIFO_FILE;
1234
1235 }
1236
1237 return SECCLASS_FILE;
1238 }
1239
1240 static inline int default_protocol_stream(int protocol)
1241 {
1242 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1243 }
1244
1245 static inline int default_protocol_dgram(int protocol)
1246 {
1247 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1248 }
1249
1250 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1251 {
1252 int extsockclass = selinux_policycap_extsockclass;
1253
1254 switch (family) {
1255 case PF_UNIX:
1256 switch (type) {
1257 case SOCK_STREAM:
1258 case SOCK_SEQPACKET:
1259 return SECCLASS_UNIX_STREAM_SOCKET;
1260 case SOCK_DGRAM:
1261 case SOCK_RAW:
1262 return SECCLASS_UNIX_DGRAM_SOCKET;
1263 }
1264 break;
1265 case PF_INET:
1266 case PF_INET6:
1267 switch (type) {
1268 case SOCK_STREAM:
1269 case SOCK_SEQPACKET:
1270 if (default_protocol_stream(protocol))
1271 return SECCLASS_TCP_SOCKET;
1272 else if (extsockclass && protocol == IPPROTO_SCTP)
1273 return SECCLASS_SCTP_SOCKET;
1274 else
1275 return SECCLASS_RAWIP_SOCKET;
1276 case SOCK_DGRAM:
1277 if (default_protocol_dgram(protocol))
1278 return SECCLASS_UDP_SOCKET;
1279 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1280 protocol == IPPROTO_ICMPV6))
1281 return SECCLASS_ICMP_SOCKET;
1282 else
1283 return SECCLASS_RAWIP_SOCKET;
1284 case SOCK_DCCP:
1285 return SECCLASS_DCCP_SOCKET;
1286 default:
1287 return SECCLASS_RAWIP_SOCKET;
1288 }
1289 break;
1290 case PF_NETLINK:
1291 switch (protocol) {
1292 case NETLINK_ROUTE:
1293 return SECCLASS_NETLINK_ROUTE_SOCKET;
1294 case NETLINK_SOCK_DIAG:
1295 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1296 case NETLINK_NFLOG:
1297 return SECCLASS_NETLINK_NFLOG_SOCKET;
1298 case NETLINK_XFRM:
1299 return SECCLASS_NETLINK_XFRM_SOCKET;
1300 case NETLINK_SELINUX:
1301 return SECCLASS_NETLINK_SELINUX_SOCKET;
1302 case NETLINK_ISCSI:
1303 return SECCLASS_NETLINK_ISCSI_SOCKET;
1304 case NETLINK_AUDIT:
1305 return SECCLASS_NETLINK_AUDIT_SOCKET;
1306 case NETLINK_FIB_LOOKUP:
1307 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1308 case NETLINK_CONNECTOR:
1309 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1310 case NETLINK_NETFILTER:
1311 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1312 case NETLINK_DNRTMSG:
1313 return SECCLASS_NETLINK_DNRT_SOCKET;
1314 case NETLINK_KOBJECT_UEVENT:
1315 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1316 case NETLINK_GENERIC:
1317 return SECCLASS_NETLINK_GENERIC_SOCKET;
1318 case NETLINK_SCSITRANSPORT:
1319 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1320 case NETLINK_RDMA:
1321 return SECCLASS_NETLINK_RDMA_SOCKET;
1322 case NETLINK_CRYPTO:
1323 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1324 default:
1325 return SECCLASS_NETLINK_SOCKET;
1326 }
1327 case PF_PACKET:
1328 return SECCLASS_PACKET_SOCKET;
1329 case PF_KEY:
1330 return SECCLASS_KEY_SOCKET;
1331 case PF_APPLETALK:
1332 return SECCLASS_APPLETALK_SOCKET;
1333 }
1334
1335 if (extsockclass) {
1336 switch (family) {
1337 case PF_AX25:
1338 return SECCLASS_AX25_SOCKET;
1339 case PF_IPX:
1340 return SECCLASS_IPX_SOCKET;
1341 case PF_NETROM:
1342 return SECCLASS_NETROM_SOCKET;
1343 case PF_ATMPVC:
1344 return SECCLASS_ATMPVC_SOCKET;
1345 case PF_X25:
1346 return SECCLASS_X25_SOCKET;
1347 case PF_ROSE:
1348 return SECCLASS_ROSE_SOCKET;
1349 case PF_DECnet:
1350 return SECCLASS_DECNET_SOCKET;
1351 case PF_ATMSVC:
1352 return SECCLASS_ATMSVC_SOCKET;
1353 case PF_RDS:
1354 return SECCLASS_RDS_SOCKET;
1355 case PF_IRDA:
1356 return SECCLASS_IRDA_SOCKET;
1357 case PF_PPPOX:
1358 return SECCLASS_PPPOX_SOCKET;
1359 case PF_LLC:
1360 return SECCLASS_LLC_SOCKET;
1361 case PF_CAN:
1362 return SECCLASS_CAN_SOCKET;
1363 case PF_TIPC:
1364 return SECCLASS_TIPC_SOCKET;
1365 case PF_BLUETOOTH:
1366 return SECCLASS_BLUETOOTH_SOCKET;
1367 case PF_IUCV:
1368 return SECCLASS_IUCV_SOCKET;
1369 case PF_RXRPC:
1370 return SECCLASS_RXRPC_SOCKET;
1371 case PF_ISDN:
1372 return SECCLASS_ISDN_SOCKET;
1373 case PF_PHONET:
1374 return SECCLASS_PHONET_SOCKET;
1375 case PF_IEEE802154:
1376 return SECCLASS_IEEE802154_SOCKET;
1377 case PF_CAIF:
1378 return SECCLASS_CAIF_SOCKET;
1379 case PF_ALG:
1380 return SECCLASS_ALG_SOCKET;
1381 case PF_NFC:
1382 return SECCLASS_NFC_SOCKET;
1383 case PF_VSOCK:
1384 return SECCLASS_VSOCK_SOCKET;
1385 case PF_KCM:
1386 return SECCLASS_KCM_SOCKET;
1387 case PF_QIPCRTR:
1388 return SECCLASS_QIPCRTR_SOCKET;
1389 case PF_SMC:
1390 return SECCLASS_SMC_SOCKET;
1391 #if PF_MAX > 44
1392 #error New address family defined, please update this function.
1393 #endif
1394 }
1395 }
1396
1397 return SECCLASS_SOCKET;
1398 }
1399
1400 static int selinux_genfs_get_sid(struct dentry *dentry,
1401 u16 tclass,
1402 u16 flags,
1403 u32 *sid)
1404 {
1405 int rc;
1406 struct super_block *sb = dentry->d_sb;
1407 char *buffer, *path;
1408
1409 buffer = (char *)__get_free_page(GFP_KERNEL);
1410 if (!buffer)
1411 return -ENOMEM;
1412
1413 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1414 if (IS_ERR(path))
1415 rc = PTR_ERR(path);
1416 else {
1417 if (flags & SE_SBPROC) {
1418 /* each process gets a /proc/PID/ entry. Strip off the
1419 * PID part to get a valid selinux labeling.
1420 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1421 while (path[1] >= '0' && path[1] <= '9') {
1422 path[1] = '/';
1423 path++;
1424 }
1425 }
1426 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1427 }
1428 free_page((unsigned long)buffer);
1429 return rc;
1430 }
1431
1432 /* The inode's security attributes must be initialized before first use. */
1433 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1434 {
1435 struct superblock_security_struct *sbsec = NULL;
1436 struct inode_security_struct *isec = selinux_inode(inode);
1437 u32 task_sid, sid = 0;
1438 u16 sclass;
1439 struct dentry *dentry;
1440 #define INITCONTEXTLEN 255
1441 char *context = NULL;
1442 unsigned len = 0;
1443 int rc = 0;
1444
1445 if (isec->initialized == LABEL_INITIALIZED)
1446 return 0;
1447
1448 spin_lock(&isec->lock);
1449 if (isec->initialized == LABEL_INITIALIZED)
1450 goto out_unlock;
1451
1452 if (isec->sclass == SECCLASS_FILE)
1453 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1454
1455 sbsec = selinux_superblock(inode->i_sb);
1456 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1457 /* Defer initialization until selinux_complete_init,
1458 after the initial policy is loaded and the security
1459 server is ready to handle calls. */
1460 spin_lock(&sbsec->isec_lock);
1461 if (list_empty(&isec->list))
1462 list_add(&isec->list, &sbsec->isec_head);
1463 spin_unlock(&sbsec->isec_lock);
1464 goto out_unlock;
1465 }
1466
1467 sclass = isec->sclass;
1468 task_sid = isec->task_sid;
1469 sid = isec->sid;
1470 isec->initialized = LABEL_PENDING;
1471 spin_unlock(&isec->lock);
1472
1473 switch (sbsec->behavior) {
1474 case SECURITY_FS_USE_NATIVE:
1475 break;
1476 case SECURITY_FS_USE_XATTR:
1477 if (!(inode->i_opflags & IOP_XATTR)) {
1478 sid = sbsec->def_sid;
1479 break;
1480 }
1481 /* Need a dentry, since the xattr API requires one.
1482 Life would be simpler if we could just pass the inode. */
1483 if (opt_dentry) {
1484 /* Called from d_instantiate or d_splice_alias. */
1485 dentry = dget(opt_dentry);
1486 } else {
1487 /*
1488 * Called from selinux_complete_init, try to find a dentry.
1489 * Some filesystems really want a connected one, so try
1490 * that first. We could split SECURITY_FS_USE_XATTR in
1491 * two, depending upon that...
1492 */
1493 dentry = d_find_alias(inode);
1494 if (!dentry)
1495 dentry = d_find_any_alias(inode);
1496 }
1497 if (!dentry) {
1498 /*
1499 * this is can be hit on boot when a file is accessed
1500 * before the policy is loaded. When we load policy we
1501 * may find inodes that have no dentry on the
1502 * sbsec->isec_head list. No reason to complain as these
1503 * will get fixed up the next time we go through
1504 * inode_doinit with a dentry, before these inodes could
1505 * be used again by userspace.
1506 */
1507 goto out;
1508 }
1509
1510 len = INITCONTEXTLEN;
1511 context = kmalloc(len+1, GFP_NOFS);
1512 if (!context) {
1513 rc = -ENOMEM;
1514 dput(dentry);
1515 goto out;
1516 }
1517 context[len] = '\0';
1518 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1519 if (rc == -ERANGE) {
1520 kfree(context);
1521
1522 /* Need a larger buffer. Query for the right size. */
1523 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1524 if (rc < 0) {
1525 dput(dentry);
1526 goto out;
1527 }
1528 len = rc;
1529 context = kmalloc(len+1, GFP_NOFS);
1530 if (!context) {
1531 rc = -ENOMEM;
1532 dput(dentry);
1533 goto out;
1534 }
1535 context[len] = '\0';
1536 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1537 }
1538 dput(dentry);
1539 if (rc < 0) {
1540 if (rc != -ENODATA) {
1541 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1542 "%d for dev=%s ino=%ld\n", __func__,
1543 -rc, inode->i_sb->s_id, inode->i_ino);
1544 kfree(context);
1545 goto out;
1546 }
1547 /* Map ENODATA to the default file SID */
1548 sid = sbsec->def_sid;
1549 rc = 0;
1550 } else {
1551 rc = security_context_to_sid_default(context, rc, &sid,
1552 sbsec->def_sid,
1553 GFP_NOFS);
1554 if (rc) {
1555 char *dev = inode->i_sb->s_id;
1556 unsigned long ino = inode->i_ino;
1557
1558 if (rc == -EINVAL) {
1559 if (printk_ratelimit())
1560 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1561 "context=%s. This indicates you may need to relabel the inode or the "
1562 "filesystem in question.\n", ino, dev, context);
1563 } else {
1564 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1565 "returned %d for dev=%s ino=%ld\n",
1566 __func__, context, -rc, dev, ino);
1567 }
1568 kfree(context);
1569 /* Leave with the unlabeled SID */
1570 rc = 0;
1571 break;
1572 }
1573 }
1574 kfree(context);
1575 break;
1576 case SECURITY_FS_USE_TASK:
1577 sid = task_sid;
1578 break;
1579 case SECURITY_FS_USE_TRANS:
1580 /* Default to the fs SID. */
1581 sid = sbsec->sid;
1582
1583 /* Try to obtain a transition SID. */
1584 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1585 if (rc)
1586 goto out;
1587 break;
1588 case SECURITY_FS_USE_MNTPOINT:
1589 sid = sbsec->mntpoint_sid;
1590 break;
1591 default:
1592 /* Default to the fs superblock SID. */
1593 sid = sbsec->sid;
1594
1595 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1596 /* We must have a dentry to determine the label on
1597 * procfs inodes */
1598 if (opt_dentry) {
1599 /* Called from d_instantiate or
1600 * d_splice_alias. */
1601 dentry = dget(opt_dentry);
1602 } else {
1603 /* Called from selinux_complete_init, try to
1604 * find a dentry. Some filesystems really want
1605 * a connected one, so try that first.
1606 */
1607 dentry = d_find_alias(inode);
1608 if (!dentry)
1609 dentry = d_find_any_alias(inode);
1610 }
1611 /*
1612 * This can be hit on boot when a file is accessed
1613 * before the policy is loaded. When we load policy we
1614 * may find inodes that have no dentry on the
1615 * sbsec->isec_head list. No reason to complain as
1616 * these will get fixed up the next time we go through
1617 * inode_doinit() with a dentry, before these inodes
1618 * could be used again by userspace.
1619 */
1620 if (!dentry)
1621 goto out;
1622 rc = selinux_genfs_get_sid(dentry, sclass,
1623 sbsec->flags, &sid);
1624 dput(dentry);
1625 if (rc)
1626 goto out;
1627 }
1628 break;
1629 }
1630
1631 out:
1632 spin_lock(&isec->lock);
1633 if (isec->initialized == LABEL_PENDING) {
1634 if (!sid || rc) {
1635 isec->initialized = LABEL_INVALID;
1636 goto out_unlock;
1637 }
1638
1639 isec->initialized = LABEL_INITIALIZED;
1640 isec->sid = sid;
1641 }
1642
1643 out_unlock:
1644 spin_unlock(&isec->lock);
1645 return rc;
1646 }
1647
1648 /* Convert a Linux signal to an access vector. */
1649 static inline u32 signal_to_av(int sig)
1650 {
1651 u32 perm = 0;
1652
1653 switch (sig) {
1654 case SIGCHLD:
1655 /* Commonly granted from child to parent. */
1656 perm = PROCESS__SIGCHLD;
1657 break;
1658 case SIGKILL:
1659 /* Cannot be caught or ignored */
1660 perm = PROCESS__SIGKILL;
1661 break;
1662 case SIGSTOP:
1663 /* Cannot be caught or ignored */
1664 perm = PROCESS__SIGSTOP;
1665 break;
1666 default:
1667 /* All other signals. */
1668 perm = PROCESS__SIGNAL;
1669 break;
1670 }
1671
1672 return perm;
1673 }
1674
1675 #if CAP_LAST_CAP > 63
1676 #error Fix SELinux to handle capabilities > 63.
1677 #endif
1678
1679 /* Check whether a task is allowed to use a capability. */
1680 static int cred_has_capability(const struct cred *cred,
1681 int cap, int audit, bool initns)
1682 {
1683 struct common_audit_data ad;
1684 struct av_decision avd;
1685 u16 sclass;
1686 u32 sid = cred_sid(cred);
1687 u32 av = CAP_TO_MASK(cap);
1688 int rc;
1689
1690 ad.type = LSM_AUDIT_DATA_CAP;
1691 ad.u.cap = cap;
1692
1693 switch (CAP_TO_INDEX(cap)) {
1694 case 0:
1695 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1696 break;
1697 case 1:
1698 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1699 break;
1700 default:
1701 printk(KERN_ERR
1702 "SELinux: out of range capability %d\n", cap);
1703 BUG();
1704 return -EINVAL;
1705 }
1706
1707 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1708 if (audit == SECURITY_CAP_AUDIT) {
1709 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1710 if (rc2)
1711 return rc2;
1712 }
1713 return rc;
1714 }
1715
1716 /* Check whether a task has a particular permission to an inode.
1717 The 'adp' parameter is optional and allows other audit
1718 data to be passed (e.g. the dentry). */
1719 static int inode_has_perm(const struct cred *cred,
1720 struct inode *inode,
1721 u32 perms,
1722 struct common_audit_data *adp)
1723 {
1724 struct inode_security_struct *isec;
1725 u32 sid;
1726
1727 validate_creds(cred);
1728
1729 if (unlikely(IS_PRIVATE(inode)))
1730 return 0;
1731
1732 sid = cred_sid(cred);
1733 isec = selinux_inode(inode);
1734
1735 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1736 }
1737
1738 /* Same as inode_has_perm, but pass explicit audit data containing
1739 the dentry to help the auditing code to more easily generate the
1740 pathname if needed. */
1741 static inline int dentry_has_perm(const struct cred *cred,
1742 struct dentry *dentry,
1743 u32 av)
1744 {
1745 struct inode *inode = d_backing_inode(dentry);
1746 struct common_audit_data ad;
1747
1748 ad.type = LSM_AUDIT_DATA_DENTRY;
1749 ad.u.dentry = dentry;
1750 __inode_security_revalidate(inode, dentry, true);
1751 return inode_has_perm(cred, inode, av, &ad);
1752 }
1753
1754 /* Same as inode_has_perm, but pass explicit audit data containing
1755 the path to help the auditing code to more easily generate the
1756 pathname if needed. */
1757 static inline int path_has_perm(const struct cred *cred,
1758 const struct path *path,
1759 u32 av)
1760 {
1761 struct inode *inode = d_backing_inode(path->dentry);
1762 struct common_audit_data ad;
1763
1764 ad.type = LSM_AUDIT_DATA_PATH;
1765 ad.u.path = *path;
1766 __inode_security_revalidate(inode, path->dentry, true);
1767 return inode_has_perm(cred, inode, av, &ad);
1768 }
1769
1770 /* Same as path_has_perm, but uses the inode from the file struct. */
1771 static inline int file_path_has_perm(const struct cred *cred,
1772 struct file *file,
1773 u32 av)
1774 {
1775 struct common_audit_data ad;
1776
1777 ad.type = LSM_AUDIT_DATA_FILE;
1778 ad.u.file = file;
1779 return inode_has_perm(cred, file_inode(file), av, &ad);
1780 }
1781
1782 #ifdef CONFIG_BPF_SYSCALL
1783 static int bpf_fd_pass(struct file *file, u32 sid);
1784 #endif
1785
1786 /* Check whether a task can use an open file descriptor to
1787 access an inode in a given way. Check access to the
1788 descriptor itself, and then use dentry_has_perm to
1789 check a particular permission to the file.
1790 Access to the descriptor is implicitly granted if it
1791 has the same SID as the process. If av is zero, then
1792 access to the file is not checked, e.g. for cases
1793 where only the descriptor is affected like seek. */
1794 static int file_has_perm(const struct cred *cred,
1795 struct file *file,
1796 u32 av)
1797 {
1798 struct file_security_struct *fsec = selinux_file(file);
1799 struct inode *inode = file_inode(file);
1800 struct common_audit_data ad;
1801 u32 sid = cred_sid(cred);
1802 int rc;
1803
1804 ad.type = LSM_AUDIT_DATA_FILE;
1805 ad.u.file = file;
1806
1807 if (sid != fsec->sid) {
1808 rc = avc_has_perm(sid, fsec->sid,
1809 SECCLASS_FD,
1810 FD__USE,
1811 &ad);
1812 if (rc)
1813 goto out;
1814 }
1815
1816 #ifdef CONFIG_BPF_SYSCALL
1817 rc = bpf_fd_pass(file, cred_sid(cred));
1818 if (rc)
1819 return rc;
1820 #endif
1821
1822 /* av is zero if only checking access to the descriptor. */
1823 rc = 0;
1824 if (av)
1825 rc = inode_has_perm(cred, inode, av, &ad);
1826
1827 out:
1828 return rc;
1829 }
1830
1831 /*
1832 * Determine the label for an inode that might be unioned.
1833 */
1834 static int
1835 selinux_determine_inode_label(const struct task_security_struct *tsec,
1836 struct inode *dir,
1837 const struct qstr *name, u16 tclass,
1838 u32 *_new_isid)
1839 {
1840 const struct superblock_security_struct *sbsec =
1841 selinux_superblock(dir->i_sb);
1842
1843 if ((sbsec->flags & SE_SBINITIALIZED) &&
1844 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1845 *_new_isid = sbsec->mntpoint_sid;
1846 } else if ((sbsec->flags & SBLABEL_MNT) &&
1847 tsec->create_sid) {
1848 *_new_isid = tsec->create_sid;
1849 } else {
1850 const struct inode_security_struct *dsec = inode_security(dir);
1851 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1852 name, _new_isid);
1853 }
1854
1855 return 0;
1856 }
1857
1858 /* Check whether a task can create a file. */
1859 static int may_create(struct inode *dir,
1860 struct dentry *dentry,
1861 u16 tclass)
1862 {
1863 const struct task_security_struct *tsec = selinux_cred(current_cred());
1864 struct inode_security_struct *dsec;
1865 struct superblock_security_struct *sbsec;
1866 u32 sid, newsid;
1867 struct common_audit_data ad;
1868 int rc;
1869
1870 dsec = inode_security(dir);
1871 sbsec = selinux_superblock(dir->i_sb);
1872
1873 sid = tsec->sid;
1874
1875 ad.type = LSM_AUDIT_DATA_DENTRY;
1876 ad.u.dentry = dentry;
1877
1878 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1879 DIR__ADD_NAME | DIR__SEARCH,
1880 &ad);
1881 if (rc)
1882 return rc;
1883
1884 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1885 &dentry->d_name, tclass, &newsid);
1886 if (rc)
1887 return rc;
1888
1889 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1890 if (rc)
1891 return rc;
1892
1893 return avc_has_perm(newsid, sbsec->sid,
1894 SECCLASS_FILESYSTEM,
1895 FILESYSTEM__ASSOCIATE, &ad);
1896 }
1897
1898 #define MAY_LINK 0
1899 #define MAY_UNLINK 1
1900 #define MAY_RMDIR 2
1901
1902 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1903 static int may_link(struct inode *dir,
1904 struct dentry *dentry,
1905 int kind)
1906
1907 {
1908 struct inode_security_struct *dsec, *isec;
1909 struct common_audit_data ad;
1910 u32 sid = current_sid();
1911 u32 av;
1912 int rc;
1913
1914 dsec = inode_security(dir);
1915 isec = backing_inode_security(dentry);
1916
1917 ad.type = LSM_AUDIT_DATA_DENTRY;
1918 ad.u.dentry = dentry;
1919
1920 av = DIR__SEARCH;
1921 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1922 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1923 if (rc)
1924 return rc;
1925
1926 switch (kind) {
1927 case MAY_LINK:
1928 av = FILE__LINK;
1929 break;
1930 case MAY_UNLINK:
1931 av = FILE__UNLINK;
1932 break;
1933 case MAY_RMDIR:
1934 av = DIR__RMDIR;
1935 break;
1936 default:
1937 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1938 __func__, kind);
1939 return 0;
1940 }
1941
1942 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1943 return rc;
1944 }
1945
1946 static inline int may_rename(struct inode *old_dir,
1947 struct dentry *old_dentry,
1948 struct inode *new_dir,
1949 struct dentry *new_dentry)
1950 {
1951 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1952 struct common_audit_data ad;
1953 u32 sid = current_sid();
1954 u32 av;
1955 int old_is_dir, new_is_dir;
1956 int rc;
1957
1958 old_dsec = inode_security(old_dir);
1959 old_isec = backing_inode_security(old_dentry);
1960 old_is_dir = d_is_dir(old_dentry);
1961 new_dsec = inode_security(new_dir);
1962
1963 ad.type = LSM_AUDIT_DATA_DENTRY;
1964
1965 ad.u.dentry = old_dentry;
1966 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1967 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1968 if (rc)
1969 return rc;
1970 rc = avc_has_perm(sid, old_isec->sid,
1971 old_isec->sclass, FILE__RENAME, &ad);
1972 if (rc)
1973 return rc;
1974 if (old_is_dir && new_dir != old_dir) {
1975 rc = avc_has_perm(sid, old_isec->sid,
1976 old_isec->sclass, DIR__REPARENT, &ad);
1977 if (rc)
1978 return rc;
1979 }
1980
1981 ad.u.dentry = new_dentry;
1982 av = DIR__ADD_NAME | DIR__SEARCH;
1983 if (d_is_positive(new_dentry))
1984 av |= DIR__REMOVE_NAME;
1985 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1986 if (rc)
1987 return rc;
1988 if (d_is_positive(new_dentry)) {
1989 new_isec = backing_inode_security(new_dentry);
1990 new_is_dir = d_is_dir(new_dentry);
1991 rc = avc_has_perm(sid, new_isec->sid,
1992 new_isec->sclass,
1993 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1994 if (rc)
1995 return rc;
1996 }
1997
1998 return 0;
1999 }
2000
2001 /* Check whether a task can perform a filesystem operation. */
2002 static int superblock_has_perm(const struct cred *cred,
2003 struct super_block *sb,
2004 u32 perms,
2005 struct common_audit_data *ad)
2006 {
2007 struct superblock_security_struct *sbsec;
2008 u32 sid = cred_sid(cred);
2009
2010 sbsec = selinux_superblock(sb);
2011 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2012 }
2013
2014 /* Convert a Linux mode and permission mask to an access vector. */
2015 static inline u32 file_mask_to_av(int mode, int mask)
2016 {
2017 u32 av = 0;
2018
2019 if (!S_ISDIR(mode)) {
2020 if (mask & MAY_EXEC)
2021 av |= FILE__EXECUTE;
2022 if (mask & MAY_READ)
2023 av |= FILE__READ;
2024
2025 if (mask & MAY_APPEND)
2026 av |= FILE__APPEND;
2027 else if (mask & MAY_WRITE)
2028 av |= FILE__WRITE;
2029
2030 } else {
2031 if (mask & MAY_EXEC)
2032 av |= DIR__SEARCH;
2033 if (mask & MAY_WRITE)
2034 av |= DIR__WRITE;
2035 if (mask & MAY_READ)
2036 av |= DIR__READ;
2037 }
2038
2039 return av;
2040 }
2041
2042 /* Convert a Linux file to an access vector. */
2043 static inline u32 file_to_av(struct file *file)
2044 {
2045 u32 av = 0;
2046
2047 if (file->f_mode & FMODE_READ)
2048 av |= FILE__READ;
2049 if (file->f_mode & FMODE_WRITE) {
2050 if (file->f_flags & O_APPEND)
2051 av |= FILE__APPEND;
2052 else
2053 av |= FILE__WRITE;
2054 }
2055 if (!av) {
2056 /*
2057 * Special file opened with flags 3 for ioctl-only use.
2058 */
2059 av = FILE__IOCTL;
2060 }
2061
2062 return av;
2063 }
2064
2065 /*
2066 * Convert a file to an access vector and include the correct open
2067 * open permission.
2068 */
2069 static inline u32 open_file_to_av(struct file *file)
2070 {
2071 u32 av = file_to_av(file);
2072 struct inode *inode = file_inode(file);
2073
2074 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2075 av |= FILE__OPEN;
2076
2077 return av;
2078 }
2079
2080 /* Hook functions begin here. */
2081
2082 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2083 {
2084 u32 mysid = current_sid();
2085 u32 mgrsid = task_sid(mgr);
2086
2087 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2088 BINDER__SET_CONTEXT_MGR, NULL);
2089 }
2090
2091 static int selinux_binder_transaction(struct task_struct *from,
2092 struct task_struct *to)
2093 {
2094 u32 mysid = current_sid();
2095 u32 fromsid = task_sid(from);
2096 u32 tosid = task_sid(to);
2097 int rc;
2098
2099 if (mysid != fromsid) {
2100 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2101 BINDER__IMPERSONATE, NULL);
2102 if (rc)
2103 return rc;
2104 }
2105
2106 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2107 NULL);
2108 }
2109
2110 static int selinux_binder_transfer_binder(struct task_struct *from,
2111 struct task_struct *to)
2112 {
2113 u32 fromsid = task_sid(from);
2114 u32 tosid = task_sid(to);
2115
2116 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2117 NULL);
2118 }
2119
2120 static int selinux_binder_transfer_file(struct task_struct *from,
2121 struct task_struct *to,
2122 struct file *file)
2123 {
2124 u32 sid = task_sid(to);
2125 struct file_security_struct *fsec = selinux_file(file);
2126 struct dentry *dentry = file->f_path.dentry;
2127 struct inode_security_struct *isec;
2128 struct common_audit_data ad;
2129 int rc;
2130
2131 ad.type = LSM_AUDIT_DATA_PATH;
2132 ad.u.path = file->f_path;
2133
2134 if (sid != fsec->sid) {
2135 rc = avc_has_perm(sid, fsec->sid,
2136 SECCLASS_FD,
2137 FD__USE,
2138 &ad);
2139 if (rc)
2140 return rc;
2141 }
2142
2143 #ifdef CONFIG_BPF_SYSCALL
2144 rc = bpf_fd_pass(file, sid);
2145 if (rc)
2146 return rc;
2147 #endif
2148
2149 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2150 return 0;
2151
2152 isec = backing_inode_security(dentry);
2153 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2154 &ad);
2155 }
2156
2157 static int selinux_ptrace_access_check(struct task_struct *child,
2158 unsigned int mode)
2159 {
2160 u32 sid = current_sid();
2161 u32 csid = task_sid(child);
2162
2163 if (mode & PTRACE_MODE_READ)
2164 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2165
2166 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2167 }
2168
2169 static int selinux_ptrace_traceme(struct task_struct *parent)
2170 {
2171 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2172 PROCESS__PTRACE, NULL);
2173 }
2174
2175 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2176 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2177 {
2178 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2179 PROCESS__GETCAP, NULL);
2180 }
2181
2182 static int selinux_capset(struct cred *new, const struct cred *old,
2183 const kernel_cap_t *effective,
2184 const kernel_cap_t *inheritable,
2185 const kernel_cap_t *permitted)
2186 {
2187 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2188 PROCESS__SETCAP, NULL);
2189 }
2190
2191 /*
2192 * (This comment used to live with the selinux_task_setuid hook,
2193 * which was removed).
2194 *
2195 * Since setuid only affects the current process, and since the SELinux
2196 * controls are not based on the Linux identity attributes, SELinux does not
2197 * need to control this operation. However, SELinux does control the use of
2198 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2199 */
2200
2201 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2202 int cap, int audit)
2203 {
2204 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2205 }
2206
2207 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2208 {
2209 const struct cred *cred = current_cred();
2210 int rc = 0;
2211
2212 if (!sb)
2213 return 0;
2214
2215 switch (cmds) {
2216 case Q_SYNC:
2217 case Q_QUOTAON:
2218 case Q_QUOTAOFF:
2219 case Q_SETINFO:
2220 case Q_SETQUOTA:
2221 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2222 break;
2223 case Q_GETFMT:
2224 case Q_GETINFO:
2225 case Q_GETQUOTA:
2226 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2227 break;
2228 default:
2229 rc = 0; /* let the kernel handle invalid cmds */
2230 break;
2231 }
2232 return rc;
2233 }
2234
2235 static int selinux_quota_on(struct dentry *dentry)
2236 {
2237 const struct cred *cred = current_cred();
2238
2239 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2240 }
2241
2242 static int selinux_syslog(int type)
2243 {
2244 switch (type) {
2245 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2246 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2247 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2248 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2249 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2250 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2251 /* Set level of messages printed to console */
2252 case SYSLOG_ACTION_CONSOLE_LEVEL:
2253 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2254 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2255 NULL);
2256 }
2257 /* All other syslog types */
2258 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2259 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2260 }
2261
2262 /*
2263 * Check that a process has enough memory to allocate a new virtual
2264 * mapping. 0 means there is enough memory for the allocation to
2265 * succeed and -ENOMEM implies there is not.
2266 *
2267 * Do not audit the selinux permission check, as this is applied to all
2268 * processes that allocate mappings.
2269 */
2270 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2271 {
2272 int rc, cap_sys_admin = 0;
2273
2274 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2275 SECURITY_CAP_NOAUDIT, true);
2276 if (rc == 0)
2277 cap_sys_admin = 1;
2278
2279 return cap_sys_admin;
2280 }
2281
2282 /* binprm security operations */
2283
2284 static u32 ptrace_parent_sid(void)
2285 {
2286 u32 sid = 0;
2287 struct task_struct *tracer;
2288
2289 rcu_read_lock();
2290 tracer = ptrace_parent(current);
2291 if (tracer)
2292 sid = task_sid(tracer);
2293 rcu_read_unlock();
2294
2295 return sid;
2296 }
2297
2298 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2299 const struct task_security_struct *old_tsec,
2300 const struct task_security_struct *new_tsec)
2301 {
2302 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2303 int nosuid = path_nosuid(&bprm->file->f_path);
2304 int rc;
2305 u32 av;
2306
2307 if (!nnp && !nosuid)
2308 return 0; /* neither NNP nor nosuid */
2309
2310 if (new_tsec->sid == old_tsec->sid)
2311 return 0; /* No change in credentials */
2312
2313 /*
2314 * If the policy enables the nnp_nosuid_transition policy capability,
2315 * then we permit transitions under NNP or nosuid if the
2316 * policy allows the corresponding permission between
2317 * the old and new contexts.
2318 */
2319 if (selinux_policycap_nnp_nosuid_transition) {
2320 av = 0;
2321 if (nnp)
2322 av |= PROCESS2__NNP_TRANSITION;
2323 if (nosuid)
2324 av |= PROCESS2__NOSUID_TRANSITION;
2325 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2326 SECCLASS_PROCESS2, av, NULL);
2327 if (!rc)
2328 return 0;
2329 }
2330
2331 /*
2332 * We also permit NNP or nosuid transitions to bounded SIDs,
2333 * i.e. SIDs that are guaranteed to only be allowed a subset
2334 * of the permissions of the current SID.
2335 */
2336 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2337 if (!rc)
2338 return 0;
2339
2340 /*
2341 * On failure, preserve the errno values for NNP vs nosuid.
2342 * NNP: Operation not permitted for caller.
2343 * nosuid: Permission denied to file.
2344 */
2345 if (nnp)
2346 return -EPERM;
2347 return -EACCES;
2348 }
2349
2350 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2351 {
2352 const struct task_security_struct *old_tsec;
2353 struct task_security_struct *new_tsec;
2354 struct inode_security_struct *isec;
2355 struct common_audit_data ad;
2356 struct inode *inode = file_inode(bprm->file);
2357 int rc;
2358
2359 /* SELinux context only depends on initial program or script and not
2360 * the script interpreter */
2361 if (bprm->called_set_creds)
2362 return 0;
2363
2364 old_tsec = selinux_cred(current_cred());
2365 new_tsec = selinux_cred(bprm->cred);
2366 isec = inode_security(inode);
2367
2368 /* Default to the current task SID. */
2369 new_tsec->sid = old_tsec->sid;
2370 new_tsec->osid = old_tsec->sid;
2371
2372 /* Reset fs, key, and sock SIDs on execve. */
2373 new_tsec->create_sid = 0;
2374 new_tsec->keycreate_sid = 0;
2375 new_tsec->sockcreate_sid = 0;
2376
2377 if (old_tsec->exec_sid) {
2378 new_tsec->sid = old_tsec->exec_sid;
2379 /* Reset exec SID on execve. */
2380 new_tsec->exec_sid = 0;
2381
2382 /* Fail on NNP or nosuid if not an allowed transition. */
2383 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2384 if (rc)
2385 return rc;
2386 } else {
2387 /* Check for a default transition on this program. */
2388 rc = security_transition_sid(old_tsec->sid, isec->sid,
2389 SECCLASS_PROCESS, NULL,
2390 &new_tsec->sid);
2391 if (rc)
2392 return rc;
2393
2394 /*
2395 * Fallback to old SID on NNP or nosuid if not an allowed
2396 * transition.
2397 */
2398 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2399 if (rc)
2400 new_tsec->sid = old_tsec->sid;
2401 }
2402
2403 ad.type = LSM_AUDIT_DATA_FILE;
2404 ad.u.file = bprm->file;
2405
2406 if (new_tsec->sid == old_tsec->sid) {
2407 rc = avc_has_perm(old_tsec->sid, isec->sid,
2408 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2409 if (rc)
2410 return rc;
2411 } else {
2412 /* Check permissions for the transition. */
2413 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2414 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2415 if (rc)
2416 return rc;
2417
2418 rc = avc_has_perm(new_tsec->sid, isec->sid,
2419 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2420 if (rc)
2421 return rc;
2422
2423 /* Check for shared state */
2424 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2425 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2426 SECCLASS_PROCESS, PROCESS__SHARE,
2427 NULL);
2428 if (rc)
2429 return -EPERM;
2430 }
2431
2432 /* Make sure that anyone attempting to ptrace over a task that
2433 * changes its SID has the appropriate permit */
2434 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2435 u32 ptsid = ptrace_parent_sid();
2436 if (ptsid != 0) {
2437 rc = avc_has_perm(ptsid, new_tsec->sid,
2438 SECCLASS_PROCESS,
2439 PROCESS__PTRACE, NULL);
2440 if (rc)
2441 return -EPERM;
2442 }
2443 }
2444
2445 /* Clear any possibly unsafe personality bits on exec: */
2446 bprm->per_clear |= PER_CLEAR_ON_SETID;
2447
2448 /* Enable secure mode for SIDs transitions unless
2449 the noatsecure permission is granted between
2450 the two SIDs, i.e. ahp returns 0. */
2451 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2452 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2453 NULL);
2454 bprm->secureexec |= !!rc;
2455 }
2456
2457 return 0;
2458 }
2459
2460 static int match_file(const void *p, struct file *file, unsigned fd)
2461 {
2462 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2463 }
2464
2465 /* Derived from fs/exec.c:flush_old_files. */
2466 static inline void flush_unauthorized_files(const struct cred *cred,
2467 struct files_struct *files)
2468 {
2469 struct file *file, *devnull = NULL;
2470 struct tty_struct *tty;
2471 int drop_tty = 0;
2472 unsigned n;
2473
2474 tty = get_current_tty();
2475 if (tty) {
2476 spin_lock(&tty->files_lock);
2477 if (!list_empty(&tty->tty_files)) {
2478 struct tty_file_private *file_priv;
2479
2480 /* Revalidate access to controlling tty.
2481 Use file_path_has_perm on the tty path directly
2482 rather than using file_has_perm, as this particular
2483 open file may belong to another process and we are
2484 only interested in the inode-based check here. */
2485 file_priv = list_first_entry(&tty->tty_files,
2486 struct tty_file_private, list);
2487 file = file_priv->file;
2488 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2489 drop_tty = 1;
2490 }
2491 spin_unlock(&tty->files_lock);
2492 tty_kref_put(tty);
2493 }
2494 /* Reset controlling tty. */
2495 if (drop_tty)
2496 no_tty();
2497
2498 /* Revalidate access to inherited open files. */
2499 n = iterate_fd(files, 0, match_file, cred);
2500 if (!n) /* none found? */
2501 return;
2502
2503 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2504 if (IS_ERR(devnull))
2505 devnull = NULL;
2506 /* replace all the matching ones with this */
2507 do {
2508 replace_fd(n - 1, devnull, 0);
2509 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2510 if (devnull)
2511 fput(devnull);
2512 }
2513
2514 /*
2515 * Prepare a process for imminent new credential changes due to exec
2516 */
2517 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2518 {
2519 struct task_security_struct *new_tsec;
2520 struct rlimit *rlim, *initrlim;
2521 int rc, i;
2522
2523 new_tsec = selinux_cred(bprm->cred);
2524 if (new_tsec->sid == new_tsec->osid)
2525 return;
2526
2527 /* Close files for which the new task SID is not authorized. */
2528 flush_unauthorized_files(bprm->cred, current->files);
2529
2530 /* Always clear parent death signal on SID transitions. */
2531 current->pdeath_signal = 0;
2532
2533 /* Check whether the new SID can inherit resource limits from the old
2534 * SID. If not, reset all soft limits to the lower of the current
2535 * task's hard limit and the init task's soft limit.
2536 *
2537 * Note that the setting of hard limits (even to lower them) can be
2538 * controlled by the setrlimit check. The inclusion of the init task's
2539 * soft limit into the computation is to avoid resetting soft limits
2540 * higher than the default soft limit for cases where the default is
2541 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2542 */
2543 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2544 PROCESS__RLIMITINH, NULL);
2545 if (rc) {
2546 /* protect against do_prlimit() */
2547 task_lock(current);
2548 for (i = 0; i < RLIM_NLIMITS; i++) {
2549 rlim = current->signal->rlim + i;
2550 initrlim = init_task.signal->rlim + i;
2551 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2552 }
2553 task_unlock(current);
2554 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2555 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2556 }
2557 }
2558
2559 /*
2560 * Clean up the process immediately after the installation of new credentials
2561 * due to exec
2562 */
2563 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2564 {
2565 const struct task_security_struct *tsec = selinux_cred(current_cred());
2566 struct itimerval itimer;
2567 u32 osid, sid;
2568 int rc, i;
2569
2570 osid = tsec->osid;
2571 sid = tsec->sid;
2572
2573 if (sid == osid)
2574 return;
2575
2576 /* Check whether the new SID can inherit signal state from the old SID.
2577 * If not, clear itimers to avoid subsequent signal generation and
2578 * flush and unblock signals.
2579 *
2580 * This must occur _after_ the task SID has been updated so that any
2581 * kill done after the flush will be checked against the new SID.
2582 */
2583 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2584 if (rc) {
2585 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2586 memset(&itimer, 0, sizeof itimer);
2587 for (i = 0; i < 3; i++)
2588 do_setitimer(i, &itimer, NULL);
2589 }
2590 spin_lock_irq(&current->sighand->siglock);
2591 if (!fatal_signal_pending(current)) {
2592 flush_sigqueue(&current->pending);
2593 flush_sigqueue(&current->signal->shared_pending);
2594 flush_signal_handlers(current, 1);
2595 sigemptyset(&current->blocked);
2596 recalc_sigpending();
2597 }
2598 spin_unlock_irq(&current->sighand->siglock);
2599 }
2600
2601 /* Wake up the parent if it is waiting so that it can recheck
2602 * wait permission to the new task SID. */
2603 read_lock(&tasklist_lock);
2604 __wake_up_parent(current, current->real_parent);
2605 read_unlock(&tasklist_lock);
2606 }
2607
2608 /* superblock security operations */
2609
2610 static int selinux_sb_alloc_security(struct super_block *sb)
2611 {
2612 return superblock_alloc_security(sb);
2613 }
2614
2615 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2616 {
2617 if (plen > olen)
2618 return 0;
2619
2620 return !memcmp(prefix, option, plen);
2621 }
2622
2623 static inline int selinux_option(char *option, int len)
2624 {
2625 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2626 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2627 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2628 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2629 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2630 }
2631
2632 static inline void take_option(char **to, char *from, int *first, int len)
2633 {
2634 if (!*first) {
2635 **to = ',';
2636 *to += 1;
2637 } else
2638 *first = 0;
2639 memcpy(*to, from, len);
2640 *to += len;
2641 }
2642
2643 static inline void take_selinux_option(char **to, char *from, int *first,
2644 int len)
2645 {
2646 int current_size = 0;
2647
2648 if (!*first) {
2649 **to = '|';
2650 *to += 1;
2651 } else
2652 *first = 0;
2653
2654 while (current_size < len) {
2655 if (*from != '"') {
2656 **to = *from;
2657 *to += 1;
2658 }
2659 from += 1;
2660 current_size += 1;
2661 }
2662 }
2663
2664 static int selinux_sb_copy_data(char *orig, char *copy)
2665 {
2666 int fnosec, fsec, rc = 0;
2667 char *in_save, *in_curr, *in_end;
2668 char *sec_curr, *nosec_save, *nosec;
2669 int open_quote = 0;
2670
2671 in_curr = orig;
2672 sec_curr = copy;
2673
2674 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2675 if (!nosec) {
2676 rc = -ENOMEM;
2677 goto out;
2678 }
2679
2680 nosec_save = nosec;
2681 fnosec = fsec = 1;
2682 in_save = in_end = orig;
2683
2684 do {
2685 if (*in_end == '"')
2686 open_quote = !open_quote;
2687 if ((*in_end == ',' && open_quote == 0) ||
2688 *in_end == '\0') {
2689 int len = in_end - in_curr;
2690
2691 if (selinux_option(in_curr, len))
2692 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2693 else
2694 take_option(&nosec, in_curr, &fnosec, len);
2695
2696 in_curr = in_end + 1;
2697 }
2698 } while (*in_end++);
2699
2700 strcpy(in_save, nosec_save);
2701 free_page((unsigned long)nosec_save);
2702 out:
2703 return rc;
2704 }
2705
2706 static int selinux_sb_remount(struct super_block *sb, void *data)
2707 {
2708 int rc, i, *flags;
2709 struct security_mnt_opts opts;
2710 char *secdata, **mount_options;
2711 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2712
2713 if (!(sbsec->flags & SE_SBINITIALIZED))
2714 return 0;
2715
2716 if (!data)
2717 return 0;
2718
2719 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2720 return 0;
2721
2722 security_init_mnt_opts(&opts);
2723 secdata = alloc_secdata();
2724 if (!secdata)
2725 return -ENOMEM;
2726 rc = selinux_sb_copy_data(data, secdata);
2727 if (rc)
2728 goto out_free_secdata;
2729
2730 rc = selinux_parse_opts_str(secdata, &opts);
2731 if (rc)
2732 goto out_free_secdata;
2733
2734 mount_options = opts.mnt_opts;
2735 flags = opts.mnt_opts_flags;
2736
2737 for (i = 0; i < opts.num_mnt_opts; i++) {
2738 u32 sid;
2739
2740 if (flags[i] == SBLABEL_MNT)
2741 continue;
2742 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2743 if (rc) {
2744 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2745 "(%s) failed for (dev %s, type %s) errno=%d\n",
2746 mount_options[i], sb->s_id, sb->s_type->name, rc);
2747 goto out_free_opts;
2748 }
2749 rc = -EINVAL;
2750 switch (flags[i]) {
2751 case FSCONTEXT_MNT:
2752 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2753 goto out_bad_option;
2754 break;
2755 case CONTEXT_MNT:
2756 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2757 goto out_bad_option;
2758 break;
2759 case ROOTCONTEXT_MNT: {
2760 struct inode_security_struct *root_isec;
2761 root_isec = backing_inode_security(sb->s_root);
2762
2763 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2764 goto out_bad_option;
2765 break;
2766 }
2767 case DEFCONTEXT_MNT:
2768 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2769 goto out_bad_option;
2770 break;
2771 default:
2772 goto out_free_opts;
2773 }
2774 }
2775
2776 rc = 0;
2777 out_free_opts:
2778 security_free_mnt_opts(&opts);
2779 out_free_secdata:
2780 free_secdata(secdata);
2781 return rc;
2782 out_bad_option:
2783 printk(KERN_WARNING "SELinux: unable to change security options "
2784 "during remount (dev %s, type=%s)\n", sb->s_id,
2785 sb->s_type->name);
2786 goto out_free_opts;
2787 }
2788
2789 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2790 {
2791 const struct cred *cred = current_cred();
2792 struct common_audit_data ad;
2793 int rc;
2794
2795 rc = superblock_doinit(sb, data);
2796 if (rc)
2797 return rc;
2798
2799 /* Allow all mounts performed by the kernel */
2800 if (flags & MS_KERNMOUNT)
2801 return 0;
2802
2803 ad.type = LSM_AUDIT_DATA_DENTRY;
2804 ad.u.dentry = sb->s_root;
2805 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2806 }
2807
2808 static int selinux_sb_statfs(struct dentry *dentry)
2809 {
2810 const struct cred *cred = current_cred();
2811 struct common_audit_data ad;
2812
2813 ad.type = LSM_AUDIT_DATA_DENTRY;
2814 ad.u.dentry = dentry->d_sb->s_root;
2815 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2816 }
2817
2818 static int selinux_mount(const char *dev_name,
2819 const struct path *path,
2820 const char *type,
2821 unsigned long flags,
2822 void *data)
2823 {
2824 const struct cred *cred = current_cred();
2825
2826 if (flags & MS_REMOUNT)
2827 return superblock_has_perm(cred, path->dentry->d_sb,
2828 FILESYSTEM__REMOUNT, NULL);
2829 else
2830 return path_has_perm(cred, path, FILE__MOUNTON);
2831 }
2832
2833 static int selinux_umount(struct vfsmount *mnt, int flags)
2834 {
2835 const struct cred *cred = current_cred();
2836
2837 return superblock_has_perm(cred, mnt->mnt_sb,
2838 FILESYSTEM__UNMOUNT, NULL);
2839 }
2840
2841 /* inode security operations */
2842
2843 static int selinux_inode_alloc_security(struct inode *inode)
2844 {
2845 return inode_alloc_security(inode);
2846 }
2847
2848 static void selinux_inode_free_security(struct inode *inode)
2849 {
2850 inode_free_security(inode);
2851 }
2852
2853 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2854 const struct qstr *name, void **ctx,
2855 u32 *ctxlen)
2856 {
2857 u32 newsid;
2858 int rc;
2859
2860 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2861 d_inode(dentry->d_parent), name,
2862 inode_mode_to_security_class(mode),
2863 &newsid);
2864 if (rc)
2865 return rc;
2866
2867 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2868 }
2869
2870 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2871 struct qstr *name,
2872 const struct cred *old,
2873 struct cred *new)
2874 {
2875 u32 newsid;
2876 int rc;
2877 struct task_security_struct *tsec;
2878
2879 rc = selinux_determine_inode_label(selinux_cred(old),
2880 d_inode(dentry->d_parent), name,
2881 inode_mode_to_security_class(mode),
2882 &newsid);
2883 if (rc)
2884 return rc;
2885
2886 tsec = selinux_cred(new);
2887 tsec->create_sid = newsid;
2888 return 0;
2889 }
2890
2891 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2892 const struct qstr *qstr,
2893 const char **name,
2894 void **value, size_t *len)
2895 {
2896 const struct task_security_struct *tsec = selinux_cred(current_cred());
2897 struct superblock_security_struct *sbsec;
2898 u32 newsid, clen;
2899 int rc;
2900 char *context;
2901
2902 sbsec = selinux_superblock(dir->i_sb);
2903
2904 newsid = tsec->create_sid;
2905
2906 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2907 dir, qstr,
2908 inode_mode_to_security_class(inode->i_mode),
2909 &newsid);
2910 if (rc)
2911 return rc;
2912
2913 /* Possibly defer initialization to selinux_complete_init. */
2914 if (sbsec->flags & SE_SBINITIALIZED) {
2915 struct inode_security_struct *isec = selinux_inode(inode);
2916 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2917 isec->sid = newsid;
2918 isec->initialized = LABEL_INITIALIZED;
2919 }
2920
2921 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2922 return -EOPNOTSUPP;
2923
2924 if (name)
2925 *name = XATTR_SELINUX_SUFFIX;
2926
2927 if (value && len) {
2928 rc = security_sid_to_context_force(newsid, &context, &clen);
2929 if (rc)
2930 return rc;
2931 *value = context;
2932 *len = clen;
2933 }
2934
2935 return 0;
2936 }
2937
2938 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2939 {
2940 return may_create(dir, dentry, SECCLASS_FILE);
2941 }
2942
2943 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2944 {
2945 return may_link(dir, old_dentry, MAY_LINK);
2946 }
2947
2948 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2949 {
2950 return may_link(dir, dentry, MAY_UNLINK);
2951 }
2952
2953 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2954 {
2955 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2956 }
2957
2958 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2959 {
2960 return may_create(dir, dentry, SECCLASS_DIR);
2961 }
2962
2963 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2964 {
2965 return may_link(dir, dentry, MAY_RMDIR);
2966 }
2967
2968 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2969 {
2970 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2971 }
2972
2973 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2974 struct inode *new_inode, struct dentry *new_dentry)
2975 {
2976 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2977 }
2978
2979 static int selinux_inode_readlink(struct dentry *dentry)
2980 {
2981 const struct cred *cred = current_cred();
2982
2983 return dentry_has_perm(cred, dentry, FILE__READ);
2984 }
2985
2986 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2987 bool rcu)
2988 {
2989 const struct cred *cred = current_cred();
2990 struct common_audit_data ad;
2991 struct inode_security_struct *isec;
2992 u32 sid;
2993
2994 validate_creds(cred);
2995
2996 ad.type = LSM_AUDIT_DATA_DENTRY;
2997 ad.u.dentry = dentry;
2998 sid = cred_sid(cred);
2999 isec = inode_security_rcu(inode, rcu);
3000 if (IS_ERR(isec))
3001 return PTR_ERR(isec);
3002
3003 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3004 rcu ? MAY_NOT_BLOCK : 0);
3005 }
3006
3007 static noinline int audit_inode_permission(struct inode *inode,
3008 u32 perms, u32 audited, u32 denied,
3009 int result,
3010 unsigned flags)
3011 {
3012 struct common_audit_data ad;
3013 struct inode_security_struct *isec = selinux_inode(inode);
3014 int rc;
3015
3016 ad.type = LSM_AUDIT_DATA_INODE;
3017 ad.u.inode = inode;
3018
3019 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3020 audited, denied, result, &ad, flags);
3021 if (rc)
3022 return rc;
3023 return 0;
3024 }
3025
3026 static int selinux_inode_permission(struct inode *inode, int mask)
3027 {
3028 const struct cred *cred = current_cred();
3029 u32 perms;
3030 bool from_access;
3031 unsigned flags = mask & MAY_NOT_BLOCK;
3032 struct inode_security_struct *isec;
3033 u32 sid;
3034 struct av_decision avd;
3035 int rc, rc2;
3036 u32 audited, denied;
3037
3038 from_access = mask & MAY_ACCESS;
3039 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3040
3041 /* No permission to check. Existence test. */
3042 if (!mask)
3043 return 0;
3044
3045 validate_creds(cred);
3046
3047 if (unlikely(IS_PRIVATE(inode)))
3048 return 0;
3049
3050 perms = file_mask_to_av(inode->i_mode, mask);
3051
3052 sid = cred_sid(cred);
3053 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3054 if (IS_ERR(isec))
3055 return PTR_ERR(isec);
3056
3057 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3058 audited = avc_audit_required(perms, &avd, rc,
3059 from_access ? FILE__AUDIT_ACCESS : 0,
3060 &denied);
3061 if (likely(!audited))
3062 return rc;
3063
3064 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3065 if (rc2)
3066 return rc2;
3067 return rc;
3068 }
3069
3070 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3071 {
3072 const struct cred *cred = current_cred();
3073 struct inode *inode = d_backing_inode(dentry);
3074 unsigned int ia_valid = iattr->ia_valid;
3075 __u32 av = FILE__WRITE;
3076
3077 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3078 if (ia_valid & ATTR_FORCE) {
3079 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3080 ATTR_FORCE);
3081 if (!ia_valid)
3082 return 0;
3083 }
3084
3085 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3086 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3087 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3088
3089 if (selinux_policycap_openperm &&
3090 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3091 (ia_valid & ATTR_SIZE) &&
3092 !(ia_valid & ATTR_FILE))
3093 av |= FILE__OPEN;
3094
3095 return dentry_has_perm(cred, dentry, av);
3096 }
3097
3098 static int selinux_inode_getattr(const struct path *path)
3099 {
3100 return path_has_perm(current_cred(), path, FILE__GETATTR);
3101 }
3102
3103 static bool has_cap_mac_admin(bool audit)
3104 {
3105 const struct cred *cred = current_cred();
3106 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3107
3108 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3109 return false;
3110 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3111 return false;
3112 return true;
3113 }
3114
3115 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3116 const void *value, size_t size, int flags)
3117 {
3118 struct inode *inode = d_backing_inode(dentry);
3119 struct inode_security_struct *isec;
3120 struct superblock_security_struct *sbsec;
3121 struct common_audit_data ad;
3122 u32 newsid, sid = current_sid();
3123 int rc = 0;
3124
3125 if (strcmp(name, XATTR_NAME_SELINUX)) {
3126 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3127 if (rc)
3128 return rc;
3129
3130 /* Not an attribute we recognize, so just check the
3131 ordinary setattr permission. */
3132 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3133 }
3134
3135 sbsec = selinux_superblock(inode->i_sb);
3136 if (!(sbsec->flags & SBLABEL_MNT))
3137 return -EOPNOTSUPP;
3138
3139 if (!inode_owner_or_capable(inode))
3140 return -EPERM;
3141
3142 ad.type = LSM_AUDIT_DATA_DENTRY;
3143 ad.u.dentry = dentry;
3144
3145 isec = backing_inode_security(dentry);
3146 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3147 FILE__RELABELFROM, &ad);
3148 if (rc)
3149 return rc;
3150
3151 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3152 if (rc == -EINVAL) {
3153 if (!has_cap_mac_admin(true)) {
3154 struct audit_buffer *ab;
3155 size_t audit_size;
3156
3157 /* We strip a nul only if it is at the end, otherwise the
3158 * context contains a nul and we should audit that */
3159 if (value) {
3160 const char *str = value;
3161
3162 if (str[size - 1] == '\0')
3163 audit_size = size - 1;
3164 else
3165 audit_size = size;
3166 } else {
3167 audit_size = 0;
3168 }
3169 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3170 audit_log_format(ab, "op=setxattr invalid_context=");
3171 audit_log_n_untrustedstring(ab, value, audit_size);
3172 audit_log_end(ab);
3173
3174 return rc;
3175 }
3176 rc = security_context_to_sid_force(value, size, &newsid);
3177 }
3178 if (rc)
3179 return rc;
3180
3181 rc = avc_has_perm(sid, newsid, isec->sclass,
3182 FILE__RELABELTO, &ad);
3183 if (rc)
3184 return rc;
3185
3186 rc = security_validate_transition(isec->sid, newsid, sid,
3187 isec->sclass);
3188 if (rc)
3189 return rc;
3190
3191 return avc_has_perm(newsid,
3192 sbsec->sid,
3193 SECCLASS_FILESYSTEM,
3194 FILESYSTEM__ASSOCIATE,
3195 &ad);
3196 }
3197
3198 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3199 const void *value, size_t size,
3200 int flags)
3201 {
3202 struct inode *inode = d_backing_inode(dentry);
3203 struct inode_security_struct *isec;
3204 u32 newsid;
3205 int rc;
3206
3207 if (strcmp(name, XATTR_NAME_SELINUX)) {
3208 /* Not an attribute we recognize, so nothing to do. */
3209 return;
3210 }
3211
3212 rc = security_context_to_sid_force(value, size, &newsid);
3213 if (rc) {
3214 printk(KERN_ERR "SELinux: unable to map context to SID"
3215 "for (%s, %lu), rc=%d\n",
3216 inode->i_sb->s_id, inode->i_ino, -rc);
3217 return;
3218 }
3219
3220 isec = backing_inode_security(dentry);
3221 spin_lock(&isec->lock);
3222 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3223 isec->sid = newsid;
3224 isec->initialized = LABEL_INITIALIZED;
3225 spin_unlock(&isec->lock);
3226
3227 return;
3228 }
3229
3230 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3231 {
3232 const struct cred *cred = current_cred();
3233
3234 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3235 }
3236
3237 static int selinux_inode_listxattr(struct dentry *dentry)
3238 {
3239 const struct cred *cred = current_cred();
3240
3241 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3242 }
3243
3244 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3245 {
3246 if (strcmp(name, XATTR_NAME_SELINUX)) {
3247 int rc = cap_inode_removexattr(dentry, name);
3248 if (rc)
3249 return rc;
3250
3251 /* Not an attribute we recognize, so just check the
3252 ordinary setattr permission. */
3253 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3254 }
3255
3256 /* No one is allowed to remove a SELinux security label.
3257 You can change the label, but all data must be labeled. */
3258 return -EACCES;
3259 }
3260
3261 /*
3262 * Copy the inode security context value to the user.
3263 *
3264 * Permission check is handled by selinux_inode_getxattr hook.
3265 */
3266 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3267 {
3268 u32 size;
3269 int error;
3270 char *context = NULL;
3271 struct inode_security_struct *isec;
3272
3273 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3274 return -EOPNOTSUPP;
3275
3276 /*
3277 * If the caller has CAP_MAC_ADMIN, then get the raw context
3278 * value even if it is not defined by current policy; otherwise,
3279 * use the in-core value under current policy.
3280 * Use the non-auditing forms of the permission checks since
3281 * getxattr may be called by unprivileged processes commonly
3282 * and lack of permission just means that we fall back to the
3283 * in-core context value, not a denial.
3284 */
3285 isec = inode_security(inode);
3286 if (has_cap_mac_admin(false))
3287 error = security_sid_to_context_force(isec->sid, &context,
3288 &size);
3289 else
3290 error = security_sid_to_context(isec->sid, &context, &size);
3291 if (error)
3292 return error;
3293 error = size;
3294 if (alloc) {
3295 *buffer = context;
3296 goto out_nofree;
3297 }
3298 kfree(context);
3299 out_nofree:
3300 return error;
3301 }
3302
3303 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3304 const void *value, size_t size, int flags)
3305 {
3306 struct inode_security_struct *isec = inode_security_novalidate(inode);
3307 u32 newsid;
3308 int rc;
3309
3310 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3311 return -EOPNOTSUPP;
3312
3313 if (!value || !size)
3314 return -EACCES;
3315
3316 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3317 if (rc)
3318 return rc;
3319
3320 spin_lock(&isec->lock);
3321 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3322 isec->sid = newsid;
3323 isec->initialized = LABEL_INITIALIZED;
3324 spin_unlock(&isec->lock);
3325 return 0;
3326 }
3327
3328 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3329 {
3330 const int len = sizeof(XATTR_NAME_SELINUX);
3331 if (buffer && len <= buffer_size)
3332 memcpy(buffer, XATTR_NAME_SELINUX, len);
3333 return len;
3334 }
3335
3336 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3337 {
3338 struct inode_security_struct *isec = inode_security_novalidate(inode);
3339 *secid = isec->sid;
3340 }
3341
3342 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3343 {
3344 u32 sid;
3345 struct task_security_struct *tsec;
3346 struct cred *new_creds = *new;
3347
3348 if (new_creds == NULL) {
3349 new_creds = prepare_creds();
3350 if (!new_creds)
3351 return -ENOMEM;
3352 }
3353
3354 tsec = selinux_cred(new_creds);
3355 /* Get label from overlay inode and set it in create_sid */
3356 selinux_inode_getsecid(d_inode(src), &sid);
3357 tsec->create_sid = sid;
3358 *new = new_creds;
3359 return 0;
3360 }
3361
3362 static int selinux_inode_copy_up_xattr(const char *name)
3363 {
3364 /* The copy_up hook above sets the initial context on an inode, but we
3365 * don't then want to overwrite it by blindly copying all the lower
3366 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3367 */
3368 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3369 return 1; /* Discard */
3370 /*
3371 * Any other attribute apart from SELINUX is not claimed, supported
3372 * by selinux.
3373 */
3374 return -EOPNOTSUPP;
3375 }
3376
3377 /* file security operations */
3378
3379 static int selinux_revalidate_file_permission(struct file *file, int mask)
3380 {
3381 const struct cred *cred = current_cred();
3382 struct inode *inode = file_inode(file);
3383
3384 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3385 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3386 mask |= MAY_APPEND;
3387
3388 return file_has_perm(cred, file,
3389 file_mask_to_av(inode->i_mode, mask));
3390 }
3391
3392 static int selinux_file_permission(struct file *file, int mask)
3393 {
3394 struct inode *inode = file_inode(file);
3395 struct file_security_struct *fsec = selinux_file(file);
3396 struct inode_security_struct *isec;
3397 u32 sid = current_sid();
3398
3399 if (!mask)
3400 /* No permission to check. Existence test. */
3401 return 0;
3402
3403 isec = inode_security(inode);
3404 if (sid == fsec->sid && fsec->isid == isec->sid &&
3405 fsec->pseqno == avc_policy_seqno())
3406 /* No change since file_open check. */
3407 return 0;
3408
3409 return selinux_revalidate_file_permission(file, mask);
3410 }
3411
3412 static int selinux_file_alloc_security(struct file *file)
3413 {
3414 return file_alloc_security(file);
3415 }
3416
3417 /*
3418 * Check whether a task has the ioctl permission and cmd
3419 * operation to an inode.
3420 */
3421 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3422 u32 requested, u16 cmd)
3423 {
3424 struct common_audit_data ad;
3425 struct file_security_struct *fsec = selinux_file(file);
3426 struct inode *inode = file_inode(file);
3427 struct inode_security_struct *isec;
3428 struct lsm_ioctlop_audit ioctl;
3429 u32 ssid = cred_sid(cred);
3430 int rc;
3431 u8 driver = cmd >> 8;
3432 u8 xperm = cmd & 0xff;
3433
3434 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3435 ad.u.op = &ioctl;
3436 ad.u.op->cmd = cmd;
3437 ad.u.op->path = file->f_path;
3438
3439 if (ssid != fsec->sid) {
3440 rc = avc_has_perm(ssid, fsec->sid,
3441 SECCLASS_FD,
3442 FD__USE,
3443 &ad);
3444 if (rc)
3445 goto out;
3446 }
3447
3448 if (unlikely(IS_PRIVATE(inode)))
3449 return 0;
3450
3451 isec = inode_security(inode);
3452 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3453 requested, driver, xperm, &ad);
3454 out:
3455 return rc;
3456 }
3457
3458 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3459 unsigned long arg)
3460 {
3461 const struct cred *cred = current_cred();
3462 int error = 0;
3463
3464 switch (cmd) {
3465 case FIONREAD:
3466 /* fall through */
3467 case FIBMAP:
3468 /* fall through */
3469 case FIGETBSZ:
3470 /* fall through */
3471 case FS_IOC_GETFLAGS:
3472 /* fall through */
3473 case FS_IOC_GETVERSION:
3474 error = file_has_perm(cred, file, FILE__GETATTR);
3475 break;
3476
3477 case FS_IOC_SETFLAGS:
3478 /* fall through */
3479 case FS_IOC_SETVERSION:
3480 error = file_has_perm(cred, file, FILE__SETATTR);
3481 break;
3482
3483 /* sys_ioctl() checks */
3484 case FIONBIO:
3485 /* fall through */
3486 case FIOASYNC:
3487 error = file_has_perm(cred, file, 0);
3488 break;
3489
3490 case KDSKBENT:
3491 case KDSKBSENT:
3492 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3493 SECURITY_CAP_AUDIT, true);
3494 break;
3495
3496 /* default case assumes that the command will go
3497 * to the file's ioctl() function.
3498 */
3499 default:
3500 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3501 }
3502 return error;
3503 }
3504
3505 static int default_noexec;
3506
3507 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3508 {
3509 const struct cred *cred = current_cred();
3510 u32 sid = cred_sid(cred);
3511 int rc = 0;
3512
3513 if (default_noexec &&
3514 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3515 (!shared && (prot & PROT_WRITE)))) {
3516 /*
3517 * We are making executable an anonymous mapping or a
3518 * private file mapping that will also be writable.
3519 * This has an additional check.
3520 */
3521 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3522 PROCESS__EXECMEM, NULL);
3523 if (rc)
3524 goto error;
3525 }
3526
3527 if (file) {
3528 /* read access is always possible with a mapping */
3529 u32 av = FILE__READ;
3530
3531 /* write access only matters if the mapping is shared */
3532 if (shared && (prot & PROT_WRITE))
3533 av |= FILE__WRITE;
3534
3535 if (prot & PROT_EXEC)
3536 av |= FILE__EXECUTE;
3537
3538 return file_has_perm(cred, file, av);
3539 }
3540
3541 error:
3542 return rc;
3543 }
3544
3545 static int selinux_mmap_addr(unsigned long addr)
3546 {
3547 int rc = 0;
3548
3549 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3550 u32 sid = current_sid();
3551 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3552 MEMPROTECT__MMAP_ZERO, NULL);
3553 }
3554
3555 return rc;
3556 }
3557
3558 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3559 unsigned long prot, unsigned long flags)
3560 {
3561 struct common_audit_data ad;
3562 int rc;
3563
3564 if (file) {
3565 ad.type = LSM_AUDIT_DATA_FILE;
3566 ad.u.file = file;
3567 rc = inode_has_perm(current_cred(), file_inode(file),
3568 FILE__MAP, &ad);
3569 if (rc)
3570 return rc;
3571 }
3572
3573 if (selinux_checkreqprot)
3574 prot = reqprot;
3575
3576 return file_map_prot_check(file, prot,
3577 (flags & MAP_TYPE) == MAP_SHARED);
3578 }
3579
3580 static int selinux_file_mprotect(struct vm_area_struct *vma,
3581 unsigned long reqprot,
3582 unsigned long prot)
3583 {
3584 const struct cred *cred = current_cred();
3585 u32 sid = cred_sid(cred);
3586
3587 if (selinux_checkreqprot)
3588 prot = reqprot;
3589
3590 if (default_noexec &&
3591 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3592 int rc = 0;
3593 if (vma->vm_start >= vma->vm_mm->start_brk &&
3594 vma->vm_end <= vma->vm_mm->brk) {
3595 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3596 PROCESS__EXECHEAP, NULL);
3597 } else if (!vma->vm_file &&
3598 ((vma->vm_start <= vma->vm_mm->start_stack &&
3599 vma->vm_end >= vma->vm_mm->start_stack) ||
3600 vma_is_stack_for_current(vma))) {
3601 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3602 PROCESS__EXECSTACK, NULL);
3603 } else if (vma->vm_file && vma->anon_vma) {
3604 /*
3605 * We are making executable a file mapping that has
3606 * had some COW done. Since pages might have been
3607 * written, check ability to execute the possibly
3608 * modified content. This typically should only
3609 * occur for text relocations.
3610 */
3611 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3612 }
3613 if (rc)
3614 return rc;
3615 }
3616
3617 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3618 }
3619
3620 static int selinux_file_lock(struct file *file, unsigned int cmd)
3621 {
3622 const struct cred *cred = current_cred();
3623
3624 return file_has_perm(cred, file, FILE__LOCK);
3625 }
3626
3627 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3628 unsigned long arg)
3629 {
3630 const struct cred *cred = current_cred();
3631 int err = 0;
3632
3633 switch (cmd) {
3634 case F_SETFL:
3635 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3636 err = file_has_perm(cred, file, FILE__WRITE);
3637 break;
3638 }
3639 /* fall through */
3640 case F_SETOWN:
3641 case F_SETSIG:
3642 case F_GETFL:
3643 case F_GETOWN:
3644 case F_GETSIG:
3645 case F_GETOWNER_UIDS:
3646 /* Just check FD__USE permission */
3647 err = file_has_perm(cred, file, 0);
3648 break;
3649 case F_GETLK:
3650 case F_SETLK:
3651 case F_SETLKW:
3652 case F_OFD_GETLK:
3653 case F_OFD_SETLK:
3654 case F_OFD_SETLKW:
3655 #if BITS_PER_LONG == 32
3656 case F_GETLK64:
3657 case F_SETLK64:
3658 case F_SETLKW64:
3659 #endif
3660 err = file_has_perm(cred, file, FILE__LOCK);
3661 break;
3662 }
3663
3664 return err;
3665 }
3666
3667 static void selinux_file_set_fowner(struct file *file)
3668 {
3669 struct file_security_struct *fsec;
3670
3671 fsec = selinux_file(file);
3672 fsec->fown_sid = current_sid();
3673 }
3674
3675 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3676 struct fown_struct *fown, int signum)
3677 {
3678 struct file *file;
3679 u32 sid = task_sid(tsk);
3680 u32 perm;
3681 struct file_security_struct *fsec;
3682
3683 /* struct fown_struct is never outside the context of a struct file */
3684 file = container_of(fown, struct file, f_owner);
3685
3686 fsec = selinux_file(file);
3687
3688 if (!signum)
3689 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3690 else
3691 perm = signal_to_av(signum);
3692
3693 return avc_has_perm(fsec->fown_sid, sid,
3694 SECCLASS_PROCESS, perm, NULL);
3695 }
3696
3697 static int selinux_file_receive(struct file *file)
3698 {
3699 const struct cred *cred = current_cred();
3700
3701 return file_has_perm(cred, file, file_to_av(file));
3702 }
3703
3704 static int selinux_file_open(struct file *file, const struct cred *cred)
3705 {
3706 struct file_security_struct *fsec;
3707 struct inode_security_struct *isec;
3708
3709 fsec = selinux_file(file);
3710 isec = inode_security(file_inode(file));
3711 /*
3712 * Save inode label and policy sequence number
3713 * at open-time so that selinux_file_permission
3714 * can determine whether revalidation is necessary.
3715 * Task label is already saved in the file security
3716 * struct as its SID.
3717 */
3718 fsec->isid = isec->sid;
3719 fsec->pseqno = avc_policy_seqno();
3720 /*
3721 * Since the inode label or policy seqno may have changed
3722 * between the selinux_inode_permission check and the saving
3723 * of state above, recheck that access is still permitted.
3724 * Otherwise, access might never be revalidated against the
3725 * new inode label or new policy.
3726 * This check is not redundant - do not remove.
3727 */
3728 return file_path_has_perm(cred, file, open_file_to_av(file));
3729 }
3730
3731 /* task security operations */
3732
3733 static int selinux_task_alloc(struct task_struct *task,
3734 unsigned long clone_flags)
3735 {
3736 u32 sid = current_sid();
3737
3738 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3739 }
3740
3741 /*
3742 * prepare a new set of credentials for modification
3743 */
3744 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3745 gfp_t gfp)
3746 {
3747 const struct task_security_struct *old_tsec = selinux_cred(old);
3748 struct task_security_struct *tsec = selinux_cred(new);
3749
3750 *tsec = *old_tsec;
3751
3752 return 0;
3753 }
3754
3755 /*
3756 * transfer the SELinux data to a blank set of creds
3757 */
3758 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3759 {
3760 const struct task_security_struct *old_tsec = selinux_cred(old);
3761 struct task_security_struct *tsec = selinux_cred(new);
3762
3763 *tsec = *old_tsec;
3764 }
3765
3766 /*
3767 * set the security data for a kernel service
3768 * - all the creation contexts are set to unlabelled
3769 */
3770 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3771 {
3772 struct task_security_struct *tsec = selinux_cred(new);
3773 u32 sid = current_sid();
3774 int ret;
3775
3776 ret = avc_has_perm(sid, secid,
3777 SECCLASS_KERNEL_SERVICE,
3778 KERNEL_SERVICE__USE_AS_OVERRIDE,
3779 NULL);
3780 if (ret == 0) {
3781 tsec->sid = secid;
3782 tsec->create_sid = 0;
3783 tsec->keycreate_sid = 0;
3784 tsec->sockcreate_sid = 0;
3785 }
3786 return ret;
3787 }
3788
3789 /*
3790 * set the file creation context in a security record to the same as the
3791 * objective context of the specified inode
3792 */
3793 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3794 {
3795 struct inode_security_struct *isec = inode_security(inode);
3796 struct task_security_struct *tsec = selinux_cred(new);
3797 u32 sid = current_sid();
3798 int ret;
3799
3800 ret = avc_has_perm(sid, isec->sid,
3801 SECCLASS_KERNEL_SERVICE,
3802 KERNEL_SERVICE__CREATE_FILES_AS,
3803 NULL);
3804
3805 if (ret == 0)
3806 tsec->create_sid = isec->sid;
3807 return ret;
3808 }
3809
3810 static int selinux_kernel_module_request(char *kmod_name)
3811 {
3812 struct common_audit_data ad;
3813
3814 ad.type = LSM_AUDIT_DATA_KMOD;
3815 ad.u.kmod_name = kmod_name;
3816
3817 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3818 SYSTEM__MODULE_REQUEST, &ad);
3819 }
3820
3821 static int selinux_kernel_module_from_file(struct file *file)
3822 {
3823 struct common_audit_data ad;
3824 struct inode_security_struct *isec;
3825 struct file_security_struct *fsec;
3826 u32 sid = current_sid();
3827 int rc;
3828
3829 /* init_module */
3830 if (file == NULL)
3831 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3832 SYSTEM__MODULE_LOAD, NULL);
3833
3834 /* finit_module */
3835
3836 ad.type = LSM_AUDIT_DATA_FILE;
3837 ad.u.file = file;
3838
3839 fsec = selinux_file(file);
3840 if (sid != fsec->sid) {
3841 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3842 if (rc)
3843 return rc;
3844 }
3845
3846 isec = inode_security(file_inode(file));
3847 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3848 SYSTEM__MODULE_LOAD, &ad);
3849 }
3850
3851 static int selinux_kernel_read_file(struct file *file,
3852 enum kernel_read_file_id id)
3853 {
3854 int rc = 0;
3855
3856 switch (id) {
3857 case READING_MODULE:
3858 rc = selinux_kernel_module_from_file(file);
3859 break;
3860 default:
3861 break;
3862 }
3863
3864 return rc;
3865 }
3866
3867 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3868 {
3869 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3870 PROCESS__SETPGID, NULL);
3871 }
3872
3873 static int selinux_task_getpgid(struct task_struct *p)
3874 {
3875 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3876 PROCESS__GETPGID, NULL);
3877 }
3878
3879 static int selinux_task_getsid(struct task_struct *p)
3880 {
3881 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3882 PROCESS__GETSESSION, NULL);
3883 }
3884
3885 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3886 {
3887 *secid = task_sid(p);
3888 }
3889
3890 static int selinux_task_setnice(struct task_struct *p, int nice)
3891 {
3892 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3893 PROCESS__SETSCHED, NULL);
3894 }
3895
3896 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3897 {
3898 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3899 PROCESS__SETSCHED, NULL);
3900 }
3901
3902 static int selinux_task_getioprio(struct task_struct *p)
3903 {
3904 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3905 PROCESS__GETSCHED, NULL);
3906 }
3907
3908 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3909 unsigned int flags)
3910 {
3911 u32 av = 0;
3912
3913 if (!flags)
3914 return 0;
3915 if (flags & LSM_PRLIMIT_WRITE)
3916 av |= PROCESS__SETRLIMIT;
3917 if (flags & LSM_PRLIMIT_READ)
3918 av |= PROCESS__GETRLIMIT;
3919 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
3920 SECCLASS_PROCESS, av, NULL);
3921 }
3922
3923 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3924 struct rlimit *new_rlim)
3925 {
3926 struct rlimit *old_rlim = p->signal->rlim + resource;
3927
3928 /* Control the ability to change the hard limit (whether
3929 lowering or raising it), so that the hard limit can
3930 later be used as a safe reset point for the soft limit
3931 upon context transitions. See selinux_bprm_committing_creds. */
3932 if (old_rlim->rlim_max != new_rlim->rlim_max)
3933 return avc_has_perm(current_sid(), task_sid(p),
3934 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
3935
3936 return 0;
3937 }
3938
3939 static int selinux_task_setscheduler(struct task_struct *p)
3940 {
3941 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3942 PROCESS__SETSCHED, NULL);
3943 }
3944
3945 static int selinux_task_getscheduler(struct task_struct *p)
3946 {
3947 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3948 PROCESS__GETSCHED, NULL);
3949 }
3950
3951 static int selinux_task_movememory(struct task_struct *p)
3952 {
3953 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3954 PROCESS__SETSCHED, NULL);
3955 }
3956
3957 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3958 int sig, u32 secid)
3959 {
3960 u32 perm;
3961
3962 if (!sig)
3963 perm = PROCESS__SIGNULL; /* null signal; existence test */
3964 else
3965 perm = signal_to_av(sig);
3966 if (!secid)
3967 secid = current_sid();
3968 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
3969 }
3970
3971 static void selinux_task_to_inode(struct task_struct *p,
3972 struct inode *inode)
3973 {
3974 struct inode_security_struct *isec = selinux_inode(inode);
3975 u32 sid = task_sid(p);
3976
3977 spin_lock(&isec->lock);
3978 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3979 isec->sid = sid;
3980 isec->initialized = LABEL_INITIALIZED;
3981 spin_unlock(&isec->lock);
3982 }
3983
3984 /* Returns error only if unable to parse addresses */
3985 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3986 struct common_audit_data *ad, u8 *proto)
3987 {
3988 int offset, ihlen, ret = -EINVAL;
3989 struct iphdr _iph, *ih;
3990
3991 offset = skb_network_offset(skb);
3992 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3993 if (ih == NULL)
3994 goto out;
3995
3996 ihlen = ih->ihl * 4;
3997 if (ihlen < sizeof(_iph))
3998 goto out;
3999
4000 ad->u.net->v4info.saddr = ih->saddr;
4001 ad->u.net->v4info.daddr = ih->daddr;
4002 ret = 0;
4003
4004 if (proto)
4005 *proto = ih->protocol;
4006
4007 switch (ih->protocol) {
4008 case IPPROTO_TCP: {
4009 struct tcphdr _tcph, *th;
4010
4011 if (ntohs(ih->frag_off) & IP_OFFSET)
4012 break;
4013
4014 offset += ihlen;
4015 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4016 if (th == NULL)
4017 break;
4018
4019 ad->u.net->sport = th->source;
4020 ad->u.net->dport = th->dest;
4021 break;
4022 }
4023
4024 case IPPROTO_UDP: {
4025 struct udphdr _udph, *uh;
4026
4027 if (ntohs(ih->frag_off) & IP_OFFSET)
4028 break;
4029
4030 offset += ihlen;
4031 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4032 if (uh == NULL)
4033 break;
4034
4035 ad->u.net->sport = uh->source;
4036 ad->u.net->dport = uh->dest;
4037 break;
4038 }
4039
4040 case IPPROTO_DCCP: {
4041 struct dccp_hdr _dccph, *dh;
4042
4043 if (ntohs(ih->frag_off) & IP_OFFSET)
4044 break;
4045
4046 offset += ihlen;
4047 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4048 if (dh == NULL)
4049 break;
4050
4051 ad->u.net->sport = dh->dccph_sport;
4052 ad->u.net->dport = dh->dccph_dport;
4053 break;
4054 }
4055
4056 default:
4057 break;
4058 }
4059 out:
4060 return ret;
4061 }
4062
4063 #if IS_ENABLED(CONFIG_IPV6)
4064
4065 /* Returns error only if unable to parse addresses */
4066 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4067 struct common_audit_data *ad, u8 *proto)
4068 {
4069 u8 nexthdr;
4070 int ret = -EINVAL, offset;
4071 struct ipv6hdr _ipv6h, *ip6;
4072 __be16 frag_off;
4073
4074 offset = skb_network_offset(skb);
4075 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4076 if (ip6 == NULL)
4077 goto out;
4078
4079 ad->u.net->v6info.saddr = ip6->saddr;
4080 ad->u.net->v6info.daddr = ip6->daddr;
4081 ret = 0;
4082
4083 nexthdr = ip6->nexthdr;
4084 offset += sizeof(_ipv6h);
4085 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4086 if (offset < 0)
4087 goto out;
4088
4089 if (proto)
4090 *proto = nexthdr;
4091
4092 switch (nexthdr) {
4093 case IPPROTO_TCP: {
4094 struct tcphdr _tcph, *th;
4095
4096 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4097 if (th == NULL)
4098 break;
4099
4100 ad->u.net->sport = th->source;
4101 ad->u.net->dport = th->dest;
4102 break;
4103 }
4104
4105 case IPPROTO_UDP: {
4106 struct udphdr _udph, *uh;
4107
4108 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4109 if (uh == NULL)
4110 break;
4111
4112 ad->u.net->sport = uh->source;
4113 ad->u.net->dport = uh->dest;
4114 break;
4115 }
4116
4117 case IPPROTO_DCCP: {
4118 struct dccp_hdr _dccph, *dh;
4119
4120 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4121 if (dh == NULL)
4122 break;
4123
4124 ad->u.net->sport = dh->dccph_sport;
4125 ad->u.net->dport = dh->dccph_dport;
4126 break;
4127 }
4128
4129 /* includes fragments */
4130 default:
4131 break;
4132 }
4133 out:
4134 return ret;
4135 }
4136
4137 #endif /* IPV6 */
4138
4139 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4140 char **_addrp, int src, u8 *proto)
4141 {
4142 char *addrp;
4143 int ret;
4144
4145 switch (ad->u.net->family) {
4146 case PF_INET:
4147 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4148 if (ret)
4149 goto parse_error;
4150 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4151 &ad->u.net->v4info.daddr);
4152 goto okay;
4153
4154 #if IS_ENABLED(CONFIG_IPV6)
4155 case PF_INET6:
4156 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4157 if (ret)
4158 goto parse_error;
4159 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4160 &ad->u.net->v6info.daddr);
4161 goto okay;
4162 #endif /* IPV6 */
4163 default:
4164 addrp = NULL;
4165 goto okay;
4166 }
4167
4168 parse_error:
4169 printk(KERN_WARNING
4170 "SELinux: failure in selinux_parse_skb(),"
4171 " unable to parse packet\n");
4172 return ret;
4173
4174 okay:
4175 if (_addrp)
4176 *_addrp = addrp;
4177 return 0;
4178 }
4179
4180 /**
4181 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4182 * @skb: the packet
4183 * @family: protocol family
4184 * @sid: the packet's peer label SID
4185 *
4186 * Description:
4187 * Check the various different forms of network peer labeling and determine
4188 * the peer label/SID for the packet; most of the magic actually occurs in
4189 * the security server function security_net_peersid_cmp(). The function
4190 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4191 * or -EACCES if @sid is invalid due to inconsistencies with the different
4192 * peer labels.
4193 *
4194 */
4195 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4196 {
4197 int err;
4198 u32 xfrm_sid;
4199 u32 nlbl_sid;
4200 u32 nlbl_type;
4201
4202 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4203 if (unlikely(err))
4204 return -EACCES;
4205 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4206 if (unlikely(err))
4207 return -EACCES;
4208
4209 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4210 if (unlikely(err)) {
4211 printk(KERN_WARNING
4212 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4213 " unable to determine packet's peer label\n");
4214 return -EACCES;
4215 }
4216
4217 return 0;
4218 }
4219
4220 /**
4221 * selinux_conn_sid - Determine the child socket label for a connection
4222 * @sk_sid: the parent socket's SID
4223 * @skb_sid: the packet's SID
4224 * @conn_sid: the resulting connection SID
4225 *
4226 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4227 * combined with the MLS information from @skb_sid in order to create
4228 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4229 * of @sk_sid. Returns zero on success, negative values on failure.
4230 *
4231 */
4232 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4233 {
4234 int err = 0;
4235
4236 if (skb_sid != SECSID_NULL)
4237 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4238 else
4239 *conn_sid = sk_sid;
4240
4241 return err;
4242 }
4243
4244 /* socket security operations */
4245
4246 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4247 u16 secclass, u32 *socksid)
4248 {
4249 if (tsec->sockcreate_sid > SECSID_NULL) {
4250 *socksid = tsec->sockcreate_sid;
4251 return 0;
4252 }
4253
4254 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4255 socksid);
4256 }
4257
4258 static int sock_has_perm(struct sock *sk, u32 perms)
4259 {
4260 struct sk_security_struct *sksec = selinux_sock(sk);
4261 struct common_audit_data ad;
4262 struct lsm_network_audit net = {0,};
4263
4264 if (sksec->sid == SECINITSID_KERNEL)
4265 return 0;
4266
4267 ad.type = LSM_AUDIT_DATA_NET;
4268 ad.u.net = &net;
4269 ad.u.net->sk = sk;
4270
4271 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4272 &ad);
4273 }
4274
4275 static int selinux_socket_create(int family, int type,
4276 int protocol, int kern)
4277 {
4278 const struct task_security_struct *tsec = selinux_cred(current_cred());
4279 u32 newsid;
4280 u16 secclass;
4281 int rc;
4282
4283 if (kern)
4284 return 0;
4285
4286 secclass = socket_type_to_security_class(family, type, protocol);
4287 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4288 if (rc)
4289 return rc;
4290
4291 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4292 }
4293
4294 static int selinux_socket_post_create(struct socket *sock, int family,
4295 int type, int protocol, int kern)
4296 {
4297 const struct task_security_struct *tsec = selinux_cred(current_cred());
4298 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4299 struct sk_security_struct *sksec;
4300 u16 sclass = socket_type_to_security_class(family, type, protocol);
4301 u32 sid = SECINITSID_KERNEL;
4302 int err = 0;
4303
4304 if (!kern) {
4305 err = socket_sockcreate_sid(tsec, sclass, &sid);
4306 if (err)
4307 return err;
4308 }
4309
4310 isec->sclass = sclass;
4311 isec->sid = sid;
4312 isec->initialized = LABEL_INITIALIZED;
4313
4314 if (sock->sk) {
4315 sksec = selinux_sock(sock->sk);
4316 sksec->sclass = sclass;
4317 sksec->sid = sid;
4318 err = selinux_netlbl_socket_post_create(sock->sk, family);
4319 }
4320
4321 return err;
4322 }
4323
4324 /* Range of port numbers used to automatically bind.
4325 Need to determine whether we should perform a name_bind
4326 permission check between the socket and the port number. */
4327
4328 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4329 {
4330 struct sock *sk = sock->sk;
4331 u16 family;
4332 int err;
4333
4334 err = sock_has_perm(sk, SOCKET__BIND);
4335 if (err)
4336 goto out;
4337
4338 /*
4339 * If PF_INET or PF_INET6, check name_bind permission for the port.
4340 * Multiple address binding for SCTP is not supported yet: we just
4341 * check the first address now.
4342 */
4343 family = sk->sk_family;
4344 if (family == PF_INET || family == PF_INET6) {
4345 char *addrp;
4346 struct sk_security_struct *sksec = selinux_sock(sk);
4347 struct common_audit_data ad;
4348 struct lsm_network_audit net = {0,};
4349 struct sockaddr_in *addr4 = NULL;
4350 struct sockaddr_in6 *addr6 = NULL;
4351 unsigned short snum;
4352 u32 sid, node_perm;
4353
4354 if (family == PF_INET) {
4355 if (addrlen < sizeof(struct sockaddr_in)) {
4356 err = -EINVAL;
4357 goto out;
4358 }
4359 addr4 = (struct sockaddr_in *)address;
4360 snum = ntohs(addr4->sin_port);
4361 addrp = (char *)&addr4->sin_addr.s_addr;
4362 } else {
4363 if (addrlen < SIN6_LEN_RFC2133) {
4364 err = -EINVAL;
4365 goto out;
4366 }
4367 addr6 = (struct sockaddr_in6 *)address;
4368 snum = ntohs(addr6->sin6_port);
4369 addrp = (char *)&addr6->sin6_addr.s6_addr;
4370 }
4371
4372 if (snum) {
4373 int low, high;
4374
4375 inet_get_local_port_range(sock_net(sk), &low, &high);
4376
4377 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4378 snum > high) {
4379 err = sel_netport_sid(sk->sk_protocol,
4380 snum, &sid);
4381 if (err)
4382 goto out;
4383 ad.type = LSM_AUDIT_DATA_NET;
4384 ad.u.net = &net;
4385 ad.u.net->sport = htons(snum);
4386 ad.u.net->family = family;
4387 err = avc_has_perm(sksec->sid, sid,
4388 sksec->sclass,
4389 SOCKET__NAME_BIND, &ad);
4390 if (err)
4391 goto out;
4392 }
4393 }
4394
4395 switch (sksec->sclass) {
4396 case SECCLASS_TCP_SOCKET:
4397 node_perm = TCP_SOCKET__NODE_BIND;
4398 break;
4399
4400 case SECCLASS_UDP_SOCKET:
4401 node_perm = UDP_SOCKET__NODE_BIND;
4402 break;
4403
4404 case SECCLASS_DCCP_SOCKET:
4405 node_perm = DCCP_SOCKET__NODE_BIND;
4406 break;
4407
4408 default:
4409 node_perm = RAWIP_SOCKET__NODE_BIND;
4410 break;
4411 }
4412
4413 err = sel_netnode_sid(addrp, family, &sid);
4414 if (err)
4415 goto out;
4416
4417 ad.type = LSM_AUDIT_DATA_NET;
4418 ad.u.net = &net;
4419 ad.u.net->sport = htons(snum);
4420 ad.u.net->family = family;
4421
4422 if (family == PF_INET)
4423 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4424 else
4425 ad.u.net->v6info.saddr = addr6->sin6_addr;
4426
4427 err = avc_has_perm(sksec->sid, sid,
4428 sksec->sclass, node_perm, &ad);
4429 if (err)
4430 goto out;
4431 }
4432 out:
4433 return err;
4434 }
4435
4436 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4437 {
4438 struct sock *sk = sock->sk;
4439 struct sk_security_struct *sksec = selinux_sock(sk);
4440 int err;
4441
4442 err = sock_has_perm(sk, SOCKET__CONNECT);
4443 if (err)
4444 return err;
4445
4446 /*
4447 * If a TCP or DCCP socket, check name_connect permission for the port.
4448 */
4449 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4450 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4451 struct common_audit_data ad;
4452 struct lsm_network_audit net = {0,};
4453 struct sockaddr_in *addr4 = NULL;
4454 struct sockaddr_in6 *addr6 = NULL;
4455 unsigned short snum;
4456 u32 sid, perm;
4457
4458 if (sk->sk_family == PF_INET) {
4459 addr4 = (struct sockaddr_in *)address;
4460 if (addrlen < sizeof(struct sockaddr_in))
4461 return -EINVAL;
4462 snum = ntohs(addr4->sin_port);
4463 } else {
4464 addr6 = (struct sockaddr_in6 *)address;
4465 if (addrlen < SIN6_LEN_RFC2133)
4466 return -EINVAL;
4467 snum = ntohs(addr6->sin6_port);
4468 }
4469
4470 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4471 if (err)
4472 goto out;
4473
4474 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4475 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4476
4477 ad.type = LSM_AUDIT_DATA_NET;
4478 ad.u.net = &net;
4479 ad.u.net->dport = htons(snum);
4480 ad.u.net->family = sk->sk_family;
4481 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4482 if (err)
4483 goto out;
4484 }
4485
4486 err = selinux_netlbl_socket_connect(sk, address);
4487
4488 out:
4489 return err;
4490 }
4491
4492 static int selinux_socket_listen(struct socket *sock, int backlog)
4493 {
4494 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4495 }
4496
4497 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4498 {
4499 int err;
4500 struct inode_security_struct *isec;
4501 struct inode_security_struct *newisec;
4502 u16 sclass;
4503 u32 sid;
4504
4505 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4506 if (err)
4507 return err;
4508
4509 isec = inode_security_novalidate(SOCK_INODE(sock));
4510 spin_lock(&isec->lock);
4511 sclass = isec->sclass;
4512 sid = isec->sid;
4513 spin_unlock(&isec->lock);
4514
4515 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4516 newisec->sclass = sclass;
4517 newisec->sid = sid;
4518 newisec->initialized = LABEL_INITIALIZED;
4519
4520 return 0;
4521 }
4522
4523 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4524 int size)
4525 {
4526 return sock_has_perm(sock->sk, SOCKET__WRITE);
4527 }
4528
4529 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4530 int size, int flags)
4531 {
4532 return sock_has_perm(sock->sk, SOCKET__READ);
4533 }
4534
4535 static int selinux_socket_getsockname(struct socket *sock)
4536 {
4537 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4538 }
4539
4540 static int selinux_socket_getpeername(struct socket *sock)
4541 {
4542 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4543 }
4544
4545 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4546 {
4547 int err;
4548
4549 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4550 if (err)
4551 return err;
4552
4553 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4554 }
4555
4556 static int selinux_socket_getsockopt(struct socket *sock, int level,
4557 int optname)
4558 {
4559 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4560 }
4561
4562 static int selinux_socket_shutdown(struct socket *sock, int how)
4563 {
4564 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4565 }
4566
4567 static int selinux_socket_unix_stream_connect(struct sock *sock,
4568 struct sock *other,
4569 struct sock *newsk)
4570 {
4571 struct sk_security_struct *sksec_sock = selinux_sock(sock);
4572 struct sk_security_struct *sksec_other = selinux_sock(other);
4573 struct sk_security_struct *sksec_new = selinux_sock(newsk);
4574 struct common_audit_data ad;
4575 struct lsm_network_audit net = {0,};
4576 int err;
4577
4578 ad.type = LSM_AUDIT_DATA_NET;
4579 ad.u.net = &net;
4580 ad.u.net->sk = other;
4581
4582 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4583 sksec_other->sclass,
4584 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4585 if (err)
4586 return err;
4587
4588 /* server child socket */
4589 sksec_new->peer_sid = sksec_sock->sid;
4590 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4591 &sksec_new->sid);
4592 if (err)
4593 return err;
4594
4595 /* connecting socket */
4596 sksec_sock->peer_sid = sksec_new->sid;
4597
4598 return 0;
4599 }
4600
4601 static int selinux_socket_unix_may_send(struct socket *sock,
4602 struct socket *other)
4603 {
4604 struct sk_security_struct *ssec = selinux_sock(sock->sk);
4605 struct sk_security_struct *osec = selinux_sock(other->sk);
4606 struct common_audit_data ad;
4607 struct lsm_network_audit net = {0,};
4608
4609 ad.type = LSM_AUDIT_DATA_NET;
4610 ad.u.net = &net;
4611 ad.u.net->sk = other->sk;
4612
4613 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4614 &ad);
4615 }
4616
4617 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4618 char *addrp, u16 family, u32 peer_sid,
4619 struct common_audit_data *ad)
4620 {
4621 int err;
4622 u32 if_sid;
4623 u32 node_sid;
4624
4625 err = sel_netif_sid(ns, ifindex, &if_sid);
4626 if (err)
4627 return err;
4628 err = avc_has_perm(peer_sid, if_sid,
4629 SECCLASS_NETIF, NETIF__INGRESS, ad);
4630 if (err)
4631 return err;
4632
4633 err = sel_netnode_sid(addrp, family, &node_sid);
4634 if (err)
4635 return err;
4636 return avc_has_perm(peer_sid, node_sid,
4637 SECCLASS_NODE, NODE__RECVFROM, ad);
4638 }
4639
4640 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4641 u16 family)
4642 {
4643 int err = 0;
4644 struct sk_security_struct *sksec = selinux_sock(sk);
4645 u32 sk_sid = sksec->sid;
4646 struct common_audit_data ad;
4647 struct lsm_network_audit net = {0,};
4648 char *addrp;
4649
4650 ad.type = LSM_AUDIT_DATA_NET;
4651 ad.u.net = &net;
4652 ad.u.net->netif = skb->skb_iif;
4653 ad.u.net->family = family;
4654 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4655 if (err)
4656 return err;
4657
4658 if (selinux_secmark_enabled()) {
4659 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4660 PACKET__RECV, &ad);
4661 if (err)
4662 return err;
4663 }
4664
4665 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4666 if (err)
4667 return err;
4668 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4669
4670 return err;
4671 }
4672
4673 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4674 {
4675 int err;
4676 struct sk_security_struct *sksec = selinux_sock(sk);
4677 u16 family = sk->sk_family;
4678 u32 sk_sid = sksec->sid;
4679 struct common_audit_data ad;
4680 struct lsm_network_audit net = {0,};
4681 char *addrp;
4682 u8 secmark_active;
4683 u8 peerlbl_active;
4684
4685 if (family != PF_INET && family != PF_INET6)
4686 return 0;
4687
4688 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4689 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4690 family = PF_INET;
4691
4692 /* If any sort of compatibility mode is enabled then handoff processing
4693 * to the selinux_sock_rcv_skb_compat() function to deal with the
4694 * special handling. We do this in an attempt to keep this function
4695 * as fast and as clean as possible. */
4696 if (!selinux_policycap_netpeer)
4697 return selinux_sock_rcv_skb_compat(sk, skb, family);
4698
4699 secmark_active = selinux_secmark_enabled();
4700 peerlbl_active = selinux_peerlbl_enabled();
4701 if (!secmark_active && !peerlbl_active)
4702 return 0;
4703
4704 ad.type = LSM_AUDIT_DATA_NET;
4705 ad.u.net = &net;
4706 ad.u.net->netif = skb->skb_iif;
4707 ad.u.net->family = family;
4708 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4709 if (err)
4710 return err;
4711
4712 if (peerlbl_active) {
4713 u32 peer_sid;
4714
4715 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4716 if (err)
4717 return err;
4718 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4719 addrp, family, peer_sid, &ad);
4720 if (err) {
4721 selinux_netlbl_err(skb, family, err, 0);
4722 return err;
4723 }
4724 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4725 PEER__RECV, &ad);
4726 if (err) {
4727 selinux_netlbl_err(skb, family, err, 0);
4728 return err;
4729 }
4730 }
4731
4732 if (secmark_active) {
4733 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4734 PACKET__RECV, &ad);
4735 if (err)
4736 return err;
4737 }
4738
4739 return err;
4740 }
4741
4742 static int selinux_socket_getpeersec_stream(struct socket *sock,
4743 __user char *optval,
4744 __user int *optlen,
4745 unsigned int len)
4746 {
4747 int err = 0;
4748 char *scontext;
4749 u32 scontext_len;
4750 struct sk_security_struct *sksec = selinux_sock(sock->sk);
4751 u32 peer_sid = SECSID_NULL;
4752
4753 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4754 sksec->sclass == SECCLASS_TCP_SOCKET)
4755 peer_sid = sksec->peer_sid;
4756 if (peer_sid == SECSID_NULL)
4757 return -ENOPROTOOPT;
4758
4759 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4760 if (err)
4761 return err;
4762
4763 if (scontext_len > len) {
4764 err = -ERANGE;
4765 goto out_len;
4766 }
4767
4768 if (copy_to_user(optval, scontext, scontext_len))
4769 err = -EFAULT;
4770
4771 out_len:
4772 if (put_user(scontext_len, optlen))
4773 err = -EFAULT;
4774 kfree(scontext);
4775 return err;
4776 }
4777
4778 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4779 {
4780 u32 peer_secid = SECSID_NULL;
4781 u16 family;
4782 struct inode_security_struct *isec;
4783
4784 if (skb && skb->protocol == htons(ETH_P_IP))
4785 family = PF_INET;
4786 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4787 family = PF_INET6;
4788 else if (sock)
4789 family = sock->sk->sk_family;
4790 else
4791 goto out;
4792
4793 if (sock && family == PF_UNIX) {
4794 isec = inode_security_novalidate(SOCK_INODE(sock));
4795 peer_secid = isec->sid;
4796 } else if (skb)
4797 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4798
4799 out:
4800 *secid = peer_secid;
4801 if (peer_secid == SECSID_NULL)
4802 return -EINVAL;
4803 return 0;
4804 }
4805
4806 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4807 {
4808 struct sk_security_struct *sksec = selinux_sock(sk);
4809
4810 sksec->peer_sid = SECINITSID_UNLABELED;
4811 sksec->sid = SECINITSID_UNLABELED;
4812 sksec->sclass = SECCLASS_SOCKET;
4813 selinux_netlbl_sk_security_reset(sksec);
4814
4815 return 0;
4816 }
4817
4818 static void selinux_sk_free_security(struct sock *sk)
4819 {
4820 struct sk_security_struct *sksec = selinux_sock(sk);
4821
4822 selinux_netlbl_sk_security_free(sksec);
4823 }
4824
4825 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4826 {
4827 struct sk_security_struct *sksec = selinux_sock(sk);
4828 struct sk_security_struct *newsksec = selinux_sock(newsk);
4829
4830 newsksec->sid = sksec->sid;
4831 newsksec->peer_sid = sksec->peer_sid;
4832 newsksec->sclass = sksec->sclass;
4833
4834 selinux_netlbl_sk_security_reset(newsksec);
4835 }
4836
4837 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4838 {
4839 if (!sk)
4840 *secid = SECINITSID_ANY_SOCKET;
4841 else {
4842 struct sk_security_struct *sksec = selinux_sock(sk);
4843
4844 *secid = sksec->sid;
4845 }
4846 }
4847
4848 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4849 {
4850 struct inode_security_struct *isec =
4851 inode_security_novalidate(SOCK_INODE(parent));
4852 struct sk_security_struct *sksec = selinux_sock(sk);
4853
4854 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4855 sk->sk_family == PF_UNIX)
4856 isec->sid = sksec->sid;
4857 sksec->sclass = isec->sclass;
4858 }
4859
4860 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4861 struct request_sock *req)
4862 {
4863 struct sk_security_struct *sksec = selinux_sock(sk);
4864 int err;
4865 u16 family = req->rsk_ops->family;
4866 u32 connsid;
4867 u32 peersid;
4868
4869 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4870 if (err)
4871 return err;
4872 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4873 if (err)
4874 return err;
4875 req->secid = connsid;
4876 req->peer_secid = peersid;
4877
4878 return selinux_netlbl_inet_conn_request(req, family);
4879 }
4880
4881 static void selinux_inet_csk_clone(struct sock *newsk,
4882 const struct request_sock *req)
4883 {
4884 struct sk_security_struct *newsksec = selinux_sock(newsk);
4885
4886 newsksec->sid = req->secid;
4887 newsksec->peer_sid = req->peer_secid;
4888 /* NOTE: Ideally, we should also get the isec->sid for the
4889 new socket in sync, but we don't have the isec available yet.
4890 So we will wait until sock_graft to do it, by which
4891 time it will have been created and available. */
4892
4893 /* We don't need to take any sort of lock here as we are the only
4894 * thread with access to newsksec */
4895 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4896 }
4897
4898 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4899 {
4900 u16 family = sk->sk_family;
4901 struct sk_security_struct *sksec = selinux_sock(sk);
4902
4903 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4904 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4905 family = PF_INET;
4906
4907 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4908 }
4909
4910 static int selinux_secmark_relabel_packet(u32 sid)
4911 {
4912 const struct task_security_struct *__tsec;
4913 u32 tsid;
4914
4915 __tsec = selinux_cred(current_cred());
4916 tsid = __tsec->sid;
4917
4918 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4919 }
4920
4921 static void selinux_secmark_refcount_inc(void)
4922 {
4923 atomic_inc(&selinux_secmark_refcount);
4924 }
4925
4926 static void selinux_secmark_refcount_dec(void)
4927 {
4928 atomic_dec(&selinux_secmark_refcount);
4929 }
4930
4931 static void selinux_req_classify_flow(const struct request_sock *req,
4932 struct flowi *fl)
4933 {
4934 fl->flowi_secid = req->secid;
4935 }
4936
4937 static int selinux_tun_dev_alloc_security(void **security)
4938 {
4939 struct tun_security_struct *tunsec;
4940
4941 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4942 if (!tunsec)
4943 return -ENOMEM;
4944 tunsec->sid = current_sid();
4945
4946 *security = tunsec;
4947 return 0;
4948 }
4949
4950 static void selinux_tun_dev_free_security(void *security)
4951 {
4952 kfree(security);
4953 }
4954
4955 static int selinux_tun_dev_create(void)
4956 {
4957 u32 sid = current_sid();
4958
4959 /* we aren't taking into account the "sockcreate" SID since the socket
4960 * that is being created here is not a socket in the traditional sense,
4961 * instead it is a private sock, accessible only to the kernel, and
4962 * representing a wide range of network traffic spanning multiple
4963 * connections unlike traditional sockets - check the TUN driver to
4964 * get a better understanding of why this socket is special */
4965
4966 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4967 NULL);
4968 }
4969
4970 static int selinux_tun_dev_attach_queue(void *security)
4971 {
4972 struct tun_security_struct *tunsec = security;
4973
4974 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4975 TUN_SOCKET__ATTACH_QUEUE, NULL);
4976 }
4977
4978 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4979 {
4980 struct tun_security_struct *tunsec = security;
4981 struct sk_security_struct *sksec = selinux_sock(sk);
4982
4983 /* we don't currently perform any NetLabel based labeling here and it
4984 * isn't clear that we would want to do so anyway; while we could apply
4985 * labeling without the support of the TUN user the resulting labeled
4986 * traffic from the other end of the connection would almost certainly
4987 * cause confusion to the TUN user that had no idea network labeling
4988 * protocols were being used */
4989
4990 sksec->sid = tunsec->sid;
4991 sksec->sclass = SECCLASS_TUN_SOCKET;
4992
4993 return 0;
4994 }
4995
4996 static int selinux_tun_dev_open(void *security)
4997 {
4998 struct tun_security_struct *tunsec = security;
4999 u32 sid = current_sid();
5000 int err;
5001
5002 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5003 TUN_SOCKET__RELABELFROM, NULL);
5004 if (err)
5005 return err;
5006 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5007 TUN_SOCKET__RELABELTO, NULL);
5008 if (err)
5009 return err;
5010 tunsec->sid = sid;
5011
5012 return 0;
5013 }
5014
5015 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5016 {
5017 int err = 0;
5018 u32 perm;
5019 struct nlmsghdr *nlh;
5020 struct sk_security_struct *sksec = selinux_sock(sk);
5021
5022 if (skb->len < NLMSG_HDRLEN) {
5023 err = -EINVAL;
5024 goto out;
5025 }
5026 nlh = nlmsg_hdr(skb);
5027
5028 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5029 if (err) {
5030 if (err == -EINVAL) {
5031 pr_warn_ratelimited("SELinux: unrecognized netlink"
5032 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5033 " pig=%d comm=%s\n",
5034 sk->sk_protocol, nlh->nlmsg_type,
5035 secclass_map[sksec->sclass - 1].name,
5036 task_pid_nr(current), current->comm);
5037 if (!selinux_enforcing || security_get_allow_unknown())
5038 err = 0;
5039 }
5040
5041 /* Ignore */
5042 if (err == -ENOENT)
5043 err = 0;
5044 goto out;
5045 }
5046
5047 err = sock_has_perm(sk, perm);
5048 out:
5049 return err;
5050 }
5051
5052 #ifdef CONFIG_NETFILTER
5053
5054 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5055 const struct net_device *indev,
5056 u16 family)
5057 {
5058 int err;
5059 char *addrp;
5060 u32 peer_sid;
5061 struct common_audit_data ad;
5062 struct lsm_network_audit net = {0,};
5063 u8 secmark_active;
5064 u8 netlbl_active;
5065 u8 peerlbl_active;
5066
5067 if (!selinux_policycap_netpeer)
5068 return NF_ACCEPT;
5069
5070 secmark_active = selinux_secmark_enabled();
5071 netlbl_active = netlbl_enabled();
5072 peerlbl_active = selinux_peerlbl_enabled();
5073 if (!secmark_active && !peerlbl_active)
5074 return NF_ACCEPT;
5075
5076 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5077 return NF_DROP;
5078
5079 ad.type = LSM_AUDIT_DATA_NET;
5080 ad.u.net = &net;
5081 ad.u.net->netif = indev->ifindex;
5082 ad.u.net->family = family;
5083 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5084 return NF_DROP;
5085
5086 if (peerlbl_active) {
5087 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5088 addrp, family, peer_sid, &ad);
5089 if (err) {
5090 selinux_netlbl_err(skb, family, err, 1);
5091 return NF_DROP;
5092 }
5093 }
5094
5095 if (secmark_active)
5096 if (avc_has_perm(peer_sid, skb->secmark,
5097 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5098 return NF_DROP;
5099
5100 if (netlbl_active)
5101 /* we do this in the FORWARD path and not the POST_ROUTING
5102 * path because we want to make sure we apply the necessary
5103 * labeling before IPsec is applied so we can leverage AH
5104 * protection */
5105 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5106 return NF_DROP;
5107
5108 return NF_ACCEPT;
5109 }
5110
5111 static unsigned int selinux_ipv4_forward(void *priv,
5112 struct sk_buff *skb,
5113 const struct nf_hook_state *state)
5114 {
5115 return selinux_ip_forward(skb, state->in, PF_INET);
5116 }
5117
5118 #if IS_ENABLED(CONFIG_IPV6)
5119 static unsigned int selinux_ipv6_forward(void *priv,
5120 struct sk_buff *skb,
5121 const struct nf_hook_state *state)
5122 {
5123 return selinux_ip_forward(skb, state->in, PF_INET6);
5124 }
5125 #endif /* IPV6 */
5126
5127 static unsigned int selinux_ip_output(struct sk_buff *skb,
5128 u16 family)
5129 {
5130 struct sock *sk;
5131 u32 sid;
5132
5133 if (!netlbl_enabled())
5134 return NF_ACCEPT;
5135
5136 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5137 * because we want to make sure we apply the necessary labeling
5138 * before IPsec is applied so we can leverage AH protection */
5139 sk = skb->sk;
5140 if (sk) {
5141 struct sk_security_struct *sksec;
5142
5143 if (sk_listener(sk))
5144 /* if the socket is the listening state then this
5145 * packet is a SYN-ACK packet which means it needs to
5146 * be labeled based on the connection/request_sock and
5147 * not the parent socket. unfortunately, we can't
5148 * lookup the request_sock yet as it isn't queued on
5149 * the parent socket until after the SYN-ACK is sent.
5150 * the "solution" is to simply pass the packet as-is
5151 * as any IP option based labeling should be copied
5152 * from the initial connection request (in the IP
5153 * layer). it is far from ideal, but until we get a
5154 * security label in the packet itself this is the
5155 * best we can do. */
5156 return NF_ACCEPT;
5157
5158 /* standard practice, label using the parent socket */
5159 sksec = selinux_sock(sk);
5160 sid = sksec->sid;
5161 } else
5162 sid = SECINITSID_KERNEL;
5163 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5164 return NF_DROP;
5165
5166 return NF_ACCEPT;
5167 }
5168
5169 static unsigned int selinux_ipv4_output(void *priv,
5170 struct sk_buff *skb,
5171 const struct nf_hook_state *state)
5172 {
5173 return selinux_ip_output(skb, PF_INET);
5174 }
5175
5176 #if IS_ENABLED(CONFIG_IPV6)
5177 static unsigned int selinux_ipv6_output(void *priv,
5178 struct sk_buff *skb,
5179 const struct nf_hook_state *state)
5180 {
5181 return selinux_ip_output(skb, PF_INET6);
5182 }
5183 #endif /* IPV6 */
5184
5185 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5186 int ifindex,
5187 u16 family)
5188 {
5189 struct sock *sk = skb_to_full_sk(skb);
5190 struct sk_security_struct *sksec;
5191 struct common_audit_data ad;
5192 struct lsm_network_audit net = {0,};
5193 char *addrp;
5194 u8 proto;
5195
5196 if (sk == NULL)
5197 return NF_ACCEPT;
5198 sksec = selinux_sock(sk);
5199
5200 ad.type = LSM_AUDIT_DATA_NET;
5201 ad.u.net = &net;
5202 ad.u.net->netif = ifindex;
5203 ad.u.net->family = family;
5204 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5205 return NF_DROP;
5206
5207 if (selinux_secmark_enabled())
5208 if (avc_has_perm(sksec->sid, skb->secmark,
5209 SECCLASS_PACKET, PACKET__SEND, &ad))
5210 return NF_DROP_ERR(-ECONNREFUSED);
5211
5212 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5213 return NF_DROP_ERR(-ECONNREFUSED);
5214
5215 return NF_ACCEPT;
5216 }
5217
5218 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5219 const struct net_device *outdev,
5220 u16 family)
5221 {
5222 u32 secmark_perm;
5223 u32 peer_sid;
5224 int ifindex = outdev->ifindex;
5225 struct sock *sk;
5226 struct common_audit_data ad;
5227 struct lsm_network_audit net = {0,};
5228 char *addrp;
5229 u8 secmark_active;
5230 u8 peerlbl_active;
5231
5232 /* If any sort of compatibility mode is enabled then handoff processing
5233 * to the selinux_ip_postroute_compat() function to deal with the
5234 * special handling. We do this in an attempt to keep this function
5235 * as fast and as clean as possible. */
5236 if (!selinux_policycap_netpeer)
5237 return selinux_ip_postroute_compat(skb, ifindex, family);
5238
5239 secmark_active = selinux_secmark_enabled();
5240 peerlbl_active = selinux_peerlbl_enabled();
5241 if (!secmark_active && !peerlbl_active)
5242 return NF_ACCEPT;
5243
5244 sk = skb_to_full_sk(skb);
5245
5246 #ifdef CONFIG_XFRM
5247 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5248 * packet transformation so allow the packet to pass without any checks
5249 * since we'll have another chance to perform access control checks
5250 * when the packet is on it's final way out.
5251 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5252 * is NULL, in this case go ahead and apply access control.
5253 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5254 * TCP listening state we cannot wait until the XFRM processing
5255 * is done as we will miss out on the SA label if we do;
5256 * unfortunately, this means more work, but it is only once per
5257 * connection. */
5258 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5259 !(sk && sk_listener(sk)))
5260 return NF_ACCEPT;
5261 #endif
5262
5263 if (sk == NULL) {
5264 /* Without an associated socket the packet is either coming
5265 * from the kernel or it is being forwarded; check the packet
5266 * to determine which and if the packet is being forwarded
5267 * query the packet directly to determine the security label. */
5268 if (skb->skb_iif) {
5269 secmark_perm = PACKET__FORWARD_OUT;
5270 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5271 return NF_DROP;
5272 } else {
5273 secmark_perm = PACKET__SEND;
5274 peer_sid = SECINITSID_KERNEL;
5275 }
5276 } else if (sk_listener(sk)) {
5277 /* Locally generated packet but the associated socket is in the
5278 * listening state which means this is a SYN-ACK packet. In
5279 * this particular case the correct security label is assigned
5280 * to the connection/request_sock but unfortunately we can't
5281 * query the request_sock as it isn't queued on the parent
5282 * socket until after the SYN-ACK packet is sent; the only
5283 * viable choice is to regenerate the label like we do in
5284 * selinux_inet_conn_request(). See also selinux_ip_output()
5285 * for similar problems. */
5286 u32 skb_sid;
5287 struct sk_security_struct *sksec;
5288
5289 sksec = selinux_sock(sk);
5290 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5291 return NF_DROP;
5292 /* At this point, if the returned skb peerlbl is SECSID_NULL
5293 * and the packet has been through at least one XFRM
5294 * transformation then we must be dealing with the "final"
5295 * form of labeled IPsec packet; since we've already applied
5296 * all of our access controls on this packet we can safely
5297 * pass the packet. */
5298 if (skb_sid == SECSID_NULL) {
5299 switch (family) {
5300 case PF_INET:
5301 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5302 return NF_ACCEPT;
5303 break;
5304 case PF_INET6:
5305 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5306 return NF_ACCEPT;
5307 break;
5308 default:
5309 return NF_DROP_ERR(-ECONNREFUSED);
5310 }
5311 }
5312 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5313 return NF_DROP;
5314 secmark_perm = PACKET__SEND;
5315 } else {
5316 /* Locally generated packet, fetch the security label from the
5317 * associated socket. */
5318 struct sk_security_struct *sksec = selinux_sock(sk);
5319 peer_sid = sksec->sid;
5320 secmark_perm = PACKET__SEND;
5321 }
5322
5323 ad.type = LSM_AUDIT_DATA_NET;
5324 ad.u.net = &net;
5325 ad.u.net->netif = ifindex;
5326 ad.u.net->family = family;
5327 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5328 return NF_DROP;
5329
5330 if (secmark_active)
5331 if (avc_has_perm(peer_sid, skb->secmark,
5332 SECCLASS_PACKET, secmark_perm, &ad))
5333 return NF_DROP_ERR(-ECONNREFUSED);
5334
5335 if (peerlbl_active) {
5336 u32 if_sid;
5337 u32 node_sid;
5338
5339 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5340 return NF_DROP;
5341 if (avc_has_perm(peer_sid, if_sid,
5342 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5343 return NF_DROP_ERR(-ECONNREFUSED);
5344
5345 if (sel_netnode_sid(addrp, family, &node_sid))
5346 return NF_DROP;
5347 if (avc_has_perm(peer_sid, node_sid,
5348 SECCLASS_NODE, NODE__SENDTO, &ad))
5349 return NF_DROP_ERR(-ECONNREFUSED);
5350 }
5351
5352 return NF_ACCEPT;
5353 }
5354
5355 static unsigned int selinux_ipv4_postroute(void *priv,
5356 struct sk_buff *skb,
5357 const struct nf_hook_state *state)
5358 {
5359 return selinux_ip_postroute(skb, state->out, PF_INET);
5360 }
5361
5362 #if IS_ENABLED(CONFIG_IPV6)
5363 static unsigned int selinux_ipv6_postroute(void *priv,
5364 struct sk_buff *skb,
5365 const struct nf_hook_state *state)
5366 {
5367 return selinux_ip_postroute(skb, state->out, PF_INET6);
5368 }
5369 #endif /* IPV6 */
5370
5371 #endif /* CONFIG_NETFILTER */
5372
5373 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5374 {
5375 return selinux_nlmsg_perm(sk, skb);
5376 }
5377
5378 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5379 {
5380 isec->sclass = sclass;
5381 isec->sid = current_sid();
5382 }
5383
5384 static int msg_msg_alloc_security(struct msg_msg *msg)
5385 {
5386 struct msg_security_struct *msec;
5387
5388 msec = selinux_msg_msg(msg);
5389 msec->sid = SECINITSID_UNLABELED;
5390
5391 return 0;
5392 }
5393
5394 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5395 u32 perms)
5396 {
5397 struct ipc_security_struct *isec;
5398 struct common_audit_data ad;
5399 u32 sid = current_sid();
5400
5401 isec = selinux_ipc(ipc_perms);
5402
5403 ad.type = LSM_AUDIT_DATA_IPC;
5404 ad.u.ipc_id = ipc_perms->key;
5405
5406 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5407 }
5408
5409 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5410 {
5411 return msg_msg_alloc_security(msg);
5412 }
5413
5414 /* message queue security operations */
5415 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5416 {
5417 struct ipc_security_struct *isec;
5418 struct common_audit_data ad;
5419 u32 sid = current_sid();
5420 int rc;
5421
5422 isec = selinux_ipc(&msq->q_perm);
5423 ipc_init_security(isec, SECCLASS_MSGQ);
5424
5425 ad.type = LSM_AUDIT_DATA_IPC;
5426 ad.u.ipc_id = msq->q_perm.key;
5427
5428 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5429 MSGQ__CREATE, &ad);
5430 return rc;
5431 }
5432
5433 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5434 {
5435 struct ipc_security_struct *isec;
5436 struct common_audit_data ad;
5437 u32 sid = current_sid();
5438
5439 isec = selinux_ipc(&msq->q_perm);
5440
5441 ad.type = LSM_AUDIT_DATA_IPC;
5442 ad.u.ipc_id = msq->q_perm.key;
5443
5444 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5445 MSGQ__ASSOCIATE, &ad);
5446 }
5447
5448 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5449 {
5450 int err;
5451 int perms;
5452
5453 switch (cmd) {
5454 case IPC_INFO:
5455 case MSG_INFO:
5456 /* No specific object, just general system-wide information. */
5457 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5458 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5459 case IPC_STAT:
5460 case MSG_STAT:
5461 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5462 break;
5463 case IPC_SET:
5464 perms = MSGQ__SETATTR;
5465 break;
5466 case IPC_RMID:
5467 perms = MSGQ__DESTROY;
5468 break;
5469 default:
5470 return 0;
5471 }
5472
5473 err = ipc_has_perm(&msq->q_perm, perms);
5474 return err;
5475 }
5476
5477 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5478 {
5479 struct ipc_security_struct *isec;
5480 struct msg_security_struct *msec;
5481 struct common_audit_data ad;
5482 u32 sid = current_sid();
5483 int rc;
5484
5485 isec = selinux_ipc(&msq->q_perm);
5486 msec = selinux_msg_msg(msg);
5487
5488 /*
5489 * First time through, need to assign label to the message
5490 */
5491 if (msec->sid == SECINITSID_UNLABELED) {
5492 /*
5493 * Compute new sid based on current process and
5494 * message queue this message will be stored in
5495 */
5496 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5497 NULL, &msec->sid);
5498 if (rc)
5499 return rc;
5500 }
5501
5502 ad.type = LSM_AUDIT_DATA_IPC;
5503 ad.u.ipc_id = msq->q_perm.key;
5504
5505 /* Can this process write to the queue? */
5506 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5507 MSGQ__WRITE, &ad);
5508 if (!rc)
5509 /* Can this process send the message */
5510 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5511 MSG__SEND, &ad);
5512 if (!rc)
5513 /* Can the message be put in the queue? */
5514 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5515 MSGQ__ENQUEUE, &ad);
5516
5517 return rc;
5518 }
5519
5520 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5521 struct task_struct *target,
5522 long type, int mode)
5523 {
5524 struct ipc_security_struct *isec;
5525 struct msg_security_struct *msec;
5526 struct common_audit_data ad;
5527 u32 sid = task_sid(target);
5528 int rc;
5529
5530 isec = selinux_ipc(&msq->q_perm);
5531 msec = selinux_msg_msg(msg);
5532
5533 ad.type = LSM_AUDIT_DATA_IPC;
5534 ad.u.ipc_id = msq->q_perm.key;
5535
5536 rc = avc_has_perm(sid, isec->sid,
5537 SECCLASS_MSGQ, MSGQ__READ, &ad);
5538 if (!rc)
5539 rc = avc_has_perm(sid, msec->sid,
5540 SECCLASS_MSG, MSG__RECEIVE, &ad);
5541 return rc;
5542 }
5543
5544 /* Shared Memory security operations */
5545 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5546 {
5547 struct ipc_security_struct *isec;
5548 struct common_audit_data ad;
5549 u32 sid = current_sid();
5550 int rc;
5551
5552 isec = selinux_ipc(&shp->shm_perm);
5553 ipc_init_security(isec, SECCLASS_SHM);
5554
5555 ad.type = LSM_AUDIT_DATA_IPC;
5556 ad.u.ipc_id = shp->shm_perm.key;
5557
5558 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5559 SHM__CREATE, &ad);
5560 return rc;
5561 }
5562
5563 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5564 {
5565 struct ipc_security_struct *isec;
5566 struct common_audit_data ad;
5567 u32 sid = current_sid();
5568
5569 isec = selinux_ipc(&shp->shm_perm);
5570
5571 ad.type = LSM_AUDIT_DATA_IPC;
5572 ad.u.ipc_id = shp->shm_perm.key;
5573
5574 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5575 SHM__ASSOCIATE, &ad);
5576 }
5577
5578 /* Note, at this point, shp is locked down */
5579 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5580 {
5581 int perms;
5582 int err;
5583
5584 switch (cmd) {
5585 case IPC_INFO:
5586 case SHM_INFO:
5587 /* No specific object, just general system-wide information. */
5588 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5589 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5590 case IPC_STAT:
5591 case SHM_STAT:
5592 perms = SHM__GETATTR | SHM__ASSOCIATE;
5593 break;
5594 case IPC_SET:
5595 perms = SHM__SETATTR;
5596 break;
5597 case SHM_LOCK:
5598 case SHM_UNLOCK:
5599 perms = SHM__LOCK;
5600 break;
5601 case IPC_RMID:
5602 perms = SHM__DESTROY;
5603 break;
5604 default:
5605 return 0;
5606 }
5607
5608 err = ipc_has_perm(&shp->shm_perm, perms);
5609 return err;
5610 }
5611
5612 static int selinux_shm_shmat(struct shmid_kernel *shp,
5613 char __user *shmaddr, int shmflg)
5614 {
5615 u32 perms;
5616
5617 if (shmflg & SHM_RDONLY)
5618 perms = SHM__READ;
5619 else
5620 perms = SHM__READ | SHM__WRITE;
5621
5622 return ipc_has_perm(&shp->shm_perm, perms);
5623 }
5624
5625 /* Semaphore security operations */
5626 static int selinux_sem_alloc_security(struct sem_array *sma)
5627 {
5628 struct ipc_security_struct *isec;
5629 struct common_audit_data ad;
5630 u32 sid = current_sid();
5631 int rc;
5632
5633 isec = selinux_ipc(&sma->sem_perm);
5634 ipc_init_security(isec, SECCLASS_SEM);
5635
5636 ad.type = LSM_AUDIT_DATA_IPC;
5637 ad.u.ipc_id = sma->sem_perm.key;
5638
5639 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5640 SEM__CREATE, &ad);
5641 return rc;
5642 }
5643
5644 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5645 {
5646 struct ipc_security_struct *isec;
5647 struct common_audit_data ad;
5648 u32 sid = current_sid();
5649
5650 isec = selinux_ipc(&sma->sem_perm);
5651
5652 ad.type = LSM_AUDIT_DATA_IPC;
5653 ad.u.ipc_id = sma->sem_perm.key;
5654
5655 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5656 SEM__ASSOCIATE, &ad);
5657 }
5658
5659 /* Note, at this point, sma is locked down */
5660 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5661 {
5662 int err;
5663 u32 perms;
5664
5665 switch (cmd) {
5666 case IPC_INFO:
5667 case SEM_INFO:
5668 /* No specific object, just general system-wide information. */
5669 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5670 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5671 case GETPID:
5672 case GETNCNT:
5673 case GETZCNT:
5674 perms = SEM__GETATTR;
5675 break;
5676 case GETVAL:
5677 case GETALL:
5678 perms = SEM__READ;
5679 break;
5680 case SETVAL:
5681 case SETALL:
5682 perms = SEM__WRITE;
5683 break;
5684 case IPC_RMID:
5685 perms = SEM__DESTROY;
5686 break;
5687 case IPC_SET:
5688 perms = SEM__SETATTR;
5689 break;
5690 case IPC_STAT:
5691 case SEM_STAT:
5692 perms = SEM__GETATTR | SEM__ASSOCIATE;
5693 break;
5694 default:
5695 return 0;
5696 }
5697
5698 err = ipc_has_perm(&sma->sem_perm, perms);
5699 return err;
5700 }
5701
5702 static int selinux_sem_semop(struct sem_array *sma,
5703 struct sembuf *sops, unsigned nsops, int alter)
5704 {
5705 u32 perms;
5706
5707 if (alter)
5708 perms = SEM__READ | SEM__WRITE;
5709 else
5710 perms = SEM__READ;
5711
5712 return ipc_has_perm(&sma->sem_perm, perms);
5713 }
5714
5715 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5716 {
5717 u32 av = 0;
5718
5719 av = 0;
5720 if (flag & S_IRUGO)
5721 av |= IPC__UNIX_READ;
5722 if (flag & S_IWUGO)
5723 av |= IPC__UNIX_WRITE;
5724
5725 if (av == 0)
5726 return 0;
5727
5728 return ipc_has_perm(ipcp, av);
5729 }
5730
5731 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5732 {
5733 struct ipc_security_struct *isec = selinux_ipc(ipcp);
5734 *secid = isec->sid;
5735 }
5736
5737 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5738 {
5739 if (inode)
5740 inode_doinit_with_dentry(inode, dentry);
5741 }
5742
5743 static int selinux_getprocattr(struct task_struct *p,
5744 char *name, char **value)
5745 {
5746 const struct task_security_struct *__tsec;
5747 u32 sid;
5748 int error;
5749 unsigned len;
5750
5751 rcu_read_lock();
5752 __tsec = selinux_cred(__task_cred(p));
5753
5754 if (current != p) {
5755 error = avc_has_perm(current_sid(), __tsec->sid,
5756 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5757 if (error)
5758 goto bad;
5759 }
5760
5761 if (!strcmp(name, "current"))
5762 sid = __tsec->sid;
5763 else if (!strcmp(name, "prev"))
5764 sid = __tsec->osid;
5765 else if (!strcmp(name, "exec"))
5766 sid = __tsec->exec_sid;
5767 else if (!strcmp(name, "fscreate"))
5768 sid = __tsec->create_sid;
5769 else if (!strcmp(name, "keycreate"))
5770 sid = __tsec->keycreate_sid;
5771 else if (!strcmp(name, "sockcreate"))
5772 sid = __tsec->sockcreate_sid;
5773 else {
5774 error = -EINVAL;
5775 goto bad;
5776 }
5777 rcu_read_unlock();
5778
5779 if (!sid)
5780 return 0;
5781
5782 error = security_sid_to_context(sid, value, &len);
5783 if (error)
5784 return error;
5785 return len;
5786
5787 bad:
5788 rcu_read_unlock();
5789 return error;
5790 }
5791
5792 static int selinux_setprocattr(const char *name, void *value, size_t size)
5793 {
5794 struct task_security_struct *tsec;
5795 struct cred *new;
5796 u32 mysid = current_sid(), sid = 0, ptsid;
5797 int error;
5798 char *str = value;
5799
5800 /*
5801 * Basic control over ability to set these attributes at all.
5802 */
5803 if (!strcmp(name, "exec"))
5804 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5805 PROCESS__SETEXEC, NULL);
5806 else if (!strcmp(name, "fscreate"))
5807 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5808 PROCESS__SETFSCREATE, NULL);
5809 else if (!strcmp(name, "keycreate"))
5810 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5811 PROCESS__SETKEYCREATE, NULL);
5812 else if (!strcmp(name, "sockcreate"))
5813 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5814 PROCESS__SETSOCKCREATE, NULL);
5815 else if (!strcmp(name, "current"))
5816 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5817 PROCESS__SETCURRENT, NULL);
5818 else
5819 error = -EINVAL;
5820 if (error)
5821 return error;
5822
5823 /* Obtain a SID for the context, if one was specified. */
5824 if (size && str[0] && str[0] != '\n') {
5825 if (str[size-1] == '\n') {
5826 str[size-1] = 0;
5827 size--;
5828 }
5829 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5830 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5831 if (!has_cap_mac_admin(true)) {
5832 struct audit_buffer *ab;
5833 size_t audit_size;
5834
5835 /* We strip a nul only if it is at the end, otherwise the
5836 * context contains a nul and we should audit that */
5837 if (str[size - 1] == '\0')
5838 audit_size = size - 1;
5839 else
5840 audit_size = size;
5841 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5842 audit_log_format(ab, "op=fscreate invalid_context=");
5843 audit_log_n_untrustedstring(ab, value, audit_size);
5844 audit_log_end(ab);
5845
5846 return error;
5847 }
5848 error = security_context_to_sid_force(value, size,
5849 &sid);
5850 }
5851 if (error)
5852 return error;
5853 }
5854
5855 new = prepare_creds();
5856 if (!new)
5857 return -ENOMEM;
5858
5859 /* Permission checking based on the specified context is
5860 performed during the actual operation (execve,
5861 open/mkdir/...), when we know the full context of the
5862 operation. See selinux_bprm_set_creds for the execve
5863 checks and may_create for the file creation checks. The
5864 operation will then fail if the context is not permitted. */
5865 tsec = selinux_cred(new);
5866 if (!strcmp(name, "exec")) {
5867 tsec->exec_sid = sid;
5868 } else if (!strcmp(name, "fscreate")) {
5869 tsec->create_sid = sid;
5870 } else if (!strcmp(name, "keycreate")) {
5871 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
5872 NULL);
5873 if (error)
5874 goto abort_change;
5875 tsec->keycreate_sid = sid;
5876 } else if (!strcmp(name, "sockcreate")) {
5877 tsec->sockcreate_sid = sid;
5878 } else if (!strcmp(name, "current")) {
5879 error = -EINVAL;
5880 if (sid == 0)
5881 goto abort_change;
5882
5883 /* Only allow single threaded processes to change context */
5884 error = -EPERM;
5885 if (!current_is_single_threaded()) {
5886 error = security_bounded_transition(tsec->sid, sid);
5887 if (error)
5888 goto abort_change;
5889 }
5890
5891 /* Check permissions for the transition. */
5892 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5893 PROCESS__DYNTRANSITION, NULL);
5894 if (error)
5895 goto abort_change;
5896
5897 /* Check for ptracing, and update the task SID if ok.
5898 Otherwise, leave SID unchanged and fail. */
5899 ptsid = ptrace_parent_sid();
5900 if (ptsid != 0) {
5901 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5902 PROCESS__PTRACE, NULL);
5903 if (error)
5904 goto abort_change;
5905 }
5906
5907 tsec->sid = sid;
5908 } else {
5909 error = -EINVAL;
5910 goto abort_change;
5911 }
5912
5913 commit_creds(new);
5914 return size;
5915
5916 abort_change:
5917 abort_creds(new);
5918 return error;
5919 }
5920
5921 static int selinux_ismaclabel(const char *name)
5922 {
5923 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5924 }
5925
5926 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5927 {
5928 return security_sid_to_context(secid, secdata, seclen);
5929 }
5930
5931 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5932 {
5933 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5934 }
5935
5936 static void selinux_release_secctx(char *secdata, u32 seclen)
5937 {
5938 kfree(secdata);
5939 }
5940
5941 static void selinux_inode_invalidate_secctx(struct inode *inode)
5942 {
5943 struct inode_security_struct *isec = selinux_inode(inode);
5944
5945 spin_lock(&isec->lock);
5946 isec->initialized = LABEL_INVALID;
5947 spin_unlock(&isec->lock);
5948 }
5949
5950 /*
5951 * called with inode->i_mutex locked
5952 */
5953 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5954 {
5955 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5956 }
5957
5958 /*
5959 * called with inode->i_mutex locked
5960 */
5961 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5962 {
5963 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5964 }
5965
5966 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5967 {
5968 int len = 0;
5969 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5970 ctx, true);
5971 if (len < 0)
5972 return len;
5973 *ctxlen = len;
5974 return 0;
5975 }
5976 #ifdef CONFIG_KEYS
5977
5978 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5979 unsigned long flags)
5980 {
5981 const struct task_security_struct *tsec;
5982 struct key_security_struct *ksec = selinux_key(k);
5983
5984 tsec = selinux_cred(cred);
5985 if (tsec->keycreate_sid)
5986 ksec->sid = tsec->keycreate_sid;
5987 else
5988 ksec->sid = tsec->sid;
5989
5990 return 0;
5991 }
5992
5993 static int selinux_key_permission(key_ref_t key_ref,
5994 const struct cred *cred,
5995 unsigned perm)
5996 {
5997 struct key *key;
5998 struct key_security_struct *ksec;
5999 u32 sid;
6000
6001 /* if no specific permissions are requested, we skip the
6002 permission check. No serious, additional covert channels
6003 appear to be created. */
6004 if (perm == 0)
6005 return 0;
6006
6007 sid = cred_sid(cred);
6008
6009 key = key_ref_to_ptr(key_ref);
6010 ksec = selinux_key(key);
6011
6012 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6013 }
6014
6015 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6016 {
6017 struct key_security_struct *ksec = selinux_key(key);
6018 char *context = NULL;
6019 unsigned len;
6020 int rc;
6021
6022 rc = security_sid_to_context(ksec->sid, &context, &len);
6023 if (!rc)
6024 rc = len;
6025 *_buffer = context;
6026 return rc;
6027 }
6028 #endif
6029
6030 #ifdef CONFIG_SECURITY_INFINIBAND
6031 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6032 {
6033 struct common_audit_data ad;
6034 int err;
6035 u32 sid = 0;
6036 struct ib_security_struct *sec = ib_sec;
6037 struct lsm_ibpkey_audit ibpkey;
6038
6039 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6040 if (err)
6041 return err;
6042
6043 ad.type = LSM_AUDIT_DATA_IBPKEY;
6044 ibpkey.subnet_prefix = subnet_prefix;
6045 ibpkey.pkey = pkey_val;
6046 ad.u.ibpkey = &ibpkey;
6047 return avc_has_perm(sec->sid, sid,
6048 SECCLASS_INFINIBAND_PKEY,
6049 INFINIBAND_PKEY__ACCESS, &ad);
6050 }
6051
6052 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6053 u8 port_num)
6054 {
6055 struct common_audit_data ad;
6056 int err;
6057 u32 sid = 0;
6058 struct ib_security_struct *sec = ib_sec;
6059 struct lsm_ibendport_audit ibendport;
6060
6061 err = security_ib_endport_sid(dev_name, port_num, &sid);
6062
6063 if (err)
6064 return err;
6065
6066 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6067 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6068 ibendport.port = port_num;
6069 ad.u.ibendport = &ibendport;
6070 return avc_has_perm(sec->sid, sid,
6071 SECCLASS_INFINIBAND_ENDPORT,
6072 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6073 }
6074
6075 static int selinux_ib_alloc_security(void **ib_sec)
6076 {
6077 struct ib_security_struct *sec;
6078
6079 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6080 if (!sec)
6081 return -ENOMEM;
6082 sec->sid = current_sid();
6083
6084 *ib_sec = sec;
6085 return 0;
6086 }
6087
6088 static void selinux_ib_free_security(void *ib_sec)
6089 {
6090 kfree(ib_sec);
6091 }
6092 #endif
6093
6094 #ifdef CONFIG_BPF_SYSCALL
6095 static int selinux_bpf(int cmd, union bpf_attr *attr,
6096 unsigned int size)
6097 {
6098 u32 sid = current_sid();
6099 int ret;
6100
6101 switch (cmd) {
6102 case BPF_MAP_CREATE:
6103 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6104 NULL);
6105 break;
6106 case BPF_PROG_LOAD:
6107 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6108 NULL);
6109 break;
6110 default:
6111 ret = 0;
6112 break;
6113 }
6114
6115 return ret;
6116 }
6117
6118 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6119 {
6120 u32 av = 0;
6121
6122 if (fmode & FMODE_READ)
6123 av |= BPF__MAP_READ;
6124 if (fmode & FMODE_WRITE)
6125 av |= BPF__MAP_WRITE;
6126 return av;
6127 }
6128
6129 /* This function will check the file pass through unix socket or binder to see
6130 * if it is a bpf related object. And apply correspinding checks on the bpf
6131 * object based on the type. The bpf maps and programs, not like other files and
6132 * socket, are using a shared anonymous inode inside the kernel as their inode.
6133 * So checking that inode cannot identify if the process have privilege to
6134 * access the bpf object and that's why we have to add this additional check in
6135 * selinux_file_receive and selinux_binder_transfer_files.
6136 */
6137 static int bpf_fd_pass(struct file *file, u32 sid)
6138 {
6139 struct bpf_security_struct *bpfsec;
6140 struct bpf_prog *prog;
6141 struct bpf_map *map;
6142 int ret;
6143
6144 if (file->f_op == &bpf_map_fops) {
6145 map = file->private_data;
6146 bpfsec = map->security;
6147 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6148 bpf_map_fmode_to_av(file->f_mode), NULL);
6149 if (ret)
6150 return ret;
6151 } else if (file->f_op == &bpf_prog_fops) {
6152 prog = file->private_data;
6153 bpfsec = prog->aux->security;
6154 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6155 BPF__PROG_RUN, NULL);
6156 if (ret)
6157 return ret;
6158 }
6159 return 0;
6160 }
6161
6162 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6163 {
6164 u32 sid = current_sid();
6165 struct bpf_security_struct *bpfsec;
6166
6167 bpfsec = map->security;
6168 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6169 bpf_map_fmode_to_av(fmode), NULL);
6170 }
6171
6172 static int selinux_bpf_prog(struct bpf_prog *prog)
6173 {
6174 u32 sid = current_sid();
6175 struct bpf_security_struct *bpfsec;
6176
6177 bpfsec = prog->aux->security;
6178 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6179 BPF__PROG_RUN, NULL);
6180 }
6181
6182 static int selinux_bpf_map_alloc(struct bpf_map *map)
6183 {
6184 struct bpf_security_struct *bpfsec;
6185
6186 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6187 if (!bpfsec)
6188 return -ENOMEM;
6189
6190 bpfsec->sid = current_sid();
6191 map->security = bpfsec;
6192
6193 return 0;
6194 }
6195
6196 static void selinux_bpf_map_free(struct bpf_map *map)
6197 {
6198 struct bpf_security_struct *bpfsec = map->security;
6199
6200 map->security = NULL;
6201 kfree(bpfsec);
6202 }
6203
6204 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6205 {
6206 struct bpf_security_struct *bpfsec;
6207
6208 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6209 if (!bpfsec)
6210 return -ENOMEM;
6211
6212 bpfsec->sid = current_sid();
6213 aux->security = bpfsec;
6214
6215 return 0;
6216 }
6217
6218 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6219 {
6220 struct bpf_security_struct *bpfsec = aux->security;
6221
6222 aux->security = NULL;
6223 kfree(bpfsec);
6224 }
6225 #endif
6226
6227 struct lsm_blob_sizes selinux_blob_sizes = {
6228 .lbs_cred = sizeof(struct task_security_struct),
6229 .lbs_file = sizeof(struct file_security_struct),
6230 .lbs_inode = sizeof(struct inode_security_struct),
6231 .lbs_ipc = sizeof(struct ipc_security_struct),
6232 #ifdef CONFIG_KEYS
6233 .lbs_key = sizeof(struct key_security_struct),
6234 #endif /* CONFIG_KEYS */
6235 .lbs_msg_msg = sizeof(struct msg_security_struct),
6236 .lbs_sock = sizeof(struct sk_security_struct),
6237 .lbs_superblock = sizeof(struct superblock_security_struct),
6238 };
6239
6240 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6241 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6242 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6243 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6244 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6245
6246 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6247 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6248 LSM_HOOK_INIT(capget, selinux_capget),
6249 LSM_HOOK_INIT(capset, selinux_capset),
6250 LSM_HOOK_INIT(capable, selinux_capable),
6251 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6252 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6253 LSM_HOOK_INIT(syslog, selinux_syslog),
6254 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6255
6256 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6257
6258 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6259 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6260 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6261
6262 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6263 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6264 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6265 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6266 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6267 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6268 LSM_HOOK_INIT(sb_mount, selinux_mount),
6269 LSM_HOOK_INIT(sb_umount, selinux_umount),
6270 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6271 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6272 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6273
6274 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6275 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6276
6277 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6278 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6279 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6280 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6281 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6282 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6283 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6284 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6285 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6286 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6287 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6288 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6289 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6290 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6291 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6292 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6293 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6294 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6295 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6296 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6297 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6298 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6299 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6300 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6301 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6302 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6303 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6304
6305 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6306 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6307 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6308 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6309 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6310 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6311 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6312 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6313 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6314 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6315 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6316
6317 LSM_HOOK_INIT(file_open, selinux_file_open),
6318
6319 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6320 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6321 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6322 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6323 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6324 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6325 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6326 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6327 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6328 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6329 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6330 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6331 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6332 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6333 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6334 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6335 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6336 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6337 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6338 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6339 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6340
6341 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6342 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6343
6344 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6345
6346 LSM_HOOK_INIT(msg_queue_alloc_security,
6347 selinux_msg_queue_alloc_security),
6348 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6349 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6350 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6351 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6352
6353 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6354 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6355 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6356 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6357
6358 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6359 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6360 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6361 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6362
6363 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6364
6365 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6366 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6367
6368 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6369 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6370 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6371 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6372 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6373 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6374 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6375 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6376
6377 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6378 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6379
6380 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6381 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6382 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6383 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6384 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6385 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6386 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6387 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6388 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6389 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6390 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6391 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6392 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6393 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6394 LSM_HOOK_INIT(socket_getpeersec_stream,
6395 selinux_socket_getpeersec_stream),
6396 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6397 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6398 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6399 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6400 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6401 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6402 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6403 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6404 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6405 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6406 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6407 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6408 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6409 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6410 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6411 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6412 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6413 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6414 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6415 #ifdef CONFIG_SECURITY_INFINIBAND
6416 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6417 LSM_HOOK_INIT(ib_endport_manage_subnet,
6418 selinux_ib_endport_manage_subnet),
6419 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6420 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6421 #endif
6422 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6423 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6424 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6425 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6426 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6427 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6428 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6429 selinux_xfrm_state_alloc_acquire),
6430 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6431 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6432 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6433 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6434 selinux_xfrm_state_pol_flow_match),
6435 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6436 #endif
6437
6438 #ifdef CONFIG_KEYS
6439 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6440 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6441 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6442 #endif
6443
6444 #ifdef CONFIG_AUDIT
6445 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6446 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6447 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6448 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6449 #endif
6450
6451 #ifdef CONFIG_BPF_SYSCALL
6452 LSM_HOOK_INIT(bpf, selinux_bpf),
6453 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
6454 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
6455 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
6456 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
6457 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
6458 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
6459 #endif
6460 };
6461
6462 static __init int selinux_init(void)
6463 {
6464 static int finish;
6465
6466 if (!security_module_enable("selinux",
6467 IS_ENABLED(CONFIG_SECURITY_SELINUX_STACKED))) {
6468 selinux_enabled = 0;
6469 return 0;
6470 }
6471
6472 if (!finish) {
6473 security_add_blobs(&selinux_blob_sizes);
6474 finish = 1;
6475 return 0;
6476 }
6477
6478 if (!selinux_enabled) {
6479 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6480 return 0;
6481 }
6482
6483 printk(KERN_INFO "SELinux: Initializing.\n");
6484
6485 /* Set the security state for the initial task. */
6486 cred_init_security();
6487
6488 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6489
6490 avc_init();
6491
6492 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6493
6494 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6495 panic("SELinux: Unable to register AVC netcache callback\n");
6496
6497 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6498 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6499
6500 if (selinux_enforcing)
6501 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6502 else
6503 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6504
6505 return 0;
6506 }
6507
6508 static void delayed_superblock_init(struct super_block *sb, void *unused)
6509 {
6510 superblock_doinit(sb, NULL);
6511 }
6512
6513 void selinux_complete_init(void)
6514 {
6515 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6516
6517 /* Set up any superblocks initialized prior to the policy load. */
6518 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6519 iterate_supers(delayed_superblock_init, NULL);
6520 }
6521
6522 /* SELinux requires early initialization in order to label
6523 all processes and objects when they are created. */
6524 security_initcall(selinux_init);
6525
6526 #if defined(CONFIG_NETFILTER)
6527
6528 static const struct nf_hook_ops selinux_nf_ops[] = {
6529 {
6530 .hook = selinux_ipv4_postroute,
6531 .pf = NFPROTO_IPV4,
6532 .hooknum = NF_INET_POST_ROUTING,
6533 .priority = NF_IP_PRI_SELINUX_LAST,
6534 },
6535 {
6536 .hook = selinux_ipv4_forward,
6537 .pf = NFPROTO_IPV4,
6538 .hooknum = NF_INET_FORWARD,
6539 .priority = NF_IP_PRI_SELINUX_FIRST,
6540 },
6541 {
6542 .hook = selinux_ipv4_output,
6543 .pf = NFPROTO_IPV4,
6544 .hooknum = NF_INET_LOCAL_OUT,
6545 .priority = NF_IP_PRI_SELINUX_FIRST,
6546 },
6547 #if IS_ENABLED(CONFIG_IPV6)
6548 {
6549 .hook = selinux_ipv6_postroute,
6550 .pf = NFPROTO_IPV6,
6551 .hooknum = NF_INET_POST_ROUTING,
6552 .priority = NF_IP6_PRI_SELINUX_LAST,
6553 },
6554 {
6555 .hook = selinux_ipv6_forward,
6556 .pf = NFPROTO_IPV6,
6557 .hooknum = NF_INET_FORWARD,
6558 .priority = NF_IP6_PRI_SELINUX_FIRST,
6559 },
6560 {
6561 .hook = selinux_ipv6_output,
6562 .pf = NFPROTO_IPV6,
6563 .hooknum = NF_INET_LOCAL_OUT,
6564 .priority = NF_IP6_PRI_SELINUX_FIRST,
6565 },
6566 #endif /* IPV6 */
6567 };
6568
6569 static int __net_init selinux_nf_register(struct net *net)
6570 {
6571 return nf_register_net_hooks(net, selinux_nf_ops,
6572 ARRAY_SIZE(selinux_nf_ops));
6573 }
6574
6575 static void __net_exit selinux_nf_unregister(struct net *net)
6576 {
6577 nf_unregister_net_hooks(net, selinux_nf_ops,
6578 ARRAY_SIZE(selinux_nf_ops));
6579 }
6580
6581 static struct pernet_operations selinux_net_ops = {
6582 .init = selinux_nf_register,
6583 .exit = selinux_nf_unregister,
6584 };
6585
6586 static int __init selinux_nf_ip_init(void)
6587 {
6588 int err;
6589
6590 if (!selinux_enabled)
6591 return 0;
6592
6593 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6594
6595 err = register_pernet_subsys(&selinux_net_ops);
6596 if (err)
6597 panic("SELinux: register_pernet_subsys: error %d\n", err);
6598
6599 return 0;
6600 }
6601 __initcall(selinux_nf_ip_init);
6602
6603 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6604 static void selinux_nf_ip_exit(void)
6605 {
6606 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6607
6608 unregister_pernet_subsys(&selinux_net_ops);
6609 }
6610 #endif
6611
6612 #else /* CONFIG_NETFILTER */
6613
6614 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6615 #define selinux_nf_ip_exit()
6616 #endif
6617
6618 #endif /* CONFIG_NETFILTER */
6619
6620 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6621 static int selinux_disabled;
6622
6623 int selinux_disable(void)
6624 {
6625 if (ss_initialized) {
6626 /* Not permitted after initial policy load. */
6627 return -EINVAL;
6628 }
6629
6630 if (selinux_disabled) {
6631 /* Only do this once. */
6632 return -EINVAL;
6633 }
6634
6635 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6636
6637 selinux_disabled = 1;
6638 selinux_enabled = 0;
6639
6640 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6641
6642 /* Try to destroy the avc node cache */
6643 avc_disable();
6644
6645 /* Unregister netfilter hooks. */
6646 selinux_nf_ip_exit();
6647
6648 /* Unregister selinuxfs. */
6649 exit_sel_fs();
6650
6651 return 0;
6652 }
6653 #endif
ubuntu-bionic-kernel mirror