search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Linux 4.9.199
[linux/fpc-iii.git] / security / selinux / hooks.c
blob772df402c49537e37a25cf8bc1f5ec58ba12d5e1
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 *
21 * This program is free software; you can redistribute it and/or modify
22 * it under the terms of the GNU General Public License version 2,
23 * as published by the Free Software Foundation.
24 */
25
26 #include <linux/init.h>
27 #include <linux/kd.h>
28 #include <linux/kernel.h>
29 #include <linux/tracehook.h>
30 #include <linux/errno.h>
31 #include <linux/sched.h>
32 #include <linux/lsm_hooks.h>
33 #include <linux/xattr.h>
34 #include <linux/capability.h>
35 #include <linux/unistd.h>
36 #include <linux/mm.h>
37 #include <linux/mman.h>
38 #include <linux/slab.h>
39 #include <linux/pagemap.h>
40 #include <linux/proc_fs.h>
41 #include <linux/swap.h>
42 #include <linux/spinlock.h>
43 #include <linux/syscalls.h>
44 #include <linux/dcache.h>
45 #include <linux/file.h>
46 #include <linux/fdtable.h>
47 #include <linux/namei.h>
48 #include <linux/mount.h>
49 #include <linux/netfilter_ipv4.h>
50 #include <linux/netfilter_ipv6.h>
51 #include <linux/tty.h>
52 #include <net/icmp.h>
53 #include <net/ip.h> /* for local_port_range[] */
54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55 #include <net/inet_connection_sock.h>
56 #include <net/net_namespace.h>
57 #include <net/netlabel.h>
58 #include <linux/uaccess.h>
59 #include <asm/ioctls.h>
60 #include <linux/atomic.h>
61 #include <linux/bitops.h>
62 #include <linux/interrupt.h>
63 #include <linux/netdevice.h> /* for network interface checks */
64 #include <net/netlink.h>
65 #include <linux/tcp.h>
66 #include <linux/udp.h>
67 #include <linux/dccp.h>
68 #include <linux/quota.h>
69 #include <linux/un.h> /* for Unix socket types */
70 #include <net/af_unix.h> /* for Unix socket types */
71 #include <linux/parser.h>
72 #include <linux/nfs_mount.h>
73 #include <net/ipv6.h>
74 #include <linux/hugetlb.h>
75 #include <linux/personality.h>
76 #include <linux/audit.h>
77 #include <linux/string.h>
78 #include <linux/selinux.h>
79 #include <linux/mutex.h>
80 #include <linux/posix-timers.h>
81 #include <linux/syslog.h>
82 #include <linux/user_namespace.h>
83 #include <linux/export.h>
84 #include <linux/msg.h>
85 #include <linux/shm.h>
86
87 #include "avc.h"
88 #include "objsec.h"
89 #include "netif.h"
90 #include "netnode.h"
91 #include "netport.h"
92 #include "xfrm.h"
93 #include "netlabel.h"
94 #include "audit.h"
95 #include "avc_ss.h"
96
97 /* SECMARK reference count */
98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
99
100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
101 int selinux_enforcing;
102
103 static int __init enforcing_setup(char *str)
104 {
105 unsigned long enforcing;
106 if (!kstrtoul(str, 0, &enforcing))
107 selinux_enforcing = enforcing ? 1 : 0;
108 return 1;
109 }
110 __setup("enforcing=", enforcing_setup);
111 #endif
112
113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
115
116 static int __init selinux_enabled_setup(char *str)
117 {
118 unsigned long enabled;
119 if (!kstrtoul(str, 0, &enabled))
120 selinux_enabled = enabled ? 1 : 0;
121 return 1;
122 }
123 __setup("selinux=", selinux_enabled_setup);
124 #else
125 int selinux_enabled = 1;
126 #endif
127
128 static struct kmem_cache *sel_inode_cache;
129 static struct kmem_cache *file_security_cache;
130
131 /**
132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
133 *
134 * Description:
135 * This function checks the SECMARK reference counter to see if any SECMARK
136 * targets are currently configured, if the reference counter is greater than
137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
138 * enabled, false (0) if SECMARK is disabled. If the always_check_network
139 * policy capability is enabled, SECMARK is always considered enabled.
140 *
141 */
142 static int selinux_secmark_enabled(void)
143 {
144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
145 }
146
147 /**
148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
149 *
150 * Description:
151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
152 * (1) if any are enabled or false (0) if neither are enabled. If the
153 * always_check_network policy capability is enabled, peer labeling
154 * is always considered enabled.
155 *
156 */
157 static int selinux_peerlbl_enabled(void)
158 {
159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
160 }
161
162 static int selinux_netcache_avc_callback(u32 event)
163 {
164 if (event == AVC_CALLBACK_RESET) {
165 sel_netif_flush();
166 sel_netnode_flush();
167 sel_netport_flush();
168 synchronize_net();
169 }
170 return 0;
171 }
172
173 /*
174 * initialise the security for the init task
175 */
176 static void cred_init_security(void)
177 {
178 struct cred *cred = (struct cred *) current->real_cred;
179 struct task_security_struct *tsec;
180
181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
182 if (!tsec)
183 panic("SELinux: Failed to initialize initial task.\n");
184
185 tsec->osid = tsec->sid = SECINITSID_KERNEL;
186 cred->security = tsec;
187 }
188
189 /*
190 * get the security ID of a set of credentials
191 */
192 static inline u32 cred_sid(const struct cred *cred)
193 {
194 const struct task_security_struct *tsec;
195
196 tsec = cred->security;
197 return tsec->sid;
198 }
199
200 /*
201 * get the objective security ID of a task
202 */
203 static inline u32 task_sid(const struct task_struct *task)
204 {
205 u32 sid;
206
207 rcu_read_lock();
208 sid = cred_sid(__task_cred(task));
209 rcu_read_unlock();
210 return sid;
211 }
212
213 /*
214 * get the subjective security ID of the current task
215 */
216 static inline u32 current_sid(void)
217 {
218 const struct task_security_struct *tsec = current_security();
219
220 return tsec->sid;
221 }
222
223 /* Allocate and free functions for each kind of security blob. */
224
225 static int inode_alloc_security(struct inode *inode)
226 {
227 struct inode_security_struct *isec;
228 u32 sid = current_sid();
229
230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
231 if (!isec)
232 return -ENOMEM;
233
234 mutex_init(&isec->lock);
235 INIT_LIST_HEAD(&isec->list);
236 isec->inode = inode;
237 isec->sid = SECINITSID_UNLABELED;
238 isec->sclass = SECCLASS_FILE;
239 isec->task_sid = sid;
240 inode->i_security = isec;
241
242 return 0;
243 }
244
245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
246
247 /*
248 * Try reloading inode security labels that have been marked as invalid. The
249 * @may_sleep parameter indicates when sleeping and thus reloading labels is
250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is
251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
252 * when no dentry is available, set it to NULL instead.
253 */
254 static int __inode_security_revalidate(struct inode *inode,
255 struct dentry *opt_dentry,
256 bool may_sleep)
257 {
258 struct inode_security_struct *isec = inode->i_security;
259
260 might_sleep_if(may_sleep);
261
262 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
263 if (!may_sleep)
264 return -ECHILD;
265
266 /*
267 * Try reloading the inode security label. This will fail if
268 * @opt_dentry is NULL and no dentry for this inode can be
269 * found; in that case, continue using the old label.
270 */
271 inode_doinit_with_dentry(inode, opt_dentry);
272 }
273 return 0;
274 }
275
276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
277 {
278 return inode->i_security;
279 }
280
281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
282 {
283 int error;
284
285 error = __inode_security_revalidate(inode, NULL, !rcu);
286 if (error)
287 return ERR_PTR(error);
288 return inode->i_security;
289 }
290
291 /*
292 * Get the security label of an inode.
293 */
294 static struct inode_security_struct *inode_security(struct inode *inode)
295 {
296 __inode_security_revalidate(inode, NULL, true);
297 return inode->i_security;
298 }
299
300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
301 {
302 struct inode *inode = d_backing_inode(dentry);
303
304 return inode->i_security;
305 }
306
307 /*
308 * Get the security label of a dentry's backing inode.
309 */
310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
311 {
312 struct inode *inode = d_backing_inode(dentry);
313
314 __inode_security_revalidate(inode, dentry, true);
315 return inode->i_security;
316 }
317
318 static void inode_free_rcu(struct rcu_head *head)
319 {
320 struct inode_security_struct *isec;
321
322 isec = container_of(head, struct inode_security_struct, rcu);
323 kmem_cache_free(sel_inode_cache, isec);
324 }
325
326 static void inode_free_security(struct inode *inode)
327 {
328 struct inode_security_struct *isec = inode->i_security;
329 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
330
331 /*
332 * As not all inode security structures are in a list, we check for
333 * empty list outside of the lock to make sure that we won't waste
334 * time taking a lock doing nothing.
335 *
336 * The list_del_init() function can be safely called more than once.
337 * It should not be possible for this function to be called with
338 * concurrent list_add(), but for better safety against future changes
339 * in the code, we use list_empty_careful() here.
340 */
341 if (!list_empty_careful(&isec->list)) {
342 spin_lock(&sbsec->isec_lock);
343 list_del_init(&isec->list);
344 spin_unlock(&sbsec->isec_lock);
345 }
346
347 /*
348 * The inode may still be referenced in a path walk and
349 * a call to selinux_inode_permission() can be made
350 * after inode_free_security() is called. Ideally, the VFS
351 * wouldn't do this, but fixing that is a much harder
352 * job. For now, simply free the i_security via RCU, and
353 * leave the current inode->i_security pointer intact.
354 * The inode will be freed after the RCU grace period too.
355 */
356 call_rcu(&isec->rcu, inode_free_rcu);
357 }
358
359 static int file_alloc_security(struct file *file)
360 {
361 struct file_security_struct *fsec;
362 u32 sid = current_sid();
363
364 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
365 if (!fsec)
366 return -ENOMEM;
367
368 fsec->sid = sid;
369 fsec->fown_sid = sid;
370 file->f_security = fsec;
371
372 return 0;
373 }
374
375 static void file_free_security(struct file *file)
376 {
377 struct file_security_struct *fsec = file->f_security;
378 file->f_security = NULL;
379 kmem_cache_free(file_security_cache, fsec);
380 }
381
382 static int superblock_alloc_security(struct super_block *sb)
383 {
384 struct superblock_security_struct *sbsec;
385
386 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
387 if (!sbsec)
388 return -ENOMEM;
389
390 mutex_init(&sbsec->lock);
391 INIT_LIST_HEAD(&sbsec->isec_head);
392 spin_lock_init(&sbsec->isec_lock);
393 sbsec->sb = sb;
394 sbsec->sid = SECINITSID_UNLABELED;
395 sbsec->def_sid = SECINITSID_FILE;
396 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
397 sb->s_security = sbsec;
398
399 return 0;
400 }
401
402 static void superblock_free_security(struct super_block *sb)
403 {
404 struct superblock_security_struct *sbsec = sb->s_security;
405 sb->s_security = NULL;
406 kfree(sbsec);
407 }
408
409 static inline int inode_doinit(struct inode *inode)
410 {
411 return inode_doinit_with_dentry(inode, NULL);
412 }
413
414 enum {
415 Opt_error = -1,
416 Opt_context = 1,
417 Opt_fscontext = 2,
418 Opt_defcontext = 3,
419 Opt_rootcontext = 4,
420 Opt_labelsupport = 5,
421 Opt_nextmntopt = 6,
422 };
423
424 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
425
426 static const match_table_t tokens = {
427 {Opt_context, CONTEXT_STR "%s"},
428 {Opt_fscontext, FSCONTEXT_STR "%s"},
429 {Opt_defcontext, DEFCONTEXT_STR "%s"},
430 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
431 {Opt_labelsupport, LABELSUPP_STR},
432 {Opt_error, NULL},
433 };
434
435 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
436
437 static int may_context_mount_sb_relabel(u32 sid,
438 struct superblock_security_struct *sbsec,
439 const struct cred *cred)
440 {
441 const struct task_security_struct *tsec = cred->security;
442 int rc;
443
444 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
445 FILESYSTEM__RELABELFROM, NULL);
446 if (rc)
447 return rc;
448
449 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELTO, NULL);
451 return rc;
452 }
453
454 static int may_context_mount_inode_relabel(u32 sid,
455 struct superblock_security_struct *sbsec,
456 const struct cred *cred)
457 {
458 const struct task_security_struct *tsec = cred->security;
459 int rc;
460 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
461 FILESYSTEM__RELABELFROM, NULL);
462 if (rc)
463 return rc;
464
465 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 FILESYSTEM__ASSOCIATE, NULL);
467 return rc;
468 }
469
470 static int selinux_is_genfs_special_handling(struct super_block *sb)
471 {
472 /* Special handling. Genfs but also in-core setxattr handler */
473 return !strcmp(sb->s_type->name, "sysfs") ||
474 !strcmp(sb->s_type->name, "pstore") ||
475 !strcmp(sb->s_type->name, "debugfs") ||
476 !strcmp(sb->s_type->name, "rootfs");
477 }
478
479 static int selinux_is_sblabel_mnt(struct super_block *sb)
480 {
481 struct superblock_security_struct *sbsec = sb->s_security;
482
483 /*
484 * IMPORTANT: Double-check logic in this function when adding a new
485 * SECURITY_FS_USE_* definition!
486 */
487 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
488
489 switch (sbsec->behavior) {
490 case SECURITY_FS_USE_XATTR:
491 case SECURITY_FS_USE_TRANS:
492 case SECURITY_FS_USE_TASK:
493 case SECURITY_FS_USE_NATIVE:
494 return 1;
495
496 case SECURITY_FS_USE_GENFS:
497 return selinux_is_genfs_special_handling(sb);
498
499 /* Never allow relabeling on context mounts */
500 case SECURITY_FS_USE_MNTPOINT:
501 case SECURITY_FS_USE_NONE:
502 default:
503 return 0;
504 }
505 }
506
507 static int sb_finish_set_opts(struct super_block *sb)
508 {
509 struct superblock_security_struct *sbsec = sb->s_security;
510 struct dentry *root = sb->s_root;
511 struct inode *root_inode = d_backing_inode(root);
512 int rc = 0;
513
514 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
515 /* Make sure that the xattr handler exists and that no
516 error other than -ENODATA is returned by getxattr on
517 the root directory. -ENODATA is ok, as this may be
518 the first boot of the SELinux kernel before we have
519 assigned xattr values to the filesystem. */
520 if (!(root_inode->i_opflags & IOP_XATTR)) {
521 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
522 "xattr support\n", sb->s_id, sb->s_type->name);
523 rc = -EOPNOTSUPP;
524 goto out;
525 }
526
527 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
528 if (rc < 0 && rc != -ENODATA) {
529 if (rc == -EOPNOTSUPP)
530 printk(KERN_WARNING "SELinux: (dev %s, type "
531 "%s) has no security xattr handler\n",
532 sb->s_id, sb->s_type->name);
533 else
534 printk(KERN_WARNING "SELinux: (dev %s, type "
535 "%s) getxattr errno %d\n", sb->s_id,
536 sb->s_type->name, -rc);
537 goto out;
538 }
539 }
540
541 sbsec->flags |= SE_SBINITIALIZED;
542 if (selinux_is_sblabel_mnt(sb))
543 sbsec->flags |= SBLABEL_MNT;
544
545 /* Initialize the root inode. */
546 rc = inode_doinit_with_dentry(root_inode, root);
547
548 /* Initialize any other inodes associated with the superblock, e.g.
549 inodes created prior to initial policy load or inodes created
550 during get_sb by a pseudo filesystem that directly
551 populates itself. */
552 spin_lock(&sbsec->isec_lock);
553 next_inode:
554 if (!list_empty(&sbsec->isec_head)) {
555 struct inode_security_struct *isec =
556 list_entry(sbsec->isec_head.next,
557 struct inode_security_struct, list);
558 struct inode *inode = isec->inode;
559 list_del_init(&isec->list);
560 spin_unlock(&sbsec->isec_lock);
561 inode = igrab(inode);
562 if (inode) {
563 if (!IS_PRIVATE(inode))
564 inode_doinit(inode);
565 iput(inode);
566 }
567 spin_lock(&sbsec->isec_lock);
568 goto next_inode;
569 }
570 spin_unlock(&sbsec->isec_lock);
571 out:
572 return rc;
573 }
574
575 /*
576 * This function should allow an FS to ask what it's mount security
577 * options were so it can use those later for submounts, displaying
578 * mount options, or whatever.
579 */
580 static int selinux_get_mnt_opts(const struct super_block *sb,
581 struct security_mnt_opts *opts)
582 {
583 int rc = 0, i;
584 struct superblock_security_struct *sbsec = sb->s_security;
585 char *context = NULL;
586 u32 len;
587 char tmp;
588
589 security_init_mnt_opts(opts);
590
591 if (!(sbsec->flags & SE_SBINITIALIZED))
592 return -EINVAL;
593
594 if (!ss_initialized)
595 return -EINVAL;
596
597 /* make sure we always check enough bits to cover the mask */
598 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
599
600 tmp = sbsec->flags & SE_MNTMASK;
601 /* count the number of mount options for this sb */
602 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
603 if (tmp & 0x01)
604 opts->num_mnt_opts++;
605 tmp >>= 1;
606 }
607 /* Check if the Label support flag is set */
608 if (sbsec->flags & SBLABEL_MNT)
609 opts->num_mnt_opts++;
610
611 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
612 if (!opts->mnt_opts) {
613 rc = -ENOMEM;
614 goto out_free;
615 }
616
617 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
618 if (!opts->mnt_opts_flags) {
619 rc = -ENOMEM;
620 goto out_free;
621 }
622
623 i = 0;
624 if (sbsec->flags & FSCONTEXT_MNT) {
625 rc = security_sid_to_context(sbsec->sid, &context, &len);
626 if (rc)
627 goto out_free;
628 opts->mnt_opts[i] = context;
629 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
630 }
631 if (sbsec->flags & CONTEXT_MNT) {
632 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
633 if (rc)
634 goto out_free;
635 opts->mnt_opts[i] = context;
636 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
637 }
638 if (sbsec->flags & DEFCONTEXT_MNT) {
639 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
640 if (rc)
641 goto out_free;
642 opts->mnt_opts[i] = context;
643 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
644 }
645 if (sbsec->flags & ROOTCONTEXT_MNT) {
646 struct dentry *root = sbsec->sb->s_root;
647 struct inode_security_struct *isec = backing_inode_security(root);
648
649 rc = security_sid_to_context(isec->sid, &context, &len);
650 if (rc)
651 goto out_free;
652 opts->mnt_opts[i] = context;
653 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
654 }
655 if (sbsec->flags & SBLABEL_MNT) {
656 opts->mnt_opts[i] = NULL;
657 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
658 }
659
660 BUG_ON(i != opts->num_mnt_opts);
661
662 return 0;
663
664 out_free:
665 security_free_mnt_opts(opts);
666 return rc;
667 }
668
669 static int bad_option(struct superblock_security_struct *sbsec, char flag,
670 u32 old_sid, u32 new_sid)
671 {
672 char mnt_flags = sbsec->flags & SE_MNTMASK;
673
674 /* check if the old mount command had the same options */
675 if (sbsec->flags & SE_SBINITIALIZED)
676 if (!(sbsec->flags & flag) ||
677 (old_sid != new_sid))
678 return 1;
679
680 /* check if we were passed the same options twice,
681 * aka someone passed context=a,context=b
682 */
683 if (!(sbsec->flags & SE_SBINITIALIZED))
684 if (mnt_flags & flag)
685 return 1;
686 return 0;
687 }
688
689 /*
690 * Allow filesystems with binary mount data to explicitly set mount point
691 * labeling information.
692 */
693 static int selinux_set_mnt_opts(struct super_block *sb,
694 struct security_mnt_opts *opts,
695 unsigned long kern_flags,
696 unsigned long *set_kern_flags)
697 {
698 const struct cred *cred = current_cred();
699 int rc = 0, i;
700 struct superblock_security_struct *sbsec = sb->s_security;
701 const char *name = sb->s_type->name;
702 struct dentry *root = sbsec->sb->s_root;
703 struct inode_security_struct *root_isec;
704 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
705 u32 defcontext_sid = 0;
706 char **mount_options = opts->mnt_opts;
707 int *flags = opts->mnt_opts_flags;
708 int num_opts = opts->num_mnt_opts;
709
710 mutex_lock(&sbsec->lock);
711
712 if (!ss_initialized) {
713 if (!num_opts) {
714 /* Defer initialization until selinux_complete_init,
715 after the initial policy is loaded and the security
716 server is ready to handle calls. */
717 goto out;
718 }
719 rc = -EINVAL;
720 printk(KERN_WARNING "SELinux: Unable to set superblock options "
721 "before the security server is initialized\n");
722 goto out;
723 }
724 if (kern_flags && !set_kern_flags) {
725 /* Specifying internal flags without providing a place to
726 * place the results is not allowed */
727 rc = -EINVAL;
728 goto out;
729 }
730
731 /*
732 * Binary mount data FS will come through this function twice. Once
733 * from an explicit call and once from the generic calls from the vfs.
734 * Since the generic VFS calls will not contain any security mount data
735 * we need to skip the double mount verification.
736 *
737 * This does open a hole in which we will not notice if the first
738 * mount using this sb set explict options and a second mount using
739 * this sb does not set any security options. (The first options
740 * will be used for both mounts)
741 */
742 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
743 && (num_opts == 0))
744 goto out;
745
746 root_isec = backing_inode_security_novalidate(root);
747
748 /*
749 * parse the mount options, check if they are valid sids.
750 * also check if someone is trying to mount the same sb more
751 * than once with different security options.
752 */
753 for (i = 0; i < num_opts; i++) {
754 u32 sid;
755
756 if (flags[i] == SBLABEL_MNT)
757 continue;
758 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
759 if (rc) {
760 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
761 "(%s) failed for (dev %s, type %s) errno=%d\n",
762 mount_options[i], sb->s_id, name, rc);
763 goto out;
764 }
765 switch (flags[i]) {
766 case FSCONTEXT_MNT:
767 fscontext_sid = sid;
768
769 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
770 fscontext_sid))
771 goto out_double_mount;
772
773 sbsec->flags |= FSCONTEXT_MNT;
774 break;
775 case CONTEXT_MNT:
776 context_sid = sid;
777
778 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
779 context_sid))
780 goto out_double_mount;
781
782 sbsec->flags |= CONTEXT_MNT;
783 break;
784 case ROOTCONTEXT_MNT:
785 rootcontext_sid = sid;
786
787 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
788 rootcontext_sid))
789 goto out_double_mount;
790
791 sbsec->flags |= ROOTCONTEXT_MNT;
792
793 break;
794 case DEFCONTEXT_MNT:
795 defcontext_sid = sid;
796
797 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
798 defcontext_sid))
799 goto out_double_mount;
800
801 sbsec->flags |= DEFCONTEXT_MNT;
802
803 break;
804 default:
805 rc = -EINVAL;
806 goto out;
807 }
808 }
809
810 if (sbsec->flags & SE_SBINITIALIZED) {
811 /* previously mounted with options, but not on this attempt? */
812 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
813 goto out_double_mount;
814 rc = 0;
815 goto out;
816 }
817
818 if (strcmp(sb->s_type->name, "proc") == 0)
819 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
820
821 if (!strcmp(sb->s_type->name, "debugfs") ||
822 !strcmp(sb->s_type->name, "sysfs") ||
823 !strcmp(sb->s_type->name, "pstore"))
824 sbsec->flags |= SE_SBGENFS;
825
826 if (!sbsec->behavior) {
827 /*
828 * Determine the labeling behavior to use for this
829 * filesystem type.
830 */
831 rc = security_fs_use(sb);
832 if (rc) {
833 printk(KERN_WARNING
834 "%s: security_fs_use(%s) returned %d\n",
835 __func__, sb->s_type->name, rc);
836 goto out;
837 }
838 }
839
840 /*
841 * If this is a user namespace mount, no contexts are allowed
842 * on the command line and security labels must be ignored.
843 */
844 if (sb->s_user_ns != &init_user_ns) {
845 if (context_sid || fscontext_sid || rootcontext_sid ||
846 defcontext_sid) {
847 rc = -EACCES;
848 goto out;
849 }
850 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
851 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
852 rc = security_transition_sid(current_sid(), current_sid(),
853 SECCLASS_FILE, NULL,
854 &sbsec->mntpoint_sid);
855 if (rc)
856 goto out;
857 }
858 goto out_set_opts;
859 }
860
861 /* sets the context of the superblock for the fs being mounted. */
862 if (fscontext_sid) {
863 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
864 if (rc)
865 goto out;
866
867 sbsec->sid = fscontext_sid;
868 }
869
870 /*
871 * Switch to using mount point labeling behavior.
872 * sets the label used on all file below the mountpoint, and will set
873 * the superblock context if not already set.
874 */
875 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
876 sbsec->behavior = SECURITY_FS_USE_NATIVE;
877 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
878 }
879
880 if (context_sid) {
881 if (!fscontext_sid) {
882 rc = may_context_mount_sb_relabel(context_sid, sbsec,
883 cred);
884 if (rc)
885 goto out;
886 sbsec->sid = context_sid;
887 } else {
888 rc = may_context_mount_inode_relabel(context_sid, sbsec,
889 cred);
890 if (rc)
891 goto out;
892 }
893 if (!rootcontext_sid)
894 rootcontext_sid = context_sid;
895
896 sbsec->mntpoint_sid = context_sid;
897 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
898 }
899
900 if (rootcontext_sid) {
901 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
902 cred);
903 if (rc)
904 goto out;
905
906 root_isec->sid = rootcontext_sid;
907 root_isec->initialized = LABEL_INITIALIZED;
908 }
909
910 if (defcontext_sid) {
911 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
912 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
913 rc = -EINVAL;
914 printk(KERN_WARNING "SELinux: defcontext option is "
915 "invalid for this filesystem type\n");
916 goto out;
917 }
918
919 if (defcontext_sid != sbsec->def_sid) {
920 rc = may_context_mount_inode_relabel(defcontext_sid,
921 sbsec, cred);
922 if (rc)
923 goto out;
924 }
925
926 sbsec->def_sid = defcontext_sid;
927 }
928
929 out_set_opts:
930 rc = sb_finish_set_opts(sb);
931 out:
932 mutex_unlock(&sbsec->lock);
933 return rc;
934 out_double_mount:
935 rc = -EINVAL;
936 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
937 "security settings for (dev %s, type %s)\n", sb->s_id, name);
938 goto out;
939 }
940
941 static int selinux_cmp_sb_context(const struct super_block *oldsb,
942 const struct super_block *newsb)
943 {
944 struct superblock_security_struct *old = oldsb->s_security;
945 struct superblock_security_struct *new = newsb->s_security;
946 char oldflags = old->flags & SE_MNTMASK;
947 char newflags = new->flags & SE_MNTMASK;
948
949 if (oldflags != newflags)
950 goto mismatch;
951 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
952 goto mismatch;
953 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
954 goto mismatch;
955 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
956 goto mismatch;
957 if (oldflags & ROOTCONTEXT_MNT) {
958 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
959 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
960 if (oldroot->sid != newroot->sid)
961 goto mismatch;
962 }
963 return 0;
964 mismatch:
965 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
966 "different security settings for (dev %s, "
967 "type %s)\n", newsb->s_id, newsb->s_type->name);
968 return -EBUSY;
969 }
970
971 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
972 struct super_block *newsb)
973 {
974 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
975 struct superblock_security_struct *newsbsec = newsb->s_security;
976
977 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
978 int set_context = (oldsbsec->flags & CONTEXT_MNT);
979 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
980
981 /*
982 * if the parent was able to be mounted it clearly had no special lsm
983 * mount options. thus we can safely deal with this superblock later
984 */
985 if (!ss_initialized)
986 return 0;
987
988 /* how can we clone if the old one wasn't set up?? */
989 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
990
991 /* if fs is reusing a sb, make sure that the contexts match */
992 if (newsbsec->flags & SE_SBINITIALIZED)
993 return selinux_cmp_sb_context(oldsb, newsb);
994
995 mutex_lock(&newsbsec->lock);
996
997 newsbsec->flags = oldsbsec->flags;
998
999 newsbsec->sid = oldsbsec->sid;
1000 newsbsec->def_sid = oldsbsec->def_sid;
1001 newsbsec->behavior = oldsbsec->behavior;
1002
1003 if (set_context) {
1004 u32 sid = oldsbsec->mntpoint_sid;
1005
1006 if (!set_fscontext)
1007 newsbsec->sid = sid;
1008 if (!set_rootcontext) {
1009 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1010 newisec->sid = sid;
1011 }
1012 newsbsec->mntpoint_sid = sid;
1013 }
1014 if (set_rootcontext) {
1015 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1016 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1017
1018 newisec->sid = oldisec->sid;
1019 }
1020
1021 sb_finish_set_opts(newsb);
1022 mutex_unlock(&newsbsec->lock);
1023 return 0;
1024 }
1025
1026 static int selinux_parse_opts_str(char *options,
1027 struct security_mnt_opts *opts)
1028 {
1029 char *p;
1030 char *context = NULL, *defcontext = NULL;
1031 char *fscontext = NULL, *rootcontext = NULL;
1032 int rc, num_mnt_opts = 0;
1033
1034 opts->num_mnt_opts = 0;
1035
1036 /* Standard string-based options. */
1037 while ((p = strsep(&options, "|")) != NULL) {
1038 int token;
1039 substring_t args[MAX_OPT_ARGS];
1040
1041 if (!*p)
1042 continue;
1043
1044 token = match_token(p, tokens, args);
1045
1046 switch (token) {
1047 case Opt_context:
1048 if (context || defcontext) {
1049 rc = -EINVAL;
1050 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1051 goto out_err;
1052 }
1053 context = match_strdup(&args[0]);
1054 if (!context) {
1055 rc = -ENOMEM;
1056 goto out_err;
1057 }
1058 break;
1059
1060 case Opt_fscontext:
1061 if (fscontext) {
1062 rc = -EINVAL;
1063 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1064 goto out_err;
1065 }
1066 fscontext = match_strdup(&args[0]);
1067 if (!fscontext) {
1068 rc = -ENOMEM;
1069 goto out_err;
1070 }
1071 break;
1072
1073 case Opt_rootcontext:
1074 if (rootcontext) {
1075 rc = -EINVAL;
1076 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1077 goto out_err;
1078 }
1079 rootcontext = match_strdup(&args[0]);
1080 if (!rootcontext) {
1081 rc = -ENOMEM;
1082 goto out_err;
1083 }
1084 break;
1085
1086 case Opt_defcontext:
1087 if (context || defcontext) {
1088 rc = -EINVAL;
1089 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1090 goto out_err;
1091 }
1092 defcontext = match_strdup(&args[0]);
1093 if (!defcontext) {
1094 rc = -ENOMEM;
1095 goto out_err;
1096 }
1097 break;
1098 case Opt_labelsupport:
1099 break;
1100 default:
1101 rc = -EINVAL;
1102 printk(KERN_WARNING "SELinux: unknown mount option\n");
1103 goto out_err;
1104
1105 }
1106 }
1107
1108 rc = -ENOMEM;
1109 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
1110 if (!opts->mnt_opts)
1111 goto out_err;
1112
1113 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
1114 if (!opts->mnt_opts_flags) {
1115 kfree(opts->mnt_opts);
1116 goto out_err;
1117 }
1118
1119 if (fscontext) {
1120 opts->mnt_opts[num_mnt_opts] = fscontext;
1121 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1122 }
1123 if (context) {
1124 opts->mnt_opts[num_mnt_opts] = context;
1125 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1126 }
1127 if (rootcontext) {
1128 opts->mnt_opts[num_mnt_opts] = rootcontext;
1129 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1130 }
1131 if (defcontext) {
1132 opts->mnt_opts[num_mnt_opts] = defcontext;
1133 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1134 }
1135
1136 opts->num_mnt_opts = num_mnt_opts;
1137 return 0;
1138
1139 out_err:
1140 kfree(context);
1141 kfree(defcontext);
1142 kfree(fscontext);
1143 kfree(rootcontext);
1144 return rc;
1145 }
1146 /*
1147 * string mount options parsing and call set the sbsec
1148 */
1149 static int superblock_doinit(struct super_block *sb, void *data)
1150 {
1151 int rc = 0;
1152 char *options = data;
1153 struct security_mnt_opts opts;
1154
1155 security_init_mnt_opts(&opts);
1156
1157 if (!data)
1158 goto out;
1159
1160 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1161
1162 rc = selinux_parse_opts_str(options, &opts);
1163 if (rc)
1164 goto out_err;
1165
1166 out:
1167 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1168
1169 out_err:
1170 security_free_mnt_opts(&opts);
1171 return rc;
1172 }
1173
1174 static void selinux_write_opts(struct seq_file *m,
1175 struct security_mnt_opts *opts)
1176 {
1177 int i;
1178 char *prefix;
1179
1180 for (i = 0; i < opts->num_mnt_opts; i++) {
1181 char *has_comma;
1182
1183 if (opts->mnt_opts[i])
1184 has_comma = strchr(opts->mnt_opts[i], ',');
1185 else
1186 has_comma = NULL;
1187
1188 switch (opts->mnt_opts_flags[i]) {
1189 case CONTEXT_MNT:
1190 prefix = CONTEXT_STR;
1191 break;
1192 case FSCONTEXT_MNT:
1193 prefix = FSCONTEXT_STR;
1194 break;
1195 case ROOTCONTEXT_MNT:
1196 prefix = ROOTCONTEXT_STR;
1197 break;
1198 case DEFCONTEXT_MNT:
1199 prefix = DEFCONTEXT_STR;
1200 break;
1201 case SBLABEL_MNT:
1202 seq_putc(m, ',');
1203 seq_puts(m, LABELSUPP_STR);
1204 continue;
1205 default:
1206 BUG();
1207 return;
1208 };
1209 /* we need a comma before each option */
1210 seq_putc(m, ',');
1211 seq_puts(m, prefix);
1212 if (has_comma)
1213 seq_putc(m, '\"');
1214 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1215 if (has_comma)
1216 seq_putc(m, '\"');
1217 }
1218 }
1219
1220 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1221 {
1222 struct security_mnt_opts opts;
1223 int rc;
1224
1225 rc = selinux_get_mnt_opts(sb, &opts);
1226 if (rc) {
1227 /* before policy load we may get EINVAL, don't show anything */
1228 if (rc == -EINVAL)
1229 rc = 0;
1230 return rc;
1231 }
1232
1233 selinux_write_opts(m, &opts);
1234
1235 security_free_mnt_opts(&opts);
1236
1237 return rc;
1238 }
1239
1240 static inline u16 inode_mode_to_security_class(umode_t mode)
1241 {
1242 switch (mode & S_IFMT) {
1243 case S_IFSOCK:
1244 return SECCLASS_SOCK_FILE;
1245 case S_IFLNK:
1246 return SECCLASS_LNK_FILE;
1247 case S_IFREG:
1248 return SECCLASS_FILE;
1249 case S_IFBLK:
1250 return SECCLASS_BLK_FILE;
1251 case S_IFDIR:
1252 return SECCLASS_DIR;
1253 case S_IFCHR:
1254 return SECCLASS_CHR_FILE;
1255 case S_IFIFO:
1256 return SECCLASS_FIFO_FILE;
1257
1258 }
1259
1260 return SECCLASS_FILE;
1261 }
1262
1263 static inline int default_protocol_stream(int protocol)
1264 {
1265 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1266 }
1267
1268 static inline int default_protocol_dgram(int protocol)
1269 {
1270 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1271 }
1272
1273 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1274 {
1275 switch (family) {
1276 case PF_UNIX:
1277 switch (type) {
1278 case SOCK_STREAM:
1279 case SOCK_SEQPACKET:
1280 return SECCLASS_UNIX_STREAM_SOCKET;
1281 case SOCK_DGRAM:
1282 return SECCLASS_UNIX_DGRAM_SOCKET;
1283 }
1284 break;
1285 case PF_INET:
1286 case PF_INET6:
1287 switch (type) {
1288 case SOCK_STREAM:
1289 if (default_protocol_stream(protocol))
1290 return SECCLASS_TCP_SOCKET;
1291 else
1292 return SECCLASS_RAWIP_SOCKET;
1293 case SOCK_DGRAM:
1294 if (default_protocol_dgram(protocol))
1295 return SECCLASS_UDP_SOCKET;
1296 else
1297 return SECCLASS_RAWIP_SOCKET;
1298 case SOCK_DCCP:
1299 return SECCLASS_DCCP_SOCKET;
1300 default:
1301 return SECCLASS_RAWIP_SOCKET;
1302 }
1303 break;
1304 case PF_NETLINK:
1305 switch (protocol) {
1306 case NETLINK_ROUTE:
1307 return SECCLASS_NETLINK_ROUTE_SOCKET;
1308 case NETLINK_SOCK_DIAG:
1309 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1310 case NETLINK_NFLOG:
1311 return SECCLASS_NETLINK_NFLOG_SOCKET;
1312 case NETLINK_XFRM:
1313 return SECCLASS_NETLINK_XFRM_SOCKET;
1314 case NETLINK_SELINUX:
1315 return SECCLASS_NETLINK_SELINUX_SOCKET;
1316 case NETLINK_ISCSI:
1317 return SECCLASS_NETLINK_ISCSI_SOCKET;
1318 case NETLINK_AUDIT:
1319 return SECCLASS_NETLINK_AUDIT_SOCKET;
1320 case NETLINK_FIB_LOOKUP:
1321 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1322 case NETLINK_CONNECTOR:
1323 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1324 case NETLINK_NETFILTER:
1325 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1326 case NETLINK_DNRTMSG:
1327 return SECCLASS_NETLINK_DNRT_SOCKET;
1328 case NETLINK_KOBJECT_UEVENT:
1329 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1330 case NETLINK_GENERIC:
1331 return SECCLASS_NETLINK_GENERIC_SOCKET;
1332 case NETLINK_SCSITRANSPORT:
1333 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1334 case NETLINK_RDMA:
1335 return SECCLASS_NETLINK_RDMA_SOCKET;
1336 case NETLINK_CRYPTO:
1337 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1338 default:
1339 return SECCLASS_NETLINK_SOCKET;
1340 }
1341 case PF_PACKET:
1342 return SECCLASS_PACKET_SOCKET;
1343 case PF_KEY:
1344 return SECCLASS_KEY_SOCKET;
1345 case PF_APPLETALK:
1346 return SECCLASS_APPLETALK_SOCKET;
1347 }
1348
1349 return SECCLASS_SOCKET;
1350 }
1351
1352 static int selinux_genfs_get_sid(struct dentry *dentry,
1353 u16 tclass,
1354 u16 flags,
1355 u32 *sid)
1356 {
1357 int rc;
1358 struct super_block *sb = dentry->d_sb;
1359 char *buffer, *path;
1360
1361 buffer = (char *)__get_free_page(GFP_KERNEL);
1362 if (!buffer)
1363 return -ENOMEM;
1364
1365 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1366 if (IS_ERR(path))
1367 rc = PTR_ERR(path);
1368 else {
1369 if (flags & SE_SBPROC) {
1370 /* each process gets a /proc/PID/ entry. Strip off the
1371 * PID part to get a valid selinux labeling.
1372 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1373 while (path[1] >= '0' && path[1] <= '9') {
1374 path[1] = '/';
1375 path++;
1376 }
1377 }
1378 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1379 }
1380 free_page((unsigned long)buffer);
1381 return rc;
1382 }
1383
1384 /* The inode's security attributes must be initialized before first use. */
1385 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1386 {
1387 struct superblock_security_struct *sbsec = NULL;
1388 struct inode_security_struct *isec = inode->i_security;
1389 u32 sid;
1390 struct dentry *dentry;
1391 #define INITCONTEXTLEN 255
1392 char *context = NULL;
1393 unsigned len = 0;
1394 int rc = 0;
1395
1396 if (isec->initialized == LABEL_INITIALIZED)
1397 goto out;
1398
1399 mutex_lock(&isec->lock);
1400 if (isec->initialized == LABEL_INITIALIZED)
1401 goto out_unlock;
1402
1403 sbsec = inode->i_sb->s_security;
1404 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1405 /* Defer initialization until selinux_complete_init,
1406 after the initial policy is loaded and the security
1407 server is ready to handle calls. */
1408 spin_lock(&sbsec->isec_lock);
1409 if (list_empty(&isec->list))
1410 list_add(&isec->list, &sbsec->isec_head);
1411 spin_unlock(&sbsec->isec_lock);
1412 goto out_unlock;
1413 }
1414
1415 switch (sbsec->behavior) {
1416 case SECURITY_FS_USE_NATIVE:
1417 break;
1418 case SECURITY_FS_USE_XATTR:
1419 if (!(inode->i_opflags & IOP_XATTR)) {
1420 isec->sid = sbsec->def_sid;
1421 break;
1422 }
1423 /* Need a dentry, since the xattr API requires one.
1424 Life would be simpler if we could just pass the inode. */
1425 if (opt_dentry) {
1426 /* Called from d_instantiate or d_splice_alias. */
1427 dentry = dget(opt_dentry);
1428 } else {
1429 /* Called from selinux_complete_init, try to find a dentry. */
1430 dentry = d_find_alias(inode);
1431 }
1432 if (!dentry) {
1433 /*
1434 * this is can be hit on boot when a file is accessed
1435 * before the policy is loaded. When we load policy we
1436 * may find inodes that have no dentry on the
1437 * sbsec->isec_head list. No reason to complain as these
1438 * will get fixed up the next time we go through
1439 * inode_doinit with a dentry, before these inodes could
1440 * be used again by userspace.
1441 */
1442 goto out_unlock;
1443 }
1444
1445 len = INITCONTEXTLEN;
1446 context = kmalloc(len+1, GFP_NOFS);
1447 if (!context) {
1448 rc = -ENOMEM;
1449 dput(dentry);
1450 goto out_unlock;
1451 }
1452 context[len] = '\0';
1453 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1454 if (rc == -ERANGE) {
1455 kfree(context);
1456
1457 /* Need a larger buffer. Query for the right size. */
1458 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1459 if (rc < 0) {
1460 dput(dentry);
1461 goto out_unlock;
1462 }
1463 len = rc;
1464 context = kmalloc(len+1, GFP_NOFS);
1465 if (!context) {
1466 rc = -ENOMEM;
1467 dput(dentry);
1468 goto out_unlock;
1469 }
1470 context[len] = '\0';
1471 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1472 }
1473 dput(dentry);
1474 if (rc < 0) {
1475 if (rc != -ENODATA) {
1476 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1477 "%d for dev=%s ino=%ld\n", __func__,
1478 -rc, inode->i_sb->s_id, inode->i_ino);
1479 kfree(context);
1480 goto out_unlock;
1481 }
1482 /* Map ENODATA to the default file SID */
1483 sid = sbsec->def_sid;
1484 rc = 0;
1485 } else {
1486 rc = security_context_to_sid_default(context, rc, &sid,
1487 sbsec->def_sid,
1488 GFP_NOFS);
1489 if (rc) {
1490 char *dev = inode->i_sb->s_id;
1491 unsigned long ino = inode->i_ino;
1492
1493 if (rc == -EINVAL) {
1494 if (printk_ratelimit())
1495 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1496 "context=%s. This indicates you may need to relabel the inode or the "
1497 "filesystem in question.\n", ino, dev, context);
1498 } else {
1499 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1500 "returned %d for dev=%s ino=%ld\n",
1501 __func__, context, -rc, dev, ino);
1502 }
1503 kfree(context);
1504 /* Leave with the unlabeled SID */
1505 rc = 0;
1506 break;
1507 }
1508 }
1509 kfree(context);
1510 isec->sid = sid;
1511 break;
1512 case SECURITY_FS_USE_TASK:
1513 isec->sid = isec->task_sid;
1514 break;
1515 case SECURITY_FS_USE_TRANS:
1516 /* Default to the fs SID. */
1517 isec->sid = sbsec->sid;
1518
1519 /* Try to obtain a transition SID. */
1520 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1521 rc = security_transition_sid(isec->task_sid, sbsec->sid,
1522 isec->sclass, NULL, &sid);
1523 if (rc)
1524 goto out_unlock;
1525 isec->sid = sid;
1526 break;
1527 case SECURITY_FS_USE_MNTPOINT:
1528 isec->sid = sbsec->mntpoint_sid;
1529 break;
1530 default:
1531 /* Default to the fs superblock SID. */
1532 isec->sid = sbsec->sid;
1533
1534 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1535 /* We must have a dentry to determine the label on
1536 * procfs inodes */
1537 if (opt_dentry)
1538 /* Called from d_instantiate or
1539 * d_splice_alias. */
1540 dentry = dget(opt_dentry);
1541 else
1542 /* Called from selinux_complete_init, try to
1543 * find a dentry. */
1544 dentry = d_find_alias(inode);
1545 /*
1546 * This can be hit on boot when a file is accessed
1547 * before the policy is loaded. When we load policy we
1548 * may find inodes that have no dentry on the
1549 * sbsec->isec_head list. No reason to complain as
1550 * these will get fixed up the next time we go through
1551 * inode_doinit() with a dentry, before these inodes
1552 * could be used again by userspace.
1553 */
1554 if (!dentry)
1555 goto out_unlock;
1556 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1557 rc = selinux_genfs_get_sid(dentry, isec->sclass,
1558 sbsec->flags, &sid);
1559 dput(dentry);
1560 if (rc)
1561 goto out_unlock;
1562 isec->sid = sid;
1563 }
1564 break;
1565 }
1566
1567 isec->initialized = LABEL_INITIALIZED;
1568
1569 out_unlock:
1570 mutex_unlock(&isec->lock);
1571 out:
1572 if (isec->sclass == SECCLASS_FILE)
1573 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1574 return rc;
1575 }
1576
1577 /* Convert a Linux signal to an access vector. */
1578 static inline u32 signal_to_av(int sig)
1579 {
1580 u32 perm = 0;
1581
1582 switch (sig) {
1583 case SIGCHLD:
1584 /* Commonly granted from child to parent. */
1585 perm = PROCESS__SIGCHLD;
1586 break;
1587 case SIGKILL:
1588 /* Cannot be caught or ignored */
1589 perm = PROCESS__SIGKILL;
1590 break;
1591 case SIGSTOP:
1592 /* Cannot be caught or ignored */
1593 perm = PROCESS__SIGSTOP;
1594 break;
1595 default:
1596 /* All other signals. */
1597 perm = PROCESS__SIGNAL;
1598 break;
1599 }
1600
1601 return perm;
1602 }
1603
1604 /*
1605 * Check permission between a pair of credentials
1606 * fork check, ptrace check, etc.
1607 */
1608 static int cred_has_perm(const struct cred *actor,
1609 const struct cred *target,
1610 u32 perms)
1611 {
1612 u32 asid = cred_sid(actor), tsid = cred_sid(target);
1613
1614 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1615 }
1616
1617 /*
1618 * Check permission between a pair of tasks, e.g. signal checks,
1619 * fork check, ptrace check, etc.
1620 * tsk1 is the actor and tsk2 is the target
1621 * - this uses the default subjective creds of tsk1
1622 */
1623 static int task_has_perm(const struct task_struct *tsk1,
1624 const struct task_struct *tsk2,
1625 u32 perms)
1626 {
1627 const struct task_security_struct *__tsec1, *__tsec2;
1628 u32 sid1, sid2;
1629
1630 rcu_read_lock();
1631 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
1632 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
1633 rcu_read_unlock();
1634 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1635 }
1636
1637 /*
1638 * Check permission between current and another task, e.g. signal checks,
1639 * fork check, ptrace check, etc.
1640 * current is the actor and tsk2 is the target
1641 * - this uses current's subjective creds
1642 */
1643 static int current_has_perm(const struct task_struct *tsk,
1644 u32 perms)
1645 {
1646 u32 sid, tsid;
1647
1648 sid = current_sid();
1649 tsid = task_sid(tsk);
1650 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1651 }
1652
1653 #if CAP_LAST_CAP > 63
1654 #error Fix SELinux to handle capabilities > 63.
1655 #endif
1656
1657 /* Check whether a task is allowed to use a capability. */
1658 static int cred_has_capability(const struct cred *cred,
1659 int cap, int audit, bool initns)
1660 {
1661 struct common_audit_data ad;
1662 struct av_decision avd;
1663 u16 sclass;
1664 u32 sid = cred_sid(cred);
1665 u32 av = CAP_TO_MASK(cap);
1666 int rc;
1667
1668 ad.type = LSM_AUDIT_DATA_CAP;
1669 ad.u.cap = cap;
1670
1671 switch (CAP_TO_INDEX(cap)) {
1672 case 0:
1673 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1674 break;
1675 case 1:
1676 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1677 break;
1678 default:
1679 printk(KERN_ERR
1680 "SELinux: out of range capability %d\n", cap);
1681 BUG();
1682 return -EINVAL;
1683 }
1684
1685 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1686 if (audit == SECURITY_CAP_AUDIT) {
1687 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1688 if (rc2)
1689 return rc2;
1690 }
1691 return rc;
1692 }
1693
1694 /* Check whether a task is allowed to use a system operation. */
1695 static int task_has_system(struct task_struct *tsk,
1696 u32 perms)
1697 {
1698 u32 sid = task_sid(tsk);
1699
1700 return avc_has_perm(sid, SECINITSID_KERNEL,
1701 SECCLASS_SYSTEM, perms, NULL);
1702 }
1703
1704 /* Check whether a task has a particular permission to an inode.
1705 The 'adp' parameter is optional and allows other audit
1706 data to be passed (e.g. the dentry). */
1707 static int inode_has_perm(const struct cred *cred,
1708 struct inode *inode,
1709 u32 perms,
1710 struct common_audit_data *adp)
1711 {
1712 struct inode_security_struct *isec;
1713 u32 sid;
1714
1715 validate_creds(cred);
1716
1717 if (unlikely(IS_PRIVATE(inode)))
1718 return 0;
1719
1720 sid = cred_sid(cred);
1721 isec = inode->i_security;
1722
1723 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1724 }
1725
1726 /* Same as inode_has_perm, but pass explicit audit data containing
1727 the dentry to help the auditing code to more easily generate the
1728 pathname if needed. */
1729 static inline int dentry_has_perm(const struct cred *cred,
1730 struct dentry *dentry,
1731 u32 av)
1732 {
1733 struct inode *inode = d_backing_inode(dentry);
1734 struct common_audit_data ad;
1735
1736 ad.type = LSM_AUDIT_DATA_DENTRY;
1737 ad.u.dentry = dentry;
1738 __inode_security_revalidate(inode, dentry, true);
1739 return inode_has_perm(cred, inode, av, &ad);
1740 }
1741
1742 /* Same as inode_has_perm, but pass explicit audit data containing
1743 the path to help the auditing code to more easily generate the
1744 pathname if needed. */
1745 static inline int path_has_perm(const struct cred *cred,
1746 const struct path *path,
1747 u32 av)
1748 {
1749 struct inode *inode = d_backing_inode(path->dentry);
1750 struct common_audit_data ad;
1751
1752 ad.type = LSM_AUDIT_DATA_PATH;
1753 ad.u.path = *path;
1754 __inode_security_revalidate(inode, path->dentry, true);
1755 return inode_has_perm(cred, inode, av, &ad);
1756 }
1757
1758 /* Same as path_has_perm, but uses the inode from the file struct. */
1759 static inline int file_path_has_perm(const struct cred *cred,
1760 struct file *file,
1761 u32 av)
1762 {
1763 struct common_audit_data ad;
1764
1765 ad.type = LSM_AUDIT_DATA_FILE;
1766 ad.u.file = file;
1767 return inode_has_perm(cred, file_inode(file), av, &ad);
1768 }
1769
1770 /* Check whether a task can use an open file descriptor to
1771 access an inode in a given way. Check access to the
1772 descriptor itself, and then use dentry_has_perm to
1773 check a particular permission to the file.
1774 Access to the descriptor is implicitly granted if it
1775 has the same SID as the process. If av is zero, then
1776 access to the file is not checked, e.g. for cases
1777 where only the descriptor is affected like seek. */
1778 static int file_has_perm(const struct cred *cred,
1779 struct file *file,
1780 u32 av)
1781 {
1782 struct file_security_struct *fsec = file->f_security;
1783 struct inode *inode = file_inode(file);
1784 struct common_audit_data ad;
1785 u32 sid = cred_sid(cred);
1786 int rc;
1787
1788 ad.type = LSM_AUDIT_DATA_FILE;
1789 ad.u.file = file;
1790
1791 if (sid != fsec->sid) {
1792 rc = avc_has_perm(sid, fsec->sid,
1793 SECCLASS_FD,
1794 FD__USE,
1795 &ad);
1796 if (rc)
1797 goto out;
1798 }
1799
1800 /* av is zero if only checking access to the descriptor. */
1801 rc = 0;
1802 if (av)
1803 rc = inode_has_perm(cred, inode, av, &ad);
1804
1805 out:
1806 return rc;
1807 }
1808
1809 /*
1810 * Determine the label for an inode that might be unioned.
1811 */
1812 static int
1813 selinux_determine_inode_label(const struct task_security_struct *tsec,
1814 struct inode *dir,
1815 const struct qstr *name, u16 tclass,
1816 u32 *_new_isid)
1817 {
1818 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1819
1820 if ((sbsec->flags & SE_SBINITIALIZED) &&
1821 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1822 *_new_isid = sbsec->mntpoint_sid;
1823 } else if ((sbsec->flags & SBLABEL_MNT) &&
1824 tsec->create_sid) {
1825 *_new_isid = tsec->create_sid;
1826 } else {
1827 const struct inode_security_struct *dsec = inode_security(dir);
1828 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1829 name, _new_isid);
1830 }
1831
1832 return 0;
1833 }
1834
1835 /* Check whether a task can create a file. */
1836 static int may_create(struct inode *dir,
1837 struct dentry *dentry,
1838 u16 tclass)
1839 {
1840 const struct task_security_struct *tsec = current_security();
1841 struct inode_security_struct *dsec;
1842 struct superblock_security_struct *sbsec;
1843 u32 sid, newsid;
1844 struct common_audit_data ad;
1845 int rc;
1846
1847 dsec = inode_security(dir);
1848 sbsec = dir->i_sb->s_security;
1849
1850 sid = tsec->sid;
1851
1852 ad.type = LSM_AUDIT_DATA_DENTRY;
1853 ad.u.dentry = dentry;
1854
1855 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1856 DIR__ADD_NAME | DIR__SEARCH,
1857 &ad);
1858 if (rc)
1859 return rc;
1860
1861 rc = selinux_determine_inode_label(current_security(), dir,
1862 &dentry->d_name, tclass, &newsid);
1863 if (rc)
1864 return rc;
1865
1866 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1867 if (rc)
1868 return rc;
1869
1870 return avc_has_perm(newsid, sbsec->sid,
1871 SECCLASS_FILESYSTEM,
1872 FILESYSTEM__ASSOCIATE, &ad);
1873 }
1874
1875 /* Check whether a task can create a key. */
1876 static int may_create_key(u32 ksid,
1877 struct task_struct *ctx)
1878 {
1879 u32 sid = task_sid(ctx);
1880
1881 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1882 }
1883
1884 #define MAY_LINK 0
1885 #define MAY_UNLINK 1
1886 #define MAY_RMDIR 2
1887
1888 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1889 static int may_link(struct inode *dir,
1890 struct dentry *dentry,
1891 int kind)
1892
1893 {
1894 struct inode_security_struct *dsec, *isec;
1895 struct common_audit_data ad;
1896 u32 sid = current_sid();
1897 u32 av;
1898 int rc;
1899
1900 dsec = inode_security(dir);
1901 isec = backing_inode_security(dentry);
1902
1903 ad.type = LSM_AUDIT_DATA_DENTRY;
1904 ad.u.dentry = dentry;
1905
1906 av = DIR__SEARCH;
1907 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1908 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1909 if (rc)
1910 return rc;
1911
1912 switch (kind) {
1913 case MAY_LINK:
1914 av = FILE__LINK;
1915 break;
1916 case MAY_UNLINK:
1917 av = FILE__UNLINK;
1918 break;
1919 case MAY_RMDIR:
1920 av = DIR__RMDIR;
1921 break;
1922 default:
1923 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1924 __func__, kind);
1925 return 0;
1926 }
1927
1928 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1929 return rc;
1930 }
1931
1932 static inline int may_rename(struct inode *old_dir,
1933 struct dentry *old_dentry,
1934 struct inode *new_dir,
1935 struct dentry *new_dentry)
1936 {
1937 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1938 struct common_audit_data ad;
1939 u32 sid = current_sid();
1940 u32 av;
1941 int old_is_dir, new_is_dir;
1942 int rc;
1943
1944 old_dsec = inode_security(old_dir);
1945 old_isec = backing_inode_security(old_dentry);
1946 old_is_dir = d_is_dir(old_dentry);
1947 new_dsec = inode_security(new_dir);
1948
1949 ad.type = LSM_AUDIT_DATA_DENTRY;
1950
1951 ad.u.dentry = old_dentry;
1952 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1953 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1954 if (rc)
1955 return rc;
1956 rc = avc_has_perm(sid, old_isec->sid,
1957 old_isec->sclass, FILE__RENAME, &ad);
1958 if (rc)
1959 return rc;
1960 if (old_is_dir && new_dir != old_dir) {
1961 rc = avc_has_perm(sid, old_isec->sid,
1962 old_isec->sclass, DIR__REPARENT, &ad);
1963 if (rc)
1964 return rc;
1965 }
1966
1967 ad.u.dentry = new_dentry;
1968 av = DIR__ADD_NAME | DIR__SEARCH;
1969 if (d_is_positive(new_dentry))
1970 av |= DIR__REMOVE_NAME;
1971 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1972 if (rc)
1973 return rc;
1974 if (d_is_positive(new_dentry)) {
1975 new_isec = backing_inode_security(new_dentry);
1976 new_is_dir = d_is_dir(new_dentry);
1977 rc = avc_has_perm(sid, new_isec->sid,
1978 new_isec->sclass,
1979 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1980 if (rc)
1981 return rc;
1982 }
1983
1984 return 0;
1985 }
1986
1987 /* Check whether a task can perform a filesystem operation. */
1988 static int superblock_has_perm(const struct cred *cred,
1989 struct super_block *sb,
1990 u32 perms,
1991 struct common_audit_data *ad)
1992 {
1993 struct superblock_security_struct *sbsec;
1994 u32 sid = cred_sid(cred);
1995
1996 sbsec = sb->s_security;
1997 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1998 }
1999
2000 /* Convert a Linux mode and permission mask to an access vector. */
2001 static inline u32 file_mask_to_av(int mode, int mask)
2002 {
2003 u32 av = 0;
2004
2005 if (!S_ISDIR(mode)) {
2006 if (mask & MAY_EXEC)
2007 av |= FILE__EXECUTE;
2008 if (mask & MAY_READ)
2009 av |= FILE__READ;
2010
2011 if (mask & MAY_APPEND)
2012 av |= FILE__APPEND;
2013 else if (mask & MAY_WRITE)
2014 av |= FILE__WRITE;
2015
2016 } else {
2017 if (mask & MAY_EXEC)
2018 av |= DIR__SEARCH;
2019 if (mask & MAY_WRITE)
2020 av |= DIR__WRITE;
2021 if (mask & MAY_READ)
2022 av |= DIR__READ;
2023 }
2024
2025 return av;
2026 }
2027
2028 /* Convert a Linux file to an access vector. */
2029 static inline u32 file_to_av(struct file *file)
2030 {
2031 u32 av = 0;
2032
2033 if (file->f_mode & FMODE_READ)
2034 av |= FILE__READ;
2035 if (file->f_mode & FMODE_WRITE) {
2036 if (file->f_flags & O_APPEND)
2037 av |= FILE__APPEND;
2038 else
2039 av |= FILE__WRITE;
2040 }
2041 if (!av) {
2042 /*
2043 * Special file opened with flags 3 for ioctl-only use.
2044 */
2045 av = FILE__IOCTL;
2046 }
2047
2048 return av;
2049 }
2050
2051 /*
2052 * Convert a file to an access vector and include the correct open
2053 * open permission.
2054 */
2055 static inline u32 open_file_to_av(struct file *file)
2056 {
2057 u32 av = file_to_av(file);
2058 struct inode *inode = file_inode(file);
2059
2060 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2061 av |= FILE__OPEN;
2062
2063 return av;
2064 }
2065
2066 /* Hook functions begin here. */
2067
2068 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2069 {
2070 u32 mysid = current_sid();
2071 u32 mgrsid = task_sid(mgr);
2072
2073 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2074 BINDER__SET_CONTEXT_MGR, NULL);
2075 }
2076
2077 static int selinux_binder_transaction(struct task_struct *from,
2078 struct task_struct *to)
2079 {
2080 u32 mysid = current_sid();
2081 u32 fromsid = task_sid(from);
2082 u32 tosid = task_sid(to);
2083 int rc;
2084
2085 if (mysid != fromsid) {
2086 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2087 BINDER__IMPERSONATE, NULL);
2088 if (rc)
2089 return rc;
2090 }
2091
2092 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2093 NULL);
2094 }
2095
2096 static int selinux_binder_transfer_binder(struct task_struct *from,
2097 struct task_struct *to)
2098 {
2099 u32 fromsid = task_sid(from);
2100 u32 tosid = task_sid(to);
2101
2102 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2103 NULL);
2104 }
2105
2106 static int selinux_binder_transfer_file(struct task_struct *from,
2107 struct task_struct *to,
2108 struct file *file)
2109 {
2110 u32 sid = task_sid(to);
2111 struct file_security_struct *fsec = file->f_security;
2112 struct dentry *dentry = file->f_path.dentry;
2113 struct inode_security_struct *isec;
2114 struct common_audit_data ad;
2115 int rc;
2116
2117 ad.type = LSM_AUDIT_DATA_PATH;
2118 ad.u.path = file->f_path;
2119
2120 if (sid != fsec->sid) {
2121 rc = avc_has_perm(sid, fsec->sid,
2122 SECCLASS_FD,
2123 FD__USE,
2124 &ad);
2125 if (rc)
2126 return rc;
2127 }
2128
2129 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2130 return 0;
2131
2132 isec = backing_inode_security(dentry);
2133 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2134 &ad);
2135 }
2136
2137 static int selinux_ptrace_access_check(struct task_struct *child,
2138 unsigned int mode)
2139 {
2140 if (mode & PTRACE_MODE_READ) {
2141 u32 sid = current_sid();
2142 u32 csid = task_sid(child);
2143 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2144 }
2145
2146 return current_has_perm(child, PROCESS__PTRACE);
2147 }
2148
2149 static int selinux_ptrace_traceme(struct task_struct *parent)
2150 {
2151 return task_has_perm(parent, current, PROCESS__PTRACE);
2152 }
2153
2154 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2155 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2156 {
2157 return current_has_perm(target, PROCESS__GETCAP);
2158 }
2159
2160 static int selinux_capset(struct cred *new, const struct cred *old,
2161 const kernel_cap_t *effective,
2162 const kernel_cap_t *inheritable,
2163 const kernel_cap_t *permitted)
2164 {
2165 return cred_has_perm(old, new, PROCESS__SETCAP);
2166 }
2167
2168 /*
2169 * (This comment used to live with the selinux_task_setuid hook,
2170 * which was removed).
2171 *
2172 * Since setuid only affects the current process, and since the SELinux
2173 * controls are not based on the Linux identity attributes, SELinux does not
2174 * need to control this operation. However, SELinux does control the use of
2175 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2176 */
2177
2178 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2179 int cap, int audit)
2180 {
2181 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2182 }
2183
2184 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2185 {
2186 const struct cred *cred = current_cred();
2187 int rc = 0;
2188
2189 if (!sb)
2190 return 0;
2191
2192 switch (cmds) {
2193 case Q_SYNC:
2194 case Q_QUOTAON:
2195 case Q_QUOTAOFF:
2196 case Q_SETINFO:
2197 case Q_SETQUOTA:
2198 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2199 break;
2200 case Q_GETFMT:
2201 case Q_GETINFO:
2202 case Q_GETQUOTA:
2203 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2204 break;
2205 default:
2206 rc = 0; /* let the kernel handle invalid cmds */
2207 break;
2208 }
2209 return rc;
2210 }
2211
2212 static int selinux_quota_on(struct dentry *dentry)
2213 {
2214 const struct cred *cred = current_cred();
2215
2216 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2217 }
2218
2219 static int selinux_syslog(int type)
2220 {
2221 int rc;
2222
2223 switch (type) {
2224 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2225 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2226 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2227 break;
2228 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2229 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2230 /* Set level of messages printed to console */
2231 case SYSLOG_ACTION_CONSOLE_LEVEL:
2232 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2233 break;
2234 case SYSLOG_ACTION_CLOSE: /* Close log */
2235 case SYSLOG_ACTION_OPEN: /* Open log */
2236 case SYSLOG_ACTION_READ: /* Read from log */
2237 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2238 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2239 default:
2240 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2241 break;
2242 }
2243 return rc;
2244 }
2245
2246 /*
2247 * Check that a process has enough memory to allocate a new virtual
2248 * mapping. 0 means there is enough memory for the allocation to
2249 * succeed and -ENOMEM implies there is not.
2250 *
2251 * Do not audit the selinux permission check, as this is applied to all
2252 * processes that allocate mappings.
2253 */
2254 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2255 {
2256 int rc, cap_sys_admin = 0;
2257
2258 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2259 SECURITY_CAP_NOAUDIT, true);
2260 if (rc == 0)
2261 cap_sys_admin = 1;
2262
2263 return cap_sys_admin;
2264 }
2265
2266 /* binprm security operations */
2267
2268 static u32 ptrace_parent_sid(struct task_struct *task)
2269 {
2270 u32 sid = 0;
2271 struct task_struct *tracer;
2272
2273 rcu_read_lock();
2274 tracer = ptrace_parent(task);
2275 if (tracer)
2276 sid = task_sid(tracer);
2277 rcu_read_unlock();
2278
2279 return sid;
2280 }
2281
2282 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2283 const struct task_security_struct *old_tsec,
2284 const struct task_security_struct *new_tsec)
2285 {
2286 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2287 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2288 int rc;
2289
2290 if (!nnp && !nosuid)
2291 return 0; /* neither NNP nor nosuid */
2292
2293 if (new_tsec->sid == old_tsec->sid)
2294 return 0; /* No change in credentials */
2295
2296 /*
2297 * The only transitions we permit under NNP or nosuid
2298 * are transitions to bounded SIDs, i.e. SIDs that are
2299 * guaranteed to only be allowed a subset of the permissions
2300 * of the current SID.
2301 */
2302 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2303 if (rc) {
2304 /*
2305 * On failure, preserve the errno values for NNP vs nosuid.
2306 * NNP: Operation not permitted for caller.
2307 * nosuid: Permission denied to file.
2308 */
2309 if (nnp)
2310 return -EPERM;
2311 else
2312 return -EACCES;
2313 }
2314 return 0;
2315 }
2316
2317 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2318 {
2319 const struct task_security_struct *old_tsec;
2320 struct task_security_struct *new_tsec;
2321 struct inode_security_struct *isec;
2322 struct common_audit_data ad;
2323 struct inode *inode = file_inode(bprm->file);
2324 int rc;
2325
2326 /* SELinux context only depends on initial program or script and not
2327 * the script interpreter */
2328 if (bprm->cred_prepared)
2329 return 0;
2330
2331 old_tsec = current_security();
2332 new_tsec = bprm->cred->security;
2333 isec = inode_security(inode);
2334
2335 /* Default to the current task SID. */
2336 new_tsec->sid = old_tsec->sid;
2337 new_tsec->osid = old_tsec->sid;
2338
2339 /* Reset fs, key, and sock SIDs on execve. */
2340 new_tsec->create_sid = 0;
2341 new_tsec->keycreate_sid = 0;
2342 new_tsec->sockcreate_sid = 0;
2343
2344 if (old_tsec->exec_sid) {
2345 new_tsec->sid = old_tsec->exec_sid;
2346 /* Reset exec SID on execve. */
2347 new_tsec->exec_sid = 0;
2348
2349 /* Fail on NNP or nosuid if not an allowed transition. */
2350 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2351 if (rc)
2352 return rc;
2353 } else {
2354 /* Check for a default transition on this program. */
2355 rc = security_transition_sid(old_tsec->sid, isec->sid,
2356 SECCLASS_PROCESS, NULL,
2357 &new_tsec->sid);
2358 if (rc)
2359 return rc;
2360
2361 /*
2362 * Fallback to old SID on NNP or nosuid if not an allowed
2363 * transition.
2364 */
2365 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2366 if (rc)
2367 new_tsec->sid = old_tsec->sid;
2368 }
2369
2370 ad.type = LSM_AUDIT_DATA_FILE;
2371 ad.u.file = bprm->file;
2372
2373 if (new_tsec->sid == old_tsec->sid) {
2374 rc = avc_has_perm(old_tsec->sid, isec->sid,
2375 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2376 if (rc)
2377 return rc;
2378 } else {
2379 /* Check permissions for the transition. */
2380 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2381 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2382 if (rc)
2383 return rc;
2384
2385 rc = avc_has_perm(new_tsec->sid, isec->sid,
2386 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2387 if (rc)
2388 return rc;
2389
2390 /* Check for shared state */
2391 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2392 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2393 SECCLASS_PROCESS, PROCESS__SHARE,
2394 NULL);
2395 if (rc)
2396 return -EPERM;
2397 }
2398
2399 /* Make sure that anyone attempting to ptrace over a task that
2400 * changes its SID has the appropriate permit */
2401 if (bprm->unsafe &
2402 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2403 u32 ptsid = ptrace_parent_sid(current);
2404 if (ptsid != 0) {
2405 rc = avc_has_perm(ptsid, new_tsec->sid,
2406 SECCLASS_PROCESS,
2407 PROCESS__PTRACE, NULL);
2408 if (rc)
2409 return -EPERM;
2410 }
2411 }
2412
2413 /* Clear any possibly unsafe personality bits on exec: */
2414 bprm->per_clear |= PER_CLEAR_ON_SETID;
2415 }
2416
2417 return 0;
2418 }
2419
2420 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2421 {
2422 const struct task_security_struct *tsec = current_security();
2423 u32 sid, osid;
2424 int atsecure = 0;
2425
2426 sid = tsec->sid;
2427 osid = tsec->osid;
2428
2429 if (osid != sid) {
2430 /* Enable secure mode for SIDs transitions unless
2431 the noatsecure permission is granted between
2432 the two SIDs, i.e. ahp returns 0. */
2433 atsecure = avc_has_perm(osid, sid,
2434 SECCLASS_PROCESS,
2435 PROCESS__NOATSECURE, NULL);
2436 }
2437
2438 return !!atsecure;
2439 }
2440
2441 static int match_file(const void *p, struct file *file, unsigned fd)
2442 {
2443 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2444 }
2445
2446 /* Derived from fs/exec.c:flush_old_files. */
2447 static inline void flush_unauthorized_files(const struct cred *cred,
2448 struct files_struct *files)
2449 {
2450 struct file *file, *devnull = NULL;
2451 struct tty_struct *tty;
2452 int drop_tty = 0;
2453 unsigned n;
2454
2455 tty = get_current_tty();
2456 if (tty) {
2457 spin_lock(&tty->files_lock);
2458 if (!list_empty(&tty->tty_files)) {
2459 struct tty_file_private *file_priv;
2460
2461 /* Revalidate access to controlling tty.
2462 Use file_path_has_perm on the tty path directly
2463 rather than using file_has_perm, as this particular
2464 open file may belong to another process and we are
2465 only interested in the inode-based check here. */
2466 file_priv = list_first_entry(&tty->tty_files,
2467 struct tty_file_private, list);
2468 file = file_priv->file;
2469 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2470 drop_tty = 1;
2471 }
2472 spin_unlock(&tty->files_lock);
2473 tty_kref_put(tty);
2474 }
2475 /* Reset controlling tty. */
2476 if (drop_tty)
2477 no_tty();
2478
2479 /* Revalidate access to inherited open files. */
2480 n = iterate_fd(files, 0, match_file, cred);
2481 if (!n) /* none found? */
2482 return;
2483
2484 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2485 if (IS_ERR(devnull))
2486 devnull = NULL;
2487 /* replace all the matching ones with this */
2488 do {
2489 replace_fd(n - 1, devnull, 0);
2490 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2491 if (devnull)
2492 fput(devnull);
2493 }
2494
2495 /*
2496 * Prepare a process for imminent new credential changes due to exec
2497 */
2498 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2499 {
2500 struct task_security_struct *new_tsec;
2501 struct rlimit *rlim, *initrlim;
2502 int rc, i;
2503
2504 new_tsec = bprm->cred->security;
2505 if (new_tsec->sid == new_tsec->osid)
2506 return;
2507
2508 /* Close files for which the new task SID is not authorized. */
2509 flush_unauthorized_files(bprm->cred, current->files);
2510
2511 /* Always clear parent death signal on SID transitions. */
2512 current->pdeath_signal = 0;
2513
2514 /* Check whether the new SID can inherit resource limits from the old
2515 * SID. If not, reset all soft limits to the lower of the current
2516 * task's hard limit and the init task's soft limit.
2517 *
2518 * Note that the setting of hard limits (even to lower them) can be
2519 * controlled by the setrlimit check. The inclusion of the init task's
2520 * soft limit into the computation is to avoid resetting soft limits
2521 * higher than the default soft limit for cases where the default is
2522 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2523 */
2524 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2525 PROCESS__RLIMITINH, NULL);
2526 if (rc) {
2527 /* protect against do_prlimit() */
2528 task_lock(current);
2529 for (i = 0; i < RLIM_NLIMITS; i++) {
2530 rlim = current->signal->rlim + i;
2531 initrlim = init_task.signal->rlim + i;
2532 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2533 }
2534 task_unlock(current);
2535 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2536 }
2537 }
2538
2539 /*
2540 * Clean up the process immediately after the installation of new credentials
2541 * due to exec
2542 */
2543 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2544 {
2545 const struct task_security_struct *tsec = current_security();
2546 struct itimerval itimer;
2547 u32 osid, sid;
2548 int rc, i;
2549
2550 osid = tsec->osid;
2551 sid = tsec->sid;
2552
2553 if (sid == osid)
2554 return;
2555
2556 /* Check whether the new SID can inherit signal state from the old SID.
2557 * If not, clear itimers to avoid subsequent signal generation and
2558 * flush and unblock signals.
2559 *
2560 * This must occur _after_ the task SID has been updated so that any
2561 * kill done after the flush will be checked against the new SID.
2562 */
2563 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2564 if (rc) {
2565 memset(&itimer, 0, sizeof itimer);
2566 for (i = 0; i < 3; i++)
2567 do_setitimer(i, &itimer, NULL);
2568 spin_lock_irq(&current->sighand->siglock);
2569 if (!fatal_signal_pending(current)) {
2570 flush_sigqueue(&current->pending);
2571 flush_sigqueue(&current->signal->shared_pending);
2572 flush_signal_handlers(current, 1);
2573 sigemptyset(&current->blocked);
2574 recalc_sigpending();
2575 }
2576 spin_unlock_irq(&current->sighand->siglock);
2577 }
2578
2579 /* Wake up the parent if it is waiting so that it can recheck
2580 * wait permission to the new task SID. */
2581 read_lock(&tasklist_lock);
2582 __wake_up_parent(current, current->real_parent);
2583 read_unlock(&tasklist_lock);
2584 }
2585
2586 /* superblock security operations */
2587
2588 static int selinux_sb_alloc_security(struct super_block *sb)
2589 {
2590 return superblock_alloc_security(sb);
2591 }
2592
2593 static void selinux_sb_free_security(struct super_block *sb)
2594 {
2595 superblock_free_security(sb);
2596 }
2597
2598 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2599 {
2600 if (plen > olen)
2601 return 0;
2602
2603 return !memcmp(prefix, option, plen);
2604 }
2605
2606 static inline int selinux_option(char *option, int len)
2607 {
2608 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2609 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2610 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2611 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2612 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2613 }
2614
2615 static inline void take_option(char **to, char *from, int *first, int len)
2616 {
2617 if (!*first) {
2618 **to = ',';
2619 *to += 1;
2620 } else
2621 *first = 0;
2622 memcpy(*to, from, len);
2623 *to += len;
2624 }
2625
2626 static inline void take_selinux_option(char **to, char *from, int *first,
2627 int len)
2628 {
2629 int current_size = 0;
2630
2631 if (!*first) {
2632 **to = '|';
2633 *to += 1;
2634 } else
2635 *first = 0;
2636
2637 while (current_size < len) {
2638 if (*from != '"') {
2639 **to = *from;
2640 *to += 1;
2641 }
2642 from += 1;
2643 current_size += 1;
2644 }
2645 }
2646
2647 static int selinux_sb_copy_data(char *orig, char *copy)
2648 {
2649 int fnosec, fsec, rc = 0;
2650 char *in_save, *in_curr, *in_end;
2651 char *sec_curr, *nosec_save, *nosec;
2652 int open_quote = 0;
2653
2654 in_curr = orig;
2655 sec_curr = copy;
2656
2657 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2658 if (!nosec) {
2659 rc = -ENOMEM;
2660 goto out;
2661 }
2662
2663 nosec_save = nosec;
2664 fnosec = fsec = 1;
2665 in_save = in_end = orig;
2666
2667 do {
2668 if (*in_end == '"')
2669 open_quote = !open_quote;
2670 if ((*in_end == ',' && open_quote == 0) ||
2671 *in_end == '\0') {
2672 int len = in_end - in_curr;
2673
2674 if (selinux_option(in_curr, len))
2675 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2676 else
2677 take_option(&nosec, in_curr, &fnosec, len);
2678
2679 in_curr = in_end + 1;
2680 }
2681 } while (*in_end++);
2682
2683 strcpy(in_save, nosec_save);
2684 free_page((unsigned long)nosec_save);
2685 out:
2686 return rc;
2687 }
2688
2689 static int selinux_sb_remount(struct super_block *sb, void *data)
2690 {
2691 int rc, i, *flags;
2692 struct security_mnt_opts opts;
2693 char *secdata, **mount_options;
2694 struct superblock_security_struct *sbsec = sb->s_security;
2695
2696 if (!(sbsec->flags & SE_SBINITIALIZED))
2697 return 0;
2698
2699 if (!data)
2700 return 0;
2701
2702 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2703 return 0;
2704
2705 security_init_mnt_opts(&opts);
2706 secdata = alloc_secdata();
2707 if (!secdata)
2708 return -ENOMEM;
2709 rc = selinux_sb_copy_data(data, secdata);
2710 if (rc)
2711 goto out_free_secdata;
2712
2713 rc = selinux_parse_opts_str(secdata, &opts);
2714 if (rc)
2715 goto out_free_secdata;
2716
2717 mount_options = opts.mnt_opts;
2718 flags = opts.mnt_opts_flags;
2719
2720 for (i = 0; i < opts.num_mnt_opts; i++) {
2721 u32 sid;
2722
2723 if (flags[i] == SBLABEL_MNT)
2724 continue;
2725 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2726 if (rc) {
2727 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2728 "(%s) failed for (dev %s, type %s) errno=%d\n",
2729 mount_options[i], sb->s_id, sb->s_type->name, rc);
2730 goto out_free_opts;
2731 }
2732 rc = -EINVAL;
2733 switch (flags[i]) {
2734 case FSCONTEXT_MNT:
2735 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2736 goto out_bad_option;
2737 break;
2738 case CONTEXT_MNT:
2739 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2740 goto out_bad_option;
2741 break;
2742 case ROOTCONTEXT_MNT: {
2743 struct inode_security_struct *root_isec;
2744 root_isec = backing_inode_security(sb->s_root);
2745
2746 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2747 goto out_bad_option;
2748 break;
2749 }
2750 case DEFCONTEXT_MNT:
2751 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2752 goto out_bad_option;
2753 break;
2754 default:
2755 goto out_free_opts;
2756 }
2757 }
2758
2759 rc = 0;
2760 out_free_opts:
2761 security_free_mnt_opts(&opts);
2762 out_free_secdata:
2763 free_secdata(secdata);
2764 return rc;
2765 out_bad_option:
2766 printk(KERN_WARNING "SELinux: unable to change security options "
2767 "during remount (dev %s, type=%s)\n", sb->s_id,
2768 sb->s_type->name);
2769 goto out_free_opts;
2770 }
2771
2772 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2773 {
2774 const struct cred *cred = current_cred();
2775 struct common_audit_data ad;
2776 int rc;
2777
2778 rc = superblock_doinit(sb, data);
2779 if (rc)
2780 return rc;
2781
2782 /* Allow all mounts performed by the kernel */
2783 if (flags & (MS_KERNMOUNT | MS_SUBMOUNT))
2784 return 0;
2785
2786 ad.type = LSM_AUDIT_DATA_DENTRY;
2787 ad.u.dentry = sb->s_root;
2788 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2789 }
2790
2791 static int selinux_sb_statfs(struct dentry *dentry)
2792 {
2793 const struct cred *cred = current_cred();
2794 struct common_audit_data ad;
2795
2796 ad.type = LSM_AUDIT_DATA_DENTRY;
2797 ad.u.dentry = dentry->d_sb->s_root;
2798 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2799 }
2800
2801 static int selinux_mount(const char *dev_name,
2802 const struct path *path,
2803 const char *type,
2804 unsigned long flags,
2805 void *data)
2806 {
2807 const struct cred *cred = current_cred();
2808
2809 if (flags & MS_REMOUNT)
2810 return superblock_has_perm(cred, path->dentry->d_sb,
2811 FILESYSTEM__REMOUNT, NULL);
2812 else
2813 return path_has_perm(cred, path, FILE__MOUNTON);
2814 }
2815
2816 static int selinux_umount(struct vfsmount *mnt, int flags)
2817 {
2818 const struct cred *cred = current_cred();
2819
2820 return superblock_has_perm(cred, mnt->mnt_sb,
2821 FILESYSTEM__UNMOUNT, NULL);
2822 }
2823
2824 /* inode security operations */
2825
2826 static int selinux_inode_alloc_security(struct inode *inode)
2827 {
2828 return inode_alloc_security(inode);
2829 }
2830
2831 static void selinux_inode_free_security(struct inode *inode)
2832 {
2833 inode_free_security(inode);
2834 }
2835
2836 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2837 const struct qstr *name, void **ctx,
2838 u32 *ctxlen)
2839 {
2840 u32 newsid;
2841 int rc;
2842
2843 rc = selinux_determine_inode_label(current_security(),
2844 d_inode(dentry->d_parent), name,
2845 inode_mode_to_security_class(mode),
2846 &newsid);
2847 if (rc)
2848 return rc;
2849
2850 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2851 }
2852
2853 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2854 struct qstr *name,
2855 const struct cred *old,
2856 struct cred *new)
2857 {
2858 u32 newsid;
2859 int rc;
2860 struct task_security_struct *tsec;
2861
2862 rc = selinux_determine_inode_label(old->security,
2863 d_inode(dentry->d_parent), name,
2864 inode_mode_to_security_class(mode),
2865 &newsid);
2866 if (rc)
2867 return rc;
2868
2869 tsec = new->security;
2870 tsec->create_sid = newsid;
2871 return 0;
2872 }
2873
2874 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2875 const struct qstr *qstr,
2876 const char **name,
2877 void **value, size_t *len)
2878 {
2879 const struct task_security_struct *tsec = current_security();
2880 struct superblock_security_struct *sbsec;
2881 u32 sid, newsid, clen;
2882 int rc;
2883 char *context;
2884
2885 sbsec = dir->i_sb->s_security;
2886
2887 sid = tsec->sid;
2888 newsid = tsec->create_sid;
2889
2890 rc = selinux_determine_inode_label(current_security(),
2891 dir, qstr,
2892 inode_mode_to_security_class(inode->i_mode),
2893 &newsid);
2894 if (rc)
2895 return rc;
2896
2897 /* Possibly defer initialization to selinux_complete_init. */
2898 if (sbsec->flags & SE_SBINITIALIZED) {
2899 struct inode_security_struct *isec = inode->i_security;
2900 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2901 isec->sid = newsid;
2902 isec->initialized = LABEL_INITIALIZED;
2903 }
2904
2905 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2906 return -EOPNOTSUPP;
2907
2908 if (name)
2909 *name = XATTR_SELINUX_SUFFIX;
2910
2911 if (value && len) {
2912 rc = security_sid_to_context_force(newsid, &context, &clen);
2913 if (rc)
2914 return rc;
2915 *value = context;
2916 *len = clen;
2917 }
2918
2919 return 0;
2920 }
2921
2922 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2923 {
2924 return may_create(dir, dentry, SECCLASS_FILE);
2925 }
2926
2927 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2928 {
2929 return may_link(dir, old_dentry, MAY_LINK);
2930 }
2931
2932 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2933 {
2934 return may_link(dir, dentry, MAY_UNLINK);
2935 }
2936
2937 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2938 {
2939 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2940 }
2941
2942 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2943 {
2944 return may_create(dir, dentry, SECCLASS_DIR);
2945 }
2946
2947 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2948 {
2949 return may_link(dir, dentry, MAY_RMDIR);
2950 }
2951
2952 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2953 {
2954 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2955 }
2956
2957 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2958 struct inode *new_inode, struct dentry *new_dentry)
2959 {
2960 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2961 }
2962
2963 static int selinux_inode_readlink(struct dentry *dentry)
2964 {
2965 const struct cred *cred = current_cred();
2966
2967 return dentry_has_perm(cred, dentry, FILE__READ);
2968 }
2969
2970 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2971 bool rcu)
2972 {
2973 const struct cred *cred = current_cred();
2974 struct common_audit_data ad;
2975 struct inode_security_struct *isec;
2976 u32 sid;
2977
2978 validate_creds(cred);
2979
2980 ad.type = LSM_AUDIT_DATA_DENTRY;
2981 ad.u.dentry = dentry;
2982 sid = cred_sid(cred);
2983 isec = inode_security_rcu(inode, rcu);
2984 if (IS_ERR(isec))
2985 return PTR_ERR(isec);
2986
2987 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
2988 rcu ? MAY_NOT_BLOCK : 0);
2989 }
2990
2991 static noinline int audit_inode_permission(struct inode *inode,
2992 u32 perms, u32 audited, u32 denied,
2993 int result,
2994 unsigned flags)
2995 {
2996 struct common_audit_data ad;
2997 struct inode_security_struct *isec = inode->i_security;
2998 int rc;
2999
3000 ad.type = LSM_AUDIT_DATA_INODE;
3001 ad.u.inode = inode;
3002
3003 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3004 audited, denied, result, &ad, flags);
3005 if (rc)
3006 return rc;
3007 return 0;
3008 }
3009
3010 static int selinux_inode_permission(struct inode *inode, int mask)
3011 {
3012 const struct cred *cred = current_cred();
3013 u32 perms;
3014 bool from_access;
3015 unsigned flags = mask & MAY_NOT_BLOCK;
3016 struct inode_security_struct *isec;
3017 u32 sid;
3018 struct av_decision avd;
3019 int rc, rc2;
3020 u32 audited, denied;
3021
3022 from_access = mask & MAY_ACCESS;
3023 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3024
3025 /* No permission to check. Existence test. */
3026 if (!mask)
3027 return 0;
3028
3029 validate_creds(cred);
3030
3031 if (unlikely(IS_PRIVATE(inode)))
3032 return 0;
3033
3034 perms = file_mask_to_av(inode->i_mode, mask);
3035
3036 sid = cred_sid(cred);
3037 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3038 if (IS_ERR(isec))
3039 return PTR_ERR(isec);
3040
3041 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3042 audited = avc_audit_required(perms, &avd, rc,
3043 from_access ? FILE__AUDIT_ACCESS : 0,
3044 &denied);
3045 if (likely(!audited))
3046 return rc;
3047
3048 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3049 if (rc2)
3050 return rc2;
3051 return rc;
3052 }
3053
3054 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3055 {
3056 const struct cred *cred = current_cred();
3057 struct inode *inode = d_backing_inode(dentry);
3058 unsigned int ia_valid = iattr->ia_valid;
3059 __u32 av = FILE__WRITE;
3060
3061 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3062 if (ia_valid & ATTR_FORCE) {
3063 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3064 ATTR_FORCE);
3065 if (!ia_valid)
3066 return 0;
3067 }
3068
3069 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3070 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3071 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3072
3073 if (selinux_policycap_openperm &&
3074 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3075 (ia_valid & ATTR_SIZE) &&
3076 !(ia_valid & ATTR_FILE))
3077 av |= FILE__OPEN;
3078
3079 return dentry_has_perm(cred, dentry, av);
3080 }
3081
3082 static int selinux_inode_getattr(const struct path *path)
3083 {
3084 return path_has_perm(current_cred(), path, FILE__GETATTR);
3085 }
3086
3087 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
3088 {
3089 const struct cred *cred = current_cred();
3090
3091 if (!strncmp(name, XATTR_SECURITY_PREFIX,
3092 sizeof XATTR_SECURITY_PREFIX - 1)) {
3093 if (!strcmp(name, XATTR_NAME_CAPS)) {
3094 if (!capable(CAP_SETFCAP))
3095 return -EPERM;
3096 } else if (!capable(CAP_SYS_ADMIN)) {
3097 /* A different attribute in the security namespace.
3098 Restrict to administrator. */
3099 return -EPERM;
3100 }
3101 }
3102
3103 /* Not an attribute we recognize, so just check the
3104 ordinary setattr permission. */
3105 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3106 }
3107
3108 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3109 const void *value, size_t size, int flags)
3110 {
3111 struct inode *inode = d_backing_inode(dentry);
3112 struct inode_security_struct *isec;
3113 struct superblock_security_struct *sbsec;
3114 struct common_audit_data ad;
3115 u32 newsid, sid = current_sid();
3116 int rc = 0;
3117
3118 if (strcmp(name, XATTR_NAME_SELINUX))
3119 return selinux_inode_setotherxattr(dentry, name);
3120
3121 sbsec = inode->i_sb->s_security;
3122 if (!(sbsec->flags & SBLABEL_MNT))
3123 return -EOPNOTSUPP;
3124
3125 if (!inode_owner_or_capable(inode))
3126 return -EPERM;
3127
3128 ad.type = LSM_AUDIT_DATA_DENTRY;
3129 ad.u.dentry = dentry;
3130
3131 isec = backing_inode_security(dentry);
3132 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3133 FILE__RELABELFROM, &ad);
3134 if (rc)
3135 return rc;
3136
3137 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3138 if (rc == -EINVAL) {
3139 if (!capable(CAP_MAC_ADMIN)) {
3140 struct audit_buffer *ab;
3141 size_t audit_size;
3142 const char *str;
3143
3144 /* We strip a nul only if it is at the end, otherwise the
3145 * context contains a nul and we should audit that */
3146 if (value) {
3147 str = value;
3148 if (str[size - 1] == '\0')
3149 audit_size = size - 1;
3150 else
3151 audit_size = size;
3152 } else {
3153 str = "";
3154 audit_size = 0;
3155 }
3156 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3157 audit_log_format(ab, "op=setxattr invalid_context=");
3158 audit_log_n_untrustedstring(ab, value, audit_size);
3159 audit_log_end(ab);
3160
3161 return rc;
3162 }
3163 rc = security_context_to_sid_force(value, size, &newsid);
3164 }
3165 if (rc)
3166 return rc;
3167
3168 rc = avc_has_perm(sid, newsid, isec->sclass,
3169 FILE__RELABELTO, &ad);
3170 if (rc)
3171 return rc;
3172
3173 rc = security_validate_transition(isec->sid, newsid, sid,
3174 isec->sclass);
3175 if (rc)
3176 return rc;
3177
3178 return avc_has_perm(newsid,
3179 sbsec->sid,
3180 SECCLASS_FILESYSTEM,
3181 FILESYSTEM__ASSOCIATE,
3182 &ad);
3183 }
3184
3185 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3186 const void *value, size_t size,
3187 int flags)
3188 {
3189 struct inode *inode = d_backing_inode(dentry);
3190 struct inode_security_struct *isec;
3191 u32 newsid;
3192 int rc;
3193
3194 if (strcmp(name, XATTR_NAME_SELINUX)) {
3195 /* Not an attribute we recognize, so nothing to do. */
3196 return;
3197 }
3198
3199 rc = security_context_to_sid_force(value, size, &newsid);
3200 if (rc) {
3201 printk(KERN_ERR "SELinux: unable to map context to SID"
3202 "for (%s, %lu), rc=%d\n",
3203 inode->i_sb->s_id, inode->i_ino, -rc);
3204 return;
3205 }
3206
3207 isec = backing_inode_security(dentry);
3208 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3209 isec->sid = newsid;
3210 isec->initialized = LABEL_INITIALIZED;
3211
3212 return;
3213 }
3214
3215 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3216 {
3217 const struct cred *cred = current_cred();
3218
3219 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3220 }
3221
3222 static int selinux_inode_listxattr(struct dentry *dentry)
3223 {
3224 const struct cred *cred = current_cred();
3225
3226 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3227 }
3228
3229 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3230 {
3231 if (strcmp(name, XATTR_NAME_SELINUX))
3232 return selinux_inode_setotherxattr(dentry, name);
3233
3234 /* No one is allowed to remove a SELinux security label.
3235 You can change the label, but all data must be labeled. */
3236 return -EACCES;
3237 }
3238
3239 /*
3240 * Copy the inode security context value to the user.
3241 *
3242 * Permission check is handled by selinux_inode_getxattr hook.
3243 */
3244 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3245 {
3246 u32 size;
3247 int error;
3248 char *context = NULL;
3249 struct inode_security_struct *isec;
3250
3251 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3252 return -EOPNOTSUPP;
3253
3254 /*
3255 * If the caller has CAP_MAC_ADMIN, then get the raw context
3256 * value even if it is not defined by current policy; otherwise,
3257 * use the in-core value under current policy.
3258 * Use the non-auditing forms of the permission checks since
3259 * getxattr may be called by unprivileged processes commonly
3260 * and lack of permission just means that we fall back to the
3261 * in-core context value, not a denial.
3262 */
3263 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN,
3264 SECURITY_CAP_NOAUDIT);
3265 if (!error)
3266 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN,
3267 SECURITY_CAP_NOAUDIT, true);
3268 isec = inode_security(inode);
3269 if (!error)
3270 error = security_sid_to_context_force(isec->sid, &context,
3271 &size);
3272 else
3273 error = security_sid_to_context(isec->sid, &context, &size);
3274 if (error)
3275 return error;
3276 error = size;
3277 if (alloc) {
3278 *buffer = context;
3279 goto out_nofree;
3280 }
3281 kfree(context);
3282 out_nofree:
3283 return error;
3284 }
3285
3286 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3287 const void *value, size_t size, int flags)
3288 {
3289 struct inode_security_struct *isec = inode_security_novalidate(inode);
3290 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3291 u32 newsid;
3292 int rc;
3293
3294 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3295 return -EOPNOTSUPP;
3296
3297 if (!(sbsec->flags & SBLABEL_MNT))
3298 return -EOPNOTSUPP;
3299
3300 if (!value || !size)
3301 return -EACCES;
3302
3303 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3304 if (rc)
3305 return rc;
3306
3307 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3308 isec->sid = newsid;
3309 isec->initialized = LABEL_INITIALIZED;
3310 return 0;
3311 }
3312
3313 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3314 {
3315 const int len = sizeof(XATTR_NAME_SELINUX);
3316 if (buffer && len <= buffer_size)
3317 memcpy(buffer, XATTR_NAME_SELINUX, len);
3318 return len;
3319 }
3320
3321 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3322 {
3323 struct inode_security_struct *isec = inode_security_novalidate(inode);
3324 *secid = isec->sid;
3325 }
3326
3327 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3328 {
3329 u32 sid;
3330 struct task_security_struct *tsec;
3331 struct cred *new_creds = *new;
3332
3333 if (new_creds == NULL) {
3334 new_creds = prepare_creds();
3335 if (!new_creds)
3336 return -ENOMEM;
3337 }
3338
3339 tsec = new_creds->security;
3340 /* Get label from overlay inode and set it in create_sid */
3341 selinux_inode_getsecid(d_inode(src), &sid);
3342 tsec->create_sid = sid;
3343 *new = new_creds;
3344 return 0;
3345 }
3346
3347 static int selinux_inode_copy_up_xattr(const char *name)
3348 {
3349 /* The copy_up hook above sets the initial context on an inode, but we
3350 * don't then want to overwrite it by blindly copying all the lower
3351 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3352 */
3353 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3354 return 1; /* Discard */
3355 /*
3356 * Any other attribute apart from SELINUX is not claimed, supported
3357 * by selinux.
3358 */
3359 return -EOPNOTSUPP;
3360 }
3361
3362 /* file security operations */
3363
3364 static int selinux_revalidate_file_permission(struct file *file, int mask)
3365 {
3366 const struct cred *cred = current_cred();
3367 struct inode *inode = file_inode(file);
3368
3369 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3370 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3371 mask |= MAY_APPEND;
3372
3373 return file_has_perm(cred, file,
3374 file_mask_to_av(inode->i_mode, mask));
3375 }
3376
3377 static int selinux_file_permission(struct file *file, int mask)
3378 {
3379 struct inode *inode = file_inode(file);
3380 struct file_security_struct *fsec = file->f_security;
3381 struct inode_security_struct *isec;
3382 u32 sid = current_sid();
3383
3384 if (!mask)
3385 /* No permission to check. Existence test. */
3386 return 0;
3387
3388 isec = inode_security(inode);
3389 if (sid == fsec->sid && fsec->isid == isec->sid &&
3390 fsec->pseqno == avc_policy_seqno())
3391 /* No change since file_open check. */
3392 return 0;
3393
3394 return selinux_revalidate_file_permission(file, mask);
3395 }
3396
3397 static int selinux_file_alloc_security(struct file *file)
3398 {
3399 return file_alloc_security(file);
3400 }
3401
3402 static void selinux_file_free_security(struct file *file)
3403 {
3404 file_free_security(file);
3405 }
3406
3407 /*
3408 * Check whether a task has the ioctl permission and cmd
3409 * operation to an inode.
3410 */
3411 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3412 u32 requested, u16 cmd)
3413 {
3414 struct common_audit_data ad;
3415 struct file_security_struct *fsec = file->f_security;
3416 struct inode *inode = file_inode(file);
3417 struct inode_security_struct *isec;
3418 struct lsm_ioctlop_audit ioctl;
3419 u32 ssid = cred_sid(cred);
3420 int rc;
3421 u8 driver = cmd >> 8;
3422 u8 xperm = cmd & 0xff;
3423
3424 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3425 ad.u.op = &ioctl;
3426 ad.u.op->cmd = cmd;
3427 ad.u.op->path = file->f_path;
3428
3429 if (ssid != fsec->sid) {
3430 rc = avc_has_perm(ssid, fsec->sid,
3431 SECCLASS_FD,
3432 FD__USE,
3433 &ad);
3434 if (rc)
3435 goto out;
3436 }
3437
3438 if (unlikely(IS_PRIVATE(inode)))
3439 return 0;
3440
3441 isec = inode_security(inode);
3442 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3443 requested, driver, xperm, &ad);
3444 out:
3445 return rc;
3446 }
3447
3448 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3449 unsigned long arg)
3450 {
3451 const struct cred *cred = current_cred();
3452 int error = 0;
3453
3454 switch (cmd) {
3455 case FIONREAD:
3456 /* fall through */
3457 case FIBMAP:
3458 /* fall through */
3459 case FIGETBSZ:
3460 /* fall through */
3461 case FS_IOC_GETFLAGS:
3462 /* fall through */
3463 case FS_IOC_GETVERSION:
3464 error = file_has_perm(cred, file, FILE__GETATTR);
3465 break;
3466
3467 case FS_IOC_SETFLAGS:
3468 /* fall through */
3469 case FS_IOC_SETVERSION:
3470 error = file_has_perm(cred, file, FILE__SETATTR);
3471 break;
3472
3473 /* sys_ioctl() checks */
3474 case FIONBIO:
3475 /* fall through */
3476 case FIOASYNC:
3477 error = file_has_perm(cred, file, 0);
3478 break;
3479
3480 case KDSKBENT:
3481 case KDSKBSENT:
3482 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3483 SECURITY_CAP_AUDIT, true);
3484 break;
3485
3486 /* default case assumes that the command will go
3487 * to the file's ioctl() function.
3488 */
3489 default:
3490 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3491 }
3492 return error;
3493 }
3494
3495 static int default_noexec;
3496
3497 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3498 {
3499 const struct cred *cred = current_cred();
3500 int rc = 0;
3501
3502 if (default_noexec &&
3503 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3504 (!shared && (prot & PROT_WRITE)))) {
3505 /*
3506 * We are making executable an anonymous mapping or a
3507 * private file mapping that will also be writable.
3508 * This has an additional check.
3509 */
3510 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3511 if (rc)
3512 goto error;
3513 }
3514
3515 if (file) {
3516 /* read access is always possible with a mapping */
3517 u32 av = FILE__READ;
3518
3519 /* write access only matters if the mapping is shared */
3520 if (shared && (prot & PROT_WRITE))
3521 av |= FILE__WRITE;
3522
3523 if (prot & PROT_EXEC)
3524 av |= FILE__EXECUTE;
3525
3526 return file_has_perm(cred, file, av);
3527 }
3528
3529 error:
3530 return rc;
3531 }
3532
3533 static int selinux_mmap_addr(unsigned long addr)
3534 {
3535 int rc = 0;
3536
3537 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3538 u32 sid = current_sid();
3539 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3540 MEMPROTECT__MMAP_ZERO, NULL);
3541 }
3542
3543 return rc;
3544 }
3545
3546 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3547 unsigned long prot, unsigned long flags)
3548 {
3549 if (selinux_checkreqprot)
3550 prot = reqprot;
3551
3552 return file_map_prot_check(file, prot,
3553 (flags & MAP_TYPE) == MAP_SHARED);
3554 }
3555
3556 static int selinux_file_mprotect(struct vm_area_struct *vma,
3557 unsigned long reqprot,
3558 unsigned long prot)
3559 {
3560 const struct cred *cred = current_cred();
3561
3562 if (selinux_checkreqprot)
3563 prot = reqprot;
3564
3565 if (default_noexec &&
3566 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3567 int rc = 0;
3568 if (vma->vm_start >= vma->vm_mm->start_brk &&
3569 vma->vm_end <= vma->vm_mm->brk) {
3570 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3571 } else if (!vma->vm_file &&
3572 ((vma->vm_start <= vma->vm_mm->start_stack &&
3573 vma->vm_end >= vma->vm_mm->start_stack) ||
3574 vma_is_stack_for_current(vma))) {
3575 rc = current_has_perm(current, PROCESS__EXECSTACK);
3576 } else if (vma->vm_file && vma->anon_vma) {
3577 /*
3578 * We are making executable a file mapping that has
3579 * had some COW done. Since pages might have been
3580 * written, check ability to execute the possibly
3581 * modified content. This typically should only
3582 * occur for text relocations.
3583 */
3584 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3585 }
3586 if (rc)
3587 return rc;
3588 }
3589
3590 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3591 }
3592
3593 static int selinux_file_lock(struct file *file, unsigned int cmd)
3594 {
3595 const struct cred *cred = current_cred();
3596
3597 return file_has_perm(cred, file, FILE__LOCK);
3598 }
3599
3600 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3601 unsigned long arg)
3602 {
3603 const struct cred *cred = current_cred();
3604 int err = 0;
3605
3606 switch (cmd) {
3607 case F_SETFL:
3608 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3609 err = file_has_perm(cred, file, FILE__WRITE);
3610 break;
3611 }
3612 /* fall through */
3613 case F_SETOWN:
3614 case F_SETSIG:
3615 case F_GETFL:
3616 case F_GETOWN:
3617 case F_GETSIG:
3618 case F_GETOWNER_UIDS:
3619 /* Just check FD__USE permission */
3620 err = file_has_perm(cred, file, 0);
3621 break;
3622 case F_GETLK:
3623 case F_SETLK:
3624 case F_SETLKW:
3625 case F_OFD_GETLK:
3626 case F_OFD_SETLK:
3627 case F_OFD_SETLKW:
3628 #if BITS_PER_LONG == 32
3629 case F_GETLK64:
3630 case F_SETLK64:
3631 case F_SETLKW64:
3632 #endif
3633 err = file_has_perm(cred, file, FILE__LOCK);
3634 break;
3635 }
3636
3637 return err;
3638 }
3639
3640 static void selinux_file_set_fowner(struct file *file)
3641 {
3642 struct file_security_struct *fsec;
3643
3644 fsec = file->f_security;
3645 fsec->fown_sid = current_sid();
3646 }
3647
3648 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3649 struct fown_struct *fown, int signum)
3650 {
3651 struct file *file;
3652 u32 sid = task_sid(tsk);
3653 u32 perm;
3654 struct file_security_struct *fsec;
3655
3656 /* struct fown_struct is never outside the context of a struct file */
3657 file = container_of(fown, struct file, f_owner);
3658
3659 fsec = file->f_security;
3660
3661 if (!signum)
3662 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3663 else
3664 perm = signal_to_av(signum);
3665
3666 return avc_has_perm(fsec->fown_sid, sid,
3667 SECCLASS_PROCESS, perm, NULL);
3668 }
3669
3670 static int selinux_file_receive(struct file *file)
3671 {
3672 const struct cred *cred = current_cred();
3673
3674 return file_has_perm(cred, file, file_to_av(file));
3675 }
3676
3677 static int selinux_file_open(struct file *file, const struct cred *cred)
3678 {
3679 struct file_security_struct *fsec;
3680 struct inode_security_struct *isec;
3681
3682 fsec = file->f_security;
3683 isec = inode_security(file_inode(file));
3684 /*
3685 * Save inode label and policy sequence number
3686 * at open-time so that selinux_file_permission
3687 * can determine whether revalidation is necessary.
3688 * Task label is already saved in the file security
3689 * struct as its SID.
3690 */
3691 fsec->isid = isec->sid;
3692 fsec->pseqno = avc_policy_seqno();
3693 /*
3694 * Since the inode label or policy seqno may have changed
3695 * between the selinux_inode_permission check and the saving
3696 * of state above, recheck that access is still permitted.
3697 * Otherwise, access might never be revalidated against the
3698 * new inode label or new policy.
3699 * This check is not redundant - do not remove.
3700 */
3701 return file_path_has_perm(cred, file, open_file_to_av(file));
3702 }
3703
3704 /* task security operations */
3705
3706 static int selinux_task_create(unsigned long clone_flags)
3707 {
3708 return current_has_perm(current, PROCESS__FORK);
3709 }
3710
3711 /*
3712 * allocate the SELinux part of blank credentials
3713 */
3714 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3715 {
3716 struct task_security_struct *tsec;
3717
3718 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3719 if (!tsec)
3720 return -ENOMEM;
3721
3722 cred->security = tsec;
3723 return 0;
3724 }
3725
3726 /*
3727 * detach and free the LSM part of a set of credentials
3728 */
3729 static void selinux_cred_free(struct cred *cred)
3730 {
3731 struct task_security_struct *tsec = cred->security;
3732
3733 /*
3734 * cred->security == NULL if security_cred_alloc_blank() or
3735 * security_prepare_creds() returned an error.
3736 */
3737 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3738 cred->security = (void *) 0x7UL;
3739 kfree(tsec);
3740 }
3741
3742 /*
3743 * prepare a new set of credentials for modification
3744 */
3745 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3746 gfp_t gfp)
3747 {
3748 const struct task_security_struct *old_tsec;
3749 struct task_security_struct *tsec;
3750
3751 old_tsec = old->security;
3752
3753 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3754 if (!tsec)
3755 return -ENOMEM;
3756
3757 new->security = tsec;
3758 return 0;
3759 }
3760
3761 /*
3762 * transfer the SELinux data to a blank set of creds
3763 */
3764 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3765 {
3766 const struct task_security_struct *old_tsec = old->security;
3767 struct task_security_struct *tsec = new->security;
3768
3769 *tsec = *old_tsec;
3770 }
3771
3772 /*
3773 * set the security data for a kernel service
3774 * - all the creation contexts are set to unlabelled
3775 */
3776 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3777 {
3778 struct task_security_struct *tsec = new->security;
3779 u32 sid = current_sid();
3780 int ret;
3781
3782 ret = avc_has_perm(sid, secid,
3783 SECCLASS_KERNEL_SERVICE,
3784 KERNEL_SERVICE__USE_AS_OVERRIDE,
3785 NULL);
3786 if (ret == 0) {
3787 tsec->sid = secid;
3788 tsec->create_sid = 0;
3789 tsec->keycreate_sid = 0;
3790 tsec->sockcreate_sid = 0;
3791 }
3792 return ret;
3793 }
3794
3795 /*
3796 * set the file creation context in a security record to the same as the
3797 * objective context of the specified inode
3798 */
3799 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3800 {
3801 struct inode_security_struct *isec = inode_security(inode);
3802 struct task_security_struct *tsec = new->security;
3803 u32 sid = current_sid();
3804 int ret;
3805
3806 ret = avc_has_perm(sid, isec->sid,
3807 SECCLASS_KERNEL_SERVICE,
3808 KERNEL_SERVICE__CREATE_FILES_AS,
3809 NULL);
3810
3811 if (ret == 0)
3812 tsec->create_sid = isec->sid;
3813 return ret;
3814 }
3815
3816 static int selinux_kernel_module_request(char *kmod_name)
3817 {
3818 u32 sid;
3819 struct common_audit_data ad;
3820
3821 sid = task_sid(current);
3822
3823 ad.type = LSM_AUDIT_DATA_KMOD;
3824 ad.u.kmod_name = kmod_name;
3825
3826 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3827 SYSTEM__MODULE_REQUEST, &ad);
3828 }
3829
3830 static int selinux_kernel_module_from_file(struct file *file)
3831 {
3832 struct common_audit_data ad;
3833 struct inode_security_struct *isec;
3834 struct file_security_struct *fsec;
3835 u32 sid = current_sid();
3836 int rc;
3837
3838 /* init_module */
3839 if (file == NULL)
3840 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3841 SYSTEM__MODULE_LOAD, NULL);
3842
3843 /* finit_module */
3844
3845 ad.type = LSM_AUDIT_DATA_FILE;
3846 ad.u.file = file;
3847
3848 fsec = file->f_security;
3849 if (sid != fsec->sid) {
3850 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3851 if (rc)
3852 return rc;
3853 }
3854
3855 isec = inode_security(file_inode(file));
3856 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3857 SYSTEM__MODULE_LOAD, &ad);
3858 }
3859
3860 static int selinux_kernel_read_file(struct file *file,
3861 enum kernel_read_file_id id)
3862 {
3863 int rc = 0;
3864
3865 switch (id) {
3866 case READING_MODULE:
3867 rc = selinux_kernel_module_from_file(file);
3868 break;
3869 default:
3870 break;
3871 }
3872
3873 return rc;
3874 }
3875
3876 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3877 {
3878 return current_has_perm(p, PROCESS__SETPGID);
3879 }
3880
3881 static int selinux_task_getpgid(struct task_struct *p)
3882 {
3883 return current_has_perm(p, PROCESS__GETPGID);
3884 }
3885
3886 static int selinux_task_getsid(struct task_struct *p)
3887 {
3888 return current_has_perm(p, PROCESS__GETSESSION);
3889 }
3890
3891 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3892 {
3893 *secid = task_sid(p);
3894 }
3895
3896 static int selinux_task_setnice(struct task_struct *p, int nice)
3897 {
3898 return current_has_perm(p, PROCESS__SETSCHED);
3899 }
3900
3901 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3902 {
3903 return current_has_perm(p, PROCESS__SETSCHED);
3904 }
3905
3906 static int selinux_task_getioprio(struct task_struct *p)
3907 {
3908 return current_has_perm(p, PROCESS__GETSCHED);
3909 }
3910
3911 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
3912 struct rlimit *new_rlim)
3913 {
3914 struct rlimit *old_rlim = p->signal->rlim + resource;
3915
3916 /* Control the ability to change the hard limit (whether
3917 lowering or raising it), so that the hard limit can
3918 later be used as a safe reset point for the soft limit
3919 upon context transitions. See selinux_bprm_committing_creds. */
3920 if (old_rlim->rlim_max != new_rlim->rlim_max)
3921 return current_has_perm(p, PROCESS__SETRLIMIT);
3922
3923 return 0;
3924 }
3925
3926 static int selinux_task_setscheduler(struct task_struct *p)
3927 {
3928 return current_has_perm(p, PROCESS__SETSCHED);
3929 }
3930
3931 static int selinux_task_getscheduler(struct task_struct *p)
3932 {
3933 return current_has_perm(p, PROCESS__GETSCHED);
3934 }
3935
3936 static int selinux_task_movememory(struct task_struct *p)
3937 {
3938 return current_has_perm(p, PROCESS__SETSCHED);
3939 }
3940
3941 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3942 int sig, u32 secid)
3943 {
3944 u32 perm;
3945 int rc;
3946
3947 if (!sig)
3948 perm = PROCESS__SIGNULL; /* null signal; existence test */
3949 else
3950 perm = signal_to_av(sig);
3951 if (secid)
3952 rc = avc_has_perm(secid, task_sid(p),
3953 SECCLASS_PROCESS, perm, NULL);
3954 else
3955 rc = current_has_perm(p, perm);
3956 return rc;
3957 }
3958
3959 static int selinux_task_wait(struct task_struct *p)
3960 {
3961 return task_has_perm(p, current, PROCESS__SIGCHLD);
3962 }
3963
3964 static void selinux_task_to_inode(struct task_struct *p,
3965 struct inode *inode)
3966 {
3967 struct inode_security_struct *isec = inode->i_security;
3968 u32 sid = task_sid(p);
3969
3970 isec->sid = sid;
3971 isec->initialized = LABEL_INITIALIZED;
3972 }
3973
3974 /* Returns error only if unable to parse addresses */
3975 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3976 struct common_audit_data *ad, u8 *proto)
3977 {
3978 int offset, ihlen, ret = -EINVAL;
3979 struct iphdr _iph, *ih;
3980
3981 offset = skb_network_offset(skb);
3982 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3983 if (ih == NULL)
3984 goto out;
3985
3986 ihlen = ih->ihl * 4;
3987 if (ihlen < sizeof(_iph))
3988 goto out;
3989
3990 ad->u.net->v4info.saddr = ih->saddr;
3991 ad->u.net->v4info.daddr = ih->daddr;
3992 ret = 0;
3993
3994 if (proto)
3995 *proto = ih->protocol;
3996
3997 switch (ih->protocol) {
3998 case IPPROTO_TCP: {
3999 struct tcphdr _tcph, *th;
4000
4001 if (ntohs(ih->frag_off) & IP_OFFSET)
4002 break;
4003
4004 offset += ihlen;
4005 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4006 if (th == NULL)
4007 break;
4008
4009 ad->u.net->sport = th->source;
4010 ad->u.net->dport = th->dest;
4011 break;
4012 }
4013
4014 case IPPROTO_UDP: {
4015 struct udphdr _udph, *uh;
4016
4017 if (ntohs(ih->frag_off) & IP_OFFSET)
4018 break;
4019
4020 offset += ihlen;
4021 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4022 if (uh == NULL)
4023 break;
4024
4025 ad->u.net->sport = uh->source;
4026 ad->u.net->dport = uh->dest;
4027 break;
4028 }
4029
4030 case IPPROTO_DCCP: {
4031 struct dccp_hdr _dccph, *dh;
4032
4033 if (ntohs(ih->frag_off) & IP_OFFSET)
4034 break;
4035
4036 offset += ihlen;
4037 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4038 if (dh == NULL)
4039 break;
4040
4041 ad->u.net->sport = dh->dccph_sport;
4042 ad->u.net->dport = dh->dccph_dport;
4043 break;
4044 }
4045
4046 default:
4047 break;
4048 }
4049 out:
4050 return ret;
4051 }
4052
4053 #if IS_ENABLED(CONFIG_IPV6)
4054
4055 /* Returns error only if unable to parse addresses */
4056 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4057 struct common_audit_data *ad, u8 *proto)
4058 {
4059 u8 nexthdr;
4060 int ret = -EINVAL, offset;
4061 struct ipv6hdr _ipv6h, *ip6;
4062 __be16 frag_off;
4063
4064 offset = skb_network_offset(skb);
4065 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4066 if (ip6 == NULL)
4067 goto out;
4068
4069 ad->u.net->v6info.saddr = ip6->saddr;
4070 ad->u.net->v6info.daddr = ip6->daddr;
4071 ret = 0;
4072
4073 nexthdr = ip6->nexthdr;
4074 offset += sizeof(_ipv6h);
4075 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4076 if (offset < 0)
4077 goto out;
4078
4079 if (proto)
4080 *proto = nexthdr;
4081
4082 switch (nexthdr) {
4083 case IPPROTO_TCP: {
4084 struct tcphdr _tcph, *th;
4085
4086 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4087 if (th == NULL)
4088 break;
4089
4090 ad->u.net->sport = th->source;
4091 ad->u.net->dport = th->dest;
4092 break;
4093 }
4094
4095 case IPPROTO_UDP: {
4096 struct udphdr _udph, *uh;
4097
4098 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4099 if (uh == NULL)
4100 break;
4101
4102 ad->u.net->sport = uh->source;
4103 ad->u.net->dport = uh->dest;
4104 break;
4105 }
4106
4107 case IPPROTO_DCCP: {
4108 struct dccp_hdr _dccph, *dh;
4109
4110 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4111 if (dh == NULL)
4112 break;
4113
4114 ad->u.net->sport = dh->dccph_sport;
4115 ad->u.net->dport = dh->dccph_dport;
4116 break;
4117 }
4118
4119 /* includes fragments */
4120 default:
4121 break;
4122 }
4123 out:
4124 return ret;
4125 }
4126
4127 #endif /* IPV6 */
4128
4129 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4130 char **_addrp, int src, u8 *proto)
4131 {
4132 char *addrp;
4133 int ret;
4134
4135 switch (ad->u.net->family) {
4136 case PF_INET:
4137 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4138 if (ret)
4139 goto parse_error;
4140 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4141 &ad->u.net->v4info.daddr);
4142 goto okay;
4143
4144 #if IS_ENABLED(CONFIG_IPV6)
4145 case PF_INET6:
4146 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4147 if (ret)
4148 goto parse_error;
4149 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4150 &ad->u.net->v6info.daddr);
4151 goto okay;
4152 #endif /* IPV6 */
4153 default:
4154 addrp = NULL;
4155 goto okay;
4156 }
4157
4158 parse_error:
4159 printk(KERN_WARNING
4160 "SELinux: failure in selinux_parse_skb(),"
4161 " unable to parse packet\n");
4162 return ret;
4163
4164 okay:
4165 if (_addrp)
4166 *_addrp = addrp;
4167 return 0;
4168 }
4169
4170 /**
4171 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4172 * @skb: the packet
4173 * @family: protocol family
4174 * @sid: the packet's peer label SID
4175 *
4176 * Description:
4177 * Check the various different forms of network peer labeling and determine
4178 * the peer label/SID for the packet; most of the magic actually occurs in
4179 * the security server function security_net_peersid_cmp(). The function
4180 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4181 * or -EACCES if @sid is invalid due to inconsistencies with the different
4182 * peer labels.
4183 *
4184 */
4185 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4186 {
4187 int err;
4188 u32 xfrm_sid;
4189 u32 nlbl_sid;
4190 u32 nlbl_type;
4191
4192 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4193 if (unlikely(err))
4194 return -EACCES;
4195 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4196 if (unlikely(err))
4197 return -EACCES;
4198
4199 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4200 if (unlikely(err)) {
4201 printk(KERN_WARNING
4202 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4203 " unable to determine packet's peer label\n");
4204 return -EACCES;
4205 }
4206
4207 return 0;
4208 }
4209
4210 /**
4211 * selinux_conn_sid - Determine the child socket label for a connection
4212 * @sk_sid: the parent socket's SID
4213 * @skb_sid: the packet's SID
4214 * @conn_sid: the resulting connection SID
4215 *
4216 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4217 * combined with the MLS information from @skb_sid in order to create
4218 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4219 * of @sk_sid. Returns zero on success, negative values on failure.
4220 *
4221 */
4222 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4223 {
4224 int err = 0;
4225
4226 if (skb_sid != SECSID_NULL)
4227 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4228 else
4229 *conn_sid = sk_sid;
4230
4231 return err;
4232 }
4233
4234 /* socket security operations */
4235
4236 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4237 u16 secclass, u32 *socksid)
4238 {
4239 if (tsec->sockcreate_sid > SECSID_NULL) {
4240 *socksid = tsec->sockcreate_sid;
4241 return 0;
4242 }
4243
4244 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4245 socksid);
4246 }
4247
4248 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
4249 {
4250 struct sk_security_struct *sksec = sk->sk_security;
4251 struct common_audit_data ad;
4252 struct lsm_network_audit net = {0,};
4253 u32 tsid = task_sid(task);
4254
4255 if (sksec->sid == SECINITSID_KERNEL)
4256 return 0;
4257
4258 ad.type = LSM_AUDIT_DATA_NET;
4259 ad.u.net = &net;
4260 ad.u.net->sk = sk;
4261
4262 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad);
4263 }
4264
4265 static int selinux_socket_create(int family, int type,
4266 int protocol, int kern)
4267 {
4268 const struct task_security_struct *tsec = current_security();
4269 u32 newsid;
4270 u16 secclass;
4271 int rc;
4272
4273 if (kern)
4274 return 0;
4275
4276 secclass = socket_type_to_security_class(family, type, protocol);
4277 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4278 if (rc)
4279 return rc;
4280
4281 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4282 }
4283
4284 static int selinux_socket_post_create(struct socket *sock, int family,
4285 int type, int protocol, int kern)
4286 {
4287 const struct task_security_struct *tsec = current_security();
4288 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4289 struct sk_security_struct *sksec;
4290 int err = 0;
4291
4292 isec->sclass = socket_type_to_security_class(family, type, protocol);
4293
4294 if (kern)
4295 isec->sid = SECINITSID_KERNEL;
4296 else {
4297 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
4298 if (err)
4299 return err;
4300 }
4301
4302 isec->initialized = LABEL_INITIALIZED;
4303
4304 if (sock->sk) {
4305 sksec = sock->sk->sk_security;
4306 sksec->sid = isec->sid;
4307 sksec->sclass = isec->sclass;
4308 err = selinux_netlbl_socket_post_create(sock->sk, family);
4309 }
4310
4311 return err;
4312 }
4313
4314 /* Range of port numbers used to automatically bind.
4315 Need to determine whether we should perform a name_bind
4316 permission check between the socket and the port number. */
4317
4318 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4319 {
4320 struct sock *sk = sock->sk;
4321 u16 family;
4322 int err;
4323
4324 err = sock_has_perm(current, sk, SOCKET__BIND);
4325 if (err)
4326 goto out;
4327
4328 /*
4329 * If PF_INET or PF_INET6, check name_bind permission for the port.
4330 * Multiple address binding for SCTP is not supported yet: we just
4331 * check the first address now.
4332 */
4333 family = sk->sk_family;
4334 if (family == PF_INET || family == PF_INET6) {
4335 char *addrp;
4336 struct sk_security_struct *sksec = sk->sk_security;
4337 struct common_audit_data ad;
4338 struct lsm_network_audit net = {0,};
4339 struct sockaddr_in *addr4 = NULL;
4340 struct sockaddr_in6 *addr6 = NULL;
4341 unsigned short snum;
4342 u32 sid, node_perm;
4343
4344 if (family == PF_INET) {
4345 if (addrlen < sizeof(struct sockaddr_in)) {
4346 err = -EINVAL;
4347 goto out;
4348 }
4349 addr4 = (struct sockaddr_in *)address;
4350 snum = ntohs(addr4->sin_port);
4351 addrp = (char *)&addr4->sin_addr.s_addr;
4352 } else {
4353 if (addrlen < SIN6_LEN_RFC2133) {
4354 err = -EINVAL;
4355 goto out;
4356 }
4357 addr6 = (struct sockaddr_in6 *)address;
4358 snum = ntohs(addr6->sin6_port);
4359 addrp = (char *)&addr6->sin6_addr.s6_addr;
4360 }
4361
4362 if (snum) {
4363 int low, high;
4364
4365 inet_get_local_port_range(sock_net(sk), &low, &high);
4366
4367 if (snum < max(PROT_SOCK, low) || snum > high) {
4368 err = sel_netport_sid(sk->sk_protocol,
4369 snum, &sid);
4370 if (err)
4371 goto out;
4372 ad.type = LSM_AUDIT_DATA_NET;
4373 ad.u.net = &net;
4374 ad.u.net->sport = htons(snum);
4375 ad.u.net->family = family;
4376 err = avc_has_perm(sksec->sid, sid,
4377 sksec->sclass,
4378 SOCKET__NAME_BIND, &ad);
4379 if (err)
4380 goto out;
4381 }
4382 }
4383
4384 switch (sksec->sclass) {
4385 case SECCLASS_TCP_SOCKET:
4386 node_perm = TCP_SOCKET__NODE_BIND;
4387 break;
4388
4389 case SECCLASS_UDP_SOCKET:
4390 node_perm = UDP_SOCKET__NODE_BIND;
4391 break;
4392
4393 case SECCLASS_DCCP_SOCKET:
4394 node_perm = DCCP_SOCKET__NODE_BIND;
4395 break;
4396
4397 default:
4398 node_perm = RAWIP_SOCKET__NODE_BIND;
4399 break;
4400 }
4401
4402 err = sel_netnode_sid(addrp, family, &sid);
4403 if (err)
4404 goto out;
4405
4406 ad.type = LSM_AUDIT_DATA_NET;
4407 ad.u.net = &net;
4408 ad.u.net->sport = htons(snum);
4409 ad.u.net->family = family;
4410
4411 if (family == PF_INET)
4412 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4413 else
4414 ad.u.net->v6info.saddr = addr6->sin6_addr;
4415
4416 err = avc_has_perm(sksec->sid, sid,
4417 sksec->sclass, node_perm, &ad);
4418 if (err)
4419 goto out;
4420 }
4421 out:
4422 return err;
4423 }
4424
4425 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4426 {
4427 struct sock *sk = sock->sk;
4428 struct sk_security_struct *sksec = sk->sk_security;
4429 int err;
4430
4431 err = sock_has_perm(current, sk, SOCKET__CONNECT);
4432 if (err)
4433 return err;
4434
4435 /*
4436 * If a TCP or DCCP socket, check name_connect permission for the port.
4437 */
4438 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4439 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4440 struct common_audit_data ad;
4441 struct lsm_network_audit net = {0,};
4442 struct sockaddr_in *addr4 = NULL;
4443 struct sockaddr_in6 *addr6 = NULL;
4444 unsigned short snum;
4445 u32 sid, perm;
4446
4447 if (sk->sk_family == PF_INET) {
4448 addr4 = (struct sockaddr_in *)address;
4449 if (addrlen < sizeof(struct sockaddr_in))
4450 return -EINVAL;
4451 snum = ntohs(addr4->sin_port);
4452 } else {
4453 addr6 = (struct sockaddr_in6 *)address;
4454 if (addrlen < SIN6_LEN_RFC2133)
4455 return -EINVAL;
4456 snum = ntohs(addr6->sin6_port);
4457 }
4458
4459 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4460 if (err)
4461 goto out;
4462
4463 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4464 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4465
4466 ad.type = LSM_AUDIT_DATA_NET;
4467 ad.u.net = &net;
4468 ad.u.net->dport = htons(snum);
4469 ad.u.net->family = sk->sk_family;
4470 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4471 if (err)
4472 goto out;
4473 }
4474
4475 err = selinux_netlbl_socket_connect(sk, address);
4476
4477 out:
4478 return err;
4479 }
4480
4481 static int selinux_socket_listen(struct socket *sock, int backlog)
4482 {
4483 return sock_has_perm(current, sock->sk, SOCKET__LISTEN);
4484 }
4485
4486 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4487 {
4488 int err;
4489 struct inode_security_struct *isec;
4490 struct inode_security_struct *newisec;
4491
4492 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT);
4493 if (err)
4494 return err;
4495
4496 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4497
4498 isec = inode_security_novalidate(SOCK_INODE(sock));
4499 newisec->sclass = isec->sclass;
4500 newisec->sid = isec->sid;
4501 newisec->initialized = LABEL_INITIALIZED;
4502
4503 return 0;
4504 }
4505
4506 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4507 int size)
4508 {
4509 return sock_has_perm(current, sock->sk, SOCKET__WRITE);
4510 }
4511
4512 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4513 int size, int flags)
4514 {
4515 return sock_has_perm(current, sock->sk, SOCKET__READ);
4516 }
4517
4518 static int selinux_socket_getsockname(struct socket *sock)
4519 {
4520 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4521 }
4522
4523 static int selinux_socket_getpeername(struct socket *sock)
4524 {
4525 return sock_has_perm(current, sock->sk, SOCKET__GETATTR);
4526 }
4527
4528 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4529 {
4530 int err;
4531
4532 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT);
4533 if (err)
4534 return err;
4535
4536 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4537 }
4538
4539 static int selinux_socket_getsockopt(struct socket *sock, int level,
4540 int optname)
4541 {
4542 return sock_has_perm(current, sock->sk, SOCKET__GETOPT);
4543 }
4544
4545 static int selinux_socket_shutdown(struct socket *sock, int how)
4546 {
4547 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN);
4548 }
4549
4550 static int selinux_socket_unix_stream_connect(struct sock *sock,
4551 struct sock *other,
4552 struct sock *newsk)
4553 {
4554 struct sk_security_struct *sksec_sock = sock->sk_security;
4555 struct sk_security_struct *sksec_other = other->sk_security;
4556 struct sk_security_struct *sksec_new = newsk->sk_security;
4557 struct common_audit_data ad;
4558 struct lsm_network_audit net = {0,};
4559 int err;
4560
4561 ad.type = LSM_AUDIT_DATA_NET;
4562 ad.u.net = &net;
4563 ad.u.net->sk = other;
4564
4565 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4566 sksec_other->sclass,
4567 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4568 if (err)
4569 return err;
4570
4571 /* server child socket */
4572 sksec_new->peer_sid = sksec_sock->sid;
4573 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4574 &sksec_new->sid);
4575 if (err)
4576 return err;
4577
4578 /* connecting socket */
4579 sksec_sock->peer_sid = sksec_new->sid;
4580
4581 return 0;
4582 }
4583
4584 static int selinux_socket_unix_may_send(struct socket *sock,
4585 struct socket *other)
4586 {
4587 struct sk_security_struct *ssec = sock->sk->sk_security;
4588 struct sk_security_struct *osec = other->sk->sk_security;
4589 struct common_audit_data ad;
4590 struct lsm_network_audit net = {0,};
4591
4592 ad.type = LSM_AUDIT_DATA_NET;
4593 ad.u.net = &net;
4594 ad.u.net->sk = other->sk;
4595
4596 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4597 &ad);
4598 }
4599
4600 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4601 char *addrp, u16 family, u32 peer_sid,
4602 struct common_audit_data *ad)
4603 {
4604 int err;
4605 u32 if_sid;
4606 u32 node_sid;
4607
4608 err = sel_netif_sid(ns, ifindex, &if_sid);
4609 if (err)
4610 return err;
4611 err = avc_has_perm(peer_sid, if_sid,
4612 SECCLASS_NETIF, NETIF__INGRESS, ad);
4613 if (err)
4614 return err;
4615
4616 err = sel_netnode_sid(addrp, family, &node_sid);
4617 if (err)
4618 return err;
4619 return avc_has_perm(peer_sid, node_sid,
4620 SECCLASS_NODE, NODE__RECVFROM, ad);
4621 }
4622
4623 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4624 u16 family)
4625 {
4626 int err = 0;
4627 struct sk_security_struct *sksec = sk->sk_security;
4628 u32 sk_sid = sksec->sid;
4629 struct common_audit_data ad;
4630 struct lsm_network_audit net = {0,};
4631 char *addrp;
4632
4633 ad.type = LSM_AUDIT_DATA_NET;
4634 ad.u.net = &net;
4635 ad.u.net->netif = skb->skb_iif;
4636 ad.u.net->family = family;
4637 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4638 if (err)
4639 return err;
4640
4641 if (selinux_secmark_enabled()) {
4642 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4643 PACKET__RECV, &ad);
4644 if (err)
4645 return err;
4646 }
4647
4648 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4649 if (err)
4650 return err;
4651 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4652
4653 return err;
4654 }
4655
4656 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4657 {
4658 int err;
4659 struct sk_security_struct *sksec = sk->sk_security;
4660 u16 family = sk->sk_family;
4661 u32 sk_sid = sksec->sid;
4662 struct common_audit_data ad;
4663 struct lsm_network_audit net = {0,};
4664 char *addrp;
4665 u8 secmark_active;
4666 u8 peerlbl_active;
4667
4668 if (family != PF_INET && family != PF_INET6)
4669 return 0;
4670
4671 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4672 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4673 family = PF_INET;
4674
4675 /* If any sort of compatibility mode is enabled then handoff processing
4676 * to the selinux_sock_rcv_skb_compat() function to deal with the
4677 * special handling. We do this in an attempt to keep this function
4678 * as fast and as clean as possible. */
4679 if (!selinux_policycap_netpeer)
4680 return selinux_sock_rcv_skb_compat(sk, skb, family);
4681
4682 secmark_active = selinux_secmark_enabled();
4683 peerlbl_active = selinux_peerlbl_enabled();
4684 if (!secmark_active && !peerlbl_active)
4685 return 0;
4686
4687 ad.type = LSM_AUDIT_DATA_NET;
4688 ad.u.net = &net;
4689 ad.u.net->netif = skb->skb_iif;
4690 ad.u.net->family = family;
4691 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4692 if (err)
4693 return err;
4694
4695 if (peerlbl_active) {
4696 u32 peer_sid;
4697
4698 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4699 if (err)
4700 return err;
4701 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4702 addrp, family, peer_sid, &ad);
4703 if (err) {
4704 selinux_netlbl_err(skb, family, err, 0);
4705 return err;
4706 }
4707 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4708 PEER__RECV, &ad);
4709 if (err) {
4710 selinux_netlbl_err(skb, family, err, 0);
4711 return err;
4712 }
4713 }
4714
4715 if (secmark_active) {
4716 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4717 PACKET__RECV, &ad);
4718 if (err)
4719 return err;
4720 }
4721
4722 return err;
4723 }
4724
4725 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4726 int __user *optlen, unsigned len)
4727 {
4728 int err = 0;
4729 char *scontext;
4730 u32 scontext_len;
4731 struct sk_security_struct *sksec = sock->sk->sk_security;
4732 u32 peer_sid = SECSID_NULL;
4733
4734 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4735 sksec->sclass == SECCLASS_TCP_SOCKET)
4736 peer_sid = sksec->peer_sid;
4737 if (peer_sid == SECSID_NULL)
4738 return -ENOPROTOOPT;
4739
4740 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4741 if (err)
4742 return err;
4743
4744 if (scontext_len > len) {
4745 err = -ERANGE;
4746 goto out_len;
4747 }
4748
4749 if (copy_to_user(optval, scontext, scontext_len))
4750 err = -EFAULT;
4751
4752 out_len:
4753 if (put_user(scontext_len, optlen))
4754 err = -EFAULT;
4755 kfree(scontext);
4756 return err;
4757 }
4758
4759 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4760 {
4761 u32 peer_secid = SECSID_NULL;
4762 u16 family;
4763 struct inode_security_struct *isec;
4764
4765 if (skb && skb->protocol == htons(ETH_P_IP))
4766 family = PF_INET;
4767 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4768 family = PF_INET6;
4769 else if (sock)
4770 family = sock->sk->sk_family;
4771 else
4772 goto out;
4773
4774 if (sock && family == PF_UNIX) {
4775 isec = inode_security_novalidate(SOCK_INODE(sock));
4776 peer_secid = isec->sid;
4777 } else if (skb)
4778 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4779
4780 out:
4781 *secid = peer_secid;
4782 if (peer_secid == SECSID_NULL)
4783 return -EINVAL;
4784 return 0;
4785 }
4786
4787 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4788 {
4789 struct sk_security_struct *sksec;
4790
4791 sksec = kzalloc(sizeof(*sksec), priority);
4792 if (!sksec)
4793 return -ENOMEM;
4794
4795 sksec->peer_sid = SECINITSID_UNLABELED;
4796 sksec->sid = SECINITSID_UNLABELED;
4797 sksec->sclass = SECCLASS_SOCKET;
4798 selinux_netlbl_sk_security_reset(sksec);
4799 sk->sk_security = sksec;
4800
4801 return 0;
4802 }
4803
4804 static void selinux_sk_free_security(struct sock *sk)
4805 {
4806 struct sk_security_struct *sksec = sk->sk_security;
4807
4808 sk->sk_security = NULL;
4809 selinux_netlbl_sk_security_free(sksec);
4810 kfree(sksec);
4811 }
4812
4813 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4814 {
4815 struct sk_security_struct *sksec = sk->sk_security;
4816 struct sk_security_struct *newsksec = newsk->sk_security;
4817
4818 newsksec->sid = sksec->sid;
4819 newsksec->peer_sid = sksec->peer_sid;
4820 newsksec->sclass = sksec->sclass;
4821
4822 selinux_netlbl_sk_security_reset(newsksec);
4823 }
4824
4825 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4826 {
4827 if (!sk)
4828 *secid = SECINITSID_ANY_SOCKET;
4829 else {
4830 struct sk_security_struct *sksec = sk->sk_security;
4831
4832 *secid = sksec->sid;
4833 }
4834 }
4835
4836 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4837 {
4838 struct inode_security_struct *isec =
4839 inode_security_novalidate(SOCK_INODE(parent));
4840 struct sk_security_struct *sksec = sk->sk_security;
4841
4842 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4843 sk->sk_family == PF_UNIX)
4844 isec->sid = sksec->sid;
4845 sksec->sclass = isec->sclass;
4846 }
4847
4848 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4849 struct request_sock *req)
4850 {
4851 struct sk_security_struct *sksec = sk->sk_security;
4852 int err;
4853 u16 family = req->rsk_ops->family;
4854 u32 connsid;
4855 u32 peersid;
4856
4857 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4858 if (err)
4859 return err;
4860 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4861 if (err)
4862 return err;
4863 req->secid = connsid;
4864 req->peer_secid = peersid;
4865
4866 return selinux_netlbl_inet_conn_request(req, family);
4867 }
4868
4869 static void selinux_inet_csk_clone(struct sock *newsk,
4870 const struct request_sock *req)
4871 {
4872 struct sk_security_struct *newsksec = newsk->sk_security;
4873
4874 newsksec->sid = req->secid;
4875 newsksec->peer_sid = req->peer_secid;
4876 /* NOTE: Ideally, we should also get the isec->sid for the
4877 new socket in sync, but we don't have the isec available yet.
4878 So we will wait until sock_graft to do it, by which
4879 time it will have been created and available. */
4880
4881 /* We don't need to take any sort of lock here as we are the only
4882 * thread with access to newsksec */
4883 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4884 }
4885
4886 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4887 {
4888 u16 family = sk->sk_family;
4889 struct sk_security_struct *sksec = sk->sk_security;
4890
4891 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4892 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4893 family = PF_INET;
4894
4895 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4896 }
4897
4898 static int selinux_secmark_relabel_packet(u32 sid)
4899 {
4900 const struct task_security_struct *__tsec;
4901 u32 tsid;
4902
4903 __tsec = current_security();
4904 tsid = __tsec->sid;
4905
4906 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
4907 }
4908
4909 static void selinux_secmark_refcount_inc(void)
4910 {
4911 atomic_inc(&selinux_secmark_refcount);
4912 }
4913
4914 static void selinux_secmark_refcount_dec(void)
4915 {
4916 atomic_dec(&selinux_secmark_refcount);
4917 }
4918
4919 static void selinux_req_classify_flow(const struct request_sock *req,
4920 struct flowi *fl)
4921 {
4922 fl->flowi_secid = req->secid;
4923 }
4924
4925 static int selinux_tun_dev_alloc_security(void **security)
4926 {
4927 struct tun_security_struct *tunsec;
4928
4929 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
4930 if (!tunsec)
4931 return -ENOMEM;
4932 tunsec->sid = current_sid();
4933
4934 *security = tunsec;
4935 return 0;
4936 }
4937
4938 static void selinux_tun_dev_free_security(void *security)
4939 {
4940 kfree(security);
4941 }
4942
4943 static int selinux_tun_dev_create(void)
4944 {
4945 u32 sid = current_sid();
4946
4947 /* we aren't taking into account the "sockcreate" SID since the socket
4948 * that is being created here is not a socket in the traditional sense,
4949 * instead it is a private sock, accessible only to the kernel, and
4950 * representing a wide range of network traffic spanning multiple
4951 * connections unlike traditional sockets - check the TUN driver to
4952 * get a better understanding of why this socket is special */
4953
4954 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4955 NULL);
4956 }
4957
4958 static int selinux_tun_dev_attach_queue(void *security)
4959 {
4960 struct tun_security_struct *tunsec = security;
4961
4962 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
4963 TUN_SOCKET__ATTACH_QUEUE, NULL);
4964 }
4965
4966 static int selinux_tun_dev_attach(struct sock *sk, void *security)
4967 {
4968 struct tun_security_struct *tunsec = security;
4969 struct sk_security_struct *sksec = sk->sk_security;
4970
4971 /* we don't currently perform any NetLabel based labeling here and it
4972 * isn't clear that we would want to do so anyway; while we could apply
4973 * labeling without the support of the TUN user the resulting labeled
4974 * traffic from the other end of the connection would almost certainly
4975 * cause confusion to the TUN user that had no idea network labeling
4976 * protocols were being used */
4977
4978 sksec->sid = tunsec->sid;
4979 sksec->sclass = SECCLASS_TUN_SOCKET;
4980
4981 return 0;
4982 }
4983
4984 static int selinux_tun_dev_open(void *security)
4985 {
4986 struct tun_security_struct *tunsec = security;
4987 u32 sid = current_sid();
4988 int err;
4989
4990 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
4991 TUN_SOCKET__RELABELFROM, NULL);
4992 if (err)
4993 return err;
4994 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4995 TUN_SOCKET__RELABELTO, NULL);
4996 if (err)
4997 return err;
4998 tunsec->sid = sid;
4999
5000 return 0;
5001 }
5002
5003 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5004 {
5005 int err = 0;
5006 u32 perm;
5007 struct nlmsghdr *nlh;
5008 struct sk_security_struct *sksec = sk->sk_security;
5009
5010 if (skb->len < NLMSG_HDRLEN) {
5011 err = -EINVAL;
5012 goto out;
5013 }
5014 nlh = nlmsg_hdr(skb);
5015
5016 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5017 if (err) {
5018 if (err == -EINVAL) {
5019 pr_warn_ratelimited("SELinux: unrecognized netlink"
5020 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5021 " pig=%d comm=%s\n",
5022 sk->sk_protocol, nlh->nlmsg_type,
5023 secclass_map[sksec->sclass - 1].name,
5024 task_pid_nr(current), current->comm);
5025 if (!selinux_enforcing || security_get_allow_unknown())
5026 err = 0;
5027 }
5028
5029 /* Ignore */
5030 if (err == -ENOENT)
5031 err = 0;
5032 goto out;
5033 }
5034
5035 err = sock_has_perm(current, sk, perm);
5036 out:
5037 return err;
5038 }
5039
5040 #ifdef CONFIG_NETFILTER
5041
5042 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5043 const struct net_device *indev,
5044 u16 family)
5045 {
5046 int err;
5047 char *addrp;
5048 u32 peer_sid;
5049 struct common_audit_data ad;
5050 struct lsm_network_audit net = {0,};
5051 u8 secmark_active;
5052 u8 netlbl_active;
5053 u8 peerlbl_active;
5054
5055 if (!selinux_policycap_netpeer)
5056 return NF_ACCEPT;
5057
5058 secmark_active = selinux_secmark_enabled();
5059 netlbl_active = netlbl_enabled();
5060 peerlbl_active = selinux_peerlbl_enabled();
5061 if (!secmark_active && !peerlbl_active)
5062 return NF_ACCEPT;
5063
5064 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5065 return NF_DROP;
5066
5067 ad.type = LSM_AUDIT_DATA_NET;
5068 ad.u.net = &net;
5069 ad.u.net->netif = indev->ifindex;
5070 ad.u.net->family = family;
5071 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5072 return NF_DROP;
5073
5074 if (peerlbl_active) {
5075 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5076 addrp, family, peer_sid, &ad);
5077 if (err) {
5078 selinux_netlbl_err(skb, family, err, 1);
5079 return NF_DROP;
5080 }
5081 }
5082
5083 if (secmark_active)
5084 if (avc_has_perm(peer_sid, skb->secmark,
5085 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5086 return NF_DROP;
5087
5088 if (netlbl_active)
5089 /* we do this in the FORWARD path and not the POST_ROUTING
5090 * path because we want to make sure we apply the necessary
5091 * labeling before IPsec is applied so we can leverage AH
5092 * protection */
5093 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5094 return NF_DROP;
5095
5096 return NF_ACCEPT;
5097 }
5098
5099 static unsigned int selinux_ipv4_forward(void *priv,
5100 struct sk_buff *skb,
5101 const struct nf_hook_state *state)
5102 {
5103 return selinux_ip_forward(skb, state->in, PF_INET);
5104 }
5105
5106 #if IS_ENABLED(CONFIG_IPV6)
5107 static unsigned int selinux_ipv6_forward(void *priv,
5108 struct sk_buff *skb,
5109 const struct nf_hook_state *state)
5110 {
5111 return selinux_ip_forward(skb, state->in, PF_INET6);
5112 }
5113 #endif /* IPV6 */
5114
5115 static unsigned int selinux_ip_output(struct sk_buff *skb,
5116 u16 family)
5117 {
5118 struct sock *sk;
5119 u32 sid;
5120
5121 if (!netlbl_enabled())
5122 return NF_ACCEPT;
5123
5124 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5125 * because we want to make sure we apply the necessary labeling
5126 * before IPsec is applied so we can leverage AH protection */
5127 sk = skb->sk;
5128 if (sk) {
5129 struct sk_security_struct *sksec;
5130
5131 if (sk_listener(sk))
5132 /* if the socket is the listening state then this
5133 * packet is a SYN-ACK packet which means it needs to
5134 * be labeled based on the connection/request_sock and
5135 * not the parent socket. unfortunately, we can't
5136 * lookup the request_sock yet as it isn't queued on
5137 * the parent socket until after the SYN-ACK is sent.
5138 * the "solution" is to simply pass the packet as-is
5139 * as any IP option based labeling should be copied
5140 * from the initial connection request (in the IP
5141 * layer). it is far from ideal, but until we get a
5142 * security label in the packet itself this is the
5143 * best we can do. */
5144 return NF_ACCEPT;
5145
5146 /* standard practice, label using the parent socket */
5147 sksec = sk->sk_security;
5148 sid = sksec->sid;
5149 } else
5150 sid = SECINITSID_KERNEL;
5151 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5152 return NF_DROP;
5153
5154 return NF_ACCEPT;
5155 }
5156
5157 static unsigned int selinux_ipv4_output(void *priv,
5158 struct sk_buff *skb,
5159 const struct nf_hook_state *state)
5160 {
5161 return selinux_ip_output(skb, PF_INET);
5162 }
5163
5164 #if IS_ENABLED(CONFIG_IPV6)
5165 static unsigned int selinux_ipv6_output(void *priv,
5166 struct sk_buff *skb,
5167 const struct nf_hook_state *state)
5168 {
5169 return selinux_ip_output(skb, PF_INET6);
5170 }
5171 #endif /* IPV6 */
5172
5173 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5174 int ifindex,
5175 u16 family)
5176 {
5177 struct sock *sk = skb_to_full_sk(skb);
5178 struct sk_security_struct *sksec;
5179 struct common_audit_data ad;
5180 struct lsm_network_audit net = {0,};
5181 char *addrp;
5182 u8 proto;
5183
5184 if (sk == NULL)
5185 return NF_ACCEPT;
5186 sksec = sk->sk_security;
5187
5188 ad.type = LSM_AUDIT_DATA_NET;
5189 ad.u.net = &net;
5190 ad.u.net->netif = ifindex;
5191 ad.u.net->family = family;
5192 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5193 return NF_DROP;
5194
5195 if (selinux_secmark_enabled())
5196 if (avc_has_perm(sksec->sid, skb->secmark,
5197 SECCLASS_PACKET, PACKET__SEND, &ad))
5198 return NF_DROP_ERR(-ECONNREFUSED);
5199
5200 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5201 return NF_DROP_ERR(-ECONNREFUSED);
5202
5203 return NF_ACCEPT;
5204 }
5205
5206 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5207 const struct net_device *outdev,
5208 u16 family)
5209 {
5210 u32 secmark_perm;
5211 u32 peer_sid;
5212 int ifindex = outdev->ifindex;
5213 struct sock *sk;
5214 struct common_audit_data ad;
5215 struct lsm_network_audit net = {0,};
5216 char *addrp;
5217 u8 secmark_active;
5218 u8 peerlbl_active;
5219
5220 /* If any sort of compatibility mode is enabled then handoff processing
5221 * to the selinux_ip_postroute_compat() function to deal with the
5222 * special handling. We do this in an attempt to keep this function
5223 * as fast and as clean as possible. */
5224 if (!selinux_policycap_netpeer)
5225 return selinux_ip_postroute_compat(skb, ifindex, family);
5226
5227 secmark_active = selinux_secmark_enabled();
5228 peerlbl_active = selinux_peerlbl_enabled();
5229 if (!secmark_active && !peerlbl_active)
5230 return NF_ACCEPT;
5231
5232 sk = skb_to_full_sk(skb);
5233
5234 #ifdef CONFIG_XFRM
5235 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5236 * packet transformation so allow the packet to pass without any checks
5237 * since we'll have another chance to perform access control checks
5238 * when the packet is on it's final way out.
5239 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5240 * is NULL, in this case go ahead and apply access control.
5241 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5242 * TCP listening state we cannot wait until the XFRM processing
5243 * is done as we will miss out on the SA label if we do;
5244 * unfortunately, this means more work, but it is only once per
5245 * connection. */
5246 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5247 !(sk && sk_listener(sk)))
5248 return NF_ACCEPT;
5249 #endif
5250
5251 if (sk == NULL) {
5252 /* Without an associated socket the packet is either coming
5253 * from the kernel or it is being forwarded; check the packet
5254 * to determine which and if the packet is being forwarded
5255 * query the packet directly to determine the security label. */
5256 if (skb->skb_iif) {
5257 secmark_perm = PACKET__FORWARD_OUT;
5258 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5259 return NF_DROP;
5260 } else {
5261 secmark_perm = PACKET__SEND;
5262 peer_sid = SECINITSID_KERNEL;
5263 }
5264 } else if (sk_listener(sk)) {
5265 /* Locally generated packet but the associated socket is in the
5266 * listening state which means this is a SYN-ACK packet. In
5267 * this particular case the correct security label is assigned
5268 * to the connection/request_sock but unfortunately we can't
5269 * query the request_sock as it isn't queued on the parent
5270 * socket until after the SYN-ACK packet is sent; the only
5271 * viable choice is to regenerate the label like we do in
5272 * selinux_inet_conn_request(). See also selinux_ip_output()
5273 * for similar problems. */
5274 u32 skb_sid;
5275 struct sk_security_struct *sksec;
5276
5277 sksec = sk->sk_security;
5278 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5279 return NF_DROP;
5280 /* At this point, if the returned skb peerlbl is SECSID_NULL
5281 * and the packet has been through at least one XFRM
5282 * transformation then we must be dealing with the "final"
5283 * form of labeled IPsec packet; since we've already applied
5284 * all of our access controls on this packet we can safely
5285 * pass the packet. */
5286 if (skb_sid == SECSID_NULL) {
5287 switch (family) {
5288 case PF_INET:
5289 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5290 return NF_ACCEPT;
5291 break;
5292 case PF_INET6:
5293 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5294 return NF_ACCEPT;
5295 break;
5296 default:
5297 return NF_DROP_ERR(-ECONNREFUSED);
5298 }
5299 }
5300 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5301 return NF_DROP;
5302 secmark_perm = PACKET__SEND;
5303 } else {
5304 /* Locally generated packet, fetch the security label from the
5305 * associated socket. */
5306 struct sk_security_struct *sksec = sk->sk_security;
5307 peer_sid = sksec->sid;
5308 secmark_perm = PACKET__SEND;
5309 }
5310
5311 ad.type = LSM_AUDIT_DATA_NET;
5312 ad.u.net = &net;
5313 ad.u.net->netif = ifindex;
5314 ad.u.net->family = family;
5315 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5316 return NF_DROP;
5317
5318 if (secmark_active)
5319 if (avc_has_perm(peer_sid, skb->secmark,
5320 SECCLASS_PACKET, secmark_perm, &ad))
5321 return NF_DROP_ERR(-ECONNREFUSED);
5322
5323 if (peerlbl_active) {
5324 u32 if_sid;
5325 u32 node_sid;
5326
5327 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5328 return NF_DROP;
5329 if (avc_has_perm(peer_sid, if_sid,
5330 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5331 return NF_DROP_ERR(-ECONNREFUSED);
5332
5333 if (sel_netnode_sid(addrp, family, &node_sid))
5334 return NF_DROP;
5335 if (avc_has_perm(peer_sid, node_sid,
5336 SECCLASS_NODE, NODE__SENDTO, &ad))
5337 return NF_DROP_ERR(-ECONNREFUSED);
5338 }
5339
5340 return NF_ACCEPT;
5341 }
5342
5343 static unsigned int selinux_ipv4_postroute(void *priv,
5344 struct sk_buff *skb,
5345 const struct nf_hook_state *state)
5346 {
5347 return selinux_ip_postroute(skb, state->out, PF_INET);
5348 }
5349
5350 #if IS_ENABLED(CONFIG_IPV6)
5351 static unsigned int selinux_ipv6_postroute(void *priv,
5352 struct sk_buff *skb,
5353 const struct nf_hook_state *state)
5354 {
5355 return selinux_ip_postroute(skb, state->out, PF_INET6);
5356 }
5357 #endif /* IPV6 */
5358
5359 #endif /* CONFIG_NETFILTER */
5360
5361 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5362 {
5363 return selinux_nlmsg_perm(sk, skb);
5364 }
5365
5366 static int ipc_alloc_security(struct task_struct *task,
5367 struct kern_ipc_perm *perm,
5368 u16 sclass)
5369 {
5370 struct ipc_security_struct *isec;
5371 u32 sid;
5372
5373 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5374 if (!isec)
5375 return -ENOMEM;
5376
5377 sid = task_sid(task);
5378 isec->sclass = sclass;
5379 isec->sid = sid;
5380 perm->security = isec;
5381
5382 return 0;
5383 }
5384
5385 static void ipc_free_security(struct kern_ipc_perm *perm)
5386 {
5387 struct ipc_security_struct *isec = perm->security;
5388 perm->security = NULL;
5389 kfree(isec);
5390 }
5391
5392 static int msg_msg_alloc_security(struct msg_msg *msg)
5393 {
5394 struct msg_security_struct *msec;
5395
5396 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5397 if (!msec)
5398 return -ENOMEM;
5399
5400 msec->sid = SECINITSID_UNLABELED;
5401 msg->security = msec;
5402
5403 return 0;
5404 }
5405
5406 static void msg_msg_free_security(struct msg_msg *msg)
5407 {
5408 struct msg_security_struct *msec = msg->security;
5409
5410 msg->security = NULL;
5411 kfree(msec);
5412 }
5413
5414 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5415 u32 perms)
5416 {
5417 struct ipc_security_struct *isec;
5418 struct common_audit_data ad;
5419 u32 sid = current_sid();
5420
5421 isec = ipc_perms->security;
5422
5423 ad.type = LSM_AUDIT_DATA_IPC;
5424 ad.u.ipc_id = ipc_perms->key;
5425
5426 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5427 }
5428
5429 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5430 {
5431 return msg_msg_alloc_security(msg);
5432 }
5433
5434 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5435 {
5436 msg_msg_free_security(msg);
5437 }
5438
5439 /* message queue security operations */
5440 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5441 {
5442 struct ipc_security_struct *isec;
5443 struct common_audit_data ad;
5444 u32 sid = current_sid();
5445 int rc;
5446
5447 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
5448 if (rc)
5449 return rc;
5450
5451 isec = msq->q_perm.security;
5452
5453 ad.type = LSM_AUDIT_DATA_IPC;
5454 ad.u.ipc_id = msq->q_perm.key;
5455
5456 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5457 MSGQ__CREATE, &ad);
5458 if (rc) {
5459 ipc_free_security(&msq->q_perm);
5460 return rc;
5461 }
5462 return 0;
5463 }
5464
5465 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5466 {
5467 ipc_free_security(&msq->q_perm);
5468 }
5469
5470 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5471 {
5472 struct ipc_security_struct *isec;
5473 struct common_audit_data ad;
5474 u32 sid = current_sid();
5475
5476 isec = msq->q_perm.security;
5477
5478 ad.type = LSM_AUDIT_DATA_IPC;
5479 ad.u.ipc_id = msq->q_perm.key;
5480
5481 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5482 MSGQ__ASSOCIATE, &ad);
5483 }
5484
5485 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5486 {
5487 int err;
5488 int perms;
5489
5490 switch (cmd) {
5491 case IPC_INFO:
5492 case MSG_INFO:
5493 /* No specific object, just general system-wide information. */
5494 return task_has_system(current, SYSTEM__IPC_INFO);
5495 case IPC_STAT:
5496 case MSG_STAT:
5497 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5498 break;
5499 case IPC_SET:
5500 perms = MSGQ__SETATTR;
5501 break;
5502 case IPC_RMID:
5503 perms = MSGQ__DESTROY;
5504 break;
5505 default:
5506 return 0;
5507 }
5508
5509 err = ipc_has_perm(&msq->q_perm, perms);
5510 return err;
5511 }
5512
5513 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5514 {
5515 struct ipc_security_struct *isec;
5516 struct msg_security_struct *msec;
5517 struct common_audit_data ad;
5518 u32 sid = current_sid();
5519 int rc;
5520
5521 isec = msq->q_perm.security;
5522 msec = msg->security;
5523
5524 /*
5525 * First time through, need to assign label to the message
5526 */
5527 if (msec->sid == SECINITSID_UNLABELED) {
5528 /*
5529 * Compute new sid based on current process and
5530 * message queue this message will be stored in
5531 */
5532 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5533 NULL, &msec->sid);
5534 if (rc)
5535 return rc;
5536 }
5537
5538 ad.type = LSM_AUDIT_DATA_IPC;
5539 ad.u.ipc_id = msq->q_perm.key;
5540
5541 /* Can this process write to the queue? */
5542 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5543 MSGQ__WRITE, &ad);
5544 if (!rc)
5545 /* Can this process send the message */
5546 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5547 MSG__SEND, &ad);
5548 if (!rc)
5549 /* Can the message be put in the queue? */
5550 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5551 MSGQ__ENQUEUE, &ad);
5552
5553 return rc;
5554 }
5555
5556 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5557 struct task_struct *target,
5558 long type, int mode)
5559 {
5560 struct ipc_security_struct *isec;
5561 struct msg_security_struct *msec;
5562 struct common_audit_data ad;
5563 u32 sid = task_sid(target);
5564 int rc;
5565
5566 isec = msq->q_perm.security;
5567 msec = msg->security;
5568
5569 ad.type = LSM_AUDIT_DATA_IPC;
5570 ad.u.ipc_id = msq->q_perm.key;
5571
5572 rc = avc_has_perm(sid, isec->sid,
5573 SECCLASS_MSGQ, MSGQ__READ, &ad);
5574 if (!rc)
5575 rc = avc_has_perm(sid, msec->sid,
5576 SECCLASS_MSG, MSG__RECEIVE, &ad);
5577 return rc;
5578 }
5579
5580 /* Shared Memory security operations */
5581 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5582 {
5583 struct ipc_security_struct *isec;
5584 struct common_audit_data ad;
5585 u32 sid = current_sid();
5586 int rc;
5587
5588 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5589 if (rc)
5590 return rc;
5591
5592 isec = shp->shm_perm.security;
5593
5594 ad.type = LSM_AUDIT_DATA_IPC;
5595 ad.u.ipc_id = shp->shm_perm.key;
5596
5597 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5598 SHM__CREATE, &ad);
5599 if (rc) {
5600 ipc_free_security(&shp->shm_perm);
5601 return rc;
5602 }
5603 return 0;
5604 }
5605
5606 static void selinux_shm_free_security(struct shmid_kernel *shp)
5607 {
5608 ipc_free_security(&shp->shm_perm);
5609 }
5610
5611 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5612 {
5613 struct ipc_security_struct *isec;
5614 struct common_audit_data ad;
5615 u32 sid = current_sid();
5616
5617 isec = shp->shm_perm.security;
5618
5619 ad.type = LSM_AUDIT_DATA_IPC;
5620 ad.u.ipc_id = shp->shm_perm.key;
5621
5622 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5623 SHM__ASSOCIATE, &ad);
5624 }
5625
5626 /* Note, at this point, shp is locked down */
5627 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5628 {
5629 int perms;
5630 int err;
5631
5632 switch (cmd) {
5633 case IPC_INFO:
5634 case SHM_INFO:
5635 /* No specific object, just general system-wide information. */
5636 return task_has_system(current, SYSTEM__IPC_INFO);
5637 case IPC_STAT:
5638 case SHM_STAT:
5639 perms = SHM__GETATTR | SHM__ASSOCIATE;
5640 break;
5641 case IPC_SET:
5642 perms = SHM__SETATTR;
5643 break;
5644 case SHM_LOCK:
5645 case SHM_UNLOCK:
5646 perms = SHM__LOCK;
5647 break;
5648 case IPC_RMID:
5649 perms = SHM__DESTROY;
5650 break;
5651 default:
5652 return 0;
5653 }
5654
5655 err = ipc_has_perm(&shp->shm_perm, perms);
5656 return err;
5657 }
5658
5659 static int selinux_shm_shmat(struct shmid_kernel *shp,
5660 char __user *shmaddr, int shmflg)
5661 {
5662 u32 perms;
5663
5664 if (shmflg & SHM_RDONLY)
5665 perms = SHM__READ;
5666 else
5667 perms = SHM__READ | SHM__WRITE;
5668
5669 return ipc_has_perm(&shp->shm_perm, perms);
5670 }
5671
5672 /* Semaphore security operations */
5673 static int selinux_sem_alloc_security(struct sem_array *sma)
5674 {
5675 struct ipc_security_struct *isec;
5676 struct common_audit_data ad;
5677 u32 sid = current_sid();
5678 int rc;
5679
5680 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5681 if (rc)
5682 return rc;
5683
5684 isec = sma->sem_perm.security;
5685
5686 ad.type = LSM_AUDIT_DATA_IPC;
5687 ad.u.ipc_id = sma->sem_perm.key;
5688
5689 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5690 SEM__CREATE, &ad);
5691 if (rc) {
5692 ipc_free_security(&sma->sem_perm);
5693 return rc;
5694 }
5695 return 0;
5696 }
5697
5698 static void selinux_sem_free_security(struct sem_array *sma)
5699 {
5700 ipc_free_security(&sma->sem_perm);
5701 }
5702
5703 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5704 {
5705 struct ipc_security_struct *isec;
5706 struct common_audit_data ad;
5707 u32 sid = current_sid();
5708
5709 isec = sma->sem_perm.security;
5710
5711 ad.type = LSM_AUDIT_DATA_IPC;
5712 ad.u.ipc_id = sma->sem_perm.key;
5713
5714 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5715 SEM__ASSOCIATE, &ad);
5716 }
5717
5718 /* Note, at this point, sma is locked down */
5719 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5720 {
5721 int err;
5722 u32 perms;
5723
5724 switch (cmd) {
5725 case IPC_INFO:
5726 case SEM_INFO:
5727 /* No specific object, just general system-wide information. */
5728 return task_has_system(current, SYSTEM__IPC_INFO);
5729 case GETPID:
5730 case GETNCNT:
5731 case GETZCNT:
5732 perms = SEM__GETATTR;
5733 break;
5734 case GETVAL:
5735 case GETALL:
5736 perms = SEM__READ;
5737 break;
5738 case SETVAL:
5739 case SETALL:
5740 perms = SEM__WRITE;
5741 break;
5742 case IPC_RMID:
5743 perms = SEM__DESTROY;
5744 break;
5745 case IPC_SET:
5746 perms = SEM__SETATTR;
5747 break;
5748 case IPC_STAT:
5749 case SEM_STAT:
5750 perms = SEM__GETATTR | SEM__ASSOCIATE;
5751 break;
5752 default:
5753 return 0;
5754 }
5755
5756 err = ipc_has_perm(&sma->sem_perm, perms);
5757 return err;
5758 }
5759
5760 static int selinux_sem_semop(struct sem_array *sma,
5761 struct sembuf *sops, unsigned nsops, int alter)
5762 {
5763 u32 perms;
5764
5765 if (alter)
5766 perms = SEM__READ | SEM__WRITE;
5767 else
5768 perms = SEM__READ;
5769
5770 return ipc_has_perm(&sma->sem_perm, perms);
5771 }
5772
5773 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5774 {
5775 u32 av = 0;
5776
5777 av = 0;
5778 if (flag & S_IRUGO)
5779 av |= IPC__UNIX_READ;
5780 if (flag & S_IWUGO)
5781 av |= IPC__UNIX_WRITE;
5782
5783 if (av == 0)
5784 return 0;
5785
5786 return ipc_has_perm(ipcp, av);
5787 }
5788
5789 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5790 {
5791 struct ipc_security_struct *isec = ipcp->security;
5792 *secid = isec->sid;
5793 }
5794
5795 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5796 {
5797 if (inode)
5798 inode_doinit_with_dentry(inode, dentry);
5799 }
5800
5801 static int selinux_getprocattr(struct task_struct *p,
5802 char *name, char **value)
5803 {
5804 const struct task_security_struct *__tsec;
5805 u32 sid;
5806 int error;
5807 unsigned len;
5808
5809 if (current != p) {
5810 error = current_has_perm(p, PROCESS__GETATTR);
5811 if (error)
5812 return error;
5813 }
5814
5815 rcu_read_lock();
5816 __tsec = __task_cred(p)->security;
5817
5818 if (!strcmp(name, "current"))
5819 sid = __tsec->sid;
5820 else if (!strcmp(name, "prev"))
5821 sid = __tsec->osid;
5822 else if (!strcmp(name, "exec"))
5823 sid = __tsec->exec_sid;
5824 else if (!strcmp(name, "fscreate"))
5825 sid = __tsec->create_sid;
5826 else if (!strcmp(name, "keycreate"))
5827 sid = __tsec->keycreate_sid;
5828 else if (!strcmp(name, "sockcreate"))
5829 sid = __tsec->sockcreate_sid;
5830 else
5831 goto invalid;
5832 rcu_read_unlock();
5833
5834 if (!sid)
5835 return 0;
5836
5837 error = security_sid_to_context(sid, value, &len);
5838 if (error)
5839 return error;
5840 return len;
5841
5842 invalid:
5843 rcu_read_unlock();
5844 return -EINVAL;
5845 }
5846
5847 static int selinux_setprocattr(struct task_struct *p,
5848 char *name, void *value, size_t size)
5849 {
5850 struct task_security_struct *tsec;
5851 struct cred *new;
5852 u32 sid = 0, ptsid;
5853 int error;
5854 char *str = value;
5855
5856 if (current != p) {
5857 /* SELinux only allows a process to change its own
5858 security attributes. */
5859 return -EACCES;
5860 }
5861
5862 /*
5863 * Basic control over ability to set these attributes at all.
5864 * current == p, but we'll pass them separately in case the
5865 * above restriction is ever removed.
5866 */
5867 if (!strcmp(name, "exec"))
5868 error = current_has_perm(p, PROCESS__SETEXEC);
5869 else if (!strcmp(name, "fscreate"))
5870 error = current_has_perm(p, PROCESS__SETFSCREATE);
5871 else if (!strcmp(name, "keycreate"))
5872 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5873 else if (!strcmp(name, "sockcreate"))
5874 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5875 else if (!strcmp(name, "current"))
5876 error = current_has_perm(p, PROCESS__SETCURRENT);
5877 else
5878 error = -EINVAL;
5879 if (error)
5880 return error;
5881
5882 /* Obtain a SID for the context, if one was specified. */
5883 if (size && str[0] && str[0] != '\n') {
5884 if (str[size-1] == '\n') {
5885 str[size-1] = 0;
5886 size--;
5887 }
5888 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5889 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5890 if (!capable(CAP_MAC_ADMIN)) {
5891 struct audit_buffer *ab;
5892 size_t audit_size;
5893
5894 /* We strip a nul only if it is at the end, otherwise the
5895 * context contains a nul and we should audit that */
5896 if (str[size - 1] == '\0')
5897 audit_size = size - 1;
5898 else
5899 audit_size = size;
5900 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5901 audit_log_format(ab, "op=fscreate invalid_context=");
5902 audit_log_n_untrustedstring(ab, value, audit_size);
5903 audit_log_end(ab);
5904
5905 return error;
5906 }
5907 error = security_context_to_sid_force(value, size,
5908 &sid);
5909 }
5910 if (error)
5911 return error;
5912 }
5913
5914 new = prepare_creds();
5915 if (!new)
5916 return -ENOMEM;
5917
5918 /* Permission checking based on the specified context is
5919 performed during the actual operation (execve,
5920 open/mkdir/...), when we know the full context of the
5921 operation. See selinux_bprm_set_creds for the execve
5922 checks and may_create for the file creation checks. The
5923 operation will then fail if the context is not permitted. */
5924 tsec = new->security;
5925 if (!strcmp(name, "exec")) {
5926 tsec->exec_sid = sid;
5927 } else if (!strcmp(name, "fscreate")) {
5928 tsec->create_sid = sid;
5929 } else if (!strcmp(name, "keycreate")) {
5930 error = may_create_key(sid, p);
5931 if (error)
5932 goto abort_change;
5933 tsec->keycreate_sid = sid;
5934 } else if (!strcmp(name, "sockcreate")) {
5935 tsec->sockcreate_sid = sid;
5936 } else if (!strcmp(name, "current")) {
5937 error = -EINVAL;
5938 if (sid == 0)
5939 goto abort_change;
5940
5941 /* Only allow single threaded processes to change context */
5942 error = -EPERM;
5943 if (!current_is_single_threaded()) {
5944 error = security_bounded_transition(tsec->sid, sid);
5945 if (error)
5946 goto abort_change;
5947 }
5948
5949 /* Check permissions for the transition. */
5950 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5951 PROCESS__DYNTRANSITION, NULL);
5952 if (error)
5953 goto abort_change;
5954
5955 /* Check for ptracing, and update the task SID if ok.
5956 Otherwise, leave SID unchanged and fail. */
5957 ptsid = ptrace_parent_sid(p);
5958 if (ptsid != 0) {
5959 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5960 PROCESS__PTRACE, NULL);
5961 if (error)
5962 goto abort_change;
5963 }
5964
5965 tsec->sid = sid;
5966 } else {
5967 error = -EINVAL;
5968 goto abort_change;
5969 }
5970
5971 commit_creds(new);
5972 return size;
5973
5974 abort_change:
5975 abort_creds(new);
5976 return error;
5977 }
5978
5979 static int selinux_ismaclabel(const char *name)
5980 {
5981 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
5982 }
5983
5984 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5985 {
5986 return security_sid_to_context(secid, secdata, seclen);
5987 }
5988
5989 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5990 {
5991 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
5992 }
5993
5994 static void selinux_release_secctx(char *secdata, u32 seclen)
5995 {
5996 kfree(secdata);
5997 }
5998
5999 static void selinux_inode_invalidate_secctx(struct inode *inode)
6000 {
6001 struct inode_security_struct *isec = inode->i_security;
6002
6003 mutex_lock(&isec->lock);
6004 isec->initialized = LABEL_INVALID;
6005 mutex_unlock(&isec->lock);
6006 }
6007
6008 /*
6009 * called with inode->i_mutex locked
6010 */
6011 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6012 {
6013 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6014 ctx, ctxlen, 0);
6015 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6016 return rc == -EOPNOTSUPP ? 0 : rc;
6017 }
6018
6019 /*
6020 * called with inode->i_mutex locked
6021 */
6022 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6023 {
6024 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6025 }
6026
6027 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6028 {
6029 int len = 0;
6030 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6031 ctx, true);
6032 if (len < 0)
6033 return len;
6034 *ctxlen = len;
6035 return 0;
6036 }
6037 #ifdef CONFIG_KEYS
6038
6039 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6040 unsigned long flags)
6041 {
6042 const struct task_security_struct *tsec;
6043 struct key_security_struct *ksec;
6044
6045 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6046 if (!ksec)
6047 return -ENOMEM;
6048
6049 tsec = cred->security;
6050 if (tsec->keycreate_sid)
6051 ksec->sid = tsec->keycreate_sid;
6052 else
6053 ksec->sid = tsec->sid;
6054
6055 k->security = ksec;
6056 return 0;
6057 }
6058
6059 static void selinux_key_free(struct key *k)
6060 {
6061 struct key_security_struct *ksec = k->security;
6062
6063 k->security = NULL;
6064 kfree(ksec);
6065 }
6066
6067 static int selinux_key_permission(key_ref_t key_ref,
6068 const struct cred *cred,
6069 unsigned perm)
6070 {
6071 struct key *key;
6072 struct key_security_struct *ksec;
6073 u32 sid;
6074
6075 /* if no specific permissions are requested, we skip the
6076 permission check. No serious, additional covert channels
6077 appear to be created. */
6078 if (perm == 0)
6079 return 0;
6080
6081 sid = cred_sid(cred);
6082
6083 key = key_ref_to_ptr(key_ref);
6084 ksec = key->security;
6085
6086 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6087 }
6088
6089 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6090 {
6091 struct key_security_struct *ksec = key->security;
6092 char *context = NULL;
6093 unsigned len;
6094 int rc;
6095
6096 rc = security_sid_to_context(ksec->sid, &context, &len);
6097 if (!rc)
6098 rc = len;
6099 *_buffer = context;
6100 return rc;
6101 }
6102
6103 #endif
6104
6105 static struct security_hook_list selinux_hooks[] = {
6106 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6107 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6108 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6109 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6110
6111 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6112 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6113 LSM_HOOK_INIT(capget, selinux_capget),
6114 LSM_HOOK_INIT(capset, selinux_capset),
6115 LSM_HOOK_INIT(capable, selinux_capable),
6116 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6117 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6118 LSM_HOOK_INIT(syslog, selinux_syslog),
6119 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6120
6121 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6122
6123 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6124 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6125 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6126 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
6127
6128 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6129 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6130 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6131 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6132 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6133 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6134 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6135 LSM_HOOK_INIT(sb_mount, selinux_mount),
6136 LSM_HOOK_INIT(sb_umount, selinux_umount),
6137 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6138 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6139 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6140
6141 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6142 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6143
6144 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6145 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6146 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6147 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6148 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6149 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6150 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6151 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6152 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6153 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6154 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6155 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6156 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6157 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6158 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6159 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6160 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6161 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6162 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6163 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6164 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6165 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6166 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6167 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6168 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6169 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6170 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6171
6172 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6173 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6174 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6175 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6176 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6177 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6178 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6179 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6180 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6181 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6182 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6183 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6184
6185 LSM_HOOK_INIT(file_open, selinux_file_open),
6186
6187 LSM_HOOK_INIT(task_create, selinux_task_create),
6188 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6189 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6190 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6191 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6192 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6193 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6194 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6195 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6196 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6197 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6198 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6199 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6200 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6201 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6202 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6203 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6204 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6205 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6206 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6207 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6208 LSM_HOOK_INIT(task_wait, selinux_task_wait),
6209 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6210
6211 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6212 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6213
6214 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6215 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6216
6217 LSM_HOOK_INIT(msg_queue_alloc_security,
6218 selinux_msg_queue_alloc_security),
6219 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6220 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6221 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6222 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6223 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6224
6225 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6226 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6227 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6228 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6229 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6230
6231 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6232 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6233 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6234 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6235 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6236
6237 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6238
6239 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6240 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6241
6242 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6243 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6244 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6245 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6246 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6247 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6248 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6249 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6250
6251 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6252 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6253
6254 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6255 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6256 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6257 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6258 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6259 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6260 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6261 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6262 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6263 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6264 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6265 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6266 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6267 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6268 LSM_HOOK_INIT(socket_getpeersec_stream,
6269 selinux_socket_getpeersec_stream),
6270 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6271 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6272 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6273 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6274 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6275 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6276 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6277 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6278 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6279 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6280 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6281 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6282 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6283 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6284 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6285 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6286 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6287 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6288 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6289
6290 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6291 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6292 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6293 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6294 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6295 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6296 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6297 selinux_xfrm_state_alloc_acquire),
6298 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6299 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6300 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6301 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6302 selinux_xfrm_state_pol_flow_match),
6303 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6304 #endif
6305
6306 #ifdef CONFIG_KEYS
6307 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6308 LSM_HOOK_INIT(key_free, selinux_key_free),
6309 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6310 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6311 #endif
6312
6313 #ifdef CONFIG_AUDIT
6314 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6315 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6316 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6317 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6318 #endif
6319 };
6320
6321 static __init int selinux_init(void)
6322 {
6323 if (!security_module_enable("selinux")) {
6324 selinux_enabled = 0;
6325 return 0;
6326 }
6327
6328 if (!selinux_enabled) {
6329 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6330 return 0;
6331 }
6332
6333 printk(KERN_INFO "SELinux: Initializing.\n");
6334
6335 /* Set the security state for the initial task. */
6336 cred_init_security();
6337
6338 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6339
6340 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6341 sizeof(struct inode_security_struct),
6342 0, SLAB_PANIC, NULL);
6343 file_security_cache = kmem_cache_create("selinux_file_security",
6344 sizeof(struct file_security_struct),
6345 0, SLAB_PANIC, NULL);
6346 avc_init();
6347
6348 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6349
6350 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6351 panic("SELinux: Unable to register AVC netcache callback\n");
6352
6353 if (selinux_enforcing)
6354 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6355 else
6356 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6357
6358 return 0;
6359 }
6360
6361 static void delayed_superblock_init(struct super_block *sb, void *unused)
6362 {
6363 superblock_doinit(sb, NULL);
6364 }
6365
6366 void selinux_complete_init(void)
6367 {
6368 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6369
6370 /* Set up any superblocks initialized prior to the policy load. */
6371 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6372 iterate_supers(delayed_superblock_init, NULL);
6373 }
6374
6375 /* SELinux requires early initialization in order to label
6376 all processes and objects when they are created. */
6377 security_initcall(selinux_init);
6378
6379 #if defined(CONFIG_NETFILTER)
6380
6381 static struct nf_hook_ops selinux_nf_ops[] = {
6382 {
6383 .hook = selinux_ipv4_postroute,
6384 .pf = NFPROTO_IPV4,
6385 .hooknum = NF_INET_POST_ROUTING,
6386 .priority = NF_IP_PRI_SELINUX_LAST,
6387 },
6388 {
6389 .hook = selinux_ipv4_forward,
6390 .pf = NFPROTO_IPV4,
6391 .hooknum = NF_INET_FORWARD,
6392 .priority = NF_IP_PRI_SELINUX_FIRST,
6393 },
6394 {
6395 .hook = selinux_ipv4_output,
6396 .pf = NFPROTO_IPV4,
6397 .hooknum = NF_INET_LOCAL_OUT,
6398 .priority = NF_IP_PRI_SELINUX_FIRST,
6399 },
6400 #if IS_ENABLED(CONFIG_IPV6)
6401 {
6402 .hook = selinux_ipv6_postroute,
6403 .pf = NFPROTO_IPV6,
6404 .hooknum = NF_INET_POST_ROUTING,
6405 .priority = NF_IP6_PRI_SELINUX_LAST,
6406 },
6407 {
6408 .hook = selinux_ipv6_forward,
6409 .pf = NFPROTO_IPV6,
6410 .hooknum = NF_INET_FORWARD,
6411 .priority = NF_IP6_PRI_SELINUX_FIRST,
6412 },
6413 {
6414 .hook = selinux_ipv6_output,
6415 .pf = NFPROTO_IPV6,
6416 .hooknum = NF_INET_LOCAL_OUT,
6417 .priority = NF_IP6_PRI_SELINUX_FIRST,
6418 },
6419 #endif /* IPV6 */
6420 };
6421
6422 static int __init selinux_nf_ip_init(void)
6423 {
6424 int err;
6425
6426 if (!selinux_enabled)
6427 return 0;
6428
6429 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6430
6431 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6432 if (err)
6433 panic("SELinux: nf_register_hooks: error %d\n", err);
6434
6435 return 0;
6436 }
6437
6438 __initcall(selinux_nf_ip_init);
6439
6440 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6441 static void selinux_nf_ip_exit(void)
6442 {
6443 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6444
6445 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
6446 }
6447 #endif
6448
6449 #else /* CONFIG_NETFILTER */
6450
6451 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6452 #define selinux_nf_ip_exit()
6453 #endif
6454
6455 #endif /* CONFIG_NETFILTER */
6456
6457 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6458 static int selinux_disabled;
6459
6460 int selinux_disable(void)
6461 {
6462 if (ss_initialized) {
6463 /* Not permitted after initial policy load. */
6464 return -EINVAL;
6465 }
6466
6467 if (selinux_disabled) {
6468 /* Only do this once. */
6469 return -EINVAL;
6470 }
6471
6472 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6473
6474 selinux_disabled = 1;
6475 selinux_enabled = 0;
6476
6477 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6478
6479 /* Try to destroy the avc node cache */
6480 avc_disable();
6481
6482 /* Unregister netfilter hooks. */
6483 selinux_nf_ip_exit();
6484
6485 /* Unregister selinuxfs. */
6486 exit_sel_fs();
6487
6488 return 0;
6489 }
6490 #endif
Linux with added FPC-III support