search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'tag-chrome-platform-for-v4.20' of git://git.kernel.org/pub/scm/linux/kerne...
[linux/fpc-iii.git] / security / selinux / hooks.c
blob7ce683259357750cdfd25feb978ee1d6a984312b
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
91
92 #include "avc.h"
93 #include "objsec.h"
94 #include "netif.h"
95 #include "netnode.h"
96 #include "netport.h"
97 #include "ibpkey.h"
98 #include "xfrm.h"
99 #include "netlabel.h"
100 #include "audit.h"
101 #include "avc_ss.h"
102
103 struct selinux_state selinux_state;
104
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
110
111 static int __init enforcing_setup(char *str)
112 {
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
116 return 1;
117 }
118 __setup("enforcing=", enforcing_setup);
119 #else
120 #define selinux_enforcing_boot 1
121 #endif
122
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125
126 static int __init selinux_enabled_setup(char *str)
127 {
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
131 return 1;
132 }
133 __setup("selinux=", selinux_enabled_setup);
134 #else
135 int selinux_enabled = 1;
136 #endif
137
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141 static int __init checkreqprot_setup(char *str)
142 {
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
153
154 /**
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156 *
157 * Description:
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
163 *
164 */
165 static int selinux_secmark_enabled(void)
166 {
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
169 }
170
171 /**
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173 *
174 * Description:
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
179 *
180 */
181 static int selinux_peerlbl_enabled(void)
182 {
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
185 }
186
187 static int selinux_netcache_avc_callback(u32 event)
188 {
189 if (event == AVC_CALLBACK_RESET) {
190 sel_netif_flush();
191 sel_netnode_flush();
192 sel_netport_flush();
193 synchronize_net();
194 }
195 return 0;
196 }
197
198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200 if (event == AVC_CALLBACK_RESET) {
201 sel_ib_pkey_flush();
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 }
204
205 return 0;
206 }
207
208 /*
209 * initialise the security for the init task
210 */
211 static void cred_init_security(void)
212 {
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
215
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
217 if (!tsec)
218 panic("SELinux: Failed to initialize initial task.\n");
219
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
222 }
223
224 /*
225 * get the security ID of a set of credentials
226 */
227 static inline u32 cred_sid(const struct cred *cred)
228 {
229 const struct task_security_struct *tsec;
230
231 tsec = cred->security;
232 return tsec->sid;
233 }
234
235 /*
236 * get the objective security ID of a task
237 */
238 static inline u32 task_sid(const struct task_struct *task)
239 {
240 u32 sid;
241
242 rcu_read_lock();
243 sid = cred_sid(__task_cred(task));
244 rcu_read_unlock();
245 return sid;
246 }
247
248 /* Allocate and free functions for each kind of security blob. */
249
250 static int inode_alloc_security(struct inode *inode)
251 {
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
254
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
256 if (!isec)
257 return -ENOMEM;
258
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
261 isec->inode = inode;
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
267
268 return 0;
269 }
270
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
272
273 /*
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @dentry parameter should be set to a dentry of the inode.
278 */
279 static int __inode_security_revalidate(struct inode *inode,
280 struct dentry *dentry,
281 bool may_sleep)
282 {
283 struct inode_security_struct *isec = inode->i_security;
284
285 might_sleep_if(may_sleep);
286
287 if (selinux_state.initialized &&
288 isec->initialized != LABEL_INITIALIZED) {
289 if (!may_sleep)
290 return -ECHILD;
291
292 /*
293 * Try reloading the inode security label. This will fail if
294 * @opt_dentry is NULL and no dentry for this inode can be
295 * found; in that case, continue using the old label.
296 */
297 inode_doinit_with_dentry(inode, dentry);
298 }
299 return 0;
300 }
301
302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
303 {
304 return inode->i_security;
305 }
306
307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
308 {
309 int error;
310
311 error = __inode_security_revalidate(inode, NULL, !rcu);
312 if (error)
313 return ERR_PTR(error);
314 return inode->i_security;
315 }
316
317 /*
318 * Get the security label of an inode.
319 */
320 static struct inode_security_struct *inode_security(struct inode *inode)
321 {
322 __inode_security_revalidate(inode, NULL, true);
323 return inode->i_security;
324 }
325
326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
327 {
328 struct inode *inode = d_backing_inode(dentry);
329
330 return inode->i_security;
331 }
332
333 /*
334 * Get the security label of a dentry's backing inode.
335 */
336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
337 {
338 struct inode *inode = d_backing_inode(dentry);
339
340 __inode_security_revalidate(inode, dentry, true);
341 return inode->i_security;
342 }
343
344 static void inode_free_rcu(struct rcu_head *head)
345 {
346 struct inode_security_struct *isec;
347
348 isec = container_of(head, struct inode_security_struct, rcu);
349 kmem_cache_free(sel_inode_cache, isec);
350 }
351
352 static void inode_free_security(struct inode *inode)
353 {
354 struct inode_security_struct *isec = inode->i_security;
355 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
356
357 /*
358 * As not all inode security structures are in a list, we check for
359 * empty list outside of the lock to make sure that we won't waste
360 * time taking a lock doing nothing.
361 *
362 * The list_del_init() function can be safely called more than once.
363 * It should not be possible for this function to be called with
364 * concurrent list_add(), but for better safety against future changes
365 * in the code, we use list_empty_careful() here.
366 */
367 if (!list_empty_careful(&isec->list)) {
368 spin_lock(&sbsec->isec_lock);
369 list_del_init(&isec->list);
370 spin_unlock(&sbsec->isec_lock);
371 }
372
373 /*
374 * The inode may still be referenced in a path walk and
375 * a call to selinux_inode_permission() can be made
376 * after inode_free_security() is called. Ideally, the VFS
377 * wouldn't do this, but fixing that is a much harder
378 * job. For now, simply free the i_security via RCU, and
379 * leave the current inode->i_security pointer intact.
380 * The inode will be freed after the RCU grace period too.
381 */
382 call_rcu(&isec->rcu, inode_free_rcu);
383 }
384
385 static int file_alloc_security(struct file *file)
386 {
387 struct file_security_struct *fsec;
388 u32 sid = current_sid();
389
390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
391 if (!fsec)
392 return -ENOMEM;
393
394 fsec->sid = sid;
395 fsec->fown_sid = sid;
396 file->f_security = fsec;
397
398 return 0;
399 }
400
401 static void file_free_security(struct file *file)
402 {
403 struct file_security_struct *fsec = file->f_security;
404 file->f_security = NULL;
405 kmem_cache_free(file_security_cache, fsec);
406 }
407
408 static int superblock_alloc_security(struct super_block *sb)
409 {
410 struct superblock_security_struct *sbsec;
411
412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
413 if (!sbsec)
414 return -ENOMEM;
415
416 mutex_init(&sbsec->lock);
417 INIT_LIST_HEAD(&sbsec->isec_head);
418 spin_lock_init(&sbsec->isec_lock);
419 sbsec->sb = sb;
420 sbsec->sid = SECINITSID_UNLABELED;
421 sbsec->def_sid = SECINITSID_FILE;
422 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 sb->s_security = sbsec;
424
425 return 0;
426 }
427
428 static void superblock_free_security(struct super_block *sb)
429 {
430 struct superblock_security_struct *sbsec = sb->s_security;
431 sb->s_security = NULL;
432 kfree(sbsec);
433 }
434
435 static inline int inode_doinit(struct inode *inode)
436 {
437 return inode_doinit_with_dentry(inode, NULL);
438 }
439
440 enum {
441 Opt_error = -1,
442 Opt_context = 1,
443 Opt_fscontext = 2,
444 Opt_defcontext = 3,
445 Opt_rootcontext = 4,
446 Opt_labelsupport = 5,
447 Opt_nextmntopt = 6,
448 };
449
450 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
451
452 static const match_table_t tokens = {
453 {Opt_context, CONTEXT_STR "%s"},
454 {Opt_fscontext, FSCONTEXT_STR "%s"},
455 {Opt_defcontext, DEFCONTEXT_STR "%s"},
456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 {Opt_labelsupport, LABELSUPP_STR},
458 {Opt_error, NULL},
459 };
460
461 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
462
463 static int may_context_mount_sb_relabel(u32 sid,
464 struct superblock_security_struct *sbsec,
465 const struct cred *cred)
466 {
467 const struct task_security_struct *tsec = cred->security;
468 int rc;
469
470 rc = avc_has_perm(&selinux_state,
471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 FILESYSTEM__RELABELFROM, NULL);
473 if (rc)
474 return rc;
475
476 rc = avc_has_perm(&selinux_state,
477 tsec->sid, sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__RELABELTO, NULL);
479 return rc;
480 }
481
482 static int may_context_mount_inode_relabel(u32 sid,
483 struct superblock_security_struct *sbsec,
484 const struct cred *cred)
485 {
486 const struct task_security_struct *tsec = cred->security;
487 int rc;
488 rc = avc_has_perm(&selinux_state,
489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__RELABELFROM, NULL);
491 if (rc)
492 return rc;
493
494 rc = avc_has_perm(&selinux_state,
495 sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 FILESYSTEM__ASSOCIATE, NULL);
497 return rc;
498 }
499
500 static int selinux_is_sblabel_mnt(struct super_block *sb)
501 {
502 struct superblock_security_struct *sbsec = sb->s_security;
503
504 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
505 sbsec->behavior == SECURITY_FS_USE_TRANS ||
506 sbsec->behavior == SECURITY_FS_USE_TASK ||
507 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
508 /* Special handling. Genfs but also in-core setxattr handler */
509 !strcmp(sb->s_type->name, "sysfs") ||
510 !strcmp(sb->s_type->name, "pstore") ||
511 !strcmp(sb->s_type->name, "debugfs") ||
512 !strcmp(sb->s_type->name, "tracefs") ||
513 !strcmp(sb->s_type->name, "rootfs") ||
514 (selinux_policycap_cgroupseclabel() &&
515 (!strcmp(sb->s_type->name, "cgroup") ||
516 !strcmp(sb->s_type->name, "cgroup2")));
517 }
518
519 static int sb_finish_set_opts(struct super_block *sb)
520 {
521 struct superblock_security_struct *sbsec = sb->s_security;
522 struct dentry *root = sb->s_root;
523 struct inode *root_inode = d_backing_inode(root);
524 int rc = 0;
525
526 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
527 /* Make sure that the xattr handler exists and that no
528 error other than -ENODATA is returned by getxattr on
529 the root directory. -ENODATA is ok, as this may be
530 the first boot of the SELinux kernel before we have
531 assigned xattr values to the filesystem. */
532 if (!(root_inode->i_opflags & IOP_XATTR)) {
533 pr_warn("SELinux: (dev %s, type %s) has no "
534 "xattr support\n", sb->s_id, sb->s_type->name);
535 rc = -EOPNOTSUPP;
536 goto out;
537 }
538
539 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
540 if (rc < 0 && rc != -ENODATA) {
541 if (rc == -EOPNOTSUPP)
542 pr_warn("SELinux: (dev %s, type "
543 "%s) has no security xattr handler\n",
544 sb->s_id, sb->s_type->name);
545 else
546 pr_warn("SELinux: (dev %s, type "
547 "%s) getxattr errno %d\n", sb->s_id,
548 sb->s_type->name, -rc);
549 goto out;
550 }
551 }
552
553 sbsec->flags |= SE_SBINITIALIZED;
554
555 /*
556 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
557 * leave the flag untouched because sb_clone_mnt_opts might be handing
558 * us a superblock that needs the flag to be cleared.
559 */
560 if (selinux_is_sblabel_mnt(sb))
561 sbsec->flags |= SBLABEL_MNT;
562 else
563 sbsec->flags &= ~SBLABEL_MNT;
564
565 /* Initialize the root inode. */
566 rc = inode_doinit_with_dentry(root_inode, root);
567
568 /* Initialize any other inodes associated with the superblock, e.g.
569 inodes created prior to initial policy load or inodes created
570 during get_sb by a pseudo filesystem that directly
571 populates itself. */
572 spin_lock(&sbsec->isec_lock);
573 next_inode:
574 if (!list_empty(&sbsec->isec_head)) {
575 struct inode_security_struct *isec =
576 list_entry(sbsec->isec_head.next,
577 struct inode_security_struct, list);
578 struct inode *inode = isec->inode;
579 list_del_init(&isec->list);
580 spin_unlock(&sbsec->isec_lock);
581 inode = igrab(inode);
582 if (inode) {
583 if (!IS_PRIVATE(inode))
584 inode_doinit(inode);
585 iput(inode);
586 }
587 spin_lock(&sbsec->isec_lock);
588 goto next_inode;
589 }
590 spin_unlock(&sbsec->isec_lock);
591 out:
592 return rc;
593 }
594
595 /*
596 * This function should allow an FS to ask what it's mount security
597 * options were so it can use those later for submounts, displaying
598 * mount options, or whatever.
599 */
600 static int selinux_get_mnt_opts(const struct super_block *sb,
601 struct security_mnt_opts *opts)
602 {
603 int rc = 0, i;
604 struct superblock_security_struct *sbsec = sb->s_security;
605 char *context = NULL;
606 u32 len;
607 char tmp;
608
609 security_init_mnt_opts(opts);
610
611 if (!(sbsec->flags & SE_SBINITIALIZED))
612 return -EINVAL;
613
614 if (!selinux_state.initialized)
615 return -EINVAL;
616
617 /* make sure we always check enough bits to cover the mask */
618 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
619
620 tmp = sbsec->flags & SE_MNTMASK;
621 /* count the number of mount options for this sb */
622 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
623 if (tmp & 0x01)
624 opts->num_mnt_opts++;
625 tmp >>= 1;
626 }
627 /* Check if the Label support flag is set */
628 if (sbsec->flags & SBLABEL_MNT)
629 opts->num_mnt_opts++;
630
631 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
632 if (!opts->mnt_opts) {
633 rc = -ENOMEM;
634 goto out_free;
635 }
636
637 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
638 if (!opts->mnt_opts_flags) {
639 rc = -ENOMEM;
640 goto out_free;
641 }
642
643 i = 0;
644 if (sbsec->flags & FSCONTEXT_MNT) {
645 rc = security_sid_to_context(&selinux_state, sbsec->sid,
646 &context, &len);
647 if (rc)
648 goto out_free;
649 opts->mnt_opts[i] = context;
650 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
651 }
652 if (sbsec->flags & CONTEXT_MNT) {
653 rc = security_sid_to_context(&selinux_state,
654 sbsec->mntpoint_sid,
655 &context, &len);
656 if (rc)
657 goto out_free;
658 opts->mnt_opts[i] = context;
659 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
660 }
661 if (sbsec->flags & DEFCONTEXT_MNT) {
662 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
663 &context, &len);
664 if (rc)
665 goto out_free;
666 opts->mnt_opts[i] = context;
667 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
668 }
669 if (sbsec->flags & ROOTCONTEXT_MNT) {
670 struct dentry *root = sbsec->sb->s_root;
671 struct inode_security_struct *isec = backing_inode_security(root);
672
673 rc = security_sid_to_context(&selinux_state, isec->sid,
674 &context, &len);
675 if (rc)
676 goto out_free;
677 opts->mnt_opts[i] = context;
678 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
679 }
680 if (sbsec->flags & SBLABEL_MNT) {
681 opts->mnt_opts[i] = NULL;
682 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
683 }
684
685 BUG_ON(i != opts->num_mnt_opts);
686
687 return 0;
688
689 out_free:
690 security_free_mnt_opts(opts);
691 return rc;
692 }
693
694 static int bad_option(struct superblock_security_struct *sbsec, char flag,
695 u32 old_sid, u32 new_sid)
696 {
697 char mnt_flags = sbsec->flags & SE_MNTMASK;
698
699 /* check if the old mount command had the same options */
700 if (sbsec->flags & SE_SBINITIALIZED)
701 if (!(sbsec->flags & flag) ||
702 (old_sid != new_sid))
703 return 1;
704
705 /* check if we were passed the same options twice,
706 * aka someone passed context=a,context=b
707 */
708 if (!(sbsec->flags & SE_SBINITIALIZED))
709 if (mnt_flags & flag)
710 return 1;
711 return 0;
712 }
713
714 /*
715 * Allow filesystems with binary mount data to explicitly set mount point
716 * labeling information.
717 */
718 static int selinux_set_mnt_opts(struct super_block *sb,
719 struct security_mnt_opts *opts,
720 unsigned long kern_flags,
721 unsigned long *set_kern_flags)
722 {
723 const struct cred *cred = current_cred();
724 int rc = 0, i;
725 struct superblock_security_struct *sbsec = sb->s_security;
726 const char *name = sb->s_type->name;
727 struct dentry *root = sbsec->sb->s_root;
728 struct inode_security_struct *root_isec;
729 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
730 u32 defcontext_sid = 0;
731 char **mount_options = opts->mnt_opts;
732 int *flags = opts->mnt_opts_flags;
733 int num_opts = opts->num_mnt_opts;
734
735 mutex_lock(&sbsec->lock);
736
737 if (!selinux_state.initialized) {
738 if (!num_opts) {
739 /* Defer initialization until selinux_complete_init,
740 after the initial policy is loaded and the security
741 server is ready to handle calls. */
742 goto out;
743 }
744 rc = -EINVAL;
745 pr_warn("SELinux: Unable to set superblock options "
746 "before the security server is initialized\n");
747 goto out;
748 }
749 if (kern_flags && !set_kern_flags) {
750 /* Specifying internal flags without providing a place to
751 * place the results is not allowed */
752 rc = -EINVAL;
753 goto out;
754 }
755
756 /*
757 * Binary mount data FS will come through this function twice. Once
758 * from an explicit call and once from the generic calls from the vfs.
759 * Since the generic VFS calls will not contain any security mount data
760 * we need to skip the double mount verification.
761 *
762 * This does open a hole in which we will not notice if the first
763 * mount using this sb set explict options and a second mount using
764 * this sb does not set any security options. (The first options
765 * will be used for both mounts)
766 */
767 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
768 && (num_opts == 0))
769 goto out;
770
771 root_isec = backing_inode_security_novalidate(root);
772
773 /*
774 * parse the mount options, check if they are valid sids.
775 * also check if someone is trying to mount the same sb more
776 * than once with different security options.
777 */
778 for (i = 0; i < num_opts; i++) {
779 u32 sid;
780
781 if (flags[i] == SBLABEL_MNT)
782 continue;
783 rc = security_context_str_to_sid(&selinux_state,
784 mount_options[i], &sid,
785 GFP_KERNEL);
786 if (rc) {
787 pr_warn("SELinux: security_context_str_to_sid"
788 "(%s) failed for (dev %s, type %s) errno=%d\n",
789 mount_options[i], sb->s_id, name, rc);
790 goto out;
791 }
792 switch (flags[i]) {
793 case FSCONTEXT_MNT:
794 fscontext_sid = sid;
795
796 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
797 fscontext_sid))
798 goto out_double_mount;
799
800 sbsec->flags |= FSCONTEXT_MNT;
801 break;
802 case CONTEXT_MNT:
803 context_sid = sid;
804
805 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
806 context_sid))
807 goto out_double_mount;
808
809 sbsec->flags |= CONTEXT_MNT;
810 break;
811 case ROOTCONTEXT_MNT:
812 rootcontext_sid = sid;
813
814 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
815 rootcontext_sid))
816 goto out_double_mount;
817
818 sbsec->flags |= ROOTCONTEXT_MNT;
819
820 break;
821 case DEFCONTEXT_MNT:
822 defcontext_sid = sid;
823
824 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
825 defcontext_sid))
826 goto out_double_mount;
827
828 sbsec->flags |= DEFCONTEXT_MNT;
829
830 break;
831 default:
832 rc = -EINVAL;
833 goto out;
834 }
835 }
836
837 if (sbsec->flags & SE_SBINITIALIZED) {
838 /* previously mounted with options, but not on this attempt? */
839 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
840 goto out_double_mount;
841 rc = 0;
842 goto out;
843 }
844
845 if (strcmp(sb->s_type->name, "proc") == 0)
846 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
847
848 if (!strcmp(sb->s_type->name, "debugfs") ||
849 !strcmp(sb->s_type->name, "tracefs") ||
850 !strcmp(sb->s_type->name, "sysfs") ||
851 !strcmp(sb->s_type->name, "pstore") ||
852 !strcmp(sb->s_type->name, "cgroup") ||
853 !strcmp(sb->s_type->name, "cgroup2"))
854 sbsec->flags |= SE_SBGENFS;
855
856 if (!sbsec->behavior) {
857 /*
858 * Determine the labeling behavior to use for this
859 * filesystem type.
860 */
861 rc = security_fs_use(&selinux_state, sb);
862 if (rc) {
863 pr_warn("%s: security_fs_use(%s) returned %d\n",
864 __func__, sb->s_type->name, rc);
865 goto out;
866 }
867 }
868
869 /*
870 * If this is a user namespace mount and the filesystem type is not
871 * explicitly whitelisted, then no contexts are allowed on the command
872 * line and security labels must be ignored.
873 */
874 if (sb->s_user_ns != &init_user_ns &&
875 strcmp(sb->s_type->name, "tmpfs") &&
876 strcmp(sb->s_type->name, "ramfs") &&
877 strcmp(sb->s_type->name, "devpts")) {
878 if (context_sid || fscontext_sid || rootcontext_sid ||
879 defcontext_sid) {
880 rc = -EACCES;
881 goto out;
882 }
883 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
884 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
885 rc = security_transition_sid(&selinux_state,
886 current_sid(),
887 current_sid(),
888 SECCLASS_FILE, NULL,
889 &sbsec->mntpoint_sid);
890 if (rc)
891 goto out;
892 }
893 goto out_set_opts;
894 }
895
896 /* sets the context of the superblock for the fs being mounted. */
897 if (fscontext_sid) {
898 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
899 if (rc)
900 goto out;
901
902 sbsec->sid = fscontext_sid;
903 }
904
905 /*
906 * Switch to using mount point labeling behavior.
907 * sets the label used on all file below the mountpoint, and will set
908 * the superblock context if not already set.
909 */
910 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
911 sbsec->behavior = SECURITY_FS_USE_NATIVE;
912 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
913 }
914
915 if (context_sid) {
916 if (!fscontext_sid) {
917 rc = may_context_mount_sb_relabel(context_sid, sbsec,
918 cred);
919 if (rc)
920 goto out;
921 sbsec->sid = context_sid;
922 } else {
923 rc = may_context_mount_inode_relabel(context_sid, sbsec,
924 cred);
925 if (rc)
926 goto out;
927 }
928 if (!rootcontext_sid)
929 rootcontext_sid = context_sid;
930
931 sbsec->mntpoint_sid = context_sid;
932 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
933 }
934
935 if (rootcontext_sid) {
936 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
937 cred);
938 if (rc)
939 goto out;
940
941 root_isec->sid = rootcontext_sid;
942 root_isec->initialized = LABEL_INITIALIZED;
943 }
944
945 if (defcontext_sid) {
946 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
947 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
948 rc = -EINVAL;
949 pr_warn("SELinux: defcontext option is "
950 "invalid for this filesystem type\n");
951 goto out;
952 }
953
954 if (defcontext_sid != sbsec->def_sid) {
955 rc = may_context_mount_inode_relabel(defcontext_sid,
956 sbsec, cred);
957 if (rc)
958 goto out;
959 }
960
961 sbsec->def_sid = defcontext_sid;
962 }
963
964 out_set_opts:
965 rc = sb_finish_set_opts(sb);
966 out:
967 mutex_unlock(&sbsec->lock);
968 return rc;
969 out_double_mount:
970 rc = -EINVAL;
971 pr_warn("SELinux: mount invalid. Same superblock, different "
972 "security settings for (dev %s, type %s)\n", sb->s_id, name);
973 goto out;
974 }
975
976 static int selinux_cmp_sb_context(const struct super_block *oldsb,
977 const struct super_block *newsb)
978 {
979 struct superblock_security_struct *old = oldsb->s_security;
980 struct superblock_security_struct *new = newsb->s_security;
981 char oldflags = old->flags & SE_MNTMASK;
982 char newflags = new->flags & SE_MNTMASK;
983
984 if (oldflags != newflags)
985 goto mismatch;
986 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
987 goto mismatch;
988 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
989 goto mismatch;
990 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
991 goto mismatch;
992 if (oldflags & ROOTCONTEXT_MNT) {
993 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
994 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
995 if (oldroot->sid != newroot->sid)
996 goto mismatch;
997 }
998 return 0;
999 mismatch:
1000 pr_warn("SELinux: mount invalid. Same superblock, "
1001 "different security settings for (dev %s, "
1002 "type %s)\n", newsb->s_id, newsb->s_type->name);
1003 return -EBUSY;
1004 }
1005
1006 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1007 struct super_block *newsb,
1008 unsigned long kern_flags,
1009 unsigned long *set_kern_flags)
1010 {
1011 int rc = 0;
1012 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1013 struct superblock_security_struct *newsbsec = newsb->s_security;
1014
1015 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1016 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1017 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1018
1019 /*
1020 * if the parent was able to be mounted it clearly had no special lsm
1021 * mount options. thus we can safely deal with this superblock later
1022 */
1023 if (!selinux_state.initialized)
1024 return 0;
1025
1026 /*
1027 * Specifying internal flags without providing a place to
1028 * place the results is not allowed.
1029 */
1030 if (kern_flags && !set_kern_flags)
1031 return -EINVAL;
1032
1033 /* how can we clone if the old one wasn't set up?? */
1034 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1035
1036 /* if fs is reusing a sb, make sure that the contexts match */
1037 if (newsbsec->flags & SE_SBINITIALIZED)
1038 return selinux_cmp_sb_context(oldsb, newsb);
1039
1040 mutex_lock(&newsbsec->lock);
1041
1042 newsbsec->flags = oldsbsec->flags;
1043
1044 newsbsec->sid = oldsbsec->sid;
1045 newsbsec->def_sid = oldsbsec->def_sid;
1046 newsbsec->behavior = oldsbsec->behavior;
1047
1048 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1049 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1050 rc = security_fs_use(&selinux_state, newsb);
1051 if (rc)
1052 goto out;
1053 }
1054
1055 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1056 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1057 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1058 }
1059
1060 if (set_context) {
1061 u32 sid = oldsbsec->mntpoint_sid;
1062
1063 if (!set_fscontext)
1064 newsbsec->sid = sid;
1065 if (!set_rootcontext) {
1066 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1067 newisec->sid = sid;
1068 }
1069 newsbsec->mntpoint_sid = sid;
1070 }
1071 if (set_rootcontext) {
1072 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1073 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1074
1075 newisec->sid = oldisec->sid;
1076 }
1077
1078 sb_finish_set_opts(newsb);
1079 out:
1080 mutex_unlock(&newsbsec->lock);
1081 return rc;
1082 }
1083
1084 static int selinux_parse_opts_str(char *options,
1085 struct security_mnt_opts *opts)
1086 {
1087 char *p;
1088 char *context = NULL, *defcontext = NULL;
1089 char *fscontext = NULL, *rootcontext = NULL;
1090 int rc, num_mnt_opts = 0;
1091
1092 opts->num_mnt_opts = 0;
1093
1094 /* Standard string-based options. */
1095 while ((p = strsep(&options, "|")) != NULL) {
1096 int token;
1097 substring_t args[MAX_OPT_ARGS];
1098
1099 if (!*p)
1100 continue;
1101
1102 token = match_token(p, tokens, args);
1103
1104 switch (token) {
1105 case Opt_context:
1106 if (context || defcontext) {
1107 rc = -EINVAL;
1108 pr_warn(SEL_MOUNT_FAIL_MSG);
1109 goto out_err;
1110 }
1111 context = match_strdup(&args[0]);
1112 if (!context) {
1113 rc = -ENOMEM;
1114 goto out_err;
1115 }
1116 break;
1117
1118 case Opt_fscontext:
1119 if (fscontext) {
1120 rc = -EINVAL;
1121 pr_warn(SEL_MOUNT_FAIL_MSG);
1122 goto out_err;
1123 }
1124 fscontext = match_strdup(&args[0]);
1125 if (!fscontext) {
1126 rc = -ENOMEM;
1127 goto out_err;
1128 }
1129 break;
1130
1131 case Opt_rootcontext:
1132 if (rootcontext) {
1133 rc = -EINVAL;
1134 pr_warn(SEL_MOUNT_FAIL_MSG);
1135 goto out_err;
1136 }
1137 rootcontext = match_strdup(&args[0]);
1138 if (!rootcontext) {
1139 rc = -ENOMEM;
1140 goto out_err;
1141 }
1142 break;
1143
1144 case Opt_defcontext:
1145 if (context || defcontext) {
1146 rc = -EINVAL;
1147 pr_warn(SEL_MOUNT_FAIL_MSG);
1148 goto out_err;
1149 }
1150 defcontext = match_strdup(&args[0]);
1151 if (!defcontext) {
1152 rc = -ENOMEM;
1153 goto out_err;
1154 }
1155 break;
1156 case Opt_labelsupport:
1157 break;
1158 default:
1159 rc = -EINVAL;
1160 pr_warn("SELinux: unknown mount option\n");
1161 goto out_err;
1162
1163 }
1164 }
1165
1166 rc = -ENOMEM;
1167 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1168 if (!opts->mnt_opts)
1169 goto out_err;
1170
1171 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1172 GFP_KERNEL);
1173 if (!opts->mnt_opts_flags)
1174 goto out_err;
1175
1176 if (fscontext) {
1177 opts->mnt_opts[num_mnt_opts] = fscontext;
1178 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1179 }
1180 if (context) {
1181 opts->mnt_opts[num_mnt_opts] = context;
1182 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1183 }
1184 if (rootcontext) {
1185 opts->mnt_opts[num_mnt_opts] = rootcontext;
1186 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1187 }
1188 if (defcontext) {
1189 opts->mnt_opts[num_mnt_opts] = defcontext;
1190 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1191 }
1192
1193 opts->num_mnt_opts = num_mnt_opts;
1194 return 0;
1195
1196 out_err:
1197 security_free_mnt_opts(opts);
1198 kfree(context);
1199 kfree(defcontext);
1200 kfree(fscontext);
1201 kfree(rootcontext);
1202 return rc;
1203 }
1204 /*
1205 * string mount options parsing and call set the sbsec
1206 */
1207 static int superblock_doinit(struct super_block *sb, void *data)
1208 {
1209 int rc = 0;
1210 char *options = data;
1211 struct security_mnt_opts opts;
1212
1213 security_init_mnt_opts(&opts);
1214
1215 if (!data)
1216 goto out;
1217
1218 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1219
1220 rc = selinux_parse_opts_str(options, &opts);
1221 if (rc)
1222 goto out_err;
1223
1224 out:
1225 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1226
1227 out_err:
1228 security_free_mnt_opts(&opts);
1229 return rc;
1230 }
1231
1232 static void selinux_write_opts(struct seq_file *m,
1233 struct security_mnt_opts *opts)
1234 {
1235 int i;
1236 char *prefix;
1237
1238 for (i = 0; i < opts->num_mnt_opts; i++) {
1239 char *has_comma;
1240
1241 if (opts->mnt_opts[i])
1242 has_comma = strchr(opts->mnt_opts[i], ',');
1243 else
1244 has_comma = NULL;
1245
1246 switch (opts->mnt_opts_flags[i]) {
1247 case CONTEXT_MNT:
1248 prefix = CONTEXT_STR;
1249 break;
1250 case FSCONTEXT_MNT:
1251 prefix = FSCONTEXT_STR;
1252 break;
1253 case ROOTCONTEXT_MNT:
1254 prefix = ROOTCONTEXT_STR;
1255 break;
1256 case DEFCONTEXT_MNT:
1257 prefix = DEFCONTEXT_STR;
1258 break;
1259 case SBLABEL_MNT:
1260 seq_putc(m, ',');
1261 seq_puts(m, LABELSUPP_STR);
1262 continue;
1263 default:
1264 BUG();
1265 return;
1266 };
1267 /* we need a comma before each option */
1268 seq_putc(m, ',');
1269 seq_puts(m, prefix);
1270 if (has_comma)
1271 seq_putc(m, '\"');
1272 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1273 if (has_comma)
1274 seq_putc(m, '\"');
1275 }
1276 }
1277
1278 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1279 {
1280 struct security_mnt_opts opts;
1281 int rc;
1282
1283 rc = selinux_get_mnt_opts(sb, &opts);
1284 if (rc) {
1285 /* before policy load we may get EINVAL, don't show anything */
1286 if (rc == -EINVAL)
1287 rc = 0;
1288 return rc;
1289 }
1290
1291 selinux_write_opts(m, &opts);
1292
1293 security_free_mnt_opts(&opts);
1294
1295 return rc;
1296 }
1297
1298 static inline u16 inode_mode_to_security_class(umode_t mode)
1299 {
1300 switch (mode & S_IFMT) {
1301 case S_IFSOCK:
1302 return SECCLASS_SOCK_FILE;
1303 case S_IFLNK:
1304 return SECCLASS_LNK_FILE;
1305 case S_IFREG:
1306 return SECCLASS_FILE;
1307 case S_IFBLK:
1308 return SECCLASS_BLK_FILE;
1309 case S_IFDIR:
1310 return SECCLASS_DIR;
1311 case S_IFCHR:
1312 return SECCLASS_CHR_FILE;
1313 case S_IFIFO:
1314 return SECCLASS_FIFO_FILE;
1315
1316 }
1317
1318 return SECCLASS_FILE;
1319 }
1320
1321 static inline int default_protocol_stream(int protocol)
1322 {
1323 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1324 }
1325
1326 static inline int default_protocol_dgram(int protocol)
1327 {
1328 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1329 }
1330
1331 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1332 {
1333 int extsockclass = selinux_policycap_extsockclass();
1334
1335 switch (family) {
1336 case PF_UNIX:
1337 switch (type) {
1338 case SOCK_STREAM:
1339 case SOCK_SEQPACKET:
1340 return SECCLASS_UNIX_STREAM_SOCKET;
1341 case SOCK_DGRAM:
1342 case SOCK_RAW:
1343 return SECCLASS_UNIX_DGRAM_SOCKET;
1344 }
1345 break;
1346 case PF_INET:
1347 case PF_INET6:
1348 switch (type) {
1349 case SOCK_STREAM:
1350 case SOCK_SEQPACKET:
1351 if (default_protocol_stream(protocol))
1352 return SECCLASS_TCP_SOCKET;
1353 else if (extsockclass && protocol == IPPROTO_SCTP)
1354 return SECCLASS_SCTP_SOCKET;
1355 else
1356 return SECCLASS_RAWIP_SOCKET;
1357 case SOCK_DGRAM:
1358 if (default_protocol_dgram(protocol))
1359 return SECCLASS_UDP_SOCKET;
1360 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1361 protocol == IPPROTO_ICMPV6))
1362 return SECCLASS_ICMP_SOCKET;
1363 else
1364 return SECCLASS_RAWIP_SOCKET;
1365 case SOCK_DCCP:
1366 return SECCLASS_DCCP_SOCKET;
1367 default:
1368 return SECCLASS_RAWIP_SOCKET;
1369 }
1370 break;
1371 case PF_NETLINK:
1372 switch (protocol) {
1373 case NETLINK_ROUTE:
1374 return SECCLASS_NETLINK_ROUTE_SOCKET;
1375 case NETLINK_SOCK_DIAG:
1376 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1377 case NETLINK_NFLOG:
1378 return SECCLASS_NETLINK_NFLOG_SOCKET;
1379 case NETLINK_XFRM:
1380 return SECCLASS_NETLINK_XFRM_SOCKET;
1381 case NETLINK_SELINUX:
1382 return SECCLASS_NETLINK_SELINUX_SOCKET;
1383 case NETLINK_ISCSI:
1384 return SECCLASS_NETLINK_ISCSI_SOCKET;
1385 case NETLINK_AUDIT:
1386 return SECCLASS_NETLINK_AUDIT_SOCKET;
1387 case NETLINK_FIB_LOOKUP:
1388 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1389 case NETLINK_CONNECTOR:
1390 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1391 case NETLINK_NETFILTER:
1392 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1393 case NETLINK_DNRTMSG:
1394 return SECCLASS_NETLINK_DNRT_SOCKET;
1395 case NETLINK_KOBJECT_UEVENT:
1396 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1397 case NETLINK_GENERIC:
1398 return SECCLASS_NETLINK_GENERIC_SOCKET;
1399 case NETLINK_SCSITRANSPORT:
1400 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1401 case NETLINK_RDMA:
1402 return SECCLASS_NETLINK_RDMA_SOCKET;
1403 case NETLINK_CRYPTO:
1404 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1405 default:
1406 return SECCLASS_NETLINK_SOCKET;
1407 }
1408 case PF_PACKET:
1409 return SECCLASS_PACKET_SOCKET;
1410 case PF_KEY:
1411 return SECCLASS_KEY_SOCKET;
1412 case PF_APPLETALK:
1413 return SECCLASS_APPLETALK_SOCKET;
1414 }
1415
1416 if (extsockclass) {
1417 switch (family) {
1418 case PF_AX25:
1419 return SECCLASS_AX25_SOCKET;
1420 case PF_IPX:
1421 return SECCLASS_IPX_SOCKET;
1422 case PF_NETROM:
1423 return SECCLASS_NETROM_SOCKET;
1424 case PF_ATMPVC:
1425 return SECCLASS_ATMPVC_SOCKET;
1426 case PF_X25:
1427 return SECCLASS_X25_SOCKET;
1428 case PF_ROSE:
1429 return SECCLASS_ROSE_SOCKET;
1430 case PF_DECnet:
1431 return SECCLASS_DECNET_SOCKET;
1432 case PF_ATMSVC:
1433 return SECCLASS_ATMSVC_SOCKET;
1434 case PF_RDS:
1435 return SECCLASS_RDS_SOCKET;
1436 case PF_IRDA:
1437 return SECCLASS_IRDA_SOCKET;
1438 case PF_PPPOX:
1439 return SECCLASS_PPPOX_SOCKET;
1440 case PF_LLC:
1441 return SECCLASS_LLC_SOCKET;
1442 case PF_CAN:
1443 return SECCLASS_CAN_SOCKET;
1444 case PF_TIPC:
1445 return SECCLASS_TIPC_SOCKET;
1446 case PF_BLUETOOTH:
1447 return SECCLASS_BLUETOOTH_SOCKET;
1448 case PF_IUCV:
1449 return SECCLASS_IUCV_SOCKET;
1450 case PF_RXRPC:
1451 return SECCLASS_RXRPC_SOCKET;
1452 case PF_ISDN:
1453 return SECCLASS_ISDN_SOCKET;
1454 case PF_PHONET:
1455 return SECCLASS_PHONET_SOCKET;
1456 case PF_IEEE802154:
1457 return SECCLASS_IEEE802154_SOCKET;
1458 case PF_CAIF:
1459 return SECCLASS_CAIF_SOCKET;
1460 case PF_ALG:
1461 return SECCLASS_ALG_SOCKET;
1462 case PF_NFC:
1463 return SECCLASS_NFC_SOCKET;
1464 case PF_VSOCK:
1465 return SECCLASS_VSOCK_SOCKET;
1466 case PF_KCM:
1467 return SECCLASS_KCM_SOCKET;
1468 case PF_QIPCRTR:
1469 return SECCLASS_QIPCRTR_SOCKET;
1470 case PF_SMC:
1471 return SECCLASS_SMC_SOCKET;
1472 case PF_XDP:
1473 return SECCLASS_XDP_SOCKET;
1474 #if PF_MAX > 45
1475 #error New address family defined, please update this function.
1476 #endif
1477 }
1478 }
1479
1480 return SECCLASS_SOCKET;
1481 }
1482
1483 static int selinux_genfs_get_sid(struct dentry *dentry,
1484 u16 tclass,
1485 u16 flags,
1486 u32 *sid)
1487 {
1488 int rc;
1489 struct super_block *sb = dentry->d_sb;
1490 char *buffer, *path;
1491
1492 buffer = (char *)__get_free_page(GFP_KERNEL);
1493 if (!buffer)
1494 return -ENOMEM;
1495
1496 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1497 if (IS_ERR(path))
1498 rc = PTR_ERR(path);
1499 else {
1500 if (flags & SE_SBPROC) {
1501 /* each process gets a /proc/PID/ entry. Strip off the
1502 * PID part to get a valid selinux labeling.
1503 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1504 while (path[1] >= '0' && path[1] <= '9') {
1505 path[1] = '/';
1506 path++;
1507 }
1508 }
1509 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1510 path, tclass, sid);
1511 if (rc == -ENOENT) {
1512 /* No match in policy, mark as unlabeled. */
1513 *sid = SECINITSID_UNLABELED;
1514 rc = 0;
1515 }
1516 }
1517 free_page((unsigned long)buffer);
1518 return rc;
1519 }
1520
1521 /* The inode's security attributes must be initialized before first use. */
1522 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1523 {
1524 struct superblock_security_struct *sbsec = NULL;
1525 struct inode_security_struct *isec = inode->i_security;
1526 u32 task_sid, sid = 0;
1527 u16 sclass;
1528 struct dentry *dentry;
1529 #define INITCONTEXTLEN 255
1530 char *context = NULL;
1531 unsigned len = 0;
1532 int rc = 0;
1533
1534 if (isec->initialized == LABEL_INITIALIZED)
1535 return 0;
1536
1537 spin_lock(&isec->lock);
1538 if (isec->initialized == LABEL_INITIALIZED)
1539 goto out_unlock;
1540
1541 if (isec->sclass == SECCLASS_FILE)
1542 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1543
1544 sbsec = inode->i_sb->s_security;
1545 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1546 /* Defer initialization until selinux_complete_init,
1547 after the initial policy is loaded and the security
1548 server is ready to handle calls. */
1549 spin_lock(&sbsec->isec_lock);
1550 if (list_empty(&isec->list))
1551 list_add(&isec->list, &sbsec->isec_head);
1552 spin_unlock(&sbsec->isec_lock);
1553 goto out_unlock;
1554 }
1555
1556 sclass = isec->sclass;
1557 task_sid = isec->task_sid;
1558 sid = isec->sid;
1559 isec->initialized = LABEL_PENDING;
1560 spin_unlock(&isec->lock);
1561
1562 switch (sbsec->behavior) {
1563 case SECURITY_FS_USE_NATIVE:
1564 break;
1565 case SECURITY_FS_USE_XATTR:
1566 if (!(inode->i_opflags & IOP_XATTR)) {
1567 sid = sbsec->def_sid;
1568 break;
1569 }
1570 /* Need a dentry, since the xattr API requires one.
1571 Life would be simpler if we could just pass the inode. */
1572 if (opt_dentry) {
1573 /* Called from d_instantiate or d_splice_alias. */
1574 dentry = dget(opt_dentry);
1575 } else {
1576 /*
1577 * Called from selinux_complete_init, try to find a dentry.
1578 * Some filesystems really want a connected one, so try
1579 * that first. We could split SECURITY_FS_USE_XATTR in
1580 * two, depending upon that...
1581 */
1582 dentry = d_find_alias(inode);
1583 if (!dentry)
1584 dentry = d_find_any_alias(inode);
1585 }
1586 if (!dentry) {
1587 /*
1588 * this is can be hit on boot when a file is accessed
1589 * before the policy is loaded. When we load policy we
1590 * may find inodes that have no dentry on the
1591 * sbsec->isec_head list. No reason to complain as these
1592 * will get fixed up the next time we go through
1593 * inode_doinit with a dentry, before these inodes could
1594 * be used again by userspace.
1595 */
1596 goto out;
1597 }
1598
1599 len = INITCONTEXTLEN;
1600 context = kmalloc(len+1, GFP_NOFS);
1601 if (!context) {
1602 rc = -ENOMEM;
1603 dput(dentry);
1604 goto out;
1605 }
1606 context[len] = '\0';
1607 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1608 if (rc == -ERANGE) {
1609 kfree(context);
1610
1611 /* Need a larger buffer. Query for the right size. */
1612 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1613 if (rc < 0) {
1614 dput(dentry);
1615 goto out;
1616 }
1617 len = rc;
1618 context = kmalloc(len+1, GFP_NOFS);
1619 if (!context) {
1620 rc = -ENOMEM;
1621 dput(dentry);
1622 goto out;
1623 }
1624 context[len] = '\0';
1625 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1626 }
1627 dput(dentry);
1628 if (rc < 0) {
1629 if (rc != -ENODATA) {
1630 pr_warn("SELinux: %s: getxattr returned "
1631 "%d for dev=%s ino=%ld\n", __func__,
1632 -rc, inode->i_sb->s_id, inode->i_ino);
1633 kfree(context);
1634 goto out;
1635 }
1636 /* Map ENODATA to the default file SID */
1637 sid = sbsec->def_sid;
1638 rc = 0;
1639 } else {
1640 rc = security_context_to_sid_default(&selinux_state,
1641 context, rc, &sid,
1642 sbsec->def_sid,
1643 GFP_NOFS);
1644 if (rc) {
1645 char *dev = inode->i_sb->s_id;
1646 unsigned long ino = inode->i_ino;
1647
1648 if (rc == -EINVAL) {
1649 if (printk_ratelimit())
1650 pr_notice("SELinux: inode=%lu on dev=%s was found to have an invalid "
1651 "context=%s. This indicates you may need to relabel the inode or the "
1652 "filesystem in question.\n", ino, dev, context);
1653 } else {
1654 pr_warn("SELinux: %s: context_to_sid(%s) "
1655 "returned %d for dev=%s ino=%ld\n",
1656 __func__, context, -rc, dev, ino);
1657 }
1658 kfree(context);
1659 /* Leave with the unlabeled SID */
1660 rc = 0;
1661 break;
1662 }
1663 }
1664 kfree(context);
1665 break;
1666 case SECURITY_FS_USE_TASK:
1667 sid = task_sid;
1668 break;
1669 case SECURITY_FS_USE_TRANS:
1670 /* Default to the fs SID. */
1671 sid = sbsec->sid;
1672
1673 /* Try to obtain a transition SID. */
1674 rc = security_transition_sid(&selinux_state, task_sid, sid,
1675 sclass, NULL, &sid);
1676 if (rc)
1677 goto out;
1678 break;
1679 case SECURITY_FS_USE_MNTPOINT:
1680 sid = sbsec->mntpoint_sid;
1681 break;
1682 default:
1683 /* Default to the fs superblock SID. */
1684 sid = sbsec->sid;
1685
1686 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1687 /* We must have a dentry to determine the label on
1688 * procfs inodes */
1689 if (opt_dentry) {
1690 /* Called from d_instantiate or
1691 * d_splice_alias. */
1692 dentry = dget(opt_dentry);
1693 } else {
1694 /* Called from selinux_complete_init, try to
1695 * find a dentry. Some filesystems really want
1696 * a connected one, so try that first.
1697 */
1698 dentry = d_find_alias(inode);
1699 if (!dentry)
1700 dentry = d_find_any_alias(inode);
1701 }
1702 /*
1703 * This can be hit on boot when a file is accessed
1704 * before the policy is loaded. When we load policy we
1705 * may find inodes that have no dentry on the
1706 * sbsec->isec_head list. No reason to complain as
1707 * these will get fixed up the next time we go through
1708 * inode_doinit() with a dentry, before these inodes
1709 * could be used again by userspace.
1710 */
1711 if (!dentry)
1712 goto out;
1713 rc = selinux_genfs_get_sid(dentry, sclass,
1714 sbsec->flags, &sid);
1715 dput(dentry);
1716 if (rc)
1717 goto out;
1718 }
1719 break;
1720 }
1721
1722 out:
1723 spin_lock(&isec->lock);
1724 if (isec->initialized == LABEL_PENDING) {
1725 if (!sid || rc) {
1726 isec->initialized = LABEL_INVALID;
1727 goto out_unlock;
1728 }
1729
1730 isec->initialized = LABEL_INITIALIZED;
1731 isec->sid = sid;
1732 }
1733
1734 out_unlock:
1735 spin_unlock(&isec->lock);
1736 return rc;
1737 }
1738
1739 /* Convert a Linux signal to an access vector. */
1740 static inline u32 signal_to_av(int sig)
1741 {
1742 u32 perm = 0;
1743
1744 switch (sig) {
1745 case SIGCHLD:
1746 /* Commonly granted from child to parent. */
1747 perm = PROCESS__SIGCHLD;
1748 break;
1749 case SIGKILL:
1750 /* Cannot be caught or ignored */
1751 perm = PROCESS__SIGKILL;
1752 break;
1753 case SIGSTOP:
1754 /* Cannot be caught or ignored */
1755 perm = PROCESS__SIGSTOP;
1756 break;
1757 default:
1758 /* All other signals. */
1759 perm = PROCESS__SIGNAL;
1760 break;
1761 }
1762
1763 return perm;
1764 }
1765
1766 #if CAP_LAST_CAP > 63
1767 #error Fix SELinux to handle capabilities > 63.
1768 #endif
1769
1770 /* Check whether a task is allowed to use a capability. */
1771 static int cred_has_capability(const struct cred *cred,
1772 int cap, int audit, bool initns)
1773 {
1774 struct common_audit_data ad;
1775 struct av_decision avd;
1776 u16 sclass;
1777 u32 sid = cred_sid(cred);
1778 u32 av = CAP_TO_MASK(cap);
1779 int rc;
1780
1781 ad.type = LSM_AUDIT_DATA_CAP;
1782 ad.u.cap = cap;
1783
1784 switch (CAP_TO_INDEX(cap)) {
1785 case 0:
1786 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1787 break;
1788 case 1:
1789 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1790 break;
1791 default:
1792 pr_err("SELinux: out of range capability %d\n", cap);
1793 BUG();
1794 return -EINVAL;
1795 }
1796
1797 rc = avc_has_perm_noaudit(&selinux_state,
1798 sid, sid, sclass, av, 0, &avd);
1799 if (audit == SECURITY_CAP_AUDIT) {
1800 int rc2 = avc_audit(&selinux_state,
1801 sid, sid, sclass, av, &avd, rc, &ad, 0);
1802 if (rc2)
1803 return rc2;
1804 }
1805 return rc;
1806 }
1807
1808 /* Check whether a task has a particular permission to an inode.
1809 The 'adp' parameter is optional and allows other audit
1810 data to be passed (e.g. the dentry). */
1811 static int inode_has_perm(const struct cred *cred,
1812 struct inode *inode,
1813 u32 perms,
1814 struct common_audit_data *adp)
1815 {
1816 struct inode_security_struct *isec;
1817 u32 sid;
1818
1819 validate_creds(cred);
1820
1821 if (unlikely(IS_PRIVATE(inode)))
1822 return 0;
1823
1824 sid = cred_sid(cred);
1825 isec = inode->i_security;
1826
1827 return avc_has_perm(&selinux_state,
1828 sid, isec->sid, isec->sclass, perms, adp);
1829 }
1830
1831 /* Same as inode_has_perm, but pass explicit audit data containing
1832 the dentry to help the auditing code to more easily generate the
1833 pathname if needed. */
1834 static inline int dentry_has_perm(const struct cred *cred,
1835 struct dentry *dentry,
1836 u32 av)
1837 {
1838 struct inode *inode = d_backing_inode(dentry);
1839 struct common_audit_data ad;
1840
1841 ad.type = LSM_AUDIT_DATA_DENTRY;
1842 ad.u.dentry = dentry;
1843 __inode_security_revalidate(inode, dentry, true);
1844 return inode_has_perm(cred, inode, av, &ad);
1845 }
1846
1847 /* Same as inode_has_perm, but pass explicit audit data containing
1848 the path to help the auditing code to more easily generate the
1849 pathname if needed. */
1850 static inline int path_has_perm(const struct cred *cred,
1851 const struct path *path,
1852 u32 av)
1853 {
1854 struct inode *inode = d_backing_inode(path->dentry);
1855 struct common_audit_data ad;
1856
1857 ad.type = LSM_AUDIT_DATA_PATH;
1858 ad.u.path = *path;
1859 __inode_security_revalidate(inode, path->dentry, true);
1860 return inode_has_perm(cred, inode, av, &ad);
1861 }
1862
1863 /* Same as path_has_perm, but uses the inode from the file struct. */
1864 static inline int file_path_has_perm(const struct cred *cred,
1865 struct file *file,
1866 u32 av)
1867 {
1868 struct common_audit_data ad;
1869
1870 ad.type = LSM_AUDIT_DATA_FILE;
1871 ad.u.file = file;
1872 return inode_has_perm(cred, file_inode(file), av, &ad);
1873 }
1874
1875 #ifdef CONFIG_BPF_SYSCALL
1876 static int bpf_fd_pass(struct file *file, u32 sid);
1877 #endif
1878
1879 /* Check whether a task can use an open file descriptor to
1880 access an inode in a given way. Check access to the
1881 descriptor itself, and then use dentry_has_perm to
1882 check a particular permission to the file.
1883 Access to the descriptor is implicitly granted if it
1884 has the same SID as the process. If av is zero, then
1885 access to the file is not checked, e.g. for cases
1886 where only the descriptor is affected like seek. */
1887 static int file_has_perm(const struct cred *cred,
1888 struct file *file,
1889 u32 av)
1890 {
1891 struct file_security_struct *fsec = file->f_security;
1892 struct inode *inode = file_inode(file);
1893 struct common_audit_data ad;
1894 u32 sid = cred_sid(cred);
1895 int rc;
1896
1897 ad.type = LSM_AUDIT_DATA_FILE;
1898 ad.u.file = file;
1899
1900 if (sid != fsec->sid) {
1901 rc = avc_has_perm(&selinux_state,
1902 sid, fsec->sid,
1903 SECCLASS_FD,
1904 FD__USE,
1905 &ad);
1906 if (rc)
1907 goto out;
1908 }
1909
1910 #ifdef CONFIG_BPF_SYSCALL
1911 rc = bpf_fd_pass(file, cred_sid(cred));
1912 if (rc)
1913 return rc;
1914 #endif
1915
1916 /* av is zero if only checking access to the descriptor. */
1917 rc = 0;
1918 if (av)
1919 rc = inode_has_perm(cred, inode, av, &ad);
1920
1921 out:
1922 return rc;
1923 }
1924
1925 /*
1926 * Determine the label for an inode that might be unioned.
1927 */
1928 static int
1929 selinux_determine_inode_label(const struct task_security_struct *tsec,
1930 struct inode *dir,
1931 const struct qstr *name, u16 tclass,
1932 u32 *_new_isid)
1933 {
1934 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1935
1936 if ((sbsec->flags & SE_SBINITIALIZED) &&
1937 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1938 *_new_isid = sbsec->mntpoint_sid;
1939 } else if ((sbsec->flags & SBLABEL_MNT) &&
1940 tsec->create_sid) {
1941 *_new_isid = tsec->create_sid;
1942 } else {
1943 const struct inode_security_struct *dsec = inode_security(dir);
1944 return security_transition_sid(&selinux_state, tsec->sid,
1945 dsec->sid, tclass,
1946 name, _new_isid);
1947 }
1948
1949 return 0;
1950 }
1951
1952 /* Check whether a task can create a file. */
1953 static int may_create(struct inode *dir,
1954 struct dentry *dentry,
1955 u16 tclass)
1956 {
1957 const struct task_security_struct *tsec = current_security();
1958 struct inode_security_struct *dsec;
1959 struct superblock_security_struct *sbsec;
1960 u32 sid, newsid;
1961 struct common_audit_data ad;
1962 int rc;
1963
1964 dsec = inode_security(dir);
1965 sbsec = dir->i_sb->s_security;
1966
1967 sid = tsec->sid;
1968
1969 ad.type = LSM_AUDIT_DATA_DENTRY;
1970 ad.u.dentry = dentry;
1971
1972 rc = avc_has_perm(&selinux_state,
1973 sid, dsec->sid, SECCLASS_DIR,
1974 DIR__ADD_NAME | DIR__SEARCH,
1975 &ad);
1976 if (rc)
1977 return rc;
1978
1979 rc = selinux_determine_inode_label(current_security(), dir,
1980 &dentry->d_name, tclass, &newsid);
1981 if (rc)
1982 return rc;
1983
1984 rc = avc_has_perm(&selinux_state,
1985 sid, newsid, tclass, FILE__CREATE, &ad);
1986 if (rc)
1987 return rc;
1988
1989 return avc_has_perm(&selinux_state,
1990 newsid, sbsec->sid,
1991 SECCLASS_FILESYSTEM,
1992 FILESYSTEM__ASSOCIATE, &ad);
1993 }
1994
1995 #define MAY_LINK 0
1996 #define MAY_UNLINK 1
1997 #define MAY_RMDIR 2
1998
1999 /* Check whether a task can link, unlink, or rmdir a file/directory. */
2000 static int may_link(struct inode *dir,
2001 struct dentry *dentry,
2002 int kind)
2003
2004 {
2005 struct inode_security_struct *dsec, *isec;
2006 struct common_audit_data ad;
2007 u32 sid = current_sid();
2008 u32 av;
2009 int rc;
2010
2011 dsec = inode_security(dir);
2012 isec = backing_inode_security(dentry);
2013
2014 ad.type = LSM_AUDIT_DATA_DENTRY;
2015 ad.u.dentry = dentry;
2016
2017 av = DIR__SEARCH;
2018 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2019 rc = avc_has_perm(&selinux_state,
2020 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2021 if (rc)
2022 return rc;
2023
2024 switch (kind) {
2025 case MAY_LINK:
2026 av = FILE__LINK;
2027 break;
2028 case MAY_UNLINK:
2029 av = FILE__UNLINK;
2030 break;
2031 case MAY_RMDIR:
2032 av = DIR__RMDIR;
2033 break;
2034 default:
2035 pr_warn("SELinux: %s: unrecognized kind %d\n",
2036 __func__, kind);
2037 return 0;
2038 }
2039
2040 rc = avc_has_perm(&selinux_state,
2041 sid, isec->sid, isec->sclass, av, &ad);
2042 return rc;
2043 }
2044
2045 static inline int may_rename(struct inode *old_dir,
2046 struct dentry *old_dentry,
2047 struct inode *new_dir,
2048 struct dentry *new_dentry)
2049 {
2050 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2051 struct common_audit_data ad;
2052 u32 sid = current_sid();
2053 u32 av;
2054 int old_is_dir, new_is_dir;
2055 int rc;
2056
2057 old_dsec = inode_security(old_dir);
2058 old_isec = backing_inode_security(old_dentry);
2059 old_is_dir = d_is_dir(old_dentry);
2060 new_dsec = inode_security(new_dir);
2061
2062 ad.type = LSM_AUDIT_DATA_DENTRY;
2063
2064 ad.u.dentry = old_dentry;
2065 rc = avc_has_perm(&selinux_state,
2066 sid, old_dsec->sid, SECCLASS_DIR,
2067 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2068 if (rc)
2069 return rc;
2070 rc = avc_has_perm(&selinux_state,
2071 sid, old_isec->sid,
2072 old_isec->sclass, FILE__RENAME, &ad);
2073 if (rc)
2074 return rc;
2075 if (old_is_dir && new_dir != old_dir) {
2076 rc = avc_has_perm(&selinux_state,
2077 sid, old_isec->sid,
2078 old_isec->sclass, DIR__REPARENT, &ad);
2079 if (rc)
2080 return rc;
2081 }
2082
2083 ad.u.dentry = new_dentry;
2084 av = DIR__ADD_NAME | DIR__SEARCH;
2085 if (d_is_positive(new_dentry))
2086 av |= DIR__REMOVE_NAME;
2087 rc = avc_has_perm(&selinux_state,
2088 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2089 if (rc)
2090 return rc;
2091 if (d_is_positive(new_dentry)) {
2092 new_isec = backing_inode_security(new_dentry);
2093 new_is_dir = d_is_dir(new_dentry);
2094 rc = avc_has_perm(&selinux_state,
2095 sid, new_isec->sid,
2096 new_isec->sclass,
2097 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2098 if (rc)
2099 return rc;
2100 }
2101
2102 return 0;
2103 }
2104
2105 /* Check whether a task can perform a filesystem operation. */
2106 static int superblock_has_perm(const struct cred *cred,
2107 struct super_block *sb,
2108 u32 perms,
2109 struct common_audit_data *ad)
2110 {
2111 struct superblock_security_struct *sbsec;
2112 u32 sid = cred_sid(cred);
2113
2114 sbsec = sb->s_security;
2115 return avc_has_perm(&selinux_state,
2116 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2117 }
2118
2119 /* Convert a Linux mode and permission mask to an access vector. */
2120 static inline u32 file_mask_to_av(int mode, int mask)
2121 {
2122 u32 av = 0;
2123
2124 if (!S_ISDIR(mode)) {
2125 if (mask & MAY_EXEC)
2126 av |= FILE__EXECUTE;
2127 if (mask & MAY_READ)
2128 av |= FILE__READ;
2129
2130 if (mask & MAY_APPEND)
2131 av |= FILE__APPEND;
2132 else if (mask & MAY_WRITE)
2133 av |= FILE__WRITE;
2134
2135 } else {
2136 if (mask & MAY_EXEC)
2137 av |= DIR__SEARCH;
2138 if (mask & MAY_WRITE)
2139 av |= DIR__WRITE;
2140 if (mask & MAY_READ)
2141 av |= DIR__READ;
2142 }
2143
2144 return av;
2145 }
2146
2147 /* Convert a Linux file to an access vector. */
2148 static inline u32 file_to_av(struct file *file)
2149 {
2150 u32 av = 0;
2151
2152 if (file->f_mode & FMODE_READ)
2153 av |= FILE__READ;
2154 if (file->f_mode & FMODE_WRITE) {
2155 if (file->f_flags & O_APPEND)
2156 av |= FILE__APPEND;
2157 else
2158 av |= FILE__WRITE;
2159 }
2160 if (!av) {
2161 /*
2162 * Special file opened with flags 3 for ioctl-only use.
2163 */
2164 av = FILE__IOCTL;
2165 }
2166
2167 return av;
2168 }
2169
2170 /*
2171 * Convert a file to an access vector and include the correct open
2172 * open permission.
2173 */
2174 static inline u32 open_file_to_av(struct file *file)
2175 {
2176 u32 av = file_to_av(file);
2177 struct inode *inode = file_inode(file);
2178
2179 if (selinux_policycap_openperm() &&
2180 inode->i_sb->s_magic != SOCKFS_MAGIC)
2181 av |= FILE__OPEN;
2182
2183 return av;
2184 }
2185
2186 /* Hook functions begin here. */
2187
2188 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2189 {
2190 u32 mysid = current_sid();
2191 u32 mgrsid = task_sid(mgr);
2192
2193 return avc_has_perm(&selinux_state,
2194 mysid, mgrsid, SECCLASS_BINDER,
2195 BINDER__SET_CONTEXT_MGR, NULL);
2196 }
2197
2198 static int selinux_binder_transaction(struct task_struct *from,
2199 struct task_struct *to)
2200 {
2201 u32 mysid = current_sid();
2202 u32 fromsid = task_sid(from);
2203 u32 tosid = task_sid(to);
2204 int rc;
2205
2206 if (mysid != fromsid) {
2207 rc = avc_has_perm(&selinux_state,
2208 mysid, fromsid, SECCLASS_BINDER,
2209 BINDER__IMPERSONATE, NULL);
2210 if (rc)
2211 return rc;
2212 }
2213
2214 return avc_has_perm(&selinux_state,
2215 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2216 NULL);
2217 }
2218
2219 static int selinux_binder_transfer_binder(struct task_struct *from,
2220 struct task_struct *to)
2221 {
2222 u32 fromsid = task_sid(from);
2223 u32 tosid = task_sid(to);
2224
2225 return avc_has_perm(&selinux_state,
2226 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2227 NULL);
2228 }
2229
2230 static int selinux_binder_transfer_file(struct task_struct *from,
2231 struct task_struct *to,
2232 struct file *file)
2233 {
2234 u32 sid = task_sid(to);
2235 struct file_security_struct *fsec = file->f_security;
2236 struct dentry *dentry = file->f_path.dentry;
2237 struct inode_security_struct *isec;
2238 struct common_audit_data ad;
2239 int rc;
2240
2241 ad.type = LSM_AUDIT_DATA_PATH;
2242 ad.u.path = file->f_path;
2243
2244 if (sid != fsec->sid) {
2245 rc = avc_has_perm(&selinux_state,
2246 sid, fsec->sid,
2247 SECCLASS_FD,
2248 FD__USE,
2249 &ad);
2250 if (rc)
2251 return rc;
2252 }
2253
2254 #ifdef CONFIG_BPF_SYSCALL
2255 rc = bpf_fd_pass(file, sid);
2256 if (rc)
2257 return rc;
2258 #endif
2259
2260 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2261 return 0;
2262
2263 isec = backing_inode_security(dentry);
2264 return avc_has_perm(&selinux_state,
2265 sid, isec->sid, isec->sclass, file_to_av(file),
2266 &ad);
2267 }
2268
2269 static int selinux_ptrace_access_check(struct task_struct *child,
2270 unsigned int mode)
2271 {
2272 u32 sid = current_sid();
2273 u32 csid = task_sid(child);
2274
2275 if (mode & PTRACE_MODE_READ)
2276 return avc_has_perm(&selinux_state,
2277 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2278
2279 return avc_has_perm(&selinux_state,
2280 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2281 }
2282
2283 static int selinux_ptrace_traceme(struct task_struct *parent)
2284 {
2285 return avc_has_perm(&selinux_state,
2286 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2287 PROCESS__PTRACE, NULL);
2288 }
2289
2290 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2291 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2292 {
2293 return avc_has_perm(&selinux_state,
2294 current_sid(), task_sid(target), SECCLASS_PROCESS,
2295 PROCESS__GETCAP, NULL);
2296 }
2297
2298 static int selinux_capset(struct cred *new, const struct cred *old,
2299 const kernel_cap_t *effective,
2300 const kernel_cap_t *inheritable,
2301 const kernel_cap_t *permitted)
2302 {
2303 return avc_has_perm(&selinux_state,
2304 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2305 PROCESS__SETCAP, NULL);
2306 }
2307
2308 /*
2309 * (This comment used to live with the selinux_task_setuid hook,
2310 * which was removed).
2311 *
2312 * Since setuid only affects the current process, and since the SELinux
2313 * controls are not based on the Linux identity attributes, SELinux does not
2314 * need to control this operation. However, SELinux does control the use of
2315 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2316 */
2317
2318 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2319 int cap, int audit)
2320 {
2321 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2322 }
2323
2324 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2325 {
2326 const struct cred *cred = current_cred();
2327 int rc = 0;
2328
2329 if (!sb)
2330 return 0;
2331
2332 switch (cmds) {
2333 case Q_SYNC:
2334 case Q_QUOTAON:
2335 case Q_QUOTAOFF:
2336 case Q_SETINFO:
2337 case Q_SETQUOTA:
2338 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2339 break;
2340 case Q_GETFMT:
2341 case Q_GETINFO:
2342 case Q_GETQUOTA:
2343 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2344 break;
2345 default:
2346 rc = 0; /* let the kernel handle invalid cmds */
2347 break;
2348 }
2349 return rc;
2350 }
2351
2352 static int selinux_quota_on(struct dentry *dentry)
2353 {
2354 const struct cred *cred = current_cred();
2355
2356 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2357 }
2358
2359 static int selinux_syslog(int type)
2360 {
2361 switch (type) {
2362 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2363 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2364 return avc_has_perm(&selinux_state,
2365 current_sid(), SECINITSID_KERNEL,
2366 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2367 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2368 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2369 /* Set level of messages printed to console */
2370 case SYSLOG_ACTION_CONSOLE_LEVEL:
2371 return avc_has_perm(&selinux_state,
2372 current_sid(), SECINITSID_KERNEL,
2373 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2374 NULL);
2375 }
2376 /* All other syslog types */
2377 return avc_has_perm(&selinux_state,
2378 current_sid(), SECINITSID_KERNEL,
2379 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2380 }
2381
2382 /*
2383 * Check that a process has enough memory to allocate a new virtual
2384 * mapping. 0 means there is enough memory for the allocation to
2385 * succeed and -ENOMEM implies there is not.
2386 *
2387 * Do not audit the selinux permission check, as this is applied to all
2388 * processes that allocate mappings.
2389 */
2390 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2391 {
2392 int rc, cap_sys_admin = 0;
2393
2394 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2395 SECURITY_CAP_NOAUDIT, true);
2396 if (rc == 0)
2397 cap_sys_admin = 1;
2398
2399 return cap_sys_admin;
2400 }
2401
2402 /* binprm security operations */
2403
2404 static u32 ptrace_parent_sid(void)
2405 {
2406 u32 sid = 0;
2407 struct task_struct *tracer;
2408
2409 rcu_read_lock();
2410 tracer = ptrace_parent(current);
2411 if (tracer)
2412 sid = task_sid(tracer);
2413 rcu_read_unlock();
2414
2415 return sid;
2416 }
2417
2418 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2419 const struct task_security_struct *old_tsec,
2420 const struct task_security_struct *new_tsec)
2421 {
2422 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2423 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2424 int rc;
2425 u32 av;
2426
2427 if (!nnp && !nosuid)
2428 return 0; /* neither NNP nor nosuid */
2429
2430 if (new_tsec->sid == old_tsec->sid)
2431 return 0; /* No change in credentials */
2432
2433 /*
2434 * If the policy enables the nnp_nosuid_transition policy capability,
2435 * then we permit transitions under NNP or nosuid if the
2436 * policy allows the corresponding permission between
2437 * the old and new contexts.
2438 */
2439 if (selinux_policycap_nnp_nosuid_transition()) {
2440 av = 0;
2441 if (nnp)
2442 av |= PROCESS2__NNP_TRANSITION;
2443 if (nosuid)
2444 av |= PROCESS2__NOSUID_TRANSITION;
2445 rc = avc_has_perm(&selinux_state,
2446 old_tsec->sid, new_tsec->sid,
2447 SECCLASS_PROCESS2, av, NULL);
2448 if (!rc)
2449 return 0;
2450 }
2451
2452 /*
2453 * We also permit NNP or nosuid transitions to bounded SIDs,
2454 * i.e. SIDs that are guaranteed to only be allowed a subset
2455 * of the permissions of the current SID.
2456 */
2457 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2458 new_tsec->sid);
2459 if (!rc)
2460 return 0;
2461
2462 /*
2463 * On failure, preserve the errno values for NNP vs nosuid.
2464 * NNP: Operation not permitted for caller.
2465 * nosuid: Permission denied to file.
2466 */
2467 if (nnp)
2468 return -EPERM;
2469 return -EACCES;
2470 }
2471
2472 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2473 {
2474 const struct task_security_struct *old_tsec;
2475 struct task_security_struct *new_tsec;
2476 struct inode_security_struct *isec;
2477 struct common_audit_data ad;
2478 struct inode *inode = file_inode(bprm->file);
2479 int rc;
2480
2481 /* SELinux context only depends on initial program or script and not
2482 * the script interpreter */
2483 if (bprm->called_set_creds)
2484 return 0;
2485
2486 old_tsec = current_security();
2487 new_tsec = bprm->cred->security;
2488 isec = inode_security(inode);
2489
2490 /* Default to the current task SID. */
2491 new_tsec->sid = old_tsec->sid;
2492 new_tsec->osid = old_tsec->sid;
2493
2494 /* Reset fs, key, and sock SIDs on execve. */
2495 new_tsec->create_sid = 0;
2496 new_tsec->keycreate_sid = 0;
2497 new_tsec->sockcreate_sid = 0;
2498
2499 if (old_tsec->exec_sid) {
2500 new_tsec->sid = old_tsec->exec_sid;
2501 /* Reset exec SID on execve. */
2502 new_tsec->exec_sid = 0;
2503
2504 /* Fail on NNP or nosuid if not an allowed transition. */
2505 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2506 if (rc)
2507 return rc;
2508 } else {
2509 /* Check for a default transition on this program. */
2510 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2511 isec->sid, SECCLASS_PROCESS, NULL,
2512 &new_tsec->sid);
2513 if (rc)
2514 return rc;
2515
2516 /*
2517 * Fallback to old SID on NNP or nosuid if not an allowed
2518 * transition.
2519 */
2520 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2521 if (rc)
2522 new_tsec->sid = old_tsec->sid;
2523 }
2524
2525 ad.type = LSM_AUDIT_DATA_FILE;
2526 ad.u.file = bprm->file;
2527
2528 if (new_tsec->sid == old_tsec->sid) {
2529 rc = avc_has_perm(&selinux_state,
2530 old_tsec->sid, isec->sid,
2531 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2532 if (rc)
2533 return rc;
2534 } else {
2535 /* Check permissions for the transition. */
2536 rc = avc_has_perm(&selinux_state,
2537 old_tsec->sid, new_tsec->sid,
2538 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2539 if (rc)
2540 return rc;
2541
2542 rc = avc_has_perm(&selinux_state,
2543 new_tsec->sid, isec->sid,
2544 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2545 if (rc)
2546 return rc;
2547
2548 /* Check for shared state */
2549 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2550 rc = avc_has_perm(&selinux_state,
2551 old_tsec->sid, new_tsec->sid,
2552 SECCLASS_PROCESS, PROCESS__SHARE,
2553 NULL);
2554 if (rc)
2555 return -EPERM;
2556 }
2557
2558 /* Make sure that anyone attempting to ptrace over a task that
2559 * changes its SID has the appropriate permit */
2560 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2561 u32 ptsid = ptrace_parent_sid();
2562 if (ptsid != 0) {
2563 rc = avc_has_perm(&selinux_state,
2564 ptsid, new_tsec->sid,
2565 SECCLASS_PROCESS,
2566 PROCESS__PTRACE, NULL);
2567 if (rc)
2568 return -EPERM;
2569 }
2570 }
2571
2572 /* Clear any possibly unsafe personality bits on exec: */
2573 bprm->per_clear |= PER_CLEAR_ON_SETID;
2574
2575 /* Enable secure mode for SIDs transitions unless
2576 the noatsecure permission is granted between
2577 the two SIDs, i.e. ahp returns 0. */
2578 rc = avc_has_perm(&selinux_state,
2579 old_tsec->sid, new_tsec->sid,
2580 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2581 NULL);
2582 bprm->secureexec |= !!rc;
2583 }
2584
2585 return 0;
2586 }
2587
2588 static int match_file(const void *p, struct file *file, unsigned fd)
2589 {
2590 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2591 }
2592
2593 /* Derived from fs/exec.c:flush_old_files. */
2594 static inline void flush_unauthorized_files(const struct cred *cred,
2595 struct files_struct *files)
2596 {
2597 struct file *file, *devnull = NULL;
2598 struct tty_struct *tty;
2599 int drop_tty = 0;
2600 unsigned n;
2601
2602 tty = get_current_tty();
2603 if (tty) {
2604 spin_lock(&tty->files_lock);
2605 if (!list_empty(&tty->tty_files)) {
2606 struct tty_file_private *file_priv;
2607
2608 /* Revalidate access to controlling tty.
2609 Use file_path_has_perm on the tty path directly
2610 rather than using file_has_perm, as this particular
2611 open file may belong to another process and we are
2612 only interested in the inode-based check here. */
2613 file_priv = list_first_entry(&tty->tty_files,
2614 struct tty_file_private, list);
2615 file = file_priv->file;
2616 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2617 drop_tty = 1;
2618 }
2619 spin_unlock(&tty->files_lock);
2620 tty_kref_put(tty);
2621 }
2622 /* Reset controlling tty. */
2623 if (drop_tty)
2624 no_tty();
2625
2626 /* Revalidate access to inherited open files. */
2627 n = iterate_fd(files, 0, match_file, cred);
2628 if (!n) /* none found? */
2629 return;
2630
2631 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2632 if (IS_ERR(devnull))
2633 devnull = NULL;
2634 /* replace all the matching ones with this */
2635 do {
2636 replace_fd(n - 1, devnull, 0);
2637 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2638 if (devnull)
2639 fput(devnull);
2640 }
2641
2642 /*
2643 * Prepare a process for imminent new credential changes due to exec
2644 */
2645 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2646 {
2647 struct task_security_struct *new_tsec;
2648 struct rlimit *rlim, *initrlim;
2649 int rc, i;
2650
2651 new_tsec = bprm->cred->security;
2652 if (new_tsec->sid == new_tsec->osid)
2653 return;
2654
2655 /* Close files for which the new task SID is not authorized. */
2656 flush_unauthorized_files(bprm->cred, current->files);
2657
2658 /* Always clear parent death signal on SID transitions. */
2659 current->pdeath_signal = 0;
2660
2661 /* Check whether the new SID can inherit resource limits from the old
2662 * SID. If not, reset all soft limits to the lower of the current
2663 * task's hard limit and the init task's soft limit.
2664 *
2665 * Note that the setting of hard limits (even to lower them) can be
2666 * controlled by the setrlimit check. The inclusion of the init task's
2667 * soft limit into the computation is to avoid resetting soft limits
2668 * higher than the default soft limit for cases where the default is
2669 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2670 */
2671 rc = avc_has_perm(&selinux_state,
2672 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2673 PROCESS__RLIMITINH, NULL);
2674 if (rc) {
2675 /* protect against do_prlimit() */
2676 task_lock(current);
2677 for (i = 0; i < RLIM_NLIMITS; i++) {
2678 rlim = current->signal->rlim + i;
2679 initrlim = init_task.signal->rlim + i;
2680 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2681 }
2682 task_unlock(current);
2683 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2684 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2685 }
2686 }
2687
2688 /*
2689 * Clean up the process immediately after the installation of new credentials
2690 * due to exec
2691 */
2692 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2693 {
2694 const struct task_security_struct *tsec = current_security();
2695 struct itimerval itimer;
2696 u32 osid, sid;
2697 int rc, i;
2698
2699 osid = tsec->osid;
2700 sid = tsec->sid;
2701
2702 if (sid == osid)
2703 return;
2704
2705 /* Check whether the new SID can inherit signal state from the old SID.
2706 * If not, clear itimers to avoid subsequent signal generation and
2707 * flush and unblock signals.
2708 *
2709 * This must occur _after_ the task SID has been updated so that any
2710 * kill done after the flush will be checked against the new SID.
2711 */
2712 rc = avc_has_perm(&selinux_state,
2713 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2714 if (rc) {
2715 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2716 memset(&itimer, 0, sizeof itimer);
2717 for (i = 0; i < 3; i++)
2718 do_setitimer(i, &itimer, NULL);
2719 }
2720 spin_lock_irq(&current->sighand->siglock);
2721 if (!fatal_signal_pending(current)) {
2722 flush_sigqueue(&current->pending);
2723 flush_sigqueue(&current->signal->shared_pending);
2724 flush_signal_handlers(current, 1);
2725 sigemptyset(&current->blocked);
2726 recalc_sigpending();
2727 }
2728 spin_unlock_irq(&current->sighand->siglock);
2729 }
2730
2731 /* Wake up the parent if it is waiting so that it can recheck
2732 * wait permission to the new task SID. */
2733 read_lock(&tasklist_lock);
2734 __wake_up_parent(current, current->real_parent);
2735 read_unlock(&tasklist_lock);
2736 }
2737
2738 /* superblock security operations */
2739
2740 static int selinux_sb_alloc_security(struct super_block *sb)
2741 {
2742 return superblock_alloc_security(sb);
2743 }
2744
2745 static void selinux_sb_free_security(struct super_block *sb)
2746 {
2747 superblock_free_security(sb);
2748 }
2749
2750 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2751 {
2752 if (plen > olen)
2753 return 0;
2754
2755 return !memcmp(prefix, option, plen);
2756 }
2757
2758 static inline int selinux_option(char *option, int len)
2759 {
2760 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2761 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2762 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2763 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2764 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2765 }
2766
2767 static inline void take_option(char **to, char *from, int *first, int len)
2768 {
2769 if (!*first) {
2770 **to = ',';
2771 *to += 1;
2772 } else
2773 *first = 0;
2774 memcpy(*to, from, len);
2775 *to += len;
2776 }
2777
2778 static inline void take_selinux_option(char **to, char *from, int *first,
2779 int len)
2780 {
2781 int current_size = 0;
2782
2783 if (!*first) {
2784 **to = '|';
2785 *to += 1;
2786 } else
2787 *first = 0;
2788
2789 while (current_size < len) {
2790 if (*from != '"') {
2791 **to = *from;
2792 *to += 1;
2793 }
2794 from += 1;
2795 current_size += 1;
2796 }
2797 }
2798
2799 static int selinux_sb_copy_data(char *orig, char *copy)
2800 {
2801 int fnosec, fsec, rc = 0;
2802 char *in_save, *in_curr, *in_end;
2803 char *sec_curr, *nosec_save, *nosec;
2804 int open_quote = 0;
2805
2806 in_curr = orig;
2807 sec_curr = copy;
2808
2809 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2810 if (!nosec) {
2811 rc = -ENOMEM;
2812 goto out;
2813 }
2814
2815 nosec_save = nosec;
2816 fnosec = fsec = 1;
2817 in_save = in_end = orig;
2818
2819 do {
2820 if (*in_end == '"')
2821 open_quote = !open_quote;
2822 if ((*in_end == ',' && open_quote == 0) ||
2823 *in_end == '\0') {
2824 int len = in_end - in_curr;
2825
2826 if (selinux_option(in_curr, len))
2827 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2828 else
2829 take_option(&nosec, in_curr, &fnosec, len);
2830
2831 in_curr = in_end + 1;
2832 }
2833 } while (*in_end++);
2834
2835 strcpy(in_save, nosec_save);
2836 free_page((unsigned long)nosec_save);
2837 out:
2838 return rc;
2839 }
2840
2841 static int selinux_sb_remount(struct super_block *sb, void *data)
2842 {
2843 int rc, i, *flags;
2844 struct security_mnt_opts opts;
2845 char *secdata, **mount_options;
2846 struct superblock_security_struct *sbsec = sb->s_security;
2847
2848 if (!(sbsec->flags & SE_SBINITIALIZED))
2849 return 0;
2850
2851 if (!data)
2852 return 0;
2853
2854 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2855 return 0;
2856
2857 security_init_mnt_opts(&opts);
2858 secdata = alloc_secdata();
2859 if (!secdata)
2860 return -ENOMEM;
2861 rc = selinux_sb_copy_data(data, secdata);
2862 if (rc)
2863 goto out_free_secdata;
2864
2865 rc = selinux_parse_opts_str(secdata, &opts);
2866 if (rc)
2867 goto out_free_secdata;
2868
2869 mount_options = opts.mnt_opts;
2870 flags = opts.mnt_opts_flags;
2871
2872 for (i = 0; i < opts.num_mnt_opts; i++) {
2873 u32 sid;
2874
2875 if (flags[i] == SBLABEL_MNT)
2876 continue;
2877 rc = security_context_str_to_sid(&selinux_state,
2878 mount_options[i], &sid,
2879 GFP_KERNEL);
2880 if (rc) {
2881 pr_warn("SELinux: security_context_str_to_sid"
2882 "(%s) failed for (dev %s, type %s) errno=%d\n",
2883 mount_options[i], sb->s_id, sb->s_type->name, rc);
2884 goto out_free_opts;
2885 }
2886 rc = -EINVAL;
2887 switch (flags[i]) {
2888 case FSCONTEXT_MNT:
2889 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2890 goto out_bad_option;
2891 break;
2892 case CONTEXT_MNT:
2893 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2894 goto out_bad_option;
2895 break;
2896 case ROOTCONTEXT_MNT: {
2897 struct inode_security_struct *root_isec;
2898 root_isec = backing_inode_security(sb->s_root);
2899
2900 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2901 goto out_bad_option;
2902 break;
2903 }
2904 case DEFCONTEXT_MNT:
2905 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2906 goto out_bad_option;
2907 break;
2908 default:
2909 goto out_free_opts;
2910 }
2911 }
2912
2913 rc = 0;
2914 out_free_opts:
2915 security_free_mnt_opts(&opts);
2916 out_free_secdata:
2917 free_secdata(secdata);
2918 return rc;
2919 out_bad_option:
2920 pr_warn("SELinux: unable to change security options "
2921 "during remount (dev %s, type=%s)\n", sb->s_id,
2922 sb->s_type->name);
2923 goto out_free_opts;
2924 }
2925
2926 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2927 {
2928 const struct cred *cred = current_cred();
2929 struct common_audit_data ad;
2930 int rc;
2931
2932 rc = superblock_doinit(sb, data);
2933 if (rc)
2934 return rc;
2935
2936 /* Allow all mounts performed by the kernel */
2937 if (flags & MS_KERNMOUNT)
2938 return 0;
2939
2940 ad.type = LSM_AUDIT_DATA_DENTRY;
2941 ad.u.dentry = sb->s_root;
2942 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2943 }
2944
2945 static int selinux_sb_statfs(struct dentry *dentry)
2946 {
2947 const struct cred *cred = current_cred();
2948 struct common_audit_data ad;
2949
2950 ad.type = LSM_AUDIT_DATA_DENTRY;
2951 ad.u.dentry = dentry->d_sb->s_root;
2952 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2953 }
2954
2955 static int selinux_mount(const char *dev_name,
2956 const struct path *path,
2957 const char *type,
2958 unsigned long flags,
2959 void *data)
2960 {
2961 const struct cred *cred = current_cred();
2962
2963 if (flags & MS_REMOUNT)
2964 return superblock_has_perm(cred, path->dentry->d_sb,
2965 FILESYSTEM__REMOUNT, NULL);
2966 else
2967 return path_has_perm(cred, path, FILE__MOUNTON);
2968 }
2969
2970 static int selinux_umount(struct vfsmount *mnt, int flags)
2971 {
2972 const struct cred *cred = current_cred();
2973
2974 return superblock_has_perm(cred, mnt->mnt_sb,
2975 FILESYSTEM__UNMOUNT, NULL);
2976 }
2977
2978 /* inode security operations */
2979
2980 static int selinux_inode_alloc_security(struct inode *inode)
2981 {
2982 return inode_alloc_security(inode);
2983 }
2984
2985 static void selinux_inode_free_security(struct inode *inode)
2986 {
2987 inode_free_security(inode);
2988 }
2989
2990 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2991 const struct qstr *name, void **ctx,
2992 u32 *ctxlen)
2993 {
2994 u32 newsid;
2995 int rc;
2996
2997 rc = selinux_determine_inode_label(current_security(),
2998 d_inode(dentry->d_parent), name,
2999 inode_mode_to_security_class(mode),
3000 &newsid);
3001 if (rc)
3002 return rc;
3003
3004 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3005 ctxlen);
3006 }
3007
3008 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3009 struct qstr *name,
3010 const struct cred *old,
3011 struct cred *new)
3012 {
3013 u32 newsid;
3014 int rc;
3015 struct task_security_struct *tsec;
3016
3017 rc = selinux_determine_inode_label(old->security,
3018 d_inode(dentry->d_parent), name,
3019 inode_mode_to_security_class(mode),
3020 &newsid);
3021 if (rc)
3022 return rc;
3023
3024 tsec = new->security;
3025 tsec->create_sid = newsid;
3026 return 0;
3027 }
3028
3029 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3030 const struct qstr *qstr,
3031 const char **name,
3032 void **value, size_t *len)
3033 {
3034 const struct task_security_struct *tsec = current_security();
3035 struct superblock_security_struct *sbsec;
3036 u32 newsid, clen;
3037 int rc;
3038 char *context;
3039
3040 sbsec = dir->i_sb->s_security;
3041
3042 newsid = tsec->create_sid;
3043
3044 rc = selinux_determine_inode_label(current_security(),
3045 dir, qstr,
3046 inode_mode_to_security_class(inode->i_mode),
3047 &newsid);
3048 if (rc)
3049 return rc;
3050
3051 /* Possibly defer initialization to selinux_complete_init. */
3052 if (sbsec->flags & SE_SBINITIALIZED) {
3053 struct inode_security_struct *isec = inode->i_security;
3054 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3055 isec->sid = newsid;
3056 isec->initialized = LABEL_INITIALIZED;
3057 }
3058
3059 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3060 return -EOPNOTSUPP;
3061
3062 if (name)
3063 *name = XATTR_SELINUX_SUFFIX;
3064
3065 if (value && len) {
3066 rc = security_sid_to_context_force(&selinux_state, newsid,
3067 &context, &clen);
3068 if (rc)
3069 return rc;
3070 *value = context;
3071 *len = clen;
3072 }
3073
3074 return 0;
3075 }
3076
3077 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3078 {
3079 return may_create(dir, dentry, SECCLASS_FILE);
3080 }
3081
3082 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3083 {
3084 return may_link(dir, old_dentry, MAY_LINK);
3085 }
3086
3087 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3088 {
3089 return may_link(dir, dentry, MAY_UNLINK);
3090 }
3091
3092 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3093 {
3094 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3095 }
3096
3097 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3098 {
3099 return may_create(dir, dentry, SECCLASS_DIR);
3100 }
3101
3102 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3103 {
3104 return may_link(dir, dentry, MAY_RMDIR);
3105 }
3106
3107 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3108 {
3109 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3110 }
3111
3112 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3113 struct inode *new_inode, struct dentry *new_dentry)
3114 {
3115 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3116 }
3117
3118 static int selinux_inode_readlink(struct dentry *dentry)
3119 {
3120 const struct cred *cred = current_cred();
3121
3122 return dentry_has_perm(cred, dentry, FILE__READ);
3123 }
3124
3125 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3126 bool rcu)
3127 {
3128 const struct cred *cred = current_cred();
3129 struct common_audit_data ad;
3130 struct inode_security_struct *isec;
3131 u32 sid;
3132
3133 validate_creds(cred);
3134
3135 ad.type = LSM_AUDIT_DATA_DENTRY;
3136 ad.u.dentry = dentry;
3137 sid = cred_sid(cred);
3138 isec = inode_security_rcu(inode, rcu);
3139 if (IS_ERR(isec))
3140 return PTR_ERR(isec);
3141
3142 return avc_has_perm_flags(&selinux_state,
3143 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3144 rcu ? MAY_NOT_BLOCK : 0);
3145 }
3146
3147 static noinline int audit_inode_permission(struct inode *inode,
3148 u32 perms, u32 audited, u32 denied,
3149 int result,
3150 unsigned flags)
3151 {
3152 struct common_audit_data ad;
3153 struct inode_security_struct *isec = inode->i_security;
3154 int rc;
3155
3156 ad.type = LSM_AUDIT_DATA_INODE;
3157 ad.u.inode = inode;
3158
3159 rc = slow_avc_audit(&selinux_state,
3160 current_sid(), isec->sid, isec->sclass, perms,
3161 audited, denied, result, &ad, flags);
3162 if (rc)
3163 return rc;
3164 return 0;
3165 }
3166
3167 static int selinux_inode_permission(struct inode *inode, int mask)
3168 {
3169 const struct cred *cred = current_cred();
3170 u32 perms;
3171 bool from_access;
3172 unsigned flags = mask & MAY_NOT_BLOCK;
3173 struct inode_security_struct *isec;
3174 u32 sid;
3175 struct av_decision avd;
3176 int rc, rc2;
3177 u32 audited, denied;
3178
3179 from_access = mask & MAY_ACCESS;
3180 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3181
3182 /* No permission to check. Existence test. */
3183 if (!mask)
3184 return 0;
3185
3186 validate_creds(cred);
3187
3188 if (unlikely(IS_PRIVATE(inode)))
3189 return 0;
3190
3191 perms = file_mask_to_av(inode->i_mode, mask);
3192
3193 sid = cred_sid(cred);
3194 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3195 if (IS_ERR(isec))
3196 return PTR_ERR(isec);
3197
3198 rc = avc_has_perm_noaudit(&selinux_state,
3199 sid, isec->sid, isec->sclass, perms, 0, &avd);
3200 audited = avc_audit_required(perms, &avd, rc,
3201 from_access ? FILE__AUDIT_ACCESS : 0,
3202 &denied);
3203 if (likely(!audited))
3204 return rc;
3205
3206 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3207 if (rc2)
3208 return rc2;
3209 return rc;
3210 }
3211
3212 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3213 {
3214 const struct cred *cred = current_cred();
3215 struct inode *inode = d_backing_inode(dentry);
3216 unsigned int ia_valid = iattr->ia_valid;
3217 __u32 av = FILE__WRITE;
3218
3219 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3220 if (ia_valid & ATTR_FORCE) {
3221 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3222 ATTR_FORCE);
3223 if (!ia_valid)
3224 return 0;
3225 }
3226
3227 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3228 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3229 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3230
3231 if (selinux_policycap_openperm() &&
3232 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3233 (ia_valid & ATTR_SIZE) &&
3234 !(ia_valid & ATTR_FILE))
3235 av |= FILE__OPEN;
3236
3237 return dentry_has_perm(cred, dentry, av);
3238 }
3239
3240 static int selinux_inode_getattr(const struct path *path)
3241 {
3242 return path_has_perm(current_cred(), path, FILE__GETATTR);
3243 }
3244
3245 static bool has_cap_mac_admin(bool audit)
3246 {
3247 const struct cred *cred = current_cred();
3248 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3249
3250 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3251 return false;
3252 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3253 return false;
3254 return true;
3255 }
3256
3257 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3258 const void *value, size_t size, int flags)
3259 {
3260 struct inode *inode = d_backing_inode(dentry);
3261 struct inode_security_struct *isec;
3262 struct superblock_security_struct *sbsec;
3263 struct common_audit_data ad;
3264 u32 newsid, sid = current_sid();
3265 int rc = 0;
3266
3267 if (strcmp(name, XATTR_NAME_SELINUX)) {
3268 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3269 if (rc)
3270 return rc;
3271
3272 /* Not an attribute we recognize, so just check the
3273 ordinary setattr permission. */
3274 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3275 }
3276
3277 sbsec = inode->i_sb->s_security;
3278 if (!(sbsec->flags & SBLABEL_MNT))
3279 return -EOPNOTSUPP;
3280
3281 if (!inode_owner_or_capable(inode))
3282 return -EPERM;
3283
3284 ad.type = LSM_AUDIT_DATA_DENTRY;
3285 ad.u.dentry = dentry;
3286
3287 isec = backing_inode_security(dentry);
3288 rc = avc_has_perm(&selinux_state,
3289 sid, isec->sid, isec->sclass,
3290 FILE__RELABELFROM, &ad);
3291 if (rc)
3292 return rc;
3293
3294 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3295 GFP_KERNEL);
3296 if (rc == -EINVAL) {
3297 if (!has_cap_mac_admin(true)) {
3298 struct audit_buffer *ab;
3299 size_t audit_size;
3300
3301 /* We strip a nul only if it is at the end, otherwise the
3302 * context contains a nul and we should audit that */
3303 if (value) {
3304 const char *str = value;
3305
3306 if (str[size - 1] == '\0')
3307 audit_size = size - 1;
3308 else
3309 audit_size = size;
3310 } else {
3311 audit_size = 0;
3312 }
3313 ab = audit_log_start(audit_context(),
3314 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3315 audit_log_format(ab, "op=setxattr invalid_context=");
3316 audit_log_n_untrustedstring(ab, value, audit_size);
3317 audit_log_end(ab);
3318
3319 return rc;
3320 }
3321 rc = security_context_to_sid_force(&selinux_state, value,
3322 size, &newsid);
3323 }
3324 if (rc)
3325 return rc;
3326
3327 rc = avc_has_perm(&selinux_state,
3328 sid, newsid, isec->sclass,
3329 FILE__RELABELTO, &ad);
3330 if (rc)
3331 return rc;
3332
3333 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3334 sid, isec->sclass);
3335 if (rc)
3336 return rc;
3337
3338 return avc_has_perm(&selinux_state,
3339 newsid,
3340 sbsec->sid,
3341 SECCLASS_FILESYSTEM,
3342 FILESYSTEM__ASSOCIATE,
3343 &ad);
3344 }
3345
3346 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3347 const void *value, size_t size,
3348 int flags)
3349 {
3350 struct inode *inode = d_backing_inode(dentry);
3351 struct inode_security_struct *isec;
3352 u32 newsid;
3353 int rc;
3354
3355 if (strcmp(name, XATTR_NAME_SELINUX)) {
3356 /* Not an attribute we recognize, so nothing to do. */
3357 return;
3358 }
3359
3360 rc = security_context_to_sid_force(&selinux_state, value, size,
3361 &newsid);
3362 if (rc) {
3363 pr_err("SELinux: unable to map context to SID"
3364 "for (%s, %lu), rc=%d\n",
3365 inode->i_sb->s_id, inode->i_ino, -rc);
3366 return;
3367 }
3368
3369 isec = backing_inode_security(dentry);
3370 spin_lock(&isec->lock);
3371 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3372 isec->sid = newsid;
3373 isec->initialized = LABEL_INITIALIZED;
3374 spin_unlock(&isec->lock);
3375
3376 return;
3377 }
3378
3379 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3380 {
3381 const struct cred *cred = current_cred();
3382
3383 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3384 }
3385
3386 static int selinux_inode_listxattr(struct dentry *dentry)
3387 {
3388 const struct cred *cred = current_cred();
3389
3390 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3391 }
3392
3393 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3394 {
3395 if (strcmp(name, XATTR_NAME_SELINUX)) {
3396 int rc = cap_inode_removexattr(dentry, name);
3397 if (rc)
3398 return rc;
3399
3400 /* Not an attribute we recognize, so just check the
3401 ordinary setattr permission. */
3402 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3403 }
3404
3405 /* No one is allowed to remove a SELinux security label.
3406 You can change the label, but all data must be labeled. */
3407 return -EACCES;
3408 }
3409
3410 /*
3411 * Copy the inode security context value to the user.
3412 *
3413 * Permission check is handled by selinux_inode_getxattr hook.
3414 */
3415 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3416 {
3417 u32 size;
3418 int error;
3419 char *context = NULL;
3420 struct inode_security_struct *isec;
3421
3422 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3423 return -EOPNOTSUPP;
3424
3425 /*
3426 * If the caller has CAP_MAC_ADMIN, then get the raw context
3427 * value even if it is not defined by current policy; otherwise,
3428 * use the in-core value under current policy.
3429 * Use the non-auditing forms of the permission checks since
3430 * getxattr may be called by unprivileged processes commonly
3431 * and lack of permission just means that we fall back to the
3432 * in-core context value, not a denial.
3433 */
3434 isec = inode_security(inode);
3435 if (has_cap_mac_admin(false))
3436 error = security_sid_to_context_force(&selinux_state,
3437 isec->sid, &context,
3438 &size);
3439 else
3440 error = security_sid_to_context(&selinux_state, isec->sid,
3441 &context, &size);
3442 if (error)
3443 return error;
3444 error = size;
3445 if (alloc) {
3446 *buffer = context;
3447 goto out_nofree;
3448 }
3449 kfree(context);
3450 out_nofree:
3451 return error;
3452 }
3453
3454 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3455 const void *value, size_t size, int flags)
3456 {
3457 struct inode_security_struct *isec = inode_security_novalidate(inode);
3458 u32 newsid;
3459 int rc;
3460
3461 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3462 return -EOPNOTSUPP;
3463
3464 if (!value || !size)
3465 return -EACCES;
3466
3467 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3468 GFP_KERNEL);
3469 if (rc)
3470 return rc;
3471
3472 spin_lock(&isec->lock);
3473 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3474 isec->sid = newsid;
3475 isec->initialized = LABEL_INITIALIZED;
3476 spin_unlock(&isec->lock);
3477 return 0;
3478 }
3479
3480 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3481 {
3482 const int len = sizeof(XATTR_NAME_SELINUX);
3483 if (buffer && len <= buffer_size)
3484 memcpy(buffer, XATTR_NAME_SELINUX, len);
3485 return len;
3486 }
3487
3488 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3489 {
3490 struct inode_security_struct *isec = inode_security_novalidate(inode);
3491 *secid = isec->sid;
3492 }
3493
3494 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3495 {
3496 u32 sid;
3497 struct task_security_struct *tsec;
3498 struct cred *new_creds = *new;
3499
3500 if (new_creds == NULL) {
3501 new_creds = prepare_creds();
3502 if (!new_creds)
3503 return -ENOMEM;
3504 }
3505
3506 tsec = new_creds->security;
3507 /* Get label from overlay inode and set it in create_sid */
3508 selinux_inode_getsecid(d_inode(src), &sid);
3509 tsec->create_sid = sid;
3510 *new = new_creds;
3511 return 0;
3512 }
3513
3514 static int selinux_inode_copy_up_xattr(const char *name)
3515 {
3516 /* The copy_up hook above sets the initial context on an inode, but we
3517 * don't then want to overwrite it by blindly copying all the lower
3518 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3519 */
3520 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3521 return 1; /* Discard */
3522 /*
3523 * Any other attribute apart from SELINUX is not claimed, supported
3524 * by selinux.
3525 */
3526 return -EOPNOTSUPP;
3527 }
3528
3529 /* file security operations */
3530
3531 static int selinux_revalidate_file_permission(struct file *file, int mask)
3532 {
3533 const struct cred *cred = current_cred();
3534 struct inode *inode = file_inode(file);
3535
3536 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3537 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3538 mask |= MAY_APPEND;
3539
3540 return file_has_perm(cred, file,
3541 file_mask_to_av(inode->i_mode, mask));
3542 }
3543
3544 static int selinux_file_permission(struct file *file, int mask)
3545 {
3546 struct inode *inode = file_inode(file);
3547 struct file_security_struct *fsec = file->f_security;
3548 struct inode_security_struct *isec;
3549 u32 sid = current_sid();
3550
3551 if (!mask)
3552 /* No permission to check. Existence test. */
3553 return 0;
3554
3555 isec = inode_security(inode);
3556 if (sid == fsec->sid && fsec->isid == isec->sid &&
3557 fsec->pseqno == avc_policy_seqno(&selinux_state))
3558 /* No change since file_open check. */
3559 return 0;
3560
3561 return selinux_revalidate_file_permission(file, mask);
3562 }
3563
3564 static int selinux_file_alloc_security(struct file *file)
3565 {
3566 return file_alloc_security(file);
3567 }
3568
3569 static void selinux_file_free_security(struct file *file)
3570 {
3571 file_free_security(file);
3572 }
3573
3574 /*
3575 * Check whether a task has the ioctl permission and cmd
3576 * operation to an inode.
3577 */
3578 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3579 u32 requested, u16 cmd)
3580 {
3581 struct common_audit_data ad;
3582 struct file_security_struct *fsec = file->f_security;
3583 struct inode *inode = file_inode(file);
3584 struct inode_security_struct *isec;
3585 struct lsm_ioctlop_audit ioctl;
3586 u32 ssid = cred_sid(cred);
3587 int rc;
3588 u8 driver = cmd >> 8;
3589 u8 xperm = cmd & 0xff;
3590
3591 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3592 ad.u.op = &ioctl;
3593 ad.u.op->cmd = cmd;
3594 ad.u.op->path = file->f_path;
3595
3596 if (ssid != fsec->sid) {
3597 rc = avc_has_perm(&selinux_state,
3598 ssid, fsec->sid,
3599 SECCLASS_FD,
3600 FD__USE,
3601 &ad);
3602 if (rc)
3603 goto out;
3604 }
3605
3606 if (unlikely(IS_PRIVATE(inode)))
3607 return 0;
3608
3609 isec = inode_security(inode);
3610 rc = avc_has_extended_perms(&selinux_state,
3611 ssid, isec->sid, isec->sclass,
3612 requested, driver, xperm, &ad);
3613 out:
3614 return rc;
3615 }
3616
3617 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3618 unsigned long arg)
3619 {
3620 const struct cred *cred = current_cred();
3621 int error = 0;
3622
3623 switch (cmd) {
3624 case FIONREAD:
3625 /* fall through */
3626 case FIBMAP:
3627 /* fall through */
3628 case FIGETBSZ:
3629 /* fall through */
3630 case FS_IOC_GETFLAGS:
3631 /* fall through */
3632 case FS_IOC_GETVERSION:
3633 error = file_has_perm(cred, file, FILE__GETATTR);
3634 break;
3635
3636 case FS_IOC_SETFLAGS:
3637 /* fall through */
3638 case FS_IOC_SETVERSION:
3639 error = file_has_perm(cred, file, FILE__SETATTR);
3640 break;
3641
3642 /* sys_ioctl() checks */
3643 case FIONBIO:
3644 /* fall through */
3645 case FIOASYNC:
3646 error = file_has_perm(cred, file, 0);
3647 break;
3648
3649 case KDSKBENT:
3650 case KDSKBSENT:
3651 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3652 SECURITY_CAP_AUDIT, true);
3653 break;
3654
3655 /* default case assumes that the command will go
3656 * to the file's ioctl() function.
3657 */
3658 default:
3659 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3660 }
3661 return error;
3662 }
3663
3664 static int default_noexec;
3665
3666 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3667 {
3668 const struct cred *cred = current_cred();
3669 u32 sid = cred_sid(cred);
3670 int rc = 0;
3671
3672 if (default_noexec &&
3673 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3674 (!shared && (prot & PROT_WRITE)))) {
3675 /*
3676 * We are making executable an anonymous mapping or a
3677 * private file mapping that will also be writable.
3678 * This has an additional check.
3679 */
3680 rc = avc_has_perm(&selinux_state,
3681 sid, sid, SECCLASS_PROCESS,
3682 PROCESS__EXECMEM, NULL);
3683 if (rc)
3684 goto error;
3685 }
3686
3687 if (file) {
3688 /* read access is always possible with a mapping */
3689 u32 av = FILE__READ;
3690
3691 /* write access only matters if the mapping is shared */
3692 if (shared && (prot & PROT_WRITE))
3693 av |= FILE__WRITE;
3694
3695 if (prot & PROT_EXEC)
3696 av |= FILE__EXECUTE;
3697
3698 return file_has_perm(cred, file, av);
3699 }
3700
3701 error:
3702 return rc;
3703 }
3704
3705 static int selinux_mmap_addr(unsigned long addr)
3706 {
3707 int rc = 0;
3708
3709 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3710 u32 sid = current_sid();
3711 rc = avc_has_perm(&selinux_state,
3712 sid, sid, SECCLASS_MEMPROTECT,
3713 MEMPROTECT__MMAP_ZERO, NULL);
3714 }
3715
3716 return rc;
3717 }
3718
3719 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3720 unsigned long prot, unsigned long flags)
3721 {
3722 struct common_audit_data ad;
3723 int rc;
3724
3725 if (file) {
3726 ad.type = LSM_AUDIT_DATA_FILE;
3727 ad.u.file = file;
3728 rc = inode_has_perm(current_cred(), file_inode(file),
3729 FILE__MAP, &ad);
3730 if (rc)
3731 return rc;
3732 }
3733
3734 if (selinux_state.checkreqprot)
3735 prot = reqprot;
3736
3737 return file_map_prot_check(file, prot,
3738 (flags & MAP_TYPE) == MAP_SHARED);
3739 }
3740
3741 static int selinux_file_mprotect(struct vm_area_struct *vma,
3742 unsigned long reqprot,
3743 unsigned long prot)
3744 {
3745 const struct cred *cred = current_cred();
3746 u32 sid = cred_sid(cred);
3747
3748 if (selinux_state.checkreqprot)
3749 prot = reqprot;
3750
3751 if (default_noexec &&
3752 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3753 int rc = 0;
3754 if (vma->vm_start >= vma->vm_mm->start_brk &&
3755 vma->vm_end <= vma->vm_mm->brk) {
3756 rc = avc_has_perm(&selinux_state,
3757 sid, sid, SECCLASS_PROCESS,
3758 PROCESS__EXECHEAP, NULL);
3759 } else if (!vma->vm_file &&
3760 ((vma->vm_start <= vma->vm_mm->start_stack &&
3761 vma->vm_end >= vma->vm_mm->start_stack) ||
3762 vma_is_stack_for_current(vma))) {
3763 rc = avc_has_perm(&selinux_state,
3764 sid, sid, SECCLASS_PROCESS,
3765 PROCESS__EXECSTACK, NULL);
3766 } else if (vma->vm_file && vma->anon_vma) {
3767 /*
3768 * We are making executable a file mapping that has
3769 * had some COW done. Since pages might have been
3770 * written, check ability to execute the possibly
3771 * modified content. This typically should only
3772 * occur for text relocations.
3773 */
3774 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3775 }
3776 if (rc)
3777 return rc;
3778 }
3779
3780 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3781 }
3782
3783 static int selinux_file_lock(struct file *file, unsigned int cmd)
3784 {
3785 const struct cred *cred = current_cred();
3786
3787 return file_has_perm(cred, file, FILE__LOCK);
3788 }
3789
3790 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3791 unsigned long arg)
3792 {
3793 const struct cred *cred = current_cred();
3794 int err = 0;
3795
3796 switch (cmd) {
3797 case F_SETFL:
3798 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3799 err = file_has_perm(cred, file, FILE__WRITE);
3800 break;
3801 }
3802 /* fall through */
3803 case F_SETOWN:
3804 case F_SETSIG:
3805 case F_GETFL:
3806 case F_GETOWN:
3807 case F_GETSIG:
3808 case F_GETOWNER_UIDS:
3809 /* Just check FD__USE permission */
3810 err = file_has_perm(cred, file, 0);
3811 break;
3812 case F_GETLK:
3813 case F_SETLK:
3814 case F_SETLKW:
3815 case F_OFD_GETLK:
3816 case F_OFD_SETLK:
3817 case F_OFD_SETLKW:
3818 #if BITS_PER_LONG == 32
3819 case F_GETLK64:
3820 case F_SETLK64:
3821 case F_SETLKW64:
3822 #endif
3823 err = file_has_perm(cred, file, FILE__LOCK);
3824 break;
3825 }
3826
3827 return err;
3828 }
3829
3830 static void selinux_file_set_fowner(struct file *file)
3831 {
3832 struct file_security_struct *fsec;
3833
3834 fsec = file->f_security;
3835 fsec->fown_sid = current_sid();
3836 }
3837
3838 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3839 struct fown_struct *fown, int signum)
3840 {
3841 struct file *file;
3842 u32 sid = task_sid(tsk);
3843 u32 perm;
3844 struct file_security_struct *fsec;
3845
3846 /* struct fown_struct is never outside the context of a struct file */
3847 file = container_of(fown, struct file, f_owner);
3848
3849 fsec = file->f_security;
3850
3851 if (!signum)
3852 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3853 else
3854 perm = signal_to_av(signum);
3855
3856 return avc_has_perm(&selinux_state,
3857 fsec->fown_sid, sid,
3858 SECCLASS_PROCESS, perm, NULL);
3859 }
3860
3861 static int selinux_file_receive(struct file *file)
3862 {
3863 const struct cred *cred = current_cred();
3864
3865 return file_has_perm(cred, file, file_to_av(file));
3866 }
3867
3868 static int selinux_file_open(struct file *file)
3869 {
3870 struct file_security_struct *fsec;
3871 struct inode_security_struct *isec;
3872
3873 fsec = file->f_security;
3874 isec = inode_security(file_inode(file));
3875 /*
3876 * Save inode label and policy sequence number
3877 * at open-time so that selinux_file_permission
3878 * can determine whether revalidation is necessary.
3879 * Task label is already saved in the file security
3880 * struct as its SID.
3881 */
3882 fsec->isid = isec->sid;
3883 fsec->pseqno = avc_policy_seqno(&selinux_state);
3884 /*
3885 * Since the inode label or policy seqno may have changed
3886 * between the selinux_inode_permission check and the saving
3887 * of state above, recheck that access is still permitted.
3888 * Otherwise, access might never be revalidated against the
3889 * new inode label or new policy.
3890 * This check is not redundant - do not remove.
3891 */
3892 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3893 }
3894
3895 /* task security operations */
3896
3897 static int selinux_task_alloc(struct task_struct *task,
3898 unsigned long clone_flags)
3899 {
3900 u32 sid = current_sid();
3901
3902 return avc_has_perm(&selinux_state,
3903 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3904 }
3905
3906 /*
3907 * allocate the SELinux part of blank credentials
3908 */
3909 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3910 {
3911 struct task_security_struct *tsec;
3912
3913 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3914 if (!tsec)
3915 return -ENOMEM;
3916
3917 cred->security = tsec;
3918 return 0;
3919 }
3920
3921 /*
3922 * detach and free the LSM part of a set of credentials
3923 */
3924 static void selinux_cred_free(struct cred *cred)
3925 {
3926 struct task_security_struct *tsec = cred->security;
3927
3928 /*
3929 * cred->security == NULL if security_cred_alloc_blank() or
3930 * security_prepare_creds() returned an error.
3931 */
3932 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3933 cred->security = (void *) 0x7UL;
3934 kfree(tsec);
3935 }
3936
3937 /*
3938 * prepare a new set of credentials for modification
3939 */
3940 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3941 gfp_t gfp)
3942 {
3943 const struct task_security_struct *old_tsec;
3944 struct task_security_struct *tsec;
3945
3946 old_tsec = old->security;
3947
3948 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3949 if (!tsec)
3950 return -ENOMEM;
3951
3952 new->security = tsec;
3953 return 0;
3954 }
3955
3956 /*
3957 * transfer the SELinux data to a blank set of creds
3958 */
3959 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3960 {
3961 const struct task_security_struct *old_tsec = old->security;
3962 struct task_security_struct *tsec = new->security;
3963
3964 *tsec = *old_tsec;
3965 }
3966
3967 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3968 {
3969 *secid = cred_sid(c);
3970 }
3971
3972 /*
3973 * set the security data for a kernel service
3974 * - all the creation contexts are set to unlabelled
3975 */
3976 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3977 {
3978 struct task_security_struct *tsec = new->security;
3979 u32 sid = current_sid();
3980 int ret;
3981
3982 ret = avc_has_perm(&selinux_state,
3983 sid, secid,
3984 SECCLASS_KERNEL_SERVICE,
3985 KERNEL_SERVICE__USE_AS_OVERRIDE,
3986 NULL);
3987 if (ret == 0) {
3988 tsec->sid = secid;
3989 tsec->create_sid = 0;
3990 tsec->keycreate_sid = 0;
3991 tsec->sockcreate_sid = 0;
3992 }
3993 return ret;
3994 }
3995
3996 /*
3997 * set the file creation context in a security record to the same as the
3998 * objective context of the specified inode
3999 */
4000 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4001 {
4002 struct inode_security_struct *isec = inode_security(inode);
4003 struct task_security_struct *tsec = new->security;
4004 u32 sid = current_sid();
4005 int ret;
4006
4007 ret = avc_has_perm(&selinux_state,
4008 sid, isec->sid,
4009 SECCLASS_KERNEL_SERVICE,
4010 KERNEL_SERVICE__CREATE_FILES_AS,
4011 NULL);
4012
4013 if (ret == 0)
4014 tsec->create_sid = isec->sid;
4015 return ret;
4016 }
4017
4018 static int selinux_kernel_module_request(char *kmod_name)
4019 {
4020 struct common_audit_data ad;
4021
4022 ad.type = LSM_AUDIT_DATA_KMOD;
4023 ad.u.kmod_name = kmod_name;
4024
4025 return avc_has_perm(&selinux_state,
4026 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4027 SYSTEM__MODULE_REQUEST, &ad);
4028 }
4029
4030 static int selinux_kernel_module_from_file(struct file *file)
4031 {
4032 struct common_audit_data ad;
4033 struct inode_security_struct *isec;
4034 struct file_security_struct *fsec;
4035 u32 sid = current_sid();
4036 int rc;
4037
4038 /* init_module */
4039 if (file == NULL)
4040 return avc_has_perm(&selinux_state,
4041 sid, sid, SECCLASS_SYSTEM,
4042 SYSTEM__MODULE_LOAD, NULL);
4043
4044 /* finit_module */
4045
4046 ad.type = LSM_AUDIT_DATA_FILE;
4047 ad.u.file = file;
4048
4049 fsec = file->f_security;
4050 if (sid != fsec->sid) {
4051 rc = avc_has_perm(&selinux_state,
4052 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4053 if (rc)
4054 return rc;
4055 }
4056
4057 isec = inode_security(file_inode(file));
4058 return avc_has_perm(&selinux_state,
4059 sid, isec->sid, SECCLASS_SYSTEM,
4060 SYSTEM__MODULE_LOAD, &ad);
4061 }
4062
4063 static int selinux_kernel_read_file(struct file *file,
4064 enum kernel_read_file_id id)
4065 {
4066 int rc = 0;
4067
4068 switch (id) {
4069 case READING_MODULE:
4070 rc = selinux_kernel_module_from_file(file);
4071 break;
4072 default:
4073 break;
4074 }
4075
4076 return rc;
4077 }
4078
4079 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4080 {
4081 int rc = 0;
4082
4083 switch (id) {
4084 case LOADING_MODULE:
4085 rc = selinux_kernel_module_from_file(NULL);
4086 default:
4087 break;
4088 }
4089
4090 return rc;
4091 }
4092
4093 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4094 {
4095 return avc_has_perm(&selinux_state,
4096 current_sid(), task_sid(p), SECCLASS_PROCESS,
4097 PROCESS__SETPGID, NULL);
4098 }
4099
4100 static int selinux_task_getpgid(struct task_struct *p)
4101 {
4102 return avc_has_perm(&selinux_state,
4103 current_sid(), task_sid(p), SECCLASS_PROCESS,
4104 PROCESS__GETPGID, NULL);
4105 }
4106
4107 static int selinux_task_getsid(struct task_struct *p)
4108 {
4109 return avc_has_perm(&selinux_state,
4110 current_sid(), task_sid(p), SECCLASS_PROCESS,
4111 PROCESS__GETSESSION, NULL);
4112 }
4113
4114 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4115 {
4116 *secid = task_sid(p);
4117 }
4118
4119 static int selinux_task_setnice(struct task_struct *p, int nice)
4120 {
4121 return avc_has_perm(&selinux_state,
4122 current_sid(), task_sid(p), SECCLASS_PROCESS,
4123 PROCESS__SETSCHED, NULL);
4124 }
4125
4126 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4127 {
4128 return avc_has_perm(&selinux_state,
4129 current_sid(), task_sid(p), SECCLASS_PROCESS,
4130 PROCESS__SETSCHED, NULL);
4131 }
4132
4133 static int selinux_task_getioprio(struct task_struct *p)
4134 {
4135 return avc_has_perm(&selinux_state,
4136 current_sid(), task_sid(p), SECCLASS_PROCESS,
4137 PROCESS__GETSCHED, NULL);
4138 }
4139
4140 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4141 unsigned int flags)
4142 {
4143 u32 av = 0;
4144
4145 if (!flags)
4146 return 0;
4147 if (flags & LSM_PRLIMIT_WRITE)
4148 av |= PROCESS__SETRLIMIT;
4149 if (flags & LSM_PRLIMIT_READ)
4150 av |= PROCESS__GETRLIMIT;
4151 return avc_has_perm(&selinux_state,
4152 cred_sid(cred), cred_sid(tcred),
4153 SECCLASS_PROCESS, av, NULL);
4154 }
4155
4156 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4157 struct rlimit *new_rlim)
4158 {
4159 struct rlimit *old_rlim = p->signal->rlim + resource;
4160
4161 /* Control the ability to change the hard limit (whether
4162 lowering or raising it), so that the hard limit can
4163 later be used as a safe reset point for the soft limit
4164 upon context transitions. See selinux_bprm_committing_creds. */
4165 if (old_rlim->rlim_max != new_rlim->rlim_max)
4166 return avc_has_perm(&selinux_state,
4167 current_sid(), task_sid(p),
4168 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4169
4170 return 0;
4171 }
4172
4173 static int selinux_task_setscheduler(struct task_struct *p)
4174 {
4175 return avc_has_perm(&selinux_state,
4176 current_sid(), task_sid(p), SECCLASS_PROCESS,
4177 PROCESS__SETSCHED, NULL);
4178 }
4179
4180 static int selinux_task_getscheduler(struct task_struct *p)
4181 {
4182 return avc_has_perm(&selinux_state,
4183 current_sid(), task_sid(p), SECCLASS_PROCESS,
4184 PROCESS__GETSCHED, NULL);
4185 }
4186
4187 static int selinux_task_movememory(struct task_struct *p)
4188 {
4189 return avc_has_perm(&selinux_state,
4190 current_sid(), task_sid(p), SECCLASS_PROCESS,
4191 PROCESS__SETSCHED, NULL);
4192 }
4193
4194 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4195 int sig, const struct cred *cred)
4196 {
4197 u32 secid;
4198 u32 perm;
4199
4200 if (!sig)
4201 perm = PROCESS__SIGNULL; /* null signal; existence test */
4202 else
4203 perm = signal_to_av(sig);
4204 if (!cred)
4205 secid = current_sid();
4206 else
4207 secid = cred_sid(cred);
4208 return avc_has_perm(&selinux_state,
4209 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4210 }
4211
4212 static void selinux_task_to_inode(struct task_struct *p,
4213 struct inode *inode)
4214 {
4215 struct inode_security_struct *isec = inode->i_security;
4216 u32 sid = task_sid(p);
4217
4218 spin_lock(&isec->lock);
4219 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4220 isec->sid = sid;
4221 isec->initialized = LABEL_INITIALIZED;
4222 spin_unlock(&isec->lock);
4223 }
4224
4225 /* Returns error only if unable to parse addresses */
4226 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4227 struct common_audit_data *ad, u8 *proto)
4228 {
4229 int offset, ihlen, ret = -EINVAL;
4230 struct iphdr _iph, *ih;
4231
4232 offset = skb_network_offset(skb);
4233 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4234 if (ih == NULL)
4235 goto out;
4236
4237 ihlen = ih->ihl * 4;
4238 if (ihlen < sizeof(_iph))
4239 goto out;
4240
4241 ad->u.net->v4info.saddr = ih->saddr;
4242 ad->u.net->v4info.daddr = ih->daddr;
4243 ret = 0;
4244
4245 if (proto)
4246 *proto = ih->protocol;
4247
4248 switch (ih->protocol) {
4249 case IPPROTO_TCP: {
4250 struct tcphdr _tcph, *th;
4251
4252 if (ntohs(ih->frag_off) & IP_OFFSET)
4253 break;
4254
4255 offset += ihlen;
4256 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4257 if (th == NULL)
4258 break;
4259
4260 ad->u.net->sport = th->source;
4261 ad->u.net->dport = th->dest;
4262 break;
4263 }
4264
4265 case IPPROTO_UDP: {
4266 struct udphdr _udph, *uh;
4267
4268 if (ntohs(ih->frag_off) & IP_OFFSET)
4269 break;
4270
4271 offset += ihlen;
4272 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4273 if (uh == NULL)
4274 break;
4275
4276 ad->u.net->sport = uh->source;
4277 ad->u.net->dport = uh->dest;
4278 break;
4279 }
4280
4281 case IPPROTO_DCCP: {
4282 struct dccp_hdr _dccph, *dh;
4283
4284 if (ntohs(ih->frag_off) & IP_OFFSET)
4285 break;
4286
4287 offset += ihlen;
4288 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4289 if (dh == NULL)
4290 break;
4291
4292 ad->u.net->sport = dh->dccph_sport;
4293 ad->u.net->dport = dh->dccph_dport;
4294 break;
4295 }
4296
4297 #if IS_ENABLED(CONFIG_IP_SCTP)
4298 case IPPROTO_SCTP: {
4299 struct sctphdr _sctph, *sh;
4300
4301 if (ntohs(ih->frag_off) & IP_OFFSET)
4302 break;
4303
4304 offset += ihlen;
4305 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4306 if (sh == NULL)
4307 break;
4308
4309 ad->u.net->sport = sh->source;
4310 ad->u.net->dport = sh->dest;
4311 break;
4312 }
4313 #endif
4314 default:
4315 break;
4316 }
4317 out:
4318 return ret;
4319 }
4320
4321 #if IS_ENABLED(CONFIG_IPV6)
4322
4323 /* Returns error only if unable to parse addresses */
4324 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4325 struct common_audit_data *ad, u8 *proto)
4326 {
4327 u8 nexthdr;
4328 int ret = -EINVAL, offset;
4329 struct ipv6hdr _ipv6h, *ip6;
4330 __be16 frag_off;
4331
4332 offset = skb_network_offset(skb);
4333 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4334 if (ip6 == NULL)
4335 goto out;
4336
4337 ad->u.net->v6info.saddr = ip6->saddr;
4338 ad->u.net->v6info.daddr = ip6->daddr;
4339 ret = 0;
4340
4341 nexthdr = ip6->nexthdr;
4342 offset += sizeof(_ipv6h);
4343 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4344 if (offset < 0)
4345 goto out;
4346
4347 if (proto)
4348 *proto = nexthdr;
4349
4350 switch (nexthdr) {
4351 case IPPROTO_TCP: {
4352 struct tcphdr _tcph, *th;
4353
4354 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4355 if (th == NULL)
4356 break;
4357
4358 ad->u.net->sport = th->source;
4359 ad->u.net->dport = th->dest;
4360 break;
4361 }
4362
4363 case IPPROTO_UDP: {
4364 struct udphdr _udph, *uh;
4365
4366 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4367 if (uh == NULL)
4368 break;
4369
4370 ad->u.net->sport = uh->source;
4371 ad->u.net->dport = uh->dest;
4372 break;
4373 }
4374
4375 case IPPROTO_DCCP: {
4376 struct dccp_hdr _dccph, *dh;
4377
4378 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4379 if (dh == NULL)
4380 break;
4381
4382 ad->u.net->sport = dh->dccph_sport;
4383 ad->u.net->dport = dh->dccph_dport;
4384 break;
4385 }
4386
4387 #if IS_ENABLED(CONFIG_IP_SCTP)
4388 case IPPROTO_SCTP: {
4389 struct sctphdr _sctph, *sh;
4390
4391 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4392 if (sh == NULL)
4393 break;
4394
4395 ad->u.net->sport = sh->source;
4396 ad->u.net->dport = sh->dest;
4397 break;
4398 }
4399 #endif
4400 /* includes fragments */
4401 default:
4402 break;
4403 }
4404 out:
4405 return ret;
4406 }
4407
4408 #endif /* IPV6 */
4409
4410 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4411 char **_addrp, int src, u8 *proto)
4412 {
4413 char *addrp;
4414 int ret;
4415
4416 switch (ad->u.net->family) {
4417 case PF_INET:
4418 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4419 if (ret)
4420 goto parse_error;
4421 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4422 &ad->u.net->v4info.daddr);
4423 goto okay;
4424
4425 #if IS_ENABLED(CONFIG_IPV6)
4426 case PF_INET6:
4427 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4428 if (ret)
4429 goto parse_error;
4430 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4431 &ad->u.net->v6info.daddr);
4432 goto okay;
4433 #endif /* IPV6 */
4434 default:
4435 addrp = NULL;
4436 goto okay;
4437 }
4438
4439 parse_error:
4440 pr_warn(
4441 "SELinux: failure in selinux_parse_skb(),"
4442 " unable to parse packet\n");
4443 return ret;
4444
4445 okay:
4446 if (_addrp)
4447 *_addrp = addrp;
4448 return 0;
4449 }
4450
4451 /**
4452 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4453 * @skb: the packet
4454 * @family: protocol family
4455 * @sid: the packet's peer label SID
4456 *
4457 * Description:
4458 * Check the various different forms of network peer labeling and determine
4459 * the peer label/SID for the packet; most of the magic actually occurs in
4460 * the security server function security_net_peersid_cmp(). The function
4461 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4462 * or -EACCES if @sid is invalid due to inconsistencies with the different
4463 * peer labels.
4464 *
4465 */
4466 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4467 {
4468 int err;
4469 u32 xfrm_sid;
4470 u32 nlbl_sid;
4471 u32 nlbl_type;
4472
4473 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4474 if (unlikely(err))
4475 return -EACCES;
4476 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4477 if (unlikely(err))
4478 return -EACCES;
4479
4480 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4481 nlbl_type, xfrm_sid, sid);
4482 if (unlikely(err)) {
4483 pr_warn(
4484 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4485 " unable to determine packet's peer label\n");
4486 return -EACCES;
4487 }
4488
4489 return 0;
4490 }
4491
4492 /**
4493 * selinux_conn_sid - Determine the child socket label for a connection
4494 * @sk_sid: the parent socket's SID
4495 * @skb_sid: the packet's SID
4496 * @conn_sid: the resulting connection SID
4497 *
4498 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4499 * combined with the MLS information from @skb_sid in order to create
4500 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4501 * of @sk_sid. Returns zero on success, negative values on failure.
4502 *
4503 */
4504 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4505 {
4506 int err = 0;
4507
4508 if (skb_sid != SECSID_NULL)
4509 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4510 conn_sid);
4511 else
4512 *conn_sid = sk_sid;
4513
4514 return err;
4515 }
4516
4517 /* socket security operations */
4518
4519 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4520 u16 secclass, u32 *socksid)
4521 {
4522 if (tsec->sockcreate_sid > SECSID_NULL) {
4523 *socksid = tsec->sockcreate_sid;
4524 return 0;
4525 }
4526
4527 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4528 secclass, NULL, socksid);
4529 }
4530
4531 static int sock_has_perm(struct sock *sk, u32 perms)
4532 {
4533 struct sk_security_struct *sksec = sk->sk_security;
4534 struct common_audit_data ad;
4535 struct lsm_network_audit net = {0,};
4536
4537 if (sksec->sid == SECINITSID_KERNEL)
4538 return 0;
4539
4540 ad.type = LSM_AUDIT_DATA_NET;
4541 ad.u.net = &net;
4542 ad.u.net->sk = sk;
4543
4544 return avc_has_perm(&selinux_state,
4545 current_sid(), sksec->sid, sksec->sclass, perms,
4546 &ad);
4547 }
4548
4549 static int selinux_socket_create(int family, int type,
4550 int protocol, int kern)
4551 {
4552 const struct task_security_struct *tsec = current_security();
4553 u32 newsid;
4554 u16 secclass;
4555 int rc;
4556
4557 if (kern)
4558 return 0;
4559
4560 secclass = socket_type_to_security_class(family, type, protocol);
4561 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4562 if (rc)
4563 return rc;
4564
4565 return avc_has_perm(&selinux_state,
4566 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4567 }
4568
4569 static int selinux_socket_post_create(struct socket *sock, int family,
4570 int type, int protocol, int kern)
4571 {
4572 const struct task_security_struct *tsec = current_security();
4573 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4574 struct sk_security_struct *sksec;
4575 u16 sclass = socket_type_to_security_class(family, type, protocol);
4576 u32 sid = SECINITSID_KERNEL;
4577 int err = 0;
4578
4579 if (!kern) {
4580 err = socket_sockcreate_sid(tsec, sclass, &sid);
4581 if (err)
4582 return err;
4583 }
4584
4585 isec->sclass = sclass;
4586 isec->sid = sid;
4587 isec->initialized = LABEL_INITIALIZED;
4588
4589 if (sock->sk) {
4590 sksec = sock->sk->sk_security;
4591 sksec->sclass = sclass;
4592 sksec->sid = sid;
4593 /* Allows detection of the first association on this socket */
4594 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4595 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4596
4597 err = selinux_netlbl_socket_post_create(sock->sk, family);
4598 }
4599
4600 return err;
4601 }
4602
4603 static int selinux_socket_socketpair(struct socket *socka,
4604 struct socket *sockb)
4605 {
4606 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4607 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4608
4609 sksec_a->peer_sid = sksec_b->sid;
4610 sksec_b->peer_sid = sksec_a->sid;
4611
4612 return 0;
4613 }
4614
4615 /* Range of port numbers used to automatically bind.
4616 Need to determine whether we should perform a name_bind
4617 permission check between the socket and the port number. */
4618
4619 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4620 {
4621 struct sock *sk = sock->sk;
4622 struct sk_security_struct *sksec = sk->sk_security;
4623 u16 family;
4624 int err;
4625
4626 err = sock_has_perm(sk, SOCKET__BIND);
4627 if (err)
4628 goto out;
4629
4630 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4631 family = sk->sk_family;
4632 if (family == PF_INET || family == PF_INET6) {
4633 char *addrp;
4634 struct common_audit_data ad;
4635 struct lsm_network_audit net = {0,};
4636 struct sockaddr_in *addr4 = NULL;
4637 struct sockaddr_in6 *addr6 = NULL;
4638 u16 family_sa = address->sa_family;
4639 unsigned short snum;
4640 u32 sid, node_perm;
4641
4642 /*
4643 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4644 * that validates multiple binding addresses. Because of this
4645 * need to check address->sa_family as it is possible to have
4646 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4647 */
4648 switch (family_sa) {
4649 case AF_UNSPEC:
4650 case AF_INET:
4651 if (addrlen < sizeof(struct sockaddr_in))
4652 return -EINVAL;
4653 addr4 = (struct sockaddr_in *)address;
4654 if (family_sa == AF_UNSPEC) {
4655 /* see __inet_bind(), we only want to allow
4656 * AF_UNSPEC if the address is INADDR_ANY
4657 */
4658 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4659 goto err_af;
4660 family_sa = AF_INET;
4661 }
4662 snum = ntohs(addr4->sin_port);
4663 addrp = (char *)&addr4->sin_addr.s_addr;
4664 break;
4665 case AF_INET6:
4666 if (addrlen < SIN6_LEN_RFC2133)
4667 return -EINVAL;
4668 addr6 = (struct sockaddr_in6 *)address;
4669 snum = ntohs(addr6->sin6_port);
4670 addrp = (char *)&addr6->sin6_addr.s6_addr;
4671 break;
4672 default:
4673 goto err_af;
4674 }
4675
4676 ad.type = LSM_AUDIT_DATA_NET;
4677 ad.u.net = &net;
4678 ad.u.net->sport = htons(snum);
4679 ad.u.net->family = family_sa;
4680
4681 if (snum) {
4682 int low, high;
4683
4684 inet_get_local_port_range(sock_net(sk), &low, &high);
4685
4686 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4687 snum > high) {
4688 err = sel_netport_sid(sk->sk_protocol,
4689 snum, &sid);
4690 if (err)
4691 goto out;
4692 err = avc_has_perm(&selinux_state,
4693 sksec->sid, sid,
4694 sksec->sclass,
4695 SOCKET__NAME_BIND, &ad);
4696 if (err)
4697 goto out;
4698 }
4699 }
4700
4701 switch (sksec->sclass) {
4702 case SECCLASS_TCP_SOCKET:
4703 node_perm = TCP_SOCKET__NODE_BIND;
4704 break;
4705
4706 case SECCLASS_UDP_SOCKET:
4707 node_perm = UDP_SOCKET__NODE_BIND;
4708 break;
4709
4710 case SECCLASS_DCCP_SOCKET:
4711 node_perm = DCCP_SOCKET__NODE_BIND;
4712 break;
4713
4714 case SECCLASS_SCTP_SOCKET:
4715 node_perm = SCTP_SOCKET__NODE_BIND;
4716 break;
4717
4718 default:
4719 node_perm = RAWIP_SOCKET__NODE_BIND;
4720 break;
4721 }
4722
4723 err = sel_netnode_sid(addrp, family_sa, &sid);
4724 if (err)
4725 goto out;
4726
4727 if (family_sa == AF_INET)
4728 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4729 else
4730 ad.u.net->v6info.saddr = addr6->sin6_addr;
4731
4732 err = avc_has_perm(&selinux_state,
4733 sksec->sid, sid,
4734 sksec->sclass, node_perm, &ad);
4735 if (err)
4736 goto out;
4737 }
4738 out:
4739 return err;
4740 err_af:
4741 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4742 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4743 return -EINVAL;
4744 return -EAFNOSUPPORT;
4745 }
4746
4747 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4748 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4749 */
4750 static int selinux_socket_connect_helper(struct socket *sock,
4751 struct sockaddr *address, int addrlen)
4752 {
4753 struct sock *sk = sock->sk;
4754 struct sk_security_struct *sksec = sk->sk_security;
4755 int err;
4756
4757 err = sock_has_perm(sk, SOCKET__CONNECT);
4758 if (err)
4759 return err;
4760
4761 /*
4762 * If a TCP, DCCP or SCTP socket, check name_connect permission
4763 * for the port.
4764 */
4765 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4766 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4767 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4768 struct common_audit_data ad;
4769 struct lsm_network_audit net = {0,};
4770 struct sockaddr_in *addr4 = NULL;
4771 struct sockaddr_in6 *addr6 = NULL;
4772 unsigned short snum;
4773 u32 sid, perm;
4774
4775 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4776 * that validates multiple connect addresses. Because of this
4777 * need to check address->sa_family as it is possible to have
4778 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4779 */
4780 switch (address->sa_family) {
4781 case AF_INET:
4782 addr4 = (struct sockaddr_in *)address;
4783 if (addrlen < sizeof(struct sockaddr_in))
4784 return -EINVAL;
4785 snum = ntohs(addr4->sin_port);
4786 break;
4787 case AF_INET6:
4788 addr6 = (struct sockaddr_in6 *)address;
4789 if (addrlen < SIN6_LEN_RFC2133)
4790 return -EINVAL;
4791 snum = ntohs(addr6->sin6_port);
4792 break;
4793 default:
4794 /* Note that SCTP services expect -EINVAL, whereas
4795 * others expect -EAFNOSUPPORT.
4796 */
4797 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4798 return -EINVAL;
4799 else
4800 return -EAFNOSUPPORT;
4801 }
4802
4803 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4804 if (err)
4805 return err;
4806
4807 switch (sksec->sclass) {
4808 case SECCLASS_TCP_SOCKET:
4809 perm = TCP_SOCKET__NAME_CONNECT;
4810 break;
4811 case SECCLASS_DCCP_SOCKET:
4812 perm = DCCP_SOCKET__NAME_CONNECT;
4813 break;
4814 case SECCLASS_SCTP_SOCKET:
4815 perm = SCTP_SOCKET__NAME_CONNECT;
4816 break;
4817 }
4818
4819 ad.type = LSM_AUDIT_DATA_NET;
4820 ad.u.net = &net;
4821 ad.u.net->dport = htons(snum);
4822 ad.u.net->family = address->sa_family;
4823 err = avc_has_perm(&selinux_state,
4824 sksec->sid, sid, sksec->sclass, perm, &ad);
4825 if (err)
4826 return err;
4827 }
4828
4829 return 0;
4830 }
4831
4832 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4833 static int selinux_socket_connect(struct socket *sock,
4834 struct sockaddr *address, int addrlen)
4835 {
4836 int err;
4837 struct sock *sk = sock->sk;
4838
4839 err = selinux_socket_connect_helper(sock, address, addrlen);
4840 if (err)
4841 return err;
4842
4843 return selinux_netlbl_socket_connect(sk, address);
4844 }
4845
4846 static int selinux_socket_listen(struct socket *sock, int backlog)
4847 {
4848 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4849 }
4850
4851 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4852 {
4853 int err;
4854 struct inode_security_struct *isec;
4855 struct inode_security_struct *newisec;
4856 u16 sclass;
4857 u32 sid;
4858
4859 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4860 if (err)
4861 return err;
4862
4863 isec = inode_security_novalidate(SOCK_INODE(sock));
4864 spin_lock(&isec->lock);
4865 sclass = isec->sclass;
4866 sid = isec->sid;
4867 spin_unlock(&isec->lock);
4868
4869 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4870 newisec->sclass = sclass;
4871 newisec->sid = sid;
4872 newisec->initialized = LABEL_INITIALIZED;
4873
4874 return 0;
4875 }
4876
4877 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4878 int size)
4879 {
4880 return sock_has_perm(sock->sk, SOCKET__WRITE);
4881 }
4882
4883 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4884 int size, int flags)
4885 {
4886 return sock_has_perm(sock->sk, SOCKET__READ);
4887 }
4888
4889 static int selinux_socket_getsockname(struct socket *sock)
4890 {
4891 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4892 }
4893
4894 static int selinux_socket_getpeername(struct socket *sock)
4895 {
4896 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4897 }
4898
4899 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4900 {
4901 int err;
4902
4903 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4904 if (err)
4905 return err;
4906
4907 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4908 }
4909
4910 static int selinux_socket_getsockopt(struct socket *sock, int level,
4911 int optname)
4912 {
4913 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4914 }
4915
4916 static int selinux_socket_shutdown(struct socket *sock, int how)
4917 {
4918 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4919 }
4920
4921 static int selinux_socket_unix_stream_connect(struct sock *sock,
4922 struct sock *other,
4923 struct sock *newsk)
4924 {
4925 struct sk_security_struct *sksec_sock = sock->sk_security;
4926 struct sk_security_struct *sksec_other = other->sk_security;
4927 struct sk_security_struct *sksec_new = newsk->sk_security;
4928 struct common_audit_data ad;
4929 struct lsm_network_audit net = {0,};
4930 int err;
4931
4932 ad.type = LSM_AUDIT_DATA_NET;
4933 ad.u.net = &net;
4934 ad.u.net->sk = other;
4935
4936 err = avc_has_perm(&selinux_state,
4937 sksec_sock->sid, sksec_other->sid,
4938 sksec_other->sclass,
4939 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4940 if (err)
4941 return err;
4942
4943 /* server child socket */
4944 sksec_new->peer_sid = sksec_sock->sid;
4945 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4946 sksec_sock->sid, &sksec_new->sid);
4947 if (err)
4948 return err;
4949
4950 /* connecting socket */
4951 sksec_sock->peer_sid = sksec_new->sid;
4952
4953 return 0;
4954 }
4955
4956 static int selinux_socket_unix_may_send(struct socket *sock,
4957 struct socket *other)
4958 {
4959 struct sk_security_struct *ssec = sock->sk->sk_security;
4960 struct sk_security_struct *osec = other->sk->sk_security;
4961 struct common_audit_data ad;
4962 struct lsm_network_audit net = {0,};
4963
4964 ad.type = LSM_AUDIT_DATA_NET;
4965 ad.u.net = &net;
4966 ad.u.net->sk = other->sk;
4967
4968 return avc_has_perm(&selinux_state,
4969 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4970 &ad);
4971 }
4972
4973 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4974 char *addrp, u16 family, u32 peer_sid,
4975 struct common_audit_data *ad)
4976 {
4977 int err;
4978 u32 if_sid;
4979 u32 node_sid;
4980
4981 err = sel_netif_sid(ns, ifindex, &if_sid);
4982 if (err)
4983 return err;
4984 err = avc_has_perm(&selinux_state,
4985 peer_sid, if_sid,
4986 SECCLASS_NETIF, NETIF__INGRESS, ad);
4987 if (err)
4988 return err;
4989
4990 err = sel_netnode_sid(addrp, family, &node_sid);
4991 if (err)
4992 return err;
4993 return avc_has_perm(&selinux_state,
4994 peer_sid, node_sid,
4995 SECCLASS_NODE, NODE__RECVFROM, ad);
4996 }
4997
4998 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4999 u16 family)
5000 {
5001 int err = 0;
5002 struct sk_security_struct *sksec = sk->sk_security;
5003 u32 sk_sid = sksec->sid;
5004 struct common_audit_data ad;
5005 struct lsm_network_audit net = {0,};
5006 char *addrp;
5007
5008 ad.type = LSM_AUDIT_DATA_NET;
5009 ad.u.net = &net;
5010 ad.u.net->netif = skb->skb_iif;
5011 ad.u.net->family = family;
5012 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5013 if (err)
5014 return err;
5015
5016 if (selinux_secmark_enabled()) {
5017 err = avc_has_perm(&selinux_state,
5018 sk_sid, skb->secmark, SECCLASS_PACKET,
5019 PACKET__RECV, &ad);
5020 if (err)
5021 return err;
5022 }
5023
5024 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5025 if (err)
5026 return err;
5027 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5028
5029 return err;
5030 }
5031
5032 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5033 {
5034 int err;
5035 struct sk_security_struct *sksec = sk->sk_security;
5036 u16 family = sk->sk_family;
5037 u32 sk_sid = sksec->sid;
5038 struct common_audit_data ad;
5039 struct lsm_network_audit net = {0,};
5040 char *addrp;
5041 u8 secmark_active;
5042 u8 peerlbl_active;
5043
5044 if (family != PF_INET && family != PF_INET6)
5045 return 0;
5046
5047 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5048 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5049 family = PF_INET;
5050
5051 /* If any sort of compatibility mode is enabled then handoff processing
5052 * to the selinux_sock_rcv_skb_compat() function to deal with the
5053 * special handling. We do this in an attempt to keep this function
5054 * as fast and as clean as possible. */
5055 if (!selinux_policycap_netpeer())
5056 return selinux_sock_rcv_skb_compat(sk, skb, family);
5057
5058 secmark_active = selinux_secmark_enabled();
5059 peerlbl_active = selinux_peerlbl_enabled();
5060 if (!secmark_active && !peerlbl_active)
5061 return 0;
5062
5063 ad.type = LSM_AUDIT_DATA_NET;
5064 ad.u.net = &net;
5065 ad.u.net->netif = skb->skb_iif;
5066 ad.u.net->family = family;
5067 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5068 if (err)
5069 return err;
5070
5071 if (peerlbl_active) {
5072 u32 peer_sid;
5073
5074 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5075 if (err)
5076 return err;
5077 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5078 addrp, family, peer_sid, &ad);
5079 if (err) {
5080 selinux_netlbl_err(skb, family, err, 0);
5081 return err;
5082 }
5083 err = avc_has_perm(&selinux_state,
5084 sk_sid, peer_sid, SECCLASS_PEER,
5085 PEER__RECV, &ad);
5086 if (err) {
5087 selinux_netlbl_err(skb, family, err, 0);
5088 return err;
5089 }
5090 }
5091
5092 if (secmark_active) {
5093 err = avc_has_perm(&selinux_state,
5094 sk_sid, skb->secmark, SECCLASS_PACKET,
5095 PACKET__RECV, &ad);
5096 if (err)
5097 return err;
5098 }
5099
5100 return err;
5101 }
5102
5103 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5104 int __user *optlen, unsigned len)
5105 {
5106 int err = 0;
5107 char *scontext;
5108 u32 scontext_len;
5109 struct sk_security_struct *sksec = sock->sk->sk_security;
5110 u32 peer_sid = SECSID_NULL;
5111
5112 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5113 sksec->sclass == SECCLASS_TCP_SOCKET ||
5114 sksec->sclass == SECCLASS_SCTP_SOCKET)
5115 peer_sid = sksec->peer_sid;
5116 if (peer_sid == SECSID_NULL)
5117 return -ENOPROTOOPT;
5118
5119 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5120 &scontext_len);
5121 if (err)
5122 return err;
5123
5124 if (scontext_len > len) {
5125 err = -ERANGE;
5126 goto out_len;
5127 }
5128
5129 if (copy_to_user(optval, scontext, scontext_len))
5130 err = -EFAULT;
5131
5132 out_len:
5133 if (put_user(scontext_len, optlen))
5134 err = -EFAULT;
5135 kfree(scontext);
5136 return err;
5137 }
5138
5139 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5140 {
5141 u32 peer_secid = SECSID_NULL;
5142 u16 family;
5143 struct inode_security_struct *isec;
5144
5145 if (skb && skb->protocol == htons(ETH_P_IP))
5146 family = PF_INET;
5147 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5148 family = PF_INET6;
5149 else if (sock)
5150 family = sock->sk->sk_family;
5151 else
5152 goto out;
5153
5154 if (sock && family == PF_UNIX) {
5155 isec = inode_security_novalidate(SOCK_INODE(sock));
5156 peer_secid = isec->sid;
5157 } else if (skb)
5158 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5159
5160 out:
5161 *secid = peer_secid;
5162 if (peer_secid == SECSID_NULL)
5163 return -EINVAL;
5164 return 0;
5165 }
5166
5167 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5168 {
5169 struct sk_security_struct *sksec;
5170
5171 sksec = kzalloc(sizeof(*sksec), priority);
5172 if (!sksec)
5173 return -ENOMEM;
5174
5175 sksec->peer_sid = SECINITSID_UNLABELED;
5176 sksec->sid = SECINITSID_UNLABELED;
5177 sksec->sclass = SECCLASS_SOCKET;
5178 selinux_netlbl_sk_security_reset(sksec);
5179 sk->sk_security = sksec;
5180
5181 return 0;
5182 }
5183
5184 static void selinux_sk_free_security(struct sock *sk)
5185 {
5186 struct sk_security_struct *sksec = sk->sk_security;
5187
5188 sk->sk_security = NULL;
5189 selinux_netlbl_sk_security_free(sksec);
5190 kfree(sksec);
5191 }
5192
5193 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5194 {
5195 struct sk_security_struct *sksec = sk->sk_security;
5196 struct sk_security_struct *newsksec = newsk->sk_security;
5197
5198 newsksec->sid = sksec->sid;
5199 newsksec->peer_sid = sksec->peer_sid;
5200 newsksec->sclass = sksec->sclass;
5201
5202 selinux_netlbl_sk_security_reset(newsksec);
5203 }
5204
5205 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5206 {
5207 if (!sk)
5208 *secid = SECINITSID_ANY_SOCKET;
5209 else {
5210 struct sk_security_struct *sksec = sk->sk_security;
5211
5212 *secid = sksec->sid;
5213 }
5214 }
5215
5216 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5217 {
5218 struct inode_security_struct *isec =
5219 inode_security_novalidate(SOCK_INODE(parent));
5220 struct sk_security_struct *sksec = sk->sk_security;
5221
5222 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5223 sk->sk_family == PF_UNIX)
5224 isec->sid = sksec->sid;
5225 sksec->sclass = isec->sclass;
5226 }
5227
5228 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5229 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5230 * already present).
5231 */
5232 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5233 struct sk_buff *skb)
5234 {
5235 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5236 struct common_audit_data ad;
5237 struct lsm_network_audit net = {0,};
5238 u8 peerlbl_active;
5239 u32 peer_sid = SECINITSID_UNLABELED;
5240 u32 conn_sid;
5241 int err = 0;
5242
5243 if (!selinux_policycap_extsockclass())
5244 return 0;
5245
5246 peerlbl_active = selinux_peerlbl_enabled();
5247
5248 if (peerlbl_active) {
5249 /* This will return peer_sid = SECSID_NULL if there are
5250 * no peer labels, see security_net_peersid_resolve().
5251 */
5252 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5253 &peer_sid);
5254 if (err)
5255 return err;
5256
5257 if (peer_sid == SECSID_NULL)
5258 peer_sid = SECINITSID_UNLABELED;
5259 }
5260
5261 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5262 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5263
5264 /* Here as first association on socket. As the peer SID
5265 * was allowed by peer recv (and the netif/node checks),
5266 * then it is approved by policy and used as the primary
5267 * peer SID for getpeercon(3).
5268 */
5269 sksec->peer_sid = peer_sid;
5270 } else if (sksec->peer_sid != peer_sid) {
5271 /* Other association peer SIDs are checked to enforce
5272 * consistency among the peer SIDs.
5273 */
5274 ad.type = LSM_AUDIT_DATA_NET;
5275 ad.u.net = &net;
5276 ad.u.net->sk = ep->base.sk;
5277 err = avc_has_perm(&selinux_state,
5278 sksec->peer_sid, peer_sid, sksec->sclass,
5279 SCTP_SOCKET__ASSOCIATION, &ad);
5280 if (err)
5281 return err;
5282 }
5283
5284 /* Compute the MLS component for the connection and store
5285 * the information in ep. This will be used by SCTP TCP type
5286 * sockets and peeled off connections as they cause a new
5287 * socket to be generated. selinux_sctp_sk_clone() will then
5288 * plug this into the new socket.
5289 */
5290 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5291 if (err)
5292 return err;
5293
5294 ep->secid = conn_sid;
5295 ep->peer_secid = peer_sid;
5296
5297 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5298 return selinux_netlbl_sctp_assoc_request(ep, skb);
5299 }
5300
5301 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5302 * based on their @optname.
5303 */
5304 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5305 struct sockaddr *address,
5306 int addrlen)
5307 {
5308 int len, err = 0, walk_size = 0;
5309 void *addr_buf;
5310 struct sockaddr *addr;
5311 struct socket *sock;
5312
5313 if (!selinux_policycap_extsockclass())
5314 return 0;
5315
5316 /* Process one or more addresses that may be IPv4 or IPv6 */
5317 sock = sk->sk_socket;
5318 addr_buf = address;
5319
5320 while (walk_size < addrlen) {
5321 addr = addr_buf;
5322 switch (addr->sa_family) {
5323 case AF_UNSPEC:
5324 case AF_INET:
5325 len = sizeof(struct sockaddr_in);
5326 break;
5327 case AF_INET6:
5328 len = sizeof(struct sockaddr_in6);
5329 break;
5330 default:
5331 return -EINVAL;
5332 }
5333
5334 err = -EINVAL;
5335 switch (optname) {
5336 /* Bind checks */
5337 case SCTP_PRIMARY_ADDR:
5338 case SCTP_SET_PEER_PRIMARY_ADDR:
5339 case SCTP_SOCKOPT_BINDX_ADD:
5340 err = selinux_socket_bind(sock, addr, len);
5341 break;
5342 /* Connect checks */
5343 case SCTP_SOCKOPT_CONNECTX:
5344 case SCTP_PARAM_SET_PRIMARY:
5345 case SCTP_PARAM_ADD_IP:
5346 case SCTP_SENDMSG_CONNECT:
5347 err = selinux_socket_connect_helper(sock, addr, len);
5348 if (err)
5349 return err;
5350
5351 /* As selinux_sctp_bind_connect() is called by the
5352 * SCTP protocol layer, the socket is already locked,
5353 * therefore selinux_netlbl_socket_connect_locked() is
5354 * is called here. The situations handled are:
5355 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5356 * whenever a new IP address is added or when a new
5357 * primary address is selected.
5358 * Note that an SCTP connect(2) call happens before
5359 * the SCTP protocol layer and is handled via
5360 * selinux_socket_connect().
5361 */
5362 err = selinux_netlbl_socket_connect_locked(sk, addr);
5363 break;
5364 }
5365
5366 if (err)
5367 return err;
5368
5369 addr_buf += len;
5370 walk_size += len;
5371 }
5372
5373 return 0;
5374 }
5375
5376 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5377 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5378 struct sock *newsk)
5379 {
5380 struct sk_security_struct *sksec = sk->sk_security;
5381 struct sk_security_struct *newsksec = newsk->sk_security;
5382
5383 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5384 * the non-sctp clone version.
5385 */
5386 if (!selinux_policycap_extsockclass())
5387 return selinux_sk_clone_security(sk, newsk);
5388
5389 newsksec->sid = ep->secid;
5390 newsksec->peer_sid = ep->peer_secid;
5391 newsksec->sclass = sksec->sclass;
5392 selinux_netlbl_sctp_sk_clone(sk, newsk);
5393 }
5394
5395 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5396 struct request_sock *req)
5397 {
5398 struct sk_security_struct *sksec = sk->sk_security;
5399 int err;
5400 u16 family = req->rsk_ops->family;
5401 u32 connsid;
5402 u32 peersid;
5403
5404 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5405 if (err)
5406 return err;
5407 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5408 if (err)
5409 return err;
5410 req->secid = connsid;
5411 req->peer_secid = peersid;
5412
5413 return selinux_netlbl_inet_conn_request(req, family);
5414 }
5415
5416 static void selinux_inet_csk_clone(struct sock *newsk,
5417 const struct request_sock *req)
5418 {
5419 struct sk_security_struct *newsksec = newsk->sk_security;
5420
5421 newsksec->sid = req->secid;
5422 newsksec->peer_sid = req->peer_secid;
5423 /* NOTE: Ideally, we should also get the isec->sid for the
5424 new socket in sync, but we don't have the isec available yet.
5425 So we will wait until sock_graft to do it, by which
5426 time it will have been created and available. */
5427
5428 /* We don't need to take any sort of lock here as we are the only
5429 * thread with access to newsksec */
5430 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5431 }
5432
5433 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5434 {
5435 u16 family = sk->sk_family;
5436 struct sk_security_struct *sksec = sk->sk_security;
5437
5438 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5439 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5440 family = PF_INET;
5441
5442 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5443 }
5444
5445 static int selinux_secmark_relabel_packet(u32 sid)
5446 {
5447 const struct task_security_struct *__tsec;
5448 u32 tsid;
5449
5450 __tsec = current_security();
5451 tsid = __tsec->sid;
5452
5453 return avc_has_perm(&selinux_state,
5454 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5455 NULL);
5456 }
5457
5458 static void selinux_secmark_refcount_inc(void)
5459 {
5460 atomic_inc(&selinux_secmark_refcount);
5461 }
5462
5463 static void selinux_secmark_refcount_dec(void)
5464 {
5465 atomic_dec(&selinux_secmark_refcount);
5466 }
5467
5468 static void selinux_req_classify_flow(const struct request_sock *req,
5469 struct flowi *fl)
5470 {
5471 fl->flowi_secid = req->secid;
5472 }
5473
5474 static int selinux_tun_dev_alloc_security(void **security)
5475 {
5476 struct tun_security_struct *tunsec;
5477
5478 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5479 if (!tunsec)
5480 return -ENOMEM;
5481 tunsec->sid = current_sid();
5482
5483 *security = tunsec;
5484 return 0;
5485 }
5486
5487 static void selinux_tun_dev_free_security(void *security)
5488 {
5489 kfree(security);
5490 }
5491
5492 static int selinux_tun_dev_create(void)
5493 {
5494 u32 sid = current_sid();
5495
5496 /* we aren't taking into account the "sockcreate" SID since the socket
5497 * that is being created here is not a socket in the traditional sense,
5498 * instead it is a private sock, accessible only to the kernel, and
5499 * representing a wide range of network traffic spanning multiple
5500 * connections unlike traditional sockets - check the TUN driver to
5501 * get a better understanding of why this socket is special */
5502
5503 return avc_has_perm(&selinux_state,
5504 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5505 NULL);
5506 }
5507
5508 static int selinux_tun_dev_attach_queue(void *security)
5509 {
5510 struct tun_security_struct *tunsec = security;
5511
5512 return avc_has_perm(&selinux_state,
5513 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5514 TUN_SOCKET__ATTACH_QUEUE, NULL);
5515 }
5516
5517 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5518 {
5519 struct tun_security_struct *tunsec = security;
5520 struct sk_security_struct *sksec = sk->sk_security;
5521
5522 /* we don't currently perform any NetLabel based labeling here and it
5523 * isn't clear that we would want to do so anyway; while we could apply
5524 * labeling without the support of the TUN user the resulting labeled
5525 * traffic from the other end of the connection would almost certainly
5526 * cause confusion to the TUN user that had no idea network labeling
5527 * protocols were being used */
5528
5529 sksec->sid = tunsec->sid;
5530 sksec->sclass = SECCLASS_TUN_SOCKET;
5531
5532 return 0;
5533 }
5534
5535 static int selinux_tun_dev_open(void *security)
5536 {
5537 struct tun_security_struct *tunsec = security;
5538 u32 sid = current_sid();
5539 int err;
5540
5541 err = avc_has_perm(&selinux_state,
5542 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5543 TUN_SOCKET__RELABELFROM, NULL);
5544 if (err)
5545 return err;
5546 err = avc_has_perm(&selinux_state,
5547 sid, sid, SECCLASS_TUN_SOCKET,
5548 TUN_SOCKET__RELABELTO, NULL);
5549 if (err)
5550 return err;
5551 tunsec->sid = sid;
5552
5553 return 0;
5554 }
5555
5556 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5557 {
5558 int err = 0;
5559 u32 perm;
5560 struct nlmsghdr *nlh;
5561 struct sk_security_struct *sksec = sk->sk_security;
5562
5563 if (skb->len < NLMSG_HDRLEN) {
5564 err = -EINVAL;
5565 goto out;
5566 }
5567 nlh = nlmsg_hdr(skb);
5568
5569 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5570 if (err) {
5571 if (err == -EINVAL) {
5572 pr_warn_ratelimited("SELinux: unrecognized netlink"
5573 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5574 " pig=%d comm=%s\n",
5575 sk->sk_protocol, nlh->nlmsg_type,
5576 secclass_map[sksec->sclass - 1].name,
5577 task_pid_nr(current), current->comm);
5578 if (!enforcing_enabled(&selinux_state) ||
5579 security_get_allow_unknown(&selinux_state))
5580 err = 0;
5581 }
5582
5583 /* Ignore */
5584 if (err == -ENOENT)
5585 err = 0;
5586 goto out;
5587 }
5588
5589 err = sock_has_perm(sk, perm);
5590 out:
5591 return err;
5592 }
5593
5594 #ifdef CONFIG_NETFILTER
5595
5596 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5597 const struct net_device *indev,
5598 u16 family)
5599 {
5600 int err;
5601 char *addrp;
5602 u32 peer_sid;
5603 struct common_audit_data ad;
5604 struct lsm_network_audit net = {0,};
5605 u8 secmark_active;
5606 u8 netlbl_active;
5607 u8 peerlbl_active;
5608
5609 if (!selinux_policycap_netpeer())
5610 return NF_ACCEPT;
5611
5612 secmark_active = selinux_secmark_enabled();
5613 netlbl_active = netlbl_enabled();
5614 peerlbl_active = selinux_peerlbl_enabled();
5615 if (!secmark_active && !peerlbl_active)
5616 return NF_ACCEPT;
5617
5618 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5619 return NF_DROP;
5620
5621 ad.type = LSM_AUDIT_DATA_NET;
5622 ad.u.net = &net;
5623 ad.u.net->netif = indev->ifindex;
5624 ad.u.net->family = family;
5625 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5626 return NF_DROP;
5627
5628 if (peerlbl_active) {
5629 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5630 addrp, family, peer_sid, &ad);
5631 if (err) {
5632 selinux_netlbl_err(skb, family, err, 1);
5633 return NF_DROP;
5634 }
5635 }
5636
5637 if (secmark_active)
5638 if (avc_has_perm(&selinux_state,
5639 peer_sid, skb->secmark,
5640 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5641 return NF_DROP;
5642
5643 if (netlbl_active)
5644 /* we do this in the FORWARD path and not the POST_ROUTING
5645 * path because we want to make sure we apply the necessary
5646 * labeling before IPsec is applied so we can leverage AH
5647 * protection */
5648 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5649 return NF_DROP;
5650
5651 return NF_ACCEPT;
5652 }
5653
5654 static unsigned int selinux_ipv4_forward(void *priv,
5655 struct sk_buff *skb,
5656 const struct nf_hook_state *state)
5657 {
5658 return selinux_ip_forward(skb, state->in, PF_INET);
5659 }
5660
5661 #if IS_ENABLED(CONFIG_IPV6)
5662 static unsigned int selinux_ipv6_forward(void *priv,
5663 struct sk_buff *skb,
5664 const struct nf_hook_state *state)
5665 {
5666 return selinux_ip_forward(skb, state->in, PF_INET6);
5667 }
5668 #endif /* IPV6 */
5669
5670 static unsigned int selinux_ip_output(struct sk_buff *skb,
5671 u16 family)
5672 {
5673 struct sock *sk;
5674 u32 sid;
5675
5676 if (!netlbl_enabled())
5677 return NF_ACCEPT;
5678
5679 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5680 * because we want to make sure we apply the necessary labeling
5681 * before IPsec is applied so we can leverage AH protection */
5682 sk = skb->sk;
5683 if (sk) {
5684 struct sk_security_struct *sksec;
5685
5686 if (sk_listener(sk))
5687 /* if the socket is the listening state then this
5688 * packet is a SYN-ACK packet which means it needs to
5689 * be labeled based on the connection/request_sock and
5690 * not the parent socket. unfortunately, we can't
5691 * lookup the request_sock yet as it isn't queued on
5692 * the parent socket until after the SYN-ACK is sent.
5693 * the "solution" is to simply pass the packet as-is
5694 * as any IP option based labeling should be copied
5695 * from the initial connection request (in the IP
5696 * layer). it is far from ideal, but until we get a
5697 * security label in the packet itself this is the
5698 * best we can do. */
5699 return NF_ACCEPT;
5700
5701 /* standard practice, label using the parent socket */
5702 sksec = sk->sk_security;
5703 sid = sksec->sid;
5704 } else
5705 sid = SECINITSID_KERNEL;
5706 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5707 return NF_DROP;
5708
5709 return NF_ACCEPT;
5710 }
5711
5712 static unsigned int selinux_ipv4_output(void *priv,
5713 struct sk_buff *skb,
5714 const struct nf_hook_state *state)
5715 {
5716 return selinux_ip_output(skb, PF_INET);
5717 }
5718
5719 #if IS_ENABLED(CONFIG_IPV6)
5720 static unsigned int selinux_ipv6_output(void *priv,
5721 struct sk_buff *skb,
5722 const struct nf_hook_state *state)
5723 {
5724 return selinux_ip_output(skb, PF_INET6);
5725 }
5726 #endif /* IPV6 */
5727
5728 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5729 int ifindex,
5730 u16 family)
5731 {
5732 struct sock *sk = skb_to_full_sk(skb);
5733 struct sk_security_struct *sksec;
5734 struct common_audit_data ad;
5735 struct lsm_network_audit net = {0,};
5736 char *addrp;
5737 u8 proto;
5738
5739 if (sk == NULL)
5740 return NF_ACCEPT;
5741 sksec = sk->sk_security;
5742
5743 ad.type = LSM_AUDIT_DATA_NET;
5744 ad.u.net = &net;
5745 ad.u.net->netif = ifindex;
5746 ad.u.net->family = family;
5747 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5748 return NF_DROP;
5749
5750 if (selinux_secmark_enabled())
5751 if (avc_has_perm(&selinux_state,
5752 sksec->sid, skb->secmark,
5753 SECCLASS_PACKET, PACKET__SEND, &ad))
5754 return NF_DROP_ERR(-ECONNREFUSED);
5755
5756 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5757 return NF_DROP_ERR(-ECONNREFUSED);
5758
5759 return NF_ACCEPT;
5760 }
5761
5762 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5763 const struct net_device *outdev,
5764 u16 family)
5765 {
5766 u32 secmark_perm;
5767 u32 peer_sid;
5768 int ifindex = outdev->ifindex;
5769 struct sock *sk;
5770 struct common_audit_data ad;
5771 struct lsm_network_audit net = {0,};
5772 char *addrp;
5773 u8 secmark_active;
5774 u8 peerlbl_active;
5775
5776 /* If any sort of compatibility mode is enabled then handoff processing
5777 * to the selinux_ip_postroute_compat() function to deal with the
5778 * special handling. We do this in an attempt to keep this function
5779 * as fast and as clean as possible. */
5780 if (!selinux_policycap_netpeer())
5781 return selinux_ip_postroute_compat(skb, ifindex, family);
5782
5783 secmark_active = selinux_secmark_enabled();
5784 peerlbl_active = selinux_peerlbl_enabled();
5785 if (!secmark_active && !peerlbl_active)
5786 return NF_ACCEPT;
5787
5788 sk = skb_to_full_sk(skb);
5789
5790 #ifdef CONFIG_XFRM
5791 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5792 * packet transformation so allow the packet to pass without any checks
5793 * since we'll have another chance to perform access control checks
5794 * when the packet is on it's final way out.
5795 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5796 * is NULL, in this case go ahead and apply access control.
5797 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5798 * TCP listening state we cannot wait until the XFRM processing
5799 * is done as we will miss out on the SA label if we do;
5800 * unfortunately, this means more work, but it is only once per
5801 * connection. */
5802 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5803 !(sk && sk_listener(sk)))
5804 return NF_ACCEPT;
5805 #endif
5806
5807 if (sk == NULL) {
5808 /* Without an associated socket the packet is either coming
5809 * from the kernel or it is being forwarded; check the packet
5810 * to determine which and if the packet is being forwarded
5811 * query the packet directly to determine the security label. */
5812 if (skb->skb_iif) {
5813 secmark_perm = PACKET__FORWARD_OUT;
5814 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5815 return NF_DROP;
5816 } else {
5817 secmark_perm = PACKET__SEND;
5818 peer_sid = SECINITSID_KERNEL;
5819 }
5820 } else if (sk_listener(sk)) {
5821 /* Locally generated packet but the associated socket is in the
5822 * listening state which means this is a SYN-ACK packet. In
5823 * this particular case the correct security label is assigned
5824 * to the connection/request_sock but unfortunately we can't
5825 * query the request_sock as it isn't queued on the parent
5826 * socket until after the SYN-ACK packet is sent; the only
5827 * viable choice is to regenerate the label like we do in
5828 * selinux_inet_conn_request(). See also selinux_ip_output()
5829 * for similar problems. */
5830 u32 skb_sid;
5831 struct sk_security_struct *sksec;
5832
5833 sksec = sk->sk_security;
5834 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5835 return NF_DROP;
5836 /* At this point, if the returned skb peerlbl is SECSID_NULL
5837 * and the packet has been through at least one XFRM
5838 * transformation then we must be dealing with the "final"
5839 * form of labeled IPsec packet; since we've already applied
5840 * all of our access controls on this packet we can safely
5841 * pass the packet. */
5842 if (skb_sid == SECSID_NULL) {
5843 switch (family) {
5844 case PF_INET:
5845 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5846 return NF_ACCEPT;
5847 break;
5848 case PF_INET6:
5849 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5850 return NF_ACCEPT;
5851 break;
5852 default:
5853 return NF_DROP_ERR(-ECONNREFUSED);
5854 }
5855 }
5856 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5857 return NF_DROP;
5858 secmark_perm = PACKET__SEND;
5859 } else {
5860 /* Locally generated packet, fetch the security label from the
5861 * associated socket. */
5862 struct sk_security_struct *sksec = sk->sk_security;
5863 peer_sid = sksec->sid;
5864 secmark_perm = PACKET__SEND;
5865 }
5866
5867 ad.type = LSM_AUDIT_DATA_NET;
5868 ad.u.net = &net;
5869 ad.u.net->netif = ifindex;
5870 ad.u.net->family = family;
5871 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5872 return NF_DROP;
5873
5874 if (secmark_active)
5875 if (avc_has_perm(&selinux_state,
5876 peer_sid, skb->secmark,
5877 SECCLASS_PACKET, secmark_perm, &ad))
5878 return NF_DROP_ERR(-ECONNREFUSED);
5879
5880 if (peerlbl_active) {
5881 u32 if_sid;
5882 u32 node_sid;
5883
5884 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5885 return NF_DROP;
5886 if (avc_has_perm(&selinux_state,
5887 peer_sid, if_sid,
5888 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5889 return NF_DROP_ERR(-ECONNREFUSED);
5890
5891 if (sel_netnode_sid(addrp, family, &node_sid))
5892 return NF_DROP;
5893 if (avc_has_perm(&selinux_state,
5894 peer_sid, node_sid,
5895 SECCLASS_NODE, NODE__SENDTO, &ad))
5896 return NF_DROP_ERR(-ECONNREFUSED);
5897 }
5898
5899 return NF_ACCEPT;
5900 }
5901
5902 static unsigned int selinux_ipv4_postroute(void *priv,
5903 struct sk_buff *skb,
5904 const struct nf_hook_state *state)
5905 {
5906 return selinux_ip_postroute(skb, state->out, PF_INET);
5907 }
5908
5909 #if IS_ENABLED(CONFIG_IPV6)
5910 static unsigned int selinux_ipv6_postroute(void *priv,
5911 struct sk_buff *skb,
5912 const struct nf_hook_state *state)
5913 {
5914 return selinux_ip_postroute(skb, state->out, PF_INET6);
5915 }
5916 #endif /* IPV6 */
5917
5918 #endif /* CONFIG_NETFILTER */
5919
5920 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5921 {
5922 return selinux_nlmsg_perm(sk, skb);
5923 }
5924
5925 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5926 u16 sclass)
5927 {
5928 struct ipc_security_struct *isec;
5929
5930 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5931 if (!isec)
5932 return -ENOMEM;
5933
5934 isec->sclass = sclass;
5935 isec->sid = current_sid();
5936 perm->security = isec;
5937
5938 return 0;
5939 }
5940
5941 static void ipc_free_security(struct kern_ipc_perm *perm)
5942 {
5943 struct ipc_security_struct *isec = perm->security;
5944 perm->security = NULL;
5945 kfree(isec);
5946 }
5947
5948 static int msg_msg_alloc_security(struct msg_msg *msg)
5949 {
5950 struct msg_security_struct *msec;
5951
5952 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5953 if (!msec)
5954 return -ENOMEM;
5955
5956 msec->sid = SECINITSID_UNLABELED;
5957 msg->security = msec;
5958
5959 return 0;
5960 }
5961
5962 static void msg_msg_free_security(struct msg_msg *msg)
5963 {
5964 struct msg_security_struct *msec = msg->security;
5965
5966 msg->security = NULL;
5967 kfree(msec);
5968 }
5969
5970 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5971 u32 perms)
5972 {
5973 struct ipc_security_struct *isec;
5974 struct common_audit_data ad;
5975 u32 sid = current_sid();
5976
5977 isec = ipc_perms->security;
5978
5979 ad.type = LSM_AUDIT_DATA_IPC;
5980 ad.u.ipc_id = ipc_perms->key;
5981
5982 return avc_has_perm(&selinux_state,
5983 sid, isec->sid, isec->sclass, perms, &ad);
5984 }
5985
5986 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5987 {
5988 return msg_msg_alloc_security(msg);
5989 }
5990
5991 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5992 {
5993 msg_msg_free_security(msg);
5994 }
5995
5996 /* message queue security operations */
5997 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5998 {
5999 struct ipc_security_struct *isec;
6000 struct common_audit_data ad;
6001 u32 sid = current_sid();
6002 int rc;
6003
6004 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
6005 if (rc)
6006 return rc;
6007
6008 isec = msq->security;
6009
6010 ad.type = LSM_AUDIT_DATA_IPC;
6011 ad.u.ipc_id = msq->key;
6012
6013 rc = avc_has_perm(&selinux_state,
6014 sid, isec->sid, SECCLASS_MSGQ,
6015 MSGQ__CREATE, &ad);
6016 if (rc) {
6017 ipc_free_security(msq);
6018 return rc;
6019 }
6020 return 0;
6021 }
6022
6023 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6024 {
6025 ipc_free_security(msq);
6026 }
6027
6028 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6029 {
6030 struct ipc_security_struct *isec;
6031 struct common_audit_data ad;
6032 u32 sid = current_sid();
6033
6034 isec = msq->security;
6035
6036 ad.type = LSM_AUDIT_DATA_IPC;
6037 ad.u.ipc_id = msq->key;
6038
6039 return avc_has_perm(&selinux_state,
6040 sid, isec->sid, SECCLASS_MSGQ,
6041 MSGQ__ASSOCIATE, &ad);
6042 }
6043
6044 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6045 {
6046 int err;
6047 int perms;
6048
6049 switch (cmd) {
6050 case IPC_INFO:
6051 case MSG_INFO:
6052 /* No specific object, just general system-wide information. */
6053 return avc_has_perm(&selinux_state,
6054 current_sid(), SECINITSID_KERNEL,
6055 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6056 case IPC_STAT:
6057 case MSG_STAT:
6058 case MSG_STAT_ANY:
6059 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6060 break;
6061 case IPC_SET:
6062 perms = MSGQ__SETATTR;
6063 break;
6064 case IPC_RMID:
6065 perms = MSGQ__DESTROY;
6066 break;
6067 default:
6068 return 0;
6069 }
6070
6071 err = ipc_has_perm(msq, perms);
6072 return err;
6073 }
6074
6075 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6076 {
6077 struct ipc_security_struct *isec;
6078 struct msg_security_struct *msec;
6079 struct common_audit_data ad;
6080 u32 sid = current_sid();
6081 int rc;
6082
6083 isec = msq->security;
6084 msec = msg->security;
6085
6086 /*
6087 * First time through, need to assign label to the message
6088 */
6089 if (msec->sid == SECINITSID_UNLABELED) {
6090 /*
6091 * Compute new sid based on current process and
6092 * message queue this message will be stored in
6093 */
6094 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6095 SECCLASS_MSG, NULL, &msec->sid);
6096 if (rc)
6097 return rc;
6098 }
6099
6100 ad.type = LSM_AUDIT_DATA_IPC;
6101 ad.u.ipc_id = msq->key;
6102
6103 /* Can this process write to the queue? */
6104 rc = avc_has_perm(&selinux_state,
6105 sid, isec->sid, SECCLASS_MSGQ,
6106 MSGQ__WRITE, &ad);
6107 if (!rc)
6108 /* Can this process send the message */
6109 rc = avc_has_perm(&selinux_state,
6110 sid, msec->sid, SECCLASS_MSG,
6111 MSG__SEND, &ad);
6112 if (!rc)
6113 /* Can the message be put in the queue? */
6114 rc = avc_has_perm(&selinux_state,
6115 msec->sid, isec->sid, SECCLASS_MSGQ,
6116 MSGQ__ENQUEUE, &ad);
6117
6118 return rc;
6119 }
6120
6121 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6122 struct task_struct *target,
6123 long type, int mode)
6124 {
6125 struct ipc_security_struct *isec;
6126 struct msg_security_struct *msec;
6127 struct common_audit_data ad;
6128 u32 sid = task_sid(target);
6129 int rc;
6130
6131 isec = msq->security;
6132 msec = msg->security;
6133
6134 ad.type = LSM_AUDIT_DATA_IPC;
6135 ad.u.ipc_id = msq->key;
6136
6137 rc = avc_has_perm(&selinux_state,
6138 sid, isec->sid,
6139 SECCLASS_MSGQ, MSGQ__READ, &ad);
6140 if (!rc)
6141 rc = avc_has_perm(&selinux_state,
6142 sid, msec->sid,
6143 SECCLASS_MSG, MSG__RECEIVE, &ad);
6144 return rc;
6145 }
6146
6147 /* Shared Memory security operations */
6148 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6149 {
6150 struct ipc_security_struct *isec;
6151 struct common_audit_data ad;
6152 u32 sid = current_sid();
6153 int rc;
6154
6155 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6156 if (rc)
6157 return rc;
6158
6159 isec = shp->security;
6160
6161 ad.type = LSM_AUDIT_DATA_IPC;
6162 ad.u.ipc_id = shp->key;
6163
6164 rc = avc_has_perm(&selinux_state,
6165 sid, isec->sid, SECCLASS_SHM,
6166 SHM__CREATE, &ad);
6167 if (rc) {
6168 ipc_free_security(shp);
6169 return rc;
6170 }
6171 return 0;
6172 }
6173
6174 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6175 {
6176 ipc_free_security(shp);
6177 }
6178
6179 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6180 {
6181 struct ipc_security_struct *isec;
6182 struct common_audit_data ad;
6183 u32 sid = current_sid();
6184
6185 isec = shp->security;
6186
6187 ad.type = LSM_AUDIT_DATA_IPC;
6188 ad.u.ipc_id = shp->key;
6189
6190 return avc_has_perm(&selinux_state,
6191 sid, isec->sid, SECCLASS_SHM,
6192 SHM__ASSOCIATE, &ad);
6193 }
6194
6195 /* Note, at this point, shp is locked down */
6196 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6197 {
6198 int perms;
6199 int err;
6200
6201 switch (cmd) {
6202 case IPC_INFO:
6203 case SHM_INFO:
6204 /* No specific object, just general system-wide information. */
6205 return avc_has_perm(&selinux_state,
6206 current_sid(), SECINITSID_KERNEL,
6207 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6208 case IPC_STAT:
6209 case SHM_STAT:
6210 case SHM_STAT_ANY:
6211 perms = SHM__GETATTR | SHM__ASSOCIATE;
6212 break;
6213 case IPC_SET:
6214 perms = SHM__SETATTR;
6215 break;
6216 case SHM_LOCK:
6217 case SHM_UNLOCK:
6218 perms = SHM__LOCK;
6219 break;
6220 case IPC_RMID:
6221 perms = SHM__DESTROY;
6222 break;
6223 default:
6224 return 0;
6225 }
6226
6227 err = ipc_has_perm(shp, perms);
6228 return err;
6229 }
6230
6231 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6232 char __user *shmaddr, int shmflg)
6233 {
6234 u32 perms;
6235
6236 if (shmflg & SHM_RDONLY)
6237 perms = SHM__READ;
6238 else
6239 perms = SHM__READ | SHM__WRITE;
6240
6241 return ipc_has_perm(shp, perms);
6242 }
6243
6244 /* Semaphore security operations */
6245 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6246 {
6247 struct ipc_security_struct *isec;
6248 struct common_audit_data ad;
6249 u32 sid = current_sid();
6250 int rc;
6251
6252 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6253 if (rc)
6254 return rc;
6255
6256 isec = sma->security;
6257
6258 ad.type = LSM_AUDIT_DATA_IPC;
6259 ad.u.ipc_id = sma->key;
6260
6261 rc = avc_has_perm(&selinux_state,
6262 sid, isec->sid, SECCLASS_SEM,
6263 SEM__CREATE, &ad);
6264 if (rc) {
6265 ipc_free_security(sma);
6266 return rc;
6267 }
6268 return 0;
6269 }
6270
6271 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6272 {
6273 ipc_free_security(sma);
6274 }
6275
6276 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6277 {
6278 struct ipc_security_struct *isec;
6279 struct common_audit_data ad;
6280 u32 sid = current_sid();
6281
6282 isec = sma->security;
6283
6284 ad.type = LSM_AUDIT_DATA_IPC;
6285 ad.u.ipc_id = sma->key;
6286
6287 return avc_has_perm(&selinux_state,
6288 sid, isec->sid, SECCLASS_SEM,
6289 SEM__ASSOCIATE, &ad);
6290 }
6291
6292 /* Note, at this point, sma is locked down */
6293 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6294 {
6295 int err;
6296 u32 perms;
6297
6298 switch (cmd) {
6299 case IPC_INFO:
6300 case SEM_INFO:
6301 /* No specific object, just general system-wide information. */
6302 return avc_has_perm(&selinux_state,
6303 current_sid(), SECINITSID_KERNEL,
6304 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6305 case GETPID:
6306 case GETNCNT:
6307 case GETZCNT:
6308 perms = SEM__GETATTR;
6309 break;
6310 case GETVAL:
6311 case GETALL:
6312 perms = SEM__READ;
6313 break;
6314 case SETVAL:
6315 case SETALL:
6316 perms = SEM__WRITE;
6317 break;
6318 case IPC_RMID:
6319 perms = SEM__DESTROY;
6320 break;
6321 case IPC_SET:
6322 perms = SEM__SETATTR;
6323 break;
6324 case IPC_STAT:
6325 case SEM_STAT:
6326 case SEM_STAT_ANY:
6327 perms = SEM__GETATTR | SEM__ASSOCIATE;
6328 break;
6329 default:
6330 return 0;
6331 }
6332
6333 err = ipc_has_perm(sma, perms);
6334 return err;
6335 }
6336
6337 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6338 struct sembuf *sops, unsigned nsops, int alter)
6339 {
6340 u32 perms;
6341
6342 if (alter)
6343 perms = SEM__READ | SEM__WRITE;
6344 else
6345 perms = SEM__READ;
6346
6347 return ipc_has_perm(sma, perms);
6348 }
6349
6350 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6351 {
6352 u32 av = 0;
6353
6354 av = 0;
6355 if (flag & S_IRUGO)
6356 av |= IPC__UNIX_READ;
6357 if (flag & S_IWUGO)
6358 av |= IPC__UNIX_WRITE;
6359
6360 if (av == 0)
6361 return 0;
6362
6363 return ipc_has_perm(ipcp, av);
6364 }
6365
6366 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6367 {
6368 struct ipc_security_struct *isec = ipcp->security;
6369 *secid = isec->sid;
6370 }
6371
6372 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6373 {
6374 if (inode)
6375 inode_doinit_with_dentry(inode, dentry);
6376 }
6377
6378 static int selinux_getprocattr(struct task_struct *p,
6379 char *name, char **value)
6380 {
6381 const struct task_security_struct *__tsec;
6382 u32 sid;
6383 int error;
6384 unsigned len;
6385
6386 rcu_read_lock();
6387 __tsec = __task_cred(p)->security;
6388
6389 if (current != p) {
6390 error = avc_has_perm(&selinux_state,
6391 current_sid(), __tsec->sid,
6392 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6393 if (error)
6394 goto bad;
6395 }
6396
6397 if (!strcmp(name, "current"))
6398 sid = __tsec->sid;
6399 else if (!strcmp(name, "prev"))
6400 sid = __tsec->osid;
6401 else if (!strcmp(name, "exec"))
6402 sid = __tsec->exec_sid;
6403 else if (!strcmp(name, "fscreate"))
6404 sid = __tsec->create_sid;
6405 else if (!strcmp(name, "keycreate"))
6406 sid = __tsec->keycreate_sid;
6407 else if (!strcmp(name, "sockcreate"))
6408 sid = __tsec->sockcreate_sid;
6409 else {
6410 error = -EINVAL;
6411 goto bad;
6412 }
6413 rcu_read_unlock();
6414
6415 if (!sid)
6416 return 0;
6417
6418 error = security_sid_to_context(&selinux_state, sid, value, &len);
6419 if (error)
6420 return error;
6421 return len;
6422
6423 bad:
6424 rcu_read_unlock();
6425 return error;
6426 }
6427
6428 static int selinux_setprocattr(const char *name, void *value, size_t size)
6429 {
6430 struct task_security_struct *tsec;
6431 struct cred *new;
6432 u32 mysid = current_sid(), sid = 0, ptsid;
6433 int error;
6434 char *str = value;
6435
6436 /*
6437 * Basic control over ability to set these attributes at all.
6438 */
6439 if (!strcmp(name, "exec"))
6440 error = avc_has_perm(&selinux_state,
6441 mysid, mysid, SECCLASS_PROCESS,
6442 PROCESS__SETEXEC, NULL);
6443 else if (!strcmp(name, "fscreate"))
6444 error = avc_has_perm(&selinux_state,
6445 mysid, mysid, SECCLASS_PROCESS,
6446 PROCESS__SETFSCREATE, NULL);
6447 else if (!strcmp(name, "keycreate"))
6448 error = avc_has_perm(&selinux_state,
6449 mysid, mysid, SECCLASS_PROCESS,
6450 PROCESS__SETKEYCREATE, NULL);
6451 else if (!strcmp(name, "sockcreate"))
6452 error = avc_has_perm(&selinux_state,
6453 mysid, mysid, SECCLASS_PROCESS,
6454 PROCESS__SETSOCKCREATE, NULL);
6455 else if (!strcmp(name, "current"))
6456 error = avc_has_perm(&selinux_state,
6457 mysid, mysid, SECCLASS_PROCESS,
6458 PROCESS__SETCURRENT, NULL);
6459 else
6460 error = -EINVAL;
6461 if (error)
6462 return error;
6463
6464 /* Obtain a SID for the context, if one was specified. */
6465 if (size && str[0] && str[0] != '\n') {
6466 if (str[size-1] == '\n') {
6467 str[size-1] = 0;
6468 size--;
6469 }
6470 error = security_context_to_sid(&selinux_state, value, size,
6471 &sid, GFP_KERNEL);
6472 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6473 if (!has_cap_mac_admin(true)) {
6474 struct audit_buffer *ab;
6475 size_t audit_size;
6476
6477 /* We strip a nul only if it is at the end, otherwise the
6478 * context contains a nul and we should audit that */
6479 if (str[size - 1] == '\0')
6480 audit_size = size - 1;
6481 else
6482 audit_size = size;
6483 ab = audit_log_start(audit_context(),
6484 GFP_ATOMIC,
6485 AUDIT_SELINUX_ERR);
6486 audit_log_format(ab, "op=fscreate invalid_context=");
6487 audit_log_n_untrustedstring(ab, value, audit_size);
6488 audit_log_end(ab);
6489
6490 return error;
6491 }
6492 error = security_context_to_sid_force(
6493 &selinux_state,
6494 value, size, &sid);
6495 }
6496 if (error)
6497 return error;
6498 }
6499
6500 new = prepare_creds();
6501 if (!new)
6502 return -ENOMEM;
6503
6504 /* Permission checking based on the specified context is
6505 performed during the actual operation (execve,
6506 open/mkdir/...), when we know the full context of the
6507 operation. See selinux_bprm_set_creds for the execve
6508 checks and may_create for the file creation checks. The
6509 operation will then fail if the context is not permitted. */
6510 tsec = new->security;
6511 if (!strcmp(name, "exec")) {
6512 tsec->exec_sid = sid;
6513 } else if (!strcmp(name, "fscreate")) {
6514 tsec->create_sid = sid;
6515 } else if (!strcmp(name, "keycreate")) {
6516 error = avc_has_perm(&selinux_state,
6517 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6518 NULL);
6519 if (error)
6520 goto abort_change;
6521 tsec->keycreate_sid = sid;
6522 } else if (!strcmp(name, "sockcreate")) {
6523 tsec->sockcreate_sid = sid;
6524 } else if (!strcmp(name, "current")) {
6525 error = -EINVAL;
6526 if (sid == 0)
6527 goto abort_change;
6528
6529 /* Only allow single threaded processes to change context */
6530 error = -EPERM;
6531 if (!current_is_single_threaded()) {
6532 error = security_bounded_transition(&selinux_state,
6533 tsec->sid, sid);
6534 if (error)
6535 goto abort_change;
6536 }
6537
6538 /* Check permissions for the transition. */
6539 error = avc_has_perm(&selinux_state,
6540 tsec->sid, sid, SECCLASS_PROCESS,
6541 PROCESS__DYNTRANSITION, NULL);
6542 if (error)
6543 goto abort_change;
6544
6545 /* Check for ptracing, and update the task SID if ok.
6546 Otherwise, leave SID unchanged and fail. */
6547 ptsid = ptrace_parent_sid();
6548 if (ptsid != 0) {
6549 error = avc_has_perm(&selinux_state,
6550 ptsid, sid, SECCLASS_PROCESS,
6551 PROCESS__PTRACE, NULL);
6552 if (error)
6553 goto abort_change;
6554 }
6555
6556 tsec->sid = sid;
6557 } else {
6558 error = -EINVAL;
6559 goto abort_change;
6560 }
6561
6562 commit_creds(new);
6563 return size;
6564
6565 abort_change:
6566 abort_creds(new);
6567 return error;
6568 }
6569
6570 static int selinux_ismaclabel(const char *name)
6571 {
6572 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6573 }
6574
6575 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6576 {
6577 return security_sid_to_context(&selinux_state, secid,
6578 secdata, seclen);
6579 }
6580
6581 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6582 {
6583 return security_context_to_sid(&selinux_state, secdata, seclen,
6584 secid, GFP_KERNEL);
6585 }
6586
6587 static void selinux_release_secctx(char *secdata, u32 seclen)
6588 {
6589 kfree(secdata);
6590 }
6591
6592 static void selinux_inode_invalidate_secctx(struct inode *inode)
6593 {
6594 struct inode_security_struct *isec = inode->i_security;
6595
6596 spin_lock(&isec->lock);
6597 isec->initialized = LABEL_INVALID;
6598 spin_unlock(&isec->lock);
6599 }
6600
6601 /*
6602 * called with inode->i_mutex locked
6603 */
6604 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6605 {
6606 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6607 }
6608
6609 /*
6610 * called with inode->i_mutex locked
6611 */
6612 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6613 {
6614 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6615 }
6616
6617 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6618 {
6619 int len = 0;
6620 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6621 ctx, true);
6622 if (len < 0)
6623 return len;
6624 *ctxlen = len;
6625 return 0;
6626 }
6627 #ifdef CONFIG_KEYS
6628
6629 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6630 unsigned long flags)
6631 {
6632 const struct task_security_struct *tsec;
6633 struct key_security_struct *ksec;
6634
6635 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6636 if (!ksec)
6637 return -ENOMEM;
6638
6639 tsec = cred->security;
6640 if (tsec->keycreate_sid)
6641 ksec->sid = tsec->keycreate_sid;
6642 else
6643 ksec->sid = tsec->sid;
6644
6645 k->security = ksec;
6646 return 0;
6647 }
6648
6649 static void selinux_key_free(struct key *k)
6650 {
6651 struct key_security_struct *ksec = k->security;
6652
6653 k->security = NULL;
6654 kfree(ksec);
6655 }
6656
6657 static int selinux_key_permission(key_ref_t key_ref,
6658 const struct cred *cred,
6659 unsigned perm)
6660 {
6661 struct key *key;
6662 struct key_security_struct *ksec;
6663 u32 sid;
6664
6665 /* if no specific permissions are requested, we skip the
6666 permission check. No serious, additional covert channels
6667 appear to be created. */
6668 if (perm == 0)
6669 return 0;
6670
6671 sid = cred_sid(cred);
6672
6673 key = key_ref_to_ptr(key_ref);
6674 ksec = key->security;
6675
6676 return avc_has_perm(&selinux_state,
6677 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6678 }
6679
6680 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6681 {
6682 struct key_security_struct *ksec = key->security;
6683 char *context = NULL;
6684 unsigned len;
6685 int rc;
6686
6687 rc = security_sid_to_context(&selinux_state, ksec->sid,
6688 &context, &len);
6689 if (!rc)
6690 rc = len;
6691 *_buffer = context;
6692 return rc;
6693 }
6694 #endif
6695
6696 #ifdef CONFIG_SECURITY_INFINIBAND
6697 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6698 {
6699 struct common_audit_data ad;
6700 int err;
6701 u32 sid = 0;
6702 struct ib_security_struct *sec = ib_sec;
6703 struct lsm_ibpkey_audit ibpkey;
6704
6705 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6706 if (err)
6707 return err;
6708
6709 ad.type = LSM_AUDIT_DATA_IBPKEY;
6710 ibpkey.subnet_prefix = subnet_prefix;
6711 ibpkey.pkey = pkey_val;
6712 ad.u.ibpkey = &ibpkey;
6713 return avc_has_perm(&selinux_state,
6714 sec->sid, sid,
6715 SECCLASS_INFINIBAND_PKEY,
6716 INFINIBAND_PKEY__ACCESS, &ad);
6717 }
6718
6719 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6720 u8 port_num)
6721 {
6722 struct common_audit_data ad;
6723 int err;
6724 u32 sid = 0;
6725 struct ib_security_struct *sec = ib_sec;
6726 struct lsm_ibendport_audit ibendport;
6727
6728 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6729 &sid);
6730
6731 if (err)
6732 return err;
6733
6734 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6735 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6736 ibendport.port = port_num;
6737 ad.u.ibendport = &ibendport;
6738 return avc_has_perm(&selinux_state,
6739 sec->sid, sid,
6740 SECCLASS_INFINIBAND_ENDPORT,
6741 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6742 }
6743
6744 static int selinux_ib_alloc_security(void **ib_sec)
6745 {
6746 struct ib_security_struct *sec;
6747
6748 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6749 if (!sec)
6750 return -ENOMEM;
6751 sec->sid = current_sid();
6752
6753 *ib_sec = sec;
6754 return 0;
6755 }
6756
6757 static void selinux_ib_free_security(void *ib_sec)
6758 {
6759 kfree(ib_sec);
6760 }
6761 #endif
6762
6763 #ifdef CONFIG_BPF_SYSCALL
6764 static int selinux_bpf(int cmd, union bpf_attr *attr,
6765 unsigned int size)
6766 {
6767 u32 sid = current_sid();
6768 int ret;
6769
6770 switch (cmd) {
6771 case BPF_MAP_CREATE:
6772 ret = avc_has_perm(&selinux_state,
6773 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6774 NULL);
6775 break;
6776 case BPF_PROG_LOAD:
6777 ret = avc_has_perm(&selinux_state,
6778 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6779 NULL);
6780 break;
6781 default:
6782 ret = 0;
6783 break;
6784 }
6785
6786 return ret;
6787 }
6788
6789 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6790 {
6791 u32 av = 0;
6792
6793 if (fmode & FMODE_READ)
6794 av |= BPF__MAP_READ;
6795 if (fmode & FMODE_WRITE)
6796 av |= BPF__MAP_WRITE;
6797 return av;
6798 }
6799
6800 /* This function will check the file pass through unix socket or binder to see
6801 * if it is a bpf related object. And apply correspinding checks on the bpf
6802 * object based on the type. The bpf maps and programs, not like other files and
6803 * socket, are using a shared anonymous inode inside the kernel as their inode.
6804 * So checking that inode cannot identify if the process have privilege to
6805 * access the bpf object and that's why we have to add this additional check in
6806 * selinux_file_receive and selinux_binder_transfer_files.
6807 */
6808 static int bpf_fd_pass(struct file *file, u32 sid)
6809 {
6810 struct bpf_security_struct *bpfsec;
6811 struct bpf_prog *prog;
6812 struct bpf_map *map;
6813 int ret;
6814
6815 if (file->f_op == &bpf_map_fops) {
6816 map = file->private_data;
6817 bpfsec = map->security;
6818 ret = avc_has_perm(&selinux_state,
6819 sid, bpfsec->sid, SECCLASS_BPF,
6820 bpf_map_fmode_to_av(file->f_mode), NULL);
6821 if (ret)
6822 return ret;
6823 } else if (file->f_op == &bpf_prog_fops) {
6824 prog = file->private_data;
6825 bpfsec = prog->aux->security;
6826 ret = avc_has_perm(&selinux_state,
6827 sid, bpfsec->sid, SECCLASS_BPF,
6828 BPF__PROG_RUN, NULL);
6829 if (ret)
6830 return ret;
6831 }
6832 return 0;
6833 }
6834
6835 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6836 {
6837 u32 sid = current_sid();
6838 struct bpf_security_struct *bpfsec;
6839
6840 bpfsec = map->security;
6841 return avc_has_perm(&selinux_state,
6842 sid, bpfsec->sid, SECCLASS_BPF,
6843 bpf_map_fmode_to_av(fmode), NULL);
6844 }
6845
6846 static int selinux_bpf_prog(struct bpf_prog *prog)
6847 {
6848 u32 sid = current_sid();
6849 struct bpf_security_struct *bpfsec;
6850
6851 bpfsec = prog->aux->security;
6852 return avc_has_perm(&selinux_state,
6853 sid, bpfsec->sid, SECCLASS_BPF,
6854 BPF__PROG_RUN, NULL);
6855 }
6856
6857 static int selinux_bpf_map_alloc(struct bpf_map *map)
6858 {
6859 struct bpf_security_struct *bpfsec;
6860
6861 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6862 if (!bpfsec)
6863 return -ENOMEM;
6864
6865 bpfsec->sid = current_sid();
6866 map->security = bpfsec;
6867
6868 return 0;
6869 }
6870
6871 static void selinux_bpf_map_free(struct bpf_map *map)
6872 {
6873 struct bpf_security_struct *bpfsec = map->security;
6874
6875 map->security = NULL;
6876 kfree(bpfsec);
6877 }
6878
6879 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6880 {
6881 struct bpf_security_struct *bpfsec;
6882
6883 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6884 if (!bpfsec)
6885 return -ENOMEM;
6886
6887 bpfsec->sid = current_sid();
6888 aux->security = bpfsec;
6889
6890 return 0;
6891 }
6892
6893 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6894 {
6895 struct bpf_security_struct *bpfsec = aux->security;
6896
6897 aux->security = NULL;
6898 kfree(bpfsec);
6899 }
6900 #endif
6901
6902 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6903 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6904 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6905 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6906 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6907
6908 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6909 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6910 LSM_HOOK_INIT(capget, selinux_capget),
6911 LSM_HOOK_INIT(capset, selinux_capset),
6912 LSM_HOOK_INIT(capable, selinux_capable),
6913 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6914 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6915 LSM_HOOK_INIT(syslog, selinux_syslog),
6916 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6917
6918 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6919
6920 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6921 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6922 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6923
6924 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6925 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6926 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6927 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6928 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6929 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6930 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6931 LSM_HOOK_INIT(sb_mount, selinux_mount),
6932 LSM_HOOK_INIT(sb_umount, selinux_umount),
6933 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6934 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6935 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6936
6937 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6938 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6939
6940 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6941 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6942 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6943 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6944 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6945 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6946 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6947 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6948 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6949 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6950 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6951 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6952 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6953 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6954 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6955 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6956 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6957 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6958 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6959 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6960 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6961 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6962 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6963 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6964 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6965 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6966 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6967
6968 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6969 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6970 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6971 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6972 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6973 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6974 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6975 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6976 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6977 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6978 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6979 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6980
6981 LSM_HOOK_INIT(file_open, selinux_file_open),
6982
6983 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6984 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6985 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6986 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6987 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6988 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6989 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6990 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6991 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6992 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6993 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6994 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6995 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6996 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6997 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6998 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6999 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7000 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7001 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7002 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7003 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7004 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7005 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7006 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7007 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7008
7009 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7010 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
7011
7012 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7013 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
7014
7015 LSM_HOOK_INIT(msg_queue_alloc_security,
7016 selinux_msg_queue_alloc_security),
7017 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7018 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7019 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7020 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7021 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7022
7023 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7024 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7025 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7026 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7027 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7028
7029 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7030 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7031 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7032 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7033 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7034
7035 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7036
7037 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7038 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7039
7040 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7041 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7042 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7043 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7044 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7045 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7046 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7047 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7048
7049 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7050 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7051
7052 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7053 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7054 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7055 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7056 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7057 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7058 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7059 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7060 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7061 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7062 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7063 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7064 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7065 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7066 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7067 LSM_HOOK_INIT(socket_getpeersec_stream,
7068 selinux_socket_getpeersec_stream),
7069 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7070 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7071 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7072 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7073 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7074 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7075 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7076 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7077 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7078 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7079 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7080 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7081 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7082 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7083 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7084 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7085 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7086 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7087 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7088 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7089 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7090 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7091 #ifdef CONFIG_SECURITY_INFINIBAND
7092 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7093 LSM_HOOK_INIT(ib_endport_manage_subnet,
7094 selinux_ib_endport_manage_subnet),
7095 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7096 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7097 #endif
7098 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7099 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7100 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7101 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7102 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7103 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7104 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7105 selinux_xfrm_state_alloc_acquire),
7106 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7107 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7108 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7109 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7110 selinux_xfrm_state_pol_flow_match),
7111 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7112 #endif
7113
7114 #ifdef CONFIG_KEYS
7115 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7116 LSM_HOOK_INIT(key_free, selinux_key_free),
7117 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7118 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7119 #endif
7120
7121 #ifdef CONFIG_AUDIT
7122 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7123 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7124 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7125 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7126 #endif
7127
7128 #ifdef CONFIG_BPF_SYSCALL
7129 LSM_HOOK_INIT(bpf, selinux_bpf),
7130 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7131 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7132 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7133 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7134 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7135 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7136 #endif
7137 };
7138
7139 static __init int selinux_init(void)
7140 {
7141 if (!security_module_enable("selinux")) {
7142 selinux_enabled = 0;
7143 return 0;
7144 }
7145
7146 if (!selinux_enabled) {
7147 pr_info("SELinux: Disabled at boot.\n");
7148 return 0;
7149 }
7150
7151 pr_info("SELinux: Initializing.\n");
7152
7153 memset(&selinux_state, 0, sizeof(selinux_state));
7154 enforcing_set(&selinux_state, selinux_enforcing_boot);
7155 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7156 selinux_ss_init(&selinux_state.ss);
7157 selinux_avc_init(&selinux_state.avc);
7158
7159 /* Set the security state for the initial task. */
7160 cred_init_security();
7161
7162 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7163
7164 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7165 sizeof(struct inode_security_struct),
7166 0, SLAB_PANIC, NULL);
7167 file_security_cache = kmem_cache_create("selinux_file_security",
7168 sizeof(struct file_security_struct),
7169 0, SLAB_PANIC, NULL);
7170 avc_init();
7171
7172 avtab_cache_init();
7173
7174 ebitmap_cache_init();
7175
7176 hashtab_cache_init();
7177
7178 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7179
7180 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7181 panic("SELinux: Unable to register AVC netcache callback\n");
7182
7183 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7184 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7185
7186 if (selinux_enforcing_boot)
7187 pr_debug("SELinux: Starting in enforcing mode\n");
7188 else
7189 pr_debug("SELinux: Starting in permissive mode\n");
7190
7191 return 0;
7192 }
7193
7194 static void delayed_superblock_init(struct super_block *sb, void *unused)
7195 {
7196 superblock_doinit(sb, NULL);
7197 }
7198
7199 void selinux_complete_init(void)
7200 {
7201 pr_debug("SELinux: Completing initialization.\n");
7202
7203 /* Set up any superblocks initialized prior to the policy load. */
7204 pr_debug("SELinux: Setting up existing superblocks.\n");
7205 iterate_supers(delayed_superblock_init, NULL);
7206 }
7207
7208 /* SELinux requires early initialization in order to label
7209 all processes and objects when they are created. */
7210 DEFINE_LSM(selinux) = {
7211 .name = "selinux",
7212 .init = selinux_init,
7213 };
7214
7215 #if defined(CONFIG_NETFILTER)
7216
7217 static const struct nf_hook_ops selinux_nf_ops[] = {
7218 {
7219 .hook = selinux_ipv4_postroute,
7220 .pf = NFPROTO_IPV4,
7221 .hooknum = NF_INET_POST_ROUTING,
7222 .priority = NF_IP_PRI_SELINUX_LAST,
7223 },
7224 {
7225 .hook = selinux_ipv4_forward,
7226 .pf = NFPROTO_IPV4,
7227 .hooknum = NF_INET_FORWARD,
7228 .priority = NF_IP_PRI_SELINUX_FIRST,
7229 },
7230 {
7231 .hook = selinux_ipv4_output,
7232 .pf = NFPROTO_IPV4,
7233 .hooknum = NF_INET_LOCAL_OUT,
7234 .priority = NF_IP_PRI_SELINUX_FIRST,
7235 },
7236 #if IS_ENABLED(CONFIG_IPV6)
7237 {
7238 .hook = selinux_ipv6_postroute,
7239 .pf = NFPROTO_IPV6,
7240 .hooknum = NF_INET_POST_ROUTING,
7241 .priority = NF_IP6_PRI_SELINUX_LAST,
7242 },
7243 {
7244 .hook = selinux_ipv6_forward,
7245 .pf = NFPROTO_IPV6,
7246 .hooknum = NF_INET_FORWARD,
7247 .priority = NF_IP6_PRI_SELINUX_FIRST,
7248 },
7249 {
7250 .hook = selinux_ipv6_output,
7251 .pf = NFPROTO_IPV6,
7252 .hooknum = NF_INET_LOCAL_OUT,
7253 .priority = NF_IP6_PRI_SELINUX_FIRST,
7254 },
7255 #endif /* IPV6 */
7256 };
7257
7258 static int __net_init selinux_nf_register(struct net *net)
7259 {
7260 return nf_register_net_hooks(net, selinux_nf_ops,
7261 ARRAY_SIZE(selinux_nf_ops));
7262 }
7263
7264 static void __net_exit selinux_nf_unregister(struct net *net)
7265 {
7266 nf_unregister_net_hooks(net, selinux_nf_ops,
7267 ARRAY_SIZE(selinux_nf_ops));
7268 }
7269
7270 static struct pernet_operations selinux_net_ops = {
7271 .init = selinux_nf_register,
7272 .exit = selinux_nf_unregister,
7273 };
7274
7275 static int __init selinux_nf_ip_init(void)
7276 {
7277 int err;
7278
7279 if (!selinux_enabled)
7280 return 0;
7281
7282 pr_debug("SELinux: Registering netfilter hooks\n");
7283
7284 err = register_pernet_subsys(&selinux_net_ops);
7285 if (err)
7286 panic("SELinux: register_pernet_subsys: error %d\n", err);
7287
7288 return 0;
7289 }
7290 __initcall(selinux_nf_ip_init);
7291
7292 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7293 static void selinux_nf_ip_exit(void)
7294 {
7295 pr_debug("SELinux: Unregistering netfilter hooks\n");
7296
7297 unregister_pernet_subsys(&selinux_net_ops);
7298 }
7299 #endif
7300
7301 #else /* CONFIG_NETFILTER */
7302
7303 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7304 #define selinux_nf_ip_exit()
7305 #endif
7306
7307 #endif /* CONFIG_NETFILTER */
7308
7309 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7310 int selinux_disable(struct selinux_state *state)
7311 {
7312 if (state->initialized) {
7313 /* Not permitted after initial policy load. */
7314 return -EINVAL;
7315 }
7316
7317 if (state->disabled) {
7318 /* Only do this once. */
7319 return -EINVAL;
7320 }
7321
7322 state->disabled = 1;
7323
7324 pr_info("SELinux: Disabled at runtime.\n");
7325
7326 selinux_enabled = 0;
7327
7328 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7329
7330 /* Try to destroy the avc node cache */
7331 avc_disable();
7332
7333 /* Unregister netfilter hooks. */
7334 selinux_nf_ip_exit();
7335
7336 /* Unregister selinuxfs. */
7337 exit_sel_fs();
7338
7339 return 0;
7340 }
7341 #endif
Linux with added FPC-III support