search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
perf tools: Streamline bpf examples and headers installation
[linux/fpc-iii.git] / security / selinux / hooks.c
blob2b5ee5fbd652de22a951d7618e6daad3d7cb82f5
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/sctp.h>
71 #include <net/sctp/structs.h>
72 #include <linux/quota.h>
73 #include <linux/un.h> /* for Unix socket types */
74 #include <net/af_unix.h> /* for Unix socket types */
75 #include <linux/parser.h>
76 #include <linux/nfs_mount.h>
77 #include <net/ipv6.h>
78 #include <linux/hugetlb.h>
79 #include <linux/personality.h>
80 #include <linux/audit.h>
81 #include <linux/string.h>
82 #include <linux/selinux.h>
83 #include <linux/mutex.h>
84 #include <linux/posix-timers.h>
85 #include <linux/syslog.h>
86 #include <linux/user_namespace.h>
87 #include <linux/export.h>
88 #include <linux/msg.h>
89 #include <linux/shm.h>
90 #include <linux/bpf.h>
91
92 #include "avc.h"
93 #include "objsec.h"
94 #include "netif.h"
95 #include "netnode.h"
96 #include "netport.h"
97 #include "ibpkey.h"
98 #include "xfrm.h"
99 #include "netlabel.h"
100 #include "audit.h"
101 #include "avc_ss.h"
102
103 struct selinux_state selinux_state;
104
105 /* SECMARK reference count */
106 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
107
108 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
109 static int selinux_enforcing_boot;
110
111 static int __init enforcing_setup(char *str)
112 {
113 unsigned long enforcing;
114 if (!kstrtoul(str, 0, &enforcing))
115 selinux_enforcing_boot = enforcing ? 1 : 0;
116 return 1;
117 }
118 __setup("enforcing=", enforcing_setup);
119 #else
120 #define selinux_enforcing_boot 1
121 #endif
122
123 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
124 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
125
126 static int __init selinux_enabled_setup(char *str)
127 {
128 unsigned long enabled;
129 if (!kstrtoul(str, 0, &enabled))
130 selinux_enabled = enabled ? 1 : 0;
131 return 1;
132 }
133 __setup("selinux=", selinux_enabled_setup);
134 #else
135 int selinux_enabled = 1;
136 #endif
137
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141 static int __init checkreqprot_setup(char *str)
142 {
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150
151 static struct kmem_cache *sel_inode_cache;
152 static struct kmem_cache *file_security_cache;
153
154 /**
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156 *
157 * Description:
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
163 *
164 */
165 static int selinux_secmark_enabled(void)
166 {
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
169 }
170
171 /**
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173 *
174 * Description:
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
179 *
180 */
181 static int selinux_peerlbl_enabled(void)
182 {
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
185 }
186
187 static int selinux_netcache_avc_callback(u32 event)
188 {
189 if (event == AVC_CALLBACK_RESET) {
190 sel_netif_flush();
191 sel_netnode_flush();
192 sel_netport_flush();
193 synchronize_net();
194 }
195 return 0;
196 }
197
198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200 if (event == AVC_CALLBACK_RESET) {
201 sel_ib_pkey_flush();
202 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 }
204
205 return 0;
206 }
207
208 /*
209 * initialise the security for the init task
210 */
211 static void cred_init_security(void)
212 {
213 struct cred *cred = (struct cred *) current->real_cred;
214 struct task_security_struct *tsec;
215
216 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
217 if (!tsec)
218 panic("SELinux: Failed to initialize initial task.\n");
219
220 tsec->osid = tsec->sid = SECINITSID_KERNEL;
221 cred->security = tsec;
222 }
223
224 /*
225 * get the security ID of a set of credentials
226 */
227 static inline u32 cred_sid(const struct cred *cred)
228 {
229 const struct task_security_struct *tsec;
230
231 tsec = cred->security;
232 return tsec->sid;
233 }
234
235 /*
236 * get the objective security ID of a task
237 */
238 static inline u32 task_sid(const struct task_struct *task)
239 {
240 u32 sid;
241
242 rcu_read_lock();
243 sid = cred_sid(__task_cred(task));
244 rcu_read_unlock();
245 return sid;
246 }
247
248 /* Allocate and free functions for each kind of security blob. */
249
250 static int inode_alloc_security(struct inode *inode)
251 {
252 struct inode_security_struct *isec;
253 u32 sid = current_sid();
254
255 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
256 if (!isec)
257 return -ENOMEM;
258
259 spin_lock_init(&isec->lock);
260 INIT_LIST_HEAD(&isec->list);
261 isec->inode = inode;
262 isec->sid = SECINITSID_UNLABELED;
263 isec->sclass = SECCLASS_FILE;
264 isec->task_sid = sid;
265 isec->initialized = LABEL_INVALID;
266 inode->i_security = isec;
267
268 return 0;
269 }
270
271 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
272
273 /*
274 * Try reloading inode security labels that have been marked as invalid. The
275 * @may_sleep parameter indicates when sleeping and thus reloading labels is
276 * allowed; when set to false, returns -ECHILD when the label is
277 * invalid. The @dentry parameter should be set to a dentry of the inode.
278 */
279 static int __inode_security_revalidate(struct inode *inode,
280 struct dentry *dentry,
281 bool may_sleep)
282 {
283 struct inode_security_struct *isec = inode->i_security;
284
285 might_sleep_if(may_sleep);
286
287 if (selinux_state.initialized &&
288 isec->initialized != LABEL_INITIALIZED) {
289 if (!may_sleep)
290 return -ECHILD;
291
292 /*
293 * Try reloading the inode security label. This will fail if
294 * @opt_dentry is NULL and no dentry for this inode can be
295 * found; in that case, continue using the old label.
296 */
297 inode_doinit_with_dentry(inode, dentry);
298 }
299 return 0;
300 }
301
302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
303 {
304 return inode->i_security;
305 }
306
307 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
308 {
309 int error;
310
311 error = __inode_security_revalidate(inode, NULL, !rcu);
312 if (error)
313 return ERR_PTR(error);
314 return inode->i_security;
315 }
316
317 /*
318 * Get the security label of an inode.
319 */
320 static struct inode_security_struct *inode_security(struct inode *inode)
321 {
322 __inode_security_revalidate(inode, NULL, true);
323 return inode->i_security;
324 }
325
326 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
327 {
328 struct inode *inode = d_backing_inode(dentry);
329
330 return inode->i_security;
331 }
332
333 /*
334 * Get the security label of a dentry's backing inode.
335 */
336 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
337 {
338 struct inode *inode = d_backing_inode(dentry);
339
340 __inode_security_revalidate(inode, dentry, true);
341 return inode->i_security;
342 }
343
344 static void inode_free_rcu(struct rcu_head *head)
345 {
346 struct inode_security_struct *isec;
347
348 isec = container_of(head, struct inode_security_struct, rcu);
349 kmem_cache_free(sel_inode_cache, isec);
350 }
351
352 static void inode_free_security(struct inode *inode)
353 {
354 struct inode_security_struct *isec = inode->i_security;
355 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
356
357 /*
358 * As not all inode security structures are in a list, we check for
359 * empty list outside of the lock to make sure that we won't waste
360 * time taking a lock doing nothing.
361 *
362 * The list_del_init() function can be safely called more than once.
363 * It should not be possible for this function to be called with
364 * concurrent list_add(), but for better safety against future changes
365 * in the code, we use list_empty_careful() here.
366 */
367 if (!list_empty_careful(&isec->list)) {
368 spin_lock(&sbsec->isec_lock);
369 list_del_init(&isec->list);
370 spin_unlock(&sbsec->isec_lock);
371 }
372
373 /*
374 * The inode may still be referenced in a path walk and
375 * a call to selinux_inode_permission() can be made
376 * after inode_free_security() is called. Ideally, the VFS
377 * wouldn't do this, but fixing that is a much harder
378 * job. For now, simply free the i_security via RCU, and
379 * leave the current inode->i_security pointer intact.
380 * The inode will be freed after the RCU grace period too.
381 */
382 call_rcu(&isec->rcu, inode_free_rcu);
383 }
384
385 static int file_alloc_security(struct file *file)
386 {
387 struct file_security_struct *fsec;
388 u32 sid = current_sid();
389
390 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
391 if (!fsec)
392 return -ENOMEM;
393
394 fsec->sid = sid;
395 fsec->fown_sid = sid;
396 file->f_security = fsec;
397
398 return 0;
399 }
400
401 static void file_free_security(struct file *file)
402 {
403 struct file_security_struct *fsec = file->f_security;
404 file->f_security = NULL;
405 kmem_cache_free(file_security_cache, fsec);
406 }
407
408 static int superblock_alloc_security(struct super_block *sb)
409 {
410 struct superblock_security_struct *sbsec;
411
412 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
413 if (!sbsec)
414 return -ENOMEM;
415
416 mutex_init(&sbsec->lock);
417 INIT_LIST_HEAD(&sbsec->isec_head);
418 spin_lock_init(&sbsec->isec_lock);
419 sbsec->sb = sb;
420 sbsec->sid = SECINITSID_UNLABELED;
421 sbsec->def_sid = SECINITSID_FILE;
422 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
423 sb->s_security = sbsec;
424
425 return 0;
426 }
427
428 static void superblock_free_security(struct super_block *sb)
429 {
430 struct superblock_security_struct *sbsec = sb->s_security;
431 sb->s_security = NULL;
432 kfree(sbsec);
433 }
434
435 static inline int inode_doinit(struct inode *inode)
436 {
437 return inode_doinit_with_dentry(inode, NULL);
438 }
439
440 enum {
441 Opt_error = -1,
442 Opt_context = 1,
443 Opt_fscontext = 2,
444 Opt_defcontext = 3,
445 Opt_rootcontext = 4,
446 Opt_labelsupport = 5,
447 Opt_nextmntopt = 6,
448 };
449
450 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
451
452 static const match_table_t tokens = {
453 {Opt_context, CONTEXT_STR "%s"},
454 {Opt_fscontext, FSCONTEXT_STR "%s"},
455 {Opt_defcontext, DEFCONTEXT_STR "%s"},
456 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
457 {Opt_labelsupport, LABELSUPP_STR},
458 {Opt_error, NULL},
459 };
460
461 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
462
463 static int may_context_mount_sb_relabel(u32 sid,
464 struct superblock_security_struct *sbsec,
465 const struct cred *cred)
466 {
467 const struct task_security_struct *tsec = cred->security;
468 int rc;
469
470 rc = avc_has_perm(&selinux_state,
471 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
472 FILESYSTEM__RELABELFROM, NULL);
473 if (rc)
474 return rc;
475
476 rc = avc_has_perm(&selinux_state,
477 tsec->sid, sid, SECCLASS_FILESYSTEM,
478 FILESYSTEM__RELABELTO, NULL);
479 return rc;
480 }
481
482 static int may_context_mount_inode_relabel(u32 sid,
483 struct superblock_security_struct *sbsec,
484 const struct cred *cred)
485 {
486 const struct task_security_struct *tsec = cred->security;
487 int rc;
488 rc = avc_has_perm(&selinux_state,
489 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
490 FILESYSTEM__RELABELFROM, NULL);
491 if (rc)
492 return rc;
493
494 rc = avc_has_perm(&selinux_state,
495 sid, sbsec->sid, SECCLASS_FILESYSTEM,
496 FILESYSTEM__ASSOCIATE, NULL);
497 return rc;
498 }
499
500 static int selinux_is_sblabel_mnt(struct super_block *sb)
501 {
502 struct superblock_security_struct *sbsec = sb->s_security;
503
504 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
505 sbsec->behavior == SECURITY_FS_USE_TRANS ||
506 sbsec->behavior == SECURITY_FS_USE_TASK ||
507 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
508 /* Special handling. Genfs but also in-core setxattr handler */
509 !strcmp(sb->s_type->name, "sysfs") ||
510 !strcmp(sb->s_type->name, "pstore") ||
511 !strcmp(sb->s_type->name, "debugfs") ||
512 !strcmp(sb->s_type->name, "tracefs") ||
513 !strcmp(sb->s_type->name, "rootfs") ||
514 (selinux_policycap_cgroupseclabel() &&
515 (!strcmp(sb->s_type->name, "cgroup") ||
516 !strcmp(sb->s_type->name, "cgroup2")));
517 }
518
519 static int sb_finish_set_opts(struct super_block *sb)
520 {
521 struct superblock_security_struct *sbsec = sb->s_security;
522 struct dentry *root = sb->s_root;
523 struct inode *root_inode = d_backing_inode(root);
524 int rc = 0;
525
526 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
527 /* Make sure that the xattr handler exists and that no
528 error other than -ENODATA is returned by getxattr on
529 the root directory. -ENODATA is ok, as this may be
530 the first boot of the SELinux kernel before we have
531 assigned xattr values to the filesystem. */
532 if (!(root_inode->i_opflags & IOP_XATTR)) {
533 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
534 "xattr support\n", sb->s_id, sb->s_type->name);
535 rc = -EOPNOTSUPP;
536 goto out;
537 }
538
539 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
540 if (rc < 0 && rc != -ENODATA) {
541 if (rc == -EOPNOTSUPP)
542 printk(KERN_WARNING "SELinux: (dev %s, type "
543 "%s) has no security xattr handler\n",
544 sb->s_id, sb->s_type->name);
545 else
546 printk(KERN_WARNING "SELinux: (dev %s, type "
547 "%s) getxattr errno %d\n", sb->s_id,
548 sb->s_type->name, -rc);
549 goto out;
550 }
551 }
552
553 sbsec->flags |= SE_SBINITIALIZED;
554
555 /*
556 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
557 * leave the flag untouched because sb_clone_mnt_opts might be handing
558 * us a superblock that needs the flag to be cleared.
559 */
560 if (selinux_is_sblabel_mnt(sb))
561 sbsec->flags |= SBLABEL_MNT;
562 else
563 sbsec->flags &= ~SBLABEL_MNT;
564
565 /* Initialize the root inode. */
566 rc = inode_doinit_with_dentry(root_inode, root);
567
568 /* Initialize any other inodes associated with the superblock, e.g.
569 inodes created prior to initial policy load or inodes created
570 during get_sb by a pseudo filesystem that directly
571 populates itself. */
572 spin_lock(&sbsec->isec_lock);
573 next_inode:
574 if (!list_empty(&sbsec->isec_head)) {
575 struct inode_security_struct *isec =
576 list_entry(sbsec->isec_head.next,
577 struct inode_security_struct, list);
578 struct inode *inode = isec->inode;
579 list_del_init(&isec->list);
580 spin_unlock(&sbsec->isec_lock);
581 inode = igrab(inode);
582 if (inode) {
583 if (!IS_PRIVATE(inode))
584 inode_doinit(inode);
585 iput(inode);
586 }
587 spin_lock(&sbsec->isec_lock);
588 goto next_inode;
589 }
590 spin_unlock(&sbsec->isec_lock);
591 out:
592 return rc;
593 }
594
595 /*
596 * This function should allow an FS to ask what it's mount security
597 * options were so it can use those later for submounts, displaying
598 * mount options, or whatever.
599 */
600 static int selinux_get_mnt_opts(const struct super_block *sb,
601 struct security_mnt_opts *opts)
602 {
603 int rc = 0, i;
604 struct superblock_security_struct *sbsec = sb->s_security;
605 char *context = NULL;
606 u32 len;
607 char tmp;
608
609 security_init_mnt_opts(opts);
610
611 if (!(sbsec->flags & SE_SBINITIALIZED))
612 return -EINVAL;
613
614 if (!selinux_state.initialized)
615 return -EINVAL;
616
617 /* make sure we always check enough bits to cover the mask */
618 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
619
620 tmp = sbsec->flags & SE_MNTMASK;
621 /* count the number of mount options for this sb */
622 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
623 if (tmp & 0x01)
624 opts->num_mnt_opts++;
625 tmp >>= 1;
626 }
627 /* Check if the Label support flag is set */
628 if (sbsec->flags & SBLABEL_MNT)
629 opts->num_mnt_opts++;
630
631 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
632 if (!opts->mnt_opts) {
633 rc = -ENOMEM;
634 goto out_free;
635 }
636
637 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
638 if (!opts->mnt_opts_flags) {
639 rc = -ENOMEM;
640 goto out_free;
641 }
642
643 i = 0;
644 if (sbsec->flags & FSCONTEXT_MNT) {
645 rc = security_sid_to_context(&selinux_state, sbsec->sid,
646 &context, &len);
647 if (rc)
648 goto out_free;
649 opts->mnt_opts[i] = context;
650 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
651 }
652 if (sbsec->flags & CONTEXT_MNT) {
653 rc = security_sid_to_context(&selinux_state,
654 sbsec->mntpoint_sid,
655 &context, &len);
656 if (rc)
657 goto out_free;
658 opts->mnt_opts[i] = context;
659 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
660 }
661 if (sbsec->flags & DEFCONTEXT_MNT) {
662 rc = security_sid_to_context(&selinux_state, sbsec->def_sid,
663 &context, &len);
664 if (rc)
665 goto out_free;
666 opts->mnt_opts[i] = context;
667 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
668 }
669 if (sbsec->flags & ROOTCONTEXT_MNT) {
670 struct dentry *root = sbsec->sb->s_root;
671 struct inode_security_struct *isec = backing_inode_security(root);
672
673 rc = security_sid_to_context(&selinux_state, isec->sid,
674 &context, &len);
675 if (rc)
676 goto out_free;
677 opts->mnt_opts[i] = context;
678 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
679 }
680 if (sbsec->flags & SBLABEL_MNT) {
681 opts->mnt_opts[i] = NULL;
682 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
683 }
684
685 BUG_ON(i != opts->num_mnt_opts);
686
687 return 0;
688
689 out_free:
690 security_free_mnt_opts(opts);
691 return rc;
692 }
693
694 static int bad_option(struct superblock_security_struct *sbsec, char flag,
695 u32 old_sid, u32 new_sid)
696 {
697 char mnt_flags = sbsec->flags & SE_MNTMASK;
698
699 /* check if the old mount command had the same options */
700 if (sbsec->flags & SE_SBINITIALIZED)
701 if (!(sbsec->flags & flag) ||
702 (old_sid != new_sid))
703 return 1;
704
705 /* check if we were passed the same options twice,
706 * aka someone passed context=a,context=b
707 */
708 if (!(sbsec->flags & SE_SBINITIALIZED))
709 if (mnt_flags & flag)
710 return 1;
711 return 0;
712 }
713
714 /*
715 * Allow filesystems with binary mount data to explicitly set mount point
716 * labeling information.
717 */
718 static int selinux_set_mnt_opts(struct super_block *sb,
719 struct security_mnt_opts *opts,
720 unsigned long kern_flags,
721 unsigned long *set_kern_flags)
722 {
723 const struct cred *cred = current_cred();
724 int rc = 0, i;
725 struct superblock_security_struct *sbsec = sb->s_security;
726 const char *name = sb->s_type->name;
727 struct dentry *root = sbsec->sb->s_root;
728 struct inode_security_struct *root_isec;
729 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
730 u32 defcontext_sid = 0;
731 char **mount_options = opts->mnt_opts;
732 int *flags = opts->mnt_opts_flags;
733 int num_opts = opts->num_mnt_opts;
734
735 mutex_lock(&sbsec->lock);
736
737 if (!selinux_state.initialized) {
738 if (!num_opts) {
739 /* Defer initialization until selinux_complete_init,
740 after the initial policy is loaded and the security
741 server is ready to handle calls. */
742 goto out;
743 }
744 rc = -EINVAL;
745 printk(KERN_WARNING "SELinux: Unable to set superblock options "
746 "before the security server is initialized\n");
747 goto out;
748 }
749 if (kern_flags && !set_kern_flags) {
750 /* Specifying internal flags without providing a place to
751 * place the results is not allowed */
752 rc = -EINVAL;
753 goto out;
754 }
755
756 /*
757 * Binary mount data FS will come through this function twice. Once
758 * from an explicit call and once from the generic calls from the vfs.
759 * Since the generic VFS calls will not contain any security mount data
760 * we need to skip the double mount verification.
761 *
762 * This does open a hole in which we will not notice if the first
763 * mount using this sb set explict options and a second mount using
764 * this sb does not set any security options. (The first options
765 * will be used for both mounts)
766 */
767 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
768 && (num_opts == 0))
769 goto out;
770
771 root_isec = backing_inode_security_novalidate(root);
772
773 /*
774 * parse the mount options, check if they are valid sids.
775 * also check if someone is trying to mount the same sb more
776 * than once with different security options.
777 */
778 for (i = 0; i < num_opts; i++) {
779 u32 sid;
780
781 if (flags[i] == SBLABEL_MNT)
782 continue;
783 rc = security_context_str_to_sid(&selinux_state,
784 mount_options[i], &sid,
785 GFP_KERNEL);
786 if (rc) {
787 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
788 "(%s) failed for (dev %s, type %s) errno=%d\n",
789 mount_options[i], sb->s_id, name, rc);
790 goto out;
791 }
792 switch (flags[i]) {
793 case FSCONTEXT_MNT:
794 fscontext_sid = sid;
795
796 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
797 fscontext_sid))
798 goto out_double_mount;
799
800 sbsec->flags |= FSCONTEXT_MNT;
801 break;
802 case CONTEXT_MNT:
803 context_sid = sid;
804
805 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
806 context_sid))
807 goto out_double_mount;
808
809 sbsec->flags |= CONTEXT_MNT;
810 break;
811 case ROOTCONTEXT_MNT:
812 rootcontext_sid = sid;
813
814 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
815 rootcontext_sid))
816 goto out_double_mount;
817
818 sbsec->flags |= ROOTCONTEXT_MNT;
819
820 break;
821 case DEFCONTEXT_MNT:
822 defcontext_sid = sid;
823
824 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
825 defcontext_sid))
826 goto out_double_mount;
827
828 sbsec->flags |= DEFCONTEXT_MNT;
829
830 break;
831 default:
832 rc = -EINVAL;
833 goto out;
834 }
835 }
836
837 if (sbsec->flags & SE_SBINITIALIZED) {
838 /* previously mounted with options, but not on this attempt? */
839 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
840 goto out_double_mount;
841 rc = 0;
842 goto out;
843 }
844
845 if (strcmp(sb->s_type->name, "proc") == 0)
846 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
847
848 if (!strcmp(sb->s_type->name, "debugfs") ||
849 !strcmp(sb->s_type->name, "tracefs") ||
850 !strcmp(sb->s_type->name, "sysfs") ||
851 !strcmp(sb->s_type->name, "pstore") ||
852 !strcmp(sb->s_type->name, "cgroup") ||
853 !strcmp(sb->s_type->name, "cgroup2"))
854 sbsec->flags |= SE_SBGENFS;
855
856 if (!sbsec->behavior) {
857 /*
858 * Determine the labeling behavior to use for this
859 * filesystem type.
860 */
861 rc = security_fs_use(&selinux_state, sb);
862 if (rc) {
863 printk(KERN_WARNING
864 "%s: security_fs_use(%s) returned %d\n",
865 __func__, sb->s_type->name, rc);
866 goto out;
867 }
868 }
869
870 /*
871 * If this is a user namespace mount and the filesystem type is not
872 * explicitly whitelisted, then no contexts are allowed on the command
873 * line and security labels must be ignored.
874 */
875 if (sb->s_user_ns != &init_user_ns &&
876 strcmp(sb->s_type->name, "tmpfs") &&
877 strcmp(sb->s_type->name, "ramfs") &&
878 strcmp(sb->s_type->name, "devpts")) {
879 if (context_sid || fscontext_sid || rootcontext_sid ||
880 defcontext_sid) {
881 rc = -EACCES;
882 goto out;
883 }
884 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
885 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
886 rc = security_transition_sid(&selinux_state,
887 current_sid(),
888 current_sid(),
889 SECCLASS_FILE, NULL,
890 &sbsec->mntpoint_sid);
891 if (rc)
892 goto out;
893 }
894 goto out_set_opts;
895 }
896
897 /* sets the context of the superblock for the fs being mounted. */
898 if (fscontext_sid) {
899 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
900 if (rc)
901 goto out;
902
903 sbsec->sid = fscontext_sid;
904 }
905
906 /*
907 * Switch to using mount point labeling behavior.
908 * sets the label used on all file below the mountpoint, and will set
909 * the superblock context if not already set.
910 */
911 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
912 sbsec->behavior = SECURITY_FS_USE_NATIVE;
913 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
914 }
915
916 if (context_sid) {
917 if (!fscontext_sid) {
918 rc = may_context_mount_sb_relabel(context_sid, sbsec,
919 cred);
920 if (rc)
921 goto out;
922 sbsec->sid = context_sid;
923 } else {
924 rc = may_context_mount_inode_relabel(context_sid, sbsec,
925 cred);
926 if (rc)
927 goto out;
928 }
929 if (!rootcontext_sid)
930 rootcontext_sid = context_sid;
931
932 sbsec->mntpoint_sid = context_sid;
933 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
934 }
935
936 if (rootcontext_sid) {
937 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
938 cred);
939 if (rc)
940 goto out;
941
942 root_isec->sid = rootcontext_sid;
943 root_isec->initialized = LABEL_INITIALIZED;
944 }
945
946 if (defcontext_sid) {
947 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
948 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
949 rc = -EINVAL;
950 printk(KERN_WARNING "SELinux: defcontext option is "
951 "invalid for this filesystem type\n");
952 goto out;
953 }
954
955 if (defcontext_sid != sbsec->def_sid) {
956 rc = may_context_mount_inode_relabel(defcontext_sid,
957 sbsec, cred);
958 if (rc)
959 goto out;
960 }
961
962 sbsec->def_sid = defcontext_sid;
963 }
964
965 out_set_opts:
966 rc = sb_finish_set_opts(sb);
967 out:
968 mutex_unlock(&sbsec->lock);
969 return rc;
970 out_double_mount:
971 rc = -EINVAL;
972 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
973 "security settings for (dev %s, type %s)\n", sb->s_id, name);
974 goto out;
975 }
976
977 static int selinux_cmp_sb_context(const struct super_block *oldsb,
978 const struct super_block *newsb)
979 {
980 struct superblock_security_struct *old = oldsb->s_security;
981 struct superblock_security_struct *new = newsb->s_security;
982 char oldflags = old->flags & SE_MNTMASK;
983 char newflags = new->flags & SE_MNTMASK;
984
985 if (oldflags != newflags)
986 goto mismatch;
987 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
988 goto mismatch;
989 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
990 goto mismatch;
991 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
992 goto mismatch;
993 if (oldflags & ROOTCONTEXT_MNT) {
994 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
995 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
996 if (oldroot->sid != newroot->sid)
997 goto mismatch;
998 }
999 return 0;
1000 mismatch:
1001 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
1002 "different security settings for (dev %s, "
1003 "type %s)\n", newsb->s_id, newsb->s_type->name);
1004 return -EBUSY;
1005 }
1006
1007 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
1008 struct super_block *newsb,
1009 unsigned long kern_flags,
1010 unsigned long *set_kern_flags)
1011 {
1012 int rc = 0;
1013 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
1014 struct superblock_security_struct *newsbsec = newsb->s_security;
1015
1016 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
1017 int set_context = (oldsbsec->flags & CONTEXT_MNT);
1018 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
1019
1020 /*
1021 * if the parent was able to be mounted it clearly had no special lsm
1022 * mount options. thus we can safely deal with this superblock later
1023 */
1024 if (!selinux_state.initialized)
1025 return 0;
1026
1027 /*
1028 * Specifying internal flags without providing a place to
1029 * place the results is not allowed.
1030 */
1031 if (kern_flags && !set_kern_flags)
1032 return -EINVAL;
1033
1034 /* how can we clone if the old one wasn't set up?? */
1035 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1036
1037 /* if fs is reusing a sb, make sure that the contexts match */
1038 if (newsbsec->flags & SE_SBINITIALIZED)
1039 return selinux_cmp_sb_context(oldsb, newsb);
1040
1041 mutex_lock(&newsbsec->lock);
1042
1043 newsbsec->flags = oldsbsec->flags;
1044
1045 newsbsec->sid = oldsbsec->sid;
1046 newsbsec->def_sid = oldsbsec->def_sid;
1047 newsbsec->behavior = oldsbsec->behavior;
1048
1049 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1050 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1051 rc = security_fs_use(&selinux_state, newsb);
1052 if (rc)
1053 goto out;
1054 }
1055
1056 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1057 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1058 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1059 }
1060
1061 if (set_context) {
1062 u32 sid = oldsbsec->mntpoint_sid;
1063
1064 if (!set_fscontext)
1065 newsbsec->sid = sid;
1066 if (!set_rootcontext) {
1067 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1068 newisec->sid = sid;
1069 }
1070 newsbsec->mntpoint_sid = sid;
1071 }
1072 if (set_rootcontext) {
1073 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1074 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1075
1076 newisec->sid = oldisec->sid;
1077 }
1078
1079 sb_finish_set_opts(newsb);
1080 out:
1081 mutex_unlock(&newsbsec->lock);
1082 return rc;
1083 }
1084
1085 static int selinux_parse_opts_str(char *options,
1086 struct security_mnt_opts *opts)
1087 {
1088 char *p;
1089 char *context = NULL, *defcontext = NULL;
1090 char *fscontext = NULL, *rootcontext = NULL;
1091 int rc, num_mnt_opts = 0;
1092
1093 opts->num_mnt_opts = 0;
1094
1095 /* Standard string-based options. */
1096 while ((p = strsep(&options, "|")) != NULL) {
1097 int token;
1098 substring_t args[MAX_OPT_ARGS];
1099
1100 if (!*p)
1101 continue;
1102
1103 token = match_token(p, tokens, args);
1104
1105 switch (token) {
1106 case Opt_context:
1107 if (context || defcontext) {
1108 rc = -EINVAL;
1109 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1110 goto out_err;
1111 }
1112 context = match_strdup(&args[0]);
1113 if (!context) {
1114 rc = -ENOMEM;
1115 goto out_err;
1116 }
1117 break;
1118
1119 case Opt_fscontext:
1120 if (fscontext) {
1121 rc = -EINVAL;
1122 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1123 goto out_err;
1124 }
1125 fscontext = match_strdup(&args[0]);
1126 if (!fscontext) {
1127 rc = -ENOMEM;
1128 goto out_err;
1129 }
1130 break;
1131
1132 case Opt_rootcontext:
1133 if (rootcontext) {
1134 rc = -EINVAL;
1135 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1136 goto out_err;
1137 }
1138 rootcontext = match_strdup(&args[0]);
1139 if (!rootcontext) {
1140 rc = -ENOMEM;
1141 goto out_err;
1142 }
1143 break;
1144
1145 case Opt_defcontext:
1146 if (context || defcontext) {
1147 rc = -EINVAL;
1148 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1149 goto out_err;
1150 }
1151 defcontext = match_strdup(&args[0]);
1152 if (!defcontext) {
1153 rc = -ENOMEM;
1154 goto out_err;
1155 }
1156 break;
1157 case Opt_labelsupport:
1158 break;
1159 default:
1160 rc = -EINVAL;
1161 printk(KERN_WARNING "SELinux: unknown mount option\n");
1162 goto out_err;
1163
1164 }
1165 }
1166
1167 rc = -ENOMEM;
1168 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1169 if (!opts->mnt_opts)
1170 goto out_err;
1171
1172 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1173 GFP_KERNEL);
1174 if (!opts->mnt_opts_flags)
1175 goto out_err;
1176
1177 if (fscontext) {
1178 opts->mnt_opts[num_mnt_opts] = fscontext;
1179 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1180 }
1181 if (context) {
1182 opts->mnt_opts[num_mnt_opts] = context;
1183 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1184 }
1185 if (rootcontext) {
1186 opts->mnt_opts[num_mnt_opts] = rootcontext;
1187 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1188 }
1189 if (defcontext) {
1190 opts->mnt_opts[num_mnt_opts] = defcontext;
1191 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1192 }
1193
1194 opts->num_mnt_opts = num_mnt_opts;
1195 return 0;
1196
1197 out_err:
1198 security_free_mnt_opts(opts);
1199 kfree(context);
1200 kfree(defcontext);
1201 kfree(fscontext);
1202 kfree(rootcontext);
1203 return rc;
1204 }
1205 /*
1206 * string mount options parsing and call set the sbsec
1207 */
1208 static int superblock_doinit(struct super_block *sb, void *data)
1209 {
1210 int rc = 0;
1211 char *options = data;
1212 struct security_mnt_opts opts;
1213
1214 security_init_mnt_opts(&opts);
1215
1216 if (!data)
1217 goto out;
1218
1219 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1220
1221 rc = selinux_parse_opts_str(options, &opts);
1222 if (rc)
1223 goto out_err;
1224
1225 out:
1226 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1227
1228 out_err:
1229 security_free_mnt_opts(&opts);
1230 return rc;
1231 }
1232
1233 static void selinux_write_opts(struct seq_file *m,
1234 struct security_mnt_opts *opts)
1235 {
1236 int i;
1237 char *prefix;
1238
1239 for (i = 0; i < opts->num_mnt_opts; i++) {
1240 char *has_comma;
1241
1242 if (opts->mnt_opts[i])
1243 has_comma = strchr(opts->mnt_opts[i], ',');
1244 else
1245 has_comma = NULL;
1246
1247 switch (opts->mnt_opts_flags[i]) {
1248 case CONTEXT_MNT:
1249 prefix = CONTEXT_STR;
1250 break;
1251 case FSCONTEXT_MNT:
1252 prefix = FSCONTEXT_STR;
1253 break;
1254 case ROOTCONTEXT_MNT:
1255 prefix = ROOTCONTEXT_STR;
1256 break;
1257 case DEFCONTEXT_MNT:
1258 prefix = DEFCONTEXT_STR;
1259 break;
1260 case SBLABEL_MNT:
1261 seq_putc(m, ',');
1262 seq_puts(m, LABELSUPP_STR);
1263 continue;
1264 default:
1265 BUG();
1266 return;
1267 };
1268 /* we need a comma before each option */
1269 seq_putc(m, ',');
1270 seq_puts(m, prefix);
1271 if (has_comma)
1272 seq_putc(m, '\"');
1273 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1274 if (has_comma)
1275 seq_putc(m, '\"');
1276 }
1277 }
1278
1279 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1280 {
1281 struct security_mnt_opts opts;
1282 int rc;
1283
1284 rc = selinux_get_mnt_opts(sb, &opts);
1285 if (rc) {
1286 /* before policy load we may get EINVAL, don't show anything */
1287 if (rc == -EINVAL)
1288 rc = 0;
1289 return rc;
1290 }
1291
1292 selinux_write_opts(m, &opts);
1293
1294 security_free_mnt_opts(&opts);
1295
1296 return rc;
1297 }
1298
1299 static inline u16 inode_mode_to_security_class(umode_t mode)
1300 {
1301 switch (mode & S_IFMT) {
1302 case S_IFSOCK:
1303 return SECCLASS_SOCK_FILE;
1304 case S_IFLNK:
1305 return SECCLASS_LNK_FILE;
1306 case S_IFREG:
1307 return SECCLASS_FILE;
1308 case S_IFBLK:
1309 return SECCLASS_BLK_FILE;
1310 case S_IFDIR:
1311 return SECCLASS_DIR;
1312 case S_IFCHR:
1313 return SECCLASS_CHR_FILE;
1314 case S_IFIFO:
1315 return SECCLASS_FIFO_FILE;
1316
1317 }
1318
1319 return SECCLASS_FILE;
1320 }
1321
1322 static inline int default_protocol_stream(int protocol)
1323 {
1324 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1325 }
1326
1327 static inline int default_protocol_dgram(int protocol)
1328 {
1329 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1330 }
1331
1332 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1333 {
1334 int extsockclass = selinux_policycap_extsockclass();
1335
1336 switch (family) {
1337 case PF_UNIX:
1338 switch (type) {
1339 case SOCK_STREAM:
1340 case SOCK_SEQPACKET:
1341 return SECCLASS_UNIX_STREAM_SOCKET;
1342 case SOCK_DGRAM:
1343 case SOCK_RAW:
1344 return SECCLASS_UNIX_DGRAM_SOCKET;
1345 }
1346 break;
1347 case PF_INET:
1348 case PF_INET6:
1349 switch (type) {
1350 case SOCK_STREAM:
1351 case SOCK_SEQPACKET:
1352 if (default_protocol_stream(protocol))
1353 return SECCLASS_TCP_SOCKET;
1354 else if (extsockclass && protocol == IPPROTO_SCTP)
1355 return SECCLASS_SCTP_SOCKET;
1356 else
1357 return SECCLASS_RAWIP_SOCKET;
1358 case SOCK_DGRAM:
1359 if (default_protocol_dgram(protocol))
1360 return SECCLASS_UDP_SOCKET;
1361 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1362 protocol == IPPROTO_ICMPV6))
1363 return SECCLASS_ICMP_SOCKET;
1364 else
1365 return SECCLASS_RAWIP_SOCKET;
1366 case SOCK_DCCP:
1367 return SECCLASS_DCCP_SOCKET;
1368 default:
1369 return SECCLASS_RAWIP_SOCKET;
1370 }
1371 break;
1372 case PF_NETLINK:
1373 switch (protocol) {
1374 case NETLINK_ROUTE:
1375 return SECCLASS_NETLINK_ROUTE_SOCKET;
1376 case NETLINK_SOCK_DIAG:
1377 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1378 case NETLINK_NFLOG:
1379 return SECCLASS_NETLINK_NFLOG_SOCKET;
1380 case NETLINK_XFRM:
1381 return SECCLASS_NETLINK_XFRM_SOCKET;
1382 case NETLINK_SELINUX:
1383 return SECCLASS_NETLINK_SELINUX_SOCKET;
1384 case NETLINK_ISCSI:
1385 return SECCLASS_NETLINK_ISCSI_SOCKET;
1386 case NETLINK_AUDIT:
1387 return SECCLASS_NETLINK_AUDIT_SOCKET;
1388 case NETLINK_FIB_LOOKUP:
1389 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1390 case NETLINK_CONNECTOR:
1391 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1392 case NETLINK_NETFILTER:
1393 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1394 case NETLINK_DNRTMSG:
1395 return SECCLASS_NETLINK_DNRT_SOCKET;
1396 case NETLINK_KOBJECT_UEVENT:
1397 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1398 case NETLINK_GENERIC:
1399 return SECCLASS_NETLINK_GENERIC_SOCKET;
1400 case NETLINK_SCSITRANSPORT:
1401 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1402 case NETLINK_RDMA:
1403 return SECCLASS_NETLINK_RDMA_SOCKET;
1404 case NETLINK_CRYPTO:
1405 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1406 default:
1407 return SECCLASS_NETLINK_SOCKET;
1408 }
1409 case PF_PACKET:
1410 return SECCLASS_PACKET_SOCKET;
1411 case PF_KEY:
1412 return SECCLASS_KEY_SOCKET;
1413 case PF_APPLETALK:
1414 return SECCLASS_APPLETALK_SOCKET;
1415 }
1416
1417 if (extsockclass) {
1418 switch (family) {
1419 case PF_AX25:
1420 return SECCLASS_AX25_SOCKET;
1421 case PF_IPX:
1422 return SECCLASS_IPX_SOCKET;
1423 case PF_NETROM:
1424 return SECCLASS_NETROM_SOCKET;
1425 case PF_ATMPVC:
1426 return SECCLASS_ATMPVC_SOCKET;
1427 case PF_X25:
1428 return SECCLASS_X25_SOCKET;
1429 case PF_ROSE:
1430 return SECCLASS_ROSE_SOCKET;
1431 case PF_DECnet:
1432 return SECCLASS_DECNET_SOCKET;
1433 case PF_ATMSVC:
1434 return SECCLASS_ATMSVC_SOCKET;
1435 case PF_RDS:
1436 return SECCLASS_RDS_SOCKET;
1437 case PF_IRDA:
1438 return SECCLASS_IRDA_SOCKET;
1439 case PF_PPPOX:
1440 return SECCLASS_PPPOX_SOCKET;
1441 case PF_LLC:
1442 return SECCLASS_LLC_SOCKET;
1443 case PF_CAN:
1444 return SECCLASS_CAN_SOCKET;
1445 case PF_TIPC:
1446 return SECCLASS_TIPC_SOCKET;
1447 case PF_BLUETOOTH:
1448 return SECCLASS_BLUETOOTH_SOCKET;
1449 case PF_IUCV:
1450 return SECCLASS_IUCV_SOCKET;
1451 case PF_RXRPC:
1452 return SECCLASS_RXRPC_SOCKET;
1453 case PF_ISDN:
1454 return SECCLASS_ISDN_SOCKET;
1455 case PF_PHONET:
1456 return SECCLASS_PHONET_SOCKET;
1457 case PF_IEEE802154:
1458 return SECCLASS_IEEE802154_SOCKET;
1459 case PF_CAIF:
1460 return SECCLASS_CAIF_SOCKET;
1461 case PF_ALG:
1462 return SECCLASS_ALG_SOCKET;
1463 case PF_NFC:
1464 return SECCLASS_NFC_SOCKET;
1465 case PF_VSOCK:
1466 return SECCLASS_VSOCK_SOCKET;
1467 case PF_KCM:
1468 return SECCLASS_KCM_SOCKET;
1469 case PF_QIPCRTR:
1470 return SECCLASS_QIPCRTR_SOCKET;
1471 case PF_SMC:
1472 return SECCLASS_SMC_SOCKET;
1473 case PF_XDP:
1474 return SECCLASS_XDP_SOCKET;
1475 #if PF_MAX > 45
1476 #error New address family defined, please update this function.
1477 #endif
1478 }
1479 }
1480
1481 return SECCLASS_SOCKET;
1482 }
1483
1484 static int selinux_genfs_get_sid(struct dentry *dentry,
1485 u16 tclass,
1486 u16 flags,
1487 u32 *sid)
1488 {
1489 int rc;
1490 struct super_block *sb = dentry->d_sb;
1491 char *buffer, *path;
1492
1493 buffer = (char *)__get_free_page(GFP_KERNEL);
1494 if (!buffer)
1495 return -ENOMEM;
1496
1497 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1498 if (IS_ERR(path))
1499 rc = PTR_ERR(path);
1500 else {
1501 if (flags & SE_SBPROC) {
1502 /* each process gets a /proc/PID/ entry. Strip off the
1503 * PID part to get a valid selinux labeling.
1504 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1505 while (path[1] >= '0' && path[1] <= '9') {
1506 path[1] = '/';
1507 path++;
1508 }
1509 }
1510 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1511 path, tclass, sid);
1512 }
1513 free_page((unsigned long)buffer);
1514 return rc;
1515 }
1516
1517 /* The inode's security attributes must be initialized before first use. */
1518 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1519 {
1520 struct superblock_security_struct *sbsec = NULL;
1521 struct inode_security_struct *isec = inode->i_security;
1522 u32 task_sid, sid = 0;
1523 u16 sclass;
1524 struct dentry *dentry;
1525 #define INITCONTEXTLEN 255
1526 char *context = NULL;
1527 unsigned len = 0;
1528 int rc = 0;
1529
1530 if (isec->initialized == LABEL_INITIALIZED)
1531 return 0;
1532
1533 spin_lock(&isec->lock);
1534 if (isec->initialized == LABEL_INITIALIZED)
1535 goto out_unlock;
1536
1537 if (isec->sclass == SECCLASS_FILE)
1538 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1539
1540 sbsec = inode->i_sb->s_security;
1541 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1542 /* Defer initialization until selinux_complete_init,
1543 after the initial policy is loaded and the security
1544 server is ready to handle calls. */
1545 spin_lock(&sbsec->isec_lock);
1546 if (list_empty(&isec->list))
1547 list_add(&isec->list, &sbsec->isec_head);
1548 spin_unlock(&sbsec->isec_lock);
1549 goto out_unlock;
1550 }
1551
1552 sclass = isec->sclass;
1553 task_sid = isec->task_sid;
1554 sid = isec->sid;
1555 isec->initialized = LABEL_PENDING;
1556 spin_unlock(&isec->lock);
1557
1558 switch (sbsec->behavior) {
1559 case SECURITY_FS_USE_NATIVE:
1560 break;
1561 case SECURITY_FS_USE_XATTR:
1562 if (!(inode->i_opflags & IOP_XATTR)) {
1563 sid = sbsec->def_sid;
1564 break;
1565 }
1566 /* Need a dentry, since the xattr API requires one.
1567 Life would be simpler if we could just pass the inode. */
1568 if (opt_dentry) {
1569 /* Called from d_instantiate or d_splice_alias. */
1570 dentry = dget(opt_dentry);
1571 } else {
1572 /*
1573 * Called from selinux_complete_init, try to find a dentry.
1574 * Some filesystems really want a connected one, so try
1575 * that first. We could split SECURITY_FS_USE_XATTR in
1576 * two, depending upon that...
1577 */
1578 dentry = d_find_alias(inode);
1579 if (!dentry)
1580 dentry = d_find_any_alias(inode);
1581 }
1582 if (!dentry) {
1583 /*
1584 * this is can be hit on boot when a file is accessed
1585 * before the policy is loaded. When we load policy we
1586 * may find inodes that have no dentry on the
1587 * sbsec->isec_head list. No reason to complain as these
1588 * will get fixed up the next time we go through
1589 * inode_doinit with a dentry, before these inodes could
1590 * be used again by userspace.
1591 */
1592 goto out;
1593 }
1594
1595 len = INITCONTEXTLEN;
1596 context = kmalloc(len+1, GFP_NOFS);
1597 if (!context) {
1598 rc = -ENOMEM;
1599 dput(dentry);
1600 goto out;
1601 }
1602 context[len] = '\0';
1603 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1604 if (rc == -ERANGE) {
1605 kfree(context);
1606
1607 /* Need a larger buffer. Query for the right size. */
1608 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1609 if (rc < 0) {
1610 dput(dentry);
1611 goto out;
1612 }
1613 len = rc;
1614 context = kmalloc(len+1, GFP_NOFS);
1615 if (!context) {
1616 rc = -ENOMEM;
1617 dput(dentry);
1618 goto out;
1619 }
1620 context[len] = '\0';
1621 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1622 }
1623 dput(dentry);
1624 if (rc < 0) {
1625 if (rc != -ENODATA) {
1626 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1627 "%d for dev=%s ino=%ld\n", __func__,
1628 -rc, inode->i_sb->s_id, inode->i_ino);
1629 kfree(context);
1630 goto out;
1631 }
1632 /* Map ENODATA to the default file SID */
1633 sid = sbsec->def_sid;
1634 rc = 0;
1635 } else {
1636 rc = security_context_to_sid_default(&selinux_state,
1637 context, rc, &sid,
1638 sbsec->def_sid,
1639 GFP_NOFS);
1640 if (rc) {
1641 char *dev = inode->i_sb->s_id;
1642 unsigned long ino = inode->i_ino;
1643
1644 if (rc == -EINVAL) {
1645 if (printk_ratelimit())
1646 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1647 "context=%s. This indicates you may need to relabel the inode or the "
1648 "filesystem in question.\n", ino, dev, context);
1649 } else {
1650 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1651 "returned %d for dev=%s ino=%ld\n",
1652 __func__, context, -rc, dev, ino);
1653 }
1654 kfree(context);
1655 /* Leave with the unlabeled SID */
1656 rc = 0;
1657 break;
1658 }
1659 }
1660 kfree(context);
1661 break;
1662 case SECURITY_FS_USE_TASK:
1663 sid = task_sid;
1664 break;
1665 case SECURITY_FS_USE_TRANS:
1666 /* Default to the fs SID. */
1667 sid = sbsec->sid;
1668
1669 /* Try to obtain a transition SID. */
1670 rc = security_transition_sid(&selinux_state, task_sid, sid,
1671 sclass, NULL, &sid);
1672 if (rc)
1673 goto out;
1674 break;
1675 case SECURITY_FS_USE_MNTPOINT:
1676 sid = sbsec->mntpoint_sid;
1677 break;
1678 default:
1679 /* Default to the fs superblock SID. */
1680 sid = sbsec->sid;
1681
1682 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1683 /* We must have a dentry to determine the label on
1684 * procfs inodes */
1685 if (opt_dentry) {
1686 /* Called from d_instantiate or
1687 * d_splice_alias. */
1688 dentry = dget(opt_dentry);
1689 } else {
1690 /* Called from selinux_complete_init, try to
1691 * find a dentry. Some filesystems really want
1692 * a connected one, so try that first.
1693 */
1694 dentry = d_find_alias(inode);
1695 if (!dentry)
1696 dentry = d_find_any_alias(inode);
1697 }
1698 /*
1699 * This can be hit on boot when a file is accessed
1700 * before the policy is loaded. When we load policy we
1701 * may find inodes that have no dentry on the
1702 * sbsec->isec_head list. No reason to complain as
1703 * these will get fixed up the next time we go through
1704 * inode_doinit() with a dentry, before these inodes
1705 * could be used again by userspace.
1706 */
1707 if (!dentry)
1708 goto out;
1709 rc = selinux_genfs_get_sid(dentry, sclass,
1710 sbsec->flags, &sid);
1711 dput(dentry);
1712 if (rc)
1713 goto out;
1714 }
1715 break;
1716 }
1717
1718 out:
1719 spin_lock(&isec->lock);
1720 if (isec->initialized == LABEL_PENDING) {
1721 if (!sid || rc) {
1722 isec->initialized = LABEL_INVALID;
1723 goto out_unlock;
1724 }
1725
1726 isec->initialized = LABEL_INITIALIZED;
1727 isec->sid = sid;
1728 }
1729
1730 out_unlock:
1731 spin_unlock(&isec->lock);
1732 return rc;
1733 }
1734
1735 /* Convert a Linux signal to an access vector. */
1736 static inline u32 signal_to_av(int sig)
1737 {
1738 u32 perm = 0;
1739
1740 switch (sig) {
1741 case SIGCHLD:
1742 /* Commonly granted from child to parent. */
1743 perm = PROCESS__SIGCHLD;
1744 break;
1745 case SIGKILL:
1746 /* Cannot be caught or ignored */
1747 perm = PROCESS__SIGKILL;
1748 break;
1749 case SIGSTOP:
1750 /* Cannot be caught or ignored */
1751 perm = PROCESS__SIGSTOP;
1752 break;
1753 default:
1754 /* All other signals. */
1755 perm = PROCESS__SIGNAL;
1756 break;
1757 }
1758
1759 return perm;
1760 }
1761
1762 #if CAP_LAST_CAP > 63
1763 #error Fix SELinux to handle capabilities > 63.
1764 #endif
1765
1766 /* Check whether a task is allowed to use a capability. */
1767 static int cred_has_capability(const struct cred *cred,
1768 int cap, int audit, bool initns)
1769 {
1770 struct common_audit_data ad;
1771 struct av_decision avd;
1772 u16 sclass;
1773 u32 sid = cred_sid(cred);
1774 u32 av = CAP_TO_MASK(cap);
1775 int rc;
1776
1777 ad.type = LSM_AUDIT_DATA_CAP;
1778 ad.u.cap = cap;
1779
1780 switch (CAP_TO_INDEX(cap)) {
1781 case 0:
1782 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1783 break;
1784 case 1:
1785 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1786 break;
1787 default:
1788 printk(KERN_ERR
1789 "SELinux: out of range capability %d\n", cap);
1790 BUG();
1791 return -EINVAL;
1792 }
1793
1794 rc = avc_has_perm_noaudit(&selinux_state,
1795 sid, sid, sclass, av, 0, &avd);
1796 if (audit == SECURITY_CAP_AUDIT) {
1797 int rc2 = avc_audit(&selinux_state,
1798 sid, sid, sclass, av, &avd, rc, &ad, 0);
1799 if (rc2)
1800 return rc2;
1801 }
1802 return rc;
1803 }
1804
1805 /* Check whether a task has a particular permission to an inode.
1806 The 'adp' parameter is optional and allows other audit
1807 data to be passed (e.g. the dentry). */
1808 static int inode_has_perm(const struct cred *cred,
1809 struct inode *inode,
1810 u32 perms,
1811 struct common_audit_data *adp)
1812 {
1813 struct inode_security_struct *isec;
1814 u32 sid;
1815
1816 validate_creds(cred);
1817
1818 if (unlikely(IS_PRIVATE(inode)))
1819 return 0;
1820
1821 sid = cred_sid(cred);
1822 isec = inode->i_security;
1823
1824 return avc_has_perm(&selinux_state,
1825 sid, isec->sid, isec->sclass, perms, adp);
1826 }
1827
1828 /* Same as inode_has_perm, but pass explicit audit data containing
1829 the dentry to help the auditing code to more easily generate the
1830 pathname if needed. */
1831 static inline int dentry_has_perm(const struct cred *cred,
1832 struct dentry *dentry,
1833 u32 av)
1834 {
1835 struct inode *inode = d_backing_inode(dentry);
1836 struct common_audit_data ad;
1837
1838 ad.type = LSM_AUDIT_DATA_DENTRY;
1839 ad.u.dentry = dentry;
1840 __inode_security_revalidate(inode, dentry, true);
1841 return inode_has_perm(cred, inode, av, &ad);
1842 }
1843
1844 /* Same as inode_has_perm, but pass explicit audit data containing
1845 the path to help the auditing code to more easily generate the
1846 pathname if needed. */
1847 static inline int path_has_perm(const struct cred *cred,
1848 const struct path *path,
1849 u32 av)
1850 {
1851 struct inode *inode = d_backing_inode(path->dentry);
1852 struct common_audit_data ad;
1853
1854 ad.type = LSM_AUDIT_DATA_PATH;
1855 ad.u.path = *path;
1856 __inode_security_revalidate(inode, path->dentry, true);
1857 return inode_has_perm(cred, inode, av, &ad);
1858 }
1859
1860 /* Same as path_has_perm, but uses the inode from the file struct. */
1861 static inline int file_path_has_perm(const struct cred *cred,
1862 struct file *file,
1863 u32 av)
1864 {
1865 struct common_audit_data ad;
1866
1867 ad.type = LSM_AUDIT_DATA_FILE;
1868 ad.u.file = file;
1869 return inode_has_perm(cred, file_inode(file), av, &ad);
1870 }
1871
1872 #ifdef CONFIG_BPF_SYSCALL
1873 static int bpf_fd_pass(struct file *file, u32 sid);
1874 #endif
1875
1876 /* Check whether a task can use an open file descriptor to
1877 access an inode in a given way. Check access to the
1878 descriptor itself, and then use dentry_has_perm to
1879 check a particular permission to the file.
1880 Access to the descriptor is implicitly granted if it
1881 has the same SID as the process. If av is zero, then
1882 access to the file is not checked, e.g. for cases
1883 where only the descriptor is affected like seek. */
1884 static int file_has_perm(const struct cred *cred,
1885 struct file *file,
1886 u32 av)
1887 {
1888 struct file_security_struct *fsec = file->f_security;
1889 struct inode *inode = file_inode(file);
1890 struct common_audit_data ad;
1891 u32 sid = cred_sid(cred);
1892 int rc;
1893
1894 ad.type = LSM_AUDIT_DATA_FILE;
1895 ad.u.file = file;
1896
1897 if (sid != fsec->sid) {
1898 rc = avc_has_perm(&selinux_state,
1899 sid, fsec->sid,
1900 SECCLASS_FD,
1901 FD__USE,
1902 &ad);
1903 if (rc)
1904 goto out;
1905 }
1906
1907 #ifdef CONFIG_BPF_SYSCALL
1908 rc = bpf_fd_pass(file, cred_sid(cred));
1909 if (rc)
1910 return rc;
1911 #endif
1912
1913 /* av is zero if only checking access to the descriptor. */
1914 rc = 0;
1915 if (av)
1916 rc = inode_has_perm(cred, inode, av, &ad);
1917
1918 out:
1919 return rc;
1920 }
1921
1922 /*
1923 * Determine the label for an inode that might be unioned.
1924 */
1925 static int
1926 selinux_determine_inode_label(const struct task_security_struct *tsec,
1927 struct inode *dir,
1928 const struct qstr *name, u16 tclass,
1929 u32 *_new_isid)
1930 {
1931 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1932
1933 if ((sbsec->flags & SE_SBINITIALIZED) &&
1934 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1935 *_new_isid = sbsec->mntpoint_sid;
1936 } else if ((sbsec->flags & SBLABEL_MNT) &&
1937 tsec->create_sid) {
1938 *_new_isid = tsec->create_sid;
1939 } else {
1940 const struct inode_security_struct *dsec = inode_security(dir);
1941 return security_transition_sid(&selinux_state, tsec->sid,
1942 dsec->sid, tclass,
1943 name, _new_isid);
1944 }
1945
1946 return 0;
1947 }
1948
1949 /* Check whether a task can create a file. */
1950 static int may_create(struct inode *dir,
1951 struct dentry *dentry,
1952 u16 tclass)
1953 {
1954 const struct task_security_struct *tsec = current_security();
1955 struct inode_security_struct *dsec;
1956 struct superblock_security_struct *sbsec;
1957 u32 sid, newsid;
1958 struct common_audit_data ad;
1959 int rc;
1960
1961 dsec = inode_security(dir);
1962 sbsec = dir->i_sb->s_security;
1963
1964 sid = tsec->sid;
1965
1966 ad.type = LSM_AUDIT_DATA_DENTRY;
1967 ad.u.dentry = dentry;
1968
1969 rc = avc_has_perm(&selinux_state,
1970 sid, dsec->sid, SECCLASS_DIR,
1971 DIR__ADD_NAME | DIR__SEARCH,
1972 &ad);
1973 if (rc)
1974 return rc;
1975
1976 rc = selinux_determine_inode_label(current_security(), dir,
1977 &dentry->d_name, tclass, &newsid);
1978 if (rc)
1979 return rc;
1980
1981 rc = avc_has_perm(&selinux_state,
1982 sid, newsid, tclass, FILE__CREATE, &ad);
1983 if (rc)
1984 return rc;
1985
1986 return avc_has_perm(&selinux_state,
1987 newsid, sbsec->sid,
1988 SECCLASS_FILESYSTEM,
1989 FILESYSTEM__ASSOCIATE, &ad);
1990 }
1991
1992 #define MAY_LINK 0
1993 #define MAY_UNLINK 1
1994 #define MAY_RMDIR 2
1995
1996 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1997 static int may_link(struct inode *dir,
1998 struct dentry *dentry,
1999 int kind)
2000
2001 {
2002 struct inode_security_struct *dsec, *isec;
2003 struct common_audit_data ad;
2004 u32 sid = current_sid();
2005 u32 av;
2006 int rc;
2007
2008 dsec = inode_security(dir);
2009 isec = backing_inode_security(dentry);
2010
2011 ad.type = LSM_AUDIT_DATA_DENTRY;
2012 ad.u.dentry = dentry;
2013
2014 av = DIR__SEARCH;
2015 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
2016 rc = avc_has_perm(&selinux_state,
2017 sid, dsec->sid, SECCLASS_DIR, av, &ad);
2018 if (rc)
2019 return rc;
2020
2021 switch (kind) {
2022 case MAY_LINK:
2023 av = FILE__LINK;
2024 break;
2025 case MAY_UNLINK:
2026 av = FILE__UNLINK;
2027 break;
2028 case MAY_RMDIR:
2029 av = DIR__RMDIR;
2030 break;
2031 default:
2032 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
2033 __func__, kind);
2034 return 0;
2035 }
2036
2037 rc = avc_has_perm(&selinux_state,
2038 sid, isec->sid, isec->sclass, av, &ad);
2039 return rc;
2040 }
2041
2042 static inline int may_rename(struct inode *old_dir,
2043 struct dentry *old_dentry,
2044 struct inode *new_dir,
2045 struct dentry *new_dentry)
2046 {
2047 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
2048 struct common_audit_data ad;
2049 u32 sid = current_sid();
2050 u32 av;
2051 int old_is_dir, new_is_dir;
2052 int rc;
2053
2054 old_dsec = inode_security(old_dir);
2055 old_isec = backing_inode_security(old_dentry);
2056 old_is_dir = d_is_dir(old_dentry);
2057 new_dsec = inode_security(new_dir);
2058
2059 ad.type = LSM_AUDIT_DATA_DENTRY;
2060
2061 ad.u.dentry = old_dentry;
2062 rc = avc_has_perm(&selinux_state,
2063 sid, old_dsec->sid, SECCLASS_DIR,
2064 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2065 if (rc)
2066 return rc;
2067 rc = avc_has_perm(&selinux_state,
2068 sid, old_isec->sid,
2069 old_isec->sclass, FILE__RENAME, &ad);
2070 if (rc)
2071 return rc;
2072 if (old_is_dir && new_dir != old_dir) {
2073 rc = avc_has_perm(&selinux_state,
2074 sid, old_isec->sid,
2075 old_isec->sclass, DIR__REPARENT, &ad);
2076 if (rc)
2077 return rc;
2078 }
2079
2080 ad.u.dentry = new_dentry;
2081 av = DIR__ADD_NAME | DIR__SEARCH;
2082 if (d_is_positive(new_dentry))
2083 av |= DIR__REMOVE_NAME;
2084 rc = avc_has_perm(&selinux_state,
2085 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2086 if (rc)
2087 return rc;
2088 if (d_is_positive(new_dentry)) {
2089 new_isec = backing_inode_security(new_dentry);
2090 new_is_dir = d_is_dir(new_dentry);
2091 rc = avc_has_perm(&selinux_state,
2092 sid, new_isec->sid,
2093 new_isec->sclass,
2094 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2095 if (rc)
2096 return rc;
2097 }
2098
2099 return 0;
2100 }
2101
2102 /* Check whether a task can perform a filesystem operation. */
2103 static int superblock_has_perm(const struct cred *cred,
2104 struct super_block *sb,
2105 u32 perms,
2106 struct common_audit_data *ad)
2107 {
2108 struct superblock_security_struct *sbsec;
2109 u32 sid = cred_sid(cred);
2110
2111 sbsec = sb->s_security;
2112 return avc_has_perm(&selinux_state,
2113 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2114 }
2115
2116 /* Convert a Linux mode and permission mask to an access vector. */
2117 static inline u32 file_mask_to_av(int mode, int mask)
2118 {
2119 u32 av = 0;
2120
2121 if (!S_ISDIR(mode)) {
2122 if (mask & MAY_EXEC)
2123 av |= FILE__EXECUTE;
2124 if (mask & MAY_READ)
2125 av |= FILE__READ;
2126
2127 if (mask & MAY_APPEND)
2128 av |= FILE__APPEND;
2129 else if (mask & MAY_WRITE)
2130 av |= FILE__WRITE;
2131
2132 } else {
2133 if (mask & MAY_EXEC)
2134 av |= DIR__SEARCH;
2135 if (mask & MAY_WRITE)
2136 av |= DIR__WRITE;
2137 if (mask & MAY_READ)
2138 av |= DIR__READ;
2139 }
2140
2141 return av;
2142 }
2143
2144 /* Convert a Linux file to an access vector. */
2145 static inline u32 file_to_av(struct file *file)
2146 {
2147 u32 av = 0;
2148
2149 if (file->f_mode & FMODE_READ)
2150 av |= FILE__READ;
2151 if (file->f_mode & FMODE_WRITE) {
2152 if (file->f_flags & O_APPEND)
2153 av |= FILE__APPEND;
2154 else
2155 av |= FILE__WRITE;
2156 }
2157 if (!av) {
2158 /*
2159 * Special file opened with flags 3 for ioctl-only use.
2160 */
2161 av = FILE__IOCTL;
2162 }
2163
2164 return av;
2165 }
2166
2167 /*
2168 * Convert a file to an access vector and include the correct open
2169 * open permission.
2170 */
2171 static inline u32 open_file_to_av(struct file *file)
2172 {
2173 u32 av = file_to_av(file);
2174 struct inode *inode = file_inode(file);
2175
2176 if (selinux_policycap_openperm() &&
2177 inode->i_sb->s_magic != SOCKFS_MAGIC)
2178 av |= FILE__OPEN;
2179
2180 return av;
2181 }
2182
2183 /* Hook functions begin here. */
2184
2185 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2186 {
2187 u32 mysid = current_sid();
2188 u32 mgrsid = task_sid(mgr);
2189
2190 return avc_has_perm(&selinux_state,
2191 mysid, mgrsid, SECCLASS_BINDER,
2192 BINDER__SET_CONTEXT_MGR, NULL);
2193 }
2194
2195 static int selinux_binder_transaction(struct task_struct *from,
2196 struct task_struct *to)
2197 {
2198 u32 mysid = current_sid();
2199 u32 fromsid = task_sid(from);
2200 u32 tosid = task_sid(to);
2201 int rc;
2202
2203 if (mysid != fromsid) {
2204 rc = avc_has_perm(&selinux_state,
2205 mysid, fromsid, SECCLASS_BINDER,
2206 BINDER__IMPERSONATE, NULL);
2207 if (rc)
2208 return rc;
2209 }
2210
2211 return avc_has_perm(&selinux_state,
2212 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2213 NULL);
2214 }
2215
2216 static int selinux_binder_transfer_binder(struct task_struct *from,
2217 struct task_struct *to)
2218 {
2219 u32 fromsid = task_sid(from);
2220 u32 tosid = task_sid(to);
2221
2222 return avc_has_perm(&selinux_state,
2223 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2224 NULL);
2225 }
2226
2227 static int selinux_binder_transfer_file(struct task_struct *from,
2228 struct task_struct *to,
2229 struct file *file)
2230 {
2231 u32 sid = task_sid(to);
2232 struct file_security_struct *fsec = file->f_security;
2233 struct dentry *dentry = file->f_path.dentry;
2234 struct inode_security_struct *isec;
2235 struct common_audit_data ad;
2236 int rc;
2237
2238 ad.type = LSM_AUDIT_DATA_PATH;
2239 ad.u.path = file->f_path;
2240
2241 if (sid != fsec->sid) {
2242 rc = avc_has_perm(&selinux_state,
2243 sid, fsec->sid,
2244 SECCLASS_FD,
2245 FD__USE,
2246 &ad);
2247 if (rc)
2248 return rc;
2249 }
2250
2251 #ifdef CONFIG_BPF_SYSCALL
2252 rc = bpf_fd_pass(file, sid);
2253 if (rc)
2254 return rc;
2255 #endif
2256
2257 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2258 return 0;
2259
2260 isec = backing_inode_security(dentry);
2261 return avc_has_perm(&selinux_state,
2262 sid, isec->sid, isec->sclass, file_to_av(file),
2263 &ad);
2264 }
2265
2266 static int selinux_ptrace_access_check(struct task_struct *child,
2267 unsigned int mode)
2268 {
2269 u32 sid = current_sid();
2270 u32 csid = task_sid(child);
2271
2272 if (mode & PTRACE_MODE_READ)
2273 return avc_has_perm(&selinux_state,
2274 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2275
2276 return avc_has_perm(&selinux_state,
2277 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2278 }
2279
2280 static int selinux_ptrace_traceme(struct task_struct *parent)
2281 {
2282 return avc_has_perm(&selinux_state,
2283 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2284 PROCESS__PTRACE, NULL);
2285 }
2286
2287 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2288 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2289 {
2290 return avc_has_perm(&selinux_state,
2291 current_sid(), task_sid(target), SECCLASS_PROCESS,
2292 PROCESS__GETCAP, NULL);
2293 }
2294
2295 static int selinux_capset(struct cred *new, const struct cred *old,
2296 const kernel_cap_t *effective,
2297 const kernel_cap_t *inheritable,
2298 const kernel_cap_t *permitted)
2299 {
2300 return avc_has_perm(&selinux_state,
2301 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2302 PROCESS__SETCAP, NULL);
2303 }
2304
2305 /*
2306 * (This comment used to live with the selinux_task_setuid hook,
2307 * which was removed).
2308 *
2309 * Since setuid only affects the current process, and since the SELinux
2310 * controls are not based on the Linux identity attributes, SELinux does not
2311 * need to control this operation. However, SELinux does control the use of
2312 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2313 */
2314
2315 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2316 int cap, int audit)
2317 {
2318 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2319 }
2320
2321 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2322 {
2323 const struct cred *cred = current_cred();
2324 int rc = 0;
2325
2326 if (!sb)
2327 return 0;
2328
2329 switch (cmds) {
2330 case Q_SYNC:
2331 case Q_QUOTAON:
2332 case Q_QUOTAOFF:
2333 case Q_SETINFO:
2334 case Q_SETQUOTA:
2335 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2336 break;
2337 case Q_GETFMT:
2338 case Q_GETINFO:
2339 case Q_GETQUOTA:
2340 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2341 break;
2342 default:
2343 rc = 0; /* let the kernel handle invalid cmds */
2344 break;
2345 }
2346 return rc;
2347 }
2348
2349 static int selinux_quota_on(struct dentry *dentry)
2350 {
2351 const struct cred *cred = current_cred();
2352
2353 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2354 }
2355
2356 static int selinux_syslog(int type)
2357 {
2358 switch (type) {
2359 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2360 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2361 return avc_has_perm(&selinux_state,
2362 current_sid(), SECINITSID_KERNEL,
2363 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2364 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2365 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2366 /* Set level of messages printed to console */
2367 case SYSLOG_ACTION_CONSOLE_LEVEL:
2368 return avc_has_perm(&selinux_state,
2369 current_sid(), SECINITSID_KERNEL,
2370 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2371 NULL);
2372 }
2373 /* All other syslog types */
2374 return avc_has_perm(&selinux_state,
2375 current_sid(), SECINITSID_KERNEL,
2376 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2377 }
2378
2379 /*
2380 * Check that a process has enough memory to allocate a new virtual
2381 * mapping. 0 means there is enough memory for the allocation to
2382 * succeed and -ENOMEM implies there is not.
2383 *
2384 * Do not audit the selinux permission check, as this is applied to all
2385 * processes that allocate mappings.
2386 */
2387 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2388 {
2389 int rc, cap_sys_admin = 0;
2390
2391 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2392 SECURITY_CAP_NOAUDIT, true);
2393 if (rc == 0)
2394 cap_sys_admin = 1;
2395
2396 return cap_sys_admin;
2397 }
2398
2399 /* binprm security operations */
2400
2401 static u32 ptrace_parent_sid(void)
2402 {
2403 u32 sid = 0;
2404 struct task_struct *tracer;
2405
2406 rcu_read_lock();
2407 tracer = ptrace_parent(current);
2408 if (tracer)
2409 sid = task_sid(tracer);
2410 rcu_read_unlock();
2411
2412 return sid;
2413 }
2414
2415 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2416 const struct task_security_struct *old_tsec,
2417 const struct task_security_struct *new_tsec)
2418 {
2419 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2420 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2421 int rc;
2422 u32 av;
2423
2424 if (!nnp && !nosuid)
2425 return 0; /* neither NNP nor nosuid */
2426
2427 if (new_tsec->sid == old_tsec->sid)
2428 return 0; /* No change in credentials */
2429
2430 /*
2431 * If the policy enables the nnp_nosuid_transition policy capability,
2432 * then we permit transitions under NNP or nosuid if the
2433 * policy allows the corresponding permission between
2434 * the old and new contexts.
2435 */
2436 if (selinux_policycap_nnp_nosuid_transition()) {
2437 av = 0;
2438 if (nnp)
2439 av |= PROCESS2__NNP_TRANSITION;
2440 if (nosuid)
2441 av |= PROCESS2__NOSUID_TRANSITION;
2442 rc = avc_has_perm(&selinux_state,
2443 old_tsec->sid, new_tsec->sid,
2444 SECCLASS_PROCESS2, av, NULL);
2445 if (!rc)
2446 return 0;
2447 }
2448
2449 /*
2450 * We also permit NNP or nosuid transitions to bounded SIDs,
2451 * i.e. SIDs that are guaranteed to only be allowed a subset
2452 * of the permissions of the current SID.
2453 */
2454 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2455 new_tsec->sid);
2456 if (!rc)
2457 return 0;
2458
2459 /*
2460 * On failure, preserve the errno values for NNP vs nosuid.
2461 * NNP: Operation not permitted for caller.
2462 * nosuid: Permission denied to file.
2463 */
2464 if (nnp)
2465 return -EPERM;
2466 return -EACCES;
2467 }
2468
2469 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2470 {
2471 const struct task_security_struct *old_tsec;
2472 struct task_security_struct *new_tsec;
2473 struct inode_security_struct *isec;
2474 struct common_audit_data ad;
2475 struct inode *inode = file_inode(bprm->file);
2476 int rc;
2477
2478 /* SELinux context only depends on initial program or script and not
2479 * the script interpreter */
2480 if (bprm->called_set_creds)
2481 return 0;
2482
2483 old_tsec = current_security();
2484 new_tsec = bprm->cred->security;
2485 isec = inode_security(inode);
2486
2487 /* Default to the current task SID. */
2488 new_tsec->sid = old_tsec->sid;
2489 new_tsec->osid = old_tsec->sid;
2490
2491 /* Reset fs, key, and sock SIDs on execve. */
2492 new_tsec->create_sid = 0;
2493 new_tsec->keycreate_sid = 0;
2494 new_tsec->sockcreate_sid = 0;
2495
2496 if (old_tsec->exec_sid) {
2497 new_tsec->sid = old_tsec->exec_sid;
2498 /* Reset exec SID on execve. */
2499 new_tsec->exec_sid = 0;
2500
2501 /* Fail on NNP or nosuid if not an allowed transition. */
2502 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2503 if (rc)
2504 return rc;
2505 } else {
2506 /* Check for a default transition on this program. */
2507 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2508 isec->sid, SECCLASS_PROCESS, NULL,
2509 &new_tsec->sid);
2510 if (rc)
2511 return rc;
2512
2513 /*
2514 * Fallback to old SID on NNP or nosuid if not an allowed
2515 * transition.
2516 */
2517 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2518 if (rc)
2519 new_tsec->sid = old_tsec->sid;
2520 }
2521
2522 ad.type = LSM_AUDIT_DATA_FILE;
2523 ad.u.file = bprm->file;
2524
2525 if (new_tsec->sid == old_tsec->sid) {
2526 rc = avc_has_perm(&selinux_state,
2527 old_tsec->sid, isec->sid,
2528 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2529 if (rc)
2530 return rc;
2531 } else {
2532 /* Check permissions for the transition. */
2533 rc = avc_has_perm(&selinux_state,
2534 old_tsec->sid, new_tsec->sid,
2535 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2536 if (rc)
2537 return rc;
2538
2539 rc = avc_has_perm(&selinux_state,
2540 new_tsec->sid, isec->sid,
2541 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2542 if (rc)
2543 return rc;
2544
2545 /* Check for shared state */
2546 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2547 rc = avc_has_perm(&selinux_state,
2548 old_tsec->sid, new_tsec->sid,
2549 SECCLASS_PROCESS, PROCESS__SHARE,
2550 NULL);
2551 if (rc)
2552 return -EPERM;
2553 }
2554
2555 /* Make sure that anyone attempting to ptrace over a task that
2556 * changes its SID has the appropriate permit */
2557 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2558 u32 ptsid = ptrace_parent_sid();
2559 if (ptsid != 0) {
2560 rc = avc_has_perm(&selinux_state,
2561 ptsid, new_tsec->sid,
2562 SECCLASS_PROCESS,
2563 PROCESS__PTRACE, NULL);
2564 if (rc)
2565 return -EPERM;
2566 }
2567 }
2568
2569 /* Clear any possibly unsafe personality bits on exec: */
2570 bprm->per_clear |= PER_CLEAR_ON_SETID;
2571
2572 /* Enable secure mode for SIDs transitions unless
2573 the noatsecure permission is granted between
2574 the two SIDs, i.e. ahp returns 0. */
2575 rc = avc_has_perm(&selinux_state,
2576 old_tsec->sid, new_tsec->sid,
2577 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2578 NULL);
2579 bprm->secureexec |= !!rc;
2580 }
2581
2582 return 0;
2583 }
2584
2585 static int match_file(const void *p, struct file *file, unsigned fd)
2586 {
2587 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2588 }
2589
2590 /* Derived from fs/exec.c:flush_old_files. */
2591 static inline void flush_unauthorized_files(const struct cred *cred,
2592 struct files_struct *files)
2593 {
2594 struct file *file, *devnull = NULL;
2595 struct tty_struct *tty;
2596 int drop_tty = 0;
2597 unsigned n;
2598
2599 tty = get_current_tty();
2600 if (tty) {
2601 spin_lock(&tty->files_lock);
2602 if (!list_empty(&tty->tty_files)) {
2603 struct tty_file_private *file_priv;
2604
2605 /* Revalidate access to controlling tty.
2606 Use file_path_has_perm on the tty path directly
2607 rather than using file_has_perm, as this particular
2608 open file may belong to another process and we are
2609 only interested in the inode-based check here. */
2610 file_priv = list_first_entry(&tty->tty_files,
2611 struct tty_file_private, list);
2612 file = file_priv->file;
2613 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2614 drop_tty = 1;
2615 }
2616 spin_unlock(&tty->files_lock);
2617 tty_kref_put(tty);
2618 }
2619 /* Reset controlling tty. */
2620 if (drop_tty)
2621 no_tty();
2622
2623 /* Revalidate access to inherited open files. */
2624 n = iterate_fd(files, 0, match_file, cred);
2625 if (!n) /* none found? */
2626 return;
2627
2628 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2629 if (IS_ERR(devnull))
2630 devnull = NULL;
2631 /* replace all the matching ones with this */
2632 do {
2633 replace_fd(n - 1, devnull, 0);
2634 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2635 if (devnull)
2636 fput(devnull);
2637 }
2638
2639 /*
2640 * Prepare a process for imminent new credential changes due to exec
2641 */
2642 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2643 {
2644 struct task_security_struct *new_tsec;
2645 struct rlimit *rlim, *initrlim;
2646 int rc, i;
2647
2648 new_tsec = bprm->cred->security;
2649 if (new_tsec->sid == new_tsec->osid)
2650 return;
2651
2652 /* Close files for which the new task SID is not authorized. */
2653 flush_unauthorized_files(bprm->cred, current->files);
2654
2655 /* Always clear parent death signal on SID transitions. */
2656 current->pdeath_signal = 0;
2657
2658 /* Check whether the new SID can inherit resource limits from the old
2659 * SID. If not, reset all soft limits to the lower of the current
2660 * task's hard limit and the init task's soft limit.
2661 *
2662 * Note that the setting of hard limits (even to lower them) can be
2663 * controlled by the setrlimit check. The inclusion of the init task's
2664 * soft limit into the computation is to avoid resetting soft limits
2665 * higher than the default soft limit for cases where the default is
2666 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2667 */
2668 rc = avc_has_perm(&selinux_state,
2669 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2670 PROCESS__RLIMITINH, NULL);
2671 if (rc) {
2672 /* protect against do_prlimit() */
2673 task_lock(current);
2674 for (i = 0; i < RLIM_NLIMITS; i++) {
2675 rlim = current->signal->rlim + i;
2676 initrlim = init_task.signal->rlim + i;
2677 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2678 }
2679 task_unlock(current);
2680 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2681 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2682 }
2683 }
2684
2685 /*
2686 * Clean up the process immediately after the installation of new credentials
2687 * due to exec
2688 */
2689 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2690 {
2691 const struct task_security_struct *tsec = current_security();
2692 struct itimerval itimer;
2693 u32 osid, sid;
2694 int rc, i;
2695
2696 osid = tsec->osid;
2697 sid = tsec->sid;
2698
2699 if (sid == osid)
2700 return;
2701
2702 /* Check whether the new SID can inherit signal state from the old SID.
2703 * If not, clear itimers to avoid subsequent signal generation and
2704 * flush and unblock signals.
2705 *
2706 * This must occur _after_ the task SID has been updated so that any
2707 * kill done after the flush will be checked against the new SID.
2708 */
2709 rc = avc_has_perm(&selinux_state,
2710 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2711 if (rc) {
2712 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2713 memset(&itimer, 0, sizeof itimer);
2714 for (i = 0; i < 3; i++)
2715 do_setitimer(i, &itimer, NULL);
2716 }
2717 spin_lock_irq(&current->sighand->siglock);
2718 if (!fatal_signal_pending(current)) {
2719 flush_sigqueue(&current->pending);
2720 flush_sigqueue(&current->signal->shared_pending);
2721 flush_signal_handlers(current, 1);
2722 sigemptyset(&current->blocked);
2723 recalc_sigpending();
2724 }
2725 spin_unlock_irq(&current->sighand->siglock);
2726 }
2727
2728 /* Wake up the parent if it is waiting so that it can recheck
2729 * wait permission to the new task SID. */
2730 read_lock(&tasklist_lock);
2731 __wake_up_parent(current, current->real_parent);
2732 read_unlock(&tasklist_lock);
2733 }
2734
2735 /* superblock security operations */
2736
2737 static int selinux_sb_alloc_security(struct super_block *sb)
2738 {
2739 return superblock_alloc_security(sb);
2740 }
2741
2742 static void selinux_sb_free_security(struct super_block *sb)
2743 {
2744 superblock_free_security(sb);
2745 }
2746
2747 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2748 {
2749 if (plen > olen)
2750 return 0;
2751
2752 return !memcmp(prefix, option, plen);
2753 }
2754
2755 static inline int selinux_option(char *option, int len)
2756 {
2757 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2758 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2759 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2760 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2761 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2762 }
2763
2764 static inline void take_option(char **to, char *from, int *first, int len)
2765 {
2766 if (!*first) {
2767 **to = ',';
2768 *to += 1;
2769 } else
2770 *first = 0;
2771 memcpy(*to, from, len);
2772 *to += len;
2773 }
2774
2775 static inline void take_selinux_option(char **to, char *from, int *first,
2776 int len)
2777 {
2778 int current_size = 0;
2779
2780 if (!*first) {
2781 **to = '|';
2782 *to += 1;
2783 } else
2784 *first = 0;
2785
2786 while (current_size < len) {
2787 if (*from != '"') {
2788 **to = *from;
2789 *to += 1;
2790 }
2791 from += 1;
2792 current_size += 1;
2793 }
2794 }
2795
2796 static int selinux_sb_copy_data(char *orig, char *copy)
2797 {
2798 int fnosec, fsec, rc = 0;
2799 char *in_save, *in_curr, *in_end;
2800 char *sec_curr, *nosec_save, *nosec;
2801 int open_quote = 0;
2802
2803 in_curr = orig;
2804 sec_curr = copy;
2805
2806 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2807 if (!nosec) {
2808 rc = -ENOMEM;
2809 goto out;
2810 }
2811
2812 nosec_save = nosec;
2813 fnosec = fsec = 1;
2814 in_save = in_end = orig;
2815
2816 do {
2817 if (*in_end == '"')
2818 open_quote = !open_quote;
2819 if ((*in_end == ',' && open_quote == 0) ||
2820 *in_end == '\0') {
2821 int len = in_end - in_curr;
2822
2823 if (selinux_option(in_curr, len))
2824 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2825 else
2826 take_option(&nosec, in_curr, &fnosec, len);
2827
2828 in_curr = in_end + 1;
2829 }
2830 } while (*in_end++);
2831
2832 strcpy(in_save, nosec_save);
2833 free_page((unsigned long)nosec_save);
2834 out:
2835 return rc;
2836 }
2837
2838 static int selinux_sb_remount(struct super_block *sb, void *data)
2839 {
2840 int rc, i, *flags;
2841 struct security_mnt_opts opts;
2842 char *secdata, **mount_options;
2843 struct superblock_security_struct *sbsec = sb->s_security;
2844
2845 if (!(sbsec->flags & SE_SBINITIALIZED))
2846 return 0;
2847
2848 if (!data)
2849 return 0;
2850
2851 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2852 return 0;
2853
2854 security_init_mnt_opts(&opts);
2855 secdata = alloc_secdata();
2856 if (!secdata)
2857 return -ENOMEM;
2858 rc = selinux_sb_copy_data(data, secdata);
2859 if (rc)
2860 goto out_free_secdata;
2861
2862 rc = selinux_parse_opts_str(secdata, &opts);
2863 if (rc)
2864 goto out_free_secdata;
2865
2866 mount_options = opts.mnt_opts;
2867 flags = opts.mnt_opts_flags;
2868
2869 for (i = 0; i < opts.num_mnt_opts; i++) {
2870 u32 sid;
2871
2872 if (flags[i] == SBLABEL_MNT)
2873 continue;
2874 rc = security_context_str_to_sid(&selinux_state,
2875 mount_options[i], &sid,
2876 GFP_KERNEL);
2877 if (rc) {
2878 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2879 "(%s) failed for (dev %s, type %s) errno=%d\n",
2880 mount_options[i], sb->s_id, sb->s_type->name, rc);
2881 goto out_free_opts;
2882 }
2883 rc = -EINVAL;
2884 switch (flags[i]) {
2885 case FSCONTEXT_MNT:
2886 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2887 goto out_bad_option;
2888 break;
2889 case CONTEXT_MNT:
2890 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2891 goto out_bad_option;
2892 break;
2893 case ROOTCONTEXT_MNT: {
2894 struct inode_security_struct *root_isec;
2895 root_isec = backing_inode_security(sb->s_root);
2896
2897 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2898 goto out_bad_option;
2899 break;
2900 }
2901 case DEFCONTEXT_MNT:
2902 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2903 goto out_bad_option;
2904 break;
2905 default:
2906 goto out_free_opts;
2907 }
2908 }
2909
2910 rc = 0;
2911 out_free_opts:
2912 security_free_mnt_opts(&opts);
2913 out_free_secdata:
2914 free_secdata(secdata);
2915 return rc;
2916 out_bad_option:
2917 printk(KERN_WARNING "SELinux: unable to change security options "
2918 "during remount (dev %s, type=%s)\n", sb->s_id,
2919 sb->s_type->name);
2920 goto out_free_opts;
2921 }
2922
2923 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2924 {
2925 const struct cred *cred = current_cred();
2926 struct common_audit_data ad;
2927 int rc;
2928
2929 rc = superblock_doinit(sb, data);
2930 if (rc)
2931 return rc;
2932
2933 /* Allow all mounts performed by the kernel */
2934 if (flags & MS_KERNMOUNT)
2935 return 0;
2936
2937 ad.type = LSM_AUDIT_DATA_DENTRY;
2938 ad.u.dentry = sb->s_root;
2939 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2940 }
2941
2942 static int selinux_sb_statfs(struct dentry *dentry)
2943 {
2944 const struct cred *cred = current_cred();
2945 struct common_audit_data ad;
2946
2947 ad.type = LSM_AUDIT_DATA_DENTRY;
2948 ad.u.dentry = dentry->d_sb->s_root;
2949 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2950 }
2951
2952 static int selinux_mount(const char *dev_name,
2953 const struct path *path,
2954 const char *type,
2955 unsigned long flags,
2956 void *data)
2957 {
2958 const struct cred *cred = current_cred();
2959
2960 if (flags & MS_REMOUNT)
2961 return superblock_has_perm(cred, path->dentry->d_sb,
2962 FILESYSTEM__REMOUNT, NULL);
2963 else
2964 return path_has_perm(cred, path, FILE__MOUNTON);
2965 }
2966
2967 static int selinux_umount(struct vfsmount *mnt, int flags)
2968 {
2969 const struct cred *cred = current_cred();
2970
2971 return superblock_has_perm(cred, mnt->mnt_sb,
2972 FILESYSTEM__UNMOUNT, NULL);
2973 }
2974
2975 /* inode security operations */
2976
2977 static int selinux_inode_alloc_security(struct inode *inode)
2978 {
2979 return inode_alloc_security(inode);
2980 }
2981
2982 static void selinux_inode_free_security(struct inode *inode)
2983 {
2984 inode_free_security(inode);
2985 }
2986
2987 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2988 const struct qstr *name, void **ctx,
2989 u32 *ctxlen)
2990 {
2991 u32 newsid;
2992 int rc;
2993
2994 rc = selinux_determine_inode_label(current_security(),
2995 d_inode(dentry->d_parent), name,
2996 inode_mode_to_security_class(mode),
2997 &newsid);
2998 if (rc)
2999 return rc;
3000
3001 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
3002 ctxlen);
3003 }
3004
3005 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
3006 struct qstr *name,
3007 const struct cred *old,
3008 struct cred *new)
3009 {
3010 u32 newsid;
3011 int rc;
3012 struct task_security_struct *tsec;
3013
3014 rc = selinux_determine_inode_label(old->security,
3015 d_inode(dentry->d_parent), name,
3016 inode_mode_to_security_class(mode),
3017 &newsid);
3018 if (rc)
3019 return rc;
3020
3021 tsec = new->security;
3022 tsec->create_sid = newsid;
3023 return 0;
3024 }
3025
3026 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
3027 const struct qstr *qstr,
3028 const char **name,
3029 void **value, size_t *len)
3030 {
3031 const struct task_security_struct *tsec = current_security();
3032 struct superblock_security_struct *sbsec;
3033 u32 newsid, clen;
3034 int rc;
3035 char *context;
3036
3037 sbsec = dir->i_sb->s_security;
3038
3039 newsid = tsec->create_sid;
3040
3041 rc = selinux_determine_inode_label(current_security(),
3042 dir, qstr,
3043 inode_mode_to_security_class(inode->i_mode),
3044 &newsid);
3045 if (rc)
3046 return rc;
3047
3048 /* Possibly defer initialization to selinux_complete_init. */
3049 if (sbsec->flags & SE_SBINITIALIZED) {
3050 struct inode_security_struct *isec = inode->i_security;
3051 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3052 isec->sid = newsid;
3053 isec->initialized = LABEL_INITIALIZED;
3054 }
3055
3056 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
3057 return -EOPNOTSUPP;
3058
3059 if (name)
3060 *name = XATTR_SELINUX_SUFFIX;
3061
3062 if (value && len) {
3063 rc = security_sid_to_context_force(&selinux_state, newsid,
3064 &context, &clen);
3065 if (rc)
3066 return rc;
3067 *value = context;
3068 *len = clen;
3069 }
3070
3071 return 0;
3072 }
3073
3074 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3075 {
3076 return may_create(dir, dentry, SECCLASS_FILE);
3077 }
3078
3079 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3080 {
3081 return may_link(dir, old_dentry, MAY_LINK);
3082 }
3083
3084 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3085 {
3086 return may_link(dir, dentry, MAY_UNLINK);
3087 }
3088
3089 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3090 {
3091 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3092 }
3093
3094 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3095 {
3096 return may_create(dir, dentry, SECCLASS_DIR);
3097 }
3098
3099 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3100 {
3101 return may_link(dir, dentry, MAY_RMDIR);
3102 }
3103
3104 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3105 {
3106 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3107 }
3108
3109 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3110 struct inode *new_inode, struct dentry *new_dentry)
3111 {
3112 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3113 }
3114
3115 static int selinux_inode_readlink(struct dentry *dentry)
3116 {
3117 const struct cred *cred = current_cred();
3118
3119 return dentry_has_perm(cred, dentry, FILE__READ);
3120 }
3121
3122 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3123 bool rcu)
3124 {
3125 const struct cred *cred = current_cred();
3126 struct common_audit_data ad;
3127 struct inode_security_struct *isec;
3128 u32 sid;
3129
3130 validate_creds(cred);
3131
3132 ad.type = LSM_AUDIT_DATA_DENTRY;
3133 ad.u.dentry = dentry;
3134 sid = cred_sid(cred);
3135 isec = inode_security_rcu(inode, rcu);
3136 if (IS_ERR(isec))
3137 return PTR_ERR(isec);
3138
3139 return avc_has_perm_flags(&selinux_state,
3140 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3141 rcu ? MAY_NOT_BLOCK : 0);
3142 }
3143
3144 static noinline int audit_inode_permission(struct inode *inode,
3145 u32 perms, u32 audited, u32 denied,
3146 int result,
3147 unsigned flags)
3148 {
3149 struct common_audit_data ad;
3150 struct inode_security_struct *isec = inode->i_security;
3151 int rc;
3152
3153 ad.type = LSM_AUDIT_DATA_INODE;
3154 ad.u.inode = inode;
3155
3156 rc = slow_avc_audit(&selinux_state,
3157 current_sid(), isec->sid, isec->sclass, perms,
3158 audited, denied, result, &ad, flags);
3159 if (rc)
3160 return rc;
3161 return 0;
3162 }
3163
3164 static int selinux_inode_permission(struct inode *inode, int mask)
3165 {
3166 const struct cred *cred = current_cred();
3167 u32 perms;
3168 bool from_access;
3169 unsigned flags = mask & MAY_NOT_BLOCK;
3170 struct inode_security_struct *isec;
3171 u32 sid;
3172 struct av_decision avd;
3173 int rc, rc2;
3174 u32 audited, denied;
3175
3176 from_access = mask & MAY_ACCESS;
3177 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3178
3179 /* No permission to check. Existence test. */
3180 if (!mask)
3181 return 0;
3182
3183 validate_creds(cred);
3184
3185 if (unlikely(IS_PRIVATE(inode)))
3186 return 0;
3187
3188 perms = file_mask_to_av(inode->i_mode, mask);
3189
3190 sid = cred_sid(cred);
3191 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3192 if (IS_ERR(isec))
3193 return PTR_ERR(isec);
3194
3195 rc = avc_has_perm_noaudit(&selinux_state,
3196 sid, isec->sid, isec->sclass, perms, 0, &avd);
3197 audited = avc_audit_required(perms, &avd, rc,
3198 from_access ? FILE__AUDIT_ACCESS : 0,
3199 &denied);
3200 if (likely(!audited))
3201 return rc;
3202
3203 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3204 if (rc2)
3205 return rc2;
3206 return rc;
3207 }
3208
3209 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3210 {
3211 const struct cred *cred = current_cred();
3212 struct inode *inode = d_backing_inode(dentry);
3213 unsigned int ia_valid = iattr->ia_valid;
3214 __u32 av = FILE__WRITE;
3215
3216 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3217 if (ia_valid & ATTR_FORCE) {
3218 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3219 ATTR_FORCE);
3220 if (!ia_valid)
3221 return 0;
3222 }
3223
3224 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3225 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3226 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3227
3228 if (selinux_policycap_openperm() &&
3229 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3230 (ia_valid & ATTR_SIZE) &&
3231 !(ia_valid & ATTR_FILE))
3232 av |= FILE__OPEN;
3233
3234 return dentry_has_perm(cred, dentry, av);
3235 }
3236
3237 static int selinux_inode_getattr(const struct path *path)
3238 {
3239 return path_has_perm(current_cred(), path, FILE__GETATTR);
3240 }
3241
3242 static bool has_cap_mac_admin(bool audit)
3243 {
3244 const struct cred *cred = current_cred();
3245 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3246
3247 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3248 return false;
3249 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3250 return false;
3251 return true;
3252 }
3253
3254 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3255 const void *value, size_t size, int flags)
3256 {
3257 struct inode *inode = d_backing_inode(dentry);
3258 struct inode_security_struct *isec;
3259 struct superblock_security_struct *sbsec;
3260 struct common_audit_data ad;
3261 u32 newsid, sid = current_sid();
3262 int rc = 0;
3263
3264 if (strcmp(name, XATTR_NAME_SELINUX)) {
3265 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3266 if (rc)
3267 return rc;
3268
3269 /* Not an attribute we recognize, so just check the
3270 ordinary setattr permission. */
3271 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3272 }
3273
3274 sbsec = inode->i_sb->s_security;
3275 if (!(sbsec->flags & SBLABEL_MNT))
3276 return -EOPNOTSUPP;
3277
3278 if (!inode_owner_or_capable(inode))
3279 return -EPERM;
3280
3281 ad.type = LSM_AUDIT_DATA_DENTRY;
3282 ad.u.dentry = dentry;
3283
3284 isec = backing_inode_security(dentry);
3285 rc = avc_has_perm(&selinux_state,
3286 sid, isec->sid, isec->sclass,
3287 FILE__RELABELFROM, &ad);
3288 if (rc)
3289 return rc;
3290
3291 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3292 GFP_KERNEL);
3293 if (rc == -EINVAL) {
3294 if (!has_cap_mac_admin(true)) {
3295 struct audit_buffer *ab;
3296 size_t audit_size;
3297
3298 /* We strip a nul only if it is at the end, otherwise the
3299 * context contains a nul and we should audit that */
3300 if (value) {
3301 const char *str = value;
3302
3303 if (str[size - 1] == '\0')
3304 audit_size = size - 1;
3305 else
3306 audit_size = size;
3307 } else {
3308 audit_size = 0;
3309 }
3310 ab = audit_log_start(audit_context(),
3311 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3312 audit_log_format(ab, "op=setxattr invalid_context=");
3313 audit_log_n_untrustedstring(ab, value, audit_size);
3314 audit_log_end(ab);
3315
3316 return rc;
3317 }
3318 rc = security_context_to_sid_force(&selinux_state, value,
3319 size, &newsid);
3320 }
3321 if (rc)
3322 return rc;
3323
3324 rc = avc_has_perm(&selinux_state,
3325 sid, newsid, isec->sclass,
3326 FILE__RELABELTO, &ad);
3327 if (rc)
3328 return rc;
3329
3330 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3331 sid, isec->sclass);
3332 if (rc)
3333 return rc;
3334
3335 return avc_has_perm(&selinux_state,
3336 newsid,
3337 sbsec->sid,
3338 SECCLASS_FILESYSTEM,
3339 FILESYSTEM__ASSOCIATE,
3340 &ad);
3341 }
3342
3343 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3344 const void *value, size_t size,
3345 int flags)
3346 {
3347 struct inode *inode = d_backing_inode(dentry);
3348 struct inode_security_struct *isec;
3349 u32 newsid;
3350 int rc;
3351
3352 if (strcmp(name, XATTR_NAME_SELINUX)) {
3353 /* Not an attribute we recognize, so nothing to do. */
3354 return;
3355 }
3356
3357 rc = security_context_to_sid_force(&selinux_state, value, size,
3358 &newsid);
3359 if (rc) {
3360 printk(KERN_ERR "SELinux: unable to map context to SID"
3361 "for (%s, %lu), rc=%d\n",
3362 inode->i_sb->s_id, inode->i_ino, -rc);
3363 return;
3364 }
3365
3366 isec = backing_inode_security(dentry);
3367 spin_lock(&isec->lock);
3368 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3369 isec->sid = newsid;
3370 isec->initialized = LABEL_INITIALIZED;
3371 spin_unlock(&isec->lock);
3372
3373 return;
3374 }
3375
3376 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3377 {
3378 const struct cred *cred = current_cred();
3379
3380 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3381 }
3382
3383 static int selinux_inode_listxattr(struct dentry *dentry)
3384 {
3385 const struct cred *cred = current_cred();
3386
3387 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3388 }
3389
3390 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3391 {
3392 if (strcmp(name, XATTR_NAME_SELINUX)) {
3393 int rc = cap_inode_removexattr(dentry, name);
3394 if (rc)
3395 return rc;
3396
3397 /* Not an attribute we recognize, so just check the
3398 ordinary setattr permission. */
3399 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3400 }
3401
3402 /* No one is allowed to remove a SELinux security label.
3403 You can change the label, but all data must be labeled. */
3404 return -EACCES;
3405 }
3406
3407 /*
3408 * Copy the inode security context value to the user.
3409 *
3410 * Permission check is handled by selinux_inode_getxattr hook.
3411 */
3412 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3413 {
3414 u32 size;
3415 int error;
3416 char *context = NULL;
3417 struct inode_security_struct *isec;
3418
3419 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3420 return -EOPNOTSUPP;
3421
3422 /*
3423 * If the caller has CAP_MAC_ADMIN, then get the raw context
3424 * value even if it is not defined by current policy; otherwise,
3425 * use the in-core value under current policy.
3426 * Use the non-auditing forms of the permission checks since
3427 * getxattr may be called by unprivileged processes commonly
3428 * and lack of permission just means that we fall back to the
3429 * in-core context value, not a denial.
3430 */
3431 isec = inode_security(inode);
3432 if (has_cap_mac_admin(false))
3433 error = security_sid_to_context_force(&selinux_state,
3434 isec->sid, &context,
3435 &size);
3436 else
3437 error = security_sid_to_context(&selinux_state, isec->sid,
3438 &context, &size);
3439 if (error)
3440 return error;
3441 error = size;
3442 if (alloc) {
3443 *buffer = context;
3444 goto out_nofree;
3445 }
3446 kfree(context);
3447 out_nofree:
3448 return error;
3449 }
3450
3451 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3452 const void *value, size_t size, int flags)
3453 {
3454 struct inode_security_struct *isec = inode_security_novalidate(inode);
3455 u32 newsid;
3456 int rc;
3457
3458 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3459 return -EOPNOTSUPP;
3460
3461 if (!value || !size)
3462 return -EACCES;
3463
3464 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3465 GFP_KERNEL);
3466 if (rc)
3467 return rc;
3468
3469 spin_lock(&isec->lock);
3470 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3471 isec->sid = newsid;
3472 isec->initialized = LABEL_INITIALIZED;
3473 spin_unlock(&isec->lock);
3474 return 0;
3475 }
3476
3477 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3478 {
3479 const int len = sizeof(XATTR_NAME_SELINUX);
3480 if (buffer && len <= buffer_size)
3481 memcpy(buffer, XATTR_NAME_SELINUX, len);
3482 return len;
3483 }
3484
3485 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3486 {
3487 struct inode_security_struct *isec = inode_security_novalidate(inode);
3488 *secid = isec->sid;
3489 }
3490
3491 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3492 {
3493 u32 sid;
3494 struct task_security_struct *tsec;
3495 struct cred *new_creds = *new;
3496
3497 if (new_creds == NULL) {
3498 new_creds = prepare_creds();
3499 if (!new_creds)
3500 return -ENOMEM;
3501 }
3502
3503 tsec = new_creds->security;
3504 /* Get label from overlay inode and set it in create_sid */
3505 selinux_inode_getsecid(d_inode(src), &sid);
3506 tsec->create_sid = sid;
3507 *new = new_creds;
3508 return 0;
3509 }
3510
3511 static int selinux_inode_copy_up_xattr(const char *name)
3512 {
3513 /* The copy_up hook above sets the initial context on an inode, but we
3514 * don't then want to overwrite it by blindly copying all the lower
3515 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3516 */
3517 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3518 return 1; /* Discard */
3519 /*
3520 * Any other attribute apart from SELINUX is not claimed, supported
3521 * by selinux.
3522 */
3523 return -EOPNOTSUPP;
3524 }
3525
3526 /* file security operations */
3527
3528 static int selinux_revalidate_file_permission(struct file *file, int mask)
3529 {
3530 const struct cred *cred = current_cred();
3531 struct inode *inode = file_inode(file);
3532
3533 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3534 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3535 mask |= MAY_APPEND;
3536
3537 return file_has_perm(cred, file,
3538 file_mask_to_av(inode->i_mode, mask));
3539 }
3540
3541 static int selinux_file_permission(struct file *file, int mask)
3542 {
3543 struct inode *inode = file_inode(file);
3544 struct file_security_struct *fsec = file->f_security;
3545 struct inode_security_struct *isec;
3546 u32 sid = current_sid();
3547
3548 if (!mask)
3549 /* No permission to check. Existence test. */
3550 return 0;
3551
3552 isec = inode_security(inode);
3553 if (sid == fsec->sid && fsec->isid == isec->sid &&
3554 fsec->pseqno == avc_policy_seqno(&selinux_state))
3555 /* No change since file_open check. */
3556 return 0;
3557
3558 return selinux_revalidate_file_permission(file, mask);
3559 }
3560
3561 static int selinux_file_alloc_security(struct file *file)
3562 {
3563 return file_alloc_security(file);
3564 }
3565
3566 static void selinux_file_free_security(struct file *file)
3567 {
3568 file_free_security(file);
3569 }
3570
3571 /*
3572 * Check whether a task has the ioctl permission and cmd
3573 * operation to an inode.
3574 */
3575 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3576 u32 requested, u16 cmd)
3577 {
3578 struct common_audit_data ad;
3579 struct file_security_struct *fsec = file->f_security;
3580 struct inode *inode = file_inode(file);
3581 struct inode_security_struct *isec;
3582 struct lsm_ioctlop_audit ioctl;
3583 u32 ssid = cred_sid(cred);
3584 int rc;
3585 u8 driver = cmd >> 8;
3586 u8 xperm = cmd & 0xff;
3587
3588 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3589 ad.u.op = &ioctl;
3590 ad.u.op->cmd = cmd;
3591 ad.u.op->path = file->f_path;
3592
3593 if (ssid != fsec->sid) {
3594 rc = avc_has_perm(&selinux_state,
3595 ssid, fsec->sid,
3596 SECCLASS_FD,
3597 FD__USE,
3598 &ad);
3599 if (rc)
3600 goto out;
3601 }
3602
3603 if (unlikely(IS_PRIVATE(inode)))
3604 return 0;
3605
3606 isec = inode_security(inode);
3607 rc = avc_has_extended_perms(&selinux_state,
3608 ssid, isec->sid, isec->sclass,
3609 requested, driver, xperm, &ad);
3610 out:
3611 return rc;
3612 }
3613
3614 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3615 unsigned long arg)
3616 {
3617 const struct cred *cred = current_cred();
3618 int error = 0;
3619
3620 switch (cmd) {
3621 case FIONREAD:
3622 /* fall through */
3623 case FIBMAP:
3624 /* fall through */
3625 case FIGETBSZ:
3626 /* fall through */
3627 case FS_IOC_GETFLAGS:
3628 /* fall through */
3629 case FS_IOC_GETVERSION:
3630 error = file_has_perm(cred, file, FILE__GETATTR);
3631 break;
3632
3633 case FS_IOC_SETFLAGS:
3634 /* fall through */
3635 case FS_IOC_SETVERSION:
3636 error = file_has_perm(cred, file, FILE__SETATTR);
3637 break;
3638
3639 /* sys_ioctl() checks */
3640 case FIONBIO:
3641 /* fall through */
3642 case FIOASYNC:
3643 error = file_has_perm(cred, file, 0);
3644 break;
3645
3646 case KDSKBENT:
3647 case KDSKBSENT:
3648 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3649 SECURITY_CAP_AUDIT, true);
3650 break;
3651
3652 /* default case assumes that the command will go
3653 * to the file's ioctl() function.
3654 */
3655 default:
3656 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3657 }
3658 return error;
3659 }
3660
3661 static int default_noexec;
3662
3663 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3664 {
3665 const struct cred *cred = current_cred();
3666 u32 sid = cred_sid(cred);
3667 int rc = 0;
3668
3669 if (default_noexec &&
3670 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3671 (!shared && (prot & PROT_WRITE)))) {
3672 /*
3673 * We are making executable an anonymous mapping or a
3674 * private file mapping that will also be writable.
3675 * This has an additional check.
3676 */
3677 rc = avc_has_perm(&selinux_state,
3678 sid, sid, SECCLASS_PROCESS,
3679 PROCESS__EXECMEM, NULL);
3680 if (rc)
3681 goto error;
3682 }
3683
3684 if (file) {
3685 /* read access is always possible with a mapping */
3686 u32 av = FILE__READ;
3687
3688 /* write access only matters if the mapping is shared */
3689 if (shared && (prot & PROT_WRITE))
3690 av |= FILE__WRITE;
3691
3692 if (prot & PROT_EXEC)
3693 av |= FILE__EXECUTE;
3694
3695 return file_has_perm(cred, file, av);
3696 }
3697
3698 error:
3699 return rc;
3700 }
3701
3702 static int selinux_mmap_addr(unsigned long addr)
3703 {
3704 int rc = 0;
3705
3706 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3707 u32 sid = current_sid();
3708 rc = avc_has_perm(&selinux_state,
3709 sid, sid, SECCLASS_MEMPROTECT,
3710 MEMPROTECT__MMAP_ZERO, NULL);
3711 }
3712
3713 return rc;
3714 }
3715
3716 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3717 unsigned long prot, unsigned long flags)
3718 {
3719 struct common_audit_data ad;
3720 int rc;
3721
3722 if (file) {
3723 ad.type = LSM_AUDIT_DATA_FILE;
3724 ad.u.file = file;
3725 rc = inode_has_perm(current_cred(), file_inode(file),
3726 FILE__MAP, &ad);
3727 if (rc)
3728 return rc;
3729 }
3730
3731 if (selinux_state.checkreqprot)
3732 prot = reqprot;
3733
3734 return file_map_prot_check(file, prot,
3735 (flags & MAP_TYPE) == MAP_SHARED);
3736 }
3737
3738 static int selinux_file_mprotect(struct vm_area_struct *vma,
3739 unsigned long reqprot,
3740 unsigned long prot)
3741 {
3742 const struct cred *cred = current_cred();
3743 u32 sid = cred_sid(cred);
3744
3745 if (selinux_state.checkreqprot)
3746 prot = reqprot;
3747
3748 if (default_noexec &&
3749 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3750 int rc = 0;
3751 if (vma->vm_start >= vma->vm_mm->start_brk &&
3752 vma->vm_end <= vma->vm_mm->brk) {
3753 rc = avc_has_perm(&selinux_state,
3754 sid, sid, SECCLASS_PROCESS,
3755 PROCESS__EXECHEAP, NULL);
3756 } else if (!vma->vm_file &&
3757 ((vma->vm_start <= vma->vm_mm->start_stack &&
3758 vma->vm_end >= vma->vm_mm->start_stack) ||
3759 vma_is_stack_for_current(vma))) {
3760 rc = avc_has_perm(&selinux_state,
3761 sid, sid, SECCLASS_PROCESS,
3762 PROCESS__EXECSTACK, NULL);
3763 } else if (vma->vm_file && vma->anon_vma) {
3764 /*
3765 * We are making executable a file mapping that has
3766 * had some COW done. Since pages might have been
3767 * written, check ability to execute the possibly
3768 * modified content. This typically should only
3769 * occur for text relocations.
3770 */
3771 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3772 }
3773 if (rc)
3774 return rc;
3775 }
3776
3777 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3778 }
3779
3780 static int selinux_file_lock(struct file *file, unsigned int cmd)
3781 {
3782 const struct cred *cred = current_cred();
3783
3784 return file_has_perm(cred, file, FILE__LOCK);
3785 }
3786
3787 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3788 unsigned long arg)
3789 {
3790 const struct cred *cred = current_cred();
3791 int err = 0;
3792
3793 switch (cmd) {
3794 case F_SETFL:
3795 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3796 err = file_has_perm(cred, file, FILE__WRITE);
3797 break;
3798 }
3799 /* fall through */
3800 case F_SETOWN:
3801 case F_SETSIG:
3802 case F_GETFL:
3803 case F_GETOWN:
3804 case F_GETSIG:
3805 case F_GETOWNER_UIDS:
3806 /* Just check FD__USE permission */
3807 err = file_has_perm(cred, file, 0);
3808 break;
3809 case F_GETLK:
3810 case F_SETLK:
3811 case F_SETLKW:
3812 case F_OFD_GETLK:
3813 case F_OFD_SETLK:
3814 case F_OFD_SETLKW:
3815 #if BITS_PER_LONG == 32
3816 case F_GETLK64:
3817 case F_SETLK64:
3818 case F_SETLKW64:
3819 #endif
3820 err = file_has_perm(cred, file, FILE__LOCK);
3821 break;
3822 }
3823
3824 return err;
3825 }
3826
3827 static void selinux_file_set_fowner(struct file *file)
3828 {
3829 struct file_security_struct *fsec;
3830
3831 fsec = file->f_security;
3832 fsec->fown_sid = current_sid();
3833 }
3834
3835 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3836 struct fown_struct *fown, int signum)
3837 {
3838 struct file *file;
3839 u32 sid = task_sid(tsk);
3840 u32 perm;
3841 struct file_security_struct *fsec;
3842
3843 /* struct fown_struct is never outside the context of a struct file */
3844 file = container_of(fown, struct file, f_owner);
3845
3846 fsec = file->f_security;
3847
3848 if (!signum)
3849 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3850 else
3851 perm = signal_to_av(signum);
3852
3853 return avc_has_perm(&selinux_state,
3854 fsec->fown_sid, sid,
3855 SECCLASS_PROCESS, perm, NULL);
3856 }
3857
3858 static int selinux_file_receive(struct file *file)
3859 {
3860 const struct cred *cred = current_cred();
3861
3862 return file_has_perm(cred, file, file_to_av(file));
3863 }
3864
3865 static int selinux_file_open(struct file *file, const struct cred *cred)
3866 {
3867 struct file_security_struct *fsec;
3868 struct inode_security_struct *isec;
3869
3870 fsec = file->f_security;
3871 isec = inode_security(file_inode(file));
3872 /*
3873 * Save inode label and policy sequence number
3874 * at open-time so that selinux_file_permission
3875 * can determine whether revalidation is necessary.
3876 * Task label is already saved in the file security
3877 * struct as its SID.
3878 */
3879 fsec->isid = isec->sid;
3880 fsec->pseqno = avc_policy_seqno(&selinux_state);
3881 /*
3882 * Since the inode label or policy seqno may have changed
3883 * between the selinux_inode_permission check and the saving
3884 * of state above, recheck that access is still permitted.
3885 * Otherwise, access might never be revalidated against the
3886 * new inode label or new policy.
3887 * This check is not redundant - do not remove.
3888 */
3889 return file_path_has_perm(cred, file, open_file_to_av(file));
3890 }
3891
3892 /* task security operations */
3893
3894 static int selinux_task_alloc(struct task_struct *task,
3895 unsigned long clone_flags)
3896 {
3897 u32 sid = current_sid();
3898
3899 return avc_has_perm(&selinux_state,
3900 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3901 }
3902
3903 /*
3904 * allocate the SELinux part of blank credentials
3905 */
3906 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3907 {
3908 struct task_security_struct *tsec;
3909
3910 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3911 if (!tsec)
3912 return -ENOMEM;
3913
3914 cred->security = tsec;
3915 return 0;
3916 }
3917
3918 /*
3919 * detach and free the LSM part of a set of credentials
3920 */
3921 static void selinux_cred_free(struct cred *cred)
3922 {
3923 struct task_security_struct *tsec = cred->security;
3924
3925 /*
3926 * cred->security == NULL if security_cred_alloc_blank() or
3927 * security_prepare_creds() returned an error.
3928 */
3929 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3930 cred->security = (void *) 0x7UL;
3931 kfree(tsec);
3932 }
3933
3934 /*
3935 * prepare a new set of credentials for modification
3936 */
3937 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3938 gfp_t gfp)
3939 {
3940 const struct task_security_struct *old_tsec;
3941 struct task_security_struct *tsec;
3942
3943 old_tsec = old->security;
3944
3945 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3946 if (!tsec)
3947 return -ENOMEM;
3948
3949 new->security = tsec;
3950 return 0;
3951 }
3952
3953 /*
3954 * transfer the SELinux data to a blank set of creds
3955 */
3956 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3957 {
3958 const struct task_security_struct *old_tsec = old->security;
3959 struct task_security_struct *tsec = new->security;
3960
3961 *tsec = *old_tsec;
3962 }
3963
3964 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3965 {
3966 *secid = cred_sid(c);
3967 }
3968
3969 /*
3970 * set the security data for a kernel service
3971 * - all the creation contexts are set to unlabelled
3972 */
3973 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3974 {
3975 struct task_security_struct *tsec = new->security;
3976 u32 sid = current_sid();
3977 int ret;
3978
3979 ret = avc_has_perm(&selinux_state,
3980 sid, secid,
3981 SECCLASS_KERNEL_SERVICE,
3982 KERNEL_SERVICE__USE_AS_OVERRIDE,
3983 NULL);
3984 if (ret == 0) {
3985 tsec->sid = secid;
3986 tsec->create_sid = 0;
3987 tsec->keycreate_sid = 0;
3988 tsec->sockcreate_sid = 0;
3989 }
3990 return ret;
3991 }
3992
3993 /*
3994 * set the file creation context in a security record to the same as the
3995 * objective context of the specified inode
3996 */
3997 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3998 {
3999 struct inode_security_struct *isec = inode_security(inode);
4000 struct task_security_struct *tsec = new->security;
4001 u32 sid = current_sid();
4002 int ret;
4003
4004 ret = avc_has_perm(&selinux_state,
4005 sid, isec->sid,
4006 SECCLASS_KERNEL_SERVICE,
4007 KERNEL_SERVICE__CREATE_FILES_AS,
4008 NULL);
4009
4010 if (ret == 0)
4011 tsec->create_sid = isec->sid;
4012 return ret;
4013 }
4014
4015 static int selinux_kernel_module_request(char *kmod_name)
4016 {
4017 struct common_audit_data ad;
4018
4019 ad.type = LSM_AUDIT_DATA_KMOD;
4020 ad.u.kmod_name = kmod_name;
4021
4022 return avc_has_perm(&selinux_state,
4023 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4024 SYSTEM__MODULE_REQUEST, &ad);
4025 }
4026
4027 static int selinux_kernel_module_from_file(struct file *file)
4028 {
4029 struct common_audit_data ad;
4030 struct inode_security_struct *isec;
4031 struct file_security_struct *fsec;
4032 u32 sid = current_sid();
4033 int rc;
4034
4035 /* init_module */
4036 if (file == NULL)
4037 return avc_has_perm(&selinux_state,
4038 sid, sid, SECCLASS_SYSTEM,
4039 SYSTEM__MODULE_LOAD, NULL);
4040
4041 /* finit_module */
4042
4043 ad.type = LSM_AUDIT_DATA_FILE;
4044 ad.u.file = file;
4045
4046 fsec = file->f_security;
4047 if (sid != fsec->sid) {
4048 rc = avc_has_perm(&selinux_state,
4049 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4050 if (rc)
4051 return rc;
4052 }
4053
4054 isec = inode_security(file_inode(file));
4055 return avc_has_perm(&selinux_state,
4056 sid, isec->sid, SECCLASS_SYSTEM,
4057 SYSTEM__MODULE_LOAD, &ad);
4058 }
4059
4060 static int selinux_kernel_read_file(struct file *file,
4061 enum kernel_read_file_id id)
4062 {
4063 int rc = 0;
4064
4065 switch (id) {
4066 case READING_MODULE:
4067 rc = selinux_kernel_module_from_file(file);
4068 break;
4069 default:
4070 break;
4071 }
4072
4073 return rc;
4074 }
4075
4076 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4077 {
4078 return avc_has_perm(&selinux_state,
4079 current_sid(), task_sid(p), SECCLASS_PROCESS,
4080 PROCESS__SETPGID, NULL);
4081 }
4082
4083 static int selinux_task_getpgid(struct task_struct *p)
4084 {
4085 return avc_has_perm(&selinux_state,
4086 current_sid(), task_sid(p), SECCLASS_PROCESS,
4087 PROCESS__GETPGID, NULL);
4088 }
4089
4090 static int selinux_task_getsid(struct task_struct *p)
4091 {
4092 return avc_has_perm(&selinux_state,
4093 current_sid(), task_sid(p), SECCLASS_PROCESS,
4094 PROCESS__GETSESSION, NULL);
4095 }
4096
4097 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4098 {
4099 *secid = task_sid(p);
4100 }
4101
4102 static int selinux_task_setnice(struct task_struct *p, int nice)
4103 {
4104 return avc_has_perm(&selinux_state,
4105 current_sid(), task_sid(p), SECCLASS_PROCESS,
4106 PROCESS__SETSCHED, NULL);
4107 }
4108
4109 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4110 {
4111 return avc_has_perm(&selinux_state,
4112 current_sid(), task_sid(p), SECCLASS_PROCESS,
4113 PROCESS__SETSCHED, NULL);
4114 }
4115
4116 static int selinux_task_getioprio(struct task_struct *p)
4117 {
4118 return avc_has_perm(&selinux_state,
4119 current_sid(), task_sid(p), SECCLASS_PROCESS,
4120 PROCESS__GETSCHED, NULL);
4121 }
4122
4123 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4124 unsigned int flags)
4125 {
4126 u32 av = 0;
4127
4128 if (!flags)
4129 return 0;
4130 if (flags & LSM_PRLIMIT_WRITE)
4131 av |= PROCESS__SETRLIMIT;
4132 if (flags & LSM_PRLIMIT_READ)
4133 av |= PROCESS__GETRLIMIT;
4134 return avc_has_perm(&selinux_state,
4135 cred_sid(cred), cred_sid(tcred),
4136 SECCLASS_PROCESS, av, NULL);
4137 }
4138
4139 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4140 struct rlimit *new_rlim)
4141 {
4142 struct rlimit *old_rlim = p->signal->rlim + resource;
4143
4144 /* Control the ability to change the hard limit (whether
4145 lowering or raising it), so that the hard limit can
4146 later be used as a safe reset point for the soft limit
4147 upon context transitions. See selinux_bprm_committing_creds. */
4148 if (old_rlim->rlim_max != new_rlim->rlim_max)
4149 return avc_has_perm(&selinux_state,
4150 current_sid(), task_sid(p),
4151 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4152
4153 return 0;
4154 }
4155
4156 static int selinux_task_setscheduler(struct task_struct *p)
4157 {
4158 return avc_has_perm(&selinux_state,
4159 current_sid(), task_sid(p), SECCLASS_PROCESS,
4160 PROCESS__SETSCHED, NULL);
4161 }
4162
4163 static int selinux_task_getscheduler(struct task_struct *p)
4164 {
4165 return avc_has_perm(&selinux_state,
4166 current_sid(), task_sid(p), SECCLASS_PROCESS,
4167 PROCESS__GETSCHED, NULL);
4168 }
4169
4170 static int selinux_task_movememory(struct task_struct *p)
4171 {
4172 return avc_has_perm(&selinux_state,
4173 current_sid(), task_sid(p), SECCLASS_PROCESS,
4174 PROCESS__SETSCHED, NULL);
4175 }
4176
4177 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4178 int sig, const struct cred *cred)
4179 {
4180 u32 secid;
4181 u32 perm;
4182
4183 if (!sig)
4184 perm = PROCESS__SIGNULL; /* null signal; existence test */
4185 else
4186 perm = signal_to_av(sig);
4187 if (!cred)
4188 secid = current_sid();
4189 else
4190 secid = cred_sid(cred);
4191 return avc_has_perm(&selinux_state,
4192 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4193 }
4194
4195 static void selinux_task_to_inode(struct task_struct *p,
4196 struct inode *inode)
4197 {
4198 struct inode_security_struct *isec = inode->i_security;
4199 u32 sid = task_sid(p);
4200
4201 spin_lock(&isec->lock);
4202 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4203 isec->sid = sid;
4204 isec->initialized = LABEL_INITIALIZED;
4205 spin_unlock(&isec->lock);
4206 }
4207
4208 /* Returns error only if unable to parse addresses */
4209 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4210 struct common_audit_data *ad, u8 *proto)
4211 {
4212 int offset, ihlen, ret = -EINVAL;
4213 struct iphdr _iph, *ih;
4214
4215 offset = skb_network_offset(skb);
4216 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4217 if (ih == NULL)
4218 goto out;
4219
4220 ihlen = ih->ihl * 4;
4221 if (ihlen < sizeof(_iph))
4222 goto out;
4223
4224 ad->u.net->v4info.saddr = ih->saddr;
4225 ad->u.net->v4info.daddr = ih->daddr;
4226 ret = 0;
4227
4228 if (proto)
4229 *proto = ih->protocol;
4230
4231 switch (ih->protocol) {
4232 case IPPROTO_TCP: {
4233 struct tcphdr _tcph, *th;
4234
4235 if (ntohs(ih->frag_off) & IP_OFFSET)
4236 break;
4237
4238 offset += ihlen;
4239 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4240 if (th == NULL)
4241 break;
4242
4243 ad->u.net->sport = th->source;
4244 ad->u.net->dport = th->dest;
4245 break;
4246 }
4247
4248 case IPPROTO_UDP: {
4249 struct udphdr _udph, *uh;
4250
4251 if (ntohs(ih->frag_off) & IP_OFFSET)
4252 break;
4253
4254 offset += ihlen;
4255 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4256 if (uh == NULL)
4257 break;
4258
4259 ad->u.net->sport = uh->source;
4260 ad->u.net->dport = uh->dest;
4261 break;
4262 }
4263
4264 case IPPROTO_DCCP: {
4265 struct dccp_hdr _dccph, *dh;
4266
4267 if (ntohs(ih->frag_off) & IP_OFFSET)
4268 break;
4269
4270 offset += ihlen;
4271 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4272 if (dh == NULL)
4273 break;
4274
4275 ad->u.net->sport = dh->dccph_sport;
4276 ad->u.net->dport = dh->dccph_dport;
4277 break;
4278 }
4279
4280 #if IS_ENABLED(CONFIG_IP_SCTP)
4281 case IPPROTO_SCTP: {
4282 struct sctphdr _sctph, *sh;
4283
4284 if (ntohs(ih->frag_off) & IP_OFFSET)
4285 break;
4286
4287 offset += ihlen;
4288 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4289 if (sh == NULL)
4290 break;
4291
4292 ad->u.net->sport = sh->source;
4293 ad->u.net->dport = sh->dest;
4294 break;
4295 }
4296 #endif
4297 default:
4298 break;
4299 }
4300 out:
4301 return ret;
4302 }
4303
4304 #if IS_ENABLED(CONFIG_IPV6)
4305
4306 /* Returns error only if unable to parse addresses */
4307 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4308 struct common_audit_data *ad, u8 *proto)
4309 {
4310 u8 nexthdr;
4311 int ret = -EINVAL, offset;
4312 struct ipv6hdr _ipv6h, *ip6;
4313 __be16 frag_off;
4314
4315 offset = skb_network_offset(skb);
4316 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4317 if (ip6 == NULL)
4318 goto out;
4319
4320 ad->u.net->v6info.saddr = ip6->saddr;
4321 ad->u.net->v6info.daddr = ip6->daddr;
4322 ret = 0;
4323
4324 nexthdr = ip6->nexthdr;
4325 offset += sizeof(_ipv6h);
4326 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4327 if (offset < 0)
4328 goto out;
4329
4330 if (proto)
4331 *proto = nexthdr;
4332
4333 switch (nexthdr) {
4334 case IPPROTO_TCP: {
4335 struct tcphdr _tcph, *th;
4336
4337 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4338 if (th == NULL)
4339 break;
4340
4341 ad->u.net->sport = th->source;
4342 ad->u.net->dport = th->dest;
4343 break;
4344 }
4345
4346 case IPPROTO_UDP: {
4347 struct udphdr _udph, *uh;
4348
4349 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4350 if (uh == NULL)
4351 break;
4352
4353 ad->u.net->sport = uh->source;
4354 ad->u.net->dport = uh->dest;
4355 break;
4356 }
4357
4358 case IPPROTO_DCCP: {
4359 struct dccp_hdr _dccph, *dh;
4360
4361 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4362 if (dh == NULL)
4363 break;
4364
4365 ad->u.net->sport = dh->dccph_sport;
4366 ad->u.net->dport = dh->dccph_dport;
4367 break;
4368 }
4369
4370 #if IS_ENABLED(CONFIG_IP_SCTP)
4371 case IPPROTO_SCTP: {
4372 struct sctphdr _sctph, *sh;
4373
4374 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4375 if (sh == NULL)
4376 break;
4377
4378 ad->u.net->sport = sh->source;
4379 ad->u.net->dport = sh->dest;
4380 break;
4381 }
4382 #endif
4383 /* includes fragments */
4384 default:
4385 break;
4386 }
4387 out:
4388 return ret;
4389 }
4390
4391 #endif /* IPV6 */
4392
4393 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4394 char **_addrp, int src, u8 *proto)
4395 {
4396 char *addrp;
4397 int ret;
4398
4399 switch (ad->u.net->family) {
4400 case PF_INET:
4401 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4402 if (ret)
4403 goto parse_error;
4404 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4405 &ad->u.net->v4info.daddr);
4406 goto okay;
4407
4408 #if IS_ENABLED(CONFIG_IPV6)
4409 case PF_INET6:
4410 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4411 if (ret)
4412 goto parse_error;
4413 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4414 &ad->u.net->v6info.daddr);
4415 goto okay;
4416 #endif /* IPV6 */
4417 default:
4418 addrp = NULL;
4419 goto okay;
4420 }
4421
4422 parse_error:
4423 printk(KERN_WARNING
4424 "SELinux: failure in selinux_parse_skb(),"
4425 " unable to parse packet\n");
4426 return ret;
4427
4428 okay:
4429 if (_addrp)
4430 *_addrp = addrp;
4431 return 0;
4432 }
4433
4434 /**
4435 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4436 * @skb: the packet
4437 * @family: protocol family
4438 * @sid: the packet's peer label SID
4439 *
4440 * Description:
4441 * Check the various different forms of network peer labeling and determine
4442 * the peer label/SID for the packet; most of the magic actually occurs in
4443 * the security server function security_net_peersid_cmp(). The function
4444 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4445 * or -EACCES if @sid is invalid due to inconsistencies with the different
4446 * peer labels.
4447 *
4448 */
4449 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4450 {
4451 int err;
4452 u32 xfrm_sid;
4453 u32 nlbl_sid;
4454 u32 nlbl_type;
4455
4456 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4457 if (unlikely(err))
4458 return -EACCES;
4459 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4460 if (unlikely(err))
4461 return -EACCES;
4462
4463 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4464 nlbl_type, xfrm_sid, sid);
4465 if (unlikely(err)) {
4466 printk(KERN_WARNING
4467 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4468 " unable to determine packet's peer label\n");
4469 return -EACCES;
4470 }
4471
4472 return 0;
4473 }
4474
4475 /**
4476 * selinux_conn_sid - Determine the child socket label for a connection
4477 * @sk_sid: the parent socket's SID
4478 * @skb_sid: the packet's SID
4479 * @conn_sid: the resulting connection SID
4480 *
4481 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4482 * combined with the MLS information from @skb_sid in order to create
4483 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4484 * of @sk_sid. Returns zero on success, negative values on failure.
4485 *
4486 */
4487 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4488 {
4489 int err = 0;
4490
4491 if (skb_sid != SECSID_NULL)
4492 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4493 conn_sid);
4494 else
4495 *conn_sid = sk_sid;
4496
4497 return err;
4498 }
4499
4500 /* socket security operations */
4501
4502 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4503 u16 secclass, u32 *socksid)
4504 {
4505 if (tsec->sockcreate_sid > SECSID_NULL) {
4506 *socksid = tsec->sockcreate_sid;
4507 return 0;
4508 }
4509
4510 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4511 secclass, NULL, socksid);
4512 }
4513
4514 static int sock_has_perm(struct sock *sk, u32 perms)
4515 {
4516 struct sk_security_struct *sksec = sk->sk_security;
4517 struct common_audit_data ad;
4518 struct lsm_network_audit net = {0,};
4519
4520 if (sksec->sid == SECINITSID_KERNEL)
4521 return 0;
4522
4523 ad.type = LSM_AUDIT_DATA_NET;
4524 ad.u.net = &net;
4525 ad.u.net->sk = sk;
4526
4527 return avc_has_perm(&selinux_state,
4528 current_sid(), sksec->sid, sksec->sclass, perms,
4529 &ad);
4530 }
4531
4532 static int selinux_socket_create(int family, int type,
4533 int protocol, int kern)
4534 {
4535 const struct task_security_struct *tsec = current_security();
4536 u32 newsid;
4537 u16 secclass;
4538 int rc;
4539
4540 if (kern)
4541 return 0;
4542
4543 secclass = socket_type_to_security_class(family, type, protocol);
4544 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4545 if (rc)
4546 return rc;
4547
4548 return avc_has_perm(&selinux_state,
4549 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4550 }
4551
4552 static int selinux_socket_post_create(struct socket *sock, int family,
4553 int type, int protocol, int kern)
4554 {
4555 const struct task_security_struct *tsec = current_security();
4556 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4557 struct sk_security_struct *sksec;
4558 u16 sclass = socket_type_to_security_class(family, type, protocol);
4559 u32 sid = SECINITSID_KERNEL;
4560 int err = 0;
4561
4562 if (!kern) {
4563 err = socket_sockcreate_sid(tsec, sclass, &sid);
4564 if (err)
4565 return err;
4566 }
4567
4568 isec->sclass = sclass;
4569 isec->sid = sid;
4570 isec->initialized = LABEL_INITIALIZED;
4571
4572 if (sock->sk) {
4573 sksec = sock->sk->sk_security;
4574 sksec->sclass = sclass;
4575 sksec->sid = sid;
4576 /* Allows detection of the first association on this socket */
4577 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4578 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4579
4580 err = selinux_netlbl_socket_post_create(sock->sk, family);
4581 }
4582
4583 return err;
4584 }
4585
4586 static int selinux_socket_socketpair(struct socket *socka,
4587 struct socket *sockb)
4588 {
4589 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4590 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4591
4592 sksec_a->peer_sid = sksec_b->sid;
4593 sksec_b->peer_sid = sksec_a->sid;
4594
4595 return 0;
4596 }
4597
4598 /* Range of port numbers used to automatically bind.
4599 Need to determine whether we should perform a name_bind
4600 permission check between the socket and the port number. */
4601
4602 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4603 {
4604 struct sock *sk = sock->sk;
4605 struct sk_security_struct *sksec = sk->sk_security;
4606 u16 family;
4607 int err;
4608
4609 err = sock_has_perm(sk, SOCKET__BIND);
4610 if (err)
4611 goto out;
4612
4613 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4614 family = sk->sk_family;
4615 if (family == PF_INET || family == PF_INET6) {
4616 char *addrp;
4617 struct common_audit_data ad;
4618 struct lsm_network_audit net = {0,};
4619 struct sockaddr_in *addr4 = NULL;
4620 struct sockaddr_in6 *addr6 = NULL;
4621 u16 family_sa = address->sa_family;
4622 unsigned short snum;
4623 u32 sid, node_perm;
4624
4625 /*
4626 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4627 * that validates multiple binding addresses. Because of this
4628 * need to check address->sa_family as it is possible to have
4629 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4630 */
4631 switch (family_sa) {
4632 case AF_UNSPEC:
4633 case AF_INET:
4634 if (addrlen < sizeof(struct sockaddr_in))
4635 return -EINVAL;
4636 addr4 = (struct sockaddr_in *)address;
4637 if (family_sa == AF_UNSPEC) {
4638 /* see __inet_bind(), we only want to allow
4639 * AF_UNSPEC if the address is INADDR_ANY
4640 */
4641 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4642 goto err_af;
4643 family_sa = AF_INET;
4644 }
4645 snum = ntohs(addr4->sin_port);
4646 addrp = (char *)&addr4->sin_addr.s_addr;
4647 break;
4648 case AF_INET6:
4649 if (addrlen < SIN6_LEN_RFC2133)
4650 return -EINVAL;
4651 addr6 = (struct sockaddr_in6 *)address;
4652 snum = ntohs(addr6->sin6_port);
4653 addrp = (char *)&addr6->sin6_addr.s6_addr;
4654 break;
4655 default:
4656 goto err_af;
4657 }
4658
4659 ad.type = LSM_AUDIT_DATA_NET;
4660 ad.u.net = &net;
4661 ad.u.net->sport = htons(snum);
4662 ad.u.net->family = family_sa;
4663
4664 if (snum) {
4665 int low, high;
4666
4667 inet_get_local_port_range(sock_net(sk), &low, &high);
4668
4669 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4670 snum > high) {
4671 err = sel_netport_sid(sk->sk_protocol,
4672 snum, &sid);
4673 if (err)
4674 goto out;
4675 err = avc_has_perm(&selinux_state,
4676 sksec->sid, sid,
4677 sksec->sclass,
4678 SOCKET__NAME_BIND, &ad);
4679 if (err)
4680 goto out;
4681 }
4682 }
4683
4684 switch (sksec->sclass) {
4685 case SECCLASS_TCP_SOCKET:
4686 node_perm = TCP_SOCKET__NODE_BIND;
4687 break;
4688
4689 case SECCLASS_UDP_SOCKET:
4690 node_perm = UDP_SOCKET__NODE_BIND;
4691 break;
4692
4693 case SECCLASS_DCCP_SOCKET:
4694 node_perm = DCCP_SOCKET__NODE_BIND;
4695 break;
4696
4697 case SECCLASS_SCTP_SOCKET:
4698 node_perm = SCTP_SOCKET__NODE_BIND;
4699 break;
4700
4701 default:
4702 node_perm = RAWIP_SOCKET__NODE_BIND;
4703 break;
4704 }
4705
4706 err = sel_netnode_sid(addrp, family_sa, &sid);
4707 if (err)
4708 goto out;
4709
4710 if (family_sa == AF_INET)
4711 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4712 else
4713 ad.u.net->v6info.saddr = addr6->sin6_addr;
4714
4715 err = avc_has_perm(&selinux_state,
4716 sksec->sid, sid,
4717 sksec->sclass, node_perm, &ad);
4718 if (err)
4719 goto out;
4720 }
4721 out:
4722 return err;
4723 err_af:
4724 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4725 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4726 return -EINVAL;
4727 return -EAFNOSUPPORT;
4728 }
4729
4730 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4731 * and sctp_sendmsg(3) as described in Documentation/security/LSM-sctp.rst
4732 */
4733 static int selinux_socket_connect_helper(struct socket *sock,
4734 struct sockaddr *address, int addrlen)
4735 {
4736 struct sock *sk = sock->sk;
4737 struct sk_security_struct *sksec = sk->sk_security;
4738 int err;
4739
4740 err = sock_has_perm(sk, SOCKET__CONNECT);
4741 if (err)
4742 return err;
4743
4744 /*
4745 * If a TCP, DCCP or SCTP socket, check name_connect permission
4746 * for the port.
4747 */
4748 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4749 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4750 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4751 struct common_audit_data ad;
4752 struct lsm_network_audit net = {0,};
4753 struct sockaddr_in *addr4 = NULL;
4754 struct sockaddr_in6 *addr6 = NULL;
4755 unsigned short snum;
4756 u32 sid, perm;
4757
4758 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4759 * that validates multiple connect addresses. Because of this
4760 * need to check address->sa_family as it is possible to have
4761 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4762 */
4763 switch (address->sa_family) {
4764 case AF_INET:
4765 addr4 = (struct sockaddr_in *)address;
4766 if (addrlen < sizeof(struct sockaddr_in))
4767 return -EINVAL;
4768 snum = ntohs(addr4->sin_port);
4769 break;
4770 case AF_INET6:
4771 addr6 = (struct sockaddr_in6 *)address;
4772 if (addrlen < SIN6_LEN_RFC2133)
4773 return -EINVAL;
4774 snum = ntohs(addr6->sin6_port);
4775 break;
4776 default:
4777 /* Note that SCTP services expect -EINVAL, whereas
4778 * others expect -EAFNOSUPPORT.
4779 */
4780 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4781 return -EINVAL;
4782 else
4783 return -EAFNOSUPPORT;
4784 }
4785
4786 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4787 if (err)
4788 return err;
4789
4790 switch (sksec->sclass) {
4791 case SECCLASS_TCP_SOCKET:
4792 perm = TCP_SOCKET__NAME_CONNECT;
4793 break;
4794 case SECCLASS_DCCP_SOCKET:
4795 perm = DCCP_SOCKET__NAME_CONNECT;
4796 break;
4797 case SECCLASS_SCTP_SOCKET:
4798 perm = SCTP_SOCKET__NAME_CONNECT;
4799 break;
4800 }
4801
4802 ad.type = LSM_AUDIT_DATA_NET;
4803 ad.u.net = &net;
4804 ad.u.net->dport = htons(snum);
4805 ad.u.net->family = address->sa_family;
4806 err = avc_has_perm(&selinux_state,
4807 sksec->sid, sid, sksec->sclass, perm, &ad);
4808 if (err)
4809 return err;
4810 }
4811
4812 return 0;
4813 }
4814
4815 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4816 static int selinux_socket_connect(struct socket *sock,
4817 struct sockaddr *address, int addrlen)
4818 {
4819 int err;
4820 struct sock *sk = sock->sk;
4821
4822 err = selinux_socket_connect_helper(sock, address, addrlen);
4823 if (err)
4824 return err;
4825
4826 return selinux_netlbl_socket_connect(sk, address);
4827 }
4828
4829 static int selinux_socket_listen(struct socket *sock, int backlog)
4830 {
4831 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4832 }
4833
4834 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4835 {
4836 int err;
4837 struct inode_security_struct *isec;
4838 struct inode_security_struct *newisec;
4839 u16 sclass;
4840 u32 sid;
4841
4842 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4843 if (err)
4844 return err;
4845
4846 isec = inode_security_novalidate(SOCK_INODE(sock));
4847 spin_lock(&isec->lock);
4848 sclass = isec->sclass;
4849 sid = isec->sid;
4850 spin_unlock(&isec->lock);
4851
4852 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4853 newisec->sclass = sclass;
4854 newisec->sid = sid;
4855 newisec->initialized = LABEL_INITIALIZED;
4856
4857 return 0;
4858 }
4859
4860 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4861 int size)
4862 {
4863 return sock_has_perm(sock->sk, SOCKET__WRITE);
4864 }
4865
4866 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4867 int size, int flags)
4868 {
4869 return sock_has_perm(sock->sk, SOCKET__READ);
4870 }
4871
4872 static int selinux_socket_getsockname(struct socket *sock)
4873 {
4874 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4875 }
4876
4877 static int selinux_socket_getpeername(struct socket *sock)
4878 {
4879 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4880 }
4881
4882 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4883 {
4884 int err;
4885
4886 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4887 if (err)
4888 return err;
4889
4890 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4891 }
4892
4893 static int selinux_socket_getsockopt(struct socket *sock, int level,
4894 int optname)
4895 {
4896 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4897 }
4898
4899 static int selinux_socket_shutdown(struct socket *sock, int how)
4900 {
4901 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4902 }
4903
4904 static int selinux_socket_unix_stream_connect(struct sock *sock,
4905 struct sock *other,
4906 struct sock *newsk)
4907 {
4908 struct sk_security_struct *sksec_sock = sock->sk_security;
4909 struct sk_security_struct *sksec_other = other->sk_security;
4910 struct sk_security_struct *sksec_new = newsk->sk_security;
4911 struct common_audit_data ad;
4912 struct lsm_network_audit net = {0,};
4913 int err;
4914
4915 ad.type = LSM_AUDIT_DATA_NET;
4916 ad.u.net = &net;
4917 ad.u.net->sk = other;
4918
4919 err = avc_has_perm(&selinux_state,
4920 sksec_sock->sid, sksec_other->sid,
4921 sksec_other->sclass,
4922 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4923 if (err)
4924 return err;
4925
4926 /* server child socket */
4927 sksec_new->peer_sid = sksec_sock->sid;
4928 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4929 sksec_sock->sid, &sksec_new->sid);
4930 if (err)
4931 return err;
4932
4933 /* connecting socket */
4934 sksec_sock->peer_sid = sksec_new->sid;
4935
4936 return 0;
4937 }
4938
4939 static int selinux_socket_unix_may_send(struct socket *sock,
4940 struct socket *other)
4941 {
4942 struct sk_security_struct *ssec = sock->sk->sk_security;
4943 struct sk_security_struct *osec = other->sk->sk_security;
4944 struct common_audit_data ad;
4945 struct lsm_network_audit net = {0,};
4946
4947 ad.type = LSM_AUDIT_DATA_NET;
4948 ad.u.net = &net;
4949 ad.u.net->sk = other->sk;
4950
4951 return avc_has_perm(&selinux_state,
4952 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4953 &ad);
4954 }
4955
4956 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4957 char *addrp, u16 family, u32 peer_sid,
4958 struct common_audit_data *ad)
4959 {
4960 int err;
4961 u32 if_sid;
4962 u32 node_sid;
4963
4964 err = sel_netif_sid(ns, ifindex, &if_sid);
4965 if (err)
4966 return err;
4967 err = avc_has_perm(&selinux_state,
4968 peer_sid, if_sid,
4969 SECCLASS_NETIF, NETIF__INGRESS, ad);
4970 if (err)
4971 return err;
4972
4973 err = sel_netnode_sid(addrp, family, &node_sid);
4974 if (err)
4975 return err;
4976 return avc_has_perm(&selinux_state,
4977 peer_sid, node_sid,
4978 SECCLASS_NODE, NODE__RECVFROM, ad);
4979 }
4980
4981 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4982 u16 family)
4983 {
4984 int err = 0;
4985 struct sk_security_struct *sksec = sk->sk_security;
4986 u32 sk_sid = sksec->sid;
4987 struct common_audit_data ad;
4988 struct lsm_network_audit net = {0,};
4989 char *addrp;
4990
4991 ad.type = LSM_AUDIT_DATA_NET;
4992 ad.u.net = &net;
4993 ad.u.net->netif = skb->skb_iif;
4994 ad.u.net->family = family;
4995 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4996 if (err)
4997 return err;
4998
4999 if (selinux_secmark_enabled()) {
5000 err = avc_has_perm(&selinux_state,
5001 sk_sid, skb->secmark, SECCLASS_PACKET,
5002 PACKET__RECV, &ad);
5003 if (err)
5004 return err;
5005 }
5006
5007 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5008 if (err)
5009 return err;
5010 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5011
5012 return err;
5013 }
5014
5015 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5016 {
5017 int err;
5018 struct sk_security_struct *sksec = sk->sk_security;
5019 u16 family = sk->sk_family;
5020 u32 sk_sid = sksec->sid;
5021 struct common_audit_data ad;
5022 struct lsm_network_audit net = {0,};
5023 char *addrp;
5024 u8 secmark_active;
5025 u8 peerlbl_active;
5026
5027 if (family != PF_INET && family != PF_INET6)
5028 return 0;
5029
5030 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5031 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5032 family = PF_INET;
5033
5034 /* If any sort of compatibility mode is enabled then handoff processing
5035 * to the selinux_sock_rcv_skb_compat() function to deal with the
5036 * special handling. We do this in an attempt to keep this function
5037 * as fast and as clean as possible. */
5038 if (!selinux_policycap_netpeer())
5039 return selinux_sock_rcv_skb_compat(sk, skb, family);
5040
5041 secmark_active = selinux_secmark_enabled();
5042 peerlbl_active = selinux_peerlbl_enabled();
5043 if (!secmark_active && !peerlbl_active)
5044 return 0;
5045
5046 ad.type = LSM_AUDIT_DATA_NET;
5047 ad.u.net = &net;
5048 ad.u.net->netif = skb->skb_iif;
5049 ad.u.net->family = family;
5050 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5051 if (err)
5052 return err;
5053
5054 if (peerlbl_active) {
5055 u32 peer_sid;
5056
5057 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5058 if (err)
5059 return err;
5060 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5061 addrp, family, peer_sid, &ad);
5062 if (err) {
5063 selinux_netlbl_err(skb, family, err, 0);
5064 return err;
5065 }
5066 err = avc_has_perm(&selinux_state,
5067 sk_sid, peer_sid, SECCLASS_PEER,
5068 PEER__RECV, &ad);
5069 if (err) {
5070 selinux_netlbl_err(skb, family, err, 0);
5071 return err;
5072 }
5073 }
5074
5075 if (secmark_active) {
5076 err = avc_has_perm(&selinux_state,
5077 sk_sid, skb->secmark, SECCLASS_PACKET,
5078 PACKET__RECV, &ad);
5079 if (err)
5080 return err;
5081 }
5082
5083 return err;
5084 }
5085
5086 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5087 int __user *optlen, unsigned len)
5088 {
5089 int err = 0;
5090 char *scontext;
5091 u32 scontext_len;
5092 struct sk_security_struct *sksec = sock->sk->sk_security;
5093 u32 peer_sid = SECSID_NULL;
5094
5095 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5096 sksec->sclass == SECCLASS_TCP_SOCKET ||
5097 sksec->sclass == SECCLASS_SCTP_SOCKET)
5098 peer_sid = sksec->peer_sid;
5099 if (peer_sid == SECSID_NULL)
5100 return -ENOPROTOOPT;
5101
5102 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5103 &scontext_len);
5104 if (err)
5105 return err;
5106
5107 if (scontext_len > len) {
5108 err = -ERANGE;
5109 goto out_len;
5110 }
5111
5112 if (copy_to_user(optval, scontext, scontext_len))
5113 err = -EFAULT;
5114
5115 out_len:
5116 if (put_user(scontext_len, optlen))
5117 err = -EFAULT;
5118 kfree(scontext);
5119 return err;
5120 }
5121
5122 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5123 {
5124 u32 peer_secid = SECSID_NULL;
5125 u16 family;
5126 struct inode_security_struct *isec;
5127
5128 if (skb && skb->protocol == htons(ETH_P_IP))
5129 family = PF_INET;
5130 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5131 family = PF_INET6;
5132 else if (sock)
5133 family = sock->sk->sk_family;
5134 else
5135 goto out;
5136
5137 if (sock && family == PF_UNIX) {
5138 isec = inode_security_novalidate(SOCK_INODE(sock));
5139 peer_secid = isec->sid;
5140 } else if (skb)
5141 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5142
5143 out:
5144 *secid = peer_secid;
5145 if (peer_secid == SECSID_NULL)
5146 return -EINVAL;
5147 return 0;
5148 }
5149
5150 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5151 {
5152 struct sk_security_struct *sksec;
5153
5154 sksec = kzalloc(sizeof(*sksec), priority);
5155 if (!sksec)
5156 return -ENOMEM;
5157
5158 sksec->peer_sid = SECINITSID_UNLABELED;
5159 sksec->sid = SECINITSID_UNLABELED;
5160 sksec->sclass = SECCLASS_SOCKET;
5161 selinux_netlbl_sk_security_reset(sksec);
5162 sk->sk_security = sksec;
5163
5164 return 0;
5165 }
5166
5167 static void selinux_sk_free_security(struct sock *sk)
5168 {
5169 struct sk_security_struct *sksec = sk->sk_security;
5170
5171 sk->sk_security = NULL;
5172 selinux_netlbl_sk_security_free(sksec);
5173 kfree(sksec);
5174 }
5175
5176 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5177 {
5178 struct sk_security_struct *sksec = sk->sk_security;
5179 struct sk_security_struct *newsksec = newsk->sk_security;
5180
5181 newsksec->sid = sksec->sid;
5182 newsksec->peer_sid = sksec->peer_sid;
5183 newsksec->sclass = sksec->sclass;
5184
5185 selinux_netlbl_sk_security_reset(newsksec);
5186 }
5187
5188 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5189 {
5190 if (!sk)
5191 *secid = SECINITSID_ANY_SOCKET;
5192 else {
5193 struct sk_security_struct *sksec = sk->sk_security;
5194
5195 *secid = sksec->sid;
5196 }
5197 }
5198
5199 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5200 {
5201 struct inode_security_struct *isec =
5202 inode_security_novalidate(SOCK_INODE(parent));
5203 struct sk_security_struct *sksec = sk->sk_security;
5204
5205 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5206 sk->sk_family == PF_UNIX)
5207 isec->sid = sksec->sid;
5208 sksec->sclass = isec->sclass;
5209 }
5210
5211 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5212 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5213 * already present).
5214 */
5215 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5216 struct sk_buff *skb)
5217 {
5218 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5219 struct common_audit_data ad;
5220 struct lsm_network_audit net = {0,};
5221 u8 peerlbl_active;
5222 u32 peer_sid = SECINITSID_UNLABELED;
5223 u32 conn_sid;
5224 int err = 0;
5225
5226 if (!selinux_policycap_extsockclass())
5227 return 0;
5228
5229 peerlbl_active = selinux_peerlbl_enabled();
5230
5231 if (peerlbl_active) {
5232 /* This will return peer_sid = SECSID_NULL if there are
5233 * no peer labels, see security_net_peersid_resolve().
5234 */
5235 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5236 &peer_sid);
5237 if (err)
5238 return err;
5239
5240 if (peer_sid == SECSID_NULL)
5241 peer_sid = SECINITSID_UNLABELED;
5242 }
5243
5244 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5245 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5246
5247 /* Here as first association on socket. As the peer SID
5248 * was allowed by peer recv (and the netif/node checks),
5249 * then it is approved by policy and used as the primary
5250 * peer SID for getpeercon(3).
5251 */
5252 sksec->peer_sid = peer_sid;
5253 } else if (sksec->peer_sid != peer_sid) {
5254 /* Other association peer SIDs are checked to enforce
5255 * consistency among the peer SIDs.
5256 */
5257 ad.type = LSM_AUDIT_DATA_NET;
5258 ad.u.net = &net;
5259 ad.u.net->sk = ep->base.sk;
5260 err = avc_has_perm(&selinux_state,
5261 sksec->peer_sid, peer_sid, sksec->sclass,
5262 SCTP_SOCKET__ASSOCIATION, &ad);
5263 if (err)
5264 return err;
5265 }
5266
5267 /* Compute the MLS component for the connection and store
5268 * the information in ep. This will be used by SCTP TCP type
5269 * sockets and peeled off connections as they cause a new
5270 * socket to be generated. selinux_sctp_sk_clone() will then
5271 * plug this into the new socket.
5272 */
5273 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5274 if (err)
5275 return err;
5276
5277 ep->secid = conn_sid;
5278 ep->peer_secid = peer_sid;
5279
5280 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5281 return selinux_netlbl_sctp_assoc_request(ep, skb);
5282 }
5283
5284 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5285 * based on their @optname.
5286 */
5287 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5288 struct sockaddr *address,
5289 int addrlen)
5290 {
5291 int len, err = 0, walk_size = 0;
5292 void *addr_buf;
5293 struct sockaddr *addr;
5294 struct socket *sock;
5295
5296 if (!selinux_policycap_extsockclass())
5297 return 0;
5298
5299 /* Process one or more addresses that may be IPv4 or IPv6 */
5300 sock = sk->sk_socket;
5301 addr_buf = address;
5302
5303 while (walk_size < addrlen) {
5304 addr = addr_buf;
5305 switch (addr->sa_family) {
5306 case AF_UNSPEC:
5307 case AF_INET:
5308 len = sizeof(struct sockaddr_in);
5309 break;
5310 case AF_INET6:
5311 len = sizeof(struct sockaddr_in6);
5312 break;
5313 default:
5314 return -EINVAL;
5315 }
5316
5317 err = -EINVAL;
5318 switch (optname) {
5319 /* Bind checks */
5320 case SCTP_PRIMARY_ADDR:
5321 case SCTP_SET_PEER_PRIMARY_ADDR:
5322 case SCTP_SOCKOPT_BINDX_ADD:
5323 err = selinux_socket_bind(sock, addr, len);
5324 break;
5325 /* Connect checks */
5326 case SCTP_SOCKOPT_CONNECTX:
5327 case SCTP_PARAM_SET_PRIMARY:
5328 case SCTP_PARAM_ADD_IP:
5329 case SCTP_SENDMSG_CONNECT:
5330 err = selinux_socket_connect_helper(sock, addr, len);
5331 if (err)
5332 return err;
5333
5334 /* As selinux_sctp_bind_connect() is called by the
5335 * SCTP protocol layer, the socket is already locked,
5336 * therefore selinux_netlbl_socket_connect_locked() is
5337 * is called here. The situations handled are:
5338 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5339 * whenever a new IP address is added or when a new
5340 * primary address is selected.
5341 * Note that an SCTP connect(2) call happens before
5342 * the SCTP protocol layer and is handled via
5343 * selinux_socket_connect().
5344 */
5345 err = selinux_netlbl_socket_connect_locked(sk, addr);
5346 break;
5347 }
5348
5349 if (err)
5350 return err;
5351
5352 addr_buf += len;
5353 walk_size += len;
5354 }
5355
5356 return 0;
5357 }
5358
5359 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5360 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5361 struct sock *newsk)
5362 {
5363 struct sk_security_struct *sksec = sk->sk_security;
5364 struct sk_security_struct *newsksec = newsk->sk_security;
5365
5366 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5367 * the non-sctp clone version.
5368 */
5369 if (!selinux_policycap_extsockclass())
5370 return selinux_sk_clone_security(sk, newsk);
5371
5372 newsksec->sid = ep->secid;
5373 newsksec->peer_sid = ep->peer_secid;
5374 newsksec->sclass = sksec->sclass;
5375 selinux_netlbl_sctp_sk_clone(sk, newsk);
5376 }
5377
5378 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5379 struct request_sock *req)
5380 {
5381 struct sk_security_struct *sksec = sk->sk_security;
5382 int err;
5383 u16 family = req->rsk_ops->family;
5384 u32 connsid;
5385 u32 peersid;
5386
5387 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5388 if (err)
5389 return err;
5390 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5391 if (err)
5392 return err;
5393 req->secid = connsid;
5394 req->peer_secid = peersid;
5395
5396 return selinux_netlbl_inet_conn_request(req, family);
5397 }
5398
5399 static void selinux_inet_csk_clone(struct sock *newsk,
5400 const struct request_sock *req)
5401 {
5402 struct sk_security_struct *newsksec = newsk->sk_security;
5403
5404 newsksec->sid = req->secid;
5405 newsksec->peer_sid = req->peer_secid;
5406 /* NOTE: Ideally, we should also get the isec->sid for the
5407 new socket in sync, but we don't have the isec available yet.
5408 So we will wait until sock_graft to do it, by which
5409 time it will have been created and available. */
5410
5411 /* We don't need to take any sort of lock here as we are the only
5412 * thread with access to newsksec */
5413 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5414 }
5415
5416 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5417 {
5418 u16 family = sk->sk_family;
5419 struct sk_security_struct *sksec = sk->sk_security;
5420
5421 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5422 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5423 family = PF_INET;
5424
5425 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5426 }
5427
5428 static int selinux_secmark_relabel_packet(u32 sid)
5429 {
5430 const struct task_security_struct *__tsec;
5431 u32 tsid;
5432
5433 __tsec = current_security();
5434 tsid = __tsec->sid;
5435
5436 return avc_has_perm(&selinux_state,
5437 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5438 NULL);
5439 }
5440
5441 static void selinux_secmark_refcount_inc(void)
5442 {
5443 atomic_inc(&selinux_secmark_refcount);
5444 }
5445
5446 static void selinux_secmark_refcount_dec(void)
5447 {
5448 atomic_dec(&selinux_secmark_refcount);
5449 }
5450
5451 static void selinux_req_classify_flow(const struct request_sock *req,
5452 struct flowi *fl)
5453 {
5454 fl->flowi_secid = req->secid;
5455 }
5456
5457 static int selinux_tun_dev_alloc_security(void **security)
5458 {
5459 struct tun_security_struct *tunsec;
5460
5461 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5462 if (!tunsec)
5463 return -ENOMEM;
5464 tunsec->sid = current_sid();
5465
5466 *security = tunsec;
5467 return 0;
5468 }
5469
5470 static void selinux_tun_dev_free_security(void *security)
5471 {
5472 kfree(security);
5473 }
5474
5475 static int selinux_tun_dev_create(void)
5476 {
5477 u32 sid = current_sid();
5478
5479 /* we aren't taking into account the "sockcreate" SID since the socket
5480 * that is being created here is not a socket in the traditional sense,
5481 * instead it is a private sock, accessible only to the kernel, and
5482 * representing a wide range of network traffic spanning multiple
5483 * connections unlike traditional sockets - check the TUN driver to
5484 * get a better understanding of why this socket is special */
5485
5486 return avc_has_perm(&selinux_state,
5487 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5488 NULL);
5489 }
5490
5491 static int selinux_tun_dev_attach_queue(void *security)
5492 {
5493 struct tun_security_struct *tunsec = security;
5494
5495 return avc_has_perm(&selinux_state,
5496 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5497 TUN_SOCKET__ATTACH_QUEUE, NULL);
5498 }
5499
5500 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5501 {
5502 struct tun_security_struct *tunsec = security;
5503 struct sk_security_struct *sksec = sk->sk_security;
5504
5505 /* we don't currently perform any NetLabel based labeling here and it
5506 * isn't clear that we would want to do so anyway; while we could apply
5507 * labeling without the support of the TUN user the resulting labeled
5508 * traffic from the other end of the connection would almost certainly
5509 * cause confusion to the TUN user that had no idea network labeling
5510 * protocols were being used */
5511
5512 sksec->sid = tunsec->sid;
5513 sksec->sclass = SECCLASS_TUN_SOCKET;
5514
5515 return 0;
5516 }
5517
5518 static int selinux_tun_dev_open(void *security)
5519 {
5520 struct tun_security_struct *tunsec = security;
5521 u32 sid = current_sid();
5522 int err;
5523
5524 err = avc_has_perm(&selinux_state,
5525 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5526 TUN_SOCKET__RELABELFROM, NULL);
5527 if (err)
5528 return err;
5529 err = avc_has_perm(&selinux_state,
5530 sid, sid, SECCLASS_TUN_SOCKET,
5531 TUN_SOCKET__RELABELTO, NULL);
5532 if (err)
5533 return err;
5534 tunsec->sid = sid;
5535
5536 return 0;
5537 }
5538
5539 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5540 {
5541 int err = 0;
5542 u32 perm;
5543 struct nlmsghdr *nlh;
5544 struct sk_security_struct *sksec = sk->sk_security;
5545
5546 if (skb->len < NLMSG_HDRLEN) {
5547 err = -EINVAL;
5548 goto out;
5549 }
5550 nlh = nlmsg_hdr(skb);
5551
5552 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5553 if (err) {
5554 if (err == -EINVAL) {
5555 pr_warn_ratelimited("SELinux: unrecognized netlink"
5556 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5557 " pig=%d comm=%s\n",
5558 sk->sk_protocol, nlh->nlmsg_type,
5559 secclass_map[sksec->sclass - 1].name,
5560 task_pid_nr(current), current->comm);
5561 if (!enforcing_enabled(&selinux_state) ||
5562 security_get_allow_unknown(&selinux_state))
5563 err = 0;
5564 }
5565
5566 /* Ignore */
5567 if (err == -ENOENT)
5568 err = 0;
5569 goto out;
5570 }
5571
5572 err = sock_has_perm(sk, perm);
5573 out:
5574 return err;
5575 }
5576
5577 #ifdef CONFIG_NETFILTER
5578
5579 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5580 const struct net_device *indev,
5581 u16 family)
5582 {
5583 int err;
5584 char *addrp;
5585 u32 peer_sid;
5586 struct common_audit_data ad;
5587 struct lsm_network_audit net = {0,};
5588 u8 secmark_active;
5589 u8 netlbl_active;
5590 u8 peerlbl_active;
5591
5592 if (!selinux_policycap_netpeer())
5593 return NF_ACCEPT;
5594
5595 secmark_active = selinux_secmark_enabled();
5596 netlbl_active = netlbl_enabled();
5597 peerlbl_active = selinux_peerlbl_enabled();
5598 if (!secmark_active && !peerlbl_active)
5599 return NF_ACCEPT;
5600
5601 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5602 return NF_DROP;
5603
5604 ad.type = LSM_AUDIT_DATA_NET;
5605 ad.u.net = &net;
5606 ad.u.net->netif = indev->ifindex;
5607 ad.u.net->family = family;
5608 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5609 return NF_DROP;
5610
5611 if (peerlbl_active) {
5612 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5613 addrp, family, peer_sid, &ad);
5614 if (err) {
5615 selinux_netlbl_err(skb, family, err, 1);
5616 return NF_DROP;
5617 }
5618 }
5619
5620 if (secmark_active)
5621 if (avc_has_perm(&selinux_state,
5622 peer_sid, skb->secmark,
5623 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5624 return NF_DROP;
5625
5626 if (netlbl_active)
5627 /* we do this in the FORWARD path and not the POST_ROUTING
5628 * path because we want to make sure we apply the necessary
5629 * labeling before IPsec is applied so we can leverage AH
5630 * protection */
5631 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5632 return NF_DROP;
5633
5634 return NF_ACCEPT;
5635 }
5636
5637 static unsigned int selinux_ipv4_forward(void *priv,
5638 struct sk_buff *skb,
5639 const struct nf_hook_state *state)
5640 {
5641 return selinux_ip_forward(skb, state->in, PF_INET);
5642 }
5643
5644 #if IS_ENABLED(CONFIG_IPV6)
5645 static unsigned int selinux_ipv6_forward(void *priv,
5646 struct sk_buff *skb,
5647 const struct nf_hook_state *state)
5648 {
5649 return selinux_ip_forward(skb, state->in, PF_INET6);
5650 }
5651 #endif /* IPV6 */
5652
5653 static unsigned int selinux_ip_output(struct sk_buff *skb,
5654 u16 family)
5655 {
5656 struct sock *sk;
5657 u32 sid;
5658
5659 if (!netlbl_enabled())
5660 return NF_ACCEPT;
5661
5662 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5663 * because we want to make sure we apply the necessary labeling
5664 * before IPsec is applied so we can leverage AH protection */
5665 sk = skb->sk;
5666 if (sk) {
5667 struct sk_security_struct *sksec;
5668
5669 if (sk_listener(sk))
5670 /* if the socket is the listening state then this
5671 * packet is a SYN-ACK packet which means it needs to
5672 * be labeled based on the connection/request_sock and
5673 * not the parent socket. unfortunately, we can't
5674 * lookup the request_sock yet as it isn't queued on
5675 * the parent socket until after the SYN-ACK is sent.
5676 * the "solution" is to simply pass the packet as-is
5677 * as any IP option based labeling should be copied
5678 * from the initial connection request (in the IP
5679 * layer). it is far from ideal, but until we get a
5680 * security label in the packet itself this is the
5681 * best we can do. */
5682 return NF_ACCEPT;
5683
5684 /* standard practice, label using the parent socket */
5685 sksec = sk->sk_security;
5686 sid = sksec->sid;
5687 } else
5688 sid = SECINITSID_KERNEL;
5689 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5690 return NF_DROP;
5691
5692 return NF_ACCEPT;
5693 }
5694
5695 static unsigned int selinux_ipv4_output(void *priv,
5696 struct sk_buff *skb,
5697 const struct nf_hook_state *state)
5698 {
5699 return selinux_ip_output(skb, PF_INET);
5700 }
5701
5702 #if IS_ENABLED(CONFIG_IPV6)
5703 static unsigned int selinux_ipv6_output(void *priv,
5704 struct sk_buff *skb,
5705 const struct nf_hook_state *state)
5706 {
5707 return selinux_ip_output(skb, PF_INET6);
5708 }
5709 #endif /* IPV6 */
5710
5711 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5712 int ifindex,
5713 u16 family)
5714 {
5715 struct sock *sk = skb_to_full_sk(skb);
5716 struct sk_security_struct *sksec;
5717 struct common_audit_data ad;
5718 struct lsm_network_audit net = {0,};
5719 char *addrp;
5720 u8 proto;
5721
5722 if (sk == NULL)
5723 return NF_ACCEPT;
5724 sksec = sk->sk_security;
5725
5726 ad.type = LSM_AUDIT_DATA_NET;
5727 ad.u.net = &net;
5728 ad.u.net->netif = ifindex;
5729 ad.u.net->family = family;
5730 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5731 return NF_DROP;
5732
5733 if (selinux_secmark_enabled())
5734 if (avc_has_perm(&selinux_state,
5735 sksec->sid, skb->secmark,
5736 SECCLASS_PACKET, PACKET__SEND, &ad))
5737 return NF_DROP_ERR(-ECONNREFUSED);
5738
5739 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5740 return NF_DROP_ERR(-ECONNREFUSED);
5741
5742 return NF_ACCEPT;
5743 }
5744
5745 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5746 const struct net_device *outdev,
5747 u16 family)
5748 {
5749 u32 secmark_perm;
5750 u32 peer_sid;
5751 int ifindex = outdev->ifindex;
5752 struct sock *sk;
5753 struct common_audit_data ad;
5754 struct lsm_network_audit net = {0,};
5755 char *addrp;
5756 u8 secmark_active;
5757 u8 peerlbl_active;
5758
5759 /* If any sort of compatibility mode is enabled then handoff processing
5760 * to the selinux_ip_postroute_compat() function to deal with the
5761 * special handling. We do this in an attempt to keep this function
5762 * as fast and as clean as possible. */
5763 if (!selinux_policycap_netpeer())
5764 return selinux_ip_postroute_compat(skb, ifindex, family);
5765
5766 secmark_active = selinux_secmark_enabled();
5767 peerlbl_active = selinux_peerlbl_enabled();
5768 if (!secmark_active && !peerlbl_active)
5769 return NF_ACCEPT;
5770
5771 sk = skb_to_full_sk(skb);
5772
5773 #ifdef CONFIG_XFRM
5774 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5775 * packet transformation so allow the packet to pass without any checks
5776 * since we'll have another chance to perform access control checks
5777 * when the packet is on it's final way out.
5778 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5779 * is NULL, in this case go ahead and apply access control.
5780 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5781 * TCP listening state we cannot wait until the XFRM processing
5782 * is done as we will miss out on the SA label if we do;
5783 * unfortunately, this means more work, but it is only once per
5784 * connection. */
5785 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5786 !(sk && sk_listener(sk)))
5787 return NF_ACCEPT;
5788 #endif
5789
5790 if (sk == NULL) {
5791 /* Without an associated socket the packet is either coming
5792 * from the kernel or it is being forwarded; check the packet
5793 * to determine which and if the packet is being forwarded
5794 * query the packet directly to determine the security label. */
5795 if (skb->skb_iif) {
5796 secmark_perm = PACKET__FORWARD_OUT;
5797 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5798 return NF_DROP;
5799 } else {
5800 secmark_perm = PACKET__SEND;
5801 peer_sid = SECINITSID_KERNEL;
5802 }
5803 } else if (sk_listener(sk)) {
5804 /* Locally generated packet but the associated socket is in the
5805 * listening state which means this is a SYN-ACK packet. In
5806 * this particular case the correct security label is assigned
5807 * to the connection/request_sock but unfortunately we can't
5808 * query the request_sock as it isn't queued on the parent
5809 * socket until after the SYN-ACK packet is sent; the only
5810 * viable choice is to regenerate the label like we do in
5811 * selinux_inet_conn_request(). See also selinux_ip_output()
5812 * for similar problems. */
5813 u32 skb_sid;
5814 struct sk_security_struct *sksec;
5815
5816 sksec = sk->sk_security;
5817 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5818 return NF_DROP;
5819 /* At this point, if the returned skb peerlbl is SECSID_NULL
5820 * and the packet has been through at least one XFRM
5821 * transformation then we must be dealing with the "final"
5822 * form of labeled IPsec packet; since we've already applied
5823 * all of our access controls on this packet we can safely
5824 * pass the packet. */
5825 if (skb_sid == SECSID_NULL) {
5826 switch (family) {
5827 case PF_INET:
5828 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5829 return NF_ACCEPT;
5830 break;
5831 case PF_INET6:
5832 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5833 return NF_ACCEPT;
5834 break;
5835 default:
5836 return NF_DROP_ERR(-ECONNREFUSED);
5837 }
5838 }
5839 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5840 return NF_DROP;
5841 secmark_perm = PACKET__SEND;
5842 } else {
5843 /* Locally generated packet, fetch the security label from the
5844 * associated socket. */
5845 struct sk_security_struct *sksec = sk->sk_security;
5846 peer_sid = sksec->sid;
5847 secmark_perm = PACKET__SEND;
5848 }
5849
5850 ad.type = LSM_AUDIT_DATA_NET;
5851 ad.u.net = &net;
5852 ad.u.net->netif = ifindex;
5853 ad.u.net->family = family;
5854 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5855 return NF_DROP;
5856
5857 if (secmark_active)
5858 if (avc_has_perm(&selinux_state,
5859 peer_sid, skb->secmark,
5860 SECCLASS_PACKET, secmark_perm, &ad))
5861 return NF_DROP_ERR(-ECONNREFUSED);
5862
5863 if (peerlbl_active) {
5864 u32 if_sid;
5865 u32 node_sid;
5866
5867 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5868 return NF_DROP;
5869 if (avc_has_perm(&selinux_state,
5870 peer_sid, if_sid,
5871 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5872 return NF_DROP_ERR(-ECONNREFUSED);
5873
5874 if (sel_netnode_sid(addrp, family, &node_sid))
5875 return NF_DROP;
5876 if (avc_has_perm(&selinux_state,
5877 peer_sid, node_sid,
5878 SECCLASS_NODE, NODE__SENDTO, &ad))
5879 return NF_DROP_ERR(-ECONNREFUSED);
5880 }
5881
5882 return NF_ACCEPT;
5883 }
5884
5885 static unsigned int selinux_ipv4_postroute(void *priv,
5886 struct sk_buff *skb,
5887 const struct nf_hook_state *state)
5888 {
5889 return selinux_ip_postroute(skb, state->out, PF_INET);
5890 }
5891
5892 #if IS_ENABLED(CONFIG_IPV6)
5893 static unsigned int selinux_ipv6_postroute(void *priv,
5894 struct sk_buff *skb,
5895 const struct nf_hook_state *state)
5896 {
5897 return selinux_ip_postroute(skb, state->out, PF_INET6);
5898 }
5899 #endif /* IPV6 */
5900
5901 #endif /* CONFIG_NETFILTER */
5902
5903 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5904 {
5905 return selinux_nlmsg_perm(sk, skb);
5906 }
5907
5908 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5909 u16 sclass)
5910 {
5911 struct ipc_security_struct *isec;
5912
5913 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5914 if (!isec)
5915 return -ENOMEM;
5916
5917 isec->sclass = sclass;
5918 isec->sid = current_sid();
5919 perm->security = isec;
5920
5921 return 0;
5922 }
5923
5924 static void ipc_free_security(struct kern_ipc_perm *perm)
5925 {
5926 struct ipc_security_struct *isec = perm->security;
5927 perm->security = NULL;
5928 kfree(isec);
5929 }
5930
5931 static int msg_msg_alloc_security(struct msg_msg *msg)
5932 {
5933 struct msg_security_struct *msec;
5934
5935 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5936 if (!msec)
5937 return -ENOMEM;
5938
5939 msec->sid = SECINITSID_UNLABELED;
5940 msg->security = msec;
5941
5942 return 0;
5943 }
5944
5945 static void msg_msg_free_security(struct msg_msg *msg)
5946 {
5947 struct msg_security_struct *msec = msg->security;
5948
5949 msg->security = NULL;
5950 kfree(msec);
5951 }
5952
5953 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5954 u32 perms)
5955 {
5956 struct ipc_security_struct *isec;
5957 struct common_audit_data ad;
5958 u32 sid = current_sid();
5959
5960 isec = ipc_perms->security;
5961
5962 ad.type = LSM_AUDIT_DATA_IPC;
5963 ad.u.ipc_id = ipc_perms->key;
5964
5965 return avc_has_perm(&selinux_state,
5966 sid, isec->sid, isec->sclass, perms, &ad);
5967 }
5968
5969 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5970 {
5971 return msg_msg_alloc_security(msg);
5972 }
5973
5974 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5975 {
5976 msg_msg_free_security(msg);
5977 }
5978
5979 /* message queue security operations */
5980 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5981 {
5982 struct ipc_security_struct *isec;
5983 struct common_audit_data ad;
5984 u32 sid = current_sid();
5985 int rc;
5986
5987 rc = ipc_alloc_security(msq, SECCLASS_MSGQ);
5988 if (rc)
5989 return rc;
5990
5991 isec = msq->security;
5992
5993 ad.type = LSM_AUDIT_DATA_IPC;
5994 ad.u.ipc_id = msq->key;
5995
5996 rc = avc_has_perm(&selinux_state,
5997 sid, isec->sid, SECCLASS_MSGQ,
5998 MSGQ__CREATE, &ad);
5999 if (rc) {
6000 ipc_free_security(msq);
6001 return rc;
6002 }
6003 return 0;
6004 }
6005
6006 static void selinux_msg_queue_free_security(struct kern_ipc_perm *msq)
6007 {
6008 ipc_free_security(msq);
6009 }
6010
6011 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6012 {
6013 struct ipc_security_struct *isec;
6014 struct common_audit_data ad;
6015 u32 sid = current_sid();
6016
6017 isec = msq->security;
6018
6019 ad.type = LSM_AUDIT_DATA_IPC;
6020 ad.u.ipc_id = msq->key;
6021
6022 return avc_has_perm(&selinux_state,
6023 sid, isec->sid, SECCLASS_MSGQ,
6024 MSGQ__ASSOCIATE, &ad);
6025 }
6026
6027 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6028 {
6029 int err;
6030 int perms;
6031
6032 switch (cmd) {
6033 case IPC_INFO:
6034 case MSG_INFO:
6035 /* No specific object, just general system-wide information. */
6036 return avc_has_perm(&selinux_state,
6037 current_sid(), SECINITSID_KERNEL,
6038 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6039 case IPC_STAT:
6040 case MSG_STAT:
6041 case MSG_STAT_ANY:
6042 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6043 break;
6044 case IPC_SET:
6045 perms = MSGQ__SETATTR;
6046 break;
6047 case IPC_RMID:
6048 perms = MSGQ__DESTROY;
6049 break;
6050 default:
6051 return 0;
6052 }
6053
6054 err = ipc_has_perm(msq, perms);
6055 return err;
6056 }
6057
6058 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6059 {
6060 struct ipc_security_struct *isec;
6061 struct msg_security_struct *msec;
6062 struct common_audit_data ad;
6063 u32 sid = current_sid();
6064 int rc;
6065
6066 isec = msq->security;
6067 msec = msg->security;
6068
6069 /*
6070 * First time through, need to assign label to the message
6071 */
6072 if (msec->sid == SECINITSID_UNLABELED) {
6073 /*
6074 * Compute new sid based on current process and
6075 * message queue this message will be stored in
6076 */
6077 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6078 SECCLASS_MSG, NULL, &msec->sid);
6079 if (rc)
6080 return rc;
6081 }
6082
6083 ad.type = LSM_AUDIT_DATA_IPC;
6084 ad.u.ipc_id = msq->key;
6085
6086 /* Can this process write to the queue? */
6087 rc = avc_has_perm(&selinux_state,
6088 sid, isec->sid, SECCLASS_MSGQ,
6089 MSGQ__WRITE, &ad);
6090 if (!rc)
6091 /* Can this process send the message */
6092 rc = avc_has_perm(&selinux_state,
6093 sid, msec->sid, SECCLASS_MSG,
6094 MSG__SEND, &ad);
6095 if (!rc)
6096 /* Can the message be put in the queue? */
6097 rc = avc_has_perm(&selinux_state,
6098 msec->sid, isec->sid, SECCLASS_MSGQ,
6099 MSGQ__ENQUEUE, &ad);
6100
6101 return rc;
6102 }
6103
6104 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6105 struct task_struct *target,
6106 long type, int mode)
6107 {
6108 struct ipc_security_struct *isec;
6109 struct msg_security_struct *msec;
6110 struct common_audit_data ad;
6111 u32 sid = task_sid(target);
6112 int rc;
6113
6114 isec = msq->security;
6115 msec = msg->security;
6116
6117 ad.type = LSM_AUDIT_DATA_IPC;
6118 ad.u.ipc_id = msq->key;
6119
6120 rc = avc_has_perm(&selinux_state,
6121 sid, isec->sid,
6122 SECCLASS_MSGQ, MSGQ__READ, &ad);
6123 if (!rc)
6124 rc = avc_has_perm(&selinux_state,
6125 sid, msec->sid,
6126 SECCLASS_MSG, MSG__RECEIVE, &ad);
6127 return rc;
6128 }
6129
6130 /* Shared Memory security operations */
6131 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6132 {
6133 struct ipc_security_struct *isec;
6134 struct common_audit_data ad;
6135 u32 sid = current_sid();
6136 int rc;
6137
6138 rc = ipc_alloc_security(shp, SECCLASS_SHM);
6139 if (rc)
6140 return rc;
6141
6142 isec = shp->security;
6143
6144 ad.type = LSM_AUDIT_DATA_IPC;
6145 ad.u.ipc_id = shp->key;
6146
6147 rc = avc_has_perm(&selinux_state,
6148 sid, isec->sid, SECCLASS_SHM,
6149 SHM__CREATE, &ad);
6150 if (rc) {
6151 ipc_free_security(shp);
6152 return rc;
6153 }
6154 return 0;
6155 }
6156
6157 static void selinux_shm_free_security(struct kern_ipc_perm *shp)
6158 {
6159 ipc_free_security(shp);
6160 }
6161
6162 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6163 {
6164 struct ipc_security_struct *isec;
6165 struct common_audit_data ad;
6166 u32 sid = current_sid();
6167
6168 isec = shp->security;
6169
6170 ad.type = LSM_AUDIT_DATA_IPC;
6171 ad.u.ipc_id = shp->key;
6172
6173 return avc_has_perm(&selinux_state,
6174 sid, isec->sid, SECCLASS_SHM,
6175 SHM__ASSOCIATE, &ad);
6176 }
6177
6178 /* Note, at this point, shp is locked down */
6179 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6180 {
6181 int perms;
6182 int err;
6183
6184 switch (cmd) {
6185 case IPC_INFO:
6186 case SHM_INFO:
6187 /* No specific object, just general system-wide information. */
6188 return avc_has_perm(&selinux_state,
6189 current_sid(), SECINITSID_KERNEL,
6190 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6191 case IPC_STAT:
6192 case SHM_STAT:
6193 case SHM_STAT_ANY:
6194 perms = SHM__GETATTR | SHM__ASSOCIATE;
6195 break;
6196 case IPC_SET:
6197 perms = SHM__SETATTR;
6198 break;
6199 case SHM_LOCK:
6200 case SHM_UNLOCK:
6201 perms = SHM__LOCK;
6202 break;
6203 case IPC_RMID:
6204 perms = SHM__DESTROY;
6205 break;
6206 default:
6207 return 0;
6208 }
6209
6210 err = ipc_has_perm(shp, perms);
6211 return err;
6212 }
6213
6214 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6215 char __user *shmaddr, int shmflg)
6216 {
6217 u32 perms;
6218
6219 if (shmflg & SHM_RDONLY)
6220 perms = SHM__READ;
6221 else
6222 perms = SHM__READ | SHM__WRITE;
6223
6224 return ipc_has_perm(shp, perms);
6225 }
6226
6227 /* Semaphore security operations */
6228 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6229 {
6230 struct ipc_security_struct *isec;
6231 struct common_audit_data ad;
6232 u32 sid = current_sid();
6233 int rc;
6234
6235 rc = ipc_alloc_security(sma, SECCLASS_SEM);
6236 if (rc)
6237 return rc;
6238
6239 isec = sma->security;
6240
6241 ad.type = LSM_AUDIT_DATA_IPC;
6242 ad.u.ipc_id = sma->key;
6243
6244 rc = avc_has_perm(&selinux_state,
6245 sid, isec->sid, SECCLASS_SEM,
6246 SEM__CREATE, &ad);
6247 if (rc) {
6248 ipc_free_security(sma);
6249 return rc;
6250 }
6251 return 0;
6252 }
6253
6254 static void selinux_sem_free_security(struct kern_ipc_perm *sma)
6255 {
6256 ipc_free_security(sma);
6257 }
6258
6259 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6260 {
6261 struct ipc_security_struct *isec;
6262 struct common_audit_data ad;
6263 u32 sid = current_sid();
6264
6265 isec = sma->security;
6266
6267 ad.type = LSM_AUDIT_DATA_IPC;
6268 ad.u.ipc_id = sma->key;
6269
6270 return avc_has_perm(&selinux_state,
6271 sid, isec->sid, SECCLASS_SEM,
6272 SEM__ASSOCIATE, &ad);
6273 }
6274
6275 /* Note, at this point, sma is locked down */
6276 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6277 {
6278 int err;
6279 u32 perms;
6280
6281 switch (cmd) {
6282 case IPC_INFO:
6283 case SEM_INFO:
6284 /* No specific object, just general system-wide information. */
6285 return avc_has_perm(&selinux_state,
6286 current_sid(), SECINITSID_KERNEL,
6287 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6288 case GETPID:
6289 case GETNCNT:
6290 case GETZCNT:
6291 perms = SEM__GETATTR;
6292 break;
6293 case GETVAL:
6294 case GETALL:
6295 perms = SEM__READ;
6296 break;
6297 case SETVAL:
6298 case SETALL:
6299 perms = SEM__WRITE;
6300 break;
6301 case IPC_RMID:
6302 perms = SEM__DESTROY;
6303 break;
6304 case IPC_SET:
6305 perms = SEM__SETATTR;
6306 break;
6307 case IPC_STAT:
6308 case SEM_STAT:
6309 case SEM_STAT_ANY:
6310 perms = SEM__GETATTR | SEM__ASSOCIATE;
6311 break;
6312 default:
6313 return 0;
6314 }
6315
6316 err = ipc_has_perm(sma, perms);
6317 return err;
6318 }
6319
6320 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6321 struct sembuf *sops, unsigned nsops, int alter)
6322 {
6323 u32 perms;
6324
6325 if (alter)
6326 perms = SEM__READ | SEM__WRITE;
6327 else
6328 perms = SEM__READ;
6329
6330 return ipc_has_perm(sma, perms);
6331 }
6332
6333 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6334 {
6335 u32 av = 0;
6336
6337 av = 0;
6338 if (flag & S_IRUGO)
6339 av |= IPC__UNIX_READ;
6340 if (flag & S_IWUGO)
6341 av |= IPC__UNIX_WRITE;
6342
6343 if (av == 0)
6344 return 0;
6345
6346 return ipc_has_perm(ipcp, av);
6347 }
6348
6349 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6350 {
6351 struct ipc_security_struct *isec = ipcp->security;
6352 *secid = isec->sid;
6353 }
6354
6355 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6356 {
6357 if (inode)
6358 inode_doinit_with_dentry(inode, dentry);
6359 }
6360
6361 static int selinux_getprocattr(struct task_struct *p,
6362 char *name, char **value)
6363 {
6364 const struct task_security_struct *__tsec;
6365 u32 sid;
6366 int error;
6367 unsigned len;
6368
6369 rcu_read_lock();
6370 __tsec = __task_cred(p)->security;
6371
6372 if (current != p) {
6373 error = avc_has_perm(&selinux_state,
6374 current_sid(), __tsec->sid,
6375 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6376 if (error)
6377 goto bad;
6378 }
6379
6380 if (!strcmp(name, "current"))
6381 sid = __tsec->sid;
6382 else if (!strcmp(name, "prev"))
6383 sid = __tsec->osid;
6384 else if (!strcmp(name, "exec"))
6385 sid = __tsec->exec_sid;
6386 else if (!strcmp(name, "fscreate"))
6387 sid = __tsec->create_sid;
6388 else if (!strcmp(name, "keycreate"))
6389 sid = __tsec->keycreate_sid;
6390 else if (!strcmp(name, "sockcreate"))
6391 sid = __tsec->sockcreate_sid;
6392 else {
6393 error = -EINVAL;
6394 goto bad;
6395 }
6396 rcu_read_unlock();
6397
6398 if (!sid)
6399 return 0;
6400
6401 error = security_sid_to_context(&selinux_state, sid, value, &len);
6402 if (error)
6403 return error;
6404 return len;
6405
6406 bad:
6407 rcu_read_unlock();
6408 return error;
6409 }
6410
6411 static int selinux_setprocattr(const char *name, void *value, size_t size)
6412 {
6413 struct task_security_struct *tsec;
6414 struct cred *new;
6415 u32 mysid = current_sid(), sid = 0, ptsid;
6416 int error;
6417 char *str = value;
6418
6419 /*
6420 * Basic control over ability to set these attributes at all.
6421 */
6422 if (!strcmp(name, "exec"))
6423 error = avc_has_perm(&selinux_state,
6424 mysid, mysid, SECCLASS_PROCESS,
6425 PROCESS__SETEXEC, NULL);
6426 else if (!strcmp(name, "fscreate"))
6427 error = avc_has_perm(&selinux_state,
6428 mysid, mysid, SECCLASS_PROCESS,
6429 PROCESS__SETFSCREATE, NULL);
6430 else if (!strcmp(name, "keycreate"))
6431 error = avc_has_perm(&selinux_state,
6432 mysid, mysid, SECCLASS_PROCESS,
6433 PROCESS__SETKEYCREATE, NULL);
6434 else if (!strcmp(name, "sockcreate"))
6435 error = avc_has_perm(&selinux_state,
6436 mysid, mysid, SECCLASS_PROCESS,
6437 PROCESS__SETSOCKCREATE, NULL);
6438 else if (!strcmp(name, "current"))
6439 error = avc_has_perm(&selinux_state,
6440 mysid, mysid, SECCLASS_PROCESS,
6441 PROCESS__SETCURRENT, NULL);
6442 else
6443 error = -EINVAL;
6444 if (error)
6445 return error;
6446
6447 /* Obtain a SID for the context, if one was specified. */
6448 if (size && str[0] && str[0] != '\n') {
6449 if (str[size-1] == '\n') {
6450 str[size-1] = 0;
6451 size--;
6452 }
6453 error = security_context_to_sid(&selinux_state, value, size,
6454 &sid, GFP_KERNEL);
6455 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6456 if (!has_cap_mac_admin(true)) {
6457 struct audit_buffer *ab;
6458 size_t audit_size;
6459
6460 /* We strip a nul only if it is at the end, otherwise the
6461 * context contains a nul and we should audit that */
6462 if (str[size - 1] == '\0')
6463 audit_size = size - 1;
6464 else
6465 audit_size = size;
6466 ab = audit_log_start(audit_context(),
6467 GFP_ATOMIC,
6468 AUDIT_SELINUX_ERR);
6469 audit_log_format(ab, "op=fscreate invalid_context=");
6470 audit_log_n_untrustedstring(ab, value, audit_size);
6471 audit_log_end(ab);
6472
6473 return error;
6474 }
6475 error = security_context_to_sid_force(
6476 &selinux_state,
6477 value, size, &sid);
6478 }
6479 if (error)
6480 return error;
6481 }
6482
6483 new = prepare_creds();
6484 if (!new)
6485 return -ENOMEM;
6486
6487 /* Permission checking based on the specified context is
6488 performed during the actual operation (execve,
6489 open/mkdir/...), when we know the full context of the
6490 operation. See selinux_bprm_set_creds for the execve
6491 checks and may_create for the file creation checks. The
6492 operation will then fail if the context is not permitted. */
6493 tsec = new->security;
6494 if (!strcmp(name, "exec")) {
6495 tsec->exec_sid = sid;
6496 } else if (!strcmp(name, "fscreate")) {
6497 tsec->create_sid = sid;
6498 } else if (!strcmp(name, "keycreate")) {
6499 error = avc_has_perm(&selinux_state,
6500 mysid, sid, SECCLASS_KEY, KEY__CREATE,
6501 NULL);
6502 if (error)
6503 goto abort_change;
6504 tsec->keycreate_sid = sid;
6505 } else if (!strcmp(name, "sockcreate")) {
6506 tsec->sockcreate_sid = sid;
6507 } else if (!strcmp(name, "current")) {
6508 error = -EINVAL;
6509 if (sid == 0)
6510 goto abort_change;
6511
6512 /* Only allow single threaded processes to change context */
6513 error = -EPERM;
6514 if (!current_is_single_threaded()) {
6515 error = security_bounded_transition(&selinux_state,
6516 tsec->sid, sid);
6517 if (error)
6518 goto abort_change;
6519 }
6520
6521 /* Check permissions for the transition. */
6522 error = avc_has_perm(&selinux_state,
6523 tsec->sid, sid, SECCLASS_PROCESS,
6524 PROCESS__DYNTRANSITION, NULL);
6525 if (error)
6526 goto abort_change;
6527
6528 /* Check for ptracing, and update the task SID if ok.
6529 Otherwise, leave SID unchanged and fail. */
6530 ptsid = ptrace_parent_sid();
6531 if (ptsid != 0) {
6532 error = avc_has_perm(&selinux_state,
6533 ptsid, sid, SECCLASS_PROCESS,
6534 PROCESS__PTRACE, NULL);
6535 if (error)
6536 goto abort_change;
6537 }
6538
6539 tsec->sid = sid;
6540 } else {
6541 error = -EINVAL;
6542 goto abort_change;
6543 }
6544
6545 commit_creds(new);
6546 return size;
6547
6548 abort_change:
6549 abort_creds(new);
6550 return error;
6551 }
6552
6553 static int selinux_ismaclabel(const char *name)
6554 {
6555 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6556 }
6557
6558 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6559 {
6560 return security_sid_to_context(&selinux_state, secid,
6561 secdata, seclen);
6562 }
6563
6564 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6565 {
6566 return security_context_to_sid(&selinux_state, secdata, seclen,
6567 secid, GFP_KERNEL);
6568 }
6569
6570 static void selinux_release_secctx(char *secdata, u32 seclen)
6571 {
6572 kfree(secdata);
6573 }
6574
6575 static void selinux_inode_invalidate_secctx(struct inode *inode)
6576 {
6577 struct inode_security_struct *isec = inode->i_security;
6578
6579 spin_lock(&isec->lock);
6580 isec->initialized = LABEL_INVALID;
6581 spin_unlock(&isec->lock);
6582 }
6583
6584 /*
6585 * called with inode->i_mutex locked
6586 */
6587 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6588 {
6589 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6590 }
6591
6592 /*
6593 * called with inode->i_mutex locked
6594 */
6595 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6596 {
6597 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6598 }
6599
6600 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6601 {
6602 int len = 0;
6603 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6604 ctx, true);
6605 if (len < 0)
6606 return len;
6607 *ctxlen = len;
6608 return 0;
6609 }
6610 #ifdef CONFIG_KEYS
6611
6612 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6613 unsigned long flags)
6614 {
6615 const struct task_security_struct *tsec;
6616 struct key_security_struct *ksec;
6617
6618 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6619 if (!ksec)
6620 return -ENOMEM;
6621
6622 tsec = cred->security;
6623 if (tsec->keycreate_sid)
6624 ksec->sid = tsec->keycreate_sid;
6625 else
6626 ksec->sid = tsec->sid;
6627
6628 k->security = ksec;
6629 return 0;
6630 }
6631
6632 static void selinux_key_free(struct key *k)
6633 {
6634 struct key_security_struct *ksec = k->security;
6635
6636 k->security = NULL;
6637 kfree(ksec);
6638 }
6639
6640 static int selinux_key_permission(key_ref_t key_ref,
6641 const struct cred *cred,
6642 unsigned perm)
6643 {
6644 struct key *key;
6645 struct key_security_struct *ksec;
6646 u32 sid;
6647
6648 /* if no specific permissions are requested, we skip the
6649 permission check. No serious, additional covert channels
6650 appear to be created. */
6651 if (perm == 0)
6652 return 0;
6653
6654 sid = cred_sid(cred);
6655
6656 key = key_ref_to_ptr(key_ref);
6657 ksec = key->security;
6658
6659 return avc_has_perm(&selinux_state,
6660 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6661 }
6662
6663 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6664 {
6665 struct key_security_struct *ksec = key->security;
6666 char *context = NULL;
6667 unsigned len;
6668 int rc;
6669
6670 rc = security_sid_to_context(&selinux_state, ksec->sid,
6671 &context, &len);
6672 if (!rc)
6673 rc = len;
6674 *_buffer = context;
6675 return rc;
6676 }
6677 #endif
6678
6679 #ifdef CONFIG_SECURITY_INFINIBAND
6680 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6681 {
6682 struct common_audit_data ad;
6683 int err;
6684 u32 sid = 0;
6685 struct ib_security_struct *sec = ib_sec;
6686 struct lsm_ibpkey_audit ibpkey;
6687
6688 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6689 if (err)
6690 return err;
6691
6692 ad.type = LSM_AUDIT_DATA_IBPKEY;
6693 ibpkey.subnet_prefix = subnet_prefix;
6694 ibpkey.pkey = pkey_val;
6695 ad.u.ibpkey = &ibpkey;
6696 return avc_has_perm(&selinux_state,
6697 sec->sid, sid,
6698 SECCLASS_INFINIBAND_PKEY,
6699 INFINIBAND_PKEY__ACCESS, &ad);
6700 }
6701
6702 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6703 u8 port_num)
6704 {
6705 struct common_audit_data ad;
6706 int err;
6707 u32 sid = 0;
6708 struct ib_security_struct *sec = ib_sec;
6709 struct lsm_ibendport_audit ibendport;
6710
6711 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6712 &sid);
6713
6714 if (err)
6715 return err;
6716
6717 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6718 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6719 ibendport.port = port_num;
6720 ad.u.ibendport = &ibendport;
6721 return avc_has_perm(&selinux_state,
6722 sec->sid, sid,
6723 SECCLASS_INFINIBAND_ENDPORT,
6724 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6725 }
6726
6727 static int selinux_ib_alloc_security(void **ib_sec)
6728 {
6729 struct ib_security_struct *sec;
6730
6731 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6732 if (!sec)
6733 return -ENOMEM;
6734 sec->sid = current_sid();
6735
6736 *ib_sec = sec;
6737 return 0;
6738 }
6739
6740 static void selinux_ib_free_security(void *ib_sec)
6741 {
6742 kfree(ib_sec);
6743 }
6744 #endif
6745
6746 #ifdef CONFIG_BPF_SYSCALL
6747 static int selinux_bpf(int cmd, union bpf_attr *attr,
6748 unsigned int size)
6749 {
6750 u32 sid = current_sid();
6751 int ret;
6752
6753 switch (cmd) {
6754 case BPF_MAP_CREATE:
6755 ret = avc_has_perm(&selinux_state,
6756 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6757 NULL);
6758 break;
6759 case BPF_PROG_LOAD:
6760 ret = avc_has_perm(&selinux_state,
6761 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6762 NULL);
6763 break;
6764 default:
6765 ret = 0;
6766 break;
6767 }
6768
6769 return ret;
6770 }
6771
6772 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6773 {
6774 u32 av = 0;
6775
6776 if (fmode & FMODE_READ)
6777 av |= BPF__MAP_READ;
6778 if (fmode & FMODE_WRITE)
6779 av |= BPF__MAP_WRITE;
6780 return av;
6781 }
6782
6783 /* This function will check the file pass through unix socket or binder to see
6784 * if it is a bpf related object. And apply correspinding checks on the bpf
6785 * object based on the type. The bpf maps and programs, not like other files and
6786 * socket, are using a shared anonymous inode inside the kernel as their inode.
6787 * So checking that inode cannot identify if the process have privilege to
6788 * access the bpf object and that's why we have to add this additional check in
6789 * selinux_file_receive and selinux_binder_transfer_files.
6790 */
6791 static int bpf_fd_pass(struct file *file, u32 sid)
6792 {
6793 struct bpf_security_struct *bpfsec;
6794 struct bpf_prog *prog;
6795 struct bpf_map *map;
6796 int ret;
6797
6798 if (file->f_op == &bpf_map_fops) {
6799 map = file->private_data;
6800 bpfsec = map->security;
6801 ret = avc_has_perm(&selinux_state,
6802 sid, bpfsec->sid, SECCLASS_BPF,
6803 bpf_map_fmode_to_av(file->f_mode), NULL);
6804 if (ret)
6805 return ret;
6806 } else if (file->f_op == &bpf_prog_fops) {
6807 prog = file->private_data;
6808 bpfsec = prog->aux->security;
6809 ret = avc_has_perm(&selinux_state,
6810 sid, bpfsec->sid, SECCLASS_BPF,
6811 BPF__PROG_RUN, NULL);
6812 if (ret)
6813 return ret;
6814 }
6815 return 0;
6816 }
6817
6818 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6819 {
6820 u32 sid = current_sid();
6821 struct bpf_security_struct *bpfsec;
6822
6823 bpfsec = map->security;
6824 return avc_has_perm(&selinux_state,
6825 sid, bpfsec->sid, SECCLASS_BPF,
6826 bpf_map_fmode_to_av(fmode), NULL);
6827 }
6828
6829 static int selinux_bpf_prog(struct bpf_prog *prog)
6830 {
6831 u32 sid = current_sid();
6832 struct bpf_security_struct *bpfsec;
6833
6834 bpfsec = prog->aux->security;
6835 return avc_has_perm(&selinux_state,
6836 sid, bpfsec->sid, SECCLASS_BPF,
6837 BPF__PROG_RUN, NULL);
6838 }
6839
6840 static int selinux_bpf_map_alloc(struct bpf_map *map)
6841 {
6842 struct bpf_security_struct *bpfsec;
6843
6844 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6845 if (!bpfsec)
6846 return -ENOMEM;
6847
6848 bpfsec->sid = current_sid();
6849 map->security = bpfsec;
6850
6851 return 0;
6852 }
6853
6854 static void selinux_bpf_map_free(struct bpf_map *map)
6855 {
6856 struct bpf_security_struct *bpfsec = map->security;
6857
6858 map->security = NULL;
6859 kfree(bpfsec);
6860 }
6861
6862 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6863 {
6864 struct bpf_security_struct *bpfsec;
6865
6866 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6867 if (!bpfsec)
6868 return -ENOMEM;
6869
6870 bpfsec->sid = current_sid();
6871 aux->security = bpfsec;
6872
6873 return 0;
6874 }
6875
6876 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6877 {
6878 struct bpf_security_struct *bpfsec = aux->security;
6879
6880 aux->security = NULL;
6881 kfree(bpfsec);
6882 }
6883 #endif
6884
6885 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6886 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6887 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6888 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6889 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6890
6891 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6892 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6893 LSM_HOOK_INIT(capget, selinux_capget),
6894 LSM_HOOK_INIT(capset, selinux_capset),
6895 LSM_HOOK_INIT(capable, selinux_capable),
6896 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6897 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6898 LSM_HOOK_INIT(syslog, selinux_syslog),
6899 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6900
6901 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6902
6903 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6904 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6905 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6906
6907 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6908 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6909 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6910 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6911 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6912 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6913 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6914 LSM_HOOK_INIT(sb_mount, selinux_mount),
6915 LSM_HOOK_INIT(sb_umount, selinux_umount),
6916 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6917 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6918 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6919
6920 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6921 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6922
6923 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6924 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6925 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6926 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6927 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6928 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6929 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6930 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6931 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6932 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6933 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6934 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6935 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6936 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6937 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6938 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6939 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6940 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6941 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6942 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6943 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6944 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6945 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6946 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6947 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6948 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6949 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6950
6951 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6952 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6953 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6954 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6955 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6956 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6957 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6958 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6959 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6960 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6961 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6962 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6963
6964 LSM_HOOK_INIT(file_open, selinux_file_open),
6965
6966 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6967 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6968 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6969 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6970 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6971 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6972 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6973 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6974 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6975 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6976 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6977 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6978 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6979 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6980 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6981 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6982 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6983 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6984 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6985 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6986 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6987 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6988 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6989 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6990
6991 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6992 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6993
6994 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6995 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6996
6997 LSM_HOOK_INIT(msg_queue_alloc_security,
6998 selinux_msg_queue_alloc_security),
6999 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
7000 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7001 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7002 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7003 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7004
7005 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7006 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
7007 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7008 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7009 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7010
7011 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7012 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
7013 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7014 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7015 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7016
7017 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7018
7019 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7020 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7021
7022 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7023 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7024 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7025 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7026 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7027 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7028 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7029 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7030
7031 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7032 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7033
7034 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7035 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7036 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7037 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7038 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7039 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7040 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7041 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7042 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7043 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7044 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7045 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7046 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7047 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7048 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7049 LSM_HOOK_INIT(socket_getpeersec_stream,
7050 selinux_socket_getpeersec_stream),
7051 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7052 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7053 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7054 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7055 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7056 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7057 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7058 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7059 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7060 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7061 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7062 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7063 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7064 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7065 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7066 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7067 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7068 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7069 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7070 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7071 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7072 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7073 #ifdef CONFIG_SECURITY_INFINIBAND
7074 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7075 LSM_HOOK_INIT(ib_endport_manage_subnet,
7076 selinux_ib_endport_manage_subnet),
7077 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7078 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7079 #endif
7080 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7081 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7082 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7083 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7084 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7085 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7086 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7087 selinux_xfrm_state_alloc_acquire),
7088 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7089 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7090 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7091 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7092 selinux_xfrm_state_pol_flow_match),
7093 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7094 #endif
7095
7096 #ifdef CONFIG_KEYS
7097 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7098 LSM_HOOK_INIT(key_free, selinux_key_free),
7099 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7100 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7101 #endif
7102
7103 #ifdef CONFIG_AUDIT
7104 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7105 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7106 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7107 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7108 #endif
7109
7110 #ifdef CONFIG_BPF_SYSCALL
7111 LSM_HOOK_INIT(bpf, selinux_bpf),
7112 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7113 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7114 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7115 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7116 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7117 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7118 #endif
7119 };
7120
7121 static __init int selinux_init(void)
7122 {
7123 if (!security_module_enable("selinux")) {
7124 selinux_enabled = 0;
7125 return 0;
7126 }
7127
7128 if (!selinux_enabled) {
7129 printk(KERN_INFO "SELinux: Disabled at boot.\n");
7130 return 0;
7131 }
7132
7133 printk(KERN_INFO "SELinux: Initializing.\n");
7134
7135 memset(&selinux_state, 0, sizeof(selinux_state));
7136 enforcing_set(&selinux_state, selinux_enforcing_boot);
7137 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7138 selinux_ss_init(&selinux_state.ss);
7139 selinux_avc_init(&selinux_state.avc);
7140
7141 /* Set the security state for the initial task. */
7142 cred_init_security();
7143
7144 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7145
7146 sel_inode_cache = kmem_cache_create("selinux_inode_security",
7147 sizeof(struct inode_security_struct),
7148 0, SLAB_PANIC, NULL);
7149 file_security_cache = kmem_cache_create("selinux_file_security",
7150 sizeof(struct file_security_struct),
7151 0, SLAB_PANIC, NULL);
7152 avc_init();
7153
7154 avtab_cache_init();
7155
7156 ebitmap_cache_init();
7157
7158 hashtab_cache_init();
7159
7160 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7161
7162 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7163 panic("SELinux: Unable to register AVC netcache callback\n");
7164
7165 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7166 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7167
7168 if (selinux_enforcing_boot)
7169 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
7170 else
7171 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
7172
7173 return 0;
7174 }
7175
7176 static void delayed_superblock_init(struct super_block *sb, void *unused)
7177 {
7178 superblock_doinit(sb, NULL);
7179 }
7180
7181 void selinux_complete_init(void)
7182 {
7183 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
7184
7185 /* Set up any superblocks initialized prior to the policy load. */
7186 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
7187 iterate_supers(delayed_superblock_init, NULL);
7188 }
7189
7190 /* SELinux requires early initialization in order to label
7191 all processes and objects when they are created. */
7192 security_initcall(selinux_init);
7193
7194 #if defined(CONFIG_NETFILTER)
7195
7196 static const struct nf_hook_ops selinux_nf_ops[] = {
7197 {
7198 .hook = selinux_ipv4_postroute,
7199 .pf = NFPROTO_IPV4,
7200 .hooknum = NF_INET_POST_ROUTING,
7201 .priority = NF_IP_PRI_SELINUX_LAST,
7202 },
7203 {
7204 .hook = selinux_ipv4_forward,
7205 .pf = NFPROTO_IPV4,
7206 .hooknum = NF_INET_FORWARD,
7207 .priority = NF_IP_PRI_SELINUX_FIRST,
7208 },
7209 {
7210 .hook = selinux_ipv4_output,
7211 .pf = NFPROTO_IPV4,
7212 .hooknum = NF_INET_LOCAL_OUT,
7213 .priority = NF_IP_PRI_SELINUX_FIRST,
7214 },
7215 #if IS_ENABLED(CONFIG_IPV6)
7216 {
7217 .hook = selinux_ipv6_postroute,
7218 .pf = NFPROTO_IPV6,
7219 .hooknum = NF_INET_POST_ROUTING,
7220 .priority = NF_IP6_PRI_SELINUX_LAST,
7221 },
7222 {
7223 .hook = selinux_ipv6_forward,
7224 .pf = NFPROTO_IPV6,
7225 .hooknum = NF_INET_FORWARD,
7226 .priority = NF_IP6_PRI_SELINUX_FIRST,
7227 },
7228 {
7229 .hook = selinux_ipv6_output,
7230 .pf = NFPROTO_IPV6,
7231 .hooknum = NF_INET_LOCAL_OUT,
7232 .priority = NF_IP6_PRI_SELINUX_FIRST,
7233 },
7234 #endif /* IPV6 */
7235 };
7236
7237 static int __net_init selinux_nf_register(struct net *net)
7238 {
7239 return nf_register_net_hooks(net, selinux_nf_ops,
7240 ARRAY_SIZE(selinux_nf_ops));
7241 }
7242
7243 static void __net_exit selinux_nf_unregister(struct net *net)
7244 {
7245 nf_unregister_net_hooks(net, selinux_nf_ops,
7246 ARRAY_SIZE(selinux_nf_ops));
7247 }
7248
7249 static struct pernet_operations selinux_net_ops = {
7250 .init = selinux_nf_register,
7251 .exit = selinux_nf_unregister,
7252 };
7253
7254 static int __init selinux_nf_ip_init(void)
7255 {
7256 int err;
7257
7258 if (!selinux_enabled)
7259 return 0;
7260
7261 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
7262
7263 err = register_pernet_subsys(&selinux_net_ops);
7264 if (err)
7265 panic("SELinux: register_pernet_subsys: error %d\n", err);
7266
7267 return 0;
7268 }
7269 __initcall(selinux_nf_ip_init);
7270
7271 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7272 static void selinux_nf_ip_exit(void)
7273 {
7274 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
7275
7276 unregister_pernet_subsys(&selinux_net_ops);
7277 }
7278 #endif
7279
7280 #else /* CONFIG_NETFILTER */
7281
7282 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7283 #define selinux_nf_ip_exit()
7284 #endif
7285
7286 #endif /* CONFIG_NETFILTER */
7287
7288 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7289 int selinux_disable(struct selinux_state *state)
7290 {
7291 if (state->initialized) {
7292 /* Not permitted after initial policy load. */
7293 return -EINVAL;
7294 }
7295
7296 if (state->disabled) {
7297 /* Only do this once. */
7298 return -EINVAL;
7299 }
7300
7301 state->disabled = 1;
7302
7303 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
7304
7305 selinux_enabled = 0;
7306
7307 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7308
7309 /* Try to destroy the avc node cache */
7310 avc_disable();
7311
7312 /* Unregister netfilter hooks. */
7313 selinux_nf_ip_exit();
7314
7315 /* Unregister selinuxfs. */
7316 exit_sel_fs();
7317
7318 return 0;
7319 }
7320 #endif
Linux with added FPC-III support