search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'riscv-for-linus-4.15-rc2_cleanups' of git://git.kernel.org/pub/scm/linux...
[linux/fpc-iii.git] / security / selinux / hooks.c
blob8644d864e3c196ca3dc8a10cb84c2daa97e3a596
1 /*
2 * NSA Security-Enhanced Linux (SELinux) security module
3 *
4 * This file contains the SELinux hook function implementations.
5 *
6 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
7 * Chris Vance, <cvance@nai.com>
8 * Wayne Salamon, <wsalamon@nai.com>
9 * James Morris <jmorris@redhat.com>
10 *
11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul@paul-moore.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * Copyright (C) 2016 Mellanox Technologies
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License version 2,
24 * as published by the Free Software Foundation.
25 */
26
27 #include <linux/init.h>
28 #include <linux/kd.h>
29 #include <linux/kernel.h>
30 #include <linux/tracehook.h>
31 #include <linux/errno.h>
32 #include <linux/sched/signal.h>
33 #include <linux/sched/task.h>
34 #include <linux/lsm_hooks.h>
35 #include <linux/xattr.h>
36 #include <linux/capability.h>
37 #include <linux/unistd.h>
38 #include <linux/mm.h>
39 #include <linux/mman.h>
40 #include <linux/slab.h>
41 #include <linux/pagemap.h>
42 #include <linux/proc_fs.h>
43 #include <linux/swap.h>
44 #include <linux/spinlock.h>
45 #include <linux/syscalls.h>
46 #include <linux/dcache.h>
47 #include <linux/file.h>
48 #include <linux/fdtable.h>
49 #include <linux/namei.h>
50 #include <linux/mount.h>
51 #include <linux/netfilter_ipv4.h>
52 #include <linux/netfilter_ipv6.h>
53 #include <linux/tty.h>
54 #include <net/icmp.h>
55 #include <net/ip.h> /* for local_port_range[] */
56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
57 #include <net/inet_connection_sock.h>
58 #include <net/net_namespace.h>
59 #include <net/netlabel.h>
60 #include <linux/uaccess.h>
61 #include <asm/ioctls.h>
62 #include <linux/atomic.h>
63 #include <linux/bitops.h>
64 #include <linux/interrupt.h>
65 #include <linux/netdevice.h> /* for network interface checks */
66 #include <net/netlink.h>
67 #include <linux/tcp.h>
68 #include <linux/udp.h>
69 #include <linux/dccp.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/selinux.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89
90 #include "avc.h"
91 #include "objsec.h"
92 #include "netif.h"
93 #include "netnode.h"
94 #include "netport.h"
95 #include "ibpkey.h"
96 #include "xfrm.h"
97 #include "netlabel.h"
98 #include "audit.h"
99 #include "avc_ss.h"
100
101 /* SECMARK reference count */
102 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
103
104 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
105 int selinux_enforcing;
106
107 static int __init enforcing_setup(char *str)
108 {
109 unsigned long enforcing;
110 if (!kstrtoul(str, 0, &enforcing))
111 selinux_enforcing = enforcing ? 1 : 0;
112 return 1;
113 }
114 __setup("enforcing=", enforcing_setup);
115 #endif
116
117 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
118 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
119
120 static int __init selinux_enabled_setup(char *str)
121 {
122 unsigned long enabled;
123 if (!kstrtoul(str, 0, &enabled))
124 selinux_enabled = enabled ? 1 : 0;
125 return 1;
126 }
127 __setup("selinux=", selinux_enabled_setup);
128 #else
129 int selinux_enabled = 1;
130 #endif
131
132 static struct kmem_cache *sel_inode_cache;
133 static struct kmem_cache *file_security_cache;
134
135 /**
136 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
137 *
138 * Description:
139 * This function checks the SECMARK reference counter to see if any SECMARK
140 * targets are currently configured, if the reference counter is greater than
141 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
142 * enabled, false (0) if SECMARK is disabled. If the always_check_network
143 * policy capability is enabled, SECMARK is always considered enabled.
144 *
145 */
146 static int selinux_secmark_enabled(void)
147 {
148 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount));
149 }
150
151 /**
152 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
153 *
154 * Description:
155 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
156 * (1) if any are enabled or false (0) if neither are enabled. If the
157 * always_check_network policy capability is enabled, peer labeling
158 * is always considered enabled.
159 *
160 */
161 static int selinux_peerlbl_enabled(void)
162 {
163 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
164 }
165
166 static int selinux_netcache_avc_callback(u32 event)
167 {
168 if (event == AVC_CALLBACK_RESET) {
169 sel_netif_flush();
170 sel_netnode_flush();
171 sel_netport_flush();
172 synchronize_net();
173 }
174 return 0;
175 }
176
177 static int selinux_lsm_notifier_avc_callback(u32 event)
178 {
179 if (event == AVC_CALLBACK_RESET) {
180 sel_ib_pkey_flush();
181 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
182 }
183
184 return 0;
185 }
186
187 /*
188 * initialise the security for the init task
189 */
190 static void cred_init_security(void)
191 {
192 struct cred *cred = (struct cred *) current->real_cred;
193 struct task_security_struct *tsec;
194
195 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
196 if (!tsec)
197 panic("SELinux: Failed to initialize initial task.\n");
198
199 tsec->osid = tsec->sid = SECINITSID_KERNEL;
200 cred->security = tsec;
201 }
202
203 /*
204 * get the security ID of a set of credentials
205 */
206 static inline u32 cred_sid(const struct cred *cred)
207 {
208 const struct task_security_struct *tsec;
209
210 tsec = cred->security;
211 return tsec->sid;
212 }
213
214 /*
215 * get the objective security ID of a task
216 */
217 static inline u32 task_sid(const struct task_struct *task)
218 {
219 u32 sid;
220
221 rcu_read_lock();
222 sid = cred_sid(__task_cred(task));
223 rcu_read_unlock();
224 return sid;
225 }
226
227 /* Allocate and free functions for each kind of security blob. */
228
229 static int inode_alloc_security(struct inode *inode)
230 {
231 struct inode_security_struct *isec;
232 u32 sid = current_sid();
233
234 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
235 if (!isec)
236 return -ENOMEM;
237
238 spin_lock_init(&isec->lock);
239 INIT_LIST_HEAD(&isec->list);
240 isec->inode = inode;
241 isec->sid = SECINITSID_UNLABELED;
242 isec->sclass = SECCLASS_FILE;
243 isec->task_sid = sid;
244 isec->initialized = LABEL_INVALID;
245 inode->i_security = isec;
246
247 return 0;
248 }
249
250 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
251
252 /*
253 * Try reloading inode security labels that have been marked as invalid. The
254 * @may_sleep parameter indicates when sleeping and thus reloading labels is
255 * allowed; when set to false, returns -ECHILD when the label is
256 * invalid. The @opt_dentry parameter should be set to a dentry of the inode;
257 * when no dentry is available, set it to NULL instead.
258 */
259 static int __inode_security_revalidate(struct inode *inode,
260 struct dentry *opt_dentry,
261 bool may_sleep)
262 {
263 struct inode_security_struct *isec = inode->i_security;
264
265 might_sleep_if(may_sleep);
266
267 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) {
268 if (!may_sleep)
269 return -ECHILD;
270
271 /*
272 * Try reloading the inode security label. This will fail if
273 * @opt_dentry is NULL and no dentry for this inode can be
274 * found; in that case, continue using the old label.
275 */
276 inode_doinit_with_dentry(inode, opt_dentry);
277 }
278 return 0;
279 }
280
281 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
282 {
283 return inode->i_security;
284 }
285
286 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
287 {
288 int error;
289
290 error = __inode_security_revalidate(inode, NULL, !rcu);
291 if (error)
292 return ERR_PTR(error);
293 return inode->i_security;
294 }
295
296 /*
297 * Get the security label of an inode.
298 */
299 static struct inode_security_struct *inode_security(struct inode *inode)
300 {
301 __inode_security_revalidate(inode, NULL, true);
302 return inode->i_security;
303 }
304
305 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
306 {
307 struct inode *inode = d_backing_inode(dentry);
308
309 return inode->i_security;
310 }
311
312 /*
313 * Get the security label of a dentry's backing inode.
314 */
315 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
316 {
317 struct inode *inode = d_backing_inode(dentry);
318
319 __inode_security_revalidate(inode, dentry, true);
320 return inode->i_security;
321 }
322
323 static void inode_free_rcu(struct rcu_head *head)
324 {
325 struct inode_security_struct *isec;
326
327 isec = container_of(head, struct inode_security_struct, rcu);
328 kmem_cache_free(sel_inode_cache, isec);
329 }
330
331 static void inode_free_security(struct inode *inode)
332 {
333 struct inode_security_struct *isec = inode->i_security;
334 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
335
336 /*
337 * As not all inode security structures are in a list, we check for
338 * empty list outside of the lock to make sure that we won't waste
339 * time taking a lock doing nothing.
340 *
341 * The list_del_init() function can be safely called more than once.
342 * It should not be possible for this function to be called with
343 * concurrent list_add(), but for better safety against future changes
344 * in the code, we use list_empty_careful() here.
345 */
346 if (!list_empty_careful(&isec->list)) {
347 spin_lock(&sbsec->isec_lock);
348 list_del_init(&isec->list);
349 spin_unlock(&sbsec->isec_lock);
350 }
351
352 /*
353 * The inode may still be referenced in a path walk and
354 * a call to selinux_inode_permission() can be made
355 * after inode_free_security() is called. Ideally, the VFS
356 * wouldn't do this, but fixing that is a much harder
357 * job. For now, simply free the i_security via RCU, and
358 * leave the current inode->i_security pointer intact.
359 * The inode will be freed after the RCU grace period too.
360 */
361 call_rcu(&isec->rcu, inode_free_rcu);
362 }
363
364 static int file_alloc_security(struct file *file)
365 {
366 struct file_security_struct *fsec;
367 u32 sid = current_sid();
368
369 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
370 if (!fsec)
371 return -ENOMEM;
372
373 fsec->sid = sid;
374 fsec->fown_sid = sid;
375 file->f_security = fsec;
376
377 return 0;
378 }
379
380 static void file_free_security(struct file *file)
381 {
382 struct file_security_struct *fsec = file->f_security;
383 file->f_security = NULL;
384 kmem_cache_free(file_security_cache, fsec);
385 }
386
387 static int superblock_alloc_security(struct super_block *sb)
388 {
389 struct superblock_security_struct *sbsec;
390
391 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
392 if (!sbsec)
393 return -ENOMEM;
394
395 mutex_init(&sbsec->lock);
396 INIT_LIST_HEAD(&sbsec->isec_head);
397 spin_lock_init(&sbsec->isec_lock);
398 sbsec->sb = sb;
399 sbsec->sid = SECINITSID_UNLABELED;
400 sbsec->def_sid = SECINITSID_FILE;
401 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
402 sb->s_security = sbsec;
403
404 return 0;
405 }
406
407 static void superblock_free_security(struct super_block *sb)
408 {
409 struct superblock_security_struct *sbsec = sb->s_security;
410 sb->s_security = NULL;
411 kfree(sbsec);
412 }
413
414 static inline int inode_doinit(struct inode *inode)
415 {
416 return inode_doinit_with_dentry(inode, NULL);
417 }
418
419 enum {
420 Opt_error = -1,
421 Opt_context = 1,
422 Opt_fscontext = 2,
423 Opt_defcontext = 3,
424 Opt_rootcontext = 4,
425 Opt_labelsupport = 5,
426 Opt_nextmntopt = 6,
427 };
428
429 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1)
430
431 static const match_table_t tokens = {
432 {Opt_context, CONTEXT_STR "%s"},
433 {Opt_fscontext, FSCONTEXT_STR "%s"},
434 {Opt_defcontext, DEFCONTEXT_STR "%s"},
435 {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
436 {Opt_labelsupport, LABELSUPP_STR},
437 {Opt_error, NULL},
438 };
439
440 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
441
442 static int may_context_mount_sb_relabel(u32 sid,
443 struct superblock_security_struct *sbsec,
444 const struct cred *cred)
445 {
446 const struct task_security_struct *tsec = cred->security;
447 int rc;
448
449 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
450 FILESYSTEM__RELABELFROM, NULL);
451 if (rc)
452 return rc;
453
454 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
455 FILESYSTEM__RELABELTO, NULL);
456 return rc;
457 }
458
459 static int may_context_mount_inode_relabel(u32 sid,
460 struct superblock_security_struct *sbsec,
461 const struct cred *cred)
462 {
463 const struct task_security_struct *tsec = cred->security;
464 int rc;
465 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
466 FILESYSTEM__RELABELFROM, NULL);
467 if (rc)
468 return rc;
469
470 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
471 FILESYSTEM__ASSOCIATE, NULL);
472 return rc;
473 }
474
475 static int selinux_is_sblabel_mnt(struct super_block *sb)
476 {
477 struct superblock_security_struct *sbsec = sb->s_security;
478
479 return sbsec->behavior == SECURITY_FS_USE_XATTR ||
480 sbsec->behavior == SECURITY_FS_USE_TRANS ||
481 sbsec->behavior == SECURITY_FS_USE_TASK ||
482 sbsec->behavior == SECURITY_FS_USE_NATIVE ||
483 /* Special handling. Genfs but also in-core setxattr handler */
484 !strcmp(sb->s_type->name, "sysfs") ||
485 !strcmp(sb->s_type->name, "pstore") ||
486 !strcmp(sb->s_type->name, "debugfs") ||
487 !strcmp(sb->s_type->name, "tracefs") ||
488 !strcmp(sb->s_type->name, "rootfs") ||
489 (selinux_policycap_cgroupseclabel &&
490 (!strcmp(sb->s_type->name, "cgroup") ||
491 !strcmp(sb->s_type->name, "cgroup2")));
492 }
493
494 static int sb_finish_set_opts(struct super_block *sb)
495 {
496 struct superblock_security_struct *sbsec = sb->s_security;
497 struct dentry *root = sb->s_root;
498 struct inode *root_inode = d_backing_inode(root);
499 int rc = 0;
500
501 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
502 /* Make sure that the xattr handler exists and that no
503 error other than -ENODATA is returned by getxattr on
504 the root directory. -ENODATA is ok, as this may be
505 the first boot of the SELinux kernel before we have
506 assigned xattr values to the filesystem. */
507 if (!(root_inode->i_opflags & IOP_XATTR)) {
508 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
509 "xattr support\n", sb->s_id, sb->s_type->name);
510 rc = -EOPNOTSUPP;
511 goto out;
512 }
513
514 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
515 if (rc < 0 && rc != -ENODATA) {
516 if (rc == -EOPNOTSUPP)
517 printk(KERN_WARNING "SELinux: (dev %s, type "
518 "%s) has no security xattr handler\n",
519 sb->s_id, sb->s_type->name);
520 else
521 printk(KERN_WARNING "SELinux: (dev %s, type "
522 "%s) getxattr errno %d\n", sb->s_id,
523 sb->s_type->name, -rc);
524 goto out;
525 }
526 }
527
528 sbsec->flags |= SE_SBINITIALIZED;
529
530 /*
531 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
532 * leave the flag untouched because sb_clone_mnt_opts might be handing
533 * us a superblock that needs the flag to be cleared.
534 */
535 if (selinux_is_sblabel_mnt(sb))
536 sbsec->flags |= SBLABEL_MNT;
537 else
538 sbsec->flags &= ~SBLABEL_MNT;
539
540 /* Initialize the root inode. */
541 rc = inode_doinit_with_dentry(root_inode, root);
542
543 /* Initialize any other inodes associated with the superblock, e.g.
544 inodes created prior to initial policy load or inodes created
545 during get_sb by a pseudo filesystem that directly
546 populates itself. */
547 spin_lock(&sbsec->isec_lock);
548 next_inode:
549 if (!list_empty(&sbsec->isec_head)) {
550 struct inode_security_struct *isec =
551 list_entry(sbsec->isec_head.next,
552 struct inode_security_struct, list);
553 struct inode *inode = isec->inode;
554 list_del_init(&isec->list);
555 spin_unlock(&sbsec->isec_lock);
556 inode = igrab(inode);
557 if (inode) {
558 if (!IS_PRIVATE(inode))
559 inode_doinit(inode);
560 iput(inode);
561 }
562 spin_lock(&sbsec->isec_lock);
563 goto next_inode;
564 }
565 spin_unlock(&sbsec->isec_lock);
566 out:
567 return rc;
568 }
569
570 /*
571 * This function should allow an FS to ask what it's mount security
572 * options were so it can use those later for submounts, displaying
573 * mount options, or whatever.
574 */
575 static int selinux_get_mnt_opts(const struct super_block *sb,
576 struct security_mnt_opts *opts)
577 {
578 int rc = 0, i;
579 struct superblock_security_struct *sbsec = sb->s_security;
580 char *context = NULL;
581 u32 len;
582 char tmp;
583
584 security_init_mnt_opts(opts);
585
586 if (!(sbsec->flags & SE_SBINITIALIZED))
587 return -EINVAL;
588
589 if (!ss_initialized)
590 return -EINVAL;
591
592 /* make sure we always check enough bits to cover the mask */
593 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS));
594
595 tmp = sbsec->flags & SE_MNTMASK;
596 /* count the number of mount options for this sb */
597 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
598 if (tmp & 0x01)
599 opts->num_mnt_opts++;
600 tmp >>= 1;
601 }
602 /* Check if the Label support flag is set */
603 if (sbsec->flags & SBLABEL_MNT)
604 opts->num_mnt_opts++;
605
606 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
607 if (!opts->mnt_opts) {
608 rc = -ENOMEM;
609 goto out_free;
610 }
611
612 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
613 if (!opts->mnt_opts_flags) {
614 rc = -ENOMEM;
615 goto out_free;
616 }
617
618 i = 0;
619 if (sbsec->flags & FSCONTEXT_MNT) {
620 rc = security_sid_to_context(sbsec->sid, &context, &len);
621 if (rc)
622 goto out_free;
623 opts->mnt_opts[i] = context;
624 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
625 }
626 if (sbsec->flags & CONTEXT_MNT) {
627 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
628 if (rc)
629 goto out_free;
630 opts->mnt_opts[i] = context;
631 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
632 }
633 if (sbsec->flags & DEFCONTEXT_MNT) {
634 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
635 if (rc)
636 goto out_free;
637 opts->mnt_opts[i] = context;
638 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
639 }
640 if (sbsec->flags & ROOTCONTEXT_MNT) {
641 struct dentry *root = sbsec->sb->s_root;
642 struct inode_security_struct *isec = backing_inode_security(root);
643
644 rc = security_sid_to_context(isec->sid, &context, &len);
645 if (rc)
646 goto out_free;
647 opts->mnt_opts[i] = context;
648 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
649 }
650 if (sbsec->flags & SBLABEL_MNT) {
651 opts->mnt_opts[i] = NULL;
652 opts->mnt_opts_flags[i++] = SBLABEL_MNT;
653 }
654
655 BUG_ON(i != opts->num_mnt_opts);
656
657 return 0;
658
659 out_free:
660 security_free_mnt_opts(opts);
661 return rc;
662 }
663
664 static int bad_option(struct superblock_security_struct *sbsec, char flag,
665 u32 old_sid, u32 new_sid)
666 {
667 char mnt_flags = sbsec->flags & SE_MNTMASK;
668
669 /* check if the old mount command had the same options */
670 if (sbsec->flags & SE_SBINITIALIZED)
671 if (!(sbsec->flags & flag) ||
672 (old_sid != new_sid))
673 return 1;
674
675 /* check if we were passed the same options twice,
676 * aka someone passed context=a,context=b
677 */
678 if (!(sbsec->flags & SE_SBINITIALIZED))
679 if (mnt_flags & flag)
680 return 1;
681 return 0;
682 }
683
684 /*
685 * Allow filesystems with binary mount data to explicitly set mount point
686 * labeling information.
687 */
688 static int selinux_set_mnt_opts(struct super_block *sb,
689 struct security_mnt_opts *opts,
690 unsigned long kern_flags,
691 unsigned long *set_kern_flags)
692 {
693 const struct cred *cred = current_cred();
694 int rc = 0, i;
695 struct superblock_security_struct *sbsec = sb->s_security;
696 const char *name = sb->s_type->name;
697 struct dentry *root = sbsec->sb->s_root;
698 struct inode_security_struct *root_isec;
699 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
700 u32 defcontext_sid = 0;
701 char **mount_options = opts->mnt_opts;
702 int *flags = opts->mnt_opts_flags;
703 int num_opts = opts->num_mnt_opts;
704
705 mutex_lock(&sbsec->lock);
706
707 if (!ss_initialized) {
708 if (!num_opts) {
709 /* Defer initialization until selinux_complete_init,
710 after the initial policy is loaded and the security
711 server is ready to handle calls. */
712 goto out;
713 }
714 rc = -EINVAL;
715 printk(KERN_WARNING "SELinux: Unable to set superblock options "
716 "before the security server is initialized\n");
717 goto out;
718 }
719 if (kern_flags && !set_kern_flags) {
720 /* Specifying internal flags without providing a place to
721 * place the results is not allowed */
722 rc = -EINVAL;
723 goto out;
724 }
725
726 /*
727 * Binary mount data FS will come through this function twice. Once
728 * from an explicit call and once from the generic calls from the vfs.
729 * Since the generic VFS calls will not contain any security mount data
730 * we need to skip the double mount verification.
731 *
732 * This does open a hole in which we will not notice if the first
733 * mount using this sb set explict options and a second mount using
734 * this sb does not set any security options. (The first options
735 * will be used for both mounts)
736 */
737 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
738 && (num_opts == 0))
739 goto out;
740
741 root_isec = backing_inode_security_novalidate(root);
742
743 /*
744 * parse the mount options, check if they are valid sids.
745 * also check if someone is trying to mount the same sb more
746 * than once with different security options.
747 */
748 for (i = 0; i < num_opts; i++) {
749 u32 sid;
750
751 if (flags[i] == SBLABEL_MNT)
752 continue;
753 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
754 if (rc) {
755 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
756 "(%s) failed for (dev %s, type %s) errno=%d\n",
757 mount_options[i], sb->s_id, name, rc);
758 goto out;
759 }
760 switch (flags[i]) {
761 case FSCONTEXT_MNT:
762 fscontext_sid = sid;
763
764 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
765 fscontext_sid))
766 goto out_double_mount;
767
768 sbsec->flags |= FSCONTEXT_MNT;
769 break;
770 case CONTEXT_MNT:
771 context_sid = sid;
772
773 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
774 context_sid))
775 goto out_double_mount;
776
777 sbsec->flags |= CONTEXT_MNT;
778 break;
779 case ROOTCONTEXT_MNT:
780 rootcontext_sid = sid;
781
782 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
783 rootcontext_sid))
784 goto out_double_mount;
785
786 sbsec->flags |= ROOTCONTEXT_MNT;
787
788 break;
789 case DEFCONTEXT_MNT:
790 defcontext_sid = sid;
791
792 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
793 defcontext_sid))
794 goto out_double_mount;
795
796 sbsec->flags |= DEFCONTEXT_MNT;
797
798 break;
799 default:
800 rc = -EINVAL;
801 goto out;
802 }
803 }
804
805 if (sbsec->flags & SE_SBINITIALIZED) {
806 /* previously mounted with options, but not on this attempt? */
807 if ((sbsec->flags & SE_MNTMASK) && !num_opts)
808 goto out_double_mount;
809 rc = 0;
810 goto out;
811 }
812
813 if (strcmp(sb->s_type->name, "proc") == 0)
814 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
815
816 if (!strcmp(sb->s_type->name, "debugfs") ||
817 !strcmp(sb->s_type->name, "tracefs") ||
818 !strcmp(sb->s_type->name, "sysfs") ||
819 !strcmp(sb->s_type->name, "pstore") ||
820 !strcmp(sb->s_type->name, "cgroup") ||
821 !strcmp(sb->s_type->name, "cgroup2"))
822 sbsec->flags |= SE_SBGENFS;
823
824 if (!sbsec->behavior) {
825 /*
826 * Determine the labeling behavior to use for this
827 * filesystem type.
828 */
829 rc = security_fs_use(sb);
830 if (rc) {
831 printk(KERN_WARNING
832 "%s: security_fs_use(%s) returned %d\n",
833 __func__, sb->s_type->name, rc);
834 goto out;
835 }
836 }
837
838 /*
839 * If this is a user namespace mount and the filesystem type is not
840 * explicitly whitelisted, then no contexts are allowed on the command
841 * line and security labels must be ignored.
842 */
843 if (sb->s_user_ns != &init_user_ns &&
844 strcmp(sb->s_type->name, "tmpfs") &&
845 strcmp(sb->s_type->name, "ramfs") &&
846 strcmp(sb->s_type->name, "devpts")) {
847 if (context_sid || fscontext_sid || rootcontext_sid ||
848 defcontext_sid) {
849 rc = -EACCES;
850 goto out;
851 }
852 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
853 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
854 rc = security_transition_sid(current_sid(), current_sid(),
855 SECCLASS_FILE, NULL,
856 &sbsec->mntpoint_sid);
857 if (rc)
858 goto out;
859 }
860 goto out_set_opts;
861 }
862
863 /* sets the context of the superblock for the fs being mounted. */
864 if (fscontext_sid) {
865 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
866 if (rc)
867 goto out;
868
869 sbsec->sid = fscontext_sid;
870 }
871
872 /*
873 * Switch to using mount point labeling behavior.
874 * sets the label used on all file below the mountpoint, and will set
875 * the superblock context if not already set.
876 */
877 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
878 sbsec->behavior = SECURITY_FS_USE_NATIVE;
879 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
880 }
881
882 if (context_sid) {
883 if (!fscontext_sid) {
884 rc = may_context_mount_sb_relabel(context_sid, sbsec,
885 cred);
886 if (rc)
887 goto out;
888 sbsec->sid = context_sid;
889 } else {
890 rc = may_context_mount_inode_relabel(context_sid, sbsec,
891 cred);
892 if (rc)
893 goto out;
894 }
895 if (!rootcontext_sid)
896 rootcontext_sid = context_sid;
897
898 sbsec->mntpoint_sid = context_sid;
899 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
900 }
901
902 if (rootcontext_sid) {
903 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
904 cred);
905 if (rc)
906 goto out;
907
908 root_isec->sid = rootcontext_sid;
909 root_isec->initialized = LABEL_INITIALIZED;
910 }
911
912 if (defcontext_sid) {
913 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
914 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
915 rc = -EINVAL;
916 printk(KERN_WARNING "SELinux: defcontext option is "
917 "invalid for this filesystem type\n");
918 goto out;
919 }
920
921 if (defcontext_sid != sbsec->def_sid) {
922 rc = may_context_mount_inode_relabel(defcontext_sid,
923 sbsec, cred);
924 if (rc)
925 goto out;
926 }
927
928 sbsec->def_sid = defcontext_sid;
929 }
930
931 out_set_opts:
932 rc = sb_finish_set_opts(sb);
933 out:
934 mutex_unlock(&sbsec->lock);
935 return rc;
936 out_double_mount:
937 rc = -EINVAL;
938 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different "
939 "security settings for (dev %s, type %s)\n", sb->s_id, name);
940 goto out;
941 }
942
943 static int selinux_cmp_sb_context(const struct super_block *oldsb,
944 const struct super_block *newsb)
945 {
946 struct superblock_security_struct *old = oldsb->s_security;
947 struct superblock_security_struct *new = newsb->s_security;
948 char oldflags = old->flags & SE_MNTMASK;
949 char newflags = new->flags & SE_MNTMASK;
950
951 if (oldflags != newflags)
952 goto mismatch;
953 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
954 goto mismatch;
955 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
956 goto mismatch;
957 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
958 goto mismatch;
959 if (oldflags & ROOTCONTEXT_MNT) {
960 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
961 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
962 if (oldroot->sid != newroot->sid)
963 goto mismatch;
964 }
965 return 0;
966 mismatch:
967 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, "
968 "different security settings for (dev %s, "
969 "type %s)\n", newsb->s_id, newsb->s_type->name);
970 return -EBUSY;
971 }
972
973 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
974 struct super_block *newsb,
975 unsigned long kern_flags,
976 unsigned long *set_kern_flags)
977 {
978 int rc = 0;
979 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
980 struct superblock_security_struct *newsbsec = newsb->s_security;
981
982 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
983 int set_context = (oldsbsec->flags & CONTEXT_MNT);
984 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
985
986 /*
987 * if the parent was able to be mounted it clearly had no special lsm
988 * mount options. thus we can safely deal with this superblock later
989 */
990 if (!ss_initialized)
991 return 0;
992
993 /*
994 * Specifying internal flags without providing a place to
995 * place the results is not allowed.
996 */
997 if (kern_flags && !set_kern_flags)
998 return -EINVAL;
999
1000 /* how can we clone if the old one wasn't set up?? */
1001 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
1002
1003 /* if fs is reusing a sb, make sure that the contexts match */
1004 if (newsbsec->flags & SE_SBINITIALIZED)
1005 return selinux_cmp_sb_context(oldsb, newsb);
1006
1007 mutex_lock(&newsbsec->lock);
1008
1009 newsbsec->flags = oldsbsec->flags;
1010
1011 newsbsec->sid = oldsbsec->sid;
1012 newsbsec->def_sid = oldsbsec->def_sid;
1013 newsbsec->behavior = oldsbsec->behavior;
1014
1015 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
1016 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
1017 rc = security_fs_use(newsb);
1018 if (rc)
1019 goto out;
1020 }
1021
1022 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
1023 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
1024 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
1025 }
1026
1027 if (set_context) {
1028 u32 sid = oldsbsec->mntpoint_sid;
1029
1030 if (!set_fscontext)
1031 newsbsec->sid = sid;
1032 if (!set_rootcontext) {
1033 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1034 newisec->sid = sid;
1035 }
1036 newsbsec->mntpoint_sid = sid;
1037 }
1038 if (set_rootcontext) {
1039 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
1040 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
1041
1042 newisec->sid = oldisec->sid;
1043 }
1044
1045 sb_finish_set_opts(newsb);
1046 out:
1047 mutex_unlock(&newsbsec->lock);
1048 return rc;
1049 }
1050
1051 static int selinux_parse_opts_str(char *options,
1052 struct security_mnt_opts *opts)
1053 {
1054 char *p;
1055 char *context = NULL, *defcontext = NULL;
1056 char *fscontext = NULL, *rootcontext = NULL;
1057 int rc, num_mnt_opts = 0;
1058
1059 opts->num_mnt_opts = 0;
1060
1061 /* Standard string-based options. */
1062 while ((p = strsep(&options, "|")) != NULL) {
1063 int token;
1064 substring_t args[MAX_OPT_ARGS];
1065
1066 if (!*p)
1067 continue;
1068
1069 token = match_token(p, tokens, args);
1070
1071 switch (token) {
1072 case Opt_context:
1073 if (context || defcontext) {
1074 rc = -EINVAL;
1075 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1076 goto out_err;
1077 }
1078 context = match_strdup(&args[0]);
1079 if (!context) {
1080 rc = -ENOMEM;
1081 goto out_err;
1082 }
1083 break;
1084
1085 case Opt_fscontext:
1086 if (fscontext) {
1087 rc = -EINVAL;
1088 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1089 goto out_err;
1090 }
1091 fscontext = match_strdup(&args[0]);
1092 if (!fscontext) {
1093 rc = -ENOMEM;
1094 goto out_err;
1095 }
1096 break;
1097
1098 case Opt_rootcontext:
1099 if (rootcontext) {
1100 rc = -EINVAL;
1101 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1102 goto out_err;
1103 }
1104 rootcontext = match_strdup(&args[0]);
1105 if (!rootcontext) {
1106 rc = -ENOMEM;
1107 goto out_err;
1108 }
1109 break;
1110
1111 case Opt_defcontext:
1112 if (context || defcontext) {
1113 rc = -EINVAL;
1114 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
1115 goto out_err;
1116 }
1117 defcontext = match_strdup(&args[0]);
1118 if (!defcontext) {
1119 rc = -ENOMEM;
1120 goto out_err;
1121 }
1122 break;
1123 case Opt_labelsupport:
1124 break;
1125 default:
1126 rc = -EINVAL;
1127 printk(KERN_WARNING "SELinux: unknown mount option\n");
1128 goto out_err;
1129
1130 }
1131 }
1132
1133 rc = -ENOMEM;
1134 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
1135 if (!opts->mnt_opts)
1136 goto out_err;
1137
1138 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
1139 GFP_KERNEL);
1140 if (!opts->mnt_opts_flags)
1141 goto out_err;
1142
1143 if (fscontext) {
1144 opts->mnt_opts[num_mnt_opts] = fscontext;
1145 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
1146 }
1147 if (context) {
1148 opts->mnt_opts[num_mnt_opts] = context;
1149 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
1150 }
1151 if (rootcontext) {
1152 opts->mnt_opts[num_mnt_opts] = rootcontext;
1153 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
1154 }
1155 if (defcontext) {
1156 opts->mnt_opts[num_mnt_opts] = defcontext;
1157 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
1158 }
1159
1160 opts->num_mnt_opts = num_mnt_opts;
1161 return 0;
1162
1163 out_err:
1164 security_free_mnt_opts(opts);
1165 kfree(context);
1166 kfree(defcontext);
1167 kfree(fscontext);
1168 kfree(rootcontext);
1169 return rc;
1170 }
1171 /*
1172 * string mount options parsing and call set the sbsec
1173 */
1174 static int superblock_doinit(struct super_block *sb, void *data)
1175 {
1176 int rc = 0;
1177 char *options = data;
1178 struct security_mnt_opts opts;
1179
1180 security_init_mnt_opts(&opts);
1181
1182 if (!data)
1183 goto out;
1184
1185 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
1186
1187 rc = selinux_parse_opts_str(options, &opts);
1188 if (rc)
1189 goto out_err;
1190
1191 out:
1192 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
1193
1194 out_err:
1195 security_free_mnt_opts(&opts);
1196 return rc;
1197 }
1198
1199 static void selinux_write_opts(struct seq_file *m,
1200 struct security_mnt_opts *opts)
1201 {
1202 int i;
1203 char *prefix;
1204
1205 for (i = 0; i < opts->num_mnt_opts; i++) {
1206 char *has_comma;
1207
1208 if (opts->mnt_opts[i])
1209 has_comma = strchr(opts->mnt_opts[i], ',');
1210 else
1211 has_comma = NULL;
1212
1213 switch (opts->mnt_opts_flags[i]) {
1214 case CONTEXT_MNT:
1215 prefix = CONTEXT_STR;
1216 break;
1217 case FSCONTEXT_MNT:
1218 prefix = FSCONTEXT_STR;
1219 break;
1220 case ROOTCONTEXT_MNT:
1221 prefix = ROOTCONTEXT_STR;
1222 break;
1223 case DEFCONTEXT_MNT:
1224 prefix = DEFCONTEXT_STR;
1225 break;
1226 case SBLABEL_MNT:
1227 seq_putc(m, ',');
1228 seq_puts(m, LABELSUPP_STR);
1229 continue;
1230 default:
1231 BUG();
1232 return;
1233 };
1234 /* we need a comma before each option */
1235 seq_putc(m, ',');
1236 seq_puts(m, prefix);
1237 if (has_comma)
1238 seq_putc(m, '\"');
1239 seq_escape(m, opts->mnt_opts[i], "\"\n\\");
1240 if (has_comma)
1241 seq_putc(m, '\"');
1242 }
1243 }
1244
1245 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1246 {
1247 struct security_mnt_opts opts;
1248 int rc;
1249
1250 rc = selinux_get_mnt_opts(sb, &opts);
1251 if (rc) {
1252 /* before policy load we may get EINVAL, don't show anything */
1253 if (rc == -EINVAL)
1254 rc = 0;
1255 return rc;
1256 }
1257
1258 selinux_write_opts(m, &opts);
1259
1260 security_free_mnt_opts(&opts);
1261
1262 return rc;
1263 }
1264
1265 static inline u16 inode_mode_to_security_class(umode_t mode)
1266 {
1267 switch (mode & S_IFMT) {
1268 case S_IFSOCK:
1269 return SECCLASS_SOCK_FILE;
1270 case S_IFLNK:
1271 return SECCLASS_LNK_FILE;
1272 case S_IFREG:
1273 return SECCLASS_FILE;
1274 case S_IFBLK:
1275 return SECCLASS_BLK_FILE;
1276 case S_IFDIR:
1277 return SECCLASS_DIR;
1278 case S_IFCHR:
1279 return SECCLASS_CHR_FILE;
1280 case S_IFIFO:
1281 return SECCLASS_FIFO_FILE;
1282
1283 }
1284
1285 return SECCLASS_FILE;
1286 }
1287
1288 static inline int default_protocol_stream(int protocol)
1289 {
1290 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1291 }
1292
1293 static inline int default_protocol_dgram(int protocol)
1294 {
1295 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1296 }
1297
1298 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1299 {
1300 int extsockclass = selinux_policycap_extsockclass;
1301
1302 switch (family) {
1303 case PF_UNIX:
1304 switch (type) {
1305 case SOCK_STREAM:
1306 case SOCK_SEQPACKET:
1307 return SECCLASS_UNIX_STREAM_SOCKET;
1308 case SOCK_DGRAM:
1309 case SOCK_RAW:
1310 return SECCLASS_UNIX_DGRAM_SOCKET;
1311 }
1312 break;
1313 case PF_INET:
1314 case PF_INET6:
1315 switch (type) {
1316 case SOCK_STREAM:
1317 case SOCK_SEQPACKET:
1318 if (default_protocol_stream(protocol))
1319 return SECCLASS_TCP_SOCKET;
1320 else if (extsockclass && protocol == IPPROTO_SCTP)
1321 return SECCLASS_SCTP_SOCKET;
1322 else
1323 return SECCLASS_RAWIP_SOCKET;
1324 case SOCK_DGRAM:
1325 if (default_protocol_dgram(protocol))
1326 return SECCLASS_UDP_SOCKET;
1327 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1328 protocol == IPPROTO_ICMPV6))
1329 return SECCLASS_ICMP_SOCKET;
1330 else
1331 return SECCLASS_RAWIP_SOCKET;
1332 case SOCK_DCCP:
1333 return SECCLASS_DCCP_SOCKET;
1334 default:
1335 return SECCLASS_RAWIP_SOCKET;
1336 }
1337 break;
1338 case PF_NETLINK:
1339 switch (protocol) {
1340 case NETLINK_ROUTE:
1341 return SECCLASS_NETLINK_ROUTE_SOCKET;
1342 case NETLINK_SOCK_DIAG:
1343 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1344 case NETLINK_NFLOG:
1345 return SECCLASS_NETLINK_NFLOG_SOCKET;
1346 case NETLINK_XFRM:
1347 return SECCLASS_NETLINK_XFRM_SOCKET;
1348 case NETLINK_SELINUX:
1349 return SECCLASS_NETLINK_SELINUX_SOCKET;
1350 case NETLINK_ISCSI:
1351 return SECCLASS_NETLINK_ISCSI_SOCKET;
1352 case NETLINK_AUDIT:
1353 return SECCLASS_NETLINK_AUDIT_SOCKET;
1354 case NETLINK_FIB_LOOKUP:
1355 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1356 case NETLINK_CONNECTOR:
1357 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1358 case NETLINK_NETFILTER:
1359 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1360 case NETLINK_DNRTMSG:
1361 return SECCLASS_NETLINK_DNRT_SOCKET;
1362 case NETLINK_KOBJECT_UEVENT:
1363 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1364 case NETLINK_GENERIC:
1365 return SECCLASS_NETLINK_GENERIC_SOCKET;
1366 case NETLINK_SCSITRANSPORT:
1367 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1368 case NETLINK_RDMA:
1369 return SECCLASS_NETLINK_RDMA_SOCKET;
1370 case NETLINK_CRYPTO:
1371 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1372 default:
1373 return SECCLASS_NETLINK_SOCKET;
1374 }
1375 case PF_PACKET:
1376 return SECCLASS_PACKET_SOCKET;
1377 case PF_KEY:
1378 return SECCLASS_KEY_SOCKET;
1379 case PF_APPLETALK:
1380 return SECCLASS_APPLETALK_SOCKET;
1381 }
1382
1383 if (extsockclass) {
1384 switch (family) {
1385 case PF_AX25:
1386 return SECCLASS_AX25_SOCKET;
1387 case PF_IPX:
1388 return SECCLASS_IPX_SOCKET;
1389 case PF_NETROM:
1390 return SECCLASS_NETROM_SOCKET;
1391 case PF_ATMPVC:
1392 return SECCLASS_ATMPVC_SOCKET;
1393 case PF_X25:
1394 return SECCLASS_X25_SOCKET;
1395 case PF_ROSE:
1396 return SECCLASS_ROSE_SOCKET;
1397 case PF_DECnet:
1398 return SECCLASS_DECNET_SOCKET;
1399 case PF_ATMSVC:
1400 return SECCLASS_ATMSVC_SOCKET;
1401 case PF_RDS:
1402 return SECCLASS_RDS_SOCKET;
1403 case PF_IRDA:
1404 return SECCLASS_IRDA_SOCKET;
1405 case PF_PPPOX:
1406 return SECCLASS_PPPOX_SOCKET;
1407 case PF_LLC:
1408 return SECCLASS_LLC_SOCKET;
1409 case PF_CAN:
1410 return SECCLASS_CAN_SOCKET;
1411 case PF_TIPC:
1412 return SECCLASS_TIPC_SOCKET;
1413 case PF_BLUETOOTH:
1414 return SECCLASS_BLUETOOTH_SOCKET;
1415 case PF_IUCV:
1416 return SECCLASS_IUCV_SOCKET;
1417 case PF_RXRPC:
1418 return SECCLASS_RXRPC_SOCKET;
1419 case PF_ISDN:
1420 return SECCLASS_ISDN_SOCKET;
1421 case PF_PHONET:
1422 return SECCLASS_PHONET_SOCKET;
1423 case PF_IEEE802154:
1424 return SECCLASS_IEEE802154_SOCKET;
1425 case PF_CAIF:
1426 return SECCLASS_CAIF_SOCKET;
1427 case PF_ALG:
1428 return SECCLASS_ALG_SOCKET;
1429 case PF_NFC:
1430 return SECCLASS_NFC_SOCKET;
1431 case PF_VSOCK:
1432 return SECCLASS_VSOCK_SOCKET;
1433 case PF_KCM:
1434 return SECCLASS_KCM_SOCKET;
1435 case PF_QIPCRTR:
1436 return SECCLASS_QIPCRTR_SOCKET;
1437 case PF_SMC:
1438 return SECCLASS_SMC_SOCKET;
1439 #if PF_MAX > 44
1440 #error New address family defined, please update this function.
1441 #endif
1442 }
1443 }
1444
1445 return SECCLASS_SOCKET;
1446 }
1447
1448 static int selinux_genfs_get_sid(struct dentry *dentry,
1449 u16 tclass,
1450 u16 flags,
1451 u32 *sid)
1452 {
1453 int rc;
1454 struct super_block *sb = dentry->d_sb;
1455 char *buffer, *path;
1456
1457 buffer = (char *)__get_free_page(GFP_KERNEL);
1458 if (!buffer)
1459 return -ENOMEM;
1460
1461 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1462 if (IS_ERR(path))
1463 rc = PTR_ERR(path);
1464 else {
1465 if (flags & SE_SBPROC) {
1466 /* each process gets a /proc/PID/ entry. Strip off the
1467 * PID part to get a valid selinux labeling.
1468 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1469 while (path[1] >= '0' && path[1] <= '9') {
1470 path[1] = '/';
1471 path++;
1472 }
1473 }
1474 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid);
1475 }
1476 free_page((unsigned long)buffer);
1477 return rc;
1478 }
1479
1480 /* The inode's security attributes must be initialized before first use. */
1481 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1482 {
1483 struct superblock_security_struct *sbsec = NULL;
1484 struct inode_security_struct *isec = inode->i_security;
1485 u32 task_sid, sid = 0;
1486 u16 sclass;
1487 struct dentry *dentry;
1488 #define INITCONTEXTLEN 255
1489 char *context = NULL;
1490 unsigned len = 0;
1491 int rc = 0;
1492
1493 if (isec->initialized == LABEL_INITIALIZED)
1494 return 0;
1495
1496 spin_lock(&isec->lock);
1497 if (isec->initialized == LABEL_INITIALIZED)
1498 goto out_unlock;
1499
1500 if (isec->sclass == SECCLASS_FILE)
1501 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1502
1503 sbsec = inode->i_sb->s_security;
1504 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1505 /* Defer initialization until selinux_complete_init,
1506 after the initial policy is loaded and the security
1507 server is ready to handle calls. */
1508 spin_lock(&sbsec->isec_lock);
1509 if (list_empty(&isec->list))
1510 list_add(&isec->list, &sbsec->isec_head);
1511 spin_unlock(&sbsec->isec_lock);
1512 goto out_unlock;
1513 }
1514
1515 sclass = isec->sclass;
1516 task_sid = isec->task_sid;
1517 sid = isec->sid;
1518 isec->initialized = LABEL_PENDING;
1519 spin_unlock(&isec->lock);
1520
1521 switch (sbsec->behavior) {
1522 case SECURITY_FS_USE_NATIVE:
1523 break;
1524 case SECURITY_FS_USE_XATTR:
1525 if (!(inode->i_opflags & IOP_XATTR)) {
1526 sid = sbsec->def_sid;
1527 break;
1528 }
1529 /* Need a dentry, since the xattr API requires one.
1530 Life would be simpler if we could just pass the inode. */
1531 if (opt_dentry) {
1532 /* Called from d_instantiate or d_splice_alias. */
1533 dentry = dget(opt_dentry);
1534 } else {
1535 /* Called from selinux_complete_init, try to find a dentry. */
1536 dentry = d_find_alias(inode);
1537 }
1538 if (!dentry) {
1539 /*
1540 * this is can be hit on boot when a file is accessed
1541 * before the policy is loaded. When we load policy we
1542 * may find inodes that have no dentry on the
1543 * sbsec->isec_head list. No reason to complain as these
1544 * will get fixed up the next time we go through
1545 * inode_doinit with a dentry, before these inodes could
1546 * be used again by userspace.
1547 */
1548 goto out;
1549 }
1550
1551 len = INITCONTEXTLEN;
1552 context = kmalloc(len+1, GFP_NOFS);
1553 if (!context) {
1554 rc = -ENOMEM;
1555 dput(dentry);
1556 goto out;
1557 }
1558 context[len] = '\0';
1559 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1560 if (rc == -ERANGE) {
1561 kfree(context);
1562
1563 /* Need a larger buffer. Query for the right size. */
1564 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1565 if (rc < 0) {
1566 dput(dentry);
1567 goto out;
1568 }
1569 len = rc;
1570 context = kmalloc(len+1, GFP_NOFS);
1571 if (!context) {
1572 rc = -ENOMEM;
1573 dput(dentry);
1574 goto out;
1575 }
1576 context[len] = '\0';
1577 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1578 }
1579 dput(dentry);
1580 if (rc < 0) {
1581 if (rc != -ENODATA) {
1582 printk(KERN_WARNING "SELinux: %s: getxattr returned "
1583 "%d for dev=%s ino=%ld\n", __func__,
1584 -rc, inode->i_sb->s_id, inode->i_ino);
1585 kfree(context);
1586 goto out;
1587 }
1588 /* Map ENODATA to the default file SID */
1589 sid = sbsec->def_sid;
1590 rc = 0;
1591 } else {
1592 rc = security_context_to_sid_default(context, rc, &sid,
1593 sbsec->def_sid,
1594 GFP_NOFS);
1595 if (rc) {
1596 char *dev = inode->i_sb->s_id;
1597 unsigned long ino = inode->i_ino;
1598
1599 if (rc == -EINVAL) {
1600 if (printk_ratelimit())
1601 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
1602 "context=%s. This indicates you may need to relabel the inode or the "
1603 "filesystem in question.\n", ino, dev, context);
1604 } else {
1605 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
1606 "returned %d for dev=%s ino=%ld\n",
1607 __func__, context, -rc, dev, ino);
1608 }
1609 kfree(context);
1610 /* Leave with the unlabeled SID */
1611 rc = 0;
1612 break;
1613 }
1614 }
1615 kfree(context);
1616 break;
1617 case SECURITY_FS_USE_TASK:
1618 sid = task_sid;
1619 break;
1620 case SECURITY_FS_USE_TRANS:
1621 /* Default to the fs SID. */
1622 sid = sbsec->sid;
1623
1624 /* Try to obtain a transition SID. */
1625 rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid);
1626 if (rc)
1627 goto out;
1628 break;
1629 case SECURITY_FS_USE_MNTPOINT:
1630 sid = sbsec->mntpoint_sid;
1631 break;
1632 default:
1633 /* Default to the fs superblock SID. */
1634 sid = sbsec->sid;
1635
1636 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1637 /* We must have a dentry to determine the label on
1638 * procfs inodes */
1639 if (opt_dentry)
1640 /* Called from d_instantiate or
1641 * d_splice_alias. */
1642 dentry = dget(opt_dentry);
1643 else
1644 /* Called from selinux_complete_init, try to
1645 * find a dentry. */
1646 dentry = d_find_alias(inode);
1647 /*
1648 * This can be hit on boot when a file is accessed
1649 * before the policy is loaded. When we load policy we
1650 * may find inodes that have no dentry on the
1651 * sbsec->isec_head list. No reason to complain as
1652 * these will get fixed up the next time we go through
1653 * inode_doinit() with a dentry, before these inodes
1654 * could be used again by userspace.
1655 */
1656 if (!dentry)
1657 goto out;
1658 rc = selinux_genfs_get_sid(dentry, sclass,
1659 sbsec->flags, &sid);
1660 dput(dentry);
1661 if (rc)
1662 goto out;
1663 }
1664 break;
1665 }
1666
1667 out:
1668 spin_lock(&isec->lock);
1669 if (isec->initialized == LABEL_PENDING) {
1670 if (!sid || rc) {
1671 isec->initialized = LABEL_INVALID;
1672 goto out_unlock;
1673 }
1674
1675 isec->initialized = LABEL_INITIALIZED;
1676 isec->sid = sid;
1677 }
1678
1679 out_unlock:
1680 spin_unlock(&isec->lock);
1681 return rc;
1682 }
1683
1684 /* Convert a Linux signal to an access vector. */
1685 static inline u32 signal_to_av(int sig)
1686 {
1687 u32 perm = 0;
1688
1689 switch (sig) {
1690 case SIGCHLD:
1691 /* Commonly granted from child to parent. */
1692 perm = PROCESS__SIGCHLD;
1693 break;
1694 case SIGKILL:
1695 /* Cannot be caught or ignored */
1696 perm = PROCESS__SIGKILL;
1697 break;
1698 case SIGSTOP:
1699 /* Cannot be caught or ignored */
1700 perm = PROCESS__SIGSTOP;
1701 break;
1702 default:
1703 /* All other signals. */
1704 perm = PROCESS__SIGNAL;
1705 break;
1706 }
1707
1708 return perm;
1709 }
1710
1711 #if CAP_LAST_CAP > 63
1712 #error Fix SELinux to handle capabilities > 63.
1713 #endif
1714
1715 /* Check whether a task is allowed to use a capability. */
1716 static int cred_has_capability(const struct cred *cred,
1717 int cap, int audit, bool initns)
1718 {
1719 struct common_audit_data ad;
1720 struct av_decision avd;
1721 u16 sclass;
1722 u32 sid = cred_sid(cred);
1723 u32 av = CAP_TO_MASK(cap);
1724 int rc;
1725
1726 ad.type = LSM_AUDIT_DATA_CAP;
1727 ad.u.cap = cap;
1728
1729 switch (CAP_TO_INDEX(cap)) {
1730 case 0:
1731 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1732 break;
1733 case 1:
1734 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1735 break;
1736 default:
1737 printk(KERN_ERR
1738 "SELinux: out of range capability %d\n", cap);
1739 BUG();
1740 return -EINVAL;
1741 }
1742
1743 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1744 if (audit == SECURITY_CAP_AUDIT) {
1745 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
1746 if (rc2)
1747 return rc2;
1748 }
1749 return rc;
1750 }
1751
1752 /* Check whether a task has a particular permission to an inode.
1753 The 'adp' parameter is optional and allows other audit
1754 data to be passed (e.g. the dentry). */
1755 static int inode_has_perm(const struct cred *cred,
1756 struct inode *inode,
1757 u32 perms,
1758 struct common_audit_data *adp)
1759 {
1760 struct inode_security_struct *isec;
1761 u32 sid;
1762
1763 validate_creds(cred);
1764
1765 if (unlikely(IS_PRIVATE(inode)))
1766 return 0;
1767
1768 sid = cred_sid(cred);
1769 isec = inode->i_security;
1770
1771 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1772 }
1773
1774 /* Same as inode_has_perm, but pass explicit audit data containing
1775 the dentry to help the auditing code to more easily generate the
1776 pathname if needed. */
1777 static inline int dentry_has_perm(const struct cred *cred,
1778 struct dentry *dentry,
1779 u32 av)
1780 {
1781 struct inode *inode = d_backing_inode(dentry);
1782 struct common_audit_data ad;
1783
1784 ad.type = LSM_AUDIT_DATA_DENTRY;
1785 ad.u.dentry = dentry;
1786 __inode_security_revalidate(inode, dentry, true);
1787 return inode_has_perm(cred, inode, av, &ad);
1788 }
1789
1790 /* Same as inode_has_perm, but pass explicit audit data containing
1791 the path to help the auditing code to more easily generate the
1792 pathname if needed. */
1793 static inline int path_has_perm(const struct cred *cred,
1794 const struct path *path,
1795 u32 av)
1796 {
1797 struct inode *inode = d_backing_inode(path->dentry);
1798 struct common_audit_data ad;
1799
1800 ad.type = LSM_AUDIT_DATA_PATH;
1801 ad.u.path = *path;
1802 __inode_security_revalidate(inode, path->dentry, true);
1803 return inode_has_perm(cred, inode, av, &ad);
1804 }
1805
1806 /* Same as path_has_perm, but uses the inode from the file struct. */
1807 static inline int file_path_has_perm(const struct cred *cred,
1808 struct file *file,
1809 u32 av)
1810 {
1811 struct common_audit_data ad;
1812
1813 ad.type = LSM_AUDIT_DATA_FILE;
1814 ad.u.file = file;
1815 return inode_has_perm(cred, file_inode(file), av, &ad);
1816 }
1817
1818 #ifdef CONFIG_BPF_SYSCALL
1819 static int bpf_fd_pass(struct file *file, u32 sid);
1820 #endif
1821
1822 /* Check whether a task can use an open file descriptor to
1823 access an inode in a given way. Check access to the
1824 descriptor itself, and then use dentry_has_perm to
1825 check a particular permission to the file.
1826 Access to the descriptor is implicitly granted if it
1827 has the same SID as the process. If av is zero, then
1828 access to the file is not checked, e.g. for cases
1829 where only the descriptor is affected like seek. */
1830 static int file_has_perm(const struct cred *cred,
1831 struct file *file,
1832 u32 av)
1833 {
1834 struct file_security_struct *fsec = file->f_security;
1835 struct inode *inode = file_inode(file);
1836 struct common_audit_data ad;
1837 u32 sid = cred_sid(cred);
1838 int rc;
1839
1840 ad.type = LSM_AUDIT_DATA_FILE;
1841 ad.u.file = file;
1842
1843 if (sid != fsec->sid) {
1844 rc = avc_has_perm(sid, fsec->sid,
1845 SECCLASS_FD,
1846 FD__USE,
1847 &ad);
1848 if (rc)
1849 goto out;
1850 }
1851
1852 #ifdef CONFIG_BPF_SYSCALL
1853 rc = bpf_fd_pass(file, cred_sid(cred));
1854 if (rc)
1855 return rc;
1856 #endif
1857
1858 /* av is zero if only checking access to the descriptor. */
1859 rc = 0;
1860 if (av)
1861 rc = inode_has_perm(cred, inode, av, &ad);
1862
1863 out:
1864 return rc;
1865 }
1866
1867 /*
1868 * Determine the label for an inode that might be unioned.
1869 */
1870 static int
1871 selinux_determine_inode_label(const struct task_security_struct *tsec,
1872 struct inode *dir,
1873 const struct qstr *name, u16 tclass,
1874 u32 *_new_isid)
1875 {
1876 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1877
1878 if ((sbsec->flags & SE_SBINITIALIZED) &&
1879 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1880 *_new_isid = sbsec->mntpoint_sid;
1881 } else if ((sbsec->flags & SBLABEL_MNT) &&
1882 tsec->create_sid) {
1883 *_new_isid = tsec->create_sid;
1884 } else {
1885 const struct inode_security_struct *dsec = inode_security(dir);
1886 return security_transition_sid(tsec->sid, dsec->sid, tclass,
1887 name, _new_isid);
1888 }
1889
1890 return 0;
1891 }
1892
1893 /* Check whether a task can create a file. */
1894 static int may_create(struct inode *dir,
1895 struct dentry *dentry,
1896 u16 tclass)
1897 {
1898 const struct task_security_struct *tsec = current_security();
1899 struct inode_security_struct *dsec;
1900 struct superblock_security_struct *sbsec;
1901 u32 sid, newsid;
1902 struct common_audit_data ad;
1903 int rc;
1904
1905 dsec = inode_security(dir);
1906 sbsec = dir->i_sb->s_security;
1907
1908 sid = tsec->sid;
1909
1910 ad.type = LSM_AUDIT_DATA_DENTRY;
1911 ad.u.dentry = dentry;
1912
1913 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1914 DIR__ADD_NAME | DIR__SEARCH,
1915 &ad);
1916 if (rc)
1917 return rc;
1918
1919 rc = selinux_determine_inode_label(current_security(), dir,
1920 &dentry->d_name, tclass, &newsid);
1921 if (rc)
1922 return rc;
1923
1924 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1925 if (rc)
1926 return rc;
1927
1928 return avc_has_perm(newsid, sbsec->sid,
1929 SECCLASS_FILESYSTEM,
1930 FILESYSTEM__ASSOCIATE, &ad);
1931 }
1932
1933 #define MAY_LINK 0
1934 #define MAY_UNLINK 1
1935 #define MAY_RMDIR 2
1936
1937 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1938 static int may_link(struct inode *dir,
1939 struct dentry *dentry,
1940 int kind)
1941
1942 {
1943 struct inode_security_struct *dsec, *isec;
1944 struct common_audit_data ad;
1945 u32 sid = current_sid();
1946 u32 av;
1947 int rc;
1948
1949 dsec = inode_security(dir);
1950 isec = backing_inode_security(dentry);
1951
1952 ad.type = LSM_AUDIT_DATA_DENTRY;
1953 ad.u.dentry = dentry;
1954
1955 av = DIR__SEARCH;
1956 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1957 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1958 if (rc)
1959 return rc;
1960
1961 switch (kind) {
1962 case MAY_LINK:
1963 av = FILE__LINK;
1964 break;
1965 case MAY_UNLINK:
1966 av = FILE__UNLINK;
1967 break;
1968 case MAY_RMDIR:
1969 av = DIR__RMDIR;
1970 break;
1971 default:
1972 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n",
1973 __func__, kind);
1974 return 0;
1975 }
1976
1977 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1978 return rc;
1979 }
1980
1981 static inline int may_rename(struct inode *old_dir,
1982 struct dentry *old_dentry,
1983 struct inode *new_dir,
1984 struct dentry *new_dentry)
1985 {
1986 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1987 struct common_audit_data ad;
1988 u32 sid = current_sid();
1989 u32 av;
1990 int old_is_dir, new_is_dir;
1991 int rc;
1992
1993 old_dsec = inode_security(old_dir);
1994 old_isec = backing_inode_security(old_dentry);
1995 old_is_dir = d_is_dir(old_dentry);
1996 new_dsec = inode_security(new_dir);
1997
1998 ad.type = LSM_AUDIT_DATA_DENTRY;
1999
2000 ad.u.dentry = old_dentry;
2001 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
2002 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
2003 if (rc)
2004 return rc;
2005 rc = avc_has_perm(sid, old_isec->sid,
2006 old_isec->sclass, FILE__RENAME, &ad);
2007 if (rc)
2008 return rc;
2009 if (old_is_dir && new_dir != old_dir) {
2010 rc = avc_has_perm(sid, old_isec->sid,
2011 old_isec->sclass, DIR__REPARENT, &ad);
2012 if (rc)
2013 return rc;
2014 }
2015
2016 ad.u.dentry = new_dentry;
2017 av = DIR__ADD_NAME | DIR__SEARCH;
2018 if (d_is_positive(new_dentry))
2019 av |= DIR__REMOVE_NAME;
2020 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
2021 if (rc)
2022 return rc;
2023 if (d_is_positive(new_dentry)) {
2024 new_isec = backing_inode_security(new_dentry);
2025 new_is_dir = d_is_dir(new_dentry);
2026 rc = avc_has_perm(sid, new_isec->sid,
2027 new_isec->sclass,
2028 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
2029 if (rc)
2030 return rc;
2031 }
2032
2033 return 0;
2034 }
2035
2036 /* Check whether a task can perform a filesystem operation. */
2037 static int superblock_has_perm(const struct cred *cred,
2038 struct super_block *sb,
2039 u32 perms,
2040 struct common_audit_data *ad)
2041 {
2042 struct superblock_security_struct *sbsec;
2043 u32 sid = cred_sid(cred);
2044
2045 sbsec = sb->s_security;
2046 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
2047 }
2048
2049 /* Convert a Linux mode and permission mask to an access vector. */
2050 static inline u32 file_mask_to_av(int mode, int mask)
2051 {
2052 u32 av = 0;
2053
2054 if (!S_ISDIR(mode)) {
2055 if (mask & MAY_EXEC)
2056 av |= FILE__EXECUTE;
2057 if (mask & MAY_READ)
2058 av |= FILE__READ;
2059
2060 if (mask & MAY_APPEND)
2061 av |= FILE__APPEND;
2062 else if (mask & MAY_WRITE)
2063 av |= FILE__WRITE;
2064
2065 } else {
2066 if (mask & MAY_EXEC)
2067 av |= DIR__SEARCH;
2068 if (mask & MAY_WRITE)
2069 av |= DIR__WRITE;
2070 if (mask & MAY_READ)
2071 av |= DIR__READ;
2072 }
2073
2074 return av;
2075 }
2076
2077 /* Convert a Linux file to an access vector. */
2078 static inline u32 file_to_av(struct file *file)
2079 {
2080 u32 av = 0;
2081
2082 if (file->f_mode & FMODE_READ)
2083 av |= FILE__READ;
2084 if (file->f_mode & FMODE_WRITE) {
2085 if (file->f_flags & O_APPEND)
2086 av |= FILE__APPEND;
2087 else
2088 av |= FILE__WRITE;
2089 }
2090 if (!av) {
2091 /*
2092 * Special file opened with flags 3 for ioctl-only use.
2093 */
2094 av = FILE__IOCTL;
2095 }
2096
2097 return av;
2098 }
2099
2100 /*
2101 * Convert a file to an access vector and include the correct open
2102 * open permission.
2103 */
2104 static inline u32 open_file_to_av(struct file *file)
2105 {
2106 u32 av = file_to_av(file);
2107 struct inode *inode = file_inode(file);
2108
2109 if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC)
2110 av |= FILE__OPEN;
2111
2112 return av;
2113 }
2114
2115 /* Hook functions begin here. */
2116
2117 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2118 {
2119 u32 mysid = current_sid();
2120 u32 mgrsid = task_sid(mgr);
2121
2122 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER,
2123 BINDER__SET_CONTEXT_MGR, NULL);
2124 }
2125
2126 static int selinux_binder_transaction(struct task_struct *from,
2127 struct task_struct *to)
2128 {
2129 u32 mysid = current_sid();
2130 u32 fromsid = task_sid(from);
2131 u32 tosid = task_sid(to);
2132 int rc;
2133
2134 if (mysid != fromsid) {
2135 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2136 BINDER__IMPERSONATE, NULL);
2137 if (rc)
2138 return rc;
2139 }
2140
2141 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2142 NULL);
2143 }
2144
2145 static int selinux_binder_transfer_binder(struct task_struct *from,
2146 struct task_struct *to)
2147 {
2148 u32 fromsid = task_sid(from);
2149 u32 tosid = task_sid(to);
2150
2151 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2152 NULL);
2153 }
2154
2155 static int selinux_binder_transfer_file(struct task_struct *from,
2156 struct task_struct *to,
2157 struct file *file)
2158 {
2159 u32 sid = task_sid(to);
2160 struct file_security_struct *fsec = file->f_security;
2161 struct dentry *dentry = file->f_path.dentry;
2162 struct inode_security_struct *isec;
2163 struct common_audit_data ad;
2164 int rc;
2165
2166 ad.type = LSM_AUDIT_DATA_PATH;
2167 ad.u.path = file->f_path;
2168
2169 if (sid != fsec->sid) {
2170 rc = avc_has_perm(sid, fsec->sid,
2171 SECCLASS_FD,
2172 FD__USE,
2173 &ad);
2174 if (rc)
2175 return rc;
2176 }
2177
2178 #ifdef CONFIG_BPF_SYSCALL
2179 rc = bpf_fd_pass(file, sid);
2180 if (rc)
2181 return rc;
2182 #endif
2183
2184 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2185 return 0;
2186
2187 isec = backing_inode_security(dentry);
2188 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2189 &ad);
2190 }
2191
2192 static int selinux_ptrace_access_check(struct task_struct *child,
2193 unsigned int mode)
2194 {
2195 u32 sid = current_sid();
2196 u32 csid = task_sid(child);
2197
2198 if (mode & PTRACE_MODE_READ)
2199 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2200
2201 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2202 }
2203
2204 static int selinux_ptrace_traceme(struct task_struct *parent)
2205 {
2206 return avc_has_perm(task_sid(parent), current_sid(), SECCLASS_PROCESS,
2207 PROCESS__PTRACE, NULL);
2208 }
2209
2210 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2211 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2212 {
2213 return avc_has_perm(current_sid(), task_sid(target), SECCLASS_PROCESS,
2214 PROCESS__GETCAP, NULL);
2215 }
2216
2217 static int selinux_capset(struct cred *new, const struct cred *old,
2218 const kernel_cap_t *effective,
2219 const kernel_cap_t *inheritable,
2220 const kernel_cap_t *permitted)
2221 {
2222 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2223 PROCESS__SETCAP, NULL);
2224 }
2225
2226 /*
2227 * (This comment used to live with the selinux_task_setuid hook,
2228 * which was removed).
2229 *
2230 * Since setuid only affects the current process, and since the SELinux
2231 * controls are not based on the Linux identity attributes, SELinux does not
2232 * need to control this operation. However, SELinux does control the use of
2233 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2234 */
2235
2236 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2237 int cap, int audit)
2238 {
2239 return cred_has_capability(cred, cap, audit, ns == &init_user_ns);
2240 }
2241
2242 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2243 {
2244 const struct cred *cred = current_cred();
2245 int rc = 0;
2246
2247 if (!sb)
2248 return 0;
2249
2250 switch (cmds) {
2251 case Q_SYNC:
2252 case Q_QUOTAON:
2253 case Q_QUOTAOFF:
2254 case Q_SETINFO:
2255 case Q_SETQUOTA:
2256 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2257 break;
2258 case Q_GETFMT:
2259 case Q_GETINFO:
2260 case Q_GETQUOTA:
2261 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2262 break;
2263 default:
2264 rc = 0; /* let the kernel handle invalid cmds */
2265 break;
2266 }
2267 return rc;
2268 }
2269
2270 static int selinux_quota_on(struct dentry *dentry)
2271 {
2272 const struct cred *cred = current_cred();
2273
2274 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2275 }
2276
2277 static int selinux_syslog(int type)
2278 {
2279 switch (type) {
2280 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2281 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2282 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2283 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2284 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2285 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2286 /* Set level of messages printed to console */
2287 case SYSLOG_ACTION_CONSOLE_LEVEL:
2288 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2289 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2290 NULL);
2291 }
2292 /* All other syslog types */
2293 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2294 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2295 }
2296
2297 /*
2298 * Check that a process has enough memory to allocate a new virtual
2299 * mapping. 0 means there is enough memory for the allocation to
2300 * succeed and -ENOMEM implies there is not.
2301 *
2302 * Do not audit the selinux permission check, as this is applied to all
2303 * processes that allocate mappings.
2304 */
2305 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2306 {
2307 int rc, cap_sys_admin = 0;
2308
2309 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2310 SECURITY_CAP_NOAUDIT, true);
2311 if (rc == 0)
2312 cap_sys_admin = 1;
2313
2314 return cap_sys_admin;
2315 }
2316
2317 /* binprm security operations */
2318
2319 static u32 ptrace_parent_sid(void)
2320 {
2321 u32 sid = 0;
2322 struct task_struct *tracer;
2323
2324 rcu_read_lock();
2325 tracer = ptrace_parent(current);
2326 if (tracer)
2327 sid = task_sid(tracer);
2328 rcu_read_unlock();
2329
2330 return sid;
2331 }
2332
2333 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2334 const struct task_security_struct *old_tsec,
2335 const struct task_security_struct *new_tsec)
2336 {
2337 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2338 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2339 int rc;
2340 u32 av;
2341
2342 if (!nnp && !nosuid)
2343 return 0; /* neither NNP nor nosuid */
2344
2345 if (new_tsec->sid == old_tsec->sid)
2346 return 0; /* No change in credentials */
2347
2348 /*
2349 * If the policy enables the nnp_nosuid_transition policy capability,
2350 * then we permit transitions under NNP or nosuid if the
2351 * policy allows the corresponding permission between
2352 * the old and new contexts.
2353 */
2354 if (selinux_policycap_nnp_nosuid_transition) {
2355 av = 0;
2356 if (nnp)
2357 av |= PROCESS2__NNP_TRANSITION;
2358 if (nosuid)
2359 av |= PROCESS2__NOSUID_TRANSITION;
2360 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2361 SECCLASS_PROCESS2, av, NULL);
2362 if (!rc)
2363 return 0;
2364 }
2365
2366 /*
2367 * We also permit NNP or nosuid transitions to bounded SIDs,
2368 * i.e. SIDs that are guaranteed to only be allowed a subset
2369 * of the permissions of the current SID.
2370 */
2371 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
2372 if (!rc)
2373 return 0;
2374
2375 /*
2376 * On failure, preserve the errno values for NNP vs nosuid.
2377 * NNP: Operation not permitted for caller.
2378 * nosuid: Permission denied to file.
2379 */
2380 if (nnp)
2381 return -EPERM;
2382 return -EACCES;
2383 }
2384
2385 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2386 {
2387 const struct task_security_struct *old_tsec;
2388 struct task_security_struct *new_tsec;
2389 struct inode_security_struct *isec;
2390 struct common_audit_data ad;
2391 struct inode *inode = file_inode(bprm->file);
2392 int rc;
2393
2394 /* SELinux context only depends on initial program or script and not
2395 * the script interpreter */
2396 if (bprm->called_set_creds)
2397 return 0;
2398
2399 old_tsec = current_security();
2400 new_tsec = bprm->cred->security;
2401 isec = inode_security(inode);
2402
2403 /* Default to the current task SID. */
2404 new_tsec->sid = old_tsec->sid;
2405 new_tsec->osid = old_tsec->sid;
2406
2407 /* Reset fs, key, and sock SIDs on execve. */
2408 new_tsec->create_sid = 0;
2409 new_tsec->keycreate_sid = 0;
2410 new_tsec->sockcreate_sid = 0;
2411
2412 if (old_tsec->exec_sid) {
2413 new_tsec->sid = old_tsec->exec_sid;
2414 /* Reset exec SID on execve. */
2415 new_tsec->exec_sid = 0;
2416
2417 /* Fail on NNP or nosuid if not an allowed transition. */
2418 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2419 if (rc)
2420 return rc;
2421 } else {
2422 /* Check for a default transition on this program. */
2423 rc = security_transition_sid(old_tsec->sid, isec->sid,
2424 SECCLASS_PROCESS, NULL,
2425 &new_tsec->sid);
2426 if (rc)
2427 return rc;
2428
2429 /*
2430 * Fallback to old SID on NNP or nosuid if not an allowed
2431 * transition.
2432 */
2433 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2434 if (rc)
2435 new_tsec->sid = old_tsec->sid;
2436 }
2437
2438 ad.type = LSM_AUDIT_DATA_FILE;
2439 ad.u.file = bprm->file;
2440
2441 if (new_tsec->sid == old_tsec->sid) {
2442 rc = avc_has_perm(old_tsec->sid, isec->sid,
2443 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2444 if (rc)
2445 return rc;
2446 } else {
2447 /* Check permissions for the transition. */
2448 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2449 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2450 if (rc)
2451 return rc;
2452
2453 rc = avc_has_perm(new_tsec->sid, isec->sid,
2454 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2455 if (rc)
2456 return rc;
2457
2458 /* Check for shared state */
2459 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2460 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2461 SECCLASS_PROCESS, PROCESS__SHARE,
2462 NULL);
2463 if (rc)
2464 return -EPERM;
2465 }
2466
2467 /* Make sure that anyone attempting to ptrace over a task that
2468 * changes its SID has the appropriate permit */
2469 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2470 u32 ptsid = ptrace_parent_sid();
2471 if (ptsid != 0) {
2472 rc = avc_has_perm(ptsid, new_tsec->sid,
2473 SECCLASS_PROCESS,
2474 PROCESS__PTRACE, NULL);
2475 if (rc)
2476 return -EPERM;
2477 }
2478 }
2479
2480 /* Clear any possibly unsafe personality bits on exec: */
2481 bprm->per_clear |= PER_CLEAR_ON_SETID;
2482
2483 /* Enable secure mode for SIDs transitions unless
2484 the noatsecure permission is granted between
2485 the two SIDs, i.e. ahp returns 0. */
2486 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2487 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2488 NULL);
2489 bprm->secureexec |= !!rc;
2490 }
2491
2492 return 0;
2493 }
2494
2495 static int match_file(const void *p, struct file *file, unsigned fd)
2496 {
2497 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2498 }
2499
2500 /* Derived from fs/exec.c:flush_old_files. */
2501 static inline void flush_unauthorized_files(const struct cred *cred,
2502 struct files_struct *files)
2503 {
2504 struct file *file, *devnull = NULL;
2505 struct tty_struct *tty;
2506 int drop_tty = 0;
2507 unsigned n;
2508
2509 tty = get_current_tty();
2510 if (tty) {
2511 spin_lock(&tty->files_lock);
2512 if (!list_empty(&tty->tty_files)) {
2513 struct tty_file_private *file_priv;
2514
2515 /* Revalidate access to controlling tty.
2516 Use file_path_has_perm on the tty path directly
2517 rather than using file_has_perm, as this particular
2518 open file may belong to another process and we are
2519 only interested in the inode-based check here. */
2520 file_priv = list_first_entry(&tty->tty_files,
2521 struct tty_file_private, list);
2522 file = file_priv->file;
2523 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2524 drop_tty = 1;
2525 }
2526 spin_unlock(&tty->files_lock);
2527 tty_kref_put(tty);
2528 }
2529 /* Reset controlling tty. */
2530 if (drop_tty)
2531 no_tty();
2532
2533 /* Revalidate access to inherited open files. */
2534 n = iterate_fd(files, 0, match_file, cred);
2535 if (!n) /* none found? */
2536 return;
2537
2538 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2539 if (IS_ERR(devnull))
2540 devnull = NULL;
2541 /* replace all the matching ones with this */
2542 do {
2543 replace_fd(n - 1, devnull, 0);
2544 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2545 if (devnull)
2546 fput(devnull);
2547 }
2548
2549 /*
2550 * Prepare a process for imminent new credential changes due to exec
2551 */
2552 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2553 {
2554 struct task_security_struct *new_tsec;
2555 struct rlimit *rlim, *initrlim;
2556 int rc, i;
2557
2558 new_tsec = bprm->cred->security;
2559 if (new_tsec->sid == new_tsec->osid)
2560 return;
2561
2562 /* Close files for which the new task SID is not authorized. */
2563 flush_unauthorized_files(bprm->cred, current->files);
2564
2565 /* Always clear parent death signal on SID transitions. */
2566 current->pdeath_signal = 0;
2567
2568 /* Check whether the new SID can inherit resource limits from the old
2569 * SID. If not, reset all soft limits to the lower of the current
2570 * task's hard limit and the init task's soft limit.
2571 *
2572 * Note that the setting of hard limits (even to lower them) can be
2573 * controlled by the setrlimit check. The inclusion of the init task's
2574 * soft limit into the computation is to avoid resetting soft limits
2575 * higher than the default soft limit for cases where the default is
2576 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2577 */
2578 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2579 PROCESS__RLIMITINH, NULL);
2580 if (rc) {
2581 /* protect against do_prlimit() */
2582 task_lock(current);
2583 for (i = 0; i < RLIM_NLIMITS; i++) {
2584 rlim = current->signal->rlim + i;
2585 initrlim = init_task.signal->rlim + i;
2586 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2587 }
2588 task_unlock(current);
2589 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2590 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2591 }
2592 }
2593
2594 /*
2595 * Clean up the process immediately after the installation of new credentials
2596 * due to exec
2597 */
2598 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2599 {
2600 const struct task_security_struct *tsec = current_security();
2601 struct itimerval itimer;
2602 u32 osid, sid;
2603 int rc, i;
2604
2605 osid = tsec->osid;
2606 sid = tsec->sid;
2607
2608 if (sid == osid)
2609 return;
2610
2611 /* Check whether the new SID can inherit signal state from the old SID.
2612 * If not, clear itimers to avoid subsequent signal generation and
2613 * flush and unblock signals.
2614 *
2615 * This must occur _after_ the task SID has been updated so that any
2616 * kill done after the flush will be checked against the new SID.
2617 */
2618 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2619 if (rc) {
2620 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) {
2621 memset(&itimer, 0, sizeof itimer);
2622 for (i = 0; i < 3; i++)
2623 do_setitimer(i, &itimer, NULL);
2624 }
2625 spin_lock_irq(&current->sighand->siglock);
2626 if (!fatal_signal_pending(current)) {
2627 flush_sigqueue(&current->pending);
2628 flush_sigqueue(&current->signal->shared_pending);
2629 flush_signal_handlers(current, 1);
2630 sigemptyset(&current->blocked);
2631 recalc_sigpending();
2632 }
2633 spin_unlock_irq(&current->sighand->siglock);
2634 }
2635
2636 /* Wake up the parent if it is waiting so that it can recheck
2637 * wait permission to the new task SID. */
2638 read_lock(&tasklist_lock);
2639 __wake_up_parent(current, current->real_parent);
2640 read_unlock(&tasklist_lock);
2641 }
2642
2643 /* superblock security operations */
2644
2645 static int selinux_sb_alloc_security(struct super_block *sb)
2646 {
2647 return superblock_alloc_security(sb);
2648 }
2649
2650 static void selinux_sb_free_security(struct super_block *sb)
2651 {
2652 superblock_free_security(sb);
2653 }
2654
2655 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2656 {
2657 if (plen > olen)
2658 return 0;
2659
2660 return !memcmp(prefix, option, plen);
2661 }
2662
2663 static inline int selinux_option(char *option, int len)
2664 {
2665 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2666 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2667 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2668 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) ||
2669 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len));
2670 }
2671
2672 static inline void take_option(char **to, char *from, int *first, int len)
2673 {
2674 if (!*first) {
2675 **to = ',';
2676 *to += 1;
2677 } else
2678 *first = 0;
2679 memcpy(*to, from, len);
2680 *to += len;
2681 }
2682
2683 static inline void take_selinux_option(char **to, char *from, int *first,
2684 int len)
2685 {
2686 int current_size = 0;
2687
2688 if (!*first) {
2689 **to = '|';
2690 *to += 1;
2691 } else
2692 *first = 0;
2693
2694 while (current_size < len) {
2695 if (*from != '"') {
2696 **to = *from;
2697 *to += 1;
2698 }
2699 from += 1;
2700 current_size += 1;
2701 }
2702 }
2703
2704 static int selinux_sb_copy_data(char *orig, char *copy)
2705 {
2706 int fnosec, fsec, rc = 0;
2707 char *in_save, *in_curr, *in_end;
2708 char *sec_curr, *nosec_save, *nosec;
2709 int open_quote = 0;
2710
2711 in_curr = orig;
2712 sec_curr = copy;
2713
2714 nosec = (char *)get_zeroed_page(GFP_KERNEL);
2715 if (!nosec) {
2716 rc = -ENOMEM;
2717 goto out;
2718 }
2719
2720 nosec_save = nosec;
2721 fnosec = fsec = 1;
2722 in_save = in_end = orig;
2723
2724 do {
2725 if (*in_end == '"')
2726 open_quote = !open_quote;
2727 if ((*in_end == ',' && open_quote == 0) ||
2728 *in_end == '\0') {
2729 int len = in_end - in_curr;
2730
2731 if (selinux_option(in_curr, len))
2732 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2733 else
2734 take_option(&nosec, in_curr, &fnosec, len);
2735
2736 in_curr = in_end + 1;
2737 }
2738 } while (*in_end++);
2739
2740 strcpy(in_save, nosec_save);
2741 free_page((unsigned long)nosec_save);
2742 out:
2743 return rc;
2744 }
2745
2746 static int selinux_sb_remount(struct super_block *sb, void *data)
2747 {
2748 int rc, i, *flags;
2749 struct security_mnt_opts opts;
2750 char *secdata, **mount_options;
2751 struct superblock_security_struct *sbsec = sb->s_security;
2752
2753 if (!(sbsec->flags & SE_SBINITIALIZED))
2754 return 0;
2755
2756 if (!data)
2757 return 0;
2758
2759 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
2760 return 0;
2761
2762 security_init_mnt_opts(&opts);
2763 secdata = alloc_secdata();
2764 if (!secdata)
2765 return -ENOMEM;
2766 rc = selinux_sb_copy_data(data, secdata);
2767 if (rc)
2768 goto out_free_secdata;
2769
2770 rc = selinux_parse_opts_str(secdata, &opts);
2771 if (rc)
2772 goto out_free_secdata;
2773
2774 mount_options = opts.mnt_opts;
2775 flags = opts.mnt_opts_flags;
2776
2777 for (i = 0; i < opts.num_mnt_opts; i++) {
2778 u32 sid;
2779
2780 if (flags[i] == SBLABEL_MNT)
2781 continue;
2782 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL);
2783 if (rc) {
2784 printk(KERN_WARNING "SELinux: security_context_str_to_sid"
2785 "(%s) failed for (dev %s, type %s) errno=%d\n",
2786 mount_options[i], sb->s_id, sb->s_type->name, rc);
2787 goto out_free_opts;
2788 }
2789 rc = -EINVAL;
2790 switch (flags[i]) {
2791 case FSCONTEXT_MNT:
2792 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2793 goto out_bad_option;
2794 break;
2795 case CONTEXT_MNT:
2796 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2797 goto out_bad_option;
2798 break;
2799 case ROOTCONTEXT_MNT: {
2800 struct inode_security_struct *root_isec;
2801 root_isec = backing_inode_security(sb->s_root);
2802
2803 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2804 goto out_bad_option;
2805 break;
2806 }
2807 case DEFCONTEXT_MNT:
2808 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2809 goto out_bad_option;
2810 break;
2811 default:
2812 goto out_free_opts;
2813 }
2814 }
2815
2816 rc = 0;
2817 out_free_opts:
2818 security_free_mnt_opts(&opts);
2819 out_free_secdata:
2820 free_secdata(secdata);
2821 return rc;
2822 out_bad_option:
2823 printk(KERN_WARNING "SELinux: unable to change security options "
2824 "during remount (dev %s, type=%s)\n", sb->s_id,
2825 sb->s_type->name);
2826 goto out_free_opts;
2827 }
2828
2829 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2830 {
2831 const struct cred *cred = current_cred();
2832 struct common_audit_data ad;
2833 int rc;
2834
2835 rc = superblock_doinit(sb, data);
2836 if (rc)
2837 return rc;
2838
2839 /* Allow all mounts performed by the kernel */
2840 if (flags & MS_KERNMOUNT)
2841 return 0;
2842
2843 ad.type = LSM_AUDIT_DATA_DENTRY;
2844 ad.u.dentry = sb->s_root;
2845 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2846 }
2847
2848 static int selinux_sb_statfs(struct dentry *dentry)
2849 {
2850 const struct cred *cred = current_cred();
2851 struct common_audit_data ad;
2852
2853 ad.type = LSM_AUDIT_DATA_DENTRY;
2854 ad.u.dentry = dentry->d_sb->s_root;
2855 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2856 }
2857
2858 static int selinux_mount(const char *dev_name,
2859 const struct path *path,
2860 const char *type,
2861 unsigned long flags,
2862 void *data)
2863 {
2864 const struct cred *cred = current_cred();
2865
2866 if (flags & MS_REMOUNT)
2867 return superblock_has_perm(cred, path->dentry->d_sb,
2868 FILESYSTEM__REMOUNT, NULL);
2869 else
2870 return path_has_perm(cred, path, FILE__MOUNTON);
2871 }
2872
2873 static int selinux_umount(struct vfsmount *mnt, int flags)
2874 {
2875 const struct cred *cred = current_cred();
2876
2877 return superblock_has_perm(cred, mnt->mnt_sb,
2878 FILESYSTEM__UNMOUNT, NULL);
2879 }
2880
2881 /* inode security operations */
2882
2883 static int selinux_inode_alloc_security(struct inode *inode)
2884 {
2885 return inode_alloc_security(inode);
2886 }
2887
2888 static void selinux_inode_free_security(struct inode *inode)
2889 {
2890 inode_free_security(inode);
2891 }
2892
2893 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2894 const struct qstr *name, void **ctx,
2895 u32 *ctxlen)
2896 {
2897 u32 newsid;
2898 int rc;
2899
2900 rc = selinux_determine_inode_label(current_security(),
2901 d_inode(dentry->d_parent), name,
2902 inode_mode_to_security_class(mode),
2903 &newsid);
2904 if (rc)
2905 return rc;
2906
2907 return security_sid_to_context(newsid, (char **)ctx, ctxlen);
2908 }
2909
2910 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2911 struct qstr *name,
2912 const struct cred *old,
2913 struct cred *new)
2914 {
2915 u32 newsid;
2916 int rc;
2917 struct task_security_struct *tsec;
2918
2919 rc = selinux_determine_inode_label(old->security,
2920 d_inode(dentry->d_parent), name,
2921 inode_mode_to_security_class(mode),
2922 &newsid);
2923 if (rc)
2924 return rc;
2925
2926 tsec = new->security;
2927 tsec->create_sid = newsid;
2928 return 0;
2929 }
2930
2931 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2932 const struct qstr *qstr,
2933 const char **name,
2934 void **value, size_t *len)
2935 {
2936 const struct task_security_struct *tsec = current_security();
2937 struct superblock_security_struct *sbsec;
2938 u32 newsid, clen;
2939 int rc;
2940 char *context;
2941
2942 sbsec = dir->i_sb->s_security;
2943
2944 newsid = tsec->create_sid;
2945
2946 rc = selinux_determine_inode_label(current_security(),
2947 dir, qstr,
2948 inode_mode_to_security_class(inode->i_mode),
2949 &newsid);
2950 if (rc)
2951 return rc;
2952
2953 /* Possibly defer initialization to selinux_complete_init. */
2954 if (sbsec->flags & SE_SBINITIALIZED) {
2955 struct inode_security_struct *isec = inode->i_security;
2956 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2957 isec->sid = newsid;
2958 isec->initialized = LABEL_INITIALIZED;
2959 }
2960
2961 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT))
2962 return -EOPNOTSUPP;
2963
2964 if (name)
2965 *name = XATTR_SELINUX_SUFFIX;
2966
2967 if (value && len) {
2968 rc = security_sid_to_context_force(newsid, &context, &clen);
2969 if (rc)
2970 return rc;
2971 *value = context;
2972 *len = clen;
2973 }
2974
2975 return 0;
2976 }
2977
2978 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2979 {
2980 return may_create(dir, dentry, SECCLASS_FILE);
2981 }
2982
2983 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2984 {
2985 return may_link(dir, old_dentry, MAY_LINK);
2986 }
2987
2988 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2989 {
2990 return may_link(dir, dentry, MAY_UNLINK);
2991 }
2992
2993 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2994 {
2995 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2996 }
2997
2998 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2999 {
3000 return may_create(dir, dentry, SECCLASS_DIR);
3001 }
3002
3003 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3004 {
3005 return may_link(dir, dentry, MAY_RMDIR);
3006 }
3007
3008 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3009 {
3010 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3011 }
3012
3013 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3014 struct inode *new_inode, struct dentry *new_dentry)
3015 {
3016 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3017 }
3018
3019 static int selinux_inode_readlink(struct dentry *dentry)
3020 {
3021 const struct cred *cred = current_cred();
3022
3023 return dentry_has_perm(cred, dentry, FILE__READ);
3024 }
3025
3026 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3027 bool rcu)
3028 {
3029 const struct cred *cred = current_cred();
3030 struct common_audit_data ad;
3031 struct inode_security_struct *isec;
3032 u32 sid;
3033
3034 validate_creds(cred);
3035
3036 ad.type = LSM_AUDIT_DATA_DENTRY;
3037 ad.u.dentry = dentry;
3038 sid = cred_sid(cred);
3039 isec = inode_security_rcu(inode, rcu);
3040 if (IS_ERR(isec))
3041 return PTR_ERR(isec);
3042
3043 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad,
3044 rcu ? MAY_NOT_BLOCK : 0);
3045 }
3046
3047 static noinline int audit_inode_permission(struct inode *inode,
3048 u32 perms, u32 audited, u32 denied,
3049 int result,
3050 unsigned flags)
3051 {
3052 struct common_audit_data ad;
3053 struct inode_security_struct *isec = inode->i_security;
3054 int rc;
3055
3056 ad.type = LSM_AUDIT_DATA_INODE;
3057 ad.u.inode = inode;
3058
3059 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3060 audited, denied, result, &ad, flags);
3061 if (rc)
3062 return rc;
3063 return 0;
3064 }
3065
3066 static int selinux_inode_permission(struct inode *inode, int mask)
3067 {
3068 const struct cred *cred = current_cred();
3069 u32 perms;
3070 bool from_access;
3071 unsigned flags = mask & MAY_NOT_BLOCK;
3072 struct inode_security_struct *isec;
3073 u32 sid;
3074 struct av_decision avd;
3075 int rc, rc2;
3076 u32 audited, denied;
3077
3078 from_access = mask & MAY_ACCESS;
3079 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3080
3081 /* No permission to check. Existence test. */
3082 if (!mask)
3083 return 0;
3084
3085 validate_creds(cred);
3086
3087 if (unlikely(IS_PRIVATE(inode)))
3088 return 0;
3089
3090 perms = file_mask_to_av(inode->i_mode, mask);
3091
3092 sid = cred_sid(cred);
3093 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3094 if (IS_ERR(isec))
3095 return PTR_ERR(isec);
3096
3097 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
3098 audited = avc_audit_required(perms, &avd, rc,
3099 from_access ? FILE__AUDIT_ACCESS : 0,
3100 &denied);
3101 if (likely(!audited))
3102 return rc;
3103
3104 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
3105 if (rc2)
3106 return rc2;
3107 return rc;
3108 }
3109
3110 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3111 {
3112 const struct cred *cred = current_cred();
3113 struct inode *inode = d_backing_inode(dentry);
3114 unsigned int ia_valid = iattr->ia_valid;
3115 __u32 av = FILE__WRITE;
3116
3117 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3118 if (ia_valid & ATTR_FORCE) {
3119 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3120 ATTR_FORCE);
3121 if (!ia_valid)
3122 return 0;
3123 }
3124
3125 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3126 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3127 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3128
3129 if (selinux_policycap_openperm &&
3130 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3131 (ia_valid & ATTR_SIZE) &&
3132 !(ia_valid & ATTR_FILE))
3133 av |= FILE__OPEN;
3134
3135 return dentry_has_perm(cred, dentry, av);
3136 }
3137
3138 static int selinux_inode_getattr(const struct path *path)
3139 {
3140 return path_has_perm(current_cred(), path, FILE__GETATTR);
3141 }
3142
3143 static bool has_cap_mac_admin(bool audit)
3144 {
3145 const struct cred *cred = current_cred();
3146 int cap_audit = audit ? SECURITY_CAP_AUDIT : SECURITY_CAP_NOAUDIT;
3147
3148 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, cap_audit))
3149 return false;
3150 if (cred_has_capability(cred, CAP_MAC_ADMIN, cap_audit, true))
3151 return false;
3152 return true;
3153 }
3154
3155 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3156 const void *value, size_t size, int flags)
3157 {
3158 struct inode *inode = d_backing_inode(dentry);
3159 struct inode_security_struct *isec;
3160 struct superblock_security_struct *sbsec;
3161 struct common_audit_data ad;
3162 u32 newsid, sid = current_sid();
3163 int rc = 0;
3164
3165 if (strcmp(name, XATTR_NAME_SELINUX)) {
3166 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3167 if (rc)
3168 return rc;
3169
3170 /* Not an attribute we recognize, so just check the
3171 ordinary setattr permission. */
3172 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3173 }
3174
3175 sbsec = inode->i_sb->s_security;
3176 if (!(sbsec->flags & SBLABEL_MNT))
3177 return -EOPNOTSUPP;
3178
3179 if (!inode_owner_or_capable(inode))
3180 return -EPERM;
3181
3182 ad.type = LSM_AUDIT_DATA_DENTRY;
3183 ad.u.dentry = dentry;
3184
3185 isec = backing_inode_security(dentry);
3186 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3187 FILE__RELABELFROM, &ad);
3188 if (rc)
3189 return rc;
3190
3191 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3192 if (rc == -EINVAL) {
3193 if (!has_cap_mac_admin(true)) {
3194 struct audit_buffer *ab;
3195 size_t audit_size;
3196
3197 /* We strip a nul only if it is at the end, otherwise the
3198 * context contains a nul and we should audit that */
3199 if (value) {
3200 const char *str = value;
3201
3202 if (str[size - 1] == '\0')
3203 audit_size = size - 1;
3204 else
3205 audit_size = size;
3206 } else {
3207 audit_size = 0;
3208 }
3209 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
3210 audit_log_format(ab, "op=setxattr invalid_context=");
3211 audit_log_n_untrustedstring(ab, value, audit_size);
3212 audit_log_end(ab);
3213
3214 return rc;
3215 }
3216 rc = security_context_to_sid_force(value, size, &newsid);
3217 }
3218 if (rc)
3219 return rc;
3220
3221 rc = avc_has_perm(sid, newsid, isec->sclass,
3222 FILE__RELABELTO, &ad);
3223 if (rc)
3224 return rc;
3225
3226 rc = security_validate_transition(isec->sid, newsid, sid,
3227 isec->sclass);
3228 if (rc)
3229 return rc;
3230
3231 return avc_has_perm(newsid,
3232 sbsec->sid,
3233 SECCLASS_FILESYSTEM,
3234 FILESYSTEM__ASSOCIATE,
3235 &ad);
3236 }
3237
3238 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3239 const void *value, size_t size,
3240 int flags)
3241 {
3242 struct inode *inode = d_backing_inode(dentry);
3243 struct inode_security_struct *isec;
3244 u32 newsid;
3245 int rc;
3246
3247 if (strcmp(name, XATTR_NAME_SELINUX)) {
3248 /* Not an attribute we recognize, so nothing to do. */
3249 return;
3250 }
3251
3252 rc = security_context_to_sid_force(value, size, &newsid);
3253 if (rc) {
3254 printk(KERN_ERR "SELinux: unable to map context to SID"
3255 "for (%s, %lu), rc=%d\n",
3256 inode->i_sb->s_id, inode->i_ino, -rc);
3257 return;
3258 }
3259
3260 isec = backing_inode_security(dentry);
3261 spin_lock(&isec->lock);
3262 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3263 isec->sid = newsid;
3264 isec->initialized = LABEL_INITIALIZED;
3265 spin_unlock(&isec->lock);
3266
3267 return;
3268 }
3269
3270 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3271 {
3272 const struct cred *cred = current_cred();
3273
3274 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3275 }
3276
3277 static int selinux_inode_listxattr(struct dentry *dentry)
3278 {
3279 const struct cred *cred = current_cred();
3280
3281 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3282 }
3283
3284 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3285 {
3286 if (strcmp(name, XATTR_NAME_SELINUX)) {
3287 int rc = cap_inode_removexattr(dentry, name);
3288 if (rc)
3289 return rc;
3290
3291 /* Not an attribute we recognize, so just check the
3292 ordinary setattr permission. */
3293 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3294 }
3295
3296 /* No one is allowed to remove a SELinux security label.
3297 You can change the label, but all data must be labeled. */
3298 return -EACCES;
3299 }
3300
3301 /*
3302 * Copy the inode security context value to the user.
3303 *
3304 * Permission check is handled by selinux_inode_getxattr hook.
3305 */
3306 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3307 {
3308 u32 size;
3309 int error;
3310 char *context = NULL;
3311 struct inode_security_struct *isec;
3312
3313 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3314 return -EOPNOTSUPP;
3315
3316 /*
3317 * If the caller has CAP_MAC_ADMIN, then get the raw context
3318 * value even if it is not defined by current policy; otherwise,
3319 * use the in-core value under current policy.
3320 * Use the non-auditing forms of the permission checks since
3321 * getxattr may be called by unprivileged processes commonly
3322 * and lack of permission just means that we fall back to the
3323 * in-core context value, not a denial.
3324 */
3325 isec = inode_security(inode);
3326 if (has_cap_mac_admin(false))
3327 error = security_sid_to_context_force(isec->sid, &context,
3328 &size);
3329 else
3330 error = security_sid_to_context(isec->sid, &context, &size);
3331 if (error)
3332 return error;
3333 error = size;
3334 if (alloc) {
3335 *buffer = context;
3336 goto out_nofree;
3337 }
3338 kfree(context);
3339 out_nofree:
3340 return error;
3341 }
3342
3343 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3344 const void *value, size_t size, int flags)
3345 {
3346 struct inode_security_struct *isec = inode_security_novalidate(inode);
3347 u32 newsid;
3348 int rc;
3349
3350 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3351 return -EOPNOTSUPP;
3352
3353 if (!value || !size)
3354 return -EACCES;
3355
3356 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
3357 if (rc)
3358 return rc;
3359
3360 spin_lock(&isec->lock);
3361 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3362 isec->sid = newsid;
3363 isec->initialized = LABEL_INITIALIZED;
3364 spin_unlock(&isec->lock);
3365 return 0;
3366 }
3367
3368 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3369 {
3370 const int len = sizeof(XATTR_NAME_SELINUX);
3371 if (buffer && len <= buffer_size)
3372 memcpy(buffer, XATTR_NAME_SELINUX, len);
3373 return len;
3374 }
3375
3376 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3377 {
3378 struct inode_security_struct *isec = inode_security_novalidate(inode);
3379 *secid = isec->sid;
3380 }
3381
3382 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3383 {
3384 u32 sid;
3385 struct task_security_struct *tsec;
3386 struct cred *new_creds = *new;
3387
3388 if (new_creds == NULL) {
3389 new_creds = prepare_creds();
3390 if (!new_creds)
3391 return -ENOMEM;
3392 }
3393
3394 tsec = new_creds->security;
3395 /* Get label from overlay inode and set it in create_sid */
3396 selinux_inode_getsecid(d_inode(src), &sid);
3397 tsec->create_sid = sid;
3398 *new = new_creds;
3399 return 0;
3400 }
3401
3402 static int selinux_inode_copy_up_xattr(const char *name)
3403 {
3404 /* The copy_up hook above sets the initial context on an inode, but we
3405 * don't then want to overwrite it by blindly copying all the lower
3406 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3407 */
3408 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3409 return 1; /* Discard */
3410 /*
3411 * Any other attribute apart from SELINUX is not claimed, supported
3412 * by selinux.
3413 */
3414 return -EOPNOTSUPP;
3415 }
3416
3417 /* file security operations */
3418
3419 static int selinux_revalidate_file_permission(struct file *file, int mask)
3420 {
3421 const struct cred *cred = current_cred();
3422 struct inode *inode = file_inode(file);
3423
3424 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3425 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3426 mask |= MAY_APPEND;
3427
3428 return file_has_perm(cred, file,
3429 file_mask_to_av(inode->i_mode, mask));
3430 }
3431
3432 static int selinux_file_permission(struct file *file, int mask)
3433 {
3434 struct inode *inode = file_inode(file);
3435 struct file_security_struct *fsec = file->f_security;
3436 struct inode_security_struct *isec;
3437 u32 sid = current_sid();
3438
3439 if (!mask)
3440 /* No permission to check. Existence test. */
3441 return 0;
3442
3443 isec = inode_security(inode);
3444 if (sid == fsec->sid && fsec->isid == isec->sid &&
3445 fsec->pseqno == avc_policy_seqno())
3446 /* No change since file_open check. */
3447 return 0;
3448
3449 return selinux_revalidate_file_permission(file, mask);
3450 }
3451
3452 static int selinux_file_alloc_security(struct file *file)
3453 {
3454 return file_alloc_security(file);
3455 }
3456
3457 static void selinux_file_free_security(struct file *file)
3458 {
3459 file_free_security(file);
3460 }
3461
3462 /*
3463 * Check whether a task has the ioctl permission and cmd
3464 * operation to an inode.
3465 */
3466 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3467 u32 requested, u16 cmd)
3468 {
3469 struct common_audit_data ad;
3470 struct file_security_struct *fsec = file->f_security;
3471 struct inode *inode = file_inode(file);
3472 struct inode_security_struct *isec;
3473 struct lsm_ioctlop_audit ioctl;
3474 u32 ssid = cred_sid(cred);
3475 int rc;
3476 u8 driver = cmd >> 8;
3477 u8 xperm = cmd & 0xff;
3478
3479 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3480 ad.u.op = &ioctl;
3481 ad.u.op->cmd = cmd;
3482 ad.u.op->path = file->f_path;
3483
3484 if (ssid != fsec->sid) {
3485 rc = avc_has_perm(ssid, fsec->sid,
3486 SECCLASS_FD,
3487 FD__USE,
3488 &ad);
3489 if (rc)
3490 goto out;
3491 }
3492
3493 if (unlikely(IS_PRIVATE(inode)))
3494 return 0;
3495
3496 isec = inode_security(inode);
3497 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass,
3498 requested, driver, xperm, &ad);
3499 out:
3500 return rc;
3501 }
3502
3503 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3504 unsigned long arg)
3505 {
3506 const struct cred *cred = current_cred();
3507 int error = 0;
3508
3509 switch (cmd) {
3510 case FIONREAD:
3511 /* fall through */
3512 case FIBMAP:
3513 /* fall through */
3514 case FIGETBSZ:
3515 /* fall through */
3516 case FS_IOC_GETFLAGS:
3517 /* fall through */
3518 case FS_IOC_GETVERSION:
3519 error = file_has_perm(cred, file, FILE__GETATTR);
3520 break;
3521
3522 case FS_IOC_SETFLAGS:
3523 /* fall through */
3524 case FS_IOC_SETVERSION:
3525 error = file_has_perm(cred, file, FILE__SETATTR);
3526 break;
3527
3528 /* sys_ioctl() checks */
3529 case FIONBIO:
3530 /* fall through */
3531 case FIOASYNC:
3532 error = file_has_perm(cred, file, 0);
3533 break;
3534
3535 case KDSKBENT:
3536 case KDSKBSENT:
3537 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3538 SECURITY_CAP_AUDIT, true);
3539 break;
3540
3541 /* default case assumes that the command will go
3542 * to the file's ioctl() function.
3543 */
3544 default:
3545 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3546 }
3547 return error;
3548 }
3549
3550 static int default_noexec;
3551
3552 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3553 {
3554 const struct cred *cred = current_cred();
3555 u32 sid = cred_sid(cred);
3556 int rc = 0;
3557
3558 if (default_noexec &&
3559 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3560 (!shared && (prot & PROT_WRITE)))) {
3561 /*
3562 * We are making executable an anonymous mapping or a
3563 * private file mapping that will also be writable.
3564 * This has an additional check.
3565 */
3566 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3567 PROCESS__EXECMEM, NULL);
3568 if (rc)
3569 goto error;
3570 }
3571
3572 if (file) {
3573 /* read access is always possible with a mapping */
3574 u32 av = FILE__READ;
3575
3576 /* write access only matters if the mapping is shared */
3577 if (shared && (prot & PROT_WRITE))
3578 av |= FILE__WRITE;
3579
3580 if (prot & PROT_EXEC)
3581 av |= FILE__EXECUTE;
3582
3583 return file_has_perm(cred, file, av);
3584 }
3585
3586 error:
3587 return rc;
3588 }
3589
3590 static int selinux_mmap_addr(unsigned long addr)
3591 {
3592 int rc = 0;
3593
3594 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3595 u32 sid = current_sid();
3596 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3597 MEMPROTECT__MMAP_ZERO, NULL);
3598 }
3599
3600 return rc;
3601 }
3602
3603 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3604 unsigned long prot, unsigned long flags)
3605 {
3606 struct common_audit_data ad;
3607 int rc;
3608
3609 if (file) {
3610 ad.type = LSM_AUDIT_DATA_FILE;
3611 ad.u.file = file;
3612 rc = inode_has_perm(current_cred(), file_inode(file),
3613 FILE__MAP, &ad);
3614 if (rc)
3615 return rc;
3616 }
3617
3618 if (selinux_checkreqprot)
3619 prot = reqprot;
3620
3621 return file_map_prot_check(file, prot,
3622 (flags & MAP_TYPE) == MAP_SHARED);
3623 }
3624
3625 static int selinux_file_mprotect(struct vm_area_struct *vma,
3626 unsigned long reqprot,
3627 unsigned long prot)
3628 {
3629 const struct cred *cred = current_cred();
3630 u32 sid = cred_sid(cred);
3631
3632 if (selinux_checkreqprot)
3633 prot = reqprot;
3634
3635 if (default_noexec &&
3636 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3637 int rc = 0;
3638 if (vma->vm_start >= vma->vm_mm->start_brk &&
3639 vma->vm_end <= vma->vm_mm->brk) {
3640 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3641 PROCESS__EXECHEAP, NULL);
3642 } else if (!vma->vm_file &&
3643 ((vma->vm_start <= vma->vm_mm->start_stack &&
3644 vma->vm_end >= vma->vm_mm->start_stack) ||
3645 vma_is_stack_for_current(vma))) {
3646 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3647 PROCESS__EXECSTACK, NULL);
3648 } else if (vma->vm_file && vma->anon_vma) {
3649 /*
3650 * We are making executable a file mapping that has
3651 * had some COW done. Since pages might have been
3652 * written, check ability to execute the possibly
3653 * modified content. This typically should only
3654 * occur for text relocations.
3655 */
3656 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3657 }
3658 if (rc)
3659 return rc;
3660 }
3661
3662 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3663 }
3664
3665 static int selinux_file_lock(struct file *file, unsigned int cmd)
3666 {
3667 const struct cred *cred = current_cred();
3668
3669 return file_has_perm(cred, file, FILE__LOCK);
3670 }
3671
3672 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3673 unsigned long arg)
3674 {
3675 const struct cred *cred = current_cred();
3676 int err = 0;
3677
3678 switch (cmd) {
3679 case F_SETFL:
3680 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3681 err = file_has_perm(cred, file, FILE__WRITE);
3682 break;
3683 }
3684 /* fall through */
3685 case F_SETOWN:
3686 case F_SETSIG:
3687 case F_GETFL:
3688 case F_GETOWN:
3689 case F_GETSIG:
3690 case F_GETOWNER_UIDS:
3691 /* Just check FD__USE permission */
3692 err = file_has_perm(cred, file, 0);
3693 break;
3694 case F_GETLK:
3695 case F_SETLK:
3696 case F_SETLKW:
3697 case F_OFD_GETLK:
3698 case F_OFD_SETLK:
3699 case F_OFD_SETLKW:
3700 #if BITS_PER_LONG == 32
3701 case F_GETLK64:
3702 case F_SETLK64:
3703 case F_SETLKW64:
3704 #endif
3705 err = file_has_perm(cred, file, FILE__LOCK);
3706 break;
3707 }
3708
3709 return err;
3710 }
3711
3712 static void selinux_file_set_fowner(struct file *file)
3713 {
3714 struct file_security_struct *fsec;
3715
3716 fsec = file->f_security;
3717 fsec->fown_sid = current_sid();
3718 }
3719
3720 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3721 struct fown_struct *fown, int signum)
3722 {
3723 struct file *file;
3724 u32 sid = task_sid(tsk);
3725 u32 perm;
3726 struct file_security_struct *fsec;
3727
3728 /* struct fown_struct is never outside the context of a struct file */
3729 file = container_of(fown, struct file, f_owner);
3730
3731 fsec = file->f_security;
3732
3733 if (!signum)
3734 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3735 else
3736 perm = signal_to_av(signum);
3737
3738 return avc_has_perm(fsec->fown_sid, sid,
3739 SECCLASS_PROCESS, perm, NULL);
3740 }
3741
3742 static int selinux_file_receive(struct file *file)
3743 {
3744 const struct cred *cred = current_cred();
3745
3746 return file_has_perm(cred, file, file_to_av(file));
3747 }
3748
3749 static int selinux_file_open(struct file *file, const struct cred *cred)
3750 {
3751 struct file_security_struct *fsec;
3752 struct inode_security_struct *isec;
3753
3754 fsec = file->f_security;
3755 isec = inode_security(file_inode(file));
3756 /*
3757 * Save inode label and policy sequence number
3758 * at open-time so that selinux_file_permission
3759 * can determine whether revalidation is necessary.
3760 * Task label is already saved in the file security
3761 * struct as its SID.
3762 */
3763 fsec->isid = isec->sid;
3764 fsec->pseqno = avc_policy_seqno();
3765 /*
3766 * Since the inode label or policy seqno may have changed
3767 * between the selinux_inode_permission check and the saving
3768 * of state above, recheck that access is still permitted.
3769 * Otherwise, access might never be revalidated against the
3770 * new inode label or new policy.
3771 * This check is not redundant - do not remove.
3772 */
3773 return file_path_has_perm(cred, file, open_file_to_av(file));
3774 }
3775
3776 /* task security operations */
3777
3778 static int selinux_task_alloc(struct task_struct *task,
3779 unsigned long clone_flags)
3780 {
3781 u32 sid = current_sid();
3782
3783 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3784 }
3785
3786 /*
3787 * allocate the SELinux part of blank credentials
3788 */
3789 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3790 {
3791 struct task_security_struct *tsec;
3792
3793 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3794 if (!tsec)
3795 return -ENOMEM;
3796
3797 cred->security = tsec;
3798 return 0;
3799 }
3800
3801 /*
3802 * detach and free the LSM part of a set of credentials
3803 */
3804 static void selinux_cred_free(struct cred *cred)
3805 {
3806 struct task_security_struct *tsec = cred->security;
3807
3808 /*
3809 * cred->security == NULL if security_cred_alloc_blank() or
3810 * security_prepare_creds() returned an error.
3811 */
3812 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3813 cred->security = (void *) 0x7UL;
3814 kfree(tsec);
3815 }
3816
3817 /*
3818 * prepare a new set of credentials for modification
3819 */
3820 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3821 gfp_t gfp)
3822 {
3823 const struct task_security_struct *old_tsec;
3824 struct task_security_struct *tsec;
3825
3826 old_tsec = old->security;
3827
3828 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3829 if (!tsec)
3830 return -ENOMEM;
3831
3832 new->security = tsec;
3833 return 0;
3834 }
3835
3836 /*
3837 * transfer the SELinux data to a blank set of creds
3838 */
3839 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3840 {
3841 const struct task_security_struct *old_tsec = old->security;
3842 struct task_security_struct *tsec = new->security;
3843
3844 *tsec = *old_tsec;
3845 }
3846
3847 /*
3848 * set the security data for a kernel service
3849 * - all the creation contexts are set to unlabelled
3850 */
3851 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3852 {
3853 struct task_security_struct *tsec = new->security;
3854 u32 sid = current_sid();
3855 int ret;
3856
3857 ret = avc_has_perm(sid, secid,
3858 SECCLASS_KERNEL_SERVICE,
3859 KERNEL_SERVICE__USE_AS_OVERRIDE,
3860 NULL);
3861 if (ret == 0) {
3862 tsec->sid = secid;
3863 tsec->create_sid = 0;
3864 tsec->keycreate_sid = 0;
3865 tsec->sockcreate_sid = 0;
3866 }
3867 return ret;
3868 }
3869
3870 /*
3871 * set the file creation context in a security record to the same as the
3872 * objective context of the specified inode
3873 */
3874 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3875 {
3876 struct inode_security_struct *isec = inode_security(inode);
3877 struct task_security_struct *tsec = new->security;
3878 u32 sid = current_sid();
3879 int ret;
3880
3881 ret = avc_has_perm(sid, isec->sid,
3882 SECCLASS_KERNEL_SERVICE,
3883 KERNEL_SERVICE__CREATE_FILES_AS,
3884 NULL);
3885
3886 if (ret == 0)
3887 tsec->create_sid = isec->sid;
3888 return ret;
3889 }
3890
3891 static int selinux_kernel_module_request(char *kmod_name)
3892 {
3893 struct common_audit_data ad;
3894
3895 ad.type = LSM_AUDIT_DATA_KMOD;
3896 ad.u.kmod_name = kmod_name;
3897
3898 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3899 SYSTEM__MODULE_REQUEST, &ad);
3900 }
3901
3902 static int selinux_kernel_module_from_file(struct file *file)
3903 {
3904 struct common_audit_data ad;
3905 struct inode_security_struct *isec;
3906 struct file_security_struct *fsec;
3907 u32 sid = current_sid();
3908 int rc;
3909
3910 /* init_module */
3911 if (file == NULL)
3912 return avc_has_perm(sid, sid, SECCLASS_SYSTEM,
3913 SYSTEM__MODULE_LOAD, NULL);
3914
3915 /* finit_module */
3916
3917 ad.type = LSM_AUDIT_DATA_FILE;
3918 ad.u.file = file;
3919
3920 fsec = file->f_security;
3921 if (sid != fsec->sid) {
3922 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
3923 if (rc)
3924 return rc;
3925 }
3926
3927 isec = inode_security(file_inode(file));
3928 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM,
3929 SYSTEM__MODULE_LOAD, &ad);
3930 }
3931
3932 static int selinux_kernel_read_file(struct file *file,
3933 enum kernel_read_file_id id)
3934 {
3935 int rc = 0;
3936
3937 switch (id) {
3938 case READING_MODULE:
3939 rc = selinux_kernel_module_from_file(file);
3940 break;
3941 default:
3942 break;
3943 }
3944
3945 return rc;
3946 }
3947
3948 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3949 {
3950 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3951 PROCESS__SETPGID, NULL);
3952 }
3953
3954 static int selinux_task_getpgid(struct task_struct *p)
3955 {
3956 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3957 PROCESS__GETPGID, NULL);
3958 }
3959
3960 static int selinux_task_getsid(struct task_struct *p)
3961 {
3962 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3963 PROCESS__GETSESSION, NULL);
3964 }
3965
3966 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3967 {
3968 *secid = task_sid(p);
3969 }
3970
3971 static int selinux_task_setnice(struct task_struct *p, int nice)
3972 {
3973 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3974 PROCESS__SETSCHED, NULL);
3975 }
3976
3977 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3978 {
3979 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3980 PROCESS__SETSCHED, NULL);
3981 }
3982
3983 static int selinux_task_getioprio(struct task_struct *p)
3984 {
3985 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
3986 PROCESS__GETSCHED, NULL);
3987 }
3988
3989 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
3990 unsigned int flags)
3991 {
3992 u32 av = 0;
3993
3994 if (!flags)
3995 return 0;
3996 if (flags & LSM_PRLIMIT_WRITE)
3997 av |= PROCESS__SETRLIMIT;
3998 if (flags & LSM_PRLIMIT_READ)
3999 av |= PROCESS__GETRLIMIT;
4000 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4001 SECCLASS_PROCESS, av, NULL);
4002 }
4003
4004 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4005 struct rlimit *new_rlim)
4006 {
4007 struct rlimit *old_rlim = p->signal->rlim + resource;
4008
4009 /* Control the ability to change the hard limit (whether
4010 lowering or raising it), so that the hard limit can
4011 later be used as a safe reset point for the soft limit
4012 upon context transitions. See selinux_bprm_committing_creds. */
4013 if (old_rlim->rlim_max != new_rlim->rlim_max)
4014 return avc_has_perm(current_sid(), task_sid(p),
4015 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4016
4017 return 0;
4018 }
4019
4020 static int selinux_task_setscheduler(struct task_struct *p)
4021 {
4022 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4023 PROCESS__SETSCHED, NULL);
4024 }
4025
4026 static int selinux_task_getscheduler(struct task_struct *p)
4027 {
4028 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4029 PROCESS__GETSCHED, NULL);
4030 }
4031
4032 static int selinux_task_movememory(struct task_struct *p)
4033 {
4034 return avc_has_perm(current_sid(), task_sid(p), SECCLASS_PROCESS,
4035 PROCESS__SETSCHED, NULL);
4036 }
4037
4038 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
4039 int sig, u32 secid)
4040 {
4041 u32 perm;
4042
4043 if (!sig)
4044 perm = PROCESS__SIGNULL; /* null signal; existence test */
4045 else
4046 perm = signal_to_av(sig);
4047 if (!secid)
4048 secid = current_sid();
4049 return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4050 }
4051
4052 static void selinux_task_to_inode(struct task_struct *p,
4053 struct inode *inode)
4054 {
4055 struct inode_security_struct *isec = inode->i_security;
4056 u32 sid = task_sid(p);
4057
4058 spin_lock(&isec->lock);
4059 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4060 isec->sid = sid;
4061 isec->initialized = LABEL_INITIALIZED;
4062 spin_unlock(&isec->lock);
4063 }
4064
4065 /* Returns error only if unable to parse addresses */
4066 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4067 struct common_audit_data *ad, u8 *proto)
4068 {
4069 int offset, ihlen, ret = -EINVAL;
4070 struct iphdr _iph, *ih;
4071
4072 offset = skb_network_offset(skb);
4073 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4074 if (ih == NULL)
4075 goto out;
4076
4077 ihlen = ih->ihl * 4;
4078 if (ihlen < sizeof(_iph))
4079 goto out;
4080
4081 ad->u.net->v4info.saddr = ih->saddr;
4082 ad->u.net->v4info.daddr = ih->daddr;
4083 ret = 0;
4084
4085 if (proto)
4086 *proto = ih->protocol;
4087
4088 switch (ih->protocol) {
4089 case IPPROTO_TCP: {
4090 struct tcphdr _tcph, *th;
4091
4092 if (ntohs(ih->frag_off) & IP_OFFSET)
4093 break;
4094
4095 offset += ihlen;
4096 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4097 if (th == NULL)
4098 break;
4099
4100 ad->u.net->sport = th->source;
4101 ad->u.net->dport = th->dest;
4102 break;
4103 }
4104
4105 case IPPROTO_UDP: {
4106 struct udphdr _udph, *uh;
4107
4108 if (ntohs(ih->frag_off) & IP_OFFSET)
4109 break;
4110
4111 offset += ihlen;
4112 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4113 if (uh == NULL)
4114 break;
4115
4116 ad->u.net->sport = uh->source;
4117 ad->u.net->dport = uh->dest;
4118 break;
4119 }
4120
4121 case IPPROTO_DCCP: {
4122 struct dccp_hdr _dccph, *dh;
4123
4124 if (ntohs(ih->frag_off) & IP_OFFSET)
4125 break;
4126
4127 offset += ihlen;
4128 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4129 if (dh == NULL)
4130 break;
4131
4132 ad->u.net->sport = dh->dccph_sport;
4133 ad->u.net->dport = dh->dccph_dport;
4134 break;
4135 }
4136
4137 default:
4138 break;
4139 }
4140 out:
4141 return ret;
4142 }
4143
4144 #if IS_ENABLED(CONFIG_IPV6)
4145
4146 /* Returns error only if unable to parse addresses */
4147 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4148 struct common_audit_data *ad, u8 *proto)
4149 {
4150 u8 nexthdr;
4151 int ret = -EINVAL, offset;
4152 struct ipv6hdr _ipv6h, *ip6;
4153 __be16 frag_off;
4154
4155 offset = skb_network_offset(skb);
4156 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4157 if (ip6 == NULL)
4158 goto out;
4159
4160 ad->u.net->v6info.saddr = ip6->saddr;
4161 ad->u.net->v6info.daddr = ip6->daddr;
4162 ret = 0;
4163
4164 nexthdr = ip6->nexthdr;
4165 offset += sizeof(_ipv6h);
4166 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4167 if (offset < 0)
4168 goto out;
4169
4170 if (proto)
4171 *proto = nexthdr;
4172
4173 switch (nexthdr) {
4174 case IPPROTO_TCP: {
4175 struct tcphdr _tcph, *th;
4176
4177 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4178 if (th == NULL)
4179 break;
4180
4181 ad->u.net->sport = th->source;
4182 ad->u.net->dport = th->dest;
4183 break;
4184 }
4185
4186 case IPPROTO_UDP: {
4187 struct udphdr _udph, *uh;
4188
4189 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4190 if (uh == NULL)
4191 break;
4192
4193 ad->u.net->sport = uh->source;
4194 ad->u.net->dport = uh->dest;
4195 break;
4196 }
4197
4198 case IPPROTO_DCCP: {
4199 struct dccp_hdr _dccph, *dh;
4200
4201 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4202 if (dh == NULL)
4203 break;
4204
4205 ad->u.net->sport = dh->dccph_sport;
4206 ad->u.net->dport = dh->dccph_dport;
4207 break;
4208 }
4209
4210 /* includes fragments */
4211 default:
4212 break;
4213 }
4214 out:
4215 return ret;
4216 }
4217
4218 #endif /* IPV6 */
4219
4220 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4221 char **_addrp, int src, u8 *proto)
4222 {
4223 char *addrp;
4224 int ret;
4225
4226 switch (ad->u.net->family) {
4227 case PF_INET:
4228 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4229 if (ret)
4230 goto parse_error;
4231 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4232 &ad->u.net->v4info.daddr);
4233 goto okay;
4234
4235 #if IS_ENABLED(CONFIG_IPV6)
4236 case PF_INET6:
4237 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4238 if (ret)
4239 goto parse_error;
4240 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4241 &ad->u.net->v6info.daddr);
4242 goto okay;
4243 #endif /* IPV6 */
4244 default:
4245 addrp = NULL;
4246 goto okay;
4247 }
4248
4249 parse_error:
4250 printk(KERN_WARNING
4251 "SELinux: failure in selinux_parse_skb(),"
4252 " unable to parse packet\n");
4253 return ret;
4254
4255 okay:
4256 if (_addrp)
4257 *_addrp = addrp;
4258 return 0;
4259 }
4260
4261 /**
4262 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4263 * @skb: the packet
4264 * @family: protocol family
4265 * @sid: the packet's peer label SID
4266 *
4267 * Description:
4268 * Check the various different forms of network peer labeling and determine
4269 * the peer label/SID for the packet; most of the magic actually occurs in
4270 * the security server function security_net_peersid_cmp(). The function
4271 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4272 * or -EACCES if @sid is invalid due to inconsistencies with the different
4273 * peer labels.
4274 *
4275 */
4276 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4277 {
4278 int err;
4279 u32 xfrm_sid;
4280 u32 nlbl_sid;
4281 u32 nlbl_type;
4282
4283 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4284 if (unlikely(err))
4285 return -EACCES;
4286 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4287 if (unlikely(err))
4288 return -EACCES;
4289
4290 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
4291 if (unlikely(err)) {
4292 printk(KERN_WARNING
4293 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4294 " unable to determine packet's peer label\n");
4295 return -EACCES;
4296 }
4297
4298 return 0;
4299 }
4300
4301 /**
4302 * selinux_conn_sid - Determine the child socket label for a connection
4303 * @sk_sid: the parent socket's SID
4304 * @skb_sid: the packet's SID
4305 * @conn_sid: the resulting connection SID
4306 *
4307 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4308 * combined with the MLS information from @skb_sid in order to create
4309 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4310 * of @sk_sid. Returns zero on success, negative values on failure.
4311 *
4312 */
4313 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4314 {
4315 int err = 0;
4316
4317 if (skb_sid != SECSID_NULL)
4318 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
4319 else
4320 *conn_sid = sk_sid;
4321
4322 return err;
4323 }
4324
4325 /* socket security operations */
4326
4327 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4328 u16 secclass, u32 *socksid)
4329 {
4330 if (tsec->sockcreate_sid > SECSID_NULL) {
4331 *socksid = tsec->sockcreate_sid;
4332 return 0;
4333 }
4334
4335 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
4336 socksid);
4337 }
4338
4339 static int sock_has_perm(struct sock *sk, u32 perms)
4340 {
4341 struct sk_security_struct *sksec = sk->sk_security;
4342 struct common_audit_data ad;
4343 struct lsm_network_audit net = {0,};
4344
4345 if (sksec->sid == SECINITSID_KERNEL)
4346 return 0;
4347
4348 ad.type = LSM_AUDIT_DATA_NET;
4349 ad.u.net = &net;
4350 ad.u.net->sk = sk;
4351
4352 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4353 &ad);
4354 }
4355
4356 static int selinux_socket_create(int family, int type,
4357 int protocol, int kern)
4358 {
4359 const struct task_security_struct *tsec = current_security();
4360 u32 newsid;
4361 u16 secclass;
4362 int rc;
4363
4364 if (kern)
4365 return 0;
4366
4367 secclass = socket_type_to_security_class(family, type, protocol);
4368 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4369 if (rc)
4370 return rc;
4371
4372 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4373 }
4374
4375 static int selinux_socket_post_create(struct socket *sock, int family,
4376 int type, int protocol, int kern)
4377 {
4378 const struct task_security_struct *tsec = current_security();
4379 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4380 struct sk_security_struct *sksec;
4381 u16 sclass = socket_type_to_security_class(family, type, protocol);
4382 u32 sid = SECINITSID_KERNEL;
4383 int err = 0;
4384
4385 if (!kern) {
4386 err = socket_sockcreate_sid(tsec, sclass, &sid);
4387 if (err)
4388 return err;
4389 }
4390
4391 isec->sclass = sclass;
4392 isec->sid = sid;
4393 isec->initialized = LABEL_INITIALIZED;
4394
4395 if (sock->sk) {
4396 sksec = sock->sk->sk_security;
4397 sksec->sclass = sclass;
4398 sksec->sid = sid;
4399 err = selinux_netlbl_socket_post_create(sock->sk, family);
4400 }
4401
4402 return err;
4403 }
4404
4405 /* Range of port numbers used to automatically bind.
4406 Need to determine whether we should perform a name_bind
4407 permission check between the socket and the port number. */
4408
4409 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4410 {
4411 struct sock *sk = sock->sk;
4412 u16 family;
4413 int err;
4414
4415 err = sock_has_perm(sk, SOCKET__BIND);
4416 if (err)
4417 goto out;
4418
4419 /*
4420 * If PF_INET or PF_INET6, check name_bind permission for the port.
4421 * Multiple address binding for SCTP is not supported yet: we just
4422 * check the first address now.
4423 */
4424 family = sk->sk_family;
4425 if (family == PF_INET || family == PF_INET6) {
4426 char *addrp;
4427 struct sk_security_struct *sksec = sk->sk_security;
4428 struct common_audit_data ad;
4429 struct lsm_network_audit net = {0,};
4430 struct sockaddr_in *addr4 = NULL;
4431 struct sockaddr_in6 *addr6 = NULL;
4432 unsigned short snum;
4433 u32 sid, node_perm;
4434
4435 if (family == PF_INET) {
4436 if (addrlen < sizeof(struct sockaddr_in)) {
4437 err = -EINVAL;
4438 goto out;
4439 }
4440 addr4 = (struct sockaddr_in *)address;
4441 snum = ntohs(addr4->sin_port);
4442 addrp = (char *)&addr4->sin_addr.s_addr;
4443 } else {
4444 if (addrlen < SIN6_LEN_RFC2133) {
4445 err = -EINVAL;
4446 goto out;
4447 }
4448 addr6 = (struct sockaddr_in6 *)address;
4449 snum = ntohs(addr6->sin6_port);
4450 addrp = (char *)&addr6->sin6_addr.s6_addr;
4451 }
4452
4453 if (snum) {
4454 int low, high;
4455
4456 inet_get_local_port_range(sock_net(sk), &low, &high);
4457
4458 if (snum < max(inet_prot_sock(sock_net(sk)), low) ||
4459 snum > high) {
4460 err = sel_netport_sid(sk->sk_protocol,
4461 snum, &sid);
4462 if (err)
4463 goto out;
4464 ad.type = LSM_AUDIT_DATA_NET;
4465 ad.u.net = &net;
4466 ad.u.net->sport = htons(snum);
4467 ad.u.net->family = family;
4468 err = avc_has_perm(sksec->sid, sid,
4469 sksec->sclass,
4470 SOCKET__NAME_BIND, &ad);
4471 if (err)
4472 goto out;
4473 }
4474 }
4475
4476 switch (sksec->sclass) {
4477 case SECCLASS_TCP_SOCKET:
4478 node_perm = TCP_SOCKET__NODE_BIND;
4479 break;
4480
4481 case SECCLASS_UDP_SOCKET:
4482 node_perm = UDP_SOCKET__NODE_BIND;
4483 break;
4484
4485 case SECCLASS_DCCP_SOCKET:
4486 node_perm = DCCP_SOCKET__NODE_BIND;
4487 break;
4488
4489 default:
4490 node_perm = RAWIP_SOCKET__NODE_BIND;
4491 break;
4492 }
4493
4494 err = sel_netnode_sid(addrp, family, &sid);
4495 if (err)
4496 goto out;
4497
4498 ad.type = LSM_AUDIT_DATA_NET;
4499 ad.u.net = &net;
4500 ad.u.net->sport = htons(snum);
4501 ad.u.net->family = family;
4502
4503 if (family == PF_INET)
4504 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4505 else
4506 ad.u.net->v6info.saddr = addr6->sin6_addr;
4507
4508 err = avc_has_perm(sksec->sid, sid,
4509 sksec->sclass, node_perm, &ad);
4510 if (err)
4511 goto out;
4512 }
4513 out:
4514 return err;
4515 }
4516
4517 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
4518 {
4519 struct sock *sk = sock->sk;
4520 struct sk_security_struct *sksec = sk->sk_security;
4521 int err;
4522
4523 err = sock_has_perm(sk, SOCKET__CONNECT);
4524 if (err)
4525 return err;
4526
4527 /*
4528 * If a TCP or DCCP socket, check name_connect permission for the port.
4529 */
4530 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4531 sksec->sclass == SECCLASS_DCCP_SOCKET) {
4532 struct common_audit_data ad;
4533 struct lsm_network_audit net = {0,};
4534 struct sockaddr_in *addr4 = NULL;
4535 struct sockaddr_in6 *addr6 = NULL;
4536 unsigned short snum;
4537 u32 sid, perm;
4538
4539 if (sk->sk_family == PF_INET) {
4540 addr4 = (struct sockaddr_in *)address;
4541 if (addrlen < sizeof(struct sockaddr_in))
4542 return -EINVAL;
4543 snum = ntohs(addr4->sin_port);
4544 } else {
4545 addr6 = (struct sockaddr_in6 *)address;
4546 if (addrlen < SIN6_LEN_RFC2133)
4547 return -EINVAL;
4548 snum = ntohs(addr6->sin6_port);
4549 }
4550
4551 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4552 if (err)
4553 goto out;
4554
4555 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
4556 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
4557
4558 ad.type = LSM_AUDIT_DATA_NET;
4559 ad.u.net = &net;
4560 ad.u.net->dport = htons(snum);
4561 ad.u.net->family = sk->sk_family;
4562 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
4563 if (err)
4564 goto out;
4565 }
4566
4567 err = selinux_netlbl_socket_connect(sk, address);
4568
4569 out:
4570 return err;
4571 }
4572
4573 static int selinux_socket_listen(struct socket *sock, int backlog)
4574 {
4575 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4576 }
4577
4578 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4579 {
4580 int err;
4581 struct inode_security_struct *isec;
4582 struct inode_security_struct *newisec;
4583 u16 sclass;
4584 u32 sid;
4585
4586 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4587 if (err)
4588 return err;
4589
4590 isec = inode_security_novalidate(SOCK_INODE(sock));
4591 spin_lock(&isec->lock);
4592 sclass = isec->sclass;
4593 sid = isec->sid;
4594 spin_unlock(&isec->lock);
4595
4596 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4597 newisec->sclass = sclass;
4598 newisec->sid = sid;
4599 newisec->initialized = LABEL_INITIALIZED;
4600
4601 return 0;
4602 }
4603
4604 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4605 int size)
4606 {
4607 return sock_has_perm(sock->sk, SOCKET__WRITE);
4608 }
4609
4610 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4611 int size, int flags)
4612 {
4613 return sock_has_perm(sock->sk, SOCKET__READ);
4614 }
4615
4616 static int selinux_socket_getsockname(struct socket *sock)
4617 {
4618 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4619 }
4620
4621 static int selinux_socket_getpeername(struct socket *sock)
4622 {
4623 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4624 }
4625
4626 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4627 {
4628 int err;
4629
4630 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4631 if (err)
4632 return err;
4633
4634 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4635 }
4636
4637 static int selinux_socket_getsockopt(struct socket *sock, int level,
4638 int optname)
4639 {
4640 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4641 }
4642
4643 static int selinux_socket_shutdown(struct socket *sock, int how)
4644 {
4645 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4646 }
4647
4648 static int selinux_socket_unix_stream_connect(struct sock *sock,
4649 struct sock *other,
4650 struct sock *newsk)
4651 {
4652 struct sk_security_struct *sksec_sock = sock->sk_security;
4653 struct sk_security_struct *sksec_other = other->sk_security;
4654 struct sk_security_struct *sksec_new = newsk->sk_security;
4655 struct common_audit_data ad;
4656 struct lsm_network_audit net = {0,};
4657 int err;
4658
4659 ad.type = LSM_AUDIT_DATA_NET;
4660 ad.u.net = &net;
4661 ad.u.net->sk = other;
4662
4663 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
4664 sksec_other->sclass,
4665 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4666 if (err)
4667 return err;
4668
4669 /* server child socket */
4670 sksec_new->peer_sid = sksec_sock->sid;
4671 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid,
4672 &sksec_new->sid);
4673 if (err)
4674 return err;
4675
4676 /* connecting socket */
4677 sksec_sock->peer_sid = sksec_new->sid;
4678
4679 return 0;
4680 }
4681
4682 static int selinux_socket_unix_may_send(struct socket *sock,
4683 struct socket *other)
4684 {
4685 struct sk_security_struct *ssec = sock->sk->sk_security;
4686 struct sk_security_struct *osec = other->sk->sk_security;
4687 struct common_audit_data ad;
4688 struct lsm_network_audit net = {0,};
4689
4690 ad.type = LSM_AUDIT_DATA_NET;
4691 ad.u.net = &net;
4692 ad.u.net->sk = other->sk;
4693
4694 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4695 &ad);
4696 }
4697
4698 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4699 char *addrp, u16 family, u32 peer_sid,
4700 struct common_audit_data *ad)
4701 {
4702 int err;
4703 u32 if_sid;
4704 u32 node_sid;
4705
4706 err = sel_netif_sid(ns, ifindex, &if_sid);
4707 if (err)
4708 return err;
4709 err = avc_has_perm(peer_sid, if_sid,
4710 SECCLASS_NETIF, NETIF__INGRESS, ad);
4711 if (err)
4712 return err;
4713
4714 err = sel_netnode_sid(addrp, family, &node_sid);
4715 if (err)
4716 return err;
4717 return avc_has_perm(peer_sid, node_sid,
4718 SECCLASS_NODE, NODE__RECVFROM, ad);
4719 }
4720
4721 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4722 u16 family)
4723 {
4724 int err = 0;
4725 struct sk_security_struct *sksec = sk->sk_security;
4726 u32 sk_sid = sksec->sid;
4727 struct common_audit_data ad;
4728 struct lsm_network_audit net = {0,};
4729 char *addrp;
4730
4731 ad.type = LSM_AUDIT_DATA_NET;
4732 ad.u.net = &net;
4733 ad.u.net->netif = skb->skb_iif;
4734 ad.u.net->family = family;
4735 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4736 if (err)
4737 return err;
4738
4739 if (selinux_secmark_enabled()) {
4740 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4741 PACKET__RECV, &ad);
4742 if (err)
4743 return err;
4744 }
4745
4746 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4747 if (err)
4748 return err;
4749 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4750
4751 return err;
4752 }
4753
4754 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4755 {
4756 int err;
4757 struct sk_security_struct *sksec = sk->sk_security;
4758 u16 family = sk->sk_family;
4759 u32 sk_sid = sksec->sid;
4760 struct common_audit_data ad;
4761 struct lsm_network_audit net = {0,};
4762 char *addrp;
4763 u8 secmark_active;
4764 u8 peerlbl_active;
4765
4766 if (family != PF_INET && family != PF_INET6)
4767 return 0;
4768
4769 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4770 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4771 family = PF_INET;
4772
4773 /* If any sort of compatibility mode is enabled then handoff processing
4774 * to the selinux_sock_rcv_skb_compat() function to deal with the
4775 * special handling. We do this in an attempt to keep this function
4776 * as fast and as clean as possible. */
4777 if (!selinux_policycap_netpeer)
4778 return selinux_sock_rcv_skb_compat(sk, skb, family);
4779
4780 secmark_active = selinux_secmark_enabled();
4781 peerlbl_active = selinux_peerlbl_enabled();
4782 if (!secmark_active && !peerlbl_active)
4783 return 0;
4784
4785 ad.type = LSM_AUDIT_DATA_NET;
4786 ad.u.net = &net;
4787 ad.u.net->netif = skb->skb_iif;
4788 ad.u.net->family = family;
4789 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4790 if (err)
4791 return err;
4792
4793 if (peerlbl_active) {
4794 u32 peer_sid;
4795
4796 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4797 if (err)
4798 return err;
4799 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
4800 addrp, family, peer_sid, &ad);
4801 if (err) {
4802 selinux_netlbl_err(skb, family, err, 0);
4803 return err;
4804 }
4805 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4806 PEER__RECV, &ad);
4807 if (err) {
4808 selinux_netlbl_err(skb, family, err, 0);
4809 return err;
4810 }
4811 }
4812
4813 if (secmark_active) {
4814 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4815 PACKET__RECV, &ad);
4816 if (err)
4817 return err;
4818 }
4819
4820 return err;
4821 }
4822
4823 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4824 int __user *optlen, unsigned len)
4825 {
4826 int err = 0;
4827 char *scontext;
4828 u32 scontext_len;
4829 struct sk_security_struct *sksec = sock->sk->sk_security;
4830 u32 peer_sid = SECSID_NULL;
4831
4832 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4833 sksec->sclass == SECCLASS_TCP_SOCKET)
4834 peer_sid = sksec->peer_sid;
4835 if (peer_sid == SECSID_NULL)
4836 return -ENOPROTOOPT;
4837
4838 err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4839 if (err)
4840 return err;
4841
4842 if (scontext_len > len) {
4843 err = -ERANGE;
4844 goto out_len;
4845 }
4846
4847 if (copy_to_user(optval, scontext, scontext_len))
4848 err = -EFAULT;
4849
4850 out_len:
4851 if (put_user(scontext_len, optlen))
4852 err = -EFAULT;
4853 kfree(scontext);
4854 return err;
4855 }
4856
4857 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4858 {
4859 u32 peer_secid = SECSID_NULL;
4860 u16 family;
4861 struct inode_security_struct *isec;
4862
4863 if (skb && skb->protocol == htons(ETH_P_IP))
4864 family = PF_INET;
4865 else if (skb && skb->protocol == htons(ETH_P_IPV6))
4866 family = PF_INET6;
4867 else if (sock)
4868 family = sock->sk->sk_family;
4869 else
4870 goto out;
4871
4872 if (sock && family == PF_UNIX) {
4873 isec = inode_security_novalidate(SOCK_INODE(sock));
4874 peer_secid = isec->sid;
4875 } else if (skb)
4876 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4877
4878 out:
4879 *secid = peer_secid;
4880 if (peer_secid == SECSID_NULL)
4881 return -EINVAL;
4882 return 0;
4883 }
4884
4885 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4886 {
4887 struct sk_security_struct *sksec;
4888
4889 sksec = kzalloc(sizeof(*sksec), priority);
4890 if (!sksec)
4891 return -ENOMEM;
4892
4893 sksec->peer_sid = SECINITSID_UNLABELED;
4894 sksec->sid = SECINITSID_UNLABELED;
4895 sksec->sclass = SECCLASS_SOCKET;
4896 selinux_netlbl_sk_security_reset(sksec);
4897 sk->sk_security = sksec;
4898
4899 return 0;
4900 }
4901
4902 static void selinux_sk_free_security(struct sock *sk)
4903 {
4904 struct sk_security_struct *sksec = sk->sk_security;
4905
4906 sk->sk_security = NULL;
4907 selinux_netlbl_sk_security_free(sksec);
4908 kfree(sksec);
4909 }
4910
4911 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4912 {
4913 struct sk_security_struct *sksec = sk->sk_security;
4914 struct sk_security_struct *newsksec = newsk->sk_security;
4915
4916 newsksec->sid = sksec->sid;
4917 newsksec->peer_sid = sksec->peer_sid;
4918 newsksec->sclass = sksec->sclass;
4919
4920 selinux_netlbl_sk_security_reset(newsksec);
4921 }
4922
4923 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4924 {
4925 if (!sk)
4926 *secid = SECINITSID_ANY_SOCKET;
4927 else {
4928 struct sk_security_struct *sksec = sk->sk_security;
4929
4930 *secid = sksec->sid;
4931 }
4932 }
4933
4934 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4935 {
4936 struct inode_security_struct *isec =
4937 inode_security_novalidate(SOCK_INODE(parent));
4938 struct sk_security_struct *sksec = sk->sk_security;
4939
4940 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4941 sk->sk_family == PF_UNIX)
4942 isec->sid = sksec->sid;
4943 sksec->sclass = isec->sclass;
4944 }
4945
4946 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4947 struct request_sock *req)
4948 {
4949 struct sk_security_struct *sksec = sk->sk_security;
4950 int err;
4951 u16 family = req->rsk_ops->family;
4952 u32 connsid;
4953 u32 peersid;
4954
4955 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4956 if (err)
4957 return err;
4958 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
4959 if (err)
4960 return err;
4961 req->secid = connsid;
4962 req->peer_secid = peersid;
4963
4964 return selinux_netlbl_inet_conn_request(req, family);
4965 }
4966
4967 static void selinux_inet_csk_clone(struct sock *newsk,
4968 const struct request_sock *req)
4969 {
4970 struct sk_security_struct *newsksec = newsk->sk_security;
4971
4972 newsksec->sid = req->secid;
4973 newsksec->peer_sid = req->peer_secid;
4974 /* NOTE: Ideally, we should also get the isec->sid for the
4975 new socket in sync, but we don't have the isec available yet.
4976 So we will wait until sock_graft to do it, by which
4977 time it will have been created and available. */
4978
4979 /* We don't need to take any sort of lock here as we are the only
4980 * thread with access to newsksec */
4981 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
4982 }
4983
4984 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4985 {
4986 u16 family = sk->sk_family;
4987 struct sk_security_struct *sksec = sk->sk_security;
4988
4989 /* handle mapped IPv4 packets arriving via IPv6 sockets */
4990 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4991 family = PF_INET;
4992
4993 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4994 }
4995
4996 static int selinux_secmark_relabel_packet(u32 sid)
4997 {
4998 const struct task_security_struct *__tsec;
4999 u32 tsid;
5000
5001 __tsec = current_security();
5002 tsid = __tsec->sid;
5003
5004 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
5005 }
5006
5007 static void selinux_secmark_refcount_inc(void)
5008 {
5009 atomic_inc(&selinux_secmark_refcount);
5010 }
5011
5012 static void selinux_secmark_refcount_dec(void)
5013 {
5014 atomic_dec(&selinux_secmark_refcount);
5015 }
5016
5017 static void selinux_req_classify_flow(const struct request_sock *req,
5018 struct flowi *fl)
5019 {
5020 fl->flowi_secid = req->secid;
5021 }
5022
5023 static int selinux_tun_dev_alloc_security(void **security)
5024 {
5025 struct tun_security_struct *tunsec;
5026
5027 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5028 if (!tunsec)
5029 return -ENOMEM;
5030 tunsec->sid = current_sid();
5031
5032 *security = tunsec;
5033 return 0;
5034 }
5035
5036 static void selinux_tun_dev_free_security(void *security)
5037 {
5038 kfree(security);
5039 }
5040
5041 static int selinux_tun_dev_create(void)
5042 {
5043 u32 sid = current_sid();
5044
5045 /* we aren't taking into account the "sockcreate" SID since the socket
5046 * that is being created here is not a socket in the traditional sense,
5047 * instead it is a private sock, accessible only to the kernel, and
5048 * representing a wide range of network traffic spanning multiple
5049 * connections unlike traditional sockets - check the TUN driver to
5050 * get a better understanding of why this socket is special */
5051
5052 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5053 NULL);
5054 }
5055
5056 static int selinux_tun_dev_attach_queue(void *security)
5057 {
5058 struct tun_security_struct *tunsec = security;
5059
5060 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5061 TUN_SOCKET__ATTACH_QUEUE, NULL);
5062 }
5063
5064 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5065 {
5066 struct tun_security_struct *tunsec = security;
5067 struct sk_security_struct *sksec = sk->sk_security;
5068
5069 /* we don't currently perform any NetLabel based labeling here and it
5070 * isn't clear that we would want to do so anyway; while we could apply
5071 * labeling without the support of the TUN user the resulting labeled
5072 * traffic from the other end of the connection would almost certainly
5073 * cause confusion to the TUN user that had no idea network labeling
5074 * protocols were being used */
5075
5076 sksec->sid = tunsec->sid;
5077 sksec->sclass = SECCLASS_TUN_SOCKET;
5078
5079 return 0;
5080 }
5081
5082 static int selinux_tun_dev_open(void *security)
5083 {
5084 struct tun_security_struct *tunsec = security;
5085 u32 sid = current_sid();
5086 int err;
5087
5088 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5089 TUN_SOCKET__RELABELFROM, NULL);
5090 if (err)
5091 return err;
5092 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5093 TUN_SOCKET__RELABELTO, NULL);
5094 if (err)
5095 return err;
5096 tunsec->sid = sid;
5097
5098 return 0;
5099 }
5100
5101 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5102 {
5103 int err = 0;
5104 u32 perm;
5105 struct nlmsghdr *nlh;
5106 struct sk_security_struct *sksec = sk->sk_security;
5107
5108 if (skb->len < NLMSG_HDRLEN) {
5109 err = -EINVAL;
5110 goto out;
5111 }
5112 nlh = nlmsg_hdr(skb);
5113
5114 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5115 if (err) {
5116 if (err == -EINVAL) {
5117 pr_warn_ratelimited("SELinux: unrecognized netlink"
5118 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5119 " pig=%d comm=%s\n",
5120 sk->sk_protocol, nlh->nlmsg_type,
5121 secclass_map[sksec->sclass - 1].name,
5122 task_pid_nr(current), current->comm);
5123 if (!selinux_enforcing || security_get_allow_unknown())
5124 err = 0;
5125 }
5126
5127 /* Ignore */
5128 if (err == -ENOENT)
5129 err = 0;
5130 goto out;
5131 }
5132
5133 err = sock_has_perm(sk, perm);
5134 out:
5135 return err;
5136 }
5137
5138 #ifdef CONFIG_NETFILTER
5139
5140 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5141 const struct net_device *indev,
5142 u16 family)
5143 {
5144 int err;
5145 char *addrp;
5146 u32 peer_sid;
5147 struct common_audit_data ad;
5148 struct lsm_network_audit net = {0,};
5149 u8 secmark_active;
5150 u8 netlbl_active;
5151 u8 peerlbl_active;
5152
5153 if (!selinux_policycap_netpeer)
5154 return NF_ACCEPT;
5155
5156 secmark_active = selinux_secmark_enabled();
5157 netlbl_active = netlbl_enabled();
5158 peerlbl_active = selinux_peerlbl_enabled();
5159 if (!secmark_active && !peerlbl_active)
5160 return NF_ACCEPT;
5161
5162 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5163 return NF_DROP;
5164
5165 ad.type = LSM_AUDIT_DATA_NET;
5166 ad.u.net = &net;
5167 ad.u.net->netif = indev->ifindex;
5168 ad.u.net->family = family;
5169 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5170 return NF_DROP;
5171
5172 if (peerlbl_active) {
5173 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5174 addrp, family, peer_sid, &ad);
5175 if (err) {
5176 selinux_netlbl_err(skb, family, err, 1);
5177 return NF_DROP;
5178 }
5179 }
5180
5181 if (secmark_active)
5182 if (avc_has_perm(peer_sid, skb->secmark,
5183 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5184 return NF_DROP;
5185
5186 if (netlbl_active)
5187 /* we do this in the FORWARD path and not the POST_ROUTING
5188 * path because we want to make sure we apply the necessary
5189 * labeling before IPsec is applied so we can leverage AH
5190 * protection */
5191 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5192 return NF_DROP;
5193
5194 return NF_ACCEPT;
5195 }
5196
5197 static unsigned int selinux_ipv4_forward(void *priv,
5198 struct sk_buff *skb,
5199 const struct nf_hook_state *state)
5200 {
5201 return selinux_ip_forward(skb, state->in, PF_INET);
5202 }
5203
5204 #if IS_ENABLED(CONFIG_IPV6)
5205 static unsigned int selinux_ipv6_forward(void *priv,
5206 struct sk_buff *skb,
5207 const struct nf_hook_state *state)
5208 {
5209 return selinux_ip_forward(skb, state->in, PF_INET6);
5210 }
5211 #endif /* IPV6 */
5212
5213 static unsigned int selinux_ip_output(struct sk_buff *skb,
5214 u16 family)
5215 {
5216 struct sock *sk;
5217 u32 sid;
5218
5219 if (!netlbl_enabled())
5220 return NF_ACCEPT;
5221
5222 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5223 * because we want to make sure we apply the necessary labeling
5224 * before IPsec is applied so we can leverage AH protection */
5225 sk = skb->sk;
5226 if (sk) {
5227 struct sk_security_struct *sksec;
5228
5229 if (sk_listener(sk))
5230 /* if the socket is the listening state then this
5231 * packet is a SYN-ACK packet which means it needs to
5232 * be labeled based on the connection/request_sock and
5233 * not the parent socket. unfortunately, we can't
5234 * lookup the request_sock yet as it isn't queued on
5235 * the parent socket until after the SYN-ACK is sent.
5236 * the "solution" is to simply pass the packet as-is
5237 * as any IP option based labeling should be copied
5238 * from the initial connection request (in the IP
5239 * layer). it is far from ideal, but until we get a
5240 * security label in the packet itself this is the
5241 * best we can do. */
5242 return NF_ACCEPT;
5243
5244 /* standard practice, label using the parent socket */
5245 sksec = sk->sk_security;
5246 sid = sksec->sid;
5247 } else
5248 sid = SECINITSID_KERNEL;
5249 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5250 return NF_DROP;
5251
5252 return NF_ACCEPT;
5253 }
5254
5255 static unsigned int selinux_ipv4_output(void *priv,
5256 struct sk_buff *skb,
5257 const struct nf_hook_state *state)
5258 {
5259 return selinux_ip_output(skb, PF_INET);
5260 }
5261
5262 #if IS_ENABLED(CONFIG_IPV6)
5263 static unsigned int selinux_ipv6_output(void *priv,
5264 struct sk_buff *skb,
5265 const struct nf_hook_state *state)
5266 {
5267 return selinux_ip_output(skb, PF_INET6);
5268 }
5269 #endif /* IPV6 */
5270
5271 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5272 int ifindex,
5273 u16 family)
5274 {
5275 struct sock *sk = skb_to_full_sk(skb);
5276 struct sk_security_struct *sksec;
5277 struct common_audit_data ad;
5278 struct lsm_network_audit net = {0,};
5279 char *addrp;
5280 u8 proto;
5281
5282 if (sk == NULL)
5283 return NF_ACCEPT;
5284 sksec = sk->sk_security;
5285
5286 ad.type = LSM_AUDIT_DATA_NET;
5287 ad.u.net = &net;
5288 ad.u.net->netif = ifindex;
5289 ad.u.net->family = family;
5290 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5291 return NF_DROP;
5292
5293 if (selinux_secmark_enabled())
5294 if (avc_has_perm(sksec->sid, skb->secmark,
5295 SECCLASS_PACKET, PACKET__SEND, &ad))
5296 return NF_DROP_ERR(-ECONNREFUSED);
5297
5298 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5299 return NF_DROP_ERR(-ECONNREFUSED);
5300
5301 return NF_ACCEPT;
5302 }
5303
5304 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5305 const struct net_device *outdev,
5306 u16 family)
5307 {
5308 u32 secmark_perm;
5309 u32 peer_sid;
5310 int ifindex = outdev->ifindex;
5311 struct sock *sk;
5312 struct common_audit_data ad;
5313 struct lsm_network_audit net = {0,};
5314 char *addrp;
5315 u8 secmark_active;
5316 u8 peerlbl_active;
5317
5318 /* If any sort of compatibility mode is enabled then handoff processing
5319 * to the selinux_ip_postroute_compat() function to deal with the
5320 * special handling. We do this in an attempt to keep this function
5321 * as fast and as clean as possible. */
5322 if (!selinux_policycap_netpeer)
5323 return selinux_ip_postroute_compat(skb, ifindex, family);
5324
5325 secmark_active = selinux_secmark_enabled();
5326 peerlbl_active = selinux_peerlbl_enabled();
5327 if (!secmark_active && !peerlbl_active)
5328 return NF_ACCEPT;
5329
5330 sk = skb_to_full_sk(skb);
5331
5332 #ifdef CONFIG_XFRM
5333 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5334 * packet transformation so allow the packet to pass without any checks
5335 * since we'll have another chance to perform access control checks
5336 * when the packet is on it's final way out.
5337 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5338 * is NULL, in this case go ahead and apply access control.
5339 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5340 * TCP listening state we cannot wait until the XFRM processing
5341 * is done as we will miss out on the SA label if we do;
5342 * unfortunately, this means more work, but it is only once per
5343 * connection. */
5344 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5345 !(sk && sk_listener(sk)))
5346 return NF_ACCEPT;
5347 #endif
5348
5349 if (sk == NULL) {
5350 /* Without an associated socket the packet is either coming
5351 * from the kernel or it is being forwarded; check the packet
5352 * to determine which and if the packet is being forwarded
5353 * query the packet directly to determine the security label. */
5354 if (skb->skb_iif) {
5355 secmark_perm = PACKET__FORWARD_OUT;
5356 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5357 return NF_DROP;
5358 } else {
5359 secmark_perm = PACKET__SEND;
5360 peer_sid = SECINITSID_KERNEL;
5361 }
5362 } else if (sk_listener(sk)) {
5363 /* Locally generated packet but the associated socket is in the
5364 * listening state which means this is a SYN-ACK packet. In
5365 * this particular case the correct security label is assigned
5366 * to the connection/request_sock but unfortunately we can't
5367 * query the request_sock as it isn't queued on the parent
5368 * socket until after the SYN-ACK packet is sent; the only
5369 * viable choice is to regenerate the label like we do in
5370 * selinux_inet_conn_request(). See also selinux_ip_output()
5371 * for similar problems. */
5372 u32 skb_sid;
5373 struct sk_security_struct *sksec;
5374
5375 sksec = sk->sk_security;
5376 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5377 return NF_DROP;
5378 /* At this point, if the returned skb peerlbl is SECSID_NULL
5379 * and the packet has been through at least one XFRM
5380 * transformation then we must be dealing with the "final"
5381 * form of labeled IPsec packet; since we've already applied
5382 * all of our access controls on this packet we can safely
5383 * pass the packet. */
5384 if (skb_sid == SECSID_NULL) {
5385 switch (family) {
5386 case PF_INET:
5387 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5388 return NF_ACCEPT;
5389 break;
5390 case PF_INET6:
5391 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5392 return NF_ACCEPT;
5393 break;
5394 default:
5395 return NF_DROP_ERR(-ECONNREFUSED);
5396 }
5397 }
5398 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5399 return NF_DROP;
5400 secmark_perm = PACKET__SEND;
5401 } else {
5402 /* Locally generated packet, fetch the security label from the
5403 * associated socket. */
5404 struct sk_security_struct *sksec = sk->sk_security;
5405 peer_sid = sksec->sid;
5406 secmark_perm = PACKET__SEND;
5407 }
5408
5409 ad.type = LSM_AUDIT_DATA_NET;
5410 ad.u.net = &net;
5411 ad.u.net->netif = ifindex;
5412 ad.u.net->family = family;
5413 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5414 return NF_DROP;
5415
5416 if (secmark_active)
5417 if (avc_has_perm(peer_sid, skb->secmark,
5418 SECCLASS_PACKET, secmark_perm, &ad))
5419 return NF_DROP_ERR(-ECONNREFUSED);
5420
5421 if (peerlbl_active) {
5422 u32 if_sid;
5423 u32 node_sid;
5424
5425 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5426 return NF_DROP;
5427 if (avc_has_perm(peer_sid, if_sid,
5428 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5429 return NF_DROP_ERR(-ECONNREFUSED);
5430
5431 if (sel_netnode_sid(addrp, family, &node_sid))
5432 return NF_DROP;
5433 if (avc_has_perm(peer_sid, node_sid,
5434 SECCLASS_NODE, NODE__SENDTO, &ad))
5435 return NF_DROP_ERR(-ECONNREFUSED);
5436 }
5437
5438 return NF_ACCEPT;
5439 }
5440
5441 static unsigned int selinux_ipv4_postroute(void *priv,
5442 struct sk_buff *skb,
5443 const struct nf_hook_state *state)
5444 {
5445 return selinux_ip_postroute(skb, state->out, PF_INET);
5446 }
5447
5448 #if IS_ENABLED(CONFIG_IPV6)
5449 static unsigned int selinux_ipv6_postroute(void *priv,
5450 struct sk_buff *skb,
5451 const struct nf_hook_state *state)
5452 {
5453 return selinux_ip_postroute(skb, state->out, PF_INET6);
5454 }
5455 #endif /* IPV6 */
5456
5457 #endif /* CONFIG_NETFILTER */
5458
5459 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5460 {
5461 return selinux_nlmsg_perm(sk, skb);
5462 }
5463
5464 static int ipc_alloc_security(struct kern_ipc_perm *perm,
5465 u16 sclass)
5466 {
5467 struct ipc_security_struct *isec;
5468
5469 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
5470 if (!isec)
5471 return -ENOMEM;
5472
5473 isec->sclass = sclass;
5474 isec->sid = current_sid();
5475 perm->security = isec;
5476
5477 return 0;
5478 }
5479
5480 static void ipc_free_security(struct kern_ipc_perm *perm)
5481 {
5482 struct ipc_security_struct *isec = perm->security;
5483 perm->security = NULL;
5484 kfree(isec);
5485 }
5486
5487 static int msg_msg_alloc_security(struct msg_msg *msg)
5488 {
5489 struct msg_security_struct *msec;
5490
5491 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
5492 if (!msec)
5493 return -ENOMEM;
5494
5495 msec->sid = SECINITSID_UNLABELED;
5496 msg->security = msec;
5497
5498 return 0;
5499 }
5500
5501 static void msg_msg_free_security(struct msg_msg *msg)
5502 {
5503 struct msg_security_struct *msec = msg->security;
5504
5505 msg->security = NULL;
5506 kfree(msec);
5507 }
5508
5509 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5510 u32 perms)
5511 {
5512 struct ipc_security_struct *isec;
5513 struct common_audit_data ad;
5514 u32 sid = current_sid();
5515
5516 isec = ipc_perms->security;
5517
5518 ad.type = LSM_AUDIT_DATA_IPC;
5519 ad.u.ipc_id = ipc_perms->key;
5520
5521 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
5522 }
5523
5524 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5525 {
5526 return msg_msg_alloc_security(msg);
5527 }
5528
5529 static void selinux_msg_msg_free_security(struct msg_msg *msg)
5530 {
5531 msg_msg_free_security(msg);
5532 }
5533
5534 /* message queue security operations */
5535 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
5536 {
5537 struct ipc_security_struct *isec;
5538 struct common_audit_data ad;
5539 u32 sid = current_sid();
5540 int rc;
5541
5542 rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
5543 if (rc)
5544 return rc;
5545
5546 isec = msq->q_perm.security;
5547
5548 ad.type = LSM_AUDIT_DATA_IPC;
5549 ad.u.ipc_id = msq->q_perm.key;
5550
5551 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5552 MSGQ__CREATE, &ad);
5553 if (rc) {
5554 ipc_free_security(&msq->q_perm);
5555 return rc;
5556 }
5557 return 0;
5558 }
5559
5560 static void selinux_msg_queue_free_security(struct msg_queue *msq)
5561 {
5562 ipc_free_security(&msq->q_perm);
5563 }
5564
5565 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
5566 {
5567 struct ipc_security_struct *isec;
5568 struct common_audit_data ad;
5569 u32 sid = current_sid();
5570
5571 isec = msq->q_perm.security;
5572
5573 ad.type = LSM_AUDIT_DATA_IPC;
5574 ad.u.ipc_id = msq->q_perm.key;
5575
5576 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5577 MSGQ__ASSOCIATE, &ad);
5578 }
5579
5580 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5581 {
5582 int err;
5583 int perms;
5584
5585 switch (cmd) {
5586 case IPC_INFO:
5587 case MSG_INFO:
5588 /* No specific object, just general system-wide information. */
5589 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5590 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5591 case IPC_STAT:
5592 case MSG_STAT:
5593 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5594 break;
5595 case IPC_SET:
5596 perms = MSGQ__SETATTR;
5597 break;
5598 case IPC_RMID:
5599 perms = MSGQ__DESTROY;
5600 break;
5601 default:
5602 return 0;
5603 }
5604
5605 err = ipc_has_perm(&msq->q_perm, perms);
5606 return err;
5607 }
5608
5609 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5610 {
5611 struct ipc_security_struct *isec;
5612 struct msg_security_struct *msec;
5613 struct common_audit_data ad;
5614 u32 sid = current_sid();
5615 int rc;
5616
5617 isec = msq->q_perm.security;
5618 msec = msg->security;
5619
5620 /*
5621 * First time through, need to assign label to the message
5622 */
5623 if (msec->sid == SECINITSID_UNLABELED) {
5624 /*
5625 * Compute new sid based on current process and
5626 * message queue this message will be stored in
5627 */
5628 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5629 NULL, &msec->sid);
5630 if (rc)
5631 return rc;
5632 }
5633
5634 ad.type = LSM_AUDIT_DATA_IPC;
5635 ad.u.ipc_id = msq->q_perm.key;
5636
5637 /* Can this process write to the queue? */
5638 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5639 MSGQ__WRITE, &ad);
5640 if (!rc)
5641 /* Can this process send the message */
5642 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5643 MSG__SEND, &ad);
5644 if (!rc)
5645 /* Can the message be put in the queue? */
5646 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5647 MSGQ__ENQUEUE, &ad);
5648
5649 return rc;
5650 }
5651
5652 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5653 struct task_struct *target,
5654 long type, int mode)
5655 {
5656 struct ipc_security_struct *isec;
5657 struct msg_security_struct *msec;
5658 struct common_audit_data ad;
5659 u32 sid = task_sid(target);
5660 int rc;
5661
5662 isec = msq->q_perm.security;
5663 msec = msg->security;
5664
5665 ad.type = LSM_AUDIT_DATA_IPC;
5666 ad.u.ipc_id = msq->q_perm.key;
5667
5668 rc = avc_has_perm(sid, isec->sid,
5669 SECCLASS_MSGQ, MSGQ__READ, &ad);
5670 if (!rc)
5671 rc = avc_has_perm(sid, msec->sid,
5672 SECCLASS_MSG, MSG__RECEIVE, &ad);
5673 return rc;
5674 }
5675
5676 /* Shared Memory security operations */
5677 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5678 {
5679 struct ipc_security_struct *isec;
5680 struct common_audit_data ad;
5681 u32 sid = current_sid();
5682 int rc;
5683
5684 rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
5685 if (rc)
5686 return rc;
5687
5688 isec = shp->shm_perm.security;
5689
5690 ad.type = LSM_AUDIT_DATA_IPC;
5691 ad.u.ipc_id = shp->shm_perm.key;
5692
5693 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5694 SHM__CREATE, &ad);
5695 if (rc) {
5696 ipc_free_security(&shp->shm_perm);
5697 return rc;
5698 }
5699 return 0;
5700 }
5701
5702 static void selinux_shm_free_security(struct shmid_kernel *shp)
5703 {
5704 ipc_free_security(&shp->shm_perm);
5705 }
5706
5707 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5708 {
5709 struct ipc_security_struct *isec;
5710 struct common_audit_data ad;
5711 u32 sid = current_sid();
5712
5713 isec = shp->shm_perm.security;
5714
5715 ad.type = LSM_AUDIT_DATA_IPC;
5716 ad.u.ipc_id = shp->shm_perm.key;
5717
5718 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5719 SHM__ASSOCIATE, &ad);
5720 }
5721
5722 /* Note, at this point, shp is locked down */
5723 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5724 {
5725 int perms;
5726 int err;
5727
5728 switch (cmd) {
5729 case IPC_INFO:
5730 case SHM_INFO:
5731 /* No specific object, just general system-wide information. */
5732 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5733 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5734 case IPC_STAT:
5735 case SHM_STAT:
5736 perms = SHM__GETATTR | SHM__ASSOCIATE;
5737 break;
5738 case IPC_SET:
5739 perms = SHM__SETATTR;
5740 break;
5741 case SHM_LOCK:
5742 case SHM_UNLOCK:
5743 perms = SHM__LOCK;
5744 break;
5745 case IPC_RMID:
5746 perms = SHM__DESTROY;
5747 break;
5748 default:
5749 return 0;
5750 }
5751
5752 err = ipc_has_perm(&shp->shm_perm, perms);
5753 return err;
5754 }
5755
5756 static int selinux_shm_shmat(struct shmid_kernel *shp,
5757 char __user *shmaddr, int shmflg)
5758 {
5759 u32 perms;
5760
5761 if (shmflg & SHM_RDONLY)
5762 perms = SHM__READ;
5763 else
5764 perms = SHM__READ | SHM__WRITE;
5765
5766 return ipc_has_perm(&shp->shm_perm, perms);
5767 }
5768
5769 /* Semaphore security operations */
5770 static int selinux_sem_alloc_security(struct sem_array *sma)
5771 {
5772 struct ipc_security_struct *isec;
5773 struct common_audit_data ad;
5774 u32 sid = current_sid();
5775 int rc;
5776
5777 rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
5778 if (rc)
5779 return rc;
5780
5781 isec = sma->sem_perm.security;
5782
5783 ad.type = LSM_AUDIT_DATA_IPC;
5784 ad.u.ipc_id = sma->sem_perm.key;
5785
5786 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5787 SEM__CREATE, &ad);
5788 if (rc) {
5789 ipc_free_security(&sma->sem_perm);
5790 return rc;
5791 }
5792 return 0;
5793 }
5794
5795 static void selinux_sem_free_security(struct sem_array *sma)
5796 {
5797 ipc_free_security(&sma->sem_perm);
5798 }
5799
5800 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5801 {
5802 struct ipc_security_struct *isec;
5803 struct common_audit_data ad;
5804 u32 sid = current_sid();
5805
5806 isec = sma->sem_perm.security;
5807
5808 ad.type = LSM_AUDIT_DATA_IPC;
5809 ad.u.ipc_id = sma->sem_perm.key;
5810
5811 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5812 SEM__ASSOCIATE, &ad);
5813 }
5814
5815 /* Note, at this point, sma is locked down */
5816 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5817 {
5818 int err;
5819 u32 perms;
5820
5821 switch (cmd) {
5822 case IPC_INFO:
5823 case SEM_INFO:
5824 /* No specific object, just general system-wide information. */
5825 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
5826 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5827 case GETPID:
5828 case GETNCNT:
5829 case GETZCNT:
5830 perms = SEM__GETATTR;
5831 break;
5832 case GETVAL:
5833 case GETALL:
5834 perms = SEM__READ;
5835 break;
5836 case SETVAL:
5837 case SETALL:
5838 perms = SEM__WRITE;
5839 break;
5840 case IPC_RMID:
5841 perms = SEM__DESTROY;
5842 break;
5843 case IPC_SET:
5844 perms = SEM__SETATTR;
5845 break;
5846 case IPC_STAT:
5847 case SEM_STAT:
5848 perms = SEM__GETATTR | SEM__ASSOCIATE;
5849 break;
5850 default:
5851 return 0;
5852 }
5853
5854 err = ipc_has_perm(&sma->sem_perm, perms);
5855 return err;
5856 }
5857
5858 static int selinux_sem_semop(struct sem_array *sma,
5859 struct sembuf *sops, unsigned nsops, int alter)
5860 {
5861 u32 perms;
5862
5863 if (alter)
5864 perms = SEM__READ | SEM__WRITE;
5865 else
5866 perms = SEM__READ;
5867
5868 return ipc_has_perm(&sma->sem_perm, perms);
5869 }
5870
5871 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5872 {
5873 u32 av = 0;
5874
5875 av = 0;
5876 if (flag & S_IRUGO)
5877 av |= IPC__UNIX_READ;
5878 if (flag & S_IWUGO)
5879 av |= IPC__UNIX_WRITE;
5880
5881 if (av == 0)
5882 return 0;
5883
5884 return ipc_has_perm(ipcp, av);
5885 }
5886
5887 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5888 {
5889 struct ipc_security_struct *isec = ipcp->security;
5890 *secid = isec->sid;
5891 }
5892
5893 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5894 {
5895 if (inode)
5896 inode_doinit_with_dentry(inode, dentry);
5897 }
5898
5899 static int selinux_getprocattr(struct task_struct *p,
5900 char *name, char **value)
5901 {
5902 const struct task_security_struct *__tsec;
5903 u32 sid;
5904 int error;
5905 unsigned len;
5906
5907 rcu_read_lock();
5908 __tsec = __task_cred(p)->security;
5909
5910 if (current != p) {
5911 error = avc_has_perm(current_sid(), __tsec->sid,
5912 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
5913 if (error)
5914 goto bad;
5915 }
5916
5917 if (!strcmp(name, "current"))
5918 sid = __tsec->sid;
5919 else if (!strcmp(name, "prev"))
5920 sid = __tsec->osid;
5921 else if (!strcmp(name, "exec"))
5922 sid = __tsec->exec_sid;
5923 else if (!strcmp(name, "fscreate"))
5924 sid = __tsec->create_sid;
5925 else if (!strcmp(name, "keycreate"))
5926 sid = __tsec->keycreate_sid;
5927 else if (!strcmp(name, "sockcreate"))
5928 sid = __tsec->sockcreate_sid;
5929 else {
5930 error = -EINVAL;
5931 goto bad;
5932 }
5933 rcu_read_unlock();
5934
5935 if (!sid)
5936 return 0;
5937
5938 error = security_sid_to_context(sid, value, &len);
5939 if (error)
5940 return error;
5941 return len;
5942
5943 bad:
5944 rcu_read_unlock();
5945 return error;
5946 }
5947
5948 static int selinux_setprocattr(const char *name, void *value, size_t size)
5949 {
5950 struct task_security_struct *tsec;
5951 struct cred *new;
5952 u32 mysid = current_sid(), sid = 0, ptsid;
5953 int error;
5954 char *str = value;
5955
5956 /*
5957 * Basic control over ability to set these attributes at all.
5958 */
5959 if (!strcmp(name, "exec"))
5960 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5961 PROCESS__SETEXEC, NULL);
5962 else if (!strcmp(name, "fscreate"))
5963 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5964 PROCESS__SETFSCREATE, NULL);
5965 else if (!strcmp(name, "keycreate"))
5966 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5967 PROCESS__SETKEYCREATE, NULL);
5968 else if (!strcmp(name, "sockcreate"))
5969 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5970 PROCESS__SETSOCKCREATE, NULL);
5971 else if (!strcmp(name, "current"))
5972 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
5973 PROCESS__SETCURRENT, NULL);
5974 else
5975 error = -EINVAL;
5976 if (error)
5977 return error;
5978
5979 /* Obtain a SID for the context, if one was specified. */
5980 if (size && str[0] && str[0] != '\n') {
5981 if (str[size-1] == '\n') {
5982 str[size-1] = 0;
5983 size--;
5984 }
5985 error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
5986 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5987 if (!has_cap_mac_admin(true)) {
5988 struct audit_buffer *ab;
5989 size_t audit_size;
5990
5991 /* We strip a nul only if it is at the end, otherwise the
5992 * context contains a nul and we should audit that */
5993 if (str[size - 1] == '\0')
5994 audit_size = size - 1;
5995 else
5996 audit_size = size;
5997 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5998 audit_log_format(ab, "op=fscreate invalid_context=");
5999 audit_log_n_untrustedstring(ab, value, audit_size);
6000 audit_log_end(ab);
6001
6002 return error;
6003 }
6004 error = security_context_to_sid_force(value, size,
6005 &sid);
6006 }
6007 if (error)
6008 return error;
6009 }
6010
6011 new = prepare_creds();
6012 if (!new)
6013 return -ENOMEM;
6014
6015 /* Permission checking based on the specified context is
6016 performed during the actual operation (execve,
6017 open/mkdir/...), when we know the full context of the
6018 operation. See selinux_bprm_set_creds for the execve
6019 checks and may_create for the file creation checks. The
6020 operation will then fail if the context is not permitted. */
6021 tsec = new->security;
6022 if (!strcmp(name, "exec")) {
6023 tsec->exec_sid = sid;
6024 } else if (!strcmp(name, "fscreate")) {
6025 tsec->create_sid = sid;
6026 } else if (!strcmp(name, "keycreate")) {
6027 error = avc_has_perm(mysid, sid, SECCLASS_KEY, KEY__CREATE,
6028 NULL);
6029 if (error)
6030 goto abort_change;
6031 tsec->keycreate_sid = sid;
6032 } else if (!strcmp(name, "sockcreate")) {
6033 tsec->sockcreate_sid = sid;
6034 } else if (!strcmp(name, "current")) {
6035 error = -EINVAL;
6036 if (sid == 0)
6037 goto abort_change;
6038
6039 /* Only allow single threaded processes to change context */
6040 error = -EPERM;
6041 if (!current_is_single_threaded()) {
6042 error = security_bounded_transition(tsec->sid, sid);
6043 if (error)
6044 goto abort_change;
6045 }
6046
6047 /* Check permissions for the transition. */
6048 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6049 PROCESS__DYNTRANSITION, NULL);
6050 if (error)
6051 goto abort_change;
6052
6053 /* Check for ptracing, and update the task SID if ok.
6054 Otherwise, leave SID unchanged and fail. */
6055 ptsid = ptrace_parent_sid();
6056 if (ptsid != 0) {
6057 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6058 PROCESS__PTRACE, NULL);
6059 if (error)
6060 goto abort_change;
6061 }
6062
6063 tsec->sid = sid;
6064 } else {
6065 error = -EINVAL;
6066 goto abort_change;
6067 }
6068
6069 commit_creds(new);
6070 return size;
6071
6072 abort_change:
6073 abort_creds(new);
6074 return error;
6075 }
6076
6077 static int selinux_ismaclabel(const char *name)
6078 {
6079 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6080 }
6081
6082 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6083 {
6084 return security_sid_to_context(secid, secdata, seclen);
6085 }
6086
6087 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6088 {
6089 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
6090 }
6091
6092 static void selinux_release_secctx(char *secdata, u32 seclen)
6093 {
6094 kfree(secdata);
6095 }
6096
6097 static void selinux_inode_invalidate_secctx(struct inode *inode)
6098 {
6099 struct inode_security_struct *isec = inode->i_security;
6100
6101 spin_lock(&isec->lock);
6102 isec->initialized = LABEL_INVALID;
6103 spin_unlock(&isec->lock);
6104 }
6105
6106 /*
6107 * called with inode->i_mutex locked
6108 */
6109 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6110 {
6111 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
6112 }
6113
6114 /*
6115 * called with inode->i_mutex locked
6116 */
6117 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6118 {
6119 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6120 }
6121
6122 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6123 {
6124 int len = 0;
6125 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6126 ctx, true);
6127 if (len < 0)
6128 return len;
6129 *ctxlen = len;
6130 return 0;
6131 }
6132 #ifdef CONFIG_KEYS
6133
6134 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6135 unsigned long flags)
6136 {
6137 const struct task_security_struct *tsec;
6138 struct key_security_struct *ksec;
6139
6140 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6141 if (!ksec)
6142 return -ENOMEM;
6143
6144 tsec = cred->security;
6145 if (tsec->keycreate_sid)
6146 ksec->sid = tsec->keycreate_sid;
6147 else
6148 ksec->sid = tsec->sid;
6149
6150 k->security = ksec;
6151 return 0;
6152 }
6153
6154 static void selinux_key_free(struct key *k)
6155 {
6156 struct key_security_struct *ksec = k->security;
6157
6158 k->security = NULL;
6159 kfree(ksec);
6160 }
6161
6162 static int selinux_key_permission(key_ref_t key_ref,
6163 const struct cred *cred,
6164 unsigned perm)
6165 {
6166 struct key *key;
6167 struct key_security_struct *ksec;
6168 u32 sid;
6169
6170 /* if no specific permissions are requested, we skip the
6171 permission check. No serious, additional covert channels
6172 appear to be created. */
6173 if (perm == 0)
6174 return 0;
6175
6176 sid = cred_sid(cred);
6177
6178 key = key_ref_to_ptr(key_ref);
6179 ksec = key->security;
6180
6181 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6182 }
6183
6184 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6185 {
6186 struct key_security_struct *ksec = key->security;
6187 char *context = NULL;
6188 unsigned len;
6189 int rc;
6190
6191 rc = security_sid_to_context(ksec->sid, &context, &len);
6192 if (!rc)
6193 rc = len;
6194 *_buffer = context;
6195 return rc;
6196 }
6197 #endif
6198
6199 #ifdef CONFIG_SECURITY_INFINIBAND
6200 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6201 {
6202 struct common_audit_data ad;
6203 int err;
6204 u32 sid = 0;
6205 struct ib_security_struct *sec = ib_sec;
6206 struct lsm_ibpkey_audit ibpkey;
6207
6208 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6209 if (err)
6210 return err;
6211
6212 ad.type = LSM_AUDIT_DATA_IBPKEY;
6213 ibpkey.subnet_prefix = subnet_prefix;
6214 ibpkey.pkey = pkey_val;
6215 ad.u.ibpkey = &ibpkey;
6216 return avc_has_perm(sec->sid, sid,
6217 SECCLASS_INFINIBAND_PKEY,
6218 INFINIBAND_PKEY__ACCESS, &ad);
6219 }
6220
6221 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6222 u8 port_num)
6223 {
6224 struct common_audit_data ad;
6225 int err;
6226 u32 sid = 0;
6227 struct ib_security_struct *sec = ib_sec;
6228 struct lsm_ibendport_audit ibendport;
6229
6230 err = security_ib_endport_sid(dev_name, port_num, &sid);
6231
6232 if (err)
6233 return err;
6234
6235 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6236 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6237 ibendport.port = port_num;
6238 ad.u.ibendport = &ibendport;
6239 return avc_has_perm(sec->sid, sid,
6240 SECCLASS_INFINIBAND_ENDPORT,
6241 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6242 }
6243
6244 static int selinux_ib_alloc_security(void **ib_sec)
6245 {
6246 struct ib_security_struct *sec;
6247
6248 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6249 if (!sec)
6250 return -ENOMEM;
6251 sec->sid = current_sid();
6252
6253 *ib_sec = sec;
6254 return 0;
6255 }
6256
6257 static void selinux_ib_free_security(void *ib_sec)
6258 {
6259 kfree(ib_sec);
6260 }
6261 #endif
6262
6263 #ifdef CONFIG_BPF_SYSCALL
6264 static int selinux_bpf(int cmd, union bpf_attr *attr,
6265 unsigned int size)
6266 {
6267 u32 sid = current_sid();
6268 int ret;
6269
6270 switch (cmd) {
6271 case BPF_MAP_CREATE:
6272 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6273 NULL);
6274 break;
6275 case BPF_PROG_LOAD:
6276 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6277 NULL);
6278 break;
6279 default:
6280 ret = 0;
6281 break;
6282 }
6283
6284 return ret;
6285 }
6286
6287 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6288 {
6289 u32 av = 0;
6290
6291 if (fmode & FMODE_READ)
6292 av |= BPF__MAP_READ;
6293 if (fmode & FMODE_WRITE)
6294 av |= BPF__MAP_WRITE;
6295 return av;
6296 }
6297
6298 /* This function will check the file pass through unix socket or binder to see
6299 * if it is a bpf related object. And apply correspinding checks on the bpf
6300 * object based on the type. The bpf maps and programs, not like other files and
6301 * socket, are using a shared anonymous inode inside the kernel as their inode.
6302 * So checking that inode cannot identify if the process have privilege to
6303 * access the bpf object and that's why we have to add this additional check in
6304 * selinux_file_receive and selinux_binder_transfer_files.
6305 */
6306 static int bpf_fd_pass(struct file *file, u32 sid)
6307 {
6308 struct bpf_security_struct *bpfsec;
6309 struct bpf_prog *prog;
6310 struct bpf_map *map;
6311 int ret;
6312
6313 if (file->f_op == &bpf_map_fops) {
6314 map = file->private_data;
6315 bpfsec = map->security;
6316 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6317 bpf_map_fmode_to_av(file->f_mode), NULL);
6318 if (ret)
6319 return ret;
6320 } else if (file->f_op == &bpf_prog_fops) {
6321 prog = file->private_data;
6322 bpfsec = prog->aux->security;
6323 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6324 BPF__PROG_RUN, NULL);
6325 if (ret)
6326 return ret;
6327 }
6328 return 0;
6329 }
6330
6331 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6332 {
6333 u32 sid = current_sid();
6334 struct bpf_security_struct *bpfsec;
6335
6336 bpfsec = map->security;
6337 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6338 bpf_map_fmode_to_av(fmode), NULL);
6339 }
6340
6341 static int selinux_bpf_prog(struct bpf_prog *prog)
6342 {
6343 u32 sid = current_sid();
6344 struct bpf_security_struct *bpfsec;
6345
6346 bpfsec = prog->aux->security;
6347 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
6348 BPF__PROG_RUN, NULL);
6349 }
6350
6351 static int selinux_bpf_map_alloc(struct bpf_map *map)
6352 {
6353 struct bpf_security_struct *bpfsec;
6354
6355 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6356 if (!bpfsec)
6357 return -ENOMEM;
6358
6359 bpfsec->sid = current_sid();
6360 map->security = bpfsec;
6361
6362 return 0;
6363 }
6364
6365 static void selinux_bpf_map_free(struct bpf_map *map)
6366 {
6367 struct bpf_security_struct *bpfsec = map->security;
6368
6369 map->security = NULL;
6370 kfree(bpfsec);
6371 }
6372
6373 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6374 {
6375 struct bpf_security_struct *bpfsec;
6376
6377 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6378 if (!bpfsec)
6379 return -ENOMEM;
6380
6381 bpfsec->sid = current_sid();
6382 aux->security = bpfsec;
6383
6384 return 0;
6385 }
6386
6387 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6388 {
6389 struct bpf_security_struct *bpfsec = aux->security;
6390
6391 aux->security = NULL;
6392 kfree(bpfsec);
6393 }
6394 #endif
6395
6396 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6397 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6398 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6399 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6400 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6401
6402 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6403 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6404 LSM_HOOK_INIT(capget, selinux_capget),
6405 LSM_HOOK_INIT(capset, selinux_capset),
6406 LSM_HOOK_INIT(capable, selinux_capable),
6407 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6408 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6409 LSM_HOOK_INIT(syslog, selinux_syslog),
6410 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6411
6412 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6413
6414 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6415 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6416 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6417
6418 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6419 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6420 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
6421 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6422 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6423 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6424 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6425 LSM_HOOK_INIT(sb_mount, selinux_mount),
6426 LSM_HOOK_INIT(sb_umount, selinux_umount),
6427 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6428 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6429 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
6430
6431 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6432 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6433
6434 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6435 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6436 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6437 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6438 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6439 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6440 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6441 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6442 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6443 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6444 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6445 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6446 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6447 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6448 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6449 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6450 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6451 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6452 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6453 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6454 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6455 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6456 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6457 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6458 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6459 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6460 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6461
6462 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6463 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6464 LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
6465 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6466 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6467 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6468 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6469 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6470 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6471 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6472 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6473 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6474
6475 LSM_HOOK_INIT(file_open, selinux_file_open),
6476
6477 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6478 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
6479 LSM_HOOK_INIT(cred_free, selinux_cred_free),
6480 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6481 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6482 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6483 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6484 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6485 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6486 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6487 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6488 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6489 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6490 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6491 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6492 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6493 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6494 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6495 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6496 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6497 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6498 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6499 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6500
6501 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6502 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6503
6504 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6505 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
6506
6507 LSM_HOOK_INIT(msg_queue_alloc_security,
6508 selinux_msg_queue_alloc_security),
6509 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
6510 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
6511 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
6512 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
6513 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
6514
6515 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
6516 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
6517 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
6518 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
6519 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
6520
6521 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
6522 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
6523 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
6524 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
6525 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
6526
6527 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
6528
6529 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
6530 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
6531
6532 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
6533 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
6534 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
6535 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
6536 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
6537 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
6538 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
6539 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
6540
6541 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
6542 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
6543
6544 LSM_HOOK_INIT(socket_create, selinux_socket_create),
6545 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
6546 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
6547 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
6548 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
6549 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
6550 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
6551 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
6552 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
6553 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
6554 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
6555 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
6556 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
6557 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
6558 LSM_HOOK_INIT(socket_getpeersec_stream,
6559 selinux_socket_getpeersec_stream),
6560 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
6561 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
6562 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
6563 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
6564 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
6565 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
6566 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
6567 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
6568 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
6569 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
6570 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
6571 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
6572 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
6573 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
6574 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
6575 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
6576 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
6577 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6578 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6579 #ifdef CONFIG_SECURITY_INFINIBAND
6580 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6581 LSM_HOOK_INIT(ib_endport_manage_subnet,
6582 selinux_ib_endport_manage_subnet),
6583 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6584 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6585 #endif
6586 #ifdef CONFIG_SECURITY_NETWORK_XFRM
6587 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
6588 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
6589 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
6590 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
6591 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
6592 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
6593 selinux_xfrm_state_alloc_acquire),
6594 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
6595 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
6596 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
6597 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
6598 selinux_xfrm_state_pol_flow_match),
6599 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
6600 #endif
6601
6602 #ifdef CONFIG_KEYS
6603 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
6604 LSM_HOOK_INIT(key_free, selinux_key_free),
6605 LSM_HOOK_INIT(key_permission, selinux_key_permission),
6606 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
6607 #endif
6608
6609 #ifdef CONFIG_AUDIT
6610 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
6611 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
6612 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
6613 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
6614 #endif
6615
6616 #ifdef CONFIG_BPF_SYSCALL
6617 LSM_HOOK_INIT(bpf, selinux_bpf),
6618 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
6619 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
6620 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
6621 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
6622 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
6623 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
6624 #endif
6625 };
6626
6627 static __init int selinux_init(void)
6628 {
6629 if (!security_module_enable("selinux")) {
6630 selinux_enabled = 0;
6631 return 0;
6632 }
6633
6634 if (!selinux_enabled) {
6635 printk(KERN_INFO "SELinux: Disabled at boot.\n");
6636 return 0;
6637 }
6638
6639 printk(KERN_INFO "SELinux: Initializing.\n");
6640
6641 /* Set the security state for the initial task. */
6642 cred_init_security();
6643
6644 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
6645
6646 sel_inode_cache = kmem_cache_create("selinux_inode_security",
6647 sizeof(struct inode_security_struct),
6648 0, SLAB_PANIC, NULL);
6649 file_security_cache = kmem_cache_create("selinux_file_security",
6650 sizeof(struct file_security_struct),
6651 0, SLAB_PANIC, NULL);
6652 avc_init();
6653
6654 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
6655
6656 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6657 panic("SELinux: Unable to register AVC netcache callback\n");
6658
6659 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
6660 panic("SELinux: Unable to register AVC LSM notifier callback\n");
6661
6662 if (selinux_enforcing)
6663 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
6664 else
6665 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
6666
6667 return 0;
6668 }
6669
6670 static void delayed_superblock_init(struct super_block *sb, void *unused)
6671 {
6672 superblock_doinit(sb, NULL);
6673 }
6674
6675 void selinux_complete_init(void)
6676 {
6677 printk(KERN_DEBUG "SELinux: Completing initialization.\n");
6678
6679 /* Set up any superblocks initialized prior to the policy load. */
6680 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
6681 iterate_supers(delayed_superblock_init, NULL);
6682 }
6683
6684 /* SELinux requires early initialization in order to label
6685 all processes and objects when they are created. */
6686 security_initcall(selinux_init);
6687
6688 #if defined(CONFIG_NETFILTER)
6689
6690 static const struct nf_hook_ops selinux_nf_ops[] = {
6691 {
6692 .hook = selinux_ipv4_postroute,
6693 .pf = NFPROTO_IPV4,
6694 .hooknum = NF_INET_POST_ROUTING,
6695 .priority = NF_IP_PRI_SELINUX_LAST,
6696 },
6697 {
6698 .hook = selinux_ipv4_forward,
6699 .pf = NFPROTO_IPV4,
6700 .hooknum = NF_INET_FORWARD,
6701 .priority = NF_IP_PRI_SELINUX_FIRST,
6702 },
6703 {
6704 .hook = selinux_ipv4_output,
6705 .pf = NFPROTO_IPV4,
6706 .hooknum = NF_INET_LOCAL_OUT,
6707 .priority = NF_IP_PRI_SELINUX_FIRST,
6708 },
6709 #if IS_ENABLED(CONFIG_IPV6)
6710 {
6711 .hook = selinux_ipv6_postroute,
6712 .pf = NFPROTO_IPV6,
6713 .hooknum = NF_INET_POST_ROUTING,
6714 .priority = NF_IP6_PRI_SELINUX_LAST,
6715 },
6716 {
6717 .hook = selinux_ipv6_forward,
6718 .pf = NFPROTO_IPV6,
6719 .hooknum = NF_INET_FORWARD,
6720 .priority = NF_IP6_PRI_SELINUX_FIRST,
6721 },
6722 {
6723 .hook = selinux_ipv6_output,
6724 .pf = NFPROTO_IPV6,
6725 .hooknum = NF_INET_LOCAL_OUT,
6726 .priority = NF_IP6_PRI_SELINUX_FIRST,
6727 },
6728 #endif /* IPV6 */
6729 };
6730
6731 static int __net_init selinux_nf_register(struct net *net)
6732 {
6733 return nf_register_net_hooks(net, selinux_nf_ops,
6734 ARRAY_SIZE(selinux_nf_ops));
6735 }
6736
6737 static void __net_exit selinux_nf_unregister(struct net *net)
6738 {
6739 nf_unregister_net_hooks(net, selinux_nf_ops,
6740 ARRAY_SIZE(selinux_nf_ops));
6741 }
6742
6743 static struct pernet_operations selinux_net_ops = {
6744 .init = selinux_nf_register,
6745 .exit = selinux_nf_unregister,
6746 };
6747
6748 static int __init selinux_nf_ip_init(void)
6749 {
6750 int err;
6751
6752 if (!selinux_enabled)
6753 return 0;
6754
6755 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
6756
6757 err = register_pernet_subsys(&selinux_net_ops);
6758 if (err)
6759 panic("SELinux: register_pernet_subsys: error %d\n", err);
6760
6761 return 0;
6762 }
6763 __initcall(selinux_nf_ip_init);
6764
6765 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6766 static void selinux_nf_ip_exit(void)
6767 {
6768 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
6769
6770 unregister_pernet_subsys(&selinux_net_ops);
6771 }
6772 #endif
6773
6774 #else /* CONFIG_NETFILTER */
6775
6776 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6777 #define selinux_nf_ip_exit()
6778 #endif
6779
6780 #endif /* CONFIG_NETFILTER */
6781
6782 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
6783 static int selinux_disabled;
6784
6785 int selinux_disable(void)
6786 {
6787 if (ss_initialized) {
6788 /* Not permitted after initial policy load. */
6789 return -EINVAL;
6790 }
6791
6792 if (selinux_disabled) {
6793 /* Only do this once. */
6794 return -EINVAL;
6795 }
6796
6797 printk(KERN_INFO "SELinux: Disabled at runtime.\n");
6798
6799 selinux_disabled = 1;
6800 selinux_enabled = 0;
6801
6802 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
6803
6804 /* Try to destroy the avc node cache */
6805 avc_disable();
6806
6807 /* Unregister netfilter hooks. */
6808 selinux_nf_ip_exit();
6809
6810 /* Unregister selinuxfs. */
6811 exit_sel_fs();
6812
6813 return 0;
6814 }
6815 #endif
Linux with added FPC-III support