search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ARM: dts: omap5: Add bus_dma_limit for L3 bus
[linux/fpc-iii.git] / security / selinux / hooks.c
blobdb44c7eb43213d49e66f99a4452a806b5b9f56ce
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * NSA Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * <dgoeddel@trustedcs.com>
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * Copyright (C) 2016 Mellanox Technologies
22 */
23
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/tracehook.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/dccp.h>
69 #include <linux/sctp.h>
70 #include <net/sctp/structs.h>
71 #include <linux/quota.h>
72 #include <linux/un.h> /* for Unix socket types */
73 #include <net/af_unix.h> /* for Unix socket types */
74 #include <linux/parser.h>
75 #include <linux/nfs_mount.h>
76 #include <net/ipv6.h>
77 #include <linux/hugetlb.h>
78 #include <linux/personality.h>
79 #include <linux/audit.h>
80 #include <linux/string.h>
81 #include <linux/mutex.h>
82 #include <linux/posix-timers.h>
83 #include <linux/syslog.h>
84 #include <linux/user_namespace.h>
85 #include <linux/export.h>
86 #include <linux/msg.h>
87 #include <linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h> /* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94
95 #include "avc.h"
96 #include "objsec.h"
97 #include "netif.h"
98 #include "netnode.h"
99 #include "netport.h"
100 #include "ibpkey.h"
101 #include "xfrm.h"
102 #include "netlabel.h"
103 #include "audit.h"
104 #include "avc_ss.h"
105
106 struct selinux_state selinux_state;
107
108 /* SECMARK reference count */
109 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
110
111 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
112 static int selinux_enforcing_boot;
113
114 static int __init enforcing_setup(char *str)
115 {
116 unsigned long enforcing;
117 if (!kstrtoul(str, 0, &enforcing))
118 selinux_enforcing_boot = enforcing ? 1 : 0;
119 return 1;
120 }
121 __setup("enforcing=", enforcing_setup);
122 #else
123 #define selinux_enforcing_boot 1
124 #endif
125
126 int selinux_enabled __lsm_ro_after_init = 1;
127 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
128 static int __init selinux_enabled_setup(char *str)
129 {
130 unsigned long enabled;
131 if (!kstrtoul(str, 0, &enabled))
132 selinux_enabled = enabled ? 1 : 0;
133 return 1;
134 }
135 __setup("selinux=", selinux_enabled_setup);
136 #endif
137
138 static unsigned int selinux_checkreqprot_boot =
139 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
140
141 static int __init checkreqprot_setup(char *str)
142 {
143 unsigned long checkreqprot;
144
145 if (!kstrtoul(str, 0, &checkreqprot))
146 selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
147 return 1;
148 }
149 __setup("checkreqprot=", checkreqprot_setup);
150
151 /**
152 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
153 *
154 * Description:
155 * This function checks the SECMARK reference counter to see if any SECMARK
156 * targets are currently configured, if the reference counter is greater than
157 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
158 * enabled, false (0) if SECMARK is disabled. If the always_check_network
159 * policy capability is enabled, SECMARK is always considered enabled.
160 *
161 */
162 static int selinux_secmark_enabled(void)
163 {
164 return (selinux_policycap_alwaysnetwork() ||
165 atomic_read(&selinux_secmark_refcount));
166 }
167
168 /**
169 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
170 *
171 * Description:
172 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
173 * (1) if any are enabled or false (0) if neither are enabled. If the
174 * always_check_network policy capability is enabled, peer labeling
175 * is always considered enabled.
176 *
177 */
178 static int selinux_peerlbl_enabled(void)
179 {
180 return (selinux_policycap_alwaysnetwork() ||
181 netlbl_enabled() || selinux_xfrm_enabled());
182 }
183
184 static int selinux_netcache_avc_callback(u32 event)
185 {
186 if (event == AVC_CALLBACK_RESET) {
187 sel_netif_flush();
188 sel_netnode_flush();
189 sel_netport_flush();
190 synchronize_net();
191 }
192 return 0;
193 }
194
195 static int selinux_lsm_notifier_avc_callback(u32 event)
196 {
197 if (event == AVC_CALLBACK_RESET) {
198 sel_ib_pkey_flush();
199 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
200 }
201
202 return 0;
203 }
204
205 /*
206 * initialise the security for the init task
207 */
208 static void cred_init_security(void)
209 {
210 struct cred *cred = (struct cred *) current->real_cred;
211 struct task_security_struct *tsec;
212
213 tsec = selinux_cred(cred);
214 tsec->osid = tsec->sid = SECINITSID_KERNEL;
215 }
216
217 /*
218 * get the security ID of a set of credentials
219 */
220 static inline u32 cred_sid(const struct cred *cred)
221 {
222 const struct task_security_struct *tsec;
223
224 tsec = selinux_cred(cred);
225 return tsec->sid;
226 }
227
228 /*
229 * get the objective security ID of a task
230 */
231 static inline u32 task_sid(const struct task_struct *task)
232 {
233 u32 sid;
234
235 rcu_read_lock();
236 sid = cred_sid(__task_cred(task));
237 rcu_read_unlock();
238 return sid;
239 }
240
241 /* Allocate and free functions for each kind of security blob. */
242
243 static int inode_alloc_security(struct inode *inode)
244 {
245 struct inode_security_struct *isec = selinux_inode(inode);
246 u32 sid = current_sid();
247
248 spin_lock_init(&isec->lock);
249 INIT_LIST_HEAD(&isec->list);
250 isec->inode = inode;
251 isec->sid = SECINITSID_UNLABELED;
252 isec->sclass = SECCLASS_FILE;
253 isec->task_sid = sid;
254 isec->initialized = LABEL_INVALID;
255
256 return 0;
257 }
258
259 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
260
261 /*
262 * Try reloading inode security labels that have been marked as invalid. The
263 * @may_sleep parameter indicates when sleeping and thus reloading labels is
264 * allowed; when set to false, returns -ECHILD when the label is
265 * invalid. The @dentry parameter should be set to a dentry of the inode.
266 */
267 static int __inode_security_revalidate(struct inode *inode,
268 struct dentry *dentry,
269 bool may_sleep)
270 {
271 struct inode_security_struct *isec = selinux_inode(inode);
272
273 might_sleep_if(may_sleep);
274
275 if (selinux_state.initialized &&
276 isec->initialized != LABEL_INITIALIZED) {
277 if (!may_sleep)
278 return -ECHILD;
279
280 /*
281 * Try reloading the inode security label. This will fail if
282 * @opt_dentry is NULL and no dentry for this inode can be
283 * found; in that case, continue using the old label.
284 */
285 inode_doinit_with_dentry(inode, dentry);
286 }
287 return 0;
288 }
289
290 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
291 {
292 return selinux_inode(inode);
293 }
294
295 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
296 {
297 int error;
298
299 error = __inode_security_revalidate(inode, NULL, !rcu);
300 if (error)
301 return ERR_PTR(error);
302 return selinux_inode(inode);
303 }
304
305 /*
306 * Get the security label of an inode.
307 */
308 static struct inode_security_struct *inode_security(struct inode *inode)
309 {
310 __inode_security_revalidate(inode, NULL, true);
311 return selinux_inode(inode);
312 }
313
314 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
315 {
316 struct inode *inode = d_backing_inode(dentry);
317
318 return selinux_inode(inode);
319 }
320
321 /*
322 * Get the security label of a dentry's backing inode.
323 */
324 static struct inode_security_struct *backing_inode_security(struct dentry *dentry)
325 {
326 struct inode *inode = d_backing_inode(dentry);
327
328 __inode_security_revalidate(inode, dentry, true);
329 return selinux_inode(inode);
330 }
331
332 static void inode_free_security(struct inode *inode)
333 {
334 struct inode_security_struct *isec = selinux_inode(inode);
335 struct superblock_security_struct *sbsec;
336
337 if (!isec)
338 return;
339 sbsec = inode->i_sb->s_security;
340 /*
341 * As not all inode security structures are in a list, we check for
342 * empty list outside of the lock to make sure that we won't waste
343 * time taking a lock doing nothing.
344 *
345 * The list_del_init() function can be safely called more than once.
346 * It should not be possible for this function to be called with
347 * concurrent list_add(), but for better safety against future changes
348 * in the code, we use list_empty_careful() here.
349 */
350 if (!list_empty_careful(&isec->list)) {
351 spin_lock(&sbsec->isec_lock);
352 list_del_init(&isec->list);
353 spin_unlock(&sbsec->isec_lock);
354 }
355 }
356
357 static int file_alloc_security(struct file *file)
358 {
359 struct file_security_struct *fsec = selinux_file(file);
360 u32 sid = current_sid();
361
362 fsec->sid = sid;
363 fsec->fown_sid = sid;
364
365 return 0;
366 }
367
368 static int superblock_alloc_security(struct super_block *sb)
369 {
370 struct superblock_security_struct *sbsec;
371
372 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
373 if (!sbsec)
374 return -ENOMEM;
375
376 mutex_init(&sbsec->lock);
377 INIT_LIST_HEAD(&sbsec->isec_head);
378 spin_lock_init(&sbsec->isec_lock);
379 sbsec->sb = sb;
380 sbsec->sid = SECINITSID_UNLABELED;
381 sbsec->def_sid = SECINITSID_FILE;
382 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
383 sb->s_security = sbsec;
384
385 return 0;
386 }
387
388 static void superblock_free_security(struct super_block *sb)
389 {
390 struct superblock_security_struct *sbsec = sb->s_security;
391 sb->s_security = NULL;
392 kfree(sbsec);
393 }
394
395 struct selinux_mnt_opts {
396 const char *fscontext, *context, *rootcontext, *defcontext;
397 };
398
399 static void selinux_free_mnt_opts(void *mnt_opts)
400 {
401 struct selinux_mnt_opts *opts = mnt_opts;
402 kfree(opts->fscontext);
403 kfree(opts->context);
404 kfree(opts->rootcontext);
405 kfree(opts->defcontext);
406 kfree(opts);
407 }
408
409 static inline int inode_doinit(struct inode *inode)
410 {
411 return inode_doinit_with_dentry(inode, NULL);
412 }
413
414 enum {
415 Opt_error = -1,
416 Opt_context = 0,
417 Opt_defcontext = 1,
418 Opt_fscontext = 2,
419 Opt_rootcontext = 3,
420 Opt_seclabel = 4,
421 };
422
423 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
424 static struct {
425 const char *name;
426 int len;
427 int opt;
428 bool has_arg;
429 } tokens[] = {
430 A(context, true),
431 A(fscontext, true),
432 A(defcontext, true),
433 A(rootcontext, true),
434 A(seclabel, false),
435 };
436 #undef A
437
438 static int match_opt_prefix(char *s, int l, char **arg)
439 {
440 int i;
441
442 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
443 size_t len = tokens[i].len;
444 if (len > l || memcmp(s, tokens[i].name, len))
445 continue;
446 if (tokens[i].has_arg) {
447 if (len == l || s[len] != '=')
448 continue;
449 *arg = s + len + 1;
450 } else if (len != l)
451 continue;
452 return tokens[i].opt;
453 }
454 return Opt_error;
455 }
456
457 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
458
459 static int may_context_mount_sb_relabel(u32 sid,
460 struct superblock_security_struct *sbsec,
461 const struct cred *cred)
462 {
463 const struct task_security_struct *tsec = selinux_cred(cred);
464 int rc;
465
466 rc = avc_has_perm(&selinux_state,
467 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
468 FILESYSTEM__RELABELFROM, NULL);
469 if (rc)
470 return rc;
471
472 rc = avc_has_perm(&selinux_state,
473 tsec->sid, sid, SECCLASS_FILESYSTEM,
474 FILESYSTEM__RELABELTO, NULL);
475 return rc;
476 }
477
478 static int may_context_mount_inode_relabel(u32 sid,
479 struct superblock_security_struct *sbsec,
480 const struct cred *cred)
481 {
482 const struct task_security_struct *tsec = selinux_cred(cred);
483 int rc;
484 rc = avc_has_perm(&selinux_state,
485 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
486 FILESYSTEM__RELABELFROM, NULL);
487 if (rc)
488 return rc;
489
490 rc = avc_has_perm(&selinux_state,
491 sid, sbsec->sid, SECCLASS_FILESYSTEM,
492 FILESYSTEM__ASSOCIATE, NULL);
493 return rc;
494 }
495
496 static int selinux_is_genfs_special_handling(struct super_block *sb)
497 {
498 /* Special handling. Genfs but also in-core setxattr handler */
499 return !strcmp(sb->s_type->name, "sysfs") ||
500 !strcmp(sb->s_type->name, "pstore") ||
501 !strcmp(sb->s_type->name, "debugfs") ||
502 !strcmp(sb->s_type->name, "tracefs") ||
503 !strcmp(sb->s_type->name, "rootfs") ||
504 (selinux_policycap_cgroupseclabel() &&
505 (!strcmp(sb->s_type->name, "cgroup") ||
506 !strcmp(sb->s_type->name, "cgroup2")));
507 }
508
509 static int selinux_is_sblabel_mnt(struct super_block *sb)
510 {
511 struct superblock_security_struct *sbsec = sb->s_security;
512
513 /*
514 * IMPORTANT: Double-check logic in this function when adding a new
515 * SECURITY_FS_USE_* definition!
516 */
517 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
518
519 switch (sbsec->behavior) {
520 case SECURITY_FS_USE_XATTR:
521 case SECURITY_FS_USE_TRANS:
522 case SECURITY_FS_USE_TASK:
523 case SECURITY_FS_USE_NATIVE:
524 return 1;
525
526 case SECURITY_FS_USE_GENFS:
527 return selinux_is_genfs_special_handling(sb);
528
529 /* Never allow relabeling on context mounts */
530 case SECURITY_FS_USE_MNTPOINT:
531 case SECURITY_FS_USE_NONE:
532 default:
533 return 0;
534 }
535 }
536
537 static int sb_finish_set_opts(struct super_block *sb)
538 {
539 struct superblock_security_struct *sbsec = sb->s_security;
540 struct dentry *root = sb->s_root;
541 struct inode *root_inode = d_backing_inode(root);
542 int rc = 0;
543
544 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
545 /* Make sure that the xattr handler exists and that no
546 error other than -ENODATA is returned by getxattr on
547 the root directory. -ENODATA is ok, as this may be
548 the first boot of the SELinux kernel before we have
549 assigned xattr values to the filesystem. */
550 if (!(root_inode->i_opflags & IOP_XATTR)) {
551 pr_warn("SELinux: (dev %s, type %s) has no "
552 "xattr support\n", sb->s_id, sb->s_type->name);
553 rc = -EOPNOTSUPP;
554 goto out;
555 }
556
557 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
558 if (rc < 0 && rc != -ENODATA) {
559 if (rc == -EOPNOTSUPP)
560 pr_warn("SELinux: (dev %s, type "
561 "%s) has no security xattr handler\n",
562 sb->s_id, sb->s_type->name);
563 else
564 pr_warn("SELinux: (dev %s, type "
565 "%s) getxattr errno %d\n", sb->s_id,
566 sb->s_type->name, -rc);
567 goto out;
568 }
569 }
570
571 sbsec->flags |= SE_SBINITIALIZED;
572
573 /*
574 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
575 * leave the flag untouched because sb_clone_mnt_opts might be handing
576 * us a superblock that needs the flag to be cleared.
577 */
578 if (selinux_is_sblabel_mnt(sb))
579 sbsec->flags |= SBLABEL_MNT;
580 else
581 sbsec->flags &= ~SBLABEL_MNT;
582
583 /* Initialize the root inode. */
584 rc = inode_doinit_with_dentry(root_inode, root);
585
586 /* Initialize any other inodes associated with the superblock, e.g.
587 inodes created prior to initial policy load or inodes created
588 during get_sb by a pseudo filesystem that directly
589 populates itself. */
590 spin_lock(&sbsec->isec_lock);
591 while (!list_empty(&sbsec->isec_head)) {
592 struct inode_security_struct *isec =
593 list_first_entry(&sbsec->isec_head,
594 struct inode_security_struct, list);
595 struct inode *inode = isec->inode;
596 list_del_init(&isec->list);
597 spin_unlock(&sbsec->isec_lock);
598 inode = igrab(inode);
599 if (inode) {
600 if (!IS_PRIVATE(inode))
601 inode_doinit(inode);
602 iput(inode);
603 }
604 spin_lock(&sbsec->isec_lock);
605 }
606 spin_unlock(&sbsec->isec_lock);
607 out:
608 return rc;
609 }
610
611 static int bad_option(struct superblock_security_struct *sbsec, char flag,
612 u32 old_sid, u32 new_sid)
613 {
614 char mnt_flags = sbsec->flags & SE_MNTMASK;
615
616 /* check if the old mount command had the same options */
617 if (sbsec->flags & SE_SBINITIALIZED)
618 if (!(sbsec->flags & flag) ||
619 (old_sid != new_sid))
620 return 1;
621
622 /* check if we were passed the same options twice,
623 * aka someone passed context=a,context=b
624 */
625 if (!(sbsec->flags & SE_SBINITIALIZED))
626 if (mnt_flags & flag)
627 return 1;
628 return 0;
629 }
630
631 static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
632 {
633 int rc = security_context_str_to_sid(&selinux_state, s,
634 sid, GFP_KERNEL);
635 if (rc)
636 pr_warn("SELinux: security_context_str_to_sid"
637 "(%s) failed for (dev %s, type %s) errno=%d\n",
638 s, sb->s_id, sb->s_type->name, rc);
639 return rc;
640 }
641
642 /*
643 * Allow filesystems with binary mount data to explicitly set mount point
644 * labeling information.
645 */
646 static int selinux_set_mnt_opts(struct super_block *sb,
647 void *mnt_opts,
648 unsigned long kern_flags,
649 unsigned long *set_kern_flags)
650 {
651 const struct cred *cred = current_cred();
652 struct superblock_security_struct *sbsec = sb->s_security;
653 struct dentry *root = sbsec->sb->s_root;
654 struct selinux_mnt_opts *opts = mnt_opts;
655 struct inode_security_struct *root_isec;
656 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
657 u32 defcontext_sid = 0;
658 int rc = 0;
659
660 mutex_lock(&sbsec->lock);
661
662 if (!selinux_state.initialized) {
663 if (!opts) {
664 /* Defer initialization until selinux_complete_init,
665 after the initial policy is loaded and the security
666 server is ready to handle calls. */
667 goto out;
668 }
669 rc = -EINVAL;
670 pr_warn("SELinux: Unable to set superblock options "
671 "before the security server is initialized\n");
672 goto out;
673 }
674 if (kern_flags && !set_kern_flags) {
675 /* Specifying internal flags without providing a place to
676 * place the results is not allowed */
677 rc = -EINVAL;
678 goto out;
679 }
680
681 /*
682 * Binary mount data FS will come through this function twice. Once
683 * from an explicit call and once from the generic calls from the vfs.
684 * Since the generic VFS calls will not contain any security mount data
685 * we need to skip the double mount verification.
686 *
687 * This does open a hole in which we will not notice if the first
688 * mount using this sb set explict options and a second mount using
689 * this sb does not set any security options. (The first options
690 * will be used for both mounts)
691 */
692 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
693 && !opts)
694 goto out;
695
696 root_isec = backing_inode_security_novalidate(root);
697
698 /*
699 * parse the mount options, check if they are valid sids.
700 * also check if someone is trying to mount the same sb more
701 * than once with different security options.
702 */
703 if (opts) {
704 if (opts->fscontext) {
705 rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
706 if (rc)
707 goto out;
708 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
709 fscontext_sid))
710 goto out_double_mount;
711 sbsec->flags |= FSCONTEXT_MNT;
712 }
713 if (opts->context) {
714 rc = parse_sid(sb, opts->context, &context_sid);
715 if (rc)
716 goto out;
717 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
718 context_sid))
719 goto out_double_mount;
720 sbsec->flags |= CONTEXT_MNT;
721 }
722 if (opts->rootcontext) {
723 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
724 if (rc)
725 goto out;
726 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
727 rootcontext_sid))
728 goto out_double_mount;
729 sbsec->flags |= ROOTCONTEXT_MNT;
730 }
731 if (opts->defcontext) {
732 rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
733 if (rc)
734 goto out;
735 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
736 defcontext_sid))
737 goto out_double_mount;
738 sbsec->flags |= DEFCONTEXT_MNT;
739 }
740 }
741
742 if (sbsec->flags & SE_SBINITIALIZED) {
743 /* previously mounted with options, but not on this attempt? */
744 if ((sbsec->flags & SE_MNTMASK) && !opts)
745 goto out_double_mount;
746 rc = 0;
747 goto out;
748 }
749
750 if (strcmp(sb->s_type->name, "proc") == 0)
751 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
752
753 if (!strcmp(sb->s_type->name, "debugfs") ||
754 !strcmp(sb->s_type->name, "tracefs") ||
755 !strcmp(sb->s_type->name, "pstore"))
756 sbsec->flags |= SE_SBGENFS;
757
758 if (!strcmp(sb->s_type->name, "sysfs") ||
759 !strcmp(sb->s_type->name, "cgroup") ||
760 !strcmp(sb->s_type->name, "cgroup2"))
761 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
762
763 if (!sbsec->behavior) {
764 /*
765 * Determine the labeling behavior to use for this
766 * filesystem type.
767 */
768 rc = security_fs_use(&selinux_state, sb);
769 if (rc) {
770 pr_warn("%s: security_fs_use(%s) returned %d\n",
771 __func__, sb->s_type->name, rc);
772 goto out;
773 }
774 }
775
776 /*
777 * If this is a user namespace mount and the filesystem type is not
778 * explicitly whitelisted, then no contexts are allowed on the command
779 * line and security labels must be ignored.
780 */
781 if (sb->s_user_ns != &init_user_ns &&
782 strcmp(sb->s_type->name, "tmpfs") &&
783 strcmp(sb->s_type->name, "ramfs") &&
784 strcmp(sb->s_type->name, "devpts")) {
785 if (context_sid || fscontext_sid || rootcontext_sid ||
786 defcontext_sid) {
787 rc = -EACCES;
788 goto out;
789 }
790 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
791 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
792 rc = security_transition_sid(&selinux_state,
793 current_sid(),
794 current_sid(),
795 SECCLASS_FILE, NULL,
796 &sbsec->mntpoint_sid);
797 if (rc)
798 goto out;
799 }
800 goto out_set_opts;
801 }
802
803 /* sets the context of the superblock for the fs being mounted. */
804 if (fscontext_sid) {
805 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
806 if (rc)
807 goto out;
808
809 sbsec->sid = fscontext_sid;
810 }
811
812 /*
813 * Switch to using mount point labeling behavior.
814 * sets the label used on all file below the mountpoint, and will set
815 * the superblock context if not already set.
816 */
817 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
818 sbsec->behavior = SECURITY_FS_USE_NATIVE;
819 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
820 }
821
822 if (context_sid) {
823 if (!fscontext_sid) {
824 rc = may_context_mount_sb_relabel(context_sid, sbsec,
825 cred);
826 if (rc)
827 goto out;
828 sbsec->sid = context_sid;
829 } else {
830 rc = may_context_mount_inode_relabel(context_sid, sbsec,
831 cred);
832 if (rc)
833 goto out;
834 }
835 if (!rootcontext_sid)
836 rootcontext_sid = context_sid;
837
838 sbsec->mntpoint_sid = context_sid;
839 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
840 }
841
842 if (rootcontext_sid) {
843 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
844 cred);
845 if (rc)
846 goto out;
847
848 root_isec->sid = rootcontext_sid;
849 root_isec->initialized = LABEL_INITIALIZED;
850 }
851
852 if (defcontext_sid) {
853 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
854 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
855 rc = -EINVAL;
856 pr_warn("SELinux: defcontext option is "
857 "invalid for this filesystem type\n");
858 goto out;
859 }
860
861 if (defcontext_sid != sbsec->def_sid) {
862 rc = may_context_mount_inode_relabel(defcontext_sid,
863 sbsec, cred);
864 if (rc)
865 goto out;
866 }
867
868 sbsec->def_sid = defcontext_sid;
869 }
870
871 out_set_opts:
872 rc = sb_finish_set_opts(sb);
873 out:
874 mutex_unlock(&sbsec->lock);
875 return rc;
876 out_double_mount:
877 rc = -EINVAL;
878 pr_warn("SELinux: mount invalid. Same superblock, different "
879 "security settings for (dev %s, type %s)\n", sb->s_id,
880 sb->s_type->name);
881 goto out;
882 }
883
884 static int selinux_cmp_sb_context(const struct super_block *oldsb,
885 const struct super_block *newsb)
886 {
887 struct superblock_security_struct *old = oldsb->s_security;
888 struct superblock_security_struct *new = newsb->s_security;
889 char oldflags = old->flags & SE_MNTMASK;
890 char newflags = new->flags & SE_MNTMASK;
891
892 if (oldflags != newflags)
893 goto mismatch;
894 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
895 goto mismatch;
896 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
897 goto mismatch;
898 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
899 goto mismatch;
900 if (oldflags & ROOTCONTEXT_MNT) {
901 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
902 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
903 if (oldroot->sid != newroot->sid)
904 goto mismatch;
905 }
906 return 0;
907 mismatch:
908 pr_warn("SELinux: mount invalid. Same superblock, "
909 "different security settings for (dev %s, "
910 "type %s)\n", newsb->s_id, newsb->s_type->name);
911 return -EBUSY;
912 }
913
914 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
915 struct super_block *newsb,
916 unsigned long kern_flags,
917 unsigned long *set_kern_flags)
918 {
919 int rc = 0;
920 const struct superblock_security_struct *oldsbsec = oldsb->s_security;
921 struct superblock_security_struct *newsbsec = newsb->s_security;
922
923 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
924 int set_context = (oldsbsec->flags & CONTEXT_MNT);
925 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
926
927 /*
928 * if the parent was able to be mounted it clearly had no special lsm
929 * mount options. thus we can safely deal with this superblock later
930 */
931 if (!selinux_state.initialized)
932 return 0;
933
934 /*
935 * Specifying internal flags without providing a place to
936 * place the results is not allowed.
937 */
938 if (kern_flags && !set_kern_flags)
939 return -EINVAL;
940
941 /* how can we clone if the old one wasn't set up?? */
942 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
943
944 /* if fs is reusing a sb, make sure that the contexts match */
945 if (newsbsec->flags & SE_SBINITIALIZED) {
946 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
947 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
948 return selinux_cmp_sb_context(oldsb, newsb);
949 }
950
951 mutex_lock(&newsbsec->lock);
952
953 newsbsec->flags = oldsbsec->flags;
954
955 newsbsec->sid = oldsbsec->sid;
956 newsbsec->def_sid = oldsbsec->def_sid;
957 newsbsec->behavior = oldsbsec->behavior;
958
959 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
960 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
961 rc = security_fs_use(&selinux_state, newsb);
962 if (rc)
963 goto out;
964 }
965
966 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
967 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
968 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
969 }
970
971 if (set_context) {
972 u32 sid = oldsbsec->mntpoint_sid;
973
974 if (!set_fscontext)
975 newsbsec->sid = sid;
976 if (!set_rootcontext) {
977 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
978 newisec->sid = sid;
979 }
980 newsbsec->mntpoint_sid = sid;
981 }
982 if (set_rootcontext) {
983 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
984 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
985
986 newisec->sid = oldisec->sid;
987 }
988
989 sb_finish_set_opts(newsb);
990 out:
991 mutex_unlock(&newsbsec->lock);
992 return rc;
993 }
994
995 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
996 {
997 struct selinux_mnt_opts *opts = *mnt_opts;
998
999 if (token == Opt_seclabel) /* eaten and completely ignored */
1000 return 0;
1001
1002 if (!opts) {
1003 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
1004 if (!opts)
1005 return -ENOMEM;
1006 *mnt_opts = opts;
1007 }
1008 if (!s)
1009 return -ENOMEM;
1010 switch (token) {
1011 case Opt_context:
1012 if (opts->context || opts->defcontext)
1013 goto Einval;
1014 opts->context = s;
1015 break;
1016 case Opt_fscontext:
1017 if (opts->fscontext)
1018 goto Einval;
1019 opts->fscontext = s;
1020 break;
1021 case Opt_rootcontext:
1022 if (opts->rootcontext)
1023 goto Einval;
1024 opts->rootcontext = s;
1025 break;
1026 case Opt_defcontext:
1027 if (opts->context || opts->defcontext)
1028 goto Einval;
1029 opts->defcontext = s;
1030 break;
1031 }
1032 return 0;
1033 Einval:
1034 pr_warn(SEL_MOUNT_FAIL_MSG);
1035 return -EINVAL;
1036 }
1037
1038 static int selinux_add_mnt_opt(const char *option, const char *val, int len,
1039 void **mnt_opts)
1040 {
1041 int token = Opt_error;
1042 int rc, i;
1043
1044 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
1045 if (strcmp(option, tokens[i].name) == 0) {
1046 token = tokens[i].opt;
1047 break;
1048 }
1049 }
1050
1051 if (token == Opt_error)
1052 return -EINVAL;
1053
1054 if (token != Opt_seclabel) {
1055 val = kmemdup_nul(val, len, GFP_KERNEL);
1056 if (!val) {
1057 rc = -ENOMEM;
1058 goto free_opt;
1059 }
1060 }
1061 rc = selinux_add_opt(token, val, mnt_opts);
1062 if (unlikely(rc)) {
1063 kfree(val);
1064 goto free_opt;
1065 }
1066 return rc;
1067
1068 free_opt:
1069 if (*mnt_opts) {
1070 selinux_free_mnt_opts(*mnt_opts);
1071 *mnt_opts = NULL;
1072 }
1073 return rc;
1074 }
1075
1076 static int show_sid(struct seq_file *m, u32 sid)
1077 {
1078 char *context = NULL;
1079 u32 len;
1080 int rc;
1081
1082 rc = security_sid_to_context(&selinux_state, sid,
1083 &context, &len);
1084 if (!rc) {
1085 bool has_comma = context && strchr(context, ',');
1086
1087 seq_putc(m, '=');
1088 if (has_comma)
1089 seq_putc(m, '\"');
1090 seq_escape(m, context, "\"\n\\");
1091 if (has_comma)
1092 seq_putc(m, '\"');
1093 }
1094 kfree(context);
1095 return rc;
1096 }
1097
1098 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1099 {
1100 struct superblock_security_struct *sbsec = sb->s_security;
1101 int rc;
1102
1103 if (!(sbsec->flags & SE_SBINITIALIZED))
1104 return 0;
1105
1106 if (!selinux_state.initialized)
1107 return 0;
1108
1109 if (sbsec->flags & FSCONTEXT_MNT) {
1110 seq_putc(m, ',');
1111 seq_puts(m, FSCONTEXT_STR);
1112 rc = show_sid(m, sbsec->sid);
1113 if (rc)
1114 return rc;
1115 }
1116 if (sbsec->flags & CONTEXT_MNT) {
1117 seq_putc(m, ',');
1118 seq_puts(m, CONTEXT_STR);
1119 rc = show_sid(m, sbsec->mntpoint_sid);
1120 if (rc)
1121 return rc;
1122 }
1123 if (sbsec->flags & DEFCONTEXT_MNT) {
1124 seq_putc(m, ',');
1125 seq_puts(m, DEFCONTEXT_STR);
1126 rc = show_sid(m, sbsec->def_sid);
1127 if (rc)
1128 return rc;
1129 }
1130 if (sbsec->flags & ROOTCONTEXT_MNT) {
1131 struct dentry *root = sbsec->sb->s_root;
1132 struct inode_security_struct *isec = backing_inode_security(root);
1133 seq_putc(m, ',');
1134 seq_puts(m, ROOTCONTEXT_STR);
1135 rc = show_sid(m, isec->sid);
1136 if (rc)
1137 return rc;
1138 }
1139 if (sbsec->flags & SBLABEL_MNT) {
1140 seq_putc(m, ',');
1141 seq_puts(m, SECLABEL_STR);
1142 }
1143 return 0;
1144 }
1145
1146 static inline u16 inode_mode_to_security_class(umode_t mode)
1147 {
1148 switch (mode & S_IFMT) {
1149 case S_IFSOCK:
1150 return SECCLASS_SOCK_FILE;
1151 case S_IFLNK:
1152 return SECCLASS_LNK_FILE;
1153 case S_IFREG:
1154 return SECCLASS_FILE;
1155 case S_IFBLK:
1156 return SECCLASS_BLK_FILE;
1157 case S_IFDIR:
1158 return SECCLASS_DIR;
1159 case S_IFCHR:
1160 return SECCLASS_CHR_FILE;
1161 case S_IFIFO:
1162 return SECCLASS_FIFO_FILE;
1163
1164 }
1165
1166 return SECCLASS_FILE;
1167 }
1168
1169 static inline int default_protocol_stream(int protocol)
1170 {
1171 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1172 }
1173
1174 static inline int default_protocol_dgram(int protocol)
1175 {
1176 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1177 }
1178
1179 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1180 {
1181 int extsockclass = selinux_policycap_extsockclass();
1182
1183 switch (family) {
1184 case PF_UNIX:
1185 switch (type) {
1186 case SOCK_STREAM:
1187 case SOCK_SEQPACKET:
1188 return SECCLASS_UNIX_STREAM_SOCKET;
1189 case SOCK_DGRAM:
1190 case SOCK_RAW:
1191 return SECCLASS_UNIX_DGRAM_SOCKET;
1192 }
1193 break;
1194 case PF_INET:
1195 case PF_INET6:
1196 switch (type) {
1197 case SOCK_STREAM:
1198 case SOCK_SEQPACKET:
1199 if (default_protocol_stream(protocol))
1200 return SECCLASS_TCP_SOCKET;
1201 else if (extsockclass && protocol == IPPROTO_SCTP)
1202 return SECCLASS_SCTP_SOCKET;
1203 else
1204 return SECCLASS_RAWIP_SOCKET;
1205 case SOCK_DGRAM:
1206 if (default_protocol_dgram(protocol))
1207 return SECCLASS_UDP_SOCKET;
1208 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1209 protocol == IPPROTO_ICMPV6))
1210 return SECCLASS_ICMP_SOCKET;
1211 else
1212 return SECCLASS_RAWIP_SOCKET;
1213 case SOCK_DCCP:
1214 return SECCLASS_DCCP_SOCKET;
1215 default:
1216 return SECCLASS_RAWIP_SOCKET;
1217 }
1218 break;
1219 case PF_NETLINK:
1220 switch (protocol) {
1221 case NETLINK_ROUTE:
1222 return SECCLASS_NETLINK_ROUTE_SOCKET;
1223 case NETLINK_SOCK_DIAG:
1224 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1225 case NETLINK_NFLOG:
1226 return SECCLASS_NETLINK_NFLOG_SOCKET;
1227 case NETLINK_XFRM:
1228 return SECCLASS_NETLINK_XFRM_SOCKET;
1229 case NETLINK_SELINUX:
1230 return SECCLASS_NETLINK_SELINUX_SOCKET;
1231 case NETLINK_ISCSI:
1232 return SECCLASS_NETLINK_ISCSI_SOCKET;
1233 case NETLINK_AUDIT:
1234 return SECCLASS_NETLINK_AUDIT_SOCKET;
1235 case NETLINK_FIB_LOOKUP:
1236 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1237 case NETLINK_CONNECTOR:
1238 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1239 case NETLINK_NETFILTER:
1240 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1241 case NETLINK_DNRTMSG:
1242 return SECCLASS_NETLINK_DNRT_SOCKET;
1243 case NETLINK_KOBJECT_UEVENT:
1244 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1245 case NETLINK_GENERIC:
1246 return SECCLASS_NETLINK_GENERIC_SOCKET;
1247 case NETLINK_SCSITRANSPORT:
1248 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1249 case NETLINK_RDMA:
1250 return SECCLASS_NETLINK_RDMA_SOCKET;
1251 case NETLINK_CRYPTO:
1252 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1253 default:
1254 return SECCLASS_NETLINK_SOCKET;
1255 }
1256 case PF_PACKET:
1257 return SECCLASS_PACKET_SOCKET;
1258 case PF_KEY:
1259 return SECCLASS_KEY_SOCKET;
1260 case PF_APPLETALK:
1261 return SECCLASS_APPLETALK_SOCKET;
1262 }
1263
1264 if (extsockclass) {
1265 switch (family) {
1266 case PF_AX25:
1267 return SECCLASS_AX25_SOCKET;
1268 case PF_IPX:
1269 return SECCLASS_IPX_SOCKET;
1270 case PF_NETROM:
1271 return SECCLASS_NETROM_SOCKET;
1272 case PF_ATMPVC:
1273 return SECCLASS_ATMPVC_SOCKET;
1274 case PF_X25:
1275 return SECCLASS_X25_SOCKET;
1276 case PF_ROSE:
1277 return SECCLASS_ROSE_SOCKET;
1278 case PF_DECnet:
1279 return SECCLASS_DECNET_SOCKET;
1280 case PF_ATMSVC:
1281 return SECCLASS_ATMSVC_SOCKET;
1282 case PF_RDS:
1283 return SECCLASS_RDS_SOCKET;
1284 case PF_IRDA:
1285 return SECCLASS_IRDA_SOCKET;
1286 case PF_PPPOX:
1287 return SECCLASS_PPPOX_SOCKET;
1288 case PF_LLC:
1289 return SECCLASS_LLC_SOCKET;
1290 case PF_CAN:
1291 return SECCLASS_CAN_SOCKET;
1292 case PF_TIPC:
1293 return SECCLASS_TIPC_SOCKET;
1294 case PF_BLUETOOTH:
1295 return SECCLASS_BLUETOOTH_SOCKET;
1296 case PF_IUCV:
1297 return SECCLASS_IUCV_SOCKET;
1298 case PF_RXRPC:
1299 return SECCLASS_RXRPC_SOCKET;
1300 case PF_ISDN:
1301 return SECCLASS_ISDN_SOCKET;
1302 case PF_PHONET:
1303 return SECCLASS_PHONET_SOCKET;
1304 case PF_IEEE802154:
1305 return SECCLASS_IEEE802154_SOCKET;
1306 case PF_CAIF:
1307 return SECCLASS_CAIF_SOCKET;
1308 case PF_ALG:
1309 return SECCLASS_ALG_SOCKET;
1310 case PF_NFC:
1311 return SECCLASS_NFC_SOCKET;
1312 case PF_VSOCK:
1313 return SECCLASS_VSOCK_SOCKET;
1314 case PF_KCM:
1315 return SECCLASS_KCM_SOCKET;
1316 case PF_QIPCRTR:
1317 return SECCLASS_QIPCRTR_SOCKET;
1318 case PF_SMC:
1319 return SECCLASS_SMC_SOCKET;
1320 case PF_XDP:
1321 return SECCLASS_XDP_SOCKET;
1322 #if PF_MAX > 45
1323 #error New address family defined, please update this function.
1324 #endif
1325 }
1326 }
1327
1328 return SECCLASS_SOCKET;
1329 }
1330
1331 static int selinux_genfs_get_sid(struct dentry *dentry,
1332 u16 tclass,
1333 u16 flags,
1334 u32 *sid)
1335 {
1336 int rc;
1337 struct super_block *sb = dentry->d_sb;
1338 char *buffer, *path;
1339
1340 buffer = (char *)__get_free_page(GFP_KERNEL);
1341 if (!buffer)
1342 return -ENOMEM;
1343
1344 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1345 if (IS_ERR(path))
1346 rc = PTR_ERR(path);
1347 else {
1348 if (flags & SE_SBPROC) {
1349 /* each process gets a /proc/PID/ entry. Strip off the
1350 * PID part to get a valid selinux labeling.
1351 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1352 while (path[1] >= '0' && path[1] <= '9') {
1353 path[1] = '/';
1354 path++;
1355 }
1356 }
1357 rc = security_genfs_sid(&selinux_state, sb->s_type->name,
1358 path, tclass, sid);
1359 if (rc == -ENOENT) {
1360 /* No match in policy, mark as unlabeled. */
1361 *sid = SECINITSID_UNLABELED;
1362 rc = 0;
1363 }
1364 }
1365 free_page((unsigned long)buffer);
1366 return rc;
1367 }
1368
1369 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1370 u32 def_sid, u32 *sid)
1371 {
1372 #define INITCONTEXTLEN 255
1373 char *context;
1374 unsigned int len;
1375 int rc;
1376
1377 len = INITCONTEXTLEN;
1378 context = kmalloc(len + 1, GFP_NOFS);
1379 if (!context)
1380 return -ENOMEM;
1381
1382 context[len] = '\0';
1383 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1384 if (rc == -ERANGE) {
1385 kfree(context);
1386
1387 /* Need a larger buffer. Query for the right size. */
1388 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1389 if (rc < 0)
1390 return rc;
1391
1392 len = rc;
1393 context = kmalloc(len + 1, GFP_NOFS);
1394 if (!context)
1395 return -ENOMEM;
1396
1397 context[len] = '\0';
1398 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1399 context, len);
1400 }
1401 if (rc < 0) {
1402 kfree(context);
1403 if (rc != -ENODATA) {
1404 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1405 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1406 return rc;
1407 }
1408 *sid = def_sid;
1409 return 0;
1410 }
1411
1412 rc = security_context_to_sid_default(&selinux_state, context, rc, sid,
1413 def_sid, GFP_NOFS);
1414 if (rc) {
1415 char *dev = inode->i_sb->s_id;
1416 unsigned long ino = inode->i_ino;
1417
1418 if (rc == -EINVAL) {
1419 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1420 ino, dev, context);
1421 } else {
1422 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1423 __func__, context, -rc, dev, ino);
1424 }
1425 }
1426 kfree(context);
1427 return 0;
1428 }
1429
1430 /* The inode's security attributes must be initialized before first use. */
1431 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1432 {
1433 struct superblock_security_struct *sbsec = NULL;
1434 struct inode_security_struct *isec = selinux_inode(inode);
1435 u32 task_sid, sid = 0;
1436 u16 sclass;
1437 struct dentry *dentry;
1438 int rc = 0;
1439
1440 if (isec->initialized == LABEL_INITIALIZED)
1441 return 0;
1442
1443 spin_lock(&isec->lock);
1444 if (isec->initialized == LABEL_INITIALIZED)
1445 goto out_unlock;
1446
1447 if (isec->sclass == SECCLASS_FILE)
1448 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1449
1450 sbsec = inode->i_sb->s_security;
1451 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1452 /* Defer initialization until selinux_complete_init,
1453 after the initial policy is loaded and the security
1454 server is ready to handle calls. */
1455 spin_lock(&sbsec->isec_lock);
1456 if (list_empty(&isec->list))
1457 list_add(&isec->list, &sbsec->isec_head);
1458 spin_unlock(&sbsec->isec_lock);
1459 goto out_unlock;
1460 }
1461
1462 sclass = isec->sclass;
1463 task_sid = isec->task_sid;
1464 sid = isec->sid;
1465 isec->initialized = LABEL_PENDING;
1466 spin_unlock(&isec->lock);
1467
1468 switch (sbsec->behavior) {
1469 case SECURITY_FS_USE_NATIVE:
1470 break;
1471 case SECURITY_FS_USE_XATTR:
1472 if (!(inode->i_opflags & IOP_XATTR)) {
1473 sid = sbsec->def_sid;
1474 break;
1475 }
1476 /* Need a dentry, since the xattr API requires one.
1477 Life would be simpler if we could just pass the inode. */
1478 if (opt_dentry) {
1479 /* Called from d_instantiate or d_splice_alias. */
1480 dentry = dget(opt_dentry);
1481 } else {
1482 /*
1483 * Called from selinux_complete_init, try to find a dentry.
1484 * Some filesystems really want a connected one, so try
1485 * that first. We could split SECURITY_FS_USE_XATTR in
1486 * two, depending upon that...
1487 */
1488 dentry = d_find_alias(inode);
1489 if (!dentry)
1490 dentry = d_find_any_alias(inode);
1491 }
1492 if (!dentry) {
1493 /*
1494 * this is can be hit on boot when a file is accessed
1495 * before the policy is loaded. When we load policy we
1496 * may find inodes that have no dentry on the
1497 * sbsec->isec_head list. No reason to complain as these
1498 * will get fixed up the next time we go through
1499 * inode_doinit with a dentry, before these inodes could
1500 * be used again by userspace.
1501 */
1502 goto out;
1503 }
1504
1505 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1506 &sid);
1507 dput(dentry);
1508 if (rc)
1509 goto out;
1510 break;
1511 case SECURITY_FS_USE_TASK:
1512 sid = task_sid;
1513 break;
1514 case SECURITY_FS_USE_TRANS:
1515 /* Default to the fs SID. */
1516 sid = sbsec->sid;
1517
1518 /* Try to obtain a transition SID. */
1519 rc = security_transition_sid(&selinux_state, task_sid, sid,
1520 sclass, NULL, &sid);
1521 if (rc)
1522 goto out;
1523 break;
1524 case SECURITY_FS_USE_MNTPOINT:
1525 sid = sbsec->mntpoint_sid;
1526 break;
1527 default:
1528 /* Default to the fs superblock SID. */
1529 sid = sbsec->sid;
1530
1531 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
1532 /* We must have a dentry to determine the label on
1533 * procfs inodes */
1534 if (opt_dentry) {
1535 /* Called from d_instantiate or
1536 * d_splice_alias. */
1537 dentry = dget(opt_dentry);
1538 } else {
1539 /* Called from selinux_complete_init, try to
1540 * find a dentry. Some filesystems really want
1541 * a connected one, so try that first.
1542 */
1543 dentry = d_find_alias(inode);
1544 if (!dentry)
1545 dentry = d_find_any_alias(inode);
1546 }
1547 /*
1548 * This can be hit on boot when a file is accessed
1549 * before the policy is loaded. When we load policy we
1550 * may find inodes that have no dentry on the
1551 * sbsec->isec_head list. No reason to complain as
1552 * these will get fixed up the next time we go through
1553 * inode_doinit() with a dentry, before these inodes
1554 * could be used again by userspace.
1555 */
1556 if (!dentry)
1557 goto out;
1558 rc = selinux_genfs_get_sid(dentry, sclass,
1559 sbsec->flags, &sid);
1560 if (rc) {
1561 dput(dentry);
1562 goto out;
1563 }
1564
1565 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1566 (inode->i_opflags & IOP_XATTR)) {
1567 rc = inode_doinit_use_xattr(inode, dentry,
1568 sid, &sid);
1569 if (rc) {
1570 dput(dentry);
1571 goto out;
1572 }
1573 }
1574 dput(dentry);
1575 }
1576 break;
1577 }
1578
1579 out:
1580 spin_lock(&isec->lock);
1581 if (isec->initialized == LABEL_PENDING) {
1582 if (!sid || rc) {
1583 isec->initialized = LABEL_INVALID;
1584 goto out_unlock;
1585 }
1586
1587 isec->initialized = LABEL_INITIALIZED;
1588 isec->sid = sid;
1589 }
1590
1591 out_unlock:
1592 spin_unlock(&isec->lock);
1593 return rc;
1594 }
1595
1596 /* Convert a Linux signal to an access vector. */
1597 static inline u32 signal_to_av(int sig)
1598 {
1599 u32 perm = 0;
1600
1601 switch (sig) {
1602 case SIGCHLD:
1603 /* Commonly granted from child to parent. */
1604 perm = PROCESS__SIGCHLD;
1605 break;
1606 case SIGKILL:
1607 /* Cannot be caught or ignored */
1608 perm = PROCESS__SIGKILL;
1609 break;
1610 case SIGSTOP:
1611 /* Cannot be caught or ignored */
1612 perm = PROCESS__SIGSTOP;
1613 break;
1614 default:
1615 /* All other signals. */
1616 perm = PROCESS__SIGNAL;
1617 break;
1618 }
1619
1620 return perm;
1621 }
1622
1623 #if CAP_LAST_CAP > 63
1624 #error Fix SELinux to handle capabilities > 63.
1625 #endif
1626
1627 /* Check whether a task is allowed to use a capability. */
1628 static int cred_has_capability(const struct cred *cred,
1629 int cap, unsigned int opts, bool initns)
1630 {
1631 struct common_audit_data ad;
1632 struct av_decision avd;
1633 u16 sclass;
1634 u32 sid = cred_sid(cred);
1635 u32 av = CAP_TO_MASK(cap);
1636 int rc;
1637
1638 ad.type = LSM_AUDIT_DATA_CAP;
1639 ad.u.cap = cap;
1640
1641 switch (CAP_TO_INDEX(cap)) {
1642 case 0:
1643 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1644 break;
1645 case 1:
1646 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1647 break;
1648 default:
1649 pr_err("SELinux: out of range capability %d\n", cap);
1650 BUG();
1651 return -EINVAL;
1652 }
1653
1654 rc = avc_has_perm_noaudit(&selinux_state,
1655 sid, sid, sclass, av, 0, &avd);
1656 if (!(opts & CAP_OPT_NOAUDIT)) {
1657 int rc2 = avc_audit(&selinux_state,
1658 sid, sid, sclass, av, &avd, rc, &ad, 0);
1659 if (rc2)
1660 return rc2;
1661 }
1662 return rc;
1663 }
1664
1665 /* Check whether a task has a particular permission to an inode.
1666 The 'adp' parameter is optional and allows other audit
1667 data to be passed (e.g. the dentry). */
1668 static int inode_has_perm(const struct cred *cred,
1669 struct inode *inode,
1670 u32 perms,
1671 struct common_audit_data *adp)
1672 {
1673 struct inode_security_struct *isec;
1674 u32 sid;
1675
1676 validate_creds(cred);
1677
1678 if (unlikely(IS_PRIVATE(inode)))
1679 return 0;
1680
1681 sid = cred_sid(cred);
1682 isec = selinux_inode(inode);
1683
1684 return avc_has_perm(&selinux_state,
1685 sid, isec->sid, isec->sclass, perms, adp);
1686 }
1687
1688 /* Same as inode_has_perm, but pass explicit audit data containing
1689 the dentry to help the auditing code to more easily generate the
1690 pathname if needed. */
1691 static inline int dentry_has_perm(const struct cred *cred,
1692 struct dentry *dentry,
1693 u32 av)
1694 {
1695 struct inode *inode = d_backing_inode(dentry);
1696 struct common_audit_data ad;
1697
1698 ad.type = LSM_AUDIT_DATA_DENTRY;
1699 ad.u.dentry = dentry;
1700 __inode_security_revalidate(inode, dentry, true);
1701 return inode_has_perm(cred, inode, av, &ad);
1702 }
1703
1704 /* Same as inode_has_perm, but pass explicit audit data containing
1705 the path to help the auditing code to more easily generate the
1706 pathname if needed. */
1707 static inline int path_has_perm(const struct cred *cred,
1708 const struct path *path,
1709 u32 av)
1710 {
1711 struct inode *inode = d_backing_inode(path->dentry);
1712 struct common_audit_data ad;
1713
1714 ad.type = LSM_AUDIT_DATA_PATH;
1715 ad.u.path = *path;
1716 __inode_security_revalidate(inode, path->dentry, true);
1717 return inode_has_perm(cred, inode, av, &ad);
1718 }
1719
1720 /* Same as path_has_perm, but uses the inode from the file struct. */
1721 static inline int file_path_has_perm(const struct cred *cred,
1722 struct file *file,
1723 u32 av)
1724 {
1725 struct common_audit_data ad;
1726
1727 ad.type = LSM_AUDIT_DATA_FILE;
1728 ad.u.file = file;
1729 return inode_has_perm(cred, file_inode(file), av, &ad);
1730 }
1731
1732 #ifdef CONFIG_BPF_SYSCALL
1733 static int bpf_fd_pass(struct file *file, u32 sid);
1734 #endif
1735
1736 /* Check whether a task can use an open file descriptor to
1737 access an inode in a given way. Check access to the
1738 descriptor itself, and then use dentry_has_perm to
1739 check a particular permission to the file.
1740 Access to the descriptor is implicitly granted if it
1741 has the same SID as the process. If av is zero, then
1742 access to the file is not checked, e.g. for cases
1743 where only the descriptor is affected like seek. */
1744 static int file_has_perm(const struct cred *cred,
1745 struct file *file,
1746 u32 av)
1747 {
1748 struct file_security_struct *fsec = selinux_file(file);
1749 struct inode *inode = file_inode(file);
1750 struct common_audit_data ad;
1751 u32 sid = cred_sid(cred);
1752 int rc;
1753
1754 ad.type = LSM_AUDIT_DATA_FILE;
1755 ad.u.file = file;
1756
1757 if (sid != fsec->sid) {
1758 rc = avc_has_perm(&selinux_state,
1759 sid, fsec->sid,
1760 SECCLASS_FD,
1761 FD__USE,
1762 &ad);
1763 if (rc)
1764 goto out;
1765 }
1766
1767 #ifdef CONFIG_BPF_SYSCALL
1768 rc = bpf_fd_pass(file, cred_sid(cred));
1769 if (rc)
1770 return rc;
1771 #endif
1772
1773 /* av is zero if only checking access to the descriptor. */
1774 rc = 0;
1775 if (av)
1776 rc = inode_has_perm(cred, inode, av, &ad);
1777
1778 out:
1779 return rc;
1780 }
1781
1782 /*
1783 * Determine the label for an inode that might be unioned.
1784 */
1785 static int
1786 selinux_determine_inode_label(const struct task_security_struct *tsec,
1787 struct inode *dir,
1788 const struct qstr *name, u16 tclass,
1789 u32 *_new_isid)
1790 {
1791 const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
1792
1793 if ((sbsec->flags & SE_SBINITIALIZED) &&
1794 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1795 *_new_isid = sbsec->mntpoint_sid;
1796 } else if ((sbsec->flags & SBLABEL_MNT) &&
1797 tsec->create_sid) {
1798 *_new_isid = tsec->create_sid;
1799 } else {
1800 const struct inode_security_struct *dsec = inode_security(dir);
1801 return security_transition_sid(&selinux_state, tsec->sid,
1802 dsec->sid, tclass,
1803 name, _new_isid);
1804 }
1805
1806 return 0;
1807 }
1808
1809 /* Check whether a task can create a file. */
1810 static int may_create(struct inode *dir,
1811 struct dentry *dentry,
1812 u16 tclass)
1813 {
1814 const struct task_security_struct *tsec = selinux_cred(current_cred());
1815 struct inode_security_struct *dsec;
1816 struct superblock_security_struct *sbsec;
1817 u32 sid, newsid;
1818 struct common_audit_data ad;
1819 int rc;
1820
1821 dsec = inode_security(dir);
1822 sbsec = dir->i_sb->s_security;
1823
1824 sid = tsec->sid;
1825
1826 ad.type = LSM_AUDIT_DATA_DENTRY;
1827 ad.u.dentry = dentry;
1828
1829 rc = avc_has_perm(&selinux_state,
1830 sid, dsec->sid, SECCLASS_DIR,
1831 DIR__ADD_NAME | DIR__SEARCH,
1832 &ad);
1833 if (rc)
1834 return rc;
1835
1836 rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
1837 &dentry->d_name, tclass, &newsid);
1838 if (rc)
1839 return rc;
1840
1841 rc = avc_has_perm(&selinux_state,
1842 sid, newsid, tclass, FILE__CREATE, &ad);
1843 if (rc)
1844 return rc;
1845
1846 return avc_has_perm(&selinux_state,
1847 newsid, sbsec->sid,
1848 SECCLASS_FILESYSTEM,
1849 FILESYSTEM__ASSOCIATE, &ad);
1850 }
1851
1852 #define MAY_LINK 0
1853 #define MAY_UNLINK 1
1854 #define MAY_RMDIR 2
1855
1856 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1857 static int may_link(struct inode *dir,
1858 struct dentry *dentry,
1859 int kind)
1860
1861 {
1862 struct inode_security_struct *dsec, *isec;
1863 struct common_audit_data ad;
1864 u32 sid = current_sid();
1865 u32 av;
1866 int rc;
1867
1868 dsec = inode_security(dir);
1869 isec = backing_inode_security(dentry);
1870
1871 ad.type = LSM_AUDIT_DATA_DENTRY;
1872 ad.u.dentry = dentry;
1873
1874 av = DIR__SEARCH;
1875 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1876 rc = avc_has_perm(&selinux_state,
1877 sid, dsec->sid, SECCLASS_DIR, av, &ad);
1878 if (rc)
1879 return rc;
1880
1881 switch (kind) {
1882 case MAY_LINK:
1883 av = FILE__LINK;
1884 break;
1885 case MAY_UNLINK:
1886 av = FILE__UNLINK;
1887 break;
1888 case MAY_RMDIR:
1889 av = DIR__RMDIR;
1890 break;
1891 default:
1892 pr_warn("SELinux: %s: unrecognized kind %d\n",
1893 __func__, kind);
1894 return 0;
1895 }
1896
1897 rc = avc_has_perm(&selinux_state,
1898 sid, isec->sid, isec->sclass, av, &ad);
1899 return rc;
1900 }
1901
1902 static inline int may_rename(struct inode *old_dir,
1903 struct dentry *old_dentry,
1904 struct inode *new_dir,
1905 struct dentry *new_dentry)
1906 {
1907 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1908 struct common_audit_data ad;
1909 u32 sid = current_sid();
1910 u32 av;
1911 int old_is_dir, new_is_dir;
1912 int rc;
1913
1914 old_dsec = inode_security(old_dir);
1915 old_isec = backing_inode_security(old_dentry);
1916 old_is_dir = d_is_dir(old_dentry);
1917 new_dsec = inode_security(new_dir);
1918
1919 ad.type = LSM_AUDIT_DATA_DENTRY;
1920
1921 ad.u.dentry = old_dentry;
1922 rc = avc_has_perm(&selinux_state,
1923 sid, old_dsec->sid, SECCLASS_DIR,
1924 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1925 if (rc)
1926 return rc;
1927 rc = avc_has_perm(&selinux_state,
1928 sid, old_isec->sid,
1929 old_isec->sclass, FILE__RENAME, &ad);
1930 if (rc)
1931 return rc;
1932 if (old_is_dir && new_dir != old_dir) {
1933 rc = avc_has_perm(&selinux_state,
1934 sid, old_isec->sid,
1935 old_isec->sclass, DIR__REPARENT, &ad);
1936 if (rc)
1937 return rc;
1938 }
1939
1940 ad.u.dentry = new_dentry;
1941 av = DIR__ADD_NAME | DIR__SEARCH;
1942 if (d_is_positive(new_dentry))
1943 av |= DIR__REMOVE_NAME;
1944 rc = avc_has_perm(&selinux_state,
1945 sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1946 if (rc)
1947 return rc;
1948 if (d_is_positive(new_dentry)) {
1949 new_isec = backing_inode_security(new_dentry);
1950 new_is_dir = d_is_dir(new_dentry);
1951 rc = avc_has_perm(&selinux_state,
1952 sid, new_isec->sid,
1953 new_isec->sclass,
1954 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1955 if (rc)
1956 return rc;
1957 }
1958
1959 return 0;
1960 }
1961
1962 /* Check whether a task can perform a filesystem operation. */
1963 static int superblock_has_perm(const struct cred *cred,
1964 struct super_block *sb,
1965 u32 perms,
1966 struct common_audit_data *ad)
1967 {
1968 struct superblock_security_struct *sbsec;
1969 u32 sid = cred_sid(cred);
1970
1971 sbsec = sb->s_security;
1972 return avc_has_perm(&selinux_state,
1973 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1974 }
1975
1976 /* Convert a Linux mode and permission mask to an access vector. */
1977 static inline u32 file_mask_to_av(int mode, int mask)
1978 {
1979 u32 av = 0;
1980
1981 if (!S_ISDIR(mode)) {
1982 if (mask & MAY_EXEC)
1983 av |= FILE__EXECUTE;
1984 if (mask & MAY_READ)
1985 av |= FILE__READ;
1986
1987 if (mask & MAY_APPEND)
1988 av |= FILE__APPEND;
1989 else if (mask & MAY_WRITE)
1990 av |= FILE__WRITE;
1991
1992 } else {
1993 if (mask & MAY_EXEC)
1994 av |= DIR__SEARCH;
1995 if (mask & MAY_WRITE)
1996 av |= DIR__WRITE;
1997 if (mask & MAY_READ)
1998 av |= DIR__READ;
1999 }
2000
2001 return av;
2002 }
2003
2004 /* Convert a Linux file to an access vector. */
2005 static inline u32 file_to_av(struct file *file)
2006 {
2007 u32 av = 0;
2008
2009 if (file->f_mode & FMODE_READ)
2010 av |= FILE__READ;
2011 if (file->f_mode & FMODE_WRITE) {
2012 if (file->f_flags & O_APPEND)
2013 av |= FILE__APPEND;
2014 else
2015 av |= FILE__WRITE;
2016 }
2017 if (!av) {
2018 /*
2019 * Special file opened with flags 3 for ioctl-only use.
2020 */
2021 av = FILE__IOCTL;
2022 }
2023
2024 return av;
2025 }
2026
2027 /*
2028 * Convert a file to an access vector and include the correct open
2029 * open permission.
2030 */
2031 static inline u32 open_file_to_av(struct file *file)
2032 {
2033 u32 av = file_to_av(file);
2034 struct inode *inode = file_inode(file);
2035
2036 if (selinux_policycap_openperm() &&
2037 inode->i_sb->s_magic != SOCKFS_MAGIC)
2038 av |= FILE__OPEN;
2039
2040 return av;
2041 }
2042
2043 /* Hook functions begin here. */
2044
2045 static int selinux_binder_set_context_mgr(struct task_struct *mgr)
2046 {
2047 u32 mysid = current_sid();
2048 u32 mgrsid = task_sid(mgr);
2049
2050 return avc_has_perm(&selinux_state,
2051 mysid, mgrsid, SECCLASS_BINDER,
2052 BINDER__SET_CONTEXT_MGR, NULL);
2053 }
2054
2055 static int selinux_binder_transaction(struct task_struct *from,
2056 struct task_struct *to)
2057 {
2058 u32 mysid = current_sid();
2059 u32 fromsid = task_sid(from);
2060 u32 tosid = task_sid(to);
2061 int rc;
2062
2063 if (mysid != fromsid) {
2064 rc = avc_has_perm(&selinux_state,
2065 mysid, fromsid, SECCLASS_BINDER,
2066 BINDER__IMPERSONATE, NULL);
2067 if (rc)
2068 return rc;
2069 }
2070
2071 return avc_has_perm(&selinux_state,
2072 fromsid, tosid, SECCLASS_BINDER, BINDER__CALL,
2073 NULL);
2074 }
2075
2076 static int selinux_binder_transfer_binder(struct task_struct *from,
2077 struct task_struct *to)
2078 {
2079 u32 fromsid = task_sid(from);
2080 u32 tosid = task_sid(to);
2081
2082 return avc_has_perm(&selinux_state,
2083 fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER,
2084 NULL);
2085 }
2086
2087 static int selinux_binder_transfer_file(struct task_struct *from,
2088 struct task_struct *to,
2089 struct file *file)
2090 {
2091 u32 sid = task_sid(to);
2092 struct file_security_struct *fsec = selinux_file(file);
2093 struct dentry *dentry = file->f_path.dentry;
2094 struct inode_security_struct *isec;
2095 struct common_audit_data ad;
2096 int rc;
2097
2098 ad.type = LSM_AUDIT_DATA_PATH;
2099 ad.u.path = file->f_path;
2100
2101 if (sid != fsec->sid) {
2102 rc = avc_has_perm(&selinux_state,
2103 sid, fsec->sid,
2104 SECCLASS_FD,
2105 FD__USE,
2106 &ad);
2107 if (rc)
2108 return rc;
2109 }
2110
2111 #ifdef CONFIG_BPF_SYSCALL
2112 rc = bpf_fd_pass(file, sid);
2113 if (rc)
2114 return rc;
2115 #endif
2116
2117 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2118 return 0;
2119
2120 isec = backing_inode_security(dentry);
2121 return avc_has_perm(&selinux_state,
2122 sid, isec->sid, isec->sclass, file_to_av(file),
2123 &ad);
2124 }
2125
2126 static int selinux_ptrace_access_check(struct task_struct *child,
2127 unsigned int mode)
2128 {
2129 u32 sid = current_sid();
2130 u32 csid = task_sid(child);
2131
2132 if (mode & PTRACE_MODE_READ)
2133 return avc_has_perm(&selinux_state,
2134 sid, csid, SECCLASS_FILE, FILE__READ, NULL);
2135
2136 return avc_has_perm(&selinux_state,
2137 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2138 }
2139
2140 static int selinux_ptrace_traceme(struct task_struct *parent)
2141 {
2142 return avc_has_perm(&selinux_state,
2143 task_sid(parent), current_sid(), SECCLASS_PROCESS,
2144 PROCESS__PTRACE, NULL);
2145 }
2146
2147 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
2148 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2149 {
2150 return avc_has_perm(&selinux_state,
2151 current_sid(), task_sid(target), SECCLASS_PROCESS,
2152 PROCESS__GETCAP, NULL);
2153 }
2154
2155 static int selinux_capset(struct cred *new, const struct cred *old,
2156 const kernel_cap_t *effective,
2157 const kernel_cap_t *inheritable,
2158 const kernel_cap_t *permitted)
2159 {
2160 return avc_has_perm(&selinux_state,
2161 cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2162 PROCESS__SETCAP, NULL);
2163 }
2164
2165 /*
2166 * (This comment used to live with the selinux_task_setuid hook,
2167 * which was removed).
2168 *
2169 * Since setuid only affects the current process, and since the SELinux
2170 * controls are not based on the Linux identity attributes, SELinux does not
2171 * need to control this operation. However, SELinux does control the use of
2172 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2173 */
2174
2175 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2176 int cap, unsigned int opts)
2177 {
2178 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2179 }
2180
2181 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
2182 {
2183 const struct cred *cred = current_cred();
2184 int rc = 0;
2185
2186 if (!sb)
2187 return 0;
2188
2189 switch (cmds) {
2190 case Q_SYNC:
2191 case Q_QUOTAON:
2192 case Q_QUOTAOFF:
2193 case Q_SETINFO:
2194 case Q_SETQUOTA:
2195 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2196 break;
2197 case Q_GETFMT:
2198 case Q_GETINFO:
2199 case Q_GETQUOTA:
2200 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2201 break;
2202 default:
2203 rc = 0; /* let the kernel handle invalid cmds */
2204 break;
2205 }
2206 return rc;
2207 }
2208
2209 static int selinux_quota_on(struct dentry *dentry)
2210 {
2211 const struct cred *cred = current_cred();
2212
2213 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2214 }
2215
2216 static int selinux_syslog(int type)
2217 {
2218 switch (type) {
2219 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2220 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2221 return avc_has_perm(&selinux_state,
2222 current_sid(), SECINITSID_KERNEL,
2223 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2224 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2225 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2226 /* Set level of messages printed to console */
2227 case SYSLOG_ACTION_CONSOLE_LEVEL:
2228 return avc_has_perm(&selinux_state,
2229 current_sid(), SECINITSID_KERNEL,
2230 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2231 NULL);
2232 }
2233 /* All other syslog types */
2234 return avc_has_perm(&selinux_state,
2235 current_sid(), SECINITSID_KERNEL,
2236 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2237 }
2238
2239 /*
2240 * Check that a process has enough memory to allocate a new virtual
2241 * mapping. 0 means there is enough memory for the allocation to
2242 * succeed and -ENOMEM implies there is not.
2243 *
2244 * Do not audit the selinux permission check, as this is applied to all
2245 * processes that allocate mappings.
2246 */
2247 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2248 {
2249 int rc, cap_sys_admin = 0;
2250
2251 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2252 CAP_OPT_NOAUDIT, true);
2253 if (rc == 0)
2254 cap_sys_admin = 1;
2255
2256 return cap_sys_admin;
2257 }
2258
2259 /* binprm security operations */
2260
2261 static u32 ptrace_parent_sid(void)
2262 {
2263 u32 sid = 0;
2264 struct task_struct *tracer;
2265
2266 rcu_read_lock();
2267 tracer = ptrace_parent(current);
2268 if (tracer)
2269 sid = task_sid(tracer);
2270 rcu_read_unlock();
2271
2272 return sid;
2273 }
2274
2275 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2276 const struct task_security_struct *old_tsec,
2277 const struct task_security_struct *new_tsec)
2278 {
2279 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2280 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2281 int rc;
2282 u32 av;
2283
2284 if (!nnp && !nosuid)
2285 return 0; /* neither NNP nor nosuid */
2286
2287 if (new_tsec->sid == old_tsec->sid)
2288 return 0; /* No change in credentials */
2289
2290 /*
2291 * If the policy enables the nnp_nosuid_transition policy capability,
2292 * then we permit transitions under NNP or nosuid if the
2293 * policy allows the corresponding permission between
2294 * the old and new contexts.
2295 */
2296 if (selinux_policycap_nnp_nosuid_transition()) {
2297 av = 0;
2298 if (nnp)
2299 av |= PROCESS2__NNP_TRANSITION;
2300 if (nosuid)
2301 av |= PROCESS2__NOSUID_TRANSITION;
2302 rc = avc_has_perm(&selinux_state,
2303 old_tsec->sid, new_tsec->sid,
2304 SECCLASS_PROCESS2, av, NULL);
2305 if (!rc)
2306 return 0;
2307 }
2308
2309 /*
2310 * We also permit NNP or nosuid transitions to bounded SIDs,
2311 * i.e. SIDs that are guaranteed to only be allowed a subset
2312 * of the permissions of the current SID.
2313 */
2314 rc = security_bounded_transition(&selinux_state, old_tsec->sid,
2315 new_tsec->sid);
2316 if (!rc)
2317 return 0;
2318
2319 /*
2320 * On failure, preserve the errno values for NNP vs nosuid.
2321 * NNP: Operation not permitted for caller.
2322 * nosuid: Permission denied to file.
2323 */
2324 if (nnp)
2325 return -EPERM;
2326 return -EACCES;
2327 }
2328
2329 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2330 {
2331 const struct task_security_struct *old_tsec;
2332 struct task_security_struct *new_tsec;
2333 struct inode_security_struct *isec;
2334 struct common_audit_data ad;
2335 struct inode *inode = file_inode(bprm->file);
2336 int rc;
2337
2338 /* SELinux context only depends on initial program or script and not
2339 * the script interpreter */
2340 if (bprm->called_set_creds)
2341 return 0;
2342
2343 old_tsec = selinux_cred(current_cred());
2344 new_tsec = selinux_cred(bprm->cred);
2345 isec = inode_security(inode);
2346
2347 /* Default to the current task SID. */
2348 new_tsec->sid = old_tsec->sid;
2349 new_tsec->osid = old_tsec->sid;
2350
2351 /* Reset fs, key, and sock SIDs on execve. */
2352 new_tsec->create_sid = 0;
2353 new_tsec->keycreate_sid = 0;
2354 new_tsec->sockcreate_sid = 0;
2355
2356 if (old_tsec->exec_sid) {
2357 new_tsec->sid = old_tsec->exec_sid;
2358 /* Reset exec SID on execve. */
2359 new_tsec->exec_sid = 0;
2360
2361 /* Fail on NNP or nosuid if not an allowed transition. */
2362 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2363 if (rc)
2364 return rc;
2365 } else {
2366 /* Check for a default transition on this program. */
2367 rc = security_transition_sid(&selinux_state, old_tsec->sid,
2368 isec->sid, SECCLASS_PROCESS, NULL,
2369 &new_tsec->sid);
2370 if (rc)
2371 return rc;
2372
2373 /*
2374 * Fallback to old SID on NNP or nosuid if not an allowed
2375 * transition.
2376 */
2377 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2378 if (rc)
2379 new_tsec->sid = old_tsec->sid;
2380 }
2381
2382 ad.type = LSM_AUDIT_DATA_FILE;
2383 ad.u.file = bprm->file;
2384
2385 if (new_tsec->sid == old_tsec->sid) {
2386 rc = avc_has_perm(&selinux_state,
2387 old_tsec->sid, isec->sid,
2388 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2389 if (rc)
2390 return rc;
2391 } else {
2392 /* Check permissions for the transition. */
2393 rc = avc_has_perm(&selinux_state,
2394 old_tsec->sid, new_tsec->sid,
2395 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2396 if (rc)
2397 return rc;
2398
2399 rc = avc_has_perm(&selinux_state,
2400 new_tsec->sid, isec->sid,
2401 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2402 if (rc)
2403 return rc;
2404
2405 /* Check for shared state */
2406 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2407 rc = avc_has_perm(&selinux_state,
2408 old_tsec->sid, new_tsec->sid,
2409 SECCLASS_PROCESS, PROCESS__SHARE,
2410 NULL);
2411 if (rc)
2412 return -EPERM;
2413 }
2414
2415 /* Make sure that anyone attempting to ptrace over a task that
2416 * changes its SID has the appropriate permit */
2417 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2418 u32 ptsid = ptrace_parent_sid();
2419 if (ptsid != 0) {
2420 rc = avc_has_perm(&selinux_state,
2421 ptsid, new_tsec->sid,
2422 SECCLASS_PROCESS,
2423 PROCESS__PTRACE, NULL);
2424 if (rc)
2425 return -EPERM;
2426 }
2427 }
2428
2429 /* Clear any possibly unsafe personality bits on exec: */
2430 bprm->per_clear |= PER_CLEAR_ON_SETID;
2431
2432 /* Enable secure mode for SIDs transitions unless
2433 the noatsecure permission is granted between
2434 the two SIDs, i.e. ahp returns 0. */
2435 rc = avc_has_perm(&selinux_state,
2436 old_tsec->sid, new_tsec->sid,
2437 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2438 NULL);
2439 bprm->secureexec |= !!rc;
2440 }
2441
2442 return 0;
2443 }
2444
2445 static int match_file(const void *p, struct file *file, unsigned fd)
2446 {
2447 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2448 }
2449
2450 /* Derived from fs/exec.c:flush_old_files. */
2451 static inline void flush_unauthorized_files(const struct cred *cred,
2452 struct files_struct *files)
2453 {
2454 struct file *file, *devnull = NULL;
2455 struct tty_struct *tty;
2456 int drop_tty = 0;
2457 unsigned n;
2458
2459 tty = get_current_tty();
2460 if (tty) {
2461 spin_lock(&tty->files_lock);
2462 if (!list_empty(&tty->tty_files)) {
2463 struct tty_file_private *file_priv;
2464
2465 /* Revalidate access to controlling tty.
2466 Use file_path_has_perm on the tty path directly
2467 rather than using file_has_perm, as this particular
2468 open file may belong to another process and we are
2469 only interested in the inode-based check here. */
2470 file_priv = list_first_entry(&tty->tty_files,
2471 struct tty_file_private, list);
2472 file = file_priv->file;
2473 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2474 drop_tty = 1;
2475 }
2476 spin_unlock(&tty->files_lock);
2477 tty_kref_put(tty);
2478 }
2479 /* Reset controlling tty. */
2480 if (drop_tty)
2481 no_tty();
2482
2483 /* Revalidate access to inherited open files. */
2484 n = iterate_fd(files, 0, match_file, cred);
2485 if (!n) /* none found? */
2486 return;
2487
2488 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2489 if (IS_ERR(devnull))
2490 devnull = NULL;
2491 /* replace all the matching ones with this */
2492 do {
2493 replace_fd(n - 1, devnull, 0);
2494 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2495 if (devnull)
2496 fput(devnull);
2497 }
2498
2499 /*
2500 * Prepare a process for imminent new credential changes due to exec
2501 */
2502 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2503 {
2504 struct task_security_struct *new_tsec;
2505 struct rlimit *rlim, *initrlim;
2506 int rc, i;
2507
2508 new_tsec = selinux_cred(bprm->cred);
2509 if (new_tsec->sid == new_tsec->osid)
2510 return;
2511
2512 /* Close files for which the new task SID is not authorized. */
2513 flush_unauthorized_files(bprm->cred, current->files);
2514
2515 /* Always clear parent death signal on SID transitions. */
2516 current->pdeath_signal = 0;
2517
2518 /* Check whether the new SID can inherit resource limits from the old
2519 * SID. If not, reset all soft limits to the lower of the current
2520 * task's hard limit and the init task's soft limit.
2521 *
2522 * Note that the setting of hard limits (even to lower them) can be
2523 * controlled by the setrlimit check. The inclusion of the init task's
2524 * soft limit into the computation is to avoid resetting soft limits
2525 * higher than the default soft limit for cases where the default is
2526 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2527 */
2528 rc = avc_has_perm(&selinux_state,
2529 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2530 PROCESS__RLIMITINH, NULL);
2531 if (rc) {
2532 /* protect against do_prlimit() */
2533 task_lock(current);
2534 for (i = 0; i < RLIM_NLIMITS; i++) {
2535 rlim = current->signal->rlim + i;
2536 initrlim = init_task.signal->rlim + i;
2537 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2538 }
2539 task_unlock(current);
2540 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2541 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2542 }
2543 }
2544
2545 /*
2546 * Clean up the process immediately after the installation of new credentials
2547 * due to exec
2548 */
2549 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2550 {
2551 const struct task_security_struct *tsec = selinux_cred(current_cred());
2552 u32 osid, sid;
2553 int rc;
2554
2555 osid = tsec->osid;
2556 sid = tsec->sid;
2557
2558 if (sid == osid)
2559 return;
2560
2561 /* Check whether the new SID can inherit signal state from the old SID.
2562 * If not, clear itimers to avoid subsequent signal generation and
2563 * flush and unblock signals.
2564 *
2565 * This must occur _after_ the task SID has been updated so that any
2566 * kill done after the flush will be checked against the new SID.
2567 */
2568 rc = avc_has_perm(&selinux_state,
2569 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2570 if (rc) {
2571 clear_itimer();
2572
2573 spin_lock_irq(&current->sighand->siglock);
2574 if (!fatal_signal_pending(current)) {
2575 flush_sigqueue(&current->pending);
2576 flush_sigqueue(&current->signal->shared_pending);
2577 flush_signal_handlers(current, 1);
2578 sigemptyset(&current->blocked);
2579 recalc_sigpending();
2580 }
2581 spin_unlock_irq(&current->sighand->siglock);
2582 }
2583
2584 /* Wake up the parent if it is waiting so that it can recheck
2585 * wait permission to the new task SID. */
2586 read_lock(&tasklist_lock);
2587 __wake_up_parent(current, current->real_parent);
2588 read_unlock(&tasklist_lock);
2589 }
2590
2591 /* superblock security operations */
2592
2593 static int selinux_sb_alloc_security(struct super_block *sb)
2594 {
2595 return superblock_alloc_security(sb);
2596 }
2597
2598 static void selinux_sb_free_security(struct super_block *sb)
2599 {
2600 superblock_free_security(sb);
2601 }
2602
2603 static inline int opt_len(const char *s)
2604 {
2605 bool open_quote = false;
2606 int len;
2607 char c;
2608
2609 for (len = 0; (c = s[len]) != '\0'; len++) {
2610 if (c == '"')
2611 open_quote = !open_quote;
2612 if (c == ',' && !open_quote)
2613 break;
2614 }
2615 return len;
2616 }
2617
2618 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2619 {
2620 char *from = options;
2621 char *to = options;
2622 bool first = true;
2623 int rc;
2624
2625 while (1) {
2626 int len = opt_len(from);
2627 int token;
2628 char *arg = NULL;
2629
2630 token = match_opt_prefix(from, len, &arg);
2631
2632 if (token != Opt_error) {
2633 char *p, *q;
2634
2635 /* strip quotes */
2636 if (arg) {
2637 for (p = q = arg; p < from + len; p++) {
2638 char c = *p;
2639 if (c != '"')
2640 *q++ = c;
2641 }
2642 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2643 if (!arg) {
2644 rc = -ENOMEM;
2645 goto free_opt;
2646 }
2647 }
2648 rc = selinux_add_opt(token, arg, mnt_opts);
2649 if (unlikely(rc)) {
2650 kfree(arg);
2651 goto free_opt;
2652 }
2653 } else {
2654 if (!first) { // copy with preceding comma
2655 from--;
2656 len++;
2657 }
2658 if (to != from)
2659 memmove(to, from, len);
2660 to += len;
2661 first = false;
2662 }
2663 if (!from[len])
2664 break;
2665 from += len + 1;
2666 }
2667 *to = '\0';
2668 return 0;
2669
2670 free_opt:
2671 if (*mnt_opts) {
2672 selinux_free_mnt_opts(*mnt_opts);
2673 *mnt_opts = NULL;
2674 }
2675 return rc;
2676 }
2677
2678 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2679 {
2680 struct selinux_mnt_opts *opts = mnt_opts;
2681 struct superblock_security_struct *sbsec = sb->s_security;
2682 u32 sid;
2683 int rc;
2684
2685 if (!(sbsec->flags & SE_SBINITIALIZED))
2686 return 0;
2687
2688 if (!opts)
2689 return 0;
2690
2691 if (opts->fscontext) {
2692 rc = parse_sid(sb, opts->fscontext, &sid);
2693 if (rc)
2694 return rc;
2695 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
2696 goto out_bad_option;
2697 }
2698 if (opts->context) {
2699 rc = parse_sid(sb, opts->context, &sid);
2700 if (rc)
2701 return rc;
2702 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
2703 goto out_bad_option;
2704 }
2705 if (opts->rootcontext) {
2706 struct inode_security_struct *root_isec;
2707 root_isec = backing_inode_security(sb->s_root);
2708 rc = parse_sid(sb, opts->rootcontext, &sid);
2709 if (rc)
2710 return rc;
2711 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
2712 goto out_bad_option;
2713 }
2714 if (opts->defcontext) {
2715 rc = parse_sid(sb, opts->defcontext, &sid);
2716 if (rc)
2717 return rc;
2718 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
2719 goto out_bad_option;
2720 }
2721 return 0;
2722
2723 out_bad_option:
2724 pr_warn("SELinux: unable to change security options "
2725 "during remount (dev %s, type=%s)\n", sb->s_id,
2726 sb->s_type->name);
2727 return -EINVAL;
2728 }
2729
2730 static int selinux_sb_kern_mount(struct super_block *sb)
2731 {
2732 const struct cred *cred = current_cred();
2733 struct common_audit_data ad;
2734
2735 ad.type = LSM_AUDIT_DATA_DENTRY;
2736 ad.u.dentry = sb->s_root;
2737 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2738 }
2739
2740 static int selinux_sb_statfs(struct dentry *dentry)
2741 {
2742 const struct cred *cred = current_cred();
2743 struct common_audit_data ad;
2744
2745 ad.type = LSM_AUDIT_DATA_DENTRY;
2746 ad.u.dentry = dentry->d_sb->s_root;
2747 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2748 }
2749
2750 static int selinux_mount(const char *dev_name,
2751 const struct path *path,
2752 const char *type,
2753 unsigned long flags,
2754 void *data)
2755 {
2756 const struct cred *cred = current_cred();
2757
2758 if (flags & MS_REMOUNT)
2759 return superblock_has_perm(cred, path->dentry->d_sb,
2760 FILESYSTEM__REMOUNT, NULL);
2761 else
2762 return path_has_perm(cred, path, FILE__MOUNTON);
2763 }
2764
2765 static int selinux_move_mount(const struct path *from_path,
2766 const struct path *to_path)
2767 {
2768 const struct cred *cred = current_cred();
2769
2770 return path_has_perm(cred, to_path, FILE__MOUNTON);
2771 }
2772
2773 static int selinux_umount(struct vfsmount *mnt, int flags)
2774 {
2775 const struct cred *cred = current_cred();
2776
2777 return superblock_has_perm(cred, mnt->mnt_sb,
2778 FILESYSTEM__UNMOUNT, NULL);
2779 }
2780
2781 static int selinux_fs_context_dup(struct fs_context *fc,
2782 struct fs_context *src_fc)
2783 {
2784 const struct selinux_mnt_opts *src = src_fc->security;
2785 struct selinux_mnt_opts *opts;
2786
2787 if (!src)
2788 return 0;
2789
2790 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
2791 if (!fc->security)
2792 return -ENOMEM;
2793
2794 opts = fc->security;
2795
2796 if (src->fscontext) {
2797 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL);
2798 if (!opts->fscontext)
2799 return -ENOMEM;
2800 }
2801 if (src->context) {
2802 opts->context = kstrdup(src->context, GFP_KERNEL);
2803 if (!opts->context)
2804 return -ENOMEM;
2805 }
2806 if (src->rootcontext) {
2807 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL);
2808 if (!opts->rootcontext)
2809 return -ENOMEM;
2810 }
2811 if (src->defcontext) {
2812 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL);
2813 if (!opts->defcontext)
2814 return -ENOMEM;
2815 }
2816 return 0;
2817 }
2818
2819 static const struct fs_parameter_spec selinux_param_specs[] = {
2820 fsparam_string(CONTEXT_STR, Opt_context),
2821 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2822 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2823 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2824 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2825 {}
2826 };
2827
2828 static const struct fs_parameter_description selinux_fs_parameters = {
2829 .name = "SELinux",
2830 .specs = selinux_param_specs,
2831 };
2832
2833 static int selinux_fs_context_parse_param(struct fs_context *fc,
2834 struct fs_parameter *param)
2835 {
2836 struct fs_parse_result result;
2837 int opt, rc;
2838
2839 opt = fs_parse(fc, &selinux_fs_parameters, param, &result);
2840 if (opt < 0)
2841 return opt;
2842
2843 rc = selinux_add_opt(opt, param->string, &fc->security);
2844 if (!rc) {
2845 param->string = NULL;
2846 rc = 1;
2847 }
2848 return rc;
2849 }
2850
2851 /* inode security operations */
2852
2853 static int selinux_inode_alloc_security(struct inode *inode)
2854 {
2855 return inode_alloc_security(inode);
2856 }
2857
2858 static void selinux_inode_free_security(struct inode *inode)
2859 {
2860 inode_free_security(inode);
2861 }
2862
2863 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2864 const struct qstr *name, void **ctx,
2865 u32 *ctxlen)
2866 {
2867 u32 newsid;
2868 int rc;
2869
2870 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2871 d_inode(dentry->d_parent), name,
2872 inode_mode_to_security_class(mode),
2873 &newsid);
2874 if (rc)
2875 return rc;
2876
2877 return security_sid_to_context(&selinux_state, newsid, (char **)ctx,
2878 ctxlen);
2879 }
2880
2881 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2882 struct qstr *name,
2883 const struct cred *old,
2884 struct cred *new)
2885 {
2886 u32 newsid;
2887 int rc;
2888 struct task_security_struct *tsec;
2889
2890 rc = selinux_determine_inode_label(selinux_cred(old),
2891 d_inode(dentry->d_parent), name,
2892 inode_mode_to_security_class(mode),
2893 &newsid);
2894 if (rc)
2895 return rc;
2896
2897 tsec = selinux_cred(new);
2898 tsec->create_sid = newsid;
2899 return 0;
2900 }
2901
2902 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2903 const struct qstr *qstr,
2904 const char **name,
2905 void **value, size_t *len)
2906 {
2907 const struct task_security_struct *tsec = selinux_cred(current_cred());
2908 struct superblock_security_struct *sbsec;
2909 u32 newsid, clen;
2910 int rc;
2911 char *context;
2912
2913 sbsec = dir->i_sb->s_security;
2914
2915 newsid = tsec->create_sid;
2916
2917 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2918 dir, qstr,
2919 inode_mode_to_security_class(inode->i_mode),
2920 &newsid);
2921 if (rc)
2922 return rc;
2923
2924 /* Possibly defer initialization to selinux_complete_init. */
2925 if (sbsec->flags & SE_SBINITIALIZED) {
2926 struct inode_security_struct *isec = selinux_inode(inode);
2927 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2928 isec->sid = newsid;
2929 isec->initialized = LABEL_INITIALIZED;
2930 }
2931
2932 if (!selinux_state.initialized || !(sbsec->flags & SBLABEL_MNT))
2933 return -EOPNOTSUPP;
2934
2935 if (name)
2936 *name = XATTR_SELINUX_SUFFIX;
2937
2938 if (value && len) {
2939 rc = security_sid_to_context_force(&selinux_state, newsid,
2940 &context, &clen);
2941 if (rc)
2942 return rc;
2943 *value = context;
2944 *len = clen;
2945 }
2946
2947 return 0;
2948 }
2949
2950 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
2951 {
2952 return may_create(dir, dentry, SECCLASS_FILE);
2953 }
2954
2955 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2956 {
2957 return may_link(dir, old_dentry, MAY_LINK);
2958 }
2959
2960 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2961 {
2962 return may_link(dir, dentry, MAY_UNLINK);
2963 }
2964
2965 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2966 {
2967 return may_create(dir, dentry, SECCLASS_LNK_FILE);
2968 }
2969
2970 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
2971 {
2972 return may_create(dir, dentry, SECCLASS_DIR);
2973 }
2974
2975 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2976 {
2977 return may_link(dir, dentry, MAY_RMDIR);
2978 }
2979
2980 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
2981 {
2982 return may_create(dir, dentry, inode_mode_to_security_class(mode));
2983 }
2984
2985 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2986 struct inode *new_inode, struct dentry *new_dentry)
2987 {
2988 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2989 }
2990
2991 static int selinux_inode_readlink(struct dentry *dentry)
2992 {
2993 const struct cred *cred = current_cred();
2994
2995 return dentry_has_perm(cred, dentry, FILE__READ);
2996 }
2997
2998 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
2999 bool rcu)
3000 {
3001 const struct cred *cred = current_cred();
3002 struct common_audit_data ad;
3003 struct inode_security_struct *isec;
3004 u32 sid;
3005
3006 validate_creds(cred);
3007
3008 ad.type = LSM_AUDIT_DATA_DENTRY;
3009 ad.u.dentry = dentry;
3010 sid = cred_sid(cred);
3011 isec = inode_security_rcu(inode, rcu);
3012 if (IS_ERR(isec))
3013 return PTR_ERR(isec);
3014
3015 return avc_has_perm_flags(&selinux_state,
3016 sid, isec->sid, isec->sclass, FILE__READ, &ad,
3017 rcu ? MAY_NOT_BLOCK : 0);
3018 }
3019
3020 static noinline int audit_inode_permission(struct inode *inode,
3021 u32 perms, u32 audited, u32 denied,
3022 int result)
3023 {
3024 struct common_audit_data ad;
3025 struct inode_security_struct *isec = selinux_inode(inode);
3026 int rc;
3027
3028 ad.type = LSM_AUDIT_DATA_INODE;
3029 ad.u.inode = inode;
3030
3031 rc = slow_avc_audit(&selinux_state,
3032 current_sid(), isec->sid, isec->sclass, perms,
3033 audited, denied, result, &ad);
3034 if (rc)
3035 return rc;
3036 return 0;
3037 }
3038
3039 static int selinux_inode_permission(struct inode *inode, int mask)
3040 {
3041 const struct cred *cred = current_cred();
3042 u32 perms;
3043 bool from_access;
3044 unsigned flags = mask & MAY_NOT_BLOCK;
3045 struct inode_security_struct *isec;
3046 u32 sid;
3047 struct av_decision avd;
3048 int rc, rc2;
3049 u32 audited, denied;
3050
3051 from_access = mask & MAY_ACCESS;
3052 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3053
3054 /* No permission to check. Existence test. */
3055 if (!mask)
3056 return 0;
3057
3058 validate_creds(cred);
3059
3060 if (unlikely(IS_PRIVATE(inode)))
3061 return 0;
3062
3063 perms = file_mask_to_av(inode->i_mode, mask);
3064
3065 sid = cred_sid(cred);
3066 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK);
3067 if (IS_ERR(isec))
3068 return PTR_ERR(isec);
3069
3070 rc = avc_has_perm_noaudit(&selinux_state,
3071 sid, isec->sid, isec->sclass, perms,
3072 (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
3073 &avd);
3074 audited = avc_audit_required(perms, &avd, rc,
3075 from_access ? FILE__AUDIT_ACCESS : 0,
3076 &denied);
3077 if (likely(!audited))
3078 return rc;
3079
3080 /* fall back to ref-walk if we have to generate audit */
3081 if (flags & MAY_NOT_BLOCK)
3082 return -ECHILD;
3083
3084 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3085 if (rc2)
3086 return rc2;
3087 return rc;
3088 }
3089
3090 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
3091 {
3092 const struct cred *cred = current_cred();
3093 struct inode *inode = d_backing_inode(dentry);
3094 unsigned int ia_valid = iattr->ia_valid;
3095 __u32 av = FILE__WRITE;
3096
3097 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3098 if (ia_valid & ATTR_FORCE) {
3099 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3100 ATTR_FORCE);
3101 if (!ia_valid)
3102 return 0;
3103 }
3104
3105 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3106 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3107 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3108
3109 if (selinux_policycap_openperm() &&
3110 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3111 (ia_valid & ATTR_SIZE) &&
3112 !(ia_valid & ATTR_FILE))
3113 av |= FILE__OPEN;
3114
3115 return dentry_has_perm(cred, dentry, av);
3116 }
3117
3118 static int selinux_inode_getattr(const struct path *path)
3119 {
3120 return path_has_perm(current_cred(), path, FILE__GETATTR);
3121 }
3122
3123 static bool has_cap_mac_admin(bool audit)
3124 {
3125 const struct cred *cred = current_cred();
3126 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3127
3128 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3129 return false;
3130 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3131 return false;
3132 return true;
3133 }
3134
3135 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
3136 const void *value, size_t size, int flags)
3137 {
3138 struct inode *inode = d_backing_inode(dentry);
3139 struct inode_security_struct *isec;
3140 struct superblock_security_struct *sbsec;
3141 struct common_audit_data ad;
3142 u32 newsid, sid = current_sid();
3143 int rc = 0;
3144
3145 if (strcmp(name, XATTR_NAME_SELINUX)) {
3146 rc = cap_inode_setxattr(dentry, name, value, size, flags);
3147 if (rc)
3148 return rc;
3149
3150 /* Not an attribute we recognize, so just check the
3151 ordinary setattr permission. */
3152 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3153 }
3154
3155 if (!selinux_state.initialized)
3156 return (inode_owner_or_capable(inode) ? 0 : -EPERM);
3157
3158 sbsec = inode->i_sb->s_security;
3159 if (!(sbsec->flags & SBLABEL_MNT))
3160 return -EOPNOTSUPP;
3161
3162 if (!inode_owner_or_capable(inode))
3163 return -EPERM;
3164
3165 ad.type = LSM_AUDIT_DATA_DENTRY;
3166 ad.u.dentry = dentry;
3167
3168 isec = backing_inode_security(dentry);
3169 rc = avc_has_perm(&selinux_state,
3170 sid, isec->sid, isec->sclass,
3171 FILE__RELABELFROM, &ad);
3172 if (rc)
3173 return rc;
3174
3175 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3176 GFP_KERNEL);
3177 if (rc == -EINVAL) {
3178 if (!has_cap_mac_admin(true)) {
3179 struct audit_buffer *ab;
3180 size_t audit_size;
3181
3182 /* We strip a nul only if it is at the end, otherwise the
3183 * context contains a nul and we should audit that */
3184 if (value) {
3185 const char *str = value;
3186
3187 if (str[size - 1] == '\0')
3188 audit_size = size - 1;
3189 else
3190 audit_size = size;
3191 } else {
3192 audit_size = 0;
3193 }
3194 ab = audit_log_start(audit_context(),
3195 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3196 audit_log_format(ab, "op=setxattr invalid_context=");
3197 audit_log_n_untrustedstring(ab, value, audit_size);
3198 audit_log_end(ab);
3199
3200 return rc;
3201 }
3202 rc = security_context_to_sid_force(&selinux_state, value,
3203 size, &newsid);
3204 }
3205 if (rc)
3206 return rc;
3207
3208 rc = avc_has_perm(&selinux_state,
3209 sid, newsid, isec->sclass,
3210 FILE__RELABELTO, &ad);
3211 if (rc)
3212 return rc;
3213
3214 rc = security_validate_transition(&selinux_state, isec->sid, newsid,
3215 sid, isec->sclass);
3216 if (rc)
3217 return rc;
3218
3219 return avc_has_perm(&selinux_state,
3220 newsid,
3221 sbsec->sid,
3222 SECCLASS_FILESYSTEM,
3223 FILESYSTEM__ASSOCIATE,
3224 &ad);
3225 }
3226
3227 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3228 const void *value, size_t size,
3229 int flags)
3230 {
3231 struct inode *inode = d_backing_inode(dentry);
3232 struct inode_security_struct *isec;
3233 u32 newsid;
3234 int rc;
3235
3236 if (strcmp(name, XATTR_NAME_SELINUX)) {
3237 /* Not an attribute we recognize, so nothing to do. */
3238 return;
3239 }
3240
3241 if (!selinux_state.initialized) {
3242 /* If we haven't even been initialized, then we can't validate
3243 * against a policy, so leave the label as invalid. It may
3244 * resolve to a valid label on the next revalidation try if
3245 * we've since initialized.
3246 */
3247 return;
3248 }
3249
3250 rc = security_context_to_sid_force(&selinux_state, value, size,
3251 &newsid);
3252 if (rc) {
3253 pr_err("SELinux: unable to map context to SID"
3254 "for (%s, %lu), rc=%d\n",
3255 inode->i_sb->s_id, inode->i_ino, -rc);
3256 return;
3257 }
3258
3259 isec = backing_inode_security(dentry);
3260 spin_lock(&isec->lock);
3261 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3262 isec->sid = newsid;
3263 isec->initialized = LABEL_INITIALIZED;
3264 spin_unlock(&isec->lock);
3265
3266 return;
3267 }
3268
3269 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3270 {
3271 const struct cred *cred = current_cred();
3272
3273 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3274 }
3275
3276 static int selinux_inode_listxattr(struct dentry *dentry)
3277 {
3278 const struct cred *cred = current_cred();
3279
3280 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3281 }
3282
3283 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
3284 {
3285 if (strcmp(name, XATTR_NAME_SELINUX)) {
3286 int rc = cap_inode_removexattr(dentry, name);
3287 if (rc)
3288 return rc;
3289
3290 /* Not an attribute we recognize, so just check the
3291 ordinary setattr permission. */
3292 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3293 }
3294
3295 /* No one is allowed to remove a SELinux security label.
3296 You can change the label, but all data must be labeled. */
3297 return -EACCES;
3298 }
3299
3300 static int selinux_path_notify(const struct path *path, u64 mask,
3301 unsigned int obj_type)
3302 {
3303 int ret;
3304 u32 perm;
3305
3306 struct common_audit_data ad;
3307
3308 ad.type = LSM_AUDIT_DATA_PATH;
3309 ad.u.path = *path;
3310
3311 /*
3312 * Set permission needed based on the type of mark being set.
3313 * Performs an additional check for sb watches.
3314 */
3315 switch (obj_type) {
3316 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3317 perm = FILE__WATCH_MOUNT;
3318 break;
3319 case FSNOTIFY_OBJ_TYPE_SB:
3320 perm = FILE__WATCH_SB;
3321 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3322 FILESYSTEM__WATCH, &ad);
3323 if (ret)
3324 return ret;
3325 break;
3326 case FSNOTIFY_OBJ_TYPE_INODE:
3327 perm = FILE__WATCH;
3328 break;
3329 default:
3330 return -EINVAL;
3331 }
3332
3333 /* blocking watches require the file:watch_with_perm permission */
3334 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3335 perm |= FILE__WATCH_WITH_PERM;
3336
3337 /* watches on read-like events need the file:watch_reads permission */
3338 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE))
3339 perm |= FILE__WATCH_READS;
3340
3341 return path_has_perm(current_cred(), path, perm);
3342 }
3343
3344 /*
3345 * Copy the inode security context value to the user.
3346 *
3347 * Permission check is handled by selinux_inode_getxattr hook.
3348 */
3349 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
3350 {
3351 u32 size;
3352 int error;
3353 char *context = NULL;
3354 struct inode_security_struct *isec;
3355
3356 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3357 return -EOPNOTSUPP;
3358
3359 /*
3360 * If the caller has CAP_MAC_ADMIN, then get the raw context
3361 * value even if it is not defined by current policy; otherwise,
3362 * use the in-core value under current policy.
3363 * Use the non-auditing forms of the permission checks since
3364 * getxattr may be called by unprivileged processes commonly
3365 * and lack of permission just means that we fall back to the
3366 * in-core context value, not a denial.
3367 */
3368 isec = inode_security(inode);
3369 if (has_cap_mac_admin(false))
3370 error = security_sid_to_context_force(&selinux_state,
3371 isec->sid, &context,
3372 &size);
3373 else
3374 error = security_sid_to_context(&selinux_state, isec->sid,
3375 &context, &size);
3376 if (error)
3377 return error;
3378 error = size;
3379 if (alloc) {
3380 *buffer = context;
3381 goto out_nofree;
3382 }
3383 kfree(context);
3384 out_nofree:
3385 return error;
3386 }
3387
3388 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3389 const void *value, size_t size, int flags)
3390 {
3391 struct inode_security_struct *isec = inode_security_novalidate(inode);
3392 struct superblock_security_struct *sbsec = inode->i_sb->s_security;
3393 u32 newsid;
3394 int rc;
3395
3396 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3397 return -EOPNOTSUPP;
3398
3399 if (!(sbsec->flags & SBLABEL_MNT))
3400 return -EOPNOTSUPP;
3401
3402 if (!value || !size)
3403 return -EACCES;
3404
3405 rc = security_context_to_sid(&selinux_state, value, size, &newsid,
3406 GFP_KERNEL);
3407 if (rc)
3408 return rc;
3409
3410 spin_lock(&isec->lock);
3411 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3412 isec->sid = newsid;
3413 isec->initialized = LABEL_INITIALIZED;
3414 spin_unlock(&isec->lock);
3415 return 0;
3416 }
3417
3418 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3419 {
3420 const int len = sizeof(XATTR_NAME_SELINUX);
3421 if (buffer && len <= buffer_size)
3422 memcpy(buffer, XATTR_NAME_SELINUX, len);
3423 return len;
3424 }
3425
3426 static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
3427 {
3428 struct inode_security_struct *isec = inode_security_novalidate(inode);
3429 *secid = isec->sid;
3430 }
3431
3432 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3433 {
3434 u32 sid;
3435 struct task_security_struct *tsec;
3436 struct cred *new_creds = *new;
3437
3438 if (new_creds == NULL) {
3439 new_creds = prepare_creds();
3440 if (!new_creds)
3441 return -ENOMEM;
3442 }
3443
3444 tsec = selinux_cred(new_creds);
3445 /* Get label from overlay inode and set it in create_sid */
3446 selinux_inode_getsecid(d_inode(src), &sid);
3447 tsec->create_sid = sid;
3448 *new = new_creds;
3449 return 0;
3450 }
3451
3452 static int selinux_inode_copy_up_xattr(const char *name)
3453 {
3454 /* The copy_up hook above sets the initial context on an inode, but we
3455 * don't then want to overwrite it by blindly copying all the lower
3456 * xattrs up. Instead, we have to filter out SELinux-related xattrs.
3457 */
3458 if (strcmp(name, XATTR_NAME_SELINUX) == 0)
3459 return 1; /* Discard */
3460 /*
3461 * Any other attribute apart from SELINUX is not claimed, supported
3462 * by selinux.
3463 */
3464 return -EOPNOTSUPP;
3465 }
3466
3467 /* kernfs node operations */
3468
3469 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3470 struct kernfs_node *kn)
3471 {
3472 const struct task_security_struct *tsec = selinux_cred(current_cred());
3473 u32 parent_sid, newsid, clen;
3474 int rc;
3475 char *context;
3476
3477 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3478 if (rc == -ENODATA)
3479 return 0;
3480 else if (rc < 0)
3481 return rc;
3482
3483 clen = (u32)rc;
3484 context = kmalloc(clen, GFP_KERNEL);
3485 if (!context)
3486 return -ENOMEM;
3487
3488 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3489 if (rc < 0) {
3490 kfree(context);
3491 return rc;
3492 }
3493
3494 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid,
3495 GFP_KERNEL);
3496 kfree(context);
3497 if (rc)
3498 return rc;
3499
3500 if (tsec->create_sid) {
3501 newsid = tsec->create_sid;
3502 } else {
3503 u16 secclass = inode_mode_to_security_class(kn->mode);
3504 struct qstr q;
3505
3506 q.name = kn->name;
3507 q.hash_len = hashlen_string(kn_dir, kn->name);
3508
3509 rc = security_transition_sid(&selinux_state, tsec->sid,
3510 parent_sid, secclass, &q,
3511 &newsid);
3512 if (rc)
3513 return rc;
3514 }
3515
3516 rc = security_sid_to_context_force(&selinux_state, newsid,
3517 &context, &clen);
3518 if (rc)
3519 return rc;
3520
3521 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3522 XATTR_CREATE);
3523 kfree(context);
3524 return rc;
3525 }
3526
3527
3528 /* file security operations */
3529
3530 static int selinux_revalidate_file_permission(struct file *file, int mask)
3531 {
3532 const struct cred *cred = current_cred();
3533 struct inode *inode = file_inode(file);
3534
3535 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3536 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3537 mask |= MAY_APPEND;
3538
3539 return file_has_perm(cred, file,
3540 file_mask_to_av(inode->i_mode, mask));
3541 }
3542
3543 static int selinux_file_permission(struct file *file, int mask)
3544 {
3545 struct inode *inode = file_inode(file);
3546 struct file_security_struct *fsec = selinux_file(file);
3547 struct inode_security_struct *isec;
3548 u32 sid = current_sid();
3549
3550 if (!mask)
3551 /* No permission to check. Existence test. */
3552 return 0;
3553
3554 isec = inode_security(inode);
3555 if (sid == fsec->sid && fsec->isid == isec->sid &&
3556 fsec->pseqno == avc_policy_seqno(&selinux_state))
3557 /* No change since file_open check. */
3558 return 0;
3559
3560 return selinux_revalidate_file_permission(file, mask);
3561 }
3562
3563 static int selinux_file_alloc_security(struct file *file)
3564 {
3565 return file_alloc_security(file);
3566 }
3567
3568 /*
3569 * Check whether a task has the ioctl permission and cmd
3570 * operation to an inode.
3571 */
3572 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3573 u32 requested, u16 cmd)
3574 {
3575 struct common_audit_data ad;
3576 struct file_security_struct *fsec = selinux_file(file);
3577 struct inode *inode = file_inode(file);
3578 struct inode_security_struct *isec;
3579 struct lsm_ioctlop_audit ioctl;
3580 u32 ssid = cred_sid(cred);
3581 int rc;
3582 u8 driver = cmd >> 8;
3583 u8 xperm = cmd & 0xff;
3584
3585 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3586 ad.u.op = &ioctl;
3587 ad.u.op->cmd = cmd;
3588 ad.u.op->path = file->f_path;
3589
3590 if (ssid != fsec->sid) {
3591 rc = avc_has_perm(&selinux_state,
3592 ssid, fsec->sid,
3593 SECCLASS_FD,
3594 FD__USE,
3595 &ad);
3596 if (rc)
3597 goto out;
3598 }
3599
3600 if (unlikely(IS_PRIVATE(inode)))
3601 return 0;
3602
3603 isec = inode_security(inode);
3604 rc = avc_has_extended_perms(&selinux_state,
3605 ssid, isec->sid, isec->sclass,
3606 requested, driver, xperm, &ad);
3607 out:
3608 return rc;
3609 }
3610
3611 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3612 unsigned long arg)
3613 {
3614 const struct cred *cred = current_cred();
3615 int error = 0;
3616
3617 switch (cmd) {
3618 case FIONREAD:
3619 /* fall through */
3620 case FIBMAP:
3621 /* fall through */
3622 case FIGETBSZ:
3623 /* fall through */
3624 case FS_IOC_GETFLAGS:
3625 /* fall through */
3626 case FS_IOC_GETVERSION:
3627 error = file_has_perm(cred, file, FILE__GETATTR);
3628 break;
3629
3630 case FS_IOC_SETFLAGS:
3631 /* fall through */
3632 case FS_IOC_SETVERSION:
3633 error = file_has_perm(cred, file, FILE__SETATTR);
3634 break;
3635
3636 /* sys_ioctl() checks */
3637 case FIONBIO:
3638 /* fall through */
3639 case FIOASYNC:
3640 error = file_has_perm(cred, file, 0);
3641 break;
3642
3643 case KDSKBENT:
3644 case KDSKBSENT:
3645 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3646 CAP_OPT_NONE, true);
3647 break;
3648
3649 /* default case assumes that the command will go
3650 * to the file's ioctl() function.
3651 */
3652 default:
3653 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3654 }
3655 return error;
3656 }
3657
3658 static int default_noexec;
3659
3660 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3661 {
3662 const struct cred *cred = current_cred();
3663 u32 sid = cred_sid(cred);
3664 int rc = 0;
3665
3666 if (default_noexec &&
3667 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3668 (!shared && (prot & PROT_WRITE)))) {
3669 /*
3670 * We are making executable an anonymous mapping or a
3671 * private file mapping that will also be writable.
3672 * This has an additional check.
3673 */
3674 rc = avc_has_perm(&selinux_state,
3675 sid, sid, SECCLASS_PROCESS,
3676 PROCESS__EXECMEM, NULL);
3677 if (rc)
3678 goto error;
3679 }
3680
3681 if (file) {
3682 /* read access is always possible with a mapping */
3683 u32 av = FILE__READ;
3684
3685 /* write access only matters if the mapping is shared */
3686 if (shared && (prot & PROT_WRITE))
3687 av |= FILE__WRITE;
3688
3689 if (prot & PROT_EXEC)
3690 av |= FILE__EXECUTE;
3691
3692 return file_has_perm(cred, file, av);
3693 }
3694
3695 error:
3696 return rc;
3697 }
3698
3699 static int selinux_mmap_addr(unsigned long addr)
3700 {
3701 int rc = 0;
3702
3703 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3704 u32 sid = current_sid();
3705 rc = avc_has_perm(&selinux_state,
3706 sid, sid, SECCLASS_MEMPROTECT,
3707 MEMPROTECT__MMAP_ZERO, NULL);
3708 }
3709
3710 return rc;
3711 }
3712
3713 static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3714 unsigned long prot, unsigned long flags)
3715 {
3716 struct common_audit_data ad;
3717 int rc;
3718
3719 if (file) {
3720 ad.type = LSM_AUDIT_DATA_FILE;
3721 ad.u.file = file;
3722 rc = inode_has_perm(current_cred(), file_inode(file),
3723 FILE__MAP, &ad);
3724 if (rc)
3725 return rc;
3726 }
3727
3728 if (selinux_state.checkreqprot)
3729 prot = reqprot;
3730
3731 return file_map_prot_check(file, prot,
3732 (flags & MAP_TYPE) == MAP_SHARED);
3733 }
3734
3735 static int selinux_file_mprotect(struct vm_area_struct *vma,
3736 unsigned long reqprot,
3737 unsigned long prot)
3738 {
3739 const struct cred *cred = current_cred();
3740 u32 sid = cred_sid(cred);
3741
3742 if (selinux_state.checkreqprot)
3743 prot = reqprot;
3744
3745 if (default_noexec &&
3746 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3747 int rc = 0;
3748 if (vma->vm_start >= vma->vm_mm->start_brk &&
3749 vma->vm_end <= vma->vm_mm->brk) {
3750 rc = avc_has_perm(&selinux_state,
3751 sid, sid, SECCLASS_PROCESS,
3752 PROCESS__EXECHEAP, NULL);
3753 } else if (!vma->vm_file &&
3754 ((vma->vm_start <= vma->vm_mm->start_stack &&
3755 vma->vm_end >= vma->vm_mm->start_stack) ||
3756 vma_is_stack_for_current(vma))) {
3757 rc = avc_has_perm(&selinux_state,
3758 sid, sid, SECCLASS_PROCESS,
3759 PROCESS__EXECSTACK, NULL);
3760 } else if (vma->vm_file && vma->anon_vma) {
3761 /*
3762 * We are making executable a file mapping that has
3763 * had some COW done. Since pages might have been
3764 * written, check ability to execute the possibly
3765 * modified content. This typically should only
3766 * occur for text relocations.
3767 */
3768 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3769 }
3770 if (rc)
3771 return rc;
3772 }
3773
3774 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3775 }
3776
3777 static int selinux_file_lock(struct file *file, unsigned int cmd)
3778 {
3779 const struct cred *cred = current_cred();
3780
3781 return file_has_perm(cred, file, FILE__LOCK);
3782 }
3783
3784 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3785 unsigned long arg)
3786 {
3787 const struct cred *cred = current_cred();
3788 int err = 0;
3789
3790 switch (cmd) {
3791 case F_SETFL:
3792 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3793 err = file_has_perm(cred, file, FILE__WRITE);
3794 break;
3795 }
3796 /* fall through */
3797 case F_SETOWN:
3798 case F_SETSIG:
3799 case F_GETFL:
3800 case F_GETOWN:
3801 case F_GETSIG:
3802 case F_GETOWNER_UIDS:
3803 /* Just check FD__USE permission */
3804 err = file_has_perm(cred, file, 0);
3805 break;
3806 case F_GETLK:
3807 case F_SETLK:
3808 case F_SETLKW:
3809 case F_OFD_GETLK:
3810 case F_OFD_SETLK:
3811 case F_OFD_SETLKW:
3812 #if BITS_PER_LONG == 32
3813 case F_GETLK64:
3814 case F_SETLK64:
3815 case F_SETLKW64:
3816 #endif
3817 err = file_has_perm(cred, file, FILE__LOCK);
3818 break;
3819 }
3820
3821 return err;
3822 }
3823
3824 static void selinux_file_set_fowner(struct file *file)
3825 {
3826 struct file_security_struct *fsec;
3827
3828 fsec = selinux_file(file);
3829 fsec->fown_sid = current_sid();
3830 }
3831
3832 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3833 struct fown_struct *fown, int signum)
3834 {
3835 struct file *file;
3836 u32 sid = task_sid(tsk);
3837 u32 perm;
3838 struct file_security_struct *fsec;
3839
3840 /* struct fown_struct is never outside the context of a struct file */
3841 file = container_of(fown, struct file, f_owner);
3842
3843 fsec = selinux_file(file);
3844
3845 if (!signum)
3846 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3847 else
3848 perm = signal_to_av(signum);
3849
3850 return avc_has_perm(&selinux_state,
3851 fsec->fown_sid, sid,
3852 SECCLASS_PROCESS, perm, NULL);
3853 }
3854
3855 static int selinux_file_receive(struct file *file)
3856 {
3857 const struct cred *cred = current_cred();
3858
3859 return file_has_perm(cred, file, file_to_av(file));
3860 }
3861
3862 static int selinux_file_open(struct file *file)
3863 {
3864 struct file_security_struct *fsec;
3865 struct inode_security_struct *isec;
3866
3867 fsec = selinux_file(file);
3868 isec = inode_security(file_inode(file));
3869 /*
3870 * Save inode label and policy sequence number
3871 * at open-time so that selinux_file_permission
3872 * can determine whether revalidation is necessary.
3873 * Task label is already saved in the file security
3874 * struct as its SID.
3875 */
3876 fsec->isid = isec->sid;
3877 fsec->pseqno = avc_policy_seqno(&selinux_state);
3878 /*
3879 * Since the inode label or policy seqno may have changed
3880 * between the selinux_inode_permission check and the saving
3881 * of state above, recheck that access is still permitted.
3882 * Otherwise, access might never be revalidated against the
3883 * new inode label or new policy.
3884 * This check is not redundant - do not remove.
3885 */
3886 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
3887 }
3888
3889 /* task security operations */
3890
3891 static int selinux_task_alloc(struct task_struct *task,
3892 unsigned long clone_flags)
3893 {
3894 u32 sid = current_sid();
3895
3896 return avc_has_perm(&selinux_state,
3897 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
3898 }
3899
3900 /*
3901 * prepare a new set of credentials for modification
3902 */
3903 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3904 gfp_t gfp)
3905 {
3906 const struct task_security_struct *old_tsec = selinux_cred(old);
3907 struct task_security_struct *tsec = selinux_cred(new);
3908
3909 *tsec = *old_tsec;
3910 return 0;
3911 }
3912
3913 /*
3914 * transfer the SELinux data to a blank set of creds
3915 */
3916 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3917 {
3918 const struct task_security_struct *old_tsec = selinux_cred(old);
3919 struct task_security_struct *tsec = selinux_cred(new);
3920
3921 *tsec = *old_tsec;
3922 }
3923
3924 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
3925 {
3926 *secid = cred_sid(c);
3927 }
3928
3929 /*
3930 * set the security data for a kernel service
3931 * - all the creation contexts are set to unlabelled
3932 */
3933 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3934 {
3935 struct task_security_struct *tsec = selinux_cred(new);
3936 u32 sid = current_sid();
3937 int ret;
3938
3939 ret = avc_has_perm(&selinux_state,
3940 sid, secid,
3941 SECCLASS_KERNEL_SERVICE,
3942 KERNEL_SERVICE__USE_AS_OVERRIDE,
3943 NULL);
3944 if (ret == 0) {
3945 tsec->sid = secid;
3946 tsec->create_sid = 0;
3947 tsec->keycreate_sid = 0;
3948 tsec->sockcreate_sid = 0;
3949 }
3950 return ret;
3951 }
3952
3953 /*
3954 * set the file creation context in a security record to the same as the
3955 * objective context of the specified inode
3956 */
3957 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3958 {
3959 struct inode_security_struct *isec = inode_security(inode);
3960 struct task_security_struct *tsec = selinux_cred(new);
3961 u32 sid = current_sid();
3962 int ret;
3963
3964 ret = avc_has_perm(&selinux_state,
3965 sid, isec->sid,
3966 SECCLASS_KERNEL_SERVICE,
3967 KERNEL_SERVICE__CREATE_FILES_AS,
3968 NULL);
3969
3970 if (ret == 0)
3971 tsec->create_sid = isec->sid;
3972 return ret;
3973 }
3974
3975 static int selinux_kernel_module_request(char *kmod_name)
3976 {
3977 struct common_audit_data ad;
3978
3979 ad.type = LSM_AUDIT_DATA_KMOD;
3980 ad.u.kmod_name = kmod_name;
3981
3982 return avc_has_perm(&selinux_state,
3983 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
3984 SYSTEM__MODULE_REQUEST, &ad);
3985 }
3986
3987 static int selinux_kernel_module_from_file(struct file *file)
3988 {
3989 struct common_audit_data ad;
3990 struct inode_security_struct *isec;
3991 struct file_security_struct *fsec;
3992 u32 sid = current_sid();
3993 int rc;
3994
3995 /* init_module */
3996 if (file == NULL)
3997 return avc_has_perm(&selinux_state,
3998 sid, sid, SECCLASS_SYSTEM,
3999 SYSTEM__MODULE_LOAD, NULL);
4000
4001 /* finit_module */
4002
4003 ad.type = LSM_AUDIT_DATA_FILE;
4004 ad.u.file = file;
4005
4006 fsec = selinux_file(file);
4007 if (sid != fsec->sid) {
4008 rc = avc_has_perm(&selinux_state,
4009 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4010 if (rc)
4011 return rc;
4012 }
4013
4014 isec = inode_security(file_inode(file));
4015 return avc_has_perm(&selinux_state,
4016 sid, isec->sid, SECCLASS_SYSTEM,
4017 SYSTEM__MODULE_LOAD, &ad);
4018 }
4019
4020 static int selinux_kernel_read_file(struct file *file,
4021 enum kernel_read_file_id id)
4022 {
4023 int rc = 0;
4024
4025 switch (id) {
4026 case READING_MODULE:
4027 rc = selinux_kernel_module_from_file(file);
4028 break;
4029 default:
4030 break;
4031 }
4032
4033 return rc;
4034 }
4035
4036 static int selinux_kernel_load_data(enum kernel_load_data_id id)
4037 {
4038 int rc = 0;
4039
4040 switch (id) {
4041 case LOADING_MODULE:
4042 rc = selinux_kernel_module_from_file(NULL);
4043 default:
4044 break;
4045 }
4046
4047 return rc;
4048 }
4049
4050 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4051 {
4052 return avc_has_perm(&selinux_state,
4053 current_sid(), task_sid(p), SECCLASS_PROCESS,
4054 PROCESS__SETPGID, NULL);
4055 }
4056
4057 static int selinux_task_getpgid(struct task_struct *p)
4058 {
4059 return avc_has_perm(&selinux_state,
4060 current_sid(), task_sid(p), SECCLASS_PROCESS,
4061 PROCESS__GETPGID, NULL);
4062 }
4063
4064 static int selinux_task_getsid(struct task_struct *p)
4065 {
4066 return avc_has_perm(&selinux_state,
4067 current_sid(), task_sid(p), SECCLASS_PROCESS,
4068 PROCESS__GETSESSION, NULL);
4069 }
4070
4071 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
4072 {
4073 *secid = task_sid(p);
4074 }
4075
4076 static int selinux_task_setnice(struct task_struct *p, int nice)
4077 {
4078 return avc_has_perm(&selinux_state,
4079 current_sid(), task_sid(p), SECCLASS_PROCESS,
4080 PROCESS__SETSCHED, NULL);
4081 }
4082
4083 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4084 {
4085 return avc_has_perm(&selinux_state,
4086 current_sid(), task_sid(p), SECCLASS_PROCESS,
4087 PROCESS__SETSCHED, NULL);
4088 }
4089
4090 static int selinux_task_getioprio(struct task_struct *p)
4091 {
4092 return avc_has_perm(&selinux_state,
4093 current_sid(), task_sid(p), SECCLASS_PROCESS,
4094 PROCESS__GETSCHED, NULL);
4095 }
4096
4097 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4098 unsigned int flags)
4099 {
4100 u32 av = 0;
4101
4102 if (!flags)
4103 return 0;
4104 if (flags & LSM_PRLIMIT_WRITE)
4105 av |= PROCESS__SETRLIMIT;
4106 if (flags & LSM_PRLIMIT_READ)
4107 av |= PROCESS__GETRLIMIT;
4108 return avc_has_perm(&selinux_state,
4109 cred_sid(cred), cred_sid(tcred),
4110 SECCLASS_PROCESS, av, NULL);
4111 }
4112
4113 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4114 struct rlimit *new_rlim)
4115 {
4116 struct rlimit *old_rlim = p->signal->rlim + resource;
4117
4118 /* Control the ability to change the hard limit (whether
4119 lowering or raising it), so that the hard limit can
4120 later be used as a safe reset point for the soft limit
4121 upon context transitions. See selinux_bprm_committing_creds. */
4122 if (old_rlim->rlim_max != new_rlim->rlim_max)
4123 return avc_has_perm(&selinux_state,
4124 current_sid(), task_sid(p),
4125 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4126
4127 return 0;
4128 }
4129
4130 static int selinux_task_setscheduler(struct task_struct *p)
4131 {
4132 return avc_has_perm(&selinux_state,
4133 current_sid(), task_sid(p), SECCLASS_PROCESS,
4134 PROCESS__SETSCHED, NULL);
4135 }
4136
4137 static int selinux_task_getscheduler(struct task_struct *p)
4138 {
4139 return avc_has_perm(&selinux_state,
4140 current_sid(), task_sid(p), SECCLASS_PROCESS,
4141 PROCESS__GETSCHED, NULL);
4142 }
4143
4144 static int selinux_task_movememory(struct task_struct *p)
4145 {
4146 return avc_has_perm(&selinux_state,
4147 current_sid(), task_sid(p), SECCLASS_PROCESS,
4148 PROCESS__SETSCHED, NULL);
4149 }
4150
4151 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4152 int sig, const struct cred *cred)
4153 {
4154 u32 secid;
4155 u32 perm;
4156
4157 if (!sig)
4158 perm = PROCESS__SIGNULL; /* null signal; existence test */
4159 else
4160 perm = signal_to_av(sig);
4161 if (!cred)
4162 secid = current_sid();
4163 else
4164 secid = cred_sid(cred);
4165 return avc_has_perm(&selinux_state,
4166 secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
4167 }
4168
4169 static void selinux_task_to_inode(struct task_struct *p,
4170 struct inode *inode)
4171 {
4172 struct inode_security_struct *isec = selinux_inode(inode);
4173 u32 sid = task_sid(p);
4174
4175 spin_lock(&isec->lock);
4176 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4177 isec->sid = sid;
4178 isec->initialized = LABEL_INITIALIZED;
4179 spin_unlock(&isec->lock);
4180 }
4181
4182 /* Returns error only if unable to parse addresses */
4183 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4184 struct common_audit_data *ad, u8 *proto)
4185 {
4186 int offset, ihlen, ret = -EINVAL;
4187 struct iphdr _iph, *ih;
4188
4189 offset = skb_network_offset(skb);
4190 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4191 if (ih == NULL)
4192 goto out;
4193
4194 ihlen = ih->ihl * 4;
4195 if (ihlen < sizeof(_iph))
4196 goto out;
4197
4198 ad->u.net->v4info.saddr = ih->saddr;
4199 ad->u.net->v4info.daddr = ih->daddr;
4200 ret = 0;
4201
4202 if (proto)
4203 *proto = ih->protocol;
4204
4205 switch (ih->protocol) {
4206 case IPPROTO_TCP: {
4207 struct tcphdr _tcph, *th;
4208
4209 if (ntohs(ih->frag_off) & IP_OFFSET)
4210 break;
4211
4212 offset += ihlen;
4213 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4214 if (th == NULL)
4215 break;
4216
4217 ad->u.net->sport = th->source;
4218 ad->u.net->dport = th->dest;
4219 break;
4220 }
4221
4222 case IPPROTO_UDP: {
4223 struct udphdr _udph, *uh;
4224
4225 if (ntohs(ih->frag_off) & IP_OFFSET)
4226 break;
4227
4228 offset += ihlen;
4229 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4230 if (uh == NULL)
4231 break;
4232
4233 ad->u.net->sport = uh->source;
4234 ad->u.net->dport = uh->dest;
4235 break;
4236 }
4237
4238 case IPPROTO_DCCP: {
4239 struct dccp_hdr _dccph, *dh;
4240
4241 if (ntohs(ih->frag_off) & IP_OFFSET)
4242 break;
4243
4244 offset += ihlen;
4245 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4246 if (dh == NULL)
4247 break;
4248
4249 ad->u.net->sport = dh->dccph_sport;
4250 ad->u.net->dport = dh->dccph_dport;
4251 break;
4252 }
4253
4254 #if IS_ENABLED(CONFIG_IP_SCTP)
4255 case IPPROTO_SCTP: {
4256 struct sctphdr _sctph, *sh;
4257
4258 if (ntohs(ih->frag_off) & IP_OFFSET)
4259 break;
4260
4261 offset += ihlen;
4262 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4263 if (sh == NULL)
4264 break;
4265
4266 ad->u.net->sport = sh->source;
4267 ad->u.net->dport = sh->dest;
4268 break;
4269 }
4270 #endif
4271 default:
4272 break;
4273 }
4274 out:
4275 return ret;
4276 }
4277
4278 #if IS_ENABLED(CONFIG_IPV6)
4279
4280 /* Returns error only if unable to parse addresses */
4281 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4282 struct common_audit_data *ad, u8 *proto)
4283 {
4284 u8 nexthdr;
4285 int ret = -EINVAL, offset;
4286 struct ipv6hdr _ipv6h, *ip6;
4287 __be16 frag_off;
4288
4289 offset = skb_network_offset(skb);
4290 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4291 if (ip6 == NULL)
4292 goto out;
4293
4294 ad->u.net->v6info.saddr = ip6->saddr;
4295 ad->u.net->v6info.daddr = ip6->daddr;
4296 ret = 0;
4297
4298 nexthdr = ip6->nexthdr;
4299 offset += sizeof(_ipv6h);
4300 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4301 if (offset < 0)
4302 goto out;
4303
4304 if (proto)
4305 *proto = nexthdr;
4306
4307 switch (nexthdr) {
4308 case IPPROTO_TCP: {
4309 struct tcphdr _tcph, *th;
4310
4311 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4312 if (th == NULL)
4313 break;
4314
4315 ad->u.net->sport = th->source;
4316 ad->u.net->dport = th->dest;
4317 break;
4318 }
4319
4320 case IPPROTO_UDP: {
4321 struct udphdr _udph, *uh;
4322
4323 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4324 if (uh == NULL)
4325 break;
4326
4327 ad->u.net->sport = uh->source;
4328 ad->u.net->dport = uh->dest;
4329 break;
4330 }
4331
4332 case IPPROTO_DCCP: {
4333 struct dccp_hdr _dccph, *dh;
4334
4335 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
4336 if (dh == NULL)
4337 break;
4338
4339 ad->u.net->sport = dh->dccph_sport;
4340 ad->u.net->dport = dh->dccph_dport;
4341 break;
4342 }
4343
4344 #if IS_ENABLED(CONFIG_IP_SCTP)
4345 case IPPROTO_SCTP: {
4346 struct sctphdr _sctph, *sh;
4347
4348 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4349 if (sh == NULL)
4350 break;
4351
4352 ad->u.net->sport = sh->source;
4353 ad->u.net->dport = sh->dest;
4354 break;
4355 }
4356 #endif
4357 /* includes fragments */
4358 default:
4359 break;
4360 }
4361 out:
4362 return ret;
4363 }
4364
4365 #endif /* IPV6 */
4366
4367 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4368 char **_addrp, int src, u8 *proto)
4369 {
4370 char *addrp;
4371 int ret;
4372
4373 switch (ad->u.net->family) {
4374 case PF_INET:
4375 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4376 if (ret)
4377 goto parse_error;
4378 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4379 &ad->u.net->v4info.daddr);
4380 goto okay;
4381
4382 #if IS_ENABLED(CONFIG_IPV6)
4383 case PF_INET6:
4384 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4385 if (ret)
4386 goto parse_error;
4387 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4388 &ad->u.net->v6info.daddr);
4389 goto okay;
4390 #endif /* IPV6 */
4391 default:
4392 addrp = NULL;
4393 goto okay;
4394 }
4395
4396 parse_error:
4397 pr_warn(
4398 "SELinux: failure in selinux_parse_skb(),"
4399 " unable to parse packet\n");
4400 return ret;
4401
4402 okay:
4403 if (_addrp)
4404 *_addrp = addrp;
4405 return 0;
4406 }
4407
4408 /**
4409 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4410 * @skb: the packet
4411 * @family: protocol family
4412 * @sid: the packet's peer label SID
4413 *
4414 * Description:
4415 * Check the various different forms of network peer labeling and determine
4416 * the peer label/SID for the packet; most of the magic actually occurs in
4417 * the security server function security_net_peersid_cmp(). The function
4418 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4419 * or -EACCES if @sid is invalid due to inconsistencies with the different
4420 * peer labels.
4421 *
4422 */
4423 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4424 {
4425 int err;
4426 u32 xfrm_sid;
4427 u32 nlbl_sid;
4428 u32 nlbl_type;
4429
4430 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4431 if (unlikely(err))
4432 return -EACCES;
4433 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4434 if (unlikely(err))
4435 return -EACCES;
4436
4437 err = security_net_peersid_resolve(&selinux_state, nlbl_sid,
4438 nlbl_type, xfrm_sid, sid);
4439 if (unlikely(err)) {
4440 pr_warn(
4441 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4442 " unable to determine packet's peer label\n");
4443 return -EACCES;
4444 }
4445
4446 return 0;
4447 }
4448
4449 /**
4450 * selinux_conn_sid - Determine the child socket label for a connection
4451 * @sk_sid: the parent socket's SID
4452 * @skb_sid: the packet's SID
4453 * @conn_sid: the resulting connection SID
4454 *
4455 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4456 * combined with the MLS information from @skb_sid in order to create
4457 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy
4458 * of @sk_sid. Returns zero on success, negative values on failure.
4459 *
4460 */
4461 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4462 {
4463 int err = 0;
4464
4465 if (skb_sid != SECSID_NULL)
4466 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid,
4467 conn_sid);
4468 else
4469 *conn_sid = sk_sid;
4470
4471 return err;
4472 }
4473
4474 /* socket security operations */
4475
4476 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4477 u16 secclass, u32 *socksid)
4478 {
4479 if (tsec->sockcreate_sid > SECSID_NULL) {
4480 *socksid = tsec->sockcreate_sid;
4481 return 0;
4482 }
4483
4484 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid,
4485 secclass, NULL, socksid);
4486 }
4487
4488 static int sock_has_perm(struct sock *sk, u32 perms)
4489 {
4490 struct sk_security_struct *sksec = sk->sk_security;
4491 struct common_audit_data ad;
4492 struct lsm_network_audit net = {0,};
4493
4494 if (sksec->sid == SECINITSID_KERNEL)
4495 return 0;
4496
4497 ad.type = LSM_AUDIT_DATA_NET;
4498 ad.u.net = &net;
4499 ad.u.net->sk = sk;
4500
4501 return avc_has_perm(&selinux_state,
4502 current_sid(), sksec->sid, sksec->sclass, perms,
4503 &ad);
4504 }
4505
4506 static int selinux_socket_create(int family, int type,
4507 int protocol, int kern)
4508 {
4509 const struct task_security_struct *tsec = selinux_cred(current_cred());
4510 u32 newsid;
4511 u16 secclass;
4512 int rc;
4513
4514 if (kern)
4515 return 0;
4516
4517 secclass = socket_type_to_security_class(family, type, protocol);
4518 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4519 if (rc)
4520 return rc;
4521
4522 return avc_has_perm(&selinux_state,
4523 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4524 }
4525
4526 static int selinux_socket_post_create(struct socket *sock, int family,
4527 int type, int protocol, int kern)
4528 {
4529 const struct task_security_struct *tsec = selinux_cred(current_cred());
4530 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4531 struct sk_security_struct *sksec;
4532 u16 sclass = socket_type_to_security_class(family, type, protocol);
4533 u32 sid = SECINITSID_KERNEL;
4534 int err = 0;
4535
4536 if (!kern) {
4537 err = socket_sockcreate_sid(tsec, sclass, &sid);
4538 if (err)
4539 return err;
4540 }
4541
4542 isec->sclass = sclass;
4543 isec->sid = sid;
4544 isec->initialized = LABEL_INITIALIZED;
4545
4546 if (sock->sk) {
4547 sksec = sock->sk->sk_security;
4548 sksec->sclass = sclass;
4549 sksec->sid = sid;
4550 /* Allows detection of the first association on this socket */
4551 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4552 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4553
4554 err = selinux_netlbl_socket_post_create(sock->sk, family);
4555 }
4556
4557 return err;
4558 }
4559
4560 static int selinux_socket_socketpair(struct socket *socka,
4561 struct socket *sockb)
4562 {
4563 struct sk_security_struct *sksec_a = socka->sk->sk_security;
4564 struct sk_security_struct *sksec_b = sockb->sk->sk_security;
4565
4566 sksec_a->peer_sid = sksec_b->sid;
4567 sksec_b->peer_sid = sksec_a->sid;
4568
4569 return 0;
4570 }
4571
4572 /* Range of port numbers used to automatically bind.
4573 Need to determine whether we should perform a name_bind
4574 permission check between the socket and the port number. */
4575
4576 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4577 {
4578 struct sock *sk = sock->sk;
4579 struct sk_security_struct *sksec = sk->sk_security;
4580 u16 family;
4581 int err;
4582
4583 err = sock_has_perm(sk, SOCKET__BIND);
4584 if (err)
4585 goto out;
4586
4587 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4588 family = sk->sk_family;
4589 if (family == PF_INET || family == PF_INET6) {
4590 char *addrp;
4591 struct common_audit_data ad;
4592 struct lsm_network_audit net = {0,};
4593 struct sockaddr_in *addr4 = NULL;
4594 struct sockaddr_in6 *addr6 = NULL;
4595 u16 family_sa;
4596 unsigned short snum;
4597 u32 sid, node_perm;
4598
4599 /*
4600 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4601 * that validates multiple binding addresses. Because of this
4602 * need to check address->sa_family as it is possible to have
4603 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4604 */
4605 if (addrlen < offsetofend(struct sockaddr, sa_family))
4606 return -EINVAL;
4607 family_sa = address->sa_family;
4608 switch (family_sa) {
4609 case AF_UNSPEC:
4610 case AF_INET:
4611 if (addrlen < sizeof(struct sockaddr_in))
4612 return -EINVAL;
4613 addr4 = (struct sockaddr_in *)address;
4614 if (family_sa == AF_UNSPEC) {
4615 /* see __inet_bind(), we only want to allow
4616 * AF_UNSPEC if the address is INADDR_ANY
4617 */
4618 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4619 goto err_af;
4620 family_sa = AF_INET;
4621 }
4622 snum = ntohs(addr4->sin_port);
4623 addrp = (char *)&addr4->sin_addr.s_addr;
4624 break;
4625 case AF_INET6:
4626 if (addrlen < SIN6_LEN_RFC2133)
4627 return -EINVAL;
4628 addr6 = (struct sockaddr_in6 *)address;
4629 snum = ntohs(addr6->sin6_port);
4630 addrp = (char *)&addr6->sin6_addr.s6_addr;
4631 break;
4632 default:
4633 goto err_af;
4634 }
4635
4636 ad.type = LSM_AUDIT_DATA_NET;
4637 ad.u.net = &net;
4638 ad.u.net->sport = htons(snum);
4639 ad.u.net->family = family_sa;
4640
4641 if (snum) {
4642 int low, high;
4643
4644 inet_get_local_port_range(sock_net(sk), &low, &high);
4645
4646 if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4647 snum < low || snum > high) {
4648 err = sel_netport_sid(sk->sk_protocol,
4649 snum, &sid);
4650 if (err)
4651 goto out;
4652 err = avc_has_perm(&selinux_state,
4653 sksec->sid, sid,
4654 sksec->sclass,
4655 SOCKET__NAME_BIND, &ad);
4656 if (err)
4657 goto out;
4658 }
4659 }
4660
4661 switch (sksec->sclass) {
4662 case SECCLASS_TCP_SOCKET:
4663 node_perm = TCP_SOCKET__NODE_BIND;
4664 break;
4665
4666 case SECCLASS_UDP_SOCKET:
4667 node_perm = UDP_SOCKET__NODE_BIND;
4668 break;
4669
4670 case SECCLASS_DCCP_SOCKET:
4671 node_perm = DCCP_SOCKET__NODE_BIND;
4672 break;
4673
4674 case SECCLASS_SCTP_SOCKET:
4675 node_perm = SCTP_SOCKET__NODE_BIND;
4676 break;
4677
4678 default:
4679 node_perm = RAWIP_SOCKET__NODE_BIND;
4680 break;
4681 }
4682
4683 err = sel_netnode_sid(addrp, family_sa, &sid);
4684 if (err)
4685 goto out;
4686
4687 if (family_sa == AF_INET)
4688 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4689 else
4690 ad.u.net->v6info.saddr = addr6->sin6_addr;
4691
4692 err = avc_has_perm(&selinux_state,
4693 sksec->sid, sid,
4694 sksec->sclass, node_perm, &ad);
4695 if (err)
4696 goto out;
4697 }
4698 out:
4699 return err;
4700 err_af:
4701 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4702 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4703 return -EINVAL;
4704 return -EAFNOSUPPORT;
4705 }
4706
4707 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4708 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4709 */
4710 static int selinux_socket_connect_helper(struct socket *sock,
4711 struct sockaddr *address, int addrlen)
4712 {
4713 struct sock *sk = sock->sk;
4714 struct sk_security_struct *sksec = sk->sk_security;
4715 int err;
4716
4717 err = sock_has_perm(sk, SOCKET__CONNECT);
4718 if (err)
4719 return err;
4720 if (addrlen < offsetofend(struct sockaddr, sa_family))
4721 return -EINVAL;
4722
4723 /* connect(AF_UNSPEC) has special handling, as it is a documented
4724 * way to disconnect the socket
4725 */
4726 if (address->sa_family == AF_UNSPEC)
4727 return 0;
4728
4729 /*
4730 * If a TCP, DCCP or SCTP socket, check name_connect permission
4731 * for the port.
4732 */
4733 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
4734 sksec->sclass == SECCLASS_DCCP_SOCKET ||
4735 sksec->sclass == SECCLASS_SCTP_SOCKET) {
4736 struct common_audit_data ad;
4737 struct lsm_network_audit net = {0,};
4738 struct sockaddr_in *addr4 = NULL;
4739 struct sockaddr_in6 *addr6 = NULL;
4740 unsigned short snum;
4741 u32 sid, perm;
4742
4743 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
4744 * that validates multiple connect addresses. Because of this
4745 * need to check address->sa_family as it is possible to have
4746 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4747 */
4748 switch (address->sa_family) {
4749 case AF_INET:
4750 addr4 = (struct sockaddr_in *)address;
4751 if (addrlen < sizeof(struct sockaddr_in))
4752 return -EINVAL;
4753 snum = ntohs(addr4->sin_port);
4754 break;
4755 case AF_INET6:
4756 addr6 = (struct sockaddr_in6 *)address;
4757 if (addrlen < SIN6_LEN_RFC2133)
4758 return -EINVAL;
4759 snum = ntohs(addr6->sin6_port);
4760 break;
4761 default:
4762 /* Note that SCTP services expect -EINVAL, whereas
4763 * others expect -EAFNOSUPPORT.
4764 */
4765 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4766 return -EINVAL;
4767 else
4768 return -EAFNOSUPPORT;
4769 }
4770
4771 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
4772 if (err)
4773 return err;
4774
4775 switch (sksec->sclass) {
4776 case SECCLASS_TCP_SOCKET:
4777 perm = TCP_SOCKET__NAME_CONNECT;
4778 break;
4779 case SECCLASS_DCCP_SOCKET:
4780 perm = DCCP_SOCKET__NAME_CONNECT;
4781 break;
4782 case SECCLASS_SCTP_SOCKET:
4783 perm = SCTP_SOCKET__NAME_CONNECT;
4784 break;
4785 }
4786
4787 ad.type = LSM_AUDIT_DATA_NET;
4788 ad.u.net = &net;
4789 ad.u.net->dport = htons(snum);
4790 ad.u.net->family = address->sa_family;
4791 err = avc_has_perm(&selinux_state,
4792 sksec->sid, sid, sksec->sclass, perm, &ad);
4793 if (err)
4794 return err;
4795 }
4796
4797 return 0;
4798 }
4799
4800 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
4801 static int selinux_socket_connect(struct socket *sock,
4802 struct sockaddr *address, int addrlen)
4803 {
4804 int err;
4805 struct sock *sk = sock->sk;
4806
4807 err = selinux_socket_connect_helper(sock, address, addrlen);
4808 if (err)
4809 return err;
4810
4811 return selinux_netlbl_socket_connect(sk, address);
4812 }
4813
4814 static int selinux_socket_listen(struct socket *sock, int backlog)
4815 {
4816 return sock_has_perm(sock->sk, SOCKET__LISTEN);
4817 }
4818
4819 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
4820 {
4821 int err;
4822 struct inode_security_struct *isec;
4823 struct inode_security_struct *newisec;
4824 u16 sclass;
4825 u32 sid;
4826
4827 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
4828 if (err)
4829 return err;
4830
4831 isec = inode_security_novalidate(SOCK_INODE(sock));
4832 spin_lock(&isec->lock);
4833 sclass = isec->sclass;
4834 sid = isec->sid;
4835 spin_unlock(&isec->lock);
4836
4837 newisec = inode_security_novalidate(SOCK_INODE(newsock));
4838 newisec->sclass = sclass;
4839 newisec->sid = sid;
4840 newisec->initialized = LABEL_INITIALIZED;
4841
4842 return 0;
4843 }
4844
4845 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4846 int size)
4847 {
4848 return sock_has_perm(sock->sk, SOCKET__WRITE);
4849 }
4850
4851 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4852 int size, int flags)
4853 {
4854 return sock_has_perm(sock->sk, SOCKET__READ);
4855 }
4856
4857 static int selinux_socket_getsockname(struct socket *sock)
4858 {
4859 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4860 }
4861
4862 static int selinux_socket_getpeername(struct socket *sock)
4863 {
4864 return sock_has_perm(sock->sk, SOCKET__GETATTR);
4865 }
4866
4867 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4868 {
4869 int err;
4870
4871 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
4872 if (err)
4873 return err;
4874
4875 return selinux_netlbl_socket_setsockopt(sock, level, optname);
4876 }
4877
4878 static int selinux_socket_getsockopt(struct socket *sock, int level,
4879 int optname)
4880 {
4881 return sock_has_perm(sock->sk, SOCKET__GETOPT);
4882 }
4883
4884 static int selinux_socket_shutdown(struct socket *sock, int how)
4885 {
4886 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
4887 }
4888
4889 static int selinux_socket_unix_stream_connect(struct sock *sock,
4890 struct sock *other,
4891 struct sock *newsk)
4892 {
4893 struct sk_security_struct *sksec_sock = sock->sk_security;
4894 struct sk_security_struct *sksec_other = other->sk_security;
4895 struct sk_security_struct *sksec_new = newsk->sk_security;
4896 struct common_audit_data ad;
4897 struct lsm_network_audit net = {0,};
4898 int err;
4899
4900 ad.type = LSM_AUDIT_DATA_NET;
4901 ad.u.net = &net;
4902 ad.u.net->sk = other;
4903
4904 err = avc_has_perm(&selinux_state,
4905 sksec_sock->sid, sksec_other->sid,
4906 sksec_other->sclass,
4907 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4908 if (err)
4909 return err;
4910
4911 /* server child socket */
4912 sksec_new->peer_sid = sksec_sock->sid;
4913 err = security_sid_mls_copy(&selinux_state, sksec_other->sid,
4914 sksec_sock->sid, &sksec_new->sid);
4915 if (err)
4916 return err;
4917
4918 /* connecting socket */
4919 sksec_sock->peer_sid = sksec_new->sid;
4920
4921 return 0;
4922 }
4923
4924 static int selinux_socket_unix_may_send(struct socket *sock,
4925 struct socket *other)
4926 {
4927 struct sk_security_struct *ssec = sock->sk->sk_security;
4928 struct sk_security_struct *osec = other->sk->sk_security;
4929 struct common_audit_data ad;
4930 struct lsm_network_audit net = {0,};
4931
4932 ad.type = LSM_AUDIT_DATA_NET;
4933 ad.u.net = &net;
4934 ad.u.net->sk = other->sk;
4935
4936 return avc_has_perm(&selinux_state,
4937 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
4938 &ad);
4939 }
4940
4941 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
4942 char *addrp, u16 family, u32 peer_sid,
4943 struct common_audit_data *ad)
4944 {
4945 int err;
4946 u32 if_sid;
4947 u32 node_sid;
4948
4949 err = sel_netif_sid(ns, ifindex, &if_sid);
4950 if (err)
4951 return err;
4952 err = avc_has_perm(&selinux_state,
4953 peer_sid, if_sid,
4954 SECCLASS_NETIF, NETIF__INGRESS, ad);
4955 if (err)
4956 return err;
4957
4958 err = sel_netnode_sid(addrp, family, &node_sid);
4959 if (err)
4960 return err;
4961 return avc_has_perm(&selinux_state,
4962 peer_sid, node_sid,
4963 SECCLASS_NODE, NODE__RECVFROM, ad);
4964 }
4965
4966 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4967 u16 family)
4968 {
4969 int err = 0;
4970 struct sk_security_struct *sksec = sk->sk_security;
4971 u32 sk_sid = sksec->sid;
4972 struct common_audit_data ad;
4973 struct lsm_network_audit net = {0,};
4974 char *addrp;
4975
4976 ad.type = LSM_AUDIT_DATA_NET;
4977 ad.u.net = &net;
4978 ad.u.net->netif = skb->skb_iif;
4979 ad.u.net->family = family;
4980 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4981 if (err)
4982 return err;
4983
4984 if (selinux_secmark_enabled()) {
4985 err = avc_has_perm(&selinux_state,
4986 sk_sid, skb->secmark, SECCLASS_PACKET,
4987 PACKET__RECV, &ad);
4988 if (err)
4989 return err;
4990 }
4991
4992 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4993 if (err)
4994 return err;
4995 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4996
4997 return err;
4998 }
4999
5000 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5001 {
5002 int err;
5003 struct sk_security_struct *sksec = sk->sk_security;
5004 u16 family = sk->sk_family;
5005 u32 sk_sid = sksec->sid;
5006 struct common_audit_data ad;
5007 struct lsm_network_audit net = {0,};
5008 char *addrp;
5009 u8 secmark_active;
5010 u8 peerlbl_active;
5011
5012 if (family != PF_INET && family != PF_INET6)
5013 return 0;
5014
5015 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5016 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5017 family = PF_INET;
5018
5019 /* If any sort of compatibility mode is enabled then handoff processing
5020 * to the selinux_sock_rcv_skb_compat() function to deal with the
5021 * special handling. We do this in an attempt to keep this function
5022 * as fast and as clean as possible. */
5023 if (!selinux_policycap_netpeer())
5024 return selinux_sock_rcv_skb_compat(sk, skb, family);
5025
5026 secmark_active = selinux_secmark_enabled();
5027 peerlbl_active = selinux_peerlbl_enabled();
5028 if (!secmark_active && !peerlbl_active)
5029 return 0;
5030
5031 ad.type = LSM_AUDIT_DATA_NET;
5032 ad.u.net = &net;
5033 ad.u.net->netif = skb->skb_iif;
5034 ad.u.net->family = family;
5035 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5036 if (err)
5037 return err;
5038
5039 if (peerlbl_active) {
5040 u32 peer_sid;
5041
5042 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5043 if (err)
5044 return err;
5045 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5046 addrp, family, peer_sid, &ad);
5047 if (err) {
5048 selinux_netlbl_err(skb, family, err, 0);
5049 return err;
5050 }
5051 err = avc_has_perm(&selinux_state,
5052 sk_sid, peer_sid, SECCLASS_PEER,
5053 PEER__RECV, &ad);
5054 if (err) {
5055 selinux_netlbl_err(skb, family, err, 0);
5056 return err;
5057 }
5058 }
5059
5060 if (secmark_active) {
5061 err = avc_has_perm(&selinux_state,
5062 sk_sid, skb->secmark, SECCLASS_PACKET,
5063 PACKET__RECV, &ad);
5064 if (err)
5065 return err;
5066 }
5067
5068 return err;
5069 }
5070
5071 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
5072 int __user *optlen, unsigned len)
5073 {
5074 int err = 0;
5075 char *scontext;
5076 u32 scontext_len;
5077 struct sk_security_struct *sksec = sock->sk->sk_security;
5078 u32 peer_sid = SECSID_NULL;
5079
5080 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5081 sksec->sclass == SECCLASS_TCP_SOCKET ||
5082 sksec->sclass == SECCLASS_SCTP_SOCKET)
5083 peer_sid = sksec->peer_sid;
5084 if (peer_sid == SECSID_NULL)
5085 return -ENOPROTOOPT;
5086
5087 err = security_sid_to_context(&selinux_state, peer_sid, &scontext,
5088 &scontext_len);
5089 if (err)
5090 return err;
5091
5092 if (scontext_len > len) {
5093 err = -ERANGE;
5094 goto out_len;
5095 }
5096
5097 if (copy_to_user(optval, scontext, scontext_len))
5098 err = -EFAULT;
5099
5100 out_len:
5101 if (put_user(scontext_len, optlen))
5102 err = -EFAULT;
5103 kfree(scontext);
5104 return err;
5105 }
5106
5107 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
5108 {
5109 u32 peer_secid = SECSID_NULL;
5110 u16 family;
5111 struct inode_security_struct *isec;
5112
5113 if (skb && skb->protocol == htons(ETH_P_IP))
5114 family = PF_INET;
5115 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5116 family = PF_INET6;
5117 else if (sock)
5118 family = sock->sk->sk_family;
5119 else
5120 goto out;
5121
5122 if (sock && family == PF_UNIX) {
5123 isec = inode_security_novalidate(SOCK_INODE(sock));
5124 peer_secid = isec->sid;
5125 } else if (skb)
5126 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5127
5128 out:
5129 *secid = peer_secid;
5130 if (peer_secid == SECSID_NULL)
5131 return -EINVAL;
5132 return 0;
5133 }
5134
5135 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5136 {
5137 struct sk_security_struct *sksec;
5138
5139 sksec = kzalloc(sizeof(*sksec), priority);
5140 if (!sksec)
5141 return -ENOMEM;
5142
5143 sksec->peer_sid = SECINITSID_UNLABELED;
5144 sksec->sid = SECINITSID_UNLABELED;
5145 sksec->sclass = SECCLASS_SOCKET;
5146 selinux_netlbl_sk_security_reset(sksec);
5147 sk->sk_security = sksec;
5148
5149 return 0;
5150 }
5151
5152 static void selinux_sk_free_security(struct sock *sk)
5153 {
5154 struct sk_security_struct *sksec = sk->sk_security;
5155
5156 sk->sk_security = NULL;
5157 selinux_netlbl_sk_security_free(sksec);
5158 kfree(sksec);
5159 }
5160
5161 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5162 {
5163 struct sk_security_struct *sksec = sk->sk_security;
5164 struct sk_security_struct *newsksec = newsk->sk_security;
5165
5166 newsksec->sid = sksec->sid;
5167 newsksec->peer_sid = sksec->peer_sid;
5168 newsksec->sclass = sksec->sclass;
5169
5170 selinux_netlbl_sk_security_reset(newsksec);
5171 }
5172
5173 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
5174 {
5175 if (!sk)
5176 *secid = SECINITSID_ANY_SOCKET;
5177 else {
5178 struct sk_security_struct *sksec = sk->sk_security;
5179
5180 *secid = sksec->sid;
5181 }
5182 }
5183
5184 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5185 {
5186 struct inode_security_struct *isec =
5187 inode_security_novalidate(SOCK_INODE(parent));
5188 struct sk_security_struct *sksec = sk->sk_security;
5189
5190 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5191 sk->sk_family == PF_UNIX)
5192 isec->sid = sksec->sid;
5193 sksec->sclass = isec->sclass;
5194 }
5195
5196 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming
5197 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association
5198 * already present).
5199 */
5200 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
5201 struct sk_buff *skb)
5202 {
5203 struct sk_security_struct *sksec = ep->base.sk->sk_security;
5204 struct common_audit_data ad;
5205 struct lsm_network_audit net = {0,};
5206 u8 peerlbl_active;
5207 u32 peer_sid = SECINITSID_UNLABELED;
5208 u32 conn_sid;
5209 int err = 0;
5210
5211 if (!selinux_policycap_extsockclass())
5212 return 0;
5213
5214 peerlbl_active = selinux_peerlbl_enabled();
5215
5216 if (peerlbl_active) {
5217 /* This will return peer_sid = SECSID_NULL if there are
5218 * no peer labels, see security_net_peersid_resolve().
5219 */
5220 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
5221 &peer_sid);
5222 if (err)
5223 return err;
5224
5225 if (peer_sid == SECSID_NULL)
5226 peer_sid = SECINITSID_UNLABELED;
5227 }
5228
5229 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5230 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5231
5232 /* Here as first association on socket. As the peer SID
5233 * was allowed by peer recv (and the netif/node checks),
5234 * then it is approved by policy and used as the primary
5235 * peer SID for getpeercon(3).
5236 */
5237 sksec->peer_sid = peer_sid;
5238 } else if (sksec->peer_sid != peer_sid) {
5239 /* Other association peer SIDs are checked to enforce
5240 * consistency among the peer SIDs.
5241 */
5242 ad.type = LSM_AUDIT_DATA_NET;
5243 ad.u.net = &net;
5244 ad.u.net->sk = ep->base.sk;
5245 err = avc_has_perm(&selinux_state,
5246 sksec->peer_sid, peer_sid, sksec->sclass,
5247 SCTP_SOCKET__ASSOCIATION, &ad);
5248 if (err)
5249 return err;
5250 }
5251
5252 /* Compute the MLS component for the connection and store
5253 * the information in ep. This will be used by SCTP TCP type
5254 * sockets and peeled off connections as they cause a new
5255 * socket to be generated. selinux_sctp_sk_clone() will then
5256 * plug this into the new socket.
5257 */
5258 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
5259 if (err)
5260 return err;
5261
5262 ep->secid = conn_sid;
5263 ep->peer_secid = peer_sid;
5264
5265 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5266 return selinux_netlbl_sctp_assoc_request(ep, skb);
5267 }
5268
5269 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5270 * based on their @optname.
5271 */
5272 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5273 struct sockaddr *address,
5274 int addrlen)
5275 {
5276 int len, err = 0, walk_size = 0;
5277 void *addr_buf;
5278 struct sockaddr *addr;
5279 struct socket *sock;
5280
5281 if (!selinux_policycap_extsockclass())
5282 return 0;
5283
5284 /* Process one or more addresses that may be IPv4 or IPv6 */
5285 sock = sk->sk_socket;
5286 addr_buf = address;
5287
5288 while (walk_size < addrlen) {
5289 if (walk_size + sizeof(sa_family_t) > addrlen)
5290 return -EINVAL;
5291
5292 addr = addr_buf;
5293 switch (addr->sa_family) {
5294 case AF_UNSPEC:
5295 case AF_INET:
5296 len = sizeof(struct sockaddr_in);
5297 break;
5298 case AF_INET6:
5299 len = sizeof(struct sockaddr_in6);
5300 break;
5301 default:
5302 return -EINVAL;
5303 }
5304
5305 if (walk_size + len > addrlen)
5306 return -EINVAL;
5307
5308 err = -EINVAL;
5309 switch (optname) {
5310 /* Bind checks */
5311 case SCTP_PRIMARY_ADDR:
5312 case SCTP_SET_PEER_PRIMARY_ADDR:
5313 case SCTP_SOCKOPT_BINDX_ADD:
5314 err = selinux_socket_bind(sock, addr, len);
5315 break;
5316 /* Connect checks */
5317 case SCTP_SOCKOPT_CONNECTX:
5318 case SCTP_PARAM_SET_PRIMARY:
5319 case SCTP_PARAM_ADD_IP:
5320 case SCTP_SENDMSG_CONNECT:
5321 err = selinux_socket_connect_helper(sock, addr, len);
5322 if (err)
5323 return err;
5324
5325 /* As selinux_sctp_bind_connect() is called by the
5326 * SCTP protocol layer, the socket is already locked,
5327 * therefore selinux_netlbl_socket_connect_locked() is
5328 * is called here. The situations handled are:
5329 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5330 * whenever a new IP address is added or when a new
5331 * primary address is selected.
5332 * Note that an SCTP connect(2) call happens before
5333 * the SCTP protocol layer and is handled via
5334 * selinux_socket_connect().
5335 */
5336 err = selinux_netlbl_socket_connect_locked(sk, addr);
5337 break;
5338 }
5339
5340 if (err)
5341 return err;
5342
5343 addr_buf += len;
5344 walk_size += len;
5345 }
5346
5347 return 0;
5348 }
5349
5350 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
5351 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
5352 struct sock *newsk)
5353 {
5354 struct sk_security_struct *sksec = sk->sk_security;
5355 struct sk_security_struct *newsksec = newsk->sk_security;
5356
5357 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5358 * the non-sctp clone version.
5359 */
5360 if (!selinux_policycap_extsockclass())
5361 return selinux_sk_clone_security(sk, newsk);
5362
5363 newsksec->sid = ep->secid;
5364 newsksec->peer_sid = ep->peer_secid;
5365 newsksec->sclass = sksec->sclass;
5366 selinux_netlbl_sctp_sk_clone(sk, newsk);
5367 }
5368
5369 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
5370 struct request_sock *req)
5371 {
5372 struct sk_security_struct *sksec = sk->sk_security;
5373 int err;
5374 u16 family = req->rsk_ops->family;
5375 u32 connsid;
5376 u32 peersid;
5377
5378 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5379 if (err)
5380 return err;
5381 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5382 if (err)
5383 return err;
5384 req->secid = connsid;
5385 req->peer_secid = peersid;
5386
5387 return selinux_netlbl_inet_conn_request(req, family);
5388 }
5389
5390 static void selinux_inet_csk_clone(struct sock *newsk,
5391 const struct request_sock *req)
5392 {
5393 struct sk_security_struct *newsksec = newsk->sk_security;
5394
5395 newsksec->sid = req->secid;
5396 newsksec->peer_sid = req->peer_secid;
5397 /* NOTE: Ideally, we should also get the isec->sid for the
5398 new socket in sync, but we don't have the isec available yet.
5399 So we will wait until sock_graft to do it, by which
5400 time it will have been created and available. */
5401
5402 /* We don't need to take any sort of lock here as we are the only
5403 * thread with access to newsksec */
5404 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5405 }
5406
5407 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5408 {
5409 u16 family = sk->sk_family;
5410 struct sk_security_struct *sksec = sk->sk_security;
5411
5412 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5413 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5414 family = PF_INET;
5415
5416 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5417 }
5418
5419 static int selinux_secmark_relabel_packet(u32 sid)
5420 {
5421 const struct task_security_struct *__tsec;
5422 u32 tsid;
5423
5424 __tsec = selinux_cred(current_cred());
5425 tsid = __tsec->sid;
5426
5427 return avc_has_perm(&selinux_state,
5428 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
5429 NULL);
5430 }
5431
5432 static void selinux_secmark_refcount_inc(void)
5433 {
5434 atomic_inc(&selinux_secmark_refcount);
5435 }
5436
5437 static void selinux_secmark_refcount_dec(void)
5438 {
5439 atomic_dec(&selinux_secmark_refcount);
5440 }
5441
5442 static void selinux_req_classify_flow(const struct request_sock *req,
5443 struct flowi *fl)
5444 {
5445 fl->flowi_secid = req->secid;
5446 }
5447
5448 static int selinux_tun_dev_alloc_security(void **security)
5449 {
5450 struct tun_security_struct *tunsec;
5451
5452 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
5453 if (!tunsec)
5454 return -ENOMEM;
5455 tunsec->sid = current_sid();
5456
5457 *security = tunsec;
5458 return 0;
5459 }
5460
5461 static void selinux_tun_dev_free_security(void *security)
5462 {
5463 kfree(security);
5464 }
5465
5466 static int selinux_tun_dev_create(void)
5467 {
5468 u32 sid = current_sid();
5469
5470 /* we aren't taking into account the "sockcreate" SID since the socket
5471 * that is being created here is not a socket in the traditional sense,
5472 * instead it is a private sock, accessible only to the kernel, and
5473 * representing a wide range of network traffic spanning multiple
5474 * connections unlike traditional sockets - check the TUN driver to
5475 * get a better understanding of why this socket is special */
5476
5477 return avc_has_perm(&selinux_state,
5478 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5479 NULL);
5480 }
5481
5482 static int selinux_tun_dev_attach_queue(void *security)
5483 {
5484 struct tun_security_struct *tunsec = security;
5485
5486 return avc_has_perm(&selinux_state,
5487 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5488 TUN_SOCKET__ATTACH_QUEUE, NULL);
5489 }
5490
5491 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5492 {
5493 struct tun_security_struct *tunsec = security;
5494 struct sk_security_struct *sksec = sk->sk_security;
5495
5496 /* we don't currently perform any NetLabel based labeling here and it
5497 * isn't clear that we would want to do so anyway; while we could apply
5498 * labeling without the support of the TUN user the resulting labeled
5499 * traffic from the other end of the connection would almost certainly
5500 * cause confusion to the TUN user that had no idea network labeling
5501 * protocols were being used */
5502
5503 sksec->sid = tunsec->sid;
5504 sksec->sclass = SECCLASS_TUN_SOCKET;
5505
5506 return 0;
5507 }
5508
5509 static int selinux_tun_dev_open(void *security)
5510 {
5511 struct tun_security_struct *tunsec = security;
5512 u32 sid = current_sid();
5513 int err;
5514
5515 err = avc_has_perm(&selinux_state,
5516 sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5517 TUN_SOCKET__RELABELFROM, NULL);
5518 if (err)
5519 return err;
5520 err = avc_has_perm(&selinux_state,
5521 sid, sid, SECCLASS_TUN_SOCKET,
5522 TUN_SOCKET__RELABELTO, NULL);
5523 if (err)
5524 return err;
5525 tunsec->sid = sid;
5526
5527 return 0;
5528 }
5529
5530 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
5531 {
5532 int err = 0;
5533 u32 perm;
5534 struct nlmsghdr *nlh;
5535 struct sk_security_struct *sksec = sk->sk_security;
5536
5537 if (skb->len < NLMSG_HDRLEN) {
5538 err = -EINVAL;
5539 goto out;
5540 }
5541 nlh = nlmsg_hdr(skb);
5542
5543 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
5544 if (err) {
5545 if (err == -EINVAL) {
5546 pr_warn_ratelimited("SELinux: unrecognized netlink"
5547 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
5548 " pig=%d comm=%s\n",
5549 sk->sk_protocol, nlh->nlmsg_type,
5550 secclass_map[sksec->sclass - 1].name,
5551 task_pid_nr(current), current->comm);
5552 if (!enforcing_enabled(&selinux_state) ||
5553 security_get_allow_unknown(&selinux_state))
5554 err = 0;
5555 }
5556
5557 /* Ignore */
5558 if (err == -ENOENT)
5559 err = 0;
5560 goto out;
5561 }
5562
5563 err = sock_has_perm(sk, perm);
5564 out:
5565 return err;
5566 }
5567
5568 #ifdef CONFIG_NETFILTER
5569
5570 static unsigned int selinux_ip_forward(struct sk_buff *skb,
5571 const struct net_device *indev,
5572 u16 family)
5573 {
5574 int err;
5575 char *addrp;
5576 u32 peer_sid;
5577 struct common_audit_data ad;
5578 struct lsm_network_audit net = {0,};
5579 u8 secmark_active;
5580 u8 netlbl_active;
5581 u8 peerlbl_active;
5582
5583 if (!selinux_policycap_netpeer())
5584 return NF_ACCEPT;
5585
5586 secmark_active = selinux_secmark_enabled();
5587 netlbl_active = netlbl_enabled();
5588 peerlbl_active = selinux_peerlbl_enabled();
5589 if (!secmark_active && !peerlbl_active)
5590 return NF_ACCEPT;
5591
5592 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5593 return NF_DROP;
5594
5595 ad.type = LSM_AUDIT_DATA_NET;
5596 ad.u.net = &net;
5597 ad.u.net->netif = indev->ifindex;
5598 ad.u.net->family = family;
5599 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5600 return NF_DROP;
5601
5602 if (peerlbl_active) {
5603 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex,
5604 addrp, family, peer_sid, &ad);
5605 if (err) {
5606 selinux_netlbl_err(skb, family, err, 1);
5607 return NF_DROP;
5608 }
5609 }
5610
5611 if (secmark_active)
5612 if (avc_has_perm(&selinux_state,
5613 peer_sid, skb->secmark,
5614 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5615 return NF_DROP;
5616
5617 if (netlbl_active)
5618 /* we do this in the FORWARD path and not the POST_ROUTING
5619 * path because we want to make sure we apply the necessary
5620 * labeling before IPsec is applied so we can leverage AH
5621 * protection */
5622 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5623 return NF_DROP;
5624
5625 return NF_ACCEPT;
5626 }
5627
5628 static unsigned int selinux_ipv4_forward(void *priv,
5629 struct sk_buff *skb,
5630 const struct nf_hook_state *state)
5631 {
5632 return selinux_ip_forward(skb, state->in, PF_INET);
5633 }
5634
5635 #if IS_ENABLED(CONFIG_IPV6)
5636 static unsigned int selinux_ipv6_forward(void *priv,
5637 struct sk_buff *skb,
5638 const struct nf_hook_state *state)
5639 {
5640 return selinux_ip_forward(skb, state->in, PF_INET6);
5641 }
5642 #endif /* IPV6 */
5643
5644 static unsigned int selinux_ip_output(struct sk_buff *skb,
5645 u16 family)
5646 {
5647 struct sock *sk;
5648 u32 sid;
5649
5650 if (!netlbl_enabled())
5651 return NF_ACCEPT;
5652
5653 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5654 * because we want to make sure we apply the necessary labeling
5655 * before IPsec is applied so we can leverage AH protection */
5656 sk = skb->sk;
5657 if (sk) {
5658 struct sk_security_struct *sksec;
5659
5660 if (sk_listener(sk))
5661 /* if the socket is the listening state then this
5662 * packet is a SYN-ACK packet which means it needs to
5663 * be labeled based on the connection/request_sock and
5664 * not the parent socket. unfortunately, we can't
5665 * lookup the request_sock yet as it isn't queued on
5666 * the parent socket until after the SYN-ACK is sent.
5667 * the "solution" is to simply pass the packet as-is
5668 * as any IP option based labeling should be copied
5669 * from the initial connection request (in the IP
5670 * layer). it is far from ideal, but until we get a
5671 * security label in the packet itself this is the
5672 * best we can do. */
5673 return NF_ACCEPT;
5674
5675 /* standard practice, label using the parent socket */
5676 sksec = sk->sk_security;
5677 sid = sksec->sid;
5678 } else
5679 sid = SECINITSID_KERNEL;
5680 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
5681 return NF_DROP;
5682
5683 return NF_ACCEPT;
5684 }
5685
5686 static unsigned int selinux_ipv4_output(void *priv,
5687 struct sk_buff *skb,
5688 const struct nf_hook_state *state)
5689 {
5690 return selinux_ip_output(skb, PF_INET);
5691 }
5692
5693 #if IS_ENABLED(CONFIG_IPV6)
5694 static unsigned int selinux_ipv6_output(void *priv,
5695 struct sk_buff *skb,
5696 const struct nf_hook_state *state)
5697 {
5698 return selinux_ip_output(skb, PF_INET6);
5699 }
5700 #endif /* IPV6 */
5701
5702 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5703 int ifindex,
5704 u16 family)
5705 {
5706 struct sock *sk = skb_to_full_sk(skb);
5707 struct sk_security_struct *sksec;
5708 struct common_audit_data ad;
5709 struct lsm_network_audit net = {0,};
5710 char *addrp;
5711 u8 proto;
5712
5713 if (sk == NULL)
5714 return NF_ACCEPT;
5715 sksec = sk->sk_security;
5716
5717 ad.type = LSM_AUDIT_DATA_NET;
5718 ad.u.net = &net;
5719 ad.u.net->netif = ifindex;
5720 ad.u.net->family = family;
5721 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
5722 return NF_DROP;
5723
5724 if (selinux_secmark_enabled())
5725 if (avc_has_perm(&selinux_state,
5726 sksec->sid, skb->secmark,
5727 SECCLASS_PACKET, PACKET__SEND, &ad))
5728 return NF_DROP_ERR(-ECONNREFUSED);
5729
5730 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5731 return NF_DROP_ERR(-ECONNREFUSED);
5732
5733 return NF_ACCEPT;
5734 }
5735
5736 static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5737 const struct net_device *outdev,
5738 u16 family)
5739 {
5740 u32 secmark_perm;
5741 u32 peer_sid;
5742 int ifindex = outdev->ifindex;
5743 struct sock *sk;
5744 struct common_audit_data ad;
5745 struct lsm_network_audit net = {0,};
5746 char *addrp;
5747 u8 secmark_active;
5748 u8 peerlbl_active;
5749
5750 /* If any sort of compatibility mode is enabled then handoff processing
5751 * to the selinux_ip_postroute_compat() function to deal with the
5752 * special handling. We do this in an attempt to keep this function
5753 * as fast and as clean as possible. */
5754 if (!selinux_policycap_netpeer())
5755 return selinux_ip_postroute_compat(skb, ifindex, family);
5756
5757 secmark_active = selinux_secmark_enabled();
5758 peerlbl_active = selinux_peerlbl_enabled();
5759 if (!secmark_active && !peerlbl_active)
5760 return NF_ACCEPT;
5761
5762 sk = skb_to_full_sk(skb);
5763
5764 #ifdef CONFIG_XFRM
5765 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5766 * packet transformation so allow the packet to pass without any checks
5767 * since we'll have another chance to perform access control checks
5768 * when the packet is on it's final way out.
5769 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5770 * is NULL, in this case go ahead and apply access control.
5771 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5772 * TCP listening state we cannot wait until the XFRM processing
5773 * is done as we will miss out on the SA label if we do;
5774 * unfortunately, this means more work, but it is only once per
5775 * connection. */
5776 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5777 !(sk && sk_listener(sk)))
5778 return NF_ACCEPT;
5779 #endif
5780
5781 if (sk == NULL) {
5782 /* Without an associated socket the packet is either coming
5783 * from the kernel or it is being forwarded; check the packet
5784 * to determine which and if the packet is being forwarded
5785 * query the packet directly to determine the security label. */
5786 if (skb->skb_iif) {
5787 secmark_perm = PACKET__FORWARD_OUT;
5788 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5789 return NF_DROP;
5790 } else {
5791 secmark_perm = PACKET__SEND;
5792 peer_sid = SECINITSID_KERNEL;
5793 }
5794 } else if (sk_listener(sk)) {
5795 /* Locally generated packet but the associated socket is in the
5796 * listening state which means this is a SYN-ACK packet. In
5797 * this particular case the correct security label is assigned
5798 * to the connection/request_sock but unfortunately we can't
5799 * query the request_sock as it isn't queued on the parent
5800 * socket until after the SYN-ACK packet is sent; the only
5801 * viable choice is to regenerate the label like we do in
5802 * selinux_inet_conn_request(). See also selinux_ip_output()
5803 * for similar problems. */
5804 u32 skb_sid;
5805 struct sk_security_struct *sksec;
5806
5807 sksec = sk->sk_security;
5808 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
5809 return NF_DROP;
5810 /* At this point, if the returned skb peerlbl is SECSID_NULL
5811 * and the packet has been through at least one XFRM
5812 * transformation then we must be dealing with the "final"
5813 * form of labeled IPsec packet; since we've already applied
5814 * all of our access controls on this packet we can safely
5815 * pass the packet. */
5816 if (skb_sid == SECSID_NULL) {
5817 switch (family) {
5818 case PF_INET:
5819 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
5820 return NF_ACCEPT;
5821 break;
5822 case PF_INET6:
5823 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
5824 return NF_ACCEPT;
5825 break;
5826 default:
5827 return NF_DROP_ERR(-ECONNREFUSED);
5828 }
5829 }
5830 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
5831 return NF_DROP;
5832 secmark_perm = PACKET__SEND;
5833 } else {
5834 /* Locally generated packet, fetch the security label from the
5835 * associated socket. */
5836 struct sk_security_struct *sksec = sk->sk_security;
5837 peer_sid = sksec->sid;
5838 secmark_perm = PACKET__SEND;
5839 }
5840
5841 ad.type = LSM_AUDIT_DATA_NET;
5842 ad.u.net = &net;
5843 ad.u.net->netif = ifindex;
5844 ad.u.net->family = family;
5845 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
5846 return NF_DROP;
5847
5848 if (secmark_active)
5849 if (avc_has_perm(&selinux_state,
5850 peer_sid, skb->secmark,
5851 SECCLASS_PACKET, secmark_perm, &ad))
5852 return NF_DROP_ERR(-ECONNREFUSED);
5853
5854 if (peerlbl_active) {
5855 u32 if_sid;
5856 u32 node_sid;
5857
5858 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid))
5859 return NF_DROP;
5860 if (avc_has_perm(&selinux_state,
5861 peer_sid, if_sid,
5862 SECCLASS_NETIF, NETIF__EGRESS, &ad))
5863 return NF_DROP_ERR(-ECONNREFUSED);
5864
5865 if (sel_netnode_sid(addrp, family, &node_sid))
5866 return NF_DROP;
5867 if (avc_has_perm(&selinux_state,
5868 peer_sid, node_sid,
5869 SECCLASS_NODE, NODE__SENDTO, &ad))
5870 return NF_DROP_ERR(-ECONNREFUSED);
5871 }
5872
5873 return NF_ACCEPT;
5874 }
5875
5876 static unsigned int selinux_ipv4_postroute(void *priv,
5877 struct sk_buff *skb,
5878 const struct nf_hook_state *state)
5879 {
5880 return selinux_ip_postroute(skb, state->out, PF_INET);
5881 }
5882
5883 #if IS_ENABLED(CONFIG_IPV6)
5884 static unsigned int selinux_ipv6_postroute(void *priv,
5885 struct sk_buff *skb,
5886 const struct nf_hook_state *state)
5887 {
5888 return selinux_ip_postroute(skb, state->out, PF_INET6);
5889 }
5890 #endif /* IPV6 */
5891
5892 #endif /* CONFIG_NETFILTER */
5893
5894 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
5895 {
5896 return selinux_nlmsg_perm(sk, skb);
5897 }
5898
5899 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
5900 {
5901 isec->sclass = sclass;
5902 isec->sid = current_sid();
5903 }
5904
5905 static int msg_msg_alloc_security(struct msg_msg *msg)
5906 {
5907 struct msg_security_struct *msec;
5908
5909 msec = selinux_msg_msg(msg);
5910 msec->sid = SECINITSID_UNLABELED;
5911
5912 return 0;
5913 }
5914
5915 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
5916 u32 perms)
5917 {
5918 struct ipc_security_struct *isec;
5919 struct common_audit_data ad;
5920 u32 sid = current_sid();
5921
5922 isec = selinux_ipc(ipc_perms);
5923
5924 ad.type = LSM_AUDIT_DATA_IPC;
5925 ad.u.ipc_id = ipc_perms->key;
5926
5927 return avc_has_perm(&selinux_state,
5928 sid, isec->sid, isec->sclass, perms, &ad);
5929 }
5930
5931 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
5932 {
5933 return msg_msg_alloc_security(msg);
5934 }
5935
5936 /* message queue security operations */
5937 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
5938 {
5939 struct ipc_security_struct *isec;
5940 struct common_audit_data ad;
5941 u32 sid = current_sid();
5942 int rc;
5943
5944 isec = selinux_ipc(msq);
5945 ipc_init_security(isec, SECCLASS_MSGQ);
5946
5947 ad.type = LSM_AUDIT_DATA_IPC;
5948 ad.u.ipc_id = msq->key;
5949
5950 rc = avc_has_perm(&selinux_state,
5951 sid, isec->sid, SECCLASS_MSGQ,
5952 MSGQ__CREATE, &ad);
5953 return rc;
5954 }
5955
5956 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
5957 {
5958 struct ipc_security_struct *isec;
5959 struct common_audit_data ad;
5960 u32 sid = current_sid();
5961
5962 isec = selinux_ipc(msq);
5963
5964 ad.type = LSM_AUDIT_DATA_IPC;
5965 ad.u.ipc_id = msq->key;
5966
5967 return avc_has_perm(&selinux_state,
5968 sid, isec->sid, SECCLASS_MSGQ,
5969 MSGQ__ASSOCIATE, &ad);
5970 }
5971
5972 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
5973 {
5974 int err;
5975 int perms;
5976
5977 switch (cmd) {
5978 case IPC_INFO:
5979 case MSG_INFO:
5980 /* No specific object, just general system-wide information. */
5981 return avc_has_perm(&selinux_state,
5982 current_sid(), SECINITSID_KERNEL,
5983 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
5984 case IPC_STAT:
5985 case MSG_STAT:
5986 case MSG_STAT_ANY:
5987 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5988 break;
5989 case IPC_SET:
5990 perms = MSGQ__SETATTR;
5991 break;
5992 case IPC_RMID:
5993 perms = MSGQ__DESTROY;
5994 break;
5995 default:
5996 return 0;
5997 }
5998
5999 err = ipc_has_perm(msq, perms);
6000 return err;
6001 }
6002
6003 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6004 {
6005 struct ipc_security_struct *isec;
6006 struct msg_security_struct *msec;
6007 struct common_audit_data ad;
6008 u32 sid = current_sid();
6009 int rc;
6010
6011 isec = selinux_ipc(msq);
6012 msec = selinux_msg_msg(msg);
6013
6014 /*
6015 * First time through, need to assign label to the message
6016 */
6017 if (msec->sid == SECINITSID_UNLABELED) {
6018 /*
6019 * Compute new sid based on current process and
6020 * message queue this message will be stored in
6021 */
6022 rc = security_transition_sid(&selinux_state, sid, isec->sid,
6023 SECCLASS_MSG, NULL, &msec->sid);
6024 if (rc)
6025 return rc;
6026 }
6027
6028 ad.type = LSM_AUDIT_DATA_IPC;
6029 ad.u.ipc_id = msq->key;
6030
6031 /* Can this process write to the queue? */
6032 rc = avc_has_perm(&selinux_state,
6033 sid, isec->sid, SECCLASS_MSGQ,
6034 MSGQ__WRITE, &ad);
6035 if (!rc)
6036 /* Can this process send the message */
6037 rc = avc_has_perm(&selinux_state,
6038 sid, msec->sid, SECCLASS_MSG,
6039 MSG__SEND, &ad);
6040 if (!rc)
6041 /* Can the message be put in the queue? */
6042 rc = avc_has_perm(&selinux_state,
6043 msec->sid, isec->sid, SECCLASS_MSGQ,
6044 MSGQ__ENQUEUE, &ad);
6045
6046 return rc;
6047 }
6048
6049 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6050 struct task_struct *target,
6051 long type, int mode)
6052 {
6053 struct ipc_security_struct *isec;
6054 struct msg_security_struct *msec;
6055 struct common_audit_data ad;
6056 u32 sid = task_sid(target);
6057 int rc;
6058
6059 isec = selinux_ipc(msq);
6060 msec = selinux_msg_msg(msg);
6061
6062 ad.type = LSM_AUDIT_DATA_IPC;
6063 ad.u.ipc_id = msq->key;
6064
6065 rc = avc_has_perm(&selinux_state,
6066 sid, isec->sid,
6067 SECCLASS_MSGQ, MSGQ__READ, &ad);
6068 if (!rc)
6069 rc = avc_has_perm(&selinux_state,
6070 sid, msec->sid,
6071 SECCLASS_MSG, MSG__RECEIVE, &ad);
6072 return rc;
6073 }
6074
6075 /* Shared Memory security operations */
6076 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6077 {
6078 struct ipc_security_struct *isec;
6079 struct common_audit_data ad;
6080 u32 sid = current_sid();
6081 int rc;
6082
6083 isec = selinux_ipc(shp);
6084 ipc_init_security(isec, SECCLASS_SHM);
6085
6086 ad.type = LSM_AUDIT_DATA_IPC;
6087 ad.u.ipc_id = shp->key;
6088
6089 rc = avc_has_perm(&selinux_state,
6090 sid, isec->sid, SECCLASS_SHM,
6091 SHM__CREATE, &ad);
6092 return rc;
6093 }
6094
6095 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6096 {
6097 struct ipc_security_struct *isec;
6098 struct common_audit_data ad;
6099 u32 sid = current_sid();
6100
6101 isec = selinux_ipc(shp);
6102
6103 ad.type = LSM_AUDIT_DATA_IPC;
6104 ad.u.ipc_id = shp->key;
6105
6106 return avc_has_perm(&selinux_state,
6107 sid, isec->sid, SECCLASS_SHM,
6108 SHM__ASSOCIATE, &ad);
6109 }
6110
6111 /* Note, at this point, shp is locked down */
6112 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6113 {
6114 int perms;
6115 int err;
6116
6117 switch (cmd) {
6118 case IPC_INFO:
6119 case SHM_INFO:
6120 /* No specific object, just general system-wide information. */
6121 return avc_has_perm(&selinux_state,
6122 current_sid(), SECINITSID_KERNEL,
6123 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6124 case IPC_STAT:
6125 case SHM_STAT:
6126 case SHM_STAT_ANY:
6127 perms = SHM__GETATTR | SHM__ASSOCIATE;
6128 break;
6129 case IPC_SET:
6130 perms = SHM__SETATTR;
6131 break;
6132 case SHM_LOCK:
6133 case SHM_UNLOCK:
6134 perms = SHM__LOCK;
6135 break;
6136 case IPC_RMID:
6137 perms = SHM__DESTROY;
6138 break;
6139 default:
6140 return 0;
6141 }
6142
6143 err = ipc_has_perm(shp, perms);
6144 return err;
6145 }
6146
6147 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6148 char __user *shmaddr, int shmflg)
6149 {
6150 u32 perms;
6151
6152 if (shmflg & SHM_RDONLY)
6153 perms = SHM__READ;
6154 else
6155 perms = SHM__READ | SHM__WRITE;
6156
6157 return ipc_has_perm(shp, perms);
6158 }
6159
6160 /* Semaphore security operations */
6161 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6162 {
6163 struct ipc_security_struct *isec;
6164 struct common_audit_data ad;
6165 u32 sid = current_sid();
6166 int rc;
6167
6168 isec = selinux_ipc(sma);
6169 ipc_init_security(isec, SECCLASS_SEM);
6170
6171 ad.type = LSM_AUDIT_DATA_IPC;
6172 ad.u.ipc_id = sma->key;
6173
6174 rc = avc_has_perm(&selinux_state,
6175 sid, isec->sid, SECCLASS_SEM,
6176 SEM__CREATE, &ad);
6177 return rc;
6178 }
6179
6180 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6181 {
6182 struct ipc_security_struct *isec;
6183 struct common_audit_data ad;
6184 u32 sid = current_sid();
6185
6186 isec = selinux_ipc(sma);
6187
6188 ad.type = LSM_AUDIT_DATA_IPC;
6189 ad.u.ipc_id = sma->key;
6190
6191 return avc_has_perm(&selinux_state,
6192 sid, isec->sid, SECCLASS_SEM,
6193 SEM__ASSOCIATE, &ad);
6194 }
6195
6196 /* Note, at this point, sma is locked down */
6197 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6198 {
6199 int err;
6200 u32 perms;
6201
6202 switch (cmd) {
6203 case IPC_INFO:
6204 case SEM_INFO:
6205 /* No specific object, just general system-wide information. */
6206 return avc_has_perm(&selinux_state,
6207 current_sid(), SECINITSID_KERNEL,
6208 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6209 case GETPID:
6210 case GETNCNT:
6211 case GETZCNT:
6212 perms = SEM__GETATTR;
6213 break;
6214 case GETVAL:
6215 case GETALL:
6216 perms = SEM__READ;
6217 break;
6218 case SETVAL:
6219 case SETALL:
6220 perms = SEM__WRITE;
6221 break;
6222 case IPC_RMID:
6223 perms = SEM__DESTROY;
6224 break;
6225 case IPC_SET:
6226 perms = SEM__SETATTR;
6227 break;
6228 case IPC_STAT:
6229 case SEM_STAT:
6230 case SEM_STAT_ANY:
6231 perms = SEM__GETATTR | SEM__ASSOCIATE;
6232 break;
6233 default:
6234 return 0;
6235 }
6236
6237 err = ipc_has_perm(sma, perms);
6238 return err;
6239 }
6240
6241 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6242 struct sembuf *sops, unsigned nsops, int alter)
6243 {
6244 u32 perms;
6245
6246 if (alter)
6247 perms = SEM__READ | SEM__WRITE;
6248 else
6249 perms = SEM__READ;
6250
6251 return ipc_has_perm(sma, perms);
6252 }
6253
6254 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6255 {
6256 u32 av = 0;
6257
6258 av = 0;
6259 if (flag & S_IRUGO)
6260 av |= IPC__UNIX_READ;
6261 if (flag & S_IWUGO)
6262 av |= IPC__UNIX_WRITE;
6263
6264 if (av == 0)
6265 return 0;
6266
6267 return ipc_has_perm(ipcp, av);
6268 }
6269
6270 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
6271 {
6272 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6273 *secid = isec->sid;
6274 }
6275
6276 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6277 {
6278 if (inode)
6279 inode_doinit_with_dentry(inode, dentry);
6280 }
6281
6282 static int selinux_getprocattr(struct task_struct *p,
6283 char *name, char **value)
6284 {
6285 const struct task_security_struct *__tsec;
6286 u32 sid;
6287 int error;
6288 unsigned len;
6289
6290 rcu_read_lock();
6291 __tsec = selinux_cred(__task_cred(p));
6292
6293 if (current != p) {
6294 error = avc_has_perm(&selinux_state,
6295 current_sid(), __tsec->sid,
6296 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6297 if (error)
6298 goto bad;
6299 }
6300
6301 if (!strcmp(name, "current"))
6302 sid = __tsec->sid;
6303 else if (!strcmp(name, "prev"))
6304 sid = __tsec->osid;
6305 else if (!strcmp(name, "exec"))
6306 sid = __tsec->exec_sid;
6307 else if (!strcmp(name, "fscreate"))
6308 sid = __tsec->create_sid;
6309 else if (!strcmp(name, "keycreate"))
6310 sid = __tsec->keycreate_sid;
6311 else if (!strcmp(name, "sockcreate"))
6312 sid = __tsec->sockcreate_sid;
6313 else {
6314 error = -EINVAL;
6315 goto bad;
6316 }
6317 rcu_read_unlock();
6318
6319 if (!sid)
6320 return 0;
6321
6322 error = security_sid_to_context(&selinux_state, sid, value, &len);
6323 if (error)
6324 return error;
6325 return len;
6326
6327 bad:
6328 rcu_read_unlock();
6329 return error;
6330 }
6331
6332 static int selinux_setprocattr(const char *name, void *value, size_t size)
6333 {
6334 struct task_security_struct *tsec;
6335 struct cred *new;
6336 u32 mysid = current_sid(), sid = 0, ptsid;
6337 int error;
6338 char *str = value;
6339
6340 /*
6341 * Basic control over ability to set these attributes at all.
6342 */
6343 if (!strcmp(name, "exec"))
6344 error = avc_has_perm(&selinux_state,
6345 mysid, mysid, SECCLASS_PROCESS,
6346 PROCESS__SETEXEC, NULL);
6347 else if (!strcmp(name, "fscreate"))
6348 error = avc_has_perm(&selinux_state,
6349 mysid, mysid, SECCLASS_PROCESS,
6350 PROCESS__SETFSCREATE, NULL);
6351 else if (!strcmp(name, "keycreate"))
6352 error = avc_has_perm(&selinux_state,
6353 mysid, mysid, SECCLASS_PROCESS,
6354 PROCESS__SETKEYCREATE, NULL);
6355 else if (!strcmp(name, "sockcreate"))
6356 error = avc_has_perm(&selinux_state,
6357 mysid, mysid, SECCLASS_PROCESS,
6358 PROCESS__SETSOCKCREATE, NULL);
6359 else if (!strcmp(name, "current"))
6360 error = avc_has_perm(&selinux_state,
6361 mysid, mysid, SECCLASS_PROCESS,
6362 PROCESS__SETCURRENT, NULL);
6363 else
6364 error = -EINVAL;
6365 if (error)
6366 return error;
6367
6368 /* Obtain a SID for the context, if one was specified. */
6369 if (size && str[0] && str[0] != '\n') {
6370 if (str[size-1] == '\n') {
6371 str[size-1] = 0;
6372 size--;
6373 }
6374 error = security_context_to_sid(&selinux_state, value, size,
6375 &sid, GFP_KERNEL);
6376 if (error == -EINVAL && !strcmp(name, "fscreate")) {
6377 if (!has_cap_mac_admin(true)) {
6378 struct audit_buffer *ab;
6379 size_t audit_size;
6380
6381 /* We strip a nul only if it is at the end, otherwise the
6382 * context contains a nul and we should audit that */
6383 if (str[size - 1] == '\0')
6384 audit_size = size - 1;
6385 else
6386 audit_size = size;
6387 ab = audit_log_start(audit_context(),
6388 GFP_ATOMIC,
6389 AUDIT_SELINUX_ERR);
6390 audit_log_format(ab, "op=fscreate invalid_context=");
6391 audit_log_n_untrustedstring(ab, value, audit_size);
6392 audit_log_end(ab);
6393
6394 return error;
6395 }
6396 error = security_context_to_sid_force(
6397 &selinux_state,
6398 value, size, &sid);
6399 }
6400 if (error)
6401 return error;
6402 }
6403
6404 new = prepare_creds();
6405 if (!new)
6406 return -ENOMEM;
6407
6408 /* Permission checking based on the specified context is
6409 performed during the actual operation (execve,
6410 open/mkdir/...), when we know the full context of the
6411 operation. See selinux_bprm_set_creds for the execve
6412 checks and may_create for the file creation checks. The
6413 operation will then fail if the context is not permitted. */
6414 tsec = selinux_cred(new);
6415 if (!strcmp(name, "exec")) {
6416 tsec->exec_sid = sid;
6417 } else if (!strcmp(name, "fscreate")) {
6418 tsec->create_sid = sid;
6419 } else if (!strcmp(name, "keycreate")) {
6420 if (sid) {
6421 error = avc_has_perm(&selinux_state, mysid, sid,
6422 SECCLASS_KEY, KEY__CREATE, NULL);
6423 if (error)
6424 goto abort_change;
6425 }
6426 tsec->keycreate_sid = sid;
6427 } else if (!strcmp(name, "sockcreate")) {
6428 tsec->sockcreate_sid = sid;
6429 } else if (!strcmp(name, "current")) {
6430 error = -EINVAL;
6431 if (sid == 0)
6432 goto abort_change;
6433
6434 /* Only allow single threaded processes to change context */
6435 error = -EPERM;
6436 if (!current_is_single_threaded()) {
6437 error = security_bounded_transition(&selinux_state,
6438 tsec->sid, sid);
6439 if (error)
6440 goto abort_change;
6441 }
6442
6443 /* Check permissions for the transition. */
6444 error = avc_has_perm(&selinux_state,
6445 tsec->sid, sid, SECCLASS_PROCESS,
6446 PROCESS__DYNTRANSITION, NULL);
6447 if (error)
6448 goto abort_change;
6449
6450 /* Check for ptracing, and update the task SID if ok.
6451 Otherwise, leave SID unchanged and fail. */
6452 ptsid = ptrace_parent_sid();
6453 if (ptsid != 0) {
6454 error = avc_has_perm(&selinux_state,
6455 ptsid, sid, SECCLASS_PROCESS,
6456 PROCESS__PTRACE, NULL);
6457 if (error)
6458 goto abort_change;
6459 }
6460
6461 tsec->sid = sid;
6462 } else {
6463 error = -EINVAL;
6464 goto abort_change;
6465 }
6466
6467 commit_creds(new);
6468 return size;
6469
6470 abort_change:
6471 abort_creds(new);
6472 return error;
6473 }
6474
6475 static int selinux_ismaclabel(const char *name)
6476 {
6477 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6478 }
6479
6480 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
6481 {
6482 return security_sid_to_context(&selinux_state, secid,
6483 secdata, seclen);
6484 }
6485
6486 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6487 {
6488 return security_context_to_sid(&selinux_state, secdata, seclen,
6489 secid, GFP_KERNEL);
6490 }
6491
6492 static void selinux_release_secctx(char *secdata, u32 seclen)
6493 {
6494 kfree(secdata);
6495 }
6496
6497 static void selinux_inode_invalidate_secctx(struct inode *inode)
6498 {
6499 struct inode_security_struct *isec = selinux_inode(inode);
6500
6501 spin_lock(&isec->lock);
6502 isec->initialized = LABEL_INVALID;
6503 spin_unlock(&isec->lock);
6504 }
6505
6506 /*
6507 * called with inode->i_mutex locked
6508 */
6509 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6510 {
6511 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6512 ctx, ctxlen, 0);
6513 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6514 return rc == -EOPNOTSUPP ? 0 : rc;
6515 }
6516
6517 /*
6518 * called with inode->i_mutex locked
6519 */
6520 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6521 {
6522 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
6523 }
6524
6525 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
6526 {
6527 int len = 0;
6528 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
6529 ctx, true);
6530 if (len < 0)
6531 return len;
6532 *ctxlen = len;
6533 return 0;
6534 }
6535 #ifdef CONFIG_KEYS
6536
6537 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6538 unsigned long flags)
6539 {
6540 const struct task_security_struct *tsec;
6541 struct key_security_struct *ksec;
6542
6543 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
6544 if (!ksec)
6545 return -ENOMEM;
6546
6547 tsec = selinux_cred(cred);
6548 if (tsec->keycreate_sid)
6549 ksec->sid = tsec->keycreate_sid;
6550 else
6551 ksec->sid = tsec->sid;
6552
6553 k->security = ksec;
6554 return 0;
6555 }
6556
6557 static void selinux_key_free(struct key *k)
6558 {
6559 struct key_security_struct *ksec = k->security;
6560
6561 k->security = NULL;
6562 kfree(ksec);
6563 }
6564
6565 static int selinux_key_permission(key_ref_t key_ref,
6566 const struct cred *cred,
6567 unsigned perm)
6568 {
6569 struct key *key;
6570 struct key_security_struct *ksec;
6571 u32 sid;
6572
6573 /* if no specific permissions are requested, we skip the
6574 permission check. No serious, additional covert channels
6575 appear to be created. */
6576 if (perm == 0)
6577 return 0;
6578
6579 sid = cred_sid(cred);
6580
6581 key = key_ref_to_ptr(key_ref);
6582 ksec = key->security;
6583
6584 return avc_has_perm(&selinux_state,
6585 sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6586 }
6587
6588 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6589 {
6590 struct key_security_struct *ksec = key->security;
6591 char *context = NULL;
6592 unsigned len;
6593 int rc;
6594
6595 rc = security_sid_to_context(&selinux_state, ksec->sid,
6596 &context, &len);
6597 if (!rc)
6598 rc = len;
6599 *_buffer = context;
6600 return rc;
6601 }
6602 #endif
6603
6604 #ifdef CONFIG_SECURITY_INFINIBAND
6605 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6606 {
6607 struct common_audit_data ad;
6608 int err;
6609 u32 sid = 0;
6610 struct ib_security_struct *sec = ib_sec;
6611 struct lsm_ibpkey_audit ibpkey;
6612
6613 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6614 if (err)
6615 return err;
6616
6617 ad.type = LSM_AUDIT_DATA_IBPKEY;
6618 ibpkey.subnet_prefix = subnet_prefix;
6619 ibpkey.pkey = pkey_val;
6620 ad.u.ibpkey = &ibpkey;
6621 return avc_has_perm(&selinux_state,
6622 sec->sid, sid,
6623 SECCLASS_INFINIBAND_PKEY,
6624 INFINIBAND_PKEY__ACCESS, &ad);
6625 }
6626
6627 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6628 u8 port_num)
6629 {
6630 struct common_audit_data ad;
6631 int err;
6632 u32 sid = 0;
6633 struct ib_security_struct *sec = ib_sec;
6634 struct lsm_ibendport_audit ibendport;
6635
6636 err = security_ib_endport_sid(&selinux_state, dev_name, port_num,
6637 &sid);
6638
6639 if (err)
6640 return err;
6641
6642 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6643 strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
6644 ibendport.port = port_num;
6645 ad.u.ibendport = &ibendport;
6646 return avc_has_perm(&selinux_state,
6647 sec->sid, sid,
6648 SECCLASS_INFINIBAND_ENDPORT,
6649 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6650 }
6651
6652 static int selinux_ib_alloc_security(void **ib_sec)
6653 {
6654 struct ib_security_struct *sec;
6655
6656 sec = kzalloc(sizeof(*sec), GFP_KERNEL);
6657 if (!sec)
6658 return -ENOMEM;
6659 sec->sid = current_sid();
6660
6661 *ib_sec = sec;
6662 return 0;
6663 }
6664
6665 static void selinux_ib_free_security(void *ib_sec)
6666 {
6667 kfree(ib_sec);
6668 }
6669 #endif
6670
6671 #ifdef CONFIG_BPF_SYSCALL
6672 static int selinux_bpf(int cmd, union bpf_attr *attr,
6673 unsigned int size)
6674 {
6675 u32 sid = current_sid();
6676 int ret;
6677
6678 switch (cmd) {
6679 case BPF_MAP_CREATE:
6680 ret = avc_has_perm(&selinux_state,
6681 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
6682 NULL);
6683 break;
6684 case BPF_PROG_LOAD:
6685 ret = avc_has_perm(&selinux_state,
6686 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
6687 NULL);
6688 break;
6689 default:
6690 ret = 0;
6691 break;
6692 }
6693
6694 return ret;
6695 }
6696
6697 static u32 bpf_map_fmode_to_av(fmode_t fmode)
6698 {
6699 u32 av = 0;
6700
6701 if (fmode & FMODE_READ)
6702 av |= BPF__MAP_READ;
6703 if (fmode & FMODE_WRITE)
6704 av |= BPF__MAP_WRITE;
6705 return av;
6706 }
6707
6708 /* This function will check the file pass through unix socket or binder to see
6709 * if it is a bpf related object. And apply correspinding checks on the bpf
6710 * object based on the type. The bpf maps and programs, not like other files and
6711 * socket, are using a shared anonymous inode inside the kernel as their inode.
6712 * So checking that inode cannot identify if the process have privilege to
6713 * access the bpf object and that's why we have to add this additional check in
6714 * selinux_file_receive and selinux_binder_transfer_files.
6715 */
6716 static int bpf_fd_pass(struct file *file, u32 sid)
6717 {
6718 struct bpf_security_struct *bpfsec;
6719 struct bpf_prog *prog;
6720 struct bpf_map *map;
6721 int ret;
6722
6723 if (file->f_op == &bpf_map_fops) {
6724 map = file->private_data;
6725 bpfsec = map->security;
6726 ret = avc_has_perm(&selinux_state,
6727 sid, bpfsec->sid, SECCLASS_BPF,
6728 bpf_map_fmode_to_av(file->f_mode), NULL);
6729 if (ret)
6730 return ret;
6731 } else if (file->f_op == &bpf_prog_fops) {
6732 prog = file->private_data;
6733 bpfsec = prog->aux->security;
6734 ret = avc_has_perm(&selinux_state,
6735 sid, bpfsec->sid, SECCLASS_BPF,
6736 BPF__PROG_RUN, NULL);
6737 if (ret)
6738 return ret;
6739 }
6740 return 0;
6741 }
6742
6743 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
6744 {
6745 u32 sid = current_sid();
6746 struct bpf_security_struct *bpfsec;
6747
6748 bpfsec = map->security;
6749 return avc_has_perm(&selinux_state,
6750 sid, bpfsec->sid, SECCLASS_BPF,
6751 bpf_map_fmode_to_av(fmode), NULL);
6752 }
6753
6754 static int selinux_bpf_prog(struct bpf_prog *prog)
6755 {
6756 u32 sid = current_sid();
6757 struct bpf_security_struct *bpfsec;
6758
6759 bpfsec = prog->aux->security;
6760 return avc_has_perm(&selinux_state,
6761 sid, bpfsec->sid, SECCLASS_BPF,
6762 BPF__PROG_RUN, NULL);
6763 }
6764
6765 static int selinux_bpf_map_alloc(struct bpf_map *map)
6766 {
6767 struct bpf_security_struct *bpfsec;
6768
6769 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6770 if (!bpfsec)
6771 return -ENOMEM;
6772
6773 bpfsec->sid = current_sid();
6774 map->security = bpfsec;
6775
6776 return 0;
6777 }
6778
6779 static void selinux_bpf_map_free(struct bpf_map *map)
6780 {
6781 struct bpf_security_struct *bpfsec = map->security;
6782
6783 map->security = NULL;
6784 kfree(bpfsec);
6785 }
6786
6787 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
6788 {
6789 struct bpf_security_struct *bpfsec;
6790
6791 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
6792 if (!bpfsec)
6793 return -ENOMEM;
6794
6795 bpfsec->sid = current_sid();
6796 aux->security = bpfsec;
6797
6798 return 0;
6799 }
6800
6801 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
6802 {
6803 struct bpf_security_struct *bpfsec = aux->security;
6804
6805 aux->security = NULL;
6806 kfree(bpfsec);
6807 }
6808 #endif
6809
6810 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
6811 .lbs_cred = sizeof(struct task_security_struct),
6812 .lbs_file = sizeof(struct file_security_struct),
6813 .lbs_inode = sizeof(struct inode_security_struct),
6814 .lbs_ipc = sizeof(struct ipc_security_struct),
6815 .lbs_msg_msg = sizeof(struct msg_security_struct),
6816 };
6817
6818 #ifdef CONFIG_PERF_EVENTS
6819 static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
6820 {
6821 u32 requested, sid = current_sid();
6822
6823 if (type == PERF_SECURITY_OPEN)
6824 requested = PERF_EVENT__OPEN;
6825 else if (type == PERF_SECURITY_CPU)
6826 requested = PERF_EVENT__CPU;
6827 else if (type == PERF_SECURITY_KERNEL)
6828 requested = PERF_EVENT__KERNEL;
6829 else if (type == PERF_SECURITY_TRACEPOINT)
6830 requested = PERF_EVENT__TRACEPOINT;
6831 else
6832 return -EINVAL;
6833
6834 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT,
6835 requested, NULL);
6836 }
6837
6838 static int selinux_perf_event_alloc(struct perf_event *event)
6839 {
6840 struct perf_event_security_struct *perfsec;
6841
6842 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL);
6843 if (!perfsec)
6844 return -ENOMEM;
6845
6846 perfsec->sid = current_sid();
6847 event->security = perfsec;
6848
6849 return 0;
6850 }
6851
6852 static void selinux_perf_event_free(struct perf_event *event)
6853 {
6854 struct perf_event_security_struct *perfsec = event->security;
6855
6856 event->security = NULL;
6857 kfree(perfsec);
6858 }
6859
6860 static int selinux_perf_event_read(struct perf_event *event)
6861 {
6862 struct perf_event_security_struct *perfsec = event->security;
6863 u32 sid = current_sid();
6864
6865 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6866 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
6867 }
6868
6869 static int selinux_perf_event_write(struct perf_event *event)
6870 {
6871 struct perf_event_security_struct *perfsec = event->security;
6872 u32 sid = current_sid();
6873
6874 return avc_has_perm(&selinux_state, sid, perfsec->sid,
6875 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
6876 }
6877 #endif
6878
6879 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6880 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
6881 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
6882 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
6883 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
6884
6885 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
6886 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
6887 LSM_HOOK_INIT(capget, selinux_capget),
6888 LSM_HOOK_INIT(capset, selinux_capset),
6889 LSM_HOOK_INIT(capable, selinux_capable),
6890 LSM_HOOK_INIT(quotactl, selinux_quotactl),
6891 LSM_HOOK_INIT(quota_on, selinux_quota_on),
6892 LSM_HOOK_INIT(syslog, selinux_syslog),
6893 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
6894
6895 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
6896
6897 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
6898 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
6899 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
6900
6901 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
6902 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
6903
6904 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
6905 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
6906 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
6907 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
6908 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
6909 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
6910 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
6911 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
6912 LSM_HOOK_INIT(sb_mount, selinux_mount),
6913 LSM_HOOK_INIT(sb_umount, selinux_umount),
6914 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
6915 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
6916 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt),
6917
6918 LSM_HOOK_INIT(move_mount, selinux_move_mount),
6919
6920 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
6921 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
6922
6923 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
6924 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
6925 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
6926 LSM_HOOK_INIT(inode_create, selinux_inode_create),
6927 LSM_HOOK_INIT(inode_link, selinux_inode_link),
6928 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
6929 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
6930 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
6931 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
6932 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
6933 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
6934 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
6935 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
6936 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
6937 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
6938 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
6939 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
6940 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
6941 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
6942 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
6943 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
6944 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
6945 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
6946 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
6947 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
6948 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
6949 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
6950 LSM_HOOK_INIT(path_notify, selinux_path_notify),
6951
6952 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
6953
6954 LSM_HOOK_INIT(file_permission, selinux_file_permission),
6955 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
6956 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
6957 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
6958 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
6959 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
6960 LSM_HOOK_INIT(file_lock, selinux_file_lock),
6961 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
6962 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
6963 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
6964 LSM_HOOK_INIT(file_receive, selinux_file_receive),
6965
6966 LSM_HOOK_INIT(file_open, selinux_file_open),
6967
6968 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
6969 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
6970 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
6971 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
6972 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
6973 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
6974 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
6975 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
6976 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
6977 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
6978 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
6979 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
6980 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid),
6981 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
6982 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
6983 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
6984 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
6985 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
6986 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
6987 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
6988 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
6989 LSM_HOOK_INIT(task_kill, selinux_task_kill),
6990 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
6991
6992 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
6993 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
6994
6995 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
6996
6997 LSM_HOOK_INIT(msg_queue_alloc_security,
6998 selinux_msg_queue_alloc_security),
6999 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7000 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7001 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7002 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7003
7004 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7005 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7006 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7007 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7008
7009 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7010 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7011 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7012 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7013
7014 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7015
7016 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7017 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7018
7019 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7020 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7021 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7022 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7023 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7024 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7025 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7026 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7027
7028 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7029 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7030
7031 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7032 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7033 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7034 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7035 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7036 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7037 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7038 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7039 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7040 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7041 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7042 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7043 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7044 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7045 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7046 LSM_HOOK_INIT(socket_getpeersec_stream,
7047 selinux_socket_getpeersec_stream),
7048 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7049 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7050 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7051 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7052 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7053 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7054 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7055 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7056 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7057 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7058 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7059 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7060 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7061 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7062 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7063 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7064 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7065 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
7066 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7067 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7068 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7069 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7070 #ifdef CONFIG_SECURITY_INFINIBAND
7071 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7072 LSM_HOOK_INIT(ib_endport_manage_subnet,
7073 selinux_ib_endport_manage_subnet),
7074 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7075 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
7076 #endif
7077 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7078 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7079 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7080 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7081 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7082 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7083 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7084 selinux_xfrm_state_alloc_acquire),
7085 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7086 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7087 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7088 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7089 selinux_xfrm_state_pol_flow_match),
7090 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7091 #endif
7092
7093 #ifdef CONFIG_KEYS
7094 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7095 LSM_HOOK_INIT(key_free, selinux_key_free),
7096 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7097 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7098 #endif
7099
7100 #ifdef CONFIG_AUDIT
7101 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7102 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7103 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7104 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7105 #endif
7106
7107 #ifdef CONFIG_BPF_SYSCALL
7108 LSM_HOOK_INIT(bpf, selinux_bpf),
7109 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7110 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7111 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc),
7112 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc),
7113 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
7114 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
7115 #endif
7116
7117 #ifdef CONFIG_PERF_EVENTS
7118 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7119 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7120 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free),
7121 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7122 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7123 #endif
7124 };
7125
7126 static __init int selinux_init(void)
7127 {
7128 pr_info("SELinux: Initializing.\n");
7129
7130 memset(&selinux_state, 0, sizeof(selinux_state));
7131 enforcing_set(&selinux_state, selinux_enforcing_boot);
7132 selinux_state.checkreqprot = selinux_checkreqprot_boot;
7133 selinux_ss_init(&selinux_state.ss);
7134 selinux_avc_init(&selinux_state.avc);
7135
7136 /* Set the security state for the initial task. */
7137 cred_init_security();
7138
7139 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7140
7141 avc_init();
7142
7143 avtab_cache_init();
7144
7145 ebitmap_cache_init();
7146
7147 hashtab_cache_init();
7148
7149 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
7150
7151 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7152 panic("SELinux: Unable to register AVC netcache callback\n");
7153
7154 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7155 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7156
7157 if (selinux_enforcing_boot)
7158 pr_debug("SELinux: Starting in enforcing mode\n");
7159 else
7160 pr_debug("SELinux: Starting in permissive mode\n");
7161
7162 fs_validate_description(&selinux_fs_parameters);
7163
7164 return 0;
7165 }
7166
7167 static void delayed_superblock_init(struct super_block *sb, void *unused)
7168 {
7169 selinux_set_mnt_opts(sb, NULL, 0, NULL);
7170 }
7171
7172 void selinux_complete_init(void)
7173 {
7174 pr_debug("SELinux: Completing initialization.\n");
7175
7176 /* Set up any superblocks initialized prior to the policy load. */
7177 pr_debug("SELinux: Setting up existing superblocks.\n");
7178 iterate_supers(delayed_superblock_init, NULL);
7179 }
7180
7181 /* SELinux requires early initialization in order to label
7182 all processes and objects when they are created. */
7183 DEFINE_LSM(selinux) = {
7184 .name = "selinux",
7185 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7186 .enabled = &selinux_enabled,
7187 .blobs = &selinux_blob_sizes,
7188 .init = selinux_init,
7189 };
7190
7191 #if defined(CONFIG_NETFILTER)
7192
7193 static const struct nf_hook_ops selinux_nf_ops[] = {
7194 {
7195 .hook = selinux_ipv4_postroute,
7196 .pf = NFPROTO_IPV4,
7197 .hooknum = NF_INET_POST_ROUTING,
7198 .priority = NF_IP_PRI_SELINUX_LAST,
7199 },
7200 {
7201 .hook = selinux_ipv4_forward,
7202 .pf = NFPROTO_IPV4,
7203 .hooknum = NF_INET_FORWARD,
7204 .priority = NF_IP_PRI_SELINUX_FIRST,
7205 },
7206 {
7207 .hook = selinux_ipv4_output,
7208 .pf = NFPROTO_IPV4,
7209 .hooknum = NF_INET_LOCAL_OUT,
7210 .priority = NF_IP_PRI_SELINUX_FIRST,
7211 },
7212 #if IS_ENABLED(CONFIG_IPV6)
7213 {
7214 .hook = selinux_ipv6_postroute,
7215 .pf = NFPROTO_IPV6,
7216 .hooknum = NF_INET_POST_ROUTING,
7217 .priority = NF_IP6_PRI_SELINUX_LAST,
7218 },
7219 {
7220 .hook = selinux_ipv6_forward,
7221 .pf = NFPROTO_IPV6,
7222 .hooknum = NF_INET_FORWARD,
7223 .priority = NF_IP6_PRI_SELINUX_FIRST,
7224 },
7225 {
7226 .hook = selinux_ipv6_output,
7227 .pf = NFPROTO_IPV6,
7228 .hooknum = NF_INET_LOCAL_OUT,
7229 .priority = NF_IP6_PRI_SELINUX_FIRST,
7230 },
7231 #endif /* IPV6 */
7232 };
7233
7234 static int __net_init selinux_nf_register(struct net *net)
7235 {
7236 return nf_register_net_hooks(net, selinux_nf_ops,
7237 ARRAY_SIZE(selinux_nf_ops));
7238 }
7239
7240 static void __net_exit selinux_nf_unregister(struct net *net)
7241 {
7242 nf_unregister_net_hooks(net, selinux_nf_ops,
7243 ARRAY_SIZE(selinux_nf_ops));
7244 }
7245
7246 static struct pernet_operations selinux_net_ops = {
7247 .init = selinux_nf_register,
7248 .exit = selinux_nf_unregister,
7249 };
7250
7251 static int __init selinux_nf_ip_init(void)
7252 {
7253 int err;
7254
7255 if (!selinux_enabled)
7256 return 0;
7257
7258 pr_debug("SELinux: Registering netfilter hooks\n");
7259
7260 err = register_pernet_subsys(&selinux_net_ops);
7261 if (err)
7262 panic("SELinux: register_pernet_subsys: error %d\n", err);
7263
7264 return 0;
7265 }
7266 __initcall(selinux_nf_ip_init);
7267
7268 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7269 static void selinux_nf_ip_exit(void)
7270 {
7271 pr_debug("SELinux: Unregistering netfilter hooks\n");
7272
7273 unregister_pernet_subsys(&selinux_net_ops);
7274 }
7275 #endif
7276
7277 #else /* CONFIG_NETFILTER */
7278
7279 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7280 #define selinux_nf_ip_exit()
7281 #endif
7282
7283 #endif /* CONFIG_NETFILTER */
7284
7285 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
7286 int selinux_disable(struct selinux_state *state)
7287 {
7288 if (state->initialized) {
7289 /* Not permitted after initial policy load. */
7290 return -EINVAL;
7291 }
7292
7293 if (state->disabled) {
7294 /* Only do this once. */
7295 return -EINVAL;
7296 }
7297
7298 state->disabled = 1;
7299
7300 pr_info("SELinux: Disabled at runtime.\n");
7301
7302 selinux_enabled = 0;
7303
7304 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
7305
7306 /* Try to destroy the avc node cache */
7307 avc_disable();
7308
7309 /* Unregister netfilter hooks. */
7310 selinux_nf_ip_exit();
7311
7312 /* Unregister selinuxfs. */
7313 exit_sel_fs();
7314
7315 return 0;
7316 }
7317 #endif
Linux with added FPC-III support