1 // SPDX-License-Identifier: GPL-2.0-only 2 /* Updated: Karl MacMillan <kmacmillan@tresys.com> 3 * 4 * Added conditional policy language extensions 5 * 6 * Updated: Hewlett-Packard <paul@paul-moore.com> 7 * 8 * Added support for the policy capability bitmap 9 * 10 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. 11 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 12 * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 */ 14 15 #include <linux/kernel.h> 16 #include <linux/pagemap.h> 17 #include <linux/slab.h> 18 #include <linux/vmalloc.h> 19 #include <linux/fs.h> 20 #include <linux/fs_context.h> 21 #include <linux/hex.h> 22 #include <linux/mount.h> 23 #include <linux/mutex.h> 24 #include <linux/namei.h> 25 #include <linux/init.h> 26 #include <linux/string.h> 27 #include <linux/security.h> 28 #include <linux/major.h> 29 #include <linux/seq_file.h> 30 #include <linux/percpu.h> 31 #include <linux/audit.h> 32 #include <linux/uaccess.h> 33 #include <linux/kobject.h> 34 #include <linux/ctype.h> 35 36 /* selinuxfs pseudo filesystem for exporting the security policy API. 37 Based on the proc code and the fs/nfsd/nfsctl.c code. */ 38 39 #include "initcalls.h" 40 #include "flask.h" 41 #include "avc.h" 42 #include "avc_ss.h" 43 #include "security.h" 44 #include "objsec.h" 45 #include "conditional.h" 46 #include "ima.h" 47 48 enum sel_inos { 49 SEL_ROOT_INO = 2, 50 SEL_LOAD, /* load policy */ 51 SEL_ENFORCE, /* get or set enforcing status */ 52 SEL_CONTEXT, /* validate context */ 53 SEL_ACCESS, /* compute access decision */ 54 SEL_CREATE, /* compute create labeling decision */ 55 SEL_RELABEL, /* compute relabeling decision */ 56 SEL_USER, /* compute reachable user contexts */ 57 SEL_POLICYVERS, /* return policy version for this kernel */ 58 SEL_COMMIT_BOOLS, /* commit new boolean values */ 59 SEL_MLS, /* return if MLS policy is enabled */ 60 SEL_DISABLE, /* disable SELinux until next reboot */ 61 SEL_MEMBER, /* compute polyinstantiation membership decision */ 62 SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */ 63 SEL_COMPAT_NET, /* whether to use old compat network packet controls */ 64 SEL_REJECT_UNKNOWN, /* export unknown reject handling to userspace */ 65 SEL_DENY_UNKNOWN, /* export unknown deny handling to userspace */ 66 SEL_STATUS, /* export current status using mmap() */ 67 SEL_POLICY, /* allow userspace to read the in kernel policy */ 68 SEL_VALIDATE_TRANS, /* compute validatetrans decision */ 69 SEL_INO_NEXT, /* The next inode number to use */ 70 }; 71 72 struct selinux_fs_info { 73 struct dentry *bool_dir; 74 unsigned int bool_num; 75 char **bool_pending_names; 76 int *bool_pending_values; 77 struct dentry *class_dir; 78 unsigned long last_class_ino; 79 bool policy_opened; 80 unsigned long last_ino; 81 struct super_block *sb; 82 }; 83 84 static int selinux_fs_info_create(struct super_block *sb) 85 { 86 struct selinux_fs_info *fsi; 87 88 fsi = kzalloc_obj(*fsi); 89 if (!fsi) 90 return -ENOMEM; 91 92 fsi->last_ino = SEL_INO_NEXT - 1; 93 fsi->sb = sb; 94 sb->s_fs_info = fsi; 95 return 0; 96 } 97 98 static void selinux_fs_info_free(struct super_block *sb) 99 { 100 struct selinux_fs_info *fsi = sb->s_fs_info; 101 unsigned int i; 102 103 if (fsi) { 104 for (i = 0; i < fsi->bool_num; i++) 105 kfree(fsi->bool_pending_names[i]); 106 kfree(fsi->bool_pending_names); 107 kfree(fsi->bool_pending_values); 108 } 109 kfree(sb->s_fs_info); 110 sb->s_fs_info = NULL; 111 } 112 113 #define SEL_INITCON_INO_OFFSET 0x01000000 114 #define SEL_BOOL_INO_OFFSET 0x02000000 115 #define SEL_CLASS_INO_OFFSET 0x04000000 116 #define SEL_POLICYCAP_INO_OFFSET 0x08000000 117 #define SEL_INO_MASK 0x00ffffff 118 119 #define BOOL_DIR_NAME "booleans" 120 #define CLASS_DIR_NAME "class" 121 122 #define TMPBUFLEN 12 123 static ssize_t sel_read_enforce(struct file *filp, char __user *buf, 124 size_t count, loff_t *ppos) 125 { 126 char tmpbuf[TMPBUFLEN]; 127 ssize_t length; 128 129 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", 130 enforcing_enabled()); 131 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 132 } 133 134 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 135 static ssize_t sel_write_enforce(struct file *file, const char __user *buf, 136 size_t count, loff_t *ppos) 137 138 { 139 char *page = NULL; 140 ssize_t length; 141 int scan_value; 142 bool old_value, new_value; 143 144 if (count >= PAGE_SIZE) 145 return -ENOMEM; 146 147 /* No partial writes. */ 148 if (*ppos != 0) 149 return -EINVAL; 150 151 page = memdup_user_nul(buf, count); 152 if (IS_ERR(page)) 153 return PTR_ERR(page); 154 155 length = -EINVAL; 156 if (sscanf(page, "%d", &scan_value) != 1) 157 goto out; 158 159 new_value = !!scan_value; 160 161 old_value = enforcing_enabled(); 162 if (new_value != old_value) { 163 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 164 SECCLASS_SECURITY, SECURITY__SETENFORCE, 165 NULL); 166 if (length) 167 goto out; 168 audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS, 169 "enforcing=%d old_enforcing=%d auid=%u ses=%u" 170 " enabled=1 old-enabled=1 lsm=selinux res=1", 171 new_value, old_value, 172 from_kuid(&init_user_ns, audit_get_loginuid(current)), 173 audit_get_sessionid(current)); 174 enforcing_set(new_value); 175 if (new_value) 176 avc_ss_reset(0); 177 selnl_notify_setenforce(new_value); 178 selinux_status_update_setenforce(new_value); 179 if (!new_value) 180 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 181 182 selinux_ima_measure_state(); 183 } 184 length = count; 185 out: 186 kfree(page); 187 return length; 188 } 189 #else 190 #define sel_write_enforce NULL 191 #endif 192 193 static const struct file_operations sel_enforce_ops = { 194 .read = sel_read_enforce, 195 .write = sel_write_enforce, 196 .llseek = generic_file_llseek, 197 }; 198 199 static ssize_t sel_read_handle_unknown(struct file *filp, char __user *buf, 200 size_t count, loff_t *ppos) 201 { 202 char tmpbuf[TMPBUFLEN]; 203 ssize_t length; 204 ino_t ino = file_inode(filp)->i_ino; 205 int handle_unknown = (ino == SEL_REJECT_UNKNOWN) ? 206 security_get_reject_unknown() : 207 !security_get_allow_unknown(); 208 209 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", handle_unknown); 210 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 211 } 212 213 static const struct file_operations sel_handle_unknown_ops = { 214 .read = sel_read_handle_unknown, 215 .llseek = generic_file_llseek, 216 }; 217 218 static int sel_open_handle_status(struct inode *inode, struct file *filp) 219 { 220 struct page *status = selinux_kernel_status_page(); 221 222 if (!status) 223 return -ENOMEM; 224 225 filp->private_data = status; 226 227 return 0; 228 } 229 230 static ssize_t sel_read_handle_status(struct file *filp, char __user *buf, 231 size_t count, loff_t *ppos) 232 { 233 struct page *status = filp->private_data; 234 235 BUG_ON(!status); 236 237 return simple_read_from_buffer(buf, count, ppos, 238 page_address(status), 239 sizeof(struct selinux_kernel_status)); 240 } 241 242 static int sel_mmap_handle_status(struct file *filp, 243 struct vm_area_struct *vma) 244 { 245 struct page *status = filp->private_data; 246 unsigned long size = vma->vm_end - vma->vm_start; 247 248 BUG_ON(!status); 249 250 /* only allows one page from the head */ 251 if (vma->vm_pgoff > 0 || size != PAGE_SIZE) 252 return -EIO; 253 /* disallow writable mapping */ 254 if (vma->vm_flags & VM_WRITE) 255 return -EPERM; 256 /* disallow mprotect() turns it into writable */ 257 vm_flags_clear(vma, VM_MAYWRITE); 258 259 return remap_pfn_range(vma, vma->vm_start, 260 page_to_pfn(status), 261 size, vma->vm_page_prot); 262 } 263 264 static const struct file_operations sel_handle_status_ops = { 265 .open = sel_open_handle_status, 266 .read = sel_read_handle_status, 267 .mmap = sel_mmap_handle_status, 268 .llseek = generic_file_llseek, 269 }; 270 271 static ssize_t sel_write_disable(struct file *file, const char __user *buf, 272 size_t count, loff_t *ppos) 273 274 { 275 char *page; 276 ssize_t length; 277 int new_value; 278 279 if (count >= PAGE_SIZE) 280 return -ENOMEM; 281 282 /* No partial writes. */ 283 if (*ppos != 0) 284 return -EINVAL; 285 286 page = memdup_user_nul(buf, count); 287 if (IS_ERR(page)) 288 return PTR_ERR(page); 289 290 if (sscanf(page, "%d", &new_value) != 1) { 291 length = -EINVAL; 292 goto out; 293 } 294 length = count; 295 296 if (new_value) { 297 pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n"); 298 pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n"); 299 } 300 301 out: 302 kfree(page); 303 return length; 304 } 305 306 static const struct file_operations sel_disable_ops = { 307 .write = sel_write_disable, 308 .llseek = generic_file_llseek, 309 }; 310 311 static ssize_t sel_read_policyvers(struct file *filp, char __user *buf, 312 size_t count, loff_t *ppos) 313 { 314 char tmpbuf[TMPBUFLEN]; 315 ssize_t length; 316 317 length = scnprintf(tmpbuf, TMPBUFLEN, "%u", POLICYDB_VERSION_MAX); 318 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 319 } 320 321 static const struct file_operations sel_policyvers_ops = { 322 .read = sel_read_policyvers, 323 .llseek = generic_file_llseek, 324 }; 325 326 /* declaration for sel_write_load */ 327 static int sel_make_bools(struct selinux_policy *newpolicy, struct dentry *bool_dir, 328 unsigned int *bool_num, char ***bool_pending_names, 329 int **bool_pending_values); 330 static int sel_make_classes(struct selinux_policy *newpolicy, 331 struct dentry *class_dir, 332 unsigned long *last_class_ino); 333 334 /* declaration for sel_make_class_dirs */ 335 static struct dentry *sel_make_dir(struct dentry *dir, const char *name, 336 unsigned long *ino); 337 338 /* declaration for sel_make_policy_nodes */ 339 static struct dentry *sel_make_swapover_dir(struct super_block *sb, 340 unsigned long *ino); 341 342 static ssize_t sel_read_mls(struct file *filp, char __user *buf, 343 size_t count, loff_t *ppos) 344 { 345 char tmpbuf[TMPBUFLEN]; 346 ssize_t length; 347 348 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", 349 security_mls_enabled()); 350 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 351 } 352 353 static const struct file_operations sel_mls_ops = { 354 .read = sel_read_mls, 355 .llseek = generic_file_llseek, 356 }; 357 358 struct policy_load_memory { 359 size_t len; 360 void *data; 361 }; 362 363 static int sel_open_policy(struct inode *inode, struct file *filp) 364 { 365 struct selinux_fs_info *fsi = inode->i_sb->s_fs_info; 366 struct policy_load_memory *plm = NULL; 367 int rc; 368 369 BUG_ON(filp->private_data); 370 371 mutex_lock(&selinux_state.policy_mutex); 372 373 rc = avc_has_perm(current_sid(), SECINITSID_SECURITY, 374 SECCLASS_SECURITY, SECURITY__READ_POLICY, NULL); 375 if (rc) 376 goto err; 377 378 rc = -EBUSY; 379 if (fsi->policy_opened) 380 goto err; 381 382 rc = -ENOMEM; 383 plm = kzalloc_obj(*plm); 384 if (!plm) 385 goto err; 386 387 rc = security_read_policy(&plm->data, &plm->len); 388 if (rc) 389 goto err; 390 391 if ((size_t)i_size_read(inode) != plm->len) { 392 inode_lock(inode); 393 i_size_write(inode, plm->len); 394 inode_unlock(inode); 395 } 396 397 fsi->policy_opened = 1; 398 399 filp->private_data = plm; 400 401 mutex_unlock(&selinux_state.policy_mutex); 402 403 return 0; 404 err: 405 mutex_unlock(&selinux_state.policy_mutex); 406 407 if (plm) 408 vfree(plm->data); 409 kfree(plm); 410 return rc; 411 } 412 413 static int sel_release_policy(struct inode *inode, struct file *filp) 414 { 415 struct selinux_fs_info *fsi = inode->i_sb->s_fs_info; 416 struct policy_load_memory *plm = filp->private_data; 417 418 BUG_ON(!plm); 419 420 fsi->policy_opened = 0; 421 422 vfree(plm->data); 423 kfree(plm); 424 425 return 0; 426 } 427 428 static ssize_t sel_read_policy(struct file *filp, char __user *buf, 429 size_t count, loff_t *ppos) 430 { 431 struct policy_load_memory *plm = filp->private_data; 432 int ret; 433 434 ret = avc_has_perm(current_sid(), SECINITSID_SECURITY, 435 SECCLASS_SECURITY, SECURITY__READ_POLICY, NULL); 436 if (ret) 437 return ret; 438 439 return simple_read_from_buffer(buf, count, ppos, plm->data, plm->len); 440 } 441 442 static vm_fault_t sel_mmap_policy_fault(struct vm_fault *vmf) 443 { 444 struct policy_load_memory *plm = vmf->vma->vm_file->private_data; 445 unsigned long offset; 446 struct page *page; 447 448 if (vmf->flags & (FAULT_FLAG_MKWRITE | FAULT_FLAG_WRITE)) 449 return VM_FAULT_SIGBUS; 450 451 offset = vmf->pgoff << PAGE_SHIFT; 452 if (offset >= roundup(plm->len, PAGE_SIZE)) 453 return VM_FAULT_SIGBUS; 454 455 page = vmalloc_to_page(plm->data + offset); 456 get_page(page); 457 458 vmf->page = page; 459 460 return 0; 461 } 462 463 static const struct vm_operations_struct sel_mmap_policy_ops = { 464 .fault = sel_mmap_policy_fault, 465 .page_mkwrite = sel_mmap_policy_fault, 466 }; 467 468 static int sel_mmap_policy(struct file *filp, struct vm_area_struct *vma) 469 { 470 if (vma->vm_flags & VM_SHARED) { 471 /* do not allow mprotect to make mapping writable */ 472 vm_flags_clear(vma, VM_MAYWRITE); 473 474 if (vma->vm_flags & VM_WRITE) 475 return -EACCES; 476 } 477 478 vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP); 479 vma->vm_ops = &sel_mmap_policy_ops; 480 481 return 0; 482 } 483 484 static const struct file_operations sel_policy_ops = { 485 .open = sel_open_policy, 486 .read = sel_read_policy, 487 .mmap = sel_mmap_policy, 488 .release = sel_release_policy, 489 .llseek = generic_file_llseek, 490 }; 491 492 static void sel_remove_old_bool_data(unsigned int bool_num, char **bool_names, 493 int *bool_values) 494 { 495 u32 i; 496 497 /* bool_dir cleanup */ 498 for (i = 0; i < bool_num; i++) 499 kfree(bool_names[i]); 500 kfree(bool_names); 501 kfree(bool_values); 502 } 503 504 static int sel_make_policy_nodes(struct selinux_fs_info *fsi, 505 struct selinux_policy *newpolicy) 506 { 507 int ret = 0; 508 struct dentry *tmp_parent, *tmp_bool_dir, *tmp_class_dir; 509 struct renamedata rd = {}; 510 unsigned int bool_num = 0; 511 char **bool_names = NULL; 512 int *bool_values = NULL; 513 unsigned long tmp_ino = fsi->last_ino; /* Don't increment last_ino in this function */ 514 515 tmp_parent = sel_make_swapover_dir(fsi->sb, &tmp_ino); 516 if (IS_ERR(tmp_parent)) 517 return PTR_ERR(tmp_parent); 518 519 tmp_ino = fsi->bool_dir->d_inode->i_ino - 1; /* sel_make_dir will increment and set */ 520 tmp_bool_dir = sel_make_dir(tmp_parent, BOOL_DIR_NAME, &tmp_ino); 521 if (IS_ERR(tmp_bool_dir)) { 522 ret = PTR_ERR(tmp_bool_dir); 523 goto out; 524 } 525 526 tmp_ino = fsi->class_dir->d_inode->i_ino - 1; /* sel_make_dir will increment and set */ 527 tmp_class_dir = sel_make_dir(tmp_parent, CLASS_DIR_NAME, &tmp_ino); 528 if (IS_ERR(tmp_class_dir)) { 529 ret = PTR_ERR(tmp_class_dir); 530 goto out; 531 } 532 533 ret = sel_make_bools(newpolicy, tmp_bool_dir, &bool_num, 534 &bool_names, &bool_values); 535 if (ret) 536 goto out; 537 538 ret = sel_make_classes(newpolicy, tmp_class_dir, 539 &fsi->last_class_ino); 540 if (ret) 541 goto out; 542 543 rd.old_parent = tmp_parent; 544 rd.new_parent = fsi->sb->s_root; 545 546 /* booleans */ 547 ret = start_renaming_two_dentries(&rd, tmp_bool_dir, fsi->bool_dir); 548 if (ret) 549 goto out; 550 551 d_exchange(tmp_bool_dir, fsi->bool_dir); 552 553 swap(fsi->bool_num, bool_num); 554 swap(fsi->bool_pending_names, bool_names); 555 swap(fsi->bool_pending_values, bool_values); 556 557 fsi->bool_dir = tmp_bool_dir; 558 end_renaming(&rd); 559 560 /* classes */ 561 ret = start_renaming_two_dentries(&rd, tmp_class_dir, fsi->class_dir); 562 if (ret) 563 goto out; 564 565 d_exchange(tmp_class_dir, fsi->class_dir); 566 fsi->class_dir = tmp_class_dir; 567 568 end_renaming(&rd); 569 570 out: 571 sel_remove_old_bool_data(bool_num, bool_names, bool_values); 572 /* Since the other temporary dirs are children of tmp_parent 573 * this will handle all the cleanup in the case of a failure before 574 * the swapover 575 */ 576 simple_recursive_removal(tmp_parent, NULL); 577 578 return ret; 579 } 580 581 static ssize_t sel_write_load(struct file *file, const char __user *buf, 582 size_t count, loff_t *ppos) 583 584 { 585 struct selinux_fs_info *fsi; 586 struct selinux_load_state load_state; 587 ssize_t length; 588 void *data = NULL; 589 590 /* no partial writes */ 591 if (*ppos) 592 return -EINVAL; 593 /* no empty policies */ 594 if (!count) 595 return -EINVAL; 596 597 mutex_lock(&selinux_state.policy_mutex); 598 599 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 600 SECCLASS_SECURITY, SECURITY__LOAD_POLICY, NULL); 601 if (length) 602 goto out; 603 604 data = vmalloc(count); 605 if (!data) { 606 length = -ENOMEM; 607 goto out; 608 } 609 if (copy_from_user(data, buf, count) != 0) { 610 length = -EFAULT; 611 goto out; 612 } 613 614 length = security_load_policy(data, count, &load_state); 615 if (length) { 616 pr_warn_ratelimited("SELinux: failed to load policy\n"); 617 goto out; 618 } 619 fsi = file_inode(file)->i_sb->s_fs_info; 620 length = sel_make_policy_nodes(fsi, load_state.policy); 621 if (length) { 622 pr_warn_ratelimited("SELinux: failed to initialize selinuxfs\n"); 623 selinux_policy_cancel(&load_state); 624 goto out; 625 } 626 627 selinux_policy_commit(&load_state); 628 length = count; 629 audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, 630 "auid=%u ses=%u lsm=selinux res=1", 631 from_kuid(&init_user_ns, audit_get_loginuid(current)), 632 audit_get_sessionid(current)); 633 634 out: 635 mutex_unlock(&selinux_state.policy_mutex); 636 vfree(data); 637 return length; 638 } 639 640 static const struct file_operations sel_load_ops = { 641 .write = sel_write_load, 642 .llseek = generic_file_llseek, 643 }; 644 645 static ssize_t sel_write_context(struct file *file, char *buf, size_t size) 646 { 647 char *canon = NULL; 648 u32 sid, len; 649 ssize_t length; 650 651 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 652 SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, NULL); 653 if (length) 654 goto out; 655 656 length = security_context_to_sid(buf, size, &sid, GFP_KERNEL); 657 if (length) 658 goto out; 659 660 length = security_sid_to_context(sid, &canon, &len); 661 if (length) 662 goto out; 663 664 length = -ERANGE; 665 if (len > SIMPLE_TRANSACTION_LIMIT) { 666 pr_err("SELinux: %s: context size (%u) exceeds " 667 "payload max\n", __func__, len); 668 goto out; 669 } 670 671 memcpy(buf, canon, len); 672 length = len; 673 out: 674 kfree(canon); 675 return length; 676 } 677 678 static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf, 679 size_t count, loff_t *ppos) 680 { 681 char tmpbuf[TMPBUFLEN]; 682 ssize_t length; 683 684 length = scnprintf(tmpbuf, TMPBUFLEN, "%u", 685 checkreqprot_get()); 686 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 687 } 688 689 static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, 690 size_t count, loff_t *ppos) 691 { 692 char *page; 693 ssize_t length; 694 unsigned int new_value; 695 696 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 697 SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, 698 NULL); 699 if (length) 700 return length; 701 702 if (count >= PAGE_SIZE) 703 return -ENOMEM; 704 705 /* No partial writes. */ 706 if (*ppos != 0) 707 return -EINVAL; 708 709 page = memdup_user_nul(buf, count); 710 if (IS_ERR(page)) 711 return PTR_ERR(page); 712 713 if (sscanf(page, "%u", &new_value) != 1) { 714 length = -EINVAL; 715 goto out; 716 } 717 length = count; 718 719 if (new_value) { 720 char comm[sizeof(current->comm)]; 721 722 strscpy(comm, current->comm); 723 pr_err("SELinux: %s (%d) set checkreqprot to 1. This is no longer supported.\n", 724 comm, current->pid); 725 } 726 727 selinux_ima_measure_state(); 728 729 out: 730 kfree(page); 731 return length; 732 } 733 static const struct file_operations sel_checkreqprot_ops = { 734 .read = sel_read_checkreqprot, 735 .write = sel_write_checkreqprot, 736 .llseek = generic_file_llseek, 737 }; 738 739 static ssize_t sel_write_validatetrans(struct file *file, 740 const char __user *buf, 741 size_t count, loff_t *ppos) 742 { 743 char *oldcon = NULL, *newcon = NULL, *taskcon = NULL; 744 char *req = NULL; 745 u32 osid, nsid, tsid; 746 u16 tclass; 747 int rc; 748 749 rc = avc_has_perm(current_sid(), SECINITSID_SECURITY, 750 SECCLASS_SECURITY, SECURITY__VALIDATE_TRANS, NULL); 751 if (rc) 752 goto out; 753 754 rc = -ENOMEM; 755 if (count >= PAGE_SIZE) 756 goto out; 757 758 /* No partial writes. */ 759 rc = -EINVAL; 760 if (*ppos != 0) 761 goto out; 762 763 req = memdup_user_nul(buf, count); 764 if (IS_ERR(req)) { 765 rc = PTR_ERR(req); 766 req = NULL; 767 goto out; 768 } 769 770 rc = -ENOMEM; 771 oldcon = kzalloc(count + 1, GFP_KERNEL); 772 if (!oldcon) 773 goto out; 774 775 newcon = kzalloc(count + 1, GFP_KERNEL); 776 if (!newcon) 777 goto out; 778 779 taskcon = kzalloc(count + 1, GFP_KERNEL); 780 if (!taskcon) 781 goto out; 782 783 rc = -EINVAL; 784 if (sscanf(req, "%s %s %hu %s", oldcon, newcon, &tclass, taskcon) != 4) 785 goto out; 786 787 rc = security_context_str_to_sid(oldcon, &osid, GFP_KERNEL); 788 if (rc) 789 goto out; 790 791 rc = security_context_str_to_sid(newcon, &nsid, GFP_KERNEL); 792 if (rc) 793 goto out; 794 795 rc = security_context_str_to_sid(taskcon, &tsid, GFP_KERNEL); 796 if (rc) 797 goto out; 798 799 rc = security_validate_transition_user(osid, nsid, tsid, tclass); 800 if (!rc) 801 rc = count; 802 out: 803 kfree(req); 804 kfree(oldcon); 805 kfree(newcon); 806 kfree(taskcon); 807 return rc; 808 } 809 810 static const struct file_operations sel_transition_ops = { 811 .write = sel_write_validatetrans, 812 .llseek = generic_file_llseek, 813 }; 814 815 /* 816 * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c 817 */ 818 static ssize_t sel_write_access(struct file *file, char *buf, size_t size); 819 static ssize_t sel_write_create(struct file *file, char *buf, size_t size); 820 static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size); 821 static ssize_t sel_write_user(struct file *file, char *buf, size_t size); 822 static ssize_t sel_write_member(struct file *file, char *buf, size_t size); 823 824 static ssize_t (*const write_op[])(struct file *, char *, size_t) = { 825 [SEL_ACCESS] = sel_write_access, 826 [SEL_CREATE] = sel_write_create, 827 [SEL_RELABEL] = sel_write_relabel, 828 [SEL_USER] = sel_write_user, 829 [SEL_MEMBER] = sel_write_member, 830 [SEL_CONTEXT] = sel_write_context, 831 }; 832 833 static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos) 834 { 835 ino_t ino = file_inode(file)->i_ino; 836 char *data; 837 ssize_t rv; 838 839 if (ino >= ARRAY_SIZE(write_op) || !write_op[ino]) 840 return -EINVAL; 841 842 data = simple_transaction_get(file, buf, size); 843 if (IS_ERR(data)) 844 return PTR_ERR(data); 845 846 rv = write_op[ino](file, data, size); 847 if (rv > 0) { 848 simple_transaction_set(file, rv); 849 rv = size; 850 } 851 return rv; 852 } 853 854 static const struct file_operations transaction_ops = { 855 .write = selinux_transaction_write, 856 .read = simple_transaction_read, 857 .release = simple_transaction_release, 858 .llseek = generic_file_llseek, 859 }; 860 861 /* 862 * payload - write methods 863 * If the method has a response, the response should be put in buf, 864 * and the length returned. Otherwise return 0 or and -error. 865 */ 866 867 static ssize_t sel_write_access(struct file *file, char *buf, size_t size) 868 { 869 char *scon = NULL, *tcon = NULL; 870 u32 ssid, tsid; 871 u16 tclass; 872 struct av_decision avd; 873 ssize_t length; 874 875 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 876 SECCLASS_SECURITY, SECURITY__COMPUTE_AV, NULL); 877 if (length) 878 goto out; 879 880 length = -ENOMEM; 881 scon = kzalloc(size + 1, GFP_KERNEL); 882 if (!scon) 883 goto out; 884 885 length = -ENOMEM; 886 tcon = kzalloc(size + 1, GFP_KERNEL); 887 if (!tcon) 888 goto out; 889 890 length = -EINVAL; 891 if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) 892 goto out; 893 894 length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); 895 if (length) 896 goto out; 897 898 length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); 899 if (length) 900 goto out; 901 902 security_compute_av_user(ssid, tsid, tclass, &avd); 903 904 length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, 905 "%x %x %x %x %u %x", 906 avd.allowed, 0xffffffff, 907 avd.auditallow, avd.auditdeny, 908 avd.seqno, avd.flags); 909 out: 910 kfree(tcon); 911 kfree(scon); 912 return length; 913 } 914 915 static ssize_t sel_write_create(struct file *file, char *buf, size_t size) 916 { 917 char *scon = NULL, *tcon = NULL; 918 char *namebuf = NULL, *objname = NULL; 919 u32 ssid, tsid, newsid; 920 u16 tclass; 921 ssize_t length; 922 char *newcon = NULL; 923 u32 len; 924 int nargs; 925 926 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 927 SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, 928 NULL); 929 if (length) 930 goto out; 931 932 length = -ENOMEM; 933 scon = kzalloc(size + 1, GFP_KERNEL); 934 if (!scon) 935 goto out; 936 937 length = -ENOMEM; 938 tcon = kzalloc(size + 1, GFP_KERNEL); 939 if (!tcon) 940 goto out; 941 942 length = -ENOMEM; 943 namebuf = kzalloc(size + 1, GFP_KERNEL); 944 if (!namebuf) 945 goto out; 946 947 length = -EINVAL; 948 nargs = sscanf(buf, "%s %s %hu %s", scon, tcon, &tclass, namebuf); 949 if (nargs < 3 || nargs > 4) 950 goto out; 951 if (nargs == 4) { 952 /* 953 * If and when the name of new object to be queried contains 954 * either whitespace or multibyte characters, they shall be 955 * encoded based on the percentage-encoding rule. 956 * If not encoded, the sscanf logic picks up only left-half 957 * of the supplied name; split by a whitespace unexpectedly. 958 */ 959 char *r, *w; 960 int c1, c2; 961 962 r = w = namebuf; 963 do { 964 c1 = *r++; 965 if (c1 == '+') 966 c1 = ' '; 967 else if (c1 == '%') { 968 c1 = hex_to_bin(*r++); 969 if (c1 < 0) 970 goto out; 971 c2 = hex_to_bin(*r++); 972 if (c2 < 0) 973 goto out; 974 c1 = (c1 << 4) | c2; 975 } 976 *w++ = c1; 977 } while (c1 != '\0'); 978 979 objname = namebuf; 980 } 981 982 length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); 983 if (length) 984 goto out; 985 986 length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); 987 if (length) 988 goto out; 989 990 length = security_transition_sid_user(ssid, tsid, tclass, 991 objname, &newsid); 992 if (length) 993 goto out; 994 995 length = security_sid_to_context(newsid, &newcon, &len); 996 if (length) 997 goto out; 998 999 length = -ERANGE; 1000 if (len > SIMPLE_TRANSACTION_LIMIT) { 1001 pr_err("SELinux: %s: context size (%u) exceeds " 1002 "payload max\n", __func__, len); 1003 goto out; 1004 } 1005 1006 memcpy(buf, newcon, len); 1007 length = len; 1008 out: 1009 kfree(newcon); 1010 kfree(namebuf); 1011 kfree(tcon); 1012 kfree(scon); 1013 return length; 1014 } 1015 1016 static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size) 1017 { 1018 char *scon = NULL, *tcon = NULL; 1019 u32 ssid, tsid, newsid; 1020 u16 tclass; 1021 ssize_t length; 1022 char *newcon = NULL; 1023 u32 len; 1024 1025 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 1026 SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, 1027 NULL); 1028 if (length) 1029 goto out; 1030 1031 length = -ENOMEM; 1032 scon = kzalloc(size + 1, GFP_KERNEL); 1033 if (!scon) 1034 goto out; 1035 1036 length = -ENOMEM; 1037 tcon = kzalloc(size + 1, GFP_KERNEL); 1038 if (!tcon) 1039 goto out; 1040 1041 length = -EINVAL; 1042 if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) 1043 goto out; 1044 1045 length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); 1046 if (length) 1047 goto out; 1048 1049 length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); 1050 if (length) 1051 goto out; 1052 1053 length = security_change_sid(ssid, tsid, tclass, &newsid); 1054 if (length) 1055 goto out; 1056 1057 length = security_sid_to_context(newsid, &newcon, &len); 1058 if (length) 1059 goto out; 1060 1061 length = -ERANGE; 1062 if (len > SIMPLE_TRANSACTION_LIMIT) 1063 goto out; 1064 1065 memcpy(buf, newcon, len); 1066 length = len; 1067 out: 1068 kfree(newcon); 1069 kfree(tcon); 1070 kfree(scon); 1071 return length; 1072 } 1073 1074 static ssize_t sel_write_user(struct file *file, char *buf, size_t size) 1075 { 1076 char *con = NULL, *user = NULL, *ptr; 1077 u32 sid, *sids = NULL; 1078 ssize_t length; 1079 char *newcon; 1080 int rc; 1081 u32 i, len, nsids; 1082 1083 pr_warn_ratelimited("SELinux: %s (%d) wrote to /sys/fs/selinux/user!" 1084 " This will not be supported in the future; please update your" 1085 " userspace.\n", current->comm, current->pid); 1086 ssleep(5); 1087 1088 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 1089 SECCLASS_SECURITY, SECURITY__COMPUTE_USER, 1090 NULL); 1091 if (length) 1092 goto out; 1093 1094 length = -ENOMEM; 1095 con = kzalloc(size + 1, GFP_KERNEL); 1096 if (!con) 1097 goto out; 1098 1099 length = -ENOMEM; 1100 user = kzalloc(size + 1, GFP_KERNEL); 1101 if (!user) 1102 goto out; 1103 1104 length = -EINVAL; 1105 if (sscanf(buf, "%s %s", con, user) != 2) 1106 goto out; 1107 1108 length = security_context_str_to_sid(con, &sid, GFP_KERNEL); 1109 if (length) 1110 goto out; 1111 1112 length = security_get_user_sids(sid, user, &sids, &nsids); 1113 if (length) 1114 goto out; 1115 1116 length = sprintf(buf, "%u", nsids) + 1; 1117 ptr = buf + length; 1118 for (i = 0; i < nsids; i++) { 1119 rc = security_sid_to_context(sids[i], &newcon, &len); 1120 if (rc) { 1121 length = rc; 1122 goto out; 1123 } 1124 if ((length + len) >= SIMPLE_TRANSACTION_LIMIT) { 1125 kfree(newcon); 1126 length = -ERANGE; 1127 goto out; 1128 } 1129 memcpy(ptr, newcon, len); 1130 kfree(newcon); 1131 ptr += len; 1132 length += len; 1133 } 1134 out: 1135 kfree(sids); 1136 kfree(user); 1137 kfree(con); 1138 return length; 1139 } 1140 1141 static ssize_t sel_write_member(struct file *file, char *buf, size_t size) 1142 { 1143 char *scon = NULL, *tcon = NULL; 1144 u32 ssid, tsid, newsid; 1145 u16 tclass; 1146 ssize_t length; 1147 char *newcon = NULL; 1148 u32 len; 1149 1150 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 1151 SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, 1152 NULL); 1153 if (length) 1154 goto out; 1155 1156 length = -ENOMEM; 1157 scon = kzalloc(size + 1, GFP_KERNEL); 1158 if (!scon) 1159 goto out; 1160 1161 length = -ENOMEM; 1162 tcon = kzalloc(size + 1, GFP_KERNEL); 1163 if (!tcon) 1164 goto out; 1165 1166 length = -EINVAL; 1167 if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) 1168 goto out; 1169 1170 length = security_context_str_to_sid(scon, &ssid, GFP_KERNEL); 1171 if (length) 1172 goto out; 1173 1174 length = security_context_str_to_sid(tcon, &tsid, GFP_KERNEL); 1175 if (length) 1176 goto out; 1177 1178 length = security_member_sid(ssid, tsid, tclass, &newsid); 1179 if (length) 1180 goto out; 1181 1182 length = security_sid_to_context(newsid, &newcon, &len); 1183 if (length) 1184 goto out; 1185 1186 length = -ERANGE; 1187 if (len > SIMPLE_TRANSACTION_LIMIT) { 1188 pr_err("SELinux: %s: context size (%u) exceeds " 1189 "payload max\n", __func__, len); 1190 goto out; 1191 } 1192 1193 memcpy(buf, newcon, len); 1194 length = len; 1195 out: 1196 kfree(newcon); 1197 kfree(tcon); 1198 kfree(scon); 1199 return length; 1200 } 1201 1202 static struct inode *sel_make_inode(struct super_block *sb, umode_t mode) 1203 { 1204 struct inode *ret = new_inode(sb); 1205 1206 if (ret) { 1207 ret->i_mode = mode; 1208 simple_inode_init_ts(ret); 1209 } 1210 return ret; 1211 } 1212 1213 static struct dentry *sel_attach(struct dentry *parent, const char *name, 1214 struct inode *inode) 1215 { 1216 struct dentry *dentry = d_alloc_name(parent, name); 1217 if (unlikely(!dentry)) { 1218 iput(inode); 1219 return ERR_PTR(-ENOMEM); 1220 } 1221 d_make_persistent(dentry, inode); 1222 dput(dentry); 1223 return dentry; 1224 } 1225 1226 static int sel_attach_file(struct dentry *parent, const char *name, 1227 struct inode *inode) 1228 { 1229 struct dentry *dentry = sel_attach(parent, name, inode); 1230 return PTR_ERR_OR_ZERO(dentry); 1231 } 1232 1233 static ssize_t sel_read_bool(struct file *filep, char __user *buf, 1234 size_t count, loff_t *ppos) 1235 { 1236 struct selinux_fs_info *fsi = file_inode(filep)->i_sb->s_fs_info; 1237 char buffer[4]; 1238 ssize_t length; 1239 ssize_t ret; 1240 int cur_enforcing; 1241 unsigned index = file_inode(filep)->i_ino & SEL_INO_MASK; 1242 const char *name = filep->f_path.dentry->d_name.name; 1243 1244 mutex_lock(&selinux_state.policy_mutex); 1245 1246 ret = -EINVAL; 1247 if (index >= fsi->bool_num || strcmp(name, 1248 fsi->bool_pending_names[index])) 1249 goto out_unlock; 1250 1251 cur_enforcing = security_get_bool_value(index); 1252 if (cur_enforcing < 0) { 1253 ret = cur_enforcing; 1254 goto out_unlock; 1255 } 1256 length = scnprintf(buffer, sizeof(buffer), "%d %d", !!cur_enforcing, 1257 !!fsi->bool_pending_values[index]); 1258 mutex_unlock(&selinux_state.policy_mutex); 1259 return simple_read_from_buffer(buf, count, ppos, buffer, length); 1260 1261 out_unlock: 1262 mutex_unlock(&selinux_state.policy_mutex); 1263 return ret; 1264 } 1265 1266 static ssize_t sel_write_bool(struct file *filep, const char __user *buf, 1267 size_t count, loff_t *ppos) 1268 { 1269 struct selinux_fs_info *fsi = file_inode(filep)->i_sb->s_fs_info; 1270 char *page = NULL; 1271 ssize_t length; 1272 int new_value; 1273 unsigned index = file_inode(filep)->i_ino & SEL_INO_MASK; 1274 const char *name = filep->f_path.dentry->d_name.name; 1275 1276 if (count >= PAGE_SIZE) 1277 return -ENOMEM; 1278 1279 /* No partial writes. */ 1280 if (*ppos != 0) 1281 return -EINVAL; 1282 1283 page = memdup_user_nul(buf, count); 1284 if (IS_ERR(page)) 1285 return PTR_ERR(page); 1286 1287 mutex_lock(&selinux_state.policy_mutex); 1288 1289 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 1290 SECCLASS_SECURITY, SECURITY__SETBOOL, 1291 NULL); 1292 if (length) 1293 goto out; 1294 1295 length = -EINVAL; 1296 if (index >= fsi->bool_num || strcmp(name, 1297 fsi->bool_pending_names[index])) 1298 goto out; 1299 1300 length = -EINVAL; 1301 if (sscanf(page, "%d", &new_value) != 1) 1302 goto out; 1303 1304 if (new_value) 1305 new_value = 1; 1306 1307 fsi->bool_pending_values[index] = new_value; 1308 length = count; 1309 1310 out: 1311 mutex_unlock(&selinux_state.policy_mutex); 1312 kfree(page); 1313 return length; 1314 } 1315 1316 static const struct file_operations sel_bool_ops = { 1317 .read = sel_read_bool, 1318 .write = sel_write_bool, 1319 .llseek = generic_file_llseek, 1320 }; 1321 1322 static ssize_t sel_commit_bools_write(struct file *filep, 1323 const char __user *buf, 1324 size_t count, loff_t *ppos) 1325 { 1326 struct selinux_fs_info *fsi = file_inode(filep)->i_sb->s_fs_info; 1327 char *page = NULL; 1328 ssize_t length; 1329 int new_value; 1330 1331 if (count >= PAGE_SIZE) 1332 return -ENOMEM; 1333 1334 /* No partial writes. */ 1335 if (*ppos != 0) 1336 return -EINVAL; 1337 1338 page = memdup_user_nul(buf, count); 1339 if (IS_ERR(page)) 1340 return PTR_ERR(page); 1341 1342 mutex_lock(&selinux_state.policy_mutex); 1343 1344 length = avc_has_perm(current_sid(), SECINITSID_SECURITY, 1345 SECCLASS_SECURITY, SECURITY__SETBOOL, 1346 NULL); 1347 if (length) 1348 goto out; 1349 1350 length = -EINVAL; 1351 if (sscanf(page, "%d", &new_value) != 1) 1352 goto out; 1353 1354 length = 0; 1355 if (new_value && fsi->bool_pending_values) 1356 length = security_set_bools(fsi->bool_num, 1357 fsi->bool_pending_values); 1358 1359 if (!length) 1360 length = count; 1361 1362 out: 1363 mutex_unlock(&selinux_state.policy_mutex); 1364 kfree(page); 1365 return length; 1366 } 1367 1368 static const struct file_operations sel_commit_bools_ops = { 1369 .write = sel_commit_bools_write, 1370 .llseek = generic_file_llseek, 1371 }; 1372 1373 static int sel_make_bools(struct selinux_policy *newpolicy, struct dentry *bool_dir, 1374 unsigned int *bool_num, char ***bool_pending_names, 1375 int **bool_pending_values) 1376 { 1377 int ret; 1378 char **names, *page; 1379 u32 i, num; 1380 1381 page = (char *)get_zeroed_page(GFP_KERNEL); 1382 if (!page) 1383 return -ENOMEM; 1384 1385 ret = security_get_bools(newpolicy, &num, &names, bool_pending_values); 1386 if (ret) 1387 goto out; 1388 1389 *bool_num = num; 1390 *bool_pending_names = names; 1391 1392 for (i = 0; !ret && i < num; i++) { 1393 struct inode *inode; 1394 struct inode_security_struct *isec; 1395 ssize_t len; 1396 u32 sid; 1397 1398 len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]); 1399 if (len >= PAGE_SIZE) { 1400 ret = -ENAMETOOLONG; 1401 break; 1402 } 1403 1404 inode = sel_make_inode(bool_dir->d_sb, S_IFREG | S_IRUGO | S_IWUSR); 1405 if (!inode) { 1406 ret = -ENOMEM; 1407 break; 1408 } 1409 1410 isec = selinux_inode(inode); 1411 ret = selinux_policy_genfs_sid(newpolicy, "selinuxfs", page, 1412 SECCLASS_FILE, &sid); 1413 if (ret) { 1414 pr_warn_ratelimited("SELinux: no sid found, defaulting to security isid for %s\n", 1415 page); 1416 sid = SECINITSID_SECURITY; 1417 } 1418 1419 isec->sid = sid; 1420 isec->initialized = LABEL_INITIALIZED; 1421 inode->i_fop = &sel_bool_ops; 1422 inode->i_ino = i|SEL_BOOL_INO_OFFSET; 1423 1424 ret = sel_attach_file(bool_dir, names[i], inode); 1425 } 1426 out: 1427 free_page((unsigned long)page); 1428 return ret; 1429 } 1430 1431 static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf, 1432 size_t count, loff_t *ppos) 1433 { 1434 char tmpbuf[TMPBUFLEN]; 1435 ssize_t length; 1436 1437 length = scnprintf(tmpbuf, TMPBUFLEN, "%u", 1438 avc_get_cache_threshold()); 1439 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 1440 } 1441 1442 static ssize_t sel_write_avc_cache_threshold(struct file *file, 1443 const char __user *buf, 1444 size_t count, loff_t *ppos) 1445 1446 { 1447 char *page; 1448 ssize_t ret; 1449 unsigned int new_value; 1450 1451 ret = avc_has_perm(current_sid(), SECINITSID_SECURITY, 1452 SECCLASS_SECURITY, SECURITY__SETSECPARAM, 1453 NULL); 1454 if (ret) 1455 return ret; 1456 1457 if (count >= PAGE_SIZE) 1458 return -ENOMEM; 1459 1460 /* No partial writes. */ 1461 if (*ppos != 0) 1462 return -EINVAL; 1463 1464 page = memdup_user_nul(buf, count); 1465 if (IS_ERR(page)) 1466 return PTR_ERR(page); 1467 1468 ret = -EINVAL; 1469 if (sscanf(page, "%u", &new_value) != 1) 1470 goto out; 1471 1472 avc_set_cache_threshold(new_value); 1473 1474 ret = count; 1475 out: 1476 kfree(page); 1477 return ret; 1478 } 1479 1480 static ssize_t sel_read_avc_hash_stats(struct file *filp, char __user *buf, 1481 size_t count, loff_t *ppos) 1482 { 1483 char *page; 1484 ssize_t length; 1485 1486 page = (char *)__get_free_page(GFP_KERNEL); 1487 if (!page) 1488 return -ENOMEM; 1489 1490 length = avc_get_hash_stats(page); 1491 if (length >= 0) 1492 length = simple_read_from_buffer(buf, count, ppos, page, length); 1493 free_page((unsigned long)page); 1494 1495 return length; 1496 } 1497 1498 static ssize_t sel_read_sidtab_hash_stats(struct file *filp, char __user *buf, 1499 size_t count, loff_t *ppos) 1500 { 1501 char *page; 1502 ssize_t length; 1503 1504 page = (char *)__get_free_page(GFP_KERNEL); 1505 if (!page) 1506 return -ENOMEM; 1507 1508 length = security_sidtab_hash_stats(page); 1509 if (length >= 0) 1510 length = simple_read_from_buffer(buf, count, ppos, page, 1511 length); 1512 free_page((unsigned long)page); 1513 1514 return length; 1515 } 1516 1517 static const struct file_operations sel_sidtab_hash_stats_ops = { 1518 .read = sel_read_sidtab_hash_stats, 1519 .llseek = generic_file_llseek, 1520 }; 1521 1522 static const struct file_operations sel_avc_cache_threshold_ops = { 1523 .read = sel_read_avc_cache_threshold, 1524 .write = sel_write_avc_cache_threshold, 1525 .llseek = generic_file_llseek, 1526 }; 1527 1528 static const struct file_operations sel_avc_hash_stats_ops = { 1529 .read = sel_read_avc_hash_stats, 1530 .llseek = generic_file_llseek, 1531 }; 1532 1533 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 1534 static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx) 1535 { 1536 loff_t cpu; 1537 1538 for (cpu = *idx; cpu < nr_cpu_ids; ++cpu) { 1539 if (!cpu_possible(cpu)) 1540 continue; 1541 *idx = cpu + 1; 1542 return &per_cpu(avc_cache_stats, cpu); 1543 } 1544 (*idx)++; 1545 return NULL; 1546 } 1547 1548 static void *sel_avc_stats_seq_start(struct seq_file *seq, loff_t *pos) 1549 { 1550 loff_t n = *pos - 1; 1551 1552 if (*pos == 0) 1553 return SEQ_START_TOKEN; 1554 1555 return sel_avc_get_stat_idx(&n); 1556 } 1557 1558 static void *sel_avc_stats_seq_next(struct seq_file *seq, void *v, loff_t *pos) 1559 { 1560 return sel_avc_get_stat_idx(pos); 1561 } 1562 1563 static int sel_avc_stats_seq_show(struct seq_file *seq, void *v) 1564 { 1565 struct avc_cache_stats *st = v; 1566 1567 if (v == SEQ_START_TOKEN) { 1568 seq_puts(seq, 1569 "lookups hits misses allocations reclaims frees\n"); 1570 } else { 1571 unsigned int lookups = st->lookups; 1572 unsigned int misses = st->misses; 1573 unsigned int hits = lookups - misses; 1574 seq_printf(seq, "%u %u %u %u %u %u\n", lookups, 1575 hits, misses, st->allocations, 1576 st->reclaims, st->frees); 1577 } 1578 return 0; 1579 } 1580 1581 static void sel_avc_stats_seq_stop(struct seq_file *seq, void *v) 1582 { } 1583 1584 static const struct seq_operations sel_avc_cache_stats_seq_ops = { 1585 .start = sel_avc_stats_seq_start, 1586 .next = sel_avc_stats_seq_next, 1587 .show = sel_avc_stats_seq_show, 1588 .stop = sel_avc_stats_seq_stop, 1589 }; 1590 1591 static int sel_open_avc_cache_stats(struct inode *inode, struct file *file) 1592 { 1593 return seq_open(file, &sel_avc_cache_stats_seq_ops); 1594 } 1595 1596 static const struct file_operations sel_avc_cache_stats_ops = { 1597 .open = sel_open_avc_cache_stats, 1598 .read = seq_read, 1599 .llseek = seq_lseek, 1600 .release = seq_release, 1601 }; 1602 #endif 1603 1604 static int sel_make_avc_files(struct dentry *dir) 1605 { 1606 struct super_block *sb = dir->d_sb; 1607 struct selinux_fs_info *fsi = sb->s_fs_info; 1608 unsigned int i; 1609 int err = 0; 1610 static const struct tree_descr files[] = { 1611 { "cache_threshold", 1612 &sel_avc_cache_threshold_ops, S_IRUGO|S_IWUSR }, 1613 { "hash_stats", &sel_avc_hash_stats_ops, S_IRUGO }, 1614 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 1615 { "cache_stats", &sel_avc_cache_stats_ops, S_IRUGO }, 1616 #endif 1617 }; 1618 1619 for (i = 0; !err && i < ARRAY_SIZE(files); i++) { 1620 struct inode *inode; 1621 1622 inode = sel_make_inode(dir->d_sb, S_IFREG|files[i].mode); 1623 if (!inode) 1624 return -ENOMEM; 1625 1626 inode->i_fop = files[i].ops; 1627 inode->i_ino = ++fsi->last_ino; 1628 1629 err = sel_attach_file(dir, files[i].name, inode); 1630 } 1631 1632 return err; 1633 } 1634 1635 static int sel_make_ss_files(struct dentry *dir) 1636 { 1637 struct super_block *sb = dir->d_sb; 1638 struct selinux_fs_info *fsi = sb->s_fs_info; 1639 unsigned int i; 1640 int err = 0; 1641 static const struct tree_descr files[] = { 1642 { "sidtab_hash_stats", &sel_sidtab_hash_stats_ops, S_IRUGO }, 1643 }; 1644 1645 for (i = 0; !err && i < ARRAY_SIZE(files); i++) { 1646 struct inode *inode; 1647 1648 inode = sel_make_inode(dir->d_sb, S_IFREG|files[i].mode); 1649 if (!inode) 1650 return -ENOMEM; 1651 1652 inode->i_fop = files[i].ops; 1653 inode->i_ino = ++fsi->last_ino; 1654 1655 err = sel_attach_file(dir, files[i].name, inode); 1656 } 1657 1658 return err; 1659 } 1660 1661 static ssize_t sel_read_initcon(struct file *file, char __user *buf, 1662 size_t count, loff_t *ppos) 1663 { 1664 char *con; 1665 u32 sid, len; 1666 ssize_t ret; 1667 1668 sid = file_inode(file)->i_ino&SEL_INO_MASK; 1669 ret = security_sid_to_context(sid, &con, &len); 1670 if (ret) 1671 return ret; 1672 1673 ret = simple_read_from_buffer(buf, count, ppos, con, len); 1674 kfree(con); 1675 return ret; 1676 } 1677 1678 static const struct file_operations sel_initcon_ops = { 1679 .read = sel_read_initcon, 1680 .llseek = generic_file_llseek, 1681 }; 1682 1683 static int sel_make_initcon_files(struct dentry *dir) 1684 { 1685 unsigned int i; 1686 int err = 0; 1687 1688 for (i = 1; !err && i <= SECINITSID_NUM; i++) { 1689 const char *s = security_get_initial_sid_context(i); 1690 struct inode *inode; 1691 1692 if (!s) 1693 continue; 1694 1695 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); 1696 if (!inode) 1697 return -ENOMEM; 1698 1699 inode->i_fop = &sel_initcon_ops; 1700 inode->i_ino = i|SEL_INITCON_INO_OFFSET; 1701 err = sel_attach_file(dir, s, inode); 1702 } 1703 1704 return err; 1705 } 1706 1707 static inline unsigned long sel_class_to_ino(u16 class) 1708 { 1709 return (class * (SEL_VEC_MAX + 1)) | SEL_CLASS_INO_OFFSET; 1710 } 1711 1712 static inline u16 sel_ino_to_class(unsigned long ino) 1713 { 1714 return (ino & SEL_INO_MASK) / (SEL_VEC_MAX + 1); 1715 } 1716 1717 static inline unsigned long sel_perm_to_ino(u16 class, u32 perm) 1718 { 1719 return (class * (SEL_VEC_MAX + 1) + perm) | SEL_CLASS_INO_OFFSET; 1720 } 1721 1722 static inline u32 sel_ino_to_perm(unsigned long ino) 1723 { 1724 return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1); 1725 } 1726 1727 static ssize_t sel_read_class(struct file *file, char __user *buf, 1728 size_t count, loff_t *ppos) 1729 { 1730 unsigned long ino = file_inode(file)->i_ino; 1731 char res[TMPBUFLEN]; 1732 ssize_t len = scnprintf(res, sizeof(res), "%d", sel_ino_to_class(ino)); 1733 return simple_read_from_buffer(buf, count, ppos, res, len); 1734 } 1735 1736 static const struct file_operations sel_class_ops = { 1737 .read = sel_read_class, 1738 .llseek = generic_file_llseek, 1739 }; 1740 1741 static ssize_t sel_read_perm(struct file *file, char __user *buf, 1742 size_t count, loff_t *ppos) 1743 { 1744 unsigned long ino = file_inode(file)->i_ino; 1745 char res[TMPBUFLEN]; 1746 ssize_t len = scnprintf(res, sizeof(res), "%d", sel_ino_to_perm(ino)); 1747 return simple_read_from_buffer(buf, count, ppos, res, len); 1748 } 1749 1750 static const struct file_operations sel_perm_ops = { 1751 .read = sel_read_perm, 1752 .llseek = generic_file_llseek, 1753 }; 1754 1755 static ssize_t sel_read_policycap(struct file *file, char __user *buf, 1756 size_t count, loff_t *ppos) 1757 { 1758 int value; 1759 char tmpbuf[TMPBUFLEN]; 1760 ssize_t length; 1761 unsigned long i_ino = file_inode(file)->i_ino; 1762 1763 value = security_policycap_supported(i_ino & SEL_INO_MASK); 1764 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", value); 1765 1766 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 1767 } 1768 1769 static const struct file_operations sel_policycap_ops = { 1770 .read = sel_read_policycap, 1771 .llseek = generic_file_llseek, 1772 }; 1773 1774 static int sel_make_perm_files(struct selinux_policy *newpolicy, 1775 char *objclass, int classvalue, 1776 struct dentry *dir) 1777 { 1778 u32 i, nperms; 1779 int rc; 1780 char **perms; 1781 1782 rc = security_get_permissions(newpolicy, objclass, &perms, &nperms); 1783 if (rc) 1784 return rc; 1785 1786 for (i = 0; !rc && i < nperms; i++) { 1787 struct inode *inode; 1788 1789 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); 1790 if (!inode) { 1791 rc = -ENOMEM; 1792 break; 1793 } 1794 1795 inode->i_fop = &sel_perm_ops; 1796 /* i+1 since perm values are 1-indexed */ 1797 inode->i_ino = sel_perm_to_ino(classvalue, i + 1); 1798 1799 rc = sel_attach_file(dir, perms[i], inode); 1800 } 1801 for (i = 0; i < nperms; i++) 1802 kfree(perms[i]); 1803 kfree(perms); 1804 return rc; 1805 } 1806 1807 static int sel_make_class_dir_entries(struct selinux_policy *newpolicy, 1808 char *classname, int index, 1809 struct dentry *dir) 1810 { 1811 struct super_block *sb = dir->d_sb; 1812 struct selinux_fs_info *fsi = sb->s_fs_info; 1813 struct dentry *dentry = NULL; 1814 struct inode *inode = NULL; 1815 int err; 1816 1817 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); 1818 if (!inode) 1819 return -ENOMEM; 1820 1821 inode->i_fop = &sel_class_ops; 1822 inode->i_ino = sel_class_to_ino(index); 1823 1824 err = sel_attach_file(dir, "index", inode); 1825 if (err) 1826 return err; 1827 1828 dentry = sel_make_dir(dir, "perms", &fsi->last_class_ino); 1829 if (IS_ERR(dentry)) 1830 return PTR_ERR(dentry); 1831 1832 return sel_make_perm_files(newpolicy, classname, index, dentry); 1833 } 1834 1835 static int sel_make_classes(struct selinux_policy *newpolicy, 1836 struct dentry *class_dir, 1837 unsigned long *last_class_ino) 1838 { 1839 u32 i, nclasses; 1840 int rc; 1841 char **classes; 1842 1843 rc = security_get_classes(newpolicy, &classes, &nclasses); 1844 if (rc) 1845 return rc; 1846 1847 /* +2 since classes are 1-indexed */ 1848 *last_class_ino = sel_class_to_ino(nclasses + 2); 1849 1850 for (i = 0; i < nclasses; i++) { 1851 struct dentry *class_name_dir; 1852 1853 class_name_dir = sel_make_dir(class_dir, classes[i], 1854 last_class_ino); 1855 if (IS_ERR(class_name_dir)) { 1856 rc = PTR_ERR(class_name_dir); 1857 goto out; 1858 } 1859 1860 /* i+1 since class values are 1-indexed */ 1861 rc = sel_make_class_dir_entries(newpolicy, classes[i], i + 1, 1862 class_name_dir); 1863 if (rc) 1864 goto out; 1865 } 1866 rc = 0; 1867 out: 1868 for (i = 0; i < nclasses; i++) 1869 kfree(classes[i]); 1870 kfree(classes); 1871 return rc; 1872 } 1873 1874 static int sel_make_policycap(struct dentry *dir) 1875 { 1876 struct super_block *sb = dir->d_sb; 1877 unsigned int iter; 1878 struct inode *inode = NULL; 1879 int err = 0; 1880 1881 for (iter = 0; !err && iter <= POLICYDB_CAP_MAX; iter++) { 1882 const char *name; 1883 1884 if (iter < ARRAY_SIZE(selinux_policycap_names)) 1885 name = selinux_policycap_names[iter]; 1886 else 1887 name = "unknown"; 1888 1889 inode = sel_make_inode(sb, S_IFREG | 0444); 1890 if (!inode) 1891 return -ENOMEM; 1892 1893 inode->i_fop = &sel_policycap_ops; 1894 inode->i_ino = iter | SEL_POLICYCAP_INO_OFFSET; 1895 err = sel_attach_file(dir, name, inode); 1896 } 1897 1898 return err; 1899 } 1900 1901 static struct dentry *sel_make_dir(struct dentry *dir, const char *name, 1902 unsigned long *ino) 1903 { 1904 struct inode *inode; 1905 1906 inode = sel_make_inode(dir->d_sb, S_IFDIR | S_IRUGO | S_IXUGO); 1907 if (!inode) 1908 return ERR_PTR(-ENOMEM); 1909 1910 inode->i_op = &simple_dir_inode_operations; 1911 inode->i_fop = &simple_dir_operations; 1912 inode->i_ino = ++(*ino); 1913 /* directory inodes start off with i_nlink == 2 (for "." entry) */ 1914 inc_nlink(inode); 1915 /* bump link count on parent directory, too */ 1916 inc_nlink(d_inode(dir)); 1917 1918 return sel_attach(dir, name, inode); 1919 } 1920 1921 static int reject_all(struct mnt_idmap *idmap, struct inode *inode, int mask) 1922 { 1923 return -EPERM; // no access for anyone, root or no root. 1924 } 1925 1926 static const struct inode_operations swapover_dir_inode_operations = { 1927 .lookup = simple_lookup, 1928 .permission = reject_all, 1929 }; 1930 1931 static struct dentry *sel_make_swapover_dir(struct super_block *sb, 1932 unsigned long *ino) 1933 { 1934 struct dentry *dentry = d_alloc_name(sb->s_root, ".swapover"); 1935 struct inode *inode; 1936 1937 if (!dentry) 1938 return ERR_PTR(-ENOMEM); 1939 1940 inode = sel_make_inode(sb, S_IFDIR); 1941 if (!inode) { 1942 dput(dentry); 1943 return ERR_PTR(-ENOMEM); 1944 } 1945 1946 inode->i_op = &swapover_dir_inode_operations; 1947 inode->i_ino = ++(*ino); 1948 /* directory inodes start off with i_nlink == 2 (for "." entry) */ 1949 inc_nlink(inode); 1950 inode_lock(sb->s_root->d_inode); 1951 d_make_persistent(dentry, inode); 1952 inc_nlink(sb->s_root->d_inode); 1953 inode_unlock(sb->s_root->d_inode); 1954 dput(dentry); 1955 return dentry; // borrowed 1956 } 1957 1958 #define NULL_FILE_NAME "null" 1959 1960 static int sel_fill_super(struct super_block *sb, struct fs_context *fc) 1961 { 1962 struct selinux_fs_info *fsi; 1963 int ret; 1964 struct dentry *dentry; 1965 struct inode *inode; 1966 struct inode_security_struct *isec; 1967 1968 static const struct tree_descr selinux_files[] = { 1969 [SEL_LOAD] = {"load", &sel_load_ops, S_IRUSR|S_IWUSR}, 1970 [SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUGO|S_IWUSR}, 1971 [SEL_CONTEXT] = {"context", &transaction_ops, S_IRUGO|S_IWUGO}, 1972 [SEL_ACCESS] = {"access", &transaction_ops, S_IRUGO|S_IWUGO}, 1973 [SEL_CREATE] = {"create", &transaction_ops, S_IRUGO|S_IWUGO}, 1974 [SEL_RELABEL] = {"relabel", &transaction_ops, S_IRUGO|S_IWUGO}, 1975 [SEL_USER] = {"user", &transaction_ops, S_IRUGO|S_IWUGO}, 1976 [SEL_POLICYVERS] = {"policyvers", &sel_policyvers_ops, S_IRUGO}, 1977 [SEL_COMMIT_BOOLS] = {"commit_pending_bools", &sel_commit_bools_ops, S_IWUSR}, 1978 [SEL_MLS] = {"mls", &sel_mls_ops, S_IRUGO}, 1979 [SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR}, 1980 [SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO}, 1981 [SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR}, 1982 [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO}, 1983 [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO}, 1984 [SEL_STATUS] = {"status", &sel_handle_status_ops, S_IRUGO}, 1985 [SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUGO}, 1986 [SEL_VALIDATE_TRANS] = {"validatetrans", &sel_transition_ops, 1987 S_IWUGO}, 1988 /* last one */ {"", NULL, 0} 1989 }; 1990 1991 ret = selinux_fs_info_create(sb); 1992 if (ret) 1993 goto err; 1994 1995 ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files); 1996 if (ret) 1997 goto err; 1998 1999 fsi = sb->s_fs_info; 2000 fsi->bool_dir = sel_make_dir(sb->s_root, BOOL_DIR_NAME, &fsi->last_ino); 2001 if (IS_ERR(fsi->bool_dir)) { 2002 ret = PTR_ERR(fsi->bool_dir); 2003 fsi->bool_dir = NULL; 2004 goto err; 2005 } 2006 2007 ret = -ENOMEM; 2008 inode = sel_make_inode(sb, S_IFCHR | S_IRUGO | S_IWUGO); 2009 if (!inode) 2010 goto err; 2011 2012 inode->i_ino = ++fsi->last_ino; 2013 isec = selinux_inode(inode); 2014 isec->sid = SECINITSID_DEVNULL; 2015 isec->sclass = SECCLASS_CHR_FILE; 2016 isec->initialized = LABEL_INITIALIZED; 2017 2018 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, MKDEV(MEM_MAJOR, 3)); 2019 ret = sel_attach_file(sb->s_root, NULL_FILE_NAME, inode); 2020 if (ret) 2021 goto err; 2022 2023 dentry = sel_make_dir(sb->s_root, "avc", &fsi->last_ino); 2024 if (IS_ERR(dentry)) { 2025 ret = PTR_ERR(dentry); 2026 goto err; 2027 } 2028 2029 ret = sel_make_avc_files(dentry); 2030 if (ret) 2031 goto err; 2032 2033 dentry = sel_make_dir(sb->s_root, "ss", &fsi->last_ino); 2034 if (IS_ERR(dentry)) { 2035 ret = PTR_ERR(dentry); 2036 goto err; 2037 } 2038 2039 ret = sel_make_ss_files(dentry); 2040 if (ret) 2041 goto err; 2042 2043 dentry = sel_make_dir(sb->s_root, "initial_contexts", &fsi->last_ino); 2044 if (IS_ERR(dentry)) { 2045 ret = PTR_ERR(dentry); 2046 goto err; 2047 } 2048 2049 ret = sel_make_initcon_files(dentry); 2050 if (ret) 2051 goto err; 2052 2053 fsi->class_dir = sel_make_dir(sb->s_root, CLASS_DIR_NAME, &fsi->last_ino); 2054 if (IS_ERR(fsi->class_dir)) { 2055 ret = PTR_ERR(fsi->class_dir); 2056 fsi->class_dir = NULL; 2057 goto err; 2058 } 2059 2060 dentry = sel_make_dir(sb->s_root, "policy_capabilities", &fsi->last_ino); 2061 if (IS_ERR(dentry)) { 2062 ret = PTR_ERR(dentry); 2063 goto err; 2064 } 2065 2066 ret = sel_make_policycap(dentry); 2067 if (ret) { 2068 pr_err("SELinux: failed to load policy capabilities\n"); 2069 goto err; 2070 } 2071 2072 return 0; 2073 err: 2074 pr_err("SELinux: %s: failed while creating inodes\n", 2075 __func__); 2076 2077 return ret; 2078 } 2079 2080 static int sel_get_tree(struct fs_context *fc) 2081 { 2082 return get_tree_single(fc, sel_fill_super); 2083 } 2084 2085 static const struct fs_context_operations sel_context_ops = { 2086 .get_tree = sel_get_tree, 2087 }; 2088 2089 static int sel_init_fs_context(struct fs_context *fc) 2090 { 2091 fc->ops = &sel_context_ops; 2092 return 0; 2093 } 2094 2095 static void sel_kill_sb(struct super_block *sb) 2096 { 2097 selinux_fs_info_free(sb); 2098 kill_anon_super(sb); 2099 } 2100 2101 static struct file_system_type sel_fs_type = { 2102 .name = "selinuxfs", 2103 .init_fs_context = sel_init_fs_context, 2104 .kill_sb = sel_kill_sb, 2105 }; 2106 2107 struct path selinux_null __ro_after_init; 2108 2109 int __init init_sel_fs(void) 2110 { 2111 struct qstr null_name = QSTR_INIT(NULL_FILE_NAME, 2112 sizeof(NULL_FILE_NAME)-1); 2113 int err; 2114 2115 if (!selinux_enabled_boot) 2116 return 0; 2117 2118 err = sysfs_create_mount_point(fs_kobj, "selinux"); 2119 if (err) 2120 return err; 2121 2122 err = register_filesystem(&sel_fs_type); 2123 if (err) { 2124 sysfs_remove_mount_point(fs_kobj, "selinux"); 2125 return err; 2126 } 2127 2128 selinux_null.mnt = kern_mount(&sel_fs_type); 2129 if (IS_ERR(selinux_null.mnt)) { 2130 pr_err("selinuxfs: could not mount!\n"); 2131 err = PTR_ERR(selinux_null.mnt); 2132 selinux_null.mnt = NULL; 2133 return err; 2134 } 2135 2136 selinux_null.dentry = try_lookup_noperm(&null_name, 2137 selinux_null.mnt->mnt_root); 2138 if (IS_ERR(selinux_null.dentry)) { 2139 pr_err("selinuxfs: could not lookup null!\n"); 2140 err = PTR_ERR(selinux_null.dentry); 2141 selinux_null.dentry = NULL; 2142 return err; 2143 } 2144 2145 /* 2146 * Try to pre-allocate the status page, so the sequence number of the 2147 * initial policy load can be stored. 2148 */ 2149 (void) selinux_kernel_status_page(); 2150 2151 return err; 2152 } 2153