1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/kernel_read_file.h> 28 #include <linux/errno.h> 29 #include <linux/sched/signal.h> 30 #include <linux/sched/task.h> 31 #include <linux/lsm_hooks.h> 32 #include <linux/xattr.h> 33 #include <linux/capability.h> 34 #include <linux/unistd.h> 35 #include <linux/mm.h> 36 #include <linux/mman.h> 37 #include <linux/slab.h> 38 #include <linux/pagemap.h> 39 #include <linux/proc_fs.h> 40 #include <linux/swap.h> 41 #include <linux/spinlock.h> 42 #include <linux/syscalls.h> 43 #include <linux/dcache.h> 44 #include <linux/file.h> 45 #include <linux/fdtable.h> 46 #include <linux/namei.h> 47 #include <linux/mount.h> 48 #include <linux/fs_context.h> 49 #include <linux/fs_parser.h> 50 #include <linux/netfilter_ipv4.h> 51 #include <linux/netfilter_ipv6.h> 52 #include <linux/tty.h> 53 #include <net/icmp.h> 54 #include <net/ip.h> /* for local_port_range[] */ 55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 56 #include <net/inet_connection_sock.h> 57 #include <net/net_namespace.h> 58 #include <net/netlabel.h> 59 #include <linux/uaccess.h> 60 #include <asm/ioctls.h> 61 #include <linux/atomic.h> 62 #include <linux/bitops.h> 63 #include <linux/interrupt.h> 64 #include <linux/netdevice.h> /* for network interface checks */ 65 #include <net/netlink.h> 66 #include <linux/tcp.h> 67 #include <linux/udp.h> 68 #include <linux/sctp.h> 69 #include <net/sctp/structs.h> 70 #include <linux/quota.h> 71 #include <linux/un.h> /* for Unix socket types */ 72 #include <net/af_unix.h> /* for Unix socket types */ 73 #include <linux/parser.h> 74 #include <linux/nfs_mount.h> 75 #include <net/ipv6.h> 76 #include <linux/hugetlb.h> 77 #include <linux/personality.h> 78 #include <linux/audit.h> 79 #include <linux/string.h> 80 #include <linux/mutex.h> 81 #include <linux/posix-timers.h> 82 #include <linux/syslog.h> 83 #include <linux/user_namespace.h> 84 #include <linux/export.h> 85 #include <linux/msg.h> 86 #include <linux/shm.h> 87 #include <uapi/linux/shm.h> 88 #include <linux/bpf.h> 89 #include <linux/kernfs.h> 90 #include <linux/stringhash.h> /* for hashlen_string() */ 91 #include <uapi/linux/mount.h> 92 #include <linux/fsnotify.h> 93 #include <linux/fanotify.h> 94 #include <linux/io_uring/cmd.h> 95 #include <uapi/linux/lsm.h> 96 #include <linux/memfd.h> 97 98 #include "initcalls.h" 99 #include "avc.h" 100 #include "objsec.h" 101 #include "netif.h" 102 #include "netnode.h" 103 #include "netport.h" 104 #include "ibpkey.h" 105 #include "xfrm.h" 106 #include "netlabel.h" 107 #include "audit.h" 108 #include "avc_ss.h" 109 110 #define SELINUX_INODE_INIT_XATTRS 1 111 112 struct selinux_state selinux_state; 113 114 /* SECMARK reference count */ 115 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 116 117 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 118 static int selinux_enforcing_boot __initdata; 119 120 static int __init enforcing_setup(char *str) 121 { 122 unsigned long enforcing; 123 if (!kstrtoul(str, 0, &enforcing)) 124 selinux_enforcing_boot = enforcing ? 1 : 0; 125 return 1; 126 } 127 __setup("enforcing=", enforcing_setup); 128 #else 129 #define selinux_enforcing_boot 1 130 #endif 131 132 int selinux_enabled_boot __initdata = 1; 133 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 134 static int __init selinux_enabled_setup(char *str) 135 { 136 unsigned long enabled; 137 if (!kstrtoul(str, 0, &enabled)) 138 selinux_enabled_boot = enabled ? 1 : 0; 139 return 1; 140 } 141 __setup("selinux=", selinux_enabled_setup); 142 #endif 143 144 static int __init checkreqprot_setup(char *str) 145 { 146 unsigned long checkreqprot; 147 148 if (!kstrtoul(str, 0, &checkreqprot)) { 149 if (checkreqprot) 150 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n"); 151 } 152 return 1; 153 } 154 __setup("checkreqprot=", checkreqprot_setup); 155 156 /** 157 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 158 * 159 * Description: 160 * This function checks the SECMARK reference counter to see if any SECMARK 161 * targets are currently configured, if the reference counter is greater than 162 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 163 * enabled, false (0) if SECMARK is disabled. If the always_check_network 164 * policy capability is enabled, SECMARK is always considered enabled. 165 * 166 */ 167 static int selinux_secmark_enabled(void) 168 { 169 return (selinux_policycap_alwaysnetwork() || 170 atomic_read(&selinux_secmark_refcount)); 171 } 172 173 /** 174 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 175 * 176 * Description: 177 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 178 * (1) if any are enabled or false (0) if neither are enabled. If the 179 * always_check_network policy capability is enabled, peer labeling 180 * is always considered enabled. 181 * 182 */ 183 static int selinux_peerlbl_enabled(void) 184 { 185 return (selinux_policycap_alwaysnetwork() || 186 netlbl_enabled() || selinux_xfrm_enabled()); 187 } 188 189 static int selinux_netcache_avc_callback(u32 event) 190 { 191 if (event == AVC_CALLBACK_RESET) { 192 sel_netif_flush(); 193 sel_netnode_flush(); 194 sel_netport_flush(); 195 synchronize_net(); 196 } 197 return 0; 198 } 199 200 static int selinux_lsm_notifier_avc_callback(u32 event) 201 { 202 if (event == AVC_CALLBACK_RESET) { 203 sel_ib_pkey_flush(); 204 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 205 } 206 207 return 0; 208 } 209 210 /* 211 * initialise the security for the init task 212 */ 213 static void cred_init_security(void) 214 { 215 struct cred_security_struct *crsec; 216 217 /* NOTE: the lsm framework zeros out the buffer on allocation */ 218 219 crsec = selinux_cred(unrcu_pointer(current->real_cred)); 220 crsec->osid = crsec->sid = SECINITSID_KERNEL; 221 } 222 223 /* 224 * get the security ID of a set of credentials 225 */ 226 static inline u32 cred_sid(const struct cred *cred) 227 { 228 const struct cred_security_struct *crsec; 229 230 crsec = selinux_cred(cred); 231 return crsec->sid; 232 } 233 234 static void __ad_net_init(struct common_audit_data *ad, 235 struct lsm_network_audit *net, 236 int ifindex, struct sock *sk, u16 family) 237 { 238 ad->type = LSM_AUDIT_DATA_NET; 239 ad->u.net = net; 240 net->netif = ifindex; 241 net->sk = sk; 242 net->family = family; 243 } 244 245 static void ad_net_init_from_sk(struct common_audit_data *ad, 246 struct lsm_network_audit *net, 247 struct sock *sk) 248 { 249 __ad_net_init(ad, net, 0, sk, 0); 250 } 251 252 static void ad_net_init_from_iif(struct common_audit_data *ad, 253 struct lsm_network_audit *net, 254 int ifindex, u16 family) 255 { 256 __ad_net_init(ad, net, ifindex, NULL, family); 257 } 258 259 /* 260 * get the objective security ID of a task 261 */ 262 static inline u32 task_sid_obj(const struct task_struct *task) 263 { 264 u32 sid; 265 266 rcu_read_lock(); 267 sid = cred_sid(__task_cred(task)); 268 rcu_read_unlock(); 269 return sid; 270 } 271 272 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 273 274 /* 275 * Try reloading inode security labels that have been marked as invalid. The 276 * @may_sleep parameter indicates when sleeping and thus reloading labels is 277 * allowed; when set to false, returns -ECHILD when the label is 278 * invalid. The @dentry parameter should be set to a dentry of the inode. 279 */ 280 static int __inode_security_revalidate(struct inode *inode, 281 struct dentry *dentry, 282 bool may_sleep) 283 { 284 if (!selinux_initialized()) 285 return 0; 286 287 if (may_sleep) 288 might_sleep(); 289 else 290 return -ECHILD; 291 292 /* 293 * Check to ensure that an inode's SELinux state is valid and try 294 * reloading the inode security label if necessary. This will fail if 295 * @dentry is NULL and no dentry for this inode can be found; in that 296 * case, continue using the old label. 297 */ 298 inode_doinit_with_dentry(inode, dentry); 299 return 0; 300 } 301 302 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 303 { 304 return selinux_inode(inode); 305 } 306 307 static inline struct inode_security_struct *inode_security_rcu(struct inode *inode, 308 bool rcu) 309 { 310 int rc; 311 struct inode_security_struct *isec = selinux_inode(inode); 312 313 /* check below is racy, but revalidate will recheck with lock held */ 314 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 315 return isec; 316 rc = __inode_security_revalidate(inode, NULL, !rcu); 317 if (rc) 318 return ERR_PTR(rc); 319 return isec; 320 } 321 322 /* 323 * Get the security label of an inode. 324 */ 325 static inline struct inode_security_struct *inode_security(struct inode *inode) 326 { 327 struct inode_security_struct *isec = selinux_inode(inode); 328 329 /* check below is racy, but revalidate will recheck with lock held */ 330 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 331 return isec; 332 __inode_security_revalidate(inode, NULL, true); 333 return isec; 334 } 335 336 static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 337 { 338 return selinux_inode(d_backing_inode(dentry)); 339 } 340 341 /* 342 * Get the security label of a dentry's backing inode. 343 */ 344 static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry) 345 { 346 struct inode *inode = d_backing_inode(dentry); 347 struct inode_security_struct *isec = selinux_inode(inode); 348 349 /* check below is racy, but revalidate will recheck with lock held */ 350 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 351 return isec; 352 __inode_security_revalidate(inode, dentry, true); 353 return isec; 354 } 355 356 static void inode_free_security(struct inode *inode) 357 { 358 struct inode_security_struct *isec = selinux_inode(inode); 359 struct superblock_security_struct *sbsec; 360 361 if (!isec) 362 return; 363 sbsec = selinux_superblock(inode->i_sb); 364 /* 365 * As not all inode security structures are in a list, we check for 366 * empty list outside of the lock to make sure that we won't waste 367 * time taking a lock doing nothing. 368 * 369 * The list_del_init() function can be safely called more than once. 370 * It should not be possible for this function to be called with 371 * concurrent list_add(), but for better safety against future changes 372 * in the code, we use list_empty_careful() here. 373 */ 374 if (!list_empty_careful(&isec->list)) { 375 spin_lock(&sbsec->isec_lock); 376 list_del_init(&isec->list); 377 spin_unlock(&sbsec->isec_lock); 378 } 379 } 380 381 struct selinux_mnt_opts { 382 u32 fscontext_sid; 383 u32 context_sid; 384 u32 rootcontext_sid; 385 u32 defcontext_sid; 386 }; 387 388 static void selinux_free_mnt_opts(void *mnt_opts) 389 { 390 kfree(mnt_opts); 391 } 392 393 enum { 394 Opt_error = -1, 395 Opt_context = 0, 396 Opt_defcontext = 1, 397 Opt_fscontext = 2, 398 Opt_rootcontext = 3, 399 Opt_seclabel = 4, 400 }; 401 402 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 403 static const struct { 404 const char *name; 405 int len; 406 int opt; 407 bool has_arg; 408 } tokens[] = { 409 A(context, true), 410 A(fscontext, true), 411 A(defcontext, true), 412 A(rootcontext, true), 413 A(seclabel, false), 414 }; 415 #undef A 416 417 static int match_opt_prefix(char *s, int l, char **arg) 418 { 419 unsigned int i; 420 421 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 422 size_t len = tokens[i].len; 423 if (len > l || memcmp(s, tokens[i].name, len)) 424 continue; 425 if (tokens[i].has_arg) { 426 if (len == l || s[len] != '=') 427 continue; 428 *arg = s + len + 1; 429 } else if (len != l) 430 continue; 431 return tokens[i].opt; 432 } 433 return Opt_error; 434 } 435 436 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 437 438 static int may_context_mount_sb_relabel(u32 sid, 439 struct superblock_security_struct *sbsec, 440 const struct cred *cred) 441 { 442 const struct cred_security_struct *crsec = selinux_cred(cred); 443 int rc; 444 445 rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 446 FILESYSTEM__RELABELFROM, NULL); 447 if (rc) 448 return rc; 449 450 rc = avc_has_perm(crsec->sid, sid, SECCLASS_FILESYSTEM, 451 FILESYSTEM__RELABELTO, NULL); 452 return rc; 453 } 454 455 static int may_context_mount_inode_relabel(u32 sid, 456 struct superblock_security_struct *sbsec, 457 const struct cred *cred) 458 { 459 const struct cred_security_struct *crsec = selinux_cred(cred); 460 int rc; 461 rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 462 FILESYSTEM__RELABELFROM, NULL); 463 if (rc) 464 return rc; 465 466 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 467 FILESYSTEM__ASSOCIATE, NULL); 468 return rc; 469 } 470 471 static int selinux_is_genfs_special_handling(struct super_block *sb) 472 { 473 /* Special handling. Genfs but also in-core setxattr handler */ 474 return !strcmp(sb->s_type->name, "sysfs") || 475 !strcmp(sb->s_type->name, "pstore") || 476 !strcmp(sb->s_type->name, "debugfs") || 477 !strcmp(sb->s_type->name, "tracefs") || 478 !strcmp(sb->s_type->name, "rootfs") || 479 (selinux_policycap_cgroupseclabel() && 480 (!strcmp(sb->s_type->name, "cgroup") || 481 !strcmp(sb->s_type->name, "cgroup2"))) || 482 (selinux_policycap_functionfs_seclabel() && 483 !strcmp(sb->s_type->name, "functionfs")); 484 } 485 486 static int selinux_is_sblabel_mnt(struct super_block *sb) 487 { 488 struct superblock_security_struct *sbsec = selinux_superblock(sb); 489 490 /* 491 * IMPORTANT: Double-check logic in this function when adding a new 492 * SECURITY_FS_USE_* definition! 493 */ 494 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 495 496 switch (sbsec->behavior) { 497 case SECURITY_FS_USE_XATTR: 498 case SECURITY_FS_USE_TRANS: 499 case SECURITY_FS_USE_TASK: 500 case SECURITY_FS_USE_NATIVE: 501 return 1; 502 503 case SECURITY_FS_USE_GENFS: 504 return selinux_is_genfs_special_handling(sb); 505 506 /* Never allow relabeling on context mounts */ 507 case SECURITY_FS_USE_MNTPOINT: 508 case SECURITY_FS_USE_NONE: 509 default: 510 return 0; 511 } 512 } 513 514 static int sb_check_xattr_support(struct super_block *sb) 515 { 516 struct superblock_security_struct *sbsec = selinux_superblock(sb); 517 struct dentry *root = sb->s_root; 518 struct inode *root_inode = d_backing_inode(root); 519 u32 sid; 520 int rc; 521 522 /* 523 * Make sure that the xattr handler exists and that no 524 * error other than -ENODATA is returned by getxattr on 525 * the root directory. -ENODATA is ok, as this may be 526 * the first boot of the SELinux kernel before we have 527 * assigned xattr values to the filesystem. 528 */ 529 if (!(root_inode->i_opflags & IOP_XATTR)) { 530 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n", 531 sb->s_id, sb->s_type->name); 532 goto fallback; 533 } 534 535 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 536 if (rc < 0 && rc != -ENODATA) { 537 if (rc == -EOPNOTSUPP) { 538 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n", 539 sb->s_id, sb->s_type->name); 540 goto fallback; 541 } else { 542 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n", 543 sb->s_id, sb->s_type->name, -rc); 544 return rc; 545 } 546 } 547 return 0; 548 549 fallback: 550 /* No xattr support - try to fallback to genfs if possible. */ 551 rc = security_genfs_sid(sb->s_type->name, "/", 552 SECCLASS_DIR, &sid); 553 if (rc) 554 return -EOPNOTSUPP; 555 556 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n", 557 sb->s_id, sb->s_type->name); 558 sbsec->behavior = SECURITY_FS_USE_GENFS; 559 sbsec->sid = sid; 560 return 0; 561 } 562 563 static int sb_finish_set_opts(struct super_block *sb) 564 { 565 struct superblock_security_struct *sbsec = selinux_superblock(sb); 566 struct dentry *root = sb->s_root; 567 struct inode *root_inode = d_backing_inode(root); 568 int rc = 0; 569 570 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 571 rc = sb_check_xattr_support(sb); 572 if (rc) 573 return rc; 574 } 575 576 sbsec->flags |= SE_SBINITIALIZED; 577 578 /* 579 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 580 * leave the flag untouched because sb_clone_mnt_opts might be handing 581 * us a superblock that needs the flag to be cleared. 582 */ 583 if (selinux_is_sblabel_mnt(sb)) 584 sbsec->flags |= SBLABEL_MNT; 585 else 586 sbsec->flags &= ~SBLABEL_MNT; 587 588 /* Initialize the root inode. */ 589 rc = inode_doinit_with_dentry(root_inode, root); 590 591 /* Initialize any other inodes associated with the superblock, e.g. 592 inodes created prior to initial policy load or inodes created 593 during get_sb by a pseudo filesystem that directly 594 populates itself. */ 595 spin_lock(&sbsec->isec_lock); 596 while (!list_empty(&sbsec->isec_head)) { 597 struct inode_security_struct *isec = 598 list_first_entry(&sbsec->isec_head, 599 struct inode_security_struct, list); 600 struct inode *inode = isec->inode; 601 list_del_init(&isec->list); 602 spin_unlock(&sbsec->isec_lock); 603 inode = igrab(inode); 604 if (inode) { 605 if (!IS_PRIVATE(inode)) 606 inode_doinit_with_dentry(inode, NULL); 607 iput(inode); 608 } 609 spin_lock(&sbsec->isec_lock); 610 } 611 spin_unlock(&sbsec->isec_lock); 612 return rc; 613 } 614 615 static int bad_option(struct superblock_security_struct *sbsec, char flag, 616 u32 old_sid, u32 new_sid) 617 { 618 char mnt_flags = sbsec->flags & SE_MNTMASK; 619 620 /* check if the old mount command had the same options */ 621 if (sbsec->flags & SE_SBINITIALIZED) 622 if (!(sbsec->flags & flag) || 623 (old_sid != new_sid)) 624 return 1; 625 626 /* check if we were passed the same options twice, 627 * aka someone passed context=a,context=b 628 */ 629 if (!(sbsec->flags & SE_SBINITIALIZED)) 630 if (mnt_flags & flag) 631 return 1; 632 return 0; 633 } 634 635 /* 636 * Allow filesystems with binary mount data to explicitly set mount point 637 * labeling information. 638 */ 639 static int selinux_set_mnt_opts(struct super_block *sb, 640 void *mnt_opts, 641 unsigned long kern_flags, 642 unsigned long *set_kern_flags) 643 { 644 const struct cred *cred = current_cred(); 645 struct superblock_security_struct *sbsec = selinux_superblock(sb); 646 struct dentry *root = sb->s_root; 647 struct selinux_mnt_opts *opts = mnt_opts; 648 struct inode_security_struct *root_isec; 649 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 650 u32 defcontext_sid = 0; 651 int rc = 0; 652 653 /* 654 * Specifying internal flags without providing a place to 655 * place the results is not allowed 656 */ 657 if (kern_flags && !set_kern_flags) 658 return -EINVAL; 659 660 mutex_lock(&sbsec->lock); 661 662 if (!selinux_initialized()) { 663 if (!opts) { 664 /* Defer initialization until selinux_complete_init, 665 after the initial policy is loaded and the security 666 server is ready to handle calls. */ 667 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 668 sbsec->flags |= SE_SBNATIVE; 669 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 670 } 671 goto out; 672 } 673 rc = -EINVAL; 674 pr_warn("SELinux: Unable to set superblock options " 675 "before the security server is initialized\n"); 676 goto out; 677 } 678 679 /* 680 * Binary mount data FS will come through this function twice. Once 681 * from an explicit call and once from the generic calls from the vfs. 682 * Since the generic VFS calls will not contain any security mount data 683 * we need to skip the double mount verification. 684 * 685 * This does open a hole in which we will not notice if the first 686 * mount using this sb set explicit options and a second mount using 687 * this sb does not set any security options. (The first options 688 * will be used for both mounts) 689 */ 690 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 691 && !opts) 692 goto out; 693 694 root_isec = backing_inode_security_novalidate(root); 695 696 /* 697 * parse the mount options, check if they are valid sids. 698 * also check if someone is trying to mount the same sb more 699 * than once with different security options. 700 */ 701 if (opts) { 702 if (opts->fscontext_sid) { 703 fscontext_sid = opts->fscontext_sid; 704 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 705 fscontext_sid)) 706 goto out_double_mount; 707 sbsec->flags |= FSCONTEXT_MNT; 708 } 709 if (opts->context_sid) { 710 context_sid = opts->context_sid; 711 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 712 context_sid)) 713 goto out_double_mount; 714 sbsec->flags |= CONTEXT_MNT; 715 } 716 if (opts->rootcontext_sid) { 717 rootcontext_sid = opts->rootcontext_sid; 718 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 719 rootcontext_sid)) 720 goto out_double_mount; 721 sbsec->flags |= ROOTCONTEXT_MNT; 722 } 723 if (opts->defcontext_sid) { 724 defcontext_sid = opts->defcontext_sid; 725 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 726 defcontext_sid)) 727 goto out_double_mount; 728 sbsec->flags |= DEFCONTEXT_MNT; 729 } 730 } 731 732 if (sbsec->flags & SE_SBINITIALIZED) { 733 /* previously mounted with options, but not on this attempt? */ 734 if ((sbsec->flags & SE_MNTMASK) && !opts) 735 goto out_double_mount; 736 rc = 0; 737 goto out; 738 } 739 740 sbsec->creator_sid = current_sid(); 741 742 if (strcmp(sb->s_type->name, "proc") == 0) 743 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 744 745 if (!strcmp(sb->s_type->name, "debugfs") || 746 !strcmp(sb->s_type->name, "tracefs") || 747 !strcmp(sb->s_type->name, "binder") || 748 !strcmp(sb->s_type->name, "bpf") || 749 !strcmp(sb->s_type->name, "pstore") || 750 !strcmp(sb->s_type->name, "securityfs") || 751 (selinux_policycap_functionfs_seclabel() && 752 !strcmp(sb->s_type->name, "functionfs"))) 753 sbsec->flags |= SE_SBGENFS; 754 755 if (!strcmp(sb->s_type->name, "sysfs") || 756 !strcmp(sb->s_type->name, "cgroup") || 757 !strcmp(sb->s_type->name, "cgroup2")) 758 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 759 760 if (!sbsec->behavior) { 761 /* 762 * Determine the labeling behavior to use for this 763 * filesystem type. 764 */ 765 rc = security_fs_use(sb); 766 if (rc) { 767 pr_warn("%s: security_fs_use(%s) returned %d\n", 768 __func__, sb->s_type->name, rc); 769 goto out; 770 } 771 } 772 773 /* 774 * If this is a user namespace mount and the filesystem type is not 775 * explicitly whitelisted, then no contexts are allowed on the command 776 * line and security labels must be ignored. 777 */ 778 if (sb->s_user_ns != &init_user_ns && 779 strcmp(sb->s_type->name, "tmpfs") && 780 strcmp(sb->s_type->name, "ramfs") && 781 strcmp(sb->s_type->name, "devpts") && 782 strcmp(sb->s_type->name, "overlay")) { 783 if (context_sid || fscontext_sid || rootcontext_sid || 784 defcontext_sid) { 785 rc = -EACCES; 786 goto out; 787 } 788 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 789 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 790 rc = security_transition_sid(current_sid(), 791 current_sid(), 792 SECCLASS_FILE, NULL, 793 &sbsec->mntpoint_sid); 794 if (rc) 795 goto out; 796 } 797 goto out_set_opts; 798 } 799 800 /* sets the context of the superblock for the fs being mounted. */ 801 if (fscontext_sid) { 802 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 803 if (rc) 804 goto out; 805 806 sbsec->sid = fscontext_sid; 807 } 808 809 /* 810 * Switch to using mount point labeling behavior. 811 * sets the label used on all file below the mountpoint, and will set 812 * the superblock context if not already set. 813 */ 814 if (sbsec->flags & SE_SBNATIVE) { 815 /* 816 * This means we are initializing a superblock that has been 817 * mounted before the SELinux was initialized and the 818 * filesystem requested native labeling. We had already 819 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags 820 * in the original mount attempt, so now we just need to set 821 * the SECURITY_FS_USE_NATIVE behavior. 822 */ 823 sbsec->behavior = SECURITY_FS_USE_NATIVE; 824 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 825 sbsec->behavior = SECURITY_FS_USE_NATIVE; 826 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 827 } 828 829 if (context_sid) { 830 if (!fscontext_sid) { 831 rc = may_context_mount_sb_relabel(context_sid, sbsec, 832 cred); 833 if (rc) 834 goto out; 835 sbsec->sid = context_sid; 836 } else { 837 rc = may_context_mount_inode_relabel(context_sid, sbsec, 838 cred); 839 if (rc) 840 goto out; 841 } 842 if (!rootcontext_sid) 843 rootcontext_sid = context_sid; 844 845 sbsec->mntpoint_sid = context_sid; 846 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 847 } 848 849 if (rootcontext_sid) { 850 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 851 cred); 852 if (rc) 853 goto out; 854 855 root_isec->sid = rootcontext_sid; 856 root_isec->initialized = LABEL_INITIALIZED; 857 } 858 859 if (defcontext_sid) { 860 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 861 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 862 rc = -EINVAL; 863 pr_warn("SELinux: defcontext option is " 864 "invalid for this filesystem type\n"); 865 goto out; 866 } 867 868 if (defcontext_sid != sbsec->def_sid) { 869 rc = may_context_mount_inode_relabel(defcontext_sid, 870 sbsec, cred); 871 if (rc) 872 goto out; 873 } 874 875 sbsec->def_sid = defcontext_sid; 876 } 877 878 out_set_opts: 879 rc = sb_finish_set_opts(sb); 880 out: 881 mutex_unlock(&sbsec->lock); 882 return rc; 883 out_double_mount: 884 rc = -EINVAL; 885 pr_warn("SELinux: mount invalid. Same superblock, different " 886 "security settings for (dev %s, type %s)\n", sb->s_id, 887 sb->s_type->name); 888 goto out; 889 } 890 891 static int selinux_cmp_sb_context(const struct super_block *oldsb, 892 const struct super_block *newsb) 893 { 894 struct superblock_security_struct *old = selinux_superblock(oldsb); 895 struct superblock_security_struct *new = selinux_superblock(newsb); 896 char oldflags = old->flags & SE_MNTMASK; 897 char newflags = new->flags & SE_MNTMASK; 898 899 if (oldflags != newflags) 900 goto mismatch; 901 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 902 goto mismatch; 903 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 904 goto mismatch; 905 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 906 goto mismatch; 907 if (oldflags & ROOTCONTEXT_MNT) { 908 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 909 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 910 if (oldroot->sid != newroot->sid) 911 goto mismatch; 912 } 913 if (old->creator_sid != new->creator_sid) 914 goto mismatch; 915 return 0; 916 mismatch: 917 pr_warn("SELinux: mount invalid. Same superblock, " 918 "different security settings for (dev %s, " 919 "type %s)\n", newsb->s_id, newsb->s_type->name); 920 return -EBUSY; 921 } 922 923 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 924 struct super_block *newsb, 925 unsigned long kern_flags, 926 unsigned long *set_kern_flags) 927 { 928 int rc = 0; 929 const struct superblock_security_struct *oldsbsec = 930 selinux_superblock(oldsb); 931 struct superblock_security_struct *newsbsec = selinux_superblock(newsb); 932 933 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 934 int set_context = (oldsbsec->flags & CONTEXT_MNT); 935 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 936 937 /* 938 * Specifying internal flags without providing a place to 939 * place the results is not allowed. 940 */ 941 if (kern_flags && !set_kern_flags) 942 return -EINVAL; 943 944 mutex_lock(&newsbsec->lock); 945 946 /* 947 * if the parent was able to be mounted it clearly had no special lsm 948 * mount options. thus we can safely deal with this superblock later 949 */ 950 if (!selinux_initialized()) { 951 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 952 newsbsec->flags |= SE_SBNATIVE; 953 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 954 } 955 goto out; 956 } 957 958 /* how can we clone if the old one wasn't set up?? */ 959 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 960 961 /* if fs is reusing a sb, make sure that the contexts match */ 962 if (newsbsec->flags & SE_SBINITIALIZED) { 963 mutex_unlock(&newsbsec->lock); 964 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 965 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 966 return selinux_cmp_sb_context(oldsb, newsb); 967 } 968 969 newsbsec->flags = oldsbsec->flags; 970 971 newsbsec->sid = oldsbsec->sid; 972 newsbsec->def_sid = oldsbsec->def_sid; 973 newsbsec->behavior = oldsbsec->behavior; 974 newsbsec->creator_sid = oldsbsec->creator_sid; 975 976 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 977 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 978 rc = security_fs_use(newsb); 979 if (rc) 980 goto out; 981 } 982 983 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 984 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 985 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 986 } 987 988 if (set_context) { 989 u32 sid = oldsbsec->mntpoint_sid; 990 991 if (!set_fscontext) 992 newsbsec->sid = sid; 993 if (!set_rootcontext) { 994 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 995 newisec->sid = sid; 996 } 997 newsbsec->mntpoint_sid = sid; 998 } 999 if (set_rootcontext) { 1000 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1001 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1002 1003 newisec->sid = oldisec->sid; 1004 } 1005 1006 sb_finish_set_opts(newsb); 1007 out: 1008 mutex_unlock(&newsbsec->lock); 1009 return rc; 1010 } 1011 1012 /* 1013 * NOTE: the caller is responsible for freeing the memory even if on error. 1014 */ 1015 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 1016 { 1017 struct selinux_mnt_opts *opts = *mnt_opts; 1018 u32 *dst_sid; 1019 int rc; 1020 1021 if (token == Opt_seclabel) 1022 /* eaten and completely ignored */ 1023 return 0; 1024 if (!s) 1025 return -EINVAL; 1026 1027 if (!selinux_initialized()) { 1028 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n"); 1029 return -EINVAL; 1030 } 1031 1032 if (!opts) { 1033 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 1034 if (!opts) 1035 return -ENOMEM; 1036 *mnt_opts = opts; 1037 } 1038 1039 switch (token) { 1040 case Opt_context: 1041 if (opts->context_sid || opts->defcontext_sid) 1042 goto err; 1043 dst_sid = &opts->context_sid; 1044 break; 1045 case Opt_fscontext: 1046 if (opts->fscontext_sid) 1047 goto err; 1048 dst_sid = &opts->fscontext_sid; 1049 break; 1050 case Opt_rootcontext: 1051 if (opts->rootcontext_sid) 1052 goto err; 1053 dst_sid = &opts->rootcontext_sid; 1054 break; 1055 case Opt_defcontext: 1056 if (opts->context_sid || opts->defcontext_sid) 1057 goto err; 1058 dst_sid = &opts->defcontext_sid; 1059 break; 1060 default: 1061 WARN_ON(1); 1062 return -EINVAL; 1063 } 1064 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL); 1065 if (rc) 1066 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n", 1067 s, rc); 1068 return rc; 1069 1070 err: 1071 pr_warn(SEL_MOUNT_FAIL_MSG); 1072 return -EINVAL; 1073 } 1074 1075 static int show_sid(struct seq_file *m, u32 sid) 1076 { 1077 char *context = NULL; 1078 u32 len; 1079 int rc; 1080 1081 rc = security_sid_to_context(sid, &context, &len); 1082 if (!rc) { 1083 bool has_comma = strchr(context, ','); 1084 1085 seq_putc(m, '='); 1086 if (has_comma) 1087 seq_putc(m, '\"'); 1088 seq_escape(m, context, "\"\n\\"); 1089 if (has_comma) 1090 seq_putc(m, '\"'); 1091 } 1092 kfree(context); 1093 return rc; 1094 } 1095 1096 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1097 { 1098 struct superblock_security_struct *sbsec = selinux_superblock(sb); 1099 int rc; 1100 1101 if (!(sbsec->flags & SE_SBINITIALIZED)) 1102 return 0; 1103 1104 if (!selinux_initialized()) 1105 return 0; 1106 1107 if (sbsec->flags & FSCONTEXT_MNT) { 1108 seq_putc(m, ','); 1109 seq_puts(m, FSCONTEXT_STR); 1110 rc = show_sid(m, sbsec->sid); 1111 if (rc) 1112 return rc; 1113 } 1114 if (sbsec->flags & CONTEXT_MNT) { 1115 seq_putc(m, ','); 1116 seq_puts(m, CONTEXT_STR); 1117 rc = show_sid(m, sbsec->mntpoint_sid); 1118 if (rc) 1119 return rc; 1120 } 1121 if (sbsec->flags & DEFCONTEXT_MNT) { 1122 seq_putc(m, ','); 1123 seq_puts(m, DEFCONTEXT_STR); 1124 rc = show_sid(m, sbsec->def_sid); 1125 if (rc) 1126 return rc; 1127 } 1128 if (sbsec->flags & ROOTCONTEXT_MNT) { 1129 struct dentry *root = sb->s_root; 1130 struct inode_security_struct *isec = backing_inode_security(root); 1131 seq_putc(m, ','); 1132 seq_puts(m, ROOTCONTEXT_STR); 1133 rc = show_sid(m, isec->sid); 1134 if (rc) 1135 return rc; 1136 } 1137 if (sbsec->flags & SBLABEL_MNT) { 1138 seq_putc(m, ','); 1139 seq_puts(m, SECLABEL_STR); 1140 } 1141 return 0; 1142 } 1143 1144 static inline u16 inode_mode_to_security_class(umode_t mode) 1145 { 1146 switch (mode & S_IFMT) { 1147 case S_IFSOCK: 1148 return SECCLASS_SOCK_FILE; 1149 case S_IFLNK: 1150 return SECCLASS_LNK_FILE; 1151 case S_IFREG: 1152 return SECCLASS_FILE; 1153 case S_IFBLK: 1154 return SECCLASS_BLK_FILE; 1155 case S_IFDIR: 1156 return SECCLASS_DIR; 1157 case S_IFCHR: 1158 return SECCLASS_CHR_FILE; 1159 case S_IFIFO: 1160 return SECCLASS_FIFO_FILE; 1161 1162 } 1163 1164 return SECCLASS_FILE; 1165 } 1166 1167 static inline int default_protocol_stream(int protocol) 1168 { 1169 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP || 1170 protocol == IPPROTO_MPTCP); 1171 } 1172 1173 static inline int default_protocol_dgram(int protocol) 1174 { 1175 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1176 } 1177 1178 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1179 { 1180 bool extsockclass = selinux_policycap_extsockclass(); 1181 1182 switch (family) { 1183 case PF_UNIX: 1184 switch (type) { 1185 case SOCK_STREAM: 1186 case SOCK_SEQPACKET: 1187 return SECCLASS_UNIX_STREAM_SOCKET; 1188 case SOCK_DGRAM: 1189 case SOCK_RAW: 1190 return SECCLASS_UNIX_DGRAM_SOCKET; 1191 } 1192 break; 1193 case PF_INET: 1194 case PF_INET6: 1195 switch (type) { 1196 case SOCK_STREAM: 1197 case SOCK_SEQPACKET: 1198 if (default_protocol_stream(protocol)) 1199 return SECCLASS_TCP_SOCKET; 1200 else if (extsockclass && protocol == IPPROTO_SCTP) 1201 return SECCLASS_SCTP_SOCKET; 1202 else 1203 return SECCLASS_RAWIP_SOCKET; 1204 case SOCK_DGRAM: 1205 if (default_protocol_dgram(protocol)) 1206 return SECCLASS_UDP_SOCKET; 1207 else if (extsockclass && (protocol == IPPROTO_ICMP || 1208 protocol == IPPROTO_ICMPV6)) 1209 return SECCLASS_ICMP_SOCKET; 1210 else 1211 return SECCLASS_RAWIP_SOCKET; 1212 default: 1213 return SECCLASS_RAWIP_SOCKET; 1214 } 1215 break; 1216 case PF_NETLINK: 1217 switch (protocol) { 1218 case NETLINK_ROUTE: 1219 return SECCLASS_NETLINK_ROUTE_SOCKET; 1220 case NETLINK_SOCK_DIAG: 1221 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1222 case NETLINK_NFLOG: 1223 return SECCLASS_NETLINK_NFLOG_SOCKET; 1224 case NETLINK_XFRM: 1225 return SECCLASS_NETLINK_XFRM_SOCKET; 1226 case NETLINK_SELINUX: 1227 return SECCLASS_NETLINK_SELINUX_SOCKET; 1228 case NETLINK_ISCSI: 1229 return SECCLASS_NETLINK_ISCSI_SOCKET; 1230 case NETLINK_AUDIT: 1231 return SECCLASS_NETLINK_AUDIT_SOCKET; 1232 case NETLINK_FIB_LOOKUP: 1233 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1234 case NETLINK_CONNECTOR: 1235 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1236 case NETLINK_NETFILTER: 1237 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1238 case NETLINK_DNRTMSG: 1239 return SECCLASS_NETLINK_DNRT_SOCKET; 1240 case NETLINK_KOBJECT_UEVENT: 1241 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1242 case NETLINK_GENERIC: 1243 return SECCLASS_NETLINK_GENERIC_SOCKET; 1244 case NETLINK_SCSITRANSPORT: 1245 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1246 case NETLINK_RDMA: 1247 return SECCLASS_NETLINK_RDMA_SOCKET; 1248 case NETLINK_CRYPTO: 1249 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1250 default: 1251 return SECCLASS_NETLINK_SOCKET; 1252 } 1253 case PF_PACKET: 1254 return SECCLASS_PACKET_SOCKET; 1255 case PF_KEY: 1256 return SECCLASS_KEY_SOCKET; 1257 case PF_APPLETALK: 1258 return SECCLASS_APPLETALK_SOCKET; 1259 } 1260 1261 if (extsockclass) { 1262 switch (family) { 1263 case PF_AX25: 1264 return SECCLASS_AX25_SOCKET; 1265 case PF_IPX: 1266 return SECCLASS_IPX_SOCKET; 1267 case PF_NETROM: 1268 return SECCLASS_NETROM_SOCKET; 1269 case PF_ATMPVC: 1270 return SECCLASS_ATMPVC_SOCKET; 1271 case PF_X25: 1272 return SECCLASS_X25_SOCKET; 1273 case PF_ROSE: 1274 return SECCLASS_ROSE_SOCKET; 1275 case PF_DECnet: 1276 return SECCLASS_DECNET_SOCKET; 1277 case PF_ATMSVC: 1278 return SECCLASS_ATMSVC_SOCKET; 1279 case PF_RDS: 1280 return SECCLASS_RDS_SOCKET; 1281 case PF_IRDA: 1282 return SECCLASS_IRDA_SOCKET; 1283 case PF_PPPOX: 1284 return SECCLASS_PPPOX_SOCKET; 1285 case PF_LLC: 1286 return SECCLASS_LLC_SOCKET; 1287 case PF_CAN: 1288 return SECCLASS_CAN_SOCKET; 1289 case PF_TIPC: 1290 return SECCLASS_TIPC_SOCKET; 1291 case PF_BLUETOOTH: 1292 return SECCLASS_BLUETOOTH_SOCKET; 1293 case PF_IUCV: 1294 return SECCLASS_IUCV_SOCKET; 1295 case PF_RXRPC: 1296 return SECCLASS_RXRPC_SOCKET; 1297 case PF_ISDN: 1298 return SECCLASS_ISDN_SOCKET; 1299 case PF_PHONET: 1300 return SECCLASS_PHONET_SOCKET; 1301 case PF_IEEE802154: 1302 return SECCLASS_IEEE802154_SOCKET; 1303 case PF_CAIF: 1304 return SECCLASS_CAIF_SOCKET; 1305 case PF_ALG: 1306 return SECCLASS_ALG_SOCKET; 1307 case PF_NFC: 1308 return SECCLASS_NFC_SOCKET; 1309 case PF_VSOCK: 1310 return SECCLASS_VSOCK_SOCKET; 1311 case PF_KCM: 1312 return SECCLASS_KCM_SOCKET; 1313 case PF_QIPCRTR: 1314 return SECCLASS_QIPCRTR_SOCKET; 1315 case PF_SMC: 1316 return SECCLASS_SMC_SOCKET; 1317 case PF_XDP: 1318 return SECCLASS_XDP_SOCKET; 1319 case PF_MCTP: 1320 return SECCLASS_MCTP_SOCKET; 1321 #if PF_MAX > 46 1322 #error New address family defined, please update this function. 1323 #endif 1324 } 1325 } 1326 1327 return SECCLASS_SOCKET; 1328 } 1329 1330 static int selinux_genfs_get_sid(struct dentry *dentry, 1331 u16 tclass, 1332 u16 flags, 1333 u32 *sid) 1334 { 1335 int rc; 1336 struct super_block *sb = dentry->d_sb; 1337 char *buffer, *path; 1338 1339 buffer = (char *)__get_free_page(GFP_KERNEL); 1340 if (!buffer) 1341 return -ENOMEM; 1342 1343 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1344 if (IS_ERR(path)) 1345 rc = PTR_ERR(path); 1346 else { 1347 if (flags & SE_SBPROC) { 1348 /* each process gets a /proc/PID/ entry. Strip off the 1349 * PID part to get a valid selinux labeling. 1350 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1351 while (path[1] >= '0' && path[1] <= '9') { 1352 path[1] = '/'; 1353 path++; 1354 } 1355 } 1356 rc = security_genfs_sid(sb->s_type->name, 1357 path, tclass, sid); 1358 if (rc == -ENOENT) { 1359 /* No match in policy, mark as unlabeled. */ 1360 *sid = SECINITSID_UNLABELED; 1361 rc = 0; 1362 } 1363 } 1364 free_page((unsigned long)buffer); 1365 return rc; 1366 } 1367 1368 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1369 u32 def_sid, u32 *sid) 1370 { 1371 #define INITCONTEXTLEN 255 1372 char *context; 1373 unsigned int len; 1374 int rc; 1375 1376 len = INITCONTEXTLEN; 1377 context = kmalloc(len + 1, GFP_NOFS); 1378 if (!context) 1379 return -ENOMEM; 1380 1381 context[len] = '\0'; 1382 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1383 if (rc == -ERANGE) { 1384 kfree(context); 1385 1386 /* Need a larger buffer. Query for the right size. */ 1387 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1388 if (rc < 0) 1389 return rc; 1390 1391 len = rc; 1392 context = kmalloc(len + 1, GFP_NOFS); 1393 if (!context) 1394 return -ENOMEM; 1395 1396 context[len] = '\0'; 1397 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1398 context, len); 1399 } 1400 if (rc < 0) { 1401 kfree(context); 1402 if (rc != -ENODATA) { 1403 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1404 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1405 return rc; 1406 } 1407 *sid = def_sid; 1408 return 0; 1409 } 1410 1411 rc = security_context_to_sid_default(context, rc, sid, 1412 def_sid, GFP_NOFS); 1413 if (rc) { 1414 char *dev = inode->i_sb->s_id; 1415 unsigned long ino = inode->i_ino; 1416 1417 if (rc == -EINVAL) { 1418 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1419 ino, dev, context); 1420 } else { 1421 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1422 __func__, context, -rc, dev, ino); 1423 } 1424 } 1425 kfree(context); 1426 return 0; 1427 } 1428 1429 /* The inode's security attributes must be initialized before first use. */ 1430 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1431 { 1432 struct superblock_security_struct *sbsec = NULL; 1433 struct inode_security_struct *isec = selinux_inode(inode); 1434 u32 task_sid, sid = 0; 1435 u16 sclass; 1436 struct dentry *dentry; 1437 int rc = 0; 1438 1439 if (isec->initialized == LABEL_INITIALIZED) 1440 return 0; 1441 1442 spin_lock(&isec->lock); 1443 if (isec->initialized == LABEL_INITIALIZED) 1444 goto out_unlock; 1445 1446 if (isec->sclass == SECCLASS_FILE) 1447 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1448 1449 sbsec = selinux_superblock(inode->i_sb); 1450 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1451 /* Defer initialization until selinux_complete_init, 1452 after the initial policy is loaded and the security 1453 server is ready to handle calls. */ 1454 spin_lock(&sbsec->isec_lock); 1455 if (list_empty(&isec->list)) 1456 list_add(&isec->list, &sbsec->isec_head); 1457 spin_unlock(&sbsec->isec_lock); 1458 goto out_unlock; 1459 } 1460 1461 sclass = isec->sclass; 1462 task_sid = isec->task_sid; 1463 sid = isec->sid; 1464 isec->initialized = LABEL_PENDING; 1465 spin_unlock(&isec->lock); 1466 1467 switch (sbsec->behavior) { 1468 /* 1469 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels 1470 * via xattr when called from delayed_superblock_init(). 1471 */ 1472 case SECURITY_FS_USE_NATIVE: 1473 case SECURITY_FS_USE_XATTR: 1474 if (!(inode->i_opflags & IOP_XATTR)) { 1475 sid = sbsec->def_sid; 1476 break; 1477 } 1478 /* Need a dentry, since the xattr API requires one. 1479 Life would be simpler if we could just pass the inode. */ 1480 if (opt_dentry) { 1481 /* Called from d_instantiate or d_splice_alias. */ 1482 dentry = dget(opt_dentry); 1483 } else { 1484 /* 1485 * Called from selinux_complete_init, try to find a dentry. 1486 * Some filesystems really want a connected one, so try 1487 * that first. We could split SECURITY_FS_USE_XATTR in 1488 * two, depending upon that... 1489 */ 1490 dentry = d_find_alias(inode); 1491 if (!dentry) 1492 dentry = d_find_any_alias(inode); 1493 } 1494 if (!dentry) { 1495 /* 1496 * this is can be hit on boot when a file is accessed 1497 * before the policy is loaded. When we load policy we 1498 * may find inodes that have no dentry on the 1499 * sbsec->isec_head list. No reason to complain as these 1500 * will get fixed up the next time we go through 1501 * inode_doinit with a dentry, before these inodes could 1502 * be used again by userspace. 1503 */ 1504 goto out_invalid; 1505 } 1506 1507 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1508 &sid); 1509 dput(dentry); 1510 if (rc) 1511 goto out; 1512 break; 1513 case SECURITY_FS_USE_TASK: 1514 sid = task_sid; 1515 break; 1516 case SECURITY_FS_USE_TRANS: 1517 /* Default to the fs SID. */ 1518 sid = sbsec->sid; 1519 1520 /* Try to obtain a transition SID. */ 1521 rc = security_transition_sid(task_sid, sid, 1522 sclass, NULL, &sid); 1523 if (rc) 1524 goto out; 1525 break; 1526 case SECURITY_FS_USE_MNTPOINT: 1527 sid = sbsec->mntpoint_sid; 1528 break; 1529 default: 1530 /* Default to the fs superblock SID. */ 1531 sid = sbsec->sid; 1532 1533 if ((sbsec->flags & SE_SBGENFS) && 1534 (!S_ISLNK(inode->i_mode) || 1535 selinux_policycap_genfs_seclabel_symlinks())) { 1536 /* We must have a dentry to determine the label on 1537 * procfs inodes */ 1538 if (opt_dentry) { 1539 /* Called from d_instantiate or 1540 * d_splice_alias. */ 1541 dentry = dget(opt_dentry); 1542 } else { 1543 /* Called from selinux_complete_init, try to 1544 * find a dentry. Some filesystems really want 1545 * a connected one, so try that first. 1546 */ 1547 dentry = d_find_alias(inode); 1548 if (!dentry) 1549 dentry = d_find_any_alias(inode); 1550 } 1551 /* 1552 * This can be hit on boot when a file is accessed 1553 * before the policy is loaded. When we load policy we 1554 * may find inodes that have no dentry on the 1555 * sbsec->isec_head list. No reason to complain as 1556 * these will get fixed up the next time we go through 1557 * inode_doinit() with a dentry, before these inodes 1558 * could be used again by userspace. 1559 */ 1560 if (!dentry) 1561 goto out_invalid; 1562 rc = selinux_genfs_get_sid(dentry, sclass, 1563 sbsec->flags, &sid); 1564 if (rc) { 1565 dput(dentry); 1566 goto out; 1567 } 1568 1569 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1570 (inode->i_opflags & IOP_XATTR)) { 1571 rc = inode_doinit_use_xattr(inode, dentry, 1572 sid, &sid); 1573 if (rc) { 1574 dput(dentry); 1575 goto out; 1576 } 1577 } 1578 dput(dentry); 1579 } 1580 break; 1581 } 1582 1583 out: 1584 spin_lock(&isec->lock); 1585 if (isec->initialized == LABEL_PENDING) { 1586 if (rc) { 1587 isec->initialized = LABEL_INVALID; 1588 goto out_unlock; 1589 } 1590 isec->initialized = LABEL_INITIALIZED; 1591 isec->sid = sid; 1592 } 1593 1594 out_unlock: 1595 spin_unlock(&isec->lock); 1596 return rc; 1597 1598 out_invalid: 1599 spin_lock(&isec->lock); 1600 if (isec->initialized == LABEL_PENDING) { 1601 isec->initialized = LABEL_INVALID; 1602 isec->sid = sid; 1603 } 1604 spin_unlock(&isec->lock); 1605 return 0; 1606 } 1607 1608 /* Convert a Linux signal to an access vector. */ 1609 static inline u32 signal_to_av(int sig) 1610 { 1611 u32 perm = 0; 1612 1613 switch (sig) { 1614 case SIGCHLD: 1615 /* Commonly granted from child to parent. */ 1616 perm = PROCESS__SIGCHLD; 1617 break; 1618 case SIGKILL: 1619 /* Cannot be caught or ignored */ 1620 perm = PROCESS__SIGKILL; 1621 break; 1622 case SIGSTOP: 1623 /* Cannot be caught or ignored */ 1624 perm = PROCESS__SIGSTOP; 1625 break; 1626 default: 1627 /* All other signals. */ 1628 perm = PROCESS__SIGNAL; 1629 break; 1630 } 1631 1632 return perm; 1633 } 1634 1635 #if CAP_LAST_CAP > 63 1636 #error Fix SELinux to handle capabilities > 63. 1637 #endif 1638 1639 /* Check whether a task is allowed to use a capability. */ 1640 static int cred_has_capability(const struct cred *cred, 1641 int cap, unsigned int opts, bool initns) 1642 { 1643 struct common_audit_data ad; 1644 struct av_decision avd; 1645 u16 sclass; 1646 u32 sid = cred_sid(cred); 1647 u32 av = CAP_TO_MASK(cap); 1648 int rc; 1649 1650 ad.type = LSM_AUDIT_DATA_CAP; 1651 ad.u.cap = cap; 1652 1653 switch (CAP_TO_INDEX(cap)) { 1654 case 0: 1655 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1656 break; 1657 case 1: 1658 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1659 break; 1660 default: 1661 pr_err("SELinux: out of range capability %d\n", cap); 1662 return -EINVAL; 1663 } 1664 1665 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1666 if (!(opts & CAP_OPT_NOAUDIT)) { 1667 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); 1668 if (rc2) 1669 return rc2; 1670 } 1671 return rc; 1672 } 1673 1674 /* Check whether a task has a particular permission to an inode. 1675 The 'adp' parameter is optional and allows other audit 1676 data to be passed (e.g. the dentry). */ 1677 static int inode_has_perm(const struct cred *cred, 1678 struct inode *inode, 1679 u32 perms, 1680 struct common_audit_data *adp) 1681 { 1682 struct inode_security_struct *isec; 1683 u32 sid; 1684 1685 if (unlikely(IS_PRIVATE(inode))) 1686 return 0; 1687 1688 sid = cred_sid(cred); 1689 isec = selinux_inode(inode); 1690 1691 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1692 } 1693 1694 /* Same as inode_has_perm, but pass explicit audit data containing 1695 the dentry to help the auditing code to more easily generate the 1696 pathname if needed. */ 1697 static inline int dentry_has_perm(const struct cred *cred, 1698 struct dentry *dentry, 1699 u32 av) 1700 { 1701 struct common_audit_data ad; 1702 struct inode *inode = d_backing_inode(dentry); 1703 struct inode_security_struct *isec = selinux_inode(inode); 1704 1705 ad.type = LSM_AUDIT_DATA_DENTRY; 1706 ad.u.dentry = dentry; 1707 /* check below is racy, but revalidate will recheck with lock held */ 1708 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1709 __inode_security_revalidate(inode, dentry, true); 1710 return inode_has_perm(cred, inode, av, &ad); 1711 } 1712 1713 /* Same as inode_has_perm, but pass explicit audit data containing 1714 the path to help the auditing code to more easily generate the 1715 pathname if needed. */ 1716 static inline int path_has_perm(const struct cred *cred, 1717 const struct path *path, 1718 u32 av) 1719 { 1720 struct common_audit_data ad; 1721 struct inode *inode = d_backing_inode(path->dentry); 1722 struct inode_security_struct *isec = selinux_inode(inode); 1723 1724 ad.type = LSM_AUDIT_DATA_PATH; 1725 ad.u.path = *path; 1726 /* check below is racy, but revalidate will recheck with lock held */ 1727 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1728 __inode_security_revalidate(inode, path->dentry, true); 1729 return inode_has_perm(cred, inode, av, &ad); 1730 } 1731 1732 /* Same as path_has_perm, but uses the inode from the file struct. */ 1733 static inline int file_path_has_perm(const struct cred *cred, 1734 struct file *file, 1735 u32 av) 1736 { 1737 struct common_audit_data ad; 1738 1739 ad.type = LSM_AUDIT_DATA_FILE; 1740 ad.u.file = file; 1741 return inode_has_perm(cred, file_inode(file), av, &ad); 1742 } 1743 1744 #ifdef CONFIG_BPF_SYSCALL 1745 static int bpf_fd_pass(const struct file *file, u32 sid); 1746 #endif 1747 1748 /* Check whether a task can use an open file descriptor to 1749 access an inode in a given way. Check access to the 1750 descriptor itself, and then use dentry_has_perm to 1751 check a particular permission to the file. 1752 Access to the descriptor is implicitly granted if it 1753 has the same SID as the process. If av is zero, then 1754 access to the file is not checked, e.g. for cases 1755 where only the descriptor is affected like seek. */ 1756 static int file_has_perm(const struct cred *cred, 1757 struct file *file, 1758 u32 av) 1759 { 1760 struct file_security_struct *fsec = selinux_file(file); 1761 struct inode *inode = file_inode(file); 1762 struct common_audit_data ad; 1763 u32 sid = cred_sid(cred); 1764 int rc; 1765 1766 ad.type = LSM_AUDIT_DATA_FILE; 1767 ad.u.file = file; 1768 1769 if (sid != fsec->sid) { 1770 rc = avc_has_perm(sid, fsec->sid, 1771 SECCLASS_FD, 1772 FD__USE, 1773 &ad); 1774 if (rc) 1775 goto out; 1776 } 1777 1778 #ifdef CONFIG_BPF_SYSCALL 1779 rc = bpf_fd_pass(file, cred_sid(cred)); 1780 if (rc) 1781 return rc; 1782 #endif 1783 1784 /* av is zero if only checking access to the descriptor. */ 1785 rc = 0; 1786 if (av) 1787 rc = inode_has_perm(cred, inode, av, &ad); 1788 1789 out: 1790 return rc; 1791 } 1792 1793 /* 1794 * Determine the label for an inode that might be unioned. 1795 */ 1796 static int 1797 selinux_determine_inode_label(const struct cred_security_struct *crsec, 1798 struct inode *dir, 1799 const struct qstr *name, u16 tclass, 1800 u32 *_new_isid) 1801 { 1802 const struct superblock_security_struct *sbsec = 1803 selinux_superblock(dir->i_sb); 1804 1805 if ((sbsec->flags & SE_SBINITIALIZED) && 1806 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1807 *_new_isid = sbsec->mntpoint_sid; 1808 } else if ((sbsec->flags & SBLABEL_MNT) && 1809 crsec->create_sid) { 1810 *_new_isid = crsec->create_sid; 1811 } else { 1812 const struct inode_security_struct *dsec = inode_security(dir); 1813 return security_transition_sid(crsec->sid, 1814 dsec->sid, tclass, 1815 name, _new_isid); 1816 } 1817 1818 return 0; 1819 } 1820 1821 /* Check whether a task can create a file. */ 1822 static int may_create(struct inode *dir, 1823 struct dentry *dentry, 1824 u16 tclass) 1825 { 1826 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 1827 struct inode_security_struct *dsec; 1828 struct superblock_security_struct *sbsec; 1829 u32 sid, newsid; 1830 struct common_audit_data ad; 1831 int rc; 1832 1833 dsec = inode_security(dir); 1834 sbsec = selinux_superblock(dir->i_sb); 1835 1836 sid = crsec->sid; 1837 1838 ad.type = LSM_AUDIT_DATA_DENTRY; 1839 ad.u.dentry = dentry; 1840 1841 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1842 DIR__ADD_NAME | DIR__SEARCH, 1843 &ad); 1844 if (rc) 1845 return rc; 1846 1847 rc = selinux_determine_inode_label(crsec, dir, &dentry->d_name, tclass, 1848 &newsid); 1849 if (rc) 1850 return rc; 1851 1852 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1853 if (rc) 1854 return rc; 1855 1856 return avc_has_perm(newsid, sbsec->sid, 1857 SECCLASS_FILESYSTEM, 1858 FILESYSTEM__ASSOCIATE, &ad); 1859 } 1860 1861 #define MAY_LINK 0 1862 #define MAY_UNLINK 1 1863 #define MAY_RMDIR 2 1864 1865 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1866 static int may_link(struct inode *dir, 1867 struct dentry *dentry, 1868 int kind) 1869 1870 { 1871 struct inode_security_struct *dsec, *isec; 1872 struct common_audit_data ad; 1873 u32 sid = current_sid(); 1874 u32 av; 1875 int rc; 1876 1877 dsec = inode_security(dir); 1878 isec = backing_inode_security(dentry); 1879 1880 ad.type = LSM_AUDIT_DATA_DENTRY; 1881 ad.u.dentry = dentry; 1882 1883 av = DIR__SEARCH; 1884 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1885 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1886 if (rc) 1887 return rc; 1888 1889 switch (kind) { 1890 case MAY_LINK: 1891 av = FILE__LINK; 1892 break; 1893 case MAY_UNLINK: 1894 av = FILE__UNLINK; 1895 break; 1896 case MAY_RMDIR: 1897 av = DIR__RMDIR; 1898 break; 1899 default: 1900 pr_warn("SELinux: %s: unrecognized kind %d\n", 1901 __func__, kind); 1902 return 0; 1903 } 1904 1905 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1906 return rc; 1907 } 1908 1909 static inline int may_rename(struct inode *old_dir, 1910 struct dentry *old_dentry, 1911 struct inode *new_dir, 1912 struct dentry *new_dentry) 1913 { 1914 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1915 struct common_audit_data ad; 1916 u32 sid = current_sid(); 1917 u32 av; 1918 int old_is_dir, new_is_dir; 1919 int rc; 1920 1921 old_dsec = inode_security(old_dir); 1922 old_isec = backing_inode_security(old_dentry); 1923 old_is_dir = d_is_dir(old_dentry); 1924 new_dsec = inode_security(new_dir); 1925 1926 ad.type = LSM_AUDIT_DATA_DENTRY; 1927 1928 ad.u.dentry = old_dentry; 1929 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1930 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1931 if (rc) 1932 return rc; 1933 rc = avc_has_perm(sid, old_isec->sid, 1934 old_isec->sclass, FILE__RENAME, &ad); 1935 if (rc) 1936 return rc; 1937 if (old_is_dir && new_dir != old_dir) { 1938 rc = avc_has_perm(sid, old_isec->sid, 1939 old_isec->sclass, DIR__REPARENT, &ad); 1940 if (rc) 1941 return rc; 1942 } 1943 1944 ad.u.dentry = new_dentry; 1945 av = DIR__ADD_NAME | DIR__SEARCH; 1946 if (d_is_positive(new_dentry)) 1947 av |= DIR__REMOVE_NAME; 1948 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1949 if (rc) 1950 return rc; 1951 if (d_is_positive(new_dentry)) { 1952 new_isec = backing_inode_security(new_dentry); 1953 new_is_dir = d_is_dir(new_dentry); 1954 rc = avc_has_perm(sid, new_isec->sid, 1955 new_isec->sclass, 1956 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1957 if (rc) 1958 return rc; 1959 } 1960 1961 return 0; 1962 } 1963 1964 /* Check whether a task can perform a filesystem operation. */ 1965 static int superblock_has_perm(const struct cred *cred, 1966 const struct super_block *sb, 1967 u32 perms, 1968 struct common_audit_data *ad) 1969 { 1970 struct superblock_security_struct *sbsec; 1971 u32 sid = cred_sid(cred); 1972 1973 sbsec = selinux_superblock(sb); 1974 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1975 } 1976 1977 /* Convert a Linux mode and permission mask to an access vector. */ 1978 static inline u32 file_mask_to_av(int mode, int mask) 1979 { 1980 u32 av = 0; 1981 1982 if (!S_ISDIR(mode)) { 1983 if (mask & MAY_EXEC) 1984 av |= FILE__EXECUTE; 1985 if (mask & MAY_READ) 1986 av |= FILE__READ; 1987 1988 if (mask & MAY_APPEND) 1989 av |= FILE__APPEND; 1990 else if (mask & MAY_WRITE) 1991 av |= FILE__WRITE; 1992 1993 } else { 1994 if (mask & MAY_EXEC) 1995 av |= DIR__SEARCH; 1996 if (mask & MAY_WRITE) 1997 av |= DIR__WRITE; 1998 if (mask & MAY_READ) 1999 av |= DIR__READ; 2000 } 2001 2002 return av; 2003 } 2004 2005 /* Convert a Linux file to an access vector. */ 2006 static inline u32 file_to_av(const struct file *file) 2007 { 2008 u32 av = 0; 2009 2010 if (file->f_mode & FMODE_READ) 2011 av |= FILE__READ; 2012 if (file->f_mode & FMODE_WRITE) { 2013 if (file->f_flags & O_APPEND) 2014 av |= FILE__APPEND; 2015 else 2016 av |= FILE__WRITE; 2017 } 2018 if (!av) { 2019 /* 2020 * Special file opened with flags 3 for ioctl-only use. 2021 */ 2022 av = FILE__IOCTL; 2023 } 2024 2025 return av; 2026 } 2027 2028 /* 2029 * Convert a file to an access vector and include the correct 2030 * open permission. 2031 */ 2032 static inline u32 open_file_to_av(struct file *file) 2033 { 2034 u32 av = file_to_av(file); 2035 struct inode *inode = file_inode(file); 2036 2037 if (selinux_policycap_openperm() && 2038 inode->i_sb->s_magic != SOCKFS_MAGIC) 2039 av |= FILE__OPEN; 2040 2041 return av; 2042 } 2043 2044 /* Hook functions begin here. */ 2045 2046 static int selinux_binder_set_context_mgr(const struct cred *mgr) 2047 { 2048 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER, 2049 BINDER__SET_CONTEXT_MGR, NULL); 2050 } 2051 2052 static int selinux_binder_transaction(const struct cred *from, 2053 const struct cred *to) 2054 { 2055 u32 mysid = current_sid(); 2056 u32 fromsid = cred_sid(from); 2057 u32 tosid = cred_sid(to); 2058 int rc; 2059 2060 if (mysid != fromsid) { 2061 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2062 BINDER__IMPERSONATE, NULL); 2063 if (rc) 2064 return rc; 2065 } 2066 2067 return avc_has_perm(fromsid, tosid, 2068 SECCLASS_BINDER, BINDER__CALL, NULL); 2069 } 2070 2071 static int selinux_binder_transfer_binder(const struct cred *from, 2072 const struct cred *to) 2073 { 2074 return avc_has_perm(cred_sid(from), cred_sid(to), 2075 SECCLASS_BINDER, BINDER__TRANSFER, 2076 NULL); 2077 } 2078 2079 static int selinux_binder_transfer_file(const struct cred *from, 2080 const struct cred *to, 2081 const struct file *file) 2082 { 2083 u32 sid = cred_sid(to); 2084 struct file_security_struct *fsec = selinux_file(file); 2085 struct dentry *dentry = file->f_path.dentry; 2086 struct inode_security_struct *isec; 2087 struct common_audit_data ad; 2088 int rc; 2089 2090 ad.type = LSM_AUDIT_DATA_PATH; 2091 ad.u.path = file->f_path; 2092 2093 if (sid != fsec->sid) { 2094 rc = avc_has_perm(sid, fsec->sid, 2095 SECCLASS_FD, 2096 FD__USE, 2097 &ad); 2098 if (rc) 2099 return rc; 2100 } 2101 2102 #ifdef CONFIG_BPF_SYSCALL 2103 rc = bpf_fd_pass(file, sid); 2104 if (rc) 2105 return rc; 2106 #endif 2107 2108 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2109 return 0; 2110 2111 isec = backing_inode_security(dentry); 2112 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2113 &ad); 2114 } 2115 2116 static int selinux_ptrace_access_check(struct task_struct *child, 2117 unsigned int mode) 2118 { 2119 u32 sid = current_sid(); 2120 u32 csid = task_sid_obj(child); 2121 2122 if (mode & PTRACE_MODE_READ) 2123 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, 2124 NULL); 2125 2126 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, 2127 NULL); 2128 } 2129 2130 static int selinux_ptrace_traceme(struct task_struct *parent) 2131 { 2132 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current), 2133 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2134 } 2135 2136 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective, 2137 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2138 { 2139 return avc_has_perm(current_sid(), task_sid_obj(target), 2140 SECCLASS_PROCESS, PROCESS__GETCAP, NULL); 2141 } 2142 2143 static int selinux_capset(struct cred *new, const struct cred *old, 2144 const kernel_cap_t *effective, 2145 const kernel_cap_t *inheritable, 2146 const kernel_cap_t *permitted) 2147 { 2148 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2149 PROCESS__SETCAP, NULL); 2150 } 2151 2152 /* 2153 * (This comment used to live with the selinux_task_setuid hook, 2154 * which was removed). 2155 * 2156 * Since setuid only affects the current process, and since the SELinux 2157 * controls are not based on the Linux identity attributes, SELinux does not 2158 * need to control this operation. However, SELinux does control the use of 2159 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2160 */ 2161 2162 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2163 int cap, unsigned int opts) 2164 { 2165 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2166 } 2167 2168 static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb) 2169 { 2170 const struct cred *cred = current_cred(); 2171 int rc = 0; 2172 2173 if (!sb) 2174 return 0; 2175 2176 switch (cmds) { 2177 case Q_SYNC: 2178 case Q_QUOTAON: 2179 case Q_QUOTAOFF: 2180 case Q_SETINFO: 2181 case Q_SETQUOTA: 2182 case Q_XQUOTAOFF: 2183 case Q_XQUOTAON: 2184 case Q_XSETQLIM: 2185 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2186 break; 2187 case Q_GETFMT: 2188 case Q_GETINFO: 2189 case Q_GETQUOTA: 2190 case Q_XGETQUOTA: 2191 case Q_XGETQSTAT: 2192 case Q_XGETQSTATV: 2193 case Q_XGETNEXTQUOTA: 2194 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2195 break; 2196 default: 2197 rc = 0; /* let the kernel handle invalid cmds */ 2198 break; 2199 } 2200 return rc; 2201 } 2202 2203 static int selinux_quota_on(struct dentry *dentry) 2204 { 2205 const struct cred *cred = current_cred(); 2206 2207 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2208 } 2209 2210 static int selinux_syslog(int type) 2211 { 2212 switch (type) { 2213 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2214 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2215 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2216 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2217 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2218 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2219 /* Set level of messages printed to console */ 2220 case SYSLOG_ACTION_CONSOLE_LEVEL: 2221 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2222 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2223 NULL); 2224 } 2225 /* All other syslog types */ 2226 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2227 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2228 } 2229 2230 /* 2231 * Check permission for allocating a new virtual mapping. Returns 2232 * 0 if permission is granted, negative error code if not. 2233 * 2234 * Do not audit the selinux permission check, as this is applied to all 2235 * processes that allocate mappings. 2236 */ 2237 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2238 { 2239 return cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2240 CAP_OPT_NOAUDIT, true); 2241 } 2242 2243 /* binprm security operations */ 2244 2245 static u32 ptrace_parent_sid(void) 2246 { 2247 u32 sid = 0; 2248 struct task_struct *tracer; 2249 2250 rcu_read_lock(); 2251 tracer = ptrace_parent(current); 2252 if (tracer) 2253 sid = task_sid_obj(tracer); 2254 rcu_read_unlock(); 2255 2256 return sid; 2257 } 2258 2259 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2260 const struct cred_security_struct *old_crsec, 2261 const struct cred_security_struct *new_crsec) 2262 { 2263 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2264 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2265 int rc; 2266 u32 av; 2267 2268 if (!nnp && !nosuid) 2269 return 0; /* neither NNP nor nosuid */ 2270 2271 if (new_crsec->sid == old_crsec->sid) 2272 return 0; /* No change in credentials */ 2273 2274 /* 2275 * If the policy enables the nnp_nosuid_transition policy capability, 2276 * then we permit transitions under NNP or nosuid if the 2277 * policy allows the corresponding permission between 2278 * the old and new contexts. 2279 */ 2280 if (selinux_policycap_nnp_nosuid_transition()) { 2281 av = 0; 2282 if (nnp) 2283 av |= PROCESS2__NNP_TRANSITION; 2284 if (nosuid) 2285 av |= PROCESS2__NOSUID_TRANSITION; 2286 rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2287 SECCLASS_PROCESS2, av, NULL); 2288 if (!rc) 2289 return 0; 2290 } 2291 2292 /* 2293 * We also permit NNP or nosuid transitions to bounded SIDs, 2294 * i.e. SIDs that are guaranteed to only be allowed a subset 2295 * of the permissions of the current SID. 2296 */ 2297 rc = security_bounded_transition(old_crsec->sid, 2298 new_crsec->sid); 2299 if (!rc) 2300 return 0; 2301 2302 /* 2303 * On failure, preserve the errno values for NNP vs nosuid. 2304 * NNP: Operation not permitted for caller. 2305 * nosuid: Permission denied to file. 2306 */ 2307 if (nnp) 2308 return -EPERM; 2309 return -EACCES; 2310 } 2311 2312 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) 2313 { 2314 const struct cred_security_struct *old_crsec; 2315 struct cred_security_struct *new_crsec; 2316 struct inode_security_struct *isec; 2317 struct common_audit_data ad; 2318 struct inode *inode = file_inode(bprm->file); 2319 int rc; 2320 2321 /* SELinux context only depends on initial program or script and not 2322 * the script interpreter */ 2323 2324 old_crsec = selinux_cred(current_cred()); 2325 new_crsec = selinux_cred(bprm->cred); 2326 isec = inode_security(inode); 2327 2328 if (WARN_ON(isec->sclass != SECCLASS_FILE && 2329 isec->sclass != SECCLASS_MEMFD_FILE)) 2330 return -EACCES; 2331 2332 /* Default to the current task SID. */ 2333 new_crsec->sid = old_crsec->sid; 2334 new_crsec->osid = old_crsec->sid; 2335 2336 /* Reset fs, key, and sock SIDs on execve. */ 2337 new_crsec->create_sid = 0; 2338 new_crsec->keycreate_sid = 0; 2339 new_crsec->sockcreate_sid = 0; 2340 2341 /* 2342 * Before policy is loaded, label any task outside kernel space 2343 * as SECINITSID_INIT, so that any userspace tasks surviving from 2344 * early boot end up with a label different from SECINITSID_KERNEL 2345 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). 2346 */ 2347 if (!selinux_initialized()) { 2348 new_crsec->sid = SECINITSID_INIT; 2349 /* also clear the exec_sid just in case */ 2350 new_crsec->exec_sid = 0; 2351 return 0; 2352 } 2353 2354 if (old_crsec->exec_sid) { 2355 new_crsec->sid = old_crsec->exec_sid; 2356 /* Reset exec SID on execve. */ 2357 new_crsec->exec_sid = 0; 2358 2359 /* Fail on NNP or nosuid if not an allowed transition. */ 2360 rc = check_nnp_nosuid(bprm, old_crsec, new_crsec); 2361 if (rc) 2362 return rc; 2363 } else { 2364 /* Check for a default transition on this program. */ 2365 rc = security_transition_sid(old_crsec->sid, 2366 isec->sid, SECCLASS_PROCESS, NULL, 2367 &new_crsec->sid); 2368 if (rc) 2369 return rc; 2370 2371 /* 2372 * Fallback to old SID on NNP or nosuid if not an allowed 2373 * transition. 2374 */ 2375 rc = check_nnp_nosuid(bprm, old_crsec, new_crsec); 2376 if (rc) 2377 new_crsec->sid = old_crsec->sid; 2378 } 2379 2380 ad.type = LSM_AUDIT_DATA_FILE; 2381 ad.u.file = bprm->file; 2382 2383 if (new_crsec->sid == old_crsec->sid) { 2384 rc = avc_has_perm(old_crsec->sid, isec->sid, isec->sclass, 2385 FILE__EXECUTE_NO_TRANS, &ad); 2386 if (rc) 2387 return rc; 2388 } else { 2389 /* Check permissions for the transition. */ 2390 rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2391 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2392 if (rc) 2393 return rc; 2394 2395 rc = avc_has_perm(new_crsec->sid, isec->sid, isec->sclass, 2396 FILE__ENTRYPOINT, &ad); 2397 if (rc) 2398 return rc; 2399 2400 /* Check for shared state */ 2401 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2402 rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2403 SECCLASS_PROCESS, PROCESS__SHARE, 2404 NULL); 2405 if (rc) 2406 return -EPERM; 2407 } 2408 2409 /* Make sure that anyone attempting to ptrace over a task that 2410 * changes its SID has the appropriate permit */ 2411 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2412 u32 ptsid = ptrace_parent_sid(); 2413 if (ptsid != 0) { 2414 rc = avc_has_perm(ptsid, new_crsec->sid, 2415 SECCLASS_PROCESS, 2416 PROCESS__PTRACE, NULL); 2417 if (rc) 2418 return -EPERM; 2419 } 2420 } 2421 2422 /* Clear any possibly unsafe personality bits on exec: */ 2423 bprm->per_clear |= PER_CLEAR_ON_SETID; 2424 2425 /* Enable secure mode for SIDs transitions unless 2426 the noatsecure permission is granted between 2427 the two SIDs, i.e. ahp returns 0. */ 2428 rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2429 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2430 NULL); 2431 bprm->secureexec |= !!rc; 2432 } 2433 2434 return 0; 2435 } 2436 2437 static int match_file(const void *p, struct file *file, unsigned fd) 2438 { 2439 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2440 } 2441 2442 /* Derived from fs/exec.c:flush_old_files. */ 2443 static inline void flush_unauthorized_files(const struct cred *cred, 2444 struct files_struct *files) 2445 { 2446 struct file *file, *devnull = NULL; 2447 struct tty_struct *tty; 2448 int drop_tty = 0; 2449 unsigned n; 2450 2451 tty = get_current_tty(); 2452 if (tty) { 2453 spin_lock(&tty->files_lock); 2454 if (!list_empty(&tty->tty_files)) { 2455 struct tty_file_private *file_priv; 2456 2457 /* Revalidate access to controlling tty. 2458 Use file_path_has_perm on the tty path directly 2459 rather than using file_has_perm, as this particular 2460 open file may belong to another process and we are 2461 only interested in the inode-based check here. */ 2462 file_priv = list_first_entry(&tty->tty_files, 2463 struct tty_file_private, list); 2464 file = file_priv->file; 2465 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2466 drop_tty = 1; 2467 } 2468 spin_unlock(&tty->files_lock); 2469 tty_kref_put(tty); 2470 } 2471 /* Reset controlling tty. */ 2472 if (drop_tty) 2473 no_tty(); 2474 2475 /* Revalidate access to inherited open files. */ 2476 n = iterate_fd(files, 0, match_file, cred); 2477 if (!n) /* none found? */ 2478 return; 2479 2480 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2481 if (IS_ERR(devnull)) 2482 devnull = NULL; 2483 /* replace all the matching ones with this */ 2484 do { 2485 replace_fd(n - 1, devnull, 0); 2486 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2487 if (devnull) 2488 fput(devnull); 2489 } 2490 2491 /* 2492 * Prepare a process for imminent new credential changes due to exec 2493 */ 2494 static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) 2495 { 2496 struct cred_security_struct *new_crsec; 2497 struct rlimit *rlim, *initrlim; 2498 int rc, i; 2499 2500 new_crsec = selinux_cred(bprm->cred); 2501 if (new_crsec->sid == new_crsec->osid) 2502 return; 2503 2504 /* Close files for which the new task SID is not authorized. */ 2505 flush_unauthorized_files(bprm->cred, current->files); 2506 2507 /* Always clear parent death signal on SID transitions. */ 2508 current->pdeath_signal = 0; 2509 2510 /* Check whether the new SID can inherit resource limits from the old 2511 * SID. If not, reset all soft limits to the lower of the current 2512 * task's hard limit and the init task's soft limit. 2513 * 2514 * Note that the setting of hard limits (even to lower them) can be 2515 * controlled by the setrlimit check. The inclusion of the init task's 2516 * soft limit into the computation is to avoid resetting soft limits 2517 * higher than the default soft limit for cases where the default is 2518 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2519 */ 2520 rc = avc_has_perm(new_crsec->osid, new_crsec->sid, SECCLASS_PROCESS, 2521 PROCESS__RLIMITINH, NULL); 2522 if (rc) { 2523 /* protect against do_prlimit() */ 2524 task_lock(current); 2525 for (i = 0; i < RLIM_NLIMITS; i++) { 2526 rlim = current->signal->rlim + i; 2527 initrlim = init_task.signal->rlim + i; 2528 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2529 } 2530 task_unlock(current); 2531 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2532 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2533 } 2534 } 2535 2536 /* 2537 * Clean up the process immediately after the installation of new credentials 2538 * due to exec 2539 */ 2540 static void selinux_bprm_committed_creds(const struct linux_binprm *bprm) 2541 { 2542 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 2543 u32 osid, sid; 2544 int rc; 2545 2546 osid = crsec->osid; 2547 sid = crsec->sid; 2548 2549 if (sid == osid) 2550 return; 2551 2552 /* Check whether the new SID can inherit signal state from the old SID. 2553 * If not, clear itimers to avoid subsequent signal generation and 2554 * flush and unblock signals. 2555 * 2556 * This must occur _after_ the task SID has been updated so that any 2557 * kill done after the flush will be checked against the new SID. 2558 */ 2559 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2560 if (rc) { 2561 clear_itimer(); 2562 2563 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock); 2564 if (!fatal_signal_pending(current)) { 2565 flush_sigqueue(¤t->pending); 2566 flush_sigqueue(¤t->signal->shared_pending); 2567 flush_signal_handlers(current, 1); 2568 sigemptyset(¤t->blocked); 2569 recalc_sigpending(); 2570 } 2571 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock); 2572 } 2573 2574 /* Wake up the parent if it is waiting so that it can recheck 2575 * wait permission to the new task SID. */ 2576 read_lock(&tasklist_lock); 2577 __wake_up_parent(current, unrcu_pointer(current->real_parent)); 2578 read_unlock(&tasklist_lock); 2579 } 2580 2581 /* superblock security operations */ 2582 2583 static int selinux_sb_alloc_security(struct super_block *sb) 2584 { 2585 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2586 2587 mutex_init(&sbsec->lock); 2588 INIT_LIST_HEAD(&sbsec->isec_head); 2589 spin_lock_init(&sbsec->isec_lock); 2590 sbsec->sid = SECINITSID_UNLABELED; 2591 sbsec->def_sid = SECINITSID_FILE; 2592 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 2593 sbsec->creator_sid = SECINITSID_UNLABELED; 2594 2595 return 0; 2596 } 2597 2598 static inline int opt_len(const char *s) 2599 { 2600 bool open_quote = false; 2601 int len; 2602 char c; 2603 2604 for (len = 0; (c = s[len]) != '\0'; len++) { 2605 if (c == '"') 2606 open_quote = !open_quote; 2607 if (c == ',' && !open_quote) 2608 break; 2609 } 2610 return len; 2611 } 2612 2613 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2614 { 2615 char *from = options; 2616 char *to = options; 2617 bool first = true; 2618 int rc; 2619 2620 while (1) { 2621 int len = opt_len(from); 2622 int token; 2623 char *arg = NULL; 2624 2625 token = match_opt_prefix(from, len, &arg); 2626 2627 if (token != Opt_error) { 2628 char *p, *q; 2629 2630 /* strip quotes */ 2631 if (arg) { 2632 for (p = q = arg; p < from + len; p++) { 2633 char c = *p; 2634 if (c != '"') 2635 *q++ = c; 2636 } 2637 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2638 if (!arg) { 2639 rc = -ENOMEM; 2640 goto free_opt; 2641 } 2642 } 2643 rc = selinux_add_opt(token, arg, mnt_opts); 2644 kfree(arg); 2645 arg = NULL; 2646 if (unlikely(rc)) { 2647 goto free_opt; 2648 } 2649 } else { 2650 if (!first) { // copy with preceding comma 2651 from--; 2652 len++; 2653 } 2654 if (to != from) 2655 memmove(to, from, len); 2656 to += len; 2657 first = false; 2658 } 2659 if (!from[len]) 2660 break; 2661 from += len + 1; 2662 } 2663 *to = '\0'; 2664 return 0; 2665 2666 free_opt: 2667 if (*mnt_opts) { 2668 selinux_free_mnt_opts(*mnt_opts); 2669 *mnt_opts = NULL; 2670 } 2671 return rc; 2672 } 2673 2674 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2675 { 2676 struct selinux_mnt_opts *opts = mnt_opts; 2677 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2678 2679 /* 2680 * Superblock not initialized (i.e. no options) - reject if any 2681 * options specified, otherwise accept. 2682 */ 2683 if (!(sbsec->flags & SE_SBINITIALIZED)) 2684 return opts ? 1 : 0; 2685 2686 /* 2687 * Superblock initialized and no options specified - reject if 2688 * superblock has any options set, otherwise accept. 2689 */ 2690 if (!opts) 2691 return (sbsec->flags & SE_MNTMASK) ? 1 : 0; 2692 2693 if (opts->fscontext_sid) { 2694 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2695 opts->fscontext_sid)) 2696 return 1; 2697 } 2698 if (opts->context_sid) { 2699 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2700 opts->context_sid)) 2701 return 1; 2702 } 2703 if (opts->rootcontext_sid) { 2704 struct inode_security_struct *root_isec; 2705 2706 root_isec = backing_inode_security(sb->s_root); 2707 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2708 opts->rootcontext_sid)) 2709 return 1; 2710 } 2711 if (opts->defcontext_sid) { 2712 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2713 opts->defcontext_sid)) 2714 return 1; 2715 } 2716 return 0; 2717 } 2718 2719 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2720 { 2721 struct selinux_mnt_opts *opts = mnt_opts; 2722 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2723 2724 if (!(sbsec->flags & SE_SBINITIALIZED)) 2725 return 0; 2726 2727 if (!opts) 2728 return 0; 2729 2730 if (opts->fscontext_sid) { 2731 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2732 opts->fscontext_sid)) 2733 goto out_bad_option; 2734 } 2735 if (opts->context_sid) { 2736 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2737 opts->context_sid)) 2738 goto out_bad_option; 2739 } 2740 if (opts->rootcontext_sid) { 2741 struct inode_security_struct *root_isec; 2742 root_isec = backing_inode_security(sb->s_root); 2743 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2744 opts->rootcontext_sid)) 2745 goto out_bad_option; 2746 } 2747 if (opts->defcontext_sid) { 2748 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2749 opts->defcontext_sid)) 2750 goto out_bad_option; 2751 } 2752 return 0; 2753 2754 out_bad_option: 2755 pr_warn("SELinux: unable to change security options " 2756 "during remount (dev %s, type=%s)\n", sb->s_id, 2757 sb->s_type->name); 2758 return -EINVAL; 2759 } 2760 2761 static int selinux_sb_kern_mount(const struct super_block *sb) 2762 { 2763 const struct cred *cred = current_cred(); 2764 struct common_audit_data ad; 2765 2766 ad.type = LSM_AUDIT_DATA_DENTRY; 2767 ad.u.dentry = sb->s_root; 2768 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2769 } 2770 2771 static int selinux_sb_statfs(struct dentry *dentry) 2772 { 2773 const struct cred *cred = current_cred(); 2774 struct common_audit_data ad; 2775 2776 ad.type = LSM_AUDIT_DATA_DENTRY; 2777 ad.u.dentry = dentry->d_sb->s_root; 2778 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2779 } 2780 2781 static int selinux_mount(const char *dev_name, 2782 const struct path *path, 2783 const char *type, 2784 unsigned long flags, 2785 void *data) 2786 { 2787 const struct cred *cred = current_cred(); 2788 2789 if (flags & MS_REMOUNT) 2790 return superblock_has_perm(cred, path->dentry->d_sb, 2791 FILESYSTEM__REMOUNT, NULL); 2792 else 2793 return path_has_perm(cred, path, FILE__MOUNTON); 2794 } 2795 2796 static int selinux_move_mount(const struct path *from_path, 2797 const struct path *to_path) 2798 { 2799 const struct cred *cred = current_cred(); 2800 2801 return path_has_perm(cred, to_path, FILE__MOUNTON); 2802 } 2803 2804 static int selinux_umount(struct vfsmount *mnt, int flags) 2805 { 2806 const struct cred *cred = current_cred(); 2807 2808 return superblock_has_perm(cred, mnt->mnt_sb, 2809 FILESYSTEM__UNMOUNT, NULL); 2810 } 2811 2812 static int selinux_fs_context_submount(struct fs_context *fc, 2813 struct super_block *reference) 2814 { 2815 const struct superblock_security_struct *sbsec = selinux_superblock(reference); 2816 struct selinux_mnt_opts *opts; 2817 2818 /* 2819 * Ensure that fc->security remains NULL when no options are set 2820 * as expected by selinux_set_mnt_opts(). 2821 */ 2822 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) 2823 return 0; 2824 2825 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 2826 if (!opts) 2827 return -ENOMEM; 2828 2829 if (sbsec->flags & FSCONTEXT_MNT) 2830 opts->fscontext_sid = sbsec->sid; 2831 if (sbsec->flags & CONTEXT_MNT) 2832 opts->context_sid = sbsec->mntpoint_sid; 2833 if (sbsec->flags & DEFCONTEXT_MNT) 2834 opts->defcontext_sid = sbsec->def_sid; 2835 fc->security = opts; 2836 return 0; 2837 } 2838 2839 static int selinux_fs_context_dup(struct fs_context *fc, 2840 struct fs_context *src_fc) 2841 { 2842 const struct selinux_mnt_opts *src = src_fc->security; 2843 2844 if (!src) 2845 return 0; 2846 2847 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL); 2848 return fc->security ? 0 : -ENOMEM; 2849 } 2850 2851 static const struct fs_parameter_spec selinux_fs_parameters[] = { 2852 fsparam_string(CONTEXT_STR, Opt_context), 2853 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2854 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2855 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2856 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2857 {} 2858 }; 2859 2860 static int selinux_fs_context_parse_param(struct fs_context *fc, 2861 struct fs_parameter *param) 2862 { 2863 struct fs_parse_result result; 2864 int opt; 2865 2866 opt = fs_parse(fc, selinux_fs_parameters, param, &result); 2867 if (opt < 0) 2868 return opt; 2869 2870 return selinux_add_opt(opt, param->string, &fc->security); 2871 } 2872 2873 /* inode security operations */ 2874 2875 static int selinux_inode_alloc_security(struct inode *inode) 2876 { 2877 struct inode_security_struct *isec = selinux_inode(inode); 2878 u32 sid = current_sid(); 2879 2880 spin_lock_init(&isec->lock); 2881 INIT_LIST_HEAD(&isec->list); 2882 isec->inode = inode; 2883 isec->sid = SECINITSID_UNLABELED; 2884 isec->sclass = SECCLASS_FILE; 2885 isec->task_sid = sid; 2886 isec->initialized = LABEL_INVALID; 2887 2888 return 0; 2889 } 2890 2891 static void selinux_inode_free_security(struct inode *inode) 2892 { 2893 inode_free_security(inode); 2894 } 2895 2896 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2897 const struct qstr *name, 2898 const char **xattr_name, 2899 struct lsm_context *cp) 2900 { 2901 u32 newsid; 2902 int rc; 2903 2904 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2905 d_inode(dentry->d_parent), name, 2906 inode_mode_to_security_class(mode), 2907 &newsid); 2908 if (rc) 2909 return rc; 2910 2911 if (xattr_name) 2912 *xattr_name = XATTR_NAME_SELINUX; 2913 2914 cp->id = LSM_ID_SELINUX; 2915 return security_sid_to_context(newsid, &cp->context, &cp->len); 2916 } 2917 2918 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2919 const struct qstr *name, 2920 const struct cred *old, 2921 struct cred *new) 2922 { 2923 u32 newsid; 2924 int rc; 2925 struct cred_security_struct *crsec; 2926 2927 rc = selinux_determine_inode_label(selinux_cred(old), 2928 d_inode(dentry->d_parent), name, 2929 inode_mode_to_security_class(mode), 2930 &newsid); 2931 if (rc) 2932 return rc; 2933 2934 crsec = selinux_cred(new); 2935 crsec->create_sid = newsid; 2936 return 0; 2937 } 2938 2939 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2940 const struct qstr *qstr, 2941 struct xattr *xattrs, int *xattr_count) 2942 { 2943 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 2944 struct superblock_security_struct *sbsec; 2945 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 2946 u32 newsid, clen; 2947 u16 newsclass; 2948 int rc; 2949 char *context; 2950 2951 sbsec = selinux_superblock(dir->i_sb); 2952 2953 newsid = crsec->create_sid; 2954 newsclass = inode_mode_to_security_class(inode->i_mode); 2955 rc = selinux_determine_inode_label(crsec, dir, qstr, newsclass, &newsid); 2956 if (rc) 2957 return rc; 2958 2959 /* Possibly defer initialization to selinux_complete_init. */ 2960 if (sbsec->flags & SE_SBINITIALIZED) { 2961 struct inode_security_struct *isec = selinux_inode(inode); 2962 isec->sclass = newsclass; 2963 isec->sid = newsid; 2964 isec->initialized = LABEL_INITIALIZED; 2965 } 2966 2967 if (!selinux_initialized() || 2968 !(sbsec->flags & SBLABEL_MNT)) 2969 return -EOPNOTSUPP; 2970 2971 if (xattr) { 2972 rc = security_sid_to_context_force(newsid, 2973 &context, &clen); 2974 if (rc) 2975 return rc; 2976 xattr->value = context; 2977 xattr->value_len = clen; 2978 xattr->name = XATTR_SELINUX_SUFFIX; 2979 } 2980 2981 return 0; 2982 } 2983 2984 static int selinux_inode_init_security_anon(struct inode *inode, 2985 const struct qstr *name, 2986 const struct inode *context_inode) 2987 { 2988 u32 sid = current_sid(); 2989 struct common_audit_data ad; 2990 struct inode_security_struct *isec; 2991 int rc; 2992 bool is_memfd = false; 2993 2994 if (unlikely(!selinux_initialized())) 2995 return 0; 2996 2997 if (name != NULL && name->name != NULL && 2998 !strcmp(name->name, MEMFD_ANON_NAME)) { 2999 if (!selinux_policycap_memfd_class()) 3000 return 0; 3001 is_memfd = true; 3002 } 3003 3004 isec = selinux_inode(inode); 3005 3006 /* 3007 * We only get here once per ephemeral inode. The inode has 3008 * been initialized via inode_alloc_security but is otherwise 3009 * untouched. 3010 */ 3011 3012 if (context_inode) { 3013 struct inode_security_struct *context_isec = 3014 selinux_inode(context_inode); 3015 if (context_isec->initialized != LABEL_INITIALIZED) { 3016 pr_err("SELinux: context_inode is not initialized\n"); 3017 return -EACCES; 3018 } 3019 3020 isec->sclass = context_isec->sclass; 3021 isec->sid = context_isec->sid; 3022 } else { 3023 if (is_memfd) 3024 isec->sclass = SECCLASS_MEMFD_FILE; 3025 else 3026 isec->sclass = SECCLASS_ANON_INODE; 3027 rc = security_transition_sid( 3028 sid, sid, 3029 isec->sclass, name, &isec->sid); 3030 if (rc) 3031 return rc; 3032 } 3033 3034 isec->initialized = LABEL_INITIALIZED; 3035 /* 3036 * Now that we've initialized security, check whether we're 3037 * allowed to actually create this type of anonymous inode. 3038 */ 3039 3040 ad.type = LSM_AUDIT_DATA_ANONINODE; 3041 ad.u.anonclass = name ? (const char *)name->name : "?"; 3042 3043 return avc_has_perm(sid, 3044 isec->sid, 3045 isec->sclass, 3046 FILE__CREATE, 3047 &ad); 3048 } 3049 3050 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3051 { 3052 return may_create(dir, dentry, SECCLASS_FILE); 3053 } 3054 3055 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3056 { 3057 return may_link(dir, old_dentry, MAY_LINK); 3058 } 3059 3060 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3061 { 3062 return may_link(dir, dentry, MAY_UNLINK); 3063 } 3064 3065 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3066 { 3067 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3068 } 3069 3070 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3071 { 3072 return may_create(dir, dentry, SECCLASS_DIR); 3073 } 3074 3075 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3076 { 3077 return may_link(dir, dentry, MAY_RMDIR); 3078 } 3079 3080 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3081 { 3082 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3083 } 3084 3085 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3086 struct inode *new_inode, struct dentry *new_dentry) 3087 { 3088 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3089 } 3090 3091 static int selinux_inode_readlink(struct dentry *dentry) 3092 { 3093 const struct cred *cred = current_cred(); 3094 3095 return dentry_has_perm(cred, dentry, FILE__READ); 3096 } 3097 3098 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3099 bool rcu) 3100 { 3101 struct common_audit_data ad; 3102 struct inode_security_struct *isec; 3103 u32 sid = current_sid(); 3104 3105 ad.type = LSM_AUDIT_DATA_DENTRY; 3106 ad.u.dentry = dentry; 3107 isec = inode_security_rcu(inode, rcu); 3108 if (IS_ERR(isec)) 3109 return PTR_ERR(isec); 3110 3111 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad); 3112 } 3113 3114 static noinline int audit_inode_permission(struct inode *inode, 3115 u32 perms, u32 audited, u32 denied, 3116 int result) 3117 { 3118 struct common_audit_data ad; 3119 struct inode_security_struct *isec = selinux_inode(inode); 3120 3121 ad.type = LSM_AUDIT_DATA_INODE; 3122 ad.u.inode = inode; 3123 3124 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3125 audited, denied, result, &ad); 3126 } 3127 3128 /** 3129 * task_avdcache_reset - Reset the task's AVD cache 3130 * @tsec: the task's security state 3131 * 3132 * Clear the task's AVD cache in @tsec and reset it to the current policy's 3133 * and task's info. 3134 */ 3135 static inline void task_avdcache_reset(struct task_security_struct *tsec) 3136 { 3137 memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir)); 3138 tsec->avdcache.sid = current_sid(); 3139 tsec->avdcache.seqno = avc_policy_seqno(); 3140 tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1; 3141 } 3142 3143 /** 3144 * task_avdcache_search - Search the task's AVD cache 3145 * @tsec: the task's security state 3146 * @isec: the inode to search for in the cache 3147 * @avdc: matching avd cache entry returned to the caller 3148 * 3149 * Search @tsec for a AVD cache entry that matches @isec and return it to the 3150 * caller via @avdc. Returns 0 if a match is found, negative values otherwise. 3151 */ 3152 static inline int task_avdcache_search(struct task_security_struct *tsec, 3153 struct inode_security_struct *isec, 3154 struct avdc_entry **avdc) 3155 { 3156 int orig, iter; 3157 3158 /* focused on path walk optimization, only cache directories */ 3159 if (isec->sclass != SECCLASS_DIR) 3160 return -ENOENT; 3161 3162 if (unlikely(current_sid() != tsec->avdcache.sid || 3163 tsec->avdcache.seqno != avc_policy_seqno())) { 3164 task_avdcache_reset(tsec); 3165 return -ENOENT; 3166 } 3167 3168 orig = iter = tsec->avdcache.dir_spot; 3169 do { 3170 if (tsec->avdcache.dir[iter].isid == isec->sid) { 3171 /* cache hit */ 3172 tsec->avdcache.dir_spot = iter; 3173 *avdc = &tsec->avdcache.dir[iter]; 3174 return 0; 3175 } 3176 iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1); 3177 } while (iter != orig); 3178 3179 return -ENOENT; 3180 } 3181 3182 /** 3183 * task_avdcache_update - Update the task's AVD cache 3184 * @tsec: the task's security state 3185 * @isec: the inode associated with the cache entry 3186 * @avd: the AVD to cache 3187 * @audited: the permission audit bitmask to cache 3188 * 3189 * Update the AVD cache in @tsec with the @avdc and @audited info associated 3190 * with @isec. 3191 */ 3192 static inline void task_avdcache_update(struct task_security_struct *tsec, 3193 struct inode_security_struct *isec, 3194 struct av_decision *avd, 3195 u32 audited) 3196 { 3197 int spot; 3198 3199 /* focused on path walk optimization, only cache directories */ 3200 if (isec->sclass != SECCLASS_DIR) 3201 return; 3202 3203 /* update cache */ 3204 spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1); 3205 tsec->avdcache.dir_spot = spot; 3206 tsec->avdcache.dir[spot].isid = isec->sid; 3207 tsec->avdcache.dir[spot].audited = audited; 3208 tsec->avdcache.dir[spot].allowed = avd->allowed; 3209 tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE; 3210 tsec->avdcache.permissive_neveraudit = 3211 (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT)); 3212 } 3213 3214 /** 3215 * selinux_inode_permission - Check if the current task can access an inode 3216 * @inode: the inode that is being accessed 3217 * @requested: the accesses being requested 3218 * 3219 * Check if the current task is allowed to access @inode according to 3220 * @requested. Returns 0 if allowed, negative values otherwise. 3221 */ 3222 static int selinux_inode_permission(struct inode *inode, int requested) 3223 { 3224 int mask; 3225 u32 perms; 3226 u32 sid = current_sid(); 3227 struct task_security_struct *tsec; 3228 struct inode_security_struct *isec; 3229 struct avdc_entry *avdc; 3230 int rc, rc2; 3231 u32 audited, denied; 3232 3233 mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3234 3235 /* No permission to check. Existence test. */ 3236 if (!mask) 3237 return 0; 3238 3239 tsec = selinux_task(current); 3240 if (task_avdcache_permnoaudit(tsec, sid)) 3241 return 0; 3242 3243 isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK); 3244 if (IS_ERR(isec)) 3245 return PTR_ERR(isec); 3246 perms = file_mask_to_av(inode->i_mode, mask); 3247 3248 rc = task_avdcache_search(tsec, isec, &avdc); 3249 if (likely(!rc)) { 3250 /* Cache hit. */ 3251 audited = perms & avdc->audited; 3252 denied = perms & ~avdc->allowed; 3253 if (unlikely(denied && enforcing_enabled() && 3254 !avdc->permissive)) 3255 rc = -EACCES; 3256 } else { 3257 struct av_decision avd; 3258 3259 /* Cache miss. */ 3260 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, 3261 perms, 0, &avd); 3262 audited = avc_audit_required(perms, &avd, rc, 3263 (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0, 3264 &denied); 3265 task_avdcache_update(tsec, isec, &avd, audited); 3266 } 3267 3268 if (likely(!audited)) 3269 return rc; 3270 3271 rc2 = audit_inode_permission(inode, perms, audited, denied, rc); 3272 if (rc2) 3273 return rc2; 3274 3275 return rc; 3276 } 3277 3278 static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 3279 struct iattr *iattr) 3280 { 3281 const struct cred *cred = current_cred(); 3282 struct inode *inode = d_backing_inode(dentry); 3283 unsigned int ia_valid = iattr->ia_valid; 3284 u32 av = FILE__WRITE; 3285 3286 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3287 if (ia_valid & ATTR_FORCE) { 3288 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3289 ATTR_FORCE); 3290 if (!ia_valid) 3291 return 0; 3292 } 3293 3294 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3295 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3296 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3297 3298 if (selinux_policycap_openperm() && 3299 inode->i_sb->s_magic != SOCKFS_MAGIC && 3300 (ia_valid & ATTR_SIZE) && 3301 !(ia_valid & ATTR_FILE)) 3302 av |= FILE__OPEN; 3303 3304 return dentry_has_perm(cred, dentry, av); 3305 } 3306 3307 static int selinux_inode_getattr(const struct path *path) 3308 { 3309 struct task_security_struct *tsec; 3310 3311 tsec = selinux_task(current); 3312 3313 if (task_avdcache_permnoaudit(tsec, current_sid())) 3314 return 0; 3315 3316 return path_has_perm(current_cred(), path, FILE__GETATTR); 3317 } 3318 3319 static bool has_cap_mac_admin(bool audit) 3320 { 3321 const struct cred *cred = current_cred(); 3322 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3323 3324 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3325 return false; 3326 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3327 return false; 3328 return true; 3329 } 3330 3331 /** 3332 * selinux_inode_xattr_skipcap - Skip the xattr capability checks? 3333 * @name: name of the xattr 3334 * 3335 * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs 3336 * named @name; the LSM layer should avoid enforcing any traditional 3337 * capability based access controls on this xattr. Returns 0 to indicate that 3338 * SELinux does not "own" the access control rights to xattrs named @name and is 3339 * deferring to the LSM layer for further access controls, including capability 3340 * based controls. 3341 */ 3342 static int selinux_inode_xattr_skipcap(const char *name) 3343 { 3344 /* require capability check if not a selinux xattr */ 3345 return !strcmp(name, XATTR_NAME_SELINUX); 3346 } 3347 3348 static int selinux_inode_setxattr(struct mnt_idmap *idmap, 3349 struct dentry *dentry, const char *name, 3350 const void *value, size_t size, int flags) 3351 { 3352 struct inode *inode = d_backing_inode(dentry); 3353 struct inode_security_struct *isec; 3354 struct superblock_security_struct *sbsec; 3355 struct common_audit_data ad; 3356 u32 newsid, sid = current_sid(); 3357 int rc = 0; 3358 3359 /* if not a selinux xattr, only check the ordinary setattr perm */ 3360 if (strcmp(name, XATTR_NAME_SELINUX)) 3361 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3362 3363 if (!selinux_initialized()) 3364 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM); 3365 3366 sbsec = selinux_superblock(inode->i_sb); 3367 if (!(sbsec->flags & SBLABEL_MNT)) 3368 return -EOPNOTSUPP; 3369 3370 if (!inode_owner_or_capable(idmap, inode)) 3371 return -EPERM; 3372 3373 ad.type = LSM_AUDIT_DATA_DENTRY; 3374 ad.u.dentry = dentry; 3375 3376 isec = backing_inode_security(dentry); 3377 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3378 FILE__RELABELFROM, &ad); 3379 if (rc) 3380 return rc; 3381 3382 rc = security_context_to_sid(value, size, &newsid, 3383 GFP_KERNEL); 3384 if (rc == -EINVAL) { 3385 if (!has_cap_mac_admin(true)) { 3386 struct audit_buffer *ab; 3387 size_t audit_size; 3388 3389 /* We strip a nul only if it is at the end, otherwise the 3390 * context contains a nul and we should audit that */ 3391 if (value) { 3392 const char *str = value; 3393 3394 if (str[size - 1] == '\0') 3395 audit_size = size - 1; 3396 else 3397 audit_size = size; 3398 } else { 3399 audit_size = 0; 3400 } 3401 ab = audit_log_start(audit_context(), 3402 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3403 if (!ab) 3404 return rc; 3405 audit_log_format(ab, "op=setxattr invalid_context="); 3406 audit_log_n_untrustedstring(ab, value, audit_size); 3407 audit_log_end(ab); 3408 3409 return rc; 3410 } 3411 rc = security_context_to_sid_force(value, 3412 size, &newsid); 3413 } 3414 if (rc) 3415 return rc; 3416 3417 rc = avc_has_perm(sid, newsid, isec->sclass, 3418 FILE__RELABELTO, &ad); 3419 if (rc) 3420 return rc; 3421 3422 rc = security_validate_transition(isec->sid, newsid, 3423 sid, isec->sclass); 3424 if (rc) 3425 return rc; 3426 3427 return avc_has_perm(newsid, 3428 sbsec->sid, 3429 SECCLASS_FILESYSTEM, 3430 FILESYSTEM__ASSOCIATE, 3431 &ad); 3432 } 3433 3434 static int selinux_inode_set_acl(struct mnt_idmap *idmap, 3435 struct dentry *dentry, const char *acl_name, 3436 struct posix_acl *kacl) 3437 { 3438 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3439 } 3440 3441 static int selinux_inode_get_acl(struct mnt_idmap *idmap, 3442 struct dentry *dentry, const char *acl_name) 3443 { 3444 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3445 } 3446 3447 static int selinux_inode_remove_acl(struct mnt_idmap *idmap, 3448 struct dentry *dentry, const char *acl_name) 3449 { 3450 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3451 } 3452 3453 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3454 const void *value, size_t size, 3455 int flags) 3456 { 3457 struct inode *inode = d_backing_inode(dentry); 3458 struct inode_security_struct *isec; 3459 u32 newsid; 3460 int rc; 3461 3462 if (strcmp(name, XATTR_NAME_SELINUX)) { 3463 /* Not an attribute we recognize, so nothing to do. */ 3464 return; 3465 } 3466 3467 if (!selinux_initialized()) { 3468 /* If we haven't even been initialized, then we can't validate 3469 * against a policy, so leave the label as invalid. It may 3470 * resolve to a valid label on the next revalidation try if 3471 * we've since initialized. 3472 */ 3473 return; 3474 } 3475 3476 rc = security_context_to_sid_force(value, size, 3477 &newsid); 3478 if (rc) { 3479 pr_err("SELinux: unable to map context to SID" 3480 "for (%s, %lu), rc=%d\n", 3481 inode->i_sb->s_id, inode->i_ino, -rc); 3482 return; 3483 } 3484 3485 isec = backing_inode_security(dentry); 3486 spin_lock(&isec->lock); 3487 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3488 isec->sid = newsid; 3489 isec->initialized = LABEL_INITIALIZED; 3490 spin_unlock(&isec->lock); 3491 } 3492 3493 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3494 { 3495 const struct cred *cred = current_cred(); 3496 3497 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3498 } 3499 3500 static int selinux_inode_listxattr(struct dentry *dentry) 3501 { 3502 const struct cred *cred = current_cred(); 3503 3504 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3505 } 3506 3507 static int selinux_inode_removexattr(struct mnt_idmap *idmap, 3508 struct dentry *dentry, const char *name) 3509 { 3510 /* if not a selinux xattr, only check the ordinary setattr perm */ 3511 if (strcmp(name, XATTR_NAME_SELINUX)) 3512 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3513 3514 if (!selinux_initialized()) 3515 return 0; 3516 3517 /* No one is allowed to remove a SELinux security label. 3518 You can change the label, but all data must be labeled. */ 3519 return -EACCES; 3520 } 3521 3522 static int selinux_inode_file_setattr(struct dentry *dentry, 3523 struct file_kattr *fa) 3524 { 3525 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3526 } 3527 3528 static int selinux_inode_file_getattr(struct dentry *dentry, 3529 struct file_kattr *fa) 3530 { 3531 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3532 } 3533 3534 static int selinux_path_notify(const struct path *path, u64 mask, 3535 unsigned int obj_type) 3536 { 3537 int ret; 3538 u32 perm; 3539 3540 struct common_audit_data ad; 3541 3542 ad.type = LSM_AUDIT_DATA_PATH; 3543 ad.u.path = *path; 3544 3545 /* 3546 * Set permission needed based on the type of mark being set. 3547 * Performs an additional check for sb watches. 3548 */ 3549 switch (obj_type) { 3550 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3551 perm = FILE__WATCH_MOUNT; 3552 break; 3553 case FSNOTIFY_OBJ_TYPE_SB: 3554 perm = FILE__WATCH_SB; 3555 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3556 FILESYSTEM__WATCH, &ad); 3557 if (ret) 3558 return ret; 3559 break; 3560 case FSNOTIFY_OBJ_TYPE_INODE: 3561 perm = FILE__WATCH; 3562 break; 3563 case FSNOTIFY_OBJ_TYPE_MNTNS: 3564 perm = FILE__WATCH_MOUNTNS; 3565 break; 3566 default: 3567 return -EINVAL; 3568 } 3569 3570 /* blocking watches require the file:watch_with_perm permission */ 3571 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3572 perm |= FILE__WATCH_WITH_PERM; 3573 3574 /* watches on read-like events need the file:watch_reads permission */ 3575 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS | 3576 FS_CLOSE_NOWRITE)) 3577 perm |= FILE__WATCH_READS; 3578 3579 return path_has_perm(current_cred(), path, perm); 3580 } 3581 3582 /* 3583 * Copy the inode security context value to the user. 3584 * 3585 * Permission check is handled by selinux_inode_getxattr hook. 3586 */ 3587 static int selinux_inode_getsecurity(struct mnt_idmap *idmap, 3588 struct inode *inode, const char *name, 3589 void **buffer, bool alloc) 3590 { 3591 u32 size; 3592 int error; 3593 char *context = NULL; 3594 struct inode_security_struct *isec; 3595 3596 /* 3597 * If we're not initialized yet, then we can't validate contexts, so 3598 * just let vfs_getxattr fall back to using the on-disk xattr. 3599 */ 3600 if (!selinux_initialized() || 3601 strcmp(name, XATTR_SELINUX_SUFFIX)) 3602 return -EOPNOTSUPP; 3603 3604 /* 3605 * If the caller has CAP_MAC_ADMIN, then get the raw context 3606 * value even if it is not defined by current policy; otherwise, 3607 * use the in-core value under current policy. 3608 * Use the non-auditing forms of the permission checks since 3609 * getxattr may be called by unprivileged processes commonly 3610 * and lack of permission just means that we fall back to the 3611 * in-core context value, not a denial. 3612 */ 3613 isec = inode_security(inode); 3614 if (has_cap_mac_admin(false)) 3615 error = security_sid_to_context_force(isec->sid, &context, 3616 &size); 3617 else 3618 error = security_sid_to_context(isec->sid, 3619 &context, &size); 3620 if (error) 3621 return error; 3622 error = size; 3623 if (alloc) { 3624 *buffer = context; 3625 goto out_nofree; 3626 } 3627 kfree(context); 3628 out_nofree: 3629 return error; 3630 } 3631 3632 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3633 const void *value, size_t size, int flags) 3634 { 3635 struct inode_security_struct *isec = inode_security_novalidate(inode); 3636 struct superblock_security_struct *sbsec; 3637 u32 newsid; 3638 int rc; 3639 3640 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3641 return -EOPNOTSUPP; 3642 3643 sbsec = selinux_superblock(inode->i_sb); 3644 if (!(sbsec->flags & SBLABEL_MNT)) 3645 return -EOPNOTSUPP; 3646 3647 if (!value || !size) 3648 return -EACCES; 3649 3650 rc = security_context_to_sid(value, size, &newsid, 3651 GFP_KERNEL); 3652 if (rc) 3653 return rc; 3654 3655 spin_lock(&isec->lock); 3656 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3657 isec->sid = newsid; 3658 isec->initialized = LABEL_INITIALIZED; 3659 spin_unlock(&isec->lock); 3660 return 0; 3661 } 3662 3663 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3664 { 3665 const int len = sizeof(XATTR_NAME_SELINUX); 3666 3667 if (!selinux_initialized()) 3668 return 0; 3669 3670 if (buffer && len <= buffer_size) 3671 memcpy(buffer, XATTR_NAME_SELINUX, len); 3672 return len; 3673 } 3674 3675 static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 3676 { 3677 struct inode_security_struct *isec = inode_security_novalidate(inode); 3678 3679 prop->selinux.secid = isec->sid; 3680 } 3681 3682 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3683 { 3684 struct lsm_prop prop; 3685 struct cred_security_struct *crsec; 3686 struct cred *new_creds = *new; 3687 3688 if (new_creds == NULL) { 3689 new_creds = prepare_creds(); 3690 if (!new_creds) 3691 return -ENOMEM; 3692 } 3693 3694 crsec = selinux_cred(new_creds); 3695 /* Get label from overlay inode and set it in create_sid */ 3696 selinux_inode_getlsmprop(d_inode(src), &prop); 3697 crsec->create_sid = prop.selinux.secid; 3698 *new = new_creds; 3699 return 0; 3700 } 3701 3702 static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) 3703 { 3704 /* The copy_up hook above sets the initial context on an inode, but we 3705 * don't then want to overwrite it by blindly copying all the lower 3706 * xattrs up. Instead, filter out SELinux-related xattrs following 3707 * policy load. 3708 */ 3709 if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX)) 3710 return -ECANCELED; /* Discard */ 3711 /* 3712 * Any other attribute apart from SELINUX is not claimed, supported 3713 * by selinux. 3714 */ 3715 return -EOPNOTSUPP; 3716 } 3717 3718 /* kernfs node operations */ 3719 3720 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3721 struct kernfs_node *kn) 3722 { 3723 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 3724 u32 parent_sid, newsid, clen; 3725 int rc; 3726 char *context; 3727 3728 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3729 if (rc == -ENODATA) 3730 return 0; 3731 else if (rc < 0) 3732 return rc; 3733 3734 clen = (u32)rc; 3735 context = kmalloc(clen, GFP_KERNEL); 3736 if (!context) 3737 return -ENOMEM; 3738 3739 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3740 if (rc < 0) { 3741 kfree(context); 3742 return rc; 3743 } 3744 3745 rc = security_context_to_sid(context, clen, &parent_sid, 3746 GFP_KERNEL); 3747 kfree(context); 3748 if (rc) 3749 return rc; 3750 3751 if (crsec->create_sid) { 3752 newsid = crsec->create_sid; 3753 } else { 3754 u16 secclass = inode_mode_to_security_class(kn->mode); 3755 const char *kn_name; 3756 struct qstr q; 3757 3758 /* kn is fresh, can't be renamed, name goes not away */ 3759 kn_name = rcu_dereference_check(kn->name, true); 3760 q.name = kn_name; 3761 q.hash_len = hashlen_string(kn_dir, kn_name); 3762 3763 rc = security_transition_sid(crsec->sid, 3764 parent_sid, secclass, &q, 3765 &newsid); 3766 if (rc) 3767 return rc; 3768 } 3769 3770 rc = security_sid_to_context_force(newsid, 3771 &context, &clen); 3772 if (rc) 3773 return rc; 3774 3775 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3776 XATTR_CREATE); 3777 kfree(context); 3778 return rc; 3779 } 3780 3781 3782 /* file security operations */ 3783 3784 static int selinux_revalidate_file_permission(struct file *file, int mask) 3785 { 3786 const struct cred *cred = current_cred(); 3787 struct inode *inode = file_inode(file); 3788 3789 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3790 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3791 mask |= MAY_APPEND; 3792 3793 return file_has_perm(cred, file, 3794 file_mask_to_av(inode->i_mode, mask)); 3795 } 3796 3797 static int selinux_file_permission(struct file *file, int mask) 3798 { 3799 struct inode *inode = file_inode(file); 3800 struct file_security_struct *fsec = selinux_file(file); 3801 struct inode_security_struct *isec; 3802 u32 sid = current_sid(); 3803 3804 if (!mask) 3805 /* No permission to check. Existence test. */ 3806 return 0; 3807 3808 isec = inode_security(inode); 3809 if (sid == fsec->sid && fsec->isid == isec->sid && 3810 fsec->pseqno == avc_policy_seqno()) 3811 /* No change since file_open check. */ 3812 return 0; 3813 3814 return selinux_revalidate_file_permission(file, mask); 3815 } 3816 3817 static int selinux_file_alloc_security(struct file *file) 3818 { 3819 struct file_security_struct *fsec = selinux_file(file); 3820 u32 sid = current_sid(); 3821 3822 fsec->sid = sid; 3823 fsec->fown_sid = sid; 3824 3825 return 0; 3826 } 3827 3828 /* 3829 * Check whether a task has the ioctl permission and cmd 3830 * operation to an inode. 3831 */ 3832 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3833 u32 requested, u16 cmd) 3834 { 3835 struct common_audit_data ad; 3836 struct file_security_struct *fsec = selinux_file(file); 3837 struct inode *inode = file_inode(file); 3838 struct inode_security_struct *isec; 3839 struct lsm_ioctlop_audit ioctl; 3840 u32 ssid = cred_sid(cred); 3841 int rc; 3842 u8 driver = cmd >> 8; 3843 u8 xperm = cmd & 0xff; 3844 3845 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3846 ad.u.op = &ioctl; 3847 ad.u.op->cmd = cmd; 3848 ad.u.op->path = file->f_path; 3849 3850 if (ssid != fsec->sid) { 3851 rc = avc_has_perm(ssid, fsec->sid, 3852 SECCLASS_FD, 3853 FD__USE, 3854 &ad); 3855 if (rc) 3856 goto out; 3857 } 3858 3859 if (unlikely(IS_PRIVATE(inode))) 3860 return 0; 3861 3862 isec = inode_security(inode); 3863 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested, 3864 driver, AVC_EXT_IOCTL, xperm, &ad); 3865 out: 3866 return rc; 3867 } 3868 3869 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3870 unsigned long arg) 3871 { 3872 const struct cred *cred = current_cred(); 3873 int error = 0; 3874 3875 switch (cmd) { 3876 case FIONREAD: 3877 case FIBMAP: 3878 case FIGETBSZ: 3879 case FS_IOC_GETFLAGS: 3880 case FS_IOC_GETVERSION: 3881 error = file_has_perm(cred, file, FILE__GETATTR); 3882 break; 3883 3884 case FS_IOC_SETFLAGS: 3885 case FS_IOC_SETVERSION: 3886 error = file_has_perm(cred, file, FILE__SETATTR); 3887 break; 3888 3889 /* sys_ioctl() checks */ 3890 case FIONBIO: 3891 case FIOASYNC: 3892 error = file_has_perm(cred, file, 0); 3893 break; 3894 3895 case KDSKBENT: 3896 case KDSKBSENT: 3897 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3898 CAP_OPT_NONE, true); 3899 break; 3900 3901 case FIOCLEX: 3902 case FIONCLEX: 3903 if (!selinux_policycap_ioctl_skip_cloexec()) 3904 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3905 break; 3906 3907 /* default case assumes that the command will go 3908 * to the file's ioctl() function. 3909 */ 3910 default: 3911 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3912 } 3913 return error; 3914 } 3915 3916 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd, 3917 unsigned long arg) 3918 { 3919 /* 3920 * If we are in a 64-bit kernel running 32-bit userspace, we need to 3921 * make sure we don't compare 32-bit flags to 64-bit flags. 3922 */ 3923 switch (cmd) { 3924 case FS_IOC32_GETFLAGS: 3925 cmd = FS_IOC_GETFLAGS; 3926 break; 3927 case FS_IOC32_SETFLAGS: 3928 cmd = FS_IOC_SETFLAGS; 3929 break; 3930 case FS_IOC32_GETVERSION: 3931 cmd = FS_IOC_GETVERSION; 3932 break; 3933 case FS_IOC32_SETVERSION: 3934 cmd = FS_IOC_SETVERSION; 3935 break; 3936 default: 3937 break; 3938 } 3939 3940 return selinux_file_ioctl(file, cmd, arg); 3941 } 3942 3943 static int default_noexec __ro_after_init; 3944 3945 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3946 { 3947 const struct cred *cred = current_cred(); 3948 u32 sid = cred_sid(cred); 3949 int rc = 0; 3950 3951 if (default_noexec && 3952 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3953 (!shared && (prot & PROT_WRITE)))) { 3954 /* 3955 * We are making executable an anonymous mapping or a 3956 * private file mapping that will also be writable. 3957 * This has an additional check. 3958 */ 3959 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3960 PROCESS__EXECMEM, NULL); 3961 if (rc) 3962 goto error; 3963 } 3964 3965 if (file) { 3966 /* read access is always possible with a mapping */ 3967 u32 av = FILE__READ; 3968 3969 /* write access only matters if the mapping is shared */ 3970 if (shared && (prot & PROT_WRITE)) 3971 av |= FILE__WRITE; 3972 3973 if (prot & PROT_EXEC) 3974 av |= FILE__EXECUTE; 3975 3976 return file_has_perm(cred, file, av); 3977 } 3978 3979 error: 3980 return rc; 3981 } 3982 3983 static int selinux_mmap_addr(unsigned long addr) 3984 { 3985 int rc = 0; 3986 3987 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3988 u32 sid = current_sid(); 3989 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3990 MEMPROTECT__MMAP_ZERO, NULL); 3991 } 3992 3993 return rc; 3994 } 3995 3996 static int selinux_mmap_file(struct file *file, 3997 unsigned long reqprot __always_unused, 3998 unsigned long prot, unsigned long flags) 3999 { 4000 struct common_audit_data ad; 4001 int rc; 4002 4003 if (file) { 4004 ad.type = LSM_AUDIT_DATA_FILE; 4005 ad.u.file = file; 4006 rc = inode_has_perm(current_cred(), file_inode(file), 4007 FILE__MAP, &ad); 4008 if (rc) 4009 return rc; 4010 } 4011 4012 return file_map_prot_check(file, prot, 4013 (flags & MAP_TYPE) == MAP_SHARED); 4014 } 4015 4016 static int selinux_file_mprotect(struct vm_area_struct *vma, 4017 unsigned long reqprot __always_unused, 4018 unsigned long prot) 4019 { 4020 const struct cred *cred = current_cred(); 4021 u32 sid = cred_sid(cred); 4022 4023 if (default_noexec && 4024 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 4025 int rc = 0; 4026 /* 4027 * We don't use the vma_is_initial_heap() helper as it has 4028 * a history of problems and is currently broken on systems 4029 * where there is no heap, e.g. brk == start_brk. Before 4030 * replacing the conditional below with vma_is_initial_heap(), 4031 * or something similar, please ensure that the logic is the 4032 * same as what we have below or you have tested every possible 4033 * corner case you can think to test. 4034 */ 4035 if (vma->vm_start >= vma->vm_mm->start_brk && 4036 vma->vm_end <= vma->vm_mm->brk) { 4037 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 4038 PROCESS__EXECHEAP, NULL); 4039 } else if (!vma->vm_file && (vma_is_initial_stack(vma) || 4040 vma_is_stack_for_current(vma))) { 4041 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 4042 PROCESS__EXECSTACK, NULL); 4043 } else if (vma->vm_file && vma->anon_vma) { 4044 /* 4045 * We are making executable a file mapping that has 4046 * had some COW done. Since pages might have been 4047 * written, check ability to execute the possibly 4048 * modified content. This typically should only 4049 * occur for text relocations. 4050 */ 4051 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 4052 } 4053 if (rc) 4054 return rc; 4055 } 4056 4057 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 4058 } 4059 4060 static int selinux_file_lock(struct file *file, unsigned int cmd) 4061 { 4062 const struct cred *cred = current_cred(); 4063 4064 return file_has_perm(cred, file, FILE__LOCK); 4065 } 4066 4067 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 4068 unsigned long arg) 4069 { 4070 const struct cred *cred = current_cred(); 4071 int err = 0; 4072 4073 switch (cmd) { 4074 case F_SETFL: 4075 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 4076 err = file_has_perm(cred, file, FILE__WRITE); 4077 break; 4078 } 4079 fallthrough; 4080 case F_SETOWN: 4081 case F_SETSIG: 4082 case F_GETFL: 4083 case F_GETOWN: 4084 case F_GETSIG: 4085 case F_GETOWNER_UIDS: 4086 /* Just check FD__USE permission */ 4087 err = file_has_perm(cred, file, 0); 4088 break; 4089 case F_GETLK: 4090 case F_SETLK: 4091 case F_SETLKW: 4092 case F_OFD_GETLK: 4093 case F_OFD_SETLK: 4094 case F_OFD_SETLKW: 4095 #if BITS_PER_LONG == 32 4096 case F_GETLK64: 4097 case F_SETLK64: 4098 case F_SETLKW64: 4099 #endif 4100 err = file_has_perm(cred, file, FILE__LOCK); 4101 break; 4102 } 4103 4104 return err; 4105 } 4106 4107 static void selinux_file_set_fowner(struct file *file) 4108 { 4109 struct file_security_struct *fsec; 4110 4111 fsec = selinux_file(file); 4112 fsec->fown_sid = current_sid(); 4113 } 4114 4115 static int selinux_file_send_sigiotask(struct task_struct *tsk, 4116 struct fown_struct *fown, int signum) 4117 { 4118 struct file *file; 4119 u32 sid = task_sid_obj(tsk); 4120 u32 perm; 4121 struct file_security_struct *fsec; 4122 4123 /* struct fown_struct is never outside the context of a struct file */ 4124 file = fown->file; 4125 4126 fsec = selinux_file(file); 4127 4128 if (!signum) 4129 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 4130 else 4131 perm = signal_to_av(signum); 4132 4133 return avc_has_perm(fsec->fown_sid, sid, 4134 SECCLASS_PROCESS, perm, NULL); 4135 } 4136 4137 static int selinux_file_receive(struct file *file) 4138 { 4139 const struct cred *cred = current_cred(); 4140 4141 return file_has_perm(cred, file, file_to_av(file)); 4142 } 4143 4144 static int selinux_file_open(struct file *file) 4145 { 4146 struct file_security_struct *fsec; 4147 struct inode_security_struct *isec; 4148 4149 fsec = selinux_file(file); 4150 isec = inode_security(file_inode(file)); 4151 /* 4152 * Save inode label and policy sequence number 4153 * at open-time so that selinux_file_permission 4154 * can determine whether revalidation is necessary. 4155 * Task label is already saved in the file security 4156 * struct as its SID. 4157 */ 4158 fsec->isid = isec->sid; 4159 fsec->pseqno = avc_policy_seqno(); 4160 /* 4161 * Since the inode label or policy seqno may have changed 4162 * between the selinux_inode_permission check and the saving 4163 * of state above, recheck that access is still permitted. 4164 * Otherwise, access might never be revalidated against the 4165 * new inode label or new policy. 4166 * This check is not redundant - do not remove. 4167 */ 4168 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 4169 } 4170 4171 /* task security operations */ 4172 4173 static int selinux_task_alloc(struct task_struct *task, 4174 u64 clone_flags) 4175 { 4176 u32 sid = current_sid(); 4177 struct task_security_struct *old_tsec = selinux_task(current); 4178 struct task_security_struct *new_tsec = selinux_task(task); 4179 4180 *new_tsec = *old_tsec; 4181 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 4182 } 4183 4184 /* 4185 * prepare a new set of credentials for modification 4186 */ 4187 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 4188 gfp_t gfp) 4189 { 4190 const struct cred_security_struct *old_crsec = selinux_cred(old); 4191 struct cred_security_struct *crsec = selinux_cred(new); 4192 4193 *crsec = *old_crsec; 4194 return 0; 4195 } 4196 4197 /* 4198 * transfer the SELinux data to a blank set of creds 4199 */ 4200 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 4201 { 4202 const struct cred_security_struct *old_crsec = selinux_cred(old); 4203 struct cred_security_struct *crsec = selinux_cred(new); 4204 4205 *crsec = *old_crsec; 4206 } 4207 4208 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 4209 { 4210 *secid = cred_sid(c); 4211 } 4212 4213 static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop) 4214 { 4215 prop->selinux.secid = cred_sid(c); 4216 } 4217 4218 /* 4219 * set the security data for a kernel service 4220 * - all the creation contexts are set to unlabelled 4221 */ 4222 static int selinux_kernel_act_as(struct cred *new, u32 secid) 4223 { 4224 struct cred_security_struct *crsec = selinux_cred(new); 4225 u32 sid = current_sid(); 4226 int ret; 4227 4228 ret = avc_has_perm(sid, secid, 4229 SECCLASS_KERNEL_SERVICE, 4230 KERNEL_SERVICE__USE_AS_OVERRIDE, 4231 NULL); 4232 if (ret == 0) { 4233 crsec->sid = secid; 4234 crsec->create_sid = 0; 4235 crsec->keycreate_sid = 0; 4236 crsec->sockcreate_sid = 0; 4237 } 4238 return ret; 4239 } 4240 4241 /* 4242 * set the file creation context in a security record to the same as the 4243 * objective context of the specified inode 4244 */ 4245 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 4246 { 4247 struct inode_security_struct *isec = inode_security(inode); 4248 struct cred_security_struct *crsec = selinux_cred(new); 4249 u32 sid = current_sid(); 4250 int ret; 4251 4252 ret = avc_has_perm(sid, isec->sid, 4253 SECCLASS_KERNEL_SERVICE, 4254 KERNEL_SERVICE__CREATE_FILES_AS, 4255 NULL); 4256 4257 if (ret == 0) 4258 crsec->create_sid = isec->sid; 4259 return ret; 4260 } 4261 4262 static int selinux_kernel_module_request(char *kmod_name) 4263 { 4264 struct common_audit_data ad; 4265 4266 ad.type = LSM_AUDIT_DATA_KMOD; 4267 ad.u.kmod_name = kmod_name; 4268 4269 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4270 SYSTEM__MODULE_REQUEST, &ad); 4271 } 4272 4273 static int selinux_kernel_load_from_file(struct file *file, u32 requested) 4274 { 4275 struct common_audit_data ad; 4276 struct inode_security_struct *isec; 4277 struct file_security_struct *fsec; 4278 u32 sid = current_sid(); 4279 int rc; 4280 4281 if (file == NULL) 4282 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL); 4283 4284 ad.type = LSM_AUDIT_DATA_FILE; 4285 ad.u.file = file; 4286 4287 fsec = selinux_file(file); 4288 if (sid != fsec->sid) { 4289 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4290 if (rc) 4291 return rc; 4292 } 4293 4294 isec = inode_security(file_inode(file)); 4295 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, requested, &ad); 4296 } 4297 4298 static int selinux_kernel_read_file(struct file *file, 4299 enum kernel_read_file_id id, 4300 bool contents) 4301 { 4302 int rc = 0; 4303 4304 BUILD_BUG_ON_MSG(READING_MAX_ID > 8, 4305 "New kernel_read_file_id introduced; update SELinux!"); 4306 4307 switch (id) { 4308 case READING_FIRMWARE: 4309 rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD); 4310 break; 4311 case READING_MODULE: 4312 case READING_MODULE_COMPRESSED: 4313 rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD); 4314 break; 4315 case READING_KEXEC_IMAGE: 4316 rc = selinux_kernel_load_from_file(file, 4317 SYSTEM__KEXEC_IMAGE_LOAD); 4318 break; 4319 case READING_KEXEC_INITRAMFS: 4320 rc = selinux_kernel_load_from_file(file, 4321 SYSTEM__KEXEC_INITRAMFS_LOAD); 4322 break; 4323 case READING_POLICY: 4324 rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD); 4325 break; 4326 case READING_X509_CERTIFICATE: 4327 rc = selinux_kernel_load_from_file(file, 4328 SYSTEM__X509_CERTIFICATE_LOAD); 4329 break; 4330 default: 4331 break; 4332 } 4333 4334 return rc; 4335 } 4336 4337 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) 4338 { 4339 int rc = 0; 4340 4341 BUILD_BUG_ON_MSG(LOADING_MAX_ID > 8, 4342 "New kernel_load_data_id introduced; update SELinux!"); 4343 4344 switch (id) { 4345 case LOADING_FIRMWARE: 4346 rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD); 4347 break; 4348 case LOADING_MODULE: 4349 rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD); 4350 break; 4351 case LOADING_KEXEC_IMAGE: 4352 rc = selinux_kernel_load_from_file(NULL, 4353 SYSTEM__KEXEC_IMAGE_LOAD); 4354 break; 4355 case LOADING_KEXEC_INITRAMFS: 4356 rc = selinux_kernel_load_from_file(NULL, 4357 SYSTEM__KEXEC_INITRAMFS_LOAD); 4358 break; 4359 case LOADING_POLICY: 4360 rc = selinux_kernel_load_from_file(NULL, 4361 SYSTEM__POLICY_LOAD); 4362 break; 4363 case LOADING_X509_CERTIFICATE: 4364 rc = selinux_kernel_load_from_file(NULL, 4365 SYSTEM__X509_CERTIFICATE_LOAD); 4366 break; 4367 default: 4368 break; 4369 } 4370 4371 return rc; 4372 } 4373 4374 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4375 { 4376 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4377 PROCESS__SETPGID, NULL); 4378 } 4379 4380 static int selinux_task_getpgid(struct task_struct *p) 4381 { 4382 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4383 PROCESS__GETPGID, NULL); 4384 } 4385 4386 static int selinux_task_getsid(struct task_struct *p) 4387 { 4388 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4389 PROCESS__GETSESSION, NULL); 4390 } 4391 4392 static void selinux_current_getlsmprop_subj(struct lsm_prop *prop) 4393 { 4394 prop->selinux.secid = current_sid(); 4395 } 4396 4397 static void selinux_task_getlsmprop_obj(struct task_struct *p, 4398 struct lsm_prop *prop) 4399 { 4400 prop->selinux.secid = task_sid_obj(p); 4401 } 4402 4403 static int selinux_task_setnice(struct task_struct *p, int nice) 4404 { 4405 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4406 PROCESS__SETSCHED, NULL); 4407 } 4408 4409 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4410 { 4411 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4412 PROCESS__SETSCHED, NULL); 4413 } 4414 4415 static int selinux_task_getioprio(struct task_struct *p) 4416 { 4417 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4418 PROCESS__GETSCHED, NULL); 4419 } 4420 4421 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4422 unsigned int flags) 4423 { 4424 u32 av = 0; 4425 4426 if (!flags) 4427 return 0; 4428 if (flags & LSM_PRLIMIT_WRITE) 4429 av |= PROCESS__SETRLIMIT; 4430 if (flags & LSM_PRLIMIT_READ) 4431 av |= PROCESS__GETRLIMIT; 4432 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4433 SECCLASS_PROCESS, av, NULL); 4434 } 4435 4436 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4437 struct rlimit *new_rlim) 4438 { 4439 struct rlimit *old_rlim = p->signal->rlim + resource; 4440 4441 /* Control the ability to change the hard limit (whether 4442 lowering or raising it), so that the hard limit can 4443 later be used as a safe reset point for the soft limit 4444 upon context transitions. See selinux_bprm_committing_creds. */ 4445 if (old_rlim->rlim_max != new_rlim->rlim_max) 4446 return avc_has_perm(current_sid(), task_sid_obj(p), 4447 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4448 4449 return 0; 4450 } 4451 4452 static int selinux_task_setscheduler(struct task_struct *p) 4453 { 4454 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4455 PROCESS__SETSCHED, NULL); 4456 } 4457 4458 static int selinux_task_getscheduler(struct task_struct *p) 4459 { 4460 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4461 PROCESS__GETSCHED, NULL); 4462 } 4463 4464 static int selinux_task_movememory(struct task_struct *p) 4465 { 4466 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4467 PROCESS__SETSCHED, NULL); 4468 } 4469 4470 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4471 int sig, const struct cred *cred) 4472 { 4473 u32 secid; 4474 u32 perm; 4475 4476 if (!sig) 4477 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4478 else 4479 perm = signal_to_av(sig); 4480 if (!cred) 4481 secid = current_sid(); 4482 else 4483 secid = cred_sid(cred); 4484 return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); 4485 } 4486 4487 static void selinux_task_to_inode(struct task_struct *p, 4488 struct inode *inode) 4489 { 4490 struct inode_security_struct *isec = selinux_inode(inode); 4491 u32 sid = task_sid_obj(p); 4492 4493 spin_lock(&isec->lock); 4494 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4495 isec->sid = sid; 4496 isec->initialized = LABEL_INITIALIZED; 4497 spin_unlock(&isec->lock); 4498 } 4499 4500 static int selinux_userns_create(const struct cred *cred) 4501 { 4502 u32 sid = current_sid(); 4503 4504 return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE, 4505 USER_NAMESPACE__CREATE, NULL); 4506 } 4507 4508 /* Returns error only if unable to parse addresses */ 4509 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4510 struct common_audit_data *ad, u8 *proto) 4511 { 4512 int offset, ihlen, ret = -EINVAL; 4513 struct iphdr _iph, *ih; 4514 4515 offset = skb_network_offset(skb); 4516 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4517 if (ih == NULL) 4518 goto out; 4519 4520 ihlen = ih->ihl * 4; 4521 if (ihlen < sizeof(_iph)) 4522 goto out; 4523 4524 ad->u.net->v4info.saddr = ih->saddr; 4525 ad->u.net->v4info.daddr = ih->daddr; 4526 ret = 0; 4527 4528 if (proto) 4529 *proto = ih->protocol; 4530 4531 switch (ih->protocol) { 4532 case IPPROTO_TCP: { 4533 struct tcphdr _tcph, *th; 4534 4535 if (ntohs(ih->frag_off) & IP_OFFSET) 4536 break; 4537 4538 offset += ihlen; 4539 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4540 if (th == NULL) 4541 break; 4542 4543 ad->u.net->sport = th->source; 4544 ad->u.net->dport = th->dest; 4545 break; 4546 } 4547 4548 case IPPROTO_UDP: { 4549 struct udphdr _udph, *uh; 4550 4551 if (ntohs(ih->frag_off) & IP_OFFSET) 4552 break; 4553 4554 offset += ihlen; 4555 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4556 if (uh == NULL) 4557 break; 4558 4559 ad->u.net->sport = uh->source; 4560 ad->u.net->dport = uh->dest; 4561 break; 4562 } 4563 4564 #if IS_ENABLED(CONFIG_IP_SCTP) 4565 case IPPROTO_SCTP: { 4566 struct sctphdr _sctph, *sh; 4567 4568 if (ntohs(ih->frag_off) & IP_OFFSET) 4569 break; 4570 4571 offset += ihlen; 4572 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4573 if (sh == NULL) 4574 break; 4575 4576 ad->u.net->sport = sh->source; 4577 ad->u.net->dport = sh->dest; 4578 break; 4579 } 4580 #endif 4581 default: 4582 break; 4583 } 4584 out: 4585 return ret; 4586 } 4587 4588 #if IS_ENABLED(CONFIG_IPV6) 4589 4590 /* Returns error only if unable to parse addresses */ 4591 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4592 struct common_audit_data *ad, u8 *proto) 4593 { 4594 u8 nexthdr; 4595 int ret = -EINVAL, offset; 4596 struct ipv6hdr _ipv6h, *ip6; 4597 __be16 frag_off; 4598 4599 offset = skb_network_offset(skb); 4600 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4601 if (ip6 == NULL) 4602 goto out; 4603 4604 ad->u.net->v6info.saddr = ip6->saddr; 4605 ad->u.net->v6info.daddr = ip6->daddr; 4606 ret = 0; 4607 4608 nexthdr = ip6->nexthdr; 4609 offset += sizeof(_ipv6h); 4610 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4611 if (offset < 0) 4612 goto out; 4613 4614 if (proto) 4615 *proto = nexthdr; 4616 4617 switch (nexthdr) { 4618 case IPPROTO_TCP: { 4619 struct tcphdr _tcph, *th; 4620 4621 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4622 if (th == NULL) 4623 break; 4624 4625 ad->u.net->sport = th->source; 4626 ad->u.net->dport = th->dest; 4627 break; 4628 } 4629 4630 case IPPROTO_UDP: { 4631 struct udphdr _udph, *uh; 4632 4633 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4634 if (uh == NULL) 4635 break; 4636 4637 ad->u.net->sport = uh->source; 4638 ad->u.net->dport = uh->dest; 4639 break; 4640 } 4641 4642 #if IS_ENABLED(CONFIG_IP_SCTP) 4643 case IPPROTO_SCTP: { 4644 struct sctphdr _sctph, *sh; 4645 4646 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4647 if (sh == NULL) 4648 break; 4649 4650 ad->u.net->sport = sh->source; 4651 ad->u.net->dport = sh->dest; 4652 break; 4653 } 4654 #endif 4655 /* includes fragments */ 4656 default: 4657 break; 4658 } 4659 out: 4660 return ret; 4661 } 4662 4663 #endif /* IPV6 */ 4664 4665 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4666 char **_addrp, int src, u8 *proto) 4667 { 4668 char *addrp; 4669 int ret; 4670 4671 switch (ad->u.net->family) { 4672 case PF_INET: 4673 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4674 if (ret) 4675 goto parse_error; 4676 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4677 &ad->u.net->v4info.daddr); 4678 goto okay; 4679 4680 #if IS_ENABLED(CONFIG_IPV6) 4681 case PF_INET6: 4682 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4683 if (ret) 4684 goto parse_error; 4685 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4686 &ad->u.net->v6info.daddr); 4687 goto okay; 4688 #endif /* IPV6 */ 4689 default: 4690 addrp = NULL; 4691 goto okay; 4692 } 4693 4694 parse_error: 4695 pr_warn( 4696 "SELinux: failure in selinux_parse_skb()," 4697 " unable to parse packet\n"); 4698 return ret; 4699 4700 okay: 4701 if (_addrp) 4702 *_addrp = addrp; 4703 return 0; 4704 } 4705 4706 /** 4707 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4708 * @skb: the packet 4709 * @family: protocol family 4710 * @sid: the packet's peer label SID 4711 * 4712 * Description: 4713 * Check the various different forms of network peer labeling and determine 4714 * the peer label/SID for the packet; most of the magic actually occurs in 4715 * the security server function security_net_peersid_cmp(). The function 4716 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4717 * or -EACCES if @sid is invalid due to inconsistencies with the different 4718 * peer labels. 4719 * 4720 */ 4721 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4722 { 4723 int err; 4724 u32 xfrm_sid; 4725 u32 nlbl_sid; 4726 u32 nlbl_type; 4727 4728 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4729 if (unlikely(err)) 4730 return -EACCES; 4731 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4732 if (unlikely(err)) 4733 return -EACCES; 4734 4735 err = security_net_peersid_resolve(nlbl_sid, 4736 nlbl_type, xfrm_sid, sid); 4737 if (unlikely(err)) { 4738 pr_warn( 4739 "SELinux: failure in selinux_skb_peerlbl_sid()," 4740 " unable to determine packet's peer label\n"); 4741 return -EACCES; 4742 } 4743 4744 return 0; 4745 } 4746 4747 /** 4748 * selinux_conn_sid - Determine the child socket label for a connection 4749 * @sk_sid: the parent socket's SID 4750 * @skb_sid: the packet's SID 4751 * @conn_sid: the resulting connection SID 4752 * 4753 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4754 * combined with the MLS information from @skb_sid in order to create 4755 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy 4756 * of @sk_sid. Returns zero on success, negative values on failure. 4757 * 4758 */ 4759 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4760 { 4761 int err = 0; 4762 4763 if (skb_sid != SECSID_NULL) 4764 err = security_sid_mls_copy(sk_sid, skb_sid, 4765 conn_sid); 4766 else 4767 *conn_sid = sk_sid; 4768 4769 return err; 4770 } 4771 4772 /* socket security operations */ 4773 4774 static int socket_sockcreate_sid(const struct cred_security_struct *crsec, 4775 u16 secclass, u32 *socksid) 4776 { 4777 if (crsec->sockcreate_sid > SECSID_NULL) { 4778 *socksid = crsec->sockcreate_sid; 4779 return 0; 4780 } 4781 4782 return security_transition_sid(crsec->sid, crsec->sid, 4783 secclass, NULL, socksid); 4784 } 4785 4786 static bool sock_skip_has_perm(u32 sid) 4787 { 4788 if (sid == SECINITSID_KERNEL) 4789 return true; 4790 4791 /* 4792 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that 4793 * inherited the kernel context from early boot used to be skipped 4794 * here, so preserve that behavior unless the capability is set. 4795 * 4796 * By setting the capability the policy signals that it is ready 4797 * for this quirk to be fixed. Note that sockets created by a kernel 4798 * thread or a usermode helper executed without a transition will 4799 * still be skipped in this check regardless of the policycap 4800 * setting. 4801 */ 4802 if (!selinux_policycap_userspace_initial_context() && 4803 sid == SECINITSID_INIT) 4804 return true; 4805 return false; 4806 } 4807 4808 4809 static int sock_has_perm(struct sock *sk, u32 perms) 4810 { 4811 struct sk_security_struct *sksec = sk->sk_security; 4812 struct common_audit_data ad; 4813 struct lsm_network_audit net; 4814 4815 if (sock_skip_has_perm(sksec->sid)) 4816 return 0; 4817 4818 ad_net_init_from_sk(&ad, &net, sk); 4819 4820 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4821 &ad); 4822 } 4823 4824 static int selinux_socket_create(int family, int type, 4825 int protocol, int kern) 4826 { 4827 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 4828 u32 newsid; 4829 u16 secclass; 4830 int rc; 4831 4832 if (kern) 4833 return 0; 4834 4835 secclass = socket_type_to_security_class(family, type, protocol); 4836 rc = socket_sockcreate_sid(crsec, secclass, &newsid); 4837 if (rc) 4838 return rc; 4839 4840 return avc_has_perm(crsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4841 } 4842 4843 static int selinux_socket_post_create(struct socket *sock, int family, 4844 int type, int protocol, int kern) 4845 { 4846 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 4847 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4848 struct sk_security_struct *sksec; 4849 u16 sclass = socket_type_to_security_class(family, type, protocol); 4850 u32 sid = SECINITSID_KERNEL; 4851 int err = 0; 4852 4853 if (!kern) { 4854 err = socket_sockcreate_sid(crsec, sclass, &sid); 4855 if (err) 4856 return err; 4857 } 4858 4859 isec->sclass = sclass; 4860 isec->sid = sid; 4861 isec->initialized = LABEL_INITIALIZED; 4862 4863 if (sock->sk) { 4864 sksec = selinux_sock(sock->sk); 4865 sksec->sclass = sclass; 4866 sksec->sid = sid; 4867 /* Allows detection of the first association on this socket */ 4868 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4869 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4870 4871 err = selinux_netlbl_socket_post_create(sock->sk, family); 4872 } 4873 4874 return err; 4875 } 4876 4877 static int selinux_socket_socketpair(struct socket *socka, 4878 struct socket *sockb) 4879 { 4880 struct sk_security_struct *sksec_a = selinux_sock(socka->sk); 4881 struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); 4882 4883 sksec_a->peer_sid = sksec_b->sid; 4884 sksec_b->peer_sid = sksec_a->sid; 4885 4886 return 0; 4887 } 4888 4889 /* Range of port numbers used to automatically bind. 4890 Need to determine whether we should perform a name_bind 4891 permission check between the socket and the port number. */ 4892 4893 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4894 { 4895 struct sock *sk = sock->sk; 4896 struct sk_security_struct *sksec = selinux_sock(sk); 4897 u16 family; 4898 int err; 4899 4900 err = sock_has_perm(sk, SOCKET__BIND); 4901 if (err) 4902 goto out; 4903 4904 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4905 family = sk->sk_family; 4906 if (family == PF_INET || family == PF_INET6) { 4907 char *addrp; 4908 struct common_audit_data ad; 4909 struct lsm_network_audit net = {0,}; 4910 struct sockaddr_in *addr4 = NULL; 4911 struct sockaddr_in6 *addr6 = NULL; 4912 u16 family_sa; 4913 unsigned short snum; 4914 u32 sid, node_perm; 4915 4916 /* 4917 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4918 * that validates multiple binding addresses. Because of this 4919 * need to check address->sa_family as it is possible to have 4920 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4921 */ 4922 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4923 return -EINVAL; 4924 family_sa = address->sa_family; 4925 switch (family_sa) { 4926 case AF_UNSPEC: 4927 case AF_INET: 4928 if (addrlen < sizeof(struct sockaddr_in)) 4929 return -EINVAL; 4930 addr4 = (struct sockaddr_in *)address; 4931 if (family_sa == AF_UNSPEC) { 4932 if (family == PF_INET6) { 4933 /* Length check from inet6_bind_sk() */ 4934 if (addrlen < SIN6_LEN_RFC2133) 4935 return -EINVAL; 4936 /* Family check from __inet6_bind() */ 4937 goto err_af; 4938 } 4939 /* see __inet_bind(), we only want to allow 4940 * AF_UNSPEC if the address is INADDR_ANY 4941 */ 4942 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4943 goto err_af; 4944 family_sa = AF_INET; 4945 } 4946 snum = ntohs(addr4->sin_port); 4947 addrp = (char *)&addr4->sin_addr.s_addr; 4948 break; 4949 case AF_INET6: 4950 if (addrlen < SIN6_LEN_RFC2133) 4951 return -EINVAL; 4952 addr6 = (struct sockaddr_in6 *)address; 4953 snum = ntohs(addr6->sin6_port); 4954 addrp = (char *)&addr6->sin6_addr.s6_addr; 4955 break; 4956 default: 4957 goto err_af; 4958 } 4959 4960 ad.type = LSM_AUDIT_DATA_NET; 4961 ad.u.net = &net; 4962 ad.u.net->sport = htons(snum); 4963 ad.u.net->family = family_sa; 4964 4965 if (snum) { 4966 int low, high; 4967 4968 inet_get_local_port_range(sock_net(sk), &low, &high); 4969 4970 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4971 snum < low || snum > high) { 4972 err = sel_netport_sid(sk->sk_protocol, 4973 snum, &sid); 4974 if (err) 4975 goto out; 4976 err = avc_has_perm(sksec->sid, sid, 4977 sksec->sclass, 4978 SOCKET__NAME_BIND, &ad); 4979 if (err) 4980 goto out; 4981 } 4982 } 4983 4984 switch (sksec->sclass) { 4985 case SECCLASS_TCP_SOCKET: 4986 node_perm = TCP_SOCKET__NODE_BIND; 4987 break; 4988 4989 case SECCLASS_UDP_SOCKET: 4990 node_perm = UDP_SOCKET__NODE_BIND; 4991 break; 4992 4993 case SECCLASS_SCTP_SOCKET: 4994 node_perm = SCTP_SOCKET__NODE_BIND; 4995 break; 4996 4997 default: 4998 node_perm = RAWIP_SOCKET__NODE_BIND; 4999 break; 5000 } 5001 5002 err = sel_netnode_sid(addrp, family_sa, &sid); 5003 if (err) 5004 goto out; 5005 5006 if (family_sa == AF_INET) 5007 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 5008 else 5009 ad.u.net->v6info.saddr = addr6->sin6_addr; 5010 5011 err = avc_has_perm(sksec->sid, sid, 5012 sksec->sclass, node_perm, &ad); 5013 if (err) 5014 goto out; 5015 } 5016 out: 5017 return err; 5018 err_af: 5019 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 5020 if (sk->sk_protocol == IPPROTO_SCTP) 5021 return -EINVAL; 5022 return -EAFNOSUPPORT; 5023 } 5024 5025 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 5026 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 5027 */ 5028 static int selinux_socket_connect_helper(struct socket *sock, 5029 struct sockaddr *address, int addrlen) 5030 { 5031 struct sock *sk = sock->sk; 5032 struct sk_security_struct *sksec = selinux_sock(sk); 5033 int err; 5034 5035 err = sock_has_perm(sk, SOCKET__CONNECT); 5036 if (err) 5037 return err; 5038 if (addrlen < offsetofend(struct sockaddr, sa_family)) 5039 return -EINVAL; 5040 5041 /* connect(AF_UNSPEC) has special handling, as it is a documented 5042 * way to disconnect the socket 5043 */ 5044 if (address->sa_family == AF_UNSPEC) 5045 return 0; 5046 5047 /* 5048 * If a TCP or SCTP socket, check name_connect permission 5049 * for the port. 5050 */ 5051 if (sksec->sclass == SECCLASS_TCP_SOCKET || 5052 sksec->sclass == SECCLASS_SCTP_SOCKET) { 5053 struct common_audit_data ad; 5054 struct lsm_network_audit net = {0,}; 5055 struct sockaddr_in *addr4 = NULL; 5056 struct sockaddr_in6 *addr6 = NULL; 5057 unsigned short snum; 5058 u32 sid, perm; 5059 5060 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 5061 * that validates multiple connect addresses. Because of this 5062 * need to check address->sa_family as it is possible to have 5063 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 5064 */ 5065 switch (address->sa_family) { 5066 case AF_INET: 5067 addr4 = (struct sockaddr_in *)address; 5068 if (addrlen < sizeof(struct sockaddr_in)) 5069 return -EINVAL; 5070 snum = ntohs(addr4->sin_port); 5071 break; 5072 case AF_INET6: 5073 addr6 = (struct sockaddr_in6 *)address; 5074 if (addrlen < SIN6_LEN_RFC2133) 5075 return -EINVAL; 5076 snum = ntohs(addr6->sin6_port); 5077 break; 5078 default: 5079 /* Note that SCTP services expect -EINVAL, whereas 5080 * others expect -EAFNOSUPPORT. 5081 */ 5082 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 5083 return -EINVAL; 5084 else 5085 return -EAFNOSUPPORT; 5086 } 5087 5088 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 5089 if (err) 5090 return err; 5091 5092 switch (sksec->sclass) { 5093 case SECCLASS_TCP_SOCKET: 5094 perm = TCP_SOCKET__NAME_CONNECT; 5095 break; 5096 case SECCLASS_SCTP_SOCKET: 5097 perm = SCTP_SOCKET__NAME_CONNECT; 5098 break; 5099 } 5100 5101 ad.type = LSM_AUDIT_DATA_NET; 5102 ad.u.net = &net; 5103 ad.u.net->dport = htons(snum); 5104 ad.u.net->family = address->sa_family; 5105 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 5106 if (err) 5107 return err; 5108 } 5109 5110 return 0; 5111 } 5112 5113 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 5114 static int selinux_socket_connect(struct socket *sock, 5115 struct sockaddr *address, int addrlen) 5116 { 5117 int err; 5118 struct sock *sk = sock->sk; 5119 5120 err = selinux_socket_connect_helper(sock, address, addrlen); 5121 if (err) 5122 return err; 5123 5124 return selinux_netlbl_socket_connect(sk, address); 5125 } 5126 5127 static int selinux_socket_listen(struct socket *sock, int backlog) 5128 { 5129 return sock_has_perm(sock->sk, SOCKET__LISTEN); 5130 } 5131 5132 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 5133 { 5134 int err; 5135 struct inode_security_struct *isec; 5136 struct inode_security_struct *newisec; 5137 u16 sclass; 5138 u32 sid; 5139 5140 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 5141 if (err) 5142 return err; 5143 5144 isec = inode_security_novalidate(SOCK_INODE(sock)); 5145 spin_lock(&isec->lock); 5146 sclass = isec->sclass; 5147 sid = isec->sid; 5148 spin_unlock(&isec->lock); 5149 5150 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 5151 newisec->sclass = sclass; 5152 newisec->sid = sid; 5153 newisec->initialized = LABEL_INITIALIZED; 5154 5155 return 0; 5156 } 5157 5158 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 5159 int size) 5160 { 5161 return sock_has_perm(sock->sk, SOCKET__WRITE); 5162 } 5163 5164 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 5165 int size, int flags) 5166 { 5167 return sock_has_perm(sock->sk, SOCKET__READ); 5168 } 5169 5170 static int selinux_socket_getsockname(struct socket *sock) 5171 { 5172 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5173 } 5174 5175 static int selinux_socket_getpeername(struct socket *sock) 5176 { 5177 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5178 } 5179 5180 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 5181 { 5182 int err; 5183 5184 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 5185 if (err) 5186 return err; 5187 5188 return selinux_netlbl_socket_setsockopt(sock, level, optname); 5189 } 5190 5191 static int selinux_socket_getsockopt(struct socket *sock, int level, 5192 int optname) 5193 { 5194 return sock_has_perm(sock->sk, SOCKET__GETOPT); 5195 } 5196 5197 static int selinux_socket_shutdown(struct socket *sock, int how) 5198 { 5199 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 5200 } 5201 5202 static int selinux_socket_unix_stream_connect(struct sock *sock, 5203 struct sock *other, 5204 struct sock *newsk) 5205 { 5206 struct sk_security_struct *sksec_sock = selinux_sock(sock); 5207 struct sk_security_struct *sksec_other = selinux_sock(other); 5208 struct sk_security_struct *sksec_new = selinux_sock(newsk); 5209 struct common_audit_data ad; 5210 struct lsm_network_audit net; 5211 int err; 5212 5213 ad_net_init_from_sk(&ad, &net, other); 5214 5215 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 5216 sksec_other->sclass, 5217 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 5218 if (err) 5219 return err; 5220 5221 /* server child socket */ 5222 sksec_new->peer_sid = sksec_sock->sid; 5223 err = security_sid_mls_copy(sksec_other->sid, 5224 sksec_sock->sid, &sksec_new->sid); 5225 if (err) 5226 return err; 5227 5228 /* connecting socket */ 5229 sksec_sock->peer_sid = sksec_new->sid; 5230 5231 return 0; 5232 } 5233 5234 static int selinux_socket_unix_may_send(struct socket *sock, 5235 struct socket *other) 5236 { 5237 struct sk_security_struct *ssec = selinux_sock(sock->sk); 5238 struct sk_security_struct *osec = selinux_sock(other->sk); 5239 struct common_audit_data ad; 5240 struct lsm_network_audit net; 5241 5242 ad_net_init_from_sk(&ad, &net, other->sk); 5243 5244 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 5245 &ad); 5246 } 5247 5248 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 5249 char *addrp, u16 family, u32 peer_sid, 5250 struct common_audit_data *ad) 5251 { 5252 int err; 5253 u32 if_sid; 5254 u32 node_sid; 5255 5256 err = sel_netif_sid(ns, ifindex, &if_sid); 5257 if (err) 5258 return err; 5259 err = avc_has_perm(peer_sid, if_sid, 5260 SECCLASS_NETIF, NETIF__INGRESS, ad); 5261 if (err) 5262 return err; 5263 5264 err = sel_netnode_sid(addrp, family, &node_sid); 5265 if (err) 5266 return err; 5267 return avc_has_perm(peer_sid, node_sid, 5268 SECCLASS_NODE, NODE__RECVFROM, ad); 5269 } 5270 5271 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 5272 u16 family) 5273 { 5274 int err = 0; 5275 struct sk_security_struct *sksec = selinux_sock(sk); 5276 u32 sk_sid = sksec->sid; 5277 struct common_audit_data ad; 5278 struct lsm_network_audit net; 5279 char *addrp; 5280 5281 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5282 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5283 if (err) 5284 return err; 5285 5286 if (selinux_secmark_enabled()) { 5287 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5288 PACKET__RECV, &ad); 5289 if (err) 5290 return err; 5291 } 5292 5293 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5294 if (err) 5295 return err; 5296 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5297 5298 return err; 5299 } 5300 5301 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5302 { 5303 int err, peerlbl_active, secmark_active; 5304 struct sk_security_struct *sksec = selinux_sock(sk); 5305 u16 family = sk->sk_family; 5306 u32 sk_sid = sksec->sid; 5307 struct common_audit_data ad; 5308 struct lsm_network_audit net; 5309 char *addrp; 5310 5311 if (family != PF_INET && family != PF_INET6) 5312 return 0; 5313 5314 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5315 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5316 family = PF_INET; 5317 5318 /* If any sort of compatibility mode is enabled then handoff processing 5319 * to the selinux_sock_rcv_skb_compat() function to deal with the 5320 * special handling. We do this in an attempt to keep this function 5321 * as fast and as clean as possible. */ 5322 if (!selinux_policycap_netpeer()) 5323 return selinux_sock_rcv_skb_compat(sk, skb, family); 5324 5325 secmark_active = selinux_secmark_enabled(); 5326 peerlbl_active = selinux_peerlbl_enabled(); 5327 if (!secmark_active && !peerlbl_active) 5328 return 0; 5329 5330 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5331 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5332 if (err) 5333 return err; 5334 5335 if (peerlbl_active) { 5336 u32 peer_sid; 5337 5338 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5339 if (err) 5340 return err; 5341 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5342 addrp, family, peer_sid, &ad); 5343 if (err) { 5344 selinux_netlbl_err(skb, family, err, 0); 5345 return err; 5346 } 5347 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5348 PEER__RECV, &ad); 5349 if (err) { 5350 selinux_netlbl_err(skb, family, err, 0); 5351 return err; 5352 } 5353 } 5354 5355 if (secmark_active) { 5356 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5357 PACKET__RECV, &ad); 5358 if (err) 5359 return err; 5360 } 5361 5362 return err; 5363 } 5364 5365 static int selinux_socket_getpeersec_stream(struct socket *sock, 5366 sockptr_t optval, sockptr_t optlen, 5367 unsigned int len) 5368 { 5369 int err = 0; 5370 char *scontext = NULL; 5371 u32 scontext_len; 5372 struct sk_security_struct *sksec = selinux_sock(sock->sk); 5373 u32 peer_sid = SECSID_NULL; 5374 5375 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5376 sksec->sclass == SECCLASS_TCP_SOCKET || 5377 sksec->sclass == SECCLASS_SCTP_SOCKET) 5378 peer_sid = sksec->peer_sid; 5379 if (peer_sid == SECSID_NULL) 5380 return -ENOPROTOOPT; 5381 5382 err = security_sid_to_context(peer_sid, &scontext, 5383 &scontext_len); 5384 if (err) 5385 return err; 5386 if (scontext_len > len) { 5387 err = -ERANGE; 5388 goto out_len; 5389 } 5390 5391 if (copy_to_sockptr(optval, scontext, scontext_len)) 5392 err = -EFAULT; 5393 out_len: 5394 if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len))) 5395 err = -EFAULT; 5396 kfree(scontext); 5397 return err; 5398 } 5399 5400 static int selinux_socket_getpeersec_dgram(struct socket *sock, 5401 struct sk_buff *skb, u32 *secid) 5402 { 5403 u32 peer_secid = SECSID_NULL; 5404 u16 family; 5405 5406 if (skb && skb->protocol == htons(ETH_P_IP)) 5407 family = PF_INET; 5408 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5409 family = PF_INET6; 5410 else if (sock) 5411 family = sock->sk->sk_family; 5412 else { 5413 *secid = SECSID_NULL; 5414 return -EINVAL; 5415 } 5416 5417 if (sock && family == PF_UNIX) { 5418 struct inode_security_struct *isec; 5419 isec = inode_security_novalidate(SOCK_INODE(sock)); 5420 peer_secid = isec->sid; 5421 } else if (skb) 5422 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5423 5424 *secid = peer_secid; 5425 if (peer_secid == SECSID_NULL) 5426 return -ENOPROTOOPT; 5427 return 0; 5428 } 5429 5430 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5431 { 5432 struct sk_security_struct *sksec = selinux_sock(sk); 5433 5434 sksec->peer_sid = SECINITSID_UNLABELED; 5435 sksec->sid = SECINITSID_UNLABELED; 5436 sksec->sclass = SECCLASS_SOCKET; 5437 selinux_netlbl_sk_security_reset(sksec); 5438 5439 return 0; 5440 } 5441 5442 static void selinux_sk_free_security(struct sock *sk) 5443 { 5444 struct sk_security_struct *sksec = selinux_sock(sk); 5445 5446 selinux_netlbl_sk_security_free(sksec); 5447 } 5448 5449 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5450 { 5451 struct sk_security_struct *sksec = selinux_sock(sk); 5452 struct sk_security_struct *newsksec = selinux_sock(newsk); 5453 5454 newsksec->sid = sksec->sid; 5455 newsksec->peer_sid = sksec->peer_sid; 5456 newsksec->sclass = sksec->sclass; 5457 5458 selinux_netlbl_sk_security_reset(newsksec); 5459 } 5460 5461 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid) 5462 { 5463 if (!sk) 5464 *secid = SECINITSID_ANY_SOCKET; 5465 else { 5466 const struct sk_security_struct *sksec = selinux_sock(sk); 5467 5468 *secid = sksec->sid; 5469 } 5470 } 5471 5472 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5473 { 5474 struct inode_security_struct *isec = 5475 inode_security_novalidate(SOCK_INODE(parent)); 5476 struct sk_security_struct *sksec = selinux_sock(sk); 5477 5478 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5479 sk->sk_family == PF_UNIX) 5480 isec->sid = sksec->sid; 5481 sksec->sclass = isec->sclass; 5482 } 5483 5484 /* 5485 * Determines peer_secid for the asoc and updates socket's peer label 5486 * if it's the first association on the socket. 5487 */ 5488 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, 5489 struct sk_buff *skb) 5490 { 5491 struct sock *sk = asoc->base.sk; 5492 u16 family = sk->sk_family; 5493 struct sk_security_struct *sksec = selinux_sock(sk); 5494 struct common_audit_data ad; 5495 struct lsm_network_audit net; 5496 int err; 5497 5498 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5499 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5500 family = PF_INET; 5501 5502 if (selinux_peerlbl_enabled()) { 5503 asoc->peer_secid = SECSID_NULL; 5504 5505 /* This will return peer_sid = SECSID_NULL if there are 5506 * no peer labels, see security_net_peersid_resolve(). 5507 */ 5508 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid); 5509 if (err) 5510 return err; 5511 5512 if (asoc->peer_secid == SECSID_NULL) 5513 asoc->peer_secid = SECINITSID_UNLABELED; 5514 } else { 5515 asoc->peer_secid = SECINITSID_UNLABELED; 5516 } 5517 5518 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5519 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5520 5521 /* Here as first association on socket. As the peer SID 5522 * was allowed by peer recv (and the netif/node checks), 5523 * then it is approved by policy and used as the primary 5524 * peer SID for getpeercon(3). 5525 */ 5526 sksec->peer_sid = asoc->peer_secid; 5527 } else if (sksec->peer_sid != asoc->peer_secid) { 5528 /* Other association peer SIDs are checked to enforce 5529 * consistency among the peer SIDs. 5530 */ 5531 ad_net_init_from_sk(&ad, &net, asoc->base.sk); 5532 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid, 5533 sksec->sclass, SCTP_SOCKET__ASSOCIATION, 5534 &ad); 5535 if (err) 5536 return err; 5537 } 5538 return 0; 5539 } 5540 5541 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This 5542 * happens on an incoming connect(2), sctp_connectx(3) or 5543 * sctp_sendmsg(3) (with no association already present). 5544 */ 5545 static int selinux_sctp_assoc_request(struct sctp_association *asoc, 5546 struct sk_buff *skb) 5547 { 5548 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5549 u32 conn_sid; 5550 int err; 5551 5552 if (!selinux_policycap_extsockclass()) 5553 return 0; 5554 5555 err = selinux_sctp_process_new_assoc(asoc, skb); 5556 if (err) 5557 return err; 5558 5559 /* Compute the MLS component for the connection and store 5560 * the information in asoc. This will be used by SCTP TCP type 5561 * sockets and peeled off connections as they cause a new 5562 * socket to be generated. selinux_sctp_sk_clone() will then 5563 * plug this into the new socket. 5564 */ 5565 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid); 5566 if (err) 5567 return err; 5568 5569 asoc->secid = conn_sid; 5570 5571 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5572 return selinux_netlbl_sctp_assoc_request(asoc, skb); 5573 } 5574 5575 /* Called when SCTP receives a COOKIE ACK chunk as the final 5576 * response to an association request (initited by us). 5577 */ 5578 static int selinux_sctp_assoc_established(struct sctp_association *asoc, 5579 struct sk_buff *skb) 5580 { 5581 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5582 5583 if (!selinux_policycap_extsockclass()) 5584 return 0; 5585 5586 /* Inherit secid from the parent socket - this will be picked up 5587 * by selinux_sctp_sk_clone() if the association gets peeled off 5588 * into a new socket. 5589 */ 5590 asoc->secid = sksec->sid; 5591 5592 return selinux_sctp_process_new_assoc(asoc, skb); 5593 } 5594 5595 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5596 * based on their @optname. 5597 */ 5598 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5599 struct sockaddr *address, 5600 int addrlen) 5601 { 5602 int len, err = 0, walk_size = 0; 5603 void *addr_buf; 5604 struct sockaddr *addr; 5605 struct socket *sock; 5606 5607 if (!selinux_policycap_extsockclass()) 5608 return 0; 5609 5610 /* Process one or more addresses that may be IPv4 or IPv6 */ 5611 sock = sk->sk_socket; 5612 addr_buf = address; 5613 5614 while (walk_size < addrlen) { 5615 if (walk_size + sizeof(sa_family_t) > addrlen) 5616 return -EINVAL; 5617 5618 addr = addr_buf; 5619 switch (addr->sa_family) { 5620 case AF_UNSPEC: 5621 case AF_INET: 5622 len = sizeof(struct sockaddr_in); 5623 break; 5624 case AF_INET6: 5625 len = sizeof(struct sockaddr_in6); 5626 break; 5627 default: 5628 return -EINVAL; 5629 } 5630 5631 if (walk_size + len > addrlen) 5632 return -EINVAL; 5633 5634 err = -EINVAL; 5635 switch (optname) { 5636 /* Bind checks */ 5637 case SCTP_PRIMARY_ADDR: 5638 case SCTP_SET_PEER_PRIMARY_ADDR: 5639 case SCTP_SOCKOPT_BINDX_ADD: 5640 err = selinux_socket_bind(sock, addr, len); 5641 break; 5642 /* Connect checks */ 5643 case SCTP_SOCKOPT_CONNECTX: 5644 case SCTP_PARAM_SET_PRIMARY: 5645 case SCTP_PARAM_ADD_IP: 5646 case SCTP_SENDMSG_CONNECT: 5647 err = selinux_socket_connect_helper(sock, addr, len); 5648 if (err) 5649 return err; 5650 5651 /* As selinux_sctp_bind_connect() is called by the 5652 * SCTP protocol layer, the socket is already locked, 5653 * therefore selinux_netlbl_socket_connect_locked() 5654 * is called here. The situations handled are: 5655 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5656 * whenever a new IP address is added or when a new 5657 * primary address is selected. 5658 * Note that an SCTP connect(2) call happens before 5659 * the SCTP protocol layer and is handled via 5660 * selinux_socket_connect(). 5661 */ 5662 err = selinux_netlbl_socket_connect_locked(sk, addr); 5663 break; 5664 } 5665 5666 if (err) 5667 return err; 5668 5669 addr_buf += len; 5670 walk_size += len; 5671 } 5672 5673 return 0; 5674 } 5675 5676 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5677 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, 5678 struct sock *newsk) 5679 { 5680 struct sk_security_struct *sksec = selinux_sock(sk); 5681 struct sk_security_struct *newsksec = selinux_sock(newsk); 5682 5683 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5684 * the non-sctp clone version. 5685 */ 5686 if (!selinux_policycap_extsockclass()) 5687 return selinux_sk_clone_security(sk, newsk); 5688 5689 newsksec->sid = asoc->secid; 5690 newsksec->peer_sid = asoc->peer_secid; 5691 newsksec->sclass = sksec->sclass; 5692 selinux_netlbl_sctp_sk_clone(sk, newsk); 5693 } 5694 5695 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) 5696 { 5697 struct sk_security_struct *ssksec = selinux_sock(ssk); 5698 struct sk_security_struct *sksec = selinux_sock(sk); 5699 5700 ssksec->sclass = sksec->sclass; 5701 ssksec->sid = sksec->sid; 5702 5703 /* replace the existing subflow label deleting the existing one 5704 * and re-recreating a new label using the updated context 5705 */ 5706 selinux_netlbl_sk_security_free(ssksec); 5707 return selinux_netlbl_socket_post_create(ssk, ssk->sk_family); 5708 } 5709 5710 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 5711 struct request_sock *req) 5712 { 5713 struct sk_security_struct *sksec = selinux_sock(sk); 5714 int err; 5715 u16 family = req->rsk_ops->family; 5716 u32 connsid; 5717 u32 peersid; 5718 5719 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5720 if (err) 5721 return err; 5722 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5723 if (err) 5724 return err; 5725 req->secid = connsid; 5726 req->peer_secid = peersid; 5727 5728 return selinux_netlbl_inet_conn_request(req, family); 5729 } 5730 5731 static void selinux_inet_csk_clone(struct sock *newsk, 5732 const struct request_sock *req) 5733 { 5734 struct sk_security_struct *newsksec = selinux_sock(newsk); 5735 5736 newsksec->sid = req->secid; 5737 newsksec->peer_sid = req->peer_secid; 5738 /* NOTE: Ideally, we should also get the isec->sid for the 5739 new socket in sync, but we don't have the isec available yet. 5740 So we will wait until sock_graft to do it, by which 5741 time it will have been created and available. */ 5742 5743 /* We don't need to take any sort of lock here as we are the only 5744 * thread with access to newsksec */ 5745 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5746 } 5747 5748 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5749 { 5750 u16 family = sk->sk_family; 5751 struct sk_security_struct *sksec = selinux_sock(sk); 5752 5753 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5754 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5755 family = PF_INET; 5756 5757 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5758 } 5759 5760 static int selinux_secmark_relabel_packet(u32 sid) 5761 { 5762 return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO, 5763 NULL); 5764 } 5765 5766 static void selinux_secmark_refcount_inc(void) 5767 { 5768 atomic_inc(&selinux_secmark_refcount); 5769 } 5770 5771 static void selinux_secmark_refcount_dec(void) 5772 { 5773 atomic_dec(&selinux_secmark_refcount); 5774 } 5775 5776 static void selinux_req_classify_flow(const struct request_sock *req, 5777 struct flowi_common *flic) 5778 { 5779 flic->flowic_secid = req->secid; 5780 } 5781 5782 static int selinux_tun_dev_alloc_security(void *security) 5783 { 5784 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5785 5786 tunsec->sid = current_sid(); 5787 return 0; 5788 } 5789 5790 static int selinux_tun_dev_create(void) 5791 { 5792 u32 sid = current_sid(); 5793 5794 /* we aren't taking into account the "sockcreate" SID since the socket 5795 * that is being created here is not a socket in the traditional sense, 5796 * instead it is a private sock, accessible only to the kernel, and 5797 * representing a wide range of network traffic spanning multiple 5798 * connections unlike traditional sockets - check the TUN driver to 5799 * get a better understanding of why this socket is special */ 5800 5801 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5802 NULL); 5803 } 5804 5805 static int selinux_tun_dev_attach_queue(void *security) 5806 { 5807 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5808 5809 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5810 TUN_SOCKET__ATTACH_QUEUE, NULL); 5811 } 5812 5813 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5814 { 5815 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5816 struct sk_security_struct *sksec = selinux_sock(sk); 5817 5818 /* we don't currently perform any NetLabel based labeling here and it 5819 * isn't clear that we would want to do so anyway; while we could apply 5820 * labeling without the support of the TUN user the resulting labeled 5821 * traffic from the other end of the connection would almost certainly 5822 * cause confusion to the TUN user that had no idea network labeling 5823 * protocols were being used */ 5824 5825 sksec->sid = tunsec->sid; 5826 sksec->sclass = SECCLASS_TUN_SOCKET; 5827 5828 return 0; 5829 } 5830 5831 static int selinux_tun_dev_open(void *security) 5832 { 5833 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5834 u32 sid = current_sid(); 5835 int err; 5836 5837 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5838 TUN_SOCKET__RELABELFROM, NULL); 5839 if (err) 5840 return err; 5841 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5842 TUN_SOCKET__RELABELTO, NULL); 5843 if (err) 5844 return err; 5845 tunsec->sid = sid; 5846 5847 return 0; 5848 } 5849 5850 #ifdef CONFIG_NETFILTER 5851 5852 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5853 const struct nf_hook_state *state) 5854 { 5855 int ifindex; 5856 u16 family; 5857 char *addrp; 5858 u32 peer_sid; 5859 struct common_audit_data ad; 5860 struct lsm_network_audit net; 5861 int secmark_active, peerlbl_active; 5862 5863 if (!selinux_policycap_netpeer()) 5864 return NF_ACCEPT; 5865 5866 secmark_active = selinux_secmark_enabled(); 5867 peerlbl_active = selinux_peerlbl_enabled(); 5868 if (!secmark_active && !peerlbl_active) 5869 return NF_ACCEPT; 5870 5871 family = state->pf; 5872 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5873 return NF_DROP; 5874 5875 ifindex = state->in->ifindex; 5876 ad_net_init_from_iif(&ad, &net, ifindex, family); 5877 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5878 return NF_DROP; 5879 5880 if (peerlbl_active) { 5881 int err; 5882 5883 err = selinux_inet_sys_rcv_skb(state->net, ifindex, 5884 addrp, family, peer_sid, &ad); 5885 if (err) { 5886 selinux_netlbl_err(skb, family, err, 1); 5887 return NF_DROP; 5888 } 5889 } 5890 5891 if (secmark_active) 5892 if (avc_has_perm(peer_sid, skb->secmark, 5893 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5894 return NF_DROP; 5895 5896 if (netlbl_enabled()) 5897 /* we do this in the FORWARD path and not the POST_ROUTING 5898 * path because we want to make sure we apply the necessary 5899 * labeling before IPsec is applied so we can leverage AH 5900 * protection */ 5901 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5902 return NF_DROP; 5903 5904 return NF_ACCEPT; 5905 } 5906 5907 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, 5908 const struct nf_hook_state *state) 5909 { 5910 struct sock *sk; 5911 u32 sid; 5912 5913 if (!netlbl_enabled()) 5914 return NF_ACCEPT; 5915 5916 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5917 * because we want to make sure we apply the necessary labeling 5918 * before IPsec is applied so we can leverage AH protection */ 5919 sk = skb_to_full_sk(skb); 5920 if (sk) { 5921 struct sk_security_struct *sksec; 5922 5923 if (sk_listener(sk)) 5924 /* if the socket is the listening state then this 5925 * packet is a SYN-ACK packet which means it needs to 5926 * be labeled based on the connection/request_sock and 5927 * not the parent socket. unfortunately, we can't 5928 * lookup the request_sock yet as it isn't queued on 5929 * the parent socket until after the SYN-ACK is sent. 5930 * the "solution" is to simply pass the packet as-is 5931 * as any IP option based labeling should be copied 5932 * from the initial connection request (in the IP 5933 * layer). it is far from ideal, but until we get a 5934 * security label in the packet itself this is the 5935 * best we can do. */ 5936 return NF_ACCEPT; 5937 5938 /* standard practice, label using the parent socket */ 5939 sksec = selinux_sock(sk); 5940 sid = sksec->sid; 5941 } else 5942 sid = SECINITSID_KERNEL; 5943 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0) 5944 return NF_DROP; 5945 5946 return NF_ACCEPT; 5947 } 5948 5949 5950 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5951 const struct nf_hook_state *state) 5952 { 5953 struct sock *sk; 5954 struct sk_security_struct *sksec; 5955 struct common_audit_data ad; 5956 struct lsm_network_audit net; 5957 u8 proto = 0; 5958 5959 sk = skb_to_full_sk(skb); 5960 if (sk == NULL) 5961 return NF_ACCEPT; 5962 sksec = selinux_sock(sk); 5963 5964 ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf); 5965 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) 5966 return NF_DROP; 5967 5968 if (selinux_secmark_enabled()) 5969 if (avc_has_perm(sksec->sid, skb->secmark, 5970 SECCLASS_PACKET, PACKET__SEND, &ad)) 5971 return NF_DROP_ERR(-ECONNREFUSED); 5972 5973 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5974 return NF_DROP_ERR(-ECONNREFUSED); 5975 5976 return NF_ACCEPT; 5977 } 5978 5979 static unsigned int selinux_ip_postroute(void *priv, 5980 struct sk_buff *skb, 5981 const struct nf_hook_state *state) 5982 { 5983 u16 family; 5984 u32 secmark_perm; 5985 u32 peer_sid; 5986 int ifindex; 5987 struct sock *sk; 5988 struct common_audit_data ad; 5989 struct lsm_network_audit net; 5990 char *addrp; 5991 int secmark_active, peerlbl_active; 5992 5993 /* If any sort of compatibility mode is enabled then handoff processing 5994 * to the selinux_ip_postroute_compat() function to deal with the 5995 * special handling. We do this in an attempt to keep this function 5996 * as fast and as clean as possible. */ 5997 if (!selinux_policycap_netpeer()) 5998 return selinux_ip_postroute_compat(skb, state); 5999 6000 secmark_active = selinux_secmark_enabled(); 6001 peerlbl_active = selinux_peerlbl_enabled(); 6002 if (!secmark_active && !peerlbl_active) 6003 return NF_ACCEPT; 6004 6005 sk = skb_to_full_sk(skb); 6006 6007 #ifdef CONFIG_XFRM 6008 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 6009 * packet transformation so allow the packet to pass without any checks 6010 * since we'll have another chance to perform access control checks 6011 * when the packet is on it's final way out. 6012 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 6013 * is NULL, in this case go ahead and apply access control. 6014 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 6015 * TCP listening state we cannot wait until the XFRM processing 6016 * is done as we will miss out on the SA label if we do; 6017 * unfortunately, this means more work, but it is only once per 6018 * connection. */ 6019 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 6020 !(sk && sk_listener(sk))) 6021 return NF_ACCEPT; 6022 #endif 6023 6024 family = state->pf; 6025 if (sk == NULL) { 6026 /* Without an associated socket the packet is either coming 6027 * from the kernel or it is being forwarded; check the packet 6028 * to determine which and if the packet is being forwarded 6029 * query the packet directly to determine the security label. */ 6030 if (skb->skb_iif) { 6031 secmark_perm = PACKET__FORWARD_OUT; 6032 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 6033 return NF_DROP; 6034 } else { 6035 secmark_perm = PACKET__SEND; 6036 peer_sid = SECINITSID_KERNEL; 6037 } 6038 } else if (sk_listener(sk)) { 6039 /* Locally generated packet but the associated socket is in the 6040 * listening state which means this is a SYN-ACK packet. In 6041 * this particular case the correct security label is assigned 6042 * to the connection/request_sock but unfortunately we can't 6043 * query the request_sock as it isn't queued on the parent 6044 * socket until after the SYN-ACK packet is sent; the only 6045 * viable choice is to regenerate the label like we do in 6046 * selinux_inet_conn_request(). See also selinux_ip_output() 6047 * for similar problems. */ 6048 u32 skb_sid; 6049 struct sk_security_struct *sksec; 6050 6051 sksec = selinux_sock(sk); 6052 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 6053 return NF_DROP; 6054 /* At this point, if the returned skb peerlbl is SECSID_NULL 6055 * and the packet has been through at least one XFRM 6056 * transformation then we must be dealing with the "final" 6057 * form of labeled IPsec packet; since we've already applied 6058 * all of our access controls on this packet we can safely 6059 * pass the packet. */ 6060 if (skb_sid == SECSID_NULL) { 6061 switch (family) { 6062 case PF_INET: 6063 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 6064 return NF_ACCEPT; 6065 break; 6066 case PF_INET6: 6067 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 6068 return NF_ACCEPT; 6069 break; 6070 default: 6071 return NF_DROP_ERR(-ECONNREFUSED); 6072 } 6073 } 6074 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 6075 return NF_DROP; 6076 secmark_perm = PACKET__SEND; 6077 } else { 6078 /* Locally generated packet, fetch the security label from the 6079 * associated socket. */ 6080 struct sk_security_struct *sksec = selinux_sock(sk); 6081 peer_sid = sksec->sid; 6082 secmark_perm = PACKET__SEND; 6083 } 6084 6085 ifindex = state->out->ifindex; 6086 ad_net_init_from_iif(&ad, &net, ifindex, family); 6087 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 6088 return NF_DROP; 6089 6090 if (secmark_active) 6091 if (avc_has_perm(peer_sid, skb->secmark, 6092 SECCLASS_PACKET, secmark_perm, &ad)) 6093 return NF_DROP_ERR(-ECONNREFUSED); 6094 6095 if (peerlbl_active) { 6096 u32 if_sid; 6097 u32 node_sid; 6098 6099 if (sel_netif_sid(state->net, ifindex, &if_sid)) 6100 return NF_DROP; 6101 if (avc_has_perm(peer_sid, if_sid, 6102 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 6103 return NF_DROP_ERR(-ECONNREFUSED); 6104 6105 if (sel_netnode_sid(addrp, family, &node_sid)) 6106 return NF_DROP; 6107 if (avc_has_perm(peer_sid, node_sid, 6108 SECCLASS_NODE, NODE__SENDTO, &ad)) 6109 return NF_DROP_ERR(-ECONNREFUSED); 6110 } 6111 6112 return NF_ACCEPT; 6113 } 6114 #endif /* CONFIG_NETFILTER */ 6115 6116 static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type) 6117 { 6118 struct sk_security_struct *sksec = sk->sk_security; 6119 struct common_audit_data ad; 6120 u8 driver; 6121 u8 xperm; 6122 6123 if (sock_skip_has_perm(sksec->sid)) 6124 return 0; 6125 6126 ad.type = LSM_AUDIT_DATA_NLMSGTYPE; 6127 ad.u.nlmsg_type = nlmsg_type; 6128 6129 driver = nlmsg_type >> 8; 6130 xperm = nlmsg_type & 0xff; 6131 6132 return avc_has_extended_perms(current_sid(), sksec->sid, sksec->sclass, 6133 perms, driver, AVC_EXT_NLMSG, xperm, &ad); 6134 } 6135 6136 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 6137 { 6138 int rc = 0; 6139 unsigned int msg_len; 6140 unsigned int data_len = skb->len; 6141 unsigned char *data = skb->data; 6142 struct nlmsghdr *nlh; 6143 struct sk_security_struct *sksec = selinux_sock(sk); 6144 u16 sclass = sksec->sclass; 6145 u32 perm; 6146 6147 while (data_len >= nlmsg_total_size(0)) { 6148 nlh = (struct nlmsghdr *)data; 6149 6150 /* NOTE: the nlmsg_len field isn't reliably set by some netlink 6151 * users which means we can't reject skb's with bogus 6152 * length fields; our solution is to follow what 6153 * netlink_rcv_skb() does and simply skip processing at 6154 * messages with length fields that are clearly junk 6155 */ 6156 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len) 6157 return 0; 6158 6159 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm); 6160 if (rc == 0) { 6161 if (selinux_policycap_netlink_xperm()) { 6162 rc = nlmsg_sock_has_extended_perms( 6163 sk, perm, nlh->nlmsg_type); 6164 } else { 6165 rc = sock_has_perm(sk, perm); 6166 } 6167 if (rc) 6168 return rc; 6169 } else if (rc == -EINVAL) { 6170 /* -EINVAL is a missing msg/perm mapping */ 6171 pr_warn_ratelimited("SELinux: unrecognized netlink" 6172 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 6173 " pid=%d comm=%s\n", 6174 sk->sk_protocol, nlh->nlmsg_type, 6175 secclass_map[sclass - 1].name, 6176 task_pid_nr(current), current->comm); 6177 if (enforcing_enabled() && 6178 !security_get_allow_unknown()) 6179 return rc; 6180 rc = 0; 6181 } else if (rc == -ENOENT) { 6182 /* -ENOENT is a missing socket/class mapping, ignore */ 6183 rc = 0; 6184 } else { 6185 return rc; 6186 } 6187 6188 /* move to the next message after applying netlink padding */ 6189 msg_len = NLMSG_ALIGN(nlh->nlmsg_len); 6190 if (msg_len >= data_len) 6191 return 0; 6192 data_len -= msg_len; 6193 data += msg_len; 6194 } 6195 6196 return rc; 6197 } 6198 6199 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 6200 { 6201 isec->sclass = sclass; 6202 isec->sid = current_sid(); 6203 } 6204 6205 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 6206 u32 perms) 6207 { 6208 struct ipc_security_struct *isec; 6209 struct common_audit_data ad; 6210 u32 sid = current_sid(); 6211 6212 isec = selinux_ipc(ipc_perms); 6213 6214 ad.type = LSM_AUDIT_DATA_IPC; 6215 ad.u.ipc_id = ipc_perms->key; 6216 6217 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 6218 } 6219 6220 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 6221 { 6222 struct msg_security_struct *msec; 6223 6224 msec = selinux_msg_msg(msg); 6225 msec->sid = SECINITSID_UNLABELED; 6226 6227 return 0; 6228 } 6229 6230 /* message queue security operations */ 6231 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 6232 { 6233 struct ipc_security_struct *isec; 6234 struct common_audit_data ad; 6235 u32 sid = current_sid(); 6236 6237 isec = selinux_ipc(msq); 6238 ipc_init_security(isec, SECCLASS_MSGQ); 6239 6240 ad.type = LSM_AUDIT_DATA_IPC; 6241 ad.u.ipc_id = msq->key; 6242 6243 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6244 MSGQ__CREATE, &ad); 6245 } 6246 6247 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6248 { 6249 struct ipc_security_struct *isec; 6250 struct common_audit_data ad; 6251 u32 sid = current_sid(); 6252 6253 isec = selinux_ipc(msq); 6254 6255 ad.type = LSM_AUDIT_DATA_IPC; 6256 ad.u.ipc_id = msq->key; 6257 6258 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6259 MSGQ__ASSOCIATE, &ad); 6260 } 6261 6262 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6263 { 6264 u32 perms; 6265 6266 switch (cmd) { 6267 case IPC_INFO: 6268 case MSG_INFO: 6269 /* No specific object, just general system-wide information. */ 6270 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6271 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6272 case IPC_STAT: 6273 case MSG_STAT: 6274 case MSG_STAT_ANY: 6275 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6276 break; 6277 case IPC_SET: 6278 perms = MSGQ__SETATTR; 6279 break; 6280 case IPC_RMID: 6281 perms = MSGQ__DESTROY; 6282 break; 6283 default: 6284 return 0; 6285 } 6286 6287 return ipc_has_perm(msq, perms); 6288 } 6289 6290 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6291 { 6292 struct ipc_security_struct *isec; 6293 struct msg_security_struct *msec; 6294 struct common_audit_data ad; 6295 u32 sid = current_sid(); 6296 int rc; 6297 6298 isec = selinux_ipc(msq); 6299 msec = selinux_msg_msg(msg); 6300 6301 /* 6302 * First time through, need to assign label to the message 6303 */ 6304 if (msec->sid == SECINITSID_UNLABELED) { 6305 /* 6306 * Compute new sid based on current process and 6307 * message queue this message will be stored in 6308 */ 6309 rc = security_transition_sid(sid, isec->sid, 6310 SECCLASS_MSG, NULL, &msec->sid); 6311 if (rc) 6312 return rc; 6313 } 6314 6315 ad.type = LSM_AUDIT_DATA_IPC; 6316 ad.u.ipc_id = msq->key; 6317 6318 /* Can this process write to the queue? */ 6319 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6320 MSGQ__WRITE, &ad); 6321 if (!rc) 6322 /* Can this process send the message */ 6323 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6324 MSG__SEND, &ad); 6325 if (!rc) 6326 /* Can the message be put in the queue? */ 6327 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6328 MSGQ__ENQUEUE, &ad); 6329 6330 return rc; 6331 } 6332 6333 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6334 struct task_struct *target, 6335 long type, int mode) 6336 { 6337 struct ipc_security_struct *isec; 6338 struct msg_security_struct *msec; 6339 struct common_audit_data ad; 6340 u32 sid = task_sid_obj(target); 6341 int rc; 6342 6343 isec = selinux_ipc(msq); 6344 msec = selinux_msg_msg(msg); 6345 6346 ad.type = LSM_AUDIT_DATA_IPC; 6347 ad.u.ipc_id = msq->key; 6348 6349 rc = avc_has_perm(sid, isec->sid, 6350 SECCLASS_MSGQ, MSGQ__READ, &ad); 6351 if (!rc) 6352 rc = avc_has_perm(sid, msec->sid, 6353 SECCLASS_MSG, MSG__RECEIVE, &ad); 6354 return rc; 6355 } 6356 6357 /* Shared Memory security operations */ 6358 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6359 { 6360 struct ipc_security_struct *isec; 6361 struct common_audit_data ad; 6362 u32 sid = current_sid(); 6363 6364 isec = selinux_ipc(shp); 6365 ipc_init_security(isec, SECCLASS_SHM); 6366 6367 ad.type = LSM_AUDIT_DATA_IPC; 6368 ad.u.ipc_id = shp->key; 6369 6370 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6371 SHM__CREATE, &ad); 6372 } 6373 6374 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6375 { 6376 struct ipc_security_struct *isec; 6377 struct common_audit_data ad; 6378 u32 sid = current_sid(); 6379 6380 isec = selinux_ipc(shp); 6381 6382 ad.type = LSM_AUDIT_DATA_IPC; 6383 ad.u.ipc_id = shp->key; 6384 6385 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6386 SHM__ASSOCIATE, &ad); 6387 } 6388 6389 /* Note, at this point, shp is locked down */ 6390 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6391 { 6392 u32 perms; 6393 6394 switch (cmd) { 6395 case IPC_INFO: 6396 case SHM_INFO: 6397 /* No specific object, just general system-wide information. */ 6398 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6399 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6400 case IPC_STAT: 6401 case SHM_STAT: 6402 case SHM_STAT_ANY: 6403 perms = SHM__GETATTR | SHM__ASSOCIATE; 6404 break; 6405 case IPC_SET: 6406 perms = SHM__SETATTR; 6407 break; 6408 case SHM_LOCK: 6409 case SHM_UNLOCK: 6410 perms = SHM__LOCK; 6411 break; 6412 case IPC_RMID: 6413 perms = SHM__DESTROY; 6414 break; 6415 default: 6416 return 0; 6417 } 6418 6419 return ipc_has_perm(shp, perms); 6420 } 6421 6422 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6423 char __user *shmaddr, int shmflg) 6424 { 6425 u32 perms; 6426 6427 if (shmflg & SHM_RDONLY) 6428 perms = SHM__READ; 6429 else 6430 perms = SHM__READ | SHM__WRITE; 6431 6432 return ipc_has_perm(shp, perms); 6433 } 6434 6435 /* Semaphore security operations */ 6436 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6437 { 6438 struct ipc_security_struct *isec; 6439 struct common_audit_data ad; 6440 u32 sid = current_sid(); 6441 6442 isec = selinux_ipc(sma); 6443 ipc_init_security(isec, SECCLASS_SEM); 6444 6445 ad.type = LSM_AUDIT_DATA_IPC; 6446 ad.u.ipc_id = sma->key; 6447 6448 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6449 SEM__CREATE, &ad); 6450 } 6451 6452 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6453 { 6454 struct ipc_security_struct *isec; 6455 struct common_audit_data ad; 6456 u32 sid = current_sid(); 6457 6458 isec = selinux_ipc(sma); 6459 6460 ad.type = LSM_AUDIT_DATA_IPC; 6461 ad.u.ipc_id = sma->key; 6462 6463 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6464 SEM__ASSOCIATE, &ad); 6465 } 6466 6467 /* Note, at this point, sma is locked down */ 6468 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6469 { 6470 int err; 6471 u32 perms; 6472 6473 switch (cmd) { 6474 case IPC_INFO: 6475 case SEM_INFO: 6476 /* No specific object, just general system-wide information. */ 6477 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6478 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6479 case GETPID: 6480 case GETNCNT: 6481 case GETZCNT: 6482 perms = SEM__GETATTR; 6483 break; 6484 case GETVAL: 6485 case GETALL: 6486 perms = SEM__READ; 6487 break; 6488 case SETVAL: 6489 case SETALL: 6490 perms = SEM__WRITE; 6491 break; 6492 case IPC_RMID: 6493 perms = SEM__DESTROY; 6494 break; 6495 case IPC_SET: 6496 perms = SEM__SETATTR; 6497 break; 6498 case IPC_STAT: 6499 case SEM_STAT: 6500 case SEM_STAT_ANY: 6501 perms = SEM__GETATTR | SEM__ASSOCIATE; 6502 break; 6503 default: 6504 return 0; 6505 } 6506 6507 err = ipc_has_perm(sma, perms); 6508 return err; 6509 } 6510 6511 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6512 struct sembuf *sops, unsigned nsops, int alter) 6513 { 6514 u32 perms; 6515 6516 if (alter) 6517 perms = SEM__READ | SEM__WRITE; 6518 else 6519 perms = SEM__READ; 6520 6521 return ipc_has_perm(sma, perms); 6522 } 6523 6524 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6525 { 6526 u32 av = 0; 6527 6528 av = 0; 6529 if (flag & S_IRUGO) 6530 av |= IPC__UNIX_READ; 6531 if (flag & S_IWUGO) 6532 av |= IPC__UNIX_WRITE; 6533 6534 if (av == 0) 6535 return 0; 6536 6537 return ipc_has_perm(ipcp, av); 6538 } 6539 6540 static void selinux_ipc_getlsmprop(struct kern_ipc_perm *ipcp, 6541 struct lsm_prop *prop) 6542 { 6543 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6544 prop->selinux.secid = isec->sid; 6545 } 6546 6547 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6548 { 6549 if (inode) 6550 inode_doinit_with_dentry(inode, dentry); 6551 } 6552 6553 static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, 6554 char **value) 6555 { 6556 const struct cred_security_struct *crsec; 6557 int error; 6558 u32 sid; 6559 u32 len; 6560 6561 rcu_read_lock(); 6562 crsec = selinux_cred(__task_cred(p)); 6563 if (p != current) { 6564 error = avc_has_perm(current_sid(), crsec->sid, 6565 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6566 if (error) 6567 goto err_unlock; 6568 } 6569 switch (attr) { 6570 case LSM_ATTR_CURRENT: 6571 sid = crsec->sid; 6572 break; 6573 case LSM_ATTR_PREV: 6574 sid = crsec->osid; 6575 break; 6576 case LSM_ATTR_EXEC: 6577 sid = crsec->exec_sid; 6578 break; 6579 case LSM_ATTR_FSCREATE: 6580 sid = crsec->create_sid; 6581 break; 6582 case LSM_ATTR_KEYCREATE: 6583 sid = crsec->keycreate_sid; 6584 break; 6585 case LSM_ATTR_SOCKCREATE: 6586 sid = crsec->sockcreate_sid; 6587 break; 6588 default: 6589 error = -EOPNOTSUPP; 6590 goto err_unlock; 6591 } 6592 rcu_read_unlock(); 6593 6594 if (sid == SECSID_NULL) { 6595 *value = NULL; 6596 return 0; 6597 } 6598 6599 error = security_sid_to_context(sid, value, &len); 6600 if (error) 6601 return error; 6602 return len; 6603 6604 err_unlock: 6605 rcu_read_unlock(); 6606 return error; 6607 } 6608 6609 static int selinux_lsm_setattr(u64 attr, void *value, size_t size) 6610 { 6611 struct cred_security_struct *crsec; 6612 struct cred *new; 6613 u32 mysid = current_sid(), sid = 0, ptsid; 6614 int error; 6615 char *str = value; 6616 6617 /* 6618 * Basic control over ability to set these attributes at all. 6619 */ 6620 switch (attr) { 6621 case LSM_ATTR_EXEC: 6622 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6623 PROCESS__SETEXEC, NULL); 6624 break; 6625 case LSM_ATTR_FSCREATE: 6626 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6627 PROCESS__SETFSCREATE, NULL); 6628 break; 6629 case LSM_ATTR_KEYCREATE: 6630 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6631 PROCESS__SETKEYCREATE, NULL); 6632 break; 6633 case LSM_ATTR_SOCKCREATE: 6634 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6635 PROCESS__SETSOCKCREATE, NULL); 6636 break; 6637 case LSM_ATTR_CURRENT: 6638 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6639 PROCESS__SETCURRENT, NULL); 6640 break; 6641 default: 6642 error = -EOPNOTSUPP; 6643 break; 6644 } 6645 if (error) 6646 return error; 6647 6648 /* Obtain a SID for the context, if one was specified. */ 6649 if (size && str[0] && str[0] != '\n') { 6650 if (str[size-1] == '\n') { 6651 str[size-1] = 0; 6652 size--; 6653 } 6654 error = security_context_to_sid(value, size, 6655 &sid, GFP_KERNEL); 6656 if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) { 6657 if (!has_cap_mac_admin(true)) { 6658 struct audit_buffer *ab; 6659 size_t audit_size; 6660 6661 /* We strip a nul only if it is at the end, 6662 * otherwise the context contains a nul and 6663 * we should audit that */ 6664 if (str[size - 1] == '\0') 6665 audit_size = size - 1; 6666 else 6667 audit_size = size; 6668 ab = audit_log_start(audit_context(), 6669 GFP_ATOMIC, 6670 AUDIT_SELINUX_ERR); 6671 if (!ab) 6672 return error; 6673 audit_log_format(ab, "op=fscreate invalid_context="); 6674 audit_log_n_untrustedstring(ab, value, 6675 audit_size); 6676 audit_log_end(ab); 6677 6678 return error; 6679 } 6680 error = security_context_to_sid_force(value, size, 6681 &sid); 6682 } 6683 if (error) 6684 return error; 6685 } 6686 6687 new = prepare_creds(); 6688 if (!new) 6689 return -ENOMEM; 6690 6691 /* Permission checking based on the specified context is 6692 performed during the actual operation (execve, 6693 open/mkdir/...), when we know the full context of the 6694 operation. See selinux_bprm_creds_for_exec for the execve 6695 checks and may_create for the file creation checks. The 6696 operation will then fail if the context is not permitted. */ 6697 crsec = selinux_cred(new); 6698 if (attr == LSM_ATTR_EXEC) { 6699 crsec->exec_sid = sid; 6700 } else if (attr == LSM_ATTR_FSCREATE) { 6701 crsec->create_sid = sid; 6702 } else if (attr == LSM_ATTR_KEYCREATE) { 6703 if (sid) { 6704 error = avc_has_perm(mysid, sid, 6705 SECCLASS_KEY, KEY__CREATE, NULL); 6706 if (error) 6707 goto abort_change; 6708 } 6709 crsec->keycreate_sid = sid; 6710 } else if (attr == LSM_ATTR_SOCKCREATE) { 6711 crsec->sockcreate_sid = sid; 6712 } else if (attr == LSM_ATTR_CURRENT) { 6713 error = -EINVAL; 6714 if (sid == 0) 6715 goto abort_change; 6716 6717 if (!current_is_single_threaded()) { 6718 error = security_bounded_transition(crsec->sid, sid); 6719 if (error) 6720 goto abort_change; 6721 } 6722 6723 /* Check permissions for the transition. */ 6724 error = avc_has_perm(crsec->sid, sid, SECCLASS_PROCESS, 6725 PROCESS__DYNTRANSITION, NULL); 6726 if (error) 6727 goto abort_change; 6728 6729 /* Check for ptracing, and update the task SID if ok. 6730 Otherwise, leave SID unchanged and fail. */ 6731 ptsid = ptrace_parent_sid(); 6732 if (ptsid != 0) { 6733 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6734 PROCESS__PTRACE, NULL); 6735 if (error) 6736 goto abort_change; 6737 } 6738 6739 crsec->sid = sid; 6740 } else { 6741 error = -EINVAL; 6742 goto abort_change; 6743 } 6744 6745 commit_creds(new); 6746 return size; 6747 6748 abort_change: 6749 abort_creds(new); 6750 return error; 6751 } 6752 6753 /** 6754 * selinux_getselfattr - Get SELinux current task attributes 6755 * @attr: the requested attribute 6756 * @ctx: buffer to receive the result 6757 * @size: buffer size (input), buffer size used (output) 6758 * @flags: unused 6759 * 6760 * Fill the passed user space @ctx with the details of the requested 6761 * attribute. 6762 * 6763 * Returns the number of attributes on success, an error code otherwise. 6764 * There will only ever be one attribute. 6765 */ 6766 static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 6767 u32 *size, u32 flags) 6768 { 6769 int rc; 6770 char *val = NULL; 6771 int val_len; 6772 6773 val_len = selinux_lsm_getattr(attr, current, &val); 6774 if (val_len < 0) 6775 return val_len; 6776 rc = lsm_fill_user_ctx(ctx, size, val, val_len, LSM_ID_SELINUX, 0); 6777 kfree(val); 6778 return (!rc ? 1 : rc); 6779 } 6780 6781 static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 6782 u32 size, u32 flags) 6783 { 6784 int rc; 6785 6786 rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len); 6787 if (rc > 0) 6788 return 0; 6789 return rc; 6790 } 6791 6792 static int selinux_getprocattr(struct task_struct *p, 6793 const char *name, char **value) 6794 { 6795 unsigned int attr = lsm_name_to_attr(name); 6796 int rc; 6797 6798 if (attr) { 6799 rc = selinux_lsm_getattr(attr, p, value); 6800 if (rc != -EOPNOTSUPP) 6801 return rc; 6802 } 6803 6804 return -EINVAL; 6805 } 6806 6807 static int selinux_setprocattr(const char *name, void *value, size_t size) 6808 { 6809 int attr = lsm_name_to_attr(name); 6810 6811 if (attr) 6812 return selinux_lsm_setattr(attr, value, size); 6813 return -EINVAL; 6814 } 6815 6816 static int selinux_ismaclabel(const char *name) 6817 { 6818 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6819 } 6820 6821 static int selinux_secid_to_secctx(u32 secid, struct lsm_context *cp) 6822 { 6823 u32 seclen; 6824 int ret; 6825 6826 if (cp) { 6827 cp->id = LSM_ID_SELINUX; 6828 ret = security_sid_to_context(secid, &cp->context, &cp->len); 6829 if (ret < 0) 6830 return ret; 6831 return cp->len; 6832 } 6833 ret = security_sid_to_context(secid, NULL, &seclen); 6834 if (ret < 0) 6835 return ret; 6836 return seclen; 6837 } 6838 6839 static int selinux_lsmprop_to_secctx(struct lsm_prop *prop, 6840 struct lsm_context *cp) 6841 { 6842 return selinux_secid_to_secctx(prop->selinux.secid, cp); 6843 } 6844 6845 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6846 { 6847 return security_context_to_sid(secdata, seclen, 6848 secid, GFP_KERNEL); 6849 } 6850 6851 static void selinux_release_secctx(struct lsm_context *cp) 6852 { 6853 if (cp->id == LSM_ID_SELINUX) { 6854 kfree(cp->context); 6855 cp->context = NULL; 6856 cp->id = LSM_ID_UNDEF; 6857 } 6858 } 6859 6860 static void selinux_inode_invalidate_secctx(struct inode *inode) 6861 { 6862 struct inode_security_struct *isec = selinux_inode(inode); 6863 6864 spin_lock(&isec->lock); 6865 isec->initialized = LABEL_INVALID; 6866 spin_unlock(&isec->lock); 6867 } 6868 6869 /* 6870 * called with inode->i_mutex locked 6871 */ 6872 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6873 { 6874 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6875 ctx, ctxlen, 0); 6876 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6877 return rc == -EOPNOTSUPP ? 0 : rc; 6878 } 6879 6880 /* 6881 * called with inode->i_mutex locked 6882 */ 6883 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6884 { 6885 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX, 6886 ctx, ctxlen, 0, NULL); 6887 } 6888 6889 static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp) 6890 { 6891 int len; 6892 len = selinux_inode_getsecurity(&nop_mnt_idmap, inode, 6893 XATTR_SELINUX_SUFFIX, 6894 (void **)&cp->context, true); 6895 if (len < 0) 6896 return len; 6897 cp->len = len; 6898 cp->id = LSM_ID_SELINUX; 6899 return 0; 6900 } 6901 #ifdef CONFIG_KEYS 6902 6903 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6904 unsigned long flags) 6905 { 6906 const struct cred_security_struct *crsec; 6907 struct key_security_struct *ksec = selinux_key(k); 6908 6909 crsec = selinux_cred(cred); 6910 if (crsec->keycreate_sid) 6911 ksec->sid = crsec->keycreate_sid; 6912 else 6913 ksec->sid = crsec->sid; 6914 6915 return 0; 6916 } 6917 6918 static int selinux_key_permission(key_ref_t key_ref, 6919 const struct cred *cred, 6920 enum key_need_perm need_perm) 6921 { 6922 struct key *key; 6923 struct key_security_struct *ksec; 6924 u32 perm, sid; 6925 6926 switch (need_perm) { 6927 case KEY_NEED_VIEW: 6928 perm = KEY__VIEW; 6929 break; 6930 case KEY_NEED_READ: 6931 perm = KEY__READ; 6932 break; 6933 case KEY_NEED_WRITE: 6934 perm = KEY__WRITE; 6935 break; 6936 case KEY_NEED_SEARCH: 6937 perm = KEY__SEARCH; 6938 break; 6939 case KEY_NEED_LINK: 6940 perm = KEY__LINK; 6941 break; 6942 case KEY_NEED_SETATTR: 6943 perm = KEY__SETATTR; 6944 break; 6945 case KEY_NEED_UNLINK: 6946 case KEY_SYSADMIN_OVERRIDE: 6947 case KEY_AUTHTOKEN_OVERRIDE: 6948 case KEY_DEFER_PERM_CHECK: 6949 return 0; 6950 default: 6951 WARN_ON(1); 6952 return -EPERM; 6953 6954 } 6955 6956 sid = cred_sid(cred); 6957 key = key_ref_to_ptr(key_ref); 6958 ksec = selinux_key(key); 6959 6960 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6961 } 6962 6963 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6964 { 6965 struct key_security_struct *ksec = selinux_key(key); 6966 char *context = NULL; 6967 unsigned len; 6968 int rc; 6969 6970 rc = security_sid_to_context(ksec->sid, 6971 &context, &len); 6972 if (!rc) 6973 rc = len; 6974 *_buffer = context; 6975 return rc; 6976 } 6977 6978 #ifdef CONFIG_KEY_NOTIFICATIONS 6979 static int selinux_watch_key(struct key *key) 6980 { 6981 struct key_security_struct *ksec = selinux_key(key); 6982 u32 sid = current_sid(); 6983 6984 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL); 6985 } 6986 #endif 6987 #endif 6988 6989 #ifdef CONFIG_SECURITY_INFINIBAND 6990 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6991 { 6992 struct common_audit_data ad; 6993 int err; 6994 u32 sid = 0; 6995 struct ib_security_struct *sec = ib_sec; 6996 struct lsm_ibpkey_audit ibpkey; 6997 6998 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6999 if (err) 7000 return err; 7001 7002 ad.type = LSM_AUDIT_DATA_IBPKEY; 7003 ibpkey.subnet_prefix = subnet_prefix; 7004 ibpkey.pkey = pkey_val; 7005 ad.u.ibpkey = &ibpkey; 7006 return avc_has_perm(sec->sid, sid, 7007 SECCLASS_INFINIBAND_PKEY, 7008 INFINIBAND_PKEY__ACCESS, &ad); 7009 } 7010 7011 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 7012 u8 port_num) 7013 { 7014 struct common_audit_data ad; 7015 int err; 7016 u32 sid = 0; 7017 struct ib_security_struct *sec = ib_sec; 7018 struct lsm_ibendport_audit ibendport; 7019 7020 err = security_ib_endport_sid(dev_name, port_num, 7021 &sid); 7022 7023 if (err) 7024 return err; 7025 7026 ad.type = LSM_AUDIT_DATA_IBENDPORT; 7027 ibendport.dev_name = dev_name; 7028 ibendport.port = port_num; 7029 ad.u.ibendport = &ibendport; 7030 return avc_has_perm(sec->sid, sid, 7031 SECCLASS_INFINIBAND_ENDPORT, 7032 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 7033 } 7034 7035 static int selinux_ib_alloc_security(void *ib_sec) 7036 { 7037 struct ib_security_struct *sec = selinux_ib(ib_sec); 7038 7039 sec->sid = current_sid(); 7040 return 0; 7041 } 7042 #endif 7043 7044 #ifdef CONFIG_BPF_SYSCALL 7045 static int selinux_bpf(int cmd, union bpf_attr *attr, 7046 unsigned int size, bool kernel) 7047 { 7048 u32 sid = current_sid(); 7049 int ret; 7050 7051 if (selinux_policycap_bpf_token_perms()) 7052 return 0; 7053 7054 switch (cmd) { 7055 case BPF_MAP_CREATE: 7056 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 7057 NULL); 7058 break; 7059 case BPF_PROG_LOAD: 7060 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 7061 NULL); 7062 break; 7063 default: 7064 ret = 0; 7065 break; 7066 } 7067 7068 return ret; 7069 } 7070 7071 static u32 bpf_map_fmode_to_av(fmode_t fmode) 7072 { 7073 u32 av = 0; 7074 7075 if (fmode & FMODE_READ) 7076 av |= BPF__MAP_READ; 7077 if (fmode & FMODE_WRITE) 7078 av |= BPF__MAP_WRITE; 7079 return av; 7080 } 7081 7082 /* This function will check the file pass through unix socket or binder to see 7083 * if it is a bpf related object. And apply corresponding checks on the bpf 7084 * object based on the type. The bpf maps and programs, not like other files and 7085 * socket, are using a shared anonymous inode inside the kernel as their inode. 7086 * So checking that inode cannot identify if the process have privilege to 7087 * access the bpf object and that's why we have to add this additional check in 7088 * selinux_file_receive and selinux_binder_transfer_files. 7089 */ 7090 static int bpf_fd_pass(const struct file *file, u32 sid) 7091 { 7092 struct bpf_security_struct *bpfsec; 7093 struct bpf_prog *prog; 7094 struct bpf_map *map; 7095 int ret; 7096 7097 if (file->f_op == &bpf_map_fops) { 7098 map = file->private_data; 7099 bpfsec = selinux_bpf_map_security(map); 7100 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7101 bpf_map_fmode_to_av(file->f_mode), NULL); 7102 if (ret) 7103 return ret; 7104 } else if (file->f_op == &bpf_prog_fops) { 7105 prog = file->private_data; 7106 bpfsec = selinux_bpf_prog_security(prog); 7107 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7108 BPF__PROG_RUN, NULL); 7109 if (ret) 7110 return ret; 7111 } 7112 return 0; 7113 } 7114 7115 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 7116 { 7117 u32 sid = current_sid(); 7118 struct bpf_security_struct *bpfsec; 7119 7120 bpfsec = selinux_bpf_map_security(map); 7121 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7122 bpf_map_fmode_to_av(fmode), NULL); 7123 } 7124 7125 static int selinux_bpf_prog(struct bpf_prog *prog) 7126 { 7127 u32 sid = current_sid(); 7128 struct bpf_security_struct *bpfsec; 7129 7130 bpfsec = selinux_bpf_prog_security(prog); 7131 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7132 BPF__PROG_RUN, NULL); 7133 } 7134 7135 static u32 selinux_bpffs_creator_sid(u32 fd) 7136 { 7137 struct path path; 7138 struct super_block *sb; 7139 struct superblock_security_struct *sbsec; 7140 7141 CLASS(fd, f)(fd); 7142 7143 if (fd_empty(f)) 7144 return SECSID_NULL; 7145 7146 path = fd_file(f)->f_path; 7147 sb = path.dentry->d_sb; 7148 sbsec = selinux_superblock(sb); 7149 7150 return sbsec->creator_sid; 7151 } 7152 7153 static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr, 7154 struct bpf_token *token, bool kernel) 7155 { 7156 struct bpf_security_struct *bpfsec; 7157 u32 ssid; 7158 7159 bpfsec = selinux_bpf_map_security(map); 7160 bpfsec->sid = current_sid(); 7161 7162 if (!token) 7163 ssid = bpfsec->sid; 7164 else 7165 ssid = selinux_bpffs_creator_sid(attr->map_token_fd); 7166 7167 return avc_has_perm(ssid, bpfsec->sid, SECCLASS_BPF, BPF__MAP_CREATE, 7168 NULL); 7169 } 7170 7171 static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr, 7172 struct bpf_token *token, bool kernel) 7173 { 7174 struct bpf_security_struct *bpfsec; 7175 u32 ssid; 7176 7177 bpfsec = selinux_bpf_prog_security(prog); 7178 bpfsec->sid = current_sid(); 7179 7180 if (!token) 7181 ssid = bpfsec->sid; 7182 else 7183 ssid = selinux_bpffs_creator_sid(attr->prog_token_fd); 7184 7185 return avc_has_perm(ssid, bpfsec->sid, SECCLASS_BPF, BPF__PROG_LOAD, 7186 NULL); 7187 } 7188 7189 #define bpf_token_cmd(T, C) \ 7190 ((T)->allowed_cmds & (1ULL << (C))) 7191 7192 static int selinux_bpf_token_create(struct bpf_token *token, 7193 union bpf_attr *attr, 7194 const struct path *path) 7195 { 7196 struct bpf_security_struct *bpfsec; 7197 u32 sid = selinux_bpffs_creator_sid(attr->token_create.bpffs_fd); 7198 int err; 7199 7200 bpfsec = selinux_bpf_token_security(token); 7201 bpfsec->sid = current_sid(); 7202 bpfsec->grantor_sid = sid; 7203 7204 bpfsec->perms = 0; 7205 /** 7206 * 'token->allowed_cmds' is a bit mask of allowed commands 7207 * Convert the BPF command enum to a bitmask representing its position 7208 * in the allowed_cmds bitmap. 7209 */ 7210 if (bpf_token_cmd(token, BPF_MAP_CREATE)) { 7211 err = avc_has_perm(bpfsec->sid, sid, SECCLASS_BPF, 7212 BPF__MAP_CREATE_AS, NULL); 7213 if (err) 7214 return err; 7215 bpfsec->perms |= BPF__MAP_CREATE; 7216 } 7217 if (bpf_token_cmd(token, BPF_PROG_LOAD)) { 7218 err = avc_has_perm(bpfsec->sid, sid, SECCLASS_BPF, 7219 BPF__PROG_LOAD_AS, NULL); 7220 if (err) 7221 return err; 7222 bpfsec->perms |= BPF__PROG_LOAD; 7223 } 7224 7225 return 0; 7226 } 7227 7228 static int selinux_bpf_token_cmd(const struct bpf_token *token, 7229 enum bpf_cmd cmd) 7230 { 7231 struct bpf_security_struct *bpfsec; 7232 7233 bpfsec = token->security; 7234 switch (cmd) { 7235 case BPF_MAP_CREATE: 7236 if (!(bpfsec->perms & BPF__MAP_CREATE)) 7237 return -EACCES; 7238 break; 7239 case BPF_PROG_LOAD: 7240 if (!(bpfsec->perms & BPF__PROG_LOAD)) 7241 return -EACCES; 7242 break; 7243 default: 7244 break; 7245 } 7246 7247 return 0; 7248 } 7249 7250 static int selinux_bpf_token_capable(const struct bpf_token *token, int cap) 7251 { 7252 u16 sclass; 7253 struct bpf_security_struct *bpfsec = token->security; 7254 bool initns = (token->userns == &init_user_ns); 7255 u32 av = CAP_TO_MASK(cap); 7256 7257 switch (CAP_TO_INDEX(cap)) { 7258 case 0: 7259 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 7260 break; 7261 case 1: 7262 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 7263 break; 7264 default: 7265 pr_err("SELinux: out of range capability %d\n", cap); 7266 return -EINVAL; 7267 } 7268 7269 return avc_has_perm(current_sid(), bpfsec->grantor_sid, sclass, av, 7270 NULL); 7271 } 7272 #endif 7273 7274 #ifdef CONFIG_PERF_EVENTS 7275 static int selinux_perf_event_open(int type) 7276 { 7277 u32 requested, sid = current_sid(); 7278 7279 if (type == PERF_SECURITY_OPEN) 7280 requested = PERF_EVENT__OPEN; 7281 else if (type == PERF_SECURITY_CPU) 7282 requested = PERF_EVENT__CPU; 7283 else if (type == PERF_SECURITY_KERNEL) 7284 requested = PERF_EVENT__KERNEL; 7285 else if (type == PERF_SECURITY_TRACEPOINT) 7286 requested = PERF_EVENT__TRACEPOINT; 7287 else 7288 return -EINVAL; 7289 7290 return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT, 7291 requested, NULL); 7292 } 7293 7294 static int selinux_perf_event_alloc(struct perf_event *event) 7295 { 7296 struct perf_event_security_struct *perfsec; 7297 7298 perfsec = selinux_perf_event(event->security); 7299 perfsec->sid = current_sid(); 7300 7301 return 0; 7302 } 7303 7304 static int selinux_perf_event_read(struct perf_event *event) 7305 { 7306 struct perf_event_security_struct *perfsec = event->security; 7307 u32 sid = current_sid(); 7308 7309 return avc_has_perm(sid, perfsec->sid, 7310 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 7311 } 7312 7313 static int selinux_perf_event_write(struct perf_event *event) 7314 { 7315 struct perf_event_security_struct *perfsec = event->security; 7316 u32 sid = current_sid(); 7317 7318 return avc_has_perm(sid, perfsec->sid, 7319 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7320 } 7321 #endif 7322 7323 #ifdef CONFIG_IO_URING 7324 /** 7325 * selinux_uring_override_creds - check the requested cred override 7326 * @new: the target creds 7327 * 7328 * Check to see if the current task is allowed to override it's credentials 7329 * to service an io_uring operation. 7330 */ 7331 static int selinux_uring_override_creds(const struct cred *new) 7332 { 7333 return avc_has_perm(current_sid(), cred_sid(new), 7334 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL); 7335 } 7336 7337 /** 7338 * selinux_uring_sqpoll - check if a io_uring polling thread can be created 7339 * 7340 * Check to see if the current task is allowed to create a new io_uring 7341 * kernel polling thread. 7342 */ 7343 static int selinux_uring_sqpoll(void) 7344 { 7345 u32 sid = current_sid(); 7346 7347 return avc_has_perm(sid, sid, 7348 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 7349 } 7350 7351 /** 7352 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed 7353 * @ioucmd: the io_uring command structure 7354 * 7355 * Check to see if the current domain is allowed to execute an 7356 * IORING_OP_URING_CMD against the device/file specified in @ioucmd. 7357 * 7358 */ 7359 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) 7360 { 7361 struct file *file = ioucmd->file; 7362 struct inode *inode = file_inode(file); 7363 struct inode_security_struct *isec = selinux_inode(inode); 7364 struct common_audit_data ad; 7365 7366 ad.type = LSM_AUDIT_DATA_FILE; 7367 ad.u.file = file; 7368 7369 return avc_has_perm(current_sid(), isec->sid, 7370 SECCLASS_IO_URING, IO_URING__CMD, &ad); 7371 } 7372 7373 /** 7374 * selinux_uring_allowed - check if io_uring_setup() can be called 7375 * 7376 * Check to see if the current task is allowed to call io_uring_setup(). 7377 */ 7378 static int selinux_uring_allowed(void) 7379 { 7380 u32 sid = current_sid(); 7381 7382 return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED, 7383 NULL); 7384 } 7385 #endif /* CONFIG_IO_URING */ 7386 7387 static const struct lsm_id selinux_lsmid = { 7388 .name = "selinux", 7389 .id = LSM_ID_SELINUX, 7390 }; 7391 7392 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { 7393 .lbs_cred = sizeof(struct cred_security_struct), 7394 .lbs_task = sizeof(struct task_security_struct), 7395 .lbs_file = sizeof(struct file_security_struct), 7396 .lbs_inode = sizeof(struct inode_security_struct), 7397 .lbs_ipc = sizeof(struct ipc_security_struct), 7398 .lbs_key = sizeof(struct key_security_struct), 7399 .lbs_msg_msg = sizeof(struct msg_security_struct), 7400 #ifdef CONFIG_PERF_EVENTS 7401 .lbs_perf_event = sizeof(struct perf_event_security_struct), 7402 #endif 7403 .lbs_sock = sizeof(struct sk_security_struct), 7404 .lbs_superblock = sizeof(struct superblock_security_struct), 7405 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, 7406 .lbs_tun_dev = sizeof(struct tun_security_struct), 7407 .lbs_ib = sizeof(struct ib_security_struct), 7408 .lbs_bpf_map = sizeof(struct bpf_security_struct), 7409 .lbs_bpf_prog = sizeof(struct bpf_security_struct), 7410 .lbs_bpf_token = sizeof(struct bpf_security_struct), 7411 }; 7412 7413 /* 7414 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 7415 * 1. any hooks that don't belong to (2.) or (3.) below, 7416 * 2. hooks that both access structures allocated by other hooks, and allocate 7417 * structures that can be later accessed by other hooks (mostly "cloning" 7418 * hooks), 7419 * 3. hooks that only allocate structures that can be later accessed by other 7420 * hooks ("allocating" hooks). 7421 * 7422 * Please follow block comment delimiters in the list to keep this order. 7423 */ 7424 static struct security_hook_list selinux_hooks[] __ro_after_init = { 7425 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 7426 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 7427 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 7428 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 7429 7430 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 7431 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 7432 LSM_HOOK_INIT(capget, selinux_capget), 7433 LSM_HOOK_INIT(capset, selinux_capset), 7434 LSM_HOOK_INIT(capable, selinux_capable), 7435 LSM_HOOK_INIT(quotactl, selinux_quotactl), 7436 LSM_HOOK_INIT(quota_on, selinux_quota_on), 7437 LSM_HOOK_INIT(syslog, selinux_syslog), 7438 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 7439 7440 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 7441 7442 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec), 7443 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 7444 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 7445 7446 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 7447 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat), 7448 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 7449 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 7450 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 7451 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 7452 LSM_HOOK_INIT(sb_mount, selinux_mount), 7453 LSM_HOOK_INIT(sb_umount, selinux_umount), 7454 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 7455 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 7456 7457 LSM_HOOK_INIT(move_mount, selinux_move_mount), 7458 7459 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 7460 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 7461 7462 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 7463 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 7464 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon), 7465 LSM_HOOK_INIT(inode_create, selinux_inode_create), 7466 LSM_HOOK_INIT(inode_link, selinux_inode_link), 7467 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 7468 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 7469 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 7470 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 7471 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 7472 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 7473 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 7474 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 7475 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 7476 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 7477 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 7478 LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap), 7479 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 7480 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 7481 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 7482 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 7483 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 7484 LSM_HOOK_INIT(inode_file_getattr, selinux_inode_file_getattr), 7485 LSM_HOOK_INIT(inode_file_setattr, selinux_inode_file_setattr), 7486 LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl), 7487 LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl), 7488 LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl), 7489 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 7490 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 7491 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 7492 LSM_HOOK_INIT(inode_getlsmprop, selinux_inode_getlsmprop), 7493 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 7494 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 7495 LSM_HOOK_INIT(path_notify, selinux_path_notify), 7496 7497 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 7498 7499 LSM_HOOK_INIT(file_permission, selinux_file_permission), 7500 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 7501 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 7502 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat), 7503 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 7504 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 7505 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 7506 LSM_HOOK_INIT(file_lock, selinux_file_lock), 7507 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 7508 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 7509 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 7510 LSM_HOOK_INIT(file_receive, selinux_file_receive), 7511 7512 LSM_HOOK_INIT(file_open, selinux_file_open), 7513 7514 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 7515 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 7516 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 7517 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 7518 LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop), 7519 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7520 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7521 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7522 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7523 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7524 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7525 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7526 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 7527 LSM_HOOK_INIT(current_getlsmprop_subj, selinux_current_getlsmprop_subj), 7528 LSM_HOOK_INIT(task_getlsmprop_obj, selinux_task_getlsmprop_obj), 7529 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7530 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7531 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7532 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7533 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7534 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7535 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7536 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7537 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7538 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7539 LSM_HOOK_INIT(userns_create, selinux_userns_create), 7540 7541 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7542 LSM_HOOK_INIT(ipc_getlsmprop, selinux_ipc_getlsmprop), 7543 7544 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7545 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7546 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7547 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7548 7549 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7550 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7551 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7552 7553 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7554 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7555 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7556 7557 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7558 7559 LSM_HOOK_INIT(getselfattr, selinux_getselfattr), 7560 LSM_HOOK_INIT(setselfattr, selinux_setselfattr), 7561 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7562 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7563 7564 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7565 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7566 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7567 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7568 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7569 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7570 7571 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7572 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7573 7574 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7575 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7576 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7577 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7578 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7579 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7580 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7581 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7582 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7583 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7584 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7585 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7586 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7587 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7588 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7589 LSM_HOOK_INIT(socket_getpeersec_stream, 7590 selinux_socket_getpeersec_stream), 7591 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7592 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7593 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7594 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7595 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7596 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7597 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7598 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7599 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established), 7600 LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow), 7601 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7602 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7603 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7604 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7605 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7606 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7607 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7608 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7609 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7610 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7611 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7612 #ifdef CONFIG_SECURITY_INFINIBAND 7613 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7614 LSM_HOOK_INIT(ib_endport_manage_subnet, 7615 selinux_ib_endport_manage_subnet), 7616 #endif 7617 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7618 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7619 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7620 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7621 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7622 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7623 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7624 selinux_xfrm_state_pol_flow_match), 7625 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7626 #endif 7627 7628 #ifdef CONFIG_KEYS 7629 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7630 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7631 #ifdef CONFIG_KEY_NOTIFICATIONS 7632 LSM_HOOK_INIT(watch_key, selinux_watch_key), 7633 #endif 7634 #endif 7635 7636 #ifdef CONFIG_AUDIT 7637 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7638 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7639 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7640 #endif 7641 7642 #ifdef CONFIG_BPF_SYSCALL 7643 LSM_HOOK_INIT(bpf, selinux_bpf), 7644 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7645 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7646 #endif 7647 7648 #ifdef CONFIG_PERF_EVENTS 7649 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7650 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7651 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7652 #endif 7653 7654 #ifdef CONFIG_IO_URING 7655 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7656 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7657 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), 7658 LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed), 7659 #endif 7660 7661 /* 7662 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7663 */ 7664 LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount), 7665 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7666 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7667 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7668 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7669 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7670 #endif 7671 7672 /* 7673 * PUT "ALLOCATING" HOOKS HERE 7674 */ 7675 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7676 LSM_HOOK_INIT(msg_queue_alloc_security, 7677 selinux_msg_queue_alloc_security), 7678 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7679 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 7680 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 7681 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7682 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7683 LSM_HOOK_INIT(lsmprop_to_secctx, selinux_lsmprop_to_secctx), 7684 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7685 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7686 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7687 #ifdef CONFIG_SECURITY_INFINIBAND 7688 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7689 #endif 7690 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7691 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7692 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7693 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7694 selinux_xfrm_state_alloc_acquire), 7695 #endif 7696 #ifdef CONFIG_KEYS 7697 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7698 #endif 7699 #ifdef CONFIG_AUDIT 7700 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7701 #endif 7702 #ifdef CONFIG_BPF_SYSCALL 7703 LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create), 7704 LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load), 7705 LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create), 7706 LSM_HOOK_INIT(bpf_token_cmd, selinux_bpf_token_cmd), 7707 LSM_HOOK_INIT(bpf_token_capable, selinux_bpf_token_capable), 7708 #endif 7709 #ifdef CONFIG_PERF_EVENTS 7710 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7711 #endif 7712 }; 7713 7714 static __init int selinux_init(void) 7715 { 7716 pr_info("SELinux: Initializing.\n"); 7717 7718 memset(&selinux_state, 0, sizeof(selinux_state)); 7719 enforcing_set(selinux_enforcing_boot); 7720 selinux_avc_init(); 7721 mutex_init(&selinux_state.status_lock); 7722 mutex_init(&selinux_state.policy_mutex); 7723 7724 /* Set the security state for the initial task. */ 7725 cred_init_security(); 7726 7727 /* Inform the audit system that secctx is used */ 7728 audit_cfg_lsm(&selinux_lsmid, 7729 AUDIT_CFG_LSM_SECCTX_SUBJECT | 7730 AUDIT_CFG_LSM_SECCTX_OBJECT); 7731 7732 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7733 if (!default_noexec) 7734 pr_notice("SELinux: virtual memory is executable by default\n"); 7735 7736 avc_init(); 7737 7738 avtab_cache_init(); 7739 7740 ebitmap_cache_init(); 7741 7742 hashtab_cache_init(); 7743 7744 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), 7745 &selinux_lsmid); 7746 7747 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7748 panic("SELinux: Unable to register AVC netcache callback\n"); 7749 7750 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7751 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7752 7753 if (avc_add_callback(selinux_audit_rule_avc_callback, 7754 AVC_CALLBACK_RESET)) 7755 panic("SELinux: Unable to register AVC audit callback\n"); 7756 7757 if (selinux_enforcing_boot) 7758 pr_debug("SELinux: Starting in enforcing mode\n"); 7759 else 7760 pr_debug("SELinux: Starting in permissive mode\n"); 7761 7762 fs_validate_description("selinux", selinux_fs_parameters); 7763 7764 return 0; 7765 } 7766 7767 static void delayed_superblock_init(struct super_block *sb, void *unused) 7768 { 7769 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7770 } 7771 7772 void selinux_complete_init(void) 7773 { 7774 pr_debug("SELinux: Completing initialization.\n"); 7775 7776 /* Set up any superblocks initialized prior to the policy load. */ 7777 pr_debug("SELinux: Setting up existing superblocks.\n"); 7778 iterate_supers(delayed_superblock_init, NULL); 7779 } 7780 7781 /* SELinux requires early initialization in order to label 7782 all processes and objects when they are created. */ 7783 DEFINE_LSM(selinux) = { 7784 .id = &selinux_lsmid, 7785 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7786 .enabled = &selinux_enabled_boot, 7787 .blobs = &selinux_blob_sizes, 7788 .init = selinux_init, 7789 .initcall_device = selinux_initcall, 7790 }; 7791 7792 #if defined(CONFIG_NETFILTER) 7793 static const struct nf_hook_ops selinux_nf_ops[] = { 7794 { 7795 .hook = selinux_ip_postroute, 7796 .pf = NFPROTO_IPV4, 7797 .hooknum = NF_INET_POST_ROUTING, 7798 .priority = NF_IP_PRI_SELINUX_LAST, 7799 }, 7800 { 7801 .hook = selinux_ip_forward, 7802 .pf = NFPROTO_IPV4, 7803 .hooknum = NF_INET_FORWARD, 7804 .priority = NF_IP_PRI_SELINUX_FIRST, 7805 }, 7806 { 7807 .hook = selinux_ip_output, 7808 .pf = NFPROTO_IPV4, 7809 .hooknum = NF_INET_LOCAL_OUT, 7810 .priority = NF_IP_PRI_SELINUX_FIRST, 7811 }, 7812 #if IS_ENABLED(CONFIG_IPV6) 7813 { 7814 .hook = selinux_ip_postroute, 7815 .pf = NFPROTO_IPV6, 7816 .hooknum = NF_INET_POST_ROUTING, 7817 .priority = NF_IP6_PRI_SELINUX_LAST, 7818 }, 7819 { 7820 .hook = selinux_ip_forward, 7821 .pf = NFPROTO_IPV6, 7822 .hooknum = NF_INET_FORWARD, 7823 .priority = NF_IP6_PRI_SELINUX_FIRST, 7824 }, 7825 { 7826 .hook = selinux_ip_output, 7827 .pf = NFPROTO_IPV6, 7828 .hooknum = NF_INET_LOCAL_OUT, 7829 .priority = NF_IP6_PRI_SELINUX_FIRST, 7830 }, 7831 #endif /* IPV6 */ 7832 }; 7833 7834 static int __net_init selinux_nf_register(struct net *net) 7835 { 7836 return nf_register_net_hooks(net, selinux_nf_ops, 7837 ARRAY_SIZE(selinux_nf_ops)); 7838 } 7839 7840 static void __net_exit selinux_nf_unregister(struct net *net) 7841 { 7842 nf_unregister_net_hooks(net, selinux_nf_ops, 7843 ARRAY_SIZE(selinux_nf_ops)); 7844 } 7845 7846 static struct pernet_operations selinux_net_ops = { 7847 .init = selinux_nf_register, 7848 .exit = selinux_nf_unregister, 7849 }; 7850 7851 int __init selinux_nf_ip_init(void) 7852 { 7853 int err; 7854 7855 if (!selinux_enabled_boot) 7856 return 0; 7857 7858 pr_debug("SELinux: Registering netfilter hooks\n"); 7859 7860 err = register_pernet_subsys(&selinux_net_ops); 7861 if (err) 7862 panic("SELinux: register_pernet_subsys: error %d\n", err); 7863 7864 return 0; 7865 } 7866 #endif /* CONFIG_NETFILTER */ 7867