1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Security-Enhanced Linux (SELinux) security module
4 *
5 * This file contains the SELinux hook function implementations.
6 *
7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com>
8 * Chris Vance, <cvance@nai.com>
9 * Wayne Salamon, <wsalamon@nai.com>
10 * James Morris <jmorris@redhat.com>
11 *
12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc.
13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
14 * Eric Paris <eparis@redhat.com>
15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
16 * <dgoeddel@trustedcs.com>
17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
18 * Paul Moore <paul@paul-moore.com>
19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
20 * Yuichi Nakamura <ynakam@hitachisoft.jp>
21 * Copyright (C) 2016 Mellanox Technologies
22 */
23
24 #include <linux/init.h>
25 #include <linux/kd.h>
26 #include <linux/kernel.h>
27 #include <linux/kernel_read_file.h>
28 #include <linux/errno.h>
29 #include <linux/sched/signal.h>
30 #include <linux/sched/task.h>
31 #include <linux/lsm_hooks.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/proc_fs.h>
40 #include <linux/swap.h>
41 #include <linux/spinlock.h>
42 #include <linux/syscalls.h>
43 #include <linux/dcache.h>
44 #include <linux/file.h>
45 #include <linux/fdtable.h>
46 #include <linux/namei.h>
47 #include <linux/mount.h>
48 #include <linux/fs_context.h>
49 #include <linux/fs_parser.h>
50 #include <linux/netfilter_ipv4.h>
51 #include <linux/netfilter_ipv6.h>
52 #include <linux/tty.h>
53 #include <net/icmp.h>
54 #include <net/ip.h> /* for local_port_range[] */
55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
56 #include <net/inet_connection_sock.h>
57 #include <net/net_namespace.h>
58 #include <net/netlabel.h>
59 #include <linux/uaccess.h>
60 #include <asm/ioctls.h>
61 #include <linux/atomic.h>
62 #include <linux/bitops.h>
63 #include <linux/interrupt.h>
64 #include <linux/netdevice.h> /* for network interface checks */
65 #include <net/netlink.h>
66 #include <linux/tcp.h>
67 #include <linux/udp.h>
68 #include <linux/sctp.h>
69 #include <net/sctp/structs.h>
70 #include <linux/quota.h>
71 #include <linux/un.h> /* for Unix socket types */
72 #include <net/af_unix.h> /* for Unix socket types */
73 #include <linux/parser.h>
74 #include <linux/nfs_mount.h>
75 #include <net/ipv6.h>
76 #include <linux/hugetlb.h>
77 #include <linux/personality.h>
78 #include <linux/audit.h>
79 #include <linux/string.h>
80 #include <linux/mutex.h>
81 #include <linux/posix-timers.h>
82 #include <linux/syslog.h>
83 #include <linux/user_namespace.h>
84 #include <linux/export.h>
85 #include <linux/msg.h>
86 #include <linux/shm.h>
87 #include <uapi/linux/shm.h>
88 #include <linux/bpf.h>
89 #include <linux/kernfs.h>
90 #include <linux/stringhash.h> /* for hashlen_string() */
91 #include <uapi/linux/mount.h>
92 #include <linux/fsnotify.h>
93 #include <linux/fanotify.h>
94 #include <linux/io_uring/cmd.h>
95 #include <uapi/linux/lsm.h>
96
97 #include "avc.h"
98 #include "objsec.h"
99 #include "netif.h"
100 #include "netnode.h"
101 #include "netport.h"
102 #include "ibpkey.h"
103 #include "xfrm.h"
104 #include "netlabel.h"
105 #include "audit.h"
106 #include "avc_ss.h"
107
108 #define SELINUX_INODE_INIT_XATTRS 1
109
110 struct selinux_state selinux_state;
111
112 /* SECMARK reference count */
113 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
114
115 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
116 static int selinux_enforcing_boot __initdata;
117
enforcing_setup(char * str)118 static int __init enforcing_setup(char *str)
119 {
120 unsigned long enforcing;
121 if (!kstrtoul(str, 0, &enforcing))
122 selinux_enforcing_boot = enforcing ? 1 : 0;
123 return 1;
124 }
125 __setup("enforcing=", enforcing_setup);
126 #else
127 #define selinux_enforcing_boot 1
128 #endif
129
130 int selinux_enabled_boot __initdata = 1;
131 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
selinux_enabled_setup(char * str)132 static int __init selinux_enabled_setup(char *str)
133 {
134 unsigned long enabled;
135 if (!kstrtoul(str, 0, &enabled))
136 selinux_enabled_boot = enabled ? 1 : 0;
137 return 1;
138 }
139 __setup("selinux=", selinux_enabled_setup);
140 #endif
141
checkreqprot_setup(char * str)142 static int __init checkreqprot_setup(char *str)
143 {
144 unsigned long checkreqprot;
145
146 if (!kstrtoul(str, 0, &checkreqprot)) {
147 if (checkreqprot)
148 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n");
149 }
150 return 1;
151 }
152 __setup("checkreqprot=", checkreqprot_setup);
153
154 /**
155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
156 *
157 * Description:
158 * This function checks the SECMARK reference counter to see if any SECMARK
159 * targets are currently configured, if the reference counter is greater than
160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is
161 * enabled, false (0) if SECMARK is disabled. If the always_check_network
162 * policy capability is enabled, SECMARK is always considered enabled.
163 *
164 */
selinux_secmark_enabled(void)165 static int selinux_secmark_enabled(void)
166 {
167 return (selinux_policycap_alwaysnetwork() ||
168 atomic_read(&selinux_secmark_refcount));
169 }
170
171 /**
172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled
173 *
174 * Description:
175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true
176 * (1) if any are enabled or false (0) if neither are enabled. If the
177 * always_check_network policy capability is enabled, peer labeling
178 * is always considered enabled.
179 *
180 */
selinux_peerlbl_enabled(void)181 static int selinux_peerlbl_enabled(void)
182 {
183 return (selinux_policycap_alwaysnetwork() ||
184 netlbl_enabled() || selinux_xfrm_enabled());
185 }
186
selinux_netcache_avc_callback(u32 event)187 static int selinux_netcache_avc_callback(u32 event)
188 {
189 if (event == AVC_CALLBACK_RESET) {
190 sel_netif_flush();
191 sel_netnode_flush();
192 sel_netport_flush();
193 synchronize_net();
194 }
195 return 0;
196 }
197
selinux_lsm_notifier_avc_callback(u32 event)198 static int selinux_lsm_notifier_avc_callback(u32 event)
199 {
200 if (event == AVC_CALLBACK_RESET) {
201 sel_ib_pkey_flush();
202 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
203 }
204
205 return 0;
206 }
207
208 /*
209 * initialise the security for the init task
210 */
cred_init_security(void)211 static void cred_init_security(void)
212 {
213 struct task_security_struct *tsec;
214
215 /* NOTE: the lsm framework zeros out the buffer on allocation */
216
217 tsec = selinux_cred(unrcu_pointer(current->real_cred));
218 tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL;
219 }
220
221 /*
222 * get the security ID of a set of credentials
223 */
cred_sid(const struct cred * cred)224 static inline u32 cred_sid(const struct cred *cred)
225 {
226 const struct task_security_struct *tsec;
227
228 tsec = selinux_cred(cred);
229 return tsec->sid;
230 }
231
__ad_net_init(struct common_audit_data * ad,struct lsm_network_audit * net,int ifindex,struct sock * sk,u16 family)232 static void __ad_net_init(struct common_audit_data *ad,
233 struct lsm_network_audit *net,
234 int ifindex, struct sock *sk, u16 family)
235 {
236 ad->type = LSM_AUDIT_DATA_NET;
237 ad->u.net = net;
238 net->netif = ifindex;
239 net->sk = sk;
240 net->family = family;
241 }
242
ad_net_init_from_sk(struct common_audit_data * ad,struct lsm_network_audit * net,struct sock * sk)243 static void ad_net_init_from_sk(struct common_audit_data *ad,
244 struct lsm_network_audit *net,
245 struct sock *sk)
246 {
247 __ad_net_init(ad, net, 0, sk, 0);
248 }
249
ad_net_init_from_iif(struct common_audit_data * ad,struct lsm_network_audit * net,int ifindex,u16 family)250 static void ad_net_init_from_iif(struct common_audit_data *ad,
251 struct lsm_network_audit *net,
252 int ifindex, u16 family)
253 {
254 __ad_net_init(ad, net, ifindex, NULL, family);
255 }
256
257 /*
258 * get the objective security ID of a task
259 */
task_sid_obj(const struct task_struct * task)260 static inline u32 task_sid_obj(const struct task_struct *task)
261 {
262 u32 sid;
263
264 rcu_read_lock();
265 sid = cred_sid(__task_cred(task));
266 rcu_read_unlock();
267 return sid;
268 }
269
270 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
271
272 /*
273 * Try reloading inode security labels that have been marked as invalid. The
274 * @may_sleep parameter indicates when sleeping and thus reloading labels is
275 * allowed; when set to false, returns -ECHILD when the label is
276 * invalid. The @dentry parameter should be set to a dentry of the inode.
277 */
__inode_security_revalidate(struct inode * inode,struct dentry * dentry,bool may_sleep)278 static int __inode_security_revalidate(struct inode *inode,
279 struct dentry *dentry,
280 bool may_sleep)
281 {
282 if (!selinux_initialized())
283 return 0;
284
285 if (may_sleep)
286 might_sleep();
287 else
288 return -ECHILD;
289
290 /*
291 * Check to ensure that an inode's SELinux state is valid and try
292 * reloading the inode security label if necessary. This will fail if
293 * @dentry is NULL and no dentry for this inode can be found; in that
294 * case, continue using the old label.
295 */
296 inode_doinit_with_dentry(inode, dentry);
297 return 0;
298 }
299
inode_security_novalidate(struct inode * inode)300 static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
301 {
302 return selinux_inode(inode);
303 }
304
inode_security_rcu(struct inode * inode,bool rcu)305 static inline struct inode_security_struct *inode_security_rcu(struct inode *inode,
306 bool rcu)
307 {
308 int rc;
309 struct inode_security_struct *isec = selinux_inode(inode);
310
311 /* check below is racy, but revalidate will recheck with lock held */
312 if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
313 return isec;
314 rc = __inode_security_revalidate(inode, NULL, !rcu);
315 if (rc)
316 return ERR_PTR(rc);
317 return isec;
318 }
319
320 /*
321 * Get the security label of an inode.
322 */
inode_security(struct inode * inode)323 static inline struct inode_security_struct *inode_security(struct inode *inode)
324 {
325 struct inode_security_struct *isec = selinux_inode(inode);
326
327 /* check below is racy, but revalidate will recheck with lock held */
328 if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
329 return isec;
330 __inode_security_revalidate(inode, NULL, true);
331 return isec;
332 }
333
backing_inode_security_novalidate(struct dentry * dentry)334 static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
335 {
336 return selinux_inode(d_backing_inode(dentry));
337 }
338
339 /*
340 * Get the security label of a dentry's backing inode.
341 */
backing_inode_security(struct dentry * dentry)342 static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry)
343 {
344 struct inode *inode = d_backing_inode(dentry);
345 struct inode_security_struct *isec = selinux_inode(inode);
346
347 /* check below is racy, but revalidate will recheck with lock held */
348 if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))
349 return isec;
350 __inode_security_revalidate(inode, dentry, true);
351 return isec;
352 }
353
inode_free_security(struct inode * inode)354 static void inode_free_security(struct inode *inode)
355 {
356 struct inode_security_struct *isec = selinux_inode(inode);
357 struct superblock_security_struct *sbsec;
358
359 if (!isec)
360 return;
361 sbsec = selinux_superblock(inode->i_sb);
362 /*
363 * As not all inode security structures are in a list, we check for
364 * empty list outside of the lock to make sure that we won't waste
365 * time taking a lock doing nothing.
366 *
367 * The list_del_init() function can be safely called more than once.
368 * It should not be possible for this function to be called with
369 * concurrent list_add(), but for better safety against future changes
370 * in the code, we use list_empty_careful() here.
371 */
372 if (!list_empty_careful(&isec->list)) {
373 spin_lock(&sbsec->isec_lock);
374 list_del_init(&isec->list);
375 spin_unlock(&sbsec->isec_lock);
376 }
377 }
378
379 struct selinux_mnt_opts {
380 u32 fscontext_sid;
381 u32 context_sid;
382 u32 rootcontext_sid;
383 u32 defcontext_sid;
384 };
385
selinux_free_mnt_opts(void * mnt_opts)386 static void selinux_free_mnt_opts(void *mnt_opts)
387 {
388 kfree(mnt_opts);
389 }
390
391 enum {
392 Opt_error = -1,
393 Opt_context = 0,
394 Opt_defcontext = 1,
395 Opt_fscontext = 2,
396 Opt_rootcontext = 3,
397 Opt_seclabel = 4,
398 };
399
400 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg}
401 static const struct {
402 const char *name;
403 int len;
404 int opt;
405 bool has_arg;
406 } tokens[] = {
407 A(context, true),
408 A(fscontext, true),
409 A(defcontext, true),
410 A(rootcontext, true),
411 A(seclabel, false),
412 };
413 #undef A
414
match_opt_prefix(char * s,int l,char ** arg)415 static int match_opt_prefix(char *s, int l, char **arg)
416 {
417 unsigned int i;
418
419 for (i = 0; i < ARRAY_SIZE(tokens); i++) {
420 size_t len = tokens[i].len;
421 if (len > l || memcmp(s, tokens[i].name, len))
422 continue;
423 if (tokens[i].has_arg) {
424 if (len == l || s[len] != '=')
425 continue;
426 *arg = s + len + 1;
427 } else if (len != l)
428 continue;
429 return tokens[i].opt;
430 }
431 return Opt_error;
432 }
433
434 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n"
435
may_context_mount_sb_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)436 static int may_context_mount_sb_relabel(u32 sid,
437 struct superblock_security_struct *sbsec,
438 const struct cred *cred)
439 {
440 const struct task_security_struct *tsec = selinux_cred(cred);
441 int rc;
442
443 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
444 FILESYSTEM__RELABELFROM, NULL);
445 if (rc)
446 return rc;
447
448 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
449 FILESYSTEM__RELABELTO, NULL);
450 return rc;
451 }
452
may_context_mount_inode_relabel(u32 sid,struct superblock_security_struct * sbsec,const struct cred * cred)453 static int may_context_mount_inode_relabel(u32 sid,
454 struct superblock_security_struct *sbsec,
455 const struct cred *cred)
456 {
457 const struct task_security_struct *tsec = selinux_cred(cred);
458 int rc;
459 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
460 FILESYSTEM__RELABELFROM, NULL);
461 if (rc)
462 return rc;
463
464 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
465 FILESYSTEM__ASSOCIATE, NULL);
466 return rc;
467 }
468
selinux_is_genfs_special_handling(struct super_block * sb)469 static int selinux_is_genfs_special_handling(struct super_block *sb)
470 {
471 /* Special handling. Genfs but also in-core setxattr handler */
472 return !strcmp(sb->s_type->name, "sysfs") ||
473 !strcmp(sb->s_type->name, "pstore") ||
474 !strcmp(sb->s_type->name, "debugfs") ||
475 !strcmp(sb->s_type->name, "tracefs") ||
476 !strcmp(sb->s_type->name, "rootfs") ||
477 (selinux_policycap_cgroupseclabel() &&
478 (!strcmp(sb->s_type->name, "cgroup") ||
479 !strcmp(sb->s_type->name, "cgroup2")));
480 }
481
selinux_is_sblabel_mnt(struct super_block * sb)482 static int selinux_is_sblabel_mnt(struct super_block *sb)
483 {
484 struct superblock_security_struct *sbsec = selinux_superblock(sb);
485
486 /*
487 * IMPORTANT: Double-check logic in this function when adding a new
488 * SECURITY_FS_USE_* definition!
489 */
490 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7);
491
492 switch (sbsec->behavior) {
493 case SECURITY_FS_USE_XATTR:
494 case SECURITY_FS_USE_TRANS:
495 case SECURITY_FS_USE_TASK:
496 case SECURITY_FS_USE_NATIVE:
497 return 1;
498
499 case SECURITY_FS_USE_GENFS:
500 return selinux_is_genfs_special_handling(sb);
501
502 /* Never allow relabeling on context mounts */
503 case SECURITY_FS_USE_MNTPOINT:
504 case SECURITY_FS_USE_NONE:
505 default:
506 return 0;
507 }
508 }
509
sb_check_xattr_support(struct super_block * sb)510 static int sb_check_xattr_support(struct super_block *sb)
511 {
512 struct superblock_security_struct *sbsec = selinux_superblock(sb);
513 struct dentry *root = sb->s_root;
514 struct inode *root_inode = d_backing_inode(root);
515 u32 sid;
516 int rc;
517
518 /*
519 * Make sure that the xattr handler exists and that no
520 * error other than -ENODATA is returned by getxattr on
521 * the root directory. -ENODATA is ok, as this may be
522 * the first boot of the SELinux kernel before we have
523 * assigned xattr values to the filesystem.
524 */
525 if (!(root_inode->i_opflags & IOP_XATTR)) {
526 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n",
527 sb->s_id, sb->s_type->name);
528 goto fallback;
529 }
530
531 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0);
532 if (rc < 0 && rc != -ENODATA) {
533 if (rc == -EOPNOTSUPP) {
534 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n",
535 sb->s_id, sb->s_type->name);
536 goto fallback;
537 } else {
538 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n",
539 sb->s_id, sb->s_type->name, -rc);
540 return rc;
541 }
542 }
543 return 0;
544
545 fallback:
546 /* No xattr support - try to fallback to genfs if possible. */
547 rc = security_genfs_sid(sb->s_type->name, "/",
548 SECCLASS_DIR, &sid);
549 if (rc)
550 return -EOPNOTSUPP;
551
552 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n",
553 sb->s_id, sb->s_type->name);
554 sbsec->behavior = SECURITY_FS_USE_GENFS;
555 sbsec->sid = sid;
556 return 0;
557 }
558
sb_finish_set_opts(struct super_block * sb)559 static int sb_finish_set_opts(struct super_block *sb)
560 {
561 struct superblock_security_struct *sbsec = selinux_superblock(sb);
562 struct dentry *root = sb->s_root;
563 struct inode *root_inode = d_backing_inode(root);
564 int rc = 0;
565
566 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
567 rc = sb_check_xattr_support(sb);
568 if (rc)
569 return rc;
570 }
571
572 sbsec->flags |= SE_SBINITIALIZED;
573
574 /*
575 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply
576 * leave the flag untouched because sb_clone_mnt_opts might be handing
577 * us a superblock that needs the flag to be cleared.
578 */
579 if (selinux_is_sblabel_mnt(sb))
580 sbsec->flags |= SBLABEL_MNT;
581 else
582 sbsec->flags &= ~SBLABEL_MNT;
583
584 /* Initialize the root inode. */
585 rc = inode_doinit_with_dentry(root_inode, root);
586
587 /* Initialize any other inodes associated with the superblock, e.g.
588 inodes created prior to initial policy load or inodes created
589 during get_sb by a pseudo filesystem that directly
590 populates itself. */
591 spin_lock(&sbsec->isec_lock);
592 while (!list_empty(&sbsec->isec_head)) {
593 struct inode_security_struct *isec =
594 list_first_entry(&sbsec->isec_head,
595 struct inode_security_struct, list);
596 struct inode *inode = isec->inode;
597 list_del_init(&isec->list);
598 spin_unlock(&sbsec->isec_lock);
599 inode = igrab(inode);
600 if (inode) {
601 if (!IS_PRIVATE(inode))
602 inode_doinit_with_dentry(inode, NULL);
603 iput(inode);
604 }
605 spin_lock(&sbsec->isec_lock);
606 }
607 spin_unlock(&sbsec->isec_lock);
608 return rc;
609 }
610
bad_option(struct superblock_security_struct * sbsec,char flag,u32 old_sid,u32 new_sid)611 static int bad_option(struct superblock_security_struct *sbsec, char flag,
612 u32 old_sid, u32 new_sid)
613 {
614 char mnt_flags = sbsec->flags & SE_MNTMASK;
615
616 /* check if the old mount command had the same options */
617 if (sbsec->flags & SE_SBINITIALIZED)
618 if (!(sbsec->flags & flag) ||
619 (old_sid != new_sid))
620 return 1;
621
622 /* check if we were passed the same options twice,
623 * aka someone passed context=a,context=b
624 */
625 if (!(sbsec->flags & SE_SBINITIALIZED))
626 if (mnt_flags & flag)
627 return 1;
628 return 0;
629 }
630
631 /*
632 * Allow filesystems with binary mount data to explicitly set mount point
633 * labeling information.
634 */
selinux_set_mnt_opts(struct super_block * sb,void * mnt_opts,unsigned long kern_flags,unsigned long * set_kern_flags)635 static int selinux_set_mnt_opts(struct super_block *sb,
636 void *mnt_opts,
637 unsigned long kern_flags,
638 unsigned long *set_kern_flags)
639 {
640 const struct cred *cred = current_cred();
641 struct superblock_security_struct *sbsec = selinux_superblock(sb);
642 struct dentry *root = sb->s_root;
643 struct selinux_mnt_opts *opts = mnt_opts;
644 struct inode_security_struct *root_isec;
645 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
646 u32 defcontext_sid = 0;
647 int rc = 0;
648
649 /*
650 * Specifying internal flags without providing a place to
651 * place the results is not allowed
652 */
653 if (kern_flags && !set_kern_flags)
654 return -EINVAL;
655
656 mutex_lock(&sbsec->lock);
657
658 if (!selinux_initialized()) {
659 if (!opts) {
660 /* Defer initialization until selinux_complete_init,
661 after the initial policy is loaded and the security
662 server is ready to handle calls. */
663 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
664 sbsec->flags |= SE_SBNATIVE;
665 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
666 }
667 goto out;
668 }
669 rc = -EINVAL;
670 pr_warn("SELinux: Unable to set superblock options "
671 "before the security server is initialized\n");
672 goto out;
673 }
674
675 /*
676 * Binary mount data FS will come through this function twice. Once
677 * from an explicit call and once from the generic calls from the vfs.
678 * Since the generic VFS calls will not contain any security mount data
679 * we need to skip the double mount verification.
680 *
681 * This does open a hole in which we will not notice if the first
682 * mount using this sb set explicit options and a second mount using
683 * this sb does not set any security options. (The first options
684 * will be used for both mounts)
685 */
686 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
687 && !opts)
688 goto out;
689
690 root_isec = backing_inode_security_novalidate(root);
691
692 /*
693 * parse the mount options, check if they are valid sids.
694 * also check if someone is trying to mount the same sb more
695 * than once with different security options.
696 */
697 if (opts) {
698 if (opts->fscontext_sid) {
699 fscontext_sid = opts->fscontext_sid;
700 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
701 fscontext_sid))
702 goto out_double_mount;
703 sbsec->flags |= FSCONTEXT_MNT;
704 }
705 if (opts->context_sid) {
706 context_sid = opts->context_sid;
707 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
708 context_sid))
709 goto out_double_mount;
710 sbsec->flags |= CONTEXT_MNT;
711 }
712 if (opts->rootcontext_sid) {
713 rootcontext_sid = opts->rootcontext_sid;
714 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
715 rootcontext_sid))
716 goto out_double_mount;
717 sbsec->flags |= ROOTCONTEXT_MNT;
718 }
719 if (opts->defcontext_sid) {
720 defcontext_sid = opts->defcontext_sid;
721 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
722 defcontext_sid))
723 goto out_double_mount;
724 sbsec->flags |= DEFCONTEXT_MNT;
725 }
726 }
727
728 if (sbsec->flags & SE_SBINITIALIZED) {
729 /* previously mounted with options, but not on this attempt? */
730 if ((sbsec->flags & SE_MNTMASK) && !opts)
731 goto out_double_mount;
732 rc = 0;
733 goto out;
734 }
735
736 if (strcmp(sb->s_type->name, "proc") == 0)
737 sbsec->flags |= SE_SBPROC | SE_SBGENFS;
738
739 if (!strcmp(sb->s_type->name, "debugfs") ||
740 !strcmp(sb->s_type->name, "tracefs") ||
741 !strcmp(sb->s_type->name, "binder") ||
742 !strcmp(sb->s_type->name, "bpf") ||
743 !strcmp(sb->s_type->name, "pstore") ||
744 !strcmp(sb->s_type->name, "securityfs"))
745 sbsec->flags |= SE_SBGENFS;
746
747 if (!strcmp(sb->s_type->name, "sysfs") ||
748 !strcmp(sb->s_type->name, "cgroup") ||
749 !strcmp(sb->s_type->name, "cgroup2"))
750 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR;
751
752 if (!sbsec->behavior) {
753 /*
754 * Determine the labeling behavior to use for this
755 * filesystem type.
756 */
757 rc = security_fs_use(sb);
758 if (rc) {
759 pr_warn("%s: security_fs_use(%s) returned %d\n",
760 __func__, sb->s_type->name, rc);
761 goto out;
762 }
763 }
764
765 /*
766 * If this is a user namespace mount and the filesystem type is not
767 * explicitly whitelisted, then no contexts are allowed on the command
768 * line and security labels must be ignored.
769 */
770 if (sb->s_user_ns != &init_user_ns &&
771 strcmp(sb->s_type->name, "tmpfs") &&
772 strcmp(sb->s_type->name, "ramfs") &&
773 strcmp(sb->s_type->name, "devpts") &&
774 strcmp(sb->s_type->name, "overlay")) {
775 if (context_sid || fscontext_sid || rootcontext_sid ||
776 defcontext_sid) {
777 rc = -EACCES;
778 goto out;
779 }
780 if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
781 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
782 rc = security_transition_sid(current_sid(),
783 current_sid(),
784 SECCLASS_FILE, NULL,
785 &sbsec->mntpoint_sid);
786 if (rc)
787 goto out;
788 }
789 goto out_set_opts;
790 }
791
792 /* sets the context of the superblock for the fs being mounted. */
793 if (fscontext_sid) {
794 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
795 if (rc)
796 goto out;
797
798 sbsec->sid = fscontext_sid;
799 }
800
801 /*
802 * Switch to using mount point labeling behavior.
803 * sets the label used on all file below the mountpoint, and will set
804 * the superblock context if not already set.
805 */
806 if (sbsec->flags & SE_SBNATIVE) {
807 /*
808 * This means we are initializing a superblock that has been
809 * mounted before the SELinux was initialized and the
810 * filesystem requested native labeling. We had already
811 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags
812 * in the original mount attempt, so now we just need to set
813 * the SECURITY_FS_USE_NATIVE behavior.
814 */
815 sbsec->behavior = SECURITY_FS_USE_NATIVE;
816 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
817 sbsec->behavior = SECURITY_FS_USE_NATIVE;
818 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
819 }
820
821 if (context_sid) {
822 if (!fscontext_sid) {
823 rc = may_context_mount_sb_relabel(context_sid, sbsec,
824 cred);
825 if (rc)
826 goto out;
827 sbsec->sid = context_sid;
828 } else {
829 rc = may_context_mount_inode_relabel(context_sid, sbsec,
830 cred);
831 if (rc)
832 goto out;
833 }
834 if (!rootcontext_sid)
835 rootcontext_sid = context_sid;
836
837 sbsec->mntpoint_sid = context_sid;
838 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
839 }
840
841 if (rootcontext_sid) {
842 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
843 cred);
844 if (rc)
845 goto out;
846
847 root_isec->sid = rootcontext_sid;
848 root_isec->initialized = LABEL_INITIALIZED;
849 }
850
851 if (defcontext_sid) {
852 if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
853 sbsec->behavior != SECURITY_FS_USE_NATIVE) {
854 rc = -EINVAL;
855 pr_warn("SELinux: defcontext option is "
856 "invalid for this filesystem type\n");
857 goto out;
858 }
859
860 if (defcontext_sid != sbsec->def_sid) {
861 rc = may_context_mount_inode_relabel(defcontext_sid,
862 sbsec, cred);
863 if (rc)
864 goto out;
865 }
866
867 sbsec->def_sid = defcontext_sid;
868 }
869
870 out_set_opts:
871 rc = sb_finish_set_opts(sb);
872 out:
873 mutex_unlock(&sbsec->lock);
874 return rc;
875 out_double_mount:
876 rc = -EINVAL;
877 pr_warn("SELinux: mount invalid. Same superblock, different "
878 "security settings for (dev %s, type %s)\n", sb->s_id,
879 sb->s_type->name);
880 goto out;
881 }
882
selinux_cmp_sb_context(const struct super_block * oldsb,const struct super_block * newsb)883 static int selinux_cmp_sb_context(const struct super_block *oldsb,
884 const struct super_block *newsb)
885 {
886 struct superblock_security_struct *old = selinux_superblock(oldsb);
887 struct superblock_security_struct *new = selinux_superblock(newsb);
888 char oldflags = old->flags & SE_MNTMASK;
889 char newflags = new->flags & SE_MNTMASK;
890
891 if (oldflags != newflags)
892 goto mismatch;
893 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid)
894 goto mismatch;
895 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid)
896 goto mismatch;
897 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid)
898 goto mismatch;
899 if (oldflags & ROOTCONTEXT_MNT) {
900 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root);
901 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root);
902 if (oldroot->sid != newroot->sid)
903 goto mismatch;
904 }
905 return 0;
906 mismatch:
907 pr_warn("SELinux: mount invalid. Same superblock, "
908 "different security settings for (dev %s, "
909 "type %s)\n", newsb->s_id, newsb->s_type->name);
910 return -EBUSY;
911 }
912
selinux_sb_clone_mnt_opts(const struct super_block * oldsb,struct super_block * newsb,unsigned long kern_flags,unsigned long * set_kern_flags)913 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
914 struct super_block *newsb,
915 unsigned long kern_flags,
916 unsigned long *set_kern_flags)
917 {
918 int rc = 0;
919 const struct superblock_security_struct *oldsbsec =
920 selinux_superblock(oldsb);
921 struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
922
923 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
924 int set_context = (oldsbsec->flags & CONTEXT_MNT);
925 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
926
927 /*
928 * Specifying internal flags without providing a place to
929 * place the results is not allowed.
930 */
931 if (kern_flags && !set_kern_flags)
932 return -EINVAL;
933
934 mutex_lock(&newsbsec->lock);
935
936 /*
937 * if the parent was able to be mounted it clearly had no special lsm
938 * mount options. thus we can safely deal with this superblock later
939 */
940 if (!selinux_initialized()) {
941 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) {
942 newsbsec->flags |= SE_SBNATIVE;
943 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
944 }
945 goto out;
946 }
947
948 /* how can we clone if the old one wasn't set up?? */
949 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED));
950
951 /* if fs is reusing a sb, make sure that the contexts match */
952 if (newsbsec->flags & SE_SBINITIALIZED) {
953 mutex_unlock(&newsbsec->lock);
954 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context)
955 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
956 return selinux_cmp_sb_context(oldsb, newsb);
957 }
958
959 newsbsec->flags = oldsbsec->flags;
960
961 newsbsec->sid = oldsbsec->sid;
962 newsbsec->def_sid = oldsbsec->def_sid;
963 newsbsec->behavior = oldsbsec->behavior;
964
965 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
966 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
967 rc = security_fs_use(newsb);
968 if (rc)
969 goto out;
970 }
971
972 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) {
973 newsbsec->behavior = SECURITY_FS_USE_NATIVE;
974 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
975 }
976
977 if (set_context) {
978 u32 sid = oldsbsec->mntpoint_sid;
979
980 if (!set_fscontext)
981 newsbsec->sid = sid;
982 if (!set_rootcontext) {
983 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
984 newisec->sid = sid;
985 }
986 newsbsec->mntpoint_sid = sid;
987 }
988 if (set_rootcontext) {
989 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
990 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
991
992 newisec->sid = oldisec->sid;
993 }
994
995 sb_finish_set_opts(newsb);
996 out:
997 mutex_unlock(&newsbsec->lock);
998 return rc;
999 }
1000
1001 /*
1002 * NOTE: the caller is responsible for freeing the memory even if on error.
1003 */
selinux_add_opt(int token,const char * s,void ** mnt_opts)1004 static int selinux_add_opt(int token, const char *s, void **mnt_opts)
1005 {
1006 struct selinux_mnt_opts *opts = *mnt_opts;
1007 u32 *dst_sid;
1008 int rc;
1009
1010 if (token == Opt_seclabel)
1011 /* eaten and completely ignored */
1012 return 0;
1013 if (!s)
1014 return -EINVAL;
1015
1016 if (!selinux_initialized()) {
1017 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n");
1018 return -EINVAL;
1019 }
1020
1021 if (!opts) {
1022 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1023 if (!opts)
1024 return -ENOMEM;
1025 *mnt_opts = opts;
1026 }
1027
1028 switch (token) {
1029 case Opt_context:
1030 if (opts->context_sid || opts->defcontext_sid)
1031 goto err;
1032 dst_sid = &opts->context_sid;
1033 break;
1034 case Opt_fscontext:
1035 if (opts->fscontext_sid)
1036 goto err;
1037 dst_sid = &opts->fscontext_sid;
1038 break;
1039 case Opt_rootcontext:
1040 if (opts->rootcontext_sid)
1041 goto err;
1042 dst_sid = &opts->rootcontext_sid;
1043 break;
1044 case Opt_defcontext:
1045 if (opts->context_sid || opts->defcontext_sid)
1046 goto err;
1047 dst_sid = &opts->defcontext_sid;
1048 break;
1049 default:
1050 WARN_ON(1);
1051 return -EINVAL;
1052 }
1053 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL);
1054 if (rc)
1055 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n",
1056 s, rc);
1057 return rc;
1058
1059 err:
1060 pr_warn(SEL_MOUNT_FAIL_MSG);
1061 return -EINVAL;
1062 }
1063
show_sid(struct seq_file * m,u32 sid)1064 static int show_sid(struct seq_file *m, u32 sid)
1065 {
1066 char *context = NULL;
1067 u32 len;
1068 int rc;
1069
1070 rc = security_sid_to_context(sid, &context, &len);
1071 if (!rc) {
1072 bool has_comma = strchr(context, ',');
1073
1074 seq_putc(m, '=');
1075 if (has_comma)
1076 seq_putc(m, '\"');
1077 seq_escape(m, context, "\"\n\\");
1078 if (has_comma)
1079 seq_putc(m, '\"');
1080 }
1081 kfree(context);
1082 return rc;
1083 }
1084
selinux_sb_show_options(struct seq_file * m,struct super_block * sb)1085 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1086 {
1087 struct superblock_security_struct *sbsec = selinux_superblock(sb);
1088 int rc;
1089
1090 if (!(sbsec->flags & SE_SBINITIALIZED))
1091 return 0;
1092
1093 if (!selinux_initialized())
1094 return 0;
1095
1096 if (sbsec->flags & FSCONTEXT_MNT) {
1097 seq_putc(m, ',');
1098 seq_puts(m, FSCONTEXT_STR);
1099 rc = show_sid(m, sbsec->sid);
1100 if (rc)
1101 return rc;
1102 }
1103 if (sbsec->flags & CONTEXT_MNT) {
1104 seq_putc(m, ',');
1105 seq_puts(m, CONTEXT_STR);
1106 rc = show_sid(m, sbsec->mntpoint_sid);
1107 if (rc)
1108 return rc;
1109 }
1110 if (sbsec->flags & DEFCONTEXT_MNT) {
1111 seq_putc(m, ',');
1112 seq_puts(m, DEFCONTEXT_STR);
1113 rc = show_sid(m, sbsec->def_sid);
1114 if (rc)
1115 return rc;
1116 }
1117 if (sbsec->flags & ROOTCONTEXT_MNT) {
1118 struct dentry *root = sb->s_root;
1119 struct inode_security_struct *isec = backing_inode_security(root);
1120 seq_putc(m, ',');
1121 seq_puts(m, ROOTCONTEXT_STR);
1122 rc = show_sid(m, isec->sid);
1123 if (rc)
1124 return rc;
1125 }
1126 if (sbsec->flags & SBLABEL_MNT) {
1127 seq_putc(m, ',');
1128 seq_puts(m, SECLABEL_STR);
1129 }
1130 return 0;
1131 }
1132
inode_mode_to_security_class(umode_t mode)1133 static inline u16 inode_mode_to_security_class(umode_t mode)
1134 {
1135 switch (mode & S_IFMT) {
1136 case S_IFSOCK:
1137 return SECCLASS_SOCK_FILE;
1138 case S_IFLNK:
1139 return SECCLASS_LNK_FILE;
1140 case S_IFREG:
1141 return SECCLASS_FILE;
1142 case S_IFBLK:
1143 return SECCLASS_BLK_FILE;
1144 case S_IFDIR:
1145 return SECCLASS_DIR;
1146 case S_IFCHR:
1147 return SECCLASS_CHR_FILE;
1148 case S_IFIFO:
1149 return SECCLASS_FIFO_FILE;
1150
1151 }
1152
1153 return SECCLASS_FILE;
1154 }
1155
default_protocol_stream(int protocol)1156 static inline int default_protocol_stream(int protocol)
1157 {
1158 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
1159 protocol == IPPROTO_MPTCP);
1160 }
1161
default_protocol_dgram(int protocol)1162 static inline int default_protocol_dgram(int protocol)
1163 {
1164 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1165 }
1166
socket_type_to_security_class(int family,int type,int protocol)1167 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1168 {
1169 bool extsockclass = selinux_policycap_extsockclass();
1170
1171 switch (family) {
1172 case PF_UNIX:
1173 switch (type) {
1174 case SOCK_STREAM:
1175 case SOCK_SEQPACKET:
1176 return SECCLASS_UNIX_STREAM_SOCKET;
1177 case SOCK_DGRAM:
1178 case SOCK_RAW:
1179 return SECCLASS_UNIX_DGRAM_SOCKET;
1180 }
1181 break;
1182 case PF_INET:
1183 case PF_INET6:
1184 switch (type) {
1185 case SOCK_STREAM:
1186 case SOCK_SEQPACKET:
1187 if (default_protocol_stream(protocol))
1188 return SECCLASS_TCP_SOCKET;
1189 else if (extsockclass && protocol == IPPROTO_SCTP)
1190 return SECCLASS_SCTP_SOCKET;
1191 else
1192 return SECCLASS_RAWIP_SOCKET;
1193 case SOCK_DGRAM:
1194 if (default_protocol_dgram(protocol))
1195 return SECCLASS_UDP_SOCKET;
1196 else if (extsockclass && (protocol == IPPROTO_ICMP ||
1197 protocol == IPPROTO_ICMPV6))
1198 return SECCLASS_ICMP_SOCKET;
1199 else
1200 return SECCLASS_RAWIP_SOCKET;
1201 default:
1202 return SECCLASS_RAWIP_SOCKET;
1203 }
1204 break;
1205 case PF_NETLINK:
1206 switch (protocol) {
1207 case NETLINK_ROUTE:
1208 return SECCLASS_NETLINK_ROUTE_SOCKET;
1209 case NETLINK_SOCK_DIAG:
1210 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1211 case NETLINK_NFLOG:
1212 return SECCLASS_NETLINK_NFLOG_SOCKET;
1213 case NETLINK_XFRM:
1214 return SECCLASS_NETLINK_XFRM_SOCKET;
1215 case NETLINK_SELINUX:
1216 return SECCLASS_NETLINK_SELINUX_SOCKET;
1217 case NETLINK_ISCSI:
1218 return SECCLASS_NETLINK_ISCSI_SOCKET;
1219 case NETLINK_AUDIT:
1220 return SECCLASS_NETLINK_AUDIT_SOCKET;
1221 case NETLINK_FIB_LOOKUP:
1222 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
1223 case NETLINK_CONNECTOR:
1224 return SECCLASS_NETLINK_CONNECTOR_SOCKET;
1225 case NETLINK_NETFILTER:
1226 return SECCLASS_NETLINK_NETFILTER_SOCKET;
1227 case NETLINK_DNRTMSG:
1228 return SECCLASS_NETLINK_DNRT_SOCKET;
1229 case NETLINK_KOBJECT_UEVENT:
1230 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1231 case NETLINK_GENERIC:
1232 return SECCLASS_NETLINK_GENERIC_SOCKET;
1233 case NETLINK_SCSITRANSPORT:
1234 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
1235 case NETLINK_RDMA:
1236 return SECCLASS_NETLINK_RDMA_SOCKET;
1237 case NETLINK_CRYPTO:
1238 return SECCLASS_NETLINK_CRYPTO_SOCKET;
1239 default:
1240 return SECCLASS_NETLINK_SOCKET;
1241 }
1242 case PF_PACKET:
1243 return SECCLASS_PACKET_SOCKET;
1244 case PF_KEY:
1245 return SECCLASS_KEY_SOCKET;
1246 case PF_APPLETALK:
1247 return SECCLASS_APPLETALK_SOCKET;
1248 }
1249
1250 if (extsockclass) {
1251 switch (family) {
1252 case PF_AX25:
1253 return SECCLASS_AX25_SOCKET;
1254 case PF_IPX:
1255 return SECCLASS_IPX_SOCKET;
1256 case PF_NETROM:
1257 return SECCLASS_NETROM_SOCKET;
1258 case PF_ATMPVC:
1259 return SECCLASS_ATMPVC_SOCKET;
1260 case PF_X25:
1261 return SECCLASS_X25_SOCKET;
1262 case PF_ROSE:
1263 return SECCLASS_ROSE_SOCKET;
1264 case PF_DECnet:
1265 return SECCLASS_DECNET_SOCKET;
1266 case PF_ATMSVC:
1267 return SECCLASS_ATMSVC_SOCKET;
1268 case PF_RDS:
1269 return SECCLASS_RDS_SOCKET;
1270 case PF_IRDA:
1271 return SECCLASS_IRDA_SOCKET;
1272 case PF_PPPOX:
1273 return SECCLASS_PPPOX_SOCKET;
1274 case PF_LLC:
1275 return SECCLASS_LLC_SOCKET;
1276 case PF_CAN:
1277 return SECCLASS_CAN_SOCKET;
1278 case PF_TIPC:
1279 return SECCLASS_TIPC_SOCKET;
1280 case PF_BLUETOOTH:
1281 return SECCLASS_BLUETOOTH_SOCKET;
1282 case PF_IUCV:
1283 return SECCLASS_IUCV_SOCKET;
1284 case PF_RXRPC:
1285 return SECCLASS_RXRPC_SOCKET;
1286 case PF_ISDN:
1287 return SECCLASS_ISDN_SOCKET;
1288 case PF_PHONET:
1289 return SECCLASS_PHONET_SOCKET;
1290 case PF_IEEE802154:
1291 return SECCLASS_IEEE802154_SOCKET;
1292 case PF_CAIF:
1293 return SECCLASS_CAIF_SOCKET;
1294 case PF_ALG:
1295 return SECCLASS_ALG_SOCKET;
1296 case PF_NFC:
1297 return SECCLASS_NFC_SOCKET;
1298 case PF_VSOCK:
1299 return SECCLASS_VSOCK_SOCKET;
1300 case PF_KCM:
1301 return SECCLASS_KCM_SOCKET;
1302 case PF_QIPCRTR:
1303 return SECCLASS_QIPCRTR_SOCKET;
1304 case PF_SMC:
1305 return SECCLASS_SMC_SOCKET;
1306 case PF_XDP:
1307 return SECCLASS_XDP_SOCKET;
1308 case PF_MCTP:
1309 return SECCLASS_MCTP_SOCKET;
1310 #if PF_MAX > 46
1311 #error New address family defined, please update this function.
1312 #endif
1313 }
1314 }
1315
1316 return SECCLASS_SOCKET;
1317 }
1318
selinux_genfs_get_sid(struct dentry * dentry,u16 tclass,u16 flags,u32 * sid)1319 static int selinux_genfs_get_sid(struct dentry *dentry,
1320 u16 tclass,
1321 u16 flags,
1322 u32 *sid)
1323 {
1324 int rc;
1325 struct super_block *sb = dentry->d_sb;
1326 char *buffer, *path;
1327
1328 buffer = (char *)__get_free_page(GFP_KERNEL);
1329 if (!buffer)
1330 return -ENOMEM;
1331
1332 path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
1333 if (IS_ERR(path))
1334 rc = PTR_ERR(path);
1335 else {
1336 if (flags & SE_SBPROC) {
1337 /* each process gets a /proc/PID/ entry. Strip off the
1338 * PID part to get a valid selinux labeling.
1339 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
1340 while (path[1] >= '0' && path[1] <= '9') {
1341 path[1] = '/';
1342 path++;
1343 }
1344 }
1345 rc = security_genfs_sid(sb->s_type->name,
1346 path, tclass, sid);
1347 if (rc == -ENOENT) {
1348 /* No match in policy, mark as unlabeled. */
1349 *sid = SECINITSID_UNLABELED;
1350 rc = 0;
1351 }
1352 }
1353 free_page((unsigned long)buffer);
1354 return rc;
1355 }
1356
inode_doinit_use_xattr(struct inode * inode,struct dentry * dentry,u32 def_sid,u32 * sid)1357 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry,
1358 u32 def_sid, u32 *sid)
1359 {
1360 #define INITCONTEXTLEN 255
1361 char *context;
1362 unsigned int len;
1363 int rc;
1364
1365 len = INITCONTEXTLEN;
1366 context = kmalloc(len + 1, GFP_NOFS);
1367 if (!context)
1368 return -ENOMEM;
1369
1370 context[len] = '\0';
1371 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len);
1372 if (rc == -ERANGE) {
1373 kfree(context);
1374
1375 /* Need a larger buffer. Query for the right size. */
1376 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0);
1377 if (rc < 0)
1378 return rc;
1379
1380 len = rc;
1381 context = kmalloc(len + 1, GFP_NOFS);
1382 if (!context)
1383 return -ENOMEM;
1384
1385 context[len] = '\0';
1386 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX,
1387 context, len);
1388 }
1389 if (rc < 0) {
1390 kfree(context);
1391 if (rc != -ENODATA) {
1392 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n",
1393 __func__, -rc, inode->i_sb->s_id, inode->i_ino);
1394 return rc;
1395 }
1396 *sid = def_sid;
1397 return 0;
1398 }
1399
1400 rc = security_context_to_sid_default(context, rc, sid,
1401 def_sid, GFP_NOFS);
1402 if (rc) {
1403 char *dev = inode->i_sb->s_id;
1404 unsigned long ino = inode->i_ino;
1405
1406 if (rc == -EINVAL) {
1407 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n",
1408 ino, dev, context);
1409 } else {
1410 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n",
1411 __func__, context, -rc, dev, ino);
1412 }
1413 }
1414 kfree(context);
1415 return 0;
1416 }
1417
1418 /* The inode's security attributes must be initialized before first use. */
inode_doinit_with_dentry(struct inode * inode,struct dentry * opt_dentry)1419 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1420 {
1421 struct superblock_security_struct *sbsec = NULL;
1422 struct inode_security_struct *isec = selinux_inode(inode);
1423 u32 task_sid, sid = 0;
1424 u16 sclass;
1425 struct dentry *dentry;
1426 int rc = 0;
1427
1428 if (isec->initialized == LABEL_INITIALIZED)
1429 return 0;
1430
1431 spin_lock(&isec->lock);
1432 if (isec->initialized == LABEL_INITIALIZED)
1433 goto out_unlock;
1434
1435 if (isec->sclass == SECCLASS_FILE)
1436 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1437
1438 sbsec = selinux_superblock(inode->i_sb);
1439 if (!(sbsec->flags & SE_SBINITIALIZED)) {
1440 /* Defer initialization until selinux_complete_init,
1441 after the initial policy is loaded and the security
1442 server is ready to handle calls. */
1443 spin_lock(&sbsec->isec_lock);
1444 if (list_empty(&isec->list))
1445 list_add(&isec->list, &sbsec->isec_head);
1446 spin_unlock(&sbsec->isec_lock);
1447 goto out_unlock;
1448 }
1449
1450 sclass = isec->sclass;
1451 task_sid = isec->task_sid;
1452 sid = isec->sid;
1453 isec->initialized = LABEL_PENDING;
1454 spin_unlock(&isec->lock);
1455
1456 switch (sbsec->behavior) {
1457 /*
1458 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels
1459 * via xattr when called from delayed_superblock_init().
1460 */
1461 case SECURITY_FS_USE_NATIVE:
1462 case SECURITY_FS_USE_XATTR:
1463 if (!(inode->i_opflags & IOP_XATTR)) {
1464 sid = sbsec->def_sid;
1465 break;
1466 }
1467 /* Need a dentry, since the xattr API requires one.
1468 Life would be simpler if we could just pass the inode. */
1469 if (opt_dentry) {
1470 /* Called from d_instantiate or d_splice_alias. */
1471 dentry = dget(opt_dentry);
1472 } else {
1473 /*
1474 * Called from selinux_complete_init, try to find a dentry.
1475 * Some filesystems really want a connected one, so try
1476 * that first. We could split SECURITY_FS_USE_XATTR in
1477 * two, depending upon that...
1478 */
1479 dentry = d_find_alias(inode);
1480 if (!dentry)
1481 dentry = d_find_any_alias(inode);
1482 }
1483 if (!dentry) {
1484 /*
1485 * this is can be hit on boot when a file is accessed
1486 * before the policy is loaded. When we load policy we
1487 * may find inodes that have no dentry on the
1488 * sbsec->isec_head list. No reason to complain as these
1489 * will get fixed up the next time we go through
1490 * inode_doinit with a dentry, before these inodes could
1491 * be used again by userspace.
1492 */
1493 goto out_invalid;
1494 }
1495
1496 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid,
1497 &sid);
1498 dput(dentry);
1499 if (rc)
1500 goto out;
1501 break;
1502 case SECURITY_FS_USE_TASK:
1503 sid = task_sid;
1504 break;
1505 case SECURITY_FS_USE_TRANS:
1506 /* Default to the fs SID. */
1507 sid = sbsec->sid;
1508
1509 /* Try to obtain a transition SID. */
1510 rc = security_transition_sid(task_sid, sid,
1511 sclass, NULL, &sid);
1512 if (rc)
1513 goto out;
1514 break;
1515 case SECURITY_FS_USE_MNTPOINT:
1516 sid = sbsec->mntpoint_sid;
1517 break;
1518 default:
1519 /* Default to the fs superblock SID. */
1520 sid = sbsec->sid;
1521
1522 if ((sbsec->flags & SE_SBGENFS) &&
1523 (!S_ISLNK(inode->i_mode) ||
1524 selinux_policycap_genfs_seclabel_symlinks())) {
1525 /* We must have a dentry to determine the label on
1526 * procfs inodes */
1527 if (opt_dentry) {
1528 /* Called from d_instantiate or
1529 * d_splice_alias. */
1530 dentry = dget(opt_dentry);
1531 } else {
1532 /* Called from selinux_complete_init, try to
1533 * find a dentry. Some filesystems really want
1534 * a connected one, so try that first.
1535 */
1536 dentry = d_find_alias(inode);
1537 if (!dentry)
1538 dentry = d_find_any_alias(inode);
1539 }
1540 /*
1541 * This can be hit on boot when a file is accessed
1542 * before the policy is loaded. When we load policy we
1543 * may find inodes that have no dentry on the
1544 * sbsec->isec_head list. No reason to complain as
1545 * these will get fixed up the next time we go through
1546 * inode_doinit() with a dentry, before these inodes
1547 * could be used again by userspace.
1548 */
1549 if (!dentry)
1550 goto out_invalid;
1551 rc = selinux_genfs_get_sid(dentry, sclass,
1552 sbsec->flags, &sid);
1553 if (rc) {
1554 dput(dentry);
1555 goto out;
1556 }
1557
1558 if ((sbsec->flags & SE_SBGENFS_XATTR) &&
1559 (inode->i_opflags & IOP_XATTR)) {
1560 rc = inode_doinit_use_xattr(inode, dentry,
1561 sid, &sid);
1562 if (rc) {
1563 dput(dentry);
1564 goto out;
1565 }
1566 }
1567 dput(dentry);
1568 }
1569 break;
1570 }
1571
1572 out:
1573 spin_lock(&isec->lock);
1574 if (isec->initialized == LABEL_PENDING) {
1575 if (rc) {
1576 isec->initialized = LABEL_INVALID;
1577 goto out_unlock;
1578 }
1579 isec->initialized = LABEL_INITIALIZED;
1580 isec->sid = sid;
1581 }
1582
1583 out_unlock:
1584 spin_unlock(&isec->lock);
1585 return rc;
1586
1587 out_invalid:
1588 spin_lock(&isec->lock);
1589 if (isec->initialized == LABEL_PENDING) {
1590 isec->initialized = LABEL_INVALID;
1591 isec->sid = sid;
1592 }
1593 spin_unlock(&isec->lock);
1594 return 0;
1595 }
1596
1597 /* Convert a Linux signal to an access vector. */
signal_to_av(int sig)1598 static inline u32 signal_to_av(int sig)
1599 {
1600 u32 perm = 0;
1601
1602 switch (sig) {
1603 case SIGCHLD:
1604 /* Commonly granted from child to parent. */
1605 perm = PROCESS__SIGCHLD;
1606 break;
1607 case SIGKILL:
1608 /* Cannot be caught or ignored */
1609 perm = PROCESS__SIGKILL;
1610 break;
1611 case SIGSTOP:
1612 /* Cannot be caught or ignored */
1613 perm = PROCESS__SIGSTOP;
1614 break;
1615 default:
1616 /* All other signals. */
1617 perm = PROCESS__SIGNAL;
1618 break;
1619 }
1620
1621 return perm;
1622 }
1623
1624 #if CAP_LAST_CAP > 63
1625 #error Fix SELinux to handle capabilities > 63.
1626 #endif
1627
1628 /* Check whether a task is allowed to use a capability. */
cred_has_capability(const struct cred * cred,int cap,unsigned int opts,bool initns)1629 static int cred_has_capability(const struct cred *cred,
1630 int cap, unsigned int opts, bool initns)
1631 {
1632 struct common_audit_data ad;
1633 struct av_decision avd;
1634 u16 sclass;
1635 u32 sid = cred_sid(cred);
1636 u32 av = CAP_TO_MASK(cap);
1637 int rc;
1638
1639 ad.type = LSM_AUDIT_DATA_CAP;
1640 ad.u.cap = cap;
1641
1642 switch (CAP_TO_INDEX(cap)) {
1643 case 0:
1644 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS;
1645 break;
1646 case 1:
1647 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS;
1648 break;
1649 default:
1650 pr_err("SELinux: out of range capability %d\n", cap);
1651 BUG();
1652 return -EINVAL;
1653 }
1654
1655 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1656 if (!(opts & CAP_OPT_NOAUDIT)) {
1657 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1658 if (rc2)
1659 return rc2;
1660 }
1661 return rc;
1662 }
1663
1664 /* Check whether a task has a particular permission to an inode.
1665 The 'adp' parameter is optional and allows other audit
1666 data to be passed (e.g. the dentry). */
inode_has_perm(const struct cred * cred,struct inode * inode,u32 perms,struct common_audit_data * adp)1667 static int inode_has_perm(const struct cred *cred,
1668 struct inode *inode,
1669 u32 perms,
1670 struct common_audit_data *adp)
1671 {
1672 struct inode_security_struct *isec;
1673 u32 sid;
1674
1675 if (unlikely(IS_PRIVATE(inode)))
1676 return 0;
1677
1678 sid = cred_sid(cred);
1679 isec = selinux_inode(inode);
1680
1681 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1682 }
1683
1684 /* Same as inode_has_perm, but pass explicit audit data containing
1685 the dentry to help the auditing code to more easily generate the
1686 pathname if needed. */
dentry_has_perm(const struct cred * cred,struct dentry * dentry,u32 av)1687 static inline int dentry_has_perm(const struct cred *cred,
1688 struct dentry *dentry,
1689 u32 av)
1690 {
1691 struct common_audit_data ad;
1692 struct inode *inode = d_backing_inode(dentry);
1693 struct inode_security_struct *isec = selinux_inode(inode);
1694
1695 ad.type = LSM_AUDIT_DATA_DENTRY;
1696 ad.u.dentry = dentry;
1697 /* check below is racy, but revalidate will recheck with lock held */
1698 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))
1699 __inode_security_revalidate(inode, dentry, true);
1700 return inode_has_perm(cred, inode, av, &ad);
1701 }
1702
1703 /* Same as inode_has_perm, but pass explicit audit data containing
1704 the path to help the auditing code to more easily generate the
1705 pathname if needed. */
path_has_perm(const struct cred * cred,const struct path * path,u32 av)1706 static inline int path_has_perm(const struct cred *cred,
1707 const struct path *path,
1708 u32 av)
1709 {
1710 struct common_audit_data ad;
1711 struct inode *inode = d_backing_inode(path->dentry);
1712 struct inode_security_struct *isec = selinux_inode(inode);
1713
1714 ad.type = LSM_AUDIT_DATA_PATH;
1715 ad.u.path = *path;
1716 /* check below is racy, but revalidate will recheck with lock held */
1717 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))
1718 __inode_security_revalidate(inode, path->dentry, true);
1719 return inode_has_perm(cred, inode, av, &ad);
1720 }
1721
1722 /* Same as path_has_perm, but uses the inode from the file struct. */
file_path_has_perm(const struct cred * cred,struct file * file,u32 av)1723 static inline int file_path_has_perm(const struct cred *cred,
1724 struct file *file,
1725 u32 av)
1726 {
1727 struct common_audit_data ad;
1728
1729 ad.type = LSM_AUDIT_DATA_FILE;
1730 ad.u.file = file;
1731 return inode_has_perm(cred, file_inode(file), av, &ad);
1732 }
1733
1734 #ifdef CONFIG_BPF_SYSCALL
1735 static int bpf_fd_pass(const struct file *file, u32 sid);
1736 #endif
1737
1738 /* Check whether a task can use an open file descriptor to
1739 access an inode in a given way. Check access to the
1740 descriptor itself, and then use dentry_has_perm to
1741 check a particular permission to the file.
1742 Access to the descriptor is implicitly granted if it
1743 has the same SID as the process. If av is zero, then
1744 access to the file is not checked, e.g. for cases
1745 where only the descriptor is affected like seek. */
file_has_perm(const struct cred * cred,struct file * file,u32 av)1746 static int file_has_perm(const struct cred *cred,
1747 struct file *file,
1748 u32 av)
1749 {
1750 struct file_security_struct *fsec = selinux_file(file);
1751 struct inode *inode = file_inode(file);
1752 struct common_audit_data ad;
1753 u32 sid = cred_sid(cred);
1754 int rc;
1755
1756 ad.type = LSM_AUDIT_DATA_FILE;
1757 ad.u.file = file;
1758
1759 if (sid != fsec->sid) {
1760 rc = avc_has_perm(sid, fsec->sid,
1761 SECCLASS_FD,
1762 FD__USE,
1763 &ad);
1764 if (rc)
1765 goto out;
1766 }
1767
1768 #ifdef CONFIG_BPF_SYSCALL
1769 rc = bpf_fd_pass(file, cred_sid(cred));
1770 if (rc)
1771 return rc;
1772 #endif
1773
1774 /* av is zero if only checking access to the descriptor. */
1775 rc = 0;
1776 if (av)
1777 rc = inode_has_perm(cred, inode, av, &ad);
1778
1779 out:
1780 return rc;
1781 }
1782
1783 /*
1784 * Determine the label for an inode that might be unioned.
1785 */
1786 static int
selinux_determine_inode_label(const struct task_security_struct * tsec,struct inode * dir,const struct qstr * name,u16 tclass,u32 * _new_isid)1787 selinux_determine_inode_label(const struct task_security_struct *tsec,
1788 struct inode *dir,
1789 const struct qstr *name, u16 tclass,
1790 u32 *_new_isid)
1791 {
1792 const struct superblock_security_struct *sbsec =
1793 selinux_superblock(dir->i_sb);
1794
1795 if ((sbsec->flags & SE_SBINITIALIZED) &&
1796 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
1797 *_new_isid = sbsec->mntpoint_sid;
1798 } else if ((sbsec->flags & SBLABEL_MNT) &&
1799 tsec->create_sid) {
1800 *_new_isid = tsec->create_sid;
1801 } else {
1802 const struct inode_security_struct *dsec = inode_security(dir);
1803 return security_transition_sid(tsec->sid,
1804 dsec->sid, tclass,
1805 name, _new_isid);
1806 }
1807
1808 return 0;
1809 }
1810
1811 /* Check whether a task can create a file. */
may_create(struct inode * dir,struct dentry * dentry,u16 tclass)1812 static int may_create(struct inode *dir,
1813 struct dentry *dentry,
1814 u16 tclass)
1815 {
1816 const struct task_security_struct *tsec = selinux_cred(current_cred());
1817 struct inode_security_struct *dsec;
1818 struct superblock_security_struct *sbsec;
1819 u32 sid, newsid;
1820 struct common_audit_data ad;
1821 int rc;
1822
1823 dsec = inode_security(dir);
1824 sbsec = selinux_superblock(dir->i_sb);
1825
1826 sid = tsec->sid;
1827
1828 ad.type = LSM_AUDIT_DATA_DENTRY;
1829 ad.u.dentry = dentry;
1830
1831 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1832 DIR__ADD_NAME | DIR__SEARCH,
1833 &ad);
1834 if (rc)
1835 return rc;
1836
1837 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass,
1838 &newsid);
1839 if (rc)
1840 return rc;
1841
1842 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1843 if (rc)
1844 return rc;
1845
1846 return avc_has_perm(newsid, sbsec->sid,
1847 SECCLASS_FILESYSTEM,
1848 FILESYSTEM__ASSOCIATE, &ad);
1849 }
1850
1851 #define MAY_LINK 0
1852 #define MAY_UNLINK 1
1853 #define MAY_RMDIR 2
1854
1855 /* Check whether a task can link, unlink, or rmdir a file/directory. */
may_link(struct inode * dir,struct dentry * dentry,int kind)1856 static int may_link(struct inode *dir,
1857 struct dentry *dentry,
1858 int kind)
1859
1860 {
1861 struct inode_security_struct *dsec, *isec;
1862 struct common_audit_data ad;
1863 u32 sid = current_sid();
1864 u32 av;
1865 int rc;
1866
1867 dsec = inode_security(dir);
1868 isec = backing_inode_security(dentry);
1869
1870 ad.type = LSM_AUDIT_DATA_DENTRY;
1871 ad.u.dentry = dentry;
1872
1873 av = DIR__SEARCH;
1874 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1875 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1876 if (rc)
1877 return rc;
1878
1879 switch (kind) {
1880 case MAY_LINK:
1881 av = FILE__LINK;
1882 break;
1883 case MAY_UNLINK:
1884 av = FILE__UNLINK;
1885 break;
1886 case MAY_RMDIR:
1887 av = DIR__RMDIR;
1888 break;
1889 default:
1890 pr_warn("SELinux: %s: unrecognized kind %d\n",
1891 __func__, kind);
1892 return 0;
1893 }
1894
1895 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1896 return rc;
1897 }
1898
may_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry)1899 static inline int may_rename(struct inode *old_dir,
1900 struct dentry *old_dentry,
1901 struct inode *new_dir,
1902 struct dentry *new_dentry)
1903 {
1904 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1905 struct common_audit_data ad;
1906 u32 sid = current_sid();
1907 u32 av;
1908 int old_is_dir, new_is_dir;
1909 int rc;
1910
1911 old_dsec = inode_security(old_dir);
1912 old_isec = backing_inode_security(old_dentry);
1913 old_is_dir = d_is_dir(old_dentry);
1914 new_dsec = inode_security(new_dir);
1915
1916 ad.type = LSM_AUDIT_DATA_DENTRY;
1917
1918 ad.u.dentry = old_dentry;
1919 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1920 DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1921 if (rc)
1922 return rc;
1923 rc = avc_has_perm(sid, old_isec->sid,
1924 old_isec->sclass, FILE__RENAME, &ad);
1925 if (rc)
1926 return rc;
1927 if (old_is_dir && new_dir != old_dir) {
1928 rc = avc_has_perm(sid, old_isec->sid,
1929 old_isec->sclass, DIR__REPARENT, &ad);
1930 if (rc)
1931 return rc;
1932 }
1933
1934 ad.u.dentry = new_dentry;
1935 av = DIR__ADD_NAME | DIR__SEARCH;
1936 if (d_is_positive(new_dentry))
1937 av |= DIR__REMOVE_NAME;
1938 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1939 if (rc)
1940 return rc;
1941 if (d_is_positive(new_dentry)) {
1942 new_isec = backing_inode_security(new_dentry);
1943 new_is_dir = d_is_dir(new_dentry);
1944 rc = avc_has_perm(sid, new_isec->sid,
1945 new_isec->sclass,
1946 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1947 if (rc)
1948 return rc;
1949 }
1950
1951 return 0;
1952 }
1953
1954 /* Check whether a task can perform a filesystem operation. */
superblock_has_perm(const struct cred * cred,const struct super_block * sb,u32 perms,struct common_audit_data * ad)1955 static int superblock_has_perm(const struct cred *cred,
1956 const struct super_block *sb,
1957 u32 perms,
1958 struct common_audit_data *ad)
1959 {
1960 struct superblock_security_struct *sbsec;
1961 u32 sid = cred_sid(cred);
1962
1963 sbsec = selinux_superblock(sb);
1964 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1965 }
1966
1967 /* Convert a Linux mode and permission mask to an access vector. */
file_mask_to_av(int mode,int mask)1968 static inline u32 file_mask_to_av(int mode, int mask)
1969 {
1970 u32 av = 0;
1971
1972 if (!S_ISDIR(mode)) {
1973 if (mask & MAY_EXEC)
1974 av |= FILE__EXECUTE;
1975 if (mask & MAY_READ)
1976 av |= FILE__READ;
1977
1978 if (mask & MAY_APPEND)
1979 av |= FILE__APPEND;
1980 else if (mask & MAY_WRITE)
1981 av |= FILE__WRITE;
1982
1983 } else {
1984 if (mask & MAY_EXEC)
1985 av |= DIR__SEARCH;
1986 if (mask & MAY_WRITE)
1987 av |= DIR__WRITE;
1988 if (mask & MAY_READ)
1989 av |= DIR__READ;
1990 }
1991
1992 return av;
1993 }
1994
1995 /* Convert a Linux file to an access vector. */
file_to_av(const struct file * file)1996 static inline u32 file_to_av(const struct file *file)
1997 {
1998 u32 av = 0;
1999
2000 if (file->f_mode & FMODE_READ)
2001 av |= FILE__READ;
2002 if (file->f_mode & FMODE_WRITE) {
2003 if (file->f_flags & O_APPEND)
2004 av |= FILE__APPEND;
2005 else
2006 av |= FILE__WRITE;
2007 }
2008 if (!av) {
2009 /*
2010 * Special file opened with flags 3 for ioctl-only use.
2011 */
2012 av = FILE__IOCTL;
2013 }
2014
2015 return av;
2016 }
2017
2018 /*
2019 * Convert a file to an access vector and include the correct
2020 * open permission.
2021 */
open_file_to_av(struct file * file)2022 static inline u32 open_file_to_av(struct file *file)
2023 {
2024 u32 av = file_to_av(file);
2025 struct inode *inode = file_inode(file);
2026
2027 if (selinux_policycap_openperm() &&
2028 inode->i_sb->s_magic != SOCKFS_MAGIC)
2029 av |= FILE__OPEN;
2030
2031 return av;
2032 }
2033
2034 /* Hook functions begin here. */
2035
selinux_binder_set_context_mgr(const struct cred * mgr)2036 static int selinux_binder_set_context_mgr(const struct cred *mgr)
2037 {
2038 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER,
2039 BINDER__SET_CONTEXT_MGR, NULL);
2040 }
2041
selinux_binder_transaction(const struct cred * from,const struct cred * to)2042 static int selinux_binder_transaction(const struct cred *from,
2043 const struct cred *to)
2044 {
2045 u32 mysid = current_sid();
2046 u32 fromsid = cred_sid(from);
2047 u32 tosid = cred_sid(to);
2048 int rc;
2049
2050 if (mysid != fromsid) {
2051 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER,
2052 BINDER__IMPERSONATE, NULL);
2053 if (rc)
2054 return rc;
2055 }
2056
2057 return avc_has_perm(fromsid, tosid,
2058 SECCLASS_BINDER, BINDER__CALL, NULL);
2059 }
2060
selinux_binder_transfer_binder(const struct cred * from,const struct cred * to)2061 static int selinux_binder_transfer_binder(const struct cred *from,
2062 const struct cred *to)
2063 {
2064 return avc_has_perm(cred_sid(from), cred_sid(to),
2065 SECCLASS_BINDER, BINDER__TRANSFER,
2066 NULL);
2067 }
2068
selinux_binder_transfer_file(const struct cred * from,const struct cred * to,const struct file * file)2069 static int selinux_binder_transfer_file(const struct cred *from,
2070 const struct cred *to,
2071 const struct file *file)
2072 {
2073 u32 sid = cred_sid(to);
2074 struct file_security_struct *fsec = selinux_file(file);
2075 struct dentry *dentry = file->f_path.dentry;
2076 struct inode_security_struct *isec;
2077 struct common_audit_data ad;
2078 int rc;
2079
2080 ad.type = LSM_AUDIT_DATA_PATH;
2081 ad.u.path = file->f_path;
2082
2083 if (sid != fsec->sid) {
2084 rc = avc_has_perm(sid, fsec->sid,
2085 SECCLASS_FD,
2086 FD__USE,
2087 &ad);
2088 if (rc)
2089 return rc;
2090 }
2091
2092 #ifdef CONFIG_BPF_SYSCALL
2093 rc = bpf_fd_pass(file, sid);
2094 if (rc)
2095 return rc;
2096 #endif
2097
2098 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
2099 return 0;
2100
2101 isec = backing_inode_security(dentry);
2102 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file),
2103 &ad);
2104 }
2105
selinux_ptrace_access_check(struct task_struct * child,unsigned int mode)2106 static int selinux_ptrace_access_check(struct task_struct *child,
2107 unsigned int mode)
2108 {
2109 u32 sid = current_sid();
2110 u32 csid = task_sid_obj(child);
2111
2112 if (mode & PTRACE_MODE_READ)
2113 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ,
2114 NULL);
2115
2116 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE,
2117 NULL);
2118 }
2119
selinux_ptrace_traceme(struct task_struct * parent)2120 static int selinux_ptrace_traceme(struct task_struct *parent)
2121 {
2122 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current),
2123 SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
2124 }
2125
selinux_capget(const struct task_struct * target,kernel_cap_t * effective,kernel_cap_t * inheritable,kernel_cap_t * permitted)2126 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
2127 kernel_cap_t *inheritable, kernel_cap_t *permitted)
2128 {
2129 return avc_has_perm(current_sid(), task_sid_obj(target),
2130 SECCLASS_PROCESS, PROCESS__GETCAP, NULL);
2131 }
2132
selinux_capset(struct cred * new,const struct cred * old,const kernel_cap_t * effective,const kernel_cap_t * inheritable,const kernel_cap_t * permitted)2133 static int selinux_capset(struct cred *new, const struct cred *old,
2134 const kernel_cap_t *effective,
2135 const kernel_cap_t *inheritable,
2136 const kernel_cap_t *permitted)
2137 {
2138 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS,
2139 PROCESS__SETCAP, NULL);
2140 }
2141
2142 /*
2143 * (This comment used to live with the selinux_task_setuid hook,
2144 * which was removed).
2145 *
2146 * Since setuid only affects the current process, and since the SELinux
2147 * controls are not based on the Linux identity attributes, SELinux does not
2148 * need to control this operation. However, SELinux does control the use of
2149 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook.
2150 */
2151
selinux_capable(const struct cred * cred,struct user_namespace * ns,int cap,unsigned int opts)2152 static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
2153 int cap, unsigned int opts)
2154 {
2155 return cred_has_capability(cred, cap, opts, ns == &init_user_ns);
2156 }
2157
selinux_quotactl(int cmds,int type,int id,const struct super_block * sb)2158 static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb)
2159 {
2160 const struct cred *cred = current_cred();
2161 int rc = 0;
2162
2163 if (!sb)
2164 return 0;
2165
2166 switch (cmds) {
2167 case Q_SYNC:
2168 case Q_QUOTAON:
2169 case Q_QUOTAOFF:
2170 case Q_SETINFO:
2171 case Q_SETQUOTA:
2172 case Q_XQUOTAOFF:
2173 case Q_XQUOTAON:
2174 case Q_XSETQLIM:
2175 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
2176 break;
2177 case Q_GETFMT:
2178 case Q_GETINFO:
2179 case Q_GETQUOTA:
2180 case Q_XGETQUOTA:
2181 case Q_XGETQSTAT:
2182 case Q_XGETQSTATV:
2183 case Q_XGETNEXTQUOTA:
2184 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
2185 break;
2186 default:
2187 rc = 0; /* let the kernel handle invalid cmds */
2188 break;
2189 }
2190 return rc;
2191 }
2192
selinux_quota_on(struct dentry * dentry)2193 static int selinux_quota_on(struct dentry *dentry)
2194 {
2195 const struct cred *cred = current_cred();
2196
2197 return dentry_has_perm(cred, dentry, FILE__QUOTAON);
2198 }
2199
selinux_syslog(int type)2200 static int selinux_syslog(int type)
2201 {
2202 switch (type) {
2203 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2204 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2205 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2206 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL);
2207 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2208 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2209 /* Set level of messages printed to console */
2210 case SYSLOG_ACTION_CONSOLE_LEVEL:
2211 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2212 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE,
2213 NULL);
2214 }
2215 /* All other syslog types */
2216 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
2217 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL);
2218 }
2219
2220 /*
2221 * Check permission for allocating a new virtual mapping. Returns
2222 * 0 if permission is granted, negative error code if not.
2223 *
2224 * Do not audit the selinux permission check, as this is applied to all
2225 * processes that allocate mappings.
2226 */
selinux_vm_enough_memory(struct mm_struct * mm,long pages)2227 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2228 {
2229 return cred_has_capability(current_cred(), CAP_SYS_ADMIN,
2230 CAP_OPT_NOAUDIT, true);
2231 }
2232
2233 /* binprm security operations */
2234
ptrace_parent_sid(void)2235 static u32 ptrace_parent_sid(void)
2236 {
2237 u32 sid = 0;
2238 struct task_struct *tracer;
2239
2240 rcu_read_lock();
2241 tracer = ptrace_parent(current);
2242 if (tracer)
2243 sid = task_sid_obj(tracer);
2244 rcu_read_unlock();
2245
2246 return sid;
2247 }
2248
check_nnp_nosuid(const struct linux_binprm * bprm,const struct task_security_struct * old_tsec,const struct task_security_struct * new_tsec)2249 static int check_nnp_nosuid(const struct linux_binprm *bprm,
2250 const struct task_security_struct *old_tsec,
2251 const struct task_security_struct *new_tsec)
2252 {
2253 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
2254 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
2255 int rc;
2256 u32 av;
2257
2258 if (!nnp && !nosuid)
2259 return 0; /* neither NNP nor nosuid */
2260
2261 if (new_tsec->sid == old_tsec->sid)
2262 return 0; /* No change in credentials */
2263
2264 /*
2265 * If the policy enables the nnp_nosuid_transition policy capability,
2266 * then we permit transitions under NNP or nosuid if the
2267 * policy allows the corresponding permission between
2268 * the old and new contexts.
2269 */
2270 if (selinux_policycap_nnp_nosuid_transition()) {
2271 av = 0;
2272 if (nnp)
2273 av |= PROCESS2__NNP_TRANSITION;
2274 if (nosuid)
2275 av |= PROCESS2__NOSUID_TRANSITION;
2276 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2277 SECCLASS_PROCESS2, av, NULL);
2278 if (!rc)
2279 return 0;
2280 }
2281
2282 /*
2283 * We also permit NNP or nosuid transitions to bounded SIDs,
2284 * i.e. SIDs that are guaranteed to only be allowed a subset
2285 * of the permissions of the current SID.
2286 */
2287 rc = security_bounded_transition(old_tsec->sid,
2288 new_tsec->sid);
2289 if (!rc)
2290 return 0;
2291
2292 /*
2293 * On failure, preserve the errno values for NNP vs nosuid.
2294 * NNP: Operation not permitted for caller.
2295 * nosuid: Permission denied to file.
2296 */
2297 if (nnp)
2298 return -EPERM;
2299 return -EACCES;
2300 }
2301
selinux_bprm_creds_for_exec(struct linux_binprm * bprm)2302 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
2303 {
2304 const struct task_security_struct *old_tsec;
2305 struct task_security_struct *new_tsec;
2306 struct inode_security_struct *isec;
2307 struct common_audit_data ad;
2308 struct inode *inode = file_inode(bprm->file);
2309 int rc;
2310
2311 /* SELinux context only depends on initial program or script and not
2312 * the script interpreter */
2313
2314 old_tsec = selinux_cred(current_cred());
2315 new_tsec = selinux_cred(bprm->cred);
2316 isec = inode_security(inode);
2317
2318 /* Default to the current task SID. */
2319 new_tsec->sid = old_tsec->sid;
2320 new_tsec->osid = old_tsec->sid;
2321
2322 /* Reset fs, key, and sock SIDs on execve. */
2323 new_tsec->create_sid = 0;
2324 new_tsec->keycreate_sid = 0;
2325 new_tsec->sockcreate_sid = 0;
2326
2327 /*
2328 * Before policy is loaded, label any task outside kernel space
2329 * as SECINITSID_INIT, so that any userspace tasks surviving from
2330 * early boot end up with a label different from SECINITSID_KERNEL
2331 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL).
2332 */
2333 if (!selinux_initialized()) {
2334 new_tsec->sid = SECINITSID_INIT;
2335 /* also clear the exec_sid just in case */
2336 new_tsec->exec_sid = 0;
2337 return 0;
2338 }
2339
2340 if (old_tsec->exec_sid) {
2341 new_tsec->sid = old_tsec->exec_sid;
2342 /* Reset exec SID on execve. */
2343 new_tsec->exec_sid = 0;
2344
2345 /* Fail on NNP or nosuid if not an allowed transition. */
2346 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2347 if (rc)
2348 return rc;
2349 } else {
2350 /* Check for a default transition on this program. */
2351 rc = security_transition_sid(old_tsec->sid,
2352 isec->sid, SECCLASS_PROCESS, NULL,
2353 &new_tsec->sid);
2354 if (rc)
2355 return rc;
2356
2357 /*
2358 * Fallback to old SID on NNP or nosuid if not an allowed
2359 * transition.
2360 */
2361 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec);
2362 if (rc)
2363 new_tsec->sid = old_tsec->sid;
2364 }
2365
2366 ad.type = LSM_AUDIT_DATA_FILE;
2367 ad.u.file = bprm->file;
2368
2369 if (new_tsec->sid == old_tsec->sid) {
2370 rc = avc_has_perm(old_tsec->sid, isec->sid,
2371 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2372 if (rc)
2373 return rc;
2374 } else {
2375 /* Check permissions for the transition. */
2376 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2377 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2378 if (rc)
2379 return rc;
2380
2381 rc = avc_has_perm(new_tsec->sid, isec->sid,
2382 SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2383 if (rc)
2384 return rc;
2385
2386 /* Check for shared state */
2387 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2388 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2389 SECCLASS_PROCESS, PROCESS__SHARE,
2390 NULL);
2391 if (rc)
2392 return -EPERM;
2393 }
2394
2395 /* Make sure that anyone attempting to ptrace over a task that
2396 * changes its SID has the appropriate permit */
2397 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
2398 u32 ptsid = ptrace_parent_sid();
2399 if (ptsid != 0) {
2400 rc = avc_has_perm(ptsid, new_tsec->sid,
2401 SECCLASS_PROCESS,
2402 PROCESS__PTRACE, NULL);
2403 if (rc)
2404 return -EPERM;
2405 }
2406 }
2407
2408 /* Clear any possibly unsafe personality bits on exec: */
2409 bprm->per_clear |= PER_CLEAR_ON_SETID;
2410
2411 /* Enable secure mode for SIDs transitions unless
2412 the noatsecure permission is granted between
2413 the two SIDs, i.e. ahp returns 0. */
2414 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2415 SECCLASS_PROCESS, PROCESS__NOATSECURE,
2416 NULL);
2417 bprm->secureexec |= !!rc;
2418 }
2419
2420 return 0;
2421 }
2422
match_file(const void * p,struct file * file,unsigned fd)2423 static int match_file(const void *p, struct file *file, unsigned fd)
2424 {
2425 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0;
2426 }
2427
2428 /* Derived from fs/exec.c:flush_old_files. */
flush_unauthorized_files(const struct cred * cred,struct files_struct * files)2429 static inline void flush_unauthorized_files(const struct cred *cred,
2430 struct files_struct *files)
2431 {
2432 struct file *file, *devnull = NULL;
2433 struct tty_struct *tty;
2434 int drop_tty = 0;
2435 unsigned n;
2436
2437 tty = get_current_tty();
2438 if (tty) {
2439 spin_lock(&tty->files_lock);
2440 if (!list_empty(&tty->tty_files)) {
2441 struct tty_file_private *file_priv;
2442
2443 /* Revalidate access to controlling tty.
2444 Use file_path_has_perm on the tty path directly
2445 rather than using file_has_perm, as this particular
2446 open file may belong to another process and we are
2447 only interested in the inode-based check here. */
2448 file_priv = list_first_entry(&tty->tty_files,
2449 struct tty_file_private, list);
2450 file = file_priv->file;
2451 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE))
2452 drop_tty = 1;
2453 }
2454 spin_unlock(&tty->files_lock);
2455 tty_kref_put(tty);
2456 }
2457 /* Reset controlling tty. */
2458 if (drop_tty)
2459 no_tty();
2460
2461 /* Revalidate access to inherited open files. */
2462 n = iterate_fd(files, 0, match_file, cred);
2463 if (!n) /* none found? */
2464 return;
2465
2466 devnull = dentry_open(&selinux_null, O_RDWR, cred);
2467 if (IS_ERR(devnull))
2468 devnull = NULL;
2469 /* replace all the matching ones with this */
2470 do {
2471 replace_fd(n - 1, devnull, 0);
2472 } while ((n = iterate_fd(files, n, match_file, cred)) != 0);
2473 if (devnull)
2474 fput(devnull);
2475 }
2476
2477 /*
2478 * Prepare a process for imminent new credential changes due to exec
2479 */
selinux_bprm_committing_creds(const struct linux_binprm * bprm)2480 static void selinux_bprm_committing_creds(const struct linux_binprm *bprm)
2481 {
2482 struct task_security_struct *new_tsec;
2483 struct rlimit *rlim, *initrlim;
2484 int rc, i;
2485
2486 new_tsec = selinux_cred(bprm->cred);
2487 if (new_tsec->sid == new_tsec->osid)
2488 return;
2489
2490 /* Close files for which the new task SID is not authorized. */
2491 flush_unauthorized_files(bprm->cred, current->files);
2492
2493 /* Always clear parent death signal on SID transitions. */
2494 current->pdeath_signal = 0;
2495
2496 /* Check whether the new SID can inherit resource limits from the old
2497 * SID. If not, reset all soft limits to the lower of the current
2498 * task's hard limit and the init task's soft limit.
2499 *
2500 * Note that the setting of hard limits (even to lower them) can be
2501 * controlled by the setrlimit check. The inclusion of the init task's
2502 * soft limit into the computation is to avoid resetting soft limits
2503 * higher than the default soft limit for cases where the default is
2504 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2505 */
2506 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2507 PROCESS__RLIMITINH, NULL);
2508 if (rc) {
2509 /* protect against do_prlimit() */
2510 task_lock(current);
2511 for (i = 0; i < RLIM_NLIMITS; i++) {
2512 rlim = current->signal->rlim + i;
2513 initrlim = init_task.signal->rlim + i;
2514 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2515 }
2516 task_unlock(current);
2517 if (IS_ENABLED(CONFIG_POSIX_TIMERS))
2518 update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
2519 }
2520 }
2521
2522 /*
2523 * Clean up the process immediately after the installation of new credentials
2524 * due to exec
2525 */
selinux_bprm_committed_creds(const struct linux_binprm * bprm)2526 static void selinux_bprm_committed_creds(const struct linux_binprm *bprm)
2527 {
2528 const struct task_security_struct *tsec = selinux_cred(current_cred());
2529 u32 osid, sid;
2530 int rc;
2531
2532 osid = tsec->osid;
2533 sid = tsec->sid;
2534
2535 if (sid == osid)
2536 return;
2537
2538 /* Check whether the new SID can inherit signal state from the old SID.
2539 * If not, clear itimers to avoid subsequent signal generation and
2540 * flush and unblock signals.
2541 *
2542 * This must occur _after_ the task SID has been updated so that any
2543 * kill done after the flush will be checked against the new SID.
2544 */
2545 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2546 if (rc) {
2547 clear_itimer();
2548
2549 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock);
2550 if (!fatal_signal_pending(current)) {
2551 flush_sigqueue(¤t->pending);
2552 flush_sigqueue(¤t->signal->shared_pending);
2553 flush_signal_handlers(current, 1);
2554 sigemptyset(¤t->blocked);
2555 recalc_sigpending();
2556 }
2557 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock);
2558 }
2559
2560 /* Wake up the parent if it is waiting so that it can recheck
2561 * wait permission to the new task SID. */
2562 read_lock(&tasklist_lock);
2563 __wake_up_parent(current, unrcu_pointer(current->real_parent));
2564 read_unlock(&tasklist_lock);
2565 }
2566
2567 /* superblock security operations */
2568
selinux_sb_alloc_security(struct super_block * sb)2569 static int selinux_sb_alloc_security(struct super_block *sb)
2570 {
2571 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2572
2573 mutex_init(&sbsec->lock);
2574 INIT_LIST_HEAD(&sbsec->isec_head);
2575 spin_lock_init(&sbsec->isec_lock);
2576 sbsec->sid = SECINITSID_UNLABELED;
2577 sbsec->def_sid = SECINITSID_FILE;
2578 sbsec->mntpoint_sid = SECINITSID_UNLABELED;
2579
2580 return 0;
2581 }
2582
opt_len(const char * s)2583 static inline int opt_len(const char *s)
2584 {
2585 bool open_quote = false;
2586 int len;
2587 char c;
2588
2589 for (len = 0; (c = s[len]) != '\0'; len++) {
2590 if (c == '"')
2591 open_quote = !open_quote;
2592 if (c == ',' && !open_quote)
2593 break;
2594 }
2595 return len;
2596 }
2597
selinux_sb_eat_lsm_opts(char * options,void ** mnt_opts)2598 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts)
2599 {
2600 char *from = options;
2601 char *to = options;
2602 bool first = true;
2603 int rc;
2604
2605 while (1) {
2606 int len = opt_len(from);
2607 int token;
2608 char *arg = NULL;
2609
2610 token = match_opt_prefix(from, len, &arg);
2611
2612 if (token != Opt_error) {
2613 char *p, *q;
2614
2615 /* strip quotes */
2616 if (arg) {
2617 for (p = q = arg; p < from + len; p++) {
2618 char c = *p;
2619 if (c != '"')
2620 *q++ = c;
2621 }
2622 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL);
2623 if (!arg) {
2624 rc = -ENOMEM;
2625 goto free_opt;
2626 }
2627 }
2628 rc = selinux_add_opt(token, arg, mnt_opts);
2629 kfree(arg);
2630 arg = NULL;
2631 if (unlikely(rc)) {
2632 goto free_opt;
2633 }
2634 } else {
2635 if (!first) { // copy with preceding comma
2636 from--;
2637 len++;
2638 }
2639 if (to != from)
2640 memmove(to, from, len);
2641 to += len;
2642 first = false;
2643 }
2644 if (!from[len])
2645 break;
2646 from += len + 1;
2647 }
2648 *to = '\0';
2649 return 0;
2650
2651 free_opt:
2652 if (*mnt_opts) {
2653 selinux_free_mnt_opts(*mnt_opts);
2654 *mnt_opts = NULL;
2655 }
2656 return rc;
2657 }
2658
selinux_sb_mnt_opts_compat(struct super_block * sb,void * mnt_opts)2659 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts)
2660 {
2661 struct selinux_mnt_opts *opts = mnt_opts;
2662 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2663
2664 /*
2665 * Superblock not initialized (i.e. no options) - reject if any
2666 * options specified, otherwise accept.
2667 */
2668 if (!(sbsec->flags & SE_SBINITIALIZED))
2669 return opts ? 1 : 0;
2670
2671 /*
2672 * Superblock initialized and no options specified - reject if
2673 * superblock has any options set, otherwise accept.
2674 */
2675 if (!opts)
2676 return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
2677
2678 if (opts->fscontext_sid) {
2679 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2680 opts->fscontext_sid))
2681 return 1;
2682 }
2683 if (opts->context_sid) {
2684 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2685 opts->context_sid))
2686 return 1;
2687 }
2688 if (opts->rootcontext_sid) {
2689 struct inode_security_struct *root_isec;
2690
2691 root_isec = backing_inode_security(sb->s_root);
2692 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2693 opts->rootcontext_sid))
2694 return 1;
2695 }
2696 if (opts->defcontext_sid) {
2697 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2698 opts->defcontext_sid))
2699 return 1;
2700 }
2701 return 0;
2702 }
2703
selinux_sb_remount(struct super_block * sb,void * mnt_opts)2704 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts)
2705 {
2706 struct selinux_mnt_opts *opts = mnt_opts;
2707 struct superblock_security_struct *sbsec = selinux_superblock(sb);
2708
2709 if (!(sbsec->flags & SE_SBINITIALIZED))
2710 return 0;
2711
2712 if (!opts)
2713 return 0;
2714
2715 if (opts->fscontext_sid) {
2716 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
2717 opts->fscontext_sid))
2718 goto out_bad_option;
2719 }
2720 if (opts->context_sid) {
2721 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
2722 opts->context_sid))
2723 goto out_bad_option;
2724 }
2725 if (opts->rootcontext_sid) {
2726 struct inode_security_struct *root_isec;
2727 root_isec = backing_inode_security(sb->s_root);
2728 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
2729 opts->rootcontext_sid))
2730 goto out_bad_option;
2731 }
2732 if (opts->defcontext_sid) {
2733 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
2734 opts->defcontext_sid))
2735 goto out_bad_option;
2736 }
2737 return 0;
2738
2739 out_bad_option:
2740 pr_warn("SELinux: unable to change security options "
2741 "during remount (dev %s, type=%s)\n", sb->s_id,
2742 sb->s_type->name);
2743 return -EINVAL;
2744 }
2745
selinux_sb_kern_mount(const struct super_block * sb)2746 static int selinux_sb_kern_mount(const struct super_block *sb)
2747 {
2748 const struct cred *cred = current_cred();
2749 struct common_audit_data ad;
2750
2751 ad.type = LSM_AUDIT_DATA_DENTRY;
2752 ad.u.dentry = sb->s_root;
2753 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2754 }
2755
selinux_sb_statfs(struct dentry * dentry)2756 static int selinux_sb_statfs(struct dentry *dentry)
2757 {
2758 const struct cred *cred = current_cred();
2759 struct common_audit_data ad;
2760
2761 ad.type = LSM_AUDIT_DATA_DENTRY;
2762 ad.u.dentry = dentry->d_sb->s_root;
2763 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2764 }
2765
selinux_mount(const char * dev_name,const struct path * path,const char * type,unsigned long flags,void * data)2766 static int selinux_mount(const char *dev_name,
2767 const struct path *path,
2768 const char *type,
2769 unsigned long flags,
2770 void *data)
2771 {
2772 const struct cred *cred = current_cred();
2773
2774 if (flags & MS_REMOUNT)
2775 return superblock_has_perm(cred, path->dentry->d_sb,
2776 FILESYSTEM__REMOUNT, NULL);
2777 else
2778 return path_has_perm(cred, path, FILE__MOUNTON);
2779 }
2780
selinux_move_mount(const struct path * from_path,const struct path * to_path)2781 static int selinux_move_mount(const struct path *from_path,
2782 const struct path *to_path)
2783 {
2784 const struct cred *cred = current_cred();
2785
2786 return path_has_perm(cred, to_path, FILE__MOUNTON);
2787 }
2788
selinux_umount(struct vfsmount * mnt,int flags)2789 static int selinux_umount(struct vfsmount *mnt, int flags)
2790 {
2791 const struct cred *cred = current_cred();
2792
2793 return superblock_has_perm(cred, mnt->mnt_sb,
2794 FILESYSTEM__UNMOUNT, NULL);
2795 }
2796
selinux_fs_context_submount(struct fs_context * fc,struct super_block * reference)2797 static int selinux_fs_context_submount(struct fs_context *fc,
2798 struct super_block *reference)
2799 {
2800 const struct superblock_security_struct *sbsec = selinux_superblock(reference);
2801 struct selinux_mnt_opts *opts;
2802
2803 /*
2804 * Ensure that fc->security remains NULL when no options are set
2805 * as expected by selinux_set_mnt_opts().
2806 */
2807 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
2808 return 0;
2809
2810 opts = kzalloc(sizeof(*opts), GFP_KERNEL);
2811 if (!opts)
2812 return -ENOMEM;
2813
2814 if (sbsec->flags & FSCONTEXT_MNT)
2815 opts->fscontext_sid = sbsec->sid;
2816 if (sbsec->flags & CONTEXT_MNT)
2817 opts->context_sid = sbsec->mntpoint_sid;
2818 if (sbsec->flags & DEFCONTEXT_MNT)
2819 opts->defcontext_sid = sbsec->def_sid;
2820 fc->security = opts;
2821 return 0;
2822 }
2823
selinux_fs_context_dup(struct fs_context * fc,struct fs_context * src_fc)2824 static int selinux_fs_context_dup(struct fs_context *fc,
2825 struct fs_context *src_fc)
2826 {
2827 const struct selinux_mnt_opts *src = src_fc->security;
2828
2829 if (!src)
2830 return 0;
2831
2832 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
2833 return fc->security ? 0 : -ENOMEM;
2834 }
2835
2836 static const struct fs_parameter_spec selinux_fs_parameters[] = {
2837 fsparam_string(CONTEXT_STR, Opt_context),
2838 fsparam_string(DEFCONTEXT_STR, Opt_defcontext),
2839 fsparam_string(FSCONTEXT_STR, Opt_fscontext),
2840 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext),
2841 fsparam_flag (SECLABEL_STR, Opt_seclabel),
2842 {}
2843 };
2844
selinux_fs_context_parse_param(struct fs_context * fc,struct fs_parameter * param)2845 static int selinux_fs_context_parse_param(struct fs_context *fc,
2846 struct fs_parameter *param)
2847 {
2848 struct fs_parse_result result;
2849 int opt;
2850
2851 opt = fs_parse(fc, selinux_fs_parameters, param, &result);
2852 if (opt < 0)
2853 return opt;
2854
2855 return selinux_add_opt(opt, param->string, &fc->security);
2856 }
2857
2858 /* inode security operations */
2859
selinux_inode_alloc_security(struct inode * inode)2860 static int selinux_inode_alloc_security(struct inode *inode)
2861 {
2862 struct inode_security_struct *isec = selinux_inode(inode);
2863 u32 sid = current_sid();
2864
2865 spin_lock_init(&isec->lock);
2866 INIT_LIST_HEAD(&isec->list);
2867 isec->inode = inode;
2868 isec->sid = SECINITSID_UNLABELED;
2869 isec->sclass = SECCLASS_FILE;
2870 isec->task_sid = sid;
2871 isec->initialized = LABEL_INVALID;
2872
2873 return 0;
2874 }
2875
selinux_inode_free_security(struct inode * inode)2876 static void selinux_inode_free_security(struct inode *inode)
2877 {
2878 inode_free_security(inode);
2879 }
2880
selinux_dentry_init_security(struct dentry * dentry,int mode,const struct qstr * name,const char ** xattr_name,struct lsm_context * cp)2881 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
2882 const struct qstr *name,
2883 const char **xattr_name,
2884 struct lsm_context *cp)
2885 {
2886 u32 newsid;
2887 int rc;
2888
2889 rc = selinux_determine_inode_label(selinux_cred(current_cred()),
2890 d_inode(dentry->d_parent), name,
2891 inode_mode_to_security_class(mode),
2892 &newsid);
2893 if (rc)
2894 return rc;
2895
2896 if (xattr_name)
2897 *xattr_name = XATTR_NAME_SELINUX;
2898
2899 cp->id = LSM_ID_SELINUX;
2900 return security_sid_to_context(newsid, &cp->context, &cp->len);
2901 }
2902
selinux_dentry_create_files_as(struct dentry * dentry,int mode,struct qstr * name,const struct cred * old,struct cred * new)2903 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
2904 struct qstr *name,
2905 const struct cred *old,
2906 struct cred *new)
2907 {
2908 u32 newsid;
2909 int rc;
2910 struct task_security_struct *tsec;
2911
2912 rc = selinux_determine_inode_label(selinux_cred(old),
2913 d_inode(dentry->d_parent), name,
2914 inode_mode_to_security_class(mode),
2915 &newsid);
2916 if (rc)
2917 return rc;
2918
2919 tsec = selinux_cred(new);
2920 tsec->create_sid = newsid;
2921 return 0;
2922 }
2923
selinux_inode_init_security(struct inode * inode,struct inode * dir,const struct qstr * qstr,struct xattr * xattrs,int * xattr_count)2924 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2925 const struct qstr *qstr,
2926 struct xattr *xattrs, int *xattr_count)
2927 {
2928 const struct task_security_struct *tsec = selinux_cred(current_cred());
2929 struct superblock_security_struct *sbsec;
2930 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
2931 u32 newsid, clen;
2932 u16 newsclass;
2933 int rc;
2934 char *context;
2935
2936 sbsec = selinux_superblock(dir->i_sb);
2937
2938 newsid = tsec->create_sid;
2939 newsclass = inode_mode_to_security_class(inode->i_mode);
2940 rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid);
2941 if (rc)
2942 return rc;
2943
2944 /* Possibly defer initialization to selinux_complete_init. */
2945 if (sbsec->flags & SE_SBINITIALIZED) {
2946 struct inode_security_struct *isec = selinux_inode(inode);
2947 isec->sclass = newsclass;
2948 isec->sid = newsid;
2949 isec->initialized = LABEL_INITIALIZED;
2950 }
2951
2952 if (!selinux_initialized() ||
2953 !(sbsec->flags & SBLABEL_MNT))
2954 return -EOPNOTSUPP;
2955
2956 if (xattr) {
2957 rc = security_sid_to_context_force(newsid,
2958 &context, &clen);
2959 if (rc)
2960 return rc;
2961 xattr->value = context;
2962 xattr->value_len = clen;
2963 xattr->name = XATTR_SELINUX_SUFFIX;
2964 }
2965
2966 return 0;
2967 }
2968
selinux_inode_init_security_anon(struct inode * inode,const struct qstr * name,const struct inode * context_inode)2969 static int selinux_inode_init_security_anon(struct inode *inode,
2970 const struct qstr *name,
2971 const struct inode *context_inode)
2972 {
2973 u32 sid = current_sid();
2974 struct common_audit_data ad;
2975 struct inode_security_struct *isec;
2976 int rc;
2977
2978 if (unlikely(!selinux_initialized()))
2979 return 0;
2980
2981 isec = selinux_inode(inode);
2982
2983 /*
2984 * We only get here once per ephemeral inode. The inode has
2985 * been initialized via inode_alloc_security but is otherwise
2986 * untouched.
2987 */
2988
2989 if (context_inode) {
2990 struct inode_security_struct *context_isec =
2991 selinux_inode(context_inode);
2992 if (context_isec->initialized != LABEL_INITIALIZED) {
2993 pr_err("SELinux: context_inode is not initialized\n");
2994 return -EACCES;
2995 }
2996
2997 isec->sclass = context_isec->sclass;
2998 isec->sid = context_isec->sid;
2999 } else {
3000 isec->sclass = SECCLASS_ANON_INODE;
3001 rc = security_transition_sid(
3002 sid, sid,
3003 isec->sclass, name, &isec->sid);
3004 if (rc)
3005 return rc;
3006 }
3007
3008 isec->initialized = LABEL_INITIALIZED;
3009 /*
3010 * Now that we've initialized security, check whether we're
3011 * allowed to actually create this type of anonymous inode.
3012 */
3013
3014 ad.type = LSM_AUDIT_DATA_ANONINODE;
3015 ad.u.anonclass = name ? (const char *)name->name : "?";
3016
3017 return avc_has_perm(sid,
3018 isec->sid,
3019 isec->sclass,
3020 FILE__CREATE,
3021 &ad);
3022 }
3023
selinux_inode_create(struct inode * dir,struct dentry * dentry,umode_t mode)3024 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
3025 {
3026 return may_create(dir, dentry, SECCLASS_FILE);
3027 }
3028
selinux_inode_link(struct dentry * old_dentry,struct inode * dir,struct dentry * new_dentry)3029 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
3030 {
3031 return may_link(dir, old_dentry, MAY_LINK);
3032 }
3033
selinux_inode_unlink(struct inode * dir,struct dentry * dentry)3034 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
3035 {
3036 return may_link(dir, dentry, MAY_UNLINK);
3037 }
3038
selinux_inode_symlink(struct inode * dir,struct dentry * dentry,const char * name)3039 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
3040 {
3041 return may_create(dir, dentry, SECCLASS_LNK_FILE);
3042 }
3043
selinux_inode_mkdir(struct inode * dir,struct dentry * dentry,umode_t mask)3044 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask)
3045 {
3046 return may_create(dir, dentry, SECCLASS_DIR);
3047 }
3048
selinux_inode_rmdir(struct inode * dir,struct dentry * dentry)3049 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
3050 {
3051 return may_link(dir, dentry, MAY_RMDIR);
3052 }
3053
selinux_inode_mknod(struct inode * dir,struct dentry * dentry,umode_t mode,dev_t dev)3054 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
3055 {
3056 return may_create(dir, dentry, inode_mode_to_security_class(mode));
3057 }
3058
selinux_inode_rename(struct inode * old_inode,struct dentry * old_dentry,struct inode * new_inode,struct dentry * new_dentry)3059 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
3060 struct inode *new_inode, struct dentry *new_dentry)
3061 {
3062 return may_rename(old_inode, old_dentry, new_inode, new_dentry);
3063 }
3064
selinux_inode_readlink(struct dentry * dentry)3065 static int selinux_inode_readlink(struct dentry *dentry)
3066 {
3067 const struct cred *cred = current_cred();
3068
3069 return dentry_has_perm(cred, dentry, FILE__READ);
3070 }
3071
selinux_inode_follow_link(struct dentry * dentry,struct inode * inode,bool rcu)3072 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
3073 bool rcu)
3074 {
3075 struct common_audit_data ad;
3076 struct inode_security_struct *isec;
3077 u32 sid = current_sid();
3078
3079 ad.type = LSM_AUDIT_DATA_DENTRY;
3080 ad.u.dentry = dentry;
3081 isec = inode_security_rcu(inode, rcu);
3082 if (IS_ERR(isec))
3083 return PTR_ERR(isec);
3084
3085 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad);
3086 }
3087
audit_inode_permission(struct inode * inode,u32 perms,u32 audited,u32 denied,int result)3088 static noinline int audit_inode_permission(struct inode *inode,
3089 u32 perms, u32 audited, u32 denied,
3090 int result)
3091 {
3092 struct common_audit_data ad;
3093 struct inode_security_struct *isec = selinux_inode(inode);
3094
3095 ad.type = LSM_AUDIT_DATA_INODE;
3096 ad.u.inode = inode;
3097
3098 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
3099 audited, denied, result, &ad);
3100 }
3101
3102 /**
3103 * task_avdcache_reset - Reset the task's AVD cache
3104 * @tsec: the task's security state
3105 *
3106 * Clear the task's AVD cache in @tsec and reset it to the current policy's
3107 * and task's info.
3108 */
task_avdcache_reset(struct task_security_struct * tsec)3109 static inline void task_avdcache_reset(struct task_security_struct *tsec)
3110 {
3111 memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir));
3112 tsec->avdcache.sid = tsec->sid;
3113 tsec->avdcache.seqno = avc_policy_seqno();
3114 tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1;
3115 }
3116
3117 /**
3118 * task_avdcache_search - Search the task's AVD cache
3119 * @tsec: the task's security state
3120 * @isec: the inode to search for in the cache
3121 * @avdc: matching avd cache entry returned to the caller
3122 *
3123 * Search @tsec for a AVD cache entry that matches @isec and return it to the
3124 * caller via @avdc. Returns 0 if a match is found, negative values otherwise.
3125 */
task_avdcache_search(struct task_security_struct * tsec,struct inode_security_struct * isec,struct avdc_entry ** avdc)3126 static inline int task_avdcache_search(struct task_security_struct *tsec,
3127 struct inode_security_struct *isec,
3128 struct avdc_entry **avdc)
3129 {
3130 int orig, iter;
3131
3132 /* focused on path walk optimization, only cache directories */
3133 if (isec->sclass != SECCLASS_DIR)
3134 return -ENOENT;
3135
3136 if (unlikely(tsec->sid != tsec->avdcache.sid ||
3137 tsec->avdcache.seqno != avc_policy_seqno())) {
3138 task_avdcache_reset(tsec);
3139 return -ENOENT;
3140 }
3141
3142 orig = iter = tsec->avdcache.dir_spot;
3143 do {
3144 if (tsec->avdcache.dir[iter].isid == isec->sid) {
3145 /* cache hit */
3146 tsec->avdcache.dir_spot = iter;
3147 *avdc = &tsec->avdcache.dir[iter];
3148 return 0;
3149 }
3150 iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1);
3151 } while (iter != orig);
3152
3153 return -ENOENT;
3154 }
3155
3156 /**
3157 * task_avdcache_update - Update the task's AVD cache
3158 * @tsec: the task's security state
3159 * @isec: the inode associated with the cache entry
3160 * @avd: the AVD to cache
3161 * @audited: the permission audit bitmask to cache
3162 *
3163 * Update the AVD cache in @tsec with the @avdc and @audited info associated
3164 * with @isec.
3165 */
task_avdcache_update(struct task_security_struct * tsec,struct inode_security_struct * isec,struct av_decision * avd,u32 audited)3166 static inline void task_avdcache_update(struct task_security_struct *tsec,
3167 struct inode_security_struct *isec,
3168 struct av_decision *avd,
3169 u32 audited)
3170 {
3171 int spot;
3172
3173 /* focused on path walk optimization, only cache directories */
3174 if (isec->sclass != SECCLASS_DIR)
3175 return;
3176
3177 /* update cache */
3178 spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1);
3179 tsec->avdcache.dir_spot = spot;
3180 tsec->avdcache.dir[spot].isid = isec->sid;
3181 tsec->avdcache.dir[spot].audited = audited;
3182 tsec->avdcache.dir[spot].allowed = avd->allowed;
3183 tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE;
3184 }
3185
3186 /**
3187 * selinux_inode_permission - Check if the current task can access an inode
3188 * @inode: the inode that is being accessed
3189 * @requested: the accesses being requested
3190 *
3191 * Check if the current task is allowed to access @inode according to
3192 * @requested. Returns 0 if allowed, negative values otherwise.
3193 */
selinux_inode_permission(struct inode * inode,int requested)3194 static int selinux_inode_permission(struct inode *inode, int requested)
3195 {
3196 int mask;
3197 u32 perms;
3198 struct task_security_struct *tsec;
3199 struct inode_security_struct *isec;
3200 struct avdc_entry *avdc;
3201 int rc, rc2;
3202 u32 audited, denied;
3203
3204 mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
3205
3206 /* No permission to check. Existence test. */
3207 if (!mask)
3208 return 0;
3209
3210 isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK);
3211 if (IS_ERR(isec))
3212 return PTR_ERR(isec);
3213 tsec = selinux_cred(current_cred());
3214 perms = file_mask_to_av(inode->i_mode, mask);
3215
3216 rc = task_avdcache_search(tsec, isec, &avdc);
3217 if (likely(!rc)) {
3218 /* Cache hit. */
3219 audited = perms & avdc->audited;
3220 denied = perms & ~avdc->allowed;
3221 if (unlikely(denied && enforcing_enabled() &&
3222 !avdc->permissive))
3223 rc = -EACCES;
3224 } else {
3225 struct av_decision avd;
3226
3227 /* Cache miss. */
3228 rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass,
3229 perms, 0, &avd);
3230 audited = avc_audit_required(perms, &avd, rc,
3231 (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,
3232 &denied);
3233 task_avdcache_update(tsec, isec, &avd, audited);
3234 }
3235
3236 if (likely(!audited))
3237 return rc;
3238
3239 rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
3240 if (rc2)
3241 return rc2;
3242
3243 return rc;
3244 }
3245
selinux_inode_setattr(struct mnt_idmap * idmap,struct dentry * dentry,struct iattr * iattr)3246 static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
3247 struct iattr *iattr)
3248 {
3249 const struct cred *cred = current_cred();
3250 struct inode *inode = d_backing_inode(dentry);
3251 unsigned int ia_valid = iattr->ia_valid;
3252 u32 av = FILE__WRITE;
3253
3254 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
3255 if (ia_valid & ATTR_FORCE) {
3256 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
3257 ATTR_FORCE);
3258 if (!ia_valid)
3259 return 0;
3260 }
3261
3262 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
3263 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
3264 return dentry_has_perm(cred, dentry, FILE__SETATTR);
3265
3266 if (selinux_policycap_openperm() &&
3267 inode->i_sb->s_magic != SOCKFS_MAGIC &&
3268 (ia_valid & ATTR_SIZE) &&
3269 !(ia_valid & ATTR_FILE))
3270 av |= FILE__OPEN;
3271
3272 return dentry_has_perm(cred, dentry, av);
3273 }
3274
selinux_inode_getattr(const struct path * path)3275 static int selinux_inode_getattr(const struct path *path)
3276 {
3277 return path_has_perm(current_cred(), path, FILE__GETATTR);
3278 }
3279
has_cap_mac_admin(bool audit)3280 static bool has_cap_mac_admin(bool audit)
3281 {
3282 const struct cred *cred = current_cred();
3283 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT;
3284
3285 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts))
3286 return false;
3287 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true))
3288 return false;
3289 return true;
3290 }
3291
3292 /**
3293 * selinux_inode_xattr_skipcap - Skip the xattr capability checks?
3294 * @name: name of the xattr
3295 *
3296 * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs
3297 * named @name; the LSM layer should avoid enforcing any traditional
3298 * capability based access controls on this xattr. Returns 0 to indicate that
3299 * SELinux does not "own" the access control rights to xattrs named @name and is
3300 * deferring to the LSM layer for further access controls, including capability
3301 * based controls.
3302 */
selinux_inode_xattr_skipcap(const char * name)3303 static int selinux_inode_xattr_skipcap(const char *name)
3304 {
3305 /* require capability check if not a selinux xattr */
3306 return !strcmp(name, XATTR_NAME_SELINUX);
3307 }
3308
selinux_inode_setxattr(struct mnt_idmap * idmap,struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3309 static int selinux_inode_setxattr(struct mnt_idmap *idmap,
3310 struct dentry *dentry, const char *name,
3311 const void *value, size_t size, int flags)
3312 {
3313 struct inode *inode = d_backing_inode(dentry);
3314 struct inode_security_struct *isec;
3315 struct superblock_security_struct *sbsec;
3316 struct common_audit_data ad;
3317 u32 newsid, sid = current_sid();
3318 int rc = 0;
3319
3320 /* if not a selinux xattr, only check the ordinary setattr perm */
3321 if (strcmp(name, XATTR_NAME_SELINUX))
3322 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3323
3324 if (!selinux_initialized())
3325 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM);
3326
3327 sbsec = selinux_superblock(inode->i_sb);
3328 if (!(sbsec->flags & SBLABEL_MNT))
3329 return -EOPNOTSUPP;
3330
3331 if (!inode_owner_or_capable(idmap, inode))
3332 return -EPERM;
3333
3334 ad.type = LSM_AUDIT_DATA_DENTRY;
3335 ad.u.dentry = dentry;
3336
3337 isec = backing_inode_security(dentry);
3338 rc = avc_has_perm(sid, isec->sid, isec->sclass,
3339 FILE__RELABELFROM, &ad);
3340 if (rc)
3341 return rc;
3342
3343 rc = security_context_to_sid(value, size, &newsid,
3344 GFP_KERNEL);
3345 if (rc == -EINVAL) {
3346 if (!has_cap_mac_admin(true)) {
3347 struct audit_buffer *ab;
3348 size_t audit_size;
3349
3350 /* We strip a nul only if it is at the end, otherwise the
3351 * context contains a nul and we should audit that */
3352 if (value) {
3353 const char *str = value;
3354
3355 if (str[size - 1] == '\0')
3356 audit_size = size - 1;
3357 else
3358 audit_size = size;
3359 } else {
3360 audit_size = 0;
3361 }
3362 ab = audit_log_start(audit_context(),
3363 GFP_ATOMIC, AUDIT_SELINUX_ERR);
3364 if (!ab)
3365 return rc;
3366 audit_log_format(ab, "op=setxattr invalid_context=");
3367 audit_log_n_untrustedstring(ab, value, audit_size);
3368 audit_log_end(ab);
3369
3370 return rc;
3371 }
3372 rc = security_context_to_sid_force(value,
3373 size, &newsid);
3374 }
3375 if (rc)
3376 return rc;
3377
3378 rc = avc_has_perm(sid, newsid, isec->sclass,
3379 FILE__RELABELTO, &ad);
3380 if (rc)
3381 return rc;
3382
3383 rc = security_validate_transition(isec->sid, newsid,
3384 sid, isec->sclass);
3385 if (rc)
3386 return rc;
3387
3388 return avc_has_perm(newsid,
3389 sbsec->sid,
3390 SECCLASS_FILESYSTEM,
3391 FILESYSTEM__ASSOCIATE,
3392 &ad);
3393 }
3394
selinux_inode_set_acl(struct mnt_idmap * idmap,struct dentry * dentry,const char * acl_name,struct posix_acl * kacl)3395 static int selinux_inode_set_acl(struct mnt_idmap *idmap,
3396 struct dentry *dentry, const char *acl_name,
3397 struct posix_acl *kacl)
3398 {
3399 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3400 }
3401
selinux_inode_get_acl(struct mnt_idmap * idmap,struct dentry * dentry,const char * acl_name)3402 static int selinux_inode_get_acl(struct mnt_idmap *idmap,
3403 struct dentry *dentry, const char *acl_name)
3404 {
3405 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3406 }
3407
selinux_inode_remove_acl(struct mnt_idmap * idmap,struct dentry * dentry,const char * acl_name)3408 static int selinux_inode_remove_acl(struct mnt_idmap *idmap,
3409 struct dentry *dentry, const char *acl_name)
3410 {
3411 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3412 }
3413
selinux_inode_post_setxattr(struct dentry * dentry,const char * name,const void * value,size_t size,int flags)3414 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
3415 const void *value, size_t size,
3416 int flags)
3417 {
3418 struct inode *inode = d_backing_inode(dentry);
3419 struct inode_security_struct *isec;
3420 u32 newsid;
3421 int rc;
3422
3423 if (strcmp(name, XATTR_NAME_SELINUX)) {
3424 /* Not an attribute we recognize, so nothing to do. */
3425 return;
3426 }
3427
3428 if (!selinux_initialized()) {
3429 /* If we haven't even been initialized, then we can't validate
3430 * against a policy, so leave the label as invalid. It may
3431 * resolve to a valid label on the next revalidation try if
3432 * we've since initialized.
3433 */
3434 return;
3435 }
3436
3437 rc = security_context_to_sid_force(value, size,
3438 &newsid);
3439 if (rc) {
3440 pr_err("SELinux: unable to map context to SID"
3441 "for (%s, %lu), rc=%d\n",
3442 inode->i_sb->s_id, inode->i_ino, -rc);
3443 return;
3444 }
3445
3446 isec = backing_inode_security(dentry);
3447 spin_lock(&isec->lock);
3448 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3449 isec->sid = newsid;
3450 isec->initialized = LABEL_INITIALIZED;
3451 spin_unlock(&isec->lock);
3452 }
3453
selinux_inode_getxattr(struct dentry * dentry,const char * name)3454 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
3455 {
3456 const struct cred *cred = current_cred();
3457
3458 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3459 }
3460
selinux_inode_listxattr(struct dentry * dentry)3461 static int selinux_inode_listxattr(struct dentry *dentry)
3462 {
3463 const struct cred *cred = current_cred();
3464
3465 return dentry_has_perm(cred, dentry, FILE__GETATTR);
3466 }
3467
selinux_inode_removexattr(struct mnt_idmap * idmap,struct dentry * dentry,const char * name)3468 static int selinux_inode_removexattr(struct mnt_idmap *idmap,
3469 struct dentry *dentry, const char *name)
3470 {
3471 /* if not a selinux xattr, only check the ordinary setattr perm */
3472 if (strcmp(name, XATTR_NAME_SELINUX))
3473 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3474
3475 if (!selinux_initialized())
3476 return 0;
3477
3478 /* No one is allowed to remove a SELinux security label.
3479 You can change the label, but all data must be labeled. */
3480 return -EACCES;
3481 }
3482
selinux_inode_file_setattr(struct dentry * dentry,struct file_kattr * fa)3483 static int selinux_inode_file_setattr(struct dentry *dentry,
3484 struct file_kattr *fa)
3485 {
3486 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
3487 }
3488
selinux_inode_file_getattr(struct dentry * dentry,struct file_kattr * fa)3489 static int selinux_inode_file_getattr(struct dentry *dentry,
3490 struct file_kattr *fa)
3491 {
3492 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
3493 }
3494
selinux_path_notify(const struct path * path,u64 mask,unsigned int obj_type)3495 static int selinux_path_notify(const struct path *path, u64 mask,
3496 unsigned int obj_type)
3497 {
3498 int ret;
3499 u32 perm;
3500
3501 struct common_audit_data ad;
3502
3503 ad.type = LSM_AUDIT_DATA_PATH;
3504 ad.u.path = *path;
3505
3506 /*
3507 * Set permission needed based on the type of mark being set.
3508 * Performs an additional check for sb watches.
3509 */
3510 switch (obj_type) {
3511 case FSNOTIFY_OBJ_TYPE_VFSMOUNT:
3512 perm = FILE__WATCH_MOUNT;
3513 break;
3514 case FSNOTIFY_OBJ_TYPE_SB:
3515 perm = FILE__WATCH_SB;
3516 ret = superblock_has_perm(current_cred(), path->dentry->d_sb,
3517 FILESYSTEM__WATCH, &ad);
3518 if (ret)
3519 return ret;
3520 break;
3521 case FSNOTIFY_OBJ_TYPE_INODE:
3522 perm = FILE__WATCH;
3523 break;
3524 case FSNOTIFY_OBJ_TYPE_MNTNS:
3525 perm = FILE__WATCH_MOUNTNS;
3526 break;
3527 default:
3528 return -EINVAL;
3529 }
3530
3531 /* blocking watches require the file:watch_with_perm permission */
3532 if (mask & (ALL_FSNOTIFY_PERM_EVENTS))
3533 perm |= FILE__WATCH_WITH_PERM;
3534
3535 /* watches on read-like events need the file:watch_reads permission */
3536 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS |
3537 FS_CLOSE_NOWRITE))
3538 perm |= FILE__WATCH_READS;
3539
3540 return path_has_perm(current_cred(), path, perm);
3541 }
3542
3543 /*
3544 * Copy the inode security context value to the user.
3545 *
3546 * Permission check is handled by selinux_inode_getxattr hook.
3547 */
selinux_inode_getsecurity(struct mnt_idmap * idmap,struct inode * inode,const char * name,void ** buffer,bool alloc)3548 static int selinux_inode_getsecurity(struct mnt_idmap *idmap,
3549 struct inode *inode, const char *name,
3550 void **buffer, bool alloc)
3551 {
3552 u32 size;
3553 int error;
3554 char *context = NULL;
3555 struct inode_security_struct *isec;
3556
3557 /*
3558 * If we're not initialized yet, then we can't validate contexts, so
3559 * just let vfs_getxattr fall back to using the on-disk xattr.
3560 */
3561 if (!selinux_initialized() ||
3562 strcmp(name, XATTR_SELINUX_SUFFIX))
3563 return -EOPNOTSUPP;
3564
3565 /*
3566 * If the caller has CAP_MAC_ADMIN, then get the raw context
3567 * value even if it is not defined by current policy; otherwise,
3568 * use the in-core value under current policy.
3569 * Use the non-auditing forms of the permission checks since
3570 * getxattr may be called by unprivileged processes commonly
3571 * and lack of permission just means that we fall back to the
3572 * in-core context value, not a denial.
3573 */
3574 isec = inode_security(inode);
3575 if (has_cap_mac_admin(false))
3576 error = security_sid_to_context_force(isec->sid, &context,
3577 &size);
3578 else
3579 error = security_sid_to_context(isec->sid,
3580 &context, &size);
3581 if (error)
3582 return error;
3583 error = size;
3584 if (alloc) {
3585 *buffer = context;
3586 goto out_nofree;
3587 }
3588 kfree(context);
3589 out_nofree:
3590 return error;
3591 }
3592
selinux_inode_setsecurity(struct inode * inode,const char * name,const void * value,size_t size,int flags)3593 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
3594 const void *value, size_t size, int flags)
3595 {
3596 struct inode_security_struct *isec = inode_security_novalidate(inode);
3597 struct superblock_security_struct *sbsec;
3598 u32 newsid;
3599 int rc;
3600
3601 if (strcmp(name, XATTR_SELINUX_SUFFIX))
3602 return -EOPNOTSUPP;
3603
3604 sbsec = selinux_superblock(inode->i_sb);
3605 if (!(sbsec->flags & SBLABEL_MNT))
3606 return -EOPNOTSUPP;
3607
3608 if (!value || !size)
3609 return -EACCES;
3610
3611 rc = security_context_to_sid(value, size, &newsid,
3612 GFP_KERNEL);
3613 if (rc)
3614 return rc;
3615
3616 spin_lock(&isec->lock);
3617 isec->sclass = inode_mode_to_security_class(inode->i_mode);
3618 isec->sid = newsid;
3619 isec->initialized = LABEL_INITIALIZED;
3620 spin_unlock(&isec->lock);
3621 return 0;
3622 }
3623
selinux_inode_listsecurity(struct inode * inode,char * buffer,size_t buffer_size)3624 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
3625 {
3626 const int len = sizeof(XATTR_NAME_SELINUX);
3627
3628 if (!selinux_initialized())
3629 return 0;
3630
3631 if (buffer && len <= buffer_size)
3632 memcpy(buffer, XATTR_NAME_SELINUX, len);
3633 return len;
3634 }
3635
selinux_inode_getlsmprop(struct inode * inode,struct lsm_prop * prop)3636 static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop)
3637 {
3638 struct inode_security_struct *isec = inode_security_novalidate(inode);
3639
3640 prop->selinux.secid = isec->sid;
3641 }
3642
selinux_inode_copy_up(struct dentry * src,struct cred ** new)3643 static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
3644 {
3645 struct lsm_prop prop;
3646 struct task_security_struct *tsec;
3647 struct cred *new_creds = *new;
3648
3649 if (new_creds == NULL) {
3650 new_creds = prepare_creds();
3651 if (!new_creds)
3652 return -ENOMEM;
3653 }
3654
3655 tsec = selinux_cred(new_creds);
3656 /* Get label from overlay inode and set it in create_sid */
3657 selinux_inode_getlsmprop(d_inode(src), &prop);
3658 tsec->create_sid = prop.selinux.secid;
3659 *new = new_creds;
3660 return 0;
3661 }
3662
selinux_inode_copy_up_xattr(struct dentry * dentry,const char * name)3663 static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name)
3664 {
3665 /* The copy_up hook above sets the initial context on an inode, but we
3666 * don't then want to overwrite it by blindly copying all the lower
3667 * xattrs up. Instead, filter out SELinux-related xattrs following
3668 * policy load.
3669 */
3670 if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX))
3671 return -ECANCELED; /* Discard */
3672 /*
3673 * Any other attribute apart from SELINUX is not claimed, supported
3674 * by selinux.
3675 */
3676 return -EOPNOTSUPP;
3677 }
3678
3679 /* kernfs node operations */
3680
selinux_kernfs_init_security(struct kernfs_node * kn_dir,struct kernfs_node * kn)3681 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir,
3682 struct kernfs_node *kn)
3683 {
3684 const struct task_security_struct *tsec = selinux_cred(current_cred());
3685 u32 parent_sid, newsid, clen;
3686 int rc;
3687 char *context;
3688
3689 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0);
3690 if (rc == -ENODATA)
3691 return 0;
3692 else if (rc < 0)
3693 return rc;
3694
3695 clen = (u32)rc;
3696 context = kmalloc(clen, GFP_KERNEL);
3697 if (!context)
3698 return -ENOMEM;
3699
3700 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen);
3701 if (rc < 0) {
3702 kfree(context);
3703 return rc;
3704 }
3705
3706 rc = security_context_to_sid(context, clen, &parent_sid,
3707 GFP_KERNEL);
3708 kfree(context);
3709 if (rc)
3710 return rc;
3711
3712 if (tsec->create_sid) {
3713 newsid = tsec->create_sid;
3714 } else {
3715 u16 secclass = inode_mode_to_security_class(kn->mode);
3716 const char *kn_name;
3717 struct qstr q;
3718
3719 /* kn is fresh, can't be renamed, name goes not away */
3720 kn_name = rcu_dereference_check(kn->name, true);
3721 q.name = kn_name;
3722 q.hash_len = hashlen_string(kn_dir, kn_name);
3723
3724 rc = security_transition_sid(tsec->sid,
3725 parent_sid, secclass, &q,
3726 &newsid);
3727 if (rc)
3728 return rc;
3729 }
3730
3731 rc = security_sid_to_context_force(newsid,
3732 &context, &clen);
3733 if (rc)
3734 return rc;
3735
3736 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen,
3737 XATTR_CREATE);
3738 kfree(context);
3739 return rc;
3740 }
3741
3742
3743 /* file security operations */
3744
selinux_revalidate_file_permission(struct file * file,int mask)3745 static int selinux_revalidate_file_permission(struct file *file, int mask)
3746 {
3747 const struct cred *cred = current_cred();
3748 struct inode *inode = file_inode(file);
3749
3750 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
3751 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
3752 mask |= MAY_APPEND;
3753
3754 return file_has_perm(cred, file,
3755 file_mask_to_av(inode->i_mode, mask));
3756 }
3757
selinux_file_permission(struct file * file,int mask)3758 static int selinux_file_permission(struct file *file, int mask)
3759 {
3760 struct inode *inode = file_inode(file);
3761 struct file_security_struct *fsec = selinux_file(file);
3762 struct inode_security_struct *isec;
3763 u32 sid = current_sid();
3764
3765 if (!mask)
3766 /* No permission to check. Existence test. */
3767 return 0;
3768
3769 isec = inode_security(inode);
3770 if (sid == fsec->sid && fsec->isid == isec->sid &&
3771 fsec->pseqno == avc_policy_seqno())
3772 /* No change since file_open check. */
3773 return 0;
3774
3775 return selinux_revalidate_file_permission(file, mask);
3776 }
3777
selinux_file_alloc_security(struct file * file)3778 static int selinux_file_alloc_security(struct file *file)
3779 {
3780 struct file_security_struct *fsec = selinux_file(file);
3781 u32 sid = current_sid();
3782
3783 fsec->sid = sid;
3784 fsec->fown_sid = sid;
3785
3786 return 0;
3787 }
3788
3789 /*
3790 * Check whether a task has the ioctl permission and cmd
3791 * operation to an inode.
3792 */
ioctl_has_perm(const struct cred * cred,struct file * file,u32 requested,u16 cmd)3793 static int ioctl_has_perm(const struct cred *cred, struct file *file,
3794 u32 requested, u16 cmd)
3795 {
3796 struct common_audit_data ad;
3797 struct file_security_struct *fsec = selinux_file(file);
3798 struct inode *inode = file_inode(file);
3799 struct inode_security_struct *isec;
3800 struct lsm_ioctlop_audit ioctl;
3801 u32 ssid = cred_sid(cred);
3802 int rc;
3803 u8 driver = cmd >> 8;
3804 u8 xperm = cmd & 0xff;
3805
3806 ad.type = LSM_AUDIT_DATA_IOCTL_OP;
3807 ad.u.op = &ioctl;
3808 ad.u.op->cmd = cmd;
3809 ad.u.op->path = file->f_path;
3810
3811 if (ssid != fsec->sid) {
3812 rc = avc_has_perm(ssid, fsec->sid,
3813 SECCLASS_FD,
3814 FD__USE,
3815 &ad);
3816 if (rc)
3817 goto out;
3818 }
3819
3820 if (unlikely(IS_PRIVATE(inode)))
3821 return 0;
3822
3823 isec = inode_security(inode);
3824 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested,
3825 driver, AVC_EXT_IOCTL, xperm, &ad);
3826 out:
3827 return rc;
3828 }
3829
selinux_file_ioctl(struct file * file,unsigned int cmd,unsigned long arg)3830 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3831 unsigned long arg)
3832 {
3833 const struct cred *cred = current_cred();
3834 int error = 0;
3835
3836 switch (cmd) {
3837 case FIONREAD:
3838 case FIBMAP:
3839 case FIGETBSZ:
3840 case FS_IOC_GETFLAGS:
3841 case FS_IOC_GETVERSION:
3842 error = file_has_perm(cred, file, FILE__GETATTR);
3843 break;
3844
3845 case FS_IOC_SETFLAGS:
3846 case FS_IOC_SETVERSION:
3847 error = file_has_perm(cred, file, FILE__SETATTR);
3848 break;
3849
3850 /* sys_ioctl() checks */
3851 case FIONBIO:
3852 case FIOASYNC:
3853 error = file_has_perm(cred, file, 0);
3854 break;
3855
3856 case KDSKBENT:
3857 case KDSKBSENT:
3858 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG,
3859 CAP_OPT_NONE, true);
3860 break;
3861
3862 case FIOCLEX:
3863 case FIONCLEX:
3864 if (!selinux_policycap_ioctl_skip_cloexec())
3865 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3866 break;
3867
3868 /* default case assumes that the command will go
3869 * to the file's ioctl() function.
3870 */
3871 default:
3872 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd);
3873 }
3874 return error;
3875 }
3876
selinux_file_ioctl_compat(struct file * file,unsigned int cmd,unsigned long arg)3877 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd,
3878 unsigned long arg)
3879 {
3880 /*
3881 * If we are in a 64-bit kernel running 32-bit userspace, we need to
3882 * make sure we don't compare 32-bit flags to 64-bit flags.
3883 */
3884 switch (cmd) {
3885 case FS_IOC32_GETFLAGS:
3886 cmd = FS_IOC_GETFLAGS;
3887 break;
3888 case FS_IOC32_SETFLAGS:
3889 cmd = FS_IOC_SETFLAGS;
3890 break;
3891 case FS_IOC32_GETVERSION:
3892 cmd = FS_IOC_GETVERSION;
3893 break;
3894 case FS_IOC32_SETVERSION:
3895 cmd = FS_IOC_SETVERSION;
3896 break;
3897 default:
3898 break;
3899 }
3900
3901 return selinux_file_ioctl(file, cmd, arg);
3902 }
3903
3904 static int default_noexec __ro_after_init;
3905
file_map_prot_check(struct file * file,unsigned long prot,int shared)3906 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3907 {
3908 const struct cred *cred = current_cred();
3909 u32 sid = cred_sid(cred);
3910 int rc = 0;
3911
3912 if (default_noexec &&
3913 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) ||
3914 (!shared && (prot & PROT_WRITE)))) {
3915 /*
3916 * We are making executable an anonymous mapping or a
3917 * private file mapping that will also be writable.
3918 * This has an additional check.
3919 */
3920 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3921 PROCESS__EXECMEM, NULL);
3922 if (rc)
3923 goto error;
3924 }
3925
3926 if (file) {
3927 /* read access is always possible with a mapping */
3928 u32 av = FILE__READ;
3929
3930 /* write access only matters if the mapping is shared */
3931 if (shared && (prot & PROT_WRITE))
3932 av |= FILE__WRITE;
3933
3934 if (prot & PROT_EXEC)
3935 av |= FILE__EXECUTE;
3936
3937 return file_has_perm(cred, file, av);
3938 }
3939
3940 error:
3941 return rc;
3942 }
3943
selinux_mmap_addr(unsigned long addr)3944 static int selinux_mmap_addr(unsigned long addr)
3945 {
3946 int rc = 0;
3947
3948 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
3949 u32 sid = current_sid();
3950 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3951 MEMPROTECT__MMAP_ZERO, NULL);
3952 }
3953
3954 return rc;
3955 }
3956
selinux_mmap_file(struct file * file,unsigned long reqprot __always_unused,unsigned long prot,unsigned long flags)3957 static int selinux_mmap_file(struct file *file,
3958 unsigned long reqprot __always_unused,
3959 unsigned long prot, unsigned long flags)
3960 {
3961 struct common_audit_data ad;
3962 int rc;
3963
3964 if (file) {
3965 ad.type = LSM_AUDIT_DATA_FILE;
3966 ad.u.file = file;
3967 rc = inode_has_perm(current_cred(), file_inode(file),
3968 FILE__MAP, &ad);
3969 if (rc)
3970 return rc;
3971 }
3972
3973 return file_map_prot_check(file, prot,
3974 (flags & MAP_TYPE) == MAP_SHARED);
3975 }
3976
selinux_file_mprotect(struct vm_area_struct * vma,unsigned long reqprot __always_unused,unsigned long prot)3977 static int selinux_file_mprotect(struct vm_area_struct *vma,
3978 unsigned long reqprot __always_unused,
3979 unsigned long prot)
3980 {
3981 const struct cred *cred = current_cred();
3982 u32 sid = cred_sid(cred);
3983
3984 if (default_noexec &&
3985 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3986 int rc = 0;
3987 /*
3988 * We don't use the vma_is_initial_heap() helper as it has
3989 * a history of problems and is currently broken on systems
3990 * where there is no heap, e.g. brk == start_brk. Before
3991 * replacing the conditional below with vma_is_initial_heap(),
3992 * or something similar, please ensure that the logic is the
3993 * same as what we have below or you have tested every possible
3994 * corner case you can think to test.
3995 */
3996 if (vma->vm_start >= vma->vm_mm->start_brk &&
3997 vma->vm_end <= vma->vm_mm->brk) {
3998 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
3999 PROCESS__EXECHEAP, NULL);
4000 } else if (!vma->vm_file && (vma_is_initial_stack(vma) ||
4001 vma_is_stack_for_current(vma))) {
4002 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS,
4003 PROCESS__EXECSTACK, NULL);
4004 } else if (vma->vm_file && vma->anon_vma) {
4005 /*
4006 * We are making executable a file mapping that has
4007 * had some COW done. Since pages might have been
4008 * written, check ability to execute the possibly
4009 * modified content. This typically should only
4010 * occur for text relocations.
4011 */
4012 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
4013 }
4014 if (rc)
4015 return rc;
4016 }
4017
4018 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
4019 }
4020
selinux_file_lock(struct file * file,unsigned int cmd)4021 static int selinux_file_lock(struct file *file, unsigned int cmd)
4022 {
4023 const struct cred *cred = current_cred();
4024
4025 return file_has_perm(cred, file, FILE__LOCK);
4026 }
4027
selinux_file_fcntl(struct file * file,unsigned int cmd,unsigned long arg)4028 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
4029 unsigned long arg)
4030 {
4031 const struct cred *cred = current_cred();
4032 int err = 0;
4033
4034 switch (cmd) {
4035 case F_SETFL:
4036 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
4037 err = file_has_perm(cred, file, FILE__WRITE);
4038 break;
4039 }
4040 fallthrough;
4041 case F_SETOWN:
4042 case F_SETSIG:
4043 case F_GETFL:
4044 case F_GETOWN:
4045 case F_GETSIG:
4046 case F_GETOWNER_UIDS:
4047 /* Just check FD__USE permission */
4048 err = file_has_perm(cred, file, 0);
4049 break;
4050 case F_GETLK:
4051 case F_SETLK:
4052 case F_SETLKW:
4053 case F_OFD_GETLK:
4054 case F_OFD_SETLK:
4055 case F_OFD_SETLKW:
4056 #if BITS_PER_LONG == 32
4057 case F_GETLK64:
4058 case F_SETLK64:
4059 case F_SETLKW64:
4060 #endif
4061 err = file_has_perm(cred, file, FILE__LOCK);
4062 break;
4063 }
4064
4065 return err;
4066 }
4067
selinux_file_set_fowner(struct file * file)4068 static void selinux_file_set_fowner(struct file *file)
4069 {
4070 struct file_security_struct *fsec;
4071
4072 fsec = selinux_file(file);
4073 fsec->fown_sid = current_sid();
4074 }
4075
selinux_file_send_sigiotask(struct task_struct * tsk,struct fown_struct * fown,int signum)4076 static int selinux_file_send_sigiotask(struct task_struct *tsk,
4077 struct fown_struct *fown, int signum)
4078 {
4079 struct file *file;
4080 u32 sid = task_sid_obj(tsk);
4081 u32 perm;
4082 struct file_security_struct *fsec;
4083
4084 /* struct fown_struct is never outside the context of a struct file */
4085 file = fown->file;
4086
4087 fsec = selinux_file(file);
4088
4089 if (!signum)
4090 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
4091 else
4092 perm = signal_to_av(signum);
4093
4094 return avc_has_perm(fsec->fown_sid, sid,
4095 SECCLASS_PROCESS, perm, NULL);
4096 }
4097
selinux_file_receive(struct file * file)4098 static int selinux_file_receive(struct file *file)
4099 {
4100 const struct cred *cred = current_cred();
4101
4102 return file_has_perm(cred, file, file_to_av(file));
4103 }
4104
selinux_file_open(struct file * file)4105 static int selinux_file_open(struct file *file)
4106 {
4107 struct file_security_struct *fsec;
4108 struct inode_security_struct *isec;
4109
4110 fsec = selinux_file(file);
4111 isec = inode_security(file_inode(file));
4112 /*
4113 * Save inode label and policy sequence number
4114 * at open-time so that selinux_file_permission
4115 * can determine whether revalidation is necessary.
4116 * Task label is already saved in the file security
4117 * struct as its SID.
4118 */
4119 fsec->isid = isec->sid;
4120 fsec->pseqno = avc_policy_seqno();
4121 /*
4122 * Since the inode label or policy seqno may have changed
4123 * between the selinux_inode_permission check and the saving
4124 * of state above, recheck that access is still permitted.
4125 * Otherwise, access might never be revalidated against the
4126 * new inode label or new policy.
4127 * This check is not redundant - do not remove.
4128 */
4129 return file_path_has_perm(file->f_cred, file, open_file_to_av(file));
4130 }
4131
4132 /* task security operations */
4133
selinux_task_alloc(struct task_struct * task,unsigned long clone_flags)4134 static int selinux_task_alloc(struct task_struct *task,
4135 unsigned long clone_flags)
4136 {
4137 u32 sid = current_sid();
4138
4139 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
4140 }
4141
4142 /*
4143 * prepare a new set of credentials for modification
4144 */
selinux_cred_prepare(struct cred * new,const struct cred * old,gfp_t gfp)4145 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
4146 gfp_t gfp)
4147 {
4148 const struct task_security_struct *old_tsec = selinux_cred(old);
4149 struct task_security_struct *tsec = selinux_cred(new);
4150
4151 *tsec = *old_tsec;
4152 return 0;
4153 }
4154
4155 /*
4156 * transfer the SELinux data to a blank set of creds
4157 */
selinux_cred_transfer(struct cred * new,const struct cred * old)4158 static void selinux_cred_transfer(struct cred *new, const struct cred *old)
4159 {
4160 const struct task_security_struct *old_tsec = selinux_cred(old);
4161 struct task_security_struct *tsec = selinux_cred(new);
4162
4163 *tsec = *old_tsec;
4164 }
4165
selinux_cred_getsecid(const struct cred * c,u32 * secid)4166 static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
4167 {
4168 *secid = cred_sid(c);
4169 }
4170
selinux_cred_getlsmprop(const struct cred * c,struct lsm_prop * prop)4171 static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop)
4172 {
4173 prop->selinux.secid = cred_sid(c);
4174 }
4175
4176 /*
4177 * set the security data for a kernel service
4178 * - all the creation contexts are set to unlabelled
4179 */
selinux_kernel_act_as(struct cred * new,u32 secid)4180 static int selinux_kernel_act_as(struct cred *new, u32 secid)
4181 {
4182 struct task_security_struct *tsec = selinux_cred(new);
4183 u32 sid = current_sid();
4184 int ret;
4185
4186 ret = avc_has_perm(sid, secid,
4187 SECCLASS_KERNEL_SERVICE,
4188 KERNEL_SERVICE__USE_AS_OVERRIDE,
4189 NULL);
4190 if (ret == 0) {
4191 tsec->sid = secid;
4192 tsec->create_sid = 0;
4193 tsec->keycreate_sid = 0;
4194 tsec->sockcreate_sid = 0;
4195 }
4196 return ret;
4197 }
4198
4199 /*
4200 * set the file creation context in a security record to the same as the
4201 * objective context of the specified inode
4202 */
selinux_kernel_create_files_as(struct cred * new,struct inode * inode)4203 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
4204 {
4205 struct inode_security_struct *isec = inode_security(inode);
4206 struct task_security_struct *tsec = selinux_cred(new);
4207 u32 sid = current_sid();
4208 int ret;
4209
4210 ret = avc_has_perm(sid, isec->sid,
4211 SECCLASS_KERNEL_SERVICE,
4212 KERNEL_SERVICE__CREATE_FILES_AS,
4213 NULL);
4214
4215 if (ret == 0)
4216 tsec->create_sid = isec->sid;
4217 return ret;
4218 }
4219
selinux_kernel_module_request(char * kmod_name)4220 static int selinux_kernel_module_request(char *kmod_name)
4221 {
4222 struct common_audit_data ad;
4223
4224 ad.type = LSM_AUDIT_DATA_KMOD;
4225 ad.u.kmod_name = kmod_name;
4226
4227 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM,
4228 SYSTEM__MODULE_REQUEST, &ad);
4229 }
4230
selinux_kernel_load_from_file(struct file * file,u32 requested)4231 static int selinux_kernel_load_from_file(struct file *file, u32 requested)
4232 {
4233 struct common_audit_data ad;
4234 struct inode_security_struct *isec;
4235 struct file_security_struct *fsec;
4236 u32 sid = current_sid();
4237 int rc;
4238
4239 if (file == NULL)
4240 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL);
4241
4242 ad.type = LSM_AUDIT_DATA_FILE;
4243 ad.u.file = file;
4244
4245 fsec = selinux_file(file);
4246 if (sid != fsec->sid) {
4247 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
4248 if (rc)
4249 return rc;
4250 }
4251
4252 isec = inode_security(file_inode(file));
4253 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, requested, &ad);
4254 }
4255
selinux_kernel_read_file(struct file * file,enum kernel_read_file_id id,bool contents)4256 static int selinux_kernel_read_file(struct file *file,
4257 enum kernel_read_file_id id,
4258 bool contents)
4259 {
4260 int rc = 0;
4261
4262 BUILD_BUG_ON_MSG(READING_MAX_ID > 7,
4263 "New kernel_read_file_id introduced; update SELinux!");
4264
4265 switch (id) {
4266 case READING_FIRMWARE:
4267 rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD);
4268 break;
4269 case READING_MODULE:
4270 rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD);
4271 break;
4272 case READING_KEXEC_IMAGE:
4273 rc = selinux_kernel_load_from_file(file,
4274 SYSTEM__KEXEC_IMAGE_LOAD);
4275 break;
4276 case READING_KEXEC_INITRAMFS:
4277 rc = selinux_kernel_load_from_file(file,
4278 SYSTEM__KEXEC_INITRAMFS_LOAD);
4279 break;
4280 case READING_POLICY:
4281 rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD);
4282 break;
4283 case READING_X509_CERTIFICATE:
4284 rc = selinux_kernel_load_from_file(file,
4285 SYSTEM__X509_CERTIFICATE_LOAD);
4286 break;
4287 default:
4288 break;
4289 }
4290
4291 return rc;
4292 }
4293
selinux_kernel_load_data(enum kernel_load_data_id id,bool contents)4294 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
4295 {
4296 int rc = 0;
4297
4298 BUILD_BUG_ON_MSG(LOADING_MAX_ID > 7,
4299 "New kernel_load_data_id introduced; update SELinux!");
4300
4301 switch (id) {
4302 case LOADING_FIRMWARE:
4303 rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD);
4304 break;
4305 case LOADING_MODULE:
4306 rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD);
4307 break;
4308 case LOADING_KEXEC_IMAGE:
4309 rc = selinux_kernel_load_from_file(NULL,
4310 SYSTEM__KEXEC_IMAGE_LOAD);
4311 break;
4312 case LOADING_KEXEC_INITRAMFS:
4313 rc = selinux_kernel_load_from_file(NULL,
4314 SYSTEM__KEXEC_INITRAMFS_LOAD);
4315 break;
4316 case LOADING_POLICY:
4317 rc = selinux_kernel_load_from_file(NULL,
4318 SYSTEM__POLICY_LOAD);
4319 break;
4320 case LOADING_X509_CERTIFICATE:
4321 rc = selinux_kernel_load_from_file(NULL,
4322 SYSTEM__X509_CERTIFICATE_LOAD);
4323 break;
4324 default:
4325 break;
4326 }
4327
4328 return rc;
4329 }
4330
selinux_task_setpgid(struct task_struct * p,pid_t pgid)4331 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
4332 {
4333 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4334 PROCESS__SETPGID, NULL);
4335 }
4336
selinux_task_getpgid(struct task_struct * p)4337 static int selinux_task_getpgid(struct task_struct *p)
4338 {
4339 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4340 PROCESS__GETPGID, NULL);
4341 }
4342
selinux_task_getsid(struct task_struct * p)4343 static int selinux_task_getsid(struct task_struct *p)
4344 {
4345 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4346 PROCESS__GETSESSION, NULL);
4347 }
4348
selinux_current_getlsmprop_subj(struct lsm_prop * prop)4349 static void selinux_current_getlsmprop_subj(struct lsm_prop *prop)
4350 {
4351 prop->selinux.secid = current_sid();
4352 }
4353
selinux_task_getlsmprop_obj(struct task_struct * p,struct lsm_prop * prop)4354 static void selinux_task_getlsmprop_obj(struct task_struct *p,
4355 struct lsm_prop *prop)
4356 {
4357 prop->selinux.secid = task_sid_obj(p);
4358 }
4359
selinux_task_setnice(struct task_struct * p,int nice)4360 static int selinux_task_setnice(struct task_struct *p, int nice)
4361 {
4362 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4363 PROCESS__SETSCHED, NULL);
4364 }
4365
selinux_task_setioprio(struct task_struct * p,int ioprio)4366 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
4367 {
4368 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4369 PROCESS__SETSCHED, NULL);
4370 }
4371
selinux_task_getioprio(struct task_struct * p)4372 static int selinux_task_getioprio(struct task_struct *p)
4373 {
4374 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4375 PROCESS__GETSCHED, NULL);
4376 }
4377
selinux_task_prlimit(const struct cred * cred,const struct cred * tcred,unsigned int flags)4378 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
4379 unsigned int flags)
4380 {
4381 u32 av = 0;
4382
4383 if (!flags)
4384 return 0;
4385 if (flags & LSM_PRLIMIT_WRITE)
4386 av |= PROCESS__SETRLIMIT;
4387 if (flags & LSM_PRLIMIT_READ)
4388 av |= PROCESS__GETRLIMIT;
4389 return avc_has_perm(cred_sid(cred), cred_sid(tcred),
4390 SECCLASS_PROCESS, av, NULL);
4391 }
4392
selinux_task_setrlimit(struct task_struct * p,unsigned int resource,struct rlimit * new_rlim)4393 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
4394 struct rlimit *new_rlim)
4395 {
4396 struct rlimit *old_rlim = p->signal->rlim + resource;
4397
4398 /* Control the ability to change the hard limit (whether
4399 lowering or raising it), so that the hard limit can
4400 later be used as a safe reset point for the soft limit
4401 upon context transitions. See selinux_bprm_committing_creds. */
4402 if (old_rlim->rlim_max != new_rlim->rlim_max)
4403 return avc_has_perm(current_sid(), task_sid_obj(p),
4404 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL);
4405
4406 return 0;
4407 }
4408
selinux_task_setscheduler(struct task_struct * p)4409 static int selinux_task_setscheduler(struct task_struct *p)
4410 {
4411 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4412 PROCESS__SETSCHED, NULL);
4413 }
4414
selinux_task_getscheduler(struct task_struct * p)4415 static int selinux_task_getscheduler(struct task_struct *p)
4416 {
4417 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4418 PROCESS__GETSCHED, NULL);
4419 }
4420
selinux_task_movememory(struct task_struct * p)4421 static int selinux_task_movememory(struct task_struct *p)
4422 {
4423 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS,
4424 PROCESS__SETSCHED, NULL);
4425 }
4426
selinux_task_kill(struct task_struct * p,struct kernel_siginfo * info,int sig,const struct cred * cred)4427 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info,
4428 int sig, const struct cred *cred)
4429 {
4430 u32 secid;
4431 u32 perm;
4432
4433 if (!sig)
4434 perm = PROCESS__SIGNULL; /* null signal; existence test */
4435 else
4436 perm = signal_to_av(sig);
4437 if (!cred)
4438 secid = current_sid();
4439 else
4440 secid = cred_sid(cred);
4441 return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL);
4442 }
4443
selinux_task_to_inode(struct task_struct * p,struct inode * inode)4444 static void selinux_task_to_inode(struct task_struct *p,
4445 struct inode *inode)
4446 {
4447 struct inode_security_struct *isec = selinux_inode(inode);
4448 u32 sid = task_sid_obj(p);
4449
4450 spin_lock(&isec->lock);
4451 isec->sclass = inode_mode_to_security_class(inode->i_mode);
4452 isec->sid = sid;
4453 isec->initialized = LABEL_INITIALIZED;
4454 spin_unlock(&isec->lock);
4455 }
4456
selinux_userns_create(const struct cred * cred)4457 static int selinux_userns_create(const struct cred *cred)
4458 {
4459 u32 sid = current_sid();
4460
4461 return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE,
4462 USER_NAMESPACE__CREATE, NULL);
4463 }
4464
4465 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv4(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4466 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
4467 struct common_audit_data *ad, u8 *proto)
4468 {
4469 int offset, ihlen, ret = -EINVAL;
4470 struct iphdr _iph, *ih;
4471
4472 offset = skb_network_offset(skb);
4473 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
4474 if (ih == NULL)
4475 goto out;
4476
4477 ihlen = ih->ihl * 4;
4478 if (ihlen < sizeof(_iph))
4479 goto out;
4480
4481 ad->u.net->v4info.saddr = ih->saddr;
4482 ad->u.net->v4info.daddr = ih->daddr;
4483 ret = 0;
4484
4485 if (proto)
4486 *proto = ih->protocol;
4487
4488 switch (ih->protocol) {
4489 case IPPROTO_TCP: {
4490 struct tcphdr _tcph, *th;
4491
4492 if (ntohs(ih->frag_off) & IP_OFFSET)
4493 break;
4494
4495 offset += ihlen;
4496 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4497 if (th == NULL)
4498 break;
4499
4500 ad->u.net->sport = th->source;
4501 ad->u.net->dport = th->dest;
4502 break;
4503 }
4504
4505 case IPPROTO_UDP: {
4506 struct udphdr _udph, *uh;
4507
4508 if (ntohs(ih->frag_off) & IP_OFFSET)
4509 break;
4510
4511 offset += ihlen;
4512 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4513 if (uh == NULL)
4514 break;
4515
4516 ad->u.net->sport = uh->source;
4517 ad->u.net->dport = uh->dest;
4518 break;
4519 }
4520
4521 #if IS_ENABLED(CONFIG_IP_SCTP)
4522 case IPPROTO_SCTP: {
4523 struct sctphdr _sctph, *sh;
4524
4525 if (ntohs(ih->frag_off) & IP_OFFSET)
4526 break;
4527
4528 offset += ihlen;
4529 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4530 if (sh == NULL)
4531 break;
4532
4533 ad->u.net->sport = sh->source;
4534 ad->u.net->dport = sh->dest;
4535 break;
4536 }
4537 #endif
4538 default:
4539 break;
4540 }
4541 out:
4542 return ret;
4543 }
4544
4545 #if IS_ENABLED(CONFIG_IPV6)
4546
4547 /* Returns error only if unable to parse addresses */
selinux_parse_skb_ipv6(struct sk_buff * skb,struct common_audit_data * ad,u8 * proto)4548 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
4549 struct common_audit_data *ad, u8 *proto)
4550 {
4551 u8 nexthdr;
4552 int ret = -EINVAL, offset;
4553 struct ipv6hdr _ipv6h, *ip6;
4554 __be16 frag_off;
4555
4556 offset = skb_network_offset(skb);
4557 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
4558 if (ip6 == NULL)
4559 goto out;
4560
4561 ad->u.net->v6info.saddr = ip6->saddr;
4562 ad->u.net->v6info.daddr = ip6->daddr;
4563 ret = 0;
4564
4565 nexthdr = ip6->nexthdr;
4566 offset += sizeof(_ipv6h);
4567 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
4568 if (offset < 0)
4569 goto out;
4570
4571 if (proto)
4572 *proto = nexthdr;
4573
4574 switch (nexthdr) {
4575 case IPPROTO_TCP: {
4576 struct tcphdr _tcph, *th;
4577
4578 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
4579 if (th == NULL)
4580 break;
4581
4582 ad->u.net->sport = th->source;
4583 ad->u.net->dport = th->dest;
4584 break;
4585 }
4586
4587 case IPPROTO_UDP: {
4588 struct udphdr _udph, *uh;
4589
4590 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
4591 if (uh == NULL)
4592 break;
4593
4594 ad->u.net->sport = uh->source;
4595 ad->u.net->dport = uh->dest;
4596 break;
4597 }
4598
4599 #if IS_ENABLED(CONFIG_IP_SCTP)
4600 case IPPROTO_SCTP: {
4601 struct sctphdr _sctph, *sh;
4602
4603 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
4604 if (sh == NULL)
4605 break;
4606
4607 ad->u.net->sport = sh->source;
4608 ad->u.net->dport = sh->dest;
4609 break;
4610 }
4611 #endif
4612 /* includes fragments */
4613 default:
4614 break;
4615 }
4616 out:
4617 return ret;
4618 }
4619
4620 #endif /* IPV6 */
4621
selinux_parse_skb(struct sk_buff * skb,struct common_audit_data * ad,char ** _addrp,int src,u8 * proto)4622 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
4623 char **_addrp, int src, u8 *proto)
4624 {
4625 char *addrp;
4626 int ret;
4627
4628 switch (ad->u.net->family) {
4629 case PF_INET:
4630 ret = selinux_parse_skb_ipv4(skb, ad, proto);
4631 if (ret)
4632 goto parse_error;
4633 addrp = (char *)(src ? &ad->u.net->v4info.saddr :
4634 &ad->u.net->v4info.daddr);
4635 goto okay;
4636
4637 #if IS_ENABLED(CONFIG_IPV6)
4638 case PF_INET6:
4639 ret = selinux_parse_skb_ipv6(skb, ad, proto);
4640 if (ret)
4641 goto parse_error;
4642 addrp = (char *)(src ? &ad->u.net->v6info.saddr :
4643 &ad->u.net->v6info.daddr);
4644 goto okay;
4645 #endif /* IPV6 */
4646 default:
4647 addrp = NULL;
4648 goto okay;
4649 }
4650
4651 parse_error:
4652 pr_warn(
4653 "SELinux: failure in selinux_parse_skb(),"
4654 " unable to parse packet\n");
4655 return ret;
4656
4657 okay:
4658 if (_addrp)
4659 *_addrp = addrp;
4660 return 0;
4661 }
4662
4663 /**
4664 * selinux_skb_peerlbl_sid - Determine the peer label of a packet
4665 * @skb: the packet
4666 * @family: protocol family
4667 * @sid: the packet's peer label SID
4668 *
4669 * Description:
4670 * Check the various different forms of network peer labeling and determine
4671 * the peer label/SID for the packet; most of the magic actually occurs in
4672 * the security server function security_net_peersid_cmp(). The function
4673 * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
4674 * or -EACCES if @sid is invalid due to inconsistencies with the different
4675 * peer labels.
4676 *
4677 */
selinux_skb_peerlbl_sid(struct sk_buff * skb,u16 family,u32 * sid)4678 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
4679 {
4680 int err;
4681 u32 xfrm_sid;
4682 u32 nlbl_sid;
4683 u32 nlbl_type;
4684
4685 err = selinux_xfrm_skb_sid(skb, &xfrm_sid);
4686 if (unlikely(err))
4687 return -EACCES;
4688 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
4689 if (unlikely(err))
4690 return -EACCES;
4691
4692 err = security_net_peersid_resolve(nlbl_sid,
4693 nlbl_type, xfrm_sid, sid);
4694 if (unlikely(err)) {
4695 pr_warn(
4696 "SELinux: failure in selinux_skb_peerlbl_sid(),"
4697 " unable to determine packet's peer label\n");
4698 return -EACCES;
4699 }
4700
4701 return 0;
4702 }
4703
4704 /**
4705 * selinux_conn_sid - Determine the child socket label for a connection
4706 * @sk_sid: the parent socket's SID
4707 * @skb_sid: the packet's SID
4708 * @conn_sid: the resulting connection SID
4709 *
4710 * If @skb_sid is valid then the user:role:type information from @sk_sid is
4711 * combined with the MLS information from @skb_sid in order to create
4712 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy
4713 * of @sk_sid. Returns zero on success, negative values on failure.
4714 *
4715 */
selinux_conn_sid(u32 sk_sid,u32 skb_sid,u32 * conn_sid)4716 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
4717 {
4718 int err = 0;
4719
4720 if (skb_sid != SECSID_NULL)
4721 err = security_sid_mls_copy(sk_sid, skb_sid,
4722 conn_sid);
4723 else
4724 *conn_sid = sk_sid;
4725
4726 return err;
4727 }
4728
4729 /* socket security operations */
4730
socket_sockcreate_sid(const struct task_security_struct * tsec,u16 secclass,u32 * socksid)4731 static int socket_sockcreate_sid(const struct task_security_struct *tsec,
4732 u16 secclass, u32 *socksid)
4733 {
4734 if (tsec->sockcreate_sid > SECSID_NULL) {
4735 *socksid = tsec->sockcreate_sid;
4736 return 0;
4737 }
4738
4739 return security_transition_sid(tsec->sid, tsec->sid,
4740 secclass, NULL, socksid);
4741 }
4742
sock_skip_has_perm(u32 sid)4743 static bool sock_skip_has_perm(u32 sid)
4744 {
4745 if (sid == SECINITSID_KERNEL)
4746 return true;
4747
4748 /*
4749 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that
4750 * inherited the kernel context from early boot used to be skipped
4751 * here, so preserve that behavior unless the capability is set.
4752 *
4753 * By setting the capability the policy signals that it is ready
4754 * for this quirk to be fixed. Note that sockets created by a kernel
4755 * thread or a usermode helper executed without a transition will
4756 * still be skipped in this check regardless of the policycap
4757 * setting.
4758 */
4759 if (!selinux_policycap_userspace_initial_context() &&
4760 sid == SECINITSID_INIT)
4761 return true;
4762 return false;
4763 }
4764
4765
sock_has_perm(struct sock * sk,u32 perms)4766 static int sock_has_perm(struct sock *sk, u32 perms)
4767 {
4768 struct sk_security_struct *sksec = sk->sk_security;
4769 struct common_audit_data ad;
4770 struct lsm_network_audit net;
4771
4772 if (sock_skip_has_perm(sksec->sid))
4773 return 0;
4774
4775 ad_net_init_from_sk(&ad, &net, sk);
4776
4777 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms,
4778 &ad);
4779 }
4780
selinux_socket_create(int family,int type,int protocol,int kern)4781 static int selinux_socket_create(int family, int type,
4782 int protocol, int kern)
4783 {
4784 const struct task_security_struct *tsec = selinux_cred(current_cred());
4785 u32 newsid;
4786 u16 secclass;
4787 int rc;
4788
4789 if (kern)
4790 return 0;
4791
4792 secclass = socket_type_to_security_class(family, type, protocol);
4793 rc = socket_sockcreate_sid(tsec, secclass, &newsid);
4794 if (rc)
4795 return rc;
4796
4797 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
4798 }
4799
selinux_socket_post_create(struct socket * sock,int family,int type,int protocol,int kern)4800 static int selinux_socket_post_create(struct socket *sock, int family,
4801 int type, int protocol, int kern)
4802 {
4803 const struct task_security_struct *tsec = selinux_cred(current_cred());
4804 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
4805 struct sk_security_struct *sksec;
4806 u16 sclass = socket_type_to_security_class(family, type, protocol);
4807 u32 sid = SECINITSID_KERNEL;
4808 int err = 0;
4809
4810 if (!kern) {
4811 err = socket_sockcreate_sid(tsec, sclass, &sid);
4812 if (err)
4813 return err;
4814 }
4815
4816 isec->sclass = sclass;
4817 isec->sid = sid;
4818 isec->initialized = LABEL_INITIALIZED;
4819
4820 if (sock->sk) {
4821 sksec = selinux_sock(sock->sk);
4822 sksec->sclass = sclass;
4823 sksec->sid = sid;
4824 /* Allows detection of the first association on this socket */
4825 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
4826 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
4827
4828 err = selinux_netlbl_socket_post_create(sock->sk, family);
4829 }
4830
4831 return err;
4832 }
4833
selinux_socket_socketpair(struct socket * socka,struct socket * sockb)4834 static int selinux_socket_socketpair(struct socket *socka,
4835 struct socket *sockb)
4836 {
4837 struct sk_security_struct *sksec_a = selinux_sock(socka->sk);
4838 struct sk_security_struct *sksec_b = selinux_sock(sockb->sk);
4839
4840 sksec_a->peer_sid = sksec_b->sid;
4841 sksec_b->peer_sid = sksec_a->sid;
4842
4843 return 0;
4844 }
4845
4846 /* Range of port numbers used to automatically bind.
4847 Need to determine whether we should perform a name_bind
4848 permission check between the socket and the port number. */
4849
selinux_socket_bind(struct socket * sock,struct sockaddr * address,int addrlen)4850 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
4851 {
4852 struct sock *sk = sock->sk;
4853 struct sk_security_struct *sksec = selinux_sock(sk);
4854 u16 family;
4855 int err;
4856
4857 err = sock_has_perm(sk, SOCKET__BIND);
4858 if (err)
4859 goto out;
4860
4861 /* If PF_INET or PF_INET6, check name_bind permission for the port. */
4862 family = sk->sk_family;
4863 if (family == PF_INET || family == PF_INET6) {
4864 char *addrp;
4865 struct common_audit_data ad;
4866 struct lsm_network_audit net = {0,};
4867 struct sockaddr_in *addr4 = NULL;
4868 struct sockaddr_in6 *addr6 = NULL;
4869 u16 family_sa;
4870 unsigned short snum;
4871 u32 sid, node_perm;
4872
4873 /*
4874 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
4875 * that validates multiple binding addresses. Because of this
4876 * need to check address->sa_family as it is possible to have
4877 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
4878 */
4879 if (addrlen < offsetofend(struct sockaddr, sa_family))
4880 return -EINVAL;
4881 family_sa = address->sa_family;
4882 switch (family_sa) {
4883 case AF_UNSPEC:
4884 case AF_INET:
4885 if (addrlen < sizeof(struct sockaddr_in))
4886 return -EINVAL;
4887 addr4 = (struct sockaddr_in *)address;
4888 if (family_sa == AF_UNSPEC) {
4889 if (family == PF_INET6) {
4890 /* Length check from inet6_bind_sk() */
4891 if (addrlen < SIN6_LEN_RFC2133)
4892 return -EINVAL;
4893 /* Family check from __inet6_bind() */
4894 goto err_af;
4895 }
4896 /* see __inet_bind(), we only want to allow
4897 * AF_UNSPEC if the address is INADDR_ANY
4898 */
4899 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY))
4900 goto err_af;
4901 family_sa = AF_INET;
4902 }
4903 snum = ntohs(addr4->sin_port);
4904 addrp = (char *)&addr4->sin_addr.s_addr;
4905 break;
4906 case AF_INET6:
4907 if (addrlen < SIN6_LEN_RFC2133)
4908 return -EINVAL;
4909 addr6 = (struct sockaddr_in6 *)address;
4910 snum = ntohs(addr6->sin6_port);
4911 addrp = (char *)&addr6->sin6_addr.s6_addr;
4912 break;
4913 default:
4914 goto err_af;
4915 }
4916
4917 ad.type = LSM_AUDIT_DATA_NET;
4918 ad.u.net = &net;
4919 ad.u.net->sport = htons(snum);
4920 ad.u.net->family = family_sa;
4921
4922 if (snum) {
4923 int low, high;
4924
4925 inet_get_local_port_range(sock_net(sk), &low, &high);
4926
4927 if (inet_port_requires_bind_service(sock_net(sk), snum) ||
4928 snum < low || snum > high) {
4929 err = sel_netport_sid(sk->sk_protocol,
4930 snum, &sid);
4931 if (err)
4932 goto out;
4933 err = avc_has_perm(sksec->sid, sid,
4934 sksec->sclass,
4935 SOCKET__NAME_BIND, &ad);
4936 if (err)
4937 goto out;
4938 }
4939 }
4940
4941 switch (sksec->sclass) {
4942 case SECCLASS_TCP_SOCKET:
4943 node_perm = TCP_SOCKET__NODE_BIND;
4944 break;
4945
4946 case SECCLASS_UDP_SOCKET:
4947 node_perm = UDP_SOCKET__NODE_BIND;
4948 break;
4949
4950 case SECCLASS_SCTP_SOCKET:
4951 node_perm = SCTP_SOCKET__NODE_BIND;
4952 break;
4953
4954 default:
4955 node_perm = RAWIP_SOCKET__NODE_BIND;
4956 break;
4957 }
4958
4959 err = sel_netnode_sid(addrp, family_sa, &sid);
4960 if (err)
4961 goto out;
4962
4963 if (family_sa == AF_INET)
4964 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
4965 else
4966 ad.u.net->v6info.saddr = addr6->sin6_addr;
4967
4968 err = avc_has_perm(sksec->sid, sid,
4969 sksec->sclass, node_perm, &ad);
4970 if (err)
4971 goto out;
4972 }
4973 out:
4974 return err;
4975 err_af:
4976 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */
4977 if (sk->sk_protocol == IPPROTO_SCTP)
4978 return -EINVAL;
4979 return -EAFNOSUPPORT;
4980 }
4981
4982 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3)
4983 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst
4984 */
selinux_socket_connect_helper(struct socket * sock,struct sockaddr * address,int addrlen)4985 static int selinux_socket_connect_helper(struct socket *sock,
4986 struct sockaddr *address, int addrlen)
4987 {
4988 struct sock *sk = sock->sk;
4989 struct sk_security_struct *sksec = selinux_sock(sk);
4990 int err;
4991
4992 err = sock_has_perm(sk, SOCKET__CONNECT);
4993 if (err)
4994 return err;
4995 if (addrlen < offsetofend(struct sockaddr, sa_family))
4996 return -EINVAL;
4997
4998 /* connect(AF_UNSPEC) has special handling, as it is a documented
4999 * way to disconnect the socket
5000 */
5001 if (address->sa_family == AF_UNSPEC)
5002 return 0;
5003
5004 /*
5005 * If a TCP or SCTP socket, check name_connect permission
5006 * for the port.
5007 */
5008 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
5009 sksec->sclass == SECCLASS_SCTP_SOCKET) {
5010 struct common_audit_data ad;
5011 struct lsm_network_audit net = {0,};
5012 struct sockaddr_in *addr4 = NULL;
5013 struct sockaddr_in6 *addr6 = NULL;
5014 unsigned short snum;
5015 u32 sid, perm;
5016
5017 /* sctp_connectx(3) calls via selinux_sctp_bind_connect()
5018 * that validates multiple connect addresses. Because of this
5019 * need to check address->sa_family as it is possible to have
5020 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
5021 */
5022 switch (address->sa_family) {
5023 case AF_INET:
5024 addr4 = (struct sockaddr_in *)address;
5025 if (addrlen < sizeof(struct sockaddr_in))
5026 return -EINVAL;
5027 snum = ntohs(addr4->sin_port);
5028 break;
5029 case AF_INET6:
5030 addr6 = (struct sockaddr_in6 *)address;
5031 if (addrlen < SIN6_LEN_RFC2133)
5032 return -EINVAL;
5033 snum = ntohs(addr6->sin6_port);
5034 break;
5035 default:
5036 /* Note that SCTP services expect -EINVAL, whereas
5037 * others expect -EAFNOSUPPORT.
5038 */
5039 if (sksec->sclass == SECCLASS_SCTP_SOCKET)
5040 return -EINVAL;
5041 else
5042 return -EAFNOSUPPORT;
5043 }
5044
5045 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
5046 if (err)
5047 return err;
5048
5049 switch (sksec->sclass) {
5050 case SECCLASS_TCP_SOCKET:
5051 perm = TCP_SOCKET__NAME_CONNECT;
5052 break;
5053 case SECCLASS_SCTP_SOCKET:
5054 perm = SCTP_SOCKET__NAME_CONNECT;
5055 break;
5056 }
5057
5058 ad.type = LSM_AUDIT_DATA_NET;
5059 ad.u.net = &net;
5060 ad.u.net->dport = htons(snum);
5061 ad.u.net->family = address->sa_family;
5062 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad);
5063 if (err)
5064 return err;
5065 }
5066
5067 return 0;
5068 }
5069
5070 /* Supports connect(2), see comments in selinux_socket_connect_helper() */
selinux_socket_connect(struct socket * sock,struct sockaddr * address,int addrlen)5071 static int selinux_socket_connect(struct socket *sock,
5072 struct sockaddr *address, int addrlen)
5073 {
5074 int err;
5075 struct sock *sk = sock->sk;
5076
5077 err = selinux_socket_connect_helper(sock, address, addrlen);
5078 if (err)
5079 return err;
5080
5081 return selinux_netlbl_socket_connect(sk, address);
5082 }
5083
selinux_socket_listen(struct socket * sock,int backlog)5084 static int selinux_socket_listen(struct socket *sock, int backlog)
5085 {
5086 return sock_has_perm(sock->sk, SOCKET__LISTEN);
5087 }
5088
selinux_socket_accept(struct socket * sock,struct socket * newsock)5089 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
5090 {
5091 int err;
5092 struct inode_security_struct *isec;
5093 struct inode_security_struct *newisec;
5094 u16 sclass;
5095 u32 sid;
5096
5097 err = sock_has_perm(sock->sk, SOCKET__ACCEPT);
5098 if (err)
5099 return err;
5100
5101 isec = inode_security_novalidate(SOCK_INODE(sock));
5102 spin_lock(&isec->lock);
5103 sclass = isec->sclass;
5104 sid = isec->sid;
5105 spin_unlock(&isec->lock);
5106
5107 newisec = inode_security_novalidate(SOCK_INODE(newsock));
5108 newisec->sclass = sclass;
5109 newisec->sid = sid;
5110 newisec->initialized = LABEL_INITIALIZED;
5111
5112 return 0;
5113 }
5114
selinux_socket_sendmsg(struct socket * sock,struct msghdr * msg,int size)5115 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
5116 int size)
5117 {
5118 return sock_has_perm(sock->sk, SOCKET__WRITE);
5119 }
5120
selinux_socket_recvmsg(struct socket * sock,struct msghdr * msg,int size,int flags)5121 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
5122 int size, int flags)
5123 {
5124 return sock_has_perm(sock->sk, SOCKET__READ);
5125 }
5126
selinux_socket_getsockname(struct socket * sock)5127 static int selinux_socket_getsockname(struct socket *sock)
5128 {
5129 return sock_has_perm(sock->sk, SOCKET__GETATTR);
5130 }
5131
selinux_socket_getpeername(struct socket * sock)5132 static int selinux_socket_getpeername(struct socket *sock)
5133 {
5134 return sock_has_perm(sock->sk, SOCKET__GETATTR);
5135 }
5136
selinux_socket_setsockopt(struct socket * sock,int level,int optname)5137 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
5138 {
5139 int err;
5140
5141 err = sock_has_perm(sock->sk, SOCKET__SETOPT);
5142 if (err)
5143 return err;
5144
5145 return selinux_netlbl_socket_setsockopt(sock, level, optname);
5146 }
5147
selinux_socket_getsockopt(struct socket * sock,int level,int optname)5148 static int selinux_socket_getsockopt(struct socket *sock, int level,
5149 int optname)
5150 {
5151 return sock_has_perm(sock->sk, SOCKET__GETOPT);
5152 }
5153
selinux_socket_shutdown(struct socket * sock,int how)5154 static int selinux_socket_shutdown(struct socket *sock, int how)
5155 {
5156 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN);
5157 }
5158
selinux_socket_unix_stream_connect(struct sock * sock,struct sock * other,struct sock * newsk)5159 static int selinux_socket_unix_stream_connect(struct sock *sock,
5160 struct sock *other,
5161 struct sock *newsk)
5162 {
5163 struct sk_security_struct *sksec_sock = selinux_sock(sock);
5164 struct sk_security_struct *sksec_other = selinux_sock(other);
5165 struct sk_security_struct *sksec_new = selinux_sock(newsk);
5166 struct common_audit_data ad;
5167 struct lsm_network_audit net;
5168 int err;
5169
5170 ad_net_init_from_sk(&ad, &net, other);
5171
5172 err = avc_has_perm(sksec_sock->sid, sksec_other->sid,
5173 sksec_other->sclass,
5174 UNIX_STREAM_SOCKET__CONNECTTO, &ad);
5175 if (err)
5176 return err;
5177
5178 /* server child socket */
5179 sksec_new->peer_sid = sksec_sock->sid;
5180 err = security_sid_mls_copy(sksec_other->sid,
5181 sksec_sock->sid, &sksec_new->sid);
5182 if (err)
5183 return err;
5184
5185 /* connecting socket */
5186 sksec_sock->peer_sid = sksec_new->sid;
5187
5188 return 0;
5189 }
5190
selinux_socket_unix_may_send(struct socket * sock,struct socket * other)5191 static int selinux_socket_unix_may_send(struct socket *sock,
5192 struct socket *other)
5193 {
5194 struct sk_security_struct *ssec = selinux_sock(sock->sk);
5195 struct sk_security_struct *osec = selinux_sock(other->sk);
5196 struct common_audit_data ad;
5197 struct lsm_network_audit net;
5198
5199 ad_net_init_from_sk(&ad, &net, other->sk);
5200
5201 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO,
5202 &ad);
5203 }
5204
selinux_inet_sys_rcv_skb(struct net * ns,int ifindex,char * addrp,u16 family,u32 peer_sid,struct common_audit_data * ad)5205 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
5206 char *addrp, u16 family, u32 peer_sid,
5207 struct common_audit_data *ad)
5208 {
5209 int err;
5210 u32 if_sid;
5211 u32 node_sid;
5212
5213 err = sel_netif_sid(ns, ifindex, &if_sid);
5214 if (err)
5215 return err;
5216 err = avc_has_perm(peer_sid, if_sid,
5217 SECCLASS_NETIF, NETIF__INGRESS, ad);
5218 if (err)
5219 return err;
5220
5221 err = sel_netnode_sid(addrp, family, &node_sid);
5222 if (err)
5223 return err;
5224 return avc_has_perm(peer_sid, node_sid,
5225 SECCLASS_NODE, NODE__RECVFROM, ad);
5226 }
5227
selinux_sock_rcv_skb_compat(struct sock * sk,struct sk_buff * skb,u16 family)5228 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
5229 u16 family)
5230 {
5231 int err = 0;
5232 struct sk_security_struct *sksec = selinux_sock(sk);
5233 u32 sk_sid = sksec->sid;
5234 struct common_audit_data ad;
5235 struct lsm_network_audit net;
5236 char *addrp;
5237
5238 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5239 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5240 if (err)
5241 return err;
5242
5243 if (selinux_secmark_enabled()) {
5244 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5245 PACKET__RECV, &ad);
5246 if (err)
5247 return err;
5248 }
5249
5250 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
5251 if (err)
5252 return err;
5253 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
5254
5255 return err;
5256 }
5257
selinux_socket_sock_rcv_skb(struct sock * sk,struct sk_buff * skb)5258 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
5259 {
5260 int err, peerlbl_active, secmark_active;
5261 struct sk_security_struct *sksec = selinux_sock(sk);
5262 u16 family = sk->sk_family;
5263 u32 sk_sid = sksec->sid;
5264 struct common_audit_data ad;
5265 struct lsm_network_audit net;
5266 char *addrp;
5267
5268 if (family != PF_INET && family != PF_INET6)
5269 return 0;
5270
5271 /* Handle mapped IPv4 packets arriving via IPv6 sockets */
5272 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5273 family = PF_INET;
5274
5275 /* If any sort of compatibility mode is enabled then handoff processing
5276 * to the selinux_sock_rcv_skb_compat() function to deal with the
5277 * special handling. We do this in an attempt to keep this function
5278 * as fast and as clean as possible. */
5279 if (!selinux_policycap_netpeer())
5280 return selinux_sock_rcv_skb_compat(sk, skb, family);
5281
5282 secmark_active = selinux_secmark_enabled();
5283 peerlbl_active = selinux_peerlbl_enabled();
5284 if (!secmark_active && !peerlbl_active)
5285 return 0;
5286
5287 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family);
5288 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
5289 if (err)
5290 return err;
5291
5292 if (peerlbl_active) {
5293 u32 peer_sid;
5294
5295 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
5296 if (err)
5297 return err;
5298 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif,
5299 addrp, family, peer_sid, &ad);
5300 if (err) {
5301 selinux_netlbl_err(skb, family, err, 0);
5302 return err;
5303 }
5304 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
5305 PEER__RECV, &ad);
5306 if (err) {
5307 selinux_netlbl_err(skb, family, err, 0);
5308 return err;
5309 }
5310 }
5311
5312 if (secmark_active) {
5313 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
5314 PACKET__RECV, &ad);
5315 if (err)
5316 return err;
5317 }
5318
5319 return err;
5320 }
5321
selinux_socket_getpeersec_stream(struct socket * sock,sockptr_t optval,sockptr_t optlen,unsigned int len)5322 static int selinux_socket_getpeersec_stream(struct socket *sock,
5323 sockptr_t optval, sockptr_t optlen,
5324 unsigned int len)
5325 {
5326 int err = 0;
5327 char *scontext = NULL;
5328 u32 scontext_len;
5329 struct sk_security_struct *sksec = selinux_sock(sock->sk);
5330 u32 peer_sid = SECSID_NULL;
5331
5332 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
5333 sksec->sclass == SECCLASS_TCP_SOCKET ||
5334 sksec->sclass == SECCLASS_SCTP_SOCKET)
5335 peer_sid = sksec->peer_sid;
5336 if (peer_sid == SECSID_NULL)
5337 return -ENOPROTOOPT;
5338
5339 err = security_sid_to_context(peer_sid, &scontext,
5340 &scontext_len);
5341 if (err)
5342 return err;
5343 if (scontext_len > len) {
5344 err = -ERANGE;
5345 goto out_len;
5346 }
5347
5348 if (copy_to_sockptr(optval, scontext, scontext_len))
5349 err = -EFAULT;
5350 out_len:
5351 if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len)))
5352 err = -EFAULT;
5353 kfree(scontext);
5354 return err;
5355 }
5356
selinux_socket_getpeersec_dgram(struct socket * sock,struct sk_buff * skb,u32 * secid)5357 static int selinux_socket_getpeersec_dgram(struct socket *sock,
5358 struct sk_buff *skb, u32 *secid)
5359 {
5360 u32 peer_secid = SECSID_NULL;
5361 u16 family;
5362
5363 if (skb && skb->protocol == htons(ETH_P_IP))
5364 family = PF_INET;
5365 else if (skb && skb->protocol == htons(ETH_P_IPV6))
5366 family = PF_INET6;
5367 else if (sock)
5368 family = sock->sk->sk_family;
5369 else {
5370 *secid = SECSID_NULL;
5371 return -EINVAL;
5372 }
5373
5374 if (sock && family == PF_UNIX) {
5375 struct inode_security_struct *isec;
5376 isec = inode_security_novalidate(SOCK_INODE(sock));
5377 peer_secid = isec->sid;
5378 } else if (skb)
5379 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
5380
5381 *secid = peer_secid;
5382 if (peer_secid == SECSID_NULL)
5383 return -ENOPROTOOPT;
5384 return 0;
5385 }
5386
selinux_sk_alloc_security(struct sock * sk,int family,gfp_t priority)5387 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
5388 {
5389 struct sk_security_struct *sksec = selinux_sock(sk);
5390
5391 sksec->peer_sid = SECINITSID_UNLABELED;
5392 sksec->sid = SECINITSID_UNLABELED;
5393 sksec->sclass = SECCLASS_SOCKET;
5394 selinux_netlbl_sk_security_reset(sksec);
5395
5396 return 0;
5397 }
5398
selinux_sk_free_security(struct sock * sk)5399 static void selinux_sk_free_security(struct sock *sk)
5400 {
5401 struct sk_security_struct *sksec = selinux_sock(sk);
5402
5403 selinux_netlbl_sk_security_free(sksec);
5404 }
5405
selinux_sk_clone_security(const struct sock * sk,struct sock * newsk)5406 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
5407 {
5408 struct sk_security_struct *sksec = selinux_sock(sk);
5409 struct sk_security_struct *newsksec = selinux_sock(newsk);
5410
5411 newsksec->sid = sksec->sid;
5412 newsksec->peer_sid = sksec->peer_sid;
5413 newsksec->sclass = sksec->sclass;
5414
5415 selinux_netlbl_sk_security_reset(newsksec);
5416 }
5417
selinux_sk_getsecid(const struct sock * sk,u32 * secid)5418 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid)
5419 {
5420 if (!sk)
5421 *secid = SECINITSID_ANY_SOCKET;
5422 else {
5423 const struct sk_security_struct *sksec = selinux_sock(sk);
5424
5425 *secid = sksec->sid;
5426 }
5427 }
5428
selinux_sock_graft(struct sock * sk,struct socket * parent)5429 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
5430 {
5431 struct inode_security_struct *isec =
5432 inode_security_novalidate(SOCK_INODE(parent));
5433 struct sk_security_struct *sksec = selinux_sock(sk);
5434
5435 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
5436 sk->sk_family == PF_UNIX)
5437 isec->sid = sksec->sid;
5438 sksec->sclass = isec->sclass;
5439 }
5440
5441 /*
5442 * Determines peer_secid for the asoc and updates socket's peer label
5443 * if it's the first association on the socket.
5444 */
selinux_sctp_process_new_assoc(struct sctp_association * asoc,struct sk_buff * skb)5445 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc,
5446 struct sk_buff *skb)
5447 {
5448 struct sock *sk = asoc->base.sk;
5449 u16 family = sk->sk_family;
5450 struct sk_security_struct *sksec = selinux_sock(sk);
5451 struct common_audit_data ad;
5452 struct lsm_network_audit net;
5453 int err;
5454
5455 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5456 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5457 family = PF_INET;
5458
5459 if (selinux_peerlbl_enabled()) {
5460 asoc->peer_secid = SECSID_NULL;
5461
5462 /* This will return peer_sid = SECSID_NULL if there are
5463 * no peer labels, see security_net_peersid_resolve().
5464 */
5465 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid);
5466 if (err)
5467 return err;
5468
5469 if (asoc->peer_secid == SECSID_NULL)
5470 asoc->peer_secid = SECINITSID_UNLABELED;
5471 } else {
5472 asoc->peer_secid = SECINITSID_UNLABELED;
5473 }
5474
5475 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
5476 sksec->sctp_assoc_state = SCTP_ASSOC_SET;
5477
5478 /* Here as first association on socket. As the peer SID
5479 * was allowed by peer recv (and the netif/node checks),
5480 * then it is approved by policy and used as the primary
5481 * peer SID for getpeercon(3).
5482 */
5483 sksec->peer_sid = asoc->peer_secid;
5484 } else if (sksec->peer_sid != asoc->peer_secid) {
5485 /* Other association peer SIDs are checked to enforce
5486 * consistency among the peer SIDs.
5487 */
5488 ad_net_init_from_sk(&ad, &net, asoc->base.sk);
5489 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid,
5490 sksec->sclass, SCTP_SOCKET__ASSOCIATION,
5491 &ad);
5492 if (err)
5493 return err;
5494 }
5495 return 0;
5496 }
5497
5498 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This
5499 * happens on an incoming connect(2), sctp_connectx(3) or
5500 * sctp_sendmsg(3) (with no association already present).
5501 */
selinux_sctp_assoc_request(struct sctp_association * asoc,struct sk_buff * skb)5502 static int selinux_sctp_assoc_request(struct sctp_association *asoc,
5503 struct sk_buff *skb)
5504 {
5505 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk);
5506 u32 conn_sid;
5507 int err;
5508
5509 if (!selinux_policycap_extsockclass())
5510 return 0;
5511
5512 err = selinux_sctp_process_new_assoc(asoc, skb);
5513 if (err)
5514 return err;
5515
5516 /* Compute the MLS component for the connection and store
5517 * the information in asoc. This will be used by SCTP TCP type
5518 * sockets and peeled off connections as they cause a new
5519 * socket to be generated. selinux_sctp_sk_clone() will then
5520 * plug this into the new socket.
5521 */
5522 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid);
5523 if (err)
5524 return err;
5525
5526 asoc->secid = conn_sid;
5527
5528 /* Set any NetLabel labels including CIPSO/CALIPSO options. */
5529 return selinux_netlbl_sctp_assoc_request(asoc, skb);
5530 }
5531
5532 /* Called when SCTP receives a COOKIE ACK chunk as the final
5533 * response to an association request (initited by us).
5534 */
selinux_sctp_assoc_established(struct sctp_association * asoc,struct sk_buff * skb)5535 static int selinux_sctp_assoc_established(struct sctp_association *asoc,
5536 struct sk_buff *skb)
5537 {
5538 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk);
5539
5540 if (!selinux_policycap_extsockclass())
5541 return 0;
5542
5543 /* Inherit secid from the parent socket - this will be picked up
5544 * by selinux_sctp_sk_clone() if the association gets peeled off
5545 * into a new socket.
5546 */
5547 asoc->secid = sksec->sid;
5548
5549 return selinux_sctp_process_new_assoc(asoc, skb);
5550 }
5551
5552 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
5553 * based on their @optname.
5554 */
selinux_sctp_bind_connect(struct sock * sk,int optname,struct sockaddr * address,int addrlen)5555 static int selinux_sctp_bind_connect(struct sock *sk, int optname,
5556 struct sockaddr *address,
5557 int addrlen)
5558 {
5559 int len, err = 0, walk_size = 0;
5560 void *addr_buf;
5561 struct sockaddr *addr;
5562 struct socket *sock;
5563
5564 if (!selinux_policycap_extsockclass())
5565 return 0;
5566
5567 /* Process one or more addresses that may be IPv4 or IPv6 */
5568 sock = sk->sk_socket;
5569 addr_buf = address;
5570
5571 while (walk_size < addrlen) {
5572 if (walk_size + sizeof(sa_family_t) > addrlen)
5573 return -EINVAL;
5574
5575 addr = addr_buf;
5576 switch (addr->sa_family) {
5577 case AF_UNSPEC:
5578 case AF_INET:
5579 len = sizeof(struct sockaddr_in);
5580 break;
5581 case AF_INET6:
5582 len = sizeof(struct sockaddr_in6);
5583 break;
5584 default:
5585 return -EINVAL;
5586 }
5587
5588 if (walk_size + len > addrlen)
5589 return -EINVAL;
5590
5591 err = -EINVAL;
5592 switch (optname) {
5593 /* Bind checks */
5594 case SCTP_PRIMARY_ADDR:
5595 case SCTP_SET_PEER_PRIMARY_ADDR:
5596 case SCTP_SOCKOPT_BINDX_ADD:
5597 err = selinux_socket_bind(sock, addr, len);
5598 break;
5599 /* Connect checks */
5600 case SCTP_SOCKOPT_CONNECTX:
5601 case SCTP_PARAM_SET_PRIMARY:
5602 case SCTP_PARAM_ADD_IP:
5603 case SCTP_SENDMSG_CONNECT:
5604 err = selinux_socket_connect_helper(sock, addr, len);
5605 if (err)
5606 return err;
5607
5608 /* As selinux_sctp_bind_connect() is called by the
5609 * SCTP protocol layer, the socket is already locked,
5610 * therefore selinux_netlbl_socket_connect_locked()
5611 * is called here. The situations handled are:
5612 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2),
5613 * whenever a new IP address is added or when a new
5614 * primary address is selected.
5615 * Note that an SCTP connect(2) call happens before
5616 * the SCTP protocol layer and is handled via
5617 * selinux_socket_connect().
5618 */
5619 err = selinux_netlbl_socket_connect_locked(sk, addr);
5620 break;
5621 }
5622
5623 if (err)
5624 return err;
5625
5626 addr_buf += len;
5627 walk_size += len;
5628 }
5629
5630 return 0;
5631 }
5632
5633 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
selinux_sctp_sk_clone(struct sctp_association * asoc,struct sock * sk,struct sock * newsk)5634 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
5635 struct sock *newsk)
5636 {
5637 struct sk_security_struct *sksec = selinux_sock(sk);
5638 struct sk_security_struct *newsksec = selinux_sock(newsk);
5639
5640 /* If policy does not support SECCLASS_SCTP_SOCKET then call
5641 * the non-sctp clone version.
5642 */
5643 if (!selinux_policycap_extsockclass())
5644 return selinux_sk_clone_security(sk, newsk);
5645
5646 newsksec->sid = asoc->secid;
5647 newsksec->peer_sid = asoc->peer_secid;
5648 newsksec->sclass = sksec->sclass;
5649 selinux_netlbl_sctp_sk_clone(sk, newsk);
5650 }
5651
selinux_mptcp_add_subflow(struct sock * sk,struct sock * ssk)5652 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
5653 {
5654 struct sk_security_struct *ssksec = selinux_sock(ssk);
5655 struct sk_security_struct *sksec = selinux_sock(sk);
5656
5657 ssksec->sclass = sksec->sclass;
5658 ssksec->sid = sksec->sid;
5659
5660 /* replace the existing subflow label deleting the existing one
5661 * and re-recreating a new label using the updated context
5662 */
5663 selinux_netlbl_sk_security_free(ssksec);
5664 return selinux_netlbl_socket_post_create(ssk, ssk->sk_family);
5665 }
5666
selinux_inet_conn_request(const struct sock * sk,struct sk_buff * skb,struct request_sock * req)5667 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
5668 struct request_sock *req)
5669 {
5670 struct sk_security_struct *sksec = selinux_sock(sk);
5671 int err;
5672 u16 family = req->rsk_ops->family;
5673 u32 connsid;
5674 u32 peersid;
5675
5676 err = selinux_skb_peerlbl_sid(skb, family, &peersid);
5677 if (err)
5678 return err;
5679 err = selinux_conn_sid(sksec->sid, peersid, &connsid);
5680 if (err)
5681 return err;
5682 req->secid = connsid;
5683 req->peer_secid = peersid;
5684
5685 return selinux_netlbl_inet_conn_request(req, family);
5686 }
5687
selinux_inet_csk_clone(struct sock * newsk,const struct request_sock * req)5688 static void selinux_inet_csk_clone(struct sock *newsk,
5689 const struct request_sock *req)
5690 {
5691 struct sk_security_struct *newsksec = selinux_sock(newsk);
5692
5693 newsksec->sid = req->secid;
5694 newsksec->peer_sid = req->peer_secid;
5695 /* NOTE: Ideally, we should also get the isec->sid for the
5696 new socket in sync, but we don't have the isec available yet.
5697 So we will wait until sock_graft to do it, by which
5698 time it will have been created and available. */
5699
5700 /* We don't need to take any sort of lock here as we are the only
5701 * thread with access to newsksec */
5702 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family);
5703 }
5704
selinux_inet_conn_established(struct sock * sk,struct sk_buff * skb)5705 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
5706 {
5707 u16 family = sk->sk_family;
5708 struct sk_security_struct *sksec = selinux_sock(sk);
5709
5710 /* handle mapped IPv4 packets arriving via IPv6 sockets */
5711 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
5712 family = PF_INET;
5713
5714 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
5715 }
5716
selinux_secmark_relabel_packet(u32 sid)5717 static int selinux_secmark_relabel_packet(u32 sid)
5718 {
5719 return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO,
5720 NULL);
5721 }
5722
selinux_secmark_refcount_inc(void)5723 static void selinux_secmark_refcount_inc(void)
5724 {
5725 atomic_inc(&selinux_secmark_refcount);
5726 }
5727
selinux_secmark_refcount_dec(void)5728 static void selinux_secmark_refcount_dec(void)
5729 {
5730 atomic_dec(&selinux_secmark_refcount);
5731 }
5732
selinux_req_classify_flow(const struct request_sock * req,struct flowi_common * flic)5733 static void selinux_req_classify_flow(const struct request_sock *req,
5734 struct flowi_common *flic)
5735 {
5736 flic->flowic_secid = req->secid;
5737 }
5738
selinux_tun_dev_alloc_security(void * security)5739 static int selinux_tun_dev_alloc_security(void *security)
5740 {
5741 struct tun_security_struct *tunsec = selinux_tun_dev(security);
5742
5743 tunsec->sid = current_sid();
5744 return 0;
5745 }
5746
selinux_tun_dev_create(void)5747 static int selinux_tun_dev_create(void)
5748 {
5749 u32 sid = current_sid();
5750
5751 /* we aren't taking into account the "sockcreate" SID since the socket
5752 * that is being created here is not a socket in the traditional sense,
5753 * instead it is a private sock, accessible only to the kernel, and
5754 * representing a wide range of network traffic spanning multiple
5755 * connections unlike traditional sockets - check the TUN driver to
5756 * get a better understanding of why this socket is special */
5757
5758 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
5759 NULL);
5760 }
5761
selinux_tun_dev_attach_queue(void * security)5762 static int selinux_tun_dev_attach_queue(void *security)
5763 {
5764 struct tun_security_struct *tunsec = selinux_tun_dev(security);
5765
5766 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
5767 TUN_SOCKET__ATTACH_QUEUE, NULL);
5768 }
5769
selinux_tun_dev_attach(struct sock * sk,void * security)5770 static int selinux_tun_dev_attach(struct sock *sk, void *security)
5771 {
5772 struct tun_security_struct *tunsec = selinux_tun_dev(security);
5773 struct sk_security_struct *sksec = selinux_sock(sk);
5774
5775 /* we don't currently perform any NetLabel based labeling here and it
5776 * isn't clear that we would want to do so anyway; while we could apply
5777 * labeling without the support of the TUN user the resulting labeled
5778 * traffic from the other end of the connection would almost certainly
5779 * cause confusion to the TUN user that had no idea network labeling
5780 * protocols were being used */
5781
5782 sksec->sid = tunsec->sid;
5783 sksec->sclass = SECCLASS_TUN_SOCKET;
5784
5785 return 0;
5786 }
5787
selinux_tun_dev_open(void * security)5788 static int selinux_tun_dev_open(void *security)
5789 {
5790 struct tun_security_struct *tunsec = selinux_tun_dev(security);
5791 u32 sid = current_sid();
5792 int err;
5793
5794 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET,
5795 TUN_SOCKET__RELABELFROM, NULL);
5796 if (err)
5797 return err;
5798 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
5799 TUN_SOCKET__RELABELTO, NULL);
5800 if (err)
5801 return err;
5802 tunsec->sid = sid;
5803
5804 return 0;
5805 }
5806
5807 #ifdef CONFIG_NETFILTER
5808
selinux_ip_forward(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5809 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5810 const struct nf_hook_state *state)
5811 {
5812 int ifindex;
5813 u16 family;
5814 char *addrp;
5815 u32 peer_sid;
5816 struct common_audit_data ad;
5817 struct lsm_network_audit net;
5818 int secmark_active, peerlbl_active;
5819
5820 if (!selinux_policycap_netpeer())
5821 return NF_ACCEPT;
5822
5823 secmark_active = selinux_secmark_enabled();
5824 peerlbl_active = selinux_peerlbl_enabled();
5825 if (!secmark_active && !peerlbl_active)
5826 return NF_ACCEPT;
5827
5828 family = state->pf;
5829 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
5830 return NF_DROP;
5831
5832 ifindex = state->in->ifindex;
5833 ad_net_init_from_iif(&ad, &net, ifindex, family);
5834 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
5835 return NF_DROP;
5836
5837 if (peerlbl_active) {
5838 int err;
5839
5840 err = selinux_inet_sys_rcv_skb(state->net, ifindex,
5841 addrp, family, peer_sid, &ad);
5842 if (err) {
5843 selinux_netlbl_err(skb, family, err, 1);
5844 return NF_DROP;
5845 }
5846 }
5847
5848 if (secmark_active)
5849 if (avc_has_perm(peer_sid, skb->secmark,
5850 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
5851 return NF_DROP;
5852
5853 if (netlbl_enabled())
5854 /* we do this in the FORWARD path and not the POST_ROUTING
5855 * path because we want to make sure we apply the necessary
5856 * labeling before IPsec is applied so we can leverage AH
5857 * protection */
5858 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
5859 return NF_DROP;
5860
5861 return NF_ACCEPT;
5862 }
5863
selinux_ip_output(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5864 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5865 const struct nf_hook_state *state)
5866 {
5867 struct sock *sk;
5868 u32 sid;
5869
5870 if (!netlbl_enabled())
5871 return NF_ACCEPT;
5872
5873 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
5874 * because we want to make sure we apply the necessary labeling
5875 * before IPsec is applied so we can leverage AH protection */
5876 sk = sk_to_full_sk(skb->sk);
5877 if (sk) {
5878 struct sk_security_struct *sksec;
5879
5880 if (sk_listener(sk))
5881 /* if the socket is the listening state then this
5882 * packet is a SYN-ACK packet which means it needs to
5883 * be labeled based on the connection/request_sock and
5884 * not the parent socket. unfortunately, we can't
5885 * lookup the request_sock yet as it isn't queued on
5886 * the parent socket until after the SYN-ACK is sent.
5887 * the "solution" is to simply pass the packet as-is
5888 * as any IP option based labeling should be copied
5889 * from the initial connection request (in the IP
5890 * layer). it is far from ideal, but until we get a
5891 * security label in the packet itself this is the
5892 * best we can do. */
5893 return NF_ACCEPT;
5894
5895 /* standard practice, label using the parent socket */
5896 sksec = selinux_sock(sk);
5897 sid = sksec->sid;
5898 } else
5899 sid = SECINITSID_KERNEL;
5900 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0)
5901 return NF_DROP;
5902
5903 return NF_ACCEPT;
5904 }
5905
5906
selinux_ip_postroute_compat(struct sk_buff * skb,const struct nf_hook_state * state)5907 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5908 const struct nf_hook_state *state)
5909 {
5910 struct sock *sk;
5911 struct sk_security_struct *sksec;
5912 struct common_audit_data ad;
5913 struct lsm_network_audit net;
5914 u8 proto = 0;
5915
5916 sk = skb_to_full_sk(skb);
5917 if (sk == NULL)
5918 return NF_ACCEPT;
5919 sksec = selinux_sock(sk);
5920
5921 ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf);
5922 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto))
5923 return NF_DROP;
5924
5925 if (selinux_secmark_enabled())
5926 if (avc_has_perm(sksec->sid, skb->secmark,
5927 SECCLASS_PACKET, PACKET__SEND, &ad))
5928 return NF_DROP_ERR(-ECONNREFUSED);
5929
5930 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
5931 return NF_DROP_ERR(-ECONNREFUSED);
5932
5933 return NF_ACCEPT;
5934 }
5935
selinux_ip_postroute(void * priv,struct sk_buff * skb,const struct nf_hook_state * state)5936 static unsigned int selinux_ip_postroute(void *priv,
5937 struct sk_buff *skb,
5938 const struct nf_hook_state *state)
5939 {
5940 u16 family;
5941 u32 secmark_perm;
5942 u32 peer_sid;
5943 int ifindex;
5944 struct sock *sk;
5945 struct common_audit_data ad;
5946 struct lsm_network_audit net;
5947 char *addrp;
5948 int secmark_active, peerlbl_active;
5949
5950 /* If any sort of compatibility mode is enabled then handoff processing
5951 * to the selinux_ip_postroute_compat() function to deal with the
5952 * special handling. We do this in an attempt to keep this function
5953 * as fast and as clean as possible. */
5954 if (!selinux_policycap_netpeer())
5955 return selinux_ip_postroute_compat(skb, state);
5956
5957 secmark_active = selinux_secmark_enabled();
5958 peerlbl_active = selinux_peerlbl_enabled();
5959 if (!secmark_active && !peerlbl_active)
5960 return NF_ACCEPT;
5961
5962 sk = skb_to_full_sk(skb);
5963
5964 #ifdef CONFIG_XFRM
5965 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
5966 * packet transformation so allow the packet to pass without any checks
5967 * since we'll have another chance to perform access control checks
5968 * when the packet is on it's final way out.
5969 * NOTE: there appear to be some IPv6 multicast cases where skb->dst
5970 * is NULL, in this case go ahead and apply access control.
5971 * NOTE: if this is a local socket (skb->sk != NULL) that is in the
5972 * TCP listening state we cannot wait until the XFRM processing
5973 * is done as we will miss out on the SA label if we do;
5974 * unfortunately, this means more work, but it is only once per
5975 * connection. */
5976 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL &&
5977 !(sk && sk_listener(sk)))
5978 return NF_ACCEPT;
5979 #endif
5980
5981 family = state->pf;
5982 if (sk == NULL) {
5983 /* Without an associated socket the packet is either coming
5984 * from the kernel or it is being forwarded; check the packet
5985 * to determine which and if the packet is being forwarded
5986 * query the packet directly to determine the security label. */
5987 if (skb->skb_iif) {
5988 secmark_perm = PACKET__FORWARD_OUT;
5989 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
5990 return NF_DROP;
5991 } else {
5992 secmark_perm = PACKET__SEND;
5993 peer_sid = SECINITSID_KERNEL;
5994 }
5995 } else if (sk_listener(sk)) {
5996 /* Locally generated packet but the associated socket is in the
5997 * listening state which means this is a SYN-ACK packet. In
5998 * this particular case the correct security label is assigned
5999 * to the connection/request_sock but unfortunately we can't
6000 * query the request_sock as it isn't queued on the parent
6001 * socket until after the SYN-ACK packet is sent; the only
6002 * viable choice is to regenerate the label like we do in
6003 * selinux_inet_conn_request(). See also selinux_ip_output()
6004 * for similar problems. */
6005 u32 skb_sid;
6006 struct sk_security_struct *sksec;
6007
6008 sksec = selinux_sock(sk);
6009 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
6010 return NF_DROP;
6011 /* At this point, if the returned skb peerlbl is SECSID_NULL
6012 * and the packet has been through at least one XFRM
6013 * transformation then we must be dealing with the "final"
6014 * form of labeled IPsec packet; since we've already applied
6015 * all of our access controls on this packet we can safely
6016 * pass the packet. */
6017 if (skb_sid == SECSID_NULL) {
6018 switch (family) {
6019 case PF_INET:
6020 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
6021 return NF_ACCEPT;
6022 break;
6023 case PF_INET6:
6024 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
6025 return NF_ACCEPT;
6026 break;
6027 default:
6028 return NF_DROP_ERR(-ECONNREFUSED);
6029 }
6030 }
6031 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
6032 return NF_DROP;
6033 secmark_perm = PACKET__SEND;
6034 } else {
6035 /* Locally generated packet, fetch the security label from the
6036 * associated socket. */
6037 struct sk_security_struct *sksec = selinux_sock(sk);
6038 peer_sid = sksec->sid;
6039 secmark_perm = PACKET__SEND;
6040 }
6041
6042 ifindex = state->out->ifindex;
6043 ad_net_init_from_iif(&ad, &net, ifindex, family);
6044 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
6045 return NF_DROP;
6046
6047 if (secmark_active)
6048 if (avc_has_perm(peer_sid, skb->secmark,
6049 SECCLASS_PACKET, secmark_perm, &ad))
6050 return NF_DROP_ERR(-ECONNREFUSED);
6051
6052 if (peerlbl_active) {
6053 u32 if_sid;
6054 u32 node_sid;
6055
6056 if (sel_netif_sid(state->net, ifindex, &if_sid))
6057 return NF_DROP;
6058 if (avc_has_perm(peer_sid, if_sid,
6059 SECCLASS_NETIF, NETIF__EGRESS, &ad))
6060 return NF_DROP_ERR(-ECONNREFUSED);
6061
6062 if (sel_netnode_sid(addrp, family, &node_sid))
6063 return NF_DROP;
6064 if (avc_has_perm(peer_sid, node_sid,
6065 SECCLASS_NODE, NODE__SENDTO, &ad))
6066 return NF_DROP_ERR(-ECONNREFUSED);
6067 }
6068
6069 return NF_ACCEPT;
6070 }
6071 #endif /* CONFIG_NETFILTER */
6072
nlmsg_sock_has_extended_perms(struct sock * sk,u32 perms,u16 nlmsg_type)6073 static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type)
6074 {
6075 struct sk_security_struct *sksec = sk->sk_security;
6076 struct common_audit_data ad;
6077 u8 driver;
6078 u8 xperm;
6079
6080 if (sock_skip_has_perm(sksec->sid))
6081 return 0;
6082
6083 ad.type = LSM_AUDIT_DATA_NLMSGTYPE;
6084 ad.u.nlmsg_type = nlmsg_type;
6085
6086 driver = nlmsg_type >> 8;
6087 xperm = nlmsg_type & 0xff;
6088
6089 return avc_has_extended_perms(current_sid(), sksec->sid, sksec->sclass,
6090 perms, driver, AVC_EXT_NLMSG, xperm, &ad);
6091 }
6092
selinux_netlink_send(struct sock * sk,struct sk_buff * skb)6093 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
6094 {
6095 int rc = 0;
6096 unsigned int msg_len;
6097 unsigned int data_len = skb->len;
6098 unsigned char *data = skb->data;
6099 struct nlmsghdr *nlh;
6100 struct sk_security_struct *sksec = selinux_sock(sk);
6101 u16 sclass = sksec->sclass;
6102 u32 perm;
6103
6104 while (data_len >= nlmsg_total_size(0)) {
6105 nlh = (struct nlmsghdr *)data;
6106
6107 /* NOTE: the nlmsg_len field isn't reliably set by some netlink
6108 * users which means we can't reject skb's with bogus
6109 * length fields; our solution is to follow what
6110 * netlink_rcv_skb() does and simply skip processing at
6111 * messages with length fields that are clearly junk
6112 */
6113 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
6114 return 0;
6115
6116 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
6117 if (rc == 0) {
6118 if (selinux_policycap_netlink_xperm()) {
6119 rc = nlmsg_sock_has_extended_perms(
6120 sk, perm, nlh->nlmsg_type);
6121 } else {
6122 rc = sock_has_perm(sk, perm);
6123 }
6124 if (rc)
6125 return rc;
6126 } else if (rc == -EINVAL) {
6127 /* -EINVAL is a missing msg/perm mapping */
6128 pr_warn_ratelimited("SELinux: unrecognized netlink"
6129 " message: protocol=%hu nlmsg_type=%hu sclass=%s"
6130 " pid=%d comm=%s\n",
6131 sk->sk_protocol, nlh->nlmsg_type,
6132 secclass_map[sclass - 1].name,
6133 task_pid_nr(current), current->comm);
6134 if (enforcing_enabled() &&
6135 !security_get_allow_unknown())
6136 return rc;
6137 rc = 0;
6138 } else if (rc == -ENOENT) {
6139 /* -ENOENT is a missing socket/class mapping, ignore */
6140 rc = 0;
6141 } else {
6142 return rc;
6143 }
6144
6145 /* move to the next message after applying netlink padding */
6146 msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
6147 if (msg_len >= data_len)
6148 return 0;
6149 data_len -= msg_len;
6150 data += msg_len;
6151 }
6152
6153 return rc;
6154 }
6155
ipc_init_security(struct ipc_security_struct * isec,u16 sclass)6156 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
6157 {
6158 isec->sclass = sclass;
6159 isec->sid = current_sid();
6160 }
6161
ipc_has_perm(struct kern_ipc_perm * ipc_perms,u32 perms)6162 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
6163 u32 perms)
6164 {
6165 struct ipc_security_struct *isec;
6166 struct common_audit_data ad;
6167 u32 sid = current_sid();
6168
6169 isec = selinux_ipc(ipc_perms);
6170
6171 ad.type = LSM_AUDIT_DATA_IPC;
6172 ad.u.ipc_id = ipc_perms->key;
6173
6174 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
6175 }
6176
selinux_msg_msg_alloc_security(struct msg_msg * msg)6177 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
6178 {
6179 struct msg_security_struct *msec;
6180
6181 msec = selinux_msg_msg(msg);
6182 msec->sid = SECINITSID_UNLABELED;
6183
6184 return 0;
6185 }
6186
6187 /* message queue security operations */
selinux_msg_queue_alloc_security(struct kern_ipc_perm * msq)6188 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq)
6189 {
6190 struct ipc_security_struct *isec;
6191 struct common_audit_data ad;
6192 u32 sid = current_sid();
6193
6194 isec = selinux_ipc(msq);
6195 ipc_init_security(isec, SECCLASS_MSGQ);
6196
6197 ad.type = LSM_AUDIT_DATA_IPC;
6198 ad.u.ipc_id = msq->key;
6199
6200 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6201 MSGQ__CREATE, &ad);
6202 }
6203
selinux_msg_queue_associate(struct kern_ipc_perm * msq,int msqflg)6204 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
6205 {
6206 struct ipc_security_struct *isec;
6207 struct common_audit_data ad;
6208 u32 sid = current_sid();
6209
6210 isec = selinux_ipc(msq);
6211
6212 ad.type = LSM_AUDIT_DATA_IPC;
6213 ad.u.ipc_id = msq->key;
6214
6215 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6216 MSGQ__ASSOCIATE, &ad);
6217 }
6218
selinux_msg_queue_msgctl(struct kern_ipc_perm * msq,int cmd)6219 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
6220 {
6221 u32 perms;
6222
6223 switch (cmd) {
6224 case IPC_INFO:
6225 case MSG_INFO:
6226 /* No specific object, just general system-wide information. */
6227 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6228 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6229 case IPC_STAT:
6230 case MSG_STAT:
6231 case MSG_STAT_ANY:
6232 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
6233 break;
6234 case IPC_SET:
6235 perms = MSGQ__SETATTR;
6236 break;
6237 case IPC_RMID:
6238 perms = MSGQ__DESTROY;
6239 break;
6240 default:
6241 return 0;
6242 }
6243
6244 return ipc_has_perm(msq, perms);
6245 }
6246
selinux_msg_queue_msgsnd(struct kern_ipc_perm * msq,struct msg_msg * msg,int msqflg)6247 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg)
6248 {
6249 struct ipc_security_struct *isec;
6250 struct msg_security_struct *msec;
6251 struct common_audit_data ad;
6252 u32 sid = current_sid();
6253 int rc;
6254
6255 isec = selinux_ipc(msq);
6256 msec = selinux_msg_msg(msg);
6257
6258 /*
6259 * First time through, need to assign label to the message
6260 */
6261 if (msec->sid == SECINITSID_UNLABELED) {
6262 /*
6263 * Compute new sid based on current process and
6264 * message queue this message will be stored in
6265 */
6266 rc = security_transition_sid(sid, isec->sid,
6267 SECCLASS_MSG, NULL, &msec->sid);
6268 if (rc)
6269 return rc;
6270 }
6271
6272 ad.type = LSM_AUDIT_DATA_IPC;
6273 ad.u.ipc_id = msq->key;
6274
6275 /* Can this process write to the queue? */
6276 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
6277 MSGQ__WRITE, &ad);
6278 if (!rc)
6279 /* Can this process send the message */
6280 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
6281 MSG__SEND, &ad);
6282 if (!rc)
6283 /* Can the message be put in the queue? */
6284 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
6285 MSGQ__ENQUEUE, &ad);
6286
6287 return rc;
6288 }
6289
selinux_msg_queue_msgrcv(struct kern_ipc_perm * msq,struct msg_msg * msg,struct task_struct * target,long type,int mode)6290 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
6291 struct task_struct *target,
6292 long type, int mode)
6293 {
6294 struct ipc_security_struct *isec;
6295 struct msg_security_struct *msec;
6296 struct common_audit_data ad;
6297 u32 sid = task_sid_obj(target);
6298 int rc;
6299
6300 isec = selinux_ipc(msq);
6301 msec = selinux_msg_msg(msg);
6302
6303 ad.type = LSM_AUDIT_DATA_IPC;
6304 ad.u.ipc_id = msq->key;
6305
6306 rc = avc_has_perm(sid, isec->sid,
6307 SECCLASS_MSGQ, MSGQ__READ, &ad);
6308 if (!rc)
6309 rc = avc_has_perm(sid, msec->sid,
6310 SECCLASS_MSG, MSG__RECEIVE, &ad);
6311 return rc;
6312 }
6313
6314 /* Shared Memory security operations */
selinux_shm_alloc_security(struct kern_ipc_perm * shp)6315 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp)
6316 {
6317 struct ipc_security_struct *isec;
6318 struct common_audit_data ad;
6319 u32 sid = current_sid();
6320
6321 isec = selinux_ipc(shp);
6322 ipc_init_security(isec, SECCLASS_SHM);
6323
6324 ad.type = LSM_AUDIT_DATA_IPC;
6325 ad.u.ipc_id = shp->key;
6326
6327 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6328 SHM__CREATE, &ad);
6329 }
6330
selinux_shm_associate(struct kern_ipc_perm * shp,int shmflg)6331 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
6332 {
6333 struct ipc_security_struct *isec;
6334 struct common_audit_data ad;
6335 u32 sid = current_sid();
6336
6337 isec = selinux_ipc(shp);
6338
6339 ad.type = LSM_AUDIT_DATA_IPC;
6340 ad.u.ipc_id = shp->key;
6341
6342 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
6343 SHM__ASSOCIATE, &ad);
6344 }
6345
6346 /* Note, at this point, shp is locked down */
selinux_shm_shmctl(struct kern_ipc_perm * shp,int cmd)6347 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
6348 {
6349 u32 perms;
6350
6351 switch (cmd) {
6352 case IPC_INFO:
6353 case SHM_INFO:
6354 /* No specific object, just general system-wide information. */
6355 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6356 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6357 case IPC_STAT:
6358 case SHM_STAT:
6359 case SHM_STAT_ANY:
6360 perms = SHM__GETATTR | SHM__ASSOCIATE;
6361 break;
6362 case IPC_SET:
6363 perms = SHM__SETATTR;
6364 break;
6365 case SHM_LOCK:
6366 case SHM_UNLOCK:
6367 perms = SHM__LOCK;
6368 break;
6369 case IPC_RMID:
6370 perms = SHM__DESTROY;
6371 break;
6372 default:
6373 return 0;
6374 }
6375
6376 return ipc_has_perm(shp, perms);
6377 }
6378
selinux_shm_shmat(struct kern_ipc_perm * shp,char __user * shmaddr,int shmflg)6379 static int selinux_shm_shmat(struct kern_ipc_perm *shp,
6380 char __user *shmaddr, int shmflg)
6381 {
6382 u32 perms;
6383
6384 if (shmflg & SHM_RDONLY)
6385 perms = SHM__READ;
6386 else
6387 perms = SHM__READ | SHM__WRITE;
6388
6389 return ipc_has_perm(shp, perms);
6390 }
6391
6392 /* Semaphore security operations */
selinux_sem_alloc_security(struct kern_ipc_perm * sma)6393 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
6394 {
6395 struct ipc_security_struct *isec;
6396 struct common_audit_data ad;
6397 u32 sid = current_sid();
6398
6399 isec = selinux_ipc(sma);
6400 ipc_init_security(isec, SECCLASS_SEM);
6401
6402 ad.type = LSM_AUDIT_DATA_IPC;
6403 ad.u.ipc_id = sma->key;
6404
6405 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6406 SEM__CREATE, &ad);
6407 }
6408
selinux_sem_associate(struct kern_ipc_perm * sma,int semflg)6409 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
6410 {
6411 struct ipc_security_struct *isec;
6412 struct common_audit_data ad;
6413 u32 sid = current_sid();
6414
6415 isec = selinux_ipc(sma);
6416
6417 ad.type = LSM_AUDIT_DATA_IPC;
6418 ad.u.ipc_id = sma->key;
6419
6420 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
6421 SEM__ASSOCIATE, &ad);
6422 }
6423
6424 /* Note, at this point, sma is locked down */
selinux_sem_semctl(struct kern_ipc_perm * sma,int cmd)6425 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
6426 {
6427 int err;
6428 u32 perms;
6429
6430 switch (cmd) {
6431 case IPC_INFO:
6432 case SEM_INFO:
6433 /* No specific object, just general system-wide information. */
6434 return avc_has_perm(current_sid(), SECINITSID_KERNEL,
6435 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
6436 case GETPID:
6437 case GETNCNT:
6438 case GETZCNT:
6439 perms = SEM__GETATTR;
6440 break;
6441 case GETVAL:
6442 case GETALL:
6443 perms = SEM__READ;
6444 break;
6445 case SETVAL:
6446 case SETALL:
6447 perms = SEM__WRITE;
6448 break;
6449 case IPC_RMID:
6450 perms = SEM__DESTROY;
6451 break;
6452 case IPC_SET:
6453 perms = SEM__SETATTR;
6454 break;
6455 case IPC_STAT:
6456 case SEM_STAT:
6457 case SEM_STAT_ANY:
6458 perms = SEM__GETATTR | SEM__ASSOCIATE;
6459 break;
6460 default:
6461 return 0;
6462 }
6463
6464 err = ipc_has_perm(sma, perms);
6465 return err;
6466 }
6467
selinux_sem_semop(struct kern_ipc_perm * sma,struct sembuf * sops,unsigned nsops,int alter)6468 static int selinux_sem_semop(struct kern_ipc_perm *sma,
6469 struct sembuf *sops, unsigned nsops, int alter)
6470 {
6471 u32 perms;
6472
6473 if (alter)
6474 perms = SEM__READ | SEM__WRITE;
6475 else
6476 perms = SEM__READ;
6477
6478 return ipc_has_perm(sma, perms);
6479 }
6480
selinux_ipc_permission(struct kern_ipc_perm * ipcp,short flag)6481 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
6482 {
6483 u32 av = 0;
6484
6485 av = 0;
6486 if (flag & S_IRUGO)
6487 av |= IPC__UNIX_READ;
6488 if (flag & S_IWUGO)
6489 av |= IPC__UNIX_WRITE;
6490
6491 if (av == 0)
6492 return 0;
6493
6494 return ipc_has_perm(ipcp, av);
6495 }
6496
selinux_ipc_getlsmprop(struct kern_ipc_perm * ipcp,struct lsm_prop * prop)6497 static void selinux_ipc_getlsmprop(struct kern_ipc_perm *ipcp,
6498 struct lsm_prop *prop)
6499 {
6500 struct ipc_security_struct *isec = selinux_ipc(ipcp);
6501 prop->selinux.secid = isec->sid;
6502 }
6503
selinux_d_instantiate(struct dentry * dentry,struct inode * inode)6504 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
6505 {
6506 if (inode)
6507 inode_doinit_with_dentry(inode, dentry);
6508 }
6509
selinux_lsm_getattr(unsigned int attr,struct task_struct * p,char ** value)6510 static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,
6511 char **value)
6512 {
6513 const struct task_security_struct *tsec;
6514 int error;
6515 u32 sid;
6516 u32 len;
6517
6518 rcu_read_lock();
6519 tsec = selinux_cred(__task_cred(p));
6520 if (p != current) {
6521 error = avc_has_perm(current_sid(), tsec->sid,
6522 SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
6523 if (error)
6524 goto err_unlock;
6525 }
6526 switch (attr) {
6527 case LSM_ATTR_CURRENT:
6528 sid = tsec->sid;
6529 break;
6530 case LSM_ATTR_PREV:
6531 sid = tsec->osid;
6532 break;
6533 case LSM_ATTR_EXEC:
6534 sid = tsec->exec_sid;
6535 break;
6536 case LSM_ATTR_FSCREATE:
6537 sid = tsec->create_sid;
6538 break;
6539 case LSM_ATTR_KEYCREATE:
6540 sid = tsec->keycreate_sid;
6541 break;
6542 case LSM_ATTR_SOCKCREATE:
6543 sid = tsec->sockcreate_sid;
6544 break;
6545 default:
6546 error = -EOPNOTSUPP;
6547 goto err_unlock;
6548 }
6549 rcu_read_unlock();
6550
6551 if (sid == SECSID_NULL) {
6552 *value = NULL;
6553 return 0;
6554 }
6555
6556 error = security_sid_to_context(sid, value, &len);
6557 if (error)
6558 return error;
6559 return len;
6560
6561 err_unlock:
6562 rcu_read_unlock();
6563 return error;
6564 }
6565
selinux_lsm_setattr(u64 attr,void * value,size_t size)6566 static int selinux_lsm_setattr(u64 attr, void *value, size_t size)
6567 {
6568 struct task_security_struct *tsec;
6569 struct cred *new;
6570 u32 mysid = current_sid(), sid = 0, ptsid;
6571 int error;
6572 char *str = value;
6573
6574 /*
6575 * Basic control over ability to set these attributes at all.
6576 */
6577 switch (attr) {
6578 case LSM_ATTR_EXEC:
6579 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6580 PROCESS__SETEXEC, NULL);
6581 break;
6582 case LSM_ATTR_FSCREATE:
6583 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6584 PROCESS__SETFSCREATE, NULL);
6585 break;
6586 case LSM_ATTR_KEYCREATE:
6587 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6588 PROCESS__SETKEYCREATE, NULL);
6589 break;
6590 case LSM_ATTR_SOCKCREATE:
6591 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6592 PROCESS__SETSOCKCREATE, NULL);
6593 break;
6594 case LSM_ATTR_CURRENT:
6595 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
6596 PROCESS__SETCURRENT, NULL);
6597 break;
6598 default:
6599 error = -EOPNOTSUPP;
6600 break;
6601 }
6602 if (error)
6603 return error;
6604
6605 /* Obtain a SID for the context, if one was specified. */
6606 if (size && str[0] && str[0] != '\n') {
6607 if (str[size-1] == '\n') {
6608 str[size-1] = 0;
6609 size--;
6610 }
6611 error = security_context_to_sid(value, size,
6612 &sid, GFP_KERNEL);
6613 if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) {
6614 if (!has_cap_mac_admin(true)) {
6615 struct audit_buffer *ab;
6616 size_t audit_size;
6617
6618 /* We strip a nul only if it is at the end,
6619 * otherwise the context contains a nul and
6620 * we should audit that */
6621 if (str[size - 1] == '\0')
6622 audit_size = size - 1;
6623 else
6624 audit_size = size;
6625 ab = audit_log_start(audit_context(),
6626 GFP_ATOMIC,
6627 AUDIT_SELINUX_ERR);
6628 if (!ab)
6629 return error;
6630 audit_log_format(ab, "op=fscreate invalid_context=");
6631 audit_log_n_untrustedstring(ab, value,
6632 audit_size);
6633 audit_log_end(ab);
6634
6635 return error;
6636 }
6637 error = security_context_to_sid_force(value, size,
6638 &sid);
6639 }
6640 if (error)
6641 return error;
6642 }
6643
6644 new = prepare_creds();
6645 if (!new)
6646 return -ENOMEM;
6647
6648 /* Permission checking based on the specified context is
6649 performed during the actual operation (execve,
6650 open/mkdir/...), when we know the full context of the
6651 operation. See selinux_bprm_creds_for_exec for the execve
6652 checks and may_create for the file creation checks. The
6653 operation will then fail if the context is not permitted. */
6654 tsec = selinux_cred(new);
6655 if (attr == LSM_ATTR_EXEC) {
6656 tsec->exec_sid = sid;
6657 } else if (attr == LSM_ATTR_FSCREATE) {
6658 tsec->create_sid = sid;
6659 } else if (attr == LSM_ATTR_KEYCREATE) {
6660 if (sid) {
6661 error = avc_has_perm(mysid, sid,
6662 SECCLASS_KEY, KEY__CREATE, NULL);
6663 if (error)
6664 goto abort_change;
6665 }
6666 tsec->keycreate_sid = sid;
6667 } else if (attr == LSM_ATTR_SOCKCREATE) {
6668 tsec->sockcreate_sid = sid;
6669 } else if (attr == LSM_ATTR_CURRENT) {
6670 error = -EINVAL;
6671 if (sid == 0)
6672 goto abort_change;
6673
6674 if (!current_is_single_threaded()) {
6675 error = security_bounded_transition(tsec->sid, sid);
6676 if (error)
6677 goto abort_change;
6678 }
6679
6680 /* Check permissions for the transition. */
6681 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
6682 PROCESS__DYNTRANSITION, NULL);
6683 if (error)
6684 goto abort_change;
6685
6686 /* Check for ptracing, and update the task SID if ok.
6687 Otherwise, leave SID unchanged and fail. */
6688 ptsid = ptrace_parent_sid();
6689 if (ptsid != 0) {
6690 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
6691 PROCESS__PTRACE, NULL);
6692 if (error)
6693 goto abort_change;
6694 }
6695
6696 tsec->sid = sid;
6697 } else {
6698 error = -EINVAL;
6699 goto abort_change;
6700 }
6701
6702 commit_creds(new);
6703 return size;
6704
6705 abort_change:
6706 abort_creds(new);
6707 return error;
6708 }
6709
6710 /**
6711 * selinux_getselfattr - Get SELinux current task attributes
6712 * @attr: the requested attribute
6713 * @ctx: buffer to receive the result
6714 * @size: buffer size (input), buffer size used (output)
6715 * @flags: unused
6716 *
6717 * Fill the passed user space @ctx with the details of the requested
6718 * attribute.
6719 *
6720 * Returns the number of attributes on success, an error code otherwise.
6721 * There will only ever be one attribute.
6722 */
selinux_getselfattr(unsigned int attr,struct lsm_ctx __user * ctx,u32 * size,u32 flags)6723 static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
6724 u32 *size, u32 flags)
6725 {
6726 int rc;
6727 char *val = NULL;
6728 int val_len;
6729
6730 val_len = selinux_lsm_getattr(attr, current, &val);
6731 if (val_len < 0)
6732 return val_len;
6733 rc = lsm_fill_user_ctx(ctx, size, val, val_len, LSM_ID_SELINUX, 0);
6734 kfree(val);
6735 return (!rc ? 1 : rc);
6736 }
6737
selinux_setselfattr(unsigned int attr,struct lsm_ctx * ctx,u32 size,u32 flags)6738 static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx,
6739 u32 size, u32 flags)
6740 {
6741 int rc;
6742
6743 rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len);
6744 if (rc > 0)
6745 return 0;
6746 return rc;
6747 }
6748
selinux_getprocattr(struct task_struct * p,const char * name,char ** value)6749 static int selinux_getprocattr(struct task_struct *p,
6750 const char *name, char **value)
6751 {
6752 unsigned int attr = lsm_name_to_attr(name);
6753 int rc;
6754
6755 if (attr) {
6756 rc = selinux_lsm_getattr(attr, p, value);
6757 if (rc != -EOPNOTSUPP)
6758 return rc;
6759 }
6760
6761 return -EINVAL;
6762 }
6763
selinux_setprocattr(const char * name,void * value,size_t size)6764 static int selinux_setprocattr(const char *name, void *value, size_t size)
6765 {
6766 int attr = lsm_name_to_attr(name);
6767
6768 if (attr)
6769 return selinux_lsm_setattr(attr, value, size);
6770 return -EINVAL;
6771 }
6772
selinux_ismaclabel(const char * name)6773 static int selinux_ismaclabel(const char *name)
6774 {
6775 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
6776 }
6777
selinux_secid_to_secctx(u32 secid,struct lsm_context * cp)6778 static int selinux_secid_to_secctx(u32 secid, struct lsm_context *cp)
6779 {
6780 u32 seclen;
6781 int ret;
6782
6783 if (cp) {
6784 cp->id = LSM_ID_SELINUX;
6785 ret = security_sid_to_context(secid, &cp->context, &cp->len);
6786 if (ret < 0)
6787 return ret;
6788 return cp->len;
6789 }
6790 ret = security_sid_to_context(secid, NULL, &seclen);
6791 if (ret < 0)
6792 return ret;
6793 return seclen;
6794 }
6795
selinux_lsmprop_to_secctx(struct lsm_prop * prop,struct lsm_context * cp)6796 static int selinux_lsmprop_to_secctx(struct lsm_prop *prop,
6797 struct lsm_context *cp)
6798 {
6799 return selinux_secid_to_secctx(prop->selinux.secid, cp);
6800 }
6801
selinux_secctx_to_secid(const char * secdata,u32 seclen,u32 * secid)6802 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
6803 {
6804 return security_context_to_sid(secdata, seclen,
6805 secid, GFP_KERNEL);
6806 }
6807
selinux_release_secctx(struct lsm_context * cp)6808 static void selinux_release_secctx(struct lsm_context *cp)
6809 {
6810 if (cp->id == LSM_ID_SELINUX) {
6811 kfree(cp->context);
6812 cp->context = NULL;
6813 cp->id = LSM_ID_UNDEF;
6814 }
6815 }
6816
selinux_inode_invalidate_secctx(struct inode * inode)6817 static void selinux_inode_invalidate_secctx(struct inode *inode)
6818 {
6819 struct inode_security_struct *isec = selinux_inode(inode);
6820
6821 spin_lock(&isec->lock);
6822 isec->initialized = LABEL_INVALID;
6823 spin_unlock(&isec->lock);
6824 }
6825
6826 /*
6827 * called with inode->i_mutex locked
6828 */
selinux_inode_notifysecctx(struct inode * inode,void * ctx,u32 ctxlen)6829 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
6830 {
6831 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
6832 ctx, ctxlen, 0);
6833 /* Do not return error when suppressing label (SBLABEL_MNT not set). */
6834 return rc == -EOPNOTSUPP ? 0 : rc;
6835 }
6836
6837 /*
6838 * called with inode->i_mutex locked
6839 */
selinux_inode_setsecctx(struct dentry * dentry,void * ctx,u32 ctxlen)6840 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
6841 {
6842 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
6843 ctx, ctxlen, 0, NULL);
6844 }
6845
selinux_inode_getsecctx(struct inode * inode,struct lsm_context * cp)6846 static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp)
6847 {
6848 int len;
6849 len = selinux_inode_getsecurity(&nop_mnt_idmap, inode,
6850 XATTR_SELINUX_SUFFIX,
6851 (void **)&cp->context, true);
6852 if (len < 0)
6853 return len;
6854 cp->len = len;
6855 cp->id = LSM_ID_SELINUX;
6856 return 0;
6857 }
6858 #ifdef CONFIG_KEYS
6859
selinux_key_alloc(struct key * k,const struct cred * cred,unsigned long flags)6860 static int selinux_key_alloc(struct key *k, const struct cred *cred,
6861 unsigned long flags)
6862 {
6863 const struct task_security_struct *tsec;
6864 struct key_security_struct *ksec = selinux_key(k);
6865
6866 tsec = selinux_cred(cred);
6867 if (tsec->keycreate_sid)
6868 ksec->sid = tsec->keycreate_sid;
6869 else
6870 ksec->sid = tsec->sid;
6871
6872 return 0;
6873 }
6874
selinux_key_permission(key_ref_t key_ref,const struct cred * cred,enum key_need_perm need_perm)6875 static int selinux_key_permission(key_ref_t key_ref,
6876 const struct cred *cred,
6877 enum key_need_perm need_perm)
6878 {
6879 struct key *key;
6880 struct key_security_struct *ksec;
6881 u32 perm, sid;
6882
6883 switch (need_perm) {
6884 case KEY_NEED_VIEW:
6885 perm = KEY__VIEW;
6886 break;
6887 case KEY_NEED_READ:
6888 perm = KEY__READ;
6889 break;
6890 case KEY_NEED_WRITE:
6891 perm = KEY__WRITE;
6892 break;
6893 case KEY_NEED_SEARCH:
6894 perm = KEY__SEARCH;
6895 break;
6896 case KEY_NEED_LINK:
6897 perm = KEY__LINK;
6898 break;
6899 case KEY_NEED_SETATTR:
6900 perm = KEY__SETATTR;
6901 break;
6902 case KEY_NEED_UNLINK:
6903 case KEY_SYSADMIN_OVERRIDE:
6904 case KEY_AUTHTOKEN_OVERRIDE:
6905 case KEY_DEFER_PERM_CHECK:
6906 return 0;
6907 default:
6908 WARN_ON(1);
6909 return -EPERM;
6910
6911 }
6912
6913 sid = cred_sid(cred);
6914 key = key_ref_to_ptr(key_ref);
6915 ksec = selinux_key(key);
6916
6917 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
6918 }
6919
selinux_key_getsecurity(struct key * key,char ** _buffer)6920 static int selinux_key_getsecurity(struct key *key, char **_buffer)
6921 {
6922 struct key_security_struct *ksec = selinux_key(key);
6923 char *context = NULL;
6924 unsigned len;
6925 int rc;
6926
6927 rc = security_sid_to_context(ksec->sid,
6928 &context, &len);
6929 if (!rc)
6930 rc = len;
6931 *_buffer = context;
6932 return rc;
6933 }
6934
6935 #ifdef CONFIG_KEY_NOTIFICATIONS
selinux_watch_key(struct key * key)6936 static int selinux_watch_key(struct key *key)
6937 {
6938 struct key_security_struct *ksec = selinux_key(key);
6939 u32 sid = current_sid();
6940
6941 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
6942 }
6943 #endif
6944 #endif
6945
6946 #ifdef CONFIG_SECURITY_INFINIBAND
selinux_ib_pkey_access(void * ib_sec,u64 subnet_prefix,u16 pkey_val)6947 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6948 {
6949 struct common_audit_data ad;
6950 int err;
6951 u32 sid = 0;
6952 struct ib_security_struct *sec = ib_sec;
6953 struct lsm_ibpkey_audit ibpkey;
6954
6955 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
6956 if (err)
6957 return err;
6958
6959 ad.type = LSM_AUDIT_DATA_IBPKEY;
6960 ibpkey.subnet_prefix = subnet_prefix;
6961 ibpkey.pkey = pkey_val;
6962 ad.u.ibpkey = &ibpkey;
6963 return avc_has_perm(sec->sid, sid,
6964 SECCLASS_INFINIBAND_PKEY,
6965 INFINIBAND_PKEY__ACCESS, &ad);
6966 }
6967
selinux_ib_endport_manage_subnet(void * ib_sec,const char * dev_name,u8 port_num)6968 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
6969 u8 port_num)
6970 {
6971 struct common_audit_data ad;
6972 int err;
6973 u32 sid = 0;
6974 struct ib_security_struct *sec = ib_sec;
6975 struct lsm_ibendport_audit ibendport;
6976
6977 err = security_ib_endport_sid(dev_name, port_num,
6978 &sid);
6979
6980 if (err)
6981 return err;
6982
6983 ad.type = LSM_AUDIT_DATA_IBENDPORT;
6984 ibendport.dev_name = dev_name;
6985 ibendport.port = port_num;
6986 ad.u.ibendport = &ibendport;
6987 return avc_has_perm(sec->sid, sid,
6988 SECCLASS_INFINIBAND_ENDPORT,
6989 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
6990 }
6991
selinux_ib_alloc_security(void * ib_sec)6992 static int selinux_ib_alloc_security(void *ib_sec)
6993 {
6994 struct ib_security_struct *sec = selinux_ib(ib_sec);
6995
6996 sec->sid = current_sid();
6997 return 0;
6998 }
6999 #endif
7000
7001 #ifdef CONFIG_BPF_SYSCALL
selinux_bpf(int cmd,union bpf_attr * attr,unsigned int size,bool kernel)7002 static int selinux_bpf(int cmd, union bpf_attr *attr,
7003 unsigned int size, bool kernel)
7004 {
7005 u32 sid = current_sid();
7006 int ret;
7007
7008 switch (cmd) {
7009 case BPF_MAP_CREATE:
7010 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE,
7011 NULL);
7012 break;
7013 case BPF_PROG_LOAD:
7014 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD,
7015 NULL);
7016 break;
7017 default:
7018 ret = 0;
7019 break;
7020 }
7021
7022 return ret;
7023 }
7024
bpf_map_fmode_to_av(fmode_t fmode)7025 static u32 bpf_map_fmode_to_av(fmode_t fmode)
7026 {
7027 u32 av = 0;
7028
7029 if (fmode & FMODE_READ)
7030 av |= BPF__MAP_READ;
7031 if (fmode & FMODE_WRITE)
7032 av |= BPF__MAP_WRITE;
7033 return av;
7034 }
7035
7036 /* This function will check the file pass through unix socket or binder to see
7037 * if it is a bpf related object. And apply corresponding checks on the bpf
7038 * object based on the type. The bpf maps and programs, not like other files and
7039 * socket, are using a shared anonymous inode inside the kernel as their inode.
7040 * So checking that inode cannot identify if the process have privilege to
7041 * access the bpf object and that's why we have to add this additional check in
7042 * selinux_file_receive and selinux_binder_transfer_files.
7043 */
bpf_fd_pass(const struct file * file,u32 sid)7044 static int bpf_fd_pass(const struct file *file, u32 sid)
7045 {
7046 struct bpf_security_struct *bpfsec;
7047 struct bpf_prog *prog;
7048 struct bpf_map *map;
7049 int ret;
7050
7051 if (file->f_op == &bpf_map_fops) {
7052 map = file->private_data;
7053 bpfsec = map->security;
7054 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7055 bpf_map_fmode_to_av(file->f_mode), NULL);
7056 if (ret)
7057 return ret;
7058 } else if (file->f_op == &bpf_prog_fops) {
7059 prog = file->private_data;
7060 bpfsec = prog->aux->security;
7061 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7062 BPF__PROG_RUN, NULL);
7063 if (ret)
7064 return ret;
7065 }
7066 return 0;
7067 }
7068
selinux_bpf_map(struct bpf_map * map,fmode_t fmode)7069 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
7070 {
7071 u32 sid = current_sid();
7072 struct bpf_security_struct *bpfsec;
7073
7074 bpfsec = map->security;
7075 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7076 bpf_map_fmode_to_av(fmode), NULL);
7077 }
7078
selinux_bpf_prog(struct bpf_prog * prog)7079 static int selinux_bpf_prog(struct bpf_prog *prog)
7080 {
7081 u32 sid = current_sid();
7082 struct bpf_security_struct *bpfsec;
7083
7084 bpfsec = prog->aux->security;
7085 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
7086 BPF__PROG_RUN, NULL);
7087 }
7088
selinux_bpf_map_create(struct bpf_map * map,union bpf_attr * attr,struct bpf_token * token,bool kernel)7089 static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
7090 struct bpf_token *token, bool kernel)
7091 {
7092 struct bpf_security_struct *bpfsec;
7093
7094 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
7095 if (!bpfsec)
7096 return -ENOMEM;
7097
7098 bpfsec->sid = current_sid();
7099 map->security = bpfsec;
7100
7101 return 0;
7102 }
7103
selinux_bpf_map_free(struct bpf_map * map)7104 static void selinux_bpf_map_free(struct bpf_map *map)
7105 {
7106 struct bpf_security_struct *bpfsec = map->security;
7107
7108 map->security = NULL;
7109 kfree(bpfsec);
7110 }
7111
selinux_bpf_prog_load(struct bpf_prog * prog,union bpf_attr * attr,struct bpf_token * token,bool kernel)7112 static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
7113 struct bpf_token *token, bool kernel)
7114 {
7115 struct bpf_security_struct *bpfsec;
7116
7117 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
7118 if (!bpfsec)
7119 return -ENOMEM;
7120
7121 bpfsec->sid = current_sid();
7122 prog->aux->security = bpfsec;
7123
7124 return 0;
7125 }
7126
selinux_bpf_prog_free(struct bpf_prog * prog)7127 static void selinux_bpf_prog_free(struct bpf_prog *prog)
7128 {
7129 struct bpf_security_struct *bpfsec = prog->aux->security;
7130
7131 prog->aux->security = NULL;
7132 kfree(bpfsec);
7133 }
7134
selinux_bpf_token_create(struct bpf_token * token,union bpf_attr * attr,const struct path * path)7135 static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
7136 const struct path *path)
7137 {
7138 struct bpf_security_struct *bpfsec;
7139
7140 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
7141 if (!bpfsec)
7142 return -ENOMEM;
7143
7144 bpfsec->sid = current_sid();
7145 token->security = bpfsec;
7146
7147 return 0;
7148 }
7149
selinux_bpf_token_free(struct bpf_token * token)7150 static void selinux_bpf_token_free(struct bpf_token *token)
7151 {
7152 struct bpf_security_struct *bpfsec = token->security;
7153
7154 token->security = NULL;
7155 kfree(bpfsec);
7156 }
7157 #endif
7158
7159 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
7160 .lbs_cred = sizeof(struct task_security_struct),
7161 .lbs_file = sizeof(struct file_security_struct),
7162 .lbs_inode = sizeof(struct inode_security_struct),
7163 .lbs_ipc = sizeof(struct ipc_security_struct),
7164 .lbs_key = sizeof(struct key_security_struct),
7165 .lbs_msg_msg = sizeof(struct msg_security_struct),
7166 #ifdef CONFIG_PERF_EVENTS
7167 .lbs_perf_event = sizeof(struct perf_event_security_struct),
7168 #endif
7169 .lbs_sock = sizeof(struct sk_security_struct),
7170 .lbs_superblock = sizeof(struct superblock_security_struct),
7171 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
7172 .lbs_tun_dev = sizeof(struct tun_security_struct),
7173 .lbs_ib = sizeof(struct ib_security_struct),
7174 };
7175
7176 #ifdef CONFIG_PERF_EVENTS
selinux_perf_event_open(int type)7177 static int selinux_perf_event_open(int type)
7178 {
7179 u32 requested, sid = current_sid();
7180
7181 if (type == PERF_SECURITY_OPEN)
7182 requested = PERF_EVENT__OPEN;
7183 else if (type == PERF_SECURITY_CPU)
7184 requested = PERF_EVENT__CPU;
7185 else if (type == PERF_SECURITY_KERNEL)
7186 requested = PERF_EVENT__KERNEL;
7187 else if (type == PERF_SECURITY_TRACEPOINT)
7188 requested = PERF_EVENT__TRACEPOINT;
7189 else
7190 return -EINVAL;
7191
7192 return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT,
7193 requested, NULL);
7194 }
7195
selinux_perf_event_alloc(struct perf_event * event)7196 static int selinux_perf_event_alloc(struct perf_event *event)
7197 {
7198 struct perf_event_security_struct *perfsec;
7199
7200 perfsec = selinux_perf_event(event->security);
7201 perfsec->sid = current_sid();
7202
7203 return 0;
7204 }
7205
selinux_perf_event_read(struct perf_event * event)7206 static int selinux_perf_event_read(struct perf_event *event)
7207 {
7208 struct perf_event_security_struct *perfsec = event->security;
7209 u32 sid = current_sid();
7210
7211 return avc_has_perm(sid, perfsec->sid,
7212 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL);
7213 }
7214
selinux_perf_event_write(struct perf_event * event)7215 static int selinux_perf_event_write(struct perf_event *event)
7216 {
7217 struct perf_event_security_struct *perfsec = event->security;
7218 u32 sid = current_sid();
7219
7220 return avc_has_perm(sid, perfsec->sid,
7221 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL);
7222 }
7223 #endif
7224
7225 #ifdef CONFIG_IO_URING
7226 /**
7227 * selinux_uring_override_creds - check the requested cred override
7228 * @new: the target creds
7229 *
7230 * Check to see if the current task is allowed to override it's credentials
7231 * to service an io_uring operation.
7232 */
selinux_uring_override_creds(const struct cred * new)7233 static int selinux_uring_override_creds(const struct cred *new)
7234 {
7235 return avc_has_perm(current_sid(), cred_sid(new),
7236 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL);
7237 }
7238
7239 /**
7240 * selinux_uring_sqpoll - check if a io_uring polling thread can be created
7241 *
7242 * Check to see if the current task is allowed to create a new io_uring
7243 * kernel polling thread.
7244 */
selinux_uring_sqpoll(void)7245 static int selinux_uring_sqpoll(void)
7246 {
7247 u32 sid = current_sid();
7248
7249 return avc_has_perm(sid, sid,
7250 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL);
7251 }
7252
7253 /**
7254 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed
7255 * @ioucmd: the io_uring command structure
7256 *
7257 * Check to see if the current domain is allowed to execute an
7258 * IORING_OP_URING_CMD against the device/file specified in @ioucmd.
7259 *
7260 */
selinux_uring_cmd(struct io_uring_cmd * ioucmd)7261 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
7262 {
7263 struct file *file = ioucmd->file;
7264 struct inode *inode = file_inode(file);
7265 struct inode_security_struct *isec = selinux_inode(inode);
7266 struct common_audit_data ad;
7267
7268 ad.type = LSM_AUDIT_DATA_FILE;
7269 ad.u.file = file;
7270
7271 return avc_has_perm(current_sid(), isec->sid,
7272 SECCLASS_IO_URING, IO_URING__CMD, &ad);
7273 }
7274
7275 /**
7276 * selinux_uring_allowed - check if io_uring_setup() can be called
7277 *
7278 * Check to see if the current task is allowed to call io_uring_setup().
7279 */
selinux_uring_allowed(void)7280 static int selinux_uring_allowed(void)
7281 {
7282 u32 sid = current_sid();
7283
7284 return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED,
7285 NULL);
7286 }
7287 #endif /* CONFIG_IO_URING */
7288
7289 static const struct lsm_id selinux_lsmid = {
7290 .name = "selinux",
7291 .id = LSM_ID_SELINUX,
7292 };
7293
7294 /*
7295 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
7296 * 1. any hooks that don't belong to (2.) or (3.) below,
7297 * 2. hooks that both access structures allocated by other hooks, and allocate
7298 * structures that can be later accessed by other hooks (mostly "cloning"
7299 * hooks),
7300 * 3. hooks that only allocate structures that can be later accessed by other
7301 * hooks ("allocating" hooks).
7302 *
7303 * Please follow block comment delimiters in the list to keep this order.
7304 */
7305 static struct security_hook_list selinux_hooks[] __ro_after_init = {
7306 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
7307 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
7308 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
7309 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
7310
7311 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
7312 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
7313 LSM_HOOK_INIT(capget, selinux_capget),
7314 LSM_HOOK_INIT(capset, selinux_capset),
7315 LSM_HOOK_INIT(capable, selinux_capable),
7316 LSM_HOOK_INIT(quotactl, selinux_quotactl),
7317 LSM_HOOK_INIT(quota_on, selinux_quota_on),
7318 LSM_HOOK_INIT(syslog, selinux_syslog),
7319 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory),
7320
7321 LSM_HOOK_INIT(netlink_send, selinux_netlink_send),
7322
7323 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec),
7324 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
7325 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
7326
7327 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts),
7328 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat),
7329 LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
7330 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
7331 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options),
7332 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs),
7333 LSM_HOOK_INIT(sb_mount, selinux_mount),
7334 LSM_HOOK_INIT(sb_umount, selinux_umount),
7335 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts),
7336 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts),
7337
7338 LSM_HOOK_INIT(move_mount, selinux_move_mount),
7339
7340 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
7341 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
7342
7343 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
7344 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security),
7345 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon),
7346 LSM_HOOK_INIT(inode_create, selinux_inode_create),
7347 LSM_HOOK_INIT(inode_link, selinux_inode_link),
7348 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink),
7349 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink),
7350 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir),
7351 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir),
7352 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod),
7353 LSM_HOOK_INIT(inode_rename, selinux_inode_rename),
7354 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink),
7355 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link),
7356 LSM_HOOK_INIT(inode_permission, selinux_inode_permission),
7357 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr),
7358 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr),
7359 LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap),
7360 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr),
7361 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr),
7362 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
7363 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
7364 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
7365 LSM_HOOK_INIT(inode_file_getattr, selinux_inode_file_getattr),
7366 LSM_HOOK_INIT(inode_file_setattr, selinux_inode_file_setattr),
7367 LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
7368 LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
7369 LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
7370 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
7371 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
7372 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
7373 LSM_HOOK_INIT(inode_getlsmprop, selinux_inode_getlsmprop),
7374 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
7375 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
7376 LSM_HOOK_INIT(path_notify, selinux_path_notify),
7377
7378 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security),
7379
7380 LSM_HOOK_INIT(file_permission, selinux_file_permission),
7381 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
7382 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
7383 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat),
7384 LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
7385 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
7386 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect),
7387 LSM_HOOK_INIT(file_lock, selinux_file_lock),
7388 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl),
7389 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner),
7390 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask),
7391 LSM_HOOK_INIT(file_receive, selinux_file_receive),
7392
7393 LSM_HOOK_INIT(file_open, selinux_file_open),
7394
7395 LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
7396 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
7397 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
7398 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
7399 LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop),
7400 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
7401 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
7402 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
7403 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data),
7404 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file),
7405 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
7406 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
7407 LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
7408 LSM_HOOK_INIT(current_getlsmprop_subj, selinux_current_getlsmprop_subj),
7409 LSM_HOOK_INIT(task_getlsmprop_obj, selinux_task_getlsmprop_obj),
7410 LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
7411 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
7412 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
7413 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
7414 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
7415 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
7416 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
7417 LSM_HOOK_INIT(task_movememory, selinux_task_movememory),
7418 LSM_HOOK_INIT(task_kill, selinux_task_kill),
7419 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode),
7420 LSM_HOOK_INIT(userns_create, selinux_userns_create),
7421
7422 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
7423 LSM_HOOK_INIT(ipc_getlsmprop, selinux_ipc_getlsmprop),
7424
7425 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
7426 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
7427 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
7428 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
7429
7430 LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
7431 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
7432 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
7433
7434 LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
7435 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
7436 LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
7437
7438 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate),
7439
7440 LSM_HOOK_INIT(getselfattr, selinux_getselfattr),
7441 LSM_HOOK_INIT(setselfattr, selinux_setselfattr),
7442 LSM_HOOK_INIT(getprocattr, selinux_getprocattr),
7443 LSM_HOOK_INIT(setprocattr, selinux_setprocattr),
7444
7445 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
7446 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
7447 LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
7448 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
7449 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
7450 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
7451
7452 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
7453 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
7454
7455 LSM_HOOK_INIT(socket_create, selinux_socket_create),
7456 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create),
7457 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair),
7458 LSM_HOOK_INIT(socket_bind, selinux_socket_bind),
7459 LSM_HOOK_INIT(socket_connect, selinux_socket_connect),
7460 LSM_HOOK_INIT(socket_listen, selinux_socket_listen),
7461 LSM_HOOK_INIT(socket_accept, selinux_socket_accept),
7462 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg),
7463 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg),
7464 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname),
7465 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername),
7466 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt),
7467 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt),
7468 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown),
7469 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb),
7470 LSM_HOOK_INIT(socket_getpeersec_stream,
7471 selinux_socket_getpeersec_stream),
7472 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram),
7473 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security),
7474 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
7475 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
7476 LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
7477 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
7478 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
7479 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
7480 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established),
7481 LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow),
7482 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
7483 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
7484 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
7485 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet),
7486 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
7487 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
7488 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
7489 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
7490 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
7491 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
7492 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
7493 #ifdef CONFIG_SECURITY_INFINIBAND
7494 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
7495 LSM_HOOK_INIT(ib_endport_manage_subnet,
7496 selinux_ib_endport_manage_subnet),
7497 #endif
7498 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7499 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free),
7500 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete),
7501 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free),
7502 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete),
7503 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup),
7504 LSM_HOOK_INIT(xfrm_state_pol_flow_match,
7505 selinux_xfrm_state_pol_flow_match),
7506 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session),
7507 #endif
7508
7509 #ifdef CONFIG_KEYS
7510 LSM_HOOK_INIT(key_permission, selinux_key_permission),
7511 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
7512 #ifdef CONFIG_KEY_NOTIFICATIONS
7513 LSM_HOOK_INIT(watch_key, selinux_watch_key),
7514 #endif
7515 #endif
7516
7517 #ifdef CONFIG_AUDIT
7518 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known),
7519 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
7520 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
7521 #endif
7522
7523 #ifdef CONFIG_BPF_SYSCALL
7524 LSM_HOOK_INIT(bpf, selinux_bpf),
7525 LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
7526 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
7527 LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
7528 LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
7529 LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
7530 #endif
7531
7532 #ifdef CONFIG_PERF_EVENTS
7533 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open),
7534 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read),
7535 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write),
7536 #endif
7537
7538 #ifdef CONFIG_IO_URING
7539 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
7540 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
7541 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
7542 LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed),
7543 #endif
7544
7545 /*
7546 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE
7547 */
7548 LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount),
7549 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup),
7550 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param),
7551 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts),
7552 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7553 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
7554 #endif
7555
7556 /*
7557 * PUT "ALLOCATING" HOOKS HERE
7558 */
7559 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
7560 LSM_HOOK_INIT(msg_queue_alloc_security,
7561 selinux_msg_queue_alloc_security),
7562 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
7563 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
7564 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
7565 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
7566 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
7567 LSM_HOOK_INIT(lsmprop_to_secctx, selinux_lsmprop_to_secctx),
7568 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
7569 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
7570 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
7571 #ifdef CONFIG_SECURITY_INFINIBAND
7572 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
7573 #endif
7574 #ifdef CONFIG_SECURITY_NETWORK_XFRM
7575 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
7576 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc),
7577 LSM_HOOK_INIT(xfrm_state_alloc_acquire,
7578 selinux_xfrm_state_alloc_acquire),
7579 #endif
7580 #ifdef CONFIG_KEYS
7581 LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
7582 #endif
7583 #ifdef CONFIG_AUDIT
7584 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init),
7585 #endif
7586 #ifdef CONFIG_BPF_SYSCALL
7587 LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create),
7588 LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load),
7589 LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create),
7590 #endif
7591 #ifdef CONFIG_PERF_EVENTS
7592 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
7593 #endif
7594 };
7595
selinux_init(void)7596 static __init int selinux_init(void)
7597 {
7598 pr_info("SELinux: Initializing.\n");
7599
7600 memset(&selinux_state, 0, sizeof(selinux_state));
7601 enforcing_set(selinux_enforcing_boot);
7602 selinux_avc_init();
7603 mutex_init(&selinux_state.status_lock);
7604 mutex_init(&selinux_state.policy_mutex);
7605
7606 /* Set the security state for the initial task. */
7607 cred_init_security();
7608
7609 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
7610 if (!default_noexec)
7611 pr_notice("SELinux: virtual memory is executable by default\n");
7612
7613 avc_init();
7614
7615 avtab_cache_init();
7616
7617 ebitmap_cache_init();
7618
7619 hashtab_cache_init();
7620
7621 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks),
7622 &selinux_lsmid);
7623
7624 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
7625 panic("SELinux: Unable to register AVC netcache callback\n");
7626
7627 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))
7628 panic("SELinux: Unable to register AVC LSM notifier callback\n");
7629
7630 if (selinux_enforcing_boot)
7631 pr_debug("SELinux: Starting in enforcing mode\n");
7632 else
7633 pr_debug("SELinux: Starting in permissive mode\n");
7634
7635 fs_validate_description("selinux", selinux_fs_parameters);
7636
7637 return 0;
7638 }
7639
delayed_superblock_init(struct super_block * sb,void * unused)7640 static void delayed_superblock_init(struct super_block *sb, void *unused)
7641 {
7642 selinux_set_mnt_opts(sb, NULL, 0, NULL);
7643 }
7644
selinux_complete_init(void)7645 void selinux_complete_init(void)
7646 {
7647 pr_debug("SELinux: Completing initialization.\n");
7648
7649 /* Set up any superblocks initialized prior to the policy load. */
7650 pr_debug("SELinux: Setting up existing superblocks.\n");
7651 iterate_supers(delayed_superblock_init, NULL);
7652 }
7653
7654 /* SELinux requires early initialization in order to label
7655 all processes and objects when they are created. */
7656 DEFINE_LSM(selinux) = {
7657 .name = "selinux",
7658 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
7659 .enabled = &selinux_enabled_boot,
7660 .blobs = &selinux_blob_sizes,
7661 .init = selinux_init,
7662 };
7663
7664 #if defined(CONFIG_NETFILTER)
7665 static const struct nf_hook_ops selinux_nf_ops[] = {
7666 {
7667 .hook = selinux_ip_postroute,
7668 .pf = NFPROTO_IPV4,
7669 .hooknum = NF_INET_POST_ROUTING,
7670 .priority = NF_IP_PRI_SELINUX_LAST,
7671 },
7672 {
7673 .hook = selinux_ip_forward,
7674 .pf = NFPROTO_IPV4,
7675 .hooknum = NF_INET_FORWARD,
7676 .priority = NF_IP_PRI_SELINUX_FIRST,
7677 },
7678 {
7679 .hook = selinux_ip_output,
7680 .pf = NFPROTO_IPV4,
7681 .hooknum = NF_INET_LOCAL_OUT,
7682 .priority = NF_IP_PRI_SELINUX_FIRST,
7683 },
7684 #if IS_ENABLED(CONFIG_IPV6)
7685 {
7686 .hook = selinux_ip_postroute,
7687 .pf = NFPROTO_IPV6,
7688 .hooknum = NF_INET_POST_ROUTING,
7689 .priority = NF_IP6_PRI_SELINUX_LAST,
7690 },
7691 {
7692 .hook = selinux_ip_forward,
7693 .pf = NFPROTO_IPV6,
7694 .hooknum = NF_INET_FORWARD,
7695 .priority = NF_IP6_PRI_SELINUX_FIRST,
7696 },
7697 {
7698 .hook = selinux_ip_output,
7699 .pf = NFPROTO_IPV6,
7700 .hooknum = NF_INET_LOCAL_OUT,
7701 .priority = NF_IP6_PRI_SELINUX_FIRST,
7702 },
7703 #endif /* IPV6 */
7704 };
7705
selinux_nf_register(struct net * net)7706 static int __net_init selinux_nf_register(struct net *net)
7707 {
7708 return nf_register_net_hooks(net, selinux_nf_ops,
7709 ARRAY_SIZE(selinux_nf_ops));
7710 }
7711
selinux_nf_unregister(struct net * net)7712 static void __net_exit selinux_nf_unregister(struct net *net)
7713 {
7714 nf_unregister_net_hooks(net, selinux_nf_ops,
7715 ARRAY_SIZE(selinux_nf_ops));
7716 }
7717
7718 static struct pernet_operations selinux_net_ops = {
7719 .init = selinux_nf_register,
7720 .exit = selinux_nf_unregister,
7721 };
7722
selinux_nf_ip_init(void)7723 static int __init selinux_nf_ip_init(void)
7724 {
7725 int err;
7726
7727 if (!selinux_enabled_boot)
7728 return 0;
7729
7730 pr_debug("SELinux: Registering netfilter hooks\n");
7731
7732 err = register_pernet_subsys(&selinux_net_ops);
7733 if (err)
7734 panic("SELinux: register_pernet_subsys: error %d\n", err);
7735
7736 return 0;
7737 }
7738 __initcall(selinux_nf_ip_init);
7739 #endif /* CONFIG_NETFILTER */
7740