1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/kernel_read_file.h> 28 #include <linux/errno.h> 29 #include <linux/sched/signal.h> 30 #include <linux/sched/task.h> 31 #include <linux/lsm_hooks.h> 32 #include <linux/xattr.h> 33 #include <linux/capability.h> 34 #include <linux/unistd.h> 35 #include <linux/mm.h> 36 #include <linux/mman.h> 37 #include <linux/slab.h> 38 #include <linux/pagemap.h> 39 #include <linux/proc_fs.h> 40 #include <linux/swap.h> 41 #include <linux/spinlock.h> 42 #include <linux/syscalls.h> 43 #include <linux/dcache.h> 44 #include <linux/file.h> 45 #include <linux/fdtable.h> 46 #include <linux/namei.h> 47 #include <linux/mount.h> 48 #include <linux/fs_context.h> 49 #include <linux/fs_parser.h> 50 #include <linux/netfilter_ipv4.h> 51 #include <linux/netfilter_ipv6.h> 52 #include <linux/tty.h> 53 #include <net/icmp.h> 54 #include <net/ip.h> /* for local_port_range[] */ 55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 56 #include <net/inet_connection_sock.h> 57 #include <net/net_namespace.h> 58 #include <net/netlabel.h> 59 #include <linux/uaccess.h> 60 #include <asm/ioctls.h> 61 #include <linux/atomic.h> 62 #include <linux/bitops.h> 63 #include <linux/interrupt.h> 64 #include <linux/netdevice.h> /* for network interface checks */ 65 #include <net/netlink.h> 66 #include <linux/tcp.h> 67 #include <linux/udp.h> 68 #include <linux/sctp.h> 69 #include <net/sctp/structs.h> 70 #include <linux/quota.h> 71 #include <linux/un.h> /* for Unix socket types */ 72 #include <net/af_unix.h> /* for Unix socket types */ 73 #include <linux/parser.h> 74 #include <linux/nfs_mount.h> 75 #include <net/ipv6.h> 76 #include <linux/hugetlb.h> 77 #include <linux/personality.h> 78 #include <linux/audit.h> 79 #include <linux/string.h> 80 #include <linux/mutex.h> 81 #include <linux/posix-timers.h> 82 #include <linux/syslog.h> 83 #include <linux/user_namespace.h> 84 #include <linux/export.h> 85 #include <linux/msg.h> 86 #include <linux/shm.h> 87 #include <uapi/linux/shm.h> 88 #include <linux/bpf.h> 89 #include <linux/kernfs.h> 90 #include <linux/stringhash.h> /* for hashlen_string() */ 91 #include <uapi/linux/mount.h> 92 #include <linux/fsnotify.h> 93 #include <linux/fanotify.h> 94 #include <linux/io_uring/cmd.h> 95 #include <uapi/linux/lsm.h> 96 97 #include "avc.h" 98 #include "objsec.h" 99 #include "netif.h" 100 #include "netnode.h" 101 #include "netport.h" 102 #include "ibpkey.h" 103 #include "xfrm.h" 104 #include "netlabel.h" 105 #include "audit.h" 106 #include "avc_ss.h" 107 108 #define SELINUX_INODE_INIT_XATTRS 1 109 110 struct selinux_state selinux_state; 111 112 /* SECMARK reference count */ 113 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 114 115 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 116 static int selinux_enforcing_boot __initdata; 117 118 static int __init enforcing_setup(char *str) 119 { 120 unsigned long enforcing; 121 if (!kstrtoul(str, 0, &enforcing)) 122 selinux_enforcing_boot = enforcing ? 1 : 0; 123 return 1; 124 } 125 __setup("enforcing=", enforcing_setup); 126 #else 127 #define selinux_enforcing_boot 1 128 #endif 129 130 int selinux_enabled_boot __initdata = 1; 131 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 132 static int __init selinux_enabled_setup(char *str) 133 { 134 unsigned long enabled; 135 if (!kstrtoul(str, 0, &enabled)) 136 selinux_enabled_boot = enabled ? 1 : 0; 137 return 1; 138 } 139 __setup("selinux=", selinux_enabled_setup); 140 #endif 141 142 static int __init checkreqprot_setup(char *str) 143 { 144 unsigned long checkreqprot; 145 146 if (!kstrtoul(str, 0, &checkreqprot)) { 147 if (checkreqprot) 148 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n"); 149 } 150 return 1; 151 } 152 __setup("checkreqprot=", checkreqprot_setup); 153 154 /** 155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 156 * 157 * Description: 158 * This function checks the SECMARK reference counter to see if any SECMARK 159 * targets are currently configured, if the reference counter is greater than 160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network 162 * policy capability is enabled, SECMARK is always considered enabled. 163 * 164 */ 165 static int selinux_secmark_enabled(void) 166 { 167 return (selinux_policycap_alwaysnetwork() || 168 atomic_read(&selinux_secmark_refcount)); 169 } 170 171 /** 172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 173 * 174 * Description: 175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 176 * (1) if any are enabled or false (0) if neither are enabled. If the 177 * always_check_network policy capability is enabled, peer labeling 178 * is always considered enabled. 179 * 180 */ 181 static int selinux_peerlbl_enabled(void) 182 { 183 return (selinux_policycap_alwaysnetwork() || 184 netlbl_enabled() || selinux_xfrm_enabled()); 185 } 186 187 static int selinux_netcache_avc_callback(u32 event) 188 { 189 if (event == AVC_CALLBACK_RESET) { 190 sel_netif_flush(); 191 sel_netnode_flush(); 192 sel_netport_flush(); 193 synchronize_net(); 194 } 195 return 0; 196 } 197 198 static int selinux_lsm_notifier_avc_callback(u32 event) 199 { 200 if (event == AVC_CALLBACK_RESET) { 201 sel_ib_pkey_flush(); 202 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 203 } 204 205 return 0; 206 } 207 208 /* 209 * initialise the security for the init task 210 */ 211 static void cred_init_security(void) 212 { 213 struct cred_security_struct *crsec; 214 215 /* NOTE: the lsm framework zeros out the buffer on allocation */ 216 217 crsec = selinux_cred(unrcu_pointer(current->real_cred)); 218 crsec->osid = crsec->sid = SECINITSID_KERNEL; 219 } 220 221 /* 222 * get the security ID of a set of credentials 223 */ 224 static inline u32 cred_sid(const struct cred *cred) 225 { 226 const struct cred_security_struct *crsec; 227 228 crsec = selinux_cred(cred); 229 return crsec->sid; 230 } 231 232 static void __ad_net_init(struct common_audit_data *ad, 233 struct lsm_network_audit *net, 234 int ifindex, struct sock *sk, u16 family) 235 { 236 ad->type = LSM_AUDIT_DATA_NET; 237 ad->u.net = net; 238 net->netif = ifindex; 239 net->sk = sk; 240 net->family = family; 241 } 242 243 static void ad_net_init_from_sk(struct common_audit_data *ad, 244 struct lsm_network_audit *net, 245 struct sock *sk) 246 { 247 __ad_net_init(ad, net, 0, sk, 0); 248 } 249 250 static void ad_net_init_from_iif(struct common_audit_data *ad, 251 struct lsm_network_audit *net, 252 int ifindex, u16 family) 253 { 254 __ad_net_init(ad, net, ifindex, NULL, family); 255 } 256 257 /* 258 * get the objective security ID of a task 259 */ 260 static inline u32 task_sid_obj(const struct task_struct *task) 261 { 262 u32 sid; 263 264 rcu_read_lock(); 265 sid = cred_sid(__task_cred(task)); 266 rcu_read_unlock(); 267 return sid; 268 } 269 270 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 271 272 /* 273 * Try reloading inode security labels that have been marked as invalid. The 274 * @may_sleep parameter indicates when sleeping and thus reloading labels is 275 * allowed; when set to false, returns -ECHILD when the label is 276 * invalid. The @dentry parameter should be set to a dentry of the inode. 277 */ 278 static int __inode_security_revalidate(struct inode *inode, 279 struct dentry *dentry, 280 bool may_sleep) 281 { 282 if (!selinux_initialized()) 283 return 0; 284 285 if (may_sleep) 286 might_sleep(); 287 else 288 return -ECHILD; 289 290 /* 291 * Check to ensure that an inode's SELinux state is valid and try 292 * reloading the inode security label if necessary. This will fail if 293 * @dentry is NULL and no dentry for this inode can be found; in that 294 * case, continue using the old label. 295 */ 296 inode_doinit_with_dentry(inode, dentry); 297 return 0; 298 } 299 300 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 301 { 302 return selinux_inode(inode); 303 } 304 305 static inline struct inode_security_struct *inode_security_rcu(struct inode *inode, 306 bool rcu) 307 { 308 int rc; 309 struct inode_security_struct *isec = selinux_inode(inode); 310 311 /* check below is racy, but revalidate will recheck with lock held */ 312 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 313 return isec; 314 rc = __inode_security_revalidate(inode, NULL, !rcu); 315 if (rc) 316 return ERR_PTR(rc); 317 return isec; 318 } 319 320 /* 321 * Get the security label of an inode. 322 */ 323 static inline struct inode_security_struct *inode_security(struct inode *inode) 324 { 325 struct inode_security_struct *isec = selinux_inode(inode); 326 327 /* check below is racy, but revalidate will recheck with lock held */ 328 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 329 return isec; 330 __inode_security_revalidate(inode, NULL, true); 331 return isec; 332 } 333 334 static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 335 { 336 return selinux_inode(d_backing_inode(dentry)); 337 } 338 339 /* 340 * Get the security label of a dentry's backing inode. 341 */ 342 static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry) 343 { 344 struct inode *inode = d_backing_inode(dentry); 345 struct inode_security_struct *isec = selinux_inode(inode); 346 347 /* check below is racy, but revalidate will recheck with lock held */ 348 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 349 return isec; 350 __inode_security_revalidate(inode, dentry, true); 351 return isec; 352 } 353 354 static void inode_free_security(struct inode *inode) 355 { 356 struct inode_security_struct *isec = selinux_inode(inode); 357 struct superblock_security_struct *sbsec; 358 359 if (!isec) 360 return; 361 sbsec = selinux_superblock(inode->i_sb); 362 /* 363 * As not all inode security structures are in a list, we check for 364 * empty list outside of the lock to make sure that we won't waste 365 * time taking a lock doing nothing. 366 * 367 * The list_del_init() function can be safely called more than once. 368 * It should not be possible for this function to be called with 369 * concurrent list_add(), but for better safety against future changes 370 * in the code, we use list_empty_careful() here. 371 */ 372 if (!list_empty_careful(&isec->list)) { 373 spin_lock(&sbsec->isec_lock); 374 list_del_init(&isec->list); 375 spin_unlock(&sbsec->isec_lock); 376 } 377 } 378 379 struct selinux_mnt_opts { 380 u32 fscontext_sid; 381 u32 context_sid; 382 u32 rootcontext_sid; 383 u32 defcontext_sid; 384 }; 385 386 static void selinux_free_mnt_opts(void *mnt_opts) 387 { 388 kfree(mnt_opts); 389 } 390 391 enum { 392 Opt_error = -1, 393 Opt_context = 0, 394 Opt_defcontext = 1, 395 Opt_fscontext = 2, 396 Opt_rootcontext = 3, 397 Opt_seclabel = 4, 398 }; 399 400 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 401 static const struct { 402 const char *name; 403 int len; 404 int opt; 405 bool has_arg; 406 } tokens[] = { 407 A(context, true), 408 A(fscontext, true), 409 A(defcontext, true), 410 A(rootcontext, true), 411 A(seclabel, false), 412 }; 413 #undef A 414 415 static int match_opt_prefix(char *s, int l, char **arg) 416 { 417 unsigned int i; 418 419 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 420 size_t len = tokens[i].len; 421 if (len > l || memcmp(s, tokens[i].name, len)) 422 continue; 423 if (tokens[i].has_arg) { 424 if (len == l || s[len] != '=') 425 continue; 426 *arg = s + len + 1; 427 } else if (len != l) 428 continue; 429 return tokens[i].opt; 430 } 431 return Opt_error; 432 } 433 434 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 435 436 static int may_context_mount_sb_relabel(u32 sid, 437 struct superblock_security_struct *sbsec, 438 const struct cred *cred) 439 { 440 const struct cred_security_struct *crsec = selinux_cred(cred); 441 int rc; 442 443 rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 444 FILESYSTEM__RELABELFROM, NULL); 445 if (rc) 446 return rc; 447 448 rc = avc_has_perm(crsec->sid, sid, SECCLASS_FILESYSTEM, 449 FILESYSTEM__RELABELTO, NULL); 450 return rc; 451 } 452 453 static int may_context_mount_inode_relabel(u32 sid, 454 struct superblock_security_struct *sbsec, 455 const struct cred *cred) 456 { 457 const struct cred_security_struct *crsec = selinux_cred(cred); 458 int rc; 459 rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 460 FILESYSTEM__RELABELFROM, NULL); 461 if (rc) 462 return rc; 463 464 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 465 FILESYSTEM__ASSOCIATE, NULL); 466 return rc; 467 } 468 469 static int selinux_is_genfs_special_handling(struct super_block *sb) 470 { 471 /* Special handling. Genfs but also in-core setxattr handler */ 472 return !strcmp(sb->s_type->name, "sysfs") || 473 !strcmp(sb->s_type->name, "pstore") || 474 !strcmp(sb->s_type->name, "debugfs") || 475 !strcmp(sb->s_type->name, "tracefs") || 476 !strcmp(sb->s_type->name, "rootfs") || 477 (selinux_policycap_cgroupseclabel() && 478 (!strcmp(sb->s_type->name, "cgroup") || 479 !strcmp(sb->s_type->name, "cgroup2"))) || 480 (selinux_policycap_functionfs_seclabel() && 481 !strcmp(sb->s_type->name, "functionfs")); 482 } 483 484 static int selinux_is_sblabel_mnt(struct super_block *sb) 485 { 486 struct superblock_security_struct *sbsec = selinux_superblock(sb); 487 488 /* 489 * IMPORTANT: Double-check logic in this function when adding a new 490 * SECURITY_FS_USE_* definition! 491 */ 492 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 493 494 switch (sbsec->behavior) { 495 case SECURITY_FS_USE_XATTR: 496 case SECURITY_FS_USE_TRANS: 497 case SECURITY_FS_USE_TASK: 498 case SECURITY_FS_USE_NATIVE: 499 return 1; 500 501 case SECURITY_FS_USE_GENFS: 502 return selinux_is_genfs_special_handling(sb); 503 504 /* Never allow relabeling on context mounts */ 505 case SECURITY_FS_USE_MNTPOINT: 506 case SECURITY_FS_USE_NONE: 507 default: 508 return 0; 509 } 510 } 511 512 static int sb_check_xattr_support(struct super_block *sb) 513 { 514 struct superblock_security_struct *sbsec = selinux_superblock(sb); 515 struct dentry *root = sb->s_root; 516 struct inode *root_inode = d_backing_inode(root); 517 u32 sid; 518 int rc; 519 520 /* 521 * Make sure that the xattr handler exists and that no 522 * error other than -ENODATA is returned by getxattr on 523 * the root directory. -ENODATA is ok, as this may be 524 * the first boot of the SELinux kernel before we have 525 * assigned xattr values to the filesystem. 526 */ 527 if (!(root_inode->i_opflags & IOP_XATTR)) { 528 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n", 529 sb->s_id, sb->s_type->name); 530 goto fallback; 531 } 532 533 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 534 if (rc < 0 && rc != -ENODATA) { 535 if (rc == -EOPNOTSUPP) { 536 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n", 537 sb->s_id, sb->s_type->name); 538 goto fallback; 539 } else { 540 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n", 541 sb->s_id, sb->s_type->name, -rc); 542 return rc; 543 } 544 } 545 return 0; 546 547 fallback: 548 /* No xattr support - try to fallback to genfs if possible. */ 549 rc = security_genfs_sid(sb->s_type->name, "/", 550 SECCLASS_DIR, &sid); 551 if (rc) 552 return -EOPNOTSUPP; 553 554 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n", 555 sb->s_id, sb->s_type->name); 556 sbsec->behavior = SECURITY_FS_USE_GENFS; 557 sbsec->sid = sid; 558 return 0; 559 } 560 561 static int sb_finish_set_opts(struct super_block *sb) 562 { 563 struct superblock_security_struct *sbsec = selinux_superblock(sb); 564 struct dentry *root = sb->s_root; 565 struct inode *root_inode = d_backing_inode(root); 566 int rc = 0; 567 568 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 569 rc = sb_check_xattr_support(sb); 570 if (rc) 571 return rc; 572 } 573 574 sbsec->flags |= SE_SBINITIALIZED; 575 576 /* 577 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 578 * leave the flag untouched because sb_clone_mnt_opts might be handing 579 * us a superblock that needs the flag to be cleared. 580 */ 581 if (selinux_is_sblabel_mnt(sb)) 582 sbsec->flags |= SBLABEL_MNT; 583 else 584 sbsec->flags &= ~SBLABEL_MNT; 585 586 /* Initialize the root inode. */ 587 rc = inode_doinit_with_dentry(root_inode, root); 588 589 /* Initialize any other inodes associated with the superblock, e.g. 590 inodes created prior to initial policy load or inodes created 591 during get_sb by a pseudo filesystem that directly 592 populates itself. */ 593 spin_lock(&sbsec->isec_lock); 594 while (!list_empty(&sbsec->isec_head)) { 595 struct inode_security_struct *isec = 596 list_first_entry(&sbsec->isec_head, 597 struct inode_security_struct, list); 598 struct inode *inode = isec->inode; 599 list_del_init(&isec->list); 600 spin_unlock(&sbsec->isec_lock); 601 inode = igrab(inode); 602 if (inode) { 603 if (!IS_PRIVATE(inode)) 604 inode_doinit_with_dentry(inode, NULL); 605 iput(inode); 606 } 607 spin_lock(&sbsec->isec_lock); 608 } 609 spin_unlock(&sbsec->isec_lock); 610 return rc; 611 } 612 613 static int bad_option(struct superblock_security_struct *sbsec, char flag, 614 u32 old_sid, u32 new_sid) 615 { 616 char mnt_flags = sbsec->flags & SE_MNTMASK; 617 618 /* check if the old mount command had the same options */ 619 if (sbsec->flags & SE_SBINITIALIZED) 620 if (!(sbsec->flags & flag) || 621 (old_sid != new_sid)) 622 return 1; 623 624 /* check if we were passed the same options twice, 625 * aka someone passed context=a,context=b 626 */ 627 if (!(sbsec->flags & SE_SBINITIALIZED)) 628 if (mnt_flags & flag) 629 return 1; 630 return 0; 631 } 632 633 /* 634 * Allow filesystems with binary mount data to explicitly set mount point 635 * labeling information. 636 */ 637 static int selinux_set_mnt_opts(struct super_block *sb, 638 void *mnt_opts, 639 unsigned long kern_flags, 640 unsigned long *set_kern_flags) 641 { 642 const struct cred *cred = current_cred(); 643 struct superblock_security_struct *sbsec = selinux_superblock(sb); 644 struct dentry *root = sb->s_root; 645 struct selinux_mnt_opts *opts = mnt_opts; 646 struct inode_security_struct *root_isec; 647 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 648 u32 defcontext_sid = 0; 649 int rc = 0; 650 651 /* 652 * Specifying internal flags without providing a place to 653 * place the results is not allowed 654 */ 655 if (kern_flags && !set_kern_flags) 656 return -EINVAL; 657 658 mutex_lock(&sbsec->lock); 659 660 if (!selinux_initialized()) { 661 if (!opts) { 662 /* Defer initialization until selinux_complete_init, 663 after the initial policy is loaded and the security 664 server is ready to handle calls. */ 665 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 666 sbsec->flags |= SE_SBNATIVE; 667 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 668 } 669 goto out; 670 } 671 rc = -EINVAL; 672 pr_warn("SELinux: Unable to set superblock options " 673 "before the security server is initialized\n"); 674 goto out; 675 } 676 677 /* 678 * Binary mount data FS will come through this function twice. Once 679 * from an explicit call and once from the generic calls from the vfs. 680 * Since the generic VFS calls will not contain any security mount data 681 * we need to skip the double mount verification. 682 * 683 * This does open a hole in which we will not notice if the first 684 * mount using this sb set explicit options and a second mount using 685 * this sb does not set any security options. (The first options 686 * will be used for both mounts) 687 */ 688 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 689 && !opts) 690 goto out; 691 692 root_isec = backing_inode_security_novalidate(root); 693 694 /* 695 * parse the mount options, check if they are valid sids. 696 * also check if someone is trying to mount the same sb more 697 * than once with different security options. 698 */ 699 if (opts) { 700 if (opts->fscontext_sid) { 701 fscontext_sid = opts->fscontext_sid; 702 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 703 fscontext_sid)) 704 goto out_double_mount; 705 sbsec->flags |= FSCONTEXT_MNT; 706 } 707 if (opts->context_sid) { 708 context_sid = opts->context_sid; 709 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 710 context_sid)) 711 goto out_double_mount; 712 sbsec->flags |= CONTEXT_MNT; 713 } 714 if (opts->rootcontext_sid) { 715 rootcontext_sid = opts->rootcontext_sid; 716 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 717 rootcontext_sid)) 718 goto out_double_mount; 719 sbsec->flags |= ROOTCONTEXT_MNT; 720 } 721 if (opts->defcontext_sid) { 722 defcontext_sid = opts->defcontext_sid; 723 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 724 defcontext_sid)) 725 goto out_double_mount; 726 sbsec->flags |= DEFCONTEXT_MNT; 727 } 728 } 729 730 if (sbsec->flags & SE_SBINITIALIZED) { 731 /* previously mounted with options, but not on this attempt? */ 732 if ((sbsec->flags & SE_MNTMASK) && !opts) 733 goto out_double_mount; 734 rc = 0; 735 goto out; 736 } 737 738 if (strcmp(sb->s_type->name, "proc") == 0) 739 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 740 741 if (!strcmp(sb->s_type->name, "debugfs") || 742 !strcmp(sb->s_type->name, "tracefs") || 743 !strcmp(sb->s_type->name, "binder") || 744 !strcmp(sb->s_type->name, "bpf") || 745 !strcmp(sb->s_type->name, "pstore") || 746 !strcmp(sb->s_type->name, "securityfs") || 747 (selinux_policycap_functionfs_seclabel() && 748 !strcmp(sb->s_type->name, "functionfs"))) 749 sbsec->flags |= SE_SBGENFS; 750 751 if (!strcmp(sb->s_type->name, "sysfs") || 752 !strcmp(sb->s_type->name, "cgroup") || 753 !strcmp(sb->s_type->name, "cgroup2")) 754 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 755 756 if (!sbsec->behavior) { 757 /* 758 * Determine the labeling behavior to use for this 759 * filesystem type. 760 */ 761 rc = security_fs_use(sb); 762 if (rc) { 763 pr_warn("%s: security_fs_use(%s) returned %d\n", 764 __func__, sb->s_type->name, rc); 765 goto out; 766 } 767 } 768 769 /* 770 * If this is a user namespace mount and the filesystem type is not 771 * explicitly whitelisted, then no contexts are allowed on the command 772 * line and security labels must be ignored. 773 */ 774 if (sb->s_user_ns != &init_user_ns && 775 strcmp(sb->s_type->name, "tmpfs") && 776 strcmp(sb->s_type->name, "ramfs") && 777 strcmp(sb->s_type->name, "devpts") && 778 strcmp(sb->s_type->name, "overlay")) { 779 if (context_sid || fscontext_sid || rootcontext_sid || 780 defcontext_sid) { 781 rc = -EACCES; 782 goto out; 783 } 784 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 785 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 786 rc = security_transition_sid(current_sid(), 787 current_sid(), 788 SECCLASS_FILE, NULL, 789 &sbsec->mntpoint_sid); 790 if (rc) 791 goto out; 792 } 793 goto out_set_opts; 794 } 795 796 /* sets the context of the superblock for the fs being mounted. */ 797 if (fscontext_sid) { 798 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 799 if (rc) 800 goto out; 801 802 sbsec->sid = fscontext_sid; 803 } 804 805 /* 806 * Switch to using mount point labeling behavior. 807 * sets the label used on all file below the mountpoint, and will set 808 * the superblock context if not already set. 809 */ 810 if (sbsec->flags & SE_SBNATIVE) { 811 /* 812 * This means we are initializing a superblock that has been 813 * mounted before the SELinux was initialized and the 814 * filesystem requested native labeling. We had already 815 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags 816 * in the original mount attempt, so now we just need to set 817 * the SECURITY_FS_USE_NATIVE behavior. 818 */ 819 sbsec->behavior = SECURITY_FS_USE_NATIVE; 820 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 821 sbsec->behavior = SECURITY_FS_USE_NATIVE; 822 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 823 } 824 825 if (context_sid) { 826 if (!fscontext_sid) { 827 rc = may_context_mount_sb_relabel(context_sid, sbsec, 828 cred); 829 if (rc) 830 goto out; 831 sbsec->sid = context_sid; 832 } else { 833 rc = may_context_mount_inode_relabel(context_sid, sbsec, 834 cred); 835 if (rc) 836 goto out; 837 } 838 if (!rootcontext_sid) 839 rootcontext_sid = context_sid; 840 841 sbsec->mntpoint_sid = context_sid; 842 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 843 } 844 845 if (rootcontext_sid) { 846 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 847 cred); 848 if (rc) 849 goto out; 850 851 root_isec->sid = rootcontext_sid; 852 root_isec->initialized = LABEL_INITIALIZED; 853 } 854 855 if (defcontext_sid) { 856 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 857 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 858 rc = -EINVAL; 859 pr_warn("SELinux: defcontext option is " 860 "invalid for this filesystem type\n"); 861 goto out; 862 } 863 864 if (defcontext_sid != sbsec->def_sid) { 865 rc = may_context_mount_inode_relabel(defcontext_sid, 866 sbsec, cred); 867 if (rc) 868 goto out; 869 } 870 871 sbsec->def_sid = defcontext_sid; 872 } 873 874 out_set_opts: 875 rc = sb_finish_set_opts(sb); 876 out: 877 mutex_unlock(&sbsec->lock); 878 return rc; 879 out_double_mount: 880 rc = -EINVAL; 881 pr_warn("SELinux: mount invalid. Same superblock, different " 882 "security settings for (dev %s, type %s)\n", sb->s_id, 883 sb->s_type->name); 884 goto out; 885 } 886 887 static int selinux_cmp_sb_context(const struct super_block *oldsb, 888 const struct super_block *newsb) 889 { 890 struct superblock_security_struct *old = selinux_superblock(oldsb); 891 struct superblock_security_struct *new = selinux_superblock(newsb); 892 char oldflags = old->flags & SE_MNTMASK; 893 char newflags = new->flags & SE_MNTMASK; 894 895 if (oldflags != newflags) 896 goto mismatch; 897 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 898 goto mismatch; 899 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 900 goto mismatch; 901 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 902 goto mismatch; 903 if (oldflags & ROOTCONTEXT_MNT) { 904 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 905 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 906 if (oldroot->sid != newroot->sid) 907 goto mismatch; 908 } 909 return 0; 910 mismatch: 911 pr_warn("SELinux: mount invalid. Same superblock, " 912 "different security settings for (dev %s, " 913 "type %s)\n", newsb->s_id, newsb->s_type->name); 914 return -EBUSY; 915 } 916 917 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 918 struct super_block *newsb, 919 unsigned long kern_flags, 920 unsigned long *set_kern_flags) 921 { 922 int rc = 0; 923 const struct superblock_security_struct *oldsbsec = 924 selinux_superblock(oldsb); 925 struct superblock_security_struct *newsbsec = selinux_superblock(newsb); 926 927 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 928 int set_context = (oldsbsec->flags & CONTEXT_MNT); 929 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 930 931 /* 932 * Specifying internal flags without providing a place to 933 * place the results is not allowed. 934 */ 935 if (kern_flags && !set_kern_flags) 936 return -EINVAL; 937 938 mutex_lock(&newsbsec->lock); 939 940 /* 941 * if the parent was able to be mounted it clearly had no special lsm 942 * mount options. thus we can safely deal with this superblock later 943 */ 944 if (!selinux_initialized()) { 945 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 946 newsbsec->flags |= SE_SBNATIVE; 947 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 948 } 949 goto out; 950 } 951 952 /* how can we clone if the old one wasn't set up?? */ 953 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 954 955 /* if fs is reusing a sb, make sure that the contexts match */ 956 if (newsbsec->flags & SE_SBINITIALIZED) { 957 mutex_unlock(&newsbsec->lock); 958 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 959 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 960 return selinux_cmp_sb_context(oldsb, newsb); 961 } 962 963 newsbsec->flags = oldsbsec->flags; 964 965 newsbsec->sid = oldsbsec->sid; 966 newsbsec->def_sid = oldsbsec->def_sid; 967 newsbsec->behavior = oldsbsec->behavior; 968 969 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 970 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 971 rc = security_fs_use(newsb); 972 if (rc) 973 goto out; 974 } 975 976 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 977 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 978 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 979 } 980 981 if (set_context) { 982 u32 sid = oldsbsec->mntpoint_sid; 983 984 if (!set_fscontext) 985 newsbsec->sid = sid; 986 if (!set_rootcontext) { 987 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 988 newisec->sid = sid; 989 } 990 newsbsec->mntpoint_sid = sid; 991 } 992 if (set_rootcontext) { 993 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 994 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 995 996 newisec->sid = oldisec->sid; 997 } 998 999 sb_finish_set_opts(newsb); 1000 out: 1001 mutex_unlock(&newsbsec->lock); 1002 return rc; 1003 } 1004 1005 /* 1006 * NOTE: the caller is responsible for freeing the memory even if on error. 1007 */ 1008 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 1009 { 1010 struct selinux_mnt_opts *opts = *mnt_opts; 1011 u32 *dst_sid; 1012 int rc; 1013 1014 if (token == Opt_seclabel) 1015 /* eaten and completely ignored */ 1016 return 0; 1017 if (!s) 1018 return -EINVAL; 1019 1020 if (!selinux_initialized()) { 1021 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n"); 1022 return -EINVAL; 1023 } 1024 1025 if (!opts) { 1026 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 1027 if (!opts) 1028 return -ENOMEM; 1029 *mnt_opts = opts; 1030 } 1031 1032 switch (token) { 1033 case Opt_context: 1034 if (opts->context_sid || opts->defcontext_sid) 1035 goto err; 1036 dst_sid = &opts->context_sid; 1037 break; 1038 case Opt_fscontext: 1039 if (opts->fscontext_sid) 1040 goto err; 1041 dst_sid = &opts->fscontext_sid; 1042 break; 1043 case Opt_rootcontext: 1044 if (opts->rootcontext_sid) 1045 goto err; 1046 dst_sid = &opts->rootcontext_sid; 1047 break; 1048 case Opt_defcontext: 1049 if (opts->context_sid || opts->defcontext_sid) 1050 goto err; 1051 dst_sid = &opts->defcontext_sid; 1052 break; 1053 default: 1054 WARN_ON(1); 1055 return -EINVAL; 1056 } 1057 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL); 1058 if (rc) 1059 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n", 1060 s, rc); 1061 return rc; 1062 1063 err: 1064 pr_warn(SEL_MOUNT_FAIL_MSG); 1065 return -EINVAL; 1066 } 1067 1068 static int show_sid(struct seq_file *m, u32 sid) 1069 { 1070 char *context = NULL; 1071 u32 len; 1072 int rc; 1073 1074 rc = security_sid_to_context(sid, &context, &len); 1075 if (!rc) { 1076 bool has_comma = strchr(context, ','); 1077 1078 seq_putc(m, '='); 1079 if (has_comma) 1080 seq_putc(m, '\"'); 1081 seq_escape(m, context, "\"\n\\"); 1082 if (has_comma) 1083 seq_putc(m, '\"'); 1084 } 1085 kfree(context); 1086 return rc; 1087 } 1088 1089 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1090 { 1091 struct superblock_security_struct *sbsec = selinux_superblock(sb); 1092 int rc; 1093 1094 if (!(sbsec->flags & SE_SBINITIALIZED)) 1095 return 0; 1096 1097 if (!selinux_initialized()) 1098 return 0; 1099 1100 if (sbsec->flags & FSCONTEXT_MNT) { 1101 seq_putc(m, ','); 1102 seq_puts(m, FSCONTEXT_STR); 1103 rc = show_sid(m, sbsec->sid); 1104 if (rc) 1105 return rc; 1106 } 1107 if (sbsec->flags & CONTEXT_MNT) { 1108 seq_putc(m, ','); 1109 seq_puts(m, CONTEXT_STR); 1110 rc = show_sid(m, sbsec->mntpoint_sid); 1111 if (rc) 1112 return rc; 1113 } 1114 if (sbsec->flags & DEFCONTEXT_MNT) { 1115 seq_putc(m, ','); 1116 seq_puts(m, DEFCONTEXT_STR); 1117 rc = show_sid(m, sbsec->def_sid); 1118 if (rc) 1119 return rc; 1120 } 1121 if (sbsec->flags & ROOTCONTEXT_MNT) { 1122 struct dentry *root = sb->s_root; 1123 struct inode_security_struct *isec = backing_inode_security(root); 1124 seq_putc(m, ','); 1125 seq_puts(m, ROOTCONTEXT_STR); 1126 rc = show_sid(m, isec->sid); 1127 if (rc) 1128 return rc; 1129 } 1130 if (sbsec->flags & SBLABEL_MNT) { 1131 seq_putc(m, ','); 1132 seq_puts(m, SECLABEL_STR); 1133 } 1134 return 0; 1135 } 1136 1137 static inline u16 inode_mode_to_security_class(umode_t mode) 1138 { 1139 switch (mode & S_IFMT) { 1140 case S_IFSOCK: 1141 return SECCLASS_SOCK_FILE; 1142 case S_IFLNK: 1143 return SECCLASS_LNK_FILE; 1144 case S_IFREG: 1145 return SECCLASS_FILE; 1146 case S_IFBLK: 1147 return SECCLASS_BLK_FILE; 1148 case S_IFDIR: 1149 return SECCLASS_DIR; 1150 case S_IFCHR: 1151 return SECCLASS_CHR_FILE; 1152 case S_IFIFO: 1153 return SECCLASS_FIFO_FILE; 1154 1155 } 1156 1157 return SECCLASS_FILE; 1158 } 1159 1160 static inline int default_protocol_stream(int protocol) 1161 { 1162 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP || 1163 protocol == IPPROTO_MPTCP); 1164 } 1165 1166 static inline int default_protocol_dgram(int protocol) 1167 { 1168 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1169 } 1170 1171 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1172 { 1173 bool extsockclass = selinux_policycap_extsockclass(); 1174 1175 switch (family) { 1176 case PF_UNIX: 1177 switch (type) { 1178 case SOCK_STREAM: 1179 case SOCK_SEQPACKET: 1180 return SECCLASS_UNIX_STREAM_SOCKET; 1181 case SOCK_DGRAM: 1182 case SOCK_RAW: 1183 return SECCLASS_UNIX_DGRAM_SOCKET; 1184 } 1185 break; 1186 case PF_INET: 1187 case PF_INET6: 1188 switch (type) { 1189 case SOCK_STREAM: 1190 case SOCK_SEQPACKET: 1191 if (default_protocol_stream(protocol)) 1192 return SECCLASS_TCP_SOCKET; 1193 else if (extsockclass && protocol == IPPROTO_SCTP) 1194 return SECCLASS_SCTP_SOCKET; 1195 else 1196 return SECCLASS_RAWIP_SOCKET; 1197 case SOCK_DGRAM: 1198 if (default_protocol_dgram(protocol)) 1199 return SECCLASS_UDP_SOCKET; 1200 else if (extsockclass && (protocol == IPPROTO_ICMP || 1201 protocol == IPPROTO_ICMPV6)) 1202 return SECCLASS_ICMP_SOCKET; 1203 else 1204 return SECCLASS_RAWIP_SOCKET; 1205 default: 1206 return SECCLASS_RAWIP_SOCKET; 1207 } 1208 break; 1209 case PF_NETLINK: 1210 switch (protocol) { 1211 case NETLINK_ROUTE: 1212 return SECCLASS_NETLINK_ROUTE_SOCKET; 1213 case NETLINK_SOCK_DIAG: 1214 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1215 case NETLINK_NFLOG: 1216 return SECCLASS_NETLINK_NFLOG_SOCKET; 1217 case NETLINK_XFRM: 1218 return SECCLASS_NETLINK_XFRM_SOCKET; 1219 case NETLINK_SELINUX: 1220 return SECCLASS_NETLINK_SELINUX_SOCKET; 1221 case NETLINK_ISCSI: 1222 return SECCLASS_NETLINK_ISCSI_SOCKET; 1223 case NETLINK_AUDIT: 1224 return SECCLASS_NETLINK_AUDIT_SOCKET; 1225 case NETLINK_FIB_LOOKUP: 1226 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1227 case NETLINK_CONNECTOR: 1228 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1229 case NETLINK_NETFILTER: 1230 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1231 case NETLINK_DNRTMSG: 1232 return SECCLASS_NETLINK_DNRT_SOCKET; 1233 case NETLINK_KOBJECT_UEVENT: 1234 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1235 case NETLINK_GENERIC: 1236 return SECCLASS_NETLINK_GENERIC_SOCKET; 1237 case NETLINK_SCSITRANSPORT: 1238 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1239 case NETLINK_RDMA: 1240 return SECCLASS_NETLINK_RDMA_SOCKET; 1241 case NETLINK_CRYPTO: 1242 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1243 default: 1244 return SECCLASS_NETLINK_SOCKET; 1245 } 1246 case PF_PACKET: 1247 return SECCLASS_PACKET_SOCKET; 1248 case PF_KEY: 1249 return SECCLASS_KEY_SOCKET; 1250 case PF_APPLETALK: 1251 return SECCLASS_APPLETALK_SOCKET; 1252 } 1253 1254 if (extsockclass) { 1255 switch (family) { 1256 case PF_AX25: 1257 return SECCLASS_AX25_SOCKET; 1258 case PF_IPX: 1259 return SECCLASS_IPX_SOCKET; 1260 case PF_NETROM: 1261 return SECCLASS_NETROM_SOCKET; 1262 case PF_ATMPVC: 1263 return SECCLASS_ATMPVC_SOCKET; 1264 case PF_X25: 1265 return SECCLASS_X25_SOCKET; 1266 case PF_ROSE: 1267 return SECCLASS_ROSE_SOCKET; 1268 case PF_DECnet: 1269 return SECCLASS_DECNET_SOCKET; 1270 case PF_ATMSVC: 1271 return SECCLASS_ATMSVC_SOCKET; 1272 case PF_RDS: 1273 return SECCLASS_RDS_SOCKET; 1274 case PF_IRDA: 1275 return SECCLASS_IRDA_SOCKET; 1276 case PF_PPPOX: 1277 return SECCLASS_PPPOX_SOCKET; 1278 case PF_LLC: 1279 return SECCLASS_LLC_SOCKET; 1280 case PF_CAN: 1281 return SECCLASS_CAN_SOCKET; 1282 case PF_TIPC: 1283 return SECCLASS_TIPC_SOCKET; 1284 case PF_BLUETOOTH: 1285 return SECCLASS_BLUETOOTH_SOCKET; 1286 case PF_IUCV: 1287 return SECCLASS_IUCV_SOCKET; 1288 case PF_RXRPC: 1289 return SECCLASS_RXRPC_SOCKET; 1290 case PF_ISDN: 1291 return SECCLASS_ISDN_SOCKET; 1292 case PF_PHONET: 1293 return SECCLASS_PHONET_SOCKET; 1294 case PF_IEEE802154: 1295 return SECCLASS_IEEE802154_SOCKET; 1296 case PF_CAIF: 1297 return SECCLASS_CAIF_SOCKET; 1298 case PF_ALG: 1299 return SECCLASS_ALG_SOCKET; 1300 case PF_NFC: 1301 return SECCLASS_NFC_SOCKET; 1302 case PF_VSOCK: 1303 return SECCLASS_VSOCK_SOCKET; 1304 case PF_KCM: 1305 return SECCLASS_KCM_SOCKET; 1306 case PF_QIPCRTR: 1307 return SECCLASS_QIPCRTR_SOCKET; 1308 case PF_SMC: 1309 return SECCLASS_SMC_SOCKET; 1310 case PF_XDP: 1311 return SECCLASS_XDP_SOCKET; 1312 case PF_MCTP: 1313 return SECCLASS_MCTP_SOCKET; 1314 #if PF_MAX > 46 1315 #error New address family defined, please update this function. 1316 #endif 1317 } 1318 } 1319 1320 return SECCLASS_SOCKET; 1321 } 1322 1323 static int selinux_genfs_get_sid(struct dentry *dentry, 1324 u16 tclass, 1325 u16 flags, 1326 u32 *sid) 1327 { 1328 int rc; 1329 struct super_block *sb = dentry->d_sb; 1330 char *buffer, *path; 1331 1332 buffer = (char *)__get_free_page(GFP_KERNEL); 1333 if (!buffer) 1334 return -ENOMEM; 1335 1336 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1337 if (IS_ERR(path)) 1338 rc = PTR_ERR(path); 1339 else { 1340 if (flags & SE_SBPROC) { 1341 /* each process gets a /proc/PID/ entry. Strip off the 1342 * PID part to get a valid selinux labeling. 1343 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1344 while (path[1] >= '0' && path[1] <= '9') { 1345 path[1] = '/'; 1346 path++; 1347 } 1348 } 1349 rc = security_genfs_sid(sb->s_type->name, 1350 path, tclass, sid); 1351 if (rc == -ENOENT) { 1352 /* No match in policy, mark as unlabeled. */ 1353 *sid = SECINITSID_UNLABELED; 1354 rc = 0; 1355 } 1356 } 1357 free_page((unsigned long)buffer); 1358 return rc; 1359 } 1360 1361 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1362 u32 def_sid, u32 *sid) 1363 { 1364 #define INITCONTEXTLEN 255 1365 char *context; 1366 unsigned int len; 1367 int rc; 1368 1369 len = INITCONTEXTLEN; 1370 context = kmalloc(len + 1, GFP_NOFS); 1371 if (!context) 1372 return -ENOMEM; 1373 1374 context[len] = '\0'; 1375 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1376 if (rc == -ERANGE) { 1377 kfree(context); 1378 1379 /* Need a larger buffer. Query for the right size. */ 1380 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1381 if (rc < 0) 1382 return rc; 1383 1384 len = rc; 1385 context = kmalloc(len + 1, GFP_NOFS); 1386 if (!context) 1387 return -ENOMEM; 1388 1389 context[len] = '\0'; 1390 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1391 context, len); 1392 } 1393 if (rc < 0) { 1394 kfree(context); 1395 if (rc != -ENODATA) { 1396 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1397 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1398 return rc; 1399 } 1400 *sid = def_sid; 1401 return 0; 1402 } 1403 1404 rc = security_context_to_sid_default(context, rc, sid, 1405 def_sid, GFP_NOFS); 1406 if (rc) { 1407 char *dev = inode->i_sb->s_id; 1408 unsigned long ino = inode->i_ino; 1409 1410 if (rc == -EINVAL) { 1411 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1412 ino, dev, context); 1413 } else { 1414 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1415 __func__, context, -rc, dev, ino); 1416 } 1417 } 1418 kfree(context); 1419 return 0; 1420 } 1421 1422 /* The inode's security attributes must be initialized before first use. */ 1423 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1424 { 1425 struct superblock_security_struct *sbsec = NULL; 1426 struct inode_security_struct *isec = selinux_inode(inode); 1427 u32 task_sid, sid = 0; 1428 u16 sclass; 1429 struct dentry *dentry; 1430 int rc = 0; 1431 1432 if (isec->initialized == LABEL_INITIALIZED) 1433 return 0; 1434 1435 spin_lock(&isec->lock); 1436 if (isec->initialized == LABEL_INITIALIZED) 1437 goto out_unlock; 1438 1439 if (isec->sclass == SECCLASS_FILE) 1440 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1441 1442 sbsec = selinux_superblock(inode->i_sb); 1443 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1444 /* Defer initialization until selinux_complete_init, 1445 after the initial policy is loaded and the security 1446 server is ready to handle calls. */ 1447 spin_lock(&sbsec->isec_lock); 1448 if (list_empty(&isec->list)) 1449 list_add(&isec->list, &sbsec->isec_head); 1450 spin_unlock(&sbsec->isec_lock); 1451 goto out_unlock; 1452 } 1453 1454 sclass = isec->sclass; 1455 task_sid = isec->task_sid; 1456 sid = isec->sid; 1457 isec->initialized = LABEL_PENDING; 1458 spin_unlock(&isec->lock); 1459 1460 switch (sbsec->behavior) { 1461 /* 1462 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels 1463 * via xattr when called from delayed_superblock_init(). 1464 */ 1465 case SECURITY_FS_USE_NATIVE: 1466 case SECURITY_FS_USE_XATTR: 1467 if (!(inode->i_opflags & IOP_XATTR)) { 1468 sid = sbsec->def_sid; 1469 break; 1470 } 1471 /* Need a dentry, since the xattr API requires one. 1472 Life would be simpler if we could just pass the inode. */ 1473 if (opt_dentry) { 1474 /* Called from d_instantiate or d_splice_alias. */ 1475 dentry = dget(opt_dentry); 1476 } else { 1477 /* 1478 * Called from selinux_complete_init, try to find a dentry. 1479 * Some filesystems really want a connected one, so try 1480 * that first. We could split SECURITY_FS_USE_XATTR in 1481 * two, depending upon that... 1482 */ 1483 dentry = d_find_alias(inode); 1484 if (!dentry) 1485 dentry = d_find_any_alias(inode); 1486 } 1487 if (!dentry) { 1488 /* 1489 * this is can be hit on boot when a file is accessed 1490 * before the policy is loaded. When we load policy we 1491 * may find inodes that have no dentry on the 1492 * sbsec->isec_head list. No reason to complain as these 1493 * will get fixed up the next time we go through 1494 * inode_doinit with a dentry, before these inodes could 1495 * be used again by userspace. 1496 */ 1497 goto out_invalid; 1498 } 1499 1500 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1501 &sid); 1502 dput(dentry); 1503 if (rc) 1504 goto out; 1505 break; 1506 case SECURITY_FS_USE_TASK: 1507 sid = task_sid; 1508 break; 1509 case SECURITY_FS_USE_TRANS: 1510 /* Default to the fs SID. */ 1511 sid = sbsec->sid; 1512 1513 /* Try to obtain a transition SID. */ 1514 rc = security_transition_sid(task_sid, sid, 1515 sclass, NULL, &sid); 1516 if (rc) 1517 goto out; 1518 break; 1519 case SECURITY_FS_USE_MNTPOINT: 1520 sid = sbsec->mntpoint_sid; 1521 break; 1522 default: 1523 /* Default to the fs superblock SID. */ 1524 sid = sbsec->sid; 1525 1526 if ((sbsec->flags & SE_SBGENFS) && 1527 (!S_ISLNK(inode->i_mode) || 1528 selinux_policycap_genfs_seclabel_symlinks())) { 1529 /* We must have a dentry to determine the label on 1530 * procfs inodes */ 1531 if (opt_dentry) { 1532 /* Called from d_instantiate or 1533 * d_splice_alias. */ 1534 dentry = dget(opt_dentry); 1535 } else { 1536 /* Called from selinux_complete_init, try to 1537 * find a dentry. Some filesystems really want 1538 * a connected one, so try that first. 1539 */ 1540 dentry = d_find_alias(inode); 1541 if (!dentry) 1542 dentry = d_find_any_alias(inode); 1543 } 1544 /* 1545 * This can be hit on boot when a file is accessed 1546 * before the policy is loaded. When we load policy we 1547 * may find inodes that have no dentry on the 1548 * sbsec->isec_head list. No reason to complain as 1549 * these will get fixed up the next time we go through 1550 * inode_doinit() with a dentry, before these inodes 1551 * could be used again by userspace. 1552 */ 1553 if (!dentry) 1554 goto out_invalid; 1555 rc = selinux_genfs_get_sid(dentry, sclass, 1556 sbsec->flags, &sid); 1557 if (rc) { 1558 dput(dentry); 1559 goto out; 1560 } 1561 1562 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1563 (inode->i_opflags & IOP_XATTR)) { 1564 rc = inode_doinit_use_xattr(inode, dentry, 1565 sid, &sid); 1566 if (rc) { 1567 dput(dentry); 1568 goto out; 1569 } 1570 } 1571 dput(dentry); 1572 } 1573 break; 1574 } 1575 1576 out: 1577 spin_lock(&isec->lock); 1578 if (isec->initialized == LABEL_PENDING) { 1579 if (rc) { 1580 isec->initialized = LABEL_INVALID; 1581 goto out_unlock; 1582 } 1583 isec->initialized = LABEL_INITIALIZED; 1584 isec->sid = sid; 1585 } 1586 1587 out_unlock: 1588 spin_unlock(&isec->lock); 1589 return rc; 1590 1591 out_invalid: 1592 spin_lock(&isec->lock); 1593 if (isec->initialized == LABEL_PENDING) { 1594 isec->initialized = LABEL_INVALID; 1595 isec->sid = sid; 1596 } 1597 spin_unlock(&isec->lock); 1598 return 0; 1599 } 1600 1601 /* Convert a Linux signal to an access vector. */ 1602 static inline u32 signal_to_av(int sig) 1603 { 1604 u32 perm = 0; 1605 1606 switch (sig) { 1607 case SIGCHLD: 1608 /* Commonly granted from child to parent. */ 1609 perm = PROCESS__SIGCHLD; 1610 break; 1611 case SIGKILL: 1612 /* Cannot be caught or ignored */ 1613 perm = PROCESS__SIGKILL; 1614 break; 1615 case SIGSTOP: 1616 /* Cannot be caught or ignored */ 1617 perm = PROCESS__SIGSTOP; 1618 break; 1619 default: 1620 /* All other signals. */ 1621 perm = PROCESS__SIGNAL; 1622 break; 1623 } 1624 1625 return perm; 1626 } 1627 1628 #if CAP_LAST_CAP > 63 1629 #error Fix SELinux to handle capabilities > 63. 1630 #endif 1631 1632 /* Check whether a task is allowed to use a capability. */ 1633 static int cred_has_capability(const struct cred *cred, 1634 int cap, unsigned int opts, bool initns) 1635 { 1636 struct common_audit_data ad; 1637 struct av_decision avd; 1638 u16 sclass; 1639 u32 sid = cred_sid(cred); 1640 u32 av = CAP_TO_MASK(cap); 1641 int rc; 1642 1643 ad.type = LSM_AUDIT_DATA_CAP; 1644 ad.u.cap = cap; 1645 1646 switch (CAP_TO_INDEX(cap)) { 1647 case 0: 1648 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1649 break; 1650 case 1: 1651 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1652 break; 1653 default: 1654 pr_err("SELinux: out of range capability %d\n", cap); 1655 BUG(); 1656 return -EINVAL; 1657 } 1658 1659 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1660 if (!(opts & CAP_OPT_NOAUDIT)) { 1661 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); 1662 if (rc2) 1663 return rc2; 1664 } 1665 return rc; 1666 } 1667 1668 /* Check whether a task has a particular permission to an inode. 1669 The 'adp' parameter is optional and allows other audit 1670 data to be passed (e.g. the dentry). */ 1671 static int inode_has_perm(const struct cred *cred, 1672 struct inode *inode, 1673 u32 perms, 1674 struct common_audit_data *adp) 1675 { 1676 struct inode_security_struct *isec; 1677 u32 sid; 1678 1679 if (unlikely(IS_PRIVATE(inode))) 1680 return 0; 1681 1682 sid = cred_sid(cred); 1683 isec = selinux_inode(inode); 1684 1685 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1686 } 1687 1688 /* Same as inode_has_perm, but pass explicit audit data containing 1689 the dentry to help the auditing code to more easily generate the 1690 pathname if needed. */ 1691 static inline int dentry_has_perm(const struct cred *cred, 1692 struct dentry *dentry, 1693 u32 av) 1694 { 1695 struct common_audit_data ad; 1696 struct inode *inode = d_backing_inode(dentry); 1697 struct inode_security_struct *isec = selinux_inode(inode); 1698 1699 ad.type = LSM_AUDIT_DATA_DENTRY; 1700 ad.u.dentry = dentry; 1701 /* check below is racy, but revalidate will recheck with lock held */ 1702 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1703 __inode_security_revalidate(inode, dentry, true); 1704 return inode_has_perm(cred, inode, av, &ad); 1705 } 1706 1707 /* Same as inode_has_perm, but pass explicit audit data containing 1708 the path to help the auditing code to more easily generate the 1709 pathname if needed. */ 1710 static inline int path_has_perm(const struct cred *cred, 1711 const struct path *path, 1712 u32 av) 1713 { 1714 struct common_audit_data ad; 1715 struct inode *inode = d_backing_inode(path->dentry); 1716 struct inode_security_struct *isec = selinux_inode(inode); 1717 1718 ad.type = LSM_AUDIT_DATA_PATH; 1719 ad.u.path = *path; 1720 /* check below is racy, but revalidate will recheck with lock held */ 1721 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1722 __inode_security_revalidate(inode, path->dentry, true); 1723 return inode_has_perm(cred, inode, av, &ad); 1724 } 1725 1726 /* Same as path_has_perm, but uses the inode from the file struct. */ 1727 static inline int file_path_has_perm(const struct cred *cred, 1728 struct file *file, 1729 u32 av) 1730 { 1731 struct common_audit_data ad; 1732 1733 ad.type = LSM_AUDIT_DATA_FILE; 1734 ad.u.file = file; 1735 return inode_has_perm(cred, file_inode(file), av, &ad); 1736 } 1737 1738 #ifdef CONFIG_BPF_SYSCALL 1739 static int bpf_fd_pass(const struct file *file, u32 sid); 1740 #endif 1741 1742 /* Check whether a task can use an open file descriptor to 1743 access an inode in a given way. Check access to the 1744 descriptor itself, and then use dentry_has_perm to 1745 check a particular permission to the file. 1746 Access to the descriptor is implicitly granted if it 1747 has the same SID as the process. If av is zero, then 1748 access to the file is not checked, e.g. for cases 1749 where only the descriptor is affected like seek. */ 1750 static int file_has_perm(const struct cred *cred, 1751 struct file *file, 1752 u32 av) 1753 { 1754 struct file_security_struct *fsec = selinux_file(file); 1755 struct inode *inode = file_inode(file); 1756 struct common_audit_data ad; 1757 u32 sid = cred_sid(cred); 1758 int rc; 1759 1760 ad.type = LSM_AUDIT_DATA_FILE; 1761 ad.u.file = file; 1762 1763 if (sid != fsec->sid) { 1764 rc = avc_has_perm(sid, fsec->sid, 1765 SECCLASS_FD, 1766 FD__USE, 1767 &ad); 1768 if (rc) 1769 goto out; 1770 } 1771 1772 #ifdef CONFIG_BPF_SYSCALL 1773 rc = bpf_fd_pass(file, cred_sid(cred)); 1774 if (rc) 1775 return rc; 1776 #endif 1777 1778 /* av is zero if only checking access to the descriptor. */ 1779 rc = 0; 1780 if (av) 1781 rc = inode_has_perm(cred, inode, av, &ad); 1782 1783 out: 1784 return rc; 1785 } 1786 1787 /* 1788 * Determine the label for an inode that might be unioned. 1789 */ 1790 static int 1791 selinux_determine_inode_label(const struct cred_security_struct *crsec, 1792 struct inode *dir, 1793 const struct qstr *name, u16 tclass, 1794 u32 *_new_isid) 1795 { 1796 const struct superblock_security_struct *sbsec = 1797 selinux_superblock(dir->i_sb); 1798 1799 if ((sbsec->flags & SE_SBINITIALIZED) && 1800 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1801 *_new_isid = sbsec->mntpoint_sid; 1802 } else if ((sbsec->flags & SBLABEL_MNT) && 1803 crsec->create_sid) { 1804 *_new_isid = crsec->create_sid; 1805 } else { 1806 const struct inode_security_struct *dsec = inode_security(dir); 1807 return security_transition_sid(crsec->sid, 1808 dsec->sid, tclass, 1809 name, _new_isid); 1810 } 1811 1812 return 0; 1813 } 1814 1815 /* Check whether a task can create a file. */ 1816 static int may_create(struct inode *dir, 1817 struct dentry *dentry, 1818 u16 tclass) 1819 { 1820 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 1821 struct inode_security_struct *dsec; 1822 struct superblock_security_struct *sbsec; 1823 u32 sid, newsid; 1824 struct common_audit_data ad; 1825 int rc; 1826 1827 dsec = inode_security(dir); 1828 sbsec = selinux_superblock(dir->i_sb); 1829 1830 sid = crsec->sid; 1831 1832 ad.type = LSM_AUDIT_DATA_DENTRY; 1833 ad.u.dentry = dentry; 1834 1835 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1836 DIR__ADD_NAME | DIR__SEARCH, 1837 &ad); 1838 if (rc) 1839 return rc; 1840 1841 rc = selinux_determine_inode_label(crsec, dir, &dentry->d_name, tclass, 1842 &newsid); 1843 if (rc) 1844 return rc; 1845 1846 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1847 if (rc) 1848 return rc; 1849 1850 return avc_has_perm(newsid, sbsec->sid, 1851 SECCLASS_FILESYSTEM, 1852 FILESYSTEM__ASSOCIATE, &ad); 1853 } 1854 1855 #define MAY_LINK 0 1856 #define MAY_UNLINK 1 1857 #define MAY_RMDIR 2 1858 1859 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1860 static int may_link(struct inode *dir, 1861 struct dentry *dentry, 1862 int kind) 1863 1864 { 1865 struct inode_security_struct *dsec, *isec; 1866 struct common_audit_data ad; 1867 u32 sid = current_sid(); 1868 u32 av; 1869 int rc; 1870 1871 dsec = inode_security(dir); 1872 isec = backing_inode_security(dentry); 1873 1874 ad.type = LSM_AUDIT_DATA_DENTRY; 1875 ad.u.dentry = dentry; 1876 1877 av = DIR__SEARCH; 1878 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1879 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1880 if (rc) 1881 return rc; 1882 1883 switch (kind) { 1884 case MAY_LINK: 1885 av = FILE__LINK; 1886 break; 1887 case MAY_UNLINK: 1888 av = FILE__UNLINK; 1889 break; 1890 case MAY_RMDIR: 1891 av = DIR__RMDIR; 1892 break; 1893 default: 1894 pr_warn("SELinux: %s: unrecognized kind %d\n", 1895 __func__, kind); 1896 return 0; 1897 } 1898 1899 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1900 return rc; 1901 } 1902 1903 static inline int may_rename(struct inode *old_dir, 1904 struct dentry *old_dentry, 1905 struct inode *new_dir, 1906 struct dentry *new_dentry) 1907 { 1908 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1909 struct common_audit_data ad; 1910 u32 sid = current_sid(); 1911 u32 av; 1912 int old_is_dir, new_is_dir; 1913 int rc; 1914 1915 old_dsec = inode_security(old_dir); 1916 old_isec = backing_inode_security(old_dentry); 1917 old_is_dir = d_is_dir(old_dentry); 1918 new_dsec = inode_security(new_dir); 1919 1920 ad.type = LSM_AUDIT_DATA_DENTRY; 1921 1922 ad.u.dentry = old_dentry; 1923 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1924 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1925 if (rc) 1926 return rc; 1927 rc = avc_has_perm(sid, old_isec->sid, 1928 old_isec->sclass, FILE__RENAME, &ad); 1929 if (rc) 1930 return rc; 1931 if (old_is_dir && new_dir != old_dir) { 1932 rc = avc_has_perm(sid, old_isec->sid, 1933 old_isec->sclass, DIR__REPARENT, &ad); 1934 if (rc) 1935 return rc; 1936 } 1937 1938 ad.u.dentry = new_dentry; 1939 av = DIR__ADD_NAME | DIR__SEARCH; 1940 if (d_is_positive(new_dentry)) 1941 av |= DIR__REMOVE_NAME; 1942 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1943 if (rc) 1944 return rc; 1945 if (d_is_positive(new_dentry)) { 1946 new_isec = backing_inode_security(new_dentry); 1947 new_is_dir = d_is_dir(new_dentry); 1948 rc = avc_has_perm(sid, new_isec->sid, 1949 new_isec->sclass, 1950 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1951 if (rc) 1952 return rc; 1953 } 1954 1955 return 0; 1956 } 1957 1958 /* Check whether a task can perform a filesystem operation. */ 1959 static int superblock_has_perm(const struct cred *cred, 1960 const struct super_block *sb, 1961 u32 perms, 1962 struct common_audit_data *ad) 1963 { 1964 struct superblock_security_struct *sbsec; 1965 u32 sid = cred_sid(cred); 1966 1967 sbsec = selinux_superblock(sb); 1968 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1969 } 1970 1971 /* Convert a Linux mode and permission mask to an access vector. */ 1972 static inline u32 file_mask_to_av(int mode, int mask) 1973 { 1974 u32 av = 0; 1975 1976 if (!S_ISDIR(mode)) { 1977 if (mask & MAY_EXEC) 1978 av |= FILE__EXECUTE; 1979 if (mask & MAY_READ) 1980 av |= FILE__READ; 1981 1982 if (mask & MAY_APPEND) 1983 av |= FILE__APPEND; 1984 else if (mask & MAY_WRITE) 1985 av |= FILE__WRITE; 1986 1987 } else { 1988 if (mask & MAY_EXEC) 1989 av |= DIR__SEARCH; 1990 if (mask & MAY_WRITE) 1991 av |= DIR__WRITE; 1992 if (mask & MAY_READ) 1993 av |= DIR__READ; 1994 } 1995 1996 return av; 1997 } 1998 1999 /* Convert a Linux file to an access vector. */ 2000 static inline u32 file_to_av(const struct file *file) 2001 { 2002 u32 av = 0; 2003 2004 if (file->f_mode & FMODE_READ) 2005 av |= FILE__READ; 2006 if (file->f_mode & FMODE_WRITE) { 2007 if (file->f_flags & O_APPEND) 2008 av |= FILE__APPEND; 2009 else 2010 av |= FILE__WRITE; 2011 } 2012 if (!av) { 2013 /* 2014 * Special file opened with flags 3 for ioctl-only use. 2015 */ 2016 av = FILE__IOCTL; 2017 } 2018 2019 return av; 2020 } 2021 2022 /* 2023 * Convert a file to an access vector and include the correct 2024 * open permission. 2025 */ 2026 static inline u32 open_file_to_av(struct file *file) 2027 { 2028 u32 av = file_to_av(file); 2029 struct inode *inode = file_inode(file); 2030 2031 if (selinux_policycap_openperm() && 2032 inode->i_sb->s_magic != SOCKFS_MAGIC) 2033 av |= FILE__OPEN; 2034 2035 return av; 2036 } 2037 2038 /* Hook functions begin here. */ 2039 2040 static int selinux_binder_set_context_mgr(const struct cred *mgr) 2041 { 2042 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER, 2043 BINDER__SET_CONTEXT_MGR, NULL); 2044 } 2045 2046 static int selinux_binder_transaction(const struct cred *from, 2047 const struct cred *to) 2048 { 2049 u32 mysid = current_sid(); 2050 u32 fromsid = cred_sid(from); 2051 u32 tosid = cred_sid(to); 2052 int rc; 2053 2054 if (mysid != fromsid) { 2055 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2056 BINDER__IMPERSONATE, NULL); 2057 if (rc) 2058 return rc; 2059 } 2060 2061 return avc_has_perm(fromsid, tosid, 2062 SECCLASS_BINDER, BINDER__CALL, NULL); 2063 } 2064 2065 static int selinux_binder_transfer_binder(const struct cred *from, 2066 const struct cred *to) 2067 { 2068 return avc_has_perm(cred_sid(from), cred_sid(to), 2069 SECCLASS_BINDER, BINDER__TRANSFER, 2070 NULL); 2071 } 2072 2073 static int selinux_binder_transfer_file(const struct cred *from, 2074 const struct cred *to, 2075 const struct file *file) 2076 { 2077 u32 sid = cred_sid(to); 2078 struct file_security_struct *fsec = selinux_file(file); 2079 struct dentry *dentry = file->f_path.dentry; 2080 struct inode_security_struct *isec; 2081 struct common_audit_data ad; 2082 int rc; 2083 2084 ad.type = LSM_AUDIT_DATA_PATH; 2085 ad.u.path = file->f_path; 2086 2087 if (sid != fsec->sid) { 2088 rc = avc_has_perm(sid, fsec->sid, 2089 SECCLASS_FD, 2090 FD__USE, 2091 &ad); 2092 if (rc) 2093 return rc; 2094 } 2095 2096 #ifdef CONFIG_BPF_SYSCALL 2097 rc = bpf_fd_pass(file, sid); 2098 if (rc) 2099 return rc; 2100 #endif 2101 2102 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2103 return 0; 2104 2105 isec = backing_inode_security(dentry); 2106 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2107 &ad); 2108 } 2109 2110 static int selinux_ptrace_access_check(struct task_struct *child, 2111 unsigned int mode) 2112 { 2113 u32 sid = current_sid(); 2114 u32 csid = task_sid_obj(child); 2115 2116 if (mode & PTRACE_MODE_READ) 2117 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, 2118 NULL); 2119 2120 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, 2121 NULL); 2122 } 2123 2124 static int selinux_ptrace_traceme(struct task_struct *parent) 2125 { 2126 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current), 2127 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2128 } 2129 2130 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective, 2131 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2132 { 2133 return avc_has_perm(current_sid(), task_sid_obj(target), 2134 SECCLASS_PROCESS, PROCESS__GETCAP, NULL); 2135 } 2136 2137 static int selinux_capset(struct cred *new, const struct cred *old, 2138 const kernel_cap_t *effective, 2139 const kernel_cap_t *inheritable, 2140 const kernel_cap_t *permitted) 2141 { 2142 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2143 PROCESS__SETCAP, NULL); 2144 } 2145 2146 /* 2147 * (This comment used to live with the selinux_task_setuid hook, 2148 * which was removed). 2149 * 2150 * Since setuid only affects the current process, and since the SELinux 2151 * controls are not based on the Linux identity attributes, SELinux does not 2152 * need to control this operation. However, SELinux does control the use of 2153 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2154 */ 2155 2156 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2157 int cap, unsigned int opts) 2158 { 2159 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2160 } 2161 2162 static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb) 2163 { 2164 const struct cred *cred = current_cred(); 2165 int rc = 0; 2166 2167 if (!sb) 2168 return 0; 2169 2170 switch (cmds) { 2171 case Q_SYNC: 2172 case Q_QUOTAON: 2173 case Q_QUOTAOFF: 2174 case Q_SETINFO: 2175 case Q_SETQUOTA: 2176 case Q_XQUOTAOFF: 2177 case Q_XQUOTAON: 2178 case Q_XSETQLIM: 2179 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2180 break; 2181 case Q_GETFMT: 2182 case Q_GETINFO: 2183 case Q_GETQUOTA: 2184 case Q_XGETQUOTA: 2185 case Q_XGETQSTAT: 2186 case Q_XGETQSTATV: 2187 case Q_XGETNEXTQUOTA: 2188 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2189 break; 2190 default: 2191 rc = 0; /* let the kernel handle invalid cmds */ 2192 break; 2193 } 2194 return rc; 2195 } 2196 2197 static int selinux_quota_on(struct dentry *dentry) 2198 { 2199 const struct cred *cred = current_cred(); 2200 2201 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2202 } 2203 2204 static int selinux_syslog(int type) 2205 { 2206 switch (type) { 2207 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2208 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2209 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2210 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2211 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2212 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2213 /* Set level of messages printed to console */ 2214 case SYSLOG_ACTION_CONSOLE_LEVEL: 2215 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2216 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2217 NULL); 2218 } 2219 /* All other syslog types */ 2220 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2221 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2222 } 2223 2224 /* 2225 * Check permission for allocating a new virtual mapping. Returns 2226 * 0 if permission is granted, negative error code if not. 2227 * 2228 * Do not audit the selinux permission check, as this is applied to all 2229 * processes that allocate mappings. 2230 */ 2231 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2232 { 2233 return cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2234 CAP_OPT_NOAUDIT, true); 2235 } 2236 2237 /* binprm security operations */ 2238 2239 static u32 ptrace_parent_sid(void) 2240 { 2241 u32 sid = 0; 2242 struct task_struct *tracer; 2243 2244 rcu_read_lock(); 2245 tracer = ptrace_parent(current); 2246 if (tracer) 2247 sid = task_sid_obj(tracer); 2248 rcu_read_unlock(); 2249 2250 return sid; 2251 } 2252 2253 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2254 const struct cred_security_struct *old_crsec, 2255 const struct cred_security_struct *new_crsec) 2256 { 2257 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2258 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2259 int rc; 2260 u32 av; 2261 2262 if (!nnp && !nosuid) 2263 return 0; /* neither NNP nor nosuid */ 2264 2265 if (new_crsec->sid == old_crsec->sid) 2266 return 0; /* No change in credentials */ 2267 2268 /* 2269 * If the policy enables the nnp_nosuid_transition policy capability, 2270 * then we permit transitions under NNP or nosuid if the 2271 * policy allows the corresponding permission between 2272 * the old and new contexts. 2273 */ 2274 if (selinux_policycap_nnp_nosuid_transition()) { 2275 av = 0; 2276 if (nnp) 2277 av |= PROCESS2__NNP_TRANSITION; 2278 if (nosuid) 2279 av |= PROCESS2__NOSUID_TRANSITION; 2280 rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2281 SECCLASS_PROCESS2, av, NULL); 2282 if (!rc) 2283 return 0; 2284 } 2285 2286 /* 2287 * We also permit NNP or nosuid transitions to bounded SIDs, 2288 * i.e. SIDs that are guaranteed to only be allowed a subset 2289 * of the permissions of the current SID. 2290 */ 2291 rc = security_bounded_transition(old_crsec->sid, 2292 new_crsec->sid); 2293 if (!rc) 2294 return 0; 2295 2296 /* 2297 * On failure, preserve the errno values for NNP vs nosuid. 2298 * NNP: Operation not permitted for caller. 2299 * nosuid: Permission denied to file. 2300 */ 2301 if (nnp) 2302 return -EPERM; 2303 return -EACCES; 2304 } 2305 2306 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) 2307 { 2308 const struct cred_security_struct *old_crsec; 2309 struct cred_security_struct *new_crsec; 2310 struct inode_security_struct *isec; 2311 struct common_audit_data ad; 2312 struct inode *inode = file_inode(bprm->file); 2313 int rc; 2314 2315 /* SELinux context only depends on initial program or script and not 2316 * the script interpreter */ 2317 2318 old_crsec = selinux_cred(current_cred()); 2319 new_crsec = selinux_cred(bprm->cred); 2320 isec = inode_security(inode); 2321 2322 /* Default to the current task SID. */ 2323 new_crsec->sid = old_crsec->sid; 2324 new_crsec->osid = old_crsec->sid; 2325 2326 /* Reset fs, key, and sock SIDs on execve. */ 2327 new_crsec->create_sid = 0; 2328 new_crsec->keycreate_sid = 0; 2329 new_crsec->sockcreate_sid = 0; 2330 2331 /* 2332 * Before policy is loaded, label any task outside kernel space 2333 * as SECINITSID_INIT, so that any userspace tasks surviving from 2334 * early boot end up with a label different from SECINITSID_KERNEL 2335 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). 2336 */ 2337 if (!selinux_initialized()) { 2338 new_crsec->sid = SECINITSID_INIT; 2339 /* also clear the exec_sid just in case */ 2340 new_crsec->exec_sid = 0; 2341 return 0; 2342 } 2343 2344 if (old_crsec->exec_sid) { 2345 new_crsec->sid = old_crsec->exec_sid; 2346 /* Reset exec SID on execve. */ 2347 new_crsec->exec_sid = 0; 2348 2349 /* Fail on NNP or nosuid if not an allowed transition. */ 2350 rc = check_nnp_nosuid(bprm, old_crsec, new_crsec); 2351 if (rc) 2352 return rc; 2353 } else { 2354 /* Check for a default transition on this program. */ 2355 rc = security_transition_sid(old_crsec->sid, 2356 isec->sid, SECCLASS_PROCESS, NULL, 2357 &new_crsec->sid); 2358 if (rc) 2359 return rc; 2360 2361 /* 2362 * Fallback to old SID on NNP or nosuid if not an allowed 2363 * transition. 2364 */ 2365 rc = check_nnp_nosuid(bprm, old_crsec, new_crsec); 2366 if (rc) 2367 new_crsec->sid = old_crsec->sid; 2368 } 2369 2370 ad.type = LSM_AUDIT_DATA_FILE; 2371 ad.u.file = bprm->file; 2372 2373 if (new_crsec->sid == old_crsec->sid) { 2374 rc = avc_has_perm(old_crsec->sid, isec->sid, 2375 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2376 if (rc) 2377 return rc; 2378 } else { 2379 /* Check permissions for the transition. */ 2380 rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2381 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2382 if (rc) 2383 return rc; 2384 2385 rc = avc_has_perm(new_crsec->sid, isec->sid, 2386 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2387 if (rc) 2388 return rc; 2389 2390 /* Check for shared state */ 2391 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2392 rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2393 SECCLASS_PROCESS, PROCESS__SHARE, 2394 NULL); 2395 if (rc) 2396 return -EPERM; 2397 } 2398 2399 /* Make sure that anyone attempting to ptrace over a task that 2400 * changes its SID has the appropriate permit */ 2401 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2402 u32 ptsid = ptrace_parent_sid(); 2403 if (ptsid != 0) { 2404 rc = avc_has_perm(ptsid, new_crsec->sid, 2405 SECCLASS_PROCESS, 2406 PROCESS__PTRACE, NULL); 2407 if (rc) 2408 return -EPERM; 2409 } 2410 } 2411 2412 /* Clear any possibly unsafe personality bits on exec: */ 2413 bprm->per_clear |= PER_CLEAR_ON_SETID; 2414 2415 /* Enable secure mode for SIDs transitions unless 2416 the noatsecure permission is granted between 2417 the two SIDs, i.e. ahp returns 0. */ 2418 rc = avc_has_perm(old_crsec->sid, new_crsec->sid, 2419 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2420 NULL); 2421 bprm->secureexec |= !!rc; 2422 } 2423 2424 return 0; 2425 } 2426 2427 static int match_file(const void *p, struct file *file, unsigned fd) 2428 { 2429 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2430 } 2431 2432 /* Derived from fs/exec.c:flush_old_files. */ 2433 static inline void flush_unauthorized_files(const struct cred *cred, 2434 struct files_struct *files) 2435 { 2436 struct file *file, *devnull = NULL; 2437 struct tty_struct *tty; 2438 int drop_tty = 0; 2439 unsigned n; 2440 2441 tty = get_current_tty(); 2442 if (tty) { 2443 spin_lock(&tty->files_lock); 2444 if (!list_empty(&tty->tty_files)) { 2445 struct tty_file_private *file_priv; 2446 2447 /* Revalidate access to controlling tty. 2448 Use file_path_has_perm on the tty path directly 2449 rather than using file_has_perm, as this particular 2450 open file may belong to another process and we are 2451 only interested in the inode-based check here. */ 2452 file_priv = list_first_entry(&tty->tty_files, 2453 struct tty_file_private, list); 2454 file = file_priv->file; 2455 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2456 drop_tty = 1; 2457 } 2458 spin_unlock(&tty->files_lock); 2459 tty_kref_put(tty); 2460 } 2461 /* Reset controlling tty. */ 2462 if (drop_tty) 2463 no_tty(); 2464 2465 /* Revalidate access to inherited open files. */ 2466 n = iterate_fd(files, 0, match_file, cred); 2467 if (!n) /* none found? */ 2468 return; 2469 2470 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2471 if (IS_ERR(devnull)) 2472 devnull = NULL; 2473 /* replace all the matching ones with this */ 2474 do { 2475 replace_fd(n - 1, devnull, 0); 2476 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2477 if (devnull) 2478 fput(devnull); 2479 } 2480 2481 /* 2482 * Prepare a process for imminent new credential changes due to exec 2483 */ 2484 static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) 2485 { 2486 struct cred_security_struct *new_crsec; 2487 struct rlimit *rlim, *initrlim; 2488 int rc, i; 2489 2490 new_crsec = selinux_cred(bprm->cred); 2491 if (new_crsec->sid == new_crsec->osid) 2492 return; 2493 2494 /* Close files for which the new task SID is not authorized. */ 2495 flush_unauthorized_files(bprm->cred, current->files); 2496 2497 /* Always clear parent death signal on SID transitions. */ 2498 current->pdeath_signal = 0; 2499 2500 /* Check whether the new SID can inherit resource limits from the old 2501 * SID. If not, reset all soft limits to the lower of the current 2502 * task's hard limit and the init task's soft limit. 2503 * 2504 * Note that the setting of hard limits (even to lower them) can be 2505 * controlled by the setrlimit check. The inclusion of the init task's 2506 * soft limit into the computation is to avoid resetting soft limits 2507 * higher than the default soft limit for cases where the default is 2508 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2509 */ 2510 rc = avc_has_perm(new_crsec->osid, new_crsec->sid, SECCLASS_PROCESS, 2511 PROCESS__RLIMITINH, NULL); 2512 if (rc) { 2513 /* protect against do_prlimit() */ 2514 task_lock(current); 2515 for (i = 0; i < RLIM_NLIMITS; i++) { 2516 rlim = current->signal->rlim + i; 2517 initrlim = init_task.signal->rlim + i; 2518 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2519 } 2520 task_unlock(current); 2521 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2522 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2523 } 2524 } 2525 2526 /* 2527 * Clean up the process immediately after the installation of new credentials 2528 * due to exec 2529 */ 2530 static void selinux_bprm_committed_creds(const struct linux_binprm *bprm) 2531 { 2532 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 2533 u32 osid, sid; 2534 int rc; 2535 2536 osid = crsec->osid; 2537 sid = crsec->sid; 2538 2539 if (sid == osid) 2540 return; 2541 2542 /* Check whether the new SID can inherit signal state from the old SID. 2543 * If not, clear itimers to avoid subsequent signal generation and 2544 * flush and unblock signals. 2545 * 2546 * This must occur _after_ the task SID has been updated so that any 2547 * kill done after the flush will be checked against the new SID. 2548 */ 2549 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2550 if (rc) { 2551 clear_itimer(); 2552 2553 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock); 2554 if (!fatal_signal_pending(current)) { 2555 flush_sigqueue(¤t->pending); 2556 flush_sigqueue(¤t->signal->shared_pending); 2557 flush_signal_handlers(current, 1); 2558 sigemptyset(¤t->blocked); 2559 recalc_sigpending(); 2560 } 2561 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock); 2562 } 2563 2564 /* Wake up the parent if it is waiting so that it can recheck 2565 * wait permission to the new task SID. */ 2566 read_lock(&tasklist_lock); 2567 __wake_up_parent(current, unrcu_pointer(current->real_parent)); 2568 read_unlock(&tasklist_lock); 2569 } 2570 2571 /* superblock security operations */ 2572 2573 static int selinux_sb_alloc_security(struct super_block *sb) 2574 { 2575 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2576 2577 mutex_init(&sbsec->lock); 2578 INIT_LIST_HEAD(&sbsec->isec_head); 2579 spin_lock_init(&sbsec->isec_lock); 2580 sbsec->sid = SECINITSID_UNLABELED; 2581 sbsec->def_sid = SECINITSID_FILE; 2582 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 2583 2584 return 0; 2585 } 2586 2587 static inline int opt_len(const char *s) 2588 { 2589 bool open_quote = false; 2590 int len; 2591 char c; 2592 2593 for (len = 0; (c = s[len]) != '\0'; len++) { 2594 if (c == '"') 2595 open_quote = !open_quote; 2596 if (c == ',' && !open_quote) 2597 break; 2598 } 2599 return len; 2600 } 2601 2602 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2603 { 2604 char *from = options; 2605 char *to = options; 2606 bool first = true; 2607 int rc; 2608 2609 while (1) { 2610 int len = opt_len(from); 2611 int token; 2612 char *arg = NULL; 2613 2614 token = match_opt_prefix(from, len, &arg); 2615 2616 if (token != Opt_error) { 2617 char *p, *q; 2618 2619 /* strip quotes */ 2620 if (arg) { 2621 for (p = q = arg; p < from + len; p++) { 2622 char c = *p; 2623 if (c != '"') 2624 *q++ = c; 2625 } 2626 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2627 if (!arg) { 2628 rc = -ENOMEM; 2629 goto free_opt; 2630 } 2631 } 2632 rc = selinux_add_opt(token, arg, mnt_opts); 2633 kfree(arg); 2634 arg = NULL; 2635 if (unlikely(rc)) { 2636 goto free_opt; 2637 } 2638 } else { 2639 if (!first) { // copy with preceding comma 2640 from--; 2641 len++; 2642 } 2643 if (to != from) 2644 memmove(to, from, len); 2645 to += len; 2646 first = false; 2647 } 2648 if (!from[len]) 2649 break; 2650 from += len + 1; 2651 } 2652 *to = '\0'; 2653 return 0; 2654 2655 free_opt: 2656 if (*mnt_opts) { 2657 selinux_free_mnt_opts(*mnt_opts); 2658 *mnt_opts = NULL; 2659 } 2660 return rc; 2661 } 2662 2663 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2664 { 2665 struct selinux_mnt_opts *opts = mnt_opts; 2666 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2667 2668 /* 2669 * Superblock not initialized (i.e. no options) - reject if any 2670 * options specified, otherwise accept. 2671 */ 2672 if (!(sbsec->flags & SE_SBINITIALIZED)) 2673 return opts ? 1 : 0; 2674 2675 /* 2676 * Superblock initialized and no options specified - reject if 2677 * superblock has any options set, otherwise accept. 2678 */ 2679 if (!opts) 2680 return (sbsec->flags & SE_MNTMASK) ? 1 : 0; 2681 2682 if (opts->fscontext_sid) { 2683 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2684 opts->fscontext_sid)) 2685 return 1; 2686 } 2687 if (opts->context_sid) { 2688 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2689 opts->context_sid)) 2690 return 1; 2691 } 2692 if (opts->rootcontext_sid) { 2693 struct inode_security_struct *root_isec; 2694 2695 root_isec = backing_inode_security(sb->s_root); 2696 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2697 opts->rootcontext_sid)) 2698 return 1; 2699 } 2700 if (opts->defcontext_sid) { 2701 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2702 opts->defcontext_sid)) 2703 return 1; 2704 } 2705 return 0; 2706 } 2707 2708 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2709 { 2710 struct selinux_mnt_opts *opts = mnt_opts; 2711 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2712 2713 if (!(sbsec->flags & SE_SBINITIALIZED)) 2714 return 0; 2715 2716 if (!opts) 2717 return 0; 2718 2719 if (opts->fscontext_sid) { 2720 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2721 opts->fscontext_sid)) 2722 goto out_bad_option; 2723 } 2724 if (opts->context_sid) { 2725 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2726 opts->context_sid)) 2727 goto out_bad_option; 2728 } 2729 if (opts->rootcontext_sid) { 2730 struct inode_security_struct *root_isec; 2731 root_isec = backing_inode_security(sb->s_root); 2732 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2733 opts->rootcontext_sid)) 2734 goto out_bad_option; 2735 } 2736 if (opts->defcontext_sid) { 2737 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2738 opts->defcontext_sid)) 2739 goto out_bad_option; 2740 } 2741 return 0; 2742 2743 out_bad_option: 2744 pr_warn("SELinux: unable to change security options " 2745 "during remount (dev %s, type=%s)\n", sb->s_id, 2746 sb->s_type->name); 2747 return -EINVAL; 2748 } 2749 2750 static int selinux_sb_kern_mount(const struct super_block *sb) 2751 { 2752 const struct cred *cred = current_cred(); 2753 struct common_audit_data ad; 2754 2755 ad.type = LSM_AUDIT_DATA_DENTRY; 2756 ad.u.dentry = sb->s_root; 2757 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2758 } 2759 2760 static int selinux_sb_statfs(struct dentry *dentry) 2761 { 2762 const struct cred *cred = current_cred(); 2763 struct common_audit_data ad; 2764 2765 ad.type = LSM_AUDIT_DATA_DENTRY; 2766 ad.u.dentry = dentry->d_sb->s_root; 2767 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2768 } 2769 2770 static int selinux_mount(const char *dev_name, 2771 const struct path *path, 2772 const char *type, 2773 unsigned long flags, 2774 void *data) 2775 { 2776 const struct cred *cred = current_cred(); 2777 2778 if (flags & MS_REMOUNT) 2779 return superblock_has_perm(cred, path->dentry->d_sb, 2780 FILESYSTEM__REMOUNT, NULL); 2781 else 2782 return path_has_perm(cred, path, FILE__MOUNTON); 2783 } 2784 2785 static int selinux_move_mount(const struct path *from_path, 2786 const struct path *to_path) 2787 { 2788 const struct cred *cred = current_cred(); 2789 2790 return path_has_perm(cred, to_path, FILE__MOUNTON); 2791 } 2792 2793 static int selinux_umount(struct vfsmount *mnt, int flags) 2794 { 2795 const struct cred *cred = current_cred(); 2796 2797 return superblock_has_perm(cred, mnt->mnt_sb, 2798 FILESYSTEM__UNMOUNT, NULL); 2799 } 2800 2801 static int selinux_fs_context_submount(struct fs_context *fc, 2802 struct super_block *reference) 2803 { 2804 const struct superblock_security_struct *sbsec = selinux_superblock(reference); 2805 struct selinux_mnt_opts *opts; 2806 2807 /* 2808 * Ensure that fc->security remains NULL when no options are set 2809 * as expected by selinux_set_mnt_opts(). 2810 */ 2811 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) 2812 return 0; 2813 2814 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 2815 if (!opts) 2816 return -ENOMEM; 2817 2818 if (sbsec->flags & FSCONTEXT_MNT) 2819 opts->fscontext_sid = sbsec->sid; 2820 if (sbsec->flags & CONTEXT_MNT) 2821 opts->context_sid = sbsec->mntpoint_sid; 2822 if (sbsec->flags & DEFCONTEXT_MNT) 2823 opts->defcontext_sid = sbsec->def_sid; 2824 fc->security = opts; 2825 return 0; 2826 } 2827 2828 static int selinux_fs_context_dup(struct fs_context *fc, 2829 struct fs_context *src_fc) 2830 { 2831 const struct selinux_mnt_opts *src = src_fc->security; 2832 2833 if (!src) 2834 return 0; 2835 2836 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL); 2837 return fc->security ? 0 : -ENOMEM; 2838 } 2839 2840 static const struct fs_parameter_spec selinux_fs_parameters[] = { 2841 fsparam_string(CONTEXT_STR, Opt_context), 2842 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2843 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2844 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2845 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2846 {} 2847 }; 2848 2849 static int selinux_fs_context_parse_param(struct fs_context *fc, 2850 struct fs_parameter *param) 2851 { 2852 struct fs_parse_result result; 2853 int opt; 2854 2855 opt = fs_parse(fc, selinux_fs_parameters, param, &result); 2856 if (opt < 0) 2857 return opt; 2858 2859 return selinux_add_opt(opt, param->string, &fc->security); 2860 } 2861 2862 /* inode security operations */ 2863 2864 static int selinux_inode_alloc_security(struct inode *inode) 2865 { 2866 struct inode_security_struct *isec = selinux_inode(inode); 2867 u32 sid = current_sid(); 2868 2869 spin_lock_init(&isec->lock); 2870 INIT_LIST_HEAD(&isec->list); 2871 isec->inode = inode; 2872 isec->sid = SECINITSID_UNLABELED; 2873 isec->sclass = SECCLASS_FILE; 2874 isec->task_sid = sid; 2875 isec->initialized = LABEL_INVALID; 2876 2877 return 0; 2878 } 2879 2880 static void selinux_inode_free_security(struct inode *inode) 2881 { 2882 inode_free_security(inode); 2883 } 2884 2885 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2886 const struct qstr *name, 2887 const char **xattr_name, 2888 struct lsm_context *cp) 2889 { 2890 u32 newsid; 2891 int rc; 2892 2893 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2894 d_inode(dentry->d_parent), name, 2895 inode_mode_to_security_class(mode), 2896 &newsid); 2897 if (rc) 2898 return rc; 2899 2900 if (xattr_name) 2901 *xattr_name = XATTR_NAME_SELINUX; 2902 2903 cp->id = LSM_ID_SELINUX; 2904 return security_sid_to_context(newsid, &cp->context, &cp->len); 2905 } 2906 2907 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2908 const struct qstr *name, 2909 const struct cred *old, 2910 struct cred *new) 2911 { 2912 u32 newsid; 2913 int rc; 2914 struct cred_security_struct *crsec; 2915 2916 rc = selinux_determine_inode_label(selinux_cred(old), 2917 d_inode(dentry->d_parent), name, 2918 inode_mode_to_security_class(mode), 2919 &newsid); 2920 if (rc) 2921 return rc; 2922 2923 crsec = selinux_cred(new); 2924 crsec->create_sid = newsid; 2925 return 0; 2926 } 2927 2928 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2929 const struct qstr *qstr, 2930 struct xattr *xattrs, int *xattr_count) 2931 { 2932 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 2933 struct superblock_security_struct *sbsec; 2934 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 2935 u32 newsid, clen; 2936 u16 newsclass; 2937 int rc; 2938 char *context; 2939 2940 sbsec = selinux_superblock(dir->i_sb); 2941 2942 newsid = crsec->create_sid; 2943 newsclass = inode_mode_to_security_class(inode->i_mode); 2944 rc = selinux_determine_inode_label(crsec, dir, qstr, newsclass, &newsid); 2945 if (rc) 2946 return rc; 2947 2948 /* Possibly defer initialization to selinux_complete_init. */ 2949 if (sbsec->flags & SE_SBINITIALIZED) { 2950 struct inode_security_struct *isec = selinux_inode(inode); 2951 isec->sclass = newsclass; 2952 isec->sid = newsid; 2953 isec->initialized = LABEL_INITIALIZED; 2954 } 2955 2956 if (!selinux_initialized() || 2957 !(sbsec->flags & SBLABEL_MNT)) 2958 return -EOPNOTSUPP; 2959 2960 if (xattr) { 2961 rc = security_sid_to_context_force(newsid, 2962 &context, &clen); 2963 if (rc) 2964 return rc; 2965 xattr->value = context; 2966 xattr->value_len = clen; 2967 xattr->name = XATTR_SELINUX_SUFFIX; 2968 } 2969 2970 return 0; 2971 } 2972 2973 static int selinux_inode_init_security_anon(struct inode *inode, 2974 const struct qstr *name, 2975 const struct inode *context_inode) 2976 { 2977 u32 sid = current_sid(); 2978 struct common_audit_data ad; 2979 struct inode_security_struct *isec; 2980 int rc; 2981 2982 if (unlikely(!selinux_initialized())) 2983 return 0; 2984 2985 isec = selinux_inode(inode); 2986 2987 /* 2988 * We only get here once per ephemeral inode. The inode has 2989 * been initialized via inode_alloc_security but is otherwise 2990 * untouched. 2991 */ 2992 2993 if (context_inode) { 2994 struct inode_security_struct *context_isec = 2995 selinux_inode(context_inode); 2996 if (context_isec->initialized != LABEL_INITIALIZED) { 2997 pr_err("SELinux: context_inode is not initialized\n"); 2998 return -EACCES; 2999 } 3000 3001 isec->sclass = context_isec->sclass; 3002 isec->sid = context_isec->sid; 3003 } else { 3004 isec->sclass = SECCLASS_ANON_INODE; 3005 rc = security_transition_sid( 3006 sid, sid, 3007 isec->sclass, name, &isec->sid); 3008 if (rc) 3009 return rc; 3010 } 3011 3012 isec->initialized = LABEL_INITIALIZED; 3013 /* 3014 * Now that we've initialized security, check whether we're 3015 * allowed to actually create this type of anonymous inode. 3016 */ 3017 3018 ad.type = LSM_AUDIT_DATA_ANONINODE; 3019 ad.u.anonclass = name ? (const char *)name->name : "?"; 3020 3021 return avc_has_perm(sid, 3022 isec->sid, 3023 isec->sclass, 3024 FILE__CREATE, 3025 &ad); 3026 } 3027 3028 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3029 { 3030 return may_create(dir, dentry, SECCLASS_FILE); 3031 } 3032 3033 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3034 { 3035 return may_link(dir, old_dentry, MAY_LINK); 3036 } 3037 3038 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3039 { 3040 return may_link(dir, dentry, MAY_UNLINK); 3041 } 3042 3043 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3044 { 3045 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3046 } 3047 3048 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3049 { 3050 return may_create(dir, dentry, SECCLASS_DIR); 3051 } 3052 3053 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3054 { 3055 return may_link(dir, dentry, MAY_RMDIR); 3056 } 3057 3058 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3059 { 3060 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3061 } 3062 3063 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3064 struct inode *new_inode, struct dentry *new_dentry) 3065 { 3066 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3067 } 3068 3069 static int selinux_inode_readlink(struct dentry *dentry) 3070 { 3071 const struct cred *cred = current_cred(); 3072 3073 return dentry_has_perm(cred, dentry, FILE__READ); 3074 } 3075 3076 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3077 bool rcu) 3078 { 3079 struct common_audit_data ad; 3080 struct inode_security_struct *isec; 3081 u32 sid = current_sid(); 3082 3083 ad.type = LSM_AUDIT_DATA_DENTRY; 3084 ad.u.dentry = dentry; 3085 isec = inode_security_rcu(inode, rcu); 3086 if (IS_ERR(isec)) 3087 return PTR_ERR(isec); 3088 3089 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad); 3090 } 3091 3092 static noinline int audit_inode_permission(struct inode *inode, 3093 u32 perms, u32 audited, u32 denied, 3094 int result) 3095 { 3096 struct common_audit_data ad; 3097 struct inode_security_struct *isec = selinux_inode(inode); 3098 3099 ad.type = LSM_AUDIT_DATA_INODE; 3100 ad.u.inode = inode; 3101 3102 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3103 audited, denied, result, &ad); 3104 } 3105 3106 /** 3107 * task_avdcache_reset - Reset the task's AVD cache 3108 * @tsec: the task's security state 3109 * 3110 * Clear the task's AVD cache in @tsec and reset it to the current policy's 3111 * and task's info. 3112 */ 3113 static inline void task_avdcache_reset(struct task_security_struct *tsec) 3114 { 3115 memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir)); 3116 tsec->avdcache.sid = current_sid(); 3117 tsec->avdcache.seqno = avc_policy_seqno(); 3118 tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1; 3119 } 3120 3121 /** 3122 * task_avdcache_search - Search the task's AVD cache 3123 * @tsec: the task's security state 3124 * @isec: the inode to search for in the cache 3125 * @avdc: matching avd cache entry returned to the caller 3126 * 3127 * Search @tsec for a AVD cache entry that matches @isec and return it to the 3128 * caller via @avdc. Returns 0 if a match is found, negative values otherwise. 3129 */ 3130 static inline int task_avdcache_search(struct task_security_struct *tsec, 3131 struct inode_security_struct *isec, 3132 struct avdc_entry **avdc) 3133 { 3134 int orig, iter; 3135 3136 /* focused on path walk optimization, only cache directories */ 3137 if (isec->sclass != SECCLASS_DIR) 3138 return -ENOENT; 3139 3140 if (unlikely(current_sid() != tsec->avdcache.sid || 3141 tsec->avdcache.seqno != avc_policy_seqno())) { 3142 task_avdcache_reset(tsec); 3143 return -ENOENT; 3144 } 3145 3146 orig = iter = tsec->avdcache.dir_spot; 3147 do { 3148 if (tsec->avdcache.dir[iter].isid == isec->sid) { 3149 /* cache hit */ 3150 tsec->avdcache.dir_spot = iter; 3151 *avdc = &tsec->avdcache.dir[iter]; 3152 return 0; 3153 } 3154 iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1); 3155 } while (iter != orig); 3156 3157 return -ENOENT; 3158 } 3159 3160 /** 3161 * task_avdcache_update - Update the task's AVD cache 3162 * @tsec: the task's security state 3163 * @isec: the inode associated with the cache entry 3164 * @avd: the AVD to cache 3165 * @audited: the permission audit bitmask to cache 3166 * 3167 * Update the AVD cache in @tsec with the @avdc and @audited info associated 3168 * with @isec. 3169 */ 3170 static inline void task_avdcache_update(struct task_security_struct *tsec, 3171 struct inode_security_struct *isec, 3172 struct av_decision *avd, 3173 u32 audited) 3174 { 3175 int spot; 3176 3177 /* focused on path walk optimization, only cache directories */ 3178 if (isec->sclass != SECCLASS_DIR) 3179 return; 3180 3181 /* update cache */ 3182 spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1); 3183 tsec->avdcache.dir_spot = spot; 3184 tsec->avdcache.dir[spot].isid = isec->sid; 3185 tsec->avdcache.dir[spot].audited = audited; 3186 tsec->avdcache.dir[spot].allowed = avd->allowed; 3187 tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE; 3188 tsec->avdcache.permissive_neveraudit = 3189 (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT)); 3190 } 3191 3192 /** 3193 * selinux_inode_permission - Check if the current task can access an inode 3194 * @inode: the inode that is being accessed 3195 * @requested: the accesses being requested 3196 * 3197 * Check if the current task is allowed to access @inode according to 3198 * @requested. Returns 0 if allowed, negative values otherwise. 3199 */ 3200 static int selinux_inode_permission(struct inode *inode, int requested) 3201 { 3202 int mask; 3203 u32 perms; 3204 u32 sid = current_sid(); 3205 struct task_security_struct *tsec; 3206 struct inode_security_struct *isec; 3207 struct avdc_entry *avdc; 3208 int rc, rc2; 3209 u32 audited, denied; 3210 3211 mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3212 3213 /* No permission to check. Existence test. */ 3214 if (!mask) 3215 return 0; 3216 3217 tsec = selinux_task(current); 3218 if (task_avdcache_permnoaudit(tsec, sid)) 3219 return 0; 3220 3221 isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK); 3222 if (IS_ERR(isec)) 3223 return PTR_ERR(isec); 3224 perms = file_mask_to_av(inode->i_mode, mask); 3225 3226 rc = task_avdcache_search(tsec, isec, &avdc); 3227 if (likely(!rc)) { 3228 /* Cache hit. */ 3229 audited = perms & avdc->audited; 3230 denied = perms & ~avdc->allowed; 3231 if (unlikely(denied && enforcing_enabled() && 3232 !avdc->permissive)) 3233 rc = -EACCES; 3234 } else { 3235 struct av_decision avd; 3236 3237 /* Cache miss. */ 3238 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, 3239 perms, 0, &avd); 3240 audited = avc_audit_required(perms, &avd, rc, 3241 (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0, 3242 &denied); 3243 task_avdcache_update(tsec, isec, &avd, audited); 3244 } 3245 3246 if (likely(!audited)) 3247 return rc; 3248 3249 rc2 = audit_inode_permission(inode, perms, audited, denied, rc); 3250 if (rc2) 3251 return rc2; 3252 3253 return rc; 3254 } 3255 3256 static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 3257 struct iattr *iattr) 3258 { 3259 const struct cred *cred = current_cred(); 3260 struct inode *inode = d_backing_inode(dentry); 3261 unsigned int ia_valid = iattr->ia_valid; 3262 u32 av = FILE__WRITE; 3263 3264 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3265 if (ia_valid & ATTR_FORCE) { 3266 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3267 ATTR_FORCE); 3268 if (!ia_valid) 3269 return 0; 3270 } 3271 3272 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3273 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3274 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3275 3276 if (selinux_policycap_openperm() && 3277 inode->i_sb->s_magic != SOCKFS_MAGIC && 3278 (ia_valid & ATTR_SIZE) && 3279 !(ia_valid & ATTR_FILE)) 3280 av |= FILE__OPEN; 3281 3282 return dentry_has_perm(cred, dentry, av); 3283 } 3284 3285 static int selinux_inode_getattr(const struct path *path) 3286 { 3287 struct task_security_struct *tsec; 3288 3289 tsec = selinux_task(current); 3290 3291 if (task_avdcache_permnoaudit(tsec, current_sid())) 3292 return 0; 3293 3294 return path_has_perm(current_cred(), path, FILE__GETATTR); 3295 } 3296 3297 static bool has_cap_mac_admin(bool audit) 3298 { 3299 const struct cred *cred = current_cred(); 3300 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3301 3302 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3303 return false; 3304 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3305 return false; 3306 return true; 3307 } 3308 3309 /** 3310 * selinux_inode_xattr_skipcap - Skip the xattr capability checks? 3311 * @name: name of the xattr 3312 * 3313 * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs 3314 * named @name; the LSM layer should avoid enforcing any traditional 3315 * capability based access controls on this xattr. Returns 0 to indicate that 3316 * SELinux does not "own" the access control rights to xattrs named @name and is 3317 * deferring to the LSM layer for further access controls, including capability 3318 * based controls. 3319 */ 3320 static int selinux_inode_xattr_skipcap(const char *name) 3321 { 3322 /* require capability check if not a selinux xattr */ 3323 return !strcmp(name, XATTR_NAME_SELINUX); 3324 } 3325 3326 static int selinux_inode_setxattr(struct mnt_idmap *idmap, 3327 struct dentry *dentry, const char *name, 3328 const void *value, size_t size, int flags) 3329 { 3330 struct inode *inode = d_backing_inode(dentry); 3331 struct inode_security_struct *isec; 3332 struct superblock_security_struct *sbsec; 3333 struct common_audit_data ad; 3334 u32 newsid, sid = current_sid(); 3335 int rc = 0; 3336 3337 /* if not a selinux xattr, only check the ordinary setattr perm */ 3338 if (strcmp(name, XATTR_NAME_SELINUX)) 3339 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3340 3341 if (!selinux_initialized()) 3342 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM); 3343 3344 sbsec = selinux_superblock(inode->i_sb); 3345 if (!(sbsec->flags & SBLABEL_MNT)) 3346 return -EOPNOTSUPP; 3347 3348 if (!inode_owner_or_capable(idmap, inode)) 3349 return -EPERM; 3350 3351 ad.type = LSM_AUDIT_DATA_DENTRY; 3352 ad.u.dentry = dentry; 3353 3354 isec = backing_inode_security(dentry); 3355 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3356 FILE__RELABELFROM, &ad); 3357 if (rc) 3358 return rc; 3359 3360 rc = security_context_to_sid(value, size, &newsid, 3361 GFP_KERNEL); 3362 if (rc == -EINVAL) { 3363 if (!has_cap_mac_admin(true)) { 3364 struct audit_buffer *ab; 3365 size_t audit_size; 3366 3367 /* We strip a nul only if it is at the end, otherwise the 3368 * context contains a nul and we should audit that */ 3369 if (value) { 3370 const char *str = value; 3371 3372 if (str[size - 1] == '\0') 3373 audit_size = size - 1; 3374 else 3375 audit_size = size; 3376 } else { 3377 audit_size = 0; 3378 } 3379 ab = audit_log_start(audit_context(), 3380 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3381 if (!ab) 3382 return rc; 3383 audit_log_format(ab, "op=setxattr invalid_context="); 3384 audit_log_n_untrustedstring(ab, value, audit_size); 3385 audit_log_end(ab); 3386 3387 return rc; 3388 } 3389 rc = security_context_to_sid_force(value, 3390 size, &newsid); 3391 } 3392 if (rc) 3393 return rc; 3394 3395 rc = avc_has_perm(sid, newsid, isec->sclass, 3396 FILE__RELABELTO, &ad); 3397 if (rc) 3398 return rc; 3399 3400 rc = security_validate_transition(isec->sid, newsid, 3401 sid, isec->sclass); 3402 if (rc) 3403 return rc; 3404 3405 return avc_has_perm(newsid, 3406 sbsec->sid, 3407 SECCLASS_FILESYSTEM, 3408 FILESYSTEM__ASSOCIATE, 3409 &ad); 3410 } 3411 3412 static int selinux_inode_set_acl(struct mnt_idmap *idmap, 3413 struct dentry *dentry, const char *acl_name, 3414 struct posix_acl *kacl) 3415 { 3416 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3417 } 3418 3419 static int selinux_inode_get_acl(struct mnt_idmap *idmap, 3420 struct dentry *dentry, const char *acl_name) 3421 { 3422 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3423 } 3424 3425 static int selinux_inode_remove_acl(struct mnt_idmap *idmap, 3426 struct dentry *dentry, const char *acl_name) 3427 { 3428 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3429 } 3430 3431 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3432 const void *value, size_t size, 3433 int flags) 3434 { 3435 struct inode *inode = d_backing_inode(dentry); 3436 struct inode_security_struct *isec; 3437 u32 newsid; 3438 int rc; 3439 3440 if (strcmp(name, XATTR_NAME_SELINUX)) { 3441 /* Not an attribute we recognize, so nothing to do. */ 3442 return; 3443 } 3444 3445 if (!selinux_initialized()) { 3446 /* If we haven't even been initialized, then we can't validate 3447 * against a policy, so leave the label as invalid. It may 3448 * resolve to a valid label on the next revalidation try if 3449 * we've since initialized. 3450 */ 3451 return; 3452 } 3453 3454 rc = security_context_to_sid_force(value, size, 3455 &newsid); 3456 if (rc) { 3457 pr_err("SELinux: unable to map context to SID" 3458 "for (%s, %lu), rc=%d\n", 3459 inode->i_sb->s_id, inode->i_ino, -rc); 3460 return; 3461 } 3462 3463 isec = backing_inode_security(dentry); 3464 spin_lock(&isec->lock); 3465 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3466 isec->sid = newsid; 3467 isec->initialized = LABEL_INITIALIZED; 3468 spin_unlock(&isec->lock); 3469 } 3470 3471 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3472 { 3473 const struct cred *cred = current_cred(); 3474 3475 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3476 } 3477 3478 static int selinux_inode_listxattr(struct dentry *dentry) 3479 { 3480 const struct cred *cred = current_cred(); 3481 3482 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3483 } 3484 3485 static int selinux_inode_removexattr(struct mnt_idmap *idmap, 3486 struct dentry *dentry, const char *name) 3487 { 3488 /* if not a selinux xattr, only check the ordinary setattr perm */ 3489 if (strcmp(name, XATTR_NAME_SELINUX)) 3490 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3491 3492 if (!selinux_initialized()) 3493 return 0; 3494 3495 /* No one is allowed to remove a SELinux security label. 3496 You can change the label, but all data must be labeled. */ 3497 return -EACCES; 3498 } 3499 3500 static int selinux_inode_file_setattr(struct dentry *dentry, 3501 struct file_kattr *fa) 3502 { 3503 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3504 } 3505 3506 static int selinux_inode_file_getattr(struct dentry *dentry, 3507 struct file_kattr *fa) 3508 { 3509 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3510 } 3511 3512 static int selinux_path_notify(const struct path *path, u64 mask, 3513 unsigned int obj_type) 3514 { 3515 int ret; 3516 u32 perm; 3517 3518 struct common_audit_data ad; 3519 3520 ad.type = LSM_AUDIT_DATA_PATH; 3521 ad.u.path = *path; 3522 3523 /* 3524 * Set permission needed based on the type of mark being set. 3525 * Performs an additional check for sb watches. 3526 */ 3527 switch (obj_type) { 3528 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3529 perm = FILE__WATCH_MOUNT; 3530 break; 3531 case FSNOTIFY_OBJ_TYPE_SB: 3532 perm = FILE__WATCH_SB; 3533 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3534 FILESYSTEM__WATCH, &ad); 3535 if (ret) 3536 return ret; 3537 break; 3538 case FSNOTIFY_OBJ_TYPE_INODE: 3539 perm = FILE__WATCH; 3540 break; 3541 case FSNOTIFY_OBJ_TYPE_MNTNS: 3542 perm = FILE__WATCH_MOUNTNS; 3543 break; 3544 default: 3545 return -EINVAL; 3546 } 3547 3548 /* blocking watches require the file:watch_with_perm permission */ 3549 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3550 perm |= FILE__WATCH_WITH_PERM; 3551 3552 /* watches on read-like events need the file:watch_reads permission */ 3553 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS | 3554 FS_CLOSE_NOWRITE)) 3555 perm |= FILE__WATCH_READS; 3556 3557 return path_has_perm(current_cred(), path, perm); 3558 } 3559 3560 /* 3561 * Copy the inode security context value to the user. 3562 * 3563 * Permission check is handled by selinux_inode_getxattr hook. 3564 */ 3565 static int selinux_inode_getsecurity(struct mnt_idmap *idmap, 3566 struct inode *inode, const char *name, 3567 void **buffer, bool alloc) 3568 { 3569 u32 size; 3570 int error; 3571 char *context = NULL; 3572 struct inode_security_struct *isec; 3573 3574 /* 3575 * If we're not initialized yet, then we can't validate contexts, so 3576 * just let vfs_getxattr fall back to using the on-disk xattr. 3577 */ 3578 if (!selinux_initialized() || 3579 strcmp(name, XATTR_SELINUX_SUFFIX)) 3580 return -EOPNOTSUPP; 3581 3582 /* 3583 * If the caller has CAP_MAC_ADMIN, then get the raw context 3584 * value even if it is not defined by current policy; otherwise, 3585 * use the in-core value under current policy. 3586 * Use the non-auditing forms of the permission checks since 3587 * getxattr may be called by unprivileged processes commonly 3588 * and lack of permission just means that we fall back to the 3589 * in-core context value, not a denial. 3590 */ 3591 isec = inode_security(inode); 3592 if (has_cap_mac_admin(false)) 3593 error = security_sid_to_context_force(isec->sid, &context, 3594 &size); 3595 else 3596 error = security_sid_to_context(isec->sid, 3597 &context, &size); 3598 if (error) 3599 return error; 3600 error = size; 3601 if (alloc) { 3602 *buffer = context; 3603 goto out_nofree; 3604 } 3605 kfree(context); 3606 out_nofree: 3607 return error; 3608 } 3609 3610 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3611 const void *value, size_t size, int flags) 3612 { 3613 struct inode_security_struct *isec = inode_security_novalidate(inode); 3614 struct superblock_security_struct *sbsec; 3615 u32 newsid; 3616 int rc; 3617 3618 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3619 return -EOPNOTSUPP; 3620 3621 sbsec = selinux_superblock(inode->i_sb); 3622 if (!(sbsec->flags & SBLABEL_MNT)) 3623 return -EOPNOTSUPP; 3624 3625 if (!value || !size) 3626 return -EACCES; 3627 3628 rc = security_context_to_sid(value, size, &newsid, 3629 GFP_KERNEL); 3630 if (rc) 3631 return rc; 3632 3633 spin_lock(&isec->lock); 3634 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3635 isec->sid = newsid; 3636 isec->initialized = LABEL_INITIALIZED; 3637 spin_unlock(&isec->lock); 3638 return 0; 3639 } 3640 3641 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3642 { 3643 const int len = sizeof(XATTR_NAME_SELINUX); 3644 3645 if (!selinux_initialized()) 3646 return 0; 3647 3648 if (buffer && len <= buffer_size) 3649 memcpy(buffer, XATTR_NAME_SELINUX, len); 3650 return len; 3651 } 3652 3653 static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 3654 { 3655 struct inode_security_struct *isec = inode_security_novalidate(inode); 3656 3657 prop->selinux.secid = isec->sid; 3658 } 3659 3660 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3661 { 3662 struct lsm_prop prop; 3663 struct cred_security_struct *crsec; 3664 struct cred *new_creds = *new; 3665 3666 if (new_creds == NULL) { 3667 new_creds = prepare_creds(); 3668 if (!new_creds) 3669 return -ENOMEM; 3670 } 3671 3672 crsec = selinux_cred(new_creds); 3673 /* Get label from overlay inode and set it in create_sid */ 3674 selinux_inode_getlsmprop(d_inode(src), &prop); 3675 crsec->create_sid = prop.selinux.secid; 3676 *new = new_creds; 3677 return 0; 3678 } 3679 3680 static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) 3681 { 3682 /* The copy_up hook above sets the initial context on an inode, but we 3683 * don't then want to overwrite it by blindly copying all the lower 3684 * xattrs up. Instead, filter out SELinux-related xattrs following 3685 * policy load. 3686 */ 3687 if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX)) 3688 return -ECANCELED; /* Discard */ 3689 /* 3690 * Any other attribute apart from SELINUX is not claimed, supported 3691 * by selinux. 3692 */ 3693 return -EOPNOTSUPP; 3694 } 3695 3696 /* kernfs node operations */ 3697 3698 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3699 struct kernfs_node *kn) 3700 { 3701 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 3702 u32 parent_sid, newsid, clen; 3703 int rc; 3704 char *context; 3705 3706 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3707 if (rc == -ENODATA) 3708 return 0; 3709 else if (rc < 0) 3710 return rc; 3711 3712 clen = (u32)rc; 3713 context = kmalloc(clen, GFP_KERNEL); 3714 if (!context) 3715 return -ENOMEM; 3716 3717 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3718 if (rc < 0) { 3719 kfree(context); 3720 return rc; 3721 } 3722 3723 rc = security_context_to_sid(context, clen, &parent_sid, 3724 GFP_KERNEL); 3725 kfree(context); 3726 if (rc) 3727 return rc; 3728 3729 if (crsec->create_sid) { 3730 newsid = crsec->create_sid; 3731 } else { 3732 u16 secclass = inode_mode_to_security_class(kn->mode); 3733 const char *kn_name; 3734 struct qstr q; 3735 3736 /* kn is fresh, can't be renamed, name goes not away */ 3737 kn_name = rcu_dereference_check(kn->name, true); 3738 q.name = kn_name; 3739 q.hash_len = hashlen_string(kn_dir, kn_name); 3740 3741 rc = security_transition_sid(crsec->sid, 3742 parent_sid, secclass, &q, 3743 &newsid); 3744 if (rc) 3745 return rc; 3746 } 3747 3748 rc = security_sid_to_context_force(newsid, 3749 &context, &clen); 3750 if (rc) 3751 return rc; 3752 3753 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3754 XATTR_CREATE); 3755 kfree(context); 3756 return rc; 3757 } 3758 3759 3760 /* file security operations */ 3761 3762 static int selinux_revalidate_file_permission(struct file *file, int mask) 3763 { 3764 const struct cred *cred = current_cred(); 3765 struct inode *inode = file_inode(file); 3766 3767 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3768 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3769 mask |= MAY_APPEND; 3770 3771 return file_has_perm(cred, file, 3772 file_mask_to_av(inode->i_mode, mask)); 3773 } 3774 3775 static int selinux_file_permission(struct file *file, int mask) 3776 { 3777 struct inode *inode = file_inode(file); 3778 struct file_security_struct *fsec = selinux_file(file); 3779 struct inode_security_struct *isec; 3780 u32 sid = current_sid(); 3781 3782 if (!mask) 3783 /* No permission to check. Existence test. */ 3784 return 0; 3785 3786 isec = inode_security(inode); 3787 if (sid == fsec->sid && fsec->isid == isec->sid && 3788 fsec->pseqno == avc_policy_seqno()) 3789 /* No change since file_open check. */ 3790 return 0; 3791 3792 return selinux_revalidate_file_permission(file, mask); 3793 } 3794 3795 static int selinux_file_alloc_security(struct file *file) 3796 { 3797 struct file_security_struct *fsec = selinux_file(file); 3798 u32 sid = current_sid(); 3799 3800 fsec->sid = sid; 3801 fsec->fown_sid = sid; 3802 3803 return 0; 3804 } 3805 3806 /* 3807 * Check whether a task has the ioctl permission and cmd 3808 * operation to an inode. 3809 */ 3810 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3811 u32 requested, u16 cmd) 3812 { 3813 struct common_audit_data ad; 3814 struct file_security_struct *fsec = selinux_file(file); 3815 struct inode *inode = file_inode(file); 3816 struct inode_security_struct *isec; 3817 struct lsm_ioctlop_audit ioctl; 3818 u32 ssid = cred_sid(cred); 3819 int rc; 3820 u8 driver = cmd >> 8; 3821 u8 xperm = cmd & 0xff; 3822 3823 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3824 ad.u.op = &ioctl; 3825 ad.u.op->cmd = cmd; 3826 ad.u.op->path = file->f_path; 3827 3828 if (ssid != fsec->sid) { 3829 rc = avc_has_perm(ssid, fsec->sid, 3830 SECCLASS_FD, 3831 FD__USE, 3832 &ad); 3833 if (rc) 3834 goto out; 3835 } 3836 3837 if (unlikely(IS_PRIVATE(inode))) 3838 return 0; 3839 3840 isec = inode_security(inode); 3841 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested, 3842 driver, AVC_EXT_IOCTL, xperm, &ad); 3843 out: 3844 return rc; 3845 } 3846 3847 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3848 unsigned long arg) 3849 { 3850 const struct cred *cred = current_cred(); 3851 int error = 0; 3852 3853 switch (cmd) { 3854 case FIONREAD: 3855 case FIBMAP: 3856 case FIGETBSZ: 3857 case FS_IOC_GETFLAGS: 3858 case FS_IOC_GETVERSION: 3859 error = file_has_perm(cred, file, FILE__GETATTR); 3860 break; 3861 3862 case FS_IOC_SETFLAGS: 3863 case FS_IOC_SETVERSION: 3864 error = file_has_perm(cred, file, FILE__SETATTR); 3865 break; 3866 3867 /* sys_ioctl() checks */ 3868 case FIONBIO: 3869 case FIOASYNC: 3870 error = file_has_perm(cred, file, 0); 3871 break; 3872 3873 case KDSKBENT: 3874 case KDSKBSENT: 3875 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3876 CAP_OPT_NONE, true); 3877 break; 3878 3879 case FIOCLEX: 3880 case FIONCLEX: 3881 if (!selinux_policycap_ioctl_skip_cloexec()) 3882 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3883 break; 3884 3885 /* default case assumes that the command will go 3886 * to the file's ioctl() function. 3887 */ 3888 default: 3889 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3890 } 3891 return error; 3892 } 3893 3894 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd, 3895 unsigned long arg) 3896 { 3897 /* 3898 * If we are in a 64-bit kernel running 32-bit userspace, we need to 3899 * make sure we don't compare 32-bit flags to 64-bit flags. 3900 */ 3901 switch (cmd) { 3902 case FS_IOC32_GETFLAGS: 3903 cmd = FS_IOC_GETFLAGS; 3904 break; 3905 case FS_IOC32_SETFLAGS: 3906 cmd = FS_IOC_SETFLAGS; 3907 break; 3908 case FS_IOC32_GETVERSION: 3909 cmd = FS_IOC_GETVERSION; 3910 break; 3911 case FS_IOC32_SETVERSION: 3912 cmd = FS_IOC_SETVERSION; 3913 break; 3914 default: 3915 break; 3916 } 3917 3918 return selinux_file_ioctl(file, cmd, arg); 3919 } 3920 3921 static int default_noexec __ro_after_init; 3922 3923 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3924 { 3925 const struct cred *cred = current_cred(); 3926 u32 sid = cred_sid(cred); 3927 int rc = 0; 3928 3929 if (default_noexec && 3930 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3931 (!shared && (prot & PROT_WRITE)))) { 3932 /* 3933 * We are making executable an anonymous mapping or a 3934 * private file mapping that will also be writable. 3935 * This has an additional check. 3936 */ 3937 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3938 PROCESS__EXECMEM, NULL); 3939 if (rc) 3940 goto error; 3941 } 3942 3943 if (file) { 3944 /* read access is always possible with a mapping */ 3945 u32 av = FILE__READ; 3946 3947 /* write access only matters if the mapping is shared */ 3948 if (shared && (prot & PROT_WRITE)) 3949 av |= FILE__WRITE; 3950 3951 if (prot & PROT_EXEC) 3952 av |= FILE__EXECUTE; 3953 3954 return file_has_perm(cred, file, av); 3955 } 3956 3957 error: 3958 return rc; 3959 } 3960 3961 static int selinux_mmap_addr(unsigned long addr) 3962 { 3963 int rc = 0; 3964 3965 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3966 u32 sid = current_sid(); 3967 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3968 MEMPROTECT__MMAP_ZERO, NULL); 3969 } 3970 3971 return rc; 3972 } 3973 3974 static int selinux_mmap_file(struct file *file, 3975 unsigned long reqprot __always_unused, 3976 unsigned long prot, unsigned long flags) 3977 { 3978 struct common_audit_data ad; 3979 int rc; 3980 3981 if (file) { 3982 ad.type = LSM_AUDIT_DATA_FILE; 3983 ad.u.file = file; 3984 rc = inode_has_perm(current_cred(), file_inode(file), 3985 FILE__MAP, &ad); 3986 if (rc) 3987 return rc; 3988 } 3989 3990 return file_map_prot_check(file, prot, 3991 (flags & MAP_TYPE) == MAP_SHARED); 3992 } 3993 3994 static int selinux_file_mprotect(struct vm_area_struct *vma, 3995 unsigned long reqprot __always_unused, 3996 unsigned long prot) 3997 { 3998 const struct cred *cred = current_cred(); 3999 u32 sid = cred_sid(cred); 4000 4001 if (default_noexec && 4002 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 4003 int rc = 0; 4004 /* 4005 * We don't use the vma_is_initial_heap() helper as it has 4006 * a history of problems and is currently broken on systems 4007 * where there is no heap, e.g. brk == start_brk. Before 4008 * replacing the conditional below with vma_is_initial_heap(), 4009 * or something similar, please ensure that the logic is the 4010 * same as what we have below or you have tested every possible 4011 * corner case you can think to test. 4012 */ 4013 if (vma->vm_start >= vma->vm_mm->start_brk && 4014 vma->vm_end <= vma->vm_mm->brk) { 4015 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 4016 PROCESS__EXECHEAP, NULL); 4017 } else if (!vma->vm_file && (vma_is_initial_stack(vma) || 4018 vma_is_stack_for_current(vma))) { 4019 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 4020 PROCESS__EXECSTACK, NULL); 4021 } else if (vma->vm_file && vma->anon_vma) { 4022 /* 4023 * We are making executable a file mapping that has 4024 * had some COW done. Since pages might have been 4025 * written, check ability to execute the possibly 4026 * modified content. This typically should only 4027 * occur for text relocations. 4028 */ 4029 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 4030 } 4031 if (rc) 4032 return rc; 4033 } 4034 4035 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 4036 } 4037 4038 static int selinux_file_lock(struct file *file, unsigned int cmd) 4039 { 4040 const struct cred *cred = current_cred(); 4041 4042 return file_has_perm(cred, file, FILE__LOCK); 4043 } 4044 4045 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 4046 unsigned long arg) 4047 { 4048 const struct cred *cred = current_cred(); 4049 int err = 0; 4050 4051 switch (cmd) { 4052 case F_SETFL: 4053 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 4054 err = file_has_perm(cred, file, FILE__WRITE); 4055 break; 4056 } 4057 fallthrough; 4058 case F_SETOWN: 4059 case F_SETSIG: 4060 case F_GETFL: 4061 case F_GETOWN: 4062 case F_GETSIG: 4063 case F_GETOWNER_UIDS: 4064 /* Just check FD__USE permission */ 4065 err = file_has_perm(cred, file, 0); 4066 break; 4067 case F_GETLK: 4068 case F_SETLK: 4069 case F_SETLKW: 4070 case F_OFD_GETLK: 4071 case F_OFD_SETLK: 4072 case F_OFD_SETLKW: 4073 #if BITS_PER_LONG == 32 4074 case F_GETLK64: 4075 case F_SETLK64: 4076 case F_SETLKW64: 4077 #endif 4078 err = file_has_perm(cred, file, FILE__LOCK); 4079 break; 4080 } 4081 4082 return err; 4083 } 4084 4085 static void selinux_file_set_fowner(struct file *file) 4086 { 4087 struct file_security_struct *fsec; 4088 4089 fsec = selinux_file(file); 4090 fsec->fown_sid = current_sid(); 4091 } 4092 4093 static int selinux_file_send_sigiotask(struct task_struct *tsk, 4094 struct fown_struct *fown, int signum) 4095 { 4096 struct file *file; 4097 u32 sid = task_sid_obj(tsk); 4098 u32 perm; 4099 struct file_security_struct *fsec; 4100 4101 /* struct fown_struct is never outside the context of a struct file */ 4102 file = fown->file; 4103 4104 fsec = selinux_file(file); 4105 4106 if (!signum) 4107 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 4108 else 4109 perm = signal_to_av(signum); 4110 4111 return avc_has_perm(fsec->fown_sid, sid, 4112 SECCLASS_PROCESS, perm, NULL); 4113 } 4114 4115 static int selinux_file_receive(struct file *file) 4116 { 4117 const struct cred *cred = current_cred(); 4118 4119 return file_has_perm(cred, file, file_to_av(file)); 4120 } 4121 4122 static int selinux_file_open(struct file *file) 4123 { 4124 struct file_security_struct *fsec; 4125 struct inode_security_struct *isec; 4126 4127 fsec = selinux_file(file); 4128 isec = inode_security(file_inode(file)); 4129 /* 4130 * Save inode label and policy sequence number 4131 * at open-time so that selinux_file_permission 4132 * can determine whether revalidation is necessary. 4133 * Task label is already saved in the file security 4134 * struct as its SID. 4135 */ 4136 fsec->isid = isec->sid; 4137 fsec->pseqno = avc_policy_seqno(); 4138 /* 4139 * Since the inode label or policy seqno may have changed 4140 * between the selinux_inode_permission check and the saving 4141 * of state above, recheck that access is still permitted. 4142 * Otherwise, access might never be revalidated against the 4143 * new inode label or new policy. 4144 * This check is not redundant - do not remove. 4145 */ 4146 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 4147 } 4148 4149 /* task security operations */ 4150 4151 static int selinux_task_alloc(struct task_struct *task, 4152 u64 clone_flags) 4153 { 4154 u32 sid = current_sid(); 4155 struct task_security_struct *old_tsec = selinux_task(current); 4156 struct task_security_struct *new_tsec = selinux_task(task); 4157 4158 *new_tsec = *old_tsec; 4159 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 4160 } 4161 4162 /* 4163 * prepare a new set of credentials for modification 4164 */ 4165 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 4166 gfp_t gfp) 4167 { 4168 const struct cred_security_struct *old_crsec = selinux_cred(old); 4169 struct cred_security_struct *crsec = selinux_cred(new); 4170 4171 *crsec = *old_crsec; 4172 return 0; 4173 } 4174 4175 /* 4176 * transfer the SELinux data to a blank set of creds 4177 */ 4178 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 4179 { 4180 const struct cred_security_struct *old_crsec = selinux_cred(old); 4181 struct cred_security_struct *crsec = selinux_cred(new); 4182 4183 *crsec = *old_crsec; 4184 } 4185 4186 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 4187 { 4188 *secid = cred_sid(c); 4189 } 4190 4191 static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop) 4192 { 4193 prop->selinux.secid = cred_sid(c); 4194 } 4195 4196 /* 4197 * set the security data for a kernel service 4198 * - all the creation contexts are set to unlabelled 4199 */ 4200 static int selinux_kernel_act_as(struct cred *new, u32 secid) 4201 { 4202 struct cred_security_struct *crsec = selinux_cred(new); 4203 u32 sid = current_sid(); 4204 int ret; 4205 4206 ret = avc_has_perm(sid, secid, 4207 SECCLASS_KERNEL_SERVICE, 4208 KERNEL_SERVICE__USE_AS_OVERRIDE, 4209 NULL); 4210 if (ret == 0) { 4211 crsec->sid = secid; 4212 crsec->create_sid = 0; 4213 crsec->keycreate_sid = 0; 4214 crsec->sockcreate_sid = 0; 4215 } 4216 return ret; 4217 } 4218 4219 /* 4220 * set the file creation context in a security record to the same as the 4221 * objective context of the specified inode 4222 */ 4223 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 4224 { 4225 struct inode_security_struct *isec = inode_security(inode); 4226 struct cred_security_struct *crsec = selinux_cred(new); 4227 u32 sid = current_sid(); 4228 int ret; 4229 4230 ret = avc_has_perm(sid, isec->sid, 4231 SECCLASS_KERNEL_SERVICE, 4232 KERNEL_SERVICE__CREATE_FILES_AS, 4233 NULL); 4234 4235 if (ret == 0) 4236 crsec->create_sid = isec->sid; 4237 return ret; 4238 } 4239 4240 static int selinux_kernel_module_request(char *kmod_name) 4241 { 4242 struct common_audit_data ad; 4243 4244 ad.type = LSM_AUDIT_DATA_KMOD; 4245 ad.u.kmod_name = kmod_name; 4246 4247 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4248 SYSTEM__MODULE_REQUEST, &ad); 4249 } 4250 4251 static int selinux_kernel_load_from_file(struct file *file, u32 requested) 4252 { 4253 struct common_audit_data ad; 4254 struct inode_security_struct *isec; 4255 struct file_security_struct *fsec; 4256 u32 sid = current_sid(); 4257 int rc; 4258 4259 if (file == NULL) 4260 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL); 4261 4262 ad.type = LSM_AUDIT_DATA_FILE; 4263 ad.u.file = file; 4264 4265 fsec = selinux_file(file); 4266 if (sid != fsec->sid) { 4267 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4268 if (rc) 4269 return rc; 4270 } 4271 4272 isec = inode_security(file_inode(file)); 4273 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, requested, &ad); 4274 } 4275 4276 static int selinux_kernel_read_file(struct file *file, 4277 enum kernel_read_file_id id, 4278 bool contents) 4279 { 4280 int rc = 0; 4281 4282 BUILD_BUG_ON_MSG(READING_MAX_ID > 7, 4283 "New kernel_read_file_id introduced; update SELinux!"); 4284 4285 switch (id) { 4286 case READING_FIRMWARE: 4287 rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD); 4288 break; 4289 case READING_MODULE: 4290 rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD); 4291 break; 4292 case READING_KEXEC_IMAGE: 4293 rc = selinux_kernel_load_from_file(file, 4294 SYSTEM__KEXEC_IMAGE_LOAD); 4295 break; 4296 case READING_KEXEC_INITRAMFS: 4297 rc = selinux_kernel_load_from_file(file, 4298 SYSTEM__KEXEC_INITRAMFS_LOAD); 4299 break; 4300 case READING_POLICY: 4301 rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD); 4302 break; 4303 case READING_X509_CERTIFICATE: 4304 rc = selinux_kernel_load_from_file(file, 4305 SYSTEM__X509_CERTIFICATE_LOAD); 4306 break; 4307 default: 4308 break; 4309 } 4310 4311 return rc; 4312 } 4313 4314 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) 4315 { 4316 int rc = 0; 4317 4318 BUILD_BUG_ON_MSG(LOADING_MAX_ID > 7, 4319 "New kernel_load_data_id introduced; update SELinux!"); 4320 4321 switch (id) { 4322 case LOADING_FIRMWARE: 4323 rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD); 4324 break; 4325 case LOADING_MODULE: 4326 rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD); 4327 break; 4328 case LOADING_KEXEC_IMAGE: 4329 rc = selinux_kernel_load_from_file(NULL, 4330 SYSTEM__KEXEC_IMAGE_LOAD); 4331 break; 4332 case LOADING_KEXEC_INITRAMFS: 4333 rc = selinux_kernel_load_from_file(NULL, 4334 SYSTEM__KEXEC_INITRAMFS_LOAD); 4335 break; 4336 case LOADING_POLICY: 4337 rc = selinux_kernel_load_from_file(NULL, 4338 SYSTEM__POLICY_LOAD); 4339 break; 4340 case LOADING_X509_CERTIFICATE: 4341 rc = selinux_kernel_load_from_file(NULL, 4342 SYSTEM__X509_CERTIFICATE_LOAD); 4343 break; 4344 default: 4345 break; 4346 } 4347 4348 return rc; 4349 } 4350 4351 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4352 { 4353 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4354 PROCESS__SETPGID, NULL); 4355 } 4356 4357 static int selinux_task_getpgid(struct task_struct *p) 4358 { 4359 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4360 PROCESS__GETPGID, NULL); 4361 } 4362 4363 static int selinux_task_getsid(struct task_struct *p) 4364 { 4365 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4366 PROCESS__GETSESSION, NULL); 4367 } 4368 4369 static void selinux_current_getlsmprop_subj(struct lsm_prop *prop) 4370 { 4371 prop->selinux.secid = current_sid(); 4372 } 4373 4374 static void selinux_task_getlsmprop_obj(struct task_struct *p, 4375 struct lsm_prop *prop) 4376 { 4377 prop->selinux.secid = task_sid_obj(p); 4378 } 4379 4380 static int selinux_task_setnice(struct task_struct *p, int nice) 4381 { 4382 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4383 PROCESS__SETSCHED, NULL); 4384 } 4385 4386 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4387 { 4388 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4389 PROCESS__SETSCHED, NULL); 4390 } 4391 4392 static int selinux_task_getioprio(struct task_struct *p) 4393 { 4394 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4395 PROCESS__GETSCHED, NULL); 4396 } 4397 4398 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4399 unsigned int flags) 4400 { 4401 u32 av = 0; 4402 4403 if (!flags) 4404 return 0; 4405 if (flags & LSM_PRLIMIT_WRITE) 4406 av |= PROCESS__SETRLIMIT; 4407 if (flags & LSM_PRLIMIT_READ) 4408 av |= PROCESS__GETRLIMIT; 4409 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4410 SECCLASS_PROCESS, av, NULL); 4411 } 4412 4413 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4414 struct rlimit *new_rlim) 4415 { 4416 struct rlimit *old_rlim = p->signal->rlim + resource; 4417 4418 /* Control the ability to change the hard limit (whether 4419 lowering or raising it), so that the hard limit can 4420 later be used as a safe reset point for the soft limit 4421 upon context transitions. See selinux_bprm_committing_creds. */ 4422 if (old_rlim->rlim_max != new_rlim->rlim_max) 4423 return avc_has_perm(current_sid(), task_sid_obj(p), 4424 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4425 4426 return 0; 4427 } 4428 4429 static int selinux_task_setscheduler(struct task_struct *p) 4430 { 4431 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4432 PROCESS__SETSCHED, NULL); 4433 } 4434 4435 static int selinux_task_getscheduler(struct task_struct *p) 4436 { 4437 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4438 PROCESS__GETSCHED, NULL); 4439 } 4440 4441 static int selinux_task_movememory(struct task_struct *p) 4442 { 4443 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4444 PROCESS__SETSCHED, NULL); 4445 } 4446 4447 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4448 int sig, const struct cred *cred) 4449 { 4450 u32 secid; 4451 u32 perm; 4452 4453 if (!sig) 4454 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4455 else 4456 perm = signal_to_av(sig); 4457 if (!cred) 4458 secid = current_sid(); 4459 else 4460 secid = cred_sid(cred); 4461 return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); 4462 } 4463 4464 static void selinux_task_to_inode(struct task_struct *p, 4465 struct inode *inode) 4466 { 4467 struct inode_security_struct *isec = selinux_inode(inode); 4468 u32 sid = task_sid_obj(p); 4469 4470 spin_lock(&isec->lock); 4471 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4472 isec->sid = sid; 4473 isec->initialized = LABEL_INITIALIZED; 4474 spin_unlock(&isec->lock); 4475 } 4476 4477 static int selinux_userns_create(const struct cred *cred) 4478 { 4479 u32 sid = current_sid(); 4480 4481 return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE, 4482 USER_NAMESPACE__CREATE, NULL); 4483 } 4484 4485 /* Returns error only if unable to parse addresses */ 4486 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4487 struct common_audit_data *ad, u8 *proto) 4488 { 4489 int offset, ihlen, ret = -EINVAL; 4490 struct iphdr _iph, *ih; 4491 4492 offset = skb_network_offset(skb); 4493 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4494 if (ih == NULL) 4495 goto out; 4496 4497 ihlen = ih->ihl * 4; 4498 if (ihlen < sizeof(_iph)) 4499 goto out; 4500 4501 ad->u.net->v4info.saddr = ih->saddr; 4502 ad->u.net->v4info.daddr = ih->daddr; 4503 ret = 0; 4504 4505 if (proto) 4506 *proto = ih->protocol; 4507 4508 switch (ih->protocol) { 4509 case IPPROTO_TCP: { 4510 struct tcphdr _tcph, *th; 4511 4512 if (ntohs(ih->frag_off) & IP_OFFSET) 4513 break; 4514 4515 offset += ihlen; 4516 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4517 if (th == NULL) 4518 break; 4519 4520 ad->u.net->sport = th->source; 4521 ad->u.net->dport = th->dest; 4522 break; 4523 } 4524 4525 case IPPROTO_UDP: { 4526 struct udphdr _udph, *uh; 4527 4528 if (ntohs(ih->frag_off) & IP_OFFSET) 4529 break; 4530 4531 offset += ihlen; 4532 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4533 if (uh == NULL) 4534 break; 4535 4536 ad->u.net->sport = uh->source; 4537 ad->u.net->dport = uh->dest; 4538 break; 4539 } 4540 4541 #if IS_ENABLED(CONFIG_IP_SCTP) 4542 case IPPROTO_SCTP: { 4543 struct sctphdr _sctph, *sh; 4544 4545 if (ntohs(ih->frag_off) & IP_OFFSET) 4546 break; 4547 4548 offset += ihlen; 4549 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4550 if (sh == NULL) 4551 break; 4552 4553 ad->u.net->sport = sh->source; 4554 ad->u.net->dport = sh->dest; 4555 break; 4556 } 4557 #endif 4558 default: 4559 break; 4560 } 4561 out: 4562 return ret; 4563 } 4564 4565 #if IS_ENABLED(CONFIG_IPV6) 4566 4567 /* Returns error only if unable to parse addresses */ 4568 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4569 struct common_audit_data *ad, u8 *proto) 4570 { 4571 u8 nexthdr; 4572 int ret = -EINVAL, offset; 4573 struct ipv6hdr _ipv6h, *ip6; 4574 __be16 frag_off; 4575 4576 offset = skb_network_offset(skb); 4577 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4578 if (ip6 == NULL) 4579 goto out; 4580 4581 ad->u.net->v6info.saddr = ip6->saddr; 4582 ad->u.net->v6info.daddr = ip6->daddr; 4583 ret = 0; 4584 4585 nexthdr = ip6->nexthdr; 4586 offset += sizeof(_ipv6h); 4587 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4588 if (offset < 0) 4589 goto out; 4590 4591 if (proto) 4592 *proto = nexthdr; 4593 4594 switch (nexthdr) { 4595 case IPPROTO_TCP: { 4596 struct tcphdr _tcph, *th; 4597 4598 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4599 if (th == NULL) 4600 break; 4601 4602 ad->u.net->sport = th->source; 4603 ad->u.net->dport = th->dest; 4604 break; 4605 } 4606 4607 case IPPROTO_UDP: { 4608 struct udphdr _udph, *uh; 4609 4610 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4611 if (uh == NULL) 4612 break; 4613 4614 ad->u.net->sport = uh->source; 4615 ad->u.net->dport = uh->dest; 4616 break; 4617 } 4618 4619 #if IS_ENABLED(CONFIG_IP_SCTP) 4620 case IPPROTO_SCTP: { 4621 struct sctphdr _sctph, *sh; 4622 4623 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4624 if (sh == NULL) 4625 break; 4626 4627 ad->u.net->sport = sh->source; 4628 ad->u.net->dport = sh->dest; 4629 break; 4630 } 4631 #endif 4632 /* includes fragments */ 4633 default: 4634 break; 4635 } 4636 out: 4637 return ret; 4638 } 4639 4640 #endif /* IPV6 */ 4641 4642 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4643 char **_addrp, int src, u8 *proto) 4644 { 4645 char *addrp; 4646 int ret; 4647 4648 switch (ad->u.net->family) { 4649 case PF_INET: 4650 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4651 if (ret) 4652 goto parse_error; 4653 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4654 &ad->u.net->v4info.daddr); 4655 goto okay; 4656 4657 #if IS_ENABLED(CONFIG_IPV6) 4658 case PF_INET6: 4659 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4660 if (ret) 4661 goto parse_error; 4662 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4663 &ad->u.net->v6info.daddr); 4664 goto okay; 4665 #endif /* IPV6 */ 4666 default: 4667 addrp = NULL; 4668 goto okay; 4669 } 4670 4671 parse_error: 4672 pr_warn( 4673 "SELinux: failure in selinux_parse_skb()," 4674 " unable to parse packet\n"); 4675 return ret; 4676 4677 okay: 4678 if (_addrp) 4679 *_addrp = addrp; 4680 return 0; 4681 } 4682 4683 /** 4684 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4685 * @skb: the packet 4686 * @family: protocol family 4687 * @sid: the packet's peer label SID 4688 * 4689 * Description: 4690 * Check the various different forms of network peer labeling and determine 4691 * the peer label/SID for the packet; most of the magic actually occurs in 4692 * the security server function security_net_peersid_cmp(). The function 4693 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4694 * or -EACCES if @sid is invalid due to inconsistencies with the different 4695 * peer labels. 4696 * 4697 */ 4698 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4699 { 4700 int err; 4701 u32 xfrm_sid; 4702 u32 nlbl_sid; 4703 u32 nlbl_type; 4704 4705 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4706 if (unlikely(err)) 4707 return -EACCES; 4708 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4709 if (unlikely(err)) 4710 return -EACCES; 4711 4712 err = security_net_peersid_resolve(nlbl_sid, 4713 nlbl_type, xfrm_sid, sid); 4714 if (unlikely(err)) { 4715 pr_warn( 4716 "SELinux: failure in selinux_skb_peerlbl_sid()," 4717 " unable to determine packet's peer label\n"); 4718 return -EACCES; 4719 } 4720 4721 return 0; 4722 } 4723 4724 /** 4725 * selinux_conn_sid - Determine the child socket label for a connection 4726 * @sk_sid: the parent socket's SID 4727 * @skb_sid: the packet's SID 4728 * @conn_sid: the resulting connection SID 4729 * 4730 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4731 * combined with the MLS information from @skb_sid in order to create 4732 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy 4733 * of @sk_sid. Returns zero on success, negative values on failure. 4734 * 4735 */ 4736 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4737 { 4738 int err = 0; 4739 4740 if (skb_sid != SECSID_NULL) 4741 err = security_sid_mls_copy(sk_sid, skb_sid, 4742 conn_sid); 4743 else 4744 *conn_sid = sk_sid; 4745 4746 return err; 4747 } 4748 4749 /* socket security operations */ 4750 4751 static int socket_sockcreate_sid(const struct cred_security_struct *crsec, 4752 u16 secclass, u32 *socksid) 4753 { 4754 if (crsec->sockcreate_sid > SECSID_NULL) { 4755 *socksid = crsec->sockcreate_sid; 4756 return 0; 4757 } 4758 4759 return security_transition_sid(crsec->sid, crsec->sid, 4760 secclass, NULL, socksid); 4761 } 4762 4763 static bool sock_skip_has_perm(u32 sid) 4764 { 4765 if (sid == SECINITSID_KERNEL) 4766 return true; 4767 4768 /* 4769 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that 4770 * inherited the kernel context from early boot used to be skipped 4771 * here, so preserve that behavior unless the capability is set. 4772 * 4773 * By setting the capability the policy signals that it is ready 4774 * for this quirk to be fixed. Note that sockets created by a kernel 4775 * thread or a usermode helper executed without a transition will 4776 * still be skipped in this check regardless of the policycap 4777 * setting. 4778 */ 4779 if (!selinux_policycap_userspace_initial_context() && 4780 sid == SECINITSID_INIT) 4781 return true; 4782 return false; 4783 } 4784 4785 4786 static int sock_has_perm(struct sock *sk, u32 perms) 4787 { 4788 struct sk_security_struct *sksec = sk->sk_security; 4789 struct common_audit_data ad; 4790 struct lsm_network_audit net; 4791 4792 if (sock_skip_has_perm(sksec->sid)) 4793 return 0; 4794 4795 ad_net_init_from_sk(&ad, &net, sk); 4796 4797 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4798 &ad); 4799 } 4800 4801 static int selinux_socket_create(int family, int type, 4802 int protocol, int kern) 4803 { 4804 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 4805 u32 newsid; 4806 u16 secclass; 4807 int rc; 4808 4809 if (kern) 4810 return 0; 4811 4812 secclass = socket_type_to_security_class(family, type, protocol); 4813 rc = socket_sockcreate_sid(crsec, secclass, &newsid); 4814 if (rc) 4815 return rc; 4816 4817 return avc_has_perm(crsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4818 } 4819 4820 static int selinux_socket_post_create(struct socket *sock, int family, 4821 int type, int protocol, int kern) 4822 { 4823 const struct cred_security_struct *crsec = selinux_cred(current_cred()); 4824 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4825 struct sk_security_struct *sksec; 4826 u16 sclass = socket_type_to_security_class(family, type, protocol); 4827 u32 sid = SECINITSID_KERNEL; 4828 int err = 0; 4829 4830 if (!kern) { 4831 err = socket_sockcreate_sid(crsec, sclass, &sid); 4832 if (err) 4833 return err; 4834 } 4835 4836 isec->sclass = sclass; 4837 isec->sid = sid; 4838 isec->initialized = LABEL_INITIALIZED; 4839 4840 if (sock->sk) { 4841 sksec = selinux_sock(sock->sk); 4842 sksec->sclass = sclass; 4843 sksec->sid = sid; 4844 /* Allows detection of the first association on this socket */ 4845 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4846 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4847 4848 err = selinux_netlbl_socket_post_create(sock->sk, family); 4849 } 4850 4851 return err; 4852 } 4853 4854 static int selinux_socket_socketpair(struct socket *socka, 4855 struct socket *sockb) 4856 { 4857 struct sk_security_struct *sksec_a = selinux_sock(socka->sk); 4858 struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); 4859 4860 sksec_a->peer_sid = sksec_b->sid; 4861 sksec_b->peer_sid = sksec_a->sid; 4862 4863 return 0; 4864 } 4865 4866 /* Range of port numbers used to automatically bind. 4867 Need to determine whether we should perform a name_bind 4868 permission check between the socket and the port number. */ 4869 4870 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4871 { 4872 struct sock *sk = sock->sk; 4873 struct sk_security_struct *sksec = selinux_sock(sk); 4874 u16 family; 4875 int err; 4876 4877 err = sock_has_perm(sk, SOCKET__BIND); 4878 if (err) 4879 goto out; 4880 4881 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4882 family = sk->sk_family; 4883 if (family == PF_INET || family == PF_INET6) { 4884 char *addrp; 4885 struct common_audit_data ad; 4886 struct lsm_network_audit net = {0,}; 4887 struct sockaddr_in *addr4 = NULL; 4888 struct sockaddr_in6 *addr6 = NULL; 4889 u16 family_sa; 4890 unsigned short snum; 4891 u32 sid, node_perm; 4892 4893 /* 4894 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4895 * that validates multiple binding addresses. Because of this 4896 * need to check address->sa_family as it is possible to have 4897 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4898 */ 4899 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4900 return -EINVAL; 4901 family_sa = address->sa_family; 4902 switch (family_sa) { 4903 case AF_UNSPEC: 4904 case AF_INET: 4905 if (addrlen < sizeof(struct sockaddr_in)) 4906 return -EINVAL; 4907 addr4 = (struct sockaddr_in *)address; 4908 if (family_sa == AF_UNSPEC) { 4909 if (family == PF_INET6) { 4910 /* Length check from inet6_bind_sk() */ 4911 if (addrlen < SIN6_LEN_RFC2133) 4912 return -EINVAL; 4913 /* Family check from __inet6_bind() */ 4914 goto err_af; 4915 } 4916 /* see __inet_bind(), we only want to allow 4917 * AF_UNSPEC if the address is INADDR_ANY 4918 */ 4919 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4920 goto err_af; 4921 family_sa = AF_INET; 4922 } 4923 snum = ntohs(addr4->sin_port); 4924 addrp = (char *)&addr4->sin_addr.s_addr; 4925 break; 4926 case AF_INET6: 4927 if (addrlen < SIN6_LEN_RFC2133) 4928 return -EINVAL; 4929 addr6 = (struct sockaddr_in6 *)address; 4930 snum = ntohs(addr6->sin6_port); 4931 addrp = (char *)&addr6->sin6_addr.s6_addr; 4932 break; 4933 default: 4934 goto err_af; 4935 } 4936 4937 ad.type = LSM_AUDIT_DATA_NET; 4938 ad.u.net = &net; 4939 ad.u.net->sport = htons(snum); 4940 ad.u.net->family = family_sa; 4941 4942 if (snum) { 4943 int low, high; 4944 4945 inet_get_local_port_range(sock_net(sk), &low, &high); 4946 4947 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4948 snum < low || snum > high) { 4949 err = sel_netport_sid(sk->sk_protocol, 4950 snum, &sid); 4951 if (err) 4952 goto out; 4953 err = avc_has_perm(sksec->sid, sid, 4954 sksec->sclass, 4955 SOCKET__NAME_BIND, &ad); 4956 if (err) 4957 goto out; 4958 } 4959 } 4960 4961 switch (sksec->sclass) { 4962 case SECCLASS_TCP_SOCKET: 4963 node_perm = TCP_SOCKET__NODE_BIND; 4964 break; 4965 4966 case SECCLASS_UDP_SOCKET: 4967 node_perm = UDP_SOCKET__NODE_BIND; 4968 break; 4969 4970 case SECCLASS_SCTP_SOCKET: 4971 node_perm = SCTP_SOCKET__NODE_BIND; 4972 break; 4973 4974 default: 4975 node_perm = RAWIP_SOCKET__NODE_BIND; 4976 break; 4977 } 4978 4979 err = sel_netnode_sid(addrp, family_sa, &sid); 4980 if (err) 4981 goto out; 4982 4983 if (family_sa == AF_INET) 4984 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4985 else 4986 ad.u.net->v6info.saddr = addr6->sin6_addr; 4987 4988 err = avc_has_perm(sksec->sid, sid, 4989 sksec->sclass, node_perm, &ad); 4990 if (err) 4991 goto out; 4992 } 4993 out: 4994 return err; 4995 err_af: 4996 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4997 if (sk->sk_protocol == IPPROTO_SCTP) 4998 return -EINVAL; 4999 return -EAFNOSUPPORT; 5000 } 5001 5002 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 5003 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 5004 */ 5005 static int selinux_socket_connect_helper(struct socket *sock, 5006 struct sockaddr *address, int addrlen) 5007 { 5008 struct sock *sk = sock->sk; 5009 struct sk_security_struct *sksec = selinux_sock(sk); 5010 int err; 5011 5012 err = sock_has_perm(sk, SOCKET__CONNECT); 5013 if (err) 5014 return err; 5015 if (addrlen < offsetofend(struct sockaddr, sa_family)) 5016 return -EINVAL; 5017 5018 /* connect(AF_UNSPEC) has special handling, as it is a documented 5019 * way to disconnect the socket 5020 */ 5021 if (address->sa_family == AF_UNSPEC) 5022 return 0; 5023 5024 /* 5025 * If a TCP or SCTP socket, check name_connect permission 5026 * for the port. 5027 */ 5028 if (sksec->sclass == SECCLASS_TCP_SOCKET || 5029 sksec->sclass == SECCLASS_SCTP_SOCKET) { 5030 struct common_audit_data ad; 5031 struct lsm_network_audit net = {0,}; 5032 struct sockaddr_in *addr4 = NULL; 5033 struct sockaddr_in6 *addr6 = NULL; 5034 unsigned short snum; 5035 u32 sid, perm; 5036 5037 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 5038 * that validates multiple connect addresses. Because of this 5039 * need to check address->sa_family as it is possible to have 5040 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 5041 */ 5042 switch (address->sa_family) { 5043 case AF_INET: 5044 addr4 = (struct sockaddr_in *)address; 5045 if (addrlen < sizeof(struct sockaddr_in)) 5046 return -EINVAL; 5047 snum = ntohs(addr4->sin_port); 5048 break; 5049 case AF_INET6: 5050 addr6 = (struct sockaddr_in6 *)address; 5051 if (addrlen < SIN6_LEN_RFC2133) 5052 return -EINVAL; 5053 snum = ntohs(addr6->sin6_port); 5054 break; 5055 default: 5056 /* Note that SCTP services expect -EINVAL, whereas 5057 * others expect -EAFNOSUPPORT. 5058 */ 5059 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 5060 return -EINVAL; 5061 else 5062 return -EAFNOSUPPORT; 5063 } 5064 5065 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 5066 if (err) 5067 return err; 5068 5069 switch (sksec->sclass) { 5070 case SECCLASS_TCP_SOCKET: 5071 perm = TCP_SOCKET__NAME_CONNECT; 5072 break; 5073 case SECCLASS_SCTP_SOCKET: 5074 perm = SCTP_SOCKET__NAME_CONNECT; 5075 break; 5076 } 5077 5078 ad.type = LSM_AUDIT_DATA_NET; 5079 ad.u.net = &net; 5080 ad.u.net->dport = htons(snum); 5081 ad.u.net->family = address->sa_family; 5082 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 5083 if (err) 5084 return err; 5085 } 5086 5087 return 0; 5088 } 5089 5090 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 5091 static int selinux_socket_connect(struct socket *sock, 5092 struct sockaddr *address, int addrlen) 5093 { 5094 int err; 5095 struct sock *sk = sock->sk; 5096 5097 err = selinux_socket_connect_helper(sock, address, addrlen); 5098 if (err) 5099 return err; 5100 5101 return selinux_netlbl_socket_connect(sk, address); 5102 } 5103 5104 static int selinux_socket_listen(struct socket *sock, int backlog) 5105 { 5106 return sock_has_perm(sock->sk, SOCKET__LISTEN); 5107 } 5108 5109 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 5110 { 5111 int err; 5112 struct inode_security_struct *isec; 5113 struct inode_security_struct *newisec; 5114 u16 sclass; 5115 u32 sid; 5116 5117 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 5118 if (err) 5119 return err; 5120 5121 isec = inode_security_novalidate(SOCK_INODE(sock)); 5122 spin_lock(&isec->lock); 5123 sclass = isec->sclass; 5124 sid = isec->sid; 5125 spin_unlock(&isec->lock); 5126 5127 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 5128 newisec->sclass = sclass; 5129 newisec->sid = sid; 5130 newisec->initialized = LABEL_INITIALIZED; 5131 5132 return 0; 5133 } 5134 5135 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 5136 int size) 5137 { 5138 return sock_has_perm(sock->sk, SOCKET__WRITE); 5139 } 5140 5141 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 5142 int size, int flags) 5143 { 5144 return sock_has_perm(sock->sk, SOCKET__READ); 5145 } 5146 5147 static int selinux_socket_getsockname(struct socket *sock) 5148 { 5149 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5150 } 5151 5152 static int selinux_socket_getpeername(struct socket *sock) 5153 { 5154 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5155 } 5156 5157 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 5158 { 5159 int err; 5160 5161 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 5162 if (err) 5163 return err; 5164 5165 return selinux_netlbl_socket_setsockopt(sock, level, optname); 5166 } 5167 5168 static int selinux_socket_getsockopt(struct socket *sock, int level, 5169 int optname) 5170 { 5171 return sock_has_perm(sock->sk, SOCKET__GETOPT); 5172 } 5173 5174 static int selinux_socket_shutdown(struct socket *sock, int how) 5175 { 5176 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 5177 } 5178 5179 static int selinux_socket_unix_stream_connect(struct sock *sock, 5180 struct sock *other, 5181 struct sock *newsk) 5182 { 5183 struct sk_security_struct *sksec_sock = selinux_sock(sock); 5184 struct sk_security_struct *sksec_other = selinux_sock(other); 5185 struct sk_security_struct *sksec_new = selinux_sock(newsk); 5186 struct common_audit_data ad; 5187 struct lsm_network_audit net; 5188 int err; 5189 5190 ad_net_init_from_sk(&ad, &net, other); 5191 5192 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 5193 sksec_other->sclass, 5194 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 5195 if (err) 5196 return err; 5197 5198 /* server child socket */ 5199 sksec_new->peer_sid = sksec_sock->sid; 5200 err = security_sid_mls_copy(sksec_other->sid, 5201 sksec_sock->sid, &sksec_new->sid); 5202 if (err) 5203 return err; 5204 5205 /* connecting socket */ 5206 sksec_sock->peer_sid = sksec_new->sid; 5207 5208 return 0; 5209 } 5210 5211 static int selinux_socket_unix_may_send(struct socket *sock, 5212 struct socket *other) 5213 { 5214 struct sk_security_struct *ssec = selinux_sock(sock->sk); 5215 struct sk_security_struct *osec = selinux_sock(other->sk); 5216 struct common_audit_data ad; 5217 struct lsm_network_audit net; 5218 5219 ad_net_init_from_sk(&ad, &net, other->sk); 5220 5221 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 5222 &ad); 5223 } 5224 5225 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 5226 char *addrp, u16 family, u32 peer_sid, 5227 struct common_audit_data *ad) 5228 { 5229 int err; 5230 u32 if_sid; 5231 u32 node_sid; 5232 5233 err = sel_netif_sid(ns, ifindex, &if_sid); 5234 if (err) 5235 return err; 5236 err = avc_has_perm(peer_sid, if_sid, 5237 SECCLASS_NETIF, NETIF__INGRESS, ad); 5238 if (err) 5239 return err; 5240 5241 err = sel_netnode_sid(addrp, family, &node_sid); 5242 if (err) 5243 return err; 5244 return avc_has_perm(peer_sid, node_sid, 5245 SECCLASS_NODE, NODE__RECVFROM, ad); 5246 } 5247 5248 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 5249 u16 family) 5250 { 5251 int err = 0; 5252 struct sk_security_struct *sksec = selinux_sock(sk); 5253 u32 sk_sid = sksec->sid; 5254 struct common_audit_data ad; 5255 struct lsm_network_audit net; 5256 char *addrp; 5257 5258 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5259 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5260 if (err) 5261 return err; 5262 5263 if (selinux_secmark_enabled()) { 5264 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5265 PACKET__RECV, &ad); 5266 if (err) 5267 return err; 5268 } 5269 5270 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5271 if (err) 5272 return err; 5273 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5274 5275 return err; 5276 } 5277 5278 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5279 { 5280 int err, peerlbl_active, secmark_active; 5281 struct sk_security_struct *sksec = selinux_sock(sk); 5282 u16 family = sk->sk_family; 5283 u32 sk_sid = sksec->sid; 5284 struct common_audit_data ad; 5285 struct lsm_network_audit net; 5286 char *addrp; 5287 5288 if (family != PF_INET && family != PF_INET6) 5289 return 0; 5290 5291 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5292 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5293 family = PF_INET; 5294 5295 /* If any sort of compatibility mode is enabled then handoff processing 5296 * to the selinux_sock_rcv_skb_compat() function to deal with the 5297 * special handling. We do this in an attempt to keep this function 5298 * as fast and as clean as possible. */ 5299 if (!selinux_policycap_netpeer()) 5300 return selinux_sock_rcv_skb_compat(sk, skb, family); 5301 5302 secmark_active = selinux_secmark_enabled(); 5303 peerlbl_active = selinux_peerlbl_enabled(); 5304 if (!secmark_active && !peerlbl_active) 5305 return 0; 5306 5307 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5308 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5309 if (err) 5310 return err; 5311 5312 if (peerlbl_active) { 5313 u32 peer_sid; 5314 5315 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5316 if (err) 5317 return err; 5318 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5319 addrp, family, peer_sid, &ad); 5320 if (err) { 5321 selinux_netlbl_err(skb, family, err, 0); 5322 return err; 5323 } 5324 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5325 PEER__RECV, &ad); 5326 if (err) { 5327 selinux_netlbl_err(skb, family, err, 0); 5328 return err; 5329 } 5330 } 5331 5332 if (secmark_active) { 5333 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5334 PACKET__RECV, &ad); 5335 if (err) 5336 return err; 5337 } 5338 5339 return err; 5340 } 5341 5342 static int selinux_socket_getpeersec_stream(struct socket *sock, 5343 sockptr_t optval, sockptr_t optlen, 5344 unsigned int len) 5345 { 5346 int err = 0; 5347 char *scontext = NULL; 5348 u32 scontext_len; 5349 struct sk_security_struct *sksec = selinux_sock(sock->sk); 5350 u32 peer_sid = SECSID_NULL; 5351 5352 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5353 sksec->sclass == SECCLASS_TCP_SOCKET || 5354 sksec->sclass == SECCLASS_SCTP_SOCKET) 5355 peer_sid = sksec->peer_sid; 5356 if (peer_sid == SECSID_NULL) 5357 return -ENOPROTOOPT; 5358 5359 err = security_sid_to_context(peer_sid, &scontext, 5360 &scontext_len); 5361 if (err) 5362 return err; 5363 if (scontext_len > len) { 5364 err = -ERANGE; 5365 goto out_len; 5366 } 5367 5368 if (copy_to_sockptr(optval, scontext, scontext_len)) 5369 err = -EFAULT; 5370 out_len: 5371 if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len))) 5372 err = -EFAULT; 5373 kfree(scontext); 5374 return err; 5375 } 5376 5377 static int selinux_socket_getpeersec_dgram(struct socket *sock, 5378 struct sk_buff *skb, u32 *secid) 5379 { 5380 u32 peer_secid = SECSID_NULL; 5381 u16 family; 5382 5383 if (skb && skb->protocol == htons(ETH_P_IP)) 5384 family = PF_INET; 5385 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5386 family = PF_INET6; 5387 else if (sock) 5388 family = sock->sk->sk_family; 5389 else { 5390 *secid = SECSID_NULL; 5391 return -EINVAL; 5392 } 5393 5394 if (sock && family == PF_UNIX) { 5395 struct inode_security_struct *isec; 5396 isec = inode_security_novalidate(SOCK_INODE(sock)); 5397 peer_secid = isec->sid; 5398 } else if (skb) 5399 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5400 5401 *secid = peer_secid; 5402 if (peer_secid == SECSID_NULL) 5403 return -ENOPROTOOPT; 5404 return 0; 5405 } 5406 5407 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5408 { 5409 struct sk_security_struct *sksec = selinux_sock(sk); 5410 5411 sksec->peer_sid = SECINITSID_UNLABELED; 5412 sksec->sid = SECINITSID_UNLABELED; 5413 sksec->sclass = SECCLASS_SOCKET; 5414 selinux_netlbl_sk_security_reset(sksec); 5415 5416 return 0; 5417 } 5418 5419 static void selinux_sk_free_security(struct sock *sk) 5420 { 5421 struct sk_security_struct *sksec = selinux_sock(sk); 5422 5423 selinux_netlbl_sk_security_free(sksec); 5424 } 5425 5426 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5427 { 5428 struct sk_security_struct *sksec = selinux_sock(sk); 5429 struct sk_security_struct *newsksec = selinux_sock(newsk); 5430 5431 newsksec->sid = sksec->sid; 5432 newsksec->peer_sid = sksec->peer_sid; 5433 newsksec->sclass = sksec->sclass; 5434 5435 selinux_netlbl_sk_security_reset(newsksec); 5436 } 5437 5438 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid) 5439 { 5440 if (!sk) 5441 *secid = SECINITSID_ANY_SOCKET; 5442 else { 5443 const struct sk_security_struct *sksec = selinux_sock(sk); 5444 5445 *secid = sksec->sid; 5446 } 5447 } 5448 5449 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5450 { 5451 struct inode_security_struct *isec = 5452 inode_security_novalidate(SOCK_INODE(parent)); 5453 struct sk_security_struct *sksec = selinux_sock(sk); 5454 5455 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5456 sk->sk_family == PF_UNIX) 5457 isec->sid = sksec->sid; 5458 sksec->sclass = isec->sclass; 5459 } 5460 5461 /* 5462 * Determines peer_secid for the asoc and updates socket's peer label 5463 * if it's the first association on the socket. 5464 */ 5465 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, 5466 struct sk_buff *skb) 5467 { 5468 struct sock *sk = asoc->base.sk; 5469 u16 family = sk->sk_family; 5470 struct sk_security_struct *sksec = selinux_sock(sk); 5471 struct common_audit_data ad; 5472 struct lsm_network_audit net; 5473 int err; 5474 5475 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5476 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5477 family = PF_INET; 5478 5479 if (selinux_peerlbl_enabled()) { 5480 asoc->peer_secid = SECSID_NULL; 5481 5482 /* This will return peer_sid = SECSID_NULL if there are 5483 * no peer labels, see security_net_peersid_resolve(). 5484 */ 5485 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid); 5486 if (err) 5487 return err; 5488 5489 if (asoc->peer_secid == SECSID_NULL) 5490 asoc->peer_secid = SECINITSID_UNLABELED; 5491 } else { 5492 asoc->peer_secid = SECINITSID_UNLABELED; 5493 } 5494 5495 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5496 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5497 5498 /* Here as first association on socket. As the peer SID 5499 * was allowed by peer recv (and the netif/node checks), 5500 * then it is approved by policy and used as the primary 5501 * peer SID for getpeercon(3). 5502 */ 5503 sksec->peer_sid = asoc->peer_secid; 5504 } else if (sksec->peer_sid != asoc->peer_secid) { 5505 /* Other association peer SIDs are checked to enforce 5506 * consistency among the peer SIDs. 5507 */ 5508 ad_net_init_from_sk(&ad, &net, asoc->base.sk); 5509 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid, 5510 sksec->sclass, SCTP_SOCKET__ASSOCIATION, 5511 &ad); 5512 if (err) 5513 return err; 5514 } 5515 return 0; 5516 } 5517 5518 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This 5519 * happens on an incoming connect(2), sctp_connectx(3) or 5520 * sctp_sendmsg(3) (with no association already present). 5521 */ 5522 static int selinux_sctp_assoc_request(struct sctp_association *asoc, 5523 struct sk_buff *skb) 5524 { 5525 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5526 u32 conn_sid; 5527 int err; 5528 5529 if (!selinux_policycap_extsockclass()) 5530 return 0; 5531 5532 err = selinux_sctp_process_new_assoc(asoc, skb); 5533 if (err) 5534 return err; 5535 5536 /* Compute the MLS component for the connection and store 5537 * the information in asoc. This will be used by SCTP TCP type 5538 * sockets and peeled off connections as they cause a new 5539 * socket to be generated. selinux_sctp_sk_clone() will then 5540 * plug this into the new socket. 5541 */ 5542 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid); 5543 if (err) 5544 return err; 5545 5546 asoc->secid = conn_sid; 5547 5548 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5549 return selinux_netlbl_sctp_assoc_request(asoc, skb); 5550 } 5551 5552 /* Called when SCTP receives a COOKIE ACK chunk as the final 5553 * response to an association request (initited by us). 5554 */ 5555 static int selinux_sctp_assoc_established(struct sctp_association *asoc, 5556 struct sk_buff *skb) 5557 { 5558 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5559 5560 if (!selinux_policycap_extsockclass()) 5561 return 0; 5562 5563 /* Inherit secid from the parent socket - this will be picked up 5564 * by selinux_sctp_sk_clone() if the association gets peeled off 5565 * into a new socket. 5566 */ 5567 asoc->secid = sksec->sid; 5568 5569 return selinux_sctp_process_new_assoc(asoc, skb); 5570 } 5571 5572 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5573 * based on their @optname. 5574 */ 5575 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5576 struct sockaddr *address, 5577 int addrlen) 5578 { 5579 int len, err = 0, walk_size = 0; 5580 void *addr_buf; 5581 struct sockaddr *addr; 5582 struct socket *sock; 5583 5584 if (!selinux_policycap_extsockclass()) 5585 return 0; 5586 5587 /* Process one or more addresses that may be IPv4 or IPv6 */ 5588 sock = sk->sk_socket; 5589 addr_buf = address; 5590 5591 while (walk_size < addrlen) { 5592 if (walk_size + sizeof(sa_family_t) > addrlen) 5593 return -EINVAL; 5594 5595 addr = addr_buf; 5596 switch (addr->sa_family) { 5597 case AF_UNSPEC: 5598 case AF_INET: 5599 len = sizeof(struct sockaddr_in); 5600 break; 5601 case AF_INET6: 5602 len = sizeof(struct sockaddr_in6); 5603 break; 5604 default: 5605 return -EINVAL; 5606 } 5607 5608 if (walk_size + len > addrlen) 5609 return -EINVAL; 5610 5611 err = -EINVAL; 5612 switch (optname) { 5613 /* Bind checks */ 5614 case SCTP_PRIMARY_ADDR: 5615 case SCTP_SET_PEER_PRIMARY_ADDR: 5616 case SCTP_SOCKOPT_BINDX_ADD: 5617 err = selinux_socket_bind(sock, addr, len); 5618 break; 5619 /* Connect checks */ 5620 case SCTP_SOCKOPT_CONNECTX: 5621 case SCTP_PARAM_SET_PRIMARY: 5622 case SCTP_PARAM_ADD_IP: 5623 case SCTP_SENDMSG_CONNECT: 5624 err = selinux_socket_connect_helper(sock, addr, len); 5625 if (err) 5626 return err; 5627 5628 /* As selinux_sctp_bind_connect() is called by the 5629 * SCTP protocol layer, the socket is already locked, 5630 * therefore selinux_netlbl_socket_connect_locked() 5631 * is called here. The situations handled are: 5632 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5633 * whenever a new IP address is added or when a new 5634 * primary address is selected. 5635 * Note that an SCTP connect(2) call happens before 5636 * the SCTP protocol layer and is handled via 5637 * selinux_socket_connect(). 5638 */ 5639 err = selinux_netlbl_socket_connect_locked(sk, addr); 5640 break; 5641 } 5642 5643 if (err) 5644 return err; 5645 5646 addr_buf += len; 5647 walk_size += len; 5648 } 5649 5650 return 0; 5651 } 5652 5653 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5654 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, 5655 struct sock *newsk) 5656 { 5657 struct sk_security_struct *sksec = selinux_sock(sk); 5658 struct sk_security_struct *newsksec = selinux_sock(newsk); 5659 5660 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5661 * the non-sctp clone version. 5662 */ 5663 if (!selinux_policycap_extsockclass()) 5664 return selinux_sk_clone_security(sk, newsk); 5665 5666 newsksec->sid = asoc->secid; 5667 newsksec->peer_sid = asoc->peer_secid; 5668 newsksec->sclass = sksec->sclass; 5669 selinux_netlbl_sctp_sk_clone(sk, newsk); 5670 } 5671 5672 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) 5673 { 5674 struct sk_security_struct *ssksec = selinux_sock(ssk); 5675 struct sk_security_struct *sksec = selinux_sock(sk); 5676 5677 ssksec->sclass = sksec->sclass; 5678 ssksec->sid = sksec->sid; 5679 5680 /* replace the existing subflow label deleting the existing one 5681 * and re-recreating a new label using the updated context 5682 */ 5683 selinux_netlbl_sk_security_free(ssksec); 5684 return selinux_netlbl_socket_post_create(ssk, ssk->sk_family); 5685 } 5686 5687 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 5688 struct request_sock *req) 5689 { 5690 struct sk_security_struct *sksec = selinux_sock(sk); 5691 int err; 5692 u16 family = req->rsk_ops->family; 5693 u32 connsid; 5694 u32 peersid; 5695 5696 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5697 if (err) 5698 return err; 5699 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5700 if (err) 5701 return err; 5702 req->secid = connsid; 5703 req->peer_secid = peersid; 5704 5705 return selinux_netlbl_inet_conn_request(req, family); 5706 } 5707 5708 static void selinux_inet_csk_clone(struct sock *newsk, 5709 const struct request_sock *req) 5710 { 5711 struct sk_security_struct *newsksec = selinux_sock(newsk); 5712 5713 newsksec->sid = req->secid; 5714 newsksec->peer_sid = req->peer_secid; 5715 /* NOTE: Ideally, we should also get the isec->sid for the 5716 new socket in sync, but we don't have the isec available yet. 5717 So we will wait until sock_graft to do it, by which 5718 time it will have been created and available. */ 5719 5720 /* We don't need to take any sort of lock here as we are the only 5721 * thread with access to newsksec */ 5722 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5723 } 5724 5725 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5726 { 5727 u16 family = sk->sk_family; 5728 struct sk_security_struct *sksec = selinux_sock(sk); 5729 5730 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5731 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5732 family = PF_INET; 5733 5734 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5735 } 5736 5737 static int selinux_secmark_relabel_packet(u32 sid) 5738 { 5739 return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO, 5740 NULL); 5741 } 5742 5743 static void selinux_secmark_refcount_inc(void) 5744 { 5745 atomic_inc(&selinux_secmark_refcount); 5746 } 5747 5748 static void selinux_secmark_refcount_dec(void) 5749 { 5750 atomic_dec(&selinux_secmark_refcount); 5751 } 5752 5753 static void selinux_req_classify_flow(const struct request_sock *req, 5754 struct flowi_common *flic) 5755 { 5756 flic->flowic_secid = req->secid; 5757 } 5758 5759 static int selinux_tun_dev_alloc_security(void *security) 5760 { 5761 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5762 5763 tunsec->sid = current_sid(); 5764 return 0; 5765 } 5766 5767 static int selinux_tun_dev_create(void) 5768 { 5769 u32 sid = current_sid(); 5770 5771 /* we aren't taking into account the "sockcreate" SID since the socket 5772 * that is being created here is not a socket in the traditional sense, 5773 * instead it is a private sock, accessible only to the kernel, and 5774 * representing a wide range of network traffic spanning multiple 5775 * connections unlike traditional sockets - check the TUN driver to 5776 * get a better understanding of why this socket is special */ 5777 5778 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5779 NULL); 5780 } 5781 5782 static int selinux_tun_dev_attach_queue(void *security) 5783 { 5784 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5785 5786 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5787 TUN_SOCKET__ATTACH_QUEUE, NULL); 5788 } 5789 5790 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5791 { 5792 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5793 struct sk_security_struct *sksec = selinux_sock(sk); 5794 5795 /* we don't currently perform any NetLabel based labeling here and it 5796 * isn't clear that we would want to do so anyway; while we could apply 5797 * labeling without the support of the TUN user the resulting labeled 5798 * traffic from the other end of the connection would almost certainly 5799 * cause confusion to the TUN user that had no idea network labeling 5800 * protocols were being used */ 5801 5802 sksec->sid = tunsec->sid; 5803 sksec->sclass = SECCLASS_TUN_SOCKET; 5804 5805 return 0; 5806 } 5807 5808 static int selinux_tun_dev_open(void *security) 5809 { 5810 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5811 u32 sid = current_sid(); 5812 int err; 5813 5814 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5815 TUN_SOCKET__RELABELFROM, NULL); 5816 if (err) 5817 return err; 5818 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5819 TUN_SOCKET__RELABELTO, NULL); 5820 if (err) 5821 return err; 5822 tunsec->sid = sid; 5823 5824 return 0; 5825 } 5826 5827 #ifdef CONFIG_NETFILTER 5828 5829 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5830 const struct nf_hook_state *state) 5831 { 5832 int ifindex; 5833 u16 family; 5834 char *addrp; 5835 u32 peer_sid; 5836 struct common_audit_data ad; 5837 struct lsm_network_audit net; 5838 int secmark_active, peerlbl_active; 5839 5840 if (!selinux_policycap_netpeer()) 5841 return NF_ACCEPT; 5842 5843 secmark_active = selinux_secmark_enabled(); 5844 peerlbl_active = selinux_peerlbl_enabled(); 5845 if (!secmark_active && !peerlbl_active) 5846 return NF_ACCEPT; 5847 5848 family = state->pf; 5849 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5850 return NF_DROP; 5851 5852 ifindex = state->in->ifindex; 5853 ad_net_init_from_iif(&ad, &net, ifindex, family); 5854 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5855 return NF_DROP; 5856 5857 if (peerlbl_active) { 5858 int err; 5859 5860 err = selinux_inet_sys_rcv_skb(state->net, ifindex, 5861 addrp, family, peer_sid, &ad); 5862 if (err) { 5863 selinux_netlbl_err(skb, family, err, 1); 5864 return NF_DROP; 5865 } 5866 } 5867 5868 if (secmark_active) 5869 if (avc_has_perm(peer_sid, skb->secmark, 5870 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5871 return NF_DROP; 5872 5873 if (netlbl_enabled()) 5874 /* we do this in the FORWARD path and not the POST_ROUTING 5875 * path because we want to make sure we apply the necessary 5876 * labeling before IPsec is applied so we can leverage AH 5877 * protection */ 5878 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5879 return NF_DROP; 5880 5881 return NF_ACCEPT; 5882 } 5883 5884 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, 5885 const struct nf_hook_state *state) 5886 { 5887 struct sock *sk; 5888 u32 sid; 5889 5890 if (!netlbl_enabled()) 5891 return NF_ACCEPT; 5892 5893 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5894 * because we want to make sure we apply the necessary labeling 5895 * before IPsec is applied so we can leverage AH protection */ 5896 sk = skb_to_full_sk(skb); 5897 if (sk) { 5898 struct sk_security_struct *sksec; 5899 5900 if (sk_listener(sk)) 5901 /* if the socket is the listening state then this 5902 * packet is a SYN-ACK packet which means it needs to 5903 * be labeled based on the connection/request_sock and 5904 * not the parent socket. unfortunately, we can't 5905 * lookup the request_sock yet as it isn't queued on 5906 * the parent socket until after the SYN-ACK is sent. 5907 * the "solution" is to simply pass the packet as-is 5908 * as any IP option based labeling should be copied 5909 * from the initial connection request (in the IP 5910 * layer). it is far from ideal, but until we get a 5911 * security label in the packet itself this is the 5912 * best we can do. */ 5913 return NF_ACCEPT; 5914 5915 /* standard practice, label using the parent socket */ 5916 sksec = selinux_sock(sk); 5917 sid = sksec->sid; 5918 } else 5919 sid = SECINITSID_KERNEL; 5920 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0) 5921 return NF_DROP; 5922 5923 return NF_ACCEPT; 5924 } 5925 5926 5927 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5928 const struct nf_hook_state *state) 5929 { 5930 struct sock *sk; 5931 struct sk_security_struct *sksec; 5932 struct common_audit_data ad; 5933 struct lsm_network_audit net; 5934 u8 proto = 0; 5935 5936 sk = skb_to_full_sk(skb); 5937 if (sk == NULL) 5938 return NF_ACCEPT; 5939 sksec = selinux_sock(sk); 5940 5941 ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf); 5942 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) 5943 return NF_DROP; 5944 5945 if (selinux_secmark_enabled()) 5946 if (avc_has_perm(sksec->sid, skb->secmark, 5947 SECCLASS_PACKET, PACKET__SEND, &ad)) 5948 return NF_DROP_ERR(-ECONNREFUSED); 5949 5950 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5951 return NF_DROP_ERR(-ECONNREFUSED); 5952 5953 return NF_ACCEPT; 5954 } 5955 5956 static unsigned int selinux_ip_postroute(void *priv, 5957 struct sk_buff *skb, 5958 const struct nf_hook_state *state) 5959 { 5960 u16 family; 5961 u32 secmark_perm; 5962 u32 peer_sid; 5963 int ifindex; 5964 struct sock *sk; 5965 struct common_audit_data ad; 5966 struct lsm_network_audit net; 5967 char *addrp; 5968 int secmark_active, peerlbl_active; 5969 5970 /* If any sort of compatibility mode is enabled then handoff processing 5971 * to the selinux_ip_postroute_compat() function to deal with the 5972 * special handling. We do this in an attempt to keep this function 5973 * as fast and as clean as possible. */ 5974 if (!selinux_policycap_netpeer()) 5975 return selinux_ip_postroute_compat(skb, state); 5976 5977 secmark_active = selinux_secmark_enabled(); 5978 peerlbl_active = selinux_peerlbl_enabled(); 5979 if (!secmark_active && !peerlbl_active) 5980 return NF_ACCEPT; 5981 5982 sk = skb_to_full_sk(skb); 5983 5984 #ifdef CONFIG_XFRM 5985 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5986 * packet transformation so allow the packet to pass without any checks 5987 * since we'll have another chance to perform access control checks 5988 * when the packet is on it's final way out. 5989 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5990 * is NULL, in this case go ahead and apply access control. 5991 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5992 * TCP listening state we cannot wait until the XFRM processing 5993 * is done as we will miss out on the SA label if we do; 5994 * unfortunately, this means more work, but it is only once per 5995 * connection. */ 5996 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5997 !(sk && sk_listener(sk))) 5998 return NF_ACCEPT; 5999 #endif 6000 6001 family = state->pf; 6002 if (sk == NULL) { 6003 /* Without an associated socket the packet is either coming 6004 * from the kernel or it is being forwarded; check the packet 6005 * to determine which and if the packet is being forwarded 6006 * query the packet directly to determine the security label. */ 6007 if (skb->skb_iif) { 6008 secmark_perm = PACKET__FORWARD_OUT; 6009 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 6010 return NF_DROP; 6011 } else { 6012 secmark_perm = PACKET__SEND; 6013 peer_sid = SECINITSID_KERNEL; 6014 } 6015 } else if (sk_listener(sk)) { 6016 /* Locally generated packet but the associated socket is in the 6017 * listening state which means this is a SYN-ACK packet. In 6018 * this particular case the correct security label is assigned 6019 * to the connection/request_sock but unfortunately we can't 6020 * query the request_sock as it isn't queued on the parent 6021 * socket until after the SYN-ACK packet is sent; the only 6022 * viable choice is to regenerate the label like we do in 6023 * selinux_inet_conn_request(). See also selinux_ip_output() 6024 * for similar problems. */ 6025 u32 skb_sid; 6026 struct sk_security_struct *sksec; 6027 6028 sksec = selinux_sock(sk); 6029 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 6030 return NF_DROP; 6031 /* At this point, if the returned skb peerlbl is SECSID_NULL 6032 * and the packet has been through at least one XFRM 6033 * transformation then we must be dealing with the "final" 6034 * form of labeled IPsec packet; since we've already applied 6035 * all of our access controls on this packet we can safely 6036 * pass the packet. */ 6037 if (skb_sid == SECSID_NULL) { 6038 switch (family) { 6039 case PF_INET: 6040 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 6041 return NF_ACCEPT; 6042 break; 6043 case PF_INET6: 6044 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 6045 return NF_ACCEPT; 6046 break; 6047 default: 6048 return NF_DROP_ERR(-ECONNREFUSED); 6049 } 6050 } 6051 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 6052 return NF_DROP; 6053 secmark_perm = PACKET__SEND; 6054 } else { 6055 /* Locally generated packet, fetch the security label from the 6056 * associated socket. */ 6057 struct sk_security_struct *sksec = selinux_sock(sk); 6058 peer_sid = sksec->sid; 6059 secmark_perm = PACKET__SEND; 6060 } 6061 6062 ifindex = state->out->ifindex; 6063 ad_net_init_from_iif(&ad, &net, ifindex, family); 6064 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 6065 return NF_DROP; 6066 6067 if (secmark_active) 6068 if (avc_has_perm(peer_sid, skb->secmark, 6069 SECCLASS_PACKET, secmark_perm, &ad)) 6070 return NF_DROP_ERR(-ECONNREFUSED); 6071 6072 if (peerlbl_active) { 6073 u32 if_sid; 6074 u32 node_sid; 6075 6076 if (sel_netif_sid(state->net, ifindex, &if_sid)) 6077 return NF_DROP; 6078 if (avc_has_perm(peer_sid, if_sid, 6079 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 6080 return NF_DROP_ERR(-ECONNREFUSED); 6081 6082 if (sel_netnode_sid(addrp, family, &node_sid)) 6083 return NF_DROP; 6084 if (avc_has_perm(peer_sid, node_sid, 6085 SECCLASS_NODE, NODE__SENDTO, &ad)) 6086 return NF_DROP_ERR(-ECONNREFUSED); 6087 } 6088 6089 return NF_ACCEPT; 6090 } 6091 #endif /* CONFIG_NETFILTER */ 6092 6093 static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type) 6094 { 6095 struct sk_security_struct *sksec = sk->sk_security; 6096 struct common_audit_data ad; 6097 u8 driver; 6098 u8 xperm; 6099 6100 if (sock_skip_has_perm(sksec->sid)) 6101 return 0; 6102 6103 ad.type = LSM_AUDIT_DATA_NLMSGTYPE; 6104 ad.u.nlmsg_type = nlmsg_type; 6105 6106 driver = nlmsg_type >> 8; 6107 xperm = nlmsg_type & 0xff; 6108 6109 return avc_has_extended_perms(current_sid(), sksec->sid, sksec->sclass, 6110 perms, driver, AVC_EXT_NLMSG, xperm, &ad); 6111 } 6112 6113 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 6114 { 6115 int rc = 0; 6116 unsigned int msg_len; 6117 unsigned int data_len = skb->len; 6118 unsigned char *data = skb->data; 6119 struct nlmsghdr *nlh; 6120 struct sk_security_struct *sksec = selinux_sock(sk); 6121 u16 sclass = sksec->sclass; 6122 u32 perm; 6123 6124 while (data_len >= nlmsg_total_size(0)) { 6125 nlh = (struct nlmsghdr *)data; 6126 6127 /* NOTE: the nlmsg_len field isn't reliably set by some netlink 6128 * users which means we can't reject skb's with bogus 6129 * length fields; our solution is to follow what 6130 * netlink_rcv_skb() does and simply skip processing at 6131 * messages with length fields that are clearly junk 6132 */ 6133 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len) 6134 return 0; 6135 6136 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm); 6137 if (rc == 0) { 6138 if (selinux_policycap_netlink_xperm()) { 6139 rc = nlmsg_sock_has_extended_perms( 6140 sk, perm, nlh->nlmsg_type); 6141 } else { 6142 rc = sock_has_perm(sk, perm); 6143 } 6144 if (rc) 6145 return rc; 6146 } else if (rc == -EINVAL) { 6147 /* -EINVAL is a missing msg/perm mapping */ 6148 pr_warn_ratelimited("SELinux: unrecognized netlink" 6149 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 6150 " pid=%d comm=%s\n", 6151 sk->sk_protocol, nlh->nlmsg_type, 6152 secclass_map[sclass - 1].name, 6153 task_pid_nr(current), current->comm); 6154 if (enforcing_enabled() && 6155 !security_get_allow_unknown()) 6156 return rc; 6157 rc = 0; 6158 } else if (rc == -ENOENT) { 6159 /* -ENOENT is a missing socket/class mapping, ignore */ 6160 rc = 0; 6161 } else { 6162 return rc; 6163 } 6164 6165 /* move to the next message after applying netlink padding */ 6166 msg_len = NLMSG_ALIGN(nlh->nlmsg_len); 6167 if (msg_len >= data_len) 6168 return 0; 6169 data_len -= msg_len; 6170 data += msg_len; 6171 } 6172 6173 return rc; 6174 } 6175 6176 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 6177 { 6178 isec->sclass = sclass; 6179 isec->sid = current_sid(); 6180 } 6181 6182 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 6183 u32 perms) 6184 { 6185 struct ipc_security_struct *isec; 6186 struct common_audit_data ad; 6187 u32 sid = current_sid(); 6188 6189 isec = selinux_ipc(ipc_perms); 6190 6191 ad.type = LSM_AUDIT_DATA_IPC; 6192 ad.u.ipc_id = ipc_perms->key; 6193 6194 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 6195 } 6196 6197 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 6198 { 6199 struct msg_security_struct *msec; 6200 6201 msec = selinux_msg_msg(msg); 6202 msec->sid = SECINITSID_UNLABELED; 6203 6204 return 0; 6205 } 6206 6207 /* message queue security operations */ 6208 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 6209 { 6210 struct ipc_security_struct *isec; 6211 struct common_audit_data ad; 6212 u32 sid = current_sid(); 6213 6214 isec = selinux_ipc(msq); 6215 ipc_init_security(isec, SECCLASS_MSGQ); 6216 6217 ad.type = LSM_AUDIT_DATA_IPC; 6218 ad.u.ipc_id = msq->key; 6219 6220 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6221 MSGQ__CREATE, &ad); 6222 } 6223 6224 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6225 { 6226 struct ipc_security_struct *isec; 6227 struct common_audit_data ad; 6228 u32 sid = current_sid(); 6229 6230 isec = selinux_ipc(msq); 6231 6232 ad.type = LSM_AUDIT_DATA_IPC; 6233 ad.u.ipc_id = msq->key; 6234 6235 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6236 MSGQ__ASSOCIATE, &ad); 6237 } 6238 6239 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6240 { 6241 u32 perms; 6242 6243 switch (cmd) { 6244 case IPC_INFO: 6245 case MSG_INFO: 6246 /* No specific object, just general system-wide information. */ 6247 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6248 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6249 case IPC_STAT: 6250 case MSG_STAT: 6251 case MSG_STAT_ANY: 6252 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6253 break; 6254 case IPC_SET: 6255 perms = MSGQ__SETATTR; 6256 break; 6257 case IPC_RMID: 6258 perms = MSGQ__DESTROY; 6259 break; 6260 default: 6261 return 0; 6262 } 6263 6264 return ipc_has_perm(msq, perms); 6265 } 6266 6267 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6268 { 6269 struct ipc_security_struct *isec; 6270 struct msg_security_struct *msec; 6271 struct common_audit_data ad; 6272 u32 sid = current_sid(); 6273 int rc; 6274 6275 isec = selinux_ipc(msq); 6276 msec = selinux_msg_msg(msg); 6277 6278 /* 6279 * First time through, need to assign label to the message 6280 */ 6281 if (msec->sid == SECINITSID_UNLABELED) { 6282 /* 6283 * Compute new sid based on current process and 6284 * message queue this message will be stored in 6285 */ 6286 rc = security_transition_sid(sid, isec->sid, 6287 SECCLASS_MSG, NULL, &msec->sid); 6288 if (rc) 6289 return rc; 6290 } 6291 6292 ad.type = LSM_AUDIT_DATA_IPC; 6293 ad.u.ipc_id = msq->key; 6294 6295 /* Can this process write to the queue? */ 6296 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6297 MSGQ__WRITE, &ad); 6298 if (!rc) 6299 /* Can this process send the message */ 6300 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6301 MSG__SEND, &ad); 6302 if (!rc) 6303 /* Can the message be put in the queue? */ 6304 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6305 MSGQ__ENQUEUE, &ad); 6306 6307 return rc; 6308 } 6309 6310 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6311 struct task_struct *target, 6312 long type, int mode) 6313 { 6314 struct ipc_security_struct *isec; 6315 struct msg_security_struct *msec; 6316 struct common_audit_data ad; 6317 u32 sid = task_sid_obj(target); 6318 int rc; 6319 6320 isec = selinux_ipc(msq); 6321 msec = selinux_msg_msg(msg); 6322 6323 ad.type = LSM_AUDIT_DATA_IPC; 6324 ad.u.ipc_id = msq->key; 6325 6326 rc = avc_has_perm(sid, isec->sid, 6327 SECCLASS_MSGQ, MSGQ__READ, &ad); 6328 if (!rc) 6329 rc = avc_has_perm(sid, msec->sid, 6330 SECCLASS_MSG, MSG__RECEIVE, &ad); 6331 return rc; 6332 } 6333 6334 /* Shared Memory security operations */ 6335 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6336 { 6337 struct ipc_security_struct *isec; 6338 struct common_audit_data ad; 6339 u32 sid = current_sid(); 6340 6341 isec = selinux_ipc(shp); 6342 ipc_init_security(isec, SECCLASS_SHM); 6343 6344 ad.type = LSM_AUDIT_DATA_IPC; 6345 ad.u.ipc_id = shp->key; 6346 6347 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6348 SHM__CREATE, &ad); 6349 } 6350 6351 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6352 { 6353 struct ipc_security_struct *isec; 6354 struct common_audit_data ad; 6355 u32 sid = current_sid(); 6356 6357 isec = selinux_ipc(shp); 6358 6359 ad.type = LSM_AUDIT_DATA_IPC; 6360 ad.u.ipc_id = shp->key; 6361 6362 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6363 SHM__ASSOCIATE, &ad); 6364 } 6365 6366 /* Note, at this point, shp is locked down */ 6367 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6368 { 6369 u32 perms; 6370 6371 switch (cmd) { 6372 case IPC_INFO: 6373 case SHM_INFO: 6374 /* No specific object, just general system-wide information. */ 6375 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6376 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6377 case IPC_STAT: 6378 case SHM_STAT: 6379 case SHM_STAT_ANY: 6380 perms = SHM__GETATTR | SHM__ASSOCIATE; 6381 break; 6382 case IPC_SET: 6383 perms = SHM__SETATTR; 6384 break; 6385 case SHM_LOCK: 6386 case SHM_UNLOCK: 6387 perms = SHM__LOCK; 6388 break; 6389 case IPC_RMID: 6390 perms = SHM__DESTROY; 6391 break; 6392 default: 6393 return 0; 6394 } 6395 6396 return ipc_has_perm(shp, perms); 6397 } 6398 6399 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6400 char __user *shmaddr, int shmflg) 6401 { 6402 u32 perms; 6403 6404 if (shmflg & SHM_RDONLY) 6405 perms = SHM__READ; 6406 else 6407 perms = SHM__READ | SHM__WRITE; 6408 6409 return ipc_has_perm(shp, perms); 6410 } 6411 6412 /* Semaphore security operations */ 6413 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6414 { 6415 struct ipc_security_struct *isec; 6416 struct common_audit_data ad; 6417 u32 sid = current_sid(); 6418 6419 isec = selinux_ipc(sma); 6420 ipc_init_security(isec, SECCLASS_SEM); 6421 6422 ad.type = LSM_AUDIT_DATA_IPC; 6423 ad.u.ipc_id = sma->key; 6424 6425 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6426 SEM__CREATE, &ad); 6427 } 6428 6429 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6430 { 6431 struct ipc_security_struct *isec; 6432 struct common_audit_data ad; 6433 u32 sid = current_sid(); 6434 6435 isec = selinux_ipc(sma); 6436 6437 ad.type = LSM_AUDIT_DATA_IPC; 6438 ad.u.ipc_id = sma->key; 6439 6440 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6441 SEM__ASSOCIATE, &ad); 6442 } 6443 6444 /* Note, at this point, sma is locked down */ 6445 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6446 { 6447 int err; 6448 u32 perms; 6449 6450 switch (cmd) { 6451 case IPC_INFO: 6452 case SEM_INFO: 6453 /* No specific object, just general system-wide information. */ 6454 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6455 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6456 case GETPID: 6457 case GETNCNT: 6458 case GETZCNT: 6459 perms = SEM__GETATTR; 6460 break; 6461 case GETVAL: 6462 case GETALL: 6463 perms = SEM__READ; 6464 break; 6465 case SETVAL: 6466 case SETALL: 6467 perms = SEM__WRITE; 6468 break; 6469 case IPC_RMID: 6470 perms = SEM__DESTROY; 6471 break; 6472 case IPC_SET: 6473 perms = SEM__SETATTR; 6474 break; 6475 case IPC_STAT: 6476 case SEM_STAT: 6477 case SEM_STAT_ANY: 6478 perms = SEM__GETATTR | SEM__ASSOCIATE; 6479 break; 6480 default: 6481 return 0; 6482 } 6483 6484 err = ipc_has_perm(sma, perms); 6485 return err; 6486 } 6487 6488 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6489 struct sembuf *sops, unsigned nsops, int alter) 6490 { 6491 u32 perms; 6492 6493 if (alter) 6494 perms = SEM__READ | SEM__WRITE; 6495 else 6496 perms = SEM__READ; 6497 6498 return ipc_has_perm(sma, perms); 6499 } 6500 6501 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6502 { 6503 u32 av = 0; 6504 6505 av = 0; 6506 if (flag & S_IRUGO) 6507 av |= IPC__UNIX_READ; 6508 if (flag & S_IWUGO) 6509 av |= IPC__UNIX_WRITE; 6510 6511 if (av == 0) 6512 return 0; 6513 6514 return ipc_has_perm(ipcp, av); 6515 } 6516 6517 static void selinux_ipc_getlsmprop(struct kern_ipc_perm *ipcp, 6518 struct lsm_prop *prop) 6519 { 6520 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6521 prop->selinux.secid = isec->sid; 6522 } 6523 6524 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6525 { 6526 if (inode) 6527 inode_doinit_with_dentry(inode, dentry); 6528 } 6529 6530 static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, 6531 char **value) 6532 { 6533 const struct cred_security_struct *crsec; 6534 int error; 6535 u32 sid; 6536 u32 len; 6537 6538 rcu_read_lock(); 6539 crsec = selinux_cred(__task_cred(p)); 6540 if (p != current) { 6541 error = avc_has_perm(current_sid(), crsec->sid, 6542 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6543 if (error) 6544 goto err_unlock; 6545 } 6546 switch (attr) { 6547 case LSM_ATTR_CURRENT: 6548 sid = crsec->sid; 6549 break; 6550 case LSM_ATTR_PREV: 6551 sid = crsec->osid; 6552 break; 6553 case LSM_ATTR_EXEC: 6554 sid = crsec->exec_sid; 6555 break; 6556 case LSM_ATTR_FSCREATE: 6557 sid = crsec->create_sid; 6558 break; 6559 case LSM_ATTR_KEYCREATE: 6560 sid = crsec->keycreate_sid; 6561 break; 6562 case LSM_ATTR_SOCKCREATE: 6563 sid = crsec->sockcreate_sid; 6564 break; 6565 default: 6566 error = -EOPNOTSUPP; 6567 goto err_unlock; 6568 } 6569 rcu_read_unlock(); 6570 6571 if (sid == SECSID_NULL) { 6572 *value = NULL; 6573 return 0; 6574 } 6575 6576 error = security_sid_to_context(sid, value, &len); 6577 if (error) 6578 return error; 6579 return len; 6580 6581 err_unlock: 6582 rcu_read_unlock(); 6583 return error; 6584 } 6585 6586 static int selinux_lsm_setattr(u64 attr, void *value, size_t size) 6587 { 6588 struct cred_security_struct *crsec; 6589 struct cred *new; 6590 u32 mysid = current_sid(), sid = 0, ptsid; 6591 int error; 6592 char *str = value; 6593 6594 /* 6595 * Basic control over ability to set these attributes at all. 6596 */ 6597 switch (attr) { 6598 case LSM_ATTR_EXEC: 6599 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6600 PROCESS__SETEXEC, NULL); 6601 break; 6602 case LSM_ATTR_FSCREATE: 6603 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6604 PROCESS__SETFSCREATE, NULL); 6605 break; 6606 case LSM_ATTR_KEYCREATE: 6607 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6608 PROCESS__SETKEYCREATE, NULL); 6609 break; 6610 case LSM_ATTR_SOCKCREATE: 6611 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6612 PROCESS__SETSOCKCREATE, NULL); 6613 break; 6614 case LSM_ATTR_CURRENT: 6615 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6616 PROCESS__SETCURRENT, NULL); 6617 break; 6618 default: 6619 error = -EOPNOTSUPP; 6620 break; 6621 } 6622 if (error) 6623 return error; 6624 6625 /* Obtain a SID for the context, if one was specified. */ 6626 if (size && str[0] && str[0] != '\n') { 6627 if (str[size-1] == '\n') { 6628 str[size-1] = 0; 6629 size--; 6630 } 6631 error = security_context_to_sid(value, size, 6632 &sid, GFP_KERNEL); 6633 if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) { 6634 if (!has_cap_mac_admin(true)) { 6635 struct audit_buffer *ab; 6636 size_t audit_size; 6637 6638 /* We strip a nul only if it is at the end, 6639 * otherwise the context contains a nul and 6640 * we should audit that */ 6641 if (str[size - 1] == '\0') 6642 audit_size = size - 1; 6643 else 6644 audit_size = size; 6645 ab = audit_log_start(audit_context(), 6646 GFP_ATOMIC, 6647 AUDIT_SELINUX_ERR); 6648 if (!ab) 6649 return error; 6650 audit_log_format(ab, "op=fscreate invalid_context="); 6651 audit_log_n_untrustedstring(ab, value, 6652 audit_size); 6653 audit_log_end(ab); 6654 6655 return error; 6656 } 6657 error = security_context_to_sid_force(value, size, 6658 &sid); 6659 } 6660 if (error) 6661 return error; 6662 } 6663 6664 new = prepare_creds(); 6665 if (!new) 6666 return -ENOMEM; 6667 6668 /* Permission checking based on the specified context is 6669 performed during the actual operation (execve, 6670 open/mkdir/...), when we know the full context of the 6671 operation. See selinux_bprm_creds_for_exec for the execve 6672 checks and may_create for the file creation checks. The 6673 operation will then fail if the context is not permitted. */ 6674 crsec = selinux_cred(new); 6675 if (attr == LSM_ATTR_EXEC) { 6676 crsec->exec_sid = sid; 6677 } else if (attr == LSM_ATTR_FSCREATE) { 6678 crsec->create_sid = sid; 6679 } else if (attr == LSM_ATTR_KEYCREATE) { 6680 if (sid) { 6681 error = avc_has_perm(mysid, sid, 6682 SECCLASS_KEY, KEY__CREATE, NULL); 6683 if (error) 6684 goto abort_change; 6685 } 6686 crsec->keycreate_sid = sid; 6687 } else if (attr == LSM_ATTR_SOCKCREATE) { 6688 crsec->sockcreate_sid = sid; 6689 } else if (attr == LSM_ATTR_CURRENT) { 6690 error = -EINVAL; 6691 if (sid == 0) 6692 goto abort_change; 6693 6694 if (!current_is_single_threaded()) { 6695 error = security_bounded_transition(crsec->sid, sid); 6696 if (error) 6697 goto abort_change; 6698 } 6699 6700 /* Check permissions for the transition. */ 6701 error = avc_has_perm(crsec->sid, sid, SECCLASS_PROCESS, 6702 PROCESS__DYNTRANSITION, NULL); 6703 if (error) 6704 goto abort_change; 6705 6706 /* Check for ptracing, and update the task SID if ok. 6707 Otherwise, leave SID unchanged and fail. */ 6708 ptsid = ptrace_parent_sid(); 6709 if (ptsid != 0) { 6710 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6711 PROCESS__PTRACE, NULL); 6712 if (error) 6713 goto abort_change; 6714 } 6715 6716 crsec->sid = sid; 6717 } else { 6718 error = -EINVAL; 6719 goto abort_change; 6720 } 6721 6722 commit_creds(new); 6723 return size; 6724 6725 abort_change: 6726 abort_creds(new); 6727 return error; 6728 } 6729 6730 /** 6731 * selinux_getselfattr - Get SELinux current task attributes 6732 * @attr: the requested attribute 6733 * @ctx: buffer to receive the result 6734 * @size: buffer size (input), buffer size used (output) 6735 * @flags: unused 6736 * 6737 * Fill the passed user space @ctx with the details of the requested 6738 * attribute. 6739 * 6740 * Returns the number of attributes on success, an error code otherwise. 6741 * There will only ever be one attribute. 6742 */ 6743 static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 6744 u32 *size, u32 flags) 6745 { 6746 int rc; 6747 char *val = NULL; 6748 int val_len; 6749 6750 val_len = selinux_lsm_getattr(attr, current, &val); 6751 if (val_len < 0) 6752 return val_len; 6753 rc = lsm_fill_user_ctx(ctx, size, val, val_len, LSM_ID_SELINUX, 0); 6754 kfree(val); 6755 return (!rc ? 1 : rc); 6756 } 6757 6758 static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 6759 u32 size, u32 flags) 6760 { 6761 int rc; 6762 6763 rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len); 6764 if (rc > 0) 6765 return 0; 6766 return rc; 6767 } 6768 6769 static int selinux_getprocattr(struct task_struct *p, 6770 const char *name, char **value) 6771 { 6772 unsigned int attr = lsm_name_to_attr(name); 6773 int rc; 6774 6775 if (attr) { 6776 rc = selinux_lsm_getattr(attr, p, value); 6777 if (rc != -EOPNOTSUPP) 6778 return rc; 6779 } 6780 6781 return -EINVAL; 6782 } 6783 6784 static int selinux_setprocattr(const char *name, void *value, size_t size) 6785 { 6786 int attr = lsm_name_to_attr(name); 6787 6788 if (attr) 6789 return selinux_lsm_setattr(attr, value, size); 6790 return -EINVAL; 6791 } 6792 6793 static int selinux_ismaclabel(const char *name) 6794 { 6795 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6796 } 6797 6798 static int selinux_secid_to_secctx(u32 secid, struct lsm_context *cp) 6799 { 6800 u32 seclen; 6801 int ret; 6802 6803 if (cp) { 6804 cp->id = LSM_ID_SELINUX; 6805 ret = security_sid_to_context(secid, &cp->context, &cp->len); 6806 if (ret < 0) 6807 return ret; 6808 return cp->len; 6809 } 6810 ret = security_sid_to_context(secid, NULL, &seclen); 6811 if (ret < 0) 6812 return ret; 6813 return seclen; 6814 } 6815 6816 static int selinux_lsmprop_to_secctx(struct lsm_prop *prop, 6817 struct lsm_context *cp) 6818 { 6819 return selinux_secid_to_secctx(prop->selinux.secid, cp); 6820 } 6821 6822 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6823 { 6824 return security_context_to_sid(secdata, seclen, 6825 secid, GFP_KERNEL); 6826 } 6827 6828 static void selinux_release_secctx(struct lsm_context *cp) 6829 { 6830 if (cp->id == LSM_ID_SELINUX) { 6831 kfree(cp->context); 6832 cp->context = NULL; 6833 cp->id = LSM_ID_UNDEF; 6834 } 6835 } 6836 6837 static void selinux_inode_invalidate_secctx(struct inode *inode) 6838 { 6839 struct inode_security_struct *isec = selinux_inode(inode); 6840 6841 spin_lock(&isec->lock); 6842 isec->initialized = LABEL_INVALID; 6843 spin_unlock(&isec->lock); 6844 } 6845 6846 /* 6847 * called with inode->i_mutex locked 6848 */ 6849 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6850 { 6851 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6852 ctx, ctxlen, 0); 6853 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6854 return rc == -EOPNOTSUPP ? 0 : rc; 6855 } 6856 6857 /* 6858 * called with inode->i_mutex locked 6859 */ 6860 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6861 { 6862 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX, 6863 ctx, ctxlen, 0, NULL); 6864 } 6865 6866 static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp) 6867 { 6868 int len; 6869 len = selinux_inode_getsecurity(&nop_mnt_idmap, inode, 6870 XATTR_SELINUX_SUFFIX, 6871 (void **)&cp->context, true); 6872 if (len < 0) 6873 return len; 6874 cp->len = len; 6875 cp->id = LSM_ID_SELINUX; 6876 return 0; 6877 } 6878 #ifdef CONFIG_KEYS 6879 6880 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6881 unsigned long flags) 6882 { 6883 const struct cred_security_struct *crsec; 6884 struct key_security_struct *ksec = selinux_key(k); 6885 6886 crsec = selinux_cred(cred); 6887 if (crsec->keycreate_sid) 6888 ksec->sid = crsec->keycreate_sid; 6889 else 6890 ksec->sid = crsec->sid; 6891 6892 return 0; 6893 } 6894 6895 static int selinux_key_permission(key_ref_t key_ref, 6896 const struct cred *cred, 6897 enum key_need_perm need_perm) 6898 { 6899 struct key *key; 6900 struct key_security_struct *ksec; 6901 u32 perm, sid; 6902 6903 switch (need_perm) { 6904 case KEY_NEED_VIEW: 6905 perm = KEY__VIEW; 6906 break; 6907 case KEY_NEED_READ: 6908 perm = KEY__READ; 6909 break; 6910 case KEY_NEED_WRITE: 6911 perm = KEY__WRITE; 6912 break; 6913 case KEY_NEED_SEARCH: 6914 perm = KEY__SEARCH; 6915 break; 6916 case KEY_NEED_LINK: 6917 perm = KEY__LINK; 6918 break; 6919 case KEY_NEED_SETATTR: 6920 perm = KEY__SETATTR; 6921 break; 6922 case KEY_NEED_UNLINK: 6923 case KEY_SYSADMIN_OVERRIDE: 6924 case KEY_AUTHTOKEN_OVERRIDE: 6925 case KEY_DEFER_PERM_CHECK: 6926 return 0; 6927 default: 6928 WARN_ON(1); 6929 return -EPERM; 6930 6931 } 6932 6933 sid = cred_sid(cred); 6934 key = key_ref_to_ptr(key_ref); 6935 ksec = selinux_key(key); 6936 6937 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6938 } 6939 6940 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6941 { 6942 struct key_security_struct *ksec = selinux_key(key); 6943 char *context = NULL; 6944 unsigned len; 6945 int rc; 6946 6947 rc = security_sid_to_context(ksec->sid, 6948 &context, &len); 6949 if (!rc) 6950 rc = len; 6951 *_buffer = context; 6952 return rc; 6953 } 6954 6955 #ifdef CONFIG_KEY_NOTIFICATIONS 6956 static int selinux_watch_key(struct key *key) 6957 { 6958 struct key_security_struct *ksec = selinux_key(key); 6959 u32 sid = current_sid(); 6960 6961 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL); 6962 } 6963 #endif 6964 #endif 6965 6966 #ifdef CONFIG_SECURITY_INFINIBAND 6967 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6968 { 6969 struct common_audit_data ad; 6970 int err; 6971 u32 sid = 0; 6972 struct ib_security_struct *sec = ib_sec; 6973 struct lsm_ibpkey_audit ibpkey; 6974 6975 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6976 if (err) 6977 return err; 6978 6979 ad.type = LSM_AUDIT_DATA_IBPKEY; 6980 ibpkey.subnet_prefix = subnet_prefix; 6981 ibpkey.pkey = pkey_val; 6982 ad.u.ibpkey = &ibpkey; 6983 return avc_has_perm(sec->sid, sid, 6984 SECCLASS_INFINIBAND_PKEY, 6985 INFINIBAND_PKEY__ACCESS, &ad); 6986 } 6987 6988 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6989 u8 port_num) 6990 { 6991 struct common_audit_data ad; 6992 int err; 6993 u32 sid = 0; 6994 struct ib_security_struct *sec = ib_sec; 6995 struct lsm_ibendport_audit ibendport; 6996 6997 err = security_ib_endport_sid(dev_name, port_num, 6998 &sid); 6999 7000 if (err) 7001 return err; 7002 7003 ad.type = LSM_AUDIT_DATA_IBENDPORT; 7004 ibendport.dev_name = dev_name; 7005 ibendport.port = port_num; 7006 ad.u.ibendport = &ibendport; 7007 return avc_has_perm(sec->sid, sid, 7008 SECCLASS_INFINIBAND_ENDPORT, 7009 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 7010 } 7011 7012 static int selinux_ib_alloc_security(void *ib_sec) 7013 { 7014 struct ib_security_struct *sec = selinux_ib(ib_sec); 7015 7016 sec->sid = current_sid(); 7017 return 0; 7018 } 7019 #endif 7020 7021 #ifdef CONFIG_BPF_SYSCALL 7022 static int selinux_bpf(int cmd, union bpf_attr *attr, 7023 unsigned int size, bool kernel) 7024 { 7025 u32 sid = current_sid(); 7026 int ret; 7027 7028 switch (cmd) { 7029 case BPF_MAP_CREATE: 7030 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 7031 NULL); 7032 break; 7033 case BPF_PROG_LOAD: 7034 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 7035 NULL); 7036 break; 7037 default: 7038 ret = 0; 7039 break; 7040 } 7041 7042 return ret; 7043 } 7044 7045 static u32 bpf_map_fmode_to_av(fmode_t fmode) 7046 { 7047 u32 av = 0; 7048 7049 if (fmode & FMODE_READ) 7050 av |= BPF__MAP_READ; 7051 if (fmode & FMODE_WRITE) 7052 av |= BPF__MAP_WRITE; 7053 return av; 7054 } 7055 7056 /* This function will check the file pass through unix socket or binder to see 7057 * if it is a bpf related object. And apply corresponding checks on the bpf 7058 * object based on the type. The bpf maps and programs, not like other files and 7059 * socket, are using a shared anonymous inode inside the kernel as their inode. 7060 * So checking that inode cannot identify if the process have privilege to 7061 * access the bpf object and that's why we have to add this additional check in 7062 * selinux_file_receive and selinux_binder_transfer_files. 7063 */ 7064 static int bpf_fd_pass(const struct file *file, u32 sid) 7065 { 7066 struct bpf_security_struct *bpfsec; 7067 struct bpf_prog *prog; 7068 struct bpf_map *map; 7069 int ret; 7070 7071 if (file->f_op == &bpf_map_fops) { 7072 map = file->private_data; 7073 bpfsec = selinux_bpf_map_security(map); 7074 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7075 bpf_map_fmode_to_av(file->f_mode), NULL); 7076 if (ret) 7077 return ret; 7078 } else if (file->f_op == &bpf_prog_fops) { 7079 prog = file->private_data; 7080 bpfsec = selinux_bpf_prog_security(prog); 7081 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7082 BPF__PROG_RUN, NULL); 7083 if (ret) 7084 return ret; 7085 } 7086 return 0; 7087 } 7088 7089 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 7090 { 7091 u32 sid = current_sid(); 7092 struct bpf_security_struct *bpfsec; 7093 7094 bpfsec = selinux_bpf_map_security(map); 7095 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7096 bpf_map_fmode_to_av(fmode), NULL); 7097 } 7098 7099 static int selinux_bpf_prog(struct bpf_prog *prog) 7100 { 7101 u32 sid = current_sid(); 7102 struct bpf_security_struct *bpfsec; 7103 7104 bpfsec = selinux_bpf_prog_security(prog); 7105 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7106 BPF__PROG_RUN, NULL); 7107 } 7108 7109 static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr, 7110 struct bpf_token *token, bool kernel) 7111 { 7112 struct bpf_security_struct *bpfsec; 7113 7114 bpfsec = selinux_bpf_map_security(map); 7115 bpfsec->sid = current_sid(); 7116 7117 return 0; 7118 } 7119 7120 static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr, 7121 struct bpf_token *token, bool kernel) 7122 { 7123 struct bpf_security_struct *bpfsec; 7124 7125 bpfsec = selinux_bpf_prog_security(prog); 7126 bpfsec->sid = current_sid(); 7127 7128 return 0; 7129 } 7130 7131 static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr, 7132 const struct path *path) 7133 { 7134 struct bpf_security_struct *bpfsec; 7135 7136 bpfsec = selinux_bpf_token_security(token); 7137 bpfsec->sid = current_sid(); 7138 7139 return 0; 7140 } 7141 #endif 7142 7143 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { 7144 .lbs_cred = sizeof(struct cred_security_struct), 7145 .lbs_task = sizeof(struct task_security_struct), 7146 .lbs_file = sizeof(struct file_security_struct), 7147 .lbs_inode = sizeof(struct inode_security_struct), 7148 .lbs_ipc = sizeof(struct ipc_security_struct), 7149 .lbs_key = sizeof(struct key_security_struct), 7150 .lbs_msg_msg = sizeof(struct msg_security_struct), 7151 #ifdef CONFIG_PERF_EVENTS 7152 .lbs_perf_event = sizeof(struct perf_event_security_struct), 7153 #endif 7154 .lbs_sock = sizeof(struct sk_security_struct), 7155 .lbs_superblock = sizeof(struct superblock_security_struct), 7156 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, 7157 .lbs_tun_dev = sizeof(struct tun_security_struct), 7158 .lbs_ib = sizeof(struct ib_security_struct), 7159 .lbs_bpf_map = sizeof(struct bpf_security_struct), 7160 .lbs_bpf_prog = sizeof(struct bpf_security_struct), 7161 .lbs_bpf_token = sizeof(struct bpf_security_struct), 7162 }; 7163 7164 #ifdef CONFIG_PERF_EVENTS 7165 static int selinux_perf_event_open(int type) 7166 { 7167 u32 requested, sid = current_sid(); 7168 7169 if (type == PERF_SECURITY_OPEN) 7170 requested = PERF_EVENT__OPEN; 7171 else if (type == PERF_SECURITY_CPU) 7172 requested = PERF_EVENT__CPU; 7173 else if (type == PERF_SECURITY_KERNEL) 7174 requested = PERF_EVENT__KERNEL; 7175 else if (type == PERF_SECURITY_TRACEPOINT) 7176 requested = PERF_EVENT__TRACEPOINT; 7177 else 7178 return -EINVAL; 7179 7180 return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT, 7181 requested, NULL); 7182 } 7183 7184 static int selinux_perf_event_alloc(struct perf_event *event) 7185 { 7186 struct perf_event_security_struct *perfsec; 7187 7188 perfsec = selinux_perf_event(event->security); 7189 perfsec->sid = current_sid(); 7190 7191 return 0; 7192 } 7193 7194 static int selinux_perf_event_read(struct perf_event *event) 7195 { 7196 struct perf_event_security_struct *perfsec = event->security; 7197 u32 sid = current_sid(); 7198 7199 return avc_has_perm(sid, perfsec->sid, 7200 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 7201 } 7202 7203 static int selinux_perf_event_write(struct perf_event *event) 7204 { 7205 struct perf_event_security_struct *perfsec = event->security; 7206 u32 sid = current_sid(); 7207 7208 return avc_has_perm(sid, perfsec->sid, 7209 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7210 } 7211 #endif 7212 7213 #ifdef CONFIG_IO_URING 7214 /** 7215 * selinux_uring_override_creds - check the requested cred override 7216 * @new: the target creds 7217 * 7218 * Check to see if the current task is allowed to override it's credentials 7219 * to service an io_uring operation. 7220 */ 7221 static int selinux_uring_override_creds(const struct cred *new) 7222 { 7223 return avc_has_perm(current_sid(), cred_sid(new), 7224 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL); 7225 } 7226 7227 /** 7228 * selinux_uring_sqpoll - check if a io_uring polling thread can be created 7229 * 7230 * Check to see if the current task is allowed to create a new io_uring 7231 * kernel polling thread. 7232 */ 7233 static int selinux_uring_sqpoll(void) 7234 { 7235 u32 sid = current_sid(); 7236 7237 return avc_has_perm(sid, sid, 7238 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 7239 } 7240 7241 /** 7242 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed 7243 * @ioucmd: the io_uring command structure 7244 * 7245 * Check to see if the current domain is allowed to execute an 7246 * IORING_OP_URING_CMD against the device/file specified in @ioucmd. 7247 * 7248 */ 7249 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) 7250 { 7251 struct file *file = ioucmd->file; 7252 struct inode *inode = file_inode(file); 7253 struct inode_security_struct *isec = selinux_inode(inode); 7254 struct common_audit_data ad; 7255 7256 ad.type = LSM_AUDIT_DATA_FILE; 7257 ad.u.file = file; 7258 7259 return avc_has_perm(current_sid(), isec->sid, 7260 SECCLASS_IO_URING, IO_URING__CMD, &ad); 7261 } 7262 7263 /** 7264 * selinux_uring_allowed - check if io_uring_setup() can be called 7265 * 7266 * Check to see if the current task is allowed to call io_uring_setup(). 7267 */ 7268 static int selinux_uring_allowed(void) 7269 { 7270 u32 sid = current_sid(); 7271 7272 return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED, 7273 NULL); 7274 } 7275 #endif /* CONFIG_IO_URING */ 7276 7277 static const struct lsm_id selinux_lsmid = { 7278 .name = "selinux", 7279 .id = LSM_ID_SELINUX, 7280 }; 7281 7282 /* 7283 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 7284 * 1. any hooks that don't belong to (2.) or (3.) below, 7285 * 2. hooks that both access structures allocated by other hooks, and allocate 7286 * structures that can be later accessed by other hooks (mostly "cloning" 7287 * hooks), 7288 * 3. hooks that only allocate structures that can be later accessed by other 7289 * hooks ("allocating" hooks). 7290 * 7291 * Please follow block comment delimiters in the list to keep this order. 7292 */ 7293 static struct security_hook_list selinux_hooks[] __ro_after_init = { 7294 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 7295 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 7296 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 7297 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 7298 7299 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 7300 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 7301 LSM_HOOK_INIT(capget, selinux_capget), 7302 LSM_HOOK_INIT(capset, selinux_capset), 7303 LSM_HOOK_INIT(capable, selinux_capable), 7304 LSM_HOOK_INIT(quotactl, selinux_quotactl), 7305 LSM_HOOK_INIT(quota_on, selinux_quota_on), 7306 LSM_HOOK_INIT(syslog, selinux_syslog), 7307 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 7308 7309 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 7310 7311 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec), 7312 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 7313 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 7314 7315 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 7316 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat), 7317 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 7318 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 7319 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 7320 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 7321 LSM_HOOK_INIT(sb_mount, selinux_mount), 7322 LSM_HOOK_INIT(sb_umount, selinux_umount), 7323 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 7324 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 7325 7326 LSM_HOOK_INIT(move_mount, selinux_move_mount), 7327 7328 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 7329 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 7330 7331 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 7332 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 7333 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon), 7334 LSM_HOOK_INIT(inode_create, selinux_inode_create), 7335 LSM_HOOK_INIT(inode_link, selinux_inode_link), 7336 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 7337 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 7338 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 7339 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 7340 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 7341 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 7342 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 7343 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 7344 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 7345 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 7346 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 7347 LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap), 7348 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 7349 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 7350 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 7351 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 7352 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 7353 LSM_HOOK_INIT(inode_file_getattr, selinux_inode_file_getattr), 7354 LSM_HOOK_INIT(inode_file_setattr, selinux_inode_file_setattr), 7355 LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl), 7356 LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl), 7357 LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl), 7358 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 7359 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 7360 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 7361 LSM_HOOK_INIT(inode_getlsmprop, selinux_inode_getlsmprop), 7362 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 7363 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 7364 LSM_HOOK_INIT(path_notify, selinux_path_notify), 7365 7366 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 7367 7368 LSM_HOOK_INIT(file_permission, selinux_file_permission), 7369 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 7370 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 7371 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat), 7372 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 7373 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 7374 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 7375 LSM_HOOK_INIT(file_lock, selinux_file_lock), 7376 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 7377 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 7378 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 7379 LSM_HOOK_INIT(file_receive, selinux_file_receive), 7380 7381 LSM_HOOK_INIT(file_open, selinux_file_open), 7382 7383 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 7384 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 7385 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 7386 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 7387 LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop), 7388 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7389 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7390 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7391 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7392 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7393 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7394 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7395 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 7396 LSM_HOOK_INIT(current_getlsmprop_subj, selinux_current_getlsmprop_subj), 7397 LSM_HOOK_INIT(task_getlsmprop_obj, selinux_task_getlsmprop_obj), 7398 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7399 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7400 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7401 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7402 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7403 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7404 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7405 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7406 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7407 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7408 LSM_HOOK_INIT(userns_create, selinux_userns_create), 7409 7410 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7411 LSM_HOOK_INIT(ipc_getlsmprop, selinux_ipc_getlsmprop), 7412 7413 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7414 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7415 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7416 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7417 7418 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7419 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7420 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7421 7422 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7423 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7424 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7425 7426 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7427 7428 LSM_HOOK_INIT(getselfattr, selinux_getselfattr), 7429 LSM_HOOK_INIT(setselfattr, selinux_setselfattr), 7430 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7431 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7432 7433 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7434 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7435 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7436 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7437 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7438 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7439 7440 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7441 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7442 7443 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7444 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7445 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7446 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7447 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7448 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7449 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7450 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7451 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7452 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7453 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7454 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7455 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7456 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7457 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7458 LSM_HOOK_INIT(socket_getpeersec_stream, 7459 selinux_socket_getpeersec_stream), 7460 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7461 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7462 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7463 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7464 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7465 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7466 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7467 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7468 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established), 7469 LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow), 7470 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7471 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7472 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7473 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7474 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7475 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7476 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7477 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7478 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7479 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7480 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7481 #ifdef CONFIG_SECURITY_INFINIBAND 7482 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7483 LSM_HOOK_INIT(ib_endport_manage_subnet, 7484 selinux_ib_endport_manage_subnet), 7485 #endif 7486 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7487 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7488 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7489 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7490 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7491 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7492 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7493 selinux_xfrm_state_pol_flow_match), 7494 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7495 #endif 7496 7497 #ifdef CONFIG_KEYS 7498 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7499 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7500 #ifdef CONFIG_KEY_NOTIFICATIONS 7501 LSM_HOOK_INIT(watch_key, selinux_watch_key), 7502 #endif 7503 #endif 7504 7505 #ifdef CONFIG_AUDIT 7506 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7507 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7508 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7509 #endif 7510 7511 #ifdef CONFIG_BPF_SYSCALL 7512 LSM_HOOK_INIT(bpf, selinux_bpf), 7513 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7514 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7515 #endif 7516 7517 #ifdef CONFIG_PERF_EVENTS 7518 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7519 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7520 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7521 #endif 7522 7523 #ifdef CONFIG_IO_URING 7524 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7525 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7526 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), 7527 LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed), 7528 #endif 7529 7530 /* 7531 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7532 */ 7533 LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount), 7534 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7535 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7536 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7537 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7538 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7539 #endif 7540 7541 /* 7542 * PUT "ALLOCATING" HOOKS HERE 7543 */ 7544 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7545 LSM_HOOK_INIT(msg_queue_alloc_security, 7546 selinux_msg_queue_alloc_security), 7547 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7548 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 7549 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 7550 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7551 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7552 LSM_HOOK_INIT(lsmprop_to_secctx, selinux_lsmprop_to_secctx), 7553 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7554 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7555 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7556 #ifdef CONFIG_SECURITY_INFINIBAND 7557 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7558 #endif 7559 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7560 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7561 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7562 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7563 selinux_xfrm_state_alloc_acquire), 7564 #endif 7565 #ifdef CONFIG_KEYS 7566 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7567 #endif 7568 #ifdef CONFIG_AUDIT 7569 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7570 #endif 7571 #ifdef CONFIG_BPF_SYSCALL 7572 LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create), 7573 LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load), 7574 LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create), 7575 #endif 7576 #ifdef CONFIG_PERF_EVENTS 7577 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7578 #endif 7579 }; 7580 7581 static __init int selinux_init(void) 7582 { 7583 pr_info("SELinux: Initializing.\n"); 7584 7585 memset(&selinux_state, 0, sizeof(selinux_state)); 7586 enforcing_set(selinux_enforcing_boot); 7587 selinux_avc_init(); 7588 mutex_init(&selinux_state.status_lock); 7589 mutex_init(&selinux_state.policy_mutex); 7590 7591 /* Set the security state for the initial task. */ 7592 cred_init_security(); 7593 7594 /* Inform the audit system that secctx is used */ 7595 audit_cfg_lsm(&selinux_lsmid, 7596 AUDIT_CFG_LSM_SECCTX_SUBJECT | 7597 AUDIT_CFG_LSM_SECCTX_OBJECT); 7598 7599 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7600 if (!default_noexec) 7601 pr_notice("SELinux: virtual memory is executable by default\n"); 7602 7603 avc_init(); 7604 7605 avtab_cache_init(); 7606 7607 ebitmap_cache_init(); 7608 7609 hashtab_cache_init(); 7610 7611 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), 7612 &selinux_lsmid); 7613 7614 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7615 panic("SELinux: Unable to register AVC netcache callback\n"); 7616 7617 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7618 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7619 7620 if (selinux_enforcing_boot) 7621 pr_debug("SELinux: Starting in enforcing mode\n"); 7622 else 7623 pr_debug("SELinux: Starting in permissive mode\n"); 7624 7625 fs_validate_description("selinux", selinux_fs_parameters); 7626 7627 return 0; 7628 } 7629 7630 static void delayed_superblock_init(struct super_block *sb, void *unused) 7631 { 7632 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7633 } 7634 7635 void selinux_complete_init(void) 7636 { 7637 pr_debug("SELinux: Completing initialization.\n"); 7638 7639 /* Set up any superblocks initialized prior to the policy load. */ 7640 pr_debug("SELinux: Setting up existing superblocks.\n"); 7641 iterate_supers(delayed_superblock_init, NULL); 7642 } 7643 7644 /* SELinux requires early initialization in order to label 7645 all processes and objects when they are created. */ 7646 DEFINE_LSM(selinux) = { 7647 .name = "selinux", 7648 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7649 .enabled = &selinux_enabled_boot, 7650 .blobs = &selinux_blob_sizes, 7651 .init = selinux_init, 7652 }; 7653 7654 #if defined(CONFIG_NETFILTER) 7655 static const struct nf_hook_ops selinux_nf_ops[] = { 7656 { 7657 .hook = selinux_ip_postroute, 7658 .pf = NFPROTO_IPV4, 7659 .hooknum = NF_INET_POST_ROUTING, 7660 .priority = NF_IP_PRI_SELINUX_LAST, 7661 }, 7662 { 7663 .hook = selinux_ip_forward, 7664 .pf = NFPROTO_IPV4, 7665 .hooknum = NF_INET_FORWARD, 7666 .priority = NF_IP_PRI_SELINUX_FIRST, 7667 }, 7668 { 7669 .hook = selinux_ip_output, 7670 .pf = NFPROTO_IPV4, 7671 .hooknum = NF_INET_LOCAL_OUT, 7672 .priority = NF_IP_PRI_SELINUX_FIRST, 7673 }, 7674 #if IS_ENABLED(CONFIG_IPV6) 7675 { 7676 .hook = selinux_ip_postroute, 7677 .pf = NFPROTO_IPV6, 7678 .hooknum = NF_INET_POST_ROUTING, 7679 .priority = NF_IP6_PRI_SELINUX_LAST, 7680 }, 7681 { 7682 .hook = selinux_ip_forward, 7683 .pf = NFPROTO_IPV6, 7684 .hooknum = NF_INET_FORWARD, 7685 .priority = NF_IP6_PRI_SELINUX_FIRST, 7686 }, 7687 { 7688 .hook = selinux_ip_output, 7689 .pf = NFPROTO_IPV6, 7690 .hooknum = NF_INET_LOCAL_OUT, 7691 .priority = NF_IP6_PRI_SELINUX_FIRST, 7692 }, 7693 #endif /* IPV6 */ 7694 }; 7695 7696 static int __net_init selinux_nf_register(struct net *net) 7697 { 7698 return nf_register_net_hooks(net, selinux_nf_ops, 7699 ARRAY_SIZE(selinux_nf_ops)); 7700 } 7701 7702 static void __net_exit selinux_nf_unregister(struct net *net) 7703 { 7704 nf_unregister_net_hooks(net, selinux_nf_ops, 7705 ARRAY_SIZE(selinux_nf_ops)); 7706 } 7707 7708 static struct pernet_operations selinux_net_ops = { 7709 .init = selinux_nf_register, 7710 .exit = selinux_nf_unregister, 7711 }; 7712 7713 static int __init selinux_nf_ip_init(void) 7714 { 7715 int err; 7716 7717 if (!selinux_enabled_boot) 7718 return 0; 7719 7720 pr_debug("SELinux: Registering netfilter hooks\n"); 7721 7722 err = register_pernet_subsys(&selinux_net_ops); 7723 if (err) 7724 panic("SELinux: register_pernet_subsys: error %d\n", err); 7725 7726 return 0; 7727 } 7728 __initcall(selinux_nf_ip_init); 7729 #endif /* CONFIG_NETFILTER */ 7730