1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <stephen.smalley.work@gmail.com> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/kernel_read_file.h> 28 #include <linux/errno.h> 29 #include <linux/sched/signal.h> 30 #include <linux/sched/task.h> 31 #include <linux/lsm_hooks.h> 32 #include <linux/xattr.h> 33 #include <linux/capability.h> 34 #include <linux/unistd.h> 35 #include <linux/mm.h> 36 #include <linux/mman.h> 37 #include <linux/slab.h> 38 #include <linux/pagemap.h> 39 #include <linux/proc_fs.h> 40 #include <linux/swap.h> 41 #include <linux/spinlock.h> 42 #include <linux/syscalls.h> 43 #include <linux/dcache.h> 44 #include <linux/file.h> 45 #include <linux/fdtable.h> 46 #include <linux/namei.h> 47 #include <linux/mount.h> 48 #include <linux/fs_context.h> 49 #include <linux/fs_parser.h> 50 #include <linux/netfilter_ipv4.h> 51 #include <linux/netfilter_ipv6.h> 52 #include <linux/tty.h> 53 #include <net/icmp.h> 54 #include <net/ip.h> /* for local_port_range[] */ 55 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 56 #include <net/inet_connection_sock.h> 57 #include <net/net_namespace.h> 58 #include <net/netlabel.h> 59 #include <linux/uaccess.h> 60 #include <asm/ioctls.h> 61 #include <linux/atomic.h> 62 #include <linux/bitops.h> 63 #include <linux/interrupt.h> 64 #include <linux/netdevice.h> /* for network interface checks */ 65 #include <net/netlink.h> 66 #include <linux/tcp.h> 67 #include <linux/udp.h> 68 #include <linux/sctp.h> 69 #include <net/sctp/structs.h> 70 #include <linux/quota.h> 71 #include <linux/un.h> /* for Unix socket types */ 72 #include <net/af_unix.h> /* for Unix socket types */ 73 #include <linux/parser.h> 74 #include <linux/nfs_mount.h> 75 #include <net/ipv6.h> 76 #include <linux/hugetlb.h> 77 #include <linux/personality.h> 78 #include <linux/audit.h> 79 #include <linux/string.h> 80 #include <linux/mutex.h> 81 #include <linux/posix-timers.h> 82 #include <linux/syslog.h> 83 #include <linux/user_namespace.h> 84 #include <linux/export.h> 85 #include <linux/msg.h> 86 #include <linux/shm.h> 87 #include <uapi/linux/shm.h> 88 #include <linux/bpf.h> 89 #include <linux/kernfs.h> 90 #include <linux/stringhash.h> /* for hashlen_string() */ 91 #include <uapi/linux/mount.h> 92 #include <linux/fsnotify.h> 93 #include <linux/fanotify.h> 94 #include <linux/io_uring/cmd.h> 95 #include <uapi/linux/lsm.h> 96 97 #include "avc.h" 98 #include "objsec.h" 99 #include "netif.h" 100 #include "netnode.h" 101 #include "netport.h" 102 #include "ibpkey.h" 103 #include "xfrm.h" 104 #include "netlabel.h" 105 #include "audit.h" 106 #include "avc_ss.h" 107 108 #define SELINUX_INODE_INIT_XATTRS 1 109 110 struct selinux_state selinux_state; 111 112 /* SECMARK reference count */ 113 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 114 115 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 116 static int selinux_enforcing_boot __initdata; 117 118 static int __init enforcing_setup(char *str) 119 { 120 unsigned long enforcing; 121 if (!kstrtoul(str, 0, &enforcing)) 122 selinux_enforcing_boot = enforcing ? 1 : 0; 123 return 1; 124 } 125 __setup("enforcing=", enforcing_setup); 126 #else 127 #define selinux_enforcing_boot 1 128 #endif 129 130 int selinux_enabled_boot __initdata = 1; 131 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 132 static int __init selinux_enabled_setup(char *str) 133 { 134 unsigned long enabled; 135 if (!kstrtoul(str, 0, &enabled)) 136 selinux_enabled_boot = enabled ? 1 : 0; 137 return 1; 138 } 139 __setup("selinux=", selinux_enabled_setup); 140 #endif 141 142 static int __init checkreqprot_setup(char *str) 143 { 144 unsigned long checkreqprot; 145 146 if (!kstrtoul(str, 0, &checkreqprot)) { 147 if (checkreqprot) 148 pr_err("SELinux: checkreqprot set to 1 via kernel parameter. This is no longer supported.\n"); 149 } 150 return 1; 151 } 152 __setup("checkreqprot=", checkreqprot_setup); 153 154 /** 155 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 156 * 157 * Description: 158 * This function checks the SECMARK reference counter to see if any SECMARK 159 * targets are currently configured, if the reference counter is greater than 160 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 161 * enabled, false (0) if SECMARK is disabled. If the always_check_network 162 * policy capability is enabled, SECMARK is always considered enabled. 163 * 164 */ 165 static int selinux_secmark_enabled(void) 166 { 167 return (selinux_policycap_alwaysnetwork() || 168 atomic_read(&selinux_secmark_refcount)); 169 } 170 171 /** 172 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 173 * 174 * Description: 175 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 176 * (1) if any are enabled or false (0) if neither are enabled. If the 177 * always_check_network policy capability is enabled, peer labeling 178 * is always considered enabled. 179 * 180 */ 181 static int selinux_peerlbl_enabled(void) 182 { 183 return (selinux_policycap_alwaysnetwork() || 184 netlbl_enabled() || selinux_xfrm_enabled()); 185 } 186 187 static int selinux_netcache_avc_callback(u32 event) 188 { 189 if (event == AVC_CALLBACK_RESET) { 190 sel_netif_flush(); 191 sel_netnode_flush(); 192 sel_netport_flush(); 193 synchronize_net(); 194 } 195 return 0; 196 } 197 198 static int selinux_lsm_notifier_avc_callback(u32 event) 199 { 200 if (event == AVC_CALLBACK_RESET) { 201 sel_ib_pkey_flush(); 202 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 203 } 204 205 return 0; 206 } 207 208 /* 209 * initialise the security for the init task 210 */ 211 static void cred_init_security(void) 212 { 213 struct task_security_struct *tsec; 214 215 /* NOTE: the lsm framework zeros out the buffer on allocation */ 216 217 tsec = selinux_cred(unrcu_pointer(current->real_cred)); 218 tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL; 219 } 220 221 /* 222 * get the security ID of a set of credentials 223 */ 224 static inline u32 cred_sid(const struct cred *cred) 225 { 226 const struct task_security_struct *tsec; 227 228 tsec = selinux_cred(cred); 229 return tsec->sid; 230 } 231 232 static void __ad_net_init(struct common_audit_data *ad, 233 struct lsm_network_audit *net, 234 int ifindex, struct sock *sk, u16 family) 235 { 236 ad->type = LSM_AUDIT_DATA_NET; 237 ad->u.net = net; 238 net->netif = ifindex; 239 net->sk = sk; 240 net->family = family; 241 } 242 243 static void ad_net_init_from_sk(struct common_audit_data *ad, 244 struct lsm_network_audit *net, 245 struct sock *sk) 246 { 247 __ad_net_init(ad, net, 0, sk, 0); 248 } 249 250 static void ad_net_init_from_iif(struct common_audit_data *ad, 251 struct lsm_network_audit *net, 252 int ifindex, u16 family) 253 { 254 __ad_net_init(ad, net, ifindex, NULL, family); 255 } 256 257 /* 258 * get the objective security ID of a task 259 */ 260 static inline u32 task_sid_obj(const struct task_struct *task) 261 { 262 u32 sid; 263 264 rcu_read_lock(); 265 sid = cred_sid(__task_cred(task)); 266 rcu_read_unlock(); 267 return sid; 268 } 269 270 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 271 272 /* 273 * Try reloading inode security labels that have been marked as invalid. The 274 * @may_sleep parameter indicates when sleeping and thus reloading labels is 275 * allowed; when set to false, returns -ECHILD when the label is 276 * invalid. The @dentry parameter should be set to a dentry of the inode. 277 */ 278 static int __inode_security_revalidate(struct inode *inode, 279 struct dentry *dentry, 280 bool may_sleep) 281 { 282 if (!selinux_initialized()) 283 return 0; 284 285 if (may_sleep) 286 might_sleep(); 287 else 288 return -ECHILD; 289 290 /* 291 * Check to ensure that an inode's SELinux state is valid and try 292 * reloading the inode security label if necessary. This will fail if 293 * @dentry is NULL and no dentry for this inode can be found; in that 294 * case, continue using the old label. 295 */ 296 inode_doinit_with_dentry(inode, dentry); 297 return 0; 298 } 299 300 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 301 { 302 return selinux_inode(inode); 303 } 304 305 static inline struct inode_security_struct *inode_security_rcu(struct inode *inode, 306 bool rcu) 307 { 308 int rc; 309 struct inode_security_struct *isec = selinux_inode(inode); 310 311 /* check below is racy, but revalidate will recheck with lock held */ 312 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 313 return isec; 314 rc = __inode_security_revalidate(inode, NULL, !rcu); 315 if (rc) 316 return ERR_PTR(rc); 317 return isec; 318 } 319 320 /* 321 * Get the security label of an inode. 322 */ 323 static inline struct inode_security_struct *inode_security(struct inode *inode) 324 { 325 struct inode_security_struct *isec = selinux_inode(inode); 326 327 /* check below is racy, but revalidate will recheck with lock held */ 328 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 329 return isec; 330 __inode_security_revalidate(inode, NULL, true); 331 return isec; 332 } 333 334 static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 335 { 336 return selinux_inode(d_backing_inode(dentry)); 337 } 338 339 /* 340 * Get the security label of a dentry's backing inode. 341 */ 342 static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry) 343 { 344 struct inode *inode = d_backing_inode(dentry); 345 struct inode_security_struct *isec = selinux_inode(inode); 346 347 /* check below is racy, but revalidate will recheck with lock held */ 348 if (data_race(likely(isec->initialized == LABEL_INITIALIZED))) 349 return isec; 350 __inode_security_revalidate(inode, dentry, true); 351 return isec; 352 } 353 354 static void inode_free_security(struct inode *inode) 355 { 356 struct inode_security_struct *isec = selinux_inode(inode); 357 struct superblock_security_struct *sbsec; 358 359 if (!isec) 360 return; 361 sbsec = selinux_superblock(inode->i_sb); 362 /* 363 * As not all inode security structures are in a list, we check for 364 * empty list outside of the lock to make sure that we won't waste 365 * time taking a lock doing nothing. 366 * 367 * The list_del_init() function can be safely called more than once. 368 * It should not be possible for this function to be called with 369 * concurrent list_add(), but for better safety against future changes 370 * in the code, we use list_empty_careful() here. 371 */ 372 if (!list_empty_careful(&isec->list)) { 373 spin_lock(&sbsec->isec_lock); 374 list_del_init(&isec->list); 375 spin_unlock(&sbsec->isec_lock); 376 } 377 } 378 379 struct selinux_mnt_opts { 380 u32 fscontext_sid; 381 u32 context_sid; 382 u32 rootcontext_sid; 383 u32 defcontext_sid; 384 }; 385 386 static void selinux_free_mnt_opts(void *mnt_opts) 387 { 388 kfree(mnt_opts); 389 } 390 391 enum { 392 Opt_error = -1, 393 Opt_context = 0, 394 Opt_defcontext = 1, 395 Opt_fscontext = 2, 396 Opt_rootcontext = 3, 397 Opt_seclabel = 4, 398 }; 399 400 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 401 static const struct { 402 const char *name; 403 int len; 404 int opt; 405 bool has_arg; 406 } tokens[] = { 407 A(context, true), 408 A(fscontext, true), 409 A(defcontext, true), 410 A(rootcontext, true), 411 A(seclabel, false), 412 }; 413 #undef A 414 415 static int match_opt_prefix(char *s, int l, char **arg) 416 { 417 unsigned int i; 418 419 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 420 size_t len = tokens[i].len; 421 if (len > l || memcmp(s, tokens[i].name, len)) 422 continue; 423 if (tokens[i].has_arg) { 424 if (len == l || s[len] != '=') 425 continue; 426 *arg = s + len + 1; 427 } else if (len != l) 428 continue; 429 return tokens[i].opt; 430 } 431 return Opt_error; 432 } 433 434 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 435 436 static int may_context_mount_sb_relabel(u32 sid, 437 struct superblock_security_struct *sbsec, 438 const struct cred *cred) 439 { 440 const struct task_security_struct *tsec = selinux_cred(cred); 441 int rc; 442 443 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 444 FILESYSTEM__RELABELFROM, NULL); 445 if (rc) 446 return rc; 447 448 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 449 FILESYSTEM__RELABELTO, NULL); 450 return rc; 451 } 452 453 static int may_context_mount_inode_relabel(u32 sid, 454 struct superblock_security_struct *sbsec, 455 const struct cred *cred) 456 { 457 const struct task_security_struct *tsec = selinux_cred(cred); 458 int rc; 459 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 460 FILESYSTEM__RELABELFROM, NULL); 461 if (rc) 462 return rc; 463 464 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 465 FILESYSTEM__ASSOCIATE, NULL); 466 return rc; 467 } 468 469 static int selinux_is_genfs_special_handling(struct super_block *sb) 470 { 471 /* Special handling. Genfs but also in-core setxattr handler */ 472 return !strcmp(sb->s_type->name, "sysfs") || 473 !strcmp(sb->s_type->name, "pstore") || 474 !strcmp(sb->s_type->name, "debugfs") || 475 !strcmp(sb->s_type->name, "tracefs") || 476 !strcmp(sb->s_type->name, "rootfs") || 477 (selinux_policycap_cgroupseclabel() && 478 (!strcmp(sb->s_type->name, "cgroup") || 479 !strcmp(sb->s_type->name, "cgroup2"))) || 480 (selinux_policycap_functionfs_seclabel() && 481 !strcmp(sb->s_type->name, "functionfs")); 482 } 483 484 static int selinux_is_sblabel_mnt(struct super_block *sb) 485 { 486 struct superblock_security_struct *sbsec = selinux_superblock(sb); 487 488 /* 489 * IMPORTANT: Double-check logic in this function when adding a new 490 * SECURITY_FS_USE_* definition! 491 */ 492 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 493 494 switch (sbsec->behavior) { 495 case SECURITY_FS_USE_XATTR: 496 case SECURITY_FS_USE_TRANS: 497 case SECURITY_FS_USE_TASK: 498 case SECURITY_FS_USE_NATIVE: 499 return 1; 500 501 case SECURITY_FS_USE_GENFS: 502 return selinux_is_genfs_special_handling(sb); 503 504 /* Never allow relabeling on context mounts */ 505 case SECURITY_FS_USE_MNTPOINT: 506 case SECURITY_FS_USE_NONE: 507 default: 508 return 0; 509 } 510 } 511 512 static int sb_check_xattr_support(struct super_block *sb) 513 { 514 struct superblock_security_struct *sbsec = selinux_superblock(sb); 515 struct dentry *root = sb->s_root; 516 struct inode *root_inode = d_backing_inode(root); 517 u32 sid; 518 int rc; 519 520 /* 521 * Make sure that the xattr handler exists and that no 522 * error other than -ENODATA is returned by getxattr on 523 * the root directory. -ENODATA is ok, as this may be 524 * the first boot of the SELinux kernel before we have 525 * assigned xattr values to the filesystem. 526 */ 527 if (!(root_inode->i_opflags & IOP_XATTR)) { 528 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n", 529 sb->s_id, sb->s_type->name); 530 goto fallback; 531 } 532 533 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 534 if (rc < 0 && rc != -ENODATA) { 535 if (rc == -EOPNOTSUPP) { 536 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n", 537 sb->s_id, sb->s_type->name); 538 goto fallback; 539 } else { 540 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n", 541 sb->s_id, sb->s_type->name, -rc); 542 return rc; 543 } 544 } 545 return 0; 546 547 fallback: 548 /* No xattr support - try to fallback to genfs if possible. */ 549 rc = security_genfs_sid(sb->s_type->name, "/", 550 SECCLASS_DIR, &sid); 551 if (rc) 552 return -EOPNOTSUPP; 553 554 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n", 555 sb->s_id, sb->s_type->name); 556 sbsec->behavior = SECURITY_FS_USE_GENFS; 557 sbsec->sid = sid; 558 return 0; 559 } 560 561 static int sb_finish_set_opts(struct super_block *sb) 562 { 563 struct superblock_security_struct *sbsec = selinux_superblock(sb); 564 struct dentry *root = sb->s_root; 565 struct inode *root_inode = d_backing_inode(root); 566 int rc = 0; 567 568 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 569 rc = sb_check_xattr_support(sb); 570 if (rc) 571 return rc; 572 } 573 574 sbsec->flags |= SE_SBINITIALIZED; 575 576 /* 577 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 578 * leave the flag untouched because sb_clone_mnt_opts might be handing 579 * us a superblock that needs the flag to be cleared. 580 */ 581 if (selinux_is_sblabel_mnt(sb)) 582 sbsec->flags |= SBLABEL_MNT; 583 else 584 sbsec->flags &= ~SBLABEL_MNT; 585 586 /* Initialize the root inode. */ 587 rc = inode_doinit_with_dentry(root_inode, root); 588 589 /* Initialize any other inodes associated with the superblock, e.g. 590 inodes created prior to initial policy load or inodes created 591 during get_sb by a pseudo filesystem that directly 592 populates itself. */ 593 spin_lock(&sbsec->isec_lock); 594 while (!list_empty(&sbsec->isec_head)) { 595 struct inode_security_struct *isec = 596 list_first_entry(&sbsec->isec_head, 597 struct inode_security_struct, list); 598 struct inode *inode = isec->inode; 599 list_del_init(&isec->list); 600 spin_unlock(&sbsec->isec_lock); 601 inode = igrab(inode); 602 if (inode) { 603 if (!IS_PRIVATE(inode)) 604 inode_doinit_with_dentry(inode, NULL); 605 iput(inode); 606 } 607 spin_lock(&sbsec->isec_lock); 608 } 609 spin_unlock(&sbsec->isec_lock); 610 return rc; 611 } 612 613 static int bad_option(struct superblock_security_struct *sbsec, char flag, 614 u32 old_sid, u32 new_sid) 615 { 616 char mnt_flags = sbsec->flags & SE_MNTMASK; 617 618 /* check if the old mount command had the same options */ 619 if (sbsec->flags & SE_SBINITIALIZED) 620 if (!(sbsec->flags & flag) || 621 (old_sid != new_sid)) 622 return 1; 623 624 /* check if we were passed the same options twice, 625 * aka someone passed context=a,context=b 626 */ 627 if (!(sbsec->flags & SE_SBINITIALIZED)) 628 if (mnt_flags & flag) 629 return 1; 630 return 0; 631 } 632 633 /* 634 * Allow filesystems with binary mount data to explicitly set mount point 635 * labeling information. 636 */ 637 static int selinux_set_mnt_opts(struct super_block *sb, 638 void *mnt_opts, 639 unsigned long kern_flags, 640 unsigned long *set_kern_flags) 641 { 642 const struct cred *cred = current_cred(); 643 struct superblock_security_struct *sbsec = selinux_superblock(sb); 644 struct dentry *root = sb->s_root; 645 struct selinux_mnt_opts *opts = mnt_opts; 646 struct inode_security_struct *root_isec; 647 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 648 u32 defcontext_sid = 0; 649 int rc = 0; 650 651 /* 652 * Specifying internal flags without providing a place to 653 * place the results is not allowed 654 */ 655 if (kern_flags && !set_kern_flags) 656 return -EINVAL; 657 658 mutex_lock(&sbsec->lock); 659 660 if (!selinux_initialized()) { 661 if (!opts) { 662 /* Defer initialization until selinux_complete_init, 663 after the initial policy is loaded and the security 664 server is ready to handle calls. */ 665 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 666 sbsec->flags |= SE_SBNATIVE; 667 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 668 } 669 goto out; 670 } 671 rc = -EINVAL; 672 pr_warn("SELinux: Unable to set superblock options " 673 "before the security server is initialized\n"); 674 goto out; 675 } 676 677 /* 678 * Binary mount data FS will come through this function twice. Once 679 * from an explicit call and once from the generic calls from the vfs. 680 * Since the generic VFS calls will not contain any security mount data 681 * we need to skip the double mount verification. 682 * 683 * This does open a hole in which we will not notice if the first 684 * mount using this sb set explicit options and a second mount using 685 * this sb does not set any security options. (The first options 686 * will be used for both mounts) 687 */ 688 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 689 && !opts) 690 goto out; 691 692 root_isec = backing_inode_security_novalidate(root); 693 694 /* 695 * parse the mount options, check if they are valid sids. 696 * also check if someone is trying to mount the same sb more 697 * than once with different security options. 698 */ 699 if (opts) { 700 if (opts->fscontext_sid) { 701 fscontext_sid = opts->fscontext_sid; 702 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 703 fscontext_sid)) 704 goto out_double_mount; 705 sbsec->flags |= FSCONTEXT_MNT; 706 } 707 if (opts->context_sid) { 708 context_sid = opts->context_sid; 709 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 710 context_sid)) 711 goto out_double_mount; 712 sbsec->flags |= CONTEXT_MNT; 713 } 714 if (opts->rootcontext_sid) { 715 rootcontext_sid = opts->rootcontext_sid; 716 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 717 rootcontext_sid)) 718 goto out_double_mount; 719 sbsec->flags |= ROOTCONTEXT_MNT; 720 } 721 if (opts->defcontext_sid) { 722 defcontext_sid = opts->defcontext_sid; 723 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 724 defcontext_sid)) 725 goto out_double_mount; 726 sbsec->flags |= DEFCONTEXT_MNT; 727 } 728 } 729 730 if (sbsec->flags & SE_SBINITIALIZED) { 731 /* previously mounted with options, but not on this attempt? */ 732 if ((sbsec->flags & SE_MNTMASK) && !opts) 733 goto out_double_mount; 734 rc = 0; 735 goto out; 736 } 737 738 if (strcmp(sb->s_type->name, "proc") == 0) 739 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 740 741 if (!strcmp(sb->s_type->name, "debugfs") || 742 !strcmp(sb->s_type->name, "tracefs") || 743 !strcmp(sb->s_type->name, "binder") || 744 !strcmp(sb->s_type->name, "bpf") || 745 !strcmp(sb->s_type->name, "pstore") || 746 !strcmp(sb->s_type->name, "securityfs") || 747 (selinux_policycap_functionfs_seclabel() && 748 !strcmp(sb->s_type->name, "functionfs"))) 749 sbsec->flags |= SE_SBGENFS; 750 751 if (!strcmp(sb->s_type->name, "sysfs") || 752 !strcmp(sb->s_type->name, "cgroup") || 753 !strcmp(sb->s_type->name, "cgroup2")) 754 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 755 756 if (!sbsec->behavior) { 757 /* 758 * Determine the labeling behavior to use for this 759 * filesystem type. 760 */ 761 rc = security_fs_use(sb); 762 if (rc) { 763 pr_warn("%s: security_fs_use(%s) returned %d\n", 764 __func__, sb->s_type->name, rc); 765 goto out; 766 } 767 } 768 769 /* 770 * If this is a user namespace mount and the filesystem type is not 771 * explicitly whitelisted, then no contexts are allowed on the command 772 * line and security labels must be ignored. 773 */ 774 if (sb->s_user_ns != &init_user_ns && 775 strcmp(sb->s_type->name, "tmpfs") && 776 strcmp(sb->s_type->name, "ramfs") && 777 strcmp(sb->s_type->name, "devpts") && 778 strcmp(sb->s_type->name, "overlay")) { 779 if (context_sid || fscontext_sid || rootcontext_sid || 780 defcontext_sid) { 781 rc = -EACCES; 782 goto out; 783 } 784 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 785 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 786 rc = security_transition_sid(current_sid(), 787 current_sid(), 788 SECCLASS_FILE, NULL, 789 &sbsec->mntpoint_sid); 790 if (rc) 791 goto out; 792 } 793 goto out_set_opts; 794 } 795 796 /* sets the context of the superblock for the fs being mounted. */ 797 if (fscontext_sid) { 798 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 799 if (rc) 800 goto out; 801 802 sbsec->sid = fscontext_sid; 803 } 804 805 /* 806 * Switch to using mount point labeling behavior. 807 * sets the label used on all file below the mountpoint, and will set 808 * the superblock context if not already set. 809 */ 810 if (sbsec->flags & SE_SBNATIVE) { 811 /* 812 * This means we are initializing a superblock that has been 813 * mounted before the SELinux was initialized and the 814 * filesystem requested native labeling. We had already 815 * returned SECURITY_LSM_NATIVE_LABELS in *set_kern_flags 816 * in the original mount attempt, so now we just need to set 817 * the SECURITY_FS_USE_NATIVE behavior. 818 */ 819 sbsec->behavior = SECURITY_FS_USE_NATIVE; 820 } else if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 821 sbsec->behavior = SECURITY_FS_USE_NATIVE; 822 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 823 } 824 825 if (context_sid) { 826 if (!fscontext_sid) { 827 rc = may_context_mount_sb_relabel(context_sid, sbsec, 828 cred); 829 if (rc) 830 goto out; 831 sbsec->sid = context_sid; 832 } else { 833 rc = may_context_mount_inode_relabel(context_sid, sbsec, 834 cred); 835 if (rc) 836 goto out; 837 } 838 if (!rootcontext_sid) 839 rootcontext_sid = context_sid; 840 841 sbsec->mntpoint_sid = context_sid; 842 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 843 } 844 845 if (rootcontext_sid) { 846 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 847 cred); 848 if (rc) 849 goto out; 850 851 root_isec->sid = rootcontext_sid; 852 root_isec->initialized = LABEL_INITIALIZED; 853 } 854 855 if (defcontext_sid) { 856 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 857 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 858 rc = -EINVAL; 859 pr_warn("SELinux: defcontext option is " 860 "invalid for this filesystem type\n"); 861 goto out; 862 } 863 864 if (defcontext_sid != sbsec->def_sid) { 865 rc = may_context_mount_inode_relabel(defcontext_sid, 866 sbsec, cred); 867 if (rc) 868 goto out; 869 } 870 871 sbsec->def_sid = defcontext_sid; 872 } 873 874 out_set_opts: 875 rc = sb_finish_set_opts(sb); 876 out: 877 mutex_unlock(&sbsec->lock); 878 return rc; 879 out_double_mount: 880 rc = -EINVAL; 881 pr_warn("SELinux: mount invalid. Same superblock, different " 882 "security settings for (dev %s, type %s)\n", sb->s_id, 883 sb->s_type->name); 884 goto out; 885 } 886 887 static int selinux_cmp_sb_context(const struct super_block *oldsb, 888 const struct super_block *newsb) 889 { 890 struct superblock_security_struct *old = selinux_superblock(oldsb); 891 struct superblock_security_struct *new = selinux_superblock(newsb); 892 char oldflags = old->flags & SE_MNTMASK; 893 char newflags = new->flags & SE_MNTMASK; 894 895 if (oldflags != newflags) 896 goto mismatch; 897 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 898 goto mismatch; 899 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 900 goto mismatch; 901 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 902 goto mismatch; 903 if (oldflags & ROOTCONTEXT_MNT) { 904 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 905 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 906 if (oldroot->sid != newroot->sid) 907 goto mismatch; 908 } 909 return 0; 910 mismatch: 911 pr_warn("SELinux: mount invalid. Same superblock, " 912 "different security settings for (dev %s, " 913 "type %s)\n", newsb->s_id, newsb->s_type->name); 914 return -EBUSY; 915 } 916 917 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 918 struct super_block *newsb, 919 unsigned long kern_flags, 920 unsigned long *set_kern_flags) 921 { 922 int rc = 0; 923 const struct superblock_security_struct *oldsbsec = 924 selinux_superblock(oldsb); 925 struct superblock_security_struct *newsbsec = selinux_superblock(newsb); 926 927 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 928 int set_context = (oldsbsec->flags & CONTEXT_MNT); 929 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 930 931 /* 932 * Specifying internal flags without providing a place to 933 * place the results is not allowed. 934 */ 935 if (kern_flags && !set_kern_flags) 936 return -EINVAL; 937 938 mutex_lock(&newsbsec->lock); 939 940 /* 941 * if the parent was able to be mounted it clearly had no special lsm 942 * mount options. thus we can safely deal with this superblock later 943 */ 944 if (!selinux_initialized()) { 945 if (kern_flags & SECURITY_LSM_NATIVE_LABELS) { 946 newsbsec->flags |= SE_SBNATIVE; 947 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 948 } 949 goto out; 950 } 951 952 /* how can we clone if the old one wasn't set up?? */ 953 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 954 955 /* if fs is reusing a sb, make sure that the contexts match */ 956 if (newsbsec->flags & SE_SBINITIALIZED) { 957 mutex_unlock(&newsbsec->lock); 958 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 959 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 960 return selinux_cmp_sb_context(oldsb, newsb); 961 } 962 963 newsbsec->flags = oldsbsec->flags; 964 965 newsbsec->sid = oldsbsec->sid; 966 newsbsec->def_sid = oldsbsec->def_sid; 967 newsbsec->behavior = oldsbsec->behavior; 968 969 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 970 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 971 rc = security_fs_use(newsb); 972 if (rc) 973 goto out; 974 } 975 976 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 977 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 978 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 979 } 980 981 if (set_context) { 982 u32 sid = oldsbsec->mntpoint_sid; 983 984 if (!set_fscontext) 985 newsbsec->sid = sid; 986 if (!set_rootcontext) { 987 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 988 newisec->sid = sid; 989 } 990 newsbsec->mntpoint_sid = sid; 991 } 992 if (set_rootcontext) { 993 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 994 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 995 996 newisec->sid = oldisec->sid; 997 } 998 999 sb_finish_set_opts(newsb); 1000 out: 1001 mutex_unlock(&newsbsec->lock); 1002 return rc; 1003 } 1004 1005 /* 1006 * NOTE: the caller is responsible for freeing the memory even if on error. 1007 */ 1008 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 1009 { 1010 struct selinux_mnt_opts *opts = *mnt_opts; 1011 u32 *dst_sid; 1012 int rc; 1013 1014 if (token == Opt_seclabel) 1015 /* eaten and completely ignored */ 1016 return 0; 1017 if (!s) 1018 return -EINVAL; 1019 1020 if (!selinux_initialized()) { 1021 pr_warn("SELinux: Unable to set superblock options before the security server is initialized\n"); 1022 return -EINVAL; 1023 } 1024 1025 if (!opts) { 1026 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 1027 if (!opts) 1028 return -ENOMEM; 1029 *mnt_opts = opts; 1030 } 1031 1032 switch (token) { 1033 case Opt_context: 1034 if (opts->context_sid || opts->defcontext_sid) 1035 goto err; 1036 dst_sid = &opts->context_sid; 1037 break; 1038 case Opt_fscontext: 1039 if (opts->fscontext_sid) 1040 goto err; 1041 dst_sid = &opts->fscontext_sid; 1042 break; 1043 case Opt_rootcontext: 1044 if (opts->rootcontext_sid) 1045 goto err; 1046 dst_sid = &opts->rootcontext_sid; 1047 break; 1048 case Opt_defcontext: 1049 if (opts->context_sid || opts->defcontext_sid) 1050 goto err; 1051 dst_sid = &opts->defcontext_sid; 1052 break; 1053 default: 1054 WARN_ON(1); 1055 return -EINVAL; 1056 } 1057 rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL); 1058 if (rc) 1059 pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n", 1060 s, rc); 1061 return rc; 1062 1063 err: 1064 pr_warn(SEL_MOUNT_FAIL_MSG); 1065 return -EINVAL; 1066 } 1067 1068 static int show_sid(struct seq_file *m, u32 sid) 1069 { 1070 char *context = NULL; 1071 u32 len; 1072 int rc; 1073 1074 rc = security_sid_to_context(sid, &context, &len); 1075 if (!rc) { 1076 bool has_comma = strchr(context, ','); 1077 1078 seq_putc(m, '='); 1079 if (has_comma) 1080 seq_putc(m, '\"'); 1081 seq_escape(m, context, "\"\n\\"); 1082 if (has_comma) 1083 seq_putc(m, '\"'); 1084 } 1085 kfree(context); 1086 return rc; 1087 } 1088 1089 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1090 { 1091 struct superblock_security_struct *sbsec = selinux_superblock(sb); 1092 int rc; 1093 1094 if (!(sbsec->flags & SE_SBINITIALIZED)) 1095 return 0; 1096 1097 if (!selinux_initialized()) 1098 return 0; 1099 1100 if (sbsec->flags & FSCONTEXT_MNT) { 1101 seq_putc(m, ','); 1102 seq_puts(m, FSCONTEXT_STR); 1103 rc = show_sid(m, sbsec->sid); 1104 if (rc) 1105 return rc; 1106 } 1107 if (sbsec->flags & CONTEXT_MNT) { 1108 seq_putc(m, ','); 1109 seq_puts(m, CONTEXT_STR); 1110 rc = show_sid(m, sbsec->mntpoint_sid); 1111 if (rc) 1112 return rc; 1113 } 1114 if (sbsec->flags & DEFCONTEXT_MNT) { 1115 seq_putc(m, ','); 1116 seq_puts(m, DEFCONTEXT_STR); 1117 rc = show_sid(m, sbsec->def_sid); 1118 if (rc) 1119 return rc; 1120 } 1121 if (sbsec->flags & ROOTCONTEXT_MNT) { 1122 struct dentry *root = sb->s_root; 1123 struct inode_security_struct *isec = backing_inode_security(root); 1124 seq_putc(m, ','); 1125 seq_puts(m, ROOTCONTEXT_STR); 1126 rc = show_sid(m, isec->sid); 1127 if (rc) 1128 return rc; 1129 } 1130 if (sbsec->flags & SBLABEL_MNT) { 1131 seq_putc(m, ','); 1132 seq_puts(m, SECLABEL_STR); 1133 } 1134 return 0; 1135 } 1136 1137 static inline u16 inode_mode_to_security_class(umode_t mode) 1138 { 1139 switch (mode & S_IFMT) { 1140 case S_IFSOCK: 1141 return SECCLASS_SOCK_FILE; 1142 case S_IFLNK: 1143 return SECCLASS_LNK_FILE; 1144 case S_IFREG: 1145 return SECCLASS_FILE; 1146 case S_IFBLK: 1147 return SECCLASS_BLK_FILE; 1148 case S_IFDIR: 1149 return SECCLASS_DIR; 1150 case S_IFCHR: 1151 return SECCLASS_CHR_FILE; 1152 case S_IFIFO: 1153 return SECCLASS_FIFO_FILE; 1154 1155 } 1156 1157 return SECCLASS_FILE; 1158 } 1159 1160 static inline int default_protocol_stream(int protocol) 1161 { 1162 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP || 1163 protocol == IPPROTO_MPTCP); 1164 } 1165 1166 static inline int default_protocol_dgram(int protocol) 1167 { 1168 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1169 } 1170 1171 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1172 { 1173 bool extsockclass = selinux_policycap_extsockclass(); 1174 1175 switch (family) { 1176 case PF_UNIX: 1177 switch (type) { 1178 case SOCK_STREAM: 1179 case SOCK_SEQPACKET: 1180 return SECCLASS_UNIX_STREAM_SOCKET; 1181 case SOCK_DGRAM: 1182 case SOCK_RAW: 1183 return SECCLASS_UNIX_DGRAM_SOCKET; 1184 } 1185 break; 1186 case PF_INET: 1187 case PF_INET6: 1188 switch (type) { 1189 case SOCK_STREAM: 1190 case SOCK_SEQPACKET: 1191 if (default_protocol_stream(protocol)) 1192 return SECCLASS_TCP_SOCKET; 1193 else if (extsockclass && protocol == IPPROTO_SCTP) 1194 return SECCLASS_SCTP_SOCKET; 1195 else 1196 return SECCLASS_RAWIP_SOCKET; 1197 case SOCK_DGRAM: 1198 if (default_protocol_dgram(protocol)) 1199 return SECCLASS_UDP_SOCKET; 1200 else if (extsockclass && (protocol == IPPROTO_ICMP || 1201 protocol == IPPROTO_ICMPV6)) 1202 return SECCLASS_ICMP_SOCKET; 1203 else 1204 return SECCLASS_RAWIP_SOCKET; 1205 default: 1206 return SECCLASS_RAWIP_SOCKET; 1207 } 1208 break; 1209 case PF_NETLINK: 1210 switch (protocol) { 1211 case NETLINK_ROUTE: 1212 return SECCLASS_NETLINK_ROUTE_SOCKET; 1213 case NETLINK_SOCK_DIAG: 1214 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1215 case NETLINK_NFLOG: 1216 return SECCLASS_NETLINK_NFLOG_SOCKET; 1217 case NETLINK_XFRM: 1218 return SECCLASS_NETLINK_XFRM_SOCKET; 1219 case NETLINK_SELINUX: 1220 return SECCLASS_NETLINK_SELINUX_SOCKET; 1221 case NETLINK_ISCSI: 1222 return SECCLASS_NETLINK_ISCSI_SOCKET; 1223 case NETLINK_AUDIT: 1224 return SECCLASS_NETLINK_AUDIT_SOCKET; 1225 case NETLINK_FIB_LOOKUP: 1226 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1227 case NETLINK_CONNECTOR: 1228 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1229 case NETLINK_NETFILTER: 1230 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1231 case NETLINK_DNRTMSG: 1232 return SECCLASS_NETLINK_DNRT_SOCKET; 1233 case NETLINK_KOBJECT_UEVENT: 1234 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1235 case NETLINK_GENERIC: 1236 return SECCLASS_NETLINK_GENERIC_SOCKET; 1237 case NETLINK_SCSITRANSPORT: 1238 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1239 case NETLINK_RDMA: 1240 return SECCLASS_NETLINK_RDMA_SOCKET; 1241 case NETLINK_CRYPTO: 1242 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1243 default: 1244 return SECCLASS_NETLINK_SOCKET; 1245 } 1246 case PF_PACKET: 1247 return SECCLASS_PACKET_SOCKET; 1248 case PF_KEY: 1249 return SECCLASS_KEY_SOCKET; 1250 case PF_APPLETALK: 1251 return SECCLASS_APPLETALK_SOCKET; 1252 } 1253 1254 if (extsockclass) { 1255 switch (family) { 1256 case PF_AX25: 1257 return SECCLASS_AX25_SOCKET; 1258 case PF_IPX: 1259 return SECCLASS_IPX_SOCKET; 1260 case PF_NETROM: 1261 return SECCLASS_NETROM_SOCKET; 1262 case PF_ATMPVC: 1263 return SECCLASS_ATMPVC_SOCKET; 1264 case PF_X25: 1265 return SECCLASS_X25_SOCKET; 1266 case PF_ROSE: 1267 return SECCLASS_ROSE_SOCKET; 1268 case PF_DECnet: 1269 return SECCLASS_DECNET_SOCKET; 1270 case PF_ATMSVC: 1271 return SECCLASS_ATMSVC_SOCKET; 1272 case PF_RDS: 1273 return SECCLASS_RDS_SOCKET; 1274 case PF_IRDA: 1275 return SECCLASS_IRDA_SOCKET; 1276 case PF_PPPOX: 1277 return SECCLASS_PPPOX_SOCKET; 1278 case PF_LLC: 1279 return SECCLASS_LLC_SOCKET; 1280 case PF_CAN: 1281 return SECCLASS_CAN_SOCKET; 1282 case PF_TIPC: 1283 return SECCLASS_TIPC_SOCKET; 1284 case PF_BLUETOOTH: 1285 return SECCLASS_BLUETOOTH_SOCKET; 1286 case PF_IUCV: 1287 return SECCLASS_IUCV_SOCKET; 1288 case PF_RXRPC: 1289 return SECCLASS_RXRPC_SOCKET; 1290 case PF_ISDN: 1291 return SECCLASS_ISDN_SOCKET; 1292 case PF_PHONET: 1293 return SECCLASS_PHONET_SOCKET; 1294 case PF_IEEE802154: 1295 return SECCLASS_IEEE802154_SOCKET; 1296 case PF_CAIF: 1297 return SECCLASS_CAIF_SOCKET; 1298 case PF_ALG: 1299 return SECCLASS_ALG_SOCKET; 1300 case PF_NFC: 1301 return SECCLASS_NFC_SOCKET; 1302 case PF_VSOCK: 1303 return SECCLASS_VSOCK_SOCKET; 1304 case PF_KCM: 1305 return SECCLASS_KCM_SOCKET; 1306 case PF_QIPCRTR: 1307 return SECCLASS_QIPCRTR_SOCKET; 1308 case PF_SMC: 1309 return SECCLASS_SMC_SOCKET; 1310 case PF_XDP: 1311 return SECCLASS_XDP_SOCKET; 1312 case PF_MCTP: 1313 return SECCLASS_MCTP_SOCKET; 1314 #if PF_MAX > 46 1315 #error New address family defined, please update this function. 1316 #endif 1317 } 1318 } 1319 1320 return SECCLASS_SOCKET; 1321 } 1322 1323 static int selinux_genfs_get_sid(struct dentry *dentry, 1324 u16 tclass, 1325 u16 flags, 1326 u32 *sid) 1327 { 1328 int rc; 1329 struct super_block *sb = dentry->d_sb; 1330 char *buffer, *path; 1331 1332 buffer = (char *)__get_free_page(GFP_KERNEL); 1333 if (!buffer) 1334 return -ENOMEM; 1335 1336 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1337 if (IS_ERR(path)) 1338 rc = PTR_ERR(path); 1339 else { 1340 if (flags & SE_SBPROC) { 1341 /* each process gets a /proc/PID/ entry. Strip off the 1342 * PID part to get a valid selinux labeling. 1343 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1344 while (path[1] >= '0' && path[1] <= '9') { 1345 path[1] = '/'; 1346 path++; 1347 } 1348 } 1349 rc = security_genfs_sid(sb->s_type->name, 1350 path, tclass, sid); 1351 if (rc == -ENOENT) { 1352 /* No match in policy, mark as unlabeled. */ 1353 *sid = SECINITSID_UNLABELED; 1354 rc = 0; 1355 } 1356 } 1357 free_page((unsigned long)buffer); 1358 return rc; 1359 } 1360 1361 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1362 u32 def_sid, u32 *sid) 1363 { 1364 #define INITCONTEXTLEN 255 1365 char *context; 1366 unsigned int len; 1367 int rc; 1368 1369 len = INITCONTEXTLEN; 1370 context = kmalloc(len + 1, GFP_NOFS); 1371 if (!context) 1372 return -ENOMEM; 1373 1374 context[len] = '\0'; 1375 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1376 if (rc == -ERANGE) { 1377 kfree(context); 1378 1379 /* Need a larger buffer. Query for the right size. */ 1380 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1381 if (rc < 0) 1382 return rc; 1383 1384 len = rc; 1385 context = kmalloc(len + 1, GFP_NOFS); 1386 if (!context) 1387 return -ENOMEM; 1388 1389 context[len] = '\0'; 1390 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1391 context, len); 1392 } 1393 if (rc < 0) { 1394 kfree(context); 1395 if (rc != -ENODATA) { 1396 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1397 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1398 return rc; 1399 } 1400 *sid = def_sid; 1401 return 0; 1402 } 1403 1404 rc = security_context_to_sid_default(context, rc, sid, 1405 def_sid, GFP_NOFS); 1406 if (rc) { 1407 char *dev = inode->i_sb->s_id; 1408 unsigned long ino = inode->i_ino; 1409 1410 if (rc == -EINVAL) { 1411 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1412 ino, dev, context); 1413 } else { 1414 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1415 __func__, context, -rc, dev, ino); 1416 } 1417 } 1418 kfree(context); 1419 return 0; 1420 } 1421 1422 /* The inode's security attributes must be initialized before first use. */ 1423 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1424 { 1425 struct superblock_security_struct *sbsec = NULL; 1426 struct inode_security_struct *isec = selinux_inode(inode); 1427 u32 task_sid, sid = 0; 1428 u16 sclass; 1429 struct dentry *dentry; 1430 int rc = 0; 1431 1432 if (isec->initialized == LABEL_INITIALIZED) 1433 return 0; 1434 1435 spin_lock(&isec->lock); 1436 if (isec->initialized == LABEL_INITIALIZED) 1437 goto out_unlock; 1438 1439 if (isec->sclass == SECCLASS_FILE) 1440 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1441 1442 sbsec = selinux_superblock(inode->i_sb); 1443 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1444 /* Defer initialization until selinux_complete_init, 1445 after the initial policy is loaded and the security 1446 server is ready to handle calls. */ 1447 spin_lock(&sbsec->isec_lock); 1448 if (list_empty(&isec->list)) 1449 list_add(&isec->list, &sbsec->isec_head); 1450 spin_unlock(&sbsec->isec_lock); 1451 goto out_unlock; 1452 } 1453 1454 sclass = isec->sclass; 1455 task_sid = isec->task_sid; 1456 sid = isec->sid; 1457 isec->initialized = LABEL_PENDING; 1458 spin_unlock(&isec->lock); 1459 1460 switch (sbsec->behavior) { 1461 /* 1462 * In case of SECURITY_FS_USE_NATIVE we need to re-fetch the labels 1463 * via xattr when called from delayed_superblock_init(). 1464 */ 1465 case SECURITY_FS_USE_NATIVE: 1466 case SECURITY_FS_USE_XATTR: 1467 if (!(inode->i_opflags & IOP_XATTR)) { 1468 sid = sbsec->def_sid; 1469 break; 1470 } 1471 /* Need a dentry, since the xattr API requires one. 1472 Life would be simpler if we could just pass the inode. */ 1473 if (opt_dentry) { 1474 /* Called from d_instantiate or d_splice_alias. */ 1475 dentry = dget(opt_dentry); 1476 } else { 1477 /* 1478 * Called from selinux_complete_init, try to find a dentry. 1479 * Some filesystems really want a connected one, so try 1480 * that first. We could split SECURITY_FS_USE_XATTR in 1481 * two, depending upon that... 1482 */ 1483 dentry = d_find_alias(inode); 1484 if (!dentry) 1485 dentry = d_find_any_alias(inode); 1486 } 1487 if (!dentry) { 1488 /* 1489 * this is can be hit on boot when a file is accessed 1490 * before the policy is loaded. When we load policy we 1491 * may find inodes that have no dentry on the 1492 * sbsec->isec_head list. No reason to complain as these 1493 * will get fixed up the next time we go through 1494 * inode_doinit with a dentry, before these inodes could 1495 * be used again by userspace. 1496 */ 1497 goto out_invalid; 1498 } 1499 1500 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1501 &sid); 1502 dput(dentry); 1503 if (rc) 1504 goto out; 1505 break; 1506 case SECURITY_FS_USE_TASK: 1507 sid = task_sid; 1508 break; 1509 case SECURITY_FS_USE_TRANS: 1510 /* Default to the fs SID. */ 1511 sid = sbsec->sid; 1512 1513 /* Try to obtain a transition SID. */ 1514 rc = security_transition_sid(task_sid, sid, 1515 sclass, NULL, &sid); 1516 if (rc) 1517 goto out; 1518 break; 1519 case SECURITY_FS_USE_MNTPOINT: 1520 sid = sbsec->mntpoint_sid; 1521 break; 1522 default: 1523 /* Default to the fs superblock SID. */ 1524 sid = sbsec->sid; 1525 1526 if ((sbsec->flags & SE_SBGENFS) && 1527 (!S_ISLNK(inode->i_mode) || 1528 selinux_policycap_genfs_seclabel_symlinks())) { 1529 /* We must have a dentry to determine the label on 1530 * procfs inodes */ 1531 if (opt_dentry) { 1532 /* Called from d_instantiate or 1533 * d_splice_alias. */ 1534 dentry = dget(opt_dentry); 1535 } else { 1536 /* Called from selinux_complete_init, try to 1537 * find a dentry. Some filesystems really want 1538 * a connected one, so try that first. 1539 */ 1540 dentry = d_find_alias(inode); 1541 if (!dentry) 1542 dentry = d_find_any_alias(inode); 1543 } 1544 /* 1545 * This can be hit on boot when a file is accessed 1546 * before the policy is loaded. When we load policy we 1547 * may find inodes that have no dentry on the 1548 * sbsec->isec_head list. No reason to complain as 1549 * these will get fixed up the next time we go through 1550 * inode_doinit() with a dentry, before these inodes 1551 * could be used again by userspace. 1552 */ 1553 if (!dentry) 1554 goto out_invalid; 1555 rc = selinux_genfs_get_sid(dentry, sclass, 1556 sbsec->flags, &sid); 1557 if (rc) { 1558 dput(dentry); 1559 goto out; 1560 } 1561 1562 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1563 (inode->i_opflags & IOP_XATTR)) { 1564 rc = inode_doinit_use_xattr(inode, dentry, 1565 sid, &sid); 1566 if (rc) { 1567 dput(dentry); 1568 goto out; 1569 } 1570 } 1571 dput(dentry); 1572 } 1573 break; 1574 } 1575 1576 out: 1577 spin_lock(&isec->lock); 1578 if (isec->initialized == LABEL_PENDING) { 1579 if (rc) { 1580 isec->initialized = LABEL_INVALID; 1581 goto out_unlock; 1582 } 1583 isec->initialized = LABEL_INITIALIZED; 1584 isec->sid = sid; 1585 } 1586 1587 out_unlock: 1588 spin_unlock(&isec->lock); 1589 return rc; 1590 1591 out_invalid: 1592 spin_lock(&isec->lock); 1593 if (isec->initialized == LABEL_PENDING) { 1594 isec->initialized = LABEL_INVALID; 1595 isec->sid = sid; 1596 } 1597 spin_unlock(&isec->lock); 1598 return 0; 1599 } 1600 1601 /* Convert a Linux signal to an access vector. */ 1602 static inline u32 signal_to_av(int sig) 1603 { 1604 u32 perm = 0; 1605 1606 switch (sig) { 1607 case SIGCHLD: 1608 /* Commonly granted from child to parent. */ 1609 perm = PROCESS__SIGCHLD; 1610 break; 1611 case SIGKILL: 1612 /* Cannot be caught or ignored */ 1613 perm = PROCESS__SIGKILL; 1614 break; 1615 case SIGSTOP: 1616 /* Cannot be caught or ignored */ 1617 perm = PROCESS__SIGSTOP; 1618 break; 1619 default: 1620 /* All other signals. */ 1621 perm = PROCESS__SIGNAL; 1622 break; 1623 } 1624 1625 return perm; 1626 } 1627 1628 #if CAP_LAST_CAP > 63 1629 #error Fix SELinux to handle capabilities > 63. 1630 #endif 1631 1632 /* Check whether a task is allowed to use a capability. */ 1633 static int cred_has_capability(const struct cred *cred, 1634 int cap, unsigned int opts, bool initns) 1635 { 1636 struct common_audit_data ad; 1637 struct av_decision avd; 1638 u16 sclass; 1639 u32 sid = cred_sid(cred); 1640 u32 av = CAP_TO_MASK(cap); 1641 int rc; 1642 1643 ad.type = LSM_AUDIT_DATA_CAP; 1644 ad.u.cap = cap; 1645 1646 switch (CAP_TO_INDEX(cap)) { 1647 case 0: 1648 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1649 break; 1650 case 1: 1651 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1652 break; 1653 default: 1654 pr_err("SELinux: out of range capability %d\n", cap); 1655 BUG(); 1656 return -EINVAL; 1657 } 1658 1659 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1660 if (!(opts & CAP_OPT_NOAUDIT)) { 1661 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad); 1662 if (rc2) 1663 return rc2; 1664 } 1665 return rc; 1666 } 1667 1668 /* Check whether a task has a particular permission to an inode. 1669 The 'adp' parameter is optional and allows other audit 1670 data to be passed (e.g. the dentry). */ 1671 static int inode_has_perm(const struct cred *cred, 1672 struct inode *inode, 1673 u32 perms, 1674 struct common_audit_data *adp) 1675 { 1676 struct inode_security_struct *isec; 1677 u32 sid; 1678 1679 if (unlikely(IS_PRIVATE(inode))) 1680 return 0; 1681 1682 sid = cred_sid(cred); 1683 isec = selinux_inode(inode); 1684 1685 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1686 } 1687 1688 /* Same as inode_has_perm, but pass explicit audit data containing 1689 the dentry to help the auditing code to more easily generate the 1690 pathname if needed. */ 1691 static inline int dentry_has_perm(const struct cred *cred, 1692 struct dentry *dentry, 1693 u32 av) 1694 { 1695 struct common_audit_data ad; 1696 struct inode *inode = d_backing_inode(dentry); 1697 struct inode_security_struct *isec = selinux_inode(inode); 1698 1699 ad.type = LSM_AUDIT_DATA_DENTRY; 1700 ad.u.dentry = dentry; 1701 /* check below is racy, but revalidate will recheck with lock held */ 1702 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1703 __inode_security_revalidate(inode, dentry, true); 1704 return inode_has_perm(cred, inode, av, &ad); 1705 } 1706 1707 /* Same as inode_has_perm, but pass explicit audit data containing 1708 the path to help the auditing code to more easily generate the 1709 pathname if needed. */ 1710 static inline int path_has_perm(const struct cred *cred, 1711 const struct path *path, 1712 u32 av) 1713 { 1714 struct common_audit_data ad; 1715 struct inode *inode = d_backing_inode(path->dentry); 1716 struct inode_security_struct *isec = selinux_inode(inode); 1717 1718 ad.type = LSM_AUDIT_DATA_PATH; 1719 ad.u.path = *path; 1720 /* check below is racy, but revalidate will recheck with lock held */ 1721 if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED))) 1722 __inode_security_revalidate(inode, path->dentry, true); 1723 return inode_has_perm(cred, inode, av, &ad); 1724 } 1725 1726 /* Same as path_has_perm, but uses the inode from the file struct. */ 1727 static inline int file_path_has_perm(const struct cred *cred, 1728 struct file *file, 1729 u32 av) 1730 { 1731 struct common_audit_data ad; 1732 1733 ad.type = LSM_AUDIT_DATA_FILE; 1734 ad.u.file = file; 1735 return inode_has_perm(cred, file_inode(file), av, &ad); 1736 } 1737 1738 #ifdef CONFIG_BPF_SYSCALL 1739 static int bpf_fd_pass(const struct file *file, u32 sid); 1740 #endif 1741 1742 /* Check whether a task can use an open file descriptor to 1743 access an inode in a given way. Check access to the 1744 descriptor itself, and then use dentry_has_perm to 1745 check a particular permission to the file. 1746 Access to the descriptor is implicitly granted if it 1747 has the same SID as the process. If av is zero, then 1748 access to the file is not checked, e.g. for cases 1749 where only the descriptor is affected like seek. */ 1750 static int file_has_perm(const struct cred *cred, 1751 struct file *file, 1752 u32 av) 1753 { 1754 struct file_security_struct *fsec = selinux_file(file); 1755 struct inode *inode = file_inode(file); 1756 struct common_audit_data ad; 1757 u32 sid = cred_sid(cred); 1758 int rc; 1759 1760 ad.type = LSM_AUDIT_DATA_FILE; 1761 ad.u.file = file; 1762 1763 if (sid != fsec->sid) { 1764 rc = avc_has_perm(sid, fsec->sid, 1765 SECCLASS_FD, 1766 FD__USE, 1767 &ad); 1768 if (rc) 1769 goto out; 1770 } 1771 1772 #ifdef CONFIG_BPF_SYSCALL 1773 rc = bpf_fd_pass(file, cred_sid(cred)); 1774 if (rc) 1775 return rc; 1776 #endif 1777 1778 /* av is zero if only checking access to the descriptor. */ 1779 rc = 0; 1780 if (av) 1781 rc = inode_has_perm(cred, inode, av, &ad); 1782 1783 out: 1784 return rc; 1785 } 1786 1787 /* 1788 * Determine the label for an inode that might be unioned. 1789 */ 1790 static int 1791 selinux_determine_inode_label(const struct task_security_struct *tsec, 1792 struct inode *dir, 1793 const struct qstr *name, u16 tclass, 1794 u32 *_new_isid) 1795 { 1796 const struct superblock_security_struct *sbsec = 1797 selinux_superblock(dir->i_sb); 1798 1799 if ((sbsec->flags & SE_SBINITIALIZED) && 1800 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1801 *_new_isid = sbsec->mntpoint_sid; 1802 } else if ((sbsec->flags & SBLABEL_MNT) && 1803 tsec->create_sid) { 1804 *_new_isid = tsec->create_sid; 1805 } else { 1806 const struct inode_security_struct *dsec = inode_security(dir); 1807 return security_transition_sid(tsec->sid, 1808 dsec->sid, tclass, 1809 name, _new_isid); 1810 } 1811 1812 return 0; 1813 } 1814 1815 /* Check whether a task can create a file. */ 1816 static int may_create(struct inode *dir, 1817 struct dentry *dentry, 1818 u16 tclass) 1819 { 1820 const struct task_security_struct *tsec = selinux_cred(current_cred()); 1821 struct inode_security_struct *dsec; 1822 struct superblock_security_struct *sbsec; 1823 u32 sid, newsid; 1824 struct common_audit_data ad; 1825 int rc; 1826 1827 dsec = inode_security(dir); 1828 sbsec = selinux_superblock(dir->i_sb); 1829 1830 sid = tsec->sid; 1831 1832 ad.type = LSM_AUDIT_DATA_DENTRY; 1833 ad.u.dentry = dentry; 1834 1835 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1836 DIR__ADD_NAME | DIR__SEARCH, 1837 &ad); 1838 if (rc) 1839 return rc; 1840 1841 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, 1842 &newsid); 1843 if (rc) 1844 return rc; 1845 1846 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1847 if (rc) 1848 return rc; 1849 1850 return avc_has_perm(newsid, sbsec->sid, 1851 SECCLASS_FILESYSTEM, 1852 FILESYSTEM__ASSOCIATE, &ad); 1853 } 1854 1855 #define MAY_LINK 0 1856 #define MAY_UNLINK 1 1857 #define MAY_RMDIR 2 1858 1859 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1860 static int may_link(struct inode *dir, 1861 struct dentry *dentry, 1862 int kind) 1863 1864 { 1865 struct inode_security_struct *dsec, *isec; 1866 struct common_audit_data ad; 1867 u32 sid = current_sid(); 1868 u32 av; 1869 int rc; 1870 1871 dsec = inode_security(dir); 1872 isec = backing_inode_security(dentry); 1873 1874 ad.type = LSM_AUDIT_DATA_DENTRY; 1875 ad.u.dentry = dentry; 1876 1877 av = DIR__SEARCH; 1878 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1879 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1880 if (rc) 1881 return rc; 1882 1883 switch (kind) { 1884 case MAY_LINK: 1885 av = FILE__LINK; 1886 break; 1887 case MAY_UNLINK: 1888 av = FILE__UNLINK; 1889 break; 1890 case MAY_RMDIR: 1891 av = DIR__RMDIR; 1892 break; 1893 default: 1894 pr_warn("SELinux: %s: unrecognized kind %d\n", 1895 __func__, kind); 1896 return 0; 1897 } 1898 1899 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1900 return rc; 1901 } 1902 1903 static inline int may_rename(struct inode *old_dir, 1904 struct dentry *old_dentry, 1905 struct inode *new_dir, 1906 struct dentry *new_dentry) 1907 { 1908 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1909 struct common_audit_data ad; 1910 u32 sid = current_sid(); 1911 u32 av; 1912 int old_is_dir, new_is_dir; 1913 int rc; 1914 1915 old_dsec = inode_security(old_dir); 1916 old_isec = backing_inode_security(old_dentry); 1917 old_is_dir = d_is_dir(old_dentry); 1918 new_dsec = inode_security(new_dir); 1919 1920 ad.type = LSM_AUDIT_DATA_DENTRY; 1921 1922 ad.u.dentry = old_dentry; 1923 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1924 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1925 if (rc) 1926 return rc; 1927 rc = avc_has_perm(sid, old_isec->sid, 1928 old_isec->sclass, FILE__RENAME, &ad); 1929 if (rc) 1930 return rc; 1931 if (old_is_dir && new_dir != old_dir) { 1932 rc = avc_has_perm(sid, old_isec->sid, 1933 old_isec->sclass, DIR__REPARENT, &ad); 1934 if (rc) 1935 return rc; 1936 } 1937 1938 ad.u.dentry = new_dentry; 1939 av = DIR__ADD_NAME | DIR__SEARCH; 1940 if (d_is_positive(new_dentry)) 1941 av |= DIR__REMOVE_NAME; 1942 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1943 if (rc) 1944 return rc; 1945 if (d_is_positive(new_dentry)) { 1946 new_isec = backing_inode_security(new_dentry); 1947 new_is_dir = d_is_dir(new_dentry); 1948 rc = avc_has_perm(sid, new_isec->sid, 1949 new_isec->sclass, 1950 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1951 if (rc) 1952 return rc; 1953 } 1954 1955 return 0; 1956 } 1957 1958 /* Check whether a task can perform a filesystem operation. */ 1959 static int superblock_has_perm(const struct cred *cred, 1960 const struct super_block *sb, 1961 u32 perms, 1962 struct common_audit_data *ad) 1963 { 1964 struct superblock_security_struct *sbsec; 1965 u32 sid = cred_sid(cred); 1966 1967 sbsec = selinux_superblock(sb); 1968 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1969 } 1970 1971 /* Convert a Linux mode and permission mask to an access vector. */ 1972 static inline u32 file_mask_to_av(int mode, int mask) 1973 { 1974 u32 av = 0; 1975 1976 if (!S_ISDIR(mode)) { 1977 if (mask & MAY_EXEC) 1978 av |= FILE__EXECUTE; 1979 if (mask & MAY_READ) 1980 av |= FILE__READ; 1981 1982 if (mask & MAY_APPEND) 1983 av |= FILE__APPEND; 1984 else if (mask & MAY_WRITE) 1985 av |= FILE__WRITE; 1986 1987 } else { 1988 if (mask & MAY_EXEC) 1989 av |= DIR__SEARCH; 1990 if (mask & MAY_WRITE) 1991 av |= DIR__WRITE; 1992 if (mask & MAY_READ) 1993 av |= DIR__READ; 1994 } 1995 1996 return av; 1997 } 1998 1999 /* Convert a Linux file to an access vector. */ 2000 static inline u32 file_to_av(const struct file *file) 2001 { 2002 u32 av = 0; 2003 2004 if (file->f_mode & FMODE_READ) 2005 av |= FILE__READ; 2006 if (file->f_mode & FMODE_WRITE) { 2007 if (file->f_flags & O_APPEND) 2008 av |= FILE__APPEND; 2009 else 2010 av |= FILE__WRITE; 2011 } 2012 if (!av) { 2013 /* 2014 * Special file opened with flags 3 for ioctl-only use. 2015 */ 2016 av = FILE__IOCTL; 2017 } 2018 2019 return av; 2020 } 2021 2022 /* 2023 * Convert a file to an access vector and include the correct 2024 * open permission. 2025 */ 2026 static inline u32 open_file_to_av(struct file *file) 2027 { 2028 u32 av = file_to_av(file); 2029 struct inode *inode = file_inode(file); 2030 2031 if (selinux_policycap_openperm() && 2032 inode->i_sb->s_magic != SOCKFS_MAGIC) 2033 av |= FILE__OPEN; 2034 2035 return av; 2036 } 2037 2038 /* Hook functions begin here. */ 2039 2040 static int selinux_binder_set_context_mgr(const struct cred *mgr) 2041 { 2042 return avc_has_perm(current_sid(), cred_sid(mgr), SECCLASS_BINDER, 2043 BINDER__SET_CONTEXT_MGR, NULL); 2044 } 2045 2046 static int selinux_binder_transaction(const struct cred *from, 2047 const struct cred *to) 2048 { 2049 u32 mysid = current_sid(); 2050 u32 fromsid = cred_sid(from); 2051 u32 tosid = cred_sid(to); 2052 int rc; 2053 2054 if (mysid != fromsid) { 2055 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2056 BINDER__IMPERSONATE, NULL); 2057 if (rc) 2058 return rc; 2059 } 2060 2061 return avc_has_perm(fromsid, tosid, 2062 SECCLASS_BINDER, BINDER__CALL, NULL); 2063 } 2064 2065 static int selinux_binder_transfer_binder(const struct cred *from, 2066 const struct cred *to) 2067 { 2068 return avc_has_perm(cred_sid(from), cred_sid(to), 2069 SECCLASS_BINDER, BINDER__TRANSFER, 2070 NULL); 2071 } 2072 2073 static int selinux_binder_transfer_file(const struct cred *from, 2074 const struct cred *to, 2075 const struct file *file) 2076 { 2077 u32 sid = cred_sid(to); 2078 struct file_security_struct *fsec = selinux_file(file); 2079 struct dentry *dentry = file->f_path.dentry; 2080 struct inode_security_struct *isec; 2081 struct common_audit_data ad; 2082 int rc; 2083 2084 ad.type = LSM_AUDIT_DATA_PATH; 2085 ad.u.path = file->f_path; 2086 2087 if (sid != fsec->sid) { 2088 rc = avc_has_perm(sid, fsec->sid, 2089 SECCLASS_FD, 2090 FD__USE, 2091 &ad); 2092 if (rc) 2093 return rc; 2094 } 2095 2096 #ifdef CONFIG_BPF_SYSCALL 2097 rc = bpf_fd_pass(file, sid); 2098 if (rc) 2099 return rc; 2100 #endif 2101 2102 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2103 return 0; 2104 2105 isec = backing_inode_security(dentry); 2106 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2107 &ad); 2108 } 2109 2110 static int selinux_ptrace_access_check(struct task_struct *child, 2111 unsigned int mode) 2112 { 2113 u32 sid = current_sid(); 2114 u32 csid = task_sid_obj(child); 2115 2116 if (mode & PTRACE_MODE_READ) 2117 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, 2118 NULL); 2119 2120 return avc_has_perm(sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, 2121 NULL); 2122 } 2123 2124 static int selinux_ptrace_traceme(struct task_struct *parent) 2125 { 2126 return avc_has_perm(task_sid_obj(parent), task_sid_obj(current), 2127 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2128 } 2129 2130 static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective, 2131 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2132 { 2133 return avc_has_perm(current_sid(), task_sid_obj(target), 2134 SECCLASS_PROCESS, PROCESS__GETCAP, NULL); 2135 } 2136 2137 static int selinux_capset(struct cred *new, const struct cred *old, 2138 const kernel_cap_t *effective, 2139 const kernel_cap_t *inheritable, 2140 const kernel_cap_t *permitted) 2141 { 2142 return avc_has_perm(cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2143 PROCESS__SETCAP, NULL); 2144 } 2145 2146 /* 2147 * (This comment used to live with the selinux_task_setuid hook, 2148 * which was removed). 2149 * 2150 * Since setuid only affects the current process, and since the SELinux 2151 * controls are not based on the Linux identity attributes, SELinux does not 2152 * need to control this operation. However, SELinux does control the use of 2153 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2154 */ 2155 2156 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2157 int cap, unsigned int opts) 2158 { 2159 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2160 } 2161 2162 static int selinux_quotactl(int cmds, int type, int id, const struct super_block *sb) 2163 { 2164 const struct cred *cred = current_cred(); 2165 int rc = 0; 2166 2167 if (!sb) 2168 return 0; 2169 2170 switch (cmds) { 2171 case Q_SYNC: 2172 case Q_QUOTAON: 2173 case Q_QUOTAOFF: 2174 case Q_SETINFO: 2175 case Q_SETQUOTA: 2176 case Q_XQUOTAOFF: 2177 case Q_XQUOTAON: 2178 case Q_XSETQLIM: 2179 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2180 break; 2181 case Q_GETFMT: 2182 case Q_GETINFO: 2183 case Q_GETQUOTA: 2184 case Q_XGETQUOTA: 2185 case Q_XGETQSTAT: 2186 case Q_XGETQSTATV: 2187 case Q_XGETNEXTQUOTA: 2188 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2189 break; 2190 default: 2191 rc = 0; /* let the kernel handle invalid cmds */ 2192 break; 2193 } 2194 return rc; 2195 } 2196 2197 static int selinux_quota_on(struct dentry *dentry) 2198 { 2199 const struct cred *cred = current_cred(); 2200 2201 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2202 } 2203 2204 static int selinux_syslog(int type) 2205 { 2206 switch (type) { 2207 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2208 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2209 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2210 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2211 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2212 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2213 /* Set level of messages printed to console */ 2214 case SYSLOG_ACTION_CONSOLE_LEVEL: 2215 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2216 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2217 NULL); 2218 } 2219 /* All other syslog types */ 2220 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 2221 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2222 } 2223 2224 /* 2225 * Check permission for allocating a new virtual mapping. Returns 2226 * 0 if permission is granted, negative error code if not. 2227 * 2228 * Do not audit the selinux permission check, as this is applied to all 2229 * processes that allocate mappings. 2230 */ 2231 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2232 { 2233 return cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2234 CAP_OPT_NOAUDIT, true); 2235 } 2236 2237 /* binprm security operations */ 2238 2239 static u32 ptrace_parent_sid(void) 2240 { 2241 u32 sid = 0; 2242 struct task_struct *tracer; 2243 2244 rcu_read_lock(); 2245 tracer = ptrace_parent(current); 2246 if (tracer) 2247 sid = task_sid_obj(tracer); 2248 rcu_read_unlock(); 2249 2250 return sid; 2251 } 2252 2253 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2254 const struct task_security_struct *old_tsec, 2255 const struct task_security_struct *new_tsec) 2256 { 2257 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2258 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2259 int rc; 2260 u32 av; 2261 2262 if (!nnp && !nosuid) 2263 return 0; /* neither NNP nor nosuid */ 2264 2265 if (new_tsec->sid == old_tsec->sid) 2266 return 0; /* No change in credentials */ 2267 2268 /* 2269 * If the policy enables the nnp_nosuid_transition policy capability, 2270 * then we permit transitions under NNP or nosuid if the 2271 * policy allows the corresponding permission between 2272 * the old and new contexts. 2273 */ 2274 if (selinux_policycap_nnp_nosuid_transition()) { 2275 av = 0; 2276 if (nnp) 2277 av |= PROCESS2__NNP_TRANSITION; 2278 if (nosuid) 2279 av |= PROCESS2__NOSUID_TRANSITION; 2280 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2281 SECCLASS_PROCESS2, av, NULL); 2282 if (!rc) 2283 return 0; 2284 } 2285 2286 /* 2287 * We also permit NNP or nosuid transitions to bounded SIDs, 2288 * i.e. SIDs that are guaranteed to only be allowed a subset 2289 * of the permissions of the current SID. 2290 */ 2291 rc = security_bounded_transition(old_tsec->sid, 2292 new_tsec->sid); 2293 if (!rc) 2294 return 0; 2295 2296 /* 2297 * On failure, preserve the errno values for NNP vs nosuid. 2298 * NNP: Operation not permitted for caller. 2299 * nosuid: Permission denied to file. 2300 */ 2301 if (nnp) 2302 return -EPERM; 2303 return -EACCES; 2304 } 2305 2306 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) 2307 { 2308 const struct task_security_struct *old_tsec; 2309 struct task_security_struct *new_tsec; 2310 struct inode_security_struct *isec; 2311 struct common_audit_data ad; 2312 struct inode *inode = file_inode(bprm->file); 2313 int rc; 2314 2315 /* SELinux context only depends on initial program or script and not 2316 * the script interpreter */ 2317 2318 old_tsec = selinux_cred(current_cred()); 2319 new_tsec = selinux_cred(bprm->cred); 2320 isec = inode_security(inode); 2321 2322 /* Default to the current task SID. */ 2323 new_tsec->sid = old_tsec->sid; 2324 new_tsec->osid = old_tsec->sid; 2325 2326 /* Reset fs, key, and sock SIDs on execve. */ 2327 new_tsec->create_sid = 0; 2328 new_tsec->keycreate_sid = 0; 2329 new_tsec->sockcreate_sid = 0; 2330 2331 /* 2332 * Before policy is loaded, label any task outside kernel space 2333 * as SECINITSID_INIT, so that any userspace tasks surviving from 2334 * early boot end up with a label different from SECINITSID_KERNEL 2335 * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). 2336 */ 2337 if (!selinux_initialized()) { 2338 new_tsec->sid = SECINITSID_INIT; 2339 /* also clear the exec_sid just in case */ 2340 new_tsec->exec_sid = 0; 2341 return 0; 2342 } 2343 2344 if (old_tsec->exec_sid) { 2345 new_tsec->sid = old_tsec->exec_sid; 2346 /* Reset exec SID on execve. */ 2347 new_tsec->exec_sid = 0; 2348 2349 /* Fail on NNP or nosuid if not an allowed transition. */ 2350 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2351 if (rc) 2352 return rc; 2353 } else { 2354 /* Check for a default transition on this program. */ 2355 rc = security_transition_sid(old_tsec->sid, 2356 isec->sid, SECCLASS_PROCESS, NULL, 2357 &new_tsec->sid); 2358 if (rc) 2359 return rc; 2360 2361 /* 2362 * Fallback to old SID on NNP or nosuid if not an allowed 2363 * transition. 2364 */ 2365 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2366 if (rc) 2367 new_tsec->sid = old_tsec->sid; 2368 } 2369 2370 ad.type = LSM_AUDIT_DATA_FILE; 2371 ad.u.file = bprm->file; 2372 2373 if (new_tsec->sid == old_tsec->sid) { 2374 rc = avc_has_perm(old_tsec->sid, isec->sid, 2375 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2376 if (rc) 2377 return rc; 2378 } else { 2379 /* Check permissions for the transition. */ 2380 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2381 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2382 if (rc) 2383 return rc; 2384 2385 rc = avc_has_perm(new_tsec->sid, isec->sid, 2386 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2387 if (rc) 2388 return rc; 2389 2390 /* Check for shared state */ 2391 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2392 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2393 SECCLASS_PROCESS, PROCESS__SHARE, 2394 NULL); 2395 if (rc) 2396 return -EPERM; 2397 } 2398 2399 /* Make sure that anyone attempting to ptrace over a task that 2400 * changes its SID has the appropriate permit */ 2401 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2402 u32 ptsid = ptrace_parent_sid(); 2403 if (ptsid != 0) { 2404 rc = avc_has_perm(ptsid, new_tsec->sid, 2405 SECCLASS_PROCESS, 2406 PROCESS__PTRACE, NULL); 2407 if (rc) 2408 return -EPERM; 2409 } 2410 } 2411 2412 /* Clear any possibly unsafe personality bits on exec: */ 2413 bprm->per_clear |= PER_CLEAR_ON_SETID; 2414 2415 /* Enable secure mode for SIDs transitions unless 2416 the noatsecure permission is granted between 2417 the two SIDs, i.e. ahp returns 0. */ 2418 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2419 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2420 NULL); 2421 bprm->secureexec |= !!rc; 2422 } 2423 2424 return 0; 2425 } 2426 2427 static int match_file(const void *p, struct file *file, unsigned fd) 2428 { 2429 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2430 } 2431 2432 /* Derived from fs/exec.c:flush_old_files. */ 2433 static inline void flush_unauthorized_files(const struct cred *cred, 2434 struct files_struct *files) 2435 { 2436 struct file *file, *devnull = NULL; 2437 struct tty_struct *tty; 2438 int drop_tty = 0; 2439 unsigned n; 2440 2441 tty = get_current_tty(); 2442 if (tty) { 2443 spin_lock(&tty->files_lock); 2444 if (!list_empty(&tty->tty_files)) { 2445 struct tty_file_private *file_priv; 2446 2447 /* Revalidate access to controlling tty. 2448 Use file_path_has_perm on the tty path directly 2449 rather than using file_has_perm, as this particular 2450 open file may belong to another process and we are 2451 only interested in the inode-based check here. */ 2452 file_priv = list_first_entry(&tty->tty_files, 2453 struct tty_file_private, list); 2454 file = file_priv->file; 2455 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2456 drop_tty = 1; 2457 } 2458 spin_unlock(&tty->files_lock); 2459 tty_kref_put(tty); 2460 } 2461 /* Reset controlling tty. */ 2462 if (drop_tty) 2463 no_tty(); 2464 2465 /* Revalidate access to inherited open files. */ 2466 n = iterate_fd(files, 0, match_file, cred); 2467 if (!n) /* none found? */ 2468 return; 2469 2470 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2471 if (IS_ERR(devnull)) 2472 devnull = NULL; 2473 /* replace all the matching ones with this */ 2474 do { 2475 replace_fd(n - 1, devnull, 0); 2476 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2477 if (devnull) 2478 fput(devnull); 2479 } 2480 2481 /* 2482 * Prepare a process for imminent new credential changes due to exec 2483 */ 2484 static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) 2485 { 2486 struct task_security_struct *new_tsec; 2487 struct rlimit *rlim, *initrlim; 2488 int rc, i; 2489 2490 new_tsec = selinux_cred(bprm->cred); 2491 if (new_tsec->sid == new_tsec->osid) 2492 return; 2493 2494 /* Close files for which the new task SID is not authorized. */ 2495 flush_unauthorized_files(bprm->cred, current->files); 2496 2497 /* Always clear parent death signal on SID transitions. */ 2498 current->pdeath_signal = 0; 2499 2500 /* Check whether the new SID can inherit resource limits from the old 2501 * SID. If not, reset all soft limits to the lower of the current 2502 * task's hard limit and the init task's soft limit. 2503 * 2504 * Note that the setting of hard limits (even to lower them) can be 2505 * controlled by the setrlimit check. The inclusion of the init task's 2506 * soft limit into the computation is to avoid resetting soft limits 2507 * higher than the default soft limit for cases where the default is 2508 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2509 */ 2510 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2511 PROCESS__RLIMITINH, NULL); 2512 if (rc) { 2513 /* protect against do_prlimit() */ 2514 task_lock(current); 2515 for (i = 0; i < RLIM_NLIMITS; i++) { 2516 rlim = current->signal->rlim + i; 2517 initrlim = init_task.signal->rlim + i; 2518 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2519 } 2520 task_unlock(current); 2521 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2522 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2523 } 2524 } 2525 2526 /* 2527 * Clean up the process immediately after the installation of new credentials 2528 * due to exec 2529 */ 2530 static void selinux_bprm_committed_creds(const struct linux_binprm *bprm) 2531 { 2532 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2533 u32 osid, sid; 2534 int rc; 2535 2536 osid = tsec->osid; 2537 sid = tsec->sid; 2538 2539 if (sid == osid) 2540 return; 2541 2542 /* Check whether the new SID can inherit signal state from the old SID. 2543 * If not, clear itimers to avoid subsequent signal generation and 2544 * flush and unblock signals. 2545 * 2546 * This must occur _after_ the task SID has been updated so that any 2547 * kill done after the flush will be checked against the new SID. 2548 */ 2549 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2550 if (rc) { 2551 clear_itimer(); 2552 2553 spin_lock_irq(&unrcu_pointer(current->sighand)->siglock); 2554 if (!fatal_signal_pending(current)) { 2555 flush_sigqueue(¤t->pending); 2556 flush_sigqueue(¤t->signal->shared_pending); 2557 flush_signal_handlers(current, 1); 2558 sigemptyset(¤t->blocked); 2559 recalc_sigpending(); 2560 } 2561 spin_unlock_irq(&unrcu_pointer(current->sighand)->siglock); 2562 } 2563 2564 /* Wake up the parent if it is waiting so that it can recheck 2565 * wait permission to the new task SID. */ 2566 read_lock(&tasklist_lock); 2567 __wake_up_parent(current, unrcu_pointer(current->real_parent)); 2568 read_unlock(&tasklist_lock); 2569 } 2570 2571 /* superblock security operations */ 2572 2573 static int selinux_sb_alloc_security(struct super_block *sb) 2574 { 2575 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2576 2577 mutex_init(&sbsec->lock); 2578 INIT_LIST_HEAD(&sbsec->isec_head); 2579 spin_lock_init(&sbsec->isec_lock); 2580 sbsec->sid = SECINITSID_UNLABELED; 2581 sbsec->def_sid = SECINITSID_FILE; 2582 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 2583 2584 return 0; 2585 } 2586 2587 static inline int opt_len(const char *s) 2588 { 2589 bool open_quote = false; 2590 int len; 2591 char c; 2592 2593 for (len = 0; (c = s[len]) != '\0'; len++) { 2594 if (c == '"') 2595 open_quote = !open_quote; 2596 if (c == ',' && !open_quote) 2597 break; 2598 } 2599 return len; 2600 } 2601 2602 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2603 { 2604 char *from = options; 2605 char *to = options; 2606 bool first = true; 2607 int rc; 2608 2609 while (1) { 2610 int len = opt_len(from); 2611 int token; 2612 char *arg = NULL; 2613 2614 token = match_opt_prefix(from, len, &arg); 2615 2616 if (token != Opt_error) { 2617 char *p, *q; 2618 2619 /* strip quotes */ 2620 if (arg) { 2621 for (p = q = arg; p < from + len; p++) { 2622 char c = *p; 2623 if (c != '"') 2624 *q++ = c; 2625 } 2626 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2627 if (!arg) { 2628 rc = -ENOMEM; 2629 goto free_opt; 2630 } 2631 } 2632 rc = selinux_add_opt(token, arg, mnt_opts); 2633 kfree(arg); 2634 arg = NULL; 2635 if (unlikely(rc)) { 2636 goto free_opt; 2637 } 2638 } else { 2639 if (!first) { // copy with preceding comma 2640 from--; 2641 len++; 2642 } 2643 if (to != from) 2644 memmove(to, from, len); 2645 to += len; 2646 first = false; 2647 } 2648 if (!from[len]) 2649 break; 2650 from += len + 1; 2651 } 2652 *to = '\0'; 2653 return 0; 2654 2655 free_opt: 2656 if (*mnt_opts) { 2657 selinux_free_mnt_opts(*mnt_opts); 2658 *mnt_opts = NULL; 2659 } 2660 return rc; 2661 } 2662 2663 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2664 { 2665 struct selinux_mnt_opts *opts = mnt_opts; 2666 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2667 2668 /* 2669 * Superblock not initialized (i.e. no options) - reject if any 2670 * options specified, otherwise accept. 2671 */ 2672 if (!(sbsec->flags & SE_SBINITIALIZED)) 2673 return opts ? 1 : 0; 2674 2675 /* 2676 * Superblock initialized and no options specified - reject if 2677 * superblock has any options set, otherwise accept. 2678 */ 2679 if (!opts) 2680 return (sbsec->flags & SE_MNTMASK) ? 1 : 0; 2681 2682 if (opts->fscontext_sid) { 2683 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2684 opts->fscontext_sid)) 2685 return 1; 2686 } 2687 if (opts->context_sid) { 2688 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2689 opts->context_sid)) 2690 return 1; 2691 } 2692 if (opts->rootcontext_sid) { 2693 struct inode_security_struct *root_isec; 2694 2695 root_isec = backing_inode_security(sb->s_root); 2696 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2697 opts->rootcontext_sid)) 2698 return 1; 2699 } 2700 if (opts->defcontext_sid) { 2701 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2702 opts->defcontext_sid)) 2703 return 1; 2704 } 2705 return 0; 2706 } 2707 2708 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2709 { 2710 struct selinux_mnt_opts *opts = mnt_opts; 2711 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2712 2713 if (!(sbsec->flags & SE_SBINITIALIZED)) 2714 return 0; 2715 2716 if (!opts) 2717 return 0; 2718 2719 if (opts->fscontext_sid) { 2720 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 2721 opts->fscontext_sid)) 2722 goto out_bad_option; 2723 } 2724 if (opts->context_sid) { 2725 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 2726 opts->context_sid)) 2727 goto out_bad_option; 2728 } 2729 if (opts->rootcontext_sid) { 2730 struct inode_security_struct *root_isec; 2731 root_isec = backing_inode_security(sb->s_root); 2732 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 2733 opts->rootcontext_sid)) 2734 goto out_bad_option; 2735 } 2736 if (opts->defcontext_sid) { 2737 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 2738 opts->defcontext_sid)) 2739 goto out_bad_option; 2740 } 2741 return 0; 2742 2743 out_bad_option: 2744 pr_warn("SELinux: unable to change security options " 2745 "during remount (dev %s, type=%s)\n", sb->s_id, 2746 sb->s_type->name); 2747 return -EINVAL; 2748 } 2749 2750 static int selinux_sb_kern_mount(const struct super_block *sb) 2751 { 2752 const struct cred *cred = current_cred(); 2753 struct common_audit_data ad; 2754 2755 ad.type = LSM_AUDIT_DATA_DENTRY; 2756 ad.u.dentry = sb->s_root; 2757 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2758 } 2759 2760 static int selinux_sb_statfs(struct dentry *dentry) 2761 { 2762 const struct cred *cred = current_cred(); 2763 struct common_audit_data ad; 2764 2765 ad.type = LSM_AUDIT_DATA_DENTRY; 2766 ad.u.dentry = dentry->d_sb->s_root; 2767 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2768 } 2769 2770 static int selinux_mount(const char *dev_name, 2771 const struct path *path, 2772 const char *type, 2773 unsigned long flags, 2774 void *data) 2775 { 2776 const struct cred *cred = current_cred(); 2777 2778 if (flags & MS_REMOUNT) 2779 return superblock_has_perm(cred, path->dentry->d_sb, 2780 FILESYSTEM__REMOUNT, NULL); 2781 else 2782 return path_has_perm(cred, path, FILE__MOUNTON); 2783 } 2784 2785 static int selinux_move_mount(const struct path *from_path, 2786 const struct path *to_path) 2787 { 2788 const struct cred *cred = current_cred(); 2789 2790 return path_has_perm(cred, to_path, FILE__MOUNTON); 2791 } 2792 2793 static int selinux_umount(struct vfsmount *mnt, int flags) 2794 { 2795 const struct cred *cred = current_cred(); 2796 2797 return superblock_has_perm(cred, mnt->mnt_sb, 2798 FILESYSTEM__UNMOUNT, NULL); 2799 } 2800 2801 static int selinux_fs_context_submount(struct fs_context *fc, 2802 struct super_block *reference) 2803 { 2804 const struct superblock_security_struct *sbsec = selinux_superblock(reference); 2805 struct selinux_mnt_opts *opts; 2806 2807 /* 2808 * Ensure that fc->security remains NULL when no options are set 2809 * as expected by selinux_set_mnt_opts(). 2810 */ 2811 if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) 2812 return 0; 2813 2814 opts = kzalloc(sizeof(*opts), GFP_KERNEL); 2815 if (!opts) 2816 return -ENOMEM; 2817 2818 if (sbsec->flags & FSCONTEXT_MNT) 2819 opts->fscontext_sid = sbsec->sid; 2820 if (sbsec->flags & CONTEXT_MNT) 2821 opts->context_sid = sbsec->mntpoint_sid; 2822 if (sbsec->flags & DEFCONTEXT_MNT) 2823 opts->defcontext_sid = sbsec->def_sid; 2824 fc->security = opts; 2825 return 0; 2826 } 2827 2828 static int selinux_fs_context_dup(struct fs_context *fc, 2829 struct fs_context *src_fc) 2830 { 2831 const struct selinux_mnt_opts *src = src_fc->security; 2832 2833 if (!src) 2834 return 0; 2835 2836 fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL); 2837 return fc->security ? 0 : -ENOMEM; 2838 } 2839 2840 static const struct fs_parameter_spec selinux_fs_parameters[] = { 2841 fsparam_string(CONTEXT_STR, Opt_context), 2842 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2843 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2844 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2845 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2846 {} 2847 }; 2848 2849 static int selinux_fs_context_parse_param(struct fs_context *fc, 2850 struct fs_parameter *param) 2851 { 2852 struct fs_parse_result result; 2853 int opt; 2854 2855 opt = fs_parse(fc, selinux_fs_parameters, param, &result); 2856 if (opt < 0) 2857 return opt; 2858 2859 return selinux_add_opt(opt, param->string, &fc->security); 2860 } 2861 2862 /* inode security operations */ 2863 2864 static int selinux_inode_alloc_security(struct inode *inode) 2865 { 2866 struct inode_security_struct *isec = selinux_inode(inode); 2867 u32 sid = current_sid(); 2868 2869 spin_lock_init(&isec->lock); 2870 INIT_LIST_HEAD(&isec->list); 2871 isec->inode = inode; 2872 isec->sid = SECINITSID_UNLABELED; 2873 isec->sclass = SECCLASS_FILE; 2874 isec->task_sid = sid; 2875 isec->initialized = LABEL_INVALID; 2876 2877 return 0; 2878 } 2879 2880 static void selinux_inode_free_security(struct inode *inode) 2881 { 2882 inode_free_security(inode); 2883 } 2884 2885 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2886 const struct qstr *name, 2887 const char **xattr_name, 2888 struct lsm_context *cp) 2889 { 2890 u32 newsid; 2891 int rc; 2892 2893 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2894 d_inode(dentry->d_parent), name, 2895 inode_mode_to_security_class(mode), 2896 &newsid); 2897 if (rc) 2898 return rc; 2899 2900 if (xattr_name) 2901 *xattr_name = XATTR_NAME_SELINUX; 2902 2903 cp->id = LSM_ID_SELINUX; 2904 return security_sid_to_context(newsid, &cp->context, &cp->len); 2905 } 2906 2907 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2908 struct qstr *name, 2909 const struct cred *old, 2910 struct cred *new) 2911 { 2912 u32 newsid; 2913 int rc; 2914 struct task_security_struct *tsec; 2915 2916 rc = selinux_determine_inode_label(selinux_cred(old), 2917 d_inode(dentry->d_parent), name, 2918 inode_mode_to_security_class(mode), 2919 &newsid); 2920 if (rc) 2921 return rc; 2922 2923 tsec = selinux_cred(new); 2924 tsec->create_sid = newsid; 2925 return 0; 2926 } 2927 2928 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2929 const struct qstr *qstr, 2930 struct xattr *xattrs, int *xattr_count) 2931 { 2932 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2933 struct superblock_security_struct *sbsec; 2934 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 2935 u32 newsid, clen; 2936 u16 newsclass; 2937 int rc; 2938 char *context; 2939 2940 sbsec = selinux_superblock(dir->i_sb); 2941 2942 newsid = tsec->create_sid; 2943 newsclass = inode_mode_to_security_class(inode->i_mode); 2944 rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid); 2945 if (rc) 2946 return rc; 2947 2948 /* Possibly defer initialization to selinux_complete_init. */ 2949 if (sbsec->flags & SE_SBINITIALIZED) { 2950 struct inode_security_struct *isec = selinux_inode(inode); 2951 isec->sclass = newsclass; 2952 isec->sid = newsid; 2953 isec->initialized = LABEL_INITIALIZED; 2954 } 2955 2956 if (!selinux_initialized() || 2957 !(sbsec->flags & SBLABEL_MNT)) 2958 return -EOPNOTSUPP; 2959 2960 if (xattr) { 2961 rc = security_sid_to_context_force(newsid, 2962 &context, &clen); 2963 if (rc) 2964 return rc; 2965 xattr->value = context; 2966 xattr->value_len = clen; 2967 xattr->name = XATTR_SELINUX_SUFFIX; 2968 } 2969 2970 return 0; 2971 } 2972 2973 static int selinux_inode_init_security_anon(struct inode *inode, 2974 const struct qstr *name, 2975 const struct inode *context_inode) 2976 { 2977 u32 sid = current_sid(); 2978 struct common_audit_data ad; 2979 struct inode_security_struct *isec; 2980 int rc; 2981 2982 if (unlikely(!selinux_initialized())) 2983 return 0; 2984 2985 isec = selinux_inode(inode); 2986 2987 /* 2988 * We only get here once per ephemeral inode. The inode has 2989 * been initialized via inode_alloc_security but is otherwise 2990 * untouched. 2991 */ 2992 2993 if (context_inode) { 2994 struct inode_security_struct *context_isec = 2995 selinux_inode(context_inode); 2996 if (context_isec->initialized != LABEL_INITIALIZED) { 2997 pr_err("SELinux: context_inode is not initialized\n"); 2998 return -EACCES; 2999 } 3000 3001 isec->sclass = context_isec->sclass; 3002 isec->sid = context_isec->sid; 3003 } else { 3004 isec->sclass = SECCLASS_ANON_INODE; 3005 rc = security_transition_sid( 3006 sid, sid, 3007 isec->sclass, name, &isec->sid); 3008 if (rc) 3009 return rc; 3010 } 3011 3012 isec->initialized = LABEL_INITIALIZED; 3013 /* 3014 * Now that we've initialized security, check whether we're 3015 * allowed to actually create this type of anonymous inode. 3016 */ 3017 3018 ad.type = LSM_AUDIT_DATA_ANONINODE; 3019 ad.u.anonclass = name ? (const char *)name->name : "?"; 3020 3021 return avc_has_perm(sid, 3022 isec->sid, 3023 isec->sclass, 3024 FILE__CREATE, 3025 &ad); 3026 } 3027 3028 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3029 { 3030 return may_create(dir, dentry, SECCLASS_FILE); 3031 } 3032 3033 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3034 { 3035 return may_link(dir, old_dentry, MAY_LINK); 3036 } 3037 3038 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3039 { 3040 return may_link(dir, dentry, MAY_UNLINK); 3041 } 3042 3043 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3044 { 3045 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3046 } 3047 3048 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3049 { 3050 return may_create(dir, dentry, SECCLASS_DIR); 3051 } 3052 3053 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3054 { 3055 return may_link(dir, dentry, MAY_RMDIR); 3056 } 3057 3058 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3059 { 3060 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3061 } 3062 3063 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3064 struct inode *new_inode, struct dentry *new_dentry) 3065 { 3066 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3067 } 3068 3069 static int selinux_inode_readlink(struct dentry *dentry) 3070 { 3071 const struct cred *cred = current_cred(); 3072 3073 return dentry_has_perm(cred, dentry, FILE__READ); 3074 } 3075 3076 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3077 bool rcu) 3078 { 3079 struct common_audit_data ad; 3080 struct inode_security_struct *isec; 3081 u32 sid = current_sid(); 3082 3083 ad.type = LSM_AUDIT_DATA_DENTRY; 3084 ad.u.dentry = dentry; 3085 isec = inode_security_rcu(inode, rcu); 3086 if (IS_ERR(isec)) 3087 return PTR_ERR(isec); 3088 3089 return avc_has_perm(sid, isec->sid, isec->sclass, FILE__READ, &ad); 3090 } 3091 3092 static noinline int audit_inode_permission(struct inode *inode, 3093 u32 perms, u32 audited, u32 denied, 3094 int result) 3095 { 3096 struct common_audit_data ad; 3097 struct inode_security_struct *isec = selinux_inode(inode); 3098 3099 ad.type = LSM_AUDIT_DATA_INODE; 3100 ad.u.inode = inode; 3101 3102 return slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3103 audited, denied, result, &ad); 3104 } 3105 3106 /** 3107 * task_avdcache_reset - Reset the task's AVD cache 3108 * @tsec: the task's security state 3109 * 3110 * Clear the task's AVD cache in @tsec and reset it to the current policy's 3111 * and task's info. 3112 */ 3113 static inline void task_avdcache_reset(struct task_security_struct *tsec) 3114 { 3115 memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir)); 3116 tsec->avdcache.sid = tsec->sid; 3117 tsec->avdcache.seqno = avc_policy_seqno(); 3118 tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1; 3119 } 3120 3121 /** 3122 * task_avdcache_search - Search the task's AVD cache 3123 * @tsec: the task's security state 3124 * @isec: the inode to search for in the cache 3125 * @avdc: matching avd cache entry returned to the caller 3126 * 3127 * Search @tsec for a AVD cache entry that matches @isec and return it to the 3128 * caller via @avdc. Returns 0 if a match is found, negative values otherwise. 3129 */ 3130 static inline int task_avdcache_search(struct task_security_struct *tsec, 3131 struct inode_security_struct *isec, 3132 struct avdc_entry **avdc) 3133 { 3134 int orig, iter; 3135 3136 /* focused on path walk optimization, only cache directories */ 3137 if (isec->sclass != SECCLASS_DIR) 3138 return -ENOENT; 3139 3140 if (unlikely(tsec->sid != tsec->avdcache.sid || 3141 tsec->avdcache.seqno != avc_policy_seqno())) { 3142 task_avdcache_reset(tsec); 3143 return -ENOENT; 3144 } 3145 3146 orig = iter = tsec->avdcache.dir_spot; 3147 do { 3148 if (tsec->avdcache.dir[iter].isid == isec->sid) { 3149 /* cache hit */ 3150 tsec->avdcache.dir_spot = iter; 3151 *avdc = &tsec->avdcache.dir[iter]; 3152 return 0; 3153 } 3154 iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1); 3155 } while (iter != orig); 3156 3157 return -ENOENT; 3158 } 3159 3160 /** 3161 * task_avdcache_update - Update the task's AVD cache 3162 * @tsec: the task's security state 3163 * @isec: the inode associated with the cache entry 3164 * @avd: the AVD to cache 3165 * @audited: the permission audit bitmask to cache 3166 * 3167 * Update the AVD cache in @tsec with the @avdc and @audited info associated 3168 * with @isec. 3169 */ 3170 static inline void task_avdcache_update(struct task_security_struct *tsec, 3171 struct inode_security_struct *isec, 3172 struct av_decision *avd, 3173 u32 audited) 3174 { 3175 int spot; 3176 3177 /* focused on path walk optimization, only cache directories */ 3178 if (isec->sclass != SECCLASS_DIR) 3179 return; 3180 3181 /* update cache */ 3182 spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1); 3183 tsec->avdcache.dir_spot = spot; 3184 tsec->avdcache.dir[spot].isid = isec->sid; 3185 tsec->avdcache.dir[spot].audited = audited; 3186 tsec->avdcache.dir[spot].allowed = avd->allowed; 3187 tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE; 3188 tsec->avdcache.permissive_neveraudit = 3189 (avd->flags == (AVD_FLAGS_PERMISSIVE|AVD_FLAGS_NEVERAUDIT)); 3190 } 3191 3192 /** 3193 * selinux_inode_permission - Check if the current task can access an inode 3194 * @inode: the inode that is being accessed 3195 * @requested: the accesses being requested 3196 * 3197 * Check if the current task is allowed to access @inode according to 3198 * @requested. Returns 0 if allowed, negative values otherwise. 3199 */ 3200 static int selinux_inode_permission(struct inode *inode, int requested) 3201 { 3202 int mask; 3203 u32 perms; 3204 struct task_security_struct *tsec; 3205 struct inode_security_struct *isec; 3206 struct avdc_entry *avdc; 3207 int rc, rc2; 3208 u32 audited, denied; 3209 3210 mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3211 3212 /* No permission to check. Existence test. */ 3213 if (!mask) 3214 return 0; 3215 3216 tsec = selinux_cred(current_cred()); 3217 if (task_avdcache_permnoaudit(tsec)) 3218 return 0; 3219 3220 isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK); 3221 if (IS_ERR(isec)) 3222 return PTR_ERR(isec); 3223 perms = file_mask_to_av(inode->i_mode, mask); 3224 3225 rc = task_avdcache_search(tsec, isec, &avdc); 3226 if (likely(!rc)) { 3227 /* Cache hit. */ 3228 audited = perms & avdc->audited; 3229 denied = perms & ~avdc->allowed; 3230 if (unlikely(denied && enforcing_enabled() && 3231 !avdc->permissive)) 3232 rc = -EACCES; 3233 } else { 3234 struct av_decision avd; 3235 3236 /* Cache miss. */ 3237 rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass, 3238 perms, 0, &avd); 3239 audited = avc_audit_required(perms, &avd, rc, 3240 (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0, 3241 &denied); 3242 task_avdcache_update(tsec, isec, &avd, audited); 3243 } 3244 3245 if (likely(!audited)) 3246 return rc; 3247 3248 rc2 = audit_inode_permission(inode, perms, audited, denied, rc); 3249 if (rc2) 3250 return rc2; 3251 3252 return rc; 3253 } 3254 3255 static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 3256 struct iattr *iattr) 3257 { 3258 const struct cred *cred = current_cred(); 3259 struct inode *inode = d_backing_inode(dentry); 3260 unsigned int ia_valid = iattr->ia_valid; 3261 u32 av = FILE__WRITE; 3262 3263 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3264 if (ia_valid & ATTR_FORCE) { 3265 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3266 ATTR_FORCE); 3267 if (!ia_valid) 3268 return 0; 3269 } 3270 3271 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3272 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3273 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3274 3275 if (selinux_policycap_openperm() && 3276 inode->i_sb->s_magic != SOCKFS_MAGIC && 3277 (ia_valid & ATTR_SIZE) && 3278 !(ia_valid & ATTR_FILE)) 3279 av |= FILE__OPEN; 3280 3281 return dentry_has_perm(cred, dentry, av); 3282 } 3283 3284 static int selinux_inode_getattr(const struct path *path) 3285 { 3286 struct task_security_struct *tsec; 3287 3288 tsec = selinux_cred(current_cred()); 3289 3290 if (task_avdcache_permnoaudit(tsec)) 3291 return 0; 3292 3293 return path_has_perm(current_cred(), path, FILE__GETATTR); 3294 } 3295 3296 static bool has_cap_mac_admin(bool audit) 3297 { 3298 const struct cred *cred = current_cred(); 3299 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3300 3301 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3302 return false; 3303 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3304 return false; 3305 return true; 3306 } 3307 3308 /** 3309 * selinux_inode_xattr_skipcap - Skip the xattr capability checks? 3310 * @name: name of the xattr 3311 * 3312 * Returns 1 to indicate that SELinux "owns" the access control rights to xattrs 3313 * named @name; the LSM layer should avoid enforcing any traditional 3314 * capability based access controls on this xattr. Returns 0 to indicate that 3315 * SELinux does not "own" the access control rights to xattrs named @name and is 3316 * deferring to the LSM layer for further access controls, including capability 3317 * based controls. 3318 */ 3319 static int selinux_inode_xattr_skipcap(const char *name) 3320 { 3321 /* require capability check if not a selinux xattr */ 3322 return !strcmp(name, XATTR_NAME_SELINUX); 3323 } 3324 3325 static int selinux_inode_setxattr(struct mnt_idmap *idmap, 3326 struct dentry *dentry, const char *name, 3327 const void *value, size_t size, int flags) 3328 { 3329 struct inode *inode = d_backing_inode(dentry); 3330 struct inode_security_struct *isec; 3331 struct superblock_security_struct *sbsec; 3332 struct common_audit_data ad; 3333 u32 newsid, sid = current_sid(); 3334 int rc = 0; 3335 3336 /* if not a selinux xattr, only check the ordinary setattr perm */ 3337 if (strcmp(name, XATTR_NAME_SELINUX)) 3338 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3339 3340 if (!selinux_initialized()) 3341 return (inode_owner_or_capable(idmap, inode) ? 0 : -EPERM); 3342 3343 sbsec = selinux_superblock(inode->i_sb); 3344 if (!(sbsec->flags & SBLABEL_MNT)) 3345 return -EOPNOTSUPP; 3346 3347 if (!inode_owner_or_capable(idmap, inode)) 3348 return -EPERM; 3349 3350 ad.type = LSM_AUDIT_DATA_DENTRY; 3351 ad.u.dentry = dentry; 3352 3353 isec = backing_inode_security(dentry); 3354 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3355 FILE__RELABELFROM, &ad); 3356 if (rc) 3357 return rc; 3358 3359 rc = security_context_to_sid(value, size, &newsid, 3360 GFP_KERNEL); 3361 if (rc == -EINVAL) { 3362 if (!has_cap_mac_admin(true)) { 3363 struct audit_buffer *ab; 3364 size_t audit_size; 3365 3366 /* We strip a nul only if it is at the end, otherwise the 3367 * context contains a nul and we should audit that */ 3368 if (value) { 3369 const char *str = value; 3370 3371 if (str[size - 1] == '\0') 3372 audit_size = size - 1; 3373 else 3374 audit_size = size; 3375 } else { 3376 audit_size = 0; 3377 } 3378 ab = audit_log_start(audit_context(), 3379 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3380 if (!ab) 3381 return rc; 3382 audit_log_format(ab, "op=setxattr invalid_context="); 3383 audit_log_n_untrustedstring(ab, value, audit_size); 3384 audit_log_end(ab); 3385 3386 return rc; 3387 } 3388 rc = security_context_to_sid_force(value, 3389 size, &newsid); 3390 } 3391 if (rc) 3392 return rc; 3393 3394 rc = avc_has_perm(sid, newsid, isec->sclass, 3395 FILE__RELABELTO, &ad); 3396 if (rc) 3397 return rc; 3398 3399 rc = security_validate_transition(isec->sid, newsid, 3400 sid, isec->sclass); 3401 if (rc) 3402 return rc; 3403 3404 return avc_has_perm(newsid, 3405 sbsec->sid, 3406 SECCLASS_FILESYSTEM, 3407 FILESYSTEM__ASSOCIATE, 3408 &ad); 3409 } 3410 3411 static int selinux_inode_set_acl(struct mnt_idmap *idmap, 3412 struct dentry *dentry, const char *acl_name, 3413 struct posix_acl *kacl) 3414 { 3415 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3416 } 3417 3418 static int selinux_inode_get_acl(struct mnt_idmap *idmap, 3419 struct dentry *dentry, const char *acl_name) 3420 { 3421 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3422 } 3423 3424 static int selinux_inode_remove_acl(struct mnt_idmap *idmap, 3425 struct dentry *dentry, const char *acl_name) 3426 { 3427 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3428 } 3429 3430 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3431 const void *value, size_t size, 3432 int flags) 3433 { 3434 struct inode *inode = d_backing_inode(dentry); 3435 struct inode_security_struct *isec; 3436 u32 newsid; 3437 int rc; 3438 3439 if (strcmp(name, XATTR_NAME_SELINUX)) { 3440 /* Not an attribute we recognize, so nothing to do. */ 3441 return; 3442 } 3443 3444 if (!selinux_initialized()) { 3445 /* If we haven't even been initialized, then we can't validate 3446 * against a policy, so leave the label as invalid. It may 3447 * resolve to a valid label on the next revalidation try if 3448 * we've since initialized. 3449 */ 3450 return; 3451 } 3452 3453 rc = security_context_to_sid_force(value, size, 3454 &newsid); 3455 if (rc) { 3456 pr_err("SELinux: unable to map context to SID" 3457 "for (%s, %lu), rc=%d\n", 3458 inode->i_sb->s_id, inode->i_ino, -rc); 3459 return; 3460 } 3461 3462 isec = backing_inode_security(dentry); 3463 spin_lock(&isec->lock); 3464 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3465 isec->sid = newsid; 3466 isec->initialized = LABEL_INITIALIZED; 3467 spin_unlock(&isec->lock); 3468 } 3469 3470 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3471 { 3472 const struct cred *cred = current_cred(); 3473 3474 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3475 } 3476 3477 static int selinux_inode_listxattr(struct dentry *dentry) 3478 { 3479 const struct cred *cred = current_cred(); 3480 3481 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3482 } 3483 3484 static int selinux_inode_removexattr(struct mnt_idmap *idmap, 3485 struct dentry *dentry, const char *name) 3486 { 3487 /* if not a selinux xattr, only check the ordinary setattr perm */ 3488 if (strcmp(name, XATTR_NAME_SELINUX)) 3489 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3490 3491 if (!selinux_initialized()) 3492 return 0; 3493 3494 /* No one is allowed to remove a SELinux security label. 3495 You can change the label, but all data must be labeled. */ 3496 return -EACCES; 3497 } 3498 3499 static int selinux_inode_file_setattr(struct dentry *dentry, 3500 struct file_kattr *fa) 3501 { 3502 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3503 } 3504 3505 static int selinux_inode_file_getattr(struct dentry *dentry, 3506 struct file_kattr *fa) 3507 { 3508 return dentry_has_perm(current_cred(), dentry, FILE__GETATTR); 3509 } 3510 3511 static int selinux_path_notify(const struct path *path, u64 mask, 3512 unsigned int obj_type) 3513 { 3514 int ret; 3515 u32 perm; 3516 3517 struct common_audit_data ad; 3518 3519 ad.type = LSM_AUDIT_DATA_PATH; 3520 ad.u.path = *path; 3521 3522 /* 3523 * Set permission needed based on the type of mark being set. 3524 * Performs an additional check for sb watches. 3525 */ 3526 switch (obj_type) { 3527 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3528 perm = FILE__WATCH_MOUNT; 3529 break; 3530 case FSNOTIFY_OBJ_TYPE_SB: 3531 perm = FILE__WATCH_SB; 3532 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3533 FILESYSTEM__WATCH, &ad); 3534 if (ret) 3535 return ret; 3536 break; 3537 case FSNOTIFY_OBJ_TYPE_INODE: 3538 perm = FILE__WATCH; 3539 break; 3540 case FSNOTIFY_OBJ_TYPE_MNTNS: 3541 perm = FILE__WATCH_MOUNTNS; 3542 break; 3543 default: 3544 return -EINVAL; 3545 } 3546 3547 /* blocking watches require the file:watch_with_perm permission */ 3548 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3549 perm |= FILE__WATCH_WITH_PERM; 3550 3551 /* watches on read-like events need the file:watch_reads permission */ 3552 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_PRE_ACCESS | 3553 FS_CLOSE_NOWRITE)) 3554 perm |= FILE__WATCH_READS; 3555 3556 return path_has_perm(current_cred(), path, perm); 3557 } 3558 3559 /* 3560 * Copy the inode security context value to the user. 3561 * 3562 * Permission check is handled by selinux_inode_getxattr hook. 3563 */ 3564 static int selinux_inode_getsecurity(struct mnt_idmap *idmap, 3565 struct inode *inode, const char *name, 3566 void **buffer, bool alloc) 3567 { 3568 u32 size; 3569 int error; 3570 char *context = NULL; 3571 struct inode_security_struct *isec; 3572 3573 /* 3574 * If we're not initialized yet, then we can't validate contexts, so 3575 * just let vfs_getxattr fall back to using the on-disk xattr. 3576 */ 3577 if (!selinux_initialized() || 3578 strcmp(name, XATTR_SELINUX_SUFFIX)) 3579 return -EOPNOTSUPP; 3580 3581 /* 3582 * If the caller has CAP_MAC_ADMIN, then get the raw context 3583 * value even if it is not defined by current policy; otherwise, 3584 * use the in-core value under current policy. 3585 * Use the non-auditing forms of the permission checks since 3586 * getxattr may be called by unprivileged processes commonly 3587 * and lack of permission just means that we fall back to the 3588 * in-core context value, not a denial. 3589 */ 3590 isec = inode_security(inode); 3591 if (has_cap_mac_admin(false)) 3592 error = security_sid_to_context_force(isec->sid, &context, 3593 &size); 3594 else 3595 error = security_sid_to_context(isec->sid, 3596 &context, &size); 3597 if (error) 3598 return error; 3599 error = size; 3600 if (alloc) { 3601 *buffer = context; 3602 goto out_nofree; 3603 } 3604 kfree(context); 3605 out_nofree: 3606 return error; 3607 } 3608 3609 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3610 const void *value, size_t size, int flags) 3611 { 3612 struct inode_security_struct *isec = inode_security_novalidate(inode); 3613 struct superblock_security_struct *sbsec; 3614 u32 newsid; 3615 int rc; 3616 3617 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3618 return -EOPNOTSUPP; 3619 3620 sbsec = selinux_superblock(inode->i_sb); 3621 if (!(sbsec->flags & SBLABEL_MNT)) 3622 return -EOPNOTSUPP; 3623 3624 if (!value || !size) 3625 return -EACCES; 3626 3627 rc = security_context_to_sid(value, size, &newsid, 3628 GFP_KERNEL); 3629 if (rc) 3630 return rc; 3631 3632 spin_lock(&isec->lock); 3633 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3634 isec->sid = newsid; 3635 isec->initialized = LABEL_INITIALIZED; 3636 spin_unlock(&isec->lock); 3637 return 0; 3638 } 3639 3640 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3641 { 3642 const int len = sizeof(XATTR_NAME_SELINUX); 3643 3644 if (!selinux_initialized()) 3645 return 0; 3646 3647 if (buffer && len <= buffer_size) 3648 memcpy(buffer, XATTR_NAME_SELINUX, len); 3649 return len; 3650 } 3651 3652 static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 3653 { 3654 struct inode_security_struct *isec = inode_security_novalidate(inode); 3655 3656 prop->selinux.secid = isec->sid; 3657 } 3658 3659 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3660 { 3661 struct lsm_prop prop; 3662 struct task_security_struct *tsec; 3663 struct cred *new_creds = *new; 3664 3665 if (new_creds == NULL) { 3666 new_creds = prepare_creds(); 3667 if (!new_creds) 3668 return -ENOMEM; 3669 } 3670 3671 tsec = selinux_cred(new_creds); 3672 /* Get label from overlay inode and set it in create_sid */ 3673 selinux_inode_getlsmprop(d_inode(src), &prop); 3674 tsec->create_sid = prop.selinux.secid; 3675 *new = new_creds; 3676 return 0; 3677 } 3678 3679 static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) 3680 { 3681 /* The copy_up hook above sets the initial context on an inode, but we 3682 * don't then want to overwrite it by blindly copying all the lower 3683 * xattrs up. Instead, filter out SELinux-related xattrs following 3684 * policy load. 3685 */ 3686 if (selinux_initialized() && !strcmp(name, XATTR_NAME_SELINUX)) 3687 return -ECANCELED; /* Discard */ 3688 /* 3689 * Any other attribute apart from SELINUX is not claimed, supported 3690 * by selinux. 3691 */ 3692 return -EOPNOTSUPP; 3693 } 3694 3695 /* kernfs node operations */ 3696 3697 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3698 struct kernfs_node *kn) 3699 { 3700 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3701 u32 parent_sid, newsid, clen; 3702 int rc; 3703 char *context; 3704 3705 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3706 if (rc == -ENODATA) 3707 return 0; 3708 else if (rc < 0) 3709 return rc; 3710 3711 clen = (u32)rc; 3712 context = kmalloc(clen, GFP_KERNEL); 3713 if (!context) 3714 return -ENOMEM; 3715 3716 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3717 if (rc < 0) { 3718 kfree(context); 3719 return rc; 3720 } 3721 3722 rc = security_context_to_sid(context, clen, &parent_sid, 3723 GFP_KERNEL); 3724 kfree(context); 3725 if (rc) 3726 return rc; 3727 3728 if (tsec->create_sid) { 3729 newsid = tsec->create_sid; 3730 } else { 3731 u16 secclass = inode_mode_to_security_class(kn->mode); 3732 const char *kn_name; 3733 struct qstr q; 3734 3735 /* kn is fresh, can't be renamed, name goes not away */ 3736 kn_name = rcu_dereference_check(kn->name, true); 3737 q.name = kn_name; 3738 q.hash_len = hashlen_string(kn_dir, kn_name); 3739 3740 rc = security_transition_sid(tsec->sid, 3741 parent_sid, secclass, &q, 3742 &newsid); 3743 if (rc) 3744 return rc; 3745 } 3746 3747 rc = security_sid_to_context_force(newsid, 3748 &context, &clen); 3749 if (rc) 3750 return rc; 3751 3752 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3753 XATTR_CREATE); 3754 kfree(context); 3755 return rc; 3756 } 3757 3758 3759 /* file security operations */ 3760 3761 static int selinux_revalidate_file_permission(struct file *file, int mask) 3762 { 3763 const struct cred *cred = current_cred(); 3764 struct inode *inode = file_inode(file); 3765 3766 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3767 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3768 mask |= MAY_APPEND; 3769 3770 return file_has_perm(cred, file, 3771 file_mask_to_av(inode->i_mode, mask)); 3772 } 3773 3774 static int selinux_file_permission(struct file *file, int mask) 3775 { 3776 struct inode *inode = file_inode(file); 3777 struct file_security_struct *fsec = selinux_file(file); 3778 struct inode_security_struct *isec; 3779 u32 sid = current_sid(); 3780 3781 if (!mask) 3782 /* No permission to check. Existence test. */ 3783 return 0; 3784 3785 isec = inode_security(inode); 3786 if (sid == fsec->sid && fsec->isid == isec->sid && 3787 fsec->pseqno == avc_policy_seqno()) 3788 /* No change since file_open check. */ 3789 return 0; 3790 3791 return selinux_revalidate_file_permission(file, mask); 3792 } 3793 3794 static int selinux_file_alloc_security(struct file *file) 3795 { 3796 struct file_security_struct *fsec = selinux_file(file); 3797 u32 sid = current_sid(); 3798 3799 fsec->sid = sid; 3800 fsec->fown_sid = sid; 3801 3802 return 0; 3803 } 3804 3805 /* 3806 * Check whether a task has the ioctl permission and cmd 3807 * operation to an inode. 3808 */ 3809 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3810 u32 requested, u16 cmd) 3811 { 3812 struct common_audit_data ad; 3813 struct file_security_struct *fsec = selinux_file(file); 3814 struct inode *inode = file_inode(file); 3815 struct inode_security_struct *isec; 3816 struct lsm_ioctlop_audit ioctl; 3817 u32 ssid = cred_sid(cred); 3818 int rc; 3819 u8 driver = cmd >> 8; 3820 u8 xperm = cmd & 0xff; 3821 3822 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3823 ad.u.op = &ioctl; 3824 ad.u.op->cmd = cmd; 3825 ad.u.op->path = file->f_path; 3826 3827 if (ssid != fsec->sid) { 3828 rc = avc_has_perm(ssid, fsec->sid, 3829 SECCLASS_FD, 3830 FD__USE, 3831 &ad); 3832 if (rc) 3833 goto out; 3834 } 3835 3836 if (unlikely(IS_PRIVATE(inode))) 3837 return 0; 3838 3839 isec = inode_security(inode); 3840 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, requested, 3841 driver, AVC_EXT_IOCTL, xperm, &ad); 3842 out: 3843 return rc; 3844 } 3845 3846 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3847 unsigned long arg) 3848 { 3849 const struct cred *cred = current_cred(); 3850 int error = 0; 3851 3852 switch (cmd) { 3853 case FIONREAD: 3854 case FIBMAP: 3855 case FIGETBSZ: 3856 case FS_IOC_GETFLAGS: 3857 case FS_IOC_GETVERSION: 3858 error = file_has_perm(cred, file, FILE__GETATTR); 3859 break; 3860 3861 case FS_IOC_SETFLAGS: 3862 case FS_IOC_SETVERSION: 3863 error = file_has_perm(cred, file, FILE__SETATTR); 3864 break; 3865 3866 /* sys_ioctl() checks */ 3867 case FIONBIO: 3868 case FIOASYNC: 3869 error = file_has_perm(cred, file, 0); 3870 break; 3871 3872 case KDSKBENT: 3873 case KDSKBSENT: 3874 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3875 CAP_OPT_NONE, true); 3876 break; 3877 3878 case FIOCLEX: 3879 case FIONCLEX: 3880 if (!selinux_policycap_ioctl_skip_cloexec()) 3881 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3882 break; 3883 3884 /* default case assumes that the command will go 3885 * to the file's ioctl() function. 3886 */ 3887 default: 3888 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3889 } 3890 return error; 3891 } 3892 3893 static int selinux_file_ioctl_compat(struct file *file, unsigned int cmd, 3894 unsigned long arg) 3895 { 3896 /* 3897 * If we are in a 64-bit kernel running 32-bit userspace, we need to 3898 * make sure we don't compare 32-bit flags to 64-bit flags. 3899 */ 3900 switch (cmd) { 3901 case FS_IOC32_GETFLAGS: 3902 cmd = FS_IOC_GETFLAGS; 3903 break; 3904 case FS_IOC32_SETFLAGS: 3905 cmd = FS_IOC_SETFLAGS; 3906 break; 3907 case FS_IOC32_GETVERSION: 3908 cmd = FS_IOC_GETVERSION; 3909 break; 3910 case FS_IOC32_SETVERSION: 3911 cmd = FS_IOC_SETVERSION; 3912 break; 3913 default: 3914 break; 3915 } 3916 3917 return selinux_file_ioctl(file, cmd, arg); 3918 } 3919 3920 static int default_noexec __ro_after_init; 3921 3922 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3923 { 3924 const struct cred *cred = current_cred(); 3925 u32 sid = cred_sid(cred); 3926 int rc = 0; 3927 3928 if (default_noexec && 3929 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3930 (!shared && (prot & PROT_WRITE)))) { 3931 /* 3932 * We are making executable an anonymous mapping or a 3933 * private file mapping that will also be writable. 3934 * This has an additional check. 3935 */ 3936 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 3937 PROCESS__EXECMEM, NULL); 3938 if (rc) 3939 goto error; 3940 } 3941 3942 if (file) { 3943 /* read access is always possible with a mapping */ 3944 u32 av = FILE__READ; 3945 3946 /* write access only matters if the mapping is shared */ 3947 if (shared && (prot & PROT_WRITE)) 3948 av |= FILE__WRITE; 3949 3950 if (prot & PROT_EXEC) 3951 av |= FILE__EXECUTE; 3952 3953 return file_has_perm(cred, file, av); 3954 } 3955 3956 error: 3957 return rc; 3958 } 3959 3960 static int selinux_mmap_addr(unsigned long addr) 3961 { 3962 int rc = 0; 3963 3964 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3965 u32 sid = current_sid(); 3966 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3967 MEMPROTECT__MMAP_ZERO, NULL); 3968 } 3969 3970 return rc; 3971 } 3972 3973 static int selinux_mmap_file(struct file *file, 3974 unsigned long reqprot __always_unused, 3975 unsigned long prot, unsigned long flags) 3976 { 3977 struct common_audit_data ad; 3978 int rc; 3979 3980 if (file) { 3981 ad.type = LSM_AUDIT_DATA_FILE; 3982 ad.u.file = file; 3983 rc = inode_has_perm(current_cred(), file_inode(file), 3984 FILE__MAP, &ad); 3985 if (rc) 3986 return rc; 3987 } 3988 3989 return file_map_prot_check(file, prot, 3990 (flags & MAP_TYPE) == MAP_SHARED); 3991 } 3992 3993 static int selinux_file_mprotect(struct vm_area_struct *vma, 3994 unsigned long reqprot __always_unused, 3995 unsigned long prot) 3996 { 3997 const struct cred *cred = current_cred(); 3998 u32 sid = cred_sid(cred); 3999 4000 if (default_noexec && 4001 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 4002 int rc = 0; 4003 /* 4004 * We don't use the vma_is_initial_heap() helper as it has 4005 * a history of problems and is currently broken on systems 4006 * where there is no heap, e.g. brk == start_brk. Before 4007 * replacing the conditional below with vma_is_initial_heap(), 4008 * or something similar, please ensure that the logic is the 4009 * same as what we have below or you have tested every possible 4010 * corner case you can think to test. 4011 */ 4012 if (vma->vm_start >= vma->vm_mm->start_brk && 4013 vma->vm_end <= vma->vm_mm->brk) { 4014 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 4015 PROCESS__EXECHEAP, NULL); 4016 } else if (!vma->vm_file && (vma_is_initial_stack(vma) || 4017 vma_is_stack_for_current(vma))) { 4018 rc = avc_has_perm(sid, sid, SECCLASS_PROCESS, 4019 PROCESS__EXECSTACK, NULL); 4020 } else if (vma->vm_file && vma->anon_vma) { 4021 /* 4022 * We are making executable a file mapping that has 4023 * had some COW done. Since pages might have been 4024 * written, check ability to execute the possibly 4025 * modified content. This typically should only 4026 * occur for text relocations. 4027 */ 4028 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 4029 } 4030 if (rc) 4031 return rc; 4032 } 4033 4034 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 4035 } 4036 4037 static int selinux_file_lock(struct file *file, unsigned int cmd) 4038 { 4039 const struct cred *cred = current_cred(); 4040 4041 return file_has_perm(cred, file, FILE__LOCK); 4042 } 4043 4044 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 4045 unsigned long arg) 4046 { 4047 const struct cred *cred = current_cred(); 4048 int err = 0; 4049 4050 switch (cmd) { 4051 case F_SETFL: 4052 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 4053 err = file_has_perm(cred, file, FILE__WRITE); 4054 break; 4055 } 4056 fallthrough; 4057 case F_SETOWN: 4058 case F_SETSIG: 4059 case F_GETFL: 4060 case F_GETOWN: 4061 case F_GETSIG: 4062 case F_GETOWNER_UIDS: 4063 /* Just check FD__USE permission */ 4064 err = file_has_perm(cred, file, 0); 4065 break; 4066 case F_GETLK: 4067 case F_SETLK: 4068 case F_SETLKW: 4069 case F_OFD_GETLK: 4070 case F_OFD_SETLK: 4071 case F_OFD_SETLKW: 4072 #if BITS_PER_LONG == 32 4073 case F_GETLK64: 4074 case F_SETLK64: 4075 case F_SETLKW64: 4076 #endif 4077 err = file_has_perm(cred, file, FILE__LOCK); 4078 break; 4079 } 4080 4081 return err; 4082 } 4083 4084 static void selinux_file_set_fowner(struct file *file) 4085 { 4086 struct file_security_struct *fsec; 4087 4088 fsec = selinux_file(file); 4089 fsec->fown_sid = current_sid(); 4090 } 4091 4092 static int selinux_file_send_sigiotask(struct task_struct *tsk, 4093 struct fown_struct *fown, int signum) 4094 { 4095 struct file *file; 4096 u32 sid = task_sid_obj(tsk); 4097 u32 perm; 4098 struct file_security_struct *fsec; 4099 4100 /* struct fown_struct is never outside the context of a struct file */ 4101 file = fown->file; 4102 4103 fsec = selinux_file(file); 4104 4105 if (!signum) 4106 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 4107 else 4108 perm = signal_to_av(signum); 4109 4110 return avc_has_perm(fsec->fown_sid, sid, 4111 SECCLASS_PROCESS, perm, NULL); 4112 } 4113 4114 static int selinux_file_receive(struct file *file) 4115 { 4116 const struct cred *cred = current_cred(); 4117 4118 return file_has_perm(cred, file, file_to_av(file)); 4119 } 4120 4121 static int selinux_file_open(struct file *file) 4122 { 4123 struct file_security_struct *fsec; 4124 struct inode_security_struct *isec; 4125 4126 fsec = selinux_file(file); 4127 isec = inode_security(file_inode(file)); 4128 /* 4129 * Save inode label and policy sequence number 4130 * at open-time so that selinux_file_permission 4131 * can determine whether revalidation is necessary. 4132 * Task label is already saved in the file security 4133 * struct as its SID. 4134 */ 4135 fsec->isid = isec->sid; 4136 fsec->pseqno = avc_policy_seqno(); 4137 /* 4138 * Since the inode label or policy seqno may have changed 4139 * between the selinux_inode_permission check and the saving 4140 * of state above, recheck that access is still permitted. 4141 * Otherwise, access might never be revalidated against the 4142 * new inode label or new policy. 4143 * This check is not redundant - do not remove. 4144 */ 4145 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 4146 } 4147 4148 /* task security operations */ 4149 4150 static int selinux_task_alloc(struct task_struct *task, 4151 u64 clone_flags) 4152 { 4153 u32 sid = current_sid(); 4154 4155 return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 4156 } 4157 4158 /* 4159 * prepare a new set of credentials for modification 4160 */ 4161 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 4162 gfp_t gfp) 4163 { 4164 const struct task_security_struct *old_tsec = selinux_cred(old); 4165 struct task_security_struct *tsec = selinux_cred(new); 4166 4167 *tsec = *old_tsec; 4168 return 0; 4169 } 4170 4171 /* 4172 * transfer the SELinux data to a blank set of creds 4173 */ 4174 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 4175 { 4176 const struct task_security_struct *old_tsec = selinux_cred(old); 4177 struct task_security_struct *tsec = selinux_cred(new); 4178 4179 *tsec = *old_tsec; 4180 } 4181 4182 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 4183 { 4184 *secid = cred_sid(c); 4185 } 4186 4187 static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop) 4188 { 4189 prop->selinux.secid = cred_sid(c); 4190 } 4191 4192 /* 4193 * set the security data for a kernel service 4194 * - all the creation contexts are set to unlabelled 4195 */ 4196 static int selinux_kernel_act_as(struct cred *new, u32 secid) 4197 { 4198 struct task_security_struct *tsec = selinux_cred(new); 4199 u32 sid = current_sid(); 4200 int ret; 4201 4202 ret = avc_has_perm(sid, secid, 4203 SECCLASS_KERNEL_SERVICE, 4204 KERNEL_SERVICE__USE_AS_OVERRIDE, 4205 NULL); 4206 if (ret == 0) { 4207 tsec->sid = secid; 4208 tsec->create_sid = 0; 4209 tsec->keycreate_sid = 0; 4210 tsec->sockcreate_sid = 0; 4211 } 4212 return ret; 4213 } 4214 4215 /* 4216 * set the file creation context in a security record to the same as the 4217 * objective context of the specified inode 4218 */ 4219 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 4220 { 4221 struct inode_security_struct *isec = inode_security(inode); 4222 struct task_security_struct *tsec = selinux_cred(new); 4223 u32 sid = current_sid(); 4224 int ret; 4225 4226 ret = avc_has_perm(sid, isec->sid, 4227 SECCLASS_KERNEL_SERVICE, 4228 KERNEL_SERVICE__CREATE_FILES_AS, 4229 NULL); 4230 4231 if (ret == 0) 4232 tsec->create_sid = isec->sid; 4233 return ret; 4234 } 4235 4236 static int selinux_kernel_module_request(char *kmod_name) 4237 { 4238 struct common_audit_data ad; 4239 4240 ad.type = LSM_AUDIT_DATA_KMOD; 4241 ad.u.kmod_name = kmod_name; 4242 4243 return avc_has_perm(current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4244 SYSTEM__MODULE_REQUEST, &ad); 4245 } 4246 4247 static int selinux_kernel_load_from_file(struct file *file, u32 requested) 4248 { 4249 struct common_audit_data ad; 4250 struct inode_security_struct *isec; 4251 struct file_security_struct *fsec; 4252 u32 sid = current_sid(); 4253 int rc; 4254 4255 if (file == NULL) 4256 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, requested, NULL); 4257 4258 ad.type = LSM_AUDIT_DATA_FILE; 4259 ad.u.file = file; 4260 4261 fsec = selinux_file(file); 4262 if (sid != fsec->sid) { 4263 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4264 if (rc) 4265 return rc; 4266 } 4267 4268 isec = inode_security(file_inode(file)); 4269 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, requested, &ad); 4270 } 4271 4272 static int selinux_kernel_read_file(struct file *file, 4273 enum kernel_read_file_id id, 4274 bool contents) 4275 { 4276 int rc = 0; 4277 4278 BUILD_BUG_ON_MSG(READING_MAX_ID > 7, 4279 "New kernel_read_file_id introduced; update SELinux!"); 4280 4281 switch (id) { 4282 case READING_FIRMWARE: 4283 rc = selinux_kernel_load_from_file(file, SYSTEM__FIRMWARE_LOAD); 4284 break; 4285 case READING_MODULE: 4286 rc = selinux_kernel_load_from_file(file, SYSTEM__MODULE_LOAD); 4287 break; 4288 case READING_KEXEC_IMAGE: 4289 rc = selinux_kernel_load_from_file(file, 4290 SYSTEM__KEXEC_IMAGE_LOAD); 4291 break; 4292 case READING_KEXEC_INITRAMFS: 4293 rc = selinux_kernel_load_from_file(file, 4294 SYSTEM__KEXEC_INITRAMFS_LOAD); 4295 break; 4296 case READING_POLICY: 4297 rc = selinux_kernel_load_from_file(file, SYSTEM__POLICY_LOAD); 4298 break; 4299 case READING_X509_CERTIFICATE: 4300 rc = selinux_kernel_load_from_file(file, 4301 SYSTEM__X509_CERTIFICATE_LOAD); 4302 break; 4303 default: 4304 break; 4305 } 4306 4307 return rc; 4308 } 4309 4310 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) 4311 { 4312 int rc = 0; 4313 4314 BUILD_BUG_ON_MSG(LOADING_MAX_ID > 7, 4315 "New kernel_load_data_id introduced; update SELinux!"); 4316 4317 switch (id) { 4318 case LOADING_FIRMWARE: 4319 rc = selinux_kernel_load_from_file(NULL, SYSTEM__FIRMWARE_LOAD); 4320 break; 4321 case LOADING_MODULE: 4322 rc = selinux_kernel_load_from_file(NULL, SYSTEM__MODULE_LOAD); 4323 break; 4324 case LOADING_KEXEC_IMAGE: 4325 rc = selinux_kernel_load_from_file(NULL, 4326 SYSTEM__KEXEC_IMAGE_LOAD); 4327 break; 4328 case LOADING_KEXEC_INITRAMFS: 4329 rc = selinux_kernel_load_from_file(NULL, 4330 SYSTEM__KEXEC_INITRAMFS_LOAD); 4331 break; 4332 case LOADING_POLICY: 4333 rc = selinux_kernel_load_from_file(NULL, 4334 SYSTEM__POLICY_LOAD); 4335 break; 4336 case LOADING_X509_CERTIFICATE: 4337 rc = selinux_kernel_load_from_file(NULL, 4338 SYSTEM__X509_CERTIFICATE_LOAD); 4339 break; 4340 default: 4341 break; 4342 } 4343 4344 return rc; 4345 } 4346 4347 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4348 { 4349 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4350 PROCESS__SETPGID, NULL); 4351 } 4352 4353 static int selinux_task_getpgid(struct task_struct *p) 4354 { 4355 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4356 PROCESS__GETPGID, NULL); 4357 } 4358 4359 static int selinux_task_getsid(struct task_struct *p) 4360 { 4361 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4362 PROCESS__GETSESSION, NULL); 4363 } 4364 4365 static void selinux_current_getlsmprop_subj(struct lsm_prop *prop) 4366 { 4367 prop->selinux.secid = current_sid(); 4368 } 4369 4370 static void selinux_task_getlsmprop_obj(struct task_struct *p, 4371 struct lsm_prop *prop) 4372 { 4373 prop->selinux.secid = task_sid_obj(p); 4374 } 4375 4376 static int selinux_task_setnice(struct task_struct *p, int nice) 4377 { 4378 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4379 PROCESS__SETSCHED, NULL); 4380 } 4381 4382 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4383 { 4384 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4385 PROCESS__SETSCHED, NULL); 4386 } 4387 4388 static int selinux_task_getioprio(struct task_struct *p) 4389 { 4390 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4391 PROCESS__GETSCHED, NULL); 4392 } 4393 4394 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4395 unsigned int flags) 4396 { 4397 u32 av = 0; 4398 4399 if (!flags) 4400 return 0; 4401 if (flags & LSM_PRLIMIT_WRITE) 4402 av |= PROCESS__SETRLIMIT; 4403 if (flags & LSM_PRLIMIT_READ) 4404 av |= PROCESS__GETRLIMIT; 4405 return avc_has_perm(cred_sid(cred), cred_sid(tcred), 4406 SECCLASS_PROCESS, av, NULL); 4407 } 4408 4409 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4410 struct rlimit *new_rlim) 4411 { 4412 struct rlimit *old_rlim = p->signal->rlim + resource; 4413 4414 /* Control the ability to change the hard limit (whether 4415 lowering or raising it), so that the hard limit can 4416 later be used as a safe reset point for the soft limit 4417 upon context transitions. See selinux_bprm_committing_creds. */ 4418 if (old_rlim->rlim_max != new_rlim->rlim_max) 4419 return avc_has_perm(current_sid(), task_sid_obj(p), 4420 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4421 4422 return 0; 4423 } 4424 4425 static int selinux_task_setscheduler(struct task_struct *p) 4426 { 4427 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4428 PROCESS__SETSCHED, NULL); 4429 } 4430 4431 static int selinux_task_getscheduler(struct task_struct *p) 4432 { 4433 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4434 PROCESS__GETSCHED, NULL); 4435 } 4436 4437 static int selinux_task_movememory(struct task_struct *p) 4438 { 4439 return avc_has_perm(current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4440 PROCESS__SETSCHED, NULL); 4441 } 4442 4443 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4444 int sig, const struct cred *cred) 4445 { 4446 u32 secid; 4447 u32 perm; 4448 4449 if (!sig) 4450 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4451 else 4452 perm = signal_to_av(sig); 4453 if (!cred) 4454 secid = current_sid(); 4455 else 4456 secid = cred_sid(cred); 4457 return avc_has_perm(secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); 4458 } 4459 4460 static void selinux_task_to_inode(struct task_struct *p, 4461 struct inode *inode) 4462 { 4463 struct inode_security_struct *isec = selinux_inode(inode); 4464 u32 sid = task_sid_obj(p); 4465 4466 spin_lock(&isec->lock); 4467 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4468 isec->sid = sid; 4469 isec->initialized = LABEL_INITIALIZED; 4470 spin_unlock(&isec->lock); 4471 } 4472 4473 static int selinux_userns_create(const struct cred *cred) 4474 { 4475 u32 sid = current_sid(); 4476 4477 return avc_has_perm(sid, sid, SECCLASS_USER_NAMESPACE, 4478 USER_NAMESPACE__CREATE, NULL); 4479 } 4480 4481 /* Returns error only if unable to parse addresses */ 4482 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4483 struct common_audit_data *ad, u8 *proto) 4484 { 4485 int offset, ihlen, ret = -EINVAL; 4486 struct iphdr _iph, *ih; 4487 4488 offset = skb_network_offset(skb); 4489 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4490 if (ih == NULL) 4491 goto out; 4492 4493 ihlen = ih->ihl * 4; 4494 if (ihlen < sizeof(_iph)) 4495 goto out; 4496 4497 ad->u.net->v4info.saddr = ih->saddr; 4498 ad->u.net->v4info.daddr = ih->daddr; 4499 ret = 0; 4500 4501 if (proto) 4502 *proto = ih->protocol; 4503 4504 switch (ih->protocol) { 4505 case IPPROTO_TCP: { 4506 struct tcphdr _tcph, *th; 4507 4508 if (ntohs(ih->frag_off) & IP_OFFSET) 4509 break; 4510 4511 offset += ihlen; 4512 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4513 if (th == NULL) 4514 break; 4515 4516 ad->u.net->sport = th->source; 4517 ad->u.net->dport = th->dest; 4518 break; 4519 } 4520 4521 case IPPROTO_UDP: { 4522 struct udphdr _udph, *uh; 4523 4524 if (ntohs(ih->frag_off) & IP_OFFSET) 4525 break; 4526 4527 offset += ihlen; 4528 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4529 if (uh == NULL) 4530 break; 4531 4532 ad->u.net->sport = uh->source; 4533 ad->u.net->dport = uh->dest; 4534 break; 4535 } 4536 4537 #if IS_ENABLED(CONFIG_IP_SCTP) 4538 case IPPROTO_SCTP: { 4539 struct sctphdr _sctph, *sh; 4540 4541 if (ntohs(ih->frag_off) & IP_OFFSET) 4542 break; 4543 4544 offset += ihlen; 4545 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4546 if (sh == NULL) 4547 break; 4548 4549 ad->u.net->sport = sh->source; 4550 ad->u.net->dport = sh->dest; 4551 break; 4552 } 4553 #endif 4554 default: 4555 break; 4556 } 4557 out: 4558 return ret; 4559 } 4560 4561 #if IS_ENABLED(CONFIG_IPV6) 4562 4563 /* Returns error only if unable to parse addresses */ 4564 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4565 struct common_audit_data *ad, u8 *proto) 4566 { 4567 u8 nexthdr; 4568 int ret = -EINVAL, offset; 4569 struct ipv6hdr _ipv6h, *ip6; 4570 __be16 frag_off; 4571 4572 offset = skb_network_offset(skb); 4573 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4574 if (ip6 == NULL) 4575 goto out; 4576 4577 ad->u.net->v6info.saddr = ip6->saddr; 4578 ad->u.net->v6info.daddr = ip6->daddr; 4579 ret = 0; 4580 4581 nexthdr = ip6->nexthdr; 4582 offset += sizeof(_ipv6h); 4583 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4584 if (offset < 0) 4585 goto out; 4586 4587 if (proto) 4588 *proto = nexthdr; 4589 4590 switch (nexthdr) { 4591 case IPPROTO_TCP: { 4592 struct tcphdr _tcph, *th; 4593 4594 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4595 if (th == NULL) 4596 break; 4597 4598 ad->u.net->sport = th->source; 4599 ad->u.net->dport = th->dest; 4600 break; 4601 } 4602 4603 case IPPROTO_UDP: { 4604 struct udphdr _udph, *uh; 4605 4606 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4607 if (uh == NULL) 4608 break; 4609 4610 ad->u.net->sport = uh->source; 4611 ad->u.net->dport = uh->dest; 4612 break; 4613 } 4614 4615 #if IS_ENABLED(CONFIG_IP_SCTP) 4616 case IPPROTO_SCTP: { 4617 struct sctphdr _sctph, *sh; 4618 4619 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4620 if (sh == NULL) 4621 break; 4622 4623 ad->u.net->sport = sh->source; 4624 ad->u.net->dport = sh->dest; 4625 break; 4626 } 4627 #endif 4628 /* includes fragments */ 4629 default: 4630 break; 4631 } 4632 out: 4633 return ret; 4634 } 4635 4636 #endif /* IPV6 */ 4637 4638 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4639 char **_addrp, int src, u8 *proto) 4640 { 4641 char *addrp; 4642 int ret; 4643 4644 switch (ad->u.net->family) { 4645 case PF_INET: 4646 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4647 if (ret) 4648 goto parse_error; 4649 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4650 &ad->u.net->v4info.daddr); 4651 goto okay; 4652 4653 #if IS_ENABLED(CONFIG_IPV6) 4654 case PF_INET6: 4655 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4656 if (ret) 4657 goto parse_error; 4658 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4659 &ad->u.net->v6info.daddr); 4660 goto okay; 4661 #endif /* IPV6 */ 4662 default: 4663 addrp = NULL; 4664 goto okay; 4665 } 4666 4667 parse_error: 4668 pr_warn( 4669 "SELinux: failure in selinux_parse_skb()," 4670 " unable to parse packet\n"); 4671 return ret; 4672 4673 okay: 4674 if (_addrp) 4675 *_addrp = addrp; 4676 return 0; 4677 } 4678 4679 /** 4680 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4681 * @skb: the packet 4682 * @family: protocol family 4683 * @sid: the packet's peer label SID 4684 * 4685 * Description: 4686 * Check the various different forms of network peer labeling and determine 4687 * the peer label/SID for the packet; most of the magic actually occurs in 4688 * the security server function security_net_peersid_cmp(). The function 4689 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4690 * or -EACCES if @sid is invalid due to inconsistencies with the different 4691 * peer labels. 4692 * 4693 */ 4694 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4695 { 4696 int err; 4697 u32 xfrm_sid; 4698 u32 nlbl_sid; 4699 u32 nlbl_type; 4700 4701 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4702 if (unlikely(err)) 4703 return -EACCES; 4704 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4705 if (unlikely(err)) 4706 return -EACCES; 4707 4708 err = security_net_peersid_resolve(nlbl_sid, 4709 nlbl_type, xfrm_sid, sid); 4710 if (unlikely(err)) { 4711 pr_warn( 4712 "SELinux: failure in selinux_skb_peerlbl_sid()," 4713 " unable to determine packet's peer label\n"); 4714 return -EACCES; 4715 } 4716 4717 return 0; 4718 } 4719 4720 /** 4721 * selinux_conn_sid - Determine the child socket label for a connection 4722 * @sk_sid: the parent socket's SID 4723 * @skb_sid: the packet's SID 4724 * @conn_sid: the resulting connection SID 4725 * 4726 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4727 * combined with the MLS information from @skb_sid in order to create 4728 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy 4729 * of @sk_sid. Returns zero on success, negative values on failure. 4730 * 4731 */ 4732 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4733 { 4734 int err = 0; 4735 4736 if (skb_sid != SECSID_NULL) 4737 err = security_sid_mls_copy(sk_sid, skb_sid, 4738 conn_sid); 4739 else 4740 *conn_sid = sk_sid; 4741 4742 return err; 4743 } 4744 4745 /* socket security operations */ 4746 4747 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4748 u16 secclass, u32 *socksid) 4749 { 4750 if (tsec->sockcreate_sid > SECSID_NULL) { 4751 *socksid = tsec->sockcreate_sid; 4752 return 0; 4753 } 4754 4755 return security_transition_sid(tsec->sid, tsec->sid, 4756 secclass, NULL, socksid); 4757 } 4758 4759 static bool sock_skip_has_perm(u32 sid) 4760 { 4761 if (sid == SECINITSID_KERNEL) 4762 return true; 4763 4764 /* 4765 * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that 4766 * inherited the kernel context from early boot used to be skipped 4767 * here, so preserve that behavior unless the capability is set. 4768 * 4769 * By setting the capability the policy signals that it is ready 4770 * for this quirk to be fixed. Note that sockets created by a kernel 4771 * thread or a usermode helper executed without a transition will 4772 * still be skipped in this check regardless of the policycap 4773 * setting. 4774 */ 4775 if (!selinux_policycap_userspace_initial_context() && 4776 sid == SECINITSID_INIT) 4777 return true; 4778 return false; 4779 } 4780 4781 4782 static int sock_has_perm(struct sock *sk, u32 perms) 4783 { 4784 struct sk_security_struct *sksec = sk->sk_security; 4785 struct common_audit_data ad; 4786 struct lsm_network_audit net; 4787 4788 if (sock_skip_has_perm(sksec->sid)) 4789 return 0; 4790 4791 ad_net_init_from_sk(&ad, &net, sk); 4792 4793 return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, 4794 &ad); 4795 } 4796 4797 static int selinux_socket_create(int family, int type, 4798 int protocol, int kern) 4799 { 4800 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4801 u32 newsid; 4802 u16 secclass; 4803 int rc; 4804 4805 if (kern) 4806 return 0; 4807 4808 secclass = socket_type_to_security_class(family, type, protocol); 4809 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4810 if (rc) 4811 return rc; 4812 4813 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4814 } 4815 4816 static int selinux_socket_post_create(struct socket *sock, int family, 4817 int type, int protocol, int kern) 4818 { 4819 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4820 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4821 struct sk_security_struct *sksec; 4822 u16 sclass = socket_type_to_security_class(family, type, protocol); 4823 u32 sid = SECINITSID_KERNEL; 4824 int err = 0; 4825 4826 if (!kern) { 4827 err = socket_sockcreate_sid(tsec, sclass, &sid); 4828 if (err) 4829 return err; 4830 } 4831 4832 isec->sclass = sclass; 4833 isec->sid = sid; 4834 isec->initialized = LABEL_INITIALIZED; 4835 4836 if (sock->sk) { 4837 sksec = selinux_sock(sock->sk); 4838 sksec->sclass = sclass; 4839 sksec->sid = sid; 4840 /* Allows detection of the first association on this socket */ 4841 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4842 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4843 4844 err = selinux_netlbl_socket_post_create(sock->sk, family); 4845 } 4846 4847 return err; 4848 } 4849 4850 static int selinux_socket_socketpair(struct socket *socka, 4851 struct socket *sockb) 4852 { 4853 struct sk_security_struct *sksec_a = selinux_sock(socka->sk); 4854 struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); 4855 4856 sksec_a->peer_sid = sksec_b->sid; 4857 sksec_b->peer_sid = sksec_a->sid; 4858 4859 return 0; 4860 } 4861 4862 /* Range of port numbers used to automatically bind. 4863 Need to determine whether we should perform a name_bind 4864 permission check between the socket and the port number. */ 4865 4866 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4867 { 4868 struct sock *sk = sock->sk; 4869 struct sk_security_struct *sksec = selinux_sock(sk); 4870 u16 family; 4871 int err; 4872 4873 err = sock_has_perm(sk, SOCKET__BIND); 4874 if (err) 4875 goto out; 4876 4877 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4878 family = sk->sk_family; 4879 if (family == PF_INET || family == PF_INET6) { 4880 char *addrp; 4881 struct common_audit_data ad; 4882 struct lsm_network_audit net = {0,}; 4883 struct sockaddr_in *addr4 = NULL; 4884 struct sockaddr_in6 *addr6 = NULL; 4885 u16 family_sa; 4886 unsigned short snum; 4887 u32 sid, node_perm; 4888 4889 /* 4890 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4891 * that validates multiple binding addresses. Because of this 4892 * need to check address->sa_family as it is possible to have 4893 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4894 */ 4895 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4896 return -EINVAL; 4897 family_sa = address->sa_family; 4898 switch (family_sa) { 4899 case AF_UNSPEC: 4900 case AF_INET: 4901 if (addrlen < sizeof(struct sockaddr_in)) 4902 return -EINVAL; 4903 addr4 = (struct sockaddr_in *)address; 4904 if (family_sa == AF_UNSPEC) { 4905 if (family == PF_INET6) { 4906 /* Length check from inet6_bind_sk() */ 4907 if (addrlen < SIN6_LEN_RFC2133) 4908 return -EINVAL; 4909 /* Family check from __inet6_bind() */ 4910 goto err_af; 4911 } 4912 /* see __inet_bind(), we only want to allow 4913 * AF_UNSPEC if the address is INADDR_ANY 4914 */ 4915 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4916 goto err_af; 4917 family_sa = AF_INET; 4918 } 4919 snum = ntohs(addr4->sin_port); 4920 addrp = (char *)&addr4->sin_addr.s_addr; 4921 break; 4922 case AF_INET6: 4923 if (addrlen < SIN6_LEN_RFC2133) 4924 return -EINVAL; 4925 addr6 = (struct sockaddr_in6 *)address; 4926 snum = ntohs(addr6->sin6_port); 4927 addrp = (char *)&addr6->sin6_addr.s6_addr; 4928 break; 4929 default: 4930 goto err_af; 4931 } 4932 4933 ad.type = LSM_AUDIT_DATA_NET; 4934 ad.u.net = &net; 4935 ad.u.net->sport = htons(snum); 4936 ad.u.net->family = family_sa; 4937 4938 if (snum) { 4939 int low, high; 4940 4941 inet_get_local_port_range(sock_net(sk), &low, &high); 4942 4943 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4944 snum < low || snum > high) { 4945 err = sel_netport_sid(sk->sk_protocol, 4946 snum, &sid); 4947 if (err) 4948 goto out; 4949 err = avc_has_perm(sksec->sid, sid, 4950 sksec->sclass, 4951 SOCKET__NAME_BIND, &ad); 4952 if (err) 4953 goto out; 4954 } 4955 } 4956 4957 switch (sksec->sclass) { 4958 case SECCLASS_TCP_SOCKET: 4959 node_perm = TCP_SOCKET__NODE_BIND; 4960 break; 4961 4962 case SECCLASS_UDP_SOCKET: 4963 node_perm = UDP_SOCKET__NODE_BIND; 4964 break; 4965 4966 case SECCLASS_SCTP_SOCKET: 4967 node_perm = SCTP_SOCKET__NODE_BIND; 4968 break; 4969 4970 default: 4971 node_perm = RAWIP_SOCKET__NODE_BIND; 4972 break; 4973 } 4974 4975 err = sel_netnode_sid(addrp, family_sa, &sid); 4976 if (err) 4977 goto out; 4978 4979 if (family_sa == AF_INET) 4980 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4981 else 4982 ad.u.net->v6info.saddr = addr6->sin6_addr; 4983 4984 err = avc_has_perm(sksec->sid, sid, 4985 sksec->sclass, node_perm, &ad); 4986 if (err) 4987 goto out; 4988 } 4989 out: 4990 return err; 4991 err_af: 4992 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4993 if (sk->sk_protocol == IPPROTO_SCTP) 4994 return -EINVAL; 4995 return -EAFNOSUPPORT; 4996 } 4997 4998 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4999 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 5000 */ 5001 static int selinux_socket_connect_helper(struct socket *sock, 5002 struct sockaddr *address, int addrlen) 5003 { 5004 struct sock *sk = sock->sk; 5005 struct sk_security_struct *sksec = selinux_sock(sk); 5006 int err; 5007 5008 err = sock_has_perm(sk, SOCKET__CONNECT); 5009 if (err) 5010 return err; 5011 if (addrlen < offsetofend(struct sockaddr, sa_family)) 5012 return -EINVAL; 5013 5014 /* connect(AF_UNSPEC) has special handling, as it is a documented 5015 * way to disconnect the socket 5016 */ 5017 if (address->sa_family == AF_UNSPEC) 5018 return 0; 5019 5020 /* 5021 * If a TCP or SCTP socket, check name_connect permission 5022 * for the port. 5023 */ 5024 if (sksec->sclass == SECCLASS_TCP_SOCKET || 5025 sksec->sclass == SECCLASS_SCTP_SOCKET) { 5026 struct common_audit_data ad; 5027 struct lsm_network_audit net = {0,}; 5028 struct sockaddr_in *addr4 = NULL; 5029 struct sockaddr_in6 *addr6 = NULL; 5030 unsigned short snum; 5031 u32 sid, perm; 5032 5033 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 5034 * that validates multiple connect addresses. Because of this 5035 * need to check address->sa_family as it is possible to have 5036 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 5037 */ 5038 switch (address->sa_family) { 5039 case AF_INET: 5040 addr4 = (struct sockaddr_in *)address; 5041 if (addrlen < sizeof(struct sockaddr_in)) 5042 return -EINVAL; 5043 snum = ntohs(addr4->sin_port); 5044 break; 5045 case AF_INET6: 5046 addr6 = (struct sockaddr_in6 *)address; 5047 if (addrlen < SIN6_LEN_RFC2133) 5048 return -EINVAL; 5049 snum = ntohs(addr6->sin6_port); 5050 break; 5051 default: 5052 /* Note that SCTP services expect -EINVAL, whereas 5053 * others expect -EAFNOSUPPORT. 5054 */ 5055 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 5056 return -EINVAL; 5057 else 5058 return -EAFNOSUPPORT; 5059 } 5060 5061 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 5062 if (err) 5063 return err; 5064 5065 switch (sksec->sclass) { 5066 case SECCLASS_TCP_SOCKET: 5067 perm = TCP_SOCKET__NAME_CONNECT; 5068 break; 5069 case SECCLASS_SCTP_SOCKET: 5070 perm = SCTP_SOCKET__NAME_CONNECT; 5071 break; 5072 } 5073 5074 ad.type = LSM_AUDIT_DATA_NET; 5075 ad.u.net = &net; 5076 ad.u.net->dport = htons(snum); 5077 ad.u.net->family = address->sa_family; 5078 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 5079 if (err) 5080 return err; 5081 } 5082 5083 return 0; 5084 } 5085 5086 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 5087 static int selinux_socket_connect(struct socket *sock, 5088 struct sockaddr *address, int addrlen) 5089 { 5090 int err; 5091 struct sock *sk = sock->sk; 5092 5093 err = selinux_socket_connect_helper(sock, address, addrlen); 5094 if (err) 5095 return err; 5096 5097 return selinux_netlbl_socket_connect(sk, address); 5098 } 5099 5100 static int selinux_socket_listen(struct socket *sock, int backlog) 5101 { 5102 return sock_has_perm(sock->sk, SOCKET__LISTEN); 5103 } 5104 5105 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 5106 { 5107 int err; 5108 struct inode_security_struct *isec; 5109 struct inode_security_struct *newisec; 5110 u16 sclass; 5111 u32 sid; 5112 5113 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 5114 if (err) 5115 return err; 5116 5117 isec = inode_security_novalidate(SOCK_INODE(sock)); 5118 spin_lock(&isec->lock); 5119 sclass = isec->sclass; 5120 sid = isec->sid; 5121 spin_unlock(&isec->lock); 5122 5123 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 5124 newisec->sclass = sclass; 5125 newisec->sid = sid; 5126 newisec->initialized = LABEL_INITIALIZED; 5127 5128 return 0; 5129 } 5130 5131 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 5132 int size) 5133 { 5134 return sock_has_perm(sock->sk, SOCKET__WRITE); 5135 } 5136 5137 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 5138 int size, int flags) 5139 { 5140 return sock_has_perm(sock->sk, SOCKET__READ); 5141 } 5142 5143 static int selinux_socket_getsockname(struct socket *sock) 5144 { 5145 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5146 } 5147 5148 static int selinux_socket_getpeername(struct socket *sock) 5149 { 5150 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5151 } 5152 5153 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 5154 { 5155 int err; 5156 5157 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 5158 if (err) 5159 return err; 5160 5161 return selinux_netlbl_socket_setsockopt(sock, level, optname); 5162 } 5163 5164 static int selinux_socket_getsockopt(struct socket *sock, int level, 5165 int optname) 5166 { 5167 return sock_has_perm(sock->sk, SOCKET__GETOPT); 5168 } 5169 5170 static int selinux_socket_shutdown(struct socket *sock, int how) 5171 { 5172 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 5173 } 5174 5175 static int selinux_socket_unix_stream_connect(struct sock *sock, 5176 struct sock *other, 5177 struct sock *newsk) 5178 { 5179 struct sk_security_struct *sksec_sock = selinux_sock(sock); 5180 struct sk_security_struct *sksec_other = selinux_sock(other); 5181 struct sk_security_struct *sksec_new = selinux_sock(newsk); 5182 struct common_audit_data ad; 5183 struct lsm_network_audit net; 5184 int err; 5185 5186 ad_net_init_from_sk(&ad, &net, other); 5187 5188 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 5189 sksec_other->sclass, 5190 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 5191 if (err) 5192 return err; 5193 5194 /* server child socket */ 5195 sksec_new->peer_sid = sksec_sock->sid; 5196 err = security_sid_mls_copy(sksec_other->sid, 5197 sksec_sock->sid, &sksec_new->sid); 5198 if (err) 5199 return err; 5200 5201 /* connecting socket */ 5202 sksec_sock->peer_sid = sksec_new->sid; 5203 5204 return 0; 5205 } 5206 5207 static int selinux_socket_unix_may_send(struct socket *sock, 5208 struct socket *other) 5209 { 5210 struct sk_security_struct *ssec = selinux_sock(sock->sk); 5211 struct sk_security_struct *osec = selinux_sock(other->sk); 5212 struct common_audit_data ad; 5213 struct lsm_network_audit net; 5214 5215 ad_net_init_from_sk(&ad, &net, other->sk); 5216 5217 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 5218 &ad); 5219 } 5220 5221 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 5222 char *addrp, u16 family, u32 peer_sid, 5223 struct common_audit_data *ad) 5224 { 5225 int err; 5226 u32 if_sid; 5227 u32 node_sid; 5228 5229 err = sel_netif_sid(ns, ifindex, &if_sid); 5230 if (err) 5231 return err; 5232 err = avc_has_perm(peer_sid, if_sid, 5233 SECCLASS_NETIF, NETIF__INGRESS, ad); 5234 if (err) 5235 return err; 5236 5237 err = sel_netnode_sid(addrp, family, &node_sid); 5238 if (err) 5239 return err; 5240 return avc_has_perm(peer_sid, node_sid, 5241 SECCLASS_NODE, NODE__RECVFROM, ad); 5242 } 5243 5244 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 5245 u16 family) 5246 { 5247 int err = 0; 5248 struct sk_security_struct *sksec = selinux_sock(sk); 5249 u32 sk_sid = sksec->sid; 5250 struct common_audit_data ad; 5251 struct lsm_network_audit net; 5252 char *addrp; 5253 5254 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5255 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5256 if (err) 5257 return err; 5258 5259 if (selinux_secmark_enabled()) { 5260 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5261 PACKET__RECV, &ad); 5262 if (err) 5263 return err; 5264 } 5265 5266 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5267 if (err) 5268 return err; 5269 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5270 5271 return err; 5272 } 5273 5274 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5275 { 5276 int err, peerlbl_active, secmark_active; 5277 struct sk_security_struct *sksec = selinux_sock(sk); 5278 u16 family = sk->sk_family; 5279 u32 sk_sid = sksec->sid; 5280 struct common_audit_data ad; 5281 struct lsm_network_audit net; 5282 char *addrp; 5283 5284 if (family != PF_INET && family != PF_INET6) 5285 return 0; 5286 5287 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5288 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5289 family = PF_INET; 5290 5291 /* If any sort of compatibility mode is enabled then handoff processing 5292 * to the selinux_sock_rcv_skb_compat() function to deal with the 5293 * special handling. We do this in an attempt to keep this function 5294 * as fast and as clean as possible. */ 5295 if (!selinux_policycap_netpeer()) 5296 return selinux_sock_rcv_skb_compat(sk, skb, family); 5297 5298 secmark_active = selinux_secmark_enabled(); 5299 peerlbl_active = selinux_peerlbl_enabled(); 5300 if (!secmark_active && !peerlbl_active) 5301 return 0; 5302 5303 ad_net_init_from_iif(&ad, &net, skb->skb_iif, family); 5304 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5305 if (err) 5306 return err; 5307 5308 if (peerlbl_active) { 5309 u32 peer_sid; 5310 5311 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5312 if (err) 5313 return err; 5314 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5315 addrp, family, peer_sid, &ad); 5316 if (err) { 5317 selinux_netlbl_err(skb, family, err, 0); 5318 return err; 5319 } 5320 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 5321 PEER__RECV, &ad); 5322 if (err) { 5323 selinux_netlbl_err(skb, family, err, 0); 5324 return err; 5325 } 5326 } 5327 5328 if (secmark_active) { 5329 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 5330 PACKET__RECV, &ad); 5331 if (err) 5332 return err; 5333 } 5334 5335 return err; 5336 } 5337 5338 static int selinux_socket_getpeersec_stream(struct socket *sock, 5339 sockptr_t optval, sockptr_t optlen, 5340 unsigned int len) 5341 { 5342 int err = 0; 5343 char *scontext = NULL; 5344 u32 scontext_len; 5345 struct sk_security_struct *sksec = selinux_sock(sock->sk); 5346 u32 peer_sid = SECSID_NULL; 5347 5348 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5349 sksec->sclass == SECCLASS_TCP_SOCKET || 5350 sksec->sclass == SECCLASS_SCTP_SOCKET) 5351 peer_sid = sksec->peer_sid; 5352 if (peer_sid == SECSID_NULL) 5353 return -ENOPROTOOPT; 5354 5355 err = security_sid_to_context(peer_sid, &scontext, 5356 &scontext_len); 5357 if (err) 5358 return err; 5359 if (scontext_len > len) { 5360 err = -ERANGE; 5361 goto out_len; 5362 } 5363 5364 if (copy_to_sockptr(optval, scontext, scontext_len)) 5365 err = -EFAULT; 5366 out_len: 5367 if (copy_to_sockptr(optlen, &scontext_len, sizeof(scontext_len))) 5368 err = -EFAULT; 5369 kfree(scontext); 5370 return err; 5371 } 5372 5373 static int selinux_socket_getpeersec_dgram(struct socket *sock, 5374 struct sk_buff *skb, u32 *secid) 5375 { 5376 u32 peer_secid = SECSID_NULL; 5377 u16 family; 5378 5379 if (skb && skb->protocol == htons(ETH_P_IP)) 5380 family = PF_INET; 5381 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5382 family = PF_INET6; 5383 else if (sock) 5384 family = sock->sk->sk_family; 5385 else { 5386 *secid = SECSID_NULL; 5387 return -EINVAL; 5388 } 5389 5390 if (sock && family == PF_UNIX) { 5391 struct inode_security_struct *isec; 5392 isec = inode_security_novalidate(SOCK_INODE(sock)); 5393 peer_secid = isec->sid; 5394 } else if (skb) 5395 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5396 5397 *secid = peer_secid; 5398 if (peer_secid == SECSID_NULL) 5399 return -ENOPROTOOPT; 5400 return 0; 5401 } 5402 5403 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5404 { 5405 struct sk_security_struct *sksec = selinux_sock(sk); 5406 5407 sksec->peer_sid = SECINITSID_UNLABELED; 5408 sksec->sid = SECINITSID_UNLABELED; 5409 sksec->sclass = SECCLASS_SOCKET; 5410 selinux_netlbl_sk_security_reset(sksec); 5411 5412 return 0; 5413 } 5414 5415 static void selinux_sk_free_security(struct sock *sk) 5416 { 5417 struct sk_security_struct *sksec = selinux_sock(sk); 5418 5419 selinux_netlbl_sk_security_free(sksec); 5420 } 5421 5422 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5423 { 5424 struct sk_security_struct *sksec = selinux_sock(sk); 5425 struct sk_security_struct *newsksec = selinux_sock(newsk); 5426 5427 newsksec->sid = sksec->sid; 5428 newsksec->peer_sid = sksec->peer_sid; 5429 newsksec->sclass = sksec->sclass; 5430 5431 selinux_netlbl_sk_security_reset(newsksec); 5432 } 5433 5434 static void selinux_sk_getsecid(const struct sock *sk, u32 *secid) 5435 { 5436 if (!sk) 5437 *secid = SECINITSID_ANY_SOCKET; 5438 else { 5439 const struct sk_security_struct *sksec = selinux_sock(sk); 5440 5441 *secid = sksec->sid; 5442 } 5443 } 5444 5445 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5446 { 5447 struct inode_security_struct *isec = 5448 inode_security_novalidate(SOCK_INODE(parent)); 5449 struct sk_security_struct *sksec = selinux_sock(sk); 5450 5451 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5452 sk->sk_family == PF_UNIX) 5453 isec->sid = sksec->sid; 5454 sksec->sclass = isec->sclass; 5455 } 5456 5457 /* 5458 * Determines peer_secid for the asoc and updates socket's peer label 5459 * if it's the first association on the socket. 5460 */ 5461 static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, 5462 struct sk_buff *skb) 5463 { 5464 struct sock *sk = asoc->base.sk; 5465 u16 family = sk->sk_family; 5466 struct sk_security_struct *sksec = selinux_sock(sk); 5467 struct common_audit_data ad; 5468 struct lsm_network_audit net; 5469 int err; 5470 5471 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5472 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5473 family = PF_INET; 5474 5475 if (selinux_peerlbl_enabled()) { 5476 asoc->peer_secid = SECSID_NULL; 5477 5478 /* This will return peer_sid = SECSID_NULL if there are 5479 * no peer labels, see security_net_peersid_resolve(). 5480 */ 5481 err = selinux_skb_peerlbl_sid(skb, family, &asoc->peer_secid); 5482 if (err) 5483 return err; 5484 5485 if (asoc->peer_secid == SECSID_NULL) 5486 asoc->peer_secid = SECINITSID_UNLABELED; 5487 } else { 5488 asoc->peer_secid = SECINITSID_UNLABELED; 5489 } 5490 5491 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5492 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5493 5494 /* Here as first association on socket. As the peer SID 5495 * was allowed by peer recv (and the netif/node checks), 5496 * then it is approved by policy and used as the primary 5497 * peer SID for getpeercon(3). 5498 */ 5499 sksec->peer_sid = asoc->peer_secid; 5500 } else if (sksec->peer_sid != asoc->peer_secid) { 5501 /* Other association peer SIDs are checked to enforce 5502 * consistency among the peer SIDs. 5503 */ 5504 ad_net_init_from_sk(&ad, &net, asoc->base.sk); 5505 err = avc_has_perm(sksec->peer_sid, asoc->peer_secid, 5506 sksec->sclass, SCTP_SOCKET__ASSOCIATION, 5507 &ad); 5508 if (err) 5509 return err; 5510 } 5511 return 0; 5512 } 5513 5514 /* Called whenever SCTP receives an INIT or COOKIE ECHO chunk. This 5515 * happens on an incoming connect(2), sctp_connectx(3) or 5516 * sctp_sendmsg(3) (with no association already present). 5517 */ 5518 static int selinux_sctp_assoc_request(struct sctp_association *asoc, 5519 struct sk_buff *skb) 5520 { 5521 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5522 u32 conn_sid; 5523 int err; 5524 5525 if (!selinux_policycap_extsockclass()) 5526 return 0; 5527 5528 err = selinux_sctp_process_new_assoc(asoc, skb); 5529 if (err) 5530 return err; 5531 5532 /* Compute the MLS component for the connection and store 5533 * the information in asoc. This will be used by SCTP TCP type 5534 * sockets and peeled off connections as they cause a new 5535 * socket to be generated. selinux_sctp_sk_clone() will then 5536 * plug this into the new socket. 5537 */ 5538 err = selinux_conn_sid(sksec->sid, asoc->peer_secid, &conn_sid); 5539 if (err) 5540 return err; 5541 5542 asoc->secid = conn_sid; 5543 5544 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5545 return selinux_netlbl_sctp_assoc_request(asoc, skb); 5546 } 5547 5548 /* Called when SCTP receives a COOKIE ACK chunk as the final 5549 * response to an association request (initited by us). 5550 */ 5551 static int selinux_sctp_assoc_established(struct sctp_association *asoc, 5552 struct sk_buff *skb) 5553 { 5554 struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); 5555 5556 if (!selinux_policycap_extsockclass()) 5557 return 0; 5558 5559 /* Inherit secid from the parent socket - this will be picked up 5560 * by selinux_sctp_sk_clone() if the association gets peeled off 5561 * into a new socket. 5562 */ 5563 asoc->secid = sksec->sid; 5564 5565 return selinux_sctp_process_new_assoc(asoc, skb); 5566 } 5567 5568 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5569 * based on their @optname. 5570 */ 5571 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5572 struct sockaddr *address, 5573 int addrlen) 5574 { 5575 int len, err = 0, walk_size = 0; 5576 void *addr_buf; 5577 struct sockaddr *addr; 5578 struct socket *sock; 5579 5580 if (!selinux_policycap_extsockclass()) 5581 return 0; 5582 5583 /* Process one or more addresses that may be IPv4 or IPv6 */ 5584 sock = sk->sk_socket; 5585 addr_buf = address; 5586 5587 while (walk_size < addrlen) { 5588 if (walk_size + sizeof(sa_family_t) > addrlen) 5589 return -EINVAL; 5590 5591 addr = addr_buf; 5592 switch (addr->sa_family) { 5593 case AF_UNSPEC: 5594 case AF_INET: 5595 len = sizeof(struct sockaddr_in); 5596 break; 5597 case AF_INET6: 5598 len = sizeof(struct sockaddr_in6); 5599 break; 5600 default: 5601 return -EINVAL; 5602 } 5603 5604 if (walk_size + len > addrlen) 5605 return -EINVAL; 5606 5607 err = -EINVAL; 5608 switch (optname) { 5609 /* Bind checks */ 5610 case SCTP_PRIMARY_ADDR: 5611 case SCTP_SET_PEER_PRIMARY_ADDR: 5612 case SCTP_SOCKOPT_BINDX_ADD: 5613 err = selinux_socket_bind(sock, addr, len); 5614 break; 5615 /* Connect checks */ 5616 case SCTP_SOCKOPT_CONNECTX: 5617 case SCTP_PARAM_SET_PRIMARY: 5618 case SCTP_PARAM_ADD_IP: 5619 case SCTP_SENDMSG_CONNECT: 5620 err = selinux_socket_connect_helper(sock, addr, len); 5621 if (err) 5622 return err; 5623 5624 /* As selinux_sctp_bind_connect() is called by the 5625 * SCTP protocol layer, the socket is already locked, 5626 * therefore selinux_netlbl_socket_connect_locked() 5627 * is called here. The situations handled are: 5628 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5629 * whenever a new IP address is added or when a new 5630 * primary address is selected. 5631 * Note that an SCTP connect(2) call happens before 5632 * the SCTP protocol layer and is handled via 5633 * selinux_socket_connect(). 5634 */ 5635 err = selinux_netlbl_socket_connect_locked(sk, addr); 5636 break; 5637 } 5638 5639 if (err) 5640 return err; 5641 5642 addr_buf += len; 5643 walk_size += len; 5644 } 5645 5646 return 0; 5647 } 5648 5649 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5650 static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, 5651 struct sock *newsk) 5652 { 5653 struct sk_security_struct *sksec = selinux_sock(sk); 5654 struct sk_security_struct *newsksec = selinux_sock(newsk); 5655 5656 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5657 * the non-sctp clone version. 5658 */ 5659 if (!selinux_policycap_extsockclass()) 5660 return selinux_sk_clone_security(sk, newsk); 5661 5662 newsksec->sid = asoc->secid; 5663 newsksec->peer_sid = asoc->peer_secid; 5664 newsksec->sclass = sksec->sclass; 5665 selinux_netlbl_sctp_sk_clone(sk, newsk); 5666 } 5667 5668 static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) 5669 { 5670 struct sk_security_struct *ssksec = selinux_sock(ssk); 5671 struct sk_security_struct *sksec = selinux_sock(sk); 5672 5673 ssksec->sclass = sksec->sclass; 5674 ssksec->sid = sksec->sid; 5675 5676 /* replace the existing subflow label deleting the existing one 5677 * and re-recreating a new label using the updated context 5678 */ 5679 selinux_netlbl_sk_security_free(ssksec); 5680 return selinux_netlbl_socket_post_create(ssk, ssk->sk_family); 5681 } 5682 5683 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 5684 struct request_sock *req) 5685 { 5686 struct sk_security_struct *sksec = selinux_sock(sk); 5687 int err; 5688 u16 family = req->rsk_ops->family; 5689 u32 connsid; 5690 u32 peersid; 5691 5692 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5693 if (err) 5694 return err; 5695 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5696 if (err) 5697 return err; 5698 req->secid = connsid; 5699 req->peer_secid = peersid; 5700 5701 return selinux_netlbl_inet_conn_request(req, family); 5702 } 5703 5704 static void selinux_inet_csk_clone(struct sock *newsk, 5705 const struct request_sock *req) 5706 { 5707 struct sk_security_struct *newsksec = selinux_sock(newsk); 5708 5709 newsksec->sid = req->secid; 5710 newsksec->peer_sid = req->peer_secid; 5711 /* NOTE: Ideally, we should also get the isec->sid for the 5712 new socket in sync, but we don't have the isec available yet. 5713 So we will wait until sock_graft to do it, by which 5714 time it will have been created and available. */ 5715 5716 /* We don't need to take any sort of lock here as we are the only 5717 * thread with access to newsksec */ 5718 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5719 } 5720 5721 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5722 { 5723 u16 family = sk->sk_family; 5724 struct sk_security_struct *sksec = selinux_sock(sk); 5725 5726 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5727 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5728 family = PF_INET; 5729 5730 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5731 } 5732 5733 static int selinux_secmark_relabel_packet(u32 sid) 5734 { 5735 return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO, 5736 NULL); 5737 } 5738 5739 static void selinux_secmark_refcount_inc(void) 5740 { 5741 atomic_inc(&selinux_secmark_refcount); 5742 } 5743 5744 static void selinux_secmark_refcount_dec(void) 5745 { 5746 atomic_dec(&selinux_secmark_refcount); 5747 } 5748 5749 static void selinux_req_classify_flow(const struct request_sock *req, 5750 struct flowi_common *flic) 5751 { 5752 flic->flowic_secid = req->secid; 5753 } 5754 5755 static int selinux_tun_dev_alloc_security(void *security) 5756 { 5757 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5758 5759 tunsec->sid = current_sid(); 5760 return 0; 5761 } 5762 5763 static int selinux_tun_dev_create(void) 5764 { 5765 u32 sid = current_sid(); 5766 5767 /* we aren't taking into account the "sockcreate" SID since the socket 5768 * that is being created here is not a socket in the traditional sense, 5769 * instead it is a private sock, accessible only to the kernel, and 5770 * representing a wide range of network traffic spanning multiple 5771 * connections unlike traditional sockets - check the TUN driver to 5772 * get a better understanding of why this socket is special */ 5773 5774 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5775 NULL); 5776 } 5777 5778 static int selinux_tun_dev_attach_queue(void *security) 5779 { 5780 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5781 5782 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5783 TUN_SOCKET__ATTACH_QUEUE, NULL); 5784 } 5785 5786 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5787 { 5788 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5789 struct sk_security_struct *sksec = selinux_sock(sk); 5790 5791 /* we don't currently perform any NetLabel based labeling here and it 5792 * isn't clear that we would want to do so anyway; while we could apply 5793 * labeling without the support of the TUN user the resulting labeled 5794 * traffic from the other end of the connection would almost certainly 5795 * cause confusion to the TUN user that had no idea network labeling 5796 * protocols were being used */ 5797 5798 sksec->sid = tunsec->sid; 5799 sksec->sclass = SECCLASS_TUN_SOCKET; 5800 5801 return 0; 5802 } 5803 5804 static int selinux_tun_dev_open(void *security) 5805 { 5806 struct tun_security_struct *tunsec = selinux_tun_dev(security); 5807 u32 sid = current_sid(); 5808 int err; 5809 5810 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5811 TUN_SOCKET__RELABELFROM, NULL); 5812 if (err) 5813 return err; 5814 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 5815 TUN_SOCKET__RELABELTO, NULL); 5816 if (err) 5817 return err; 5818 tunsec->sid = sid; 5819 5820 return 0; 5821 } 5822 5823 #ifdef CONFIG_NETFILTER 5824 5825 static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5826 const struct nf_hook_state *state) 5827 { 5828 int ifindex; 5829 u16 family; 5830 char *addrp; 5831 u32 peer_sid; 5832 struct common_audit_data ad; 5833 struct lsm_network_audit net; 5834 int secmark_active, peerlbl_active; 5835 5836 if (!selinux_policycap_netpeer()) 5837 return NF_ACCEPT; 5838 5839 secmark_active = selinux_secmark_enabled(); 5840 peerlbl_active = selinux_peerlbl_enabled(); 5841 if (!secmark_active && !peerlbl_active) 5842 return NF_ACCEPT; 5843 5844 family = state->pf; 5845 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5846 return NF_DROP; 5847 5848 ifindex = state->in->ifindex; 5849 ad_net_init_from_iif(&ad, &net, ifindex, family); 5850 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5851 return NF_DROP; 5852 5853 if (peerlbl_active) { 5854 int err; 5855 5856 err = selinux_inet_sys_rcv_skb(state->net, ifindex, 5857 addrp, family, peer_sid, &ad); 5858 if (err) { 5859 selinux_netlbl_err(skb, family, err, 1); 5860 return NF_DROP; 5861 } 5862 } 5863 5864 if (secmark_active) 5865 if (avc_has_perm(peer_sid, skb->secmark, 5866 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5867 return NF_DROP; 5868 5869 if (netlbl_enabled()) 5870 /* we do this in the FORWARD path and not the POST_ROUTING 5871 * path because we want to make sure we apply the necessary 5872 * labeling before IPsec is applied so we can leverage AH 5873 * protection */ 5874 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5875 return NF_DROP; 5876 5877 return NF_ACCEPT; 5878 } 5879 5880 static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, 5881 const struct nf_hook_state *state) 5882 { 5883 struct sock *sk; 5884 u32 sid; 5885 5886 if (!netlbl_enabled()) 5887 return NF_ACCEPT; 5888 5889 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5890 * because we want to make sure we apply the necessary labeling 5891 * before IPsec is applied so we can leverage AH protection */ 5892 sk = skb_to_full_sk(skb); 5893 if (sk) { 5894 struct sk_security_struct *sksec; 5895 5896 if (sk_listener(sk)) 5897 /* if the socket is the listening state then this 5898 * packet is a SYN-ACK packet which means it needs to 5899 * be labeled based on the connection/request_sock and 5900 * not the parent socket. unfortunately, we can't 5901 * lookup the request_sock yet as it isn't queued on 5902 * the parent socket until after the SYN-ACK is sent. 5903 * the "solution" is to simply pass the packet as-is 5904 * as any IP option based labeling should be copied 5905 * from the initial connection request (in the IP 5906 * layer). it is far from ideal, but until we get a 5907 * security label in the packet itself this is the 5908 * best we can do. */ 5909 return NF_ACCEPT; 5910 5911 /* standard practice, label using the parent socket */ 5912 sksec = selinux_sock(sk); 5913 sid = sksec->sid; 5914 } else 5915 sid = SECINITSID_KERNEL; 5916 if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0) 5917 return NF_DROP; 5918 5919 return NF_ACCEPT; 5920 } 5921 5922 5923 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5924 const struct nf_hook_state *state) 5925 { 5926 struct sock *sk; 5927 struct sk_security_struct *sksec; 5928 struct common_audit_data ad; 5929 struct lsm_network_audit net; 5930 u8 proto = 0; 5931 5932 sk = skb_to_full_sk(skb); 5933 if (sk == NULL) 5934 return NF_ACCEPT; 5935 sksec = selinux_sock(sk); 5936 5937 ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf); 5938 if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) 5939 return NF_DROP; 5940 5941 if (selinux_secmark_enabled()) 5942 if (avc_has_perm(sksec->sid, skb->secmark, 5943 SECCLASS_PACKET, PACKET__SEND, &ad)) 5944 return NF_DROP_ERR(-ECONNREFUSED); 5945 5946 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5947 return NF_DROP_ERR(-ECONNREFUSED); 5948 5949 return NF_ACCEPT; 5950 } 5951 5952 static unsigned int selinux_ip_postroute(void *priv, 5953 struct sk_buff *skb, 5954 const struct nf_hook_state *state) 5955 { 5956 u16 family; 5957 u32 secmark_perm; 5958 u32 peer_sid; 5959 int ifindex; 5960 struct sock *sk; 5961 struct common_audit_data ad; 5962 struct lsm_network_audit net; 5963 char *addrp; 5964 int secmark_active, peerlbl_active; 5965 5966 /* If any sort of compatibility mode is enabled then handoff processing 5967 * to the selinux_ip_postroute_compat() function to deal with the 5968 * special handling. We do this in an attempt to keep this function 5969 * as fast and as clean as possible. */ 5970 if (!selinux_policycap_netpeer()) 5971 return selinux_ip_postroute_compat(skb, state); 5972 5973 secmark_active = selinux_secmark_enabled(); 5974 peerlbl_active = selinux_peerlbl_enabled(); 5975 if (!secmark_active && !peerlbl_active) 5976 return NF_ACCEPT; 5977 5978 sk = skb_to_full_sk(skb); 5979 5980 #ifdef CONFIG_XFRM 5981 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5982 * packet transformation so allow the packet to pass without any checks 5983 * since we'll have another chance to perform access control checks 5984 * when the packet is on it's final way out. 5985 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5986 * is NULL, in this case go ahead and apply access control. 5987 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5988 * TCP listening state we cannot wait until the XFRM processing 5989 * is done as we will miss out on the SA label if we do; 5990 * unfortunately, this means more work, but it is only once per 5991 * connection. */ 5992 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5993 !(sk && sk_listener(sk))) 5994 return NF_ACCEPT; 5995 #endif 5996 5997 family = state->pf; 5998 if (sk == NULL) { 5999 /* Without an associated socket the packet is either coming 6000 * from the kernel or it is being forwarded; check the packet 6001 * to determine which and if the packet is being forwarded 6002 * query the packet directly to determine the security label. */ 6003 if (skb->skb_iif) { 6004 secmark_perm = PACKET__FORWARD_OUT; 6005 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 6006 return NF_DROP; 6007 } else { 6008 secmark_perm = PACKET__SEND; 6009 peer_sid = SECINITSID_KERNEL; 6010 } 6011 } else if (sk_listener(sk)) { 6012 /* Locally generated packet but the associated socket is in the 6013 * listening state which means this is a SYN-ACK packet. In 6014 * this particular case the correct security label is assigned 6015 * to the connection/request_sock but unfortunately we can't 6016 * query the request_sock as it isn't queued on the parent 6017 * socket until after the SYN-ACK packet is sent; the only 6018 * viable choice is to regenerate the label like we do in 6019 * selinux_inet_conn_request(). See also selinux_ip_output() 6020 * for similar problems. */ 6021 u32 skb_sid; 6022 struct sk_security_struct *sksec; 6023 6024 sksec = selinux_sock(sk); 6025 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 6026 return NF_DROP; 6027 /* At this point, if the returned skb peerlbl is SECSID_NULL 6028 * and the packet has been through at least one XFRM 6029 * transformation then we must be dealing with the "final" 6030 * form of labeled IPsec packet; since we've already applied 6031 * all of our access controls on this packet we can safely 6032 * pass the packet. */ 6033 if (skb_sid == SECSID_NULL) { 6034 switch (family) { 6035 case PF_INET: 6036 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 6037 return NF_ACCEPT; 6038 break; 6039 case PF_INET6: 6040 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 6041 return NF_ACCEPT; 6042 break; 6043 default: 6044 return NF_DROP_ERR(-ECONNREFUSED); 6045 } 6046 } 6047 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 6048 return NF_DROP; 6049 secmark_perm = PACKET__SEND; 6050 } else { 6051 /* Locally generated packet, fetch the security label from the 6052 * associated socket. */ 6053 struct sk_security_struct *sksec = selinux_sock(sk); 6054 peer_sid = sksec->sid; 6055 secmark_perm = PACKET__SEND; 6056 } 6057 6058 ifindex = state->out->ifindex; 6059 ad_net_init_from_iif(&ad, &net, ifindex, family); 6060 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 6061 return NF_DROP; 6062 6063 if (secmark_active) 6064 if (avc_has_perm(peer_sid, skb->secmark, 6065 SECCLASS_PACKET, secmark_perm, &ad)) 6066 return NF_DROP_ERR(-ECONNREFUSED); 6067 6068 if (peerlbl_active) { 6069 u32 if_sid; 6070 u32 node_sid; 6071 6072 if (sel_netif_sid(state->net, ifindex, &if_sid)) 6073 return NF_DROP; 6074 if (avc_has_perm(peer_sid, if_sid, 6075 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 6076 return NF_DROP_ERR(-ECONNREFUSED); 6077 6078 if (sel_netnode_sid(addrp, family, &node_sid)) 6079 return NF_DROP; 6080 if (avc_has_perm(peer_sid, node_sid, 6081 SECCLASS_NODE, NODE__SENDTO, &ad)) 6082 return NF_DROP_ERR(-ECONNREFUSED); 6083 } 6084 6085 return NF_ACCEPT; 6086 } 6087 #endif /* CONFIG_NETFILTER */ 6088 6089 static int nlmsg_sock_has_extended_perms(struct sock *sk, u32 perms, u16 nlmsg_type) 6090 { 6091 struct sk_security_struct *sksec = sk->sk_security; 6092 struct common_audit_data ad; 6093 u8 driver; 6094 u8 xperm; 6095 6096 if (sock_skip_has_perm(sksec->sid)) 6097 return 0; 6098 6099 ad.type = LSM_AUDIT_DATA_NLMSGTYPE; 6100 ad.u.nlmsg_type = nlmsg_type; 6101 6102 driver = nlmsg_type >> 8; 6103 xperm = nlmsg_type & 0xff; 6104 6105 return avc_has_extended_perms(current_sid(), sksec->sid, sksec->sclass, 6106 perms, driver, AVC_EXT_NLMSG, xperm, &ad); 6107 } 6108 6109 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 6110 { 6111 int rc = 0; 6112 unsigned int msg_len; 6113 unsigned int data_len = skb->len; 6114 unsigned char *data = skb->data; 6115 struct nlmsghdr *nlh; 6116 struct sk_security_struct *sksec = selinux_sock(sk); 6117 u16 sclass = sksec->sclass; 6118 u32 perm; 6119 6120 while (data_len >= nlmsg_total_size(0)) { 6121 nlh = (struct nlmsghdr *)data; 6122 6123 /* NOTE: the nlmsg_len field isn't reliably set by some netlink 6124 * users which means we can't reject skb's with bogus 6125 * length fields; our solution is to follow what 6126 * netlink_rcv_skb() does and simply skip processing at 6127 * messages with length fields that are clearly junk 6128 */ 6129 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len) 6130 return 0; 6131 6132 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm); 6133 if (rc == 0) { 6134 if (selinux_policycap_netlink_xperm()) { 6135 rc = nlmsg_sock_has_extended_perms( 6136 sk, perm, nlh->nlmsg_type); 6137 } else { 6138 rc = sock_has_perm(sk, perm); 6139 } 6140 if (rc) 6141 return rc; 6142 } else if (rc == -EINVAL) { 6143 /* -EINVAL is a missing msg/perm mapping */ 6144 pr_warn_ratelimited("SELinux: unrecognized netlink" 6145 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 6146 " pid=%d comm=%s\n", 6147 sk->sk_protocol, nlh->nlmsg_type, 6148 secclass_map[sclass - 1].name, 6149 task_pid_nr(current), current->comm); 6150 if (enforcing_enabled() && 6151 !security_get_allow_unknown()) 6152 return rc; 6153 rc = 0; 6154 } else if (rc == -ENOENT) { 6155 /* -ENOENT is a missing socket/class mapping, ignore */ 6156 rc = 0; 6157 } else { 6158 return rc; 6159 } 6160 6161 /* move to the next message after applying netlink padding */ 6162 msg_len = NLMSG_ALIGN(nlh->nlmsg_len); 6163 if (msg_len >= data_len) 6164 return 0; 6165 data_len -= msg_len; 6166 data += msg_len; 6167 } 6168 6169 return rc; 6170 } 6171 6172 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 6173 { 6174 isec->sclass = sclass; 6175 isec->sid = current_sid(); 6176 } 6177 6178 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 6179 u32 perms) 6180 { 6181 struct ipc_security_struct *isec; 6182 struct common_audit_data ad; 6183 u32 sid = current_sid(); 6184 6185 isec = selinux_ipc(ipc_perms); 6186 6187 ad.type = LSM_AUDIT_DATA_IPC; 6188 ad.u.ipc_id = ipc_perms->key; 6189 6190 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 6191 } 6192 6193 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 6194 { 6195 struct msg_security_struct *msec; 6196 6197 msec = selinux_msg_msg(msg); 6198 msec->sid = SECINITSID_UNLABELED; 6199 6200 return 0; 6201 } 6202 6203 /* message queue security operations */ 6204 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 6205 { 6206 struct ipc_security_struct *isec; 6207 struct common_audit_data ad; 6208 u32 sid = current_sid(); 6209 6210 isec = selinux_ipc(msq); 6211 ipc_init_security(isec, SECCLASS_MSGQ); 6212 6213 ad.type = LSM_AUDIT_DATA_IPC; 6214 ad.u.ipc_id = msq->key; 6215 6216 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6217 MSGQ__CREATE, &ad); 6218 } 6219 6220 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6221 { 6222 struct ipc_security_struct *isec; 6223 struct common_audit_data ad; 6224 u32 sid = current_sid(); 6225 6226 isec = selinux_ipc(msq); 6227 6228 ad.type = LSM_AUDIT_DATA_IPC; 6229 ad.u.ipc_id = msq->key; 6230 6231 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6232 MSGQ__ASSOCIATE, &ad); 6233 } 6234 6235 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6236 { 6237 u32 perms; 6238 6239 switch (cmd) { 6240 case IPC_INFO: 6241 case MSG_INFO: 6242 /* No specific object, just general system-wide information. */ 6243 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6244 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6245 case IPC_STAT: 6246 case MSG_STAT: 6247 case MSG_STAT_ANY: 6248 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6249 break; 6250 case IPC_SET: 6251 perms = MSGQ__SETATTR; 6252 break; 6253 case IPC_RMID: 6254 perms = MSGQ__DESTROY; 6255 break; 6256 default: 6257 return 0; 6258 } 6259 6260 return ipc_has_perm(msq, perms); 6261 } 6262 6263 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6264 { 6265 struct ipc_security_struct *isec; 6266 struct msg_security_struct *msec; 6267 struct common_audit_data ad; 6268 u32 sid = current_sid(); 6269 int rc; 6270 6271 isec = selinux_ipc(msq); 6272 msec = selinux_msg_msg(msg); 6273 6274 /* 6275 * First time through, need to assign label to the message 6276 */ 6277 if (msec->sid == SECINITSID_UNLABELED) { 6278 /* 6279 * Compute new sid based on current process and 6280 * message queue this message will be stored in 6281 */ 6282 rc = security_transition_sid(sid, isec->sid, 6283 SECCLASS_MSG, NULL, &msec->sid); 6284 if (rc) 6285 return rc; 6286 } 6287 6288 ad.type = LSM_AUDIT_DATA_IPC; 6289 ad.u.ipc_id = msq->key; 6290 6291 /* Can this process write to the queue? */ 6292 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 6293 MSGQ__WRITE, &ad); 6294 if (!rc) 6295 /* Can this process send the message */ 6296 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 6297 MSG__SEND, &ad); 6298 if (!rc) 6299 /* Can the message be put in the queue? */ 6300 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 6301 MSGQ__ENQUEUE, &ad); 6302 6303 return rc; 6304 } 6305 6306 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6307 struct task_struct *target, 6308 long type, int mode) 6309 { 6310 struct ipc_security_struct *isec; 6311 struct msg_security_struct *msec; 6312 struct common_audit_data ad; 6313 u32 sid = task_sid_obj(target); 6314 int rc; 6315 6316 isec = selinux_ipc(msq); 6317 msec = selinux_msg_msg(msg); 6318 6319 ad.type = LSM_AUDIT_DATA_IPC; 6320 ad.u.ipc_id = msq->key; 6321 6322 rc = avc_has_perm(sid, isec->sid, 6323 SECCLASS_MSGQ, MSGQ__READ, &ad); 6324 if (!rc) 6325 rc = avc_has_perm(sid, msec->sid, 6326 SECCLASS_MSG, MSG__RECEIVE, &ad); 6327 return rc; 6328 } 6329 6330 /* Shared Memory security operations */ 6331 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6332 { 6333 struct ipc_security_struct *isec; 6334 struct common_audit_data ad; 6335 u32 sid = current_sid(); 6336 6337 isec = selinux_ipc(shp); 6338 ipc_init_security(isec, SECCLASS_SHM); 6339 6340 ad.type = LSM_AUDIT_DATA_IPC; 6341 ad.u.ipc_id = shp->key; 6342 6343 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6344 SHM__CREATE, &ad); 6345 } 6346 6347 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6348 { 6349 struct ipc_security_struct *isec; 6350 struct common_audit_data ad; 6351 u32 sid = current_sid(); 6352 6353 isec = selinux_ipc(shp); 6354 6355 ad.type = LSM_AUDIT_DATA_IPC; 6356 ad.u.ipc_id = shp->key; 6357 6358 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 6359 SHM__ASSOCIATE, &ad); 6360 } 6361 6362 /* Note, at this point, shp is locked down */ 6363 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6364 { 6365 u32 perms; 6366 6367 switch (cmd) { 6368 case IPC_INFO: 6369 case SHM_INFO: 6370 /* No specific object, just general system-wide information. */ 6371 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6372 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6373 case IPC_STAT: 6374 case SHM_STAT: 6375 case SHM_STAT_ANY: 6376 perms = SHM__GETATTR | SHM__ASSOCIATE; 6377 break; 6378 case IPC_SET: 6379 perms = SHM__SETATTR; 6380 break; 6381 case SHM_LOCK: 6382 case SHM_UNLOCK: 6383 perms = SHM__LOCK; 6384 break; 6385 case IPC_RMID: 6386 perms = SHM__DESTROY; 6387 break; 6388 default: 6389 return 0; 6390 } 6391 6392 return ipc_has_perm(shp, perms); 6393 } 6394 6395 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6396 char __user *shmaddr, int shmflg) 6397 { 6398 u32 perms; 6399 6400 if (shmflg & SHM_RDONLY) 6401 perms = SHM__READ; 6402 else 6403 perms = SHM__READ | SHM__WRITE; 6404 6405 return ipc_has_perm(shp, perms); 6406 } 6407 6408 /* Semaphore security operations */ 6409 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6410 { 6411 struct ipc_security_struct *isec; 6412 struct common_audit_data ad; 6413 u32 sid = current_sid(); 6414 6415 isec = selinux_ipc(sma); 6416 ipc_init_security(isec, SECCLASS_SEM); 6417 6418 ad.type = LSM_AUDIT_DATA_IPC; 6419 ad.u.ipc_id = sma->key; 6420 6421 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6422 SEM__CREATE, &ad); 6423 } 6424 6425 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6426 { 6427 struct ipc_security_struct *isec; 6428 struct common_audit_data ad; 6429 u32 sid = current_sid(); 6430 6431 isec = selinux_ipc(sma); 6432 6433 ad.type = LSM_AUDIT_DATA_IPC; 6434 ad.u.ipc_id = sma->key; 6435 6436 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 6437 SEM__ASSOCIATE, &ad); 6438 } 6439 6440 /* Note, at this point, sma is locked down */ 6441 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6442 { 6443 int err; 6444 u32 perms; 6445 6446 switch (cmd) { 6447 case IPC_INFO: 6448 case SEM_INFO: 6449 /* No specific object, just general system-wide information. */ 6450 return avc_has_perm(current_sid(), SECINITSID_KERNEL, 6451 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6452 case GETPID: 6453 case GETNCNT: 6454 case GETZCNT: 6455 perms = SEM__GETATTR; 6456 break; 6457 case GETVAL: 6458 case GETALL: 6459 perms = SEM__READ; 6460 break; 6461 case SETVAL: 6462 case SETALL: 6463 perms = SEM__WRITE; 6464 break; 6465 case IPC_RMID: 6466 perms = SEM__DESTROY; 6467 break; 6468 case IPC_SET: 6469 perms = SEM__SETATTR; 6470 break; 6471 case IPC_STAT: 6472 case SEM_STAT: 6473 case SEM_STAT_ANY: 6474 perms = SEM__GETATTR | SEM__ASSOCIATE; 6475 break; 6476 default: 6477 return 0; 6478 } 6479 6480 err = ipc_has_perm(sma, perms); 6481 return err; 6482 } 6483 6484 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6485 struct sembuf *sops, unsigned nsops, int alter) 6486 { 6487 u32 perms; 6488 6489 if (alter) 6490 perms = SEM__READ | SEM__WRITE; 6491 else 6492 perms = SEM__READ; 6493 6494 return ipc_has_perm(sma, perms); 6495 } 6496 6497 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6498 { 6499 u32 av = 0; 6500 6501 av = 0; 6502 if (flag & S_IRUGO) 6503 av |= IPC__UNIX_READ; 6504 if (flag & S_IWUGO) 6505 av |= IPC__UNIX_WRITE; 6506 6507 if (av == 0) 6508 return 0; 6509 6510 return ipc_has_perm(ipcp, av); 6511 } 6512 6513 static void selinux_ipc_getlsmprop(struct kern_ipc_perm *ipcp, 6514 struct lsm_prop *prop) 6515 { 6516 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6517 prop->selinux.secid = isec->sid; 6518 } 6519 6520 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6521 { 6522 if (inode) 6523 inode_doinit_with_dentry(inode, dentry); 6524 } 6525 6526 static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, 6527 char **value) 6528 { 6529 const struct task_security_struct *tsec; 6530 int error; 6531 u32 sid; 6532 u32 len; 6533 6534 rcu_read_lock(); 6535 tsec = selinux_cred(__task_cred(p)); 6536 if (p != current) { 6537 error = avc_has_perm(current_sid(), tsec->sid, 6538 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6539 if (error) 6540 goto err_unlock; 6541 } 6542 switch (attr) { 6543 case LSM_ATTR_CURRENT: 6544 sid = tsec->sid; 6545 break; 6546 case LSM_ATTR_PREV: 6547 sid = tsec->osid; 6548 break; 6549 case LSM_ATTR_EXEC: 6550 sid = tsec->exec_sid; 6551 break; 6552 case LSM_ATTR_FSCREATE: 6553 sid = tsec->create_sid; 6554 break; 6555 case LSM_ATTR_KEYCREATE: 6556 sid = tsec->keycreate_sid; 6557 break; 6558 case LSM_ATTR_SOCKCREATE: 6559 sid = tsec->sockcreate_sid; 6560 break; 6561 default: 6562 error = -EOPNOTSUPP; 6563 goto err_unlock; 6564 } 6565 rcu_read_unlock(); 6566 6567 if (sid == SECSID_NULL) { 6568 *value = NULL; 6569 return 0; 6570 } 6571 6572 error = security_sid_to_context(sid, value, &len); 6573 if (error) 6574 return error; 6575 return len; 6576 6577 err_unlock: 6578 rcu_read_unlock(); 6579 return error; 6580 } 6581 6582 static int selinux_lsm_setattr(u64 attr, void *value, size_t size) 6583 { 6584 struct task_security_struct *tsec; 6585 struct cred *new; 6586 u32 mysid = current_sid(), sid = 0, ptsid; 6587 int error; 6588 char *str = value; 6589 6590 /* 6591 * Basic control over ability to set these attributes at all. 6592 */ 6593 switch (attr) { 6594 case LSM_ATTR_EXEC: 6595 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6596 PROCESS__SETEXEC, NULL); 6597 break; 6598 case LSM_ATTR_FSCREATE: 6599 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6600 PROCESS__SETFSCREATE, NULL); 6601 break; 6602 case LSM_ATTR_KEYCREATE: 6603 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6604 PROCESS__SETKEYCREATE, NULL); 6605 break; 6606 case LSM_ATTR_SOCKCREATE: 6607 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6608 PROCESS__SETSOCKCREATE, NULL); 6609 break; 6610 case LSM_ATTR_CURRENT: 6611 error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS, 6612 PROCESS__SETCURRENT, NULL); 6613 break; 6614 default: 6615 error = -EOPNOTSUPP; 6616 break; 6617 } 6618 if (error) 6619 return error; 6620 6621 /* Obtain a SID for the context, if one was specified. */ 6622 if (size && str[0] && str[0] != '\n') { 6623 if (str[size-1] == '\n') { 6624 str[size-1] = 0; 6625 size--; 6626 } 6627 error = security_context_to_sid(value, size, 6628 &sid, GFP_KERNEL); 6629 if (error == -EINVAL && attr == LSM_ATTR_FSCREATE) { 6630 if (!has_cap_mac_admin(true)) { 6631 struct audit_buffer *ab; 6632 size_t audit_size; 6633 6634 /* We strip a nul only if it is at the end, 6635 * otherwise the context contains a nul and 6636 * we should audit that */ 6637 if (str[size - 1] == '\0') 6638 audit_size = size - 1; 6639 else 6640 audit_size = size; 6641 ab = audit_log_start(audit_context(), 6642 GFP_ATOMIC, 6643 AUDIT_SELINUX_ERR); 6644 if (!ab) 6645 return error; 6646 audit_log_format(ab, "op=fscreate invalid_context="); 6647 audit_log_n_untrustedstring(ab, value, 6648 audit_size); 6649 audit_log_end(ab); 6650 6651 return error; 6652 } 6653 error = security_context_to_sid_force(value, size, 6654 &sid); 6655 } 6656 if (error) 6657 return error; 6658 } 6659 6660 new = prepare_creds(); 6661 if (!new) 6662 return -ENOMEM; 6663 6664 /* Permission checking based on the specified context is 6665 performed during the actual operation (execve, 6666 open/mkdir/...), when we know the full context of the 6667 operation. See selinux_bprm_creds_for_exec for the execve 6668 checks and may_create for the file creation checks. The 6669 operation will then fail if the context is not permitted. */ 6670 tsec = selinux_cred(new); 6671 if (attr == LSM_ATTR_EXEC) { 6672 tsec->exec_sid = sid; 6673 } else if (attr == LSM_ATTR_FSCREATE) { 6674 tsec->create_sid = sid; 6675 } else if (attr == LSM_ATTR_KEYCREATE) { 6676 if (sid) { 6677 error = avc_has_perm(mysid, sid, 6678 SECCLASS_KEY, KEY__CREATE, NULL); 6679 if (error) 6680 goto abort_change; 6681 } 6682 tsec->keycreate_sid = sid; 6683 } else if (attr == LSM_ATTR_SOCKCREATE) { 6684 tsec->sockcreate_sid = sid; 6685 } else if (attr == LSM_ATTR_CURRENT) { 6686 error = -EINVAL; 6687 if (sid == 0) 6688 goto abort_change; 6689 6690 if (!current_is_single_threaded()) { 6691 error = security_bounded_transition(tsec->sid, sid); 6692 if (error) 6693 goto abort_change; 6694 } 6695 6696 /* Check permissions for the transition. */ 6697 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 6698 PROCESS__DYNTRANSITION, NULL); 6699 if (error) 6700 goto abort_change; 6701 6702 /* Check for ptracing, and update the task SID if ok. 6703 Otherwise, leave SID unchanged and fail. */ 6704 ptsid = ptrace_parent_sid(); 6705 if (ptsid != 0) { 6706 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 6707 PROCESS__PTRACE, NULL); 6708 if (error) 6709 goto abort_change; 6710 } 6711 6712 tsec->sid = sid; 6713 } else { 6714 error = -EINVAL; 6715 goto abort_change; 6716 } 6717 6718 commit_creds(new); 6719 return size; 6720 6721 abort_change: 6722 abort_creds(new); 6723 return error; 6724 } 6725 6726 /** 6727 * selinux_getselfattr - Get SELinux current task attributes 6728 * @attr: the requested attribute 6729 * @ctx: buffer to receive the result 6730 * @size: buffer size (input), buffer size used (output) 6731 * @flags: unused 6732 * 6733 * Fill the passed user space @ctx with the details of the requested 6734 * attribute. 6735 * 6736 * Returns the number of attributes on success, an error code otherwise. 6737 * There will only ever be one attribute. 6738 */ 6739 static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 6740 u32 *size, u32 flags) 6741 { 6742 int rc; 6743 char *val = NULL; 6744 int val_len; 6745 6746 val_len = selinux_lsm_getattr(attr, current, &val); 6747 if (val_len < 0) 6748 return val_len; 6749 rc = lsm_fill_user_ctx(ctx, size, val, val_len, LSM_ID_SELINUX, 0); 6750 kfree(val); 6751 return (!rc ? 1 : rc); 6752 } 6753 6754 static int selinux_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 6755 u32 size, u32 flags) 6756 { 6757 int rc; 6758 6759 rc = selinux_lsm_setattr(attr, ctx->ctx, ctx->ctx_len); 6760 if (rc > 0) 6761 return 0; 6762 return rc; 6763 } 6764 6765 static int selinux_getprocattr(struct task_struct *p, 6766 const char *name, char **value) 6767 { 6768 unsigned int attr = lsm_name_to_attr(name); 6769 int rc; 6770 6771 if (attr) { 6772 rc = selinux_lsm_getattr(attr, p, value); 6773 if (rc != -EOPNOTSUPP) 6774 return rc; 6775 } 6776 6777 return -EINVAL; 6778 } 6779 6780 static int selinux_setprocattr(const char *name, void *value, size_t size) 6781 { 6782 int attr = lsm_name_to_attr(name); 6783 6784 if (attr) 6785 return selinux_lsm_setattr(attr, value, size); 6786 return -EINVAL; 6787 } 6788 6789 static int selinux_ismaclabel(const char *name) 6790 { 6791 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6792 } 6793 6794 static int selinux_secid_to_secctx(u32 secid, struct lsm_context *cp) 6795 { 6796 u32 seclen; 6797 int ret; 6798 6799 if (cp) { 6800 cp->id = LSM_ID_SELINUX; 6801 ret = security_sid_to_context(secid, &cp->context, &cp->len); 6802 if (ret < 0) 6803 return ret; 6804 return cp->len; 6805 } 6806 ret = security_sid_to_context(secid, NULL, &seclen); 6807 if (ret < 0) 6808 return ret; 6809 return seclen; 6810 } 6811 6812 static int selinux_lsmprop_to_secctx(struct lsm_prop *prop, 6813 struct lsm_context *cp) 6814 { 6815 return selinux_secid_to_secctx(prop->selinux.secid, cp); 6816 } 6817 6818 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6819 { 6820 return security_context_to_sid(secdata, seclen, 6821 secid, GFP_KERNEL); 6822 } 6823 6824 static void selinux_release_secctx(struct lsm_context *cp) 6825 { 6826 if (cp->id == LSM_ID_SELINUX) { 6827 kfree(cp->context); 6828 cp->context = NULL; 6829 cp->id = LSM_ID_UNDEF; 6830 } 6831 } 6832 6833 static void selinux_inode_invalidate_secctx(struct inode *inode) 6834 { 6835 struct inode_security_struct *isec = selinux_inode(inode); 6836 6837 spin_lock(&isec->lock); 6838 isec->initialized = LABEL_INVALID; 6839 spin_unlock(&isec->lock); 6840 } 6841 6842 /* 6843 * called with inode->i_mutex locked 6844 */ 6845 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6846 { 6847 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6848 ctx, ctxlen, 0); 6849 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6850 return rc == -EOPNOTSUPP ? 0 : rc; 6851 } 6852 6853 /* 6854 * called with inode->i_mutex locked 6855 */ 6856 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6857 { 6858 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX, 6859 ctx, ctxlen, 0, NULL); 6860 } 6861 6862 static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp) 6863 { 6864 int len; 6865 len = selinux_inode_getsecurity(&nop_mnt_idmap, inode, 6866 XATTR_SELINUX_SUFFIX, 6867 (void **)&cp->context, true); 6868 if (len < 0) 6869 return len; 6870 cp->len = len; 6871 cp->id = LSM_ID_SELINUX; 6872 return 0; 6873 } 6874 #ifdef CONFIG_KEYS 6875 6876 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6877 unsigned long flags) 6878 { 6879 const struct task_security_struct *tsec; 6880 struct key_security_struct *ksec = selinux_key(k); 6881 6882 tsec = selinux_cred(cred); 6883 if (tsec->keycreate_sid) 6884 ksec->sid = tsec->keycreate_sid; 6885 else 6886 ksec->sid = tsec->sid; 6887 6888 return 0; 6889 } 6890 6891 static int selinux_key_permission(key_ref_t key_ref, 6892 const struct cred *cred, 6893 enum key_need_perm need_perm) 6894 { 6895 struct key *key; 6896 struct key_security_struct *ksec; 6897 u32 perm, sid; 6898 6899 switch (need_perm) { 6900 case KEY_NEED_VIEW: 6901 perm = KEY__VIEW; 6902 break; 6903 case KEY_NEED_READ: 6904 perm = KEY__READ; 6905 break; 6906 case KEY_NEED_WRITE: 6907 perm = KEY__WRITE; 6908 break; 6909 case KEY_NEED_SEARCH: 6910 perm = KEY__SEARCH; 6911 break; 6912 case KEY_NEED_LINK: 6913 perm = KEY__LINK; 6914 break; 6915 case KEY_NEED_SETATTR: 6916 perm = KEY__SETATTR; 6917 break; 6918 case KEY_NEED_UNLINK: 6919 case KEY_SYSADMIN_OVERRIDE: 6920 case KEY_AUTHTOKEN_OVERRIDE: 6921 case KEY_DEFER_PERM_CHECK: 6922 return 0; 6923 default: 6924 WARN_ON(1); 6925 return -EPERM; 6926 6927 } 6928 6929 sid = cred_sid(cred); 6930 key = key_ref_to_ptr(key_ref); 6931 ksec = selinux_key(key); 6932 6933 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6934 } 6935 6936 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6937 { 6938 struct key_security_struct *ksec = selinux_key(key); 6939 char *context = NULL; 6940 unsigned len; 6941 int rc; 6942 6943 rc = security_sid_to_context(ksec->sid, 6944 &context, &len); 6945 if (!rc) 6946 rc = len; 6947 *_buffer = context; 6948 return rc; 6949 } 6950 6951 #ifdef CONFIG_KEY_NOTIFICATIONS 6952 static int selinux_watch_key(struct key *key) 6953 { 6954 struct key_security_struct *ksec = selinux_key(key); 6955 u32 sid = current_sid(); 6956 6957 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL); 6958 } 6959 #endif 6960 #endif 6961 6962 #ifdef CONFIG_SECURITY_INFINIBAND 6963 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6964 { 6965 struct common_audit_data ad; 6966 int err; 6967 u32 sid = 0; 6968 struct ib_security_struct *sec = ib_sec; 6969 struct lsm_ibpkey_audit ibpkey; 6970 6971 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6972 if (err) 6973 return err; 6974 6975 ad.type = LSM_AUDIT_DATA_IBPKEY; 6976 ibpkey.subnet_prefix = subnet_prefix; 6977 ibpkey.pkey = pkey_val; 6978 ad.u.ibpkey = &ibpkey; 6979 return avc_has_perm(sec->sid, sid, 6980 SECCLASS_INFINIBAND_PKEY, 6981 INFINIBAND_PKEY__ACCESS, &ad); 6982 } 6983 6984 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6985 u8 port_num) 6986 { 6987 struct common_audit_data ad; 6988 int err; 6989 u32 sid = 0; 6990 struct ib_security_struct *sec = ib_sec; 6991 struct lsm_ibendport_audit ibendport; 6992 6993 err = security_ib_endport_sid(dev_name, port_num, 6994 &sid); 6995 6996 if (err) 6997 return err; 6998 6999 ad.type = LSM_AUDIT_DATA_IBENDPORT; 7000 ibendport.dev_name = dev_name; 7001 ibendport.port = port_num; 7002 ad.u.ibendport = &ibendport; 7003 return avc_has_perm(sec->sid, sid, 7004 SECCLASS_INFINIBAND_ENDPORT, 7005 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 7006 } 7007 7008 static int selinux_ib_alloc_security(void *ib_sec) 7009 { 7010 struct ib_security_struct *sec = selinux_ib(ib_sec); 7011 7012 sec->sid = current_sid(); 7013 return 0; 7014 } 7015 #endif 7016 7017 #ifdef CONFIG_BPF_SYSCALL 7018 static int selinux_bpf(int cmd, union bpf_attr *attr, 7019 unsigned int size, bool kernel) 7020 { 7021 u32 sid = current_sid(); 7022 int ret; 7023 7024 switch (cmd) { 7025 case BPF_MAP_CREATE: 7026 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 7027 NULL); 7028 break; 7029 case BPF_PROG_LOAD: 7030 ret = avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 7031 NULL); 7032 break; 7033 default: 7034 ret = 0; 7035 break; 7036 } 7037 7038 return ret; 7039 } 7040 7041 static u32 bpf_map_fmode_to_av(fmode_t fmode) 7042 { 7043 u32 av = 0; 7044 7045 if (fmode & FMODE_READ) 7046 av |= BPF__MAP_READ; 7047 if (fmode & FMODE_WRITE) 7048 av |= BPF__MAP_WRITE; 7049 return av; 7050 } 7051 7052 /* This function will check the file pass through unix socket or binder to see 7053 * if it is a bpf related object. And apply corresponding checks on the bpf 7054 * object based on the type. The bpf maps and programs, not like other files and 7055 * socket, are using a shared anonymous inode inside the kernel as their inode. 7056 * So checking that inode cannot identify if the process have privilege to 7057 * access the bpf object and that's why we have to add this additional check in 7058 * selinux_file_receive and selinux_binder_transfer_files. 7059 */ 7060 static int bpf_fd_pass(const struct file *file, u32 sid) 7061 { 7062 struct bpf_security_struct *bpfsec; 7063 struct bpf_prog *prog; 7064 struct bpf_map *map; 7065 int ret; 7066 7067 if (file->f_op == &bpf_map_fops) { 7068 map = file->private_data; 7069 bpfsec = selinux_bpf_map_security(map); 7070 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7071 bpf_map_fmode_to_av(file->f_mode), NULL); 7072 if (ret) 7073 return ret; 7074 } else if (file->f_op == &bpf_prog_fops) { 7075 prog = file->private_data; 7076 bpfsec = selinux_bpf_prog_security(prog); 7077 ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7078 BPF__PROG_RUN, NULL); 7079 if (ret) 7080 return ret; 7081 } 7082 return 0; 7083 } 7084 7085 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 7086 { 7087 u32 sid = current_sid(); 7088 struct bpf_security_struct *bpfsec; 7089 7090 bpfsec = selinux_bpf_map_security(map); 7091 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7092 bpf_map_fmode_to_av(fmode), NULL); 7093 } 7094 7095 static int selinux_bpf_prog(struct bpf_prog *prog) 7096 { 7097 u32 sid = current_sid(); 7098 struct bpf_security_struct *bpfsec; 7099 7100 bpfsec = selinux_bpf_prog_security(prog); 7101 return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF, 7102 BPF__PROG_RUN, NULL); 7103 } 7104 7105 static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr, 7106 struct bpf_token *token, bool kernel) 7107 { 7108 struct bpf_security_struct *bpfsec; 7109 7110 bpfsec = selinux_bpf_map_security(map); 7111 bpfsec->sid = current_sid(); 7112 7113 return 0; 7114 } 7115 7116 static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr, 7117 struct bpf_token *token, bool kernel) 7118 { 7119 struct bpf_security_struct *bpfsec; 7120 7121 bpfsec = selinux_bpf_prog_security(prog); 7122 bpfsec->sid = current_sid(); 7123 7124 return 0; 7125 } 7126 7127 static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr, 7128 const struct path *path) 7129 { 7130 struct bpf_security_struct *bpfsec; 7131 7132 bpfsec = selinux_bpf_token_security(token); 7133 bpfsec->sid = current_sid(); 7134 7135 return 0; 7136 } 7137 #endif 7138 7139 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { 7140 .lbs_cred = sizeof(struct task_security_struct), 7141 .lbs_file = sizeof(struct file_security_struct), 7142 .lbs_inode = sizeof(struct inode_security_struct), 7143 .lbs_ipc = sizeof(struct ipc_security_struct), 7144 .lbs_key = sizeof(struct key_security_struct), 7145 .lbs_msg_msg = sizeof(struct msg_security_struct), 7146 #ifdef CONFIG_PERF_EVENTS 7147 .lbs_perf_event = sizeof(struct perf_event_security_struct), 7148 #endif 7149 .lbs_sock = sizeof(struct sk_security_struct), 7150 .lbs_superblock = sizeof(struct superblock_security_struct), 7151 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, 7152 .lbs_tun_dev = sizeof(struct tun_security_struct), 7153 .lbs_ib = sizeof(struct ib_security_struct), 7154 .lbs_bpf_map = sizeof(struct bpf_security_struct), 7155 .lbs_bpf_prog = sizeof(struct bpf_security_struct), 7156 .lbs_bpf_token = sizeof(struct bpf_security_struct), 7157 }; 7158 7159 #ifdef CONFIG_PERF_EVENTS 7160 static int selinux_perf_event_open(int type) 7161 { 7162 u32 requested, sid = current_sid(); 7163 7164 if (type == PERF_SECURITY_OPEN) 7165 requested = PERF_EVENT__OPEN; 7166 else if (type == PERF_SECURITY_CPU) 7167 requested = PERF_EVENT__CPU; 7168 else if (type == PERF_SECURITY_KERNEL) 7169 requested = PERF_EVENT__KERNEL; 7170 else if (type == PERF_SECURITY_TRACEPOINT) 7171 requested = PERF_EVENT__TRACEPOINT; 7172 else 7173 return -EINVAL; 7174 7175 return avc_has_perm(sid, sid, SECCLASS_PERF_EVENT, 7176 requested, NULL); 7177 } 7178 7179 static int selinux_perf_event_alloc(struct perf_event *event) 7180 { 7181 struct perf_event_security_struct *perfsec; 7182 7183 perfsec = selinux_perf_event(event->security); 7184 perfsec->sid = current_sid(); 7185 7186 return 0; 7187 } 7188 7189 static int selinux_perf_event_read(struct perf_event *event) 7190 { 7191 struct perf_event_security_struct *perfsec = event->security; 7192 u32 sid = current_sid(); 7193 7194 return avc_has_perm(sid, perfsec->sid, 7195 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 7196 } 7197 7198 static int selinux_perf_event_write(struct perf_event *event) 7199 { 7200 struct perf_event_security_struct *perfsec = event->security; 7201 u32 sid = current_sid(); 7202 7203 return avc_has_perm(sid, perfsec->sid, 7204 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7205 } 7206 #endif 7207 7208 #ifdef CONFIG_IO_URING 7209 /** 7210 * selinux_uring_override_creds - check the requested cred override 7211 * @new: the target creds 7212 * 7213 * Check to see if the current task is allowed to override it's credentials 7214 * to service an io_uring operation. 7215 */ 7216 static int selinux_uring_override_creds(const struct cred *new) 7217 { 7218 return avc_has_perm(current_sid(), cred_sid(new), 7219 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL); 7220 } 7221 7222 /** 7223 * selinux_uring_sqpoll - check if a io_uring polling thread can be created 7224 * 7225 * Check to see if the current task is allowed to create a new io_uring 7226 * kernel polling thread. 7227 */ 7228 static int selinux_uring_sqpoll(void) 7229 { 7230 u32 sid = current_sid(); 7231 7232 return avc_has_perm(sid, sid, 7233 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 7234 } 7235 7236 /** 7237 * selinux_uring_cmd - check if IORING_OP_URING_CMD is allowed 7238 * @ioucmd: the io_uring command structure 7239 * 7240 * Check to see if the current domain is allowed to execute an 7241 * IORING_OP_URING_CMD against the device/file specified in @ioucmd. 7242 * 7243 */ 7244 static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) 7245 { 7246 struct file *file = ioucmd->file; 7247 struct inode *inode = file_inode(file); 7248 struct inode_security_struct *isec = selinux_inode(inode); 7249 struct common_audit_data ad; 7250 7251 ad.type = LSM_AUDIT_DATA_FILE; 7252 ad.u.file = file; 7253 7254 return avc_has_perm(current_sid(), isec->sid, 7255 SECCLASS_IO_URING, IO_URING__CMD, &ad); 7256 } 7257 7258 /** 7259 * selinux_uring_allowed - check if io_uring_setup() can be called 7260 * 7261 * Check to see if the current task is allowed to call io_uring_setup(). 7262 */ 7263 static int selinux_uring_allowed(void) 7264 { 7265 u32 sid = current_sid(); 7266 7267 return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED, 7268 NULL); 7269 } 7270 #endif /* CONFIG_IO_URING */ 7271 7272 static const struct lsm_id selinux_lsmid = { 7273 .name = "selinux", 7274 .id = LSM_ID_SELINUX, 7275 }; 7276 7277 /* 7278 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 7279 * 1. any hooks that don't belong to (2.) or (3.) below, 7280 * 2. hooks that both access structures allocated by other hooks, and allocate 7281 * structures that can be later accessed by other hooks (mostly "cloning" 7282 * hooks), 7283 * 3. hooks that only allocate structures that can be later accessed by other 7284 * hooks ("allocating" hooks). 7285 * 7286 * Please follow block comment delimiters in the list to keep this order. 7287 */ 7288 static struct security_hook_list selinux_hooks[] __ro_after_init = { 7289 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 7290 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 7291 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 7292 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 7293 7294 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 7295 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 7296 LSM_HOOK_INIT(capget, selinux_capget), 7297 LSM_HOOK_INIT(capset, selinux_capset), 7298 LSM_HOOK_INIT(capable, selinux_capable), 7299 LSM_HOOK_INIT(quotactl, selinux_quotactl), 7300 LSM_HOOK_INIT(quota_on, selinux_quota_on), 7301 LSM_HOOK_INIT(syslog, selinux_syslog), 7302 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 7303 7304 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 7305 7306 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec), 7307 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 7308 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 7309 7310 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 7311 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat), 7312 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 7313 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 7314 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 7315 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 7316 LSM_HOOK_INIT(sb_mount, selinux_mount), 7317 LSM_HOOK_INIT(sb_umount, selinux_umount), 7318 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 7319 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 7320 7321 LSM_HOOK_INIT(move_mount, selinux_move_mount), 7322 7323 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 7324 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 7325 7326 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 7327 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 7328 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon), 7329 LSM_HOOK_INIT(inode_create, selinux_inode_create), 7330 LSM_HOOK_INIT(inode_link, selinux_inode_link), 7331 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 7332 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 7333 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 7334 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 7335 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 7336 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 7337 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 7338 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 7339 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 7340 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 7341 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 7342 LSM_HOOK_INIT(inode_xattr_skipcap, selinux_inode_xattr_skipcap), 7343 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 7344 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 7345 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 7346 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 7347 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 7348 LSM_HOOK_INIT(inode_file_getattr, selinux_inode_file_getattr), 7349 LSM_HOOK_INIT(inode_file_setattr, selinux_inode_file_setattr), 7350 LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl), 7351 LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl), 7352 LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl), 7353 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 7354 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 7355 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 7356 LSM_HOOK_INIT(inode_getlsmprop, selinux_inode_getlsmprop), 7357 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 7358 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 7359 LSM_HOOK_INIT(path_notify, selinux_path_notify), 7360 7361 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 7362 7363 LSM_HOOK_INIT(file_permission, selinux_file_permission), 7364 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 7365 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 7366 LSM_HOOK_INIT(file_ioctl_compat, selinux_file_ioctl_compat), 7367 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 7368 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 7369 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 7370 LSM_HOOK_INIT(file_lock, selinux_file_lock), 7371 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 7372 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 7373 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 7374 LSM_HOOK_INIT(file_receive, selinux_file_receive), 7375 7376 LSM_HOOK_INIT(file_open, selinux_file_open), 7377 7378 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 7379 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 7380 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 7381 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 7382 LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop), 7383 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7384 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7385 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7386 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7387 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7388 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7389 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7390 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 7391 LSM_HOOK_INIT(current_getlsmprop_subj, selinux_current_getlsmprop_subj), 7392 LSM_HOOK_INIT(task_getlsmprop_obj, selinux_task_getlsmprop_obj), 7393 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7394 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7395 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7396 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7397 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7398 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7399 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7400 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7401 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7402 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7403 LSM_HOOK_INIT(userns_create, selinux_userns_create), 7404 7405 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7406 LSM_HOOK_INIT(ipc_getlsmprop, selinux_ipc_getlsmprop), 7407 7408 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7409 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7410 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7411 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7412 7413 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7414 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7415 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7416 7417 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7418 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7419 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7420 7421 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7422 7423 LSM_HOOK_INIT(getselfattr, selinux_getselfattr), 7424 LSM_HOOK_INIT(setselfattr, selinux_setselfattr), 7425 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7426 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7427 7428 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7429 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7430 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7431 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7432 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7433 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7434 7435 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7436 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7437 7438 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7439 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7440 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7441 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7442 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7443 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7444 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7445 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7446 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7447 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7448 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7449 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7450 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7451 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7452 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7453 LSM_HOOK_INIT(socket_getpeersec_stream, 7454 selinux_socket_getpeersec_stream), 7455 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7456 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7457 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7458 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7459 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7460 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7461 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7462 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7463 LSM_HOOK_INIT(sctp_assoc_established, selinux_sctp_assoc_established), 7464 LSM_HOOK_INIT(mptcp_add_subflow, selinux_mptcp_add_subflow), 7465 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7466 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7467 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7468 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7469 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7470 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7471 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7472 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7473 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7474 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7475 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7476 #ifdef CONFIG_SECURITY_INFINIBAND 7477 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7478 LSM_HOOK_INIT(ib_endport_manage_subnet, 7479 selinux_ib_endport_manage_subnet), 7480 #endif 7481 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7482 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7483 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7484 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7485 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7486 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7487 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7488 selinux_xfrm_state_pol_flow_match), 7489 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7490 #endif 7491 7492 #ifdef CONFIG_KEYS 7493 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7494 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7495 #ifdef CONFIG_KEY_NOTIFICATIONS 7496 LSM_HOOK_INIT(watch_key, selinux_watch_key), 7497 #endif 7498 #endif 7499 7500 #ifdef CONFIG_AUDIT 7501 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7502 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7503 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7504 #endif 7505 7506 #ifdef CONFIG_BPF_SYSCALL 7507 LSM_HOOK_INIT(bpf, selinux_bpf), 7508 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7509 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7510 #endif 7511 7512 #ifdef CONFIG_PERF_EVENTS 7513 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7514 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7515 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7516 #endif 7517 7518 #ifdef CONFIG_IO_URING 7519 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7520 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7521 LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd), 7522 LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed), 7523 #endif 7524 7525 /* 7526 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7527 */ 7528 LSM_HOOK_INIT(fs_context_submount, selinux_fs_context_submount), 7529 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7530 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7531 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7532 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7533 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7534 #endif 7535 7536 /* 7537 * PUT "ALLOCATING" HOOKS HERE 7538 */ 7539 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7540 LSM_HOOK_INIT(msg_queue_alloc_security, 7541 selinux_msg_queue_alloc_security), 7542 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7543 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 7544 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 7545 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7546 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7547 LSM_HOOK_INIT(lsmprop_to_secctx, selinux_lsmprop_to_secctx), 7548 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7549 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7550 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7551 #ifdef CONFIG_SECURITY_INFINIBAND 7552 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7553 #endif 7554 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7555 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7556 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7557 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7558 selinux_xfrm_state_alloc_acquire), 7559 #endif 7560 #ifdef CONFIG_KEYS 7561 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7562 #endif 7563 #ifdef CONFIG_AUDIT 7564 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7565 #endif 7566 #ifdef CONFIG_BPF_SYSCALL 7567 LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create), 7568 LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load), 7569 LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create), 7570 #endif 7571 #ifdef CONFIG_PERF_EVENTS 7572 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7573 #endif 7574 }; 7575 7576 static __init int selinux_init(void) 7577 { 7578 pr_info("SELinux: Initializing.\n"); 7579 7580 memset(&selinux_state, 0, sizeof(selinux_state)); 7581 enforcing_set(selinux_enforcing_boot); 7582 selinux_avc_init(); 7583 mutex_init(&selinux_state.status_lock); 7584 mutex_init(&selinux_state.policy_mutex); 7585 7586 /* Set the security state for the initial task. */ 7587 cred_init_security(); 7588 7589 /* Inform the audit system that secctx is used */ 7590 audit_cfg_lsm(&selinux_lsmid, 7591 AUDIT_CFG_LSM_SECCTX_SUBJECT | 7592 AUDIT_CFG_LSM_SECCTX_OBJECT); 7593 7594 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7595 if (!default_noexec) 7596 pr_notice("SELinux: virtual memory is executable by default\n"); 7597 7598 avc_init(); 7599 7600 avtab_cache_init(); 7601 7602 ebitmap_cache_init(); 7603 7604 hashtab_cache_init(); 7605 7606 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), 7607 &selinux_lsmid); 7608 7609 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7610 panic("SELinux: Unable to register AVC netcache callback\n"); 7611 7612 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7613 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7614 7615 if (selinux_enforcing_boot) 7616 pr_debug("SELinux: Starting in enforcing mode\n"); 7617 else 7618 pr_debug("SELinux: Starting in permissive mode\n"); 7619 7620 fs_validate_description("selinux", selinux_fs_parameters); 7621 7622 return 0; 7623 } 7624 7625 static void delayed_superblock_init(struct super_block *sb, void *unused) 7626 { 7627 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7628 } 7629 7630 void selinux_complete_init(void) 7631 { 7632 pr_debug("SELinux: Completing initialization.\n"); 7633 7634 /* Set up any superblocks initialized prior to the policy load. */ 7635 pr_debug("SELinux: Setting up existing superblocks.\n"); 7636 iterate_supers(delayed_superblock_init, NULL); 7637 } 7638 7639 /* SELinux requires early initialization in order to label 7640 all processes and objects when they are created. */ 7641 DEFINE_LSM(selinux) = { 7642 .name = "selinux", 7643 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7644 .enabled = &selinux_enabled_boot, 7645 .blobs = &selinux_blob_sizes, 7646 .init = selinux_init, 7647 }; 7648 7649 #if defined(CONFIG_NETFILTER) 7650 static const struct nf_hook_ops selinux_nf_ops[] = { 7651 { 7652 .hook = selinux_ip_postroute, 7653 .pf = NFPROTO_IPV4, 7654 .hooknum = NF_INET_POST_ROUTING, 7655 .priority = NF_IP_PRI_SELINUX_LAST, 7656 }, 7657 { 7658 .hook = selinux_ip_forward, 7659 .pf = NFPROTO_IPV4, 7660 .hooknum = NF_INET_FORWARD, 7661 .priority = NF_IP_PRI_SELINUX_FIRST, 7662 }, 7663 { 7664 .hook = selinux_ip_output, 7665 .pf = NFPROTO_IPV4, 7666 .hooknum = NF_INET_LOCAL_OUT, 7667 .priority = NF_IP_PRI_SELINUX_FIRST, 7668 }, 7669 #if IS_ENABLED(CONFIG_IPV6) 7670 { 7671 .hook = selinux_ip_postroute, 7672 .pf = NFPROTO_IPV6, 7673 .hooknum = NF_INET_POST_ROUTING, 7674 .priority = NF_IP6_PRI_SELINUX_LAST, 7675 }, 7676 { 7677 .hook = selinux_ip_forward, 7678 .pf = NFPROTO_IPV6, 7679 .hooknum = NF_INET_FORWARD, 7680 .priority = NF_IP6_PRI_SELINUX_FIRST, 7681 }, 7682 { 7683 .hook = selinux_ip_output, 7684 .pf = NFPROTO_IPV6, 7685 .hooknum = NF_INET_LOCAL_OUT, 7686 .priority = NF_IP6_PRI_SELINUX_FIRST, 7687 }, 7688 #endif /* IPV6 */ 7689 }; 7690 7691 static int __net_init selinux_nf_register(struct net *net) 7692 { 7693 return nf_register_net_hooks(net, selinux_nf_ops, 7694 ARRAY_SIZE(selinux_nf_ops)); 7695 } 7696 7697 static void __net_exit selinux_nf_unregister(struct net *net) 7698 { 7699 nf_unregister_net_hooks(net, selinux_nf_ops, 7700 ARRAY_SIZE(selinux_nf_ops)); 7701 } 7702 7703 static struct pernet_operations selinux_net_ops = { 7704 .init = selinux_nf_register, 7705 .exit = selinux_nf_unregister, 7706 }; 7707 7708 static int __init selinux_nf_ip_init(void) 7709 { 7710 int err; 7711 7712 if (!selinux_enabled_boot) 7713 return 0; 7714 7715 pr_debug("SELinux: Registering netfilter hooks\n"); 7716 7717 err = register_pernet_subsys(&selinux_net_ops); 7718 if (err) 7719 panic("SELinux: register_pernet_subsys: error %d\n", err); 7720 7721 return 0; 7722 } 7723 __initcall(selinux_nf_ip_init); 7724 #endif /* CONFIG_NETFILTER */ 7725