1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * NSA Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 8 * Chris Vance, <cvance@nai.com> 9 * Wayne Salamon, <wsalamon@nai.com> 10 * James Morris <jmorris@redhat.com> 11 * 12 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 13 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 14 * Eric Paris <eparis@redhat.com> 15 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 16 * <dgoeddel@trustedcs.com> 17 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 18 * Paul Moore <paul@paul-moore.com> 19 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 20 * Yuichi Nakamura <ynakam@hitachisoft.jp> 21 * Copyright (C) 2016 Mellanox Technologies 22 */ 23 24 #include <linux/init.h> 25 #include <linux/kd.h> 26 #include <linux/kernel.h> 27 #include <linux/kernel_read_file.h> 28 #include <linux/tracehook.h> 29 #include <linux/errno.h> 30 #include <linux/sched/signal.h> 31 #include <linux/sched/task.h> 32 #include <linux/lsm_hooks.h> 33 #include <linux/xattr.h> 34 #include <linux/capability.h> 35 #include <linux/unistd.h> 36 #include <linux/mm.h> 37 #include <linux/mman.h> 38 #include <linux/slab.h> 39 #include <linux/pagemap.h> 40 #include <linux/proc_fs.h> 41 #include <linux/swap.h> 42 #include <linux/spinlock.h> 43 #include <linux/syscalls.h> 44 #include <linux/dcache.h> 45 #include <linux/file.h> 46 #include <linux/fdtable.h> 47 #include <linux/namei.h> 48 #include <linux/mount.h> 49 #include <linux/fs_context.h> 50 #include <linux/fs_parser.h> 51 #include <linux/netfilter_ipv4.h> 52 #include <linux/netfilter_ipv6.h> 53 #include <linux/tty.h> 54 #include <net/icmp.h> 55 #include <net/ip.h> /* for local_port_range[] */ 56 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 57 #include <net/inet_connection_sock.h> 58 #include <net/net_namespace.h> 59 #include <net/netlabel.h> 60 #include <linux/uaccess.h> 61 #include <asm/ioctls.h> 62 #include <linux/atomic.h> 63 #include <linux/bitops.h> 64 #include <linux/interrupt.h> 65 #include <linux/netdevice.h> /* for network interface checks */ 66 #include <net/netlink.h> 67 #include <linux/tcp.h> 68 #include <linux/udp.h> 69 #include <linux/dccp.h> 70 #include <linux/sctp.h> 71 #include <net/sctp/structs.h> 72 #include <linux/quota.h> 73 #include <linux/un.h> /* for Unix socket types */ 74 #include <net/af_unix.h> /* for Unix socket types */ 75 #include <linux/parser.h> 76 #include <linux/nfs_mount.h> 77 #include <net/ipv6.h> 78 #include <linux/hugetlb.h> 79 #include <linux/personality.h> 80 #include <linux/audit.h> 81 #include <linux/string.h> 82 #include <linux/mutex.h> 83 #include <linux/posix-timers.h> 84 #include <linux/syslog.h> 85 #include <linux/user_namespace.h> 86 #include <linux/export.h> 87 #include <linux/msg.h> 88 #include <linux/shm.h> 89 #include <linux/bpf.h> 90 #include <linux/kernfs.h> 91 #include <linux/stringhash.h> /* for hashlen_string() */ 92 #include <uapi/linux/mount.h> 93 #include <linux/fsnotify.h> 94 #include <linux/fanotify.h> 95 96 #include "avc.h" 97 #include "objsec.h" 98 #include "netif.h" 99 #include "netnode.h" 100 #include "netport.h" 101 #include "ibpkey.h" 102 #include "xfrm.h" 103 #include "netlabel.h" 104 #include "audit.h" 105 #include "avc_ss.h" 106 107 struct selinux_state selinux_state; 108 109 /* SECMARK reference count */ 110 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 111 112 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 113 static int selinux_enforcing_boot __initdata; 114 115 static int __init enforcing_setup(char *str) 116 { 117 unsigned long enforcing; 118 if (!kstrtoul(str, 0, &enforcing)) 119 selinux_enforcing_boot = enforcing ? 1 : 0; 120 return 1; 121 } 122 __setup("enforcing=", enforcing_setup); 123 #else 124 #define selinux_enforcing_boot 1 125 #endif 126 127 int selinux_enabled_boot __initdata = 1; 128 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 129 static int __init selinux_enabled_setup(char *str) 130 { 131 unsigned long enabled; 132 if (!kstrtoul(str, 0, &enabled)) 133 selinux_enabled_boot = enabled ? 1 : 0; 134 return 1; 135 } 136 __setup("selinux=", selinux_enabled_setup); 137 #endif 138 139 static unsigned int selinux_checkreqprot_boot = 140 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 141 142 static int __init checkreqprot_setup(char *str) 143 { 144 unsigned long checkreqprot; 145 146 if (!kstrtoul(str, 0, &checkreqprot)) { 147 selinux_checkreqprot_boot = checkreqprot ? 1 : 0; 148 if (checkreqprot) 149 pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n"); 150 } 151 return 1; 152 } 153 __setup("checkreqprot=", checkreqprot_setup); 154 155 /** 156 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 157 * 158 * Description: 159 * This function checks the SECMARK reference counter to see if any SECMARK 160 * targets are currently configured, if the reference counter is greater than 161 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 162 * enabled, false (0) if SECMARK is disabled. If the always_check_network 163 * policy capability is enabled, SECMARK is always considered enabled. 164 * 165 */ 166 static int selinux_secmark_enabled(void) 167 { 168 return (selinux_policycap_alwaysnetwork() || 169 atomic_read(&selinux_secmark_refcount)); 170 } 171 172 /** 173 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 174 * 175 * Description: 176 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 177 * (1) if any are enabled or false (0) if neither are enabled. If the 178 * always_check_network policy capability is enabled, peer labeling 179 * is always considered enabled. 180 * 181 */ 182 static int selinux_peerlbl_enabled(void) 183 { 184 return (selinux_policycap_alwaysnetwork() || 185 netlbl_enabled() || selinux_xfrm_enabled()); 186 } 187 188 static int selinux_netcache_avc_callback(u32 event) 189 { 190 if (event == AVC_CALLBACK_RESET) { 191 sel_netif_flush(); 192 sel_netnode_flush(); 193 sel_netport_flush(); 194 synchronize_net(); 195 } 196 return 0; 197 } 198 199 static int selinux_lsm_notifier_avc_callback(u32 event) 200 { 201 if (event == AVC_CALLBACK_RESET) { 202 sel_ib_pkey_flush(); 203 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 204 } 205 206 return 0; 207 } 208 209 /* 210 * initialise the security for the init task 211 */ 212 static void cred_init_security(void) 213 { 214 struct cred *cred = (struct cred *) current->real_cred; 215 struct task_security_struct *tsec; 216 217 tsec = selinux_cred(cred); 218 tsec->osid = tsec->sid = SECINITSID_KERNEL; 219 } 220 221 /* 222 * get the security ID of a set of credentials 223 */ 224 static inline u32 cred_sid(const struct cred *cred) 225 { 226 const struct task_security_struct *tsec; 227 228 tsec = selinux_cred(cred); 229 return tsec->sid; 230 } 231 232 /* 233 * get the subjective security ID of a task 234 */ 235 static inline u32 task_sid_subj(const struct task_struct *task) 236 { 237 u32 sid; 238 239 rcu_read_lock(); 240 sid = cred_sid(rcu_dereference(task->cred)); 241 rcu_read_unlock(); 242 return sid; 243 } 244 245 /* 246 * get the objective security ID of a task 247 */ 248 static inline u32 task_sid_obj(const struct task_struct *task) 249 { 250 u32 sid; 251 252 rcu_read_lock(); 253 sid = cred_sid(__task_cred(task)); 254 rcu_read_unlock(); 255 return sid; 256 } 257 258 /* 259 * get the security ID of a task for use with binder 260 */ 261 static inline u32 task_sid_binder(const struct task_struct *task) 262 { 263 /* 264 * In many case where this function is used we should be using the 265 * task's subjective SID, but we can't reliably access the subjective 266 * creds of a task other than our own so we must use the objective 267 * creds/SID, which are safe to access. The downside is that if a task 268 * is temporarily overriding it's creds it will not be reflected here; 269 * however, it isn't clear that binder would handle that case well 270 * anyway. 271 * 272 * If this ever changes and we can safely reference the subjective 273 * creds/SID of another task, this function will make it easier to 274 * identify the various places where we make use of the task SIDs in 275 * the binder code. It is also likely that we will need to adjust 276 * the main drivers/android binder code as well. 277 */ 278 return task_sid_obj(task); 279 } 280 281 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 282 283 /* 284 * Try reloading inode security labels that have been marked as invalid. The 285 * @may_sleep parameter indicates when sleeping and thus reloading labels is 286 * allowed; when set to false, returns -ECHILD when the label is 287 * invalid. The @dentry parameter should be set to a dentry of the inode. 288 */ 289 static int __inode_security_revalidate(struct inode *inode, 290 struct dentry *dentry, 291 bool may_sleep) 292 { 293 struct inode_security_struct *isec = selinux_inode(inode); 294 295 might_sleep_if(may_sleep); 296 297 if (selinux_initialized(&selinux_state) && 298 isec->initialized != LABEL_INITIALIZED) { 299 if (!may_sleep) 300 return -ECHILD; 301 302 /* 303 * Try reloading the inode security label. This will fail if 304 * @opt_dentry is NULL and no dentry for this inode can be 305 * found; in that case, continue using the old label. 306 */ 307 inode_doinit_with_dentry(inode, dentry); 308 } 309 return 0; 310 } 311 312 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 313 { 314 return selinux_inode(inode); 315 } 316 317 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 318 { 319 int error; 320 321 error = __inode_security_revalidate(inode, NULL, !rcu); 322 if (error) 323 return ERR_PTR(error); 324 return selinux_inode(inode); 325 } 326 327 /* 328 * Get the security label of an inode. 329 */ 330 static struct inode_security_struct *inode_security(struct inode *inode) 331 { 332 __inode_security_revalidate(inode, NULL, true); 333 return selinux_inode(inode); 334 } 335 336 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 337 { 338 struct inode *inode = d_backing_inode(dentry); 339 340 return selinux_inode(inode); 341 } 342 343 /* 344 * Get the security label of a dentry's backing inode. 345 */ 346 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 347 { 348 struct inode *inode = d_backing_inode(dentry); 349 350 __inode_security_revalidate(inode, dentry, true); 351 return selinux_inode(inode); 352 } 353 354 static void inode_free_security(struct inode *inode) 355 { 356 struct inode_security_struct *isec = selinux_inode(inode); 357 struct superblock_security_struct *sbsec; 358 359 if (!isec) 360 return; 361 sbsec = selinux_superblock(inode->i_sb); 362 /* 363 * As not all inode security structures are in a list, we check for 364 * empty list outside of the lock to make sure that we won't waste 365 * time taking a lock doing nothing. 366 * 367 * The list_del_init() function can be safely called more than once. 368 * It should not be possible for this function to be called with 369 * concurrent list_add(), but for better safety against future changes 370 * in the code, we use list_empty_careful() here. 371 */ 372 if (!list_empty_careful(&isec->list)) { 373 spin_lock(&sbsec->isec_lock); 374 list_del_init(&isec->list); 375 spin_unlock(&sbsec->isec_lock); 376 } 377 } 378 379 struct selinux_mnt_opts { 380 const char *fscontext, *context, *rootcontext, *defcontext; 381 }; 382 383 static void selinux_free_mnt_opts(void *mnt_opts) 384 { 385 struct selinux_mnt_opts *opts = mnt_opts; 386 kfree(opts->fscontext); 387 kfree(opts->context); 388 kfree(opts->rootcontext); 389 kfree(opts->defcontext); 390 kfree(opts); 391 } 392 393 enum { 394 Opt_error = -1, 395 Opt_context = 0, 396 Opt_defcontext = 1, 397 Opt_fscontext = 2, 398 Opt_rootcontext = 3, 399 Opt_seclabel = 4, 400 }; 401 402 #define A(s, has_arg) {#s, sizeof(#s) - 1, Opt_##s, has_arg} 403 static struct { 404 const char *name; 405 int len; 406 int opt; 407 bool has_arg; 408 } tokens[] = { 409 A(context, true), 410 A(fscontext, true), 411 A(defcontext, true), 412 A(rootcontext, true), 413 A(seclabel, false), 414 }; 415 #undef A 416 417 static int match_opt_prefix(char *s, int l, char **arg) 418 { 419 int i; 420 421 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 422 size_t len = tokens[i].len; 423 if (len > l || memcmp(s, tokens[i].name, len)) 424 continue; 425 if (tokens[i].has_arg) { 426 if (len == l || s[len] != '=') 427 continue; 428 *arg = s + len + 1; 429 } else if (len != l) 430 continue; 431 return tokens[i].opt; 432 } 433 return Opt_error; 434 } 435 436 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 437 438 static int may_context_mount_sb_relabel(u32 sid, 439 struct superblock_security_struct *sbsec, 440 const struct cred *cred) 441 { 442 const struct task_security_struct *tsec = selinux_cred(cred); 443 int rc; 444 445 rc = avc_has_perm(&selinux_state, 446 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 447 FILESYSTEM__RELABELFROM, NULL); 448 if (rc) 449 return rc; 450 451 rc = avc_has_perm(&selinux_state, 452 tsec->sid, sid, SECCLASS_FILESYSTEM, 453 FILESYSTEM__RELABELTO, NULL); 454 return rc; 455 } 456 457 static int may_context_mount_inode_relabel(u32 sid, 458 struct superblock_security_struct *sbsec, 459 const struct cred *cred) 460 { 461 const struct task_security_struct *tsec = selinux_cred(cred); 462 int rc; 463 rc = avc_has_perm(&selinux_state, 464 tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 465 FILESYSTEM__RELABELFROM, NULL); 466 if (rc) 467 return rc; 468 469 rc = avc_has_perm(&selinux_state, 470 sid, sbsec->sid, SECCLASS_FILESYSTEM, 471 FILESYSTEM__ASSOCIATE, NULL); 472 return rc; 473 } 474 475 static int selinux_is_genfs_special_handling(struct super_block *sb) 476 { 477 /* Special handling. Genfs but also in-core setxattr handler */ 478 return !strcmp(sb->s_type->name, "sysfs") || 479 !strcmp(sb->s_type->name, "pstore") || 480 !strcmp(sb->s_type->name, "debugfs") || 481 !strcmp(sb->s_type->name, "tracefs") || 482 !strcmp(sb->s_type->name, "rootfs") || 483 (selinux_policycap_cgroupseclabel() && 484 (!strcmp(sb->s_type->name, "cgroup") || 485 !strcmp(sb->s_type->name, "cgroup2"))); 486 } 487 488 static int selinux_is_sblabel_mnt(struct super_block *sb) 489 { 490 struct superblock_security_struct *sbsec = selinux_superblock(sb); 491 492 /* 493 * IMPORTANT: Double-check logic in this function when adding a new 494 * SECURITY_FS_USE_* definition! 495 */ 496 BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); 497 498 switch (sbsec->behavior) { 499 case SECURITY_FS_USE_XATTR: 500 case SECURITY_FS_USE_TRANS: 501 case SECURITY_FS_USE_TASK: 502 case SECURITY_FS_USE_NATIVE: 503 return 1; 504 505 case SECURITY_FS_USE_GENFS: 506 return selinux_is_genfs_special_handling(sb); 507 508 /* Never allow relabeling on context mounts */ 509 case SECURITY_FS_USE_MNTPOINT: 510 case SECURITY_FS_USE_NONE: 511 default: 512 return 0; 513 } 514 } 515 516 static int sb_check_xattr_support(struct super_block *sb) 517 { 518 struct superblock_security_struct *sbsec = sb->s_security; 519 struct dentry *root = sb->s_root; 520 struct inode *root_inode = d_backing_inode(root); 521 u32 sid; 522 int rc; 523 524 /* 525 * Make sure that the xattr handler exists and that no 526 * error other than -ENODATA is returned by getxattr on 527 * the root directory. -ENODATA is ok, as this may be 528 * the first boot of the SELinux kernel before we have 529 * assigned xattr values to the filesystem. 530 */ 531 if (!(root_inode->i_opflags & IOP_XATTR)) { 532 pr_warn("SELinux: (dev %s, type %s) has no xattr support\n", 533 sb->s_id, sb->s_type->name); 534 goto fallback; 535 } 536 537 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 538 if (rc < 0 && rc != -ENODATA) { 539 if (rc == -EOPNOTSUPP) { 540 pr_warn("SELinux: (dev %s, type %s) has no security xattr handler\n", 541 sb->s_id, sb->s_type->name); 542 goto fallback; 543 } else { 544 pr_warn("SELinux: (dev %s, type %s) getxattr errno %d\n", 545 sb->s_id, sb->s_type->name, -rc); 546 return rc; 547 } 548 } 549 return 0; 550 551 fallback: 552 /* No xattr support - try to fallback to genfs if possible. */ 553 rc = security_genfs_sid(&selinux_state, sb->s_type->name, "/", 554 SECCLASS_DIR, &sid); 555 if (rc) 556 return -EOPNOTSUPP; 557 558 pr_warn("SELinux: (dev %s, type %s) falling back to genfs\n", 559 sb->s_id, sb->s_type->name); 560 sbsec->behavior = SECURITY_FS_USE_GENFS; 561 sbsec->sid = sid; 562 return 0; 563 } 564 565 static int sb_finish_set_opts(struct super_block *sb) 566 { 567 struct superblock_security_struct *sbsec = selinux_superblock(sb); 568 struct dentry *root = sb->s_root; 569 struct inode *root_inode = d_backing_inode(root); 570 int rc = 0; 571 572 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 573 rc = sb_check_xattr_support(sb); 574 if (rc) 575 return rc; 576 } 577 578 sbsec->flags |= SE_SBINITIALIZED; 579 580 /* 581 * Explicitly set or clear SBLABEL_MNT. It's not sufficient to simply 582 * leave the flag untouched because sb_clone_mnt_opts might be handing 583 * us a superblock that needs the flag to be cleared. 584 */ 585 if (selinux_is_sblabel_mnt(sb)) 586 sbsec->flags |= SBLABEL_MNT; 587 else 588 sbsec->flags &= ~SBLABEL_MNT; 589 590 /* Initialize the root inode. */ 591 rc = inode_doinit_with_dentry(root_inode, root); 592 593 /* Initialize any other inodes associated with the superblock, e.g. 594 inodes created prior to initial policy load or inodes created 595 during get_sb by a pseudo filesystem that directly 596 populates itself. */ 597 spin_lock(&sbsec->isec_lock); 598 while (!list_empty(&sbsec->isec_head)) { 599 struct inode_security_struct *isec = 600 list_first_entry(&sbsec->isec_head, 601 struct inode_security_struct, list); 602 struct inode *inode = isec->inode; 603 list_del_init(&isec->list); 604 spin_unlock(&sbsec->isec_lock); 605 inode = igrab(inode); 606 if (inode) { 607 if (!IS_PRIVATE(inode)) 608 inode_doinit_with_dentry(inode, NULL); 609 iput(inode); 610 } 611 spin_lock(&sbsec->isec_lock); 612 } 613 spin_unlock(&sbsec->isec_lock); 614 return rc; 615 } 616 617 static int bad_option(struct superblock_security_struct *sbsec, char flag, 618 u32 old_sid, u32 new_sid) 619 { 620 char mnt_flags = sbsec->flags & SE_MNTMASK; 621 622 /* check if the old mount command had the same options */ 623 if (sbsec->flags & SE_SBINITIALIZED) 624 if (!(sbsec->flags & flag) || 625 (old_sid != new_sid)) 626 return 1; 627 628 /* check if we were passed the same options twice, 629 * aka someone passed context=a,context=b 630 */ 631 if (!(sbsec->flags & SE_SBINITIALIZED)) 632 if (mnt_flags & flag) 633 return 1; 634 return 0; 635 } 636 637 static int parse_sid(struct super_block *sb, const char *s, u32 *sid) 638 { 639 int rc = security_context_str_to_sid(&selinux_state, s, 640 sid, GFP_KERNEL); 641 if (rc) 642 pr_warn("SELinux: security_context_str_to_sid" 643 "(%s) failed for (dev %s, type %s) errno=%d\n", 644 s, sb->s_id, sb->s_type->name, rc); 645 return rc; 646 } 647 648 /* 649 * Allow filesystems with binary mount data to explicitly set mount point 650 * labeling information. 651 */ 652 static int selinux_set_mnt_opts(struct super_block *sb, 653 void *mnt_opts, 654 unsigned long kern_flags, 655 unsigned long *set_kern_flags) 656 { 657 const struct cred *cred = current_cred(); 658 struct superblock_security_struct *sbsec = selinux_superblock(sb); 659 struct dentry *root = sb->s_root; 660 struct selinux_mnt_opts *opts = mnt_opts; 661 struct inode_security_struct *root_isec; 662 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 663 u32 defcontext_sid = 0; 664 int rc = 0; 665 666 mutex_lock(&sbsec->lock); 667 668 if (!selinux_initialized(&selinux_state)) { 669 if (!opts) { 670 /* Defer initialization until selinux_complete_init, 671 after the initial policy is loaded and the security 672 server is ready to handle calls. */ 673 goto out; 674 } 675 rc = -EINVAL; 676 pr_warn("SELinux: Unable to set superblock options " 677 "before the security server is initialized\n"); 678 goto out; 679 } 680 if (kern_flags && !set_kern_flags) { 681 /* Specifying internal flags without providing a place to 682 * place the results is not allowed */ 683 rc = -EINVAL; 684 goto out; 685 } 686 687 /* 688 * Binary mount data FS will come through this function twice. Once 689 * from an explicit call and once from the generic calls from the vfs. 690 * Since the generic VFS calls will not contain any security mount data 691 * we need to skip the double mount verification. 692 * 693 * This does open a hole in which we will not notice if the first 694 * mount using this sb set explict options and a second mount using 695 * this sb does not set any security options. (The first options 696 * will be used for both mounts) 697 */ 698 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 699 && !opts) 700 goto out; 701 702 root_isec = backing_inode_security_novalidate(root); 703 704 /* 705 * parse the mount options, check if they are valid sids. 706 * also check if someone is trying to mount the same sb more 707 * than once with different security options. 708 */ 709 if (opts) { 710 if (opts->fscontext) { 711 rc = parse_sid(sb, opts->fscontext, &fscontext_sid); 712 if (rc) 713 goto out; 714 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 715 fscontext_sid)) 716 goto out_double_mount; 717 sbsec->flags |= FSCONTEXT_MNT; 718 } 719 if (opts->context) { 720 rc = parse_sid(sb, opts->context, &context_sid); 721 if (rc) 722 goto out; 723 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 724 context_sid)) 725 goto out_double_mount; 726 sbsec->flags |= CONTEXT_MNT; 727 } 728 if (opts->rootcontext) { 729 rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid); 730 if (rc) 731 goto out; 732 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 733 rootcontext_sid)) 734 goto out_double_mount; 735 sbsec->flags |= ROOTCONTEXT_MNT; 736 } 737 if (opts->defcontext) { 738 rc = parse_sid(sb, opts->defcontext, &defcontext_sid); 739 if (rc) 740 goto out; 741 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 742 defcontext_sid)) 743 goto out_double_mount; 744 sbsec->flags |= DEFCONTEXT_MNT; 745 } 746 } 747 748 if (sbsec->flags & SE_SBINITIALIZED) { 749 /* previously mounted with options, but not on this attempt? */ 750 if ((sbsec->flags & SE_MNTMASK) && !opts) 751 goto out_double_mount; 752 rc = 0; 753 goto out; 754 } 755 756 if (strcmp(sb->s_type->name, "proc") == 0) 757 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 758 759 if (!strcmp(sb->s_type->name, "debugfs") || 760 !strcmp(sb->s_type->name, "tracefs") || 761 !strcmp(sb->s_type->name, "binder") || 762 !strcmp(sb->s_type->name, "bpf") || 763 !strcmp(sb->s_type->name, "pstore")) 764 sbsec->flags |= SE_SBGENFS; 765 766 if (!strcmp(sb->s_type->name, "sysfs") || 767 !strcmp(sb->s_type->name, "cgroup") || 768 !strcmp(sb->s_type->name, "cgroup2")) 769 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 770 771 if (!sbsec->behavior) { 772 /* 773 * Determine the labeling behavior to use for this 774 * filesystem type. 775 */ 776 rc = security_fs_use(&selinux_state, sb); 777 if (rc) { 778 pr_warn("%s: security_fs_use(%s) returned %d\n", 779 __func__, sb->s_type->name, rc); 780 goto out; 781 } 782 } 783 784 /* 785 * If this is a user namespace mount and the filesystem type is not 786 * explicitly whitelisted, then no contexts are allowed on the command 787 * line and security labels must be ignored. 788 */ 789 if (sb->s_user_ns != &init_user_ns && 790 strcmp(sb->s_type->name, "tmpfs") && 791 strcmp(sb->s_type->name, "ramfs") && 792 strcmp(sb->s_type->name, "devpts") && 793 strcmp(sb->s_type->name, "overlay")) { 794 if (context_sid || fscontext_sid || rootcontext_sid || 795 defcontext_sid) { 796 rc = -EACCES; 797 goto out; 798 } 799 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 800 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 801 rc = security_transition_sid(&selinux_state, 802 current_sid(), 803 current_sid(), 804 SECCLASS_FILE, NULL, 805 &sbsec->mntpoint_sid); 806 if (rc) 807 goto out; 808 } 809 goto out_set_opts; 810 } 811 812 /* sets the context of the superblock for the fs being mounted. */ 813 if (fscontext_sid) { 814 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 815 if (rc) 816 goto out; 817 818 sbsec->sid = fscontext_sid; 819 } 820 821 /* 822 * Switch to using mount point labeling behavior. 823 * sets the label used on all file below the mountpoint, and will set 824 * the superblock context if not already set. 825 */ 826 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 827 sbsec->behavior = SECURITY_FS_USE_NATIVE; 828 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 829 } 830 831 if (context_sid) { 832 if (!fscontext_sid) { 833 rc = may_context_mount_sb_relabel(context_sid, sbsec, 834 cred); 835 if (rc) 836 goto out; 837 sbsec->sid = context_sid; 838 } else { 839 rc = may_context_mount_inode_relabel(context_sid, sbsec, 840 cred); 841 if (rc) 842 goto out; 843 } 844 if (!rootcontext_sid) 845 rootcontext_sid = context_sid; 846 847 sbsec->mntpoint_sid = context_sid; 848 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 849 } 850 851 if (rootcontext_sid) { 852 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 853 cred); 854 if (rc) 855 goto out; 856 857 root_isec->sid = rootcontext_sid; 858 root_isec->initialized = LABEL_INITIALIZED; 859 } 860 861 if (defcontext_sid) { 862 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 863 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 864 rc = -EINVAL; 865 pr_warn("SELinux: defcontext option is " 866 "invalid for this filesystem type\n"); 867 goto out; 868 } 869 870 if (defcontext_sid != sbsec->def_sid) { 871 rc = may_context_mount_inode_relabel(defcontext_sid, 872 sbsec, cred); 873 if (rc) 874 goto out; 875 } 876 877 sbsec->def_sid = defcontext_sid; 878 } 879 880 out_set_opts: 881 rc = sb_finish_set_opts(sb); 882 out: 883 mutex_unlock(&sbsec->lock); 884 return rc; 885 out_double_mount: 886 rc = -EINVAL; 887 pr_warn("SELinux: mount invalid. Same superblock, different " 888 "security settings for (dev %s, type %s)\n", sb->s_id, 889 sb->s_type->name); 890 goto out; 891 } 892 893 static int selinux_cmp_sb_context(const struct super_block *oldsb, 894 const struct super_block *newsb) 895 { 896 struct superblock_security_struct *old = selinux_superblock(oldsb); 897 struct superblock_security_struct *new = selinux_superblock(newsb); 898 char oldflags = old->flags & SE_MNTMASK; 899 char newflags = new->flags & SE_MNTMASK; 900 901 if (oldflags != newflags) 902 goto mismatch; 903 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 904 goto mismatch; 905 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 906 goto mismatch; 907 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 908 goto mismatch; 909 if (oldflags & ROOTCONTEXT_MNT) { 910 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 911 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 912 if (oldroot->sid != newroot->sid) 913 goto mismatch; 914 } 915 return 0; 916 mismatch: 917 pr_warn("SELinux: mount invalid. Same superblock, " 918 "different security settings for (dev %s, " 919 "type %s)\n", newsb->s_id, newsb->s_type->name); 920 return -EBUSY; 921 } 922 923 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 924 struct super_block *newsb, 925 unsigned long kern_flags, 926 unsigned long *set_kern_flags) 927 { 928 int rc = 0; 929 const struct superblock_security_struct *oldsbsec = 930 selinux_superblock(oldsb); 931 struct superblock_security_struct *newsbsec = selinux_superblock(newsb); 932 933 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 934 int set_context = (oldsbsec->flags & CONTEXT_MNT); 935 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 936 937 /* 938 * if the parent was able to be mounted it clearly had no special lsm 939 * mount options. thus we can safely deal with this superblock later 940 */ 941 if (!selinux_initialized(&selinux_state)) 942 return 0; 943 944 /* 945 * Specifying internal flags without providing a place to 946 * place the results is not allowed. 947 */ 948 if (kern_flags && !set_kern_flags) 949 return -EINVAL; 950 951 /* how can we clone if the old one wasn't set up?? */ 952 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 953 954 /* if fs is reusing a sb, make sure that the contexts match */ 955 if (newsbsec->flags & SE_SBINITIALIZED) { 956 if ((kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) 957 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 958 return selinux_cmp_sb_context(oldsb, newsb); 959 } 960 961 mutex_lock(&newsbsec->lock); 962 963 newsbsec->flags = oldsbsec->flags; 964 965 newsbsec->sid = oldsbsec->sid; 966 newsbsec->def_sid = oldsbsec->def_sid; 967 newsbsec->behavior = oldsbsec->behavior; 968 969 if (newsbsec->behavior == SECURITY_FS_USE_NATIVE && 970 !(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) { 971 rc = security_fs_use(&selinux_state, newsb); 972 if (rc) 973 goto out; 974 } 975 976 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !set_context) { 977 newsbsec->behavior = SECURITY_FS_USE_NATIVE; 978 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 979 } 980 981 if (set_context) { 982 u32 sid = oldsbsec->mntpoint_sid; 983 984 if (!set_fscontext) 985 newsbsec->sid = sid; 986 if (!set_rootcontext) { 987 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 988 newisec->sid = sid; 989 } 990 newsbsec->mntpoint_sid = sid; 991 } 992 if (set_rootcontext) { 993 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 994 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 995 996 newisec->sid = oldisec->sid; 997 } 998 999 sb_finish_set_opts(newsb); 1000 out: 1001 mutex_unlock(&newsbsec->lock); 1002 return rc; 1003 } 1004 1005 static int selinux_add_opt(int token, const char *s, void **mnt_opts) 1006 { 1007 struct selinux_mnt_opts *opts = *mnt_opts; 1008 1009 if (token == Opt_seclabel) /* eaten and completely ignored */ 1010 return 0; 1011 1012 if (!opts) { 1013 opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 1014 if (!opts) 1015 return -ENOMEM; 1016 *mnt_opts = opts; 1017 } 1018 if (!s) 1019 return -ENOMEM; 1020 switch (token) { 1021 case Opt_context: 1022 if (opts->context || opts->defcontext) 1023 goto Einval; 1024 opts->context = s; 1025 break; 1026 case Opt_fscontext: 1027 if (opts->fscontext) 1028 goto Einval; 1029 opts->fscontext = s; 1030 break; 1031 case Opt_rootcontext: 1032 if (opts->rootcontext) 1033 goto Einval; 1034 opts->rootcontext = s; 1035 break; 1036 case Opt_defcontext: 1037 if (opts->context || opts->defcontext) 1038 goto Einval; 1039 opts->defcontext = s; 1040 break; 1041 } 1042 return 0; 1043 Einval: 1044 pr_warn(SEL_MOUNT_FAIL_MSG); 1045 return -EINVAL; 1046 } 1047 1048 static int selinux_add_mnt_opt(const char *option, const char *val, int len, 1049 void **mnt_opts) 1050 { 1051 int token = Opt_error; 1052 int rc, i; 1053 1054 for (i = 0; i < ARRAY_SIZE(tokens); i++) { 1055 if (strcmp(option, tokens[i].name) == 0) { 1056 token = tokens[i].opt; 1057 break; 1058 } 1059 } 1060 1061 if (token == Opt_error) 1062 return -EINVAL; 1063 1064 if (token != Opt_seclabel) { 1065 val = kmemdup_nul(val, len, GFP_KERNEL); 1066 if (!val) { 1067 rc = -ENOMEM; 1068 goto free_opt; 1069 } 1070 } 1071 rc = selinux_add_opt(token, val, mnt_opts); 1072 if (unlikely(rc)) { 1073 kfree(val); 1074 goto free_opt; 1075 } 1076 return rc; 1077 1078 free_opt: 1079 if (*mnt_opts) { 1080 selinux_free_mnt_opts(*mnt_opts); 1081 *mnt_opts = NULL; 1082 } 1083 return rc; 1084 } 1085 1086 static int show_sid(struct seq_file *m, u32 sid) 1087 { 1088 char *context = NULL; 1089 u32 len; 1090 int rc; 1091 1092 rc = security_sid_to_context(&selinux_state, sid, 1093 &context, &len); 1094 if (!rc) { 1095 bool has_comma = context && strchr(context, ','); 1096 1097 seq_putc(m, '='); 1098 if (has_comma) 1099 seq_putc(m, '\"'); 1100 seq_escape(m, context, "\"\n\\"); 1101 if (has_comma) 1102 seq_putc(m, '\"'); 1103 } 1104 kfree(context); 1105 return rc; 1106 } 1107 1108 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1109 { 1110 struct superblock_security_struct *sbsec = selinux_superblock(sb); 1111 int rc; 1112 1113 if (!(sbsec->flags & SE_SBINITIALIZED)) 1114 return 0; 1115 1116 if (!selinux_initialized(&selinux_state)) 1117 return 0; 1118 1119 if (sbsec->flags & FSCONTEXT_MNT) { 1120 seq_putc(m, ','); 1121 seq_puts(m, FSCONTEXT_STR); 1122 rc = show_sid(m, sbsec->sid); 1123 if (rc) 1124 return rc; 1125 } 1126 if (sbsec->flags & CONTEXT_MNT) { 1127 seq_putc(m, ','); 1128 seq_puts(m, CONTEXT_STR); 1129 rc = show_sid(m, sbsec->mntpoint_sid); 1130 if (rc) 1131 return rc; 1132 } 1133 if (sbsec->flags & DEFCONTEXT_MNT) { 1134 seq_putc(m, ','); 1135 seq_puts(m, DEFCONTEXT_STR); 1136 rc = show_sid(m, sbsec->def_sid); 1137 if (rc) 1138 return rc; 1139 } 1140 if (sbsec->flags & ROOTCONTEXT_MNT) { 1141 struct dentry *root = sb->s_root; 1142 struct inode_security_struct *isec = backing_inode_security(root); 1143 seq_putc(m, ','); 1144 seq_puts(m, ROOTCONTEXT_STR); 1145 rc = show_sid(m, isec->sid); 1146 if (rc) 1147 return rc; 1148 } 1149 if (sbsec->flags & SBLABEL_MNT) { 1150 seq_putc(m, ','); 1151 seq_puts(m, SECLABEL_STR); 1152 } 1153 return 0; 1154 } 1155 1156 static inline u16 inode_mode_to_security_class(umode_t mode) 1157 { 1158 switch (mode & S_IFMT) { 1159 case S_IFSOCK: 1160 return SECCLASS_SOCK_FILE; 1161 case S_IFLNK: 1162 return SECCLASS_LNK_FILE; 1163 case S_IFREG: 1164 return SECCLASS_FILE; 1165 case S_IFBLK: 1166 return SECCLASS_BLK_FILE; 1167 case S_IFDIR: 1168 return SECCLASS_DIR; 1169 case S_IFCHR: 1170 return SECCLASS_CHR_FILE; 1171 case S_IFIFO: 1172 return SECCLASS_FIFO_FILE; 1173 1174 } 1175 1176 return SECCLASS_FILE; 1177 } 1178 1179 static inline int default_protocol_stream(int protocol) 1180 { 1181 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP || 1182 protocol == IPPROTO_MPTCP); 1183 } 1184 1185 static inline int default_protocol_dgram(int protocol) 1186 { 1187 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1188 } 1189 1190 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1191 { 1192 int extsockclass = selinux_policycap_extsockclass(); 1193 1194 switch (family) { 1195 case PF_UNIX: 1196 switch (type) { 1197 case SOCK_STREAM: 1198 case SOCK_SEQPACKET: 1199 return SECCLASS_UNIX_STREAM_SOCKET; 1200 case SOCK_DGRAM: 1201 case SOCK_RAW: 1202 return SECCLASS_UNIX_DGRAM_SOCKET; 1203 } 1204 break; 1205 case PF_INET: 1206 case PF_INET6: 1207 switch (type) { 1208 case SOCK_STREAM: 1209 case SOCK_SEQPACKET: 1210 if (default_protocol_stream(protocol)) 1211 return SECCLASS_TCP_SOCKET; 1212 else if (extsockclass && protocol == IPPROTO_SCTP) 1213 return SECCLASS_SCTP_SOCKET; 1214 else 1215 return SECCLASS_RAWIP_SOCKET; 1216 case SOCK_DGRAM: 1217 if (default_protocol_dgram(protocol)) 1218 return SECCLASS_UDP_SOCKET; 1219 else if (extsockclass && (protocol == IPPROTO_ICMP || 1220 protocol == IPPROTO_ICMPV6)) 1221 return SECCLASS_ICMP_SOCKET; 1222 else 1223 return SECCLASS_RAWIP_SOCKET; 1224 case SOCK_DCCP: 1225 return SECCLASS_DCCP_SOCKET; 1226 default: 1227 return SECCLASS_RAWIP_SOCKET; 1228 } 1229 break; 1230 case PF_NETLINK: 1231 switch (protocol) { 1232 case NETLINK_ROUTE: 1233 return SECCLASS_NETLINK_ROUTE_SOCKET; 1234 case NETLINK_SOCK_DIAG: 1235 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1236 case NETLINK_NFLOG: 1237 return SECCLASS_NETLINK_NFLOG_SOCKET; 1238 case NETLINK_XFRM: 1239 return SECCLASS_NETLINK_XFRM_SOCKET; 1240 case NETLINK_SELINUX: 1241 return SECCLASS_NETLINK_SELINUX_SOCKET; 1242 case NETLINK_ISCSI: 1243 return SECCLASS_NETLINK_ISCSI_SOCKET; 1244 case NETLINK_AUDIT: 1245 return SECCLASS_NETLINK_AUDIT_SOCKET; 1246 case NETLINK_FIB_LOOKUP: 1247 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1248 case NETLINK_CONNECTOR: 1249 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1250 case NETLINK_NETFILTER: 1251 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1252 case NETLINK_DNRTMSG: 1253 return SECCLASS_NETLINK_DNRT_SOCKET; 1254 case NETLINK_KOBJECT_UEVENT: 1255 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1256 case NETLINK_GENERIC: 1257 return SECCLASS_NETLINK_GENERIC_SOCKET; 1258 case NETLINK_SCSITRANSPORT: 1259 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1260 case NETLINK_RDMA: 1261 return SECCLASS_NETLINK_RDMA_SOCKET; 1262 case NETLINK_CRYPTO: 1263 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1264 default: 1265 return SECCLASS_NETLINK_SOCKET; 1266 } 1267 case PF_PACKET: 1268 return SECCLASS_PACKET_SOCKET; 1269 case PF_KEY: 1270 return SECCLASS_KEY_SOCKET; 1271 case PF_APPLETALK: 1272 return SECCLASS_APPLETALK_SOCKET; 1273 } 1274 1275 if (extsockclass) { 1276 switch (family) { 1277 case PF_AX25: 1278 return SECCLASS_AX25_SOCKET; 1279 case PF_IPX: 1280 return SECCLASS_IPX_SOCKET; 1281 case PF_NETROM: 1282 return SECCLASS_NETROM_SOCKET; 1283 case PF_ATMPVC: 1284 return SECCLASS_ATMPVC_SOCKET; 1285 case PF_X25: 1286 return SECCLASS_X25_SOCKET; 1287 case PF_ROSE: 1288 return SECCLASS_ROSE_SOCKET; 1289 case PF_DECnet: 1290 return SECCLASS_DECNET_SOCKET; 1291 case PF_ATMSVC: 1292 return SECCLASS_ATMSVC_SOCKET; 1293 case PF_RDS: 1294 return SECCLASS_RDS_SOCKET; 1295 case PF_IRDA: 1296 return SECCLASS_IRDA_SOCKET; 1297 case PF_PPPOX: 1298 return SECCLASS_PPPOX_SOCKET; 1299 case PF_LLC: 1300 return SECCLASS_LLC_SOCKET; 1301 case PF_CAN: 1302 return SECCLASS_CAN_SOCKET; 1303 case PF_TIPC: 1304 return SECCLASS_TIPC_SOCKET; 1305 case PF_BLUETOOTH: 1306 return SECCLASS_BLUETOOTH_SOCKET; 1307 case PF_IUCV: 1308 return SECCLASS_IUCV_SOCKET; 1309 case PF_RXRPC: 1310 return SECCLASS_RXRPC_SOCKET; 1311 case PF_ISDN: 1312 return SECCLASS_ISDN_SOCKET; 1313 case PF_PHONET: 1314 return SECCLASS_PHONET_SOCKET; 1315 case PF_IEEE802154: 1316 return SECCLASS_IEEE802154_SOCKET; 1317 case PF_CAIF: 1318 return SECCLASS_CAIF_SOCKET; 1319 case PF_ALG: 1320 return SECCLASS_ALG_SOCKET; 1321 case PF_NFC: 1322 return SECCLASS_NFC_SOCKET; 1323 case PF_VSOCK: 1324 return SECCLASS_VSOCK_SOCKET; 1325 case PF_KCM: 1326 return SECCLASS_KCM_SOCKET; 1327 case PF_QIPCRTR: 1328 return SECCLASS_QIPCRTR_SOCKET; 1329 case PF_SMC: 1330 return SECCLASS_SMC_SOCKET; 1331 case PF_XDP: 1332 return SECCLASS_XDP_SOCKET; 1333 #if PF_MAX > 45 1334 #error New address family defined, please update this function. 1335 #endif 1336 } 1337 } 1338 1339 return SECCLASS_SOCKET; 1340 } 1341 1342 static int selinux_genfs_get_sid(struct dentry *dentry, 1343 u16 tclass, 1344 u16 flags, 1345 u32 *sid) 1346 { 1347 int rc; 1348 struct super_block *sb = dentry->d_sb; 1349 char *buffer, *path; 1350 1351 buffer = (char *)__get_free_page(GFP_KERNEL); 1352 if (!buffer) 1353 return -ENOMEM; 1354 1355 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1356 if (IS_ERR(path)) 1357 rc = PTR_ERR(path); 1358 else { 1359 if (flags & SE_SBPROC) { 1360 /* each process gets a /proc/PID/ entry. Strip off the 1361 * PID part to get a valid selinux labeling. 1362 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1363 while (path[1] >= '0' && path[1] <= '9') { 1364 path[1] = '/'; 1365 path++; 1366 } 1367 } 1368 rc = security_genfs_sid(&selinux_state, sb->s_type->name, 1369 path, tclass, sid); 1370 if (rc == -ENOENT) { 1371 /* No match in policy, mark as unlabeled. */ 1372 *sid = SECINITSID_UNLABELED; 1373 rc = 0; 1374 } 1375 } 1376 free_page((unsigned long)buffer); 1377 return rc; 1378 } 1379 1380 static int inode_doinit_use_xattr(struct inode *inode, struct dentry *dentry, 1381 u32 def_sid, u32 *sid) 1382 { 1383 #define INITCONTEXTLEN 255 1384 char *context; 1385 unsigned int len; 1386 int rc; 1387 1388 len = INITCONTEXTLEN; 1389 context = kmalloc(len + 1, GFP_NOFS); 1390 if (!context) 1391 return -ENOMEM; 1392 1393 context[len] = '\0'; 1394 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1395 if (rc == -ERANGE) { 1396 kfree(context); 1397 1398 /* Need a larger buffer. Query for the right size. */ 1399 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1400 if (rc < 0) 1401 return rc; 1402 1403 len = rc; 1404 context = kmalloc(len + 1, GFP_NOFS); 1405 if (!context) 1406 return -ENOMEM; 1407 1408 context[len] = '\0'; 1409 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, 1410 context, len); 1411 } 1412 if (rc < 0) { 1413 kfree(context); 1414 if (rc != -ENODATA) { 1415 pr_warn("SELinux: %s: getxattr returned %d for dev=%s ino=%ld\n", 1416 __func__, -rc, inode->i_sb->s_id, inode->i_ino); 1417 return rc; 1418 } 1419 *sid = def_sid; 1420 return 0; 1421 } 1422 1423 rc = security_context_to_sid_default(&selinux_state, context, rc, sid, 1424 def_sid, GFP_NOFS); 1425 if (rc) { 1426 char *dev = inode->i_sb->s_id; 1427 unsigned long ino = inode->i_ino; 1428 1429 if (rc == -EINVAL) { 1430 pr_notice_ratelimited("SELinux: inode=%lu on dev=%s was found to have an invalid context=%s. This indicates you may need to relabel the inode or the filesystem in question.\n", 1431 ino, dev, context); 1432 } else { 1433 pr_warn("SELinux: %s: context_to_sid(%s) returned %d for dev=%s ino=%ld\n", 1434 __func__, context, -rc, dev, ino); 1435 } 1436 } 1437 kfree(context); 1438 return 0; 1439 } 1440 1441 /* The inode's security attributes must be initialized before first use. */ 1442 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1443 { 1444 struct superblock_security_struct *sbsec = NULL; 1445 struct inode_security_struct *isec = selinux_inode(inode); 1446 u32 task_sid, sid = 0; 1447 u16 sclass; 1448 struct dentry *dentry; 1449 int rc = 0; 1450 1451 if (isec->initialized == LABEL_INITIALIZED) 1452 return 0; 1453 1454 spin_lock(&isec->lock); 1455 if (isec->initialized == LABEL_INITIALIZED) 1456 goto out_unlock; 1457 1458 if (isec->sclass == SECCLASS_FILE) 1459 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1460 1461 sbsec = selinux_superblock(inode->i_sb); 1462 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1463 /* Defer initialization until selinux_complete_init, 1464 after the initial policy is loaded and the security 1465 server is ready to handle calls. */ 1466 spin_lock(&sbsec->isec_lock); 1467 if (list_empty(&isec->list)) 1468 list_add(&isec->list, &sbsec->isec_head); 1469 spin_unlock(&sbsec->isec_lock); 1470 goto out_unlock; 1471 } 1472 1473 sclass = isec->sclass; 1474 task_sid = isec->task_sid; 1475 sid = isec->sid; 1476 isec->initialized = LABEL_PENDING; 1477 spin_unlock(&isec->lock); 1478 1479 switch (sbsec->behavior) { 1480 case SECURITY_FS_USE_NATIVE: 1481 break; 1482 case SECURITY_FS_USE_XATTR: 1483 if (!(inode->i_opflags & IOP_XATTR)) { 1484 sid = sbsec->def_sid; 1485 break; 1486 } 1487 /* Need a dentry, since the xattr API requires one. 1488 Life would be simpler if we could just pass the inode. */ 1489 if (opt_dentry) { 1490 /* Called from d_instantiate or d_splice_alias. */ 1491 dentry = dget(opt_dentry); 1492 } else { 1493 /* 1494 * Called from selinux_complete_init, try to find a dentry. 1495 * Some filesystems really want a connected one, so try 1496 * that first. We could split SECURITY_FS_USE_XATTR in 1497 * two, depending upon that... 1498 */ 1499 dentry = d_find_alias(inode); 1500 if (!dentry) 1501 dentry = d_find_any_alias(inode); 1502 } 1503 if (!dentry) { 1504 /* 1505 * this is can be hit on boot when a file is accessed 1506 * before the policy is loaded. When we load policy we 1507 * may find inodes that have no dentry on the 1508 * sbsec->isec_head list. No reason to complain as these 1509 * will get fixed up the next time we go through 1510 * inode_doinit with a dentry, before these inodes could 1511 * be used again by userspace. 1512 */ 1513 goto out_invalid; 1514 } 1515 1516 rc = inode_doinit_use_xattr(inode, dentry, sbsec->def_sid, 1517 &sid); 1518 dput(dentry); 1519 if (rc) 1520 goto out; 1521 break; 1522 case SECURITY_FS_USE_TASK: 1523 sid = task_sid; 1524 break; 1525 case SECURITY_FS_USE_TRANS: 1526 /* Default to the fs SID. */ 1527 sid = sbsec->sid; 1528 1529 /* Try to obtain a transition SID. */ 1530 rc = security_transition_sid(&selinux_state, task_sid, sid, 1531 sclass, NULL, &sid); 1532 if (rc) 1533 goto out; 1534 break; 1535 case SECURITY_FS_USE_MNTPOINT: 1536 sid = sbsec->mntpoint_sid; 1537 break; 1538 default: 1539 /* Default to the fs superblock SID. */ 1540 sid = sbsec->sid; 1541 1542 if ((sbsec->flags & SE_SBGENFS) && 1543 (!S_ISLNK(inode->i_mode) || 1544 selinux_policycap_genfs_seclabel_symlinks())) { 1545 /* We must have a dentry to determine the label on 1546 * procfs inodes */ 1547 if (opt_dentry) { 1548 /* Called from d_instantiate or 1549 * d_splice_alias. */ 1550 dentry = dget(opt_dentry); 1551 } else { 1552 /* Called from selinux_complete_init, try to 1553 * find a dentry. Some filesystems really want 1554 * a connected one, so try that first. 1555 */ 1556 dentry = d_find_alias(inode); 1557 if (!dentry) 1558 dentry = d_find_any_alias(inode); 1559 } 1560 /* 1561 * This can be hit on boot when a file is accessed 1562 * before the policy is loaded. When we load policy we 1563 * may find inodes that have no dentry on the 1564 * sbsec->isec_head list. No reason to complain as 1565 * these will get fixed up the next time we go through 1566 * inode_doinit() with a dentry, before these inodes 1567 * could be used again by userspace. 1568 */ 1569 if (!dentry) 1570 goto out_invalid; 1571 rc = selinux_genfs_get_sid(dentry, sclass, 1572 sbsec->flags, &sid); 1573 if (rc) { 1574 dput(dentry); 1575 goto out; 1576 } 1577 1578 if ((sbsec->flags & SE_SBGENFS_XATTR) && 1579 (inode->i_opflags & IOP_XATTR)) { 1580 rc = inode_doinit_use_xattr(inode, dentry, 1581 sid, &sid); 1582 if (rc) { 1583 dput(dentry); 1584 goto out; 1585 } 1586 } 1587 dput(dentry); 1588 } 1589 break; 1590 } 1591 1592 out: 1593 spin_lock(&isec->lock); 1594 if (isec->initialized == LABEL_PENDING) { 1595 if (rc) { 1596 isec->initialized = LABEL_INVALID; 1597 goto out_unlock; 1598 } 1599 isec->initialized = LABEL_INITIALIZED; 1600 isec->sid = sid; 1601 } 1602 1603 out_unlock: 1604 spin_unlock(&isec->lock); 1605 return rc; 1606 1607 out_invalid: 1608 spin_lock(&isec->lock); 1609 if (isec->initialized == LABEL_PENDING) { 1610 isec->initialized = LABEL_INVALID; 1611 isec->sid = sid; 1612 } 1613 spin_unlock(&isec->lock); 1614 return 0; 1615 } 1616 1617 /* Convert a Linux signal to an access vector. */ 1618 static inline u32 signal_to_av(int sig) 1619 { 1620 u32 perm = 0; 1621 1622 switch (sig) { 1623 case SIGCHLD: 1624 /* Commonly granted from child to parent. */ 1625 perm = PROCESS__SIGCHLD; 1626 break; 1627 case SIGKILL: 1628 /* Cannot be caught or ignored */ 1629 perm = PROCESS__SIGKILL; 1630 break; 1631 case SIGSTOP: 1632 /* Cannot be caught or ignored */ 1633 perm = PROCESS__SIGSTOP; 1634 break; 1635 default: 1636 /* All other signals. */ 1637 perm = PROCESS__SIGNAL; 1638 break; 1639 } 1640 1641 return perm; 1642 } 1643 1644 #if CAP_LAST_CAP > 63 1645 #error Fix SELinux to handle capabilities > 63. 1646 #endif 1647 1648 /* Check whether a task is allowed to use a capability. */ 1649 static int cred_has_capability(const struct cred *cred, 1650 int cap, unsigned int opts, bool initns) 1651 { 1652 struct common_audit_data ad; 1653 struct av_decision avd; 1654 u16 sclass; 1655 u32 sid = cred_sid(cred); 1656 u32 av = CAP_TO_MASK(cap); 1657 int rc; 1658 1659 ad.type = LSM_AUDIT_DATA_CAP; 1660 ad.u.cap = cap; 1661 1662 switch (CAP_TO_INDEX(cap)) { 1663 case 0: 1664 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1665 break; 1666 case 1: 1667 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1668 break; 1669 default: 1670 pr_err("SELinux: out of range capability %d\n", cap); 1671 BUG(); 1672 return -EINVAL; 1673 } 1674 1675 rc = avc_has_perm_noaudit(&selinux_state, 1676 sid, sid, sclass, av, 0, &avd); 1677 if (!(opts & CAP_OPT_NOAUDIT)) { 1678 int rc2 = avc_audit(&selinux_state, 1679 sid, sid, sclass, av, &avd, rc, &ad); 1680 if (rc2) 1681 return rc2; 1682 } 1683 return rc; 1684 } 1685 1686 /* Check whether a task has a particular permission to an inode. 1687 The 'adp' parameter is optional and allows other audit 1688 data to be passed (e.g. the dentry). */ 1689 static int inode_has_perm(const struct cred *cred, 1690 struct inode *inode, 1691 u32 perms, 1692 struct common_audit_data *adp) 1693 { 1694 struct inode_security_struct *isec; 1695 u32 sid; 1696 1697 validate_creds(cred); 1698 1699 if (unlikely(IS_PRIVATE(inode))) 1700 return 0; 1701 1702 sid = cred_sid(cred); 1703 isec = selinux_inode(inode); 1704 1705 return avc_has_perm(&selinux_state, 1706 sid, isec->sid, isec->sclass, perms, adp); 1707 } 1708 1709 /* Same as inode_has_perm, but pass explicit audit data containing 1710 the dentry to help the auditing code to more easily generate the 1711 pathname if needed. */ 1712 static inline int dentry_has_perm(const struct cred *cred, 1713 struct dentry *dentry, 1714 u32 av) 1715 { 1716 struct inode *inode = d_backing_inode(dentry); 1717 struct common_audit_data ad; 1718 1719 ad.type = LSM_AUDIT_DATA_DENTRY; 1720 ad.u.dentry = dentry; 1721 __inode_security_revalidate(inode, dentry, true); 1722 return inode_has_perm(cred, inode, av, &ad); 1723 } 1724 1725 /* Same as inode_has_perm, but pass explicit audit data containing 1726 the path to help the auditing code to more easily generate the 1727 pathname if needed. */ 1728 static inline int path_has_perm(const struct cred *cred, 1729 const struct path *path, 1730 u32 av) 1731 { 1732 struct inode *inode = d_backing_inode(path->dentry); 1733 struct common_audit_data ad; 1734 1735 ad.type = LSM_AUDIT_DATA_PATH; 1736 ad.u.path = *path; 1737 __inode_security_revalidate(inode, path->dentry, true); 1738 return inode_has_perm(cred, inode, av, &ad); 1739 } 1740 1741 /* Same as path_has_perm, but uses the inode from the file struct. */ 1742 static inline int file_path_has_perm(const struct cred *cred, 1743 struct file *file, 1744 u32 av) 1745 { 1746 struct common_audit_data ad; 1747 1748 ad.type = LSM_AUDIT_DATA_FILE; 1749 ad.u.file = file; 1750 return inode_has_perm(cred, file_inode(file), av, &ad); 1751 } 1752 1753 #ifdef CONFIG_BPF_SYSCALL 1754 static int bpf_fd_pass(struct file *file, u32 sid); 1755 #endif 1756 1757 /* Check whether a task can use an open file descriptor to 1758 access an inode in a given way. Check access to the 1759 descriptor itself, and then use dentry_has_perm to 1760 check a particular permission to the file. 1761 Access to the descriptor is implicitly granted if it 1762 has the same SID as the process. If av is zero, then 1763 access to the file is not checked, e.g. for cases 1764 where only the descriptor is affected like seek. */ 1765 static int file_has_perm(const struct cred *cred, 1766 struct file *file, 1767 u32 av) 1768 { 1769 struct file_security_struct *fsec = selinux_file(file); 1770 struct inode *inode = file_inode(file); 1771 struct common_audit_data ad; 1772 u32 sid = cred_sid(cred); 1773 int rc; 1774 1775 ad.type = LSM_AUDIT_DATA_FILE; 1776 ad.u.file = file; 1777 1778 if (sid != fsec->sid) { 1779 rc = avc_has_perm(&selinux_state, 1780 sid, fsec->sid, 1781 SECCLASS_FD, 1782 FD__USE, 1783 &ad); 1784 if (rc) 1785 goto out; 1786 } 1787 1788 #ifdef CONFIG_BPF_SYSCALL 1789 rc = bpf_fd_pass(file, cred_sid(cred)); 1790 if (rc) 1791 return rc; 1792 #endif 1793 1794 /* av is zero if only checking access to the descriptor. */ 1795 rc = 0; 1796 if (av) 1797 rc = inode_has_perm(cred, inode, av, &ad); 1798 1799 out: 1800 return rc; 1801 } 1802 1803 /* 1804 * Determine the label for an inode that might be unioned. 1805 */ 1806 static int 1807 selinux_determine_inode_label(const struct task_security_struct *tsec, 1808 struct inode *dir, 1809 const struct qstr *name, u16 tclass, 1810 u32 *_new_isid) 1811 { 1812 const struct superblock_security_struct *sbsec = 1813 selinux_superblock(dir->i_sb); 1814 1815 if ((sbsec->flags & SE_SBINITIALIZED) && 1816 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1817 *_new_isid = sbsec->mntpoint_sid; 1818 } else if ((sbsec->flags & SBLABEL_MNT) && 1819 tsec->create_sid) { 1820 *_new_isid = tsec->create_sid; 1821 } else { 1822 const struct inode_security_struct *dsec = inode_security(dir); 1823 return security_transition_sid(&selinux_state, tsec->sid, 1824 dsec->sid, tclass, 1825 name, _new_isid); 1826 } 1827 1828 return 0; 1829 } 1830 1831 /* Check whether a task can create a file. */ 1832 static int may_create(struct inode *dir, 1833 struct dentry *dentry, 1834 u16 tclass) 1835 { 1836 const struct task_security_struct *tsec = selinux_cred(current_cred()); 1837 struct inode_security_struct *dsec; 1838 struct superblock_security_struct *sbsec; 1839 u32 sid, newsid; 1840 struct common_audit_data ad; 1841 int rc; 1842 1843 dsec = inode_security(dir); 1844 sbsec = selinux_superblock(dir->i_sb); 1845 1846 sid = tsec->sid; 1847 1848 ad.type = LSM_AUDIT_DATA_DENTRY; 1849 ad.u.dentry = dentry; 1850 1851 rc = avc_has_perm(&selinux_state, 1852 sid, dsec->sid, SECCLASS_DIR, 1853 DIR__ADD_NAME | DIR__SEARCH, 1854 &ad); 1855 if (rc) 1856 return rc; 1857 1858 rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, 1859 &newsid); 1860 if (rc) 1861 return rc; 1862 1863 rc = avc_has_perm(&selinux_state, 1864 sid, newsid, tclass, FILE__CREATE, &ad); 1865 if (rc) 1866 return rc; 1867 1868 return avc_has_perm(&selinux_state, 1869 newsid, sbsec->sid, 1870 SECCLASS_FILESYSTEM, 1871 FILESYSTEM__ASSOCIATE, &ad); 1872 } 1873 1874 #define MAY_LINK 0 1875 #define MAY_UNLINK 1 1876 #define MAY_RMDIR 2 1877 1878 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1879 static int may_link(struct inode *dir, 1880 struct dentry *dentry, 1881 int kind) 1882 1883 { 1884 struct inode_security_struct *dsec, *isec; 1885 struct common_audit_data ad; 1886 u32 sid = current_sid(); 1887 u32 av; 1888 int rc; 1889 1890 dsec = inode_security(dir); 1891 isec = backing_inode_security(dentry); 1892 1893 ad.type = LSM_AUDIT_DATA_DENTRY; 1894 ad.u.dentry = dentry; 1895 1896 av = DIR__SEARCH; 1897 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1898 rc = avc_has_perm(&selinux_state, 1899 sid, dsec->sid, SECCLASS_DIR, av, &ad); 1900 if (rc) 1901 return rc; 1902 1903 switch (kind) { 1904 case MAY_LINK: 1905 av = FILE__LINK; 1906 break; 1907 case MAY_UNLINK: 1908 av = FILE__UNLINK; 1909 break; 1910 case MAY_RMDIR: 1911 av = DIR__RMDIR; 1912 break; 1913 default: 1914 pr_warn("SELinux: %s: unrecognized kind %d\n", 1915 __func__, kind); 1916 return 0; 1917 } 1918 1919 rc = avc_has_perm(&selinux_state, 1920 sid, isec->sid, isec->sclass, av, &ad); 1921 return rc; 1922 } 1923 1924 static inline int may_rename(struct inode *old_dir, 1925 struct dentry *old_dentry, 1926 struct inode *new_dir, 1927 struct dentry *new_dentry) 1928 { 1929 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1930 struct common_audit_data ad; 1931 u32 sid = current_sid(); 1932 u32 av; 1933 int old_is_dir, new_is_dir; 1934 int rc; 1935 1936 old_dsec = inode_security(old_dir); 1937 old_isec = backing_inode_security(old_dentry); 1938 old_is_dir = d_is_dir(old_dentry); 1939 new_dsec = inode_security(new_dir); 1940 1941 ad.type = LSM_AUDIT_DATA_DENTRY; 1942 1943 ad.u.dentry = old_dentry; 1944 rc = avc_has_perm(&selinux_state, 1945 sid, old_dsec->sid, SECCLASS_DIR, 1946 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1947 if (rc) 1948 return rc; 1949 rc = avc_has_perm(&selinux_state, 1950 sid, old_isec->sid, 1951 old_isec->sclass, FILE__RENAME, &ad); 1952 if (rc) 1953 return rc; 1954 if (old_is_dir && new_dir != old_dir) { 1955 rc = avc_has_perm(&selinux_state, 1956 sid, old_isec->sid, 1957 old_isec->sclass, DIR__REPARENT, &ad); 1958 if (rc) 1959 return rc; 1960 } 1961 1962 ad.u.dentry = new_dentry; 1963 av = DIR__ADD_NAME | DIR__SEARCH; 1964 if (d_is_positive(new_dentry)) 1965 av |= DIR__REMOVE_NAME; 1966 rc = avc_has_perm(&selinux_state, 1967 sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1968 if (rc) 1969 return rc; 1970 if (d_is_positive(new_dentry)) { 1971 new_isec = backing_inode_security(new_dentry); 1972 new_is_dir = d_is_dir(new_dentry); 1973 rc = avc_has_perm(&selinux_state, 1974 sid, new_isec->sid, 1975 new_isec->sclass, 1976 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1977 if (rc) 1978 return rc; 1979 } 1980 1981 return 0; 1982 } 1983 1984 /* Check whether a task can perform a filesystem operation. */ 1985 static int superblock_has_perm(const struct cred *cred, 1986 struct super_block *sb, 1987 u32 perms, 1988 struct common_audit_data *ad) 1989 { 1990 struct superblock_security_struct *sbsec; 1991 u32 sid = cred_sid(cred); 1992 1993 sbsec = selinux_superblock(sb); 1994 return avc_has_perm(&selinux_state, 1995 sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1996 } 1997 1998 /* Convert a Linux mode and permission mask to an access vector. */ 1999 static inline u32 file_mask_to_av(int mode, int mask) 2000 { 2001 u32 av = 0; 2002 2003 if (!S_ISDIR(mode)) { 2004 if (mask & MAY_EXEC) 2005 av |= FILE__EXECUTE; 2006 if (mask & MAY_READ) 2007 av |= FILE__READ; 2008 2009 if (mask & MAY_APPEND) 2010 av |= FILE__APPEND; 2011 else if (mask & MAY_WRITE) 2012 av |= FILE__WRITE; 2013 2014 } else { 2015 if (mask & MAY_EXEC) 2016 av |= DIR__SEARCH; 2017 if (mask & MAY_WRITE) 2018 av |= DIR__WRITE; 2019 if (mask & MAY_READ) 2020 av |= DIR__READ; 2021 } 2022 2023 return av; 2024 } 2025 2026 /* Convert a Linux file to an access vector. */ 2027 static inline u32 file_to_av(struct file *file) 2028 { 2029 u32 av = 0; 2030 2031 if (file->f_mode & FMODE_READ) 2032 av |= FILE__READ; 2033 if (file->f_mode & FMODE_WRITE) { 2034 if (file->f_flags & O_APPEND) 2035 av |= FILE__APPEND; 2036 else 2037 av |= FILE__WRITE; 2038 } 2039 if (!av) { 2040 /* 2041 * Special file opened with flags 3 for ioctl-only use. 2042 */ 2043 av = FILE__IOCTL; 2044 } 2045 2046 return av; 2047 } 2048 2049 /* 2050 * Convert a file to an access vector and include the correct 2051 * open permission. 2052 */ 2053 static inline u32 open_file_to_av(struct file *file) 2054 { 2055 u32 av = file_to_av(file); 2056 struct inode *inode = file_inode(file); 2057 2058 if (selinux_policycap_openperm() && 2059 inode->i_sb->s_magic != SOCKFS_MAGIC) 2060 av |= FILE__OPEN; 2061 2062 return av; 2063 } 2064 2065 /* Hook functions begin here. */ 2066 2067 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2068 { 2069 return avc_has_perm(&selinux_state, 2070 current_sid(), task_sid_binder(mgr), SECCLASS_BINDER, 2071 BINDER__SET_CONTEXT_MGR, NULL); 2072 } 2073 2074 static int selinux_binder_transaction(struct task_struct *from, 2075 struct task_struct *to) 2076 { 2077 u32 mysid = current_sid(); 2078 u32 fromsid = task_sid_binder(from); 2079 int rc; 2080 2081 if (mysid != fromsid) { 2082 rc = avc_has_perm(&selinux_state, 2083 mysid, fromsid, SECCLASS_BINDER, 2084 BINDER__IMPERSONATE, NULL); 2085 if (rc) 2086 return rc; 2087 } 2088 2089 return avc_has_perm(&selinux_state, fromsid, task_sid_binder(to), 2090 SECCLASS_BINDER, BINDER__CALL, NULL); 2091 } 2092 2093 static int selinux_binder_transfer_binder(struct task_struct *from, 2094 struct task_struct *to) 2095 { 2096 return avc_has_perm(&selinux_state, 2097 task_sid_binder(from), task_sid_binder(to), 2098 SECCLASS_BINDER, BINDER__TRANSFER, 2099 NULL); 2100 } 2101 2102 static int selinux_binder_transfer_file(struct task_struct *from, 2103 struct task_struct *to, 2104 struct file *file) 2105 { 2106 u32 sid = task_sid_binder(to); 2107 struct file_security_struct *fsec = selinux_file(file); 2108 struct dentry *dentry = file->f_path.dentry; 2109 struct inode_security_struct *isec; 2110 struct common_audit_data ad; 2111 int rc; 2112 2113 ad.type = LSM_AUDIT_DATA_PATH; 2114 ad.u.path = file->f_path; 2115 2116 if (sid != fsec->sid) { 2117 rc = avc_has_perm(&selinux_state, 2118 sid, fsec->sid, 2119 SECCLASS_FD, 2120 FD__USE, 2121 &ad); 2122 if (rc) 2123 return rc; 2124 } 2125 2126 #ifdef CONFIG_BPF_SYSCALL 2127 rc = bpf_fd_pass(file, sid); 2128 if (rc) 2129 return rc; 2130 #endif 2131 2132 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2133 return 0; 2134 2135 isec = backing_inode_security(dentry); 2136 return avc_has_perm(&selinux_state, 2137 sid, isec->sid, isec->sclass, file_to_av(file), 2138 &ad); 2139 } 2140 2141 static int selinux_ptrace_access_check(struct task_struct *child, 2142 unsigned int mode) 2143 { 2144 u32 sid = current_sid(); 2145 u32 csid = task_sid_obj(child); 2146 2147 if (mode & PTRACE_MODE_READ) 2148 return avc_has_perm(&selinux_state, 2149 sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2150 2151 return avc_has_perm(&selinux_state, 2152 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2153 } 2154 2155 static int selinux_ptrace_traceme(struct task_struct *parent) 2156 { 2157 return avc_has_perm(&selinux_state, 2158 task_sid_subj(parent), task_sid_obj(current), 2159 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2160 } 2161 2162 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2163 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2164 { 2165 return avc_has_perm(&selinux_state, 2166 current_sid(), task_sid_obj(target), SECCLASS_PROCESS, 2167 PROCESS__GETCAP, NULL); 2168 } 2169 2170 static int selinux_capset(struct cred *new, const struct cred *old, 2171 const kernel_cap_t *effective, 2172 const kernel_cap_t *inheritable, 2173 const kernel_cap_t *permitted) 2174 { 2175 return avc_has_perm(&selinux_state, 2176 cred_sid(old), cred_sid(new), SECCLASS_PROCESS, 2177 PROCESS__SETCAP, NULL); 2178 } 2179 2180 /* 2181 * (This comment used to live with the selinux_task_setuid hook, 2182 * which was removed). 2183 * 2184 * Since setuid only affects the current process, and since the SELinux 2185 * controls are not based on the Linux identity attributes, SELinux does not 2186 * need to control this operation. However, SELinux does control the use of 2187 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2188 */ 2189 2190 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2191 int cap, unsigned int opts) 2192 { 2193 return cred_has_capability(cred, cap, opts, ns == &init_user_ns); 2194 } 2195 2196 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2197 { 2198 const struct cred *cred = current_cred(); 2199 int rc = 0; 2200 2201 if (!sb) 2202 return 0; 2203 2204 switch (cmds) { 2205 case Q_SYNC: 2206 case Q_QUOTAON: 2207 case Q_QUOTAOFF: 2208 case Q_SETINFO: 2209 case Q_SETQUOTA: 2210 case Q_XQUOTAOFF: 2211 case Q_XQUOTAON: 2212 case Q_XSETQLIM: 2213 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2214 break; 2215 case Q_GETFMT: 2216 case Q_GETINFO: 2217 case Q_GETQUOTA: 2218 case Q_XGETQUOTA: 2219 case Q_XGETQSTAT: 2220 case Q_XGETQSTATV: 2221 case Q_XGETNEXTQUOTA: 2222 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2223 break; 2224 default: 2225 rc = 0; /* let the kernel handle invalid cmds */ 2226 break; 2227 } 2228 return rc; 2229 } 2230 2231 static int selinux_quota_on(struct dentry *dentry) 2232 { 2233 const struct cred *cred = current_cred(); 2234 2235 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2236 } 2237 2238 static int selinux_syslog(int type) 2239 { 2240 switch (type) { 2241 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2242 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2243 return avc_has_perm(&selinux_state, 2244 current_sid(), SECINITSID_KERNEL, 2245 SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, NULL); 2246 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2247 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2248 /* Set level of messages printed to console */ 2249 case SYSLOG_ACTION_CONSOLE_LEVEL: 2250 return avc_has_perm(&selinux_state, 2251 current_sid(), SECINITSID_KERNEL, 2252 SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, 2253 NULL); 2254 } 2255 /* All other syslog types */ 2256 return avc_has_perm(&selinux_state, 2257 current_sid(), SECINITSID_KERNEL, 2258 SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, NULL); 2259 } 2260 2261 /* 2262 * Check that a process has enough memory to allocate a new virtual 2263 * mapping. 0 means there is enough memory for the allocation to 2264 * succeed and -ENOMEM implies there is not. 2265 * 2266 * Do not audit the selinux permission check, as this is applied to all 2267 * processes that allocate mappings. 2268 */ 2269 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2270 { 2271 int rc, cap_sys_admin = 0; 2272 2273 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2274 CAP_OPT_NOAUDIT, true); 2275 if (rc == 0) 2276 cap_sys_admin = 1; 2277 2278 return cap_sys_admin; 2279 } 2280 2281 /* binprm security operations */ 2282 2283 static u32 ptrace_parent_sid(void) 2284 { 2285 u32 sid = 0; 2286 struct task_struct *tracer; 2287 2288 rcu_read_lock(); 2289 tracer = ptrace_parent(current); 2290 if (tracer) 2291 sid = task_sid_obj(tracer); 2292 rcu_read_unlock(); 2293 2294 return sid; 2295 } 2296 2297 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2298 const struct task_security_struct *old_tsec, 2299 const struct task_security_struct *new_tsec) 2300 { 2301 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2302 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2303 int rc; 2304 u32 av; 2305 2306 if (!nnp && !nosuid) 2307 return 0; /* neither NNP nor nosuid */ 2308 2309 if (new_tsec->sid == old_tsec->sid) 2310 return 0; /* No change in credentials */ 2311 2312 /* 2313 * If the policy enables the nnp_nosuid_transition policy capability, 2314 * then we permit transitions under NNP or nosuid if the 2315 * policy allows the corresponding permission between 2316 * the old and new contexts. 2317 */ 2318 if (selinux_policycap_nnp_nosuid_transition()) { 2319 av = 0; 2320 if (nnp) 2321 av |= PROCESS2__NNP_TRANSITION; 2322 if (nosuid) 2323 av |= PROCESS2__NOSUID_TRANSITION; 2324 rc = avc_has_perm(&selinux_state, 2325 old_tsec->sid, new_tsec->sid, 2326 SECCLASS_PROCESS2, av, NULL); 2327 if (!rc) 2328 return 0; 2329 } 2330 2331 /* 2332 * We also permit NNP or nosuid transitions to bounded SIDs, 2333 * i.e. SIDs that are guaranteed to only be allowed a subset 2334 * of the permissions of the current SID. 2335 */ 2336 rc = security_bounded_transition(&selinux_state, old_tsec->sid, 2337 new_tsec->sid); 2338 if (!rc) 2339 return 0; 2340 2341 /* 2342 * On failure, preserve the errno values for NNP vs nosuid. 2343 * NNP: Operation not permitted for caller. 2344 * nosuid: Permission denied to file. 2345 */ 2346 if (nnp) 2347 return -EPERM; 2348 return -EACCES; 2349 } 2350 2351 static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) 2352 { 2353 const struct task_security_struct *old_tsec; 2354 struct task_security_struct *new_tsec; 2355 struct inode_security_struct *isec; 2356 struct common_audit_data ad; 2357 struct inode *inode = file_inode(bprm->file); 2358 int rc; 2359 2360 /* SELinux context only depends on initial program or script and not 2361 * the script interpreter */ 2362 2363 old_tsec = selinux_cred(current_cred()); 2364 new_tsec = selinux_cred(bprm->cred); 2365 isec = inode_security(inode); 2366 2367 /* Default to the current task SID. */ 2368 new_tsec->sid = old_tsec->sid; 2369 new_tsec->osid = old_tsec->sid; 2370 2371 /* Reset fs, key, and sock SIDs on execve. */ 2372 new_tsec->create_sid = 0; 2373 new_tsec->keycreate_sid = 0; 2374 new_tsec->sockcreate_sid = 0; 2375 2376 if (old_tsec->exec_sid) { 2377 new_tsec->sid = old_tsec->exec_sid; 2378 /* Reset exec SID on execve. */ 2379 new_tsec->exec_sid = 0; 2380 2381 /* Fail on NNP or nosuid if not an allowed transition. */ 2382 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2383 if (rc) 2384 return rc; 2385 } else { 2386 /* Check for a default transition on this program. */ 2387 rc = security_transition_sid(&selinux_state, old_tsec->sid, 2388 isec->sid, SECCLASS_PROCESS, NULL, 2389 &new_tsec->sid); 2390 if (rc) 2391 return rc; 2392 2393 /* 2394 * Fallback to old SID on NNP or nosuid if not an allowed 2395 * transition. 2396 */ 2397 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2398 if (rc) 2399 new_tsec->sid = old_tsec->sid; 2400 } 2401 2402 ad.type = LSM_AUDIT_DATA_FILE; 2403 ad.u.file = bprm->file; 2404 2405 if (new_tsec->sid == old_tsec->sid) { 2406 rc = avc_has_perm(&selinux_state, 2407 old_tsec->sid, isec->sid, 2408 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2409 if (rc) 2410 return rc; 2411 } else { 2412 /* Check permissions for the transition. */ 2413 rc = avc_has_perm(&selinux_state, 2414 old_tsec->sid, new_tsec->sid, 2415 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2416 if (rc) 2417 return rc; 2418 2419 rc = avc_has_perm(&selinux_state, 2420 new_tsec->sid, isec->sid, 2421 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2422 if (rc) 2423 return rc; 2424 2425 /* Check for shared state */ 2426 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2427 rc = avc_has_perm(&selinux_state, 2428 old_tsec->sid, new_tsec->sid, 2429 SECCLASS_PROCESS, PROCESS__SHARE, 2430 NULL); 2431 if (rc) 2432 return -EPERM; 2433 } 2434 2435 /* Make sure that anyone attempting to ptrace over a task that 2436 * changes its SID has the appropriate permit */ 2437 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 2438 u32 ptsid = ptrace_parent_sid(); 2439 if (ptsid != 0) { 2440 rc = avc_has_perm(&selinux_state, 2441 ptsid, new_tsec->sid, 2442 SECCLASS_PROCESS, 2443 PROCESS__PTRACE, NULL); 2444 if (rc) 2445 return -EPERM; 2446 } 2447 } 2448 2449 /* Clear any possibly unsafe personality bits on exec: */ 2450 bprm->per_clear |= PER_CLEAR_ON_SETID; 2451 2452 /* Enable secure mode for SIDs transitions unless 2453 the noatsecure permission is granted between 2454 the two SIDs, i.e. ahp returns 0. */ 2455 rc = avc_has_perm(&selinux_state, 2456 old_tsec->sid, new_tsec->sid, 2457 SECCLASS_PROCESS, PROCESS__NOATSECURE, 2458 NULL); 2459 bprm->secureexec |= !!rc; 2460 } 2461 2462 return 0; 2463 } 2464 2465 static int match_file(const void *p, struct file *file, unsigned fd) 2466 { 2467 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2468 } 2469 2470 /* Derived from fs/exec.c:flush_old_files. */ 2471 static inline void flush_unauthorized_files(const struct cred *cred, 2472 struct files_struct *files) 2473 { 2474 struct file *file, *devnull = NULL; 2475 struct tty_struct *tty; 2476 int drop_tty = 0; 2477 unsigned n; 2478 2479 tty = get_current_tty(); 2480 if (tty) { 2481 spin_lock(&tty->files_lock); 2482 if (!list_empty(&tty->tty_files)) { 2483 struct tty_file_private *file_priv; 2484 2485 /* Revalidate access to controlling tty. 2486 Use file_path_has_perm on the tty path directly 2487 rather than using file_has_perm, as this particular 2488 open file may belong to another process and we are 2489 only interested in the inode-based check here. */ 2490 file_priv = list_first_entry(&tty->tty_files, 2491 struct tty_file_private, list); 2492 file = file_priv->file; 2493 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2494 drop_tty = 1; 2495 } 2496 spin_unlock(&tty->files_lock); 2497 tty_kref_put(tty); 2498 } 2499 /* Reset controlling tty. */ 2500 if (drop_tty) 2501 no_tty(); 2502 2503 /* Revalidate access to inherited open files. */ 2504 n = iterate_fd(files, 0, match_file, cred); 2505 if (!n) /* none found? */ 2506 return; 2507 2508 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2509 if (IS_ERR(devnull)) 2510 devnull = NULL; 2511 /* replace all the matching ones with this */ 2512 do { 2513 replace_fd(n - 1, devnull, 0); 2514 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2515 if (devnull) 2516 fput(devnull); 2517 } 2518 2519 /* 2520 * Prepare a process for imminent new credential changes due to exec 2521 */ 2522 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2523 { 2524 struct task_security_struct *new_tsec; 2525 struct rlimit *rlim, *initrlim; 2526 int rc, i; 2527 2528 new_tsec = selinux_cred(bprm->cred); 2529 if (new_tsec->sid == new_tsec->osid) 2530 return; 2531 2532 /* Close files for which the new task SID is not authorized. */ 2533 flush_unauthorized_files(bprm->cred, current->files); 2534 2535 /* Always clear parent death signal on SID transitions. */ 2536 current->pdeath_signal = 0; 2537 2538 /* Check whether the new SID can inherit resource limits from the old 2539 * SID. If not, reset all soft limits to the lower of the current 2540 * task's hard limit and the init task's soft limit. 2541 * 2542 * Note that the setting of hard limits (even to lower them) can be 2543 * controlled by the setrlimit check. The inclusion of the init task's 2544 * soft limit into the computation is to avoid resetting soft limits 2545 * higher than the default soft limit for cases where the default is 2546 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2547 */ 2548 rc = avc_has_perm(&selinux_state, 2549 new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2550 PROCESS__RLIMITINH, NULL); 2551 if (rc) { 2552 /* protect against do_prlimit() */ 2553 task_lock(current); 2554 for (i = 0; i < RLIM_NLIMITS; i++) { 2555 rlim = current->signal->rlim + i; 2556 initrlim = init_task.signal->rlim + i; 2557 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2558 } 2559 task_unlock(current); 2560 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2561 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2562 } 2563 } 2564 2565 /* 2566 * Clean up the process immediately after the installation of new credentials 2567 * due to exec 2568 */ 2569 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2570 { 2571 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2572 u32 osid, sid; 2573 int rc; 2574 2575 osid = tsec->osid; 2576 sid = tsec->sid; 2577 2578 if (sid == osid) 2579 return; 2580 2581 /* Check whether the new SID can inherit signal state from the old SID. 2582 * If not, clear itimers to avoid subsequent signal generation and 2583 * flush and unblock signals. 2584 * 2585 * This must occur _after_ the task SID has been updated so that any 2586 * kill done after the flush will be checked against the new SID. 2587 */ 2588 rc = avc_has_perm(&selinux_state, 2589 osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2590 if (rc) { 2591 clear_itimer(); 2592 2593 spin_lock_irq(¤t->sighand->siglock); 2594 if (!fatal_signal_pending(current)) { 2595 flush_sigqueue(¤t->pending); 2596 flush_sigqueue(¤t->signal->shared_pending); 2597 flush_signal_handlers(current, 1); 2598 sigemptyset(¤t->blocked); 2599 recalc_sigpending(); 2600 } 2601 spin_unlock_irq(¤t->sighand->siglock); 2602 } 2603 2604 /* Wake up the parent if it is waiting so that it can recheck 2605 * wait permission to the new task SID. */ 2606 read_lock(&tasklist_lock); 2607 __wake_up_parent(current, current->real_parent); 2608 read_unlock(&tasklist_lock); 2609 } 2610 2611 /* superblock security operations */ 2612 2613 static int selinux_sb_alloc_security(struct super_block *sb) 2614 { 2615 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2616 2617 mutex_init(&sbsec->lock); 2618 INIT_LIST_HEAD(&sbsec->isec_head); 2619 spin_lock_init(&sbsec->isec_lock); 2620 sbsec->sid = SECINITSID_UNLABELED; 2621 sbsec->def_sid = SECINITSID_FILE; 2622 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 2623 2624 return 0; 2625 } 2626 2627 static inline int opt_len(const char *s) 2628 { 2629 bool open_quote = false; 2630 int len; 2631 char c; 2632 2633 for (len = 0; (c = s[len]) != '\0'; len++) { 2634 if (c == '"') 2635 open_quote = !open_quote; 2636 if (c == ',' && !open_quote) 2637 break; 2638 } 2639 return len; 2640 } 2641 2642 static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) 2643 { 2644 char *from = options; 2645 char *to = options; 2646 bool first = true; 2647 int rc; 2648 2649 while (1) { 2650 int len = opt_len(from); 2651 int token; 2652 char *arg = NULL; 2653 2654 token = match_opt_prefix(from, len, &arg); 2655 2656 if (token != Opt_error) { 2657 char *p, *q; 2658 2659 /* strip quotes */ 2660 if (arg) { 2661 for (p = q = arg; p < from + len; p++) { 2662 char c = *p; 2663 if (c != '"') 2664 *q++ = c; 2665 } 2666 arg = kmemdup_nul(arg, q - arg, GFP_KERNEL); 2667 if (!arg) { 2668 rc = -ENOMEM; 2669 goto free_opt; 2670 } 2671 } 2672 rc = selinux_add_opt(token, arg, mnt_opts); 2673 if (unlikely(rc)) { 2674 kfree(arg); 2675 goto free_opt; 2676 } 2677 } else { 2678 if (!first) { // copy with preceding comma 2679 from--; 2680 len++; 2681 } 2682 if (to != from) 2683 memmove(to, from, len); 2684 to += len; 2685 first = false; 2686 } 2687 if (!from[len]) 2688 break; 2689 from += len + 1; 2690 } 2691 *to = '\0'; 2692 return 0; 2693 2694 free_opt: 2695 if (*mnt_opts) { 2696 selinux_free_mnt_opts(*mnt_opts); 2697 *mnt_opts = NULL; 2698 } 2699 return rc; 2700 } 2701 2702 static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) 2703 { 2704 struct selinux_mnt_opts *opts = mnt_opts; 2705 struct superblock_security_struct *sbsec = sb->s_security; 2706 u32 sid; 2707 int rc; 2708 2709 /* 2710 * Superblock not initialized (i.e. no options) - reject if any 2711 * options specified, otherwise accept. 2712 */ 2713 if (!(sbsec->flags & SE_SBINITIALIZED)) 2714 return opts ? 1 : 0; 2715 2716 /* 2717 * Superblock initialized and no options specified - reject if 2718 * superblock has any options set, otherwise accept. 2719 */ 2720 if (!opts) 2721 return (sbsec->flags & SE_MNTMASK) ? 1 : 0; 2722 2723 if (opts->fscontext) { 2724 rc = parse_sid(sb, opts->fscontext, &sid); 2725 if (rc) 2726 return 1; 2727 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2728 return 1; 2729 } 2730 if (opts->context) { 2731 rc = parse_sid(sb, opts->context, &sid); 2732 if (rc) 2733 return 1; 2734 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2735 return 1; 2736 } 2737 if (opts->rootcontext) { 2738 struct inode_security_struct *root_isec; 2739 2740 root_isec = backing_inode_security(sb->s_root); 2741 rc = parse_sid(sb, opts->rootcontext, &sid); 2742 if (rc) 2743 return 1; 2744 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2745 return 1; 2746 } 2747 if (opts->defcontext) { 2748 rc = parse_sid(sb, opts->defcontext, &sid); 2749 if (rc) 2750 return 1; 2751 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2752 return 1; 2753 } 2754 return 0; 2755 } 2756 2757 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) 2758 { 2759 struct selinux_mnt_opts *opts = mnt_opts; 2760 struct superblock_security_struct *sbsec = selinux_superblock(sb); 2761 u32 sid; 2762 int rc; 2763 2764 if (!(sbsec->flags & SE_SBINITIALIZED)) 2765 return 0; 2766 2767 if (!opts) 2768 return 0; 2769 2770 if (opts->fscontext) { 2771 rc = parse_sid(sb, opts->fscontext, &sid); 2772 if (rc) 2773 return rc; 2774 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2775 goto out_bad_option; 2776 } 2777 if (opts->context) { 2778 rc = parse_sid(sb, opts->context, &sid); 2779 if (rc) 2780 return rc; 2781 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2782 goto out_bad_option; 2783 } 2784 if (opts->rootcontext) { 2785 struct inode_security_struct *root_isec; 2786 root_isec = backing_inode_security(sb->s_root); 2787 rc = parse_sid(sb, opts->rootcontext, &sid); 2788 if (rc) 2789 return rc; 2790 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2791 goto out_bad_option; 2792 } 2793 if (opts->defcontext) { 2794 rc = parse_sid(sb, opts->defcontext, &sid); 2795 if (rc) 2796 return rc; 2797 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2798 goto out_bad_option; 2799 } 2800 return 0; 2801 2802 out_bad_option: 2803 pr_warn("SELinux: unable to change security options " 2804 "during remount (dev %s, type=%s)\n", sb->s_id, 2805 sb->s_type->name); 2806 return -EINVAL; 2807 } 2808 2809 static int selinux_sb_kern_mount(struct super_block *sb) 2810 { 2811 const struct cred *cred = current_cred(); 2812 struct common_audit_data ad; 2813 2814 ad.type = LSM_AUDIT_DATA_DENTRY; 2815 ad.u.dentry = sb->s_root; 2816 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2817 } 2818 2819 static int selinux_sb_statfs(struct dentry *dentry) 2820 { 2821 const struct cred *cred = current_cred(); 2822 struct common_audit_data ad; 2823 2824 ad.type = LSM_AUDIT_DATA_DENTRY; 2825 ad.u.dentry = dentry->d_sb->s_root; 2826 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2827 } 2828 2829 static int selinux_mount(const char *dev_name, 2830 const struct path *path, 2831 const char *type, 2832 unsigned long flags, 2833 void *data) 2834 { 2835 const struct cred *cred = current_cred(); 2836 2837 if (flags & MS_REMOUNT) 2838 return superblock_has_perm(cred, path->dentry->d_sb, 2839 FILESYSTEM__REMOUNT, NULL); 2840 else 2841 return path_has_perm(cred, path, FILE__MOUNTON); 2842 } 2843 2844 static int selinux_move_mount(const struct path *from_path, 2845 const struct path *to_path) 2846 { 2847 const struct cred *cred = current_cred(); 2848 2849 return path_has_perm(cred, to_path, FILE__MOUNTON); 2850 } 2851 2852 static int selinux_umount(struct vfsmount *mnt, int flags) 2853 { 2854 const struct cred *cred = current_cred(); 2855 2856 return superblock_has_perm(cred, mnt->mnt_sb, 2857 FILESYSTEM__UNMOUNT, NULL); 2858 } 2859 2860 static int selinux_fs_context_dup(struct fs_context *fc, 2861 struct fs_context *src_fc) 2862 { 2863 const struct selinux_mnt_opts *src = src_fc->security; 2864 struct selinux_mnt_opts *opts; 2865 2866 if (!src) 2867 return 0; 2868 2869 fc->security = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL); 2870 if (!fc->security) 2871 return -ENOMEM; 2872 2873 opts = fc->security; 2874 2875 if (src->fscontext) { 2876 opts->fscontext = kstrdup(src->fscontext, GFP_KERNEL); 2877 if (!opts->fscontext) 2878 return -ENOMEM; 2879 } 2880 if (src->context) { 2881 opts->context = kstrdup(src->context, GFP_KERNEL); 2882 if (!opts->context) 2883 return -ENOMEM; 2884 } 2885 if (src->rootcontext) { 2886 opts->rootcontext = kstrdup(src->rootcontext, GFP_KERNEL); 2887 if (!opts->rootcontext) 2888 return -ENOMEM; 2889 } 2890 if (src->defcontext) { 2891 opts->defcontext = kstrdup(src->defcontext, GFP_KERNEL); 2892 if (!opts->defcontext) 2893 return -ENOMEM; 2894 } 2895 return 0; 2896 } 2897 2898 static const struct fs_parameter_spec selinux_fs_parameters[] = { 2899 fsparam_string(CONTEXT_STR, Opt_context), 2900 fsparam_string(DEFCONTEXT_STR, Opt_defcontext), 2901 fsparam_string(FSCONTEXT_STR, Opt_fscontext), 2902 fsparam_string(ROOTCONTEXT_STR, Opt_rootcontext), 2903 fsparam_flag (SECLABEL_STR, Opt_seclabel), 2904 {} 2905 }; 2906 2907 static int selinux_fs_context_parse_param(struct fs_context *fc, 2908 struct fs_parameter *param) 2909 { 2910 struct fs_parse_result result; 2911 int opt, rc; 2912 2913 opt = fs_parse(fc, selinux_fs_parameters, param, &result); 2914 if (opt < 0) 2915 return opt; 2916 2917 rc = selinux_add_opt(opt, param->string, &fc->security); 2918 if (!rc) { 2919 param->string = NULL; 2920 rc = 1; 2921 } 2922 return rc; 2923 } 2924 2925 /* inode security operations */ 2926 2927 static int selinux_inode_alloc_security(struct inode *inode) 2928 { 2929 struct inode_security_struct *isec = selinux_inode(inode); 2930 u32 sid = current_sid(); 2931 2932 spin_lock_init(&isec->lock); 2933 INIT_LIST_HEAD(&isec->list); 2934 isec->inode = inode; 2935 isec->sid = SECINITSID_UNLABELED; 2936 isec->sclass = SECCLASS_FILE; 2937 isec->task_sid = sid; 2938 isec->initialized = LABEL_INVALID; 2939 2940 return 0; 2941 } 2942 2943 static void selinux_inode_free_security(struct inode *inode) 2944 { 2945 inode_free_security(inode); 2946 } 2947 2948 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2949 const struct qstr *name, void **ctx, 2950 u32 *ctxlen) 2951 { 2952 u32 newsid; 2953 int rc; 2954 2955 rc = selinux_determine_inode_label(selinux_cred(current_cred()), 2956 d_inode(dentry->d_parent), name, 2957 inode_mode_to_security_class(mode), 2958 &newsid); 2959 if (rc) 2960 return rc; 2961 2962 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 2963 ctxlen); 2964 } 2965 2966 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2967 struct qstr *name, 2968 const struct cred *old, 2969 struct cred *new) 2970 { 2971 u32 newsid; 2972 int rc; 2973 struct task_security_struct *tsec; 2974 2975 rc = selinux_determine_inode_label(selinux_cred(old), 2976 d_inode(dentry->d_parent), name, 2977 inode_mode_to_security_class(mode), 2978 &newsid); 2979 if (rc) 2980 return rc; 2981 2982 tsec = selinux_cred(new); 2983 tsec->create_sid = newsid; 2984 return 0; 2985 } 2986 2987 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2988 const struct qstr *qstr, 2989 const char **name, 2990 void **value, size_t *len) 2991 { 2992 const struct task_security_struct *tsec = selinux_cred(current_cred()); 2993 struct superblock_security_struct *sbsec; 2994 u32 newsid, clen; 2995 int rc; 2996 char *context; 2997 2998 sbsec = selinux_superblock(dir->i_sb); 2999 3000 newsid = tsec->create_sid; 3001 3002 rc = selinux_determine_inode_label(tsec, dir, qstr, 3003 inode_mode_to_security_class(inode->i_mode), 3004 &newsid); 3005 if (rc) 3006 return rc; 3007 3008 /* Possibly defer initialization to selinux_complete_init. */ 3009 if (sbsec->flags & SE_SBINITIALIZED) { 3010 struct inode_security_struct *isec = selinux_inode(inode); 3011 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3012 isec->sid = newsid; 3013 isec->initialized = LABEL_INITIALIZED; 3014 } 3015 3016 if (!selinux_initialized(&selinux_state) || 3017 !(sbsec->flags & SBLABEL_MNT)) 3018 return -EOPNOTSUPP; 3019 3020 if (name) 3021 *name = XATTR_SELINUX_SUFFIX; 3022 3023 if (value && len) { 3024 rc = security_sid_to_context_force(&selinux_state, newsid, 3025 &context, &clen); 3026 if (rc) 3027 return rc; 3028 *value = context; 3029 *len = clen; 3030 } 3031 3032 return 0; 3033 } 3034 3035 static int selinux_inode_init_security_anon(struct inode *inode, 3036 const struct qstr *name, 3037 const struct inode *context_inode) 3038 { 3039 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3040 struct common_audit_data ad; 3041 struct inode_security_struct *isec; 3042 int rc; 3043 3044 if (unlikely(!selinux_initialized(&selinux_state))) 3045 return 0; 3046 3047 isec = selinux_inode(inode); 3048 3049 /* 3050 * We only get here once per ephemeral inode. The inode has 3051 * been initialized via inode_alloc_security but is otherwise 3052 * untouched. 3053 */ 3054 3055 if (context_inode) { 3056 struct inode_security_struct *context_isec = 3057 selinux_inode(context_inode); 3058 if (context_isec->initialized != LABEL_INITIALIZED) { 3059 pr_err("SELinux: context_inode is not initialized"); 3060 return -EACCES; 3061 } 3062 3063 isec->sclass = context_isec->sclass; 3064 isec->sid = context_isec->sid; 3065 } else { 3066 isec->sclass = SECCLASS_ANON_INODE; 3067 rc = security_transition_sid( 3068 &selinux_state, tsec->sid, tsec->sid, 3069 isec->sclass, name, &isec->sid); 3070 if (rc) 3071 return rc; 3072 } 3073 3074 isec->initialized = LABEL_INITIALIZED; 3075 /* 3076 * Now that we've initialized security, check whether we're 3077 * allowed to actually create this type of anonymous inode. 3078 */ 3079 3080 ad.type = LSM_AUDIT_DATA_INODE; 3081 ad.u.inode = inode; 3082 3083 return avc_has_perm(&selinux_state, 3084 tsec->sid, 3085 isec->sid, 3086 isec->sclass, 3087 FILE__CREATE, 3088 &ad); 3089 } 3090 3091 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 3092 { 3093 return may_create(dir, dentry, SECCLASS_FILE); 3094 } 3095 3096 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 3097 { 3098 return may_link(dir, old_dentry, MAY_LINK); 3099 } 3100 3101 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 3102 { 3103 return may_link(dir, dentry, MAY_UNLINK); 3104 } 3105 3106 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 3107 { 3108 return may_create(dir, dentry, SECCLASS_LNK_FILE); 3109 } 3110 3111 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 3112 { 3113 return may_create(dir, dentry, SECCLASS_DIR); 3114 } 3115 3116 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 3117 { 3118 return may_link(dir, dentry, MAY_RMDIR); 3119 } 3120 3121 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 3122 { 3123 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 3124 } 3125 3126 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 3127 struct inode *new_inode, struct dentry *new_dentry) 3128 { 3129 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 3130 } 3131 3132 static int selinux_inode_readlink(struct dentry *dentry) 3133 { 3134 const struct cred *cred = current_cred(); 3135 3136 return dentry_has_perm(cred, dentry, FILE__READ); 3137 } 3138 3139 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 3140 bool rcu) 3141 { 3142 const struct cred *cred = current_cred(); 3143 struct common_audit_data ad; 3144 struct inode_security_struct *isec; 3145 u32 sid; 3146 3147 validate_creds(cred); 3148 3149 ad.type = LSM_AUDIT_DATA_DENTRY; 3150 ad.u.dentry = dentry; 3151 sid = cred_sid(cred); 3152 isec = inode_security_rcu(inode, rcu); 3153 if (IS_ERR(isec)) 3154 return PTR_ERR(isec); 3155 3156 return avc_has_perm(&selinux_state, 3157 sid, isec->sid, isec->sclass, FILE__READ, &ad); 3158 } 3159 3160 static noinline int audit_inode_permission(struct inode *inode, 3161 u32 perms, u32 audited, u32 denied, 3162 int result) 3163 { 3164 struct common_audit_data ad; 3165 struct inode_security_struct *isec = selinux_inode(inode); 3166 3167 ad.type = LSM_AUDIT_DATA_INODE; 3168 ad.u.inode = inode; 3169 3170 return slow_avc_audit(&selinux_state, 3171 current_sid(), isec->sid, isec->sclass, perms, 3172 audited, denied, result, &ad); 3173 } 3174 3175 static int selinux_inode_permission(struct inode *inode, int mask) 3176 { 3177 const struct cred *cred = current_cred(); 3178 u32 perms; 3179 bool from_access; 3180 bool no_block = mask & MAY_NOT_BLOCK; 3181 struct inode_security_struct *isec; 3182 u32 sid; 3183 struct av_decision avd; 3184 int rc, rc2; 3185 u32 audited, denied; 3186 3187 from_access = mask & MAY_ACCESS; 3188 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3189 3190 /* No permission to check. Existence test. */ 3191 if (!mask) 3192 return 0; 3193 3194 validate_creds(cred); 3195 3196 if (unlikely(IS_PRIVATE(inode))) 3197 return 0; 3198 3199 perms = file_mask_to_av(inode->i_mode, mask); 3200 3201 sid = cred_sid(cred); 3202 isec = inode_security_rcu(inode, no_block); 3203 if (IS_ERR(isec)) 3204 return PTR_ERR(isec); 3205 3206 rc = avc_has_perm_noaudit(&selinux_state, 3207 sid, isec->sid, isec->sclass, perms, 0, 3208 &avd); 3209 audited = avc_audit_required(perms, &avd, rc, 3210 from_access ? FILE__AUDIT_ACCESS : 0, 3211 &denied); 3212 if (likely(!audited)) 3213 return rc; 3214 3215 rc2 = audit_inode_permission(inode, perms, audited, denied, rc); 3216 if (rc2) 3217 return rc2; 3218 return rc; 3219 } 3220 3221 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3222 { 3223 const struct cred *cred = current_cred(); 3224 struct inode *inode = d_backing_inode(dentry); 3225 unsigned int ia_valid = iattr->ia_valid; 3226 __u32 av = FILE__WRITE; 3227 3228 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3229 if (ia_valid & ATTR_FORCE) { 3230 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3231 ATTR_FORCE); 3232 if (!ia_valid) 3233 return 0; 3234 } 3235 3236 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3237 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3238 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3239 3240 if (selinux_policycap_openperm() && 3241 inode->i_sb->s_magic != SOCKFS_MAGIC && 3242 (ia_valid & ATTR_SIZE) && 3243 !(ia_valid & ATTR_FILE)) 3244 av |= FILE__OPEN; 3245 3246 return dentry_has_perm(cred, dentry, av); 3247 } 3248 3249 static int selinux_inode_getattr(const struct path *path) 3250 { 3251 return path_has_perm(current_cred(), path, FILE__GETATTR); 3252 } 3253 3254 static bool has_cap_mac_admin(bool audit) 3255 { 3256 const struct cred *cred = current_cred(); 3257 unsigned int opts = audit ? CAP_OPT_NONE : CAP_OPT_NOAUDIT; 3258 3259 if (cap_capable(cred, &init_user_ns, CAP_MAC_ADMIN, opts)) 3260 return false; 3261 if (cred_has_capability(cred, CAP_MAC_ADMIN, opts, true)) 3262 return false; 3263 return true; 3264 } 3265 3266 static int selinux_inode_setxattr(struct user_namespace *mnt_userns, 3267 struct dentry *dentry, const char *name, 3268 const void *value, size_t size, int flags) 3269 { 3270 struct inode *inode = d_backing_inode(dentry); 3271 struct inode_security_struct *isec; 3272 struct superblock_security_struct *sbsec; 3273 struct common_audit_data ad; 3274 u32 newsid, sid = current_sid(); 3275 int rc = 0; 3276 3277 if (strcmp(name, XATTR_NAME_SELINUX)) { 3278 rc = cap_inode_setxattr(dentry, name, value, size, flags); 3279 if (rc) 3280 return rc; 3281 3282 /* Not an attribute we recognize, so just check the 3283 ordinary setattr permission. */ 3284 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3285 } 3286 3287 if (!selinux_initialized(&selinux_state)) 3288 return (inode_owner_or_capable(mnt_userns, inode) ? 0 : -EPERM); 3289 3290 sbsec = selinux_superblock(inode->i_sb); 3291 if (!(sbsec->flags & SBLABEL_MNT)) 3292 return -EOPNOTSUPP; 3293 3294 if (!inode_owner_or_capable(mnt_userns, inode)) 3295 return -EPERM; 3296 3297 ad.type = LSM_AUDIT_DATA_DENTRY; 3298 ad.u.dentry = dentry; 3299 3300 isec = backing_inode_security(dentry); 3301 rc = avc_has_perm(&selinux_state, 3302 sid, isec->sid, isec->sclass, 3303 FILE__RELABELFROM, &ad); 3304 if (rc) 3305 return rc; 3306 3307 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3308 GFP_KERNEL); 3309 if (rc == -EINVAL) { 3310 if (!has_cap_mac_admin(true)) { 3311 struct audit_buffer *ab; 3312 size_t audit_size; 3313 3314 /* We strip a nul only if it is at the end, otherwise the 3315 * context contains a nul and we should audit that */ 3316 if (value) { 3317 const char *str = value; 3318 3319 if (str[size - 1] == '\0') 3320 audit_size = size - 1; 3321 else 3322 audit_size = size; 3323 } else { 3324 audit_size = 0; 3325 } 3326 ab = audit_log_start(audit_context(), 3327 GFP_ATOMIC, AUDIT_SELINUX_ERR); 3328 if (!ab) 3329 return rc; 3330 audit_log_format(ab, "op=setxattr invalid_context="); 3331 audit_log_n_untrustedstring(ab, value, audit_size); 3332 audit_log_end(ab); 3333 3334 return rc; 3335 } 3336 rc = security_context_to_sid_force(&selinux_state, value, 3337 size, &newsid); 3338 } 3339 if (rc) 3340 return rc; 3341 3342 rc = avc_has_perm(&selinux_state, 3343 sid, newsid, isec->sclass, 3344 FILE__RELABELTO, &ad); 3345 if (rc) 3346 return rc; 3347 3348 rc = security_validate_transition(&selinux_state, isec->sid, newsid, 3349 sid, isec->sclass); 3350 if (rc) 3351 return rc; 3352 3353 return avc_has_perm(&selinux_state, 3354 newsid, 3355 sbsec->sid, 3356 SECCLASS_FILESYSTEM, 3357 FILESYSTEM__ASSOCIATE, 3358 &ad); 3359 } 3360 3361 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3362 const void *value, size_t size, 3363 int flags) 3364 { 3365 struct inode *inode = d_backing_inode(dentry); 3366 struct inode_security_struct *isec; 3367 u32 newsid; 3368 int rc; 3369 3370 if (strcmp(name, XATTR_NAME_SELINUX)) { 3371 /* Not an attribute we recognize, so nothing to do. */ 3372 return; 3373 } 3374 3375 if (!selinux_initialized(&selinux_state)) { 3376 /* If we haven't even been initialized, then we can't validate 3377 * against a policy, so leave the label as invalid. It may 3378 * resolve to a valid label on the next revalidation try if 3379 * we've since initialized. 3380 */ 3381 return; 3382 } 3383 3384 rc = security_context_to_sid_force(&selinux_state, value, size, 3385 &newsid); 3386 if (rc) { 3387 pr_err("SELinux: unable to map context to SID" 3388 "for (%s, %lu), rc=%d\n", 3389 inode->i_sb->s_id, inode->i_ino, -rc); 3390 return; 3391 } 3392 3393 isec = backing_inode_security(dentry); 3394 spin_lock(&isec->lock); 3395 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3396 isec->sid = newsid; 3397 isec->initialized = LABEL_INITIALIZED; 3398 spin_unlock(&isec->lock); 3399 3400 return; 3401 } 3402 3403 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3404 { 3405 const struct cred *cred = current_cred(); 3406 3407 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3408 } 3409 3410 static int selinux_inode_listxattr(struct dentry *dentry) 3411 { 3412 const struct cred *cred = current_cred(); 3413 3414 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3415 } 3416 3417 static int selinux_inode_removexattr(struct user_namespace *mnt_userns, 3418 struct dentry *dentry, const char *name) 3419 { 3420 if (strcmp(name, XATTR_NAME_SELINUX)) { 3421 int rc = cap_inode_removexattr(mnt_userns, dentry, name); 3422 if (rc) 3423 return rc; 3424 3425 /* Not an attribute we recognize, so just check the 3426 ordinary setattr permission. */ 3427 return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); 3428 } 3429 3430 if (!selinux_initialized(&selinux_state)) 3431 return 0; 3432 3433 /* No one is allowed to remove a SELinux security label. 3434 You can change the label, but all data must be labeled. */ 3435 return -EACCES; 3436 } 3437 3438 static int selinux_path_notify(const struct path *path, u64 mask, 3439 unsigned int obj_type) 3440 { 3441 int ret; 3442 u32 perm; 3443 3444 struct common_audit_data ad; 3445 3446 ad.type = LSM_AUDIT_DATA_PATH; 3447 ad.u.path = *path; 3448 3449 /* 3450 * Set permission needed based on the type of mark being set. 3451 * Performs an additional check for sb watches. 3452 */ 3453 switch (obj_type) { 3454 case FSNOTIFY_OBJ_TYPE_VFSMOUNT: 3455 perm = FILE__WATCH_MOUNT; 3456 break; 3457 case FSNOTIFY_OBJ_TYPE_SB: 3458 perm = FILE__WATCH_SB; 3459 ret = superblock_has_perm(current_cred(), path->dentry->d_sb, 3460 FILESYSTEM__WATCH, &ad); 3461 if (ret) 3462 return ret; 3463 break; 3464 case FSNOTIFY_OBJ_TYPE_INODE: 3465 perm = FILE__WATCH; 3466 break; 3467 default: 3468 return -EINVAL; 3469 } 3470 3471 /* blocking watches require the file:watch_with_perm permission */ 3472 if (mask & (ALL_FSNOTIFY_PERM_EVENTS)) 3473 perm |= FILE__WATCH_WITH_PERM; 3474 3475 /* watches on read-like events need the file:watch_reads permission */ 3476 if (mask & (FS_ACCESS | FS_ACCESS_PERM | FS_CLOSE_NOWRITE)) 3477 perm |= FILE__WATCH_READS; 3478 3479 return path_has_perm(current_cred(), path, perm); 3480 } 3481 3482 /* 3483 * Copy the inode security context value to the user. 3484 * 3485 * Permission check is handled by selinux_inode_getxattr hook. 3486 */ 3487 static int selinux_inode_getsecurity(struct user_namespace *mnt_userns, 3488 struct inode *inode, const char *name, 3489 void **buffer, bool alloc) 3490 { 3491 u32 size; 3492 int error; 3493 char *context = NULL; 3494 struct inode_security_struct *isec; 3495 3496 /* 3497 * If we're not initialized yet, then we can't validate contexts, so 3498 * just let vfs_getxattr fall back to using the on-disk xattr. 3499 */ 3500 if (!selinux_initialized(&selinux_state) || 3501 strcmp(name, XATTR_SELINUX_SUFFIX)) 3502 return -EOPNOTSUPP; 3503 3504 /* 3505 * If the caller has CAP_MAC_ADMIN, then get the raw context 3506 * value even if it is not defined by current policy; otherwise, 3507 * use the in-core value under current policy. 3508 * Use the non-auditing forms of the permission checks since 3509 * getxattr may be called by unprivileged processes commonly 3510 * and lack of permission just means that we fall back to the 3511 * in-core context value, not a denial. 3512 */ 3513 isec = inode_security(inode); 3514 if (has_cap_mac_admin(false)) 3515 error = security_sid_to_context_force(&selinux_state, 3516 isec->sid, &context, 3517 &size); 3518 else 3519 error = security_sid_to_context(&selinux_state, isec->sid, 3520 &context, &size); 3521 if (error) 3522 return error; 3523 error = size; 3524 if (alloc) { 3525 *buffer = context; 3526 goto out_nofree; 3527 } 3528 kfree(context); 3529 out_nofree: 3530 return error; 3531 } 3532 3533 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3534 const void *value, size_t size, int flags) 3535 { 3536 struct inode_security_struct *isec = inode_security_novalidate(inode); 3537 struct superblock_security_struct *sbsec; 3538 u32 newsid; 3539 int rc; 3540 3541 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3542 return -EOPNOTSUPP; 3543 3544 sbsec = selinux_superblock(inode->i_sb); 3545 if (!(sbsec->flags & SBLABEL_MNT)) 3546 return -EOPNOTSUPP; 3547 3548 if (!value || !size) 3549 return -EACCES; 3550 3551 rc = security_context_to_sid(&selinux_state, value, size, &newsid, 3552 GFP_KERNEL); 3553 if (rc) 3554 return rc; 3555 3556 spin_lock(&isec->lock); 3557 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3558 isec->sid = newsid; 3559 isec->initialized = LABEL_INITIALIZED; 3560 spin_unlock(&isec->lock); 3561 return 0; 3562 } 3563 3564 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3565 { 3566 const int len = sizeof(XATTR_NAME_SELINUX); 3567 3568 if (!selinux_initialized(&selinux_state)) 3569 return 0; 3570 3571 if (buffer && len <= buffer_size) 3572 memcpy(buffer, XATTR_NAME_SELINUX, len); 3573 return len; 3574 } 3575 3576 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3577 { 3578 struct inode_security_struct *isec = inode_security_novalidate(inode); 3579 *secid = isec->sid; 3580 } 3581 3582 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3583 { 3584 u32 sid; 3585 struct task_security_struct *tsec; 3586 struct cred *new_creds = *new; 3587 3588 if (new_creds == NULL) { 3589 new_creds = prepare_creds(); 3590 if (!new_creds) 3591 return -ENOMEM; 3592 } 3593 3594 tsec = selinux_cred(new_creds); 3595 /* Get label from overlay inode and set it in create_sid */ 3596 selinux_inode_getsecid(d_inode(src), &sid); 3597 tsec->create_sid = sid; 3598 *new = new_creds; 3599 return 0; 3600 } 3601 3602 static int selinux_inode_copy_up_xattr(const char *name) 3603 { 3604 /* The copy_up hook above sets the initial context on an inode, but we 3605 * don't then want to overwrite it by blindly copying all the lower 3606 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3607 */ 3608 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3609 return 1; /* Discard */ 3610 /* 3611 * Any other attribute apart from SELINUX is not claimed, supported 3612 * by selinux. 3613 */ 3614 return -EOPNOTSUPP; 3615 } 3616 3617 /* kernfs node operations */ 3618 3619 static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, 3620 struct kernfs_node *kn) 3621 { 3622 const struct task_security_struct *tsec = selinux_cred(current_cred()); 3623 u32 parent_sid, newsid, clen; 3624 int rc; 3625 char *context; 3626 3627 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, NULL, 0); 3628 if (rc == -ENODATA) 3629 return 0; 3630 else if (rc < 0) 3631 return rc; 3632 3633 clen = (u32)rc; 3634 context = kmalloc(clen, GFP_KERNEL); 3635 if (!context) 3636 return -ENOMEM; 3637 3638 rc = kernfs_xattr_get(kn_dir, XATTR_NAME_SELINUX, context, clen); 3639 if (rc < 0) { 3640 kfree(context); 3641 return rc; 3642 } 3643 3644 rc = security_context_to_sid(&selinux_state, context, clen, &parent_sid, 3645 GFP_KERNEL); 3646 kfree(context); 3647 if (rc) 3648 return rc; 3649 3650 if (tsec->create_sid) { 3651 newsid = tsec->create_sid; 3652 } else { 3653 u16 secclass = inode_mode_to_security_class(kn->mode); 3654 struct qstr q; 3655 3656 q.name = kn->name; 3657 q.hash_len = hashlen_string(kn_dir, kn->name); 3658 3659 rc = security_transition_sid(&selinux_state, tsec->sid, 3660 parent_sid, secclass, &q, 3661 &newsid); 3662 if (rc) 3663 return rc; 3664 } 3665 3666 rc = security_sid_to_context_force(&selinux_state, newsid, 3667 &context, &clen); 3668 if (rc) 3669 return rc; 3670 3671 rc = kernfs_xattr_set(kn, XATTR_NAME_SELINUX, context, clen, 3672 XATTR_CREATE); 3673 kfree(context); 3674 return rc; 3675 } 3676 3677 3678 /* file security operations */ 3679 3680 static int selinux_revalidate_file_permission(struct file *file, int mask) 3681 { 3682 const struct cred *cred = current_cred(); 3683 struct inode *inode = file_inode(file); 3684 3685 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3686 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3687 mask |= MAY_APPEND; 3688 3689 return file_has_perm(cred, file, 3690 file_mask_to_av(inode->i_mode, mask)); 3691 } 3692 3693 static int selinux_file_permission(struct file *file, int mask) 3694 { 3695 struct inode *inode = file_inode(file); 3696 struct file_security_struct *fsec = selinux_file(file); 3697 struct inode_security_struct *isec; 3698 u32 sid = current_sid(); 3699 3700 if (!mask) 3701 /* No permission to check. Existence test. */ 3702 return 0; 3703 3704 isec = inode_security(inode); 3705 if (sid == fsec->sid && fsec->isid == isec->sid && 3706 fsec->pseqno == avc_policy_seqno(&selinux_state)) 3707 /* No change since file_open check. */ 3708 return 0; 3709 3710 return selinux_revalidate_file_permission(file, mask); 3711 } 3712 3713 static int selinux_file_alloc_security(struct file *file) 3714 { 3715 struct file_security_struct *fsec = selinux_file(file); 3716 u32 sid = current_sid(); 3717 3718 fsec->sid = sid; 3719 fsec->fown_sid = sid; 3720 3721 return 0; 3722 } 3723 3724 /* 3725 * Check whether a task has the ioctl permission and cmd 3726 * operation to an inode. 3727 */ 3728 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3729 u32 requested, u16 cmd) 3730 { 3731 struct common_audit_data ad; 3732 struct file_security_struct *fsec = selinux_file(file); 3733 struct inode *inode = file_inode(file); 3734 struct inode_security_struct *isec; 3735 struct lsm_ioctlop_audit ioctl; 3736 u32 ssid = cred_sid(cred); 3737 int rc; 3738 u8 driver = cmd >> 8; 3739 u8 xperm = cmd & 0xff; 3740 3741 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3742 ad.u.op = &ioctl; 3743 ad.u.op->cmd = cmd; 3744 ad.u.op->path = file->f_path; 3745 3746 if (ssid != fsec->sid) { 3747 rc = avc_has_perm(&selinux_state, 3748 ssid, fsec->sid, 3749 SECCLASS_FD, 3750 FD__USE, 3751 &ad); 3752 if (rc) 3753 goto out; 3754 } 3755 3756 if (unlikely(IS_PRIVATE(inode))) 3757 return 0; 3758 3759 isec = inode_security(inode); 3760 rc = avc_has_extended_perms(&selinux_state, 3761 ssid, isec->sid, isec->sclass, 3762 requested, driver, xperm, &ad); 3763 out: 3764 return rc; 3765 } 3766 3767 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3768 unsigned long arg) 3769 { 3770 const struct cred *cred = current_cred(); 3771 int error = 0; 3772 3773 switch (cmd) { 3774 case FIONREAD: 3775 case FIBMAP: 3776 case FIGETBSZ: 3777 case FS_IOC_GETFLAGS: 3778 case FS_IOC_GETVERSION: 3779 error = file_has_perm(cred, file, FILE__GETATTR); 3780 break; 3781 3782 case FS_IOC_SETFLAGS: 3783 case FS_IOC_SETVERSION: 3784 error = file_has_perm(cred, file, FILE__SETATTR); 3785 break; 3786 3787 /* sys_ioctl() checks */ 3788 case FIONBIO: 3789 case FIOASYNC: 3790 error = file_has_perm(cred, file, 0); 3791 break; 3792 3793 case KDSKBENT: 3794 case KDSKBSENT: 3795 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3796 CAP_OPT_NONE, true); 3797 break; 3798 3799 /* default case assumes that the command will go 3800 * to the file's ioctl() function. 3801 */ 3802 default: 3803 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3804 } 3805 return error; 3806 } 3807 3808 static int default_noexec __ro_after_init; 3809 3810 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3811 { 3812 const struct cred *cred = current_cred(); 3813 u32 sid = cred_sid(cred); 3814 int rc = 0; 3815 3816 if (default_noexec && 3817 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3818 (!shared && (prot & PROT_WRITE)))) { 3819 /* 3820 * We are making executable an anonymous mapping or a 3821 * private file mapping that will also be writable. 3822 * This has an additional check. 3823 */ 3824 rc = avc_has_perm(&selinux_state, 3825 sid, sid, SECCLASS_PROCESS, 3826 PROCESS__EXECMEM, NULL); 3827 if (rc) 3828 goto error; 3829 } 3830 3831 if (file) { 3832 /* read access is always possible with a mapping */ 3833 u32 av = FILE__READ; 3834 3835 /* write access only matters if the mapping is shared */ 3836 if (shared && (prot & PROT_WRITE)) 3837 av |= FILE__WRITE; 3838 3839 if (prot & PROT_EXEC) 3840 av |= FILE__EXECUTE; 3841 3842 return file_has_perm(cred, file, av); 3843 } 3844 3845 error: 3846 return rc; 3847 } 3848 3849 static int selinux_mmap_addr(unsigned long addr) 3850 { 3851 int rc = 0; 3852 3853 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3854 u32 sid = current_sid(); 3855 rc = avc_has_perm(&selinux_state, 3856 sid, sid, SECCLASS_MEMPROTECT, 3857 MEMPROTECT__MMAP_ZERO, NULL); 3858 } 3859 3860 return rc; 3861 } 3862 3863 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3864 unsigned long prot, unsigned long flags) 3865 { 3866 struct common_audit_data ad; 3867 int rc; 3868 3869 if (file) { 3870 ad.type = LSM_AUDIT_DATA_FILE; 3871 ad.u.file = file; 3872 rc = inode_has_perm(current_cred(), file_inode(file), 3873 FILE__MAP, &ad); 3874 if (rc) 3875 return rc; 3876 } 3877 3878 if (checkreqprot_get(&selinux_state)) 3879 prot = reqprot; 3880 3881 return file_map_prot_check(file, prot, 3882 (flags & MAP_TYPE) == MAP_SHARED); 3883 } 3884 3885 static int selinux_file_mprotect(struct vm_area_struct *vma, 3886 unsigned long reqprot, 3887 unsigned long prot) 3888 { 3889 const struct cred *cred = current_cred(); 3890 u32 sid = cred_sid(cred); 3891 3892 if (checkreqprot_get(&selinux_state)) 3893 prot = reqprot; 3894 3895 if (default_noexec && 3896 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3897 int rc = 0; 3898 if (vma->vm_start >= vma->vm_mm->start_brk && 3899 vma->vm_end <= vma->vm_mm->brk) { 3900 rc = avc_has_perm(&selinux_state, 3901 sid, sid, SECCLASS_PROCESS, 3902 PROCESS__EXECHEAP, NULL); 3903 } else if (!vma->vm_file && 3904 ((vma->vm_start <= vma->vm_mm->start_stack && 3905 vma->vm_end >= vma->vm_mm->start_stack) || 3906 vma_is_stack_for_current(vma))) { 3907 rc = avc_has_perm(&selinux_state, 3908 sid, sid, SECCLASS_PROCESS, 3909 PROCESS__EXECSTACK, NULL); 3910 } else if (vma->vm_file && vma->anon_vma) { 3911 /* 3912 * We are making executable a file mapping that has 3913 * had some COW done. Since pages might have been 3914 * written, check ability to execute the possibly 3915 * modified content. This typically should only 3916 * occur for text relocations. 3917 */ 3918 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3919 } 3920 if (rc) 3921 return rc; 3922 } 3923 3924 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3925 } 3926 3927 static int selinux_file_lock(struct file *file, unsigned int cmd) 3928 { 3929 const struct cred *cred = current_cred(); 3930 3931 return file_has_perm(cred, file, FILE__LOCK); 3932 } 3933 3934 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3935 unsigned long arg) 3936 { 3937 const struct cred *cred = current_cred(); 3938 int err = 0; 3939 3940 switch (cmd) { 3941 case F_SETFL: 3942 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3943 err = file_has_perm(cred, file, FILE__WRITE); 3944 break; 3945 } 3946 fallthrough; 3947 case F_SETOWN: 3948 case F_SETSIG: 3949 case F_GETFL: 3950 case F_GETOWN: 3951 case F_GETSIG: 3952 case F_GETOWNER_UIDS: 3953 /* Just check FD__USE permission */ 3954 err = file_has_perm(cred, file, 0); 3955 break; 3956 case F_GETLK: 3957 case F_SETLK: 3958 case F_SETLKW: 3959 case F_OFD_GETLK: 3960 case F_OFD_SETLK: 3961 case F_OFD_SETLKW: 3962 #if BITS_PER_LONG == 32 3963 case F_GETLK64: 3964 case F_SETLK64: 3965 case F_SETLKW64: 3966 #endif 3967 err = file_has_perm(cred, file, FILE__LOCK); 3968 break; 3969 } 3970 3971 return err; 3972 } 3973 3974 static void selinux_file_set_fowner(struct file *file) 3975 { 3976 struct file_security_struct *fsec; 3977 3978 fsec = selinux_file(file); 3979 fsec->fown_sid = current_sid(); 3980 } 3981 3982 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3983 struct fown_struct *fown, int signum) 3984 { 3985 struct file *file; 3986 u32 sid = task_sid_obj(tsk); 3987 u32 perm; 3988 struct file_security_struct *fsec; 3989 3990 /* struct fown_struct is never outside the context of a struct file */ 3991 file = container_of(fown, struct file, f_owner); 3992 3993 fsec = selinux_file(file); 3994 3995 if (!signum) 3996 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3997 else 3998 perm = signal_to_av(signum); 3999 4000 return avc_has_perm(&selinux_state, 4001 fsec->fown_sid, sid, 4002 SECCLASS_PROCESS, perm, NULL); 4003 } 4004 4005 static int selinux_file_receive(struct file *file) 4006 { 4007 const struct cred *cred = current_cred(); 4008 4009 return file_has_perm(cred, file, file_to_av(file)); 4010 } 4011 4012 static int selinux_file_open(struct file *file) 4013 { 4014 struct file_security_struct *fsec; 4015 struct inode_security_struct *isec; 4016 4017 fsec = selinux_file(file); 4018 isec = inode_security(file_inode(file)); 4019 /* 4020 * Save inode label and policy sequence number 4021 * at open-time so that selinux_file_permission 4022 * can determine whether revalidation is necessary. 4023 * Task label is already saved in the file security 4024 * struct as its SID. 4025 */ 4026 fsec->isid = isec->sid; 4027 fsec->pseqno = avc_policy_seqno(&selinux_state); 4028 /* 4029 * Since the inode label or policy seqno may have changed 4030 * between the selinux_inode_permission check and the saving 4031 * of state above, recheck that access is still permitted. 4032 * Otherwise, access might never be revalidated against the 4033 * new inode label or new policy. 4034 * This check is not redundant - do not remove. 4035 */ 4036 return file_path_has_perm(file->f_cred, file, open_file_to_av(file)); 4037 } 4038 4039 /* task security operations */ 4040 4041 static int selinux_task_alloc(struct task_struct *task, 4042 unsigned long clone_flags) 4043 { 4044 u32 sid = current_sid(); 4045 4046 return avc_has_perm(&selinux_state, 4047 sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); 4048 } 4049 4050 /* 4051 * prepare a new set of credentials for modification 4052 */ 4053 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 4054 gfp_t gfp) 4055 { 4056 const struct task_security_struct *old_tsec = selinux_cred(old); 4057 struct task_security_struct *tsec = selinux_cred(new); 4058 4059 *tsec = *old_tsec; 4060 return 0; 4061 } 4062 4063 /* 4064 * transfer the SELinux data to a blank set of creds 4065 */ 4066 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 4067 { 4068 const struct task_security_struct *old_tsec = selinux_cred(old); 4069 struct task_security_struct *tsec = selinux_cred(new); 4070 4071 *tsec = *old_tsec; 4072 } 4073 4074 static void selinux_cred_getsecid(const struct cred *c, u32 *secid) 4075 { 4076 *secid = cred_sid(c); 4077 } 4078 4079 /* 4080 * set the security data for a kernel service 4081 * - all the creation contexts are set to unlabelled 4082 */ 4083 static int selinux_kernel_act_as(struct cred *new, u32 secid) 4084 { 4085 struct task_security_struct *tsec = selinux_cred(new); 4086 u32 sid = current_sid(); 4087 int ret; 4088 4089 ret = avc_has_perm(&selinux_state, 4090 sid, secid, 4091 SECCLASS_KERNEL_SERVICE, 4092 KERNEL_SERVICE__USE_AS_OVERRIDE, 4093 NULL); 4094 if (ret == 0) { 4095 tsec->sid = secid; 4096 tsec->create_sid = 0; 4097 tsec->keycreate_sid = 0; 4098 tsec->sockcreate_sid = 0; 4099 } 4100 return ret; 4101 } 4102 4103 /* 4104 * set the file creation context in a security record to the same as the 4105 * objective context of the specified inode 4106 */ 4107 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 4108 { 4109 struct inode_security_struct *isec = inode_security(inode); 4110 struct task_security_struct *tsec = selinux_cred(new); 4111 u32 sid = current_sid(); 4112 int ret; 4113 4114 ret = avc_has_perm(&selinux_state, 4115 sid, isec->sid, 4116 SECCLASS_KERNEL_SERVICE, 4117 KERNEL_SERVICE__CREATE_FILES_AS, 4118 NULL); 4119 4120 if (ret == 0) 4121 tsec->create_sid = isec->sid; 4122 return ret; 4123 } 4124 4125 static int selinux_kernel_module_request(char *kmod_name) 4126 { 4127 struct common_audit_data ad; 4128 4129 ad.type = LSM_AUDIT_DATA_KMOD; 4130 ad.u.kmod_name = kmod_name; 4131 4132 return avc_has_perm(&selinux_state, 4133 current_sid(), SECINITSID_KERNEL, SECCLASS_SYSTEM, 4134 SYSTEM__MODULE_REQUEST, &ad); 4135 } 4136 4137 static int selinux_kernel_module_from_file(struct file *file) 4138 { 4139 struct common_audit_data ad; 4140 struct inode_security_struct *isec; 4141 struct file_security_struct *fsec; 4142 u32 sid = current_sid(); 4143 int rc; 4144 4145 /* init_module */ 4146 if (file == NULL) 4147 return avc_has_perm(&selinux_state, 4148 sid, sid, SECCLASS_SYSTEM, 4149 SYSTEM__MODULE_LOAD, NULL); 4150 4151 /* finit_module */ 4152 4153 ad.type = LSM_AUDIT_DATA_FILE; 4154 ad.u.file = file; 4155 4156 fsec = selinux_file(file); 4157 if (sid != fsec->sid) { 4158 rc = avc_has_perm(&selinux_state, 4159 sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 4160 if (rc) 4161 return rc; 4162 } 4163 4164 isec = inode_security(file_inode(file)); 4165 return avc_has_perm(&selinux_state, 4166 sid, isec->sid, SECCLASS_SYSTEM, 4167 SYSTEM__MODULE_LOAD, &ad); 4168 } 4169 4170 static int selinux_kernel_read_file(struct file *file, 4171 enum kernel_read_file_id id, 4172 bool contents) 4173 { 4174 int rc = 0; 4175 4176 switch (id) { 4177 case READING_MODULE: 4178 rc = selinux_kernel_module_from_file(contents ? file : NULL); 4179 break; 4180 default: 4181 break; 4182 } 4183 4184 return rc; 4185 } 4186 4187 static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents) 4188 { 4189 int rc = 0; 4190 4191 switch (id) { 4192 case LOADING_MODULE: 4193 rc = selinux_kernel_module_from_file(NULL); 4194 break; 4195 default: 4196 break; 4197 } 4198 4199 return rc; 4200 } 4201 4202 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 4203 { 4204 return avc_has_perm(&selinux_state, 4205 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4206 PROCESS__SETPGID, NULL); 4207 } 4208 4209 static int selinux_task_getpgid(struct task_struct *p) 4210 { 4211 return avc_has_perm(&selinux_state, 4212 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4213 PROCESS__GETPGID, NULL); 4214 } 4215 4216 static int selinux_task_getsid(struct task_struct *p) 4217 { 4218 return avc_has_perm(&selinux_state, 4219 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4220 PROCESS__GETSESSION, NULL); 4221 } 4222 4223 static void selinux_task_getsecid_subj(struct task_struct *p, u32 *secid) 4224 { 4225 *secid = task_sid_subj(p); 4226 } 4227 4228 static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) 4229 { 4230 *secid = task_sid_obj(p); 4231 } 4232 4233 static int selinux_task_setnice(struct task_struct *p, int nice) 4234 { 4235 return avc_has_perm(&selinux_state, 4236 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4237 PROCESS__SETSCHED, NULL); 4238 } 4239 4240 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 4241 { 4242 return avc_has_perm(&selinux_state, 4243 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4244 PROCESS__SETSCHED, NULL); 4245 } 4246 4247 static int selinux_task_getioprio(struct task_struct *p) 4248 { 4249 return avc_has_perm(&selinux_state, 4250 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4251 PROCESS__GETSCHED, NULL); 4252 } 4253 4254 static int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred, 4255 unsigned int flags) 4256 { 4257 u32 av = 0; 4258 4259 if (!flags) 4260 return 0; 4261 if (flags & LSM_PRLIMIT_WRITE) 4262 av |= PROCESS__SETRLIMIT; 4263 if (flags & LSM_PRLIMIT_READ) 4264 av |= PROCESS__GETRLIMIT; 4265 return avc_has_perm(&selinux_state, 4266 cred_sid(cred), cred_sid(tcred), 4267 SECCLASS_PROCESS, av, NULL); 4268 } 4269 4270 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 4271 struct rlimit *new_rlim) 4272 { 4273 struct rlimit *old_rlim = p->signal->rlim + resource; 4274 4275 /* Control the ability to change the hard limit (whether 4276 lowering or raising it), so that the hard limit can 4277 later be used as a safe reset point for the soft limit 4278 upon context transitions. See selinux_bprm_committing_creds. */ 4279 if (old_rlim->rlim_max != new_rlim->rlim_max) 4280 return avc_has_perm(&selinux_state, 4281 current_sid(), task_sid_obj(p), 4282 SECCLASS_PROCESS, PROCESS__SETRLIMIT, NULL); 4283 4284 return 0; 4285 } 4286 4287 static int selinux_task_setscheduler(struct task_struct *p) 4288 { 4289 return avc_has_perm(&selinux_state, 4290 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4291 PROCESS__SETSCHED, NULL); 4292 } 4293 4294 static int selinux_task_getscheduler(struct task_struct *p) 4295 { 4296 return avc_has_perm(&selinux_state, 4297 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4298 PROCESS__GETSCHED, NULL); 4299 } 4300 4301 static int selinux_task_movememory(struct task_struct *p) 4302 { 4303 return avc_has_perm(&selinux_state, 4304 current_sid(), task_sid_obj(p), SECCLASS_PROCESS, 4305 PROCESS__SETSCHED, NULL); 4306 } 4307 4308 static int selinux_task_kill(struct task_struct *p, struct kernel_siginfo *info, 4309 int sig, const struct cred *cred) 4310 { 4311 u32 secid; 4312 u32 perm; 4313 4314 if (!sig) 4315 perm = PROCESS__SIGNULL; /* null signal; existence test */ 4316 else 4317 perm = signal_to_av(sig); 4318 if (!cred) 4319 secid = current_sid(); 4320 else 4321 secid = cred_sid(cred); 4322 return avc_has_perm(&selinux_state, 4323 secid, task_sid_obj(p), SECCLASS_PROCESS, perm, NULL); 4324 } 4325 4326 static void selinux_task_to_inode(struct task_struct *p, 4327 struct inode *inode) 4328 { 4329 struct inode_security_struct *isec = selinux_inode(inode); 4330 u32 sid = task_sid_obj(p); 4331 4332 spin_lock(&isec->lock); 4333 isec->sclass = inode_mode_to_security_class(inode->i_mode); 4334 isec->sid = sid; 4335 isec->initialized = LABEL_INITIALIZED; 4336 spin_unlock(&isec->lock); 4337 } 4338 4339 /* Returns error only if unable to parse addresses */ 4340 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 4341 struct common_audit_data *ad, u8 *proto) 4342 { 4343 int offset, ihlen, ret = -EINVAL; 4344 struct iphdr _iph, *ih; 4345 4346 offset = skb_network_offset(skb); 4347 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 4348 if (ih == NULL) 4349 goto out; 4350 4351 ihlen = ih->ihl * 4; 4352 if (ihlen < sizeof(_iph)) 4353 goto out; 4354 4355 ad->u.net->v4info.saddr = ih->saddr; 4356 ad->u.net->v4info.daddr = ih->daddr; 4357 ret = 0; 4358 4359 if (proto) 4360 *proto = ih->protocol; 4361 4362 switch (ih->protocol) { 4363 case IPPROTO_TCP: { 4364 struct tcphdr _tcph, *th; 4365 4366 if (ntohs(ih->frag_off) & IP_OFFSET) 4367 break; 4368 4369 offset += ihlen; 4370 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4371 if (th == NULL) 4372 break; 4373 4374 ad->u.net->sport = th->source; 4375 ad->u.net->dport = th->dest; 4376 break; 4377 } 4378 4379 case IPPROTO_UDP: { 4380 struct udphdr _udph, *uh; 4381 4382 if (ntohs(ih->frag_off) & IP_OFFSET) 4383 break; 4384 4385 offset += ihlen; 4386 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4387 if (uh == NULL) 4388 break; 4389 4390 ad->u.net->sport = uh->source; 4391 ad->u.net->dport = uh->dest; 4392 break; 4393 } 4394 4395 case IPPROTO_DCCP: { 4396 struct dccp_hdr _dccph, *dh; 4397 4398 if (ntohs(ih->frag_off) & IP_OFFSET) 4399 break; 4400 4401 offset += ihlen; 4402 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4403 if (dh == NULL) 4404 break; 4405 4406 ad->u.net->sport = dh->dccph_sport; 4407 ad->u.net->dport = dh->dccph_dport; 4408 break; 4409 } 4410 4411 #if IS_ENABLED(CONFIG_IP_SCTP) 4412 case IPPROTO_SCTP: { 4413 struct sctphdr _sctph, *sh; 4414 4415 if (ntohs(ih->frag_off) & IP_OFFSET) 4416 break; 4417 4418 offset += ihlen; 4419 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4420 if (sh == NULL) 4421 break; 4422 4423 ad->u.net->sport = sh->source; 4424 ad->u.net->dport = sh->dest; 4425 break; 4426 } 4427 #endif 4428 default: 4429 break; 4430 } 4431 out: 4432 return ret; 4433 } 4434 4435 #if IS_ENABLED(CONFIG_IPV6) 4436 4437 /* Returns error only if unable to parse addresses */ 4438 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4439 struct common_audit_data *ad, u8 *proto) 4440 { 4441 u8 nexthdr; 4442 int ret = -EINVAL, offset; 4443 struct ipv6hdr _ipv6h, *ip6; 4444 __be16 frag_off; 4445 4446 offset = skb_network_offset(skb); 4447 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4448 if (ip6 == NULL) 4449 goto out; 4450 4451 ad->u.net->v6info.saddr = ip6->saddr; 4452 ad->u.net->v6info.daddr = ip6->daddr; 4453 ret = 0; 4454 4455 nexthdr = ip6->nexthdr; 4456 offset += sizeof(_ipv6h); 4457 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4458 if (offset < 0) 4459 goto out; 4460 4461 if (proto) 4462 *proto = nexthdr; 4463 4464 switch (nexthdr) { 4465 case IPPROTO_TCP: { 4466 struct tcphdr _tcph, *th; 4467 4468 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4469 if (th == NULL) 4470 break; 4471 4472 ad->u.net->sport = th->source; 4473 ad->u.net->dport = th->dest; 4474 break; 4475 } 4476 4477 case IPPROTO_UDP: { 4478 struct udphdr _udph, *uh; 4479 4480 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4481 if (uh == NULL) 4482 break; 4483 4484 ad->u.net->sport = uh->source; 4485 ad->u.net->dport = uh->dest; 4486 break; 4487 } 4488 4489 case IPPROTO_DCCP: { 4490 struct dccp_hdr _dccph, *dh; 4491 4492 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4493 if (dh == NULL) 4494 break; 4495 4496 ad->u.net->sport = dh->dccph_sport; 4497 ad->u.net->dport = dh->dccph_dport; 4498 break; 4499 } 4500 4501 #if IS_ENABLED(CONFIG_IP_SCTP) 4502 case IPPROTO_SCTP: { 4503 struct sctphdr _sctph, *sh; 4504 4505 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 4506 if (sh == NULL) 4507 break; 4508 4509 ad->u.net->sport = sh->source; 4510 ad->u.net->dport = sh->dest; 4511 break; 4512 } 4513 #endif 4514 /* includes fragments */ 4515 default: 4516 break; 4517 } 4518 out: 4519 return ret; 4520 } 4521 4522 #endif /* IPV6 */ 4523 4524 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4525 char **_addrp, int src, u8 *proto) 4526 { 4527 char *addrp; 4528 int ret; 4529 4530 switch (ad->u.net->family) { 4531 case PF_INET: 4532 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4533 if (ret) 4534 goto parse_error; 4535 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4536 &ad->u.net->v4info.daddr); 4537 goto okay; 4538 4539 #if IS_ENABLED(CONFIG_IPV6) 4540 case PF_INET6: 4541 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4542 if (ret) 4543 goto parse_error; 4544 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4545 &ad->u.net->v6info.daddr); 4546 goto okay; 4547 #endif /* IPV6 */ 4548 default: 4549 addrp = NULL; 4550 goto okay; 4551 } 4552 4553 parse_error: 4554 pr_warn( 4555 "SELinux: failure in selinux_parse_skb()," 4556 " unable to parse packet\n"); 4557 return ret; 4558 4559 okay: 4560 if (_addrp) 4561 *_addrp = addrp; 4562 return 0; 4563 } 4564 4565 /** 4566 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4567 * @skb: the packet 4568 * @family: protocol family 4569 * @sid: the packet's peer label SID 4570 * 4571 * Description: 4572 * Check the various different forms of network peer labeling and determine 4573 * the peer label/SID for the packet; most of the magic actually occurs in 4574 * the security server function security_net_peersid_cmp(). The function 4575 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4576 * or -EACCES if @sid is invalid due to inconsistencies with the different 4577 * peer labels. 4578 * 4579 */ 4580 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4581 { 4582 int err; 4583 u32 xfrm_sid; 4584 u32 nlbl_sid; 4585 u32 nlbl_type; 4586 4587 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4588 if (unlikely(err)) 4589 return -EACCES; 4590 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4591 if (unlikely(err)) 4592 return -EACCES; 4593 4594 err = security_net_peersid_resolve(&selinux_state, nlbl_sid, 4595 nlbl_type, xfrm_sid, sid); 4596 if (unlikely(err)) { 4597 pr_warn( 4598 "SELinux: failure in selinux_skb_peerlbl_sid()," 4599 " unable to determine packet's peer label\n"); 4600 return -EACCES; 4601 } 4602 4603 return 0; 4604 } 4605 4606 /** 4607 * selinux_conn_sid - Determine the child socket label for a connection 4608 * @sk_sid: the parent socket's SID 4609 * @skb_sid: the packet's SID 4610 * @conn_sid: the resulting connection SID 4611 * 4612 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4613 * combined with the MLS information from @skb_sid in order to create 4614 * @conn_sid. If @skb_sid is not valid then @conn_sid is simply a copy 4615 * of @sk_sid. Returns zero on success, negative values on failure. 4616 * 4617 */ 4618 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4619 { 4620 int err = 0; 4621 4622 if (skb_sid != SECSID_NULL) 4623 err = security_sid_mls_copy(&selinux_state, sk_sid, skb_sid, 4624 conn_sid); 4625 else 4626 *conn_sid = sk_sid; 4627 4628 return err; 4629 } 4630 4631 /* socket security operations */ 4632 4633 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4634 u16 secclass, u32 *socksid) 4635 { 4636 if (tsec->sockcreate_sid > SECSID_NULL) { 4637 *socksid = tsec->sockcreate_sid; 4638 return 0; 4639 } 4640 4641 return security_transition_sid(&selinux_state, tsec->sid, tsec->sid, 4642 secclass, NULL, socksid); 4643 } 4644 4645 static int sock_has_perm(struct sock *sk, u32 perms) 4646 { 4647 struct sk_security_struct *sksec = sk->sk_security; 4648 struct common_audit_data ad; 4649 struct lsm_network_audit net = {0,}; 4650 4651 if (sksec->sid == SECINITSID_KERNEL) 4652 return 0; 4653 4654 ad.type = LSM_AUDIT_DATA_NET; 4655 ad.u.net = &net; 4656 ad.u.net->sk = sk; 4657 4658 return avc_has_perm(&selinux_state, 4659 current_sid(), sksec->sid, sksec->sclass, perms, 4660 &ad); 4661 } 4662 4663 static int selinux_socket_create(int family, int type, 4664 int protocol, int kern) 4665 { 4666 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4667 u32 newsid; 4668 u16 secclass; 4669 int rc; 4670 4671 if (kern) 4672 return 0; 4673 4674 secclass = socket_type_to_security_class(family, type, protocol); 4675 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4676 if (rc) 4677 return rc; 4678 4679 return avc_has_perm(&selinux_state, 4680 tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4681 } 4682 4683 static int selinux_socket_post_create(struct socket *sock, int family, 4684 int type, int protocol, int kern) 4685 { 4686 const struct task_security_struct *tsec = selinux_cred(current_cred()); 4687 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4688 struct sk_security_struct *sksec; 4689 u16 sclass = socket_type_to_security_class(family, type, protocol); 4690 u32 sid = SECINITSID_KERNEL; 4691 int err = 0; 4692 4693 if (!kern) { 4694 err = socket_sockcreate_sid(tsec, sclass, &sid); 4695 if (err) 4696 return err; 4697 } 4698 4699 isec->sclass = sclass; 4700 isec->sid = sid; 4701 isec->initialized = LABEL_INITIALIZED; 4702 4703 if (sock->sk) { 4704 sksec = sock->sk->sk_security; 4705 sksec->sclass = sclass; 4706 sksec->sid = sid; 4707 /* Allows detection of the first association on this socket */ 4708 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4709 sksec->sctp_assoc_state = SCTP_ASSOC_UNSET; 4710 4711 err = selinux_netlbl_socket_post_create(sock->sk, family); 4712 } 4713 4714 return err; 4715 } 4716 4717 static int selinux_socket_socketpair(struct socket *socka, 4718 struct socket *sockb) 4719 { 4720 struct sk_security_struct *sksec_a = socka->sk->sk_security; 4721 struct sk_security_struct *sksec_b = sockb->sk->sk_security; 4722 4723 sksec_a->peer_sid = sksec_b->sid; 4724 sksec_b->peer_sid = sksec_a->sid; 4725 4726 return 0; 4727 } 4728 4729 /* Range of port numbers used to automatically bind. 4730 Need to determine whether we should perform a name_bind 4731 permission check between the socket and the port number. */ 4732 4733 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4734 { 4735 struct sock *sk = sock->sk; 4736 struct sk_security_struct *sksec = sk->sk_security; 4737 u16 family; 4738 int err; 4739 4740 err = sock_has_perm(sk, SOCKET__BIND); 4741 if (err) 4742 goto out; 4743 4744 /* If PF_INET or PF_INET6, check name_bind permission for the port. */ 4745 family = sk->sk_family; 4746 if (family == PF_INET || family == PF_INET6) { 4747 char *addrp; 4748 struct common_audit_data ad; 4749 struct lsm_network_audit net = {0,}; 4750 struct sockaddr_in *addr4 = NULL; 4751 struct sockaddr_in6 *addr6 = NULL; 4752 u16 family_sa; 4753 unsigned short snum; 4754 u32 sid, node_perm; 4755 4756 /* 4757 * sctp_bindx(3) calls via selinux_sctp_bind_connect() 4758 * that validates multiple binding addresses. Because of this 4759 * need to check address->sa_family as it is possible to have 4760 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4761 */ 4762 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4763 return -EINVAL; 4764 family_sa = address->sa_family; 4765 switch (family_sa) { 4766 case AF_UNSPEC: 4767 case AF_INET: 4768 if (addrlen < sizeof(struct sockaddr_in)) 4769 return -EINVAL; 4770 addr4 = (struct sockaddr_in *)address; 4771 if (family_sa == AF_UNSPEC) { 4772 /* see __inet_bind(), we only want to allow 4773 * AF_UNSPEC if the address is INADDR_ANY 4774 */ 4775 if (addr4->sin_addr.s_addr != htonl(INADDR_ANY)) 4776 goto err_af; 4777 family_sa = AF_INET; 4778 } 4779 snum = ntohs(addr4->sin_port); 4780 addrp = (char *)&addr4->sin_addr.s_addr; 4781 break; 4782 case AF_INET6: 4783 if (addrlen < SIN6_LEN_RFC2133) 4784 return -EINVAL; 4785 addr6 = (struct sockaddr_in6 *)address; 4786 snum = ntohs(addr6->sin6_port); 4787 addrp = (char *)&addr6->sin6_addr.s6_addr; 4788 break; 4789 default: 4790 goto err_af; 4791 } 4792 4793 ad.type = LSM_AUDIT_DATA_NET; 4794 ad.u.net = &net; 4795 ad.u.net->sport = htons(snum); 4796 ad.u.net->family = family_sa; 4797 4798 if (snum) { 4799 int low, high; 4800 4801 inet_get_local_port_range(sock_net(sk), &low, &high); 4802 4803 if (inet_port_requires_bind_service(sock_net(sk), snum) || 4804 snum < low || snum > high) { 4805 err = sel_netport_sid(sk->sk_protocol, 4806 snum, &sid); 4807 if (err) 4808 goto out; 4809 err = avc_has_perm(&selinux_state, 4810 sksec->sid, sid, 4811 sksec->sclass, 4812 SOCKET__NAME_BIND, &ad); 4813 if (err) 4814 goto out; 4815 } 4816 } 4817 4818 switch (sksec->sclass) { 4819 case SECCLASS_TCP_SOCKET: 4820 node_perm = TCP_SOCKET__NODE_BIND; 4821 break; 4822 4823 case SECCLASS_UDP_SOCKET: 4824 node_perm = UDP_SOCKET__NODE_BIND; 4825 break; 4826 4827 case SECCLASS_DCCP_SOCKET: 4828 node_perm = DCCP_SOCKET__NODE_BIND; 4829 break; 4830 4831 case SECCLASS_SCTP_SOCKET: 4832 node_perm = SCTP_SOCKET__NODE_BIND; 4833 break; 4834 4835 default: 4836 node_perm = RAWIP_SOCKET__NODE_BIND; 4837 break; 4838 } 4839 4840 err = sel_netnode_sid(addrp, family_sa, &sid); 4841 if (err) 4842 goto out; 4843 4844 if (family_sa == AF_INET) 4845 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4846 else 4847 ad.u.net->v6info.saddr = addr6->sin6_addr; 4848 4849 err = avc_has_perm(&selinux_state, 4850 sksec->sid, sid, 4851 sksec->sclass, node_perm, &ad); 4852 if (err) 4853 goto out; 4854 } 4855 out: 4856 return err; 4857 err_af: 4858 /* Note that SCTP services expect -EINVAL, others -EAFNOSUPPORT. */ 4859 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4860 return -EINVAL; 4861 return -EAFNOSUPPORT; 4862 } 4863 4864 /* This supports connect(2) and SCTP connect services such as sctp_connectx(3) 4865 * and sctp_sendmsg(3) as described in Documentation/security/SCTP.rst 4866 */ 4867 static int selinux_socket_connect_helper(struct socket *sock, 4868 struct sockaddr *address, int addrlen) 4869 { 4870 struct sock *sk = sock->sk; 4871 struct sk_security_struct *sksec = sk->sk_security; 4872 int err; 4873 4874 err = sock_has_perm(sk, SOCKET__CONNECT); 4875 if (err) 4876 return err; 4877 if (addrlen < offsetofend(struct sockaddr, sa_family)) 4878 return -EINVAL; 4879 4880 /* connect(AF_UNSPEC) has special handling, as it is a documented 4881 * way to disconnect the socket 4882 */ 4883 if (address->sa_family == AF_UNSPEC) 4884 return 0; 4885 4886 /* 4887 * If a TCP, DCCP or SCTP socket, check name_connect permission 4888 * for the port. 4889 */ 4890 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4891 sksec->sclass == SECCLASS_DCCP_SOCKET || 4892 sksec->sclass == SECCLASS_SCTP_SOCKET) { 4893 struct common_audit_data ad; 4894 struct lsm_network_audit net = {0,}; 4895 struct sockaddr_in *addr4 = NULL; 4896 struct sockaddr_in6 *addr6 = NULL; 4897 unsigned short snum; 4898 u32 sid, perm; 4899 4900 /* sctp_connectx(3) calls via selinux_sctp_bind_connect() 4901 * that validates multiple connect addresses. Because of this 4902 * need to check address->sa_family as it is possible to have 4903 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET. 4904 */ 4905 switch (address->sa_family) { 4906 case AF_INET: 4907 addr4 = (struct sockaddr_in *)address; 4908 if (addrlen < sizeof(struct sockaddr_in)) 4909 return -EINVAL; 4910 snum = ntohs(addr4->sin_port); 4911 break; 4912 case AF_INET6: 4913 addr6 = (struct sockaddr_in6 *)address; 4914 if (addrlen < SIN6_LEN_RFC2133) 4915 return -EINVAL; 4916 snum = ntohs(addr6->sin6_port); 4917 break; 4918 default: 4919 /* Note that SCTP services expect -EINVAL, whereas 4920 * others expect -EAFNOSUPPORT. 4921 */ 4922 if (sksec->sclass == SECCLASS_SCTP_SOCKET) 4923 return -EINVAL; 4924 else 4925 return -EAFNOSUPPORT; 4926 } 4927 4928 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4929 if (err) 4930 return err; 4931 4932 switch (sksec->sclass) { 4933 case SECCLASS_TCP_SOCKET: 4934 perm = TCP_SOCKET__NAME_CONNECT; 4935 break; 4936 case SECCLASS_DCCP_SOCKET: 4937 perm = DCCP_SOCKET__NAME_CONNECT; 4938 break; 4939 case SECCLASS_SCTP_SOCKET: 4940 perm = SCTP_SOCKET__NAME_CONNECT; 4941 break; 4942 } 4943 4944 ad.type = LSM_AUDIT_DATA_NET; 4945 ad.u.net = &net; 4946 ad.u.net->dport = htons(snum); 4947 ad.u.net->family = address->sa_family; 4948 err = avc_has_perm(&selinux_state, 4949 sksec->sid, sid, sksec->sclass, perm, &ad); 4950 if (err) 4951 return err; 4952 } 4953 4954 return 0; 4955 } 4956 4957 /* Supports connect(2), see comments in selinux_socket_connect_helper() */ 4958 static int selinux_socket_connect(struct socket *sock, 4959 struct sockaddr *address, int addrlen) 4960 { 4961 int err; 4962 struct sock *sk = sock->sk; 4963 4964 err = selinux_socket_connect_helper(sock, address, addrlen); 4965 if (err) 4966 return err; 4967 4968 return selinux_netlbl_socket_connect(sk, address); 4969 } 4970 4971 static int selinux_socket_listen(struct socket *sock, int backlog) 4972 { 4973 return sock_has_perm(sock->sk, SOCKET__LISTEN); 4974 } 4975 4976 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4977 { 4978 int err; 4979 struct inode_security_struct *isec; 4980 struct inode_security_struct *newisec; 4981 u16 sclass; 4982 u32 sid; 4983 4984 err = sock_has_perm(sock->sk, SOCKET__ACCEPT); 4985 if (err) 4986 return err; 4987 4988 isec = inode_security_novalidate(SOCK_INODE(sock)); 4989 spin_lock(&isec->lock); 4990 sclass = isec->sclass; 4991 sid = isec->sid; 4992 spin_unlock(&isec->lock); 4993 4994 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4995 newisec->sclass = sclass; 4996 newisec->sid = sid; 4997 newisec->initialized = LABEL_INITIALIZED; 4998 4999 return 0; 5000 } 5001 5002 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 5003 int size) 5004 { 5005 return sock_has_perm(sock->sk, SOCKET__WRITE); 5006 } 5007 5008 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 5009 int size, int flags) 5010 { 5011 return sock_has_perm(sock->sk, SOCKET__READ); 5012 } 5013 5014 static int selinux_socket_getsockname(struct socket *sock) 5015 { 5016 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5017 } 5018 5019 static int selinux_socket_getpeername(struct socket *sock) 5020 { 5021 return sock_has_perm(sock->sk, SOCKET__GETATTR); 5022 } 5023 5024 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 5025 { 5026 int err; 5027 5028 err = sock_has_perm(sock->sk, SOCKET__SETOPT); 5029 if (err) 5030 return err; 5031 5032 return selinux_netlbl_socket_setsockopt(sock, level, optname); 5033 } 5034 5035 static int selinux_socket_getsockopt(struct socket *sock, int level, 5036 int optname) 5037 { 5038 return sock_has_perm(sock->sk, SOCKET__GETOPT); 5039 } 5040 5041 static int selinux_socket_shutdown(struct socket *sock, int how) 5042 { 5043 return sock_has_perm(sock->sk, SOCKET__SHUTDOWN); 5044 } 5045 5046 static int selinux_socket_unix_stream_connect(struct sock *sock, 5047 struct sock *other, 5048 struct sock *newsk) 5049 { 5050 struct sk_security_struct *sksec_sock = sock->sk_security; 5051 struct sk_security_struct *sksec_other = other->sk_security; 5052 struct sk_security_struct *sksec_new = newsk->sk_security; 5053 struct common_audit_data ad; 5054 struct lsm_network_audit net = {0,}; 5055 int err; 5056 5057 ad.type = LSM_AUDIT_DATA_NET; 5058 ad.u.net = &net; 5059 ad.u.net->sk = other; 5060 5061 err = avc_has_perm(&selinux_state, 5062 sksec_sock->sid, sksec_other->sid, 5063 sksec_other->sclass, 5064 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 5065 if (err) 5066 return err; 5067 5068 /* server child socket */ 5069 sksec_new->peer_sid = sksec_sock->sid; 5070 err = security_sid_mls_copy(&selinux_state, sksec_other->sid, 5071 sksec_sock->sid, &sksec_new->sid); 5072 if (err) 5073 return err; 5074 5075 /* connecting socket */ 5076 sksec_sock->peer_sid = sksec_new->sid; 5077 5078 return 0; 5079 } 5080 5081 static int selinux_socket_unix_may_send(struct socket *sock, 5082 struct socket *other) 5083 { 5084 struct sk_security_struct *ssec = sock->sk->sk_security; 5085 struct sk_security_struct *osec = other->sk->sk_security; 5086 struct common_audit_data ad; 5087 struct lsm_network_audit net = {0,}; 5088 5089 ad.type = LSM_AUDIT_DATA_NET; 5090 ad.u.net = &net; 5091 ad.u.net->sk = other->sk; 5092 5093 return avc_has_perm(&selinux_state, 5094 ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 5095 &ad); 5096 } 5097 5098 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 5099 char *addrp, u16 family, u32 peer_sid, 5100 struct common_audit_data *ad) 5101 { 5102 int err; 5103 u32 if_sid; 5104 u32 node_sid; 5105 5106 err = sel_netif_sid(ns, ifindex, &if_sid); 5107 if (err) 5108 return err; 5109 err = avc_has_perm(&selinux_state, 5110 peer_sid, if_sid, 5111 SECCLASS_NETIF, NETIF__INGRESS, ad); 5112 if (err) 5113 return err; 5114 5115 err = sel_netnode_sid(addrp, family, &node_sid); 5116 if (err) 5117 return err; 5118 return avc_has_perm(&selinux_state, 5119 peer_sid, node_sid, 5120 SECCLASS_NODE, NODE__RECVFROM, ad); 5121 } 5122 5123 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 5124 u16 family) 5125 { 5126 int err = 0; 5127 struct sk_security_struct *sksec = sk->sk_security; 5128 u32 sk_sid = sksec->sid; 5129 struct common_audit_data ad; 5130 struct lsm_network_audit net = {0,}; 5131 char *addrp; 5132 5133 ad.type = LSM_AUDIT_DATA_NET; 5134 ad.u.net = &net; 5135 ad.u.net->netif = skb->skb_iif; 5136 ad.u.net->family = family; 5137 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5138 if (err) 5139 return err; 5140 5141 if (selinux_secmark_enabled()) { 5142 err = avc_has_perm(&selinux_state, 5143 sk_sid, skb->secmark, SECCLASS_PACKET, 5144 PACKET__RECV, &ad); 5145 if (err) 5146 return err; 5147 } 5148 5149 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 5150 if (err) 5151 return err; 5152 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 5153 5154 return err; 5155 } 5156 5157 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 5158 { 5159 int err; 5160 struct sk_security_struct *sksec = sk->sk_security; 5161 u16 family = sk->sk_family; 5162 u32 sk_sid = sksec->sid; 5163 struct common_audit_data ad; 5164 struct lsm_network_audit net = {0,}; 5165 char *addrp; 5166 u8 secmark_active; 5167 u8 peerlbl_active; 5168 5169 if (family != PF_INET && family != PF_INET6) 5170 return 0; 5171 5172 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 5173 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5174 family = PF_INET; 5175 5176 /* If any sort of compatibility mode is enabled then handoff processing 5177 * to the selinux_sock_rcv_skb_compat() function to deal with the 5178 * special handling. We do this in an attempt to keep this function 5179 * as fast and as clean as possible. */ 5180 if (!selinux_policycap_netpeer()) 5181 return selinux_sock_rcv_skb_compat(sk, skb, family); 5182 5183 secmark_active = selinux_secmark_enabled(); 5184 peerlbl_active = selinux_peerlbl_enabled(); 5185 if (!secmark_active && !peerlbl_active) 5186 return 0; 5187 5188 ad.type = LSM_AUDIT_DATA_NET; 5189 ad.u.net = &net; 5190 ad.u.net->netif = skb->skb_iif; 5191 ad.u.net->family = family; 5192 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 5193 if (err) 5194 return err; 5195 5196 if (peerlbl_active) { 5197 u32 peer_sid; 5198 5199 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 5200 if (err) 5201 return err; 5202 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 5203 addrp, family, peer_sid, &ad); 5204 if (err) { 5205 selinux_netlbl_err(skb, family, err, 0); 5206 return err; 5207 } 5208 err = avc_has_perm(&selinux_state, 5209 sk_sid, peer_sid, SECCLASS_PEER, 5210 PEER__RECV, &ad); 5211 if (err) { 5212 selinux_netlbl_err(skb, family, err, 0); 5213 return err; 5214 } 5215 } 5216 5217 if (secmark_active) { 5218 err = avc_has_perm(&selinux_state, 5219 sk_sid, skb->secmark, SECCLASS_PACKET, 5220 PACKET__RECV, &ad); 5221 if (err) 5222 return err; 5223 } 5224 5225 return err; 5226 } 5227 5228 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 5229 int __user *optlen, unsigned len) 5230 { 5231 int err = 0; 5232 char *scontext; 5233 u32 scontext_len; 5234 struct sk_security_struct *sksec = sock->sk->sk_security; 5235 u32 peer_sid = SECSID_NULL; 5236 5237 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 5238 sksec->sclass == SECCLASS_TCP_SOCKET || 5239 sksec->sclass == SECCLASS_SCTP_SOCKET) 5240 peer_sid = sksec->peer_sid; 5241 if (peer_sid == SECSID_NULL) 5242 return -ENOPROTOOPT; 5243 5244 err = security_sid_to_context(&selinux_state, peer_sid, &scontext, 5245 &scontext_len); 5246 if (err) 5247 return err; 5248 5249 if (scontext_len > len) { 5250 err = -ERANGE; 5251 goto out_len; 5252 } 5253 5254 if (copy_to_user(optval, scontext, scontext_len)) 5255 err = -EFAULT; 5256 5257 out_len: 5258 if (put_user(scontext_len, optlen)) 5259 err = -EFAULT; 5260 kfree(scontext); 5261 return err; 5262 } 5263 5264 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 5265 { 5266 u32 peer_secid = SECSID_NULL; 5267 u16 family; 5268 struct inode_security_struct *isec; 5269 5270 if (skb && skb->protocol == htons(ETH_P_IP)) 5271 family = PF_INET; 5272 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 5273 family = PF_INET6; 5274 else if (sock) 5275 family = sock->sk->sk_family; 5276 else 5277 goto out; 5278 5279 if (sock && family == PF_UNIX) { 5280 isec = inode_security_novalidate(SOCK_INODE(sock)); 5281 peer_secid = isec->sid; 5282 } else if (skb) 5283 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 5284 5285 out: 5286 *secid = peer_secid; 5287 if (peer_secid == SECSID_NULL) 5288 return -EINVAL; 5289 return 0; 5290 } 5291 5292 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 5293 { 5294 struct sk_security_struct *sksec; 5295 5296 sksec = kzalloc(sizeof(*sksec), priority); 5297 if (!sksec) 5298 return -ENOMEM; 5299 5300 sksec->peer_sid = SECINITSID_UNLABELED; 5301 sksec->sid = SECINITSID_UNLABELED; 5302 sksec->sclass = SECCLASS_SOCKET; 5303 selinux_netlbl_sk_security_reset(sksec); 5304 sk->sk_security = sksec; 5305 5306 return 0; 5307 } 5308 5309 static void selinux_sk_free_security(struct sock *sk) 5310 { 5311 struct sk_security_struct *sksec = sk->sk_security; 5312 5313 sk->sk_security = NULL; 5314 selinux_netlbl_sk_security_free(sksec); 5315 kfree(sksec); 5316 } 5317 5318 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 5319 { 5320 struct sk_security_struct *sksec = sk->sk_security; 5321 struct sk_security_struct *newsksec = newsk->sk_security; 5322 5323 newsksec->sid = sksec->sid; 5324 newsksec->peer_sid = sksec->peer_sid; 5325 newsksec->sclass = sksec->sclass; 5326 5327 selinux_netlbl_sk_security_reset(newsksec); 5328 } 5329 5330 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 5331 { 5332 if (!sk) 5333 *secid = SECINITSID_ANY_SOCKET; 5334 else { 5335 struct sk_security_struct *sksec = sk->sk_security; 5336 5337 *secid = sksec->sid; 5338 } 5339 } 5340 5341 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 5342 { 5343 struct inode_security_struct *isec = 5344 inode_security_novalidate(SOCK_INODE(parent)); 5345 struct sk_security_struct *sksec = sk->sk_security; 5346 5347 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 5348 sk->sk_family == PF_UNIX) 5349 isec->sid = sksec->sid; 5350 sksec->sclass = isec->sclass; 5351 } 5352 5353 /* Called whenever SCTP receives an INIT chunk. This happens when an incoming 5354 * connect(2), sctp_connectx(3) or sctp_sendmsg(3) (with no association 5355 * already present). 5356 */ 5357 static int selinux_sctp_assoc_request(struct sctp_endpoint *ep, 5358 struct sk_buff *skb) 5359 { 5360 struct sk_security_struct *sksec = ep->base.sk->sk_security; 5361 struct common_audit_data ad; 5362 struct lsm_network_audit net = {0,}; 5363 u8 peerlbl_active; 5364 u32 peer_sid = SECINITSID_UNLABELED; 5365 u32 conn_sid; 5366 int err = 0; 5367 5368 if (!selinux_policycap_extsockclass()) 5369 return 0; 5370 5371 peerlbl_active = selinux_peerlbl_enabled(); 5372 5373 if (peerlbl_active) { 5374 /* This will return peer_sid = SECSID_NULL if there are 5375 * no peer labels, see security_net_peersid_resolve(). 5376 */ 5377 err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family, 5378 &peer_sid); 5379 if (err) 5380 return err; 5381 5382 if (peer_sid == SECSID_NULL) 5383 peer_sid = SECINITSID_UNLABELED; 5384 } 5385 5386 if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) { 5387 sksec->sctp_assoc_state = SCTP_ASSOC_SET; 5388 5389 /* Here as first association on socket. As the peer SID 5390 * was allowed by peer recv (and the netif/node checks), 5391 * then it is approved by policy and used as the primary 5392 * peer SID for getpeercon(3). 5393 */ 5394 sksec->peer_sid = peer_sid; 5395 } else if (sksec->peer_sid != peer_sid) { 5396 /* Other association peer SIDs are checked to enforce 5397 * consistency among the peer SIDs. 5398 */ 5399 ad.type = LSM_AUDIT_DATA_NET; 5400 ad.u.net = &net; 5401 ad.u.net->sk = ep->base.sk; 5402 err = avc_has_perm(&selinux_state, 5403 sksec->peer_sid, peer_sid, sksec->sclass, 5404 SCTP_SOCKET__ASSOCIATION, &ad); 5405 if (err) 5406 return err; 5407 } 5408 5409 /* Compute the MLS component for the connection and store 5410 * the information in ep. This will be used by SCTP TCP type 5411 * sockets and peeled off connections as they cause a new 5412 * socket to be generated. selinux_sctp_sk_clone() will then 5413 * plug this into the new socket. 5414 */ 5415 err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid); 5416 if (err) 5417 return err; 5418 5419 ep->secid = conn_sid; 5420 ep->peer_secid = peer_sid; 5421 5422 /* Set any NetLabel labels including CIPSO/CALIPSO options. */ 5423 return selinux_netlbl_sctp_assoc_request(ep, skb); 5424 } 5425 5426 /* Check if sctp IPv4/IPv6 addresses are valid for binding or connecting 5427 * based on their @optname. 5428 */ 5429 static int selinux_sctp_bind_connect(struct sock *sk, int optname, 5430 struct sockaddr *address, 5431 int addrlen) 5432 { 5433 int len, err = 0, walk_size = 0; 5434 void *addr_buf; 5435 struct sockaddr *addr; 5436 struct socket *sock; 5437 5438 if (!selinux_policycap_extsockclass()) 5439 return 0; 5440 5441 /* Process one or more addresses that may be IPv4 or IPv6 */ 5442 sock = sk->sk_socket; 5443 addr_buf = address; 5444 5445 while (walk_size < addrlen) { 5446 if (walk_size + sizeof(sa_family_t) > addrlen) 5447 return -EINVAL; 5448 5449 addr = addr_buf; 5450 switch (addr->sa_family) { 5451 case AF_UNSPEC: 5452 case AF_INET: 5453 len = sizeof(struct sockaddr_in); 5454 break; 5455 case AF_INET6: 5456 len = sizeof(struct sockaddr_in6); 5457 break; 5458 default: 5459 return -EINVAL; 5460 } 5461 5462 if (walk_size + len > addrlen) 5463 return -EINVAL; 5464 5465 err = -EINVAL; 5466 switch (optname) { 5467 /* Bind checks */ 5468 case SCTP_PRIMARY_ADDR: 5469 case SCTP_SET_PEER_PRIMARY_ADDR: 5470 case SCTP_SOCKOPT_BINDX_ADD: 5471 err = selinux_socket_bind(sock, addr, len); 5472 break; 5473 /* Connect checks */ 5474 case SCTP_SOCKOPT_CONNECTX: 5475 case SCTP_PARAM_SET_PRIMARY: 5476 case SCTP_PARAM_ADD_IP: 5477 case SCTP_SENDMSG_CONNECT: 5478 err = selinux_socket_connect_helper(sock, addr, len); 5479 if (err) 5480 return err; 5481 5482 /* As selinux_sctp_bind_connect() is called by the 5483 * SCTP protocol layer, the socket is already locked, 5484 * therefore selinux_netlbl_socket_connect_locked() 5485 * is called here. The situations handled are: 5486 * sctp_connectx(3), sctp_sendmsg(3), sendmsg(2), 5487 * whenever a new IP address is added or when a new 5488 * primary address is selected. 5489 * Note that an SCTP connect(2) call happens before 5490 * the SCTP protocol layer and is handled via 5491 * selinux_socket_connect(). 5492 */ 5493 err = selinux_netlbl_socket_connect_locked(sk, addr); 5494 break; 5495 } 5496 5497 if (err) 5498 return err; 5499 5500 addr_buf += len; 5501 walk_size += len; 5502 } 5503 5504 return 0; 5505 } 5506 5507 /* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */ 5508 static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, 5509 struct sock *newsk) 5510 { 5511 struct sk_security_struct *sksec = sk->sk_security; 5512 struct sk_security_struct *newsksec = newsk->sk_security; 5513 5514 /* If policy does not support SECCLASS_SCTP_SOCKET then call 5515 * the non-sctp clone version. 5516 */ 5517 if (!selinux_policycap_extsockclass()) 5518 return selinux_sk_clone_security(sk, newsk); 5519 5520 newsksec->sid = ep->secid; 5521 newsksec->peer_sid = ep->peer_secid; 5522 newsksec->sclass = sksec->sclass; 5523 selinux_netlbl_sctp_sk_clone(sk, newsk); 5524 } 5525 5526 static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 5527 struct request_sock *req) 5528 { 5529 struct sk_security_struct *sksec = sk->sk_security; 5530 int err; 5531 u16 family = req->rsk_ops->family; 5532 u32 connsid; 5533 u32 peersid; 5534 5535 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 5536 if (err) 5537 return err; 5538 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 5539 if (err) 5540 return err; 5541 req->secid = connsid; 5542 req->peer_secid = peersid; 5543 5544 return selinux_netlbl_inet_conn_request(req, family); 5545 } 5546 5547 static void selinux_inet_csk_clone(struct sock *newsk, 5548 const struct request_sock *req) 5549 { 5550 struct sk_security_struct *newsksec = newsk->sk_security; 5551 5552 newsksec->sid = req->secid; 5553 newsksec->peer_sid = req->peer_secid; 5554 /* NOTE: Ideally, we should also get the isec->sid for the 5555 new socket in sync, but we don't have the isec available yet. 5556 So we will wait until sock_graft to do it, by which 5557 time it will have been created and available. */ 5558 5559 /* We don't need to take any sort of lock here as we are the only 5560 * thread with access to newsksec */ 5561 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 5562 } 5563 5564 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 5565 { 5566 u16 family = sk->sk_family; 5567 struct sk_security_struct *sksec = sk->sk_security; 5568 5569 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 5570 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 5571 family = PF_INET; 5572 5573 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 5574 } 5575 5576 static int selinux_secmark_relabel_packet(u32 sid) 5577 { 5578 const struct task_security_struct *__tsec; 5579 u32 tsid; 5580 5581 __tsec = selinux_cred(current_cred()); 5582 tsid = __tsec->sid; 5583 5584 return avc_has_perm(&selinux_state, 5585 tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, 5586 NULL); 5587 } 5588 5589 static void selinux_secmark_refcount_inc(void) 5590 { 5591 atomic_inc(&selinux_secmark_refcount); 5592 } 5593 5594 static void selinux_secmark_refcount_dec(void) 5595 { 5596 atomic_dec(&selinux_secmark_refcount); 5597 } 5598 5599 static void selinux_req_classify_flow(const struct request_sock *req, 5600 struct flowi_common *flic) 5601 { 5602 flic->flowic_secid = req->secid; 5603 } 5604 5605 static int selinux_tun_dev_alloc_security(void **security) 5606 { 5607 struct tun_security_struct *tunsec; 5608 5609 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 5610 if (!tunsec) 5611 return -ENOMEM; 5612 tunsec->sid = current_sid(); 5613 5614 *security = tunsec; 5615 return 0; 5616 } 5617 5618 static void selinux_tun_dev_free_security(void *security) 5619 { 5620 kfree(security); 5621 } 5622 5623 static int selinux_tun_dev_create(void) 5624 { 5625 u32 sid = current_sid(); 5626 5627 /* we aren't taking into account the "sockcreate" SID since the socket 5628 * that is being created here is not a socket in the traditional sense, 5629 * instead it is a private sock, accessible only to the kernel, and 5630 * representing a wide range of network traffic spanning multiple 5631 * connections unlike traditional sockets - check the TUN driver to 5632 * get a better understanding of why this socket is special */ 5633 5634 return avc_has_perm(&selinux_state, 5635 sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 5636 NULL); 5637 } 5638 5639 static int selinux_tun_dev_attach_queue(void *security) 5640 { 5641 struct tun_security_struct *tunsec = security; 5642 5643 return avc_has_perm(&selinux_state, 5644 current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 5645 TUN_SOCKET__ATTACH_QUEUE, NULL); 5646 } 5647 5648 static int selinux_tun_dev_attach(struct sock *sk, void *security) 5649 { 5650 struct tun_security_struct *tunsec = security; 5651 struct sk_security_struct *sksec = sk->sk_security; 5652 5653 /* we don't currently perform any NetLabel based labeling here and it 5654 * isn't clear that we would want to do so anyway; while we could apply 5655 * labeling without the support of the TUN user the resulting labeled 5656 * traffic from the other end of the connection would almost certainly 5657 * cause confusion to the TUN user that had no idea network labeling 5658 * protocols were being used */ 5659 5660 sksec->sid = tunsec->sid; 5661 sksec->sclass = SECCLASS_TUN_SOCKET; 5662 5663 return 0; 5664 } 5665 5666 static int selinux_tun_dev_open(void *security) 5667 { 5668 struct tun_security_struct *tunsec = security; 5669 u32 sid = current_sid(); 5670 int err; 5671 5672 err = avc_has_perm(&selinux_state, 5673 sid, tunsec->sid, SECCLASS_TUN_SOCKET, 5674 TUN_SOCKET__RELABELFROM, NULL); 5675 if (err) 5676 return err; 5677 err = avc_has_perm(&selinux_state, 5678 sid, sid, SECCLASS_TUN_SOCKET, 5679 TUN_SOCKET__RELABELTO, NULL); 5680 if (err) 5681 return err; 5682 tunsec->sid = sid; 5683 5684 return 0; 5685 } 5686 5687 #ifdef CONFIG_NETFILTER 5688 5689 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5690 const struct net_device *indev, 5691 u16 family) 5692 { 5693 int err; 5694 char *addrp; 5695 u32 peer_sid; 5696 struct common_audit_data ad; 5697 struct lsm_network_audit net = {0,}; 5698 u8 secmark_active; 5699 u8 netlbl_active; 5700 u8 peerlbl_active; 5701 5702 if (!selinux_policycap_netpeer()) 5703 return NF_ACCEPT; 5704 5705 secmark_active = selinux_secmark_enabled(); 5706 netlbl_active = netlbl_enabled(); 5707 peerlbl_active = selinux_peerlbl_enabled(); 5708 if (!secmark_active && !peerlbl_active) 5709 return NF_ACCEPT; 5710 5711 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5712 return NF_DROP; 5713 5714 ad.type = LSM_AUDIT_DATA_NET; 5715 ad.u.net = &net; 5716 ad.u.net->netif = indev->ifindex; 5717 ad.u.net->family = family; 5718 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5719 return NF_DROP; 5720 5721 if (peerlbl_active) { 5722 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5723 addrp, family, peer_sid, &ad); 5724 if (err) { 5725 selinux_netlbl_err(skb, family, err, 1); 5726 return NF_DROP; 5727 } 5728 } 5729 5730 if (secmark_active) 5731 if (avc_has_perm(&selinux_state, 5732 peer_sid, skb->secmark, 5733 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5734 return NF_DROP; 5735 5736 if (netlbl_active) 5737 /* we do this in the FORWARD path and not the POST_ROUTING 5738 * path because we want to make sure we apply the necessary 5739 * labeling before IPsec is applied so we can leverage AH 5740 * protection */ 5741 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5742 return NF_DROP; 5743 5744 return NF_ACCEPT; 5745 } 5746 5747 static unsigned int selinux_ipv4_forward(void *priv, 5748 struct sk_buff *skb, 5749 const struct nf_hook_state *state) 5750 { 5751 return selinux_ip_forward(skb, state->in, PF_INET); 5752 } 5753 5754 #if IS_ENABLED(CONFIG_IPV6) 5755 static unsigned int selinux_ipv6_forward(void *priv, 5756 struct sk_buff *skb, 5757 const struct nf_hook_state *state) 5758 { 5759 return selinux_ip_forward(skb, state->in, PF_INET6); 5760 } 5761 #endif /* IPV6 */ 5762 5763 static unsigned int selinux_ip_output(struct sk_buff *skb, 5764 u16 family) 5765 { 5766 struct sock *sk; 5767 u32 sid; 5768 5769 if (!netlbl_enabled()) 5770 return NF_ACCEPT; 5771 5772 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5773 * because we want to make sure we apply the necessary labeling 5774 * before IPsec is applied so we can leverage AH protection */ 5775 sk = skb->sk; 5776 if (sk) { 5777 struct sk_security_struct *sksec; 5778 5779 if (sk_listener(sk)) 5780 /* if the socket is the listening state then this 5781 * packet is a SYN-ACK packet which means it needs to 5782 * be labeled based on the connection/request_sock and 5783 * not the parent socket. unfortunately, we can't 5784 * lookup the request_sock yet as it isn't queued on 5785 * the parent socket until after the SYN-ACK is sent. 5786 * the "solution" is to simply pass the packet as-is 5787 * as any IP option based labeling should be copied 5788 * from the initial connection request (in the IP 5789 * layer). it is far from ideal, but until we get a 5790 * security label in the packet itself this is the 5791 * best we can do. */ 5792 return NF_ACCEPT; 5793 5794 /* standard practice, label using the parent socket */ 5795 sksec = sk->sk_security; 5796 sid = sksec->sid; 5797 } else 5798 sid = SECINITSID_KERNEL; 5799 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5800 return NF_DROP; 5801 5802 return NF_ACCEPT; 5803 } 5804 5805 static unsigned int selinux_ipv4_output(void *priv, 5806 struct sk_buff *skb, 5807 const struct nf_hook_state *state) 5808 { 5809 return selinux_ip_output(skb, PF_INET); 5810 } 5811 5812 #if IS_ENABLED(CONFIG_IPV6) 5813 static unsigned int selinux_ipv6_output(void *priv, 5814 struct sk_buff *skb, 5815 const struct nf_hook_state *state) 5816 { 5817 return selinux_ip_output(skb, PF_INET6); 5818 } 5819 #endif /* IPV6 */ 5820 5821 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5822 int ifindex, 5823 u16 family) 5824 { 5825 struct sock *sk = skb_to_full_sk(skb); 5826 struct sk_security_struct *sksec; 5827 struct common_audit_data ad; 5828 struct lsm_network_audit net = {0,}; 5829 char *addrp; 5830 u8 proto; 5831 5832 if (sk == NULL) 5833 return NF_ACCEPT; 5834 sksec = sk->sk_security; 5835 5836 ad.type = LSM_AUDIT_DATA_NET; 5837 ad.u.net = &net; 5838 ad.u.net->netif = ifindex; 5839 ad.u.net->family = family; 5840 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5841 return NF_DROP; 5842 5843 if (selinux_secmark_enabled()) 5844 if (avc_has_perm(&selinux_state, 5845 sksec->sid, skb->secmark, 5846 SECCLASS_PACKET, PACKET__SEND, &ad)) 5847 return NF_DROP_ERR(-ECONNREFUSED); 5848 5849 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5850 return NF_DROP_ERR(-ECONNREFUSED); 5851 5852 return NF_ACCEPT; 5853 } 5854 5855 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5856 const struct net_device *outdev, 5857 u16 family) 5858 { 5859 u32 secmark_perm; 5860 u32 peer_sid; 5861 int ifindex = outdev->ifindex; 5862 struct sock *sk; 5863 struct common_audit_data ad; 5864 struct lsm_network_audit net = {0,}; 5865 char *addrp; 5866 u8 secmark_active; 5867 u8 peerlbl_active; 5868 5869 /* If any sort of compatibility mode is enabled then handoff processing 5870 * to the selinux_ip_postroute_compat() function to deal with the 5871 * special handling. We do this in an attempt to keep this function 5872 * as fast and as clean as possible. */ 5873 if (!selinux_policycap_netpeer()) 5874 return selinux_ip_postroute_compat(skb, ifindex, family); 5875 5876 secmark_active = selinux_secmark_enabled(); 5877 peerlbl_active = selinux_peerlbl_enabled(); 5878 if (!secmark_active && !peerlbl_active) 5879 return NF_ACCEPT; 5880 5881 sk = skb_to_full_sk(skb); 5882 5883 #ifdef CONFIG_XFRM 5884 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5885 * packet transformation so allow the packet to pass without any checks 5886 * since we'll have another chance to perform access control checks 5887 * when the packet is on it's final way out. 5888 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5889 * is NULL, in this case go ahead and apply access control. 5890 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5891 * TCP listening state we cannot wait until the XFRM processing 5892 * is done as we will miss out on the SA label if we do; 5893 * unfortunately, this means more work, but it is only once per 5894 * connection. */ 5895 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5896 !(sk && sk_listener(sk))) 5897 return NF_ACCEPT; 5898 #endif 5899 5900 if (sk == NULL) { 5901 /* Without an associated socket the packet is either coming 5902 * from the kernel or it is being forwarded; check the packet 5903 * to determine which and if the packet is being forwarded 5904 * query the packet directly to determine the security label. */ 5905 if (skb->skb_iif) { 5906 secmark_perm = PACKET__FORWARD_OUT; 5907 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5908 return NF_DROP; 5909 } else { 5910 secmark_perm = PACKET__SEND; 5911 peer_sid = SECINITSID_KERNEL; 5912 } 5913 } else if (sk_listener(sk)) { 5914 /* Locally generated packet but the associated socket is in the 5915 * listening state which means this is a SYN-ACK packet. In 5916 * this particular case the correct security label is assigned 5917 * to the connection/request_sock but unfortunately we can't 5918 * query the request_sock as it isn't queued on the parent 5919 * socket until after the SYN-ACK packet is sent; the only 5920 * viable choice is to regenerate the label like we do in 5921 * selinux_inet_conn_request(). See also selinux_ip_output() 5922 * for similar problems. */ 5923 u32 skb_sid; 5924 struct sk_security_struct *sksec; 5925 5926 sksec = sk->sk_security; 5927 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5928 return NF_DROP; 5929 /* At this point, if the returned skb peerlbl is SECSID_NULL 5930 * and the packet has been through at least one XFRM 5931 * transformation then we must be dealing with the "final" 5932 * form of labeled IPsec packet; since we've already applied 5933 * all of our access controls on this packet we can safely 5934 * pass the packet. */ 5935 if (skb_sid == SECSID_NULL) { 5936 switch (family) { 5937 case PF_INET: 5938 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5939 return NF_ACCEPT; 5940 break; 5941 case PF_INET6: 5942 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5943 return NF_ACCEPT; 5944 break; 5945 default: 5946 return NF_DROP_ERR(-ECONNREFUSED); 5947 } 5948 } 5949 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5950 return NF_DROP; 5951 secmark_perm = PACKET__SEND; 5952 } else { 5953 /* Locally generated packet, fetch the security label from the 5954 * associated socket. */ 5955 struct sk_security_struct *sksec = sk->sk_security; 5956 peer_sid = sksec->sid; 5957 secmark_perm = PACKET__SEND; 5958 } 5959 5960 ad.type = LSM_AUDIT_DATA_NET; 5961 ad.u.net = &net; 5962 ad.u.net->netif = ifindex; 5963 ad.u.net->family = family; 5964 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5965 return NF_DROP; 5966 5967 if (secmark_active) 5968 if (avc_has_perm(&selinux_state, 5969 peer_sid, skb->secmark, 5970 SECCLASS_PACKET, secmark_perm, &ad)) 5971 return NF_DROP_ERR(-ECONNREFUSED); 5972 5973 if (peerlbl_active) { 5974 u32 if_sid; 5975 u32 node_sid; 5976 5977 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5978 return NF_DROP; 5979 if (avc_has_perm(&selinux_state, 5980 peer_sid, if_sid, 5981 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5982 return NF_DROP_ERR(-ECONNREFUSED); 5983 5984 if (sel_netnode_sid(addrp, family, &node_sid)) 5985 return NF_DROP; 5986 if (avc_has_perm(&selinux_state, 5987 peer_sid, node_sid, 5988 SECCLASS_NODE, NODE__SENDTO, &ad)) 5989 return NF_DROP_ERR(-ECONNREFUSED); 5990 } 5991 5992 return NF_ACCEPT; 5993 } 5994 5995 static unsigned int selinux_ipv4_postroute(void *priv, 5996 struct sk_buff *skb, 5997 const struct nf_hook_state *state) 5998 { 5999 return selinux_ip_postroute(skb, state->out, PF_INET); 6000 } 6001 6002 #if IS_ENABLED(CONFIG_IPV6) 6003 static unsigned int selinux_ipv6_postroute(void *priv, 6004 struct sk_buff *skb, 6005 const struct nf_hook_state *state) 6006 { 6007 return selinux_ip_postroute(skb, state->out, PF_INET6); 6008 } 6009 #endif /* IPV6 */ 6010 6011 #endif /* CONFIG_NETFILTER */ 6012 6013 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 6014 { 6015 int rc = 0; 6016 unsigned int msg_len; 6017 unsigned int data_len = skb->len; 6018 unsigned char *data = skb->data; 6019 struct nlmsghdr *nlh; 6020 struct sk_security_struct *sksec = sk->sk_security; 6021 u16 sclass = sksec->sclass; 6022 u32 perm; 6023 6024 while (data_len >= nlmsg_total_size(0)) { 6025 nlh = (struct nlmsghdr *)data; 6026 6027 /* NOTE: the nlmsg_len field isn't reliably set by some netlink 6028 * users which means we can't reject skb's with bogus 6029 * length fields; our solution is to follow what 6030 * netlink_rcv_skb() does and simply skip processing at 6031 * messages with length fields that are clearly junk 6032 */ 6033 if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len) 6034 return 0; 6035 6036 rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm); 6037 if (rc == 0) { 6038 rc = sock_has_perm(sk, perm); 6039 if (rc) 6040 return rc; 6041 } else if (rc == -EINVAL) { 6042 /* -EINVAL is a missing msg/perm mapping */ 6043 pr_warn_ratelimited("SELinux: unrecognized netlink" 6044 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 6045 " pid=%d comm=%s\n", 6046 sk->sk_protocol, nlh->nlmsg_type, 6047 secclass_map[sclass - 1].name, 6048 task_pid_nr(current), current->comm); 6049 if (enforcing_enabled(&selinux_state) && 6050 !security_get_allow_unknown(&selinux_state)) 6051 return rc; 6052 rc = 0; 6053 } else if (rc == -ENOENT) { 6054 /* -ENOENT is a missing socket/class mapping, ignore */ 6055 rc = 0; 6056 } else { 6057 return rc; 6058 } 6059 6060 /* move to the next message after applying netlink padding */ 6061 msg_len = NLMSG_ALIGN(nlh->nlmsg_len); 6062 if (msg_len >= data_len) 6063 return 0; 6064 data_len -= msg_len; 6065 data += msg_len; 6066 } 6067 6068 return rc; 6069 } 6070 6071 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass) 6072 { 6073 isec->sclass = sclass; 6074 isec->sid = current_sid(); 6075 } 6076 6077 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 6078 u32 perms) 6079 { 6080 struct ipc_security_struct *isec; 6081 struct common_audit_data ad; 6082 u32 sid = current_sid(); 6083 6084 isec = selinux_ipc(ipc_perms); 6085 6086 ad.type = LSM_AUDIT_DATA_IPC; 6087 ad.u.ipc_id = ipc_perms->key; 6088 6089 return avc_has_perm(&selinux_state, 6090 sid, isec->sid, isec->sclass, perms, &ad); 6091 } 6092 6093 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 6094 { 6095 struct msg_security_struct *msec; 6096 6097 msec = selinux_msg_msg(msg); 6098 msec->sid = SECINITSID_UNLABELED; 6099 6100 return 0; 6101 } 6102 6103 /* message queue security operations */ 6104 static int selinux_msg_queue_alloc_security(struct kern_ipc_perm *msq) 6105 { 6106 struct ipc_security_struct *isec; 6107 struct common_audit_data ad; 6108 u32 sid = current_sid(); 6109 int rc; 6110 6111 isec = selinux_ipc(msq); 6112 ipc_init_security(isec, SECCLASS_MSGQ); 6113 6114 ad.type = LSM_AUDIT_DATA_IPC; 6115 ad.u.ipc_id = msq->key; 6116 6117 rc = avc_has_perm(&selinux_state, 6118 sid, isec->sid, SECCLASS_MSGQ, 6119 MSGQ__CREATE, &ad); 6120 return rc; 6121 } 6122 6123 static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) 6124 { 6125 struct ipc_security_struct *isec; 6126 struct common_audit_data ad; 6127 u32 sid = current_sid(); 6128 6129 isec = selinux_ipc(msq); 6130 6131 ad.type = LSM_AUDIT_DATA_IPC; 6132 ad.u.ipc_id = msq->key; 6133 6134 return avc_has_perm(&selinux_state, 6135 sid, isec->sid, SECCLASS_MSGQ, 6136 MSGQ__ASSOCIATE, &ad); 6137 } 6138 6139 static int selinux_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 6140 { 6141 int err; 6142 int perms; 6143 6144 switch (cmd) { 6145 case IPC_INFO: 6146 case MSG_INFO: 6147 /* No specific object, just general system-wide information. */ 6148 return avc_has_perm(&selinux_state, 6149 current_sid(), SECINITSID_KERNEL, 6150 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6151 case IPC_STAT: 6152 case MSG_STAT: 6153 case MSG_STAT_ANY: 6154 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 6155 break; 6156 case IPC_SET: 6157 perms = MSGQ__SETATTR; 6158 break; 6159 case IPC_RMID: 6160 perms = MSGQ__DESTROY; 6161 break; 6162 default: 6163 return 0; 6164 } 6165 6166 err = ipc_has_perm(msq, perms); 6167 return err; 6168 } 6169 6170 static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *msg, int msqflg) 6171 { 6172 struct ipc_security_struct *isec; 6173 struct msg_security_struct *msec; 6174 struct common_audit_data ad; 6175 u32 sid = current_sid(); 6176 int rc; 6177 6178 isec = selinux_ipc(msq); 6179 msec = selinux_msg_msg(msg); 6180 6181 /* 6182 * First time through, need to assign label to the message 6183 */ 6184 if (msec->sid == SECINITSID_UNLABELED) { 6185 /* 6186 * Compute new sid based on current process and 6187 * message queue this message will be stored in 6188 */ 6189 rc = security_transition_sid(&selinux_state, sid, isec->sid, 6190 SECCLASS_MSG, NULL, &msec->sid); 6191 if (rc) 6192 return rc; 6193 } 6194 6195 ad.type = LSM_AUDIT_DATA_IPC; 6196 ad.u.ipc_id = msq->key; 6197 6198 /* Can this process write to the queue? */ 6199 rc = avc_has_perm(&selinux_state, 6200 sid, isec->sid, SECCLASS_MSGQ, 6201 MSGQ__WRITE, &ad); 6202 if (!rc) 6203 /* Can this process send the message */ 6204 rc = avc_has_perm(&selinux_state, 6205 sid, msec->sid, SECCLASS_MSG, 6206 MSG__SEND, &ad); 6207 if (!rc) 6208 /* Can the message be put in the queue? */ 6209 rc = avc_has_perm(&selinux_state, 6210 msec->sid, isec->sid, SECCLASS_MSGQ, 6211 MSGQ__ENQUEUE, &ad); 6212 6213 return rc; 6214 } 6215 6216 static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6217 struct task_struct *target, 6218 long type, int mode) 6219 { 6220 struct ipc_security_struct *isec; 6221 struct msg_security_struct *msec; 6222 struct common_audit_data ad; 6223 u32 sid = task_sid_subj(target); 6224 int rc; 6225 6226 isec = selinux_ipc(msq); 6227 msec = selinux_msg_msg(msg); 6228 6229 ad.type = LSM_AUDIT_DATA_IPC; 6230 ad.u.ipc_id = msq->key; 6231 6232 rc = avc_has_perm(&selinux_state, 6233 sid, isec->sid, 6234 SECCLASS_MSGQ, MSGQ__READ, &ad); 6235 if (!rc) 6236 rc = avc_has_perm(&selinux_state, 6237 sid, msec->sid, 6238 SECCLASS_MSG, MSG__RECEIVE, &ad); 6239 return rc; 6240 } 6241 6242 /* Shared Memory security operations */ 6243 static int selinux_shm_alloc_security(struct kern_ipc_perm *shp) 6244 { 6245 struct ipc_security_struct *isec; 6246 struct common_audit_data ad; 6247 u32 sid = current_sid(); 6248 int rc; 6249 6250 isec = selinux_ipc(shp); 6251 ipc_init_security(isec, SECCLASS_SHM); 6252 6253 ad.type = LSM_AUDIT_DATA_IPC; 6254 ad.u.ipc_id = shp->key; 6255 6256 rc = avc_has_perm(&selinux_state, 6257 sid, isec->sid, SECCLASS_SHM, 6258 SHM__CREATE, &ad); 6259 return rc; 6260 } 6261 6262 static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) 6263 { 6264 struct ipc_security_struct *isec; 6265 struct common_audit_data ad; 6266 u32 sid = current_sid(); 6267 6268 isec = selinux_ipc(shp); 6269 6270 ad.type = LSM_AUDIT_DATA_IPC; 6271 ad.u.ipc_id = shp->key; 6272 6273 return avc_has_perm(&selinux_state, 6274 sid, isec->sid, SECCLASS_SHM, 6275 SHM__ASSOCIATE, &ad); 6276 } 6277 6278 /* Note, at this point, shp is locked down */ 6279 static int selinux_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 6280 { 6281 int perms; 6282 int err; 6283 6284 switch (cmd) { 6285 case IPC_INFO: 6286 case SHM_INFO: 6287 /* No specific object, just general system-wide information. */ 6288 return avc_has_perm(&selinux_state, 6289 current_sid(), SECINITSID_KERNEL, 6290 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6291 case IPC_STAT: 6292 case SHM_STAT: 6293 case SHM_STAT_ANY: 6294 perms = SHM__GETATTR | SHM__ASSOCIATE; 6295 break; 6296 case IPC_SET: 6297 perms = SHM__SETATTR; 6298 break; 6299 case SHM_LOCK: 6300 case SHM_UNLOCK: 6301 perms = SHM__LOCK; 6302 break; 6303 case IPC_RMID: 6304 perms = SHM__DESTROY; 6305 break; 6306 default: 6307 return 0; 6308 } 6309 6310 err = ipc_has_perm(shp, perms); 6311 return err; 6312 } 6313 6314 static int selinux_shm_shmat(struct kern_ipc_perm *shp, 6315 char __user *shmaddr, int shmflg) 6316 { 6317 u32 perms; 6318 6319 if (shmflg & SHM_RDONLY) 6320 perms = SHM__READ; 6321 else 6322 perms = SHM__READ | SHM__WRITE; 6323 6324 return ipc_has_perm(shp, perms); 6325 } 6326 6327 /* Semaphore security operations */ 6328 static int selinux_sem_alloc_security(struct kern_ipc_perm *sma) 6329 { 6330 struct ipc_security_struct *isec; 6331 struct common_audit_data ad; 6332 u32 sid = current_sid(); 6333 int rc; 6334 6335 isec = selinux_ipc(sma); 6336 ipc_init_security(isec, SECCLASS_SEM); 6337 6338 ad.type = LSM_AUDIT_DATA_IPC; 6339 ad.u.ipc_id = sma->key; 6340 6341 rc = avc_has_perm(&selinux_state, 6342 sid, isec->sid, SECCLASS_SEM, 6343 SEM__CREATE, &ad); 6344 return rc; 6345 } 6346 6347 static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) 6348 { 6349 struct ipc_security_struct *isec; 6350 struct common_audit_data ad; 6351 u32 sid = current_sid(); 6352 6353 isec = selinux_ipc(sma); 6354 6355 ad.type = LSM_AUDIT_DATA_IPC; 6356 ad.u.ipc_id = sma->key; 6357 6358 return avc_has_perm(&selinux_state, 6359 sid, isec->sid, SECCLASS_SEM, 6360 SEM__ASSOCIATE, &ad); 6361 } 6362 6363 /* Note, at this point, sma is locked down */ 6364 static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd) 6365 { 6366 int err; 6367 u32 perms; 6368 6369 switch (cmd) { 6370 case IPC_INFO: 6371 case SEM_INFO: 6372 /* No specific object, just general system-wide information. */ 6373 return avc_has_perm(&selinux_state, 6374 current_sid(), SECINITSID_KERNEL, 6375 SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); 6376 case GETPID: 6377 case GETNCNT: 6378 case GETZCNT: 6379 perms = SEM__GETATTR; 6380 break; 6381 case GETVAL: 6382 case GETALL: 6383 perms = SEM__READ; 6384 break; 6385 case SETVAL: 6386 case SETALL: 6387 perms = SEM__WRITE; 6388 break; 6389 case IPC_RMID: 6390 perms = SEM__DESTROY; 6391 break; 6392 case IPC_SET: 6393 perms = SEM__SETATTR; 6394 break; 6395 case IPC_STAT: 6396 case SEM_STAT: 6397 case SEM_STAT_ANY: 6398 perms = SEM__GETATTR | SEM__ASSOCIATE; 6399 break; 6400 default: 6401 return 0; 6402 } 6403 6404 err = ipc_has_perm(sma, perms); 6405 return err; 6406 } 6407 6408 static int selinux_sem_semop(struct kern_ipc_perm *sma, 6409 struct sembuf *sops, unsigned nsops, int alter) 6410 { 6411 u32 perms; 6412 6413 if (alter) 6414 perms = SEM__READ | SEM__WRITE; 6415 else 6416 perms = SEM__READ; 6417 6418 return ipc_has_perm(sma, perms); 6419 } 6420 6421 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 6422 { 6423 u32 av = 0; 6424 6425 av = 0; 6426 if (flag & S_IRUGO) 6427 av |= IPC__UNIX_READ; 6428 if (flag & S_IWUGO) 6429 av |= IPC__UNIX_WRITE; 6430 6431 if (av == 0) 6432 return 0; 6433 6434 return ipc_has_perm(ipcp, av); 6435 } 6436 6437 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 6438 { 6439 struct ipc_security_struct *isec = selinux_ipc(ipcp); 6440 *secid = isec->sid; 6441 } 6442 6443 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 6444 { 6445 if (inode) 6446 inode_doinit_with_dentry(inode, dentry); 6447 } 6448 6449 static int selinux_getprocattr(struct task_struct *p, 6450 char *name, char **value) 6451 { 6452 const struct task_security_struct *__tsec; 6453 u32 sid; 6454 int error; 6455 unsigned len; 6456 6457 rcu_read_lock(); 6458 __tsec = selinux_cred(__task_cred(p)); 6459 6460 if (current != p) { 6461 error = avc_has_perm(&selinux_state, 6462 current_sid(), __tsec->sid, 6463 SECCLASS_PROCESS, PROCESS__GETATTR, NULL); 6464 if (error) 6465 goto bad; 6466 } 6467 6468 if (!strcmp(name, "current")) 6469 sid = __tsec->sid; 6470 else if (!strcmp(name, "prev")) 6471 sid = __tsec->osid; 6472 else if (!strcmp(name, "exec")) 6473 sid = __tsec->exec_sid; 6474 else if (!strcmp(name, "fscreate")) 6475 sid = __tsec->create_sid; 6476 else if (!strcmp(name, "keycreate")) 6477 sid = __tsec->keycreate_sid; 6478 else if (!strcmp(name, "sockcreate")) 6479 sid = __tsec->sockcreate_sid; 6480 else { 6481 error = -EINVAL; 6482 goto bad; 6483 } 6484 rcu_read_unlock(); 6485 6486 if (!sid) 6487 return 0; 6488 6489 error = security_sid_to_context(&selinux_state, sid, value, &len); 6490 if (error) 6491 return error; 6492 return len; 6493 6494 bad: 6495 rcu_read_unlock(); 6496 return error; 6497 } 6498 6499 static int selinux_setprocattr(const char *name, void *value, size_t size) 6500 { 6501 struct task_security_struct *tsec; 6502 struct cred *new; 6503 u32 mysid = current_sid(), sid = 0, ptsid; 6504 int error; 6505 char *str = value; 6506 6507 /* 6508 * Basic control over ability to set these attributes at all. 6509 */ 6510 if (!strcmp(name, "exec")) 6511 error = avc_has_perm(&selinux_state, 6512 mysid, mysid, SECCLASS_PROCESS, 6513 PROCESS__SETEXEC, NULL); 6514 else if (!strcmp(name, "fscreate")) 6515 error = avc_has_perm(&selinux_state, 6516 mysid, mysid, SECCLASS_PROCESS, 6517 PROCESS__SETFSCREATE, NULL); 6518 else if (!strcmp(name, "keycreate")) 6519 error = avc_has_perm(&selinux_state, 6520 mysid, mysid, SECCLASS_PROCESS, 6521 PROCESS__SETKEYCREATE, NULL); 6522 else if (!strcmp(name, "sockcreate")) 6523 error = avc_has_perm(&selinux_state, 6524 mysid, mysid, SECCLASS_PROCESS, 6525 PROCESS__SETSOCKCREATE, NULL); 6526 else if (!strcmp(name, "current")) 6527 error = avc_has_perm(&selinux_state, 6528 mysid, mysid, SECCLASS_PROCESS, 6529 PROCESS__SETCURRENT, NULL); 6530 else 6531 error = -EINVAL; 6532 if (error) 6533 return error; 6534 6535 /* Obtain a SID for the context, if one was specified. */ 6536 if (size && str[0] && str[0] != '\n') { 6537 if (str[size-1] == '\n') { 6538 str[size-1] = 0; 6539 size--; 6540 } 6541 error = security_context_to_sid(&selinux_state, value, size, 6542 &sid, GFP_KERNEL); 6543 if (error == -EINVAL && !strcmp(name, "fscreate")) { 6544 if (!has_cap_mac_admin(true)) { 6545 struct audit_buffer *ab; 6546 size_t audit_size; 6547 6548 /* We strip a nul only if it is at the end, otherwise the 6549 * context contains a nul and we should audit that */ 6550 if (str[size - 1] == '\0') 6551 audit_size = size - 1; 6552 else 6553 audit_size = size; 6554 ab = audit_log_start(audit_context(), 6555 GFP_ATOMIC, 6556 AUDIT_SELINUX_ERR); 6557 if (!ab) 6558 return error; 6559 audit_log_format(ab, "op=fscreate invalid_context="); 6560 audit_log_n_untrustedstring(ab, value, audit_size); 6561 audit_log_end(ab); 6562 6563 return error; 6564 } 6565 error = security_context_to_sid_force( 6566 &selinux_state, 6567 value, size, &sid); 6568 } 6569 if (error) 6570 return error; 6571 } 6572 6573 new = prepare_creds(); 6574 if (!new) 6575 return -ENOMEM; 6576 6577 /* Permission checking based on the specified context is 6578 performed during the actual operation (execve, 6579 open/mkdir/...), when we know the full context of the 6580 operation. See selinux_bprm_creds_for_exec for the execve 6581 checks and may_create for the file creation checks. The 6582 operation will then fail if the context is not permitted. */ 6583 tsec = selinux_cred(new); 6584 if (!strcmp(name, "exec")) { 6585 tsec->exec_sid = sid; 6586 } else if (!strcmp(name, "fscreate")) { 6587 tsec->create_sid = sid; 6588 } else if (!strcmp(name, "keycreate")) { 6589 if (sid) { 6590 error = avc_has_perm(&selinux_state, mysid, sid, 6591 SECCLASS_KEY, KEY__CREATE, NULL); 6592 if (error) 6593 goto abort_change; 6594 } 6595 tsec->keycreate_sid = sid; 6596 } else if (!strcmp(name, "sockcreate")) { 6597 tsec->sockcreate_sid = sid; 6598 } else if (!strcmp(name, "current")) { 6599 error = -EINVAL; 6600 if (sid == 0) 6601 goto abort_change; 6602 6603 /* Only allow single threaded processes to change context */ 6604 error = -EPERM; 6605 if (!current_is_single_threaded()) { 6606 error = security_bounded_transition(&selinux_state, 6607 tsec->sid, sid); 6608 if (error) 6609 goto abort_change; 6610 } 6611 6612 /* Check permissions for the transition. */ 6613 error = avc_has_perm(&selinux_state, 6614 tsec->sid, sid, SECCLASS_PROCESS, 6615 PROCESS__DYNTRANSITION, NULL); 6616 if (error) 6617 goto abort_change; 6618 6619 /* Check for ptracing, and update the task SID if ok. 6620 Otherwise, leave SID unchanged and fail. */ 6621 ptsid = ptrace_parent_sid(); 6622 if (ptsid != 0) { 6623 error = avc_has_perm(&selinux_state, 6624 ptsid, sid, SECCLASS_PROCESS, 6625 PROCESS__PTRACE, NULL); 6626 if (error) 6627 goto abort_change; 6628 } 6629 6630 tsec->sid = sid; 6631 } else { 6632 error = -EINVAL; 6633 goto abort_change; 6634 } 6635 6636 commit_creds(new); 6637 return size; 6638 6639 abort_change: 6640 abort_creds(new); 6641 return error; 6642 } 6643 6644 static int selinux_ismaclabel(const char *name) 6645 { 6646 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 6647 } 6648 6649 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 6650 { 6651 return security_sid_to_context(&selinux_state, secid, 6652 secdata, seclen); 6653 } 6654 6655 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 6656 { 6657 return security_context_to_sid(&selinux_state, secdata, seclen, 6658 secid, GFP_KERNEL); 6659 } 6660 6661 static void selinux_release_secctx(char *secdata, u32 seclen) 6662 { 6663 kfree(secdata); 6664 } 6665 6666 static void selinux_inode_invalidate_secctx(struct inode *inode) 6667 { 6668 struct inode_security_struct *isec = selinux_inode(inode); 6669 6670 spin_lock(&isec->lock); 6671 isec->initialized = LABEL_INVALID; 6672 spin_unlock(&isec->lock); 6673 } 6674 6675 /* 6676 * called with inode->i_mutex locked 6677 */ 6678 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 6679 { 6680 int rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, 6681 ctx, ctxlen, 0); 6682 /* Do not return error when suppressing label (SBLABEL_MNT not set). */ 6683 return rc == -EOPNOTSUPP ? 0 : rc; 6684 } 6685 6686 /* 6687 * called with inode->i_mutex locked 6688 */ 6689 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6690 { 6691 return __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_SELINUX, 6692 ctx, ctxlen, 0); 6693 } 6694 6695 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6696 { 6697 int len = 0; 6698 len = selinux_inode_getsecurity(&init_user_ns, inode, 6699 XATTR_SELINUX_SUFFIX, ctx, true); 6700 if (len < 0) 6701 return len; 6702 *ctxlen = len; 6703 return 0; 6704 } 6705 #ifdef CONFIG_KEYS 6706 6707 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6708 unsigned long flags) 6709 { 6710 const struct task_security_struct *tsec; 6711 struct key_security_struct *ksec; 6712 6713 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6714 if (!ksec) 6715 return -ENOMEM; 6716 6717 tsec = selinux_cred(cred); 6718 if (tsec->keycreate_sid) 6719 ksec->sid = tsec->keycreate_sid; 6720 else 6721 ksec->sid = tsec->sid; 6722 6723 k->security = ksec; 6724 return 0; 6725 } 6726 6727 static void selinux_key_free(struct key *k) 6728 { 6729 struct key_security_struct *ksec = k->security; 6730 6731 k->security = NULL; 6732 kfree(ksec); 6733 } 6734 6735 static int selinux_key_permission(key_ref_t key_ref, 6736 const struct cred *cred, 6737 enum key_need_perm need_perm) 6738 { 6739 struct key *key; 6740 struct key_security_struct *ksec; 6741 u32 perm, sid; 6742 6743 switch (need_perm) { 6744 case KEY_NEED_VIEW: 6745 perm = KEY__VIEW; 6746 break; 6747 case KEY_NEED_READ: 6748 perm = KEY__READ; 6749 break; 6750 case KEY_NEED_WRITE: 6751 perm = KEY__WRITE; 6752 break; 6753 case KEY_NEED_SEARCH: 6754 perm = KEY__SEARCH; 6755 break; 6756 case KEY_NEED_LINK: 6757 perm = KEY__LINK; 6758 break; 6759 case KEY_NEED_SETATTR: 6760 perm = KEY__SETATTR; 6761 break; 6762 case KEY_NEED_UNLINK: 6763 case KEY_SYSADMIN_OVERRIDE: 6764 case KEY_AUTHTOKEN_OVERRIDE: 6765 case KEY_DEFER_PERM_CHECK: 6766 return 0; 6767 default: 6768 WARN_ON(1); 6769 return -EPERM; 6770 6771 } 6772 6773 sid = cred_sid(cred); 6774 key = key_ref_to_ptr(key_ref); 6775 ksec = key->security; 6776 6777 return avc_has_perm(&selinux_state, 6778 sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6779 } 6780 6781 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6782 { 6783 struct key_security_struct *ksec = key->security; 6784 char *context = NULL; 6785 unsigned len; 6786 int rc; 6787 6788 rc = security_sid_to_context(&selinux_state, ksec->sid, 6789 &context, &len); 6790 if (!rc) 6791 rc = len; 6792 *_buffer = context; 6793 return rc; 6794 } 6795 6796 #ifdef CONFIG_KEY_NOTIFICATIONS 6797 static int selinux_watch_key(struct key *key) 6798 { 6799 struct key_security_struct *ksec = key->security; 6800 u32 sid = current_sid(); 6801 6802 return avc_has_perm(&selinux_state, 6803 sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL); 6804 } 6805 #endif 6806 #endif 6807 6808 #ifdef CONFIG_SECURITY_INFINIBAND 6809 static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) 6810 { 6811 struct common_audit_data ad; 6812 int err; 6813 u32 sid = 0; 6814 struct ib_security_struct *sec = ib_sec; 6815 struct lsm_ibpkey_audit ibpkey; 6816 6817 err = sel_ib_pkey_sid(subnet_prefix, pkey_val, &sid); 6818 if (err) 6819 return err; 6820 6821 ad.type = LSM_AUDIT_DATA_IBPKEY; 6822 ibpkey.subnet_prefix = subnet_prefix; 6823 ibpkey.pkey = pkey_val; 6824 ad.u.ibpkey = &ibpkey; 6825 return avc_has_perm(&selinux_state, 6826 sec->sid, sid, 6827 SECCLASS_INFINIBAND_PKEY, 6828 INFINIBAND_PKEY__ACCESS, &ad); 6829 } 6830 6831 static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, 6832 u8 port_num) 6833 { 6834 struct common_audit_data ad; 6835 int err; 6836 u32 sid = 0; 6837 struct ib_security_struct *sec = ib_sec; 6838 struct lsm_ibendport_audit ibendport; 6839 6840 err = security_ib_endport_sid(&selinux_state, dev_name, port_num, 6841 &sid); 6842 6843 if (err) 6844 return err; 6845 6846 ad.type = LSM_AUDIT_DATA_IBENDPORT; 6847 ibendport.dev_name = dev_name; 6848 ibendport.port = port_num; 6849 ad.u.ibendport = &ibendport; 6850 return avc_has_perm(&selinux_state, 6851 sec->sid, sid, 6852 SECCLASS_INFINIBAND_ENDPORT, 6853 INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); 6854 } 6855 6856 static int selinux_ib_alloc_security(void **ib_sec) 6857 { 6858 struct ib_security_struct *sec; 6859 6860 sec = kzalloc(sizeof(*sec), GFP_KERNEL); 6861 if (!sec) 6862 return -ENOMEM; 6863 sec->sid = current_sid(); 6864 6865 *ib_sec = sec; 6866 return 0; 6867 } 6868 6869 static void selinux_ib_free_security(void *ib_sec) 6870 { 6871 kfree(ib_sec); 6872 } 6873 #endif 6874 6875 #ifdef CONFIG_BPF_SYSCALL 6876 static int selinux_bpf(int cmd, union bpf_attr *attr, 6877 unsigned int size) 6878 { 6879 u32 sid = current_sid(); 6880 int ret; 6881 6882 switch (cmd) { 6883 case BPF_MAP_CREATE: 6884 ret = avc_has_perm(&selinux_state, 6885 sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, 6886 NULL); 6887 break; 6888 case BPF_PROG_LOAD: 6889 ret = avc_has_perm(&selinux_state, 6890 sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, 6891 NULL); 6892 break; 6893 default: 6894 ret = 0; 6895 break; 6896 } 6897 6898 return ret; 6899 } 6900 6901 static u32 bpf_map_fmode_to_av(fmode_t fmode) 6902 { 6903 u32 av = 0; 6904 6905 if (fmode & FMODE_READ) 6906 av |= BPF__MAP_READ; 6907 if (fmode & FMODE_WRITE) 6908 av |= BPF__MAP_WRITE; 6909 return av; 6910 } 6911 6912 /* This function will check the file pass through unix socket or binder to see 6913 * if it is a bpf related object. And apply correspinding checks on the bpf 6914 * object based on the type. The bpf maps and programs, not like other files and 6915 * socket, are using a shared anonymous inode inside the kernel as their inode. 6916 * So checking that inode cannot identify if the process have privilege to 6917 * access the bpf object and that's why we have to add this additional check in 6918 * selinux_file_receive and selinux_binder_transfer_files. 6919 */ 6920 static int bpf_fd_pass(struct file *file, u32 sid) 6921 { 6922 struct bpf_security_struct *bpfsec; 6923 struct bpf_prog *prog; 6924 struct bpf_map *map; 6925 int ret; 6926 6927 if (file->f_op == &bpf_map_fops) { 6928 map = file->private_data; 6929 bpfsec = map->security; 6930 ret = avc_has_perm(&selinux_state, 6931 sid, bpfsec->sid, SECCLASS_BPF, 6932 bpf_map_fmode_to_av(file->f_mode), NULL); 6933 if (ret) 6934 return ret; 6935 } else if (file->f_op == &bpf_prog_fops) { 6936 prog = file->private_data; 6937 bpfsec = prog->aux->security; 6938 ret = avc_has_perm(&selinux_state, 6939 sid, bpfsec->sid, SECCLASS_BPF, 6940 BPF__PROG_RUN, NULL); 6941 if (ret) 6942 return ret; 6943 } 6944 return 0; 6945 } 6946 6947 static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode) 6948 { 6949 u32 sid = current_sid(); 6950 struct bpf_security_struct *bpfsec; 6951 6952 bpfsec = map->security; 6953 return avc_has_perm(&selinux_state, 6954 sid, bpfsec->sid, SECCLASS_BPF, 6955 bpf_map_fmode_to_av(fmode), NULL); 6956 } 6957 6958 static int selinux_bpf_prog(struct bpf_prog *prog) 6959 { 6960 u32 sid = current_sid(); 6961 struct bpf_security_struct *bpfsec; 6962 6963 bpfsec = prog->aux->security; 6964 return avc_has_perm(&selinux_state, 6965 sid, bpfsec->sid, SECCLASS_BPF, 6966 BPF__PROG_RUN, NULL); 6967 } 6968 6969 static int selinux_bpf_map_alloc(struct bpf_map *map) 6970 { 6971 struct bpf_security_struct *bpfsec; 6972 6973 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6974 if (!bpfsec) 6975 return -ENOMEM; 6976 6977 bpfsec->sid = current_sid(); 6978 map->security = bpfsec; 6979 6980 return 0; 6981 } 6982 6983 static void selinux_bpf_map_free(struct bpf_map *map) 6984 { 6985 struct bpf_security_struct *bpfsec = map->security; 6986 6987 map->security = NULL; 6988 kfree(bpfsec); 6989 } 6990 6991 static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux) 6992 { 6993 struct bpf_security_struct *bpfsec; 6994 6995 bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); 6996 if (!bpfsec) 6997 return -ENOMEM; 6998 6999 bpfsec->sid = current_sid(); 7000 aux->security = bpfsec; 7001 7002 return 0; 7003 } 7004 7005 static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) 7006 { 7007 struct bpf_security_struct *bpfsec = aux->security; 7008 7009 aux->security = NULL; 7010 kfree(bpfsec); 7011 } 7012 #endif 7013 7014 static int selinux_lockdown(enum lockdown_reason what) 7015 { 7016 struct common_audit_data ad; 7017 u32 sid = current_sid(); 7018 int invalid_reason = (what <= LOCKDOWN_NONE) || 7019 (what == LOCKDOWN_INTEGRITY_MAX) || 7020 (what >= LOCKDOWN_CONFIDENTIALITY_MAX); 7021 7022 if (WARN(invalid_reason, "Invalid lockdown reason")) { 7023 audit_log(audit_context(), 7024 GFP_ATOMIC, AUDIT_SELINUX_ERR, 7025 "lockdown_reason=invalid"); 7026 return -EINVAL; 7027 } 7028 7029 ad.type = LSM_AUDIT_DATA_LOCKDOWN; 7030 ad.u.reason = what; 7031 7032 if (what <= LOCKDOWN_INTEGRITY_MAX) 7033 return avc_has_perm(&selinux_state, 7034 sid, sid, SECCLASS_LOCKDOWN, 7035 LOCKDOWN__INTEGRITY, &ad); 7036 else 7037 return avc_has_perm(&selinux_state, 7038 sid, sid, SECCLASS_LOCKDOWN, 7039 LOCKDOWN__CONFIDENTIALITY, &ad); 7040 } 7041 7042 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { 7043 .lbs_cred = sizeof(struct task_security_struct), 7044 .lbs_file = sizeof(struct file_security_struct), 7045 .lbs_inode = sizeof(struct inode_security_struct), 7046 .lbs_ipc = sizeof(struct ipc_security_struct), 7047 .lbs_msg_msg = sizeof(struct msg_security_struct), 7048 .lbs_superblock = sizeof(struct superblock_security_struct), 7049 }; 7050 7051 #ifdef CONFIG_PERF_EVENTS 7052 static int selinux_perf_event_open(struct perf_event_attr *attr, int type) 7053 { 7054 u32 requested, sid = current_sid(); 7055 7056 if (type == PERF_SECURITY_OPEN) 7057 requested = PERF_EVENT__OPEN; 7058 else if (type == PERF_SECURITY_CPU) 7059 requested = PERF_EVENT__CPU; 7060 else if (type == PERF_SECURITY_KERNEL) 7061 requested = PERF_EVENT__KERNEL; 7062 else if (type == PERF_SECURITY_TRACEPOINT) 7063 requested = PERF_EVENT__TRACEPOINT; 7064 else 7065 return -EINVAL; 7066 7067 return avc_has_perm(&selinux_state, sid, sid, SECCLASS_PERF_EVENT, 7068 requested, NULL); 7069 } 7070 7071 static int selinux_perf_event_alloc(struct perf_event *event) 7072 { 7073 struct perf_event_security_struct *perfsec; 7074 7075 perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL); 7076 if (!perfsec) 7077 return -ENOMEM; 7078 7079 perfsec->sid = current_sid(); 7080 event->security = perfsec; 7081 7082 return 0; 7083 } 7084 7085 static void selinux_perf_event_free(struct perf_event *event) 7086 { 7087 struct perf_event_security_struct *perfsec = event->security; 7088 7089 event->security = NULL; 7090 kfree(perfsec); 7091 } 7092 7093 static int selinux_perf_event_read(struct perf_event *event) 7094 { 7095 struct perf_event_security_struct *perfsec = event->security; 7096 u32 sid = current_sid(); 7097 7098 return avc_has_perm(&selinux_state, sid, perfsec->sid, 7099 SECCLASS_PERF_EVENT, PERF_EVENT__READ, NULL); 7100 } 7101 7102 static int selinux_perf_event_write(struct perf_event *event) 7103 { 7104 struct perf_event_security_struct *perfsec = event->security; 7105 u32 sid = current_sid(); 7106 7107 return avc_has_perm(&selinux_state, sid, perfsec->sid, 7108 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7109 } 7110 #endif 7111 7112 /* 7113 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 7114 * 1. any hooks that don't belong to (2.) or (3.) below, 7115 * 2. hooks that both access structures allocated by other hooks, and allocate 7116 * structures that can be later accessed by other hooks (mostly "cloning" 7117 * hooks), 7118 * 3. hooks that only allocate structures that can be later accessed by other 7119 * hooks ("allocating" hooks). 7120 * 7121 * Please follow block comment delimiters in the list to keep this order. 7122 * 7123 * This ordering is needed for SELinux runtime disable to work at least somewhat 7124 * safely. Breaking the ordering rules above might lead to NULL pointer derefs 7125 * when disabling SELinux at runtime. 7126 */ 7127 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { 7128 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 7129 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 7130 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 7131 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 7132 7133 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 7134 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 7135 LSM_HOOK_INIT(capget, selinux_capget), 7136 LSM_HOOK_INIT(capset, selinux_capset), 7137 LSM_HOOK_INIT(capable, selinux_capable), 7138 LSM_HOOK_INIT(quotactl, selinux_quotactl), 7139 LSM_HOOK_INIT(quota_on, selinux_quota_on), 7140 LSM_HOOK_INIT(syslog, selinux_syslog), 7141 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 7142 7143 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 7144 7145 LSM_HOOK_INIT(bprm_creds_for_exec, selinux_bprm_creds_for_exec), 7146 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 7147 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 7148 7149 LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), 7150 LSM_HOOK_INIT(sb_mnt_opts_compat, selinux_sb_mnt_opts_compat), 7151 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 7152 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 7153 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 7154 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 7155 LSM_HOOK_INIT(sb_mount, selinux_mount), 7156 LSM_HOOK_INIT(sb_umount, selinux_umount), 7157 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 7158 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 7159 7160 LSM_HOOK_INIT(move_mount, selinux_move_mount), 7161 7162 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 7163 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 7164 7165 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 7166 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 7167 LSM_HOOK_INIT(inode_init_security_anon, selinux_inode_init_security_anon), 7168 LSM_HOOK_INIT(inode_create, selinux_inode_create), 7169 LSM_HOOK_INIT(inode_link, selinux_inode_link), 7170 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 7171 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 7172 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 7173 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 7174 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 7175 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 7176 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 7177 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 7178 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 7179 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 7180 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 7181 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 7182 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 7183 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 7184 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 7185 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 7186 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 7187 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 7188 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 7189 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 7190 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 7191 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 7192 LSM_HOOK_INIT(path_notify, selinux_path_notify), 7193 7194 LSM_HOOK_INIT(kernfs_init_security, selinux_kernfs_init_security), 7195 7196 LSM_HOOK_INIT(file_permission, selinux_file_permission), 7197 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 7198 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 7199 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 7200 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 7201 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 7202 LSM_HOOK_INIT(file_lock, selinux_file_lock), 7203 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 7204 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 7205 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 7206 LSM_HOOK_INIT(file_receive, selinux_file_receive), 7207 7208 LSM_HOOK_INIT(file_open, selinux_file_open), 7209 7210 LSM_HOOK_INIT(task_alloc, selinux_task_alloc), 7211 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 7212 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 7213 LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), 7214 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 7215 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 7216 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 7217 LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), 7218 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 7219 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 7220 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 7221 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 7222 LSM_HOOK_INIT(task_getsecid_subj, selinux_task_getsecid_subj), 7223 LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), 7224 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 7225 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 7226 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 7227 LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit), 7228 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 7229 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 7230 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 7231 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 7232 LSM_HOOK_INIT(task_kill, selinux_task_kill), 7233 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 7234 7235 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 7236 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 7237 7238 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 7239 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 7240 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 7241 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 7242 7243 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 7244 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 7245 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 7246 7247 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 7248 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 7249 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 7250 7251 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 7252 7253 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 7254 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 7255 7256 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 7257 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 7258 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 7259 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 7260 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 7261 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 7262 7263 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 7264 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 7265 7266 LSM_HOOK_INIT(socket_create, selinux_socket_create), 7267 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 7268 LSM_HOOK_INIT(socket_socketpair, selinux_socket_socketpair), 7269 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 7270 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 7271 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 7272 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 7273 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 7274 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 7275 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 7276 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 7277 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 7278 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 7279 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 7280 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 7281 LSM_HOOK_INIT(socket_getpeersec_stream, 7282 selinux_socket_getpeersec_stream), 7283 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 7284 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 7285 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 7286 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 7287 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 7288 LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request), 7289 LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone), 7290 LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect), 7291 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 7292 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 7293 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 7294 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 7295 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 7296 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 7297 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 7298 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 7299 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 7300 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 7301 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 7302 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 7303 #ifdef CONFIG_SECURITY_INFINIBAND 7304 LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), 7305 LSM_HOOK_INIT(ib_endport_manage_subnet, 7306 selinux_ib_endport_manage_subnet), 7307 LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), 7308 #endif 7309 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7310 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 7311 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 7312 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 7313 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 7314 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 7315 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 7316 selinux_xfrm_state_pol_flow_match), 7317 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 7318 #endif 7319 7320 #ifdef CONFIG_KEYS 7321 LSM_HOOK_INIT(key_free, selinux_key_free), 7322 LSM_HOOK_INIT(key_permission, selinux_key_permission), 7323 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 7324 #ifdef CONFIG_KEY_NOTIFICATIONS 7325 LSM_HOOK_INIT(watch_key, selinux_watch_key), 7326 #endif 7327 #endif 7328 7329 #ifdef CONFIG_AUDIT 7330 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 7331 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 7332 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 7333 #endif 7334 7335 #ifdef CONFIG_BPF_SYSCALL 7336 LSM_HOOK_INIT(bpf, selinux_bpf), 7337 LSM_HOOK_INIT(bpf_map, selinux_bpf_map), 7338 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), 7339 LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free), 7340 LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free), 7341 #endif 7342 7343 #ifdef CONFIG_PERF_EVENTS 7344 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7345 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free), 7346 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7347 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7348 #endif 7349 7350 LSM_HOOK_INIT(locked_down, selinux_lockdown), 7351 7352 /* 7353 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7354 */ 7355 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7356 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7357 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7358 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt), 7359 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7360 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 7361 #endif 7362 7363 /* 7364 * PUT "ALLOCATING" HOOKS HERE 7365 */ 7366 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 7367 LSM_HOOK_INIT(msg_queue_alloc_security, 7368 selinux_msg_queue_alloc_security), 7369 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 7370 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 7371 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 7372 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 7373 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 7374 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 7375 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 7376 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 7377 #ifdef CONFIG_SECURITY_INFINIBAND 7378 LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), 7379 #endif 7380 #ifdef CONFIG_SECURITY_NETWORK_XFRM 7381 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 7382 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 7383 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 7384 selinux_xfrm_state_alloc_acquire), 7385 #endif 7386 #ifdef CONFIG_KEYS 7387 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 7388 #endif 7389 #ifdef CONFIG_AUDIT 7390 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 7391 #endif 7392 #ifdef CONFIG_BPF_SYSCALL 7393 LSM_HOOK_INIT(bpf_map_alloc_security, selinux_bpf_map_alloc), 7394 LSM_HOOK_INIT(bpf_prog_alloc_security, selinux_bpf_prog_alloc), 7395 #endif 7396 #ifdef CONFIG_PERF_EVENTS 7397 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), 7398 #endif 7399 }; 7400 7401 static __init int selinux_init(void) 7402 { 7403 pr_info("SELinux: Initializing.\n"); 7404 7405 memset(&selinux_state, 0, sizeof(selinux_state)); 7406 enforcing_set(&selinux_state, selinux_enforcing_boot); 7407 checkreqprot_set(&selinux_state, selinux_checkreqprot_boot); 7408 selinux_avc_init(&selinux_state.avc); 7409 mutex_init(&selinux_state.status_lock); 7410 mutex_init(&selinux_state.policy_mutex); 7411 7412 /* Set the security state for the initial task. */ 7413 cred_init_security(); 7414 7415 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 7416 7417 avc_init(); 7418 7419 avtab_cache_init(); 7420 7421 ebitmap_cache_init(); 7422 7423 hashtab_cache_init(); 7424 7425 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); 7426 7427 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 7428 panic("SELinux: Unable to register AVC netcache callback\n"); 7429 7430 if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET)) 7431 panic("SELinux: Unable to register AVC LSM notifier callback\n"); 7432 7433 if (selinux_enforcing_boot) 7434 pr_debug("SELinux: Starting in enforcing mode\n"); 7435 else 7436 pr_debug("SELinux: Starting in permissive mode\n"); 7437 7438 fs_validate_description("selinux", selinux_fs_parameters); 7439 7440 return 0; 7441 } 7442 7443 static void delayed_superblock_init(struct super_block *sb, void *unused) 7444 { 7445 selinux_set_mnt_opts(sb, NULL, 0, NULL); 7446 } 7447 7448 void selinux_complete_init(void) 7449 { 7450 pr_debug("SELinux: Completing initialization.\n"); 7451 7452 /* Set up any superblocks initialized prior to the policy load. */ 7453 pr_debug("SELinux: Setting up existing superblocks.\n"); 7454 iterate_supers(delayed_superblock_init, NULL); 7455 } 7456 7457 /* SELinux requires early initialization in order to label 7458 all processes and objects when they are created. */ 7459 DEFINE_LSM(selinux) = { 7460 .name = "selinux", 7461 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 7462 .enabled = &selinux_enabled_boot, 7463 .blobs = &selinux_blob_sizes, 7464 .init = selinux_init, 7465 }; 7466 7467 #if defined(CONFIG_NETFILTER) 7468 7469 static const struct nf_hook_ops selinux_nf_ops[] = { 7470 { 7471 .hook = selinux_ipv4_postroute, 7472 .pf = NFPROTO_IPV4, 7473 .hooknum = NF_INET_POST_ROUTING, 7474 .priority = NF_IP_PRI_SELINUX_LAST, 7475 }, 7476 { 7477 .hook = selinux_ipv4_forward, 7478 .pf = NFPROTO_IPV4, 7479 .hooknum = NF_INET_FORWARD, 7480 .priority = NF_IP_PRI_SELINUX_FIRST, 7481 }, 7482 { 7483 .hook = selinux_ipv4_output, 7484 .pf = NFPROTO_IPV4, 7485 .hooknum = NF_INET_LOCAL_OUT, 7486 .priority = NF_IP_PRI_SELINUX_FIRST, 7487 }, 7488 #if IS_ENABLED(CONFIG_IPV6) 7489 { 7490 .hook = selinux_ipv6_postroute, 7491 .pf = NFPROTO_IPV6, 7492 .hooknum = NF_INET_POST_ROUTING, 7493 .priority = NF_IP6_PRI_SELINUX_LAST, 7494 }, 7495 { 7496 .hook = selinux_ipv6_forward, 7497 .pf = NFPROTO_IPV6, 7498 .hooknum = NF_INET_FORWARD, 7499 .priority = NF_IP6_PRI_SELINUX_FIRST, 7500 }, 7501 { 7502 .hook = selinux_ipv6_output, 7503 .pf = NFPROTO_IPV6, 7504 .hooknum = NF_INET_LOCAL_OUT, 7505 .priority = NF_IP6_PRI_SELINUX_FIRST, 7506 }, 7507 #endif /* IPV6 */ 7508 }; 7509 7510 static int __net_init selinux_nf_register(struct net *net) 7511 { 7512 return nf_register_net_hooks(net, selinux_nf_ops, 7513 ARRAY_SIZE(selinux_nf_ops)); 7514 } 7515 7516 static void __net_exit selinux_nf_unregister(struct net *net) 7517 { 7518 nf_unregister_net_hooks(net, selinux_nf_ops, 7519 ARRAY_SIZE(selinux_nf_ops)); 7520 } 7521 7522 static struct pernet_operations selinux_net_ops = { 7523 .init = selinux_nf_register, 7524 .exit = selinux_nf_unregister, 7525 }; 7526 7527 static int __init selinux_nf_ip_init(void) 7528 { 7529 int err; 7530 7531 if (!selinux_enabled_boot) 7532 return 0; 7533 7534 pr_debug("SELinux: Registering netfilter hooks\n"); 7535 7536 err = register_pernet_subsys(&selinux_net_ops); 7537 if (err) 7538 panic("SELinux: register_pernet_subsys: error %d\n", err); 7539 7540 return 0; 7541 } 7542 __initcall(selinux_nf_ip_init); 7543 7544 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7545 static void selinux_nf_ip_exit(void) 7546 { 7547 pr_debug("SELinux: Unregistering netfilter hooks\n"); 7548 7549 unregister_pernet_subsys(&selinux_net_ops); 7550 } 7551 #endif 7552 7553 #else /* CONFIG_NETFILTER */ 7554 7555 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7556 #define selinux_nf_ip_exit() 7557 #endif 7558 7559 #endif /* CONFIG_NETFILTER */ 7560 7561 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 7562 int selinux_disable(struct selinux_state *state) 7563 { 7564 if (selinux_initialized(state)) { 7565 /* Not permitted after initial policy load. */ 7566 return -EINVAL; 7567 } 7568 7569 if (selinux_disabled(state)) { 7570 /* Only do this once. */ 7571 return -EINVAL; 7572 } 7573 7574 selinux_mark_disabled(state); 7575 7576 pr_info("SELinux: Disabled at runtime.\n"); 7577 7578 /* 7579 * Unregister netfilter hooks. 7580 * Must be done before security_delete_hooks() to avoid breaking 7581 * runtime disable. 7582 */ 7583 selinux_nf_ip_exit(); 7584 7585 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 7586 7587 /* Try to destroy the avc node cache */ 7588 avc_disable(); 7589 7590 /* Unregister selinuxfs. */ 7591 exit_sel_fs(); 7592 7593 return 0; 7594 } 7595 #endif 7596