1 /* 2 * NSA Security-Enhanced Linux (SELinux) security module 3 * 4 * This file contains the SELinux hook function implementations. 5 * 6 * Authors: Stephen Smalley, <sds@epoch.ncsc.mil> 7 * Chris Vance, <cvance@nai.com> 8 * Wayne Salamon, <wsalamon@nai.com> 9 * James Morris <jmorris@redhat.com> 10 * 11 * Copyright (C) 2001,2002 Networks Associates Technology, Inc. 12 * Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 13 * Eric Paris <eparis@redhat.com> 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 15 * <dgoeddel@trustedcs.com> 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P. 17 * Paul Moore <paul@paul-moore.com> 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 20 * 21 * This program is free software; you can redistribute it and/or modify 22 * it under the terms of the GNU General Public License version 2, 23 * as published by the Free Software Foundation. 24 */ 25 26 #include <linux/init.h> 27 #include <linux/kd.h> 28 #include <linux/kernel.h> 29 #include <linux/tracehook.h> 30 #include <linux/errno.h> 31 #include <linux/sched.h> 32 #include <linux/lsm_hooks.h> 33 #include <linux/xattr.h> 34 #include <linux/capability.h> 35 #include <linux/unistd.h> 36 #include <linux/mm.h> 37 #include <linux/mman.h> 38 #include <linux/slab.h> 39 #include <linux/pagemap.h> 40 #include <linux/proc_fs.h> 41 #include <linux/swap.h> 42 #include <linux/spinlock.h> 43 #include <linux/syscalls.h> 44 #include <linux/dcache.h> 45 #include <linux/file.h> 46 #include <linux/fdtable.h> 47 #include <linux/namei.h> 48 #include <linux/mount.h> 49 #include <linux/netfilter_ipv4.h> 50 #include <linux/netfilter_ipv6.h> 51 #include <linux/tty.h> 52 #include <net/icmp.h> 53 #include <net/ip.h> /* for local_port_range[] */ 54 #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */ 55 #include <net/inet_connection_sock.h> 56 #include <net/net_namespace.h> 57 #include <net/netlabel.h> 58 #include <linux/uaccess.h> 59 #include <asm/ioctls.h> 60 #include <linux/atomic.h> 61 #include <linux/bitops.h> 62 #include <linux/interrupt.h> 63 #include <linux/netdevice.h> /* for network interface checks */ 64 #include <net/netlink.h> 65 #include <linux/tcp.h> 66 #include <linux/udp.h> 67 #include <linux/dccp.h> 68 #include <linux/quota.h> 69 #include <linux/un.h> /* for Unix socket types */ 70 #include <net/af_unix.h> /* for Unix socket types */ 71 #include <linux/parser.h> 72 #include <linux/nfs_mount.h> 73 #include <net/ipv6.h> 74 #include <linux/hugetlb.h> 75 #include <linux/personality.h> 76 #include <linux/audit.h> 77 #include <linux/string.h> 78 #include <linux/selinux.h> 79 #include <linux/mutex.h> 80 #include <linux/posix-timers.h> 81 #include <linux/syslog.h> 82 #include <linux/user_namespace.h> 83 #include <linux/export.h> 84 #include <linux/msg.h> 85 #include <linux/shm.h> 86 87 #include "avc.h" 88 #include "objsec.h" 89 #include "netif.h" 90 #include "netnode.h" 91 #include "netport.h" 92 #include "xfrm.h" 93 #include "netlabel.h" 94 #include "audit.h" 95 #include "avc_ss.h" 96 97 /* SECMARK reference count */ 98 static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); 99 100 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 101 int selinux_enforcing; 102 103 static int __init enforcing_setup(char *str) 104 { 105 unsigned long enforcing; 106 if (!kstrtoul(str, 0, &enforcing)) 107 selinux_enforcing = enforcing ? 1 : 0; 108 return 1; 109 } 110 __setup("enforcing=", enforcing_setup); 111 #endif 112 113 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM 114 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; 115 116 static int __init selinux_enabled_setup(char *str) 117 { 118 unsigned long enabled; 119 if (!kstrtoul(str, 0, &enabled)) 120 selinux_enabled = enabled ? 1 : 0; 121 return 1; 122 } 123 __setup("selinux=", selinux_enabled_setup); 124 #else 125 int selinux_enabled = 1; 126 #endif 127 128 static struct kmem_cache *sel_inode_cache; 129 static struct kmem_cache *file_security_cache; 130 131 /** 132 * selinux_secmark_enabled - Check to see if SECMARK is currently enabled 133 * 134 * Description: 135 * This function checks the SECMARK reference counter to see if any SECMARK 136 * targets are currently configured, if the reference counter is greater than 137 * zero SECMARK is considered to be enabled. Returns true (1) if SECMARK is 138 * enabled, false (0) if SECMARK is disabled. If the always_check_network 139 * policy capability is enabled, SECMARK is always considered enabled. 140 * 141 */ 142 static int selinux_secmark_enabled(void) 143 { 144 return (selinux_policycap_alwaysnetwork || atomic_read(&selinux_secmark_refcount)); 145 } 146 147 /** 148 * selinux_peerlbl_enabled - Check to see if peer labeling is currently enabled 149 * 150 * Description: 151 * This function checks if NetLabel or labeled IPSEC is enabled. Returns true 152 * (1) if any are enabled or false (0) if neither are enabled. If the 153 * always_check_network policy capability is enabled, peer labeling 154 * is always considered enabled. 155 * 156 */ 157 static int selinux_peerlbl_enabled(void) 158 { 159 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 160 } 161 162 static int selinux_netcache_avc_callback(u32 event) 163 { 164 if (event == AVC_CALLBACK_RESET) { 165 sel_netif_flush(); 166 sel_netnode_flush(); 167 sel_netport_flush(); 168 synchronize_net(); 169 } 170 return 0; 171 } 172 173 /* 174 * initialise the security for the init task 175 */ 176 static void cred_init_security(void) 177 { 178 struct cred *cred = (struct cred *) current->real_cred; 179 struct task_security_struct *tsec; 180 181 tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL); 182 if (!tsec) 183 panic("SELinux: Failed to initialize initial task.\n"); 184 185 tsec->osid = tsec->sid = SECINITSID_KERNEL; 186 cred->security = tsec; 187 } 188 189 /* 190 * get the security ID of a set of credentials 191 */ 192 static inline u32 cred_sid(const struct cred *cred) 193 { 194 const struct task_security_struct *tsec; 195 196 tsec = cred->security; 197 return tsec->sid; 198 } 199 200 /* 201 * get the objective security ID of a task 202 */ 203 static inline u32 task_sid(const struct task_struct *task) 204 { 205 u32 sid; 206 207 rcu_read_lock(); 208 sid = cred_sid(__task_cred(task)); 209 rcu_read_unlock(); 210 return sid; 211 } 212 213 /* 214 * get the subjective security ID of the current task 215 */ 216 static inline u32 current_sid(void) 217 { 218 const struct task_security_struct *tsec = current_security(); 219 220 return tsec->sid; 221 } 222 223 /* Allocate and free functions for each kind of security blob. */ 224 225 static int inode_alloc_security(struct inode *inode) 226 { 227 struct inode_security_struct *isec; 228 u32 sid = current_sid(); 229 230 isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS); 231 if (!isec) 232 return -ENOMEM; 233 234 mutex_init(&isec->lock); 235 INIT_LIST_HEAD(&isec->list); 236 isec->inode = inode; 237 isec->sid = SECINITSID_UNLABELED; 238 isec->sclass = SECCLASS_FILE; 239 isec->task_sid = sid; 240 inode->i_security = isec; 241 242 return 0; 243 } 244 245 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 246 247 /* 248 * Try reloading inode security labels that have been marked as invalid. The 249 * @may_sleep parameter indicates when sleeping and thus reloading labels is 250 * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is 251 * invalid. The @opt_dentry parameter should be set to a dentry of the inode; 252 * when no dentry is available, set it to NULL instead. 253 */ 254 static int __inode_security_revalidate(struct inode *inode, 255 struct dentry *opt_dentry, 256 bool may_sleep) 257 { 258 struct inode_security_struct *isec = inode->i_security; 259 260 might_sleep_if(may_sleep); 261 262 if (ss_initialized && isec->initialized != LABEL_INITIALIZED) { 263 if (!may_sleep) 264 return -ECHILD; 265 266 /* 267 * Try reloading the inode security label. This will fail if 268 * @opt_dentry is NULL and no dentry for this inode can be 269 * found; in that case, continue using the old label. 270 */ 271 inode_doinit_with_dentry(inode, opt_dentry); 272 } 273 return 0; 274 } 275 276 static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 277 { 278 return inode->i_security; 279 } 280 281 static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 282 { 283 int error; 284 285 error = __inode_security_revalidate(inode, NULL, !rcu); 286 if (error) 287 return ERR_PTR(error); 288 return inode->i_security; 289 } 290 291 /* 292 * Get the security label of an inode. 293 */ 294 static struct inode_security_struct *inode_security(struct inode *inode) 295 { 296 __inode_security_revalidate(inode, NULL, true); 297 return inode->i_security; 298 } 299 300 static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry) 301 { 302 struct inode *inode = d_backing_inode(dentry); 303 304 return inode->i_security; 305 } 306 307 /* 308 * Get the security label of a dentry's backing inode. 309 */ 310 static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 311 { 312 struct inode *inode = d_backing_inode(dentry); 313 314 __inode_security_revalidate(inode, dentry, true); 315 return inode->i_security; 316 } 317 318 static void inode_free_rcu(struct rcu_head *head) 319 { 320 struct inode_security_struct *isec; 321 322 isec = container_of(head, struct inode_security_struct, rcu); 323 kmem_cache_free(sel_inode_cache, isec); 324 } 325 326 static void inode_free_security(struct inode *inode) 327 { 328 struct inode_security_struct *isec = inode->i_security; 329 struct superblock_security_struct *sbsec = inode->i_sb->s_security; 330 331 /* 332 * As not all inode security structures are in a list, we check for 333 * empty list outside of the lock to make sure that we won't waste 334 * time taking a lock doing nothing. 335 * 336 * The list_del_init() function can be safely called more than once. 337 * It should not be possible for this function to be called with 338 * concurrent list_add(), but for better safety against future changes 339 * in the code, we use list_empty_careful() here. 340 */ 341 if (!list_empty_careful(&isec->list)) { 342 spin_lock(&sbsec->isec_lock); 343 list_del_init(&isec->list); 344 spin_unlock(&sbsec->isec_lock); 345 } 346 347 /* 348 * The inode may still be referenced in a path walk and 349 * a call to selinux_inode_permission() can be made 350 * after inode_free_security() is called. Ideally, the VFS 351 * wouldn't do this, but fixing that is a much harder 352 * job. For now, simply free the i_security via RCU, and 353 * leave the current inode->i_security pointer intact. 354 * The inode will be freed after the RCU grace period too. 355 */ 356 call_rcu(&isec->rcu, inode_free_rcu); 357 } 358 359 static int file_alloc_security(struct file *file) 360 { 361 struct file_security_struct *fsec; 362 u32 sid = current_sid(); 363 364 fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL); 365 if (!fsec) 366 return -ENOMEM; 367 368 fsec->sid = sid; 369 fsec->fown_sid = sid; 370 file->f_security = fsec; 371 372 return 0; 373 } 374 375 static void file_free_security(struct file *file) 376 { 377 struct file_security_struct *fsec = file->f_security; 378 file->f_security = NULL; 379 kmem_cache_free(file_security_cache, fsec); 380 } 381 382 static int superblock_alloc_security(struct super_block *sb) 383 { 384 struct superblock_security_struct *sbsec; 385 386 sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); 387 if (!sbsec) 388 return -ENOMEM; 389 390 mutex_init(&sbsec->lock); 391 INIT_LIST_HEAD(&sbsec->isec_head); 392 spin_lock_init(&sbsec->isec_lock); 393 sbsec->sb = sb; 394 sbsec->sid = SECINITSID_UNLABELED; 395 sbsec->def_sid = SECINITSID_FILE; 396 sbsec->mntpoint_sid = SECINITSID_UNLABELED; 397 sb->s_security = sbsec; 398 399 return 0; 400 } 401 402 static void superblock_free_security(struct super_block *sb) 403 { 404 struct superblock_security_struct *sbsec = sb->s_security; 405 sb->s_security = NULL; 406 kfree(sbsec); 407 } 408 409 /* The file system's label must be initialized prior to use. */ 410 411 static const char *labeling_behaviors[7] = { 412 "uses xattr", 413 "uses transition SIDs", 414 "uses task SIDs", 415 "uses genfs_contexts", 416 "not configured for labeling", 417 "uses mountpoint labeling", 418 "uses native labeling", 419 }; 420 421 static inline int inode_doinit(struct inode *inode) 422 { 423 return inode_doinit_with_dentry(inode, NULL); 424 } 425 426 enum { 427 Opt_error = -1, 428 Opt_context = 1, 429 Opt_fscontext = 2, 430 Opt_defcontext = 3, 431 Opt_rootcontext = 4, 432 Opt_labelsupport = 5, 433 Opt_nextmntopt = 6, 434 }; 435 436 #define NUM_SEL_MNT_OPTS (Opt_nextmntopt - 1) 437 438 static const match_table_t tokens = { 439 {Opt_context, CONTEXT_STR "%s"}, 440 {Opt_fscontext, FSCONTEXT_STR "%s"}, 441 {Opt_defcontext, DEFCONTEXT_STR "%s"}, 442 {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, 443 {Opt_labelsupport, LABELSUPP_STR}, 444 {Opt_error, NULL}, 445 }; 446 447 #define SEL_MOUNT_FAIL_MSG "SELinux: duplicate or incompatible mount options\n" 448 449 static int may_context_mount_sb_relabel(u32 sid, 450 struct superblock_security_struct *sbsec, 451 const struct cred *cred) 452 { 453 const struct task_security_struct *tsec = cred->security; 454 int rc; 455 456 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 457 FILESYSTEM__RELABELFROM, NULL); 458 if (rc) 459 return rc; 460 461 rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, 462 FILESYSTEM__RELABELTO, NULL); 463 return rc; 464 } 465 466 static int may_context_mount_inode_relabel(u32 sid, 467 struct superblock_security_struct *sbsec, 468 const struct cred *cred) 469 { 470 const struct task_security_struct *tsec = cred->security; 471 int rc; 472 rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, 473 FILESYSTEM__RELABELFROM, NULL); 474 if (rc) 475 return rc; 476 477 rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, 478 FILESYSTEM__ASSOCIATE, NULL); 479 return rc; 480 } 481 482 static int selinux_is_sblabel_mnt(struct super_block *sb) 483 { 484 struct superblock_security_struct *sbsec = sb->s_security; 485 486 return sbsec->behavior == SECURITY_FS_USE_XATTR || 487 sbsec->behavior == SECURITY_FS_USE_TRANS || 488 sbsec->behavior == SECURITY_FS_USE_TASK || 489 sbsec->behavior == SECURITY_FS_USE_NATIVE || 490 /* Special handling. Genfs but also in-core setxattr handler */ 491 !strcmp(sb->s_type->name, "sysfs") || 492 !strcmp(sb->s_type->name, "pstore") || 493 !strcmp(sb->s_type->name, "debugfs") || 494 !strcmp(sb->s_type->name, "rootfs"); 495 } 496 497 static int sb_finish_set_opts(struct super_block *sb) 498 { 499 struct superblock_security_struct *sbsec = sb->s_security; 500 struct dentry *root = sb->s_root; 501 struct inode *root_inode = d_backing_inode(root); 502 int rc = 0; 503 504 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 505 /* Make sure that the xattr handler exists and that no 506 error other than -ENODATA is returned by getxattr on 507 the root directory. -ENODATA is ok, as this may be 508 the first boot of the SELinux kernel before we have 509 assigned xattr values to the filesystem. */ 510 if (!(root_inode->i_opflags & IOP_XATTR)) { 511 printk(KERN_WARNING "SELinux: (dev %s, type %s) has no " 512 "xattr support\n", sb->s_id, sb->s_type->name); 513 rc = -EOPNOTSUPP; 514 goto out; 515 } 516 517 rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, NULL, 0); 518 if (rc < 0 && rc != -ENODATA) { 519 if (rc == -EOPNOTSUPP) 520 printk(KERN_WARNING "SELinux: (dev %s, type " 521 "%s) has no security xattr handler\n", 522 sb->s_id, sb->s_type->name); 523 else 524 printk(KERN_WARNING "SELinux: (dev %s, type " 525 "%s) getxattr errno %d\n", sb->s_id, 526 sb->s_type->name, -rc); 527 goto out; 528 } 529 } 530 531 if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 532 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", 533 sb->s_id, sb->s_type->name); 534 535 sbsec->flags |= SE_SBINITIALIZED; 536 if (selinux_is_sblabel_mnt(sb)) 537 sbsec->flags |= SBLABEL_MNT; 538 539 /* Initialize the root inode. */ 540 rc = inode_doinit_with_dentry(root_inode, root); 541 542 /* Initialize any other inodes associated with the superblock, e.g. 543 inodes created prior to initial policy load or inodes created 544 during get_sb by a pseudo filesystem that directly 545 populates itself. */ 546 spin_lock(&sbsec->isec_lock); 547 next_inode: 548 if (!list_empty(&sbsec->isec_head)) { 549 struct inode_security_struct *isec = 550 list_entry(sbsec->isec_head.next, 551 struct inode_security_struct, list); 552 struct inode *inode = isec->inode; 553 list_del_init(&isec->list); 554 spin_unlock(&sbsec->isec_lock); 555 inode = igrab(inode); 556 if (inode) { 557 if (!IS_PRIVATE(inode)) 558 inode_doinit(inode); 559 iput(inode); 560 } 561 spin_lock(&sbsec->isec_lock); 562 goto next_inode; 563 } 564 spin_unlock(&sbsec->isec_lock); 565 out: 566 return rc; 567 } 568 569 /* 570 * This function should allow an FS to ask what it's mount security 571 * options were so it can use those later for submounts, displaying 572 * mount options, or whatever. 573 */ 574 static int selinux_get_mnt_opts(const struct super_block *sb, 575 struct security_mnt_opts *opts) 576 { 577 int rc = 0, i; 578 struct superblock_security_struct *sbsec = sb->s_security; 579 char *context = NULL; 580 u32 len; 581 char tmp; 582 583 security_init_mnt_opts(opts); 584 585 if (!(sbsec->flags & SE_SBINITIALIZED)) 586 return -EINVAL; 587 588 if (!ss_initialized) 589 return -EINVAL; 590 591 /* make sure we always check enough bits to cover the mask */ 592 BUILD_BUG_ON(SE_MNTMASK >= (1 << NUM_SEL_MNT_OPTS)); 593 594 tmp = sbsec->flags & SE_MNTMASK; 595 /* count the number of mount options for this sb */ 596 for (i = 0; i < NUM_SEL_MNT_OPTS; i++) { 597 if (tmp & 0x01) 598 opts->num_mnt_opts++; 599 tmp >>= 1; 600 } 601 /* Check if the Label support flag is set */ 602 if (sbsec->flags & SBLABEL_MNT) 603 opts->num_mnt_opts++; 604 605 opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); 606 if (!opts->mnt_opts) { 607 rc = -ENOMEM; 608 goto out_free; 609 } 610 611 opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC); 612 if (!opts->mnt_opts_flags) { 613 rc = -ENOMEM; 614 goto out_free; 615 } 616 617 i = 0; 618 if (sbsec->flags & FSCONTEXT_MNT) { 619 rc = security_sid_to_context(sbsec->sid, &context, &len); 620 if (rc) 621 goto out_free; 622 opts->mnt_opts[i] = context; 623 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT; 624 } 625 if (sbsec->flags & CONTEXT_MNT) { 626 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len); 627 if (rc) 628 goto out_free; 629 opts->mnt_opts[i] = context; 630 opts->mnt_opts_flags[i++] = CONTEXT_MNT; 631 } 632 if (sbsec->flags & DEFCONTEXT_MNT) { 633 rc = security_sid_to_context(sbsec->def_sid, &context, &len); 634 if (rc) 635 goto out_free; 636 opts->mnt_opts[i] = context; 637 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 638 } 639 if (sbsec->flags & ROOTCONTEXT_MNT) { 640 struct dentry *root = sbsec->sb->s_root; 641 struct inode_security_struct *isec = backing_inode_security(root); 642 643 rc = security_sid_to_context(isec->sid, &context, &len); 644 if (rc) 645 goto out_free; 646 opts->mnt_opts[i] = context; 647 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; 648 } 649 if (sbsec->flags & SBLABEL_MNT) { 650 opts->mnt_opts[i] = NULL; 651 opts->mnt_opts_flags[i++] = SBLABEL_MNT; 652 } 653 654 BUG_ON(i != opts->num_mnt_opts); 655 656 return 0; 657 658 out_free: 659 security_free_mnt_opts(opts); 660 return rc; 661 } 662 663 static int bad_option(struct superblock_security_struct *sbsec, char flag, 664 u32 old_sid, u32 new_sid) 665 { 666 char mnt_flags = sbsec->flags & SE_MNTMASK; 667 668 /* check if the old mount command had the same options */ 669 if (sbsec->flags & SE_SBINITIALIZED) 670 if (!(sbsec->flags & flag) || 671 (old_sid != new_sid)) 672 return 1; 673 674 /* check if we were passed the same options twice, 675 * aka someone passed context=a,context=b 676 */ 677 if (!(sbsec->flags & SE_SBINITIALIZED)) 678 if (mnt_flags & flag) 679 return 1; 680 return 0; 681 } 682 683 /* 684 * Allow filesystems with binary mount data to explicitly set mount point 685 * labeling information. 686 */ 687 static int selinux_set_mnt_opts(struct super_block *sb, 688 struct security_mnt_opts *opts, 689 unsigned long kern_flags, 690 unsigned long *set_kern_flags) 691 { 692 const struct cred *cred = current_cred(); 693 int rc = 0, i; 694 struct superblock_security_struct *sbsec = sb->s_security; 695 const char *name = sb->s_type->name; 696 struct dentry *root = sbsec->sb->s_root; 697 struct inode_security_struct *root_isec; 698 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 699 u32 defcontext_sid = 0; 700 char **mount_options = opts->mnt_opts; 701 int *flags = opts->mnt_opts_flags; 702 int num_opts = opts->num_mnt_opts; 703 704 mutex_lock(&sbsec->lock); 705 706 if (!ss_initialized) { 707 if (!num_opts) { 708 /* Defer initialization until selinux_complete_init, 709 after the initial policy is loaded and the security 710 server is ready to handle calls. */ 711 goto out; 712 } 713 rc = -EINVAL; 714 printk(KERN_WARNING "SELinux: Unable to set superblock options " 715 "before the security server is initialized\n"); 716 goto out; 717 } 718 if (kern_flags && !set_kern_flags) { 719 /* Specifying internal flags without providing a place to 720 * place the results is not allowed */ 721 rc = -EINVAL; 722 goto out; 723 } 724 725 /* 726 * Binary mount data FS will come through this function twice. Once 727 * from an explicit call and once from the generic calls from the vfs. 728 * Since the generic VFS calls will not contain any security mount data 729 * we need to skip the double mount verification. 730 * 731 * This does open a hole in which we will not notice if the first 732 * mount using this sb set explict options and a second mount using 733 * this sb does not set any security options. (The first options 734 * will be used for both mounts) 735 */ 736 if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 737 && (num_opts == 0)) 738 goto out; 739 740 root_isec = backing_inode_security_novalidate(root); 741 742 /* 743 * parse the mount options, check if they are valid sids. 744 * also check if someone is trying to mount the same sb more 745 * than once with different security options. 746 */ 747 for (i = 0; i < num_opts; i++) { 748 u32 sid; 749 750 if (flags[i] == SBLABEL_MNT) 751 continue; 752 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 753 if (rc) { 754 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 755 "(%s) failed for (dev %s, type %s) errno=%d\n", 756 mount_options[i], sb->s_id, name, rc); 757 goto out; 758 } 759 switch (flags[i]) { 760 case FSCONTEXT_MNT: 761 fscontext_sid = sid; 762 763 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, 764 fscontext_sid)) 765 goto out_double_mount; 766 767 sbsec->flags |= FSCONTEXT_MNT; 768 break; 769 case CONTEXT_MNT: 770 context_sid = sid; 771 772 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, 773 context_sid)) 774 goto out_double_mount; 775 776 sbsec->flags |= CONTEXT_MNT; 777 break; 778 case ROOTCONTEXT_MNT: 779 rootcontext_sid = sid; 780 781 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, 782 rootcontext_sid)) 783 goto out_double_mount; 784 785 sbsec->flags |= ROOTCONTEXT_MNT; 786 787 break; 788 case DEFCONTEXT_MNT: 789 defcontext_sid = sid; 790 791 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, 792 defcontext_sid)) 793 goto out_double_mount; 794 795 sbsec->flags |= DEFCONTEXT_MNT; 796 797 break; 798 default: 799 rc = -EINVAL; 800 goto out; 801 } 802 } 803 804 if (sbsec->flags & SE_SBINITIALIZED) { 805 /* previously mounted with options, but not on this attempt? */ 806 if ((sbsec->flags & SE_MNTMASK) && !num_opts) 807 goto out_double_mount; 808 rc = 0; 809 goto out; 810 } 811 812 if (strcmp(sb->s_type->name, "proc") == 0) 813 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 814 815 if (!strcmp(sb->s_type->name, "debugfs") || 816 !strcmp(sb->s_type->name, "sysfs") || 817 !strcmp(sb->s_type->name, "pstore")) 818 sbsec->flags |= SE_SBGENFS; 819 820 if (!sbsec->behavior) { 821 /* 822 * Determine the labeling behavior to use for this 823 * filesystem type. 824 */ 825 rc = security_fs_use(sb); 826 if (rc) { 827 printk(KERN_WARNING 828 "%s: security_fs_use(%s) returned %d\n", 829 __func__, sb->s_type->name, rc); 830 goto out; 831 } 832 } 833 834 /* 835 * If this is a user namespace mount, no contexts are allowed 836 * on the command line and security labels must be ignored. 837 */ 838 if (sb->s_user_ns != &init_user_ns) { 839 if (context_sid || fscontext_sid || rootcontext_sid || 840 defcontext_sid) { 841 rc = -EACCES; 842 goto out; 843 } 844 if (sbsec->behavior == SECURITY_FS_USE_XATTR) { 845 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 846 rc = security_transition_sid(current_sid(), current_sid(), 847 SECCLASS_FILE, NULL, 848 &sbsec->mntpoint_sid); 849 if (rc) 850 goto out; 851 } 852 goto out_set_opts; 853 } 854 855 /* sets the context of the superblock for the fs being mounted. */ 856 if (fscontext_sid) { 857 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred); 858 if (rc) 859 goto out; 860 861 sbsec->sid = fscontext_sid; 862 } 863 864 /* 865 * Switch to using mount point labeling behavior. 866 * sets the label used on all file below the mountpoint, and will set 867 * the superblock context if not already set. 868 */ 869 if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) { 870 sbsec->behavior = SECURITY_FS_USE_NATIVE; 871 *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS; 872 } 873 874 if (context_sid) { 875 if (!fscontext_sid) { 876 rc = may_context_mount_sb_relabel(context_sid, sbsec, 877 cred); 878 if (rc) 879 goto out; 880 sbsec->sid = context_sid; 881 } else { 882 rc = may_context_mount_inode_relabel(context_sid, sbsec, 883 cred); 884 if (rc) 885 goto out; 886 } 887 if (!rootcontext_sid) 888 rootcontext_sid = context_sid; 889 890 sbsec->mntpoint_sid = context_sid; 891 sbsec->behavior = SECURITY_FS_USE_MNTPOINT; 892 } 893 894 if (rootcontext_sid) { 895 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec, 896 cred); 897 if (rc) 898 goto out; 899 900 root_isec->sid = rootcontext_sid; 901 root_isec->initialized = LABEL_INITIALIZED; 902 } 903 904 if (defcontext_sid) { 905 if (sbsec->behavior != SECURITY_FS_USE_XATTR && 906 sbsec->behavior != SECURITY_FS_USE_NATIVE) { 907 rc = -EINVAL; 908 printk(KERN_WARNING "SELinux: defcontext option is " 909 "invalid for this filesystem type\n"); 910 goto out; 911 } 912 913 if (defcontext_sid != sbsec->def_sid) { 914 rc = may_context_mount_inode_relabel(defcontext_sid, 915 sbsec, cred); 916 if (rc) 917 goto out; 918 } 919 920 sbsec->def_sid = defcontext_sid; 921 } 922 923 out_set_opts: 924 rc = sb_finish_set_opts(sb); 925 out: 926 mutex_unlock(&sbsec->lock); 927 return rc; 928 out_double_mount: 929 rc = -EINVAL; 930 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, different " 931 "security settings for (dev %s, type %s)\n", sb->s_id, name); 932 goto out; 933 } 934 935 static int selinux_cmp_sb_context(const struct super_block *oldsb, 936 const struct super_block *newsb) 937 { 938 struct superblock_security_struct *old = oldsb->s_security; 939 struct superblock_security_struct *new = newsb->s_security; 940 char oldflags = old->flags & SE_MNTMASK; 941 char newflags = new->flags & SE_MNTMASK; 942 943 if (oldflags != newflags) 944 goto mismatch; 945 if ((oldflags & FSCONTEXT_MNT) && old->sid != new->sid) 946 goto mismatch; 947 if ((oldflags & CONTEXT_MNT) && old->mntpoint_sid != new->mntpoint_sid) 948 goto mismatch; 949 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 950 goto mismatch; 951 if (oldflags & ROOTCONTEXT_MNT) { 952 struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 953 struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 954 if (oldroot->sid != newroot->sid) 955 goto mismatch; 956 } 957 return 0; 958 mismatch: 959 printk(KERN_WARNING "SELinux: mount invalid. Same superblock, " 960 "different security settings for (dev %s, " 961 "type %s)\n", newsb->s_id, newsb->s_type->name); 962 return -EBUSY; 963 } 964 965 static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, 966 struct super_block *newsb) 967 { 968 const struct superblock_security_struct *oldsbsec = oldsb->s_security; 969 struct superblock_security_struct *newsbsec = newsb->s_security; 970 971 int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); 972 int set_context = (oldsbsec->flags & CONTEXT_MNT); 973 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 974 975 /* 976 * if the parent was able to be mounted it clearly had no special lsm 977 * mount options. thus we can safely deal with this superblock later 978 */ 979 if (!ss_initialized) 980 return 0; 981 982 /* how can we clone if the old one wasn't set up?? */ 983 BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); 984 985 /* if fs is reusing a sb, make sure that the contexts match */ 986 if (newsbsec->flags & SE_SBINITIALIZED) 987 return selinux_cmp_sb_context(oldsb, newsb); 988 989 mutex_lock(&newsbsec->lock); 990 991 newsbsec->flags = oldsbsec->flags; 992 993 newsbsec->sid = oldsbsec->sid; 994 newsbsec->def_sid = oldsbsec->def_sid; 995 newsbsec->behavior = oldsbsec->behavior; 996 997 if (set_context) { 998 u32 sid = oldsbsec->mntpoint_sid; 999 1000 if (!set_fscontext) 1001 newsbsec->sid = sid; 1002 if (!set_rootcontext) { 1003 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1004 newisec->sid = sid; 1005 } 1006 newsbsec->mntpoint_sid = sid; 1007 } 1008 if (set_rootcontext) { 1009 const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 1010 struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 1011 1012 newisec->sid = oldisec->sid; 1013 } 1014 1015 sb_finish_set_opts(newsb); 1016 mutex_unlock(&newsbsec->lock); 1017 return 0; 1018 } 1019 1020 static int selinux_parse_opts_str(char *options, 1021 struct security_mnt_opts *opts) 1022 { 1023 char *p; 1024 char *context = NULL, *defcontext = NULL; 1025 char *fscontext = NULL, *rootcontext = NULL; 1026 int rc, num_mnt_opts = 0; 1027 1028 opts->num_mnt_opts = 0; 1029 1030 /* Standard string-based options. */ 1031 while ((p = strsep(&options, "|")) != NULL) { 1032 int token; 1033 substring_t args[MAX_OPT_ARGS]; 1034 1035 if (!*p) 1036 continue; 1037 1038 token = match_token(p, tokens, args); 1039 1040 switch (token) { 1041 case Opt_context: 1042 if (context || defcontext) { 1043 rc = -EINVAL; 1044 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1045 goto out_err; 1046 } 1047 context = match_strdup(&args[0]); 1048 if (!context) { 1049 rc = -ENOMEM; 1050 goto out_err; 1051 } 1052 break; 1053 1054 case Opt_fscontext: 1055 if (fscontext) { 1056 rc = -EINVAL; 1057 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1058 goto out_err; 1059 } 1060 fscontext = match_strdup(&args[0]); 1061 if (!fscontext) { 1062 rc = -ENOMEM; 1063 goto out_err; 1064 } 1065 break; 1066 1067 case Opt_rootcontext: 1068 if (rootcontext) { 1069 rc = -EINVAL; 1070 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1071 goto out_err; 1072 } 1073 rootcontext = match_strdup(&args[0]); 1074 if (!rootcontext) { 1075 rc = -ENOMEM; 1076 goto out_err; 1077 } 1078 break; 1079 1080 case Opt_defcontext: 1081 if (context || defcontext) { 1082 rc = -EINVAL; 1083 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG); 1084 goto out_err; 1085 } 1086 defcontext = match_strdup(&args[0]); 1087 if (!defcontext) { 1088 rc = -ENOMEM; 1089 goto out_err; 1090 } 1091 break; 1092 case Opt_labelsupport: 1093 break; 1094 default: 1095 rc = -EINVAL; 1096 printk(KERN_WARNING "SELinux: unknown mount option\n"); 1097 goto out_err; 1098 1099 } 1100 } 1101 1102 rc = -ENOMEM; 1103 opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 1104 if (!opts->mnt_opts) 1105 goto out_err; 1106 1107 opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC); 1108 if (!opts->mnt_opts_flags) { 1109 kfree(opts->mnt_opts); 1110 goto out_err; 1111 } 1112 1113 if (fscontext) { 1114 opts->mnt_opts[num_mnt_opts] = fscontext; 1115 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT; 1116 } 1117 if (context) { 1118 opts->mnt_opts[num_mnt_opts] = context; 1119 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT; 1120 } 1121 if (rootcontext) { 1122 opts->mnt_opts[num_mnt_opts] = rootcontext; 1123 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT; 1124 } 1125 if (defcontext) { 1126 opts->mnt_opts[num_mnt_opts] = defcontext; 1127 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT; 1128 } 1129 1130 opts->num_mnt_opts = num_mnt_opts; 1131 return 0; 1132 1133 out_err: 1134 kfree(context); 1135 kfree(defcontext); 1136 kfree(fscontext); 1137 kfree(rootcontext); 1138 return rc; 1139 } 1140 /* 1141 * string mount options parsing and call set the sbsec 1142 */ 1143 static int superblock_doinit(struct super_block *sb, void *data) 1144 { 1145 int rc = 0; 1146 char *options = data; 1147 struct security_mnt_opts opts; 1148 1149 security_init_mnt_opts(&opts); 1150 1151 if (!data) 1152 goto out; 1153 1154 BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA); 1155 1156 rc = selinux_parse_opts_str(options, &opts); 1157 if (rc) 1158 goto out_err; 1159 1160 out: 1161 rc = selinux_set_mnt_opts(sb, &opts, 0, NULL); 1162 1163 out_err: 1164 security_free_mnt_opts(&opts); 1165 return rc; 1166 } 1167 1168 static void selinux_write_opts(struct seq_file *m, 1169 struct security_mnt_opts *opts) 1170 { 1171 int i; 1172 char *prefix; 1173 1174 for (i = 0; i < opts->num_mnt_opts; i++) { 1175 char *has_comma; 1176 1177 if (opts->mnt_opts[i]) 1178 has_comma = strchr(opts->mnt_opts[i], ','); 1179 else 1180 has_comma = NULL; 1181 1182 switch (opts->mnt_opts_flags[i]) { 1183 case CONTEXT_MNT: 1184 prefix = CONTEXT_STR; 1185 break; 1186 case FSCONTEXT_MNT: 1187 prefix = FSCONTEXT_STR; 1188 break; 1189 case ROOTCONTEXT_MNT: 1190 prefix = ROOTCONTEXT_STR; 1191 break; 1192 case DEFCONTEXT_MNT: 1193 prefix = DEFCONTEXT_STR; 1194 break; 1195 case SBLABEL_MNT: 1196 seq_putc(m, ','); 1197 seq_puts(m, LABELSUPP_STR); 1198 continue; 1199 default: 1200 BUG(); 1201 return; 1202 }; 1203 /* we need a comma before each option */ 1204 seq_putc(m, ','); 1205 seq_puts(m, prefix); 1206 if (has_comma) 1207 seq_putc(m, '\"'); 1208 seq_escape(m, opts->mnt_opts[i], "\"\n\\"); 1209 if (has_comma) 1210 seq_putc(m, '\"'); 1211 } 1212 } 1213 1214 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) 1215 { 1216 struct security_mnt_opts opts; 1217 int rc; 1218 1219 rc = selinux_get_mnt_opts(sb, &opts); 1220 if (rc) { 1221 /* before policy load we may get EINVAL, don't show anything */ 1222 if (rc == -EINVAL) 1223 rc = 0; 1224 return rc; 1225 } 1226 1227 selinux_write_opts(m, &opts); 1228 1229 security_free_mnt_opts(&opts); 1230 1231 return rc; 1232 } 1233 1234 static inline u16 inode_mode_to_security_class(umode_t mode) 1235 { 1236 switch (mode & S_IFMT) { 1237 case S_IFSOCK: 1238 return SECCLASS_SOCK_FILE; 1239 case S_IFLNK: 1240 return SECCLASS_LNK_FILE; 1241 case S_IFREG: 1242 return SECCLASS_FILE; 1243 case S_IFBLK: 1244 return SECCLASS_BLK_FILE; 1245 case S_IFDIR: 1246 return SECCLASS_DIR; 1247 case S_IFCHR: 1248 return SECCLASS_CHR_FILE; 1249 case S_IFIFO: 1250 return SECCLASS_FIFO_FILE; 1251 1252 } 1253 1254 return SECCLASS_FILE; 1255 } 1256 1257 static inline int default_protocol_stream(int protocol) 1258 { 1259 return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP); 1260 } 1261 1262 static inline int default_protocol_dgram(int protocol) 1263 { 1264 return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP); 1265 } 1266 1267 static inline u16 socket_type_to_security_class(int family, int type, int protocol) 1268 { 1269 switch (family) { 1270 case PF_UNIX: 1271 switch (type) { 1272 case SOCK_STREAM: 1273 case SOCK_SEQPACKET: 1274 return SECCLASS_UNIX_STREAM_SOCKET; 1275 case SOCK_DGRAM: 1276 return SECCLASS_UNIX_DGRAM_SOCKET; 1277 } 1278 break; 1279 case PF_INET: 1280 case PF_INET6: 1281 switch (type) { 1282 case SOCK_STREAM: 1283 if (default_protocol_stream(protocol)) 1284 return SECCLASS_TCP_SOCKET; 1285 else 1286 return SECCLASS_RAWIP_SOCKET; 1287 case SOCK_DGRAM: 1288 if (default_protocol_dgram(protocol)) 1289 return SECCLASS_UDP_SOCKET; 1290 else 1291 return SECCLASS_RAWIP_SOCKET; 1292 case SOCK_DCCP: 1293 return SECCLASS_DCCP_SOCKET; 1294 default: 1295 return SECCLASS_RAWIP_SOCKET; 1296 } 1297 break; 1298 case PF_NETLINK: 1299 switch (protocol) { 1300 case NETLINK_ROUTE: 1301 return SECCLASS_NETLINK_ROUTE_SOCKET; 1302 case NETLINK_SOCK_DIAG: 1303 return SECCLASS_NETLINK_TCPDIAG_SOCKET; 1304 case NETLINK_NFLOG: 1305 return SECCLASS_NETLINK_NFLOG_SOCKET; 1306 case NETLINK_XFRM: 1307 return SECCLASS_NETLINK_XFRM_SOCKET; 1308 case NETLINK_SELINUX: 1309 return SECCLASS_NETLINK_SELINUX_SOCKET; 1310 case NETLINK_ISCSI: 1311 return SECCLASS_NETLINK_ISCSI_SOCKET; 1312 case NETLINK_AUDIT: 1313 return SECCLASS_NETLINK_AUDIT_SOCKET; 1314 case NETLINK_FIB_LOOKUP: 1315 return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET; 1316 case NETLINK_CONNECTOR: 1317 return SECCLASS_NETLINK_CONNECTOR_SOCKET; 1318 case NETLINK_NETFILTER: 1319 return SECCLASS_NETLINK_NETFILTER_SOCKET; 1320 case NETLINK_DNRTMSG: 1321 return SECCLASS_NETLINK_DNRT_SOCKET; 1322 case NETLINK_KOBJECT_UEVENT: 1323 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET; 1324 case NETLINK_GENERIC: 1325 return SECCLASS_NETLINK_GENERIC_SOCKET; 1326 case NETLINK_SCSITRANSPORT: 1327 return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET; 1328 case NETLINK_RDMA: 1329 return SECCLASS_NETLINK_RDMA_SOCKET; 1330 case NETLINK_CRYPTO: 1331 return SECCLASS_NETLINK_CRYPTO_SOCKET; 1332 default: 1333 return SECCLASS_NETLINK_SOCKET; 1334 } 1335 case PF_PACKET: 1336 return SECCLASS_PACKET_SOCKET; 1337 case PF_KEY: 1338 return SECCLASS_KEY_SOCKET; 1339 case PF_APPLETALK: 1340 return SECCLASS_APPLETALK_SOCKET; 1341 } 1342 1343 return SECCLASS_SOCKET; 1344 } 1345 1346 static int selinux_genfs_get_sid(struct dentry *dentry, 1347 u16 tclass, 1348 u16 flags, 1349 u32 *sid) 1350 { 1351 int rc; 1352 struct super_block *sb = dentry->d_sb; 1353 char *buffer, *path; 1354 1355 buffer = (char *)__get_free_page(GFP_KERNEL); 1356 if (!buffer) 1357 return -ENOMEM; 1358 1359 path = dentry_path_raw(dentry, buffer, PAGE_SIZE); 1360 if (IS_ERR(path)) 1361 rc = PTR_ERR(path); 1362 else { 1363 if (flags & SE_SBPROC) { 1364 /* each process gets a /proc/PID/ entry. Strip off the 1365 * PID part to get a valid selinux labeling. 1366 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */ 1367 while (path[1] >= '0' && path[1] <= '9') { 1368 path[1] = '/'; 1369 path++; 1370 } 1371 } 1372 rc = security_genfs_sid(sb->s_type->name, path, tclass, sid); 1373 } 1374 free_page((unsigned long)buffer); 1375 return rc; 1376 } 1377 1378 /* The inode's security attributes must be initialized before first use. */ 1379 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry) 1380 { 1381 struct superblock_security_struct *sbsec = NULL; 1382 struct inode_security_struct *isec = inode->i_security; 1383 u32 sid; 1384 struct dentry *dentry; 1385 #define INITCONTEXTLEN 255 1386 char *context = NULL; 1387 unsigned len = 0; 1388 int rc = 0; 1389 1390 if (isec->initialized == LABEL_INITIALIZED) 1391 goto out; 1392 1393 mutex_lock(&isec->lock); 1394 if (isec->initialized == LABEL_INITIALIZED) 1395 goto out_unlock; 1396 1397 sbsec = inode->i_sb->s_security; 1398 if (!(sbsec->flags & SE_SBINITIALIZED)) { 1399 /* Defer initialization until selinux_complete_init, 1400 after the initial policy is loaded and the security 1401 server is ready to handle calls. */ 1402 spin_lock(&sbsec->isec_lock); 1403 if (list_empty(&isec->list)) 1404 list_add(&isec->list, &sbsec->isec_head); 1405 spin_unlock(&sbsec->isec_lock); 1406 goto out_unlock; 1407 } 1408 1409 switch (sbsec->behavior) { 1410 case SECURITY_FS_USE_NATIVE: 1411 break; 1412 case SECURITY_FS_USE_XATTR: 1413 if (!(inode->i_opflags & IOP_XATTR)) { 1414 isec->sid = sbsec->def_sid; 1415 break; 1416 } 1417 /* Need a dentry, since the xattr API requires one. 1418 Life would be simpler if we could just pass the inode. */ 1419 if (opt_dentry) { 1420 /* Called from d_instantiate or d_splice_alias. */ 1421 dentry = dget(opt_dentry); 1422 } else { 1423 /* Called from selinux_complete_init, try to find a dentry. */ 1424 dentry = d_find_alias(inode); 1425 } 1426 if (!dentry) { 1427 /* 1428 * this is can be hit on boot when a file is accessed 1429 * before the policy is loaded. When we load policy we 1430 * may find inodes that have no dentry on the 1431 * sbsec->isec_head list. No reason to complain as these 1432 * will get fixed up the next time we go through 1433 * inode_doinit with a dentry, before these inodes could 1434 * be used again by userspace. 1435 */ 1436 goto out_unlock; 1437 } 1438 1439 len = INITCONTEXTLEN; 1440 context = kmalloc(len+1, GFP_NOFS); 1441 if (!context) { 1442 rc = -ENOMEM; 1443 dput(dentry); 1444 goto out_unlock; 1445 } 1446 context[len] = '\0'; 1447 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1448 if (rc == -ERANGE) { 1449 kfree(context); 1450 1451 /* Need a larger buffer. Query for the right size. */ 1452 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); 1453 if (rc < 0) { 1454 dput(dentry); 1455 goto out_unlock; 1456 } 1457 len = rc; 1458 context = kmalloc(len+1, GFP_NOFS); 1459 if (!context) { 1460 rc = -ENOMEM; 1461 dput(dentry); 1462 goto out_unlock; 1463 } 1464 context[len] = '\0'; 1465 rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); 1466 } 1467 dput(dentry); 1468 if (rc < 0) { 1469 if (rc != -ENODATA) { 1470 printk(KERN_WARNING "SELinux: %s: getxattr returned " 1471 "%d for dev=%s ino=%ld\n", __func__, 1472 -rc, inode->i_sb->s_id, inode->i_ino); 1473 kfree(context); 1474 goto out_unlock; 1475 } 1476 /* Map ENODATA to the default file SID */ 1477 sid = sbsec->def_sid; 1478 rc = 0; 1479 } else { 1480 rc = security_context_to_sid_default(context, rc, &sid, 1481 sbsec->def_sid, 1482 GFP_NOFS); 1483 if (rc) { 1484 char *dev = inode->i_sb->s_id; 1485 unsigned long ino = inode->i_ino; 1486 1487 if (rc == -EINVAL) { 1488 if (printk_ratelimit()) 1489 printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " 1490 "context=%s. This indicates you may need to relabel the inode or the " 1491 "filesystem in question.\n", ino, dev, context); 1492 } else { 1493 printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " 1494 "returned %d for dev=%s ino=%ld\n", 1495 __func__, context, -rc, dev, ino); 1496 } 1497 kfree(context); 1498 /* Leave with the unlabeled SID */ 1499 rc = 0; 1500 break; 1501 } 1502 } 1503 kfree(context); 1504 isec->sid = sid; 1505 break; 1506 case SECURITY_FS_USE_TASK: 1507 isec->sid = isec->task_sid; 1508 break; 1509 case SECURITY_FS_USE_TRANS: 1510 /* Default to the fs SID. */ 1511 isec->sid = sbsec->sid; 1512 1513 /* Try to obtain a transition SID. */ 1514 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1515 rc = security_transition_sid(isec->task_sid, sbsec->sid, 1516 isec->sclass, NULL, &sid); 1517 if (rc) 1518 goto out_unlock; 1519 isec->sid = sid; 1520 break; 1521 case SECURITY_FS_USE_MNTPOINT: 1522 isec->sid = sbsec->mntpoint_sid; 1523 break; 1524 default: 1525 /* Default to the fs superblock SID. */ 1526 isec->sid = sbsec->sid; 1527 1528 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { 1529 /* We must have a dentry to determine the label on 1530 * procfs inodes */ 1531 if (opt_dentry) 1532 /* Called from d_instantiate or 1533 * d_splice_alias. */ 1534 dentry = dget(opt_dentry); 1535 else 1536 /* Called from selinux_complete_init, try to 1537 * find a dentry. */ 1538 dentry = d_find_alias(inode); 1539 /* 1540 * This can be hit on boot when a file is accessed 1541 * before the policy is loaded. When we load policy we 1542 * may find inodes that have no dentry on the 1543 * sbsec->isec_head list. No reason to complain as 1544 * these will get fixed up the next time we go through 1545 * inode_doinit() with a dentry, before these inodes 1546 * could be used again by userspace. 1547 */ 1548 if (!dentry) 1549 goto out_unlock; 1550 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1551 rc = selinux_genfs_get_sid(dentry, isec->sclass, 1552 sbsec->flags, &sid); 1553 dput(dentry); 1554 if (rc) 1555 goto out_unlock; 1556 isec->sid = sid; 1557 } 1558 break; 1559 } 1560 1561 isec->initialized = LABEL_INITIALIZED; 1562 1563 out_unlock: 1564 mutex_unlock(&isec->lock); 1565 out: 1566 if (isec->sclass == SECCLASS_FILE) 1567 isec->sclass = inode_mode_to_security_class(inode->i_mode); 1568 return rc; 1569 } 1570 1571 /* Convert a Linux signal to an access vector. */ 1572 static inline u32 signal_to_av(int sig) 1573 { 1574 u32 perm = 0; 1575 1576 switch (sig) { 1577 case SIGCHLD: 1578 /* Commonly granted from child to parent. */ 1579 perm = PROCESS__SIGCHLD; 1580 break; 1581 case SIGKILL: 1582 /* Cannot be caught or ignored */ 1583 perm = PROCESS__SIGKILL; 1584 break; 1585 case SIGSTOP: 1586 /* Cannot be caught or ignored */ 1587 perm = PROCESS__SIGSTOP; 1588 break; 1589 default: 1590 /* All other signals. */ 1591 perm = PROCESS__SIGNAL; 1592 break; 1593 } 1594 1595 return perm; 1596 } 1597 1598 /* 1599 * Check permission between a pair of credentials 1600 * fork check, ptrace check, etc. 1601 */ 1602 static int cred_has_perm(const struct cred *actor, 1603 const struct cred *target, 1604 u32 perms) 1605 { 1606 u32 asid = cred_sid(actor), tsid = cred_sid(target); 1607 1608 return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL); 1609 } 1610 1611 /* 1612 * Check permission between a pair of tasks, e.g. signal checks, 1613 * fork check, ptrace check, etc. 1614 * tsk1 is the actor and tsk2 is the target 1615 * - this uses the default subjective creds of tsk1 1616 */ 1617 static int task_has_perm(const struct task_struct *tsk1, 1618 const struct task_struct *tsk2, 1619 u32 perms) 1620 { 1621 const struct task_security_struct *__tsec1, *__tsec2; 1622 u32 sid1, sid2; 1623 1624 rcu_read_lock(); 1625 __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid; 1626 __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid; 1627 rcu_read_unlock(); 1628 return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL); 1629 } 1630 1631 /* 1632 * Check permission between current and another task, e.g. signal checks, 1633 * fork check, ptrace check, etc. 1634 * current is the actor and tsk2 is the target 1635 * - this uses current's subjective creds 1636 */ 1637 static int current_has_perm(const struct task_struct *tsk, 1638 u32 perms) 1639 { 1640 u32 sid, tsid; 1641 1642 sid = current_sid(); 1643 tsid = task_sid(tsk); 1644 return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL); 1645 } 1646 1647 #if CAP_LAST_CAP > 63 1648 #error Fix SELinux to handle capabilities > 63. 1649 #endif 1650 1651 /* Check whether a task is allowed to use a capability. */ 1652 static int cred_has_capability(const struct cred *cred, 1653 int cap, int audit, bool initns) 1654 { 1655 struct common_audit_data ad; 1656 struct av_decision avd; 1657 u16 sclass; 1658 u32 sid = cred_sid(cred); 1659 u32 av = CAP_TO_MASK(cap); 1660 int rc; 1661 1662 ad.type = LSM_AUDIT_DATA_CAP; 1663 ad.u.cap = cap; 1664 1665 switch (CAP_TO_INDEX(cap)) { 1666 case 0: 1667 sclass = initns ? SECCLASS_CAPABILITY : SECCLASS_CAP_USERNS; 1668 break; 1669 case 1: 1670 sclass = initns ? SECCLASS_CAPABILITY2 : SECCLASS_CAP2_USERNS; 1671 break; 1672 default: 1673 printk(KERN_ERR 1674 "SELinux: out of range capability %d\n", cap); 1675 BUG(); 1676 return -EINVAL; 1677 } 1678 1679 rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd); 1680 if (audit == SECURITY_CAP_AUDIT) { 1681 int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0); 1682 if (rc2) 1683 return rc2; 1684 } 1685 return rc; 1686 } 1687 1688 /* Check whether a task is allowed to use a system operation. */ 1689 static int task_has_system(struct task_struct *tsk, 1690 u32 perms) 1691 { 1692 u32 sid = task_sid(tsk); 1693 1694 return avc_has_perm(sid, SECINITSID_KERNEL, 1695 SECCLASS_SYSTEM, perms, NULL); 1696 } 1697 1698 /* Check whether a task has a particular permission to an inode. 1699 The 'adp' parameter is optional and allows other audit 1700 data to be passed (e.g. the dentry). */ 1701 static int inode_has_perm(const struct cred *cred, 1702 struct inode *inode, 1703 u32 perms, 1704 struct common_audit_data *adp) 1705 { 1706 struct inode_security_struct *isec; 1707 u32 sid; 1708 1709 validate_creds(cred); 1710 1711 if (unlikely(IS_PRIVATE(inode))) 1712 return 0; 1713 1714 sid = cred_sid(cred); 1715 isec = inode->i_security; 1716 1717 return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp); 1718 } 1719 1720 /* Same as inode_has_perm, but pass explicit audit data containing 1721 the dentry to help the auditing code to more easily generate the 1722 pathname if needed. */ 1723 static inline int dentry_has_perm(const struct cred *cred, 1724 struct dentry *dentry, 1725 u32 av) 1726 { 1727 struct inode *inode = d_backing_inode(dentry); 1728 struct common_audit_data ad; 1729 1730 ad.type = LSM_AUDIT_DATA_DENTRY; 1731 ad.u.dentry = dentry; 1732 __inode_security_revalidate(inode, dentry, true); 1733 return inode_has_perm(cred, inode, av, &ad); 1734 } 1735 1736 /* Same as inode_has_perm, but pass explicit audit data containing 1737 the path to help the auditing code to more easily generate the 1738 pathname if needed. */ 1739 static inline int path_has_perm(const struct cred *cred, 1740 const struct path *path, 1741 u32 av) 1742 { 1743 struct inode *inode = d_backing_inode(path->dentry); 1744 struct common_audit_data ad; 1745 1746 ad.type = LSM_AUDIT_DATA_PATH; 1747 ad.u.path = *path; 1748 __inode_security_revalidate(inode, path->dentry, true); 1749 return inode_has_perm(cred, inode, av, &ad); 1750 } 1751 1752 /* Same as path_has_perm, but uses the inode from the file struct. */ 1753 static inline int file_path_has_perm(const struct cred *cred, 1754 struct file *file, 1755 u32 av) 1756 { 1757 struct common_audit_data ad; 1758 1759 ad.type = LSM_AUDIT_DATA_FILE; 1760 ad.u.file = file; 1761 return inode_has_perm(cred, file_inode(file), av, &ad); 1762 } 1763 1764 /* Check whether a task can use an open file descriptor to 1765 access an inode in a given way. Check access to the 1766 descriptor itself, and then use dentry_has_perm to 1767 check a particular permission to the file. 1768 Access to the descriptor is implicitly granted if it 1769 has the same SID as the process. If av is zero, then 1770 access to the file is not checked, e.g. for cases 1771 where only the descriptor is affected like seek. */ 1772 static int file_has_perm(const struct cred *cred, 1773 struct file *file, 1774 u32 av) 1775 { 1776 struct file_security_struct *fsec = file->f_security; 1777 struct inode *inode = file_inode(file); 1778 struct common_audit_data ad; 1779 u32 sid = cred_sid(cred); 1780 int rc; 1781 1782 ad.type = LSM_AUDIT_DATA_FILE; 1783 ad.u.file = file; 1784 1785 if (sid != fsec->sid) { 1786 rc = avc_has_perm(sid, fsec->sid, 1787 SECCLASS_FD, 1788 FD__USE, 1789 &ad); 1790 if (rc) 1791 goto out; 1792 } 1793 1794 /* av is zero if only checking access to the descriptor. */ 1795 rc = 0; 1796 if (av) 1797 rc = inode_has_perm(cred, inode, av, &ad); 1798 1799 out: 1800 return rc; 1801 } 1802 1803 /* 1804 * Determine the label for an inode that might be unioned. 1805 */ 1806 static int 1807 selinux_determine_inode_label(const struct task_security_struct *tsec, 1808 struct inode *dir, 1809 const struct qstr *name, u16 tclass, 1810 u32 *_new_isid) 1811 { 1812 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1813 1814 if ((sbsec->flags & SE_SBINITIALIZED) && 1815 (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { 1816 *_new_isid = sbsec->mntpoint_sid; 1817 } else if ((sbsec->flags & SBLABEL_MNT) && 1818 tsec->create_sid) { 1819 *_new_isid = tsec->create_sid; 1820 } else { 1821 const struct inode_security_struct *dsec = inode_security(dir); 1822 return security_transition_sid(tsec->sid, dsec->sid, tclass, 1823 name, _new_isid); 1824 } 1825 1826 return 0; 1827 } 1828 1829 /* Check whether a task can create a file. */ 1830 static int may_create(struct inode *dir, 1831 struct dentry *dentry, 1832 u16 tclass) 1833 { 1834 const struct task_security_struct *tsec = current_security(); 1835 struct inode_security_struct *dsec; 1836 struct superblock_security_struct *sbsec; 1837 u32 sid, newsid; 1838 struct common_audit_data ad; 1839 int rc; 1840 1841 dsec = inode_security(dir); 1842 sbsec = dir->i_sb->s_security; 1843 1844 sid = tsec->sid; 1845 1846 ad.type = LSM_AUDIT_DATA_DENTRY; 1847 ad.u.dentry = dentry; 1848 1849 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1850 DIR__ADD_NAME | DIR__SEARCH, 1851 &ad); 1852 if (rc) 1853 return rc; 1854 1855 rc = selinux_determine_inode_label(current_security(), dir, 1856 &dentry->d_name, tclass, &newsid); 1857 if (rc) 1858 return rc; 1859 1860 rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad); 1861 if (rc) 1862 return rc; 1863 1864 return avc_has_perm(newsid, sbsec->sid, 1865 SECCLASS_FILESYSTEM, 1866 FILESYSTEM__ASSOCIATE, &ad); 1867 } 1868 1869 /* Check whether a task can create a key. */ 1870 static int may_create_key(u32 ksid, 1871 struct task_struct *ctx) 1872 { 1873 u32 sid = task_sid(ctx); 1874 1875 return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL); 1876 } 1877 1878 #define MAY_LINK 0 1879 #define MAY_UNLINK 1 1880 #define MAY_RMDIR 2 1881 1882 /* Check whether a task can link, unlink, or rmdir a file/directory. */ 1883 static int may_link(struct inode *dir, 1884 struct dentry *dentry, 1885 int kind) 1886 1887 { 1888 struct inode_security_struct *dsec, *isec; 1889 struct common_audit_data ad; 1890 u32 sid = current_sid(); 1891 u32 av; 1892 int rc; 1893 1894 dsec = inode_security(dir); 1895 isec = backing_inode_security(dentry); 1896 1897 ad.type = LSM_AUDIT_DATA_DENTRY; 1898 ad.u.dentry = dentry; 1899 1900 av = DIR__SEARCH; 1901 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1902 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad); 1903 if (rc) 1904 return rc; 1905 1906 switch (kind) { 1907 case MAY_LINK: 1908 av = FILE__LINK; 1909 break; 1910 case MAY_UNLINK: 1911 av = FILE__UNLINK; 1912 break; 1913 case MAY_RMDIR: 1914 av = DIR__RMDIR; 1915 break; 1916 default: 1917 printk(KERN_WARNING "SELinux: %s: unrecognized kind %d\n", 1918 __func__, kind); 1919 return 0; 1920 } 1921 1922 rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad); 1923 return rc; 1924 } 1925 1926 static inline int may_rename(struct inode *old_dir, 1927 struct dentry *old_dentry, 1928 struct inode *new_dir, 1929 struct dentry *new_dentry) 1930 { 1931 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1932 struct common_audit_data ad; 1933 u32 sid = current_sid(); 1934 u32 av; 1935 int old_is_dir, new_is_dir; 1936 int rc; 1937 1938 old_dsec = inode_security(old_dir); 1939 old_isec = backing_inode_security(old_dentry); 1940 old_is_dir = d_is_dir(old_dentry); 1941 new_dsec = inode_security(new_dir); 1942 1943 ad.type = LSM_AUDIT_DATA_DENTRY; 1944 1945 ad.u.dentry = old_dentry; 1946 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1947 DIR__REMOVE_NAME | DIR__SEARCH, &ad); 1948 if (rc) 1949 return rc; 1950 rc = avc_has_perm(sid, old_isec->sid, 1951 old_isec->sclass, FILE__RENAME, &ad); 1952 if (rc) 1953 return rc; 1954 if (old_is_dir && new_dir != old_dir) { 1955 rc = avc_has_perm(sid, old_isec->sid, 1956 old_isec->sclass, DIR__REPARENT, &ad); 1957 if (rc) 1958 return rc; 1959 } 1960 1961 ad.u.dentry = new_dentry; 1962 av = DIR__ADD_NAME | DIR__SEARCH; 1963 if (d_is_positive(new_dentry)) 1964 av |= DIR__REMOVE_NAME; 1965 rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad); 1966 if (rc) 1967 return rc; 1968 if (d_is_positive(new_dentry)) { 1969 new_isec = backing_inode_security(new_dentry); 1970 new_is_dir = d_is_dir(new_dentry); 1971 rc = avc_has_perm(sid, new_isec->sid, 1972 new_isec->sclass, 1973 (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad); 1974 if (rc) 1975 return rc; 1976 } 1977 1978 return 0; 1979 } 1980 1981 /* Check whether a task can perform a filesystem operation. */ 1982 static int superblock_has_perm(const struct cred *cred, 1983 struct super_block *sb, 1984 u32 perms, 1985 struct common_audit_data *ad) 1986 { 1987 struct superblock_security_struct *sbsec; 1988 u32 sid = cred_sid(cred); 1989 1990 sbsec = sb->s_security; 1991 return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); 1992 } 1993 1994 /* Convert a Linux mode and permission mask to an access vector. */ 1995 static inline u32 file_mask_to_av(int mode, int mask) 1996 { 1997 u32 av = 0; 1998 1999 if (!S_ISDIR(mode)) { 2000 if (mask & MAY_EXEC) 2001 av |= FILE__EXECUTE; 2002 if (mask & MAY_READ) 2003 av |= FILE__READ; 2004 2005 if (mask & MAY_APPEND) 2006 av |= FILE__APPEND; 2007 else if (mask & MAY_WRITE) 2008 av |= FILE__WRITE; 2009 2010 } else { 2011 if (mask & MAY_EXEC) 2012 av |= DIR__SEARCH; 2013 if (mask & MAY_WRITE) 2014 av |= DIR__WRITE; 2015 if (mask & MAY_READ) 2016 av |= DIR__READ; 2017 } 2018 2019 return av; 2020 } 2021 2022 /* Convert a Linux file to an access vector. */ 2023 static inline u32 file_to_av(struct file *file) 2024 { 2025 u32 av = 0; 2026 2027 if (file->f_mode & FMODE_READ) 2028 av |= FILE__READ; 2029 if (file->f_mode & FMODE_WRITE) { 2030 if (file->f_flags & O_APPEND) 2031 av |= FILE__APPEND; 2032 else 2033 av |= FILE__WRITE; 2034 } 2035 if (!av) { 2036 /* 2037 * Special file opened with flags 3 for ioctl-only use. 2038 */ 2039 av = FILE__IOCTL; 2040 } 2041 2042 return av; 2043 } 2044 2045 /* 2046 * Convert a file to an access vector and include the correct open 2047 * open permission. 2048 */ 2049 static inline u32 open_file_to_av(struct file *file) 2050 { 2051 u32 av = file_to_av(file); 2052 2053 if (selinux_policycap_openperm) 2054 av |= FILE__OPEN; 2055 2056 return av; 2057 } 2058 2059 /* Hook functions begin here. */ 2060 2061 static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2062 { 2063 u32 mysid = current_sid(); 2064 u32 mgrsid = task_sid(mgr); 2065 2066 return avc_has_perm(mysid, mgrsid, SECCLASS_BINDER, 2067 BINDER__SET_CONTEXT_MGR, NULL); 2068 } 2069 2070 static int selinux_binder_transaction(struct task_struct *from, 2071 struct task_struct *to) 2072 { 2073 u32 mysid = current_sid(); 2074 u32 fromsid = task_sid(from); 2075 u32 tosid = task_sid(to); 2076 int rc; 2077 2078 if (mysid != fromsid) { 2079 rc = avc_has_perm(mysid, fromsid, SECCLASS_BINDER, 2080 BINDER__IMPERSONATE, NULL); 2081 if (rc) 2082 return rc; 2083 } 2084 2085 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__CALL, 2086 NULL); 2087 } 2088 2089 static int selinux_binder_transfer_binder(struct task_struct *from, 2090 struct task_struct *to) 2091 { 2092 u32 fromsid = task_sid(from); 2093 u32 tosid = task_sid(to); 2094 2095 return avc_has_perm(fromsid, tosid, SECCLASS_BINDER, BINDER__TRANSFER, 2096 NULL); 2097 } 2098 2099 static int selinux_binder_transfer_file(struct task_struct *from, 2100 struct task_struct *to, 2101 struct file *file) 2102 { 2103 u32 sid = task_sid(to); 2104 struct file_security_struct *fsec = file->f_security; 2105 struct dentry *dentry = file->f_path.dentry; 2106 struct inode_security_struct *isec; 2107 struct common_audit_data ad; 2108 int rc; 2109 2110 ad.type = LSM_AUDIT_DATA_PATH; 2111 ad.u.path = file->f_path; 2112 2113 if (sid != fsec->sid) { 2114 rc = avc_has_perm(sid, fsec->sid, 2115 SECCLASS_FD, 2116 FD__USE, 2117 &ad); 2118 if (rc) 2119 return rc; 2120 } 2121 2122 if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2123 return 0; 2124 2125 isec = backing_inode_security(dentry); 2126 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), 2127 &ad); 2128 } 2129 2130 static int selinux_ptrace_access_check(struct task_struct *child, 2131 unsigned int mode) 2132 { 2133 if (mode & PTRACE_MODE_READ) { 2134 u32 sid = current_sid(); 2135 u32 csid = task_sid(child); 2136 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); 2137 } 2138 2139 return current_has_perm(child, PROCESS__PTRACE); 2140 } 2141 2142 static int selinux_ptrace_traceme(struct task_struct *parent) 2143 { 2144 return task_has_perm(parent, current, PROCESS__PTRACE); 2145 } 2146 2147 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2148 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2149 { 2150 return current_has_perm(target, PROCESS__GETCAP); 2151 } 2152 2153 static int selinux_capset(struct cred *new, const struct cred *old, 2154 const kernel_cap_t *effective, 2155 const kernel_cap_t *inheritable, 2156 const kernel_cap_t *permitted) 2157 { 2158 return cred_has_perm(old, new, PROCESS__SETCAP); 2159 } 2160 2161 /* 2162 * (This comment used to live with the selinux_task_setuid hook, 2163 * which was removed). 2164 * 2165 * Since setuid only affects the current process, and since the SELinux 2166 * controls are not based on the Linux identity attributes, SELinux does not 2167 * need to control this operation. However, SELinux does control the use of 2168 * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. 2169 */ 2170 2171 static int selinux_capable(const struct cred *cred, struct user_namespace *ns, 2172 int cap, int audit) 2173 { 2174 return cred_has_capability(cred, cap, audit, ns == &init_user_ns); 2175 } 2176 2177 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb) 2178 { 2179 const struct cred *cred = current_cred(); 2180 int rc = 0; 2181 2182 if (!sb) 2183 return 0; 2184 2185 switch (cmds) { 2186 case Q_SYNC: 2187 case Q_QUOTAON: 2188 case Q_QUOTAOFF: 2189 case Q_SETINFO: 2190 case Q_SETQUOTA: 2191 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL); 2192 break; 2193 case Q_GETFMT: 2194 case Q_GETINFO: 2195 case Q_GETQUOTA: 2196 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL); 2197 break; 2198 default: 2199 rc = 0; /* let the kernel handle invalid cmds */ 2200 break; 2201 } 2202 return rc; 2203 } 2204 2205 static int selinux_quota_on(struct dentry *dentry) 2206 { 2207 const struct cred *cred = current_cred(); 2208 2209 return dentry_has_perm(cred, dentry, FILE__QUOTAON); 2210 } 2211 2212 static int selinux_syslog(int type) 2213 { 2214 int rc; 2215 2216 switch (type) { 2217 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */ 2218 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */ 2219 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 2220 break; 2221 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */ 2222 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */ 2223 /* Set level of messages printed to console */ 2224 case SYSLOG_ACTION_CONSOLE_LEVEL: 2225 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 2226 break; 2227 case SYSLOG_ACTION_CLOSE: /* Close log */ 2228 case SYSLOG_ACTION_OPEN: /* Open log */ 2229 case SYSLOG_ACTION_READ: /* Read from log */ 2230 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */ 2231 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */ 2232 default: 2233 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 2234 break; 2235 } 2236 return rc; 2237 } 2238 2239 /* 2240 * Check that a process has enough memory to allocate a new virtual 2241 * mapping. 0 means there is enough memory for the allocation to 2242 * succeed and -ENOMEM implies there is not. 2243 * 2244 * Do not audit the selinux permission check, as this is applied to all 2245 * processes that allocate mappings. 2246 */ 2247 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages) 2248 { 2249 int rc, cap_sys_admin = 0; 2250 2251 rc = cred_has_capability(current_cred(), CAP_SYS_ADMIN, 2252 SECURITY_CAP_NOAUDIT, true); 2253 if (rc == 0) 2254 cap_sys_admin = 1; 2255 2256 return cap_sys_admin; 2257 } 2258 2259 /* binprm security operations */ 2260 2261 static u32 ptrace_parent_sid(struct task_struct *task) 2262 { 2263 u32 sid = 0; 2264 struct task_struct *tracer; 2265 2266 rcu_read_lock(); 2267 tracer = ptrace_parent(task); 2268 if (tracer) 2269 sid = task_sid(tracer); 2270 rcu_read_unlock(); 2271 2272 return sid; 2273 } 2274 2275 static int check_nnp_nosuid(const struct linux_binprm *bprm, 2276 const struct task_security_struct *old_tsec, 2277 const struct task_security_struct *new_tsec) 2278 { 2279 int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); 2280 int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 2281 int rc; 2282 2283 if (!nnp && !nosuid) 2284 return 0; /* neither NNP nor nosuid */ 2285 2286 if (new_tsec->sid == old_tsec->sid) 2287 return 0; /* No change in credentials */ 2288 2289 /* 2290 * The only transitions we permit under NNP or nosuid 2291 * are transitions to bounded SIDs, i.e. SIDs that are 2292 * guaranteed to only be allowed a subset of the permissions 2293 * of the current SID. 2294 */ 2295 rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); 2296 if (rc) { 2297 /* 2298 * On failure, preserve the errno values for NNP vs nosuid. 2299 * NNP: Operation not permitted for caller. 2300 * nosuid: Permission denied to file. 2301 */ 2302 if (nnp) 2303 return -EPERM; 2304 else 2305 return -EACCES; 2306 } 2307 return 0; 2308 } 2309 2310 static int selinux_bprm_set_creds(struct linux_binprm *bprm) 2311 { 2312 const struct task_security_struct *old_tsec; 2313 struct task_security_struct *new_tsec; 2314 struct inode_security_struct *isec; 2315 struct common_audit_data ad; 2316 struct inode *inode = file_inode(bprm->file); 2317 int rc; 2318 2319 /* SELinux context only depends on initial program or script and not 2320 * the script interpreter */ 2321 if (bprm->cred_prepared) 2322 return 0; 2323 2324 old_tsec = current_security(); 2325 new_tsec = bprm->cred->security; 2326 isec = inode_security(inode); 2327 2328 /* Default to the current task SID. */ 2329 new_tsec->sid = old_tsec->sid; 2330 new_tsec->osid = old_tsec->sid; 2331 2332 /* Reset fs, key, and sock SIDs on execve. */ 2333 new_tsec->create_sid = 0; 2334 new_tsec->keycreate_sid = 0; 2335 new_tsec->sockcreate_sid = 0; 2336 2337 if (old_tsec->exec_sid) { 2338 new_tsec->sid = old_tsec->exec_sid; 2339 /* Reset exec SID on execve. */ 2340 new_tsec->exec_sid = 0; 2341 2342 /* Fail on NNP or nosuid if not an allowed transition. */ 2343 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2344 if (rc) 2345 return rc; 2346 } else { 2347 /* Check for a default transition on this program. */ 2348 rc = security_transition_sid(old_tsec->sid, isec->sid, 2349 SECCLASS_PROCESS, NULL, 2350 &new_tsec->sid); 2351 if (rc) 2352 return rc; 2353 2354 /* 2355 * Fallback to old SID on NNP or nosuid if not an allowed 2356 * transition. 2357 */ 2358 rc = check_nnp_nosuid(bprm, old_tsec, new_tsec); 2359 if (rc) 2360 new_tsec->sid = old_tsec->sid; 2361 } 2362 2363 ad.type = LSM_AUDIT_DATA_FILE; 2364 ad.u.file = bprm->file; 2365 2366 if (new_tsec->sid == old_tsec->sid) { 2367 rc = avc_has_perm(old_tsec->sid, isec->sid, 2368 SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad); 2369 if (rc) 2370 return rc; 2371 } else { 2372 /* Check permissions for the transition. */ 2373 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2374 SECCLASS_PROCESS, PROCESS__TRANSITION, &ad); 2375 if (rc) 2376 return rc; 2377 2378 rc = avc_has_perm(new_tsec->sid, isec->sid, 2379 SECCLASS_FILE, FILE__ENTRYPOINT, &ad); 2380 if (rc) 2381 return rc; 2382 2383 /* Check for shared state */ 2384 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 2385 rc = avc_has_perm(old_tsec->sid, new_tsec->sid, 2386 SECCLASS_PROCESS, PROCESS__SHARE, 2387 NULL); 2388 if (rc) 2389 return -EPERM; 2390 } 2391 2392 /* Make sure that anyone attempting to ptrace over a task that 2393 * changes its SID has the appropriate permit */ 2394 if (bprm->unsafe & 2395 (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 2396 u32 ptsid = ptrace_parent_sid(current); 2397 if (ptsid != 0) { 2398 rc = avc_has_perm(ptsid, new_tsec->sid, 2399 SECCLASS_PROCESS, 2400 PROCESS__PTRACE, NULL); 2401 if (rc) 2402 return -EPERM; 2403 } 2404 } 2405 2406 /* Clear any possibly unsafe personality bits on exec: */ 2407 bprm->per_clear |= PER_CLEAR_ON_SETID; 2408 } 2409 2410 return 0; 2411 } 2412 2413 static int selinux_bprm_secureexec(struct linux_binprm *bprm) 2414 { 2415 const struct task_security_struct *tsec = current_security(); 2416 u32 sid, osid; 2417 int atsecure = 0; 2418 2419 sid = tsec->sid; 2420 osid = tsec->osid; 2421 2422 if (osid != sid) { 2423 /* Enable secure mode for SIDs transitions unless 2424 the noatsecure permission is granted between 2425 the two SIDs, i.e. ahp returns 0. */ 2426 atsecure = avc_has_perm(osid, sid, 2427 SECCLASS_PROCESS, 2428 PROCESS__NOATSECURE, NULL); 2429 } 2430 2431 return !!atsecure; 2432 } 2433 2434 static int match_file(const void *p, struct file *file, unsigned fd) 2435 { 2436 return file_has_perm(p, file, file_to_av(file)) ? fd + 1 : 0; 2437 } 2438 2439 /* Derived from fs/exec.c:flush_old_files. */ 2440 static inline void flush_unauthorized_files(const struct cred *cred, 2441 struct files_struct *files) 2442 { 2443 struct file *file, *devnull = NULL; 2444 struct tty_struct *tty; 2445 int drop_tty = 0; 2446 unsigned n; 2447 2448 tty = get_current_tty(); 2449 if (tty) { 2450 spin_lock(&tty->files_lock); 2451 if (!list_empty(&tty->tty_files)) { 2452 struct tty_file_private *file_priv; 2453 2454 /* Revalidate access to controlling tty. 2455 Use file_path_has_perm on the tty path directly 2456 rather than using file_has_perm, as this particular 2457 open file may belong to another process and we are 2458 only interested in the inode-based check here. */ 2459 file_priv = list_first_entry(&tty->tty_files, 2460 struct tty_file_private, list); 2461 file = file_priv->file; 2462 if (file_path_has_perm(cred, file, FILE__READ | FILE__WRITE)) 2463 drop_tty = 1; 2464 } 2465 spin_unlock(&tty->files_lock); 2466 tty_kref_put(tty); 2467 } 2468 /* Reset controlling tty. */ 2469 if (drop_tty) 2470 no_tty(); 2471 2472 /* Revalidate access to inherited open files. */ 2473 n = iterate_fd(files, 0, match_file, cred); 2474 if (!n) /* none found? */ 2475 return; 2476 2477 devnull = dentry_open(&selinux_null, O_RDWR, cred); 2478 if (IS_ERR(devnull)) 2479 devnull = NULL; 2480 /* replace all the matching ones with this */ 2481 do { 2482 replace_fd(n - 1, devnull, 0); 2483 } while ((n = iterate_fd(files, n, match_file, cred)) != 0); 2484 if (devnull) 2485 fput(devnull); 2486 } 2487 2488 /* 2489 * Prepare a process for imminent new credential changes due to exec 2490 */ 2491 static void selinux_bprm_committing_creds(struct linux_binprm *bprm) 2492 { 2493 struct task_security_struct *new_tsec; 2494 struct rlimit *rlim, *initrlim; 2495 int rc, i; 2496 2497 new_tsec = bprm->cred->security; 2498 if (new_tsec->sid == new_tsec->osid) 2499 return; 2500 2501 /* Close files for which the new task SID is not authorized. */ 2502 flush_unauthorized_files(bprm->cred, current->files); 2503 2504 /* Always clear parent death signal on SID transitions. */ 2505 current->pdeath_signal = 0; 2506 2507 /* Check whether the new SID can inherit resource limits from the old 2508 * SID. If not, reset all soft limits to the lower of the current 2509 * task's hard limit and the init task's soft limit. 2510 * 2511 * Note that the setting of hard limits (even to lower them) can be 2512 * controlled by the setrlimit check. The inclusion of the init task's 2513 * soft limit into the computation is to avoid resetting soft limits 2514 * higher than the default soft limit for cases where the default is 2515 * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK. 2516 */ 2517 rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS, 2518 PROCESS__RLIMITINH, NULL); 2519 if (rc) { 2520 /* protect against do_prlimit() */ 2521 task_lock(current); 2522 for (i = 0; i < RLIM_NLIMITS; i++) { 2523 rlim = current->signal->rlim + i; 2524 initrlim = init_task.signal->rlim + i; 2525 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2526 } 2527 task_unlock(current); 2528 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) 2529 update_rlimit_cpu(current, rlimit(RLIMIT_CPU)); 2530 } 2531 } 2532 2533 /* 2534 * Clean up the process immediately after the installation of new credentials 2535 * due to exec 2536 */ 2537 static void selinux_bprm_committed_creds(struct linux_binprm *bprm) 2538 { 2539 const struct task_security_struct *tsec = current_security(); 2540 struct itimerval itimer; 2541 u32 osid, sid; 2542 int rc, i; 2543 2544 osid = tsec->osid; 2545 sid = tsec->sid; 2546 2547 if (sid == osid) 2548 return; 2549 2550 /* Check whether the new SID can inherit signal state from the old SID. 2551 * If not, clear itimers to avoid subsequent signal generation and 2552 * flush and unblock signals. 2553 * 2554 * This must occur _after_ the task SID has been updated so that any 2555 * kill done after the flush will be checked against the new SID. 2556 */ 2557 rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL); 2558 if (rc) { 2559 if (IS_ENABLED(CONFIG_POSIX_TIMERS)) { 2560 memset(&itimer, 0, sizeof itimer); 2561 for (i = 0; i < 3; i++) 2562 do_setitimer(i, &itimer, NULL); 2563 } 2564 spin_lock_irq(¤t->sighand->siglock); 2565 if (!fatal_signal_pending(current)) { 2566 flush_sigqueue(¤t->pending); 2567 flush_sigqueue(¤t->signal->shared_pending); 2568 flush_signal_handlers(current, 1); 2569 sigemptyset(¤t->blocked); 2570 recalc_sigpending(); 2571 } 2572 spin_unlock_irq(¤t->sighand->siglock); 2573 } 2574 2575 /* Wake up the parent if it is waiting so that it can recheck 2576 * wait permission to the new task SID. */ 2577 read_lock(&tasklist_lock); 2578 __wake_up_parent(current, current->real_parent); 2579 read_unlock(&tasklist_lock); 2580 } 2581 2582 /* superblock security operations */ 2583 2584 static int selinux_sb_alloc_security(struct super_block *sb) 2585 { 2586 return superblock_alloc_security(sb); 2587 } 2588 2589 static void selinux_sb_free_security(struct super_block *sb) 2590 { 2591 superblock_free_security(sb); 2592 } 2593 2594 static inline int match_prefix(char *prefix, int plen, char *option, int olen) 2595 { 2596 if (plen > olen) 2597 return 0; 2598 2599 return !memcmp(prefix, option, plen); 2600 } 2601 2602 static inline int selinux_option(char *option, int len) 2603 { 2604 return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || 2605 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || 2606 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || 2607 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || 2608 match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); 2609 } 2610 2611 static inline void take_option(char **to, char *from, int *first, int len) 2612 { 2613 if (!*first) { 2614 **to = ','; 2615 *to += 1; 2616 } else 2617 *first = 0; 2618 memcpy(*to, from, len); 2619 *to += len; 2620 } 2621 2622 static inline void take_selinux_option(char **to, char *from, int *first, 2623 int len) 2624 { 2625 int current_size = 0; 2626 2627 if (!*first) { 2628 **to = '|'; 2629 *to += 1; 2630 } else 2631 *first = 0; 2632 2633 while (current_size < len) { 2634 if (*from != '"') { 2635 **to = *from; 2636 *to += 1; 2637 } 2638 from += 1; 2639 current_size += 1; 2640 } 2641 } 2642 2643 static int selinux_sb_copy_data(char *orig, char *copy) 2644 { 2645 int fnosec, fsec, rc = 0; 2646 char *in_save, *in_curr, *in_end; 2647 char *sec_curr, *nosec_save, *nosec; 2648 int open_quote = 0; 2649 2650 in_curr = orig; 2651 sec_curr = copy; 2652 2653 nosec = (char *)get_zeroed_page(GFP_KERNEL); 2654 if (!nosec) { 2655 rc = -ENOMEM; 2656 goto out; 2657 } 2658 2659 nosec_save = nosec; 2660 fnosec = fsec = 1; 2661 in_save = in_end = orig; 2662 2663 do { 2664 if (*in_end == '"') 2665 open_quote = !open_quote; 2666 if ((*in_end == ',' && open_quote == 0) || 2667 *in_end == '\0') { 2668 int len = in_end - in_curr; 2669 2670 if (selinux_option(in_curr, len)) 2671 take_selinux_option(&sec_curr, in_curr, &fsec, len); 2672 else 2673 take_option(&nosec, in_curr, &fnosec, len); 2674 2675 in_curr = in_end + 1; 2676 } 2677 } while (*in_end++); 2678 2679 strcpy(in_save, nosec_save); 2680 free_page((unsigned long)nosec_save); 2681 out: 2682 return rc; 2683 } 2684 2685 static int selinux_sb_remount(struct super_block *sb, void *data) 2686 { 2687 int rc, i, *flags; 2688 struct security_mnt_opts opts; 2689 char *secdata, **mount_options; 2690 struct superblock_security_struct *sbsec = sb->s_security; 2691 2692 if (!(sbsec->flags & SE_SBINITIALIZED)) 2693 return 0; 2694 2695 if (!data) 2696 return 0; 2697 2698 if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) 2699 return 0; 2700 2701 security_init_mnt_opts(&opts); 2702 secdata = alloc_secdata(); 2703 if (!secdata) 2704 return -ENOMEM; 2705 rc = selinux_sb_copy_data(data, secdata); 2706 if (rc) 2707 goto out_free_secdata; 2708 2709 rc = selinux_parse_opts_str(secdata, &opts); 2710 if (rc) 2711 goto out_free_secdata; 2712 2713 mount_options = opts.mnt_opts; 2714 flags = opts.mnt_opts_flags; 2715 2716 for (i = 0; i < opts.num_mnt_opts; i++) { 2717 u32 sid; 2718 2719 if (flags[i] == SBLABEL_MNT) 2720 continue; 2721 rc = security_context_str_to_sid(mount_options[i], &sid, GFP_KERNEL); 2722 if (rc) { 2723 printk(KERN_WARNING "SELinux: security_context_str_to_sid" 2724 "(%s) failed for (dev %s, type %s) errno=%d\n", 2725 mount_options[i], sb->s_id, sb->s_type->name, rc); 2726 goto out_free_opts; 2727 } 2728 rc = -EINVAL; 2729 switch (flags[i]) { 2730 case FSCONTEXT_MNT: 2731 if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid)) 2732 goto out_bad_option; 2733 break; 2734 case CONTEXT_MNT: 2735 if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid)) 2736 goto out_bad_option; 2737 break; 2738 case ROOTCONTEXT_MNT: { 2739 struct inode_security_struct *root_isec; 2740 root_isec = backing_inode_security(sb->s_root); 2741 2742 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2743 goto out_bad_option; 2744 break; 2745 } 2746 case DEFCONTEXT_MNT: 2747 if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid)) 2748 goto out_bad_option; 2749 break; 2750 default: 2751 goto out_free_opts; 2752 } 2753 } 2754 2755 rc = 0; 2756 out_free_opts: 2757 security_free_mnt_opts(&opts); 2758 out_free_secdata: 2759 free_secdata(secdata); 2760 return rc; 2761 out_bad_option: 2762 printk(KERN_WARNING "SELinux: unable to change security options " 2763 "during remount (dev %s, type=%s)\n", sb->s_id, 2764 sb->s_type->name); 2765 goto out_free_opts; 2766 } 2767 2768 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2769 { 2770 const struct cred *cred = current_cred(); 2771 struct common_audit_data ad; 2772 int rc; 2773 2774 rc = superblock_doinit(sb, data); 2775 if (rc) 2776 return rc; 2777 2778 /* Allow all mounts performed by the kernel */ 2779 if (flags & MS_KERNMOUNT) 2780 return 0; 2781 2782 ad.type = LSM_AUDIT_DATA_DENTRY; 2783 ad.u.dentry = sb->s_root; 2784 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2785 } 2786 2787 static int selinux_sb_statfs(struct dentry *dentry) 2788 { 2789 const struct cred *cred = current_cred(); 2790 struct common_audit_data ad; 2791 2792 ad.type = LSM_AUDIT_DATA_DENTRY; 2793 ad.u.dentry = dentry->d_sb->s_root; 2794 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2795 } 2796 2797 static int selinux_mount(const char *dev_name, 2798 const struct path *path, 2799 const char *type, 2800 unsigned long flags, 2801 void *data) 2802 { 2803 const struct cred *cred = current_cred(); 2804 2805 if (flags & MS_REMOUNT) 2806 return superblock_has_perm(cred, path->dentry->d_sb, 2807 FILESYSTEM__REMOUNT, NULL); 2808 else 2809 return path_has_perm(cred, path, FILE__MOUNTON); 2810 } 2811 2812 static int selinux_umount(struct vfsmount *mnt, int flags) 2813 { 2814 const struct cred *cred = current_cred(); 2815 2816 return superblock_has_perm(cred, mnt->mnt_sb, 2817 FILESYSTEM__UNMOUNT, NULL); 2818 } 2819 2820 /* inode security operations */ 2821 2822 static int selinux_inode_alloc_security(struct inode *inode) 2823 { 2824 return inode_alloc_security(inode); 2825 } 2826 2827 static void selinux_inode_free_security(struct inode *inode) 2828 { 2829 inode_free_security(inode); 2830 } 2831 2832 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2833 const struct qstr *name, void **ctx, 2834 u32 *ctxlen) 2835 { 2836 u32 newsid; 2837 int rc; 2838 2839 rc = selinux_determine_inode_label(current_security(), 2840 d_inode(dentry->d_parent), name, 2841 inode_mode_to_security_class(mode), 2842 &newsid); 2843 if (rc) 2844 return rc; 2845 2846 return security_sid_to_context(newsid, (char **)ctx, ctxlen); 2847 } 2848 2849 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, 2850 struct qstr *name, 2851 const struct cred *old, 2852 struct cred *new) 2853 { 2854 u32 newsid; 2855 int rc; 2856 struct task_security_struct *tsec; 2857 2858 rc = selinux_determine_inode_label(old->security, 2859 d_inode(dentry->d_parent), name, 2860 inode_mode_to_security_class(mode), 2861 &newsid); 2862 if (rc) 2863 return rc; 2864 2865 tsec = new->security; 2866 tsec->create_sid = newsid; 2867 return 0; 2868 } 2869 2870 static int selinux_inode_init_security(struct inode *inode, struct inode *dir, 2871 const struct qstr *qstr, 2872 const char **name, 2873 void **value, size_t *len) 2874 { 2875 const struct task_security_struct *tsec = current_security(); 2876 struct superblock_security_struct *sbsec; 2877 u32 sid, newsid, clen; 2878 int rc; 2879 char *context; 2880 2881 sbsec = dir->i_sb->s_security; 2882 2883 sid = tsec->sid; 2884 newsid = tsec->create_sid; 2885 2886 rc = selinux_determine_inode_label(current_security(), 2887 dir, qstr, 2888 inode_mode_to_security_class(inode->i_mode), 2889 &newsid); 2890 if (rc) 2891 return rc; 2892 2893 /* Possibly defer initialization to selinux_complete_init. */ 2894 if (sbsec->flags & SE_SBINITIALIZED) { 2895 struct inode_security_struct *isec = inode->i_security; 2896 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2897 isec->sid = newsid; 2898 isec->initialized = LABEL_INITIALIZED; 2899 } 2900 2901 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) 2902 return -EOPNOTSUPP; 2903 2904 if (name) 2905 *name = XATTR_SELINUX_SUFFIX; 2906 2907 if (value && len) { 2908 rc = security_sid_to_context_force(newsid, &context, &clen); 2909 if (rc) 2910 return rc; 2911 *value = context; 2912 *len = clen; 2913 } 2914 2915 return 0; 2916 } 2917 2918 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 2919 { 2920 return may_create(dir, dentry, SECCLASS_FILE); 2921 } 2922 2923 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) 2924 { 2925 return may_link(dir, old_dentry, MAY_LINK); 2926 } 2927 2928 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) 2929 { 2930 return may_link(dir, dentry, MAY_UNLINK); 2931 } 2932 2933 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name) 2934 { 2935 return may_create(dir, dentry, SECCLASS_LNK_FILE); 2936 } 2937 2938 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mask) 2939 { 2940 return may_create(dir, dentry, SECCLASS_DIR); 2941 } 2942 2943 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) 2944 { 2945 return may_link(dir, dentry, MAY_RMDIR); 2946 } 2947 2948 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 2949 { 2950 return may_create(dir, dentry, inode_mode_to_security_class(mode)); 2951 } 2952 2953 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry, 2954 struct inode *new_inode, struct dentry *new_dentry) 2955 { 2956 return may_rename(old_inode, old_dentry, new_inode, new_dentry); 2957 } 2958 2959 static int selinux_inode_readlink(struct dentry *dentry) 2960 { 2961 const struct cred *cred = current_cred(); 2962 2963 return dentry_has_perm(cred, dentry, FILE__READ); 2964 } 2965 2966 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, 2967 bool rcu) 2968 { 2969 const struct cred *cred = current_cred(); 2970 struct common_audit_data ad; 2971 struct inode_security_struct *isec; 2972 u32 sid; 2973 2974 validate_creds(cred); 2975 2976 ad.type = LSM_AUDIT_DATA_DENTRY; 2977 ad.u.dentry = dentry; 2978 sid = cred_sid(cred); 2979 isec = inode_security_rcu(inode, rcu); 2980 if (IS_ERR(isec)) 2981 return PTR_ERR(isec); 2982 2983 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 2984 rcu ? MAY_NOT_BLOCK : 0); 2985 } 2986 2987 static noinline int audit_inode_permission(struct inode *inode, 2988 u32 perms, u32 audited, u32 denied, 2989 int result, 2990 unsigned flags) 2991 { 2992 struct common_audit_data ad; 2993 struct inode_security_struct *isec = inode->i_security; 2994 int rc; 2995 2996 ad.type = LSM_AUDIT_DATA_INODE; 2997 ad.u.inode = inode; 2998 2999 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms, 3000 audited, denied, result, &ad, flags); 3001 if (rc) 3002 return rc; 3003 return 0; 3004 } 3005 3006 static int selinux_inode_permission(struct inode *inode, int mask) 3007 { 3008 const struct cred *cred = current_cred(); 3009 u32 perms; 3010 bool from_access; 3011 unsigned flags = mask & MAY_NOT_BLOCK; 3012 struct inode_security_struct *isec; 3013 u32 sid; 3014 struct av_decision avd; 3015 int rc, rc2; 3016 u32 audited, denied; 3017 3018 from_access = mask & MAY_ACCESS; 3019 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 3020 3021 /* No permission to check. Existence test. */ 3022 if (!mask) 3023 return 0; 3024 3025 validate_creds(cred); 3026 3027 if (unlikely(IS_PRIVATE(inode))) 3028 return 0; 3029 3030 perms = file_mask_to_av(inode->i_mode, mask); 3031 3032 sid = cred_sid(cred); 3033 isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 3034 if (IS_ERR(isec)) 3035 return PTR_ERR(isec); 3036 3037 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 3038 audited = avc_audit_required(perms, &avd, rc, 3039 from_access ? FILE__AUDIT_ACCESS : 0, 3040 &denied); 3041 if (likely(!audited)) 3042 return rc; 3043 3044 rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags); 3045 if (rc2) 3046 return rc2; 3047 return rc; 3048 } 3049 3050 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 3051 { 3052 const struct cred *cred = current_cred(); 3053 unsigned int ia_valid = iattr->ia_valid; 3054 __u32 av = FILE__WRITE; 3055 3056 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 3057 if (ia_valid & ATTR_FORCE) { 3058 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE | 3059 ATTR_FORCE); 3060 if (!ia_valid) 3061 return 0; 3062 } 3063 3064 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | 3065 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 3066 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3067 3068 if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE) 3069 && !(ia_valid & ATTR_FILE)) 3070 av |= FILE__OPEN; 3071 3072 return dentry_has_perm(cred, dentry, av); 3073 } 3074 3075 static int selinux_inode_getattr(const struct path *path) 3076 { 3077 return path_has_perm(current_cred(), path, FILE__GETATTR); 3078 } 3079 3080 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name) 3081 { 3082 const struct cred *cred = current_cred(); 3083 3084 if (!strncmp(name, XATTR_SECURITY_PREFIX, 3085 sizeof XATTR_SECURITY_PREFIX - 1)) { 3086 if (!strcmp(name, XATTR_NAME_CAPS)) { 3087 if (!capable(CAP_SETFCAP)) 3088 return -EPERM; 3089 } else if (!capable(CAP_SYS_ADMIN)) { 3090 /* A different attribute in the security namespace. 3091 Restrict to administrator. */ 3092 return -EPERM; 3093 } 3094 } 3095 3096 /* Not an attribute we recognize, so just check the 3097 ordinary setattr permission. */ 3098 return dentry_has_perm(cred, dentry, FILE__SETATTR); 3099 } 3100 3101 static int selinux_inode_setxattr(struct dentry *dentry, const char *name, 3102 const void *value, size_t size, int flags) 3103 { 3104 struct inode *inode = d_backing_inode(dentry); 3105 struct inode_security_struct *isec; 3106 struct superblock_security_struct *sbsec; 3107 struct common_audit_data ad; 3108 u32 newsid, sid = current_sid(); 3109 int rc = 0; 3110 3111 if (strcmp(name, XATTR_NAME_SELINUX)) 3112 return selinux_inode_setotherxattr(dentry, name); 3113 3114 sbsec = inode->i_sb->s_security; 3115 if (!(sbsec->flags & SBLABEL_MNT)) 3116 return -EOPNOTSUPP; 3117 3118 if (!inode_owner_or_capable(inode)) 3119 return -EPERM; 3120 3121 ad.type = LSM_AUDIT_DATA_DENTRY; 3122 ad.u.dentry = dentry; 3123 3124 isec = backing_inode_security(dentry); 3125 rc = avc_has_perm(sid, isec->sid, isec->sclass, 3126 FILE__RELABELFROM, &ad); 3127 if (rc) 3128 return rc; 3129 3130 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3131 if (rc == -EINVAL) { 3132 if (!capable(CAP_MAC_ADMIN)) { 3133 struct audit_buffer *ab; 3134 size_t audit_size; 3135 const char *str; 3136 3137 /* We strip a nul only if it is at the end, otherwise the 3138 * context contains a nul and we should audit that */ 3139 if (value) { 3140 str = value; 3141 if (str[size - 1] == '\0') 3142 audit_size = size - 1; 3143 else 3144 audit_size = size; 3145 } else { 3146 str = ""; 3147 audit_size = 0; 3148 } 3149 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 3150 audit_log_format(ab, "op=setxattr invalid_context="); 3151 audit_log_n_untrustedstring(ab, value, audit_size); 3152 audit_log_end(ab); 3153 3154 return rc; 3155 } 3156 rc = security_context_to_sid_force(value, size, &newsid); 3157 } 3158 if (rc) 3159 return rc; 3160 3161 rc = avc_has_perm(sid, newsid, isec->sclass, 3162 FILE__RELABELTO, &ad); 3163 if (rc) 3164 return rc; 3165 3166 rc = security_validate_transition(isec->sid, newsid, sid, 3167 isec->sclass); 3168 if (rc) 3169 return rc; 3170 3171 return avc_has_perm(newsid, 3172 sbsec->sid, 3173 SECCLASS_FILESYSTEM, 3174 FILESYSTEM__ASSOCIATE, 3175 &ad); 3176 } 3177 3178 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, 3179 const void *value, size_t size, 3180 int flags) 3181 { 3182 struct inode *inode = d_backing_inode(dentry); 3183 struct inode_security_struct *isec; 3184 u32 newsid; 3185 int rc; 3186 3187 if (strcmp(name, XATTR_NAME_SELINUX)) { 3188 /* Not an attribute we recognize, so nothing to do. */ 3189 return; 3190 } 3191 3192 rc = security_context_to_sid_force(value, size, &newsid); 3193 if (rc) { 3194 printk(KERN_ERR "SELinux: unable to map context to SID" 3195 "for (%s, %lu), rc=%d\n", 3196 inode->i_sb->s_id, inode->i_ino, -rc); 3197 return; 3198 } 3199 3200 isec = backing_inode_security(dentry); 3201 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3202 isec->sid = newsid; 3203 isec->initialized = LABEL_INITIALIZED; 3204 3205 return; 3206 } 3207 3208 static int selinux_inode_getxattr(struct dentry *dentry, const char *name) 3209 { 3210 const struct cred *cred = current_cred(); 3211 3212 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3213 } 3214 3215 static int selinux_inode_listxattr(struct dentry *dentry) 3216 { 3217 const struct cred *cred = current_cred(); 3218 3219 return dentry_has_perm(cred, dentry, FILE__GETATTR); 3220 } 3221 3222 static int selinux_inode_removexattr(struct dentry *dentry, const char *name) 3223 { 3224 if (strcmp(name, XATTR_NAME_SELINUX)) 3225 return selinux_inode_setotherxattr(dentry, name); 3226 3227 /* No one is allowed to remove a SELinux security label. 3228 You can change the label, but all data must be labeled. */ 3229 return -EACCES; 3230 } 3231 3232 /* 3233 * Copy the inode security context value to the user. 3234 * 3235 * Permission check is handled by selinux_inode_getxattr hook. 3236 */ 3237 static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3238 { 3239 u32 size; 3240 int error; 3241 char *context = NULL; 3242 struct inode_security_struct *isec; 3243 3244 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3245 return -EOPNOTSUPP; 3246 3247 /* 3248 * If the caller has CAP_MAC_ADMIN, then get the raw context 3249 * value even if it is not defined by current policy; otherwise, 3250 * use the in-core value under current policy. 3251 * Use the non-auditing forms of the permission checks since 3252 * getxattr may be called by unprivileged processes commonly 3253 * and lack of permission just means that we fall back to the 3254 * in-core context value, not a denial. 3255 */ 3256 error = cap_capable(current_cred(), &init_user_ns, CAP_MAC_ADMIN, 3257 SECURITY_CAP_NOAUDIT); 3258 if (!error) 3259 error = cred_has_capability(current_cred(), CAP_MAC_ADMIN, 3260 SECURITY_CAP_NOAUDIT, true); 3261 isec = inode_security(inode); 3262 if (!error) 3263 error = security_sid_to_context_force(isec->sid, &context, 3264 &size); 3265 else 3266 error = security_sid_to_context(isec->sid, &context, &size); 3267 if (error) 3268 return error; 3269 error = size; 3270 if (alloc) { 3271 *buffer = context; 3272 goto out_nofree; 3273 } 3274 kfree(context); 3275 out_nofree: 3276 return error; 3277 } 3278 3279 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3280 const void *value, size_t size, int flags) 3281 { 3282 struct inode_security_struct *isec = inode_security_novalidate(inode); 3283 u32 newsid; 3284 int rc; 3285 3286 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3287 return -EOPNOTSUPP; 3288 3289 if (!value || !size) 3290 return -EACCES; 3291 3292 rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL); 3293 if (rc) 3294 return rc; 3295 3296 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3297 isec->sid = newsid; 3298 isec->initialized = LABEL_INITIALIZED; 3299 return 0; 3300 } 3301 3302 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 3303 { 3304 const int len = sizeof(XATTR_NAME_SELINUX); 3305 if (buffer && len <= buffer_size) 3306 memcpy(buffer, XATTR_NAME_SELINUX, len); 3307 return len; 3308 } 3309 3310 static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3311 { 3312 struct inode_security_struct *isec = inode_security_novalidate(inode); 3313 *secid = isec->sid; 3314 } 3315 3316 static int selinux_inode_copy_up(struct dentry *src, struct cred **new) 3317 { 3318 u32 sid; 3319 struct task_security_struct *tsec; 3320 struct cred *new_creds = *new; 3321 3322 if (new_creds == NULL) { 3323 new_creds = prepare_creds(); 3324 if (!new_creds) 3325 return -ENOMEM; 3326 } 3327 3328 tsec = new_creds->security; 3329 /* Get label from overlay inode and set it in create_sid */ 3330 selinux_inode_getsecid(d_inode(src), &sid); 3331 tsec->create_sid = sid; 3332 *new = new_creds; 3333 return 0; 3334 } 3335 3336 static int selinux_inode_copy_up_xattr(const char *name) 3337 { 3338 /* The copy_up hook above sets the initial context on an inode, but we 3339 * don't then want to overwrite it by blindly copying all the lower 3340 * xattrs up. Instead, we have to filter out SELinux-related xattrs. 3341 */ 3342 if (strcmp(name, XATTR_NAME_SELINUX) == 0) 3343 return 1; /* Discard */ 3344 /* 3345 * Any other attribute apart from SELINUX is not claimed, supported 3346 * by selinux. 3347 */ 3348 return -EOPNOTSUPP; 3349 } 3350 3351 /* file security operations */ 3352 3353 static int selinux_revalidate_file_permission(struct file *file, int mask) 3354 { 3355 const struct cred *cred = current_cred(); 3356 struct inode *inode = file_inode(file); 3357 3358 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 3359 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 3360 mask |= MAY_APPEND; 3361 3362 return file_has_perm(cred, file, 3363 file_mask_to_av(inode->i_mode, mask)); 3364 } 3365 3366 static int selinux_file_permission(struct file *file, int mask) 3367 { 3368 struct inode *inode = file_inode(file); 3369 struct file_security_struct *fsec = file->f_security; 3370 struct inode_security_struct *isec; 3371 u32 sid = current_sid(); 3372 3373 if (!mask) 3374 /* No permission to check. Existence test. */ 3375 return 0; 3376 3377 isec = inode_security(inode); 3378 if (sid == fsec->sid && fsec->isid == isec->sid && 3379 fsec->pseqno == avc_policy_seqno()) 3380 /* No change since file_open check. */ 3381 return 0; 3382 3383 return selinux_revalidate_file_permission(file, mask); 3384 } 3385 3386 static int selinux_file_alloc_security(struct file *file) 3387 { 3388 return file_alloc_security(file); 3389 } 3390 3391 static void selinux_file_free_security(struct file *file) 3392 { 3393 file_free_security(file); 3394 } 3395 3396 /* 3397 * Check whether a task has the ioctl permission and cmd 3398 * operation to an inode. 3399 */ 3400 static int ioctl_has_perm(const struct cred *cred, struct file *file, 3401 u32 requested, u16 cmd) 3402 { 3403 struct common_audit_data ad; 3404 struct file_security_struct *fsec = file->f_security; 3405 struct inode *inode = file_inode(file); 3406 struct inode_security_struct *isec; 3407 struct lsm_ioctlop_audit ioctl; 3408 u32 ssid = cred_sid(cred); 3409 int rc; 3410 u8 driver = cmd >> 8; 3411 u8 xperm = cmd & 0xff; 3412 3413 ad.type = LSM_AUDIT_DATA_IOCTL_OP; 3414 ad.u.op = &ioctl; 3415 ad.u.op->cmd = cmd; 3416 ad.u.op->path = file->f_path; 3417 3418 if (ssid != fsec->sid) { 3419 rc = avc_has_perm(ssid, fsec->sid, 3420 SECCLASS_FD, 3421 FD__USE, 3422 &ad); 3423 if (rc) 3424 goto out; 3425 } 3426 3427 if (unlikely(IS_PRIVATE(inode))) 3428 return 0; 3429 3430 isec = inode_security(inode); 3431 rc = avc_has_extended_perms(ssid, isec->sid, isec->sclass, 3432 requested, driver, xperm, &ad); 3433 out: 3434 return rc; 3435 } 3436 3437 static int selinux_file_ioctl(struct file *file, unsigned int cmd, 3438 unsigned long arg) 3439 { 3440 const struct cred *cred = current_cred(); 3441 int error = 0; 3442 3443 switch (cmd) { 3444 case FIONREAD: 3445 /* fall through */ 3446 case FIBMAP: 3447 /* fall through */ 3448 case FIGETBSZ: 3449 /* fall through */ 3450 case FS_IOC_GETFLAGS: 3451 /* fall through */ 3452 case FS_IOC_GETVERSION: 3453 error = file_has_perm(cred, file, FILE__GETATTR); 3454 break; 3455 3456 case FS_IOC_SETFLAGS: 3457 /* fall through */ 3458 case FS_IOC_SETVERSION: 3459 error = file_has_perm(cred, file, FILE__SETATTR); 3460 break; 3461 3462 /* sys_ioctl() checks */ 3463 case FIONBIO: 3464 /* fall through */ 3465 case FIOASYNC: 3466 error = file_has_perm(cred, file, 0); 3467 break; 3468 3469 case KDSKBENT: 3470 case KDSKBSENT: 3471 error = cred_has_capability(cred, CAP_SYS_TTY_CONFIG, 3472 SECURITY_CAP_AUDIT, true); 3473 break; 3474 3475 /* default case assumes that the command will go 3476 * to the file's ioctl() function. 3477 */ 3478 default: 3479 error = ioctl_has_perm(cred, file, FILE__IOCTL, (u16) cmd); 3480 } 3481 return error; 3482 } 3483 3484 static int default_noexec; 3485 3486 static int file_map_prot_check(struct file *file, unsigned long prot, int shared) 3487 { 3488 const struct cred *cred = current_cred(); 3489 int rc = 0; 3490 3491 if (default_noexec && 3492 (prot & PROT_EXEC) && (!file || IS_PRIVATE(file_inode(file)) || 3493 (!shared && (prot & PROT_WRITE)))) { 3494 /* 3495 * We are making executable an anonymous mapping or a 3496 * private file mapping that will also be writable. 3497 * This has an additional check. 3498 */ 3499 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM); 3500 if (rc) 3501 goto error; 3502 } 3503 3504 if (file) { 3505 /* read access is always possible with a mapping */ 3506 u32 av = FILE__READ; 3507 3508 /* write access only matters if the mapping is shared */ 3509 if (shared && (prot & PROT_WRITE)) 3510 av |= FILE__WRITE; 3511 3512 if (prot & PROT_EXEC) 3513 av |= FILE__EXECUTE; 3514 3515 return file_has_perm(cred, file, av); 3516 } 3517 3518 error: 3519 return rc; 3520 } 3521 3522 static int selinux_mmap_addr(unsigned long addr) 3523 { 3524 int rc = 0; 3525 3526 if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { 3527 u32 sid = current_sid(); 3528 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, 3529 MEMPROTECT__MMAP_ZERO, NULL); 3530 } 3531 3532 return rc; 3533 } 3534 3535 static int selinux_mmap_file(struct file *file, unsigned long reqprot, 3536 unsigned long prot, unsigned long flags) 3537 { 3538 if (selinux_checkreqprot) 3539 prot = reqprot; 3540 3541 return file_map_prot_check(file, prot, 3542 (flags & MAP_TYPE) == MAP_SHARED); 3543 } 3544 3545 static int selinux_file_mprotect(struct vm_area_struct *vma, 3546 unsigned long reqprot, 3547 unsigned long prot) 3548 { 3549 const struct cred *cred = current_cred(); 3550 3551 if (selinux_checkreqprot) 3552 prot = reqprot; 3553 3554 if (default_noexec && 3555 (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { 3556 int rc = 0; 3557 if (vma->vm_start >= vma->vm_mm->start_brk && 3558 vma->vm_end <= vma->vm_mm->brk) { 3559 rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); 3560 } else if (!vma->vm_file && 3561 ((vma->vm_start <= vma->vm_mm->start_stack && 3562 vma->vm_end >= vma->vm_mm->start_stack) || 3563 vma_is_stack_for_current(vma))) { 3564 rc = current_has_perm(current, PROCESS__EXECSTACK); 3565 } else if (vma->vm_file && vma->anon_vma) { 3566 /* 3567 * We are making executable a file mapping that has 3568 * had some COW done. Since pages might have been 3569 * written, check ability to execute the possibly 3570 * modified content. This typically should only 3571 * occur for text relocations. 3572 */ 3573 rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD); 3574 } 3575 if (rc) 3576 return rc; 3577 } 3578 3579 return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED); 3580 } 3581 3582 static int selinux_file_lock(struct file *file, unsigned int cmd) 3583 { 3584 const struct cred *cred = current_cred(); 3585 3586 return file_has_perm(cred, file, FILE__LOCK); 3587 } 3588 3589 static int selinux_file_fcntl(struct file *file, unsigned int cmd, 3590 unsigned long arg) 3591 { 3592 const struct cred *cred = current_cred(); 3593 int err = 0; 3594 3595 switch (cmd) { 3596 case F_SETFL: 3597 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) { 3598 err = file_has_perm(cred, file, FILE__WRITE); 3599 break; 3600 } 3601 /* fall through */ 3602 case F_SETOWN: 3603 case F_SETSIG: 3604 case F_GETFL: 3605 case F_GETOWN: 3606 case F_GETSIG: 3607 case F_GETOWNER_UIDS: 3608 /* Just check FD__USE permission */ 3609 err = file_has_perm(cred, file, 0); 3610 break; 3611 case F_GETLK: 3612 case F_SETLK: 3613 case F_SETLKW: 3614 case F_OFD_GETLK: 3615 case F_OFD_SETLK: 3616 case F_OFD_SETLKW: 3617 #if BITS_PER_LONG == 32 3618 case F_GETLK64: 3619 case F_SETLK64: 3620 case F_SETLKW64: 3621 #endif 3622 err = file_has_perm(cred, file, FILE__LOCK); 3623 break; 3624 } 3625 3626 return err; 3627 } 3628 3629 static void selinux_file_set_fowner(struct file *file) 3630 { 3631 struct file_security_struct *fsec; 3632 3633 fsec = file->f_security; 3634 fsec->fown_sid = current_sid(); 3635 } 3636 3637 static int selinux_file_send_sigiotask(struct task_struct *tsk, 3638 struct fown_struct *fown, int signum) 3639 { 3640 struct file *file; 3641 u32 sid = task_sid(tsk); 3642 u32 perm; 3643 struct file_security_struct *fsec; 3644 3645 /* struct fown_struct is never outside the context of a struct file */ 3646 file = container_of(fown, struct file, f_owner); 3647 3648 fsec = file->f_security; 3649 3650 if (!signum) 3651 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ 3652 else 3653 perm = signal_to_av(signum); 3654 3655 return avc_has_perm(fsec->fown_sid, sid, 3656 SECCLASS_PROCESS, perm, NULL); 3657 } 3658 3659 static int selinux_file_receive(struct file *file) 3660 { 3661 const struct cred *cred = current_cred(); 3662 3663 return file_has_perm(cred, file, file_to_av(file)); 3664 } 3665 3666 static int selinux_file_open(struct file *file, const struct cred *cred) 3667 { 3668 struct file_security_struct *fsec; 3669 struct inode_security_struct *isec; 3670 3671 fsec = file->f_security; 3672 isec = inode_security(file_inode(file)); 3673 /* 3674 * Save inode label and policy sequence number 3675 * at open-time so that selinux_file_permission 3676 * can determine whether revalidation is necessary. 3677 * Task label is already saved in the file security 3678 * struct as its SID. 3679 */ 3680 fsec->isid = isec->sid; 3681 fsec->pseqno = avc_policy_seqno(); 3682 /* 3683 * Since the inode label or policy seqno may have changed 3684 * between the selinux_inode_permission check and the saving 3685 * of state above, recheck that access is still permitted. 3686 * Otherwise, access might never be revalidated against the 3687 * new inode label or new policy. 3688 * This check is not redundant - do not remove. 3689 */ 3690 return file_path_has_perm(cred, file, open_file_to_av(file)); 3691 } 3692 3693 /* task security operations */ 3694 3695 static int selinux_task_create(unsigned long clone_flags) 3696 { 3697 return current_has_perm(current, PROCESS__FORK); 3698 } 3699 3700 /* 3701 * allocate the SELinux part of blank credentials 3702 */ 3703 static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp) 3704 { 3705 struct task_security_struct *tsec; 3706 3707 tsec = kzalloc(sizeof(struct task_security_struct), gfp); 3708 if (!tsec) 3709 return -ENOMEM; 3710 3711 cred->security = tsec; 3712 return 0; 3713 } 3714 3715 /* 3716 * detach and free the LSM part of a set of credentials 3717 */ 3718 static void selinux_cred_free(struct cred *cred) 3719 { 3720 struct task_security_struct *tsec = cred->security; 3721 3722 /* 3723 * cred->security == NULL if security_cred_alloc_blank() or 3724 * security_prepare_creds() returned an error. 3725 */ 3726 BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); 3727 cred->security = (void *) 0x7UL; 3728 kfree(tsec); 3729 } 3730 3731 /* 3732 * prepare a new set of credentials for modification 3733 */ 3734 static int selinux_cred_prepare(struct cred *new, const struct cred *old, 3735 gfp_t gfp) 3736 { 3737 const struct task_security_struct *old_tsec; 3738 struct task_security_struct *tsec; 3739 3740 old_tsec = old->security; 3741 3742 tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp); 3743 if (!tsec) 3744 return -ENOMEM; 3745 3746 new->security = tsec; 3747 return 0; 3748 } 3749 3750 /* 3751 * transfer the SELinux data to a blank set of creds 3752 */ 3753 static void selinux_cred_transfer(struct cred *new, const struct cred *old) 3754 { 3755 const struct task_security_struct *old_tsec = old->security; 3756 struct task_security_struct *tsec = new->security; 3757 3758 *tsec = *old_tsec; 3759 } 3760 3761 /* 3762 * set the security data for a kernel service 3763 * - all the creation contexts are set to unlabelled 3764 */ 3765 static int selinux_kernel_act_as(struct cred *new, u32 secid) 3766 { 3767 struct task_security_struct *tsec = new->security; 3768 u32 sid = current_sid(); 3769 int ret; 3770 3771 ret = avc_has_perm(sid, secid, 3772 SECCLASS_KERNEL_SERVICE, 3773 KERNEL_SERVICE__USE_AS_OVERRIDE, 3774 NULL); 3775 if (ret == 0) { 3776 tsec->sid = secid; 3777 tsec->create_sid = 0; 3778 tsec->keycreate_sid = 0; 3779 tsec->sockcreate_sid = 0; 3780 } 3781 return ret; 3782 } 3783 3784 /* 3785 * set the file creation context in a security record to the same as the 3786 * objective context of the specified inode 3787 */ 3788 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3789 { 3790 struct inode_security_struct *isec = inode_security(inode); 3791 struct task_security_struct *tsec = new->security; 3792 u32 sid = current_sid(); 3793 int ret; 3794 3795 ret = avc_has_perm(sid, isec->sid, 3796 SECCLASS_KERNEL_SERVICE, 3797 KERNEL_SERVICE__CREATE_FILES_AS, 3798 NULL); 3799 3800 if (ret == 0) 3801 tsec->create_sid = isec->sid; 3802 return ret; 3803 } 3804 3805 static int selinux_kernel_module_request(char *kmod_name) 3806 { 3807 u32 sid; 3808 struct common_audit_data ad; 3809 3810 sid = task_sid(current); 3811 3812 ad.type = LSM_AUDIT_DATA_KMOD; 3813 ad.u.kmod_name = kmod_name; 3814 3815 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM, 3816 SYSTEM__MODULE_REQUEST, &ad); 3817 } 3818 3819 static int selinux_kernel_module_from_file(struct file *file) 3820 { 3821 struct common_audit_data ad; 3822 struct inode_security_struct *isec; 3823 struct file_security_struct *fsec; 3824 u32 sid = current_sid(); 3825 int rc; 3826 3827 /* init_module */ 3828 if (file == NULL) 3829 return avc_has_perm(sid, sid, SECCLASS_SYSTEM, 3830 SYSTEM__MODULE_LOAD, NULL); 3831 3832 /* finit_module */ 3833 3834 ad.type = LSM_AUDIT_DATA_FILE; 3835 ad.u.file = file; 3836 3837 fsec = file->f_security; 3838 if (sid != fsec->sid) { 3839 rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); 3840 if (rc) 3841 return rc; 3842 } 3843 3844 isec = inode_security(file_inode(file)); 3845 return avc_has_perm(sid, isec->sid, SECCLASS_SYSTEM, 3846 SYSTEM__MODULE_LOAD, &ad); 3847 } 3848 3849 static int selinux_kernel_read_file(struct file *file, 3850 enum kernel_read_file_id id) 3851 { 3852 int rc = 0; 3853 3854 switch (id) { 3855 case READING_MODULE: 3856 rc = selinux_kernel_module_from_file(file); 3857 break; 3858 default: 3859 break; 3860 } 3861 3862 return rc; 3863 } 3864 3865 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3866 { 3867 return current_has_perm(p, PROCESS__SETPGID); 3868 } 3869 3870 static int selinux_task_getpgid(struct task_struct *p) 3871 { 3872 return current_has_perm(p, PROCESS__GETPGID); 3873 } 3874 3875 static int selinux_task_getsid(struct task_struct *p) 3876 { 3877 return current_has_perm(p, PROCESS__GETSESSION); 3878 } 3879 3880 static void selinux_task_getsecid(struct task_struct *p, u32 *secid) 3881 { 3882 *secid = task_sid(p); 3883 } 3884 3885 static int selinux_task_setnice(struct task_struct *p, int nice) 3886 { 3887 return current_has_perm(p, PROCESS__SETSCHED); 3888 } 3889 3890 static int selinux_task_setioprio(struct task_struct *p, int ioprio) 3891 { 3892 return current_has_perm(p, PROCESS__SETSCHED); 3893 } 3894 3895 static int selinux_task_getioprio(struct task_struct *p) 3896 { 3897 return current_has_perm(p, PROCESS__GETSCHED); 3898 } 3899 3900 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource, 3901 struct rlimit *new_rlim) 3902 { 3903 struct rlimit *old_rlim = p->signal->rlim + resource; 3904 3905 /* Control the ability to change the hard limit (whether 3906 lowering or raising it), so that the hard limit can 3907 later be used as a safe reset point for the soft limit 3908 upon context transitions. See selinux_bprm_committing_creds. */ 3909 if (old_rlim->rlim_max != new_rlim->rlim_max) 3910 return current_has_perm(p, PROCESS__SETRLIMIT); 3911 3912 return 0; 3913 } 3914 3915 static int selinux_task_setscheduler(struct task_struct *p) 3916 { 3917 return current_has_perm(p, PROCESS__SETSCHED); 3918 } 3919 3920 static int selinux_task_getscheduler(struct task_struct *p) 3921 { 3922 return current_has_perm(p, PROCESS__GETSCHED); 3923 } 3924 3925 static int selinux_task_movememory(struct task_struct *p) 3926 { 3927 return current_has_perm(p, PROCESS__SETSCHED); 3928 } 3929 3930 static int selinux_task_kill(struct task_struct *p, struct siginfo *info, 3931 int sig, u32 secid) 3932 { 3933 u32 perm; 3934 int rc; 3935 3936 if (!sig) 3937 perm = PROCESS__SIGNULL; /* null signal; existence test */ 3938 else 3939 perm = signal_to_av(sig); 3940 if (secid) 3941 rc = avc_has_perm(secid, task_sid(p), 3942 SECCLASS_PROCESS, perm, NULL); 3943 else 3944 rc = current_has_perm(p, perm); 3945 return rc; 3946 } 3947 3948 static int selinux_task_wait(struct task_struct *p) 3949 { 3950 return task_has_perm(p, current, PROCESS__SIGCHLD); 3951 } 3952 3953 static void selinux_task_to_inode(struct task_struct *p, 3954 struct inode *inode) 3955 { 3956 struct inode_security_struct *isec = inode->i_security; 3957 u32 sid = task_sid(p); 3958 3959 isec->sid = sid; 3960 isec->initialized = LABEL_INITIALIZED; 3961 } 3962 3963 /* Returns error only if unable to parse addresses */ 3964 static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3965 struct common_audit_data *ad, u8 *proto) 3966 { 3967 int offset, ihlen, ret = -EINVAL; 3968 struct iphdr _iph, *ih; 3969 3970 offset = skb_network_offset(skb); 3971 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 3972 if (ih == NULL) 3973 goto out; 3974 3975 ihlen = ih->ihl * 4; 3976 if (ihlen < sizeof(_iph)) 3977 goto out; 3978 3979 ad->u.net->v4info.saddr = ih->saddr; 3980 ad->u.net->v4info.daddr = ih->daddr; 3981 ret = 0; 3982 3983 if (proto) 3984 *proto = ih->protocol; 3985 3986 switch (ih->protocol) { 3987 case IPPROTO_TCP: { 3988 struct tcphdr _tcph, *th; 3989 3990 if (ntohs(ih->frag_off) & IP_OFFSET) 3991 break; 3992 3993 offset += ihlen; 3994 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3995 if (th == NULL) 3996 break; 3997 3998 ad->u.net->sport = th->source; 3999 ad->u.net->dport = th->dest; 4000 break; 4001 } 4002 4003 case IPPROTO_UDP: { 4004 struct udphdr _udph, *uh; 4005 4006 if (ntohs(ih->frag_off) & IP_OFFSET) 4007 break; 4008 4009 offset += ihlen; 4010 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4011 if (uh == NULL) 4012 break; 4013 4014 ad->u.net->sport = uh->source; 4015 ad->u.net->dport = uh->dest; 4016 break; 4017 } 4018 4019 case IPPROTO_DCCP: { 4020 struct dccp_hdr _dccph, *dh; 4021 4022 if (ntohs(ih->frag_off) & IP_OFFSET) 4023 break; 4024 4025 offset += ihlen; 4026 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4027 if (dh == NULL) 4028 break; 4029 4030 ad->u.net->sport = dh->dccph_sport; 4031 ad->u.net->dport = dh->dccph_dport; 4032 break; 4033 } 4034 4035 default: 4036 break; 4037 } 4038 out: 4039 return ret; 4040 } 4041 4042 #if IS_ENABLED(CONFIG_IPV6) 4043 4044 /* Returns error only if unable to parse addresses */ 4045 static int selinux_parse_skb_ipv6(struct sk_buff *skb, 4046 struct common_audit_data *ad, u8 *proto) 4047 { 4048 u8 nexthdr; 4049 int ret = -EINVAL, offset; 4050 struct ipv6hdr _ipv6h, *ip6; 4051 __be16 frag_off; 4052 4053 offset = skb_network_offset(skb); 4054 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4055 if (ip6 == NULL) 4056 goto out; 4057 4058 ad->u.net->v6info.saddr = ip6->saddr; 4059 ad->u.net->v6info.daddr = ip6->daddr; 4060 ret = 0; 4061 4062 nexthdr = ip6->nexthdr; 4063 offset += sizeof(_ipv6h); 4064 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4065 if (offset < 0) 4066 goto out; 4067 4068 if (proto) 4069 *proto = nexthdr; 4070 4071 switch (nexthdr) { 4072 case IPPROTO_TCP: { 4073 struct tcphdr _tcph, *th; 4074 4075 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4076 if (th == NULL) 4077 break; 4078 4079 ad->u.net->sport = th->source; 4080 ad->u.net->dport = th->dest; 4081 break; 4082 } 4083 4084 case IPPROTO_UDP: { 4085 struct udphdr _udph, *uh; 4086 4087 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4088 if (uh == NULL) 4089 break; 4090 4091 ad->u.net->sport = uh->source; 4092 ad->u.net->dport = uh->dest; 4093 break; 4094 } 4095 4096 case IPPROTO_DCCP: { 4097 struct dccp_hdr _dccph, *dh; 4098 4099 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4100 if (dh == NULL) 4101 break; 4102 4103 ad->u.net->sport = dh->dccph_sport; 4104 ad->u.net->dport = dh->dccph_dport; 4105 break; 4106 } 4107 4108 /* includes fragments */ 4109 default: 4110 break; 4111 } 4112 out: 4113 return ret; 4114 } 4115 4116 #endif /* IPV6 */ 4117 4118 static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad, 4119 char **_addrp, int src, u8 *proto) 4120 { 4121 char *addrp; 4122 int ret; 4123 4124 switch (ad->u.net->family) { 4125 case PF_INET: 4126 ret = selinux_parse_skb_ipv4(skb, ad, proto); 4127 if (ret) 4128 goto parse_error; 4129 addrp = (char *)(src ? &ad->u.net->v4info.saddr : 4130 &ad->u.net->v4info.daddr); 4131 goto okay; 4132 4133 #if IS_ENABLED(CONFIG_IPV6) 4134 case PF_INET6: 4135 ret = selinux_parse_skb_ipv6(skb, ad, proto); 4136 if (ret) 4137 goto parse_error; 4138 addrp = (char *)(src ? &ad->u.net->v6info.saddr : 4139 &ad->u.net->v6info.daddr); 4140 goto okay; 4141 #endif /* IPV6 */ 4142 default: 4143 addrp = NULL; 4144 goto okay; 4145 } 4146 4147 parse_error: 4148 printk(KERN_WARNING 4149 "SELinux: failure in selinux_parse_skb()," 4150 " unable to parse packet\n"); 4151 return ret; 4152 4153 okay: 4154 if (_addrp) 4155 *_addrp = addrp; 4156 return 0; 4157 } 4158 4159 /** 4160 * selinux_skb_peerlbl_sid - Determine the peer label of a packet 4161 * @skb: the packet 4162 * @family: protocol family 4163 * @sid: the packet's peer label SID 4164 * 4165 * Description: 4166 * Check the various different forms of network peer labeling and determine 4167 * the peer label/SID for the packet; most of the magic actually occurs in 4168 * the security server function security_net_peersid_cmp(). The function 4169 * returns zero if the value in @sid is valid (although it may be SECSID_NULL) 4170 * or -EACCES if @sid is invalid due to inconsistencies with the different 4171 * peer labels. 4172 * 4173 */ 4174 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid) 4175 { 4176 int err; 4177 u32 xfrm_sid; 4178 u32 nlbl_sid; 4179 u32 nlbl_type; 4180 4181 err = selinux_xfrm_skb_sid(skb, &xfrm_sid); 4182 if (unlikely(err)) 4183 return -EACCES; 4184 err = selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid); 4185 if (unlikely(err)) 4186 return -EACCES; 4187 4188 err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid); 4189 if (unlikely(err)) { 4190 printk(KERN_WARNING 4191 "SELinux: failure in selinux_skb_peerlbl_sid()," 4192 " unable to determine packet's peer label\n"); 4193 return -EACCES; 4194 } 4195 4196 return 0; 4197 } 4198 4199 /** 4200 * selinux_conn_sid - Determine the child socket label for a connection 4201 * @sk_sid: the parent socket's SID 4202 * @skb_sid: the packet's SID 4203 * @conn_sid: the resulting connection SID 4204 * 4205 * If @skb_sid is valid then the user:role:type information from @sk_sid is 4206 * combined with the MLS information from @skb_sid in order to create 4207 * @conn_sid. If @skb_sid is not valid then then @conn_sid is simply a copy 4208 * of @sk_sid. Returns zero on success, negative values on failure. 4209 * 4210 */ 4211 static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) 4212 { 4213 int err = 0; 4214 4215 if (skb_sid != SECSID_NULL) 4216 err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid); 4217 else 4218 *conn_sid = sk_sid; 4219 4220 return err; 4221 } 4222 4223 /* socket security operations */ 4224 4225 static int socket_sockcreate_sid(const struct task_security_struct *tsec, 4226 u16 secclass, u32 *socksid) 4227 { 4228 if (tsec->sockcreate_sid > SECSID_NULL) { 4229 *socksid = tsec->sockcreate_sid; 4230 return 0; 4231 } 4232 4233 return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL, 4234 socksid); 4235 } 4236 4237 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) 4238 { 4239 struct sk_security_struct *sksec = sk->sk_security; 4240 struct common_audit_data ad; 4241 struct lsm_network_audit net = {0,}; 4242 u32 tsid = task_sid(task); 4243 4244 if (sksec->sid == SECINITSID_KERNEL) 4245 return 0; 4246 4247 ad.type = LSM_AUDIT_DATA_NET; 4248 ad.u.net = &net; 4249 ad.u.net->sk = sk; 4250 4251 return avc_has_perm(tsid, sksec->sid, sksec->sclass, perms, &ad); 4252 } 4253 4254 static int selinux_socket_create(int family, int type, 4255 int protocol, int kern) 4256 { 4257 const struct task_security_struct *tsec = current_security(); 4258 u32 newsid; 4259 u16 secclass; 4260 int rc; 4261 4262 if (kern) 4263 return 0; 4264 4265 secclass = socket_type_to_security_class(family, type, protocol); 4266 rc = socket_sockcreate_sid(tsec, secclass, &newsid); 4267 if (rc) 4268 return rc; 4269 4270 return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); 4271 } 4272 4273 static int selinux_socket_post_create(struct socket *sock, int family, 4274 int type, int protocol, int kern) 4275 { 4276 const struct task_security_struct *tsec = current_security(); 4277 struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4278 struct sk_security_struct *sksec; 4279 int err = 0; 4280 4281 isec->sclass = socket_type_to_security_class(family, type, protocol); 4282 4283 if (kern) 4284 isec->sid = SECINITSID_KERNEL; 4285 else { 4286 err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid)); 4287 if (err) 4288 return err; 4289 } 4290 4291 isec->initialized = LABEL_INITIALIZED; 4292 4293 if (sock->sk) { 4294 sksec = sock->sk->sk_security; 4295 sksec->sid = isec->sid; 4296 sksec->sclass = isec->sclass; 4297 err = selinux_netlbl_socket_post_create(sock->sk, family); 4298 } 4299 4300 return err; 4301 } 4302 4303 /* Range of port numbers used to automatically bind. 4304 Need to determine whether we should perform a name_bind 4305 permission check between the socket and the port number. */ 4306 4307 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 4308 { 4309 struct sock *sk = sock->sk; 4310 u16 family; 4311 int err; 4312 4313 err = sock_has_perm(current, sk, SOCKET__BIND); 4314 if (err) 4315 goto out; 4316 4317 /* 4318 * If PF_INET or PF_INET6, check name_bind permission for the port. 4319 * Multiple address binding for SCTP is not supported yet: we just 4320 * check the first address now. 4321 */ 4322 family = sk->sk_family; 4323 if (family == PF_INET || family == PF_INET6) { 4324 char *addrp; 4325 struct sk_security_struct *sksec = sk->sk_security; 4326 struct common_audit_data ad; 4327 struct lsm_network_audit net = {0,}; 4328 struct sockaddr_in *addr4 = NULL; 4329 struct sockaddr_in6 *addr6 = NULL; 4330 unsigned short snum; 4331 u32 sid, node_perm; 4332 4333 if (family == PF_INET) { 4334 addr4 = (struct sockaddr_in *)address; 4335 snum = ntohs(addr4->sin_port); 4336 addrp = (char *)&addr4->sin_addr.s_addr; 4337 } else { 4338 addr6 = (struct sockaddr_in6 *)address; 4339 snum = ntohs(addr6->sin6_port); 4340 addrp = (char *)&addr6->sin6_addr.s6_addr; 4341 } 4342 4343 if (snum) { 4344 int low, high; 4345 4346 inet_get_local_port_range(sock_net(sk), &low, &high); 4347 4348 if (snum < max(PROT_SOCK, low) || snum > high) { 4349 err = sel_netport_sid(sk->sk_protocol, 4350 snum, &sid); 4351 if (err) 4352 goto out; 4353 ad.type = LSM_AUDIT_DATA_NET; 4354 ad.u.net = &net; 4355 ad.u.net->sport = htons(snum); 4356 ad.u.net->family = family; 4357 err = avc_has_perm(sksec->sid, sid, 4358 sksec->sclass, 4359 SOCKET__NAME_BIND, &ad); 4360 if (err) 4361 goto out; 4362 } 4363 } 4364 4365 switch (sksec->sclass) { 4366 case SECCLASS_TCP_SOCKET: 4367 node_perm = TCP_SOCKET__NODE_BIND; 4368 break; 4369 4370 case SECCLASS_UDP_SOCKET: 4371 node_perm = UDP_SOCKET__NODE_BIND; 4372 break; 4373 4374 case SECCLASS_DCCP_SOCKET: 4375 node_perm = DCCP_SOCKET__NODE_BIND; 4376 break; 4377 4378 default: 4379 node_perm = RAWIP_SOCKET__NODE_BIND; 4380 break; 4381 } 4382 4383 err = sel_netnode_sid(addrp, family, &sid); 4384 if (err) 4385 goto out; 4386 4387 ad.type = LSM_AUDIT_DATA_NET; 4388 ad.u.net = &net; 4389 ad.u.net->sport = htons(snum); 4390 ad.u.net->family = family; 4391 4392 if (family == PF_INET) 4393 ad.u.net->v4info.saddr = addr4->sin_addr.s_addr; 4394 else 4395 ad.u.net->v6info.saddr = addr6->sin6_addr; 4396 4397 err = avc_has_perm(sksec->sid, sid, 4398 sksec->sclass, node_perm, &ad); 4399 if (err) 4400 goto out; 4401 } 4402 out: 4403 return err; 4404 } 4405 4406 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 4407 { 4408 struct sock *sk = sock->sk; 4409 struct sk_security_struct *sksec = sk->sk_security; 4410 int err; 4411 4412 err = sock_has_perm(current, sk, SOCKET__CONNECT); 4413 if (err) 4414 return err; 4415 4416 /* 4417 * If a TCP or DCCP socket, check name_connect permission for the port. 4418 */ 4419 if (sksec->sclass == SECCLASS_TCP_SOCKET || 4420 sksec->sclass == SECCLASS_DCCP_SOCKET) { 4421 struct common_audit_data ad; 4422 struct lsm_network_audit net = {0,}; 4423 struct sockaddr_in *addr4 = NULL; 4424 struct sockaddr_in6 *addr6 = NULL; 4425 unsigned short snum; 4426 u32 sid, perm; 4427 4428 if (sk->sk_family == PF_INET) { 4429 addr4 = (struct sockaddr_in *)address; 4430 if (addrlen < sizeof(struct sockaddr_in)) 4431 return -EINVAL; 4432 snum = ntohs(addr4->sin_port); 4433 } else { 4434 addr6 = (struct sockaddr_in6 *)address; 4435 if (addrlen < SIN6_LEN_RFC2133) 4436 return -EINVAL; 4437 snum = ntohs(addr6->sin6_port); 4438 } 4439 4440 err = sel_netport_sid(sk->sk_protocol, snum, &sid); 4441 if (err) 4442 goto out; 4443 4444 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 4445 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 4446 4447 ad.type = LSM_AUDIT_DATA_NET; 4448 ad.u.net = &net; 4449 ad.u.net->dport = htons(snum); 4450 ad.u.net->family = sk->sk_family; 4451 err = avc_has_perm(sksec->sid, sid, sksec->sclass, perm, &ad); 4452 if (err) 4453 goto out; 4454 } 4455 4456 err = selinux_netlbl_socket_connect(sk, address); 4457 4458 out: 4459 return err; 4460 } 4461 4462 static int selinux_socket_listen(struct socket *sock, int backlog) 4463 { 4464 return sock_has_perm(current, sock->sk, SOCKET__LISTEN); 4465 } 4466 4467 static int selinux_socket_accept(struct socket *sock, struct socket *newsock) 4468 { 4469 int err; 4470 struct inode_security_struct *isec; 4471 struct inode_security_struct *newisec; 4472 4473 err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT); 4474 if (err) 4475 return err; 4476 4477 newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4478 4479 isec = inode_security_novalidate(SOCK_INODE(sock)); 4480 newisec->sclass = isec->sclass; 4481 newisec->sid = isec->sid; 4482 newisec->initialized = LABEL_INITIALIZED; 4483 4484 return 0; 4485 } 4486 4487 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4488 int size) 4489 { 4490 return sock_has_perm(current, sock->sk, SOCKET__WRITE); 4491 } 4492 4493 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg, 4494 int size, int flags) 4495 { 4496 return sock_has_perm(current, sock->sk, SOCKET__READ); 4497 } 4498 4499 static int selinux_socket_getsockname(struct socket *sock) 4500 { 4501 return sock_has_perm(current, sock->sk, SOCKET__GETATTR); 4502 } 4503 4504 static int selinux_socket_getpeername(struct socket *sock) 4505 { 4506 return sock_has_perm(current, sock->sk, SOCKET__GETATTR); 4507 } 4508 4509 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname) 4510 { 4511 int err; 4512 4513 err = sock_has_perm(current, sock->sk, SOCKET__SETOPT); 4514 if (err) 4515 return err; 4516 4517 return selinux_netlbl_socket_setsockopt(sock, level, optname); 4518 } 4519 4520 static int selinux_socket_getsockopt(struct socket *sock, int level, 4521 int optname) 4522 { 4523 return sock_has_perm(current, sock->sk, SOCKET__GETOPT); 4524 } 4525 4526 static int selinux_socket_shutdown(struct socket *sock, int how) 4527 { 4528 return sock_has_perm(current, sock->sk, SOCKET__SHUTDOWN); 4529 } 4530 4531 static int selinux_socket_unix_stream_connect(struct sock *sock, 4532 struct sock *other, 4533 struct sock *newsk) 4534 { 4535 struct sk_security_struct *sksec_sock = sock->sk_security; 4536 struct sk_security_struct *sksec_other = other->sk_security; 4537 struct sk_security_struct *sksec_new = newsk->sk_security; 4538 struct common_audit_data ad; 4539 struct lsm_network_audit net = {0,}; 4540 int err; 4541 4542 ad.type = LSM_AUDIT_DATA_NET; 4543 ad.u.net = &net; 4544 ad.u.net->sk = other; 4545 4546 err = avc_has_perm(sksec_sock->sid, sksec_other->sid, 4547 sksec_other->sclass, 4548 UNIX_STREAM_SOCKET__CONNECTTO, &ad); 4549 if (err) 4550 return err; 4551 4552 /* server child socket */ 4553 sksec_new->peer_sid = sksec_sock->sid; 4554 err = security_sid_mls_copy(sksec_other->sid, sksec_sock->sid, 4555 &sksec_new->sid); 4556 if (err) 4557 return err; 4558 4559 /* connecting socket */ 4560 sksec_sock->peer_sid = sksec_new->sid; 4561 4562 return 0; 4563 } 4564 4565 static int selinux_socket_unix_may_send(struct socket *sock, 4566 struct socket *other) 4567 { 4568 struct sk_security_struct *ssec = sock->sk->sk_security; 4569 struct sk_security_struct *osec = other->sk->sk_security; 4570 struct common_audit_data ad; 4571 struct lsm_network_audit net = {0,}; 4572 4573 ad.type = LSM_AUDIT_DATA_NET; 4574 ad.u.net = &net; 4575 ad.u.net->sk = other->sk; 4576 4577 return avc_has_perm(ssec->sid, osec->sid, osec->sclass, SOCKET__SENDTO, 4578 &ad); 4579 } 4580 4581 static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex, 4582 char *addrp, u16 family, u32 peer_sid, 4583 struct common_audit_data *ad) 4584 { 4585 int err; 4586 u32 if_sid; 4587 u32 node_sid; 4588 4589 err = sel_netif_sid(ns, ifindex, &if_sid); 4590 if (err) 4591 return err; 4592 err = avc_has_perm(peer_sid, if_sid, 4593 SECCLASS_NETIF, NETIF__INGRESS, ad); 4594 if (err) 4595 return err; 4596 4597 err = sel_netnode_sid(addrp, family, &node_sid); 4598 if (err) 4599 return err; 4600 return avc_has_perm(peer_sid, node_sid, 4601 SECCLASS_NODE, NODE__RECVFROM, ad); 4602 } 4603 4604 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, 4605 u16 family) 4606 { 4607 int err = 0; 4608 struct sk_security_struct *sksec = sk->sk_security; 4609 u32 sk_sid = sksec->sid; 4610 struct common_audit_data ad; 4611 struct lsm_network_audit net = {0,}; 4612 char *addrp; 4613 4614 ad.type = LSM_AUDIT_DATA_NET; 4615 ad.u.net = &net; 4616 ad.u.net->netif = skb->skb_iif; 4617 ad.u.net->family = family; 4618 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4619 if (err) 4620 return err; 4621 4622 if (selinux_secmark_enabled()) { 4623 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4624 PACKET__RECV, &ad); 4625 if (err) 4626 return err; 4627 } 4628 4629 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad); 4630 if (err) 4631 return err; 4632 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad); 4633 4634 return err; 4635 } 4636 4637 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4638 { 4639 int err; 4640 struct sk_security_struct *sksec = sk->sk_security; 4641 u16 family = sk->sk_family; 4642 u32 sk_sid = sksec->sid; 4643 struct common_audit_data ad; 4644 struct lsm_network_audit net = {0,}; 4645 char *addrp; 4646 u8 secmark_active; 4647 u8 peerlbl_active; 4648 4649 if (family != PF_INET && family != PF_INET6) 4650 return 0; 4651 4652 /* Handle mapped IPv4 packets arriving via IPv6 sockets */ 4653 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4654 family = PF_INET; 4655 4656 /* If any sort of compatibility mode is enabled then handoff processing 4657 * to the selinux_sock_rcv_skb_compat() function to deal with the 4658 * special handling. We do this in an attempt to keep this function 4659 * as fast and as clean as possible. */ 4660 if (!selinux_policycap_netpeer) 4661 return selinux_sock_rcv_skb_compat(sk, skb, family); 4662 4663 secmark_active = selinux_secmark_enabled(); 4664 peerlbl_active = selinux_peerlbl_enabled(); 4665 if (!secmark_active && !peerlbl_active) 4666 return 0; 4667 4668 ad.type = LSM_AUDIT_DATA_NET; 4669 ad.u.net = &net; 4670 ad.u.net->netif = skb->skb_iif; 4671 ad.u.net->family = family; 4672 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4673 if (err) 4674 return err; 4675 4676 if (peerlbl_active) { 4677 u32 peer_sid; 4678 4679 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4680 if (err) 4681 return err; 4682 err = selinux_inet_sys_rcv_skb(sock_net(sk), skb->skb_iif, 4683 addrp, family, peer_sid, &ad); 4684 if (err) { 4685 selinux_netlbl_err(skb, family, err, 0); 4686 return err; 4687 } 4688 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER, 4689 PEER__RECV, &ad); 4690 if (err) { 4691 selinux_netlbl_err(skb, family, err, 0); 4692 return err; 4693 } 4694 } 4695 4696 if (secmark_active) { 4697 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET, 4698 PACKET__RECV, &ad); 4699 if (err) 4700 return err; 4701 } 4702 4703 return err; 4704 } 4705 4706 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval, 4707 int __user *optlen, unsigned len) 4708 { 4709 int err = 0; 4710 char *scontext; 4711 u32 scontext_len; 4712 struct sk_security_struct *sksec = sock->sk->sk_security; 4713 u32 peer_sid = SECSID_NULL; 4714 4715 if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || 4716 sksec->sclass == SECCLASS_TCP_SOCKET) 4717 peer_sid = sksec->peer_sid; 4718 if (peer_sid == SECSID_NULL) 4719 return -ENOPROTOOPT; 4720 4721 err = security_sid_to_context(peer_sid, &scontext, &scontext_len); 4722 if (err) 4723 return err; 4724 4725 if (scontext_len > len) { 4726 err = -ERANGE; 4727 goto out_len; 4728 } 4729 4730 if (copy_to_user(optval, scontext, scontext_len)) 4731 err = -EFAULT; 4732 4733 out_len: 4734 if (put_user(scontext_len, optlen)) 4735 err = -EFAULT; 4736 kfree(scontext); 4737 return err; 4738 } 4739 4740 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 4741 { 4742 u32 peer_secid = SECSID_NULL; 4743 u16 family; 4744 struct inode_security_struct *isec; 4745 4746 if (skb && skb->protocol == htons(ETH_P_IP)) 4747 family = PF_INET; 4748 else if (skb && skb->protocol == htons(ETH_P_IPV6)) 4749 family = PF_INET6; 4750 else if (sock) 4751 family = sock->sk->sk_family; 4752 else 4753 goto out; 4754 4755 if (sock && family == PF_UNIX) { 4756 isec = inode_security_novalidate(SOCK_INODE(sock)); 4757 peer_secid = isec->sid; 4758 } else if (skb) 4759 selinux_skb_peerlbl_sid(skb, family, &peer_secid); 4760 4761 out: 4762 *secid = peer_secid; 4763 if (peer_secid == SECSID_NULL) 4764 return -EINVAL; 4765 return 0; 4766 } 4767 4768 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) 4769 { 4770 struct sk_security_struct *sksec; 4771 4772 sksec = kzalloc(sizeof(*sksec), priority); 4773 if (!sksec) 4774 return -ENOMEM; 4775 4776 sksec->peer_sid = SECINITSID_UNLABELED; 4777 sksec->sid = SECINITSID_UNLABELED; 4778 sksec->sclass = SECCLASS_SOCKET; 4779 selinux_netlbl_sk_security_reset(sksec); 4780 sk->sk_security = sksec; 4781 4782 return 0; 4783 } 4784 4785 static void selinux_sk_free_security(struct sock *sk) 4786 { 4787 struct sk_security_struct *sksec = sk->sk_security; 4788 4789 sk->sk_security = NULL; 4790 selinux_netlbl_sk_security_free(sksec); 4791 kfree(sksec); 4792 } 4793 4794 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) 4795 { 4796 struct sk_security_struct *sksec = sk->sk_security; 4797 struct sk_security_struct *newsksec = newsk->sk_security; 4798 4799 newsksec->sid = sksec->sid; 4800 newsksec->peer_sid = sksec->peer_sid; 4801 newsksec->sclass = sksec->sclass; 4802 4803 selinux_netlbl_sk_security_reset(newsksec); 4804 } 4805 4806 static void selinux_sk_getsecid(struct sock *sk, u32 *secid) 4807 { 4808 if (!sk) 4809 *secid = SECINITSID_ANY_SOCKET; 4810 else { 4811 struct sk_security_struct *sksec = sk->sk_security; 4812 4813 *secid = sksec->sid; 4814 } 4815 } 4816 4817 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4818 { 4819 struct inode_security_struct *isec = 4820 inode_security_novalidate(SOCK_INODE(parent)); 4821 struct sk_security_struct *sksec = sk->sk_security; 4822 4823 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || 4824 sk->sk_family == PF_UNIX) 4825 isec->sid = sksec->sid; 4826 sksec->sclass = isec->sclass; 4827 } 4828 4829 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4830 struct request_sock *req) 4831 { 4832 struct sk_security_struct *sksec = sk->sk_security; 4833 int err; 4834 u16 family = req->rsk_ops->family; 4835 u32 connsid; 4836 u32 peersid; 4837 4838 err = selinux_skb_peerlbl_sid(skb, family, &peersid); 4839 if (err) 4840 return err; 4841 err = selinux_conn_sid(sksec->sid, peersid, &connsid); 4842 if (err) 4843 return err; 4844 req->secid = connsid; 4845 req->peer_secid = peersid; 4846 4847 return selinux_netlbl_inet_conn_request(req, family); 4848 } 4849 4850 static void selinux_inet_csk_clone(struct sock *newsk, 4851 const struct request_sock *req) 4852 { 4853 struct sk_security_struct *newsksec = newsk->sk_security; 4854 4855 newsksec->sid = req->secid; 4856 newsksec->peer_sid = req->peer_secid; 4857 /* NOTE: Ideally, we should also get the isec->sid for the 4858 new socket in sync, but we don't have the isec available yet. 4859 So we will wait until sock_graft to do it, by which 4860 time it will have been created and available. */ 4861 4862 /* We don't need to take any sort of lock here as we are the only 4863 * thread with access to newsksec */ 4864 selinux_netlbl_inet_csk_clone(newsk, req->rsk_ops->family); 4865 } 4866 4867 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) 4868 { 4869 u16 family = sk->sk_family; 4870 struct sk_security_struct *sksec = sk->sk_security; 4871 4872 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 4873 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4874 family = PF_INET; 4875 4876 selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid); 4877 } 4878 4879 static int selinux_secmark_relabel_packet(u32 sid) 4880 { 4881 const struct task_security_struct *__tsec; 4882 u32 tsid; 4883 4884 __tsec = current_security(); 4885 tsid = __tsec->sid; 4886 4887 return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); 4888 } 4889 4890 static void selinux_secmark_refcount_inc(void) 4891 { 4892 atomic_inc(&selinux_secmark_refcount); 4893 } 4894 4895 static void selinux_secmark_refcount_dec(void) 4896 { 4897 atomic_dec(&selinux_secmark_refcount); 4898 } 4899 4900 static void selinux_req_classify_flow(const struct request_sock *req, 4901 struct flowi *fl) 4902 { 4903 fl->flowi_secid = req->secid; 4904 } 4905 4906 static int selinux_tun_dev_alloc_security(void **security) 4907 { 4908 struct tun_security_struct *tunsec; 4909 4910 tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); 4911 if (!tunsec) 4912 return -ENOMEM; 4913 tunsec->sid = current_sid(); 4914 4915 *security = tunsec; 4916 return 0; 4917 } 4918 4919 static void selinux_tun_dev_free_security(void *security) 4920 { 4921 kfree(security); 4922 } 4923 4924 static int selinux_tun_dev_create(void) 4925 { 4926 u32 sid = current_sid(); 4927 4928 /* we aren't taking into account the "sockcreate" SID since the socket 4929 * that is being created here is not a socket in the traditional sense, 4930 * instead it is a private sock, accessible only to the kernel, and 4931 * representing a wide range of network traffic spanning multiple 4932 * connections unlike traditional sockets - check the TUN driver to 4933 * get a better understanding of why this socket is special */ 4934 4935 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE, 4936 NULL); 4937 } 4938 4939 static int selinux_tun_dev_attach_queue(void *security) 4940 { 4941 struct tun_security_struct *tunsec = security; 4942 4943 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, 4944 TUN_SOCKET__ATTACH_QUEUE, NULL); 4945 } 4946 4947 static int selinux_tun_dev_attach(struct sock *sk, void *security) 4948 { 4949 struct tun_security_struct *tunsec = security; 4950 struct sk_security_struct *sksec = sk->sk_security; 4951 4952 /* we don't currently perform any NetLabel based labeling here and it 4953 * isn't clear that we would want to do so anyway; while we could apply 4954 * labeling without the support of the TUN user the resulting labeled 4955 * traffic from the other end of the connection would almost certainly 4956 * cause confusion to the TUN user that had no idea network labeling 4957 * protocols were being used */ 4958 4959 sksec->sid = tunsec->sid; 4960 sksec->sclass = SECCLASS_TUN_SOCKET; 4961 4962 return 0; 4963 } 4964 4965 static int selinux_tun_dev_open(void *security) 4966 { 4967 struct tun_security_struct *tunsec = security; 4968 u32 sid = current_sid(); 4969 int err; 4970 4971 err = avc_has_perm(sid, tunsec->sid, SECCLASS_TUN_SOCKET, 4972 TUN_SOCKET__RELABELFROM, NULL); 4973 if (err) 4974 return err; 4975 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, 4976 TUN_SOCKET__RELABELTO, NULL); 4977 if (err) 4978 return err; 4979 tunsec->sid = sid; 4980 4981 return 0; 4982 } 4983 4984 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 4985 { 4986 int err = 0; 4987 u32 perm; 4988 struct nlmsghdr *nlh; 4989 struct sk_security_struct *sksec = sk->sk_security; 4990 4991 if (skb->len < NLMSG_HDRLEN) { 4992 err = -EINVAL; 4993 goto out; 4994 } 4995 nlh = nlmsg_hdr(skb); 4996 4997 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 4998 if (err) { 4999 if (err == -EINVAL) { 5000 pr_warn_ratelimited("SELinux: unrecognized netlink" 5001 " message: protocol=%hu nlmsg_type=%hu sclass=%s" 5002 " pig=%d comm=%s\n", 5003 sk->sk_protocol, nlh->nlmsg_type, 5004 secclass_map[sksec->sclass - 1].name, 5005 task_pid_nr(current), current->comm); 5006 if (!selinux_enforcing || security_get_allow_unknown()) 5007 err = 0; 5008 } 5009 5010 /* Ignore */ 5011 if (err == -ENOENT) 5012 err = 0; 5013 goto out; 5014 } 5015 5016 err = sock_has_perm(current, sk, perm); 5017 out: 5018 return err; 5019 } 5020 5021 #ifdef CONFIG_NETFILTER 5022 5023 static unsigned int selinux_ip_forward(struct sk_buff *skb, 5024 const struct net_device *indev, 5025 u16 family) 5026 { 5027 int err; 5028 char *addrp; 5029 u32 peer_sid; 5030 struct common_audit_data ad; 5031 struct lsm_network_audit net = {0,}; 5032 u8 secmark_active; 5033 u8 netlbl_active; 5034 u8 peerlbl_active; 5035 5036 if (!selinux_policycap_netpeer) 5037 return NF_ACCEPT; 5038 5039 secmark_active = selinux_secmark_enabled(); 5040 netlbl_active = netlbl_enabled(); 5041 peerlbl_active = selinux_peerlbl_enabled(); 5042 if (!secmark_active && !peerlbl_active) 5043 return NF_ACCEPT; 5044 5045 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5046 return NF_DROP; 5047 5048 ad.type = LSM_AUDIT_DATA_NET; 5049 ad.u.net = &net; 5050 ad.u.net->netif = indev->ifindex; 5051 ad.u.net->family = family; 5052 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5053 return NF_DROP; 5054 5055 if (peerlbl_active) { 5056 err = selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5057 addrp, family, peer_sid, &ad); 5058 if (err) { 5059 selinux_netlbl_err(skb, family, err, 1); 5060 return NF_DROP; 5061 } 5062 } 5063 5064 if (secmark_active) 5065 if (avc_has_perm(peer_sid, skb->secmark, 5066 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5067 return NF_DROP; 5068 5069 if (netlbl_active) 5070 /* we do this in the FORWARD path and not the POST_ROUTING 5071 * path because we want to make sure we apply the necessary 5072 * labeling before IPsec is applied so we can leverage AH 5073 * protection */ 5074 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5075 return NF_DROP; 5076 5077 return NF_ACCEPT; 5078 } 5079 5080 static unsigned int selinux_ipv4_forward(void *priv, 5081 struct sk_buff *skb, 5082 const struct nf_hook_state *state) 5083 { 5084 return selinux_ip_forward(skb, state->in, PF_INET); 5085 } 5086 5087 #if IS_ENABLED(CONFIG_IPV6) 5088 static unsigned int selinux_ipv6_forward(void *priv, 5089 struct sk_buff *skb, 5090 const struct nf_hook_state *state) 5091 { 5092 return selinux_ip_forward(skb, state->in, PF_INET6); 5093 } 5094 #endif /* IPV6 */ 5095 5096 static unsigned int selinux_ip_output(struct sk_buff *skb, 5097 u16 family) 5098 { 5099 struct sock *sk; 5100 u32 sid; 5101 5102 if (!netlbl_enabled()) 5103 return NF_ACCEPT; 5104 5105 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5106 * because we want to make sure we apply the necessary labeling 5107 * before IPsec is applied so we can leverage AH protection */ 5108 sk = skb->sk; 5109 if (sk) { 5110 struct sk_security_struct *sksec; 5111 5112 if (sk_listener(sk)) 5113 /* if the socket is the listening state then this 5114 * packet is a SYN-ACK packet which means it needs to 5115 * be labeled based on the connection/request_sock and 5116 * not the parent socket. unfortunately, we can't 5117 * lookup the request_sock yet as it isn't queued on 5118 * the parent socket until after the SYN-ACK is sent. 5119 * the "solution" is to simply pass the packet as-is 5120 * as any IP option based labeling should be copied 5121 * from the initial connection request (in the IP 5122 * layer). it is far from ideal, but until we get a 5123 * security label in the packet itself this is the 5124 * best we can do. */ 5125 return NF_ACCEPT; 5126 5127 /* standard practice, label using the parent socket */ 5128 sksec = sk->sk_security; 5129 sid = sksec->sid; 5130 } else 5131 sid = SECINITSID_KERNEL; 5132 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5133 return NF_DROP; 5134 5135 return NF_ACCEPT; 5136 } 5137 5138 static unsigned int selinux_ipv4_output(void *priv, 5139 struct sk_buff *skb, 5140 const struct nf_hook_state *state) 5141 { 5142 return selinux_ip_output(skb, PF_INET); 5143 } 5144 5145 #if IS_ENABLED(CONFIG_IPV6) 5146 static unsigned int selinux_ipv6_output(void *priv, 5147 struct sk_buff *skb, 5148 const struct nf_hook_state *state) 5149 { 5150 return selinux_ip_output(skb, PF_INET6); 5151 } 5152 #endif /* IPV6 */ 5153 5154 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5155 int ifindex, 5156 u16 family) 5157 { 5158 struct sock *sk = skb_to_full_sk(skb); 5159 struct sk_security_struct *sksec; 5160 struct common_audit_data ad; 5161 struct lsm_network_audit net = {0,}; 5162 char *addrp; 5163 u8 proto; 5164 5165 if (sk == NULL) 5166 return NF_ACCEPT; 5167 sksec = sk->sk_security; 5168 5169 ad.type = LSM_AUDIT_DATA_NET; 5170 ad.u.net = &net; 5171 ad.u.net->netif = ifindex; 5172 ad.u.net->family = family; 5173 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5174 return NF_DROP; 5175 5176 if (selinux_secmark_enabled()) 5177 if (avc_has_perm(sksec->sid, skb->secmark, 5178 SECCLASS_PACKET, PACKET__SEND, &ad)) 5179 return NF_DROP_ERR(-ECONNREFUSED); 5180 5181 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5182 return NF_DROP_ERR(-ECONNREFUSED); 5183 5184 return NF_ACCEPT; 5185 } 5186 5187 static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5188 const struct net_device *outdev, 5189 u16 family) 5190 { 5191 u32 secmark_perm; 5192 u32 peer_sid; 5193 int ifindex = outdev->ifindex; 5194 struct sock *sk; 5195 struct common_audit_data ad; 5196 struct lsm_network_audit net = {0,}; 5197 char *addrp; 5198 u8 secmark_active; 5199 u8 peerlbl_active; 5200 5201 /* If any sort of compatibility mode is enabled then handoff processing 5202 * to the selinux_ip_postroute_compat() function to deal with the 5203 * special handling. We do this in an attempt to keep this function 5204 * as fast and as clean as possible. */ 5205 if (!selinux_policycap_netpeer) 5206 return selinux_ip_postroute_compat(skb, ifindex, family); 5207 5208 secmark_active = selinux_secmark_enabled(); 5209 peerlbl_active = selinux_peerlbl_enabled(); 5210 if (!secmark_active && !peerlbl_active) 5211 return NF_ACCEPT; 5212 5213 sk = skb_to_full_sk(skb); 5214 5215 #ifdef CONFIG_XFRM 5216 /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec 5217 * packet transformation so allow the packet to pass without any checks 5218 * since we'll have another chance to perform access control checks 5219 * when the packet is on it's final way out. 5220 * NOTE: there appear to be some IPv6 multicast cases where skb->dst 5221 * is NULL, in this case go ahead and apply access control. 5222 * NOTE: if this is a local socket (skb->sk != NULL) that is in the 5223 * TCP listening state we cannot wait until the XFRM processing 5224 * is done as we will miss out on the SA label if we do; 5225 * unfortunately, this means more work, but it is only once per 5226 * connection. */ 5227 if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && 5228 !(sk && sk_listener(sk))) 5229 return NF_ACCEPT; 5230 #endif 5231 5232 if (sk == NULL) { 5233 /* Without an associated socket the packet is either coming 5234 * from the kernel or it is being forwarded; check the packet 5235 * to determine which and if the packet is being forwarded 5236 * query the packet directly to determine the security label. */ 5237 if (skb->skb_iif) { 5238 secmark_perm = PACKET__FORWARD_OUT; 5239 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid)) 5240 return NF_DROP; 5241 } else { 5242 secmark_perm = PACKET__SEND; 5243 peer_sid = SECINITSID_KERNEL; 5244 } 5245 } else if (sk_listener(sk)) { 5246 /* Locally generated packet but the associated socket is in the 5247 * listening state which means this is a SYN-ACK packet. In 5248 * this particular case the correct security label is assigned 5249 * to the connection/request_sock but unfortunately we can't 5250 * query the request_sock as it isn't queued on the parent 5251 * socket until after the SYN-ACK packet is sent; the only 5252 * viable choice is to regenerate the label like we do in 5253 * selinux_inet_conn_request(). See also selinux_ip_output() 5254 * for similar problems. */ 5255 u32 skb_sid; 5256 struct sk_security_struct *sksec; 5257 5258 sksec = sk->sk_security; 5259 if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) 5260 return NF_DROP; 5261 /* At this point, if the returned skb peerlbl is SECSID_NULL 5262 * and the packet has been through at least one XFRM 5263 * transformation then we must be dealing with the "final" 5264 * form of labeled IPsec packet; since we've already applied 5265 * all of our access controls on this packet we can safely 5266 * pass the packet. */ 5267 if (skb_sid == SECSID_NULL) { 5268 switch (family) { 5269 case PF_INET: 5270 if (IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) 5271 return NF_ACCEPT; 5272 break; 5273 case PF_INET6: 5274 if (IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) 5275 return NF_ACCEPT; 5276 break; 5277 default: 5278 return NF_DROP_ERR(-ECONNREFUSED); 5279 } 5280 } 5281 if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid)) 5282 return NF_DROP; 5283 secmark_perm = PACKET__SEND; 5284 } else { 5285 /* Locally generated packet, fetch the security label from the 5286 * associated socket. */ 5287 struct sk_security_struct *sksec = sk->sk_security; 5288 peer_sid = sksec->sid; 5289 secmark_perm = PACKET__SEND; 5290 } 5291 5292 ad.type = LSM_AUDIT_DATA_NET; 5293 ad.u.net = &net; 5294 ad.u.net->netif = ifindex; 5295 ad.u.net->family = family; 5296 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 5297 return NF_DROP; 5298 5299 if (secmark_active) 5300 if (avc_has_perm(peer_sid, skb->secmark, 5301 SECCLASS_PACKET, secmark_perm, &ad)) 5302 return NF_DROP_ERR(-ECONNREFUSED); 5303 5304 if (peerlbl_active) { 5305 u32 if_sid; 5306 u32 node_sid; 5307 5308 if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5309 return NF_DROP; 5310 if (avc_has_perm(peer_sid, if_sid, 5311 SECCLASS_NETIF, NETIF__EGRESS, &ad)) 5312 return NF_DROP_ERR(-ECONNREFUSED); 5313 5314 if (sel_netnode_sid(addrp, family, &node_sid)) 5315 return NF_DROP; 5316 if (avc_has_perm(peer_sid, node_sid, 5317 SECCLASS_NODE, NODE__SENDTO, &ad)) 5318 return NF_DROP_ERR(-ECONNREFUSED); 5319 } 5320 5321 return NF_ACCEPT; 5322 } 5323 5324 static unsigned int selinux_ipv4_postroute(void *priv, 5325 struct sk_buff *skb, 5326 const struct nf_hook_state *state) 5327 { 5328 return selinux_ip_postroute(skb, state->out, PF_INET); 5329 } 5330 5331 #if IS_ENABLED(CONFIG_IPV6) 5332 static unsigned int selinux_ipv6_postroute(void *priv, 5333 struct sk_buff *skb, 5334 const struct nf_hook_state *state) 5335 { 5336 return selinux_ip_postroute(skb, state->out, PF_INET6); 5337 } 5338 #endif /* IPV6 */ 5339 5340 #endif /* CONFIG_NETFILTER */ 5341 5342 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5343 { 5344 return selinux_nlmsg_perm(sk, skb); 5345 } 5346 5347 static int ipc_alloc_security(struct task_struct *task, 5348 struct kern_ipc_perm *perm, 5349 u16 sclass) 5350 { 5351 struct ipc_security_struct *isec; 5352 u32 sid; 5353 5354 isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL); 5355 if (!isec) 5356 return -ENOMEM; 5357 5358 sid = task_sid(task); 5359 isec->sclass = sclass; 5360 isec->sid = sid; 5361 perm->security = isec; 5362 5363 return 0; 5364 } 5365 5366 static void ipc_free_security(struct kern_ipc_perm *perm) 5367 { 5368 struct ipc_security_struct *isec = perm->security; 5369 perm->security = NULL; 5370 kfree(isec); 5371 } 5372 5373 static int msg_msg_alloc_security(struct msg_msg *msg) 5374 { 5375 struct msg_security_struct *msec; 5376 5377 msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL); 5378 if (!msec) 5379 return -ENOMEM; 5380 5381 msec->sid = SECINITSID_UNLABELED; 5382 msg->security = msec; 5383 5384 return 0; 5385 } 5386 5387 static void msg_msg_free_security(struct msg_msg *msg) 5388 { 5389 struct msg_security_struct *msec = msg->security; 5390 5391 msg->security = NULL; 5392 kfree(msec); 5393 } 5394 5395 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, 5396 u32 perms) 5397 { 5398 struct ipc_security_struct *isec; 5399 struct common_audit_data ad; 5400 u32 sid = current_sid(); 5401 5402 isec = ipc_perms->security; 5403 5404 ad.type = LSM_AUDIT_DATA_IPC; 5405 ad.u.ipc_id = ipc_perms->key; 5406 5407 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 5408 } 5409 5410 static int selinux_msg_msg_alloc_security(struct msg_msg *msg) 5411 { 5412 return msg_msg_alloc_security(msg); 5413 } 5414 5415 static void selinux_msg_msg_free_security(struct msg_msg *msg) 5416 { 5417 msg_msg_free_security(msg); 5418 } 5419 5420 /* message queue security operations */ 5421 static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 5422 { 5423 struct ipc_security_struct *isec; 5424 struct common_audit_data ad; 5425 u32 sid = current_sid(); 5426 int rc; 5427 5428 rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ); 5429 if (rc) 5430 return rc; 5431 5432 isec = msq->q_perm.security; 5433 5434 ad.type = LSM_AUDIT_DATA_IPC; 5435 ad.u.ipc_id = msq->q_perm.key; 5436 5437 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5438 MSGQ__CREATE, &ad); 5439 if (rc) { 5440 ipc_free_security(&msq->q_perm); 5441 return rc; 5442 } 5443 return 0; 5444 } 5445 5446 static void selinux_msg_queue_free_security(struct msg_queue *msq) 5447 { 5448 ipc_free_security(&msq->q_perm); 5449 } 5450 5451 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 5452 { 5453 struct ipc_security_struct *isec; 5454 struct common_audit_data ad; 5455 u32 sid = current_sid(); 5456 5457 isec = msq->q_perm.security; 5458 5459 ad.type = LSM_AUDIT_DATA_IPC; 5460 ad.u.ipc_id = msq->q_perm.key; 5461 5462 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5463 MSGQ__ASSOCIATE, &ad); 5464 } 5465 5466 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd) 5467 { 5468 int err; 5469 int perms; 5470 5471 switch (cmd) { 5472 case IPC_INFO: 5473 case MSG_INFO: 5474 /* No specific object, just general system-wide information. */ 5475 return task_has_system(current, SYSTEM__IPC_INFO); 5476 case IPC_STAT: 5477 case MSG_STAT: 5478 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE; 5479 break; 5480 case IPC_SET: 5481 perms = MSGQ__SETATTR; 5482 break; 5483 case IPC_RMID: 5484 perms = MSGQ__DESTROY; 5485 break; 5486 default: 5487 return 0; 5488 } 5489 5490 err = ipc_has_perm(&msq->q_perm, perms); 5491 return err; 5492 } 5493 5494 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg) 5495 { 5496 struct ipc_security_struct *isec; 5497 struct msg_security_struct *msec; 5498 struct common_audit_data ad; 5499 u32 sid = current_sid(); 5500 int rc; 5501 5502 isec = msq->q_perm.security; 5503 msec = msg->security; 5504 5505 /* 5506 * First time through, need to assign label to the message 5507 */ 5508 if (msec->sid == SECINITSID_UNLABELED) { 5509 /* 5510 * Compute new sid based on current process and 5511 * message queue this message will be stored in 5512 */ 5513 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG, 5514 NULL, &msec->sid); 5515 if (rc) 5516 return rc; 5517 } 5518 5519 ad.type = LSM_AUDIT_DATA_IPC; 5520 ad.u.ipc_id = msq->q_perm.key; 5521 5522 /* Can this process write to the queue? */ 5523 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 5524 MSGQ__WRITE, &ad); 5525 if (!rc) 5526 /* Can this process send the message */ 5527 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG, 5528 MSG__SEND, &ad); 5529 if (!rc) 5530 /* Can the message be put in the queue? */ 5531 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ, 5532 MSGQ__ENQUEUE, &ad); 5533 5534 return rc; 5535 } 5536 5537 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 5538 struct task_struct *target, 5539 long type, int mode) 5540 { 5541 struct ipc_security_struct *isec; 5542 struct msg_security_struct *msec; 5543 struct common_audit_data ad; 5544 u32 sid = task_sid(target); 5545 int rc; 5546 5547 isec = msq->q_perm.security; 5548 msec = msg->security; 5549 5550 ad.type = LSM_AUDIT_DATA_IPC; 5551 ad.u.ipc_id = msq->q_perm.key; 5552 5553 rc = avc_has_perm(sid, isec->sid, 5554 SECCLASS_MSGQ, MSGQ__READ, &ad); 5555 if (!rc) 5556 rc = avc_has_perm(sid, msec->sid, 5557 SECCLASS_MSG, MSG__RECEIVE, &ad); 5558 return rc; 5559 } 5560 5561 /* Shared Memory security operations */ 5562 static int selinux_shm_alloc_security(struct shmid_kernel *shp) 5563 { 5564 struct ipc_security_struct *isec; 5565 struct common_audit_data ad; 5566 u32 sid = current_sid(); 5567 int rc; 5568 5569 rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM); 5570 if (rc) 5571 return rc; 5572 5573 isec = shp->shm_perm.security; 5574 5575 ad.type = LSM_AUDIT_DATA_IPC; 5576 ad.u.ipc_id = shp->shm_perm.key; 5577 5578 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5579 SHM__CREATE, &ad); 5580 if (rc) { 5581 ipc_free_security(&shp->shm_perm); 5582 return rc; 5583 } 5584 return 0; 5585 } 5586 5587 static void selinux_shm_free_security(struct shmid_kernel *shp) 5588 { 5589 ipc_free_security(&shp->shm_perm); 5590 } 5591 5592 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 5593 { 5594 struct ipc_security_struct *isec; 5595 struct common_audit_data ad; 5596 u32 sid = current_sid(); 5597 5598 isec = shp->shm_perm.security; 5599 5600 ad.type = LSM_AUDIT_DATA_IPC; 5601 ad.u.ipc_id = shp->shm_perm.key; 5602 5603 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5604 SHM__ASSOCIATE, &ad); 5605 } 5606 5607 /* Note, at this point, shp is locked down */ 5608 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) 5609 { 5610 int perms; 5611 int err; 5612 5613 switch (cmd) { 5614 case IPC_INFO: 5615 case SHM_INFO: 5616 /* No specific object, just general system-wide information. */ 5617 return task_has_system(current, SYSTEM__IPC_INFO); 5618 case IPC_STAT: 5619 case SHM_STAT: 5620 perms = SHM__GETATTR | SHM__ASSOCIATE; 5621 break; 5622 case IPC_SET: 5623 perms = SHM__SETATTR; 5624 break; 5625 case SHM_LOCK: 5626 case SHM_UNLOCK: 5627 perms = SHM__LOCK; 5628 break; 5629 case IPC_RMID: 5630 perms = SHM__DESTROY; 5631 break; 5632 default: 5633 return 0; 5634 } 5635 5636 err = ipc_has_perm(&shp->shm_perm, perms); 5637 return err; 5638 } 5639 5640 static int selinux_shm_shmat(struct shmid_kernel *shp, 5641 char __user *shmaddr, int shmflg) 5642 { 5643 u32 perms; 5644 5645 if (shmflg & SHM_RDONLY) 5646 perms = SHM__READ; 5647 else 5648 perms = SHM__READ | SHM__WRITE; 5649 5650 return ipc_has_perm(&shp->shm_perm, perms); 5651 } 5652 5653 /* Semaphore security operations */ 5654 static int selinux_sem_alloc_security(struct sem_array *sma) 5655 { 5656 struct ipc_security_struct *isec; 5657 struct common_audit_data ad; 5658 u32 sid = current_sid(); 5659 int rc; 5660 5661 rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM); 5662 if (rc) 5663 return rc; 5664 5665 isec = sma->sem_perm.security; 5666 5667 ad.type = LSM_AUDIT_DATA_IPC; 5668 ad.u.ipc_id = sma->sem_perm.key; 5669 5670 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5671 SEM__CREATE, &ad); 5672 if (rc) { 5673 ipc_free_security(&sma->sem_perm); 5674 return rc; 5675 } 5676 return 0; 5677 } 5678 5679 static void selinux_sem_free_security(struct sem_array *sma) 5680 { 5681 ipc_free_security(&sma->sem_perm); 5682 } 5683 5684 static int selinux_sem_associate(struct sem_array *sma, int semflg) 5685 { 5686 struct ipc_security_struct *isec; 5687 struct common_audit_data ad; 5688 u32 sid = current_sid(); 5689 5690 isec = sma->sem_perm.security; 5691 5692 ad.type = LSM_AUDIT_DATA_IPC; 5693 ad.u.ipc_id = sma->sem_perm.key; 5694 5695 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5696 SEM__ASSOCIATE, &ad); 5697 } 5698 5699 /* Note, at this point, sma is locked down */ 5700 static int selinux_sem_semctl(struct sem_array *sma, int cmd) 5701 { 5702 int err; 5703 u32 perms; 5704 5705 switch (cmd) { 5706 case IPC_INFO: 5707 case SEM_INFO: 5708 /* No specific object, just general system-wide information. */ 5709 return task_has_system(current, SYSTEM__IPC_INFO); 5710 case GETPID: 5711 case GETNCNT: 5712 case GETZCNT: 5713 perms = SEM__GETATTR; 5714 break; 5715 case GETVAL: 5716 case GETALL: 5717 perms = SEM__READ; 5718 break; 5719 case SETVAL: 5720 case SETALL: 5721 perms = SEM__WRITE; 5722 break; 5723 case IPC_RMID: 5724 perms = SEM__DESTROY; 5725 break; 5726 case IPC_SET: 5727 perms = SEM__SETATTR; 5728 break; 5729 case IPC_STAT: 5730 case SEM_STAT: 5731 perms = SEM__GETATTR | SEM__ASSOCIATE; 5732 break; 5733 default: 5734 return 0; 5735 } 5736 5737 err = ipc_has_perm(&sma->sem_perm, perms); 5738 return err; 5739 } 5740 5741 static int selinux_sem_semop(struct sem_array *sma, 5742 struct sembuf *sops, unsigned nsops, int alter) 5743 { 5744 u32 perms; 5745 5746 if (alter) 5747 perms = SEM__READ | SEM__WRITE; 5748 else 5749 perms = SEM__READ; 5750 5751 return ipc_has_perm(&sma->sem_perm, perms); 5752 } 5753 5754 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 5755 { 5756 u32 av = 0; 5757 5758 av = 0; 5759 if (flag & S_IRUGO) 5760 av |= IPC__UNIX_READ; 5761 if (flag & S_IWUGO) 5762 av |= IPC__UNIX_WRITE; 5763 5764 if (av == 0) 5765 return 0; 5766 5767 return ipc_has_perm(ipcp, av); 5768 } 5769 5770 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 5771 { 5772 struct ipc_security_struct *isec = ipcp->security; 5773 *secid = isec->sid; 5774 } 5775 5776 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) 5777 { 5778 if (inode) 5779 inode_doinit_with_dentry(inode, dentry); 5780 } 5781 5782 static int selinux_getprocattr(struct task_struct *p, 5783 char *name, char **value) 5784 { 5785 const struct task_security_struct *__tsec; 5786 u32 sid; 5787 int error; 5788 unsigned len; 5789 5790 if (current != p) { 5791 error = current_has_perm(p, PROCESS__GETATTR); 5792 if (error) 5793 return error; 5794 } 5795 5796 rcu_read_lock(); 5797 __tsec = __task_cred(p)->security; 5798 5799 if (!strcmp(name, "current")) 5800 sid = __tsec->sid; 5801 else if (!strcmp(name, "prev")) 5802 sid = __tsec->osid; 5803 else if (!strcmp(name, "exec")) 5804 sid = __tsec->exec_sid; 5805 else if (!strcmp(name, "fscreate")) 5806 sid = __tsec->create_sid; 5807 else if (!strcmp(name, "keycreate")) 5808 sid = __tsec->keycreate_sid; 5809 else if (!strcmp(name, "sockcreate")) 5810 sid = __tsec->sockcreate_sid; 5811 else 5812 goto invalid; 5813 rcu_read_unlock(); 5814 5815 if (!sid) 5816 return 0; 5817 5818 error = security_sid_to_context(sid, value, &len); 5819 if (error) 5820 return error; 5821 return len; 5822 5823 invalid: 5824 rcu_read_unlock(); 5825 return -EINVAL; 5826 } 5827 5828 static int selinux_setprocattr(struct task_struct *p, 5829 char *name, void *value, size_t size) 5830 { 5831 struct task_security_struct *tsec; 5832 struct cred *new; 5833 u32 sid = 0, ptsid; 5834 int error; 5835 char *str = value; 5836 5837 if (current != p) { 5838 /* SELinux only allows a process to change its own 5839 security attributes. */ 5840 return -EACCES; 5841 } 5842 5843 /* 5844 * Basic control over ability to set these attributes at all. 5845 * current == p, but we'll pass them separately in case the 5846 * above restriction is ever removed. 5847 */ 5848 if (!strcmp(name, "exec")) 5849 error = current_has_perm(p, PROCESS__SETEXEC); 5850 else if (!strcmp(name, "fscreate")) 5851 error = current_has_perm(p, PROCESS__SETFSCREATE); 5852 else if (!strcmp(name, "keycreate")) 5853 error = current_has_perm(p, PROCESS__SETKEYCREATE); 5854 else if (!strcmp(name, "sockcreate")) 5855 error = current_has_perm(p, PROCESS__SETSOCKCREATE); 5856 else if (!strcmp(name, "current")) 5857 error = current_has_perm(p, PROCESS__SETCURRENT); 5858 else 5859 error = -EINVAL; 5860 if (error) 5861 return error; 5862 5863 /* Obtain a SID for the context, if one was specified. */ 5864 if (size && str[1] && str[1] != '\n') { 5865 if (str[size-1] == '\n') { 5866 str[size-1] = 0; 5867 size--; 5868 } 5869 error = security_context_to_sid(value, size, &sid, GFP_KERNEL); 5870 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5871 if (!capable(CAP_MAC_ADMIN)) { 5872 struct audit_buffer *ab; 5873 size_t audit_size; 5874 5875 /* We strip a nul only if it is at the end, otherwise the 5876 * context contains a nul and we should audit that */ 5877 if (str[size - 1] == '\0') 5878 audit_size = size - 1; 5879 else 5880 audit_size = size; 5881 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR); 5882 audit_log_format(ab, "op=fscreate invalid_context="); 5883 audit_log_n_untrustedstring(ab, value, audit_size); 5884 audit_log_end(ab); 5885 5886 return error; 5887 } 5888 error = security_context_to_sid_force(value, size, 5889 &sid); 5890 } 5891 if (error) 5892 return error; 5893 } 5894 5895 new = prepare_creds(); 5896 if (!new) 5897 return -ENOMEM; 5898 5899 /* Permission checking based on the specified context is 5900 performed during the actual operation (execve, 5901 open/mkdir/...), when we know the full context of the 5902 operation. See selinux_bprm_set_creds for the execve 5903 checks and may_create for the file creation checks. The 5904 operation will then fail if the context is not permitted. */ 5905 tsec = new->security; 5906 if (!strcmp(name, "exec")) { 5907 tsec->exec_sid = sid; 5908 } else if (!strcmp(name, "fscreate")) { 5909 tsec->create_sid = sid; 5910 } else if (!strcmp(name, "keycreate")) { 5911 error = may_create_key(sid, p); 5912 if (error) 5913 goto abort_change; 5914 tsec->keycreate_sid = sid; 5915 } else if (!strcmp(name, "sockcreate")) { 5916 tsec->sockcreate_sid = sid; 5917 } else if (!strcmp(name, "current")) { 5918 error = -EINVAL; 5919 if (sid == 0) 5920 goto abort_change; 5921 5922 /* Only allow single threaded processes to change context */ 5923 error = -EPERM; 5924 if (!current_is_single_threaded()) { 5925 error = security_bounded_transition(tsec->sid, sid); 5926 if (error) 5927 goto abort_change; 5928 } 5929 5930 /* Check permissions for the transition. */ 5931 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, 5932 PROCESS__DYNTRANSITION, NULL); 5933 if (error) 5934 goto abort_change; 5935 5936 /* Check for ptracing, and update the task SID if ok. 5937 Otherwise, leave SID unchanged and fail. */ 5938 ptsid = ptrace_parent_sid(p); 5939 if (ptsid != 0) { 5940 error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS, 5941 PROCESS__PTRACE, NULL); 5942 if (error) 5943 goto abort_change; 5944 } 5945 5946 tsec->sid = sid; 5947 } else { 5948 error = -EINVAL; 5949 goto abort_change; 5950 } 5951 5952 commit_creds(new); 5953 return size; 5954 5955 abort_change: 5956 abort_creds(new); 5957 return error; 5958 } 5959 5960 static int selinux_ismaclabel(const char *name) 5961 { 5962 return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); 5963 } 5964 5965 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 5966 { 5967 return security_sid_to_context(secid, secdata, seclen); 5968 } 5969 5970 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 5971 { 5972 return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL); 5973 } 5974 5975 static void selinux_release_secctx(char *secdata, u32 seclen) 5976 { 5977 kfree(secdata); 5978 } 5979 5980 static void selinux_inode_invalidate_secctx(struct inode *inode) 5981 { 5982 struct inode_security_struct *isec = inode->i_security; 5983 5984 mutex_lock(&isec->lock); 5985 isec->initialized = LABEL_INVALID; 5986 mutex_unlock(&isec->lock); 5987 } 5988 5989 /* 5990 * called with inode->i_mutex locked 5991 */ 5992 static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 5993 { 5994 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); 5995 } 5996 5997 /* 5998 * called with inode->i_mutex locked 5999 */ 6000 static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 6001 { 6002 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); 6003 } 6004 6005 static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 6006 { 6007 int len = 0; 6008 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX, 6009 ctx, true); 6010 if (len < 0) 6011 return len; 6012 *ctxlen = len; 6013 return 0; 6014 } 6015 #ifdef CONFIG_KEYS 6016 6017 static int selinux_key_alloc(struct key *k, const struct cred *cred, 6018 unsigned long flags) 6019 { 6020 const struct task_security_struct *tsec; 6021 struct key_security_struct *ksec; 6022 6023 ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); 6024 if (!ksec) 6025 return -ENOMEM; 6026 6027 tsec = cred->security; 6028 if (tsec->keycreate_sid) 6029 ksec->sid = tsec->keycreate_sid; 6030 else 6031 ksec->sid = tsec->sid; 6032 6033 k->security = ksec; 6034 return 0; 6035 } 6036 6037 static void selinux_key_free(struct key *k) 6038 { 6039 struct key_security_struct *ksec = k->security; 6040 6041 k->security = NULL; 6042 kfree(ksec); 6043 } 6044 6045 static int selinux_key_permission(key_ref_t key_ref, 6046 const struct cred *cred, 6047 unsigned perm) 6048 { 6049 struct key *key; 6050 struct key_security_struct *ksec; 6051 u32 sid; 6052 6053 /* if no specific permissions are requested, we skip the 6054 permission check. No serious, additional covert channels 6055 appear to be created. */ 6056 if (perm == 0) 6057 return 0; 6058 6059 sid = cred_sid(cred); 6060 6061 key = key_ref_to_ptr(key_ref); 6062 ksec = key->security; 6063 6064 return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); 6065 } 6066 6067 static int selinux_key_getsecurity(struct key *key, char **_buffer) 6068 { 6069 struct key_security_struct *ksec = key->security; 6070 char *context = NULL; 6071 unsigned len; 6072 int rc; 6073 6074 rc = security_sid_to_context(ksec->sid, &context, &len); 6075 if (!rc) 6076 rc = len; 6077 *_buffer = context; 6078 return rc; 6079 } 6080 6081 #endif 6082 6083 static struct security_hook_list selinux_hooks[] = { 6084 LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), 6085 LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 6086 LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), 6087 LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), 6088 6089 LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), 6090 LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), 6091 LSM_HOOK_INIT(capget, selinux_capget), 6092 LSM_HOOK_INIT(capset, selinux_capset), 6093 LSM_HOOK_INIT(capable, selinux_capable), 6094 LSM_HOOK_INIT(quotactl, selinux_quotactl), 6095 LSM_HOOK_INIT(quota_on, selinux_quota_on), 6096 LSM_HOOK_INIT(syslog, selinux_syslog), 6097 LSM_HOOK_INIT(vm_enough_memory, selinux_vm_enough_memory), 6098 6099 LSM_HOOK_INIT(netlink_send, selinux_netlink_send), 6100 6101 LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), 6102 LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), 6103 LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), 6104 LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec), 6105 6106 LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), 6107 LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), 6108 LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data), 6109 LSM_HOOK_INIT(sb_remount, selinux_sb_remount), 6110 LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), 6111 LSM_HOOK_INIT(sb_show_options, selinux_sb_show_options), 6112 LSM_HOOK_INIT(sb_statfs, selinux_sb_statfs), 6113 LSM_HOOK_INIT(sb_mount, selinux_mount), 6114 LSM_HOOK_INIT(sb_umount, selinux_umount), 6115 LSM_HOOK_INIT(sb_set_mnt_opts, selinux_set_mnt_opts), 6116 LSM_HOOK_INIT(sb_clone_mnt_opts, selinux_sb_clone_mnt_opts), 6117 LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), 6118 6119 LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), 6120 LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), 6121 6122 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), 6123 LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), 6124 LSM_HOOK_INIT(inode_init_security, selinux_inode_init_security), 6125 LSM_HOOK_INIT(inode_create, selinux_inode_create), 6126 LSM_HOOK_INIT(inode_link, selinux_inode_link), 6127 LSM_HOOK_INIT(inode_unlink, selinux_inode_unlink), 6128 LSM_HOOK_INIT(inode_symlink, selinux_inode_symlink), 6129 LSM_HOOK_INIT(inode_mkdir, selinux_inode_mkdir), 6130 LSM_HOOK_INIT(inode_rmdir, selinux_inode_rmdir), 6131 LSM_HOOK_INIT(inode_mknod, selinux_inode_mknod), 6132 LSM_HOOK_INIT(inode_rename, selinux_inode_rename), 6133 LSM_HOOK_INIT(inode_readlink, selinux_inode_readlink), 6134 LSM_HOOK_INIT(inode_follow_link, selinux_inode_follow_link), 6135 LSM_HOOK_INIT(inode_permission, selinux_inode_permission), 6136 LSM_HOOK_INIT(inode_setattr, selinux_inode_setattr), 6137 LSM_HOOK_INIT(inode_getattr, selinux_inode_getattr), 6138 LSM_HOOK_INIT(inode_setxattr, selinux_inode_setxattr), 6139 LSM_HOOK_INIT(inode_post_setxattr, selinux_inode_post_setxattr), 6140 LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr), 6141 LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr), 6142 LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr), 6143 LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), 6144 LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), 6145 LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), 6146 LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), 6147 LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), 6148 LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), 6149 6150 LSM_HOOK_INIT(file_permission, selinux_file_permission), 6151 LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), 6152 LSM_HOOK_INIT(file_free_security, selinux_file_free_security), 6153 LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), 6154 LSM_HOOK_INIT(mmap_file, selinux_mmap_file), 6155 LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr), 6156 LSM_HOOK_INIT(file_mprotect, selinux_file_mprotect), 6157 LSM_HOOK_INIT(file_lock, selinux_file_lock), 6158 LSM_HOOK_INIT(file_fcntl, selinux_file_fcntl), 6159 LSM_HOOK_INIT(file_set_fowner, selinux_file_set_fowner), 6160 LSM_HOOK_INIT(file_send_sigiotask, selinux_file_send_sigiotask), 6161 LSM_HOOK_INIT(file_receive, selinux_file_receive), 6162 6163 LSM_HOOK_INIT(file_open, selinux_file_open), 6164 6165 LSM_HOOK_INIT(task_create, selinux_task_create), 6166 LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), 6167 LSM_HOOK_INIT(cred_free, selinux_cred_free), 6168 LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), 6169 LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), 6170 LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), 6171 LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), 6172 LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), 6173 LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), 6174 LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), 6175 LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), 6176 LSM_HOOK_INIT(task_getsid, selinux_task_getsid), 6177 LSM_HOOK_INIT(task_getsecid, selinux_task_getsecid), 6178 LSM_HOOK_INIT(task_setnice, selinux_task_setnice), 6179 LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), 6180 LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), 6181 LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit), 6182 LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler), 6183 LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler), 6184 LSM_HOOK_INIT(task_movememory, selinux_task_movememory), 6185 LSM_HOOK_INIT(task_kill, selinux_task_kill), 6186 LSM_HOOK_INIT(task_wait, selinux_task_wait), 6187 LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), 6188 6189 LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), 6190 LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), 6191 6192 LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security), 6193 LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security), 6194 6195 LSM_HOOK_INIT(msg_queue_alloc_security, 6196 selinux_msg_queue_alloc_security), 6197 LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security), 6198 LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), 6199 LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), 6200 LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd), 6201 LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv), 6202 6203 LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), 6204 LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security), 6205 LSM_HOOK_INIT(shm_associate, selinux_shm_associate), 6206 LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl), 6207 LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat), 6208 6209 LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), 6210 LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security), 6211 LSM_HOOK_INIT(sem_associate, selinux_sem_associate), 6212 LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl), 6213 LSM_HOOK_INIT(sem_semop, selinux_sem_semop), 6214 6215 LSM_HOOK_INIT(d_instantiate, selinux_d_instantiate), 6216 6217 LSM_HOOK_INIT(getprocattr, selinux_getprocattr), 6218 LSM_HOOK_INIT(setprocattr, selinux_setprocattr), 6219 6220 LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel), 6221 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6222 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6223 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 6224 LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 6225 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 6226 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 6227 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), 6228 6229 LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect), 6230 LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send), 6231 6232 LSM_HOOK_INIT(socket_create, selinux_socket_create), 6233 LSM_HOOK_INIT(socket_post_create, selinux_socket_post_create), 6234 LSM_HOOK_INIT(socket_bind, selinux_socket_bind), 6235 LSM_HOOK_INIT(socket_connect, selinux_socket_connect), 6236 LSM_HOOK_INIT(socket_listen, selinux_socket_listen), 6237 LSM_HOOK_INIT(socket_accept, selinux_socket_accept), 6238 LSM_HOOK_INIT(socket_sendmsg, selinux_socket_sendmsg), 6239 LSM_HOOK_INIT(socket_recvmsg, selinux_socket_recvmsg), 6240 LSM_HOOK_INIT(socket_getsockname, selinux_socket_getsockname), 6241 LSM_HOOK_INIT(socket_getpeername, selinux_socket_getpeername), 6242 LSM_HOOK_INIT(socket_getsockopt, selinux_socket_getsockopt), 6243 LSM_HOOK_INIT(socket_setsockopt, selinux_socket_setsockopt), 6244 LSM_HOOK_INIT(socket_shutdown, selinux_socket_shutdown), 6245 LSM_HOOK_INIT(socket_sock_rcv_skb, selinux_socket_sock_rcv_skb), 6246 LSM_HOOK_INIT(socket_getpeersec_stream, 6247 selinux_socket_getpeersec_stream), 6248 LSM_HOOK_INIT(socket_getpeersec_dgram, selinux_socket_getpeersec_dgram), 6249 LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), 6250 LSM_HOOK_INIT(sk_free_security, selinux_sk_free_security), 6251 LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security), 6252 LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid), 6253 LSM_HOOK_INIT(sock_graft, selinux_sock_graft), 6254 LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request), 6255 LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone), 6256 LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established), 6257 LSM_HOOK_INIT(secmark_relabel_packet, selinux_secmark_relabel_packet), 6258 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), 6259 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), 6260 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), 6261 LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), 6262 LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), 6263 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), 6264 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), 6265 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), 6266 LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), 6267 6268 #ifdef CONFIG_SECURITY_NETWORK_XFRM 6269 LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), 6270 LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone), 6271 LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), 6272 LSM_HOOK_INIT(xfrm_policy_delete_security, selinux_xfrm_policy_delete), 6273 LSM_HOOK_INIT(xfrm_state_alloc, selinux_xfrm_state_alloc), 6274 LSM_HOOK_INIT(xfrm_state_alloc_acquire, 6275 selinux_xfrm_state_alloc_acquire), 6276 LSM_HOOK_INIT(xfrm_state_free_security, selinux_xfrm_state_free), 6277 LSM_HOOK_INIT(xfrm_state_delete_security, selinux_xfrm_state_delete), 6278 LSM_HOOK_INIT(xfrm_policy_lookup, selinux_xfrm_policy_lookup), 6279 LSM_HOOK_INIT(xfrm_state_pol_flow_match, 6280 selinux_xfrm_state_pol_flow_match), 6281 LSM_HOOK_INIT(xfrm_decode_session, selinux_xfrm_decode_session), 6282 #endif 6283 6284 #ifdef CONFIG_KEYS 6285 LSM_HOOK_INIT(key_alloc, selinux_key_alloc), 6286 LSM_HOOK_INIT(key_free, selinux_key_free), 6287 LSM_HOOK_INIT(key_permission, selinux_key_permission), 6288 LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), 6289 #endif 6290 6291 #ifdef CONFIG_AUDIT 6292 LSM_HOOK_INIT(audit_rule_init, selinux_audit_rule_init), 6293 LSM_HOOK_INIT(audit_rule_known, selinux_audit_rule_known), 6294 LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), 6295 LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), 6296 #endif 6297 }; 6298 6299 static __init int selinux_init(void) 6300 { 6301 if (!security_module_enable("selinux")) { 6302 selinux_enabled = 0; 6303 return 0; 6304 } 6305 6306 if (!selinux_enabled) { 6307 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 6308 return 0; 6309 } 6310 6311 printk(KERN_INFO "SELinux: Initializing.\n"); 6312 6313 /* Set the security state for the initial task. */ 6314 cred_init_security(); 6315 6316 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); 6317 6318 sel_inode_cache = kmem_cache_create("selinux_inode_security", 6319 sizeof(struct inode_security_struct), 6320 0, SLAB_PANIC, NULL); 6321 file_security_cache = kmem_cache_create("selinux_file_security", 6322 sizeof(struct file_security_struct), 6323 0, SLAB_PANIC, NULL); 6324 avc_init(); 6325 6326 security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 6327 6328 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) 6329 panic("SELinux: Unable to register AVC netcache callback\n"); 6330 6331 if (selinux_enforcing) 6332 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 6333 else 6334 printk(KERN_DEBUG "SELinux: Starting in permissive mode\n"); 6335 6336 return 0; 6337 } 6338 6339 static void delayed_superblock_init(struct super_block *sb, void *unused) 6340 { 6341 superblock_doinit(sb, NULL); 6342 } 6343 6344 void selinux_complete_init(void) 6345 { 6346 printk(KERN_DEBUG "SELinux: Completing initialization.\n"); 6347 6348 /* Set up any superblocks initialized prior to the policy load. */ 6349 printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); 6350 iterate_supers(delayed_superblock_init, NULL); 6351 } 6352 6353 /* SELinux requires early initialization in order to label 6354 all processes and objects when they are created. */ 6355 security_initcall(selinux_init); 6356 6357 #if defined(CONFIG_NETFILTER) 6358 6359 static struct nf_hook_ops selinux_nf_ops[] = { 6360 { 6361 .hook = selinux_ipv4_postroute, 6362 .pf = NFPROTO_IPV4, 6363 .hooknum = NF_INET_POST_ROUTING, 6364 .priority = NF_IP_PRI_SELINUX_LAST, 6365 }, 6366 { 6367 .hook = selinux_ipv4_forward, 6368 .pf = NFPROTO_IPV4, 6369 .hooknum = NF_INET_FORWARD, 6370 .priority = NF_IP_PRI_SELINUX_FIRST, 6371 }, 6372 { 6373 .hook = selinux_ipv4_output, 6374 .pf = NFPROTO_IPV4, 6375 .hooknum = NF_INET_LOCAL_OUT, 6376 .priority = NF_IP_PRI_SELINUX_FIRST, 6377 }, 6378 #if IS_ENABLED(CONFIG_IPV6) 6379 { 6380 .hook = selinux_ipv6_postroute, 6381 .pf = NFPROTO_IPV6, 6382 .hooknum = NF_INET_POST_ROUTING, 6383 .priority = NF_IP6_PRI_SELINUX_LAST, 6384 }, 6385 { 6386 .hook = selinux_ipv6_forward, 6387 .pf = NFPROTO_IPV6, 6388 .hooknum = NF_INET_FORWARD, 6389 .priority = NF_IP6_PRI_SELINUX_FIRST, 6390 }, 6391 { 6392 .hook = selinux_ipv6_output, 6393 .pf = NFPROTO_IPV6, 6394 .hooknum = NF_INET_LOCAL_OUT, 6395 .priority = NF_IP6_PRI_SELINUX_FIRST, 6396 }, 6397 #endif /* IPV6 */ 6398 }; 6399 6400 static int __init selinux_nf_ip_init(void) 6401 { 6402 int err; 6403 6404 if (!selinux_enabled) 6405 return 0; 6406 6407 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); 6408 6409 err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops)); 6410 if (err) 6411 panic("SELinux: nf_register_hooks: error %d\n", err); 6412 6413 return 0; 6414 } 6415 6416 __initcall(selinux_nf_ip_init); 6417 6418 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6419 static void selinux_nf_ip_exit(void) 6420 { 6421 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); 6422 6423 nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops)); 6424 } 6425 #endif 6426 6427 #else /* CONFIG_NETFILTER */ 6428 6429 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6430 #define selinux_nf_ip_exit() 6431 #endif 6432 6433 #endif /* CONFIG_NETFILTER */ 6434 6435 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 6436 static int selinux_disabled; 6437 6438 int selinux_disable(void) 6439 { 6440 if (ss_initialized) { 6441 /* Not permitted after initial policy load. */ 6442 return -EINVAL; 6443 } 6444 6445 if (selinux_disabled) { 6446 /* Only do this once. */ 6447 return -EINVAL; 6448 } 6449 6450 printk(KERN_INFO "SELinux: Disabled at runtime.\n"); 6451 6452 selinux_disabled = 1; 6453 selinux_enabled = 0; 6454 6455 security_delete_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); 6456 6457 /* Try to destroy the avc node cache */ 6458 avc_disable(); 6459 6460 /* Unregister netfilter hooks. */ 6461 selinux_nf_ip_exit(); 6462 6463 /* Unregister selinuxfs. */ 6464 exit_sel_fs(); 6465 6466 return 0; 6467 } 6468 #endif 6469